Random number generators (RNGs) are the basic building block of many computing methods and digital solutions in use today, e.g., in simulation, optimisation, cryptography, and gambling. Ideally, the output of an RNG should be uniform and unpredictable. The first property requires all outputs are equally likely and the second stipulates that no observer can do better than a random guess even with side information about the device. Indeed, the latter property is especially important when dealing with digital technologies like secure communications, block-chain, and digital lottery, where privacy and information security are critical.

Quantum processes are excellent sources of randomness due to their intrinsic probabilistic nature. In particular, by tapping on the uncertainty of quantum measurements, one can, in principle, devise quantum random number generators (QRNGs) which are perfectly uniform and unpredictable1,2,3. The standard approach uses a model-based approach, where the underlying probability model is based on the certain trusted quantum measurement process. However, while this approach presents a straightforward way to quantify the amount of extractable randomness, it is prone to implementation deviations (for a concrete example, we refer the reader to ref. 4). In particular, the model may not capture the actual physical process due to unexpected device changes and the amount of extractable randomness can be overestimated. Crucially, this could lead to catastrophic outcomes when the device is used for cryptography, for example.

An elegant solution is to consider new forms of QRNGs which provide certifiable randomness based on minimal assumptions about the underlying quantum measurement process. This is made possible by exploiting the unique correlations established by quantum measurements on entangled systems. The best example is the Device-Independent (DI) QRNG1,5,6,7,8,9. However, in view of the demanding experimental requirements for a loophole-free observation of non-local correlations5,7,10, it is generally believed that the first practical application of such DI QRNGs will likely be Randomness Beacons7,8.

There are other QRNGs that make reasonable assumptions about the system and require only a partial characterisation of the device. These schemes provide a system performance improvement in terms of the implementation complexity and the random number generation rate when compared to DI QRNGs. Due to the partial characterisation feature, this class of QRNGs is often called semi-DI QRNG. A comparison of different QRNG studies is listed in Table 1.

Table 1 Features of our proposed QRNG protocol as compared to the features of existing protocols

For practical semi-DI randomness generations, the following features are highly desirable in practical applications. Firstly, the security of the randomness generation should rely on only a few justifiable assumptions on the system operation and its critical components. This would ensure that these QRNGs remain secure even in the presence of unexpected device changes. Secondly, it should also provide a relatively high randomness generation rate. Finally, the QRNG should be cost-effective and have small footprints. The latter would be essential in a wide range of applications: from handheld devices to Internet-of-Things.

In this regard, balanced homodyne detection offers distinct advantages in practical randomness generation. Firstly, as balanced homodyne detectors simply consist of a pair of photodiodes and some electrical components, they are readily implementable on integrated-photonic platforms11,12,13,14. Hence, QRNGs that are based on homodyne detectors have a unique practical advantage in terms of the cost-effectiveness, compactness and system stability. Secondly, homodyne detection works at room temperature and no additional cooling is needed. This, again, reduces the system complexity and eliminates the extra requirement for space consumption.

Unfortunately, due to many practical limitations, real homodyne detectors often deviate from an ideal quadrature measurement – which is the standard theoretical model for a balanced homodyne detection. Firstly, modelling homodyne detectors as perfect quadrature measurements of the input optical field requires the local oscillator (LO) to operate at the high intensity limit15,16, which may not be the case in the actual implementation. In addition, implementing the perfect quadrature measurement would also require perfect photon number subtraction which is non-trivial in the presence finite common-mode rejection ratio (CMRR) and imbalance drifts. Moreover, in contrast to perfect quadrature measurements, practical homodyne detectors are subjected to electronic noise, LO intensity fluctuations, finite detection range, etc. While there are theoretical studies on how to account for these imperfections in the model (for example, the standard theoretical treatment for electronic noise is to model it as an independent noise17,18 with Gaussian and stationary nature18,19), the model demands an accurate characterisation of each imperfection. Not only is this task technically demanding, there is actually a danger of false precision with the model-based approach as the quality of the homodyne detector may degrade over time. In that case, this would invalidate the model and hence, the randomness generated by the homodyne detection may be overestimated.

Additionally, it has been pointed out that finite bandwidths of practical homodyne detector may result in correlations among successive rounds of the QRNG operation19,20. In this case, the experimental rounds in practice would be unlikely to exhibit a completely independent and identically distributed (i.i.d.) behaviour. In particular, comparing to the quantum state generation part, the homodyne detector with a shot-noise-limited performance generally has a more restricted working bandwidth17,21. Therefore, it is of great interest to devise a randomness certification that can mitigate (if not fully remove) the i.i.d. assumption for the system operation. Moreover, as any QRNG protocols have to be executed in a finite number of rounds, finite-size effects (such as statistical fluctuations) should be taken into consideration. This is especially important for semi-DI and DI QRNGs, whose randomness certification relies on experimental statistics, which necessarily entail statistical fluctuations.

In this work, we propose a novel semi-DI QRNG protocol based on homodyne detection and certify its security against quantum side information. Given the challenges with modelling the homodyne detector, our proposed framework treats it as a black-box quantum measurement which sidesteps the demanding characterisation requirement of the model-based approach. Importantly, our framework does not require any i.i.d. assumption on the measurement device which protects the security of the protocol against potential correlations shared between different rounds. Moreover, the proposed protocol is composably secure22,23,24, which guarantees that the random numbers produced by our protocol can be securely used for cryptographic applications. Furthermore, we show that our protocol can produce more randomness than that consumed (for choosing the settings for the devices) in the protocol. As such, our protocol is a quantum randomness expansion (QRE) protocol.


Protocol description

We shall now present our proposed randomness generation protocol. The protocol that we consider is a prepare-and-measure (P&M) protocol with an uncharacterised measurement device. To illustrate the protocol, it is convenient to consider a device that consists of two parts: a trusted source of quantum states (which we assume to be operated by Alice) and an uncharacterised measurement device (which is operated by Bob). As such, the protocol that we consider is a self-testing protocol in which the working of Bob’s measurement device is not assumed a priori, but could be verified during the protocol using the spot-checking scheme in which every round is randomly assigned to be a generation or test round.

To that end, suppose that during the test round, the device plays a P&M game \({{{{{{{\mathcal{G}}}}}}}}\). A P&M game can be thought of as a P&M analogue of the more well-known non-local games in the context of Bell nonlocality25,26 and device-independent protocols. In a P&M game, Alice receives a random input x from a pre-defined set \({{{{{{{\mathcal{X}}}}}}}}\) and then prepares the state \(\left|{\psi }_{x}\right\rangle\) from the set of states \({{{{{{{{\mathcal{S}}}}}}}}}_{{{{{{{{\mathcal{X}}}}}}}}}\). Similarly, Bob receives an input y from a pre-defined set \({{{{{{{\mathcal{Y}}}}}}}}\) and uses it as his measurement setting. Let us suppose that Alice and Bob receive those inputs with probability q(x, y) which is fixed for a given game. For each pair of inputs x and y, the game \({{{{{{{\mathcal{G}}}}}}}}\) defines the winning outcome bxy {0, 1}. For a given round, the device wins the game when Bob outputs the winning outcome; otherwise, the device loses the game. In the Methods section, we present a systematic method to choose the winning outcome bxy as well as the probability of choosing each pair of inputs q(x, y).

The protocol that we propose is given in Box 1

In the experiment reported in this work, we consider \({{{{{{{\mathcal{X}}}}}}}} =\{0,\, 1,\, 2,\, 3\}\), the set of states \({{{{{{{{\mathcal{S}}}}}}}}}_{{{{{{{{\mathcal{X}}}}}}}}} =\{\left|\alpha {e}^{ix\pi /2}\right\rangle :x\in {{{{{{{\mathcal{X}}}}}}}}\}\) and \({{{{{{{\mathcal{Y}}}}}}}} =\{0,\, 1\}\). Furthermore, the honest implementation corresponds to homodyne detection with its LO’s phase set to φ = π/2 when y = 0 and φ = 0 when y = 1. The measurement device would then output b = 0 if the result of the homodyne measurement is positive; else, it would output b = 1. The quantum states in this case correspond to quadrature phase shift keying (QPSK) modulation format, which is compatible with standard optical modulation techniques. Remarkably, it is straightforward to generalise the protocol to include more states or more measurement settings, e.g. quadrature amplitude modulation (QAM).

Security framework

We shall now consider the security of our protocol. Here, we consider a framework in which the measurement device is uncharacterised and hence, when analysing the security of the proposed protocol, we shall treat Bob’s measurement as a set of abstract measurement operators. In particular, we do not assume that Bob’s measurement device behaves independently and identically for each round.

Likewise, we do not assume that the quantum channel faithfully transmits the quantum states sent by Alice, nor it behaves independaently and identically for each round. As we do not limit the dimension of the Hilbert space of the channel output, we can model any quantum channel by an isometry U which preserves the inner-product of the states prepared by Alice’s trusted source.

