Randomness certification in a quantum network with independent sources
Giorgio Minati, Giovanni Rodari, Emanuele Polino, Francesco Andreoli, Davide Poderini, Rafael Chaves, Gonzalo Carvacho, Fabio Sciarrino

TL;DR
This paper certifies randomness in a quantum network using two independent entanglement sources, a key step toward secure large-scale quantum communication.
Contribution
The work introduces a method for certifying device-independent randomness in a quantum network with multiple entanglement sources.
Findings
Randomness certification is achieved in an entanglement-teleportation setup with two independent sources.
The scalar extension method effectively bounds an eavesdropper's knowledge of shared secret bits.
Theoretical predictions are validated using experimental data from a photonic quantum network.
Abstract
Randomness certification is a foundational and practical aspect of quantum information science, essential for securing quantum communication protocols. Traditionally, these protocols have been implemented and validated with a single entanglement source, as in the paradigmatic Bell scenario. However, advancing these protocols to support more complex configurations involving multiple entanglement sources is key to building robust architectures and realizing large-scale quantum networks. Here, we show how to certify randomness in an entanglement-teleportation experiment, the building block of a quantum repeater displaying two independent sources of entanglement. Using the scalar extension method, we address the challenge posed by the nonconvexity of the correlation set, providing effective bounds on an eavesdropper’s knowledge of the shared secret bits. Our theoretical model characterizes…
Genes, proteins, chemicals, diseases, species, mutations and cell lines named across the full text — each resolved to its canonical identifier and authoritative record.
Click any figure to enlarge with its caption.
Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6| ( | Strong eavesdropper | Double eavesdropper | ||
|---|---|---|---|---|
| (1,4) | (2,2) | (1,4) | (2,2) | |
|
| 1.41 | 1.41 | 3.00 | 2.41 |
|
| 1.41 | 1.41 | 1.41 | 1.41 |
- —http://dx.doi.org/10.13039/501100004809Financiadora de Estudos e Projetos
- —Brazilian National Council for Scientific and Technological Development
- —MUR PRIN
- —FARE Ricerca in Italia QU-DICE
- —Sapienza Grant
- —Simons Foundation
- —Otto Moensted Foundation visiting professorship
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsQuantum Information and Cryptography · Quantum Mechanics and Applications · Quantum Computing Algorithms and Architecture
INTRODUCTION
Quantum nonlocality has captivated scientific interest since the seminal contributions of Einstein et al. (1) and later Bell (2). These foundational studies have prompted extensive investigations into the limitations of local hidden variable theories, which fail to explain the predictions of quantum theory (3, 4). In parallel, advances in quantum information theory have revealed that these nonclassical properties provide essential resources for practical applications such as distributed computing (5, 6) and cryptographic protocols (7–10).
The nonclassical nature revealed by violations of Bell inequalities serves as the foundation for secure randomness generation and certification, specifically by enabling eavesdropper-secure random bit strings through measurements on a physical system (11–16). This task can be achieved in a device-independent (DI) framework and has been explored theoretically and experimentally (17–22), predominantly within the paradigmatic Bell’s scenario, where two distant parties perform local measurements on a shared entangled resource. In this case, the secure randomness that can be generated is quantified using the concept of guessing probability (13, 23), which represents the probability that an external agent, such as an eavesdropper, can correctly predict the measurement results based on the observed output statistics. It has been shown that whenever nonclassicality is manifested through the violation of a Bell inequality, a nonzero amount of randomness can be certified (11, 13, 24). Similar studies have investigated variations of the bipartite scenario (12, 14–16, 24, 25) and other configurations, such as Bell-like (26, 27) or broadcasting (28) three-party networks and the instrumental scenario (22). All of these scenarios share the common feature of involving a single shared source of correlations between distant parties.
Notwithstanding, identifying nonclassicality in scenarios with multiple independent sources is crucial for both foundational research and practical applications in quantum technologies (29–40). These multisource configurations are essential building blocks for scalable, long-range quantum communication networks. Within the network framework (29), independent sources generate a complex, nonconvex set of correlations, making randomness certification particularly challenging. Consequently, existing methods for certifying randomness have shown limited effectiveness when applied to these intricate network structures (41–43).
