Introduction

Random numbers are necessary for many different applications, ranging from simulations to cryptography and fundamental physics tests, such as Bell tests1,2,3. Despite its common use, the certification of randomness is a complex task. Classical processes cannot generate genuine randomness because of the determinism of classical mechanics. On the other hand, randomness is an intrinsic feature of quantum mechanics due to the probabilistic nature of its laws. However, the generation and certification of randomness, even from quantum processes, always require some assumptions4.

The most reliable type of certification is given by Device-Independent (DI) protocols4 where the violation of a Bell inequality can certify the randomness and privacy of the numbers without any assumption on the devices used. Despite recent demonstrations5,6,7,8,9, DI-QRNGs are extremely demanding from an experimental point of view, and their performances also cannot satisfy the needs for practical implementation. For this reason, all current commercial QRNGs use trusted protocols, where both the source and measurements are trusted.

Although trusted QRNGs are high-rate, easy-to-implement and cheap, the security and privacy of the generated random numbers could be compromised. Recently, a new class of protocols, called Semi-Device-Independent (Semi-DI)10,11 have been proposed as a compromise between the DI and the trusted ones. The Semi-DI protocols work in a similar "paranoid scenario” of DI, although with few assumptions on the devices’ inner working. Assumptions can be related to the dimension of the exchanged system12, the device used for the measurement13,14,15,16,17, the device used for the source18,19, the overlap between the states20 the energy21,22,23,24,25,26,27or general apparatus imperfections28. These protocols are promising, since they can provide a higher level of security with a generation rate compatible with practical needs.

Most of the DI and Semi-DI protocols employ projective measurement, limiting the maximal certification to the underlying Hilbert space’s dimension. The possibility of increasing the generation rate using general measurement has recently been discussed for entangled systems in the DI scenario29,30,31. While projective measurements can only certify up to one bit of randomness for every pair of entangled qubits, POVM can saturate the optimal bound of 2 bits30. Additionally, unbounded generation is possible if repeated non-demolition measurements are performed on one of the qubits, but the protocol is not robust to noise32,33. However, all of these scenarios need entanglement, which is a strong requirement and involves an increased experimental complexity.

In this work, we will consider a prepare-and-measure scenario where the coherence (or purity) of the source is the resource for the protocol. We will show that a robust unbounded randomness certification can be obtained in the Source-DI scenario when non-orthogonal POVMs are used. For a fixed dimension of Hilbert space, we demonstrate that the amount of extractable random bits scales up as \(\propto {\log }_{2}(N)\) with N the number of POVM outcomes. In such a way, an infinite number of random bits can be certified for any dimension of the quantum system to be measured. In addition, the use of non-orthogonal POVMS instead of multiple projective measurements allows to implement the Source-DI protocol without an active switching of the measurement basis, but in a completely passive way. This feature greatly simplifies the experimental implementation which does not require fast electronics for the switching and can increase the generation rate, which is not limited by the switching frequency. Moreover, no additional randomness and an initial seed is required for the basis selection. We specialize our analysis for polarization qubits, considering symmetric POVM measurements. In particular, we derive tight analytical bounds for equiangular POVMs restricted on the plane of the Bloch sphere and for POVMs that correspond to Platonic solids inscribed in the Bloch sphere. Finally, to validate our findings, we experimentally implement three equiangular measurements on a plane with 3, 4, and 6 outcomes, and the octahedron measurement with 6 outcomes, using a simple optical setup.

Results

Randomness certification with POVM

In the prepare and measure scenario, a QRNG is composed of two systems: a source that emits a quantum state \({\hat{\rho }}_{A}\) and a measurement station. At each round, the measurement produces an outcome K = k with some probability Pk.

While in the trusted scenario, both the measurement and preparation stages are trusted and characterized, in the Source-DI scenario only the measurement is trusted and characterized, while the source is considered untrusted and under the control of the eavesdropper(Eve). Trusted measurement means that the user has full control of the measurement apparatus. In particular, trusted POVM means that any adversary has no classical or quantum correlation with the measurement setup and he cannot access the Naimark extension of the POVM.

In this case, the amount of private randomness that can be extracted by the QRNG can be quantified by quantum conditional min-entropy34, related to the guessing probability as

$${H}_{\min }(X| E)=-{\log }_{2}({p}_{{{{{{{{\rm{g}}}}}}}}}(X| E))$$
(1)

Here, the probability of correctly guessing the measurement outcome pg is conditioned on Eve’s (quantum) side information E on the system.

As discussed in ref. 13, if the prepared state \({\hat{\rho }}_{A}\) is pure, Eve does not have access to any quantum side information. On the contrary, if \({\hat{\rho }}_{A}\) is mixed, there is always a purification \({\hat{\rho }}_{AE}\) of \({\hat{\rho }}_{A}\), such that the systems A and E are correlated. Bounding the Hmin(XE) is then directly linked with the problem of bounding the purity of the unknown state \({\hat{\rho }}_{A}\).

In this scenario, a single projective measurement \(\{{\hat{P}}_{i}\}\) cannot certify any amount of randomness13,35.

A solution to this problem, proposed in ref. 13, uses two conjugate projective measurements \({\mathbb{Z}}\) and \({\mathbb{X}}\) and the Entropic Uncertainty Principle to bound the value of \({H}_{\min }(X| E)\). However, this approach requires the active switching of the two conjugate measurements that comes with two major drawbacks: first, the switching requires an initial source of private randomness and then requires active elements in the experimental implementation, increasing the complexity of the setup. For this protocol, the maximum value of min entropy is upper bounded by the dimension d of the measurement \({H}_{min}(X| E)\le {\log }_{2}(d)\).

In the following, we will show that the use of a single POVM \(\{{\hat{F}}_{k}\}\) with k = 1,   , N at the measurement station will solve the above issues. No initial randomness and no active devices are required; the maximum value of the min-entropy is bounded by the number of POVM elements N, but is not limited by the dimension d of the underlying Hilbert space.

Since we are working in the source-device-independent framework, we do not have assumptions on the quantum source, which can share, in general, quantum correlations with the adversary, meaning that there are no restrictions to the bipartite state \({\hat{\rho }}_{AE}\). On the other hand, the measurements are characterized, and the POVM operators are known, so we do not consider quantum-side information on the measurement side.