Additionally, we also allow the adversary (or any agent trying to guess the output of the protocol), Eve, to have some pre-shared entanglement with Bob’s uncharacterised device, but due to some technicality regarding the method used to certify the generated randomness, we assume that Eve does not obtain additional quantum side information when the protocol is executed. This assumption can be well justified for the setting considered in QRNG protocols where Alice and Bob are both inside the same secure location.

Finally, we also assume that the device is equipped with trusted and private random seed that is used to choose the inputs for each round as well as to perform seeded extraction. For a detailed discussion on the assumptions we make in the randomness certification, we refer the readers to the Methods section ‘Randomness certification’.

The security of our protocol relies on the quantum-proof strong seeded extractor which guarantees that whenever the protocol is not aborted, the output string is close to an ideal random bit-string that is uniformly random and independent from any pre-shared quantum information held by the adversary as well as the initial random seed. Hence, we have to certify that our protocol produces enough randomness (measured in terms of the conditional smooth min-entropy of the raw string) before applying the randomness extraction. To that end, we adopt the framework of entropy accumulation theorem (EAT)27,28,29,30. Informally, the EAT states that when our protocol is not aborted, the conditional smooth min-entropy of the raw string given Eve’s side information and the random inputs is at least

$$nh(\omega,\, \delta )-{{{{{{{\mathcal{O}}}}}}}}(\sqrt{n}).$$

Importantly, the leading term which scales linearly with the number of rounds n can be evaluated by analysing a single-round of the protocol. The constant of proportionality h(ω, δ) as well as the correction term \({{{{{{{\mathcal{O}}}}}}}}(\sqrt{n})\) can then be computed using a semi-definite-programming (SDP) technique introduced in ref. 31. More precisely, we have the following theorem.

Theorem 1

(Entropy accumulation theorem (as modified from Lemma III.3 of ref. 30)) Let Ω denote the event in which our QRNG protocol is not aborted and ρΩ be the final state conditioned on this. Let f(1−ν) be an affine lower bound on the single-round conditional von Neumann entropy for any strategy that wins the game \({{{{{{{\mathcal{G}}}}}}}}\) with probability ν. For fixed parameters ϵs, ϵEA, β (0, 1), then either our QRNG protocol aborts with probability greater than 1−ϵEA or

$${H}_{\min }^{{\epsilon }_{s}}{({{{{{{{\bf{B}}}}}}}}|{{{{{{{\bf{T}}}}}}}},\, {{{{{{{\bf{X}}}}}}}},\, {{{{{{{\bf{Y}}}}}}}},\, E)}_{{\rho }^{\Omega }}\, > \, nf(1-\omega+\delta )-\frac{1}{\beta }\left[1-2{\log }_{2}({\epsilon }_{{{{{{{{\rm{EA}}}}}}}}}{\epsilon }_{s})\right]\\ -n\left[\beta V(\gamma,\, f)+{\beta }^{2}K(\beta,\, \gamma,\, f)\right].$$

The explicit expressions for the functions f, V, K can be found in the “Methods” section ‘Randomness certification’.

As Theorem 1 holds for any choice of β, as we can see in the Methods section, we can choose \(\beta \propto 1/\sqrt{n}\) such that the correction term would scale with \(\sqrt{n}\) as claimed earlier. We refer to the parameter ϵEA as the entropy accumulation error. As can be seen from Theorem 1, it quantifies our tolerance of encountering an event in which the protocol is not aborted but the lower bound (2) on the accumulated entropy does not hold.

Finally, with the lower bound on the conditional smooth min-entropy being established, we can use the quantum leftover hash lemma32,33 to find the extractable length of the output string Z, denoted by . As the extractor seed S is part of the protocol output K, the expected net randomness expansion rate rnet is then defined as

$${r}_{{{{{{{{\rm{net}}}}}}}}}: =\frac{\ell -{\ell }_{{{{{{{{\rm{in}}}}}}}}}}{n},\,$$

where in is the expected amount of randomness used during the protocol to choose the settings of the device.

The details of randomness certification, the estimation of the input randomness can be found in “Methods” section ‘Randomness certification’ and ‘Input randomness’, respectively.

Experimental implementation

In order to verify the feasibility of the proposed protocol, we set up a fibre-optic experimental system. The schematic diagram is shown in Fig. 1a.

Fig. 1: Experiment Overview.
figure 1

a Schematic of the experimental setup. The Laser Diode (LD) emits a continuous-wave laser, which is split into two parts by a Beam Splitter(BS). One is for quantum state preparation, and the other is for Local Oscillator (LO) for homodyne detection. In the signal path, an Intensity Modulator (IM) is used for pulse curving and intensity modulation, and a Phase Modulator (PM) is used for phase modulation. The optical signal is then attenuated to single-photon energy level by an attenuator (ATT). The final quantum states after modulation are in QPSK or QAM-16 format. In the LO path, a PM is deployed for basis choosing for the homodyne detection. The signal states and the LO are mixed on a balanced BS, and the photocurrent of two photodiodes (PD) are subtracted and further amplified. Finally, a data acquisition (DAQ) device samples the signal and obtain the data for analysis. b, c Constellation diagram for QPSK modulation and QAM-16 modulation, respectively. The blue circles represent the quantum states to be prepared by the transmitter. The circle with red centre represents the state used when the randomness generation round is chosen, and all the states are used for the testing rounds. The black dashed lines represent the two measurement bases in our protocol. For the convenience of illustration, we shift the phase of the states and measurements by π/4 comparing to the descriptions in the main text. This will not affect either the security analysis or the experimental results. d, e Homodyne detector characterisation. d Power spectrum of the homodyne detector from DC to 120 MHz. The 3 dB bandwidth is ~72 MHz. e Noise variance for different LO powers. A clearance of 16.94 dB is obtained with 10 mW LO input.

Our experimental system is composed of two main parts, quantum state generation and quantum state measurement. In the quantum state generation, a laser diode emits continuous-wave (c.w.) laser with a central wavelength of 1550 nm and a linewidth of 50 kHz, which is split into two paths, one for quantum state preparation and the other as Local Oscillator (LO) for homodyne detection. In the signal path, an Intensity Modulator (IM) first curves the c.w. laser into pulses with pulse width of 4 ns each, for defining the temporal mode of the quantum states. Besides, the IM could also perform the intensity modulation for QAM-16 state generation. A Phase Modulator (PM) modulates the phase of the quantum states. Thereafter, the optical signals are attenuated to single-photon energy level with an optical attenuator, to finally generate the QPSK quantum states \(\{\left|\alpha {e}^{ix\pi /2}\right\rangle \}\) where x {0, 1, 2, 3}, whose constellation diagram is shown in Fig. 1b.

In the quantum state measurement, a homodyne detector is deployed. To maximise the generated randomness, we developed a high-efficiency and low-noise fibre-coupled homodyne detector. To minimise the optical loss, we first adopt a pair of high-efficiency photodiodes (PDs) for photon detection. Moreover, we apply anti-reflection coated graded-index (GRIN) lens for the light coupling from optical fibre to the PDs. The overall efficiency of the PD including the coupling loss is measured to be 98.3% and 98.8%, respectively. The signal and LO are interfered in a balanced polarisation maintaining fibre-optical beam splitter (BS) before detection, providing good mode matching for a stable and efficient interference. After a careful balancing of the two arms, the photocurrents are subtracted and then amplified by a low-noise amplifier. The characterisation results of our homodyne detector are shown in Fig. 1 (d, e). The 3 dB bandwidth of our homodyne detector is ~72 MHz, and the clearance (shot noise to electronic noise ratio) is measured to be 16.94 dB with a 10 mW LO. Taking all the factors into consideration, the total effective efficiency of our homodyne detector is characterised to be 91.7%. The details of homodyne characterisation and modelling are provided in the “Methods” section ‘Homodyne detector modelling and characterisation’.

In the actual experiment, the settings for quantum state preparation and measurement need to be optimised for a high net randomness expansion rate. For example, the randomness generation round could be chosen for most of the time (with a small testing probability γ) to obtain the optimal generation rate. This raises an issue with our AC-coupled systems such as the homodyne detector and the amplifiers for driving the modulators, where a DC-balanced data streams are preferred to eliminate potential signal distortions34. To mitigate this, we apply a complementary modulation scheme in our experiment where the protocol based on QPSK modulation is performed, as shown in Fig. 2a. With our scheme, the quantum state preparation is performed on two-mode coherent states, which are based on the two successive temporal modes. In this case, the modulation patterns for the state preparation and LO phase setting are naturally DC-balanced with any settings x and y. Besides, the two temporal modes are modulated with a π phase difference, while the LO phase settings are kept the same. As such, the expectation values of the individual quadrature measurements of the two temporal modes possess opposite values. Hence, the outputs of the homodyne detector are also naturally DC-balanced for all experimental settings. The quadrature measurement of the two-mode coherent state in this case is \({q}_{t} =\frac{1}{\sqrt{2}}({q}_{e}-{q}_{l})\), where qe and ql are the quadrature measurement value of the two individual temporal modes. For more details about the two-mode coherent states, please refer to the “Methods” section ‘Two-mode coherent state’.

