Modelling efficient BB84 with applications for medium-range, terrestrial free-space QKD

Terrestrial free-space quantum key distribution is ideally suited for deployment in dense urban environments. The transition from laboratory to commercial deployment, however, raises a number of important engineering and deployment issues. Here, we investigate these issues for efficient BB84 using a weak coherent pulse-decoy state protocol. We calculate expected key lengths for different environmental conditions and when the scope for optimisation of protocol parameters is restricted due to practical considerations. In particular, we find that for a fixed receiver basis choice probability, it can be advantageous to allow the transmitter to have a different basis choice probability depending on varying channel loss and background light levels. Finally, we examine the effects of pulse intensity uncertainty finding that they can dramatically reduce the key length. These results can be used to determine the loss budget for the free-space optics of a QKD systems and assist in their design.


Introduction
Quantum key distribution (QKD) allows for the secure distribution of cryptographic keys, where in principle, the security is guaranteed by the laws of physics [1,2,3]. This is in contrast to current public key methods, where the security is based on the difficulty of mathematical problems such as factoring or the discrete logarithm of elliptic curves [3,4]. Such schemes are rendered insecure by a quantum computer, which can efficiently solve the hidden abelian subgroup problem that underlies efficient solutions to factoring and discrete logarithms [5]. The development of QKD is thus vital to protect our communication infrastructure and provide forward security without reliance on computational complexity assumptions.
In free-space (FS) QKD, signals are sent via line-of-sight transmission, e.g. between two ground stations or between a satellite and ground station. Satellite-based FS-QKD has attracted a great deal of attention due to its potential to allow QKD over global distances [6,7,8,9,10,11,12,13,14,15,16,17,18]. In contrast, ground based FS-QKD typically operates over short to medium distances, ideal for deployment in dense urban spaces where it may be difficult and costly to deploy ad hoc short range fibre links. FS-QKD between either buildings or existing towers should allow secure communication in a more flexible manner. A prototype of such a network is being constructed as part of the AirQKD project [19]. Here, we present high-level analysis of terrestrial FS-QKD operational trade-offs with particular consideration of how finite key statistical effects and uncertainties impact upon their design.
The development of a commercial ground based FS-QKD network faces significant challenges [20]. Firstly, the system has to operate under diverse environmental conditions such as varying background light levels, meteorological visibilities ‡, and levels of turbulence, etc. [21]. Furthermore, engineering or economic factors constrain the design and component choice. Components or operating settings may be standardised rather than optimised for each link scenario. For example, this could result in fixed or common protocol parameters such as basis bias and weak coherent pulse intensities set at the factory instead of being optimised for each deployment at greater cost. Hence, determining the performance of a fixed-setting FS-QKD system over a wide range of operating conditions and finding robust sets of protocol parameters are important practical considerations for real-world applications.
To ensure security, it is crucial to take into account finite statistical fluctuations and uncertainties during operation. A vital step for all QKD protocols is to use the transmitted data to estimate parameters, e.g. such as the quantum bit error (QBER), yields from vacuum and single photon emissions, and phase errors [22,23,24]. In practical use, the transmission window (or integration time) is finite and will be predetermined or limited due to operational considerations such as key refresh tempo or latency. Finite statistical effects can lead to sharp cutoffs in the positive secret key region as a function of channel loss and background count, thus selection of block accumulation lengths and integration times should be balanced against operational requirements.
QKD protocols based on weak coherent pulses (WCPs) requires knowledge of their intensities and these must be stabilized to what is intended. This is achieved by using power monitors to monitor the power and adjusting [25]. However, for any measurement there is an uncertainty associated with this. In a laboratory setting this uncertainty can be reduced and controlled. But in real world deployment, we must expect there to be a non-negligible uncertainty. If we are to ensure security, we must increase the amount of privacy amplification to take account of this uncertainty. We study this effect and show that it leads to both a reduction of the secure key length and a reduction of the region of parameter space for which a secret key can be extracted.
In this paper, we perform a systematic study of efficient BB84 across different environmental conditions, for fixed protocol parameters and study the effects of uncertainties in the intensities. In principle, the results can also be applied to fibre QKD, though will be of lesser utility as their operating conditions tend to be more stable compared with a terrestrial FS-QKD link that will be subject to large variations ‡ Here, visibility refers to atmospheric transmittance [26] in loss and background light throughout the day. Geographic variation between FS-QKD links also requires modelling of the performance for a wide range of conditions and typical operating points. The outline of the manuscript is as follows. In section 2 we describe the channel and QKD setup; which serves to introduce the main physical parameters. In section 3 we explain the protocol and how this can be implemented physically in a real system. Results for optimizing the length of the secret key under different conditions are presented in section 4. Next, we study the effects of fixing protocol parameters on the optimization of the secure key length in section 5. We then investigate the effects of uncertainty in the WCP intensities in section 6. Finally, we discuss the findings in section 7. Preliminary versions of some of these result can also be found in [27].

