The E91 Protocol — padho.wiki

In short

The E91 protocol (Artur Ekert, 1991) distributes a secret key between Alice and Bob using entangled pairs rather than single photons. A source emits Bell states |\Phi^+\rangle = \tfrac{1}{\sqrt 2}(|00\rangle + |11\rangle); one qubit goes to Alice, the other to Bob. Each measures along one of three randomly chosen axes. After many rounds, they publicly announce their axes (not outcomes). They sort their data into two piles: matching-axis rounds (perfectly anti-/correlated outcomes — these become the key) and non-matching-axis rounds (used to compute the CHSH correlator S). If S \approx 2\sqrt 2, the Bell inequality is violated — which, by the no-hidden-variable theorem, means no eavesdropper could have pre-determined the outcomes. The security is certified by measurement statistics, not by trusting the hardware. E91 is operationally equivalent to BB84 (Shor-Preskill, 2000), but conceptually it is deeper: it is the direct ancestor of device-independent QKD, where security follows from observed Bell violation even if Alice and Bob do not trust the devices they are using.

BB84 builds its security on the no-cloning theorem: an eavesdropper who measures Alice's qubit cannot perfectly resend it, so Eve's interference shows up as errors on Bob's side. The argument is clean, and it works. But it has a subtle assumption baked in: Alice and Bob have to trust that their own state preparation and measurement devices are doing what the protocol claims. If the manufacturer slipped in a flaw — a detector that leaks basis information, a source that emits a subtly biased state — the security proof collapses, and Alice and Bob would not necessarily notice.

In 1991, Artur Ekert, then a graduate student at Oxford, proposed an alternative. Build the key from entanglement instead of single qubits, and certify the security not by assuming the hardware behaves, but by measuring that the hardware behaves. Specifically: measure the CHSH correlator of the shared state, and if it reaches the quantum maximum 2\sqrt 2, the shared pairs must be genuinely entangled Bell states, and no eavesdropper can have seen inside them. The security is not an assumption — it is a number you compute from your own data.

This chapter derives the E91 protocol from scratch: the setup, the measurement choices, the sifting procedure, the CHSH test, and the argument for why Bell violation and Eve's presence are mutually exclusive. At the end we will connect E91 to its modern descendant — device-independent QKD — and to the Indian quantum-communication programme, which is actively pursuing satellite-based entanglement-distribution experiments.

The setup — Bell pairs instead of single qubits

In BB84, Alice prepares single qubits in one of four states (|0\rangle, |1\rangle, |+\rangle, |-\rangle) and sends them to Bob. In E91, nobody sends individual qubits with pre-chosen states. Instead, a shared entangled source — somewhere in the middle, possibly on a satellite — emits Bell pairs and sends one qubit of each pair to Alice and one to Bob. The source may even be controlled by Eve; the protocol is designed so that this does not matter.

The canonical choice is the Bell state

|\Phi^+\rangle = \tfrac{1}{\sqrt 2}\bigl(|00\rangle_{AB} + |11\rangle_{AB}\bigr).

The subscripts remind you: the first qubit lives with Alice, the second with Bob. If Alice measures her qubit in the computational basis and gets 0, Bob's qubit is now |0\rangle — guaranteed. If Alice measures and gets 1, Bob's is |1\rangle. Their outcomes are perfectly correlated. This is the raw key-generation machinery: correlated bits for free, as long as they measure along the same axis.

The E91 setup. A source — which Alice and Bob do not need to trust — emits entangled pairs and sends one qubit to each. Alice and Bob each randomly pick one of three measurement axes per round. A public classical channel is used only afterwards, to announce axes and compare a subset of outcomes.

A few things to note before the protocol.

The source can belong to Eve. The security will not rely on trusting it. If Eve controls the source, she might try to emit states other than |\Phi^+\rangle, or to send correlated classical distributions instead of entangled ones. The CHSH test will catch her.
The distance between Alice and Bob is arbitrary. The two halves of the Bell pair could be metres apart in a lab, hundreds of kilometres apart across a fibre link, or thousands of kilometres apart — one in Bengaluru, one on an orbiting satellite.
The classical channel is public. Alice and Bob's announcements of measurement axes can be overheard by Eve. This is fine; the security argument does not depend on keeping axis choices secret. It depends on the outcomes, which are never announced in bulk.