Here, we address this challenge by leveraging the scalar extension technique (44) to establish a robust framework for randomness certification in quantum networks. To illustrate the general method, we focus on the network underlying the entanglement swapping experiment (45), composed of two independent entanglement sources also known as the bilocal scenario (46). In particular, this network structure allows for two distinct eavesdropping strategies. For both strategies, we demonstrate that source independence enables the certification of up to 1.41 bits of randomness between the network’s outer nodes—a figure that surpasses the 1.23 bits certified by the maximal violation of the Clauser–Horne–Shimony–Holt (CHSH) inequality (14). Furthermore, we apply our framework to certify randomness in the experimental bilocal scenario (47), thus demonstrating the feasibility of certifying randomness against eavesdropping threats in operational quantum networks.
RESULTS
Randomness in the Bell scenario
Bell’s theorem (3) is a no-go theorem proving the impossibility of reproducing the predictions of quantum theory within the classical causal model depicted in Fig. 1A. If we consider two parties A and B performing local measurements on subsystems of a bipartite state produced by a single common source, then the output probabilities predicted by the quantum theory are
Representation of different causal structures.Directed acyclic graphs (DAGs) represent different causal structures, and the nodes in the graph represent the relevant random variables with arrows accounting for their causal relations. There are three different kinds of nodes: sources of correlations represented either by hidden variables or quantum states (purple triangles), measurement settings (green squares), and measurement outcomes (blue circles). (A) Bipartite model with one entangled source. (B) Tripartite scenario with two independent sources, accounting for the bilocal hidden variable model.
For a suitable choice of an entangled state and operators , this distribution cannot be described by the classical causal model in Fig. 1A, which implies its incompatibility with a hidden variable model given by
A notable property of such nonclassical distributions is the possibility to certify that the correlations established between parties A and B cannot be shared with a third party (13). This certification relies on minimal assumptions that an eavesdropper (E) has access to an extended quantum state and that the laboratories in which A and B carry out their measurements are secure. By further assuming that the eavesdropper’s measurement procedure is described by positive operator-valued measure (POVM) operators , the information accessible to the eavesdropper should arise from a joint quantum distribution
such that A and B observe a specific probability distribution admitting the realization of Eq. 1.
To bound the amount of information that E can extract over the outcomes of A and B, one considers the guessing probability
The amount of certifiable randomness in a certain scenario is related to the maximum of this quantity achievable with a given realization , a problem that can be efficiently solved through semi-definite programming (SDP) techniques as the NPA (Navascués-Pironio-Acín) hierarchy (48) under the constraint given by Eq. 3. From the guessing probability, one can readily obtain the amount of certifiable randomness in bits, expressed by the so-called min-entropy (49), defined as
that can achieve values up to 1.23 bits of randomness in the standard bipartite scenario when bounded by the CHSH inequality (11). Within bipartite scenarios, several approaches have been explored to increase the certifiable randomness, reaching up to 2 bits per round. For instance, this value can be obtained at the expense of reduced robustness to noise (14), by considering bipartite scenarios with additional inputs (50), by using more general positive operator-valued measurements (15), or—in the standard case of dichotomic inputs and outputs and for CHSH values in the range —by using so-called “tilted” Bell inequalities (51). In this latter approach, as in (52), other figures of merit different from have also been considered.
Randomness certification in the bilocal scenario
Building on the concept of randomness in the standard Bell scenario, several works have addressed its variations (12, 14–16, 24, 25) and other Bell-like scenarios of relevance (22, 26–28). Although scenarios involving multiple independent sources of correlations are crucial for future applications, the challenge of randomness certification in these quantum networks (29) remains almost unexplored (41–43). In this context, the bilocal scenario (46), depicted in Fig. 1B, plays a prominent role because it is the underlying causal structure of entanglement swapping (45, 53), an essential protocol for quantum repeaters (54, 55) and long-distance communication networks (56, 57). It consists of two independent sources distributed among three parties: Two of them receive a single subsystem coming, respectively, from and , while the central node holds two independent subsystems coming from both sources. Each of the parties carries out local measurements by independently choosing among settings described by the variables , producing outcomes denoted as , with a probability distribution of measurements outcomes given by
Here, encodes the source independence and define the measurements described, in general, by POVM operators. Crucially, the scenario described above cannot be trivially reduced to a configuration consisting of two independent bipartite scenarios (58, 59). Two key features distinguish the bilocal scenario: the underlying causal structure and the range of admissible measurement strategies. Notably, the bilocal framework permits an input-less central node capable of performing entangled measurements. Therefore, compared to separate bipartite configurations, it requires less input randomness and enables access to a broader set of correlations.
