 Research
 Open Access
 Published:
Independent quality assessment of a commercial quantum random number generator
EPJ Quantum Technology volume 9, Article number: 17 (2022)
Abstract
We reverseengineer, test and analyse hardware and firmware of the commercial quantumoptical random number generator Quantis from ID Quantique. We show that \(>99\%\) of its output data originates in physically random processes: random timing of photon absorption in a semiconductor material, and random growth of avalanche owing to impact ionisation. Under a strong assumption that these processes correspond to a measurement of an initially pure state of the components, our analysis implies the unpredictability of the generated randomness. We have also found minor nonrandom contributions from imperfections in detector electronics and an internal processing algorithm, specific to this particular device. Our work shows that the design quality of a commercial quantumoptical randomness source can be verified without cooperation of the manufacturer and without access to the engineering documentation.
Introduction
Random number generators (RNGs) are used in a large variety of applications. Nowadays both software and physical RNGs are in use [1]. A crucial aspect of random numbers is their unpredictability—the outcome of a coin toss would not be considered random if it could be known before the tossing. Software RNGs do not satisfy this criterion (unless further assumptions are made) for their output is generated by a deterministic algorithm, which is why they are also termed “pseudorandom” [2]. Conversely, the output of physical RNGs is obtained by measuring physical quantities. According to quantum theory, for a suitably designed measurement on a quantum system, the outcome cannot be predicted even if the system’s physical state at the time when the measurement process is started is known completely. Quantum RNGs exploit such quantum measurements. Hence, if designed properly, their outputs are fundamentally unpredictable and, in this sense, truly random [3].
Although physical RNGs are used in commercial applications, as of yet there does not exist any complete and reliable procedure for their certification [1]. Attempts to establish requirements based exclusively on an analysis of the output stream like NIST’s tests [4] are not sufficient to ascertain randomness, because a statistical test of a sequence can never prove its unpredictability [5]. Indeed, a device may pretend to generate randomness while actually replaying a bit sequence that has been prerecorded from a true random source. The output of such a fake RNG would then obviously pass any statistical test that the true random source passes, whereas a third party may hold an exact copy of the prerecorded sequence and hence predict its output.
There are in principle two different approaches to resolve this problem. One is deviceindependent random number generation [6–8]. Here the idea is to consider data generated by two separated devices that share quantum entanglement. The quantum origin of the data can then be certified by a Bell test. The advantage of this approach is that no assumptions about the inner workings of the devices that produce the data are necessary. However, with today’s technology, deviceindependent schemes are complex lab experiments with impractically low bit rates (see, e.g., [9]). In addition, they still need some trusted randomness as input, which is used for selecting between the different observables that enter the Bell test.
Semideviceindependent QRNG [10] is a more technically feasible approach than deviceindependent. In return for the relative simplicity of the QRNG implementation and increase generation rate, the semideviceindependent QRNG requires some assumptions about the device operation or its features, although still does not need a complete device model. As example, some semideviceindependent protocols require that QRNG should have trusted source [11, 12] or trusted measurement [13, 14]. Other protocols do not require any assumptions for setup components, but they make assumptions on the overlap [15] or the energy [16] of the prepared quantum states or assumptions on the Hilbert space dimension [17, 18]. While generation rate increased significantly, technical realization of the semideviceindependent QRNG remains relatively complex and there are still no onshelf devices.
In this work we are concerned with the converse, i.e., the devicedependent, approach [19]. In contrast to the above, devicedependent RNGs are more practical, smaller, faster, and cheaper [3]. The price to pay for this is that, to certify their unpredictability, one requires an accurate and verifiable model of the device’s operation, described within the formalism of quantum theory. Such a description is however rarely available for realworld devices. In this case the assessment of the quality of the generated randomness may still be based on tests of the individual components of the device, but must usually be supplemented by strong assumptions about the parts that cannot be analysed completely.
Here we carry out such an analysis for the quantumoptical “Quantis” device from ID Quantique [20], which has been available since the year 2001 and used in a number of realworld applications (Swiss Lottery, United Kingdom NSI Banking, Ukraine Online Gaming, etc. [20]). As explained above, the question whether the device generates true randomness cannot be answered by mere statistical tests of the output sequence. Instead, a user must trust that the randomnessgenerating process the device’s manufacturer claims to employ has been implemented correctly. To establish this trust, it should be possible for an independent party to examine and verify the generator, including an indepth inspection of its internal functioning. This certification can be commissioned by the manufacturer from an accredited certification lab. ID Quantique has got verified the compliance of Quantis with the AIS 20/31 standard [21, 22].
