The use of quantum bits (qubits) in cryptography holds the promise of secure cryptographic quantum key distribution schemes. Unfortunately, the implemented schemes can be totally insecure. We provide a thorough investigation of security issues for practical quantum key distribution, taking into account channel losses, a realistic detection process, and modifications of the "qubits" sent from the sender to the receiver. We first show that even quantum key distribution with perfect qubits cannot be achieved over long distances when fixed channel losses and fixed dark count errors are taken into account. Then we show that existing experimental schemes (based on "weak-pulse") are usually totally insecure. Finally we show that parametric downconversion offers enhanced performance compared to its weak coherent pulse counterpart.Pacs: 03.67. Dd, 42.50.Dv, 03.65.Bz, 89.80.+h Quantum information theory suggests the possibility of accomplishing tasks which are beyond the capability of classical computer science, such as information-secure cryptographic key distribution [1,2]. The lack of security proofs for standard (secret-and public-) key distribution schemes, and the insecurity of the strongest classical schemes against "quantum attacks" [3], emphasizes the need for information-secure key distribution. Whereas the security of idealized quantum key distribution (qkd) schemes has been investigated against very sophisticated collective and joint attacks (e.g., [4,5]), the experimental qkd schemes have been proven secure against the simple individual attack only recently [6] (via the application of ideas presented here).In the four-state scheme [1], usually referred to as Bennett-Brassard-84 (BB84), the sender (Alice) and the receiver (Bob) use two conjugate bases (say, the rectilinear basis, +, and the diagonal basis, ×) for the polarization of single photons. In basis + they use the two orthogonal basis states |0 + and |1 + to represent "0" and "1" respectively. In basis × they use the two orthogonal basis states2)[|0 + − |1 + ] to represent "0" and "1". The basis is revealed later on via an unjammable and insecure classical channel. The signals where Bob used the same basis as Alice form the sifted key on which Bob can decode the bit value. The remaining signals are being discarded. Finally, they test a few bits to estimate the error-rate, and if the test passes (the tested error-rate is less than some pre-agreed threshold), they use errorcorrection and privacy amplification to obtain a potentially secure final key [7,8].The security of that scheme, which assumes a source of perfect qubits as well as losses and errors which are bounded by some small threshold, has been investigated in various works. Very simple attacks already render realistic qkd impossible, as we show here.The experiments are usually based on weak coherent pulses (wcp) as signal states with a low probability of containing more than one photon [7,9]. Initial security analysis of such weak-pulse schemes were done [7,10], and evidence of some potentia...
