Real-Time Source Independent Quantum Random Number Generator with Squeezed States
Thibault Michel, Jing Yan Haw, Davide G. Marangon, Oliver Thearle,, Giuseppe Vallone, Paolo Villoresi, Ping Koy Lam, Syed M. Assad

TL;DR
This paper presents a real-time, source independent quantum random number generator using squeezed light, capable of generating secure, unpredictable random bits with high speed, suitable for cryptographic and simulation applications.
Contribution
It introduces a self-testing QRNG that operates independently of the source, using squeezed states and homodyne detection to ensure security and real-time performance.
Findings
Achieved 8.2 kb/s bit rate with squeezed states
Compared performance with thermal states, showing improved speed
Demonstrated security bounds using entropic uncertainty relations
Abstract
Random numbers are a fundamental ingredient for many applications including simulation, modelling and cryptography. Sound random numbers should be independent and uniformly distributed. Moreover, for cryptographic applications they should also be unpredictable. We demonstrate a real-time self-testing source independent quantum random number generator (QRNG) that uses squeezed light as source. We generate secure random numbers by measuring the quadratures of the electromagnetic field without making any assumptions on the source; only the detection device is trusted. We use a homodyne detection to alternatively measure the Q and P conjugate quadratures of our source. Using the entropic uncertainty relation, measurements on P allow us to estimate a bound on the min-entropy of Q conditioned on any classical or quantum side information that a malicious eavesdropper may detain. This boundâŠ
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Real-Time Source Independent Quantum
Random Number Generator with Squeezed States
Thibault Michel
Center for Quantum Computation and Communication Technology, Department of Quantum Science, The Australian National University, Canberra, ACT 0200, Australia
Laboratoire Kastler Brossel, UPMC-Sorbonne Universités, CNRS, ENS-PSL Research University, CollÚge de France, 4 place Jussieu, 75252 Paris, France
ââ
Jing Yan Haw
Center for Quantum Computation and Communication Technology, Department of Quantum Science, The Australian National University, Canberra, ACT 0200, Australia
ââ
Davide G. Marangon
Dipartimento di Ingegneria dellâInformazione, UniversitĂ degli Studi di Padova, Via Gradenigo 6B, 35131 Padova, Italy
ââ
Oliver Thearle
Center for Quantum Computation and Communication Technology, Department of Quantum Science, The Australian National University, Canberra, ACT 0200, Australia
ââ
Giuseppe Vallone
Dipartimento di Ingegneria dellâInformazione, UniversitĂ degli Studi di Padova, Via Gradenigo 6B, 35131 Padova, Italy
Istituto di Fotonica e Nanotecnologie âCNR, Via Trasea 7, 35131 Padova, Italy
ââ
Paolo Villoresi
Dipartimento di Ingegneria dellâInformazione, UniversitĂ degli Studi di Padova, Via Gradenigo 6B, 35131 Padova, Italy
Istituto di Fotonica e Nanotecnologie âCNR, Via Trasea 7, 35131 Padova, Italy
ââ
Ping Koy Lam
Center for Quantum Computation and Communication Technology, Department of Quantum Science, The Australian National University, Canberra, ACT 0200, Australia
ââ
Syed M. Assad
Center for Quantum Computation and Communication Technology, Department of Quantum Science, The Australian National University, Canberra, ACT 0200, Australia
Abstract
Random numbers are a fundamental ingredient for many applications including simulation, modelling and cryptography. Sound random numbers should be independent and uniformly distributed. Moreover, for cryptographic applications they should also be unpredictable. We demonstrate a real-time self-testing source independent quantum random number generator (QRNG) that uses squeezed light as source. We generate secure random numbers by measuring the quadratures of the electromagnetic field without making any assumptions on the source; only the detection device is trusted. We use a homodyne detection to alternatively measure the and conjugate quadratures of our source. Using the entropic uncertainty relation, measurements on allows us to estimate a bound on the min-entropy of conditioned on any classical or quantum side information that a malicious eavesdropper may detain. This bound gives the minimum number of secure bits we can extract from the measurement. We discuss the performance of different estimators for this bound. We operate this QRNG with a squeezed state and we compare its performance with a QRNG using thermal states. The real-time bit rate was kb/s when using the squeezed source and between â kb/s when the thermal state source was used.
