Eavesdropping Detection in BB84 Quantum Key Distribution Protocols

The nature of quantum mechanics provides us with an opportunity to statistically detect eavesdropping in quantum key distribution (QKD) protocols, which is unimaginable in classical digital communications. By utilizing Hoeffding’s inequality, this study analyzes the upper bounds of the false-positive ratio (FPR) and false-negative ratio (FNR) of eavesdropping detection in the Bennett–Brassard-84 (BB84) QKD protocol, where eavesdropping is detected if the measured quantum bit error rate (QBER) is equal to or higher than a threshold. The analysis clarifies the trade-off between the accuracy of eavesdropping detection and the economy of quantum resources in the BB84 protocol. Owing to the central limit theorem, the QBER measured by 300 quantum bits (qubits) is sufficient to guarantee lower than 0.009% of the FPR and FNR of eavesdropping detection. To deal with rapidly varying quantum channel conditions, this study further introduces grouped BB84 protocol and combinatory eavesdropping detection algorithms. A polarization basis is changeable for a group of qubits, and eavesdropping is judged by a combination of criteria between QBER and group-QBER in the proposed protocol and algorithms. In our extensive simulation study, the grouped BB84 protocol with 300 qubits comparison guarantees at least 99.92% accuracy in eavesdropping detection under rapidly varying quantum channel conditions.


I. INTRODUCTION
R EMARKABLE developments in information and communication technology (ICT) have resulted in an explosive increase in network users and traffic [1]. Accordingly, most offline services have been migrated to online platforms, including services dealing with sensitive information, such as banking, research data transfer, and medical care. The development in ICT requires a stricter level of network security [2]- [4], which cannot be satisfied by the number theory-based state-of-the-art cryptosystems [5], especially when quantum computers become publicly available [6].
Accordingly, quantum key distribution (QKD) technologies have gained industrial and academic interest, as it has been shown that QKD can provide unconditional secure communication at the physical layer [7]- [10]. In the QKD protocol, Manuscript  information can be encoded into the physical states of particles, where the state is referred to as a quantum bit (qubit). The QKD protocol exchanges a sequence of qubits between two entities (from Alice to Bob) in a secure manner against the presence of an eavesdropper (Eve). The secure exchange of qubits in the QKD protocol is guaranteed by the nocloning principle in quantum mechanics [11]. The information encoded in the qubits can be used as a secret key to encrypt/decrypt the plaintext between Alice and Bob. In this study, we use the terms eavesdropper and Eve interchangeably. The Bennett-Brassard-84 (BB84) protocol was the first QKD protocol [7]. Because the BB84 protocol is the most well-known QKD protocol, we regard BB84 as a basic QKD model throughout this study. Interestingly, intercept-andresend-attack from Eve in the BB84 protocol cannot avoid affecting the original qubits, and thus, causes quantum bit errors [7]. This phenomenon in BB84 provides a new perspective and intuition for engineering problems for secure communications. However, because of the imperfections in the physical implementation of QKD systems, quantum errors in practical quantum channels are inevitable, even when an eavesdropper does not exist. Unfortunately, it is impossible to deterministically distinguish between quantum errors caused by Eve and those caused by quantum channels. Accordingly, as stated in [8], the majority of prior studies on QKD over practical noisy quantum channels has been concentrated on the secret key rate performance [8]- [10], rather than on detection of the presence of an eavesdropper. Because the secret key rate is calculated with respect to the quantum bit error rate (QBER) [8], the secret key rate can be excessively limited owing to the temporary poor quantum channel, even though the channel is free from Eve. In this study, in contrast to the existing research direction in the QKD community, we investigate the fundamental research aspects in the domain including statistically distinguishing quantum errors to detect eavesdropping in QKD protocols.
Although key distribution is the purpose of the QKD protocol, this study focuses on the detectability of eavesdropping in the BB84 QKD protocols, as accurate detection of eavesdropping can help key distribution performance as well. The remainder of this paper is organized as follows: In Section II, we review the procedure of the classical BB84 protocol, define performance metrics, study related works, and clarify contributions. Section III introduces a simple QBER comparison algorithm for the BB84 protocol and evaluates the algorithm using the upper bounds of the false positive ratio (FPR) and false negative ratio (FNR) of eavesdropping  detection. Section IV proposes a novel grouped BB84 protocol and corresponding combinatory eavesdropping detection algorithms to deal with rapidly varying quantum channel conditions. In Section V, we analyze the results from our extensive simulation and compare the security performance of the proposed protocols and algorithms. Finally, Section VI concludes the paper.

II. BACKGROUND AND CONTRIBUTIONS
This section reviews the step-by-step operational procedure of the classical BB84 protocol, defines performance metrics, studies related works, and summarizes the contributions of the study.

