Abstract
Quantum random numbers distinguish themselves from others by their intrinsic unpredictability arising from the principles of quantum mechanics. As such they are extremely useful in many scientific and realworld applications with considerable efforts going into their realizations. Most demonstrations focus on high asymptotic generation rates. For this goal, a large number of repeated trials are required to accumulate a significant store of certifiable randomness, resulting in a high latency between the initial request and the delivery of the requested random bits. Here we demonstrate lowlatency realtime certifiable randomness generation from measurements on photonic timebin states. For this, we develop methods to certify randomness taking into account adversarial imperfections in both the state preparation and the measurement apparatus. Every 0.12 s we generate a block of 8192 random bits which are certifiable against all quantum adversaries with an error bounded by 2^{−64}. Our quantum random number generator is thus well suited for realizing a continuouslyoperating, highsecurity and highspeed quantum randomness beacon.
Similar content being viewed by others
Introduction
Quantum mechanics is well known to offer many opportunities for generating genuine randomness that is unpredictable by any reference^{1,2,3}. This unpredictability can be proven based only on measurement observations and a few assumptions. Therefore, the randomness generated according to quantum mechanics is certifiable. The simplest example involves measuring a twolevel quantum system (a qubit) prepared in an equal superposition of its two levels. However, its proper working and certifiability rely on the trust of both the quantum state prepared and the measurement performed. This scheme is thus devicedependent^{2,3}. On the other hand, there are also deviceindependent schemes that do not require any trust on the inner working of the employed quantum devices^{4,5}. Unfortunately, it is difficult to realize such a scheme for practical use with excellent performance as it requires a loopholefree Bell test^{6,7,8,9,10,11}. Consequently, the randomnessgeneration rates achieved are extremely low with a high latency from the beginning of the experiment to the output of the certified random bits^{12,13,14,15}. The natural question then is whether we can reduce the trust required by the above simple scheme while avoiding the difficulties inherent in the deviceindependent approach.
In this work we explore a simple practical scheme for the realization of a lowlatency realtime certifiable quantum random number generator (QRNG). The simple scheme works ideally as follows: At each trial a horizontally polarized single photon is emitted from a source, and then measured randomly along either the Xbasis (diagonal/antidiagonal polarization basis) to generate a random bit or the Zbasis (horizontal/vertical polarization basis) to verify the prepared state. This scheme is motivated by that for entanglementbased quantum key distribution (QKD)^{16,17}, where one basis is used to generate secret keys and other bases are used to estimate the prepared state. Random bits or secret keys can be certified since measurement outcomes allow us to bound the correlation between the prepared state and the side information of an adversary known as Eve^{18}.
The above ideal scheme has been well studied in the literature^{19,20}. However, in order to make the resulting QRNG practical, we need to consider the imperfections in its implementations and show the robustness of randomness generation against those imperfections. First, singlephoton sources are not easily accessible and as for QKD^{18}, weak optical pulses are usually employed. Even if a singlephoton source is available, it is still generally difficult to produce a particular quantum state with high accuracy. Second, it is difficult in an experiment to perform measurements precisely along both the Xbasis and Zbasis, as one basis tends to be more precise than the other. Third, the basis choice at a trial is usually made by a pseudo or physical random number generator. This means that the probabilities of selecting the Xbasis and Zbasis, denoted as P_{X} and P_{Z}, can only be bounded but not exactly known. Furthermore, in the adversarial scenario Eve could manipulate these imperfections. These adversarial imperfections must be addressed together to reliably certify randomness which currently has not been done.
Here we develop a method to guarantee the proper working and security of our QRNG in the presence of those above adversarial imperfections. For this, we require a lower bound q_{1,lb} on the singlephoton probability in a practical photon source (such as a weak laser pulse in the absence of a phase reference), an upper bound δ on the misalignment angle between the Xbasis and Zbasis, and both a lower and an upper bounds on the imbalance between the probabilities P_{X} and P_{Z} given by τ = (P_{X} − P_{Z})/2. We emphasize that except the above bounds which characterize the adversarial imperfections, our method does not need any other information about the state prepared or measurements performed. In this sense, our QRNG works in a semideviceindependent way. The values of the above imperfection bounds can be obtained by calibrating the photon source and measurement apparatuses in real time. We allow Eve to manipulate the state prepared or measurements performed as long as these manipulations satisfy the above imperfection bounds. Our method is of excellent finitedata efficiency, thus enabling lowlatency realtime randomness generation. Specifically, we experimentally demonstrate that every 0.1 s a sufficient amount of entropy with respect to the quantum (or classical) side information of Eve is certified such that a block of 8192 (or 2 × 8192) random bits is generated with a certified error bounded by 2^{−64} and with an extraction time of 0.02 s (or 0.04 s).
Results
Outline
In what follows, we first introduce the setup of the problem and the main idea of our method for certifying randomness with the adversarial imperfections discussed above. Our method works in the presence of both the classical and quantum side information of Eve. We then illustrate the performance of our method with simulations, showing the advantage of Eve with an access to quantum side information. Finally, we present our experimental realization of a simple lowlatency realtime QRNG enabled by our method.