I Introduction
Random numbers are used as a resource for many application such as statistical analysis, numerical simulation, encryption and communication protocols. Random numbers must satisfy three main requirements: they must be uniformly distributed, independent and unpredictable. Pseudo random numbers are generated with a computer via algorithmic routines from a seed. They have the advantage of being easy to implement and fast, but they are intrinsically not secure due to their deterministic generation Hellekalek (1998) and some commonly used pseudo random number generators (PRNG) have been shown to be unsecure Dodis et al. (2013). Their randomness can also be flawed Herrero-Collantes and Garcia-Escartin (2017) which can lead to errors in simulations Marsaglia (1968); Ferrenberg et al. (1992). Physical random number generators use a stochastic physical process as the source of randomness Uchida et al. (2008); Marangon et al. (2015). They are slower than PRNGs but can still achieve very high generation rate and has been used as a seed for PRNGs. For random number generators based on classical systems, the randomness usually originate as lack of knowledge on the initial state of the system, in which case the security relies on the assumption that no one has a better knowledge of this original state. Quantum systems on the other hand Ma et al. (2016) offer an interesting alternative source of randomness as measurement outcomes on such systems are intrinsically random due to Bornâs rule Rarity et al. (1994). It is then possible to create a long-term stable Marangon et al. (2018), fast quantum random number generator (QRNG) Symul et al. (2011); Haw et al. (2015); Zhang et al. (2017), in a self testing fashion Lunghi et al. (2015), or even on a mobile phone Sanguinetti et al. (2014). However the measurement outcomes may still be correlated with another party Frauchiger et al. (2013). This is the case whenever the source of randomness is in a mixed state. Even in that case, it is still possible to exploit non-local Bell state measurement Bell (1964); Brunner et al. (2014) to extract true random numbers without any assumption on the source of randomness or the measurement device Pironio et al. (2010); Christensen et al. (2013); Pivoluska et al. (2014); Liu et al. (2018); Bierhorst et al. (2018). However these implementation are still very slow with rates around few tens of bits per second. In a similar fashion, generation protocols using light emitted from distant cosmic sources were recently proposed and demonstrated Wu et al. (2017); Handsteiner et al. (2017); Leung et al. (2018). As a faster alternative one can implement a semi device independent QRNG by assuming only either the source Nie et al. (2016) or the detection Vallone et al. (2014); Xu et al. (2017); Marangon et al. (2017); Ma et al. (2017); Avesani et al. (2018) device is trusted. In a source independent quantum random number generator (SI-QRNG), the source of randomness can be arbitrary and controlled by an adversarial party; yet it can still yield secure random numbers. Roughly speaking, the principle of SI-QRNG is that, by switching between different measurement basis, one is able to assess the purity of the source, which can in turn set a bound on its extractable randomness. This can be formalized rigorously using the entropic uncertainty relation Furrer et al. (2014) which was first introduced in BiaĆynicki-Birula and Mycielski (1975).
SI-QRNG based on the entropic uncertainty relation have already been demonstrated in both discrete Vallone et al. (2014) and continuous variables Marangon et al. (2017). However, in these proof of principle experiments, the randomness estimation was always evaluated in post processing after collecting all the raw data. Here we implement a continuous variable SI-QRNG where all processing is done in real-time. Additionally, we dynamically switch between two measurement basis to alternate between a check measurement and a random-data measurement. The SI-QRNG is self testing and changes its output secure bit rate depending on the check measurement data. Although theoretical proposal for using squeezed states as sources of entropy for a QRNG have been suggested Zhu et al. (2012); Marangon et al. (2017), we report the first experimental use of squeezed states as an entropy source for a QRNG.
