Quantum random number generation

Quantum physics can be exploited to generate true random numbers, which have important roles in many applications, especially in cryptography. Genuine randomness from the measurement of a quantum system reveals the inherent nature of quantumness—coherence, an important feature that differentiates quantum mechanics from classical physics. The generation of genuine randomness is generally considered impossible with only classical means. On the basis of the degree of trustworthiness on devices, quantum random number generators (QRNGs) can be grouped into three categories. The first category, practical QRNG, is built on fully trusted and calibrated devices and typically can generate randomness at a high speed by properly modelling the devices. The second category is self-testing QRNG, in which verifiable randomness can be generated without trusting the actual implementation. The third category, semi-self-testing QRNG, is an intermediate category that provides a tradeoff between the trustworthiness on the device and the random number generation speed.


Introduction
Random numbers play essential roles in many fields, such as, cryptography 1 , scientific simulations 2 , lotteries, and fundamental physics tests 3 .These tasks rely on the unpredictability of random numbers, which generally cannot be guaranteed in classical processes.In computer science, random number generators (RNGs) are based on pseudo-random number generation algorithms 4 , which deterministically expand a random seed.Although the output sequences are usually perfectly balanced between 0s and 1s, a strong long-range correlation exists, which can undermine cryptographic security, cause unexpected errors in scientific simulations, or open loopholes in fundamental physics tests [5][6][7] .
Many researchers have attempted to certify randomness solely based on the observed random sequences.In the 1950s, Kolmogorov developed the Kolmogorov complexity concept to quantify the randomness in a certain string 8 .A RNG output sequence appears random if it has a high Kolmogorov complexity.Later, many other statistical tests [9][10][11] were developed to examine randomness in the RNG outputs.However, testing a RNG from its outputs can never prevent a malicious RNG from outputting a predetermined string that passes all of these statistical tests.Therefore, true randomness can only be obtained via processes involving inherent randomness.
In quantum mechanics, a system can be prepared in a superposition of the (measurement) basis states, as shown in Fig. 1.According to Born's rule, the measurement outcome of a quantum state can be intrinsically random, i.e. it can never be predicted better than blindly guessing.Therefore, the nature of inherent randomness in quantum measurements can be exploited for generating true random numbers.Within a resource framework, coherence 12 can be measured similarly to entanglement 13 .By breaking the coherence or superposition of the measurement basis, it is shown that the obtained intrinsic randomness comes from the consumption of coherence.In turn, quantum coherence can be quantified from intrinsic randomness 14 .
A practical QRNG can be developed using the simple process as shown in Fig. 1.Based on the different implementations, there exists a variety of practical QRNGs.Generally, these QRNGs are featured for their high generation speed and a relatively low cost.In reality, quantum effects are always mixed with classical noises, which can be subtracted from the quantum randomness after properly modelling the underlying quantum process 15 .
The randomness in the practical QRNGs usually suffices for real applications if the model fits the implementation adequately.However, such QRNGs can generate randomness with informationtheoretical security only when the model assumptions are fulfilled.In the case that the devices are manipulated by adversaries, the output may not be genuinely random.For example, when a QRNG is wholly supplied by a malicious manufacturer, who copies a very long random string to a large hard drive and only outputs the numbers from the hard drive in sequence, the manufacturer can always predict the output of the QRNG device.
On the other hand, a QRNG can be designed in a such way that its output randomness does not rely on any physical implementations.True randomness can be generated in a self-testing way even without perfectly characterizing the realisation instruments.The essence of a self-testing QRNG is based on device-independently witnessing quantum entanglement or nonlocality by observing a violation of the Bell inequality 3 .Even if the output randomness is mixed with uncharacterised classical noise, we can still get a lower bound on the amount of genuine randomness based on the amount of nonlocality observed.The advantage of this type of QRNG is the self-testing property of the randomness.However, because the self-testing QRNG must demonstrate nonlocality, its generation speed is usually very low.As the Bell tests require random inputs, it is crucial to start with a short random seed.Therefore, such a randomness generation process is also called randomness expansion.
In general, a QRNG comprises a source of randomness and a readout system.In realistic implementations, some parts may be well characterised while others are not.This motivates the development of an intermediate type of QRNG, between practical and fully self-testing QRNGs, which is called semi-self-testing.Under several reasonable assumptions, randomness can be generated without fully characterising the devices.For instance, faithful randomness can be generated with a trusted readout system and an arbitrary untrusted randomness resource.A semi-self-testing QRNG provides a trade off between practical QRNGs (high performance and low cost) and selftesting QRNGs (high security of certified randomness).
In the last two decades, there have been tremendous development for all the three types of QRNG, trusted-device, self-testing, and semi-self-testing.In fact, there are commercial QRNG products available in the market.A brief summary of representative practical QRNG demonstrations that highlights the broad variety of optical QRNG is presented in Table 1.These QRNG schemes will be discussed further in Section 2 and 3. A summary of self-testing and semi-selftesting QRNG demonstrations is presented in Table 2, which will be reviewed in details in Section 4 and 5.