In contrast to a standard scenario with a single source, quantum networks introduce the constraint of independent sources, which allows multiple ways to model the eavesdropper’s influence. Within our model for randomness certification, we consider three scenarios that may arise in realistic implementations, as illustrated in Fig. 2. First, we examine the possibility of two independent eavesdroppers operating separately at different points in the network, inheriting the limitations of the bilocal scenario, as could occur in networks accessible by multiple users (Fig. 2A). Formally, this means that Eve can perform a POVM on her share of the state , where and act only on the parts and , respectively. We will refer to this as the “double-eavesdropper” (DE) scenario. Second, we analyze the case where a single eavesdropper has simultaneous access to both sources, particularly relevant for short-range network connections. This more powerful eavesdropper can measure a general POVM on both and , as depicted in Fig. 2B. We will call this the “weak-eavesdropper” (WE) scenario, as a stronger single-eavesdropper configuration is still possible. We can finally consider a scenario within the bilocal network, where the bilocality constraints at nodes A and C are preserved, but the configuration of the latent variables allows the most general form of eavesdropping attack. We refer to this last scenario as the “strong-eavesdropper” (SE) scenario. We represent this case by introducing an additional latent node Λ affecting both E and B (see Fig. 2C). Its presence does not affect the independence relation between the other two sources Γ and Δ, nor the one between the outer nodes A and C, which are the characterizing feature of the bilocal scenario, but rather acts as an extra node that elaborates the incoming signals before sending them to B and E. In this scenario, the adversary, Eve, is granted access to the same quantum state received by node B, allowing her, in principle, to perform measurements compatible with Bob’s settings. This causal structure permits Eve to apply measurement strategies that commute with Bob’s projectors, allowing her to obtain information correlated with Bob’s outcomes without altering the observed probability distribution. However, it should be noted that this does not always guarantee Eve full knowledge of Bob’s measurement results, as the ability to perfectly guess Bob’s outcomes depends on additional constraints such as measurement commutation and state projections that preserve the statistics. While our security analysis adopts the SE model as the conservative, worst-case adversary, we also report the results of the WE and DE assumptions, given their relevant connection to the topology of the bilocal causal structure (independent sources and constrained access), which can be physically enforced in specific deployments. Crucially, the SE bounds always remain valid and provide a lower bound for the WE and DE scenarios, providing a worst-case benchmark for the cases where the weaker-adversary assumptions were to fail.
Different eavesdropping strategies within the bilocal scenario.Eavesdropper actions are represented by red circles. (A) DE scenario reports a possible eavesdropping strategy within the bilocal scenario, accounting for the case of two distinct agents acting separately on the sources. (B) WE scenario reports a single eavesdropper acting on both sources. (C) SE scenario is equivalent to additionally supplying Eve with a further latent source. The dashed frame on the setting node Y represents the possibility of performing both single- or multiple-setting measurements in the central node.
Note that while the WE and SE scenarios are equivalent when all variables are classical, in the quantum case, there can be a difference. This is related to the known fact that the usual classical exogenization procedures do not work for quantum latent variables with incoming edges (42, 60). Because any eavesdropping strategy, including WE, can also be implemented in the SE case, the certified randomness in the latter scenario will always serve as a lower bound for the former. The increasing generality of the eavesdropping strategies under consideration leads to the inclusion relations
where denotes the set of quantum distributions compatible with the corresponding scenario . Specifically, any WE strategy can be regarded as a particular case of the SE scenario, in which the node Λ acts merely as a relay, forwarding to B and E the information coming from Γ and Δ without performing additional processing or measurements. Similarly, the DE scenario can be embedded within the WE or SE scenarios by imposing a tensor product structure on the eavesdropper’s measurements, namely
where and represent independent measurement operators associated with the two parts of the eavesdropper’s system in the DE scenario. This tensor product structure restricts correlations in the eavesdropper’s measurements, ensuring the inclusion of the DE distributions within the more general WE or SE frameworks. In summary, these inclusion relations reflect the increasing generality of the eavesdropping models: from DE, which assumes independent measurements on separated subsystems, to WE, where Eve directly receives the states from the two independent sources, and last to the fully general SE scenario with arbitrary joint operations. This hierarchy is essential to understand how assumptions about the eavesdropper’s capabilities affect the set of admissible quantum correlations. In this context, it is important to underline that the WE and SE strategies do not account for the possibility that the eavesdropper can control the states emitted by both sources. In such a case, Eve could introduce correlations between the sources, effectively reducing the causal structure to that of a single-source tripartite scenario—a configuration in which randomness certification has already been extensively studied (26, 27) and does not represent an actual network with independent sources, which is the focus of this manuscript. In the following analysis, we will concentrate mostly on the least and most general eavesdropping strategies, namely, the DE and SE scenarios, while some results specifically pertaining to the WE scenario are reported in section “Tilted strategies for the bilocal scenario.”
