Imperfection-insensitivity quantum random number generator with untrusted daily illumination

Xing Lin; Xing Lin; Xing Lin; Rong Wang; Rong Wang; Rong Wang; Rong Wang; Shuang Wang; Shuang Wang; Shuang Wang; Shuang Wang; Zhen-Qiang Yin; Zhen-Qiang Yin; Zhen-Qiang Yin; Zhen-Qiang Yin; Wei Chen; Wei Chen; Wei Chen; De-Yong He; De-Yong He; De-Yong He; Zheng Zhou; Zheng Zhou; Zheng Zhou; Guang-Can Guo; Guang-Can Guo; Guang-Can Guo; Zheng-Fu Han; Zheng-Fu Han; Zheng-Fu Han

doi:10.1364/OE.460907

1. Introduction

Random numbers are considered an important resource in a wide range of fields, especially in numerical simulations and cryptography. Most current commercial random number generators are based on deterministic algorithms or classical physics processes. However, their predictability and long-range correction might lead to errors in simulations and information disclosure in cryptography. Correspondingly, random numbers generated from uncertainty principle of quantum mechanics become a great substitute. Quantum random number generators (QRNGs) have been studied over the past twenty years and many of them are proposed on the foundation of various sources [1–15].

The core issue of QRNGs is how to estimate the uncertainty from measuring the random sources. For the ideal models, the randomness of output sequences is demonstrable. For the practical systems, however, the gaps between theoretical models and practical devices always exist. In that sense, these devices might be imperfect or even untrusted, which could cause the randomness loss of the output sequences. To guarantee the randomness and the security, device-independent QRNGs (DI-QRNGs) whose security relies on the violation of a Bell inequality become a solution [16–19]. DI-QRNGs can achieve random numbers generation without knowledge of the devices. However, the loophole-free Bell tests in DI-QRNGs are highly challenging, and thus the maximum randomness rate is limited to 2.3 kbps [20] and 13.5 kbps [21]. Meanwhile, some protocols relaxing the assumptions have been presented, such as measurement-device-independent QRNGs (MDI-QRNGs) [22,23] and self-testing QRNGs [24–26].

Recently, a practical scheme known as source-independent QRNG (SI-QRNG) has been proposed [27]. This scheme removes all source assumptions that are usually difficult to be characterized in QRNG implementations. Because of the high rate and no need of the Bell test in the SI-QRNG scheme, its practicality and feasibility attract public concern [28–35].

Nevertheless, there is still a problem that we need to characterize the imperfect measurement devices to close the gap between practice and theory. Concentrating on the discrete variable SI-QRNG, there are some analyses [30,34,35]. However, these analyses of different imperfection factors have been piecemeal until now. In these works, different imperfect factors have been discussed with different analysis models, such as the afterpulse [34], detection efficiency mismatching [30,35], double clicks, and mistaken modulation [30], and these factors haven’t been discussed uniformly. Moreover, the randomness rates will sharply decline with the large imperfections in these models. That is to say, a SI-QRNG scheme that takes account of general device imperfections and allows large deviations from theory to exist is still lacking, which limits practical scenarios of the SI-QRNG.

In this work, we propose an imperfection-insensitivity discrete variable SI-QRNG scheme, in which we provide a unified model that takes account of general imperfection factors and satisfies the composable security. In particular, based on the uncertainty relation of smooth entropies [36], we derive a tight bound in the case of large deviations existing. Compared with the more pessimistic bounds of the previous methods [30,34,35], our result can demonstrate a higher performance with a tolerance of device imperfections. Moreover, we experimentally implement a SI-QRNG system with daily illuminations, a halogen lamp and a laser, and the phase encoding method that is more suitable for modulation in optical fiber systems. Even if we adopt the large deviation measurement devices, the final randomness rates reach 1.06 Mbps and 3.37 Mbps for different sources, the same order of magnitude as the rate upper bound in common QRNGs with the single-photon detectors. In addition, we believe that our device model can be used in other discrete variable QRNG protocols as well as in general scenarios with imperfect measurement devices.

2. Security definitions

Here we firstly review the security framework of SI-QRNG protocols [27,34]. We consider a general SI-QRNG protocol generating a bit string S and a quantum system E owned by Eve, which may be correlated to S. We denote $\rho _{E}^{s}$ as the state when S=s. The situation can be described by the classical-quantum state

(1)$$\rho_{AE}=\sum_{s\in\textbf{S}}p_{s}|{s}\rangle\langle{s}|\otimes\rho^{s}_{E}.$$

The string S is called $\varepsilon _{sec}$-secret if it is $\varepsilon _{sec}$-close to a uniform randomness string that is uncorrelated with the quantum state $\rho _{E}$ of Eve, which can be expressed as

(2)$$\frac{1}{2}\parallel\rho_{AE}-U_{A}\otimes\rho_{E}\parallel_{1}\leqslant\varepsilon_{sec},$$

where $\parallel \cdot \parallel _{1}$ denotes the trace norm and $U_{A}$ is the full mixed density matrix on S. For a SI-QRNG protocol, similar as QKD [37], it is called $\varepsilon _{sec}$-secret if it is $\varepsilon _{sec}$-indistinguishable from a secret protocol which satisfies $\varepsilon _{sec}=0$ whenever the protocol generates randomness.