The measurement axes

Pick three measurement axes for Alice and three for Bob, arranged so some pairs coincide (for key generation) and some differ (for the CHSH test). Ekert's original choice:

Alice's axes: a_1 = 0°,\ a_2 = 45°,\ a_3 = 90° (measure along Z, along (Z+X)/\sqrt 2, along X).
Bob's axes: b_1 = 45°,\ b_2 = 90°,\ b_3 = 135° (measure along (Z+X)/\sqrt 2, along X, along (Z-X)/\sqrt 2).

All angles live in the XZ-plane of the Bloch sphere. Each axis corresponds to a Pauli-like observable with eigenvalues \pm 1. Each round, Alice picks one of her three axes uniformly at random, and Bob independently picks one of his three. So there are 3 \times 3 = 9 possible axis combinations per round.

Alice's three axes (solid red) and Bob's three axes (dashed grey) in the XZ-plane of the Bloch sphere. Two axes coincide: Alice's $a_2$ matches Bob's $b_1$ at $45°$, and Alice's $a_3$ matches Bob's $b_2$ at $90°$. These matching rounds generate perfect correlations — the key. The four "corner" pairs $a_1b_1$, $a_1b_3$, $a_3b_1$, $a_3b_3$ are used for the CHSH test.

Recall from the Bell theorem and CHSH article: for the Bell state |\Phi^+\rangle, if Alice measures along unit vector \vec a and Bob along \vec b, the correlation is

\langle A(\vec a)\, B(\vec b)\rangle = \vec a \cdot \vec b = \cos\theta_{ab},

where \theta_{ab} is the angle between the two axes. When \vec a = \vec b, \cos 0 = 1: outcomes are perfectly correlated. When \theta_{ab} = 45°, the correlator is 1/\sqrt 2. These are the numbers that will drive both the key generation and the CHSH test.

The protocol in six steps

Here is E91 end to end. Each line is one step.

Source emits Bell pairs. The source prepares many copies of |\Phi^+\rangle and sends one qubit of each to Alice, the other to Bob.
Each party measures along a random axis. For each pair received, Alice picks a \in \{a_1, a_2, a_3\} uniformly at random; Bob picks b \in \{b_1, b_2, b_3\} uniformly at random. They measure. Alice records A = \pm 1, Bob records B = \pm 1.
Announce axes publicly. Alice and Bob publish, over the classical channel, which axis they used for each round. They do not publish the outcomes.
Sift into two piles.
- Key pile: rounds where Alice's axis matches Bob's (a_2 = b_1 at 45°, or a_3 = b_2 at 90°). In these, \vec a \cdot \vec b = 1 and outcomes are perfectly correlated. Each such round gives one bit of raw key.
- CHSH pile: rounds where axes differ. Specifically the four "corner" pairs (a_1, b_1), (a_1, b_3), (a_3, b_1), (a_3, b_3) — these are the ones at mutual angles of 45°, 45°, 45°, and 135°, the exact CHSH configuration.
Compute CHSH from the CHSH pile. Alice and Bob publish the outcomes (not the rounds' positions in the full sequence) for the CHSH pile and compute

S = \langle A_1 B_1\rangle + \langle A_1 B_3\rangle + \langle A_3 B_1\rangle - \langle A_3 B_3\rangle.

If the source is honestly producing Bell pairs, S = 2\sqrt 2 \approx 2.828. If S drops significantly below 2\sqrt 2, someone has been tampering with the source, the channel, or the detectors. Abort. Otherwise, proceed.
Error correction and privacy amplification on the key pile. Any small residual errors in the key pile (from decoherence, detector imperfections, or Eve's sub-threshold tampering) are cleaned up by the same classical post-processing that BB84 uses: classical error correction, followed by privacy amplification that compresses the raw key into a shorter, uniformly random key that Eve has near-zero information about.

The output is a shared secret key — arbitrarily long, since you can run the protocol for as many rounds as you like — that Alice and Bob are confident is secret. "Confident" here means: certified by the observed CHSH value, which is a number they actually computed, not a number they assumed.

The six steps of E91. The key pile (left, red) carries the raw correlated bits; the CHSH pile (right) is sacrificed to verify that Bell violation holds. If $S$ falls below threshold, eavesdropping (or hardware failure) is suspected and the protocol aborts.

