Source-independent quantum random number generation

Quantum random number generators can provide genuine randomness by appealing to the fundamental principles of quantum mechanics. In general, a physical generator contains two parts---a randomness source and its readout. The source is essential to the quality of the resulting random numbers; hence, it needs to be carefully calibrated and modeled to achieve information-theoretical provable randomness. However, in practice, the source is a complicated physical system, such as a light source or an atomic ensemble, and any deviations in the real-life implementation from the theoretical model may affect the randomness of the output. To close this gap, we propose a source-independent scheme for quantum random number generation in which output randomness can be certified, even when the source is uncharacterized and untrusted. In our randomness analysis, we make no assumptions about the dimension of the source. For instance, multiphoton emissions are allowed in optical implementations. Our analysis takes into account the finite-key effect with the composable security definition. In the limit of large data size, the length of the input random seed is exponentially small compared to that of the output random bit. In addition, by modifying a quantum key distribution system, we experimentally demonstrate our scheme and achieve a randomness generation rate of over $5\times 10^3$ bit/s.


I. INTRODUCTION
Random numbers play important roles in many fields, such as scientific simulation [1], cryptography [2], testing fundamental principles of physics [3], and lotteries.Different applications require different levels of randomness.In cryptography, input randomness is one of the security foundations in communication protocols.In fact, many commercial products for generating random numbers exist in the market; such products function under various information-theoretical or computational assumptions.
In computer science, random number generators (RNGs) are based on generating pseudorandom numbers [4] in which a random seed is expanded according to some deterministic procedure.By definition, these RNGs produce sequences that are not truly random.Although these sequences usually attain a perfect balance between 0s and 1s, strong long-range correlations exist which undermine cryptographic security and may cause unexpected errors in scientific simulations.
In contrast, hardware RNGs originating from physical processes, such as noise in electric devices, nuclear fission, and circuit and radial decay [5][6][7][8][9][10][11], are believed to be able to offer better random numbers.However, it is unclear whether they are truly random because these RNGs normally involve complicated classical physics processes that produce no randomness.
A typical QRNG can be decomposed into two modules: a randomness source (quantum state preparation) and its readout (measurement), as shown in Fig. 1.In general, the source emits quantum states that are superpositions of the measurement basis.The output (raw) random numbers are the measurement results.In many QRNGs, a short random seed is required to assist state preparation or measurement.
FIG. 1. Illustration of a generic QRNG setup in which we take photon polarization as the example.H and V refer to horizontal and vertical polarizations, respectively.PBS refers to a polarizing beam splitter.(a) The source functions normally (or trusted) and sends superpositions of H and V polarizations, which offers quantum randomness.(b) The source malfunctions (or untrusted) and sends H and V polarizations in a predetermined order, which should output no genuine randomness.From the measurement result viewpoint, one cannot distinguish these two cases.
As an example, consider a simple QRNG that projects the quantum state |+ = (|H + |V )/ √ 2 emitted from a single photon source on the horizontal and vertical polarization basis |H , |V .This QRNG can be divided into two modules, as shown in Fig. 1(a).Randomness is guaranteed by the intrinsically probabilistic nature of quantum physics.Hereafter, we denote |H , |V (|+ , |− ) as the Z-basis (X-basis) eigenstates.
Existing practical QRNGs suffer from security loopholes if the devices are not perfect.In the source readout model, the measurement device can normally be trusted due to its simple structure.For instance, in the previous example, the measurement is a simple demolition measurement on the polarization basis.In contrast, the randomness contained in a source, such as a laser or an atomic ensemble, is normally difficult to characterize completely.If the source malfunctions and emits classical signals instead of quantum ones, the outputs may not be truly random.Consider the worst-case scenario in which the devices are designed or controlled by an adversary Eve.Eve can employ a pseudo-RNG to output a fixed (from Eve's viewpoint) string that still appears random to Alice.More concretely, in the example of the previous paragraph, when a dishonest source emits Z-basis instead of X-basis eigenstates for the Z-basis measurement, the output will just be a fixed string, as shown in Fig. 1(b).From this perspective, with given measurement devices, justifying the randomness in a source is crucial to generating randomness.