In the Methods we demonstrate the following:

Proposition 1

In the source-device independent framework with a trusted measurement device described by the POVM \(\{{\hat{F}}_{k}\}\) with k = 1,   , N, the guessing probability can be written as

$${p}_{{{{{{{{\rm{g}}}}}}}}}(X| E)=\mathop{\max }\limits_{\{{p}_{k},{\hat{\tau }}_{k}\}}\mathop{\sum }\limits_{k=1}^{N}{p}_{k}{{{{{{{{\rm{Tr}}}}}}}}}_{A}\left[{\hat{F}}_{k}{\hat{\tau }}_{k}\right]$$
(2)

where the normalized states \({\hat{\tau }}_{k}\) belong to the A system and the maximization is subjected to the following constraint on the states \({\hat{\tau }}_{k}\)

$${{{{{{{{\rm{Tr}}}}}}}}}_{A}[{\hat{F}}_{j}(\mathop{\sum }\limits_{k=1}^{N}{p}_{k}{\hat{\tau }}_{k})]={P}_{j},\quad j=1,\cdots \,,N,$$
(3)

and Pj are the experimental observed probabilities.

The above constraint ensures that the states \({\hat{\tau }}_{k}\) form a decomposition of the state \({\hat{\rho }}_{A}^{\prime}\equiv {\sum }_{k}{p}_{k}{\hat{\tau }}_{k}\) that has the same outcome probabilities Pj of the unknown state \({\hat{\rho }}_{A}\) when measured with the POVM \(\{{\hat{F}}_{j}\}\). Differently from the common definition of pg for classical-quantum states presented in ref. 36, the above formulation is easier to calculate in scenarios where the source is untrusted.

From this definition of pg(XE), we can see why a single projective measurement \(\{{\hat{\Pi }}_{k}\}\) (that satisfies \({\hat{\Pi }}_{j}{\hat{\Pi }}_{k}={\delta }_{j,k}{\hat{\Pi }}_{k}\)) cannot be used to extract randomness: for every set of Pk we can choose in Eq. (2)\({\hat{\tau }}_{k}={\hat{\Pi }}_{k}\) and pk = Pk, such that \({\sum }_{j}{p}_{j}{{{{{{{\rm{Tr}}}}}}}}[{\hat{\Pi }}_{k}{\hat{\tau }}_{j}]={P}_{k}\) and \({{{{{{{\rm{Tr}}}}}}}}[{\hat{\Pi }}_{k}{\hat{\tau }}_{k}]=1\). Thus, pg(XE) reaches unity, which means that Eve is able to guess Alice’s result deterministically. On the other hand, if the POVM used by Alice have non-orthogonal elements \({\hat{F}}_{j}^{N}{\hat{F}}_{k}^{N}\,\ne \,{\delta }_{j,k}\) the attacker can never guess with certainty the outcome of the measurement.

Let us first consider the simple case where the equiangular three-state POVM for a qubit is used, namely:

$${\hat{F}}_{k}^{3}=\frac{2}{3}\left|{\psi }_{k}\right\rangle \left\langle {\psi }_{k}\right|$$
(4)

where

$$\begin{array}{l}\left|{\psi }_{1}\right\rangle =\left|0\right\rangle \\ \left|{\psi }_{2}\right\rangle =\frac{1}{2}\left|0\right\rangle +\frac{\sqrt{3}}{2}\left|1\right\rangle \\ \left|{\psi }_{3}\right\rangle =\frac{1}{2}\left|0\right\rangle -\frac{\sqrt{3}}{2}\left|1\right\rangle \end{array}$$
(5)

By solving the optimization problem in Eq. (2), we can calculate \({H}_{\min }(X| E)\) for every possible set of states \({\hat{\rho }}_{A}\) sent by the attacker.

Since the POVM elements \({\hat{F}}_{k}\) belong to the ZX plane of the Bloch sphere, all the \({\hat{\rho }}_{A}\) that have the same projection in the ZX plane will lead to the same result. The min-entropy in function of the projection of the state \({\hat{\rho }}_{A}\) in the ZX plane are shown in Fig. 1.

Fig. 1: Min-entropy contour plot.
figure 1

Contour plot of Hmin(XE) for the three-outcome POVM \({\hat{F}}_{k}^{3}\) in function of the projection of \({\hat{\rho }}_{A}\) in the ZX plane of the Bloch sphere. The states \(\left|{\Psi }_{i}\right\rangle\) are associated to the POVM elements. For experimental probabilities inside the red triangle 0.58 bits of randomness can be certified, while for the region outside the triangle up to 1bit can be certified.

Full size image

It is possible to distinguish two different areas: the region inside the triangle (formed by the lines that connect the three \(|{\psi }_{k}\rangle\)), and the one outside it. Within this region, the min-entropy is constant and it reaches the minimal value of \({H}_{min}(X| E)=-{\log }_{2}(2/3)\approx 0.58\). This result is in contrast with projective measurements, where a single projective measurement can never achieve Hmin(XE) > 0. Outside this region, the min-entropy increases monotonically and reaches its maximum Hmin(XE) = 1 for three pure states, each orthogonal to one of the states \(|{\psi }_{k}\rangle .\)

The reason can be intuitively understood. Consider that the state orthogonal to \(\left|{\psi }_{1}\right\rangle\) is sent: the output corresponding to \({\hat{F}}_{1}^{3}\) never appears, and this result alone certifies the purity of ρA. On the other hand, the other two outcomes relative to \({\hat{F}}_{2}^{3}\) and \({\hat{F}}_{3}^{3}\) occur with the same probability of 0.5. Then, in this case, it behaves like an unbiased coin, and the maximum achievable randomness is 1 bit per measurement.

Exploiting the geometrical properties of the POVM we derived an analytical relation on pg(XE) as a function of the measured outcomes for general regular POVMs with N outcomes, as stated below.

