Abstract
Quantum random number generators promise perfectly unpredictable random numbers. A popular approach to quantum random number generation is homodyne measurements of the vacuum state, the ground state of the electromagnetic field. Here we experimentally implement such a quantum random number generator, and derive a security proof that considers quantum sideinformation instead of classical sideinformation only. Based on the assumptions of Gaussianity and stationarity of noise processes, our security analysis furthermore includes correlations between consecutive measurement outcomes due to finite detection bandwidth, as well as analogtodigital converter imperfections. We characterize our experimental realization by bounding measured parameters of the stochastic model determining the minentropy of the system’s measurement outcomes, and we demonstrate a realtime generation rate of 2.9 Gbit/s. Our generator follows a trusted, devicedependent, approach. By treating sideinformation quantum mechanically an important restriction on adversaries is removed, which usually was reserved to semideviceindependent and deviceindependent schemes.
Introduction
Random numbers are ubiquitous in modern society^{1}. They are used in numerous applications ranging from cryptography, simulations, and gambling, to fundamental tests of physics. For most of these applications, the quality of the random numbers is of utmost importance. If, for instance, cryptographic keys originating from random numbers are predictable, it will have severe consequences for the security of the internet. To ensure the security of cryptographic encryption, the random numbers used to generate the secret encryption key must be completely unpredictable, private, and their randomness must be certified.
True unpredictability and privacy of the generated numbers can be attained through a quantum measurement process: by performing a projective measurement on a pure quantum state, and ensuring that the state is not an eigenstate of the measurement projector, the outcome is unpredictable and thus true random numbers can be generated^{2}. Moreover, the generated numbers can be private since a pure state cannot be correlated to any other state in the universe.
Numerous different types of quantum random number generators (QRNGs) have been devised exploiting the quantum uncertainty in photon counting measurements, phase measurements, or quadrature measurements^{3,4,5}. One particular approach of increasing interest due to its high practicality is the optical quadrature measurements of the vacuum state by means of a simple homodyne detection^{6,7,8}. This approach combines simplicity, costeffectiveness, chip integrability, and high generation speed.
Stateofthe art security proofs for such QRNGs assumed that the information available in the environment about the measurement outcomes, socalled side information, is of classical nature^{8}. Recently, quantum side information was taken into account for a sourceindependent QRNG^{9,10,11,12}, which however requires a more complex measurement apparatus.
Furthermore, it has been assumed in the security proof that subsequent measurement outcomes of QRNGs based on homodyning of vacuum states are uncorrelated in time. Therefore, experiments dealt with the unavoidable correlations caused by the finite bandwidth of the detection system by exploiting aliasing in the sampling procedure or by using suitable postprocessing algorithms^{6,7,8,11,13,14,15,16,17,18,19,20}. Such measures usually throttle the overall rate considerably or remove the correlations only partially.
A rigorous characterization of the system is of utmost importance as any parameter uncertainty introduces a nonzero probability for system failure, i.e., the probability that the actual device does not follow the stochastic model describing the underlying physical random number generation process. Knowing the failure probability for the system is critical to its certification. Previously this metrologygrade approach was used for phase fluctuation QRNGs^{21}. This includes that imperfect analogtodigital conversion is taken into account.
Realtime fieldprogrammablegatearray (FPGA) implementations of randomness extraction with Gbit/sspeed using an information theoretically secure Toeplitz randomness extractor have been demonstrated recently^{12,18,19,20,22}. Previously reported QRNG implementations achieved only moderate speeds or did not extract random numbers in real time^{6,7,8,11,13,14,15,16,17}.
Here we devise a security analysis for QRNGs based on quadrature measurements of the (trusted) vacuum state that takes quantum side information into account. Our security analysis is based on the assumptions of stationarity and Gaussianity of the involved noise processes. We include correlations of measurement outcomes in the security proof as well as the imperfections of analogtodigital conversion. We experimentally implement the QRNG and use a conservative and rigorous approach to characterize the parameters of the stochastic model that determines the amount of randomness. To establish a conservative bound with confidence intervals on the amount of vacuum fluctuations, we devise an experimental procedure based on a measurement of the transfer function (TF) of the measuring device. Using realtime Toeplitz randomness extraction implemented in an FPGA, we achieve a rate of 2.9 Gbit/s.
Results
Setting the stage
A schematic of our QRNG is shown in Fig. 1. An arbitrary quadrature of the vacuum state is measured using a balanced homodyne detector comprising a bright reference beam, a nominal symmetric beam splitter, and two photo diodes^{23}. The measurement outcomes ideally are random with a Gaussian distribution associated with the Gaussian Wigner function of the vacuum state^{24}. The measured distribution, however, contains two additional independent noise sources: excess optical noise and electronic noise, thereby contributing two side channels. These must be accounted for in estimating the minentropy of the source.
The amount of quantum randomness that can be extracted from the homodyne measurement of vacuum fluctuations is given by the leftover hash lemma against quantum side information^{25,26}
Here \({H}_{\min }(X E)\) is the minentropy of a single measurement outcome drawn from a random variable X conditioned on the quantum side information E, N is the number of aggregated samples, and ϵ_{hash} is the distance between a perfectly uniform random string and the string produced by a randomness extractor. It is therefore clear that we need to find the minentropy of our practical—thus imperfect—realization in order to bound the amount of randomness. We achieve this in a twostep approach: First, we theoretically derive a bound for the minentropy using a realistic model and express it in terms of experimentally accessible parameters. Second, we experimentally deduce these parameters through a conservative and rigorous characterization. Using such an approach, we find the worstcase minentropy compatible with the confidence intervals of our characterization and calibration measurements, thereby obtaining a string of ϵrandom bits that are trustworthy with the same level of confidence.
Theoretical analysis
The theoretical analysis of the security of the QRNG is made under the following assumptions:

A0 The predictions of quantum mechanics are reliable.