The security can be interpreted as the true randomness in the QRNG scenario. A similar definition of truly random has been given in Ref. [38] where S is required $\varepsilon _{sec}$-close uncorrelated to all other space-time variables which are not in the future light cone of S.

3. Protocol

The abridged schematic diagram of a SI-QRNG protocol is illustrated in Fig. 1(a). Alice uses an unknown light source as the randomness source. She receives and squashes the quantum states to the qubits to eliminate the influence of dimension, as shown in Table 1.

Fig. 1. The schematic diagram of a SI-QRNG protocol. Eve controls the untrusted source and the exterior space, and Alice owns the trusted measurement part including the squashing operator, basis selection, and detection. (a) shows the ideal measurement with squashing model, and (b) shows the practical measurement with threshold detectors.

Download Full Size | PDF

Table 1. Protocol for a SI-QRNG

View Table

In practice, squashing step is accomplished through the threshold detectors with random assignments for double clicks [39]. For the general measurement, the conclusion that a full measurement is equivalent to a squashing map and a qubit measurement is demonstrated [39,40], which is shown in Fig. 1(b). What’s less obvious is that, for satisfying the squashing model, random assignment is necessary for both parameter estimation and generation steps. Otherwise, there will be entropy overestimation in multiphoton conditions, as discussed in the following.

Next, Alice measures the squashed qubits in the bases chosen from {X, Z}. X, Z are the bases to achieve parameter estimation and randomness generation, which is analogous to the bases in the BB84 protocol [41]. For ideal measurement, X basis is represented as $\{|+\rangle \langle +|, |-\rangle \langle -|\}$ for the results in $|{+}\rangle$ or $|{-}\rangle$, and Z basis is represented as $\{|{0}\rangle \langle {0}|, |{1}\rangle \langle {1}|\}$ for the results in $|{0}\rangle$ or $|{1}\rangle$. Here, we let $|{+}\rangle =\frac {1}{\sqrt {2}}(|{0}\rangle +|{1}\rangle )$, and $|{-}\rangle =\frac {1}{\sqrt {2}}(|{0}\rangle -|{1}\rangle )$.

After the parameter estimation in the X basis, Alice takes $Q_{tol}$ to limit the upper bound of the error rate. If the error parameter is larger than $Q_{tol}$, the protocol aborts. Therefore, $Q_{tol}$ is usually set as the tolerance limits, $\frac {1}{2}$. Finally, the results in the Z basis are used for raw randomness generation. It should be noted that our protocol is a randomness expansion method. Because the random sequences consumed in basis selection are unbalanced, the net final randomness can reach an exponential randomness expansion [27]. The detailed steps of the protocol are described in Table 1.

As the measurement part in SI-QRNG is strongly similar to that in the standard QKD system, BB84 [41], the security of SI-QRNG can be proven by the similar idea in the BB84 protocol, the complementary uncertainty relation [42–44]. This idea has been successfully applied with the technique of quantum correction and builds the security proof of SI-QRNG. Here we also use a similar idea but a different technique, the uncertainty relation of smooth entropies [36], which is widely applied in many applications, including QKDs [37,45,46].

4. Device model

In general, a QRNG system can be divided into the parts of source and measurement. For a SI-QRNG protocol, the assumption of the source part is removed, and thus there is no need to characterize the source devices accurately. In contrast, the measurement part is trusted, and precise characterization is extremely necessary. The neglected imperfection in the measurement implementations means that unknown side information exists, which might cause the overestimation of entropy. Therefore, our discussions in the following revolve around building a unified model that takes account of general imperfection factors in the measurement part and then estimates the security bound of extractable randomness.

For a realistic SI-QRNG, the measurement devices can be described in two parts: the basis modulation and detection. Thus we classify the side information into three categories: mistaken mutually unbiased bases (MUBs) modulation, unbalanced detection, and unexpected responses. In the basis modulation part, the mistakes for MUBs modulation, usually the basis additional rotation $\theta$, can cause the extra gap between the bit error rate in the X basis and the phase error rate in the Z basis. In the detection part, the side information is usually provided by the single-photon detectors (SPDs). Compared with an ideal detector, the realistic SPD often suffers from detection efficiency mismatching $\gamma _{0}\neq \gamma _{1}$ and afterpulse $P_{ap}$, which might introduce the wrong error rate estimation and extra autocorrelation [34].

