Quantum random number cloud platform

Randomness lays the foundation for information security. Quantum random number generation based on various quantum principles has been proposed to provide true randomness in the last two decades. We integrate four different types of quantum random number generators on the Alibaba Cloud servers to enhance cybersecurity. Post-processing modules are integrated into the quantum platform to extract true random numbers. We employ improved authentication protocols where original pseudo-random numbers are replaced with quantum ones. Users from the Alibaba Cloud, such as Ant Financial and Smart Access Gateway, request random numbers from the quantum platform for various cryptographic tasks. For cloud services demanding the highest security, such as Alipay at Ant Financial, we combine the random numbers from four quantum devices by XOR the outputs to enhance practical security. The quantum platform has been continuously run for more than a year.


INTRODUCTION
Random numbers play an important role in cybersecurity, cryptography, lottery, and scientific simulations [1][2][3] .In recent years, with the widespread of next-generation information technologies such as big data, cloud computing, and Internet of Things, a large amount of confidential data related to customer privacy has been increasingly exposed to the Internet.Data security is facing great challenges from increasing computing power, future quantum computers, and newalgorithm attacks 4,5 .In the meantime, poor implementations of randomness generation would open up serious security loopholes for cryptosystems even when the underlying algorithms are secure [6][7][8][9][10] .Even for those newly proposed lattice or hashed-based quantum-safe cryptography algorithms, randomness is still a fundamental problem that cannot be solved with classical means.The ability to provide high-quality, high-speed, and stable random number services is an essential demand for information security today 11,12 .
Quantum random number generators (QRNGs) have attracted extensive interests in the past two decades.For a review of the subject, please refer to the recent review articles 13,14 and references therein.The essential difference between QRNGs and classical ones (such as pseudo or thermal noise-based) lies in the unpredictability 15,16 .Guaranteed by the principle of quantum mechanics, QRNGs can avoid predictability loopholes in classical random numbers.As a result, quantum devices show the superiority in tasks with a high information security level, such as data encryption, authentications, and digital signatures.Till now, various methods have been applied to generate quantum randomness, such as detecting the path of a single-photon after a beam splitter [17][18][19] , the arrival time of a weak coherent state [20][21][22][23][24] , the photon-counting detection or the vacuum-fluctuations of an optical field [25][26][27][28][29] , and the phase fluctuations in spontaneous emission [30][31][32][33] .Moreover, when we relax the assumptions and characterizations on the devices, there are also device-independent 34,35 and semi-deviceindependent QRNG schemes 36,37 .
With so many different choices of QRNGs, it is challenging for end-users to understand the underlying principles and to get familiar with various physical and application programming interfaces (APIs) of different devices.Besides, no universal QRNG standards and verification techniques have been officially released so far, making it difficult to evaluate the quality and performance of QRNGs.Individual QRNG devices are usually lack of real-time randomness check, and cannot provide sustainable random number services to online security applications with high stability request.A high-quality quantum random number service should be adaptive with various QRNGs using different interfaces and plug-and-play even if any (not all) device fails.
In this work, we realize a platform on the Alibaba Cloud servers that provides random numbers from four different types of QRNGs, including those based on single-photon detection, photon-counting detection, phase-fluctuations, and vacuum-fluctuations.Real-time post-processing and randomness monitoring modules are integrated into the platform.The generated random numbers are fed into applications either on the Alibaba Cloud servers or remote access for data encryption, with various security levels and speeds.For applications in financial services requiring the highest security, we combine the random numbers from the four quantum devices by bitwise exclusive-OR of the outputs.In this case, as long as at least one of the devices provides true randomness, the applications are secure.A universal trust-cloud-center is more reliable than individual device manufactures.In practice, it is much more challenging for hackers to find loopholes in all different QRNGs.In the future, we would add more quantum entropy sources into the systems to further enhance the security on the implementation level.

