Security loophole in error verification in quantum key distribution

TL;DR

This paper reveals a security loophole in quantum key distribution caused by improper error verification, and proposes a method to correctly incorporate the revised secrecy definition into existing security proof frameworks.

Contribution

It identifies a critical oversight in QKD security proofs related to error verification and offers a translation method to ensure validity across different proof approaches.

Findings

Neglecting the revised secrecy definition can lead to incorrect security claims.

The proposed translation preserves security proof validity without changing key length.

Existing security proofs based on phase error correction remain valid with proper interpretation.

Abstract

The security of quantum key distribution (QKD) is evaluated based on the secrecy of Alice's key and the correctness of the keys held by Alice and Bob. A practical method for ensuring correctness is known as error verification, in which Alice and Bob reveal a portion of their reconciled keys and check whether the revealed information matches. In this paper, we point out that when error verification is performed in a QKD protocol, the definition of secrecy must be revised accordingly. We illustrate the necessity of this revision with a counterexample, showing that neglecting it can lead to an incorrect security claim. In particular, we observe that in the case of security proof method based on phase error correction, which is one of the mainstream approaches and also known as Koashi's approach, no explicit method has been established to properly incorporate the revised secrecy definition. To resolve this issue, we present a way to translate the phase error correction-based approach into another mainstream approach, called the leftover hashing lemma-based approach, also known as Renner's approach, where a solution has already been formulated. As a consequence, security proofs under the phase error correction-based approach automatically remain valid without any change in the secret key length, even if they implicitly consider error verification without revising the secrecy definition.