The paper is organized as follows. In section II we present the protocol and experimental details for generating random numbers. The protocol requires estimating a lower bound to the conditional min-entropy. In section III, we present the real-time entropy estimation procedure and the statistics of the random numbers generated. Due to finite sample size, we find that the evaluated conditional min-entropy is positively biased which can lead to an overestimation of the randomness rate. To mitigate this, we propose and discuss other more robust estimators in section IV. Finally, we conclude in section V with a discussion of several ways for extending the work in this paper as well as a summary of our work.
II Protocol and experiment
In a SI-QRNG, we are attempting to generate secure random numbers without having to trust the source state. This is possible by performing trusted measurements on two non-commuting observables. Our experiment was performed on continuous variable light fields, and the observables measured are the field quadratures and . By measuring the check quadrature , we put a bound on how much secure randomness can be extracted on the orthogonal random-data quadrature . In the following, we provide the details on how a bound on the random-data measurements can be calculated.
II.1 Randomness bound from conditional min-entropy
In our experiment, even though the quadrature observable has a continuous degree of freedom, the data that is recorded is ultimately discrete. The discretization size is determined by the finite resolution of the digitizer. This finite resolution implies that we do not measure the observables and , but rather their discretized counterparts. Formally we measure a subsection of the positive-operator valued measures (POVM) corresponding to , where and
[TABLE]
The even integer denotes the total number of bins, the index enumerates the outcomes and specifies the precision of the measurement. The measurement outcomes on state , appear with probability and are stored in a classical register .
When measuring the discretized quadrature , the maximum amount of secure extractable randomness from a single shot measurement of on a state is given by Renner (2008); Konig et al. (2009); Koenig and Renner (2011); Tomamichel and Hayashi (2013); Frauchiger et al. (2013); Tomamichel (2016)
[TABLE]
where is the security parameter and is the conditional min-entropy of  Renner (2005). The protocol is then said to be -secure, which means that the probability of distinguishing the output from a truly uniform independent distribution is smaller than  Tomamichel (2016). The conditional min-entropy is defined as Konig et al. (2009); Tomamichel et al. (2009); Koenig and Renner (2011)
[TABLE]
where is the collective classical-quantum state after measurement on system . is the state of system conditioned on measurement by , and is a POVM on system . The quantity is the average probability for an adversary Eve to correctly guess the index using a measurement strategy . The maximization on the POVM corresponds to finding the best measurement strategy Eve might apply to guess the index on the post-measurement state . The amount of secure randomness is then the smallest conditional min-entropy for states consistent with Aliceâs state . If the state is pure, this implies that and are independent: , in which case the conditional min-entropy reduces to the classical unconditioned min-entropy
[TABLE]
Here Eveâs best guessing strategy is to guess the most likely index everytime. For any state, and the difference can be seen as the amount of side information detained by Eve. To compute the exact value of in (2), one needs to know . Since Alice does not have access to , she would need to perform a complete tomography of to find all compatible states . This is tedious for an infinite dimensional system. Instead, one can bound by the max-entropy of the conjugate quadrature using the entropic uncertainty relation (EUR) BiaĆynicki-Birula and Mycielski (1975); Berta et al. (2010); Rastegin (2011); Tomamichel and Renner (2011); Coles et al. (2012); Furrer et al. (2014); Zhang et al. (2015); Coles et al. (2017). This leads to a lower bound :
[TABLE]
where the max entropy is defined as
[TABLE]
The classical unconditioned max and min entropies are equivalent to the Rényi entropies Rényi et al. (1961) of order and respectively. Additionally,
[TABLE]
is a measure of the incompatibility between the two measurements and is the [math]th radial prolate spheroidal wave function of the first kind Landau and Pollak (1961). This wavefunction comes about by considering the maximum overlap between the eigenstates of and and holds for states that has no support in the two extreme bins because those extreme bins have width larger than . This requirement correspond to bounding the energy of the input state which is a reasonable assumption. This assumption could be verified by including an energy measurement as part of the protocol Furrer (2014); Zhang et al. (2018). In our real-time demonstration, we just limit the excursion of the state by aborting the protocol when one of the extreme bins is populated.