The free-space system
We consider a free-space optical line-of-sight system between a transmitter (Alice) and receiver (Bob) with a 100MHz pulsed source of phase randomized polarisation encoded WCPs with signals states: vertical (0 • ), horizontal (90 • ), diagonal (45 • ) and anti-diagonal (135 • ), V , H, D and A, respectively. For the purposes of a high-level system performance model, we assume that side-channel leakage is negligible [28]. In practice, any implementation should be evaluated for such vulnerabilities, non-idealities characterised, and their effects taken into account in the final security analysis. In a deployed system the maximum integration time will normally be preset and cannot be easily increased without increased memory or processing. It is thus vital to evaluate system performance over a range of integration times, or transmission block sizes that are the product of the pulse repetition rate and the integration time. The secure key length is determined by the total number of pulses transmitted and received, not the transmission rate, hence we consider a fixed repetition rate with different integration times to determine the number of pulses sent. Results for different repetition rates and transmission times can be easily inferred, keeping other parameters fixed.
Free-space channels suffer losses due to beam spreading (i.e. diffraction or geometrical losses), absorption, and scattering [29]. Turbulence will also cause the beam to both wander and distort [30,31], reducing the coupling of the modes to the collection device. Sway of the transmitters and receivers together with additional pointing errors also adds to loss. These effects could be mitigated by active correction methods [32]. Other source of loss are imperfect mode coupling into the detector, detector efficiencies, and losses within the transmitter and receivers optics.
The losses in the transmitter can be mitigated, provided they can be well characterized. For security, what matters is that the emitted signal intensities exiting the transmitter aperture and into the Eve-controlled quantum channel are as specified. We can compensate for internal transmitter losses by producing WCPs with greater intensities at the source so that when they leave the exit aperture, they have the required intensity. Scattered light within the transmitter needs to be prevented from escaping else it could leak side-channel information.
We assume that transmitter losses are compensated by the above method hence we only need to consider the remaining contribution that we group together to obtain a total system loss η loss . Let p d be the total probability that a photon emitted from the transmitter is detected at the receiver, we characterise the channel optoelectronic efficiency by the total system loss (in dB) defined as η loss = −10 log 10 (p d ). (1) We also consider extraneous counts due to detector dark counts or from stray-light where p ec is the probability per pulse. Another source of errors is due to errors in the polarization states or their measurement and we characterise these by the intrinsic quantum bit error rate or QBER I that is independent of channel loss. We also account for detector after-pulsing where we assume the value p ap = 10 −3 , consistent with values used in previous modelling of fibre and free-space QKD systems [35,39]. For convenience, fixed modelling parameter are listed in table 1. The photon statistics of the WCP signal states are described by a Poissonian distribution P (n) = exp(−µ)µ n /n! where µ is the mean number of photons per pulse. An eavesdropper can perform a photon number splitting attack on the multiphoton emissisions [33,34]. To counter this, we use the so-called decoy state method to estimate the number of received vacuum and single photon emission events [22,23,24].

Outline of protocol
We employ the Efficient BB84 WCP Decoy State protocol with 3 intensities µ 1 , µ 2 and µ 3 that are randomly and independently chosen [35] §. Alice prepares WCPs with polarization chosen from one of two bases: X ∈ {H, V } and Z ∈ {D, A}. With probability P A X Alice chooses the X basis, and with probability P A Z = 1−P A X she chooses the Z basis, In efficient BB84 the two bases need not be chosen with equal probability. Instead, the probability is found by optimizing the protocol so as to maximize the secure key length. With the basis chosen, Alice randomly and uniformly encodes bit values 0 or 1 onto the appropriate polarization state, where: V, D ≡ 0 and H, A ≡ 1, before choosing the intensity of each pulse: k ∈ {µ 1 , µ 2 , µ 3 } with probability p k . The intensity values can be any values that satisfy the relations: (i) µ 1 > µ 2 > µ 3 and (ii) µ 1 > µ 2 + µ 3 . Bob randomly chooses to measure the polarization in either the basis X or Z, with probability P B X and P B Z = 1 − P B X , respectively. After transmission Alice and Bob perform basis sifting through authenticated public announcement where they retain only those results corresponding to received pulses when they chose the same basis. Alice and Bob will then have n X sifted X basis bits and n Z sifted Z basis.
For the sifted bits, Alice publicly announces her choice of intensities for each WCP allowing Bob to tag each bit with its transmitted intensity. Let n X(Z),k denote the number of bits in the X(Z) basis that originated from a pulse of intensity k. The secret key is constructed using only the sifted bits from the X basis, while the bits from the Z basis are used for parameter estimation. All the data from the Z basis is publicly announced, which allows Alice and Bob to calculate the number of errors in this basis: m Z . Additionally, they can calculate the number of errors in bits that originate from pulses with intensity k, m Z,k . Using these results, one can calculate the phase error φ X using Eq.s (4) and (5) of [35].
Alice and Bob's sifted bit string for the X basis will differ due to errors, which are corrected in the reconciliation stage, to produce the identical bit strings called the raw key. Error correction can be performed using a number of schemes [3], all of which requires public communication between that leaks λ EC bits. Alice and Bob then perform a verification step to ensure their raw keys are identical with probability at least 1 − ǫ c , where ǫ c is a pre-agreed correction parameter [35], here chosen to be ǫ c = 10 −15 . The final stage is privacy amplification [2,3,42] that reduces the key to length ℓ bits.