Setup of the problem
To generate random bits, we consider an experiment with a sequence of n repeated trials. These trials are not necessarily independent or identical. We denote the input (basis choice) and the output (measurement outcome) at the k’th trial by the random variables I_{k} and O_{k}, respectively. The inputs and outputs of the experiment are then \({{\bf{I}}}_{n}={({I}_{k})}_{k = 1}^{n}\) and \({{\bf{O}}}_{n}={({O}_{k})}_{k = 1}^{n}\). The amount of randomness in the outputs relative to both the inputs and Eve is quantified by the smooth conditional minentropy \({H}_{\min }^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\), where ϵ_{s} is the smoothness error^{21}. We consider two alternative smooth conditional minentropies \({H}_{\min ,\,\text{c}\,}^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\) and \({H}_{\min ,\,\text{q}\,}^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\) in the presence of the classical and quantum side information of Eve, respectively. The ability of Eve to access quantum side information (which is stored in a quantum system \({\mathsf{E}}\)) as compared with classical side information (which is stored in a classical, random variable E) allows attacks that can take advantage of longterm quantum memories^{22,23} correlated in a quantum manner with the quantum devices used for the state preparation in the experiment. Our goal is to bound the smooth conditional minentropies \({H}_{\min ,\,\text{c}\,}^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\) and \({H}_{\min ,\,\text{q}\,}^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\) from below.
For certifying the randomness in the outputs O_{n} relative to the inputs I_{n} and Eve, we must assume that the outputs O_{n} are kept private and not accessible to Eve. We allow Eve to hold classical or quantum side information about the state prepared at a trial. At the same time, we allow Eve to manipulate the distribution of the possible inputs and the specific forms of the associated measurements at the trial, as long as these manipulations satisfy the prespecified imperfection bounds. We assume that by manipulations Eve can access classical side information but not quantum side information about the measurement performed. The method to be presented allows classical correlations between Eve’s side information about the state prepared and Eve’s partial knowledge of the input and measurement used at each trial. That is, the state prepared can be classically correlated with the input selected or the measurement performed. We emphasize that our method cannot be applied in the case where at each trial Eve’s side information about the state is correlated in a quantum manner with Eve’s partial knowledge of the input and measurement. Moreover, although we allow Eve to manipulate the input distribution, we assume that before a trial Eve has no perfect knowledge of which specific input to be selected at the trial. This assumption is required for security analysis; otherwise, Eve can deterministically forecast the output of the trial, and it would be therefore impossible to certify randomness^{24}.
Main idea of our method
For certifying randomness with respect to classical and quantum side information, we construct probability estimation factors (PEFs)^{25,26} and quantum estimation factors (QEFs)^{27,28}, respectively. Both a PEF and a QEF are nonnegative functions of the input I and output O of a trial, denoted by F_{c}(I, O) and F_{q}(I, O). The key observation is that the smooth conditional minentropies \({H}_{\min ,\,\text{c}\,}^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\) and \({H}_{\min ,\,\text{q}\,}^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\) can be bounded from below, once we know the respective products \(\mathop{\prod }\nolimits_{k = 1}^{n}{F}_{\text{c}}({i}_{k},{o}_{k})\) and \(\mathop{\prod }\nolimits_{k = 1}^{n}{F}_{\text{q}}({i}_{k},{o}_{k})\). Here, i_{k} and o_{k} are the observed values of the input and output at the k’th trial. This key observation can be formalized by Theorem 1 and Theorem 2 in the “Methods” section. We emphasize that PEFs and QEFs can use the result of each trial for both verifying and accumulating randomness. Both PEFs and QEFs have been constructed for certifying deviceindependent randomness^{15,25,26,27,28}. In this work, we develop methods to construct PEFs and QEFs for the scenario of our interest. In particular, the PEFs and QEFs constructed are adapted to the adversarial imperfections in both the state source and the measurement apparatus. Both PEFs and QEFs have the advantage that significantly less data is required in order to certify a fixed amount of randomness. Details for constructing PEFs and QEFs are discussed in the “Methods” section.
After certifying the amount of randomness, we run the randomness extractor developed in ref. ^{29} with extractor error ϵ_{x} = ϵ − ϵ_{s} in order to generate random bits which are within distance of ϵ > ϵ_{s} from uniform. The distance ϵ is termed the soundness error. For the results presented in this work, we set the smoothness error and the extractor error to be ϵ_{s} = 0.8ϵ and ϵ_{x} = 0.2ϵ.
Advantage of quantum adversaries over classical adversaries
We illustrate with simulations the performance of our method in the asymptotic limit, so that one can see the expected behavior of our QRNG scheme. When the trials are identical and n approaches infinity, the amount of randomness certified by our method increases linearly with n. The increasing rate (per trial) is called the asymptotic randomnessgeneration rate. The rates in the presence of classical and quantum side information, R_{c} and R_{q}, certified by our method are optimal (see refs. ^{25,27} for general proofs). We can quantify R_{c} and R_{q} as functions of the depolarization noise d (as defined in the caption of Fig. 1). The results presented in Fig. 1 clearly indicate that Eve’s access to quantum side information as compared with classical side information results in a reduction of the randomnessgeneration rate. Such a reduction is an important yet unquantified advantage to Eve.
Experimental realization of a simple lowlatency realtime QRNG
To realize a QRNG, we perform measurements on photonic timebin states, where the quantum information is encoded into the superposition of two different temporal positions (time bins) of an optical pulse. The two time bins are usually called the early and late time bins denoted by t_{e} and t_{l}. Timebin encoding has been widely used especially in fiberbased quantum communication systems^{30}. The advantage of timebin encoding lies in that both the state source and the measurement apparatus required are easily packaged onto a chip, which is an important factor to consider for practical QRNG use.