The bound is unconditional; it is a function of only and is independent of . We use the convention where the vacuum state has a quadrature variance of
- The quadrature is used as the check quadrature that estimates the amount of randomness extractable in the measurement on the conjugate which is the random-data quadrature.
II.2 Experimental details
As shown in Fig.1, the experimental set-up has two parts. The fist part is an untrusted entropy source which consists of a quantum state that may be mixed and correlated to a malicious party E: . We operated the device on two sources, a squeezed state and a thermal state. A shot-noise limited 1064 nm Nd:YAG continuous wave laser provides the laser source for this experiment. A portion of the 1064 nm light is frequency doubled to provide a pump field at 532 nm. Both fields undergo spatial and frequency filtering to provide shot-noise limited light at the sideband frequencies above 2 MHz. The thermal state was generated with an amplitude and phase electro-optic modulators on which we send a white noise electronic signal from two independent function generators. By varing the amplitudes of the noise to the modulators, we varied the variance of this thermal state to see the effect on the secure bit rate. The squeezed state with around dB of squeezing was generated with a seeded doubly resonant optical parametric amplifier in a bow-tie geometry. Details on the squeezed state generation can be found in Chrzanowski et al. (2013).
The second part of the set-up is a trusted measurement device which consists of a homodyne detector that can measure one of two conjugate quadratures and on the state by locking the phase of a local oscillator (LO) using amplitude or phase modulation. The subtracted current is then mixed down and filtered in the 13 to 17 MHz band before being digitized over bins. The measurement device switches randomly between two measurement states: check measurements and random-data measurements. On average, a check measurement was performed once every ten measurement cycles.
In the check measurement state, three measurement steps are performed. In the first step, the LO and signal beams are blocked using servo-controlled beam-blocks and the electronic dark noise is recorded. In the second step, the signal beam is blocked, while the LO is unblocked. This allows us to record the vacuum shot noise. In the third step, both signal and LO beams are unblocked; the LO is locked to and the check data is recorded. The data is then normalized according to the shot noise corrected of dark noise . In this way, all electronic noise will be accounted as impurity on .
From the check data, we evaluated the probabilities using the frequentist estimator and using eqn (5). For each evaluation, the bin size is recalculated, in units of shot noise, using the corrected shot noise measurement. The corresponding value of is then evaluated using a pre-calculated polynomial approximation. In the experiment, we had an average and for the thermal state and squeezed state run respectively. The bound is then estimated using (4) and stored in the computer for use in the random-data measurement stage.
In the random-data measurement state, both the signal and LO beams are unblocked. The LO phase is locked to , and the raw data is recorded. It is then normalized according to the shot noise corrected of dark noise taken from the previous check measurement. In order to eliminate Eveâs information, we apply the Toeplitz matrix hashing algorithm Ma et al. (2013) on the raw data to obtain the secure random data. The length of the Toeplitz matrix is determined by the randomness bound evaluated in check stage. A few bits of the hashed random numbers are used to determine whether the next stage will be a check or random-data measurement stage.
For both check and random-data measurements, the number of measurements points collected was . In our implementation, to avoid slowing down the protocol, the random Toeplitz matrix was generated once at the start of the experiment using a trusted QRNG Haw et al. (2015) source. However, for the hashing to be fully secure, a new hashing function randomly chosen from a family of two-universal hashing functions should be used every time Bennett et al. (1995); Renner and König (2005); Tomamichel (2016). This is so that Eve does not have knowledge of the hash function prior to preparing the state such that she cannot implement deception strategies tailored to the hashing function. For monitoring purposes, we also evaluated using the frequentist estimator. We also check that the homodyne detection was never saturated. If a saturation event is ever detected, the protocol will abort immediately.
