# MHz-rate semi-device-independent quantum random number generators based on unambiguous state discrimination

## Abstract

An approach to quantum random number generation based on unambiguous quantum state discrimination (USD) is developed. We consider a prepare-and-measure protocol, where two non-orthogonal quantum states can be prepared, and a measurement device aims at unambiguously discriminating between them. Because the states are non-orthogonal, this necessarily leads to a minimal rate of inconclusive events whose occurrence must be genuinely random and which provide the randomness source that we exploit. Our protocol is semi-device-independent in the sense that the output entropy can be lower bounded based on experimental data and few general assumptions about the setup alone. It is also practically relevant, which we demonstrate by realising a simple optical implementation achieving rates of 16.5 Mbits/s. Combining ease of implementation, high rate, and real-time entropy estimation, our protocol represents a promising approach intermediate between fully device-independent protocols and commercial QRNGs.

^{1}

^{2}

Many tasks in modern science and technology make use of random numbers, including Monte Carlo simulation, statistical sampling, cryptography, and gaming applications Hayes (2001). In general, a good random number generator is desired to produce output with a high entropy and at a high rate. For applications requiring security, such as cryptography and gambling, the randomness must be certified relative to any untrusted parties. Due to the inherent randomness in quantum physics, in recent years, intense effort has been devoted to extracting randomness from quantum systems, and quantum random number generation (QRNG) devices are now commercially available Herrero-Collantes and Garcia-Escartin (2017); Bera *et al.* (2016).

QRNG can be implemented in a simple setup, exploiting the randomness in a quantum measurement. For example, one may send a single photon onto a balanced beam splitter and detect the output path Rarity *et al.* (1994); Stefanov *et al.* (2000); Jennewein *et al.* (2000). Other variants measure the arrival time of single photons Dynes *et al.* (2008); Wahl *et al.* (2011); Nie *et al.* (2014); Stipčević and Rogina (2007); Stipčević and Ursin (2015), the phase noise of a laser Qi *et al.* (2010); Uchida *et al.* (2008); Abellán *et al.* (2014), vacuum fluctuations Gabriel *et al.* (2010); Symul *et al.* (2011), and shot-noise in mobile phone cameras Sanguinetti *et al.* (2014). However, the principle is essentially the same. The device produces a string of raw bits, which in general contains some amount of randomness but is not perfectly random. In order to extract a final (almost) perfectly random bit string, one uses a randomness extractor Nisan and Ta-Shma (1999). The correct use of such extractors requires a good estimate of the entropy of the raw data. This can be obtained via detailed theoretical modelling of the setup Frauchiger *et al.* (2013); Ma *et al.* (2013), but this is usually cumbersome and challenging. Moreover, any mismatch between the model and the implementation, or the instability of the device may jeopardize the security of the protocol.

It turns out that these problems can be circumvented via the so-called device-independent (DI) approach to randomness certification. In a setup violating a Bell inequality, the entropy of the output data can be certified without any detailed knowledge of the physical implementation Colbeck (2009); Pironio *et al.* (2010); see Acin and Masanes (2016) for a review. This provides a highly reliable and secure form of randomness, as it allows the physical devices to be completely untrusted and is thus robust against imperfection in implementation. However, it is technologically extremely challenging to realise as it requires Bell-inequality violation with no post-selection. So far, only proof-of-principle experiments were reported Pironio *et al.* (2010); Christensen *et al.* (2013), achieving very low bit rates.

More recently, an intermediate approach termed semi-DI has been discussed, exploring the trade-off between ease of implementation and strong security Pawłowski and Brunner (2011); Li *et al.* (2011, 2012); Bowles *et al.* (2014); Woodhead and Pironio (2015). Usually based on a prepare-and-measure setup (hence avoiding the complication of a Bell test), these schemes gain ease of implementation by introducing some level of trust in the devices used. Still, they require only general assumptions about the physical implementation, such as bounded dimension Lunghi *et al.* (2015); Cañas *et al.* (2014); Mironowicz *et al.* (2016), trusted measurement devices Vallone *et al.* (2014); Marangon *et al.* (2017); Cao *et al.* (2016); Xu *et al.* (2016), or a trusted source Cao *et al.* (2015). While significant progress has been achieved, it is fair to say that the right balance between simplicity, performance, and security has yet to be identified.