Platform realization
Recently, popular QRNG realizations are mainly based on singlephoton detection, photon-counting detection, and phase or vacuum-fluctuations.The schematic diagram of each principle is shown in Fig. 1.The most straightforward idea of QRNG is based on single-photon detection, as shown in Fig. 1(a).When a photon passes through a 50/50 beam splitter, the probabilities to enter detector "0" and detector "1" are balanced [17][18][19] .Due to the dead time of single-photon detectors, such QRNGs usually have a limited speed of Mbps, while phase-fluctuation ones [30][31][32][33] in Fig. 1(b) can dramatically increase the generation speed up to Gbps using traditional photodetectors.Due to the complexity of their optical setups, commercial phase-fluctuation QRNGs are normally bulky (approximately in the size of 1U rack).A more compact QRNG-chip (Fig. 1(c)) based on photon-counting detection 25 has been demonstrated and commercialized, with a relative simple setup and moderate generation rate (240 Mbps).However, the theoretical evaluation of classical and quantum entropy for direct photoncounting QRNGs is still under discussion.For comparison and easy demonstration, a lab-made vacuum-fluctuation QRNG [26][27][28] has also been demonstrated in Fig. 1(d) with a generation rate of 400 Mbps (limited by the characteristics of the homodyne detector), where the lab-made homodyne detector has a bandwidth of 150 MHz and a common mode rejection ratio of 30 dB.All the types of QRNGs above are adopted by our platform.
We present the QRNG Platform protocol and the schematic diagram of the platform setup is shown in Fig. 2. Details of the QRNG cloud platform protocol are described as follows.
1. Data import.The cloud platform adopts quantum random numbers from various QRNG devices through different interfaces (e.g., PCIe, USB, Ethernet, etc.).Our online random number server provides standard interfaces (RESTful or gRPC API), or random numbers can be downloaded from website directly for end-users.The request size of random numbers can be customized, and APIs are compatible with multiple data format including binary, text, ASCII, etc. 2. Randomness extraction.The randomness of the input random numbers from different entropy sources are evaluated.The random numbers pass a real-time randomness extractor, by which the randomness per bit is enhanced to almost 1. 3. Bitwise XOR.A bitwise XOR operation is performed between random numbers from two or more quantum entropy sources.For each train of n-bit random series X i (n), the output random train Y(n) is given by This step is optional.Here are some remarks for the protocol.First, we integrate a real-time post-processing into our cloud.The post-processing technique, namely a randomness extractor (k, ϵ, n, d, m)-extractor, is a function that transforms the n-bit raw sequence with conditional minentropy H min (ρ A |E) ⩾ k (this quantity characterizes the true randomness of ρ A in the presence of eavesdroppers E) to a m-bit sequence arbitrarily close to a uniform distribution with the help of a d-random-bit seed.This process will succeed with a probability no <1 − ϵ.The relations of these parameters are given by the Leftover Hash Lemma For different QRNGs, we quantify the randomness and apply corresponding extractors according to H min (ρ A |E) and get uniform output sequences.In our implementation, both commercial and lab-made QRNG devices are connected to the QRNG Platform.For the commercial QRNGs, the conditional min-entropy is evaluated internally with real-time post-processing by the devices.For the lab-made QRNG, we assume that the quantum signal and classical noise follow independent Gaussian distributions 29 in the strong local oscillator limit, and we have the following relation about their variances, σ t is the standard deviation of the output of the ADC, which includes both σ q (quantum signal) and σ c (classical noise).In a QRNG whose devices are trusted and characterized, the conditional-min entropy is calculated by extracting the quantum signal from classical noise.
Here we take a vacuum-fluctuation QRNG as an example.The fundamental quantum randomness comes from the shot noise of the coherent laser source, whose variance σ 2 q is a linear function of the intensity of the local oscillator 38 .The classical noises are assumed to be independent with laser power [26][27][28][29] , which can be obtained in the absence of the local oscillator.Then we can calculate the signal-to-noise ratio at a certain laser power, and the output randomness is given by the min-entropy function where J is the label of ADC bins, Δ is the resolution of ADC, Gð0; σ t ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi γ=ðγ þ 1Þ p Þ is a Gaussian distribution with zero mean and a variance of σ 2 t γ=ðγ þ 1Þ, and is the probability to generate a certain sequence of random numbers.P max is the maximum probability of some random number sequence occurs per sample, which can be calculated by the area under the probability density in an ADC bin.The conditional min-entropy of other type of QRNGs can be calculated with similar process.
Second, the bitwise XOR operation enhances the reliability of the random numbers in case some of the entropy sources are infiltrated by eavesdroppers.According to Shannon entropy theory 1 , in Eq. ( 1), Y(n) has the perfect secrecy to be all possible n-bit train, providing that any one of X i (n) is random and X i (n) trains are independent from each other.If only two trains X 1 (n) and X 2 (n) are applied, Eq. ( 1) is similar to the one-time pad, where X 1 (n), X 2 (n) and Y(n) are corresponding to the key, the plaintext and the ciphertext respectively.Therefore, we do not need to trust all of the QRNGs but only at least one of them.As long as one of the QRNG entropy sources is reliable, the output Y(n) is random.On the other hand, according to the Leftover Hash Lemma Eq. ( 3), the parameter ϵ characterizes the failure probability of the hashing function.Since the integrated QRNGs work independently, the total failure probability can be decreased by the XOR operation according to the union bound.
Third, depending on specific circumstances, different strategies can be applied to meet the requirements of different levels of security and speeds.For example, financial services such as Alipay require the utmost security.We need to close any possible loopholes in the cryptosystem.For this purpose, random numbers from various quantum devices are taken and processed as in Eq. ( 1).As a result, the highest speed is limited by the slowest QRNG at a rate of 16 Mbps.If end-users have concerns with some specific entropy sources or if any of the hardware breaks down, they can always choose an arbitrary combination of these QRNGs.
Finally, end-users are permitted to store and manage the random number files on the cloud.The generated random numbers could be used for encryption required by other services, either on the end-users' (e.g., Ant Financial) or remote-users' servers (e.g., Smart Access Gateway (SAG)).As those services are on the cloud, high-volume random numbers are required by thousands of servers and real-time post-processing is needed to meet the requirements of online encryption.

