A central assumption in quantum key distribution (QKD) is that Eve has no knowledge about which rounds will be used for parameter estimation or key distillation. Here we show that this assumption is violated for iterative sifting, a sifting procedure that has been employed in some (but not all) of the recently suggested QKD protocols in order to increase their efficiency. We show that iterative sifting leads to two security issues: (1) some rounds are more likely to be key rounds than others, (2) the public communication of past measurement choices changes this bias round by round. We analyze these two previously unnoticed problems, present eavesdropping strategies that exploit them, and find that the two problems are independent. We discuss some sifting protocols in the literature that are immune to these problems. While some of these would be inefficient replacements for iterative sifting, we find that the sifting subroutine of an asymptotically secure protocol suggested by Lo et al (2005 J. Cryptol. 18 133-65), which we call LCA sifting, has an efficiency on par with that of iterative sifting. One of our main results is to show that LCA sifting can be adapted to achieve secure sifting in the finite-key regime. More precisely, we combine LCA sifting with a certain parameter estimation protocol, and we prove the finite-key security of this combination. Hence we propose that LCA sifting should replace iterative sifting in future QKD implementations. More generally, we present two formal criteria for a sifting protocol that guarantee its finite-key security. Our criteria may guide the design of future protocols and inspire a more rigorous QKD analysis, which has neglected sifting-related attacks so far.

Here, equation (1) expresses the absence of non-uniform sampling, i.e., that the probability $P_\Theta(\vartheta)$ for a partitioning $\vartheta$ of the total rounds into sample rounds and KG rounds is independent of $\vartheta$.
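The non-uniform sampling that equation (1) rules out can be made concrete with a small calculation, added here as an example that is not from the paper. It assumes a simplified model of iterative sifting that this page does not spell out: Alice and Bob each pick basis X independently with probability `p_x`, rounds with matching bases are kept until quotas of `n` X-rounds and `k` Z-rounds are both met, and surplus rounds are then discarded uniformly at random; all function names are hypothetical.

```python
import random
from collections import Counter
from fractions import Fraction
from itertools import permutations
from math import comb

def exact_theta_dist(n, k, p_x):
    """Exact P(theta) for each sifted basis string with n X's and k Z's."""
    p_x = Fraction(p_x)
    q = p_x**2 / (p_x**2 + (1 - p_x)**2)   # P(an agreed round is in X)
    # The final round is Z iff the n-th X agreement precedes the k-th Z agreement.
    last_z = sum(comb(n - 1 + j, j) * q**n * (1 - q)**j for j in range(k))
    dist = {}
    for s in sorted(set(permutations("X" * n + "Z" * k))):
        theta = "".join(s)
        # Given the final basis, the earlier kept rounds are exchangeable.
        if theta.endswith("Z"):
            dist[theta] = last_z / comb(n + k - 1, n)
        else:
            dist[theta] = (1 - last_z) / comb(n + k - 1, k)
    return dist

def simulate_theta(n, k, p_x, rng):
    """One run of the assumed sifting model (an assumption, not the paper's text)."""
    kept = []
    while kept.count("X") < n or kept.count("Z") < k:
        a = "X" if rng.random() < p_x else "Z"   # Alice's basis choice
        b = "X" if rng.random() < p_x else "Z"   # Bob's basis choice
        if a == b:                               # mismatched rounds are dropped
            kept.append(a)
    # Random discarding: trim the over-filled basis back to its quota.
    for basis, quota in (("X", n), ("Z", k)):
        idx = [i for i, c in enumerate(kept) if c == basis]
        for i in rng.sample(idx, len(idx) - quota):
            kept[i] = None
    return "".join(c for c in kept if c)

def empirical_theta_dist(n, k, p_x, runs=20000, seed=1):
    """Monte Carlo estimate of P(theta), used to cross-check the exact values."""
    rng = random.Random(seed)
    counts = Counter(simulate_theta(n, k, p_x, rng) for _ in range(runs))
    return {theta: c / runs for theta, c in counts.items()}

if __name__ == "__main__":
    for theta, p in exact_theta_dist(2, 1, Fraction(1, 2)).items():
        print(theta, p)
```

Even with unbiased basis choices, unequal quotas make the three possible partitions unequally likely, so the uniformity that equation (1) demands fails under this model.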
Equation (2) expresses the absence of basis information leak, which is formally expressed by stating that the classical communication $\Theta^l$ associated with the sifting process is uncorrelated (i.e., in a tensor product state) with Alice's and Bob's quantum systems $A^l B^l$. (The precise details of these two equations will be explained in section 6.) We find that the two problems are in fact independent. Hence, security from one of the two problems does not imply security from the other. The two formal criteria can be used to check whether a candidate protocol is subject to the two problems or not.

New J. Phys. 18 (2016) 053001 C Pfister et al

1 2 instead of ( ) ( ) J J J J = ¼ = , , , 2 1 . 1 6 z z z z z ( ) å å J J = ¢ ¢ J J ¢ ÎW ¢Q ¢ ÎW ¢Q s s P z z P z z , , , , , E 2 1 z z ZZ z z ZZ , , , , j tot tot where {( ) | ( ) ( ) } ( ) J J J