Quantum random number generation 9783319725949, 9783319725963

Table of contents :
Foreword......Page 7
Preface......Page 11
References......Page 17
Acknowledgements......Page 18
Contents......Page 19
1 Motivation......Page 20
2.1 Classical Description of BS......Page 21
2.2 Quantum Mechanics of BS......Page 23
References......Page 29
Quantum Random Number Generation......Page 30
2 Techniques for Quantum Random Number Generation......Page 31
2.1 Random Number Generators Based on Noise......Page 32
2.2 Random Number Generators Based on Quantum Optics......Page 36
2.3 Random Number Generators Based on Non-optic Quantum Effects......Page 44
2.4 Summary......Page 45
3.3 PicoQuant Random Number Generator......Page 46
3.7 Qutools GmbH......Page 47
4.2 Humboldt-Universität Zu Berlin......Page 48
References......Page 50
1 Motivation......Page 54
2 Preliminaries......Page 57
3 Construction......Page 58
4 Security......Page 61
5 Efficiency......Page 62
References......Page 63
1 Motivation......Page 64
2 Principles of Statistical Testing......Page 65
3 Statistical Tests for Assessing the ``randomness'' of RNGs......Page 69
3.1 Tests on a Random Number Stream of m Bits......Page 72
3.2 Tests Based on Sub-sequences of Length k of a Random Bit Stream with Length m......Page 74
3.3 Tests Based on a Sequence of n Random Numbers in the Interval [0,1]......Page 75
4 Experiments: Description of RNGs Under Test......Page 76
5 Results......Page 77
6 Outlook: Uniformity and Discrepancy......Page 80
References......Page 82
1 Introduction......Page 84
2 Concept of a Low-Latency QRNG......Page 86
3.1 Sub-nanosecond Pulsed Laser......Page 88
3.2 Single-Photon Detectors......Page 89
4 Random Number Generation Modeling and Practical Realization......Page 91
5 Results with SLiK-Based Detectors......Page 96
6 Results with SUR500-Based Detector......Page 97
7 Discussion......Page 99
8 Further Research—Next Steps......Page 100
References......Page 101
1 Quantum Randomness......Page 103
2 Quantifying the Randomness......Page 106
2.1 Shannon Entropy......Page 107
3.1 Block Description of a QRNG......Page 108
3.2 Continuous Variable Quantum Information......Page 109
4 Side-Information......Page 110
4.2 Mutual Information Between Measured Data and Quantum Entropy......Page 111
4.3 Entropy of Measured Data Conditioned on Classical Noise......Page 113
4.5 Conditional Min-entropy......Page 115
4.6 Quantum Side-Information......Page 116
4.8 Source and Device Independent Randomness......Page 117
5.1 Homodyne Detection of a Vacuum State......Page 118
5.2 Characterization of Noise and Measurement......Page 120
6.1 Worst-Case Min-entropy......Page 122
6.2 Average Conditional Min-entropy......Page 125
6.3 Experimental Implementation......Page 126
7 Summary and Outlook......Page 127
References......Page 128
1 Motivation......Page 131
2.1 Service Oriented End-to-End Security......Page 132
2.2 Infrastructure Oriented End-to-End Security......Page 135
References......Page 138

Citation preview

Quantum Science and Technology

Christian Kollmitzer Stefan Schauer Stefan Rass Benjamin Rainer Editors

Quantum Random Number Generation Theory and Practice

Quantum Science and Technology Series Editors Raymond Laflamme, Waterloo, ON, Canada Gaby Lenhart, Sophia Antipolis, France Daniel Lidar, Los Angeles, CA, USA Arno Rauschenbeutel, Vienna University of Technology, Vienna, Austria Renato Renner, Institut für Theoretische Physik, ETH Zürich, Zürich, Switzerland Maximilian Schlosshauer, Department of Physics, University of Portland, Portland, OR, USA Yaakov S. Weinstein, Quantum Information Science Group, The MITRE Corporation, Princeton, NJ, USA H. M. Wiseman, Brisbane, QLD, Australia

The book series Quantum Science and Technology is dedicated to one of today’s most active and rapidly expanding fields of research and development. In particular, the series will be a showcase for the growing number of experimental implementations and practical applications of quantum systems. These will include, but are not restricted to: quantum information processing, quantum computing, and quantum simulation; quantum communication and quantum cryptography; entanglement and other quantum resources; quantum interfaces and hybrid quantum systems; quantum memories and quantum repeaters; measurement-based quantum control and quantum feedback; quantum nanomechanics, quantum optomechanics and quantum transducers; quantum sensing and quantum metrology; as well as quantum effects in biology. Last but not least, the series will include books on the theoretical and mathematical questions relevant to designing and understanding these systems and devices, as well as foundational issues concerning the quantum phenomena themselves. Written and edited by leading experts, the treatments will be designed for graduate students and other researchers already working in, or intending to enter the field of quantum science and technology.

More information about this series at http://www.springer.com/series/10039

Christian Kollmitzer Stefan Schauer Stefan Rass Benjamin Rainer •

•

•

Editors

Quantum Random Number Generation Theory and Practice

123

Editors Christian Kollmitzer Security and Communication Technologies Center for Digital Safety and Security AIT Austrian Institute of Technology GmbH Klagenfurt, Austria Stefan Rass Institute of Applied Informatics Universität Klagenfurt Klagenfurt, Austria

Stefan Schauer Security and Communication Technologies Center for Digital Safety and Security AIT Austrian Institute of Technology GmbH Klagenfurt, Austria Benjamin Rainer Security and Communication Technologies Center for Digital Safety and Security AIT Austrian Institute of Technology GmbH Klagenfurt, Austria

ISSN 2364-9054 ISSN 2364-9062 (electronic) Quantum Science and Technology ISBN 978-3-319-72594-9 ISBN 978-3-319-72596-3 (eBook) https://doi.org/10.1007/978-3-319-72596-3 © Springer Nature Switzerland AG 2020 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Dedicated to Judith and Sophie. —Christian Kollmitzer To my family —Stefan Schauer To my family —Stefan Rass For my wife Karin and children, Killian and Zoey. —Benjamin Rainer

Foreword

From coincidence to randomness. A philosophical introduction. The problem of coincidence is virulent especially where humans are affected concretely and existentially. This means that through an occurrence, be it positive or negative, that throws someone out of their routine or seeming confidence, the question gets aroused whether someone or something can be held responsible for this occurrence. This question arises through a beneficial coincidence. Like Aristotle said already at the beginning of Nicomachean Ethics, all humans search for the highest good, namely, eudaimonia (Aristot. EN 1095a). However, eudaimonia can occur in two ways. On the one hand, one can work for one’s happiness and try to create conditions for a successful life. On the other hand, luck stays unavailable. One cannot influence it in order to force it to happen. Because not only the freedom of others, which is not at one’s disposal, is affected by it, but also the fundamental inability to influence all the events that have to do with one’s own life. Luck, including bad luck, make someone feel existential concern, which people generally cannot identify themselves as causes for. But if you believe that events usually have causes for happening, then these causes have to be looked for beyond the spheres of one’s own influence. At first, other people, who support or harm those around them, are considered. These people can be held responsible for one’s good or bad luck, because one may have been exploited for their goals and therefore could have suffered misfortunes. But there are also events that seem to be completely withdrawn from human influence, because nobody can be recognized as the cause for such an event. Religious people will hold a divine or transcendent power responsible for these events. For them, this power is able to induce inexplicable occurrences. Coincidence as an existentially touching experience has the character of fate, which does not have a merely immanent cause. Nevertheless, this coincidence is attributed a particular intention. A divine power causes something to happen to someone because it is able to do so and additionally has a certain intention for its actions.

vii

viii

Foreword

According to the classical theory of the four causes, which distinguishes between the efficient and the final cause, the divine or the transcendent according to the outlined thesis about coincidence is the trigger of an event, as well as the origin of a certain intention that the affected person has for its recipient. Coincidence in the form of good or bad luck, religiously seen, hints at a supernatural authority that intentionally causes an event that can neither be predicted nor anticipated to happen to someone. In this sense, the transcendent has to be regarded as an authority that on the one hand has power over developments both in nature and in human history, and on the other hand has its own intentions and goals, as long as it is connected to the world or humans. If the mentioned occurrences, which are classified as coincidences, are denied their final aspect, meaning that the transcendent power is denied its ability of intention, then this authority is depersonalized. Behind a favorable or unfavorable coincidence, there is no intention anymore, but an event that has befallen one without any addressing. If coincidence is handled that way, one interprets it as fate or kismet, an event that has not been caused by a divine power, but that, even though it interrupted history, also the history of the individual, does not have a purpose. While one expects addressing of an event in the case of it being caused by the divine, a stroke of fate hits the individual unplanned and without the possibility of seeing a higher meaning in it. A person is affected without any possible explanation of why exactly this person is allowed to be fortunate or has to suffer from misfortune. Fate influences history, but does not have purpose, and is without teleology. Modern natural sciences look for coincidence on the basis of understanding it as fate. Doing so, they follow methodical guidelines of their own disciplines, which hold causality as central category of scientific mode of explaining, but differentiate strictly between effective and final causality. Intentions, purposes, and aims have been almost completely eliminated as possibilities of explaining natural phenomena. Ignoring the anthropic principle, which, in its attenuated form, serves as a principle of explanation ex post, final causality does not apply anymore as a legitimate way of explanation. This is based on the dictum handed down by Pierre-Simon de Laplace, which he is said to have responded to Napoleon when he asked why Laplace consistently did not speak of God in his “Mécanique Céleste”. Laplace said: “Je n’avais pas besoin de cette hypothèse-là”. This denial of God as a method of explanation for scientifically explainable nature can be set equal to the elimination of the question of a goal or purpose of nature, which God had previously been regarded as final instance for. Charles Darwin follows this view in “On the Origin of Species” and in “The Descent of Man” also for animate nature and conceived evolutionary natural phenomena in this way as development without intention. With methodical exclusion of final possibilities, it becomes necessary for the understanding of coincidence—even if its existential meaning for the human is kept in mind—not to consult final but, exclusively, effective causality. Coincidence is considered as a causal, but no longer as a final event. For a scientific theory, this requirement means that one is able to explain coincidence strictly by efficient

Foreword

ix

causality. For this it suggests itself to set an accidental event in a way that a causal nexus, which is supposed to help explain an event, meets another one in such a way that both cross at one point and, therefore, something coincidental happens. A crossing like this causes an element of surprise, since, partially, two causal conditions can be stated for the event, but it is impossible to find a causal nexus that is sufficient for the explanation and in which all causal chains are at least indirectly linked to one another. Two events, which can both be declared as causal for themselves (but the coincidence of the two cannot) meet. This view of coincidence is characterized on the one hand by the lack of final causality and on the other hand by the attempt to discover the reason of the event via effective causality without naming a structure of causally linked conditions, much less a closed complex of causes. This perspective on coincidence stays unsatisfactory in the way that the question why the involved causal chains have overlapped exactly at this moment, will not cease to arise. Usually, one assumes that there has to be a reason for this, because we hold the proposition of the (sufficient) reason (nihil est sine ratione sufficiente) as true. This means that— ontologically spoken—nothing can happen without any sufficient reason that evokes the event. If one thinks this way, then the for coincidence assumed unfoundedness is attempted to be cast aside. So it is tried to not hold the coincidence of the event as true, but to defend the causal uniformity of all natural events. There are two possible ways to escape this difficult situation. First, one can try to assess the causal connection as still needing to be found. The connection is assumed to, on principle, be able to be found, even though this approach—due to an unknown reason—is not seen as possible in the present. Second, one can try to justify the unfoundedness of coincidence. In this case, reasons for the inability to find links between the causal chains are looked for. One asks for reasons why there are no causes that connect all the events together. On a meta level, reasons should be found that explain why there are no causes on the first level. With this, it is attempted to keep the causal unity, even if it is attenuated. The absence of the possibility to explain an event by means of causes on the first level is admitted, but on the second level, it is attempted to find reasons for the fact that causes cannot be found. More radical than the mentioned attempts to rescue causal unity and to relativize coincidence along with this process is the assumption that for certain events, neither causal links nor algorithms can be found. Instead of finding reasons for the lack of causes, one admits that the fact has to be treated ontologically, that there are contradictions in natural events that make the principle of sufficient reason and a causally closed nature seem questionable. This is not the assumption that one’s inability to think or the temporary lack of scientific explanation forces one to speak of coincidence. Rather, this concept of coincidence assumes that reality is partially chaotic and, in this sense, not explainable. Unlike a chaos theory, which, despite the multiplying of small differences at the beginning to big differences in the result (after many iterations), assumes the fundamental causality of the event, coincidence, viewed like this, is

x

Foreword

based on fundamental ontological chaos. This means that coincidence lacks both final and global efficient causality. Coincidence has become randomness. For a scientific concept of coincidence, such a theory signifies getting to the limits of causal thought in general. Extending beyond the methodical guidelines of Laplace and Darwin to eliminate final causes as possibilities of explanation as a whole, one arrives at the limits of the explicable if randomness is focused on. Because apart from the only for a thing-ontology relevant types of causation (namely the material and the formal cause in the Aristotelian sense) with the cessation of teleology only efficient causation stays scientifically relevant. If this is questioned, too, then the venture of explaining nature or reality causally has come to its own limit. The methodic possibilities of causation seem to be exhausted by coincidence in the sense of randomness. Such coincidences are only discovered without having the possibility of being explained. Natural sciences, in consequence, are set back to reflect their own preconditions. Maybe this is the reason why the question of coincidence and randomness is highly attractive even, or especially to, natural sciences. Graz, Austria November 2019

Reinhold Esterbauer

Preface

When speaking about randomness, people tend to think toward statistics, like distributions and likelihoods for certain outcomes, and—especially in cryptography—unpredictability. Somewhat ironically, statistics defines a random variable as a measurable mapping, which in no way alludes to matters of unpredictability (the term is not even used in any of the common definitions). So, randomness in statistics and randomness in cryptography are inherently different things, albeit the latter clearly relies on the former. In cryptography, we are primarily interested in independence, uniform distributions, and unpredictability. None of these is necessarily implied by good statistical properties if we think about distributions only: consider the infinite bit-sequence 0101010101…. Obviously, the distribution of 0 and 1 within that string is perfectly uniform, but it is equally obvious to predict; even worse, it is clearly periodic. Sequences that are nonperiodic are easy to find (like the mantissa of any irrational number such as pffiffiffi e; p; 2) but are usually not useful for cryptography. Spigot algorithms for many such numbers allow the computation of individual digits without having to compute the whole mantissa up to the sought digit, and we could use a secretly chosen irrational1 to seed the pseudorandom generator that just computes digits in the mantissa. But such numbers may have bad statistical properties that make them easy to predict from a record of past values. Are there sequences that are easy to compute, have good statistical properties, and never become periodic? Yes, there are, such as the famous Champernowne constant, which is defined by concatenating all naturals into the mantissa in increasing order, i.e., C :¼ 0:1234567891011121314151617. . . This number is clearly irrational, since it will eventually contain sequences of zeroes (or other digits) of arbitrary length, so there cannot be a fixed period. Even better, it can be shown that it is a normal number, meaning the following: Let a 1

Picking such numbers from integer parameters is easy, since, for example, p theffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi polynomial ax2 þ bx þ c has all irrational roots whenever a; b; c are odd numbers; likewise, n 1 þ ða=bÞn is necessarily irrational by the Fermat–Wiles theorem for positive integers a; b.

xi

xii

Preface

random string w over the alphabet R be given, say R ¼ f0; 1; 2; . . .; 9g. Assume that the symbols (digits) in w occur independently and uniformly distributed over R, i.e., we create w by drawing its symbols with replacement from R. Then, w has a “natural” probability of PrðwÞ ¼ jRjjwj , when jwj denotes the length of w (in digits). A normal number, such as the Champernowne constant, is characterized by the fact that every random string w will occur throughout the mantissa with its natural probability (just as defined before). So, C, as well as any other normal number, would have the perfect statistical properties: In computing digits from it and concatenating them into strings toward our random output, we get an output with perfect statistical properties. A celebrated theorem of E. Borel even states that almost all numbers are normal in that sense. Though very many of them exist, however, only a few are explicitly known, and the Champernowne constant is one of them. Though it is very easy to compute and has the perfect properties regarding the distribution of substrings over the mantissa, its trivial predictability makes them useless for cryptographic purposes. For these (among other) reasons, cryptographic random number generators typically use a transformation function f to compute fresh random values from past random values. Different constructions such as pseudorandom number generators (PRNGs) or pseudorandom functions (PRFs) exist [1], all of which have their predictability properties tightly tied to computational intractability hypotheses (see [3] for an overview). Let us look at a typical way of how a PRNG based on iterations can be constructed: we have a function f and pick a random value x0 from which we iterate a sequence xn þ 1 :¼ f ðxn Þ for n ¼ 0; 1; . . .. If f is a mapping between finite sets, any such sequence necessarily becomes periodic, and estimates about when this happens are known [2]. Can we escape the issue by letting f work on infinite domains? More explicitly, can we use a function f that evaluates deterministically but acts stochastically? Again, the answer is positive, since every chaotic function does so. Why not use one of the two most famous examples, which are the logistic map f ðxÞ ¼ k  xð1  xÞ or the tent map f ðxÞ :¼ l  minfx; 1  xg, where the actual behavior is governed by the choice of k [ 0 or l [ 0. The two are closely related (in fact, they are topological conjugates), but the tent map has some very appealing properties: • If the iteration starts from an irrational value x0 , the resulting sequence never becomes periodic. • It has sensitive dependence on initial conditions, intuitively meaning that any arbitrarily close but incorrect guess of x00 6¼ x0 will make the resulting sequence diverge arbitrarily far from the true sequence originating from x0 . This is sometimes understood as “loss of information” upon every step, since the tent map is non-injective, meaning that for every image, there are at least two pre-images possible. Effectively, this means that we could never infer the seed from just observing the sequence, which at first glance sounds like a perfect property to go for. Unfortunately, we will see that although this is true, the effect is nonetheless devastating.

Preface

xiii

• Given an irrational number x0 to start from and using l ¼ 2, the tent map’s action on an irrational number in binary with bits b1 b2 b3 . . . is simply this: – shift the decimal point one place to the right. – If a 1 is left to the decimal point, invert all upcoming bits. The tent map’s action can be described by a simple Mealy-automaton: let the state transition “a/b” mean that whenever the automaton reads a symbol “a” it outputs the symbol “b”. According to the above, we need an “inverting state” (INV) and a “non-inverting” state (NI) to compute the tent map from an irrational starting point x0 by the automaton:

1/1 0/0

NI

INV

1/0

0/1 Let us analyze the intuition of combining a starting point like C with a chaotic map to unify the benefits of both: perfect statistical properties (from the normality of C) with unpredictability based on deterministic chaos (from the tent map). It is indeed a nice exercise to verify that the automaton will eventually “burn” all information contained in the seed (as we would expect from the sensitive dependence on initial conditions and the non-injectivity of the tent map), but two sequences may nonetheless converge into the same pseudorandom sequence sooner or later. More precisely, let x0 6¼ x00 be two starting values that differ from C only in a finite number of digits. Then, both starting points will eventually end up in the same output, meaning that whatever seed we use together with a fixed normal number (our choice of C was arbitrary here), the so-constructed pseudorandom generator is not even remotely useful for cryptographic purposes. Intuitively, this becomes evident when looking at the Mealy-automaton to evaluate the tent map: the machinery to compute the random outputs is finite, but for unpredictability, we need new information in each output that cannot be obtained from past observations. Since the irrational value C is part of the algorithm, with only the deviation from it being the secret, a deterministic (finite) machinery can obviously not be expected to “create” the necessary lot of information to ultimately gain unpredictability. This is what J. von Neumann expresses in his famous quote: Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.

xiv

Preface

What is the lesson from all this? It tells us that we cannot naively assemble primitives with good statistical properties into a cryptographically useful random number generator (RNG); such intuitions can easily be misleading. The above ideas were chosen only for illustration but in general demonstrate that even perfect statistical properties, or seeming unconditional unpredictability (that we hoped to get from chaos theory, which is—unlike much of cryptography—not based on computational intractability) may together fail to deliver good results for cryptography. It ends up being that, at least for pseudorandom number sequences (whose reproducibility is often the only reason to prefer them over true randomness), seem to require more complex constructions and computational intractability remains an unavoidable fundament up to today. A working construction that is simple and has maximal periodicity is, for example, an AES-encryption of a secret counter, which could be implemented in one line of C++-like pseudocode: letting i be initialized to some secret value i0 , we get the next random number as AES(++i,k) where k is another secret stored within the PRNG. This is indeed a working construction, and the standard quality assessments for PRNG that we will later (in the book) see that the output meets the requirements of cryptographic applications. The security of such a construction lies in the secrecy of the initial value i0 and the secret k. Let us adopt a more general view, calling s the secret random seed, which is sampled from a random variable S. How would we quantify the “goodness” of the random seed? Shannon-entropy is commonly proposed as a measure, but this is only half-correct: “entropy” is the right direction, but not of Shannon’s type! Indeed, since we cannot prevent guessing a secret, how difficult would guessing s be? Let the distribution of S be fðsi ; pi ¼ PrðS ¼ si ÞÞgni¼1 with si 2 f0; 1g‘ and pi  0 so that p1 þ p2 þ . . . þ pn ¼ 1. The min-entropy of S is defined as 



H1 ðSÞ ¼  log maxfPrðS ¼ si Þg : i

By this definition, we have for all s : PrðS ¼ sÞ  2H1 ðSÞ . Now, let’s turn to the experiment of guessing the unknown seed s0 , which occurs with probability p0 : the average number N of trials until we succeed follows a geometric distribution with parameter p0 , whose mean is N¼

1  2H1 ðSÞ : p0

So, H1 ðSÞ obviously provides a lower bound for the average number of guesses until a success, so H1 ðSÞ can be taken as a measure of the difficulty! Can the Shannon-entropy be such a measure too? The answer is negative in general, due to the following example:

Preface

xv

Let 0\q\1 be a fixed value, and define the random variable S over the set f0; 1; . . .; ng to come out as • S ¼ 0 with probability 1  q, • S 2 f1; 2; . . .; ng with uniform probability q=n each. The min-entropy is H1 ðSÞ ¼ logðqÞ. But the Shannon-entropy is HðSÞ ¼ 

n X i¼0

pi  logðpi Þ ¼ ð1  qÞ  logð1  qÞ 

n X q i¼1

n

log

 q n

 q ¼ ð1  qÞ  logð1  qÞ  q  log 2 Xðlog nÞ n Obviously, HðSÞ ! 1 if we let n tend to infinity, while the min-entropy remains constant at logðqÞ for all n. This means that we can define a random variable with arbitrarily large Shannon-entropy, whose guessing is constantly simple, since all we need to do is take S ¼ 0 as being the most likely outcome. Unfortunately, the general term “entropy” is often by default interpreted as Shannon-entropy, though for cryptographic purposes, min-entropy is meant and required whenever the quality of seeds for a random generator is spoken about2. This directly leads to ways how backdoors can be implemented in an RNG: assume that an RNG is (sloppily) specified of having a seed with some high “entropy” (not telling the type, so that the assertion is truthfully made about Shannon-entropy), then adding a bad seed like the above has devastating consequences: • The specification is compliant to requirements like “random generators need seeds with at least 128 Bit of entropy” • but guessing the seed and reproducing the RNG’s output is easy for the vendor of the RNG. Even if the RNG is correctly initialized with seeds of high min-entropy, another attack could attempt to substitute the honest generator with a bad one. For example, let two generators be given, both based on AES-encryption of counters, where G1 has seeds and keys of high min-entropy, while G2 has seeds and keys of high Shannon- but low min-entropy. Then, the output of G1 is practically indistinguishable from the output of G2 (since AES was empirically verified to provide this), so the unsuspecting user may unknowingly use random values that a third party can easily guess and reproduce. Any cryptographic keys or other parameters

2

This is not always made explicit in the documentation of software or devices. As of January 19, 2020, the documentation of OpenSSL (see https://wiki.openssl.org/index.php/ Random_Numbers) only talks about “entropy”, not making explicit that min-entropy is actually meant. So, a user may mistakenly supply seeds with high Shannon-entropy instead, which is due to the inexact documentation even compliant with the specification, though can still be an insecure parameterization.

xvi

Preface

created in this way are intrinsically insecure, irrespectively of how good the rest of the cryptography is. Moreover, the meaning of “high” for entropy also needs to be clarified: is it sufficient to simply demand, say, 128 bit? If we seek to escape the progress of computational power, then “high” must be understood asymptotically as the min-entropy satisfying H1 ðSÞ 2 xðlog tÞ, where t is the security parameter, and x is the Landau-symbol. Under the latter condition, there exists a constant c [ 0 so that for all sufficiently large n, we get H1 ðSÞ [ c  log ðnÞ. In turn, however, this implies that PrðS ¼ sÞ  2H1 ðSÞ \2clogðnÞ ¼ nc so that the effort to guess a key is at least nc on average, i.e., takes polynomially many trials. Since c [ 0 was arbitrary, so the effort is larger than any polynomial. That is exactly the kind of computational intractability that cryptography widely depends on. Also, this is the reason why true randomness based on non-numeric techniques is so important and what the rest of this book is going to be about. Though the quality of randomness that quantum phenomena deliver is beyond question, different methods to use the quantum phenomena may be suitable for individual applications. Chapters 1 and 2 lay the fundamentals, subsequently operationalized in practical work mentioned in Chaps. 5 and 6 both on random bit generator devices. Measuring the quality of a RNG, especially one based on quantum phenomena, is a nontrivial matter, and the previous discussion will be largely extended in the discussion given in Chap. 4 where they study how well quantum-based RNG perform under the criteria that classical (computational) cryptographic RNG undergo. Essentially, the findings indicate that the tests of randomness mostly assess the quality of the post-processing, but usually tell nothing about the quality of the generation process itself. This is the final reason why quality assessment of quantum RNG calls for its own specialized methods. The remaining issue of verifiable originality of a random sequence to thwart the aforementioned attack can be treated by classical cryptographic means; Chap. 3 on authenticity of quantum random numbers shows how. Applications of quantum RNG in networks given in Chap. 7 finally conclude the book. Klagenfurt, Austria May 2019

Christian Kollmitzer Stefan Schauer Stefan Rass Benjamin Rainer

Preface

xvii

References 1. Goldreich, O., Goldwasser, S., Micali, S. (1986). How to construct random functions. Journal of the ACM 33(4), 792–807. doi:10.1145/6490.6503. 2. Menezes, A., van Oorschot, P. C., Vanstone, S. A. (1997). Handbook of applied cryptography. CRC Press LLC. 3. Zimand, M. (2004). Compuational complexity: A quantitative approach. North-Holland Mathematical Studies 196. Elsevier

Acknowledgements

We would like to give thanks to the AIT Austrian Institute of Technology GmbH Klagenfurt and Vienna for their support of this book. Jing Yan Haw, Syed Muhamad Assad and Ping Koy Lam acknowledge the support from the Australian Research Council (ARC) under the Centre of Excellence for Quantum Computation and Communication Technology (CE170100012). Christian Kollmitzer and Stefan Petscharnig would like to thank Syed Assad of Australian National University and Michael Wahl of Humboldt Universität zu Berlin for their contribution to Chap. 2. We also want to thank Claus Ascheron, Ashok Arumairaj and Raghavy Krishnan for their work in the process of making this book and our reviewers for their fruitful comments.

xix

Contents

Introduction: Fundamental Principles of Quantum Random Number Generation with Beam Splitters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Martin Suda and Gerald Dißauer

1

Quantum Random Number Generation . . . . . . . . . . . . . . . . . . . . . . . . . Christian Kollmitzer, Stefan Petscharnig, Martin Suda and Miralem Mehic

11

Authentic Quantum Nonces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stefan Rass and Peter Schartner

35

Assessing the Statistical Quality of RNGs . . . . . . . . . . . . . . . . . . . . . . . . Benjamin Rainer, Jürgen Pilz and Martin Deutschmann

45

A No-History, Low Latency Photonic Quantum Random Bit Generator for Use in a Loophole Free Bell Tests and General Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mario Stipčević and Rupert Ursin Secure Random Number Generation in Continuous Variable Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jing Yan Haw, Syed M. Assad and Ping Koy Lam

65

85

Trusted Quantum Back Bone Leveraging Secure Communication . . . . . 113 Benjamin Rainer and Oliver Maurhart

xxi

Introduction: Fundamental Principles of Quantum Random Number Generation with Beam Splitters Martin Suda and Gerald Dißauer

1 Motivation This introduction describes one of the most important elements for the generation of quantum mechanical random numbers—the beam splitter (BS). A BS is a passive element to split light beams (e.g., laser beams) into two outgoing beams. Quantum mechanical random numbers are random numbers that are derived from the fundamental principles of random processes from quantum mechanics. Thus, knowledge about the basic principles of quantum optics are necessary. Basically, it is not easily possible to explore quantum theory of light in such a short chapter. Nevertheless some important theoretical information about the mode of operation of a BS can be presented in a hopefully comprehensible manner. The present chapter is organized as follows: Primarily the classical BS is discussed. Therefore, this optical element, its input and its output states are illustrated by amplitudes of plane waves representing electric light fields. Concerning the quantum mechanical BS, both the input and the output modes are denoted as quantum mechanical operators according to quantum electrodynamics of light. Here, the input states are so-called Fock-states (photons) which are the energy eigen-states of the quantum mechanical harmonic oscillator. It describes quantum mechanical processes of the quantized light field. More detailed information about the quantum mechanical harmonic oscillator can be found in [1–5]. Three examples should explain how the BS works in this case, i.e., how this BS element is able to produce genuine physically created random numbers (i.e., true randomness derived from quantum mechanical phenomena). The three examples M. Suda (B) AIT, Vienna, Austria e-mail: [email protected] G. Dißauer A-SIT, Vienna, Austria e-mail: [email protected] © Springer Nature Switzerland AG 2020 C. Kollmitzer et al. (eds.), Quantum Random Number Generation, Quantum Science and Technology, https://doi.org/10.1007/978-3-319-72596-3_1

1

2

M. Suda and G. Dißauer

are: (1) one single photon at the first input mode and a vacuum state (which is the ground state of the quantum mechanical oscillator and it is denoted by |0) at the second input mode, (2) one coherent state (it is denoted by |α) at the first input and a vacuum state at the second, and (3) one photon each at the 2 input modes. By means of these examples the physical basics are provided in order to gather the mode of operation how quantum mechanical random number generators that are based on BSs operate. The most important references dealing with quantum optics of the BS can be found in [1–5].

2 Beam-Splitter (BS) Below we will describe the beam splitter (BS)—a semi-permeable mirror—both classically and quantum mechanically. To obtain true randomness, we choose a semipermeable BS where the incident light is transmitted with a 50% probability and thus 50% of the incident light are reflected (denoted by 50:50). Alternatively, one can choose arbitrary configurations of the BS. However, only the 50:50 configuration derives true randomness. Such a device is constructed so that it has 2 input modes and 2 output modes (Fig. 1). From such general considerations, we first derive a 2 × 2 matrix and afterwards we will show how the operators and the quantum states transform. Hence, the amplitudes of the input will be linked to the output, respectively.

2.1 Classical Description of BS Consider plane waves with 2 input amplitudes a0 and a1 and 2 output amplitudes a2 and a3 (Fig. 1). In this figure the amplitudes are drawn as operators (denoted with “hat”) for later use. Moreover, absorption is not taken into account because we use

Fig. 1 BS: Classical and quantum mechanical description

Introduction: Fundamental Principles of Quantum Random Number …

3

BS in conjunction with ideal circumstances and thus, we assume that there are no imperfections of the glass. (a) Reflection and transmission: a2 = t  a0 + ra1 , a3 = r  a0 + ta1

(1)

t  , t ... complex transmission coefficients r  , r ... complex reflection coefficients The specific details of the BS, i.e., its dielectric properties, are defined by the aforementioned coefficients. The two equations (1) can formally be written as a single matrix equation: 

a2 a3



 =

t r r t



a0 a1



= Hˆ



a0 a1

 .

(2)

Hˆ is the transformation matrix of the BS. (b) In case of lossless BS energy conservation has to be applied: |a0 |2 + |a1 |2 = |a2 |2 + |a3 |2

(3)

In detail one obtains |a2 |2 + |a3 |2 = = (|t  |2 + |r  |2 )|a0 |2 + (|t|2 + |r |2 )|a1 |2 + (t r ∗ + t ∗r  )a0 a1∗ + (tr ∗ + t ∗r )a0∗ a1 whereupon immediately, one can infer from Eq. (3): |t  |2 + |r  |2 = |t|2 + |r |2 = 1 , t r ∗ + t ∗r  = tr ∗ + t ∗r = 0 t ∗r  t ∗r → t  = − ∗ , t = − ∗ r r

(4)

For a symmetric BS, which is constructed with a 50:50 probability configuration (i.e., half of the particles are reflected and the other half is transmitted) one obtains |t  |2 = |r  |2 = |t|2 = |r |2 = 21 . Moreover, out of these 4 parameters 3 can be chosen freely. We therefore choose the following particular BS: 1 1 t = t = √ → r = r = i √ . 2 2 i = eiπ/2 means a phase shift of π/2 in case of reflecion. As a consequence, we obtain a result for outgoing amplitudes as follows: 1 1 a2 = √ (a0 + ia1 ) , a3 = √ (ia0 + a1 ) 2 2

4

M. Suda and G. Dißauer

or 

a2 a3



1 =√ 2



1i i 1



a0 a1



= Tˆ



a0 a1

 .