Here, we explore a novel approach to quantum random number generation, based on unambiguous quantum state discrimination (USD). Specifically, a quantum system is prepared in one out of two quantum states which are non-orthogonal and hence cannot be distinguished with certainty. However, by performing a USD measurement, the two states can be unambiguously distinguished (i.e. without false positives), at the price of having a certain minimal rate of inconclusive events Ivanovic (1987); Dieks (1988); Peres (1988); see also Chefles (2000); Barnett and Croke (2009). The occurrence of these inconclusive events must be genuinely random (if not, the states could be distinguished better), and this is the source of quantum randomness that we use. Our protocol is semi-DI in the sense that the output entropy can be lower bounded based on experimental data and a few general assumptions about the setup. The concept is general, and can thus be implemented in a variety of physical systems. We have implemented the protocol in a simple optical setup using time-bin or photon number encoding. Our setup features only standard components and achieves a rate of 16.5 Mbits/s, comparable with commercial QRNGs. Hence our protocol combines high performance and ease of implementation with the possibility for the user to verify the generation of certified quantum randomness in real-time.

## I Protocol

The conceptual scheme is illustrated in Fig. 1. The protocol consists in three steps. (1) data collection from measurements on quantum states, (2) estimation of the genuinely quantum entropy in the data, and (3) randomness extraction.

In step (1), a preparation device takes a binary input and emits a quantum system in state . The central assumption of the protocol is that the overlap of the two possible states is lower-bounded, . In other words, we assume that the states are non-orthogonal and hence not deterministically distinguishable. However, a detailed description of the states is not required. For simplicity, we keep the states pure for now. At the end of this section, we discuss the precise assumptions which our protocol is based on.

The state is sent to a measurement device, which provides a ternary output . The main idea of our protocol is that the measurement device performs USD. The goal is thus to maximize the probability of identifying which state has been prepared without errors, i.e. maximize while ensuring that . While quantum theory allows for such a measurement, it imposes a minimal rate of inconclusive events Barnett and Croke (2009). Note that this is a fundamental limit of quantum theory; if a better measurement were possible, this would have dramatic consequences, e.g. instantaneous transmission of information. Importantly, it is not possible to predict in advance whether a particular round of the experiment will be conclusive or inconclusive. Clearly, if that were possible, then a better measurement could be implemented. Therefore, the occurrence of inconclusive events is a genuinely random quantum phenomena.

The protocol exploits this randomness source in order to generate a final random bit string. In each round of the protocol, we thus define a bit which encodes whether this round was conclusive or not, i.e. if and if . The value of when the measurement is conclusive (i.e. or ) will not be directly used for extracting randomness. This value is however important, and will be used in order to estimate the entropy in the data. One can understand this as verifying that the measurement device is indeed performing a USD measurement, i.e. self-testing of the device.

Our goal is now to bound the amount of randomness in given the overlap and the observed , that is, the probability of obtaining output given preparation . To see that the idea makes sense, consider first the ideal case in which the preparation device emits two states with overlap , and the measurement device implements a perfect USD. Here we have that , no errors , and . Hence the probability of guessing is . In particular, for the choice , a perfectly random bit can thus be certified.

Now consider the general case, where the statistics are not assumed to originate from a perfect USD measurement, for instance due to unavoidable technical imperfections. Given the probabilities and a bound on the overlap , we show how to bound the probability of guessing for an observer with complete knowledge of the inner workings of the device, the input states, and the details of the measurement, which may vary from run to run. We label the measurement strategies by . The guessing probability averaged over inputs and measurement strategies, occurring with probabilities and respectively, is then given by

(1) |

where , and are the elements of a three-outcome positive-operator-value measure (POVM) describing the measurement. To certify randomness, we need to upper bound over all possible measurement strategies which are consistent with the observed experimental data. Because the trace is invariant under unitary transformations, only the overlap of the input states matter, and not the states themselves. As we explain in App. A, upper bounds on can be established by means of semidefinite programming (SDP). Specifically,

(2) |

for any numbers which fulfil that there exists four hermitian matrices , with such that

(3) |

Coefficients that are optimal for particular data can be found by SDP. However, given valid and fixed , the bound (2) holds for any . This implies that it is not necessary to run an SDP every time is updated. One only needs to evaluate (2) which is a simple, linear function of the data, using fixed values of (or a few tabulated values and take the tightest bound). This enables fast QRNG and simple incorporation of finite-size effects. Note that for perfect USD of states with overlap , we find (numerically, using SDP to optimise ), that our bound certifies ^{3}

In step (2) of the protocol, from the experimental data of a number of runs, the input-output probability distribution is estimated, and the bound (2) is evaluated. This also provides a bound on the genuinely quantum entropy in the string of raw bits , given by the min-entropy

(4) |

The min-entropy quantifies the number of certified random bits that can be extracted per bit of the raw data Konig *et al.* (2009). The final step (3) of the protocol consists in extracting a final random bit string via a randomness extraction procedure, based on the bound on .