Fig. 2: Modulation Scheme.
figure 2

a Illustration of the complementary modulation scheme. The blue curves represent the voltage levels applied for the signal and LO phase modulation. The green pulses represent the temporal modes for defining the two-mode coherent states. Regions divided by the black dashed lines represent the quantum state preparation and measurement for a single round of QRNG execution. The constellation diagrams illustrate the distributions of the quadrature measurement with given input settings. b Illustration of the time frame configuration. Reference signals for phase calibration are prepared and measured amongst the signals for QRNG execution.

To faithfully implement the QRNG protocol, a fixed phase reference between the signal and LO is required. To this end, a feedback control for phase locking (not shown in Fig. 1a) is deployed, by analysing the statistics of the reference signals as well as the signals for QRNG execution. The illustration of the time frame configuration of our QRNG is shown in Fig. 2b.

At this point, we emphasise that since our QRNG protocol does not require any characterisation of the measurement device (i.e., the homodyne detector), our efforts in loss and noise reduction, phase locking, etc. do not affect the soundness of the randomness certification, but will certainly improve the performance in terms of randomness generation rate, the system stability (which is related to the completeness of the protocol), etc.

Based on Theorem 1, the quantum leftover hash lemma, and the definition of the expected net randomness expansion rate given in Eq. (3), we first simulate the performance of our proposed protocol. The simulated net randomness expansion rate with QPSK modulation and QAM-16 modulation are shown in Fig. 3a and b, respectively.

Fig. 3: Performance Analysis 1.
figure 3

Expected net randomness expansion rate rnet against system efficiency ηeff for different number of rounds n for (a) QPSK modulation and (b) QAM-16 modulation. Security parameters used for the simulation: εcom=1 × 10−3, εsou=1 × 10−6 and ϵEA=1 × 10−6.

The parameters used in the experiment are listed in Table. 2, where the mean photon number α2 of quantum states in QPSK format, the probability of choosing test rounds γ are optimised based on the system efficiency of our setup and the chosen security parameters, as shown in Fig. 4a, b. The relation of the expected net randomness expansion rate and the randomness consumed is shown in Fig. 4c.

Table 2 Parameters used in the experiment
Fig. 4: Performance Analysis 2.
figure 4

a, b The expected net randomness expansion rate of the QRNG versus the (b) amplitude of the quantum state α and (c) the probability of test rounds γ, with ηeff = 91.7%. c The expected net randomness expansion rate and the randomness consumed versus the homodyne detection efficiency. The results are obtained by optimising the net expansion rate over \({\left|\alpha \right|}^{2}\) and γ. All plots are based on system parameters n = 1 × 1010, εcom = 1 × 10−3, εsou = 1 × 10−6 and ϵEA = 1 × 10−6.

According to the construction described in the “Methods” section ‘Formulating a P&M game’., we formulate the P&M game \({{{{{{{\mathcal{G}}}}}}}}\) used in our QRNG protocol as shown in Table. 3, which determines the probability of choosing settings for Alice’s input x and Bob’s input y for test rounds and the scoring rules. Based on our model of the honest implementation (refer to the “Methods” section ‘Two-mode coherent state’ for details), we set ω = 0.59422 and δ = 0.00189 for the experiment, which represents the expected winning probability, and the confidence interval for the winning probability, respectively.

Table 3 The configuration for the P&M game \({{{{{{{\mathcal{G}}}}}}}}\) used in the test rounds in our experiment

We collect n = 1 × 1010 rounds of data in the experiment, and obtain an observed winning probability of ωobs = 0.59443, which is very close to the expected value. The number of rounds in which the players lost the game is 942820, which is within the acceptance range nlost ≤ 946026. Hence, the protocol execution is accepted, and we could certify a gross randomness generation rate (the randomness generated by the protocol per round) of at least 0.00455 bits per round can be obtained by running the protocol. Considering the randomness invested for determining whether a given round is a test round and the inputs of Alice and Bob (x and y), the expected randomness consumption rate in our case is 0.00256 bits per round. Therefore, the expected net randomness expansion rate of our system is 0.00199 bits per round. The observed experimental results for test rounds are shown in Table 4.

Table 4 Observed experimental results for the test rounds

Finally, we implement randomness extraction using Toeplitz hashing with the help of a random seed. Toeplitz hashing is a family of two-universal hash functions, and it has been shown to be a strong randomness extractor32,35,36. This means Toeplitz hashing not only extracts randomness from a weak entropy source, but also guarantees that the output string is independent of the seed. Thus, in this work, the seed required for randomness extraction is not considered as consumed randomness as the seed can be concatenated to the output due to the properties of a strong extractor.

We utilise a Zynq Ultrascale+ FPGA (XCZU28DR) to implement randomness extraction. We construct a Toeplitz matrix with the size of 45 × 10,000 to extract the random numbers from the raw data. To achieve a faster extraction speed, we further split the Toeplitz matrix into sub-blocks of size 45 × 1000 during the extraction. In total, the size of the raw data was 10.622 Gbits (we conservatively collected a bit more data than 1 × 1010), and we extracted 47.8 Mbits of random numbers from it. The detailed implementation of Toeplitz hashing on FPGA is provided in Methods section ‘Randomness extraction’.


In this section, we discuss the strengths and limitations of our work. Besides its high level of security due to its immunity to detection side channels, one of the main strengths of our protocol is its potential for miniaturisation. In the following, we discuss the feasibility of the proposed protocol to be implemented on silicon photonic integrated circuit (PIC), which is a leading platform for integrated-photonic applications with substantial advantages regarding miniaturisation, compatibility with CMOS microelectronics, and high-speed signal processing. The process design kits (PDKs) from major foundries can provide the key components on a single chip, with a decent performance stability for volume production37,38,39.

By leveraging mature silicon-on-insulator (SOI) technology, the optical waveguide on silicon PIC is able to provide a low propagation loss and large integration density. The 2 × 2 beam spliter can be achieved by using either evanescent couplers or multimode interference (MMI) couplers.

For the high-speed optical modulation, the carrier depletion type modulators are available for quantum state preparation. While the high-speed Germanium photodetectors could be utilised for the homodyne detection on the optical quantum states.

The integrated laser, a critical component to our QRNG system, turns out to be a hurdle that impedes full system integration on a single silicon chip. This is because pure crystalline silicon lacks a direct bandgap precluding the possibility of monolithic silicon laser38. Fortunately, recent integrated laser technology based on packaging or heterogeneous integration technologies could be adopted to address this problem37.

In this, one of our main objectives is to validate experimentally the key concept of the proposed protocol and this ultimately boils down to achieving sufficient effective efficiency of the measurement device to demonstrate positive net randomness expansion rate. To that end, we require high-efficiency PDs on silicon PICs. Fortunately, such highly efficient PDs are within the reach of current technology. For example, Globalfoundries offers PDs with >1 A/W responsivity at 1310 nm wavelength, which corresponds to a quantum efficiency of >94%40 while AIM Photonics provides ones with quantum efficiency >80% at 1550 nm wavelength41. Moreover, there is more flexibility for the efficiency improvement if customised components can be used. Thus, a fully integrated version of our QRNG protocol is practically attainable with existing PIC technology.

At the system level, however, the main limitation of our current work is the relatively low randomness generation/expansion rate. We now discuss some reasons for the limited randomness expansion rate. One of the reasons is that we used Eve’s guessing probability to construct the min-tradeoff function when applying the EAT. While the guessing probability can be easily computed using the SDP relaxation, this construction is generally not tight. Recently, a tight bound on the conditional von Neumann entropy that is also compatible with our SDP relaxation was developed42. It would be interesting to see if one can obtain an improvement in the randomness expansion rate by incorporating the new bound on the conditional von Neumann entropy.

Another reason for the limited randomness expansion rate is that we coarse-grained the homodyne detection output. Indeed, here we considered a measurement device that gives a binary output; whereas in practice, the homodyne measurement actually has a large number of discrete bins determined by the ADC circuit. The coarse-graining was done to simplify the protocol as it allows us to simply monitor the winning probability in the parameter estimation step. However, our security analysis can be extended to consider more outputs using the framework of ref. 30. Nevertheless, there is a tradeoff between the number of outputs used in the protocol and the randomness generation rate as fine-graining the outputs would enhance the effect of the statistical fluctuations as the probability of obtaining each bin gets smaller. Finding the optimal number of bins for the measurement outputs deserve a deeper investigation in the future.

