Design of Satellite-Based FSO/QKD Systems Using GEO/LEOs for Multiple Wireless Users

This article proposes the design of a global-scale free-space optics/quantum key distribution (FSO/QKD) network based on a geosynchronous (GEO) satellite as the secret key source and low-Earth orbit (LEO) satellites as relay nodes for multiple legitimate users on the ground. The continuous variable QKD (CV-QKD) protocol with dual-threshold/direct detection (DT/DD) receivers is employed. The system performance is analyzed by considering the spreading loss, atmospheric attenuation, and turbulence. Based on the design criteria for the proposed system, we investigate the feasibility of a case study for the Japan QKD network considering the unauthorized receiver attack (URA) and beam-splitting attack (BSA). In addition, we analyze the secret-key rate performance of the proposed system and perform Monte Carlo simulations to verify analytical results.

. Proposal of satellite-based FSO/QKD system using GEO and LEO satellites.
satellite with an altitude of 35,786 km can solve the coverage problem, the system suffers from a high path loss and limited key rates. Therefore, combining GEO and LEO satellites becomes a promising solution for the global-scale QKD network.
This article presents a novel satellite-based FSO/QKD system that uses LEO and GEO satellites. We focus on designing a system that can support multiple wireless users, which opens the potential to establish a global-scale QKD network. Based on the design criteria for the proposed system, we investigate the feasibility of a case study for the Japan QKD network using the existing GEO satellite and LEO satellite constellation to provide QKD service for legitimate users in Japan. Furthermore, the secret key performance of the proposed system is studied based on the design criteria of transmitters and receivers considering the unauthorized receiver attack (URA) and beam-splitting attack (BSA). In particular, we aim to design the transmitted signal to prevent URA and propose a simple scheme that allows legitimate users to detect BSA. For all analyses, Monte Carlo simulations are also performed to verify analytical results.
The article is organized as follows. In Section II, we describe the proposed satellite-based FSO/QKD system model using both LEOs and GEO for multiple wireless users, the BBM92 protocol, signal model, and the multiple access scheme. The channel model and system performance analysis are presented in Section III and Section IV, respectively. Section V focuses on the design and analysis of a case study of Japan; in particular, we present the criteria for system design under the URA and BSA and analyze the secret key performance. Finally, the article is concluded in Section VI. Fig. 1 presents the proposed FSO/QKD system, in which a GEO satellite (Charlie) distributes secret keys to a legitimate server, i.e., Alice and multiple users Bob i , i ∈ {1, 2 . . . N}, via FSO channels with the help of two LEO satellites for amplifying the signal. LEO satellites relaying Charlie's signals to Alice and Bobs are denoted as L A and L B , respectively. We assume that Alice is a server that performs post-processing procedures over the public channel with each user Bob i to create secret keys between Alice and each user Bob i . For the sake of simplicity, we use notations "A", "B i ", and "C" for Alice, Bob i , and Charlie. In addition, H C , H L , and H U denote the altitude of Charlie, LEO satellites, and user U ∈ {A, B i }, respectively. The zenith angle is denoted as ζ U . The elevation angle is given by (π/2 − ζ U ). To inhibit signal blockage by skyscrapers and minimize the effect of atmospheric attenuation and turbulence, the minimum acceptable elevation angle is set to 30 • [23].

A. System Model
We consider the scenario in which Eavesdroppers (Eves) can compromise the system by attempting URA or BSA, as shown in Fig. 1. In the former, Eves locate on the ground and try to tap the transmitted signal from LEO satellites by being within the beam footprint near legitimate users, either at Alice or Bob's location. In the case of URA, the countermeasure is to limit the damage by designing and setting appropriate system parameters.
In the latter, we assume that Eves have the capability to split a part of the beam at an LEO satellite to perform the BSA. As a portion of the signal is lost, it is possible to detect the presence of BSA. Our strategy is, therefore, to propose a method for BSA detection.