A1 The measurement performs homodyne detection on a singlemode and the measurement outcome is linear in the quadratures.

A2 The quantum state that is measured is a single mode thermal state with stationary mean photon number.
The analysis of the QRNG follows a devicedependent approach, which assumes that the system (and therefore the minentropy of the source) does not change after system characterization (A2). The quantum side information comprises all information that can be extracted from the environment of the QRNG, i.e., from the rest of the universe. Therefore, under assumptions A0–A2, the bits extracted by the QRNG are random with respect to all (quantum and classical) side channels. Following A2, homodyne detection is performed on a single optical mode in a thermal state, which at a given time is characterized by the field quadratures \(\hat{q}\) and \(\hat{p}\).
The physical model of our device is derived in “Methods.” There we show that our device performs the measurement
where g is a gain factor, \({\hat{X}}_{a}\) is the quadrature operator of the vacuum mode entering the central beam splitter, and \(\hat{N}\) is a noise operator describing all noise sources.
In the following, we first present a theoretical analysis of a source emitting i.i.d. (independent and identically distributed) quantum states, i.e., a source of infinite bandwidth, and an ideal analogtodigital converter (ADC). We then extend the security analysis to imperfect ADCs. Finally, we extend to a source with finite bandwidth that emits correlated (noni.i.d.) quantum states at different times.
Limit of identical and independent distribution
Under ideal conditions, homodyne detection would allow us to measure the quadrature of a target optical mode, which in our setting is in the vacuum state. However, as discussed in detail in “Methods,” because of experimental imperfections, this vacuum signal is mixed with noise. Therefore, the nonideal homodyne detector measures the quadrature \(\hat{q}\) of a mode, denoted in the following as S, that is not in the vacuum state. Following assumption A2, said state is a thermal state, which we denote as ρ_{S}. We recall that a thermal state is uniquely characterized by the mean photon number n.
We require the random numbers to be statistically independent of any quantum or classical side information. Therefore, we need to analyze the correlations between the measured system S and its environment E. Following A0, the joint state of S and E is necessarily a pure state, ψ_{SE}, as the combined system SE is by definition isolated^{27}. There exist infinitely many purifications ψ_{SE} of the thermal state ρ_{S}. However, these purifications are all equivalent up to local unitary transformations in the environment E, and thus they all have the same information content^{27}. To perform our theoretical analysis, it is therefore sufficient to consider any of these purifications. We choose the twomode squeezed vacuum (TMSV), which is a twomode Gaussian state that purifies the thermal state^{24}. The environment E is thus described by a single bosonic mode.
The outcome X of homodyne detection on a thermal state with mean photon number n is a continuous realvalued variable, whose probability density distribution is
where g is a gain factor and
denotes a Gaussian in the variable x, with mean μ, and variance v^{2}.
In our QRNG, the continuous variable X is mapped into a discrete and bounded variable \(\bar{X}\) due to the use of an ADC with range R and bin size Δx. We therefore consider a model in which X is replaced by a discrete variable \(\bar{X}\) that assumes values j = 1, 2, …, d with probability mass distribution
where I_{j}s are d intervals that discretize the outcome of homodyne detection. This models an ideal ADC without errors.
The correlations between the discretized outcome \(\bar{X}\) and the environment E are described by the classicalquantum (CQ) state,
with
Here \(\leftj\right\rangle\) are orthogonal states representing the possible discrete outcomes and \({\rho }_{E}^{x}\) describes the postmeasurement quantum state of the environment. The explicit expressions of these quantities are given in “Methods,” and the full derivation is in Supplementary Note 2.
We will now quantify the rate of the QRNG in terms of the conditional minentropy with quantum side information. Given the state \({\rho }_{\overline{X}E}\) in Eq. (6), the minentropy of \(\bar{X}\) conditioned on the environment mode reads^{28}
where ∥⋅∥_{∞} denotes the operator norm, i.e., the largest eigenvalue, and the supremum is over a density operator γ_{E} for the environment system. Here \({\gamma }_{E}^{1/2}{\rho }_{\overline{X}E}\ {\gamma }_{E}^{1/2}=\left({I}_{X}\otimes {\gamma }_{E}^{1/2}\right){\rho }_{\overline{X}E}\left({I}_{X}\otimes {\gamma }_{E}^{1/2}\right)\), where I_{X} is the identity operator on X. The \(\mathrm{log}\,\) has base 2.
In “Methods,” we compute a lower bound on this quantity following a particular choice for γ_{E}. The final result (which includes an optimization over the gain g—see “Methods” for the unoptimized result) is
where
and \({g}_{* }^{\prime}\) is implicitly defined by the equation
ADC digitization noise
The above result assumed an ADC without digitization errors and noise. However, those imperfections reduce the extractable minentropy. Given the true digitization outcome j, the noise replaces it with a different, possibly random, output f. For any given f, we count up to M possible true values j that map into f. In “Methods,” we show that this reduces the minentropy by at most \(\mathrm{log}\,M\) bits, i.e.,
with \({H}_{\min }{(\bar{X} E)}^{{\rm{ideal}}}\) given in Eq. (9).
Beyond i.i.d.: stationary Gaussian process
We now consider the more realistic scenario of finite bandwidth. In the experimental implementation, the finite detection bandwidth, described by the impulse response of the detector, defines the temporal mode of the measured quantum state. Correlations arise due to the temporal overlap of the different modes. The process is still stationary and Gaussian (A2), however, not i.i.d. Here we use theoretical tools from information theory^{29} and signal processing^{30} to analyze this stationary Gaussian process. We first obtain a virtual i.i.d. model for the noni.i.d. process. Then we apply the results of the previous section to compute a lower bound on the minentropy with quantum side information of said virtual i.i.d. model.