Next, our protocol also demands relatively high detection efficiency to generate net randomness expansion. As there is a tradeoff between the electronic noise (and its equivalent efficiency loss) and the working bandwidth of the system, the working frequency in our experiment is relatively low which results in the low randomness generation rate. One of the reasons for the high detection efficiency requirement is the choice of states used in the protocol. In our experiment, we use the QPSK encoding for the simplicity of the experiment. However, this choice of states may be sub-optimal. For example, as shown in Fig. 3b, a significant increase in the randomness expansion per pulse and decrease in the required detection efficiency can be seen by choosing the QAM-16 constellation. This would lead to a significant increase in the actual randomness expansion rate.

Finally, in this work, we assume that the device is sufficiently isolated from the environment such that any quantum side information that is accessible to the adversary was obtained before the start of the protocol. While this assumption can be well justified for QRNGs as both parties are inside in the same secure location, it could still be removed using the recently developed generalisation of the EAT43,44. The relaxed assumption may be relevant in a more pessimistic scenario where the device is surrounded by an insecure environment such that any photons that are scattered in the channel might fall into the adversary’s hands. Since the bound in the generalised EAT is similar to the one derived under the original entropy accumulation framework (with slightly different correction terms), we expect that our QRNG could still exhibit randomness expansion in the more pessimistic scenario. We leave this investigation for future work.

To summarise, we present a QRNG protocol based on a completely uncharacterised homodyne detector. The security analysis takes into account the finite size effects and the non-i.i.d. measurement process, providing random number generation that is certified in the presence of quantum side information. To verify the feasibility of the protocol, we set up a high-efficiency and low noise fibre-coupled homodyne detector for experiment. The averaged quantum efficiency of the photodiode pair is 98.55% at 1550 nm, and the clearance is measured to be 16.94 dB with a 10 mW LO input. The effective efficiency of the homodyne detector is characterised to be 91.7%. In order to have a proper implementation of our protocol and remove potential signal distortions, we come up with a complementary modulation scheme and adopt the two-mode coherent states for quantum state preparation. This guarantees both the modulation signals and measurement outcomes are DC-balanced data streams, for any experimental setting during the QRNG protocol execution. The system works at a repetition rate of 2.5 MHz, and finally obtain a gross randomness generation rate of 0.00455 and a net randomness expansion rate of 0.00199, with a 1 × 1010 rounds of protocol execution. In addition, we show that our protocol is compatible with the silicon photonics platform and is readily implementable on silicon PIC.

In conclusion, our results exhibit a practical QRNG with self-testing feature and provable security, showing a great potential for providing certifiable randomness for practical and private use.


Randomness certification

Before we explain the randomness certification of the protocol, we shall first explain the security criterion of the protocol. Consider a randomness generation protocol that produces an output string, which we label as Z. In a self-testing protocol such as ours, it is common that the legitimate parties exchange some classical information during the protocol (e.g., in the parameter estimation step). We denote the transcript of any classical communication in the protocol by M. Suppose also that the protocol involves seeded randomness extraction. We shall denote the seed used for the randomness extraction by S. Finally, any side information that is available to Eve will be denoted by E. For a given run of the protocol, let us suppose that its output can be described using the quantum state

$${\rho }_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E} =\left|\varnothing \right\rangle \left\langle \varnothing \right|_{{{{{{{{\bf{Z}}}}}}}}}\otimes {\tau }_{\left|{{{{{{{\bf{S}}}}}}}}\right|}\otimes {\tilde{\rho }}_{{{{{{{{\bf{M}}}}}}}}E}^{\varnothing }+{\tilde{\sigma }}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}.$$

Here, we account for the probability that the protocol may abort (in which case, we denote the output of the protocol by \(\varnothing\)). Furthermore, τl denotes the uniformly random string with length l denoted in the subscript and \({\tilde{\rho }}_{{{{{{{{\bf{M}}}}}}}}E}^{\varnothing }\) describes the sub-normalised state of Eve’s side information and the classical transcript when the protocol aborts. On the other hand, the sub-normalised state \({\tilde{\sigma }}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}\) in the second term describes the state when the protocol is not aborted

$${\tilde{\sigma }}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E} =\mathop{\sum}\limits_{z,s}\left|z,\, s\right\rangle \left\langle z,\, s\right|_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}}\otimes {\tilde{\rho }}_{{{{{{{{\bf{M}}}}}}}}E}^{z,s},\,$$

where the summation is taken over all possible output and seed strings, which we denote by z and s. The sub-normalised state \({\tilde{\rho }}_{{{{{{{{\bf{M}}}}}}}}E}^{z,\, s}\) is the state describing Eve’s side information and the classical transcript conditioned on the output string being z and the seed string being s. Denoting the event in which the protocol is not aborted by Ω, we have

$${{{{{{{\rm{Tr}}}}}}}}[{\tilde{\rho }}_{{{{{{{{\bf{M}}}}}}}}E}^{\varnothing }] =1-\Pr [\Omega ],\\ {{{{{{{\rm{Tr}}}}}}}}[{\tilde{\rho }}_{{{{{{{{\bf{M}}}}}}}}E}^{z,s}] =\Pr [{{{{{{{\bf{Z}}}}}}}} =z,\, {{{{{{{\bf{S}}}}}}}} =s],\\ {{{{{{{\rm{Tr}}}}}}}}[{\tilde{\sigma }}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}] =\mathop{\sum}\limits_{z,s}\Pr [{{{{{{{\bf{Z}}}}}}}} =z,\, {{{{{{{\bf{S}}}}}}}} =s] =\Pr [\Omega ].$$

Normalising the state in which the protocol is not aborted, we obtain \({\sigma }_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}: ={\tilde{\sigma }}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}/\Pr [\Omega ]\). We say that the QRNG is εsou-sound if

$$\Pr [\Omega ]\cdot \frac{1}{2}{\left\|{\sigma }_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}-{\tau }_{\ell }\otimes {\tau }_{\left|{{{{{{{\bf{S}}}}}}}}\right|}\otimes {\sigma }_{{{{{{{{\bf{M}}}}}}}}E}\right \|}_{1}\le {\varepsilon }_{{{{{{{{\rm{sou}}}}}}}}}$$

for a fixed εsou (0, 1). Here, \({\sigma }_{{{{{{{{\bf{M}}}}}}}}E} ={{{{{{{{\rm{Tr}}}}}}}}}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}}[{\sigma }_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}]\). Informally speaking, the soundness of the protocol would imply that either the protocol aborts with high probability or the output of the protocol would be close (in trace-distance) to a random string with length that is independent of the seed S, any classical information being exchanged in the protocol M, and Eve’s side information E. Importantly, the above security definition is composable. Hence, the output of the protocol can be securely used for other cryptographic applications.

However, a protocol that always aborts would trivially satisfy the soundness condition given in Eq. (7), and such a protocol is clearly undesirable. Therefore, we also impose an additional requirement that the protocol would succeed with high probability of producing a random string when the device works as expected. Formally, we call a protocol εcom-complete if its honest implementation (which may use imperfect devices) satisfy the following

$$\Pr {[\Omega ]}_{{{\mbox{honest}}}}\ge 1-{\varepsilon }_{{{{{{{{\rm{com}}}}}}}}}$$

for some fixed εcom (0, 1). Note that the subscript “honest” emphasises that Pr[Ω]honest is calculated with the assumption that the device works as expected, in particular, independently and identically for each round. In this case, we normally model the behaviour of the device, including its imperfection, and calculate the probability of the protocol aborting (e.g., due to statistical fluctuations in the parameter estimation) in such scenario.

Next, to analyse the security of the protocol, we shall assume the following:

  1. 1.

    Quantum theory is correct.

  2. 2.

    Alice has a trusted source of quantum states that can accurately prepare the code states specified by the protocol.

  3. 3.

    The device is equipped with trusted and private random seed.

  4. 4.

    The device has access to trusted classical devices to perform any classical post-processing.

  5. 5.

    The device is well isolated such that it does not leak additional quantum side information nor the output string.

Now, we shall briefly elaborate the assumptions mentioned above. The first assumption is normally taken for granted as quantum theory is the best available description of nature at small scale that we currently have. As such, throughout this paper, we shall assume that Eve and the devices used in the protocol obey the laws of quantum physics.

The second assumption can be practically justified by careful characterisation of Alice’s source. As the scenario that is relevant for QRNG considers the case where Alice and Bob are located in close proximity to each other, one could reasonably believe that the source is well protected from source side-channel attacks that are possible in other quantum crytographic protocols (for example, Trojan horse attacks in QKD45). In particular, we assume that the source behaves identically and independently in each round.

The third assumption is necessary because the measurement device which generates the raw random string in this protocol is uncharacterised. If the inputs are not chosen from a trusted random number generator, one possible scenario is that the uncharacterised measurement device could have access to the inputs before the protocol is run. In this case, it is trivial to reproduce the statistics obtained by the honest implementation of the protocol. Moreover, as our randomness certification would utilise the EAT, using a trusted random number generator could enforce the quantum Markov chain condition. Lastly, the last step of the protocol uses seeded extraction, which requires a private and uniformly random seed.