Typically, in the course of such a certification, the lab examines design documentation provided by the manufacturer, and examines a device sample according to procedures defined in the standard. However, it is not clear how well the procedures in the existing standards cover the greater number of physical phenomena in the quantum RNG. Therefore, here we perform an independent examination of Quantis without access to the manufacturer’s internal documentation. The goal of our work is to identify the physical processes that produce data in Quantis, and verify that the internal postprocessing of this data is sound. Our analysis and model are specific to this particular type of device. Other types of QRNGs would have a different model and, possibly, other analysis approaches of their hardware, operation, and postprocessing algorithms.
In analogue to existing practices in highlydemanding hardwaredependent areas [23, 24], the certification procedure of the physical RNG should consists of at least the following four stages.

Discussion of the underlying physical model and assumptions.

Examination of calculation algorithms.

Inspection of the hardware realization.

Statistical tests of the output bit stream.
We follow the above methodology in our study. Previous studies have only tested the output stream of Quantis [21, 25–27] but not analysed its internals.
We have examined 6 devices with different manufacturing dates, ranging from 2007 to 2013 with serial numbers (s/n): 0701100A210, 0701108A210, 0701132A210, 0902242A210, 1304527A210, and 1304609A210 (the first two digits represent the year of manufacture and the remaining digits are internal serial numbers). Our key sample that provides most of our data has been purchased from a regular stock, without warning the manufacturer of its intended use. We have been guided only by openly available information: a white paper [28], application note [29], user guide [20], randomness test report [27], and a patent that outlines the actual implementation of the optics [30]. These sources provide a very basic understanding of the device’s principle and functionality. To obtain the rest of the necessary data, we have reverseengineered the device, examining and analysing closely its electrical and optical parts. During the examination Quantis s/n 0902242A210 has been destroyed in order to explore its optical part, obtain images of avalanche photodiodes (APDs) and measure properties of the light source. Our key sample (s/n 1304527A210) has been disassembled but remained functional, and all our invivo measurements have been done on it. The other four samples (s/n 1304609A210, 0701100A210, 0701108A210, and 0701132A210) have not been disassembled and have only been used for tests of their output bit stream.
Quantis teardown
The basis of Quantis hardware is a printed circuit board (PCB) that carries all its construction elements. The board is coated with a thick layer of black epoxy then packed into a metal can, presumably either to hide the design or to protect internal components from ambient light and moisture. We have removed the can and epoxy by heating the PCB up to about \(150\,^{\circ}\text{C}\) with a hotair gun. At this temperature solder does not yet melt and electronic components survive, while the epoxy softens and can be peeled off completely. The PCB is shown in Fig. 1.
A key part of the device is its “source of quantumness”, consisting of a black anodized aluminum sleeve [Fig. 2(b)] with a light source at one end [Fig. 2(a)] and a pair of singlephoton detectors at the opposite end [Fig. 2(c)]. No optical beamsplitter element has been found inside the sleeve, which is consistent with the patent [30] but disagrees with the optical scheme included in the specification of the device that shows a freespace beamsplitter (Fig. 1 in [28]).
The detectors are avalanche photodiodes (APDs) working in a Geiger mode [31]. The allsilicon structure embodies a pair of APDs, amplifiers and quenching circuit for them. Geometric dimensions of the APDs have been determined by electron microscopy: the sensitive areas have a round shape with a diameter of \(\approx 10~\mu \text{m} \) spaced at \(50~\mu \text{m} \) between their centers [Fig. 2(d)]. A programmable stepup switching DC/DC converter (SSC) provides a bias voltage for both APDs.
We have measured spectral characteristics of the light source. It has broadband emission centered at \(820\text{ n} \text{m} \) with fullwidth at halfmagnitude (FWHM) of 40 nm, and viewing angle of 10^{∘}. These characteristics are very typical for a nearinfrared lightemitting diode (LED).
Linear voltage regulators with 3.3 and 1.8 V output voltages (Fig. 1) power all onboard electronics. A broadspectrum \(40\text{ M} \text{Hz} \) oscillator provides a system clock. A complex programmable logic device (CPLD) performs most of the device functionality. This CPLD is Xilinx type XC2C256 in a 100pin package VQG100CMS1249 with multivoltage input and output operation from 1.5 to 3.3 V. Unsurprisingly, the CPLD firmware is locked against its readout. All the following knowledge has therefore been obtained by analysing the rest of the electronic circuit, invivo signal capturing, applying external probing signals and observing them propagating through the circuit.