Most existing QRNGs use complicated physical models [17,22] to quantify their sources.For example, the dimension of the source is sometimes assumed to be a fixed known number [23].The underlying models implicitly assume the existence of randomness in the first place, but this assumption cannot be verified experimentally.Therefore, to achieve truly reliable randomness, there is a strong motivation to avoid the use of such models.Note that removing the dimension assumption is the key challenge to the analysis for device-independent scenarios.Thus, a QRNG without trusting the source (sourceindependent) is both theoretically and practically meaningful and greatly needed.A device-independent QRNG [24] can generate randomness without having to trust the devices.This type of QRNG requires a short seed for device testing, which is the reason why they are also called randomness expansions [25][26][27].By observing the violation of a certain Bell's inequality, such as the Clauser-Horne-Shimony-Holt inequality [28], one can guarantee the presence of randomness without any assumptions about the source or the measurement device.The main drawback of device-independent QRNGs is that they are not loss tolerant, which typically imposes very severe requirements on experimental devices.Furthermore, this type of QRNG generates random numbers at rates that are very low for practical applications.The highest speed of this type of QRNG has, so far, been reported to be 0.4 bps [29].
Here, we propose a source-independent QRNG (SIQRNG) scheme that is loss tolerant and hence highly practical.In particular, our scheme allows the source to have arbitrary and unknown dimensions.The losstolerance property enables potential high-loss implementations of our scheme, such as in integrated optic chips or with inefficient but cheap single photon detectors.We analyze the randomness of the scheme based on complementary uncertainty relations.Our analysis takes into account several practical issues, including finite-key-size effects, multiphoton components in the source, initial seed length, and losses.The analysis combines several ingredients from the security proof of quantum key distribution (QKD), a rich subject that has developed over the last two decades.These ingredients include phase error correction [30], random sampling [31], and the squashing model [32].Since the squashing model shows the equivalence between threshold detectors and qubit detectors [32], our scheme allows the source to have an unfixed finite dimension as well as an infinite dimension.For simplicity, in the rest of the paper, we assume a two-level (bit) output system.All our techniques can be directly applied to cases with more outputs.
In many theoretical aspects, there are strong similarities between QKD and QRNG.For example, the security definition in QKD can be applied to the definition of randomness in QRNG, and similar proof techniques can be applied to both, as we do in the later analysis.However, in some practical scenarios, there are subtle differences between the two.For example, local randomness is free in QKD but not in QRNG.A more crucial difference lies in the trustworthy components of QKD and QRNG in practice.In QKD, the sender and receiver are two remotely separated parties, so an adversary could intercept and resend the transmitted signals in the quantum channel and then take advantage of the imperfections of measurement devices to perform attacks.Thus, compared to the source, the measurement device becomes a more vulnerable part of a QKD system.
Different from QKD, source and measurement devices in QRNG are normally local, so attacks aimed at imperfections in measurement devices seem more artificial than practical.The main purpose in studying the untrusted device scenario in QRNG is to address device imperfections.This subtle difference may lead to deviations between QKD and QRNG.For instance, it is reasonable to assume that Alice can characterize the measurement device for QRNG well and trust it during random number production.Furthermore, compared to QKD, the source in QRNG involves a complicated design so that the QRNG is fast and convenient.For instance, in a recent experiment [33], a QRNG was demonstrated based on measuring light-emitting diode (LED) light with a mobile phone.Such sources are hard to characterize and could possibly be manipulated by Eve, but one can reasonably trust one's own mobile phone.From this viewpoint, the source in QRNG is at least as problematic as the measurement.Thus in our work, we take the reasonable assumption that the measurement device can be characterized well but not the source.Note that the opposite scenario, where the source rather than the mea-surement device of QRNG is trusted, has also been recently investigated [34].
To show the practicality of the proposed scheme, we provide a proof-of-principle experimental demonstration by simply modifying a QKD system.We experimentally examine the effect of different detector efficiencies on the randomness generation rate.Under a practical total transmittance, a high randomness generation rate can be achieved.
The organization of the paper is as follows.In Section II, we present our protocol.In Section III, we analyze the protocol and calculate the min-entropy of its output after investigating various practical scenarios.In Section IV, an experimental demonstration of our protocol is performed.Finally, we conclude in Section V.