III Results and Estimation error analysis
As mentioned before, the QRNG was operated with two different sources; a -squeezed state and a thermal state. In order to generate secure randomness, we use the bound provided by in eq (4). In order to apply this bound, we need to know the value of . In subsection III.1, we present the real-time experimental result where the frequentist estimator for was used. In subsection III.2, we show that this estimator is biased which may compromise the security of the QRNG.
III.1 Real time entropy estimation
In the experiment, the entropies are calculated in real time using the frequentists estimator. After measuring data points, and binning the outcomes into bins, the frequentist estimators are given by
[TABLE]
where denotes the number of outcomes in the -th bin and . The entropy bounds and the unconditioned classical entropy from the experiments are recorded for thermal and squeezed state and these are presented as the points in Figs. 2(a) and 2(b). In the same figures, we also plot simulation results and obtained by sampling points from a perfect Gaussian distribution. These simulations are repeated times to estimate the mean and standard deviation of the estimated entropy bound. Finally, the theoretical values we would expect for a perfect discretized Gaussian distribution
[TABLE]
are plotted as solid lines and .
For the squeezed state simulation results, the impurity of the squeezed state was accounted for by inferring the amount of loss on the state from the two quadrature variance measurement. This was estimated to be . This is the reason why the min-entropy and the bound are not equal; they can only be equal for a pure state. Figure 2(b) shows that higher squeezing give rise to more extractable randomness. Indeed, measuring squeezing on one quadrature guarantees increased noise on the conjugate anti-squeezed quadrature. Unlike in the thermal noise case, this noise is not correlated to another system. For example having dB squeezing on the source increases the entropy rate by around % compared to vacuum. Therefore using a squeezed state as an entropy source can improve the QRNG bit rate, especially with broadband squeezing. For the squeezed state run the bit rate was kb/s.
The thermal state results in Fig. 2(a) illustrate the difference between the conditioned and unconditioned min-entropy. Indeed a thermal state can be purified by a two-mode squeezed state such that the outcome of a measurement on that state may well be correlated to a mode detained by Eve. This amount of quantum or classical side information is the difference between the min-entropy, which quantifies the entropy of the measurement distribution, and the conditional min-entropy which quantifies the entropy given any possible side information. For a thermal state, the higher the variance the higher the min-entropy which reflects the apparent random noise in quadrature measurement, yet the lower the conditioned min-entropy because the state could be a two-mode squeezed state with higher correlations. For the thermal state run, the bit rate varied between kb/s for the state with higher variance to kb/s for the state with lower variance.
We tested a collection of random numbers obtained from both the thermal and squeezed states with the NIST statistical test suite Rukhin et al. (2001). The results are shown in Fig. 3.
III.2 Bias of the frequentist estimator
We see in Figs. 2(a) and 2(b) that there is a discrepancy between the theoretical bound and calculated for a Gaussian state and the experimental data. To analyse this we ran a simulation by sampling a pure Gaussian distribution for different sample size . Each simulation was repeated times. As shown in Figs. 4(a) and 4(b), we find that the frequentist estimators and are both biased. The mean of the frequentist estimators do not match the true values and . This leads to an apparent violation of the EUR as is positively biased while is negatively biased. This bias gets smaller as the sample size increases. But even for very large sample size this problem might be present, as it will depend on the source state considered, as shown in Appendix B. Moreover if Eveâs state is maximally correlated with ours then any overestimation of the bound will compromise the security of the random numbers. One may try to correct this by using a different estimator for the max-entropy.
IV Other estimators for the entropy bound
Having learned that the frequentist estimator can be biased, in this section we investigate and compare three different estimators. These estimators comes with their own natural confidence interval that we can set.