(5)

Here the particular symmetric BS-transformation Tˆ has been defined. Now the intensities of the 2 outputs of the BS can be calculated: I2 = |a2 |2 = 21 |a0 + ia1 |2 , I3 = |a3 |2 = 21 |ia0 + a1 |2 ; I2 + I3 = 1. (a) For a0 = 0, a1 = 1 (only 1 input mode) → I2 = I3 = 21 → |a2 | = |a3 | = (b) For a0 = a1 =

√1 2

(2 input modes with input intensity 21 each) → I2 =

√1 2 I3 = 21 .

2.2 Quantum Mechanics of BS Here, we consider a BS in the full quantum mechanical context. If one takes into account a thermal input spectrum of a large amount of photons or strong coherent beams with a Poissonian distribution, a classical description would be sufficient to describe the intensity distribution of the outputs, approximately. But in case of a single photon input or only few input photons a classical description does not succeed and is at this point incomplete and—what’s more—will lead to wrong results. We now show that a classical description of the BS leads to a contradiction using quantum operators. Figure 2 displays on the left side the classical field components (E i ) of input and output. One has E 2 = r E 1 and E 3 = t E 1 . For a balanced BS (50:50) we have to write |r | = |t| = √12 and |r |2 + |t|2 = 1. Energy conservation claims |E 1 |2 = |E 2 |2 + |E 3 |2 . Applying operators (Fig. 2 right) we have to write aˆ 2 = r aˆ 1 and aˆ 3 = t aˆ 1 . Here, aˆi is the annihilation operator of the quantum harmonic oscillator [5]. Likewise, the creation operator aˆi + can be defined. Now comes the most important point in quantum theory of light. These creation and annihilation operators satisfy Heisenberg’s uncertainty relation: (6) [aˆ i , aˆ +j ] = δi j .

Fig. 2 BS: a Classical field amplitude b Operators

Introduction: Fundamental Principles of Quantum Random Number …

5

Therefore, we obtain for the operators aˆ i and aˆ +j [aˆ 2 , aˆ 2+ ] = |r |2 [aˆ 1 , aˆ 1+ ] = |r |2 and [aˆ 3 , aˆ 3+ ] = |t|2 [aˆ 1 , aˆ 1+ ] = |t|2 . Moreover, one obtains [aˆ 2 , aˆ 3+ ] = r t ∗ [aˆ 1 , aˆ 1+ ] = r t ∗ = 0, and this contradicts Eq. (6). This approach therefore, cannot be a correct quantum mechanical description of the BS. Hence one can infer that the unused input mode has to be spent as a vacuum port |0. This is executed below. It can be observed that the vacuum field plays a fundamental role and—on top of that—is really necessary for the internal consistency of the formalism. The vacuum field cannot be neglected. It has certain consequences in quantum electrodynamics and has no analogy in a classical point of view. In the quantum mechanical picture the so far unused input port contains a quantized field even if it is a vacuum field. The vacuum fluctuations, which always exist cause important physical effects which are also particularly relevant here. In Fig. 1 there are 2 inputs and 2 outputs. Now, instead of amplitudes, operators aˆ 0 and aˆ 1 respectively aˆ 2 and aˆ 3 appear. Additionally, we distinguish a reflection coefficient r and a transmission coefficient t for input 1 (operator aˆ 1 ) arriving from the left side, and r  respectively t  for an input (operator aˆ 0 ), coming from top. Instead of Eqs. (1) and (2) we combine these input and output operators as usually: aˆ 2 = t  aˆ 0 + r aˆ 1

, aˆ 3 = r  aˆ 0 + t aˆ 1

(7)

respectively 

aˆ 2 aˆ 3



 =

t r r t



aˆ 0 aˆ 1

 .

(8)

The energy balance is |aˆ 0 |2 + |aˆ 1 |2 = |aˆ 2 |2 + |aˆ 3 |2 r , t, r  as well as t  depend on the construction of the BS. Again we use a dielectric layer as given in Eqs. (4) and (5) where reflection and transmission differ by a factor i = eiπ/2 for the symmetric BS. We obtain for the following operators 1 aˆ 2 = √ (aˆ 0 + i aˆ 1 ) 2

1 , aˆ 3 = √ (i aˆ 0 + aˆ 1 ) 2

(9)

or the matrix equation 

aˆ 2 aˆ 3



1 =√ 2



1i i 1



aˆ 0 aˆ 1



= Tˆ



aˆ 0 aˆ 1

 .

(10)

Tˆ is a unitary matrix where Tˆ Tˆ + = 1ˆ holds. From Eq. (9) the following relations can be deduced:

6

M. Suda and G. Dißauer

1 aˆ 2+ = √ (aˆ 0+ − i aˆ 1+ ) , aˆ 3+ = 2 1 aˆ 0+ = √ (aˆ 2+ + i aˆ 3+ ) , aˆ 1+ = 2

1 √ (−i aˆ 0+ + aˆ 1+ ) → 2 1 √ (i aˆ 2+ + aˆ 3+ ) . 2

(11)

Below, 3 examples are given in order to demonstrate the mode of operation of a BS with genuine quantum input states.

2.2.1

Example: One Photon in Input 1: |00 |11

Preliminary note: In case of 2 inputs which are vacuum states, written as a product state |00 |01 , then the output states are vacuum product states |02 |03 as well. One writes |00 |01 → B S → |02 |03 . Now in this first example the input state is |00 |11 = aˆ 1+ |00 |01 . Remember that in quantum optics [1–5] a photon can be created from vacuum by√means of the creation operator: aˆ + |0 = |1. Generally, for n photons, aˆ + |n = n + 1|n + 1 √ and a|n ˆ = n|n − 1 holds. Experimentally, a single photon state (denoted by |1) can be generated by parametric down-conversion using non-linear crystals [1–5]. That means that two photons are created simultaneously, where one of those photons is used for the BS-experiment. The other one is registered in terms of synchronization purposes of the created photon pair. On the other hand, weak coherent states are able to be used for the generation of approximately single photon states (see Example 2). Using Eq. (11) one gets behind the BS 1 1 |00 |11 → B S → √ (i aˆ 2+ + aˆ 3+ )|02 |03 = √ (i|12 |03 + |02 |13 ) . 2 2

(12)

This is an important result of a balanced BS. It means that a single input photon in mode 1 together with a vacuum input in mode 0 is equally transmitted and reflected with probability 21 . An important method of generating quantum random numbers relies on this method. This result is exactly what is expected. It explains also that there are no coincidences. If one measures the photon in output port 2(3) no photon is measured in output 3(2). One can say as well that the photon is entangled with the vacuum behind the BS. Conversely, one can say: If there are in fact no coincidences then we have a genuine single photon source. Obviously, the BS is a “passive” element which neither creates nor annihilates photons. The density operator ρˆ23 of the output states behind the BS is: ρˆ23 = =

1 (i|12 |03 + |02 |13 )(−i 2 1| 3 0| + 2 0| 3 1|) = 2

1 {|12 |03 2 1| 3 0| + |02 |13 2 0| 3 1| + i|12 |03 2 0| 3 1| − i|02 |13 2 1| 3 0|} . (13) 2

Introduction: Fundamental Principles of Quantum Random Number …

7

This density operator contains the full information of coherence. It includes all off-diagonal elements. If only one output is measured (e.g., output 2) one has to apply the partial trace over output 3: ρˆ2 = T r3 ρˆ23 =

∞ 

3 n|ρˆ23 |n3

=

n=0

1 (|02 2 0| + |12 2 1|) 2

(14)

and analog ρˆ3 = 21 (|03 3 0| + |13 3 1|). Equation (14) describes a statistical mixture. After performing the measurement, no off-diagonal terms exist which would imply coherence. The output states appear with 50% probability each and there are no coincidences. Measuring the particle number for output 2 one keeps the following result: n¯ 2 = T r2 (ρˆ2 nˆ 2 ) = 21 ( 2 0|nˆ 2 |02 + 2 1|nˆ 2 |12 ) = 21 (0 + 1) = 21 . This result signifies the mean particle number in output 2. Similar results are obtained for output 3.

2.2.2

Example: Coherent State |α in Input 1

The coherent state [1–5] |α = e−|α|

2

/2

∞ n=0

αn √ |n n!

= e−|α|

2

/2

[ |0 + α|1 +

α2 √ |2 2

+ ... ]

(15)

is similar to a classical state. Depending on |α|2 (which represents the number of photons), a coherent state can contain a high number of photons. Hence it is rather contrary to the highly non-classical single-photon state considered in the first example. Experimentally, a coherent state can be created by a laser beam. α is a complex number and |α|2 is the mean photon number. |n are the Fock states of light. Coherent states are solutions of the eigen-value equation a|α ˆ = α|α. The displacement + ∗ ˆ operator D(α) = eαaˆ −α aˆ applied on a vacuum state |0 is able to generate a coherˆ ent state |α: D(α)|0 = |α. In our example we have in input mode 1 a coherent state and in input mode 0 a vacuum state: |00 |α1 = Dˆ 1 (α)|00 |01 . Using Eq. (11) one obtains: |00 |α1 → B S → e =e

α∗ √α (i a ˆ 2+ +aˆ 3+ )− √ (−i aˆ 2 +aˆ 3 ) 2 2

( √iα2 )aˆ 2+ −( √iα2 )∗ aˆ 2

|02 |03 =

( √α2 )aˆ 3+ −( √α2 )∗ aˆ 3

e |02 |03 = iα α iα α = Dˆ 2 ( √ ) Dˆ 3 ( √ )|02 |03 = | √ 2 | √ 3 2 2 2 2

(16)

The appropriate density operators are: iα α iα α iα iα ρˆ23 = | √ 2 | √ 3 2  √ |3  √ | , ρˆ2 = T r3 (ρˆ23 ) = | √ 2 2  √ | 2 2 2 2 2 2

(17)

8

M. Suda and G. Dißauer

Equation (16) can be interpreted as follows: Similar to the classical picture in 2 each output 2 or 3 exactly half of the photons |α|2 are reflected or transmitted by means of the balanced BS. The phase shift i = eiπ/2 of the reflected wave appears automatically. There is no entanglement with respect to coherent states. The result is a product state as can be seen in Eq. (16). Three important remarks: (a) For α = 0 the coherent state |α achieves the vacuum state |0, but e.g. for α = 1 the 1-photon-state |1 is not obtained: |α = 1 = |1. |α = 1 and |1 are entirely different states. (b) √12 (i|12 |03 + |02 |13 ) from Eq. (12) can be obtained in no way from | √iα2 2 | √α2 3 of Eq. (16) because the first expression is an entangled state (no coincidences are possible) and the last one is a product state. The attempt to call a weak classical field a quantum field is misleading and absolutely incorrect. However, for 1 i.e. weak coherent state) the coherent state can be used very well |α|2 1 (α ≈ 10 for generating quantum numbers by considering at Eqs. (16) and (15): α α iα | √ 2 | √ 3 ≈ |02 |03 + √ [ i|12 |03 + |02 |13 ] + ... 2 2 2

(18)

As a result, it can be seen that mostly vacuum states are arising, but (with probability |α|2 ) the same entangled state as in Eq. (12) appears. Because parametric down2 conversion (cf. (12) from Example 1) is a very rare event the method presented here could be superior. (c) The mean particle number in output mode 2 is iα iα 1 n¯ 2 = T r2 (nˆ 2 ρˆ2 ) = 2  √ |aˆ 2+ aˆ 2 | √ 2 = |α|2 . 2 2 2

(19)

The same is valid for output 3.

2.2.3

Example: Input |10 |11

Experimentally, such an input can be possible if the 2 photons simultaneously produced by means of parametric down-conversion are injected in the two input modes. Photon |10 has two possibilities: either being transmitted or being reflected. The same applies for photon |11 . One obtains: 1 + (aˆ + i aˆ 3+ )(i aˆ 2+ + aˆ 3+ )|02 |03 = 2 2 i i = (aˆ 2+ aˆ 2+ + aˆ 3+ aˆ 3+ )|02 |03 = √ (|22 |03 + |02 |23 ) 2 2

|10 |11 = aˆ 0+ aˆ 1+ |00 |01 → B S →

(20)

Introduction: Fundamental Principles of Quantum Random Number …

9

Fig. 3 Two hypothetical events: both photons are a transmitted b reflected

This equation means entanglement of two photons with vacuum. There are either 2 photons in output 2 or 2 photons in output 3. There are neither coincidences using a balanced BS. But contrary to a single photon process discussed in example 1 here the appearence of no coincidences is a matter of an interference effect between 2 possibilities of reflection or transmission at the BS. This is explained below. There could be 2 possibilities for coincidences (i.e., output |12 |13 , not appearing here) sketched in Fig. 3. These are 2 hypothetical events where either both photons are transmitted (left picture in Fig. 3) or reflected (right picture in Fig. 3). But these 2 events are indistinguishable. Therefore, the probability amplitudes have to be added and subsequently the absolut value has to be squared. One obtains: A T = √12 ... amplitude for transmission of single photons A R = i √12 ...amplitude for reflection of single photons A T A T ... amplitude for transmission of both photons A R A R ... amplitude for reflection of both photons Because both processes are equally likely the obtained possibitity P11 of an output |12 |13 is 1 1 1 1 P11 = |A T A T + A R A R |2 = | √ √ + i √ i √ |2 = 0 2 2 2 2

(21)

Thus, we have no coincidences. This is indicated by Eq. (20) as well. This fact is experimentally tested in the so-called Hong-Ou-Mandel experiment [6]. Completely analog the density operators ρˆ23 , ρˆ2 and ρˆ3 can be composed using Eq. (20). For example one gets ρˆ2 =

1 1 (|02 2 0| + |22 2 2|) , ρˆ3 = (|03 3 0| + |23 3 2|) 2 2 n¯ 2 = T r (nˆ 2 ρˆ2 ) = 1 , n¯ 3 = T r (nˆ 3 ρˆ3 ) = 1

(22)

This third example explicitely shows that the two single input photons created by means of a parametric down-conversion process can be used in order to generate quantum random numbers. This is an additional possibility besides the first example where only one single photon impinges the BS.

10

M. Suda and G. Dißauer

3 Conclusion Conventional computers are finite machines. As a result, it is very hard to compute true randomness from running algorithms on it. True random number generators require physical random processes as inputs rather than applying algorithms on data. 50:50 beam splitters can be used as true random number generators and we have shown that it is possible to generate quantum random numbers very elegantly by operating such beam splitters. The underlying randomness is based on the fundamental principles of quantum mechanics. Unpredictable and thus real random numbers that are generated with non-deterministic quantum random number generators can be used—but are not limited—in the field of cryptography, for instance. Such random data can be applied to derive random data sequences for securing cryptographic protocols, to create non-deterministic session keys and thus to protect data in transit, to strengthen cryptographic algorithms, or to compute a salt (i.e., random data to protect stored passphrases) for password-based cryptography. Moreover, true random numbers are adjoined to obtain unpredictable digital signatures to sign electronic documents (e.g., to negotiate contracts).

References 1. Mandel, L., & Wolf, E. (1995). Optical Coherence and Quantum Optics. Cambridge: Cambridge University Press. 2. Leonhardt, U. (1997). Measuring the Quantum State of Light. Cambridge: Cambridge University Press. 3. Loudon, R. (2000). The Quantum Theory of Light. Oxford: Oxford University Press. 4. Schleich, W. P. (2001). Quantum Optics in Phase Space. Berlin: Wiley-Vch. 5. Gerry, C. C., & Knight, P. L. (2005). Introductory Quantum Optics. Cambridge: Cambridge University Press. 6. Hong, C. K., Ou, Z. Y., & Mandel, L. (1987). Physical Review Letters, 59, 2044.

Quantum Random Number Generation Christian Kollmitzer , Stefan Petscharnig, Martin Suda and Miralem Mehic

Abstract The unpredictability of random numbers has found their applications in various fields such as lotteries, scientific simulations and fundamental physics tests. However, their most obvious application is in cryptographic protocols that inevitably include random number generators to generate seeds, initial random values, nonces (salts), blinding values and padding bytes. To be used for such tasks, number generators need to fulfil specific criteria to ensure the cryptographic protocol security performance. This primarily refers to the unpredictability of the generated numbers values even if the attacker knows the random number generator design. In contrast to deterministic random number generators that generate random values with entropy that is limited by the entropy of the initial seed, in this chapter we consider nondeterministic random number generators that rely on the quantum state of matter for generation of random numbers. Non-deterministic random number generators use various techniques such as radioactive decay, shot noise in semiconductors, photons and other.

C. Kollmitzer (B) · S. Petscharnig AIT, Lakesidepark B10, 9020 Klagenfurt, Austria e-mail: [email protected] M. Suda AIT, Giefinggasse 4, 1210 Vienna, Austria e-mail: [email protected] M. Mehic Department of Telecommunications, Faculty of Electrical Engineering, University of Sarajevo, Zmaja od Bosne bb, Kampus Univerziteta, 71000 Sarajevo, Bosnia and Herzegovina e-mail: [email protected] VSB - Technical University of Ostrava, 17. listopadu 15/2172, 708 33 Ostrava-Poruba, Czech Republic © Springer Nature Switzerland AG 2020 C. Kollmitzer et al. (eds.), Quantum Random Number Generation, Quantum Science and Technology, https://doi.org/10.1007/978-3-319-72596-3_2

11

12

C. Kollmitzer et al.

1 Introduction Although deterministic random-order generators are convenient due to low cost and ease of execution, which allows application for numerical computations such as Monte-Carlo simulations, their use is limited due to the existence of a strong longrange correlation which can undermine cryptographic security, introduce unexpected errors or loopholes in scientific simulations or physics tests. For such needs, it is advisable to use non-deterministic generators that rely on physical phenomena that are unquestionably random. Since the randomness of a random sequence can be thoroughly tested but not fully proven, it is of great interest to fully understand the behaviour of random processes that are the basis for generating random values. In this chapter, we discuss the most commonly used techniques for generating random numbers, considering their advantages, disadvantages and practical application.

2 Techniques for Quantum Random Number Generation The physical random number generation consists of two blocks. The first block, which is often defined as a high entropy source, consists of the physical processes that determine the trustworthiness, entropy and performance of the entire system. As shown in Fig. 1, the measurement devices are used to provide the “raw” random binary numbers by measuring an analogue or digital signal in the process which is often defined as bit extraction. Measured values are forwarded to postprocessing block to eliminate imperfections present in “raw” random numbers produced by physical systems [50, 51]. The main idea is to produce more random set by sacrificing a certain percentage of generated bits mostly using techniques such as: 1. 2. 3. 4.

Ad hoc simple correctors based on XORing neighboring bits [12, 27] Extractor algorithms based on stateless functions [43, 44] Resilient functions [8, 55] Whitening process using cryptographic hash functions [63]

Fig. 1 A typical physical random number generator consisting of a source of entropy with a physical system, a measurement unit and a postprocessing unit for the final extraction of random values [22]

Quantum Random Number Generation

13

The devices that use quantum effects for generation of random numbers are called quantum random number generators (QRNGs). Simply said, QRNG represents the system that satisfies the single random quantum effect of reseting to the initial settings after system value measurements. Due to the laws of quantum physics, each measurement with identical initial conditions and the same measurement mode provides different values. Therefore, such a system has a broad application of random number generators where the randomness of measured values is highly desirable. Such systems include the smallest units such as electrons (smallest quantity of charge) or qubits (smallest quantity of information). A single quantum of light (photon) can be used as qubit carrier which is favourable due to laws of quantum mechanics that prevents making a faithfully qubit’s copy. In the early development of QRNGs, schemes based on measuring qubit states were widely adopted due to theoretical simplicity. A qubit cannot be split, copied or amplified without introducing detectable disturbances and it can be represented as a linear combination of two basic states (horizontal and vertical): |ψ = α · |  + β · | ↔ (1) Parameters α and β are probability amplitudes: the probability that the outcome of the measurement will be a vertical or a horizontal base, respectively. Unlike the classical bit, which can only have two possible values, 0 or 1, Equation (1) shows that the qubit can also have these values, as well as it can potentially have a superposition of both. It means to find out the value carried by a qubit it is necessary to measure photon’s polarization. However, such “spatial principle” in practice depends on the environment, ageing and unequal detection efficiency. To overcome this issue, QRNG can be based on a usage of one detector and “temporal principle” such as the arrival time or the number of photons detected in a time period as described in Sect. 2.2.2. Other popular entropy sources include radioactive decay, the random photon emission period from trapped ions, quantum optics, chaos systems, the random spatial distribution of laser speckle, various types of noises, and other non-optic sources. In the early years, random numbers were generated using an electric roulette wheel and various mechanical methods to generate random numbers [11]. Later, radioactive decay source was considered to provide true randomness. The Geiger-Müller (GM), tubes were used as a detector to capture and amplify α, β or γ radiation. The detector produces a pulse for each detected particle, and a digital counter is used to convert pulses into random digits. These detectors had limitations due to restricted availability of radioactive source and its management as well as the achievable low bit rate [15]. A number of types of generators that share common elements were proposed as research progressed.

2.1 Random Number Generators Based on Noise The noise can be described as the fluctuations in time of measurement. As such, it can be used as a source of information that is not present in the time-averaged value.

14

C. Kollmitzer et al.

Fig. 2 A simplified view of noise measurements. The voltage value is compared with the limit value to generate a digital signal with random transition times. [22]

The noise had always attracted the attention of the scientist, especially after 1909 when Einstein noticed that electromagnetic fluctuations depend on the carrier of the energy. For classical waves, the magnitude of energy fluctuations scales linearly with the mean energy while for classical particles it scales with the square root of the mean energy. In the 1960s it was noticed that the difference between radiation from the laser and the black body can be identified based on their fluctuating signals. Yet, not all noises are equally informative. Here, we discuss the most commonly used noises in quantum random number generators that can be roughly divided into two categories: those that use electronic noise and those that rely on the noise of quantum physical origin. Thermal electronic noise or often simply noted as thermal noise was discovered in 1928 [34]. Johnson and Nyquist noted that stochastic fluctuations of the electric charges exist in all resistive material at a temperature higher than absolute zero. It extends over all frequencies up to the quantum limit at kT / h with an electrical power of 4ktΔf . The origin of the noise is the random thermal motion of quantised electric charges which can still have a specific correlation in the movement of electric charges when it comes to long-range carrier correlations. The most straightforward approach to measure thermal noise is to isolate the fluctuations in a bandwidth Δf around some frequency f and periodically sample the spectrally filtered voltage which comes from Johnson’s effect. As shown in Fig. 2, the obtained values are compared to a certain threshold which is set to value that gives the same probabilities for outputs 0 and 1. Although theoretically sounds simple, this approach is limited in practice due to sensitivity to environmental changes (temperature, changes of supply voltage and other) and the constant need to adjust the threshold to the appropriate value. Other approaches include usage of thermal noise to determine states of a dual differential metastable latch that is formed by two cross-coupled inverters. Such a method was used to create an entropy source of digital random number generator at a rate around a 3 GHz in Intel’s Ivy Bridge processors (Fig. 3). In practice, thermal noise appears side by side with shot noise that originates from quantum effects due to the granularity of the current. It 1918 Walter Schottky

Quantum Random Number Generation

15

Fig. 3 Block scheme of delay flip-flop (DFF) noise-based RNG. The sampled value of uncorrelated noise is directed to the comparator with hysteresis with a fast response time to obtain a binary signal. The DFF samples the binary signal based on clock CK2 and generates the binary sequence [4]

used vacuum tubes to demonstrate that kind of noise exists even if all the extrinsic noise sources are eliminated. The noise that is entirely controlled by the polarisation current and originates from the discreteness of the electrical charge (shot noise) and thermal dither of electrons (thermal noise) are often difficult to separate in practice. Although electrons share the particle-wave duality with photons and electrical noise coming from shot fluctuations can be categorised as quantum, quantum random number generators are usually based on other methods in which the quantum nature of the noise can be more clearly controlled. This applies primarily to the resistance to external forces such as electromagnetic radiation that can be used for side-channel manipulation of system measurements. Consider tunnelling of carriers through quantum barriers of ideally constant height and width which is known as Zener noise [49]. When current is low enough, movement of carriers through barriers will be recorded as voltage peaks across Zener diode, forming a pink noise with randomness properties. Due to issues with the isolation of the Zener effect in physical devices from other effects and issues with memory effect, such an approach does not give desired results. Besides, due to lowlevel voltage values that are produced using noise source, additional amplification is required before digitalisation. In that process, the deviations from randomness might occur due to gain non-linearity and limited bandwidth of the amplifier. There are methods to improve the performance of electronic noise utilization [3, 25, 58], but researchers are turning to more fundamental noise origin sources that are less sensitive to technological advances and environmental fluctuations that can lead to memory effects. To avoid dependence on adjusting the threshold value of QRNGs based on noise, different solutions were introduced. Bagini proposed periodic sampling of the noisemeasured values and comparison with the threshold value at the comparator. The compared value is used for triggering flip-flop T-type (TFF) which should work in theory, and for the stationary random process, result in improved randomness.

16

C. Kollmitzer et al.

Fig. 4 Block scheme of the laser noise-based and delayed self-homodyne QRNG. The vertical cavity surface emitting laser (VSEL; Δvlaser = 200 MHz; τcoh = 1.59 ns) is directed over the beam splitter to the avalanche photodetector with the low cutoff frequency. The measured signal is sampled using analog-digital converter working at 40 MHz producing the final generation rate of 20 Mbit/s as reported in [19]

Figure 3 shows the block scheme of the slightly modified approach based on delay flip-flop (DFF) [4]. However, due to the memory effect in capacitors and the final impedance in the circuit that introduces autocorrelation of voltage values, such an approach produces limited randomness. Since the electronic component manufacturers and chip makers tend to minimise electronic noise, researchers are turning to sources that generate fluctuations similar to electrical noise but whose origin is less dependent on technological development. One such case is the use of lasers. The phase noise of the laser originates from spontaneous emission of photons and is known for its advantages over electrical noise due to the independence of the technical details of the laser. A random phase of each spontaneously emitted photon contributes a random phase fluctuation to the total electric field and laser linewidth broadening. As such, spontaneous emission and corresponding noise have an origin in quantum mechanics [38]. Since the quantum phase noise is inversely proportional to the laser output power [21], the laser with a lower intensity close to the leasing threshold can be used to produce quantum uncertainty as dominant noise. Then, an unbalanced Mach Zehnder interferometer can be used to measure the phase diffusion as shown in Fig. 4. As reported in [19], a 795 nm vertical cavity surface emitting laser (VCSEL) working at 1.5 mA (the current threshold 1.0 mA) and the laser linewidth Δvlaser = 200 MHz inversely proportional to the laser power, generated signals that were brought to 8-bit APD detector via “homodyne” detector. A software processing was applied in a way that the least-significant bit (LSB) of each 8-bit sampled voltage defined the measurement parity. To uniform the parity, a subtraction between two consecutive sampled voltages is performed generating a half-size sequence of 8-bit binary values. Then, the LSB of the processed 8-bit binary value determines the random bit at the generation rate of 20 Mbit/s. The phase compensation system in the interferometer can be used to avoid phase drift effects that mask quantum signals [38]. However, since the voltage follows the Gaussian distribution, the digitised bits are used to feed a randomness extraction algorithm to obtain uncorrelated bits [28, 68]. Although a higher output rate can be achieved by increasing the sampling rate, there are limitations due to the correlation of bits [72].

Quantum Random Number Generation

17

This effect can be avoided when short pulses drive a laser source to provide output with a known amplitude that is controlled using a gain saturation and a random phase. Since the phase is uniformly random, the phase differences between adjacent pulses follow the same distribution. The interferometer is used to convert phase into an amplitude variation that after processing, provides almost uniformly distributed measurement values [18]. Such a system can achieve rates up to 43 Gbps as in case of [1]. A deterministic chaotic process can be used to amplify the random quantum noise from semiconductor lasers to expand small fluctuations at the quantum level into a fast random output up to hundreds of Gbps [23, 40]. The amplified spontaneous emission noise (ASE) which is the result of optical amplification can be turned into a good source of entropy in QRNGs. Statistically independent random variables can be obtained by random sampling amplitudes of ASE values on different frequencies. This provides a fast fluctuating signal, much stronger than the electronic background noise and which is limited by the bandwidths of the optical filter and electrical photoreceiver. Using threshold detection or XOR decorrelation techniques, QRNGs with rates of several Gbps can be achieved [33, 66]. Superluminescent light diodes with internal optical gain can be used as an alternative source of ASE. By using bandpass filters for different frequency filters, the light from a SLED can be divided into multiple channels with a detector. The obtained value is compared with a threshold to generated random bits and XOR-ed with the bit sequence of delayed values. With additional filters, the number of parallel wavelengths channels could potentially be increased, resulting in a cumulative generation rate more than 200 Gbps using a single SLED source [27]. The most significant advantage of quantum phase noise compared to electronic noise is the independence of the technological settings of the laser, that is dependence on the fundamental laws of physics.

2.2 Random Number Generators Based on Quantum Optics A large number of QRNGs available are based on quantum optics. The inherent randomness in the quantum state of photons provides a straightforward choice for use these as an entropy source. The availability of low-cost laser diode and LED or single photon source provide an affordable and convenient alternative to earlier radioactive sources [2]. However, there are limitations reflected on the side of the detectors.

2.2.1

QRNG Based on Single Photon Splitting

A “spatial principle” system is a system in which the output random bit is determined by the place at which the photon is detected [50]. In single photon splitting QRNG, a single photon source impinges a semitransparent mirror or splitter as shown in Fig. 5. Numerical simulations showed that there are no significant differences in

18

C. Kollmitzer et al.

Fig. 5 QRNG based on single photon splitting where a photon is directed to a balanced beam splitter. The path of the photon is random, and is used to determine the output bit value [2]

photon statistics between a heavily attenuated LED of thermal state and a laser of a coherent state. Therefore as well considering the lower cost, LED is often used to emit photons. A single photon cannot be divided, and each photon has equal probability to be found in either output of the 50:50 beam splitter. In both outputs, a single photon detector (SPD, usually InGaAs avalanche photodiode) is connected to detect the presence of the photon. The detector generates a click when the photon is detected, and the click is taken as either 1 or 0. Since the choice made by a photon is random, it provides a good entropy source for QRNG, and it was used in various experiments [15, 24]. When a polarising beam splitter (PBS) is used, each photon polarised at 45◦ has equal probability to be detected in the horizontal or vertical polarisation output of the polariser. The quantum theory predicts for both cases that individual clicks are independent of each other and genuinely random. In practice, QRNGs implemented using single photon splitting scheme have several drawbacks that limit the maximal generation rate of random numbers. After a click, photodetectors need a certain amount of time, often referred to as “dead time”, to return to their initial position which can generate anticorrelation of consecutive bits or result in a lower sensitivity until photodetector is not fully recovered. Although there are certain photodetectors with improvements [24], in general, the effect of afterpulsing or effect of the dark count, when photodetector clicks when no photon is present, limit the output to few Mbps. Usage of an array of singlephoton avalanche photodetectors calibrated for different settings and in combination with postprocessing is proposed to increase generation rate of random numbers but involves effects of crosstalk which increases the complexity of the system due to the need for a particular design and an increased number of detectors [6, 53]. An additional drawback is that the generated bits using this method are not free from bias. In practice, it is demanding to ensure that the beam splitter has equal

Quantum Random Number Generation

19

Fig. 6 The spatial encoding of the random photon position. The extracted bit is defined as the concatenation of x-coordinate and y-coordinate values of the measured photon [69]

transmission/reflection probabilities and that SPDs have the same detection efficiency. Besides, practical devices are susceptible to supply voltage fluctuations, temperature drift, ageing and component tolerances. To overcome listed drawbacks, it is proposed to use the Fresnel multiple prism that can behave like the perfect 50:50 beam splitter or to use only one SPD and differentiate between the two outputs by detecting the time of arrival of the photon as reported in [47]. An 830 nm LED was used to generate weak pulses that are coupled into a 2-meter long monomode fiber that unifies the generated photons irrespective of the terminal fluctuations of the LED. Two multimode fibers (one with 60 ns delay) are placed only several mm away from the fiber and coupled to the same photon counter (Si-APD in the Geiger mode). The photons are pointed to fibers, and random bits are obtained by measuring the paths that photon takes. These settings raise complexity but are feasible on integrated circuits [17]. The generation rate can be increased using Micro Channel Plate (MCP) based single photon detector with continuous measurement of the photon arrival positions. As shown on Fig. 6 specified the rectangular area of the planar detector is limited by planar detector input face and it is divided into multiple equal parts/unit. Binary or Gray coding is used to encode each unit while the extracted raw bit is defined as the concatenation of the x-coordinate and y-coordinate of the rectangular area for the measured photon. A random bit generation rate of 8 Mbit/s have been reported using such an approach with a very good degree of randomness of the generated numbers [69]. In practice, QRNG based on single photon splitting require the specific application of postprocessing processing of “raw” generated bits. Usually, this involves mathematical procedures such as von Neumann [61] or Peres [36] approaches for the uniform distribution of generated bits. Also, effects such as dead time and afterpulsing can introduce additional drawbacks that are reflected in correlated bits or

20

C. Kollmitzer et al.

simultaneous detections. Therefore, the maximum generation rate of “spatial principle” QRNGs is limited to a few Mbps.

