Abstract
Quantum random number generators (QRNGs) are able to generate numbers that are certifiably random, even to an agent who holds some side information. Such systems typically require that the elements being used are precisely calibrated and validly certified for a credible security analysis. However, this can be experimentally challenging and result in potential sidechannels which could compromise the security of the QRNG. In this work, we propose, design and experimentally demonstrate a QRNG protocol that completely removes the calibration requirement for the measurement device. Moreover, our protocol is secure against quantum side information. We also take into account the finitesize effects and remove the independent and identically distributed requirement for the measurement side. More importantly, our QRNG scheme features a simple implementation which uses only standard optical components and are readily implementable on integratedphotonic platforms. To validate the feasibility and practicability of the protocol, we set up a fibreoptical experimental system with a homemade homodyne detector with an effective efficiency of 91.7% at 1550 nm. The system works at a rate of 2.5 MHz, and obtains a net randomness expansion rate of 4.98 kbits/s at 10^{10} rounds. Our results pave the way for an integrated QRNG with selftesting feature and provable security.
Introduction
Random number generators (RNGs) are the basic building block of many computing methods and digital solutions in use today, e.g., in simulation, optimisation, cryptography, and gambling. Ideally, the output of an RNG should be uniform and unpredictable. The first property requires all outputs are equally likely and the second stipulates that no observer can do better than a random guess even with side information about the device. Indeed, the latter property is especially important when dealing with digital technologies like secure communications, blockchain, and digital lottery, where privacy and information security are critical.
Quantum processes are excellent sources of randomness due to their intrinsic probabilistic nature. In particular, by tapping on the uncertainty of quantum measurements, one can, in principle, devise quantum random number generators (QRNGs) which are perfectly uniform and unpredictable^{1,2,3}. The standard approach uses a modelbased approach, where the underlying probability model is based on the certain trusted quantum measurement process. However, while this approach presents a straightforward way to quantify the amount of extractable randomness, it is prone to implementation deviations (for a concrete example, we refer the reader to ref. ^{4}). In particular, the model may not capture the actual physical process due to unexpected device changes and the amount of extractable randomness can be overestimated. Crucially, this could lead to catastrophic outcomes when the device is used for cryptography, for example.
An elegant solution is to consider new forms of QRNGs which provide certifiable randomness based on minimal assumptions about the underlying quantum measurement process. This is made possible by exploiting the unique correlations established by quantum measurements on entangled systems. The best example is the DeviceIndependent (DI) QRNG^{1,5,6,7,8,9}. However, in view of the demanding experimental requirements for a loopholefree observation of nonlocal correlations^{5,7,10}, it is generally believed that the first practical application of such DI QRNGs will likely be Randomness Beacons^{7,8}.
There are other QRNGs that make reasonable assumptions about the system and require only a partial characterisation of the device. These schemes provide a system performance improvement in terms of the implementation complexity and the random number generation rate when compared to DI QRNGs. Due to the partial characterisation feature, this class of QRNGs is often called semiDI QRNG. A comparison of different QRNG studies is listed in Table 1.
For practical semiDI randomness generations, the following features are highly desirable in practical applications. Firstly, the security of the randomness generation should rely on only a few justifiable assumptions on the system operation and its critical components. This would ensure that these QRNGs remain secure even in the presence of unexpected device changes. Secondly, it should also provide a relatively high randomness generation rate. Finally, the QRNG should be costeffective and have small footprints. The latter would be essential in a wide range of applications: from handheld devices to InternetofThings.
In this regard, balanced homodyne detection offers distinct advantages in practical randomness generation. Firstly, as balanced homodyne detectors simply consist of a pair of photodiodes and some electrical components, they are readily implementable on integratedphotonic platforms^{11,12,13,14}. Hence, QRNGs that are based on homodyne detectors have a unique practical advantage in terms of the costeffectiveness, compactness and system stability. Secondly, homodyne detection works at room temperature and no additional cooling is needed. This, again, reduces the system complexity and eliminates the extra requirement for space consumption.
Unfortunately, due to many practical limitations, real homodyne detectors often deviate from an ideal quadrature measurement – which is the standard theoretical model for a balanced homodyne detection. Firstly, modelling homodyne detectors as perfect quadrature measurements of the input optical field requires the local oscillator (LO) to operate at the high intensity limit^{15,16}, which may not be the case in the actual implementation. In addition, implementing the perfect quadrature measurement would also require perfect photon number subtraction which is nontrivial in the presence finite commonmode rejection ratio (CMRR) and imbalance drifts. Moreover, in contrast to perfect quadrature measurements, practical homodyne detectors are subjected to electronic noise, LO intensity fluctuations, finite detection range, etc. While there are theoretical studies on how to account for these imperfections in the model (for example, the standard theoretical treatment for electronic noise is to model it as an independent noise^{17,18} with Gaussian and stationary nature^{18,19}), the model demands an accurate characterisation of each imperfection. Not only is this task technically demanding, there is actually a danger of false precision with the modelbased approach as the quality of the homodyne detector may degrade over time. In that case, this would invalidate the model and hence, the randomness generated by the homodyne detection may be overestimated.
Additionally, it has been pointed out that finite bandwidths of practical homodyne detector may result in correlations among successive rounds of the QRNG operation^{19,20}. In this case, the experimental rounds in practice would be unlikely to exhibit a completely independent and identically distributed (i.i.d.) behaviour. In particular, comparing to the quantum state generation part, the homodyne detector with a shotnoiselimited performance generally has a more restricted working bandwidth^{17,21}. Therefore, it is of great interest to devise a randomness certification that can mitigate (if not fully remove) the i.i.d. assumption for the system operation. Moreover, as any QRNG protocols have to be executed in a finite number of rounds, finitesize effects (such as statistical fluctuations) should be taken into consideration. This is especially important for semiDI and DI QRNGs, whose randomness certification relies on experimental statistics, which necessarily entail statistical fluctuations.
In this work, we propose a novel semiDI QRNG protocol based on homodyne detection and certify its security against quantum side information. Given the challenges with modelling the homodyne detector, our proposed framework treats it as a blackbox quantum measurement which sidesteps the demanding characterisation requirement of the modelbased approach. Importantly, our framework does not require any i.i.d. assumption on the measurement device which protects the security of the protocol against potential correlations shared between different rounds. Moreover, the proposed protocol is composably secure^{22,23,24}, which guarantees that the random numbers produced by our protocol can be securely used for cryptographic applications. Furthermore, we show that our protocol can produce more randomness than that consumed (for choosing the settings for the devices) in the protocol. As such, our protocol is a quantum randomness expansion (QRE) protocol.
Results
Protocol description
We shall now present our proposed randomness generation protocol. The protocol that we consider is a prepareandmeasure (P&M) protocol with an uncharacterised measurement device. To illustrate the protocol, it is convenient to consider a device that consists of two parts: a trusted source of quantum states (which we assume to be operated by Alice) and an uncharacterised measurement device (which is operated by Bob). As such, the protocol that we consider is a selftesting protocol in which the working of Bob’s measurement device is not assumed a priori, but could be verified during the protocol using the spotchecking scheme in which every round is randomly assigned to be a generation or test round.
To that end, suppose that during the test round, the device plays a P&M game \({{{{{{{\mathcal{G}}}}}}}}\). A P&M game can be thought of as a P&M analogue of the more wellknown nonlocal games in the context of Bell nonlocality^{25,26} and deviceindependent protocols. In a P&M game, Alice receives a random input x from a predefined set \({{{{{{{\mathcal{X}}}}}}}}\) and then prepares the state \(\left{\psi }_{x}\right\rangle\) from the set of states \({{{{{{{{\mathcal{S}}}}}}}}}_{{{{{{{{\mathcal{X}}}}}}}}}\). Similarly, Bob receives an input y from a predefined set \({{{{{{{\mathcal{Y}}}}}}}}\) and uses it as his measurement setting. Let us suppose that Alice and Bob receive those inputs with probability q(x, y) which is fixed for a given game. For each pair of inputs x and y, the game \({{{{{{{\mathcal{G}}}}}}}}\) defines the winning outcome b_{xy} ∈ {0, 1}. For a given round, the device wins the game when Bob outputs the winning outcome; otherwise, the device loses the game. In the Methods section, we present a systematic method to choose the winning outcome b_{xy} as well as the probability of choosing each pair of inputs q(x, y).
