Experimental device-independent certified randomness generation with an instrumental causal structure

The intrinsic random nature of quantum physics offers novel tools for the generation of random numbers, a central challenge for a plethora of fields. Bell non-local correlations obtained by measurements on entangled states allow for the generation of bit strings whose randomness is guaranteed in a device-independent manner, i.e. without assumptions on the measurement and state-generation devices. Here, we generate this strong form of certified randomness on a new platform: the so-called instrumental scenario, which is central to the field of causal inference. First, we theoretically show that certified random bits, private against general quantum adversaries, can be extracted exploiting device-independent quantum instrumental-inequality violations. Then, we experimentally implement the corresponding randomness-generation protocol using entangled photons and active feed-forward of information. Moreover, we show that, for low levels of noise, our protocol offers an advantage over the simplest Bell-nonlocality protocol based on the Clauser-Horn-Shimony-Holt inequality. Random number generation has applications spanning several sectors, from scientific research to cryptography, with the intrinsic random nature of quantum physics allows to obtain truly random sequences. The authors present a proof-of principle implementation of a device-independent random number generator protocol, whose effectiveness is certified by quantum instrumental correlations, which also ensures privacy with respect to any quantum adversarial attack.


INTRODUCTION
The generation of random numbers has applications in a wide range of fields, from scientific research -e.g. to simulate physical systems -to military scopes -e.g. for effective cryptographic protocols -and every-day concerns -like ensuring privacy and gambling.From a classical point of view, the concept of randomness is tightly bound to the incomplete knowledge of a system; indeed, classical randomness has a subjective and epistemological nature and is erased when the system is completely known [1].Hence, classical algorithms can only generate pseudo-random numbers [2], whose unpredictability relies on the complexity of the device generating them.Besides, the certification of randomness is an elusive task, since the available tests can only verify the absence of specific patterns, which may go undetected but still be known to an adversary [3].
On the other hand, randomness is intrinsic to quantum systems, which do not posses definite properties until these are measured.In real experiments, however, this intrinsic quantum randomness comes embedded with noise and lack of complete control over the device, compromising the security of quantum random-number generation.A solution to that is to devise quantum protocols whose correctness can be certified in a device-independent (DI) manner, i.e. solely from the observed statistics and with no assumption whatsoever on the internal working of the experimental devices [4].For instance, only from the extent of the observed CHSH inequality violation [5], one can put a lower lower bound on the certified randomness characterizing the measurement outputs of the two parties performing the Bell test.After the seminal work [4], several protocols of randomness amplification, i.e. to generate near-perfect randomness, from a source of weak randomness, and quantum key distribution, i.e. sharing a common secret string through communication over public channels, have been developed exploiting Bell inequalities [6][7][8][9][10][11][12][13][14][15][16][17][18].In particular, loophole-free Bell tests based randomness generation protocol have been implemented [4,16,19] and more advanced techniques have been developed to provide security against general adversarial attacks in [17].
From a causal perspective, the non-classical behaviour revealed by a Bell test lies in the incompatibility of quantum predictions with our intuitive notion of cause and effect [20][21][22].Given that the causal structure underlying a Bell-like scenario involves five variables (the measurement choices and outcomes for each of the two observers and a fifth variable representing their shared correlations), it is natural to wonder whether a simpler causal structure could give rise to an analogous discrepancy between quantum and classical causal predictions [23].Indeed, as reported for the first time in [24], the simplest scenario, in terms of involved nodes' number, achieving this result is the instrumental causal structure [25,26] (shown in Fig. 1-a), where the two parties (A and B) are linked by a classical channel of communication.This scenario has fundamental importance in causal inference, since it allows the estimation of causal influences even in the presence of unknown latent factors [25].
In this letter, we provide a proof-of-principle that the instrumental scenario can be exploited to devise a DI randomness generation and certification protocol.Indeed, we show (DAG), where each node represents a variable and the arrows link variables between which there is causal influence.In this case, X, A and B are observable, while Λ is a latent variable.b) The main plot shows the lower bounds fx(I) to H∞(A, B|E, x) as a function of I, for inputs x = 1 (grey) and x = 2, 3 (dashed red).Interestingly, unlike what happens in CHSH scenario [4,18], there is a difference in the bounds corresponding to different inputs, indeed the certified randomness for x = 1 is slightly smaller than that for x = 2, 3. c) The randomness generation and certification protocol is made up of three stages: (i) initial seed generation (defining Alice's choice between the operators), (ii) instrumental process implementation, (iii) classical randomness extractor.The initial seed is obtained from the random bits provided by the NIST Randomness Beacon [37].In the second stage, Alice's and Bob's outputs are collected and characterized by the min-entropy corresponding to the value of the instrumental violation I * , according to the relation shown in Fig. 1-b.The value of the min-entropy indicates the number of certified random bits that can be extracted.At the end, those strings are injected in a classical randomness extractor (Trevisan's extractor [27]) and the certified random bits are extracted.The extractor's seed is as well provided by the NIST Randomness Beacon.
for the first time that the sequence of the measurement outputs obtained by the parties within an instrumental process is characterized by a minimum amount of randomness, quantified by the min-entropy of the bit-string, which depends and is certified by the observed instrumental violation.Therefore, we demonstrate that the techniques previously developed for the Bell scenario can be adapted to the instrumental process venue, offering a valid alternative platform which involves a causal structure requiring less number of inputs than the Bell scenario.To implement the protocol in all of its parts, we have setup a classical extractor following the theoretical design by Trevisan [27].This work opens the way to other applications of the instrumental scenario in the field of device independent protocols, which until now have relied primarily on Bell-like tests.