Trusted-device QRNG I: single-photon detector
True randomness can be generated from any quantum process that breaks coherent superposition of states.Due to the availability of high quality optical components and the potential of chip-size integration, most of today's practical QRNGs are implemented in photonic systems.In this survey, we focus on various implementations of optical QRNGs.
A typical QRNG includes an entropy source for generating well-defined quantum states and a corresponding detection system.The inherent quantum randomness in the output is generally mixed with classical noises.Ideally, the extractable quantum randomness should be well quanti-  The most appealing property of this type of QRNGs lies on their simplicity in theory that the generated randomness has a clear quantum origin.This scheme was widely adopted in the early development of QRNGs 16,17,42 .Since at most one random bit can be generated from each detected photon, the random number generation rate is limited by the detector's performance, such as dead time and efficiency.For example, the dead time of a typical silicon SPD based on an avalanche diode is tens of ns 43 .Therefore, the random number generation rate is limited to tens of Mbps, which is too low for certain applications such as high-speed quantum key distribution (QKD), which can be operated at GHz clock rates 44,45 .Various schemes have been developed to improve the performance of QRNG based on SPD.
Temporal mode One way to increase the random number generation rate is to perform measurement on a high-dimensional quantum space, such as measuring the temporal or spatial mode of a photon.Temporal QRNGs measure the arrival time of a photon, as shown in Fig. 2 (c).In this example, the output of a continuous-wave laser is detected by a time-resolving SPD.The laser intensity can be carefully controlled such that within a chosen time period T , there is roughly one detection event.The detection time is randomly distributed within the time period T and digitized with a time resolution of δ t .The time of each detection event is recorded as raw data.Thus for each detection, the QRNG generates about log 2 (T /δ t ) bits of raw random numbers.Essentially, δ t is limited by the time jitter of the detector (typically in the order of 100 ps), which is normally much smaller than the detector deadtime (typically in the order of 100 ns) 43 .
One important advantage of temporal QRNGs is that more than one bit of random number can be extracted from a single-photon detection, thus improving the random number generation rate.The time period T is normally set to be comparable to the detector deadtime.Comparing to the qubit QRNG, the temporal-mode QRNG alleviates the impact of detection deadtime.For example, if the time resolution and the dead time of an SPD are 100 ps and 100 ns respectively, the generation rate of temporal QRNG is around log 2 (1000)×10 Mbps, which is higher than that of the qubit scheme (limited to 10 Mbps).The temporal QRNGs have been well studied recently [19][20][21][22]46 .
Spatial mode Similar to the case of temporal QRNG, multiple random bits can be generated by measuring the spatial mode of a photon with a space-resolving detection system.One illustrative example is to send a photon through a 1 × N beam splitter and to detect the position of the output photon.Spatial QRNG has been experimentally demonstrated by using a multi-pixel single-photon detector array 18 , as shown in Fig. 2 (d).The distribution of the random numbers depends on both the spatial distribution of light intensity and the efficiency uniformity of the SPD arrays.
The spatial QRNG offers similar properties as the temporal QRNG, but requires multiple detectors.Also, correlation may be introduced between the random bits because of cross talk between different pixels in the closely-packed detector array.
Multiple photon number states Randomness can be generated not only from measuring a single photon, but also from quantum states containing multiple photons.For instance, a coherent state is a superposition of different photon-number (Fock) states {|n }, where n is the photon number and |α| 2 is the mean photon number of the coherent state.Thus, by measuring the photon number of a coherent laser pulse with a photon-number resolving SPD, we can obtain random numbers that follow a Poisson distribution.QRNGs based on measuring photon number have been successfully demonstrated in experiments [23][24][25] .Interestingly, random numbers can be generated by resolving photon number distribution of a light-emitting diode (LED) with a consumer-grade camera inside a mobile phone, as shown in a recent study 47 .
Note that, the above scheme is sensitive to both the photon number distribution of the source and the detection efficiency of the detector.In the case of a coherent state source, if the loss can be modeled as a beam splitter, the low detection efficiency of the detector can be easily compensated by using a relatively strong laser pulse.