The protocol that we propose is given in Box 1
In the experiment reported in this work, we consider \({{{{{{{\mathcal{X}}}}}}}} =\{0,\, 1,\, 2,\, 3\}\), the set of states \({{{{{{{{\mathcal{S}}}}}}}}}_{{{{{{{{\mathcal{X}}}}}}}}} =\{\left\alpha {e}^{ix\pi /2}\right\rangle :x\in {{{{{{{\mathcal{X}}}}}}}}\}\) and \({{{{{{{\mathcal{Y}}}}}}}} =\{0,\, 1\}\). Furthermore, the honest implementation corresponds to homodyne detection with its LO’s phase set to φ = π/2 when y = 0 and φ = 0 when y = 1. The measurement device would then output b = 0 if the result of the homodyne measurement is positive; else, it would output b = 1. The quantum states in this case correspond to quadrature phase shift keying (QPSK) modulation format, which is compatible with standard optical modulation techniques. Remarkably, it is straightforward to generalise the protocol to include more states or more measurement settings, e.g. quadrature amplitude modulation (QAM).
Security framework
We shall now consider the security of our protocol. Here, we consider a framework in which the measurement device is uncharacterised and hence, when analysing the security of the proposed protocol, we shall treat Bob’s measurement as a set of abstract measurement operators. In particular, we do not assume that Bob’s measurement device behaves independently and identically for each round.
Likewise, we do not assume that the quantum channel faithfully transmits the quantum states sent by Alice, nor it behaves independaently and identically for each round. As we do not limit the dimension of the Hilbert space of the channel output, we can model any quantum channel by an isometry U which preserves the innerproduct of the states prepared by Alice’s trusted source.
Additionally, we also allow the adversary (or any agent trying to guess the output of the protocol), Eve, to have some preshared entanglement with Bob’s uncharacterised device, but due to some technicality regarding the method used to certify the generated randomness, we assume that Eve does not obtain additional quantum side information when the protocol is executed. This assumption can be well justified for the setting considered in QRNG protocols where Alice and Bob are both inside the same secure location.
Finally, we also assume that the device is equipped with trusted and private random seed that is used to choose the inputs for each round as well as to perform seeded extraction. For a detailed discussion on the assumptions we make in the randomness certification, we refer the readers to the Methods section ‘Randomness certification’.
The security of our protocol relies on the quantumproof strong seeded extractor which guarantees that whenever the protocol is not aborted, the output string is close to an ideal random bitstring that is uniformly random and independent from any preshared quantum information held by the adversary as well as the initial random seed. Hence, we have to certify that our protocol produces enough randomness (measured in terms of the conditional smooth minentropy of the raw string) before applying the randomness extraction. To that end, we adopt the framework of entropy accumulation theorem (EAT)^{27,28,29,30}. Informally, the EAT states that when our protocol is not aborted, the conditional smooth minentropy of the raw string given Eve’s side information and the random inputs is at least
Importantly, the leading term which scales linearly with the number of rounds n can be evaluated by analysing a singleround of the protocol. The constant of proportionality h(ω, δ) as well as the correction term \({{{{{{{\mathcal{O}}}}}}}}(\sqrt{n})\) can then be computed using a semidefiniteprogramming (SDP) technique introduced in ref. ^{31}. More precisely, we have the following theorem.
Theorem 1
(Entropy accumulation theorem (as modified from Lemma III.3 of ref. ^{30})) Let Ω denote the event in which our QRNG protocol is not aborted and ρ^{Ω} be the final state conditioned on this. Let f(1−ν) be an affine lower bound on the singleround conditional von Neumann entropy for any strategy that wins the game \({{{{{{{\mathcal{G}}}}}}}}\) with probability ν. For fixed parameters ϵ_{s}, ϵ_{EA}, β ∈ (0, 1), then either our QRNG protocol aborts with probability greater than 1−ϵ_{EA} or
The explicit expressions for the functions f, V, K can be found in the “Methods” section ‘Randomness certification’.
As Theorem 1 holds for any choice of β, as we can see in the Methods section, we can choose \(\beta \propto 1/\sqrt{n}\) such that the correction term would scale with \(\sqrt{n}\) as claimed earlier. We refer to the parameter ϵ_{EA} as the entropy accumulation error. As can be seen from Theorem 1, it quantifies our tolerance of encountering an event in which the protocol is not aborted but the lower bound (2) on the accumulated entropy does not hold.
Finally, with the lower bound on the conditional smooth minentropy being established, we can use the quantum leftover hash lemma^{32,33} to find the extractable length of the output string Z, denoted by ℓ. As the extractor seed S is part of the protocol output K, the expected net randomness expansion rate r_{net} is then defined as
where ℓ_{in} is the expected amount of randomness used during the protocol to choose the settings of the device.
The details of randomness certification, the estimation of the input randomness can be found in “Methods” section ‘Randomness certification’ and ‘Input randomness’, respectively.
Experimental implementation
In order to verify the feasibility of the proposed protocol, we set up a fibreoptic experimental system. The schematic diagram is shown in Fig. 1a.
Our experimental system is composed of two main parts, quantum state generation and quantum state measurement. In the quantum state generation, a laser diode emits continuouswave (c.w.) laser with a central wavelength of 1550 nm and a linewidth of 50 kHz, which is split into two paths, one for quantum state preparation and the other as Local Oscillator (LO) for homodyne detection. In the signal path, an Intensity Modulator (IM) first curves the c.w. laser into pulses with pulse width of 4 ns each, for defining the temporal mode of the quantum states. Besides, the IM could also perform the intensity modulation for QAM16 state generation. A Phase Modulator (PM) modulates the phase of the quantum states. Thereafter, the optical signals are attenuated to singlephoton energy level with an optical attenuator, to finally generate the QPSK quantum states \(\{\left\alpha {e}^{ix\pi /2}\right\rangle \}\) where x ∈ {0, 1, 2, 3}, whose constellation diagram is shown in Fig. 1b.
In the quantum state measurement, a homodyne detector is deployed. To maximise the generated randomness, we developed a highefficiency and lownoise fibrecoupled homodyne detector. To minimise the optical loss, we first adopt a pair of highefficiency photodiodes (PDs) for photon detection. Moreover, we apply antireflection coated gradedindex (GRIN) lens for the light coupling from optical fibre to the PDs. The overall efficiency of the PD including the coupling loss is measured to be 98.3% and 98.8%, respectively. The signal and LO are interfered in a balanced polarisation maintaining fibreoptical beam splitter (BS) before detection, providing good mode matching for a stable and efficient interference. After a careful balancing of the two arms, the photocurrents are subtracted and then amplified by a lownoise amplifier. The characterisation results of our homodyne detector are shown in Fig. 1 (d, e). The 3 dB bandwidth of our homodyne detector is ~72 MHz, and the clearance (shot noise to electronic noise ratio) is measured to be 16.94 dB with a 10 mW LO. Taking all the factors into consideration, the total effective efficiency of our homodyne detector is characterised to be 91.7%. The details of homodyne characterisation and modelling are provided in the “Methods” section ‘Homodyne detector modelling and characterisation’.
In the actual experiment, the settings for quantum state preparation and measurement need to be optimised for a high net randomness expansion rate. For example, the randomness generation round could be chosen for most of the time (with a small testing probability γ) to obtain the optimal generation rate. This raises an issue with our ACcoupled systems such as the homodyne detector and the amplifiers for driving the modulators, where a DCbalanced data streams are preferred to eliminate potential signal distortions^{34}. To mitigate this, we apply a complementary modulation scheme in our experiment where the protocol based on QPSK modulation is performed, as shown in Fig. 2a. With our scheme, the quantum state preparation is performed on twomode coherent states, which are based on the two successive temporal modes. In this case, the modulation patterns for the state preparation and LO phase setting are naturally DCbalanced with any settings x and y. Besides, the two temporal modes are modulated with a π phase difference, while the LO phase settings are kept the same. As such, the expectation values of the individual quadrature measurements of the two temporal modes possess opposite values. Hence, the outputs of the homodyne detector are also naturally DCbalanced for all experimental settings. The quadrature measurement of the twomode coherent state in this case is \({q}_{t} =\frac{1}{\sqrt{2}}({q}_{e}{q}_{l})\), where q_{e} and q_{l} are the quadrature measurement value of the two individual temporal modes. For more details about the twomode coherent states, please refer to the “Methods” section ‘Twomode coherent state’.