To produce randomness, at each trial we attempt to prepare the timebin qubit state \({1}_{{t}_{e}}\rangle \otimes {0}_{{t}_{l}}\rangle\), where \(\left{j}_{t}\right\rangle\) represents the jphoton state located at the time bin t ∈ {t_{e}, t_{l}}. After passing it through an unbalanced Mach–Zehnder interferometer (MZI), we measure the timebin qubit, as depicted in Fig. 2. The difference in photon transit time between the two unbalanced paths of the MZI matches the separation between t_{e} and t_{l}. Therefore, a photon can come out from the MZI at the early, middle and late time bins denoted by \({t}_{e}^{\prime}\), \({t}_{m}^{\prime}\) and \({t}_{l}^{\prime}\), respectively. If the photon comes out at \({t}_{e}^{\prime}\) or \({t}_{l}^{\prime}\), then the Zbasis (timebin basis) is passively selected. In this case, the arrival time indicates the measurement outcome. If the photon comes out at \({t}_{m}^{\prime}\), then the Xbasis (superposition basis) is passively selected. In this case, the two output ports of the MZI indicate which measurement outcomes are observed. Note that if the first beam splitter in the MZI has the 50:50 splitting ratio, the two measurement bases are uniformly randomly selected. In this sense, the first beam splitter in the MZI acts effectively as a physical but uncertified random number generator^{31}.
In practice, the source emits zero photon with a nonzero probability at each trial, and threshold detectors (which cannot resolve photon number) of finite efficiency are employed. Moreover, a photon can be lost over the transmission from the source to the detectors. Therefore, not all trials have detector clicks. For security analysis, we assume that the trials with detector clicks are a fair sample of all trials. Accordingly, noclick events do not affect the security analysis of randomness generation but only the rate and latency achieved in practice.
Now for certifying randomness, we must take into account the adversarial imperfections in our setup. Neither of the two beam splitters, BS1 and BS2, in the MZI has the ideal 50:50 splitting ratio. In addition, the two detectors at the output ports a and b may have different efficiencies η_{a} and η_{b}. These facts induce not only an imbalance between the probabilities P_{X} and P_{Z} of selecting the Xbasis and Zbasis but also a misalignment between the two bases. Based on a calibration of our measurement apparatus, we found that the splitting ratios of BS1 and BS2 are 53.8:46.2 and 46.9:53.1, respectively, and that the ratio η_{a}: η_{b} is 1.024:1. Consequently, the imbalance τ = (P_{X} − P_{Z})/2 and misalignment δ satisfy the conditions ∣τ∣ ≤ 0.041 and δ ≤ 3.565^{∘}. Moreover, we estimated that the singlephoton component of the optical pulse contributes at least 99.3% of all click events. More details behind the above characterizations are available in Supplementary Note 3. Accordingly, we conservatively assume that ∣τ∣ ≤ 0.06, δ ≤ 6^{∘}, and q_{1,lb} = 0.98 in our security analysis, specifically, for constructing PEFs and QEFs to guarantee certifiable randomness generation.
Based on a set of calibration data, we estimated the expected number, k_{exp}, of random bits certifiable every 0.1 s runtime at a soundness error ϵ varying from 10^{−5} to 10^{−30}. The dependence of k_{exp} on ϵ in the presence of either quantum or classical side information is illustrated in Fig. 3. As expected fewer number of random bits can be certified with respect to quantum side information than with respect to classical side information. However, the number of certifiable bits in each situation is not significantly affected by the soundness error in the range considered.
We finally consider a request for a block of 8192 (or 2 × 8192) random bits in the presence of quantum (or classical) side information and with soundness error bounded by 2^{−64} ≈ 5.42 × 10^{−20}. The results in Fig. 3 strongly suggest that our QRNG can successfully fulfill the request every 0.1 s runtime. Indeed, the success probability is estimated to be at least 1 − 2^{−380} (or 1 − 2^{−478}) in the presence of quantum (or classical) side information (see Supplementary Note 4 for details). We further demonstrate this repeated fulfillment in experiment. For this, before the experiment we fixed the PEF and QEF used, as well as several other parameters used in our security analysis, based on the above calibration data (see Supplementary Note 4). Then we ran the experiment for 420 s and processed the data block obtained every 0.1 s runtime successively. For each data block, we certified a lower bound on the number of random bits extractable with soundness error 2^{−64} and with respect to either quantum or classical side information. If the certified lower bound exceeds the request threshold, the instance of our QRNG succeeds. Conditional on success, we run the randomness extractor developed in^{29} to generate the final random bits. The randomness extractor is seedefficient and requires an additional processing time: for extracting 8192 (or 2 × 8192) random bits it takes 0.02 s (or 0.04 s), respectively. Totally we ran 4200 instances of our QRNG. The analysis results summarized in Fig. 4 show the success of each instance.
Discussion
In conclusion, we demonstrate a simple lowlatency realtime certifiable quantum random number generator (QRNG). The generator is based on the measurement of a weak optical pulse with an unbalanced MachZehnder interferometer. By developing an efficient securityanalysis method, genuine randomness can be certified and then generated with a low latency from every short block of experimental data even at an extremely high security level and even considering adversarial imperfections in our experimental setup. Further, the implementation of randomness extraction allows realtime performance to be achieved. Our QRNG is thus well suited for realizing a continuouslyoperating, highsecurity, and highspeed quantum randomness beacon.
Our security analysis considers both quantum and classical side information. Our security certificate is resistant to the adversarial imperfections in both the state source and the measurement apparatus, in contrast to those certificates achieved in previous works^{20,32,33,34} where either the adversarial imperfections in the source or those in the measurement apparatus are considered. Moreover, our method exhibits unsurpassed finitedata efficiency. As certifying smooth conditional minentropies is also the central task for quantum key distribution (QKD), we envision that our method can be extended to improve the finitedata efficiency of QKD. In the future work, we will address the details required for this extension.