Why it works — Bell violation rules out Eve

This is the beating heart of E91. Every other quantum cryptographic protocol derives security from a specific quantum property; E91 derives it from what is arguably the deepest quantum property of them all.

Suppose, for contradiction, Eve has a strategy to learn the key. To know what bit Alice and Bob will get on any given matching-axis round, Eve must have — somewhere in her notebook — an assignment of outcomes A(a, \lambda) and B(b, \lambda) to every combination of Alice's axis a, Bob's axis b, and any auxiliary information \lambda she has access to. She might have prepared the pairs, or measured them en route, or cloned them — whatever the strategy, at the end of the protocol, Eve has a classical variable that predicts (with some fidelity) what outcomes Alice and Bob will report.

But the moment Eve has such a predictive classical model for Alice's and Bob's outcomes, her model is a local hidden-variable theory. Alice's outcome A(a, \lambda) depends only on her axis and the hidden variable \lambda that Eve knows; similarly Bob's. The existence of such a model is exactly what Bell's theorem rules out — not as a philosophical aspiration, but as a mathematical impossibility under the CHSH inequality.

Why this logic is airtight: any local hidden-variable theory implies |S| \leq 2 by CHSH. Any strategy by which Eve extracts information about the outcomes is a local hidden-variable theory. So if S > 2 — if Bell is violated — no such Eve-strategy exists. The protocol's threshold is usually set slightly below 2\sqrt 2 to account for finite-sample statistics and natural channel noise; but as long as Alice and Bob observe S well above 2, Eve cannot have a classical model of their outcomes.

Contrapositive form: if Eve's presence forces S below 2\sqrt 2, and Alice and Bob measure S \approx 2\sqrt 2, then Eve is not present. More carefully: Eve can be present, but her maximum information about the final key goes to zero as S \to 2\sqrt 2.

This is a dramatically different security argument from BB84's. BB84 says: "Eve must introduce errors because measurement disturbs a superposition." E91 says: "Eve must reduce the Bell violation, because any tampering introduces classical structure that caps S at 2." Both are true, and indeed Shor and Preskill proved (in 2000) that the two protocols are equivalent in their security guarantees. But E91's argument is stronger in one specific sense: it does not assume Alice's and Bob's devices are behaving as labelled. It only assumes they report outcomes, and the computed S certifies everything else.

Worked examples

Example 1 — CHSH computation on ideal Bell pairs

Verify, by direct computation, that the four CHSH-pile pairs in E91 give S = 2\sqrt 2 when the source is producing genuine |\Phi^+\rangle states.

Step 1 — Gather the angles. The four CHSH-pile pairs are (a_1, b_1), (a_1, b_3), (a_3, b_1), (a_3, b_3) with axes a_1 = 0°, a_3 = 90°, b_1 = 45°, b_3 = 135°.

\theta_{11} = |0° - 45°| = 45°, so \cos\theta_{11} = 1/\sqrt 2.
\theta_{13} = |0° - 135°| = 135°, so \cos\theta_{13} = -1/\sqrt 2.
\theta_{31} = |90° - 45°| = 45°, so \cos\theta_{31} = 1/\sqrt 2.
\theta_{33} = |90° - 135°| = 45°, so \cos\theta_{33} = 1/\sqrt 2. Why these angles: we picked Alice's a_1 at the "top" of the XZ-circle (Z axis) and a_3 at the "right" (X axis), with Bob's axes rotated 45° into the first and third quadrants. The pattern of three 45° angles and one 135° is exactly the CHSH-optimal configuration from ch.19.

Step 2 — Apply the Bell-state correlation formula. For |\Phi^+\rangle, \langle A(\vec a) B(\vec b)\rangle = \cos\theta_{ab}.

\langle A_1 B_1\rangle = 1/\sqrt 2.
\langle A_1 B_3\rangle = -1/\sqrt 2.
\langle A_3 B_1\rangle = 1/\sqrt 2.
\langle A_3 B_3\rangle = 1/\sqrt 2.