A simplified electrical scheme of Quantis and recorded real signals are shown in Figs. 3 and 4. The RNG works in a cyclebased regime. Every cycle starts with a \(12\text{ n} \text{s} \) long voltage pulse formed at line LD by the CPLD [Fig. 5(a)], which is applied through a ballast resistor R to the LED causing it to emit a longer flash of light [Fig. 5(b)]. This light may trigger an avalanche in either of the APDs, generating, after amplification, “click” signals DET1 and DET2 for the CPLD. The CPLD operation procedure differs depending on whether or not clicks appear from the APDs. If none of the detectors has clicked, the CPLD just repeat next cycle by the pulse at line LD with a \(50\text{ n} \text{s} \) delay (cycles # 2, 3, 7–9, 12, 14, … in Fig. 4). If any of the APDs clicks, the CPLD DETx input goes high and it activates a quenching procedure by pulling the QNCH output low, which reduces the bias voltage \(V_{\text{b}}\) on both APDs and thus quenches the avalanche (cycles # 1, 4–6, 10, 11, 13, …). In most cycles with detectors clicks (cycles # 1, 4–6, 13, …) the CPLD starts next cycle with \(150\text{ n} \text{s} \) delay presumably needed to reduce afterpulsing [31]. But sometimes one or both APDs click with a slight delay relative to the LED light pulse (cycles # 10, 11, 20), in these cases the postprocessing algorithm (PP in Fig. 3) does not consider this to be a valid click and the cycle time remains 50 ns.
To convert input APD clicks into the output random bit stream, CPLD performs the postprocessing procedure. After postprocessing the output binary stream of the RNG is transmitted out through a serial peripheral interface (SPI) bus: the random bit value should be read on data_out line at the leading edge of the clock signal data_sck [29].
An analysis of the captured oscillograms reveals the following postprocessing algorithm of converting APD clicks into the output stream. A random bit is output from PP if one and only one APD clicks (cycles # 1, 4–6, 13, 15, 19, 23–25, 28 in Fig. 4), namely the output level data_out may change and a sync pulse data_sck is generated. In cycles when none (# 2, 3, 7–9, 12, 14, 16–18, 21, 22, 26, 29) or both (# 27) APDs click, and in cycles with delayed (# 10, 11, 20) APD clicks, no output random bit is produced (data_out remains unchanged and there is no sync pulse data_sck).
The postprocessing consist of a state machine (Fig. 6). It has two states \(S = 0\) and \(S = 1\) and generates the output bit \(x_{n}\) (data_out) in each CPLD cycle n. Only one 1bit internal variable exists: the value \(x_{n}\) of the last random bit outputted (0 or 1). Events A and B correspond to valid clicks of the first (DET1) and the second (DET2) APDs, respectively. The state machine works in every cycle as follows. When \(S = 0\) and event A occurs, a “flip” is executed—the output bit value is reversed relative to the current one (\(x_{n+1}=\overline{x_{n}}\)) and the state S remains unchanged. When \(S = 0\) and event B occurs, a “hold” is executed—the value of the output bit does not change (\(x_{n+1}=x_{n}\)) and the state S changes to the opposite (S becomes 1). When \(S = 1\), at event A the hold occurs and at event B the flip occurs. In the cases when either none of the events A and B occur or both events A and B occur simultaneously, S changes to the opposite without outputting a bit. Note that PP treats delayed clicks (# 10, 11, 20) as the absence of A and B.
Figure 4 shows signals in the circuit well after the state machine has started. For the cycle we numbered #0 in Fig. 4 we have \(S = 1\), \(x_{0}=0\), and \({\textit{data}\_\textit{out}} = 0\).
A feedback loop exists to maintain a mean rate of the output stream at the level of \(4\text{ M} \text{Hz} \). For this purpose, the CPLD varies the bias voltage of the APDs \(V_{\text{b}}\), effectively tuning their quantum efficiency (Fig. 3). A counter CNT measures a mean frequency of cycles when only one detector clicks. The error signal of the feedback loop is a difference between the value counted and the target rate of \(4\text{ M} \text{Hz} \). The error signal passes through a software integrator INT and is applied to the voltage control input of the SSC.