B. Non-Coherent CV-QKD Scheme Inspired by BBM92
In each operating scheme, there are two ways to implement QKD protocol owing to how the key information is encoded, namely discrete-variable QKD (DV-QKD) and continuousvariable QKD (CV-QKD) [25]. In EB DV-QKD systems, Alice and Bob each receive one photon from the entangled photon pairs sent from Charlie. The measurement of these received photons requires the use of bulky and expensive single-photon detectors [14]. In comparison with DV-QKD, CV-QKD is a cheaper and easier implementation as it is compatible with standard optical communication technologies. In EB CV-QKD systems, a two-mode entangled state is shared between Alice and Bob. Detection in CV-QKD is realized by high-efficiency coherent detectors (homodyne or heterodyne) [26]. However, the key implementation issue with CV-QKD systems comes from the high-cost coherent detectors due to the requirement for the sophisticated phase-stabilized local light [27]. To simplify CV-QKD systems with low-cost implementation, non-coherent CV-QKD has been proposed for the PM CV-QKD [28], [29], [30]. Recently, we have proposed non-coherent CV-QKD inspired by the BBM92 protocol for EB scheme. This protocol is realized by transmitting subcarrier intensity modulation/binary phasesift keying (SIM/BPSK) signal and using dual-threshold/direct detection (DT/DD) receivers in [24], [31]. The similarities in the security of the original BBM92 and this protocol and its key features are explained in [24]. We review the implementation of non-coherent CV-QKD inspired by the BBM92 protocol and apply it to the new scenario of this article as follows.
Stage 1: Using the quantum channel (FSO channel) r Signal preparation at Charlie: SIM/BPSK modulated signal is generated representing random binary bits "0" and "1". The value of modulation depth δ (0 < δ < 1) is chosen to be small enough in order that the transmitted state cannot be fully distinguished. Example of non-coherent CV-QKD inspired by the BBM92 protocol for EB scheme [24].
r Signal transmission: The signal is transmitted simultaneously to both relay satellites, which then amplify and forward the received signal to Alice and Bob i .
r Detection: The received signal at Alice and Bob i is individually detected using their own DT/DD receivers. The two levels of the DT (i.e., d U 0 and d U 1 ) at each user are selected symmetrically over the mean signal level.
-If the detected value i U r of received current signal at user U is less than d U 0 , the user U detects bit "0". -If the detected value i U r of received current signal at user U is greater than d U 1 , the user U detects bit "1". -Otherwise, the user U detects bit "X", which specifies the case that either Alice or Bob i does not detect any bit.

Stage 2:
Using the public channel (e.g., the Internet) r Sifting process: Alice and Bob i notify of the time instants that they were able to create binary bits from received signals. They discard bit values at the time instant that no bit (i.e., bit "X") is detected. Alice and Bob i then share an identical bit string, i.e., sifted key. An example of the detecting and sifting process of this protocol is illustrated in Fig. 2.
r Post-processing: Alice and Bob i perform error correction and privacy amplification to turn the sifted key into a final shared secret key.

C. Signal Model
The block diagram of the proposed system is illustrated in Fig. 3. There are four main parts: a GEO satellite (Charlie), LEO satellites as relay nodes, and legitimate users (Alice and Bob i ). In the preparation stage, a perfect pre-synchronization realized by using the global positioning system (GPS) between users, LEO satellites, and Charlie is assumed.
At the GEO and LEO Satellites: The raw key data d(t) is modulated onto a radio frequency (RF) subcarrier signal using BPSK scheme prior to modulating the laser irradiance. We denote P s (t) as the transmitted power of the modulated laser beam. The radiated optical signal is expressed as where P is the peak laser power, δ is the intensity modulation depth, and m(t) is the subcarrier signal [24]. It is noted that the two-laser source sending the signal from the GEO satellite to LEO satellites is not a truly entangled one. It was inspired by the BBM92 protocol for EB scheme while the signal from the two-laser source is sent to two LEO satellites simultaneously. Then, the received signal from the GEO satellite at LEO satellites is passed through an optical band-pass filter (OBPF), amplified optically using erbium-doped fiber amplifiers (EDFA), and forwarded to legitimate users.
At the Legitimate User U : The received optical signal is passed through OBPF, and then detected by a PIN photodetector. The photocurrent i U p is given as where R e is the responsivity of the photodetector, G a is the EDFA gain at the LEO satellite, h U e2e (t) is the channel state between Charlie and user U , and n U e2e (t) is the receiver noise. The demodulated signal r U d (t) at BPSK demodulator with the DC component filtered out is expressed as where i U r , r ∈ {0, 1} are the detected signals corresponding to bit "0" and bit "1", respectively.
The receiver noise power at user U , denoted as (σ U N ) 2 , includes shot noise, background noise, and amplified spontaneous emission (ASE) noise generated by the optical amplifier at the LEO satellite. The formula for (σ U N ) 2 is given as are variances of the amplified background noise from the LEO satellite and the ASE noise, respectively.
F n Δ f represent variances of the shot noise, background noise, and thermal noise at user U , respectively. In these formulas, q is the electron charge, k B is Boltzmann's constant, and h U L is the channel state between the LEO satellite and user U . P L b = Ω l πa 2 L Δλ is the background noise power collected at the LEO satellite, 2 is the efficient bandwidth. For the remaining notations, they are given in Table. I.