Proposition 2

Consider the N-outcome qubit POVM \(\{{\hat{F}}_{k}^{N}\}\) defined by

$${\hat{F}}_{k}^{N}=\frac{1}{3}({\mathbb{1}}+{\overrightarrow{a}}_{k}\cdot \overrightarrow{\sigma }),\quad k=1,\cdots \,,N$$
(6)

with \({\overrightarrow{a}}_{k}\) representing the vertices of a regular polygon in the ZX plane, namely \({\overrightarrow{a}}_{k}=1\) and \({\overrightarrow{a}}_{k}\cdot {\overrightarrow{a}}_{k+1}=\cos \frac{2\pi }{N}\). The measured output probabilities Pk uniquely identify a point \(\overrightarrow{r}\) in the ZX plane with coordinates (rz, rx). The guessing probability pg(XE) is given by

$${p}_{g}=\frac{1}{N}+\frac{1}{N}\mathop{\sum}\limits_{k}{f}_{N}(\overrightarrow{r}\cdot {\overrightarrow{u}}_{k},\alpha )\,\theta \,(\overrightarrow{r}\cdot {\overrightarrow{u}}_{k}-\cos \alpha )$$
(7)

where

$${f}_{N}(x,\alpha ) =x\cos \alpha +\sqrt{1-{x}^{2}}\sin \alpha \\ \alpha =\frac{\pi }{N}$$
(8)

and \({\overrightarrow{u}}_{k}\) the unit vectors orthogonal to the edges of the polygon.

We note that if the point \(\overrightarrow{r}\) is inside the polygon, then pg(XE) = 2/N. Otherwise, if the point \(\overrightarrow{r}\) is outside the polygon, only one term in the sum (7) is nonvanishing. From the experimental probabilities we can obtain the point \(\overrightarrow{r}\) with different methods: it is possible to employ a simple linear inversion, however, a more reliable method is to use the approach described in ref. 37.

For an arbitrary set of POVM, the guessing probability can be numerically obtained by Semidefinite Optimization (SDP), as shown in the Methods.

Analytical results for regular POVMs of Eq. (7) has been compared with the numerical solutions for N up to 100. The results were calculated with respect to the statistics reproduced by \({\hat{\rho }}_{A}\) sampled from the entire Bloch sphere. The numerical and analytical methods always agreed, up to a factor smaller than the numerical tolerance.

In Fig. 2, for N = 4,  5,  6 and 10, we show the contour plots of the min-entropy as a function of the projection of the unknown state \({\hat{\rho }}_{A}\) in the ZX plane of the Bloch sphere. By increasing the number of outcomes, both the lowest and the highest Hmin(XE) increase. From Eq. (7) we obtain:

$${M}_{N}\equiv \mathop{\max }\limits_{\overrightarrow{r}}\left({H}_{min}(X| E)\right)={\log }_{2}(\frac{N}{1+\cos \alpha })$$
(9)
$${m}_{N}\equiv \mathop{\min }\limits_{\overrightarrow{r}}\left({H}_{min}(X| E)\right)={\log }_{2}\left(N\right)-1$$
(10)

with \(\alpha =\frac{\pi }{N}\). This scaling as a function of N for a qubit system and equiangular POVM on a plane is reported in Fig. 3.

Fig. 2: Min-entropy 3D plot for different POVM outcomes.
figure 2

3D plot of Hmin(XE) in function of the projection of \({\hat{\rho }}_{A}\) in the ZX plane. The POVM considered have 4, 5, 6, 10 equispaced elements in the ZX plane. In the region inside the red lines the lower-bound of the min-entropy is reached.

Full size image
Fig. 3: Min-entropy scaling as a function of the number of POVM elements.
figure 3

Scaling of Hmin(XE) as a function of N. In the untrusted scenario, we report the max and the min Hmin(XE) for N equispaced POVM on a plane of the Bloch sphere. We also report the max Hmin(XE) for POVM representing platonic solids inscribed in the Bloch sphere. The dashed line represents the upper-bound for the trusted model. Finally, the colored dot represent estimated min-entropy from the experimental data. The error bars represent the standard deviation of the mean but they are smaller than the symbols of the datapoints.

Full size image

The difference between MN and mN is given by:

$${M}_{N}-{m}_{N}=1-{\log }_{2}\left(1+\cos \frac{\pi }{N}\right)\approx \frac{{\pi }^{2}}{2{N}^{2}\ln 2}$$
(11)

which becomes negligible for large N, since the distance between the POVM’s elements also gets smaller.

The analytical bounds of Eq. (7) can be extended to general POVM, not restricted to a plane of the Bloch sphere. We also considered symmetric POVMs, representing platonic solids inscribed in the Bloch sphere38. We show in Supplementary Method 1 that for these measurements, Eq. (9), with different values of α, correctly bounds the maximum amount of min-entropy that can be certified. In Fig. 3 we compare the scaling of such measurements with the POVM restricted to the plane.

Additionally, in Fig. 3 we show a comparison between the extractable randomness in the trusted and Source-DI scenarios. In the trusted scenario (i.e., both source and measurement trusted, without quantum correlation between the devices and the attacker), up to \({\log }_{2}N\) bits can be certified per measurement, sending for example the completely mixed state \({\hat{{\mathbb{1}}}}_{2}\).

The gap between the trusted and the untrusted bounds is never larger than 1 bit, for any ρA, meaning that the price to pay for the increased security of the Source-DI certification is at most 1 bit per measurement. The results indicate that in the asymptotic limit N → ∞ the min-entropy tends to Hmin(XE) → ∞, showing that unbounded randomness can be certified even from quantum systems with finite dimension d, including qubits.

Finally, we would like to highlight several advantages of the proposed protocol over previous discrete variable source-DI protocols13,35,39,40. In addition to the increased Hmin(XE) per measurement, the protocol allows for an important simplification of the experimental setup. Indeed, the non-orthogonal POVMs considered in this work can be implemented with only passive optical element. On the contrary, previous protocols based on Quantum State Tomography35 or the Entropic Uncertainty Principle13,39,40 require an active and random switching of the measurement basis. The active switching requires fast electronics to implement it in real-time during the execution of the protocol and is often the main factor limiting the speed of the QRNG40. Moreover, basis switching requires an initial random seed for random selection of the basis and consumes part of the produced randomness after the start of the protocol, lowering the final generation rate. In contrast, the protocol presented in this work does not require any initial seed for the implementation of the protocol.