Analysis of design
Physical model
We now have a closer look at Quantis’ underlying physical model, which we describe in terms of standard notions from quantum optics. As we have investigated before, the light source is a LED with central line at \(\lambda = 820\text{ n} \text{m} \) and bandwidth of \(2 \cdot \Delta \lambda = 40\text{ n} \text{m} \). For such a source the coherence time (a characteristic period of time while light wave “remembers” its history) can be estimated as
On the other hand, the registration period of APDs signals is at least \(25\text{ n} \text{s} \gg \tau _{\text{coh}}\). Hence, the signal measured can be regarded a result of a large number of possible independent photon absorption events. This would imply that the APD clicks have Poissonian statistics and are independent in both channels.
No entanglement by the number of photons may exist in the current scheme: the presence or absence of a photon in one channel says nothing about signal in the other one. It contradicts the principle declared in ID Quantique Quantis white paper (p. 11) [28] that states it is a “which way” scheme. It is not, because registration of a photon in one channel does not exclude the possibility of photon registration in the other channel.
The actual physical source of randomness in Quantis is the photoexcitation of a carrier in the absorption layer of the APD [31]. A secondary significant source of randomness is the subsequent random growth of avalanche by impact ionisation in the APD [32]. Owing to the statistical nature of the latter process, some avalanches die without being detected (their number of carriers may fluctuate down to zero), and for those detected their detection time is randomly distributed.
Lacking a precise microscopic model of this hardware, we cannot however without further assumptions conclude that its apparent random behaviour is due to a generically unpredictable quantum process. At this point we thus need to make a crucial assumption. We suppose that the measured statistics of the data produced by the components would be unchanged if all degrees of freedom that are accessible to an adversary were initialised to any pure state. This assumption guarantees that a possible attacker who has access to information about the device’s initial state cannot predict its outputs (beyond the bias implied by the measured statistics).
Postprocessing procedure
Now, let us consider the postprocessing algorithm with assumptions that follow from the physical model. We treat the signals from the pair of APDs as independent Poisson processes with different probabilities of clicks
The probabilities of events when one and only one particular detector clicks (events A and B) are
and the probability that neither A nor B takes place is
In this notation the probability that the next output bit will be inverted with respect to the current bit (we call this action a flip) equals to
where the sum over m is the probability of an even number of transitions between \(S=0\) and \(S=1\) without producing an output bit. Similarly, the probability of the next bit being equal to the current bit (hold) is
Their difference is thus
For a real physical system, the count probability of two detectors can never be perfectly equal, owing to differences in their quantum efficiency, size, intensity of illumination, and possibly other factors. It follows from Eq. (7) that if the probabilities of APD signals \(p_{1}\) and \(p_{2}\) are not exactly equal, then the event flip will be more likely than hold. This intrinsic property of the PP introduces correlations in the output stream, i.e., makes it less than perfectly random. We have studied this effect experimentally in Sect. 4.4.
The prevalence of the flip events may also be caused by the APD signals being nonPoissonian, in particular their exhibiting afterpulsing. We have not considered this effect in our model.
Feedback loop stability
A feedback loop that maintains a constant bitrate of the output stream includes integrator INT and switching power supply SSC (Fig. 3), besides other elements. SSC has a passive filter network at its output with a time constant of \(100\text{ m} \text{s} \). This means that its frequency response decays by \(20\text{ d} \text{B} \) per frequency decade at frequencies \(> 1.6\text{ Hz} \). The integrator provides an additional slope of \(20\text{ d} \text{B} \) per decade in the loop gain. Hence, the phase margin is not sufficient, which may lead to peaking and oscillation of the output stream bitrate.
Moreover, this feedback loop in theory allows that a lock situation may happen. With increasing reverse bias voltage \(V_{\text{b}}\), the probability of APD clicks increases. However, only singledetection events are counted. The higher \(V_{\text{b}}\) is, the more simultaneous clicks in both detectors appear and these events will be discarded. The negative feedback may then turn into positive. This may in principle lead to the system locking at the maximum \(V_{\text{b}}\).
Measurements
In order to test the ability of RNG Quantis to generate random sequences, we have carried out a number of measurements on both the source of randomness (the APDs) and postprocessing procedure. The objective of each is to find and quantify possible nonrandom effects. Since we are measuring correlations at the APD outputs, we deem it unnecessary to check the stability and power of the LED emission. It is clear both APDs are working in the Geiger mode, although their photon detection efficiency may be rather low (we did not measure it). We do not think low photon detection efficiency affects the randomness, because the physics of the avalanche remains the same. We compare the contribution of possible nonrandom effects in the output bit stream with the specification of Quantis that states that “thermal noise contribution” should be less than 1% [20], which means to be the upper bound on all potential nonrandomness in the output stream. While we cannot claim that our set of measurements is complete, the sum of the nonrandom effects we have found does not exceed 1%.