The analysis deals with two stochastic processes. One is the outcome X of the homodyne measurement. The second stochastic process, denoted as U, describes the excess noise, i.e., all fluctuations in the measurement that are not purely vacuum fluctuations, including electronic noise of the detector and intensity noise of the local oscillator laser. Both X and U are stationary and Gaussian processes (A2). When a measurement is performed at a given time t, the homodyne outcome is denoted as X_{t}. Similarly, we denote as U_{t} the excess noise at time t.
The homodyne measurement outcome X_{t} comprises several components. Part of it comes from pure vacuum fluctuations and part comes from the excess noise. However, because of the finite bandwidth, X_{t} also contains a component that is determined by past measurement outcomes, denoted as X_{<t}. The component from past measurement outcomes is considered as side information.
We write the variance of X_{t} as \({\sigma }^{2}={\sigma }_{X}^{2}+\zeta\), where ζ accounts for the fluctuations of X_{<t}, and \({\sigma }_{X}^{2}\) accounts for all fluctuations that are independent of the past, i.e., the variance of X_{t} conditioned on X_{<t}. The conditional variance \({\sigma }_{X}^{2}\) accounts for both pure vacuum fluctuations and for the excess noise. The conditional variance of the excess noise is denoted as \({\sigma }_{U}^{2}\), and the variance of pure vacuum fluctuations is thus obtained as \({\sigma }_{X}^{2}{\sigma }_{U}^{2}\). Below we develop a theory that allows us to determine the quantities \({\sigma }_{X}^{2}\), ζ, and \({\sigma }_{U}^{2}\).
Let us first consider the stochastic process X. Given the time series of measured values \({x}_{{t}_{k}}\), \(\hat{x}(\lambda)={\sum }_{k}{x}_{{t}_{k}}{e}^{ik\lambda }\) is the Fourier transform, for λ ∈ [0, 2π]. The power spectral density (PSD) is then defined as \({f}_{X}(\lambda)= \hat{x}(\lambda){ }^{2}\). The variance σ^{2} and the PSD can be both estimated experimentally. In turn, from the PSD we can estimate the entropy rate^{29,30},
where
is the conditional variance. The same formal relation links the PSD and the entropy rate of the excess noise U,
where
is the conditional variance of the excess noise.
Because of the finite bandwidth of the measuring apparatus, both the homodyne outcome X_{t} and excess noise U_{t}, at a given time t, are correlated with their values at previous times. To filter out the effects of these correlations, we consider the probability density distribution of X_{t}, conditioned on all past homodyne measurement outcomes,
where x_{t} denotes the possible values of the variable X_{t} at time t, x_{<t} denotes the collection of values of all homodyne measurement outcomes at times \(t^{\prime} \, < \, t\), and μ_{t} is the conditional mean value of X_{t}. Note that, if p(x_{1}, x_{2}, …x_{n}) is a multivariate Gaussian probability distribution, the conditional distribution p(x_{1}∣x_{2}, …x_{n}) is also Gaussian. Also note that \({\sigma }_{X}^{2}\) does not depend on time because X is stationary (this follows, for example, from Eq. (13)). Although the mean value μ_{t} may depend parametrically on the past values x_{<t}, the random variable X_{t} is (by definition) conditionally independent of previous homodyne outcomes. Therefore, we can formally describe it—once the previous measurement outcomes are known—as the outcome of a measurement applied on correlationfree quantum state with variance \({\sigma }_{X}^{2}\). We thus identify (using the notation of Eq. (3)):
We can then write the (unconditional) variance σ^{2} as
which allows us to obtain \(\zeta ={\sigma }^{2}{\sigma }_{X}^{2}\).
In summary, we have defined an effective i.i.d. model for the noni.i.d. signal. The i.i.d. model is characterized by the parameters n and g in Eq. (18). To determine these parameters, we need a second equation in addition to Eq. (18). Such a second equation is obtained through the conditional variance of the excess noise.
For the excess noise U_{t}, we can similarly write the probability density distribution conditioned on past values, i.e.,
where u_{t} denotes the possible values of the variable U_{t} at time t, u_{<t} denotes its past values, and ν_{t} is the conditional mean value of U_{t}. The quantity of interest is the conditional excess noise variance \({\sigma }_{U}^{2}\). We identify the latter with the variance of the excess noise in the i.i.d. model:
By inverting Eqs. (18) and (21), we obtain the parameters n and g of the i.i.d. model of the noni.i.d. process,
Finally, we need to account for the term ζ, which describes the fluctuations due to past measurements. We incorporate this in the variance of the excess noise and redefine
In conclusion, we use this virtual i.i.d. model to compute a lower bound for the minentropy of the noni.i.d. process, where the values for g and n in Eq. (3) are given in Eq. (22) and (24), respectively. In turn, this allows us to estimate the minentropy rate using Eq. (9) (see also Eqs. (62) and (67) in “Methods”). This is plotted in Fig. 2 for varying excess noise, ADC resolution, and temporal correlations. The xaxis of the plot is the ratio of the conditional variance of the vacuum fluctuations and the excess noise, i.e., the quantum noise to excess noise ratio of the virtual i.i.d. process. If, as assumed for the plot in Fig. 2, the homodyne measurement outcomes and the excess noise have similar temporal correlations, this ratio is independent of the amount of correlations. The amount of correlations present in the system is instead characterized by the ratio \({\sigma }_{X}^{2}/{\sigma }^{2}\), which takes the value of 1 for an i.i.d. process and becomes smaller for increasing temporal correlations. For each ADC resolution, the upper traces in Fig. 2 show the extractable minentropy when almost no correlations are present. Obviously, stronger correlations yield lower randomness.
Similar to the result for classical side information^{8}, we show that random numbers can in principle be generated for noise treated as quantum side information as well and even in the large excess noise regime. This is due to the fact that relatively small vacuum fluctuations can give a substantial contribution to the entropy if the ADC resolution is sufficiently high. This property is preserved even when a large amount of temporal correlations is present in the recorded data (lower traces in Fig. 2). However, as discussed below, increasing the precision may not necessarily lead to an increase in the minentropy in the presence of digitization errors.