Secure key length
From the analysis of [35], the final composable secure key length is given by where s X,0 is the estimated number of bits coming from vacuum events, s X,1 is the number of bits originating from single photons, ǫ s is the security parameter and is the binary entropy. A protocol is said to be ε = ǫ s + ǫ c secure if it is ǫ c -correct and ǫ s -secret [42]. For all calculations presented we use ǫ c = 10 −15 and ǫ s = 10 −9 . The quantities s X,0 , s X,1 and φ X can be calculated using Eq. (1) to (5) from [35]. In that paper, there are correction terms due to finite statistical fluctuations appearing in the quantities n ± X(Z),k and m ± Z,k , which we define below in Eq. (3). In [35] the correction terms are calculated using the Hoeffding bound [36] but it is possible to improve them using a modified version of the Chernoff bound [37,38] as described in [39]. For the current analysis we use where k ∈ {µ 1 , µ 2 , µ 3 } and where β = ln(1/ε) and Y can equal either n X(Z),k or m X(Z),k [38]. The environmental parameters η loss , p ec and QBER I appear within the expressions for n X(Z),k and m X(Z),k , which feed into Eqs. (3) and (5). For more details on how the environmental factors are incorporated within the model, see appendix E or [39].
The error correction term λ EC is equal to the classical information exchanged during the reconciliation stage, this is included in the estimate of the amount of privacy amplification needed. In practice, we can keep track of the bits exchanged and thus λ EC is known and not subject to statistical uncertainty. However, to model the systems performance we need an estimate of λ EC and we use the sophisticated estimate introduce in [41], as discussed in [39].

Unequal basis choice
In Efficient BB84, it is standard to choose P A X = P B X and optimised for the channel conditions [40]. In practice, however, it often straightforward for Alice to vary her basis probabilities but difficult for Bob. This is because Alice can encode polarization states using four separate WCP emitters. Changing P A X amounts to changing the probability of Alice choosing the X basis signals. In contrast, Bob's measurement is typically realized by beam-splitter that randomly sends photons to one of two polarization measurement setups, to measure either in the basis X or Z. While a variable beam-splitter could be used in a laboratory, it would be more economical and practical in a mass produced commercial system to use a fixed beam-splitter.
To understand why setting P A X = P B X is helpful in the case of Bob's receiver being fixed, consider the sifting stage. Before sifting, Alice and Bob shared N bits. The fraction of these bits discarded in the sifting stage is P A The fraction of bits retained in the X basis is P A X P B X , while P A Z P B Z is the fraction in the Z basis. To maximize the key length, we want P A X P B X close to one, while still allowing enough bits in the Z basis to accurately estimate the parameters. If P B X is fixed and P A X = P B X , we have no control of the sifting ratios. We thus generalize the protocol by allowing Alice and Bob to have different basis choice probabilities. This change in the protocol affects the numbers n X(Z),k and m X(Z),k seen in a given run. The change, however, does not affect either the key length formula, (2), or crucially, the security analysis [35,42].

Optimization of the protocol
For a given value of the integration time, source repetition rate, η loss , QBER I and p ec , we will calculate the secure key length. Initially, this involves optimizing the secure key length by varying the parameters: {P A X , p µ 1 , p µ 2 , µ 1 , µ 2 }. The value of P B X will either be set equal to P A X or will be fixed. The smallest intensity, µ 3 should be set to zero, but to avoid numerical issues, we instead use a very small value, µ 3 = 10 −9 . The details of the optimization are the same as those presented in [39] with the exception that now the channel loss is assumed to be fixed in time.
In section 5 we fix P B X and the intensities {µ 1 , µ 2 , µ 3 }. The numerical optimization of the secure key length now involves varying only the parameters: {P A X , p µ 1 , p µ 2 }, this only requires changing the way that the unbiased random number stream, e.g. from a quantum random number generator (QRNG), are processed to derive the source input data. The approach is the same as before, but where now we input fixed values for P B X , µ 1 , µ 2 and µ 3 which we assume are set and calibrated at the factory. The values of P B X chosen correspond to splitting rations of commercially available beam-splitters. The fixed values for the intensities are picked by a process of trial and error as well as through studying typical values found in the cases where they were optimized. The aim was not to find the optimal choice of fixed intensities, but instead to show that good choices existed over a range of channel conditions. As such the values of fixed values of intensities described in section 5 were not numerically optimized, but instead found using a process of trial and error.

System performance
For the design of free-space optical systems, one must know the total loss budget, i.e. the maximum η loss one can tolerate, while still producing a secure key. We evaluate the secure key length for different values of η loss , p ec and QBER I . The results we present allow one to both evaluate the system performance under a wide range of environmental conditions and to determine a total loss budget for a given set of circumstances.