II. PROTOCOL
A schematic of our SIQRNG protocol is shown in Fig. 2(a).Here, we take an optical implementation as the example, as shown in Fig. 2  1.Source: An untrusted party, Eve, prepares many quantum states in an arbitrary and unknown dimension and feeds them into the measurement box of Alice.
2. Squashing: Alice (or Eve) squashes the quantum states into qubits and vacua.Alice postselects the vacua and obtains n squashed qubits.The vacuum components take into account optical losses and quantum efficiencies.
3. Random sampling: By consuming a short seed with the length given in Eq. ( 6), Alice randomly chooses nx out of the n squashed qubits and measures them in the X basis, each results in |+ or |− .

4.
Parameter estimation: When the system operates properly, the source emits qubits |+ for all runs.Thus, a result of |− in the X-basis measurement is defined as an error.A double click is considered to be half an error.Alice evaluates the bit error rate e bx in the X basis and its statistical deviation θ according to Eq. ( 5).If e bx + θ ≥ 1/2, Alice aborts the protocol.

Randomness generation:
For the remaining n− nx squashed qubits, Alice performs measurement in the Z basis to generate nz = n − nx random bits.
6. Randomness extraction: Alice picks a parameter te according to the desired failure probability restriction and extracts nz − nzH(e bx + θ) − te bits of final randomness using Toeplitz-matrix hashing [35,36] a .

Security parameter:
With the composable security definition, the security parameter (in trace-distance measure) is given by ε a Other extraction methods, such as Trevisan's extractor [37] can be applied, in which the relation between the failure probability and te can differ.
TABLE I. Source-independent QRNG with the finite data size effect.The results are proven in Section III.

III. ANALYSIS
In this section, we analyze the randomness output of the SIQRNG protocol.Strictly speaking, like deviceindependent QRNGs, our scheme is a randomness expansion scheme, in which a random seed is used to generate extra independent randomness.The procedure of parameter estimation is an analog to the phase error rate estimation in QKD postprocessing [36].Randomness extraction is mathematically equivalent to privacy amplification in QKD.The difference between the biased measurement used here and the biased-basis choice QKD protocol [38] is that the number of X-basis measurements is a constant in our case, whereas in QKD, this number must go to infinity when the data size is infinitely large.

A. Squashing model
In the SIQRNG scheme, we assume that measurement devices are trusted and well characterized.The key assumption here is that the measurement setup is compatible with the squashing model.In other words, a measurement can be treated in two steps.First, the (unknown arbitrary-dimensional) signal state emitted from the source is projected to a qubit or vacuum.The projection is called a squasher, as shown in Fig. 2(a).Then, the squashed qubits are postselected by discarding the vacua and measuring them in the X or Z basis.This assumption can be satisfied when threshold detectors are used with random bit assignments for double clicks [32].For the protocol described in Section II, the X-basis measurement results are used for parameter estimation and are then discarded in postprocessing.Thus, the random assignment can be replaced by adding half of the doubleclick ratio to the X-basis error rate.
In practice, it is a challenge to verify whether a measurement setup is compatible with the squashing model.Much effort has been put into this question [39].The key point here is to make the two detectors respond equally to (four) different qubits, and hence make the measurement device basis independent [40].This can be done by adding a series of filters (including spectrum and temporal filters) before the threshold detectors, to ensure that the input states stay within a proper set of optical modes [41], in which the detectors have the same efficiencies [32,40].One can further assume that Alice uses a trusted source to calibrate the measurement devices beforehand; that is, Alice performs a quantum measurement tomography.A similar measurement calibration procedure should be done in most current QKD and QRNG realizations.Here, we emphasize that the verification of the squashing model does not affect the source-independent property of our scheme.Thus, we leave detailed investigation on validating the measurement setting for future works.
Similar to the QKD case [32], we can assume that the squashing operator is held by Eve in the randomness analysis.By this, we mean that Eve can choose a valid operator, so long as the output is a qubit or a vacuum.In the following discussions, we focus on the squashed qubits.We need to determine the min-entropy associated with these qubits in the Z-basis measurement.

