Professional Documents
Culture Documents
Maximization of Extractable Randomness in A Quantum Random-Number
Maximization of Extractable Randomness in A Quantum Random-Number
net/publication/268451821
CITATIONS READS
106 521
7 authors, including:
All content following this page was uploaded by Jing Yan Haw on 20 May 2015.
quantum random-number generator is inevitably tainted by classical technical noise. The integrity
of the device can be compromised if this noise is tampered with, or even controlled by some malicious
party. To safeguard against this, we propose and experimentally demonstrate an approach that pro-
duces side-information independent randomness that is quantified by min-entropy conditioned on
this classical noise. We present a method for maximizing the conditional min-entropy of the number
sequence generated from a given quantum-to-classical-noise ratio. The detected photocurrent in our
experiment is shown to have a real-time random-number generation rate of 14 (Mbit/s)/MHz. The
spectral response of the detection system shows the potential to deliver more than 70 Gbit/s of
random numbers in our experimental setup.
in Refs. [28, 29], the choice of dynamical ADC range was PMdis(mi)
justified by experimental observations. Thus, a system-
atic approach to determine the dynamical ADC range in
extracting a maximum amount of secure randomness is
very much required. δ/2
In this work, we propose a new generic framework
where the dynamical ADC range can be appropriately
chosen to deliver maximum randomness. By quantify- mi
ing randomness via min-entropy conditioned on classical -R δ R
noise, we show that QCNR is not the sole limiting fac- i: -2n-1 ... -2 -1 0 1 2 ... 2n-1-1
tor in generating secure random bits. In fact, by care-
fully optimizing the dynamical ADC range, one can ex- Figure 1. Model of the n-bit ADC, with analog input in the
tract a nonzero amount of secure randomness even when ADC dynamical range [−R + δ/2, R − 3δ/2] and bin width
the classical noise is larger than the quantum noise. By δ = R/2n−1 . We choose the central bin centred around 0,
applying this method to our continuous-variable (CV) the lowest bin imin = −2n−1 centered around −R, and the
highest bin imax = 2n−1 − 1 centered around R − δ.
QRNG based on a homodyne measurement of vacuum
state [23], we demonstrate that the setup is capable of
delivering more than 70 Gbps of secure random bits. sources of classical origin, such as technical electronic
In most QRNGs, including this work, the measurement noise and thermal noise. We look at the worst-case sce-
device has to be calibrated and trusted. Recently, cer- nario, namely that these parameters, in principle can be
tifiable randomness based on a violation of fundamental known by the adversary either due to monitoring or con-
inequalities has been proposed and demonstrated [30– trolling of the classical noise, and, hence are untrusted.
32]. These devices do not rely on the assumption of a In order to guarantee the security of the random bits
trusted device. The generated bits can be certified as generated, we resort to the notion of min-entropy. This
random based on the measured correlations alone and quantity is directly related to the maximum probabil-
independent from the internal structure of the genera- ity of observing any particular measurement outcome,
tor. However, achieving a high generation rate with such hence bounding the amount of knowledge of an adver-
devices is experimentally challenging. sary. More specifically, the conditional min-entropy tells
This paper is structured as follows. In Sec II, we us the amount of (almost) uniform and independent ran-
present the modelling of our CV QRNG and the quan- dom bits that one can extract from a biased random
tification of entropy via (conditional) min-entropy. We source with respect to untrusted parameters. Our goal
outline the procedure of optimizing the dynamical ADC here is to achieve the maximum amount of conditional
range under different operating conditions and experi- min-entropy by optimizing the measurement settings.
mental parameters. In Sec. III, we analyze and charac-
terize our CV QRNG based on our framework. We then
review and discuss the randomness extraction in our CV A. Characterization of noise and measurement
QRNG, ending with brief concluding remarks in Sec. IV.