RANDOMNESS CERTIFICATION VIA INSTRUMENTAL INEQUALITY VIOLATIONS
Let us first briefly review the previous results obtained within the Bell inequalities context [28].In a CHSH (Clauser Horne Shimony Holt) scenario [5], two parties, A and B, share a bipartite system and, without communicating to each other, perform local measurements on their subsystem.If A and B choose between two given operators each, i.e. (A 1 , A 2 ) and (B 1 , B 2 ) respectively, and then combine their data, the mean value of the operator should be upper-bounded by 2, for any deterministic model respecting a natural notion of locality.However, as proved in [5], if A and B share an entangled state, they can get a value exceeding such bound, whose explanation requires the presence of non-classical correlations between the two parties.Hence, Bell inequalities have been adopted in [4] to guarantee the intrinsic random nature of the measurements' outcomes, within a DI randomness generation and certification protocol.
In the instrumental scenario, which can be depicted with the causal structure in Fig. 1-a ) depends on Alice's outcome.In other words, as opposed to the spatial correlations in a Bell-like scenario, the instrumental process constitutes a temporal scenario, with one-way communication of Alice outcomes to select Bob's measurement.In analogy with Bell-like scenarios, the causal structure underlying an instrumental process imposes some constraints on the classical joint probabilities P (a, b|x) that are compatible with it [25,26] (the so-called instrumental inequalities) and, as shown in [24], those inequalities can be violated when Alice and Bob perform their measurements on entangled states.In the particular case where the instrument X can assume three different values (1,2,3), while a and b are dichotomic, the following inequality holds [26]: where AB x = a,b=0,1 (−1) a+b P (a, b|x).Remarkably, this inequality can be violated with the correlations produced by quantum instrumental causal models [24].The maximal value attained by such quantum models is Recently the relationship with the Bell scenario has been studied in [29].
In this context, we show that if a given statistics P (a, b|x) violates inequality (1), then private random bits can be extracted from their measurement outcomes.More precisely, we consider the general scenario where, in addition to Alice and Bob, there exists a third observer -an adversary eavesdropper Eve -who tries to guess Alice and Bob's outcomes.That is, Eve has some (classical) side information e, which may be correlated with (a, b).For instance, the quantum state from which Alice and Bob obtain a and b could actually be part of a tripartite state shared with Eve and e could then be the outcome of a measurement on her share of the state.For a given input x, the correlations between (a, b) and e are given by an extended joint distribution P (a, b, e|x) that marginalizes to the observed statistics, i.e.
e P (a, b, e|x) = P (a, b|x).For each x, the randomness of (a, b) with respect to e can be quantified by the conditional min-entropy H ∞ (A, B|E, x) = − log 2 [ e P (e) max a,b P (a, b|e, x)] [30].Interestingly, the quantity inside the logarithm gives the optimal guessing probability by Eve, i.e., the probability that e = (a, b), for each x, over all possible guessing strategies and average over her side information e: P guess (x) = e P (e) max a,b P (a, b|e, x).This is due to the fact that Eve's optimal guessing strategy is known to consist of simply betting for the most likely outcome given her side information e and x [31,32].Thus, Now, the fact that P (a, b|x) violates Eq. ( 1) imposes non-trivial constraints on its possible extensions P (a, b, e|x).In particular, it restricts the values H ∞ (A, B|E, x) can take.