Methods
Outline
Here we provide details of our experimental setup for realizing a simple lowlatency realtime certifiable quantum random number generator. We also introduce the general framework of probability estimation (or quantum probability estimation) for certifiable randomness generation in the presence of classical (or quantum) side information. Further, we discuss the details of implementing these general frameworks in the presence of the adversarial imperfections considered in both the state source and the measurement apparatus.
Experimental implementation
Our experimental setup is shown in Fig. 2. To generate timebin states, amplified spontaneous emission from an erbiumdoped fiber amplifier (EDFA), which has a broad spectrum and thus can be regarded as inherently dephased, is used as a light source. After reducing its bandwidth by a bandpass filter (BPF1) of 1551.1 ± 1.2 nm, the light from the EDFA is sent into an intensity modulator (IM) to generate (in the ideal case) the timebin qubit state consisting of the singlephoton pulse \({1}_{{t}_{e}}\rangle\) and the vacuum pulse \({0}_{{t}_{l}}\rangle\). A pulse pattern generator (PPG) is used to modulate the IM at a repetition rate of 500 MHz using a pulse of width approximately 100 ps. The same modulation signal is also sent to the timeinterval analyzer (TIA), to synchronize the IM and TIA. A BPF2 of 1551.1 ± 0.44 nm is then used to further surpress the noise outside of the bandwidth. With the help of an optical attenuator (ATT), we then adjust the average photon number per pulse to a value of approximately 0.0035. Finally, we launch the timebin pulse into an unbalanced Mach–Zehnder interferometer (MZI), which is fabricated using planar lightwave circuit technologies^{35}. The path difference of the unbalanced MZI is 500 ps, the same as the time separation between the early and late time bins. The insertion loss of the MZI is approximately 2.0 dB. The photons from the output ports of the MZI are detected by two superconducting nanowire singlephoton detectors (SSPDs), where the detection events are recorded by the TIA. The system detection efficiency of each SSPD is about 59%, and the dark count rate of each SSPD is less than 40 s^{−1}. A few polarization controllers (PCs) are inserted before the IM and SSPDs in order to adjust the polarization of photons. We measure that roughly 470,000 trials with detector clicks are generated per second.
Certifiable randomness generation in the presence of classical side information
To certify randomness with respect to the classical side information of Eve, we apply the framework of probability estimation as developed in refs. ^{25,26}. For this, we need to characterize each trial of the experiment by a classical model. In the scenario of our interest, the model is adapted to the adversarial imperfections considered. Given the model, we construct probability estimation factors (PEFs) which can certify randomness with respect to classical side information. Below we first introduce the concepts of classical models and PEFs, and then present the main result of probability estimation for randomness generation.
Let us focus on a generic trial in the experiment with an input I and an output O. We omit the trial index for generic trials. As is conventional, we denote a random variable and its possible value by an uppercase letter in regular math font and the corresponding lowercase letter. The classical side information E of Eve can be correlated with the trial input I and trial output O. This correlation is described by a joint probability distribution \({\mathbb{P}}(I,O,E)\). However, in practice we cannot access the classical side information E held by Eve. Therefore, we can characterize only the distribution of I and O conditional on each possible value e of E, denoted by \({\mathbb{P}}(I,O E=e)\). The set of conditional distributions \({\mathbb{P}}(I,O E=e)\), for all possible e, achievable at a trial is defined to be the classical model \({\mathcal{C}}\) for the trial. For simplicity we make the condition on Eve’s classical side information implicit in the rest of the paper, and so the classical model \({\mathcal{C}}\) specifies the set of probability distributions \({\mathbb{P}}(I,O)\) achievable at a trial. To certify randomness in the output O conditional on the input I and on the classical side information E, we consider a class of nonnegative functions F_{c}: (i, o) ↦ F_{c}(i, o), called PEFs for the classical trial model \({\mathcal{C}}\). A PEF with a positive power β_{c} is a nonnegative function F_{c}: (i, o) ↦ F_{c}(i, o) which satisfies the PEF inequality
at each probability distribution \({\mathbb{P}}(I,O)\) in the classical trial model \({\mathcal{C}}\). We have two remarks on the constructions of the classical trial model and the corresponding PEFs as follows: First, when Eve’s classical side information about the state is classically correlated with Eve’s partial knowledge of the input and measurement at a trial, the classical trial model will become the convex closure of the model \({\mathcal{C}}\) as introduced above. Second, according to Lemma 14 of ref. ^{26}, a PEF with power β_{c} for the model \({\mathcal{C}}\) is also a PEF with the same power for the convex closure of \({\mathcal{C}}\). In view of the above two remarks, probability estimation automatically handles the classical correlation between Eve’s classical side information about the state and Eve’s partial knowledge of the input and measurement at a trial.