B. Complementary uncertainty relation
First, we show intuitively why the protocol works.According to quantum mechanics, the outcome of projecting the state |+ on the Z basis is random.Of course, in reality, due to device imperfections, Alice would never obtain a perfect state of |+ .Now, the key question for Alice becomes how to verify that the source faithfully emits the state |+ .This can be done by borrowing a similar technique from the security analysis of QKD [30,42,43] and consider an equivalent virtual protocol depicted in Fig. II, where we replace steps 5 and 6 by 5 ′ and 6 ′ .In steps 3 and 4 of the protocol, Alice occasionally performs the X-basis measurement and defines the phase error rate to be the ratio of detecting |− .In the virtual protocol, once Alice knows the phase error rate by random sampling tests, she can perform a phase error correction (step 5 ′ ) before the final Z-basis measurement (step 6 ′ ).From the smart design of the phase error correction procedure [30], Alice can make it commute with the Z-basis measurement.Thus, she can perform the Zbasis measurement (step 5) first and then apply randomness extraction (step 6).At this stage, all the states have already collapsed to classical results, and the phase error correction procedure becomes randomness extraction (or privacy amplification in QKD) [30,42,43].Besides QKD, the argument here is similar to the one used in Ref. [44], where one can consider the error correction process 5 ′ as distilling coherence or randomness extraction.It has been proved that the phase error correction (randomness extraction) can be efficiently done with Toeplitz-matrix hashing [35].Suppose the number of qubits measured in the Z basis is n z and the phase error rate is e pz , the number of bits sacrificed in the phase error correction is given by and the probability that the phase error correction fails is 2 −te [36].Here, H(e) = −e log e − (1 − e) log(1 − e) is the binary Shannon entropy function, all the log is base 2 throughout the paper, and t e is the parameter Alice picks up by balancing the failure probability and the final output length.Then, the number of final random bits is given by, In practice, Alice needs to prepare a Toeplitz matrix of size n z × [n z − n z H(e pz ) − t e ] for randomness extraction.
We note that the failure probability 2 −te quantifies fidelity between the state that results from the phase error correction and the ideal state |+ ⊗nz .In the composable security definition [45,46], a trace-distance measure security parameter ε t should be employed.Its relation to the fidelity measure ε f is given by [31] In the following, we use the fidelity measure for the failure probability, which, in the end, can be conveniently converted to the trace-distance measure security parameter.
To construct the Toeplitz matrix of size n z × [n z − n z H(e pz ) − t e ], Alice needs to use n z + n z − n z H(e pz ) − t e − 1 random bits.Thanks to the Leftover Hash Lemma [47], the Toeplitz hashing extractor can be proven to be a strong extractor.That is, the output random bits are independent of the random bits used in the construction of the Toeplitz matrix [48].Thus, the Toeplitz matrix can be reused.
Our result can also be derived via a different but elegant approach by employing a newly developed seminal uncertainty relation [49] and extending the Leftover Hash Lemma [47] to the quantum scenario [50].Interestingly, the result from that approach yields a security parameter (in trace-distance measure) that is of the order of 2 −te/2 , which is consistent with ours.Such techniques have been successfully applied in some applications, including QRNGs [23].

C. Finite key analysis
In practice, the QRNG only runs for a finite time; consequently, the sampling tests for the X-basis measurements will suffer from statistical fluctuations.In the parameter estimation step, the key parameter e pz in Eq. ( 2) should be estimated (bounded) from the finite data size effect.
In the random sampling test, Alice measures the squashed qubits in the X basis and obtains the error rate, e bx .Remember that, as required in the squashing model, this error rate includes half of the double-click ratio.Henceforth, we simply call this error rate the X-basis error rate.Recall that the phase error rate e pz is defined as the error rate if the quantum signals measured in the Z basis are measured in the X basis.When the sampling size is large enough, e pz can be well approximated by e bx .
Before presenting the details of the random sampling analysis, we establish a notation.Suppose Alice receives n squashed qubits and randomly chooses n x of them to be measured in the X basis, leaving the remaining n z = n − n x qubits in the Z basis.Let the ratio of X-basis measurements be q x = n x /n, the number of errors Alice finds in the X basis be k, and the total number of errors be m if Alice measures all qubits in the X basis.Then, the number of errors in the qubits measured in the Z basis is m − k, which is the key parameter we need to determine through random sampling.The quantity m − k = n z e pz determines the randomness extraction rate.Define the lower bound of e pz by, where θ is the deviation due to statistical fluctuations.Following the random sampling results of Fung et al. [31], we can bound the probability when Eq. ( 4) fails, where ξ(θ) = H(e bx +θ−q x θ)−q x H(e bx )−(1−q x )H(e bx + θ).Note that in the unlikely event that e bx = 0, the failure probability is unbounded, and one should rederive the failure probability or simply replace e bx with a small value, say, 1/n x .
In practice, the failure probability ε θ is normally picked to be a small number depending on applications.In later data postprocessing, we pick up ε θ = 2 −100 .Once ε θ is fixed, there is a trade-off between q x and θ for the ratio of the final random bit length over the raw data size.Thus, the number of samples for the X-basis measurement should be optimized for the randomness extraction rate.
One key property for the random sampling is that the n x locations of the X-basis measurements are randomly chosen from the total n locations, i.e., the n nx cases are equally likely to occur.Then, Alice needs a random seed with a length of The effect of loss on the seed length will be discussed in Section III D. In Appendix A, we show that n x can remain a constant, given the failure probability, when n is large.Then, in the large data size limit, the seed length is exponentially small compared to the length of the output random bit.Therefore, we reach an exponential randomness expansion.