The fourth assumption is necessary for any QRNG protocol to prevent the security criteria from being trivially broken. For example, when the randomness extraction is not executed properly, it is clear that the soundness criterion may not be satisfied. Furthermore, when the output string is leaked, it is trivial to guess the output of the QRNG.

The last assumption is necessary for two reasons. Firstly, it is obvious that the security of the protocol is null when the device leaks the output string. Secondly, due to some technicality with the EAT, we need to assume that the quantum side information available to Eve is not updated as the protocol is run. It is worth noting that this assumption is not too restrictive for QRNGs since Alice and Bob are both inside the same secure location. Recently, there is a generalised version of the EAT43,44 that allows Eve’s quantum side information to be updated as the protocol is run and hence, it would be interesting to see if the assumption that the device does not leak additional quantum side information can be relaxed.

Having mentioned the assumptions we need in the security analysis, we emphasise again that we do not make any assumptions on the measurement device and the quantum channel. In particular, in a given round, the behaviour of these components can have arbitrary correlation to their inputs and outputs in the preceding rounds (unlike the source which we assumed to behave independently and identically in each round). Remarkably, our protocol remains secure even if there is a degradation in the homodyne detector or when Eve has some pre-shared entanglement with Bob’s uncharacterised measurement device.

As elaborated previously, we want our protocol to satisfy both soundness and completeness criteria. We first prove the completeness of our QRNG protocol. To that end, we use the following theorem.

Theorem 2

(Bounds on the binomial cumulative distribution46,47) Let \(n\in {\mathbb{N}}\), p (0, 1) and let X be a random variable distributed according to X ~ Binomial(n, p). Then, for any integer k such that 0 ≤ k < n, we have

$$F(n,\, p,\, k)\le \Pr [X\le k]\le F(n,\, p,\, k+1),$$


$$D(q,\, p) =q\ln \left(\frac{q}{p}\right)+(1-q)\ln \left(\frac{1-q}{1-p}\right)\\ \Phi (a) =\frac{1}{\sqrt{2\pi }}\int\nolimits_{-\infty }^{a}{{{{{{{\rm{d}}}}}}}}x\,{e}^{-{x}^{2}/2}\\ F(n,\, p,\, k) =\Phi \left({{{{{{{\rm{sign}}}}}}}}\left(\frac{k}{n}-p\right)\sqrt{2nD\left(\frac{k}{n},\, p\right)}\right)$$

Since the protocol is aborted if \(\left|\{{C}_{i}:{C}_{i} =0\}\right|\, > \, n\gamma (1-\omega+\delta )\), we can apply Theorem 2, in the same way as in ref. 9, to get the following upper bound on the probability of the protocol being aborted

$$\Pr \left[\left|\{{C}_{i}:{C}_{i} =0\}\right|\, > \, n\gamma (1-\omega+\delta )\right]\le 1-F(n,\, \gamma (1-\omega ),\, \left\lfloor n\gamma (1-\omega+\delta )\right\rfloor ).$$

Hence, by choosing the completeness error as

$${\varepsilon }_{{{{{{{{\rm{com}}}}}}}}} =1-F(n,\, \gamma (1-\omega ),\, \left\lfloor n\gamma (1-\omega+\delta )\right\rfloor ),$$

our QRNG protocol would satisfy the completeness condition.

Next, to prove the soundness of our QRNG protocol, we shall use the following Quantum Leftover Hash Lemma (Theorem 8 of ref. 33).

Theorem 3

(Quantum Leftover Hash Lemma33) Let \({\rho }_{{{{{{{{\bf{B}}}}}}}}{E}^{{\prime} }}\) be a classical-quantum state and \({{{{{{{\mathcal{F}}}}}}}} =\{{f}_{s}:{\{0,\, 1\}}^{n}\to {\{0,\, 1\}}^{\ell }\}\) be a two-universal hash family with Z = fs(B) and the seed S {0, 1}m is chosen uniformly. Let 0 < κ ≤ ε/2 < 1, we have

$$\frac{1}{2}{\left \|{\rho }_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{E}^{{\prime} }}-{\tau }_{\ell }\otimes {\tau }_{m}\otimes {\rho }_{{E}^{{\prime} }}\right \|}_{1}\le 2\left(\frac{\varepsilon }{2}-\kappa \right)+{2}^{3/2}{\left({2}^{\ell -{H}_{\min }^{\varepsilon /2-\kappa }({{{{{{{\bf{B}}}}}}}}|{E}^{{\prime} })}\right)}^{1/4}$$

where τ and τm are the uniform random strings of length and m respectively. Consequently, if we choose the output length to be

$$\ell =\mathop{\max }\limits_{\kappa }\left\lfloor {H}_{\min }^{\varepsilon /2-\kappa }({{{{{{{\bf{B}}}}}}}}|{E}^{{\prime} })+4{\log }_{2}\kappa -2\right\rfloor \,,$$

where the maximisation is taken over κ (0, ε/2], then, we have

$$\frac{1}{2}{\left \|{\rho }_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{E}^{{\prime} }}-{\tau }_{\ell }\otimes {\tau }_{m}\otimes {\rho }_{{E}^{{\prime} }}\right \|}_{1}\le \varepsilon .$$

On the other hand, for a fixed smoothing parameter ϵs, the EAT (Theorem 1) guarantees that either the protocol aborts with probability of at least 1 − ϵEA (i.e. the probability that the protocol is not aborted is upper bounded by ϵEA) or the conditional smooth min-entropy \({H}_{\min }^{{\epsilon }_{s}}{({{{{{{{\bf{B}}}}}}}}|{{{{{{{\bf{M}}}}}}}},\, E)}_{{\rho }^{\Omega }}\) (here, M consists of the registers T, X, and Y) is lower bounded by a certain amount. By identifying the register \({E}^{{\prime} }\) in Theorem 3 as the register ME in the soundness criterion, we can choose the soundness error εsou to be

$${\varepsilon }_{{{{{{{{\rm{sou}}}}}}}}} =\max \{{\epsilon }_{{{{{{{{\rm{EA}}}}}}}}},\, 2({\epsilon }_{s}+\kappa )\}.$$

In this case, EAT either upper bounds Pr[Ω] by ϵEA or—in conjunction with the Quantum Leftover Hash Lemma—guarantees that the trace-distance term (for the state in which the protocol is not aborted) in the soundness criteria is smaller than 2(ϵs + κ). Hence, our choice of εsou ensures that the protocol is sound in both cases considered by the EAT. In this work, we choose εsou = ϵEA = 2(ϵs + κ) where κ is chosen to maximise the expected net expansion rate.

We shall now discuss the technical details of Theorem 1. Firstly, to apply the EAT, it is important to ensure that the so-called Markov condition is satisfied during the execution of the protocol. More precisely, we want that for any round i [n], we need

$$I({B}_{[i]}:{X}_{i+1}{Y}_{i+1}{T}_{i+1}|{X}_{[i]},\, {Y}_{[i]},\, {T}_{[i]},\, E) =0$$

where I(A: BC) denotes the quantum mutual information between A and B conditioned on C. Here, B[i] denotes the string (B1, B2, . . . Bi) that describes the measurement outcomes from the first round until the i-th round. X[i], Y[i], T[i] are defined similarly. To enforce the Markov condition in the protocol, we implement each round sequentially and we choose the inputs for each round from a trusted and private random seed which is independent from the inputs and outputs from the preceding rounds. We also isolate the device such that Eve does not obtain additional quantum side information as we execute the protocol.

The next ingredient we need is the so-called min-tradeoff function f (for its formal definition, we refer the readers to Definition II.4 of ref. 30). The min-tradeoff function is, roughly speaking, an affine lower bound on the worst case single-round conditional von Neumann entropy H(BiXi, Yi, Ti, R) that is “compatible” with the probability distribution over \({{{{{{{\mathcal{C}}}}}}}} =\{\perp,\, 0,\, 1\}\) for random variable Ci. Here, R is a quantum register that is isomorphic to the pre-measured state in round i.

To construct the min-tradeoff function, we follow the framework presented in ref. 30 in the context of device-independent randomness expansion. A key difference here is that we use the bound on the conditional von Neumann entropy derived in the Theorem 14 of ref. 48

$$H({B}_{i}|{X}_{i} =0,\, {Y}_{i} =0,\, {T}_{i} =0,\, R)\ge 2\left[1-{p}_{g}({B}_{i}|{X}_{i} =0,\, {Y}_{i} =0,\, {T}_{i} =0,\, R)\right]$$

instead of the bound based on conditional min-entropy used in ref. 30. While both bounds are based on the guessing probability pg(BiXi = 0, Yi = 0, Ti = 0, R), the bound that we used here is significantly tighter than the one given by conditional min-entropy in the parameter regime in which the experiment is conducted. Another advantage is that the bound that we use is already linear, and as such, we do not need to perform the linearisation that was performed in ref. 30 to obtain an affine min-tradeoff function.