System characterization
To be able to apply the theoretical result obtained above to our experimental implementation, we need to provide evidence that our implementation indeed fulfills the assumptions. This is in fact a difficult task and a detailed discussion can be found in “Methods.”
We are now in a position to estimate the minentropy through characterization of our setup. According to the theoretical analysis, the minentropy can be found by determining the variance σ^{2} as well as the conditional variances of the homodyne measurement outcomes \({\sigma }_{X}^{2}\) and the excess noise \({\sigma }_{U}^{2}\). To obtain a conservative, and thus reliable, estimate of the minentropy, it is important that the measurement of these parameters does not rely on any ideality assumptions of the homodyne detector.
The first two parameters σ^{2} and \({\sigma }_{X}^{2}\) can be directly established from the PSD f_{X}(λ) of the homodyne measurement outcomes. The excess noise parameter \({\sigma }_{U}^{2}\) is, however, more involved as its amount is determined by several sources whose individual contributions is too cumbersome to determine. Our goal is thus to establish the PSD of the excess noise f_{U}(λ) by determining the contribution of the vacuum fluctuations to the total noise. \({\sigma }_{U}^{2}\) can then be computed from f_{U}(λ) = f_{X}(λ) − f_{vac}(λ), where f_{vac}(λ) is the PSD of the vacuum fluctuations.
To establish a lower bound on f_{vac}(λ), we basically consider the homodyne detector as a box (see Fig. 3a) with a quantum state input and an input–output relation given by Eq. (2) with unknown parameters. Our strategy is thus to measure the TF of the box by probing it with known quantum states and to use this result to conservatively calibrate the PSD of the vacuum fluctuations. This method allows us to establish a lower bound on the vacuum fluctuations under all experimental conditions, in particular where other noise sources couple into the detector, e.g., intensity noise of the laser due to imperfect commonmode rejection or stray light coupling into the signal port—likely to be an issue with integrated photonic chips.
The TF of the box is measured by injecting a coherent state in the form of a second laser beam (independent of the local oscillator laser) with low power P_{sig} into the signal port of the beam splitter as displayed in Fig. 3a. A typical beat signal is shown in Fig. 3b obtained by computing an averaged periodogram from the sampled signal. We record the TF(ν) by scanning the frequency of the signal laser. At each difference frequency ν, we determine the power of the beat signal and normalize it to P_{sig}. At high signaltonoise ratio, the rootmeansquare power of the beat signal is purely a function of the coherent state amplitude (determined by the signal laser power). It is independent of the noise of the detector, since the second term in Eq. (2), the noise term, can be neglected. The first term depending on the quadrature operator \({\hat{X}}_{a}\) can be decomposed into a dominating term depending on the coherent state amplitude and a negligible term depending on the noise of the input state, rendering the rootmeansquare power independent of the laser noise properties.
Since the vacuum noise was amplified to optimally fill the range of the ADC, we used a 20dB electrical attenuator with flat attenuation over the frequency band of interest to avoid saturation, see Fig. 3a. The result of the TF characterization, normalized to a maximum gain of 1, is shown in Fig. 3c.
Given the linearity of the detector (A1), we obtain the PSD of the vacuum fluctuations by multiplying the TF(ν) with the shot noise energy \(\hbar\omega_L\) contained in 1 Hz bandwidth, where \(\hbar\) is Planck’s constant and ω_{L} is the angular frequency of the local oscillator laser. By modeling the inner workings of the box, we confirm in Supplementary Note 5 that with this procedure we indeed obtain a lower bound on the PSD of the vacuum fluctuations.
The conservatively estimated PSD of the vacuum fluctuations is shown in Fig. 4a together with the actually measured PSD of the signal. The spectra are clearly colored which indicates that the data samples are correlated and therefore noni.i.d. This is further corroborated in Fig. 4b, where the autocorrelation of the homodyne measurement outcomes is plotted. It justifies the importance of using the minentropy relation associated with noni.i.d. samples.
From the PSDs, we calculate the three parameters for obtaining the minentropy, which are summarized in Table 1. By minimizing the minentropy over the confidence set of the estimated parameters, we obtain 10.74 bit per 16bit sample with a failure probability of ϵ_{PE} = 10^{−10} (i.e., the probability that the actual parameters are outside the confidence intervals) under the assumption of an ideal ADC.
Finally, we characterized the digitization error of our ADC, which is shown in Fig. 4c. The measurement protocol is described in Supplementary Note 3. The reduction of the minentropy due to the digitization error is 7.23 bit with a confidence of 2 × 10^{−6} as 500,000 measurements have been used to construct the histogram for each digitization result. Thus this yields a total minentropy of 3.51 bit. This relatively large reduction is due to the fact that our ADC is fourway interleaved and has a large analog bandwidth.
Discussion
We have demonstrated a QRNG based on the measurement of vacuum fluctuations with realtime extraction at a rate of 2.9 Gbit/s and security against quantum side information. Our QRNG has a strong security guarantee with a failure probability of \({N}^{\prime}\cdot {\epsilon }_{\text{hash}}+{\epsilon }_{\text{PE}}+{\epsilon }_{\text{ADC}}+{\epsilon }_{\text{seed}}={N}^{\prime}\cdot 1{0}^{32}+3\times 1{0}^{10}+2\times 1{0}^{6}+{\epsilon }_{\text{seed}}\), where \({N}^{\prime}\) is the number of QRNG runs in the past with the same seed for the randomness extractor, ϵ_{hash} is the security parameter related to the removal of side information [see Eq. (1)], ϵ_{PE} = 10^{−10} is the security parameter of the estimation of one parameter, ϵ_{ADC} = 2 × 10^{−6} is related to the confidence of the digitization error measurement, and ϵ_{seed} describes the security of the random bits used for seeding the randomness extractor. Since quantum side information from the past has to be taken into account, ϵ_{hash} grows with time^{2}.