Consider a system operating with an integration time of 60s (link refresh period), QBER I = 0.5%, P A X = P B X and repetition rate of 100MHz. A plot showing the region where one obtains secret keys is shown in figure 1 where we have numerical optimised all protocol parameters at each point, as discussed in section 3.4. The shaded region shows where one obtains a nonzero value for the secret key. We observe that ℓ, when non-zero, is large, even for relatively large losses. An important feature of the plot is that a slight increase in p ec or η loss can cause a sharp drop off in the secret key or reduce it to zero. This is illustrated more clearly in figure 2 where we plot ℓ against η loss , for different values of QBER I and p ec . An important feature is the sharp drop of ℓ to zero resulting from finite statistical corrections [39].
From figure 1 we observe that the effect of increasing p ec becomes more pronounced as η loss increases, this is due to two reasons. Firstly, increasing the loss decreases the total counts and thus increasing finite statistical fluctuations in the parameters. Errors due to p ec thus become more significant. Secondly, as we increase η loss , the fraction of the total counts corresponding to extraneous counts increases. This increases both the quantum bit error rate and the phase error, φ X . Figure 1 strongly suggest that p ec  It is also important to understand the effect of the intrinsic quantum bit error rate, QBER I on ℓ. In figure 2 we see that increasing QBER I causes ℓ to decrease. Furthermore, increasing both QBER I and p ec causes ℓ to drop to zero for smaller values of the total loss. We see however, that increasing QBER I from 0.005 to 0.01 does not affect ℓ as greatly as increasing p ec .
The sharp drop off of ℓ to zero is important when designing QKD systems. Is vital to know the range of parameters for which ℓ > 0. In figure 3 we plot the region of values for η loss and p ec where ℓ > 0. The regions are plotted for different values of QBER I . It is evident that increasing QBER I not only decreases ℓ, as shown in figure 2, it also leads to a decrease in the regions where one can extract a secret key. Notice, however, for moderate values of η loss the difference in regions for values of QBER I equal to 0.5% and 1% is small. This suggests that if the QKD network is expected to operate in conditions where η loss is below 35 dB, then the effort to decrease QBER I below 1% might not yield great rewards. Instead, more attention should be focused on reducing p ec . The coloured lines represent the boundary for ℓ > 0, while the shaded coloured regions also corresponds to ℓ > 0.
The integration time also affects the secret key rate (SKR). Doubling the integration time doubles the raw key bits, this may be expected to also double ℓ but several effects can lead to a super-linear increase. A greater integration time also yields more data for parameter estimation, hence we can estimate the parameters with less error and obtain a smaller correction due to the finite statistics, illustrated in figure 4. In this plot, all curves correspond to QBER I = 0.005. Both the blue and black curves are for a total system loss of η loss = 32 dB. The extraneous count probabilities are p ec = 10 −6 for the blue curve and p ec = 10 −5 for the black curve. In contrast, the red curve is for p ec = 10 −5 and η loss = 34 dB. If increasing the integration time had no effect on parameter estimation, then the SKR would be constant as integration time increases. However, as we see in figure 4, the SKR increases with integration time. In both the black and red curves, ℓ = 0 initially. However, by increasing the integration time we eventually obtain a nonzero secret key. Furthermore, in all three curves, while the SKR continues to increase as the integration time increases, the rate of increase slows, suggesting that it will plateau for a sufficiently large integration times. These results dramatically illustrate the effects of finite statistics. For integration time of 60 seconds, the errors within parameter estimation could lead to ℓ = 0. However, by increasing the integration time we can extract a secret key.
These results show that if possible, one should avoid using several short transmission windows. Instead, one should use fewer, but longer transmission windows. This would necessitate increasing the systems memory and changing the key generation cycle to accommodate the production of large amounts of key, over longer intervals. In principle, one could also group several smaller transmission windows together to form a larger integration time. This approach was investigated in [39] in the case of limited satellite overpass time, but here could be used to mitigate against weather induced channel outages. This is valid for finite data security proofs that use smoothed min-entropies, as described in [35]. In view of the previous results, one should use large integration times. For this reason we study the secure key length with an integration time of 30 minutes. Under the correct circumstances, this will provide a large amount of secret key. One can then use this to distribute multiple secret keys within a QKD network. Figure 5 shows a plot of the secret key against η loss and p ec , where (a) is for QBER I equal to 0.5% and (b) is for QBER I equal to 1%. The long integration times means that we can extract secret keys for large losses. For example, for QBER I = 0.005, we can extract 34,256 bits for η loss = 50 dB and p ec = 10 −7 . The plots also show the importance of background light. For example, with p ec = 10 −3 we can only extract a secret key for η loss up to 14 dB. An important feature of figure 5 is that plots (a) and (b) are very similar. This demonstrates that increasing QBER I from 0.005 to 0.01 has an almost negligible effect for large integration times. This suggests that once QBER I has fallen 0.01, there are diminishing returns from its further improvement. For examples of how these results can be used to obtain loss budgets, see appendix A.

Performance with fixed parameters
In a real world deployment of a QKD system, it may not be cost effective to produce separate systems with different parameters for different operating conditions due to the additional effort and components required. An obvious issue is that Bob's basis choice is made using a fixed beam splitter. This means that P B X will be fixed, unlike in the previous plots where we assumed one could choose any value. In contrast, as we explained in section 3.3, Alice's can easily vary her basis choice probability, P A X . In the remainder of the analysis we allow for P A X = P B X . We consider a long integration time of 30 minutes and QBER I of 1%. In models of fibre and satellite QKD systems, a value of 0.5% has often been assumed [35,39]. The current value for QBER I is more conservative and reflects the fact that a mass produced commercial system may not be as well aligned as current experimental systems.