Here, we establish the Positive-Operator Valued Measure (POVM) to model the measurement in the X basis $\{M_{x+},M_{x-}\}$ and Z basis $\{M_{z0},M_{z1}\}$. The physical model of realistic measurement devices detecting the incoming photons with different bases can be modeled by $\{M_{x+},M_{x-},M_{x\varnothing }\}$, $\{M_{z0},M_{z1},M_{z\varnothing }\}$ with

(3)$$\begin{aligned}&M_{x+}=\frac{1}{2}\begin{pmatrix} 1-\sin\theta & \cos\theta \\ \cos\theta & 1+\sin\theta \end{pmatrix}, \qquad M_{z0}=\begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix},\\ &M_{x-}=\frac{\eta_{x}}{2}\begin{pmatrix} 1+\sin\theta & -\cos\theta \\ -\cos\theta & 1-\sin\theta \end{pmatrix},\quad ~ M_{z1}=\eta_{z}\begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix},\\ &M_{x\varnothing}=\mathbb{I}-M_{x+}- M_{x-},\qquad\qquad\quad~~ M_{z\varnothing}=\mathbb{I}-M_{z0}- M_{z1}. \end{aligned}$$

where $\mathbb {I}$ is the two-dimensions unit matrix and $\varnothing$ is correspond to the outcome "no click". We denote the ideal Z basis as the normal orthogonal basis and the imperfect basis modulation lead to the $\frac {\theta }{2}$ rotation of the X basis. $\eta _{x}$ and $\eta _{z}$ are the mismatching parameters defined by

(4)$$\eta_{x}= \frac{p_{-}}{p_{+}},\qquad\eta_{z}= \frac{p_{1}}{p_{0}}.$$

which satisfy $\eta _{x},\eta _{z}\leq 1$. Here, we actually assume there are the common loss $p_{+}$ and $p_{0}$ in the X and Z basis, which can be treated as additional transmission loss [47], and thus we can use the renormalized parameters $\eta _{x}$ and $\eta _{z}$ to analyze the detector imperfections. As we consider the squash operator in our protocol at first, we can model the POVMs in the qubit scenarios. Therefore we can define $p_{\alpha }$, the response probability for the response $\alpha$, by [48]

(5)$$p_{\alpha}=1-(1-\gamma_{\alpha})(1-P_{ap\alpha})\qquad\alpha\in\{0,1,+,-\},$$

where $\gamma _{\alpha }$ is the bounded probability which includes the total loss and the detection efficiency. $P_{ap\alpha }$ is the total afterpulse probability with total orders afterpulses of $D_{\alpha }$ which is given by [49]

(6)$$P_{ap\alpha}=\frac{\hat{p_{\alpha}}}{1-\hat{p_{\alpha}}}\gamma_{\alpha} \qquad\alpha\in\{0,1,+,-\},$$

where $\hat {p}_{\alpha }= \sum ^{n}_{j=1}\hat {p}_{j\alpha }$ is the overall first-order afterpulse rate, and $\hat {p}_{j\alpha }$ is the first-order afterpulse coefficient contributed by the former jth detection window avalanche. It should be noted that since we use the same detectors in error estimation and randomness generation in the dual-detector system, afterpulse could introduce the crosstalk noise. For example, the afterpulse of the Z basis will inevitably cause the error increase of the X basis. It has an unavoidable effect on the error rate and protocol security. A further derivation process of our physical model above can be found in Supplementary Information.

5. Security randomness rate

According to the device model and the protocol described above, here, we present the security randomness rate. The SI-QRNG protocol with the imperfect devices characterized by the POVM above is $\varepsilon _{sec}$-secret if the extracted randomness length satisfies

(7)$$\begin{aligned} &\mathcal{L}=n_{z}[1-h(e_{bx}^{obs}+{\parallel} M_{x-}-M_{x'-} \parallel_{1}+\mu+\mu')-Q_{dz}]-2\log_{2}\frac{1}{\varepsilon_{sec}},\\ &\mu:=\sqrt{\frac{n_{z}+n_{x}}{n_{z}n_{x}}\frac{n_{x}+1}{n_{x}}\ln\frac{2}{\varepsilon_{sec}}},\\ &\mu':=\sqrt{\frac{8}{n_{x}}\ln\frac{2}{\varepsilon'}}. \end{aligned}$$

where $Q_{dz}$ is the proportion of double-clicks in total responses in the Z basis and $n_{x}$, $n_{z}$ are the number of bits generated in the X and Z basis, respectively. $h(x)$ is the binary Shannon entropy function. $M_{x'-}$ denotes the POVM defined by

(8)$$M_{x'-}=HM_{z1}H$$

where H is the Hadamard operator. $M_{x'-}$ corresponds to a measurement operator of the theoretical basis that is MUBs with Z basis. $\mu$ and $\mu '$ are the finite-key parameters affected by the error statistics in the X basis and the imperfection factors of our model. In the case of the asymptotic limit of the large data block and perfect devices, the reductions of randomness length because of statistical fluctuations and device imperfections are neglected, and a final random bit string of length $\mathcal {L}=n_{z}[1-h(e_{bx}^{obs})-Q_{dz}]$ can be extracted. Actually, by building a suitable device model, we integrate the device imperfections into the POVMs of the measurement bases. Then, we combine our device model with the uncertainty relation of smooth entropies and, considering that the bound of the uncertainty relation of smooth entropies is not tight for general POVMs that aren’t MUBs, we introduce the virtual basis, X’, which is MUBs with Z basis. By estimating the corresponding error of X’, we transfer the imperfections to the trace distance of X’ and X, which can counteract the effects of the similar deviations of the error estimation basis X and the generation basis Z, especially in the dual detectors systems. In the final, we obtain a tighter bound with the finite-key regime in Eq. (7). A rigorous proof of the Eq. (7) is presented in Supplementary Information.