Step 3 — Assemble with the CHSH sign pattern. E91 uses the sign pattern where one term has a minus; Ekert's original labelling puts the minus on a different pair than CHSH's standard. Rearrange to match the standard CHSH: the four correlations above combine as

S = \langle A_1 B_1\rangle - \langle A_1 B_3\rangle + \langle A_3 B_1\rangle + \langle A_3 B_3\rangle = \tfrac{1}{\sqrt 2} - \bigl(-\tfrac{1}{\sqrt 2}\bigr) + \tfrac{1}{\sqrt 2} + \tfrac{1}{\sqrt 2} = \tfrac{4}{\sqrt 2} = 2\sqrt 2.

Why the rearranged sign pattern still works: CHSH is invariant under relabelling of inputs — as long as exactly one of the four correlations carries the minus sign and the three "aligned" angles carry the plus signs, the bound and the quantum maximum are identical. Ekert wrote it slightly differently in the original paper but the arithmetic is the same.

Result. S = 2\sqrt 2 \approx 2.828 — the quantum maximum, well above the classical bound of 2.

Four correlation values for the E91 CHSH pile. With the CHSH sign pattern (minus on $\langle A_1 B_3\rangle$, plus on the others), the four contributions add in phase to $4/\sqrt 2 = 2\sqrt 2$.

What this shows. When the source is honest, the quantum maximum of 2\sqrt 2 falls out as a direct arithmetic consequence of the cosine correlations and the sign pattern. Alice and Bob can compute S with only their announced outcomes; they never need to measure the state itself or trust the source.

Example 2 — What Eve does to $S$ if she intercepts and resends

Suppose Eve tries a simple intercept-resend attack. For each pair, she intercepts Alice's qubit, measures it along a fixed axis (say a_1 = 0°, so in the Z basis), then sends a replacement qubit to Alice in the eigenstate matching the outcome she observed. Bob's qubit — which Eve cannot touch in transit in this model — arrives undisturbed, but it is now correlated with Eve's outcome rather than with an entangled partner.

Step 1 — Effect on matching-axis rounds. When Alice picks a_2 = 45° (not the axis Eve measured), Alice measures Eve's replacement qubit (a Z eigenstate) along X Z-rotated-45°. The outcome is random, with 50/50 probability of agreeing with Bob's outcome on his matching b_1 = 45° axis. The perfect correlation is broken: Alice and Bob now agree only half the time on matching-axis rounds. This is a 50\% error rate in the raw key — catastrophic; Eve would be caught immediately by Alice-Bob error-check on a subset of the key pile.

But E91 does not rely on this. Privacy amplification is applied to the raw key regardless, and the CHSH pile is the principal check.

Step 2 — Effect on CHSH correlators. Without entanglement, Bob's outcomes are now uncorrelated with the replacement qubit's orientation in any axis other than the one Eve measured. For a CHSH-pile pair (a_1, b_1): Alice measures the replacement along a_1 = 0° (same as Eve's measurement axis), gets the same outcome Eve got, perfectly correlated with Bob's original Bell-pair outcome measured along b_1 = 45°. That correlator is \cos 45° = 1/\sqrt 2, unchanged.

But for (a_1, b_3) with b_3 = 135°, or any pair where Bob's axis is on the opposite side, the value of the correlator after Eve's attack depends on how the Eve-replacement qubit correlates with Bob's original. A detailed calculation (average over Eve's measurement outcomes and over all possible original Bell-pair configurations) gives:

S_{\text{with intercept-resend}} \approx \sqrt 2 \approx 1.414.

Why the intercept-resend value is \sqrt 2: the classical intercept-resend strategy is equivalent to Eve preparing a classical mixture of computational-basis states for Alice. Any such classical preparation caps the correlator sum at \sqrt 2 — the "Holevo-like" bound for a single-axis measurement. The full calculation runs through density matrices; the upshot is the square-root-2 value.

Step 3 — Alice and Bob detect. S \approx 1.414 is well below the classical bound of 2 — not only is the Bell violation gone, the correlator does not even reach the classical ceiling. Alice and Bob see this immediately when they compute S. Protocol aborts.

Result. Intercept-resend drops S from 2\sqrt 2 to approximately \sqrt 2 — a dramatic change, easily distinguished from noise, immediately detectable.

Alice and Bob's observed $S$ determines whether to proceed. Ideal Bell gives $S = 2\sqrt 2$; classical (including Eve's intercept-resend) is capped at $2$. Eve's intercept-resend specifically gives $S \approx \sqrt 2$, below even the classical bound. Any $S < 2$ is a hard abort.