To faithfully implement the QRNG protocol, a fixed phase reference between the signal and LO is required. To this end, a feedback control for phase locking (not shown in Fig. 1a) is deployed, by analysing the statistics of the reference signals as well as the signals for QRNG execution. The illustration of the time frame configuration of our QRNG is shown in Fig. 2b.
At this point, we emphasise that since our QRNG protocol does not require any characterisation of the measurement device (i.e., the homodyne detector), our efforts in loss and noise reduction, phase locking, etc. do not affect the soundness of the randomness certification, but will certainly improve the performance in terms of randomness generation rate, the system stability (which is related to the completeness of the protocol), etc.
Based on Theorem 1, the quantum leftover hash lemma, and the definition of the expected net randomness expansion rate given in Eq. (3), we first simulate the performance of our proposed protocol. The simulated net randomness expansion rate with QPSK modulation and QAM16 modulation are shown in Fig. 3a and b, respectively.
The parameters used in the experiment are listed in Table. 2, where the mean photon number ∣α∣^{2} of quantum states in QPSK format, the probability of choosing test rounds γ are optimised based on the system efficiency of our setup and the chosen security parameters, as shown in Fig. 4a, b. The relation of the expected net randomness expansion rate and the randomness consumed is shown in Fig. 4c.
According to the construction described in the “Methods” section ‘Formulating a P&M game’., we formulate the P&M game \({{{{{{{\mathcal{G}}}}}}}}\) used in our QRNG protocol as shown in Table. 3, which determines the probability of choosing settings for Alice’s input x and Bob’s input y for test rounds and the scoring rules. Based on our model of the honest implementation (refer to the “Methods” section ‘Twomode coherent state’ for details), we set ω = 0.59422 and δ = 0.00189 for the experiment, which represents the expected winning probability, and the confidence interval for the winning probability, respectively.
We collect n = 1 × 10^{10} rounds of data in the experiment, and obtain an observed winning probability of ω_{obs} = 0.59443, which is very close to the expected value. The number of rounds in which the players lost the game is 942820, which is within the acceptance range n_{lost} ≤ 946026. Hence, the protocol execution is accepted, and we could certify a gross randomness generation rate (the randomness generated by the protocol per round) of at least 0.00455 bits per round can be obtained by running the protocol. Considering the randomness invested for determining whether a given round is a test round and the inputs of Alice and Bob (x and y), the expected randomness consumption rate in our case is 0.00256 bits per round. Therefore, the expected net randomness expansion rate of our system is 0.00199 bits per round. The observed experimental results for test rounds are shown in Table 4.
Finally, we implement randomness extraction using Toeplitz hashing with the help of a random seed. Toeplitz hashing is a family of twouniversal hash functions, and it has been shown to be a strong randomness extractor^{32,35,36}. This means Toeplitz hashing not only extracts randomness from a weak entropy source, but also guarantees that the output string is independent of the seed. Thus, in this work, the seed required for randomness extraction is not considered as consumed randomness as the seed can be concatenated to the output due to the properties of a strong extractor.
We utilise a Zynq Ultrascale+ FPGA (XCZU28DR) to implement randomness extraction. We construct a Toeplitz matrix with the size of 45 × 10,000 to extract the random numbers from the raw data. To achieve a faster extraction speed, we further split the Toeplitz matrix into subblocks of size 45 × 1000 during the extraction. In total, the size of the raw data was 10.622 Gbits (we conservatively collected a bit more data than 1 × 10^{10}), and we extracted 47.8 Mbits of random numbers from it. The detailed implementation of Toeplitz hashing on FPGA is provided in Methods section ‘Randomness extraction’.
Discussion
In this section, we discuss the strengths and limitations of our work. Besides its high level of security due to its immunity to detection side channels, one of the main strengths of our protocol is its potential for miniaturisation. In the following, we discuss the feasibility of the proposed protocol to be implemented on silicon photonic integrated circuit (PIC), which is a leading platform for integratedphotonic applications with substantial advantages regarding miniaturisation, compatibility with CMOS microelectronics, and highspeed signal processing. The process design kits (PDKs) from major foundries can provide the key components on a single chip, with a decent performance stability for volume production^{37,38,39}.
By leveraging mature silicononinsulator (SOI) technology, the optical waveguide on silicon PIC is able to provide a low propagation loss and large integration density. The 2 × 2 beam spliter can be achieved by using either evanescent couplers or multimode interference (MMI) couplers.
For the highspeed optical modulation, the carrier depletion type modulators are available for quantum state preparation. While the highspeed Germanium photodetectors could be utilised for the homodyne detection on the optical quantum states.
The integrated laser, a critical component to our QRNG system, turns out to be a hurdle that impedes full system integration on a single silicon chip. This is because pure crystalline silicon lacks a direct bandgap precluding the possibility of monolithic silicon laser^{38}. Fortunately, recent integrated laser technology based on packaging or heterogeneous integration technologies could be adopted to address this problem^{37}.
In this, one of our main objectives is to validate experimentally the key concept of the proposed protocol and this ultimately boils down to achieving sufficient effective efficiency of the measurement device to demonstrate positive net randomness expansion rate. To that end, we require highefficiency PDs on silicon PICs. Fortunately, such highly efficient PDs are within the reach of current technology. For example, Globalfoundries offers PDs with >1 A/W responsivity at 1310 nm wavelength, which corresponds to a quantum efficiency of >94%^{40} while AIM Photonics provides ones with quantum efficiency >80% at 1550 nm wavelength^{41}. Moreover, there is more flexibility for the efficiency improvement if customised components can be used. Thus, a fully integrated version of our QRNG protocol is practically attainable with existing PIC technology.
At the system level, however, the main limitation of our current work is the relatively low randomness generation/expansion rate. We now discuss some reasons for the limited randomness expansion rate. One of the reasons is that we used Eve’s guessing probability to construct the mintradeoff function when applying the EAT. While the guessing probability can be easily computed using the SDP relaxation, this construction is generally not tight. Recently, a tight bound on the conditional von Neumann entropy that is also compatible with our SDP relaxation was developed^{42}. It would be interesting to see if one can obtain an improvement in the randomness expansion rate by incorporating the new bound on the conditional von Neumann entropy.
Another reason for the limited randomness expansion rate is that we coarsegrained the homodyne detection output. Indeed, here we considered a measurement device that gives a binary output; whereas in practice, the homodyne measurement actually has a large number of discrete bins determined by the ADC circuit. The coarsegraining was done to simplify the protocol as it allows us to simply monitor the winning probability in the parameter estimation step. However, our security analysis can be extended to consider more outputs using the framework of ref. ^{30}. Nevertheless, there is a tradeoff between the number of outputs used in the protocol and the randomness generation rate as finegraining the outputs would enhance the effect of the statistical fluctuations as the probability of obtaining each bin gets smaller. Finding the optimal number of bins for the measurement outputs deserve a deeper investigation in the future.
Next, our protocol also demands relatively high detection efficiency to generate net randomness expansion. As there is a tradeoff between the electronic noise (and its equivalent efficiency loss) and the working bandwidth of the system, the working frequency in our experiment is relatively low which results in the low randomness generation rate. One of the reasons for the high detection efficiency requirement is the choice of states used in the protocol. In our experiment, we use the QPSK encoding for the simplicity of the experiment. However, this choice of states may be suboptimal. For example, as shown in Fig. 3b, a significant increase in the randomness expansion per pulse and decrease in the required detection efficiency can be seen by choosing the QAM16 constellation. This would lead to a significant increase in the actual randomness expansion rate.
Finally, in this work, we assume that the device is sufficiently isolated from the environment such that any quantum side information that is accessible to the adversary was obtained before the start of the protocol. While this assumption can be well justified for QRNGs as both parties are inside in the same secure location, it could still be removed using the recently developed generalisation of the EAT^{43,44}. The relaxed assumption may be relevant in a more pessimistic scenario where the device is surrounded by an insecure environment such that any photons that are scattered in the channel might fall into the adversary’s hands. Since the bound in the generalised EAT is similar to the one derived under the original entropy accumulation framework (with slightly different correction terms), we expect that our QRNG could still exhibit randomness expansion in the more pessimistic scenario. We leave this investigation for future work.