Trusted-device QRNG II: macroscopic photodetector
The performance of an optical QRNG largely depends on the employed detection device.Beside SPD, high-performance macroscopic photodetectors have also been applied in various QRNG schemes.This is similar to the case of QKD, where protocols based on optical homodyne detection 48 have been developed, with the hope to achieve a higher key rate over a low-loss channel.In the following discussion, we review two examples of QRNG implemented with macroscopic photodetector.

Vacuum noise
In quantum optics, the amplitude and phase quadratures of the vacuum state are represented by a pair of non-commuting operators (X and P with [X, P ] = i/2), which cannot be determined simultaneously with an arbitrarily high precision 49 , i.e. (∆X) 2 × (∆P ) 2 ≥ 1/16, with ∆O defined by O − O and O denoting the average of O.This can be easily visualised in the phase space, where the vacuum state is represented by a two-dimensional Gaussian distribution centered at the origin with an uncertainty of 1/4 (the shot-noise variance) along any directions, as shown in Fig. 3 (a).In principle, Gaussian distributed random numbers can be generated by measuring any field quadrature repeatedly.This scheme has been implemented by sending a strong laser pulse through a symmetric beam splitter and detecting the differential signal of the two output beams with a balanced receiver [26][27][28] .
Given that the local oscillator (LO) is a single-mode coherent state and the detector is shot-noise limited, the random numbers generated in this scheme follow a Gaussian distribution, which is on demand in certain applications, such as Gaussian-Modulated Coherent States (GMCS) QKD 48 .There are several distinct advantages of this approach.First, the resource of quantum randomness, the vacuum state, can be easily prepared with a high fidelity.Second, the performance of the QRNG is insensitive to detector loss, which can be simply compensated by increasing the LO power.Third, the field quadrature of vacuum is a continuous variable, suggesting that more than one random bit can be generated from one measurement.For example, 3.25 bits of random numbers are generated from each measurement 26 .
In practice, an optical homodyne detector itself contributes additional technical noise, which may be observed or even controlled by a potential adversary.A randomness extractor is commonly required to generate secure random numbers.To extract quantum randomness effectively, the detector should be operated in the shot-noise limited region, in which the overall observed noise is dominated by vacuum noise.We remark that building a broadband shot-noise limited homodyne detector operating above a few hundred MHz is technically challenging [50][51][52] .This may in turn limit the ultimate operating speed of this type of QRNG.
In the phase-noise based QRNG scheme, random numbers are generated by measuring a field quadrature of phase-randomized weak coherent states (signal states).Figure 3 (c) shows the phasespace representation of a signal state with an average photon number of n and a phase variance of (∆θ) 2 .If the average phase of the signal state is around π/2, the uncertainty of the X-quadrature is of the order of n (∆θ) 2 .When n is large, this uncertainty can be significantly larger than the vacuum noise.Therefore, phase noise based QRNG is more robust against detector noise.In fact, this scheme can be implemented with commercial photo-detectors operated above GHz rates.
QRNG based on laser phase noise was first developed using a cw laser source and a delayed self-heterodyning detection system 31 , as shown in Fig. 3 (d).Random numbers are generated by measuring the phase difference of a single-mode laser at times t and t + T d .Intuitively, if the time delay T d is much larger than the coherence time of the laser, the two laser beams interfering at the second beam splitter can be treated as generated by independent laser sources.In this case, the phase difference is a random variable uniformly distributed in [−π, π), regardless of the classical phase noise introduced by the unbalanced interferometer itself.This suggests that a robust QRNG can be implemented without phase-stabilizing the interferometer.On the other hand, by phasestabilizing the interferometer, the time delay T d can be made much shorter than the coherent time of the laser 31 , enabling a much higher sampling rate.This phase stabilization scheme has been adopted in a ≥ 6 Gbps QRNG 33 and a 68 Gbps QRNG demonstration 36 .
Phase noise based QRNG has also been implemented using pulsed laser source, where the phase difference between adjacent pulses is automatically randomized 32,34,35 .A speed of 80 Gbps (raw rate as shown in Table1) has been demonstrated 34 .It also played a crucial role in a recent loophole-free Bell experiment 55 .Here, we want to emphasize that strictly speaking, none of these generation speeds are real-time, due to the speed limitation of the randomness extraction 15 .Although such limitation is rather technical, in practice, it is important to develop extraction schemes and hardware that can match the fast random bit generation speed in the future.