Analogously to Eq. 4, one can define the global guessing probability in the bilocal scenario as
which, again, represents the overall probability for an eavesdropper to correctly guess measurement outcomes.
In the SE scenario, the information available to Eve can be bounded via the following optimization problem
Similarly, in the DE scenario, one can instantiate an analogous optimization problem with the crucial difference that the relevant guessing probability is now given by
where, as will be discussed below, and correspond to distinct bits associated to Bob’s outcome. In both situations, one could also focus on the guessing probability corresponding only to the outcomes of the outer nodes, that is
Its importance lies in the fact that the bilocal scenario can be seen as the prototype of a long-range quantum communication architecture, exploiting an intermediate node as a quantum repeater, exactly as it happens in event-ready Bell experiments (45, 61, 62).
Single-output versus multiple-output randomness content
In possible applications where only one device’s output (e.g., a) is used for randomness extraction, one evaluates the single-output guessing probability, e.g., . However, it holds that
where
One can write
Therefore, it holds that the certifiable randomness per trial (smooth min-entropy) for a single output cannot exceed that for the joint variables (abc)
A numerical approach for randomness certification
To quantify the amount of certifiable randomness in the bilocal scenario, it is necessary to maximize the guessing probability of an eavesdropper. This probability is defined by the expressions in Eqs. 7 to 10, subject to the constraint of observing a set quantum behavior described as in Eq. 6. The result of this optimization provides an estimate of the certifiable randomness in bits, quantified via the min-entropy, . However, in network scenarios, the independence of sources results in a nonconvex set of correlations (59), rendering standard techniques, such as the NPA hierarchy (63), inapplicable. To address this challenge, the scalar extension technique (44) was developed. This method adapts the NPA hierarchy to account for the independence among the parties, enabling the optimization problem in Eq. 8 to be reformulated as a hierarchy of SDPs. Further details on the scalar extension method and its application to the bilocal scenario can be found in Materials and Methods and the Supplementary Materials.
To illustrate the general method, we start by considering the scenario depicted in Fig. 1A. Each of the sources in the bilocal network is given by noisy quantum states modeled as
where v is the visibility parameter (64). Concerning the measurement operators, two potential measurement strategies performed by the central node are considered: a single projective measurement on the Bell basis or separable measurements given by and . We will refer to these two choices using the labels “(1,4)” and “(2,2)”, denoting the number of settings and outputs featured by Bob’s measurements, respectively. In what follows, when the presence of multiple settings for Bob’s measurement is unspecified, the corresponding node will be represented by dashed edges, as depicted in Fig. 2. In turn, the outer node measurements have two possibilities, given by
Taking these setups into account, we have solved the optimization problem in Eq. 8, over the visibility range , as reported in Fig. 3 and in Table 1.
Min-entropy for different configurations of the entanglement-swapping scenario.Taking into account the possible eavesdropping strategies (SE or DE) and measurements performed in the central node [(1,4), (2,2)], we obtain four different configurations. For each of them, we report the min-entropy corresponding to the guessing probability obtained by solving the optimization problem in Eq. 8 using the scalar extension technique. In particular, we plot the min-entropies associated either with the outer (AC) or all (ABC) parties, as a function of the visibility of the sources state. (A) In the strong eavesdropper scenario, both these quantities coincide and are jointly reported as green dots, while in the (B) double eavesdropper scenario, they are respectively illustrated as blue and red dots. The stars illustrate the theoretical upper bounds at unitary visibility (see the Supplementary Materials), which are saturated in every configuration of eavesdropping scenarios and measurement choices. The black dashed line shows the threshold visibility below which the states given by the sources, defined in Eq. 15, can no longer violate the CHSH inequality.