What this shows. The CHSH correlator is a sensitive detector: it responds strongly and early to tampering. Eve does not need to tamper with every round for her presence to be noticed; even partial tampering pushes S below the abort threshold. E91's certification is tight.

Equivalence with BB84 — Shor and Preskill, 2000

On the face of it, BB84 and E91 look like different protocols: BB84 sends single qubits with prepared states; E91 distributes entangled pairs and does a Bell test. Peter Shor and John Preskill (2000, unpublished draft; formally published 2002) proved that the two protocols are operationally equivalent. In either case, the final secret key is the same length, the security guarantees match, and the classical post-processing is essentially identical.

The equivalence argument is beautiful: one can think of BB84 as a "delegated" version of E91 where Alice internally prepares a Bell pair, measures her half to generate a random bit, and sends the other half to Bob. From Bob's perspective, this is indistinguishable from BB84's prepare-and-send protocol. The same classical post-processing — error correction, privacy amplification — applied to either protocol yields keys with the same security level.

This is not just a cute observation. It means the entire formal security theory of BB84 (Mayers' 1996 proof, Shor-Preskill's simplification, Lo-Chau's analysis) applies directly to E91. Security arguments proven for one are transferable to the other. For a lab choosing between them, the decision becomes purely practical: do you have a reliable single-qubit source (use BB84) or a reliable entangled-pair source (use E91)?

Device-independent QKD — the modern descendant

E91's deepest legacy is that it was the first protocol whose security argument could, in principle, be made device-independent. Ekert himself noted in the 1991 paper that if Alice and Bob observe a Bell-inequality violation in their data, they can conclude the state is entangled — without knowing anything about the internal workings of the detectors.

This idea sat largely dormant for two decades while the experimental side of Bell-inequality testing caught up. Mayers and Yao (1998) formalised "self-testing" of quantum states. Acín, Brunner, Gisin, Massar, Pironio, and Scarani (2007) gave the first rigorous security proof of device-independent quantum key distribution (DIQKD): a variant of E91 in which nothing about the devices is assumed, except that they satisfy the laws of quantum mechanics and do not leak classical information to Eve. The security follows entirely from the observed CHSH value.

DIQKD is harder than E91: the detection loophole must be closed experimentally, which requires very high-efficiency detectors (typically > 82\%). The first full DIQKD demonstration, Nadlinger et al. (Oxford, 2022), used entangled trapped ion pairs to generate roughly 96\,000 bits of certified secret key with S \approx 2.64. A second demonstration, Zhang et al. (2022), used photonic Bell pairs. Both are research-scale, not yet practical — but they are the prototype of a genuinely new regime of cryptography, where you do not trust your own quantum computer but still get the strongest guarantee the laws of physics allow.

Hype check. "Device-independent" does not mean no classical infrastructure is trusted. Alice and Bob still need an authenticated classical channel (so Eve cannot impersonate either of them during public discussion), a trusted random-number generator for axis choices, and an assumption that their labs are not directly leaking information to Eve (the "no backdoor" assumption). What DIQKD removes is the need to trust the quantum devices — the source, detectors, and state-preparation apparatus. This is the strongest cryptographic guarantee ever proposed based on physical principles; it is not the same as "no trust at all."

Indian context — the quantum-communication pipeline

India's National Quantum Mission (2023, ₹6000 crore, 8-year horizon) has quantum communication as one of its four primary pillars, alongside sensing, materials, and computing. Within communication, satellite-based entanglement distribution — the E91-style "source in the middle" architecture, with the source on a satellite beaming down photons to two ground stations — is a flagship target. The intellectual debt to E91 is direct: the mission's roadmap explicitly references Ekert's protocol as the template for long-distance QKD.

Specific Indian groups active in the space:

ISRO's Space Applications Centre, Ahmedabad, completed a 300-km free-space BB84 demonstration between Bengaluru and Mount Abu in 2022. Satellite-based entanglement trials are slated for late 2020s.
Raman Research Institute (RRI), Bengaluru, founded by C.V. Raman, hosts one of India's leading quantum-optics groups. RRI's Quantum Information and Computing lab has published CHSH-violation experiments on entangled photon pairs since the 2010s and partners with ISRO on detector development.
QNu Labs, Bengaluru, is a commercial QKD company offering BB84-based systems to Indian banks and defence customers. Their roadmap includes a migration path to entanglement-based QKD as the underlying hardware matures.
IIT Madras and IISc Bengaluru have academic groups working on free-space QKD channels and the associated photonics.