IV.1 Bayesian estimator
Another class of possible estimators for are the Bayesian estimators. To calculate the Bayes estimator of an unknown parameter, one has to specify a prior probability density. This represents our initial belief about the distribution of the unknown parameter. Here we analyse two estimators for based on two different priors. The first is an uninformative prior which makes no assumption on the underlying probability distribution. The second assumes the worst case scenario by choosing a prior peaked around the uniform probability. Deciding which prior to use is a matter of the experimentalistâs degree of paranoia. Even though the QRNG device is source-independent, it is not belief-independent. We note that using Bayesian estimators bring with it the additional advantage of having the posterior estimate as a natural confidence interval.
IV.1.1 Bayesian estimator for with a completely uninformative prior
The indirect Bayesian estimator with a completely uninformative uniform prior was developed in Wolpert and Wolf (1995); Holste et al. (1998) and proposed for source-device-independent QRNG in Vallone et al. (2014). It is given by:
[TABLE]
Using this estimator in simulation for a gaussian state in our experimental conditions, we find that it has a negative bias which does not lead to a violation of the EUP (see Fig. 5).
If one can check that the distribution is Gaussian, it is then justifiable to use the Bayesian estimator. In fact, one can go a step further and remove this bias from the estimator. Otherwise, this negative bias will lead to a severe underestimation of the secure bit rate. But a priori the distribution might not be Gaussian and this bias will depend on the distribution and experimental conditions such as the binning size. We show in Appendix (B) that in some extreme cases this bias can still be positive.
IV.1.2 Bayesian estimator for with a prior
peaked around the uniform distribution
The Bayesian estimator depends on the chosen prior. The natural choice of prior is the Dirichlet distribution since it is the conjugate prior to the multinomial distribution. The Dirichlet distribution parameterised by the vector is given by
[TABLE]
where . In order to prevent an under-estimation of , it is prudent to assume the worst case scenario by choosing a prior that is sharply peaked around the uniform distribution. This is because the uniform distribution is the distribution with the maximum possible . We subsequently adjust our belief when presented with the measured data. Such a prior can be constructed by choosing for all
[TABLE]
Here characterize the peakedness of the prior distribution. A large value of will correspond to a distribution peaked around the uniform distribution, whilst will correspond to the frequentist estimator. The Bayes posterior estimator given the measurement outcomes is the Dirichlet distribution with parameters  Leonard (1977)
[TABLE]
From this posterior distribution, we can arrive at a Bayesian estimator for . Alternatively, an indirect estimator for which we denote by can be obtained by substituting the Bayes posterior mean for the probabilities
[TABLE]
into (5). As we shall see in section IV.3, with a large , this estimator tends to be very conservative.
IV.2 Extremal Variance-based Estimator
Another way to estimate is by estimating the variance distribution. Instead of estimating from the sampled distribution, we can try to bound it. We first estimate , the variance of with the unbiased estimator . We can then find the distribution that maximizes for this given variance. This is similar to the method used in Xu et al. (2017) for bounding the Shannon entropy Shannon ; Wolf et al. (2006).
We show in Appendix A that given a variance , the corresponding extremal distribution is given by
[TABLE]
where
[TABLE]
is a normalization constant,
[TABLE]
and is the solution to the equation
[TABLE]
This distribution is a discretized Studentâs t-distribution with 3 degrees of freedom. Although equation (19) does not have a closed form solution for , one may calculate it numerically. We can then calculate the extremal variance based (EVB) estimator . This is the extremal max-entropy consistent with the variance . From this we get an estimate for from eqn (4). This is plotted in Fig. 6 for a gaussian state with parameters similar to our experiment.
In these conditions, we see that the EVB estimator shows no bias, the mean value does not change with the sample size. Moreover, by construction, the mean of the EVB estimator for is always smaller than . Unlike the frequentist estimators, the EVB estimator does not over-estimate . However, because the EVB estimator uses only the variance instead of the whole distribution it does not converge to even when the sample size is large. It will only converge to if the check-quadrature distribution happens to be the discretized Studentâs t-distribution (16).