Indeed, it is possible to obtain a lower-bound on H ∞ (A, B|E, x), for each x, as a function f x of I: For each x and I, the lower bound f x (I) can be computed by applying to the instrumental case the numerical techniques developed in [34] originally for the Bell scenario (see Methods), via semidefinite programming (SDP).The functions f x are convex and grow monotonically with I; so that the higher the violation of Eq. ( 1) is, the higher the min-entropy.Hence, the violation can certify both the randomness of the outcomes as well as their privacy with respect to any adversary.In Fig. 1-b, we plot f x (I) as a function of I for all three values of x.Interestingly, the certified randomness for x = 1 is slightly smaller than that for x = 2, 3.
The entropy bounds obtained above require one to know I.However, in actual implementations, the exact distribution is unknown and one can only get a finite-sample estimate I * of I. To account for this, we adapt the finite-sample statistical analysis developed in Ref. [4] for the Bell case to our instrumental scenario.More precisely, we consider n experimental runs, with inputs given by a string s The estimate I * is defined as I in Eq. ( 1) but with the actual expectation values substituted by finite-sample averages over the n runs.The private randomness of the 2n-bit output string r, given the input string s, is quantified by the min-entropy H∞ (R|E, s), defined analogously to H ∞ (A, B|E, x) but with r and s instead (a, b) and x, respectively.A lower-bound of the following form on H ∞ (R|E, s) as a function of I * can be obtained adapting the strategy in [4] to the instrumental case, which is done simply setting, on each run, y = a: with probability at least 1 − δ, where γ = −2 log δ/n| 1 q + I q | is the statistical error of the estimation, which depends on the finite size of the sample (n), on the probability q of the least probable input (x), on δ and on the maximum achievable quantum violation I q , which in our case amounts to 1 + 2 √ 2. Note that, for any fixed q and desired failure probability δ, γ can be made arbitrarily small by increasing the sample size n.The failure probability δ comes to play, in order not to make the iid assumption on the adopted device (for further details see Appendix A.2 of [4], whose calculations, originally made for Bell-like scenarios, hold also in the case of the Instrumental scenario).This bound gives the minimum number of certified random bits that can be extracted from the obtained 2n-bit raw output by a classical randomness-extraction algorithm, in order to obtain a certified random bits string.We feed our raw string to use our implementation of the extractor theoretically devised by Trevisan [27] (our code can be found at [36]).The extraction protocol outputs at most nf (I * − γ) certified random bits, according to a parameter set by the user as a preliminary, in our case 10 −7 (for further details about the randomness extractor, see the Methods and Supplementary Information).Summarizing, the proposed certified random number generation protocol consists of implementing a quantum instrumental process, where the input x is given at each experimental run by the NIST randomness Beacon, then collecting the 2n output bits, evaluating the corresponding experimental value of I * and setting the desired value of the security parameter δ, in our case to 0.01.At this point, the minimum number of certified random bits that can be extracted is n * f (I * − γ), where γ depends on δ, n and q, that, considering equiprobable inputs, is 1/3.Finally, these bits are extracted with Trevisan's extraction protocol and constitute the final output of our protocol.