2.2.2

Random Number Generators Based on Time of Arrival

“Timing principle” QRNG are introduced to relieve the dependency on hardware settings. Instead of relying on space information, the system counts events in time intervals to determine random values. Such approaches are resistant to mechanical and temperature oscillations which is desirable for practical usage. The number of photons in the coherent state is defined by Poisson’s statistics, but the randomness can be obtained observing whether the generated pulse actually results in a photon. As shown in Fig. 7, the number of generated pulses is divided into subgroups of equal probability, and the number of generated photons from each group is monitored. If the pulse from the first group resulted in the generated photon, the output value of 1 is defined. The photon from the second group determines the value 0. At last, the measurement is rejected if pulses from both groups result in a photon [70]. Another interesting approach is to consider the difference between time intervals. Since photons arriving at the detector can be described using Poisson’s statistics, the time between two independent Poissonian events is exponentially defined. As shown in Fig. 8, a comparison of the duration of two consecutive time intervals can be used to generate random values [51]. Because of the independence of the event, the described system is considered to be completely random in theory. In practice,

Fig. 7 Schematic of the logical timing sequence. The subgroup of generated pulses is used to define the output bit. The simplest case is to consider division to two groups (k = 2). When the first group pulse triggers the single photon counting module (SPCM) the generated output is “1”. Otherwise, the output value is “0” [70]

Quantum Random Number Generation

21

Fig. 8 Schematic of the logical timing sequence based on the duration of consecutive time intervals. The output value “0” is obtained when t1 < t2 while the case when t1 > t2 defines the output value “1”. Due to digitization and rounding of values, a short-term correlation can limit outputs randomness [51]

Fig. 9 Schematic of the logical timing sequence based on the timing of detector output. The output value is “0” is obtained when the detector signal is received between first and second clock signal (period I) while in the case when the signal is received between the second and third clock signal defines the output value “1” (period III) [29]

due to the digitization of values and rounding to integer numbers, it is possible that the intervals are equal (t1 = t2 ). In that case, the defined value is discarded [51]. In [29], QRNG based on usage of a time-to-amplitude converter (TAC) is proposed. The signal from a pulsed laser diode (wavelength 1310 nm, bandwidth 3 nm, repetition rate 1 MHz; pulse width 100 ns) is attenuated to obtain the low average number of pulses. Further, signals are directed to a fiber-pigtailed InGaAs avalanche photodiode, and the output from the photodiode is forwarded to TAC. As shown in

22

C. Kollmitzer et al.

Fig. 9, the output value is denoted based on the time of the signal. If the TAC receives the signal within 1 µs, a low-amplitude voltage is generated, and TAC is reset using a stop signal to await the next detector output (period I). When no signal is detected, no TAC stop signal is generated, and TAC automatically resets without any output (period II). However, if the signal is detected after 1 µs, a larger amplitude output signal is generated (period III). The obtained values are processed by a multichannel analyser (MCE), and random rate up to several kbps can be achieved [29]. Instead of the instantaneous generation of random bits using the methods mentioned above, the available entropy can be distilled using mathematical functions. The transmitted photons are detected using an avalanche photodiode whose output is connected to reset input of the synchronous counter. The detected photon resets the counter to zero, and the value is incremented until the next detection event. The random value is defined based on the time (counts) elapsed between subsequent detection events. The obtained values are stored until 432 bits are collected which are whitened with an SHA-256 hash algorithm [64]. Due to the delay introduced by batch collection, the system has a latency of several µs which limits the application to specific physical experiments. When the time period in which the number of counts is counted is fixed, the dead time can be used as an advantage. The detection events with a fixed sampling time interval τs are interpreted as “0” for an even number of counts or as “1” for odd reading. The Poissonian distribution of the detected photons can be significantly altered due to the dead time of a photomultiplier tube (PMT) which is used instead of avalanche photodiodes operating in Geiger-mode that has characteristical long dead time in the order of 50–100 ns. The dead time τd can be defined as extendable in the high intensity regime where large number of pulses overlap. Such approach allows the generation of random numbers originating from the of quantum physics randomness. This significantly reduces the bias of the generated values and enables generating random numbers up to tenths of Mbps [16]. Temporal principle greatly simplifies implementation due to the use of only one detector. However, the crucial question with this approach is related to the measurement of time intervals. The clock measuring time interval needs to be synchronised with the beginning of each interval to avoid correlation of bits [51]. To obtain the random number generation rate, more then one bit of random number can be extracted from a single bit [13]. This method is immune to imperfections such as intensity change of the source, dead time, change of efficiency photon detector afterpulsing. It is worth to mention that generators based on such method were first to pass algorithmic randomness and statistical tests [41, 42]. Temporal QRNG, as opposed to spatial QRNG, are not significantly sensitive to changes in laser gain and bandwidth influence. Such occurrences affect the speed of operation, but not the randomness of the generated values. Besides, electronic disturbances such as jitter, shot noise and dark counts, because of their randomness in nature, can be exploited to avoid bias between generated values. Temporal QRNG systems are robust in terms of mechanical and temperature variations and are therefore suitable for installation and operation with only one optical detector.

Quantum Random Number Generation

2.2.3

23

QRNG Based on Raman Scattering

Unlike the previously listed methods operating in the range of kbps and Mbps, systems based on the phase measurement of Raman scattered light in the macroscopic regime can provided rates up to Tbps. The inelastic scattering of photons from rotational, vibrational, or electronic excitations in the Raman-active medium (such as diamond) is defined as Raman scattering. When an incoming “pump” photon is annihilated and scattered in interaction with the medium, a red-shifted “Stokes” photon with a larger wavelength is created. The energy of the incident photon is converted into a phonon. However, when the energy gain is present, and the wavelength of the scattered photon is lower, such photon is defined as “anti-Stokes” photon. To limit scattering in a narrow spatial direction, stimulated Raman scattering can be used. The photon of frequency ω is produced when the photon with an energy difference of corresponding frequency ω between a “pump” photon and the matching phonon is stimulated using spontaneous Raman scattering. Such a mechanism is suitable for various wavelength conversions and amplification, but it can be used in QRNGs as well [7]. As proposed in [7], Stokes field of a uniformly random phase [0, 2π ] is obtained from the pump field when a pulsed pump laser signal is pointed into the diamond. The use of diamonds in combination with short pulses is desirable due to diamonds high Raman gain coefficient and broad transparency range. It was shown that the quantum mechanical zero-point motion of the phonon field is the basis of the spontaneous emissions [39]. As such, it can be preserved and amplified using noise-free amplification process to a macroscopic level that is suitable as a source of randomness. To realise such amplification, Bustard proposed monitoring of the evolution of an almost pure vacuum state into a state with highly unpredictable physical observables. Two methods can be applied: Stokes pulse energy method by observing the number of photons or observing the optical phase. The first method requires a stable pump pulse source to avoid influencing the statistics with the energy fluctuation of the pump pulse. However, such requirements are not placed when observing the Stokes phase fluctuations [7]. As shown in Fig. 10, a bandpass filter is used to filter the Stokes field. By combining the Stokes field and a reference pulse at a beam splitter, random phases are converted into interference patterns at a charge-coupled device (CCD) camera. Using a cosine model to fit the interference pattern, the random phase is recovered and assigned to a bin out of possible phase ranges. Then, a bit extraction algorithm is used to remove any remaining bias. To avoid masking the quantum effect due to power fluctuations in the pump pulses, the pump power should be monitored and controlled (Fig. 11). Since the QRNGs based on Raman scattering dephase in times of the order of a few picoseconds, they can provide high generation rates. Besides, the Stokes light phase is determined only by the vacuum field which provides insensitivity to pulse energy fluctuations. The limiting factor is the repetition rate of the pump pulse laser and considerable power required to produce a strong output signal. Therefore, highly nonlinear waveguides are used to confinement the system which enables stronger

24

C. Kollmitzer et al.

Fig. 10 Schematic diagram of Raman random number generator. A Stokes field with random phase is generated by focusing a pump pulse into a diamond plate. The filter is used to identify the Stokes field that is combined at a beamsplitter with a reference signal. A CCD camera operating at 200 Hz of 2048-pixel records the resulting interfering pattern. [7]

interaction and usage of power in the range of faster repetition lasers. Such combination enables output rate of QRNGs up to 145 Mbps [7, 14]. To achieve even higher rates, the spectrum can be divided into multiple channels. Spontaneous Raman scattering is a quantum phenomenon caused by pump photons scattering from broadband vacuum fluctuations of the electromagnetic field. The phonon vacuum fluctuations are used to obtain quantum randomness when a strong pump inside a highly nonlinear fiber generates Raman photons. The limitation of the random bit generation rate is defined by Raman response function since photons generated with a smaller separation time than Raman response time have frequency correlations. However, such a correlation can be controlled with the power of the power laser [9, 10].

2.2.4

Random Number Generators Based on Optical Parametric Oscillators

The effect of spontaneous parametric down conversion which is often used in entanglement generation, optical squeezing and parametric amplifiers, can be used in QRNGs. In the absence of other inputs, photons generated using spontaneous down

Quantum Random Number Generation

25

Fig. 11 Schematic diagram of optical quantum random number generation using optical parametric oscillators. The pump signal (1560 nm mode-locker Er-fiber laser; 300 mW, 100 Mhz; 70 fs) is directed into two optical parametric oscillators whose outputs are mixed on a 50:50 beam splitter. The output signal is a result of interference of signal defining sequence of “ones” and “zeros” [32]

conversion of the pump can oscillate in a cavity. In fact, due to gain mechanism in continuous wave type I degenerate optical parametric oscillator (OPO) which is known for indistinguishability of signal and idler wave, oscillations can be found in only two states [32]. The amplitude gain of these states can be seen as a function of the phase difference between the pump and the signal θs . The maximal deamplification occurs at θs = π2 while the energy flows from the pump to the signal occurs at θs = 0 and θs = π resulting in the maximum amplification. Marandi proposed the combination of two synchronously pumped femtosecond degenerate OPOs that are pumped with the same source and an optical switch to reset the OPOs. The output signals from OPOs are connected on a beam splitter where the interference of signals toggle between high and low-intensity levels (Fig. 11). To avoid the correlation of the phase values, the field inside the cavity needs to decay to the quantum noise level before a build of new oscillation. This can be controlled by blocking the pump, but it limits the output rate of QRNGs to several tens of kbps. Additionally, with the simplification of the experiment, Marandi proposes the use of twin OPO that consists of two identical OPOs operating in the same ring resonator. QRNG based on the randomness in spontaneous parametric down-conversion does not require a computer or electronic post-processing that simplifies operations and can result in high-speed operation. In case of use with micro- or nano resonators, Gbps rates can be achieved.

2.3 Random Number Generators Based on Non-optic Quantum Effects In addition to generators based on optical quantum effects, some generators do not depend on quantum light. The p-n junction with the tunnel effect in MOS transistors can be used to produce random numbers. When the electron tunnels through the insulating layer under the gate, it introduces a varying current that is followed by shot noise which can use ring oscillators to generate random values [65]. Following such

26

C. Kollmitzer et al.

and similar approaches, the shot noise is obtained from discrete elements of current instead of optical sources of light and can be used as in the previously described generators. In addition to using p-n connections, the tunneling principle can be used with radioactive alpha decay [60]. QRNGs based on experimental tests of quantum mechanics such as measurements of trapped ions, are demanding for implementation. Also, they result in slower generation rate when compared to optical implementations. However, such systems provide a high level of detection efficiency [37]. A collection of atoms enables the spin noise that is reflected in a random magnetic moment. A precise measurement of the global magnetic field from the optical power can be performed since the fluctuations in the optical power due to spin noise dominate over the electric and the photon shot noise. The amplitude of the horizontal and vertical component of the light can be measured after a polarizing beam splitter. These are affected by spin noise that produces a random change in polarization that can be used to produce random bits when the measured values are compared with the threshold of background noise [26]. Similar to the previously described generators, the generation rate which is in the range of kbps is limited by the relaxation time of the system. To reach higher rates, systems with lower relaxation times such as solid state systems are proposed [35, 48].

2.4 Summary Table 1 provides short summary of the discussed methods, while more information about the other suitable methods for design of QRNG can be found in [22, 30, 49, 50].

Table 1 Summary of the optical methods for quantum random number generation Type Rate (order) Representative references Single photon splitting Noise Raman scattering Vacuum fluctuations Optical parametric oscillators Time of arrival Non-optic quantum effects

Mbps Gbps Tbps Gbps kbps Mbps kbps

[24, 69] [1, 27, 33, 38] [7, 10, 14] [45, 56] [31, 32, 54] [51, 52, 59] [35, 48]

Quantum Random Number Generation

27

3 Available QRNG Devices The following section gives an overview of the currently available devices. It should be noted that both new suppliers and new devices are constantly being introduced. Furthermore, the specifications of individual devices change due to revisions while other devices are withdrawn from the market. The following overview is therefore without any guarantee.

3.1 ComScire True Random Number Generator ComScire PQ128MU is a USB-connected true random number generator fully compliant with the NIST SP 800-90 B recommendations providing a data rate of up to 128 Mbit/sec. It uses random noise generated by a semiconductor as entropy source. It provides a USB 2.0 interface and works with Windows 32/64 bit and Linux. Drivers, interface and software for testing are available.

3.2 ID Quantique Quantis Random Number Generator Quantis QRNG is based on the single photon splitting principle. The product is offered in two hardware RNG versions compatible with most platforms: as USB device with a random stream of 4 Mbit/sec and as PCI Express (PCIe) board with random streams of 4 Mbit/sec and 16 Mbit/sec. The system comes with the EasyQuantis application with graphical user interface and provides the Quantis library for easy integration into other systems. It is also compatible with all major operating systems. It has got a compliance certification from NIST SP 800-22, METAS, CTL, BSI AIS 31 and iTech Labs. The product is available as PCI card.

3.3 PicoQuant Random Number Generator The PQRNG 150 is a Quantum Random Number Generator produced by PicoQuant. It is based on the quantum randomness of photon arrival times providing a bit rate of 150 Mbits/sec using an USB 2.0 interface. The product is supplied along with drivers and a user library (DLL) for Windows XP, Vista, Windows 7 and Windows 8. Demos and a simple GUI for data retrieval are also available. It requires a PC with a 1 GHz CPU clock and 512 MB memory. The system works from 100 VAC to 240 VAC.

28

C. Kollmitzer et al.

3.4 Quintessence Labs qStream is a product from QuintessenceLabs using advanced laser optics to provide random numbers at the speed of 1 Gbit/sec. In raw entropy output mode it provides a speed of 8 Gbit/sec. It meets the NIST SP 800-90 series of draft standards for NonDeterministic Random Bit Generator (NRBG) construction. qStream delivers the random numbers through a centrally managed service via OASIS Key Management Interoperability protocol (KMIP). The random number can also be received by TCP. The product comes with the qClient software develompent kit for the integration into other systems. The generator works from 90 VAC to 264 VAC, 47 H to 63 H power.

3.5 Crypta Labs Crypta Labs are developing their own chip (QRB121) by combining a light source, a detector and a processor into a singe Application Specific Integrated Circuit (ASIC) chip. The company uses the randomness inherent in light to generate true random numbers. The product is yet to be commercially available.

3.6 Micro Photon Devices The Quantum Random Number Generator is based on the intrinsic statistical behavior of a quantum detector ignited by electron-hole pairs generated within a semiconductor using their patent pending method. The product passed NIST Statistical Test Suite for randomness. The digital interface is USB 2.0. The DLLs are provided for easy customization. The product provides random numbers at bit rates of 16 Mbit/sec, 32 Mbit/sec, 64 Mbit/sec and 128 Mbit/sec. It supports Windows and Linux.

3.7 Qutools GmbH qutool’s quRNG 50 is a QRNG that produces true random numbers with a maximum bit rate of 50 Mbit/sec. It is read out via a USB 2.0 interface. The source of randomness is based on the uncertainty of the detection time of photons emitted from a light emitting diode (LED). The photons are collected by a single photon detector at a high rate and subsequently digitized. The random bit stream can be set at an adjustable rate. The proper tuning of the LED’s light intensity allows complete omission of post processing.

Quantum Random Number Generation

29

It provides a graphical user interface that could be used to set and read parameters. An API and sample code working with C/C++ and LabVIEW™ are also available. They work with Windows XP, Vista, 7 and Linux. Devices web references ComScire

comscire.com

ID Quantique

www.idquantique.com/

PicoQuant

www.picoquant.com/

Quintessence Labs

www.quintessencelabs.com

Crypta Labs

www.cryptalabs.com

Micro Photon Devices

www.micro-photon-devices.com/

Qutools GmbH

www.qutools.com/

4 Quantum Random Number Generation as a Service (see Table 2) 4.1 Australian National University (ANU) The Australian National University runs a QRNG based on quantum vacuum fluctuations. It provides the service through a web site allowing everybody to see, listen or download the quantum random numbers and assess the quality of the numbers generated in real time. It continuously runs the NIST statistical test suite to verify the randomness of the generated numbers. The live random number can be accessed in various formats such as hex, binary, colors, character blocks etc.

4.2 Humboldt-Universität Zu Berlin The service is a part of a joint research and development effort of PicoQuant GmbH and the Nano-Optics groups at the Department of Physics of Humboldt University. The QRNG is based on the quantum randomness of photon arrival time (see Sect. 2.2.2) and is also sold as a product (PQRNG 150) by PicoQuant GmbH. The service is free of charge, but requires registration. Service web references Australian National University (ANU)

qrng.anu.edu.au

Humboldt-Universität zu Berlin

qrng.physik.hu-berlin.de

Physical principle for the generation

No The users enjoy the benefit of a truly random number service and avoid the drawbacks of pseudo-random number generator Published in [20, 57] and used and cited in [5, 22, 46, 71] etc.

Commercialization planned Benefits for customers

Publications

Special area of use Server Access

Service certified Applications already in use

The raw sampled random numbers follow a Gaussian distribution. A randomness extraction algorithm (AES 128) is performed on the raw data. The amount of randomness to be extracted is calculated based on the conditional min-entropy of the quantum source No The service has been used by research institutions, gaming websites and software companies No An average of 1900 visits per day in 2018. With 224 GByte downloaded between January and May 2018

Algorithmic postprocessing of the raw data

Technical characteristics of the service (restrictions/limitations, speed, APIs, ...)

ANU

Measuring the quadrature fluctuations of a vacuum field using a homodyne measurement (see Sect. 2.2.3) No limits or speed restrictions. Download of blocks of random data in various formats. There are APIs available that returns JSON responses, C, C++, Ruby, Python, C#, Matlab, Perl, .NET and Java

Specifications

Table 2 Comparison of QRNG-as-a-service provider

Published in [62] and cited in several publications

No Simulations, cryptography, academic teaching, art, gambling No On average 3 logins per day for data retrieval. Total data delivered = 1.27 PB since November 2010 No Free service

Quantum randomness in photon arrival time differences (see Sect. 2.2.2) 150 Mbits/s from the generator hardware, server speed is on par, connected via DFN, unused data is cached on disc, all data is delivered only once, download of files or via API (DLL) for Linux, Windows or Mac OS Yes, resilient function, details see [62]

HU Berlin

30 C. Kollmitzer et al.

Quantum Random Number Generation

31

5 Conclusion Quantum random number generators use principles of quantum mechanics as a source of entropy. By doing so they are able to provide true random numbers. There are many different methods of using quantum physics principles as an entropy source. The various QRNG products available in the market use either shot noise generated by Zener diodes or MOSFET transistors as an entropy source or photons as entropy source. ComScire PQ128MU uses a MOS transistor as a shot noise source.The maximum number of QRNGs available are based on quantum optics. The inherent randomness in quantum state of photons provide a good and simple choice for use these as entropy source. The single-photon splitting is used by Quantis QRNG. The Australian National University runs a QRNG based on quantum vacuum fluctuations. PicoQuant and qutool QRNGs are based on the arrival time of photons. The QuintessenceLabs QRNG provides the highest speed of 1 GBps using quantum vacuum fluctuations.

References 1. Abellán, C., Amaya, W., Jofre, M., Curty, M., Acín, A., Capmany, J., Pruneri, V., & Mitchell, M. W. (2014). Ultra-fast quantum randomness generation by accelerated phase diffusion in a pulsed laser diode. Optics express, 22(2), 1645–1654. 2. Alliance, C. S. (2016). Quantum Random Number Generators. 3. Bagini, V., & Bucci, M. (1999). A design of reliable true random number generator for cryptographic applications. In International Workshop on Cryptographic Hardware and Embedded Systems (pp. 204–218). Springer. 4. Bagini, V., & Bucci, M. (2007). A design of reliable true random number generator for cryptographic applications, pp. 204–218. 5. Bennet, A., Vértesi, T., Saunders, D. J., Brunner, N., & Pryde, G. J. (2014) Experimental semidevice-independent certification of entangled measurements. Physical Review Letters, 113(8), 80,405. https://doi.org/10.1103/PhysRevLett.113.080405. 6. Burri, S., Stucki, D., Maruyama, Y., Bruschini, C., Charbon, E., & Regazzoni, F. (2014). SPADs for quantum random number generators and beyond. In Design Automation Conference (ASPDAC), 2014 19th Asia and South Pacific (pp. 788–794). IEEE. 7. Bustard, P. J., Moffatt, D., Lausten, R., Wu, G., Walmsley, I. A., & Sussman, B. J. (2011). Quantum random bit generation using stimulated Raman scattering. Optics Express, 19(25), 25173–25180. 8. Chor, B., Goldreich, O., Hasted, J., Freidmann, J., Rudich, S., & Smolensky, R. (1985). The bit extraction problem or t-resilient functions. In 26th Annual Symposium on Foundations of Computer Science (pp. 396–407). IEEE. 9. Collins, M. J., Clark, A., Yan, Z., Xiong, C., Steel, M. J., & Eggleton, B. J. (2014). Quantum random number generation using spontaneous raman scattering. In CLEO: QELS-Fundamental Science (pp. JTh2A–123). Optical Society of America. 10. Collins, M. J., Clark, A. S., Xiong, C., Mägi, E., Steel, M. J., & Eggleton, B. J. (2015). Random number generation from spontaneous Raman scattering. Applied Physics Letters, 107(14), 141,112.

32

C. Kollmitzer et al.

11. Corporation, R. (1955). A million random digits with 100,000 normal deviates. Free Press. 12. Davies, R. B. (2002). Exclusive OR (XOR) and hardware random number generators. Retrieved May 31, 2013. 13. Dynes, J. F., Yuan, Z. L., Sharpe, A. W., & Shields, A. J. (2008). A high speed, postprocessing free, quantum random number generator. Applied Physics Letters, 93(3), 31,109. https://doi. org/10.1063/1.2961000. 14. England, D. G., Bustard, P. J., Moffatt, D. J., Nunn, J., Lausten, R., & Sussman, B. J. (2014). Efficient Raman generation in a waveguide: A route to ultrafast quantum random number generation. Applied Physics Letters, 104(5), 51,117. 15. Friedman, H. (1949). Geiger counter tubes. Technical report., Naval Research Lab Washington DC. 16. Fürst, H., Weier, H., Nauerth, S., Marangon, D. G., Kurtsiefer, C., & Weinfurter, H. (2010). High speed optical quantum random number generation. Optics Express, 18(12), 13029–13037. 17. Gräfe, M., Heilmann, R., Perez-Leija, A., Keil, R., Dreisow, F., Heinrich, M., et al. (2014). On-chip generation of high-order single-photon W-states. Nature Photonics, 8(10), 791. 18. Guang-Zhao, T., Mu-Sheng, J., Shi-Hai, S., Xiang-Chun, M., Chun-Yan, L., & Lin-Mei, L. (2013). Quantum random number generation based on quantum phase noise. Chinese Physics Letters, 30(11), 114,207. 19. Guo, H., Tang, W., Liu, Y., Wei, W. (2010) Truly random number generation based on measurement of phase noise of a laser. Physical Review E, 81(5), 51,137. 20. Haw, J. Y., Assad, S. M., Lance, A. M., Ng, N. H. Y., Sharma, V., Lam, P. K., & Symul, T. (2015). Maximization of extractable randomness in a quantum random-number generator. Physical Review Applied, 3(5), 54,004. https://doi.org/10.1103/PhysRevApplied.3.054004. 21. Henry, C. (1982). Theory of the linewidth of semiconductor lasers. IEEE Journal of Quantum Electronics, 18(2), 259–264. 22. Herrero-Collantes, M., Garcia-Escartin, J. C. (2017). Quantum random number generators. Reviews of Modern Physics, 89(1). https://doi.org/10.1103/RevModPhys.89.015004. 23. Hirano, K., Yamazaki, T., Morikatsu, S., Okumura, H., Aida, H., Uchida, A., et al. (2010). Fast random bit generation with bandwidth-enhanced chaos in semiconductor lasers. Optics Express, 18(6), 5512–5524. 24. Jennewein, T., Achleitner, U., Weihs, G., Weinfurter, H., Zeilinger, A., & Wien, A. (2000). A fast and compact quantum random number generator. Review of Scientific Instruments, 71(4), 1675–1680. 25. Jun, B., & Kocher, P. (1999). The Intel random number generator. Cryptography Research Inc. White paper, 27, 1–8. 26. Katsoprinakis, G. E., Polis, M., Tavernarakis, A., Dellis, A. T., Kominis, I. K. (2008). Quantum random number generator based on spin noise. Physical Review A, 77(5), 54,101. 27. Li, X., Cohen, A. B., Murphy, T. E., & Roy, R. (2011). Scalable parallel physical random number generator based on a superluminescent LED. Optics Letters, 36(6), 1020–1022. 28. Liu, Y., Zhu, M., Guo, H. (2010). Truly random number generation via entropy amplification. arXiv:1006.3512. 29. Ma, H. Q., Xie, Y., & Wu, L. A. (2005). Random number generation based on the time of arrival of single photons. Applied Optics, 44(36), 7760–7763. 30. Ma, X., Yuan, X., Cao, Z., B., Q., & Zhang, Z. (2016). Quantum random number generation. Nature. 31. Marandi, A., Leindecker, N. C., Pervak, V., Byer, R. L., & Vodopyanov, K. L. (2012). Coherence properties of a broadband femtosecond mid-IR optical parametric oscillator operating at degeneracy. Optics Express, 20(7), 7255–7262. 32. Marandi, A., Leindecker, N. C., Vodopyanov, K. L., & Byer, R. L. (2012). All-optical quantum random bit generation from intrinsically binary phase of parametric oscillators. Optics Express, 20(17), 19322–19330.

Quantum Random Number Generation

33

33. Martin, A., Sanguinetti, B., Lim, C. C. W., Houlmann, R., & Zbinden, H. (2015). Quantum random number generation for 1.25-GHz quantum key distribution systems. Journal of Lightwave Technology, 33(13), 2855–2859. 34. Nyquist, H. (1928). Thermal agitation of electric charge in conductors. Physical Review, 32(1), 110. 35. Oestreich, M., Römer, M., Haug, R. J., & Hägele, D. (2005). Spin noise spectroscopy in GaAs. Physical Review Letters, 95(21), 216,603. 36. Peres, Y. (2007). Iterating Von Neumann’s procedure for extracting random bits. The Annals of Statistics. https://doi.org/10.1214/aos/1176348543. 37. Pironio, S., Acín, A., Massar, S., de La Giroday, A. B., Matsukevich, D. N., Maunz, P., Olmschenk, S., Hayes, D., Luo, L., Manning, T. A., et al. (2010). Random numbers certified by Bell’s theorem. Nature, 464(7291), 1021. 38. Qi, B., Chi, Y. M., Lo, H. K., & Qian, L. (2010). High-speed quantum random number generation by measuring phase noise of a single-mode laser. Optics Letters, 35(3), 312–314. 39. Raymer, M. G., & Walmsley, I. A. (1990). The quantum coherence properties of stimulated Raman scattering. Progress in Optics, 28(C), 181–270. https://doi.org/10.1016/S00796638(08)70290-7. 40. Reidler, I., Aviad, Y., Rosenbluh, M., & Kanter, I. (2009). Ultrahigh-speed random number generation based on a chaotic semiconductor laser. Physical Review Letters, 103(2), 24,102. 41. Ruhkin, A. (2011). Statistical testing of randomness: Old and new procedures. In Randomness through computation 42. Rukhin, A., Soto, J., Nechvatal, J., Smid, M., & Barker, E. (2001). A statistical test suite for random and pseudorandom number generators for cryptographic applications. Technical report, Booz-Allen and Hamilton Inc Mclean Va. 43. Shaltiel, R. (2002). Recent developments in explicit constructions of extractors. Bulletin of the EATCS, 77(67–95), 10. 44. Shaltiel, R. (2008). How to get more mileage from randomness extractors. Random Structures & Algorithms, 33(2), 157–186. 45. Shen, Y., Tian, L., & Zou, H. (2010). Practical quantum random number generator based on measuring the shot noise of vacuum states. Physical Review A, 81(6), 063,814. https://doi.org/ 10.1103/PhysRevA.81.063814. 46. Sigwart, J. D., Sutton, M. D., & Bennett, K. D. (2018). How big is a genus? Towards a nomothetic systematics. Zoological Journal of the Linnean Society, 183(2), 237–252. https://doi.org/ 10.1093/zoolinnean/zlx059. 47. Stefanov, A., Gisin, N., Guinnard, O., Guinnard, L., & Zbinden, H. (2000). Optical quantum random number generator. Journal of Modern Optics, 47(4), 595–598. https://doi.org/10.1080/ 09500340008233380. 48. Stich, D., Zhou, J., Korn, T., Schulz, R., Schuh, D., Wegscheider, W. et al. (2007). Effect of initial spin polarization on spin dephasing and the electron g factor in a high-mobility twodimensional electron system. Physical Review Letters, 98(17), 176,401. 49. Stipcevic, M. (2012). Quantum random number generators and their applications in cryptography. 8375, 837,504–837,504–15. arXiv:quant-ph. arXiv:1103.4381. https://doi.org/10. 1117/12.919920. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5967293& isnumber=5967009%5Cn. http://proceedings.spiedigitallibrary.org/proceeding.aspx? articleid=1354136. 50. Stipcevic, M. (2014). Open problems in mathematics and computational science. https://doi. org/10.1007/978-3-319-10683-0. 51. Stipˇcevi´c, M., & Rogina, B. M. (2007). Quantum random number generator based on photonic emission in semiconductors. Review of Scientific Instruments, 78(4), 45,104.

34

C. Kollmitzer et al.

52. Stipˇcevi´c, M., & Ursin, R. (2015) An on-demand optical quantum random number generator with in-future action and ultra-fast response. Scientific Reports, 5, 10,214. 53. Stucki, D., Burri, S., Charbon, E., Chunnilall, C., Meneghetti, A., & Regazzoni, F. (2013). Towards a high-speed quantum random number generator. In Emerging Technologies in Security and Defence; and Quantum Security II; and Unmanned Sensor Systems X (Vol. 8899, p. 88990R). International Society for Optics and Photonics. 54. Sunada, S., Harayama, T., Arai, K., Yoshimura, K., Tsuzuki, K., Uchida, A., et al. (2011). Random optical pulse generation with bistable semiconductor ring lasers. Optics Express, 19(8), 7439–7450. 55. Sunar, B., Martin, W. J., & Stinson, D. R. (2007). A provably secure true random number generator with built-in tolerance to active attacks. IEEE Transactions on Computers, 56(1). 56. Symul, T., Assad, S. M., & Lam, P. K. (2011). Real time demonstration of high bitrate quantum random number generation with coherent laser light. Applied Physics Letters, 98(23), 231,103. https://doi.org/10.1063/1.3597793. 57. Symul, T., Assad, S. M., & Lam, P. K. (2011). Real time demonstration of high bitrate quantum random number generation with coherent laser light. Applied Physics Letters, 98(231103), 1–3. 58. Taylor, G., & Cox, G. (2011). Behind Intel’s new random-number generator. IEEE Spectrum, 24. 59. Tisa, S., Villa, F., Giudice, A., Simmerle, G., & Zappa, F. (2015). High-speed quantum random number generation using CMOS photon counting detectors. IEEE Journal of Selected Topics in Quantum Electronics, 21(3), 23–29. 60. Vartsky, D., Bar, D., Gilad, P., & Schon, A. (2011) High-speed, true random-number generator. 61. Von Neumann, J. (1951). Various techniques used in connection with random digits. National Bureauof Standards Applied Mathematics. DOI citeulike-article-id:10404544. 62. Wahl, M., Leifgen, M., Berlin, M., Röhlicke, T., Rahn, H. J., & Beson, O. (2011). An ultrafast quantum random number generator with provably bounded output bias based on photon arrival time measurements. Applied Physics Letters, 98(17). 63. Wang, A. B., Wang, Y. C., & Wang, J. F. (2009). Route to broadband chaos in a chaotic laser diode subject to optical injection. Optics Letters, 34(8), 1144–1146. 64. Wayne, M. A., Jeffrey, E. R., Akselrod, G. M., & Kwiat, P. G. (2009). Photon arrival time quantum random number generation. Journal of Modern Optics, 56(4), 516–522. 65. Wilber, S. A. (2013). Entropy analysis and system design for quantum random number generators in CMOS integrated circuits. 66. Williams, C. R. S., Salevan, J. C., Li, X., Roy, R., & Murphy, T. E. (2010). Fast physical random number generator using amplified spontaneous emission. Optics Express, 18(23), 23584– 23597. 67. Wu, L. A., Kimble, H. J., Hall, J. L., & Wu, H. (1986). Generation of squeezed states by parametric downconversion. Physical Review Letters, 57(20), 2520. 68. Xu, F., Qi, B., Ma, X., Xu, H., Zheng, H., & Lo, H. K. (2012). Ultrafast quantum random number generation based on quantum phase fluctuations. Optics Express, 20(11), 12366–12377. 69. Yan, Q., Zhao, B., Liao, Q., & Zhou, N. (2014). Multi-bit quantum random number generation by measuringpositions of arrival photons. Review of Scientific Instruments, 85(10). https://doi. org/10.1063/1.4897485. 70. Yu, L. M., Yang, M. J., Wang, P. X., & Kawata, S. (2014). Note: A sampling method for quantum randombit generation. Review of Scientific Instruments, 046107(2010), 2008–2011 (2014). https://doi.org/10.1063/1.3397179. 71. Zheng, J., & Zheng, C. (2017). Stationary randomness of quantum cryptographic sequences on variant maps. In: Proceedings of the 2017 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining 2017, ASONAM ’17 (pp. 1041–1048). ACM, New York, USA. https://doi.org/10.1145/3110025.3110151. 72. Zhou, H., Yuan, X., & Ma, X. (2015) Randomness generation based on spontaneous emissions of lasers. Physical Review A, 91(6), 62,316.

