Experimental Low-Latency Device-Independent Quantum Randomness

Abstract

Applications of randomness such as private key generation and public randomness beacons require small blocks of certified random bits on demand. Device-independent quantum random number generators can produce such random bits, but existing quantum-proof protocols and loophole-free implementations suffer from high latency, requiring many hours to produce any random bits. We demonstrate device-independent quantum randomness generation from a loophole-free Bell test with a more efficient quantum-proof protocol, obtaining multiple blocks of 512 random bits with an average experiment time of less than 5 min per block and with a certified error bounded by 2⁻⁶⁴ ≈ 5.42 × 10⁻²⁰.

A fundamental feature of quantum mechanics is that measurements of a quantum system can have random outcomes even when the system is in a definite, pure state. By definition, pure states are completely uncorrelated with every other physical system, which implies that the measurement outcomes are intrinsically unpredictable by anyone outside the measured quantum system’s laboratory. The unpredictability of quantum measurements is exploited by conventional quantum random number generators (QRNGs) [1] for obtaining random bits whose distribution is ideally uniform and independent of other systems. The use of such QRNGs requires trust in the underlying quantum devices [2]. A higher level of security is attained by device-independent quantum random number generators (DIQRNGs) [3,4] based on loophole-free Bell tests, where the randomness produced can be certified even with untrusted quantum devices that may have been manufactured by dishonest parties. The security of a DIQRNG relies on the physical security of the laboratory to prevent unwanted information leakage, and on the trust in the classical systems that record and process the outputs of quantum devices for randomness generation.

Since the idea of DIQRNGs was introduced in Colbeck’s thesis [3], many DIQRNG protocols have been developed—for a review, see [5]. These protocols generally exploit quantum nonlocality to certify entropy but differ in device requirements, Bell-test configurations, randomness rates, finite-data efficiencies, and the security levels achieved. We can classify protocols by whether they are secure in the presence of classical or quantum side information, in other words, by whether they are classical or quantum proof.

The first experimentally accessible DIQRNG protocol was given and implemented by Pironio et al. [6] with a detection-loophole-free Bell test using entangled ions. They certified 42 bits of classical-proof entropy with error bounded by 0.01, where, informally, the error can be thought of as the probability that the protocol output does not satisfy the certified claim. This required about one month of experiment time. To improve this result required the advent of loophole-free Bell tests and much more efficient protocols. Such a protocol and experimental implementation with an optical loophole-free Bell test was given by Bierhorst et al. [7] and obtained 1024 classical-proof random bits with error 10⁻¹² in 10 min. There have been three demonstrations of quantum-proof DIQRNGs, all with photons. The first two were subject to the locality and freedom-of-choice loopholes [8]. They obtained 4.6 × 10⁷ random bits with error 10⁻⁵ in 111 h [9], and 6.2 × 10⁵ random bits with error 10⁻¹⁰ in 43 min [10], respectively. The third was loophole free and obtained 6.2 × 10⁷ random bits with error 10⁻⁵ in 96 h [11].

The quantum-proof experiments described above aimed for good asymptotic rates. To approach the asymptotic rate requires a very large number of trials to certify a large amount of entropy. However, many if not most applications of certified randomness require only short blocks of fresh randomness. To address these applications, we consider instead a standardized request for 512 random bits with error 2⁻⁶⁴ ≈ 5.42 × 10⁻²⁰ and with minimum delay, or latency, between the request and delivery of bits satisfying the request. In this work, we consider only the contribution of experiment time to latency. The previous quantum-proof DIQRNG implemented with a loophole-free Bell test [11] would have required at least 24.1 h to satisfy the standardized request—see the Supplemental Material (SM) [12].