To bound the guessing probability, we use the semi-definite programming (SDP) technique proposed in ref. 31 instead of the Navascues–Pironio–Acin (NPA) hierarchy49,50 used in ref. 30. Both techniques are two similar hierarchies of SDP relaxation that bound the set of quantum correlations; the latter is for the device-independent scenario while the former is appropriate for the prepare-and-measure architecture considered in our protocol. For a fixed level of relaxation k, a given P&M game \({{{{{{{\mathcal{G}}}}}}}}\), characterised by the scoring coefficients \({w}_{b,x,y} =q(x,\, y){\delta }_{b,{b}_{xy}}\), and some winning probability ν, the SDP for the guessing probability has the following primal form

$$\begin{array}{ll}\mathop{\max }\limits_{{\{{M}_{b|y}\}}_{b,y},\, {\{{\Pi }_{e}\}}_{e},\, {{{{{{{\mathcal{U}}}}}}}}}\quad &\mathop{\sum }\limits_{b =0}^{1}\left\langle {\phi }_{0}\right|{M}_{b|0}{\Pi }_{b}\left|{\phi }_{0}\right\rangle \\ \,{{\mbox{subject to}}}\,\qquad &\mathop{\sum}\limits_{b,x,y}{w}_{b,x,y}\left\langle {\phi }_{x}\right|{M}_{b|y}\left|{\phi }_{x}\right\rangle =\nu,\\ &\langle {\phi }_{x}|{\phi }_{{x}^{{\prime} }}\rangle =\langle {\psi }_{x}|{\psi }_{{x}^{{\prime} }}\rangle \quad \forall x,\, {x}^{{\prime} }\in {{{{{{{\mathcal{X}}}}}}}}.\end{array}$$

Here, \({\{{M}_{b|y}\}}_{b,y}\) denotes Bob’s POVM elements, \({\{{\Pi }_{e}\}}_{e}\) denotes the POVM elements acting on the system R and \({{{{{{{\mathcal{U}}}}}}}}:\left|{\psi }_{x}\right\rangle \to \left|{\phi }_{x}\right\rangle\) denotes the isometry describing the unknown quantum channel connecting Alice and Bob. From the dual solution of (17), we can obtain a bound on the guessing probability of the form

$${p}_{g}({B}_{i}|{X}_{i} =0,\, {Y}_{i} =0,\, {T}_{i} =0,\, R)\le {c}_{\nu }+{{{{{{{{\boldsymbol{\lambda }}}}}}}}}_{\nu }\cdot {{{{{{{\boldsymbol{p}}}}}}}}.$$

Here, p = (1 − p, p) is the score distribution of the device while λν and cν are the dual solutions to the SDP (17). We emphasise that ν is a parameter that we can choose freely and it does not have to be the actual winning probability that is attained by the device.

Following the arguments in ref. 30, consider the affine function gν, which maps a distribution over \({{{{{{{\mathcal{C}}}}}}}}\setminus \{\perp \}\) to a real number

$${g}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{c}) =2(1-\gamma )\left[1-{c}_{\nu }-{{{{{{{{\boldsymbol{\lambda }}}}}}}}}_{\nu }\cdot {{{{{{{\boldsymbol{{e}}}}}}}_{c}}}\right],$$

where ec is the probability distribution where its cth entry is 1 and the other entries are zeros. Then, for some constant u that we shall determine later, the following function fν is a min-tradeoff function

$${f}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{c}) =\frac{{g}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{c})}{\gamma }+\left(1-\frac{1}{\gamma }\right){u}_{\perp },\quad \forall c\ne \perp \\ {f}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{\perp }) ={u}_{\perp }.$$

To find the worst case over all distributions which lead to the protocol being accepted, we repeat the argument presented in ref. 9 here. First, we use the condition for the protocol to be accepted, freqC(0) ≤ γ(1 − ω + δ), to deduce that if u ≥ gν(e0), then we have

$${f}_{\nu }({{{{{{{{\rm{freq}}}}}}}}}_{{{{{{{{\bf{C}}}}}}}}})\ge (1-\omega+\delta )\left({g}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{0})-{u}_{\perp }\right)+\frac{{{{{{{{{\rm{freq}}}}}}}}}_{{{{{{{{\bf{C}}}}}}}}}(1)}{\gamma }\left({g}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{1})-{u}_{\perp }\right)+{u}_{\perp }.$$

Now, we demand that u ≤ gν(e1) and hence, the second term on the right-hand side can be dropped

$${f}_{\nu }({{{{{{{{\rm{freq}}}}}}}}}_{{{{{{{{\bf{C}}}}}}}}})\ge (1-\omega+\delta )\left.\left({g}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{0})-{u}_{\perp }\right)\right)+{u}_{\perp }.$$

This is increasing with u and hence, it is best to fix u = gν(e1). We have

$${f}_{\nu }({{{{{{{{\rm{freq}}}}}}}}}_{{{{{{{{\bf{C}}}}}}}}})\ge (1-\omega+\delta ){g}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{0})+(\omega -\delta ){g}_{\nu }({{{{{{{{\boldsymbol{e}}}}}}}}}_{1})$$
$$ =2(1-\gamma )\left[1-{c}_{\nu }-{{{{{{{{\boldsymbol{\lambda }}}}}}}}}_{\nu }\cdot \tilde{{{{{{{{\boldsymbol{\omega }}}}}}}}}\right],$$

where the adjusted score \(\tilde{{{{{{{{\boldsymbol{\omega }}}}}}}}} =(1-\omega+\delta,\, \omega -\delta )\). Thus, we have obtained the function f in Theorem 1.

Lastly, we have to calculate the correction terms V and K. To that end, we need to consider a few properties of the min-tradeoff function. They are the following

  1. 1.

    Maximum over all probability distributions

$${{{{{{{\rm{Max}}}}}}}}[{f}_{\nu }] =\mathop{\max }\limits_{p\in {{{{{{{{\mathcal{P}}}}}}}}}_{{{{{{{{\mathcal{C}}}}}}}}}}{f}_{\nu }(p),$$

where \({{{{{{{{\mathcal{P}}}}}}}}}_{{{{{{{{\mathcal{C}}}}}}}}}\) is the set of all valid probability distributions.

  1. 2.

    Minimum over all protocol respecting distributions

$${{{{{{{{\rm{Min}}}}}}}}}_{{{\Gamma }}}[{f}_{\nu }] =\mathop{\inf }\limits_{p\in {{\Gamma }}}{f}_{\nu }(p),$$

where Γ denotes the set of distributions of the form (γω, 1 − γ). We call such distribution a protocol respecting distribution.

  1. 3.

    The maximum variance over all protocol respecting distributions

$${{{{{{{{\rm{Var}}}}}}}}}_{{{\Gamma }}}[{f}_{\nu }] =\mathop{\max }\limits_{p\in {{\Gamma }}}\mathop{\sum}\limits_{c\in {{{{{{{\mathcal{C}}}}}}}}}p(c){[f({{{{{{{{\boldsymbol{e}}}}}}}}}_{c})-{f}_{\nu }(p)]}^{2}.$$

To compute these quantities, we consider the maximum and minimum attainable value of gν (over all distributions) as

$$\begin{array}{ll}{{{{{{{\rm{Max}}}}}}}}[{g}_{\nu }]& =2(1-\gamma )\left[1-{c}_{\nu }-{\lambda }_{\min }\right],\\ {{{{{{{\rm{Min}}}}}}}}[{g}_{\nu }]& =2(1-\gamma )\left[1-{c}_{\nu }-{\lambda }_{\max }\right],\end{array}$$

where \({\lambda }_{\min } =\mathop{\min}\limits_{c}{{{{{{{{\boldsymbol{\lambda }}}}}}}}}_{\nu }\) and \({\lambda }_{\max } =\mathop{\max}\limits_{c}{{{{{{{{\boldsymbol{\lambda }}}}}}}}}_{\nu }\). Note that the choice of gν(e0) ≤ u = gν(e1) implies that \({u}_{\perp } ={{{{{{{\rm{Max}}}}}}}}[{g}_{\nu }]\). Therefore, we are dealing with similar min-tradeoff functions as those considered in refs. 29,30, where we have the following relations

$${{{{{{{\rm{Max}}}}}}}}[{f}_{\nu }] ={{{{{{{\rm{Max}}}}}}}}[{g}_{\nu }],\\ {{{{{{{{\rm{Min}}}}}}}}}_{{{\Gamma }}}[{f}_{\nu }] \ge {{{{{{{\rm{Min}}}}}}}}[{g}_{\nu }],\\ {{{{{{{{\rm{Var}}}}}}}}}_{{{\Gamma }}}[{f}_{\nu }] \le \frac{{({{{{{{{\rm{Max}}}}}}}}[{g}_{\nu }]-{{{{{{{\rm{Min}}}}}}}}[{g}_{\nu }])}^{2}}{\gamma }.$$

Based on the above relations, we can calculate the correction terms V and K. Following ref. 30, the correction term V(γ, fν) is given by

$$V(\gamma,\, {f}_{\nu }) =\frac{\ln 2}{2}{\left({\log }_{2}9+\sqrt{\frac{4{(1-\gamma )}^{2}{({\lambda }_{\max }-{\lambda }_{\min })}^{2}}{\gamma }+2}\right)}^{2}.$$

On the other hand, the other correction term K(β, γ, fν) is given by

$$K(\beta,\, \gamma,\, {f}_{\nu }) =\frac{{2}^{\beta [1+2(1-\gamma )({\lambda }_{\max }-{\lambda }_{\min })]}}{6{(1-\beta )}^{3}\ln 2}{\ln }^{3}\left({2}^{1+2(1-\gamma )({\lambda }_{\max }-{\lambda }_{\min })}+{e}^{2}\right).$$

Having specified the functions fν, V and K, we can now apply Theorem 1 and Theorem 3 to prove the soundness of our QRNG protocol. This concludes the randomness certification of the protocol.