A. BB84 Protocol
We review the classical 4-state BB84 protocol [7] by assuming an ideal quantum channel condition, where eavesdropping is the only reason behind QBER > 0. First, Alice generates N binary bits that need to be transported to Bob. To encode a binary bit into a qubit, Alice randomly selects a polarization basis between the diagonal (×) or rectangular (+). The encoding is performed using a publicly shared encoding rule. For example, with a rectangular basis, binary information 0 and 1 can be encoded by a qubit with ↔ and polarizations, respectively. Similarly, a qubit with and polarizations can represent 0 and 1 in a diagonal basis, respectively. An example of the encoding rule is presented in Table I. Because Alice does not share her sending basis, Bob randomly selects a basis between diagonal or rectangular to decode a receiving qubit. If the sending basis of Alice and the receiving basis of Bob are identical for a qubit, Bob can decode an original binary bit without error. Otherwise, the qubit from Alice randomly collapses into one qubit with respect to the basis of Bob. In the aforementioned example, if Alice encodes 0 into a qubit with ↔ polarization and Bob selects a diagonal basis to receive the qubit, the qubit will randomly collapse into a qubit with or polarizations [7]. After transporting N qubits over the quantum channel, Alice and Bob discuss over the classical channel. Bob reports to Alice about his N receiving bases and Alice shares her identical sending bases. Assume that the number of qubits, whose bases between Alice and Bob are identical, is M. Then, Bob shares his decoding results for K qubits, which are subsets of M qubits. Alice can calculate QBER as the number of disagreeing bits in K, divided by K. Without Eve, the QBER must be measured as 0, under the ideal quantum channel conditions [7], [12]- [16]. In the case of intercept-and-resend-attack from Eve, she randomly selects a basis between diagonal or rectangular to intercept a qubit from Alice and resend it to Bob. If the bases between Alice and Eve are identical for a given qubit, the qubit will not experience an error. Otherwise, the qubit will randomly collapse into a qubit associated with the basis used by Eve. Therefore, under the eavesdropping, Alice and Bob measure an average QBER as 25% (= 50% × 50%), as the probability of nonidentical bases between Alice and Eve is 50% and half of them causes bit mismatch.

B. Performance Metrics and Notations
To evaluate the performance of eavesdropping detection, this study adopts the terminologies and metrics used in [17], [18], which are representative measures in anomaly detection research. Table II summarizes the terminologies of truepositive (TP), false-negative (FN), false-positive (FP), and true-negative (TN). For example, TP represents the number of correct judgments when Eve exists.
From the terminology, accuracy can be defined as a performance that is the ratio of the correct judgments to the total judgments made.
Similarly, FNR and FPR are expressed as in (2) and (3) to describe the ratios of incorrect judgments with and without the presence of an eavesdropper, respectively.
Table III summarizes the notations and descriptions used in this paper.

C. Related Works
In the seminal paper on the BB84 protocol [7], Bennett and Brassard assumed a perfect quantum channel and thus, stated that the quantum transmission is free from Eve if the QBER is measured to be 0. Elboukhari et al. [12] calculated FNR in the classical 4-state BB84 to be (3/4) K . In [13], Subramaniam and Parakh analyzed the FNR of the BB84 protocol to be (1/2) K , when the number of bases in BB84 reached infinity. Zamani and Verma [14] proposed a QKD protocol with a two-way quantum channel and calculated the expected QBER as a function of K, which iteratively transmits qubits back and forth between Alice and Bob. In [15], Subramaniam and  Parakh developed a quantum Diffie-Hellman protocol and calculated FNR to be (1/2) K , when the number of bases of the protocol was infinite. Parakh [16] proposed a duplicationbased quantum key transfer protocol and calculated the FNR as (1/2) (# of dup.)×K /4 , where Bob will realign a sequence of bases if he detects a change of qubits between duplications.
The quantum channels in previous eavesdropping detection studies in QKD protocols were considered as ideal, which is not practical. Moreover, although FPR is an important measure in security [19], it has been overlooked in previous research. To the best of our knowledge, this is the first study to statistically detect eavesdropping in QKD protocols for practical quantum channel conditions.

D. Summary of Contributions
Our contributions can be summarized as follows. • We propose a simple eavesdropping detection algorithm that is highly compatible with the classical BB84 protocol. The algorithm judges the intercept-and-resend-attack from Eve by comparing the QBER and θ QBER . We suggest an optimal θ QBER by considering the relative importance between FPR and FNR. • By exploring Hoeffding's inequality, we indicate the presence of a trade-off between the accuracy of eavesdropping detection and the economy of quantum resources. The upper bounds of the FPR and FNR of eavesdropping detection in the proposed algorithm exponentially decrease with respect to the increase in K. • To provide secure communications for rapidly varying quantum channel conditions, we propose a novel design of a grouped BB84 protocol that maintains a polarization basis for a group of bits. We further introduce combinatory eavesdropping detection algorithms that combine QBER and group-QBER criteria for accurate eavesdropping judgment. • We empirically find solutions for thresholds in the proposed protocols and algorithms from extensive simulation studies. We show that the grouped BB84 protocol with optimized algorithms can guarantee a high level of security performance, whereas the classical BB84 protocol fails to do so.