In this Letter, we reduce the latency required to produce 512 device-independent and quantum-proof random bits with error 2⁻⁶⁴ by orders of magnitude. For this purpose, here we implement a quantum-proof protocol developed in the companion paper (CP) [27] with a loophole-free Bell test. Unlike other demonstrations of quantum-proof DIQRNGs, we conservatively account for adversarial bias in the setting choices, and we show repeated fulfillment of the standardized request. We obtain five successive blocks of 512 random bits with error 2⁻⁶⁴ and with an average experiment time of less than 5 min per block.

Overview of theory.—

We give a high-level description of the features of our protocol. For formal definitions and technical details, see the CP [27]. Our protocol is based on repeated (but not necessarily independent or identical) trials of a loophole-free Clauser, Horne, Shimony, and Holt (CHSH) Bell test [28], consisting of a source S and two measurement stations A and B (see Fig. 2). In each trial, the source attempts to distribute a pair of entangled photons to the stations, the protocol randomly chooses binary measurement settings X and Y for the stations, the corresponding measurements are performed, and the binary outcomes A and B are recorded. We call Z = XY and C = AB the input and output of the trial, respectively.

FIG. 2.

Locations of Alice (A), Bob (B), and the source (S). Alice and Bob are separated by 194.8 ± 1.0 m (this is slightly further than in Refs. [7,35]). Faint gray lines indicate the paths that the entangled photons take from the source to Alice and Bob through fiber optic cables. The light-green quarter circles are the 2D projections of the expanding light spheres containing the earliest available information about the random bits used for Alice’s and Bob’s setting choices at the trial. When Bob finishes his measurement, the radius of the light sphere corresponding to the start of Alice’s QRNG has expanded to 127.3 0.5 m, after which it takes an additional 222.3 3.8 ns before the light sphere will intersect Bob’s location. Similarly, when Alice completes her measurement, the light sphere corresponding to the start of Bob’s QRNG has only reached a radius of 98.3 0.5 m, and it will take 315.5 3.8 ns more to arrive at Alice’s station. In this way, the actions of Alice and Bob are spacelike separated. Inset: Alice’s and Bob’s measurement apparatuses both consist of a Pockels cell (PC), operating at approximately 100 KHz, and a polarizer, constructed using two half-wavelength plates (HWPs), a quarterwavelength plate (QWP) and a polarizing beam displacer, in order to make fast polarization measurements on their respective photons. The measurement setting is controlled by a QRNG, the photon is detected by a high-efficiency superconducting nanowire single-photon detector, and the resulting signal is recorded on a time tagger, where a 10 MHz oscillator is used to keep Alice’s and Bob’s time taggers synchronized.

An end-to-end randomness generation protocol starts with a request for k random bits with error ϵ. The user then chooses a positive quantity σ (the entropy threshold for success) and positive errors _ϵσ, _ϵx (the entropy error and the extractor error, respectively) whose sum is no more than ϵ. The quantity σ chosen by the user must satisfy the inequality $\sigma \ge k+4{\log }_2\left(k\right)+4{\log }_2\left(2/{ϵ}_x^2\right)+6$. This inequality is sufficient to guarantee that, if the outputs of the experiment can be proven to have entropy at least σ, then k random bits can be extracted. (The randomness extractor that we use for this purpose is Trevisan’s extractor [29] as implemented by Mauerer, Portmann, and Scholz [30]. We refer to it as the TMPS extractor—see the SM [12].) The user also needs to decide the maximum number n of Bell-test trials to run. For simplicity, we temporarily assume that a fixed number n of trials will be executed, but in the implementation as described in a later section we exploit the ability to stop early.

After fixing the parameters defined in the previous paragraph, n Bell-test trials are sequentially executed, and the inputs and outputs are recorded as $\mathbf{Z}={\left(Z_i\right)}_{i=1}^n$ and $\mathbf{C}={\left(C_i\right)}_{i=1}^n$, where Z_i and C_i are the input and output of the ith trial. The uppercase symbols C, C_i, Z, and Z_i are treated as random variables, and their values are denoted by the corresponding lowercase symbols. Let E denote the “environment” of the experiment, including any quantum side information that could be possessed by an adversary. The entropy of the outputs C is quantified by the quantum ϵ_σ-smooth conditional min-entropy of C given ZE [31]. We refer to this quantity as the output entropy. The user can estimate the output entropy as described in the next section and check whether that estimate is at least σ. If not, the protocol fails and a binary variable P is set to P = 0; otherwise, the protocol succeeds and P = 1.