In figure 6 we present plots of the optimized values for ℓ, where P B X is fixed to be a particular value. The optimization is performed by varying the values of {P A X , p µ 1 , p µ 2 , µ 1 , µ 2 }. In figure 6, (a) is for P B X = 0.3, while (b) is for P B X = 0.9. Additional plots for P B X = 0.5 and P B X = 0.7 are shown in figure 9 of appendix B. One can extract a secret key over a larger range of η loss for smaller values of P B X . For instance, for P B X = 0.9, the largest total system loss for which we can extract a secret key for is η loss = 47 dB. In contrast, we can extract secret key up to η loss = 50 dB for both P B X = 0.5 and 0.3. While we can extract a secret key for a wide range of parameter, when we fix P B X , figure 6 shows that there is a trade-off for different values of P B X . For P B X = 0.9 we obtain a larger value of ℓ at smaller losses, than we do for P B X = 0.3. For Figure 6. A 3D plot ofℓ plotted for total system loss η loss and log 10 (p ec ). All plots are for QBER I = 0.01 and an integration time of 30 minutes. The receiver basis choice probability is fixed to set values for both plots. In figure (a) we fix P B X = 0.3, while in (b) we have P B X = 0.9. This figure illustrates that there can be a trade-off for the choice of P B X . Low values for P B X give ℓ > 0 for wider ranges of losses than larger values of P B X . However, when a secure key is produced, it tends to be larger when P B X is closer to one.
example, for η loss = 10 dB and p ec = 10 −3 we obtain 2.42 × 10 9 bits when P B X = 0.9 and 8.68 × 10 8 bits for P B X = 0.3. Using P B X = 0.9 yields a key that is ≈ 2.8 times greater than using P B X = 0.3. However, fixing P B X to a small value gives ℓ > 0 over a wider range of losses, but at a cost of providing less secret key bits at lower losses than using larger values for P B X . This trade-off results as lower values for P B X means P B Z is larger thus increasing the number of bits available for parameter estimation. This is important for high losses, but for lower losses this leads to an excess of signals for parameter estimation at the expense of key generation. As only bits in the X-basis are used to construct the final key, having an excess of bits in the Z basis becomes wasteful. The choice of P B X is governed by whether we want to design a system to function over wide ranges of loss as possible. And if so, how great a decrease in secure key length are we willing to accept to achieve this robustness.
We've allowed P A X to vary and in particular, we do not assume that P A X = P B X . Some optimized values for P A X , corresponding to figure 6 are presented in Appendix C. In it is observed that P A X is generally not equal to P B X , which means there is an advantage to allowing P A X = P B X . Table 2 corresponds to P B X = 0.3 and p ec = 5 × 10 −5 , it shows that P A X is close to one for η loss =18 dB, and decreases as the loss increases. This demonstrates that setting P B X = 0.3 is sacrificing too much data to parameter estimation. The opposite case is shown in table 5, which corresponds to P B X = 0.9 and p ec = 10 −6 . Here we see that for η loss ≥ 34 dB, P A X is less than P B X = 0.9. This occurs because the loss is so great that we need to ensure we have sufficient data in the Z-basis for parameter estimation.
We've shown that allowing P A X to differ from P B X is beneficial when P B X is fixed. Figure 7.
A 3D plot of ℓ plotted for total system loss η loss and log 10 (p ec ). QBER I = 0.01, integration time was 30 minutes, P B X = 0.5 was fixed, µ 1 = 0.50, µ 2 = 0.10 and µ 3 = 0. Even when both P B X and {µ 1 , µ 2 , µ 3 } are fixed, we can still choose values that allow one to extract a secure key over a wide range of system parameters.
However, care must be taken with this observation. We have not shown that one should always optimize both P A X and P B X separately. Instead, we have argued that if P B X is fixed, then it is advantageous to allow P A X to differ from P B X . In fact, one can prove that for any values of P A X and P B X , one can find different values, where P X = P A X = P B X , that yields the same ratio of raw bits in each basis and provides a possibly greater total number of sifted bits. The proof of this is presented in appendix D.
Due to deployment in different locations and operation during both night and day, the environmental factors of the system will differ. So far we assumed that signal intensities could be adjusted to accommodate the anticipated operating conditions. In practice this could be both costly and difficult to automatically employ, hence we now investigate the effect of fixing {µ 1 , µ 2 , µ 3 }. We look at finding fixed values for the intensities that still allow ℓ > 0 over a wide range of different environmental conditions. As discussed in section 3.4, we use the numerically optimized results for ℓ, with P B X fixed, to help find robust values for µ 1 and µ 2 , as in figure 7 where ℓ is plotted for P B X =0.5 and µ 1 = 0.50, µ 2 = 0.10 and µ 3 = 0. Even when both P B X and the intensities are fixed, we can still obtain ℓ > 0 over a wide ranges of values for η loss and p ec . Furthermore, we obtain significant values for the secure key length. The value P B X = 0.5 is not special and similar results can be obtained for other commonly available splitting ratios of beamsplitters (appendix B figure 10).

