LEO Satellites Constellation-to-Ground QKD Links: Greek Quantum Communication Infrastructure Paradigm

: Quantum key distribution (QKD) has gained a lot of attention over the past few years, but the implementation of quantum security applications is still challenging to accomplish with the current technology. Towards a global-scale quantum-secured network, satellite communications seem to be a promising candidate to successfully support the quantum communication infrastructure (QCI) by delivering quantum keys to optical ground terminals. In this research, we examined the feasibility of satellite-to-ground QKD under daylight and nighttime conditions using the decoy-state BB84 QKD protocol. We evaluated its performance on a hypothetical constellation with 10 satellites in sun-synchronous Low Earth Orbit (LEO) that are assumed to communicate over a period of one year with three optical ground stations (OGSs) located in Greece. By taking into account the atmospheric effects of turbulence as well as the background solar radiance, we showed that positive normalized secure key rates (SKRs) up to 3.9 × 10 − 4 (bps/pulse) can be obtained, which implies that satellite-to-ground QKD can be feasible for various conditions, under realistic assumptions in an existing infrastructure.


Introduction
The advent of quantum computing may affect classical key cryptography in the next decades, setting a large part of cryptosystems insecure. Quantum computers are constantly gaining computational power with the manipulation of more and more qubits [1], while at the same time Shor's algorithm ensures that today's classical public key algorithms will become obsolete [2]. While data content is constantly becoming more vital and its security is getting compromised more frequently, the need for resilient schemes in cryptography is of high importance. Quantum cryptography promises unconditional security based on the laws of nature rather than computational security, providing a combat to the threat of quantum computers [3][4][5]. Quantum key distribution (QKD) protocols can establish a private key encryption between two remote parties, ensuring the generation of a shared key, which can be used in symmetric cryptographic algorithms, such as the Advanced Encryption Standard (AES).
Since the emergence of the first QKD protocol in 1984 [6], rapid progress has been made in the last decade, resulting in increases of transmission distances and key rates [3]. Fiber links have been realized and scaled up to the network size, as in SECOQC [7]. Despite the great progress, this technology has to overcome a major limitation. The lack of efficient quantum repeaters results in unamplified signals [8], thus leaving weak single-photon pulses extremely exposed to the induced attenuation due to the propagation. Therefore, serious limitations occur regarding the distance reach of such links, especially in fiber media. Currently, the maximum ground-based communication range achieved is 509 km in Photonics 2021, 8,544 3 of 20 lent atmospheric channel under daytime and nighttime conditions. For QKD transmitter stations, we considered a satellite constellation consisting of 10 LEO satellites flying at an orbital height of about 600 km. We assumed that each satellite can communicate with up to three OGSs at the same time. These ground stations are hosted in astronomical observatories located across Greece, and they were selected to support three different segments of Greek QCI. In order to model the atmospheric link, we took into account the position, height, and receiver's telescope diameter of each OGS. By examining a period of one year, we reported secure key rates (SKRs) up to kbps and total distilled key bits per ground station up to Gbits. Finally, we described how the trusted satellites could share keys with the OGS in order to establish inter-OGS communication, and we examined if the distilled key rates can meet the demands for AES 256-bit key refresh time necessary to keep the attack success probability as low as possible.
The paper is structured as follows. Section 2 briefly describes the BB84 QKD protocol and its system architecture in the proposed satellite QKD network of ground stations located at Greek territory. Section 3 describes the methodology for the modeling of the atmospheric downlink channel, by taking into account the OGSs' positions and altitudes. Finally, Section 4 provides the results of this study, and Sections 5 and 6 discuss and conclude this work, respectively.

System Architecture, Satellite, and Ground Stations
The presented work focuses on the use of LEO satellite-to-ground QKD links for delivering quantum keys on the ground segment of the network. The orbit altitude of LEO satellites is lower than 2000 km, thereby allowing for much higher signal-to-noise ratio (SNR) values and lower free-space loss compared to geostationary Earth orbit (GEO) satellites, which are positioned in a height of about 35,000 km. On the other hand, in contrast with GEO satellites that are at a fixed position in the sky, LEO satellites are visible by OGSs only a few minutes each day, if the atmospheric conditions allow it.
Through our analysis, we considered the satellite-to-ground scenario (downlink) assuming the cloud-free line of sight conditions and links with elevation angle higher than 20 degrees. In the case of downlink transmission, the attenuation caused by atmospheric turbulence is lower compared to that of the uplink, since the laser beam has already expanded before it comes into contact with the atmosphere [23,32]. Aside from the attractive transmission features, the downlink scenario is compatible with the strict requirements of satellite system architectures. More specifically, it allows the implementation of a compact quantum sender station based on a highly attenuated coherent source and simple optics for the encoding of quantum information, being also controlled by simple electronics [33]. In this way, complex single-photon counters which require advanced cooling mechanisms are located at the ground stations where there are not any strict requirements on footprint and energy consumption. Moreover, by implementing the satellite-to-ground scenario, large apertures for the single-photon detection can be placed in astronomical observatories. In this way, smaller, lighter apertures can be employed on board in space.
Through our analysis, we assumed that three astronomical observatories in Greece communicate with the LEO satellite constellation. The first is located in Skinakas (South, longitude: 35.2118 • , latitude: 24.8981 • ) at a height of 1750 m, the second in Helmos (Middle, longitude: 37.9855 • , latitude : 22.1984 • ) is at a height of 2340 m, and the third in Cholomondas (North, longitude: 40.3419 • , latitude: 23.5060 • ) is at a height of 850 m. These three observatories are involved in Greek QCI, which aims to build a secure communication infrastructure by exploiting the terrestrial fiber segments for quantum key delivery in users [31]. The location of each OGS is shown in Figure 1. The quantum key sifting is assumed to be implemented via a public optical channel. For this purpose, different wavelengths within the standard bands will be available for classical data channel and quantum channel. Uplink beacon and other service channels for the QKD link establishment can be also implemented within the available bands [Error! Reference source not found.].