Self-testing QRNG
Realistic devices inevitably introduce classical noise that affects the output randomness, thus causing the generated random numbers depending on certain classical variables, which might open up security issues.To remove this bias, one must properly model the devices and quantify their contributions.In the QRNG schemes described in Section 2 and Section 3, the output randomness relies on the device models 15,54 .When the implementation devices deviate from the theoretical models, the randomness can be compromised.In this section, we discuss self-testing QRNGs, whose output randomness is certified independent of device implementations.

Self-testing randomness expansion
In QKD, secure keys can be generated even when the experimental devices are not fully trusted or characterised 56,57 .Such self-testing processing of quantum information also occur in randomness generation (expansion).The output randomness can be certified by observing violations of the Bell inequalities 3 , see Fig. 4.Under the no-signalling condition 58 in the Bell tests, it is impossible to violate Bell inequalities if the output is not random, or, predetermined by local hidden variables.
Since Colbeck 60,61 suggested that randomness can be expanded by untrusted devices, several protocols based on different assumptions have been proposed.For instance, in a non-malicious device scenario, we can consider that the devices are honestly designed but get easily corrupt by unexpected classical noises.In this case, instead of a powerful adversary that may entangle with the experiment devices, we can consider a classical adversary who possesses only classical knowledge of the quantum system and analyzes the average randomness output conditioned by the classical information.Based on the Clauser-Horne-Shimony-Holt (CHSH) inequality 59 , Fehr et al. 62 and Pironio et al. 63 proposed self-testing randomness expansion protocols against classical adversaries.
The protocols quadratically expands the input seed, implying that the length of the input seed is where n denotes the experimental iteration number.
A more sophisticated exponential randomness expansion protocol based on the CHSH in-  Quantum features (such as intrinsic randomness) manifest as violations of the CHSH inequality.
equality was proposed by Vidick and Vazirani 64 , in which the lengths of the input seed is O(log 2 n).
In the same work, they also presented an exponential expansion protocol against quantum adversaries, where quantum memories in the devices may entangle with the adversary.The Vidick-Vazirani protocol against quantum adversaries places strict requirements on the experimental realisation.Miller and Shi 65 partially solved this problem by introducing a more robust protocol.
Combined with the work by Chung, Shi, and Wu 66 , they also presented an unbounded randomness expansion scheme.By adopting a more general security proof, Miller and Shi 67 recently showed that genuinely randomness can be obtained as long as the CHSH inequality is violated.Their protocol greatly improves the noise tolerance, indicating that an experimental realisation of a fully self-testing randomness expansion protocol is feasible.
The self-testing randomness expansion protocol relies on a faithful realisation of Bell test excluding the experimental loopholes, such as locality and efficiency loopholes.The randomness expansion protocol against classical adversaries is firstly experimentally demonstrated by Pironio et al. 37 in an ion-trap system, which closes the efficiency loophole but not the locality loophole.
To experimentally close the locality loophole, a photonic system is more preferable when quantum memories are unavailable.As the CHSH inequality is minimally violated in an optically realised system 38,68 , the randomness output is also very small (with min-entropy of H min = 7.2 × 10 −5 in each run), and the randomness generation rate is 0.4 bits/s.To maximise the output randomness, the implementation settings are designed to maximally violate the CHSH inequality.Due to experimental imperfections, the chosen Bell inequality might be sub-optimal for the observed data.In this case, the output randomness can be optimised over all possible Bell inequalities 69,70 .
Although nonlocality or entanglement certifies the randomness, the three quantities, nonlocality, entanglement, and randomness are not equivalent 71 .Maximum randomness generation does not require maximum nonlocal correlation or a maximum entangled state.In the protocols based on the CHSH inequality, maximal violation (nonlocality and entanglement) generates 1.23 bits of randomness.It is shown that 2 bits of randomness can be certified with little involvement of nonlocality and entanglement 71 .Furthermore, as discussed in a more generic scenario involving nonlocality and randomness, it is shown that maximally nonlocal theories cannot be maximally random 72 .