Finally, we discuss all assumptions required in our protocol. First, we assume that the input is generated independently from the devices, in particular should be independent from . In our experimental implementation, will be generated from a classical RNG (e.g. a pseudo randomness generator). The second assumptions concerns the overlap of the two prepared states. We assume that, in each round of the protocol, the two prepared states cannot be perfectly distinguished (using any possible quantum measurement procedure). If the two states are pure, it is possible to discriminate them without any error, at the price of having a minimal rate of inconclusive rounds, given by the overlap between the two states. Note that if the states are mixed, with overlapping support, then they cannot be distinguished unambiguously anymore.
We assume that the two prepared states, and fulfill , where is the fidelity. This condition must hold with respect to any observer, in particular from the point of view of the measuring device. No additional information is available which allows picking out specific terms in any decomposition of the states. This ensures that and have a minimal indistinguishability from the point of view of the measuring device. Hence, no measurement procedure allowed in quantum theory would allow one to distinguish the two states better. In particular, no fault in the implementation of the measuring device can make the states more distinguishable. Since, without additional information, going from pure to mixed states with the same fidelity cannot help in distinguishing the states, taking and pure is the most conservative choice when bounding the guessing probability, and hence our bound above is general under this assumption. We note that our requirement is similar to assuming that the prepared states in different rounds are independent and identically distributed (i.i.d.) with respect to all observers, however it is strictly weaker as we do not need the states in every round to be the same, only that their relative fidelity is bounded ^{4}

## Ii Implementations

We now discuss different possible implementations of our protocol. In the next section we report the experimental realization of two of these schemes, thus demonstrating practical relevance in situations involving loss and imperfections.

*Implementation 1.* A first implementation uses a time-bin encoding, see Fig. 2 (a). Here the two states are encoded by weak coherent pulses emitted in pairs of time-bins

(5) |

where denotes the vacuum and a coherent state with mean photon number . The overlap of these states is directly related to , namely

(6) |

For weak pulses (), the overlap is significant. Note that this encoding is reminiscent of the QKD protocol COW Stucki *et al.* (2005).

A practical advantage of this implementation is the simplicity of realizing the (optimal) USD measurement, which simply requires a single-photon detector with timing resolution sufficient to distinguish the two time bins. If a click is registered in the early (late) time-bin, the system outputs (), while if no click is registered, the outcome is inconclusive . It is straightforward to check that in the absence of losses and noise, , hence the measurement achieves the minimal rate of inconclusive outcomes, while giving no errors.

In practice the measurement does not achieve the optimal USD exactly. Typically, detector inefficiency increases the inconclusive rate above that of the perfect USD, while detector dark counts increase the error rate. Nevertheless, randomness can still be extracted, as our protocol is sufficiently robust.

*Implementation 2.* Another possible implementation consists in using only a single weak coherent pulse, see Fig. 2 (b). The two non-orthogonal states are now simply

(7) |

This corresponds to an encoding in the photon number degree of freedom. The overlap between the two states is .

As above, we use as a measurement a simple single-photon detector. If a click is registered, the output is , while if no click is registered, the output is . The output thus never occurs. Note that the measurement is now effectively binary, and corresponds to a partial USD measurement, in the sense that it is only the state that is identified unambiguously, hence . So, the randomness is effectively generated from the state , while the state is used to test that the device correctly performs the USD. Similarly to quantum key distribution protocols, it will then be advantageous to bias the input probability, i.e. setting , in order to increase the output entropy. This will be discussed in the next section where we implement this protocol.

*Further implementations.* Our approach can be implemented using more general encodings. For instance, a polarization encoding also represents a practical solution. Given two non-orthogonal states of polarization, the optimal USD measurement can be realized using a partial polarizer (i.e. polarization dependent losses) Huttner *et al.* (1996). Encodings using frequency or spatial modes could also be considered.

## Iii Experiments

We have experimentally realized our QRNG based on USD, using the two main implementations discussed above, namely based on time-bins (two pulses) and photon number encodings (single pulse). Both implementations are essentially based on the same setup, with only minor modifications.

We first discuss the time-bin implementation. In order to generate the two non-orthogonal states (5), a field-programmable gate array (FPGA) triggers a fibered laser diode at a rate of 50 MHz, as presented in Fig. 3. A pseudo-random generator generates the input . If the electronic pulse is delayed by 10 ns, while nothing happens if . This generates the states and , respectively. At each trigger signal, the laser diode emits light pulses of 40 ps at 655 nm. To set the appropriate light intensity, two adjustable attenuators are placed at the output of the laser after a 50/50 beam-splitter (BS). The second port of the BS is connected to a calibrated power meter which monitors the laser power, and the attenuation is adjusted based on this reading.