We first discuss the model for our CV QRNG. Follow-
ing our previous work [23], a homodyne measurement of
II. ENTROPY QUANTIFICATION the vacuum state is performed. This measures Q, the
quadrature values of the vacuum state. The theory of
The main goal of entropy evaluation of a secure quantum mechanics states that these values are random
QRNG is to quantify the amount of randomness avail- and have a probability density function (PDF) pQ which
2
able in the measurement outcome M , conditioned upon is Gaussian and centred at zero with variance σM . In
side-information E, which might be accessible, con- practice, these quadrature values cannot be measured
trollable, or correlated with an adversary. The con- in complete isolation from sources of classical noise E.
cept of side-information-independent randomness, which The measured signal M is then M = Q + E. Denot-
includes privacy amplification and randomness extrac- ing the PDF of the classical noise as pE , the resulting
tion, is well established in both classical and quantum- measurement PDF, pM is then a convolution of pQ and
information theory [33–36]. This security aspect of pE . Assuming that the classical noise follows a Gaussian
2
randomness generation started to get considerable at- distribution centred at zero and with variance σE , the
tention recently in the framework of QRNG [13, 20– measurement probability distribution is
23, 26, 27, 37]. In particular, Ref. [37] examines the 1
m2
amount of randomness extractable under various levels pM (m) = √ exp − 2 , (1)
2πσM 2σM
of characterization of the device and power given to the
adversary. 2
for m ∈ M where the measurement variance σM =
2 2
In this paper, we consider randomness as independent σQ + σE . The ratio between the variances of the quan-
of classical side information, which arises from various tum noise and the classical noise defines the QCNR,
3
Figure 2. Numerical simulations for the measured distribution probabilities PMdis (mi ) versus quadrature values, with different
dynamical ADC range parameters R = (a) 5, (b) 2 and (c) 8. Without optimization, one will have either an oversaturated or
unoccupied ADC bins, which will compromise both the rate and the security of the random-number generation. The parameters
used are n = 8 and QCNR= 10 dB. The quadrature values are normalized to quantum noise.
2 2
i.e. QCNR= 10 log10 (σQ /σE ). The sampling is per- From Eq. (2), the discretized conditional probability dis-
formed over an n-bit ADC with dynamical ADC range tribution is, thus,
[−R + δ/2, R − 3δ/2]. Upon measurement, the sam-
pled signal is discretized over 2n bins with bin width PMdis |E (mi |e)
δ = R/2n−1 . The range is chosen so that the central R −R+δ/2
pM|E (m|e)dm, i = imin,
bin is centered at zero. The resulting probability distri- R−∞
mi +δ/2
bution of discretized signal Mdis reads = p
m −δ/2 M|E
(m|e)dm, imin < i < imax , (4)
R ∞i
PMdis (mi ) R−3δ/2 pM|E (m|e)dm, i = imax .
R −R+δ/2
R−∞
pM (m)dm, i = imin , With these, we are now ready to discuss how R should
=
mi +δ/2
p (m)dm, imin < i < imax , (2) be chosen under two different definitions of min-entropy,
m −δ/2 M
R ∞i
namely worst-case min-entropy and average min-entropy.
R−3δ/2 M
p (m)dm, i = imax ,
Figure 3. Numerical simulations of: (a) conditional probability distributions PMdis |E (mi |e), with e = {−10σE , 0, 10σE } (from
left to right) and R = 5. Without optimizing R, when e = ±10σE , saturations in the first and last bins affect the maximum of
the conditional probability distribution. Inset: PMdis |E (mi |e), with e = {−100σE , 0, 100σE } (from left to right). Unbounded
classical noise will lead to zero randomness due to the oversaturation of dynamical ADC. (b) Optimized PMdis |E (mi |e), with
e = {−10σE , 0, 10σE } (from left to right). From Eq. (11), the optimal R is chosen to be 5.35. The saturations do not exceed
the maximum of the conditional probability distribution whenever −10σE ≤ e ≤ 10σE . The parameters are n = 8, QCNR= 10
dB. Dashed lines indicate mi = ±10σE . The quadrature values are normalized to vacuum noise.
1 emax − R + 3δ/2 δ
Hmin (Mdis |E) = − log2 max erf √ + 1 ; erf √ , (10)
2 2 2 2
which can be optimized by choosing R such that saturation in the first (last) bin for emin/max = ±10σE
becomes the peaks of the conditional probability distri-
1 emax − R + 3δ/2 δ bution, hence compromising the attainable min-entropy.