III. EAVESDROPPING DETECTION IN THE CLASSICAL BB84 PROTOCOL
As described in Section II, Alice can measure the QBER by comparing K qubits with Bob in the BB84 protocol. Since a period of an individual qubit transmission is shared between Alice and Bob, study on existence of the individual qubit in signal processing is out of interest of this paper. A qubit may experience errors due to imperfections in the implementation of QKD systems, such as multiple photon generation in a pulse, attenuation in a fiber, and dark current at a photo detector [5], [8]. We define a term, channel error, to represent errors resulting from imperfections in the implementation of the QKD system. We model the channel error as a single random variable and assume independent and identically distributed (i.i.d.) channel errors for each qubit [20]. Therefore, the channel error events of each qubit can be modeled as independent Bernoulli random variables.

A. QBER Comparison Algorithm for Eavesdropping Detection
In this study, we assume that Eve launches an intercept-andresend-attack on all qubits between Alice and Bob. Therefore, the measured QBER can be modeled by the case of either with or without the presence of Eve. Without the presence of Eve, the Bernoulli random variables Q ch,1 , Q ch,2 · · · Q ch,K represent the channel error events of each qubit. Q ch,i is 1 if Alice and Bob disagree on the ith qubit; otherwise, it is 0. Now, Alice calculates the QBER as Similarly, with the presence of Eve, the QBER measured by K qubits can be expressed as where Q eve,i is a Bernoulli random variable for the error event of an ith qubit with the presence of Eve. Notably, both channel error and eavesdropping affect Q eve,i . Owing to the central limit theorem [21], both ν ch,K and ν eve,K can be approximated by normal distributions, if K is sufficiently large, for example, K > 30 [22]. Therefore, the probability density functions (PDFs) of ν ch,K and ν eve,K can be modeled by normal distributions represented by N (μ ch , σ 2 ch /K ) and N (μ eve , σ 2 eve /K ), as illustrated in Figs. 1 (a) and (b), respectively. Please note that μ ch and μ eve are genuine QBERs without and with the presence of Eve, which can be calculated using (4) and (5) with K = ∞, respectively.
We can categorize error event of qubit for cases of identical and non-identical bases between Alice and Eve. Please note that we omit consideration of basis of Bob, because QBER is measured only when bases between Alice and Bob are identical. Then μ eve is expressed as . Appendix A describes all the bit flip events with associated probability. We assume that error events described at Table V in Appendix A are independent each other. Therefore, μ eve can be calculated as (6), by a summation of probability of all error events in Table V.
represent the probability of identical bases between Alice and Eve, the probability of non-identical bases between Alice and Eve, the average channel error between Alice and Eve, the average channel error between Eve and Bob, the conditional probability that binary information is flipped due to a basis of Eve when b A=E , and the conditional probability that binary information is flipped due to a basis of Bob when b A=E , respectively.
Because the QBER in BB84 is measured by qubits whose bases are identical between Alice and Bob, b A=E in (6) represent events when the bases of Alice, Eve, and Bob are all identical. Similarly, b A =E in (6) represent events when the bases of Alice and Bob are identical; however, that of Eve is nonidentical. The first term in (6) calculates the probability that Alice and Eve select identical bases for a given qubit, and binary information encoded in the qubit is flipped once because of the channel error between Alice and Eve or between Eve and Bob. The remaining terms consider the events when Alice and Eve select nonidentical bases for a given qubit. For the nonidentical bases, the second and third terms in (6) calculate the probabilities that the bases of Eve or Bob flip binary information encoded in the qubit once and channel error does not flip or flips twice. Similarly, the fourth and last terms in (6) calculate the probabilities that the channel error flips a binary information encoded in the qubit once, and the bases of Eve and Bob do not flip or flip twice, for the nonidentical bases. Because Alice and Eve randomly select their bases, If we assume that the average channel error between any two entities is the same, namely μ AE = μ EB = μ ch , we can simplify (6) as Please note that the assumption of an ideal quantum channel (μ ch = 0) for (7) results in μ eve to be 25%, same to [7], [12]- [16]. The deterministic distinction between quantum error caused by Eve and that caused by quantum channel is not achievable because of the intersection between the PDFs of ν ch,K and ν eve,K in Figs. 1 (a) and (b). Fortunately, owing to the central limit theorem, an increase in K effectively reduces the variances of each distribution while maintaining averages. Moreover, with a first-order approximation, the distance between μ ch and μ eve in (7) remains at 25%, even though we consider a practical quantum channel condition. From these observations, we propose a QBER comparison eavesdropping detection algorithm that is highly compatible with the classical BB84 protocol. The QBER comparison algorithm judges eavesdropping by comparing the measured QBER to a threshold (θ QBER ). In this algorithm, FN increases when ν eve,K is lower than a given θ QBER in the presence of Eve. Conversely, without the presence of Eve, FP increases when ν ch,K is equal to or higher than θ QBER . It is expected that an appropriate θ QBER with a sufficiently large K in the proposed algorithm can effectively detect eavesdropping, with negligibly small FPR and FNR. We limit θ QBER to a real number within the range (μ ch , μ eve ).