To summarise, we present a QRNG protocol based on a completely uncharacterised homodyne detector. The security analysis takes into account the finite size effects and the noni.i.d. measurement process, providing random number generation that is certified in the presence of quantum side information. To verify the feasibility of the protocol, we set up a highefficiency and low noise fibrecoupled homodyne detector for experiment. The averaged quantum efficiency of the photodiode pair is 98.55% at 1550 nm, and the clearance is measured to be 16.94 dB with a 10 mW LO input. The effective efficiency of the homodyne detector is characterised to be 91.7%. In order to have a proper implementation of our protocol and remove potential signal distortions, we come up with a complementary modulation scheme and adopt the twomode coherent states for quantum state preparation. This guarantees both the modulation signals and measurement outcomes are DCbalanced data streams, for any experimental setting during the QRNG protocol execution. The system works at a repetition rate of 2.5 MHz, and finally obtain a gross randomness generation rate of 0.00455 and a net randomness expansion rate of 0.00199, with a 1 × 10^{10} rounds of protocol execution. In addition, we show that our protocol is compatible with the silicon photonics platform and is readily implementable on silicon PIC.
In conclusion, our results exhibit a practical QRNG with selftesting feature and provable security, showing a great potential for providing certifiable randomness for practical and private use.
Methods
Randomness certification
Before we explain the randomness certification of the protocol, we shall first explain the security criterion of the protocol. Consider a randomness generation protocol that produces an output string, which we label as Z. In a selftesting protocol such as ours, it is common that the legitimate parties exchange some classical information during the protocol (e.g., in the parameter estimation step). We denote the transcript of any classical communication in the protocol by M. Suppose also that the protocol involves seeded randomness extraction. We shall denote the seed used for the randomness extraction by S. Finally, any side information that is available to Eve will be denoted by E. For a given run of the protocol, let us suppose that its output can be described using the quantum state
Here, we account for the probability that the protocol may abort (in which case, we denote the output of the protocol by \(\varnothing\)). Furthermore, τ_{l} denotes the uniformly random string with length l denoted in the subscript and \({\tilde{\rho }}_{{{{{{{{\bf{M}}}}}}}}E}^{\varnothing }\) describes the subnormalised state of Eve’s side information and the classical transcript when the protocol aborts. On the other hand, the subnormalised state \({\tilde{\sigma }}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}\) in the second term describes the state when the protocol is not aborted
where the summation is taken over all possible output and seed strings, which we denote by z and s. The subnormalised state \({\tilde{\rho }}_{{{{{{{{\bf{M}}}}}}}}E}^{z,\, s}\) is the state describing Eve’s side information and the classical transcript conditioned on the output string being z and the seed string being s. Denoting the event in which the protocol is not aborted by Ω, we have
Normalising the state in which the protocol is not aborted, we obtain \({\sigma }_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}: ={\tilde{\sigma }}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}/\Pr [\Omega ]\). We say that the QRNG is ε_{sou}sound if
for a fixed ε_{sou} ∈ (0, 1). Here, \({\sigma }_{{{{{{{{\bf{M}}}}}}}}E} ={{{{{{{{\rm{Tr}}}}}}}}}_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}}[{\sigma }_{{{{{{{{\bf{Z}}}}}}}}{{{{{{{\bf{S}}}}}}}}{{{{{{{\bf{M}}}}}}}}E}]\). Informally speaking, the soundness of the protocol would imply that either the protocol aborts with high probability or the output of the protocol would be close (in tracedistance) to a random string with length ℓ that is independent of the seed S, any classical information being exchanged in the protocol M, and Eve’s side information E. Importantly, the above security definition is composable. Hence, the output of the protocol can be securely used for other cryptographic applications.
However, a protocol that always aborts would trivially satisfy the soundness condition given in Eq. (7), and such a protocol is clearly undesirable. Therefore, we also impose an additional requirement that the protocol would succeed with high probability of producing a random string when the device works as expected. Formally, we call a protocol ε_{com}complete if its honest implementation (which may use imperfect devices) satisfy the following
for some fixed ε_{com} ∈ (0, 1). Note that the subscript “honest” emphasises that Pr[Ω]_{honest} is calculated with the assumption that the device works as expected, in particular, independently and identically for each round. In this case, we normally model the behaviour of the device, including its imperfection, and calculate the probability of the protocol aborting (e.g., due to statistical fluctuations in the parameter estimation) in such scenario.
Next, to analyse the security of the protocol, we shall assume the following:

1.
Quantum theory is correct.

2.
Alice has a trusted source of quantum states that can accurately prepare the code states specified by the protocol.

3.
The device is equipped with trusted and private random seed.

4.
The device has access to trusted classical devices to perform any classical postprocessing.

5.
The device is well isolated such that it does not leak additional quantum side information nor the output string.
Now, we shall briefly elaborate the assumptions mentioned above. The first assumption is normally taken for granted as quantum theory is the best available description of nature at small scale that we currently have. As such, throughout this paper, we shall assume that Eve and the devices used in the protocol obey the laws of quantum physics.
The second assumption can be practically justified by careful characterisation of Alice’s source. As the scenario that is relevant for QRNG considers the case where Alice and Bob are located in close proximity to each other, one could reasonably believe that the source is well protected from source sidechannel attacks that are possible in other quantum crytographic protocols (for example, Trojan horse attacks in QKD^{45}). In particular, we assume that the source behaves identically and independently in each round.
The third assumption is necessary because the measurement device which generates the raw random string in this protocol is uncharacterised. If the inputs are not chosen from a trusted random number generator, one possible scenario is that the uncharacterised measurement device could have access to the inputs before the protocol is run. In this case, it is trivial to reproduce the statistics obtained by the honest implementation of the protocol. Moreover, as our randomness certification would utilise the EAT, using a trusted random number generator could enforce the quantum Markov chain condition. Lastly, the last step of the protocol uses seeded extraction, which requires a private and uniformly random seed.
The fourth assumption is necessary for any QRNG protocol to prevent the security criteria from being trivially broken. For example, when the randomness extraction is not executed properly, it is clear that the soundness criterion may not be satisfied. Furthermore, when the output string is leaked, it is trivial to guess the output of the QRNG.
The last assumption is necessary for two reasons. Firstly, it is obvious that the security of the protocol is null when the device leaks the output string. Secondly, due to some technicality with the EAT, we need to assume that the quantum side information available to Eve is not updated as the protocol is run. It is worth noting that this assumption is not too restrictive for QRNGs since Alice and Bob are both inside the same secure location. Recently, there is a generalised version of the EAT^{43,44} that allows Eve’s quantum side information to be updated as the protocol is run and hence, it would be interesting to see if the assumption that the device does not leak additional quantum side information can be relaxed.
Having mentioned the assumptions we need in the security analysis, we emphasise again that we do not make any assumptions on the measurement device and the quantum channel. In particular, in a given round, the behaviour of these components can have arbitrary correlation to their inputs and outputs in the preceding rounds (unlike the source which we assumed to behave independently and identically in each round). Remarkably, our protocol remains secure even if there is a degradation in the homodyne detector or when Eve has some preshared entanglement with Bob’s uncharacterised measurement device.
As elaborated previously, we want our protocol to satisfy both soundness and completeness criteria. We first prove the completeness of our QRNG protocol. To that end, we use the following theorem.
Theorem 2
(Bounds on the binomial cumulative distribution^{46,47}) Let \(n\in {\mathbb{N}}\), p ∈ (0, 1) and let X be a random variable distributed according to X ~ Binomial(n, p). Then, for any integer k such that 0 ≤ k < n, we have
where
Since the protocol is aborted if \(\left\{{C}_{i}:{C}_{i} =0\}\right\, > \, n\gamma (1\omega+\delta )\), we can apply Theorem 2, in the same way as in ref. ^{9}, to get the following upper bound on the probability of the protocol being aborted
Hence, by choosing the completeness error as
our QRNG protocol would satisfy the completeness condition.
Next, to prove the soundness of our QRNG protocol, we shall use the following Quantum Leftover Hash Lemma (Theorem 8 of ref. ^{33}).