erf √ + 1 = erf √ . (11)
2 2 2 2 By choosing the optimal value for R via Eq. (11), as de-
picted in Fig. 3(b), the peaks at the first and last bins will
This optimized worst-case min-entropy Hmin (Mdis |E) is always be lower than or equal to the probability within
directly related to the extractable secure bits that are in- the dynamical range. Thus, by allowing the dynamical
dependent of the classical noise. As shown in Fig. 3(a), ADC range to be chosen freely, one can obtain the lowest
when Eq. (10) is not optimized with respect to R, the possible conditional probability distribution, and hence
5
Classical Entropy
Table I. Optimized H̄min (Mdis |E) (and R) for 8- and 16-bit
ADCs
QCNR (dB) n=8 n = 16 Quantum Entropy
n-bit
ADC
∞ 7.03 (2.45) 14.36 (3.90) Laser
which denotes the probability of correctly predicting the Sum- Mixer VCO 1 VCO 2 Low Pass Filter
value of discretized measured signal Mdis using the op- Difference
While these cryptographic hashing functions are not apply these observations to analyze the amount of ran-
information-theoretically proven to be secure, they are domness produced by our CV QRNG setup. Efficient
still suited for many cryptographic applications and set- cryptographic hashing functions are then deployed to ex-
tings where the adversary is assumed to be computa- tract randomness quantified by average conditional min-
tionally bounded. The reason for utilizing them over entropy.
universal hashing functions is that they can have high We note several possible extensions of our work. For
throughput due to efficient hardware implementation. instance, one can apply entropy smoothing [39, 53] on
Previously, cryptographic hashing extractors have been the worst-case min-entropy to tighten the analysis. Our
deployed in [11, 13, 18, 24], with functions such as SHA- framework can also be generalized to encapsulate poten-
512 and Whirlpool. Most of the implementations keep tial quantum side information by considering the analysis
exactly min-entropy number of bits, which might not be described in Ref. [27]. A detailed cryptoanalysis of our
fully secure (see Appendix D). framework can also increase the final throughput of the
Here, we demonstrate randomness extraction with QRNG [47]. Last, a hybrid of an information-theoretic
the Advanced Encryption Standard (AES) [49] crypto- provable and cryptographic randomness extractor is also
graphic hashing algorithm of 128 bits (see Appendix E). an interesting avenue to be explored in the construction
Since a detailed cryptoanalysis of our framework is non- of a high-speed, side-information (classical and quantum)
trivial and beyond the scope of this paper, we keep only proof QRNG [44].
half of our conditional min-entropy [45, 50] to obtain To conclude, this work allows the maximization of ex-
an almost perfectly uniform output. The final real-time tractable high-quality randomness without compromis-
guaranteed-secure random number generation rate of our ing both the integrity and the speed of a QRNG. In
CV QRNG is 3.55 Gbps. If all the available bandwidth fact, within our framework, when the QRNG is appro-
from our detector (approximately 2.5 GHz) can be sam- priately calibrated, the generated random numbers are
pled, with sufficient resources, we can achieve up to 35 secure even if the electronic noise is fully known. This is
Gbit/s (cf. Sec. III B). This corresponds to a rate of 14 of practical importance, given the fact that QRNGs play
Mbps/MHz in term of bits per bandwidth. Our random a decisive role in the implementation of cryptographic
numbers consistently pass the standard statistical tests protocols such as quantum key distribution. From a prac-
(NIST [51], DieHard [52]) and the results are available tical point of view, our method also relaxes the QCNR
on the Australian National University Quantum Random requirement on the detector, thus allowing QRNGs that
Number Server (https://qrng.anu.edu.au). are more cost effective and smaller in size. As such, we
believe that our work paves the way towards a reliable,
high bitrate, and environmentally-immune QRNG [54]
IV. CONCLUDING REMARKS for information security.
Note added.- We note several recent papers considering
the security aspects of QRNGs [55–58]. A related work
In this work, we propose a generic framework for se-
by Mitchell et al. [59] was published recently. Similar
cure random-number generation, taking into account the
to our work, a lower bound of the average min-entropy
existence of classical side information, which, in princi-
was established by assuming the worst-case behavior of
ple could be manipulated or predicted by an adversary.
various untrusted experimental noise and errors. The
If the adversary is assumed to have access to the classical
study asserts that high-bitrate randomness generation
noise, for example, the detectors’ noise can be originat-
with strong randomness guarantee remains possible even
ing from preestablished values, the worst-case conditional
under paranoid analysis, which supports our conclusion.