D. Practical issues
Multiphotons: In our protocol, the source is allowed to emit multiphotons, since its dimension is assumed to be uncharacterized.In other words, these components do not affect the randomness of the final output.In practice, multiphotons may introduce double clicks when threshold detectors are used [32]; these double clicks will directly contribute to the error rate term e bx .Thus, when the multi-photon ratio is very high, the double-click ratio will increase to a point at which the upper bound on information leakage e pz increases to one-half; at that point, no random bits can be extracted according to Eq. ( 2) and Alice simply aborts the protocol.
Loss: The loss tolerance of our protocol is guaranteed by the squashing model in which the measurement is assumed to be basis independent [32].This assumption can be guaranteed by the fact that the basis is chosen after losses.Alice does not anticipate the positions of losses, so she effectively decides the (random) positions for X-basis measurements before losses.The effect of loss only decreases the number of effective X measurements, but the positions of effective X measurements are still uniformly random in squashed qubits; this fulfills the requirement of random sampling.The detailed proof is shown in Appendix B.
Basis-dependent detector efficiency: Our protocol assumes that the efficiencies of the detectors are the same.In practice, efficiency mismatches would cause the measurement to be different for the two bases (basis dependent).A viable way to deal with this imperfection is to recalculate the rate as a function of the ratio between the efficiencies of the two bases, employing the technique used in QKD [40].As indicated by the result in QKD [40], the random number generation rate will slightly decrease when there is a small mismatch in detector efficiencies.More precisely, we denote the ratio between the minimum and maximum efficiencies of the two detectors as r ≤ 1, then the key size becomes rn z (1 − H[(e bx + θ)/r]) − t e bits.We leave detailed analysis of this imperfection for future work.
Double clicks: Our analysis takes account of the effect of double clicks by adding half of the double-click ratio to the X-basis error rate, as required in the squashing model.This is also essentially why multiphoton states can be used on the source side without affecting final randomness.Note that double clicks should not be discarded freely in the measurement.Otherwise, a security loophole will appear, namely, a strong pulse attack [51].In a strong pulse attack, Eve always sends strong signals (with many photons) in the Z basis.Suppose she sends a strong state in |H ; if Alice chooses the Z-basis measurement, a valid raw random bit will be obtained, but if she chooses the X basis, a double click is likely to happen.In our protocol, when Alice chooses the X-basis measurement, she should get an error (resulting in |− ) with a probability of one-half.If Alice simply discards all double clicks, Eve's attack will not be noticed.This attack cannot be explained by a qubit measurement.This is intuitively why the squashing model requires random assignments for double clicks.
Basis choice: When choosing X-or Z-basis measurements, an input random string of length N (as a seed) is needed.Suppose the number of X-basis measurements to be performed is N x , then Alice chooses N x positions out of N with equal probability, i.e., with probability N Nx −1 .Then, she needs a seed length of log N Nx .This is similar to Eq. ( 6) with the difference that before the measurement, Alice does not know the positions of losses.More details on how to dilute a short random seed to a longer (partially random) one are provided in Appendix C.
Intensity optimization: The intensity of the source should be optimized to maximize the randomness generation rate.With increasing intensity, the detection rate will increase along with an increases in the double-click rate (and hence e pz increases).There exists a trade-off between n z and e pz , as shown in Eq. (2).