Authentic Quantum Nonces Stefan Rass

and Peter Schartner

1 Motivation Random numbers play different roles in cryptographic systems. Mostly, they are used to generate keys or create uncertainty towards better security in different attack scenarios. Concerning the latter, it is often necessary to assure a certain minimum entropy of a random value, and to prevent coincidental equality of two random numbers chosen at different times or different places. While the former requirement is obvious, revealing the problem with the latter requires some more arguing: as a simple example, consider two independent persons A, B instantiating individual RSA encryption systems. Both choose large primes p A , q A and p B , q B , respectively, making up the key-parameters n A = p A q A and n B = p B q B . If { p A , q A } ∩ { p B , q B } = ∅ and n A = n B , then gcd(n A , n B ) ∈ { p A , p B , q A , q B }, which defeats security of both RSA instances. Adhering to recommended key-sizes, it is tempting to think that the chances of a match of two, say 512 bit long, primes is negligible. Even mathematically, the prime number theorem (Eq. (1)) assures that there are at least 1.84 × 10151 primes within the range {2511 , . . . , 2512 − 1}, so there appears to be no problem in choosing those parameters independently from each other. Unfortunately, reality differs from the theoretical expectations in a devastating manner: according to findings of [10], approximately 12,500 out of a random sample of more than 4.7 million RSA-moduli, downloaded from public sources, could be factored by humble pairwise greatest common division computation! While it is difficult to exactly pin down the reasons for this phenomenon, one possibility is the computation of those numbers by pseudorandom sequences whose seed is by coincidence unknowingly S. Rass (B) · P. Schartner System Security Group, Alpen-Adria Universität Klagenfurt, Universitätsstrasse 65-67, 9020 Klagenfurt, Austria e-mail: [email protected] P. Schartner e-mail: [email protected] © Springer Nature Switzerland AG 2020 C. Kollmitzer et al. (eds.), Quantum Random Number Generation, Quantum Science and Technology, https://doi.org/10.1007/978-3-319-72596-3_3

35

36

S. Rass and P. Schartner

chosen identically by different persons. That is, if the key generation algorithm is implemented to use a (perhaps) user-supplied randomness or randomness from “low quality sources”, then the effective chances of two users starting with the same seed are much higher than what theoretical considerations (such as those based on the prime number theorem or assuming a simple uniform choice-distribution) would indicate. At least for this reason, quantum randomness would—at first glance—be a good replacement for user-supplied randomness (such as mouse movements). However, a proper post-processing to authenticate a generator’s output and to avoid random number generators coming up with identical outputs is nevertheless an advisable precaution. Stressing the prime number theorem further, we know (see [1]) that the number π(n) of primes within the range [2, n] where n ≥ 55 is bounded as n n ≤ π(n) ≤ log n + 2 log n − 4

(1)

Now, suppose we wish to generate primes having at least k bits, i.e., we harvest primes from the interval I = [a, b] = [2k−1 , 2k − 1]. The number of primes inside I is by (1) bounded as a b a b − ≤ π(b) − π(a) ≤ − . log b + 2 log a − 4 log b − 4 log a + 2    =:N

For k = 512 bit primes, we thus have no more than 1.939 × 10151 primes among b − a = 2k−1 − 1 numbers. Hence, the interval I contains at least one gap of ≥ (b − a)/N = 345 consecutive composite numbers. If the random prime generator is implemented to look for the first prime appearing in some monotone search sequence starting off a random seed, then two prime number generators hitting the same gap of composite numbers may nevertheless output the same resulting prime. Figure 1 shows a situation in which the same prime is found by two different algorithms via distinct search sequences over the integers. Despite the magnitudes being still small in our example, it illustrates that the probability of locating identical primes during two independent key generation processes would be dramatically underestimated if we erroneously assume a uniformly random draw from the set of primes. While the statistical odds to accidentally hit the same integer over a search in the range of 512 bit or higher is sure negligible, reframing this possibility towards a potential attack scenario is worthwhile to look at. Especially so, as standard cryptosystems like RSA or ElGamal (and hence also the digital signature standard) can be attacked most easily, when the involved randomness source gets under the attacker’s control or influence, regardless of whether or not the randomness is used to find primes or simply as a general input. Suppose that an adversary somehow manages to replace the randomness source of a system by another source of low entropy, in an attempt to make the above trivial factoring possible and feasible. We call this a randomness substitution attack. Scaling up

Authentic Quantum Nonces

37

this thought, distributed attacks on random number generators that make only a portion of those emit random numbers with low entropy may already suffice to establish a significant lot of RSA instances [13] that are vulnerable to simple gcd-based factorization, or instances of ElGamal signatures [4, 11] (such as the digital signature standard is based on) that are vulnerable to the following attack: suppose that the ElGamal system parameters are (for simplicity) a prime p, generator g of Z p and some cryptographic hash function h. To sign a message m, Alice chooses k ∈ R {2, . . . , p − 2} randomly and relatively prime to p − 1 and computes r = g k MOD ( p − 1). Taking the message hash h(m) (to thwart existential forgery attempts), the signature pair (s, r ) is completed by computing s ≡ k −1 (h(m) − sk · r ) mod ( p − 1), using her secret key sk. The latter, however, can be recovered easily if the same k is used twice by Alice, say, if her random number generator has been hacked. In that case, anyone getting two signatures using the same such k is presented with two equations in two unknowns, namely k and sk, from which both are trivially recovered. Similar attacks are possible for ElGamal encryption. Finally, in the zero-knowledge area, it is even mandatory to avoid responding to two identical first messages (witnesses), in which case the necessarily existent knowledge extractor directly outputs the secret information of the prover (see [7]). Since theoretical arguments for the security of such common primitives usually rest on uniformly distributed random values, whose values match with only negligible likelihood, the source of randomness can be a neuralgic spot in an implementation. The foremost danger of randomness substitution is not its sophistication, but its simplicity and apparent insignificance that may cause countermeasures to be hardly considered as necessary. Nevertheless, authentic random values with lower-bounded entropy and explicit avoidance of coincidental matches are easy to construct yet advisable to use. The remainder of this chapter is organized as follows. In Sect. 2, we will sketch the basic cryptographic building blocks used to embed certain additional information into a quantum-generated random bitstring. This additional information will not only assure distinctness of values generated by otherwise independent generators, but also assure uniqueness of values over an exponentially long range in the (infinite) sequence of random numbers emitted by the same generator. We call such numbers nonces. Section 3 shows the construction and how to verify the origin of a random number. Notice that in this context, we neither claim nor demand information-theoretic

Fig. 1 Coincidentally hitting the same prime during key-generation

38

S. Rass and P. Schartner

security (as would be common in a full-fledged quantum cryptographic setting), but our focus is on classical applications that use quantum randomness to replace usersupplied random values. However, replacing the generator itself is an issue that must as well be avoided, which is doable by classical techniques, as we will outline here.

2 Preliminaries We will write x ∈ {0, 1} to mean bitstrings of length , and let {0, 1}∗ be the set of all bitstrings (of arbitrary length). The notation x y denotes any encoding of x and y into a new string, from which a unique recovery of x and y is possible (e.g., concatenation of x and y, possibly using a separator symbol). Sets are written in sans serif letters, such as M, and their cardinality is |M|. We will employ classical cryptographic techniques to establish a binding between a random number and its origin device, and to assure uniqueness of random values over time and across different generators. To this end, we will use digital signatures with message recovery, and symmetric encryption. Recall the general framework of these, into which RSA-, Rabin or Nyberg-Rueppel signatures fit [12]: take t ∈ N as a security parameter that governs the setup of the following sets and parameters: let M ⊆ {0, 1}∗ be the message space, and let M S be the signing space, i.e., the set of all (transformed) messages on which we may compute a digital signature. Furthermore, let R : M → M S be an invertible redundancy function that is publicly known, and equate R(M) = Im(R) = M S for simplicity, i.e., we compute signatures exclusively on image values of R applied to messages. Furthermore, define the mappings Sign : M S × K → S and E xtract : S × K → Im(R) as the signing and verification functions, where S is the signature space and K is the keyspace, where the secret signature key and public verification key come from. A digital signature is obtained by computing s = Sign(R(m), sk). As we demand message recovery, the verification proceeds in four steps, assuming that we received the signature s ∗ to be validated: 1. Obtain the signer’s public key pk from a valid certificate (also provided by the signer), 2. Compute m  = E xtract (s ∗ ). 3. Verify that m  ∈ Im(R) = M S , otherwise reject the signature. m ). 4. Recover the message m = R −1 ( Notice the apparent similarity to a conventional signature with appendix, in which we would sign the hash-value h(m) instead of m to avoid existential forgery. Our construction to follow in Sect. 3 will crucially rely on the recovery feature of the signature, so that resilience against existential forgery mostly hinges on a proper choice of the redundancy function R. We stress that care has to be taken in this regard, as, for example, the IEC/ISO standards 9796 recommendations on this matter have been broken in various versions [2, 3]. In general, this choice should be made dependent on the signature scheme in charge, and to thwart existential forgery, the

Authentic Quantum Nonces

39

redundancy function should not exhibit any homomorphic properties. One possible choice is R(m) = m m, which is admissible under the hypothesis that M ⊂ {0, 1} for some large  that depends polynomially on the security parameter (in which case |M| / |M S | = 2−(t) becomes small as the security parameter t gets larger), and the signature scheme being such that it is unlikely to obtain a value s such that s d ∈ Im(R) (existential forgery). Another possible choice would be R(m) = m h(m), where h is a cryptographic (or universal) hash-function, where we emphasize that no rigorous security proof for either choice is provided here. As a second ingredient, we will use a symmetric encryption E, e.g. AES, writing E k (m) to mean the encryption of m under key k and transformation E. The respective decryption is denoted as E k−1 (m). Our recommended choice for practicality is AES. Finally, we assume that each random generator is equipped with a world-wide unique identification number, such as is common for network cards (MAC address) or smartcards (integrated circuit card serial number ICCSN [9]). Hereafter, we will refer to this quantity as the I D of the generator.

3 Construction Given a generator with a unique identifier I D, let it internally maintain a counter c ∈ N (initialized to zero), and let r ∈ {0, 1}∗ denote a raw random bitstring that the quantum random generator emits per invocation. The final output of the random generator is constructed over the following steps, illustrated graphically in Fig. 2. Notice that only parts of this process need to happen inside some tamper-proof environment (say, a hardware security module or similar), namely those that involve secret authentication keys (signature data). 1. Increment c ← c + 1 2. Compute x ← I D c r 3. Apply a digital signature with message recovery, using the secret signature key sk, i.e., compute s ← Sign(R(x), sk). 4. Append the generator’s public key pk and identity I D to get y ← s pk I D 5. Choose another (quantum) random number k and deliver the final output R := E k (y) k. It is easy to see that the so-constructed sequence of numbers enjoys all the properties that we are looking for. The purpose of the last step is to add randomness so as to avoid parts of the random values (the public key and identity) remain constant over time. Note that all of the above transformations are invertible and hence injective. We examine each of the properties separately in the following. Uniqueness We refer the interested reader to [14] for a comprehensive discussion of how to assure uniqueness and unlinkability of random numbers, and confine ourselves

40

S. Rass and P. Schartner

Fig. 2 Schematic of post-processing for authentic nonces

to only a brief discussion of the construction in the following. To this end, let R1 = E k1 (y1 ) k1 , R2 = E k2 (y2 ) k2 be two outputs of a generator (possibly the same one or different devices). Uniqueness is trivial if k1 = k2 , so assume a coincidental match between the two. At this point, we stress that this value in a faithful implementation would come from the quantum randomness source, but as we are in the post-processing stage here, we must consider the possibility that k1 , k2 come from the attacker. If R1 , R2 match upon the least significant bits making up the keys

Authentic Quantum Nonces

41

k1 = k2 = k, then uniqueness requires E k (y1 ) = E k (y2 ). Since E k is injective, we hence look at y1 = s1 pk1 I D1 and y2 = s2 pk2 I D2 . Again, so far there is nothing that would stop an attacker from replacing any of these components. As before, uniqueness is obvious upon different identities, or different public keys. Otherwise, say if R1 , R2 come from the same generator so that I D1 = I D2 = I D, then the problem rests with s1 hopefully being different from s2 . Here comes the signature with message recovery into play. Recover x1 = I D1 c1 r1 from s1 and x2 = I D2 c2 r2 from s2 , which can be done unambiguously. Here, we ultimately have a difference, as either the generator is the same, but then the counters are different at least. Or, the generators are different, in which case the IDs distinguish the two. It follows that the entire output of the generator, regardless of adversarial influence at any postprocessing stage—excluding the signature generation—is unique. Authenticity Having stripped all layers of signatures and encryptions as sketched above, we are left with two identity strings I D and I D  when we reach the innermost piece of data x = I D c r , being wrapped inside s pk I D  . One indicator of an attacker having made changes is a mismatch between I D and I D  . However, a stronger indication is of course provided by the digital signature verification, which is the primary measure to assure authenticity. At this point, it is important to stress the need for the manufacturer’s certificate that links the public key of the generator to its I D (for otherwise, an attacker could create his own signature key pair and trick the user of the random number generator into using the wrong key to check authenticity). The certificate can be standard (say, X.509), such as used in most conventional public-key infrastructures. Entropy Notice that besides randomness that possibly went into the signature (e.g., if a Nyberg-Rueppel signature was in charge) or later stages of the postprocessing (i.e., the key k), the assured entropy coming out of the quantum random generator is limited by what has been authenticated. Hence, only the innermost value r can be used to lower-bound the entropy of the final output (assuming possible adversarial modifications), leading to the entropy bound H (R) ≥ H (r ). Besides Shannon-entropy, min-entropy of the generator’s output may be of interest. However, most applications demand high min-entropy for matters of randomness extraction, which is most easily done by extracting the authenticated quantum random bitstring r from the generator’s output R. Harvesting further randomness is of course possible by standard techniques (e.g., based on universal hashing or similar), yet this would no longer be guaranteed to come from the quantum source. The question of whether this perhaps additional information would nevertheless be out of the attacker’s scope of deterministic influence, is here left to be debated in light of the particular application.

42

S. Rass and P. Schartner

4 Security Our application of digital signatures naturally puts the chosen signature scheme in jeopardy of a known-message attack. Assuming that the generator is tamperproof (at least to protect its internal identity information from forgery), chosen- or adaptive chosen message attacks (cf. [8]) are not of primary danger in this setting. Nevertheless, to avoid an attacker replacing the randomness source by another one (with low entropy), the signature scheme must be chosen with care. In the presented form so far, authenticity is assured on grounds of computational intractability, assuming that the signature function is secure against known-message attacks. Besides, hardware security precautions to protect the secret key against physical leakage and backward inference towards it are advisable. However, this attack requires physical access to the generator device. If one wishes to go without computational intractability based security, the digital signature with message recovery may be replaced by a conventional message authentication code (MAC), based on universal hashing and continuous authentication. We borrowed this term from the quantum key distribution area [5], as it basically describes the following idea (in our and their application): start with an initial secret s0 shared between the peers of a communication link. Use the initial secret s0 to authentically exchange another secret s1 (in the application of [5], s1 would be a quantum cryptographically established secret key). For the next run (of the protocol, application, etc.), use s1 to authenticate the establishment of a further secret s2 , and so on. We can basically play the same trick here, putting an initial secret s0 in charge of authenticating the first random values emitted by our quantum random generator. The role of the signature with message recovery is taken over by a “MAC with appendix”. That is, we use a function M AC : {0, 1}∗ × K → {0, 1} , say a universal hash-family [15], and authenticate the string I D c r simply by adding a keyed checksum as R(I D 1 r ) M AC(R(I D 0 r ), s0 ), when r is the first random number ever emitted by our generator. After then, the authentication is done using the respective last number r , i.e., we emit R(I D c + 1 r  ) M AC(R(I D c r  ), r ), whenever r  follows r in the sequence (see Fig. 3 for an illustration). By a proper choice of the MAC, it is possible to assure security without resting on computational intractability. However, we run into issues of synchronization here, thus opening another potential attack scenario, when the adversary succeeds in blocking some of the random values. In that case, we would either have to attach multiple MACs and maintain a list of past authenticators, or periodically re-synchronize the process (which requires a fresh authentic key exchange with the generator). Hence, this variant may not necessarily preferable in practical applications.

Authentic Quantum Nonces

43

Fig. 3 Variant with continuous authentication instead of digital signatures

5 Efficiency Roughly, the postprocessing stage adds some redundancy to the randomness r , which depends on the concrete implementations of the signature and encryption. In case of RSA and AES, we would thus end up with (currently [6]) 4096 bits for R(I D c r ). Taking R(m) = m h(m), where h is a cryptographic hash like SHA-2 or Keccak, outputting 256 bit hashes, this leaves 4096 − 256 = 3840 bits for I D c r . Let the counter have 128 bits, and take the ID with 80 bits (such as the ICCSN in a smartcard, which takes up 10 bytes), we are left with a remainder of 3840 − 128 − 80 = 3632 bits of raw quantum randomness r . To the 4096 bit RSA block, we attach the ID (80 bits) and pk being a (short) RSA public key (say with 16 bits), expanding the input to AES-CBC (with ciphertext stealing) to 4096 + 80 + 16 = 4192 bits. To this, we attach another 128 bits for the AES key k, thus giving a final output of 4192 + 128 = 4320 bits, among which 3632 bits are pure quantum randomness. The relative overhead is thus ≈19%.

44

S. Rass and P. Schartner

6 Conclusions Applications that require high-quality random sources like quantum physics based ones, most likely do so because the upper level cryptographic application crucially rests on the statistical properties of the involved random quantities. Binding a random number to its origin is thus perhaps an easily overlooked precaution to avoid working with low-entropy or potentially coincidental random values in a cryptographic application. Interactive proofs of knowledge, as well as recent empirical findings [10] on parameter selection for RSA and the digital signature standard, dramatically illustrate the need for such post-processing.

References 1. Bach, E., & Shallit, J. (1996). Algorithmic number theory: Volume 1—efficient algorithms. MIT Press. 2. Coppersmith, D., Coron, J., Grieu, F., Halevi, S., Jutla, C., Naccache, D., et al. (2008). Cryptanalysis of ISO/IEC 9796–1. Journal of Cryptology, 21(1), 27–51. https://doi.org/10.1007/ s00145-007-9007-5. 3. Coron, J. S., Naccache, D., Tibouchi, M., & Weinmann, R. P. (2009). Practical cryptanalysis of ISO/IEC 9796-2 and EMV signatures. In: S. Halevi (Ed.) Advances in cryptology—CRYPTO. Lecture notes in computer science (vol. 5677, pp. 428–444). Springer. https://doi.org/10.1007/ 978-3-642-03356-8_25. 4. ElGamal, T. (1984). A public key cryptosystem and a signature scheme based on discrete logarithms. In Proceedings of CRYPTO 84 on Advances in Cryptology (pp. 10–18). New York, NY, USA: Springer New York, Inc. 5. Gilbert, G., & Hamrick, M. (2000). Practical quantum cryptography: A comprehensive analysis (part one). http://www.citebase.org/abstract?id=oai:arXiv.org:quant-ph/0009027. 6. Giry, D. (2013) Bluecrypt—cryptographic key length recommendation. Retrieved October 18th, 2013, from http://www.keylength.com/. 7. Goldreich, O. (2003). Foundations of cryptography 1, 2. Cambridge University Press. 8. Goldwasser, S., Micali, S., & Rivest, R. L. (1988). A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2), 281–308. https://doi. org/10.1137/0217017. 9. ISO/IEC: ISO/IEC 7812-1:2006 Identification cards—Identification of issuers—Part 1: Numbering system (2006). http://www.iso.org. 10. Lenstra, A. K. Hughes, J. P., Maxime, A., Bos, J. W., Thorsten, K., & Christophe, W. (2012). Ron was wrong, whit is right. Cryptology ePrint Archive, Report 2012/064. http://eprint.iacr. org/. 11. Locke, G., & Gallagher, P. (2009). Digital signature standard (DSS). Technical report. FIPS PUB 186-3, Federal Information Processing Standards (FIPS). 12. Menezes, A., van Oorschot, P. C., & Vanstone, S. (1997). Handbook of applied Cryptography. CRC Press LLC. 13. Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120–126. https://doi.org/ 10.1145/359340.359342. 14. Schartner, P. (2012). Random but system-wide unique unlinkable parameters. Journal of Information Security (JIS), 3(1), 1–10. http://www.scirp.org/journal/jis. ISSN Print: 2153-1234, ISSN Online: 2153-1242. 15. Wegman, M., & Carter, J. (1981). New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences.

Assessing the Statistical Quality of RNGs Benjamin Rainer , Jürgen Pilz and Martin Deutschmann

1 Motivation There has and still is an ongoing discourse on how to measure the quality of random numbers generated by Random Number Generators (RNGs). We differentiate between two classes of random number generators namely, True Random Number Generators (TRNGs) and Pseudo Random Number Generators (PRNGs). The former class of random number generators are typically implemented by hardware devices which generate random numbers by utilizing physical phenomena which cannot be deterministically described with current methods in mathematics and physics (e.g., quantum phenomena, atmospheric/thermal noise). The latter one are random number generators which implement an (deterministic) algorithm which generates a sequence of numbers approximating the properties of (true) random numbers. In order to generate a sequence of numbers, PRNGs use a so-called seed which is used as initial input for generating numbers but also pre-determines the output. However, TRNGs have one disadvantage in comparison to PRNGs in general. Exploiting physical phenomena and, thereof measuring and generating a numerical representation of the measurement can be expensive (photo detector(s), laser(s)). One may miss the argument of performance but recent TRNGs based on chaotic semiconductor lasers with time-delayed optical feedback are able to achieve rates up to 2.2 Tbit/s [19].

B. Rainer (B) AIT, Ladeside B10a, Vienna, Austria e-mail: [email protected] J. Pilz · M. Deutschmann Alpen-Adria-Universität Klagenfurt Alumni, Klagenfurt, Austria e-mail: [email protected] M. Deutschmann e-mail: [email protected] © Springer Nature Switzerland AG 2020 C. Kollmitzer et al. (eds.), Quantum Random Number Generation, Quantum Science and Technology, https://doi.org/10.1007/978-3-319-72596-3_4

45

46

B. Rainer et al.

We may investigate the goodness of a RNG from different view points. One may ask the question how prone a given RNG is to attacks allowing to introduce determinism into the produced sequence of numbers. The cryptographic analysis of RNGs is topic to the so-called cryptanalysis and is out of scope of this chapter. One may also ask for the goodness of the output of RNGs. Here, goodness refers to statistical properties of the sequence of numbers produced. For instance, one can simply ask for the uniformity of the bit sequence produced by an RNG. This, simple question can lead to a various different statistical tests where we test the output of an RNG. The goal of this chapter is to introduce the reader to the principles of statistical testing and statistically assessing the goodness of RNGs, summarizes the existing statistical tests, and provides statistical test results from PRNGs, TRNGs, and biased PRNGs.

2 Principles of Statistical Testing In the 1920s Sir R. Fisher introduced the null hypotheses testing as a tool for researchers to judge whether an effect in the obtained data of an experiment is worth to be investigated further or if its occurrences is purely random and is not worth a second look. It is important to note that the idea of Fisher was to provide a tool-set for a first glimpse at the obtained data from an experiment and not to finally judge whether specific effects or properties are really contained in the population from which the sample at hand is drawn. Statistical testing may aid us in drawing conclusions (under a significance level) for a population given a sample. We speak of a null hypothesis (H0 ) which assumes a certain effect in the population and an alternative hypothesis (Ha ) which assumes that the effect is not present in the population. Conducting an (random) experiment yields random variables X 1 , X 2 , . . . , X n , these are clustered under the test statistics Y = g(X 1 , X 2 , . . . , X n ), g being a transformation. A sample is the realisation of the random variables X 1 = x1 , X 2 = x2 , . . . , X n = xn and the corresponding statistics y = g(x1 , x2 , . . . , xn ). Thus, the distribution of Y is derived from the null hypothesis (we will provide an example later on). Table 2 depicts the possible outcomes of a statistical test under the null hypothesis (some authors call it the null). We differentiate between two types of errors (Table 1). Type I (false positive) with probability α and Type II (false negative) with probability β. Let c be the critical value corresponding to a given significance level α (false positive probability). The power of a statistical test is given by the probability to not obtain a false negative 1 − P(accept H0 |H0 is false) = 1 − β = 1 − P(Y ≤ c|H0 is false). However, when we conduct an experiment and by setting α and the sample size we indirectly determine β. We further have the identities α = P(reject H0 |H0 is true) = P(H0 is true) = P(H0 is true|accept H0 )P(accept H0 ) + P(Y > c|H0 is true), P(H0 is true|reject H0 )P(reject H0 ). The following example shows the limits of arguing with fixed significance levels.

Assessing the Statistical Quality of RNGs

47

Table 1 Possible outcomes of a statistical test knowing whether H0 is true H0 is true H0 is false Test positive (accept H0 ) Test negative (reject H0 )

No error Type I error (α)

Type II error (β) No error

Example 4.1 (Hypotheses testing and the misleading significance level.) As null hypothesis we assume that the coin is fair ( p0 = 21 ), while the alternative hypothesis says that the coin is biased and, thus, not fair. We conduct an experiment where we throw the coin n-times and we note the outcome. As test statistics we simply n 1 {head} (X i ). Then, Y follows a binomial distribution, Y ∼ Bi(n, p). use Y = i=1 Assume that we do n = 30 throws and that y = 19-times the coin shows head. For the two-sided p-value ( p = p0 ) we have, P(Y ≥ y|H0 is true) + P(Y ≤ n − y|H0 is true) =   i  30−i    i  30−i 30  11   1 1 1 1 30 30 + = 0.200488. i i 2 2 2 2 i=19 i=0 Therefore, the two-sided p-value is 0.200488 which is greater than α = 0.05 and we do not reject our null hypothesis, thus the obtained data from the experiment does not allow to conclude that the coin is not fair. Assume that the outcome of the experiment would have been y = 21, the two-sided p-value would be 0.0427739 which is lower than our set significance level and we would reject the null hypothesis (thus concluding that the coin is not fair). However, this only tells us that we have to conduct further tests for the assumed significance level and/or our sample size was just too small, but the data does not allow to conclude that the coin is not fair. Example 4.1 broaches the issue of thresholding the significance level (false positive probability) and the impact of too low sample sizes. Therefore, as proposed in [2] the p-value should be seen as a continuous measure of evidence against the null hypothesis. However, a very important aspect in experiment design and for obtaining meaningful results is the test power. We differentiate between a-priori and post-hoc (or observed power) power analysis. In [14], the authors discuss and shows that post-hoc power analysis leads to non-informative values which do not allow for any conclusion on the power of the conducted test. The authors of [14] show that there exists a one-to-one mapping between the p-value and the post-hoc test power. Before we take a look at another example showing how flawed post-hoc power tests are, we need the following result stating that p-values which themselves are random variables, P, are uniformly distributed on [0, 1]. Proposition 4.1 Assuming H0 is true and a point null (e.g., H0 : μ = 0), F being the cumulative distribution function (c.d.f.) of the continuous probability measure of Y under H0 , then P ∼ U (0, 1).

48

B. Rainer et al.

Proof Note that p-values are just a simple transformation P = 1 − F(Y ), where Y is the random variable for the selected test statisticsand for a random variable, P, uniformly distributed on [0, 1] it holds P(P ≤ p) = [0,1] 1 [0, p] (x)dλ(x) = λ([0, p]) = p, where λ is the Lebesgue-Borel measure. Then, we have P(P ≤ p) = P(1 − F(Y ) ≤ p) = P(−F(Y ) ≤ p − 1) = P(F(Y ) ≥ 1 − p) = P(F −1 (F(Y )) ≥ F −1 (1 − p)) = P(Y > F −1 (1 − p)) + P(Y = F −1 (1 − p)) = 

 =0

1 − P(Y ≤ F −1 (1 − p)) = 1 − F(F −1 (1 − p)) = p. The same holds for 1 − P = F(Y ).



We want to emphasize again that Proposition 4.1 does only hold when H0 is true and a point null. Any deviation from these assumptions leads to P not being uniformly distributed. Let us take a look at the following example (adapted from [14]) which illustrates the relation of post-hoc test power and the p-value. Example 4.2 (The misconception of post-hoc power analysis.) Assume an one-sample Z test with the null hypothesis H0 : μ ≤ 0 and alternative hypothesis Ha : μ > 0 with known σ 2 . We denote the c.d.f of the normal distribution with √expected value 0 and variance 1 (N (0, 1)) as Φ(x). As test statistics we use y = σn x¯ . Then Fμ0 ( p) := Pμ0 (P ≤ p) = 1 − Φ(Φ −1 (1 − p) − μ0 ). We further have F0 ( p) = p if H0 is true. Now the post-hoc power is obtained by setting the parameter μ0 to the observed statistic and finding the percentile for which P < α, this is given by FΦ −1 (1− p) (α) = 1 − Φ(Φ −1 (1 − α) − Φ −1 (1 − p)) and, therefore, the post-hoc power is directly given by the p-value. However, this adds nothing to the interpretation of the results at hand. Furthermore, we observe that for p = α we have FΦ −1 (1−α) (α) = 1 − Φ(Φ −1 (1 − α) − Φ −1 (1 − α)) = 1 − Φ(0) = 0.5. Example 4.2 states that post-hoc power analysis is useless and non-informative because we do not add anything to the interpretation of the results, everything we know (from the data at hand) is already expressed by the p-value. Figure 1 depicts the post-hoc power analysis as a function of the p-value for Example 4.2. It is evident that for “non significant” results the obtained post-hoc power is lower than for “significant results”. Thus, one should not use the post-hoc power analysis as evidence supporting the null hypothesis nor for comparing two experiments which of them provides stronger support for (not) rejecting the null hypothesis. [14] discusses further postexperiment power calculations such as “detectable effect size” and “biologically significant effect size” which suffer from the same problem as the presented posthoc power analysis and, therefore, are also logically flawed. In order to obtain strong statistical power for a test the a-priori power analysis allows determining the sample size needed in order to witness a certain effect. Thus, we set a level for β and α and try to calculate (in most situations we try to estimate) the needed sample size n by solving (1 − β) < P(Y > c|H0 is false) for n, which in most cases is no trivial task.

Assessing the Statistical Quality of RNGs

49

Fig. 1 Post-hoc test power (or “Observed Power”) as a function of the p-value for an one-sample Z test with a significance level of α = 0.05. Grid lines indicate that for p = 0.05 the post-hoc test power is given by FΦ −1 (1−α) ( p) = 0.5

Example 4.3 (Assessing the sample size by an a-priori power analysis.) Let us consider the null hypothesis and Z test (one-sided) from Example 4.2. We set α = 0.05 (c = Φ −1 (1 − α) = 1.64485) and β = 0.1. Then, ∀ε > 0 we have, P(Y > Φ



−1

x¯ − ε + ε

1

(1 − α)|H0 is false) = 1 − P ≤ c|μ = ε = 1 σ n− 2     ε ε x¯ − ε = =1−Φ c− 1−P 1 ≤ c − 1 |μ = ε 1 σ n− 2 σ n− 2 σ n− 2   ε . 1 − Φ 1.64485 − 1 σ n− 2

(1)

According1 to this equation for a specific value of ε the power increases with higher values for n. If ε → 0, the probability is equal to the effect size, α. Figure 2 shows what we already asserted before. Since we know σ 2 we obtain the following result.  1 − β < 1 − Φ 1.64485 −

1X ¯



ε σ n− 2

1

 2 1.64485 − Φ −1 (β) ⇐⇒ n > σ ε

∼ N (μ, σn ), the proof is left to the interested reader. Hint: show that for (X i )i∈N ∼ N (μ, σ 2 ), i.i.d. n 2 X¯ := i=1 X i : E[ X¯ ] = μ and V ar ( X¯ ) = σn . 2

50

B. Rainer et al.

Fig. 2 A-priori Z test power for σ = 2.4, α = 0.05, and different sample sizes n given by Eq. 1

If we want to know the sample size to use if we want to witness an effect of ε > 1 assuming σ = 2.4 and α = 0.05 we obtain a needed sample size of 2  n > 2.4(1.64458 − Φ −1 (0.1)) ≈ 49.33. In the case of unknown variance σ 2 one may calculate the needed sample size as shown by Rasch et al. [21]. Before advancing to the next sections, the reader should now understand the following principles: (i) basics of hypothesis testing; (ii) pitfalls and fallacies of fixed significant thresholds and post-hoc power analysis; (iii) a-priori power analysis.