Effects of intensity uncertainty on secure key length
In the protocol the pulse intensities need to be well characterized. In a laboratory setting the intensities of the WCPs can be controlled to a high degree. In contrast, this will be difficult in a commercial system deployed within a busy urban environment. Instead, there may be long terms drifts or else systematic offsets from the ideal intensity values. This uncertainty affects the protocol as the security analysis assumes Alice transmits particular values for {µ j }. Bob then uses this information to estimate the vacuum and single photon yields. To ensure security, we must conservatively assume that the values transmitted correspond to those leading to the the largest amount of privacy amplification required.
If the WCP intensities can vary by at most a fraction f , the actual mean photon number of the j-th intensity lies within the range [µ j − f µ j , µ j + f µ j ]. If we neglect the other intensities and model the variation from µ j by a Gaussian distribution, then we would require that a large variation from µ j must occur with probability less than ǫ sec , otherwise the security might be compromised. For the full protocol, we use 3 different WCPs, the weakest pulse the vacuum (µ 3 = 0). Any variation in this will be due to dark counts and stray-light and this is already taken into account in the previous analysis. Instead, we are concerned with the uncertainty in µ 1 and µ 2 . If we model these with a multivariable Gaussian, then we require that any fractional variation larger than f occurs with probability less than ǫ sec . The variance of these Gaussians is distinct from the photon statistical fluctuations but is determined by the uncertainty in how well one can set the intensities of the WCPs, an extremely stable laser could still have a large uncertainty in the WCPs intensities due to calibration of the electronic control system.
In practice, we can measure and determine the uncertainties in the WCPs and then deduce the value for the maximum fractional deviation, f . Any larger deviations must occurs with probability less than ǫ sec . From this we obtain a range of values for µ 1 and µ 2 . We find combinations of values that lead, in the worst case, to the smallest secure key. As we have no a priori information about what are the real values for µ 1 and µ 2 , we assume the worst case and perform parameter estimation and privacy amplification with those values of intensities. This ensures the security of the system, but at a cost of reducing the length of the secret key.
Similar approaches have been studied before, but with important differences [44,45]. In [44], they employed a numerical parameter estimation method with possible values of µ j whose uncertainties were accounted within the numerical optimization scheme. In [45] the authors use an analytic approach directly incorporating fluctuations within the estimation procedure. Here, we use an analytic estimation procedure but take account of fluctuations using numerical optimisation, also considering the case where the nominal intensities are fixed for different losses, not considered in [44,45]. Additionally, in [44,45] the same uncertainties are applied to all signals with the same intensity but different polarization, we employ a slightly more involved approach as described below. As such, our results complement the existing literature. x-axis is the total system loss η loss and the y-axis is log 10 (p ec ).
Separate lasers and driving electronics may be used for different signal states, hence we must allow µ 1 and µ 2 to vary independently for both bases and bit values, i.e. they can take different values from the intervals [µ j − f µ j , µ j + f µ j ], j = 1, 2. To estimate s X,0 and s X,1 Bob will need to know µ 1 and µ 2 . We assume Bob knows both the intended values and f . As such, he can construct the intervals [µ j − f µ j , µ j + f µ j ], j=1,2. However, neither Bob or Alice will know the real values for µ 1 and µ 2 . During parameter estimation, Bob must choose values for µ 1 and µ 2 that lead to the smallest secret key. To summarize, we choose values for µ j from [µ j − f µ j , µ j + f µ j ], j=1 and 2, independently for the four signal states H, V , D and A, and also independently for Bob. We then find the smallest possible value for ℓ, which is the worst case value. To guarantee that we have performed sufficient privacy amplification, and thus the protocol is secure, we must use the worst case value for the secure key length.
To find the minimum value of the secret key, we discretise the intervals [µ j − f µ j , µ j + f µ j ]. Numerical investigations showed that the minimum always occurred for values of µ j at the edges of the intervals. This lead us to limit ourselves to 3 possible values for each µ j : µ j − f µ j , µ j and µ j + f µ j , retaining the middle value as a check on our assumption that the end values always yield the minimum. The minimization thus requires evaluating the secure key length for 3 10 different sets of WCP intensities.
We study the case where we fix both the receiver basis probability and the WCP intensities, illustrated in figure 8. As expected, the effect of uncertainty is to reduce ℓ and in particular, ℓ goes to zero for lower values of η loss as f increases. The effect, for a given value of p ec , is to decrease the total loss budget of about 4 dB which can make a significant difference and must be factored in when designing a QKD system.