B. Bounds
The FPR can be calculated by integrating the distribution of ν ch,K , from θ QBER to infinity. However, to consider a diverse range of K, we calculate the upper bound of FPR. Using ε FP to denote θ QBER −μ ch , FPR and its upper bound is expressed as (8). The upper bound is calculated by Hoeffiding's inequality, which can calculate the bound of the difference between the genuine and empirical means from the K-sample [23]. The upper bound is expressed by an exponential function with respect to θ QBER , μ ch , and K.
Similarly, upper bound of FNR is written as where ε FN is μ eve − θ QBER . Because μ eve can be calculated by a function of μ ch using (7), the upper bounds of FNR can be written as a function of θ QBER , μ ch , and K, as well. Figure 2 depicts the upper bounds of FPR and FNR of eavesdropping detection for diverse K and θ QBER , calculated by (8) and (9). We considered 1% and 10% for μ ch . As expected, the increase in K exponentially reduces the upper bounds of FPR and FNR. Figure 2 clarifies the trade-off between the security performance of the algorithm and the economy of quantum resources in the BB84 protocol. Because a qubit is a costly quantum resource, careful selection of K is required by considering the security criteria of the networking service. For example, as shown in Fig. 2 (a) and (b), comparison of 300 qubits for QBER is sufficient to guarantee lower than 0.009% of FPR and FNR, if we set θ QBER to 0.135. A small θ QBER effectively reduces the upper bound of FNR at the cost of increasing the upper bound of FPR. Similarly, a large θ QBER improves the upper bound of FPR by sacrificing the upper bound of FNR. Therefore, the selection of an appropriate θ QBER is a significantly important problem in the proposed algorithm. Optimal θ QBER for the proposed algorithm for diverse α, K, and μ ch .

C. Optimal Threshold
We define an optimal θ QBER that satisfies The objective function in (10) is a summation of the upper bound of FNR and the weighted upper bound of FPR by a balancing parameter α (0 ≤ α ≤ 1), as the reduction of FN is practically important in security [12]- [16], [18]. Both the first and second terms in (10) are differentiable. Therefore, we can find an optimal θ QBER by differentiating the objective function with respect to θ QBER .
According to the Appendix B, the optimal θ QBER for the proposed algorithm can be expressed as (12), with respect to α, μ ch , and K.
The optimal θ QBER in (12) under the ideal quantum channel condition is calculated as (ln α)/K + 0.125. If we further assume equal importance between FPR and FNR, the optimal θ QBER is calculated as 12.5% which is half of 25%. Figure 3 plots optimal θ QBER calculated by (12). In a small α regime, the objective function in (10) finds an optimal θ QBER , which lowers the upper bound of FNR. Therefore, the optimal θ QBER in Fig. 3 follows a monotonic decrease with respect to the decrease of α. From (8) and (9), the upper bounds of FPR and FNR for a given K are symmetric to the θ QBER = 0.125 + μ ch − 0.5μ 2 ch . Therefore, when α is 1, the optimal θ QBER in (12) is independent of K and plotted at 0.125 + μ ch − 0.5μ 2 ch in Fig. 3. As expected, a large μ ch finds a large optimal θ QBER .