D. Multiple Access Scheme
We consider two methods Charlie can use to transmit the signal to multiple users, called Bob's cluster. In the conventional Time Division Multiplexing Access (TDMA) method, Charlie sends the signal to each user Bob i within specified time slots. Alice and each user Bob i receive independent binary bit sequences from Charlie. The key rate will therefore be decreased proportionally to the number of users. To remedy the drawback of TDMA, we exploit the randomness of the fading channels and the DT/DD settings. Specifically, we can let Charlie send   the same bit sequence to Alice and all users Bob i . As mentioned in Section II-B, only a tiny and random fraction of transmitted bits are detected at each receiver; we expect each pair of Alice and Bob i to achieve a secret key with a minimum, unknown overlapped with others. This allows a higher achievable key rate while keeping acceptable secrecy between users. Fig. 4 compares our proposed scheme with the TDMA when Charlie transmits the signal to multiple users. The colored parts of the received bits at Alice and Bob i illustrate the instants that Alice and Bob i decoded bits. The blank parts represent the time instants that Alice and Bob i decoded bit "X" (i.e., no bit is detected). Sifted bits between Alice and Bob i are the overlapped parts of the received bits at Alice and Bob i . The knowledge parts of their received bit information from other users Bob j are aligned by dash lines.

III. CHANNEL MODEL
The end-to-end channel state between Charlie and user U h U e2e can be formulated as where h U G is the channel state between GEO and LEO satellites, and h U L is the channel state between LEO satellites and user U . These channel states are explained in more detail as follows.

A. GEO-to-LEO Channel Model
For the GEO-to-LEO link, the effect of atmospheric is insignificant as the laser signal from the GEO satellite goes through a non-atmospheric region at an altitude above 20 km compared to the sea level [32]. In addition, we assume that a fine tracking system with perfect alignment is equipped [33]. Therefore, it is supposed that the geometric spreading loss of the laser beam is the major impairment for this link. Moreover, the maximum frequency shift in LEO satellite communications is within the capability of the current design for optical satellite communications [32]. Thus, we ignore the Doppler effect in further analysis. The Gaussian beam model is assumed for the laser beam from the GEO satellite (Charlie (C)). The geometric spreading loss for the position vector from the center of the beam footprint r at LEO satellites is then given by [24] where I beam (.) is the normalized spatial distribution of the transmitted intensity. h U g 1 (.) denotes the fraction of power collected by each LEO satellite's receiver with the receiving area of A Z r , Z ∈ {L A , L B }. L C is the distances between Charlie and LEO satellites, which can be derived from two-line element (TLE) sets of the GEO and LEO satellites and the geometric analysis as in [34].
The approximated result of this integration is given as [35] where r is the radial distance from the center of beam footprint, is the fraction of the collected power at , where a Z is the radius of Z's receiving telescope aperture, and ω 2 L C ,eq = (ω 2 is the equivalent beam radius at distance L C . ω L C is the beam radius at distance L C and is given as where ω 0,C = λ/2θ C is the beam waist at the transmitter of C, and λ is the operation wavelength. Here, θ C is the full beam divergence angle determined as θ C = 2.44λ/D G , where D G is the diameter of GEO's transmitting telescope aperture [36].
For simplicity's sake, LEO satellites are assumed to be at the center of Charlie's beam footprint. The fraction of collected power at LEO satellites is given as