3 Statistical Tests for Assessing the “randomness” of RNGs The question which arises when thinking of RNGs is “When is a RNG considered good?”. This question motivates the empirical testing of RNGs. From a statistical point of view we may argue as follows. We may assume as null hypothesis H0U that the output of a RNG is i.i.d. U(0,1) which reflects our understanding of randomness. However, we may also assume as H0D that obtaining a 0 or 1 from the RNG’s output is equiprobable. Hypothesis H0U is equivalent to saying that for any n > 0 the vector (x1 , . . . , xn )T is uniformly distributed on the hypercube [0, 1)n . Since the output of

Assessing the Statistical Quality of RNGs

51

PRNGs is finite and is determined by its initial state (seed), the vector takes its values from the set Ωn a finite lattice of points in [0, 1)n , thus, H0U cannot be true. Vectors in Ωn can only uniformly approximate [0, 1)n under the assumption that the seed is chosen randomly. The same holds for H0D where we take a sequence of bits of length n. If n > m, m denoting the RNGs’ internal state bit length (therefore, only 2m distinct bit sequences are possible), the fraction of all 2n sequences with length n that can be visited is at most 2m−n . Thus, the goal is to spread those sequences such that they are visited “uniformly” in the set of all 2n sequences. The structure of Ωn plays the most important role when designing RNGs. A good (in the sense of incoherent) Ωn is what makes an excellent PRNG. From a cryptographic point of view it is of utter importance that sequences generated by RNGs are not predictable. From the discussed hypotheses many tests can be derived. As the interested reader might have perceived that it is not easy to find an answer to the question asked in the beginning of this section. We will later come back to this question and may find an answer how we can determine if a RNG is “good”. In the following we will take a look at the classes of tests that are available in the most prominent software suites which provide a collection of statistical tests for empirically assessing the randomness of a given RNG. The most prominent are Dieharder [23], TestU01 [18], and NIST SP 800-22 [24]. We generally distinguish between first and second level tests. Any test directly deriving a test statistics for obtaining evidence against the null hypothesis is a first level test. But, we may use the result from Proposition 4.1 and test whether the transformed observations Z 1 = F(Y1 ), . . . , Z n = F(Yn ) are i.i.d. U(0,1) distributed with the assumptions of Proposition 4.1 (continuous probability distribution F under H0 ). We then test whether these observations (in our case p-values) obtained by a RNG at hand, follow an uniform distribution by using a goodness of fit (GoF) test to obtain evidence that the empirical distribution (cf. Definition 4.1) is close to a theoretical distribution F ∗ , e.g., Kolmogorov-Smirnov test, Cramér-von Mises test, Anderson-Darling-Test, χ 2 test, etc. Definition 4.1 Let z 1 , . . . , z n be observations then the empirical distribution function is given by n 1 Fn (x) = 1 [−∞,x] (z i ). (2) n i=1 (i) Let u 1 ≤ u 2 ≤ . . . ≤ u n be the increasingly ordered observations of the random variables Z 1 , . . . , Z n then the test statistics for the Kolmogorov-Smirnov test is Dn := ||Fn − F ∗ ||∞ = sup |Fn (x) − F ∗ (x)| (the continuous case), x∈X

j

+ ∗ ∗

dn := max |Fn (u j ) − F (u j )| 

= max − F (u j )

, 1≤ j≤n 1≤ j≤n n Def. 4.1

52

B. Rainer et al.



j −1

− F ∗ (u j )

, dn− := max |Fn (u j−1 ) − F ∗ (u j )| 

= max

1≤ j≤n 1≤ j≤n n Def. 4.1

dn := max{dn+ , dn− }, where we set Fn (u 0 ) = 0. (ii) The test statistics for the Cramér-von Mises test is 2 n   2i − 1 1 ∗ Tn = + − F (u i ) . 12n 2n i=1 (iii) For the Anderson-Darling test the test statistics is as follows (we again use increasingly ordered observations) A2n = n −

n 1 ((2i − 1) · (ln(F ∗ (u i )) + ln(1 − F ∗ (u n+1−i ))). n i=1

On the first glimpse, second level tests seem to be more powerful than first level tests, but this is not true. Assume a given bit sequence of length 105 and we test if it has equally many 0s and 1s. Splitting the sequence into 100 sequences with length 103 and conducting a second level test (first the intended first level test and then the GoF test whether the obtained p-values are U(0,1)) won’t provide more evidence against the null hypothesis than the first level test does. Let us pick up the idea of the p-value as evidence against the null hypothesis (without saying when to reject a hypothesis) and assume that the assumptions of Proposition 4.1 hold. Testing on the uniformity of p-values results in a less flawed approach than rejecting the null hypothesis at given thresholds. Another important aspect of second level tests is that they are very useful when we run out of resources. For instance, if the selected sequence length exceeds the memory capacity. The NIST SP 800 22 [24] is a test suite which applies second level tests if more than a single bit-stream is provided. More specifically, the unit interval is divided into ten equidistant categories, then for a test each bit sequence is subject to the specified test and the p-value is used to index one of the m = 10 categories. After applying the specified test to all test sequences the categories and their frequencies are subject to a χ 2 test which looks as follows. χ2 =

m  (Ni − n i∗ )2 , n i∗ i=1

n i∗ = pi∗ · n, where Ni is the frequency for the i-th category, n the total number of observations, and pi∗ the theoretical probability that the feature falls in the i-th category. We have discussed the most common GoF tests which are used by the mentioned test suites for conducting second level tests. Now, we take a look at first level tests and which

Assessing the Statistical Quality of RNGs

53

types of them are used for statistical testing of RNGs. We will not cover all tests but only the most prominent ones which are also part of the aforementioned test suites because there is a sheer number of statistical tests that could be applied.

3.1 Tests on a Random Number Stream of m Bits Tests on a sequence of numbers or a stream of bits may look at local and/or global features. The discussed tests have the null hypotheses that the given sequence or bit stream is truly random. We often will provide the asymptotic distribution for the reference distribution of the tests otherwise they can be found in the corresponding literature. (i) The frequency (monobit) tests measures uniformity at a global level by taking m bits and each bit represents the observation of the random variables X 1 , . . . , X m , the test statistic is given by sm =

|

m

i=1 (2x i

− 1)|

m

.

The reference distribution is half normal (if m is large). The p-value is given by 1 − Φ(sm ). The frequency test is a very simple test and only badly designed RNGs will fail this test or RNGs with a bad structure of Ωn . (ii) The runs test [24] is again based on the bit stream itself and requires the frequency test to be passed. Therefore, we compute the average of the bit sequence’s value as follows. rm =

m 1  xi m i=1

A simple criterion to check whether the runs test needs not to be performed is if |rm − 21 | ≥ τ , where τ = √2m . The test statistic for the runs test is given by Rm = 1 +

m−1 

g(xi ),

i=1

 0 xi = xi+1 , g(xi ) = 1 xi = xi+1 which is just counting the run of 0s or 1s. The reference distribution is χ 2 and m (1−rm )| ). the p-value is computed by erfc( |R2m√−2mr 2mrm (1−rm ) (iii) The cumulative sums test operates on the bit level and we, again, transform the bits to values in {−1, 1} by yi = 2xi − 1. Then, the partial cumulative sums

54

B. Rainer et al.

j m− j+1 are computed by f j = i=1 y j (forward) or b j = i=m yi (backward). The max1≤ j≤m | f j | max1≤ j≤m |b j | √ √ test statistics is given by z f = or z b = , the reference m m distribution is a normal distribution and the (asymptotic) p-value is computed by m −1 2

p =1−

4 

(Φ((4k + 1)z u ) − Φ((4k − 1)z u )))+

− m +1 k= 24 m −1 2

4 

(Φ((4k + 3)z u ) − Φ((4k + 1)z u ))),

− m −3 k= 24

where z u ∈ {z f , z b }. (iv) The random excursions / random walk tests focus on the number of cycles having exactly k visits of a cumulative sum random walk [4, 22]. Again, the bits are transformed to values in {−1, 1}. We then use the forward partial sums f j (cf. the cumulative sums test) for 1 ≤ j ≤ m and we interpret each partial sum as a state of the random walk, if we start in 0 and end in 0, extending the random walk to W = {0, f 1 , . . . , f m , 0}. We partition W into cycles crossing 0, e.g., W = {0, 1, 2, 0, −3, 4, 0} we have two cycles C1 = {0, 1, 2, 0} and C2 = {0, −3, 4, 0}. For each state and cycle we count how often a state is visited within a cycle and we compute ck (s) which is the total number of cycles in which state s occurs k-times. For each state we conduct a χ 2 whether it is as frequent as theoretically expected. This collection of tests can be arbitrarily extended by choosing s and k. (v) The Fourier test (test on periodicity) aims on finding periodicity in the bit stream. Therefore, the bits are again transformed to values in {−1, 1} and afterwards are Fourier transformed by cj =

m−1 

(2xk − 1)e

−ιj2πk m

∀ 0 ≤ j ≤ m − 1.

k=0

Then, the c j are compared to a constant threshold T which represents under H0 (assumption of randomness) the peak height value, e.g., under the assumption of randomness the reference distribution is a normal distribution and we set the threshold  such that we want to have 95% of c j s below this threshold.

1 )m and then we should have N0 = 0.95m values below Thus, T = log( 0.05 2 the selected threshold. We compare this to the empirical number of peaks e −N0 and we compute the p-value below the given threshold T by d = √Nm·0.95·0.05

by p = 2(1 − Φ(|d|)) (two-sided).

4

Assessing the Statistical Quality of RNGs

55

(vi) The auto-correlation test focuses on the self-similarity of a given random bit sequence shifted by b bits, such that 1 ≤ b ≤ m − 1. The auto-correlation is defined as follows m−b  (xi + xi+b mod 2). Ab = i=1

Under H0 , Ab ∼ Bi(m − b, 21 ) which can be approximated using a normal distribution if m − b is very large. (vii) The linear complexity test deals with examining how the linear complexity Cb of the first b bits of the given sequence increases as a function of b. The linear complexity Cb is defined as the smallest degree of a linear recurrence which the sequence follows. Cb is non-decreasing in b. In most implementations (e.g., NIST SP 800-22 [24], and TestU01 [18]) the Berlekamp-Massey algorithm [5] is used to compute Cb and requires O(m 2 log m) time. In fact there are more ways of testing how Cb develops. For instance the jump complexity and the jump size test have been introduced by [6] and [8]. There is a third type of testing the linear complexity given by NIST which is a second-level test and, therefore, splits the bit sequence at hand into M blocks of length N [24].

3.2 Tests Based on Sub-sequences of Length k of a Random Bit Stream with Length m (i) The frequency test within a block is basically the frequency (monobit) test but for N =  mk  blocks. We proceed with the frequency test for each sub–sequence and under H0 we expect that each sub–sequence has 2k 1s or that the probability of seeing a 1 is p = 2kk = 21 , Thus, we first compute for every sequence p j = 1  j N +k i= j N +1 x i for 0 ≤ j ≤ N − 1. We then compare the empirical probability k to the theoretical one by conducting a χ 2 -test. (ii) The binary matrix rank test detects linear dependencies between sub-sequences of the given random bit stream. Therefore, the bit sequence at hand is divided into sub–sequences with length N = m × l. We take m rows with a length of l bits and compute the rank. For the  Nn  ranks we conduct a χ 2 test whether the empirical distribution of the ranks follows the theoretical distribution. (iii) The longest run of ones test, introduced by [10, 12], uses sub-sequences of length N and counts the longest run of ones in each of those N sub–sequences. This is done  Nn  times and the empirical distribution is compared to the theoretical distribution by conducting a χ 2 test.

56

B. Rainer et al.

3.3 Tests Based on a Sequence of n Random Numbers in the Interval [0, 1] (i) There are also runs tests based on a sequence of numbers such as the runs test given for a bit stream. For instance [17] provides a run test examining the monotonicity of sub-sequences (“runs up” and “runs down”). We refer the interested reader to [17] for the test statistics and the reference distribution. (ii) The gap test [17] uses a sequence of numbers. We project the obtained numbers from an RNG on [0, 1] and we select a subset U ⊂ [0, 1], U = [α, β], 0 ≤ α < β ≤ 1, we then investigate the gap r until the RNG revisits the set U . Let X i be the random variables that denote the gaps of size i such that i ≥ 0. Then, the test compares the frequencies X 0 , X 1 , . . . to their expected values under H0 are subject to a χ 2 test. An RNG that stays in U for a long time and then moves aways from U for a long time is likely to fail or to produce extreme p-values. (iii) The serials tests provide a battery of tests focusing on testing the uniformity of patterns (remember H0U ). This test is based on m sub-sequences. Here, the unit hypercube [0, 1]k is split into N = d k sub-unit-hypercubes of volume N1 by dividing the interval [0, 1] into d equally sized partitions of each dimension with d ∈ N>0 and k ∈ N>0 dimensions, with pi = N1 , 1 ≤ i ≤ N . The serial tests then measure the uniformity of the random variables X j which denote the frequency for each category and their expectation λ = mk [17]. For detailed information on the original serials test we refer the interested reader to [11, 17]. A more general class of serial tests, called generalized φ-divergence statistics is discussed in [28]. (iv) The permutation test [17] utilizes another way of partitioning the unit hypercube. Here, we take a portion of the sequence and divide it into m groups with N elements. We obtain groups of the form (X j N , X j N +1 . . . , X j N +(N −2) X j N +(N −1) ), 0 ≤ j ≤ m − 1. Thus, we have k = N ! possible permutations of ordering the elements of the groups and each permutation shall be equally likely expressed by a probability of p j = k1 , 1 ≤ j ≤ N . Knuth [17] proposes to conduct a χ 2 test on the likeliness of the possible permutations. (v) The poker test, initially developed by Kendall and Babington–Smith [16] and later on picked up and described by Knuth [17], its name already suggests its description. Again, we divide the sequence at hand into m groups (nonoverlapping) of five (consecutive) integers (X j5 , X j5+1 , X j5+2 , X j5+3 , X j5+4 ) such that 0 ≤ j ≤ m − 1 and classify the groups according to the following categories: all different (e.g., 1, 2, 3, 4, 5), one pair (e.g., 1, 1, 2, 3, 4), two pairs (e.g., 1, 1, 2, 2, 3), three of a kind (e.g., 1, 1, 1, 2, 3), full house (e.g., 1, 1, 1, 2, 2), four of a kind (e.g., 1, 1, 1, 1, 2) and five of a kind (e.g., 1, 1, 1, 1, 1). For a list of probabilities for the mentioned categories we refer the interested reader to [17]. We then compare the empirically obtained frequencies to the theoretical ones using a χ 2 test. We want to emphasize that the parameter selection for some tests is very important. For instance the binary matrix rank test, for low values of m (the number of rows)

Assessing the Statistical Quality of RNGs

57

the test may not be very powerful as for large m it may be possible to detect linear dependencies between the rows easier. However, the list of statistical tests is by far not complete, for a more complete list and further details on the tests we refer the interested reader to [18, 23, 24].

4 Experiments: Description of RNGs Under Test The goal of the previous sections was to introduce the reader to the principles of statistical testing and statistical testing of RNGs with the focus on trying to assess the quality of the produced output number stream. As we already noticed earlier that concluding whether a RNG provides real random numbers, and, therefore is considered as good is not possible. We may only investigate whether the RNG at hand is constructed in such a way that its’ inner state and output can be guessed. In the following sections we will investigate some RNGs and assess their goodness via statistical testing by using the aforementioned test suites. Therefore, we investigate the following RNGs. 1. Advanced Encryption Standard (AES) based RNG (a deterministic RNG); This PRNG uses the AES encryption [1] to generate pseudo random numbers using a seed. Algorithm 1 provides the pseudo code for obtaining a single random number from the AES based RNG. It uses the intrinsic AES functions which are: _mm_aesenc_si128 (an encoding round of AES), _mm_aesenclast_si128 (the last encoding round of AES), and _mm_stor eu_si128 (stores the cipher). Algorithm 1 executes a single AES encoding with E N C_R OU N DS rounds provided a key (in our case seed) and returns the cipher (in our case the random number). We want to emphasize that the provided RNG is a deterministic one, thus, once the seed is known the produced output can be regenerated or even future output can be guessed. Therefore, the NIST SP800 90A [3] provides a recommendation on when to reseed deterministic RNGs and for the AES based RNG it suggests a reseeding interval of 248 (reseed after 248 numbers have been generated). Algorithm 1: AES based PRNG Input: A natural number (seed) between 0 and 232 . icipher ← seed ⊕ icipher; for i=1..ENC_ROUNDS do if i < (END_ROUNDS - 1) then cipher = _mm_aesenc_si128(icipher, seed); else icipher = _mm_aesenclast_si128(icipher, seed); _mm_storeu_si128(&num, icipher);

58

B. Rainer et al.

2. SHA256 based biased PRNG. In order to investigate how well the aforementioned statistical tests are able to reveal introduced problems in the structure of Ωn . Therefore, we implemented a biased PRNG which uses the SHA256 hash function to generate pseudo random numbers. Algorithm 2 depicts the algorithm used for generating a pseudo random number using the secure hash function SHA256. In our implementation we use the SHA256 implementation provided by OpenSSL. Algorithm 2: SHA256 based PRNG Input: A natural number (i) between 0 and 232 . seed ← i++; n = SHA256(&seed);

3. Quantis Random Number Generator is a hardware random number generator manufactured by ID Quantique [15] that uses quantum optic effects as source of true randomness. IDQ claims that the numbers generated by this device pass all statistical tests of the NIST SP 800-22 [24] test suite. We use this device to obtain numbers from a TRNG and test them with the three aforementioned test suites. 4. Mersenne Twister is a PRNG [20] and has a very long period of p = 219937 − 1 which is a Mersenne-Prime number, this also explains the name of the PRNG. For a detailed explanation of the algorithm we refer the interested reader to [20]. 5. The famous rand function from C which is a Linear Congruential Generator (LCG). Algorithm 3 provides the corresponding LCG. Depending on the size of the state the LCG may pass several statistical test / or batches of tests. However, in C libraries following values were used: m = 231 , a = 1103515245, and c = 12345; and it returns only bits 30 . . . 16 as output. This early LCG has a very bad structure of Ωn which we will investigate later. Algorithm 3: Linear Congruential Generator Input: A natural number (seed) between 0 and 232 . seed = (a · seed + c) mod m ;

5 Results We take first a look at the numbers generated by the RNGs discussed in Sect. 4 visually. Therefore, we generate 25000 numbers (only a small subset of Ωn ) with each of the discussed RNGs (cf. Section 4) and map them to [0, 1)3 which is depicted by Fig. 3. It is evident that the LCG (cf. Fig. 3a) with the parameters m = 231 , a = 1103515245, and c = 12345 has a bad structure of Ωn because the numbers are clustered into planes which allows to compute future numbers from the already

Assessing the Statistical Quality of RNGs

59

(a) Linear Congruential RNG

(b) Biased SHA256 RNG

(c) Quantis Hardware RNG

(d) AES based RNG

(e) Mersenne Twister 19937 RNG Fig. 3 Numbers generated by the discussed PRNGs and TRNG mapped to [0, 1)3

obtained output. The other RNGs do provide a quite uniformly distributed point cloud on [0, 1)3 . This first look at a small portion of numbers generated by the RNGs shall only provide hints whether there are strong flaws in the structure of Ωn . For further insights we have to conduct statistical tests because plotting many numbers (e.g. > 232 ) is not feasible. Thus, all five RNGs were subject to the statistical tests provided by Dieharder, NIST SP 800 22, and TestU01. We generated with every of the five RNGs 500 GB of binary data which then was fed (for Dieharder we converted the binary file to the desired format using a decimal representation of the numbers) into the test suites. TestU01 provides three batches of statistical tests and each of them require even

60

B. Rainer et al.

Table 2 Number of tests passed by the five RNGs for each of the discussed test suites Dieharder NIST2 TestU01 Battery1 TestU01 Battery2 Linear Congruential Generator Biased SHA256 Quantis Hardware RNG AES based RNG Mersenne Twister

19/61 61/61 51/61 61/61 61/61

123/188 188/188 185/188 188/188 187/188

6/10 10/10 10/10 10/10 10/10

0/96 94/96 69/96 95/96 94/96

more data, e.g., the first battery is similar to Dieharder and comprises ten statistical tests with different parameter settings (called “Small Crush”), where the second battery/batch of statistical tests comprises 96 tests with different parameter settings (called “Medium Crush”), and the third battery/batch of statistical tests comprises 160 tests (called “Big Crush”). We used the first and second battery as they already provide a good set of statistical tests. For the NIST SP 800 22 we use 100 nonoverlapping bit streams with a length of 107 bits each. If we speak of failing a test, we mean that the p-value exceeded the significant threshold. Even if we do not support this viewpoint (as we pointed out in the beginning of this chapter), Dieharder and TestU01 do declare a statistical test as failed if the p-value exceeds the significant threshold. Table 2 provides an overview on how many statistical tests have been passed for each of the tested RNGs and test suite. We will discuss the results for each RNG in detail. For the Dieharder suite we selected those tests which Robert G. Brown thinks they are reliable. LCG. For the2 LCG we see that a vast amount of statistical tests show extreme p-values against the null hypothesis and also confirms our foreboding. We already saw that the structure of Ωn must be extremely flawed by taking a look at Fig. 3a. Thus, we can safely say that this formerly very often used PRNG provides really bad random numbers. Biased SHA256 RNG. From the description in Sect. 4 of Algorithm 2 one would expect that the introduced bias (using a non-random seed, even worse, we re-seed every number we generate by only linearly incrementing the seed) would have a strong influence on the structure of Ωn but, the SHA256 function seems to absorb the introduced bias, at least to a certain degree. The only tests that showed extreme p-values are located in the “Medium Crush” of TestU01. Our biased RNG failed the following tests, the sample correlation test and the overlap test with parameter t = 20. Quantis Hardware RNG. According to the specification and description of the Quantis RNG one may think that a TRNG has to pass all statistical tests. However, in the specification of the Quantis RNG it is mentioned that it is biased (their white paper [15] states that the probability of obtaining a 0 or 1 is between 45% and 55%) and that a step is introduced to unbias the output. This could be one explanation 2 The

high number of statistical tests is due to a vast parameter variation of the random excursion (variant) and non-overlapping template tests.

Assessing the Statistical Quality of RNGs

61

why the output of the Quantis RNG fails many statistical tests, especially tests in the TestU01 suite. Among the failed tests are the gap test (r ∈ {0, 22, 27}), max-of-t test (t ∈ {5, 10, 20, 30}), Fourier test, runs test, auto correlation test with d = 1, and many more. In Fig. 3c we are not able to see any of the properties of Ωn that have been revealed by the statistical tests. AES based RNG. The AES based RNG does only fail one statistical test which is provided by TestU01 and this is the auto correlation test with a displacement of d = 30. Mersenne Twister 19937 RNG. The Mersenne Twister 19937 RNG also passes nearly all statistical tests and only fails one test in the NIST SP 800 22 and two tests from the TestU01 suite. A random excursion variant test showed slightly skewed p-values (a slight accumulation of lower p-values in the categories C1 to C5) which is not critical. The test that failed using the TestU01 suite is the linear complexity test with r = 0 and r = 29.

6 Outlook: Uniformity and Discrepancy In this final section, we will formulate some ideas on the comparison of different RNGs based on the theory of experimental design (DoE). We have seen that the concept of uniformity of the sequences of random numbers is of utmost importance for generating “good” sequences of random numbers. Uniformity is a major characteristics of so-called space-filling designs that have been successfully used in spatial data analysis and design problems and, more recently, also in the design of computer experiments, see e.g., Vollert et al. [25, 26]. Coming back to the idea of defining a lattice structure for the sequences of random numbers such that the output stream (x1 , x2 , . . . , xm )T of a large sequence of random numbers is divided into n vectors of length s ≥ 1, each, xi = (xi1 , xi2 , . . . , xis )T , i = 1, . . . , n and m = ns, where we now look at the empirical c.d.f Fdn (x) =

n 1 1 (xk1 ≤ x1 , xk2 ≤ x2 , . . . , xks ≤ xs ) n k=1

where x = (x1 , x2 , . . . , xs )T ∈ [0, 1)s . Here, dn = {x1 , . . . , xn } is considered as a collection of n points (design) in the experiment region Cs = [0, 1)s . In generalization of Definition 4.1, a “good” RNG should minimize the L p -norm ||Fdn (·) − Fs (·)|| p for some suitable p > 0, where Fs (·) denotes the c.d.f. of the uniform distribution on Cs . For a given point x = (x1 , . . . , xs )T ∈ Cs let Hx denote the hyper-rectangle Hx := [0, x1 ) × . . . × [0, xs ) and N (x, dn ) = |{x ∈ dn : x ∈ Hx }|. The difference D(x, dn ) = | n1 N (x, dn ) − Vol(Hx )| is called the discrepancy of the design dn at the point x, where Vol(Hx ) denotes the volume of the hyper-rectangle Hx . It should be close to zero if points in dn are uniformly scattered on Cs .

62

B. Rainer et al.

Definition 4.2 (Star L p -discrepancy) The integrated (over Cs ) discrepancy D p∗ (dn )

 =

D(x, dn ) dx p

 1p

Cs

is called the star L p -discrepancy of the design dn . This (integrated) discrepancy measure plays a central role in the theory of spacefilling designs. The following special cases have been used in the literature. ∗ (i) Star discrepancy D∞ (dn ) = lim p→∞ D p∗ (dn ). It is well-known that the star discrepancy coincides with the KS-statistics on Cs , i.e. ∗ (dn ) = max |Fdn (x) − Fs (x)|. D∞ x∈Cs

This quantity is not easy to compute for medium to large-sized dimensions s. An algorithm for the exact calculation of the star discrepancy measure in small dimensions s was given by Bundschuh and Zhu [7], an approximation can be found in Winker and Fang [29]. (ii) For p = 2, we obtain the star L 2 -discrepancy criterion, for which an analytical formula is known, see Warnock [27]. However, it has been shown that D2∗ (·) ignores differences on any low-dimensional subspace. (iii) A reasonable modification of the star L 2 -discrepancy which also takes account of projection uniformity over subspaces Cu , where u is a subset of {1, . . . , s}, ∗ ) was introduced by Hickernell [13]. He defined centered L 2 -discrepancy (D2,c as

2  

1

∗ 2

D2,c (dn ) :=

n N (Jxu , dn u ) − Vol(Jxu ) dxu , Cu u=∅

where dn u is the projection of dn on Cu , Jxu is a hyper-rectangle uniquely determined by xu pointing to the corner point of Cu which is closest to xu ∈ [0, 1)|u| . This leads to 



 n s 2  1

1

1

2 1

= − 1 + xkl − − xkl − + n k=1 l=1 2 2 2 2



  n n s

1

1  1

1

1

1

1 + xkl − + x jl − − xkl − x jl . n 2 k=1 j=1 l=1 2 2 2 2 2

∗ D2,c (dn )2



13 12

s

For this and other generalizations see Fang, Li and Sudjianto [9]. For comparing ∗ point configurations generated by different RNGs, the lower the D2,c value is, the more uniform, and in that sense more desirable, the configuration is.

Assessing the Statistical Quality of RNGs

63

7 Conclusion We want to conclude this chapter by reviewing the aspects we tried to procure. First, we introduced statistical testing from the scratch and also showed the fallacies and pitfalls. Especially, we tried to show how flawed post-hoc power analysis is and how easily it can be invalidated. We tried to provide examples whenever it supports the understanding. Second, we presented a subset of statistical tests used in the most important test suites. We briefly introduced those tests suits and discussed their finesse. Third, we showed how a set of random number generators can be evaluated by the statistical tests and what one may conclude from the results. We put special emphasis on showing that even biased TRNGs or PRNGs may pass statistical tests. Fourth, and finally, we gave an outlook on measuring uniformity by means of a discrepancy measure.

References 1. Federal information processing standards publication (FIPS 197). (2001). Advanced Encryption Standard (AES). 2. Amrhein, V., Korner-Nievergelt, F., & Roth, T. (2017). The earth is flat (p>0.05): significance thresholds and the crisis of unreplicable research. PeerJ, 5, e3544 . https://doi.org/10.7717/ peerj.3544. 3. Barker, E., & Kelsey, J. (2010). Recommendation for random number generation using deterministic random bit generators. National Institute of Standards and Technology (NIST), TechRep. 4. Baron, M., & Rukhin, A.L. (1999). Distribution of the number of visits of a random walk. Communications in Statistics Stochastic Models, 15(3), 593–597. https://doi.org/10.1080/ 15326349908807552. 5. Berlekamp, E. (2015). Algebraic Coding Theory. World Scientific Publishing Co Pte Ltd. 6. Blackburn, S., Carter, G., Gollmann, D., Murphy, S., Paterson, K., Piper, F., Wild, P. (1994). Aspects of Linear Complexity (pp. 35–42). Boston, MA: Springer US. https://doi.org/10.1007/ 978-1-4615-2694-0_4. 7. Bundschuh, P., & Zhu, Y. (1993). A method for exact calculation of the discrepancy of lowdimensional finite point sets i. In Abhandlungen aus dem Mathematischen Seminar der Universität Hamburg (Vol. 63, no. 1, pp. 115–133). https://doi.org/10.1007/BF02941337. 8. Erdmann, E.D. (1992). Empirical tests of binary keystreams. 9. Fang, K.T., & Sudjianto, L.R. (2015). Design and modeling for computer experiments. 10. Földes, A. (1979). The limit distribution of the length of the longest head-run. Periodica Mathematica Hungarica, 10(4), 301–310. https://doi.org/10.1007/BF02020027. 11. Good, I. J. (1953). The serial test for sampling numbers and other tests for randomness. Mathematical Proceedings of the Cambridge Philosophical Society, 49(2), 276284. https://doi.org/ 10.1017/S030500410002836X. 12. Gordon, L., Schilling, M.F., & Waterman, M.S. (1986). An extreme value theory for long head runs. Probability Theory and Related Fields, 72(2), 279–287. https://doi.org/10.1007/ BF00699107. 13. Hickernell, F.J. (1998). A generalized discrepancy and quadrature error bound. Mathematics of Computation, 67(221), 299–322. https://doi.org/10.1090/S0025-5718-98-00894-1. 14. Hoenig, J.M., & Heisey, D.M. (2001). The abuse of power. The American Statistician, 55(1), 19–24. https://doi.org/10.1198/000313001300339897.

64

B. Rainer et al.

15. ID Quantique: IDQ Random Number Generator White Paper (2017) 16. Kendall, M.G., & Babington-Smith, B. (1939). Second paper on random sampling numbers. Supplement to the Journal of the Royal Statistical Society6(1), 51–61. http://www.jstor.org/ stable/2983623 17. Knuth, D.E. (1997). The Art of Computer Programming, vol. 2: Seminumerical Algorithms (3rd ed.,). Addison–Westley Professional. 18. L’Ecuyer, P., & Simard, R. (2007). Testu01: AC library for empirical testing of random number generators. ACM Transactions on Mathematical Software, 33(4), 22:1–22:40. https://doi.org/ 10.1145/1268776.1268777 19. Li, N., Kim, B., Chizhevsky, V.N., Locquet, A., Bloch, M., Citrin, D.S., et al. (2014). Two approaches for ultrafast random bit generation based on the chaotic dynamics of a semiconductor laser. Optics Express, 22(6), 6634–6646. https://doi.org/10.1364/OE.22.006634, http:// www.opticsexpress.org/abstract.cfm?URI=oe-22-6-6634. 20. Panneton, F., L’Ecuyer, P., & Matsumoto, M. (2006). Improved long-period generators based on linear recurrences modulo 2. ACM Transactions on Mathematical Software (TOMS), 32(1), 1–16. 21. Rasch, D., Pilz, J., Verdooren, R., & Gebhardt, A. (2011). Optimal experimental design with R. Taylor & Francis Group: CRC Press. 22. Révész, P. (2013). Random walk in random and non-random environments. World Scientific,. https://doi.org/10.1142/8678. 23. Robert G.B. Dieharder: A random number test suite. http://webhome.phy.duke.edu/~rgb/ General/dieharder.php. 24. Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., et al. (2010). A statistical test suite for random and pseudorandom number generators for cryptographic applications. National Institute of Standards and Technology (NIST): Tech-Rep. 25. Vollert, N., Ortner, M., & Pilz, J. (2017). Benefits and application of tree structures in Gaussian process models to optimize magnetic field shaping problems (pp. 159–168). Berlin: Springer. 26. Vollert, N., Ortner, M., & Pilz, J. (2018). Robust additive gaussian process models using reference priors and cut-off-designs. Applied Mathematical Modeling. 27. Warnock, T.T. (1972). Computational investigations of low-discrepancy point sets*. In S. Zaremba (Ed.) Applications of number theory to numerical analysis (pp. 319 – 343). Academic Press. https://doi.org/10.1016/B978-0-12-775950-0.50015-7. https://www. sciencedirect.com/science/article/pii/B9780127759500500157 28. Wegenkittl, S. (1998). Generalized φ-divergence and frequency analysis in Markov chains. Ph.D. thesis, University of Salzburg. 29. Winker, P., & Fang, K. T. (1998). Optimal u–type designs. In H. Niederreiter, P. Hellekalek, G. Larcher, & P. Zinterhof (Eds.), Monte Carlo and Quasi-Monte Carlo Methods 1996 (pp. 436–448). New York: Springer.

