Free-space optical channel estimation for physical layer security

We present experimental data on message transmission in a free-space optical (FSO) link at an eye-safe wavelength, using a testbed consisting of one sender and two receiver terminals, where the latter two are a legitimate receiver and an eavesdropper. The testbed allows us to emulate a typical scenario of physical-layer (PHY) security such as satellite-to-ground laser communications. We estimate information-theoretic metrics including secrecy rate, secrecy outage probability, and expected code lengths for given secrecy criteria based on observed channel statistics. We then discuss operation principles of secure message transmission under realistic fading conditions, and provide a guideline on a multi-layer security architecture by combining PHY security and upper-layer (algorithmic) security.


Introduction
Free-space optical (FSO) communication is a promising technology for enhancing the connectivity of wireless networks [1], thanks to the features such as wide band width in an unregulated spectrum, ultra-low inter-channel interference, and power-efficient transmission.Potential applications of FSO communication include satellite laser communications [2], a network system comprised of unmanned aerial vehicles, high-altitude platforms or drones [3][4][5], the last one mile link from the fiber backbone to the clients premises [6] and military applications [7,8].
As FSO communication becomes more and more important in these applications, the security requirements also become more demanding.Although high directionality of laser beam makes FSO communication inherently more secure than RF counterparts, FSO communication can still suffer from optical tapping risks, especially when the main lobe of laser beam footprint is considerably wider than the receiver size [9][10][11].These risks would be pronounced in urban communications where an eavesdropper would hide in the top of the same building as the legitimate receiver [12], or in satellite-to-ground laser communications in which the beam footprint would be a scale of km.Therefore, secure communication over FSO links still remains a challenging task.
Traditionally, security has been highly dependent on the upper layer protocols such as conventional encryption techniques with a pre-shared secret key or a key exchanged via public key cryptosystems.The security of these protocols is proved with algorithmic means.Then, it will be weakened as computer technologies and decryption algorithms are advancing.Moreover, with the rapid growth of the number of communication nodes, the key distribution and management are becoming increasingly difficult, and are introducing larger overhead and latency to the system.During the past few years, however, physical layer (PHY) security [13,14] has been gaining research attentions as a means to complement conventional encryption techniques.Its security is provided in information theoretical manners based on the particular coding techniques [15][16][17][18][19] or the careful signal designs [20][21][22][23].Different from conventional encryption techniques, no computational assumptions are placed on the eavesdropper.Practically, the existing security system can be enhanced by introducing PHY security as a first line of defense against eavesdropping.
The fundamental theoretical frameworks of PHY security was laid by Wyner [16], and Csiszár and Körner [17] based on secure message transmission over a wiretap channel, and by Ahlswede and Csiszár [18], and Maurer [19] based on secret key agreement from common randomness.In the wiretap channel model, its security is provided by an appropriate channel code guaranteeing both the reliability for the legitimate receiver and the secrecy against the eavesdropper.If the channel from the sender to the eavesdropper is a degraded version of that from the sender to the legitimate receiver, a non-zero secrecy rate can be achieved by sacrificing a fraction of the message rate.While such a degraded condition seems not to be realistic in wired communications, it is more reasonable in FSO communications built up between parties with a direct line-of-sight (LoS).Specifically, in LoS links, surveillance cameras will be able to detect any suspicious activity which makes it harder for an eavesdropper to intercept the main lobe of laser beam.On the perspective of this scenario, there have been theoretical studies [12,[24][25][26] on the potential of PHY security in FSO communications.
In spite of these remarkable theoretical studies, realization of PHY security is still a challenging issue.In FSO links, the intensity of the transmitted beam and the statistics of the received signals vary in a time scale of ms due to atmospheric turbulences.This kind of fading effect makes it difficult to implement an efficient coding scheme which can ensure PHY security un-