Theorem 3
(Quantum Leftover Hash Lemma^{33}) Let \({\rho }_{{{{{{{{\bf{B}}}}}}}}{E}^{{\prime} }}\) be a classicalquantum state and \({{{{{{{\mathcal{F}}}}}}}} =\{{f}_{s}:{\{0,\, 1\}}^{n}\to {\{0,\, 1\}}^{\ell }\}\) be a twouniversal hash family with Z = f_{s}(B) and the seed S ∈ {0, 1}^{m} is chosen uniformly. Let 0 < κ ≤ ε/2 < 1, we have
where τ_{ℓ} and τ_{m} are the uniform random strings of length ℓ and m respectively. Consequently, if we choose the output length to be
where the maximisation is taken over κ ∈ (0, ε/2], then, we have
On the other hand, for a fixed smoothing parameter ϵ_{s}, the EAT (Theorem 1) guarantees that either the protocol aborts with probability of at least 1 − ϵ_{EA} (i.e. the probability that the protocol is not aborted is upper bounded by ϵ_{EA}) or the conditional smooth minentropy \({H}_{\min }^{{\epsilon }_{s}}{({{{{{{{\bf{B}}}}}}}}{{{{{{{\bf{M}}}}}}}},\, E)}_{{\rho }^{\Omega }}\) (here, M consists of the registers T, X, and Y) is lower bounded by a certain amount. By identifying the register \({E}^{{\prime} }\) in Theorem 3 as the register ME in the soundness criterion, we can choose the soundness error ε_{sou} to be
In this case, EAT either upper bounds Pr[Ω] by ϵ_{EA} or—in conjunction with the Quantum Leftover Hash Lemma—guarantees that the tracedistance term (for the state in which the protocol is not aborted) in the soundness criteria is smaller than 2(ϵ_{s} + κ). Hence, our choice of ε_{sou} ensures that the protocol is sound in both cases considered by the EAT. In this work, we choose ε_{sou} = ϵ_{EA} = 2(ϵ_{s} + κ) where κ is chosen to maximise the expected net expansion rate.
We shall now discuss the technical details of Theorem 1. Firstly, to apply the EAT, it is important to ensure that the socalled Markov condition is satisfied during the execution of the protocol. More precisely, we want that for any round i ∈ [n], we need
where I(A: B∣C) denotes the quantum mutual information between A and B conditioned on C. Here, B_{[i]} denotes the string (B_{1}, B_{2}, . . . B_{i}) that describes the measurement outcomes from the first round until the ith round. X_{[i]}, Y_{[i]}, T_{[i]} are defined similarly. To enforce the Markov condition in the protocol, we implement each round sequentially and we choose the inputs for each round from a trusted and private random seed which is independent from the inputs and outputs from the preceding rounds. We also isolate the device such that Eve does not obtain additional quantum side information as we execute the protocol.
The next ingredient we need is the socalled mintradeoff function f (for its formal definition, we refer the readers to Definition II.4 of ref. ^{30}). The mintradeoff function is, roughly speaking, an affine lower bound on the worst case singleround conditional von Neumann entropy H(B_{i}∣X_{i}, Y_{i}, T_{i}, R) that is “compatible” with the probability distribution over \({{{{{{{\mathcal{C}}}}}}}} =\{\perp,\, 0,\, 1\}\) for random variable C_{i}. Here, R is a quantum register that is isomorphic to the premeasured state in round i.
To construct the mintradeoff function, we follow the framework presented in ref. ^{30} in the context of deviceindependent randomness expansion. A key difference here is that we use the bound on the conditional von Neumann entropy derived in the Theorem 14 of ref. ^{48}
instead of the bound based on conditional minentropy used in ref. ^{30}. While both bounds are based on the guessing probability p_{g}(B_{i}∣X_{i} = 0, Y_{i} = 0, T_{i} = 0, R), the bound that we used here is significantly tighter than the one given by conditional minentropy in the parameter regime in which the experiment is conducted. Another advantage is that the bound that we use is already linear, and as such, we do not need to perform the linearisation that was performed in ref. ^{30} to obtain an affine mintradeoff function.
To bound the guessing probability, we use the semidefinite programming (SDP) technique proposed in ref. ^{31} instead of the Navascues–Pironio–Acin (NPA) hierarchy^{49,50} used in ref. ^{30}. Both techniques are two similar hierarchies of SDP relaxation that bound the set of quantum correlations; the latter is for the deviceindependent scenario while the former is appropriate for the prepareandmeasure architecture considered in our protocol. For a fixed level of relaxation k, a given P&M game \({{{{{{{\mathcal{G}}}}}}}}\), characterised by the scoring coefficients \({w}_{b,x,y} =q(x,\, y){\delta }_{b,{b}_{xy}}\), and some winning probability ν, the SDP for the guessing probability has the following primal form
Here, \({\{{M}_{by}\}}_{b,y}\) denotes Bob’s POVM elements, \({\{{\Pi }_{e}\}}_{e}\) denotes the POVM elements acting on the system R and \({{{{{{{\mathcal{U}}}}}}}}:\left{\psi }_{x}\right\rangle \to \left{\phi }_{x}\right\rangle\) denotes the isometry describing the unknown quantum channel connecting Alice and Bob. From the dual solution of (17), we can obtain a bound on the guessing probability of the form
Here, p = (1 − p, p) is the score distribution of the device while λ_{ν} and c_{ν} are the dual solutions to the SDP (17). We emphasise that ν is a parameter that we can choose freely and it does not have to be the actual winning probability that is attained by the device.
Following the arguments in ref. ^{30}, consider the affine function g_{ν}, which maps a distribution over \({{{{{{{\mathcal{C}}}}}}}}\setminus \{\perp \}\) to a real number
where e_{c} is the probability distribution where its cth entry is 1 and the other entries are zeros. Then, for some constant u_{⊥} that we shall determine later, the following function f_{ν} is a mintradeoff function
To find the worst case over all distributions which lead to the protocol being accepted, we repeat the argument presented in ref. ^{9} here. First, we use the condition for the protocol to be accepted, freq_{C}(0) ≤ γ(1 − ω + δ), to deduce that if u_{⊥} ≥ g_{ν}(e_{0}), then we have
Now, we demand that u_{⊥} ≤ g_{ν}(e_{1}) and hence, the second term on the righthand side can be dropped
This is increasing with u_{⊥} and hence, it is best to fix u_{⊥} = g_{ν}(e_{1}). We have
where the adjusted score \(\tilde{{{{{{{{\boldsymbol{\omega }}}}}}}}} =(1\omega+\delta,\, \omega \delta )\). Thus, we have obtained the function f in Theorem 1.
Lastly, we have to calculate the correction terms V and K. To that end, we need to consider a few properties of the mintradeoff function. They are the following

1.
Maximum over all probability distributions
where \({{{{{{{{\mathcal{P}}}}}}}}}_{{{{{{{{\mathcal{C}}}}}}}}}\) is the set of all valid probability distributions.

2.
Minimum over all protocol respecting distributions
where Γ denotes the set of distributions of the form (γω, 1 − γ). We call such distribution a protocol respecting distribution.

3.
The maximum variance over all protocol respecting distributions
To compute these quantities, we consider the maximum and minimum attainable value of g_{ν} (over all distributions) as
where \({\lambda }_{\min } =\mathop{\min}\limits_{c}{{{{{{{{\boldsymbol{\lambda }}}}}}}}}_{\nu }\) and \({\lambda }_{\max } =\mathop{\max}\limits_{c}{{{{{{{{\boldsymbol{\lambda }}}}}}}}}_{\nu }\). Note that the choice of g_{ν}(e_{0}) ≤ u_{⊥} = g_{ν}(e_{1}) implies that \({u}_{\perp } ={{{{{{{\rm{Max}}}}}}}}[{g}_{\nu }]\). Therefore, we are dealing with similar mintradeoff functions as those considered in refs. ^{29,30}, where we have the following relations
Based on the above relations, we can calculate the correction terms V and K. Following ref. ^{30}, the correction term V(γ, f_{ν}) is given by
On the other hand, the other correction term K(β, γ, f_{ν}) is given by
Having specified the functions f_{ν}, V and K, we can now apply Theorem 1 and Theorem 3 to prove the soundness of our QRNG protocol. This concludes the randomness certification of the protocol.