B. LEO-to-User Channel Model
For LEO-to-user link, we take into account three major impairments: geometric spreading loss h U g 2 , atmospheric attenuation h U l , and atmospheric turbulence h U a . The composite channel for LEO-to-user link, thus, can be formulated as These impairments are described as follows 1) Geometric Spreading Loss: : We consider the Gaussian beam model for the laser beam from LEO satellites. With a similar approach in Section III-A, the fraction of power collected by the user U 's receiver is approximated as where  [37].
is the beam waist at the transmitter of Z, and θ Z is the full beam divergence angle determined as θ Z = 2.44λ/D U with D U the diameter of user's transmitting telescope aperture [36].
The user U is assumed to be at the center of Charlie's beam footprint. The fraction of collected power at LEO satellites is thus derived as h U g 2 (0; L Z ) ≈ A U 0 . 2) Atmospheric Attenuation: The attenuation of laser power through the atmosphere is formulated by the exponential Beer-Lambert's law as where is the propagation distance to user U with the altitude H h = 20 km that the atmospheric attenuation mainly occurs below [13]. ξ is the attenuation coefficient, and determined as [38] where V is the atmospheric visibility. Depending on the weather conditions, the value of V will be changed. The value of the atmospheric attenuation visibility coefficient q(V ) is modeled with respect to the value of V as shown in [39].
3) Atmospheric Turbulence-Induced Fading: Atmospheric turbulence causes by inhomogeneities in the temperature and pressure of the atmosphere, which lead to variations of the refractive index along the transmission path [39]. This phenomenon ultimately results in fading of the received optical power, thus leading to system performance degradation. As reported in [32], the turbulence strength for LEO-to-user link is usually weak with the zenith angles being equal to or less than 60 • (due to the minimum acceptable elevation angle for satellite tracking being set to 30 • ). Therefore, the distribution of h U a can be modeled as a log-normal distribution that suits the weak turbulence regime.
It can be formulated as [35] where μ U X = −(σ U X ) 2 and (σ U X ) 2 are the mean and variance of log-amplitude fluctuation, respectively. (σ U X ) 2 is calculated as [40] (σ U X ) 2 = 0.56 k 7/6 sec 11/6 (ζ U ) where k = 2π/λ is the wave number, and sec(x) is the secant function. The refractive index structure parameter C 2 where w (m/s) is the average wind velocity, h (m) is the height above the ground, and C 2 n (0) is the refractive index structure parameter at the ground level.

IV. PERFORMANCE ANALYSIS
This section presents the analytical framework to analyze the performance of the proposed system using the non-coherent CV-QKD inspired by the BBM92 protocol for EB scheme. We first derive the sift probability between Alice and an individual Bob in the context of multiple users for both TDMA and the proposed multiple-access method. The quantum bit-error rate (QBER) and the total final key creation rate for all users are then derived.
A. Sift Probabilities 1) Single-User Sift Probability: Sift probability (P sift ) between Charlie (the satellite) and a legitimate user U is the probability that the user can decode bits using the DT detection, which is given as where is the joint probability that bit "x" sent by Charlie coincides with the decoded bit "y" of user U . P C (x) is the probability that Charlie sends bit "x". Bits "0" and "1" are assumed equally likely to be transmitted; thus, P C (x) = 1 2 . P U |C (y|x) is the conditional probability that Charlie transmits bit "x" when user U detects bit "y" and calculated as [41] where are the received current signals for bit "0" and bit "1", respectively. Q(·) is the Qfunction. Two thresholds d U 0 and d U 1 at the receiver of user U are determined by where ς U is the DT scale coefficient of user U and E[·] is the expectation operator. Hence, as the mean irradiance is normalized to unity.
2) Multiple-User Sift Probability: a) TDMA method: P sift between two legitimate users, namely Alice and Bob i , is the probability that both users can decode a bit sent by Charlie using the DT detection receiver. This probability can be derived as where P AB i (x, y) with x, y ∈ {0, 1} is the probability that Alice's detected bit "x" coincides with Bob i 's detected bit "y". The probability P AB i (x, y) is computed as b) Proposed method: In our proposed method, as Charlie sends the same bit sequence to Alice and all users Bob i , there is a possibility that two or more Bobs can detect the same bit, which is called the mutual sift probability. Fig. 5 illustrates the relationship between the sifted bits of four pairs of users Alice-Bob i (AB i ). To guarantee mutually secret keys, Alice and Bob i need to exclude sifting bits overlapping with other users. The sift probability between Alice and Bob i is thus determined as follows where P (AB i ) excl is the mutual sift probability with other users Bob j . The exclusion ratio coefficient, 0 ≤ ε ≤ 1, determines the exclusion ratio of mutual bits; when ε = 1, all mutual bits are excluded. P (AB i ) excl can be calculated as Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
where P (AB i ∩ AB j ) is denoted for the mutual sift probability between two pairs, AB i and AB j . This mutual sift probability P (AB i ∩ AB j ) is expressed as follows where P AB i B j (x, y, z) with x, y, z ∈ {0, 1} is the probability that Alice's detected bit "x" coincides with Bob i 's detected bit "y" and Bob j 's detected bit "z". The probability P AB i B j (x, y, z) is then computed as We assume that bit "0" and bit "1" are equally likely, i.e., P C (0) = P C (1) = 1/2. DT threshold is set so that the error conditional probabilities P A|C (y|x), P B i |C (y|x), and P B j |C (y|x), x =y, x, y ∈ {0, 1} are small enough to neglect (e.g., below 10 −6 ).
In addition, two levels of DT at receivers are selected symmetrically over "zero" level. Thus, the symmetrical conditional probabilities are equal. We also assume that all users Bob i are on a circle whose radius is the distance from Bob i to the center of the beam footprint. The conditional probabilities of B i given C are the same for all users Bob i . As a consequence, (21) can be rewritten as From (23), we can simplify (20) as follows where N is the number of users and C k+1 N −1 is the number of combinations of k + 1 users from a set with N − 1 users.