EXPERIMENTAL IMPLEMENTATION OF THE PROTOCOL
The device-independent random numbers generator, in our proposal, is made up of three main parts, which are seen as black boxes to the user: the state generation and Alice's and Bob's measurement stations.The causal correlations among these three stages are those of an instrumental scenario (see Fig. 1-a-c) and are implemented through the photonic platform depicted in Fig. 2.
Within this experimental apparatus, the qubits are encoded in the photon's polarization: horizontal (|H ) and vertical (|V ) polarizations represent, respectively, qubits |0 and |1 , eigenstates of the Pauli matrix σ z .A spontaneous parametric down-conversion (SPDC) process generates the two-photon maximally entangled state . One photon is sent to path 1, towards Alice's station, where an observable among O 1 A , O 2 A and O 3 A is measured, applying the proper voltage to a liquid crystal (LCD).The voltage must be chosen according to a random seed, made of a string of trits.This seed is obtained from the NIST Randomness Beacon [37], which provides 512 random bits per minute.After Alice has performed her measurement, whenever she gets output 1 (i.e.D 0 A registers an event), the detector's signal is split to reach the coincidence counter and, at the same time, trigger the Pockels cell on path 2. Bob's station is made of a Half-Wave Plate (HWP) followed by this fast electro-optical device.When no voltage is applied to the Pockels cell, Bob's operator is O 1 B and, when it is turned on, there is a swift changes to O 2 B (the cell's time response is of the order of nanoseconds).In order to have the time to register Alice's output and select Bob's operator accordingly, the photon on path 2 is delayed, through a 125 meters long single-mode fiber.
The four detectors are synchronized in order to distinguish the coincidence counts generated by the entangled photons' pairs from the accidental counts.The measurement operators achieving maximal violation of I = 1 + 2 √ 2, when applied to the state |ψ − , are the following: After having implemented the instrumental scenario, collected the raw bits characterized by a violation of the instrumental inequality and by its corresponding min-entropy, we executed the classical randomness extractor devised by Trevisan [27] and adopted also in [33].Trevisan's extractor consists in a structure made of two algorithms: the weak design and the one-bit extractor; taking as inputs a weak randomness source, in our case the 2n raw bits long string, and a seed, which is poly-logarithmic in the input size.The weak design splits the extractor seed into smaller sets, characterized by an overlap r, which, for our implementation [35], cannot exceed 2e.The smaller r is, the longer will the final extracted bit string and the required seed be.Then, the onebit extractor combines the weak randomness source with each seed set and extracts a random bit, composing the final string of random bits (for a detailed description of the classical randomness extractor see Methods and Supplementary Information).The complete procedure is summarized in Fig. 3.The implementation of our proposed protocol is made up of three steps.First of all, an instrumental process is implemented on a photonic platform and Alice's and Bob's outcomes are taken as the bits forming the raw data string (in the image, the string of raw bits is represented through a square made of n pixels, where black and white encode the two possible values).Secondly, through these collected bits, we evaluate the corresponding instrumental violation and subtract the statistical error γ, that, in our case, amounts to 0.1619.Then, we evaluate the min-entropy corresponding to the obtained value of instrumental violation minus γ, which characterizes our string of raw data.This is done through the curve given by the NPA method (see Methods), corresponding to x=1, which is the worst-case scenario (lowest min-entropy bound), and multiplying it for the number of performed experimental runs.In the third stage, we employ the Trevisan extractor, to extract the final certified random bit string.The extractor takes, as input, the raw data (weak randomness source), a random seed (given by the NIST Randomness Beacon) and the min-entropy of the input string.In the end, according to the min-entropy the error ( ) threshold set by the user (in our case 10 −7 ), the algorithm extracts m truly random bits, with m < n.