Strong eavesdropper (SE) scenario
In the context of the SE scenario for the measurement choices (1,4) and (2,2), we can certify up to ≈1.41 bits of randomness when v = 1. This value reaches its theoretical upper bound, as demonstrated by explicitly identifying a potential strategy for Eve. In this specific case of maximal visibility, the strategy involves a nondestructive Bell-state measurement (BSM) of the qubits directed to Bob, followed by a guess of Alice and Charlie’s outcomes based on the expected probability distribution (see the Supplementary Materials). Moreover, Fig. 3A shows that, in the SE scenario, it is possible to certify a nonzero amount of randomness as the visibility of the sources reaches the value , known to be the threshold above which a Werner state can violate the CHSH inequality.
Double eavesdropper (DE) scenario
Within this scenario, the threshold is no longer valid because a nonzero amount of randomness can still be certified even for . In addition, in this scenario, Eve can no longer perform projection measurements on the Bell basis, hence invalidating the previous optimal strategy. This is demonstrated in the numerical results shown in Fig. 3B, where we achieve guessing probabilities as low as and , meaning that up to ≈2.41 and ≈3 bits of randomness can be certified for v = 1 in the (2,2) and (1,4) measurement settings, respectively. An overview of the min-entropy achieved with maximal visibility states in the considered scenarios is reported in Table 1. Notably, under the assumption of independent eavesdroppers, a nonzero amount of certifiable randomness is observed across the entire range of visibilities in the scenario where the outcomes of all three nodes are guessed. While the randomness generated in this process originates from a combination of classical uncertainty and quantum correlations, this result might be valuable in practical scenarios where the assumption of eavesdropper independence is reasonable. In particular, the eavesdroppers target also the central node’s random variable b, which, in both the (2,2) and (1,4) measurement strategies, depends jointly on the latent variables Γ and Λ. However, because in the DE scenario (Fig. 2A) and are independent, neither E nor F can perfectly infer b, giving rise to a classical contribution to the total randomness. It is worth highlighting that both results align with the intuitive observation that the independence of the eavesdroppers prevents them from collaboratively acting on the global system. This restriction inhibits the application of the Bell projection strategy on the central qubits, thereby limiting their predictive capabilities. This classical randomness would not be present in the case where the separate eavesdroppers are allowed to perform classical postprocessing of their data, a different scenario that cannot be treated simply with the scalar extension technique. To summarize, in the visibility range , the locality of the source states implies that the certified randomness only comes from the independence constraint; hence, its origin is inherently classical, while for higher visibilities, quantum correlations also play a role. It is worth underlining that this coexistence of both classical and quantum randomness has no counterpart in single-source scenarios, as it is inherently rooted in the network topology arising from the presence of independent sources.
Special attention should be given to the certifiable randomness generated at the outer nodes, as this may represent the key figure of merit in long-distance communication scenarios where the central node functions solely as a repeater. Notably, the numerical results obtained, along with the theoretical upper bounds derived (see the Supplementary Materials), indicate that the amount of randomness reaches 1.41 bits for all combinations of measurement choices [(1,4) or (2,2)] and attack strategies (SE or DE). This exceeds the typical value of 1.23 bits achieved through the violation of the CHSH inequality in a bipartite Bell scenario (11), a consequence of the underlying causal structure, that is, it follows from the assumption that the correlations in the network are mediated by two independent sources. Moreover, we underline how such an advantage remains meaningful despite the greater experimental complexity of a realization of a bilocal network. In practical implementations, one might be unable to use a single source to distribute signals, such as in the aforementioned case of long-distance communication scenarios with an intermediate repeater. In such a situation, then the underlying structure is intrinsically constrained to be a bilocal network. As discussed in the Supplementary Materials, Eve’s optimal strategy involves projecting Bob’s state onto the Bell basis, thereby gaining complete knowledge of his measurement outcome. Crucially, the effective state shared between nodes A and C becomes one of the Bell states, conditioned on the result of Bob’s initial projection. Any further projection on this state by Eve is prohibited, as it would disturb the probability distribution and thus signal the presence of an eavesdropper, a fundamental distinction from the bipartite scenario. This explicit strategy demonstrates that the bilocal scenario allows to certify randomness from its outer nodes even if the resulting distribution observed between these nodes does not enable the violation of any Bell inequality, showing that the network topology plays an active role in the achievable randomness in a causal network.
