Existing quantum cryptographic schemes are not, as they stand, operable in the presence of noise on the quantum communication channel. Although they become operable if they are supplemented by classical privacy-amplification techniques, the resulting schemes are difficult to analyze and have not been proved secure. We introduce the concept of quantum privacy amplification and a cryptographic scheme incorporating it which is provably secure over a noisy channel. The scheme uses an “entanglement purification” procedure which, because it requires only a few quantum controllednot and single-qubit operations, could be implemented using technology that is currently being developed. [S0031-9007(96)01288-4] Quantum cryptography [1 ‐ 3] allows two parties (traditionally known as Alice and Bob) to establish a secure random cryptographic key if, first, they have access to a quantum communication channel, and second, they can exchange classical public messages which can be monitored but not altered by an eavesdropper (Eve). Using such a key, a secure message of equal length can be transmitted over the classical channel. However, the security of quantum cryptography has so far been proved only for the idealized case where the quantum channel, in the absence of eavesdropping, is noiseless. That is because, under existing protocols, Alice and Bob detect eavesdropping by performing certain quantum measurements on transmitted batches of qubits and then using statistical tests to determine, with any desired degree of confidence, that the transmitted qubits are not entangled with any third system such as Eve. The problem is that there is in principle no way of distinguishing entanglement with an eavesdropper (caused by her measurements) from entanglement with the environment caused by innocent noise, some of which is presumably always present. This implies that all existing protocols are, strictly speaking, inoperable in the presence of noise, since they require the transmission of messages to be suspended whenever an eavesdropper (or, therefore, noise) is detected. Conversely, if we want a protocol that is secure in the presence of noise, we must find one that allows secure transmission to continue even in the presence of eavesdroppers. To this end, one might consider modifying the existing pro