Dark counts
Even in the absence of light, the APDs produce a certain number of clicks—dark counts [31]. Conservatively, these are not considered to be the source of randomness.
We have measured the dark counts in 0 to \(40\,^{\circ}\text{C} \) temperature range, by placing Quantis in a thermal chamber. Results of the measurements are shown in Fig. 7. The dark count rate rises exponentially with temperature. Extrapolating to \(+70\,^{\circ}\text{C} \), which it a commonly assumed upper end of operating temperature range for commercial products, we obtain less than \(1\text{ k} \text{Hz} \) dark count rate summed over the two APDs. Thus the dark counts contribute less than 0.025% of the output bits.
Autocorrelation of APD counts
In Quantis the sources forming a random output sequence are APDs. Therefore, we have first studied the properties of the output signals obtained from photodetectors directly after their preamplification (DET1 and DET2 in Fig. 3).
As discussed in Sect. 3.1, the clicks from each photodetector should be independent and their statistics should be Poissonian. The measured autocorrelation function under continuouswave illumination from the LED is plotted in Fig. 8(a). It has an expected shape for a Poissonian process, with a dip in the first \(150\text{ n} \text{s} \) owing to the deadtime imposed by the PP. However a close examination reveals smallamplitude oscillation of unknown origin, which we have magnified in Fig. 8(b). The peaktopeak magnitude of these oscillations reaches 2.6%.
Owing to the relatively large magnitude exceeding 1% and the oscillation frequency comparable with the output bit rate, this effect is potentially significant. To analyse it, the measurement needs to be repeated in the normal operation of the circuit (with gated LED). Also, a crosscorrelation on a similar or longer time scale need to be measured and the combined correlation propagated through the PP. Unfortunately, we have realised this after dismantling the experiment. A simpler crosscorrelation measurement presented in Sect. 4.3 is insufficient for this analysis.
Crosscorrelation of APD counts
During an avalanche, the APD emits a few photons, socalled backflash [33]. These may reach the other APD (via internal reflections and scattering inside the optical enclosure shown in Fig. 2) and cause a correlated click. Also, electronic interference between the two singlephoton detector circuits may in principle exist. Such clicks are not considered to be random.
In order to estimate the click rate owing to the backflash, we have electrically disconnected the LED and measured crosscorrelation between DET1 and DET2 in darkness (Fig. 9). The peak owing to the optical crosstalk is clearly visible. However, the probability of backflashinduced click is small: in 16 h measurement time, we have registered \(2.8 \times 10^{6}\) single clicks in one APD and \(4.3 \times 10^{6}\) in another, but only about 500 coincidences in \(\pm 20\text{ n} \text{s} \) window. Thus the contribution of the crosstalk to the output bit stream is \(\approx 0.007\%\).
In order to check for possible further crosstalk effects, we have repeated the measurement under continuouswave illumination from the LED. The result is shown in Fig. 10. The central features are caused by the expected circuit operation such as quenching (Sect. 2). However any crosscorrelation beyond the shortest bit generation interval of \(\pm 150\text{ n} \text{s} \) would be of interest, because it may affect the output bit stream. Our histogram shows an elevated crosscorrelation probability in −300 to \(150\text{ n} \text{s} \) range, however a further study is required to confirm and quantify it.
Statistical imperfections in the output bit stream
To verify statistic bias owing to APD efficiency mismatch derived in Sect. 3.2, a dedicated FPGAbased circuit has been designed. It allows to analyse long consistent sequences in real time without missing a bit. With this setup, the sequence of signals of \(N = 1\) Gibit length at the output of the RNG has been analysed. The results of this analysis are given in Table 1. We have measured five devices with different s/n. For each device, we have counted the number of bits 0 and 1 in the output stream \(\mathbb{N}\) and calculated their relative deviation from equiprobable. We have also counted the number of hold and flip events, i.e., the number of two consecutive bits having matching and not matching values. The last column shows the relative deviation of hold and flip from equiprobable.