6. Simulation analysis

We illustrate by simulating the performance of our results in the case of different device imperfections. In our simulation, we consider a practical SI-QRNG implementation with a dual-detectors system, and thus we let the detector parameters of different bases same, such as $\gamma _{0}(or~\gamma _{1})=\gamma _{+}(or~\gamma _{-})$ and $P_{ap0}(or~P_{ap1})=P_{ap+}(or~P_{ap-})$. Also, we assume that the quantum states that the source emits are the coherent states with misalignment-error 1% and mean photon number $\sigma =0.1$, and the other parameters we used are referred to as the practical experimental parameters as follows. Here, we compare our optimal randomness rates of different imperfections with the security rates in previous work, respectively [30,34,35]. In Fig. 2, as the parameters defined above, we present the extractable randomness rate for each single-click as the functions of the total afterpulse probability $P_{ap}$, the detector efficiency proportion $\gamma _{1}/\gamma _{0}$, and the basis modulation error $\theta$ in the finite-key scenario with total responses $N=10^{9}$. The rate of our model is insensitive to each imperfect parameter, and the reductions due to the large device imperfections are no more than 3 dB. In contrast, the other results in previous works [30,34,35] are hard to bear the imperfections considered in those works respectively and appear to decrease by one or more orders of magnitude with large imperfections.

Fig. 2. The simulation of our result performance with different imperfections and the security rate with different analyses. (a) Considering the influences with afterpulse increasing in our model, previous work in Ref. [34] and the ideal situation. (b) Considering the influences with detection efficiency proportion increasing in our model, previous work in Ref. [30] and Ref. [35], and the ideal situation. We assume the total detection efficiency is a fixed value, 30%. (c) Considering the influences with the basis modulation error increasing in our model. (d) Comparing the results of considering or not considering the double-click in the Z basis with the security rate upper bound.

Download Full Size | PDF

We note that only considering the single-click results in the Z basis, which is a common practice in the previous works, is insecure. Discarding the double-click in the Z basis might leave a backdoor and cause the overestimation of the entropy. Here we provide an illustrative example of a valid attack by this loophole. For the ideal SI-QRNG system, consider the situation that Eve emits the states satisfying $\rho =1/2|{+}\rangle \;\langle {+}|+1/2\mathbb {I}$ with half of states randomly emitting $|{0}\rangle \langle {0}|$ (or $|{1}\rangle \langle {1}|$) and half of states emitting$|{+}\rangle \langle {+}|$. Actually, as we discussed in the protocol, only the state $|{+}\rangle \langle {+}|$ can generate the security rate in the Z basis, as well as the double-click. The error rate caused by the states $|{0}\rangle \langle {0}|$ (or $|{1}\rangle \langle {1}|$) in the X basis can’t actually help us estimate the security rate precisely.

In Fig. 2, we simulate the security randomness rate with the photon distribution of the coherent state by different analyses with the asymptotic limit of the large data block and perfect devices. Obviously, the rate of discarding the double-click on the Z basis is overestimated when the light intensity increases. In fact, this example can be expand to the general attacking states satisfying $\rho =q|{+}\rangle \;\langle {+}|+(1-q)\mathbb {I}$, and here we only show the case with $q=\frac {1}{2}$. A discussion of more general versions of the attack aiming at double-clicks can be found in Supplementary Information.

7. Experiment

Here we implement a SI-QRNG with the phase encoding method that is convenient for modulation and measurement in the fiber system. Because there is no limitation of the source in a SI-QRNG system, we use the daily illumination, such as a halogen lamp and a laser, as the source to demonstrate the general applicability and the robustness of coherent and thermal sources in our implementation.

Our setup is shown in Fig. 3: A double output light source owned by Eve and an all-fiber measurement part with two SPDs owned by Alice, which are both formed by commercially available components. To characterize the SPDs precisely, we measure the detector parameters with a well-controlled laser beforehand. We set the detectors with trigger bandwidth 20 MHz, gate width 3 ns, and dark count rate $\sim$300/s. The SPDs are measured to have detection efficiencies $\gamma _{0}, ~\gamma _{1}$ of $13\%$ and $17\%$, and the overall first-order afterpulse probabilities $\hat {p}_{0},~\hat {p}_{1}$ of 4.36% and 8.23%, respectively. The gate model is used for chopping the continuous light and deciding the detection windows. Dead-time is not set for guaranteeing that each gate can normally receive the photons.

Fig. 3. The experimental setup of our scheme. The source is collected and modulated in the part of Eve by a convex lens (CL), an adjustable collimator (AC), several filters, a fiber polarizer, a variable optical attenuator (VOA), and a $50/50$ beam spliter (BS). Then Alice modulates and measures the received photons by a phase modulation (PM) and two SPDs to generate the raw random bits.