IV. EAVESDROPPING DETECTION IN THE GROUPED BB84 PROTOCOL
The optimal θ QBER in (12) requires information of μ ch . However, accurate estimation of μ ch is infeasible in the practical communication networks. In this paper, we assume that Alice and Bob can approximate μ ch before QKD transmission. According to [24], Alice and Bob can approximately predict μ ch from the quantum interference visibility, before actual QKD transmission. A gap between the predicted and measured QBERs lies within 1% in 120km QKD transmission. Moreover, it is shown that fluctuation of QBER in QKD transmission lies within 0.16% during 70-hour monitoring period [25].
The proposed QBER comparison eavesdropping detection algorithm in Section III assumes a stationary quantum channel condition where μ ch does not change over time. In practical time-varying quantum channel conditions, an optimal θ QBER calculated by a function of μ ch at time t can be outdated when it is applied at time t + τ (τ > 0). Moreover, if an eavesdropper has prior knowledge of our QBER comparison algorithm, the eavesdropper can degrade the security performance of the algorithm by manipulating the QKD devices and rapidly changing the quantum channel error. We defineμ thr ch and μ alg ch for genuine QBERs on the quantum channel when calculating an optimal θ QBER at t, and applying the eavesdropping detection algorithm at t + τ , respectively. For example, the optimal θ QBER is calculated to be 0.135 from (12), when μ thr ch = 1%, K = 200, and α = 1. However, if μ alg ch changes to 10%, the upper bound of FPR is calculated as 61% from (8), which is not acceptable for a practical system. To provide highly secure communications for rapidly varying quantum channel conditions, Section IV proposes a grouped BB84 protocol with associated eavesdropping detection algorithms.

A. Grouped BB84 Protocol
As described in (8) and (9), the decreasing slopes of the upper bounds of FPR and FNR of eavesdropping detection with respect to the increase in K becomes smaller when K is large. To effectively exploit the limited qubit resources, we introduce a grouped BB84 protocol, as shown in Fig. 4. Alice generates a sequence of N random binary bits. She randomly selects a polarization basis between diagonal (×) and rectangular (+) bases, which is maintained during encoding b bits in a row. The example in Fig. 4 assumes the encoding rule shown in Table I. We define a group to represent a set of successive b qubits. An example of an intercept-and-resend-attack by Eve and decoding by Bob is shown in Fig. 4. A value of b can be selected as a divisor of N. Because the value of b is publicly shared, Alice and Bob can maintain a basis for a group using a counter.
We assume that Eve has prior knowledge of the grouped BB84 protocol. Under this assumption, Eve can spoil the protocol by changing her polarization basis within b qubits. Therefore, maximum size of b is limited by photon pulse interval of pulse generator of Alice, minimum required switching time of polarization switch of Eve, and dead time of photo detector of Bob. With state-of-the-art technology, we assume that Alice is with 100GHz level photon generator [26], [27], Eve is with LiNbO3 technology-based tens of MHz switch [28], and Bob is with tens of ns dead time photo detector [29], [30]. If Bob takes advantage of multiplexed single photon detector technology [31], it is sufficient to set b as thousands of qubits. For the photo detector, avalanche photodiode with a single photon counting method can detect qubits in the noisy channel. Superconducting single photon detector operated in the cryogenic environment can achieve extremely low dark counts, due to the low noise [32].
After sending all qubits over the quantum channel, Alice and Bob discuss their bases over a public channel. Bob reports his receiving bases for groups, Alice replies identical bases, and Bob shares parts of his decoding results of qubits regarding identical bases. The bases between Alice and Bob are either identical or nonidentical for b qubits in a group. If the bases of Alice and Bob are identical for a group, Bob shares the decoding results of whole or nothing of the b qubits in the group. In other words, in the proposed grouped BB84 protocol, the minimum period of basis change and the granularity of decoding results sharing are b, which is the cardinality of a group.
Bob shares his decoding results of K qubits. Alice categorizes the K qubits into groups and indexes them from G 1 to G K /b . The grouped BB84 protocol measures two types of error statistics between Alice and Bob; group-QBER and QBER. The group-QBER is a set of measured QBERs for each group. The cardinality of the group-QBER is K/b. Because we consider an equivalent cardinality for all groups, the QBER can be calculated by averaging the group-QBER. For example, assume that K and b are 100 and 20, respectively. Bob shares the decoding results of qubits in G 1 , G 2 , G 3 , G 4 , and G 5 . If the number of disagree bits between Alice and Bob in each group is 2, 11, 1, 10, and 2, the group-QBER and QBER are calculated to be {0.1, 0.55, 0.05, 0.5, 0.1} and 0.26, respectively. Due to the identical error event assumption for each qubit, the grouped BB84 protocol does not affect QBER and secret key rate from those of the classical BB84 protocol. Figures 5 (a) and (b) illustrate the flow charts of the proposed combinatory eavesdropping detection algorithms for the grouped BB84 protocol. This paper suggests two types of combinatory algorithms to judge Eve; combining QBER Fig. 5. Flow charts of combinatory eavesdropping detection algorithms with "or" (a) and "and" (b) operations between QBER and group-QBER to judge eavesdropping. and group-QBER criteria with "or" and "and" operations, as shown in Figs. 5 (a) and (b), respectively. In Fig. 5 (a), an eavesdropping is judged, unless both the QBER and group-QBER criteria are not satisfied. The QBER and group-QBER comparison algorithm in Fig. 5 (b) judges eavesdropping if both QBER and group-QBER criteria are satisfied. The QBER criterion is satisfied when the measured QBER is equal to or higher than a threshold, which is the same as the QBER comparison algorithm introduced in Section III. The group-QBER criterion will be met if both (13) and (14) are satisfied.

