 Research
 Open access
 Published:
Generalized timebin quantum random number generator with uncharacterized devices
EPJ Quantum Technology volume 11, Article number: 15 (2024)
Abstract
Random number generators (RNG) based on quantum mechanics are captivating due to their security and unpredictability compared to conventional generators, such as pseudorandom number generators and hardwarerandom number generators. This work analyzes evolutions in the extractable amount of randomness with increasing the Hilbert space dimension, state preparation subspace, or measurement subspace in a class of semideviceindependent quantumRNG, where bounding the states’ overlap is the core assumption, built on the prepareandmeasure scheme. We further discuss the effect of these factors on the complexity and draw a conclusion on the optimal scenario. We investigate the generic case of timebin encoding scheme, define various input (state preparation) and outcome (measurement) subspaces, and discuss the optimal scenarios to obtain maximum entropy. Several input designs were experimentally tested and analyzed for their conceivable outcome arrangements. We evaluated their performance by considering the device’s imperfections, particularly the afterpulsing effect and dark counts of the detectors. Finally, we demonstrate that this approach can boost the system entropy, resulting in more extractable randomness.
1 Introduction
Randomness is indispensable for simulation, gambling, and numerous cryptographic applications, e.g., quantum key distribution (QKD) [1, 2], where the protocol’s security is guaranteed by random selections of the encoding and measurement bases [3]. Traditional randomness generators rely on deterministic processes, which are, in principle, predictable. However, unlike the deterministic evolution of classical systems, quantum mechanics grants the ability to generate genuine randomness based on the quantum measurement outcome that is entirely unpredictable [4, 5]. A random number generator (RNG), in general, should deliver unpredictable and secure random numbers by exploiting effective instruments aiming to make it performant, high rate, and commercially affordable. Quantum RNG (QRNG) can be an outstanding choice in satisfying the needs for security, practicality, and affordability; nevertheless, any imperfection in the physical realization may cause information leakage which an eavesdropper could use to predict the QRNG’s outcome [6, 7].
Nowadays, QRNGs are commercially available, symbolizing one of the most successful developments of quantum technologies. In Devicedependent (DD) QRNGs, the user must trust the device’s performance. This type of QRNG requires a detailed understanding of the functioning of the inuse devices to constrain the output’s randomness [8–11]. Although DD QRNGs randomness is guaranteed by quantum theory, any gap between theoretical and realworld implementation, such as experimental errors, device imperfections, or dishonest producers, may enable an adversary to predict the QRNG’s outcomes and thus endanger the system’s security [12–16]. At the same time, in deviceindependent (DI) protocols, one can certify randomness without relying on assumptions about the device’s performance. These protocols utilize the nonlocal property of quantum theory to guarantee the output’s randomness. DI QRNGs are, therefore, highly secure, and thus no assumptions on the eavesdropper are made. Implementing DI QRNGs, nevertheless, can be demanding as it involves conducting a loopholefree Bell test, which is a challenging experimental task with a typically low generation rate [17].
Contrary to DD and DI QRNGs, semidevice independent QRNGs are based on protocols that allow for highrate generation, acceptable security, and simplicity in implementation [18–21]. In this class, the performance is boosted by taking a few assumptions on the working principle of the experimental apparatus, e.g., trusting the measurement [22, 23] or the preparation device [19, 24] or weaker hypothesis like bounding the energy or the overlap [25, 26] of the generated states, while guaranteeing the security by accounting for all possible attack attempts within our assumptions [27].
This work studies a class of semiDI QRNGs founded on the basis of restraining the states’ overlap by employing a timebin encoding scheme and singlephoton detection. The overlap bound guarantees that the prepared states are nonorthogonal and hence, no measurement can perfectly distinguish them [26, 28]. While the inability of predicting the outcome of measurement by the user is the source of randomness, the indistinguishability of the state is the source of security, from the perspective of the measurement apparatus. The entropy and extractable randomness are optimized, and compared, with the help of semidefinite programming (SDP). We discuss the improvement in entropy and randomness generation rate with increasing the number of timebin or input states.
The main contribution of this work is to investigate the impact of increasing or adjusting the number of time bins on the extractable amount of randomness and the system’s generation rate with the security assumption. We found an upper bound on the number of inputoutput for a general number of time bins and showed that the system’s entropy improves with a increasing number of time bins. We also discuss the experimental challenges from both state preparation and measurement points of view. Similarly, we demonstrate that the generation rate increases by optimally dispersing the weak coherent state (WCS) in timebin configurations, which can significantly enhance this approach’s performance for practical applications.
2 Methods
2.1 Protocol
The QRNG protocol introduced here is based on the prepareandmeasure scenario, where the prepared states’ overlap is bounded while no other assumptions are required on the rest of the setup [25, 29, 30].
2.1.1 Preparation and measurement stages
Quantum mechanics does not allow any measurement to distinguish nonorthogonal states perfectly [31]. This feature can be used to generate random numbers without trusting the measurement apparatus. Here, we address a general case of nonorthogonal states in a timebin encoding with n bins and m distributed weak coherent pulses \( \alpha \rangle \). The states ,
are formed by permuting the m WCSs in the n bins where the rest are filled with vacuum states (VS). The states are required to respect an overlap condition that satisfies the protocol’s assumption:
where δ is the overlap bound. The nonzero overlap guarantees the inability to distinguish the states by performing any measurement, hence, allowing to generate secure randomness from the ambiguity therein [31]. A simple illustration of state formation in timebin encoding can be found in [25].
In this scenario, the general case is defined by allowing the number of timebins n to increase without any limits as well as the number of WCSs m, where \(1 \leq m < n\). We denote a configuration of n timebins and m WCSs with \((n,m)\)configuration. The number of states in a \((n,m)\)configuration is given by the binomial coefficient, \(C_{n}^{m}=n!/(m!(nm)!)\), formed by all possible combinations of placing m WCSs in n timebins. However, not all groups of states in a configuration respect the overlap bound, Eq. (2). A careful examination of combinations shows that in an \((n,m)\)configuration, there are subsets of states with specific overlaps. Each subset is then divided into groups of states that are equivalent w.r.t. the overlap value. Figure 1 shows the \((4,2)\)configuration and its subsets with different overlap values. To be noted that while the four groups of subset I are not closed w.r.t. each other, adding any elements of another group to any of them violates the overlap bound.
It is easy to show that the number of subsets is equal to
Consequently, a \((n,m)\)configuration can have a total overlap value of the form
where s is the number of coinciding \(\langle \alpha  \alpha \rangle \) WCSs. We denote an \((n,m)\)configuration with s coinciding WCSs as \(n_{m,s}\) with \(n > m \geq s\).
In the following, we will only consider the case of equality in Eq. (2). We denote with \(\mathcal{B}(n,m,s)\) the maximum number of states in any subset \(\mathcal{S}\) of the \((n,m)\)configuration such that all elements in \(\mathcal{S}\) have the same value of s pairwise, with s defined as in Eq. (3). It is of relevance to know \(\mathcal{B}\) for any configuration as it defines the number of inputs and possible outputs in our prepareandmeasure QRNG protocol. This question is closely related to constant weight binary codes. To see this, we can identify bins that contain a WCS with ‘1’ and bins that contain the vacuum state with ‘0’, such that we identify each state in a \((n,m)\)configuration with a binary vector of length n and weight m. Each subset \(\mathcal{S}\) can then be directly identified with a code of length n, Hamming distance d, and weight m, where Hamming distance and s are related as \(d=2(ms)\). Equation (3) can then be written as . In the context of constant weight binary codes, there exists the wellknown but open question of determining the maximum number of codewords \(\mathcal{A}(n,m,d_{\text{min}})\), where \(d_{\text{min}}\) refers to the minimum distance of the code. \(\mathcal{B}(n,m,s)\) can be upperbounded by \(\mathcal{A}(n,m,2(ms))\) which in turn can be upperbounded by different theoretical bounds [32–34]. Lower bounds to \(\mathcal{A}\), typically by explicit construction [35, 36], cannot be applied to \(\mathcal{B}\) as the codes can contain statepairs with \(d>d_{\text{min}}\) which translates to a violation of Eq. (2) since \(\delta = \langle 0\alpha \rangle ^{d}\). Increasing d reduces the overlap value and therefore reduces the ambiguity in their measurement. Instead, we show here an explicit lower bound C by simple construction: For \(2mn\leq 0\), all codewords share s ‘1’s at the same positions. Distribute the remaining \(ms\) ones in the remaining \(ns\) slots so that there is no coinciding ones, and fill the \(R=n \lfloor \frac{ns}{ms} \rfloor (ms)s\) leftover columns with zeros.
This results in \(C = \lfloor \frac{ns}{ms} \rfloor \) different states. If instead \(2mn>0\), all codewords share \(n+s2m\) zero positions and the remaining \(2ms\) slots are divided into sections with \(ms\) zeros. \(\mathcal{B}\) can therefore be lowerbounded by
In the absence of noise or errors, the number of all possible outcomes, B, follows from the click or noclick event when a state is sent. For an \(n_{m,s}\)configuration, the number of distinct outcomes is obtained as
In the nofrills case, only one WCS is placed, \(m=1\), in each timebin regardless of the number of bins, see Fig. 1 (set I). There are always \(B=n+1\) possible outcomes in this case – one for each input plus one for the noclick (indeterminate) event, which occurs randomly, suggesting that the entropy should be minimal. Figure 1 (Set II and III) shows the cases with \(m=2\) and \(m=3\), respectively. Note that the case with \(m=2\) WCSs has two subsets with 1 and 2 coinciding WCSs with 4 equivalent groups for \(m=2\) and 3 for \(m=3\). In the ideal situation, the number of outcomes follows Eq. (5). However, in a real implementation, due to noise, dark counts, or afterpulsing, all \(B=2^{n}\) outcomes, shown in Fig. 1 for \(n=4\) – Outputs, are probable although with negligible probability. These errors and imperfections are viewed as classical sideinformation serving the adversary to predict the measurement outcome. All sorts of probable classical sideinformation and correlations (between preparation and measurement sides) are considered in the security estimation. The user can monitor these correlations and stop the protocol in case of observing considerable noise.
2.1.2 Security estimation
Despite the fact that the generation of random numbers in a QRNG is based on the intrinsic probabilistic nature of quantum mechanics, the raw data outcome is a mixture of the sequences generated from deterministic classical sources and quantum processes. Therefore, it is essential to estimate the amount of extractable randomness in a defined protocol and later use it to exclude the classical contribution. The quantity minentropy (\(H_{ \min}\)) measures the maximum extractable randomness provided that an adversary can optimally guess the generator’s outcome knowing the working principle of the devices. To account for any side information, we used conditional minentropy and considered only classical sideinformation. Throughout this work, we assumed a trusty source with no quantum correlation to the outside world.
The conditional minentropy on the variable b conditioned on classical sideinformation E reads [37]
where \(P_{\text{guess}}\) is the maximum probability that an adversary can guess the measurement outcome with a complete understanding of the devices’ working principle and classical noises. In a semiDI framework, the guessing probability should be maximized over all possible preparation and measurement strategies. \(P_{\text{guess}}\) reads:
where \(p(x)\) is the probability of transmitting input x, \(M_{b}^{{\varsigma}}=P(\varsigma )\Pi _{b}^{{\varsigma}}\) are weighted measurement strategies over all positive operator valued measurements (POVM), and ς, known by the adversary, represents the classical correlations between the measurement devices and environment (e.g., adversary). Each POVM \(\Pi _{b}^{{\varsigma}}\), labeled by ς, can be implemented with probability \(P(\varsigma )\). I and B are the numbers of inputs and outcomes, respectively. As shown in [38], the maximizations in Eq. (7) can be grouped as they occur for the same value of b at given x, this would significantly ease up the optimization process. Therefore the total number of possible measurement strategies for given input would be \(B^{I}\), thus \(\varsigma \in \{\varsigma _{0},\dots , \varsigma _{I1}\}\), where \(\varsigma _{s} \in \{0,\dots .,B1\}\). Following the same approach presented in [25, 26, 39], \(P_{\text{guess}}\) for the balanced input case, \(p(x)=1/I\), can be written as:
where , and \(\operatorname{Tr}[\hat{\rho}_{x} M _{b}^{\varsigma} ]=p(bx)\) is the conditional probability of obtaining outcome b given input x. Equation (8) suggests that \(P_{\text{guess}}\) depends on the state’s overlap rather than input state \(\hat{\rho}_{x}\). Besides, the optimization problem in Eq. (8) can be bounded to a Idimensional Hilbert space; for more detail, see [25, 26, 38].
The optimization problem in \(P_{\text{guess}}\) can be efficiently solved by casting it into semidefinite programming (SDP), which is a numerical tool for solving complex optimization problems.
Following the same argument presented in [25, 26, 38, 39], we can show that for the protocol under study, strong duality holds which means both the primal and dual forms of the SDP exist. By feeding the SDP with the experimental conditional probabilities \(P(bx)\) and defining the overlap bound, the SDP can numerically optimize \(P_{\text{guess}}\). Afterward, the conditional minentropy, Eq. (6), can be calculated.
It should be noted that the security estimation is applicable for multiple inputoutput (IO) cases. The number of inputs can vary from 2 to the number of available states in an equivalence group in a \(n_{m,s}\)configuration. For example, one can choose to send only 2 out of 4 states in set I in Fig. 1. The computational cost (CC) is associated with the number of IO in the system and can affect the system’s overall generation rate. This is due to an increment in the time it takes to execute the SDP, which in turn leads to a decrease in the system’s overall efficiency. Thus, it is important to be mindful of the impact of increased computational complexity when considering adding more IO to the system. Figure 2 shows the CC as a function of the number of IO obtained on a personal computer.
Given a specific input, an outcome probability is a function of mean photon number per pulse μ, detector efficiency \(\eta _{\text{det}}\), noise in the form of background light, dark count, and afterpulsing. An approach to reduce the complexity of SDP is to group the outcomes, from an adversary point of view. This will drastically reduce the complexity of SDP.
It can be explained in a \(n_{1,0}\)configuration where, in the absence of noise, there are \(n+1\) different outcomes. The common outcome is the noclick one, and the others are 1click due to the WCS. In this case, a new variable (\(E \in \{0,1\}\)) can be assigned to the outcomes in which \(E=0\) corresponds to the noclick event, all ‘0’, while E is 1 for \(b\in \{\underbrace{100\cdots 0}_{\text{n}}, 010\cdots 0, \ldots , 0 \cdots 01\}\).
For configurations with more WCSs more variables (corresponding to E) should be specified as there would be more indeterminate events.
The manyoutcome approach is a computationally simplified, effective, and efficient method of increasing entropy without significantly increasing CC. This is a result of comparing the computational cost with increasing the number of inputs versus the number of outcomes which shows that the former increases faster, see Fig. 2. Hence, in an \(n_{m,s}\) configuration, an efficient strategy is to keep the number of inputs fixed and low and increase the number of outcomes.
The manyoutcome approach is studied for the continuous variable (CV) case in Ref. [39] where the focus is on heterodyne and homodyne detectors with binary input. In the timebin encoding scheme, we can control the number of outcomes by adjusting the number of timebins or the number of WCS in each configuration. It should be noted that the overlap bound is not considered in this argument and should be added as criteria when solving the SDP. As an example with dual input, it is shown in Fig. 3 that conditional entropy rises when the number of outcomes increases.
As shown in Table 1top, the overlap could be different from case to case; this causes the optimal value of conditional minentropy to take place at different meanphoton numbers; the inset of Fig. 3 shows the optimal meanphoton number as a function of outcomes for different overlaps. Similarly, a manyinput case can be introduced while keeping the outcome minimal. Table 1bottom shows examples of the possible setting of the manyinput approach.
2.1.3 Conditional probability
Given the inputs and the outputs, one can compute the inputoutput correlation by employing the conditional probability \(p(bx)\), i.e., the probability of receiving outcome b given input x:
where \(\hat{\rho}_{x}\) are the prepared states, \(\hat{\Pi}_{b}^{\varsigma}\) are the POVMs describing the measurement, ς the classical variable provided to the adversary which describes the classical correlations between the experimental devices and the adversary.
The detector’s dark count rate (DCR) and ambient light are usually considered constant (on average); as they are independent of the incident photon’s energy. However, the likelihood of obtaining an afterpulse click is directly related to the system’s repetition rate. Some detection events may not be caused by a WCS but could be afterpulses of an earlier detection event—the higher the system’s repetition rate, the higher the chance of an afterpulse in the subsequent timebins. Consequently, it is critical to consider the afterpulsing effect for practical situations.
The probability of registering a detection event in the Tth bin is mainly subject to the presence of a WCS in that bin and afterpulsing due to detections in the earlier bins. Assuming that afterpulsing only happens due to a detection event in the immediate bin before, the probability of detection in bin T can be written as:
where \(P_{\alpha}^{T}(1)\) is the probability of registering a detection when sending \(\alpha \rangle \), \(\eta _{\text{det}}\) and L are detector efficiency and sourcemeasurement loss, ϵ is for devices’ imperfections and classical noises, e.g., dark counts, background noise, etc., and \(P_{ap}\) represents the afterpulse probability due to a detection event at one bin distance which is the intrinsic character of a singlephoton avalanche diode (SPAD) that can be characterized experimentally. In Eq. (11), we substituted \(P_{\alpha}^{T2}(1)\) with its value and formed a geometric series to find the result.
The rest of the probabilities can be expressed as
where \(P_{\alpha}(1)\), \(P_{\varnothing}(1)\), ( \(P_{\alpha}(0)\), \(P_{\varnothing}(0)\) ) represent the probability of registering a click (noclick ) event when states and are transmitted. Given Eqs. (11) and (12), we can compute all the possible conditional probabilities for any inputoutput dimension.
2.1.4 Randomness generation rate
Besides security, the randomness generation rate is another key parameter of any QRNG. We previously discussed the security estimation for the general case with multiple inputoutput in the presence of classical side information and noise and how it scales up. Here, we consider the eventual generation rate in the timebin protocol.
For a weak coherent pulse source with repetition rate f, the inputstate generation, comprised of n timebins, scales down as \(f/n\). However, the extractable randomness is determined by \(H_{\min}\), Eq. (6), and the number of states available in an equivalence group in a \(n_{m,s}\)configuration. Hence, the rate can be written as,
where \(H_{\min}(n_{m,s}, \upsilon , \eta _{\text{det}}, \mu _{\text{optimal}})\) is the maximum extractable entropy from that set considering optimal μ, all the sources of noise, and detector efficiency. As discussed in Sect. 2.1.2, a general solution for \(H_{\min}\) considering all the parameters is not feasible to present and this quantity needs to be calculated and optimized for each case.
It should be noted that we assume f being below the detector’s deadtime to avoid missing a signal. Additionally, the analysis considers all the possible inputs and outcomes. The investigation would become more straightforward in the case of the manyinput or manyoutcome approaches.
2.2 Experimental implementation
This section investigates the experimental implementation and some practical considerations of this protocol. According to the protocol, the detection apparatus is considered a black box with no assumption on its performance. However, state generation must respect an overlap criteria, Eq. (2), which translates in two conditions; limited mean photon number μ per WCS and WCS positioning in an ntimebin state.
Figure 4 shows a schematic representation of the setup. The ntimebin state is generated by carving a 1550 nm continuous wave laser (CW) into pulses with 120 ps pulse width and a repetition rate of 31.25 MHz. Two cascaded intensity modulators, shown as one in the setup, guarantee high extinction ratio and perfect state generation. The repetition rate is chosen such that it matches the detector’s deadtime and to minimize the chance of nodetection events. A field programmable gate array (FPGA) generates the electrical signal to drive the intensity modulators and to synchronize the measurement apparatus. To verify the overlap criteria, WCS placement is controlled such that the final state matches a subset, see Fig. 1. A 99:1 beamsplitter separates the signal with the 99% arm redirected to a power meter (PM). A variable optical attenuator (VOA) then sets the mean photon number to \(\mu _{\text{optimal}}\) extracted from the security estimation process. The quantum states are then sent and measured with a superconducting nanowire single photon detector (SNSPD) with 30 ns deadtime, 80 Hz DCR, and 83% detection efficiency. The detection events are then registered with a timetodigital converter (TDC) with 1 ps resolution and are analyzed for randomness extraction.
It is worth noting that in the timebin encoding, detector’s deadtime is the main limiting factor for high repetition rate state generation.
3 Results & discussion
This section presents the theoretical and experimental minentropy of different configurations, intending to validate the theoretical estimations. Foremost, the inputoutput correlation \(P(bx)\) is estimated by performing several measurements with various overlaps and gathering the detector’s outcomes b for given input x. The extractable amount of randomness is evaluated by inserting the inputoutput correlation and states’ overlap into the SDP, which numerically computes the minentropy.
We consider the simplest case: supplying one bin with a WCS and filling the rest of the bins with VS. Possible outcome configurations increase by raising the number of inputs, leading to a different inputoutput correlation and entropy. As shown in Fig. 5, the amount of extractable randomness conditioned on the classical sideinformation increases for the cases with a higher number of inputs.
Alternative forms of input configurations with more WCSs can also be considered. Paying attention to the 4input case as an example, as shown in Fig. 1, instead of using the typical input configurations (set I, II, and III), one can implement subsets I and II, which require a ternary and binary initial seed rather than quartet one, downsizing the computational complexity, see Fig. 2. In Fig. 6, the conditional minentropy is plotted as a function of states’ overlap for subsets I and II. The dashed curve is the expected theoretical results obtained for our experimental parameters which is in acceptable agreement with the experimental data taken from SNSPD with 83% detection efficiency and for various mean photon numbers.
The maximum conditional minentropy for subsets I and II is 0.759 and 0.546, respectively, which are remarkably higher compared to typical binary and ternary input configurations at ∼0.2 and ∼0.25 obtained with detectors with 80% and higher than 90% detection efficiencies, respectively [25, 26]. It should be noted that this higher rate entropy is achievable without the need of adjusting the optical setup and can be done in the signal preparation and postprocessing stage. Furthermore, the randomness generation rate scaled from 0.11 and 0.083 to 0.1897 and 0.136 which is a considerable improvement achieved only by redefining the transmitted states.
Our research introduces significant improvements in QRNG, particularly in terms of noise analysis, adaptability, and security:

We provide a detailed noise assessment, improving the system’s realworld applicability by accounting for practical operational challenges. This comprehensive approach sets our work apart from existing studies that may overlook these critical factors.

Our protocol features adjustable inputoutput configurations, offering a more flexible and scalable solution compared to previous models. This adaptability is crucial for keeping pace with technological advancements in quantum systems.

We enhance the security measures within our QRNG model without compromising efficiency. This balance is achieved through systematic theoretical analysis, ensuring our system is not only more secure but also remains practical for broader application scenarios.

The potential for chip integration demonstrates our protocol’s readiness for future technological developments.
Overall, our work marks a substantial advancement in QRNG by addressing several fundamental limitations in existing models while maintaining practicality for users by emphasizing versatility and enhanced security. It extends beyond traditional binary or ternary systems, utilizing a timebin encoding approach that integrates oftenneglected noise factors like afterpulsing probability. This consideration not only bolsters the security but also adapts to various inputoutput configurations. While our current setup prioritizes theoretical validation over maximizing the generation rate, achieving the rate of about 9.01 Mbits/s, the rate can be improved using higher rate components.
Recognizing that finite data sizes in experimental setups might introduce security issues, our analysis accounts for these finitesize effects. It is critical to incorporate these considerations to accurately calculate the conditional minentropy, particularly in scenarios with limited data availability. Appendix A presents our approach to this challenge, outlining the mathematical adjustments made to the SDP objective function and their direct impact on minentropy estimations under finitesize conditions.
In prepareandmeasure schemes, one plausible adversarial strategy is for Eve to fake measurement outcomes independent of the actual inputs. This type of attack could compromise the randomness of the output. Appendix B delves into this specific scenario, studying its impact on our system, assessing that the protocol can detect and mitigate such attacks, and ensuring the reliability and security of the generated randomness.
4 Randomness test
The initial outcomes from our QRNG, characterized by low minentropy, are refined through a Toeplitz hash function designed for randomness extraction [40]. This transformation enhances the quality of the raw data into highgrade random numbers [41]. Figure 7 displays the results of subjecting these enhanced numbers to the NIST Statistical Test Suite [42], with pvalues for each test depicted. The suite’s tests comprehensively assess the statistical randomness, and as indicated, all pvalues surpass the significance level, affirming that the randomness criteria are met. Note, however, that while the NIST suite’s clearance is a fundamental requirement, it does not solely confirm the quantum nature of the random numbers. Thus, the successful passage of these tests should be seen as meeting a basic standard for any QRNG rather than as proof of inherent quantum randomness.
5 Conclusion
In conclusion, we demonstrated a semiDI QRNG based on the prepareandmeasure scenario exploiting a timebin encoding scheme and singlephoton detection technique investigating multiple inputoutput cases. Furthermore, the protocol is experimentally implemented using commercialofftheshelf components in a simple allinfibre optical setup at telecom wavelength, allowing a straightforward tunable input configuration needless of an optical switch. We show that by holding the number of inputs(outcomes) fixed (minimal), known as the manyoutcome (manyinputs) approach, one can increase the system entropy while keeping the computational complexity low. Additionally, a comprehensive study of timebin encoding semiDI QNRG is presented where, depending on the needs, one can select appropriate timebin settings.
Besides, we compared this protocol’s results with binary and ternaryinput systems and showed that our protocol is capable of generating more randomness with the same optical setup. The proposed protocol features advanced security since it only demands bounding the prepared states’ overlap; the rest of the setup is not required to be characterized and can be classically correlated with the adversary. Alternatively, this protocol can be implemented in a different wavelength where single photon avalanche diodes (SPADs) have better detection efficiency, thus making this proposal chipintegrable. In a nutshell, the semiDI protocols’ main advantage is to ease up the implementation complexity and enhance the generation rate preserving a high level of security. This paper demonstrates a semiDI QRNG based on the overlap bound with an easytoimplement experimental setup which can produce random numbers at a high rate with robust security applicable for various inputoutput configurations.
Data availability
The data that support the findings of this study are available from the corresponding author upon reasonable request.
Abbreviations
 RNG:

random number generator
 QRNG:

quantum random number generator
 QKD:

quantum key distribution
 DD:

devicedependent
 DI:

deviceindependent
 SDP:

semidefinite programming
 WCS:

weak coherent state
 VS:

vacuum states
 CC:

computational cost
 IO:

inputoutput
 CV:

continuous variable
 DCR:

dark count rate
 SPAD:

singlephoton avalanche diode
 SNSPD:

superconducting nanowire single photon detector
 TDC:

timetodigital converter
 FPGA:

fieldprogrammable gate array
 CW:

continuous wave
 PM:

power meter
 PC:

polarization controller
References
Ding Y, Bacco D, Dalgaard K, Cai X, Zhou X, Rottwitt K, Oxenløwe LK. Highdimensional quantum key distribution based on multicore fiber using silicon photonic integrated circuits. npj Quantum Information. 2017;3:25.
Zahidy M, Liu Y, Cozzolino D, Ding Y, Morioka T, Oxenløwe LK, Bacco D. Photonic integrated chip enabling orbital angular momentum multiplexing for quantum communication. Nanophotonics. 2021. https://doi.org/10.1515/nanoph20210500.
Acín A, Masanes L. Certified randomness in quantum physics. Nature. 2016;540:213.
Mannalath V, Mishra S, Pathak A. A comprehensive review of quantum random number generators: concepts, classification and the origin of randomness. 2022.
Almaraz Luengo E, Leiva Cerna M, García Villalba LJ, HurleySmith D, HernandezCastro J. Sensitivity and uniformity in statistical randomness tests. Journal of Information Security and Applications. 2022;70:103322.
Stipcevic M. Quantum random number generators and their applications in cryptography. Itzler MA, editor. Advanced Photon Counting Techniques VI. International Society for Optics and Photonics (SPIE, 2012) vol. 8375. p. 20–34.
HerreroCollantes M, GarciaEscartin JC. Quantum random number generators. Rev Mod Phys. 2017;89:15004.
Zahidy M, Tebyanian H, Cozzolino D, Liu Y, Ding Y, Morioka T, Oxenløwe LK, Bacco D. Quantum randomness generation via orbital angular momentum modes crosstalk in a ringcore fiber. AVS Quantum Sci. 2022;4:011402. https://doi.org/10.1116/5.0074253.
Gras G, Martin A, Choi JW, Bussières F. Quantum entropy model of an integrated quantumrandomnumbergenerator chip. Phys Rev Appl. 2021;15:054048.
Yuan ZL, Lucamarini M, Dynes JF, Fröhlich B, Plews A, Shields AJ. Robust random number generation using steadystate emission of gainswitched laser diodes. Appl Phys Lett. 2014;104:261112. https://doi.org/10.1063/1.4886761.
Huang L, Zhou H, Feng K, Xie C. Quantum random number cloud platform. npj Quantum Inf. 2021;7:107.
Brown PJ, Ragy S, Colbeck R. A framework for quantumsecure deviceindependent randomness expansion. IEEE Trans Inf Theory. 2020;66:2964.
Colbeck R. Quantum and relativistic protocols for secure multiparty computation. 2011. arXiv:0911.3814 [quantph].
Colbeck R, Kent A. Private randomness expansion with untrusted devices. J Phys A, Math Theor. 2011;44:095305.
Foletto G, Padovan M, Avesani M, Tebyanian H, Villoresi P, Vallone G. Experimental test of sequential weak measurements for certified quantum randomness extraction. Phys Rev A. 2021;103:062206.
Bhavsar R, Ragy S, Colbeck R. Improved deviceindependent randomness expansion rates from tight bounds on the two sided randomness using chsh tests. 2021.
Li MH, Zhang X, Liu WZ, Zhao SR, Bai B, Liu Y, Zhao Q, Peng Y, Zhang J, Zhang Y, Munro WJ, Ma X, Zhang Q, Fan J, Pan JW. Experimental realization of deviceindependent quantum randomness expansion. Phys Rev Lett. 2021;126:050503.
Sun LL, Zhang X, Zhou X, Li ZD, Ma X, Fan J, Yu S. 2022. Certifying randomness in quantum state collapse.
Jones CL, Ludescher SL, Aloy A, Mueller MP. Theoryindependent randomness generation with spacetime symmetries. 2022.
Wang C, Primaatmaja IW, Ng HJ, Haw JY, Ho R, Zhang J, Zhang G, Lim C. Provablysecure quantum randomness expansion with uncharacterised homodyne detection. Nat Commun. 2023;14:316.
Drahi D, Walk N, Hoban MJ, Fedorov AK, Shakhovoy R, Feimov A, Kurochkin Y, Kolthammer WS, Nunn J, Barrett J, Walmsley IA. Certified quantum random numbers from untrusted light. Phys Rev X. 2020;10:041048.
Dai H, Chen B, Zhang X, Ma X. Intrinsic randomness under general quantum measurements. 2022.
Avesani M, Tebyanian H, Villoresi P, Vallone G. Unbounded randomness from uncharacterized sources. Commun Phys. 2022;5:273.
Nie YQ, Guan JY, Zhou H, Zhang Q, Ma X, Zhang J, Pan JW. Experimental measurementdeviceindependent quantum randomnumber generation. Phys Rev A. 2016;94:060301.
Tebyanian H, Zahidy M, Avesani M, Stanco A, Villoresi P, Vallone G. Semidevice independent randomness generation based on quantum state’s indistinguishability. Quantum Sci Technol. 2021;6:045026.
Brask JB, Martin A, Esposito W, Houlmann R, Bowles J, Zbinden H, Brunner N. Megahertzrate semideviceindependent quantum random number generators based on unambiguous state discrimination. Phys Rev Appl. 2017;7:054018.
Ma X, Yuan X, Cao Z, Qi B, Zhang Z. Quantum random number generation. npj Quantum Inf. 2016;2:16021.
Van Himbeeck T, Woodhead E, Cerf NJ, GarcíaPatrón R, Pironio S. Semideviceindependent framework based on natural physical assumptions. Quantum. 2017;1:33.
Tebyanian H. Randomness generation with untrusted devices. In: 2022 Workshop on Recent Advances in Photonics (WRAP). 2022. p. 1–2.
Avesani M, Tebyanian H, Villoresi P, Vallone G. Semideviceindependent heterodynebased quantum randomnumber generator. Phys Rev Appl. 2021;15:034034.
Barnett SM, Croke S. Quantum state discrimination. Adv Opt Photonics. 2009;1:238.