min-entropy should be used to quantify the available se-
cure randomness. Meanwhile, if we restrict the third
party to passive eavesdropping, one can use the average
ACKNOWLEDGEMENT
conditional min-entropy instead to quantify extractable
randomness. By treating the dynamical ADC range as a
free parameter, we show that QCNR is not the sole de- This research was conducted by the Australian Re-
cisive factor in generating secure random bits. Surpris- search Council Centre of Excellence for Quantum Com-
ingly, one can still extract a nonzero amount of secure putation and Communication Technology (project num-
randomness even when the classical noise is comparable ber CE110001027). N. N. is funded by the National
to the quantum noise. This is done simply by optimizing Research Foundation Competitive Research Programme
the dynamical ADC range via conditional min-entropies. Space Based Quantum Key Distribution”.
Such an approach not only provides a rigorous justifica-
tion for choosing the suitable ADC parameter, but also
largely increases the range of QCNR for which true ran- Appendix A: Optimized conditional min-entropy
domness can be extracted, thus relaxing the condition of with dc offset
high QCNR clearance in conventional CV QRNGs. We
also notice that we can increase the min-entropy per bit In a realistic scenario, the mean of the measured sig-
simply by increasing the number of digitization bits. We nal’s probability distribution is often nonzero. It is pos-
9
mi : -R - R+Δ δ R R+Δ
To evaluate the expression for the discretized conditional
m’i: - R - Δ -R R-Δ R probability distribution, we make use of the mean value
i : -2n-1 ... -2 -1 0 1 2 ... 2n-1-1 theorem stated below:
Theorem 1 Mean value theorem: For any continuous
Figure 8. Model of the n-bit ADC, with analog input in the function f (x) on an interval [a, b], there exists some x̄ ∈
ADC dynamical range [−R + δ/2, R − 3δ/2] and bin width [a, b] such that,
δ = R/2n−1 . Offset of the distribution is modeled by another
reference frame m′ centered at offset ∆. In the original frame Z b
m, the lowest and highest bins are now centered around −R− f (x)dx = (b − a)f (x̄) (B3)
∆ and R − δ − ∆. a
Table II. Optimized Hmin (Mdis |E) (and R) for an 8-bit ADC
|e + ∆|
QCNR (dB)
0 5σE 10σE 15σE 20σE
∞ 7.03 (2.45) 7.03 (2.45) 7.03 (2.45) 7.03 (2.45) 7.03 (2.45)
20 6.79 (2.90) 6.58 (3.35) 6.40 (3.81) 6.23 (4.27)
10 6.37 (3.88) 5.91 (5.35) 5.55 (6.85) 5.26 (8.36)
0 5.50 (7.10) 4.75 (11.92) 4.25 (16.82) 3.88 (21.75)
-∞ 0 0 0 0
Table III. Optimized Hmin (Mdis |E) (and R) for a 16-bit ADC
|e + ∆|
QCNR (dB)
0 5σE 10σE 15σE 20σE
∞ 14.36 (3.90) 14.36 (3.90) 14.36 (3.90) 14.36 (3.90) 14.36 (3.90)
20 14.20 (4.38) 14.05 (4.85) 13.91 (5.33) 13.79 (5.81)
10 13.89 (5.40) 13.53 (6.92) 13.25 (8.46) 13.00 (9.99)
0 13.20 (8.70) 12.56 (13.59) 12.12 (18.51) 11.77 (23.45)
-∞ 0 0 0 0
in Appendix A, giving For an ADC discretization with bin size δ less than
δ0 and with range large enough such that the probabil-
Pguess (Mdis |E) ities of the two end bins given e, PMdis|E (mmin |e), and
√
1
Z e1
e + ∆ + R − δ/2
PMdis|E (mmax |e) are less than δ0 / 2π, the most likely
= pE (e − ∆) 1 − erf √ de √
2 2 bin given e will have a probability of δ0 / 2π. The min-
−∞
entropy of this distribution is then
e2 − ∆ e1 − ∆ δ
+ erf √ − erf √ erf √ Hmin (Mdis |e)
2σE 2σE 2 2
Z ∞ !
e + ∆ − R + 3δ/2 = − log2 max PMdis |E (m|e)
+ pE (e − ∆) erf √ + 1 de , m∈Mdis
e2 2
(B8) δ0
= − log2 √
2π
1
= − log2 √ . (C2)
2π |α|
Appendix C: Upper bound on Hmin for limited laser
power Averaging over e, this gives the bound to the average
√ con-
ditional entropy as H̄min (Mdis |E) ≤ − log2 1/ 2π |α| .