B. Quantum Bit Error Rates
Quantum bit error rate (QBER) is used to reflect the bit error rate in the sifted key. QBER of the proposed system is formulated as [24] QBER = P error P sift .
Depending on calculating QBER between Charlie and the legitimate user or QBER between two legitimate users, P error is determined differently as follows

1) QBER Between Charlie and the Legitimate User:
where P error is the probability that the transmitted bit from Charlie and the received bit at user U are not the same.
2) QBER Between Two Legitimate Users: where P error is the probability that the received bits at Alice and Bob i are not the same. An approximate expression for QBER can be obtained by plugging the conditional probabilities' approximations in (30) into (12), (17), (25), (26), and (27).

C. Final-Key Creation Rate for Multiple Users
From the information-theoretical viewpoint, we denote the mutual information I(A; B i ), I(A; E 1 ), I(B i ; E 2 ), and I(E 1 ; E 2 ) are defined as the estimation of the amount of information shared between Alice and Bob i , Alice and Eve 1 (Eve 1 located near Alice), Bob i and Eve 2 (Eve 2 located near Bob i ), and Eve 1 and Eve 2 , respectively. All of them can be determined by where P Y Z (y, z) with Y, Z ∈ {A, B i , E 1 , E 2 } is the probability that Y 's detected bit "y" coincides with Z's detected bit "z". P Y (y), P Z (z) are probabilities that Y and Z detected bit "y" and bit "z", respectively. In case of I(A; B i ), in the proposed method, P AB i (0, 0) and P AB i (1, 1) needs to exclude respectively the probability 1 2 εP (AB i ) excl that other users Bob j also detect the same bit values with user Bob i . In the TDMA method, there is not any effect on I(A; B i ).
After error correction and privacy amplification to exclude the amount of information leaked to Eve 1 and Eve 2 from the key information shared between Alice and user Bob i at Bob's cluster, the useful bit rate, namely final key-creation rate, is calculated as where R s i is the sifted-key rate, i.e., the length of the raw key that can be produced per unit of time that contains the sifting factor. In case of the TDMA method, R s i = P sift In case of the proposed method, R s i = P sift-excl AB i R b . R b is the system bit rate. α accounts for error correction efficiency in post-processing procedures. In this article, we assume perfect error correction efficiency, i.e., α = 1, as an upper bound evaluation of the system performance [28].
The total final key-creation rate of N users on Bob's cluster is expressed as

V. DESIGN AND ANALYSIS: A CASE STUDY OF JAPAN
In this section, we investigate the feasibility of the proposed FSO/QKD systems using GEO and LEO satellites. In particular, a case study of the QKD network for Japan is examined.