A No-History, Low Latency Photonic Quantum Random Bit Generator for Use in a Loophole Free Bell Tests and General Applications Mario Stipˇcevi´c and Rupert Ursin

Abstract Random numbers are essential for our modern information-based society. Unlike frequently used pseudo-random generators, physical random number generators do not depend on deterministic algorithms but rather on a physical process to provide true randomness. In this work we present a conceptually simple optical quantum random number generator that features special characteristics necessary for application in a loophole-free Bell inequality test, namely: (1) very short latency between the request for a random bit and time when the bit is generated; (2) all physical processes relevant to the bit production happen after the bit request signal; and (3) high efficiency of producing a bit upon a request (100% by design). This generator is characterized by further desirable characteristics: ability of high bit generation rate, possibility to use a low detection-efficiency photon detector, a high ratio of number of bits per detected photon (≈2) and simplicity of the bit generating process. Generated sequences of random bits pass NIST STS test without further postprocessing.

1 Introduction Digital data processing in computers, mobile devices, ATM machines etc., does have a huge impact on our information-based society. Digital processing is strictly deterministic. But sometimes randomness is required. Ability to generate random numbers is required for cryptographic protocols which are necessary to ensure digital security, privacy and integrity of communicated data, as well as for many other digital applications including but not limited to: internet trade, crypto currency, cloud computing, e-banking, secure e-mail access, online gambling, Monte Carlo modeling of M. Stipˇcevi´c (B) Photonics and Quantum Optics Unit of - Boškovi´c Institute, the Center of Excellence for Advanced Materials and Sensing Devices, Ruder Bijeniˇcka 54, 10000 Zagreb, Croatia e-mail: [email protected] R. Ursin Institute for Quantum Optics and Quantum Information, Austrian Academy of Sciences, Boltzmanngasse 3, 1090 Vienna, Austria © Springer Nature Switzerland AG 2020 C. Kollmitzer et al. (eds.), Quantum Random Number Generation, Quantum Science and Technology, https://doi.org/10.1007/978-3-319-72596-3_5

65

66

M. Stipˇcevi´c and R. Ursin

natural phenomena, randomized algorithms and scientific research. While computers can generate long sequences of numbers that have good statistical properties via so-called pseudo-random algorithms, such number sequences remain deterministic and thus predictable. In contrast to computational methods used by pseudo-random number generators, physical random numbers generators derive random numbers from a physical source of a reasonably random process e.g. flipping a coin. However, systems relying on classical motion actually do have a component of deterministic prediction that will be transferred to the random numbers obtained thereof. On the other extreme is the quantum theory (also known as Quantum Mechanics or QM for short), a branch of physics that strives to understand and predict the properties and behavior of tiny objects, such as elementary particles. One intriguing aspect of QM is that properties of a particle are not determined with arbitrary precision until one measures them, consequently the individual result of a measurement contains an inevitable intrinsic random component. This characteristic of the quantum theory provides fundamental randomness that can be used for generating true random numbers. While QM allows for completely random number generators, in practice “the devil is in the detail” of practical realization: whether a certain part is doing what it is supposed to do in theory and with what precision. It is therefore crucial to investigate and build such parts and bit generating methods that come as close as possible to their theoretical ideal. Quite generally, quantum random number generators (QRNG) can be divided into two broad categories depending on their type of operation: firstly continuous which produce random numbers at their own pace and secondly triggered which produce a single random number (e.g. one bit or one set of bits) upon a request, as illustrated in Fig. 1. Both, continuous and triggered RNGs feature the Strobe output which generates a short logic pulse when the new random bit is available at the Random Bit output. Additionally, the triggered type features a Trigger input. When a pulse is sent to that input it triggers a series of physical events and measurements—resulting in generation of a new random bit. Examples of continuous generators include those that extract random numbers from time-wise random events such as radioactive decay [1], photon arrival [2], or beamsplitter based [3, 4] RNG’s. Examples of a triggered RNG include sampled time-wise random toggling flip-flop [5, 6] (bit generating probability equal to 1) and beamsplitter with a pulsed or on-demand single-photon light source [4] (bit gen. probability < 1). An important consideration is the latency

Fig. 1 Continuous (a) and triggered (b) random number generators

A No-History, Low Latency Photonic Quantum Random Bit Generator …

67

between a moment of trigger and the moment when the random bit is available for readout (technically the delay between the Trigger and the Strobe pulses). An interesting further requirement does come from experimental loophole-free Bell inequality tests. Bell test allows distinguishing quantum mechanics from local hidden variable theories. These experiments are also quite important for future implementation of quantum key distribution devices [7]. Experimental tests performed so far do suffer from so called “loopholes” [8]. In order to close the “locality” [9] as well as the “freedom-of-choice” loophole [10] one needs to decide on random setting of detection basis by means of a RNG that satisfies three properties: (1) all physical processes required for production of a bit must happen completely in the future of the trigger, that is anything that happened before the trigger must not have any influence on the generated bit value; (2) a random bit is produced upon a request with certainty within a bounded time (τ L ); (3) in order to enable realistic experimental implementation of a loophole-free Bell test, including detection loophole [11, 12], the delay τ L must be shorter than qubit flight times from the production to the detection sites which is typically a few tens of nanoseconds. None of the generators or generating principles known so far satisfies all those requirements simultaneously to that extent. This work is based on our previous research of a QRNG whose randomness can be brought close to theoretical perfection by suitable tuning of the device’s controllable parameters in order to minimize effect of the hardware imperfections [13] and thus mitigate the “devil in the detail” problem. This particular QRNG is unique in simultaneously satisfying three characteristics mentioned above, having a 100% efficiency of producing a bit upon a request by design and a latency τ L = (9.8 ± 0.2) ns. Generated bits pass the NIST Statistical Test Suite (STS) [14]. All this make this QRNG suitable for even the most demanding applications, including the loophole-free Bell test.

2 Concept of a Low-Latency QRNG Our generator, shown in Fig. 2, comprises: a bit request input (Trigger Input), a laser diode (LD), a single photon detector (PD), and a coincidence circuit consisting of a single AND gate. It functions in the following way. The external trigger signal causes LD to emit a short (sub-nanosecond) light pulse. We define that one random bit is generated upon every trigger signal. The value of the random bit is defined as the state of the detector’s output at the moment of positive-going edge of the synchronous Strobe signal which is derived from the Trigger signal by a suitable delay (latency). Note, if emission and detection of light were classical processes then detection would either happen every time (if pulse energy is higher than some given threshold) or never (if below the threshold). However, due to the quantum nature of light, detection of a photon arising from the laser pulse is a binomial process with success probability p1 that can take on any value in the range [0, 1]. The energy of the light pulse falling upon the detector is carefully set such that the probability p1 of detecting a photon (and thus generating a value of “1”) is as close as possible to the ideal value of

68

M. Stipˇcevi´c and R. Ursin

Fig. 2 Conceptual schematic diagram of the low-latency quantum random number generator

p1 = 0.5. We assumed that the laser is stable in power and the detector’s efficiency is constant during the measurement time. Note, the detection efficiency of the chosen PD is irrelevant since it is always possible to set pulse power such that the above condition is met. This is in contrast with e.g. pulsed beam-splitter method [4] where efficiency of detector affects the bit generation rate and thus it can never reach unity. In this device however, for each and every trigger signal we get a bit from the QRNG, hence we call the device 100% efficient. Under the assumption that both, the light source and the detector, are completely reset to their initial conditions between subsequent triggers, it is impossible for generated bit values to “communicate”, i.e. influence each other. Consequently there would be no correlation among successive bits. We will elaborate later how this assumption can be guaranteed in practice. Having these two characteristics (probability of ones equal to 0.5 and absence of correlation among successive bits) a pool of generated bits has no other possibility than to be random. Namely, according to min-entropy theory, laid out in Ref. [15], a sufficient condition for a RNG to generate truly random bits is that it generates any n-bit string with an a priori probability of 1/2n . Now, for n = 1 this is simply a condition that probability of ones is equal to 1/2, which is probably the most intuitive characteristic of a random bit string. Interesting thing happens for n ≥ 2 where the RNG must have (at least) n bits of memory to store the substring and be able to recognize it as one that needs to be generated with probability different than some other substring of the same length. Note that this type of behavior is absolutely impossible without a memory. But what if we make sure there is no memory in our RNG and yet engineer it such that it generates ones and zeros with equal probability? To the extent to which we can make these assumptions, the RNG has no other option that to generate truly random bits! We conclude that for the generator depicted n Fig. 2., in principle, a bit generated upon a trigger has no history prior to that trigger because all relevant physical processes, namely: (1) powering of the laser diode and subsequent light pulse emission, (2) photon detection and (3) detector-strobe coincidence, are all happening after the

A No-History, Low Latency Photonic Quantum Random Bit Generator …

69

trigger. In practice, we will make sure that it has no memory either. The bit-generating efficiency of the method is high: it yields two random bits per photon detection as compared to ≤ 1 bit for beamsplitter [4] and ≤ 0.5 for arrival-time [2] methods. Even though this high efficiency does not allow for higher bit generation rate, because the ultimate rate is bounded by inverse of the dead time, it does put a less strain to the detector reducing its power consumption and possibly extending its lifetime.

3 Experimental Setup 3.1 Sub-nanosecond Pulsed Laser In the experimental realization of the QRNG shown in Fig. 2, light pulses are obtained from a single mode laser diode LD (Sony DL3148-025, 650 nm). The laser diode is driven by a sub-nanosecond current pulse formed by a simple RLC circuit upon each positive-going edge of the trigger pulse. Passive driver design ensures smallest delay between the driving electrical pulse and the light pulse. Coarse adjustment of the energy of light pulses is made by the variable capacitor C. The RLC network circuit and the laser diode are mounted on an XY translation stage and can move relative to a 50 µm pinhole placed in front of the photon detector thus allowing for a fine tuning of the pulse detection probability p1 . The attenuation of light is performed by means of geometric misalignment between the laser mode and the aperture of the pinhole. The goal of this adjustment is to have p1 as close as possible to the ideal value of 0.5. The energy of the light pulse also depends on the bias voltage V BIAS which, in principle, allows for automatic bias zeroing via a negative feedback loop. The simplicity of the electrical and mechanical designs is intended to minimize the time lapse between a trigger pulse and the arrival of the optical pulse to the single-photon detector. The optical pulse from the laser diode circuit, shown in Fig. 2, features a jitter of 190 ps FWHM with respect to the trigger raising-edge. In order to avoid degradation of pulse power and shape, shortest period between two consecutive triggers should be ≥40 ns. The combined delay between the trigger input and photon detector output corresponding to detected photon(s) from the light pulse is (6.5 ± 0.2) ns and has a jitter of 370 ps FWHM for detectors with SLiK SPAD, as shown in Fig. 3, and about 750 ns FWHM for detectors with SUR500. The SUR500 diode has significantly smaller diffusion tail than SLiK diode, thus in both cases virtually all detection pulses are contained within 8.5 ns delay from the laser trigger pulse. The laser can be triggered at will with a shortest period between two consecutive pulses of about 40 ns (maximum 25 MHz repetition rate). At shorter delays pulse power and shape degrades.

70

M. Stipˇcevi´c and R. Ursin

Fig. 3 Time profile of the optical pulse emitted by the laser diode convoluted with the jitter of a detector with a SLiK SPAD. The main part has full width at half maximum of 370 ps. Virtual all pulses are emitted within ≈2 ns

3.2 Single-Photon Detectors For this study we use two types of home-made single-photon detectors which differ in the silicon single-photon avalanche photodiode (SPAD) that is used as a sensor. Each detector consists of a silicon single-photon avalanche diode (SPAD) operated in Geiger mode and actively quenched. We will show how different characteristics of the detectors affect quality of the generated random numbers. The distinctive and important characteristic of the avalanche quenching circuits (AQC) used in this study is that the delay between the avalanche and the output pulse (the detection delay) is quite small, equal to about 6.5 ns and that they contain an integrated pulse shaping circuit, shown in Fig. 4, which allows setting the output

Fig. 4 Pulse stretching/blanking part of the avalanche quenching circuit

A No-History, Low Latency Photonic Quantum Random Bit Generator …

71

pulse to any value between 8 ns and 50 ns by means of potentiometer P1, without changing the detection delay. The first detector type makes use of SPADs recovered from PerkinElmer SPCMAQR modules, also known as “SLiK”. We have built two detectors of this type. Active quenching circuit is a modification of the AQC described in Ref. [9] optimized for this particular SPAD type. A photodiode is operated at −10°C and excess voltage of 19 V. Characteristics of this detector type are: dead time τdead = 22 ns, output pulse width τ pd = 8 − 50 ns (adjustable), detection efficiency of 71% at 650 nm, jitter of 320 ps FWHM and dark counts of 200 cps and 750 cps for each detector respectively. The second detector type makes use of a silicon avalanche photodiode SUR500 manufactured by Laser Components. Even though the manufacturer states that this SPAD cannot be used for photon counting in photon-counting Geiger mode, we succeed to obtain reproducible avalanches that correspond to detection of photons. The avalanche current triggered by a single photon is quite small, a few times smaller than that of the SLiK diode, so we use a modification of the AQC described in Ref. [16] optimized for this type of SPAD. A photodiode is operated at −10°C and an excess voltage of 18 V. Characteristics of this detector type are: dead time τdead = 25.5 ns, output pulse width τ pd = 8 − 50 ns (adjustable), detection efficiency of 38% at 650 nm, jitter of 730 ps FWHM, and dark counts of 84.6 kHz. Since, as it will become clear later, afterpulsing has a crucial impact on performance of the QRNG, we also measure afterpulsing probability and afterpulsing lifetime for the detectors, using single lifetime afterpulsing model [17] and method described in Ref. [18]. Measured distributions of time intervals between successive detections, for the two detector types, are shown in Fig. 5. From this, we obtain total afterpulsing probability P P = 0.047 and lifetime τa = 33 ns for SliK detectors, while P = 0.016, τa = 8.0 ns for the SUR500 detector. Note that P is just a parameter of exponential distribution and by itself does not give a realistic estimate of afterpulsing. Namely, dead time absorbs a fraction of afterpulses that depends on τa .

Fig. 5 Distributions of time intervals between successive detections, for the two detector types: SLiK (dashed line) and SUR500 (full line). Afterpulses are apparent as peaks above the flat background

72

M. Stipˇcevi´c and R. Ursin

Fig. 6 Strobe—detector timing detail (4 ns/div time scale). Width of the photon counter pulse is τ pd = 8 ns, and duration of the strobe pulse is τtrig = 8 ns. By means of the variable delay line (shown in Fig. 2) the relative delay t between the two signals is set to 2 ns, which is enough to overcame mutual jitter of the pulsed laser and the photon detector, thus enabling readout of a well-defined random state of the detector’s output

For SLiK detector visible afterpulses amount 2.3% of all pulses, while for SUR500 detector visible afterpulses constitute only 0.055% of all pulses.

3.3 Strobe Signal Due to the laser jitter and intrinsic time resolution of single-photon detectors, photon detections jitter with respect to the trigger signal. Therefore, the Strobe signal should appear a bit later than the detector’s output (as shown in Fig. 6) in order to read a well-defined bit value. For both types of detectors, taking the delay of 2 ns, the total latency budget between the Trigger signal and the Strobe has to be set to about 8.5 ns. The variable delay line, depicted in Fig. 2, is realized as a coaxial cable of suitable length.

4 Random Number Generation Modeling and Practical Realization Even though, in theory, as explained above, there should be no correlation among generated bits, due to inevitable memory effects in realistic devices some autocorrelation appears also in experimental realization of the QRNG. Successive pulses of a pulsed laser diode are phase randomized exhibiting a Poisson statistics of number of emitted photons per pulse (n) [19, 20]. The detection of such a state is ether

A No-History, Low Latency Photonic Quantum Random Bit Generator …

73

supposed to be ballistic (n independent detection trials) or superlinear [21]. Crucial insight into the present QRNG is that any details of photon emission or detection are irrelevant as long as all physical processes pertaining to one emission and subsequent detection event are completed (i.e. die off) before the next trigger (a random bit request moment). This would ensure no correlations among generated bits. However, while the turn-on and turn-off processes in a laser diode have typical lifetimes on the order of 1) are obtained by shifting the boundaries of both integrals in Eq. 2 by T , that is: , that is bit generation is a Markov process and correlation among ak = a1 exp (k−1)T τa bits can indeed be characterized well by only the serial correlation coefficient with lag 1, namely a1 . In case of the SLiK detector, where τ pd = 8 ns and τdead = 22 ns, the net autocorrelation a1 is negative because the integration interval of the second term (of length τdead ) is longer than that of the first term (length τ pd ) and because Pa (t) is larger in the second integral. However, since the two integrals are the contiguous parts of an integral over a fixed interval (of length τ pd + τdead ) it could be possible to choose τ pd such that the correlation vanishes. If a simple exponential model of afterpulsing is assumed, i.e. Pa (t) = τPa e−t/τa [17] where P is the total afterpulsing probability, by requiring a1 = 0 one gets: e

τ pd τa

 τdead 3 − e τa = 2

(3)

A No-History, Low Latency Photonic Quantum Random Bit Generator …

75

from which τ pd can be expressed as:

τ pd = τa ln



2 3−e

τdead τa

.

(4)

We note that if P = 0 in Eq. (2) then a1 = 0 regardless of all other parameters. Interestingly, there is yet another possibility that leads to the same effect: for a hypothetical detector with an overwhelming afterpulsing lifetime (i.e. τa → ∞) Eq. (3) would be satisfied even if P > 0 and any value of τ pd would be optimal. This is because afterpulses would then be virtually randomly distributed over time, like dark counts, not correlated to any particular detection and thus not able to cause correlations. However, in our realistic, SLiK SPAD based detector diode we have τa = 33 ns, P = 0.047 and τdead = 22 ns. Inserting τa and τdead in Eq. (4) yields τ pd ≈ 21 ns. Apparently, the value of τ pd so obtained, is optimal for cancelation of a1 is independent of T. To verify that experimentally, we vary the width of the detector’s output pulse at the AQC and a evaluate autocorrelation as a function of τ pd for several bit rates (10 MHz, 15 MHz, 17.5 MHz and 20 MHz). Experimental results shown in Fig. 9 indicate that an overall minimum of the autocorrelation is indeed obtained for τ pd ≈ 21 ns and that is rather insensitive on the bit rate. We further note that following a detection of a photon at −t, the detector goes into the dead time and therefore afterpulses would contribute to the second integral  in Eq. (1) only if its starting range ( T + t − τ pd − τdead is greater than τdead , that is: T > 2τdead + τ pd − t

(5)

which corresponds to bit rate of about 1/T < 16 MHz. For higher trigger rates the second integral in Eq. (1) would become smaller and the autocorrelation would rise sharply, as indeed observed for bitrates of 17.5 and 20 MHz. Fig. 9 Serial autocorrelation coefficient a1 as a function of detector’s pulse width (τ pd ), measured for a set of bit rates. An overall minimum is obtained for τ pd ≈ 21 ns

76

M. Stipˇcevi´c and R. Ursin

After setting τ pd to the optimal value of 21 ns, correlation coefficient a1 has been evaluated again as a function of bit generation rates in the range 1–25 MHz. Results displayed in Fig. 7 (filled dots) show a significant improvement with respect to the result obtained with the original pulse width of 8 ns (hollow dots). The absolute value of a1 is less than 1.25 · 10−4 for bit rates all the way up to 20 MHz. At higher rates correlation quickly diverges because our simple model fails due to the effects explained above and possibly other smaller imperfections not taken into account. In practice Eq. (4) cannot be exactly satisfied for physical devices. It is therefore interesting to investigate the sensitivity of autocorrelation to variation of parameters such as detector pulse width (τ pd ), dead time (τdead ) and bit generation period (T ). By substituting the exponential afterpulsing model in Eq. (2) and taking partial derivative of a1 with respect to τ pd we get:  ∂a1 P  3 − eτdead /τa e−(T +t−τ pd )/τa . = ∂τ pd 4τ pd

(6)

Evaluated at τ pd = 21 ns, for T = 100 ns, τdead = 22 ns, τa = 33 ns, t = 2 ns and P = 0.047, Eq. (6) predicts sensitivity of a1 with respect to τ pd of 32 · 10−6 ns−1 which is indeed in a good agreement with the slope of the 10 MHz curve in Fig. 9. Similar analysis for dead time yields a sensitivity of −59 · 10−6 ns−1 , whereas for generation period the variation sensitivity is 0.2 · 10−6 ns−1 only. Since the three parameters (τ pd , τdead , T ) can be engineered with high precision and stability on the order of 1 ns, randomness quality of the present generator is predominantly affected by stability of bias which is about 500 · 10−6 . We find that serial correlation coefficients ak with lag 1 < k ≤ 64 are consistent with zero within statistical error for T = 100 ns and N = 109 . This is to be expected since with every lag the afterpulsing probability (and consequently the serial correlation) drops roughly by a factor of exp(T /τa ) ≈ 21, and thus the second and all further serial coefficients are much smaller than our statistical error. In order to further improve on both the statistical bias and the autocorrelation, one could use the Von Neumann extractor [26]. However, while on average it takes a block of 4 bits to generate one corrected bit, the time to gather enough bits to generate one corrected bit is not bounded and can span anywhere from 4T to infinity. In our case that would result in lowering of the bit production efficiency to only 25% and enlargement of the delay between the request and availability of the random bit. Therefore we chose an alternative, well known approach, which enabled us to keep the 100% efficiency and bounded latency: we built two independent generators of the type shown in Fig. 2, distributed the same trigger signal to their inputs and logically XORed their outputs. The XOR gate added another 1.3 ns of propagation delay, therefore the delay between the trigger and strobe was enlarged by the same amount, i.e. to 9.8 ns. According to [27] XORing two independent random strings each with bias b and autocorrelation a1 results in a new string with an improved bias b and autocorrelation a1 : b = −2b2

(7)

A No-History, Low Latency Photonic Quantum Random Bit Generator …

a1 = a12 + 8a1 b2

77

(8)

At 10 Mbit/s (i.e. T = 100 ns) for a single QRNG we measured: b ≤ 5 · 10−4 ; a1 ≤ 5 · 10−5 . Higher lag correlations were consistent with zero, within statistical errors, as expected in our model. By applying Eqs. (7) and (8) we estimate the upper bias and autocorrelation of the   bounds for the residual  XORed QRNGs to be: b  ≤ 5 · 10−7 and a1  ≤ 3 · 10−9 , respectively. In our theoretical model of thus QRNG, illustrated in Fig. 8, there are no deviations from randomness other than bias and serial autocorrelation and we saw that coefficients with lag k > 2 contribute to non-randomness negligibly, both theoretically and as confirmed by measurements. To detect statistically the above imperfections as a 3 sigma effect, one would need to generate at least 1013 bits for bias, and 1018 for correlation, showing that bias is the leading imperfection. However, afterpulsing is generally more complex [17] and there could be other imperfections in the setup that were not accounted for in our model, all of which could limit the achievable randomness.

5 Results with SLiK-Based Detectors As explained above, in order to arrive to a long sequence of random bits that is statistically indistinguishable from a perfectly random one, we may resort to XORing of two independent QRNGs. To that end, outputs of two independent and identical QRNGs are built and their outputs XORed. Since the XOR gate adds 1.3 ns propagation delay, the overall delay budget (latency) of the XORed SLiK-based QRBGs arrives at τ L = (9.8 ± 0.2) ns. This is the delay that has to be set between the Trigger and Strobe. As deduced in Ref [28], XORing two independent Markov processes each with bias b and correlation a1 results in an improved bias: b = −2b2 and correlation: a1 = a12 + 8a1 b2 . At 10 Mbit/s (or T = 100 ns) for a single QRNG we −4 which we conclude that the tandem measured: b ≤ 5 · 10−4 ; |a1 | ≤  1 · 10 , from  −7    performs: b ≤ 5 · 10 and a1 ≤ 1.1 · 10−8 . At that level, at least ~1013 bits are required to statistically detect deviation from randomness which is orders of magnitude more than would be required by any conceivable Bell test. A sequence of 109 bits (1000 samples of 1 Mbits) generated by the tandem generator at 10 Mbit/s passes NIST’s randomness test suite STS-2.1.2 with high scores. Typical results are shown in Table 1. The test results confirm that indeed this tandem QRBG performs undistinguishably from perfect randomness as long as the shortest time lapse between two bit requests is >= 100 ns and for string length of 109 bits. Finally, as an alternative approach to improve randomness, non-overlapping pairs of bits from a single QRNG operated at 10 Mbit/s have been XORed. In that case, the resulting bias and correlation are given by [27]:

78

M. Stipˇcevi´c and R. Ursin

Table 1 Typical results of NIST statistical test suite STS-2.1 for 1000 samples of 1 Mbits generated by XORing outputs of two independent QRNGs based on SLiK-based single-photon detector. For each statistical test an overall p-value as well as proportion of samples that passed the test versus theoretical threshold are given Statistical test

p-value

Proportion/threshold

Result

Frequency

0.784927

994/980

Pass

Block frequency

0.096578

992/980

Pass

Cumulative sums

0.767582

997/980

Pass

Runs

0.775337

995/980

Pass

Longest run

0.103138

991/980

Pass

Rank

0.657933

994/980

Pass

FFT

0.251837

993/980

Pass

Non overlapping template

0.574903

994/980

Pass

Overlapping template

0.867692

987/980

Pass

Universal

0.697257

994/980

Pass

Approximate entropy

0.348869

993/980

Pass

Random excursions

0.588541

626/615

Pass

Random excursions variant

0.235040

625/615

Pass

Serial

0.637119

990/980

Pass

Linear complexity

0.880145

986/980

Pass

b ≈ −2b2 − a1 /2

(9)

a1 ≈ 4a1 b2

(10)

which gives b ≈ −2.6 · 10−6 and a1 ≈ 5 · 10−11 . Again, 1000 samples of 1 Mbits have passed NIST test suite. The drawback of this approach is halving of the effective bit rate (to 5 Mbits/s) and doubling the latency, while the good side is requirement for only one photon detector.

6 Results with SUR500-Based Detector We now realize the QRBG shown in Fig. 2 with the second type of detector, namely the one based on SUR500 SPAD. This detector has been realized using an active quenching circuit similar to one described in [29]. In the discussion above we realized that afterpulsing is the dominant effect that generates correlations among bits. The main advantage of the detector based on SUR500 is its low and short-lived afterpulsing. Because of that, for a long enough bit generating period T , probability to encounter an afterpulse at the next strobe signal becomes negligible. This intuitive argument, in fact, points out to even a third possible solution of Eq. (2) which yields

A No-History, Low Latency Photonic Quantum Random Bit Generator …

79

Fig. 10 A series of autocorrelation coefficients a1 as a function the triggered bit rate, measured for the pulse width τ pd = 10 ns, for a detector based upon SUR500 SPAD. Statistics per coefficient is 109 bits. One sigma error bars are barely visible being roughly equal to the dot size

a1 = 0. Namely, if Pα (t) tends to 0 when t satisfies: t > T + t − τ pd − τdead

(11)

then both integrals in Eq. (2) also tend to zero, and the pulse width τ pd does not matter anymore. In practice, the shorter τ pd the better, since then condition in Eq. (11) is satisfied to a greater extent. For practical reasons of clean readout we chose τ pd = 10 ns. With this setting, random bits have been generated upon a periodic trigger with frequency spanning from 1 to 25 MHz in the same manner as for the SLiK detector. Obtained autocorrelation coefficient a1 shown in Fig. 10 features lower absolute value further towards high bit rate end, when compared to the performance of the SLiK-based QRNG shown in Fig. 7. On top of that, now we do not need to adjust τ pd because it does not affect the autocorrelation unless it is so large that Eq. (5) is violated, which we confirmed by measurements. According to Eq. (5), for τ pd = 10 ns, we expect that the highest bit generation rate is about 17 MHz. Indeed, we see that after that point correlation rises towards positive values, as expected, while above 22 MHz dead time proximity (1/T ≈ τdead ) starts to cause large anti-correlation and our generator becomes useless. In order to improve on both the bias and the correlation, a second, we generate two sets of 109 random bits at a rate of 17 MHz and XOR them bit-by-bit in order to obtain a single string of 109 bit. For a typical string we measure: |b| and |ak | for lags 1 ≤ k ≤ 64 to be within statistical errors of 1.6 · 105 and 3.2 · 105 respectively. Table 2 summarizes test results obtained by the NIST test suite of a typical string of 109 bits obtained in this manner. To test possibility to generate high-quality bits with the SUR500-based photon detector, we generate a string of 2 · 109 bits at 17 MHz and XOR neighboring bits to arrive to a new string of 109 bits. This new string also has bias and serial correlations within statistical errors and passes NIST statistical test, confirming that a statistically good random bits can be generated at a pace of 8.5 MHz or every 118 ns (or more). We see that the QRNG realized with SUR500-based detector performs significantly better and faster than the one utilizing SLiK diode, allowing bit generation of

80

M. Stipˇcevi´c and R. Ursin

Table 2 Typical results of NIST statistical test suite STS-2.1 for 1000 samples of 1 Mbits generated by XORing outputs of two independent QRNGs based on SUR500-based single-photon detector. For each statistical test an overall p-value as well as proportion of samples that passed the test versus theoretical threshold are given Statistical test

p-value

Proportion/threshold

Result

Frequency

0.745908

991/980

Pass

Block frequency

0.897763

994/980

Pass

Cumulative sums

0.619590

990/980

Pass

Runs

0.996996

989/980

Pass

Longest run

0.603841

985/980

Pass

Rank

0.735908

992/980

Pass

FFT

0.556460

983/980

Pass

Non overlapping template

0.474837

990/980

Pass

Overlapping template

0.643366

986/980

Pass

Universal

0.834308

990/980

Pass

Approximate entropy

0.932333

987/980

Pass

Random excursions

0.573467

622/614

Pass

Random excursions variant

0.499546

620/614

Pass

Serial

0.765922

996/980

Pass

Linear complexity

0.572847

995/980

Pass

up to 17 MHz for the (simulated) tandem configuration or 8.5 MHz for a configuration with successive bit XORing. We conclude that this improvement in performance is solely due to lower afterpulsing of SUR500 SPAD, even though it is inferior as single-photon sensor, having only half the quantum efficiency and over two orders of magnitude higher dark counts rate than SLiK SPAD.

7 Discussion A conceptually simple, on-demand optical quantum random number generator is presented that simultaneously features: (1) ultra-fast response upon a bit request (9.8 ns), (2) 100% bit generation efficiency upon the trigger and (3) in-future-ofrequest random action. While its characteristics are of particular relevance to some applications (such as Bell tests or random logic [30]), it can be used for a much wider range of applications. It can deliver random bits at a maximum rate of currently 10 MHz featuring very low randomness errors without post-processing. Sources of randomness errors and their sensitivity to variations in hardware components have been studied, modeled and shown to be small. In comparison, other post-processing free-running QRNGs have achieved 100% efficiency and nanosecond scale response by quick sampling of a randomly toggling flip-flop [6, 31], but with all relevant

A No-History, Low Latency Photonic Quantum Random Bit Generator …

81

physical processes happening hundreds of nanoseconds in the past of the request due to long delays in optical and electrical paths or long range correlations among bits. A post-processing-free QRNG based on self-differencing technique [32] operated at a clock 1.03 GHz delivers bits randomly at an average rate of 4.01 Mbit/s thus having efficiency of only about 4‰. In a setup having a similar topology to ours [33] a gain-switched laser diode feeds an asymmetric Mach-Zender interferometer whose output intensity is measured by a photodiode and digitized by 8-bit ADC, whereas in [34] an in-future-of-request continuous-variable QRNG is based on phase diffusion in a laser diode. Both QRNGs feature unavoidable requirement for ADC conversion followed by complex post-processing which results in long response times. Furthermore, none of the above discussed constructs has been tested random for strings longer than ~109 bits, which can be too short for applications like Monte Carlo calculations and simulations. For the XORed QRNG, assuming the validity of our model, we estimated that randomness imperfections can not be statistically detected for a sequence of generated bits shorter than ~1013 bits. A notable success in randomness estimation is achieved in [35] by calculating propagation of min-entropy through privacy amplification claiming randomness for strings of up to ~1096 bits, but at the expense of time-consuming post-processing and long history of physical events prior to the bit request. Finally, achieved delay between a request and availability of random bit in our QRNG is arguably the shortest possible with a given state of technology since only a logically minimal sequence of processes is required to generate one bit, namely a light pulse emission followed by a photon detection.