The satellite angle is not incidental. Fibre-based QKD is limited to roughly 300 km by signal loss; trusted-node repeater networks extend this but reintroduce trust assumptions. Satellite-distributed entanglement (as demonstrated by China's Micius satellite in 2017, the Nobel-adjacent feat that pushed the field to global scale) bypasses fibre loss entirely. India's ambition to follow Micius with an Indian entangled-photon satellite is E91 at continental scale.

Common confusions

"E91 is the same as BB84." Not quite. They are operationally equivalent in their security guarantees (Shor-Preskill, 2000), but E91 uses entanglement-based source-in-the-middle distribution, not single-qubit preparation. Conceptually E91 is deeper because its security follows from Bell violation, not just no-cloning. Practically they are two different hardware architectures.
"The CHSH test is the same as a Bell test." Yes — CHSH (Clauser-Horne-Shimony-Holt, 1969) is the most common and cleanest form of a Bell inequality test. Other Bell tests exist (the original 1964 Bell inequality, Mermin's, Svetlichny's for multi-party scenarios). CHSH is the standard choice for two-party QKD because the inequality has the simplest algebra and the quantum bound is tight.
"Device-independent means I don't trust anything." No. You must still trust: (i) your authenticated classical channel, (ii) your random-number generator for axis choices, (iii) that your lab does not have a classical-information side channel to Eve, and (iv) that quantum mechanics is correct. What you do not need to trust is the internal workings of the quantum hardware — the source, the detectors, the state preparation.
"If a detector has a loophole, E91 is insecure." Partly true, and partly the motivation for full DIQKD. Vanilla E91 assumes Alice's and Bob's detectors are honest; if they have a side channel, security can be compromised. DIQKD closes this by requiring Alice and Bob to observe a loophole-free Bell violation, which certifies the detectors are not leaking. Without the high-efficiency detection, however, some assumptions creep back in.
"E91 requires faster-than-light correlation." No — this is the perennial confusion about entanglement. As with Bell violation generally, E91 correlations are consistent with special relativity. The no-communication theorem forbids signalling, and E91's security argument does not require any superluminal physics. The correlations are real; the causation is not.
"If S = 2.4 instead of 2\sqrt 2, the protocol fails." Not quite. The protocol aborts only if S falls below a threshold, typically around 2.4–2.6 depending on the security level and finite-size corrections. Small deviations from 2\sqrt 2 are expected from channel noise and detector imperfections; these are handled by privacy amplification, which compresses the raw key proportionally to the residual uncertainty. The protocol is designed to gracefully degrade, not to require perfection.

Going deeper

The protocol as stated above is the core. What follows is the formal security argument at research level, the leap from E91 to DIQKD and its experimental status as of 2024, the closely related loophole-free Bell tests that make modern security possible, and the engineering challenges for Indian satellite-based entanglement distribution.

Ekert's 1991 argument and the formal security proof

Ekert's original paper, Quantum cryptography based on Bell's theorem (PRL 67, 661), is four pages long and still clear reading today. The cryptographic argument is informal: if Eve had any information about Alice's and Bob's outcomes beyond what chance provides, she would be describing a local hidden-variable theory, which would violate the observed Bell inequality. Ekert did not prove security in the modern sense (a rigorous bound on Eve's accessible information as a function of S); the formal proof had to wait for the composable-security framework of the 2000s.

The modern proof strategy: define Eve's accessible information \chi_E (the Holevo quantity of her ensemble of guesses), derive an entropic uncertainty relation that relates \chi_E to the observed S, and show that for S close to 2\sqrt 2, \chi_E is exponentially small in the number of rounds. The full proof lives in the device-independent literature: Pironio et al. (2009), Vazirani and Vidick (2014), Arnon-Friedman et al. (2018) for the composable version via the "entropy accumulation theorem." The readable entry point is the Brunner-Cavalcanti-Pironio-Scarani-Wehner review in Rev. Mod. Phys. (2014).

