Certified Quantum Random Numbers from Untrusted Light
David Drahi, Nathan Walk, Matty J. Hoban, Aleksey K. Fedorov, Roman Shakhovoy, Akky Feimov, Yury Kurochkin, W. Steven Kolthammer, Joshua Nunn, Jonathan Barrett, Ian A. Walmsley

TL;DR
This paper presents an ultrafast, secure quantum random number generator that operates at 8.05 Gb/s using an untrusted light source, with rigorous security guarantees suitable for cryptographic applications.
Contribution
It introduces and experimentally demonstrates the fastest composably secure quantum random number generator from an untrusted source.
Findings
Achieved 8.05 Gb/s random number generation rate.
Provided a fully composable security proof.
Demonstrated real-time operation with rigorous security parameters.
Abstract
A remarkable aspect of quantum theory is that certain measurement outcomes are entirely unpredictable to all possible observers. Such quantum events can be harnessed to generate numbers whose randomness is asserted based upon the underlying physical processes. We formally introduce, design and experimentally demonstrate an ultrafast optical quantum random number generator that uses a totally untrusted photonic source. While considering completely general quantum attacks, we certify and generate in real-time random numbers at a rate of Gb/s with a rigorous security parameter of . Our security proof is entirely composable, thereby allowing the generated randomness to be utilised for arbitrary applications in cryptography and beyond. To our knowledge, this represents the fastest composably secure source of quantum random numbers ever reported.
| Parameters | Value | |
|---|---|---|
| Number of output strings | | |
| Hashing block size | bits | bits |
| Hashes per string | | |
| Samples per hash | | |
| Min-entropy per sample | bits | bits |
| Hashing output length | bits | bits |
| Sample failure | | |
| Hashing failure | | |
| Single hashing failure | | |
| Total failure | | |
| Data limited bit rate | Gb/s | Gb/s |
| Average bit rate | Gb/s | Gb/s |
| -random bits per string | Gb | kb |

| Work | | | | | |
|---|---|---|---|---|---|
| Gehring et al. (2018) | DD | No | 10740 | 8000 | |
| Marangon et al. (2017) | sSDI | Yes | – | 1700 | – |
| Michel et al. (2019) | sSDI | No | – | 0.0082 | – |
| Brask et al. (2017) | sDI | N/A | – | 16.5 | – |
| Cao et al. (2016) | SI | N/A | 0.005 | – | |
| Liu et al. (2018a) | DI | N/A | 0.000181 | – | |
| | SDI | Yes | 8211 | 8050 | |
David Drahi
Clarendon Laboratory, Department of Physics, University of Oxford, Oxford OX1 3PU, UK
Nathan Walk
Department of Computer Science, University of Oxford, Oxford OX1 3QD, UK
Dahlem Center for Complex Quantum Systems, Freie Universität Berlin, 14195 Berlin, Germany
Matty J. Hoban
Department of Computing, Goldsmiths, University of London, London SE14 6NW, UK
Aleksey K. Fedorov
Russian Quantum Center, 100 Novaya St., Skolkovo, Moscow 143025, Russia
Roman Shakhovoy
Russian Quantum Center, 100 Novaya St., Skolkovo, Moscow 143025, Russia
Akky Feimov
Russian Quantum Center, 100 Novaya St., Skolkovo, Moscow 143025, Russia
Yury Kurochkin
Russian Quantum Center, 100 Novaya St., Skolkovo, Moscow 143025, Russia
W. Steven Kolthammer
Clarendon Laboratory, Department of Physics, University of Oxford, Oxford OX1 3PU, UK
Joshua Nunn
Clarendon Laboratory, Department of Physics, University of Oxford, Oxford OX1 3PU, UK
Jonathan Barrett
Department of Computer Science, University of Oxford, Oxford OX1 3QD, UK
Ian A. Walmsley
Clarendon Laboratory, Department of Physics, University of Oxford, Oxford OX1 3PU, UK
(June 3, 2020)
I Introduction
The inherent randomness of quantum theory, embodied by Born’s rule, creates fundamentally unpredictable events. The concept of a quantum random number generator (QRNG) is to leverage this principle to produce a random, unpredictable output with an unparalleled level of confidence. The central challenge faced by practical QRNGs is to rigorously quantify how much of the entropy generated by a real-world device is indeed intrinsically unpredictable.
To sketch the basic idea, let’s consider a device completely described by parameters which could be quantum or classical. These are used to generate a classical outcome that should appear unpredictable from the perspective of an agent external to the device. Consider such an agent with access to a system which includes all the parameters as well as any other side information (classical or quantum). For any given value of , the joint system is described by a classical-quantum state and the outcome’s predictability is simply the probability of the best guess
[TABLE]
where the supremum is taken over all measurements made by on the system and is the state of conditioned on . For a real device, however, is never known exactly. In this case, a conservative estimate of the predictability is given by , where the maximisation is taken over all plausible parameters . Confidence in the randomness is thus linked to claims about trusted workings of the device and subsequent constraints on the knowledge of the external agent.
Approaches to QRNGs differ by the detail with which the devices need to be characterised in order to constrain Herrero-Collantes and Garcia-Escartin (2017); Ma et al. (2016). Perhaps the simplest conceptually is a so-called device independent QRNG, which can take the form of a Bell test Pironio et al. (2010); Acín and Masanes (2016); Bierhorst et al. (2018); Liu et al. (2018a). In this case, the device must be composed of two isolated measurements that employ independently selected bases — a requirement that can be verified with high confidence. With this condition, as long as the measurement outcomes violate a Bell inequality, which in turn constrain the plausible Acín et al. (2012). In reality, however, even state-of-the-art implementations Liu et al. (2018b) are extremely complex and yield impractical bit rates of the order b/s. An alternate approach is to build a QRNG in which the entire device, from quantum source to measurement, is faithfully characterised and modelled Mitchell et al. (2015). Here, the detailed characterisation, which might use both off-line and in-line measurements, crucially constrains (and thus ) sufficiently to assert a non-unit . As such, this seemingly exhaustive type of characterisation of the setup, and hence trust in its proper inner workings, opens up a myriad of potential attacks and malfunctions which might compromise the randomness output.
A series of intermediate approaches have appeared, commonly referred to as having partial device-independence, which yield a QRNG that permits abstraction from some of the devices while needing a detailed characterisation of the remainder. These can be broadly classified as those that are independent of the measurement devices Cao et al. (2015); Chaturvedi and Banik (2015); Nie et al. (2016) or the sources Cao et al. (2016). A third class, known as semi-device-independent, makes no assumptions on either the source or measurements except to assert a global constraint on the relevant dimension Pawłowski and Brunner (2011); Lunghi et al. (2015), energy Himbeeck et al. (2017) or orthogonality of the relevant states Brask et al. (2017). Finally, other works have combined assumptions, such as the semi-source independent protocols (originally thought to be fully source-independent) that invoke a dimension assumption in conjunction with a calibrated detection Vallone et al. (2014); Marangon et al. (2017); Michel et al. (2019). These latter works exemplify the critical point that when analysing partially device-independent protocols, it is important to keep track of the interaction between trusted, but imperfect, devices and the certification techniques used to prove security against deviations in the untrusted components.
Successful design of a practical QRNG must balance confidence with ease of implementation, achievable bit rate, durability and cost. For example, QRNGs based on radioactive decay have limited bit rates, whereas those utilising electronic noise require careful distinction of quantum and thermal fluctuations Herrero-Collantes and Garcia-Escartin (2017). In contrast, optical QRNGs promise well isolated quantum systems along with speed and technical ease. Implementations have been based on photon welcher weg Rarity et al. (1994); Jennewein et al. (2000); Stefanov et al. (2000), photon arrival time Wayne et al. (2009); Nie et al. (2014), photon number statistics Ren et al. (2011), vacuum fluctuations Gabriel et al. (2010); Shen et al. (2010); Symul et al. (2011), phase noise Guo et al. (2010); Abellán et al. (2014); Nie et al. (2015) and Raman scattering Bustard et al. (2013); England et al. (2014).
In this paper, we develop a certification of quantum randomness generated by an optical beam splitter for which one input field is the vacuum and the other is completely unknown. The certification was carried out in real-time using an additional vacuum mode to tap off part of the unknown light source prior to the randomness generation. This method probabilistically infers a lower bound on the photon number of the remaining untrusted source impinging onto the randomness generation measurement. We show that signals from carefully characterised photodetectors, which needn’t resolve photon number, are sufficient to both generate and certify genuine quantum randomness.
Our approach results in a composably secure protocol and we provide an explicit security proof for high-speed quantum randomness expansion. Such a proof is necessary for all applications that wish to claim provable quantum-based security. A key or random string only becomes useful in composition with other protocols (one-time pad, hashing etc.) such that in order to retain provable quantum security, a composable proof is mandatory. To date, most randomness generation protocols fail to provide outputs that are useable in a composable framework, with, to our knowledge, only a handful shown to be composably secure in a device-dependent scenario Mitchell et al. (2015); Haw et al. (2015); Gehring et al. (2018) and only one partially device independent result Cao et al. (2016).
To experimentally demonstrate our scheme, we used off-the-shelf components — a laser source, high bandwidth photodiodes, basic linear optical elements and a high-performance field-programmable gate array (FPGA) board — and generated random numbers with a bit rate of Gb/s and a composable security parameter . Overall, our framework is compatible with a wide range of optical detectors and avoids the need to trust or precisely characterise the source of light, as opposed to conventional vacuum homodyning wherein a trusted photonic source is a necessity.
II Generating randomness from untrusted light
In Eq. (1), we quantified the randomness of an outcome for an external agent . As is common in quantum cryptography, we will refer to this agent as Eve the eavesdropper. An equivalent, but more convenient, way of quantifying this randomness is to compute the quantum conditional min-entropy of the quantum state for the joint system Renner (2008)
[TABLE]
where the argument of the logarithm is the guessing probability for Eve to guess , as in Eq. (1). This quantity has been shown to quantify the number of bits — almost perfectly random with respect to Eve — that can be extracted via post-processing Konig et al. (2009). Notice the distinction between a quantum randomness generator (QRG) which simply generates outputs with a certain conditional min-entropy and a QRNG that also includes the post-processing (hashing) necessary to produce almost perfect random numbers. This is worth mentioning because many results in the literature only implement the randomness generation without carrying out random number extraction in real-time. Note also that only by composably certifying the randomness generation process can the security of the extracted numbers be rigorously established.
A certified randomness generation protocol allows for some, or all, devices to deviate arbitrarily from their purported specifications. A certification test is applied to the experimental data and only upon that test passing is the output certified as having a certain amount of randomness, otherwise it is discarded. Furthermore, a useful generator will be robust, i.e. it will pass the test with high probability. Formally, we can define such a protocol as follows.
Definition 1.
An ()-certified randomness generation protocol produces an output made of measurement results such that
- Security: Either the certification test fails, or
[TABLE]
except with probability .
- Completeness: There exists an honest implementation such that the test will be passed with probability .
We define our source-device-independent (SDI) photonic QRG as a protocol in which detectors and passive optical devices (e.g. beam splitters) are taken to be trusted. Photonic states are generated via a laser as input to the experiment (essentially preparing a large amplitude coherent state); however, in the analysis we will not assume anything about the state of these photons, and in that sense we claim that randomness is generated in an SDI manner. Crucially, however, we also assume that it is possible to exploit a trusted vacuum mode. One might point out that this is in fact assuming at least one trusted source, namely the vacuum. Nevertheless, we argue that vacuum is a rather privileged source in the sense that it does not really require a “device” to be generated, merely the ability to block an input port to a beam splitter. Thus, it would seem highly preferable from a security perspective to trust a vacuum source rather than some photonic state created by a sophisticated device such as a laser or spontaneous parametric down conversion (SPDC) process. We also emphasise that the detection process here is distinct from a homodyne detection in that the incoming state is mixed with a vacuum mode instead of a local oscillator (large amplitude coherent state). Even more importantly, we model our measurements directly as opposed to the homodyne protocols Vallone et al. (2014); Marangon et al. (2017); Michel et al. (2019) which model this detection as a quadrature measurement. This is rather at odds with the goal of being SDI as that is only approximately true in the limit where one assumes that the input signal has far fewer photons than the local oscillator. In Section VI and Appendix G, we will also discuss how our measurement scheme has different, and in many cases, superior scalings of the certifiable randomness rates than standard homodyne based protocols.
To gain some intuition, let us start by considering the randomness generation measurement depicted in Fig. 1. It consists of a beam splitter BS0 with reflectivity , an input mode R, a trusted vacuum fed into the other input mode and two output photodetectors A and B performing a difference measurement. Assuming the photodetectors to be perfect, we can model them as performing a single measurement acting on the untrusted photonic randomness source in mode R. The outcomes of the measurement will be the photon numbers and detected by detectors A and B, respectively. Propagating this detection event back through the beam splitter and using our knowledge about the trusted vacuum mode, this measurement is then associated with positive-operator valued measure (POVM) elements of the form
[TABLE]
living in the Hilbert space of the input mode R (see Appendix A for details).
Given this, we now propose a simple certifiable randomness generation protocol. It consists of recording the value of the photon number sum and then using the difference measurement as the source of randomness. Therefore, we have two measurements: one of and one of . The POVM has elements for the measurement of that can be readily recovered as
[TABLE]
On the other hand, as we show in Appendix A, the POVM for the value of has elements given by
[TABLE]
We already see the inherent randomness of this scheme since has support over the whole Fock space. Therefore, for any state in mode R with total photon number , there will be multiple possible values which can occur. Moreover, there is a manifest independence from the photonic input state. Because the measurements described by and are by definition compatible, we can always think of the measurement happening first and projecting onto the state , which will subsequently produce randomness when measured with . Thus, conditioned upon observing a sum value of , one would certify with probability an amount of randomness that scales as as per Definition 1 and shown in Appendix A.
Now, consider the full setup shown in Fig. 1. We introduce the certification measurement in mode C which is done by tapping off a fraction of the completely unknown incoming light in mode E with a beam splitter BS1 of reflectivity . The input state is mixed with a trusted vacuum on BS1 and the reflected beam in mode C is measured at detector C while the transmitted beam in mode R is input to the randomness generation measurement. This idea is superficially similar to the “energy test” proposed in the context of device-dependent continuous variable quantum key distribution (QKD) Furrer (2014). This test also taps off a portion of the incoming mode but instead uses a trusted and ideal heterodyne detection for the certification measurement. Such a scheme is a priori forbidden in an SDI context (a trusted photonic source being necessary for a heterodyne detection) and, as we show in Appendix B, also fails to provide any security for realistic finite-range detectors.
Our test is applied to the output of detector C with the protocol aborting if the result lies outside a range . Upon passing the test, we obtain a certificate that , the photon number in mode R, lies within a range except with some failure probability . Then, by minimising the min-entropy over all states within this range, we obtain a certified lower bound on the generated randomness. For this idealised scenario, we could allow to be unbounded and would simply look to certify the largest possible value of given a specific .
III Certifying randomness with realistic devices
In a real experiment, several further complications must be taken into account. Even in a scenario of completely trusted and calibrated devices, care must be taken to quantify the amount of randomness that can be credibly claimed to have been generated. Firstly, real detectors only possess a finite dynamic range over which their response is meaningful. Secondly, measurement outcomes are coarse grained to a finite resolution which must be carefully accounted for when determining the output randomness. Finally, noisy devices will exhibit fluctuations due to processes not under complete experimental control. Information about these processes might be accessible to external observers and, even if not, could certainly be stemming from physical processes that are far from random. Nevertheless, this can be accounted for provided the device noise is calibrated and not controlled by Eve. This makes the noise essentially classical, in the sense that we may assume that it is described by variables which are distributed according to a characterised probability distribution. These variables are then given to Eve on a shot-by-shot basis.
Consequently, the first step for analysing our experiment is to carefully calibrate and model the realistic photodiodes, which output noisy voltage measurements rather than exact photon numbers. More formally, following the approach of Frauchiger et al. (2013), we model the POVM describing our noisy, characterised measurements as a projective measurement on a larger system. For the case of our detectors (see Fig. 6 in Appendix B for a cohesive summary), the measured voltages are modelled as follows. First, we consider an outcome photon number resolving measurement with a finite range described by measurement operators that are number state projectors (i.e. ), except for the first and last operators which are given by and . This photon number is converted to a voltage via a conversion factor and is then smeared by an additional Gaussian noise term of known variance and finally coarse grained by a -bit analogue-to-digital converter (ADC) that itself has only finite range and finite resolution of bins. However, to correctly quantify the randomness associated with each -bit measurement, it is essential for one to consider , the ADC’s effective number of bits (ENOB). Indeed, it corresponds to the amount of bits free of internal electronic noise. This effective bit depth leads to an effective voltage resolution . The output of such a realistic measurement is an index, say , corresponding to a voltage bin of width centered at . We can therefore associate minimum and maximum voltages with this outcome .
The certification measurement is made by mixing the unknown photonic input in mode E with vacuum on a beam splitter of reflectivity . The reflected mode C is then detected with a noisy photodiode (characterised by noise standard deviation and voltage conversion factor ) that is coarse grained by an ADC. The protocol aborts for sufficiently large or small observed voltages ( is now a test applied directly to the measured voltage index). Finally, the randomness is generated by mixing the transmitted state in mode R with another vacuum on a beam splitter with reflectivity and making a coarse-grained, noisy difference measurement characterised by noise standard deviation and voltage conversion factor . As with the ideal case, we can write the measurements as operators in the input Hilbert space. As shown in Appendix B, the POVM element for a realistic voltage difference measurement whose outcome is the bin labelled is
[TABLE]
with
[TABLE]
where are the POVM elements of a difference measurement that is identical to Eq. (5) except that it is made with finite range photodetectors described above and is hence only operationally equivalent over an input photon number range .
Similarly, the certification measurement element corresponding to the outcome bin labelled is given by
[TABLE]
with
[TABLE]
With this detection model in hand, we state our main theorem as follows.
Theorem 1.
An optical setup consisting of
- Two trusted vacuum modes
- Two beam splitters of reflectivity and
- Two noisy photodetectors used to make a difference measurement as described in Eq. (6)
- A third noisy photodetector used to make a certification measurement as described in Eq. (8) which passes the test if falls in a chosen range
can be used as a certified (m,,,)-randomness generation protocol as per Definition 1 without making any assumptions about the photonic source with
[TABLE]
where
[TABLE]
with ,
[TABLE]
where
[TABLE]
with
[TABLE]
provided is set to the saturating photon number of the difference measurement.
Moreover,
[TABLE]
using a coherent state as an input.
Proof sketch: For a complete proof, see Appendix C. The protocol consists of rounds, each of which is defined as a certification measurement subjected to the test and a randomness measurement sample that is registered in . One part of the proof is to show that, for any given round of the protocol, conditioned on passing the test , the state in mode R has support in the photon number basis that lies almost entirely in the range . More concretely, we maximise over all possible input states to upper bound
[TABLE]
the joint probability that the test would be passed in mode C whilst a photon number outside the range was present in mode R. This quantity can be interpreted as the probability that the conditional state in mode R can be operationally distinguished from any state solely supported within (see Appendix D).
The second part of the proof is to optimise over all possible input states with support only in to derive a lower bound on the conditional min-entropy. Note that a priori, Eve has the freedom to choose an input state that is potentially entangled across all rounds, i.e. we are considering completely general, so-called coherent attacks. Together, these results mean that either the min-entropy for a single round will be lower bounded or the protocol will abort except with probability . For rounds, one can simply add these lower bounds together to bound the min-entropy of the output concatenated string except with a probability
[TABLE]
as claimed in Eq. (12).
Intuitively, one would expect that Eve’s optimal strategy to predict the outcome of a difference measurement would be to input a pure Fock state and this is indeed the case. The key fact is that the realistic difference measurement is still diagonal in the photon number basis and that a -round protocol can be described as a tensor product of such measurements. Note that for the purposes of calculating the min-entropy, we consider the difference measurement in Eq. (6) from the perspective of Eve who knows the noise variable on a shot-by-shot basis, for which , where . The fact that this measurement commutes with a diagonalising map in the photon number basis makes it straightforward to show that Eve’s optimal guessing probability is achieved by inputting a pure Fock state. Provided we choose less than , the saturation value for the detectors, then direct calculation shows that the guessing probability decreases monotonically in . Thus, for states restricted to , the smallest min-entropy is achieved by inputting . Finally, the fact that the coefficients in Eq. (5) are those of a binomial distribution can be used to show that Eve’s min-entropy is minimised whenever is minimal (0 or 1 depending on whether an odd or even photon number is input) and . Assuming that this is always the case, direct evaluation of yields the expression in Eq. (10).
Turning to the failure probability, we first define a failure operator which corresponds to taking the failure condition (i.e. a passing voltage is observed at detector C along with in mode R) and write it as an operator in the Hilbert space of Eve’s input mode
[TABLE]
Since this operator is also diagonal in the photon number basis, one can repeat the previous arguments to show that Eve’s optimal strategy to maximise this failure probability is also achieved by a Fock state.
The failure probability for a single round of the protocol can then be written as
[TABLE]
where .
To bound this quantity, we first use our knowledge of the certification noise variable . Except with probability , we know that . Substituting Eq. (18) in Eq. (19) yields two terms as the sum over decomposes as a sum for and . Provided we have , then there is no value of for which both terms will be simultaneously non-zero and we can write
[TABLE]
where () corresponds to the lower (upper) sum.
Both of these are essentially cumulative binomial distributions. For example, for a particular value of
[TABLE]
where is the smallest photon number allowed at mode C consistent with passing the test.
For unbounded , it would be impossible to determine or , but again using , we can do so except with probability . If we define as the minimum (maximum) voltage compatible with the passing range , we can obtain a minimum (maximum) photon number () for mode C compatible with passing the test. The varying lower limit on the sum in Eq. (21) stems from the fact that for Eve to cheat, there are two constraints on . First, it must be the case that a sufficiently large number of photons go to detector C such that the test is passed, but for sufficiently large this condition is superseded by the requirement that less than photons go to mode R. Arguments based upon the nature of the binomial coefficients allow us to show that to maximise , Eve should choose the input state . This can be directly substituted into Eq. (21) and the application of Hoeffding’s bound yields the term appearing in Eq. (14). Finally, an analogous argument can be applied to bound as per Eq. (14). In combination with Eq. (17) and Eq. (20), this completes the security proof.
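The shape of the single-round failure bound sketched above can be checked numerically. The following is an added example, not code from the paper: it uses an idealised model (a photon-number-resolving detector at C, no Gaussian noise and no ADC binning), covers only the "too few photons in mode R" term, and the reflectivity and thresholds `REFL`, `C_MIN`, `N_MIN` are constructed values.

```python
"""Pass-the-test-but-too-dim probability for an ideal certification tap."""
import math

# Constructed parameters for illustration (not the experiment's values).
REFL = 0.1    # fraction of the input reflected towards detector C
C_MIN = 50    # fewest photons at C that still pass the test
N_MIN = 250   # photon number in mode R that the test is meant to certify


def log_binom_pmf(n: int, k: int, p: float) -> float:
    """Log of the Binomial(n, p) probability mass at k (log space avoids overflow)."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def eps_minus(n_in: int, refl: float, c_min: int, n_min: int) -> float:
    """P(test passes AND fewer than n_min photons reach R) for a Fock input |n_in>.

    Each photon goes to C with probability refl, so the count k at C is
    Binomial(n_in, refl). Passing needs k >= c_min; mode R is too dim when
    n_in - k < n_min, i.e. k >= n_in - n_min + 1. The lower limit of the sum
    is whichever of the two constraints is stronger.
    """
    k_low = max(c_min, n_in - n_min + 1)
    if k_low > n_in:
        return 0.0
    return math.fsum(math.exp(log_binom_pmf(n_in, k, refl))
                     for k in range(k_low, n_in + 1))


def hoeffding_tail(n_in: int, refl: float, c_min: int) -> float:
    """Hoeffding bound on P(Binomial(n_in, refl) >= c_min); 1.0 if it is trivial."""
    gap = c_min - n_in * refl
    if gap <= 0:
        return 1.0
    return math.exp(-2.0 * gap * gap / n_in)


def worst_case(refl: float, c_min: int, n_min: int, n_scan: int):
    """Scan Fock inputs 1..n_scan; return (worst photon number, its eps_minus)."""
    best = max(range(1, n_scan + 1),
               key=lambda n: eps_minus(n, refl, c_min, n_min))
    return best, eps_minus(best, refl, c_min, n_min)


if __name__ == "__main__":
    n_star, eps = worst_case(REFL, C_MIN, N_MIN, 800)
    print("worst-case Fock input:", n_star)
    print("exact failure probability:", eps)
    print("Hoeffding bound:", hoeffding_tail(n_star, REFL, C_MIN))
```

In this model the scan peaks exactly where the two lower limits on the sum coincide, and the Hoeffding value is a loose but rigorous ceiling on the exact binomial tail.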
IV Extracting Random Numbers from Certified Quantum Randomness
Finally, we turn to the task of actually extracting -secure random numbers for use in real-world applications. This can be achieved via two-universal hashing (detailed in Appendix E) which can be efficiently implemented using an FPGA. The details of the randomness extraction are critical in determining both the final speed and security of the QRNG. Firstly, one must obtain a composable certificate for how close the hashed outputs are to perfect randomness. Secondly, one needs to assess whether the randomness extraction is performed in real-time, i.e. at a rate greater than or equal to the randomness generation rate posed by the experiment. To precisely address these issues, the critical parameters are the FPGA’s hashing speed (number of hashes per second) and the hashing block size.
Regarding the composable security definition for the final hashed numbers, we can simply adopt the following standard secrecy criteria from the QKD literature Portmann and Renner (2014).
Definition 2.
Let be the random variable describing the measurements of a certified QRG protocol which succeeds with probability and let denote the result of a randomness extraction process applied to . The result is -secure if , the joint state with the eavesdropper, satisfies
[TABLE]
where is the trace distance and is the output of an ideal randomness source, defined as , with the uniformly distributed state on .
Due to the composable nature of our randomness generation protocol, we can apply previous results on hashing with quantum side information Tomamichel et al. (2011) to obtain the desired certificate in Eq. (22). Its precise formulation is given by the theorem below (see Appendix E for a full derivation).
Theorem 2.
A certified SDI (m,,,)-randomness generation protocol as defined in Definition 1 can be processed with a random seed of length via two-universal hashing to produce a certified SDI random string of length given by
[TABLE]
that is -complete and secure with
[TABLE]
To understand how such a system will perform, we will examine these security parameters in more detail beginning with . The raw data output by an -round QRG protocol will be a bit-string of length , where is the total number of bits recorded by the ADC for each measurement (recall that this is different from , the effective number of noise free bits that we used to lower bound the randomness). From Theorem 1, we know that the total min-entropy is proportional to the number of rounds, or alternatively the block length, and so we can write for some constants and . The extracted length can also be written in terms of a compression ratio defined by . Putting this together, we can rewrite Eq. (24) as
[TABLE]
To see the critical importance of the block size , consider the case of maximal compression. For fixed , there is a hard lower limit to the compression ratio given by , since the minimum possible output length is bit. This in turn necessitates a lower limit and hence a limit on the total achievable . This shows that a certain minimum block size is mandatory to obtain a given level of security. More generally, considering Eq. (25), it becomes clear that increasing allows us to either increase the compression ratio while keeping constant (i.e. linearly improving performance whilst maintaining security) or decrease while keeping constant (i.e. exponentially improving security whilst maintaining performance).
There is a further consideration in that augmenting the block size (i.e. taking more measurement samples ) has the deleterious effect of increasing the value of . This can be compensated by either altering the voltage thresholds used in the test at the cost of a decreased probability of passing the test , or inferring a smaller certified minimum photon number and hence a smaller min-entropy . This in turn feeds back into . Nevertheless, although one cannot arbitrarily increase , in practice it turns out that having a sufficiently large block size is imperative for maximising the overall performance of a QRNG setup. If the min-entropy per measurement is relatively low, then as per Eq. (25) and the discussion above, a small prohibits any randomness extraction whatsoever. As well as this in-principle limitation, in practice, the maximum achievable block size is typically limited by the technical parameters of the FPGA used for post-processing.
Therefore, depending upon the desired application, one may need to concatenate several blocks of hashed random numbers to obtain a final string of the requisite length. Intuitively, it should be possible to deliver shorter strings at a faster bit rate, given that less concatenation is required and hence worse security per hashed output string of length can be tolerated. Defining to be the number of output -bit concatenated blocks, one obtains a final string of the desired length with an overall security parameter given by
[TABLE]
as per Eq. (17) and Eq. (127) in Appendix E.
One can now readily observe that for a fixed final , a smaller number of concatenations would allow a larger value for and which in turn permits a larger compression ratio and thus a faster overall bit rate.
Turning to the final bit rate, there are two cases, depending upon whether it is the FPGA or the experiment itself which is the bottleneck. Consider the case when the hashing speed is slower than the experiment’s output data generation rate. Define as the FPGA clock rate (i.e. the inverse of the time it takes to carry out one hashing operation). Since each hashing operation outputs bits, the total bit rate is
[TABLE]
where the subscript denotes that the limiting time factor is the hashing speed.
The second case, which will hold for our real-time implementation, is when the experiment is slower than the hashing. Given an experimental data acquisition rate of , the total bit rate will simply be
[TABLE]
where the subscript denotes that this time, it is the data acquisition rate which is the limiting factor.
Ultimately, given that an honest implementation of the QRNG protocol passes with probability , the averaged generated bit rate is
[TABLE]
where the minimum discriminates between the two possible cases described above.
V Experiment
The experiment carries out two separate key tasks: the randomness generation and the real-time extraction of random numbers.
The experimental setup is displayed in Fig. 2 and consists of a fully fibre-connected architecture with commercially available components for the randomness generation, and a high-speed field-programmable gate array (FPGA) for random number extraction. Note that for the randomness generation experiment, measurement signals will be analysed with an oscilloscope in order to precisely characterise the randomness found in each measurement while the real-time extraction of random numbers will be faithfully performed on a dedicated high-performance post-processing board containing both an ADC and an FPGA.
V.1 Randomness Generation
The light source utilised is a continuous wavelength (CW) laser (Koheras Adjustik E15) at telecom wavelength nm. Note that the source’s linewidth is less than $100\,\mathrm{Hz}$, thereby ensuring it to be effectively single-frequency. The laser output is directed onto a fibre optical isolator (Thorlabs IO-H-1550APC) in order to prevent unwanted back reflections into the laser. A fibre optical variable attenuator (model MAP-220CX-A from JDSU) is used to generate different photon numbers impinging onto the QRG by varying the laser’s optical power. The certification and randomness generation measurements are implemented using standard fibre couplers (Thorlabs 10202A optimised for telecom wavelength) with reflectivities (i.e. 90:10) and (i.e. 50:50), respectively. Detector C — used for the certification measurement — is a fibre-coupled InGaAs PIN photodiode (Thorlabs DET08CFC/M) with a large bandwidth GHz, a responsivity $\eta_{C}=1.04\,\mathrm{A\,W^{-1}}$ at nm, a transimpedance gain $G_{C}=50\,\Omega$ and a measured electronic noise with standard deviation mV. On the other hand, the randomness generation measurement made of detectors A and B is implemented by means of a fibre-coupled AC-coupled balanced detector (Thorlabs PDB-480C-AC) with the following corresponding specifications: $BW_{D}=1.6\,\mathrm{GHz}$, $\mathrm{A\,W^{-1}}$ at $\lambda=1550\,\mathrm{nm}$, $\Omega$ and $\sigma_{D}\approx 3.05\,\mathrm{mV}$. Signals from the detectors are sampled by an oscilloscope (Lecroy WaveRunner 204MXi) with a GHz bandwidth, a sampling rate of $F_{S}=10\,\mathrm{GS/s}$ and a voltage resolution of $V_{\mathrm{max}}-V_{\mathrm{min}}=10\,\mathrm{mV}/\mathrm{div}$. The measurements are recorded by the oscilloscope’s ADC as an 8-bit output, but with a calibrated bit depth of $\Delta_{\mathrm{ADC}}=4.772$ bits.
This corresponds to the effective number of bits free of ADC internal noise. A total of 24 data sets were acquired, scanning the optical power input to the difference measurement from $0\,\mathrm{mW}$ to mW, corresponding to the balanced detector’s linearity response range. Each data set was acquired over $T=1\,\mathrm{ms}$, yielding 10 million samples per power setting.
To evaluate the certified randomness of this data for a desired failure probability , we must first fix such that (here we choose ). Then, given the difference measurement’s saturation power, we set equal to the corresponding saturating photon number and choose an upper voltage threshold in Eq. (14) such that . Finally, for a given lower voltage threshold , we solve Eq. (14) to find such that . This ensures that the photon number input to the difference measurement lies within except with probability and the certified randomness can then be determined by plugging into Eq. (10) to retrieve the conditional min-entropy.
This establishes the protocol’s SDI security as per Definition 1. However, to understand how much randomness we can expect to obtain in practice, we should also consider the protocol’s completeness. Typically, we will have some claimed specifications for the source and can choose thresholds accordingly. We would normally only attempt to certify a quantity and quality of randomness such that the corresponding test would be passed with high probability by a source satisfying the claimed specifications using Eq. (15). Here, for simplicity, for each input power, we will only allow ourselves to apply thresholds such that all measured samples pass the test.
In Fig. 3, the certified minimum photon number in mode R is plotted against the input optical power for various security parameters . The input power was scanned across the linear range of the balanced detector, with the voltage thresholds () at each power setting constrained such that all samples passed the test . Under these constraints, we chose a voltage threshold within the range mV to $39.2\,\mathrm{mV}$. As can be seen, the certified photon number scales linearly with the input power and vanishes for sufficiently small or large photonic inputs. For small powers, goes to zero as no positive solution for Eq. (14) with the required can be found. This is as expected given that, when a low photon number impinges onto detector C, one cannot discern the produced voltage from the detector’s inherent electronic noise. Alternatively, for large powers, one can easily achieve a small value for but it now is not possible to obtain a value of such that the total certification is valid for . This is also to be expected as one approaches the balanced detector’s saturating power. Finally, for increasing security (i.e. smaller ), decreases for a given input power and remains positive over a smaller range of inputs. Indeed, the penultimate data point is non-zero only for and no photon number can be certified with any security for the final point.
The main result of this new SDI framework is shown in Fig. 4, for which a comparison is made between the experimentally estimated min-entropy, various device-dependent (DD) min-entropy models and our SDI approach. The red data points are experimental estimates of the unconditional min-entropy for different average input powers of the laser. These have been calculated from histograms of the difference measurement (shown as inset to Fig. 4) output by the balanced detector. Given these histograms, a Gaussian fit was performed and the retrieved maximum probability was used to estimate the unconditional min-entropy via . This corresponds to a naive analysis where all observed fluctuations are assumed to be truly random. The red line is a device-dependent prediction for , calculated using our detector model and assuming that the laser is well modelled by a coherent state . The resulting curve fits the data well with a coefficient of determination , thereby confirming the validity of our modelling. In pink, corresponds to the usual device-dependent conditional min-entropy, assuming a known source but accounting for Eve’s knowledge of the electronic noise present in our measurement apparatus. As such, it is equal to but shifted down by the min-entropy associated with the electronic noise of the balanced detector. Finally, in green, orange and blue points, we show our SDI model for the certified conditional min-entropy for different values of the security parameter . These were calculated via Eq. (10) using the minimum certified photon numbers displayed in Fig. 3 for each .
When comparing the different min-entropies in Fig. 4, it is clear that the claimed level of randomness critically depends on what assumptions are made about the QRG. Indeed, if one were to naively take as a consistent min-entropy model, the QRG’s output would consequently be predictable since the electronic noise can be accessible to Eve. On the other hand, whilst correctly removes such classical side information, it nevertheless is a device-dependent model for which the experimentalist must trust the proper working of the entire setup, having carefully modelled it and its possible deviations. This means that such a scheme must be secure against all sorts of complicated attacks from Eve. In the canonical setup of Fig. 2, a key origin of experimental complexity arises from the input light source. Our approach provides total independence from such complexity whilst still certifying a substantial amount of min-entropy per measurement as well as an explicit quantification of its confidence given by . As can be seen in Fig. 4, we certify up to bit of min-entropy with for the penultimate data point. While this value is about half of what predicts, we argue that such a compromise is reasonable given that we can still achieve large randomness bit rates for the added SDI security. Indeed, the importance of our SDI protocol’s security is starkly illustrated by the final and initial input powers for which no min-entropy is assigned as opposed to the device-dependent model .
V.2 Real-Time Random Number Extraction
The real-time extraction of random numbers is performed with a dedicated post-processing Printed Circuit Board (PCB) whose content and functioning are both thoroughly detailed in Appendix F. Here, instead of using an oscilloscope to read the measurements output by the various detectors in the setup, voltage signals are directly fed to a bits bit-depth ADC (Analog Devices AD9625) capable of measuring analog inputs up to GHz with a sampling rate of GS/s as well as a large ENOB of bits. This represents a substantial improvement with respect to the ADC found in the oscilloscope used in the characterisation measurements in the previous section.
As a general principle, to maximise a QRNG’s final bit rate, it is important to use an ADC whose ENOB over bit-depth ratio is as large as possible for a given bit-depth . Indeed, for a fixed number of photons input to the randomness generation measurement, a large ENOB allows one to maximise the extractable certified min-entropy per sample since the noise contribution intrinsic to the ADC would be minimised. As explained in Section IV, the min-entropy in turn sets the upper limit to the compression ratio, . Although the ENOB is often not taken into account, this argument makes it clear why one should maximise rather than solely . Finally, the output of the ADC is sent directly to the FPGA (Zynq Ultrascale ZU9EG) in order to carry out hashing.
The real-time hashing of raw data was implemented using the concurrent pipeline algorithm based on Toeplitz matrix hashing Zhang et al. (2016). The idea of the algorithm is to improve the speed of post-processing by decomposing the large Toeplitz matrix of size into several submatrices of dimension and then simultaneously performing matrix multiplication with the raw data. The crucial task of determining , the number of rows for the submatrices, is explained in Appendix F.
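The sub-matrix decomposition described above can be checked in software. The following is an added Python sketch, not the authors' FPGA design or the code of Zhang et al. (2016); the index convention (an m x n matrix acting on n raw bits, defined by a seed of n + m - 1 bits), the chunk width k and all function names are assumptions, and the sample bits are constructed.

```python
"""Toeplitz (two-universal) hashing: direct product and pipelined sub-matrix form."""
import itertools
import random


def toeplitz_hash(seed, x, m):
    """Return T @ x over GF(2), where T is m x n with T[i][j] = seed[i - j + n - 1]."""
    n = len(x)
    if len(seed) != n + m - 1:
        raise ValueError("seed must hold n + m - 1 bits")
    out = []
    for i in range(m):
        bit = 0
        for j in range(n):
            bit ^= seed[i - j + n - 1] & x[j]
        out.append(bit)
    return out


def toeplitz_hash_pipelined(seed, chunks, m, n):
    """Hash raw data arriving in chunks, one m x k sub-matrix per chunk.

    Columns j0..j0+k-1 of T form a smaller Toeplitz matrix that depends only
    on a window of m + k - 1 seed bits, so each step needs just that window.
    The partial products are XOR-accumulated; XOR is order independent, which
    is what lets hardware evaluate the sub-matrix products concurrently.
    """
    if len(seed) != n + m - 1:
        raise ValueError("seed must hold n + m - 1 bits")
    acc = [0] * m
    j0 = 0
    for chunk in chunks:
        k = len(chunk)
        if j0 + k > n:
            raise ValueError("more raw bits than the block length n")
        lo = n - (j0 + k)                      # first seed bit of this window
        window = seed[lo:lo + m + k - 1]
        partial = toeplitz_hash(window, chunk, m)
        acc = [a ^ p for a, p in zip(acc, partial)]
        j0 += k
    if j0 != n:
        raise ValueError("chunks must cover exactly n raw bits")
    return acc


def split(x, k):
    """Cut the raw block into chunks of k bits (the last one may be shorter)."""
    return [x[i:i + k] for i in range(0, len(x), k)]


def collision_fraction(x1, x2, m):
    """Fraction of ALL seeds for which x1 and x2 collide (small n, m only)."""
    n = len(x1)
    hits = total = 0
    for seed in itertools.product((0, 1), repeat=n + m - 1):
        total += 1
        hits += toeplitz_hash(seed, x1, m) == toeplitz_hash(seed, x2, m)
    return hits / total


if __name__ == "__main__":
    # Constructed sample data. A fixed PRNG is used only so the run is
    # reproducible; a real extractor seed must be uniformly random.
    rng = random.Random(2024)
    n, m = 64, 16
    seed = [rng.getrandbits(1) for _ in range(n + m - 1)]
    raw = [rng.getrandbits(1) for _ in range(n)]
    full = toeplitz_hash(seed, raw, m)
    for k in (8, 5):
        same = toeplitz_hash_pipelined(seed, split(raw, k), m, n) == full
        print(f"chunk width {k}: matches direct product = {same}")
    # Two-universality: distinct inputs collide for a 2^-m fraction of seeds.
    print(collision_fraction([1, 0, 1, 1, 0, 0], [0, 0, 1, 0, 1, 0], 3))
```

The exhaustive collision count is only feasible for toy sizes; it illustrates the two-universal property that the security certificate relies on.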
To demonstrate our protocol, we ran a real-time random number extraction experiment in two distinct configurations producing either long or short strings. These address different real-world applications such as large scale simulations (e.g. Monte Carlo) for which Gb of random numbers are required and standard cryptographic protocols (e.g. Advanced Encryption Standard) typically employing random seeds of kb lengths. The parameters of both configurations are summarised in Table 1.
For the first configuration, we inserted an optimal input optical power of mW prior to the randomness generation measurement. The optimisation was performed such that the entire data would pass the certification test $\mathcal{P}$ with a probability $1-\epsilon_{c}=99.5\%$. This yields a certified min-entropy of $H^{\textnormal{SDI}}_{\textnormal{min}}(X|E)=5.32$ bits per sample acquired by the ADC with a security parameter $\epsilon_{\mathrm{fail}}=1.6\times 10^{-19}$. Next, we downsampled the digitised output of the ADC to $1.55\,\mathrm{GS/s}$ in order to remove any time correlation. This stream of bits was then fed to the FPGA for which the hashing algorithm described above was performed at a speed of $R_{\mathrm{hash}}=193.75\,\mathrm{MHz}$ and with a Toeplitz matrix of size bits and bits. We thus achieved a total bit rate of Gb/s with an overall composable security of , thereby generating in real-time string of length certified and composably secure quantum random numbers made of concatenations. Note that given the probability of passing the test, this obtained bit rate corresponds to a bit rate of Gb/s averaged over many runs and with the same level of security. In the second configuration, we took the inverse approach and avoided any concatenation (i.e. ), allowing for a larger hashing output length of bits. Every second, this resulted in strings of length kb each with a composable security of . The obtained bit rate was thus Gb/s with the same corresponding average bit rate Gb/s up to two decimal places. The numbers obtained from both settings were ultimately found to successfully pass the battery of NIST tests Rukhin et al. (2001).
This achieves an ultrafast and highly composably secure QRNG based on commercially available components and entirely independent of the incoming light source for which the random numbers are both composably certified and extracted in real-time. To our knowledge, this is the fastest composably secure QRNG (including device-dependent implementations) ever reported.
VI Discussion
We now return to the desiderata previously outlined for evaluating the usefulness of a QRNG device, namely, level of security, performance (achievable bit rate) and practicality (ease of implementation, durability, and cost). Our protocol used cheap and robust off-the-shelf components that lend themselves to prolonged, high-speed usage and would be amenable to miniaturisation in an integrated photonic architecture. Utilising an FPGA, we were able to implement the necessary hashing operations in real-time by using the pipeline algorithm of Zhang et al. (2016) detailed in Appendix F. Moreover, we hashed relatively large blocks which allowed us to extract random numbers at close to the optimal possible rate given the randomness source.
Another consideration when developing a protocol for certified randomness is whether such a protocol is composably secure Renner (2008); Portmann and Renner (2014). That is, whether the output of the protocol can then be used as an input to other cryptographic protocols without compromising the security. For example, it can be input to a randomness extractor along with a seed to achieve certified randomness expansion using well known techniques Frauchiger et al. (2013); Tomamichel et al. (2011). Very few implementations enjoy such composable security proofs in either the device-dependent Mitchell et al. (2015); Haw et al. (2015); Gehring et al. (2018) or partially device-independent case Cao et al. (2016). Whilst there is a device-independent result that produces random strings that may be composed Liu et al. (2018a), it is still unknown whether fully device-independent protocols are secure under composition of devices without extra assumptions, e.g. devices are memoryless Barrett et al. (2013). It is thus necessary for the moment to move beyond device independence if one desires a fully composably secure protocol.
In terms of security and performance, our work considers completely general quantum attacks and achieves significantly higher bit rates for a given security parameter than the fastest known source- (kb/s in Cao et al. (2016)), measurement- (kb/s in Nie et al. (2016)), semi- (Mb/s in Brask et al. (2017)) or fully device-independent protocols (b/s in Liu et al. (2018a)). The only directly comparable work which offers a source-independent composable security proof is Cao et al. (2016), whose randomness generation rate we improve upon by more than 6 orders of magnitude. In fact, our work achieves the highest composably secure bit rate for any level of device assumptions, including the fastest device-dependent implementations Gehring et al. (2018).
The experimental architectures most similar to ours are a recent series of papers that involve homodyning the vacuum Marangon et al. (2017), or squeezed state Michel et al. (2019), or dual-homodyning the vacuum Avesani et al. (2018) and were claimed to be SDI. Indeed, these works also achieve impressive rates as high as Gb/s. To derive a SDI proof, these works apply entropic uncertainty relations Furrer et al. (2014); Furrer (2014) that can, in principle, lead to devices for which randomness can be certified even if the source of quantum states is completely unknown, provided the measurements acting on these states are well-characterised. However, for realistic homodyne detectors with finite range, the corresponding uncertainty relation becomes trivial and no randomness can be certified Furrer et al. (2014). Even in the case of infinite range detectors, the modelling of a photon difference as a quadrature measurement is only valid in the case where the input photon is small with respect to the local oscillator. This problem can be ameliorated but only at the price of introducing an energy assumption (similar to the semi-device-independent approach) upon the source, thus jeopardising the claimed source independence.
A final technical point is that, although the importance of considering digitisation noise via the ENOB of the ADC has been pointed out previously Zhang et al. (2016); Marangon et al. (2017), many experiments fail to take this into account. This key consideration has the effect of reducing the retrievable min-entropy per sample, thereby considerably lowering the bit rates reported in the vast majority of the corresponding literature. A comparison of the security, assumptions and performance of a selection of other works compared to ours can be found in Table 2.
Finally, we turn to a quantitative comparison between this work and earlier protocols based on homodyne detection in the device-dependent Haw et al. (2015); Gehring et al. (2018) and semi-SDI contexts Marangon et al. (2017); Avesani et al. (2018); Michel et al. (2019). Strictly speaking, direct comparison with the semi-SDI protocols is impossible since these fail to give a composable security parameter. Also, in practice the achievable rates depend heavily on many technical constraints such as the detector noise and especially the effective number of ADC bits. In Fig. 5, we consider a simpler calculation of the min-entropy generated in a single round using ideal equipment to compare the ultimate rates of these different protocols. The security parameter for the displayed SDI curves is chosen to be with the honest passing probability chosen as . For the EUR protocol, the probability of making a randomness generating measurement was set to be and the photon number of the local oscillator used in the homodyne detection was . Details of the calculations are given in Appendix G.
For certain input states we identify fundamentally different scalings in some instances. Although we actually consider upper bounds on the rates for the device-dependent and semi-SDI schemes, thereby penalising this work by comparison, we see dramatically different scalings between this work and the semi-SDI homodyne scheme. As can be observed in Fig. 5, if the input state is one half an entangled two-mode squeezed vacuum state (i.e. a thermal state) or a coherent state, then the randomness of homodyne protocols decreases as a function of the photon number of the input state whereas the randomness of the present protocol monotonically increases. For sufficiently large photon numbers, this work scales identically to the device-dependent case, thereby achieving significantly improved security with only a constant factor reduction in performance. Moreover, it should be noticed that for an input coherent state, the photon number from which this work’s generated min-entropy surpasses that obtained from the EUR protocol is relatively small (i.e. ). This crossing point and the ensuing advantageous scaling make this work even more desirable from a realisation point of view since it occurs for a coherent state, the most practical and hence widely utilised state in experimental quantum optics. Overall, these key considerations highlight the fundamental quantitative differences between this work and traditional homodyne based protocols.
VII Conclusion
In summary, we presented and experimentally implemented a SDI protocol based on the quantum nature of untrusted light. Our QRNG achieves both state-of-the-art ultrafast randomness generation and real-time random number extraction with a bit rate of Gb/s whilst providing a rigorous and specific security parameter of for the generated random numbers with no assumptions on the light source. There are several avenues for improvement. A higher bandwidth balanced detector for the randomness generation speed as well as a larger effective bit-resolution of the ADC for the retrievable min-entropy per sample are primary examples among them. Lastly, the present configuration could be upgraded by connecting more randomness sources (say of such sources) to the same FPGA and carrying out parallel real-time post-processing. This would achieve an unparalleled average QRNG bit rate of for the same level of composable security.
VIII Acknowledgements
This work was supported by funding from the UK Engineering and Physical Sciences Research Council (EPSRC) National Quantum Technology Hub in Networked Quantum Information Technologies (NQIT). NW acknowledges funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant agreement No. 750905. A.K.F acknowledges RBFR grant No. 18-37-20033.
Appendix A Certifiable randomness of ideal difference measurement
To begin with, consider the randomness generation measurement of Fig. 1. It consists of a beam splitter BS0 with reflectivity , an input mode R, a trusted vacuum fed into the other input mode and two output photodetectors A and B performing a difference measurement. It simplifies matters greatly if we can prove that the potential eavesdropper in charge of our photonic source is making definite photon number states (i.e. Fock states) for each round of the protocol. In particular, we would like to rule out any sophisticated, collective strategy where Eve sends a complicated state that is entangled across all rounds of the protocol.
Intuitively, this should be the case because the randomness generation measurement for each round is a photon number difference and can be thought of as a coarse graining over an initial measurement that is diagonal in the Fock basis. Here, this is shown by writing out the POVM directly and the optimality of unentangled Fock state inputs from Eve’s perspective becomes explicit.
For a single round, the entire process of mixing with a vacuum ancilla and then making Fock state projections upon both output ports can be seen as a POVM on , the Hilbert space of . Consider the probability for detecting and photons at detectors A and B. This is given by
[TABLE]
where
[TABLE]
is the corresponding POVM element in the input state Hilbert space (with the subscript R suppressed for brevity). This expression is just the evolution of the Fock state projections back through the beam splitter BS0 and projected onto the vacuum ancilla. To get an explicit expression, it is simpler to switch to the Heisenberg picture for the reverse beam splitter transformation
[TABLE]
Acting on the left with on the ancilla mode implies that we must have , thus
[TABLE]
and hence
[TABLE]
where we have substituted in the total photon number . As expected, each POVM element is proportional to a single Fock state of fixed photon number and the coefficient can be understood intuitively. Indeed, each of the photons can be thought of as individually randomising at the beam splitter. The probability for a specific sequence of paths taken by each photon is and thus the probability of observing the POVM element is the number of paths such that out of photons could have been recorded at detector A, which is as above.
If we consider the sum measurement, it is just a coarse graining over the two outcome POVM, summing together all the elements such that . The POVM elements of the sum measurement are
[TABLE]
Using the fact that , we can see that and it is thus just a photon number projector as expected.
The randomness generation measurement is another coarse graining. However, it will turn out to have larger rank and consequently some randomness for all possible input states other than the vacuum. Define as the POVM elements of the randomness generation measurement corresponding to the cases where . These are given by
[TABLE]
if is positive and
[TABLE]
if is negative or
[TABLE]
for all .
Note that for even (odd), then only has support over even (odd) number states. Clearly, if Eve inputs a vacuum state, then the difference outcome can be predicted with certainty as . However, as pointed out in the main text, if Alice observes a value for her sum measurement, then regardless of the original input, she performs a projection onto the state and can immediately calculate the guessing probability of the measurement from Eq. (38) and hence the associated min-entropy. For perfect measurements, this would guarantee the min-entropy with certainty and in a SDI manner.
Now, consider the full setup shown in Fig. 1. We introduce the certification measurement in mode C which is done by tapping off a fraction of the completely unknown incoming light in mode E with a beam splitter BS1 of reflectivity . The input state is mixed with vacuum on BS1 and the reflected beam in mode C is measured at detector C while the transmitted beam in mode R is input to the randomness generation measurement. For simplicity, we will imagine that the outcome at detector is also always given to Eve. Writing the photon number projections as operators on the input Hilbert space is the same calculation as Eq. (34), except now with a beam splitter of reflectivity instead of . This gives
[TABLE]
and hence the certification measurement has elements
[TABLE]
Given this measurement, one cannot exactly determine the number of photons in mode R incident onto the randomising beam splitter BS0, but one can obtain a lower bound on the min-entropy of such measurements except with some failure probability . Specifically, we impose a test at detector C which is passed if the measured photon number is greater than a lower threshold .
Upon passing the test , we certify a lower bound on the photon number in mode R impinging onto the randomness generation measurement. We formally state and prove this result below.
Theorem 3.
An optical setup consisting of
- Two trusted vacuum modes
- Two beam splitters of reflectivity and
- Three ideal photon counting detectors A, B and C
utilised to perform a certification measurement modelled by Eq. (40) with lower threshold and a randomness generation measurement modelled by Eq. (38) can be used as a certified (m,,,)-randomness generation protocol as per Definition 1 without making any assumptions about the photonic source with
[TABLE]
[TABLE]
and
[TABLE]
using a coherent state as an input.
Proof.
Security: The key feature here is the diagonal nature in the photon number basis of all measurements performed in the protocol. We first prove a Lemma regarding such measurements.
Lemma 1.
For a -round, SDI protocol involving a measurement in each round that is diagonal in the number basis with elements
[TABLE]
Eve’s optimal strategy to maximise the probability of a desired outcome is to input a pure Fock state for each round. Moreover, this remains true for inputs with restricted support in the Fock basis.
Proof.
One way to see this is to consider a diagonalising map in the Fock basis applied to the input of the round
[TABLE]
This operator commutes with the measurement and there is no operational way for Eve (or anyone else) to distinguish between directly measuring or measuring after first applying . As such, we could imagine that we are in fact always applying to each run of the protocol. (Footnote 1: That is, the probabilities for any string of measurement outcomes satisfy where with . Note that denotes the trace over all modes except the mode.) To start with, since satisfies the definition of an entanglement breaking map Horodecki et al. (2003), we may safely conclude that Eve’s optimal strategy will not include any entanglement as there is no way for such entanglement to be noticeable. Moreover, if we consider any individual round of the protocol, we can write its purification as a mode held by Eve (including potentially all the other rounds of the protocol) in the Schmidt form (with not necessarily the Fock basis) and act upon it. This yields
[TABLE]
where . This means that the most general state Eve can effectively prepare for the input mode E is of the form
[TABLE]
where . In other words, the input state for each run of the protocol is effectively just a mixture of Fock states (potentially classically correlated between rounds). Intuitively, one would imagine that the best strategy for Eve would be to choose a state such that is indeed the Fock basis and, moreover, to make simply a delta function at some fixed .
We can show this as follows. Let be the distribution of the optimal input state that maximises the probability of and be the Fock state coefficients for that element as given in Eq. (44). Then, Eve’s optimal probability is given by
[TABLE]
where we have defined as the value that achieves the maximum. This optimal guessing probability would be saturated by choosing an input state , therefore the optimal input state is indeed a pure Fock state.
Note that the result extends straightforwardly to the case where the input state is restricted to have support only over a finite range of number states . Let be a probability distribution over , be the value of the most likely POVM element of the difference measurement given that input state and be the Fock state coefficients for that element as given in Eq. (38). Then
[TABLE]
Therefore, the optimal input state is with . This result can be independently applied to each run of the protocol (by including the other rounds in the purification, Eve has already been granted the option to utilise a sophisticated collective encoding), hence we can conclude that Eve’s optimal probability to obtain a string of outcomes for all rounds is to choose a single Fock state for each round.
∎
Given Lemma 1, we now lower bound the min-entropy under the assumption that Eve’s input state only has support over number states in the range . Eve’s guess for the difference measurement outcome will always be just the outcome of the most likely element of the difference element defined in Eq. (38). Thus, if we choose to be the most probable outcome of the difference measurement (whatever that might be), then we can immediately conclude that for input states restricted to have support only over the range , Eve’s optimal strategy to maximise the occurrence of (and hence her guessing probability) will be to input a number state . In fact, it will be optimal to input the smallest number state . We have
[TABLE]
where in the penultimate line, we used the fact that is maximal for and monotonically decreases for greater and smaller values of , which means that the smallest allowed will be optimal. In the final line, we used that decreases monotonically in . To see this, first note that for even and for odd . Thus the ratio of successive terms is
[TABLE]
Substituting this optimal guessing probability into the definition of the conditional min-entropy gives the expression in Eq. (41).
Now, we show that provided that in each round the certification measurement outcome is above a certain threshold , the input to the randomness generation measurement is -indistinguishable from a state with support only over . The worst case scenario would be that whenever Eve can distinguish the real state from one with restricted support, she learns the full measurement record. We can thus interpret this distinguishing probability as a lower bound to the failure probability for the whole protocol.
Specifically, we are interested in the probability where the certification measurement takes a value which passes our test whilst simultaneously a smaller than desired number of photons goes to the randomness generation measurement, thereby representing a failure of the protocol. As such, we introduce a failure operator corresponding to there being or fewer photons in mode R given photons in mode C expressed as
[TABLE]
The failure probability for Eve successfully cheating the test in a single round is then given by
[TABLE]
It is straightforward to see (and we show it in Appendix D) that this probability is also explicitly the probability of passing the test, multiplied by the distinguishing probability between the real input to the randomness measurement, , and the closest state with support solely in the range as one would expect in a composably secure framework. Since is once more diagonal in the photon number basis, we can again apply Lemma 1 to conclude that Eve’s optimal strategy is achieved by a single number state . Substitution via Eq. (52) gives
[TABLE]
The lower limit on in the sum comes from the fact that for , the requirement for at least photons at detector C is superseded by the requirement that there be less than photons in mode R which implies . In fact, we show that Eve’s optimal input is to send precisely photons. The summand is a generic binomial distribution
[TABLE]
such that the failure probability in Eq. (54) can be seen as the complement of the binomial cumulative distribution function (CDF). For a fixed lower limit in the sum, the failure probability increases monotonically with . However, once , the situation is more complicated because the limits of the sum change as well as the summand. Indeed, instead of running from to , it will run from to as argued above. We now show that the difference between successive terms of the sum for all values larger than this threshold is negative and thus the function is monotonically decreasing in . Hence, it reaches its maximum for .
For , we can write for the corresponding successive input Fock states as
[TABLE]
where we used Pascal’s identity and in the last line.
Using the following result
[TABLE]
where is the hypergeometric function, it can be shown after some algebra that Eq. (56) simply reduces to
[TABLE]
which is always negative for any . Moreover, Eve adding extra photons will always result in deleting the lowest term in the summation in Eq. (54) so that the failure probability monotonically decreases for all . Thus, the optimal value for Eve to maximise the failure probability is the single Fock state with photon number . Substitution into Eq. (54) then gives
[TABLE]
where the last line is given by Hoeffding’s inequality which states that for a binomial distribution with , one gets
[TABLE]
Finally, the probability that any one of the rounds fails is the complement of the probability that all of them pass, thus
[TABLE]
which is precisely the result stated in Eq. (42), thereby completing the proof.
Completeness: Substituting in the number state expansion for a coherent state and calculating the probability for the certification test to pass via Eq. (52) gives the desired result expressed in Eq. (43).
∎
Appendix B Modelling Detectors
Here, we remove the idealised assumptions from the previous section and present a detailed detector model.
B.1 Finite range of photodetectors
As a first idealisation, we shall remove the assumption of infinite dynamic range for the photodiodes. In fact, the detectors only respond linearly above and below certain photon number thresholds, namely and . In reality, as the detectors enter this nonlinear regime, there will still be quantum randomness in their outcome statistics, but we take the worst case view and assume that all states with overly large or small photon numbers will be mapped with certainty to “end bins”, thereby yielding no such randomness. Thus, instead of a sum over all photon number states, we model a photodetection with measurement operators given by
[TABLE]
This can make quite a difference to the output randomness since if Eve either inputs a sufficiently small or large number of photons, she can be sure that the lower or upper outcome will occur on detectors A and B, leading to a difference outcome of 0 with certainty. This can be seen directly by calculating the difference measurement POVM elements using finite range photodetectors as an operator in Eve’s input Hilbert space as before to find
[TABLE]
where
[TABLE]
For states with an appropriate photon number support, a difference measurement made using finite range photodetectors will be virtually indistinguishable from the ideal difference measurement in Eq. (38). Specifically, if a number state is input to a difference measurement with two detectors A and B that have linearity ranges such that , then the probability that either detector will register a number of photons outside its linear range will be given by the tails of a binomial distribution. It can then be checked whether this probability is smaller than the other failure probabilities in the protocol (typical realistic values will render it far smaller, i.e. ). Alternatively, one can also directly empirically verify the linear response range of a difference measurement by inputting a known photonic laser source and observing that the difference variance indeed grows linearly when the laser’s optical power is increased.
This finite range of the photodetection also applies to the certification measurement in mode C using a finite range detector with linear range and possible outcomes. We have
[TABLE]
where is given in Eq. (40).
Finally, we can also write the failure operator associated with this certification measurement. It will be similar to the ideal case in Eq. (52) except for the end bins. The failure of the protocol occurs when the test is passed and there are either too many (more than ) or too few (less than ) photons incident onto the difference measurement. We obtain the following failure operator
[TABLE]
Parenthetically, we note that finite-range considerations expose a problem with the proposed solution to saturation attacks found in Furrer (2014) within the context of continuous-variable QKD. There, the idea is to tap off a small amount of the incoming light and measure it via a dual-homodyne (heterodyne) detection, aborting the protocol if a sufficiently large value of the heterodyne measurement is observed. While this solves the problem in the limit of perfect, infinite-range detectors, for any realistic finite-range detectors, this procedure itself is vulnerable to a saturation attack. To see this, consider an individual homodyne detection of one of the two field quadratures: the incoming signal is mixed with a local oscillator and the difference between the two detectors’ signals is taken. However, a sufficiently bright input signal would saturate each individual detector such that it outputs its maximum value, meaning that the difference measurement would result in a (typically small) constant value. Thus, in contrast to our certification measurement based upon a single detector, there is no guarantee that a bright input would result in a large measurement outcome, and therefore applying a threshold check to a heterodyne detection offers no protection against high energy attacks. This again highlights the importance of rigorously modelling the trusted devices in a cryptographic setup, as even small imperfections can completely alter the security of the protocol.
B.2 Voltage response and temporal behaviour
The next step in our modelling is to take into account the fact that the detector response is not completely flat over the time window that makes up one round of the protocol. Instead, the voltage response decays exponentially in time. However, using careful spectral filtering, one can enforce an effectively flat temporal distribution for incoming photons. Considering this, we show that we can model the voltage response with a single average conversion factor .
In general, the detector response of a photodiode can be regarded as analogous to an RC circuit where the voltage at time is given by
[TABLE]
where is the current generated by the absorbed photons. However, one cannot take the above equation too literally since a genuinely continuous time dependence would correspond to a detector with infinite temporal resolution. Instead, we model a voltage detector as having K finite time intervals over which the response is flat (i.e. the detector cannot resolve temporal differences smaller than ). The entire detection over the time window can then be regarded as post-processing of the outcomes arising from each of the detection intervals . This resulting POVM has elements of the form
[TABLE]
where . The voltage response to a photon arriving at the interval is given by a conversion factor
[TABLE]
where is a constant. The voltage POVM is thus expressed as
[TABLE]
with
[TABLE]
where and the sum is over all possible values for .
In principle, this temporal detector response could open loopholes for Eve to exploit. For example, if she were able to generate extremely short time pulses, Eve could saturate individual detectors which would then be heavily damped in time (due to the exponential term in Eq. (71)), resulting in a certification voltage that would appear acceptable even though there would be no randomness in this case. However, these temporal attacks can be circumvented via an appropriate choice of spectral filtering in the detection process. For transform-limited pulses, a sufficiently narrow spectral filter enforces an effectively flat temporal distribution for the detected photons. Since the source in our experiment is extremely narrowband (single frequency CW laser), we can afford to use a correspondingly narrow filter without altering the detection rates in our actual implementation. Note that a pulsed system which cannot afford to be similarly filtered without reducing the resulting count rates would require a careful analysis of the effects of Eve’s temporal modulation of the source on the output statistics. This highlights the importance of considering all relevant physical degrees of freedom in certified randomness generation.
Considering our implementation, the voltage response of a detector to a photon arrival is given by a time averaged conversion factor
[TABLE]
where is Planck’s constant, is the speed of light, is the detector’s bandwidth, is its responsivity (in ) at the wavelength considered and is the transimpedance gain.
B.3 Electronic Noise
So far, all measurements have been described without the presence of detector noise. As outlined in the main text, our detector’s noise is well modelled as being Gaussian with variance . We want to write down the POVM describing a voltage measurement over an appropriate basis as parameterised by its outcome. Given that the noisy measurement is still phase insensitive, the POVM elements can be written diagonally in the Fock basis as
[TABLE]
Consider the randomness generation measurement. Since the detector noise terms are taken to be independent from one another, we can equivalently combine them into a single overall noise variable with variance (this joint variable is what was determined in practice during device calibration) that acts to smear out the ideal difference measurement to obtain [Footnote 2: For detectors with the same conversion factor , a particular outcome at the detectors A and B would lead to a difference value where we have combined the independent noise variables.]
[TABLE]
with given by Eq. (65) but effectively by Eq. (38) for the photon ranges we will certify.
In addition, the certification measurement’s POVM accounting for the Gaussian noise characterised by variance is given by
[TABLE]
Finally, for the failure operator associated with the certification measurement with Gaussian electronic noise, we have the following
[TABLE]
where is the voltage conversion factor for the photodetector C and is the standard deviation of its associated electronic noise.
For the security analysis later, we will often be interested in the measurement operators from Eve’s perspective who always knows the relevant value of . This leads to a voltage POVM given by
[TABLE]
a difference measurement
[TABLE]
a certification measurement
[TABLE]
and a failure operator associated with certification voltage measurement
[TABLE]
B.4 Finite resolution and range of analogue-to-digital converter
In the previous section, we modelled the detectors as having a finite range but otherwise being perfectly photon-number resolving and convolved with a classical noise variable subsequently given to the eavesdropper. In fact, the randomness generation measurement has a finite resolution which corresponds to an extra coarse graining. Specifically, the analogue-to-digital converter (ADC) which processes the voltage signal can only record a certain set range of voltages , with all voltages greater or smaller than this amount registered as results in the “end bin”. Furthermore, within the range , voltages are only recorded with a finite resolution. Therefore, whilst an ideal voltage measurement might have unbounded and continuous values, a real detector in combination with an ADC with finite bits of resolution outputs outcomes with corresponding POVM elements for the measured bin expressed as
[TABLE]
where the integration regions are given by
[TABLE]
and is the effective voltage resolution induced by . Note that and are the floor and ceiling functions, respectively.
As a result, the coarse grained noisy difference measurement operators are given by for which
[TABLE]
The corresponding difference measurement from Eve’s perspective (i.e. given the relevant ) would be
[TABLE]
where
[TABLE]
The certification voltage measurement is recorded by an ADC with the same resolution and consequently it is still a -outcome measurement but over an ADC range and a corresponding voltage resolution . This leads to intervals which are defined as per Eq. (84) and coarse-grained certification measurement elements
[TABLE]
Moreover, the associated failure operator is
[TABLE]
For a fixed value of the noise variable , we have the following failure operator from Eve’s perspective
[TABLE]
where
[TABLE]
In general, one must be mindful of the interplay between the conversion from photon number to voltage and the final voltage resolution. Indeed, if the signal were to experience strong attenuation (very small ), then the voltage distribution would start to become small with respect to the fixed voltage resolution and the entropy would decrease. In our implementation, we carefully kept track of the coarse graining, thus avoiding this issue.
Before we proceed further, we show in Fig. 6 a schematic drawing summarising our detector’s model. The POVMs present in the figure are those specified in this appendix.
Appendix C Proof of the Main Theorem
In this Appendix, we provide the full security proof for the more realistic QRG protocol carried out in the experiment. As per the idealised protocol, the proof proceeds in two steps. First, we calculate the worst-case min-entropy for a certain class of states, namely those with a limited support over Fock states. Secondly, we calculate the failure probability of the protocol which is the maximum probability that a state not in that class could have passed the certification test. We restate Theorem 1 given in the main text and proceed with our proof.
Theorem 4.
An optical setup consisting of
- Two trusted vacuum modes
- Two beam splitters of reflectivity and
- Two noisy photodetectors used to make a difference measurement as described in Eq. (85)
- A third noisy photodetector used to make a certification measurement as described in Eq. (88) which passes the test if falls in a chosen range
can be used as a certified (m,,,)-randomness generation protocol as per Definition 1 without making any assumptions about the photonic source with
[TABLE]
where
[TABLE]
with ,
[TABLE]
where
[TABLE]
with
[TABLE]
provided is set to the saturating photon number of the difference measurement.
Moreover,
[TABLE]
using a coherent state as an input.
Proof.
Security: Consider the task of guessing the difference measurement from the perspective of Eve who knows on a shot-by-shot basis, which is given by Eq. (86). First, this measurement satisfies the conditions of Lemma 1 and so Eve’s optimal state is a number state. Her strategy will be to add to the most likely value of the noiseless difference measurement which, as shown in Appendix A, is 0 or 1 depending upon whether Eve inputs an odd or even number of photons. Therefore, Eve’s best guess will be the voltage bin with or , where is the nearest integer rounding function. The guessing probability is given by the sum of all the probabilities associated with the outcomes for which Eve’s guess would remain true. This can be expressed as the following set
[TABLE]
For states restricted to the range , the guessing probability corresponds to
[TABLE]
where again the sum only includes even (odd) values of when is even (odd).
From the expressions above, the interplay between the voltage conversion factor and the voltage resolution becomes clear. The number of difference measurement elements that will be mapped to a given voltage bin is given by , such that as becomes smaller, this number grows and Eve’s guessing probability will increase. Since we will only consider number states within the linear regime of the difference measurement (i.e. ), we can safely assert that is a binomial distribution. Thus, the largest guessing probability for a given will occur when is such that the bins are centered evenly around the origin, i.e. the middle portion of the binomial distribution. Moreover, we know from Section A that the guessing probability will decrease monotonically with the photon number. This yields
[TABLE]
which is exactly Eq. (92). While this expression can be directly evaluated numerically, for large (recall here that ), one can use the Gaussian distribution as an excellent approximation for the binomial distribution and evaluate the sum as an integral to get the following compact expression
[TABLE]
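An added numerical illustration (not from the paper) of the interplay described above: the more photon-number differences fall into one ADC bin, the higher Eve's guessing probability and the lower the min-entropy. It assumes a balanced beam splitter for the difference measurement; the names `alpha` (voltage per photon), `delta_v` (ADC bin width) and the continuity-corrected Gaussian check are assumptions of this example, not the paper's expressions.

```python
import math


def diff_pmf(n, d):
    """P(n_A - n_B = d) for an n-photon Fock state on a balanced beam splitter
    (assumption: 50/50 splitting, so n_A is Binomial(n, 1/2))."""
    if abs(d) > n or (n + d) % 2:
        return 0.0  # d must share the parity of n
    k = (n + d) // 2
    log_p = (math.lgamma(n + 1) - math.lgamma(k + 1)
             - math.lgamma(n - k + 1) - n * math.log(2))
    return math.exp(log_p)


def half_width(alpha, delta_v):
    """Largest |d| whose voltage alpha*d still lands inside a bin of width
    delta_v centred on the origin (the worst case for the user)."""
    return math.floor(delta_v / (2 * alpha))


def guess_prob(n, alpha, delta_v):
    """Probability mass caught by the single most likely ADC bin when Eve
    knows the electronic noise and the bin is centred on the peak."""
    w = half_width(alpha, delta_v)
    return sum(diff_pmf(n, d) for d in range(-w, w + 1))


def guess_prob_gauss(n, alpha, delta_v):
    """Gaussian approximation of guess_prob: the difference has variance n and
    support spaced by 2, so integrate up to the last included value plus 1."""
    w = half_width(alpha, delta_v)
    last = w - ((w - n) % 2)  # largest value <= w with the parity of n
    return math.erf((last + 1) / math.sqrt(2 * n)) if last >= 0 else 0.0


def min_entropy_bits(p_guess):
    """Min-entropy per sample for a given guessing probability."""
    return -math.log2(p_guess)


if __name__ == "__main__":
    delta_v = 8.0  # constructed bin width, arbitrary voltage units
    for n in (10_000, 40_000):
        for alpha in (1.0, 0.25, 0.125):  # constructed conversion factors
            p = guess_prob(n, alpha, delta_v)
            print(f"n={n:6d} alpha={alpha:5.3f} p_guess={p:.5f} "
                  f"gauss={guess_prob_gauss(n, alpha, delta_v):.5f} "
                  f"H_min={min_entropy_bits(p):.3f} bits")
```

Lowering `alpha` at fixed `delta_v` models attenuation before the ADC; raising `n` widens the binomial and restores entropy per sample.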
The failure probability for the protocol is given by the probability of passing the test even though a state with too few, or too many, photons is incident onto the difference measurement in mode R. We can express the probability of Eve successfully cheating in a single round as
[TABLE]
where in the last line we used the fact that satisfies the conditions of Lemma 1, implying that Eve’s optimal input state will be a number state.
To begin with, let us consider this probability given a particular value for , the detector’s noise variable. Then, from Eve’s perspective, this electronic noise is effectively removed as expressed in Eq. (90) and we have
[TABLE]
where and with being the entire voltage range for which the test is passed.
Let be the smallest and largest voltages corresponding to bin . Therefore, the minimum (maximum) voltage consistent with passing the test is (). The corresponding minimum and maximum photon numbers are
[TABLE]
We can use our knowledge of the detector’s noise distribution to turn these into worst case upper and lower bounds for and , respectively. Recalling that is Gaussian with variance , we can say that except with a probability
[TABLE]
one has . This gives
[TABLE]
Next, the varying limits in the sums of Eq. (103) can be explained as follows. For the first sum, an unconditional lower limit is given by . However, for sufficiently large inputs , this requirement is superseded by the constraint that , which in turn necessitates that . The upper limit simply comes from the fact that if , then the binomial distribution can only run up to . For the second sum, we have an unconditional constraint , however again for sufficiently large , the requirement that implies that we must have . Notice that depending upon the bounds for and , there are certain values of for which the first or second sums may vanish. This turns out to be the case here (i.e. for our values only one of the sums will be non-zero at a time).
The first sum in Eq. (103) will vanish whenever and the second when . In summary, as long as
[TABLE]
it implies that there are no values of for which both sums will be simultaneously nonzero. In our case, this condition evaluates to
[TABLE]
We will always be making a much tighter probabilistic bound on such that Eq. (107) is satisfied at all times. Substitution in Eq. (105) indicates that this will be true except with probability , which is far below the other failure probabilities that we certify.
Except with probability , we can then write the single round failure probability as
[TABLE]
Considering the first term, we have
[TABLE]
This expression is exactly the same as Eq. (54) for which we already know that . Therefore, we can apply Hoeffding’s bound to the binomial cumulative distribution to obtain
[TABLE]
provided there exists a such that .
The second term in the maximisation is again just the cumulative tail of a binomial distribution and via the same argument as in Eq. (54), we know that Eve should choose to maximise this term, giving
[TABLE]
provided there exists .
Thus, the total failure probability for one round of the protocol is given by
[TABLE]
which is exactly Eq. (96), thereby completing the proof.
Completeness: Lastly, the argument for completeness is the same as that in Appendix A.
∎
Appendix D Mathematical details
Composable security for a protocol is frequently defined in terms of the probability of passing some test , the distinguishability between the output of a real implementation conditioned on passing that test and an ideal output of the protocol . Since quantum state distinguishability is precisely captured by the trace distance , the security parameter of such a definition is typically written as . Above, we showed that the security parameter for this protocol is
[TABLE]
where the failure operators are defined in Eq. (68).
This can be interpreted as the joint probability that the test would be passed in mode C whilst a photon number outside the range was measured for (the conditional state in mode R). For completeness, we will show here that can equivalently be seen as the probability of passing the test multiplied by the distinguishability between and any state with support solely in the range . Recall that without loss of generality, we can take Eve’s input state to be diagonal in the Fock basis. In this case, will also be diagonal in the Fock basis and so will the closest state in the range which we will denote . For such diagonal states, the trace distance simplifies and it is straightforward to show that the distance is just the probability of projecting onto a Fock state that lies outside . In other words
[TABLE]
However, this probability is precisely the same as the joint probability of observing too few or too many photons in mode R whilst passing the test, renormalised by the probability of passing the test. The joint probability is exactly what is given by the failure mode operators in Eq. (68) acting on Eve’s input. Thus, we can write
[TABLE]
Comparing Eq. (116) with Eq. (114), we find
[TABLE]
which shows that our failure probability can also be interpreted as the product of and the distinguishing probability between the conditional output state and an ideal state (i.e. one that has support solely in the desired photon number range), as claimed in Appendix A.
Appendix E Source-device independent quantum random number expansion
The certified SDI-QRG protocol either aborts or, except with some failure probability , produces an output with a min-entropy with respect to any third party, even one with complete control over the photonic source and access to all other environmental modes. Equivalently, this is the joint probability of simultaneously passing the certification test and producing an output with less than a specified amount of min-entropy, expressed as
[TABLE]
However, the final goal of a randomness expansion protocol is to utilise an initial random seed in order to generate a much longer bit string that is “-close” (in some well chosen metric) to perfectly uniformly distributed and unpredictable with respect to any third party. This can be achieved via randomness extraction (also sometimes called privacy amplification), which is a judiciously chosen post-processing of the measurements. We would also like to be confident that a realistic implementation of the protocol will succeed with high probability. Without loss of generality, the output state of this post-processing can be written as a classical-quantum state
[TABLE]
for which we have the following definition.
Definition 3.
A protocol that outputs a state of the form in Eq. (119) is
- Security: -secure (or sound) if
[TABLE]
where is the probability that the certification test is passed, is the trace distance and is the uniform (i.e. maximally mixed) state over . This means that there is no device or procedure that can distinguish between the actual protocol and an ideal protocol with probability higher than .
- Completeness: -complete (or robust) if there exists an honest implementation such that .
The properties of the trace norm ensure that randomness satisfying Definition 3 is composable, which is critical for cryptographic applications Portmann and Renner (2014).
Particular care must be taken against quantum adversaries to choose an extractor that has provable security when considering potentially quantum side information. In general, quantum-secure randomness extraction can be seen as a function that involves processing a block of size (the , -bit measurement outcomes) along with a random -bit seed to produce an -bit output that is -close to being perfectly random.
A very attractive choice is two-universal hashing (or leftover hashing) [Footnote 3: Let be sets of finite cardinality . A family of hash functions is a set of functions and is called two-universal if for drawn uniformly at random from , it holds that , , . The purpose of the random seed is to pick a function uniformly at random, hence .] which is secure against quantum adversaries Renner (2008); Tomamichel et al. (2011) and can be implemented efficiently as it achieves an excellent trade-off between and . It should be noted that this extractor still requires a perfectly random seed of length and thus any protocol that makes use of leftover hashing can technically only be regarded as a randomness expansion protocol Pironio and Massar (2013); Law et al. (2014). Whilst the length of the seed must be chosen proportional to , it only has to be generated once and can be safely reused to hash arbitrarily many blocks, meaning that the initial random seed can be used to generate an unbounded amount of randomness. This also means that the seed can be hard-coded into the hashing device (for a further discussion and an explicit implementation, see Frauchiger et al. (2013)). Other quantum-secure methods, such as the Trevisan extractor, are more efficient in the length of the required seed. However, this is a more computationally expensive process and cannot currently be performed at speeds at which our protocol can generate raw randomness. Thus, to achieve bit-generation rates of the same speed as the randomness generation rates reported here, it seems necessary to perform randomness extraction via leftover hashing.
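An added example (not code from the paper) of the two-universal property defined in the footnote above and of hashing many blocks with one reused seed. Toeplitz matrices over GF(2) are chosen here as one standard two-universal family; the page does not say which family the experiment used, and the sizes and sample bits are constructed.

```python
import itertools


def toeplitz_hash(seed, block, out_len):
    """Hash `block` (n bits) to `out_len` bits with the Toeplitz matrix
    T[i][j] = seed[i - j + n - 1] over GF(2). Seed length: n + out_len - 1."""
    n = len(block)
    if len(seed) != n + out_len - 1:
        raise ValueError("seed must hold n + out_len - 1 bits")
    out = []
    for i in range(out_len):
        bit = 0
        for j in range(n):
            bit ^= seed[i - j + n - 1] & block[j]
        out.append(bit)
    return tuple(out)


def collision_counts(n, out_len):
    """For every pair x != x' of n-bit inputs, count the seeds under which
    both inputs hash to the same value. Returns the set of counts seen.
    Two-universality requires each count <= (number of seeds) / 2**out_len."""
    inputs = list(itertools.product((0, 1), repeat=n))
    seeds = list(itertools.product((0, 1), repeat=n + out_len - 1))
    # One lookup table per seed: hash of every possible input.
    tables = [[toeplitz_hash(s, x, out_len) for x in inputs] for s in seeds]
    counts = set()
    for a, b in itertools.combinations(range(len(inputs)), 2):
        counts.add(sum(1 for t in tables if t[a] == t[b]))
    return counts


def extract_stream(seed, raw_bits, block_len, out_len):
    """Hash consecutive blocks of raw bits with one fixed seed (the same seed
    is reused for every block); a trailing partial block is discarded."""
    out = []
    for start in range(0, len(raw_bits) - block_len + 1, block_len):
        out.extend(toeplitz_hash(seed, raw_bits[start:start + block_len], out_len))
    return out


if __name__ == "__main__":
    n, m = 5, 3  # constructed toy sizes: 5-bit blocks hashed to 3 bits
    n_seeds = 2 ** (n + m - 1)
    counts = collision_counts(n, m)
    print(f"seeds: {n_seeds}, bound per pair: {n_seeds // 2 ** m}, observed: {counts}")

    seed = [1, 0, 1, 1, 0, 0, 1]                  # constructed, fixed once
    raw = [0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 1]    # constructed raw samples
    print("extracted:", extract_stream(seed, raw, n, m))
```

The exhaustive check is only feasible at toy sizes; it confirms that every input pair collides under exactly a 2^-m fraction of seeds, which is the property the leftover hash lemma relies on.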
We now have the tools to write down the following result for certified randomness expansion. Although this is essentially a repeat of standard techniques (see e.g. Tomamichel et al. (2011); Frauchiger et al. (2013)) adapted to our specific setup, we state it as a standalone theorem for completeness.
Theorem 5.
A certified SDI (m,,,)-randomness generation protocol as defined in Definition 1 can be processed with a randomness generation seed of length via leftover hashing to produce a certified SDI random string of length
[TABLE]
that is -complete and secure.
Proof.
Security: Let be the variable describing the measurement outcomes. Recall that the output of the randomness generation protocol after the measurement including the potential side information can be written as a classical-quantum state
[TABLE]
where is the alphabet of possible measurement outcomes and is the state of the eavesdropper given the outcome . A randomly chosen leftover hashing function is then applied to distill a final random string denoted by the variable . The joint state is now
[TABLE]
We then apply the Leftover Hash Lemma with quantum side information Tomamichel et al. (2011) and its extension to infinite dimensional Hilbert spaces Berta et al. (2016); Furrer et al. (2014) which is necessary for our purposes.
Lemma 2.
*Let be a state of the form in Eq. (122) where is defined over a discrete-valued and finite alphabet and E is a finite or infinite dimensional system. If one applies a hashing function drawn at random from a family of two-universal hash functions that maps to and generates a string of length , then*
[TABLE]
where is the conditional smooth min-entropy (with smoothing parameter ) of the raw measurement data given Eve’s quantum system.
Comparing the security definitions in Eq. (120) and Eq. (124), we note that with an appropriate choice of , we can ensure the security condition is met. In particular, we see that the smooth min-entropy is a lower bound on the extractable key length. To get a more exact expression, first notice that if we choose
[TABLE]
for some , then the right hand side of Eq. (124) becomes . Then, provided we have definitively bounded the smooth min-entropy, we will satisfy Eq. (120) for any . Finally since , we have
[TABLE]
Now, suppose that we are only able to bound the joint probability of passing the test whilst outputting a small smooth min-entropy with a certain probability, as is the case here. Then, the convexity and boundedness of the trace distance imply that this string of length will be -secure for any security parameter
[TABLE]
if the length is chosen as per Eq. (121).
Completeness: This follows immediately from the completeness of the certified randomness generation protocol.
∎
Appendix F Experimental details for the real-time extraction of certified quantum random numbers
In order to generate certified random numbers in real-time, the post-processing was implemented with a high-performance FPGA (Zynq Ultrascale ZU9EG) installed on the commercially available Printed Circuit Board (PCB) Zynq UltraScale MPSoC ZCU102 evaluation kit as shown in Fig. 7. For data acquisition, a 12-bit ADC (Analog Devices AD9625) is used, installed on a separate PCB connected to the FPGA via an FPGA Mezzanine Card (FMC), as can be seen in the inset to Fig. 7. The evaluation kit provides several modules for data transmission, including the cage for Small Form-factor Pluggable (SFP) modules and a Universal Serial Bus (USB) 3.0 port. The Double Data Rate 4th Generation Random Access Memory (DDR4 RAM) module required for data testing is also included.
The process described by Fig. 7 is summarised as follows. The data from the ADC is deserialised with 8 Multi-Gigabit Transceivers ( MGT) and reaches the resampling core of the FPGA where it is resampled to a lower frequency of GS/s since the ADC’s sampling rate is larger than the experiment’s data generation (imposed by the balanced detector’s bandwidth). Then, the data arrives at a multiplexing unit (grey parallelogram) followed by the central Toeplitz hashing module. Toeplitz hashing is realised via the concurrent pipeline algorithm (detailed in Zhang et al. (2016)) with a clock rate of MHz. Here, a random Toeplitz matrix initially saved in the FPGA’s memory is utilised. Indeed, it is proven in Appendix A of Frauchiger et al. (2013) that one need not renew the random input seed used to construct the Toeplitz matrix. Furthermore, for optimisation purposes, the initial large Toeplitz matrix is evenly decomposed into a series of submatrices which are multiplied sequentially with the raw input data. These submatrices have sizes of , where bits is carefully chosen to be a multiple of both the ADC’s bit-depth bits and the hashing block size bits. Note that the submatrix’s number of rows also corresponds to the precise number of bits injected into the FPGA board per time step of the hashing algorithm, i.e. . As a result of this, substrings of bits from the raw data at each time step are extracted and then multiplied with a corresponding random Toeplitz submatrix, thereby obtaining a single substring of bits per clock period. The XOR operation required between pairs of such subsequent strings of bits is performed concurrently with multiplication steps. The multiplication of the entire large Toeplitz matrix with the raw random string of bits is thus performed over time steps, leading to an overall extraction of bits for every such procedure labelled as a single extraction period. 
Finally, while the following extraction period commences, the previously obtained block of hashed data is prepared for the final output.
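A software reference model of the block-wise Toeplitz extraction described above, with an exhaustive check of the two-universal property on a toy size. This is an added example, not the authors' FPGA code: the function names, the matrix orientation (m output rows by n input columns) and the small values of n, m and k are assumptions chosen for illustration.

```python
from itertools import product

def toeplitz_hash(seed, x, m):
    """Direct y = T.x over GF(2); T is m x n with T[i][j] = seed[i - j + n - 1]."""
    n = len(x)
    assert len(seed) == n + m - 1, "a Toeplitz seed needs n + m - 1 bits"
    return [sum(seed[i - j + n - 1] & x[j] for j in range(n)) & 1
            for i in range(m)]

def toeplitz_hash_blocked(seed, x, m, k):
    """Same result, consuming k input bits per step and XOR-accumulating
    the m-bit partial products (the sub-matrix pipeline, in software)."""
    n = len(x)
    assert n % k == 0 and len(seed) == n + m - 1
    acc = [0] * m
    for start in range(0, n, k):              # one step per k-bit chunk
        for i in range(m):                    # rows of this sub-matrix
            part = 0
            for j in range(start, start + k):
                part ^= seed[i - j + n - 1] & x[j]
            acc[i] ^= part                    # XOR with earlier steps
    return acc

def extract(seed, raw, n, m, k):
    """Hash consecutive n-bit blocks of raw with one fixed, stored seed.
    A trailing partial block is discarded."""
    out = []
    for off in range(0, len(raw) - n + 1, n):
        out += toeplitz_hash_blocked(seed, raw[off:off + n], m, k)
    return out

def max_collision_probability(n, m):
    """Worst case over x != x' of Pr_seed[h(x) == h(x')], by enumeration.
    Two-universality requires this to be at most 2**-m."""
    seeds = list(product((0, 1), repeat=n + m - 1))
    inputs = list(product((0, 1), repeat=n))
    worst = 0.0
    for a, xa in enumerate(inputs):
        for xb in inputs[a + 1:]:
            hits = sum(toeplitz_hash(s, xa, m) == toeplitz_hash(s, xb, m)
                       for s in seeds)
            worst = max(worst, hits / len(seeds))
    return worst

if __name__ == "__main__":
    n, m, k = 8, 3, 4                          # toy sizes (assumed)
    seed = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]      # constructed, n + m - 1 bits
    raw = [1, 1, 0, 1, 0, 0, 1, 0] * 2 + [0, 1, 1, 1, 0, 1, 0, 1]  # constructed
    print("extracted bits:", extract(seed, raw, n, m, k))
    print("worst collision prob (n=4, m=2):", max_collision_probability(4, 2))
```

A model of this kind can be run on a PC against raw and hashed data saved from the device to confirm that both produce the same output for the same stored seed.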
For validation and debugging purposes, the option of saving both raw and hashed data in the FPGA’s memory is implemented such that one may extract them for further analysis on a PC. Conversely, data can be uploaded to the FPGA’s memory from an external source (e.g. from an oscilloscope’s ADC) and then processed by the Toeplitz hashing extractor in the FPGA.
Appendix G Rate comparison with homodyne protocols
In this appendix, we will derive the curves shown in Fig. 5 which compare the rates for this work to those for the device-dependent homodyning and the semi-SDI protocols with certification based on an entropic uncertainty relation Marangon et al. (2017); Avesani et al. (2018); Michel et al. (2019). Strictly speaking, direct comparison with the EUR protocols is impossible since these fail to give a composable security parameter. Also, in practice, the achievable rates depend heavily on many technical constraints such as the detector noise and especially the number of ADC bits. Consequently, we consider a simpler, idealised calculation of the ultimate rates of these different protocols and identify fundamentally different scalings in some instances. Specifically, we will calculate the expected value of the amount of min-entropy generated per round.
G.1 Device-dependent homodyning
Following Haw et al. (2015), we can upper bound the min-entropy by noting that for arbitrarily many ADC bits and perfect photon number resolving detectors, the probability distribution of the photon difference is only resolution-limited by the photon-counting measurement itself and the amplitude of the local oscillator. Specifically, it is straightforward to show that the photon difference for an arbitrary input signal mode mixed on a 50:50 beamsplitter with a coherent state gives output modes and . The photon difference is then given by
[TABLE]
If the LO is very bright, then we can know its quadrature displacement up to an uncertainty that is very small relative to the displacement’s mean. Moreover if the LO is very large relative to the photon number of the input signal, this signal will be very close to a quadrature measurement of the input signal. Following e.g. Bachor and Ralph (2004), one way to see this is to consider a decomposition of the LO operator , where is the mean value and the operator and represents the quantum fluctuations. Taking to be real, we have
[TABLE]
If the mean LO amplitude is large with respect to fluctuations and the amplitude of the signal mode, then one has . In the case of ideal detectors that can distinguish between and photons, this is equivalent to measuring the input quadrature with a resolution given by (i.e. the rescaling by the LO power). One can also calculate the variance for an arbitrary signal state with a coherent state as the LO. Defining the appropriate expectation value as , we have
[TABLE]
where we have again taken to be real.
G.1.1 Vacuum input
In the device-dependent case where the signal is known to be vacuum, the rescaled output is a discretised Gaussian distribution with variance and zero mean. If we label the discretised output with index , the probability distribution from the perspective of an eavesdropper (here there is no technical noise) is given by
[TABLE]
where .
For small relative to , Eq. (131) is well approximated by
[TABLE]
and the min-entropy can be directly calculated to be Haw et al. (2015)
[TABLE]
where is the mean photon number present in the LO.
G.1.2 Coherent state input
This rate as calculated via Eq. (132) is also unchanged if the vacuum is replaced by a coherent state since the variance of coherent states is still unity. However, if the signal is a large coherent state , the approximations we utilised to derive Eq. (132) no longer hold. The other term in Eq. (129) will not remain negligible and the fluctuations will actually increase. Considering the photon detections directly, the state after the beamsplitter will now be . The output at each detector would be described by a Poissonian distribution, which for large photon number will be well approximated by a Gaussian distribution, as will the photon difference. The variance is straightforwardly calculated to be
[TABLE]
from which we can immediately read off the min-entropy as
[TABLE]
G.1.3 Thermal state input
On the other hand, if the vacuum source was instead replaced by Eve with one half of an entangled two-mode squeezed vacuum (TMSV) state
[TABLE]
then the input to the randomness measurement will be a thermal state with mean photon number and quadrature variance . As the amount of squeezing — and hence the number of photons in the input state — increases, the quadrature measurements will start to become more and more predictable and the min-entropy will decrease. Eventually, however, for a sufficiently bright TMSV state, the extra terms in Eq. (129) become non-negligible and extra fluctuations will arise such that the overall entropy will begin to increase again. For all levels of squeezing, the statistics will be well-approximated as being Gaussian.
We can get an upper bound for the device-dependent min-entropy by assuming that Eve makes an quadrature measurement on her half of the TMSV state. This would project the other arm into a -squeezed coherent state with variance and a displacement given by , where is the outcome of Eve’s measurement. We can write down Eve’s conditional guessing probability directly since it would simply be the same kind of coarse grained Gaussian distribution as before with a resolution of , but now the variance given by evaluating Eq. (130) to obtain
[TABLE]
The min-entropy is then given by substitution in Eq. (131), leading to
[TABLE]
Note that this is an upper bound because we are calculating the min-entropy that Eve would have about an individual round of the protocol. In theory, in a protocol where Eve’s goal was to guess the -symbol output of an -round protocol, she could potentially employ a collective measurement that might further reduce her uncertainty. Nevertheless, we will proceed with this device-dependent upper bound for comparative purposes.
G.2 Entropic uncertainty relation certified homodyning
In the works Marangon et al. (2017); Avesani et al. (2018); Michel et al. (2019), the randomness present in the quadrature is certified by making measurements in the conjugate quadrature basis and exploiting an entropic uncertainty relation of the form
[TABLE]
where .
In fact, to get the expected value for the min-entropy generation rate, one should multiply the right-hand side of Eq. (139) by the probability that a round is used as a randomness generation round rather than a check round, and also subtract some randomness used to randomly switch bases in the future iterations of the protocol Vallone et al. (2014); Marangon et al. (2017). Here, we will set as per Michel et al. (2019) and to get an upper bound for comparison purposes, we will ignore the random seed term. For discretised homodyne measurements (assuming symmetric quadrature resolution ), one has that and noting that , we get
[TABLE]
Using the Jacobi theta functions , we can rewrite Eq. (132) to directly evaluate the max-entropy to find
[TABLE]
Using this formula, we can evaluate the EUR-based certified randomness rates for the variance appropriate for each input state; namely the coherent and thermal cases exposed in Eq. (134) and Eq. (137), respectively.
Note that this rate represents an over-estimation of the randomness generated in that we are using the max-entropy exactly. In practice, this would have to be estimated from statistics (see Michel et al. (2019) for several estimators) which would generally result in a lower value for the certified min-entropy.
G.3 This work
Here, we compare the device-dependent and EUR-based rates with our work. In fact, the EUR-based rates cannot be directly compared because in reality entropic terms should be empirically bounded in a way that gives composable -security (i.e. there is a test such that the joint probability of passing the test whilst having less than the certified rate should be less than ). For this idealised calculation, our rates are given by Theorem 3. Recall that our protocol is probabilistic, meaning that randomness is only certified when the test is passed by observing or more photons in the certification measurement, which will happen with a probability at least . From Theorem 3, we know that either the test will fail or the min-entropy will be strictly lower bounded as per Eq. (41). Putting all of this together, we can say that the expected min-entropy generated in a single round (i.e. ) will be
[TABLE]
with a failure parameter of
[TABLE]
Notice that for the regions of interest in Fig. 5, namely where this curve surpasses the EUR curves and scales similarly to the device-dependent case, the inferred photon number will be such that the corrective term is negligible. To evaluate this expected min-entropy given a target value for associated with the input states above, we simply need to calculate what will be for a given threshold . With those in hand, we can solve Eq. (143) for the value of that achieves the target and then calculate the corresponding min-entropy via Eq. (142).
For a coherent state input , the state going into the certification measurement will be . For large , the Poissonian photon-number distribution will be well approximated by a Gaussian distribution and the probability of observing or more photons will be given by , where , with the mean photon number of the incoming coherent state.
Similarly, for a thermal state source, the input to the certification measurement will be a thermal state with mean photon number , with the mean photon number of the incoming thermal state. Finally, using the formula for a geometric series and the photon number representation of a thermal state, the relationship between the threshold and the passing probability is given by .
References
- [1] Herrero-Collantes and Garcia-Escartin (2017): Miguel Herrero-Collantes and Juan Carlos Garcia-Escartin, “Quantum random number generators,” Reviews of Modern Physics 89, 015004 (2017).
- [2] Ma et al. (2016): Xiongfeng Ma, Xiao Yuan, Zhu Cao, Bing Qi, and Zhen Zhang, “Quantum random number generation,” npj Quantum Information 2, 16021 (2016).
- [3] Pironio et al. (2010): Stefano Pironio, Antonio Acín, Serge Massar, A Boyer de La Giroday, Dzmitry N Matsukevich, Peter Maunz, Steven Olmschenk, David Hayes, Le Luo, T Andrew Manning, et al., “Random numbers certified by Bell’s theorem,” Nature 464, 1021 (2010).
- [4] Acín and Masanes (2016): Antonio Acín and Lluis Masanes, “Certified randomness in quantum physics,” Nature 540, 213 (2016).
- [5] Bierhorst et al. (2018): Peter Bierhorst, Emanuel Knill, Scott Glancy, Yanbao Zhang, Alan Mink, Stephen Jordan, Andrea Rommal, Yi-Kai Liu, Bradley Christensen, Sae Woo Nam, et al., “Experimentally generated randomness certified by the impossibility of superluminal signals,” Nature 556, 223 (2018).
- [6] Liu et al. (2018a): Yang Liu, Qi Zhao, Ming-Han Li, Jian-Yu Guan, Yanbao Zhang, Bing Bai, Weijun Zhang, Wen-Zhao Liu, Cheng Wu, Xiao Yuan, et al., “Device-independent quantum random-number generation,” Nature 562, 548 (2018a).
- [7] Acín et al. (2012): Antonio Acín, Serge Massar, and Stefano Pironio, “Randomness versus nonlocality and entanglement,” Physical Review Letters 108, 100402 (2012).
- [8] Liu et al. (2018b): Yang Liu, Xiao Yuan, Ming-Han Li, Weijun Zhang, Qi Zhao, Jiaqiang Zhong, Yuan Cao, Yu-Huai Li, Luo-Kan Chen, Hao Li, et al., “High-speed device-independent quantum random number generation without a detection loophole,” Physical Review Letters 120, 010503 (2018b).