A. System Configuration and Satellite Selections
We assume that the server Alice is in Aizuwakamatsu City (longitude: 139.93899 • E; latitude: 37.52266 • N; elevation: 209.093 m), and the user's cluster Bobs is in Osaka City (longitude: 135.51983 • E; latitude: 34.68305 • N; elevation: 155.448 m), which is about 500 km southwest of Alice's location. Himawari-8, a Japanese GEO weather satellite operated by the Japan Meteorological Agency [42], is employed as Charlie. Due to the capability of 24/7 global coverage, Starlink satellites are chosen to be the relay nodes [43]. Illustrations of Himawari-8's position and orbits of two Starlink satellites (Starlink-1293 and Starlink-2063) over Japan on December 23 rd , 2021 are calculated from the available TLE data in [44] and displayed in Fig. 6. All satellites are supposed to be equipped with optical devices necessary for the proposed system shown in Fig. 3.
There are seven orbital planes of the Starlink satellite constellation from northwest to southwest of Japan, as shown in Fig. 7. Each plane composes of a group of LEO satellites that fly across Japan alternately. For the sake of clarity, each group is numbered by the orbital plane order at the time of observation. To realize the proposed system, it is required that there exist two LEO satellites that are simultaneously within the required elevation angle with their respective users at any given time. This requirement is verified by Fig. 8(a) and 8(b), which show the evolutions of the elevation angle of satellites in Group I to VI respective to users located in Aizuwakamatsu City and Osaka City during a 3000-second period from 16:09:00 UTC+9 Dec. 23, 2021. For example, during the elapsed time from 1000 to 1200 seconds, Starlink-1293 of group III and Starlink-2063 of group IV are within the required elevation angle with users in Aizuwkamatsu City and Osaka City, respectively. Without loss of generality, in the following analyses, these two satellites are chosen as the relay nodes to forward signals from Charlie to Alice and Bobs.
The parameters used in the analysis, unless otherwise noted, are listed in Table I. Monte Carlo simulations are also provided to validate the correctness of analytical results, and a good match is confirmed. The details of the simulation are as follows. At each second in the elapsed time, we generate 10 7 random binary bits. Also, using parameters given in Table I, we generate 10 7 independent channel states between GEO and LEO satellites h U G and between LEO satellite and user h U L . The simulation is performed as a discrete event for each bit. Then, we calculate the received current signal for each bit at user U and detect the received bit by comparing it with two thresholds d U 0 and d U 1 . The simulation runs repeatedly 100 times (i.e., the bit rate is 1 Gbps as the given system bit rate). We aggregate the number of received bits "0", "1", and "X".

B. Transmitter Design
We first investigate the design criteria for Charlie's transmitter to maintain the security of the proposed system under URAs. In such attacks, Eves on the ground try to locate their receivers within the beam footprint of the transmitted signal (at the distance of d E m from the footprint center). To prevent URAs, a small modulation depth δ should be set so that Eve would suffer from a high error rate (e.g., P E error > 0.1) when she tries to decode the received signal using the optimal threshold d E t = 0 1 . Fig. 9 illustrates the error probabilities at Eves as a function of δ for different values of d E . We consider the worst-case scenario where the relay satellites are closest to legitimate users (i.e., the zenith angle is 0 degrees). In this case, Eve can eavesdrop on the maximum possible information. As seen from the figure, the values of δ should be less than 0.7 to guarantee that P E error > 0.1 in all chosen values of d E . It is important to note that higher values of δ may lead to a lower key rate and higher   QBER [46]. Therefore, we set δ = 0.5 for Charlie's transmitter in the analysis. Also, in this figure, the analytical results closely follow the simulated ones, confirming the model's correctness and analysis.
In addition, we consider the case that LEO satellites are attacked by BSA. Fig. 10 shows Eve's error probability versus the modulation depth and the splitting percentage of the signal received at LEO satellites for different modulation depths δ. It is observed that if δ is decreased, Eve needs a more significant amount of the received power at LEO satellites to reduce its error probability. With our transmitter settings (transmitted power, modulation depth, etc.), it is seen that Eve needs at least 1.5% of splitting power to gain an acceptable BER (less than 10%). This minimum splitting percentage is used in further analysis as the lower bound on the performance of BSA detection.