The number of nearuniform random bits extractable from the outputs O_{n} given the inputs I_{n} and the classical side information E of Eve is quantified by the classical smooth conditional minentropy \({H}_{\min ,\,\text{c}\,}^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\)^{21}. Here, the smoothness error ϵ_{s} measures the totalvariation distance between the actual distribution and an ideal distribution of I_{n}, O_{n} and E (see Definition 9 of ref. ^{26}). Suppose that each trial of an experiment is characterized by the classical model \({\mathcal{C}}\). Denote the PEF with power β_{c} at the k’th trial by F_{c,k}, which is a function of I_{k} and O_{k}, and let the variable T_{c,n} be the product of PEFs up to the n’th trial, that is, \({T}_{{\text{c}},n}=\mathop{\prod }\nolimits_{k = 1}^{n}{F}_{{\text{c}},k}\). In practice, the input at a trial is independent of the outputs of the previous trials conditionally on the classical side information E and the inputs of the previous trials. Under this conditionalindependence condition, probability estimation can certify randomness with respect to classical side information according to the following theorem:
Theorem 1 (Theorem 1 of ref. ^{26}): Let 1 ≥ κ, ϵ_{s} > 0 and 1 ≥ p ≥ 1/∣Rng(O_{n})∣, where ∣Rng(O_{n})∣ is the number of possible outputs after n trials. Define Φ to be the event that T_{c,n }≥ 1/(\({p^{\beta_{c}}}\)ϵ_{s}). For each joint probability distribution \({\mathbb{P}}({{\bf{I}}}_{n},{{\bf{O}}}_{n},E)\), either the probability of the event Φ is less than κ or the classical smooth conditional minentropy, when the event Φ happens, satisfies
The event Φ can be interpreted as the event that the experiment succeeds. When the experiment succeeds, we compose the classical smooth conditional minentropy bound in Eq. (2) with a classicalproof strong extractor of error ϵ_{x} (in totalvariation distance), in order to obtain random bits which are within soundness error (in totalvariation distance) ϵ = ϵ_{s} + ϵ_{x} from uniform in the presence of classical side information. See Sect. IV C of ref. ^{25} for the details of the endtoend randomness generation. Note that an extractor is strong if the joint of its output and the seed is nearly uniform, while an extractor is classicalproof if it works in the presence of classical side information. In our experiment, we used Trevisan’s extractor^{36} as implemented by Mauerer, Portmann, and Scholz^{29}, which we refer to as the TMPS extractor. The TMPS extractor is an efficient classicalproof strong extractor that requires few seed bits^{29,36}. The way of running the TMPS extractor for our case is the same as for the case of deviceindependent randomness generation with respect to classical side information studied in refs. ^{13,25}.
Certifiable randomness generation in the presence of quantum side information
To certify randomness with respect to the quantum side information of Eve, we apply the framework of quantum probability estimation as developed in refs. ^{27,28}. For this, we need to characterize each trial of the experiment by a quantum model. In the scenario of our interest, the model is adapted to the adversarial imperfections considered. Given the model, we construct quantum estimation factors (QEFs) which can certify randomness with respect to quantum side information. Below we first introduce the concepts of quantum models and QEFs, and then present the main result of quantum probability estimation for randomness generation.
Consider a generic experimental trial which has a classical input I and a classical output O. Suppose that Eve holds a quantum system \({\mathsf{E}}\), which carries the quantum side information about the experiment. So, the quantum system \({\mathsf{E}}\) is correlated with the trial input I and trial output O. The correlation between \({\mathsf{E}}\) and (I, O) can be described by a classicalquantum state
where \({\rho}_{\mathsf{E}}\)(i, o) is the subnormalized state of \({\mathsf{E}}\) conditional on I = i and O = o. The trace \({\rm{Tr}}\left({\rho }_{{\mathsf{E}}}(i,o)\right)\) is the probability of observing that I = i and O = o at a trial. Since the system \({\mathsf{E}}\) is inaccessible by us, we consider the set of all the possible classicalquantum states that can occur at the end of the trial. This set is defined to be the quantum model \({\mathcal{Q}}\) for the trial. We characterize the unpredictability of an output c given both an input i and the quantum side information in \({\mathsf{E}}\) by the sandwiched Rényi power \(R_{\alpha_{\text{q}}}\left({\rho }_{{\mathsf{E}}}(i,o)\left\right.{\rho }_{{\mathsf{E}}}(i)\right)\) expressed as
where β_{q} > 0 is a free parameter, α_{q} = 1 + β_{q}, and \({\rho}_{\mathsf{E}}\)(i) = ∑_{o}\({\rho}_{\mathsf{E}}\)(i, o). To certify randomness in the output O conditional on the input I and on the quantum side information in \({\mathsf{E}}\), we consider a class of nonnegative functions F_{q}: (i, o) ↦ F_{q}(i, o), called QEFs for the quantum trial model \({\mathcal{Q}}\). A QEF with a positive power β_{q} is a nonnegative function F_{q}: (i, o) ↦ F_{q}(i, o) which satisfies the QEF inequality
at all states \({\rho}_{IO\,{\mathsf{E}}}\) in the quantum trial model \({\mathcal{Q}}\). We have two remarks on the constructions of the quantum trial model and the corresponding QEFs as follows: First, when Eve’s quantum side information about the state is classically correlated with Eve’s partial knowledge of the input and measurement at a trial, the quantum trial model will become the convex closure of the model \({\mathcal{Q}}\) as introduced above. Second, according to Property 2 of ref. ^{28}, a QEF with power β_{q} for the model \({\mathcal{Q}}\) is also a QEF with the same power for the convex closure of \({\mathcal{Q}}\). In view of the above two remarks, quantum probability estimation automatically handles the classical correlation between Eve’s quantum side information about the state and Eve’s partial knowledge of the input and measurement at a trial.