Randomness amplification
In self-testing QRNG protocols based on the assumption of perfectly random inputs, the output randomness is guaranteed by the violations of Bell tests.Conversely, when all the inputs are predetermined, any Bell inequality can be violated to an arbitrary feasible value without invoking a quantum resource.Under these conditions, all self-testing QRNG protocols cease to work any more.Nevertheless, randomness generation in the presence of partial randomness is still an interesting problem.Here, an adversary can use the additional knowledge of the inputs to fake violations of Bell inequalities.The task of generating arbitrarily free randomness from partially free randomness is also called randomness amplification, which is impossible to achieve in classical processes.
The first randomness amplification protocol was proposed by Colbeck and Renner 73 .Using a two-party chained Bell inequality 74,75 , they showed that any Santha-Vazirani weak sources 76 (defined in Methods), with ǫ < 0.058, can be amplified into arbitrarily free random bits in a self-testing way by requiring only no-signaling.A basic question of randomness amplification is whether free random bits can be obtained from arbitrary weak randomness.This question was answered by Gallego et al. 77 , who demonstrated that perfectly random bits can be generated using a five-party Mermin inequality 78 with arbitrarily imperfect random bits under the no-signaling assumption.
Randomness amplification is related to the freewill assumption [5][6][7][79][80][81][82] in Bell tests. In expeiments, the freewill assumption requires the inputs to be random enough such that violations of Bell inequalities are induced from quantum effects rather than predetermined classical processes.This is extremely meaningful in fundamental Bell tests, which aim to rule out local realism.Such fundamental tests are the foundations of self-testing tasks, such as device-independent QKD and self-testing QRNG.Interestingly, self-testing tasks require a faithful violation of a Bell inequality, in which intrinsic random numbers are needed.However, to generate faithful random numbers, we in turn need to witness nonlocality which requires additional true randomness.Therefore, the realisations of genuine loophole-free Bell tests and, hence, fully self-testing tasks are impossible.
Self-testing protocols with securities independent of the untrusted part can be designed only by placing reasonable assumptions on the trusted part.