Weak + Vacuum Decoy-State BB84 Protocol
In our simulation, we used the most well-known variation of the BB84 protocol [Error! Reference source not found.], the weak + vacuum decoy-state BB84 protocol [Error! Reference source not found.]. The concept behind the BB84 protocol is that Alice encodes bit sequences into different polarization states of single photons. Its security generally relies on the fact that Eve's presence cannot remain undetected due to the quantum nature of single photons and will therefore inevitably introduce errors in the bit sequences. The only thing Alice and Bob have to do is to sacrifice a part of the exchanged The quantum key sifting is assumed to be implemented via a public optical channel. For this purpose, different wavelengths within the standard bands will be available for classical data channel and quantum channel. Uplink beacon and other service channels for the QKD link establishment can be also implemented within the available bands [34].

Weak + Vacuum Decoy-State BB84 Protocol
In our simulation, we used the most well-known variation of the BB84 protocol [6], the weak + vacuum decoy-state BB84 protocol [35]. The concept behind the BB84 protocol is that Alice encodes bit sequences into different polarization states of single photons. Its security generally relies on the fact that Eve's presence cannot remain undetected due to the quantum nature of single photons and will therefore inevitably introduce errors in the bit sequences. The only thing Alice and Bob have to do is to sacrifice a part of the exchanged bits to estimate the error rate. If the bit error rate is lower than a specific threshold, they proceed to the procedure of the secure key distillation. Despite that the unconditional security of the BB84 protocol has been proven [5,6,36], security loopholes may arise when moving on its practical implementations. For example, due to the hardness of engineering on-demand single-photon sources, most QKD implementations and experiments rely on the use of highly attenuated laser sources which emit probabilistically photons, including also multi-photon pulses. In order not to compromise security by the presence of these multi-photon pulses, the selected intensity level leads to an average photon number much smaller than one, thereby leading to lower detection rates. Even in that case, there exist a non-zero probability of emitting multi-photon states, which can open the possibility of photon-number-splitting (PNS) attacks. The need to counter the PNS attack [37] triggers the invention of the decoy-state protocol [35,38,39], which allows the efficient distillation of secure keys using weak coherent pulse-based QKD systems that were once vulnerable [8]. In the weak + vacuum state modification, this kind of attacks is encountered using decoy and vacuum states in order to precisely measure the attenuation of the channel, the background noise, and detector's dark counts. It has been shown that, with the decoy modification, higher key rates and longer communication distances can be achieved [40,41].
For the reasons mentioned above, we adopted the weak + vacuum decoy-state BB84 protocol [35]. The introduction of the decoy states enhances the detection of eavesdropping via PNS attacks, thus allowing Alice to transmit a higher mean photon number per pulse, improving key rates and reaching longer distances. It is important to mention here that this protocol is suitable for free-space transmission, since experimental results have already shown very good polarization stability in the satellite-to-ground transmission [42,43]. The normalized SKR (bps/pulse) is lower bounded by the following inequation according to [35], as described in Appendix A: where f rep is the transmitters pulse repetition rate, q is the protocol efficiency, subscript µ is the average photon number per signal in signal states, Q µ and E µ are the gain and the quantum bit error rate (QBER) of signal states, respectively, Q 1 and e 1 are the gain and the error rate of the single-photon state in signal states, respectively, f(x) is the bi-directional error correction rate, and H 2 (x) is the binary entropy function.

FSO Channel Modeling
Atmospheric conditions have a serious impact on the performance of the link. In the following subsections, the atmospheric losses under the cloud-free line of sight conditions, link losses, and setup losses are summarized [16,[21][22][23]44].

Received Power
The received power after the receiver telescope and before the photo detector Pr (watt) can be estimated as [16,22,23]: where P t and P r are the transmitted and received intensities respectively, L a is the atmospheric transmittance, L pt is the pointing loss factor, L sci is the scintillation loss factor, L f sl is the free-space loss, and G t and G r are the transmitter and receiver gains, respectively.

Free-Space Loss
The free-space loss of the optical signal is due to the optical wave propagation from the transmitter to the receiver and is calculated as [32]: where λ (m) is the wavelength of the signal and d(θ) is the distance between the satellite and the OGS, which depends on the elevation angle of the satellite and can be given by [45]: where H (m) is the satellite attitude above Earth's surface, R e (m) is the Earth's radius, and θ (rad) is the elevation angle.

Transmitter and Receiver Gains
The gains of the transmitter and the receiver can be calculated according to [23]: where D r (m) is the receiver's aperture diameter and w 0 is the half-width beam divergence angle (rad), which depends on the transmitter's aperture diameter D t (m) and can calculated as follows [32]:

Atmospheric Attenuation
The atmospheric transmittance of the laser beam under clear sky conditions (absence of clouds, rain etc.) is also dependent on the elevation angle and can be given by Equation (7) [46]: where L zen is the vertical link transmittance and ζ (rad) is the zenith angle of the link. It is evident that, for low elevation angles, atmospheric attenuation is higher, since the light has to travel a longer path through the atmosphere to reach the receiver.