Practical implementation and applications
Our platform provides high-quality random numbers in a distributed network environment.The generated random numbers can be further combined with encryption protocols, such as Internet protocol security (IPsec) and SSL/TLS.In these protocols, the existing pseudo-random numbers used in key exchanges, authentication, and digital signatures are replaced with quantum random numbers.Pseudo-random numbers generated by deterministic algorithms will inevitably be predictable and reproducible.The quality of pseudorandom numbers is related to the complexity of the algorithm.With the increasing computing power, the security guaranteed by the complexity of the algorithm is seriously threatened.In contrast, QRNGs with intrinsic unpredictability can be used to greatly enhance the security of cryptosystems.
One example of the QRNG service for practical implementations is the SAG data encryption scenario.SAG is a cloud access solution for connecting hardware and software to the nearest Alibaba Cloud resources through the Internet in encrypted mode.SAG can connect branches (or outlets) and local data centers to the cloud, which enables enterprises to access the cloud more intelligently, safely and reliably.Since more than one million enterprise users from multiple industries are connected by SAG, secure access to the cloud is extremely important.The highly-random QRNG service can be used to enhance the security of the SAG, as shown in Fig. 4. The cloud QRNG transmits the highly-random numbers through RESTful (Representational State Transfer) or gRPC (google Remote Procedure Call) API through TLS to the Cloud Console,  OpenSSL uses both Diffie-Hellman and PQC algorithms in the public key infrastructure (PKI) and the self-signed certificate authority (CA).The QRNG APIs is also integrated into an OpenSSL engine as a dynamic library in the TLS transmission, replacing all the random number modules inside the OpenSSL.A concrete example is AliVPN, which is a self-defined protocol for data encryption.Random numbers from the QRNG platform are used in AliVPN to enhance randomness of the keys.All the quantumsafe techniques are optional here in order to be compliant with security standards in some circumstances.
Similar implementations have also been demonstrated in Ant Financial, where the QRNGs are integrated into an OpenSSL engine as a dynamic library in data encryption of the Alipay cloud CA center.Quantum and pseudo-random numbers are switchable in the applications, which are compatible with current security standards.The generated random numbers are also distributed to end-users directly for certificate of authority and encryption in TLS protocols.
The QRNG service is worldwide, provided to ten different places at Shanghai, Japan, Hongkong, Singapore, Malaysia, Indonesia, Australia, United Kingdom, Germany, US East, US West, as shown in Fig. 4.