Johnson S. A new upper bound for errorcorrecting codes. IRE Trans Inf Theory. 1962;8:203.
Agrell E, Vardy A, Zeger K. Upper bounds for constantweight codes. IEEE Trans Inf Theory. 2000;46:2373.
Schrijver A. New code upper bounds from the terwilliger algebra and semidefinite programming. IEEE Trans Inf Theory. 2005;51:2859.
Brouwer A, Shearer J, Sloane N, Smith W. A new table of constant weight codes. IEEE Trans Inf Theory. 1990;36:1334.
Montemanni R, Smith D. Heuristic algorithms for constructing binary constant weight codes. IEEE Trans Inf Theory. 2009;55:4651.
Tomamichel M, Schaffner C, Smith A, Renner R. Leftover hashing against quantum side information. IEEE Trans Inf Theory. 2011;57:5524.
Bancal JD, Sheridan L, Scarani V. More randomness from the same data. New J Phys. 2014;16:033011.
Tebyanian H, Avesani M, Vallone G, Villoresi P. Semideviceindependent randomness from doutcome continuousvariable detection. Phys Rev A. 2021;104:062424.
Krawczyk H. Lfsrbased hashing and authentication. In: Advances in cryptology—CRYPTO’94. Berlin: Springer; 1994. p. 129–39.
Frauchiger D, Renner R, Troyer M. True randomness from realistic quantum devices. 2013. arXiv:1311.4547 [quantph].
Lawrence EB III et al.. SP 80022 Rev. 1a. A statistical test suite for random and pseudorandom number generators for cryptographic applications. National Institute of Standards and Technology; 2010.
Renner R. Security of quantum key destribution. Int J Quantum Inf. 2008;6:1.
Curty M, Xu F, Cui W, Lim CCW, Tamaki K, Lo HK. Finitekey analysis for measurementdeviceindependent quantum key distribution. Nat Commun. 2014;5:1. arXiv:1307.1081.
Acknowledgements
This work is supported by the Center of Excellence SPOC (ref DNRF123), Innovations fonden project FireQ (No. 909000031B), and EraNET Cofund Initiatives QuantERA within the European Union’s Horizon 2020 research and innovation program grant agreement No. 731473 (project SQUARE). H. T. acknowledges the Innovate UK Industrial Strategy Challenge Fund (ISCF), project 10637449229 AQuRand (Assurance of Quantum Random Number Generators).
Funding
Not applicable.
Author information
Authors and Affiliations
Contributions
H.T. and M. Z. conceived the idea. M. Z. performed the experiment. H. T., M. Z., and R. M. analyzed the data and the model. D. B. and S. F. supervised the project. All the authors contributed to the manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix A: Finitesize effects
In this appendix, we describe the calculation of the conditional minentropy that systematically accounts for the impacts of finite experimental data sizes. This enhanced approach is essential in evaluating the security and reliability of the generated sequences, ensuring a more robust and scientifically rigorous assessment.
The optimization process in guessing probability Eq. (8) is convex and can be numerically solved by transforming it into a semidefinite programming (SDP) version. The duality is held for this optimization problem, indicating both primal and dual forms exist. The primal form of an SDP directly addresses the original optimization problem, aiming to maximize the objective function under certain constraints. In contrast, the dual form derived from the primal simplifies the problem by providing bounds on the primal objective value. The dual form is preferred for its ability to provide an upper bound on the guessing probability, as opposed to the lower bound offered by the primal form. The dual form then can be written as
where scalar coefficient \(\nu _{bx}\) is the Lagrange multipliers for each primal problem constraint. We refer to Refs [25, 26, 39] for a detailed mathematical derivation for primal and dual calculation. Using the dual form ensures conservative estimates that crucially do not overestimate the minentropy, thereby safeguarding the integrity of QRNG. Additionally, it offers the flexibility of recalculating bounds without requiring exhaustive optimization in each iteration, thereby streamlining realtime operations and optimizing the resources needed for entropy estimation.
We start by considering quantum measurement outcomes as independent Bernoulli random variables, \(X_{1}, X_{2}, \ldots , X_{n} \), with the aggregate outcome given by their sum:
The summation \(S_{n}\) represents the total count of a particular outcome across all measurements, offering a cumulative perspective of the quantum measurement results. This aggregate outcome necessitates the computation of its mean and variance, essential statistical measures that contribute to the QRNG’s assessment:
A lower bound on the mean, considering error tolerance ε, reads:
The confidence interval surrounding the mean, \(CI(S_{n})\) is then given by:
with δ as the margin of estimation error.
This model presents a robust foundation for evaluating the impact of finitesize effects on the security and reliability of the system. For the estimation of conditional probabilities \(\tilde{p}(bx) = \frac{n_{b,x}}{n_{x}}\) and their confidence interval is determined by the security parameter ϵ:
The introduction of finitesize effects into this formulation is achieved through adjustments to the dual SDP objective function:
with \(\Delta (\epsilon ,n)\) encapsulating the finitesize correction. Although not providing an exact bound, Eq. (A.7) addresses the extreme scenarios encountered in singleshot measurements. This approach ensures the equation’s relevance and effectiveness in finitesize regimes, making it a versatile tool in quantum computation analysis.