Pointing Error Loss
The pointing error loss is usually estimated for a specific probability from the probability density function (PDF) of the normalized intensity as follows [47]: where β p is the divergence pointing ratio and can be written as: where σ p is the pointing error variance in rad and w 0 is the half-width divergence angle of the transmitted beam commuted for Gaussian beams. For a given outage probability p 0 , the pointing error loss L pt is calculated as follows [47]:

Scintillation Loss
Scintillation can heavily affect an FSO communication link by causing intensity fluctuations in the receiver [32]. These fluctuations are caused by thermal changes that lead to changes in the refractive indices in small air cells, resulting in beam diffraction and beam wander [23,32]. In the case of satellite downlink, the beam front is usually much larger than the size of these air cells; therefore, the effect of scintillation in the receiver is small but should be taken into consideration.
The intensity of the scintillation is often described as weak, moderate and strong, depending on the value of the refractive index structure parameter C 2 n (m −2/3 ), which strongly depends on the atmospheric conditions such as temperature and pressure. In this analysis, the modified expression of Hufnagel-Valley model was used [23,32], which takes into account the altitude of the ground station and the elevation angle. The value of C 2 n can be calculated as follows [22,23]:  where A 0 (m −2/3 ) is the refractive index structure parameter at the ground level, u rms (m/s) is the average wind speed along the slant path using the Bufton model, H GS (m) is the OGS altitude height, and h (m) is the height above the ground station altitude. For a plane wave approximation and assuming the Kolmogorov model, the scintillation index for weak, mean, and strong turbulences can be given by the following expression [16,32]: where σ R is the Rytov index which when taking into account the OGS's height and can be calculated as [16,32]: where k (rad/m) is the wavenumber, ζ (rad) is the zenith angle, and H Turb (m) is the turbulence altitude which is considered negligible for altitudes higher than 20 km. To continue, we also considered the aperture-averaging effect in order to take the receiver's aperture diameter into account. The aperture-averaging factor was expressed as [32,48]: where σ 2 I is the scintillation index for a receiving telescope and is described as: The aperture-averaging factor is calculated according to the following expression [32,49]: where ρ I is intensity structure size parameter [32,49]: where θ (deg) is the elevation angle of the link and H d is 12,000 m. Finally, for modeling the signal fluctuation due to the scintillation effect, we used the log-normal distribution that suits for weak-and moderate-turbulence regimes. The log-normal normalized PDF is calculated as [32,49]: where σ 2 lnI = ln(σ 2 I + 1). Given the PDF, we can now calculate the loss (dB) that is introduced by scintillation for a given probability (e.g., 1%) threshold as follows [49]:

Background Solar Radiance
Since single-photon detectors are extremely sensitive to noise, solar radiance is a major limitation in the implementation of a QKD FSO link under daylight conditions. The background noise power level in watt reaching the receiver can be given by the following equation [50]: where H rad W/m 2 sr µm corresponds to the background radiance energy density, Ω FOV (sr) is the field of view of the receiver's aperture, A r (m 2 ) is the receiver's capture area, and ∆λ (µm) is the receiver's band pass optical filter width. To insert this value to the QBER, we expressed the solar background noise power level in watt reaching the receiver in counts per second. Therefore, the probability of the detector firing due to a background noise photon can be expressed as: where h × f corresponds to the energy of a single photon and therefore P back /(h × f ) denotes the photon flux arriving at the receiver measured in counts per second. It is clear that a narrow bandpass filter combined with a limited receiver's field of view (FOV) is necessary to keep the background noise to acceptable levels.

System Parameters
To begin with, the wavelength of 1550 nm was selected. At this wavelength, we observed low atmospheric loss and decreased solar radiance [51,52]. Through this study, only the satellite downlink scenario was examined, while only satellite elevation angle over 20 • was considered. Considering the atmospheric parameters, the value of the refractive index structure parameter at the ground level was set to 1.7 × 10 −14 (m −2/3 ), and the average wind speed was set to 10 m/s. The pointing error variance was set to 0.75 µrad, and the pointing loss was calculated for an outage probability of 1%.
Considering the satellites components, we assumed an aperture of 0.15 m [24] for all three transmitters that the satellites are equipped with, providing a small beam divergence of about 13 µrad. On the receiver side, we assumed that every OGS is equipped with a different telescope aperture. Specifically, the OGSs of Skinakas, Helmos, and Cholomondas are equipped with a receiver telescope aperture of 1.3 m, 2.3 m and 0.75 m, respectively. To continue, in order to minimize the effects of strong daylight radiance, we assumed a narrow FOV of 100 µrad [27] and a narrow band-pass filter of 0.2 nm with an insertion loss of 3 dB. Concerning the detectors, we assumed two superconducting nanowires singlephoton detectors (SNSPDs), which offer high detection efficiencies and low timing jitter [53]. Specifically, in our analysis, we assumed SNSPDs with quantum efficiencies of 85% at 1550 nm, dark count rates of 300 counts per second (cps), timing jitter of 50 ps, dead time of 30 ns, and no after-pulsing effect. The detector's gate duration time was set to 1 ns. These values correspond to the typical performance of SNSPDs modules photon counters for single-photon detection at telecom wavelengths [53]. Finally, the Bob's receiver loss was set to 2.65 dB [54], Bob's interferometer visibility was set to 98%, and the polarization decoherence loss of the link was set to 0.3 dB [43].
Considering the mean photon number values of the signal and decoy states, we proceeded with a numerical optimization in order to provide the possible highest key rates. Specifically, the quantum signal mean value was set to µ = 0.56, the decoy mean value was set to ν = 0.11, and the protocol efficiency was set to about q = 2/5 (signal:decoy:vacuum ratio = 4:1:16, and 1 2 due to the BB84 protocol; Appendix A) [35]. Finally, the bi-direction error correction efficiency f (e) was set to 1.22, corresponding to the CASCADE error correction algorithm [55].