Conclusions
We have presented an in-depth investigation of the performance of efficient BB84 with the aim of aiding the design of terrestrial free-space QKD systems. For fibre-based systems, the channel conditions are relatively stable and controled, in contrast to a ground based, free-space QKD network where daily light levels and environmental conditions can vary site-to-site and from hour-to-hour. This motivates a systematic study of how the secure key length varies with loss and extraneous count rates. For the design of realistic commercial systems, for example see [19], one must also consider fixing protocol parameters though operating in different environments. We examine such factors that are important to the deployment of a ground based QKD network. For a real system, the signals are transmitted for a finite duration, and thus finite statistical effects are important to the performance. A particularly dramatic example was illustrated in figure 4, where increasing the integration time allowed extraction of a secure key in conditions where this was impossible for smaller integration times. Using a long integration times thus makes a system more robust.
For longer integration times, the secure key length was strongly affected by the probability of an extraneous count, e.g. from background light or a detector dark count. In particular, we found that when the rate of background counts is high, we can tolerate only low losses if we are to generate a secret key. This is an important design consideration. To allow for as large a loss budget as possible, we must reduce the extraneous counts. For a ground based, free-space QKD system, one should either operated in night conditions, or the receivers must be shielded from background light.
For a commercial QKD system, it would be difficult and expensive to customise all system parameters when deploying the system in different conditions. For example, the receiver basis choice is usually implemented with a passive beam-splitter, which will be fixed during production to reduce costs. Similarly, changing the WCP intensities for different locations or channel conditions would require adjustable components and systems, potentially increasing the cost. Adapting the intensities either on a site-by-site basis, or on a session basis adds considerable complication to deployment and operations, further increasing costs. In section 5 we showed that one can fix both the receiver's basis choice probability and the WCP intensities, and still extract a secure key over a wide range of different environmental conditions. We also found that a larger secure key is obtained by allowing the transmitters basis choice probability to differ from the receiver's, when the latter was fixed.
Finally, we investigated the effects of uncertainties in the fixed WCP intensities, where we allow for independent uncertainties in all four encoded signal states. If their is any uncertainties, then to ensure security, this needs to be factored in during the privacy amplification stage. We find that uncertainties reduce the secure key length. In particular, it can reduce the region of parameter space for which we can extract a secure key. In some cases the reduction can be of the order of 3-4 dB. As such it is vital to factor in these effects when designing any QKD system. and pointing errors, must be be no greater than 15.6 dB. The transmitter and receiver must thus be designed so as to keep these losses below about 15 dB. However, if the extraneous counts can be reduced by a factor of 4, to p ec = 2.5 × 10 −5 , by better design of the transmitter and receiver, then we can extract a key up to η loss = 26 dB. This increases the loss budget for the design of the optics to 19.6 dB. This example illustrates that if the QKD link is to be robust to advection fog, then it is crucial to design the receiver and transmitter so as to reduce background light.
In the previous example we assumed that P B X and the WCP intensities can both be adapted to the location. In a future commercially deployed systems, such as that planned as part of the AirQKD project [19], both the receiver basis and the set of intensities will be fixed for all units. Furthermore, suppose the design brief requires each link to produce 50, 256-bit AES keys every 10 minutes. For an integration time of 30 minutes, we need ℓ = 38, 400 bits. As with the previous example, we assume that the link distance is 300m and the source is at 850nm. Furthermore, locations are chosen such that for night operation, p ec is at most 10 −6 . Using MODTRAN 6 [43], for an urban environment with link distance 300m, the losses due to scattering and absorption are 0.6 dB. We fix the protocol parameters to P B X = 0.5, µ 1 = 0.5, µ 2 = 0.1 and µ 3 = 0, which are the same as for plot 7. By assumption, the the worst case is p ec = 10 −6 , for which ℓ > 38, 400 for η loss up to and including 42 dB. The total loss budget, minus absorption and scattering, is approximately 41 dB.
For η loss = 42 dB, we produce over 125,800 bits of key. However, due to finite statistical effects, the key dips to below 38,400 bits for η loss = 42.5 dB. If we operate the system right at the edge of the loss budget, then any unexpected increase in say pointing error due to strong winds, will lead to the system falling below its aim of producing 50 AES keys every 10 minutes. However, as we produce large amounts of key (125,800 bits for η loss ), we could store the excesses key. It is thus possible to smooth out any outages by designing the memory and the classical part of the cryptographic infrastructure, using knowledge of the protocol performance under different environmental conditions. Appendix B: Additional result for different values of P B X In section 5 we investigated fixing the receiver basis choice probability, P B X . We demonstrated that P B X can be fixed to either 0.3 and 0.9, and ℓ > 0 for a wide range of values for p ec and η loss . The two values considered for P B X correspond to common commercially available beam-splitter splitting ratios. Two other common values are P B X = 0.5 and 0.7, which we now investigate for completeness. Figure 9 is a 3D plot of ℓ, plotted for η loss and log 10 (p ec ). Both plots are for an integration time of 30 minutes and QBER I = 0.01. In figure 9, (a) is for P B X = 0.5, while (b) is for P B X = 0.7. This plot demonstrates that one can obtain a secure key for a wide range of environmental conditions for many different fixed values of P B X . We also investigated fixing both P B X and {µ 1 , µ 2 , µ 3 }. Even when fixing all these parameters, it was still possible to find values such that one could obtain secure key Figure 9.