At the output of the source, the light is detected by a silicon avalanche photodiode single-photon detector (PerkinElmer - SPCM-AQR) with an efficiency of 77% and a temporal jitter smaller than 1 ns, which is enough to temporally discriminate the pulses separated by 10 ns. The detector has around 300 Hz of dark counts and a dead-time of 50 ns. All the detection events are recorded by the FPGA. Every second, after taking data, the conditional probabilities are evaluated. This generates 50 M of raw bits, the entropy of which will be estimated via our protocol. The estimation of the probabilities is made from a finite number of trials N. To take into account the error on the estimation of these probabilities due to finite statistics effect we use the Chernoff-Hoeffding tail inequality Hoeffding (1963), which provides an upper (lower) bound on the probability that the sum of random variables deviates from its expected value. From the experimental statistics , where denote the number of events with outcome and input , we get:

(8) |

with . Here, is the confidence index, which represents the probability that the above relation is not satisfied. In our experiments, we choose . From this, we can lower bound the relation of Eqs. (2) by:

(9) |

Note that the above bound is conservative, but essentially optimal when is very small; a tighter bound can be obtained by further imposing that the distribution is normalized. To generate the final bit string with quasi-perfect entropy, an extractor is applied to the raw bit string, with a compression factor which depends on the target entropy and the min-entropy contained in the raw data, . Hence, the final bit rate of the QRNG is adapted in such a way that the min-entropy per output bit is constant.

In our configuration, the light pulse energy is the only adjustable parameter that can be tuned to optimize the min-entropy per raw bit. Fig. 4 (left) represents the min-entropy as a function of which is directly related to the overlap between the two states through (6). The upper red curve represents the theoretical prediction taking into account the finite statistic effect when we consider single-photon detection with an efficiency of 77% (i.e. matching our experimental value, but without saturation effects) ^{5}

Let us now move to the second implementation, using photon number as a degree of freedom. In this single pulse approach, the only difference is the configuration of the FPGA. Indeed, instead of delaying or not the optical pulse, the FPGA now sends or not the pulse (hence the emitted state is the vacuum) with a probability . This probability bias is optimal when we consider a block size of 50 Mbits. Note that the bias can be increased for a larger block size, in order to increase the generation rate. As shown in Fig. 4 (right), we obtain here an entropy per bit of 0.33 for , which allows us to generate 16.5 MHz of final random bits after extraction.

Finally, let us comment on the justification of the assumptions required in our protocol. These are essentially the same in both configurations. The first assumption concerns the fact that the generation of the input must be independent from the devices. This is easily realized since is generated by the FPGA. The second assumption is the crucial one. Here we must ensure that the pulse energy of the source is well characterized, in order to satisfy the assumption that the overlap of the two states is at least . Importantly, the overlap must be bounded in each round of the protocol, which can be delicate if the source features non-negligible power fluctuations, e.g. due to instabilities in the laser itself or in the attenuator in Fig. 3. When the energy per pulse becomes higher, the overlap of the output states decreases, hence if such fluctuations are not accounted for, the overlap may decrease below , violating the assumption. There are several possibilities to address this point. First, one can choose in a conservative manner, and not based directly on the (mean) power of the source , but rather with respect to a maximal energy per pulse . That is, the protocol can be run under the assumptions of a given overlap (corresponding to ), while the mean pulse energy of the source corresponds in fact to a much larger overlap, i.e. . This will decrease the entropy per bit, as shown in Fig. 5, but final randomness can nevertheless still certified, given that power fluctuations are not too large. Another possibility would be to use an optical fuse Todoroki and Inoue (2004), i.e. an optical channel breaking down above a certain threshold intensity.

## Iv Conclusion

We have proposed an approach to quantum random number generation based on USD measurements. The protocol is in prepare-and-measure configuration, and based on the fact that the occurrence of inconclusive events in unambiguous state discrimination must be genuinely random. Our protocol offers semi-DI security, in the sense that the amount of trust in the physical implementation is low. Specifically, the main assumption is a bound on the overlap of the prepared states, but no assumption about the measurement device is needed. At the same time, the protocol is practical, which we demonstrated by implementing it using a simple optical setup. We achieved a random bit rate of 16.5ṀHz, which is comparable to commercial QRNGs QRN (). Our approach thus combines strong security, allowing the user to monitor the entropy of the output in real time, as well as ease of implementation and high rates.