Feasibility of LEO Satellite-to-Ground QKD in Daytime and Nighttime
In this subsection, we analyzed the performance of the satellite FSO downlink considering one LEO satellite and one OGS. For the evaluation studies included in this subsection, the receiver's telescope aperture diameter was set to be 0.75 m (if not stated otherwise).

Distance Reach
As we have already discussed in the introduction section, fiber QKD links are limited to few hundreds of kilometers due to the photon loss imposed by the fiber medium. When light propagates through empty space, none attenuation mechanism is present and therefore longer distances can be reached. On the other hand, other factors should be considered that lead to increased transmission losses, such as free-space loss. In order to minimize the geometrical loss, narrow beam divergences and large receiver apertures can be used. Aside from the loss mechanisms, the effect of the solar background noise during the day can significantly degrade the transmission performance. To combat this effect, ultra-narrow band-pass filters can be used to minimize the background noise to acceptable levels and isolate the quantum passband. Following the above approach and by using state-of-the-art equipment in both the satellite and the ground station, links up to GEO distances can be achieved [56]. Figure 2a shows the total downlink loss of the link including the quantum efficiency of the detectors, the setup loss of Bob station, the absorption and geometrical loss, the scintillation effect loss, pointing loss, and polarization decoherence loss. Figure 2b shows the SKR as a function of receiving telescope aperture and link distance under nighttime conditions. effect, ultra-narrow band-pass filters can be used to minimize the background noise to acceptable levels and isolate the quantum passband. Following the above approach and by using state-of-the-art equipment in both the satellite and the ground station, links up to GEO distances can be achieved [Error! Reference source not found.]. Figure 2a shows the total downlink loss of the link including the quantum efficiency of the detectors, the setup loss of Bob station, the absorption and geometrical loss, the scintillation effect loss, pointing loss, and polarization decoherence loss. Figure 2b shows the SKR as a function of receiving telescope aperture and link distance under nighttime conditions. It is evident from the contour plots in Figure 2 that the total link loss for a 600 km link distance can get as low as 20 dB in total. To achieve this loss performance, a large enough telescope in the receiver is required. It should be also noted that this value would be the lowest for the link for an orbital height of 600 km that corresponds only to the point when the satellite is exactly above the station.

QKD under Different Background Noise Levels
The detection of single-photon signals buried in the intent background noise stemming from the solar radiance could be practically a very challenging task. Therefore, specific techniques are required to alleviate the presence of noise photons in QKD links, such as narrow spectral filtering and short detector gate time opening at Bob station. Even in this case, the presence of solar daylight radiance still affects drastically the performance of the link. The values of the solar background radiance during the day depend on the position of the satellite relative to the sun azimuth as well as on the OGS's location. In addition, weather conditions such as cloud presence may further deteriorate the situation, enhancing the strength of the effect of solar radiance. Typical values for (watt/sr m µm) at 1550 nm for clear sky daylight conditions may vary between 0.1 and 6 (watt/sr m µm) [24,52,57]. In Figure 3, the effect of the solar radiance over the normalized secure key rate is presented. It can be observed that the background noise is a limiting factor not only in the distance reach, but also in the angle of view. This leads to a smaller view cone, which in turn reduces the satellite-OGS communication time.
In Figure 3, it is evident that strong limitations are imposed on the key establishment It is evident from the contour plots in Figure 2 that the total link loss for a 600 km link distance can get as low as 20 dB in total. To achieve this loss performance, a large enough telescope in the receiver is required. It should be also noted that this value would be the lowest for the link for an orbital height of 600 km that corresponds only to the point when the satellite is exactly above the station.

QKD under Different Background Noise Levels
The detection of single-photon signals buried in the intent background noise stemming from the solar radiance could be practically a very challenging task. Therefore, specific techniques are required to alleviate the presence of noise photons in QKD links, such as narrow spectral filtering and short detector gate time opening at Bob station. Even in this case, the presence of solar daylight radiance still affects drastically the performance of the link. The values of the solar background radiance during the day depend on the position of the satellite relative to the sun azimuth as well as on the OGS's location. In addition, weather conditions such as cloud presence may further deteriorate the situation, enhancing the strength of the effect of solar radiance. Typical values for H rad (watt/sr m 2 µm) at 1550 nm for clear sky daylight conditions may vary between 0.1 and 6 (watt/sr m 2 µm) [24,52,57]. In Figure 3, the effect of the solar radiance over the normalized secure key rate is presented. It can be observed that the background noise is a limiting factor not only in the distance reach, but also in the angle of view. This leads to a smaller view cone, which in turn reduces the satellite-OGS communication time. In nighttime, the main source of background radiance is the moonlight. In addition, the night sky and city lights can also generate an amount of noise photons in the detectors. Typical values nighttime radiance ( ) at 1550 nm may vary from 1.5 × 10 (watt/sr m µm) (moonless clear night) to 1.5 × 10 (watt/sr m µm) (full moon clear night) [24,52,57]. Even in the case of full moon, the background radiance corresponds to 10 kcps in the photon counter at most. In the next subsections, we assumed that the link is always interrupted during daylight, and therefore, communication is only established during nighttime. The nighttime solar radiance was set to an average value of 1.5 × 10 (watt/sr m μm) and was kept constant for the needs of the numerical study.