Semi-self-testing QRNGs
Traditional QRNGs based on specific models pose security risks in fast random number generation.
On the other hand, the randomness generated by self-testing QRNGs is information-theoretically secure even without characterising the devices, but the processes are impractically slow.As a compromise, intermediate QRNGs might offer a good tradeoff between trusted and self-testing schemes -realising both reasonably fast and secure random number generation.
As shown in Fig. 5, a typical QRNG comprises two main modules, a source that emits quantum states and a measurement device that detects the states and outputs random bits.In trusted-device QRNGs, both source and measurement devices 15, 54 must be modeled properly; while the output randomness in the fully self-testing QRNGs does not depend on the implementation devices.In practice, there exist scenarios that the source (respectively, measurement device) is well characterised, while the measurement device (respectively, source) not.Here, we review the semiself-testing QRNGs, where parts of the devices are trusted.
Source-independent QRNG In source-independent QRNG, the randomness source is assumed to be untrusted, while the measurement devices are trusted.The essential idea for this type of scheme is to use the measurement to monitor the source in real time.In this case, normally one needs to randomly switch among different (typically, complement) measurement settings, so that the source (assumed to be under control of an adversary) cannot predict the measurement ahead.
Thus, a short seed is required for the measurement choices.
In the illustration of semi-self-testing QRNG, Fig. 5, the source-independent scheme is represented by a unique x (corresponding to a state ρ x ) and multiple choices of the measurement settings y.In Section 2, we present that randomness can be obtained by measuring |+ in the Z basis.However, in a source-independent scenario, we cannot assume that the source emits the state |+ .In fact, we cannot even assume the dimension of the state ρ x .This is the major challenge facing for this type of scheme.
In order to faithfully quantify the randomness in the Z basis measurement, first a squashing model is applied so that the to-be-measured state is equivalent to a qubit 83 .Note that this squashing model puts a strong restriction on measurement devices.Then, the measurement device should occasionally project the input state onto the X basis states, |+ and |− , and check whether the input is |+ 39 .The technique used in the protocol shares strong similarity with the one used in QKD 84 .The X basis measurement can be understood as the phase error estimation, from which we can estimate the amount of classical noise.Similar to privacy amplification, randomness extraction is performed to subtract the classical noise and output true random values.
The source-independent QRNG is advantageous when the source is complicated, such as in the aforementioned QRNG schemes based on measuring single photon sources 16,17,42 , LED lights 47 , and phase fluctuation of lasers 33 .In these cases, the sources are quantified by complicated or hypothetical physical models.Without a well-characterized source, randomness can still be generated.The disadvantage of this kind of QRNGs compared to fully self-testing QRNGs is that they need a good characterization of the measurement devices.For example, the upper and the lower bounds on the detector efficiencies need to be known to avoid potential attacks induced from detector efficiency mismatch.Also the intensity of light inputs into the measurement device needs to be carefully controlled to avoid attacks on the detectors.
Recently, a continuous-variable version of the source-independent QRNG is experimentally demonstrated 40 and achieves a randomness generation rate over 1 Gbps.Moreover, with state-ofthe-art devices, it can potentially reach the speed in the order of tens of Gbps, which is similar to the trusted-device QRNGs.Hence, semi-self-testing QRNG is approaching practical regime.
Measurement-device-independent QRNGs Alternatively, we can consider the scenario that the input source is well characterised while the measurement device is untrusted.In Fig. 5, different inputs ρ x (hence multiple x) are needed to calibrate the measurement device with a unique setting y.Similar to the source-independent scenario, the randomness is originated by measuring the input state |+ in the Z basis.The difference is that here the trusted source sends occasionally auxiliary quantum states ρ x , such as |0 , to check whether the measurement is in the Z basis 85 .The analysis combines measurement tomography with randomness quantification of positive-operator valued measure, and does not assume to know the dimension of the measurement device, i.e., the auxiliary ancilla may have an arbitrary dimension.
The advantage of such QRNGs is that they remove all detector side channels, but the disadvantage is that they may be subject to imperfections in the modeling of the source.This kind of QRNG is complementary to the source-independent QRNG, and one should choose the proper QRNG protocol based on the experimental devices.
We now turn to two variations of measurement-device-independent QRNGs.First, the measurement tomography step may be replaced by a certain witness, which could simplify the scheme at the expense of a slightly worse performance.Second, similar to the source-independent case, a continuous-variable version of measurement-device-independent QRNG might significantly increase the bit rate.The challenge lies on continuous-variable entanglement witness and measurement tomography.
Other semi-self-testing QRNGs Apart from the above two types of QRNGs, there are also some other QRNGs that achieve self-testing except under some mild assumptions.For example, the source and measurement devices can be assumed to occupy independent two-dimensional quantum subspaces 41 .In this scenario, the QRNG should use both different input states and different measurement settings.The randomness can be estimated by adopting a dimension witness 86 .A positive value of this dimension witness could certify randomness in this scenario, similar to the fact that a violation of the Bell inequality could certify randomness of self-testing QRNG in Section 4.