Device-independent QKD in practice

The three technical requirements for DIQKD:

Loophole-free Bell violation. The detection, locality, and freedom-of-choice loopholes must all be closed simultaneously. This was first achieved for two-party Bell tests in 2015 (Hensen/Giustina/Shalm) and extended to full DIQKD cryptographic demonstrations in 2022.
Composable security. The security proof must guarantee that the extracted key is secret when composed with other cryptographic primitives (e.g., used as an AES key afterwards). This is technically subtle and was the subject of intensive work in the 2010s.
Finite-key analysis. Real protocols run for finite numbers of rounds; the security bounds must account for statistical fluctuations in the observed S.

All three are now mature. Commercial DIQKD systems do not yet exist; research demonstrations are keyword-limited to specialized labs. The Oxford group's 2022 trapped-ion demonstration produced approximately \sim 80\,000 bits of secret key over many hours of running time — useful for research but far from practical rates.

Twin-field and MDI protocols as alternatives

For practical deployments today, E91-style entanglement distribution is often replaced by simpler variants that still get most of the security benefit. Measurement-device-independent QKD (Lo-Curty-Qi, 2012) has Alice and Bob each send prepared states to an untrusted middle station ("Charlie") that performs a Bell-state measurement; security follows from the honesty of Alice's and Bob's preparations, not Charlie's measurement. Twin-field QKD (Lucamarini et al., 2018) extends this to longer distances via interferometric measurement. These are covered in the B92 and variants article.

Every one of these protocols is a descendant of the idea Ekert introduced in 1991: let the observed statistics certify security, not hardware assumptions.

The satellite channel and ISRO's roadmap

Entanglement distribution from a satellite to two ground stations requires: a stable entangled-photon source aboard the satellite, high-precision pointing to maintain line-of-sight with both ground telescopes simultaneously (a non-trivial control problem at orbital speeds), atmospheric-turbulence-correcting adaptive optics at both receivers, and single-photon detectors with sub-nanosecond timing precision. Every one of these is at the edge of current engineering capability.

China's Micius demonstrated the full stack in 2017–2018, distributing Bell pairs over baselines up to 1200 km and closing loopholes on a photonic Bell test with a sky-to-ground link. India's National Quantum Mission allocates specific programme funds for an analogous Indian satellite, expected to begin technology demonstration flights toward the end of the decade. The long-run ambition is a global-scale free-space quantum-communication network operated jointly among the QUAD nations and others, with E91-style entanglement distribution as the backbone.

Randomness expansion and certified randomness

A closely related application: randomness expansion. If Alice and Bob already have a small amount of trusted randomness (for axis choices), running E91 and measuring S certifies that their observed outcomes contain fresh randomness beyond the initial seed — randomness that is provably unpredictable even to Eve. The output random bits are genuine, certified-by-physics randomness, not pseudo-random or classically hash-derived. This is the "device-independent randomness expansion" protocol of Colbeck and Renner (2012) and Pironio et al. (2010); it is a cousin of DIQKD and uses the same underlying Bell-violation certification.

Where this leads next

BB84 protocol — the single-qubit QKD protocol that E91 complements.
Bell's theorem and CHSH — the theorem whose violation underwrites E91's security.
B92 and other QKD variants — the wider QKD family, including decoy states, MDI, and twin-field.
Device-independent QKD — the modern descendant that removes all hardware trust.
The CHSH game, played out — a round-by-round walk through CHSH with a simulated deck.
Quantum teleportation — another protocol that uses Bell pairs plus classical communication.

References

Artur K. Ekert, Quantum cryptography based on Bell's theorem (Phys. Rev. Lett. 67, 661, 1991) — the original paper. Not on arXiv; APS page.
Peter W. Shor and John Preskill, Simple proof of security of the BB84 quantum key distribution protocol (2000) — proves BB84–E91 equivalence. arXiv:quant-ph/0003004.
A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, V. Scarani, Device-independent security of quantum cryptography against collective attacks (2007). arXiv:quant-ph/0702152.
Wikipedia, E91 protocol (Quantum key distribution).
John Preskill, Lecture Notes on Quantum Computation, Ch. 8 (Quantum cryptography, entanglement-based QKD) — theory.caltech.edu/~preskill/ph229.
D. P. Nadlinger et al., Experimental quantum key distribution certified by Bell's theorem (Nature, 2022) — first full DIQKD demonstration. arXiv:2109.14600.