Experimental implementation

To test the certification protocol with a proof-of-principle experiment, we developed a simple optical setup that employs a heralded single-photon source and four different POVM configurations. The preparation and measurement exploit the polarization degree of freedom of single photons. A schematic representation of the setup is shown in Fig. 4. The heralded source is composed of a continuous-wave laser at 404 nm, which optically pumps a 30 mm long Periodically Poled Potassium Titanyl Phosphate crystal. This configuration produces photon pairs at 808 nm through type-II collinear-phase-matching spontaneous parametric down-conversion.

Fig. 4: Experimental setup.
figure 4

An heralded single photon source made from a Periodically Poled Potassium Titanyl Phosphate (PPKTP) crystal in a Sagnac interferometer, generates single photons at 808 nm. After the polarizing beam splitter (PBS), the heralded photon is prepared in any desired polarization by using an Half-Wave Plate (HWP) and a Quarter-Wave Plate (QWP). The photon is then measured using Single Photon Avalanche Diodes (SPAD) with four different POVM configurations with 3, 4, and 6 outcomes. The coincidences between the heralding photon detector D0 and the detectors in the measurement station are recorded by a timetagger on a PC.

Full size image

The photons are deterministically separated by a polarizing beam splitter (PBS), and the detection of a photon at D0 (see Fig. 4) heralds the presence of the single photon \({\left|H\right\rangle }_{s}\), which is sent to the preparation stage.

Here a Half Wave Plate (HWP) and a Quarter Wave Plate (QWP) are used to prepare the photon in any required polarization. The photon is then sent to Alice’s measurement. Taking into account filtering and finite SPAD efficiency, we obtain a heralded photon generation rate of ≈10 kHz.

We decided to implement the protocol using a heralded single-photon source in order to reduce the contribution of dark counts and background noise. However, since we work in the Source-DI scenario, no assumptions are made on the source or on the channel losses and any implementation can be used.

The POVM \(\{{\hat{F}}_{k}^{N}\}\) used by Alice are N-output measurement in the two-dimensional Hilbert space of photon polarization. The optical implementation of such POVM can be realized by using interferometric setups (as in ref. 41): however, this technique requires high precision in the alignment and offers low temporal stability. For this reason, we decided to follow the approach presented in42, which does not require any interferometric scheme.

In the three outcomes equiangular POVM \({\hat{F}}_{k}^{3}\), shown in Fig. 4, the photon passes through a Partially Polarizing Beam Splitter (pPBS), which reflects with probability 2/3 the state \(\left|V\right\rangle\), while fully transmits \(\left|H\right\rangle\).

Thus, detecting the reflected photons implements the first POVM element \({\hat{F}}_{1}^{3}=\frac{2}{3}\left|V\right\rangle \left\langle V\right|\). The transmitted part is instead measured in the diagonal basis, implementing the remaining operators \({\hat{F}}_{2}^{3}\) and \({\hat{F}}_{3}^{3}\) (see ref. 42 for more detail).

The POVM with four and six outcomes can be implemented in a similar way, and they only require standard BS, PBS and waveplates. The four-outcome POVM \({\hat{F}}_{k}^{4}\) is realized in the following way: a 50:50 BS reflects and transmits the photons with equal probability, then in the reflected path a PBS measures in the \({\mathbb{Z}}\) basis, while in the transmitted path the HWP at \(\frac{\pi }{8}\) followed by the PBS, performs a measurement in the \({\mathbb{X}}\) basis. Accordingly, the four POVM elements \(\{{\hat{F}}_{k}^{4}\}=\{\frac{1}{4}\left|H\right\rangle \left\langle H\right|,\frac{1}{4}\left|+\right\rangle \left\langle +\right|,\frac{1}{4}\left|V\right\rangle \left\langle V\right|,\frac{1}{4}\left|-\right\rangle \left\langle -\right|\}\) are realized. Similarly, for the six-outcome POVM on the plane \({\hat{F}}_{k}^{6}\), a BS with transmissivity \(\frac{2}{3}\) followed by a BS with transmissivity \(\frac{1}{2}\), creates three different optical paths where the probability of detecting a photon is \(\frac{1}{3}\). Later, one path is measured directly along with the \({\mathbb{Z}}\) basis with a PBS, implementing the elements \({\hat{F}}_{1,4}^{6}=\frac{1}{6}\left|H\right\rangle \left\langle H\right|,\frac{1}{6}\left|V\right\rangle \left\langle V\right|\). In the second arm, an HWP at \(\frac{\pi }{12}\) before the PBS implements the elements \({\hat{F}}_{2,5}^{6}=\frac{1}{6}(\frac{\sqrt{3}}{2}\left|H\right\rangle +\frac{1}{2}\left|V\right\rangle )(\frac{\sqrt{3}}{2}\left\langle H\right|+\frac{1}{2}\left\langle V\right|),\frac{1}{6}(\frac{1}{2}\left|H\right\rangle -\frac{\sqrt{3}}{2}\left|V\right\rangle )(\frac{1}{2}\left\langle H\right|-\frac{\sqrt{3}}{2}\left\langle V\right|)\). Similarly, in the third arm, an HWP at \(\frac{\pi }{6}\) before the PBS implements the elements: \({\hat{F}}_{3,6}^{6}=\frac{1}{6}(\frac{1}{2}\left|H\right\rangle +\frac{\sqrt{3}}{2}\left|V\right\rangle )(\frac{1}{2}\left\langle H\right|+\frac{\sqrt{3}}{2}\left\langle V\right|),\frac{1}{6}(\frac{\sqrt{3}}{2}\left|H\right\rangle -\frac{1}{2}\left|V\right\rangle )(\frac{\sqrt{3}}{2}\left\langle H\right|-\frac{1}{2}\left\langle V\right|)\). Finally, the implementation of the six-outcome POVM \({\hat{S}}^{6}\) is similar to the previous one. One of the HWP is now rotated at \(\frac{\pi }{8}\) while the other HWP is replaced with a QWP at \(\frac{\pi }{4}\). In this way, each arm measures along one of the \({\mathbb{X}},{\mathbb{Y}},{\mathbb{Z}}\) bases, implementing the following POVM elements \(\{{\hat{S}}_{k}^{6}\}=\left\{\frac{1}{6}\left|H\right\rangle \left\langle H\right|,\frac{1}{6}\left|+\right\rangle \left\langle +\right|,\frac{1}{6}\left|L\right\rangle \left\langle L\right|,\frac{1}{6}\left|V\right\rangle \left\langle V\right|,\frac{1}{6}\left|-\right\rangle \left\langle -\right|,\frac{1}{6}\left|R\right\rangle \left\langle R\right|\right\}\).