The number of nearuniform random bits extractable from the outputs O_{n} given the inputs I_{n} and the quantum side information carried by the system \({\mathsf{E}}\) of Eve is quantified by the quantum smooth conditional minentropy \({H}_{\min ,\,\text{q}\,}^{{\epsilon }_{s}}({{\bf{O}}}_{n} {{\bf{I}}}_{n},\,\text{Eve}\,)\)^{21}. Here, the smoothness error ϵ_{s} measures the purified distance between the actual state and an ideal state of I_{n}, O_{n} and \({\mathsf{E}}\) (see Sect. IV of ref. ^{28}). Suppose that each trial of an experiment is characterized by the quantum model \({\mathcal{Q}}\). Denote the QEF with power β_{q} at the k’th trial by F_{q,k}, which is a function of I_{k} and O_{k}, and let the variable T_{q,n} be the product of QEFs up to the n’th trial, that is, \({T}_{{\text{q}},n}=\mathop{\prod }\nolimits_{k = 1}^{n}{F}_{{\text{q}},k}\). In practice, the input at a trial is independent of the outputs of the previous trials given the quantum side information in \({\mathsf{E}}\) and the inputs of the previous trials. Under this conditionalindependence condition, quantum probability estimation can certify randomness with respect to quantum side information according to the following theorem:
Theorem 2 (Theorem 3 of ref. ^{28}): Let 1≥κ, ϵ_{s}, p > 0. Define Φ to be the event that \({T}_{{\text{q}},n}\ge 1/\left(\right.{p}^{\beta_{\text{q}}}({\epsilon }_{s}^{2}/2)\left)\right.\). For each classicalquantum state \({\rho }_{{{\bf{I}}}_{n}{{\bf{O}}}_{n}{\mathsf{E}}}\), either the probability of the event Φ is less than κ or the quantum smooth conditional minentropy, when the event Φ happens, satisfies
The event Φ can be interpreted as the event that the experiment succeeds. When the experiment succeeds, we compose the quantum smooth conditional minentropy bound in Eq. (6) with a quantumproof strong extractor of error ϵ_{x} (in trace distance), in order to obtain random bits which are within soundness error (in trace distance) ϵ = ϵ_{s} + ϵ_{x} from uniform in the presence of quantum side information. See Sect. V of ref. ^{28} for the details of the endtoend randomness generation. Note that an extractor is quantumproof if it works in the presence of quantum side information. As the TMPS extractor^{29,36} is a quantumproof strong extractor^{37}, we use this extractor for randomness extraction. The way of running the TMPS extractor for our case is the same as for the case of deviceindependent randomness generation with respect to quantum side information studied in refs. ^{15,27,28}.
Constructions of PEFs and QEFs with adversarial imperfections
Both probability estimation and quantum probability estimation are general frameworks for certifying randomness; however, their implementations are casedependent as both the classical and quantum models for a trial depend on the case of interest. For the case of deviceindependent randomness generation, both frameworks have been implemented, see refs. ^{15,25,26,27,28}. In this work we would like to apply probability estimation and quantum probability estimation for randomness generation with partially characterized quantum devices. For this, we need to first construct the classical model \({\mathcal{C}}\) and the quantum model \({\mathcal{Q}}\) for an experimental trial in the scenario of our interest, and then construct the corresponding PEFs and QEFs. Below we provide an overview of our constructions. Details are presented in Supplementary Notes 1 and 2.
To construct the models \({\mathcal{C}}\) and \({\mathcal{Q}}\) for the scenario of our interest, we observe that although the measurements along the Xbasis and Zbasis are difficult to be precisely characterized, both of them are blockdiagonal with respect to various photonnumber subspaces. Therefore, the model \({\mathcal{C}}\) (or \({\mathcal{Q}}\)) can be expressed as a convex combination (or a direct sum) of submodels \({{\mathcal{C}}}_{j}\) (or \({{\mathcal{Q}}}_{j}\)), where the submodels \({{\mathcal{C}}}_{j}\) and \({{\mathcal{Q}}}_{j}\) are the classical and quantum models conditional on the number of photons j emitted from the source. So, we need only to construct the submodels \({{\mathcal{C}}}_{j}\) and \({{\mathcal{Q}}}_{j}\) individually, which is discussed in the next two paragraphs.
To construct the submodels \({{\mathcal{C}}}_{1}\) and \({{\mathcal{Q}}}_{1}\) when a single photon is emitted (i.e., j = 1), we take into account of the bounds on the adversarial misalignment and on the adversarial imbalance between the Xbasis and Zbasis, and consider all the possible singlephoton states which may be correlated with the side information of Eve. We assume that the measurements in the singlephoton subspace are projective, although these measurements are not precisely characterized. So, the misalignment and imbalance are sufficient for characterizing these imperfect measurements. The above assumption can be relaxed to some degree as explained in Supplementary Notes 1 and 2. When Eve can manipulate the misalignment or imbalance depending on the auxiliary degrees of freedom of the single photon such as spatial mode, frequency or polarization, we need to represent the singlephoton state and the associated measurement operators in a Hilbert space describing not only the timebin degree of freedom for information encoding but also the auxiliary degrees of freedom manipulable by Eve. In this case, we take advantage of the assumption that the coherent superposition of states for an auxiliary degree of freedom manipulable by Eve does not play a role throughout the measurement process. (Such assumption has been exploited for verifying entanglement^{38} and further for proving the security of quantum key distribution^{39} in the presence of side channels that can induce detectionefficiency mismatch.) This assumption can be justified if in the setup for timebin measurements there is no quantum interference between any pair of states for the auxiliary degree of freedom manipulable by Eve (which is true in practice as we think). In addition, the above assumption is consistent with the assumption specified in the Results section that by manipulations Eve can access classical side information but not quantum side information about the measurement performed. Therefore, each measurement operator on a single photon is blockdiagonal with respect to various states for the auxiliary degrees of freedom, where each block is described by a qubit measurement. As a consequence, for constructing the submodels \({{\mathcal{C}}}_{1}\) and \({{\mathcal{Q}}}_{1}\) the singlephoton state and the associated measurement operators can be treated without loss of generality as living in a twodimensional Hilbert space, even in the general case where Eve’s manipulations can depend on the auxiliary degrees of freedom of the single photon. We note that for security analysis in the above general case, the bounds on the misalignment and on the imbalance between the Xbasis and Zbasis should be satisfied by the measurement operators in each twodimensional Hilbert space obtained by projecting onto each particular state for the auxiliary degrees of freedom manipulable by Eve.