Wiretap channel code
Message bit

Code length
Fig. 1.Schematic diagram of the wireless wiretap channel model and wiretap channel coding [27].
der various conditions.Some approaches to mitigate the effect of atmospheric turbulences have been investigated such as the adaptive real time selection technique [28] in a horizontal quantum communication link of 143 km between La Palma and Tenerife Islands [29].However, experimental data and analyses on FSO fading links from the viewpoint of PHY security are still overwhelmingly lacking.This motivates us to collect transmission data in an FSO wiretap channel and analyze them in terms of fundamental metrics of PHY security.To this end, we have constructed a metropolitan terrestrial FSO link testbed (Tokyo FSO Testbed).This testbed consists of one sender terminal and two receiver terminals, one for the legitimate receiver and the other for the eavesdropper.Each of the two is 7.8 km distance apart from the sender terminal.The purposes of the testbed are (1) to examine PHY security techniques (e.g., secure message transmission and secret key agreement) in real-field FSO links, (2) to emulate typical FSO communication scenarios such as satellite-to-ground laser communications, and (3) to accumulate transmission data under several real-field conditions and utilize them for practical system design.In this paper, we focus on secure message transmission and analyze the characteristics of the FSO wiretap channel by transmitting a pseudorandom binary sequence based on on-off keying modulation.Using the output signal statistics, we estimate secrecy rates and related security metrics.We then discuss how the legitimate party can set a guideline for operating secure message transmission based on the observed data with pilot signals and the data accumulated from the past.

Wiretap channel and performance metric
Throughout the paper, we consider secure message transmission via a wireless wiretap channel system illustrated in Fig. 1.The sender (Alice) encodes a confidential message into a code word random variable (RV) X n for transmission over the wiretap channel, where n is the code length.We assume that Alice uses on-off keying modulation, thus RV X takes a value with 0 or the peak power of the transmission laser.Moreover, we also assume that the laser power and the input probability distribution P X over X are fixed irrespective of the channel state.
The legitimate receiver (Bob) observes the output via a discrete-time quasi-static fading channel (the main channel) given by being H B the channel gain RV and N B the additive white Gaussian noise (AWGN) RV.The eavesdropper (Eve) is also capable to observe Alice's transmission from the output via a discrete-time quasi-static fading channel (the wiretapper channel) given by being H E the channel gain RV and N E the AWGN RV.Here, upper case letters X,Y, Z, H B , H E are all positive real RVs since we modulate intensity of light.For later convenience, we shall use lower case letters x, y, z, h B , h E to denote realizations of X,Y, Z, H B , H E , respectively.In order to transmit m bits of confidential information reliably and securely through the wiretap channel, Alice introduces some redundancy to perform error correction and some random dummy information as the cost of additional secrecy.This entails adding redundant bits and l random dummy bits to the code word and hence increasing its length to n as shown in the lower panel of Fig. 1.This scheme is particularly referred to as wiretap channel coding.To design a wiretap channel code of length n, we shall specify two rates, the message rate R B = m/n and the randomness rate R E = l/n in bits/letter.
We assume that the channel gains H B and H E remain constants h B and h E , respectively, during specific interval (coherence interval).In each coherence interval with channel realizations h B and h E , one has to satisfy R B +R E ≤ I(P X , P Y |X,H B ) to establish a reliable communication, where I(P X ,W ) is the mutual information with the input probability distribution P X and the transition probability distribution W , and P Y |X,H B denotes the transition probability distribution of the main channel.On the other hand, R E ≥ I(P X , P Z|X,H E ) should be satisfied for confidentiality, where P Z|X,H E denotes the transition probability distribution of the wiretapper channel.Hence, the message rate R B must satisfy the following relation in each coherence interval, We shall call R S,i (h B , h E ) the instantaneous secrecy rate given h B and h E .When there is no ambiguity, we will drop the dependence on (h B , h E ).
In this paper, Bob is assumed to use hard-decision decoding where the value of individual bits are quantized to either y = 0 or y = 1 based on the threshold y th .Thus, the mutual information I(P X , P Y |X,H B ) is calculated as In the above equation, the transition probability functions for y = 1 and y = 0 given by x ∈ {0, 1} are defined as where N(x) is the number of an input x ∈ {0, 1} transmitted by Alice, and N(y ≥ y th |x, h B ) and N(y ≤ y th |x, h B ) are the numbers of events of y ≥ y th and y ≤ y th conditioned by an input x ∈ {0, 1} in the coherence interval with the channel realization h B , respectively.The threshold y th should be numerically optimized such that the mutual information I(P X , P Y |X,H B ) is maximized.
On the other hand, Eve is assumed to use soft-decision decoding which uses a whole range of output values to make decisions.This is the reasonable in secure communication, since the mutual information based on soft-decision decoding is slightly larger than that based on harddecision decoding [30].In this decoding, considering the finite size of samples (see Appendix A), we quantize the experimental data into K bins with an identical width ∆.Thus, the transition probability function P Z|X,H E (z (i) |x, h E ) is calculated as follows: being N(z (i) |x, h E ) the number of events that z is in i-th bin conditioned by an input x ∈ {0, 1} in the coherence interval with the channel realization h E .The mutual information I(P X , P Z|X,H E ) is calculated as

