The E91 Protocol

Imagine hiring a security guard whose only job is to certify, from the outside, that your secret was never touched — and who works even if you don't trust the locks, the safe, or the guard's own tools. In 1991 Artur Ekert showed how to build exactly that guard out of physics. His protocol, E91, distributes a secret key using entangled pairs, and its proof of safety is not a hard maths problem but a measurable fact about nature: a Bell-inequality violation. If the violation is there in full, the pairs were genuinely entangled and nobody listened in. If it fades, you throw the key away. The security certificate is the physics.

The setup: one source, two random dials

A central source repeatedly prepares the Bell state |\Phi^+\rangle and sends one qubit to Alice and the other to Bob:

|\Phi^+\rangle = \tfrac{1}{\sqrt2}\big(|00\rangle + |11\rangle\big).

For each incoming qubit, Alice and Bob each independently pick a measurement axis at random from a small menu of angles, and record their 0/1 outcome. Because the choices are made separately and only revealed afterwards, no adversary — and no faulty device — can know in advance which axis either party will use. Once many pairs are done, they announce their axis choices (but not the outcomes) over a public channel and sort every run into two piles:

Worked example 1: where the key bits come from

Take a run where Alice and Bob both happen to measure |\Phi^+\rangle along the same axis. In the computational basis the state is \tfrac{1}{\sqrt2}(|00\rangle + |11\rangle), so the only outcomes with non-zero amplitude are 00 and 11, each with probability \big|\tfrac{1}{\sqrt2}\big|^2 = \tfrac12. The outcomes 01 and 10 are impossible.

So on every matched-axis run the two results are perfectly correlated: if Alice reads 0, so does Bob; if she reads 1, so does he. Neither of them can predict the individual bit — it is a fair coin — but they are guaranteed to get the same one. Line those matched-run bits up and Alice and Bob hold an identical random string: their shared secret key. The probability their two key bits agree is

\Pr[\text{Alice} = \text{Bob} \mid \text{same axis}] = 1.

Worked example 2: the Bell test, S = 2√2

The mismatched runs are where the magic hides. From them Alice and Bob estimate correlators E(a,b) — the average of (Alice's \pm1) times (Bob's \pm1) when Alice used axis a and Bob used axis b. Combining four such settings gives the CHSH quantity

S = E(a,b) - E(a,b') + E(a',b) + E(a',b').

Any theory in which each qubit secretly carried its answers all along — a local hidden-variable model — is bound by the classical CHSH inequality:

|S| \le 2 \qquad \text{(classical bound).}

Now compute S for the genuine Bell pair. For |\Phi^+\rangle a correlator depends only on the angle between the two chosen axes, and with Ekert's optimal choice of the four angles each of the four terms has magnitude \cos 45^\circ = \tfrac{1}{\sqrt2}, all adding constructively:

S = 4 \times \tfrac{1}{\sqrt2} = 2\sqrt2 \approx 2.83.

That is bigger than 2 — the quantum pair violates the classical bound. In fact 2\sqrt2 is the largest value quantum mechanics itself allows (Tsirelson's bound). Measuring S = 2\sqrt2 is a certificate, checkable from the public data alone, that the pairs really were entangled.

Seeing it: the security bar

The whole protocol lives in one picture. The dashed line is the classical ceiling S = 2 that any un-entangled or eavesdropped pair cannot beat. Clean |\Phi^+\rangle pairs shoot past it to 2\sqrt2; the moment an eavesdropper meddles, the bar sags back down toward — and below — the line. Reveal the bars one at a time.

What an eavesdropper does to S

Suppose Eve tries the obvious attack: intercept each qubit in flight, measure it along some axis, and pass on a fresh qubit prepared to match. Her measurement forces the intercepted qubit into a definite state — which is exactly the "hidden variable" the classical bound assumes. Any run she touches therefore obeys |S| \le 2. Mixing her tampered runs in with the honest ones can only drag the measured S down toward 2.

So Alice and Bob don't need to catch Eve in the act. They simply compute S from the public mismatched runs. See the full 2\sqrt2 and the key is safe; see S slumped toward 2 and they know someone — or something — interfered, so they discard the key and try again. Even a perfectly disguised eavesdropper cannot fake correlations she has already destroyed.

E91 vs BB84: two roads to a quantum key

E91 is the entanglement-based cousin of the earlier BB84 protocol. The contrast is worth holding in mind:

Classical cryptography usually asks you to trust something: that a factoring problem is hard, that your random-number chip isn't backdoored, that the box on your desk is really doing what the label says. E91's radical move is to trust almost nothing and let a Bell test stand guard instead. If the boxes produce statistics that violate a Bell inequality by the full quantum amount, then — by a theorem, not by faith — those outputs could only have come from genuine, private, entangled randomness. Push this idea to its limit and you reach device-independent quantum key distribution: even if the hardware were built by your adversary, a maximal Bell violation still certifies your key is secret. The security guard doesn't inspect the safe; it inspects the correlations.

Two traps to sidestep. First: E91's security is the Bell violation. If S drops to the classical bound 2, the key is untrustworthy and must be discarded — a passing key is one that comes with a full 2\sqrt2, not merely one where Alice and Bob agree. Second: however "nonlocal" the correlations feel, they carry no signal. Each party alone sees only random 0s and 1s; the shared key exists only after the public discussion that sifts matched from mismatched runs. Nothing about the key is transmitted faster than light — entanglement is a shared correlation, never a telephone.