Download Full Size | PDF

In theory, we can use any illumination as the light source, but delicate calibration is also necessary for the high performance of the generation rate. Here we precisely calibrate the spectrum and the polarization of the source. Our light source is a common daily-use illumination, a halogen lamp (Philips GU5.3) that is focused by a convex lens (focus length of 25.4mm) and then collected into a single-mode fiber by an adjustable collimator (focus length of 11mm). To guarantee a better interference result, we use several filters to make the photons satisfy the wavelength range of $1549.3\pm 0.3$ nm. Besides, a laser with center wavelengths of $1550.1\pm 0.02$ nm is also used as the initial coherent state source. The initial photons are transmitted through a variable optical attenuator (VOA) to adjust the numbers of photons. Then, a fiber polarizer (FP) follows to guarantee the determinacy of the polarization, and a $50/50$ beam spliter (BS) divides these photons into two synchronously outputting light beams whose phase difference is zero. In the dimension of the phase, we hope to achieve an ideal superposition of the phase $|{+}\rangle$, which is common in the phase coding system [50].

To generate random numbers, we make the input light beams interfere. A phase modulator (PM) is placed on one arm to realize base selection. Charge accumulation in the birefringence modulator is relevant only for modulation slower than 1 Hz [51], thus it won’t introduce the autocorrelation. The modulation signal generated by an any waveform generator (AWG) is used to modulate the phases difference of input beams to $0, \pi /2$, corresponding to the X and Z bases, respectively. The X basis ratio is chosen as 10% which is the optimized probability of $q_{x}$ in simulation. The modulation signal is calibrated in advance, and the imperfect modulation rotation angle $\theta$ is measured as 0.002 rad.

The interference photons are detected by the SPDs and corresponding response results are recorded by a time-digital converter. Here we acquired $N=10^{9}$ total effective results and choose the security parameter $\varepsilon _{sec}=2\times 2^{-50}$. By the Toeplitz-matrix hashing extractor, we obtain the final randomness rates of 1.06 Mbps and 3.37 Mbps with the halogen bulb and laser, respectively. It is faster than the original SI-QRNG which achieved the rate of 5 kbps [27]. In Fig. 4, we demonstrate the extractable randomness rate of each raw bit with different post-processing block sizes with $\sigma =10$. The plot shows that randomness bits can significantly be obtained already for $n_{p}=10^{6}$. In our experiment, for the optimal final rate, we set $n_{p}=10^{9}$. The output strings successfully passed the standard statistical test, NIST, and the results are shown in Supplementary Information.

Fig. 4. Extractable randomness rate as a function of the block size. We choose the mean photon number $\sigma =10$. FRCS is the finite-key rate of the coherent state. ARCS is the asymptotic rate of the coherent state. FRTS is the finite-key rate of the thermal state. ARTS is the asymptotic rate of the thermal state.

Download Full Size | PDF

We note that the photon number distribution is also an important parameter for the final randomness rate, while it has a vital influence on the generation rate rather than the security [34]. Here, corresponding to the source used, we assume the distribution is measured beforehand as the thermal state and coherence state. In Fig. 5, we demonstrate the randomness generation rate in simulation and experiment with different mean photon numbers of each detection window. For measuring the mean photon numbers, we set the basis to Z to record the total counts and then calculate the mean photon numbers. The result shows that with the same measurement devices, the randomness rate in our scheme can reach the same order of magnitude as the rate upper bound in general QRNGs, even in the case of large imperfections. Therefore, the rate of our protocol can be increased by using a SPD with a higher frequency, such as the SPD with 500 MHz [52]. When the photon number increases, the high double click ratio can lead to the rate reduction, and hence the optimal light intensity is around 10 photons per pulse in our experiment, which has not reached the saturation rate of the detector. In Fig. 6, we demonstrate the double click ratios on the Z basis. We can see that when the light intensity is over 1 photon per pulse, the double click ratios of the coherent state will obviously be higher than that of the thermal state, and thus the rate of the coherent state has declined even more with high light intensity. It is also shown in Fig. 4 with $\sigma =10$. In Fig. 6, we also show the errorbar to bound the statistic fluctuations of the double-click results.

Fig. 5. The simulation and experimental results with different photon distributions. UBCS is the upper bound of the coherent state. FRCS is the finite-key rate of the coherent state. ARCS is the asymptotic rate of the coherent state. ECS are the experiment results of the coherent state. UBTS is the upper bound of the thermal state. FRTS is the finite-key rate of the thermal state. ARTS is the asymptotic rate of the thermal state. ETS are the experiment results of the thermal state.

Download Full Size | PDF

Fig. 6. The simulation and experimental results of the double click ratio in the Z basis with different photon distributions. DECS are the experiment results of the coherent state. DETS are the experiment results of the thermal state. DCS is the simulation results of the coherent state. DTS is the simulation results of the thermal state.

