Introduction

Random numbers have become a core element in many fields, ranging from daily applications, such as lotteries, to scientific simulation and cryptography. Pseudo or classical random number generators, relying on deterministic algorithms or physical processes, have been widely used. However, their predictability and strong long-range correlation mean that they are not suitable for applications that need high security, such as cryptography.

In contrast, quantum random number generators (QRNGs) are considered the best solution for generating unpredictable random numbers by exploiting the intrinsic uncertainty of quantum mechanics [1]. Many QRNG protocols have been presented recently; they are based on different sources, such as the spatial [2,3,4,5,6] and temporal [7,8,9,10] modes of photons, vacuum-state fluctuations [11,12,13,14,15], laser phase noise [16,17,18,19], stimulated scattering [20,21], and other quantum phenomena [22,23,24,25,26]. Most of them rely on fully trusted devices; however, realistic devices are usually imperfect or even untrusted, and they might provide side information to eavesdroppers and cause overestimation of the conditional min-entropy.

Device-independent QRNGs (DI-QRNGs), which are based on the violation of the Bell inequality, have been proposed to solve this problem, but their extremely low bit rates and low loss tolerance limit their development [27,28,29]. To date, the rate of the fastest DI-QRNG has been reported to be 181 bps [30], which is very low for practical applications. To increase both the bit rate and security, source independent QRNGs (SI-QRNGs), as a compromise solution, have been proposed [31,32,33,34,35,36]. By a proper conditional min-entropy estimation, SI-QRNGs can generate high-speed secure random numbers with the untrusted source.

In general, measurement devices in SI-QRNGs are trusted and cannot be controlled by attackers. However, practical measurement devices are not perfect. It is reasonable to suppose that there is no classical or quantum relevance between measurement devices and attackers, but we do not prevent attackers from obtaining the essential parameters of detectors that can reveal the detector imperfections. These imperfections, such as the afterpulse, provide side information to attackers and thus impact the security of SI-QRNGs.

In this work, we build a model of practical imperfect measurement devices and evaluate the influences of these imperfections on the discrete-variable SI-QRNG. We also propose a protocol to eliminate these influences and then estimate the conditional min-entropy and the rate of this SI-QRNG. In the framework of the discrete variable SI-QRNGs, single photon avalanche detectors (SPDs) are the core detection components and the imperfect factors of practical SPDs, such as the afterpulse, detector efficiency, and sensitivity to photon number distribution, will cause the conditional min-entropy to be estimated incorrectly. Here, we present an effective method to estimate the conditional min-entropy focusing on the afterpulse. Additionally, we analyse the influences of detector efficiency mismatch and photon number distribution in entropy estimation and then consider a scheme to remove them. Finally, by using the random sampling method as in the previous protocol [31] and the entropy inequality method [37], we analyze the secure randomness rates with the finite key effect and compare the influences of different factors.

This paper is organized as follows. First, we describe how random numbers can be generated by a typical SI-QRNG. Then, we show the effects of different parameters and present a model to account for these effects. In addition, we analyse a numerical simulation of the finite size effect. Finally, we conclude with a discussion.

Results

A typical SI-QRNG

In a discrete-variable SI-QRNG scenario, as shown in Fig. 1, the source is an untrusted party that might be controlled by an attacker, Eve, and Alice has trusted measurement devices such as threshold detectors (SPDs), a polarizing beam splitter (PBS) and a filter as well as the trusted randomness encoding device. By estimating the conditional min-entropy based on the error rate of the X-basis measurement, randomness extraction can then extract uniform random numbers from the original data [31]. The detailed process is as follows.

Fig. 1: A schematic diagram of a SI-QRNG.

Eve controls the laser diode (LD) and sends pulses with states that are changed to mixed states through a filter and a phase randomizer (PR). Through a photon distribution monitor (PDM), which consists of a beam splitter (BS), an attenuator (ATT), a photodiode (PD) and a variable optical attenuator (VOA), the pulses are sent to an optical switch (OS) to choose the measurement basis, either the X basis measurement (XBM) or the Z basis measurement (ZBM), both of which consist of a polarization beam splitter (PBS) and two single photon detectors (SPD). The PDM block is used to monitor the distribution and does not exist in the general SI-QRNGs of ref. 31.

First, the untrusted source which might be controlled by Eve emits N pulses with quantum state ρ. From the perspective of Alice, the emitted photons should be in the qubit state \(\left|+\right\rangle =(\left|0\right\rangle +\left|1\right\rangle )/\sqrt{2}\).

After proper filtering and attenuation, Alice randomly chooses nx pulses and measures them in the X basis to estimate error. The remaining nz = N − nx pulses will be used to generate raw random numbers in the Z basis measurement.

Note that it is a key assumption that the measurement devices are compatible with the squashing model [38]. In an ideal scheme, a pulse with multiphotons will be squashed into a qubit; therefore, the unknown arbitrary-dimensional signal state emitted from the source will become the qubit or vacuum state. Then, \({n}_{{\mathrm{x}}}^{\prime}\) qubits in the X basis and \({n}_{{\mathrm{z}}}^{\prime}\) qubits in the Z basis will be detected with post-selection of the vacua. In practice, the threshold detectors are considered equivalents of the squashing operation in this protocol; therefore we can use the squashing model directly in the analysis. However, the threshold detectors are usually placed at the end of the system, and a double click might not be avoided. Therefore, in the postprocess, it is necessary to randomly assign the outcome to 0 or 1 for double-click events to satisfy the needs of the squashing model [39].

According to the error rate ebx, which represents the ratio of detecting \(\left|-\right\rangle =(\left|0\right\rangle -\left|1\right\rangle )/\sqrt{2}\) in the X basis, and the complementary uncertainty relation, as well as that in the quantum key distribution (QKD) [40], we can obtain the extractable random numbers from the raw data: \(K\,=\,{n}_{{\mathrm{z}}}^{\prime}[1-h({e}_{{\mathrm{bx}}}+\theta )]-{t}_{{\mathrm{e}}}\), where θ is the deviation due to statistical fluctuations, \({2}^{-{t}_{{\mathrm{e}}}}\) is the failure probability of the randomness extraction and h(x) represents the binary Shannon entropy function of x.

Finally, uniform random numbers can be obtained from the raw data by a randomness extractor. A random seed with a length of nseed and npost will be consumed in the basis choice and the postprocess, respectively.

Model

In the previous SI-QRNG scheme, the untrusted source was the focus of the QRNG, and previous work has tried to eliminate Eve’s influence on the source. However, in real implementation, the ignored imperfections of measurement devices, such as the afterpulse, detection efficiency mismatch, and sensitivity to the photon number distribution, also have a strong impact on security. In what follows, we first build the underlying response probability model with these factors and recalculate the entropy to reveal these factors’ influence mechanism on SI-QRNGs. Then we propose a scheme to solve these problems.

For threshold detectors, SPDs, the usual model of the response probabilities without the afterpulse effect \({p}_{\alpha }^{{\mathrm{d}}}\) can be written as [41]

$${p}_{\alpha }^{{\mathrm{d}}}=1-{\tau }_{\alpha }(1-{e}_{{\mathrm{d}}\alpha })\quad \alpha \in \{0,1,+,-\},\,$$
(1)

where τα is the zero photon distribution probability after the influence of the loss and detector efficiency and edα is the background counting rate. The subscript α indicates the different detectors which include D0 and D1 in the Z basis and D+ and D− in the X basis.

One of the most important factors of SPDs is the afterpulse, which has considerable effects on high-speed systems and causes existing analytical models to deviate from reality. Therefore, it is necessary to build an afterpulse-compatible model. To adapt the model to the afterpulse, we should change the response probabilities \({p}_{\alpha }^{{\mathrm{d}}}\) to

$${p}_{\alpha }\,=\,1-{\tau }_{\alpha }(1-{e}_{{\mathrm{d}}\alpha })(1-{P}_{{\mathrm{ap}}\alpha }),$$
(2)

where Papα is the practical current afterpulse probability of each detector which is given by [42]

$${P}_{{\mathrm{ap}}\alpha }\,=\,\frac{\hat{{p}_{\alpha }}}{1-\hat{{p}_{\alpha }}}{p}_{{\mathrm{b}}\alpha }^{d},$$
(3)

where \(\hat{{p}_{\alpha }}\,=\,\mathop{\sum }\nolimits_{{\mathrm{j}} = 1}^{{\mathrm{n}}}{\hat{p}}_{{\mathrm{j}}\alpha }\) is the overall first-order afterpulse rate, and \({\hat{p}}_{{\mathrm{j}}\alpha }\) is the first-order afterpulse coefficient contributed by the former jth detection window avalanche. \({p}_{{\mathrm{b}}\alpha }^{{\mathrm{d}}}\) represents the former response ratio without the afterpulse. It should be noted that we only consider infinite former responses here and the finite responses influence will be discussed later.

Furthermore, to achieve compatibility between our model and the squashing model, it is necessary to precisely depict the probabilities of single-click and double-click events. Moreover, we define the error counts as the events in which only D− responds, and according to the squashing model, a double click event should be assigned a random bit, which will add a half error count in the X basis. Therefore, according to Eq. (2), the probabilities of single-click and double-click events Qsingle, Qdouble in the Z basis and the error rate EQ in the X basis are given by

$${Q}_{{\mathrm{single}}}\,=\,{p}_{0}(1-{p}_{1})\,+\,{p}_{1}(1-{p}_{0}),$$
(4)
$${Q}_{{\mathrm{double}}}\,=\,{p}_{0}{p}_{1},$$
(5)
$$EQ\,=\,{p}_{-}(1-{p}_{+})+\frac{1}{2}{p}_{-}{p}_{+}.$$
(6)

Afterpulse

The afterpulse is a key factor in SPD, especially in high-speed systems. In a discrete variable QRNG system, as the afterpulse probability becomes very high with the increase in the system speed, it has a significant impact on not only the random number generation rate but also on the security, which has been ignored in previous works.

Here, we first consider the afterpulse influence mechanism on raw random numbers generated on the Z basis. Intuitively, for a dual detector system, we can infer that the afterpulse will increase the response probability of the detector and increase the production probability of “00” or “11”. This means that the raw sequence will come to have more positive correlations, which will lead to the overestimation of the entropy and thus an information leak to Eve in the previous models. In what follows, we quantitatively analyse the influence of afterpulse on random number sequences.

In statistical analysis, we always use the autocorrelation coefficient ai to describe the ith autocorrelation of an n-bit sequence {xi} [43]:

$${a}_{{\mathrm{i}}}=\frac{\mathop{\sum }\nolimits_{{\mathrm{j}} = 1}^{{\mathrm{n}}-{\mathrm{i}}}({x}_{{\mathrm{j}}}-\bar{x})({x}_{{\mathrm{j}}+{\mathrm{i}}}-\bar{x})}{\mathop{\sum }\nolimits_{{\mathrm{j}} = 1}^{{\mathrm{n}}}{({x}_{{\mathrm{j}}}-\bar{x})}^{2}},$$
(7)

where \(\bar{x}\) is the expectation value of {xi}. In general, if the sequence is a series of random numbers with good statistical characteristics, the theoretical expectation of ai should be 0.

With the model presented in the previous sections, we can derive the prior autocorrelation coefficient with afterpulse \({a}_{{\mathrm{i}}}^{{\mathrm{p}}}\):

$$\begin{array}{l}{a}_{{\mathrm{i}}}^{{\mathrm{p}}}\,=\,[{p}_{1}^{{\mathrm{i}}1}(1-{p}_{0}^{{\mathrm{i}}0})-{p}_{1}^{{\mathrm{i}}0}(1-{p}_{0}^{{\mathrm{i}}1})](1-k)\\ \quad +[{p}_{0}^{{\mathrm{i}}0}(1-{p}_{1}^{{\mathrm{i}}1})-{p}_{0}^{{\mathrm{i}}1}(1-{p}_{1}^{{\mathrm{i}}0})](-k),\end{array}$$
(8)

where \({p}_{\alpha }^{{\mathrm{i}}1}\) is the response probability of Dα with the former ith detection response and \({p}_{\alpha }^{{\mathrm{i}}0}\) is that without the former ith detection response. k is the expectation of this raw sequence, which is given by

$$k=\frac{{p}_{1}(1-{p}_{0})}{{p}_{1}(1-{p}_{0})+{p}_{0}(1-{p}_{1})}.$$
(9)

Note that we assign double-click events to random bits, so these events should not affect the autocorrelation coefficient in the statistical analysis. Therefore, here we only consider the random numbers generated by single-click events.

In the “Methods” section, we will show the detail of the \({a}_{{\mathrm{i}}}^{{\mathrm{p}}}\) calculation and it is proven that the relation between \({a}_{{\mathrm{i}}}^{{\mathrm{p}}}\) and \({\hat{p}}_{{\mathrm{i}}\alpha }\) is quadratic and degenerates to linear when all the parameters of the two detectors are the same. As shown in Fig. 2, with the increase of \({\hat{p}}_{{\mathrm{i}}\alpha }\), \({a}_{{\mathrm{i}}}^{p}\) increases rapidly and has an obviously positive correlation.

Fig. 2: The relation function between \({a}_{{\mathrm{i}}}^{{\mathrm{p}}}\) and \({\hat{p}}_{{\mathrm{i}}\alpha }\).

The same values are given to the parameters of the detectors. We assume that pulses in coherent states with mean photon number ν = 1 enter SPDs with detection efficiency ηα = 0.1, ed = \(6\times {10}^{-7}\) and \(\hat{{p}_{\alpha }}=0.05\). For ideal devices, the prior autocorrelation coefficient should be 0.

To solve this security issue, it is necessary to analyse the entropy adapted to the afterpulse model. Here, we define Hmin(A|E) as the total conditional minimum entropy of the raw random numbers. It needs to be emphasized that the use of minimum entropy is necessary because Eve is allowed to obtain the probability distribution {Pi} of the raw sequence, and there is an optimum strategy for Eve that she can use to guess the maximum probability event and obtain more information than under the limitation of conditional entropy. Therefore, we should estimate this worst-case and calculate the minimum randomness event with the afterpulse.

We first consider only the model of raw randomness generation in the Z basis and calculate the conditional minimum entropy Hmin(Z|E) with the afterpulse under this condition. According to the response probability model with the afterpulse in Eqs. (2) and (3), the afterpulse probability Papα is dependent on the former response ratio \({p}_{{\mathrm{b}}\alpha }^{{\mathrm{d}}}\). Let us consider the maximum leakage information condition, in which the contribution of Papα to the two detectors reaches its maximum difference. If D0 always responds before, which is opposite to the behavior of D1, the afterpulse contributions to the two detectors will become the most unbalanced. Understandably, the final distribution P(i) will deviate far from Alice’s estimation and Eve will obtain the maximum amount of leaked information. Under this condition, the response probabilities p0 and p1 will become:

$$\begin{array}{l}{p}_{0}^{(1)}=1-{\tau }_{0}(1-{e}_{{\mathrm{d}}0})(1-\frac{\hat{{p}_{0}}}{1-\hat{{p}_{0}}}),\\ {p}_{1}^{(0)}=1-{\tau }_{1}(1-{e}_{{\mathrm{d}}1}).\end{array}$$
(10)

Assuming that the input state is \(\left|+\right\rangle\), we can obtain the conditional minimum entropy Hmin(Z|E) (without the consideration of double clicks)

$$\begin{array}{l}{H}_{min}(Z| E)=-{\log}_{2}(\mathop{\max}\limits_{i}{P}_{i})\\=-{\log}_{2}\left\{\max \left[\frac{{p}_{0}^{(1)}(1-{p}_{1}^{(0)})}{{Q}_{01}},\frac{{p}_{1}^{(0)}(1-{p}_{0}^{(1)})}{{Q}_{01}}\right]\right\},\\{Q}_{01}={p}_{0}^{(1)}(1-{p}_{1}^{(0)})+{p}_{1}^{(0)}(1-{p}_{0}^{(1)}).\end{array}$$
(11)

Without loss of generality, we consider the parameter difference of the two detectors, and Hmin(Z|E) will become:

$$\begin{array}{lll}&&{H}_{{\mathrm{min}}}(Z| E)=-{\mathrm{log}\,}_{2}\left\{\mathop{\max }\limits_{\{\alpha ,\beta \},\{m,n\}=\{1,0\}}\left[\frac{{p}_{\alpha }^{{\mathrm{(m)}}}(1-{p}_{\beta }^{{\mathrm{(n)}}})}{{Q}_{\alpha \beta }^{\mathrm{{mn}}}}\right]\right\},\\ &&{Q}_{\alpha \beta }^{\mathrm{{mn}}}={p}_{\alpha }^{(m)}(1-{p}_{\beta }^{{\mathrm{(n)}}})+{p}_{\beta }^{{\mathrm{(n)}}}(1-{p}_{\alpha }^{{\mathrm{(m)}}}),\\ &&{p}_{\alpha }^{(1)}=1-{\tau }_{\alpha }(1-{e}_{{\mathrm{d}}\alpha })(1-\frac{\hat{{p}_{\alpha }}}{{1}\,-\,\hat{{p}_{\alpha }}}),\\ &&{p}_{\alpha }^{(0)}=1-{\tau }_{\alpha }(1-{e}_{{\mathrm{d}}\alpha }).\end{array}$$
(12)

In what follows, we discuss the total conditional minimum entropy Hmin(A|E) in SI-QRNGs. In a typical SI-QRNG, a key idea is that the protocol with randomness generation and randomness extraction can be seen as similar to that with error correction and randomness generation [31], which borrows a similar technique from the security analysis of the QKD [40]. Corresponding to the original protocol discussed in the previous section, the equivalent virtual protocol can be described as follows: the input states ρ will be corrected to perfect diagonal states \(\left|+\right\rangle\) by a phase error correction with losses of the h(ebx) states and the remaining 1 − h(ebx) corrected states \(\left|+\right\rangle\) can be used to generate perfect random numbers in the Z basis. In this sense, when we estimate Hmin(A|E), it is reasonable that we first estimate the influence of the error rate ebx in the X basis and correct all the states to \(\left|+\right\rangle\), and then the problem can be changed to the estimation of the conditional minimum entropy Hmin(Z|E) with these input states \(\left|+\right\rangle\). In the previous section, we obtained the error rate EQ in the X basis with our afterpulse model in Eq. (6). Therefore, the number of corrected states \(\left|+\right\rangle\) is:

$${n}_{{\mathrm{corrected}}}={n}_{{\mathrm{z}}}(1-h(EQ)),$$
(13)

where nz is the number of pulses detected in the Z basis.

Note that the double clicks in the Z basis should also be considered. A series of true random numbers will be input to fill in these double-click events, and, of course, these true random numbers will be subtracted from the final bit rate. According to the probabilities of single-click and double-click events Qsingle and Qdouble in the Z basis in Eqs. (4) and (5) and the conditional minimum entropy in the Z basis Hmin(Z|E) in Eq. (12), we can obtain Hmin(A|E) by:

$$\begin{array}{l}{H}_{{\mathrm{min}}}(A| E)=[{H}_{{\mathrm{min}}}(Z| E){Q}_{{\mathrm{single}}}+1\times {Q}_{{\mathrm{double}}}]\\ \times [1-h(EQ)]-{Q}_{{\mathrm{double}}}.\end{array}$$
(14)
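As an added illustration (not code from the paper), the following Python code evaluates Eqs. (1)-(6), (12) and (14) for a coherent-state source and shows how the afterpulse rate and an efficiency mismatch lower Hmin(A|E). It assumes Poisson photon statistics, so that τα = exp(−μη), an ideal \(\left|+\right\rangle\) input that splits equally between D0 and D1 and leaves D− in vacuum, and it takes the former response ratio in Eq. (3) from Eq. (1); all function names are hypothetical.

```python
import math

def h2(x):
    """Binary Shannon entropy h(x) in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def tau_poisson(mean_photons, eta):
    """Zero-photon probability of a Poisson pulse seen through efficiency eta (assumption)."""
    return math.exp(-mean_photons * eta)

def p_dark(tau, e_d):
    """Eq. (1): response probability without the afterpulse."""
    return 1 - tau * (1 - e_d)

def p_afterpulse(tau, e_d, p_hat):
    """Eqs. (2)-(3); the former response ratio p_b^d is taken from Eq. (1) (assumption)."""
    p_ap = p_hat / (1 - p_hat) * p_dark(tau, e_d)
    return 1 - tau * (1 - e_d) * (1 - p_ap)

def p_worst(tau, e_d, p_hat, fired_before):
    """Eq. (12): p^(1) if the detector always fired before, p^(0) if it never did."""
    p_ap = p_hat / (1 - p_hat) if fired_before else 0.0
    return 1 - tau * (1 - e_d) * (1 - p_ap)

def hmin_z(det0, det1):
    """Eq. (12): worst case over which detector fired before and which one clicks now.
    Each detector is a tuple (tau, e_d, p_hat)."""
    best = 0.0
    for a, b in ((det0, det1), (det1, det0)):
        for m, n in ((True, False), (False, True)):
            pa, pb = p_worst(*a, m), p_worst(*b, n)
            q = pa * (1 - pb) + pb * (1 - pa)   # single-click normalisation
            best = max(best, pa * (1 - pb) / q)
    return -math.log2(best)

def hmin_a(z0, z1, x_plus, x_minus):
    """Eq. (14), built from Eqs. (4), (5) and (6)."""
    p0, p1 = p_afterpulse(*z0), p_afterpulse(*z1)
    q_single = p0 * (1 - p1) + p1 * (1 - p0)            # Eq. (4)
    q_double = p0 * p1                                  # Eq. (5)
    pp, pm = p_afterpulse(*x_plus), p_afterpulse(*x_minus)
    eq = pm * (1 - pp) + 0.5 * pm * pp                  # Eq. (6)
    return (hmin_z(z0, z1) * q_single + q_double) * (1 - h2(eq)) - q_double

def sample_setup(p_hat, eta0=0.1, eta1=0.1, nu=10.0, e_d=6e-7):
    """Constructed operating point using the values quoted for Fig. 3."""
    z0 = (tau_poisson(nu / 2, eta0), e_d, p_hat)   # |+> splits equally in the Z basis
    z1 = (tau_poisson(nu / 2, eta1), e_d, p_hat)
    x_plus = (tau_poisson(nu, eta0), e_d, p_hat)   # all photons reach D+
    x_minus = (1.0, e_d, p_hat)                    # D- sees vacuum only
    return hmin_a(z0, z1, x_plus, x_minus)

if __name__ == "__main__":
    for p_hat in (0.0, 0.05, 0.10):
        print(f"p_hat={p_hat:.2f}  Hmin(A|E)={sample_setup(p_hat):.4f}")
    print(f"eta1/eta0=0.5  Hmin(A|E)={sample_setup(0.0, eta1=0.05):.4f}")
```
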

In the previous discussion, we considered the afterpulse probability Papα with Eq. (3) under the condition that there are infinite former responses [42]. However, in real implementations, there are finite pulses in front and hence only these corresponding responses’ afterpulse contributions should be calculated. Here we consider this condition and recalculate the afterpulse probability \({P}_{{\mathrm{ap}}\alpha }^{\prime}\) with finite former responses.

Here, we assume that there are m previous detection windows. As in our earlier definition, \({\hat{p}}_{{\mathrm{j}}\alpha }\) is the first-order afterpulse probability coefficient contributed by the former jth detection. A high-order afterpulse is the superposition of the contributions of each first-order afterpulse. All of these high-order afterpulse probabilities contributed by the former kth detection window \({p}_{{\mathrm{ap}}\alpha }^{{\mathrm{k}}}\) are given by:

$${p}_{{\mathrm{ap}}\alpha }^{{\mathrm{k}}}=\mathop{\sum}\limits_{\sum i=k}\prod _{{\mathrm{i}}}{\hat{p}}_{{\mathrm{i}}\alpha }.$$
(15)

According to the previous analysis, always letting one of the detectors respond before is the best case for Eve. The total afterpulse probability \({P}_{{\mathrm{ap}}\alpha }^{\prime}(m)\) in this case changes to

$${P}_{{\mathrm{ap}}\alpha }^{\prime}(m)=\mathop{\sum }\limits_{k=1}^{{\mathrm{m}}}{p}_{{\mathrm{ap}}\alpha }^{{\mathrm{k}}}=\mathop{\sum }\limits_{k=1}^{m}\mathop{\sum}\limits _{\sum i=k}\prod _{{\mathrm{i}}}{\hat{p}}_{{\mathrm{i}}\alpha }.$$
(16)

Previous works [44,45] show that the afterpulse probability \({\hat{p}}_{{\mathrm{j}}\alpha }\) at time t conforms to an “exponential model”, where the characteristic decay of the afterpulse probability depends on the depth of the levels in which the charges are trapped. A simplified model for the gating detector can be given by:

$${\hat{p}}_{{\mathrm{j}}\alpha }={A}_{\alpha }{e}^{-{\mathrm{j}}{\omega }_{\alpha }},$$
(17)

where ωα is the ratio between the gating time and the de-trapping lifetime, and Aα is the amplitude factor for the depth level. Therefore, the total afterpulse probability contributed by m previous detection windows can be derived as:

$${P}_{{\mathrm{ap}}\alpha }^{\prime}(m)={A}_{\alpha }{e}^{-{\omega }_{\alpha }}\frac{{[(1+{A}_{\alpha }){e}^{-{\omega }_{\alpha }}]}^{{\mathrm{m}}}-1}{(1+{A}_{\alpha }){e}^{-{\omega }_{\alpha }}-1},$$
(18)

and \({\omega }_{\alpha }\,>\,{\mathrm{ln}}\,(1+{A}_{\alpha })\) is the convergence condition for m. In the “Methods” section, we will show the details of the derivation and the relation to infinite previous pulses.
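The step from Eqs. (15)-(17) to Eq. (18) can be checked numerically. The Python code below is an added example, not the paper's own code: it sums the high-order afterpulse terms directly over ordered chains of first-order afterpulses, compares the result with the closed form of Eq. (18), and shows that the m → ∞ limit reproduces the factor \(\hat{{p}_{\alpha }}/(1-\hat{{p}_{\alpha }})\) of Eq. (3). It assumes the window index j in the exponent of Eq. (17) and, for the sample values, that Aα is fixed by \(\hat{{p}_{\alpha }}=\sum_{j}{A}_{\alpha }{e}^{-j{\omega }_{\alpha }}\); the function names are hypothetical.

```python
import math

def first_order(A, omega, j):
    """Eq. (17): first-order afterpulse coefficient of the j-th former window."""
    return A * math.exp(-j * omega)

def high_order_terms(A, omega, m):
    """Eq. (15) for k = 1..m.

    c[k] is the sum, over every ordered chain of window gaps adding up to k,
    of the product of first-order coefficients. Splitting off the last gap j
    gives the recursion c[k] = sum_j p_hat_j * c[k - j], with c[0] = 1.
    """
    c = [1.0] + [0.0] * m
    for k in range(1, m + 1):
        c[k] = sum(first_order(A, omega, j) * c[k - j] for j in range(1, k + 1))
    return c[1:]

def total_bruteforce(A, omega, m):
    """Eq. (16): total afterpulse probability from m previous windows."""
    return sum(high_order_terms(A, omega, m))

def total_closed_form(A, omega, m):
    """Eq. (18): geometric-series form of the same sum."""
    x = (1 + A) * math.exp(-omega)
    if x == 1.0:                      # degenerate ratio: every term equals A*exp(-omega)
        return A * math.exp(-omega) * m
    return A * math.exp(-omega) * (x ** m - 1) / (x - 1)

def total_infinite(A, omega):
    """Limit m -> infinity; exists only if omega > ln(1 + A)."""
    if omega <= math.log1p(A):
        raise ValueError("series diverges: need omega > ln(1 + A)")
    return A * math.exp(-omega) / (1 - (1 + A) * math.exp(-omega))

def amplitude_for_rate(p_hat, omega):
    """A such that sum_{j>=1} A*exp(-j*omega) equals the overall rate p_hat (assumption)."""
    return p_hat * math.expm1(omega)

if __name__ == "__main__":
    # Constructed values: omega as quoted for Fig. 3, overall afterpulse rate 5 %.
    omega, p_hat = 0.001, 0.05
    A = amplitude_for_rate(p_hat, omega)
    print("brute force, m=200 :", total_bruteforce(A, omega, 200))
    print("Eq. (18),   m=200 :", total_closed_form(A, omega, 200))
    print("Eq. (18),   m=1000:", total_closed_form(A, omega, 1000))
    print("infinite limit    :", total_infinite(A, omega))
    print("p_hat/(1 - p_hat) :", p_hat / (1 - p_hat))
```

With 1000 previous windows the total afterpulse probability is still well below the infinite-response value, which is why the finite-pulse curve in Fig. 3 lies above the infinite-pulse one.
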

In Fig. 3, we have shown the relation between the conditional minimum entropy Hmin(A|E) and the overall afterpulse rate \(\hat{{p}_{\alpha }}\) with and without the afterpulse. The two lines of Hmin(A|E) with the afterpulse have a significant inverse relationship with \(\hat{{p}_{\alpha }}\) and decrease nearly 20% when \(\hat{{p}_{\alpha }}\) increases to 0.1. We can also see that the conditional minimum entropy with previous infinite pulses will decrease more rapidly than that with previous finite pulses. This means that limiting the number of responses in a detection period is an effective way to enhance the conditional minimum entropy, especially under the condition with the high afterpulse probability.

Fig. 3: The relation between Hmin(A|E) and \(\hat{{p}_{\alpha }}\) with no afterpulse (Np), previous infinite afterpulse (Ip) and previous finite afterpulse (Fp), which consists of 1000 pulses.

The factors ωα = 0.001 and Aα are related to \(\hat{{p}_{\alpha }}\). Pulses in coherent states containing ν = 10 photons enter SPDs with ηα = 0.1 and ed = \(6\times {10}^{-7}\). The shadow gap is the side information leaked to Eve due to the afterpulse.

Detection efficiency and the photon distribution

In addition to the afterpulse, the other non-negligible parameter that might affect the conditional minimum entropy is the zero photon distribution probability τα in Eq. (2). In the SI-QRNG protocol, τα is determined by the detection efficiency, loss, and photon distribution input to the detector. The difference in detection efficiency and loss will cause an imbalance in the final random numbers and have a severe impact on the security of the scheme. In Fig. 4, we show that with detection efficiency mismatch, Hmin(A|E) falls sharply. Moreover, the photon distribution input to the detector also influences the conditional minimum entropy. In previous works, the photon distribution is usually seen as a Poisson distribution, which is not universal for sources and might result in information leakage, as the afterpulse does. Here, we analyse how the detection efficiency, loss, and photon distribution affect τα and design a scheme to monitor these influences.

Fig. 4: The relation between Hmin(A|E) and \(\frac{{\eta }_{1}}{{\eta }_{0}}\) with different \({\hat{{p}}_{\alpha }}\) (0, 0.05).

Pulses with a Poisson distribution containing ν = 10 photons enter SPDs with ηα = 0.1 and ed = \(6\times {10}^{-7}\).

In theory, the photon distributions before and after loss satisfy a Bernoulli transformation. The untrusted photon source through a filter, which is used to guarantee the source in single mode, will become a photon number mixed state by a phase randomizer [46]:

$$\rho =\mathop{\sum }\limits_{n=0}^{\infty }{P}_{{\mathrm{untrusted}}}(n)\left|n\right\rangle \left\langle n\right|,$$
(19)

and then through the loss transmittance in the system, tallα and the detector’s efficiency, ηα, the photon distributions input to the detectors will become [47]

$$\begin{array}{l}D(m)\,=\,B[{P}_{{\mathrm{untrusted}}}(n),{\xi }_{\alpha }]\\=\,\mathop{\sum }\limits_{n=m}^{\infty }{P}_{{\mathrm{untrusted}}}(n)\left(\begin{array}{l}n\\ m\end{array}\right){\xi }_{\alpha }^{{\mathrm{m}}}{(1-{\xi }_{\alpha })}^{{\mathrm{n-m}}},\end{array}$$
(20)

where ξα = tallαηα. As a consequence, we can obtain the zero photon distribution probability τα by

$$\begin{array}{l}{\tau }_{\alpha }=D(0) \\=\mathop{\sum }\limits_{n=0}^{\infty }{P}_{{\mathrm{untrusted}}}(n){(1-{\xi }_{\alpha })}^{{\mathrm{n}}}\end{array}.$$
(21)

Now, the key question for Alice becomes how to monitor the distribution of the untrusted source Puntrusted(n). With the existence of the afterpulse, it is difficult to obtain the distribution precisely only through the SPDs. Fortunately, this can be done by borrowing a similar technique from the source monitor of the QKD [48]. As shown in Fig. 1, in the photon distribution monitor block, a beam splitter (BS) is used to take out a beam of photons to a photodetector (PD) which is used to monitor the photon distribution of the source. Then the others will go through the BS, and an attenuation with the attenuation coefficient t0 is placed to guarantee that the distribution after it is the same as that detected in the PD, which satisfies:

$${t}_{0}=\frac{(1-{\eta }_{{\mathrm{BS}}})}{{\eta }_{{\mathrm{BS}}}}{\eta }_{{\mathrm{DET}}},$$
(22)

where ηBS is the transmittance of the BS and ηDET is the detection efficiency of the PD. Through random sampling of the pulses, we can estimate the photon distribution Puntrusted(n), and with Eq. (21), the zero photon distribution probability τα after the attenuation rate tallα and the detection efficiency ηα can be obtained, which can help us to precisely estimate Hmin(A|E) with Eq. (14). And a series of biased random seeds will be consumed in the random sampling of the pulses, which guarantees that the distribution measurements are independent.

Simulation in finite-size regime

In practice, the resources of Alice are limited and the system can run for only finite time. Limited samplings will suffer from statistical fluctuations, which might enable attacks by Eve. Therefore, it is of great importance to estimate the parameters in the finite-size regime for the final random number security. Here, we consider the influence of the finite data size on the error estimation in the X basis as well as the process of photon distribution monitoring. We also consider the composable security and obtain the final random number rate Rf with the total security parameter ζ.

In the error parameter estimation step, Alice can obtain EQ in the X basis according to Eq. (6) and can approximate the phase error rate epz in the Z basis by EQ. However, due to statistical fluctuations, epz cannot be estimated accurately and the method of approximating it is crucial. In this section, we use two approaches to bound it: one of the methods is random sampling theory used in the ref. 31 and the other is entropy inequality.

The upper bound of epz can be defined by

$${e}_{{\mathrm{pz}}}\,\le\,EQ+\theta ,$$
(23)

and on the basis of the random sampling analysis in the ref. 49, θ is the deviation due to statistical fluctuations which is bounded by

$$\begin{array}{l}{\varepsilon }_{e}\,=\,{Prob}({e}_{{\mathrm{pz}}}> EQ+\theta )\\ \le \frac{1}{\sqrt{{q}_{{\mathrm{x}}}(1-{q}_{{\mathrm{x}}})EQ(1-EQ)N}}{2}^{-n\zeta (\theta )},\end{array}$$
(24)

where ζ(θ) = h(EQ + θ − qxθ) − qxh(EQ) − (1 − qx)h(EQ + θ), qx is the rate of X basis measurement and N is the total number of pulses. With the model presented in the previous sections, the number of final random bits is given by

$$\begin{array}{lll}R&=&{n}_{{\mathrm{z}}}\left[({H}_{{\mathrm{min}}}(Z| E){Q}_{{\mathrm{single}}}+1\times {Q}_{{\mathrm{double}}})\right.\\ &&\left.\times (1-h(EQ+\theta ))-{Q}_{{\mathrm{double}}}\right]-{t}_{{\mathrm{e}}},\end{array}$$
(25)

where nz is the number of pulses measured in the Z basis and \(\varepsilon ={2}^{-{t}_{{\mathrm{e}}}}\) is the failure probability of the randomness extraction, which is related to the security parameter by \({\varepsilon }_{{\mathrm{all}}}=\sqrt{({\varepsilon }_{{\mathrm{e}}}+{2}^{-{t}_{{\mathrm{e}}}})(2-{\varepsilon }_{{\mathrm{e}}}-{2}^{-{t}_{{\mathrm{e}}}})}\).

Furthermore, the entropy inequality is an alternative method to bound the final random bit rate through bounding epz [37] by:

$$\theta =\sqrt{\frac{{n}_{{\mathrm{z}}}+{n}_{{\mathrm{x}}}}{{n}_{{\mathrm{z}}}{n}_{{\mathrm{x}}}}\frac{{n}_{{\mathrm{x}}}+1}{{n}_{{\mathrm{x}}}}\mathrm{ln}\,\frac{2}{{\varepsilon }_{{\mathrm{e}}}}}.$$
(26)

Here we set εe as the total security parameter εall because there is no error correction, which is different from the QKD. The final random bit rate can be bounded by

$$\begin{array}{*{20}{l}}R={n}_{{\mathrm{z}}}\left[({H}_{{\mathrm{min}}}(Z| E){Q}_{{\mathrm{single}}}+1\times {Q}_{{\mathrm{double}}})\right.\\\left.\times \,(1-h(EQ+\theta ))-{Q}_{{\mathrm{double}}}\right]-2{\mathrm{log}\,}_{2}\frac{1}{{\varepsilon }_{{\mathrm{all}}}}.\end{array}$$
(27)

In what follows, we present and discuss the results of the numerical simulation. We use the experimental parameters listed in Table 1. The relations between the loss of VOA and the randomness generation rates, with different values of \({\hat{p}}_{\alpha }\) and different methods, are shown in Fig. 5. Compared with the rate without the afterpulse, the rate with the afterpulse is lower and decreases more obviously; from a loss not exceeding 5 dB, the influence of the afterpulse gradually becomes more pronounced than that of statistical fluctuation, and the afterpulse results in a lower tolerance for fewer photons as well as more information leakage to Eve. Moreover, the bound of the entropy inequality results in a higher randomness generation rate than random sampling. The rate peak is approximately 1–2 dB, and there is a slight difference with different analysis methods.

Table 1 List of the experiment parameters used in numerical simulations.
Fig. 5: Optimal randomness generation rates as a function of the loss of VOA with different values of \({\hat{p}}_{\alpha }\) and error estimation methods including random sampling (RS), entropy inequality (EI) and infinite length (IL).

RS, EI, and IL represent the models without the afterpulse and RSP, EIP, and ILP represent the models with the afterpulse \({\hat{p}}_{\alpha }=5 \%\). The experimental parameters are listed in Table 1, and we assume that the pulse distribution is the coherent state that contains ν = 50 photons initially. a The condition with low loss. b The condition with the loss of up to 50 dB.

Furthermore, there is also statistical fluctuation in the photon distribution monitor. Even if we use an ideal photodetector, the distribution estimation will also fluctuate with limited sampling pulses. Assume that Alice randomly chooses N pulses in the photon distribution monitor, and the vacuum probability value input to SPDs \({\tau }_{\alpha }^{\prime}\) can be estimated by Eq. (21). According to Hoeffding’s inequality [50], the confidence interval of the vacuum probability is \({\tau }_{\alpha }\in [{\tau }_{\alpha }^{\prime}-{\delta }_{{\mathrm{d}}},{\tau }_{\alpha }^{\prime}+{\delta }_{{\mathrm{d}}}]\) with confidence level κ = 1 − εd, where εd is the distribution estimation failing probability, which is given by \({\varepsilon }_{{\mathrm{d}}}=2{\mathrm{exp}}(-2N{\delta }_{{\mathrm{d}}}^{2})\). To show the effect of statistical fluctuations in the numerical simulation, we assume that the untrusted source distribution estimation result is a Poissonian distribution. As shown in Fig. 6, the limited random sampling pulses cause a large gap between the ideal Hmin(A|E) and the practical Hmin(A|E) with the finite size effect, and the gap shrinks when the length of the random sampling pulses is at least \({10}^{5}\).

Fig. 6: Conditional minimum entropy \({H}_{\min }(A| E)\) as a function of the sampling length with the finite size (FS) and infinite length (IL).

FZ and IL represent the rates without the afterpulse, and FZP and ILP represent the rates with the afterpulse \({\hat{p}}_{\alpha }=5 \%\). Assume that pulses with coherent states contain ν = 10 photons.

For a larger system, giving one monolithic security proof is error prone. Therefore, in the past few years, composable security, as a solution to this problem, has been developed in the research of QRNGs34,35 as well as QKDs37,49,51,52. Here we also establish composable security and obtain the final random number rate Rf.

In general, the raw random sequence of Alice can be quantum correlated with a quantum state that is held by Eve. Mathematically, this situation is described by the classical quantum state

$${\rho }_{{\mathrm{AE}}}=\sum _{{\mathrm{i}}}{p}_{{\mathrm{i}}}\left|i\right\rangle \left\langle i\right|\otimes {\rho }_{{\mathrm{E}}}^{{\mathrm{i}}},$$
(28)

where \(\{\left|i\right\rangle \}\) denotes an orthonormal basis for Alice’s system, and the subscript E indicates the system of Eve. It is easy to see that, for any attack, the state resulting from the run of a perfectly secure scheme has the form \({\rho }_{{\mathrm{AE}}}^{\prime}={\rho }_{{\mathrm{A}}}\otimes {\rho }_{{\mathrm{E}}}\) where \({\rho }_{{\mathrm{A}}}={\sum }_{{\mathrm{i}}}\frac{1}{| I| }\left|i\right\rangle \left\langle i\right|\) is the uniform mixture of all possible values of the bit string. As is common in quantum cryptography, a QRNG protocol is ζ-secret if and only if, for any attack, the classical quantum state ρAE satisfies

$$\frac{1}{2}\parallel {\rho }_{{\mathrm{AE}}}-{\rho }_{{\mathrm{AE}}}^{\prime}{\parallel }_{1}\le \zeta ,$$
(29)

where \(\parallel \cdot {\parallel }_{1}\) denotes the trace norm. In our protocol, the total failure probability is a combination of two processes, error estimation and photon distribution estimation. As in the composable security analysis of QKD49, ζ can be given by

$$\zeta \le \sqrt{({\varepsilon }_{{\mathrm{d}}}+{\varepsilon }_{{\mathrm{e}}}+{2}^{-{t}_{{\mathrm{e}}}})(2-{\varepsilon }_{{\mathrm{d}}}-{\varepsilon }_{{\mathrm{e}}}-{2}^{-{t}_{{\mathrm{e}}}})},$$
(30)

where εe and εd are the failure probabilities of the error estimation and photon distribution estimation, respectively. \({2}^{-{t}_{{\mathrm{e}}}}\) is the failure probability of the randomness extraction. Combining the analysis in Eq. (30), the final random number rate is

$$\begin{array}{l}{R}_{{\mathrm{f}}}=\mathop{\min }\limits_{{\tau }_{\alpha }\in [{\tau }_{\alpha }^{\prime}-{\delta }_{{\mathrm{d}}},{\tau }_{\alpha }^{\prime}+{\delta }_{{\mathrm{d}}}]}\left\{{n}_{{\mathrm{z}}}\left[\left({H}_{{\mathrm{min}}}(Z| E){Q}_{{\mathrm{single}}}\right.\right.\right.\\\left.\left.\left.+\,{1}\times {Q}_{{\mathrm{double}}}\right)\times (1-h(EQ+\theta ))-{Q}_{{\mathrm{double}}}\right]\right\} -{t}_{{\mathrm{e}}}\end{array},$$
(31)

where θ is the deviation due to statistical fluctuations, which is bounded by Eq. (24).
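The Hoeffding half-width δd and the bound of Eq. (30) can be turned into a small parameter planner; the following Python sketch is an added example, not code from the paper. The function names and the sample values (N, εd, εe, te, τ′) are assumptions chosen for illustration.

```python
import math

def hoeffding_delta(n_samples: int, eps_d: float) -> float:
    """Half-width delta_d solving eps_d = 2*exp(-2*N*delta_d**2)."""
    if n_samples <= 0 or not 0.0 < eps_d < 1.0:
        raise ValueError("need N > 0 and 0 < eps_d < 1")
    return math.sqrt(math.log(2.0 / eps_d) / (2.0 * n_samples))

def vacuum_interval(tau_est: float, n_samples: int, eps_d: float):
    """Confidence interval for tau_alpha, clipped to valid probabilities."""
    d = hoeffding_delta(n_samples, eps_d)
    return max(0.0, tau_est - d), min(1.0, tau_est + d)

def samples_for_delta(delta_d: float, eps_d: float) -> int:
    """Smallest N whose Hoeffding half-width is at most delta_d."""
    return math.ceil(math.log(2.0 / eps_d) / (2.0 * delta_d ** 2))

def zeta_bound(eps_d: float, eps_e: float, t_e: int) -> float:
    """Right-hand side of Eq. (30)."""
    s = eps_d + eps_e + 2.0 ** (-t_e)
    if not 0.0 <= s <= 1.0:
        raise ValueError("total failure probability must lie in [0, 1]")
    return math.sqrt(s * (2.0 - s))

def failure_budget(zeta_target: float) -> float:
    """Largest s = eps_d + eps_e + 2**-t_e with sqrt(s*(2-s)) <= zeta_target.

    Written as zeta^2 / (1 + sqrt(1 - zeta^2)) to avoid cancellation.
    """
    z2 = zeta_target ** 2
    return z2 / (1.0 + math.sqrt(1.0 - z2))

if __name__ == "__main__":
    # Constructed sample values, not taken from Table 1.
    for n in (10**3, 10**4, 10**5, 10**6):
        print(n, hoeffding_delta(n, 1e-10), vacuum_interval(0.3, n, 1e-10))
    print("zeta <=", zeta_bound(1e-10, 1e-10, 100))
    print("budget for zeta = 1e-6:", failure_budget(1e-6))
```

Because ζ scales with the square root of the summed failure probabilities, individual failure terms of 1e-10 yield a secrecy parameter of only about 2e-5 under Eq. (30).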

Discussion

In conclusion, we have pointed out and evaluated the security loopholes of practical imperfect devices in discrete-variable SI-QRNGs. According to our analysis, Eve might obtain the imperfection parameters of the measurement and obtain side information to enhance the guessing probability of outcomes. The entropy estimation error can reach 20% without consideration of the large afterpulse, and even higher under the conditions of a large mismatch of the detector efficiency and misestimation of the photon number distribution. To solve these problems, we provide a new protocol with distribution monitoring and entropy estimation methods to extract secure random bits in the presence of these factors. By analysing the finite-size effect, we show the final randomness rates and find that under some conditions, the influence of the afterpulse will exceed that of the finite-size effect. Finally, we establish a composable security model to guarantee the security of the total protocol. Compared with the general SI-QRNG in ref. 31, our model is more practical and more compatible with imperfect devices.

Our model also provides a way to achieve high-speed SI-QRNGs. Common discrete-variable SI-QRNGs are usually limited by the frequency of SPDs, which is approximately 100 Mbps. A faster counting rate is not allowed because of the information leaked by the afterpulse. With our model, however, the afterpulse is also a factor in the randomness rate, which means that we can use SPDs with higher afterpulse rates. In recent research, an SPD with a rate of up to 500 MHz has been presented, which has an afterpulse rate of nearly 10%53. This is not tolerated in most protocols, but with our analysis a high-speed SI-QRNG can be obtained without any security problem from the afterpulse. Therefore, as the rates of SPDs improve, the imperfect-device-compatible model will be more suitable for high-speed scenarios, and this may make it easier for a discrete-variable GHz-SI-QRNG to be realized.

Methods

Calculation of the autocorrelation coefficient

In this section, we show the details of calculating \({a}_{{\mathrm{i}}}^{{\mathrm{p}}}\). Equation (7) gives the general expression of the autocorrelation coefficient. To obtain the final result, it is important to derive each statistical value of the numerator and denominator.

Here we assume that the n-bits raw random number sequence contains nk bits with the value “0” and n(1 − k) bits with the value “1”. The expectation and variance can be given by

$$\begin{array}{l}\bar{x}=k,\\ \mathop{\sum }\limits_{j=1}^{n}{({x}_{j}-\bar{x})}^{2}=nk{(1-k)}^{2}+n(1-k){k}^{2}.\end{array}$$
(32)

Now we consider the value of the numerator \(\mathop{\sum }\nolimits_{{\mathrm{j}} = 1}^{n-i}({x}_{{\mathrm{j}}}-\bar{x})({x}_{{\mathrm{j}}+i}-\bar{x})\). For the jth resultful detection event, considering that xj = 1 or 0, the afterpulse probability of detector Dα (α ∈ {0, 1}) in the (j+i)th resultful detection event will become (where the high-order afterpulse generated by the jth response is disregarded):

$$\begin{array}{lll}&&{P}_{{\mathrm{ap}}\alpha }^{{\mathrm{i}}1}=\frac{\hat{{p}_{\alpha }}}{1-\hat{{p}_{\alpha }}}{p}_{{\mathrm{b}}\alpha }^{{\mathrm{d}}}+{\hat{p}}_{{\mathrm{i}}\alpha }(1-{p}_{{\mathrm{b}}\alpha }^{{\mathrm{d}}}),\\ {\mathrm{or}}\,\,&&{P}_{{\mathrm{ap}}\alpha }^{i0}=\frac{\hat{{p}_{\alpha }}}{1-\hat{{p}_{\alpha }}}{p}_{{\mathrm{b}}\alpha }^{{\mathrm{d}}}+{\hat{p}}_{{\mathrm{i}}\alpha }(-{p}_{{\mathrm{b}}\alpha }^{{\mathrm{d}}}),\end{array}$$
(33)

and the corresponding response probability is

$$\begin{array}{lll}&&{p}_{\alpha }^{i1}=1-{\tau }_{\alpha }(1-{e}_{{\mathrm{d}}\alpha })(1-{P}_{{\mathrm{ap}}\alpha }^{{\mathrm{i}}1}),\\ {\mathrm{or}}\,\,&&{p}_{\alpha }^{i0}=1-{\tau }_{\alpha }(1-{e}_{{\mathrm{d}}\alpha })(1-{P}_{{\mathrm{ap}}\alpha }^{{\mathrm{i}}0}).\end{array}$$
(34)

Therefore, the prior statistical autocorrelation coefficient can be derived by (n ≫ i):

$$\begin{array}{l}{a}_{{\mathrm{i}}}^{{\mathrm{p}}}=\frac{\mathop{\sum }\nolimits_{{\mathrm{j}} = 1}^{n-i}({x}_{{\mathrm{j}}}\,-\,\bar{x})({x}_{{\mathrm{j}}+i}\,-\,\bar{x})}{\mathop{\sum }\nolimits_{{\mathrm{j}} = 1}^{{\mathrm{n}}}{({x}_{{\mathrm{j}}}\,-\,\bar{x})}^{2}}\\ =\,\frac{\mathop{\sum }\nolimits_{{{\mathrm{x}}}_{{\mathrm{j}}} = 1}^{{\mathrm{j}}}({1}\,-\,\bar{x})({x}_{{\mathrm{j}}+i}-\bar{x})+\mathop{\sum }\nolimits_{{{\mathrm{x}}}_{{\mathrm{j}}} = 0}^{{\mathrm{j}}}(0-\bar{x})({x}_{{\mathrm{j}}+i}-\bar{x})}{\mathop{\sum }\nolimits_{{\mathrm{j}} = 1}^{{\mathrm{n}}}{({x}_{{\mathrm{j}}}-\bar{x})}^{2}}\\ =\,\frac{1}{nk{({1}\,-\,k)}^{2}+n({1}\,-\,k){k}^{2}}\\ \,\times \,\left\{(n-i)k(1-k)\right.\\ \,\times \,[(1-k){p}_{1}^{{\mathrm{i}}1}(1-{p}_{0}^{{\mathrm{i}}0})+(0-k){p}_{0}^{{\mathrm{i}}0}(1-{p}_{1}^{{\mathrm{i}}1})]\\ \,+\,(n-i)(1-k)(-k)\\ \,\left.\times \,[(1-k){p}_{1}^{{\mathrm{i}}0}(1-{p}_{0}^{{\mathrm{i}}1})+(0-k){p}_{0}^{{\mathrm{i}}1}(1-{p}_{1}^{{\mathrm{i}}0})]\right\}\\ =\,[{p}_{1}^{{\mathrm{i}}1}(1-{p}_{0}^{{\mathrm{i}}0})-{p}_{1}^{{\mathrm{i}}0}(1-{p}_{0}^{{\mathrm{i}}1})](1-k)\\ \,+\,[{p}_{0}^{{\mathrm{i}}0}(1-{p}_{1}^{{\mathrm{i}}1})-{p}_{0}^{{\mathrm{i}}1}(1-{p}_{1}^{{\mathrm{i}}0})](-k).\end{array}$$
(35)

According to Eqs. (33) and (34), the response probabilities \({p}_{\alpha }^{i1}\) and \({p}_{\alpha }^{i0}\) are both linear in \({\hat{p}}_{{\mathrm{i}}\alpha }\). Therefore, it is obvious that \({a}_{i}^{p}\) is a quadratic function of \({\hat{p}}_{i\alpha }\), and when we choose the same parameters for the two detectors, \({a}_{i}^{p}\) will become:

$$\begin{array}{l}{a}_{{\mathrm{i}}}^{{\mathrm{p}}}=\,[{p}_{0}^{{\mathrm{i}}1}(1-{p}_{0}^{{\mathrm{i}}0})-{p}_{0}^{{\mathrm{i}}0}(1-{p}_{0}^{{\mathrm{i}}1})](1-k)\\ \,+\,[{p}_{0}^{{\mathrm{i}}0}(1-{p}_{0}^{{\mathrm{i}}1})-{p}_{0}^{{\mathrm{i}}1}(1-{p}_{0}^{{\mathrm{i}}0})](-k)\\ =\,{p}_{0}^{{\mathrm{i}}1}-{p}_{0}^{{\mathrm{i}}0}\\ =\,{\tau }_{0}(1-{e}_{{\mathrm{d}}0}){p}_{{\mathrm{b}}0}^{{\mathrm{d}}}{\hat{p}}_{i0}.\end{array}$$
(36)

and it will degenerate to a linear function of \({\hat{p}}_{i\alpha }\).
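The coefficient defined in the first line of Eq. (35) can be measured directly on a raw bit string to check for lag-dependent correlation. The Python sketch below is an added example, not code from the paper: `sticky_bits` is a constructed toy source (each bit copies its predecessor with a fixed probability), not the detector model of Eqs. (33) and (34), and the 5σ threshold in `flagged_lags` is an assumption.

```python
import random

def autocorrelation(bits, lag):
    """Lag-i coefficient, first line of Eq. (35):
    sum_{j=1}^{n-i}(x_j - xbar)(x_{j+i} - xbar) / sum_{j=1}^{n}(x_j - xbar)^2."""
    n = len(bits)
    if not 0 < lag < n:
        raise ValueError("lag must satisfy 0 < lag < n")
    mean = sum(bits) / n
    denom = sum((x - mean) ** 2 for x in bits)
    if denom == 0:
        raise ValueError("constant sequence: coefficient undefined")
    num = sum((bits[j] - mean) * (bits[j + lag] - mean) for j in range(n - lag))
    return num / denom

def sticky_bits(n, repeat_prob, seed):
    """Constructed test source: each bit copies the previous one with
    probability repeat_prob, otherwise it is a fresh fair bit."""
    rng = random.Random(seed)
    out = [rng.getrandbits(1)]
    for _ in range(n - 1):
        out.append(out[-1] if rng.random() < repeat_prob else rng.getrandbits(1))
    return out

def flagged_lags(bits, max_lag, sigmas=5.0):
    """Lags whose |a_i| exceeds sigmas/sqrt(n), the spread expected
    for independent fair bits (assumed threshold)."""
    threshold = sigmas / len(bits) ** 0.5
    return [i for i in range(1, max_lag + 1)
            if abs(autocorrelation(bits, i)) > threshold]

if __name__ == "__main__":
    noisy = sticky_bits(100_000, 0.05, seed=1)   # constructed, correlated
    clean = sticky_bits(100_000, 0.0, seed=2)    # constructed, independent
    for name, seq in (("noisy", noisy), ("clean", clean)):
        coeffs = [round(autocorrelation(seq, i), 4) for i in range(1, 6)]
        print(name, coeffs, "flagged:", flagged_lags(seq, 5))
```

In the toy source the lag-1 coefficient equals the copy probability, so the estimate gives a direct reading of how strongly one outcome biases the next.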

Calculation of the total afterpulse probability for previous finite responses

In this section, we derive the total afterpulse probability. According to Eqs. (16) and (17), we can obtain \({P}_{ap\alpha }^{\prime}(m)\) by:

$$\begin{array}{l}{P}_{ap\alpha }^{\prime}(m)=\mathop{\sum }\limits_{k=1}^{m}\sum _{\sum i=k}\mathop{\prod }\limits _{i}{\hat{p}}_{i\alpha }\\ =\mathop{\sum }\limits_{k=1}^{m}\sum _{\sum i=k}\mathop{\prod }\limits_{i}{A}_{\alpha }{e}^{-i{\omega }_{\alpha }}\\ =\mathop{\sum }\limits_{k=1}^{m}\mathop{\sum }\limits_{j=1}^{k}\left(\begin{array}{l}k\\ j\end{array}\right){A}_{\alpha }^{j}{e}^{-k{\omega }_{\alpha }}\\ =\mathop{\sum }\limits_{k=1}^{m}{A}_{\alpha }{(1+{A}_{\alpha })}^{k-1}{e}^{-k{\omega }_{\alpha }}\\ ={A}_{\alpha }{e}^{-{\omega }_{\alpha }}\frac{{[({1}\,+\,{A}_{\alpha }){e}^{-{\omega }_{\alpha }}]}^{m}-1}{({1}\,+\,{A}_{\alpha }){e}^{-{\omega }_{\alpha }}-1}.\end{array}$$
(37)

To compare with the afterpulse probability for previous infinite responses Papα(all), it is necessary to obtain \(\hat{{p}_{\alpha }}\) by:

$$\begin{array}{l}\hat{{p}_{\alpha }}\,=\mathop{\sum }\limits_{j=1}^{m}{\hat{p}}_{j\alpha }=\mathop{\sum }\limits_{j=1}^{m}{A}_{\alpha }{e}^{-j{\omega }_{\alpha }}={A}_{\alpha }{e}^{{\omega }_{\alpha }}\frac{{e}^{-m{\omega }_{\alpha }}\,-\,{1}}{{e}^{-{\omega }_{\alpha }}\,-\,{1}}\\ \quad\,\,\,=\frac{{A}_{\alpha }{e}^{-{\omega }_{\alpha }}}{{1}-{e}^{-{\omega }_{\alpha }}}\quad (m\to \infty ),\end{array}$$
(38)

and then according to Eq. (3), we can get Papα(all) by:

$${P}_{ap\alpha }(all)=\frac{\hat{{p}_{\alpha }}}{1-\hat{{p}_{\alpha }}}=\frac{{A}_{\alpha }{e}^{-{\omega }_{\alpha }}}{1-(1+{A}_{\alpha }){e}^{-{\omega }_{\alpha }}}.$$
(39)

It is obvious that \({P}_{ap\alpha }^{\prime}(m)\) is a monotonically decreasing function and will degenerate to Papα(all) when m → ∞, and the condition of convergence for Eq. (37) is \((1+{A}_{\alpha }){e}^{-{\omega }_{\alpha }}\,<\,1\), that is, \({\omega }_{\alpha }\,>\,{\mathrm{ln}}\,(1+{A}_{\alpha })\).
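A numerical cross-check of Eqs. (37) and (39), as an added Python example that is not code from the paper. It assumes the inner sum of Eq. (37) runs over every ordered chain of positive lags whose total is k (Eqs. (16) and (17) are not reproduced in this section), and the values of A and ω are constructed.

```python
import math

def compositions(k):
    """Yield every ordered tuple of positive integers that sums to k."""
    if k == 0:
        yield ()
        return
    for first in range(1, k + 1):
        for rest in compositions(k - first):
            yield (first,) + rest

def p_hat(i, A, omega):
    """Lag-i afterpulse probability, A * exp(-i * omega)."""
    return A * math.exp(-i * omega)

def total_bruteforce(m, A, omega):
    """First line of Eq. (37), summed chain by chain (assumed reading)."""
    return sum(math.prod(p_hat(i, A, omega) for i in chain)
               for k in range(1, m + 1) for chain in compositions(k))

def total_closed_form(m, A, omega):
    """Last line of Eq. (37)."""
    r = (1.0 + A) * math.exp(-omega)
    if r == 1.0:  # geometric ratio 1: m equal terms
        return A * math.exp(-omega) * m
    return A * math.exp(-omega) * (r ** m - 1.0) / (r - 1.0)

def total_all(A, omega):
    """Eq. (39); defined only when omega > ln(1 + A)."""
    if omega <= math.log1p(A):
        raise ValueError("series diverges: need omega > ln(1 + A)")
    return A * math.exp(-omega) / (1.0 - (1.0 + A) * math.exp(-omega))

if __name__ == "__main__":
    A, omega = 0.05, 1.0  # constructed parameters
    for m in (1, 2, 5, 10):
        print(m, total_bruteforce(m, A, omega), total_closed_form(m, A, omega))
    print("limit:", total_all(A, omega))
```

The brute-force sum enumerates 2^(k-1) chains per k, so it is only practical for small m; the closed form is what a finite-size calculation would use.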