Security loophole in error verification in quantum key distribution

The security of quantum key distribution (QKD) is evaluated based on the secrecy of Alice's key and the correctness of the keys held by Alice and Bob. A practical method for ensuring correctness is known as error verification, in which Alice and Bob reveal a portion of their reconciled keys and check whether the revealed information matches. In this paper, we argue that when the verification is executed in QKD protocols, it must be assumed that its outcome is leaked to Eve. However, we observe that some existing security proofs for QKD protocols that abort based on this outcome do not explicitly take into account the information leakage associated with this outcome. To address this problem, we present a simple and practical method that builds on Renner's approach using the leftover hash lemma. Specifically, we show that even if verification's outcome is leaked to Eve, the security can still be guaranteed by increasing the number of bits reduced in privacy amplification by just one bit. This result, presenting a method to incorporate a key step in practical QKD protocols into security proofs, is expected to play an important role in future standardization and formal certification of QKD protocols.