A 3D plot of ℓ plotted for total system loss η loss and log 10 (p ec ). All plots are for QBER I = 0.01 and an integration time of 30 minutes. The receiver basis choice probability is fixed to set values for both plots. In figure (a) P B X = 0.5 and in (b) P B X = 0.7. over a wide range of environmental conditions, as shown for P B X = 0.5 in figure 7. We can also obtain similar results for different values of P B X . In figure 10 we plot ℓ against log 10 (p ec ) and η loss , for an integration time of 30 minutes and QBER I = 0.01. In plot (a) P B X = 0.3, µ 1 = 0.785, µ 2 = 0.0455 and µ 3 = 0, while in (b) P B X = 0.7, µ 1 = 0.50, µ 2 = 0.10 and µ 3 = 0. The results demonstrate that one can obtain fixed intensities for different choice of P B X , which lead to large values of the secure key over wide ranges of environmental parameters.
Appendix C: Sample optimized values for P A X , when P B X is fixed In this appendix we present some optimized values for P A X when P B X is fixed. The fact that we allow Alice and Bob to have different basis probabilities is a novel feature of the current analysis. As such, it is worth presenting some results for how P A X changes. The results are presented in tables 2-5. All results correspond to an integration time of 30 minutes and QBER I = 0.01.  A key feature in all tables is that the optimal secure key length is obtained for P A X = P B X . As a general trend, the value of P A X tends to decrease as η loss increases. Intuitively, this occurs as for greater values of η loss we have less overall data and thus less data in the Z-basis. To ensure we can perform parameter estimation without error, we need to increase the fraction of data in the Z-basis.  however, is not necessarily true. When both Alice and Bob's basis choices are free to vary, then it is sufficient to optimize P X = P A X = P B X . This follows from the following observation. For any values for P A X and P B X , there exists a basis probability P X that yields the same ratio of raw bits in each basis, but where the total sifted bits is greater than or equal to number of raw bits obtained with P A X and P B X . This means that the optimal raw key can always be found by using P A X = P B X = P X . Suppose we have particular values for P A X and P B X , where P A X = P B X . The fraction of bits retained after basis sifting is The fraction of sifted bits in the X basis relative to the Z basis is K = P A X P B X /[(1 − P A X )(1 − P B X )]. Consider instead if Alice and Bob both had both chosen the X-basis with probability P X . The fraction of sifted bits retained is F ′ = P 2 X + (1 − P X ) 2 . For the ratio of bits in each basis to be the same as before we need P X /(1 − P X ) = ± √ K. This yields two values for P X , we take the value P X = √ K/(1 + √ K). One can show that Eq. (6) can be re-written in terms of K as: Our proposition is false if there exists values for P A X and P B X such that F > F ′ . Using Eq. (7) and re-arranging, the condition F > F ′ can be shown to be equivalent to The right hand side of the above Eq. is of the form of a scalar product between the two vectors: ( P A X , 1 − P A X ) and ( P B X , 1 − P B X ). From the Cauchy-Schwartz inequality, we have ( P A X , 1 − P A X ) · ( P B X , 1 − P B X ) ≤ [P A X + 1 − P A X ][P B X + 1 − P B X ] = 1. This implies that the inequality (8) can never be satisfied. But this means that the choice of P X that leads to Eq. (7) can never yields a smaller total fraction of sifted bits than for P A X = P B X , i.e. F ′ ≥ F . The raw key is thus greater than or equal to the original raw key.
Appendix E: Details for how p ec and QBER I contribute to the secure key length The secure key length, ℓ, is calculated using Eqs. (2), (3) and (5), together with Eqs. (1) to (5) from [35]. The extraneous count probability, p ec , and the intrinsic quantum bit error rate, QBER I , induce the errors, which in turn affects ℓ. We detail the relationship in this appendix. The approach is the same as outlined in [39].
The average probability for a pulse of intensity k ∈ {µ 1 , µ 2 , µ 3 } to produce a detection event is given by the equation The probability for a pulse of intensity k to yield a bit with an error is given by e k = p ec + p ap D k 2 + QBER I (1 − exp[−η loss k]).
The total number of pulses transmitted is the product of the integration time, τ , and the source's repetition rate, f s . If the channels parameter, such as η loss , can vary with time, then we partition the integration time into time-slots of width ∆τ , where this is chosen such that the parameters are approximately constant over this time interval. The number of detection events in the X-basis within the j-th time-slot are: n (j) X,k = P A X P B X p k D k (j)f s ∆τ, (11) where p k is the probability to transmit a pulse with intensity k. The total number of detection events in the X-basis from pulses with intensity k is: n X,k = j n (j) X,k and the total number of detection events in the X-basis is n X = k n X,k . The results for the Z-basis have the same form, but with X swapped to Z.
The number of errors in the X-basis, within the j-th time-slot, is m (j) where n (j) X,k . The total number of errors in the X-basis is m X = j m (j) X . The fraction of errors resulting from a pulse of intensity k can be found by weighting m (j) X by the term p k D k (j)/[ k p k D k (j)]. Similar results can be found for the Z basis. These quantities can be used in Eq. (3) and (5) together with Eqs. (1) to (5) of [35], to calculate the length of the secure key (2).