Validation on experimental data
To showcase a practical application of our method, we apply it to analyze the experimental data from (47) that uses the photonic setup illustrated in Fig. 4 to provide the first randomness certification of nonlocal correlations within the bilocal scenario. In this setup, two nonlinear crystals generate entangled photon pairs, serving as independent sources of quantum correlations. Alice’s and Charlie’s measurements are performed with polarization analyzers. In addition, a partial BSM is achieved through interference at an in-fiber beamsplitter, where a delay line adjusts the indistinguishability of the incoming photons. Our BSM at the central node is partial: With linear optics and no ancilla/feedforward, only a subset of Bell states is identified via twofold coincidences, and all other events are labeled as “no BSM” (failure). Consequently, the statistics input to our SDP are computed conditioned on the heralding event . To preclude sampling bias induced by losses or mode-overlap fluctuations, we adopt the standard fair-sampling assumption, namely that acceptance is independent of the would-be outcomes beyond the declared inputs
independently from a, b, and c, for any internal variables λ and Eve’s side information E. Equivalently
Experimental setup implementing the entanglement swapping network.Two polarization-entangled photon pairs are generated via spontaneous parametric down-conversion (SPDC) in two separated nonlinear crystals. Photons 2 and 3, one from each source, are directed to the central node Bob, while photon 1 (4) is directed to Alice (Charlie). The measurement performed in the central node is fixed and can either discriminate between ∣Ψ−〉 and ∣Ψ+〉 or between ∣Φ−〉 and ∣Φ+〉, depending on the configuration of the half-wave plate of Bob’s station.
Under this assumption, conditioning on yields a representative subset, and our certified smooth min-entropy is a valid lower bound per accepted trial. We note that, in principle, the closure of all relevant loopholes in the bilocal network scenario would allow for a fully DI certification of the underlying quantum correlations. However, achieving complete loophole closure in these multipartite network configurations remains, to our knowledge, an open experimental challenge (65).
To compare the theoretical expectations and the experimental finding, we account for several sources of experimental imperfections: (i) the finite indistinguishability of photons 2 and 3, which directly impacts Bob’s measurements; (ii) an improved noise model that includes both white and colored noise in the quantum state; and (iii) statistical fluctuations, which may cause the data to fall slightly outside the set of valid quantum behaviors. Further details on the experimental model are provided in the Supplementary Materials. In addition, we used the NPA hierarchy, augmented with the scalar extension, to evaluate the certifiable randomness from the experimental data.
SE scenario
In Fig. 5, we compare the experimental and theoretical min-entropies as a function of the violation of the Branciard-Rosset-Gisin-Pironio bilocal inequality , as defined in (46), exhibiting excellent agreement. In the SE scenario, the experimental min-entropy on the outer nodes reaches 0.170 ± 0.027 bits compared to its theoretical maximum of 0.35 bits, corresponding to the ideal case where Bob measures completely indistinguishable photons. In this scenario, we do not report the amount of randomness certifiable from all three nodes, as Bob’s outcomes can always be predicted by an eavesdropper in the strong configuration, hence contributing zero bits to the min-entropy.
Experimental min-entropy for the strong and double eavesdropper scenarios in the (1,4) measurement setup.The min-entropy, derived from the guessing probability by solving Eq. (8), is shown as a function of the violation of the bilocal inequality IBRGP. Theoretical predictions (solid curves) are compared with experimental data (crosses) for different values of IBRGP, controlled by adjusting the indistinguishability of the photons in the network’s central node. (A) In the SE scenario, only the min-entropy of the outer nodes’ outcomes is reported (green crosses and solid curve), as Bob’s outcomes are fully known to the eavesdropper and do not contribute to the certifiable randomness. (B) In the DE scenario, Hmin(ABC∣EF,000) (red) and Hmin(AC∣EF,00) (blue) differ and are shown as solid curves and crosses. For both SE and DE cases, the maximum achievable min-entropy within the experimental visibility vexp=0.89 is indicated by dashed lines [green for Hmin(SE)(AC∣E,000), red for Hmin(DE)(ABC∣EF,000) and blue for Hmin(DE)(AC∣EF,00)]. The experimental points do not achieve these values because they would require perfectly indistinguishable photons incoming at Bob’s measurement station (further information about the experimental model and the effects of partial indistinguishability are reported in the Supplementary Materials). The orange dashed line represents the maximum violation of IBRGP.
DE scenario
In the context of the DE scenario, the experimental data allow us to certify up to 0.205 ± 0.028 random bits for external nodes A and C and up to 0.907 ± 0.039 random bits when including all three nodes, while the maximal theoretical predictions achieve 0.424 random bits (external nodes) and 1.10 random bits (all three nodes). This scenario shows very good agreement between the experimental data and the corresponding theoretical model. Minor deviations from the expected behavior can be attributed to experimental fluctuations in the noise parameters across different data acquisitions-fluctuations that are neglected in the theoretical model, which assumes ideal quantum state generation with fixed levels of white and colored noise. These results successfully validate our approach within a practical context and demonstrate that certifying a nonzero amount of secure randomness is feasible in a real-world network implementation.
