Coherent Eavesdropping Attacks in Quantum Cryptography: Nonequivalence of Quantum and Classical Key Distillation

The security of a cryptographic key that is generated by communication through a noisy quantum channel relies on the ability to distill a shorter secure key sequence from a longer insecure one. We show that -- for protocols that use quantum channels of any dimension and completely characterize them by state tomography -- the noise threshold for classical advantage distillation is substantially lower than the threshold for quantum entanglement distillation because the eavesdropper can perform powerful coherent attacks. The earlier claims that the two noise thresholds are identical, which were based on analyzing incoherent attacks only, are therefore invalid.