When the protocol succeeds, we apply the TMPS extractor [30] to extract k random bits with error ϵ. The TMPS extractor is a classical algorithm that is applied to the outputs C as well as a random seed S, and produces a bit string R. The final state of the protocol then consists of the classical variables RSZP and the quantum system E. In the CP [27], we prove that the protocol is e sound in the following sense: The error ϵ is an upper bound on the product of the success probability and the purified distance [32] between the actual state of RSZE conditional on the success event P = 1 and an ideal state of RSZE, according to which RS is uniformly random and independent of ZE. For the protocol to be useful, it is necessary that the probability of success in the actual implementation can be close to 1, a property referred to as completeness. With properly configured quantum devices, it is possible to make this probability exponentially close to 1 by increasing the number of trials executed. Soundness and completeness imply formal security of the protocol.

Estimating entropy.—

In the CP [27], we develop the approach of certifying entropy by “quantum estimation factors” (QEFs), a general technique that generalizes previous certification techniques against quantum side information [33,34]. The construction of QEFs requires first defining a notion of models. The “model” for an experiment is the set of all possible final states that can occur at the end of the experiment. A final state can be written as ρ_CZE = ∑_CZ |cz〉〈cz| ⊗ ρ_E (cz), where ρ_E(cz) is the unnormalized state of E given results cz.

Given the state ρ_CZE, we characterize the unpredictability of the outputs c given the system E and the inputs z by the sandwiched Rényi power, denoted by ${\mathcal{R}}_{1+\beta }\left[{\rho }_{\mathbf{E}}\left(cz\right)|{\rho }_{\mathbf{E}}\left(z\right)\right]$ where β > 0 and ρ_E(z) = ∑_c ρ_E(cz) (see the SM [12] for the explicit expression). A QEF with a positive power β for a sequence of n trials is a non-negative function T of random variables CZ such that for all states ρ_CZE in the model, T satisfies the inequality

$$\sum _{\mathbf{cz}}T\left(cz\right){\mathcal{R}}_{1+\beta }\left[{\rho }_{\mathbf{E}}\left(cz\right)|{\rho }_{\mathbf{E}}\left(z\right)\right]\le 1$$

Informally, one main result in the CP [27] is that if at the conclusion of the experiment the variable log₂ (T)/β takes a value at least h for some h > 0, then the output entropy (in bits) must be at least $h-{\log }_2\left(2/{ϵ}_{\sigma }^2\right)/\beta$ no matter which particular state in the model describes the experiment. Hence, for estimating entropy it suffices to construct QEFs.

In practice, the model for a sequence of trials is constructed as a chain of models for each individual trial. QEFs then satisfy a chaining property: If F_i(C_iZ_i) is a QEF with power β for the ith trial, then the product ${\prod }_{i=1}^n{F}_i\left(C_i{Z}_i\right)$ is a QEF with power β for the sequence of n trials. To construct the QEF T(CZ), we use this property. Moreover, since the model for each trial of our experiment is identical, we always take the same QEF for each executed trial. The CP [27] contains general techniques for constructing models and QEFs, and the SM [12] contains the details of constructing models and QEFs for each trial of our experiment.