We note that here, the theory and simulations were computed for Gaussian states. The bias results will differ for other input state and in some cases the EVB estimator can still be positively biased. This is because even though the variance estimator is unbiased, the max-entropy is a concave function of the variance. This means that it will have a negative bias. This is illustrated in Appendix B. However, we can get a confidence interval on the variance from the sampled data and from this we can arrive at a confident estimate for the max-entropy.
IV.3 Comparison of the different estimator performances
A comparison on how the different estimators perform with increasing sample size for a vacuum state input is shown in Fig. 7. The frequentist estimator has a positive bias leading to an overestimation of the secure randomness rate which can compromise the security of the random numbers. In contrast, the EVB and both Bayes estimators have a negative bias which leads to an underestimation of the secure randomness rate. Of all the estimators, the Bayesian peaked prior estimator is the most conservative, it will significantly underestimate the bound even for large sample sizes.
Finally we note that even with an unbiased estimator for , one should not take its mean value as the point estimate. Doing this will lead to a 50% probability of over estimating . Instead, one should get a point estimate based on its confidence interval and a required failure rate.
V Conclusion and outlook
We demonstrated a real time source independent QRNG incorporating measurement basis switching and hashing using a squeezed state of light as a source of entropy. The protocol was also validated on different thermal states. In the real time demonstration, the sample size was limited by the finite computational resource. A valuable lesson learnt from this demonstration is that due to finite size effects, the frequentist estimator can lead to an underestimation of the max-entropy due to its biased nature. This can lead to an underestimation of the adversaryâs knowledge on the measured data. To mitigate this potential problem, we propose three different ways for estimation of the max-entropy. Which one of these estimators the experimenter picks will depend on his level of paranoia.
We note that this estimation problem does not arise in a trusted source QRNG where confidence interval on entropy estimator can be calculated from the knowledge of the source. Nor does it appear in asymptotic CV quantum key distribution (QKD) protocols where the measured distribution can be assumed to be Gaussian due to optimality of Gaussian attacks GarcĂa-PatrĂłn and Cerf (2006); NavascuĂ©s et al. (2006). For Gaussian distributions, it is then easy to construct a confidence interval for the max-entropy. However, in a source independent protocol, we see that a Gaussian distribution is not the best that the adversary can do. Hence assuming a Gaussian distribution might lead to an underestimation of her knowledge.
The bit rate was limited by three main factors. First, the slow real-time hashing of the raw bits which was done on a desktop computer. Second, the mechanical beam blocking in check measurement. Third, the limited squeezing bandwidth. The first limitation can be circumvented using a fast programmable gate arrays (FPGA) to hash. We foresee that implementing the hashing on an FPGA would allow us to reach the GHz regime Zhang et al. (2016). The second limitation is less stringent since the beam blocking only happens during the check-measurement. In our setup, the check-measurement was performed with a probability and the data-measurement is not limited by these slow mechanical beam blocks. Furthermore, one may use faster, non mechanical ways to block the beam, for example by using acoustic optical modulators to deflect the beams. The third limitation in this experiment was the squeezing bandwidth which is imposed by the bandwidth of the OPA squeezing cavity. Hence, using a squeezed state source may limit the bit rate through bandwidth limitation more than it improves it through the higher security rate. This limitation can be circumvented by using a single pass OPA with would offer squeezing over much larger bandwidths Ast et al. (2013).
In conclusion, we demonstrated a real-time source independent maximum bit rate of 8.2 kbits per second with a squeezed state source, and from 5.2 to 7.2 kbits per second with thermal source depending on the variance of the source.
VI Acknowledgement
This work was funded by the Australian Research Council Centre of Excellence and Laureate Fellowship schemes (CE110001027 and FL150100019). Our research is also supported by The Defence Industry and Innovation Next Generation Technologies Fund.