Our results are summarized in Table I and in
random bits.The ratio between the extracted bits and the maximum amount of bits that could be in principle extracted after n runs, given by n × H ∞ is shown in Fig. 4b.The length of the seed, as mentioned, is poly-logarithmic in the input size and it also depends on and on the particular algorithm chosen as weak design (see Supplementary Information, Figure 3).In our case, we chose the block weak design algorithm [35], which, with respect to other algorithms, requires a longer seed, but allows to extract more random bits.For more details about the internal functioning of the classical randomness extractor and its specific parameter settings, see the Methods and Supplementary Information.

DISCUSSION
In conclusion, in this work, we bring a proof-of-principle demonstration that the instrumental process can generate and certificate random bits in device independent fashion, consti-tuting an alternative venue with respect to Bell-like scenarios.Indeed, the obtained relation between the instrumental violation and min-entropy characterizing the output string requires no assumptions on the quantum state being measured nor on the internal functioning of Alice's and Bob's measurement devices.It only requires that the implemented causal structure is an instrumental process, i.e. in particular, that the instrument is affecting Bob's choice only through Alice's outcome (X has no direct causal influence over B).We do not require the iid assumption either.
Through our protocol, summarized in Fig. 1-c and 3 and implemented on a photonic platform, we were able to extract an overall number of 28273 certified random bits (summing up the values reported in the fifth column of Table I).The highest conversion rate we were able to reach, from public (input) to private (output) randomness (N extr /(N trits × log 2 (3))) of ∼ 0.25, since 180290 trits were injected to the apparatus.Considering that each experimental round lasted 1s, the maximum extraction rate, given by N extr /(N run × FIG. 4. Random bits extraction rate: In these plots we show the ratio of the extracted bits adopting the Trevisan classical randomness extractor.Panel (a) corresponds to the extractor over raw bits collected from the experimental apparatus; whereas panel (b) over the maximum amount of bits that could be extracted according to their certified min-entropy.The exact number of extracted bits for each obtained value of the instrumental violation is included in Tab.I .
∆t run ), was of 0.328 Hz, we considered an upper bound for ∆t run of 1s.Note that the bottleneck of our implementation, which prevents us to reach higher rates, is the time response of the liquid crystal, that implements Alice's operator and makes ∆ t ∼ 700ms.Hence, these rates could be higher if Alice's measurement station was implemented with an electro-optical fast device, with shorter response times.We also notice that, as seen in Fig. 1-b, the randomness generated is different for each input x.This suggests that, in principle, more randomness could be obtained if the best input was chosen more often [38].Let us note that our experimental implementation requires the fair sampling assumption, due to our overall low detection efficiency.Moreover, in the present paper, we adapt the techniques developed by Pironio et al. [4], which is secure against a classical malicious adversary.The same security assumption is made also in [16,32].Only very recently the ultimate solution for unconditional security, included finite statistics and non-iid, was given for the Bell scenario [17].

AKNOWLEDGEMENTS
We acknowledge support from John Templeton Foundation via the grant Q-CAUSAL n • 61084 (the opinions expressed in

Experimental details
Photon pairs were generated in a parametric down conversion source, composed by a nonlinear crystal beta barium borate (BBO) of 2 mm-thick injected by a pulsed pump field with λ = 392.5 nm.After spectral filtering and walk-off compensation, photons of λ = 785 nm are sent to the two measurement stations A and B. The crystal used to implement active feed-forward is a LiNbO 3 high-voltage micro Pockels Cell - Starting from the left, the first and second columns contain all the obtained instrumental violations each of them through 16390 experimental runs, with their standard deviations, estimated through Poissonian error on the coincidence counts propagated.The third column shows the min-entropy in the worst-case (i.e.x=1), through the NPA method (see Methods), corresponding to each violation (I * ) minus the statistical parameter γ of Eq.2, which, for a failure probability δ = 0.01, amounts to 0.1619.The fourth column shows the number of raw bits, while in the fifth and sixth, there is the number of bits extracted, through the Block-weak design algorithm (see the Methods and Supplementary Information) within the classical randomness extractor, setting an error of = 10 −7 , which required the seed lengths shown in the fifth column.
In the sixth column, we are showing the extraction rate, i.e. the number of extracted bits per second, considering that each measurement run lasted at most 1s.
made by Shangai Institute of Ceramics with < 1 ns risetime and a fast electronic circuit transforming each Si-avalanche photodetection signal into a calibrated fast pulse in the kV range needed to activate the Pockels Cell-is fully described in [52].To achieve the active feed-forward of information, the photon sent to Bob's station needs to be delayed, thus allowing the measurement on the first qubit to be performed.The amount of delay was evaluated considering the velocity of the signal transmission through a single mode fiber and the activation time of the Pockels cell.We have used a fiber 125 m long, coupled at the end into a single mode fiber that allows a delay of 600 ns of the second photon with respect to the first.