On the other hand, when multiple photons are emitted (i.e., j > 1) we construct the submodels \({{\mathcal{C}}}_{j}\) and \({{\mathcal{Q}}}_{j}\) in a deviceindependent way (i.e., without using any information about the multiphoton state prepared or measurements performed). By the deviceindependent constructions of submodels \({{\mathcal{C}}}_{j}\) and \({{\mathcal{Q}}}_{j}\) with j > 1, we pessimistically allow Eve’s classical or quantum side information to be perfectly correlated with the trial output O given the trial input I and j > 1. Consequently, we choose to not certify the randomness contributed by the multiphoton events, and so our security analysis is robust against photonnumber splitting attacks. We emphasize that even with the deviceindependent constructions of submodels \({{\mathcal{C}}}_{j}\) and \({{\mathcal{Q}}}_{j}\) with j > 1, the resulting models \({\mathcal{C}}\) and \({\mathcal{Q}}\) still behave well for certifying randomness as the probability of emitting a single photon at each trial is assumed to be bounded from below no matter how Eve manipulates the photonnumber distribution.
Once the classical model \({\mathcal{C}}\) and the quantum model \({\mathcal{Q}}\) are constructed, we can construct the corresponding PEFs and QEFs. Since the classical model (or the quantum model) for each trial is the identical \({\mathcal{C}}\) (or \({\mathcal{Q}}\)), we can use the same PEF F_{c}(I, O) (or the same QEF F_{q}(I, O)) for each trial. According to Theorem 1 (or Theorem 2), the amount of classical (or quantum) ϵ_{s}smooth minentropy in the outputs O_{n} certifiable conditionally on the inputs I_{n} and on the side information E (or \({\mathsf{E}}\)) is determined by the product \(\mathop{\prod }\nolimits_{k = 1}^{n}{F}_{\text{c}}({I}_{k},{O}_{k})\) (or \(\mathop{\prod }\nolimits_{k = 1}^{n}{F}_{\text{q}}({I}_{k},{O}_{k})\)). Before the experiment we need to choose a PEF (or a QEF) such that the expected amount of certifiable classical (or quantum) ϵ_{s}smooth minentropy is as large as possible. At the same time, a PEF (or a QEF) satisfies a set of linear constraints imposed by each member of the model \({\mathcal{C}}\) (or \({\mathcal{Q}}\)). Therefore, we can formulate the constructions of PEFs and QEFs as constrained optimization problems. To solve these optimization problems, we provide effective outerapproximations of the models \({\mathcal{C}}\) and \({\mathcal{Q}}\). We note that the outerapproximations of \({\mathcal{C}}\) and \({\mathcal{Q}}\) provided by us include the convex closures of \({\mathcal{C}}\) and \({\mathcal{Q}}\), respectively. Therefore, in view of the remarks below Eqs. (1) and (5), the constructed PEFs and QEFs can certify randomness even when Eve’s side information about the state is classically correlated with Eve’s partial knowledge of the input and measurement at a trial.
Reporting summary
Further information on research design is available in the Nature Research Reporting Summary linked to this article.
Data availability
The data that support the findings of this study are available from the corresponding authors upon reasonable request.
Code availability
The code that produces the results presented in this work is available from the corresponding authors upon reasonable request.
References
Acín, A. & Masanes, L. Certified randomness in quantum physics. Nature 540, 213–219 (2016).
Ma, X., Yuan, X., Cao, Z., Qi, B. & Zhang, Z. Quantum random number generation. npj Quantum Inf. 2, 16021 (2016).
HerreroCollantes, M. & GarciaEscartin, J. C. Quantum random number generators. Rev. Mod. Phys. 89, 015004 (2017).
Colbeck, R. Quantum and Relativistic Protocols for Secure MultiParty Computation. PhD thesis. Trinity College, University of Cambridge (2006).
Colbeck, R. & Kent, A. Private randomness expansion with untrusted devices. J. Phys. A 44, 095305 (2011).
Bell, J. S. On the Einstein Podolsky Rosen paradox. Physics 1, 195–200 (1964).
Hensen, B. et al. Loopholefree Bell inequality violation using electron spins separated by 1.3 kilometres. Nature 526, 682–686 (2015).
Shalm, L. K. et al. Strong loopholefree test of local realism. Phys. Rev. Lett. 115, 250402 (2015).
Giustina, M. et al. Significantloopholefree test of Bell’s theorem with entangled photons. Phys. Rev. Lett. 115, 250401 (2015).
Rosenfeld, W. et al. Eventready Bell test using entangled atoms simultaneously closing detection and locality loopholes. Phys. Rev. Lett. 119, 010402 (2017).
Li, M.H. et al. Test of local realism into the past without detection and locality loopholes. Phys. Rev. Lett. 121, 080404 (2018).
Pironio, S. et al. Random numbers certified by Bellas theorem. Nature 464, 1021–1024 (2010).