8 Further Research—Next Steps We have demonstrated that using our concept, one can generate a random bit every 59 ns (or more) with a latency below 10 ns. The cost of this generator is two pulsed lasers and two photon detectors per bit, which seems high when considered in terms of usual bulk components that we used in this study. On top of that, low bias of this QRNG cannot be guaranteed “off the shelf”, rather it must be obtained by a careful adjustments of each laser or, alternatively, by some kind of electrical auto adjustment via a negative feedback loop, that was not demonstrated here. While expensive when made with bulk components, thanks to its simplicity, this QRNG seems ideally suited for realization on a chip. Namely, recent advances in silicon CMOS-process-based camera chips, allow for thousands of independent singlephoton counting pixels on a single silicon chip along with all required logic circuits and analog amplifiers needed for automatic bias adjustment, thus reducing the price for detectors. The need for a large number of lasers can be eliminated by use of a single pulsed laser that uniformly illuminates all pixels at the same time. The presented bit generating method, in principle, allows for miniaturization of the QRNG to a chip level with the existing technology. This would open possibility for wider range of applications.

82

M. Stipˇcevi´c and R. Ursin

References 1. Figotin, A., et al. (2004). inventors; The Regents of the University of California, asignee; A random number generator based on spontaneous alpha-decay. PCT patent application WO0038037A1. 2. Stipˇcevi´c, M., & Rogina, B. M. (2007). Quantum random number generator based on photonic emission in semiconductors. Review of Scientific Instruments, 78(045104), 1–7. 3. Rarity, J. G., Owens, P. C. M., & Tapster, P. R. (1994). Quantum random-number generator and key sharing. Journal of Modern Optics, 41, 2435–2444. 4. Stefanov, A., Gisin, N., Guinnard, O., Guinnard, L., & Zbinden, H. (2000). Optical quantum random number generator. Journal of Modern Optics, 47, 595–598. 5. Fürst, H., et al. (2010). High speed optical quantum random number generation. Optics Express, 18, 13029–13037. 6. Stipˇcevi´c, M. (2004). Fast nondeterministic random bit generator based on weakly correlated physical events. Review of Scientific Instruments, 75, 4442–4449. 7. Scarani, V., et al. (2009). The security of practical quantum key distribution. Reviews of Modern Physics, 81, 1301–1350. 8. Merali, Z. (2011). Quantum mechanics braces for the ultimate test. Science, 331, 1380–1382. 9. Weihs, G., Jennewein, T., Simon, C., Weinfurter, H., & Zeilinger, A. (1998). Violation of Bell’s inequality under strict Einstein locality conditions. Physical Review Letters, 81, 5039–5043. 10. Scheidl, T., et al. (2010). Violation of local realism with freedom of choice. Proceedings of the National Academy of Sciences of the United States of America, 107, 19708–19713. 11. Giustina, M., et al. (2013). Bell violation using entangled photons without the fair-sampling assumption. Nature, 497, 227–239. 12. Christensen, B. G., et al. (2013). Detection-loophole-free test of quantum nonlocality, and applications. Physical Review Letters, 111, 130406. 13. Stipˇcevi´c, M., & Ursin, R. (2015). An on-demand optical quantum random number generator with in-future action and ultra-fast response. Scientific Reports, 5(10214), 1–8. 14. Rukhin, A., et al. (2010). NIST Special Publication 800-22rev1a. April 2010, http://csrc.nist. gov/rng. Accessed 01 Feb 2012. 15. Frauchiger, D., Renner, R., & Troyer, M. (2013). True randomness from realistic quantum devices. SPIE Security + Defense Conference Proceedings (Vol. 8899). arXiv:1311.4547 (quant-ph). 16. Stipˇcevi´c, M., Christensen, B. G., Kwiat, P. G., & Gauthier, D. J. (2017). An advanced active quenching circuit for ultra-fast quantum cryptography. Optics Express, 25, 21861–21876. 17. Giudice, A. C., Ghioni, M., & Cova S. (2003). A process and deep level evaluation tool: afterpulsing in avalanche junctions. In Proceedings of European Solid-State Device Research 2003 (ESSDERC 03) (pp. 347–350). 16–18 Sept 2003. 18. Humer, G., Peev, M., Schaeff, C., Ramelow, S., Stipˇcevi´c, M., Ursin, R. (2015) A simple and robust method for estimating afterpulsing in single photon detectors. Journal of Lightwave Technology, 33, 3098–3107. 19. Henry, C. (1982). Theory of the line width of semiconductor lasers. IEEE Journal of Quantum Electronics, 18, 259–264. 20. Henry, C. (1986). Phase noise in semiconductor lasers. Journal of Lightwave Technology, 4, 298–311. 21. Lydersen, L., et al. (2011). Superlinear threshold detectors in quantum cryptography. Physical Review A, 84, 032320. 22. Pesquera, L., Revuelta, J., Valle A., & Rodriguez, M.A. (1997). Theoretical calculation of turn-on delay time statistics of lasers under PRWM. In M. Osinski, & W. W. Chow (Eds.), Physics and Simulation of Optoelectronic Devices V (SPIE, San Jose, 1997). (Proceedings of SPIE Vol. 2994). 23. Stipˇcevi´c M., & Gauthier D. J. (2013). Precise monte carlo simulation of single-photon detectors. In M. A. Itzler, J. C. Campbell (Eds.),: Advanced Photon Counting Techniques VII (SPIE, Baltimore, 2013). (Proceedings of SPIE Vol. 8727).

A No-History, Low Latency Photonic Quantum Random Bit Generator …

83

24. Knuth D. (1997). The art of computer programming Volume 2: Seminumerical Algorithms (3rd ed., pp. 70-71). Reading: Addison-Wesley. 25. Walker, J. (2003). ENT-A Pseudorandom Number Sequence Test Program. http://www. fourmilab.ch/random/. Access: 05 Feb 2014. 26. Von Neumann J. (1963). Various techniques for use in connection with random digits (Von Neumann Collected Works, Vol 5, pp. 768–770). New York: Macmillan. 27. Davies, R. (2002). Exclusive OR (XOR) and hardware random number generators. 28 Feb 2002, http://www.robertnz.net/pdf/xor2.pdf. Accessed 05 Feb 2014. 28. Stipˇcevi´c, M., & Bowers, J. (2015). Spatio-temporal optical random number generator. Optics Express, 23, 11619–11631. 29. Stipˇcevi´c, M. (2009). Active quenching circuit for single-photon detection with Geiger mode avalanche photodiodes. Applied Optics, 48, 1705–1714. 30. Stipˇcevi´c M. (2013). Quantum random flip-flop based on random photon emitter and its applications, arXiv:1308.5719. (quant-ph). 31. Jennewein, T., Achleitner, U., Weihs, G., Weinfurter, H., & Zeilinger, A. (2000). A fast and compact quantum random number generator. Review of Scientific Instruments, 71, 1675–1680. 32. Dynes, J. F., Yuan, Z. L., Sharpe, A. W., & Shields, A. J. (2008). A high speed, postprocessing free, quantum random number generator. Applied Physics Letters, 93, 0311109. 33. Yuan, Z. L., et al. (2014). Robust random number generation using steady-state emission of gain-switched laser diodes. Applied Physics Letters, 104, 261112. 34. Abellán, C., et al. (2014). Ultra-fast quantum randomness generation by accelerated phase diffusion in a pulsed laser diode. Optics Express, 22, 1645–1654. 35. Sanguinetti, B., Martin, A., Zbinden, H., & Gisin, N. (2014). Quantum Random Number Generation on a Mobile Phone. Physical Review X, 4, 031056.

Secure Random Number Generation in Continuous Variable Systems Jing Yan Haw , Syed M. Assad

and Ping Koy Lam

Abstract Intrinsic uncertainty is a distinctive feature of quantum physics, which can be used to harness high-quality randomness. However, in realistic scenarios, the raw output of a quantum random-number generator (QRNG) is inevitably tainted by classical technical noise. The integrity of such a device can be compromised if this noise is tampered with, or even controlled by some malicious parties. In this chapter, we first briefly discuss how the quantum randomness can be characterised via information theoretic approaches, namely by quantifying the Shannon entropy and min-entropy. We then consider several ways where classical side-information can be taken into account via these quantities in a continuous-variable QRNG. Next, we focus on side-information independent randomness that is quantified by min-entropy conditioned on the classical noise. To this end, we present a method for maximizing the conditional min-entropy from a given quantum-to-classical-noise ratio. We demonstrate our approach on a vacuum state CV-QRNG. Lastly, we highlight several recent developments in the quest of developing secure CV-QRNG. Keywords Continuous variable quantum information · Quantum random number generation · Entropy quantification

1 Quantum Randomness From a philosophical point of view, the notion of randomness has always been an intriguing concept. It is inherently linked to the understanding of whether our world is deterministic, and also whether free-will is possible or not. From a pragmatist’s perspective, however, randomness can be simply seen as the result of subjective ignorance, i.e. when an observer does not have a complete description of the particular J. Y. Haw (B) · S. M. Assad · P. K. Lam Centre for Quantum Computation and Communication Technology, Department of Quantum Science, The Australian National University, Canberra, ACT 2601, Australia e-mail: [email protected] © Springer Nature Switzerland AG 2020 C. Kollmitzer et al. (eds.), Quantum Random Number Generation, Quantum Science and Technology, https://doi.org/10.1007/978-3-319-72596-3_6

85

86

J. Y. Haw et al.

physical system. For example, the outcome of a coin toss can be seen as random since we do not know, with infinite precision, all the parameters involved, such as the angle of toss, the force applied and so on. Randomness is a vital resource in many information and communications technology applications, such as computer simulations, statistics, gaming, and cryptography. To ensure the integrity of these applications, a high-quality entropy source which produces good randomness, i.e. uniform and unpredictable, is paramount. The unbreakable security of the one-time pad in cryptography is also based on the assumption of availability of uniformly random bits, unpredictable by any eavesdropper. There exists also applications which are not concerned with matters of security, and therefore do not have a high demand on perfect randomness. In such cases, a sequence of uniformly distributed numbers mostly suffices. Such sequences can be generated using a pseudorandom number generator (PRNG) that works via certain deterministic algorithms. Although PRNGs can offer highly unbiased random numbers, they cannot be used for applications that require information-theoretic security for two reasons: Firstly, PRNG-generated sequences are unpredictable only under limitations of computational power, since PRNGs are inherently based on deterministic algorithms. One famous example is randu, a type of linear congruential generators which generates numbers by recurrence relations. Though being widely used in the 70s for Monte Carlo simulations, this generator actually fails the spectral test due to the correlation between the triplets in the sequence [35], thus rendering the aforementioned simulations questionable (Fig. 1). Secondly, the random seeds, which are required to define the initial state of a PRNG, limit the amount of entropy in the random-number sequences they generate. This compromises the security of an encryption protocol. For cryptographic applications [52], a random sequence is required to be truly unpredictable and to have maximum entropy. To achieve this, intensive efforts have been devoted to developing high-speed hardware RNGs that generate randomness

Fig. 1 Randu, an ill-conceived pseudo RNG. The three-dimensional scatter plot of the triplets of three consecutive numbers, while seemingly random from an arbitrary perspective (a), turns out to be falling on 15 2-dimensional plane (b) due to correlations between the triplets. Generated from codes in [25]

Secure Random Number Generation in Continuous Variable Systems

87

via physical noise [24, 34, 54, 58, 64]. Hardware RNGs are attractive alternatives because they provide fresh randomness based on physical processes that are extremely hard to predict. Moreover, they also provide a solution to the problem of having insufficient entropy. Because of the deterministic nature of classical physics, however, some of these hardware generators may be only truly random under practical assumptions that cannot be validated. All PRNGs and hardware RNGs can be categorised as processes that are apparently random. Ultimately, the produced randomness arises from a lack of full knowledge of the system, such as the seed or the initial condition of the system. On the other hand, RNGs that rely on quantum processes (quantum RNG, or QRNGs), offer guaranteed indeterminism and entropy, since quantum processes are intrinsically random [8, 55]. This is the implication of Born’s rule in quantum mechanics [6], where the measurement outcome of a quantum state is inherently probabilistic—and not just because the observer is ignorant. Meanwhile, the Heisenberg’s uncertainty principle, which bounds the precision of the outcome of two non-commuting measurements, necessitates unpredictability in the statistics of quantum measurement. The very first quantum entropy source was conceived in 1956, which was based on the radioactive decay counts [22]. Contemporary QRNG realisations are usually in favour of optical systems, owing to the ease of implementation and affordability of the source. For optical QRNGs, two major camps can be identified: photon(s) detection and coherent detection. The simplest example in the former camp is the detection of paths taken by a single photon after a beam splitter, assigning say ‘0’ for a particular detector and ‘1’ for the other [14, 23]. More sophisticated realisations are based on photon detection including photon arrival time [13, 60, 61] and the Poissonian distribution of coherent light [47]. The generation rate of these RNGs is generally limited by the speed of the photon detectors (either single photon detectors or photon number resolving detectors). One can overcome this speed bottleneck by means of coherent detection, where highly efficient detectors are used to measure continuous variable properties of light encoded in the quadratures, such as quantum phase fluctuations [1, 18, 45, 63], spontaneous emission noise [29, 53, 62], stimulated Raman scattering [7] and vacuum fluctuations [16, 51, 56]. These QRNGs resolve the shortcomings of apparent RNGs. Theoretically, it would always be desirable to have quantum randomness. However in practice, in order to distil randomness from quantum-mechanical sources, we inevitably need to manipulate or measure the quantum state. Therefore, the final output is often a mixture of genuine quantum randomness and classical noise. The distillation of good quality randomness from such a mixture is, therefore, a question of utmost importance. Without proper characterization, the security of the generator may be compromised if the noise is untrusted. For example, even in a trusted lab, a malicious vendor can supply a detector with predetermined values that may be added on top of the measurement signal, causing the output bits to be less unpredictable. By modelling the physical devices adequately, the effect of these noise contributions can be minimised or eliminated. In cases where the internal working of the devices is either unknown or inaccessible, genuine randomness based on quantum physics can still be obtained in a device-

88

J. Y. Haw et al.

independent fashion. In particular, certification of randomness based on observing the violation of fundamental inequalities such as Bell-inequalities will guarantee that the randomness produced has no classical counterpart, and is genuinely random independent of the working principle of the measurement devices [42]. If only either the source or the measuring device is untrusted, an intermediate approach called semi self-testing is conceivable [32].

2 Quantifying the Randomness Defining randomness is by no means trivial. Inspired by Kolmogorov complexity [26], Martin-Löf put forth an algorithmic definition [37]: a random sequence should pass all possible statistical tests and should be incompressible. In this context, incompressibility means that the random sequence cannot be generated by a program shorter than its length. This definition, however, is only applicable for infinitely long sequences. Moreover, its shortcomings become more apparent because the algorithmic complexity for a sequence is generally incomputable [15]. Meanwhile, statistical test suites, such as NIST [4] and Diehard [36] tests, consist of a series of hypothesis tests to detect inherent patterns in the sequence. Such tests, however, do not guarantee its privacy. For example, a random sequence possessed by a user may pass all conceivable statistical tests, yet can be fully predictable by a malicious provider who might own an exact copy of the sequence. This predicament can be resolved by anchoring our definition on the process that generates this randomness. Instead of relying on the sequence itself, the randomness is guaranteed as long as the process that generates it is inherently probabilistic. Such is the case for QRNGs, whose randomness is guaranteed by the law of quantum physics (Sect. 1). In practice, bias cannot be avoided in implementation due to the inherent measurement outcome distribution, as well as the classical noise accompanying the measurement process. A properly designed QRNG always comes with a post-processing stage to ensure that the final output is (almost) uniformly distributed and uncorrelated with existing information, such as all previous device settings or side information. This ensures that the final output of the QRNG is genuinely random. To perform source characterization, we explain several different measures of entropy that have been commonly used in the literature to quantify randomness. We also see how one may account for randomness in the eyes of an observer who potentially has access to side information. This is particularly important whenever randomness is used for cryptographic purposes, and needs to be kept private from a malicious eavesdropper. When such side information is classical, depending on physical assumptions of the eavesdropper, we show that variants of the conditional min-entropy quantify the maximum amount of bits produced by the source which are fully random conditioned on the eavesdropper. This will be the main quantity of interest for the setting of our QRNG described in Sect. 5. In the case where side information is quantum, for example, when the eavesdropper may be entangled with

Secure Random Number Generation in Continuous Variable Systems

89

the quantum source itself, a quantum version of the conditional min-entropy must be used instead, which we briefly mention in Sect. 4.6.

2.1 Shannon Entropy With his seminal work published in 1948 [50], Claude Shannon laid down the cornerstone of information theory. In this work, he introduced the Shannon entropy as a uniquely well-behaved measure of unpredictability. This quantity, often denoted as H (X ), is assigned to a piece of information X , which mathematically can simply be viewed as a random variable associated with some probability distribution PX . It is defined as  PX (xi ) log2 PX (xi ), (1) H (X ) := − i

where PX (xi ) is the probability of obtaining outcome xi . Equation 1 tells us about how much information we gain on average once we have learned about the outcome of X . In fact, it can also be seen as how uncertain we are, on average, about X . This quantification is sufficient if we want to gauge the uncertainty in a particular distribution used over many instances, but it is inadequate for single-shot tasks, especially those of a cryptographic setting. As an example, consider the distributions shown in Fig. 2. The uniform distribution in Fig. 2a describes an event with 23 equally probable outcomes. In this case, the Shannon entropy of the distribution is maximal and is equal to log2 (23 ) = 3. As the distribution departs from being uniform (Fig. 2b), the Shannon entropy reduces. This can be interpreted as a case where some outcomes are more likely to occur, hence there is less surprise upon obtaining a particular outcome on average. In an extreme case, where the distribution is particularly skewed, Shannon entropy ceases to be a good indicator of the unpredictability. For example, in Fig. 2c, we plot a distribution with 2q + 1 outcomes, where there is an extreme outlier, with the rest of (a)

(b)

(c)

Fig. 2 The Shannon entropy of an uniform distribution is maximal (a), and decreases when the the distribution deviates from uniformity (b). For an extremely skewed distribution (c), the Shannon entropy is no longer sufficient to quantify the unpredictability of the outcomes

90

J. Y. Haw et al.

the outcomes being equally likely, i.e. PX (x1 ) = 1/2, PX (x j ) = 1/2q+1 for j = 1. In the limit of q  1, H (X ) → q/2. In this case, even though the Shannon entropy of the distribution is large, the outcome of the event is highly predictable, since with a very good chance the outcome x1 is obtained. The moral of this example is that the Shannon entropy is an inadequate measure when it comes to quantifying randomness. In fact, it is at best an upper bound of the randomness [5].

2.2 Min-entropy With the definition of randomness as unpredictability, the guessing probability emerges naturally as a figure of merit. This quantity tells us what is the best chance we have in predicting the outcome of a random variable X . In the unit of bits, this quantity is linked to the min-entropy, which is defined as [12, 27]:   Hmin (X ) := − log2 max PX (xi ) . xi ∈X

(2)

Operationally, this corresponds to the entropy associated with the optimal strategy for an eavesdropper to guess X , which is to bet on the most likely outcome. The min-entropy also gives a common lower bound on all the Rényi entropies.1 For a uniform distribution, the min-entropy coincides with the Shannon entropy. For example, the min-entropy for Fig. 2a is log2 23 = 3. Remarkably, for the distribution in Fig. 2c, the min-entropy is always the logarithm of the bin with highest probability, i.e. − log2 0.5 = 1, regardless of the number of outcomes. Contrary to the Shannon entropy, min-entropy thus is more robust against skewness of a distribution. The min-entropy is also a crucial parameter for the randomness extractor mentioned in Sect. 3.1. It quantifies the maximum amount of (almost) uniform randomness that can be extracted out of the distribution PX (see Sect. 4.7).

3 Preliminaries 3.1 Block Description of a QRNG Generally, a QRNG can be subdivided into the following stages: quantum entropy, classical entropy, measurement and randomness extraction (Fig. 3). Ideally, the intrinsic entropy is obtained from physical processes of quantum origins. The quantum signal inevitably mixed with noise of classical origin due to factors such as imperfect source preparation. Classical noises also added into the system during the measure  1 α Rényi entropy is defined as Hα (X ) = 1−α log2 xi ∈X PX (x i ) , with respect to a realvalued parameter α ≥ 0. Min-entropy comes from taking the limit α → ∞.

1 The

Secure Random Number Generation in Continuous Variable Systems

91

Fig. 3 The stages in a QRNG, where the measurement registers both the classical and quantum entropy. The randomness extractor distills the randomness of quantum origin

ment process, such as electrical noises and dark counts. In order to access the intrinsically secure randomness, both the classical entropy and the noise of quantum origin, which may be untrusted, have to be treated as side-information. In the postprocessing stage, also known as randomness extraction stage, the non-uniform raw sequences in the measurement outcome will be transformed to uniform, yet shorter sequences that is independent from the side information. We will now briefly describe several ways to quantify this extractable randomness via an information-theoretic approach, and how it can be made independent of side information (classical or quantum).

3.2 Continuous Variable Quantum Information Preempting our discussion on continuous variable system, here we give a basic description on the continuous variable quantum information theory. For the transmission of information using a continuous quantum source, a continuous version of the Shannon entropy has to be considered. For a continuous variable X with probability density p X (x), it is defined as [10]  h(X ) = −

p X (x) log2 p X (x)d x.

(3)

This definition, which is also known by the name of differential entropy, is maximized by the normal distribution for all distributions having a fixed variance. Let us now consider a case where a sender (Alice) is transmitting information to a receiver (Bob) by encoding her data onto the quadrature of a CV quantum state with variance Δ2 Xˆ N . Alice’s data is a random number S drawn from Gaussian distributions with zero mean and a variance of Δ2 S A . This forms an additive white Gaussian noise (AWGN) channel, allowing the signal that Bob receives in a lossless channel to be written as Xˆ B = S A + Xˆ N in terms of quadrature. Since both the signal and the noise are from independent normal distributions, Xˆ B has a variance of Δ2 Xˆ B = Δ2 S A + Δ2 Xˆ N . With Eq. (3), the differential entropies for Alice and Bob can be expressed as

92

J. Y. Haw et al.



1 log2 2πeΔ2 S A , 2  1 h(B) = log2 2πe(Δ2 S A + Δ2 Xˆ N ) , 2 h(A) =

(4) (5)

where e is the Euler’s constant, and the Shannon entropy is in units of bits/symbol. The information transmission rate between Alice and Bob through the quantum channel is given by Alice’s mutual information with Bob: I (A : B) = h(B) − h(B|A) = h(B) − h(N )

 Δ2 S A 1 . = log2 1 + 2 Δ2 Xˆ N

(6) (7) (8)

Here, we have used the fact that h(B|A) = h(A + N |A) = h(N ) since the encoding signal is independent from the quantum noise. By encoding Gaussian signals on the quadrature of the light field, Alice can transmit information to Bob at the Shannon capacity of a continuous quantum channel, where the information capacity is dependent on the ratio between the variance of the Gaussian signal Δ2 S A and the variance of the quantum noise Δ2 Xˆ N .

4 Side-Information In most existing literature of QRNG development, usually, the side information is not accounted for since the lab is assumed to be trusted. However, such an assumption is inapplicable when it comes to stringent circumstances such as those in quantum cryptography. Moreover, knowing the source of the randomness is paramount for choosing measurement settings in fundamental physics tests [2]. For example, in experiments that are aimed at investigating fundamental physics, such as those of a Bell test, the choice of measurement settings has to be genuinely random for the collected data to be even considered as valid. The main goal of entropy evaluation of a secure QRNG is to quantify the amount of randomness available in the measurement outcome M, conditioned upon side-information E. This side information might be accessible by, controllable by, or correlated with an adversary. The concept of side-information-independent randomness, which includes privacy amplification and randomness extraction, is well established in both classical and quantum information theory [11, 27, 38, 49]. As the framework of QRNG matures and enters the domain of application, the security aspect of randomness generation started to get considerable attention [1, 7, 14, 15, 28, 31, 56, 59]. We will now review several approaches for dealing with untrusted side information, focusing on classical side information, while seeing that conditional min-entropy best accomplishes the task. Finally in Sect. 4.8 we briefly discuss device-independent randomness generation.

Secure Random Number Generation in Continuous Variable Systems

93

4.1 Classical Side-Information Classical side information arises from various sources of classical origin, such as technical electronic noise and thermal noise (Fig. 3). Since these sources are not from the desired quantum source, it could be known by the adversary either due to monitoring or direct manipulation. For example, imagine a malicious detector which contaminates the measurement result with pre-established values known to the detector. The raw randomness, though is still correlated to the quantum source, has its security compromised since it is also correlated to the eavesdropper. Hence, unless the lab is completely secure, classical side-information has to be taken into account. Plus, this step is necessary if we want to call our device a bona fide QRNG. For example, in the case where the detector is noisy or has low efficiency, without any form of calibration or validation, the randomness is more likely to be of classical origins, such as from dark counts.

4.2 Mutual Information Between Measured Data and Quantum Entropy One way of getting randomness of quantum origin would be to quantify the correlation between the measured data M and the quantum data Q. For a channel with additive Gaussian noise introduced in Sect. 3.2, these quantities are related to each other by M = Q + E, where E is the electronic noise. From a cryptographic perspective, E can be viewed as any classical noise generated by a malicious party. The mutual information between M (m ∼ N (0, σ 2M )) and Q (q ∼ N (0, σ 2Q )) is2 : I (M : Q) = H (M) − H (M|Q)   =− P(m i ) log2 P(m i ) − dq P(q)H (M|q).

(9) (10)

all bins

Maximum entropy for H (M) can be achieved by partitioning the measured bins with N = 2n bins of equal probability, thus giving H (M) = n. This approach is used in [16] for a QRNG based on the quantization of self-homodyning detection. With this binning method, there will be more bins near the origin. As a result, the conditional entropy H (M|q) is largest when evaluated at q = 0, which is equivalent to the entropy of the measured data without any quantum fluctuation contributions H (E). We can then derive a lower bound for I (M : Q) by having: I (M : Q) ≥ n − H (M|q = 0) = n − H (E).

2 Here

for brevity we omit the subscripts for the distributions.

(11)

94

J. Y. Haw et al.

(a)

(b)

Fig. 4 a Shannon entropy for the measured signal H (M) and the electronic noise H (E). b The mutual information between the measured signal and the quantum entropy I (M : Q), together with the difference between H (M) and H (E). The dashed line is the upper bound for I (M : Q) at the infinite binning limit. The SNR is 15 dB

This equation can also be reinterpreted as H (M) − H (E), the entropy of the measured signal subtracted the noise entropy. This approach, as shown in Fig. 4 for signal-to-noise ratio (SNR) of 15 dB,3 however does not allow us to extract more randomness even if we increase the number of bins. Upon observation of Fig. 4a, the entropy of the electronic noise increases at almost the same rate as the measured signal after a threshold binning value. Due to equal-probability binning of the measured signal, the closer the bin to the origin, the smaller is the bin width. As the number of bins n increases, the electronic noise distribution experiences binning at the same rate as the measured noise distribution. Hence, increasing the number of bins does not lead to any further increase in the effective number of bits, as reflected in Fig. 4b. The mutual information I (M : Q) can be calculated exactly (for arbitrary amounts of partitioning) once we obtain the joint probability table between M and Q. This is done using the formula I (M : Q) =



P(m ∈ Ai , q ∈ B j ) log2

all bins(Ai ,B j )

P(m ∈ Ai , q ∈ B j ) . P(m ∈ Ai )P(q ∈ B j )

(12)

On the other hand, in the limit of infinitely many bins n → ∞, we can calculate the maximum value of I (M : Q) with Eq. (8)   σ 2Q 1 I (M : Q) = log2 1 + 2 , 2 σE

3 SNR

(13)

is defined as 10 log10 (σ 2M /σ 2E ), where M is the measurement signal and E is the noise.

Secure Random Number Generation in Continuous Variable Systems

95

where σ 2E = σ 2M − σ 2Q . We see that the exact amount of I (M : Q) approaches the asymptotic value, and does not increase with further binning. This is rather undesirable, as it unnecessarily limits the extractable randomness, and ultimately the speed of the QRNG. To shed light to the reason behind this bound on the entropy, we note that the quantity I (M : Q) tell us how easy it is to recover Q given M. However, for the purposes of an RNG, it is actually not our goal to recover the quantum signal. Consider an example of M = Q + E mod 2, where both Q and E represent a single random bit and an eavesdropper Eve has access to E. Therefore, the measurement outcome M is also one random bit. This means M and Q are not correlated at all, implying that the mutual information vanishes, i.e. I (M : Q) = 0. However, the eavesdropper Eve cannot learn the value of M since I (M : E) is also zero. The measured signal conditioned on the electronic noise, in this case, is H (M|E) = H (M) and is hence 1 bit. Therefore, even though I (M : E) is zero, one can still hope to extract random bits [63]. Hence, this quantity does not seem to have the desired operational significance in terms of quantifying extractable randomness. This motivates the detailing of our next approach, where we consider H (M|E), the entropy of M conditioned on the classical sideinformation E.

4.3 Entropy of Measured Data Conditioned on Classical Noise In order to evaluate H (M|E), we need to figure out the amount of correlation between M and E. As before, given the joint probability table between the measured data and the electronic noise, we can calculate the mutual information I (M : E). To obtain an upper bound for this, we assume that Eve has a continuous noise source to grant her infinite measurement precision I (M : E) =

 all bins(Ai )

 de P(M ∈ Ai , E = e) log2

P(M ∈ Ai , E = e) . (14) P(M ∈ Ai )P(E = e)

This quantity is plotted in Fig. 5a for various number of bins with an 15dB of SNR. It is bounded from above,   1 σ 2E I (M : E) ≤ log2 1 + 2 , (15) 2 σQ and approaches the bound as the number of measurement bins goes to infinity. For equal area binning of the measured data, the quantity H (M|E) is evaluated via the following relation: H (M|E) = n − I (M : E). (16)

96

J. Y. Haw et al.

(a)

(b)

(c)

Fig. 5 a The mutual information between the measured and the electronic noise I (M : E). Dashed line represent the upper bound at infinite binning limit. b The effective number of bits quantified by the conditional Shannon entropy H (M|E). c The ratio between I (M : E) and H (M|E) decreases as the binning increases. The SNR is 15 dB

We plot this in Fig. 5b. In contrary to what we see in the case of I (M : Q), as we have more binning, the effect of the electronic noise E is actually bounded rather than increasing. In this case, increasing the binning allow us to continuously increase the conditional Shannon entropy H (M|E). As shown in Fig. 5c, the ratio of I (M : E)/H (M|E) reduces by 5 times from a 1-bit to an 8-bit binning. For the case of infinite binning, we can adopt the use of differential entropy h(X ), which is an extension of the Shannon entropy for continuous variables (Sect. 3.2). In this case, we have h(M|E) = h(M) − I (M : E)

  1 σ 2E 1 2 = log2 (2πeσ M ) − log2 1 + 2 2 2 σQ =

1 log2 (2πeσ 2Q ) = h(Q), 2

(17)

where we see that h(M|E) is actually equal to the continuous Shannon entropy of the quantum signal Q alone. This is expected as h(M|E) = h(Q + E|E) = h(Q|E) =

Secure Random Number Generation in Continuous Variable Systems

97

h(Q) since we have assumed that the quantum noise and the classical noise are independent of each other. The variance σ 2Q is inferred by subtracting the σ 2E from σ 2M . Despite the advantage of being useful in utilising the binning methods, this quantification based on conditioning of measured data over classical noise seems to be overly generous. For example, in the case of finite binning, in Fig. 5b, 99.72% of 8 bits can be considered as the effective entropy independent of the eavesdropper. Ultimately, as the number of bits increases, the bits to be subtracted is bounded too. Also, we remind the reader that in Sect. 2, we have seen that the min-entropy is the appropriate candidate, instead of the Shannon counterpart.

4.4 Min-entropy of Quantum Contribution In [31], Ma et al. proposed a framework to obtain randomness that is independent of classical noise. By using min-entropy as the quantifier for randomness, similar to the previous case in Sect. 4.3, the quantum contribution of the randomness was obtained by inferring the signal-to-noise ratio. This method, though provides a more realistic description, calls for a more rigorous mathematical treatment. For example, the min-entropy version for Eq. (17) might not work here, i.e. the relation between Hmin (M|E) and Hmin (Q) is not immediate. Furthermore, as we will demonstrate in the Sect. 5, this approach misses the opportunity to maximise the randomness, since there are no other parameters (such as the bounding of the electronic noise and the choice of dynamical range) left to be optimised.

4.5 Conditional Min-entropy Given a random variable X potentially correlated with some other classical information K , the worst-case conditional min-entropy Hmin (X |K ) is defined as [46]  Hmin (X |K ) := − log2

max

 max PX |K (xi |k j ) ,

k j ∈supp(PK ) xi ∈X

(18)

where the support supp( f ) is the set of values xi such that f (xi ) > 0. It tells us the amount of (almost) uniform and independent random bits that one can extract from a biased random source, with respect to untrusted parameters. For the purpose of illustration, let us consider the two extreme cases: 1. I (X : K ) = 0, i.e. the random variable does not depend on the classical information K . In this case, we get PX |K (xi |k j ) = PX (xi ), and Hmin (X |K ) = Hmin (X ) (Eq. 2). 2. X = K , i.e. we are only detecting the untrusted classical information. In this case PX |K (xi |k j ) = δ(xi − k j ), and max PX |K (xi |k j ) = 1, hence Hmin (X |K ) = 0, implying that there is no randomness remaining to be extracted.