We chose ϵ_{hash} = 10^{−32} to keep \({N}^{\prime}{\epsilon }_{\text{hash}}\) low enough to, in principle, be able to generate Gaussian random numbers with security ϵ = 10^{−9} for a single execution of a continuous variable quantum key distribution (QKD)^{5} protocol with 10^{10} transmitted quantum states even after 10 years of continuous operation of the QRNG. See Supplementary Note 6 for details. We note, however, that in our case the ϵsecurity parameter is limited by ϵ_{ADC}. In our experiment, the seed bits were chosen with a pseudorandom number generator, which does not allow us to give a security guarantee for ϵ_{seed}. The generated random numbers passed both the Dieharder^{31} and the NIST 80090B^{32} statistical batteries of randomness tests.
Due to the choice of a very small ϵ_{hash}, the realtime speed of our QRNG was limited to 2.9 Gbit/s by the input size of the Toeplitz extractor required by our FPGA implementation. Without limitations to the matrix size, a speed of 3.5 Gbit/s could be reached. The main limitation to the available minentropy is the ADC digitization error.
Our QRNG is suited for use in highspeed QKD links, for instance, in GHz clocked discrete variable^{33} as well as in highspeed continuousvariable QKD (CVQKD)^{34}. For Gaussianmodulated CVQKD, the uniform random number distribution has to be converted to a Gaussian distribution, which requires a larger random number generation rate. Furthermore, QKD requires composable security and a guarantee of privacy of the random numbers as provided by our system.
Further developments to guarantee reliable operation over a long time and to fulfill requirements by certification authorities would need to include poweron selftests and online testing of the parameters in the security analysis as well as the generated random numbers. Finally, the removal of the Gaussianity and stationarity assumptions in the security analysis, which are in practise difficult to verify, would further strengthen the security of the QRNG.
Methods
Physical model
Here we will develop a physical model of the QRNG using a description of optical modes by annihilation and creation operators in the Heisenberg picture^{35}. A schematic of our detector depicting the involved modes and parameters is shown in Fig. 5. Mode operators \(\hat{a}\) and \(\hat{b}\) denote the signal and local oscillator, respectively. The signal and the local oscillator are mixed at the central beam splitter, which, under ideal conditions, has 50% splitting ratio. In our model, we consider that the splitting ratio of the central beam splitter may deviate from perfect balancing by Δ. The optical modes at the output of the central beam splitter are measured by a pair of photo diodes, with quantum efficiencies η_{1} and η_{2}, respectively. The nonunit efficiencies are modeled by introducing the auxiliary modes \({\hat{l}}_{1}\) and \({\hat{l}}_{2}\). Optoelectrical conversion is described by the constant K.
The local oscillator laser mode \(\hat{b}\) can be written as \(\hat{b}=\langle \hat{b}\rangle +\delta \hat{b}\equiv \beta +\delta \hat{b}\), where \(\langle \hat{b}\rangle\) is the expectation value and \(\delta \hat{b}\) describes the fluctuations. We operate our homodyne detector in the strong local oscillator regime, so that products of operators describing fluctuations are negligible: \(\delta \hat{x}\delta \hat{y}\approx 0\). We note that with local oscillator photon flux in the range of 10^{15} the detector operates deep within the strong local oscillator regime.
The modes that are detected by photo detection are given by
After subtraction and amplification, we obtain
with \(\tilde{g}:= K\beta\). Here we have introduced the quadrature operators
and the prefactors are given by
The homodyne detection circuit implements a highpass filter that removes the first term, which is constant. For an ideal homodyne detector, with Δ = 0 and η_{1} = η_{2} = 1, the output current of the detector reduces to
All the other terms that appear in Eq. (28) are treated as noise. We define the noise operator, \(\hat{N}=(B{\hat{X}}_{b}+{L}_{1}{\hat{X}}_{l1}+{L}_{2}{\hat{X}}_{l2})/A\), and rewrite Eq. (28) as
with \(g=\tilde{g}A\). Note that electronic noise can also be modeled in this way, by attributing it to fluctuations in the auxiliary modes \({\hat{l}}_{1}\) and \({\hat{l}}_{2}\) or in the local oscillator mode \(\delta \hat{b}\). The goal of the QRNG system is to extract bits from the measured homodyne output \(\hat{q}\), with the requirement that these bits are random with respect to the noisy variable \(\hat{N}\). This requirement means that the extracted random bits look random to an agent that has perfect knowledge, not only of the system specifications but also of \(\hat{N}\). Note that the noise comes from the fluctuations of the variables \({\hat{X}}_{b}\), \({\hat{X}}_{l1}\), and \({\hat{X}}_{l2}\) and is thus ultimately of quantum nature. For example, an agent may prepare the initial state of the modes \({\hat{l}}_{1}\) and \({\hat{l}}_{2}\) and measure them after the interaction at the beam splitters shown in Fig. 5.
The finite bandwidth of the detector can be modeled by its impulse response h_{amp}, which is the Fourier transform of its frequency response. The output voltage is then given by
where * is a convolution. Electronic noise also has finite bandwidth, and we assume it to have a Gaussian distribution with PSD S_{elec}(λ), zero mean, and variance \({\sigma }_{{\text{elec}}}^{2}=\int_{0}^{2\pi }{S}_{\text{elec}}(\lambda)/2\pi d\lambda\).
In our calibration method, described in the main text, we replace the vacuum state in the signal mode \(\hat{a}\) with a coherent state. This allows us to estimate the contribution of the vacuum fluctuations, \({\hat{X}}_{a}\), to the PSD of the detector output.
Theoretical analysis in the i.i.d. limit
Consider a single optical mode characterized by the quadrature operators \(\hat{q}\) and \(\hat{p}\). For a thermal state ρ_{S} with mean photon number n, the first moments of the field quadratures vanish, and the covariance matrix (CM) is
where we, as a matter of convention, put the variance of the vacuum equal to 1. In the equation above, we use \(\langle \hat{O}\rangle := \,{\text{tr}}\,({\rho }_{S}\hat{O})\) for operator \(\hat{O}\). For such a state, the output X of homodyne detection is distributed according to a Gaussian law,
where g is a gain factor.