Experiment.—

Our setup is similar to those reported in Refs. [7,35]. A pair of polarization-entangled photons are generated through the process of spontaneous parametric down-conversion and then distributed via optical fiber to Alice and Bob (see Fig. 1). At each lab of Alice and Bob, a fast QRNG with parity-bit randomness extraction [36] is used to randomly switch a Pockels cell-based polarization analyzer (see Fig. 2). Alice’s polarization measurement angles, relative to a vertical polarizer, are a = 4.1° and a′ = 25.5°, and Bob’s are b = −a and b′ = −a′. These measurement angles, along with the nonmaximally entangled state prepared in Fig. 1, are chosen based on numerical simulations of our setup to achieve an optimal Bell violation. The photons are then detected in each lab using superconducting nanowire single-photon detectors with an efficiency greater than 90% [37]. The total system efficiencies for Alice and Bob are 76.2 ± 0.3% and 75.8 ± 0.3%, allowing the detection loophole to be closed. With the configuration detailed in Fig. 2, we can also close the locality loophole.

FIG. 1.

Diagram of the entangled photon-pair source. A 775-nm-wavelength picosecond Ti:sapphire laser operating at a 79.3 MHz repetition rate pumps a 20-mm-long periodically poled potassium titanyl phosphate (PPKTP) crystal, to produce degenerate photons at 1550 nm with a per-pulse probability of 0.0045. The pump is transmitted through a polarization-maintaining single-mode fiber (SMF). The PPKTP crystal is cut for type II phase matching and placed in a polarization-based Mach-Zehnder interferometer constructed using half-wavelength plates (HWPs) and three beam displacers (BD1, BD2, and BD3). Tuning the polarization of the pump by a polarizer and HWP allows us to create the nonmaximally entangled state |ψ〉 = 0.967|HH〉 + 0.254|VV〉, where H and V denote the horizontally and vertically polarized single-photon states. The photons, along with a synchronization signal, are then distributed via optical fiber to Alice and Bob. The synchronization signal is generated by a fast photodiode (FPD) and divider circuit which divides the pump frequency by 800, and is used as a clock to determine the start of a trial and to time the operation of Alice’s and Bob’s measurements. This leads to a trial rate of approximately 100 kHz.

In each trial, Alice’s and Bob’s setting choices X and Y are made with random bits whose deviation from uniform is assumed to be bounded. That is, knowing all events in the past light cone, one should not be able to predict the next choice with a probability better than 0.5 + ϵ_b. We call ϵ_b the (maximum) adversarial bias. In particular, it is assumed that the quantum devices used cannot have more prior knowledge of the random setting choices than the adversarial bias for each trial. Specifically, we assume that the adversarial and trial-dependent bias of Alice’s and Bob’s QRNGs is bounded by ϵ_b ≤ 1 × 10⁻³. That is, each of the setting choices X and Y has a two-outcome distribution with probabilities in the interval [0.5 − 1 × 10⁻³, 0.5 + 1 × 10⁻³]. The bias assumption is supported in two ways: first by a quantum statistical model of the QRNGs, validated by measurements of the QRNG internal operation [36], and second by the observation that the frequencies of the output bits of each QRNG deviate from 0.5 by less than 6 × 10⁻⁵ on average in a run of 21 min of trials.

Protocol implementation.—

The goal is to obtain k = 512 random bits with error ϵ = 2⁻⁶⁴. For this, we set ϵ_σ = 0.8 × 2⁻⁶⁴ and ϵ_x = 0.2 × 2⁻⁶⁴. To extract k = 512 random bits with the TMPS extractor, it suffices to set the entropy threshold to be σ = 1089. The implementation stages for each instance of the protocol are summarized in algorithm 1, and more details are available in the SM [12].

Results.—

Ideally, the protocol would be applied concurrently with the acquisition of the experimental trials. In this case, the trials were performed three months before the protocol was fully implemented. About 89 min of experimental results were recorded. The results were stored in 1 min blocks containing approximately 6 × 10⁶ trials each. The first 21 min were unblinded for testing the protocol, and the rest were kept in blind storage until the protocol was fully implemented and ready to be used.

Algorithm 1.

Overview of protocol implementation

(1) Calibration

(a) Determine the QEF F(CZ) and its power β used for each executed trial.

(b) Fix n—the maximum number of trials.