*Note added.* The setup of the single-pulse protocol was independently discussed by the authors of Ref. Himbeeck *et al.* (2016), but analyzed under different technical and security assumptions.

*Acknowledgements.* We thank Stefano Pironio and Eric Woodhead for discussions. We acknowledge financial support from the Swiss National Science Foundation (Starting grant DIAQ, Grant SNF , and QSIT) and the AXA Chair in Quantum Information Science, a Severo Ochoa Grant SEV-2015-0522 and Fundacion CELLEX.

## Appendix A Bounding by semidefinite programing

In this Appendix, we show how the guessing probability can be bounded via SDP. We discuss both the primal and dual programs. We start our analysis by assuming a fixed overlap between the two prepared states, and show in the end that this is general, i.e. that the case is covered.

### a.1 Primal

For a fixed overlap and given data , the guessing probability is bounded by the maximisation over all measurement strategies and their distribution, reproducing the data. Assuming that the inputs are balanced, , and denoting the distribution of measurement strategies by and the density matrices , we have that

(10) |

with the constraint that the data is reproduced, i.e. that . We note that, although it looks like the above expression depends on the states , this is not actually the case, as the trace is invariant under unitary transformations. Furthermore, since there are just two states we can restrict to a 2-dimensional Hilbert space without loss of generality. Hence, we can take the two states to be and in some basis . It is then clear that the maximum depends only on and the observed data .

A priori, the number of measurement strategies is unbounded. However, following Bancal *et al.* (2014), all strategies for which the inner maximization occurs for the same term can be grouped together. It is then sufficient to consider four different measurement strategies corresponding to the max occurring for the first or second term for each , and one can remove the inner maximization without loss of generality. We label these strategies by where determines which term is maximal for the input . We thus have four POVMs with elements . Defining , the bound can be written

(11) |

Finally, we absorb the weights into the POVM elements and define , and . With this, we arrive at a bound which can be computed by semidefinite programming

(12) |

subject to the constraints that the be hermitian, positive semidefinite, sum to the identity, that they form a valid, subnormalised measurement for each , and that the data is reproduced. That is

(13) | ||||

(14) | ||||

(15) | ||||

(16) |

Note that normalisation of and together with conditions (15) and (16) imply that . Since (12) is linear in the , and the constraints are semidefinite, the maximisation defines an SDP and can be solved efficiently, providing optimal bounds on for every given state overlap and observed data.

### a.2 Dual

While the primal SDP above gives optimal bounds on the guessing probability for given observed data and a fixed state overlap, it is not practical to incorporate directly into the QRNG for several reasons. The first is speed. Every time the distribution is updated based on the raw data, the SDP must be evaluated to update the bound. This evaluation typically takes on the order of a second, potentially slowing down the bit rate significantly. Second, experimentally the state overlap is not known exactly, but a lower bound can be established with high certainty. Hence, one would like a bound which is valid for any larger overlap. Third, since is estimated from finite raw data, finite-size effects must be accounted for in the bound. It is not obvious how to incorporate this into the primal SDP in an efficient manner.

Fortunately, all of these concerns can be addressed by using the dual SDP. A solution of the dual provides an upper bound on the solution of the primal, and hence on . When the data changes, a new bound can be found by evaluating a simple, linear function of with no need to run the full SDP as long as is fixed. Furthermore, because the function is linear, finite-size effects can be incorporated straightforwardly. The bound can be shown to hold for any overlap , as discussed at the end of this section.

We now derive the dual SDP in a manner which makes it clear that it upper bounds the primal. For each of the constraints in (14)-(16) we introduce Lagrangian multipliers, respectively hermitian 2x2 matrices , , and real scalars . We define a Lagrangian function of the primal SDP variables and these new variables, given by

(17) | |||

We further define to be the supremum of the Lagrangian over the primal SDP variables. That is

(18) |

For any particular solution of the primal SDP (12)-(16), the two last terms in the Lagrangian (A.2) vanish, because the solution fulfills the constraints (15)-(16). Similarly, because of (14), the second term in the Lagrangian is positive if the are restricted to be positive. The first term of the Lagrangian is the target function of the primal (12). It follows that is an upper bound on the value of the primal, , when , and thus also an upper bound on the guessing probability .

To get good bounds, we should minimise over the Lagrangian multipliers. To this end, we first rewrite in a more convenient form. We collect all terms which multiply the primal variables.