C. Receiver Design
The secrecy performance of the proposed system is significantly influenced by the selection of the dual threshold, which is in turn determined by the DT scale coefficient ς U . In this section, systematic selections of ς U for Alice and Bobs are studied.
1) Alice's Receiver Design: Firstly, the selection of ς A should satisfy two requirements: (i) the sift probability is above 10 −3 to achieve sifted-key rates at Mbps with Gbps transmission rates of FSO communications; (ii) QBER is kept below 10 −3 so that the error can be corrected efficiently at Mbps of sifted-key rates by error-correcting code. From Fig. 11(a), (b), and (c), we can determine the range of ς A values to satisfy two conditions with the sift probability and QBER. For this purpose, Fig. 11(a), 11(b), and 11(c) show the values of ς U satisfying (i), (ii), and both during the communicable period between Starlink-1293 and Alice. It is seen that from the elapsed time of 1293 s, any value between 0 and 4 can be chosen for ς A .
In addition to the above requirements, Alice should be able to detect BSA attacks. It can be done by comparing the difference in the sift probability between Charlie and Alice P C,A sift in the case of BSA and no BSA. The larger the difference is, the more likely a BSA is detected. As shown in Fig. 12, this difference increases as ς A decreases. The question is how much difference would be enough to detect BSAs with high accuracy. To answer this, we first simulate in Fig. 13 the value of P C,A sift during the first 10-second period assuming that the transmission rate is 1 Gbps. The time resolution is set to 10 −2 . Assume that BSAs with the power splitting percentage (SP) of 1.5% happen with a probability of 0.01 (i.e., 1% of the simulation time). Since 10 7 bits are transmitted at each time instance, P C,A sift is simulated as the average of 10 7 independently random values given in (12). Thus, according to the central limit theorem [47], P C,A sift at each time instance can be well approximated by a normal random variable with the standard deviation denoted as σ sd . When a BSA happens, P C,A sift decreases, resulting in an increase in its deviation (i.e., the difference between P C,A sift and its mean value). An attack event can then be detected if the deviation of P C,A sift exceeds a properly chosen threshold d BSA , which is determined in what follows. Firstly, we define the following events. A false alarm is an event that the deviation of P C,A sift exceeds the threshold yet no actual BSA is conducted. A missed   BSA event is an actual BSA that can not be detected due to the low deviation of P C,A sift compared with the threshold d BSA . A probable BSA event is an event that is either a false alarm or an actual BSA. To prevent frequent false alarms (which may interrupt the communication session), d BSA ≥ 2σ sd is considered. A visualization of these events is displayed in Fig. 14   correct attack detection and lower percentages of false alarms. Specifically, when the difference in P C,A sift between BSA and no BSA is higher than 2% (corresponding to ς ≥ 2.5 as shown in Fig. 12), the percentages of correct detection (w.r.t both No. actual BSA and probable BSA events) can be made to 100% by choosing d BSA = 3σ sd . Together with the requirements of the sift probability and QBER described above, ς A should satisfy that 2.5 ≤ ς A ≤ 4. Nonetheless, according to Fig. 11(a), as ς A increases, the sift probability decreases. Since high values of the sift probability are preferable, ς A = 2.5 is chosen for our design.
2) Bobs' Receiver Design: To ensure that each user Bob i can operate properly even if he excludes all key information that other users can be known when applying the proposed system, we assume that ε = 1. Similar to Alice's receiver design, the requirements for selecting ς B i should satisfy: (i) the sift probability between Alice and Bob i is higher than 10 −3 , and (ii) the QBER between them is lower than 10 −3 . Observing from Fig. 15(a), 15(b), and 15(c), any value of ς B i between 0 and 2.5 satisfies these requirements. In addition, regarding the detection of BSAs, to achieve a higher 2% difference in the sift probability between Charlie and Bob i between no BSA and BSA (performed by L B with SP = 1.5%), ς B i should be at least 2.25 as shown in Fig. 16. Therefore, ς B i = 2.25 is chosen to maximize the sift probability between Alice and Bob i .