Download Full Size | PDF

8. Discussion

In conclusion, we have presented and experimentally demonstrated a SI-QRNG scheme tolerating high imperfect devices with daily illumination. SI-QRNG is the practical QRNG protocol that offers a great balance between rate and security. We have built the unified model for different imperfections based on the uncertainty relation for smooth entropy, and our results demonstrate that even with the large imperfections in the practical devices, it is possible to perform the security randomness rate close to the general QRNGs rate upper bound.

The main challenge of discrete variable QRNG performance is the frequency limitation of the SPDs, and high-frequency SPDs always suffer from unavoidable imperfections, such as high afterpulse probability. We have shown that this problem can be successfully solved in our model, and comparing the previous work, the rate reduction is trivial. Therefore, we believe that our results push ahead with the high speed and practical process of QRNG systems. Further, we also believe that our analysis model can be extended to other practical discrete variable protocols, such as QKDs.

Funding

National Key Research and Development Program of China (2018YFA0306400); National Natural Science Foundation of China (61627820, 61775207, 61822115, 61961136004); the Anhui Initiative in Quantum Information Technologies..

Disclosures

The authors declare no conflicts of interest.

Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

Supplemental document

See Supplement 1 for supporting content.

References

1. M. Herrero-Collantes and J. C. Garcia-Escartin, “Quantum random number generators,” Rev. Mod. Phys. 89(1), 015004 (2017). [CrossRef]

2. X. Ma, X. Yuan, Z. Cao, B. Qi, and Z. Zhang, “Quantum random number generation,” npj Quantum Inf. 2(1), 16021 (2016). [CrossRef]

3. T. Jennewein, U. Achleitner, G. Weihs, H. Weinfurter, and A. Zeilinger, “A fast and compact quantum random number generator,” Rev. Sci. Instrum. 71(4), 1675–1680 (2000). [CrossRef]

4. M. Gräfe, R. Heilmann, A. Perez-Leija, R. Keil, F. Dreisow, M. Heinrich, H. Moya-Cessa, S. Nolte, D. N. Christodoulides, and A. Szameit, “On-chip generation of high-order single-photon w-states,” Nat. Photonics 8(10), 791–795 (2014). [CrossRef]

5. L. Oberreiter and I. Gerhardt, “Light on a beam splitter: More randomness with single photons,” Laser Photonics Rev. 10(1), 108–115 (2016). [CrossRef]

6. M. A. Wayne, E. R. Jeffrey, G. M. Akselrod, and P. G. Kwiat, “Photon arrival time quantum random number generation,” J. Mod. Opt. 56(4), 516–522 (2009). [CrossRef]

7. M. Wahl, M. Leifgen, M. Berlin, T. Röhlicke, H.-J. Rahn, and O. Benson, “An ultrafast quantum random number generator with provably bounded output bias based on photon arrival time measurements,” Appl. Phys. Lett. 98(17), 171105 (2011). [CrossRef]

8. Y.-Q. Nie, H.-F. Zhang, Z. Zhang, J. Wang, X. Ma, J. Zhang, and J.-W. Pan, “Practical and fast quantum random number generation based on photon arrival time relative to external reference,” Appl. Phys. Lett. 104(5), 051110 (2014). [CrossRef]

9. C. Gabriel, C. Wittmann, D. Sych, R. Dong, W. Mauerer, U. L. Andersen, C. Marquardt, and G. Leuchs, “A generator for unique quantum random numbers based on vacuum states,” Nat. Photonics 4(10), 711–715 (2010). [CrossRef]

10. B. Qi, Y.-M. Chi, H.-K. Lo, and L. Qian, “High-speed quantum random number generation by measuring phase noise of a single-mode laser,” Opt. Lett. 35(3), 312–314 (2010). [CrossRef]

11. H. Guo, W. Tang, Y. Liu, and W. Wei, “Truly random number generation based on measurement of phase noise of a laser,” Phys. Rev. E 81(5), 051137 (2010). [CrossRef]

12. M. Jofre, M. Curty, F. Steinlechner, G. Anzolin, J. Torres, M. Mitchell, and V. Pruneri, “True random numbers from amplified quantum vacuum,” Opt. Express 19(21), 20665–20672 (2011). [CrossRef]

13. P. J. Bustard, D. Moffatt, R. Lausten, G. Wu, I. A. Walmsley, and B. J. Sussman, “Quantum random bit generation using stimulated raman scattering,” Opt. Express 19(25), 25173–25180 (2011). [CrossRef]

14. A. Quirce and A. Valle, “Random polarization switching in gain-switched vcsels for quantum random number generation,” Opt. Express 30(7), 10513–10527 (2022). [CrossRef]

15. Y.-Y. Hu, X. Lin, S. Wang, J.-Q. Geng, Z.-Q. Yin, W. Chen, D.-Y. He, W. Huang, B.-J. Xu, G.-C. Guo, and Z.-F. Han, “Quantum random number generation based on spontaneous raman scattering in standard single-mode fiber,” Opt. Lett. 45(21), 6038–6041 (2020). [CrossRef]

16. S. Pironio, A. Acín, S. Massar, A. B. de La Giroday, D. N. Matsukevich, P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe, “Random numbers certified by bell’s theorem,” Nature 464(7291), 1021–1024 (2010). [CrossRef]