For a large and perfectly random binary sequence, the standard deviation of the relative deviation from equiprobable is \(N^{1/2} \approx 3.05\cdot 10^{5}\). The relative deviation between the number of 0 and 1 bits in our tests is small and does not exceed the standard deviation, with the exception of the device s/n 0701132A210 that slightly exceeds it. These results are in good agreement with the expected equal probability of 0 and 1, i.e., the output sequence is balanced. However, for the hold and flip events the situation is different. Their measured relative deviation exceeds the standard deviation by a factor of 2 to 12. We infer that this statistical deviation is due to APD efficiency mismatch.
Assuming click probabilities for both APDs are approximately equal \(p_{1} \approx p_{2} \approx 0.28\) (estimated from the recorded oscillograms in Fig. 4), we obtain from Eq. (7):
For Quantis s/n 0701132A210, in which the greatest deviation has been observed, the absolute difference of APD click probabilities \({p_{1}  p_{2}} \approx 0.025\) and the relative difference \({{p_{1}  p_{2}} / p_{1}} \approx 8.8\%\). While this is a fairly good click rate matching for the APDs manufactured on the same chip, they are not identical.
We remark that the above statistically significant prevalence of the flip bit pairs over hold bit pairs has neither been detected by the manufacturer’s statistical testing [27] nor our own application of the NIST SP80022 test suite [34] on the output stream from our abovementioned worst sample. It was detected by independent researchers [26], who however could not explain its origin. They tested a Quantis sample purchased in 2004 and also observed a statistically significant bias (fewer zeros than ones in the output sequence) that we did not observe in our samples.
Feedback signal
We have measured time and frequency characteristics of the feedback signal (Fig. 11). As expected, it exhibits oscillations with the spectral maximum around 33 Hz. These oscillations however should not affect the probability distribution of the output sequence, because they affect both APDs in the same way. However, they should cause the timing of the output bits to not be regular, which indicates that the timing should not be used in an application.
We have not observed the system locking, whose theoretical possibility is mentioned in Sect. 3.3.
Discussion and conclusion
While no optical beamsplitter element has been found in the Quantis device, it nevertheless contains two sources of randomness—two Geigermode APDs. Within them, the relevant quantum processes are photoexcitation and impact ionisation. Basically, either APD may be regarded as an independent source of randomness, however the presence of two of them increases the output bit rate. Indeed, a similar QRNG based on a single APD can be constructed [35].
To assess the quality of the randomness generated by these APDs, one would in principle need a microscopic model describing their workings. Within such a model, one may then attempt to prove that their output is unpredictable even if the quantum state of the APDs was fully known (i.e., pure) at the time when the randomness generation process is initiated, that is, when the device received the trigger signal requesting it to generate randomness [19]. However, lacking such a microscopic model, one may also resort to physically reasonable assumptions. Specifically, we assume here that the experimentally measured behaviour of the APDs is identical to the one they would exhibit if their microscopic degrees of freedom that are accessible to an adversary were at the beginning of each measurement in any pure state. Under the assumption that the adversary has no access to the device, this assumption holds trivially.
We have tested for potential imperfections in Quantis that could have an impact on the randomness in the output bit stream. We have found a correlation between adjacent output bits owing to the click rate mismatch of the APDs. However this and other effects stay well below the specified “thermal noise contribution” of less than 1% [20]. Our preliminary conclusion is that Quantis conforms to its published specification of the physical randomness content in the output bit stream, provided that one is ready to make the assumptions described above.
Unfortunately, one potential effect that may lead to an additional reduction of randomness—auto and crosscorrelations of APD clicks—has not been sufficiently well measured and analysed by us to reach a conclusion. This could be the topic of a future study.
We also note that the postprocessing implemented by the device does not include randomness extraction. The generated randomness may thus be used for applications where a small bias is acceptable. However, for applications that require uniform randomness, the raw randomness generated by the device would need to be further processed by randomness extractors (see [36] for details). To choose the corresponding extractor parameters, one would also need an estimate of the minentropy of the raw randomness. Such an estimate would however require additional assumptions on the type of side information held by an adversary as well as a detailed analysis of crosscorrelations, and thus goes beyond the scope of this work. We remark that not all applications require or indeed can tolerate the timeconsuming randomness extraction. An example of the latter is testing for the violation of a Bell inequality with the locality and freedomofchoice loopholes closed [37–39]. There, the short time between the photon absorption in the APD and the resulting random bit being used for measurement choice is a crucial experimental and conceptual constraint.
Overall, we have shown that an independent security analysis of a commercial quantum RNG can be done. This improves the trust in these devices.