IV. EXPERIMENT DEMONSTRATION
In this section, we perform a proof-of-principle experimental demonstration to show the practicality of the SIQRNG scheme.Our experiment setup consists of two parts, the source, owned by an untrusted party Eve, and the measurement device, owned by the user Alice.The schematic diagram is shown in Fig. 3. On Eve's side, a laser, labeled as S, with a wavelength of 850 nm and a repetition rate of 1 MHz is used as a photon source.The power of the laser is adjusted to be one photon per pulse.Instead of assuming each state is a qubit system, each pulse that the laser sends is a coherent state of infinite dimensions.The pulse of the laser is then modulated to |+ polarization by a linear polarizer (LP) and a fiber polarization controller (FPC1).Between the source and the measurement device, we put a fiber attenuator (FA) to simulate different losses in the system.
On Alice's side, first a series of filters needs to be applied to ensure the measured optical mode is pure before entering the threshold detectors, as required by the squashing model.For demonstration purposes, we use a single-mode fiber to play the role of a filter.Ideally, frequency and temporal filters should also be added to further purify the optical mode in order to make the photons indistinguishable.For demonstration purposes, a biased beam splitter (BS1) with a ratio of 1 : 49 is used to passively choose the X or Z basis.Finally, Alice records when the photon detector (PD) clicks.The detector is time-division-multiplexed by adding four time delays TD1-TD4 (60 ns each) in the optical paths, so that it can simulate four detectors that detect the outcomes of both bases and each bit value.The gate width and the dead time of the detector are 10 ns and 50 ns, respectively.
The phase error rate, as calculated in Eq. ( 4), is plotted in Fig. 4. The typical values of the related experimental parameters are listed as follows.The raw key size is N = 10 6 ; the dark count is 0.002; the detector efficiency (without a FC adaptor) is 45%; the misalignment error of the source is 2%; and the failure probability is ε θ = 2 −100 .The figure shows that the error rate increases as the loss becomes large.This is because the effect of dark counts becomes dominant when the loss is high.Because of statistical fluctuations, the phase error rate increases when the data size shrinks.Note, in particular, that the phase error rate can go beyond 20% under high losses, which does not yield any key rates in most QKD protocols.Nevertheless, random numbers can still be generated in our SIQRNG scheme.The relation between the randomness generation rate and the loss is plotted in Fig. 5.It can be seen that the randomness generation rate becomes lower with a larger loss, which is consistent with Fig. 4.Under practical detector efficiency, the randomness generation rate still achieves a relatively high rate of 5 × 10 3 bit/s.Note that, the intensity of the source is fixed in our experimental demonstration.In practice, the intensity of the source can be increased to compensate the loss, and actually the maximum randomness generation rate in our scheme is mainly limited by the dead time of the detector.For our detector with a dead time of 50 ns, the maximum randomness generation rate is 1 bit/50 ns=20 Mbps, which requires the source to be a single photon source with a repetition rate of 20 Mbps.For practical implementations with coherent-state sources, the randomness generation rate can reach the order of 2 Mbps after taking into account various errors and finite data size effects.After obtaining the random bits, we apply the Toeplitz-matrix hashing [35] on the raw data to obtain final random numbers.To test the randomness, we further perform two statistical tests on the output of our SIQRNG, the autocorrelation test and the NIST test suite [52].The autocorrelation is defined as where j is the lag between the samples, X i is the i-th sample bit, µ and σ are the average and the variance of the sample, and E stands for expectation.The result of the autocorrelation test of raw data and final data is shown in Fig. 6.It can be seen that the autocorrelation is substantially reduced in the final data.The result of NIST tests on the final data is shown in Fig. 7.We can see that all tests are passed.