QKD Link Performance of an LEO Satellite Constellation over Greek QCI
The satellite constellation considered in this study consists of 10 LEO sun synchronous satellites at an orbital altitude of about 600 km with an inclination angle of 97.4 . Each satellite flies over Greece approximately twice a day. The initial step towards the satellite QKD link modeling involves the estimation of time instances when each one of the ground stations views each satellite with an elevation angle greater than 20 . For this estimation, we used the latitude, longitude, and orbital height data of each satellite that are obtained every 10 s employing the AGI/STK system tool [Error! Reference source not found.].
By having all the time instances when the satellites are visible by the OGSs, we considered only nighttime communication, as discussed in the previous subsection. The time period between 6:00 am to 6:00 pm was considered as the daylight period; therefore, no key rates could be distilled during this time. In Figure 4 the satellites route during 24 h is depicted. In Figure 3, it is evident that strong limitations are imposed on the key establishment due to background radiance in daylight. More specifically, under our assumptions (0.2 nm filter passband, 1 ns detector gate opening, and 100 µrad FOV), the noise levels even for low solar radiance values are over the acceptable threshold, and therefore, no QKD link can be established. Further narrowing the quantum passband is a candidate solution, but state-of-the-art equipment with increased optical loss will be required. In general, it is uncertain if such a link could be operating under full daylight conditions [57].
In nighttime, the main source of background radiance is the moonlight. In addition, the night sky and city lights can also generate an amount of noise photons in the detectors. Typical values nighttime radiance (H rad ) at 1550 nm may vary from 1.5 × 10 −5 (watt/sr m 2 µm) (moonless clear night) to 1.5 × 10 −3 (watt/sr m 2 µm) (full moon clear night) [24,52,57]. Even in the case of full moon, the background radiance corresponds to 10 kcps in the photon counter at most.
In the next subsections, we assumed that the link is always interrupted during daylight, and therefore, communication is only established during nighttime. The nighttime solar radiance was set to an average value of 1.5 × 10 −4 watt/sr m 2 µm and was kept constant for the needs of the numerical study.

QKD Link Performance of an LEO Satellite Constellation over Greek QCI
The satellite constellation considered in this study consists of 10 LEO sun synchronous satellites at an orbital altitude of about 600 km with an inclination angle of 97.4 • . Each satellite flies over Greece approximately twice a day. The initial step towards the satellite QKD link modeling involves the estimation of time instances when each one of the ground stations views each satellite with an elevation angle greater than 20 • . For this estimation, we used the latitude, longitude, and orbital height data of each satellite that are obtained every 10 s employing the AGI/STK system tool [58].
By having all the time instances when the satellites are visible by the OGSs, we considered only nighttime communication, as discussed in the previous subsection. The time period between 6:00 am to 6:00 pm was considered as the daylight period; therefore, no key rates could be distilled during this time. In Figure 4 the satellites route during 24 h is depicted. Figure 4. Path of one out of 10 satellites during a single day of the year. The route lines to the left day by day. Note that the satellite can be seen coming with the direction, South to North or from North to South. In the faint red circle, a single pass of the s Greece is depicted.

Single Satellite Pass over a Single OGS
As the first step, a single pass of a satellite over the OGS of Helmos was ex Figure 5, the normalized SKR and the satellite-OGS distance are depicted as a time for one LEO satellite pass over the Helmos OGS. The duration of this single pass was found to be 340 s or 5.7 min. The max value that was obtained was 3.33 × 10 bps/pulse, which corresponded to

Single Satellite Pass over a Single OGS
As the first step, a single pass of a satellite over the OGS of Helmos was examined. In Figure 5, the normalized SKR and the satellite-OGS distance are depicted as a function of time for one LEO satellite pass over the Helmos OGS.

Single Satellite Pass over a Single OGS
As the first step, a single pass of a satellite over the OGS of Helmos was examined. In Figure 5, the normalized SKR and the satellite-OGS distance are depicted as a function of time for one LEO satellite pass over the Helmos OGS. The duration of this single pass was found to be 340 s or 5.7 min. The maximum SKR value that was obtained was 3.33 × 10 bps/pulse, which corresponded to the maximum elevation angle of 67.2°. The total number of key bits that were distilled from this single pass, assuming a 100 MHz Alice's repetition rate [Error! Reference source not found.,Error! Reference source not found.], was about 1.99 Mbits. It should be mentioned that the elevation angle of the satellite may differ from day to day, since the satellite does not always follow the exact same path over the OGS. Therefore, the satellite can be visible for either shorter or longer time lapses. The duration of this single pass was found to be 340 s or 5.7 min. The maximum SKR value that was obtained was 3.33 × 10 −4 bps/pulse, which corresponded to the maximum elevation angle of 67.2 • . The total number of key bits that were distilled from this single pass, assuming a 100 MHz Alice's repetition rate [25,26], was about 1.99 Mbits. It should be mentioned that the elevation angle of the satellite may differ from day to day, since the satellite does not always follow the exact same path over the OGS. Therefore, the satellite can be visible for either shorter or longer time lapses.