We thank Nathan Walk for useful discussions and comments on this work.
Appendix A Extremal distribution for max-entropy with a fixed variance
Suppose we experimentally observed a discrete distribution in a finite support. From the variance of this distribution, we can upper bound its entropy. To do that we shall derive the probability distribution that maximizes the entropy for a fixed variance. We note that entropy does not depend on the labels of the bins; to have a tighter bound we can rearrange the bins to minimize the variance.
Here we derive the probability distribution maximizing max-entropy for a fixed variance in a finite support setting. We want to find the extremal distribution that maximizes the max entropy:
[TABLE]
over the finite support for integer values subject to the normalization constraint and fixed variance condition:
[TABLE]
We first show that the extremal distribution must be symmetric with . From an arbitrary distribution , we can construct a symmetrized distribution with
[TABLE]
This distribution will have a smaller variance, but higher max entropy . The first statement holds due to and . The second statement follows from the concavity of the entropy function:
[TABLE]
Hence, the extremal distribution is symmetric and has zero mean.
To find the extremal distribution , we write the Lagrangian as:
[TABLE]
L attains a stationary point when
[TABLE]
Multiplying both sides by and summing over , we obtain the relation:
[TABLE]
This together with the constraint allows us to write
[TABLE]
We recognize this as a discretised version of the non-standardized Studentâs t-distribution with 3 degrees of freedom and standard deviation :
[TABLE]
When and , we retrieve the continuous limit, and . This is consistent with the known result that the Studentâs t-distribution are the extremal continuous distribution for  Johnson and Vignat (2007).
A necessary condition for the Lagrange multiplier is obtained from the constraint which gives an implicit equation:
[TABLE]
Numerically, we see that there can be more than one real solution for . The extremal is given by the solution that is closest to zero.
Appendix B Small number of bins example
In this Appendix, we show that under extreme cases when the number of bins is very small, when the number of samples are very small or when the input state saturates the extreme bins, some of the estimator for proposed in the main text may still be negatively biased, which would lead to a positive bias on . To illustrate this we considered three different distributions with only nine bins as shown in Fig. 8. The only estimator that shows no negative bias is the peaked prior Bayes estimator.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Hellekalek (1998) P. Hellekalek, Mathematics and Computers in Simulation 46 , 485 (1998) . · doi â
- 2Dodis et al. (2013) Y. Dodis, D. Pointcheval, S. Ruhault, D. Vergniaud, and D. Wichs, Proceedings of the 2013, ACM SIGSAC conference on Computer and communications security - CCS â13 , 647 (2013) . · doi â
- 3Herrero-Collantes and Garcia-Escartin (2017) M. Herrero-Collantes and J. C. Garcia-Escartin, Reviews of Modern Physics 89 (2017), 10.1103/Rev Mod Phys.89.015004 , ar Xiv: 1604.03304. · doi â
- 4Marsaglia (1968) G. Marsaglia, Proceedings of the National Academy of Sciences 61 , 25 (1968) . · doi â
- 5Ferrenberg et al. (1992) A. M. Ferrenberg, D. P. Landau, and Y. J. Wong, Physical Review Letters 69 , 3382 (1992) . · doi â
- 6Uchida et al. (2008) A. Uchida, K. Amano, M. Inoue, K. Hirano, S. Naito, H. Someya, I. Oowada, T. Kurashige, M. Shiki, S. Yoshimori, K. Yoshimura, and P. Davis, Nature Photonics 2 , 728 (2008) . · doi â
- 7Marangon et al. (2015) D. G. Marangon, G. Vallone, and P. Villoresi, Scientific Reports 4 (2015), 10.1038/srep 05490 . · doi â
- 8Ma et al. (2016) X. Ma, X. Yuan, Z. Cao, B. Qi, and Z. Zhang, npj Quantum Information 2 (2016), 10.1038/npjqi.2016.21 . · doi â
