Security analysis and improvement of source independent quantum random number generators with imperfect devices

A quantum random number generator (QRNG) as a genuine source of randomness is essential in many applications, such as number simulation and cryptography. Recently, a source-independent quantum random number generator (SI-QRNG), which can generate secure random numbers with untrusted sources, has been realized. However, the measurement loopholes of the trusted but imperfect devices used in SI-QRNGs have not yet been fully explored, which will cause security problems, especially in high-speed systems. Here, we point out and evaluate the security loopholes of practical imperfect measurement devices in SI-QRNGs. We also provide corresponding countermeasures to prevent these information leakages by recalculating the conditional minimum entropy and adding a monitor. Furthermore, by taking into account the finite-size effect, we show that the influence of the afterpulse can exceed that of the finite-size effect with the large number of sampled rounds. Our protocol is simple and effective, and it promotes the security of SI-QRNG in practice as well as the compatibility with high-speed measurement devices, thus paving the way for constructing ultrafast and security-certified commercial SI-QRNG systems.


INTRODUCTION
Random numbers have become a core element in many fields, ranging from daily applications, such as lotteries, to scientific simulation and cryptography. Pseudo or classical random number generators, relying on deterministic algorithms or physical processes, have been widely used. However, their predictability and strong long-range correlation mean that they are not suitable for applications that need high security, such as cryptography.
Device-independent QRNGs (DI-QRNGs), which are based on the violation of the Bell inequality, have been proposed to solve this problem, but their extremely low bit rates and low loss tolerance limit their development [27][28][29]. To date, the rate of the fastest DI-QRNG has been reported to be 181 bps [30], which is very low for practical applications. To increase both the bit rate and security, source-independent QRNGs (SI-QRNGs), as a compromise solution, have been proposed [31][32][33][34][35][36]. By a proper conditional min-entropy estimation, SI-QRNGs can generate high-speed secure random numbers with the untrusted source.
In general, measurement devices in SI-QRNGs are trusted and cannot be controlled by attackers. However, practical measurement devices are not perfect. It is reasonable to suppose that there is no classical or quantum relevance between measurement devices and attackers, but we do not prevent attackers from obtaining the essential parameters of detectors that can reveal the detector imperfections. These imperfections, such as the afterpulse, provide side information to attackers and thus impact the security of SI-QRNGs.
In this work, we build a model of practical imperfect measurement devices and evaluate the influences of these imperfections on the discrete-variable SI-QRNG. We also propose a protocol to eliminate these influences and then estimate the conditional min-entropy and the rate of this SI-QRNG. In the framework of the discrete-variable SI-QRNGs, single photon avalanche detectors (SPDs) are the core detection components and the imperfect factors of practical SPDs, such as the afterpulse, detector efficiency and sensitivity to photon number distribution, will cause the conditional min-entropy to be estimated incorrectly. Here, we present an effective method to estimate the conditional min-entropy focusing on the afterpulse. Additionally, we analyse the influences of detector efficiency mismatch and photon number distribution in entropy estimation and then consider a scheme to remove them. Finally, by using the random sampling method as the previous protocol [31] and entropy inequality method [37], we analyze the secure randomness rates with the finite key effect and compare the influences of different factors.
This paper is organized as follows. First, we describe how random numbers can be generated by a typical SI-QRNG. Then, we show the effects of different parameters and present a model to account for these effects. In addition, we analyse a numerical simulation of the finite size effect. Finally, we conclude with a discussion.

A typical SI-QRNG
In a discrete-variable SI-QRNG scenario, as shown in Fig. 1, the source is an untrusted party that might be controlled by an attacker, Eve, and Alice has trusted measurement devices such as threshold detectors (SPDs), a polarizing beam splitter (PBS) and a filter as well as the trusted randomness encoding device. By estimating the conditional min-entropy based on the error rate of the X-basis measurement, randomness extraction can then extract uniform random numbers from the original data [31]. The detailed process is as follows.
First, the untrusted source which might be controlled by Eve emits $N$ pulses with quantum state $\rho$. From the perspective of Alice, the emitted photons should be in the qubit state $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$. After proper filtering and attenuation, Alice randomly chooses $n_x$ pulses and measures them in the X basis to estimate error. The remaining $n_z = N - n_x$ pulses will be used to generate raw random numbers in the Z basis measurement.
Note that it is a key assumption that the measurement devices are compatible with the squashing model [38]. In an ideal scheme, a pulse with multiphotons will be squashed into a qubit; therefore, the unknown arbitrary-dimensional signal state emitted from the source will become the qubit or vacuum state. Then, $n_x$ qubits in the X basis and $n_z$ qubits in the Z basis will be detected with post-selection of the vacua. In practice, the threshold detectors are considered equivalents of the squashing operation in this protocol; therefore we can use the squashing model directly in the analysis. However, the threshold detectors are usually placed at the end of the system, and a double click might not be avoided. Therefore, in the postprocess, it is necessary to randomly assign the outcome to 0 or 1 for double-click events to satisfy the needs of the squashing model [39].
FIG. 1. A schematic diagram of a SI-QRNG. Eve controls the laser diode (LD) and sends pulses with states that are changed to mixed states through a filter and a phase randomizer (PR). Through a photon distribution monitor (PDM) which consists of a beam splitter (BS), an attenuator (ATT), a photodiode (PD) and a variable optical attenuator (VOA), the pulses are sent to an optical switch (OS) to choose the measurement basis, the X basis measurement (XBM) or Z basis measurement (ZBM), both of which consist of a polarization beam splitter (PBS) and two single photon detectors (SPD). The PDM block is used for the distribution monitor and does not exist in general SI-QRNGs in [31].
According to the error rate $e_{bx}$, which represents the ratio of detecting $|-\rangle = (|0\rangle - |1\rangle)/\sqrt{2}$ in the X basis, and the complementary uncertainty relation, as well as that in the quantum key distribution (QKD) [40], we can obtain the extractable random numbers from the raw data: where $\theta$ is the deviation due to statistical fluctuations, $2^{-t_e}$ is the failure probability of the randomness extraction and $h(x)$ represents the binary Shannon entropy function of $x$.
Finally, uniform random numbers can be obtained from the raw data by a randomness extractor. A random seed with a length of $n_{seed}$ and $n_{post}$ will be consumed in the basis choice and the postprocess, respectively.

Model
In the previous SI-QRNG scheme, the untrusted source was the focus of the QRNG, and previous work has tried to eliminate Eve's influence on the source. However, in real implementation, the ignored imperfections of measurement devices, such as the afterpulse, detection efficiency mismatch and sensitivity to the photon number distribution, also have a strong impact on security. In what follows, we first build the underlying response probability model with these factors and recalculate the entropy to reveal these factors' influence mechanism on SI-QRNGs. Then we propose a scheme to solve these problems.
For threshold detectors, SPDs, the usual model of the response probabilities without the afterpulse effect $p^d_\alpha$ can be written as [41] p where $\tau_\alpha$ is the zero photon distribution probability after the influence of the loss and detector efficiency and $e_{d\alpha}$ is the background counting rate. The subscript $\alpha$ indicates the different detectors, which include $D_0$ and $D_1$ in the Z basis and $D_+$ and $D_-$ in the X basis. One of the most important factors of SPDs is the afterpulse, which has considerable effects on high-speed systems and makes existing analytical models deviate from reality. Therefore, it is necessary to build an afterpulse-compatible model. To adapt the model to the afterpulse, we should change the response probabilities $p^d_\alpha$ to where $P_{ap\alpha}$ is the practical current afterpulse probability of each detector which is given by [42] where $p_\alpha = \sum_{j=1}^{n} p_{j\alpha}$ is the overall first-order afterpulse rate, and $p_{j\alpha}$ is the first-order afterpulse coefficient contributed by the former $j$th detection window avalanche. $p^d_{b\alpha}$ represents the former response ratio without the afterpulse. It should be noted that we only consider infinite former responses here and the influence of finite responses will be discussed later.
Furthermore, to achieve compatibility between our model and the squashing model, it is necessary to precisely depict the probabilities of single-click and double-click events. Moreover, we define the error counts as the events in which only $D_-$ responds, and according to the squashing model, a double-click event should be assigned a random bit, which will add a half error count in the X basis. Therefore, according to Eq. 2, the probabilities of single-click and double-click events $Q_{single}$, $Q_{double}$ in the Z basis and the error rate $EQ$ in the X basis are given by

Afterpulse
The afterpulse is a key factor in SPD, especially in high-speed systems. In a discrete variable QRNG system, as the afterpulse probability becomes very high with the increase in the system speed, it has a significant impact on not only the random number generation rate but also on the security, which has been ignored in previous works.
Here, we first consider the afterpulse influence mechanism on raw random numbers generated on the Z basis. Intuitively, for a dual detector system, we can infer that the afterpulse will increase the response probability of the detector and increase the production probability of '00' or '11'. This means that the raw sequence will come to have more positive correlations, which will lead to the overestimation of the entropy and thus an information leak to Eve in the previous models. In what follows, we quantitatively analyse the influence of afterpulse on random number sequences.
In statistical analysis, we always use the autocorrelation coefficient $a_i$ to describe the $i$th autocorrelation of an $n$-bit sequence $\{x_i\}$ [43]: where $\bar{x}$ is the expectation value of $\{x_i\}$. In general, if the sequence is a series of random numbers with good statistical characteristics, the theoretical expectation of $a_i$ should be 0.
With the model presented in the previous sections, we can derive the prior autocorrelation coefficient with afterpulse $a^p_i$: where $p^{i1}_\alpha$ is the response probability of $D_\alpha$ with the former $i$th detection response and $p^{i0}_\alpha$ is that without the former $i$th detection response. $k$ is the expectation of this raw sequence, which is given by Note that we assign double-click events to random bits, so these events should not affect the autocorrelation coefficient in the statistical analysis. Therefore, here we only consider the random numbers generated by single-click events.
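The check described above can be run on raw bits as a health test. The following Python sketch is an added example, not code from the paper: it computes the lag-$i$ autocorrelation coefficient in its standard form (numerator as in the METHODS section, denominator the sum of squared deviations) and applies it to a toy dual-detector simulation. The click model (first-order afterpulse from the immediately preceding gate only, combined as `p + (1 - p) * p_after`), the parameter values and all function names are assumptions made for illustration.

```python
import random


def autocorrelation(bits, lag):
    """Lag-`lag` autocorrelation coefficient of a 0/1 sequence:
    sum_{j=1}^{n-lag}(x_j - mean)(x_{j+lag} - mean) / sum_{j=1}^{n}(x_j - mean)^2
    """
    n = len(bits)
    mean = sum(bits) / n
    denom = sum((x - mean) ** 2 for x in bits)
    numer = sum((bits[j] - mean) * (bits[j + lag] - mean)
                for j in range(n - lag))
    return numer / denom


def simulate_z_basis(gates, p_click, p_after, seed):
    """Toy Z-basis measurement with detectors D0 and D1 (assumed model).

    In each gate a detector clicks with probability p_click. If the same
    detector clicked in the previous gate, its click probability becomes
    p_click + (1 - p_click) * p_after (first-order afterpulse only).
    Only single-click gates produce a raw bit; double clicks and empty
    gates are dropped, as in the autocorrelation analysis of the text.
    """
    rng = random.Random(seed)
    prev = [False, False]
    bits = []
    for _ in range(gates):
        clicks = []
        for d in (0, 1):
            p = p_click
            if prev[d]:
                p = p_click + (1 - p_click) * p_after
            clicks.append(rng.random() < p)
        if clicks[0] != clicks[1]:
            bits.append(0 if clicks[0] else 1)
        prev = clicks
    return bits


def health_check(bits, max_lag=3, threshold=0.02):
    """Return (lag, coefficient) pairs whose magnitude exceeds threshold."""
    alarms = []
    for lag in range(1, max_lag + 1):
        a = autocorrelation(bits, lag)
        if abs(a) > threshold:
            alarms.append((lag, a))
    return alarms


if __name__ == "__main__":
    # Constructed parameters, chosen so the effect is visible in a short run.
    for p_after in (0.0, 0.1):
        raw = simulate_z_basis(200_000, 0.3, p_after, seed=1)
        print(f"p_after={p_after}: a_1={autocorrelation(raw, 1):+.4f}, "
              f"alarms={health_check(raw)}")
```

With these constructed parameters the afterpulse-free sequence stays within statistical noise of zero, while the afterpulsing one shows a positive lag-1 coefficient of roughly 0.07.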
In the METHODS section, we will show the details of the $a^p_i$ calculation, and it is proven that the relation between $a^p_i$ and $p_{i\alpha}$ is quadratic and degenerates to linear when all the parameters of the two detectors are the same. As shown in Fig. 2, with the increase of $p_{i\alpha}$, $a^p_i$ increases rapidly and has an obviously positive correlation. To solve this security issue, it is necessary to analyse the entropy adapted to the afterpulse model. Here, we define $H_{min}(A|E)$ as the total conditional minimum entropy of the raw random numbers. It needs to be emphasized that the use of minimum entropy is necessary because Eve is allowed to obtain the probability distribution $\{P_i\}$ of the raw sequence, and there is an optimum strategy for Eve that she can use to guess the maximum probability event and obtain more information than under the limitation of conditional entropy. Therefore, we should estimate this worst case and calculate the minimum randomness event with the afterpulse.
We first consider only the model of raw randomness generation in the Z basis and calculate the conditional minimum entropy $H_{min}(Z|E)$ with the afterpulse under this condition. According to the response probability model with the afterpulse in Eqs. (2) and (3), the afterpulse probability $P_{ap\alpha}$ is dependent on the former response ratio $p^d_{b\alpha}$. Let us consider the maximum leakage information condition, in which the contribution of $P_{ap\alpha}$ to the two detectors reaches its maximum difference. If $D_0$ always responds before, which is opposite to the behaviour of $D_1$, the afterpulse contributions to the two detectors will become the most unbalanced. Understandably, the final distribution $P(i)$ will deviate far from Alice's estimation and Eve will obtain the maximum amount of leaked information. Under this condition, the response probabilities $p_0$ and $p_1$ will become: Assuming that the input state is $|+\rangle$, we can obtain the conditional minimum entropy $H_{min}(Z|E)$ (without the consideration of double clicks) Without loss of generality, we consider the parameter difference of the two detectors, and $H_{min}(Z|E)$ will become: In what follows, we discuss the total conditional minimum entropy $H_{min}(A|E)$ in SI-QRNGs. In a typical SI-QRNG, a key idea is that the protocol with randomness generation and randomness extraction can be seen as similar to that with error correction and randomness generation [31], which borrows a similar technique from the security analysis of the QKD [40]. Corresponding to the original protocol discussed in the previous section, the equivalent virtual protocol can be described as follows: the input states $\rho$ will be corrected to perfect diagonal states $|+\rangle$ by a phase error correction with losses of the $h(e_{bx})$ states and the remaining $1 - h(e_{bx})$ corrected states $|+\rangle$ can be used to generate perfect random numbers in the Z basis. In this sense, when we estimate $H_{min}(A|E)$, it is reasonable that we first estimate the influence of the error rate $e_{bx}$ in the X basis and correct all the states to $|+\rangle$, and then the problem can be changed to the estimation of the conditional minimum entropy $H_{min}(Z|E)$ with these input states $|+\rangle$. In the previous section, we obtained the error rate $EQ$ in the X basis with our afterpulse model in Eq. (6). Therefore, the number of corrected states $|+\rangle$ is: where $n_z$ is the number of pulses detected in the Z basis. Note that the double clicks in the Z basis should also be considered. A series of true random numbers will be input to fill in these double-click events, and, of course, these true random numbers will be subtracted from the final bit rate. According to the probabilities of single-click and double-click events $Q_{single}$ and $Q_{double}$ in the Z basis in Eqs. (4) and (5) and the conditional minimum entropy in the Z basis $H_{min}(Z|E)$ in Eq. (12), we can obtain $H_{min}(A|E)$ by: In the previous discussion, we considered the afterpulse probability $P_{ap\alpha}$ with Eq. (3) under the condition that there are infinite former responses [42]. However, in real implementations, there are finite pulses in front and hence only these corresponding responses' afterpulse contributions should be calculated. Here we consider this condition and recalculate the afterpulse probability $P_{ap\alpha}$ with finite former responses.
Here, we assume that there are $m$ previous detection windows. As in our earlier definition, $p_{j\alpha}$ is the first-order afterpulse probability coefficient contributed by the former $j$th detection. A high-order afterpulse is the superposition of the contributions of each first-order afterpulse. All of these high-order afterpulse probabilities contributed by the former $k$th detection window $p^k_{ap\alpha}$ are given by: According to the previous analysis, always letting one of the detectors respond before is the best case for Eve. The total afterpulse probability $P_{ap\alpha}(m)$ in this case changes to Previous works [44][45] show that the afterpulse probability $p_{j\alpha}$ at time $t$ conforms to an "exponential model" where the characteristic decay of the afterpulse probability depends on the depth of the levels in which the charges are trapped. A simplified model for the gating detector can be given by: where $\omega_\alpha$ is the ratio between the gating time and the de-trapping lifetime, and $A_\alpha$ is the amplitude factor for the depth level. Therefore, the total afterpulse probability contributed by $m$ previous detection windows can be derived as: and $\omega_\alpha > \ln(1 + A_\alpha)$ is the convergence condition for $m \to \infty$. In the METHODS section, we will show the details of the derivation and the relation to infinite previous pulses. In Fig. 3, we have shown the relation between the conditional minimum entropy $H_{min}(A|E)$ and the overall afterpulse rate $p_\alpha$ with and without the afterpulse. The two lines of $H_{min}(A|E)$ with the afterpulse have a significant inverse relationship with $p_\alpha$ and decrease nearly 20% when $p_\alpha$ increases to 0.1. We can also see that the conditional minimum entropy with previous infinite pulses will decrease more rapidly than that with previous finite pulses. This means that limiting the number of responses in a detection period is an effective way to enhance the conditional minimum entropy, especially under the condition with the high afterpulse probability.

Detection efficiency and the photon distribution
In addition to the afterpulse, the other non-negligible parameter that might affect the conditional minimum entropy is the zero photon distribution probability $\tau_\alpha$ in Eq. (2). In the SI-QRNG protocol, $\tau_\alpha$ is determined by the detection efficiency, loss, and photon distribution input to the detector. The difference in detection efficiency and loss will cause an imbalance in the final random numbers and have a severe impact on the security of the scheme. In Fig. 4, we show that with detection efficiency mismatch, $H_{min}(A|E)$ falls sharply. Moreover, the photon distribution input to the detector also influences the conditional minimum entropy. In previous works, the photon distribution is usually seen as a Poisson distribution, which is not universal for sources and might result in information leakage, as the afterpulse does. Here, we analyse how the detection efficiency, loss, and photon distribution affect $\tau_\alpha$ and design a scheme to monitor these influences.
In theory, the photon distributions before and after loss satisfy a Bernoulli transformation. The untrusted photon source through a filter, which is used to guarantee the source in single mode, will become a photon number mixed state by a phase randomizer [46]: and then through the loss transmittance in the system, $t_{all\alpha}$, and the detector's efficiency, $\eta_\alpha$, the photon distributions input to the detectors will become [47] where $\xi_\alpha = t_{all\alpha}\eta_\alpha$. As a consequence, we can obtain the zero photon distribution probability $\tau_\alpha$ by Now, the key question for Alice becomes how to monitor the distribution of the untrusted source $P_{untrusted}(n)$. With the existence of the afterpulse, it is difficult to obtain the distribution precisely only through the SPDs. Fortunately, this can be done by borrowing a similar technique from the source monitor of the QKD [48]. As shown in Fig. 1, in the photon distribution monitor block, a beam splitter (BS) is used to take out a beam of photons to a photodetector (PD) which is used to monitor the photon distribution of the source. Then the others will go through the BS, and an attenuation with the attenuation coefficient $t_0$ is placed to guarantee that the distribution after it is the same as that detected in the PD, which satisfies: where $\eta_{BS}$ is the transmittance of the BS and $\eta_{DET}$ is the detection efficiency of the PD. Through random sampling of the pulses, we can estimate the photon distribution $P_{untrusted}(n)$, and with Eq. (21), the zero photon distribution probability $\tau_\alpha$ after the attenuation rate $t_{all\alpha}$ and the detection efficiency $\eta_\alpha$ can be obtained, which can help us to precisely estimate $H_{min}(A|E)$ with Eq. (14). A series of biased random seeds will be consumed in the random sampling of the pulses, which guarantees that the distribution measurements are independent.

Simulation in finite-size regime
In practice, the resources of Alice are limited and the system can run for only a finite time. Limited samplings will suffer from statistical fluctuations, which might enable attacks by Eve. Therefore, it is of great importance to estimate the parameters in the finite-size regime for the final random number security. Here, we consider the influence of the finite data size on the error estimation in the X basis as well as the process of photon distribution monitoring. We also consider the composable security and obtain the final random number rate $R_f$ with the total security parameter $\zeta$.
In the error parameter estimation step, Alice can obtain $EQ$ in the X basis according to Eq. (6) and can approximate the phase error rate $e_{pz}$ in the Z basis by $EQ$. However, due to statistical fluctuations, $e_{pz}$ cannot be estimated accurately and the method of approximating it is crucial. In this section, we use two approaches to bound it: one of the methods is the random sampling theory used in [31] and the other is the entropy inequality.
The upper bound of $e_{pz}$ can be defined by and on the basis of the random sampling analysis in [49], $\theta$ is the deviation due to statistical fluctuations which is bounded by where $\zeta(\theta) = h(EQ + \theta - q_x\theta) - q_x h(EQ) - (1 - q_x) h(EQ + \theta)$, $q_x$ is the rate of X basis measurement and $N$ is the total number of pulses. With the model presented in the previous sections, the number of final random bits is given by where $n_z$ is the number of pulses measured in the Z basis and $\varepsilon = 2^{-t_e}$ is the failure probability of the randomness extraction, which satisfies the relation with security parameter $\varepsilon_{all} = (\varepsilon_e + 2^{-t_e})(2 - \varepsilon_e - 2^{-t_e})$. Furthermore, the entropy inequality is an alternative method to bound the final random bit rate through bounding $e_{pz}$ [37] by: Here we set $\varepsilon_e$ as the total security parameter $\varepsilon_{all}$ because there is no error correction, which is different from the QKD. The final random bit rate can be bounded by In what follows, we present and discuss the results of the numerical simulation. We use the experimental parameters listed in Table I. The relations between the loss of VOA and the randomness generation rates, with different values of $p_\alpha$ and different methods, are shown in Fig. 5. Compared with the rate without the afterpulse, the rate with the afterpulse is lower and decreases more obviously; starting from a loss not exceeding 5 dB, the influence of the afterpulse gradually becomes more significant than that of statistical fluctuation, and the afterpulse will result in a lower tolerance for fewer photons as well as more information leakage to Eve. Moreover, the bound of the entropy inequality results in a higher randomness generation rate than random sampling. The rate peak is at approximately 1 to 2 dB, and there is a slight difference with different analysis methods.
Furthermore, there is also statistical fluctuation in the photon distribution monitor. Even if we use an ideal photodetector, the distribution estimation will also fluctuate with limited sampling pulses. Assume that Alice randomly chooses $N$ pulses in the photon distribution monitor, and the vacuum probability value input to SPDs $\tau_\alpha$ can be estimated by Eq. (21). According to Hoeffding's inequality [50], the confidence interval of the vacuum probability is where $\varepsilon_d$ is the distribution estimation failing probability, which is given by $\varepsilon_d = 2\exp(-2N\delta_d^2)$. To show the effect of statistical fluctuations in the numerical simulation, we assume that the untrusted source distribution estimation result is a Poissonian distribution. As shown in Fig. 6, the limited random sampling pulses will cause a large gap between the ideal $H_{min}(A|E)$ and the practical $H_{min}(A|E)$ with finite size effect, and the gap shrinks when the length of the random sampling pulses is at least $10^5$. For a larger system, giving one monolithic security proof is error prone. Therefore, in the past few years, composable security, as a solution to this problem, has been developed in the research of QRNGs [34?] as well as QKDs [37,49,51,52]. Here we also establish composable security and obtain the final random number rate $R_f$. In general, the raw random sequence of Alice can be quantum correlated with a quantum state that is held by Eve. Mathematically, this situation is described by the classical quantum state

where $\{|i\rangle\}$ denotes an orthonormal basis for Alice's system, and the subscript $E$ indicates the system of Eve. It is easy to see that, for any attack, the state resulting from the run of a perfectly secure scheme has the form where $\|\cdot\|_1$ denotes the trace norm. In our protocol, the total failing probability is a combination of two processes, error estimation and photon distribution estimation. As in the composable security analysis of the QKD [49], $\zeta$ can be given by where $\varepsilon_e$ and $\varepsilon_d$ are the failure probabilities of the error estimation and photon distribution estimation, respectively. $2^{-t_e}$ is the failure probability of the randomness extraction. Combining the analysis in Eq. (30), the final random number rate is where $\theta$ is the deviation due to statistical fluctuations, which is bounded by Eq. (24).
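The photon distribution monitoring step and its finite-size bound can be illustrated numerically. The Python sketch below is an added example, not code from the paper: it applies the standard binomial (Bernoulli) loss transformation with total transmittance $\xi_\alpha$ to a photon-number distribution, reads off the zero-photon probability $\tau_\alpha$, and computes the Hoeffding half-width $\delta_d$ from $\varepsilon_d = 2\exp(-2N\delta_d^2)$. The symmetric interval $\tau_\alpha \pm \delta_d$, the two-intensity mixed source, the parameter values and the function names are assumptions.

```python
import math


def poisson(nu, n_max):
    """Poisson photon-number distribution, truncated at n_max and renormalised."""
    probs = [math.exp(-nu)]
    for n in range(1, n_max + 1):
        probs.append(probs[-1] * nu / n)
    total = sum(probs)
    return [p / total for p in probs]


def bernoulli_loss(dist, xi):
    """Distribution after loss: each photon survives independently with
    probability xi (binomial / Bernoulli transformation)."""
    out = [0.0] * len(dist)
    for n, p_n in enumerate(dist):
        for m in range(n + 1):
            out[m] += p_n * math.comb(n, m) * xi ** m * (1 - xi) ** (n - m)
    return out


def zero_photon_prob(dist, xi):
    """tau = probability that no photon reaches the detector after loss."""
    return sum(p_n * (1 - xi) ** n for n, p_n in enumerate(dist))


def hoeffding_delta(n_samples, eps_d):
    """Solve eps_d = 2 * exp(-2 * N * delta^2) for delta."""
    return math.sqrt(math.log(2 / eps_d) / (2 * n_samples))


def tau_interval(dist, xi, n_samples, eps_d):
    """Assumed symmetric confidence interval tau +/- delta, clipped to [0, 1]."""
    tau = zero_photon_prob(dist, xi)
    delta = hoeffding_delta(n_samples, eps_d)
    return max(0.0, tau - delta), min(1.0, tau + delta)


def poisson_assumption_holds(monitored, nu, xi, n_samples, eps_d):
    """True if the tau of a Poisson source with mean nu lies inside the
    interval estimated from the monitored distribution."""
    lo, hi = tau_interval(monitored, xi, n_samples, eps_d)
    return lo <= math.exp(-nu * xi) <= hi


if __name__ == "__main__":
    xi = 0.1          # constructed value of xi = t_all * eta
    eps_d = 1e-10     # constructed failure probability
    coherent = poisson(10, 80)
    # Constructed non-Poissonian source with the same mean photon number 10.
    mixed = [0.5 * a + 0.5 * b for a, b in zip(poisson(2, 80), poisson(18, 80))]
    for name, dist in (("coherent", coherent), ("mixed", mixed)):
        for n_samples in (10**3, 10**5):
            lo, hi = tau_interval(dist, xi, n_samples, eps_d)
            ok = poisson_assumption_holds(dist, 10, xi, n_samples, eps_d)
            print(f"{name:8s} N={n_samples:<6d} tau in [{lo:.4f}, {hi:.4f}] "
                  f"Poisson assumption consistent: {ok}")
```

For the constructed mixed source, the monitored $\tau_\alpha$ is about 0.49 while the Poisson assumption with the same mean gives about 0.37, a difference larger than $\delta_d$ even at $N = 10^3$ sampled pulses.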

DISCUSSION
In conclusion, we have pointed out and evaluated the security loopholes of practical imperfect devices in discrete-variable SI-QRNGs. By our analysis, Eve might obtain the imperfection parameters of the measurement and obtain side information to enhance the guessing probability of outcomes. The entropy estimation error can reach 20% without consideration of the large afterpulse and even higher under the conditions of the large mismatch of the detector efficiency and the misestimation of the photon number distribution. To solve these problems, we provide a new protocol with distribution monitoring and entropy estimation methods to extract the secure randomness bits with these existing factors. By analysing the finite-size effect, we show the final randomness rates and find that under some conditions, the influence of the afterpulse will exceed that of the finite size effect. Finally, we establish a composable security model to guarantee the security of the total protocol. Compared with the general SI-QRNG in [31], our model is more practical and more compatible with imperfect devices.
Our model also provides a way to achieve high-speed SI-QRNGs. The common discrete variable SI-QRNGs are usually limited by the frequency of SPDs, which is approximately 100 Mbps. A faster counting rate is not allowed due to the leaked information of the afterpulse. With our model, however, the afterpulse is also a factor in the randomness rate, which means that we can use SPDs with higher afterpulse rates. In recent research, an SPD with a rate of up to 500 MHz has been presented, which has an afterpulse rate of nearly 10% [53]. This is not tolerated in most protocols, but with our analysis, a high-speed SI-QRNG can be obtained without any security problem of the afterpulse. Therefore, with the promotion rates of SPDs, the imperfect-device-compatible model will be more suitable for high-speed scenarios, and this may make it potentially easier for a discrete-variable GHz-SI-QRNG to be realized.

Calculation of the autocorrelation coefficient
In this section, we will show the details of calculating $a^p_i$. According to Eq. (7), we have given out the general expression of the autocorrelation coefficient. To obtain the final result, it is important to derive each statistical value of the numerator and denominator.
Here we assume that the $n$-bit raw random number sequence contains $nk$ bits with the value '0' and $n(1 - k)$ bits with the value '1'. The expectation and variance can be given by $\bar{x} = k$, $\sum_{j=1}^{n}$ Now we consider the value of the numerator $\sum_{j=1}^{n-i} (x_j - \bar{x})(x_{j+i} - \bar{x})$. For the $j$th resultful detection event, considering that $x_j = 1$ or 0, the afterpulse probability of detector $D_\alpha$ ($\alpha \in \{0, 1\}$) in the $(j+i)$th resultful detection event will become (where the high-order afterpulse generated by the $j$th response is disregarded): According to Eqs. (33) and (34), the response probabilities $p^{i1}_\alpha$ and $p^{i0}_\alpha$ are both linear about $p_{i\alpha}$. Therefore, it is obvious that $a^p_i$ is a quadratic function about $p_{i\alpha}$ and when we choose the same parameters for the two detectors, $a^p_i$ will become: and it will degenerate to a linear function about $p_{i\alpha}$.

Calculation of the total afterpulse probability for previous finite responses
In this section, we will derive the total afterpulse probability. According to Eqs. (16) and (17) and then according to Eq. (3), we can get $P_{ap\alpha}(all)$ by: It is obvious that $P_{ap\alpha}(m)$ is a monotonic decreasing function and will degenerate to $P_{ap\alpha}(all)$ when $m \to \infty$, and the condition of convergence for Eq. (37) is $(1 + A_\alpha)e^{-\omega_\alpha} < 1$, that is, $\omega_\alpha > \ln(1 + A_\alpha)$.

FIG. 2. The relation function between $a^p_i$ and $p_{i\alpha}$. The same values are given to the parameters of the detectors. We assume that pulses with coherent states that contain the mean photon number $\nu = 1$ insert SPDs with detection efficiency $\eta_\alpha = 0.1$, $e_{d\alpha} = 6 \times 10^{-7}$ and $p_\alpha = 0.05$. For ideal devices, the prior autocorrelation coefficient should be 0.

FIG. 3. The relation between $H_{min}(A|E)$ and $p_\alpha$ with no afterpulse (Np), previous infinite afterpulse (Ip) and previous finite afterpulse (Fp), which consists of 1000 pulses. The factors $\omega_\alpha = 0.001$ and $A_\alpha$ are related to $p_\alpha$. The pulses with coherent states that contain $\nu = 10$ photons insert SPDs with $\eta_\alpha = 0.1$ and $e_d = 6 \times 10^{-7}$. The shadow gap is the side information leaked to Eve due to the afterpulse.

FIG. 5. Optimal randomness generation rates as a function of the loss of VOA with different values of $p_\alpha$ and error estimation methods including random sampling (RS), entropy inequality (EI) and infinite length (IL). RS, EI and IL represent the models without the afterpulse and RSP, EIP and ILP represent the models with the afterpulse $p_\alpha = 5\%$. The experimental parameters are listed in Table I, and we assume that the pulse distribution is the coherent state that contains $\nu = 50$ photons initially. Fig. (a) shows the condition with low loss and Fig. (b) shows that with the loss of up to 50 dB.

FIG. 6. Conditional minimum entropy $H_{min}(A|E)$ as a function of the sampling length with the finite size (FS) and infinite length (IL). FZ and IL represent the rates without the afterpulse, and FZP and ILP represent the rates with the afterpulse $p_\alpha = 5\%$. Assume that pulses with coherent states contain $\nu = 10$ photons.

TABLE I. List of the experiment parameters used in numerical simulations. N is the total number of pulses. eq is the misalignment-error probability. v is the rate of pulses measured in Z basis.
is the uniform mixture of all possible values of the bit string. As is common in quantum cryptography, a QRNG protocol is $\zeta$-secret if and only if, for any attack, the classical quantum state $\rho_{AE}$ satisfies