Input randomness
In the previous section, we have shown that if the extracted length ℓ is chosen according to Eq. (13), our QRNG protocol can generate randomness securely. However, for our QRNG protocol to be practically useful, we may also demand that, on average, it produces more randomness than the one consumed to run the protocol.
In this work, as we consider strong extractors for the randomness extraction, it is sufficient to consider the randomness consumed to choose the inputs T, X and Y as we can treat the extractor seed as part of the output. As the optimal input distribution is biased, one could either use a biased random seed or convert a uniform random seed into a biased one (for example, using the interval algorithm^{51}). We denote the expected length of random bit string used to generate the inputs by ℓ_{in}. The expected input randomness ℓ_{in} is approximately the Shannon entropy of the inputs (up to some small overhead that is negligible for large block sizes)
where we have used the fact that the inputs for each round are chosen independently from the ones from the preceding rounds and we also used the chain rule for Shannon entropy. Here, h_{2}(γ) is the binary entropy function and H(q) is the Shannon entropy of the input distribution {q(x, y)}_{x,y}.
Homodyne detector modelling and characterisation
We model the homodyne detector from two aspects: optical loss and the electronic noise.
The optical loss arises from two main parts. The insertion loss of the BS, and the imbalance of the homodyne detection, which is caused by the efficiency mismatch of the two photodiodes and the imperfect BS splitting ratio.
We first characterise the photon detection efficiency of the photodiodes, which includes the quantum efficiency of the photodiodes, coupling loss to the photodiodes, and the insertion loss of the fibrepigtailed GRIN lenses, with an optical power metre (EXFO PM1100) and a Source Measurement Unit (Keysight U2722A).
The GRIN lenses used are antireflectioncoated in the range of 1250–1650 nm, with an average reflection of <0.2%. In addition, the waist diameter of the output light beam is in the order of 10 µm, which is much smaller than the diameter of the active region of our PD (100 µm). We measure the detection efficiency of the two photodiodes, including the coupling loss and the insertion loss, by putting a reverse bias at the working voltage of the photodiode, giving a constant power input light from the laser, and measuring the photocurrent by the Source Measurement Unit. The efficiency of the two photodiodes is deduced from the ratio of the measured photocurrent and the input power to be 98.3% and 98.8%, respectively.
The splitting ratio of the beam splitter is measured to be 50.4:49.6, and the insertion loss is 0.2 dB. By matching the beam splitter with the PDs, and carefully balancing the amplitudes of the two arms, we gradually increase the input LO power with a variable optical attenuator (Yokogawa AQ2200311A) and obtain the noise measurements. For frequency domain measurement, a spectrum analyser (Rohde & Schwarz FSV40) is used, with a resolution bandwidth of 1 MHz and a video bandwidth of 5 MHz. For the measurement of the noise variance and clearance, an oscilloscope (Tektronix MSO64 BW 2.5 GHz) is utilised.
The characterisation results are shown in Fig. 1d, e. With a 10 mW LO input, a clearance of 16.94 dB is obtained. Under the assumption that the electronic noise of homodyne detector possesses a Gaussian distribution and is independent of the measured optical signal, we follow the model proposed in ref. ^{52} and treat the effect of the electronic noise as equivalent to efficiency loss. In our case, an equivalent efficiency of 97.98% is estimated.
Taking all the factors into consideration, the total effective efficiency of our homodyne detector is characterised to be 91.7%.
Twomode coherent states
Twomode coherent states are used in our system for quantum state preparation. Here, we give the basic form of the quadrature operator of the twomode coherent state, and show that the quadrature value can be obtained by combining the quadrature values of individual temporal modes.
Without loss of generality, we define the creation (annihilation) operators of the early and late temporal modes by \({\hat{a}}_{e}^{{{{\dagger}}} }\) (\({\hat{a}}_{e}\)) and \({\hat{a}}_{l}^{{{{\dagger}}} }\) (\({\hat{a}}_{l}\)), respectively. Therefore, the quantum state composed of coherent states in both temporal modes can be expressed by:
where \({\alpha }_{t}=\sqrt{{\alpha }_{e}{}^{2}+{\alpha }_{l}{}^{2}}\) and \({\hat{a}}_{t}^{{{{\dagger}}} } =\frac{1}{\left{\alpha }_{t}\right}({\alpha }_{e}{\hat{a}}_{e}^{{{{\dagger}}} }+{\alpha }_{l}{\hat{a}}_{l}^{{{{\dagger}}} })\) represent the amplitude and the creation operator of the new twomode coherent state, respectively. In our case, we have \(\left{\alpha }_{l}\right\rangle =\left{\alpha }_{e}\right\rangle\), \({\alpha }_{t}=\sqrt{2}\alpha\), and \({\hat{a}}_{t}^{{{{\dagger}}} } =1/\sqrt{2}({\hat{a}}_{e}^{{{{\dagger}}} }{\hat{a}}_{l}^{{{{\dagger}}} })\).
As a result, the quadrature operator of the twomode coherent states can be obtained (in ShotNoise Unit):
Hence, the quadrature value of the twomode coherent state q_{t} satisfies
Formulating a P&M game
Previously, we took for granted that our QRNG protocol specifies a P&M game that is used to test whether the devices are working as expected. However, constructing a game that is optimal for certifying randomness generation is a nontrivial task. In this section, we use the SDP duality to construct a P&M game that can asymptotically witness the same amount of randomness that is certified by full inputoutput probability distribution {P(b∣x, y)}_{b,x,y}. The idea behind our method is to find a linear function of the inputoutput probability distribution that witnesses the randomness generated by Bob’s measurement. Then, from this linear function, we could derive the input distribution q(x, y) and the winning outputs b_{xy}. Similar constructions have been used in deviceindependent quantum information processing to construct an optimal Bell inequality for certifying randomness^{53,54} and selftesting^{55}.
Asymptotically, we expect that the full inputoutput probability distribution should be optimal for witnessing randomness as it contains the full statistical information about the devices’ behaviour. Let us now suppose that the expected inputoutput probability distribution is known (either by modelling the honest implementation or calibrating the device prior to the protocol). To construct a game that could optimally certify the amount of randomness, we shall consider the following SDP for the guessing probability subject to the full inputoutput probability distribution.
Suppose that the optimal dual solution to (36) for the kth level of relaxation is given by
where ξ_{0} is associated with the nonstatistical constraints. Any feasible dual solution is a linear function of the inputoutput distribution that upper bounds the guessing probability. As such, the set of feasible dual solutions to the SDP gives a family of linear upper bounds on the guessing probability while \({\hat{d}}_{k}\) is the tightest upper bound on the guessing probability among the family (in fact, it is “tight” up to the semidefinite relaxation^{31} of the set of quantum correlations and any duality gap).
Now, for each pair of inputs (x, y), we define \({b}_{xy}^{{\prime} }\) and \({b}_{xy}^{{\prime\prime} }\) such that \(\xi ({b}_{xy}^{{\prime} },\, x,\, y)\ge \xi ({b}_{xy}^{{\prime\prime} },\, x,\, y)\). We consider
where in the first equality we use the normalisation constraint. Noting that we are just subtracting a constant from \({\hat{d}}_{k}\), expression (38) is still an almost tight witness on the guessing probability. Finally, we could also divide the above expression by a constant and the resulting expression
with
would still be an almost tight witness on the guessing probability. By construction, {q(x, y)}_{x,y} is a valid probability distribution. Moreover, as \({b}_{xy}^{{\prime} }\) is defined such that \({\hat{d}}_{k}\) (and hence, the bound on the guessing probability) would be higher when \(P({b}_{xy}^{{\prime} }x,\, y)\) increases, we could interpret \({b}_{xy}^{{\prime} }\) as the losing outcome (i.e., we assign the score C = 0) when the inputs x and y are chosen and q(x, y) as the probability of choosing this pair of inputs. In this case, the game \({{{{{{{\mathcal{G}}}}}}}}\) is defined as one where for Alice and Bob choose the inputs (x, y) with probability q(x, y) and the winning outcome is given by \({b}_{xy} ={b}_{xy}^{{\prime\prime} }\).
The game construction that we have described above is almost optimal to witness the generated randomness. However, the construction may not minimise the randomness consumed to choose the inputs and hence, its performance in terms of the expanded randomness may be far from optimal. Formulating the optimal game construction that maximises the net randomness expansion rate would be an interesting direction for future work.