After the polarization measurements, the photons are collected by multimode fibers and detected by Silicon SPAD (Excelitas SPCM-NIR).

The electrical signals generated by the SPADs are registered by a Time-to-Digital Converter with a resolution of 81 ps, which streams the data to a PC. On the PC, we keep only the timetags that are inside a coincidence window of 1ns between the heralding detector and any other detector.

Experimental results

In this section we describe the results of our experimental run. For each of the four measurement configurations described in the previous section, we prepare four different quantum states ρA and we evaluate the corresponding min-entropy Hmin(XE)a in the asymptotic limit. The states are chosen in order to maximize or minimize the min-entropy. However, since the protocol assumes uncharacterized light, we do not use any information about the preparation for the actual estimation of the randomness in the system.

For each run of the protocol, we use the heralded source to prepare the state, and we record the number of coincidences between the heralding detector D0 and any other detector D1-DN, associated to a particular POVM element. Then the total number of events per detector Nk is directly converted to a probability \({p}_{k}=\frac{{N}_{k}}{{\sum }_{i}{N}_{k}}\) of the occurrence of a particular POVM element \({\hat{F}}_{k}\).

For a typical run of the experiment, we acquire a total number Ntot of 107 coincidence events. However, since the prepared states are (almost) pure, the finite statistics could lead to non-physical quantum states, similarly to what happens for quantum state tomography43,44. To enforce a physical reconstruction, we use the constrained maximum-likelihood estimation technique presented in ref. 37 to retrieve a physical state \({\tilde{\rho }}_{A}\) compatible with the measured statistics pk. The asymptotic min-entropy Hmin(XE)a has been calculated using both the numerical methods presented in Methods and the analytical expression given by Eq. (7) (or its general version given in Eq. S25) for the reconstructed state \({\tilde{\rho }}_{A}\).

The results are shown graphically in Fig. 3, while the estimated \({\tilde{\rho }}_{A}\) and Hmin(XE)a are reported in the Supplementary Methods 3, in particular in the Supplementary Tables I, II, III, IV. As we can see, the experimental data confirm the expected scalings up to N = 6, for both the maximum and minimum of the Hmin(XE). Considering the heralded photon generation rate of ≈ 10kHz of our source, depending on the specific configuration implemented and the obtained min-entropy, the random generation rate is between 5 and 20 kbps.

Although the theoretical lower bound was always experimentally achievable (up to numerical precision), the maximum of the Hmin(XE) could not be achieved exactly. This effect is due to the limited accuracy in the preparation of the ρA state and the unavoidable dark counts in \({\hat{F}}_{k}\) due to accidental coincidences.

In the present proof-of-principle experiment, we considered a perfect POVM as defined above. However, any experimental measurement device is subject to imperfection. To deal with the experimental realization of POVM subjected to errors, we could recall that our results are completely general and they can be applied to any POVM. Therefore, since the measurement device is trusted, it is possible to characterize all the imperfections of the beam-splitters, polarizing beam-splitters, single-photon detectors and other elements. To perform this characterization of the implemented POVM, Quantum Measurement Tomography (QMT) can be used45. After these characterizations a well-defined POVM is obtained. While for "symmetric” POVM such as (6) it is possible to find analytic results, for generic POVM it is possible to use the numerical tools illustrated in Methods to evaluate the conditional min-entropy. In this way, by using the QMT and the numerical tools, it is possible to bound the min-entropy not only for SIC-POVM and ideal measurements, but also for any general non-ideal measurement, greatly simplifying the experimental requirements and increasing the robustness of the protocol.

Under the i.i.d. condition, it is possible to exploit the numerical approach presented in the Methods to include finite-size effects. To obtain bounds without the I.I.D assumption, several approaches are possible. A simple, but non-tight method would be to bound the guessing probability without constraints. In this way, the min-entropy would be minimized over all the possible quantum states, not only the ones compatible with the observed statistics. We detail this approach in Supplementary Methods 2. However, this method is not tight, since it always bounds the min-entropy with the lowest possible value obtainable by that specific POVM, regardless of the output statistics. To obtain tighter bound without the I.I.D assumption it is possible to exploit the newly developed Entropy Accumulation Theorem (EAT)46 or Quantum Probability Estimation47. As an example, if the EAT is chosen, it is possible to follow the construction detailed in48, where a min-tradeoff function for the EAT is built from the single-round quantum conditional min-entropy. Using that framework it is possible to obtain the (accumulated) smooth conditional min-entropy for n rounds without the I.I.D assumption. A similar approach can be done for QPE, as, for example, in ref. 28. The full inclusion of finite-size effects by the EAT is out of the scope of this work and will be investigated in our future research.

Conclusion

We have presented a protocol for the generation of random numbers from quantum measurement based on the Source-Device-Independent scenario: no assumptions are included in the source of quantum states, while the measurement device is fully trusted and characterized. We have shown that the amount of extractable random bits scales up as \(\propto {\log }_{2}(N)\) when the measurement is performed by a N-outcome POVM. Thus, an infinite number of random bits can be certified for any dimension of the quantum system to be measured. We derived an analytical bound for the estimation of the extractable randomness using symmetric POVM on the Bloch sphere. Our findings were validated experimentally by implementing several POVMs in the polarization space of single photons with a simple optical setup. Compared to previous DV Source-DI protocols, the one presented here allows for a passive implementation without an active switching of the measurement basis. This feature greatly simplifies the experimental implementation, which does not require fast electronics for the switching and can increase the generation rate, which is not limited by the switching frequency. Moreover, no additional randomness and an initial seed is required for the basis selection.