Satellite Full Constellation Pass over a Single OGS
Every satellite passes over a ground station approximately twice a day (24 h). Therefore, 10 constellations are visible around 20 times a day by every station. A single station can establish 10 different quantum links, each one with a different satellite. In Figure 6, the passes of the constellation over the observatory of Helmos over a period of one month and over two days are shown. Again, the time instances when the sun is up were filtered out, as it can be clearly seen in Figure 6b. Every satellite passes over a ground station approximately twice a day (24 h). Therefore, 10 constellations are visible around 20 times a day by every station. A single station can establish 10 different quantum links, each one with a different satellite. In Figure 6, the passes of the constellation over the observatory of Helmos over a period of one month and over two days are shown. Again, the time instances when the sun is up were filtered out, as it can be clearly seen in Figure 6b.
The total daily time contact for a single pass of the constellation over the OGS of Helmos can be found to be 2010 s or 33.5 min, thereby allowing for a longer quantum communication window. Aside from the increase of the overall key rates, the LEO satellite constellation increases the QKD link availability, since it is more likely that an OGS establishes a link to at least one satellite. Since the weather conditions and specifically clouds may interrupt the satellite downlink, the employment more satellites can increase the QKD link availability within the day. It is worth mentioning that the constellation satellites are placed in such a way to achieve the maximum availability. This means that no more than one satellite is visible by an OGS at the same time.

Satellite Full Constellation Pass over Greek QCI
The QKD link availability can be significantly enhanced by considering that each QKD satellite payload can communicate with a number of OGSs that are geographically distributed across the territory [Error! Reference source not found.,Error! Reference source not found.]. Assuming that each LEO satellite is equipped with three independent QKD Alice stations, three independent QKD links can be established with the three OGSs simultaneously for a period when they are all visible and only if the weather conditions allow it. Therefore, based on the link study in the above paragraphs, these three QKD links can be efficiently established for less than 10 min each day. During the rest of the period, the links could be used for classical communication or for other functions (e.g., imaging). Figure 7 illustrates the downlink normalized SKR between the satellite constellation and the three OGSs across Greece. The total daily time contact for a single pass of the constellation over the OGS of Helmos can be found to be 2010 s or 33.5 min, thereby allowing for a longer quantum communication window. Aside from the increase of the overall key rates, the LEO satellite constellation increases the QKD link availability, since it is more likely that an OGS establishes a link to at least one satellite. Since the weather conditions and specifically clouds may interrupt the satellite downlink, the employment more satellites can increase the QKD link availability within the day. It is worth mentioning that the constellation satellites are placed in such a way to achieve the maximum availability. This means that no more than one satellite is visible by an OGS at the same time.

Satellite Full Constellation Pass over Greek QCI
The QKD link availability can be significantly enhanced by considering that each QKD satellite payload can communicate with a number of OGSs that are geographically distributed across the territory [18,19]. Assuming that each LEO satellite is equipped with three independent QKD Alice stations, three independent QKD links can be established with the three OGSs simultaneously for a period when they are all visible and only if the weather conditions allow it. Therefore, based on the link study in the above paragraphs, these three QKD links can be efficiently established for less than 10 min each day. During the rest of the period, the links could be used for classical communication or for other functions (e.g., imaging). Figure 7 illustrates the downlink normalized SKR between the satellite constellation and the three OGSs across Greece. The differences in the maximum value of the normalized SKRs depicted in Figure 8a were estimated due to the different aperture diameters of the telescopes installed in the three OGSs. Larger aperture diameters lead to lower free-space loss and scintillation loss, and therefore, higher key rates can be distilled from the QKD links. In our study, Helmos OGS, equipped with the largest telescope in Greece with a diameter of 2.3 m, can offer SKRs up to 3.9 × 10 (bps/pulse), which is about four times higher SKRs compared to that offered by Skinakas OGS and more than eight times higher SKRs compared to that offered by Cholomondas OGS.
In Table 1, the estimated total distilled key bits between each satellite and each ground station for a period of one year are presented, assuming nighttime communication and no link interruption due to clouds and a quantum signal repetition rate of 100 MHz [Error! Reference source not found.,Error! Reference source not found.]. It is worth mentioning that despite the fast repetition rate at Alice station, the photon loss due to link attenuation is also high. This combination prevents the detectors of Bob station to be saturated due to their dead time, since only a limited number of photons go to reach OGSs' detectors. Higher repetition rates values have been also assumed in other publications [Error! Reference source not found.], but this comes at the cost of further reducing the detectors gate time opening, possibly resulting in high time jitter loss and difficulties in synchronization [Error! Reference source not found.]. As expected, the OGSs with bigger apertures are able to distill more key bits. We assumed that these key bits are stored in a memory and can be used to encrypt classical communication data when necessary. Appropriate key management is necessary to assure that the keys are properly stored and their cryptoperiod while they are either stored The differences in the maximum value of the normalized SKRs depicted in Figure 8a were estimated due to the different aperture diameters of the telescopes installed in the three OGSs. Larger aperture diameters lead to lower free-space loss and scintillation loss, and therefore, higher key rates can be distilled from the QKD links. In our study, Helmos OGS, equipped with the largest telescope in Greece with a diameter of 2.3 m, can offer SKRs up to 3.9 × 10 −4 (bps/pulse), which is about four times higher SKRs compared to that offered by Skinakas OGS and more than eight times higher SKRs compared to that offered by Cholomondas OGS.