Tilted strategies for the bilocal scenario
In the standard Bell scenario, the optimal strategies for randomness certification are not necessarily the ones that are maximally nonlocal (26, 51). We are now going to consider similar strategies for the bilocal scenario using different measurements in the A and C nodes, inspired by the tilted Bell inequalities, which are known to improve certified randomness in the Bell case (51). Specifically, we consider observables of the form
while the central node B performs the standard BSM as in the previous case.
SE scenario
In this case, we find that it is possible to achieve the maximum of 2 bits per round for and the same value for (see Fig. 6A). Similarly to the nontilted case, this result can be explained by the fact that Eve can always guess the result of the BSM in the B node, as described in the Supplementary Materials. This suggests that the limit of 2 bits could be improved if we introduce a binary measurement setting Y for the central node B. If we consider a protocol where is again the standard BSM while projects on the rotated base
we can get up to 3 bits of certified randomness as shown in Fig. 6A.
Min-entropy for alternative quantum strategies.Analyze two quantum strategies using tilted Pauli operator: one with a single BSM on B, denoted as (1,4) in the figure, and another with two measurement choices on B, one of which is a rotated BSM, (2,4) in the figure. (A) Min-entropy Hmin(ABC∣E) is shown for both strategies in the SE scenario, where the maximum values reach 3 bits for the (2,4) case and 2 bits for the (1,4) case. (B) In the DE scenario, as represented by the corresponding DAG, the (1,4) strategy allows reaching a maximum min-entropy of 4 bits. The stars illustrate the maximum theoretical bound, which is saturated. In particular, the min-entropy attained in the DE scenario reaches its algebraic maximum. This implies that the eavesdroppers do not have any information about the outcomes.
DE and WE scenarios
If, instead, we consider the DE and WE scenarios with the (1,4) strategy, then the restriction on using the same eavesdropping strategy markedly increases the amount of certified randomness. In particular, we can use a self-testing approach (see the Supplementary Materials), in the case of ideal visibility, to certify up to for both the WE and DE scenarios. In such a situation, the eavesdroppers have no information at all about the outcomes, and their best strategy is to uniformly guess them. These findings are corroborated by the numerical results for the DE scenario, as illustrated in Fig. 6B. Last, it is worth mentioning that while the tilted CHSH inequality can certify up to 2 bits of randomness, this is achieved using nearly separable states that exhibit little to no robustness against noise. In contrast, as shown in Fig. 6, the randomness certification inspired by the tilted scenario within the bilocal framework demonstrates greater noise resistance.
DISCUSSION
The intrinsic randomness of quantum mechanics is fundamental for understanding the nonclassical aspects of the theory. It has several practical applications, including random number generation, randomness certification, and secure quantum communication. Although randomness in Bell-like scenarios—where a single source generates quantum correlations—has been extensively studied and implemented experimentally, extending this framework to quantum networks with multiple independent sources remains largely uncharted. This challenge stems from the complexity of analyzing the nonconvex set of correlations produced by independent sources (29, 59). We have addressed this gap by using the scalar extension method (44), which offers a reliable and robust approach to certify randomness within quantum networks.
To illustrate the power and versatility of our approach, we have focused on the entanglement-swapping network, a building block for quantum repeaters and an essential component in scalable quantum networks. This network enables different eavesdropping strategies, depending on whether Eve can access one or both entangled sources. In both scenarios, we demonstrated that up to 1.41 bits of randomness can be certified between the network’s outer nodes, a value that surpasses the 1.23 bits achievable through CHSH inequality violations between these nodes (12, 14). This suggests that the source independence enforced by the network topology can offer an advantage in the randomness certification. When considering all the three network’s nodes, we can exploit tilted measurement strategies to certify up to 4 bits of randomness, meaning that none of the outcomes can be known to potential eavesdroppers in this configuration. In addition, we validated our approach by successfully quantifying the amount of randomness in the experimental data from the first photonic implementation of the bilocal network (47).