(19) |

where

(20) |

Since here the are not restricted to being positive, we see that the supremum in (19) will be infinite, unless vanishes. Hence, to get good bounds on we must impose that . Since the operators are positive semidefinite but not otherwise restricted, this is equivalent to dropping from (A.2) and requiring that the remaining expression is negative semidefinite. Using this, we finally arrive at our dual SDP

(21) |

subject to

(22) | ||||

(23) |

From the above, it should be clear that . We also see that the data does not appear in the dual constraints (22)-(A.2). This means that given one feasible dual solution (a set of and fulfilling the constraints), valid bounds on can be computed for any data by evaluating the right-hand-side of (21). This is a simple linear function and can be evaluated very fast in practice. Furthermore, this form allows us to treat finite-size effects easily, as explained in the main text; see Eq. (9).

The dual bound also remains valid when the overlap of the input states increases. To see this, consider the space of conditional distributions thought of as vectors . A bound of the form

(24) |

for fixed numbers , defines a hyperplane in this space, with all distributions fulfilling the bound lying in one of the corresponding half spaces. Let us denote the set of all distributions which can be generated from a pair of pure states with overlap by . It is easy to see that this set must be convex. We then have a picture as in Fig. 6. Since the bound on holds for all points in , to show that it also holds for all , it is sufficient to show that , i.e. that any distribution which can be obtained from two states with overlap can also be obtained from two states with smaller overlap .

This can be shown as follows. Consider two pure states , with overlap . We add an ancilla system, and define states , and , , where is some fixed state and a different state. Then , and , where can be set to any value by adjusting the overlap of the ancilla states .

Now, any distribution which can be obtained from the states can clearly also be obtained from by extending the POVM trivially, . However, the same POVM acting on the states will give the same distribution, because it is acting trivially on the ancilla, . Hence, for any distribution obtained from a POVM on a pair of pure states with overlap , there exists another pair of pure states with overlap and a POVM reproducing the distribution.

Finally, we observe that since we are working only with pairs of states, the ancilla is in fact unnecessary. Any obtained from a pair of pure states can be obtained from a pair of qubit states (with the same overlap). Also, since any pair of pure qubit states is unitarily related to any other pair with the same overlap, it follows that any pair with overlap can reproduce the measurement statistics from any pair with overlap .

### Footnotes

- thanks: These authors contributed equally to this work.
- thanks: These authors contributed equally to this work.
- Note that this bound assumes . If , then the outcome will be most likely be conclusive, and therefore we have that .
- Note though, that the assumption cannot be relaxed to a bound on the average overlap over many rounds, as there is then a classical strategy reproducing the USD probability distribution.
- The two peaks of the top curve on the left plot in Fig. 4 arise from two different measurement strategies maximising the guessing probabilities, while reproducing the observed data, in different loss regimes. Disregarding finite size effects, for low loss, a USD strategy is optimal, and fixing the conclusive rate at 1/2 requires a choice of . For increasing loss, a mixture of strategies where only one state is identified (i.e. one of the outputs 0 or 1 has vanishing probability) becomes optimal. In this case the inconclusive rate is and the optimal .