For a finite coherent state α , the maximum value
of Hmin (Mdis |E) is bounded by the number of photons Appendix D: Notes on the Leftover Hash Lemma
available in α . This limit is attained when the ADC
discretization is fine enough such that events between n
and n + 1 photons at the homodyne output can be dis- From an information-theoretic standpoint, the most
tinguished (regardless of the amount of classical noise). prominent advantage of universal hashing functions de-
The probability density function pM|E (m|e = 0) is then scribed in Sec. III C is the randomness of the output
a probability mass function having support (n1 − n2 )δ0 guaranteed unconditionally by the leftover hash lemma
where n1 and n2 are non-negative integers with a Poisso- (LHL). More specifically, LHL states that for any ε > 0,
2
nian distribution with mean |α| /2. The normalization if the output of an universal hashing function has length
constant δ0 = 1/ |α| sets the variance to 1. For large |α|, l ≤ t − 2 log2 (1/ε), (D1)
the distribution pM|E (m|e = 0) tends to a discretised
Gaussian distribution with zero mean and unit variance, where t denotes the (conditional) min-entropy, then the
output will be ε-statistically close to a perfectly uniform
δ0 distribution [53]. Moreover, a universal hashing function
PMdis |E (m|e = 0) = √ exp −m2 ,
(C1)
2π constructs a strong extractor, where the output string is
also independent of the seed of the function [26, 33].
for m ∈ {0, ±δ0 , ±2δ
√ 0 , . . .}. This function has a maxi- On the other hand, for a strong cryptographic extrac-
mum value of δ0 / 2π at m = 0. tor, the output is ε′ -computationally indistinguishable
11
Figure 9. Autocorrelation plots of raw samples for (a) channel 0 and (b) channel 1 evaluated from a typical record of 107
consecutive samples. Each sample is 12 bits, where the four most significant bits are discarded from 16-bit raw data. The
low values of autocorrelation between the samples are consistent with our raw data being close to independent and identically
distributed random variables. Dashed lines show the theoretical standard deviation of truly random 107 points.
from the uniform distribution (see Refs. [46, 47] for for- Appendix E: AES hashing and auto-correlation
mal definitions). It is shown in Refs. [48, 53] that LHL
can be generalized to take into account almost universal In our QRNG, randomness extraction is performed
functions (functions statistically ξ-close to being univer- with an AES [49] cryptographic hashing algorithm of
sal hashing functions). This generalized LHL takes the 128 bits seeded with a 128-bit secret initialization vec-
form of l = min(t, log2 (1/ξ)) − 2s, where s is an inte- tor. Four most significant bits of the 16-bit samples are
ger related to ε′ . Under suitable parameter constraints discarded before randomness extraction to ensure low au-
and operating modes, an ε′ -cryptographic extractor can tocorrelation among consecutive samples (Fig. 9) before
be treated as a ξ-almost universal function, and, hence a hashing. The resulting output is concatenated with par-
strong randomness extractor [47, 48]. Hence for a cryp- tial raw data from the previous run, forming a 128-bit
tographic extractor, it is necessary to sacrifice some bits block for cryptographic hashing. Since a complete cyp-
according to the desired security parameter e to ensure toanalysis of the cryptographic hashing is intricate and
the security and uniformity of the output. is out of the scope of our work, we simply discard half
of the output to ensure uniformity of the generated ran-
dom sequence [50]. We further strengthen our security
by renewing the seed of our AES extractor with these
discarded bits. The final real-time throughput of our CV
QRNG is 3.55 Gbits/s.
[1] Mario Stipčević, “Quantum random number [5] Ido Kanter, Yaara Aviad, Igor Reidler, Elad Cohen, and
generators and their use in cryptography,” in Michael Rosenbluh, “An optical ultrafast random bit
Proceedings of 34th International Convention MIPRO generator,” Nature Photonics 4, 58–61 (2010).