As discussed above, the measured state ρ_{S} is purified into a TMSV. Thereby the second optical mode of this TMSV state, characterized by the field quadratures \({\hat{q}}_{{\rm{e}}}\) and \({\hat{p}}_{{\rm{e}}}\), is associated with the environment, i.e., the rest of the universe. The TMSV state is a Gaussian state with zero mean and CM^{24}
The correlations between the outcome X of ideal homodyne detection and the quantum side information in its environment are described by the CQ state
where \(\leftx\right\rangle\) are orthogonal states used to represent the possible outcomes of homodyne detection, and the integral in Eq. (45) extends over the real line. The state \({\rho }_{E}^{x}\) is the conditional state of the environment for a given measurement output value x. Without loss of generality, we consider the case where the quadrature \(\hat{q}\) is measured. We can then compute (see Supplementary Note 1 for details of the derivation) the first moment of the field quadratures of \({\rho }_{E}^{x}\):
as well as the CM
The continuous variable X is mapped into a discrete and bounded variable \(\bar{X}\) due to the use of an ADC. The probability mass distribution of \(\bar{X}\) is
where I_{j}s are d intervals that discretize the outcome of homodyne detection. In a typical setting, these d nonoverlapping intervals I_{j} are of the form
and for j = 2, …, d − 1
with a_{j} = − R + (j − 1)Δx/2 and Δx = 2R/(d − 2). This choice of the intervals reflects the way in which an ideal ADC with range R and bin size Δx operates in mapping a continuous variable into a discrete one. However, ADCs are not ideal devices, and below we show how the digitization error of the ADC reduces the minentropy.
In terms of the discrete variable \(\bar{X}\), the correlations with the environment are thus described by the state
with
We are now ready to quantify the rate of the QRNG in terms of the conditional minentropy. Given the state \({\rho }_{\overline{X}E}\) in Eq. (52), the minentropy of \(\bar{X}\) conditioned on the eavesdropper (denoted with the letter E) reads^{28}
where ∥⋅∥_{∞} denotes the operator norm (equal to the value of the maximum eigenvalue), and the supremum is over a density operator γ_{E} for the environment system.
Since a direct computation of the minentropy is not feasible, as it requires an optimization over all density operators γ_{E} in an infinitedimensional Hilbert space, we instead focus on finding a computable lower bound. A first lower bound on the minentropy is obtained by computing \(\parallel {\gamma }_{E}^{1/2}{\rho }_{\overline{X}E}\ {\gamma }_{E}^{1/2}{\parallel }_{\infty }\) for a given choice of the state γ_{E}, so that we have
where the last equality holds because the eigenstates \(\leftj\right\rangle\) of \({\rho }_{\overline{X}E}\) in Eq. (52) are mutually orthogonal. Here we set γ_{E} equal to a Gaussian state with zero mean and CM
where the parameter δ will be optimized a posteriori to improve the bound.
A second lower bound is obtained by applying the triangular inequality,
which implies
Since \({\rho }_{E}^{x}\) and γ_{E} are both Gaussian states, the above lower bound can be computed using the Gibbs representation techniques developed in ref. ^{36}. Employing these techniques and additional tools, ref. ^{37} derived a formula for the minentropy. By applying this result, we obtain (see Supplementary Note 2 for details)
To simplify the notation, we define
This yields
For j = 2, …, d − 1, this latter quantity reads
and for j = 1 and j = d,
We hence obtain
We remark that this is in fact a family of lower bounds parameterized by δ and g. The best bound in the family is
Let us define the function
Note that \({\rm{erf}}\left(\frac{{{\Delta }}x}{2g^{\prime} }\right)\) is a monotonically decreasing function of \(g^{\prime}\) with values in [0, 1), whereas \(\frac{1}{2}{\rm{erfc}}\left(\frac{R}{g^{\prime} }\right)\) is monotonically increasing with values in [0, 1/2). This implies that there exists a unique value of \({g}_{* }^{\prime}\) such that
If \(g^{\prime} \, > \, {g}_{* }^{\prime}\), then \(Q(g^{\prime})={\rm{erf}}\left(\frac{{{\Delta }}x}{2g^{\prime} }\right) \, > \, Q({g}_{* }^{\prime})\), and if \(g^{\prime} \, < \, {g}_{* }^{\prime}\), then \(Q(g^{\prime})=\frac{1}{2}{\rm{erfc}}\left(\frac{R}{g^{\prime} }\right) \, > \, Q({g}_{* }^{\prime})\). This implies that \({g}_{* }^{\prime}\) is a local and global maximum for the function Q.
In conclusion, the best lower bound on the conditional minentropy is
with \({g}_{* }^{\prime}\) implicitly given in Eq. (71).
ADC digitization noise
ADCs are not ideal devices and are subject to digitization error. We model the digitization error by introducing:

1.
A classical noise variable N, with associated probability distribution p_{N};

2.
A function f that describes how the noise variable i combines with the noiseless output value j to produce the noisy output f = f(j, i).
Using this model, the quantum side information about the output of the noisy ADC is described by the CQ state
where we have introduced a dummy quantum register N to keep track of the noise value i.
We want to ensure that the randomness extracted is also independent on the noise variable N, therefore, we compute the minentropy conditioned on EN,
where S_{f} denotes the set of values of j, i such that f(j, i) = f.
Putting \({\gamma }_{EN}={\gamma }_{E}\otimes {\sum }_{i}{p}_{N}(i)\lefti\right\rangle \left\langle i\right\), we obtain
where S_{f∣i} is defined as the set of values of j such that f(j, i) = f for a given value of i. We further define J_{f} as the set of values of j such that f(j, i) = f for some value of i.