Practical Exploitation of Distilled Key Bits
Beyond the QKD link performance evaluation, the use of quantum keys as part of the symmetric-key cryptography systems is discussed in this subsection. In our proposed scheme, the quantum keys distilled by the QKD satellite link are fed into an AES-256 encryption engine, providing ultra-secure protection for data flows in Gbps rates. When sufficient key bits can be distilled, the OGS is able to use them to securely communicate with a single satellite. In practice, this is not very useful, since every satellite is visible by the OGS only for a few minutes daily. To overcome this limitation, an alternative security scheme is proposed, where the satellites are considered as trusted nodes that share identical keys between two OGSs. The security levels of the AES-256 for the above security architectures are studied, focusing on the AES-256 key refresh time.

Satellite as a Trusted Node
In the security architecture where the satellite can be used as a trusted node, one key that is shared between a satellite and an OGS can be also securely transmitted to another OGS as depicted in Figure 8 [Error! Reference source not found.]. It is assumed that the satellite has already established quantum links between two different OGSs and two key strings of 256 bits distilled by these QKD links have been stored in its memory. By using the method of one-time pad (OTP), the satellite can send the 256-bit string result of the exclusive OR (XOR) operation between Key1 and Key2 (Key1 ⊕ Key2) to the OGS2. Given that Key1 and Key2 are only known by the satellite and each of the OGSs, the transmission of Key1 ⊕ Key2 through a classical channel is proven to be completely secure by the theory of OTP. Finally, OGS2 performs (Key1 ⊕ Key2) ⊕ Key2 to obtain Key1. Similarly, OGS1 obtains Key2; therefore, no quantum-distributed key bits are sacrificed in this chain.

AES-256 Key Refresh Time
The cryptographic algorithm of AES is most frequently supposed to be used as the encryption algorithm using the distilled keys of a QKD link. AES is proven to be quantum-resistant and therefore can be effectively combined with QKD to offer high security in the post-quantum world [Error! Reference source not found.]. In order to further enforce the security of the encryption, a key size of 256 bits, instead of the classical size of 128 bits, was proposed to be used in AES-based methods. Besides the size of the AES key, In Table 1, the estimated total distilled key bits between each satellite and each ground station for a period of one year are presented, assuming nighttime communication and no link interruption due to clouds and a quantum signal repetition rate of 100 MHz [25,26]. It is worth mentioning that despite the fast repetition rate at Alice station, the photon loss due to link attenuation is also high. This combination prevents the detectors of Bob station to be saturated due to their dead time, since only a limited number of photons go to reach OGSs' detectors. Higher repetition rates values have been also assumed in other publications [56], but this comes at the cost of further reducing the detectors gate time opening, possibly resulting in high time jitter loss and difficulties in synchronization [59]. As expected, the OGSs with bigger apertures are able to distill more key bits. We assumed that these key bits are stored in a memory and can be used to encrypt classical communication data when necessary. Appropriate key management is necessary to assure that the keys are properly stored and their cryptoperiod while they are either stored or in use does not exceed the standard limits set by the National Institute of Standards and Technology (NIST) [60].

Practical Exploitation of Distilled Key Bits
Beyond the QKD link performance evaluation, the use of quantum keys as part of the symmetric-key cryptography systems is discussed in this subsection. In our proposed scheme, the quantum keys distilled by the QKD satellite link are fed into an AES-256 encryption engine, providing ultra-secure protection for data flows in Gbps rates. When sufficient key bits can be distilled, the OGS is able to use them to securely communicate with a single satellite. In practice, this is not very useful, since every satellite is visible by the OGS only for a few minutes daily. To overcome this limitation, an alternative security scheme is proposed, where the satellites are considered as trusted nodes that share identical keys between two OGSs. The security levels of the AES-256 for the above security architectures are studied, focusing on the AES-256 key refresh time.

Satellite as a Trusted Node
In the security architecture where the satellite can be used as a trusted node, one key that is shared between a satellite and an OGS can be also securely transmitted to another OGS as depicted in Figure 8 [61]. It is assumed that the satellite has already established quantum links between two different OGSs and two key strings of 256 bits distilled by these QKD links have been stored in its memory. By using the method of one-time pad (OTP), the satellite can send the 256-bit string result of the exclusive OR (XOR) operation between Key1 and Key2 (Key1 ⊕ Key2) to the OGS2. Given that Key1 and Key2 are only known by the satellite and each of the OGSs, the transmission of Key1 ⊕ Key2 through a classical channel is proven to be completely secure by the theory of OTP. Finally, OGS2 performs (Key1 ⊕ Key2) ⊕ Key2 to obtain Key1. Similarly, OGS1 obtains Key2; therefore, no quantum-distributed key bits are sacrificed in this chain.