B. Combinatory Eavesdropping Detection Algorithms for the Grouped BB84 Protocol
Here, I x is 1 if x is true and 0 otherwise. Regarding a group-QBER set, (13) represents a condition in which the ratio of elements whose QBER is higher than θ h G−QBER is higher than γ h . Similarly, (14) will be satisfied if the ratio of elements whose QBER is lower than θ l G−QBER , is higher than γ l . Please note that the "or" operation in Fig. 5 (a) relaxes the criteria for eavesdropping judgment so that it can effectively reduce FN at the cost of FP, from the QBER comparison algorithm.

C. Thresholds and Group Size
The security performance of the proposed algorithms highly depends on the thresholds (θ QBER , θ h G−QBER , θ l G−QBER , γ h , γ l ) and group size b. We first calculate and fix an optimal θ QBER using (12) for a given K, α, and μ thr ch . Then, using (15), we find a solution for thresholds (θ h G−QBER , θ l G−QBER , γ h , γ l ) and a group size b, for a given K, α, and the optimal θ QBER .
Because our purpose is to provide secure communications through the rapidly varying quantum channel conditions, (15) aims to minimize the summation of FNR and weighted FPR by assuming μ thr ch = μ alg ch conditions. In (15), we assume that μ alg ch is independent of μ thr ch and distributed uniformly from 1% to a max %. By considering the relative importance between FPR and FNP, the FPR is weighted by a balancing parameter α, where 0 ≤ α ≤ 1.
For a given K, α, and optimal θ QBER , we empirically solve (15) Table IV summarizes cases of combination between QKD protocol and eavesdropping detection algorithm investigated in this paper. We define Case 1 for the QBER comparison algorithm over classical BB84 protocol. Similarly, Case 2 and Case 3 represent algorithms illustrated in Fig. 5 (a) and Fig. 5 (b) with the grouped BB84 protocol, respectively. From the protocol perspective, one can regard Case 1 as a conventional method, since it runs over the classical BB84 protocol. We evaluate the security performance (FPR, FNR, and accuracy)  , respectively. The curve with black circular data points indicates the performance of the Case 1, which judges eavesdropping by comparing QBER and θ * QBER . Red triangle and blue rectangular curves represent the performance of the Case 2 and Case 3, respectively. For the Cases, the thresholds and group sizes summarized at Table VI in Appendix C are used for the simulations. The performance is plotted by averaging 10,000 iterations of simulations. We consider N = 10,000 for each iteration and randomly select 100 and 300 qubits for K to calculate the QBER.

A. FPR
When μ thr ch < μ alg ch , all Cases cause a number of FPs, because the optimal θ QBER calculated by μ thr ch becomes too small for actual operation μ alg ch . Conversely, when μ alg ch is small, all Cases show negligibly small FPRs, as shown in Figs. 6 and 9, regardless of μ thr ch . The Case 1 finds an optimal θ QBER by assuming that μ thr ch = μ alg ch . Therefore, as shown in Figs. 6 (a), 6 (b), 9 (a), and 9 (b), when μ thr ch < μ alg ch , the Case 1 suffers from severe FPR. The Case 2 shows similar FPR performance to those of the Case 1 in these realms. However, strict criteria for judgment of eavesdropping in the Case 3 can effectively reduce the FPR for μ thr ch < μ alg ch cases. For large μ thr ch and μ alg ch , as shown in Figs. 6 (c), 6 (d), 9 (c), and 9 (d), both the Case 1 and Case 3 achieve negligibly small FPR. However, owing to the relaxation of criteria for judgment of eavesdropping in the algorithm, Case 2 shows poor FPR performance. A small α results in poor FPR performance for all Cases, because the importance of FPR weakens when α is small.

B. FNR
When μ thr ch > μ alg ch , the optimal value for θ QBER in the Case 1 becomes unnecessarily large for actual μ alg ch , and thus may cause a number of FNs, as shown in Figs. 7 (c), 7 (d), 10 (c), and 10 (d). The Case 3 suffers from the worst FNR in these areas owing to the strict criteria for judgment of eavesdropping. However, owing to the relaxation of criteria for judgment of eavesdropping, the Case 2 effectively achieves the best FNR performance for the cases μ thr ch > μ alg ch . As shown in Figs. 7 (a) and (b), when both μ thr ch and μ alg ch are small and K is small, the Case 2 and Case 3 show relatively poor FNR performance because the combinatory algorithms divide K into groups to judge eavesdropping, which degrades the accuracy of eavesdropping detection. However, when K is sufficiently large, as shown in Figs. 10 (a) and (b), dividing K into groups rarely affects accuracy. As expected, a small α improves the FNR performance of all Cases.