Overall, we present a thorough analysis of the emergence of randomness in quantum network topologies, with a particular focus on the bilocal network. On one hand, we demonstrate the potential of the scalar extension approach in this context. Because this method can be extended any scenario with causal independence relations between observable nodes of the network, it could be combined with other techniques such as the quantum inflation (42) and used for the analysis of other quantum network configurations, such as the star network (30, 36, 66), the triangle network (33, 38), and the unrelated confounding scenario (67). Our results also indicate that refining network configurations or measurement settings can improve randomness generation under realistic adversarial conditions. In addition, they reveal possible structural vulnerabilities, such as node-specific predictability, that may remain hidden in simpler bipartite models. While this work serves as a foundational study, with further improvements, its findings could also find more sophisticated applications in networked quantum systems, including Bernoulli factory processes (68–71) and blind quantum computation (72–74), contributing to the advancement of quantum communication architectures where randomness plays a central role.
MATERIALS AND METHODS
The numerical computation of the amount of randomness within the bilocal scenario is based on the scalar extension technique (44), as the standard NPA hierarchy (63) cannot capture the causal independence relations that may arise among the network nodes due to the presence of independent sources. In the bilocal scenario, this is evident from the fact that the independence between Alice’s and Charlie’s nodes makes the corresponding probability distribution factorize as . Such an expression is nonlinear and nonconvex, so we can no longer characterize the quantum bilocal set of correlations using standard SDP relaxations.
In the standard NPA hierarchy, a moment matrix of order k is constructed as the matrix with entries , where are products of the parties’ measurement operators up to a length k. In the limit of , having certifies the membership of a given distribution to the set of quantum behaviors.
The main idea of scalar extension is to expand the set of operators that generate the moment matrix by incorporating additional elements derived from the products of actual operators and scalar terms, defined as the expectation values of operators (e.g., terms such as or ). These terms must be chosen so that the resulting extended moment matrix has factorized entries that encode all the independence relations of the scenario of interest. Hence, a linear expression in the extended moment matrix now suffices to express any independence among the parties, and optimization problems, such as maximizing the guessing probability over the set of bilocal quantum behaviors, can now be cast as SDPs using the scalar extension technique. A crucial feature of the scalar extension technique is its complexity scaling, which does not change with respect to the standard NPA relaxations in single-source multipartite scenarios, regardless of the number of independent sources or connectivity of the causal structure. In both cases, in an N-partite scenario where the parties perform measurements with m outcomes and l setting, the problem of randomness certification at the k-th level of the NPA hierarchy consists in solving an SDP problem with a number of variables scaling as . In conclusion, we believe that this numerical approach constitutes a great resource in the study of quantum networks, as it can be directly extended to any topology that can be characterized by causal independence relations arising among their observable nodes, as the chain and star networks.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1A. Einstein, B. Podolsky, N. Rosen, Can quantum-mechanical description of physical reality be considered complete? Phys. Rev. 47, 777–780 (1935).
- 2J. S. Bell, On the einstein podolsky rosen paradox. Phys. Phys. Fizika 1, 195–200 (1964).
- 3N. Brunner, D. Cavalcanti, S. Pironio, V. Scarani, S. Wehner, Bell nonlocality. Rev. Mod. Phys. 86, 419–478 (2014).
- 4N. Gisin, Physics. Quantum nonlocality: How does nature do it? Science 326, 1357–1358 (2009).19965747 10.1126/science.1182103 · doi ↗ · pubmed ↗
- 5S. Beigi, R. König, Simplified instantaneous non-local quantum computation with applications to position-based cryptography. New J. Phys. 13, 093036 (2011).
- 6H. Buhrman, R. Cleve, S. Massar, R. De Wolf, Nonlocality and communication complexity. Rev. Mod. Phys. 82, 665–698 (2010).
- 7C. Portmann, R. Renner, Security in quantum cryptography. Rev. Mod. Phys. 94, 025008 (2022).
- 8J. Yin, Y.-H. Li, S.-K. Liao, M. Yang, Y. Cao, L. Zhang, J.-G. Ren, W.-Q. Cai, W.-Y. Liu, S.-L. Li, R. Shu, Y.-M. Huang, L. Deng, L. Li, Q. Zhang, N.-L. Liu, Y.-A. Chen, C.-Y. Lu, X.-B. Wang, F. Xu, J.-Y. Wang, C.-Z. Peng, A. K. Ekert, J.-W. Pan, Entanglement-based secure quantum cryptography over 1,120 kilometres. Nature 582, 501–505 (2020).32541968 10.1038/s 41586-020-2401-y · doi ↗ · pubmed ↗