Overview of the experimental setup
The ideal technological goal is to evaluate the instantaneous secrecy rate R S,i by monitoring the channel state information (CSI), namely, the channel gains of both the main and wiretapper channels, in various conditions depending on weather, temperature, and instruments.However, due to the effect of atmospheric turbulences, the gains H B and H E are always fluctuating and hardly predicted.This kind of fading effect makes it difficult to implement an efficient wiretap channel coding scheme under various conditions.This motivates us to collect transmission data in an FSO wiretap channel by using Tokyo FSO Testbed introduced in this section.The testbed and its experimental data allow us not only to analyze the secrecy performance of secure message transmission based on the information-theoretic metrics, but also to determine whether secure message transmission can be established or not under a given condition.
A schematic layout of Tokyo FSO Testbed is shown in Fig. 2(a).We set Alice in an all-weather telescope dome on the rooftop of a building in the University of Electro-Communications (UEC) at Chofu of Japan (35 • 39 28.8 N, 139 • 32 39.5 E).In the National Institute of Information and Communications Technology (NICT) at Koganei (35 • 42 24.2N, 139 • 29 19.3 E), we set Bob's receiver in the sixth floor of a building.All optical components are located on a high-precision motorized gimbal.On the rooftop of the building which is just above the sixth floor, we set a container type terminal which takes the role of Eve.This terminal consists of an all-weather scanner on the top of the container.Receiver optics and electronics are located on an optical breadboard inside of the container.These facilities form an FSO link with a straight-line distance of 7.8 km.
In Fig. 2(b), we show an overview of the optical and electrical components in our testbed.The light source is a narrow linewidth direct-modulated laser diode (DM LD, Sense Light Semiconductors DL-BF10-CLS101B-S1550: band width less than 50 kHz at CW operation mode) with a central wavelength λ c of 1550 nm.This wavelength is selected since it suffers from less free-space attenuation [31] and meets the eye-safety regulations [32].A signal is in the format of a 10 MHz pseudorandom binary sequence (PRBS) with length of 2 15 − 1, and the modulation scheme is Non-Return-to-Zero on-off keying.The signal light is coupled into a fiber collimator (aperture diameter of 10 mm and divergence angle of 1.0 mrad) via a single mode fiber (SMF) and expanded into an approximately 5.5 mm beam.The laser is driven by direct modulation mode, and the average output power is set to be 100 mW.The collimator is mounted on a motorized gimbal driven by a high-resolution stepper motor.
At Bob's terminal, a fraction of the signal beam spot whose diameter is approximately 8 m is coupled into a Cassegrain telescope (aperture diameter of 111 mm and focal length of 800 mm) which collimates the beam down into 10 mm in diameter.Then, the beam is focused into a 200 µm multimode fiber (MMF) and finally sent to a photodiode detector (PD, Terahelz Technology Inc. TIA-525 optical receiver) whose noise equivalent power (NEP) is 3.0 pW/ √ Hz.The total optical loss of Bob's system, including the attenuation due to the window glass, is estimated to be -14dB.At Eve's terminal, the signal beam is tapped with a Cassegrain telescope (aperture diameter of 100 mm and focal length of 2000 mm).The intensity of the beam is measured by an avalanche photodiode detector (APD, Laser Components A-CUBE-I200-10) with higher sensitivity (NEP is 160 fW/ √ Hz) than Bob's detector.The total optical loss of Eve's system was measured to be -9dB.The comparison of the NEPs of the detectors and the total optical losses between the terminals corroborates that Eve's receiver system is much more sensitive than Bob's one.This fact allows us to emulate a reasonable situation where Eve's receiver is much better than Bob's one.In addition, we can emulate more various wiretap channel conditions by directing Alice's beam to several positions between Bob and Eve.
At both terminals, the photodetector signal is amplified by a preamplifier (Hamamatsu C6438) and then sent to a USB oscilloscope (sampling rate of 50 MHz and bandwidth limit of 20 MHz by a low-pass filter (LPF)) for A/D conversion.Digitized data are then sent to a computer.In order to identify the transmitted signal from the received data, Bob and Eve independently perform an off-line PC-based data recovery process of which the flow chart is shown in the middle panel of Fig. 2(b).First, high frequency noise is filtered out by a LPF (cutoff frequency f c of 6 MHz) from the input sequence.Then, an accompanying clock signal is generated via a clock data recovery (CDR) process, and the data are down sampled (DS) into 10 MHz of repetition rate by referencing the clock data.Finally, to perform the frame synchronization, cross-correlation between the down sampled data and the original PRBS sequence is calculated.In the experiment, the above-mentioned flow is implemented via LabVIEW.