1474-1479 (2011). [6] Davide G Marangon, Giuseppe Vallone, and Paolo Vil-
[2] P Xu, YL Wong, TK Horiuchi, and PA Abshire, “Com- loresi, “Random bits, true and unbiased, from atmo-
pact floating-gate true random number generator,” Elec- spheric turbulence,” Scientific reports 4 (2014).
tronics Letters 42, 1346–1347 (2006). [7] Cristian S Calude, Michael J Dinneen, Monica Du-
[3] Berk Sunar, William J Martin, and Douglas R Stinson, mitrescu, and Karl Svozil, “Experimental evidence of
“A provably secure true random number generator with quantum randomness incomputability,” Physical Review
built-in tolerance to active attacks,” Computers, IEEE A 82, 022102 (2010).
Transactions on 56, 109–119 (2007). [8] Karl Svozil, “Three criteria for quantum random-number
[4] Atsushi Uchida, Kazuya Amano, Masaki Inoue, Kunihito generators based on beam splitters,” Physical Review A
Hirano, Sunao Naito, Hiroyuki Someya, Isao Oowada, 79, 054306 (2009).
Takayuki Kurashige, Masaru Shiki, Shigeru Yoshimori, [9] Bing Qi, Yue-Meng Chi, Hoi-Kwong Lo, and Li Qian,
et al., “Fast physical random bit generation with chaotic “High-speed quantum random number generation by
semiconductor lasers,” Nature Photonics 2, 728–732 measuring phase noise of a single-mode laser,” Optics
(2008). Letters 35, 312–314 (2010).
12
[10] Hong Guo, Wenzhuo Tang, Yu Liu, and Wei Wei, “Truly [25] Bruno Sanguinetti, Anthony Martin, Hugo Zbinden, and
random number generation based on measurement of Nicolas Gisin, “Quantum random number generation on
phase noise of a laser,” Physical Review E 81, 051137 a mobile phone,” Phys. Rev. X 4, 031056 (2014).
(2010). [26] Xiongfeng Ma, Feihu Xu, He Xu, Xiaoqing Tan,
[11] M Jofre, M Curty, F Steinlechner, G Anzolin, JP Torres, Bing Qi, and Hoi-Kwong Lo, “Postprocessing
MW Mitchell, and V Pruneri, “True random numbers for quantum random-number generators: En-
from amplified quantum vacuum,” Optics Express 19, tropy evaluation and randomness extraction,”
20665–20672 (2011). Physical Review A 87, 062327 (2013).
[12] Feihu Xu, Bing Qi, Xiongfeng Ma, He Xu, Haoxuan [27] Daniela Frauchiger, Renato Renner, and Matthias
Zheng, and Hoi-Kwong Lo, “Ultrafast quantum ran- Troyer, “True randomness from realistic quantum de-
dom number generation based on quantum phase fluc- vices,” arXiv preprint arXiv:1311.4547 (2013).
tuations,” Optics Express 20, 12366–12377 (2012). [28] Neus Oliver, Miguel Cornelles Soriano, David W.
[13] C Abellán, W Amaya, M Jofre, M Curty, A Acı́n, J Cap- Sukow, and Ingo Fischer, “Fast Random
many, V Pruneri, and MW Mitchell, “Ultra-fast quan- Bit Generation Using a Chaotic Laser: Ap-
tum randomness generation by accelerated phase diffu- proaching the Information Theoretic Limit,”
sion in a pulsed laser diode,” Optics Express 22, 1645– IEEE Journal of Quantum Electronics 49, 910–918 (2013).
1654 (2014). [29] T. Yamazaki and A. Uchida, “Performance of Random
[14] Mario Stipčević and B Medved Rogina, “Quantum ran- Number Generators Using Noise-Based Superlumines-
dom number generator based on photonic emission in cent Diode and Chaos-Based Semiconductor Lasers,”
semiconductors,” Review of scientific instruments 78, IEEE Journal of Selected Topics in Quantum Electronics 19, 060030
045104 (2007). [30] S Pironio, A Acı́n, and S Massar, “Random numbers cer-
[15] Caitlin RS Williams, Julia C Salevan, Xiaowen Li, Ra- tified by Bell’s theorem,” Nature 464, 1021–1024 (2010).
jarshi Roy, and Thomas E Murphy, “Fast physical ran- [31] Stefano Pironio and Serge Massar, “Security of practical
dom number generator using amplified spontaneous emis- private randomness generation,” Physical Review A 87,
sion,” Optics Express 18, 23584–23597 (2010). 012336 (2013).
