The E91 Protocol
Imagine hiring a security guard whose only job is to certify, from the outside, that your secret was
never touched — and who works even if you don't trust the locks, the safe, or the guard's own tools.
In 1991 Artur Ekert showed how to build exactly that guard out of physics. His
protocol, E91, distributes a secret key using
entangled pairs,
and its proof of safety is not a hard maths problem but a measurable fact about nature: a
Bell-inequality violation. If the violation is there in full, the pairs were genuinely
entangled and nobody listened in. If it fades, you throw the key away. The security certificate is
the physics.
The setup: one source, two random dials
A central source repeatedly prepares the Bell state
|\Phi^+\rangle and sends one qubit to Alice and the other to
Bob:
|\Phi^+\rangle = \tfrac{1}{\sqrt2}\big(|00\rangle + |11\rangle\big).
For each incoming qubit, Alice and Bob each independently pick a measurement axis at random
from a small menu of angles, and record their 0/1 outcome. Because the choices
are made separately and only revealed afterwards, no adversary — and no faulty device — can know in
advance which axis either party will use. Once many pairs are done, they announce their axis choices
(but not the outcomes) over a public channel and sort every run into two piles:
-
Matched axes — the runs where they happened to measure along the same
direction. These give the secret key.
-
Mismatched axes — the runs where they chose different directions. These are
spent, publicly, to compute a Bell quantity S — the security test.
Worked example 1: where the key bits come from
Take a run where Alice and Bob both happen to measure |\Phi^+\rangle along the
same axis. In the computational basis the state is
\tfrac{1}{\sqrt2}(|00\rangle + |11\rangle), so the only outcomes with non-zero
amplitude are 00 and 11, each with probability
\big|\tfrac{1}{\sqrt2}\big|^2 = \tfrac12. The outcomes
01 and 10 are impossible.
So on every matched-axis run the two results are perfectly correlated: if Alice reads
0, so does Bob; if she reads 1, so does he. Neither
of them can predict the individual bit — it is a fair coin — but they are guaranteed to get the
same one. Line those matched-run bits up and Alice and Bob hold an identical random string: their
shared secret key. The probability their two key bits agree is
\Pr[\text{Alice} = \text{Bob} \mid \text{same axis}] = 1.
Worked example 2: the Bell test, S = 2√2
The mismatched runs are where the magic hides. From them Alice and Bob estimate correlators
E(a,b) — the average of (Alice's \pm1) times
(Bob's \pm1) when Alice used axis a and Bob used
axis b. Combining four such settings gives the CHSH quantity
S = E(a,b) - E(a,b') + E(a',b) + E(a',b').
Any theory in which each qubit secretly carried its answers all along — a
local hidden-variable model — is bound by the classical CHSH inequality:
|S| \le 2 \qquad \text{(classical bound).}
Now compute S for the genuine Bell pair. For |\Phi^+\rangle
a correlator depends only on the angle between the two chosen axes, and with Ekert's optimal choice of the
four angles each of the four terms has magnitude \cos 45^\circ = \tfrac{1}{\sqrt2},
all adding constructively:
S = 4 \times \tfrac{1}{\sqrt2} = 2\sqrt2 \approx 2.83.
That is bigger than 2 — the quantum pair violates the classical bound. In fact
2\sqrt2 is the largest value quantum mechanics itself allows (Tsirelson's
bound). Measuring S = 2\sqrt2 is a certificate, checkable from the public data
alone, that the pairs really were entangled.
Seeing it: the security bar
The whole protocol lives in one picture. The dashed line is the classical ceiling
S = 2 that any un-entangled or eavesdropped pair cannot beat. Clean
|\Phi^+\rangle pairs shoot past it to 2\sqrt2; the
moment an eavesdropper meddles, the bar sags back down toward — and below — the line. Reveal the bars
one at a time.
What an eavesdropper does to S
Suppose Eve tries the obvious attack: intercept each qubit in flight, measure it along
some axis, and pass on a fresh qubit prepared to match. Her measurement forces the intercepted qubit into
a definite state — which is exactly the "hidden variable" the classical bound assumes. Any run she touches
therefore obeys |S| \le 2. Mixing her tampered runs in with the honest ones can
only drag the measured S down toward 2.
So Alice and Bob don't need to catch Eve in the act. They simply compute S from
the public mismatched runs. See the full 2\sqrt2 and the key is safe; see
S slumped toward 2 and they know someone — or
something — interfered, so they discard the key and try again. Even a perfectly disguised eavesdropper
cannot fake correlations she has already destroyed.
E91 vs BB84: two roads to a quantum key
E91 is the entanglement-based cousin of the earlier
BB84 protocol.
The contrast is worth holding in mind:
-
Resource. BB84 is prepare-and-measure — Alice sends single qubits she
prepares herself. E91 shares halves of entangled Bell pairs from a common source, so no one
"owns" the key until they measure.
-
Eve-detection. BB84 spots an eavesdropper through the disturbance she causes:
a raised error rate on the sifted bits. E91 spots her through the loss of Bell violation: a
fall in S.
-
The bonus. Because E91's guarantee rests on a statistical test of the outputs, it can
hold even if Alice and Bob distrust their own hardware — the seed of
device-independent cryptography.
- a source shares halves of Bell pairs |\Phi^+\rangle; Alice and Bob each measure along a randomly chosen axis;
- matched-axis runs give perfectly correlated outcomes — the shared secret key;
- mismatched-axis runs estimate the CHSH value S; genuine pairs reach S = 2\sqrt2 \approx 2.83, violating the classical bound |S| \le 2;
- an eavesdropper (or any hidden-variable interference) lowers S toward 2 — so a full violation certifies the key is entangled and un-tapped;
- this is the seed of device-independent QKD: security from the statistics alone, even distrusting the hardware.
Classical cryptography usually asks you to trust something: that a factoring problem is hard, that your
random-number chip isn't backdoored, that the box on your desk is really doing what the label says. E91's
radical move is to trust almost nothing and let a Bell test stand guard instead.
If the boxes produce statistics that violate a Bell inequality by the full quantum amount, then — by a
theorem, not by faith — those outputs could only have come from genuine, private, entangled randomness.
Push this idea to its limit and you reach device-independent quantum key distribution:
even if the hardware were built by your adversary, a maximal Bell violation still certifies your key is
secret. The security guard doesn't inspect the safe; it inspects the correlations.
Two traps to sidestep. First: E91's security is the Bell violation. If S
drops to the classical bound 2, the key is untrustworthy and
must be discarded — a passing key is one that comes with a full 2\sqrt2, not
merely one where Alice and Bob agree. Second: however "nonlocal" the correlations feel, they carry
no signal. Each party alone sees only random 0s and
1s; the shared key exists only after the public discussion that sifts
matched from mismatched runs. Nothing about the key is transmitted faster than light — entanglement is a
shared correlation, never a telephone.