Enhanced security for multi-detector Quantum Random Number Generators
Abstract
Quantum random number generators (QRNG) represent an advanced solution for randomness generation, essential in every cryptographic application. In this context, integrated arrays of single photon detectors have promising applications as QRNGs based on the spatial detection of photons. For the employment of QRNGs in cryptography, it is necessary to have efficient methods to evaluate the so-called quantum min-entropy, which corresponds to the amount of true quantum randomness extractable from the QRNG. Here we present an efficient method that allows one to estimate the quantum min-entropy for a multi-detector QRNG. In particular, we will consider a scenario in which an attacker can control the efficiency of the detectors and knows the emitted number of photons. Finally, we apply the method to a QRNG with detectors.
I Introduction
Randomness is the fundamental ingredient of any cryptographic protocol. Classical, quantum and even post-quantum algorithms are indeed based on the availability of genuine and secret random numbers. Cryptographic random number generators are required to meet two main requisites: the first is to generate unbiased and uncorrelated random numbers; the second is to provide no information about their output to the “environment”. In this respect, random number generators based on quantum physical processes (QRNG) are considered more secure than chaos-based RNGs and algorithmic RNGs: indeed, for QRNGs, unpredictability comes from the intrinsic probabilistic nature of a measurement in Quantum Mechanics. However, realistic implementations of QRNGs must take into account “imperfections” of the physical devices used in the generator. The latter might introduce statistical flaws, e.g. bias and correlations in the generated numbers and, more importantly, might provide side information to an attacker. Hence, it is of paramount importance to estimate the leakage of information of the QRNG (also called side information) in order to discard the bits which might have been guessed by an eavesdropper.
The purpose of this work is the evaluation of such side information and the extraction of random numbers for a QRNG based on an integrated array of single photon detectors. In the framework of discrete variable QRNG, this scheme is promising because it is equivalent to “parallelize” multiple generators (1) and indeed it has been explored in recent works (2); (3); (4); (5). However, an advanced security model for the estimation of the maximal extractable randomness was still missing. In this work we provide it, by generalizing a novel paradigm recently introduced in (6) for the side information of a two-detector QRNG. We will present a computationally efficient method to estimate the quantum min-entropy for systems with a generic number of detectors. Finally, we experimentally applied our method to a single photon camera that we converted into a QRNG.
The paper is organized as follows: in Section II.1 we describe how raw random numbers can be generated with the single photon camera system. In Section II.2 we introduce the enhanced security model for the QRNG, which is based on the estimation of its min-entropy conditioned on the accessible side information. In Section III, we show how the entropy can be efficiently evaluated by a combinatorial approach. In Section IV the new paradigm is applied to the QRNG and the results are discussed.
II Methods
II.1 Raw randomness generation
Our generator is based on the detection of photons by an array of single photon detectors. The system consists of a light source which uniformly illuminates the Single Photon Counting Camera SPC manufactured by Micro Photon Devices (7); (8) and originally intended for the acquisition of images at low level of illumination. Random numbers are generated according to which detector has clicked during a given time interval, as detailed below. The Camera is based on single photon detectors arranged in a matrix of pixels. Every pixel is equipped with a single photon avalanche detector (SPAD) and its quenching circuit. Contrary to normal CMOS or CCD sensors, where many photoelectrons are accumulated and converted into a digital value, here every single detected photon increases a counter associated to every pixel.
Raw random numbers are generated by using the setup schematically reported in Fig.1A. A laser ( nm) coupled with a SM optical fiber, is arranged in front of the camera to provide a controlled photon flux on the sensor. The laser intensity is not strictly uniform on the array as it features the typical Gaussian profile of a TEM00 mode. However, according to the distance between the fiber output and the sensor, the laser intensity can be considered “locally” uniform on pixels (where increases as function of ; the data considered here were collected for cm).
The SPC detects the light by acquiring multiple “frames” as we illustrate in Fig.1B. Every frame is characterized by an integration interval , that we set to ns (the shortest integration interval achievable by the camera). Frames are obtained at a rate of kHz, corresponding to a temporal distance between two frames of . The counter of each pixel detector in each frame can take only two values, and , corresponding to a non-detection and a photon-detection respectively. Hence, for each frame, a random number is generated by concatenating the pixel outputs in a string bits long. We indicate by X the random variable that takes the values. To illustrate the process, in Fig.1C, we show a submatrix of pixels. In the figure the submatrix is characterized by incoming photons from the laser which are independently acquired by the pixel detectors. Due to inefficiencies of the detectors or dead time, some of the incoming photons are not registered by the pixel detectors.
The probabilities to obtain or from a pixel are respectively denoted by and . Such probabilities depend on the mean photon number at detector and on the detector features. By properly adjusting the is then possible to obtain an “unbiased” sequence, i.e. . In order to simplify the evaluation of the probability of generating a string , it can be assumed that on a small submatrix the light intensity is uniform, i.e. . For the case considered in the scheme, we are considering the pixel square corresponding to the centre of the matrix. Furthermore, as the SPADs are approximately characterized by the same efficiency, it can be also assumed that . With these assumptions, as the pixels detect the photons independently, we have that and , . Then, the probability of generating a string with bits 1 and bits 0 is given by .
If we assume that the QRNG is a perfectly isolated system, the number of random bits that can be obtained in each frame by the generator is measured by the so-called classical min-entropy
(1) 
When , the classical min-entropy can be easily evaluated as . The unbiased randomness rate thus becomes . In Fig.2 (left) we report as a function of with the relative experimental data. In Fig.2 (right), the ten inequivalent probabilities , for are plotted: for the values of (from 0 to 15 photons/pixel) considered in the experiment, the most likely outcome is the string with all bits equal to zero. The agreement of the experimental points with the theoretical prediction shows that the approximations and are well justified. To achieve the maximal rate, a proper value of should be used, which enables a uniform distribution of the outcomes . For the case considered in Fig.2, such value is photons per pixel. For this optimal value it is possible to achieve the maximum generation rate of corresponding to a min-entropy . However, when the QRNG is used in a cryptographic scenario, the content of true random bits must be evaluated in a different way and the maximum generation rate is achieved with lower values of , as demonstrated below.
II.2 Secure randomness generation
For cryptographic applications, the classical min-entropy cannot be used and more advanced measures of randomness are needed: indeed, besides the requirement of being independent and identically distributed, it is also necessary that the numbers are not known to anyone else but the legitimate user. In this case, it is necessary to evaluate the so-called conditional quantum min-entropy (9); (10); (11). The obtained random sequence will be post-processed with a seeded randomness extractor, obtaining a random stream whose length is determined by .
The quantum min-entropy is related to the correlations that the quantum system has with the environment that can be controlled by an adversary. These possible correlations follow from non-idealities of the QRNG devices: for instance the input state may be mixed and the performed measurements may correspond to positive operator-valued measures (POVM) rather than projectors. For ideal QRNGs, where the random numbers are generated by measuring an isolated system with devices implementing perfect projector operators, the reduces to the classical min-entropy. However, for realistic QRNGs, cannot be exactly known and a typical approach consists in finding a lower bound. For instance, by assuming trusted measurement devices and a completely untrusted source, a lower bound on can be found (12); (13).
In (6), Frauchiger et al. addressed this problem for the “welcher weg” QRNG, implemented by a diagonally polarized photon impinging on a polarizing beam splitter (PBS): depending on its polarization (horizontal or vertical ), the photon is transmitted or reflected by the PBS. There, the photonic state is assumed to be pure but the measurements on the PBS output spatial modes are described by POVMs. In this framework, the residual randomness is measured by means of . The classical random variable encodes classical information about the degrees of freedom associated to the hardware non-idealities. In particular, describes the state of the generator with respect to the multiphoton emission from the light source (i.e. the number of emitted photons) and the detector inefficiencies. The significant advantage of this paradigm is that is accessible and measurable by the QRNG user. Furthermore, the authors demonstrate that , i.e. by conditioning on the classical information the QRNG is at least as secure as by conditioning on . In the following we will show that such a model can be adapted to the camera QRNG.
The model that we are considering for the multipixel QRNG is thus the following:

the eavesdropper has information on the photon number emission of the source;

the eavesdropper may determine the activation of single pixels during each acquisition;
We now explain in detail the above mentioned model. The multiphoton emission is characterized by the probability distribution of the classical random variable , which depends on the source itself (for a laser source ). Eve is supposed to know the number of photons emitted in each pulse. Moreover, detector inefficiencies and dead times can be modelled by perfect detectors that are activated, with a given probability , by the eavesdropper. In such a scenario, the eavesdropper has the ability to deactivate any pixel in order to “set” to 0 the bits . The probabilities must match the measured probabilities and of obtaining 0 or 1 at pixel , namely
(2) 
In the above equations, is the probability that no photon arrives at the pixel detector . The probabilities can be regarded as an “equivalent efficiency” which accounts for the effects of both the quantum efficiency of the SPAD, , and its dead time.
Depending on , the probability will change and Eve adjusts in order to satisfy Eq. (2). This can be understood by considering Fig.4, where the value of is reported as function of . We associate a random variable to the status of a pixel , such that labels the inactive status, while corresponds to the active status. In each frame, Eve selects a pixel configuration vector with probability from the set of cardinality .
Within this framework, the accessible classical information is therefore identified by . We will demonstrate that, even if the eavesdropper has this information at hand, secure random numbers may be generated. In our model, additional hardware defects, such as afterpulses (intended as the enhanced probability of having a detection at frame if the pixel clicked at frame ) and crosstalk among the pixels, are not included. Indeed their effect can be neglected since we measured a negligible afterpulse probability and a probability for the crosstalk. By using the approach introduced in (6) the min-entropy can be evaluated by the following relation:
(3) 
where
(4) 
and is the probability of obtaining the random string conditioned on the chosen pixel configuration vector and the emitted number of photons . In the above equation the sum runs over all the possible status configurations. We note that, if Eve has no information on the emitted number of photons, the min-entropy should be evaluated as with .
Eq. (3) generalizes the relation introduced in (6) from two detectors to detectors. From Eq. (3), the conditional entropy depends on the largest conditional probability . In fact, according to our model, knowing the number of photons emitted by the source and the sensor configuration, the best guessing strategy for Eve is to bet on the string with the largest probability of appearance. As described in Eq. (3), in order to obtain a lower bound on the conditional quantum min-entropy, such maximal probability must be “weighted” with the probability of having a given . In the next section we will present our main result, which is an efficient method to evaluate the conditional probabilities (see in particular Eq. (8)).
III Results
In order to calculate , we need to evaluate the evolution of photon Fock states and how such photons arrive at the different detectors. If the spatial wavefunction of each photon is pure, the equivalent quantum optical model of our setup corresponds to the so-called “multinomial tree” of beam splitters (with 50:50 reflection:transmission ratio) followed by detectors, as schematically reported in Fig. 3 for
If photons are emitted by the source within the integration time , the quantum state before the detectors can be written as
(5)  
(6) 
where is the joint vacuum of all modes, are the output mode creation operators and is the normalized state with photons arriving at detector . We note that the Kronecker delta implements the condition . In our model, the output mode entangled state is the equivalent of the bimode entangled output state at the polarizing beamsplitter in (6). In addition, because the tree has no common nodes, interference effects are excluded; therefore the probability that all photons arrive at pixel is given by .
requirement on  

0  0  no requirement 
0  1  
1  0  no arrangement is compatible 
1  1 
Because, as presented in (6), the detection operators applied on are all diagonal in the Fock basis, the estimation of the probabilities can be approached classically by means of the multinomial distribution. From Eq. (5), the probability that photons arrive at the different detectors with a given arrangement is indeed given by the multinomial distribution. Then, for a given set of classical variables , can be computed by the sum of the probabilities of obtaining the arrangements that are compatible with the output and the given detector configuration . The term compatible means the following: if , the compatible arrangements are only those with and (a detection at location requires an active detector and at least one photon arriving at it). If , only the arrangements with and or those with are compatible (a non-detection may correspond to an active detector with no photon impinging on it or to an inactive detector). If and there are no compatible arrangements (when the detector is inactive it cannot detect any photons). The conditions for a compatible arrangement are summarized in Table 1. Furthermore, the equation must be satisfied: it corresponds to the condition that the numbers of detections cannot be greater than the number of incoming photons. Then, when the probability can be written as
(7)  
where is the set of indices defined by and is its cardinality. The last relation in (7) is obtained by explicitly considering the arrangements that are compatible as reported in Table 1. An example of the probabilities evaluated for a matrix with and photons is reported in the “matrix plot” of Fig. 5 (Left), with different colors related to the values of the probabilities. Rows and columns account for all the possible configurations of and respectively. The fractal structure that is obtained resembles the Sierpinski triangle (14), where the white areas correspond to combinations of for which no photon arrangement is compatible.
Finding the largest probability can be simplified by exploiting the symmetries of . Indeed, for the values of and admitting compatible arrangements (namely those values for which ) the probability is uniquely determined by the Hamming weights of and , defined as and and it is not vanishing only for . We note that and correspond to the numbers of detections and active pixels respectively. We also define as the number of inactive pixels, namely . Since and range from 0 to , inequivalent values of , denoted by , can be listed in a reduced matrix, simplifying the maximization in (4) from a set with at most elements to a set with cardinality at most .
However, the computation of the conditional probabilities remains hard due to the sums contained in the r.h.s. of Eq. (7). We note that may be as large as , implying an increasing complexity with the number of detectors. As we will demonstrate soon, the evaluation of can be simplified by the following relation:
(8) 
where
(9) 
The symbol represents the r-restricted Stirling number of the second kind, defined as the number of partitions of the set into non-empty disjoint subsets, such that the numbers are in distinct subsets (15). As demonstrated in Appendix A, the Stirling numbers can be explicitly evaluated as the r.h.s. of Eq. (9). We recall that in the equation (8) we have defined and . With the introduction of the Stirling numbers we therefore achieved a dramatic reduction of the time necessary to compute . Indeed, the evaluation of in Eq. (8) has just a single sum, that must be compared with the sums required to evaluate Eq. (7). The rest of the section will be devoted to demonstrating Eq. (8).
We first note that, when and , the number corresponds to the number of ways of distributing photons on pixels such that of them (the active pixels that have ) receive at least one photon. Indeed, as indicated by Eq. (7) we must consider the events in which the photons arrive only at pixel and with and , with the extra requirement that at least one photon arrives at each active pixel . To evaluate the number we may proceed as follows. Let’s consider a set with “real” photons and “fictitious” photons. By definition, the number of partitions of the photons into non-empty disjoint subsets, such that the fictitious photons are always in distinct subsets is given by the Stirling numbers . We note that, due to the presence of “fictitious” photons, subsets have at least one “real” photon, while the remaining subsets may have any number of “real” photons. Now we can associate a pixel to each of the subsets: in this way, pixels receive at least one photon, as required in the definition of . However, the number underestimates : indeed, different associations of the subsets containing no fictitious photons with the active pixels will give rise to different photon distributions. On the other hand, the subsets with one fictitious photon can be uniquely associated to the inactive pixels. Then, is obtained by multiplying by the permutation of pixels, namely . Since , we have demonstrated Eq. (8).
1  {2}, {3}, {4}, {,1}, {} 

2  {2}, {3}, {4}, {}, {,1} 
3  {1}, {3}, {4}, {,2}, {} 
4  {1}, {3}, {4}, {}, {,2} 
5  {1}, {2}, {4}, {,3}, {} 
6  {1}, {2}, {4}, {}, {,3} 
7  {1}, {2}, {3}, {,4}, {} 
8  {1}, {2}, {3}, {}, {,4} 
9  {1,4}, {2}, {3}, {}, {} 
10  {1}, {2,4}, {3}, {}, {} 
11  {1}, {2}, {3,4} , {}, {} 
12  {1,2}, {3}, {4}, {}, {} 
13  {1}, {2,3}, {4}, {}, {} 
14  {2}, {3,1}, {4}, {}, {} 
To better illustrate the procedure, we show in Table II the case of pixels, photons, and . In this case, and . Since and , no photon must impinge on . To evaluate , we must count all the distributions of 4 photons on 5 detectors, such that three of them (, and ) receive at least one photon. Since , two fictitious photons, labelled and , are added to the set of the real photons. In Table II we list all the partitions of the set in 5 subsets, such that the fictitious photons are in distinct subsets. The number of partitions is indeed counted by . The sets with and can be uniquely associated with the inactive pixels and . Indeed, the Table accounts for all the inequivalent “real” photon arrangements on the inactive pixels. However, the Table does not take into account inequivalent “real” photon arrangements on the active pixels: for instance, in partition 1 we have the three possible associations with the detectors: , and ; the same happens for the other listed partitions. Then, the number of permutations of the active pixels should be considered, in order to obtain .
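The counting argument of this section can be checked numerically. The Python code below is an added example, not code from the paper: it enumerates photon paths under the Table 1 compatibility rules and compares the result with a factorial times an r-restricted Stirling number, the latter written as a standard inclusion-exclusion sum. All function names and the six-pixel layout in the demo are constructed for illustration; the 14 partitions listed in Table II correspond to r_stirling(4, 3, 2).

```python
from itertools import product
from math import comb, factorial

def compatible(x, d, counts):
    """Table 1 rules: can this photon arrangement produce string x under gating d?"""
    for xi, di, ni in zip(x, d, counts):
        if xi == 1 and (di == 0 or ni == 0):
            return False      # a click needs an active pixel and at least one photon
        if xi == 0 and di == 1 and ni > 0:
            return False      # an active pixel that stayed silent received no photon
    return True               # inactive silent pixels may absorb any number of photons

def count_bruteforce(x, d, n):
    """Number of the m**n equally likely photon paths compatible with (x, d)."""
    m = len(x)
    total = 0
    for path in product(range(m), repeat=n):      # path[j] = pixel reached by photon j
        counts = [path.count(i) for i in range(m)]
        total += compatible(x, d, counts)
    return total

def r_stirling(n, k, r):
    """Partitions of n real + r fictitious photons into k + r non-empty subsets with
    the fictitious photons in distinct subsets (explicit inclusion-exclusion sum)."""
    s = sum((-1) ** (k - j) * comb(k, j) * (j + r) ** n for j in range(k + 1))
    return s // factorial(k)

def count_closed(x, d, n):
    """Same count from the Hamming weights only: k! * r_stirling(n, k, r)."""
    if any(xi == 1 and di == 0 for xi, di in zip(x, d)):
        return 0                                  # a click on an inactive pixel
    k = sum(x)                                    # number of detections
    r = len(d) - sum(d)                           # number of inactive pixels
    return factorial(k) * r_stirling(n, k, r)

def p_cond(x, d, n):
    """P(x | d, n) when each photon reaches each of the m pixels with probability 1/m."""
    return count_closed(x, d, n) / len(x) ** n

def mismatches(m, n_max):
    """Exhaustively compare both counts for every (x, d) and every n <= n_max."""
    strings = list(product((0, 1), repeat=m))
    return [(x, d, n) for x in strings for d in strings for n in range(n_max + 1)
            if count_bruteforce(x, d, n) != count_closed(x, d, n)]

if __name__ == "__main__":
    # Constructed layout: three clicking pixels, one active silent pixel, two inactive.
    x, d = (1, 1, 1, 0, 0, 0), (1, 1, 1, 1, 0, 0)
    print(r_stirling(4, 3, 2), count_closed(x, d, 4), count_bruteforce(x, d, 4))
    print(mismatches(3, 4))
```

The brute-force enumeration costs m**n steps per pair (x, d), while the closed form needs a single sum over the number of detections, which is the saving the section describes.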
IV Discussion
By using the results presented in the previous section we are now ready to evaluate the quantum randomness of the generator. By further assuming that the detectors have all the same efficiency (such that ), the conditional min-entropy simplifies to
(10)  
that evaluates the amount of bits which can be considered random and secure after the application of a quantum randomness extractor.
In Fig. 6 we compare the classical min-entropy (red solid line) and (blue solid line) as function of the parameter , for the pixel submatrix considered in Fig. 1.
As shown in Fig.6, when the eavesdropper has information on the emitted photon number and can gate the detectors, the classical min-entropy is not suitable to estimate the real content of randomness as it yields an overly optimistic estimate. In particular we observe that by using , the user might be induced to increase the value of to maximize the entropy. In reality, by doing so, the user gives Eve a dramatic guessing advantage as only bits out of 9 can be considered secure for . In fact, when the mean number of photons per pixel is high, although the input state is pure, all the active pixels will output a bit with high probability, while all the inactive pixels will output a bit with certainty: by knowing the detector status , Eve may guess with high probability the output string .
As can be derived from the plot, the best strategy to obtain a high secure rate is to keep the average number of photons per pixel low: in this way, although Eve already knows that the inactive pixels will output , thanks to the purity of the state, she cannot predict the outcomes of the active pixels.
In this condition, we applied the efficient relation of Eq. (10) on a large number of detectors and we estimated the entropy of the four pixels submatrices as if they were illuminated by a uniform intensity (an improved code for evaluating Eq. (10) is required for a larger number of pixels). The comparison of the classical and quantum min-entropies is presented in Fig. 7. We conservatively assumed that the whole sensor was illuminated with the largest value of registered: in this way it is possible to increase the relative secure rate. By this approach we were able to generate secure random numbers at a rate of . We note that such rate can be improved by using a laser light at a different wavelength, where the detection efficiency is higher. Indeed, when the measured detection efficiency is high, Eve must keep the detector active with high probability, giving her less chance to guess the output string .
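The comparison discussed in this section, as an added Python example that is not the authors' code. It assumes a Poissonian source, uniform illumination, identical pixels with a constructed efficiency eta, and a gating probability chosen so that the click probability equals the measured one; these formulas are this example's reading of the model described in the text, and all names are hypothetical.

```python
from math import comb, exp, log, log2, sqrt

def p_string(m, n, k, a):
    """P(x | d, n) for a string with k clicks when a of the m pixels are active."""
    r = m - a                                        # inactive pixels absorb freely
    return sum((-1) ** (k - j) * comb(k, j) * (j + r) ** n
               for j in range(k + 1)) / m ** n

def activation_probability(mu, eta):
    """Assumed gating probability: active * (at least one photon) = measured click rate."""
    return (1 - exp(-eta * mu)) / (1 - exp(-mu))

def classical_min_entropy(m, mu, eta):
    """-log2 of the most likely string for m independent, identical pixels."""
    p1 = 1 - exp(-eta * mu)                          # measured click probability
    return -m * log2(max(p1, 1 - p1))

def conditional_min_entropy(m, mu, eta):
    """-log2 of Eve's average best guess when she knows n and the gating pattern."""
    lam = m * mu                                     # mean photons per frame
    pa = activation_probability(mu, eta)
    weights = [comb(m, a) * pa ** a * (1 - pa) ** (m - a) for a in range(m + 1)]
    n_max = int(lam + 10 * sqrt(lam) + 20)           # Poisson truncation point
    p_n, seen, guess = exp(-lam), 0.0, 0.0
    for n in range(n_max + 1):
        if n:
            p_n *= lam / n                           # Poisson pmf, computed iteratively
        seen += p_n
        for a, w in enumerate(weights):
            best = max(p_string(m, n, k, a) for k in range(min(a, n) + 1))
            guess += p_n * w * best
    guess += max(0.0, 1.0 - seen)                    # count the unseen tail as a sure guess
    return -log2(min(1.0, guess))

if __name__ == "__main__":
    m, eta = 9, 0.1                                  # constructed values, 3x3 submatrix
    for mu in (0.5, 2.0, log(2) / eta):              # mean photons per pixel
        print(mu, classical_min_entropy(m, mu, eta), conditional_min_entropy(m, mu, eta))
```

With these constructed values, the setting that maximises the classical min-entropy (9 bits) leaves less than 0.01 conditional bits, while a lower photon flux gives a larger conditional value that stays below the classical one.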
V Conclusions
We here presented a protocol which enables the user of a multi-detector QRNG to extract secure random bits for cryptographic applications. In our framework an eavesdropper may have access to the “classical information” of the QRNG, that can be used to enhance her chances to guess the generator outcomes. Such “classical information” is represented by the number of photons emitted by the source and the detector status. Indeed, in our model, the measured detector inefficiencies are modeled by perfect detectors that are randomly activated by the adversary. As we demonstrated, an efficient combinatorial method can be used to calculate the conditional min-entropy. Once the quantum min-entropy is known, the generated sequence must be post-processed by a randomness extractor that will generate bits with the rate imposed by . In this “paranoid scenario”, we were able to generate secure random numbers at a rate of . It is worth noticing that, if the information available to Eve is reduced (for instance by assuming that she does not know the number of photons emitted by the source or by assuming that she cannot control the detector gating), the secure key rate will be increased.
By comparing the conditional min-entropy and the commonly used classical min-entropy , we have shown how the use of the latter, while it may increase the generation rate up to , might endanger the QRNG security.
VI Acknowledgements
We thank Micro Photon Devices for the loan of the SPC camera.
Appendix A Evaluation of the r-restricted Stirling numbers
As reported in Eq. (31) of (15), the restricted Stirling numbers of the second kind satisfy the following relation
(11) 
for any integer such that . By replacing , and using we obtain . Now, we may exploit the property that the Stirling numbers can be evaluated by the explicit formula (16)
(12) 
Then (11) may be written as
(13)  
We have thus demonstrated Eq. (9) of the main text.
Footnotes
If is not a power of 2, a multinomial tree can be also obtained. In this case the beam splitters are no longer 50:50, but their transmissivity is set such that a single photon entering in the tree has the same probability of arriving at each detector.
References
(1) D. Stucki, S. Burri, E. Charbon, C. Chunnilall, A. Meneghetti, and F. Regazzoni, in K. L. Lewis, R. C. Hollins, T. J. Merlet, M. T. Gruneisen, M. Dusek, J. G. Rarity, and E. M. Carapezza, editors, Proc. SPIE 8899, 88990R (2013).
(2) S. Burri, D. Stucki, Y. Maruyama, C. Bruschini, E. Charbon, and F. Regazzoni, in International Image Sensor Workshop, EPFLCONF191217, 5–8 (2013).
(3) Q. Yan, B. Zhao, Q. Liao, and N. Zhou, Review of Scientific Instruments 85, 103116 (2014).
(4) B. Sanguinetti, A. Martin, H. Zbinden, and N. Gisin, Physical Review X 4, 031056 (2014).
(5) Y. Li, S.K. Liao, F.T. Liang, Q. Shen, H. Liang, and C.Z. Peng, Chinese Physics Letters 33, 030303 (2016).
(6) D. Frauchiger, R. Renner, and M. Troyer, [arXiv:1311.4547] (2013).
(7) F. Guerrieri, S. Tisa, A. Tosi, and F. Zappa, in E. Bodegom and V. Nguyen, editors, Proc. SPIE 7536, 753605 (2010).
(8) SPC2 camera: http://www.microphotondevices.com/Products/PhotonCounters/SPC2.
(9) R. Konig, R. Renner, and C. Schaffner, IEEE Transactions on Information Theory 55, 4337 (2009).
(10) M. Tomamichel, R. Renner, C. Schaffner, and A. Smith, in 2010 IEEE International Symposium on Information Theory, 2703–2707, IEEE (2010), ISBN 9781424478927.
(11) J. M. Renes and R. Renner, IEEE Transactions on Information Theory 58, 1985 (2012).
(12) G. Vallone, D. G. Marangon, M. Tomasin, and P. Villoresi, Phys. Rev. A 052327, 2 (2014).
(13) D. G. Marangon, G. Vallone, and P. Villoresi, [arXiv: 1509.07390] (2015).
(14) M. Sierpinski, Comptes Rendus hebdomadaires des séances de l’Académie des Sciences de Paris 160, 302 (1915).
(15) A. Z. Broder, Discrete Mathematics 49, 241 (1984).
(16) H. Sharp, Journal of Combinatorial Theory 5, 82 (1968).