We shared the finished manuscript with ID Quantique before its submission for publication. The company read it, thanked us, and did not suggest any significant corrections.
Availability of data and materials
Raw experimental data and calculations can be obtained from the corresponding author upon a reasonable request.
References
L’Ecuyer P. History of uniform random number generation. In: Proc. winter simul. conference. IEEE; 2017. p. 202–30.
Knuth DE. The art of computer programming. 3rd ed. vol. 2. Boston: AddisonWesley; 1997.
HerreroCollantes M, GarciaEscartin JC. Quantum random number generators. Rev Mod Phys. 2017;89:015004.
Soto J. Statistical testing of random number generators. In: Proc. 22nd national inf. systems security conference. NIST; 1999. p. 321–32.
Rukhin A, Soto J, Nechvatal J, Smid M, Barker E, Leigh S, Levenson M, Vangel M, Banks D, Heckert A, Dray J, Vo S. A statistical test suite for random and pseudorandom number generators for cryptographic applications. 2010. NIST Special Publication 80022 Revision 1a.
Colbeck R, Kent A. Private randomness expansion with untrusted devices. J Phys A. 2011;44:095305.
Pironio S, Acín A, Massar S, Boyer de la Giroday A, Matsukevich DN, Maunz P, Olmschenk S, Hayes D, Luo L, Manning TA, Monroe C. Random numbers certified by Bell’s theorem. Nature. 2010;464:1021–4.
Colbeck R, Renner R. Free randomness can be amplified. Nat Phys. 2012;8:450–3.
Liu WZ, Li MH, Ragy S, Zhao SR, Bai B, Liu Y, Brown PJ, Zhang J, Colbeck R, Fan J, Zhang Q, Pan JW. Deviceindependent randomness expansion against quantum side information. Nat Phys. 2021;17:448.
Pawłowski M, Brunner N. Semideviceindependent security of oneway quantum key distribution. Phys Rev A. 2011;84:010302.
Nie YQ, Guan JY, Zhou H, Zhang Q, Ma X, Zhang J, Pan JW. Experimental measurementdeviceindependent quantum randomnumber generation. Phys Rev A. 2016;94:060301.
Cao Z, Zhou H, Ma X. Losstolerant measurementdeviceindependent quantum random number generation. New J Phys. 2015;17:125011.
Vallone G, Marangon DG, Tomasin M, Villoresi P. Quantum randomness certified by the uncertainty principle. Phys Rev A. 2014;90:052327.
Avesani M, Marangon DG, Vallone G, Villoresi P. Sourcedeviceindependent heterodynebased quantum random number generator at 17 Gbps. Nat Commun. 2018;9:5365.
Brask JB, Martin A, Esposito W, Houlmann R, Bowles J, Zbinden H, Brunner N. Megahertzrate semideviceindependent quantum random number generators based on unambiguous state discrimination. Phys Rev Appl. 2017;7:054018.
Rusca D, van Himbeeck T, Martin A, Brask JB, Shi W, Pironio S, Brunner N, Zbinden H. Selftesting quantum randomnumber generator based on an energy bound. Phys Rev A. 2019;100:062338.
Lunghi T, Brask JB, Lim CCW, Lavigne Q, Bowles J, Martin A, Zbinden H, Brunner N. Selftesting quantum random number generator. Phys Rev Lett. 2015;114:150501.
Mironowicz P, Cañas G, Cariñe J, Gómez ES, Barra JF, Cabello A, Xavier GB, Lima G, Pawłowski M. Quantum randomness protected against detection loophole attacks. Quantum Inf Process. 2021;20:39.
Frauchiger D, Renner R, Troyer M. True randomness from realistic quantum devices. arXiv:1311.4547 [quantph].
ID Quantique. Quantis random number generator, https://www.idquantique.com/randomnumbergeneration/products/quantisrandomnumbergenerator/, visited 3 Apr 2020.
Walenta N, Soucarros M, Stucki D, Caselunghe D, Domergue M, Hagerman M, Hart R, Hayford D, Houlmann R, Legré M, McCandlish T, Page JB, Tourville M, Wolterman R. Practical aspects of security certification for commercial quantum technologies. In: Proc. SPIE. vol. 9648. 2015. p. 96480U.
ID Quantique. Quantis AIS 31 validated RNG. https://www.idquantique.com/randomnumbergeneration/products/quantisais31/, visited 3 Apr 2020.