Input randomness

In the previous section, we have shown that if the extracted length is chosen according to Eq. (13), our QRNG protocol can generate randomness securely. However, for our QRNG protocol to be practically useful, we may also demand that, on average, it produces more randomness than the one consumed to run the protocol.

In this work, as we consider strong extractors for the randomness extraction, it is sufficient to consider the randomness consumed to choose the inputs T, X and Y as we can treat the extractor seed as part of the output. As the optimal input distribution is biased, one could either use a biased random seed or convert a uniform random seed into a biased one (for example, using the interval algorithm51). We denote the expected length of random bit string used to generate the inputs by in. The expected input randomness in is approximately the Shannon entropy of the inputs (up to some small overhead that is negligible for large block sizes)

$${\ell }_{{{{{{{\mathrm{in}}}}}}}} =H({{{{{{{\bf{T}}}}}}}},\, {{{{{{{\bf{X}}}}}}}},\, {{{{{{{\bf{Y}}}}}}}})+3\\ =n[{h}_{2}(\gamma )+\gamma H({{{{{{\boldsymbol{q}}}}}}})]+3,$$

where we have used the fact that the inputs for each round are chosen independently from the ones from the preceding rounds and we also used the chain rule for Shannon entropy. Here, h2(γ) is the binary entropy function and H(q) is the Shannon entropy of the input distribution {q(x, y)}x,y.

Homodyne detector modelling and characterisation

We model the homodyne detector from two aspects: optical loss and the electronic noise.

The optical loss arises from two main parts. The insertion loss of the BS, and the imbalance of the homodyne detection, which is caused by the efficiency mismatch of the two photodiodes and the imperfect BS splitting ratio.

We first characterise the photon detection efficiency of the photodiodes, which includes the quantum efficiency of the photodiodes, coupling loss to the photodiodes, and the insertion loss of the fibre-pigtailed GRIN lenses, with an optical power metre (EXFO PM-1100) and a Source Measurement Unit (Keysight U2722A).

The GRIN lenses used are anti-reflection-coated in the range of 1250–1650 nm, with an average reflection of <0.2%. In addition, the waist diameter of the output light beam is in the order of 10 µm, which is much smaller than the diameter of the active region of our PD (100 µm). We measure the detection efficiency of the two photodiodes, including the coupling loss and the insertion loss, by putting a reverse bias at the working voltage of the photodiode, giving a constant power input light from the laser, and measuring the photocurrent by the Source Measurement Unit. The efficiency of the two photodiodes is deduced from the ratio of the measured photocurrent and the input power to be 98.3% and 98.8%, respectively.

The splitting ratio of the beam splitter is measured to be 50.4:49.6, and the insertion loss is 0.2 dB. By matching the beam splitter with the PDs, and carefully balancing the amplitudes of the two arms, we gradually increase the input LO power with a variable optical attenuator (Yokogawa AQ2200-311A) and obtain the noise measurements. For frequency domain measurement, a spectrum analyser (Rohde & Schwarz FSV40) is used, with a resolution bandwidth of 1 MHz and a video bandwidth of 5 MHz. For the measurement of the noise variance and clearance, an oscilloscope (Tektronix MSO64 BW 2.5 GHz) is utilised.

The characterisation results are shown in Fig. 1d, e. With a 10 mW LO input, a clearance of 16.94 dB is obtained. Under the assumption that the electronic noise of homodyne detector possesses a Gaussian distribution and is independent of the measured optical signal, we follow the model proposed in ref. 52 and treat the effect of the electronic noise as equivalent to efficiency loss. In our case, an equivalent efficiency of 97.98% is estimated.

Taking all the factors into consideration, the total effective efficiency of our homodyne detector is characterised to be 91.7%.

Two-mode coherent states

Two-mode coherent states are used in our system for quantum state preparation. Here, we give the basic form of the quadrature operator of the two-mode coherent state, and show that the quadrature value can be obtained by combining the quadrature values of individual temporal modes.

Without loss of generality, we define the creation (annihilation) operators of the early and late temporal modes by \({\hat{a}}_{e}^{{{{\dagger}}} }\) (\({\hat{a}}_{e}\)) and \({\hat{a}}_{l}^{{{{\dagger}}} }\) (\({\hat{a}}_{l}\)), respectively. Therefore, the quantum state composed of coherent states in both temporal modes can be expressed by:

$$\left|{\alpha }_{e}\right\rangle \left|{\alpha }_{l}\right\rangle ={e}^{-\frac{|{\alpha }_{e}{|}^{2}}{2}}\mathop{\sum }\limits_{m =0}^{\infty }\frac{{({\alpha }_{e}{\hat{a}}_{e}^{{{{\dagger}}} })}^{m}}{m!}\cdot {e}^{-\frac{|{\alpha }_{l}{|}^{2}}{2}}\mathop{\sum }\limits_{n =0}^{\infty }\frac{{({\alpha }_{l}{\hat{a}}_{l}^{{{{\dagger}}} })}^{n}}{n!}\left|0\right\rangle \\ ={e}^{-\frac{|{\alpha }_{e}{|}^{2}+|{\alpha }_{l}{|}^{2}}{2}}\mathop{\sum }\limits_{k =0}^{\infty }\frac{{({\alpha }_{e}{\hat{a}}_{e}^{{{{\dagger}}} }+{\alpha }_{l}{\hat{a}}_{l}^{{{{\dagger}}} })}^{k}}{k!}\left|0\right\rangle \\ ={e}^{-\frac{|{\alpha }_{t}{|}^{2}}{2}}\mathop{\sum }\limits_{k =0}^{\infty }\frac{{({\alpha }_{t}{\hat{a}}_{t}^{{{{\dagger}}} })}^{k}}{k!}\left|0\right\rangle,$$

where \(|{\alpha }_{t}|=\sqrt{|{\alpha }_{e}{|}^{2}+|{\alpha }_{l}{|}^{2}}\) and \({\hat{a}}_{t}^{{{{\dagger}}} } =\frac{1}{\left|{\alpha }_{t}\right|}({\alpha }_{e}{\hat{a}}_{e}^{{{{\dagger}}} }+{\alpha }_{l}{\hat{a}}_{l}^{{{{\dagger}}} })\) represent the amplitude and the creation operator of the new two-mode coherent state, respectively. In our case, we have \(\left|{\alpha }_{l}\right\rangle =\left|-{\alpha }_{e}\right\rangle\), \(|{\alpha }_{t}|=\sqrt{2}|\alpha|\), and \({\hat{a}}_{t}^{{{{\dagger}}} } =1/\sqrt{2}({\hat{a}}_{e}^{{{{\dagger}}} }-{\hat{a}}_{l}^{{{{\dagger}}} })\).