C. Accuracy
As defined by (1), FP and FN directly affect accuracy. In the proposed eavesdropping detection algorithms, the majority of FP and FN are produced when μ thr ch < μ alg ch and μ thr ch > μ alg ch , respectively. When μ thr ch ≈ μ alg ch , the Case 1  shows good accuracy performance in Figs. 8 and 11, because it calculates an optimal θ QBER by assuming μ thr ch = μ alg ch . In our simulation study for μ thr ch = μ alg ch conditions, the worst accuracy of the Case 1 is 99.75%, as shown at μ alg ch = 10% in Fig. 8 (d). However, increase of FP at μ thr ch < μ alg ch and increase of FN at μ thr ch > μ alg ch critically degrade accuracy performance of the Case 1. For example, the worst accuracies of the Case 1 over the entire simulation conditions are 83.28% (μ alg ch = 10% in Fig. 8 (a)) and 96.79% (μ alg ch = 10% in Fig. 11 (a)), when K = 100 and 300, respectively.
The strict criteria for judgment of eavesdropping in the Case 3 effectively lowers FP, and thus introduces a high level of accuracy in cases of μ thr ch < μ alg ch , as shown in Figs. 8 (a), 8 (b), 11 (a), and 11 (b). The Case 3 achieves a maximum of 12% higher accuracy than that of the Case 1, as shown at μ alg ch = 10% in Fig. 8 (a). With a large K, the Case 3 achieves 99.98% accuracy at μ alg ch = 10% in Fig. 11 (a) and 99.97% accuracy at μ alg ch = 10% in Fig. 11 (b), whereas others fail. However, an increase in FN due to the strict criteria degrades accuracy when μ thr ch > μ alg ch . Based on the observations, we can highlight that the Case 3 can be an appropriate solution when the value of μ thr ch is small.  The relaxation of criteria for judgment of eavesdropping in the Case 2 effectively reduces FN with a small FP overhead for cases of μ thr ch > μ alg ch . Therefore, the accuracy of the Case 2 outperforms the other Cases in this condition. For example, as shown at μ alg ch = 1% in Fig. 8 (d), the Case 2 achieves 98.77% of accuracy, whereas those of Case 1 and Case 3 are limited to 90.79% and 87.40%, respectively. However, if K is small, α is small, and both μ thr ch and μ alg ch are large, the Case 2 shows 94.51% accuracy, which is the worst among the Cases, as shown in Fig. 8 (c). There may be two reasons for this observation. First, the Case 2 causes many FPs to minimize FN when α is small. Second, dividing K into groups significantly degrades accuracy, especially when K is small. Accordingly, as shown in Fig. 11 (c), the Case 2 effectively achieves 99.92% accuracy at μ alg ch = 10% when K is 300. The extensive simulation study reveals that the Case 2 can be a solution for highly secure networking when K and μ thr ch are large.
A comparison between (a) and (b) in Figs. 8 and 11 shows that a large α effectively enhances the accuracy performance of all Cases when μ thr ch < μ alg ch , because the accuracy highly depends on FP in this area. Conversely, a large α degrades the accuracies of the Case 1 and Case 3 when μ thr ch = 10%. This is because a large α attempts to reduce FP by sacrificing FN, where the accuracy is highly affected by FN, when μ thr ch is large. Value of b significantly affects accuracy performance of Case 2 and Case 3. For example, when K = 300, μ thr ch = 10%, μ thr ch = 1%, and α = 0.1, Case 2 with b = 60 suffers from 73.34% of accuracy, whereas b = 6 in Fig. 11 (c) achieves 99.92% of accuracy. As shown in Appendix C, the extensive simulation study reveals that the optimal b is calculated as much smaller then K/b, regardless of specific conditions. Therefore, as described at Section IV, limitation of range of b due to the hardware technology of QKD rarely affects the performance of the proposed protocol and algorithms.
From the simulation results, one can dynamically combine Case 2 and Case 3 with respect toμ thr ch . We empirically propose Case 4. The Case 4 works as Case 2, if μ thr ch ≥ 5%, otherwise, Case 3. Figure 12 compares the worst accuracy of Cases 1 and 4 for μ thr ch = 1%, 5%, and 10%. The value of α is limited to as 1. The worst accuracy is calculated by the minimum accuracy among simulation results for all μ alg ch . As shown in Fig. 12, the Case 4 can guarantee at least 98.29% and 99.97% of accuracies for K = 100 and 300, respectively.