Note added: After the completion/submission of this manuscript, we became aware of a similar work which also considers Source-DI randomness generation with POVM measurements49.

Methods

Source-DI guessing probability: proof of Proposition 1

The framework we are considering is a QRNG whose output is obtained by measuring a quantum system A with a POVM \(\{{\hat{F}}_{j}\}\) obtaining the observed probabilities Pj. Since the system A may have correlation with the adversary E, as shown in ref. 50, the probability of guessing the output of the QRNG is given by

$${p}_{g}(X| E)=\mathop{\sum }\limits_{a=1}^{M}P(a)\mathop{\max }\limits_{j}[p(\,j| a)]$$
(12)

where j = 0,   , d − 1 are the possible classical outcomes of the QRNG, a is the state (possibly quantum) hold by the adversary Eve, M is an arbitrary integer, p(ja) the probability of guessing j when the state a is prepared, P(a) the probability of preparing the state a.

In the source-device-independent scenario, we may assume that Eve can arbitrarily prepare the joint state of the AE system \({\hat{\rho }}_{AE}^{a}\), while the measurement POVMs \(\{{\hat{F}}_{j}\}\) on Alice’s side are trusted. Since the E system is arbitrary, any quantum state \({\hat{\rho }}_{AE}^{a}\) prepared with probability P(a) can also be seen as the post-measurement state obtained after a generalized measurement \({\hat{E}}_{a}\) in a bipartite system ρAE, namely

$${\hat{\rho }}_{AE}^{a}=\frac{{\hat{E}}_{a}{\rho }_{AE}{\hat{E}}_{a}^{{{{\dagger}}} }}{P(a)},\qquad P(a)={{{{{{{{\rm{Tr}}}}}}}}}_{AE}[{\hat{E}}_{a}{\rho }_{AE}{\hat{E}}_{a}^{{{{\dagger}}} }]$$
(13)

By defining the POVM \({\hat{M}}_{a}={\hat{E}}_{a}^{{{{\dagger}}} }{\hat{E}}_{a}\) the above guessing probability can be written in complete generality as

$${p}_{g}(X| E)=\mathop{\max }\limits_{\{P(a),{\hat{\rho }}_{AE}^{a}\}}\mathop{\sum }\limits_{a=1}^{M}P(a)\mathop{\max }\limits_{j}{{{{{{{{\rm{Tr}}}}}}}}}_{AE}[({\hat{F}}_{j}\otimes \hat{{\mathbb{1}}}){\hat{\rho }}_{AE}^{a}]$$
(14)
$$=\mathop{\max }\limits_{\{\hat{M(a),{\hat{\rho }}_{AE}}\}}\mathop{\sum }\limits_{a=1}^{M}P(a)\mathop{\max }\limits_{j}\frac{{{{{{{{{\rm{Tr}}}}}}}}}_{AE}[({\hat{F}}_{j}\otimes {\hat{M}}_{a}){\hat{\rho }}_{AE}]}{P(a)}$$
(15)

The maximization over \(\{P(a),{\hat{\rho }}_{AE}^{a}\}\) is constrained to be compatible with the experimental outcomes on Alice’s side given by \({P}_{j}={{{{{{{{\rm{Tr}}}}}}}}}_{A}[{\hat{F}}_{j}{\hat{\rho }}_{A}]\) where \({\hat{\rho }}_{A}={\sum }_{a}P(a){{{{{{{{\rm{Tr}}}}}}}}}_{E}[{\hat{\rho }}_{AE}^{a}]\) is the reduced state on A subsystem. By tracing the E system, the above expression can be written in terms of states on A, defined by

$${{{{{{{{\rm{Tr}}}}}}}}}_{E}[{\hat{\rho }}_{AE}^{a}]={\hat{\rho }}_{a}^{A}\quad \Rightarrow \quad {{{{{{{{\rm{Tr}}}}}}}}}_{AE}[({\hat{F}}_{j}\otimes \hat{{\mathbb{1}}}){\hat{\rho }}_{AE}^{a}]={{{{{{{{\rm{Tr}}}}}}}}}_{A}[{\hat{F}}_{j}{{{{{{{{\rm{Tr}}}}}}}}}_{E}[{\hat{\rho }}_{AE}^{a}]]={{{{{{{{\rm{Tr}}}}}}}}}_{A}[{\hat{F}}_{j}{\hat{\rho }}_{a}^{A}]$$
(16)

where \({\hat{\rho }}_{a}^{A}\) is a normalized state. We note that, by the above definition, the reduced state on the A system can be written as \({\hat{\rho }}_{A}={\sum }_{a}P(a){\hat{\rho }}_{a}^{A}\). Therefore, the guessing probability can be written only by using states and measurement in the A subsystem as

$${p}_{{{{{{{{\rm{g}}}}}}}}}(X| E)=\mathop{\max }\limits_{\{P(a),{\hat{\rho }}_{a}\}}\mathop{\sum }\limits_{a=1}^{M}P(a)\mathop{\max }\limits_{j}{{{{{{{{\rm{Tr}}}}}}}}}_{A}\left[{\hat{F}}_{j}{\hat{\rho }}_{a}^{A}\right]$$
(17)

where the maximization over \(\{P(a),{\hat{\rho }}_{a}^{A}\}\) is constrained to \({{{{{{{{\rm{Tr}}}}}}}}}_{A}[{\hat{F}}_{j}({\sum }_{a}P(a){\hat{\rho }}_{a}^{A})]={P}_{j}\). The above equation has a simple physical interpretation: by using the optimal measurement strategy on the state ρAE, the eavesdropper effectively prepares, on Alice’s side, the states \({\hat{\rho }}_{a}^{A}\) with probabilities P(a). The states \({\hat{\rho }}_{a}^{A}\) and probabilities P(a) are constrained to reproduce the experimental measured probabilities Pj. When the eavesdropper prepares the state \({\hat{\rho }}_{a}^{A}\) her guessing probability is \(p(\,j| a)=\mathop{\max }\nolimits_{j}{{{{{{{\rm{Tr}}}}}}}}[{\hat{F}}_{j}{\hat{\rho }}_{a}^{A}]\), namely she guessed the output with maximum output probability. Equation (17), averaging and maximizing over all the different prepared states, represents the optimization of her strategy.