NPA method applied to the instrumental scenario
In order to estimate the randomness in the instrumental scenario we adapted the numerical method proposed in [4], which is valid for the Bell scenario.The idea is to consider that additionally to Alice and Bob, there exists a third observer, Eve, that is trying to guess Alice and Bob's outcomes.The three observers share a tripartite state |Ψ ABE , onto which they perform local measurements.The statistics obtained are then evaluated on an instrumental inequality, which allows us to calculate Eve's maximum guessing probability.Eve is assumed to know |Ψ ABE and the measurements implemented by Alice and Bob.In this case, the maximum probability that Eve guesses correctly (a, b) given that x = j (j = 1, 2, 3), and the value I = β for the left-hand side of (1) was obtained is where the maximization is taken over all possible tripartite states Ψ ABE and local measurements {Π a|x }, {Π b|y }, {Π e } to Alice, Bob, and Eve, respectively.This optimization problem is computationally intractable, as it considers quantum systems of arbitrary dimension.A way out is to upper-bound its value by using the Navascué-Pironio-Acín (NPA) hierarchy [34].In the standard Bell scenario, the NPA hierarchy is used to generate a sequence of sets Q 1 ⊃ Q 2 ⊃ . . .that converges to the set of quantum behaviours.Here, we adapt it to the instrumental scenario, by addressing Bell behaviours {P (a, b|x, y)} a,b,x,y lying on some level Q k of the hierarchy and imposing extra restrictions solely on the events for which Bob's input matches Alice's output, i.e. on the sub-behaviour {P (a, b|x, y = a)} a,b,x .NPA then ensures that our optimization runs over a supraset of the set of quantum behaviours actually originated in an instrumental experiment, while leaving the events P (a, b|x, y) where y = a as free variables that are not considered in the experiment.
More explicitly, we wish to characterize Alice and Bob's instrumental behaviours that can be obtained as marginals of a tripartite behaviour involving Eve.Hence, our upper-bound approximation to the probability P guess (x = j) that Eve guesses correctly (a, b), given that x = j (j = 1, 2, 3) and that the probabilities {P (a, b, e|x)} a,b,e,x display a violation I({ e P (a, b, e|x)} a,b,x ) = β, is given by In our implementation, we used k = 2.
The optimal value P guess (x = j) of the above SDP is used to define f x=j (I) = −log 2 (P guess (x = j)) in the lower bound H ∞ (A, B|E, x = j) ≥ f x=j (I) mentioned in the main text.