### References

- B. Hayes, “Randomness as a Resource,” Am. Sci. 89, 300 (2001).
- M. Herrero-Collantes and J. C. Garcia-Escartin, “Quantum random number generators,” Rev. Mod. Phys. 89, 015004 (2017).
- M.N. Bera, A. Acin, M. Kus, M. Mitchell, and M. Lewenstein, “Randomness in Quantum Mechanics: Philosophy, Physics and Technology,” arXiv:1611.02176 [quant-ph] (2016).
- J.G. Rarity, P.C.M. Owens, and P.R. Tapster, “Quantum random-number generation and key sharing,” J. Mod. Opt. 41, 2435–2444 (1994).
- A. Stefanov, N. Gisin, O. Guinnard, L. Guinnard, and H. Zbinden, “Optical quantum random number generator,” J. Mod. Opt. 47, 595–598 (2000).
- T. Jennewein, U. Achleitner, G. Weihs, H. Weinfurter, and A. Zeilinger, “A fast and compact quantum random number generator,” Rev. Sci. Instrum. 71, 1675–1680 (2000).
- J. F. Dynes, Z. L. Yuan, A. W. Sharpe, and A. J. Shields, “A high speed, postprocessing free, quantum random number generator,” Appl. Phys. Lett. 93, 031109 (2008).
- M. Wahl, M. Leifgen, M. Berlin, T. Röhlicke, H.-J. Rahn, and O. Benson, “An ultrafast quantum random number generator with provably bounded output bias based on photon arrival time measurements,” Appl. Phys. Lett. 98, 171105 (2011).
- You-Qi Nie, Hong-Fei Zhang, Zhen Zhang, Jian Wang, Xiongfeng Ma, Jun Zhang, and Jian-Wei Pan, “Practical and fast quantum random number generation based on photon arrival time relative to external reference,” Appl. Phys. Lett. 104, 051110 (2014).
- M. Stipčević and B. Medved Rogina, “Quantum random number generator based on photonic emission in semiconductors,” Rev. Sci. Instrum. 78, 045104 (2007).
- M. Stipčević and R. Ursin, “An On-Demand Optical Quantum Random Number Generator with In-Future Action and Ultra-Fast Response,” Sci. Rep. 5, 10214 (2015).
- Bing Qi, Yue-Meng Chi, Hoi-Kwong Lo, and Li Qian, “High-speed quantum random number generation by measuring phase noise of a single-mode laser,” Opt. Lett. 35, 312–314 (2010).
- A. Uchida, K. Amano, M. Inoue, K. Hirano, S. Naito, H. Someya, OowadaIsao, T. Kurashige, M. Shiki, S. Yoshimori, K. Yoshimura, and P. Davis, “Fast physical random bit generation with chaotic semiconductor lasers,” Nat. Photon. 2, 728–732 (2008).
- C. Abellán, W. Amaya, M. Jofre, M. Curty, A. Acín, J. Capmany, V. Pruneri, and M. W. Mitchell, “Ultra-fast quantum randomness generation by accelerated phase diffusion in a pulsed laser diode,” Opt. Express 22, 1645–1654 (2014).
- C. Gabriel, C. Wittmann, D. Sych, R. Dong, W. Mauerer, U. L. Andersen, C. Marquardt, and G. Leuchs, “A generator for unique quantum random numbers based on vacuum states,” Nat. Photon. 4, 711–715 (2010).
- T. Symul, S. M. Assad, and P. K. Lam, “Real time demonstration of high bitrate quantum random number generation with coherent laser light,” Appl. Phys. Lett. 98, 231103 (2011).
- B. Sanguinetti, A. Martin, H. Zbinden, and N. Gisin, “Quantum random number generation on a mobile phone,” Phys. Rev. X 4, 031056 (2014).
- Noam Nisan and Amnon Ta-Shma, “Extracting randomness: A survey and new constructions,” J. Comput. Syst. Sci. Int. 58, 148 – 173 (1999).
- Daniela Frauchiger, Renato Renner, and Matthias Troyer, “True randomness from realistic quantum devices,” arXiv preprint arXiv:1311.4547 (2013).
- Xiongfeng Ma, Feihu Xu, He Xu, Xiaoqing Tan, Bing Qi, and Hoi-Kwong Lo, “Postprocessing for quantum random-number generators: Entropy evaluation and randomness extraction,” Phys. Rev. A 87, 062327 (2013).
- R. Colbeck, “Quantum and relativistic protocols for secure multi-party computation,” Ph.D. Thesis, University of Cambridge (2009), arXiv:0911.3814 [quant-ph].
- S. Pironio, A. Acín, S. Massar, A. Boyer de la Giroday, D. N. Matsukevich, P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe, “Random numbers certified by bell’s theorem,” Nature 464, 1021–1024 (2010).
- A. Acin and Ll. Masanes, “Certified randomness in quantum physics,” Nature 540, 213 (2016).
- B. G. Christensen, K. T. McCusker, J. B. Altepeter, B. Calkins, T. Gerrits, A. E. Lita, A. Miller, L. K. Shalm, Y. Zhang, S. W. Nam, N. Brunner, C. C. W. Lim, N. Gisin, and P. G. Kwiat, “Detection-loophole-free test of quantum nonlocality, and applications,” Phys. Rev. Lett. 111, 130406 (2013).
- M. Pawłowski and N. Brunner, “Semi-device-independent security of one-way quantum key distribution,” Phys. Rev. A 84, 010302 (2011).
- Hong-Wei Li, Zhen-Qiang Yin, Yu-Chun Wu, Xu-Bo Zou, Shuang Wang, Wei Chen, Guang-Can Guo, and Zheng-Fu Han, “Semi-device-independent random-number expansion without entanglement,” Phys. Rev. A 84, 034301 (2011).