17. B. G. Christensen, K. T. McCusker, J. B. Altepeter, B. Calkins, T. Gerrits, A. E. Lita, A. Miller, L. K. Shalm, Y. Zhang, S. W. Nam, N. Brunner, C. C. W. Lim, N. Gisin, and P. G. Kwiat, “Detection-loophole-free test of quantum nonlocality, and applications,” Phys. Rev. Lett. 111(13), 130406 (2013). [CrossRef]

18. P. Bierhorst, E. Knill, S. Glancy, Y. Zhang, A. Mink, S. Jordan, A. Rommal, Y.-K. Liu, B. Christensen, S. W. Nam, M. J. Stevens, and L. K. Shalm, “Experimentally generated randomness certified by the impossibility of superluminal signals,” Nature 556(7700), 223–226 (2018). [CrossRef]

19. Y. Liu, Q. Zhao, M.-H. Li, J.-Y. Guan, Y. Zhang, B. Bai, W. Zhang, W.-Z. Liu, C. Wu, X. Yuan, H. Li, W. J. Munro, Z. Wang, L. You, J. Zhang, X. Ma, J. Fan, Q. Zhang, and J.-W. Pan, “Device-independent quantum random-number generation,” Nature 562(7728), 548–551 (2018). [CrossRef]

20. M.-H. Li, X. Zhang, W.-Z. Liu, S.-R. Zhao, B. Bai, Y. Liu, Q. Zhao, Y. Peng, J. Zhang, Y. Zhang, W. Munro, X. Ma, Q. Zhang, J. Fan, and J.-W. Pan, “Experimental realization of device-independent quantum randomness expansion,” Phys. Rev. Lett. 126(5), 050503 (2021). [CrossRef]

21. W.-Z. Liu, M.-H. Li, S. Ragy, S.-R. Zhao, B. Bai, Y. Liu, P. J. Brown, J. Zhang, R. Colbeck, J. Fan, Q. Zhang, and J.-W. Pan, “Device-independent randomness expansion against quantum side information,” Nat. Phys. 17(4), 448–451 (2021). [CrossRef]

22. Z. Cao, H. Zhou, and X. Ma, “Loss-tolerant measurement-device-independent quantum random number generation,” New J. Phys. 17(12), 125011 (2015). [CrossRef]

23. Y.-Q. Nie, J.-Y. Guan, H. Zhou, Q. Zhang, X. Ma, J. Zhang, and J.-W. Pan, “Experimental measurement-device-independent quantum random-number generation,” Phys. Rev. A 94(6), 060301 (2016). [CrossRef]

24. T. Lunghi, J. B. Brask, C. C. W. Lim, Q. Lavigne, J. Bowles, A. Martin, H. Zbinden, and N. Brunner, “Self-testing quantum random number generator,” Phys. Rev. Lett. 114(15), 150501 (2015). [CrossRef]

25. F. Xu, J. H. Shapiro, and F. N. Wong, “Experimental fast quantum random number generation using high-dimensional entanglement with entropy monitoring,” Optica 3(11), 1266–1269 (2016). [CrossRef]

26. H. Tebyanian, M. Zahidy, M. Avesani, A. Stanco, P. Villoresi, and G. Vallone, “Semi-device independent randomness generation based on quantum state’s indistinguishability,” Quantum Sci. Technol. 6(4), 045026 (2021). [CrossRef]

27. Z. Cao, H. Zhou, X. Yuan, and X. Ma, “Source-independent quantum random number generation,” Phys. Rev. X 6(1), 011020 (2016). [CrossRef]

28. D. G. Marangon, G. Vallone, and P. Villoresi, “Source-device-independent ultrafast quantum random number generation,” Phys. Rev. Lett. 118(6), 060503 (2017). [CrossRef]

29. M. Avesani, D. G. Marangon, G. Vallone, and P. Villoresi, “Source-device-independent heterodyne-based quantum random number generator at 17 gbps,” Nat. Commun. 9(1), 5365 (2018). [CrossRef]

30. Y.-H. Li, X. Han, Y. Cao, X. Yuan, Z.-P. Li, J.-Y. Guan, J. Yin, Q. Zhang, X. Ma, C.-Z. Peng, and J.-W. Pan, “Quantum random number generation with uncharacterized laser and sunlight,” npj Quantum Inf. 5(1), 97 (2019). [CrossRef]

31. D. Drahi, N. Walk, M. J. Hoban, A. K. Fedorov, R. Shakhovoy, A. Feimov, Y. Kurochkin, W. S. Kolthammer, J. Nunn, J. Barrett, and I. A. Walmsley, “Certified quantum random numbers from untrusted light,” Phys. Rev. X 10(4), 041048 (2020). [CrossRef]

32. T. Michel, J. Y. Haw, D. G. Marangon, O. Thearle, G. Vallone, P. Villoresi, P. K. Lam, and S. M. Assad, “Real-time source-independent quantum random-number generator with squeezed states,” Phys. Rev. Appl. 12(3), 034017 (2019). [CrossRef]