Configuration of the experiment
Figure 3 shows our experimental configuration of FSO transmission campaign held on 17 November 2015 under cloudy Tokyo skies.During the experiment, the beam centroid is put in a position closer to Bob's terminal than Eve's one as shown by red circle, such that the received power at Eve would be slightly degraded compared to that at Bob.This geometrical configuration allows us to emulate typical wiretap channel model for satellite-to-ground laser communications where Eve attempts to tap the lobe of the beam footprint.Although our horizontal link cannot precisely emulate the realistic fading-induced scintillation in the vertical link of satellite-to-ground laser communications (the former is in one atmospheric layer while the latter is affected by several atmospheric layers with different scintillation effects), we can derive the basic principles of the channel estimation and the design of secure message transmission systems for a generic FSO link.
We conducted the experiments in 5 time periods, namely, 14:43 -14:46, 15:57 -16:00, 16:33 -16:36, 17:37 -17:40, and 18:10 -18:13 in JST.We note that 16:33 JST was the sunset time on the day.In each time period, we made 10 times of transmission and 2 × 10 6 bits of the PRBS are transmitted in each transmission with 200 ms duration.To characterize the instantaneous secrecy rate R S,i , we divide the duration of each 200 ms transmission into 50 of the 4 ms slot which includes 2 × 10 5 samples corresponding to 4 × 10 4 bits.In this time slot, the channel realizations h B and h E seem to be roughly constant hence the coherence time of the fading channels is in the order of ms.Moreover, samples of statistically sufficient size are included in the duration.The effect of atmospheric turbulence is nicely captured as the variation of the instantaneous secrecy rate at each time slot.
In this transmission campaign, we observed a pointing deviation of the received peak power, which can be compensated by rearranging the angles of the receiver telescopes every hour.We observed a typical deviation rate of 0.2 mrad/hour, which may be attributed to the refraction effect due to the varying and nonuniform air temperature and to the thermal expansion of the building in which the two receivers are located.In the time scale of each transmission (a few minutes), the FSO link stays in the same condition.