DISCUSSION
True random numbers are critical components in all cryptosystems.The major advantage of the QRNG platform over the other ones is it can avoid the loopholes of predictable random numbers.The motivation to reduce costs and increase robustness in quantum cryptography remains a great challenge, but the demonstrated feasibility of implementing quantum random numbers in cryptosystems represents an important step toward enhancing the security of classical communications using quantum technologies.The applications in SAG and Ant Financial show the practical implementation of quantum technology in data encryption.Our platform demonstrates quantum random number services with sufficient and adaptive generation speeds, reasonably low costs, controllable risks, high stability, and simple maintenance.
Our scheme shows the feasibility of providing high-quality random numbers in a distributed network environment.The random numbers generated by this scheme can be combined with encryption-related protocols (IPsec, SSL/TLS), identity authentication technologies, or key management systems.The cloud QRNG platform can also be accessed by different end-users in QKD systems, and the generated quantum random numbers can be used as seeds during the QKD communication.For future work, we will consider applications with postquantum algorithms and QKD, since the current distribution of random numbers using classical SSL/TLS is still an issue from the quantum-safe point of view.Integrated QRNG-chip embedded into the SAG devices is also under development to meet certain requirements.Finally, we will develop and integrate more different QRNGs to enhance the security and speed of the system.

Performance of different entropy sources
The cloud-based high-performance QRNG platform is compatible with different types of QRNGs, whose randomness depends on various techniques.Different entropy sources can be chosen to generate the final random keys, which helps prevent from instability or randomness issues caused by individual QRNG device, and increases the reliability of the whole system.Online randomness testings have been performed regularly to ensure the quality of the entropy sources by taking advantages of the computing power on the cloud server.The unpredictability of quantum random numbers comes from the basic principles of quantum mechanics, which guarantees the security of encryption.End-users do not need to understand the underlying hardware equipment and related interfaces, and can simply obtain stable, high-speed, high-quality quantum random numbers for data encryption.
As mentioned earlier, the four different types of QRNGs connected to the platform are based on single-photon detection, photon-counting detection, phase-fluctuations, and vacuum-fluctuations with different interfaces and speeds.To ensure the reliability of the platform, a labmade vacuum-fluctuation QRNG device is implemented together with three commercially available QRNG devices.The type of the singlephoton detection QRNG is Quantis-PCIe-16M from ID Quantique, the type of the phase-fluctuation QRNG is QRG-100E from QuantumCTeck, and the type of the photon-counting QRNG is QRN-16 from Micro-Photon Devices.Table 1 shows the random number generators of different types, speeds and interfaces.

4 .
Randomness test.The platform performs regular (upon request, hourly by default) real-time entropy estimation test (NIST SP 800-90B) to evaluate the non-IID entropy of the quantum random sources, as well as standard NIST randomness test (NIST-800-22) to verify the quality and status of the generated random numbers. 5. Identity authentication.The cloud server performs identity authentication with the end-users upon requests, using preshared key (PSK).6.Data download.End-users download random numbers in plaintext or ciphertext with classical encryption protocols (such as secure socket layer and transport layer security, SSL/TLS) according to the their needs.

Fig. 2
Fig. 2 Schematic Diagram of the QRNG Cloud Platform.Redundant backup server and QRNG devices are provided in different server rooms in case of system corruptions.

Fig. 3
Fig. 3 QRNG in quantum-safe VPNs.Data flow of the generated random numbers from Alibaba QRNG Cloud Platform in the Smart Access Gateway.
Standard NIST randomness tests have been performed on the generated quantum random numbers at a size of 1 Gbit (1000 of 1 Mbit) from different sources and the test results are shown in Table2.Note that hundreds of tests have been performed and Table2only shows one typical example of each devices.The test results (p values and proportions) vary for different sets of random numbers.It turns out that the randomness in most of the generated random number is sufficient to pass the NIST tests.The operation of XOR normally helps to improve values of P-VAL and Proportion, together with the decreasing of the total failure probability ϵ of the hashing function in Eq. (3).

Table 1 .
Quantum random number generation from different entropy sources.

Table 2 .
Random numbers from QRNG sources pass the NIST randomness tests.For tests with multiple outcomes, a Kolmogorov-Smirnov (KS) uniformity test has been performed for p values (P-VAL), and the corresponding proportions (Prop.)are averaged.