33. Z. Zheng, Y. Zhang, M. Huang, Z. Chen, S. Yu, and H. Guo, “Bias-free source-independent quantum random number generator,” Opt. Express 28(15), 22388–22398 (2020). [CrossRef]

34. X. Lin, S. Wang, Z.-Q. Yin, G.-J. Fan-Yuan, R. Wang, W. Chen, D.-Y. He, Z. Zhou, G.-C. Guo, and Z.-F. Han, “Security analysis and improvement of source independent quantum random number generators with imperfect devices,” npj Quantum Inf. 6(1), 100 (2020). [CrossRef]

35. D. Ma, Y. Wang, and K. Wei, “Practical source-independent quantum random number generation with detector efficiency mismatch,” Quantum Inf. Process. 19(10), 384 (2020). [CrossRef]

36. M. Tomamichel and R. Renner, “Uncertainty relation for smooth entropies,” Phys. Rev. Lett. 106(11), 110506 (2011). [CrossRef]

37. M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nat. Commun. 3(1), 634 (2012). [CrossRef]

38. D. Frauchiger, R. Renner, and M. Troyer, “True randomness from realistic quantum devices,” arXiv preprint arXiv:1311.4547 (2013).

39. N. J. Beaudry, T. Moroder, and N. Lütkenhaus, “Squashing models for optical measurements in quantum communication,” Phys. Rev. Lett. 101(9), 093601 (2008). [CrossRef]

40. O. Gittsovich, N. J. Beaudry, V. Narasimhachar, R. R. Alvarez, T. Moroder, and N. Lütkenhaus, “Squashing model for detectors and applications to quantum-key-distribution protocols,” Phys. Rev. A 89(1), 012325 (2014). [CrossRef]

41. C. H. Bennett and G. Brassard, “Quantum cryptography,” in Proc. IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India, (1984), pp. 175–179.

42. P. W. Shor and J. Preskill, “Simple proof of security of the bb84 quantum key distribution protocol,” Phys. Rev. Lett. 85(2), 441–444 (2000). [CrossRef]

43. H.-K. Lo and H. F. Chau, “Unconditional security of quantum key distribution over arbitrarily long distances,” Science 283(5410), 2050–2056 (1999). [CrossRef]

44. M. Koashi, “Unconditional security of quantum key distribution and the uncertainty principle,” in Journal of Physics: Conference Series, vol. 36 (IOP Publishing, 2006), p. 016.

45. M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and H.-K. Lo, “Finite-key analysis for measurement-device-independent quantum key distribution,” Nat. Commun. 5(1), 3732 (2014). [CrossRef]

46. C. C. W. Lim, M. Curty, N. Walenta, F. Xu, and H. Zbinden, “Concise security bounds for practical decoy-state quantum key distribution,” Phys. Rev. A 89(2), 022307 (2014). [CrossRef]

47. M. K. Bochkov and A. S. Trushechkin, “Security of quantum key distribution with detection-efficiency mismatch in the single-photon case: Tight bounds,” Phys. Rev. A 99(3), 032308 (2019). [CrossRef]

48. Z.-W. Yu, Y.-H. Zhou, and X.-B. Wang, “Reexamination of decoy-state quantum key distribution with biased bases,” Phys. Rev. A 93(3), 032307 (2016). [CrossRef]

49. G.-J. Fan-Yuan, C. Wang, S. Wang, Z.-Q. Yin, H. Liu, W. Chen, D.-Y. He, Z.-F. Han, and G.-C. Guo, “Afterpulse analysis for quantum key distribution,” Phys. Rev. Appl. 10(6), 064032 (2018). [CrossRef]

50. K. Inoue, E. Waks, and Y. Yamamoto, “Differential phase shift quantum key distribution,” Phys. Rev. Lett. 89(3), 037902 (2002). [CrossRef]

51. E. L. Wooten, K. M. Kissa, A. Yi-Yan, E. J. Murphy, D. A. Lafaw, P. F. Hallemeier, D. Maack, D. V. Attanasio, D. J. Fritz, G. J. McBrien, and D. Bossi, “A review of lithium niobate modulators for fiber-optic communications systems,” IEEE J. Sel. Top. Quantum Electron. 6(1), 69–82 (2000). [CrossRef]

52. L. C. Comandar, B. Fröhlich, J. F. Dynes, A. W. Sharpe, M. Lucamarini, Z. Yuan, R. V. Penty, and A. J. Shields, “Gigahertz-gated ingaas/inp single-photon detector with detection efficiency exceeding 55% at 1550 nm,” J. Appl. Phys. 117(8), 083109 (2015). [CrossRef]

Imperfection-insensitivity quantum random number generator with untrusted daily illumination

Abstract

1. Introduction

2. Security definitions

3. Protocol

4. Device model

5. Security randomness rate

6. Simulation analysis

7. Experiment

8. Discussion

Funding

Disclosures

Data availability

Supplemental document

References

Supplementary Material (1)

Data availability

Cited By

Figures (6)

Tables (1)

Equations (8)

Optics Express