Temporal variation of instantaneous secrecy rate
In Fig. 4, we show the temporal variation of the instantaneous secrecy rate R S,i (solid line) and the average output voltage (dotted line) for the typical 200 ms FSO transmission at 17:37:00 JST, in the late evening time about an hour after the sunset.This time period is a typical case where the fading-induced scintillation is not so heavy.Actually, the highest rate (8.30Mbits/second (Mbps), from 12 ms to 16 ms) and the lowest rate (5.25 Mbps, from 76 ms to 80 ms) are not so far different (Taking into account the 10 MHz repetition rate of the input, Bob would gain 10 Mbps of information if Eve was absent.).Moreover, the fluctuation of the average output voltage at Bob (dotted line) seems not to have a direct correlation with the instantaneous secrecy rate R S,i (solid line).
In the two left upper insets of Fig. 4, we show the histograms of the output voltage of the detectors for the best and worst cases.Clearly, the two peaks in Eve's received power histograms overlap with each other while the peaks in Bob's one are perfectly separated in both insets.It turns out that under the condition of this time period, we can potentially transmit at most 5.25 Mbps of information with perfect secrecy.We also show the histograms of the output voltage for the whole period of 200 ms transmission in the upper rightmost inset of Fig. 4. The spectra of these histograms are not so broader even compared to those of 4 ms time slot.In general, the stronger the light fluctuation is, the broader the spectrum of the intensity distribution becomes [33], but Fig. 4 is not the case.
Figure 5 shows the temporal variation of the instantaneous secrecy rate R S,i (solid line) and the average output voltage (dotted line) for the typical 200 ms FSO transmission at 16:34:20 JST, just one minute after the sunset time.Contrary to Fig. 4, the difference between the best case (8.75 Mbps, from 24 ms to 28 ms) and the worst case (0 bps, from 144 ms to 148 ms) is much more distinct.For the best case, the signal via the main channel is quite distinguishable while that via the wiretapper channel is hardly distinguished as seen in the upper left inset.On the other hand, around the time slot of the worst case, the instantaneous secrecy rate decreases suddenly.This is because the wiretapper channel is error-free and hence Eve can establish a reliable channel from Alice.It is estimated that the beam centroid should have suddenly been gotten closer to Eve's one.The output voltage histograms for the whole period of the 200 ms transmission are shown in the upper-right inset of Fig. 5. Compared to the one in Fig. 4, their shapes are much broader or heavy-tailed.This means that the atmospheric turbulences in this time period are much more pronounced than that in the late evening time.Similar to Fig. 4, the variations of Bob's average output voltage (dotted line) seem not to have a direct correlation with the instantaneous secrecy rate R S,i (solid line).Therefore, even in the present receiver configuration, based on the Eve-near-Bob scenario in [12], the possible spatial correlation between Eve's and Bob's channels does not show a significant impact on the secrecy rate.Figures 4 and 5 indicate that Alice and Bob should find good atmospheric conditions so as to avoid a sudden fatal information leakage.If there is a good correlation between Bob's and Eve's observations on some straightforward measure, such as the average output voltages, then Alice and Bob could roughly infer an attainable secrecy rate (or its lower bound) by looking only at output voltage of Bob's detector.Unfortunately, however, no good correlation between the secrecy rate and Bob's average output voltage was seen in Figs. 4 and 5.One way is to use Bob's output voltage histograms which are measured for a longer time (e.g., 200 ms like as in Figs. 4 and 5) than a fading time scale as the partial CSI.If the histogram is broader, the secrecy rate varies and the fatal information leakage would occur, implying that Alice and Bob should avoid from such durations.Thus Alice and Bob can use appropriate pilot signals, compare the histogram with accumulated data, and opportunistically choose good time durations like Fig. 4.