Now we can simplify the above expression. For a given decomposition \({{{{{{{\mathcal{E}}}}}}}}\equiv \{P(a),{\hat{\rho }}_{a}^{A}\}\) we can group the indices a = 1,   , M into the N disjoints subset \({S}_{k}({{{{{{{\mathcal{E}}}}}}}})\), with k = 1,   , N. The subset \({S}_{k}({{{{{{{\mathcal{E}}}}}}}})\) includes all indices a so that \({{{{{{{\rm{Tr}}}}}}}}[{\hat{F}}_{j}{\hat{\rho }}_{a}^{A}]\) is maximized for j = k. Therefore,

$${p}_{{{{{{{{\rm{g}}}}}}}}}(X| E)=\mathop{\max }\limits_{\{P(a),{\hat{\rho }}_{a}^{A}\}}\mathop{\sum }\limits_{k=1}^{N}\mathop{\sum}\limits_{a\in {S}_{k}({{{{{{{\mathcal{E}}}}}}}})}P(a)\mathop{\max }\limits_{j}{{{{{{{{\rm{Tr}}}}}}}}}_{A}\left[{\hat{F}}_{j}{\hat{\rho }}_{a}^{A}\right]$$
(18)
$$=\mathop{\max }\limits_{\{{p}_{k},{\hat{\tau }}_{k}^{A}\}}\mathop{\sum }\limits_{k=1}^{N}{p}_{k}{{{{{{{{\rm{Tr}}}}}}}}}_{A}\left[{\hat{F}}_{k}{\hat{\tau }}_{k}^{A}\right]$$
(19)

where we defined \({\hat{\tau }}_{k}^{A}={\sum }_{a\in {S}_{k}({{{{{{{\mathcal{E}}}}}}}})}P(a){\hat{\rho }}_{a}^{A}/{p}_{k}\) and \({p}_{k}={\sum }_{a\in {S}_{k}({{{{{{{\mathcal{E}}}}}}}})}P(a)\). We note that since \({\sum }_{a}P(a){\hat{\rho }}_{a}^{A}={\sum }_{k}{\sum }_{a\in {S}_{k}({{{{{{{\mathcal{E}}}}}}}})}P(a){\hat{\rho }}_{a}^{A}={\sum }_{k}{p}_{k}{\hat{\tau }}_{k}^{A}\) the constraints on the normalized states \({\hat{\rho }}_{a}^{A}\) can be rewritten as

$${P}_{j}={{{{{{{\rm{Tr}}}}}}}}\big[{\hat{F}}_{j}\big(\mathop{\sum}\limits_{k}{p}_{k}{\hat{\tau }}_{k}^{A}\big)\big],\quad j=1,\cdots \,,N.$$
(20)

The proposition is thus demonstrated.

We can also relate our relation to a standard expression typically used for QRNG derived for classical-quantum states (see ref. 36). In the framework considered in ref. 36, a joint state ρAE is measured on the A subsystem by obtaining the classical-quantum state \({\hat{\rho }}_{XE}={\sum }_{j}{P}_{j}{\left|j\right\rangle }_{X}\left\langle j\right|\otimes {\sigma }_{E}^{j}\) where Pj are the output probabilities after the POVM \(\{{\hat{F}}_{j}\}\), X represents a classical system encoding the outputs and \({\sigma }_{E}^{j}\) are the resulting states on the E system after the measurement. Eve can perform arbitrary measurements on her quantum system to maximize the guessing probability of Alice’s outcomes. The guessing probability is then defined as \({p}_{g}(X| E)=\mathop{\max }\nolimits_{\{{\hat{M}}_{k}\}}\mathop{\sum }\nolimits_{j = 1}^{N}{P}_{j}{{{{{{{{\rm{Tr}}}}}}}}}_{E}[{\hat{M}}_{j}{\hat{\sigma }}_{E}^{j}]\) where \({\hat{M}}_{k}\) is a POVM on the E subsystem. In the source-device-independent framework, the initial state \({\hat{\rho }}_{AE}\) is not defined, so we need to optimize also over the possible state \({\hat{\sigma }}_{E}^{j}\) compatible with the observed statistic. Now we show that the above expression is equivalent to (18). By repeating the reasoning leading to (18) from (17), we can rewrite eq. (14) without the internal maximization as

$${p}_{g}(X| E)=\mathop{\max }\limits_{\{{\hat{M}}_{k},{\hat{\rho }}_{AE}\}}\mathop{\sum }\limits_{k=1}^{N}{{{{{{{{\rm{Tr}}}}}}}}}_{AE}[({\hat{F}}_{k}\otimes {\hat{M}}_{k}){\hat{\rho }}_{AE}]$$
(21)

where the maximization over \({\hat{\rho }}_{AE}\) is constrained to satisfy the observed statistic, namely \({P}_{j}={{{{{{{{\rm{Tr}}}}}}}}}_{AE}[({\hat{F}}_{j}\otimes {\mathbb{1}}){\hat{\rho }}_{AE}]\). Due to the above constraint, we can define the normalized states

$${\hat{\sigma }}_{E}^{k}=\frac{1}{{P}_{k}}{{{{{{{{\rm{Tr}}}}}}}}}_{A}[({\hat{F}}_{k}\otimes {\mathbb{1}}){\hat{\rho }}_{AE}]$$
(22)

such that the guessing probability can be written as

$${p}_{g}(X| E)=\mathop{\max }\limits_{\{{\hat{M}}_{k},{\hat{\sigma }}_{E}^{k}\}}\mathop{\sum }\limits_{k=1}^{N}{P}_{k}{{{{{{{{\rm{Tr}}}}}}}}}_{E}\big[{\hat{M}}_{k}{\hat{\sigma }}_{E}^{k}\big]$$
(23)

that is the expression mentioned above and typically used to define the guessing probability for QRNG (see discussion after eq. (17) in ref. 36). Therefore eqs. (23) and (18) are completely equivalent and they represent the guessing probability evaluated by considering the E or A subsystem respectively.