V. CONCLUSION
We have proposed a source-independent and losstolerant QRNG scheme and its experimental demonstration in a passive basis choice realization.From an experimental point of view, the beam splitter itself, as part of the measurement device, may also be uncharacterized.Thus, it would also be interesting to demonstrate FIG. 6.The autocorrelation function of the raw data and the final data.The x axis is the lag j between the sampled data Xi and Xi+j , while the y axis is the autocorrelation R(j) defined in Eq. (7).Data sizes of both the raw data and the final data are on the order of 10 7 .The autocorrelation of the final data is significantly smaller than the raw data in absolute value.Because of finite-key-size effects, the autocorrelation cannot be zero even for perfectly random strings.our scheme with an active basis choice in the future.In fact, when the source operates properly, the speed of our protocol is comparable to that of a trusted polarizationbased QRNG whose frequency is limited only by single photon detectors-approximately 100 Mbps [53].Some current realizations of QRNG experiments could be converted to our SIQRNG protocol.For example, a LED could be used as the source, as regular QRNG [33].Since the polarizations of a LED are random, it would be convenient to add a polarizer for the |+ direction to make the source-polarized light.Since the detector can work in a gated mode, it does not matter whether the light source is continuous or pulsed.This shows why the repetition rate is limited only by single-photon detectors.Viewed from another angle, such a setup could also be used to test quantum features of macroscopic sources.
For future projects, it would be interesting to investigate other loss-tolerant self-testing QRNG schemes.Essentially, we are aiming to design a QRNG to tolerate large losses and generate fast random numbers simultaneously, given the minimum assumptions of a practical setup.
Added note: Upon completion of this work, we noticed a related work [23], the uncertainty relation is employed to quantify entropy in QRNG and finite-key effects are taken into consideration with smooth min entropies.The work also aimed at provable randomness with untrusted sources.However, it makes a strong assumption on the dimension of the source, which turns out to be the key barrier for source-independent QRNG.Moreover, the practical imperfections, such as multiphotons, device imperfections and losses, are not considered.Our work, on the other hand, use the squashing model for arbitrary dimension system and take account of imperfections in practical scenarios.negligible as N goes to infinity because the number of X-basis measurements c 1 is a constant, as derived in Appendix A. More precisely, the min entropy of the input as well as the length of the uniformly random seed has an upper bound given by log N c 1 ≤ c 1 log N. (C1) Note that since the detector completely controls this ran-dom seed length, calculating the exact input min entropy is possible.This is very different from estimating the error rate in the finite-key analysis section, in which we can only estimate the range of the error rate with a high probability of success.Apart from the input specified in the main text, independent and identically distributed bit strings are also a possible choice for the input.Finally, we remark that the reason to include this input seed length analysis is to make our QRNG composable.
(b).All our results apply similarly to other implementation systems.Quantum signals from the source first go through a modulator that actively chooses between the X and Z bases.Then, a polarizing beam splitter and two threshold detectors perform a projective measurement.Since two detectors are used, there are four possible outcomes: no clicks (losses), two single clicks, and double clicks.This implementation is equivalent to the schematic setup of the squashing model as discussed in Section III A. The details of the protocol are presented in Fig. I.

FIG. 2 .
FIG. 2. (a) Measurement model for SIQRNG.The quantum state first passes through a squasher and is projected as either a qubit or a vacuum.Then, the output qubit is measured in the X or Z basis chosen by an active switch.There are two outcomes for each basis measurement, corresponding to the two eigenstates of the basis.(b) An optical implementation of the SIQRNG in (a), as discussed in Section III A.Here Pol-M refers to a polarization modulator, PBS refers to a polarizing beam splitter, and D0 and D1 are the threshold detectors.

FIG. 4 .
FIG. 4. Relation between the phase error rate and the loss.The big error bars are caused by a very conservative estimation of statistical fluctuations and also partially by the fluctuation of experimental parameters for different losses.

FIG. 5 .
FIG. 5. Dependency of randomness generation rate on the loss.The data points on the figure are taken to be the lower bound of the rate, evaluated by random sampling.The security parameter is εt = 2 × 2 −50

F
FIG.7.The P value of the statistical tests.The x axis lists the names of statistical tests in the NIST test suite.The final data size is 91 Mbit, which is extracted from 115-Mbit raw data.To pass each test, the P value should be at least 0.01 and the proportion of sequences that satisfy P > 0.01 should be at least 96%.It can be seen in the figure that the P values of all tests are greater than 0.01.

TABLE II .
An equivalent protocol of source-independent QRNG.