Certified Quantum Random Numbers from Untrusted Light

A remarkable aspect of quantum theory is that certain measurement outcomes are entirely unpredictable to all possible observers. Such quantum events can be harnessed to generate numbers whose randomness is asserted based upon the underlying physical processes. We formally introduce, design, and experimentally demonstrate an ultrafast optical quantum random number generator that uses a totally untrusted photonic source. While considering completely general quantum attacks, we certify and generate in real time random numbers at a rate of 8.05 Gb/s with a composable security parameter of 10⁻¹⁰. Composable security is the most stringent and useful security paradigm because any given protocol remains secure even if arbitrarily combined with other instances of the same, or other, protocols, thereby allowing the generated randomness to be utilized for arbitrary applications in cryptography and beyond. This work achieves the fastest generation of composably secure quantum random numbers ever reported. DOI: 10.1103/PhysRevX.10.041048


I. INTRODUCTION
The inherent randomness of quantum theory, embodied by Born's rule, creates fundamentally unpredictable events. The concept of a quantum random number generator (QRNG) is to leverage this principle to produce a random, unpredictable output with an unparalleled level of confidence. The central challenge faced by practical QRNGs is to rigorously quantify how much of the entropy generated by a real-world device is indeed intrinsically unpredictable.
To sketch the basic idea, let us consider a device completely described by parameters s, which could be quantum or classical. These are used to generate a classical outcome X that should appear unpredictable from the perspective of an agent external to the device. Consider such an agent E with access to a system which includes all the parameters s as well as any other side information (classical or quantum). For any given value of s, the joint system is described by a classical-quantum state ρ̂_XE and the outcome's predictability is simply the probability of the best guess,

P_ideal,s(X|E) = sup Σ_x p_x tr(Ê_x ρ̂_E^x),   (1)

where the supremum is taken over all measurements {Ê_x} made by E on the system, p_x is the probability distribution of the random variable X, and ρ̂_E^x is the state of E conditioned on X = x. For a real device, however, s is never known exactly. In this case, a conservative estimate of the predictability is given by P = max_s P_ideal,s(X|E), where the maximization is taken over all plausible parameters s. Confidence in the randomness is thus linked to claims about the trusted workings of the device and subsequent constraints on the knowledge of the external agent.
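In the special case of purely classical side information, the optimization over Eve's measurements in Eq. (1) collapses to guessing the most likely outcome for each value of her variable. A minimal numerical sketch (the joint distribution is invented purely for illustration):

```python
import math

def guessing_probability(joint):
    """joint[l][x] = p(l, x).  With classical side information L, Eve's
    optimal strategy reduces to guessing argmax_x p(l, x) for each l,
    so P_guess(X|L) = sum_l max_x p(l, x)."""
    return sum(max(px.values()) for px in joint.values())

# Illustrative joint distribution: X is a bit, Eve's variable l leaks it.
joint = {
    "l0": {"x0": 0.4, "x1": 0.1},
    "l1": {"x0": 0.1, "x1": 0.4},
}
p_guess = guessing_probability(joint)   # Eve guesses correctly 80% of the time
h_min = -math.log2(p_guess)             # conditional min-entropy, ~0.32 bits
```

The min-entropy of the outcome is then the negative logarithm of this guessing probability, as used throughout the paper.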
Approaches to QRNGs differ by the detail with which the devices need to be characterized in order to constrain s [1,2]. Perhaps the simplest conceptually is a so-called device-independent QRNG, which can take the form of a Bell test [3][4][5][6]. In this case, the device must be composed of two isolated measurements that employ independently selected bases, a requirement that can be verified with high confidence. With this condition, P < 1 as long as the measurement outcomes violate a Bell inequality, which in turn constrains the plausible s [7]. In reality, however, even state-of-the-art implementations [8] are extremely complex and yield impractical bit rates of order ∼10 b/s. An alternative approach is to build a QRNG in which the entire device, from quantum source to measurement, is faithfully characterized and modeled [9]. Here, the detailed characterization, which might use both off-line and in-line measurements, crucially constrains s (and thus E) sufficiently to assert a nonunit P. As such, this seemingly exhaustive type of characterization of the setup, and hence trust in its proper inner workings, opens up a myriad of potential attacks and malfunctions which might compromise the randomness output.
A series of intermediate approaches have appeared, commonly referred to as having partial device independence, which yield a QRNG that permits abstraction from some of the devices while needing a detailed characterization of the remainder. These can be broadly classified as those that are independent of the measurement devices [10][11][12] or the sources [13]. A third class, known as semi-device-independent, makes no assumptions on either the source or measurements except to assert a global constraint on the relevant dimension [14,15], energy [16], or orthogonality of the relevant states [17]. Finally, other works have combined assumptions, such as the semi-source-independent protocols (originally thought to be fully source independent) that invoke a dimension assumption in conjunction with a calibrated detection [18][19][20]. These latter works exemplify the critical point that when analyzing partially device-independent protocols, it is important to keep track of the interaction between trusted, but imperfect, devices and the certification techniques used to prove security against deviations in the untrusted components.
In this paper, we develop a certification of quantum randomness generated by an optical beam splitter for which one input field is the vacuum and the other is completely unknown. The certification was carried out in real time using an additional vacuum mode to tap off part of the unknown light source prior to the randomness generation. This method probabilistically infers a lower bound on the photon number of the remaining untrusted source impinging onto the randomness generation measurement. We show that signals from carefully characterized photodetectors, which need not resolve photon number, are sufficient to both generate and certify genuine quantum randomness.
Our approach results in a composably secure protocol and we provide an explicit security proof for high-speed quantum randomness expansion. Such a proof is necessary for all applications that wish to claim provable quantum-based security. A key or random string only becomes useful in composition with other protocols (one-time pad, hashing, etc.), so in order to retain provable quantum security, a composable proof is mandatory. To date, most randomness generation protocols fail to provide outputs that are usable in a composable framework, with, to our knowledge, only a handful shown to be composably secure in a device-dependent scenario [9,37,38] and only one partially device-independent result [13].
To experimentally demonstrate our scheme, we used off-the-shelf components, namely a laser source, high-bandwidth photodiodes, basic linear optical elements, and a high-performance field-programmable gate array (FPGA) board, and generated random numbers with a bit rate of 8.05 Gb/s and a composable security parameter ϵ = 10⁻¹⁰. Overall, our framework is compatible with a wide range of optical detectors and avoids the need to trust or precisely characterize the source of light, as opposed to conventional vacuum homodyning wherein a trusted photonic source is a necessity.

II. GENERATING RANDOMNESS FROM UNTRUSTED LIGHT
In Eq. (1), we quantified the randomness of an outcome X for an external agent E. As is common in quantum cryptography, we refer to this agent as Eve the eavesdropper. An equivalent, but more convenient, way of quantifying this randomness is to compute the quantum conditional min-entropy of the state ρ̂_XE for the joint system XE [39], H_min(X|E) = −log₂ P_guess(X|E), where the argument of the logarithm is the guessing probability for Eve to guess X, as in Eq. (1). This quantity has been shown to quantify the number of bits-almost perfectly random with respect to Eve-that can be extracted via postprocessing [40]. Notice the distinction between a quantum randomness generator (QRG), which simply generates outputs with a certain conditional min-entropy, and a QRNG, which also includes the postprocessing (hashing) necessary to produce almost perfect random numbers. This is worth mentioning because many results in the literature only implement the randomness generation without carrying out random number extraction in real time. Note also that only by composably certifying the randomness generation process can the security of the extracted numbers be rigorously established. A certified randomness generation protocol allows for some, or all, devices to deviate arbitrarily from their purported specifications. A certification test P is applied to the experimental data and only upon that test passing is the output certified as having a certain amount of randomness; otherwise it is discarded. Furthermore, a useful generator will be robust; i.e., it will pass the test with high probability. Formally, we can define such a protocol as follows.
Definition 1.-An (m, κ, ϵ_fail,m, ϵ_c)-certified randomness generation protocol produces an output X made of m measurement results such that
(i) Security: Either the certification test P fails, or H_min(X|E) ≥ κ, except with probability ϵ_fail,m.
(ii) Completeness: There exists an honest implementation such that the test will be passed with probability 1 − ϵ_c.
This security definition is composable, which ensures several crucial properties for cryptographic applications. Firstly, any two protocols that have been proven to satisfy Definition 1 except with failure probabilities ε₁ and ε₂ can be composed into a joint protocol with a total security parameter ε ≤ ε₁ + ε₂. Just as importantly, if a single string is divided in two, the security of one part remains unchanged even if the other part's security has been compromised. Note that this situation often occurs by design, whereby some part of a random string is subsequently publicly revealed (e.g., if it was used to generate lotto numbers or to encrypt information that is announced at a later date).
We define our source-device-independent (SDI) photonic QRG as a protocol in which detectors and passive optical devices (e.g., beam splitters) are taken to be trusted. Photonic states are generated via a laser as input to the experiment (essentially preparing a large amplitude coherent state); however, in the analysis, we will not assume anything about the state of these photons, and in that sense we claim that randomness is generated in an SDI manner. Crucially, however, we also assume that it is possible to exploit a trusted vacuum mode. One might point out that this is in fact assuming at least one trusted source, namely the vacuum. Nevertheless, we argue that vacuum is a rather privileged source in the sense that it does not really require a "device" to be generated, merely the ability to block an input port to a beam splitter. Thus, it would seem highly preferable from a security perspective to trust a vacuum source rather than some photonic state created by a sophisticated device such as a laser or a spontaneous parametric down-conversion process. We also emphasize that the detection process here is distinct from a homodyne detection in that the incoming state is mixed with a vacuum mode instead of a local oscillator (large amplitude coherent state). Even more importantly, we model our measurements directly, as opposed to the homodyne protocols [18][19][20] which model this detection as a quadrature measurement. That modeling is rather at odds with the goal of being SDI because it is only approximately valid in the limit where one assumes that the input signal has far fewer photons than the local oscillator. In Sec. VI and Appendix G, we will also discuss how our measurement scheme has different, and in many cases superior, scaling of the certifiable randomness rate compared to standard homodyne-based protocols.
To gain some intuition, let us start by considering the randomness generation measurement depicted in Fig. 1. It consists of a beam splitter BS_0 with reflectivity r_0 = 1/2, an input mode R, a trusted vacuum fed into the other input mode, and two output photodetectors A and B performing a difference measurement. Assuming the photodetectors to be perfect, we can model them as performing a single measurement acting on the untrusted photonic randomness source in mode R. The outcomes of the measurement will be the photon numbers n_A and n_B detected by detectors A and B, respectively. Propagating this detection event back through the beam splitter and using our knowledge about the trusted vacuum mode, this measurement is then associated with positive-operator valued measure (POVM) elements living in the Hilbert space of the input mode R (see Appendix A for details). Given this, we now propose a simple certifiable randomness generation protocol. It consists of recording the value of the photon number sum N ≔ n_A + n_B and then using the difference measurement x ≔ n_A − n_B as the source of randomness. Therefore, we have two measurements: one of N and one of x. The POVM Z has elements Ẑ(N) for the measurement of N that can be readily recovered as the Fock-state projectors Ẑ(N) = |N⟩⟨N|.

FIG. 1. Scheme for our SDI protocol. An unknown light source ρ̂_E is mixed with a trusted vacuum on a beam splitter (BS) with reflectivity r_1 to perform a certification measurement. The measured outcome at detector C is subject to a test P that passes if the outcome lies within a certain range [n_C⁻, n_C⁺]. Upon passing the test, we certify a photon number n_R in mode R that impinges onto the randomness generation measurement except with probability ϵ_fail.
On the other hand, as we show in Appendix A, the POVM X for the value of x has elements given by

X̂(x) = Σ_N 2^{−N} C(N, (N+x)/2) |N⟩⟨N|,   (5)

where the sum runs over N ≥ |x| with N + x even. We already see the inherent randomness of this scheme since X̂(x) has support over the whole Fock space. Therefore, for any state in mode R with total photon number N > 0, there will be multiple possible values x which can occur. Moreover, there is a manifest independence from the photonic input state. Because the measurements described by Ẑ(N) and X̂(x) are by definition compatible, we can always think of the Ẑ(N) measurement happening first and projecting onto the state |N⟩, which will subsequently produce randomness when measured with X. Thus, conditioned upon observing a sum value of N, one would certify with probability ϵ_fail,m = 0 an amount of randomness that scales as (1/2) log₂(Nπ/2) for large N, as per Definition 1 and shown in Appendix A.

Now, consider the full setup shown in Fig. 1. We introduce the certification measurement in mode C, which is done by tapping off a fraction of the completely unknown incoming light in mode E with a beam splitter BS_1 of reflectivity r_1. The input state ρ̂_E is mixed with a trusted vacuum on BS_1 and the reflected beam in mode C is measured at detector C while the transmitted beam in mode R is input to the randomness generation measurement. This idea is superficially similar to the "energy test" proposed in the context of device-dependent continuous-variable quantum key distribution (QKD) [41]. This test also taps off a portion of the incoming mode but instead uses a trusted and ideal heterodyne detection for the certification measurement. Such a scheme is a priori forbidden in an SDI context (a trusted photonic source being necessary for a heterodyne detection) and, as we show in Appendix B, also fails to provide any security for realistic finite-range detectors.
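The randomness of the ideal difference measurement can be checked numerically: conditioned on N photons at the 50/50 beam splitter, the outcome x = n_A − n_B follows the binomial law P(x) = 2^{−N} C(N, (N+x)/2), and the min-entropy of this distribution approaches (1/2) log₂(πN/2) for large N. A sketch (pure illustration; the paper's Appendix A contains the actual derivation):

```python
import math

def diff_distribution(N):
    """P(x) for x = n_A - n_B given N photons on a 50/50 beam splitter:
    P(x) = 2**(-N) * C(N, (N + x)/2), defined for N + x even."""
    return {x: math.comb(N, (N + x) // 2) / 2**N
            for x in range(-N, N + 1, 2)}

def min_entropy(N):
    """-log2 of the probability of the most likely difference outcome."""
    return -math.log2(max(diff_distribution(N).values()))

N = 1000
exact = min_entropy(N)
approx = 0.5 * math.log2(math.pi * N / 2)   # asymptotic scaling with N
```

For N = 1000 the exact min-entropy and the asymptotic expression already agree to well under a hundredth of a bit.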
Our test P is applied to the output of detector C, with the protocol aborting if the result lies outside a range [n_C⁻, n_C⁺]. Upon passing the test, we obtain a certificate that n_R, the photon number in mode R, lies within a range [n_R⁻, n_R⁺] except with some failure probability ϵ_fail. Then, by minimizing the min-entropy over all states within this range, we obtain a certified lower bound on the generated randomness. For this idealized scenario, we could allow n_R⁺ to be unbounded and would simply look to certify the largest possible value of n_R⁻ given a specific ϵ_fail.

III. CERTIFYING RANDOMNESS WITH REALISTIC DEVICES
In a real experiment, several further complications must be taken into account. Even in a scenario of completely trusted and calibrated devices, care must be taken to quantify the amount of randomness that can be credibly claimed to have been generated. Firstly, real detectors only possess a finite dynamic range over which their response is meaningful. Secondly, measurement outcomes are coarse grained to a finite resolution which must be carefully accounted for when determining the output randomness. Finally, noisy devices will exhibit fluctuations due to processes not under complete experimental control. Information about these processes might be accessible to external observers and, even if not, could well stem from physical processes that are far from random. Nevertheless, this can be accounted for provided the device noise is calibrated and not controlled by Eve. This makes the noise essentially classical, in the sense that we may assume that it is described by variables λ which are distributed according to a characterized probability distribution. These variables are then given to Eve on a shot-by-shot basis.
Consequently, the first step for analyzing our experiment is to carefully calibrate and model the realistic photodiodes, which output noisy voltage measurements rather than exact photon numbers. More formally, following the approach of Ref. [42], we model the POVM describing our noisy, characterized measurements as a projective measurement on a larger system. For the case of our detectors (see Fig. 6 in Appendix B for a summary), the measured voltages are modeled as follows. First, we consider an L ≔ n_max − n_min + 1 outcome photon-number-resolving measurement with a finite range [n_min, n_max] described by measurement operators that are number state projectors (i.e., N̂(n) = |n⟩⟨n|), except for the first and last operators, which are given by N̂(n_min) = Σ_{n=0}^{n_min} |n⟩⟨n| and N̂(n_max) = Σ_{n=n_max}^{∞} |n⟩⟨n|. This photon number is converted to a voltage via a conversion factor α and is then smeared by an additional Gaussian noise term λ of known variance σ². Note that, in principle, the conversion factor α representing the voltage response of the detector need not be constant over time. Indeed, as evidenced in Appendix B, this fact potentially leads to major security loopholes unless appropriate narrow spectral filtering is applied. Such filtering is straightforward for narrowband sources, but problematic for the more commonly used pulsed lasers as it significantly reduces the output number of photons. Finally, the voltage signal is coarse grained by a b-bit analog-to-digital converter (ADC) that itself has only finite range [V_min, V_max] and finite resolution of 2^b bins. However, to correctly quantify the randomness associated with each b-bit measurement, it is essential to consider Δ_ADC, the ADC's effective number of bits (ENOB), which corresponds to the number of bits free of internal electronic noise. This effective bit depth leads to an effective voltage resolution δV = (V_max − V_min)/2^{Δ_ADC}.
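The calibrated detector model above (finite range, linear voltage conversion, Gaussian smearing, finite-resolution ADC) can be sketched as a small simulation; every parameter value below is illustrative rather than taken from the experiment:

```python
import random

def detect(n, n_min=0, n_max=10**6, alpha=1e-6, sigma=1e-3,
           v_min=0.0, v_max=2.0, enob=8):
    """One shot of the calibrated detector model: clamp the photon number
    to the finite range, convert to a voltage, add Gaussian noise, and
    quantize with an ADC of the given effective number of bits (ENOB)."""
    n = min(max(n, n_min), n_max)                 # finite dynamic range
    v = alpha * n + random.gauss(0.0, sigma)      # conversion + smearing
    dv = (v_max - v_min) / 2**enob                # effective resolution
    j = round((v - v_min) / dv)                   # voltage bin index
    return min(max(j, 0), 2**enob - 1)            # ADC range clipping
```

For instance, with the noise switched off, 5 × 10⁵ photons map deterministically to bin 64, and any input beyond n_max saturates at the same bin as n_max itself.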
The output of such a realistic measurement is an index, say j, corresponding to a voltage bin of width δV centered at jδV. We can therefore associate minimum and maximum voltages v_j^± = δV(j ± 1/2) with this outcome j. The certification measurement is made by mixing the unknown photonic input ρ̂_E in mode E with vacuum |0⟩ on a beam splitter of reflectivity r_1. The reflected mode C is then detected with a noisy photodiode (characterized by noise standard deviation σ_C and voltage conversion factor α_C) that is coarse grained by an ADC. The protocol aborts for sufficiently large or small observed voltages (P is now a test applied directly to the measured voltage index). Finally, the randomness is generated by mixing the transmitted state in mode R with another vacuum on a beam splitter with reflectivity r_0 = 1/2 and making a coarse-grained, noisy difference measurement characterized by noise standard deviation σ_D and voltage conversion factor α_D. As with the ideal case, we can write the measurements as operators in the input Hilbert space. As shown in Appendix B, the POVM element for a realistic voltage difference measurement whose outcome is the bin labeled j is

V̂_D(j) = Σ_x (1/2)[erf((v_j⁺ − α_D x)/(√2 σ_D)) − erf((v_j⁻ − α_D x)/(√2 σ_D))] X̂_fin(x),   (6)

where X̂_fin(x) are the POVM elements of a difference measurement that is identical to Eq. (5) except that it is made with the finite-range photodetectors described above and is hence only operationally equivalent over an input photon number range [n_min^D, n_max^D]. Similarly, the certification measurement element corresponding to the outcome bin labeled i is given by

Ĉ(i) = Σ_n (1/2)[erf((v_i⁺ − α_C n)/(√2 σ_C)) − erf((v_i⁻ − α_C n)/(√2 σ_C))] N̂(n),   (8)

with N̂(n) the finite-range photon number elements defined above. With this detection model in hand, we state our main theorem as follows.
Theorem 1.-An optical setup consisting of (i) two trusted vacuum modes, (ii) two beam splitters of reflectivity r_0 = 1/2 and r_1, (iii) two noisy photodetectors used to make a difference measurement as described in Eq. (6), and (iv) a third noisy photodetector used to make a certification measurement as described in Eq. (8), which passes the test P if i falls in a chosen range [i⁻, i⁺], can be used as a certified (m, κ, ϵ_fail,m, ϵ_c)-randomness generation protocol as per Definition 1 without making any assumptions about the photonic source, with κ, ϵ_fail,m, and ϵ_c as given in Eqs. (10)-(14), where n_E^opt = n_C⁻ + n_R⁻ − 1, n_R⁺ is set to be the saturating photon number of the difference measurement, and λ̄ is a bound on λ_C, the noise variable of the certification measurement's detector, such that |λ_C| < λ̄ except with probability ϵ_λC. Moreover, completeness holds using a coherent state |α⟩ as an input.

Proof sketch.-For a complete proof, see Appendix C. The protocol consists of m rounds, each of which is defined as a certification measurement subjected to the test P and a randomness measurement sample that is registered in X. One part of the proof is to show that, for any given round of the protocol, conditioned on passing the test P, the state in mode R has support in the photon number basis that lies almost entirely in the range [n_R⁻, n_R⁺]. More concretely, we maximize over all possible input states to upper bound the joint probability that the test would be passed in mode C while a photon number outside the range [n_R⁻, n_R⁺] was present in mode R. This quantity can be interpreted as the probability that the conditional state in mode R can be operationally distinguished from any state solely supported within [n_R⁻, n_R⁺] (see Appendix D). The second part of the proof is to optimize over all possible input states with support only in [n_R⁻, n_R⁺] to derive a lower bound on the conditional min-entropy.
Note that, a priori, Eve has the freedom to choose an input state that is potentially entangled across all m rounds; i.e., we are considering completely general, so-called coherent attacks. Together, these results mean that either the min-entropy for a single round will be lower bounded or the protocol will abort, except with probability ϵ_fail. For m rounds, one can simply add these lower bounds together to bound the min-entropy of the output concatenated string except with a probability as claimed in Eq. (12). Intuitively, one would expect that Eve's optimal strategy to predict the outcome of a difference measurement would be to input a pure Fock state, and this is indeed the case. The key fact is that the realistic difference measurement is still diagonal in the photon number basis and that an m-round protocol can be described as a tensor product of such measurements. Note that for the purposes of calculating the min-entropy, we consider the difference measurement in Eq. (6) from the perspective of Eve, who knows the noise variable λ_D on a shot-by-shot basis, for which the corresponding POVM elements remain diagonal in the photon number basis. The fact that this measurement commutes with a diagonalizing map in the photon number basis makes it straightforward to show that Eve's optimal guessing probability is achieved by inputting a pure Fock state. Provided we choose n_R⁺ less than n_max, the saturation value for the detectors, direct calculation shows that the guessing probability decreases monotonically in n_R. Thus, for states restricted to [n_R⁻, n_R⁺], the smallest min-entropy is achieved by inputting |n_R⁻⟩. Finally, the fact that the coefficients in Eq. (5) are those of a binomial distribution can be used to show that the min-entropy is minimized whenever x is minimal (0 for an even and 1 for an odd input photon number) and λ_D = 0. Assuming that this is always the case, direct evaluation of tr{|n_R⁻⟩⟨n_R⁻| V̂_D^{Δ_ADC}(n_R⁻ mod 2)} yields the expression in Eq. (10).
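The monotonicity step of this argument can be checked numerically for the ideal difference measurement: on a Fock state |n⟩, Eve's best guess is the most likely difference outcome, whose probability C(n, ⌈n/2⌉)/2^n never increases with n. A sketch (ideal noiseless detectors; range of n chosen arbitrarily):

```python
import math

def p_guess_fock(n):
    """Probability of the most likely outcome x (0 or +/-1) of the ideal
    difference measurement, Eq. (5), on a Fock state |n>."""
    return math.comb(n, (n + 1) // 2) / 2**n
```

Since p_guess_fock is non-increasing in n, the worst case over a certified range [n_R⁻, n_R⁺] sits at the lower edge n_R⁻, exactly as used in the proof sketch.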
Turning to the failure probability, we first define a failure operator which corresponds to taking the failure condition (i.e., a passing voltage is observed at detector C along with n_R ∉ [n_R⁻, n_R⁺] in mode R) and writing it as an operator in the Hilbert space of Eve's input mode, where the passing set is C = {n_C : α_C n_C + λ_C ∈ [i⁻, i⁺]}.
Since this operator is also diagonal in the photon number basis, one can repeat the previous arguments to show that Eve's optimal strategy to maximize this failure probability is also achieved by a Fock state.
The failure probability for a single round of the protocol can then be written as the expectation value of this failure operator over Eve's input state [Eq. (19)]. To bound this quantity, we first use our knowledge of the certification noise variable λ_C. Except with probability ϵ_λC = 1 − erf(λ̄/(√2 σ_C)), we know that |λ_C| ≤ λ̄. Substituting Eq. (18) in Eq. (19) yields two terms, as the sum over n_R ∉ [n_R⁻, n_R⁺] decomposes into a sum for 0 ≤ n_R < n_R⁻ and a sum for n_R > n_R⁺. Then there is no value of n_E for which both terms will be simultaneously nonzero, and we can write ϵ_fail ≤ ϵ_λC + ϵ⁻ + ϵ⁺, where ϵ⁻ (ϵ⁺) corresponds to the lower (upper) sum. Both of these are essentially cumulative binomial distributions; for a particular value of n_E, ϵ⁻ takes the form of Eq. (21), where n_C⁻ is the smallest photon number allowed at mode C consistent with passing the test.
For unbounded λ_C, it would be impossible to determine n_C⁻ or ϵ⁻, but again using λ̄, we can do so except with probability ϵ_λC. If we define v_i⁻ (v_i⁺) as the minimum (maximum) voltage compatible with the passing range [i⁻, i⁺], we can obtain a minimum (maximum) photon number for mode C compatible with passing the test. The varying lower limit on the sum in Eq. (21) stems from the fact that for Eve to cheat, there are two constraints on n_C. First, it must be the case that a sufficiently large number of photons go to detector C such that the test is passed, but for sufficiently large n_E this condition is superseded by the requirement that fewer than n_R⁻ photons go to mode R. Arguments based on the nature of the binomial coefficients allow us to show that, to maximize ϵ⁻, Eve should choose the input state |n_E^opt⟩. This can be directly substituted into Eq. (21) to obtain ϵ⁻ as per Eq. (14), and an analogous argument can be applied to bound the corresponding ϵ⁺. In combination with Eqs. (17) and (20), this completes the security proof.
▪ Finally, as elucidated in Appendix C, the application of Hoeffding's bound yields more convenient expressions for direct evaluation of the failure probabilities in Eq. (14).
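Both failure terms are cumulative binomial tails of the photon number splitting at BS_1, and Hoeffding's inequality replaces them with closed-form bounds. A numerical sketch (the photon number, reflectivity, and threshold below are illustrative, not the paper's):

```python
import math

def binom_lower_tail(n, p, k):
    """Exact P(X < k) for X ~ Binomial(n, p), summed in log space so the
    individual terms do not underflow for large n."""
    total = 0.0
    for i in range(k):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1)
                    - math.lgamma(n - i + 1)
                    + i * math.log(p) + (n - i) * math.log(1 - p))
        total += math.exp(log_term)
    return total

def hoeffding_lower_tail(n, p, k):
    """Hoeffding bound: P(X <= k) <= exp(-2 (n p - k)^2 / n) for k <= n p."""
    return math.exp(-2 * (n * p - k) ** 2 / n)

# Chance that fewer than n_C_minus of n_E tapped photons reach detector C.
n_E, r1, n_C_minus = 10_000, 0.1, 800
exact = binom_lower_tail(n_E, r1, n_C_minus)
bound = hoeffding_lower_tail(n_E, r1, n_C_minus)
```

The Hoeffding expression is looser than the exact tail but trivial to evaluate, which is what makes it convenient for direct evaluation of the failure probabilities.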

IV. EXTRACTING RANDOM NUMBERS FROM CERTIFIED QUANTUM RANDOMNESS
Finally, we turn to the task of actually extracting ϵ-secure random numbers for use in real-world applications. This can be achieved via two-universal hashing (detailed in Appendix E), which can be efficiently implemented on an FPGA. The details of the randomness extraction are critical in determining both the final speed and security of the QRNG. Firstly, one must obtain a composable certificate for how close the hashed outputs are to perfect randomness. Secondly, one needs to assess whether the randomness extraction is performed in real time, i.e., at a rate greater than or equal to the randomness generation rate set by the experiment. To address these issues precisely, the critical parameters are the FPGA's hashing speed (number of hashes per second) and the hashing block size.
Regarding the composable security definition for the final hashed numbers, we can simply adopt the following standard secrecy criterion from the QKD literature [43].
Definition 2.-Let X be the random variable describing the measurements of a certified QRG protocol which succeeds with probability p_pass and let S denote the result of a randomness extraction process applied to X. The result S is ϵ secure if ρ̂_SE, the joint state with the eavesdropper, satisfies

p_pass D(ρ̂_SE, ρ̂_ideal) ≤ ϵ,   (22)

where D(ρ̂, σ̂) ≔ (1/2)‖ρ̂ − σ̂‖₁ is the trace distance and ρ̂_ideal is the output of an ideal randomness source, defined as ρ̂_ideal ≔ τ̂_S ⊗ ρ̂_E, with τ̂_S the uniformly distributed state on S.
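For states that are diagonal in a common basis (e.g., the classical output string absent quantum side information), the trace distance in Definition 2 reduces to the total variation distance between the corresponding probability distributions, which makes the criterion easy to evaluate on classical data. A minimal sketch with invented numbers:

```python
def trace_distance_diag(p, q):
    """Trace distance (1/2)||rho - sigma||_1 for two states diagonal in
    the same basis: reduces to the total variation distance between the
    eigenvalue (probability) distributions p and q."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)

# Illustrative: a slightly biased 2-bit output vs the ideal uniform state.
biased = {"00": 0.28, "01": 0.26, "10": 0.24, "11": 0.22}
uniform = {k: 0.25 for k in biased}
d = trace_distance_diag(biased, uniform)
```

Here d = 0.04, so this biased output would only qualify as ϵ secure for ϵ ≥ 0.04 p_pass, far from the 10⁻¹⁰ level targeted in the experiment.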
Because of the composable nature of our randomness generation protocol, we can apply previous results on hashing with quantum side information [44] to obtain the desired certificate in Eq. (22). Its precise formulation is given by the theorem below (see Appendix E for a full derivation).
Theorem 2.-A certified SDI (m, κ, ϵ_fail,m, ϵ_c)-randomness generation protocol as defined in Definition 1 can be processed with a random seed of length m via two-universal hashing to produce a certified SDI random string of length

l = κ − 2 log₂(1/ϵ_hash) + 2   (23)

that is ϵ_c complete and ϵ_l secure, where ϵ_l = ϵ_hash + ϵ_fail,m.
To understand how such a system will perform, we examine these security parameters in more detail, beginning with ϵ_hash. Inverting Eq. (23), ϵ_hash is expressed as

ϵ_hash = 2^{−(κ−l−2)/2}.   (24)

The raw data output by an m-round QRG protocol will be a bit string of length h = mb, where b is the total number of bits recorded by the ADC for each measurement (recall that this is different from Δ_ADC, the effective number of noise-free bits that we used to lower bound the randomness). From Theorem 1, we know that the total min-entropy is proportional to the number of rounds, or alternatively the block length, and so we can write κ = g′m = (g′/b)h ≔ gh for some constants g and g′. The extracted length can also be written in terms of a compression ratio r defined by l = r × h. Putting this together, we can rewrite Eq. (24) as

ϵ_hash = 2^{−[h(g−r)−2]/2}.   (25)

To see the critical importance of the block size h, consider the case of maximal compression. For fixed h, there is a hard lower limit to the compression ratio given by r ≥ 1/h, since the minimum possible output length is 1 bit. This in turn necessitates a lower limit ϵ_hash ≥ 2^{−(hg−3)/2} and hence a limit on the total achievable ϵ_l. This shows that a certain minimum block size is mandatory to obtain a given level of security. More generally, considering Eq. (25), it becomes clear that increasing h allows us to either increase the compression ratio while keeping ϵ_hash constant (i.e., linearly improving performance while maintaining security) or decrease ϵ_hash while keeping r constant (i.e., exponentially improving security while maintaining performance).
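This trade-off can be made concrete with the closed form ϵ_hash = 2^{−[h(g−r)−2]/2}, which reproduces the maximal-compression limit ϵ_hash ≥ 2^{−(hg−3)/2} at r = 1/h. A sketch with invented values of g and r (the real values depend on the calibrated min-entropy per sample):

```python
def eps_hash(h, g, r):
    """Hashing security parameter as a function of block size h (bits),
    min-entropy rate g, and compression ratio r; assumes the standard
    leftover-hash form eps_hash = 2**(-(h*(g - r) - 2)/2)."""
    return 2.0 ** (-(h * (g - r) - 2) / 2)

g, r = 0.4, 0.3                       # illustrative rates, not the paper's
small_block = eps_hash(10**3, g, r)   # ~2^-199
large_block = eps_hash(10**4, g, r)   # ~2^-499
```

A tenfold larger block exponentially tightens the security parameter at fixed compression, while raising r toward g at fixed h loosens it, exactly the two directions discussed above.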
There is a further consideration in that augmenting the block size h (i.e., taking more measurement samples m) has the deleterious effect of increasing the value of ϵ_fail,m. This can be compensated by either altering the voltage thresholds used in the test P, at the cost of a decreased probability 1 − ϵ_c of passing the test, or inferring a smaller certified minimum photon number and hence a smaller min-entropy κ, which in turn feeds back into ϵ_hash. Nevertheless, although one cannot arbitrarily increase h, in practice it turns out that having a sufficiently large block size is imperative for maximizing the overall performance of a QRNG setup. If the min-entropy per measurement is relatively low, then as per Eq. (25) and the discussion above, a small h prohibits any randomness extraction whatsoever. Beyond this in-principle limitation, in practice the maximum achievable block size h is typically limited by the technical parameters of the FPGA used for postprocessing. Therefore, depending upon the desired application, one may need to concatenate several blocks of hashed random numbers to obtain a final string of the requisite length. Intuitively, it should be possible to deliver shorter strings at a faster bit rate, given that less concatenation is required and hence worse security per hashed output string of length l can be tolerated. Defining t to be the number of output l-bit concatenated blocks, one obtains a final string of the desired length L = t × l = t × r × h with an overall security parameter ϵ = t(ϵ_hash + ϵ_fail,m), as per Eqs. (17) and (E10).
One can now readily observe that, for a fixed final ϵ, a smaller number of concatenations t allows larger values of ϵ_fail and ϵ_hash, which in turn permit a larger compression ratio r and thus a faster overall bit rate.
Turning to the final bit rate, there are two cases, depending on whether the FPGA or the experiment itself is the bottleneck. Consider first the case where the hashing is slower than the experiment's output data generation. Define R_hash as the FPGA clock rate (i.e., the inverse of the time it takes to carry out one hashing operation). Since each hashing operation outputs ℓ bits, the total bit rate is

R_h = R_hash × ℓ,

where the subscript h denotes that the limiting factor is the hashing speed. The second case, which holds for our real-time implementation, is when the experiment is slower than the hashing. Given an experimental data acquisition rate R_data, the total bit rate is simply

R_d = R_data × r,

where the subscript d denotes that the data acquisition rate is now the limiting factor. Ultimately, given that an honest implementation of the QRNG protocol passes with probability 1 − ϵ_c, the average generated bit rate is

⟨R⟩ = (1 − ϵ_c) × min{R_h, R_d},

where the minimum discriminates between the two cases described above.
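The bookkeeping above can be sketched with the numbers of the first real-time configuration reported in Sec. V. One caveat: we read R_hash here as the rate of complete hash operations, inferred as an assumption from the reported t = 1.9375 × 10⁶ output blocks per second rather than from the raw FPGA clock.

```python
# Bit-rate bookkeeping for the two bottleneck cases (Sec. V, configuration 1).
h = 9600               # Toeplitz input block length (bits)
l = 4155               # hashed output length (bits)
r = l / h              # compression ratio
R_data = 12 * 1.55e9   # ADC output rate: 12 bits per sample at 1.55 GS/s (b/s)
R_hash = 1.9375e6      # complete hash operations per second (assumed, see text)
eps_c = 0.005          # honest failure probability, 1 - 0.995

R_h = R_hash * l                      # hashing-limited bit rate
R_d = R_data * r                      # acquisition-limited bit rate
R_avg = (1 - eps_c) * min(R_h, R_d)   # average rate of an honest run

print(f"R_h = {R_h:.3e} b/s, R_d = {R_d:.3e} b/s, <R> = {R_avg:.3e} b/s")
```

With these numbers both rates come out at ≈8.05 × 10⁹ b/s, i.e., the hashing pipeline is matched to the acquisition rate.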

V. EXPERIMENT
The experiment carries out two separate key tasks: the randomness generation and the real-time extraction of random numbers.
The experimental setup is displayed in Fig. 2 and consists of a fully fiber-connected architecture built from commercially available components for the randomness generation, together with a high-speed field-programmable gate array (FPGA) for random number extraction. Note that for the randomness generation experiment, the measurement signals are analyzed with an oscilloscope in order to precisely characterize the randomness in each measurement, while the real-time extraction of random numbers is performed on a dedicated high-performance postprocessing board containing both an ADC and an FPGA.

A. Randomness generation
The light source is a continuous-wave (cw) laser (Koheras Adjustik E15) at the telecom wavelength λ = 1550 nm. The source's linewidth is below 100 Hz, making it extremely narrow band. The laser output is directed through a fiber optical isolator (Thorlabs IO-H-1550APC) in order to prevent unwanted back reflections into the laser. A fiber optical variable attenuator (JDSU MAP-220CX-A) is used to vary the laser's optical power and hence the photon number impinging onto the QRG. The certification and randomness generation measurements are implemented with standard fiber couplers (Thorlabs 10202A, optimized for telecom wavelength) with reflectivities r₁ = 0.0965 (i.e., ≈90∶10) and r₀ = 1/2 (i.e., 50∶50), respectively. Detector C, used for the certification measurement, is a fiber-coupled InGaAs PIN photodiode (Thorlabs DET08CFC/M) with a large bandwidth BW_C = 5 GHz, a responsivity η_C = 1.04 A W⁻¹ at λ = 1550 nm, a transimpedance gain G_C = 50 Ω, and a measured electronic noise with standard deviation σ_C ≈ 0.25 mV. The randomness generation measurement, comprising detectors A and B, is implemented by a fiber-coupled, ac-coupled balanced detector (Thorlabs PDB-480C-AC). Signals from the detectors are sampled by an oscilloscope (LeCroy WaveRunner 204MXi) with a 2 GHz bandwidth, a sampling rate of F_S = 10 GS/s, and a vertical resolution of V_max − V_min = 10 mV/div. The measurements are recorded by the oscilloscope's ADC as an 8-bit output, but with a calibrated bit depth of Δ_ADC = 4.772 bits, corresponding to the effective number of bits free of ADC internal noise. A total of 24 datasets were acquired, scanning the optical power input to the difference measurement from 0 to 6.77 mW, corresponding to the balanced detector's linear response range. Each dataset was acquired over T = 1 ms, yielding 10⁷ samples per power setting.
To evaluate the certified randomness of these data for a desired failure probability ϵ_fail, we must first fix λ such that ϵ_C^λ < ϵ_fail (here we choose ϵ_C^λ = ϵ_fail/2). Then, given the difference measurement's saturation power, we set n_R^+ equal to the corresponding saturating photon number n_max^D = 1.06 × 10⁷ and choose an upper voltage threshold v_+^i in Eq. (14) such that ϵ_+ < ϵ_fail/2. Finally, for a given lower voltage threshold v_−^i, we solve Eq. (14) to find n_R^− such that ϵ_− = ϵ_fail/2. This ensures that the photon number input to the difference measurement lies within [n_R^−, n_R^+] except with probability max{ϵ_−, ϵ_+} + ϵ_C^λ = ϵ_− + ϵ_C^λ = ϵ_fail, and the certified randomness can then be determined by plugging n_R^− into Eq. (10) to retrieve the conditional min-entropy.
This establishes the protocol's SDI security as per Definition 1. However, to understand how much randomness we can expect to obtain in practice, we should also consider the protocol's completeness. Typically, we will have some claimed specifications for the source and can choose thresholds accordingly: using Eq. (15), we would normally only attempt to certify a quantity and quality of randomness such that the corresponding test P would be passed with high probability by a source satisfying the claimed specifications. Here, for simplicity, at each input power we only allow ourselves thresholds such that all 10⁷ measured samples pass the test.
In Fig. 3, the certified minimum photon number n_R^− in mode R is plotted against the input optical power for various security parameters ϵ_fail. The input power was scanned across the linear range of the balanced detector, with the voltage thresholds v_±^i at each power setting constrained such that all samples passed the test P. Under these constraints, we chose a voltage threshold within the range 0 to 39.2 mV. As can be seen, the certified photon number scales linearly with the input power and vanishes for sufficiently small or large photonic inputs. For small powers, n_R^− goes to zero since no positive solution of Eq. (14) with the required ϵ_− can be found. This is as expected: when a low photon number impinges onto detector C, the produced voltage cannot be discerned from the detector's inherent electronic noise. Conversely, for large powers, one can easily achieve a small ϵ_−, but it is no longer possible to obtain a value of ϵ_+ such that the total certification is valid for ϵ_fail. This is also to be expected as one approaches the balanced detector's saturation power. Finally, for increasing security (i.e., smaller ϵ_fail), n_R^− decreases for a given input power and remains positive over a smaller range of inputs. Indeed, the penultimate data point is nonzero only for ϵ_fail ≥ 10⁻²⁰, and no photon number can be certified with any security for the final point.
The main result of this new SDI framework is shown in Fig. 4, which compares the experimentally estimated min-entropy, various device-dependent (DD) min-entropy models, and our SDI approach. The red data points are experimental estimates of the unconditional min-entropy for different average input powers of the laser. These were calculated from histograms of the difference measurement output by the balanced detector (shown in the inset of Fig. 4). Given these histograms, a Gaussian fit was performed, and the retrieved maximum probability p_max was used to estimate the unconditional min-entropy via H_min = −log₂(p_max). This corresponds to a naive analysis in which all observed fluctuations are assumed to be truly random. The red line is a device-dependent prediction for H_min^DD(X), calculated using our detector model and assuming that the laser is well modeled by a coherent state |α⟩. The resulting curve matches the data well, with a coefficient of determination R² = 98.96%, confirming the validity of our modeling. In pink, H_min^DD(X|E) corresponds to the usual device-dependent conditional min-entropy, assuming a known source but accounting for Eve's knowledge of the electronic noise present in our measurement apparatus. As such, it is equal to H_min^DD(X) shifted down by the min-entropy associated with the electronic noise of the balanced detector. Finally, the green, orange, and blue points show our SDI model for the certified conditional min-entropy H_min^SDI(X|E) for different values of the security parameter ϵ_fail. These were calculated via Eq. (10) using the minimum certified photon numbers n_R^− displayed in Fig. 3 for each ϵ_fail.
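The naive unconditional estimate can be sketched as follows. The Gaussian samples stand in for the digitized balanced-detector voltages, the noise width and quantization step are hypothetical, and, instead of a Gaussian fit, we simply take the empirical maximum bin probability.

```python
import random
from collections import Counter
from math import log2

random.seed(0)

# Stand-in for the digitized difference-measurement voltages: zero-mean
# Gaussian samples quantized to a hypothetical ADC bin width.
sigma = 1.0e-3       # noise standard deviation (V), illustrative
bin_width = 0.5e-3   # ADC quantization step (V), illustrative
n_samples = 200_000
codes = Counter(round(random.gauss(0.0, sigma) / bin_width)
                for _ in range(n_samples))

# Empirical maximum probability over ADC codes and the naive
# unconditional min-entropy H_min = -log2(p_max).
p_max = max(codes.values()) / n_samples
H_min = -log2(p_max)
print(f"p_max = {p_max:.4f}, H_min = {H_min:.3f} bits")
```

As in the text, this H_min counts all fluctuations (including electronic noise) as random; it is an upper bound on what any conditional analysis can certify.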
When comparing the different min-entropies in Fig. 4, it is clear that the claimed level of randomness depends critically on what assumptions are made about the QRG. Indeed, if one were naively to take H_min^DD(X) as a consistent min-entropy model, the QRG's output would be predictable, since the electronic noise may be accessible to Eve. On the other hand, while H_min^DD(X|E) correctly removes such classical side information, it nevertheless remains a device-dependent model for which the experimentalist must trust the proper working of the entire setup, having carefully modeled it and its possible deviations and secured it against all manner of sophisticated attacks from Eve. In the canonical setup of Fig. 2, a key source of experimental complexity is the input light source. Our approach provides total independence from such complexity while still certifying a substantial amount of min-entropy per measurement, together with an explicit quantification of its confidence given by ϵ_fail. As can be seen in Fig. 4, we certify up to ≈1.1 bits of min-entropy with ϵ_fail = 10⁻²⁰ for the penultimate data point. While this value is about half of what H_min^DD(X|E) predicts, we argue that such a compromise is reasonable given that we can still achieve high randomness bit rates with the added SDI security. Indeed, the importance of our SDI protocol's security is starkly illustrated by the initial and final input powers, to which no min-entropy is assigned, in contrast to the device-dependent model H_min^DD(X|E).

B. Real-time random number extraction
The real-time extraction of random numbers is performed with a dedicated postprocessing printed circuit board (PCB) whose contents and operation are thoroughly detailed in Appendix F. Here, instead of using an oscilloscope to read out the various detectors in the setup, the voltage signals are fed directly to a b = 12-bit ADC (Analog Devices AD9625) capable of measuring analog inputs up to 3.2 GHz with a sampling rate of F_S = 2.5 GS/s and a large ENOB of Δ_ADC = 9.2 bits. This represents a substantial improvement over the ADC of the oscilloscope used for the characterization measurements in the previous section.
As a general principle, to maximize a QRNG's final bit rate, it is important to use an ADC whose ENOB-to-bit-depth ratio Δ_ADC/b is as large as possible for a given bit depth b. Indeed, for a fixed number of photons input to the randomness generation measurement, a large ENOB Δ_ADC maximizes the extractable certified min-entropy per sample κ/m, since the noise contribution intrinsic to the ADC is minimized. As explained in Sec. IV, the min-entropy in turn sets the upper limit on the compression ratio, r ≤ κ/(mb). Although the ENOB is often not taken into account, this argument makes clear why one should maximize Δ_ADC/b rather than b alone. Finally, the output of the ADC is sent directly to the FPGA (Zynq UltraScale+ ZU9EG) in order to carry out the hashing.
The real-time hashing of the raw data was implemented using the concurrent pipeline algorithm based on Toeplitz matrix hashing [45]. The idea of the algorithm is to speed up the postprocessing by decomposing the large h × ℓ Toeplitz matrix into several submatrices of dimension k × ℓ and performing the matrix multiplications with the raw data simultaneously. The crucial task of determining k, the number of rows of the submatrices, is explained in Appendix F.
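A minimal sketch of block-decomposed Toeplitz hashing over GF(2) follows. This is plain NumPy rather than FPGA logic, the dimensions are toy values, and we split the matrix so that each "clock cycle" consumes one chunk of raw bits, which is one way to realize the decomposition described above; in practice the seed would come from an initial random string.

```python
import numpy as np

rng = np.random.default_rng(1)

h, l, k = 16, 7, 4   # toy dimensions; the experiment uses h = 9600, l = 4155
assert h % k == 0

# A Toeplitz matrix over GF(2) is fixed by its first row and first column:
# h + l - 1 seed bits in total. Entries are constant along diagonals.
seed = rng.integers(0, 2, size=h + l - 1)
T = np.empty((l, h), dtype=np.uint8)
for i in range(l):
    for j in range(h):
        T[i, j] = seed[i - j + h - 1]

x = rng.integers(0, 2, size=h).astype(np.uint8)   # raw input block

# Direct hash: y = T x over GF(2).
y_direct = (T @ x) % 2

# Pipelined hash: split T into h/k submatrices and accumulate partial
# products as successive chunks of raw bits "arrive" each cycle.
y_pipe = np.zeros(l, dtype=np.uint8)
for c in range(h // k):
    sub = T[:, c * k:(c + 1) * k]   # l x k submatrix for this cycle
    chunk = x[c * k:(c + 1) * k]    # k raw bits consumed this cycle
    y_pipe = (y_pipe + sub @ chunk) % 2

assert np.array_equal(y_direct, y_pipe)
print("pipelined Toeplitz hash matches direct computation")
```

Because matrix multiplication distributes over the column blocks, the pipelined accumulation is exactly equivalent to the direct product, which is what allows the FPGA to process the stream chunk by chunk.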
To demonstrate our protocol, we ran a real-time random number extraction experiment in two distinct configurations producing either long or short strings. These address different real-world applications, such as large-scale simulations (e.g., Monte Carlo), for which gigabits of random numbers are required, and standard cryptographic protocols (e.g., the Advanced Encryption Standard), which typically employ random seeds of kilobit length. The parameters of both configurations are summarized in Table I. For the first configuration, we set an optimal input optical power of 5.8 mW before the randomness generation measurement. The optimization was performed such that the entire dataset would pass the certification test P with probability 1 − ϵ_c = 99.5%. This yields a certified min-entropy of H_min^SDI(X|E) = 5.32 bits per sample acquired by the ADC, with a security parameter ϵ_fail = 1.6 × 10⁻¹⁹. Next, we downsampled the digitized output of the ADC to 1.55 GS/s in order to remove any time correlation. This stream of bits was then fed to the FPGA, where the hashing algorithm described above ran at a speed of R_hash = 193.75 MHz with a Toeplitz matrix of size h = 9600 bits by ℓ = 4155 bits. We thus achieved a total bit rate of

R_d = R_data × r = 12 × 1.55 × 10⁹ × (4155/9600) = 8.05 Gb/s

with an overall composable security of ϵ = 4.3 × 10⁻¹⁰, thereby generating in real time N_S = 1 string of length L = 8.05 × 10⁹ certified and composably secure quantum random numbers made of t = 1.9375 × 10⁶ concatenations. Note that, given the probability of passing the test, this corresponds to an average bit rate of (1 − ϵ_c) × R_d ≈ 8.01 Gb/s over many runs at the same level of security. In the second configuration, we took the inverse approach and avoided any concatenation (i.e., t = 1), allowing a larger hashing output length of ℓ = 4210 bits.
Every second, this resulted in N_S = 1.9375 × 10⁶ strings of length L = 4.21 kb, each with a composable security of ϵ = 4.8 × 10⁻¹⁰. The obtained bit rate was thus R_d = 8.16 Gb/s, with the corresponding average bit rate ⟨R⟩ = 8.16 Gb/s to two decimal places. The numbers obtained in both settings were ultimately found to pass the NIST battery of statistical tests [46]. This constitutes an ultrafast, composably secure QRNG based on commercially available components and entirely independent of the incoming light source, for which the random numbers are both composably certified and extracted in real time. To our knowledge, this is the fastest composably secure QRNG (including device-dependent implementations) ever reported.

VI. DISCUSSION
We now return to the desiderata previously outlined for evaluating the usefulness of a QRNG device, namely, its level of security, performance (achievable bit rate), and practicality (ease of implementation, durability, and cost). Our protocol used cheap and robust off-the-shelf components that lend themselves to prolonged, high-speed usage and would be amenable to miniaturization in an integrated photonic architecture. Utilizing an FPGA, we implemented the necessary hashing operations in real time using the pipeline algorithm of Ref. [45], detailed in Appendix F. Moreover, we hashed relatively large blocks, which allowed us to extract random numbers at close to the optimal rate permitted by the randomness source.
Another consideration when developing a protocol for certified randomness is whether the protocol is composably secure [39,43], that is, whether its output can be used as an input to other cryptographic protocols without compromising security. For example, it can be input to a randomness extractor along with a seed to achieve certified randomness expansion using well-known techniques [42,44]. Very few implementations enjoy such composable security proofs, in either the device-dependent [9,37,38] or partially device-independent case [13]. While there is a device-independent result that produces random strings that may be composed [6], it is still unknown whether fully device-independent protocols are secure under composition of devices without extra assumptions (e.g., memoryless devices [47]). For the moment, it is thus necessary to move beyond device independence if one desires a fully composably secure protocol.
In terms of security and performance, our work considers completely general quantum attacks and achieves significantly higher bit rates for a given security parameter than the fastest known source-independent (5 kb/s in Ref. [13]), measurement-independent (5.7 kb/s in Ref. [12]), semi-device-independent (16.5 Mb/s in Ref. [17]), or fully device-independent protocols (180 b/s in Ref. [6]). The only directly comparable work offering a source-independent composable security proof is Ref. [13], whose randomness generation rate we improve upon by more than 6 orders of magnitude. In fact, our work achieves the highest composably secure bit rate at any level of device assumptions, including the fastest device-dependent implementations [38].
The experimental architectures most similar to ours are a recent series of papers involving homodyning of the vacuum [19] or of a squeezed state [20], or dual homodyning of the vacuum [48], which were claimed to be SDI. Indeed, these works also achieve impressive rates, as high as 17 Gb/s. To derive an SDI proof, they apply entropic uncertainty relations [41,49] that can, in principle, certify randomness even if the source of quantum states is completely unknown, provided the measurements acting on these states are well characterized. However, for realistic homodyne detectors with finite range, the corresponding uncertainty relation becomes trivial and no randomness can be certified [49]. Even in the case of infinite-range detectors, modeling a photon difference as a quadrature measurement is only valid when the input photon number is small with respect to the local oscillator. This problem can be ameliorated, but only at the price of introducing an energy assumption on the source (similar to the semi-device-independent approach), thus jeopardizing the claimed source independence. A comparison of the security, assumptions, and performance of a selection of other works relative to ours can be found in Table II. This work achieves the fastest generation of composably secure random numbers (i.e., QRNG bit rate) ever reported, including relative to the device-dependent homodyning result of Ref. [38], even though the latter implementation produces a higher QRG bit rate. This superior QRNG performance stems from highly efficient postprocessing, emphasizing the critical role of carefully designed state-of-the-art randomness extraction. A final technical point is that, although the importance of considering digitization noise via the ENOB of the ADC has been pointed out previously [19,45], many experiments fail to take it into account. Properly accounting for this digitization noise reduces the retrievable min-entropy per sample and would considerably lower the bit rates reported in the vast majority of the corresponding literature.
Finally, we turn to a quantitative comparison between this work and earlier protocols based on homodyne detection in the device-dependent [37,38] and semi-SDI contexts [19,20,48]. Strictly speaking, a direct comparison with the semi-SDI protocols is impossible, since these do not give a composable security parameter. In practice, moreover, the achievable rates depend heavily on technical constraints such as the detector noise and especially the effective number of ADC bits. In Fig. 5, we therefore consider a simpler calculation of the min-entropy generated in a single round using ideal equipment, in order to compare the ultimate rates of these different protocols. The security parameter for the displayed SDI curves is chosen as ϵ_fail = 10⁻¹⁰, with the honest passing probability 1 − ϵ_c = 0.995. For the entropic uncertainty relation (EUR) protocol, the probability of making a randomness-generating measurement was set to p_X = 0.9, and the photon number of the local oscillator used in the homodyne detection was n_LO = 10⁷. Details of the calculations are given in Appendix G.
For certain input states, we identify fundamentally different scalings. Although we in fact consider upper bounds on the rates for the device-dependent and semi-SDI schemes, thereby penalizing this work by comparison, we observe dramatically different scalings between this work and the semi-SDI homodyne scheme. As can be seen in Fig. 5, if the input state is one half of an entangled two-mode squeezed vacuum state (i.e., a thermal state) or a coherent state, then the randomness of homodyne protocols decreases as a function of the photon number of the input state, whereas the randomness of the present protocol monotonically increases. For sufficiently large photon numbers, this work scales identically to the device-dependent case, thereby achieving significantly improved security with only a constant-factor reduction in performance. Moreover, for an input coherent state, the photon number beyond which this work's generated min-entropy surpasses that of the EUR protocol is relatively small (n̄ = |α|² ≈ 2 × 10⁶). This crossing point and the ensuing advantageous scaling make this work all the more desirable from a realization point of view, since the crossing occurs for a coherent state, the most practical and hence most widely utilized state in experimental quantum optics. Overall, these considerations highlight the fundamental quantitative differences between this work and traditional homodyne-based protocols.

TABLE II. Comparison of randomness generation protocols. DD, device-dependent; sSDI, semi-source-device-independent; sDI, semi-device-independent; SDI, source-device-independent; DI, device-independent. The asterisk denotes "not proven secure under composition of devices."

VII. CONCLUSION
In summary, we present and experimentally implement an SDI protocol based on the quantum nature of untrusted light. Our QRNG achieves both state-of-the-art ultrafast randomness generation and real-time random number extraction, with a bit rate of R_d = 8.05 Gb/s, while providing a rigorous security parameter of ϵ = 10⁻¹⁰ for the generated random numbers with no assumptions on the light source. Several avenues for improvement exist, chief among them a higher-bandwidth balanced detector (for the randomness generation speed) and a larger effective bit resolution of the ADC (for the retrievable min-entropy per sample). Lastly, the present configuration could be upgraded by connecting more randomness sources (say, γ > 1 of them) to the same FPGA and carrying out parallel real-time postprocessing, achieving an average QRNG bit rate of γ × ⟨R⟩ at the same level of composable security.

APPENDIX A

To begin, consider the randomness generation measurement of Fig. 1. It consists of a beam splitter BS₀ with reflectivity r₀ = 1/2, an input mode R, a trusted vacuum fed into the other input mode, and two output photodetectors A and B performing a difference measurement. It simplifies matters greatly if we can prove that the potential eavesdropper in charge of our photonic source is effectively restricted to sending definite photon number states (i.e., Fock states) in each round of the protocol. In particular, we would like to rule out any sophisticated collective strategy in which Eve sends a complicated state entangled across all rounds of the protocol.
Intuitively, this should be the case because the randomness generation measurement in each round is a photon number difference and can be thought of as a coarse graining of an initial measurement that is diagonal in the Fock basis. Here, we show this by writing out the POVM directly, which makes the optimality of unentangled Fock-state inputs from Eve's perspective explicit.
For a single round, the entire process of mixing ρ_R with a vacuum ancilla |0⟩ ∈ H_V and then making Fock-state projections on both output ports can be seen as a POVM on H_R, the Hilbert space of ρ_R. Consider the probability of detecting n_A and n_B photons at detectors A and B. This is given by

P(n_A, n_B) = Tr[ρ M̂(n_A, n_B)],

where M̂(n_A, n_B) is the corresponding POVM element on the input-state Hilbert space (with the subscript R suppressed for brevity). This expression is just the evolution of the Fock-state projections back through the beam splitter BS₀, projected onto the vacuum ancilla; to obtain an explicit expression, it is simplest to work in the Heisenberg picture for the reverse beam splitter transformation.

CERTIFIED QUANTUM RANDOM NUMBERS FROM UNTRUSTED … PHYS. REV. X 10, 041048 (2020)

Acting on the left with ⟨0| on the ancilla mode leaves only the terms of total photon number N ≔ n_A + n_B in mode R, and hence

\hat{M}(n_A, n_B) = 2^{-N} \binom{N}{n_A} |N\rangle\langle N|.  (A5)

As expected, each POVM element is proportional to a single Fock-state projector of fixed photon number N, and the coefficient can be understood intuitively. Each of the N photons can be thought of as individually randomizing at the beam splitter: the probability of a specific sequence of paths taken by the photons is 2^{−N}, and the probability of observing the POVM element M̂(n_A, n_B) is therefore 2^{−N} times the number of paths for which n_A out of the N photons are recorded at detector A, which is \binom{N}{n_A}, as above. The sum measurement is just a coarse graining of this POVM, adding together all elements with n_A + n_B = N. The POVM elements of the sum measurement Z = {Ẑ(N)} are

\hat{Z}(N) = \sum_{n_A + n_B = N} \hat{M}(n_A, n_B).

Using the fact that \sum_{k=0}^{n} \binom{n}{k} = 2^n, we see that Ẑ(N) = |N⟩⟨N|_R; it is thus just a photon number projector, as expected.
The randomness generation measurement is another coarse graining. However, it turns out to have larger rank and consequently yields some randomness for all possible input states other than the vacuum. Define X = {X̂(x)} as the POVM elements of the randomness generation measurement corresponding to the outcomes n_A − n_B ≕ x. Summing the elements M̂(n_A, n_B) with fixed difference x, one finds, for all x (positive or negative),

\hat{X}(x) = \sum_{\substack{N \ge |x| \\ N \equiv |x| \bmod 2}} 2^{-N} \binom{N}{(N+x)/2} |N\rangle\langle N|.  (A9)
Note that for x even (odd), X̂(x) has support only over even (odd) number states. Clearly, if Eve inputs a vacuum state, then the difference outcome can be predicted with certainty to be x = 0. However, as pointed out in the main text, if Alice observes a value N for her sum measurement, then regardless of the original input she has performed a projection onto the state |N⟩ and can immediately calculate the guessing probability of the X measurement, p_guess = max_x ⟨N|X̂(x)|N⟩, from Eq. (A9), and hence the associated min-entropy. For perfect measurements, this would guarantee the min-entropy with certainty and in an SDI manner.

DAVID DRAHI et al.
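The guessing probability for a given sum outcome N can be checked numerically. A small sketch, assuming ideal photon counting (N is capped at 1000 here only to keep the exact integer arithmetic within floating-point range):

```python
from math import comb, log2

def p_guess(N):
    """Max over outcomes x of <N|X(x)|N> for an N-photon input: the most
    likely difference outcome (x = 0 for N even, x = +/-1 for N odd) has
    probability 2^-N * C(N, floor(N/2))."""
    return comb(N, N // 2) / 2**N

for N in (1, 10, 100, 1000):
    print(f"N = {N:4d}: p_guess = {p_guess(N):.3e}, "
          f"H_min = {-log2(p_guess(N)):.2f} bits")
```

For large N, Stirling's approximation gives p_guess ≈ √(2/(πN)), so the certified min-entropy per round grows as (1/2) log₂(πN/2).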

Now, consider the full setup shown in Fig. 1. We introduce the certification measurement in mode C, which is implemented by tapping off a fraction of the completely unknown incoming light in mode E with a beam splitter BS₁ of reflectivity r₁. The input state ρ_E is mixed with vacuum on BS₁; the reflected beam in mode C is measured at detector C, while the transmitted beam in mode R is input to the randomness generation measurement. For simplicity, we imagine that the outcome at detector C is always given to Eve as well. Writing the photon number projections as operators on the input Hilbert space H_E is the same calculation as Eq. (A5), except now with a beam splitter of reflectivity r₁ instead of 1/2. This gives

\hat{M}(n_C, n_R) = \binom{n_C + n_R}{n_C} r_1^{n_C} (1 - r_1)^{n_R} \, |n_C + n_R\rangle\langle n_C + n_R|,

and hence the certification measurement has elements

\hat{C}(n_C) = \sum_{n_R = 0}^{\infty} \hat{M}(n_C, n_R).  (A11)

Given this measurement, one cannot exactly determine the number of photons in mode R incident on the randomizing beam splitter BS₀, but one can lower bound the min-entropy of m such measurements except with some failure probability ϵ_fail,m. Specifically, we impose a test P at detector C which is passed if the measured photon number is greater than a lower threshold n_C^−. Upon passing the test P, we certify a lower bound n_R^− on the photon number in mode R impinging onto the randomness generation measurement. We formally state and prove this result below.
Theorem 3.—An optical setup consisting of (i) two trusted vacuum modes, (ii) two beam splitters of reflectivity r₀ = 1/2 and r₁, and (iii) three ideal photon counting detectors A, B, and C, utilized to perform a certification measurement modeled by Eq. (A11) with lower threshold n_C^− and a randomness generation measurement modeled by Eq. (A9), can be used as a certified (m, κ, ϵ_fail,m, ϵ_c)-randomness generation protocol as per Definition 1, without making any assumptions about the photonic source, with

κ = −m \log_2\!\left[ 2^{-n_R^-} \binom{n_R^-}{\lfloor n_R^-/2 \rfloor} \right] \approx \frac{m}{2} \log_2\!\left( \frac{\pi n_R^-}{2} \right),  (A12)

where ϵ_fail,m is evaluated at Eve's optimal input photon number n_opt, and where ϵ_c is computed using a coherent state |α⟩ as input.

Proof.—Security: The key feature here is that all measurements performed in the protocol are diagonal in the photon number basis. We first prove a lemma regarding such measurements.
Lemma 1.—For any measurement Q that is diagonal in the photon number (Fock) basis, Eve's optimal strategy to maximize the probability of a desired outcome q* is to input a pure Fock state |n*⟩ in each round. Moreover, this remains true for inputs with restricted support in the Fock basis.
Proof.—One way to see this is to consider a diagonalizing (dephasing) map in the Fock basis applied to the input of the ith round,

\hat{\mathcal{D}}(\rho) = \sum_{n} |n\rangle\langle n| \, \rho \, |n\rangle\langle n|.

This operation commutes with the Q measurement, and there is no operational way for Eve (or anyone else) to distinguish between measuring Q directly and measuring Q after first applying D̂. As such, we may imagine that D̂ is in fact always applied in each run of the protocol [50]. To begin with, since D̂ satisfies the definition of an entanglement-breaking map [51], we may safely conclude that Eve's optimal strategy does not include any entanglement, as there is no way for such entanglement to be noticeable. Moreover, considering any individual round of the protocol, we can write its purification with respect to a mode E′ held by Eve (potentially including all other rounds of the protocol) in the Schmidt form |Ψ_{E′E}⟩ = Σ_j λ_j |j⟩_{E′}|j⟩_E (with {|j⟩} not necessarily the Fock basis) and act with D̂ upon it. This yields

(\mathbb{1}_{E'} \otimes \hat{\mathcal{D}})\big(|\Psi_{E'E}\rangle\langle\Psi_{E'E}|\big) = \sum_{n} \hat{\sigma}^{E'}_{n} \otimes |n\rangle\langle n|_{E},

where σ̂_n^{E′} = Σ_{j,l} λ_l λ_j^* ⟨n|l⟩⟨j|n⟩ |l⟩⟨j|. This means that the most general state Eve can effectively prepare for the input mode E is of the form

\hat{\rho}_E = \sum_{n} p(n) \, |n\rangle\langle n|,

where p(n) = Σ_j |λ_j ⟨n|j⟩|². In other words, the input state for each run of the protocol is effectively just a mixture of Fock states (potentially classically correlated between rounds). Intuitively, one expects Eve's best strategy to be a state for which {|j⟩} is indeed the Fock basis and, moreover, for which p(n) is a Kronecker delta at some fixed n.
We can show this as follows. Let p*(n) be the distribution of the optimal input state that maximizes the probability of q*, and let {c_n(q*)} be the Fock-state coefficients of that POVM element as given in Eq. (A15). Then Eve's optimal probability is bounded by

\sum_{n} p^*(n) \, c_n(q^*) \le \max_{n} c_n(q^*) = c_{n^*}(q^*),

where we define n* as the value achieving the maximum. This optimal probability is saturated by choosing the input state |n*⟩; therefore, the optimal input state is indeed a pure Fock state.
Note that the result extends straightforwardly to the case where the input state is restricted to have support only over a finite range of number states [n_R^−, n_R^+]. Let p*(n) be a probability distribution over [n_R^−, n_R^+], let x* be the most likely POVM element of the difference measurement for that input, and let c_n be the Fock-state coefficients of that element as given in Eq. (A9). Then

\sum_{n = n_R^-}^{n_R^+} p^*(n) \, c_n(x^*) \le \max_{n \in [n_R^-, n_R^+]} c_n(x^*).

Therefore, the optimal input state is |n⟩ with n ∈ [n_R^−, n_R^+]. This result can be applied independently to each run of the protocol (by including the other rounds in the purification, Eve has already been granted the option of a sophisticated collective encoding); hence we conclude that Eve's optimal strategy for a string of outcomes over all m rounds is to choose a single Fock state for each round. ▪

Given Lemma 1, we now lower bound the min-entropy under the assumption that Eve's input state has support only over number states in the range [n_R^−, ∞). Eve's guess for the difference measurement will always be the outcome of the most likely element of the difference measurement defined in Eq. (A9). Thus, choosing x* to be the most probable outcome of the difference measurement (whatever that might be), we can immediately conclude that, for input states restricted to the range [n_R^−, ∞), Eve's optimal strategy to maximize the occurrence of x* (and hence her guessing probability) is to input a number state |n⟩ with n ≥ n_R^−. In fact, the smallest number state |n_R^−⟩ is optimal. We have

p_{\text{guess}} = \max_{n \ge n_R^-} \max_{x} \, 2^{-n} \binom{n}{\lfloor (n+x)/2 \rfloor} = \max_{n \ge n_R^-} 2^{-n} \binom{n}{\lfloor n/2 \rfloor} = 2^{-n_R^-} \binom{n_R^-}{\lfloor n_R^-/2 \rfloor},

where in the penultimate step we used the fact that \binom{n}{k} is maximal for k = ⌊n/2⌋ (i.e., x* = 0) and decreases monotonically for larger and smaller k, so that the smallest allowed x is optimal, and in the final step we used that 2^{-n} \binom{n}{\lfloor (n+x)/2 \rfloor} decreases monotonically in n.
To see this, first note that for n even, ⌊(n+1)/2⌋ = ⌊n/2⌋, while for n odd, ⌊(n+1)/2⌋ = ⌊n/2⌋ + 1; the ratio of successive terms is therefore less than one. Substituting this optimal guessing probability into the definition of the conditional min-entropy gives the expression in Eq. (A12), where applying Stirling's approximation C(2n, n) ~ 4^n/√(πn) as n → ∞ gives the second line. Next, we show that, provided the certification measurement outcome in each round lies above a threshold n_C^-, the input to the randomness generation measurement is ε_fail,m-indistinguishable from a state with support only over [n_R^-, ∞). The worst-case scenario is that whenever Eve can distinguish the real state from one with restricted support, she learns the full measurement record. We can thus interpret this distinguishing probability as a lower bound on the failure probability of the whole protocol.
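As a numerical sanity check, the per-round min-entropy implied by this guessing probability can be evaluated directly. The sketch below (plain Python; n = 10^5 is a representative photon number, not the paper's calibrated value) compares the exact central binomial term with the Stirling form quoted above.

```python
import math

def min_entropy_ideal(n):
    """Single-round min-entropy for an input Fock state |n> (n even) on an
    ideal difference measurement: -log2 of the peak probability 2^-n C(n, n/2)."""
    log2_comb = (math.lgamma(n + 1) - 2 * math.lgamma(n // 2 + 1)) / math.log(2)
    return n - log2_comb

def min_entropy_stirling(n):
    """Stirling approximation C(n, n/2) ~ 2^n sqrt(2/(pi n)),
    giving H_min ~ 0.5 * log2(pi n / 2)."""
    return 0.5 * math.log2(math.pi * n / 2)

n = 100_000  # illustrative; the experiment certifies n_R^- > 1e5
print(min_entropy_ideal(n), min_entropy_stirling(n))
```

For photon numbers of this order, the two expressions agree to well below a thousandth of a bit, justifying the use of the asymptotic form.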
Specifically, we are interested in the probability that the certification measurement takes a value which passes our test P while, simultaneously, fewer photons than desired reach the randomness generation measurement, representing a failure of the protocol. We therefore introduce a failure operator F̂ corresponding to there being n_R^- or fewer photons in mode R given n_C photons in mode C. The failure probability for Eve successfully cheating the test in a single round is then the expectation of F̂ on her input. It is straightforward to see (and we show it in Appendix D) that this probability is also explicitly the probability of passing the test multiplied by the distinguishing probability between the real input to the randomness measurement, ρ̂_R, and the closest state with support solely in the range [n_R^-, ∞), as one would expect in a composably secure framework. Since F̂ is once more diagonal in the photon-number basis, we can again apply Lemma 1 to conclude that Eve's optimal strategy is achieved by a single number state |n_E⟩. Substitution via Eq. (A23) then yields a sum over n_C whose lower limit comes from the fact that, for n_E > n_C^- + n_R^- − 1, the requirement of at least n_C^- photons at detector C is superseded by the requirement that there be fewer than n_R^- photons in mode R, which implies n_C > n_E − n_R^-. In fact, we show that Eve's optimal input is to send precisely n_E^opt photons. The summand is a generic binomial distribution, so the failure probability in Eq. (A25) can be seen as the complement of the binomial cumulative distribution function. For a fixed lower limit in the sum, the failure probability increases monotonically with n_E. However, once n_E > n_C^- + n_R^- − 1, the situation is more complicated because the limits of the sum change as well as the summand: instead of running from n_C^- to n_E, it runs from n_C^- + 1 to n_E + 1, as argued above.
We now show that the difference between successive terms of the sum is negative for all values of n_E larger than this threshold, so that the failure probability is monotonically decreasing in n_E and reaches its maximum at n_E^opt. Writing ε_fail for successive input Fock states and applying Pascal's identity, together with a standard summation identity involving the hypergeometric function 2F1, it can be shown after some algebra that the difference in Eq. (A27) reduces to an expression that is always negative for any n_C^-. Moreover, Eve adding extra photons always deletes the lowest term in the summation in Eq. (A25), so the failure probability decreases monotonically for all n_E ≥ n_C^- + n_R^- − 1. Thus, the optimal choice for Eve to maximize the failure probability is the single Fock state with photon number n_E^opt = n_C^- + n_R^- − 1. The final bound follows from Hoeffding's inequality, which states that for a binomial distribution B(r_1; n_E, k) with n_C^- ≥ n_E r_1, the upper tail obeys P(k ≥ n_C^-) ≤ exp[−2(n_C^- − n_E r_1)²/n_E]. Finally, the probability that any one of the m rounds fails is the complement of the probability that all of them pass, which is precisely the result stated in Eq. (A13), thereby completing the proof.
Completeness: Substituting the number-state expansion of a coherent state |α⟩ into Eq. (A23) and calculating the probability for the certification test to pass gives the desired result expressed in Eq. (A14). ▪

APPENDIX B: MODELING DETECTORS
Here, we remove the idealized assumptions of the previous section and present a detailed detector model.

Finite range of photodetectors
As a first idealization, we remove the assumption of infinite dynamic range for the photodiodes. In fact, the detectors respond linearly only between certain photon-number thresholds, namely n_min and n_max. In reality, as the detectors enter this nonlinear regime there is still quantum randomness in their outcome statistics, but we take the worst-case view and assume that all states with too large or too small a photon number are mapped with certainty to the end bins, thereby yielding no such randomness. Thus, instead of a sum over all photon-number states, we model photodetection with L := n_max − n_min + 1 measurement operators, with N̂(n) = |n⟩⟨n| for all n_min < n < n_max and the end bins collecting all photon numbers at or below n_min and at or above n_max. This can make a substantial difference to the output randomness: if Eve inputs a sufficiently small or large number of photons, she can be sure that the lowest or highest outcome occurs on both detectors A and B, leading to a difference outcome of 0 with certainty. This can be seen directly by calculating the difference-measurement POVM elements for finite-range photodetectors as operators on Eve's input Hilbert space, as before. For states with an appropriate photon-number support, a difference measurement made using finite-range photodetectors is virtually indistinguishable from the ideal difference measurement in Eq. (A9). Specifically, if a number state |n⟩ is input to a difference measurement whose two detectors A and B have linearity ranges [n_min, n_max] with n_min ≪ n/2 ≪ n_max, then the probability that either detector registers a photon number outside its linear range is given by the tails of a binomial distribution. It can then be checked whether this probability is smaller than the other failure probabilities in the protocol (typical realistic values render it far smaller, e.g., 10^−30000).
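The size of these binomial tails is easy to estimate numerically. The following sketch (with illustrative photon numbers, far smaller than the experimental ones) computes the probability that a 50:50 split of n photons drives a detector outside an assumed linear range [n_min, n_max].

```python
from math import comb

def out_of_range_prob(n, n_min, n_max):
    """Probability that a 50:50 beam-splitter division of n photons sends a
    count strictly below n_min or strictly above n_max to one detector
    (the two tails of a Binomial(n, 1/2) distribution)."""
    total = 2 ** n
    low = sum(comb(n, k) for k in range(0, n_min))           # k < n_min
    high = sum(comb(n, k) for k in range(n_max + 1, n + 1))  # k > n_max
    return (low + high) / total

# toy scale: 1000 photons, linear range [300, 700]
print(out_of_range_prob(1000, 300, 700))
```

Already at this toy scale the tail probability is below 10^−30; at the experimental photon numbers (~10^5 per pulse) it is utterly negligible compared with the certified failure probabilities.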
Alternatively, one can directly verify the linear response range [n_min^D, n_max^D] of a difference measurement empirically by inputting a known photonic laser source and observing that the difference variance indeed grows linearly as the laser's optical power is increased.
This finite range of the photodetection also applies to the certification measurement in mode C, made using a finite-range detector with linear range [n_min^C, n_max^C] and L_C = n_max^C − n_min^C + 1 possible outcomes. We have N̂_C,fin(n_C) = N̂_C(n_C) for all n_min^C < n_C < n_max^C, where N̂_C(n_C) is given in Eq. (A11).
Finally, we can also write the failure operator associated with this certification measurement. It is similar to the ideal case in Eq. (A23) except for the end bins. The protocol fails when the test is passed and either too many (more than n_R^+) or too few (fewer than n_R^-) photons are incident on the difference measurement. Parenthetically, we note that finite-range considerations expose a problem with the proposed solution to saturation attacks found in Ref. [41] in the context of continuous-variable QKD. There, the idea is to tap off a small amount of the incoming light and measure it via dual-homodyne (heterodyne) detection, aborting the protocol if a sufficiently large heterodyne outcome is observed. While this solves the problem in the limit of perfect, infinite-range detectors, for realistic finite-range detectors the procedure is itself vulnerable to a saturation attack. To see this, consider an individual homodyne detection of one of the two field quadratures: the incoming signal is mixed with a local oscillator and the difference between the two detectors' signals is taken. A sufficiently bright input signal, however, saturates each individual detector at its maximum value, so the difference measurement returns a (typically small) constant value. Thus, in contrast to our certification measurement based on a single detector, there is no guarantee that a bright input produces a large measurement outcome, and applying a threshold check to a heterodyne detection offers no protection against high-energy attacks. This again highlights the importance of rigorously modeling the trusted devices in a cryptographic setup, as even small imperfections can completely alter the security of a protocol.

Voltage response and temporal behavior
The next step in our modeling is to account for the fact that the detector response is not completely flat over the time window that makes up one round of the protocol; instead, the voltage response decays exponentially in time. However, using careful spectral filtering, one can enforce an effectively flat temporal distribution for incoming photons. Under this condition, we show that the voltage response can be modeled with a single average conversion factor ᾱ.
In general, the response of a photodiode can be regarded as analogous to an RC circuit in which the voltage at time T is a convolution of the photocurrent I(T − τ) with an exponential decay. One cannot take this continuous-time expression too literally, however, since a genuinely continuous time dependence would correspond to a detector with infinite temporal resolution. Instead, we model a voltage detector as having K finite time intervals δ_t = T/K over which the response is flat (i.e., the detector cannot resolve temporal differences smaller than δ_t). The entire detection over the window T can then be regarded as postprocessing of the K outcomes arising from the individual detection intervals, yielding a POVM with elements labeled by n = [n_1, n_2, …, n_K]. The voltage response to a photon arriving in the kth interval is given by a conversion factor α_k proportional to a constant β. The voltage POVM is thus expressed as V̂(v) = Σ_n c_{n,k}(v) M̂(n) (B9), with c_{n,k}(v) = δ(v − n·α_T), where α_T = [α_1, …, α_K]^T and the sum runs over all L^K possible values of n. In principle, this temporal detector response could open loopholes for Eve to exploit. For example, if she were able to generate extremely short pulses, Eve could saturate individual detectors whose response would then be heavily damped in time [due to the exponential term in Eq. (B8)], resulting in a certification voltage that appears acceptable even though no randomness is present. These temporal attacks can, however, be circumvented via an appropriate choice of spectral filtering in the detection process. For transform-limited pulses, a sufficiently narrow spectral filter enforces an effectively flat temporal distribution for the detected photons. Since the source in our experiment is extremely narrow band (a cw laser), we can afford a correspondingly narrow filter without altering the detection rates in our actual implementation.
Note that a pulsed system which cannot afford to be similarly filtered without reducing the resulting count rates would require a careful analysis of the effects of Eve's temporal modulation of the source on the output statistics. This highlights the importance of considering all relevant physical degrees of freedom in certified randomness generation.
Considering our implementation, the voltage response of a detector to a photon arrival is given by a time-averaged conversion factor ᾱ, where h is Planck's constant, c is the speed of light, BW is the detector's bandwidth, η is its responsivity (in A W^−1) at the wavelength λ considered, and G is the transimpedance gain.
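As a rough numerical illustration only: the snippet below evaluates a conversion factor using ᾱ = G η BW hc/λ, which is a reconstruction consistent with the units of the quantities listed above, not the paper's verbatim equation, and every parameter value here is invented for illustration.

```python
# ASSUMED formula and parameter values -- for unit-checking only,
# not the paper's calibrated numbers.
h = 6.62607015e-34   # Planck constant, J s
c = 2.99792458e8     # speed of light, m/s
lam = 1550e-9        # wavelength, m (assumed telecom band)
eta = 1.0            # responsivity, A/W (assumed)
G = 1e4              # transimpedance gain, V/A (assumed)
BW = 1.55e9          # detector bandwidth, Hz (assumed)

# volts of output per absorbed photon, under the assumed formula
alpha = G * eta * BW * h * c / lam
print(f"{alpha:.3e} V per photon")
```

The point of the exercise is dimensional: (hc/λ)·BW carries watts, η converts to amperes, and G converts to volts, so ᾱ indeed has units of volts per photon.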

Electronic noise
So far, all measurements have been described without detector noise. As outlined in the main text, our detector noise λ is well modeled as Gaussian with variance σ². We want to write down the POVM describing a noisy voltage measurement, parametrized by its outcome; since the noisy measurement is still phase insensitive, the POVM elements can be written diagonally in the Fock basis. Consider the randomness generation measurement. Since the detector noise terms are taken to be independent of one another, we can equivalently combine them into a single overall noise variable λ_D with variance σ_D² = σ_A² + σ_B² (this joint variable is what was determined in practice during device calibration) that acts to smear out the ideal difference measurement [52], yielding operators V̂_D^{σ_D}(v_D) built from X̂_fin(x) of Eq. (B2), which is effectively Eq. (A9) for the photon ranges we certify. In addition, the certification measurement's POVM accounts analogously for Gaussian noise of variance σ_C². Finally, the failure operator associated with the certification measurement with Gaussian electronic noise involves α_C, the voltage conversion factor of photodetector C, and σ_C, the standard deviation of its electronic noise.
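The smearing of the discrete difference distribution by Gaussian electronic noise amounts to a simple convolution. The sketch below assumes the ideal difference distribution 2^−n C(n, (n+x)/2) and illustrative values of α_D and σ_D.

```python
import math

def diff_distribution(n):
    """Ideal difference-outcome distribution for an input Fock state |n>:
    p(x) = 2^-n C(n, (n+x)/2), nonzero only when x shares the parity of n
    [cf. Eq. (A9)]."""
    return {x: math.comb(n, (n + x) // 2) / 2 ** n
            for x in range(-n, n + 1) if (n + x) % 2 == 0}

def noisy_voltage_pdf(v, n, alpha_d, sigma_d):
    """Probability density of the recorded voltage: each outcome x sits at
    voltage alpha_d * x and is convolved with electronic noise N(0, sigma_d^2)."""
    norm = 1.0 / (sigma_d * math.sqrt(2 * math.pi))
    return sum(p * norm * math.exp(-(v - alpha_d * x) ** 2 / (2 * sigma_d ** 2))
               for x, p in diff_distribution(n).items())

# toy scale: 20 photons, unit conversion factor, noise sigma of 2 "photons"
print(noisy_voltage_pdf(0.0, 20, 1.0, 2.0))
```

At the experimental photon numbers this Gaussian smearing is what turns the discrete binomial comb into the smooth voltage histogram observed at the detector output.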
For the security analysis later, we will often be interested in the measurement operators from the perspective of Eve, who always knows the relevant value of λ. This leads to a conditional voltage POVM, together with a difference measurement, a certification measurement, and a failure operator for the certification voltage measurement, each conditioned on λ.

Finite resolution and range of analog-to-digital converter
In the previous section, we modeled the detectors as having a finite range but as otherwise perfectly photon-number resolving, convolved with a classical noise variable subsequently given to the eavesdropper. In fact, the randomness generation measurement has a finite resolution, which corresponds to an extra coarse graining. Specifically, the analog-to-digital converter (ADC) that processes the voltage signal can only record a set range of voltages [V_min, V_max], with all voltages above or below this range registered in one of the end bins. Furthermore, within the range [V_min, V_max], voltages are recorded only with finite resolution. Therefore, while an ideal voltage measurement would have unbounded, continuous outcomes, a real detector combined with an ADC of Δ_ADC bits of resolution outputs J = 2^Δ_ADC outcomes, with POVM elements {V̂^{σ,Δ_ADC}(j)}_j for the jth measured bin obtained by integrating over the corresponding voltage interval, where δV = (V_max − V_min)/2^Δ_ADC is the effective voltage resolution induced by Δ_ADC. Note that ⌊·⌋ and ⌈·⌉ are the floor and ceiling functions, respectively. As a result, the coarse-grained noisy difference-measurement operators are {V̂_D^{σ_D,Δ_ADC}(j)}_j, with a corresponding version from Eve's perspective (i.e., given the relevant λ). The certification voltage is recorded by an ADC with the same bit resolution; it is therefore still a J-outcome measurement, but over an ADC range [V_min^C, V_max^C] with a corresponding voltage resolution δV_C = (V_max^C − V_min^C)/2^Δ_ADC, leading to intervals I_i^C defined as per Eq. (B21) and coarse-grained certification measurement elements. Moreover, there is an associated failure operator and, for a fixed value of the noise variable λ_C, a corresponding failure operator from Eve's perspective. In general, one must be mindful of the interplay between the conversion from photon number to voltage and the final voltage resolution. Indeed, if the signal were to experience strong attenuation (very small α), the voltage distribution would become small with respect to the fixed voltage resolution and the entropy would decrease. In our implementation, we carefully kept track of this coarse graining, thereby avoiding such issues.
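The ADC coarse graining described above amounts to a simple binning rule. A minimal sketch (12-bit depth as in the experiment; the voltage range is illustrative):

```python
def adc_bin(v, v_min, v_max, bits):
    """Map an analog voltage to one of J = 2**bits ADC bins.
    Voltages outside [v_min, v_max] land in the two end bins,
    mirroring the finite-range POVM end bins in the text."""
    J = 2 ** bits
    dV = (v_max - v_min) / J  # effective resolution deltaV
    if v < v_min:
        return 0
    if v >= v_max:
        return J - 1
    return int((v - v_min) // dV)

# 12-bit ADC over an assumed +/- 1 V range: 4096 bins of ~0.49 mV
print(adc_bin(0.0, -1.0, 1.0, 12))
```

A mid-range voltage lands in the central bin, while any saturating input is forced to bin 0 or bin J − 1, which is exactly why the end bins contribute no certified randomness.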
Before proceeding further, we show in Fig. 6 a schematic drawing summarizing our detector model. The POVMs present in the figure are those specified in this Appendix.

APPENDIX C: PROOF OF THE MAIN THEOREM
In this Appendix, we provide the full security proof for the more realistic QRNG protocol carried out in the experiment. As for the idealized protocol, the proof proceeds in two steps. First, we calculate the worst-case min-entropy for a certain class of states, namely those with limited support over Fock states. Second, we calculate the failure probability of the protocol, which is the maximum probability that a state not in that class could have passed the certification test. We restate Theorem 1 of the main text and proceed with our proof.
Theorem 4. An optical setup consisting of (i) two trusted vacuum modes, (ii) two beam splitters of reflectivity r_0 = 1/2 and r_1, (iii) two noisy photodetectors used to make a difference measurement as described in Eq. (B22), and (iv) a third noisy photodetector used to make a certification measurement as described in Eq. (B25), which passes the test P if the outcome i falls in a chosen range [i^-, i^+], can be used as a certified (m, κ, ε_fail,m, ε_c)-randomness generation protocol as per Definition 1 without making any assumptions about the photonic source, where n_E^opt = n_C^- + n_R^- − 1, n_R^+ is set to the saturating photon number of the difference measurement, and λ̄ is a bound on λ_C, the noise variable of the certification measurement's detector, such that |λ_C| < λ̄ except with probability ε_{λ_C}. Moreover, completeness holds using a coherent state |α⟩ as input.
Proof. Security: Consider the task of guessing the difference measurement from the perspective of Eve, who knows λ_D on a shot-by-shot basis, as given by Eq. (B23). First, this measurement satisfies the conditions of Lemma 1, so Eve's optimal state is a number state. Her strategy is to add λ_D to the most likely value of the noiseless difference measurement which, as shown in Appendix A, is 0 or 1 depending on whether Eve inputs an even or odd number of photons. Therefore, Eve's best guess is the voltage bin I_j^D with j = ⌊λ_D/δV⌉ or j = ⌊(1 + λ_D)/δV⌉, where ⌊·⌉ is the nearest-integer rounding function. The guessing probability is given by the sum of the probabilities of the outcomes X̂(x) for which Eve's guess remains correct. For states restricted to the range [n_R^-, n_R^+], the sum includes only even (odd) values of x when n is even (odd). From these expressions, the interplay between the voltage conversion factor α_D and the voltage resolution δV becomes clear: the number of difference-measurement elements mapped to a given voltage bin is ⌈δV/α_D⌉, so as α_D becomes smaller this number grows and Eve's guessing probability increases. Since we only consider number states within the linear regime of the difference measurement (i.e., n_R^+ = n_max), we can safely assert that ⟨n|X̂(x)|n⟩ = 2^−n C(n, ⌊(n+x)/2⌋) is a binomial distribution. Thus, the largest guessing probability for a given n occurs when λ_D is such that the ⌈δV/α_D⌉ bins are centered evenly around the origin, i.e., the middle of the binomial distribution. Moreover, we know from Appendix A that the guessing probability decreases monotonically with the photon number. This yields exactly Eq. (C1).
While this expression can be directly evaluated numerically, for large n_R^- (recall that here n_R^- > 10^5) one can use the Gaussian distribution as an excellent approximation to the binomial and evaluate the sum as an integral, obtaining a compact closed-form expression. The failure probability of the protocol is given by the probability of passing the test even though a state with too few, or too many, photons is incident on the difference measurement in mode R. Expressing the probability of Eve successfully cheating in a single round, we use in the last step the fact that V̂_F satisfies the conditions of Lemma 1, implying that Eve's optimal input state is a number state.
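The agreement between the exact binomial sum and its Gaussian approximation is easy to verify numerically. Below, `bins` stands in for ⌈δV/α_D⌉, and the chosen values are illustrative rather than the calibrated ones.

```python
import math

def guess_prob_exact(n, bins):
    """Sum the `bins` central terms of 2^-n C(n, k) around k = n/2, i.e. the
    most likely difference outcomes collapsed into Eve's best voltage bin
    (bins plays the role of ceil(deltaV / alpha_D))."""
    start = n // 2 - bins // 2
    return sum(math.exp(math.lgamma(n + 1) - math.lgamma(k + 1)
                        - math.lgamma(n - k + 1) - n * math.log(2))
               for k in range(start, start + bins))

def guess_prob_gauss(n, bins):
    """Gaussian approximation: k ~ N(n/2, n/4), so the central `bins`
    outcomes carry total weight erf(bins / sqrt(2 n))."""
    return math.erf(bins / math.sqrt(2 * n))

n = 100_000  # representative of n_R^- > 1e5
print(guess_prob_exact(n, 10), guess_prob_gauss(n, 10))
```

At these photon numbers the two values agree to several significant figures, which is why the integral form can safely replace the discrete sum in the entropy bound.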
To begin with, let us consider this probability given a particular value of λ_C, the detector's noise variable. From Eve's perspective, the electronic noise λ_C is then effectively removed, as expressed in Eq. (B27), and we have n_C^- = min{n_C : α_C n_C + λ_C ∈ I^C_{[i^-, i^+]}} and n_C^+ = max{n_C : α_C n_C + λ_C ∈ I^C_{[i^-, i^+]}}, with I^C_{[i^-, i^+]} being the entire voltage range for which the test P is passed.
Let v_i^± = δV(i ± 1/2) be the smallest and largest voltages corresponding to bin i; the minimum (maximum) voltage consistent with passing the test, and the corresponding minimum and maximum photon numbers, then follow. We can use our knowledge of the detector's noise distribution to turn these into worst-case upper and lower bounds on n_C^+ and n_C^-, respectively: recalling that λ_C is Gaussian with variance σ_C², we have |λ_C| < λ̄ except with probability ε_{λ_C}. Next, the varying limits in the sums of Eq. (C12) can be explained as follows. For the first sum, an unconditional lower limit is given by n_C^-. However, for sufficiently large inputs n_E, this requirement is superseded by the constraint n_R < n_R^-, which in turn necessitates n_C ≥ n_E − (n_R^- − 1). The upper limit simply comes from the fact that if n_E < n_C^+, the binomial distribution can only run up to n_E. For the second sum, we have the unconditional constraint n_R > n_R^+; again, for sufficiently large n_E, the requirement n_C ≤ n_C^+ implies that we must have n_R > n_E − (n_C^+ + 1). Notice that, depending on the bounds for n_C^+ and n_C^-, there are certain values of n_E for which the first or second sum may vanish. This turns out to be the case here (i.e., for our parameter values, only one of the sums is nonzero at a time).
The first sum in Eq. (C12) vanishes whenever its limits become incompatible. In summary, as long as the condition in Eq. (C16) holds, there are no values of n_E for which both sums are simultaneously nonzero. In our case, this condition evaluates to |λ̄| ≤ 1.155 (C17). We will always make a much tighter probabilistic bound on λ̄, so that Eq. (C16) is satisfied at all times. Substitution into Eq. (C14) shows that this is true except with probability 10^−3769921, far below the other failure probabilities that we certify.
Except with probability ε_{λ_C}, we can then write the single-round failure probability as in Eq. (C18). The probabilities there can be bounded as follows. Considering, for example, ε^-, the resulting expression is precisely of the form of Eq. (A25), for which we already know Eve's optimal input photon number. Similarly, the expression for ε^+ is again the cumulative tail of a binomial distribution, so by the argument above Eve must again choose a single optimal Fock state. Recall that we can interpret ε'_fail as the worst-case scenario, i.e., the maximum over the probabilities of there being either too few photons (causing overestimation of the min-entropy) or too many (leading to detector saturation), given a fixed value of λ_C. Finally, the total failure probability is exactly that of Eq. (C4), thereby completing the security argument. Completeness: Lastly, the argument for completeness is the same as that in Appendix A. ▪
The summations in Eq. (C18) are typically difficult to evaluate in practice. Therefore, we apply Hoeffding's bound to the binomial cumulative distribution to bound the failure probabilities. This yields a bound on ε^-, provided there exists an n_R^- satisfying the corresponding Hoeffding condition, and a bound on ε^+, provided there exists n_R^+ > [(1 − r_1)/r_1][(v^+_{i^+} − λ̄)/α_C].
Thus, provided the Hoeffding conditions above are satisfied, the total failure probability for one round of the protocol is given by combining the bounds above.
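The Hoeffding bound invoked here is straightforward to evaluate. The sketch below uses invented values of n_E, r_1, and n_C^- purely for illustration.

```python
import math

def hoeffding_tail(n, p, k):
    """Hoeffding upper bound on P(X >= k) for X ~ Binomial(n, p),
    valid for k >= n*p: exp(-2 (k - n p)^2 / n)."""
    assert k >= n * p
    return math.exp(-2 * (k - n * p) ** 2 / n)

# illustrative numbers (not the paper's calibrated values): Eve sends n_E
# photons through a beam splitter of reflectivity r1 and must place at
# least n_C_minus of them on the certification detector to pass the test.
n_E, r1, n_C_minus = 2_000_000, 0.5, 1_010_000
print(hoeffding_tail(n_E, r1, n_C_minus))
```

Even a 1% excess over the expected count is suppressed to below 10^−43 at these photon numbers, which is why the bound comfortably reaches the tiny composable security parameters quoted in the paper.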

APPENDIX D: MATHEMATICAL DETAILS
Composable security for a protocol is frequently defined in terms of the probability p_pass of passing some test and the distinguishability between the output of a real implementation conditioned on passing that test, ρ̂_pass, and an ideal output of the protocol, ρ̂_ideal. Since quantum state distinguishability is precisely captured by the trace distance D(ρ̂, σ̂) = ½||ρ̂ − σ̂||_1, the security parameter of such a definition is typically written as ε_fail := p_pass D(ρ̂_pass, ρ̂_ideal). Above, we showed that the security parameter for this protocol is expressed in terms of the failure operators F̂(n_C; n_R^-, n_R^+) defined in Eq. (B5).
This can be interpreted as the joint probability that the test is passed in mode C while a photon number outside the range [n_R^-, n_R^+] is measured on ρ̂_R^pass (the conditional state in mode R). For completeness, we show here that ε_fail can equivalently be seen as the probability of passing the test multiplied by the distinguishability between ρ̂_R^pass and any state with support solely in the range [n_R^-, n_R^+]. Recall that, without loss of generality, we can take Eve's input state ρ̂_E to be diagonal in the Fock basis. In this case, ρ̂_R^pass is also diagonal in the Fock basis, as is the closest state with support in [n_R^-, n_R^+], which we denote σ̂_{[n_R^-, n_R^+]}. For such diagonal states, the trace distance simplifies, and it is straightforward to show that D(ρ̂_R^pass, σ̂_{[n_R^-, n_R^+]}) is just the probability of projecting ρ̂_R^pass onto a Fock state lying outside [n_R^-, n_R^+]. However, this probability is precisely the joint probability of observing too few or too many photons in mode R while passing the test, renormalized by the probability of passing the test. The joint probability is exactly what is given by the failure operators in Eq. (B5) acting on Eve's input. Comparing Eq. (D3) with Eq. (D1), we find that our failure probability can indeed be interpreted as the product of p_pass and the distinguishing probability between the conditional output state and an ideal state (i.e., one with support solely in the desired photon-number range), as claimed in Appendix A.
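The equivalence between the trace distance of diagonal states and the out-of-range probability can be checked on a toy example (hypothetical five-level distributions, not experimental data):

```python
def trace_distance_diag(p, q):
    """Trace distance between two states diagonal in the same basis reduces
    to the total variation distance: (1/2) * sum_n |p_n - q_n|."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(n, 0.0) - q.get(n, 0.0)) for n in keys)

# toy conditional state with 3% weight outside an allowed range [2, 5]
rho_pass = {1: 0.03, 2: 0.47, 3: 0.30, 4: 0.15, 5: 0.05}
# closest state supported only on [2, 5]: the outside weight is moved inside
sigma = {2: 0.50, 3: 0.30, 4: 0.15, 5: 0.05}
print(trace_distance_diag(rho_pass, sigma))  # equals the out-of-range weight
```

The distance evaluates to exactly the 3% of weight lying outside the allowed range, mirroring Eq. (D2): for diagonal states, distinguishability from the nearest in-range state is precisely the out-of-range projection probability.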

APPENDIX E: SOURCE-DEVICE-INDEPENDENT QUANTUM RANDOM NUMBER EXPANSION
The certified SDI QRNG protocol either aborts or, except with some failure probability ε_fail,m, produces an output X with min-entropy H_min(X|E) ≥ κ > 0 with respect to any third party, even one with complete control over the photonic source and access to all other environmental modes. Equivalently, ε_fail,m is the joint probability of simultaneously passing the certification test P and producing an output with less than the specified amount of min-entropy. However, the final goal of a randomness expansion protocol is to use an initial random seed to generate a much longer bit string that is "ε close" (in a well-chosen metric) to perfectly uniformly distributed and unpredictable with respect to any third party. This can be achieved via randomness extraction (also sometimes called privacy amplification), a judiciously chosen postprocessing of the measurements. We would also like to be confident that a realistic implementation of the protocol will succeed with high probability. Without loss of generality, the output state S of this postprocessing can be written as a classical-quantum state ρ̂_SE, for which we have the following definition. Definition 3. A protocol that outputs a state of the form in Eq. (E2) is (i) ε_s secure (or sound) if p_pass D(ρ̂_SE, τ̂_S ⊗ ρ̂_E) ≤ ε_s, where p_pass is the probability that the certification test P is passed, D(ρ̂, σ̂) := ½||ρ̂ − σ̂||_1 is the trace distance, and τ̂_S is the uniform (i.e., maximally mixed) state over S; this means that no device or procedure can distinguish the actual protocol from an ideal protocol with probability higher than ε_s; and (ii) ε_c complete (or robust) if there exists an honest implementation such that 1 − p_pass ≤ ε_c. The properties of the trace norm ensure that randomness satisfying Definition 3 is composable, which is critical for cryptographic applications [43].
Particular care must be taken against quantum adversaries: one must choose an extractor with provable security in the presence of quantum side information. In general, quantum-secure randomness extraction can be seen as a function Ext: {0,1}^h × {0,1}^d → {0,1}^l that processes a block of size h = mb (the m b-bit measurement outcomes) together with a random d-bit seed to produce an l-bit output that is ε_l close to perfectly random.
A very attractive choice is two-universal hashing [53] (or leftover hashing), which is secure against quantum adversaries [39,44] and can be implemented efficiently, achieving an excellent trade-off between ε and l. It should be noted that this extractor still requires a perfectly random seed of length d, so any protocol using leftover hashing can technically only be regarded as a randomness expansion protocol [54,55]. While the seed length must be chosen proportional to m, the seed only has to be generated once and can be safely reused to hash arbitrarily many blocks, meaning that the initial random seed can be used to generate an unbounded amount of randomness. This also means that the seed can be hard coded into the hashing device (for further discussion and an explicit implementation, see Ref. [42]). Other quantum-secure methods, such as Trevisan's extractor, are more efficient in the required seed length. However, they are computationally more expensive and cannot currently be performed at the speeds at which our protocol generates raw randomness. Thus, to achieve bit-generation rates matching the randomness generation rates reported here, randomness extraction via leftover hashing appears necessary.
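A direct (unoptimized) sketch of Toeplitz hashing over GF(2), at toy sizes rather than the experiment's h = 9600 and l = 4155:

```python
def toeplitz_hash(raw_bits, seed_bits, out_len):
    """Two-universal Toeplitz hashing sketch: y = T x over GF(2), where the
    out_len x h Toeplitz matrix T has entries T[i][j] = seed_bits[i - j + h - 1],
    so T is fully specified by h + out_len - 1 seed bits."""
    h = len(raw_bits)
    assert len(seed_bits) == h + out_len - 1
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(h):
            acc ^= seed_bits[i - j + h - 1] & raw_bits[j]
        out.append(acc)
    return out

# toy example: hash 8 raw bits down to 4 using an 11-bit seed
raw = [1, 0, 1, 1, 0, 0, 1, 0]
seed = [1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0]  # 8 + 4 - 1 = 11 bits
print(toeplitz_hash(raw, seed, 4))
```

Because the map is linear over GF(2), hashes of XORed inputs equal the XOR of the individual hashes, a property the FPGA implementation exploits when combining partial products.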
We now have the tools to write down the following result for certified randomness expansion. Although this is essentially a repeat of standard techniques (see, e.g., Refs. [42,44]) adapted to our specific setup, we state it as a stand-alone theorem for completeness.
Theorem 5. A certified SDI (m, κ, ε_fail,m, ε_c)-randomness generation protocol as defined in Definition 1 can be processed with a random seed via leftover hashing to produce a certified SDI random string whose length is given in Eq. (E4), which is ε_c complete and ε_l secure, where ε_l = ε_hash + ε_fail,m.
Proof. Security: Let X be the variable describing the measurement outcomes. Recall that the output of the randomness generation protocol after the measurement, including the potential side information, can be written as a classical-quantum state ρ̂_XE = Σ_x p_x |x⟩⟨x| ⊗ ρ̂_E^x, where the sum runs over the alphabet of possible measurement outcomes and ρ̂_E^x is the state of the eavesdropper given the outcome x. A randomly chosen leftover hashing function is then applied to distill a final random string denoted by the variable S, yielding a joint state on S and E. We then apply the leftover hash lemma with quantum side information [44] together with its extension to infinite-dimensional Hilbert spaces [49,56], which is necessary for our purposes.
Lemma 2. Let ρ̂_XE be a state of the form in Eq. (E5), where X is defined over a discrete, finite alphabet and E is a finite- or infinite-dimensional system. If one applies a hashing function drawn at random from a family of two-universal hash functions that maps X to a string S of length l, then the distance of S from uniform is bounded in terms of H_min(X|E), the conditional smooth min-entropy (with smoothing parameter ε = 0) of the raw measurement data given Eve's quantum system. Comparing the security definitions in Eqs. (E3) and (E7), we note that with an appropriate choice of l we can ensure that the security condition is met; in particular, the smooth min-entropy is a lower bound on the extractable key length. To get a more exact expression, first notice that if we choose l as in Eq. (E8) for some ε_hash > 0, then the right-hand side of Eq. (E7) becomes ε_hash/p_pass. Then, provided we have definitively bounded the smooth min-entropy, we satisfy Eq. (E3) for any ε_hash > 0. Finally, since log_2(p_pass) < 0, the stated key length suffices. Now, suppose that we are only able to bound the joint probability of passing the test while outputting a small smooth min-entropy H_min(X|E) < κ with a certain probability ε_fail,m, as is the case here. Then the convexity and boundedness of the trace distance imply that this string of length l is ε_l secure for any security parameter, provided the length is chosen as per Eq. (E4).
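For orientation only, here is a sketch of the resulting key-length rule, assuming the common leftover-hashing form l = κ − 2 log₂(1/ε_hash); the paper's exact expression is its Eq. (E4), and the inputs below are invented.

```python
import math

def secure_length(kappa, eps_hash):
    """ASSUMED leftover-hashing key-length rule, l = kappa - 2*log2(1/eps_hash):
    trading a factor 2*log2(1/eps_hash) of certified min-entropy for the
    hashing security parameter. Illustrative only."""
    return math.floor(kappa - 2 * math.log2(1 / eps_hash))

# e.g. 1000 bits of certified min-entropy, hashing parameter 1e-10
print(secure_length(1000, 1e-10))
```

The qualitative point is robust: the penalty for hashing is only logarithmic in 1/ε_hash, so even a security parameter of 10^−10 costs only a few tens of bits per block.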
Completeness: This follows immediately from the completeness of the certified randomness generation protocol. ▪

APPENDIX F: EXPERIMENTAL DETAILS FOR THE REAL-TIME EXTRACTION OF CERTIFIED QUANTUM RANDOM NUMBERS
In order to generate certified random numbers in real time, the postprocessing was implemented with a high-performance FPGA (Zynq UltraScale+ ZU9EG) installed on the commercially available printed circuit board Zynq UltraScale+ MPSoC ZCU102 evaluation kit, as shown in Fig. 7. For data acquisition, a 12-bit ADC (Analog Devices AD9625) is used, installed on a separate PCB connected to the FPGA via an FPGA mezzanine card, as can be seen in the inset of Fig. 7. The evaluation kit provides several modules for data transmission, including the cage for small form-factor pluggable modules and a universal serial bus (USB) 3.0 port. The double data rate 4th generation random access memory (DDR4 RAM) module required for data testing is also included.
The process described by Fig. 7 is summarized as follows. The data from the ADC are deserialized with 8 multigigabit transceivers (8 × MGT) and reach the resampling core of the FPGA, where they are resampled to a lower frequency of 1.55 GS/s since the ADC's sampling rate is larger than the experiment's data generation rate (imposed by the balanced detector's bandwidth). Then, the data arrive at a multiplexing unit (gray parallelogram) followed by the central Toeplitz hashing module. Toeplitz hashing is realized via the concurrent pipeline algorithm (detailed in Ref. [45]) with a clock rate of R_hash = 193.75 MHz. Here, a 9600 × 4155 random Toeplitz matrix initially saved in the FPGA's memory is utilized. Indeed, it is proven in Appendix A of Ref. [42] that one need not renew the random input seed used to construct the Toeplitz matrix. Furthermore, for optimization purposes, the initial large Toeplitz matrix is evenly decomposed into a series of submatrices which are multiplied sequentially with the raw input data. These submatrices have sizes of 96 × 4155, where k = 96 bits is carefully chosen to be a multiple of the ADC's bit depth b = 12 bits and a divisor of the hashing block size h = 9600 bits. Note that the submatrix's number of rows also corresponds to the precise number of bits injected into the FPGA board per time step of the hashing algorithm; i.e., k = (12 × 1.55 × 10⁹)/(193.75 × 10⁶) = 96. As a result, substrings of 96 bits from the raw data are extracted at each time step and multiplied with a corresponding random 96 × 4155 Toeplitz submatrix, thereby obtaining a single substring of l = 4155 bits per clock period. The XOR (exclusive or) logical operation required between pairs of such subsequent 4155-bit strings is performed concurrently with the multiplication steps.
The multiplication of the entire large Toeplitz matrix with the raw random string of 9600 bits is thus performed over 9600/96 = 100 time steps, leading to an overall extraction of 4155 bits for every such procedure, labeled as a single extraction period. Finally, while the following extraction period commences, the previously obtained block of hashed data is prepared for the final output.
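The submatrix decomposition above can be checked in software. The following Python sketch (toy dimensions standing in for the FPGA's n = 9600, l = 4155, k = 96; variable names are ours) verifies that accumulating k-bit partial products with XOR reproduces the full Toeplitz matrix-vector product over GF(2):

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy dimensions standing in for the FPGA's n = 9600, l = 4155, k = 96
n, l, k = 24, 10, 4

# A Toeplitz matrix is fixed by its first row and first column, i.e., by a
# random seed of n + l - 1 bits: T[i, j] = seed[i - j + l - 1]
seed = rng.integers(0, 2, n + l - 1)
T = np.empty((n, l), dtype=int)
for i in range(n):
    for j in range(l):
        T[i, j] = seed[i - j + l - 1]

x = rng.integers(0, 2, n)     # raw (biased) input bits

# Reference: full matrix-vector product over GF(2)
full = (x @ T) % 2

# Pipelined version: one k-bit substring and one k x l submatrix per clock
# period, partial products combined with XOR
acc = np.zeros(l, dtype=int)
for step in range(n // k):
    xs = x[step * k:(step + 1) * k]
    Ts = T[step * k:(step + 1) * k, :]
    acc ^= (xs @ Ts) % 2

assert np.array_equal(acc, full)
```

The equivalence holds because matrix multiplication over GF(2) distributes over row blocks, which is what lets the FPGA stream 96 bits per clock instead of buffering the full 9600-bit block.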
For validation and debugging purposes, the option of saving both raw and hashed data in the FPGA's memory is implemented such that one may extract them for further analysis on a PC. Conversely, data can be uploaded to the FPGA's memory from an external source (e.g., from an oscilloscope's ADC) and then processed by the Toeplitz hashing extractor in the FPGA.

APPENDIX G: RATE COMPARISON WITH HOMODYNE PROTOCOLS
In this Appendix, we derive the curves shown in Fig. 5, which compare the rates of this work with those of the device-dependent homodyning and semi-SDI protocols whose certification is based on an entropic uncertainty relation (EUR) [19,20,48]. Strictly speaking, a direct comparison with the EUR protocols is impossible since these fail to give a composable security parameter. Also, in practice, the achievable rates depend heavily on many technical constraints, such as the detector noise and especially the number of ADC bits. Consequently, we consider a simpler, idealized calculation of the ultimate rates of these different protocols and identify fundamentally different scalings in some instances. Specifically, we calculate the expected value of the amount of min-entropy generated per round.

Device-dependent homodyning
Following Haw et al. [37], we can upper bound the min-entropy by noting that, for arbitrarily many ADC bits and perfect photon-number-resolving detectors, the probability distribution of the photon difference is resolution limited only by the photon-counting measurement itself and the amplitude of the local oscillator. Specifically, it is straightforward to show that mixing an arbitrary input signal mode on a 50∶50 beam splitter with a coherent state $|\alpha_{\mathrm{LO}}\rangle$ gives output modes $\hat a_1 = (\hat a_s + \hat a_{\mathrm{LO}})/\sqrt{2}$ and $\hat a_2 = (\hat a_s - \hat a_{\mathrm{LO}})/\sqrt{2}$. The photon difference is then given by
$$\hat I = \hat a_1^\dagger \hat a_1 - \hat a_2^\dagger \hat a_2 = \hat a_s^\dagger \hat a_{\mathrm{LO}} + \hat a_{\mathrm{LO}}^\dagger \hat a_s.$$
If the LO (local oscillator) is very bright, then we can know its quadrature displacement up to an uncertainty that is very small relative to the displacement's mean. Moreover, if the LO is very large relative to the photon number of the input signal, this signal will be very close to a quadrature measurement of the input signal. Following, e.g., Ref. [57], one way to see this is to consider a decomposition of the LO operator $\hat a_{\mathrm{LO}} = \alpha_{\mathrm{LO}} + \delta\hat A_{\mathrm{LO}}$, where $\alpha_{\mathrm{LO}}$ is the mean value and the operator $\delta\hat A_{\mathrm{LO}}$ represents the quantum fluctuations. Taking $\alpha_{\mathrm{LO}}$ to be real, we have
$$\hat I = \alpha_{\mathrm{LO}}\,\hat x_s + \delta\hat A_{\mathrm{LO}}^\dagger \hat a_s + \hat a_s^\dagger \delta\hat A_{\mathrm{LO}},$$
where $\hat x_s = \hat a_s + \hat a_s^\dagger$. If the mean LO amplitude is large with respect to the fluctuations and the amplitude of the signal mode, then one has $\hat I \approx \alpha_{\mathrm{LO}}\hat x_s$.

FIG. 7. Schematic of the real-time postprocessing board used to generate certified random numbers. The analog signal generated by the optical setup described in Fig. 2 is digitized by an ADC and then further processed by an FPGA board. Additionally, the number of bits during each step of the process, along with the inverse duration of each time step, is shown above the various modules in the schematic. PD, photodiode; ADC, analog-to-digital converter; MGT, multigigabit transceiver; DDR4 RAM, double data rate 4th generation random access memory; ETH PHY, Ethernet physical layer. Inset: photograph of the actual postprocessing board comprising the ADC and the FPGA.
In the case of ideal detectors that can distinguish between n and n+1 photons, this is equivalent to measuring the input quadrature with a resolution given by Δ = 1/α_LO (i.e., the rescaling by the LO power). One can also calculate the variance for an arbitrary signal state $\hat\rho_s$ with a coherent state as the LO. Defining the appropriate expectation value as $\langle \hat I\rangle_{\alpha_{\mathrm{LO}}} = \mathrm{tr}\{\hat I(\hat\rho_s \otimes |\alpha_{\mathrm{LO}}\rangle\langle\alpha_{\mathrm{LO}}|)\}$, we have
$$\langle \hat I^2\rangle_{\alpha_{\mathrm{LO}}} - \langle \hat I\rangle_{\alpha_{\mathrm{LO}}}^2 = \alpha_{\mathrm{LO}}^2\left(\langle \hat x_s^2\rangle - \langle \hat x_s\rangle^2\right) + \langle \hat a_s^\dagger \hat a_s\rangle,$$
where we have again taken $\alpha_{\mathrm{LO}}$ to be real.
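As a numerical sanity check of this variance formula, the following Python sketch builds the photon-difference operator in a truncated Fock space and verifies that, for a vacuum signal and a coherent LO, the variance equals $\alpha_{\mathrm{LO}}^2 V_s + \langle \hat n_s\rangle = \alpha_{\mathrm{LO}}^2$. The truncation dimension and LO amplitude are illustrative choices, not experimental values.

```python
import numpy as np

N = 40          # Fock-space truncation (illustrative)
alpha = 3.0     # real LO amplitude, so n_LO = alpha**2 = 9

# Truncated annihilation operator: a|n> = sqrt(n)|n-1>
a = np.diag(np.sqrt(np.arange(1, N)), 1)
ad = a.T

# Signal in vacuum; LO in the coherent state |alpha>
vac = np.zeros(N)
vac[0] = 1.0
coh = np.empty(N)
coh[0] = np.exp(-alpha**2 / 2)
for m in range(1, N):
    coh[m] = coh[m - 1] * alpha / np.sqrt(m)

psi = np.kron(vac, coh)

# Photon-difference operator I = a_s^dag a_LO + a_LO^dag a_s
I_op = np.kron(ad, a) + np.kron(a, ad)

mean = psi @ I_op @ psi
var = psi @ I_op @ (I_op @ psi) - mean**2

# Vacuum signal: V_s = 1 and <n_s> = 0, so Var(I) = alpha**2
print(mean, var)
```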

a. Vacuum input
In the device-dependent case where the signal is known to be vacuum, the rescaled output is a discretized Gaussian distribution with variance V = 1 and zero mean. If we label the discretized output with index k, the probability distribution from the perspective of an eavesdropper (here there is no technical noise) is given by
$$p(k|E) = \int_{k\Delta-\Delta/2}^{k\Delta+\Delta/2} \frac{e^{-x^2/2V}}{\sqrt{2\pi V}}\,dx, \qquad (\mathrm{G4})$$
where $k \in \{0, \pm 1, \pm 2, \ldots\}$. For small Δ relative to V, Eq. (G4) is well approximated by
$$p(k|E) \approx \frac{\Delta}{\sqrt{2\pi V}}\, e^{-k^2\Delta^2/2V}, \qquad (\mathrm{G5})$$
and the min-entropy $H_{\min}^{\mathrm{DD}}(X|E) = -\log_2[\max_k p(k|E)]$ can be directly calculated to be [37]
$$H_{\min}^{\mathrm{DD}}(X_{\mathrm{vac}}|E) = \tfrac{1}{2}\log_2(2\pi n_{\mathrm{LO}}),$$
where $n_{\mathrm{LO}}$ is the mean photon number present in the LO.
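The small-Δ approximation can be checked directly by integrating the Gaussian over the most likely bin and comparing with the closed-form expression $\tfrac{1}{2}\log_2(2\pi n_{\mathrm{LO}} V)$; the LO photon number below is a hypothetical illustration value.

```python
from math import erf, log2, pi, sqrt

# Hypothetical LO strength; the quadrature bin width is Delta = 1/alpha_LO
n_lo = 1e6
delta = 1 / sqrt(n_lo)
V = 1.0   # vacuum-input quadrature variance

def p_bin(k):
    # Exact probability of the k-th quadrature bin of width delta
    a = (k * delta - delta / 2) / sqrt(2 * V)
    b = (k * delta + delta / 2) / sqrt(2 * V)
    return 0.5 * (erf(b) - erf(a))

# The most likely bin is k = 0, so the min-entropy is -log2 p(0);
# compare with the closed form (1/2) log2(2*pi*n_LO*V)
h_exact = -log2(p_bin(0))
h_closed = 0.5 * log2(2 * pi * n_lo * V)
print(h_exact, h_closed)
```

The logarithmic dependence on $n_{\mathrm{LO}}$ is the key scaling: brightening the LO by a factor of 100 buys only about 3.3 additional bits of min-entropy per sample.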

b. Coherent state input
This rate as calculated via Eq. (G5) is also unchanged if the vacuum is replaced by a coherent state of modest amplitude since the variance of coherent states is still unity. However, if the signal is a large coherent state $|\alpha_s\rangle$, the approximations we utilized to derive Eq. (G5) no longer hold. The remaining terms in Eq. (G2) will not stay negligible and the fluctuations will actually increase. Considering the photon detections directly, the state after the beam splitter will now be $|(\alpha_{\mathrm{LO}}+\alpha_s)/\sqrt{2}\rangle \otimes |(\alpha_s-\alpha_{\mathrm{LO}})/\sqrt{2}\rangle$. The output at each detector is then described by a Poissonian distribution, which for large photon number is well approximated by a Gaussian distribution, as is the photon difference. The variance is straightforwardly calculated to be
$$V_I = \bar n_{\mathrm{LO}} + \bar n_s,$$
from which we can immediately read off the min-entropy as
$$H_{\min}^{\mathrm{DD}}(X_{\mathrm{coh}}|E) = \tfrac{1}{2}\log_2[2\pi(\bar n_{\mathrm{LO}} + \bar n_s)].$$
On the other hand, if the vacuum source were instead replaced by Eve with one half of an entangled two-mode squeezed vacuum (TMSV) state, then the input to the randomness measurement would be a thermal state with mean photon number $\bar n = \sinh^2(r)$ and quadrature variance $V = 2\bar n + 1$. As the amount of squeezing, and hence the number of photons in the input state, increases, the quadrature measurements become more and more predictable and the min-entropy decreases. Eventually, however, for a sufficiently bright TMSV state, the extra terms in Eq. (G2) become non-negligible and extra fluctuations arise such that the overall entropy begins to increase again. For all levels of squeezing, the statistics are well approximated as Gaussian.
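This Gaussian picture of the photon difference is easy to check numerically. The sketch below (with hypothetical real amplitudes) samples the two Poissonian detector outputs and confirms that the variance of their difference approaches $\bar n_{\mathrm{LO}} + \bar n_s$:

```python
import numpy as np

rng = np.random.default_rng(1)

# Hypothetical real amplitudes: n_LO = 4e4, n_s = 1.6e3
a_lo, a_s = 200.0, 40.0
samples = 200_000

# After the 50:50 beam splitter, the detectors see independent Poissonians
# with means |a_lo + a_s|^2 / 2 and |a_s - a_lo|^2 / 2
n1 = rng.poisson((a_lo + a_s) ** 2 / 2, samples)
n2 = rng.poisson((a_s - a_lo) ** 2 / 2, samples)
diff = n1 - n2

# Sum of the two Poisson variances: n_LO + n_s
expected_var = a_lo ** 2 + a_s ** 2
print(diff.mean(), diff.var(), expected_var)
```

The sample mean also lands near $2\alpha_{\mathrm{LO}}\alpha_s$, as expected for the rescaled quadrature displacement of a coherent input.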
with a failure parameter of $\epsilon_{\mathrm{fail}}$ given by Eq. (G16). Notice that for the regions of interest in Fig. 5, namely where this curve surpasses the EUR curves and scales similarly to the device-dependent case, the inferred photon number will be such that the corrective term $O(1/n_R^-)$ is negligible. To evaluate this expected min-entropy given a target value for $\epsilon_{\mathrm{fail}}$ associated with the input states above, we simply need to calculate what $1-\epsilon_c$ will be for a given threshold $n_C^-$. With those in hand, we can solve Eq. (G16) for the value of $n_R^-$ that achieves the target $\epsilon_{\mathrm{fail}}$ and then calculate the corresponding min-entropy via Eq. (G15).
For a coherent state input $|\alpha_s\rangle$, the state going into the certification measurement will be $|\sqrt{r_1}\,\alpha_s\rangle$. For large $\alpha_s$, the Poissonian photon-number distribution is well approximated by a Gaussian distribution, and the probability of observing $n_C^-$ or more photons is given by
$$1-\epsilon_c = \tfrac{1}{2}\left[\mathrm{erf}\!\left(\frac{\bar n_C - n_C^-}{\sqrt{2\bar n_C}}\right)+1\right],$$
where $\bar n_C = r_1 \bar n$, with $\bar n = |\alpha_s|^2$ the mean photon number of the incoming coherent state.
Similarly, for a thermal-state source, the input to the certification measurement will be a thermal state with mean photon number $\bar n_C = r_1 n_{\mathrm{th}}$, with $n_{\mathrm{th}}$ the mean photon number of the incoming thermal state. Finally, using the formula for a geometric series and the photon-number representation of a thermal state, the relationship between the threshold and the passing probability is given by
$$1-\epsilon_c = \left(\frac{\bar n_C}{\bar n_C+1}\right)^{n_C^-}.$$
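A short Python sketch can illustrate both passing probabilities: it compares the Gaussian (erf) approximation for a coherent input against the exact Poissonian tail, and evaluates the exact geometric tail for a thermal input. The mean photon number and threshold below are hypothetical, chosen only to keep the sums small.

```python
from math import erf, exp, sqrt

def pass_prob_coherent_gauss(n_bar_c, n_thresh):
    # Gaussian approximation to P(n >= n_thresh) for a bright coherent input
    return 0.5 * (erf((n_bar_c - n_thresh) / sqrt(2 * n_bar_c)) + 1)

def pass_prob_coherent_exact(n_bar_c, n_thresh):
    # Exact Poisson tail via 1 - CDF(n_thresh - 1), summed from below
    p, cdf = exp(-n_bar_c), 0.0
    for n in range(n_thresh):
        cdf += p
        p *= n_bar_c / (n + 1)
    return 1.0 - cdf

def pass_prob_thermal(n_bar_c, n_thresh):
    # Thermal (geometric) photon-number tail: P(n >= n_thresh)
    return (n_bar_c / (n_bar_c + 1)) ** n_thresh

n_bar_c, n_thresh = 100.0, 80   # hypothetical certification values
gauss = pass_prob_coherent_gauss(n_bar_c, n_thresh)
exact = pass_prob_coherent_exact(n_bar_c, n_thresh)
thermal = pass_prob_thermal(n_bar_c, n_thresh)
print(gauss, exact, thermal)
```

At equal mean photon number, the heavy-tailed thermal distribution passes a sub-mean threshold far less reliably than the Poissonian coherent input, which is why the two sources lead to different certification trade-offs.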