Moreover, the concept of smooth conditional minentropy extends over multiple rounds, indexed as n, and is intricately related to the conditional minentropy computed for an individual round. This intricate relationship is presented in the [43, 44], where it is expressed as:
where \(\rho _{XE}\) is the classicalquantum state, encapsulating the classical random variable X and its quantum counterpart \(\rho ^{x}_{E}\), which is associated with an adversary. Given that the bound applies to a wide range of quantumside information scenarios, it naturally extends to our specific situation where we deal only with classical side information.
Figure 8 illustrates the entropy variation as a function of the experimental data size, specifically for a system operating at 83% efficiency with an epsilon value of \(1 \times 10^{9}\). This graph effectively demonstrates that, beyond a certain sample size threshold, the impact of finite size effects becomes negligible. In our experimental setup, this threshold is identified at a minimum sample size of \(5 \times 10^{11}\), maintaining a security parameter of \(\epsilon = 10^{9}\), which assures the accurate probability estimation and subsequent entropy computation.
Appendix B: Fake data attack
A vital element of our semiDI QRNG framework is the implementation of an overlap bound. The overlap directly influences the security of the randomness generation process, as it dictates the degree of uncertainty that an adversary faces in predicting the outcomes of quantum measurements. To better illustrate the fact see Fig. 9 (A). Consider measuring a set of quantum states (i.e., coherent states in phasespace representation for better visualization of the point) with high overlap and obtaining the measurement outcome in the intersection area (shown by the cross). It is impossible to know whether the blue or red circle was the transmitted state for the depicted measurement result.
The preparation and measurement devices may be classically correlated, but they are not permitted to share quantum entanglement.
A potential security threat in the randomness generation process involves an adversary, Eve, who might attempt to compromise the system by simulating the conditional probability distributions, \(P(bx) \). This strategy involves Eve deliberately altering the outcomes in a way that falsely appears to result from genuine quantum processes. In this scenario, Eve would alter the outputs to resemble those produced by quantum randomness, posing a challenge to the authenticity of the randomness generation.
The security estimation is designed to assess and validate the randomness of the outcomes based on the observed correlations between the preparation inputs and measurement outcomes, given the states’ overlap. When an adversary attempts to simulate or replicate the probability distributions, the protocol’s security estimation mechanism discerns between authentic quantum randomness and fabricated outcomes by returning zero entropy for the invalid data set.
The optimization process for computing minentropy involves the conditional probabilities \(P(bx) \) and the overlap parameter into an SDP solver. This numerical optimizer then searches over all feasible preparation and measurement strategies permitted by the overlap bound. For each strategy, it calculates the corresponding guessing probability – the probability that an adversary could correctly guess the measurement outcome. The negative logarithm of the optimized guessing probability then gives the minentropy. Deriving an analytical solution for the minentropy is highly complex due to the optimization across a large strategy space. The SDP solver approach provides an efficient numerical method that rigorously bounds the maximal guessing probability achievable within the physical limits imposed. The computed minentropy represents a certified lower bound on the extractable randomness in our semiDI framework by minimizing this guessing probability over all allowable quantum strategies respecting the overlap assumption. Figure 9 (B) represents the protocol’s capabilities, mapping the minentropy against various conditional probabilities \(P(bx) \). The xaxis represents \(P(bx=0) \) and the yaxis \(P(bx=1) \), with the minentropy values depicted through an intuitive colourcoding scheme.
A pivotal observation from this plot is the predominance of zero entropy across a significant portion of the probability distribution space, with nonzero entropy confined to a narrowly defined region. This distinct pattern is a direct consequence of the specific overlap bound which is also established in our protocol.
The narrow range of conditions that produce nonzero minentropy is an effective filter against adversarial tampering. It sharply distinguishes authentic quantum randomness from fabricated or intercepted data. For an adversary, mimicking the specific \(P(bx) \) conditions that yield valid quantum randomness is a significant challenge. Our semiDI QRNG protocol, designed with a specific overlap bound and thorough security checks, effectively counters attempts to simulate quantum randomness.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Tebyanian, H., Zahidy, M., Müller, R. et al. Generalized timebin quantum random number generator with uncharacterized devices. EPJ Quantum Technol. 11, 15 (2024). https://doi.org/10.1140/epjqt/s4050702400227z
Received:
Accepted:
Published:
DOI: https://doi.org/10.1140/epjqt/s4050702400227z