Randomness extraction
Toeplitz hashing utilises a Toeplitz matrix, H. The Toeplitz matrix is an m × n diagonalconstant matrix, and it is constructed by filling up the first column and first row of the matrix with a uniform seed, denoted by S. Thus, the seed length required for Toeplitz hashing is n + m − 1 bits. Toeplitz matrix H can be expressed as
The hashing is done by expressing the raw bits as a column vector and performing matrixvector multiplication with the Toeplitz matrix. We used the calculated bit generation rate of 0.00455 and constructed a Toeplitz matrix H with the parameters m = 45 and n = 10,000.
A field programmable gate array (FPGA) is the chosen platform for implementation of Toeplitz hashing. The schematic of our postprocessing on FPGA is shown in Fig. 5. The raw data is stored on a personal computer (PC) and sent in batches of approximately 600 Mbits via 1G Ethernet to the FPGA. Upon receiving the batch of raw data, the processing system (PS) on FPGA sends in 10 kbits of data to the programmable logic (PL), where the data will be further split into 10 batches of 1 kbits each. The multiplexing of raw data and seed is done via pipelining and the Toeplitz hashing algorithm is executed in parallel. The PS then receives the output of 45 bits from PL, and sends in a new set of 10 kbits of data to PL, repeating until all the data in the current batch has been processed. The PS then sends the extracted random numbers of the current batch to PC via Ethernet and waits for a new batch, until all 10.622 Gbits of raw data has been processed.
Data availability
All of the data that support the findings of this study are available in the main text. Source data are available from the corresponding author on request.
Code availability
The codes used for simulation are available from the corresponding author on request.
References
Acín, A. & Masanes, L. Certified randomness in quantum physics. Nature 540, 213 (2016).
Ma, X., Yuan, X., Cao, Z., Qi, B. & Zhang, Z. Quantum random number generation. npj Quantum Inf. 2, 16021 (2016).
HerreroCollantes, M. & GarciaEscartin, J. C. Quantum random number generators. Rev. Mod. Phys. 89, 015004 (2017).
Smith, P., Marangon, D., Lucamarini, M., Yuan, Z. & Shields, A. Outofband electromagnetic injection attack on a quantum random number generator. Phys. Rev. Appl. 15, 044044 (2021).
Pironio, S. et al. Random numbers certified by Bell’s theorem. Nature 464, 1021 (2010).
Shen, L. et al. Randomness extraction from Bell violation with continuous parametric downconversion. Phys. Rev. Lett. 121, 150402 (2018).
Liu, Y. et al. Highspeed deviceindependent quantum random number generation without a detection loophole. Phys. Rev. Lett. 120, 010503 (2018).
Shalm, L. K. et al. Deviceindependent randomness expansion with entangled photons. Nat. Phys. 17, 452 (2021).
Liu, W.Z. Deviceindependent randomness expansion against quantum side information. Nat. Phys. 17, 448 (2021).
Hensen, B. et al. Loopholefree Bell inequality violation using electron spins separated by 1.3 kilometres. Nature 526, 682 (2015).
Raffaelli, F. et al. A homodyne detector integrated onto a photonic chip for measuring quantum states and generating random numbers. Quantum Sci. Technol. 3, 025003 (2018).
Zhang, G. et al. An integrated silicon photonic chip platform for continuousvariable quantum key distribution. Nat. Photonics 13, 839 (2019).
Tasker, J. F. et al. Silicon photonics interfaced with integrated electronics for 9 GHz measurement of squeezed light. Nat. Photonics 15, 11 (2021).
Bai, B. et al. 18.8 Gbps realtime quantum random number generator with a photonic integrated chip. Appl. Phys. Lett. 118, 264001 (2021).
Schleich, W. P. Quantum Optics in Phase Space, 1st edn. (WileyVCH, 2001).
Braunstein, S. L. Homodyne statistics. Phys. Rev. A 42, 474 (1990).
Laudenbach, F. et al. Continuousvariable quantum key distribution with gaussian modulation – the theory of practical implementations. Adv. Quantum Technol. 1, 1800011 (2018).
Gabriel, C. et al. A generator for unique quantum random numbers based on vacuum states. Nat. Photonics 4, 711 (2010).
Gehring, T. et al. Homodynebased quantum random number generator at 2.9 Gbps secure against quantum sideinformation. Nat. Commun. 12, 605 (2021).
Shen, Y., Tian, L. & Zou, H. Practical quantum random number generator based on measuring the shot noise of vacuum states. Phys. Rev. A 81, 063814 (2010).
Lvovsky, A. I. & Raymer, M. G. Continuousvariable optical quantumstate tomography. Rev. Mod. Phys. 81, 299 (2009).
MüllerQuade, J. & Renner, R. Composability in quantum cryptography. New J. Phys. 11, 085006 (2009).
Renner, R., Security of Quantum Key Distribution, Ph.D. thesis, ETH Zurich (2005), available at https://arxiv.org/abs/quantph/0512258.
Portmann, C. & Renner, R. Security in quantum cryptography. Rev. Mod. Phys. 94, 025008 (2022).
Bell, J. S. On the EinsteinPodolskyRosen paradox. Physics Physique Fizika 1, 195 (1964).
Brunner, N., Cavalcanti, D., Pironio, S., Scarani, V. & Wehner, S. Bell nonlocality. Rev. Mod. Phys. 86, 419 (2014).
Dupuis, F., Fawzi, O. & Renner, R. Entropy accumulation. Commun. Math. Phys. 379, 867 (2020).
ArnonFriedman, R., Dupuis, F., Fawzi, O., Renner, R. & Vidick, T. Practical deviceindependent quantum cryptography via entropy accumulation. Nat. Commun. 9, 459 (2018).
Dupuis, F. & Fawzi, O. Entropy accumulation with improved secondorder term. IEEE Trans. Information Theory 65, 7596 (2019).
Brown, P. J., Ragy, S. & Colbeck, R. A framework for quantumsecure deviceindependent randomness expansion. IEEE Trans. Information Theory 66, 2964 (2019).
Wang, Y., Primaatmaja, I. W., Lavie, E., Varvitsiotis, A. & Lim, C. C. W. Characterising the correlations of prepareandmeasure quantum networks. npj Quantum Inf. 5, 17 (2019).
Tomamichel, M., Schaffner, C., Smith, A. & Renner, R. Leftover hashing against quantum side information. IEEE Transactions on Information Theory 57, 5524 (2011).
Tomamichel, M. & Hayashi, M. A hierarchy of information quantities for finite block length analysis of quantum tasks. IEEE Trans. Information Theory 59, 7693 (2013).
MacDermott, T., Wireless Digital Communications: Design and Theory 2nd edn. (TAPR, 1998).
Krawczyk, H. LFSRbased hashing and authentication. In: Advances in CryptologyCRYPTO’94 Vol. 839 (ed. Desmedt, Y. G.) 129 (Springer, 1994).
Krawczyk, H. in Advances in Cryptology—UROCRYPT ’95, Lecture Notes in Computer Science (eds Guillou, L. C. & Quisquater, J.J.) 301–310 (Springer, 1995).
Pavesi, L. & Lockwood, D. J. (eds). Silicon Photonics III: Systems and Applications, Topics in Applied Physics, Vol. 122 (Springer, 2016) http://link.springer.com/10.1007/9783642105036.
Siew, S. Y. et al. Review of silicon photonics technology and platform development. J. Light. Technol. 39, 4374 (2021).
O’Brien, J. L. & Furusawa, A. Photonic quantum technologies. Nat. Photonics 3, 687 (2009).
Giewont, K. et al. 300mm monolithic silicon photonics foundry technology. IEEE J. Sel. Top. Quantum Electron. 25, 1 (2019).
Fahrenkopf, N. M. et al. The AIM photonics MPW: a highly accessible cutting edge technology for rapid prototyping of photonic integrated circuits. IEEE J.Sel. Top. Quantum Electron. 25, 1 (2019).
Brown, P., Fawzi, H. & Fawzi, O. Deviceindependent lower bounds on the conditional von Neumann entropy. Preprint at: https://arxiv.org/abs/2106.13692 (2021).
Metger, T., Fawzi, O., Sutter, D. & Renner, R. Generalised entropy accumulation. In: 2022 IEEE 63rd Annual Symposium on Foundations of Computer Science (FOCS), Denver, CO, USA, 844–850 (2022). https://doi.org/10.1109/FOCS54457.2022.00085.