Classical Randomness Extractor
Given a string of n bits, characterized by min-entropy k, with k = αn, where α is the min-entropy per bit, a quantum-proof (k, ) − extractor is a deterministic function which, taking the string as input (the so-called (weak) random source), along with a uniformly distributed seed made of d bits, outputs a m-bit long string -close to uniform.The strength of a randomness extractor depends on two quantities: (i) the so-called entropy loss, given by k − m, and (ii) the bit-length d of the seed.Both these parameters should be optimized, since the goal is to minimize the losses while consuming the smallest possible amount of randomness.
Recently, a promising randomness extractor, Trevisan's extractor [27], has attracted considerable theoretical interest since it has been proven to be secure against quantum adversaries [53].The seed length of Trevisan's extractor is polylogarithmic in the size of the input, greatly outperforming randomness extractors based on (almost) universal hashing, which are the most often used in quantum cryptography but require a seed whose size scales linearly with the length of the input.Trevisan's extractor has been also proven to be a strong extractor [54], i.e., the seed is almost independent of the final output, so the randomness of the seed is not consumed by the process and can be reused as part of the result.
Implementations of this extractor were made by Ma et al.
[55], Mauerer et al. [35], and more recently by Shen et al. [18].The extraction protocol is composed by two parts: (i) the weak design, that divides the initial seed into smaller blocks of random bits of length t and (ii) the one bit extractor, which extracts a single random bit from the random source for each block.In the weak design, the blocks {S 1 , ..., S j } into which the seed is divided should be nearly independent to ensure that the maximum amount of entropy is extracted.Hence, a family of sets S where the parameter r is the so-called overlap of the weak design.Each of the S j is fed into a one bit extractor and they are all finally concatenated into a string to form the extracted randomness.In our work, we adopted two types of weak design.The first, which we will refer to as the standard weak design, is a refined version of Nisan and Wigderson [56], whose effectiveness was proved by Hartman and Raz [57], under the parameters choice given by r = 2e and d = t 2 with t = 2 log n + 2 log 2/ .The second, called block weak design, is a design from Ma and Ta [58] modified by Mauer et al. [35] with r = 1 and d = (l + 1)t 2 , where l := max{1, log(m−r )−log(t−r ) log(r )−log(r −1) } and r = 2e.In comparison, the second design requires a seed's length exceeding the input weak random source's string's length, but it allows to extract more bits from the source, due to a smaller r.The one-bit extractor is realized by an error correcting code, which is constructed by concatenating a Reed-Solomon code with an Hadamard code.Hence, as a preliminary step, we fix the following three parameters: (i) n (input length), (ii) α (minentropy per bit, certified by the experimental instrumental violation, see Fig. 1-c and Fig. 3) and (iii) (error per bit).After that, we derive the seed length, the total min-entropy k = αn, and m = (k − 4 log 1 − 6)/r.As we can see, fixing the lenght m of the output string and the error per bit , the min-entropy required increases with the overlap of the sets {S i }.FIG.1: Length of the single set S of the weak design depending on the error per bit.It can be noted that in semi-log scale, the sub-seed length t is a step function and decreases linearly as the error per bit increases.Furthermore, the greater the input n, the greater the length of the single sub-seed created by the weak design.FIG.2: Length of the single set S of the weak design vs the input length of the source.In this figure is represented how the sub-seed length t varies as a function of the input length n, plotted for different error per bit parameters.We can see that in semi-log scale the sub-seed length is a step function and increases linearly with the input.Furthermore, the greater the error per bit, the smaller the length of the single sub-seed created by the weak design.

FIG. 1 .
FIG. 1. Randomness generation and certification protocol.a) Instrumental causal structure represented as a directed acyclic graph [22](DAG), where each node represents a variable and the arrows link variables between which there is causal influence.In this case, X, A and B are observable, while Λ is a latent variable.b) The main plot shows the lower bounds fx(I) to H∞(A, B|E, x) as a function of I, for inputs x = 1 (grey) and x = 2, 3 (dashed red).Interestingly, unlike what happens in CHSH scenario[4,18], there is a difference in the bounds corresponding to different inputs, indeed the certified randomness for x = 1 is slightly smaller than that for x = 2, 3. c) The randomness generation and certification protocol is made up of three stages: (i) initial seed generation (defining Alice's choice between the operators), (ii) instrumental process implementation, (iii) classical randomness extractor.The initial seed is obtained from the random bits provided by the NIST Randomness Beacon[37].In the second stage, Alice's and Bob's outputs are collected and characterized by the min-entropy corresponding to the value of the instrumental violation I * , according to the relation shown in Fig.1-b.The value of the min-entropy indicates the number of certified random bits that can be extracted.At the end, those strings are injected in a classical randomness extractor (Trevisan's extractor[27]) and the certified random bits are extracted.The extractor's seed is as well provided by the NIST Randomness Beacon.