It is difficult to estimate S_{f∣i} without making further assumptions on the noise underlying the ADC. However, we can experimentally estimate the cardinality ∣J_{f}∣ of the set J_{f}. Note that J_{f} contains S_{f∣i} for all i. We can then write a computable bound in terms of ∣J_{f}∣:
Here the first inequality follows from the fact that J_{f} contains S_{f∣i} for all i; the second inequality follows from the triangular inequality; the third inequality follows from the fact that the supremum is larger than the average; and the fourth inequality is obtained by replacing the supremum over j ∈ J_{f} with the supremum over all values of j.
In conclusion, when compared with an ideal noiseless ADC, the randomness is reduced by at most b bits, with \(b=\mathrm{log}\,\left[{\sup }_{f} {J}_{f} \right]\).
Verification of assumptions in the theoretical analysis
An integral part is the verification that our implementation indeed fulfills the assumptions made in the theoretical analysis of the QRNG.
A1
The physical model above verifies that our detector indeed performs homodyne detection.
The condition of the measurement of a single mode are given due to the following arguments: The local oscillator laser has a sidemode suppression of >70 dB and therefore operates in a single frequency mode. The local oscillator furthermore defines the polarization and the spatial properties (given by the single mode fiber) of the measured mode. The temporal properties are given by the impulse response of the homodyne detector and the following electronic circuits.
The linearity of our detector has been tested by connecting the output to an electrical spectrum analyzer instead of the ADC. Varying the power of the signal laser in the TF calibration setup, see Fig. 3, we verified its linear operation. We note that the linearity of the output of the homodyne detection circuit before it is sampled by the ADC is the important figure of merit. Nonlinearities introduced by the ADC are taken into account separately by the ADC characterization.
A2
The excess noise in the thermal state stems from relative intensity noise of the laser and the electronic noise of the homodyne circuit. Both are independent of the phase between local oscillator and the measured quantum state and can therefore be modeled as phase invariant state.
Having established the phase invariance of the measured state, we verify the Gaussianity of the measured signal. This can only be shown approximately and is displayed in Fig. 6a where we show the probability quantiles of the measured samples and compared those to the theoretical quantiles of a Gaussian distribution. This completes the verification of the assumption in the security proof that a thermal state is measured.
We are left with that the mean photon number of the thermal state shall be stationary. Also this can only be proven approximately. We computed the overlapped Allan deviation of the measurement outcomes, which is shown in Fig. 6b. It is clearly visible that in the short term the noise processes are stationary. Over longer times, some fluctuations become evident, which could lead to a lower minentropy at times than estimated. A power stabilization of the local oscillator laser could improve this figure of merit. We, however, leave this investigation for future work.
Realtime randomness extraction
Having calculated the minentropy, the next step is to extract random numbers. This is done by using a strong extractor based on a Toeplitz matrix hashing algorithm in which the seed can be reused^{38}. We chose matrix dimensions of n = 5632 bits and m = 1024 bits, which corresponds to 352 input samples with a depth of 16 bit and an output length m < l, chosen such that Eq. (1) was fulfilled with \({H}_{\min }=3.51\) bit and ϵ_{hash} < 10^{−32}. The 16bit samples provided by the ADC at a rate of 1 GHz are received by the FPGA in chunks of 64 bits at a rate of 250 MHz. For the algorithm implementing the Toeplitz hashing, we followed the approach of ref. ^{20}. Every clock cycle 64 bits were stored in a block until nbits were accepted, after which the next block started receiving data. For each full block, we carried out the hashing multiplication with bitwise AND and subsequent XOR operations on the Toeplitz matrix by first splitting up the matrix into submatrices of width 16 bit and then shifting the data through the operations. When the hashing was completed, the mbitwide output data was stored in a register, and the next block was processed. The achieved throughput was 2.9 Gbit/s.
Reporting summary
Further information on research design is available in the Nature Research Reporting Summary linked to this article.
Data availability
All experimental data are available from the authors upon reasonable request.
Code availability
All codes are available from the authors upon reasonable request.
References
Hayes, B. Randomness as a resource. Am. Sci. 89, 300–305 (2001).
Frauchiger, D., Renner, R. & Troyer, M. True randomness from realistic quantum devices. Preprint at https://arxiv.org/abs/1311.4547 (2013).
Ma, X., Cao, Z. & Yuan, X. Quantum random number generation. Quantum Inf. 2, 16021 (2016).
HerreroCollantes, M. & GarciaEscartin, J. C. Quantum random number generators. Rev. Mod. Phys. 89, 015004 (2017).
Pirandola, S. et al. Advances in quantum cryptography. Adv. Opt. Photonics 12, 1012–236 (2020).
Gabriel, C. et al. A generator for unique quantum random numbers based on vacuum states. Nat. Photon. 4, 711–715 (2010).
Symul, T., Assad, S. M. & Lam, P. K. Real time demonstration of high bitrate quantum random number generation with coherent laser light. Appl. Phys. Lett. 98, 231103 (2011).
Haw, J. Y. et al. Maximisation of extractable randomness in quantum random number generator. Phys. Rev. Appl. 3, 054004 (2015).
Cao, Z., Zhou, H., Yuan, X. & Ma, X. Sourceindependent quantum random number generation. Phys. Rev. X 6, 011020 (2016).
Marangon, D. G., Vallone, G. & Villoresi, P. Sourcedeviceindependent ultrafast quantum random number generation. Phys. Rev. Lett. 118, 060503 (2017).
Avesani, M., Marangon, D. G., Vallone, G. & Villoresi, P. Secure heterodynebased quantum random number generator at 17 Gbps. Nat. Commun. 9, 5365 (2018).
Drahi, D. et al. Certified quantum random numbers from untrusted light. Phys. Rev. X 10, 41048 (2020).
Fuerst, M. et al. High speed optical quantum random number generation. Opt. Express 18, 13029–37 (2010).