We note that the two scenarios considered above both correspond to start from a joint state \({\hat{\rho }}_{AE}\) and perform measurement \({\hat{F}}_{k}\) on Alice’s side and measurement \({\hat{M}}_{k}\) on Eve’s side. If we consider performing first Alice’s measurement, the post-measurement state is given by \({\hat{\rho }}_{XE}={\sum }_{k}{P}_{k}{\left|k\right\rangle }_{X}\left\langle k\right|\otimes {\hat{\sigma }}_{E}^{k}\). If we consider to perform first the Eve’s measurement, the post-measurement state is given by \({\hat{\rho }}_{AY}={\sum }_{k}{p}_{k}{\hat{\tau }}_{k}^{A}\otimes {\left|k\right\rangle }_{Y}\left\langle k\right|\) where Y is a classical system in which Eve’s encode her results. The two equivalent expressions (18) and (23) for the guessing probability are obtained by considering, respectively, the post-measurement state \({\hat{\rho }}_{AY}\) or \({\hat{\rho }}_{XE}\).

Numerical tools for bounding the H min(XE) with arbitrary POVM

In this section we introduce a numerical tool based on Semidefinite Optimization (SDP) which can be used to bound the Hmin(XE) in the Source-DI scenario for an arbitrary set of POVM. Besides bounding the min-entropy, this numerical tool can also be useful to get a more precise understanding of Eve’s optimal strategy, since it also returns the states \({\hat{\rho }}_{a}\) of the decomposition used by Eve. To start, we write Eq. (17) in the form of the primal SDP, where we introduce the states \({\hat{\delta }}_{k}={p}_{k}{\hat{\tau }}_{k}\):

$$\begin{array}{rcl}\mathop{{{{{{{{\rm{maximize}}}}}}}}}\limits_{{\hat{\delta }}_{k}}&&\mathop{\sum }\limits_{k=1}^{N}{{{{{{{{\rm{Tr}}}}}}}}}_{A}\big[{\hat{F}}_{k}{\hat{\delta }}_{k}\big]\\ \,{{\mbox{subject to}}}\,&&{\hat{\delta }}_{k}\ge 0\,\forall k,\\ &&{{{{{{{\rm{Tr}}}}}}}}\left[\mathop{\sum}\limits_{k}{\hat{\delta }}_{k}\right]=1,\\ &&| {{{{{{{\rm{Tr}}}}}}}}\left[{\hat{F}}_{i}\mathop{\sum}\limits_{k}{\hat{\delta }}_{k}\right]-{P}_{i}| \le \zeta (\epsilon ,n)\end{array}$$
(24)

where ζ(ϵ, n) is a bound on the experimental probabilities Pi, such as the Chernoff-Hoeffding51 that is used to take into account finite-size effects.

We can rewrite the last constraint using slack variables si, ti in order to have only the equality constraint except for the positive semidefinite condition.

$$\begin{array}{rcl}\mathop{{{{{{{{\rm{maximize}}}}}}}}}\limits_{{\hat{\delta }}_{k}}&&\mathop{\sum }\limits_{x}^{d}{{{{{{{{\rm{Tr}}}}}}}}}_{A}\left[{\hat{F}}_{k}{\delta }_{k}\right]\\ \,{{\mbox{subject to}}}\,&&{\hat{\delta }}_{k}\ge 0\,\forall k,\\ &&{{{{{{{\rm{Tr}}}}}}}}\left[\mathop{\sum}\limits_{k}{\hat{\delta }}_{k}\right]=1,\\ &&{{{{{{{\rm{Tr}}}}}}}}\left[{\hat{F}}_{i}\mathop{\sum}\limits_{k}{\hat{\delta }}_{k}\right]-{P}_{i}+{s}_{i}=\zeta (\epsilon ,n),\\ &&-{{{{{{{\rm{Tr}}}}}}}}\left[{\hat{F}}_{i}\mathop{\sum}\limits_{k}{\hat{\delta }}_{k}\right]+{P}_{i}+{t}_{i}=\zeta (\epsilon ,n),\\ &&{s}_{i}\ge 0,\\ &&{t}_{i}\ge 0\end{array}$$
(25)

This problem can be solved numerically directly using efficient SDP solvers such as refs. 52,53. After the optimization we obtain not only the maximum of the objective function \({p}_{guess}^{* }\) but also the optimal states \({\hat{\tau }}_{k}={\hat{\delta }}_{k}/{{{{{{{\rm{Tr}}}}}}}}[{\hat{\delta }}_{k}]\) that Eve employs to maximize her pguess. However, a solution to the primal problem provides a lower-bound on the guessing probability Pg, not an upper-bound. Thus, if the solver does not converge to the exact solution it will over-estimate the true amount of private randomness, compromising the security. To solve this problem, we can use the approach described in ref. 25 to derive the dual form, which can be written as:

$$\begin{array}{rcl}\mathop{{{{{{{{\rm{minimize}}}}}}}}}\limits_{b,{e}_{i},{f}_{i}}&&-b+\mathop{\sum}\limits_{i}{P}_{i}({e}_{i}-{f}_{i})+\zeta (\epsilon ,n)({e}_{i}+{f}_{i})\\ \,{{\mbox{subject to}}}\,&&\big({\hat{F}}_{k}+b\hat{{\mathbb{1}}}+\mathop{\sum}\limits_{i}({f}_{i}-{e}_{i}){\hat{F}}_{i}\big)\le 0\,\forall k,\\ &&{e}_{i}\ge 0\,\forall i,\\ &&{f}_{i}\ge 0\,\forall i\end{array}$$
(26)

The solution of this dual problem always provides an upper-bound to the guessing probability, resulting always in conservative bounds. Moreover, this dual formulation provides other advantages: the first advantage is related to the speed of the computation. With the primal, every time we obtain new data Pi, it is necessary to run the SDP again to obtain a bound on the guessing probability. With the dual, since the objective function is a linear function of the Pi, after an optimal solution has been found, a new (sub-optimal) upper-bound can be easily evaluated for different Pi, without running the optimization again. This aspect is particularly interesting for real-time applications, where the post-processing can be done efficiently using a Lookup table.