Code word over a longer time span
Even in the larger fading case like Fig. 5, if a fast feed-forward mechanism could be employed, one might be able to use an appropriate wiretap channel code, adapting changes of the channel states due to fading-induced scintillation.This is, however, technically challenging.
Another possibility is to find a good code appropriately designed for the observations over a longer time span, just as shown in the upper rightmost inset in Fig. 5.To distinguish these long span transition probabilities from instantaneous ones, we shall call the former the long span transition probabilities, and denote them as E[P Y |X,H B ] and E[P Z|X,H E ] for Bob's and Eve's channels, respectively.They are actually statistical mixtures of the instantaneous channel transition probabilities of Eq. ( 6) and have much wider spread in distribution.
We can then calculate the secrecy rate for these long span transition probabilities as which we call the long span secrecy rate.The value of R S,T (3.71 Mbps) is shown as the dashed line in Fig. 5.As seen, the long span secrecy rate R S,T itself remains reasonably high, even though there appear fatal decreases of the instantaneous secrecy rates in the observed time span.In such fatal regions, Eve's channel remains error-free as shown in the upper middle inset.The result of the long span secrecy rate implies that there exists a good code to deceive Eve even in such a situation provided that the channel states remain as they are in Fig. 5 for an even longer period such that the channel can be used many times with such a good code.For example, one may spread a message onto a code word over the long spanned observation with sufficient randomization, and attain the secrecy even under the fading like in Fig. 5. Interestingly, under the assumption that both the input probability distribution P X and the input power are fixed over the whole time period and the main channel is almost error-free, the long span secrecy rate R S,T is slightly larger than the ergodic secrecy rate R S,erg (see Appendix B) which is just defined as the average of the instantaneous secrecy rates and is often used to see an overall throughput in fading channels [34].The value of R S,erg (2.77 Mbps) is shown as the chain line in Fig. 5 and corroborates the above point.In order to achieve the ergodic secrecy rate R S,erg , one should employ a fast feed-forward mechanism to adapt changes in a fading channel, which is technically challenging, as stated above.Thus the transmission of a code word over a longer time span would be more attractive as fading-resistant techniques.Fig. 6.Secrecy outage probability P S (R S,i < R th ) as a function of target rate R th for 5 campaign periods on 17 November 2015.In each time period, 10 independent 200 ms FSO transmissions (totally 20 Mbits), namely, 500 of 4 ms FSO transmission is contained.

Secrecy outage probability
In the previous subsection, we observed that the received signal statistics of the long term transmission serves as a partial CSI of the wiretap channel.Alice and Bob can utilize this to determine whether they conduct secure message transmission or not.However, they may dare to perform secure message transmission even with compromising the confidentiality.In such a situation, a natural question arisen is then how is the trade-off relation between the throughput and the risk of information leakage.In this case, the secrecy outage probability provides a quantitative metric.The secrecy outage probability P S (R S,i < R th ) is defined as the cumulative probability that an instantaneous secrecy rate R S,i is smaller than a given target rate R th .This outage probability quantifies how often fatal information leakage occurs when the wiretap channel code is employed at constant rate R th .Obviously, the secrecy outage probability is a monotone increase function of target rate R th , which indicates the trade-off relation between security and throughput.
Figure 6 depicts the outage probability P < R th ) for 5 campaign periods.In each time period, 10 independent 200 ms transmissions (totally 20 Mbits) are contained.The instanta- The behavior of the outage probability shown in Fig. 6 is well reflected in the behaviors of the scintillation index σ 2 I and the refractive-index structure constant C 2 n [33] shown in Table 1.For example, before the sunset time, C 2 n indicates a larger value over 10 −16 .On the other hand, one hour after the sunset time (17:37 -17:40), C 2 n becomes the smaller value below 10 −16 , and C 2 n turns to be a slightly larger value after further 30 minutes later (18:10 -18:13).Such a temporal suppression of fading-induced scintillation one hour after the sunset time has already been observed in the past experiment held in NICT [35].
As shown in Fig. 6, the secrecy outage probability is almost negligible even when the target rate is set to be more than 1 Mbps in the late evening time (17:37 -17:40), meaning that the perfect secure transmission at high throughput is possible.On the other hand, before the sunset time (14:43 -14:46), the outage probability still remains to be 0.01 even if the target rate decreases to 10 kbps.Such kind of larger outage probability alerts that the perfect secrecy cannot be guaranteed solely by the wiretap channel code with R th = 10 kbps.It advices that some backup encryption schemes in the upper layers should be activated to prepare for the worst case scenario.