Outlook
The needs of "perfect" random numbers in quantum communication and fundamental physics experiments have stimulated the development of various QRNG schemes, from highly efficient systems based on trusted devices, to the more theoretically interesting self-testing protocols.On the practical side, the ultimate goal is to achieve fast random number generation at low cost, while maintaining high-level of randomness.With the recent development on waveguide fabrication technique 87 , we expect that chip-size, high-performance QRNGs could be available in the near future.In order to guarantee the output randomness, the underlying physical models for these QRNGs need to be accurate and both the quantum noise and classical noise should be well quantified.Meanwhile, by developing a semi-self-testing protocol, a QRNG becomes more robust against classical noises and device imperfections.In the future, it is interesting to investigate the potential technologies required to make the self-testing QRNG practical.With the new development on single-photon detection, the readout part of the self-testing QRNG can be ready for practical application in the near future.The entanglement source, on the other hand, is still away from the practical regime (Gbps).
On the theoretical side, the study of self-testing QRNG has not only provided means of generating robust randomness, but also greatly enriched our understanding on the fundamental questions in physics.In fact, even in the most recent loophole-free Bell experiment [88][89][90][91] where high-speed QRNG has played a crucial role, it is still arguable whether it is appropriate to use randomness generated based on quantum theory to test quantum physics itself.Other random resources have also been proposed for loophole-free Bell's inequality tests, such as independent comic photons 92 .
It is an open question whether we can go beyond QRNG and generate randomness from a more general theory.

Methods
Min-entropy source Given the underlying probability distribution, the randomness of a random sequence X on {0, 1} n can be quantified by its min-entropy Santha-Vazirani weak sources 76 We assume that random bit numbers are produced in the time sequence x 1 , x 2 , ..., x j , ....Then, for 0 < ǫ ≤ 1/2, the source is called ǫ-free if ǫ ≤ P (x j |x 1 , x 2 , . . ., x j−1 , e) ≤ 1 − ǫ, for all values of j.Here e represents all classical variables generated outside the future light-cone of the Santha-Vazirani weak sources.
Randomness extractor A RNG typically consists of two components, an entropy source and a randomness extractor 87 .In a QRNG, the entropy source could be a physical device whose output is fundamentally unpredictable, while the randomness extractor could be an algorithm that generates nearly perfect random numbers from the output of the above preceding entropy source, which can be imperfectly random.The two components of QRNG are connected by quantifying the randomness with min-entropy.The min-entropy of the entropy source is first estimated and then fed into the randomness extractor as an input parameter.
The imperfect randomness of the entropy source can already be seen in the SPD based schemes, such as the photon number detection scheme.By denoting N as the discrimination upper bound of a photon number resolving detector, at most log 2 (N) raw random bits can be generated per detection event.However, as the photon numbers of a coherent state source follows a Poisson distribution, the raw random bits follow a non-uniform distribution; consequently, we cannot obtain log 2 (N) bits of random numbers.To extract perfectly random numbers, we require a postprocessing procedure (i.e.randomness extractor).
In the coherent detection based QRNG, the quantum randomness is inevitably mixed with classical noises introduced by the detector and other system imperfections.Moreover, any measurement system has a finite bandwidth, implying unavoidable correlations between adjacent samples.Once quantified, these unwanted side-effects can be eliminated through an appropriate randomness extractor 15 .
The composable extractor was first introduced in classical cryptography 93,94 , and was later extended to quantum cryptography 95,96 .To generate information-theoretically provable random numbers, two typical extractor, the Trevisan's extractor or the Toeplitz-hashing extractor, are generally employed in practice.
Trevisan's extractor 97,98 has been proven secure against quantum adversaries 99 .Moreover, it is a strong extractor (its seed can be reused) and its seed length is polylogarithmic function of the input.Tevisan's extractor comprises two main parts, a one-bit extractor and a combinatorial design.The Toeplitz-hashing extractor was well developed in the privacy amplification procedure of the QKD system 100 .This kind of extractor is also a strong extractor 101 .By applying the fast Fourier transformation technique, the runtime of the Toeplitz-hashing extractor can be improved to O(n log n).
On account of their strong extractor property, both of these extractors generate random numbers even when the random seed is longer than the output length of each run.Both extractors have been implemented 15 and the speed of both extractors have been increased in follow-up studies 102,103 , but remain far below the operating speed of the QRNG based on laser-phase fluctuation (68 Gbps 36 ).Therefore, the speed of the extractor is the main limitation of a practical QRNG.