[16] Y Liu, MY Zhu, B Luo, JW Zhang, and H Guo, “Im- [32] BG Christensen, KT McCusker, JB Altepeter, B Calkins,
plementation of 1.6 tb s- 1 truly random number genera- T Gerrits, AE Lita, A Miller, LK Shalm, Y Zhang,
tion based on a super-luminescent emitting diode,” Laser SW Nam, et al., “Detection-loophole-free test of quan-
Physics Letters 10, 045001 (2013). tum nonlocality, and applications,” Physical Review Let-
[17] Michael Wahl, Matthias Leifgen, Michael Berlin, Tino ters 111, 130406 (2013).
Röhlicke, Hans-Jürgen Rahn, and Oliver Benson, “An [33] Ronen Shaltiel, “Recent developments in explicit con-
ultrafast quantum random number generator with prov- structions of extractors,” Bulletin of the EATCS 77, 67–
ably bounded output bias based on photon arrival time 95 (2002).
measurements,” Applied Physics Letters 98, 171105 [34] Anindya De, Christopher Portmann, Thomas Vidick,
(2011). and Renato Renner, “Trevisan’s extractor in the pres-
[18] Michael A Wayne and Paul G Kwiat, “Low-bias high- ence of quantum side information,” SIAM Journal on
speed quantum random number generator via shaped op- Computing 41, 915–940 (2012).
tical pulses,” Optics Express 18, 9351–9357 (2010). [35] R Konig, Renato Renner, and Christian Schaffner, “The
[19] Hai-Qiang Ma, Yuejian Xie, and Ling-An Wu, “Random operational meaning of min-and max-entropy,” Infor-
number generation based on the time of arrival of single mation Theory, IEEE Transactions on 55, 4337–4347
photons,” Appl. Opt. 44, 7760–7763 (2005). (2009).
[20] Philip J Bustard, Duncan G England, Josh Nunn, Doug [36] Wolfgang Mauerer, Christopher Portmann, and
Moffatt, Michael Spanner, Rune Lausten, and Ben- Volkher B Scholz, “A modular framework for random-
jamin J Sussman, “Quantum random bit generation us- ness extraction based on trevisan’s construction,” arXiv
ing energy fluctuations in stimulated raman scattering,” preprint arXiv:1212.0520 (2012).
Optics Express 21, 29350–29357 (2013). [37] Yun Zhi Law, Jean-Daniel Bancal, Valerio Scarani, et al.,
[21] M Fiorentino, C Santori, SM Spillane, RG Beau- “Quantum randomness extraction for various levels of
soleil, and WJ Munro, “Secure self-calibrating quantum characterization of the devices,” Journal of Physics A:
random-bit generator,” Physical Review A 75, 032334 Mathematical and Theoretical 47, 424028 (2014).
(2007). [38] Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, and
[22] Giuseppe Vallone, Davide G Marangon, Marco Tomasin, Adam Smith, “Fuzzy extractors: How to generate strong
and Paolo Villoresi, “Quantum randomness certified by keys from biometrics and other noisy data,” SIAM Jour-
the uncertainty principle,” Physical Review A 90, 052327 nal on Computing 38, 97–139 (2008).
(2014). [39] Renato Renner, “Security of quantum key distribution,”
[23] Thomas Symul, SM Assad, and Ping K Lam, “Real time International Journal of Quantum Information 6, 1–127
demonstration of high bitrate quantum random number (2008).
generation with coherent laser light,” Applied Physics [40] Yong Shen, Liang Tian, and Hongxin Zou, “Practical
Letters 98, 231103 (2011). quantum random number generator based on measuring
[24] Christian Gabriel, Christoffer Wittmann, Denis Sych, the shot noise of vacuum states,” Physical Review A 81,
Ruifang Dong, Wolfgang Mauerer, Ulrik L Andersen, 063814 (2010).
Christoph Marquardt, and Gerd Leuchs, “A generator [41] Thomas Durt, Carlos Belmonte, Louis-Philippe Lam-
for unique quantum random numbers based on vacuum oureux, Krassimir Panajotov, Frederik Van den Berghe,
states,” Nature Photonics 4, 711–715 (2010). and Hugo Thienpont, “Fast quantum-optical random-
number generators,” Physical Review A 87, 022339
13