Metger, T. & Renner, R. Security of quantum key distribution from generalised entropy accumulation. Preprint at https://arxiv.org/abs/2203.04993 (2022).
Gisin, N., Fasel, S., Kraus, B., Zbinden, H. & Ribordy, G. Trojanhorse attacks on quantumkeydistribution systems. Phys. Rev. A 73, 022320 (2006).
Alfers, D. & Dinges, H. A normal approximation for beta and gamma tail probabilities. Zeit. Wahrscheinlichkeitstheorie verwandte Gebiete 65, 399 (1984).
Zubkov, A. M. & Serov, A. A. A complete proof of universal inequalities for the distribution function of the binomial law. Theory Probab. Appl. 57, 539 (2013).
Audenaert, K. M. R. Quantum skew divergence. J. Math. Phys. 55, 112202 (2014).
Navascués, M., Pironio, S. & Acín, A. Bounding the set of quantum correlations. Phys. Rev. Lett. 98, 010401 (2007).
Navascués, M., Pironio, S. & Acín, A. A convergent hierarchy of semidefinite programs characterizing the set of quantum correlations. New J. Phys. 10, 073013 (2008).
Hoshi, M. Interval algorithm for random number generation. IEEE Trans. Information Theory 43, 599 (1997).
Appel, J., Hoffman, D., Figueroa, E. & Lvovsky, A. I. Electronic noise in optical homodyne tomography. Phys. Rev. A 75, 035802 (2007).
NietoSilleras, O., Pironio, S. & Silman, J. Using complete measurement statistics for optimal deviceindependent randomness evaluation. New J. Phys. 16, 013035 (2014).
Bancal, J.D., Sheridan, L. & Scarani, V. More randomness from the same data. New J. Phys. 16, 033011 (2014).
Bancal, J.D., Navascués, M., Scarani, V., Vértesi, T. & Yang, T. H. Physical characterization of quantum devices from nonlocal correlations. Phys. Rev. A 91, 022115 (2015).
Stefanov, A., Gisin, N., Guinnard, O., Guinnard, L. & Zbinden, H. Optical quantum random number generator. J. Mod. Opt. 47, 595 (2000).
Jennewein, T., Achleitner, U., Weihs, G., Weinfurter, H. & Zeilinger, A. A fast and compact quantum random number generator. Rev. Sci. Instrum. 71, 1675 (2000).
Symul, T., Assad, S. & Lam, P. K. Real time demonstration of high bitrate quantum random number generation with coherent laser light. Appl. Phys. Lett. 98, 231103 (2011).
Haw, J. Y. et al. Maximization of extractable randomness in a quantum randomnumber generator. Phys. Rev. Appl. 3, 054004 (2015).
Gehring, T. et al. Homodynebased quantum random number generator at 2.9 Gbps secure against quantum sideinformation. Nat. Commun. 12, 605 (2021).
Marangon, D. G., Vallone, G. & Villoresi, P. Sourcedeviceindependent ultrafast quantum random number generation. Phys. Rev. Lett. 118, 060503 (2017).
Michel, T. et al. Realtime sourceindependent quantum randomnumber generator with squeezed states. Phys. Rev. Appl. 12, 034017 (2019).
Smith, P. R., Marangon, D. G., Lucamarini, M., Yuan, Z. L. & Shields, A. J. Simple source deviceindependent continuousvariable quantum random number generator. Phys. Rev. A 99, 062326 (2019).
Cao, Z., Zhou, H., Yuan, X. & Ma, X. Sourceindependent quantum random number generation. Phys. Rev. X 6, 011020 (2016).
Avesani, M., Marangon, D. G., Vallone, G. & Villoresi, P. Sourcedeviceindependent heterodynebased quantum random number generator at 17 Gbps. Nat. Commun. 9, 5365 (2018).
Drahi, D. et al. Certified quantum random numbers from untrusted light. Phys. Rev. X 10, 041048 (2020).
Rusca, D. et al. Selftesting quantum randomnumber generator based on an energy bound. Phys. Rev. A 100, 062338 (2019).
Rusca, D., Tebyanian, H., Martin, A. & Zbinden, H. Fast selftesting quantum random number generator based on homodyne detection. Appl. Phys. Lett. 116, 264004 (2020).
Tebyanian, H., Avesani, M., Vallone, G. & Villoresi, P. Semideviceindependent randomness from doutcome continuousvariable detection. Phys. Rev. A 104, 062424 (2021).
Brask, J. B. et al. Megahertzrate semideviceindependent quantum random number generators based on unambiguous state discrimination. Phys. Rev. Applied 7, 054018 (2017).
Tebyanian, H. et al. Semidevice independent randomness generation based on quantum state’s indistinguishability. Quantum Sci. Technol. 6, 045026 (2021).
Avesani, M., Tebyanian, H., Villoresi, P. & Vallone, G. Semideviceindependent heterodynebased quantum randomnumber generator. Phys. Rev. Appl. 15, 034034 (2021).
Lunghi, T. et al. Selftesting quantum random number generator. Phys. Rev. Lett. 114, 150501 (2015).
Cao, Z., Zhou, H. & Ma, X. Losstolerant measurementdeviceindependent quantum random number generation. New J. Phys. 17, 125011 (2015).
Nie, Y.Q. et al. Experimental measurementdeviceindependent quantum randomnumber generation. Phys. Rev. A 94, 060301 (2016).
Mironowicz, P. et al. Quantum randomness protected against detection loophole attacks. Quantum Inf. Process. 20, 39 (2021).
Pironio, S. & Massar, S. Security of practical private randomness generation. Phys. Rev. A 87, 012336 (2013).
Fehr, S., Gelles, R. & Schaffner, C. Security and composability of randomness expansion from Bell inequalities. Phys. Rev. A 87, 012335 (2013).
Zhang, Y., Fu, H. & Knill, E. Efficient randomness certification by quantum probability estimation. Phys. Rev. Res. 2, 013016 (2020).
Gyger, S. et al. Reconfigurable photonics with onchip singlephoton detectors. Nat. Commun. 12, 1408 (2021).
Zhang, J. et al. First InGaAs/InAlAs singlephoton avalanche diodes (SPADs) hetero integrated with Si photonics on SOI platform for 1550 nm detection. In: 2021 Symposium on VLSI Technology pp. 1–2 (IEEE, 2021).
Acknowledgements
The authors acknowledge funding support from the National Research Foundation of Singapore (NRF) Fellowship grant (NRFF1120190001) and NRF Quantum Engineering Programme 1.0 grant (QEPP2). Charles Lim contributed to this work while employed by JP Morgan Chase & Co. This work is for information purposes only, and is not a product of the Research Department of JPMorgan Chase & Co, or its affiliates. Neither JPMorgan Chase & Co nor any of its affiliates make any explicit or implied representation or warranty and none of them accept any liability in connection with this work, including, but limited to, the completeness, accuracy, reliability of information contained herein and the potential legal, compliance, tax or accounting effects thereof. This document is not intended as investment research or investment advice, or a recommendation, offer or solicitation for the purchase or sale of any security, financial instrument, financial product or service, or to be used in any way for evaluating the merits of participating in any transaction.
Author information
Authors and Affiliations
Contributions
C.L., I.W.P. and C.W. designed the research. C.W. designed and carried out the main experiment. I.W.P. developed the security proof and did the numerical simulation. H.J.N. implemented the postprocessing. J.Y.H. and R.H. contributed in highefficiency homodyne detection. J.Z. and G.Z. provided discussions on photonic chip platform and conducted testing. C.W. and I.W.P. wrote the manuscript with contributions from all authors.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing interests.
Peer review
Peer review information
Nature Communications thanks Hamid Tebyanian and the other, anonymous, reviewer(s) for their contribution to the peer review of this work. Peer reviewer reports are available.
Additional information
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Supplementary information
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Wang, C., Primaatmaja, I.W., Ng, H.J. et al. Provablysecure quantum randomness expansion with uncharacterised homodyne detection. Nat Commun 14, 316 (2023). https://doi.org/10.1038/s4146702235556z
Received:
Accepted:
Published:
DOI: https://doi.org/10.1038/s4146702235556z
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.