Finite length analysis
Although the secrecy rate is regarded as a reasonable benchmark of the system, it concerns only the asymptotic limit at code length n → ∞.Practically, in the bounded-code-length scenario, the message rate R B cannot be arbitrarily close to the secrecy rate as well as the information leakage cannot be completely diminished.Thus, in order to design a practical code with the perfect secrecy, the message rate R B should be chosen much lower than the secrecy rate and the necessary code length n for the required secrecy criteria should be known.This motivates researchers [36][37][38] to introduce the secrecy exponent H sec (R E ) (see Appendix C), which is a stronger characterization showing how fast the leaked information decreases.Actually, in [25], through the upper bound on the leaked information measure δ E n ≤ e −nH sec (R E ) , where the leaked information measure δ E n is measured by a statistical distance between distributions [25,36], the code length dependence of δ E n has been investigated in the idealistic fading free model, or constant channel gain model.In what follows, we consider the application of H sec (R E ) on atmospheric fading channels.
First, we consider the case with the weaker fading case, such as in Fig. 4. In this case, the fluctuation of the instantaneous secrecy rate is also weak.We may select the worst time slot, design a code for it, and apply it for the whole interval such as 200 ms in Fig. 4. Now, our purpose is to investigate what code length is required in this time slot.In Fig. 7(a), we show the code length dependence of the leaked information criteria δ E n on the time slot of the worst case (from 76 ms to 80 ms) in Fig. 4. Clearly, as R B decreases (or the randomness rate R E increases, since we assume that sum of the rates R B + R E is fixed), δ E n decreases faster, attaining a given criterion δ E n with a shorter code length.When Alice and Bob set R B to be 3 Mbps (the dotted line in Fig. 7(a)), δ E n < 10 −20 can be obtained by a code with n = 10 3 .Since this value serves as the upper bound over the whole time period, Alice and Bob reasonably achieve the secure message transmission with fixing the message rate R B = 3 Mbps and the code length n = 10 3 .For the curve of R B = 4 Mbps (dashed line), the required code length for δ E n < 10 −20 is n = 10 4 and still reasonable.On the other hand, as we raise the rate up to R B = 5 Mbps (solid line), which is close to the instantaneous secrecy rate R S,i = 5.25 Mbps (see Fig. 4), n = 10 5 of code word is required for δ E n = 10 −20 .However, considering that the repetition rate is 10 MHz and the time slot duration is 4 ms, this code length is out of a consistent design.
Next and finally, we discuss finite length analysis in the larger fading case like in Fig. 5.In Subsection 4.3, we have already discussed a fading resistant technique based on a code word over a longer time span, i.e., the whole observation time of 200 ms.The input repetition rate was set as 10 MHz.This means that there are 2 × 10 6 symbols in the whole span, and the code length is also 2 × 10 6 .This length is however, considerably long, and readily causes large coding complexity.To reduce such complexity, one must set a lower repetition rate R rep for a fixed observation time T O , where the code length n is determined as n = R rep T O . Figure 7(b) shows how fast the leaked information criteria δ E n decreases as the repetition rate R rep for a given message rate R B = m/n.As easily imaged, if the larger message rate is required, the repetition rate must be higher for attaining a given level of secrecy, and hence the code length should also be longer according to n = R rep T O .Suppose that we set the secrecy criteria as δ E n < 10 −20 .Then for a message rate R B = 0.2 bits/letter, the repetition rate and the code length must be set roughly as R rep = 10 kHz and n = 2 × 10 3 , respectively, which realizes the secure message transmission at 2 kbps.For a higher message rate R B = 0.37 bits/letter, the repetition rate and the code length should be R rep = 13.8MHz and n = 2.77 × 10 6 , respectively, realizing the 5.13 Mbps secure message transmission.