AES-256 Key Refresh Time
The cryptographic algorithm of AES is most frequently supposed to be used as the encryption algorithm using the distilled keys of a QKD link. AES is proven to be quantumresistant and therefore can be effectively combined with QKD to offer high security in the post-quantum world [62]. In order to further enforce the security of the encryption, a key size of 256 bits, instead of the classical size of 128 bits, was proposed to be used in AES-based methods. Besides the size of the AES key, the amount of the data encrypted by the same key is essential for guaranteeing the algorithm's security [60,63]. Therefore, it is of high importance that the keys that will support the AES-256 engines are frequently refreshed. Different quantum key rotation times can be selected, depending on the attack surface that we need to pursue in the link, as well the classical data rates fed into AES-256 cryptographic engines [64].
In the presented satellite QKD scheme, we assumed that the trusted node communicates between all three OGSs with a single shared key used for encryption of data flows at 10 Gbps data speeds. The lifespan of a single key is depended on many factors [60], with the amount of data encrypted by the same key to be the most crucial parameter. According to [63], the maximum volume of data that can be encrypted by a single key in order to achieve an ultra-low attack success probability of 2 −60 is calculated to be about 0.3887 terabytes. Therefore, the keys should be frequently refreshed in order not to exceed this threshold. The maximum refresh time that can ensure this constraint for the given data speed was calculated in Appendix B to be 103.65 s or approximately 1.72 min. According to Table 1 and the method described in Section 4.4.1, every ground station is able to share up to 1.43 Gbits over a period of one year with each other. In Appendix C, these calculated bits are sufficient for refresh times down to about 5.64 s. This value is much less than the maximum refresh threshold of 1.72 min, corresponding to attack success probability threshold of 2 −60 . Consequently, this would mean that the security levels of all three OGSs would not be compromised even if the link had an availability as low as low as 5.4% during nighttime and the key rates would still support the threshold refresh time value of 1.72 min (Appendix C).

Discussion
Satellite communication networks have been declared as a strong candidate to support QKD blocks towards global-scale quantum-secured networks. This strategy for global-scale interconnection segments is going to be implemented through national-scale infrastructures, allowing for the enhanced feasibility of delivering satellite QKD across OGSs. Contributing in this direction, this research attempted to evaluate a satellite QKD downlink under realistic clear sky conditions for Greek QCI. Assuming a sufficient number of bits stored to be able to refresh the AES-256 keys, even with very low-key rates or frequent link interruption, the QKD-enabled communication link would still be practical, as it was presented in the results section. Beyond this proof-of-concept key distillation, a feasibility analysis investigating other atmospheric effects such as cloud coverage and the impact of the background radiance in the QKD link is the next research step. More specifically, studying on solar radiance under different sun and moon positions in the sky as well as the satellite's position would be an interesting research extension.
It should also me mentioned that the finite size effect of key bits is an important parameter, especially in LEO satellite-to-ground QKD links. Due to the limited transmission time windows between the satellite and the OGS, this design parameter is taken into account in QKD studies [65,66]. Usually, the finite size effect is considered and examined in the optimization of QKD protocols. In our case, the finite size effect of key bits was not taken into consideration in the feasibility analysis, since the amount of exchanged key bits is big enough to exceed the lower bounds set in [67], therefore allowing positive key rates. Under a scenario where the link gets frequently interrupted (e.g., due to the cloud presence), thus leading to shorter communication time windows, this effect should be taken into consideration.
Besides the feasibility of the satellite-to-ground QKD link, the distribution of the quantum keys across terrestrial fiber segments is also an essential block of the future QCI. Observatories may be able to host state-of-the-art equipment that will grant higher key rates, but the support of the demanding needs of a terrestrial environment requires a closer investigation in both the physical layer and the security architecture. Under the Greek QCI initiative, dark fiber segments are planned to interconnect OGSs with nearby cities. By establishing QKD links between OGSs and the nearest cities and at the same time using the OGS as trusted relays, key delivery can be supported to distant fiber terminals. QKD protocols with proven performance in real-world circumstances can be considered as a deployment option [68]. Aside from the state-of-the-art QKD protocols allowing for outstanding distance-rate performance metrics, advanced quantum key management strategies can be implemented, based on collaboration with quantum-resistant algorithms (QRAs) [69].

Conclusions
We presented a thorough design study and a feasibility analysis on QKD satellite deployment devoted for Greek QCI. Using the installation parameters of OGSs hosted in Greek observatories, a decoy-state BB84 QKD link between a satellite constellation consisting of 10 LEO satellites and three OGSs was discussed. Realistic protocol implementation parameters have been considered for the QKD layer, and the QKD link performance was studied, considering the key atmospheric processes affecting the wireless optical link. Based on the set of the reported numerical results, the establishment of the QKD downlink is hard to accomplish in daylight conditions, but a sufficient amount of quantum keys can be distilled during nighttime. During the time instances when the satellites are visible to the OGSs at nighttime, the normalized SKR up to 3.9 × 10 −4 (bps/pulse) can be distilled. Over a period of one year, an amount of up to 1.435 Gbits of secret keys can be generated per ground station, and by using the trusted node architecture, these bits can be shared between the OGSs. It has been shown that this value of distilled bits is sufficient to support the AES-256 refresh times that keep an ultra-low attack success probability, ensuring high levels of security in data encryption/decryption. The reported results contribute towards the deployment discussions on Greek QCI based on the telescopes hosted in the observatories placed in South, Central, and North sectors of Greek territory. The successful quantum key delivery in the three OGSs via LEO satellite QKD links can be combined with terrestrial fiber segments to distribute securely optical data flows via terrestrial QKD systems, thereby allowing for end-to-end quantum-secured connectivity scenarios.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Decoy-State BB84 Protocol Equation
Equation (1) gives the lower bound of the normalized SKR value and was written according to [35]. In this equation, q denotes the protocol efficiency factor, which depends on the implementation and can be calculated as: where 1 2 occurs due to the selection of the BB84 protocol, since half of the received bit are shifted; N s , N 1 , and N 2 correspond to the numbers of emitted signal, decoy, and vacuum states, respectively; Q 1 and e 1 correspond to the gain and the error rate of the single-