D. Secret-Key Performance
In this section, we investigate the secret-key performance of the proposed system in terms of the total final-key creation rates of all users. The number of users at Bob's cluster is N = 4. We assume that there are two eavesdroppers performing URAs at Alice's and Bob cluster's locations as depicted in Fig. 1. The eavesdroppers are assumed to be located 26 meters away from the legitimate users. Under the design of Alice's and Bob i 's receiver presented in the previous sections, Fig. 17 illustrates the total final-key creation rates of all users R f versus the exclusion ratio coefficient ε at different elapsed time instances that Charlie transmits the signal to the relays. It is observed that R f of the TDMA method is nearly three times lower than that of the proposed system. To ensure that different secret keys are generated for users (i.e., no mutual sift probabilities among 4 users), Bob i can keep 0% of the overlapped permission (i.e., ε = 1). R f can increase if Bob i allows a larger percentage of the overlapped permission among all users. For example, at the elapsed time t = 1328 s, R f increases by 7% if Bob i keeps 50% of the overlapped permission (i.e., ε = 0.5) when he is in a trusted network. However, this also increases the knowledge of key information among users, resulting in reduced security of the proposed system if the trust relationship among all users is broken.
Finally, Fig. 18 investigates R f with respect to the number of users at Bob's cluster at the elapsed time t = 1323 s. In addition to ς B i = 2.25 chosen from the previous section, we also examine other lower values of ς B i in the operational region of ς B i . In the case of TDMA, it can be seen that R f keeps unchanged when the number of users increases. In the proposed method,   for each value of ς B i , there exist an optimal number of users that maximizes R f . For example, the optimal number of users is about 30 when ς B i = 2.25. As ς B i decreases, the sift probability between Alice and Bob i increases as shown in Fig. 15(c), leading to an increase in R f at the optimal number of users.

VI. CONCLUSION
We presented a novel design framework for a global-scale FSO/QKD network based on a GEO satellite as the secret key source and LEO satellites as relay nodes for multiple wireless users. The non-coherent CV-QKD protocol inspired by the BBM92 protocol for EB scheme was employed. The system performance was analyzed, considering the spreading loss, atmospheric attenuation, and turbulence. Based on the design criteria for the proposed system, we investigated the case study for the Japan QKD network, taking into consideration the two prevalent attacks of URA and BSA. We proposed a multiple-access method to improve the total secret key performance. We also proposed a simple yet effective BSA detection method based on the statistical observation of sift probability by legitimate users. The numerical and simulation results confirmed the feasibility of implementing the FSO/QKD system.

APPENDIX A
Approximate Expressions for (13) and (14) By using the Gauss-Hermite quadrature, approximate expressions for (13) and (14) can be obtained. Specifically, (13) and (14) can be written in the form ∞ −∞ g(y)exp(−y 2 )dy by making a change of variable y = is a function of the variable y [46]. Next, this integral is approximated using the Gauss-Hermite quadrature as [39] where n is the order of approximation, while ω i and x i are weight factors and zeros of the Hermite polynomial, respectively. Notably, the Gauss-Hermite used for (13) and-(14) quickly converges to the exact-form expressions for a finite value of n, i.e., n = 20 terms.

APPENDIX B
Proof of the Equation (20) P sift-excl AB i can be written in the form of set theory as P sift-excl where (AB j ) C , j =i is the complement of (AB j ). Proposition 1: For every N ≥ 2, the sift probability between Alice and Bob i in the proposed system is calculated as Proof: We give a proof by induction on N .
Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
Base Case: Show that the statement holds for N = 2. It is easy to calculate and verify the result P sift-excl AB i for N = 2 as P sift-excl

Induction
Step: Suppose that the equation is true for N , we show it for N + 1. We have The first term, which is denoted as S 1 , has been supposed to be true and has been written as The second term, which is denoted as S 2 , has been developed as follows Applying the inclusion-exclusion principle [48] for the second term of S 2 , it is continued to calculate as Combining S 1 and S 2 , the equation for N + 1 user is given as The equation for N + 1 also holds true, establishing the induction step. The equation (20) has been proved successfully. Conclusion: Since both the base case and the induction step have been proved as true by mathematical induction, the equation to calculate P sift-excl AB i holds for every number of N .