Xu, F. et al. Ultrafast quantum random number generation based on quantum phase fluctuations. Opt. Express 20, 12366–77 (2012).
Nie, Y.Q. et al. The generation of 68 Gbps quantum random number by measuring laser phase fluctuations. Rev. Sci. Instrum. 86, 063105 (2015).
Shi, Y., Chng, B. & Kurtsiefer, C. Random numbers from vacuum fluctuations. Appl. Phys. Lett. 109, 041101 (2016).
Abellán, C. et al. Ultrafast quantum randomness generation by accelerated phase diffusion in a pulsed laser diode. Opt. Express 22, 1645–54 (2014).
Zhang, X.G. et al. Fully integrated 3.2 Gbps quantum random number generator with realtime extraction. Rev. Sci. Instrum. 87, 076102 (2016).
Huang, L. & Zhou, H. Integrated Gbps quantum random number generator with realtime extraction based on homodyne detection. J. Opt. Soc. Am. B 36, 130–136 (2019).
Zheng, Z., Zhang, Y., Huang, W., Yu, S. & Guo, H. 6 Gbps realtime optical quantum random number generator based on vacuum fluctuation. Rev. Sci. Instrum. 90, 043105 (2019).
Mitchell, M. W., Abellan, C. & Amaya, W. Strong experimental guarantees in ultrafast quantum random number generation. Phys. Rev. A 91, 012314 (2015).
Zhang, X., Nie, Y. Q., Liang, H. & Zhang, J. FPGA implementation of Toeplitz hashing extractor for real time postprocessing of raw random numbers. In IEEENPSS Real Time Conference, (RT) 1–5 (IEEE, 2016).
Shapiro, J. H. Homodyne and heterodyne receivers. IEEE J. Quantum Electron. QE21, 237–250 (1985).
Weedbrook, C. et al. Gaussian quantum information. Rev. Mod. Phys. 84, 621–669 (2012).
Renner, R. Security of quantum key distribution. Int. J. Quantum. Inf. 6, 1–127 (2008).
Tomamichel, M., Schaffner, C., Smith, A. & Renner, R. Leftover Hashing against quantum side information. IEEE Trans. Inf. Theory 57, 5524–5535 (2011).
Nielsen, M. A. & Chuang, I. L. Quantum Computation and Quantum Information (Cambridge University Press, 2000).
Tomamichel, M. A Framework for NonAsymptotic Quantum Information Theory. Ph.D. thesis, ETH Zurich (2012).
Covers, T. M. & Thomas, J. A. Elements of Information Theor (WileyInterscience, 1991).
Gray, R. M. Toeplitz and Circulant Matrices: A Review. Foundations and Trends in Communications and Information Theory 155–239 (Now Publishers, 2006).
Brown, R. G. Dieharder. http://www.phy.duke.edu/rgb/General/dieharder.php (2018).
Turan, M. S. et al. Recommendation for the entropy sources used for random bit generation. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090B.pdf (2018).
Dixon, A. R., Yuan, Z. L., Dynes, J. F., Sharpe, A. W. & Shields, A. J. Gigahertz decoy quantum key distribution with 1 Mbit/s secure key rate. Opt. Express 16, 18790–18797 (2008).
Huang, D., Huang, P., Lin, D., Wang, C. & Zeng, G. Highspeed continuousvariable quantum key distribution without sending a local oscillator. Opt. Lett. 40, 3695 (2015).
Leonhardt, U. Measuring the Quantum State of Light (Cambridge University Press, 1997).
Banchi, L., Braunstein, S. L. & Pirandola, S. Quantum fidelity for arbitrary Gaussian states. Phys. Rev. Lett. 115, 260501 (2015).
Seshadreesan, K. P., Lami, L. & Wilde, M. M. Rényi relative entropies of quantum Gaussian states. J. Math. Phys. 59, 072204 (2018).
Wegman, M. N. & Carter, J. L. New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279 (1981).
Acknowledgements
The authors acknowledge support from the Innovation Fund Denmark through the Quantum Innovation Center, Qubiz. T.G., A.K., D.S.N., N.J., and U.L.A. acknowledge support from the Danish National Research Foundation, Center for Macroscopic Quantum States (bigQ, DNRF142). T.G., N.J., S.P., and U.L.A. acknowledge the EU project CiViQ (grant agreement no. 820466). C.L. was also supported by the EPSRC Quantum Communications Hub, grant no. EP/M013472/1. The authors thank Alberto Nannarelli for valuable discussions.
Author information
Authors and Affiliations
Contributions
T.G., T.B.P., and U.L.A. conceived the idea. T.G. and U.L.A. supervised the project. C.L. and S.P. performed the security analysis with input from T.G. and A.K. T.G., A.K., and N.J. conceived and implemented the experiment. T.G. acquired the final data and performed data analysis. D.S.N. and T.R. implemented the randomness extraction algorithm on FPGA under the supervision of T.G. T.B.P. was responsible for the implementation of the NIST randomness tests.
Corresponding authors
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Peer review information Nature Communications thanks Xiongfeng Ma and the other anonymous reviewer(s) for their contribution to the peer review of this work.
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Supplementary information
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Gehring, T., Lupo, C., Kordts, A. et al. Homodynebased quantum random number generator at 2.9 Gbps secure against quantum sideinformation. Nat Commun 12, 605 (2021). https://doi.org/10.1038/s4146702020813w
Received:
Accepted:
Published:
DOI: https://doi.org/10.1038/s4146702020813w
This article is cited by

Quantum random number generation based on a perovskite light emitting diode
Communications Physics (2023)

Provablysecure quantum randomness expansion with uncharacterised homodyne detection
Nature Communications (2023)

Practical continuousvariable quantum key distribution with composable security
Nature Communications (2022)

Modulation leakagefree continuousvariable quantum key distribution
npj Quantum Information (2022)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.