FIG. 2 .
FIG. 2. Experimental apparatus:A polarization-entangled photon pair is generated via spontaneous parametric down-conversion (SPDC) process in a nonlinear crystal.Photon 1 is sent to the Alice's station, where one of three observables (O 1 A , O 2 A and O 3 A ) is measured through a liquid crystal followed by a polarizing beam splitter (PBS).Detector D 0 A acts as trigger for the application of a 1280 V voltage on the Pockels cell, whenever the measurement output 0 is registered.The photon 2 is delayed 600 ns before arriving to Bob's station by employing a single-mode fiber 125 m long.After leaving the fiber the photon passes through the Pockels cell, followed by a fixed HWP at 56.25 • and a PBS.If the Pockels cell has been triggered (in case of A measurement outcome is 0), its action combined to the fixed HWP in Bob's station allows us to project onto O 1 B .Otherwise (if A measurement outcome is 1), the Pockels cell acts as the identity and we project onto O 2 B .

Fig. 4 .IIFIG. 3 .
FIG.3.Implementation of the Device-Independent randomness certification protocol: The implementation of our proposed protocol is made up of three steps.First of all, an instrumental process is implemented on a photonic platform and Alice's and Bob's outcomes are taken as the bits forming the raw data string (in the image, the string of raw bits is represented through a square made of n pixels, where black and white encode the two possible values).Secondly, through these collected bits, we evaluate the corresponding instrumental violation and subtract the statistical error γ, that, in our case, amounts to 0.1619.Then, we evaluate the min-entropy corresponding to the obtained value of instrumental violation minus γ, which characterizes our string of raw data.This is done through the curve given by the NPA method (see Methods), corresponding to x=1, which is the worst-case scenario (lowest min-entropy bound), and multiplying it for the number of performed experimental runs.In the third stage, we employ the Trevisan extractor, to extract the final certified random bit string.The extractor takes, as input, the raw data (weak randomness source), a random seed (given by the NIST Randomness Beacon) and the min-entropy of the input string.In the end, according to the min-entropy the error ( ) threshold set by the user (in our case 10 −7 ), the algorithm extracts m truly random bits, with m < n.

FIG. 3 :
FIG.3: Ratio between the output length of the extractor and the error per bit parameter.This figure shows linear dependence in semi-log scale of the output length m (multiplied by a constant factor r) as a function of the error per bit .Output length increases with the error and the greater the min-entropy k, the greater the output length.

FIG. 4 :FIG. 5 :
FIG. 4:Output length vs the min-entropy of the source.It can be noted that the output length m (multiplied by a constant factor r) is a linear growing monotone function of the min-entropy of the source k and it also increases with the error per bit .

7 FIG. 6 :
FIG. 6:Comparison between seed length and the input length of the source.In this figure is represented the seed length d vs the input length n in semi-log scale, plotted for different error per bit parameters.The seed is a step function of the input length, it increases with n and, with the same input length, the seed length is greater for lower errors.

FIG. 7 :
FIG. 7:Relation between the seed length of block weak design and the input length of the source.The seed length d as a function of the input length n is plotted for different values of min-entropy per bit α and the error per bit parameter is fixed at = 10 −7 .d is a monotone increasing function of n and it increases also with α.Both the axes are in logarithmic scale.

FIG. 8 :
FIG.8: Seed length of block weak design depending on the error per bit.For different input length of the source, the seed length d as function of the error per bit is plotted.d is a descending step function of , but it increases with n.The min-entropy is fixed at α = 0.4 and both the axes are in logarithmic scale.
, two parties (Alice and Bob) share a bipartite state.Alice can choose among m possible d-outcome measurements (O 1 A , ..., O m A ), according to the instrument variable X, which can assume m different values, while Bob's choice among d observables (O 1 B , ..., O d B

TABLE I .
Extracted certified random bits.In this table, we show the obtained results, given by our randomness generator and certifier.