(2) Randomness accumulation: Run the experiment to acquire up to n trials. After each trial i.

(a) Update the running log2-QEF value $L_i={\sum }_{j=1}^i{\log }_2\left[F\left(c_j{z}_j\right)\right]$, where cj and zj are the observed values of Cj and Zj

(b) If $\left[L_i-{\log }_2\left(2/{ϵ}_{\sigma }^2\right)\right]/\beta \ge \sigma$, smiddle the experiment, set the number of trials actually executed as nact = i, and set the success event P = 1.

(3) Randomness extraction: If P = 1, then extract k random bits with error ϵ.

From the first 21 min of unblinded results we decided to run five sequential instances of the protocol, and for calibration in each instance we determined to use the 10 min of results preceding to the first trial to be used for randomness accumulation (see the SM [12] for details). We note that the trials for randomness accumulation in one instance can be used also for calibration in the next instance. For the protocol, we loaded the data and divided each 1 min block into 60 subblocks of approximately 1 × 10⁵ trials each. The protocol was then designed to use integer multiples of these subblocks. The first instance of the protocol started producing randomness at the 22nd 1 min block. Each instance started at the first not-yet-used subblock and used the previous 600 subblocks for calibration, then processed subblocks until the running entropy estimate surpassed the threshold σ. In each instance, this happened well before the maximum number of trials n determined at the calibration stage was reached, leading to success of the instance. We then applied the extractor to produce 512 random bits with error 2⁻⁶⁴.

The results are summarized in Table I. It shows that the experiment time required to fulfill the request for 512 quantum-proof random bits with error 2⁻⁶⁴ is less than 5 min on average, demonstrating a dramatic improvement over other quantum-proof protocols and previous experiments. The only experimentally accessible alternative quantum-proof protocol is entropy accumulation as described in Ref. [34]. We found that satisfying the request using theoretical results from Ref. [34], with our experimental configuration and performance, would have required at least 6.108 × 10¹⁰ trials, corresponding to 169.7 h of experiment time—see the SM [12] for details.

TABLE I.

Characteristics of the five protocol instances. The number of subblocks is approximately the number of seconds of experiment time required. The entropy rate is estimated by L_nact/(βn_act), where n_act is the actual number of trials executed in an instance, L_nact is the running log₂-QEF value at the end of an instance, and β is the power associated with the QEF which is used for each executed trial and determined at the calibration stage. The trial rate in the experiment was approximately 100 kHz.

Instance	n/107	nact/107	Number of subblocks	β	Entropy rate/10−4
1	5.25	2.32	233	0.010	6.07
2	4.74	3.76	379	0.010	3.78
3	5.92	2.85	287	0.009	5.47
4	6.20	2.83	285	0.009	5.53
5	5.49	2.72	274	0.010	5.20

In conclusion, we demonstrated five sequential instances of the DIQRNG protocol. For joint (or composable) security of the five instances, it suffices that the quantum devices do not retain memory of what happened during the previous instances. Without this assumption, the joint security of the five instances can be compromised as Overview of protocol implementation explained in Ref. [38]. In our implementation such problems are mitigated by the definition of soundness in terms of the purified distance rather than the conventional trace distance, but the issues arising in composing protocols like ours need further investigation.

We have emphasized the importance of latency. To produce a fixed block of random bits, latency is simply the time it takes for the protocol to fulfill the request. Above, we have neglected the classical computing time required for calibration and extraction since this can be made relatively small by using faster and more parallel computers. For the current implementation the time costs for calibration and extraction are detailed in the SM [12]. The latency for our setup is limited by the rate at which we can implement random setting choices, which in turn is limited by the Pockels cells. Since the source produces pulses at a rate of 79.3 MHz and we can use ten successive laser pulses as a single trial without reducing the quality of trials, if the Pockels cell limitation can be overcome, the latency could be reduced by a factor of about 80 with the current entangled photon-pair source.