As a result, the quadrature operator of the two-mode coherent states can be obtained (in Shot-Noise Unit):

$${\hat{q}}_{t} ={\hat{a}}_{t}{e}^{-i\theta }+{\hat{a}}_{t}^{{{{\dagger}}} }{e}^{i\theta }\\ =\frac{{\hat{a}}_{e}-{\hat{a}}_{l}}{\sqrt{2}}{e}^{-i\theta }+\frac{{\hat{a}}_{e}^{{{{\dagger}}} }-{\hat{a}}_{l}^{{{{\dagger}}} }}{\sqrt{2}}{e}^{i\theta }\\ =\frac{1}{\sqrt{2}}({\hat{q}}_{e}-{\hat{q}}_{l}).$$

Hence, the quadrature value of the two-mode coherent state qt satisfies

$${\hat{q}}_{t}\left|q\right\rangle =\frac{1}{\sqrt{2}}({\hat{q}}_{e}-{\hat{q}}_{l})\left|q\right\rangle \\ =\frac{1}{\sqrt{2}}({q}_{e}-{q}_{l})\left|q\right\rangle \\ ={q}_{t}\left|q\right\rangle .$$

Formulating a P&M game

Previously, we took for granted that our QRNG protocol specifies a P&M game that is used to test whether the devices are working as expected. However, constructing a game that is optimal for certifying randomness generation is a non-trivial task. In this section, we use the SDP duality to construct a P&M game that can asymptotically witness the same amount of randomness that is certified by full input-output probability distribution {P(bx, y)}b,x,y. The idea behind our method is to find a linear function of the input-output probability distribution that witnesses the randomness generated by Bob’s measurement. Then, from this linear function, we could derive the input distribution q(x, y) and the winning outputs bxy. Similar constructions have been used in device-independent quantum information processing to construct an optimal Bell inequality for certifying randomness53,54 and self-testing55.

Asymptotically, we expect that the full input-output probability distribution should be optimal for witnessing randomness as it contains the full statistical information about the devices’ behaviour. Let us now suppose that the expected input-output probability distribution is known (either by modelling the honest implementation or calibrating the device prior to the protocol). To construct a game that could optimally certify the amount of randomness, we shall consider the following SDP for the guessing probability subject to the full input-output probability distribution.

$$\begin{array}{ll}\mathop{\max }\limits_{{\{{M}_{b|y}\}}_{b,y},\, {\{{\Pi }_{e}\}}_{e},\, {{{{{{{\mathcal{U}}}}}}}}}\quad &\mathop{\sum }\limits_{b =0}^{1}\left\langle {\phi }_{0}\right|{M}_{b|0}{\Pi }_{b}\left|{\phi }_{0}\right\rangle \\ \,{{\mbox{subject to}}}\,\qquad &\left\langle {\phi }_{x}\right|{M}_{b|y}\left|{\phi }_{x}\right\rangle =P(b|x,\, y),\,\forall b,\, x,\, y\\ &\langle {\phi }_{x}|{\phi }_{{x}^{{\prime} }}\rangle =\langle {\psi }_{x}|{\psi }_{{x}^{{\prime} }}\rangle,\quad \forall x,\, {x}^{{\prime} }\in {{{{{{{\mathcal{X}}}}}}}}.\end{array}$$

Suppose that the optimal dual solution to (36) for the kth level of relaxation is given by

$${\hat{d}}_{k} ={\xi }_{0}+\mathop{\sum}\limits_{b,x,y}\xi (b,\, x,\, y)P(b|x,\, y)\,\ge {p}_{g}({B}_{i}|{T}_{i} =0,\, {X}_{i} =0,\, {Y}_{i} =0,\, R),$$

where ξ0 is associated with the non-statistical constraints. Any feasible dual solution is a linear function of the input-output distribution that upper bounds the guessing probability. As such, the set of feasible dual solutions to the SDP gives a family of linear upper bounds on the guessing probability while \({\hat{d}}_{k}\) is the tightest upper bound on the guessing probability among the family (in fact, it is “tight” up to the semi-definite relaxation31 of the set of quantum correlations and any duality gap).

Now, for each pair of inputs (x, y), we define \({b}_{xy}^{{\prime} }\) and \({b}_{xy}^{{\prime\prime} }\) such that \(\xi ({b}_{xy}^{{\prime} },\, x,\, y)\ge \xi ({b}_{xy}^{{\prime\prime} },\, x,\, y)\). We consider

$$ {\hat{d}}_{k}-{\xi }_{0}-\mathop{\sum}\limits_{x,y}\xi ({b}_{xy}^{{\prime\prime} },\, x,\, y)\\ =\mathop{\sum}\limits_{x,y}\left[\xi ({b}_{xy}^{{\prime} },\, x,\, y)P({b}_{xy}^{{\prime} }|x,\, y)+\xi ({b}_{xy}^{{\prime\prime} },\, x,\, y)P({b}_{xy}^{{\prime\prime} }|x,\, y)\right.\\ \quad - \left.\xi ({b}_{xy}^{{\prime\prime} },\, x,\, y)\left\{P({b}_{xy}^{{\prime} }|x,\, y)+P({b}_{xy}^{{\prime\prime} }|x,\, y)\right\}\right]\\ =\mathop{\sum}\limits_{x,y}\left\{\xi ({b}_{xy}^{{\prime} },\, x,\, y)-\xi ({b}_{xy}^{{\prime\prime} },\, x,\, y)\right\}P({b}_{xy}^{{\prime} }|x,\, y),$$

where in the first equality we use the normalisation constraint. Noting that we are just subtracting a constant from \({\hat{d}}_{k}\), expression (38) is still an almost tight witness on the guessing probability. Finally, we could also divide the above expression by a constant and the resulting expression

$$\mathop{\sum}\limits_{x,y}q(x,\, y)P({b}_{xy}^{{\prime} }|x,\, y),$$


$$q(x,\, y) =\frac{\xi ({b}_{xy}^{{\prime} },\, x,\, y)-\xi ({b}_{xy}^{{\prime\prime} },\, x,\, y)}{{\sum }_{x,y}\left\{\xi ({b}_{xy}^{{\prime} },\, x,\, y)-\xi ({b}_{xy}^{{\prime\prime} },\, x,\, y)\right\}},$$

would still be an almost tight witness on the guessing probability. By construction, {q(x, y)}x,y is a valid probability distribution. Moreover, as \({b}_{xy}^{{\prime} }\) is defined such that \({\hat{d}}_{k}\) (and hence, the bound on the guessing probability) would be higher when \(P({b}_{xy}^{{\prime} }|x,\, y)\) increases, we could interpret \({b}_{xy}^{{\prime} }\) as the losing outcome (i.e., we assign the score C = 0) when the inputs x and y are chosen and q(x, y) as the probability of choosing this pair of inputs. In this case, the game \({{{{{{{\mathcal{G}}}}}}}}\) is defined as one where for Alice and Bob choose the inputs (x, y) with probability q(x, y) and the winning outcome is given by \({b}_{xy} ={b}_{xy}^{{\prime\prime} }\).

The game construction that we have described above is almost optimal to witness the generated randomness. However, the construction may not minimise the randomness consumed to choose the inputs and hence, its performance in terms of the expanded randomness may be far from optimal. Formulating the optimal game construction that maximises the net randomness expansion rate would be an interesting direction for future work.

Randomness extraction

Toeplitz hashing utilises a Toeplitz matrix, H. The Toeplitz matrix is an m × n diagonal-constant matrix, and it is constructed by filling up the first column and first row of the matrix with a uniform seed, denoted by S. Thus, the seed length required for Toeplitz hashing is n + m − 1 bits. Toeplitz matrix H can be expressed as

$${{{{{{{\bf{H}}}}}}}} =\left[\begin{array}{ccccc}{s}_{n}&{s}_{n-1}&\cdots &{s}_{2}&{s}_{1}\\ {s}_{n+1}&{s}_{n}&\cdots &{s}_{3}&{s}_{2}\\ \vdots &\vdots &\ddots &\vdots &\vdots \\ {s}_{n+m-1}&{s}_{n+m-2}&\cdots &{s}_{m+1}&{s}_{m}\end{array}\right].$$

The hashing is done by expressing the raw bits as a column vector and performing matrix-vector multiplication with the Toeplitz matrix. We used the calculated bit generation rate of 0.00455 and constructed a Toeplitz matrix H with the parameters m = 45 and n = 10,000.

A field programmable gate array (FPGA) is the chosen platform for implementation of Toeplitz hashing. The schematic of our post-processing on FPGA is shown in Fig. 5. The raw data is stored on a personal computer (PC) and sent in batches of approximately 600 Mbits via 1G Ethernet to the FPGA. Upon receiving the batch of raw data, the processing system (PS) on FPGA sends in 10 kbits of data to the programmable logic (PL), where the data will be further split into 10 batches of 1 kbits each. The multiplexing of raw data and seed is done via pipelining and the Toeplitz hashing algorithm is executed in parallel. The PS then receives the output of 45 bits from PL, and sends in a new set of 10 kbits of data to PL, repeating until all the data in the current batch has been processed. The PS then sends the extracted random numbers of the current batch to PC via Ethernet and waits for a new batch, until all 10.622 Gbits of raw data has been processed.

Fig. 5: Schematic of the post-processing on the ZCU111 evaluation board.
figure 5

The raw numbers are stored on a personal computer (PC) and sent to the field programmable gate array (FPGA) via 1G Ethernet. The data is stored in the double data rate 4th generation random access memory (DDR4 RAM) on the processing system (PS) and multiplexed into the Toeplitz hashing core on the programmable logic (PL) side of the FPGA. The output from the Toeplitz hashing core is accumulated and sent back to PC via 1G Ethernet.