Figure 1 :
Figure 1: Electron spin detection in the Stern-Gerlach experiment.Assume that the spin takes two directions along the vertical axis, denoted by |↑ and |↓ .If the electron is initially in a superposition of the two spin directions, |→ = (|↑ + |↓ )/ √ 2, detecting the location of the electron would breaks the coherence and the outcome (↑ or ↓) is intrinsically random.
For example, Fig. 2 (a) shows a polarization based QRNG, where |0 and |1 denote horizontal and vertical polarization, respectively, and |+ denotes +45 o polarization.Fig. 2 (b) presents a path based QRNG, where |0 and |1 denote the photon traveling via path R and T , respectively.

Figure 2 :
Figure 2: Practical QRNGs based on single photon measurement.(a) A photon is originally prepared in a superposition of horizontal (H) and vertical (V) polarizations, described by (|H + |V )/ √ 2. A polarising beam splitter (PBS) transmits the horizontal and reflects the vertical polarization.For random bit generation, the photon is measured by two single photon detectors (SPDs).(b) After passing through a symmetric beam splitter (BS), a photon exists in a superposition of transmitted (T) and reflected (R) paths, (|R + |T )/ √ 2. A random bit can be generated by measuring the path information of the photon.(c) QRNG based on measurement of photon arrival time.Random bits can be generated, for example, by measuring the time interval, ∆t, between two detection events.(d) QRNG based on measurements of photon spatial mode.The generated random number depends on spatial position of the detected photon, which can be read out by an SPD array.

Figure 3 :
Figure 3: QRNGs using macroscopic photodetector.(a) Phase-space representation of the vacuum state.The variance of the X-quadrature is 1/4.(b) QRNG based on vacuum noise measurements.The system comprises a strong local oscillator (LO), a symmetric beam splitter (BS), a pair of photon detector (PD), and an electrical subtracter (Sub).(c) Phase-space representation of a partially phase-randomised coherent state.The variance of the X-quadrature is in the order of n × ∆θ 2 , where n is the average photon number and ∆θ 2 is the phase noise variance.(d) QRNGs based on measurements of laser phase noise.The first coupler splits the original laser beam into two beams, which propagate through two optical fibres of different lengths, thereafter interfering at the second coupler.The output signal is recorded by a photon detector.The extra length ∆L in one fibre introduces a time delay T d between the two paths, which in turn determines the variance of the output signal.

Figure 4 :
Figure 4: Illustration of a bipartite Bell test.Alice and Bob are two spacelikely separated parties, that output a and b from random inputs x and y, respectively.A Bell inequality is defined as a linear combination of the probabilities p(a, b|x, y).For instance, the Clauser-Horne-Shimony-Holt (CHSH) inequality 59 is defined by S = a,b,x,y (−1) a+b+xy p(a, b|x, y) ≤ S C = 2, where all of the inputs and outputs are bit values, and S C is the classical bound for all local hidden-variable models.With quantum settings, that is, performing measurements M a x ⊗ M b y on quantum state ρ AB , p(a, b|x, y) = Tr[ρ AB M a x ⊗ M b y ], the CHSH inequality can be violated up to S Q = 2 √ 2.

Figure 5 :
Figure 5: A semi-self-testing QRNG.Conditional on the input setting x, the source emits a quantum state ρ x .Conditional on the input y, the detection device measures ρ x and outputs b.

Table 1 :
A brief summary of trusted-device QRNG demonstrations.Detailed description of these schemes can be found in Section 2 and 3. Note that the quality/security of random numbers in different demonstrations may be different.Raw: reported raw generation rate, Refined: reported