Bierhorst, P. et al. Experimentally generated random numbers certified by the impossibility of superluminal signaling. Nature 556, 223–226 (2018).
Liu, Y. et al. Deviceindependent quantum randomnumber generation. Nature 562, 548–551 (2018).
Zhang, Y. et al. Experimental lowlatency deviceindependent quantum randomness. Phys. Rev. Lett. 124, 010505 (2020).
Ekert, A. K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661–663 (1991).
Bennett, C. H., Brassard, G. & Mermin, N. D. Quantum cryptography without Bell’s theorem. Phys. Rev. Lett. 68, 557–559 (1992).
Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301–1350 (2009).
Vallone, G., Marangon, D. G., Tomasin, M. & Villoresi, P. Quantum randomness certified by the uncertainty principle. Phys. Rev. A 90, 052327 (2014).
Cao, Z., Zhou, H., Yuan, X. & Ma, X. Sourceindependent quantum random number generation. Phys. Rev. X 6, 011020 (2016).
König, R., Renner, R. & Schaffner, C. The operational meaning of min and maxentropy. IEEE Trans. Inf. Theory 55, 4337–4347 (2009).
Lvovsky, A. I., Sanders, B. C. & Tittel, W. Optical quantum memory. Nat. Photon. 3, 706–714 (2009).
Heshami, K. et al. Quantum memories: emerging applications and recent advances. J. Mod. Opt. 63, 2005–2028 (2016).
Ekert, A. & Renner, R. The ultimate physical limits of privacy. Nature 507, 443–447 (2014).
Knill, E., Zhang, Y. & Bierhorst, P. Generation of quantum randomness by probability estimation with classical side information. Phys. Rev. Res. 2, 033465 (2020).
Zhang, Y., Knill, E. & Bierhorst, P. Certifying quantum randomness by probability estimation. Phys. Rev. A 98, 040304(R) (2018).
Knill, E., Zhang, Y. & Fu, H. Quantum probability estimation for randomness with quantum side information. Preprint at arXiv 1806.04553 (2018).
Zhang, Y., Fu, H. & Knill, E. Efficient randomness certification by quantum probability estimation. Phys. Rev. Res. 2, 013016 (2020).
Mauerer, W., Portmann, C.& Scholz, V. B. A modular framework for randomness extraction based on Trevisan’s construction. Preprint at arXiv 1212.0520 (2012).
Gisin, N. & Thew, R. Quantum communication. Nat. Photon. 1, 165–171 (2007).
Rarity, J. G., Owens, P. C. M. & Tapster, P. R. Quantum randomnumber generation and key sharing. J. Mod. Opt. 41, 2435–2444 (1994).
Chaturvedi, A. & Banik, M. Measurementdeviceindependent randomness from local entangled states. Europhys. Lett. 112, 30003 (2015).
Cao, Z., Zhou, H. & Ma, X. Losstolerant measurementdeviceindependent quantum random number generation. New J. Phys. 17, 125011 (2015).
Marangon, D. G., Vallone, G. & Villoresi, P. Sourcedeviceindependent ultrafast quantum random number generation. Phys. Rev. Lett. 118, 060503 (2017).
Honjo, T., Inoue, K. & Takahashi, H. Differentialphaseshift quantum key distribution experiment with a planar lightwave circuit MachZehnder interferometer. Opt. Lett. 29, 2797–2799 (2004).
Trevisan, L. Extractors and pseudorandom generators. J. ACM 48, 860–879 (2001).
De, A., Portmann, C., Vidick, T. & Renner, R. Trevisan’s extractor in the presence of quantum side information. SIAM J. Comput 41, 915–940 (2012).
Zhang, Y. & Lütkenhaus, N. Entanglement verification with detectionefficiency mismatch. Phys. Rev. A 95, 042319 (2017).
Zhang, Y., Coles, P. J., Winick, A., Lin, J. & Lütkenhaus, N. Security proof of practical quantum key distribution with detectionefficiency mismatch. Phys. Rev. Res. 3, 013076 (2021). https://journals.aps.org/prresearch/abstract/10.1103/PhysRevResearch.3.013076.
Acknowledgements
We thank Emanuel Knill for stimulating discussions and Ivan Iakoupov for help with running the extractor. This work includes contributions of the National Institute of Standards and Technology, which are not subject to U.S. copyright.
Author information
Authors and Affiliations
Contributions
Y.Z. and H.P.L. contributed equally to this work. Y.Z., H.T., H.P.L., and W.J.M. conceived the original concept and proposed the experiment, which was carried out by H.P.L. together with T.I. and T.H. Y.Z. developed the securityanalysis method and conducted the data analysis. The randomness extraction was preformed by Y.Z. and A.M. All authors discussed the results and contributed to the writing of the paper.
Corresponding authors
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Peer review information Nature Communications thanks Juan Carlos GarcíaEscartín and Xiongfeng Ma for their contribution to the peer review of this work. Peer reviewer reports are available.
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Supplementary information
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Zhang, Y., Lo, HP., Mink, A. et al. A simple lowlatency realtime certifiable quantum random number generator. Nat Commun 12, 1056 (2021). https://doi.org/10.1038/s41467021210698
Received:
Accepted:
Published:
DOI: https://doi.org/10.1038/s41467021210698
This article is cited by

Quantum random number generation based on a perovskite light emitting diode
Communications Physics (2023)

A comprehensive review of quantum random number generators: concepts, classification and the origin of randomness
Quantum Information Processing (2023)

Unbounded randomness from uncharacterized sources
Communications Physics (2022)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.