Youn W, Yi B. Software and hardware certification of safetycritical avionic systems: a comparison study. Comput Stand Interfaces. 2014;36:889–98.
Kornecki AJ, Zalewski J. Hardware certification for realtime safetycritical systems: state of the art. Annu Rev Control. 2010;34:163–74.
Calude CS, Dinneen MJ, Dumitrescu M, Svozil K. Experimental evidence of quantum randomness incomputability. Phys Rev A. 2010;82:022102.
Abbott AA, Bienvenu L, Senno G. Nonuniformity in the Quantis random number generator. 2014. CDMTCS Research Reports CDMTCS472.
ID Quantique. Quantis randomness test report, Version 2.0. 2010. https://marketing.idquantique.com/acton/attachment/11868/f004c/1/////Randomness%20Test%20Report.pdf. visited 7 Dec 2019.
ID Quantique. Random number generation white paper. 2019. https://marketing.idquantique.com/acton/attachment/11868/f0226/1/////What%20is%20the%20Q%20in%20QRNG_White%20Paper.pdf. visited 7 Dec 2019.
ID Quantique. QuantisOEM application note. https://marketing.idquantique.com/acton/attachment/11868/f021e/1/////Quantis%20OEM_Application%20Note.pdf. visited 7 Dec 2019.
Ribordy G, Guinnard O. Method and apparatus for generating true random numbers by way of a quantum optics process. US patent US7519641B2 (granted in 2009, filed in 2004).
Cova S, Ghioni M, Lotito A, Rech I, Zappa F. Evolution and prospects for singlephoton avalanche diodes and quenching circuits. J Mod Opt. 2004;51:1267–88.
Spinelli A, Lacaita AL. Physics and numerical simulation of single photon avalanche diodes. IEEE Trans Electron Devices. 1997;44:1931–43.
Renker D. Geigermode avalanche photodiodes, history, properties and problems. Nucl Instrum Methods Phys Res, Sect A. 2006;567:48–56.
NIST SP 80022: download documentation and software. https://csrc.nist.gov/Projects/RandomBitGeneration/DocumentationandSoftware. visited 12 Apr 2021.
Radchenko I. Preparation and measurement of quantum states in quantum communication protocols. Ph D thesis, AM Prokhorov General Physics Institute of the Russian Academy of Sciences. 2015. (in Russian).
Troyer M, Renner R. ID Quantique technical paper on randomness extractor. version 1.0 (Sep 2012), available on request from https://www.idquantique.com/resourcelibrary/randomnumbergeneration/.
Scheidl T, Ursin R, Kofler J, Ramelow S, Ma XS, Herbst T, Ratschbacher L, Fedrizzi A, Langford NK, Jennewein T, Zeilinger A. Violation of local realism with freedom of choice. Proc Natl Acad Sci USA. 2010;107:19708–13.
Hensen B, Bernien H, Dréau AE, Reiserer A, Kalb N, Blok MS, Ruitenberg J, Vermeulen RFL, Schouten RN, Abellán C, Amaya W, Pruneri V, Mitchell MW, Markham M, Twitchen DJ, Elkouss D, Wehner S, Taminiau TH, Hanson R. Loopholefree Bell inequality violation using electron spins separated by 1.3 kilometres. Nature. 2015;526:682–6.
Hu XM, Liu BH, Guo Y, Xiang GY, Huang YF, Li CF, Guo GC, Kleinmann M, Vértesi T, Cabello A. Observation of strongerthanbinary correlations with entangled photonic qutrits. Phys Rev Lett. 2018;120:180402.
Acknowledgements
We thank D. Frauchiger for discussions.
Funding
This work was supported by Industry Canada, CFI, NSERC, Ontario MRIS, U.S. Office of Naval Research, Ministry of Education and Science of Russia (program NTI center for quantum communications), and Russian Science Foundation (grant 214200040).
Author information
Authors and Affiliations
Contributions
MP finished the data analysis and finished writing the Article with input from all authors. IR performed all the experiments, hardware, and data analysis, and started writing the Article with input from all authors. DS and RR contributed to the data analysis. MT performed the initial hardware analysis and supervised the study. VM supervised the study. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Petrov, M., Radchenko, I., Steiger, D. et al. Independent quality assessment of a commercial quantum random number generator. EPJ Quantum Technol. 9, 17 (2022). https://doi.org/10.1140/epjqt/s4050702200136z
Received:
Accepted:
Published:
DOI: https://doi.org/10.1140/epjqt/s4050702200136z