- Hong-Wei Li, Marcin Pawłowski, Zhen-Qiang Yin, Guang-Can Guo, and Zheng-Fu Han, “Semi-device-independent randomness certification using quantum random access codes,” Phys. Rev. A 85, 052308 (2012).
- J. Bowles, M. T. Quintino, and N. Brunner, “Certifying the dimension of classical and quantum systems in a prepare-and-measure scenario with independent devices,” Phys. Rev. Lett. 112, 140407 (2014).
- E. Woodhead and S. Pironio, “Secrecy in prepare-and-measure clauser-horne-shimony-holt tests with a qubit bound,” Phys. Rev. Lett. 115, 150501 (2015).
- T. Lunghi, J. B. Brask, C. C. W. Lim, Q. Lavigne, J. Bowles, A. Martin, H. Zbinden, and N. Brunner, “Self-testing quantum random number generator,” Phys. Rev. Lett. 114, 150501 (2015).
- G. Cañas, J. Cariñe, E. S. Gómez, J. F. Barra, A. Cabello, G. B. Xavier, G. Lima, and M. Pawłowski, “Experimental quantum randomness generation invulnerable to the detection loophole,” arXiv:1410.3443 (2014).
- P. Mironowicz, A. Tavakoli, A. Hameedi, B. Marques, M. Pawłowski, and M. Bourennane, “Increased certification of semi-device independent random numbers using many inputs and more post-processing,” New J. Phys. 18, 065004 (2016).
- G. Vallone, D. G. Marangon, M. Tomasin, and P. Villoresi, “Quantum randomness certified by the uncertainty principle,” Phys. Rev. A 90, 052327 (2014).
- D. G. Marangon, G. Vallone, and P. Villoresi, “Source-device-independent ultrafast quantum random number generation,” Phys. Rev. Lett. 118, 060503 (2017).
- Z. Cao, H. Zhou, X. Yuan, and X. Ma, “Source-Independent Quantum Random Number Generation,” Phys. Rev. X 6, 011020 (2016).
- Feihu Xu, Jeffrey H. Shapiro, and Franco N. C. Wong, “Experimental fast quantum random number generation using high-dimensional entanglement with entropy monitoring,” Optica 3, 1266–1269 (2016).
- Z. Cao, H. Zhou, and X. Ma, “Loss-tolerant measurement-device-independent quantum random number generation,” New J. Phys. 17, 125011 (2015).
- I.D. Ivanovic, “How to differentiate between non-orthogonal states,” Phys. Lett. A 123, 257 – 259 (1987).
- D. Dieks, “Overlap and distinguishability of quantum states,” Phys. Lett. A 126, 303 – 306 (1988).
- A. Peres, “How to differentiate between non-orthogonal states,” Phys. Lett. A 128, 19 – (1988).
- A. Chefles, “Quantum state discrimination,” Contemp. Phys. 41, 401–424 (2000).
- S. M. Barnett and S. Croke, “Quantum state discrimination,” Adv. Opt. Photonics 1, 238 (2009).
- Note that this bound assumes . If , then the outcome will be most likely be conclusive, and therefore we have that .
- R. Konig, R. Renner, and C. Schaffner, “The Operational Meaning of Min- and Max-Entropy,” IEEE Trans. Inf. Theory 55, 4337–4347 (2009).
- Note though, that the assumption cannot be relaxed to a bound on the average overlap over many rounds, as there is then a classical strategy reproducing the USD probability distribution.
- D. Stucki, N. Brunner, N. Gisin, V. Scarani, and H. Zbinden, “Fast and simple one-way quantum key distribution,” Appl. Phys. Lett. 87, 194108 (2005).
- B. Huttner, A. Muller, J. D. Gautier, H. Zbinden, and N. Gisin, “Unambiguous quantum measurement of nonorthogonal states,” Phys. Rev. A 54, 3783–3789 (1996).
- W. Hoeffding, “Probability inequalities for sums of bounded random variables,” J. Am. Stat. Assoc. 58, 13–30 (1963).
- The two peaks of the top curve on the left plot in Fig. 4 arise from two different measurement strategies maximising the guessing probabilities, while reproducing the observed data, in different loss regimes. Disregarding finite size effects, for low loss, a USD strategy is optimal, and fixing the conclusive rate at 1/2 requires a choice of . For increasing loss, a mixture of strategies where only one state is identified (i.e. one of the outputs 0 or 1 has vanishing probability) becomes optimal. In this case the inconclusive rate is and the optimal .
- Shin-ichi Todoroki and Satoru Inoue, “Optical Fuse by Carbon-Coated TeO 2 Glass Segment Inserted in Silica Glass Optical Fiber Circuit,” Jpn. J. Appl. Phys. 43, L256–L257 (2004).
- “http://www.idquantique.com & http://www.picoquant.com,” .
- T. Van Himbeeck, E. Woodhead, R.S. Garcia-Patron, N. Cerf, and S. Pironio, “Semi-device-independent framework based on natural physical assumptions,” arXiv [quant-ph] , 1612.06828 (2016).
- Jean-Daniel Bancal, Lana Sheridan, and Valerio Scarani, “More randomness from the same data,” New J. Phys. 16, 033011 (2014).