D. Impact of K
Based on the comparison between Figs. 6-8 and 9-11, it is clear that an increase in K improves the security performance of all Cases, which can be explained by the central limit theorem. When K is large, the performance gain from the combinatory criteria is much higher than the performance loss from dividing K into groups in the combinatory algorithms. In our extensive simulation study for K = 300 and μ thr ch = 1%, the Case 3 shows at least 99.97% accuracy (μ alg ch = 10% in Fig. 11 (b)) in eavesdropping detection. As shown at μ alg ch = 1% in Fig. 11 (c), the Case 2 guarantees 99.92% accuracy in eavesdropping detection, when K = 300 and μ thr ch = 10%. To provide straightforward comparisons between the Cases, this study evaluates the security performance for K = 100 and 300. However, as it is clear that a larger K can introduce a much higher degree of accuracy in eavesdropping detection, we expect a significantly high level of security in the ICT with the proposed Cases. For example, in our 10,000 iterations of simulations, the Case 1 shows 100% accuracy for all conditions of μ thr ch , μ alg ch , and α, when K reaches 2,000.

VI. CONCLUSION
Because it is not feasible to deterministically distinguish between quantum error from eavesdropping and intrinsic quantum channels, most studies on the security of QKD have concentrated on the secret key rate performance rather than the detection of eavesdropping. Motivated by the central limit theorem, this study investigates the statistical detection of eavesdropping in the BB84 protocols as a function of the number of qubits used. Hoeffding's inequality manifests a tradeoff between the accuracy of eavesdropping detection and the economy of quantum resources by means of FPR and FNR analyses. The QBER calculated by 300 qubits guarantees FPR and FNR lower than 0.009% simultaneously. To provide secure communications against the rapidly varying quantum channel conditions, we propose a grouped BB84 protocol, where the period of basis changing, and the granularity of decoding result sharing are a group of qubits. Inspired by the predictability of the distributions of QBER and group-QBER statistics in the grouped BB84 protocol, this study introduces combinatory eavesdropping detection algorithms. From the extensive simulation study, an optimal combinatory algorithm with respect to a channel condition guarantees 99.97% accuracy of eavesdropping detection, when the number of qubits used to calculate the QBER is 300 and importance between FPR and FNR is equal. In this paper, numerical analysis of FPR and FNR for BB84 is limited to their upper bounds. We leave evaluation of exact FPR and FNR for the future study, which requires accurate variance information of distributions.
In this study, we have simplified models and assumptions to provide straightforward analysis and intuition. For example, we abstracted the quantum channel errors for diverse reasons into a single variable. In future studies, we will consider eavesdropping detection in QKD protocols for further practical conditions. Moreover, this study does not consider interceptand-resend-attack to a part of qubits between Alice and Bob. The Intercept-and-resend-attack to a part of qubits can degrade the eavesdropping detection performance of the proposed protocol and algorithm, by lowering QBER with the presence of Eve. On the other hand, Alice and Bob can take advantage of higher secret key rate which is calculated as a function of QBER. We leave investigation of the tradeoff between eavesdropping detection performance and secret key rate for the future study. APPENDIX A Table V describes bit flip events of the original binary information. The error events between Alice and Eve and the error events between Eve and Bob are assumed to be independent. We assume that the channel errors and errors from non-identical bases between two entities are independent. An original binary information generated by Alice does not coincide with a decoding result of Bob, if a qubit experiences odd number of bit flip events by basis of Eve, basis of Bob, channel error between Alice and Eve, and channel error between Eve and Bob. For example, the first event in Table V represents when bases between Alice and Eve are identical with a probability p(b A=E ), a qubit experiences channel error between Alice and Eve with a probability μ AE , and the qubit does not undergo channel error between Eve and Bob with a probability (1 − μ EB ). Please note that a qubit does not collapse at bases of Eve and Bob, if bases between Alice and Eve are identical, namely, p(q c E |b A=E ) = p(q c B |b A=E ) = 0. Therefore, the original binary information encoded in the qubit is flipped once with a probability of p(b A=E )μ AE (1 − μ EB ), as shown at the first event in Table V. APPENDIX B By organizing terms, we can rewrite (11)  Then, we can put θ * QBER related terms to the right side of (B.1) to as We limit the range of θ QBER to (μ ch , μ eve ), where μ eve can be expressed as 0.25 + μ ch − μ 2 ch by (7). Accordingly, both the numerator and denominator in term A in (B.4) are greater than 0. Because the area of interest for μ ch is much smaller than 1, we can approximate the term B in (B.4) to 1. Therefore, the optimal θ QBER for the proposed algorithm can be expressed as  Table VI summarizes the empirical solutions for thresholds and group sizes for the proposed protocol and algorithms. To find solutions, we iteratively run simulations 10,000 times for each candidate in the entire search space and find the best solution for each condition.