Concluding remarks
In this paper, we have discussed the feasibility of PHY security in real-field FSO links.Using Tokyo FSO Testbed, we could gather the experimental data for various atmospheric conditions which will meet satellite-to-ground laser communications.We exploited three information theoretical quantities as performance measures, the secrecy rates, the secrecy outage probability and the expected code lengths for given secrecy criteria.We observed that the real conditions influence the temporal variation of the instantaneous secrecy rate; the temporal variation is stable in the late evening time, whereas it is much stronger before the sunset time.When the variation of secrecy rate is stable, Alice and Bob can establish the secure message transmission with reasonable code lengths.On the other hand, when the variation of secrecy rate is much heavier, Alice and Bob can assess the possibility of secure message transmission using a good and longer code designed based on the long span statistics of the channel.Quantitatively, they can calculate the probability of the fatal information leakage via the secrecy outage probability.Combining the PHY security with upper-layer cryptographic schemes, they may be able to establish secure communication even in the heavy fading condition.
In this paper, we mainly focused on the secure message transmission via the wiretap channel.As was stated, the opportunistic transmission may be impractical in the configuration of this paper since a fast adaptive optimization over input probability distribution, input power, and message rate is required.However, in the delay tolerant communication such as secret key agreement [18,19] using public channels, this opportunistic approach will work effectively.In secret key agreement, Alice and Bob can opportunistically select appropriate time slots after sharing initial randomness, and apply information reconciliation and privacy amplification to the data in these time slots.Moreover, the secrecy rate gives a lower bound for the achievable secret key rate.The experimental result gathered via Tokyo FSO Testbed campaign tells us that the implementation of secret key agreement scheme in this testbed is straightforward.Thus, the feasibility study of this scheme in real field FSO communications will be a next target of this campaign.
With a direct analysis, this study provides quantitative assessment of the key rate reduction from the eavesdropper in real channel conditions.This is a strong support for the further study of this effect with a mobile attack, as for instance in the case of Eve on a drone.Moreover, although our results were obtained in horizontal terrestrial propagation, we believe that our feasibility study is a first step towards a realization for large-scale deployment of PHY security in FSO communication.PHY security in FSO communication will open a new paradigm for the basis of high-capacity and high-altitude secure communications exploiting satellites, air planes and drones.

Fig. 2 .
Fig. 2. (a) Overview of Tokyo FSO Testbed.Alice's terminal is installed on a building roof at UEC. Bob's and Eve's terminals are located on a building at NICT. ©OpenStreetMap contributors, CC-BY-SA.(b) Schematic layout of experimental setup of Alice's, Bob's, and Eve's terminals [27].

Fig. 3 .
Fig. 3. Experimental configuration of FSO transmission campaign held on 17 November 2015, and typical waveforms received by Eve (upper) and Bob (lower) over 5 µs.The data are taken at 14:43:00 JST.In the figure, we subtracted the DC offset of a detector from the received signal.

Fig. 4 .
Fig.4.Temporal variation of instantaneous secrecy rate R S,i (solid line) and the average output voltage (dotted line) for the experimental data at 17:37:00 JST, the late evening time about an hour after the sunset, on 17 November 2015.In each time slot, the measurement duration is 4 ms and 4 × 10 4 bits are contained.Two upper left insets are the histograms of the output voltage for the best case (between 12 ms and 16 ms) and the worst case (between 76 ms and 80 ms).The upper rightmost inset is the output voltage histogram for the whole period of the 200 ms transmission.Width of histogram bins are 0.3 mV both for Bob's and Eve's data (see Appendix A).In the histogram, we subtracted the DC offset of the detector from the received signal.

Fig. 5 .
Fig.5.Temporal variation of instantaneous secrecy rate R S,i (solid line) and the average output voltage (dotted line) for the experimental data at 16:34:20 JST, just one minute after the sunset time, on 17 November 2015.In each time slot, the measurement duration is 4 ms and 4 × 10 4 bits are contained.For comparison, the ergodic secrecy rate R S,erg (chain line) and the long span secrecy rate R S,T (dashed line) are also shown.Two upper left insets are the histograms of the output voltage of the detectors for the best case (between 24 ms and 28) and the worst case (between 144 ms and 148 ms).The upper rightmost inset is the output voltage histogram for the whole period of the 200 ms transmission.Width of histogram bins are 0.3 mV both for Bob's and Eve's data.In the histogram, we subtracted the DC offset of the detector from the received signal.

Fig. 7 .
Fig. 7. (a) Code length dependence of leaked information measure δ E n between 76 ms and 80 ms in Fig. 4. (b) Repetition rate dependence of leaked information measure δ E n over the whole observation time of 200 ms in Fig. 5.

Fig. 8 .
Fig.8.Bin width dependence of the mutual information I(P X , P Z|X,H E ) for the time slot from 76 ms to 80 ms in Fig.4.

Table 1 .
The mean values of the scintillation index σ 2 I and refractive-index structure constant C 2 n for each campaign period a .
a To calculate σ 2 I and C 2 n in this table of each 200 ms transmission, we selected the event where the light source is on.