A privacy-preserving publicly verifiable quantum random number generator

Verifying the quality of a random number generator involves performing computationally intensive statistical tests on large data sets commonly in the range of gigabytes. Limitations on computing power can restrict an end-user’s ability to perform such verification. There are also random number-based applications where an honest user needs to publicly demonstrate that the random bits they are using pass the statistical tests without the bits being revealed. Here, we report the implementation of an entanglement-based protocol that allows a third party to publicly perform statistical tests without compromising the privacy of the random bits.


I. INTRODUCTION
Generating random numbers that are private, secure, and have the statistical properties expected of a uniform randomness distribution is a crucial step for many computational tasks. For example, scientific simulations [1], self-testing quantum systems [2], randomized algorithms [3,4], machine learning [5], cryptography [6,7], lotteries, gambling, public tenders, and computer games use random numbers during initialization of the systems or during operation. Pseudo-random number generators (PRNG) based on algorithms can have good statistical properties resembling a uniform source, but strong long-range correlations exist in the output that may undermine the applications [8] or introduce security loopholes. This is because the seed to the PRNG is the only entropy in the system, and entropy cannot be increased by deterministic computation. Quantum random number generators (QRNG) [9,10] have been proposed as an alternative where entropy is extracted from a quantum mechanical process.
All random number generators, however, face two common problems. First, the user may lack sufficient computational capacity to perform the statistical tests [11-13] needed to certify the quality of the randomness. Second, in public-facing applications, such as lotteries or public tenders, the owner of the QRNG device may have to prove the statistical quality of the bits to public stakeholders before the bits are used. These problems demand a solution where a user may publicly test their random bits without revealing them.
In a publicly testable random number generator [14], multiple correlated streams of random bits are generated. A public tester performs arbitrary statistical tests on one of the bit streams to certify its randomness properties. This certifies the other output streams that are not shared with the tester.
In this manuscript we report the implementation of a QRNG using only a polarization-entangled photon pair source and linear optics. The implementation satisfies the conditions of secrecy and public testability.

II. THE PROTOCOL CONSTRUCTION
A publicly verifiable QRNG should have the following properties.
• Property 1: The source of the entropy is of quantum origin.
• Property 2: The quality of the random output is publicly verifiable without compromising the secrecy of the final output bits.
In the following sections, we elaborate the steps of the protocol and demonstrate its implementation.

A. Publicly verifiable quantum random number generation protocol
Property 1 is satisfied when an entanglement-based QRNG demonstrates that the source is producing a stream of entangled states and the random output is generated from the outcome of projective measurements on these entangled qubits. Here, the entanglement can be verified using Bell inequalities [15]. In our implementation below we use the CHSH inequality to ensure that Property 1 is satisfied.
A QRNG that produces a single stream of bits cannot be publicly verified without completely losing its secrecy. One needs a solution with at least two streams of bits, denoted $X_A$ and $X_B$, that are correlated in a way that publicly verifying the randomness of stream $X_A$ ensures the quality of the stream $X_B$. However, the protocol must ensure that their mutual information $I(X_A, X_B) = 0$. When this is achieved, the bit stream $X_B$ can be securely used as publicly verified private randomness.
In our protocol, the QRNG produces three streams of random bits that are correlated. One of the bit streams is subjected to public randomness testing. As the streams are correlated, this public randomness test verifies the quality of randomness in the other two streams that are not revealed. This satisfies Property 2.

arXiv:2305.10909v1 [quant-ph] 18 May 2023
To achieve Properties 1 and 2, we prepare a tripartite entangled state, This state exhibits the interesting property that performing a projective measurement in the computational basis on any one of the qubits projects the combined state of the other two qubits to either of two Bell states. As an example, if we measure qubit A in the computational basis the BC system is projected onto either of the Bell states, Qubits prepared in a Bell state produce random outcomes when measured individually. Monogamy of entanglement [16] ensures that this measurement outcome is not correlated to any outside system. Therefore, the outcome of the system BC cannot be predicted even if one has access to the outcome of A.
Consider a single copy of the state (1). We perform a projective measurement in the computational basis on the three subsystems of the state. Let $x_A$, $x_B$ and $x_C$ denote the outcomes of projective measurement of the three subsystems A, B and C in the computational basis. They can be considered as bit-valued random variables taking their values with probabilities from Table I. By construction of the state $|\Phi_{ABC}\rangle$ the outcomes always satisfy, where ⊕ is the addition modulo 2 operator. Table I shows that the marginal probability distribution for $x_A$ is $p(x_A = 1) = p(x_A = 0) = 1/2$. Also, $x_B$ and $x_C$ have similar marginal distributions. Therefore, if we consider each of the three bits individually then they have maximal Shannon entropy,

The QRNG outputs three correlated streams of random bits $X_A$, $X_B$ and $X_C$. Using them the quantum bit error rate (QBER), δ, is estimated and the erroneous triplets of bits are removed to generate $X_A$, $X_B$ and $X_C$. After this, $X_A$ is sent to the public verifier and $X_C$ is stored securely or deleted. The verifier runs randomness tests on $X_A$. If the test fails the protocol is aborted, else the user outputs $X_B$ and δ.

From Table I we see that in the absence of knowledge of any one bit, the two other bits become completely uncorrelated with each other. That is, their marginal distribution factorises. Therefore, their mutual information is 0, For random number generation, n copies of the state $|\Phi_{ABC}\rangle$ are prepared as in equation (1) and each of the three parts of the state is measured in the computational basis. The outcomes are recorded in bit strings $X_A$, $X_B$ and $X_C$ of length n. From our discussion so far, we see that each of the bit-string-valued random variables $X_A$, $X_B$ and $X_C$ takes its value from strings in $\{0, 1\}^n$ uniformly at random.
From the preparation, the copies of the state (1) are independent. Therefore, the condition (6) ensures that the random variables $X_A$, $X_B$ and $X_C$ are pairwise mutually independent. That is,
The string $X_A$ is provided to a public verifier that validates the string via statistical tests. If $X_A$ passes the randomness test, condition (5) ensures the quality of randomness of $X_B$ and $X_C$. As the verifier only has access to $X_A$, the condition (7) ensures that no information is leaked about $X_B$ or $X_C$. However, following Eq. (4), knowledge of any two bit strings would allow recovery of the third string. Therefore, to satisfy Property 2, either $X_B$ or $X_C$ should remain inaccessible.
Imperfections in any practical implementation will lead to equation (4) not always being satisfied. Counting the number of events that do not meet the XOR condition (4) provides the quantum bit error rate (QBER). Removing the erroneous triplets of outcomes from $X_A$, $X_B$ and $X_C$ gives $X_A$, $X_B$ and $X_C$ each of length m that satisfy, where ⊕ denotes the bit-wise addition modulo-2 operation. At this point the user sends out $X_A$ to the public verifier for statistical randomness testing. If the verification fails then the user will discard the data and start over. If the verification succeeds then the user uses $X_B$ as private randomness and securely stores or deletes $X_C$. The presence of positive QBER indicates information leakage to the environment. The user may use the QBER information to perform further randomness extraction to amplify the privacy (similar to privacy amplification [17] in quantum key distribution).
The workflow of the protocol is depicted in Figure 1 and the detailed steps are listed in Protocol 1.
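
The classical post-processing described above (sifting on the XOR condition, the QBER, and a verifier that sees only one stream), as an added example that is not code from the paper. Assumptions: measure_triplets is a constructed, seeded-PRNG stand-in for the photon measurements, VALID_PARITY = 0 is an assumed form of the XOR condition (4), which is not reproduced on this page, and a single monobit test stands in for the verifier's full test suite.

```python
import math
import random
from collections import Counter

VALID_PARITY = 0  # assumed value of x_A ^ x_B ^ x_C for an error-free triplet

def measure_triplets(n, error_rate, rng):
    """Constructed stand-in for the measurements: x_A, x_B uniform, x_C fixed
    by the XOR condition, then flipped with probability error_rate."""
    xa, xb, xc = [], [], []
    for _ in range(n):
        a, b = rng.getrandbits(1), rng.getrandbits(1)
        c = a ^ b ^ VALID_PARITY ^ int(rng.random() < error_rate)
        xa.append(a); xb.append(b); xc.append(c)
    return xa, xb, xc

def sift(xa, xb, xc):
    """Find the error index set L, set QBER = |L|/n, drop the triplets in L."""
    n = len(xa)
    keep = [i for i in range(n) if xa[i] ^ xb[i] ^ xc[i] == VALID_PARITY]
    qber = (n - len(keep)) / n
    pick = lambda s: [s[i] for i in keep]
    return pick(xa), pick(xb), pick(xc), qber

def mutual_information(x, y):
    """Empirical mutual information, in bits, between two equal-length strings."""
    n = len(x)
    px, py, pxy = Counter(x), Counter(y), Counter(zip(x, y))
    return sum(c / n * math.log2(c * n / (px[a] * py[b]))
               for (a, b), c in pxy.items())

def monobit_pvalue(bits):
    """Frequency (monobit) test; a minimal stand-in for the verifier's suite."""
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))

def run_protocol(n=200_000, error_rate=0.02, seed=1, alpha=0.01):
    rng = random.Random(seed)  # seeded PRNG only so the demo is reproducible
    xa, xb, xc, qber = sift(*measure_triplets(n, error_rate, rng))
    if monobit_pvalue(xa) < alpha:  # the verifier is given X_A and nothing else
        return None                 # 'Fail': abort, output nothing
    return {
        "qber": qber,
        "m": len(xb),
        "leak_A_to_B": mutual_information(xa, xb),  # ~0: X_A tells nothing of X_B
        # X_A with X_C reconstructs X_B exactly, hence X_C is stored or deleted
        "B_from_A_and_C": [a ^ c ^ VALID_PARITY for a, c in zip(xa, xc)] == xb,
    }
```

Calling run_protocol() returns the QBER, the sifted length m and the two checks, or None when the verifier's test fails.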

B. The experimental setup
The source of entangled photon pairs follows the design demonstrated in [18] to produce photon pairs in the $\frac{1}{\sqrt{2}}(|HH\rangle - |VV\rangle)$ Bell state. Entangled photon pairs are emitted from a single mode fiber (SMF) to the detector setup (see Figure 2) and the signal photons (λ ≈ 780 nm) are separated from the idler photons (λ ≈ 842 nm) by a dichroic mirror (DM). Stacks of quarter-half-quarter waveplates correct for the change in polarization state caused by the SMF birefringence.
The idler photons exit out of the two ports of the non-polarizing beam splitter (BS) with equal probability. This choice of paths defines the bit $x_A$. The idler photons are then projected into the H/V basis by either of the polarizing beam splitters (PBS). The value of $x_B$ depends on the detection outcome at PBS1 or PBS2, and $x_C$ on the outcome at PBS3.
Due to the entanglement between the signal and idler photons, coincidence events are only expected to occur between the following detector pairs with equal probability: D1 and D5, D2 and D6, D3 and D5, D4 and D6. Together with $x_A$ determined from the choice of paths at the BS, the state in Eq. (1) can be realised. This is achieved by flipping the outcome labels in PBS2 compared to PBS1, which is equivalent to performing a local rotation of π/2 on path 1. If path 0 is taken at BS, then the detectors measure the state $|\Phi^-\rangle_{BC}$ and if path 1 is taken, they measure $|\Psi^-\rangle_{BC}$.

Proof of Entanglement
Generating a high-fidelity Bell state is crucial to prepare the state (1), which preserves the secrecy of $X_B$ and $X_C$. Any QBER observed in the measurement outcome indicates the leakage of information to the environment and has to be taken care of in the privacy amplification step.
In the experimental setup (Figure 2), half-wave plates were placed before BS and PBS3 to measure the visibility curves (Figure 3) from which the CHSH [15] values can be computed. The CHSH value for the state measured by systems (D1,D2) and (D5,D6) was 2.70 ± 0.04, while the value for the state measured by systems (D3,D4) and (D5,D6) was 2.72 ± 0.04.

Randomness Testing Results
We run the statistical randomness test suite 'dieharder' [19] on random numbers generated using our implementation of Protocol 1. This is to verify that the system is indeed generating good quality randomness. Although a thorough verification of randomness would require a larger data set and significantly more computational resources, our limited test shows that the data is very close to an ideal randomness source. The system is compatible with running extensive tests by any third-party certification process. Figure 4 shows a result for the KS test [20] that was run on 1 MB of generated random bits. We run the same test on 1 MB of data from quantum random number generators by S-Fifteen Instruments and show it in the figure for comparison.

III. DISCUSSION AND FUTURE DIRECTION
We have presented a QRNG source where the source stream can be subjected to public statistical randomness testing without compromising the secrecy of the final output bits. Any change in detector efficiencies can be locally checked before sending out for public randomness testing. This allows the user to remove statistical bias in the bit strings to avoid information leakage. Along with robust miniaturized polarization-entangled photon-pair sources, this setup can be built into a publicly verifiable QRNG source as a commercial off-the-shelf (COTS) product. Additionally, our entanglement-based design can be extended to operate as a source device-independent [9] publicly verifiable auditable QRNG.

Protocol 1: Publicly verifiable QRNG
input: n copies of the state $|\Phi_{ABC}\rangle$ prepared as in equation (1).
output: Publicly verified private random bits and QBER, or Fail.
1 User: Generation
2 Measure each part of the state $|\Phi_{ABC}\rangle$ in the computational basis and store the outcome of system A in $x_A$, B in $x_B$ and C in $x_C$.
3 Perform step 2 n times to construct bit strings $X_A$, $X_B$ and $X_C$; assign $L = \{i \ \text{s.t.}\ X_A[i] \oplus X_B[i] \oplus X_C[i] = 0\}$ to be the set of indices where the XOR condition (4) fails.
4 Assign QBER = $|L|/n$.
5 Create $X_A$, $X_B$ and $X_C$ from $X_A$, $X_B$ and $X_C$ respectively by removing elements with indices $i \in L$.
6 Send $X_A$ to public verifier.
7 Public Verifier
8 Run randomness tests on $X_A$. If the test fails output 'Fail', else output 'Pass'.
9 User: Randomness output
10 Receive output from public verifier.
11 If the verifier output is 'Fail' then output 'Fail' and abort protocol, else output $X_B$ and QBER, and securely store or delete $X_C$.


FIG. 2. The detection setup. The boldfaced numbers represent the bit values encoded by the path of photons and define the bit streams $X_A$, $X_B$ and $X_C$. Entangled photons are launched from a single mode fiber (SMF) and separated according to wavelength by a dichroic mirror (DM). The polarization state of the photons in both paths is corrected by a stack of waveplates (compensation plates). The output of the beam splitter (BS) generates $X_A$. Polarizing beam splitters PBS1 and PBS2 generate $X_B$. $X_C$ is generated by PBS3.

FIG. 4. Sorted p-values of the statistical tests run by the dieharder randomness test suite. The black dashed line shows the expected ideal line. The blue curve shows one run of the test result on our data. The orange line shows the test result run on the same amount of data generated by the QRNG1 [21] by S-Fifteen Instruments. The curves imply that our source shows close to ideal expected performance.
TABLE I. Probability $p(x_A, x_B, x_C)$ of measurement outcomes $x_A$, $x_B$ and $x_C$ when each of the qubits A, B and C is subjected to projective measurement in the computational basis. If any one of the output columns is removed, the remaining two columns show a uniform distribution of two bits, indicating they are mutually independent. Outcomes that are not presented in the table have probability 0.