98

J. Y. Haw et al.

Applying this quantity in the case of randomness quantification of a QRNG, Eq. 18 takes the form of Hmin (Mdis |E), where Mdis is the discretized measured signal, and E is the classical noise. The worst-case conditional min-entropy is a very stringent quantifier for randomness since it grants the malicious party control over E. As we will demonstrate in Sect. 6.1, without a bound on the range of E, one cannot extract any secure randomness at all! More realistically, assuming a passive attack, one can estimate the average chance of successful eavesdropping with the average guessing probability of Mdis given E dis [12, 27, 43], Pguess (Mdis |E dis ) ⎡ ⎤  = ⎣ PEdis (e j ) max PMdis |Edis (m i |e j )⎦ ,

(19)

m i ∈Mdis

e j ∈E dis

which denotes the probability of correctly predicting the value of discretized measured signal Mdis using the optimal strategy, given access to discretized classical noise E dis . Here PEdis (e j ) is the discretized probability distribution of the classical noise. The extractable secure randomness from our device is then quantified by the average conditional min-entropy H¯ min (Mdis |E dis ) = − log2 Pguess (Mdis |E dis ).

(20)

4.6 Quantum Side-Information Analogous to classical side-information, a random variable X can also be correlated with another quantum system R. An observer with access to system R can, by measuring or performing quantum operations on R, gain knowledge about X . In this case, a generalisation of the conditional min-entropy to the quantum regime is warranted. Let us first understand how the joint state of X and R looks like. Since X is classical and R is quantum, such states are also known as cq-states: ρX R =



PX (x)|x x| ⊗ ρxR ,

(21)

x∈X

where one thinks of the classical value x ∈ X as encoded in mutually orthogonal states {|x }x∈X on a quantum system X . The conditional min-entropy of X given R is then defined as [57] Hmin (X |R) := max sup{λ : 2−λ I X ⊗ σ R − ρ X R ≥ 0; σ R ≥ 0, tr(σ R ) ≤ 1} . (22) σ R ∈H R

Secure Random Number Generation in Continuous Variable Systems

99

Here, I X is the identity matrix of the Hilbert space H X and the maximisation is performed over the reduced density matrix σ R of the subsystem R. Conditional minentropy tells us how much we know about X , inferred from measurements on R alone. It has been shown that this corresponds to the maximum probability of guessing X given system R [27], and therefore naturally generalises the classical conditional min-entropy defined above in Eq. (20).

4.7 Notes on the Leftover Hash Lemma From an information-theoretic standpoint, the most prominent advantage of universal hashing functions is that the randomness of the output guaranteed unconditionally by the leftover hash lemma (LHL). More specifically, LHL states that for any real-valued parameter ε > 0, if the output of a universal hashing function has length l ≤ t − 2 log2 (1/ε),

(23)

where t denotes the (conditional) min-entropy, then the output will be ε-close in terms of statistical distance to a perfectly uniform distribution [57]. Moreover, a universal hashing function constructs a strong extractor, where the output string is also independent of the seed of the function [3, 49].

4.8 Source and Device Independent Randomness The quantification of the entropy in the QRNG we discussed so far made the assumptions that the underlying quantum physical process and measurement device can be characterized and calibrated. This type of device falls under the category of practical QRNG, where effect from the unwanted classical (or quantum) noises can be isolated with appropriate modelling. In situation such as a black-box scenario, where the source and the measurement devices are unknown, it is hard to pinpoint whether the “QRNG” produces fresh random bits. The worst case would be the scenario where the device is merely a pseudo-random number generator in disguise, which could be correlated to the malicious provider. To prevent these scenarios, certifiable randomness based on a violation of fundamental inequalities has recently been proposed and demonstrated [9, 42, 43]. These self-testing devices do not rely on the assumption of a trusted device. For example, consider a device independent QRNG based on the violation of Bell correlations. Even if the output randomness is tainted with spurious noise, genuine randomness can be certified and bounded based on the measured correlations alone; it is thus independent from the internal structure of the generator [42]. However, achieving a high generation rate with such devices is experimentally challenging, since a large portion of the raw output has to be used for statistical analysis. Moreover, for the

100

J. Y. Haw et al.

generated randomness to be considered fully device-independent, all the loopholes in the experiments have to be addressed simultaneously too. And this milestone has only been checked off very recently with state-of-the-art devices [17, 21, 48]. As described in the block description of QRNG (Fig. 3), the entropy sources involve the quantum source and the measurement device. In a practical scenario, usually at least a part is fully characterized to the user. This opens up the possibility of an intermediate solution known as semi-self-testing. By making realistic assumptions on either the source or the measuring devices, a semi-self-testing QRNG offers a trade-off between the practical QRNGs and self-testing QRNGs. The key idea is that by using some initial randomness, the measurement basis or the quantum state can be chosen according to some random variables, in order to bound the effect of untrusted parties. We refer our reader to [28, 32] for a more detailed exposition of these regimes. In particular, Ref. [28] examines the amount of randomness extractable under various levels of characterisation of the device and power given to the adversary.

5 Continuous Variable QRNG In this section, we apply the method described in Sect. 4.5 to quantify the randomness in a continuous variable (CV) QRNG.

5.1 Homodyne Detection of a Vacuum State Following the previous work in [56], our source of randomness is the based on the CV homodyne measurement of a vacuum state. Due to the non-zero ground state energy of a vacuum state, it exhibits dynamical quantum fluctuations in the electromagnetic field. These quantum vacuum fluctuations lead to uncertainty in both the amplitude ˆ quadratures of the vacuum state, whereby the quantum entropy is ( Xˆ ) and phase ( P) harnessed. The projection of the Wigner function, or the distribution of the amplitude quadrature of the vacuum state Xˆ vac , follows a Gaussian random distribution.

Fig. 6 A self-homodye detection system

Secure Random Number Generation in Continuous Variable Systems

101

We now describe briefly the how this quadrature is probed via a homodyne detector. The scheme of a balanced homodyne detector is illustrated in Fig. 6. The vacuum mode is first mixed with a classical field on a 50/50 beam splitter. The output modes are then detected by a pair of identical photodetector. Lastly, the generated photocurrents are subtracted, giving an output proportional to the field amplitude quadrature. This setup is also termed as self-homodyning since one of the input ports is empty. Qualitatively, the detection process of a vacuum state can be described by the bosonic mode operators. The output modes after the 50/50 beam-splitter, aˆ 1,2 are 1 aˆ 1 = √ (aˆ LO + aˆ vac ), 2 1 aˆ 2 = √ (aˆ LO − aˆ vac ). 2

(24)

Here, aˆ LO denotes the classical field, which acts as the local oscillator and aˆ vac is the vacuum mode. The photocurrents detected at the output modes are proportional to the photon numbers † aˆ 1,2 i 1,2 ∝ nˆ 1,2 = aˆ 1,2 1 † † † ˆ † = (aˆ LO aˆ LO + aˆ vac aˆ vac ± aˆ LO aˆ vac ). b ± aˆ LO 2

(25)

Finally, the difference of the photocurrents are given by i − ∝ nˆ 1 − nˆ 2

† † = aˆ LO aˆ vac + aˆ vac aˆ LO

† = αLO aˆ vac + aˆ vac

= αLO  Xˆ vac .

(26)

Here we have used the assumption that the local oscillator field can be classically † can thus be treated as aˆ LO = αLO .4 The amplitude quadrature, Xˆ vac = aˆ vac + aˆ vac probed with a magnification factor proportional to αLO . There are several distinct advantages of this approach. First, the quantum entropy source, the vacuum state, is readily available over the electromagnetic spectrum. This in turn allows high speed generation of the random numbers with wide-band detectors. Secondly, a balanced homodyne detection cancels the excess classical noise on the local oscillator, thus making the detection setup more robust over external influences [16].

4 Since the phase between the local oscillator and the vacuum field is arbitrary, it is therefore

set as 0.

102

J. Y. Haw et al.

5.2 Characterization of Noise and Measurement We first discuss the model for our CV-QRNG. A homodyne measurement of the vacuum state gives Q, the quadrature values of the vacuum state. It has a probability density function (PDF) p Q which is Gaussian and centred at zero with variance σ 2Q . In practice, these quadrature values cannot be measured in complete isolation from sources of classical noise E. The measured signal M is then M = Q + E. Denoting the PDF of the classical noise as p E , the resulting measurement PDF, p M is then a convolution of p Q and p E . Assuming that the classical noise follows a Gaussian distribution centred at zero and with variance σ 2E , the measurement PDF is p M (m) = √

1 2πσ M



m2 exp − 2 , 2σ M

(27)

for m ∈ M where the measurement variance σ 2M = σ 2Q + σ 2E . The ratio between the variances of the quantum noise and the classical noise defines the quantumto-classical-noise ratio (QCNR), i.e. QCNR = 10 log10 (σ 2Q /σ 2E ). We note that this characterization is necessary to bound the limit of the eavesdropper’s influence. The sampling is performed over an n-bit analog-to-digital converter (ADC) with dynamical range [−R + δ/2, R − 3δ/2]. Upon measurement, the sampled signal is discretized over 2n bins with bin width δ = R/2n−1 . The range is chosen such that the central bin is centered at zero. The resulting probability distribution of discretized signal Mdis reads PMdis (m i ) ⎧ −R+δ/2 p M (m)dm, i = i min , ⎪ ⎨−∞ m i +δ/2 = i min < i < i max , m i −δ/2 p M (m)dm, ⎪ ⎩ ∞ p (m)dm, i = i max , R−3δ/2 M

(28)

as shown in Fig. 7 and m i = δ × i, where the i are integers ∈ {−2n−1 , ..., 2n−1 − 1}. The two extreme cases i = i min and i = i max are introduced to model the saturation on the first and last bins of an ADC with finite input range. In other words, all the input signals outside [−R + δ/2, R − 3δ/2] will be accumulated at the end bins. Figure 8 shows the discretized distribution PMdis (m i ) with different R. We see that an appropriate choice of dynamical ADC range for a given QCNR and digitization resolution n is crucial, since overestimating or underestimating the range will either lead to excessive unused bins or unnecessary saturation at the edges of the bins [41]. Too much unused bins bypass the possibility of higher entropy rate, while saturated bins will cause the measurement outcome to become more predictable. However, in designing a secure CV-QRNG, R should not be naively optimized over the measured distribution PMdis (m i ) but over the distribution conditioned on the classical noise. The conditional PDF between the measured signal M and the classical noise E, p M|E (m|e) is given by

Secure Random Number Generation in Continuous Variable Systems

103

Fig. 7 Model of the n-bit ADC, with analog input in the ADC dynamical range [−R + δ/2, R − 3δ/2] and bin width δ = R/2n−1 . Adapted from Ref. [20]

(a)

(b)

(c)

Fig. 8 Numerical simulations for the measured distribution probabilities PMdis (m i ) versus quadrature values, with different dynamical ADC range parameters R = a 5, b 2 and c 8. Without optimization, one will have either an oversaturated or unoccupied ADC bins, which will compromise both the rate and the security of the random-number generation. The parameters used are n = 8 and QCNR = 10 dB. From Ref. [20]

  (m − e)2 exp − p M|E (m|e) =  2(σ 2M − σ 2E ) 2π(σ 2M − σ 2E )   (m − e)2 1 exp − = √ . 2σ 2Q 2πσ Q 1

(29)

This is the PDF of the quantum signal shifted by the classical noise outcome e. By setting σ 2Q = 1, we normalize all the relevant quantities by the quantum noise. From Eq. (28), the discretized conditional probability distribution is, thus, PMdis |E (m i |e) ⎧ −R+δ/2 p M|E (m|e)dm, i = i min , ⎪ ⎨−∞ m i +δ/2 = p i min < i < i max , M|E (m|e)dm, m i −δ/2 ⎪ ⎩ ∞ i = i max . R−3δ/2 p M|E (m|e)dm,

(30)

With these, we are now ready to discuss how R should be chosen under two different definitions of (conditional) min-entropy discussed in Sect. 4.5, namely worst-case min-entropy and average min-entropy.

104

J. Y. Haw et al.

6 Maximising the Conditional Min-entropy 6.1 Worst-Case Min-entropy In the case of Gaussian distributions, the support of the probability distribution will be R. Following Eq. (30), upon discretization of the measured signal M, the worst-case min-entropy conditioned on classical noise E is   Hmin (Mdis |E) = − log2 max max PMdis |E (m i |e) . e∈R m i ∈Mdis

(31)

Here we assumed that from the eavesdropper’s perspective, the classical noise is known fully with arbitrary precision. Performing the integration in Eq. (30), the maximization over Mdis in Eq. (31) becomes max PMdis |E (m i |e) ⎧    e+R−δ/2 1 ⎪ √ 1 − erf , ⎪ ⎪ 2 ⎨2  = max erf 2√δ 2 , ⎪    ⎪ ⎪ ⎩ 1 erf e−R+3δ/2 √ + 1 , 2 2 m i ∈Mdis

(32)

√ x 2 where erf(x) = 2/ π 0 e−t dt is the error function. We note that we have maxe∈R maxm i ∈Mdis PMdis |E (m i |e) = 1, achieved when e → −∞ or e → ∞. This results in Hmin (Mdis |E) = 0 [see inset of Fig. 9a]. Indeed it is intuitive to see that in the case where the classical noise e takes on an extremely large positive value, the outcome of Mdis is almost certain to be m imax with large probability. Hence if an eavesdropper has completely full control over the values of side-information E, no randomness can be extracted [28]. One way to handle this situation is through randomized calibration of the untrusted noise to determine the variance σ E .5 With this calibration, one can then bound the maximum excursion of e, for example −5σ E ≤ e ≤ 5σ E , which is valid for 99.9999% of the time. With this bound on the classical noise, we now have max PMdis |E (m i |e) ⎧    1 ⎪ √ 1 − erf emin +R−δ/2 , ⎪ ⎪ 2 2 ⎨  = max erf 2√δ 2 , ⎪    ⎪ ⎪ ⎩ 1 erf emax −R+3δ/2 √ +1 , 2 2 max

e∈[emin ,emax ] m i ∈Mdis

5 This

(33)

can be done through an initial private random sequence, followed by recycling part of the generated random bits from the QRNG.

Secure Random Number Generation in Continuous Variable Systems

(a)

105

(b)

Fig. 9 Numerical simulations of: a conditional probability distributions PMdis |E (m i |e), with e = {−10σ E , 0, 10σ E } (from left to right) and R = 5. Without optimizing R, when e = ±10σ E , saturations in the first and last bins affect the maximum of the conditional probability distribution. Inset: PMdis |E (m i |e), with e = {−100σ E , 0, 100σ E } (from left to right). Unbounded classical noise will lead to zero randomness due to the oversaturation of dynamical ADC. b Optimized PMdis |E (m i |e), with e = {−10σ E , 0, 10σ E } (from left to right). From Eq. (35), the optimal R is chosen to be 5.35. The parameters are n = 8, QCNR = 10 dB. Dashed lines indicate m i = ±10σ E . From Ref. [20]

and when emin = emax ,  Hmin (Mdis |E) = − log2

   

 1 δ emax − R + 3δ/2 max + 1 ; erf √ erf , √ 2 2 2 2 (34)

which can be optimized by choosing R such that  

  δ emax − R + 3δ/2 1 + 1 = erf √ . erf √ 2 2 2 2

(35)

This optimized worst-case min-entropy Hmin (Mdis |E) is directly related to the extractable secure bits that are independent of the classical noise. As shown in Fig. 9a, when Eq. (34) is not optimized with respect to R, the saturation in the first (last) bin for emin/max = ±10σ E becomes the peaks of the conditional probability distribution, hence compromising the attainable min-entropy. By choosing the optimal value for R via Eq. (35), as depicted in Fig. 9b, the peaks at the first and last bins will always be lower than or equal to the probability within the dynamical range. Thus, by allowing the dynamical ADC range to be chosen freely, one can obtain the lowest possible conditional probability distribution, and hence produce the highest possible amount of secure random bits per sample for a given QCNR and n-bit ADC. In Fig. 10a, we show the extractable secure random bits for different digitization n under the confidence interval of 5σ E ≤ |e| ≤ 20σ E . At the high QCNR regime, the classical noise contribution does not compromise the extractable bits too much. As the classical noise gets more and more comparable to the quantum noise, although more bits have to be discarded, one can still extract a decent amount of secure random bits.

106

(a)

J. Y. Haw et al.

(b)

Fig. 10 a Optimized Hmin (Mdis |E) and b normalized Hmin (Mdis |E) as a function of QCNR for different n-bit ADCs. Shaded areas: 5σ E ≤ |e| ≤ 20σ E . The extractable bits are robust against the excursion of the classical noise, especially when the QCNR is large. A non-zero amount of secure randomness is extractable even when the classical noise is larger than the quantum noise. The extractable secure randomness per bit increases as the digitization resolution n is increased. From Ref. [20]

Fig. 11 Normalized worst-case conditional min-entropy Hmin (Mdis |E) as a function of n-bit ADC for different QCNR values with |e| ≤ 5σ E . The interplay between the QCNR and digitization resolution n is shown, where one can improve the rate of secure randomness per bit either by improving the QCNR or increasing n. Inset: Zoom in for Hmin (Mdis |E)/n ≥ 0.85 (dashed line). Even when the classical noise is more dominating compared to the quantum noise (QCNR = −3 dB), 85 % of the randomness per bit can be recovered by having at least approximately 22 bits of digitization. From Ref. [20]

More surprisingly, even if the QCNR goes below 0, that is, classical noise becomes larger than quantum noise, in principle, one can still obtain a nonzero amount of random bits that are independent of classical noise. From Fig. 10b, we notice the extractable secure randomness per bit increases as we increase the digitization resolution n. This interplay between the digitization resolution n and QCNR is further explored in Fig. 11, where normalized Hmin (Mdis |E) is plotted against n for several values of QCNR. We can see that for higher ratios of quantum-to-classical-noise,

Secure Random Number Generation in Continuous Variable Systems

107

a lesser amount of digitization resolution is required to achieve a certain value of secure randomness per bit. In other words, even if QCNR cannot be improved further, one can achieve a higher ratio of secure randomness per bit simply by increasing n.

6.2 Average Conditional Min-entropy As described in Sect. 6.1, without a bound on the range of classical noise, one cannot extract any secure randomness. Relaxing the assumption of control over the classical noise, we can minimize the sensitivity of our quantifier to very unlikely scenario and quantify the extractable secure randomness from our device by the average conditional min-entropy H¯ min (Mdis |E dis ) = − log2 Pguess (Mdis |E dis ).

(36)

where Pguess (Mdis |E dis ) is defined in Eq. 19. Here, we again assume that the eavesdropper can measure the full spectrum of the classical noise, with arbitrary precision. This gives the eavesdropper maximum power, including an infinite ADC range Re → ∞ and infinitely small binning δe → 0. As detailed in Ref. [20], under these limits, Pguess (Mdis |E dis ) in Eq. (36) takes the form of lim Pguess (Mdis |E dis )

δe →0

= Pguess (Mdis |E)   ∞ p E (e) max PMdis |E (m i |e)de . = −∞

(37)

m i ∈Mdis

Together with Eq. (32), we finally arrive at Pguess (Mdis |E)   ∞ p E (e) max PMdis |E (m i |e)de = m i ∈Mdis −∞ 

 e1 

e + R − δ/2 1 de Pe (e) 1 − erf = √ 2 −∞ 2   

 e2 e1 δ + erf √ − erf √ erf √ 2σ E 2σ E 2 2      ∞ e − R + 3δ/2 + 1 de , + Pe (e) erf √ 2 e2

(38)

where e1 and e2 are chosen to satisfy the maximization upon Mdis for a given R. The optimal R is then determined numerically. The optimized result for the average

108

J. Y. Haw et al.

Table 1 Optimized H¯ min (Mdis |E) (and R) for 8and 16-bit ADCs. From Ref. [20]

QCNR (dB)

n=8

n = 16

∞ 20 10 0 −∞

7.03 (2.45) 6.93 (2.59) 6.72 (2.93) 6.11 (4.33) 0

14.36 (3.90) 14.28 (4.09) 14.11 (4.55) 13.57 (6.48) 0

min-entropy H¯ min (Mdis |E) with the corresponding dynamical ADC range R is depicted in Table 1. Similar to the worst-case min-entropy scenario in Sect. 6.1, one can still obtain a significant amount of random bits even if the classical noise is comparable to quantum noise. On the contrary, a conventional unoptimized QNRG requires high operating QCNR to access the high-bitrate regime. When QCNR → ∞, the measured signal does not depend on the classical noise and the result coincides with that of the worst-case conditional min-entropy. In fact, the worst-case conditional min-entropy (Eq. (31)) is the lower bound for the average conditional min-entropy (Eq. (36)). In the absence of side-information E, both entropies will reduce to the usual min-entropy Eq. (2) [43]. Compared to the worst-case min-entropy, the average conditional min-entropy is more robust against degradation of QCNR; hence, it allows one to extract more secure random bits for a given QCNR.

6.3 Experimental Implementation We implement the method described in Sect. 6 to the CV-QRNG described in Ref. [20]. The schematic of the CV-QRNG is depicted in Fig. 12. After the homodyne detection of the vacuum noise (Sect. 5.1), the electronic output is split and mixed down at 1.375 and 1.625 GHz to suppress the effect of technical noise. Electronic filters are used to minimize the correlation between the sampling points. The average QCNR clearances for two measurement channels of our CV-QRNG in Ref. [20] are 13.52 and 13.32 dB, respectively. Taking into account the intrinsic dc offsets,6 the worst-case conditional min-entropies are 13.76 bits (channel 1) and 13.75 bits (channel 2), while the average conditional min-entropies are 14.19 bits for both channels. Here, assuming that the classical noise is free from manipulation, yet untrusted, we evaluate our entropy with average conditional min-entropy and set R as 4.32σ Q according to Eq. (38). Secure randomness can be extracted from the raw data based on this quantification with informational-theoretic extractor [49], such as the Toeplitz extractor [31] and the Trevisan extractor [11]. These functions act to recombine bits within a sample according to a randomly chosen seed, and map them to truncated, almost uniform random strings.

6 The

generalization to account for the offset is detailed in Ref. [20].

Secure Random Number Generation in Continuous Variable Systems

109

Fig. 12 Experimental setup of the CV-QRNG

7 Summary and Outlook In this chapter, we provide a survey on the randomness quantification taking into account potentially untrusted side information. We propose a generic framework based on the conditional min-entropy, allowing the user to obtain secure randomnumber generation independent of the classical side information. By treating the dynamical ADC range as a free parameter, we show that QCNR is not the sole decisive factor in generating secure random bits. Interestingly, by further optimizing the dynamical range via the conditional min-entropy, one can still extract a nonzero amount of secure randomness under a low QCNR regime. Finally, we apply these observations to analyze the amount of randomness produced by our CV-QRNG setup. Going beyond the scope of this chapter, several comments on recent and future developments are in order. First, to ensure the quantum origin of the entropy source, a conservative and rigorous approach was performed in [40], where the experimental imperfections and potential errors are analysed in a paranoid fashion by assuming the worst case behavior for the untrusted variable. Related work in [19] calls for an examination of the physical limits of optical QRNGs, in particular, an explicit consideration of the measurement and digitization process via dedicated entropy estimate. For CV-QRNGs based on quadrature measurement, there are ongoing efforts in relaxing the assumptions of the input state, for example the entropy quantification based on entropic-uncertainty principle [33] and using trusted thermal state from broadband amplified spontaneous emission [44]. Since the approach proposed in [33] captures quantum side-information and offers real-time secure entropy monitoring, it can be useful in self-testing scenario [30], where CV quantum states other than pure vacuum state, such as squeezed states, may serve as the entropy source [39].

110

J. Y. Haw et al.

References 1. Abellán, C., Amaya, W., Jofre, M., Curty, M., Acín, A., Capmany, J., et al. (2014). Ultra-fast quantum randomness generation by accelerated phase diffusion in a pulsed laser diode. Optics Express, 22(2), 1645–1654. 2. Abellán, C., Amaya, W., Mitrani, D., Pruneri, V., & Mitchell, M. W. (2015). Generation of fresh and pure random numbers for loophole-free bell tests. Physical Review Letters, 115(25), 250403. 3. Barak, B., Shaltiel, R., & Tromer, E. (2003). True random number generators secure in a changing environment (pp. 166–180) 4. Barker, E., & Kelsey, J. (2012). Recommendation for the entropy sources used for random bit generation. NIST DRAFT Special Publication 800-90B 5. Bera, M. N., Acín, A., Ku´s, M., Mitchell, M. W., & Lewenstein, M. (2017). Randomness in quantum mechanics: Philosophy, physics and technology. Reports on Progress in Physics, 80(12), 124001. 6. Born, M. (1926). Quantenmechanik der stoßvorgänge. Zeitschrift für Physik, 38(11–12), 803– 827. 7. Bustard, P. J., England, D. G., Nunn, J., Moffatt, D., Spanner, M., Lausten, R., et al. (2013). Quantum random bit generation using energy fluctuations in stimulated raman scattering. Optics Express, 21(24), 29350–29357. 8. Calude, C. S., Dinneen, M. J., Dumitrescu, M., & Svozil, K. (2010). Experimental evidence of quantum randomness incomputability. Physical Review A, 82(2), 022102. 9. Christensen, B., McCusker, K., Altepeter, J., Calkins, B., Gerrits, T., Lita, A., et al. (2013). Detection-loophole-free test of quantum nonlocality, and applications. Physical Review Letters, 111(13), 130406. 10. Cover, T. M., & Thomas, J. A. (2012). Elements of information theory. Wiley. 11. De, A., Portmann, C., Vidick, T., & Renner, R. (2012). Trevisan’s extractor in the presence of quantum side information. SIAM Journal on Computing, 41(4), 915–940. 12. Dodis, Y., Ostrovsky, R., Reyzin, L., & Smith, A. (2008). Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1), 97–139. 13. Dynes, J. F., Yuan, Z. L., Sharpe, A. W., & Shields, A. J. (2008). A high speed, postprocessing free, quantum random number generator. Applied Physics Letters, 93(3), 031109. 14. Fiorentino, M., Santori, C., Spillane, S., Beausoleil, R., & Munro, W. (2007). Secure selfcalibrating quantum random-bit generator. Physical Review A, 75(3), 032334. 15. Frauchiger, D., Renner, R., & Troyer, M. (2013). True randomness from realistic quantum devices. arXiv:1311.4547 16. Gabriel, C., Wittmann, C., Sych, D., Dong, R., Mauerer, W., Andersen, U. L., et al. (2010). A generator for unique quantum random numbers based on vacuum states. Nature Photonics, 4(10), 711–715. 17. Giustina, M., Versteegh, M. A., Wengerowsky, S., Handsteiner, J., Hochrainer, A., Phelan, K., et al. (2015). Significant-loophole-free test of bell’s theorem with entangled photons. Physical Review Letters, 115(25), 250401. 18. Guo, H., Tang, W., Liu, Y., & Wei, W. (2010). Truly random number generation based on measurement of phase noise of a laser. Physical Review E, 81(5), 051137. 19. Hart, J. D., Terashima, Y., Uchida, A., Baumgartner, G. B., Murphy, T. E., & Roy, R. (2017). Recommendations and illustrations for the evaluation of photonic random number generators. APL Photonics, 2(9), 090901. 20. Haw, J. Y., Assad, S. M., Lance, A. M., Ng, N. H. Y., Sharma, V., Lam, P. K., et al. (2015). Maximization of extractable randomness in a quantum random-number generator. Physical Review Applied, 3, 054004. 21. Hensen, B., Bernien, H., Dréau, A. E., Reiserer, A., Kalb, N., Blok, M. S., et al. (2015). Loophole-free Bell inequality violation using electron spins separated by 1.3 km. Nature, 526(7575), 682–686

Secure Random Number Generation in Continuous Variable Systems

111

22. Isida, M., & Ikeda, H. (1956). Random number generator. Annals of the Institute of Statistical Mathematics, 8(1), 119–126. 23. Jennewein, T., Achleitner, U., Weihs, G., Weinfurter, H., & Zeilinger, A. (2000). A fast and compact quantum random number generator. Review of Scientific Instruments, 71(4), 1675– 1680. 24. Kanter, I., Aviad, Y., Reidler, I., Cohen, E., & Rosenbluh, M. (2010). An optical ultrafast random bit generator. Nature Photonics, 4(1), 58–61. 25. Kinzel, W., & Reents, G. (1996). Physik per computer. Spektrum Akademischer Verlag, Heidelberg, 22, 33–35. 26. Kolmogorov, A. N. (1963). On tables of random numbers. Sankhy¯a: The Indian Journal of Statistics, Series A, 369–376 27. Konig, R., Renner, R., & Schaffner, C. (2009). The operational meaning of min-and maxentropy. IEEE Transactions on Information Theory, 55(9), 4337–4347. 28. Law, Y. Z., Bancal, J. D., Scarani, V., et al. (2014). Quantum randomness extraction for various levels of characterization of the devices. Journal of Physics A: Mathematical and Theoretical, 47(42), 424028. 29. Liu, Y., Zhu, M., Luo, B., Zhang, J., & Guo, H. (2013). Implementation of 1.6 Tb s−1 truly random number generation based on a super-luminescent emitting diode. Laser Physics Letters, 10(4), 045001 30. Lunghi, T., Brask, J. B., Lim, C. C. W., Lavigne, Q., Bowles, J., Martin, A., et al. (2015). Self-testing quantum random number generator. Physical Review Letters, 114(15), 150501. 31. Ma, X., Xu, F., Xu, H., Tan, X., Qi, B., & Lo, H. K. (2013). Postprocessing for quantum random-number generators: Entropy evaluation and randomness extraction. Physical Review A, 87(6). 32. Ma, X., Yuan, X., Cao, Z., Qi, B., & Zhang, Z. (2016). Quantum random number generation. npj Quantum Information, 2, 16021 33. Marangon, D. G., Vallone, G., & Villoresi, P. (2017). Source-device-independent ultrafast quantum random number generation. Physical Review Letters, 118(6), 060503. 34. Marangon, D., Vallone, G., & Villoresi, P. (2014). Random bits, true and unbiased, from atmospheric turbulence. Scientific Reports, 4, 5490. 35. Marsaglia, G. (1968). Random numbers fall mainly in the planes. Proceedings of the National Academy of Sciences, 61(1), 25–28. 36. Marsaglia, G. (1998). Diehard test suite 37. Martin-Löf, P. (1966). The definition of random sequences. Information and Control, 9(6), 602–619. 38. Mauerer, W., Portmann, C., & Scholz, V. B. (2012). A modular framework for randomness extraction based on trevisan’s construction. arXiv:1212.0520 39. Michel, T., Haw, J. Y., Marangon, D. G., Thearle, O., Vallone, G., Villoresi, P., et al. (2019). Physical Review Applied, 12, 034017 40. Mitchell, M. W., Abellan, C., & Amaya, W. (2015). Strong experimental guarantees in ultrafast quantum random number generation. Physical Review A, 91(1), 012314. 41. Oliver, N., Soriano, M. C., Sukow, D. W., & Fischer, I. (2013). Fast random bit generation using a chaotic laser: Approaching the information theoretic limit. IEEE Journal of Quantum Electronics, 49(11), 910–918. 42. Pironio, S., Acín, A., Massar, S., de La Giroday, A. B., Matsukevich, D. N., Maunz, P., et al. (2010). Random numbers certified by bell’s theorem. Nature, 464(7291), 1021–1024. 43. Pironio, S., & Massar, S. (2013). Security of practical private randomness generation. Physical Review A, 87(1), 012336. 44. Qi, B. (2017). True randomness from an incoherent source. Review of Scientific Instruments, 88(11), 113101. 45. Qi, B., Chi, Y. M., Lo, H. K., & Qian, L. (2010). High-speed quantum random number generation by measuring phase noise of a single-mode laser. Optics Letters, 35(3), 312–314. 46. Renner, R. (2008). Security of quantum key distribution. International Journal of Quantum Information, 6(01), 1–127.

112

J. Y. Haw et al.

47. Sanguinetti, B., Martin, A., Zbinden, H., & Gisin, N. (2014). Quantum random number generation on a mobile phone. Physical Review X, 4, 031056. 48. Shalm, L. K., Meyer-Scott, E., Christensen, B. G., Bierhorst, P., Wayne, M. A., Stevens, M. J., et al. (2015). Strong loophole-free test of local realism. Physical Review Letters, 115(25), 250402. 49. Shaltiel, R. (2002). Recent developments in explicit constructions of extractors. Bulletin of the EATCS, 77, 67–95. 50. Shannon, C. E. (1948). A mathematical theory of communication. The Bell System Technical Journal, 27(3), 379–423. 51. Shen, Y., Tian, L., & Zou, H. (2010). Practical quantum random number generator based on measuring the shot noise of vacuum states. Physical Review A, 81(6), 063814. 52. Stipcevic, M. (2012). Quantum random number generators and their applications in cryptography. In SPIE Defense, Security, and Sensing (p. 837504). International Society for Optics and Photonics 53. Stipˇcevi´c, M., & Rogina, B. M. (2007). Quantum random number generator based on photonic emission in semiconductors. Review of Scientific Instruments, 78(4), 045104. 54. Sunar, B., Martin, W. J., & Stinson, D. R. (2007). A provably secure true random number generator with built-in tolerance to active attacks. IEEE Transactions on Computers, 56(1), 109–119. 55. Svozil, K. (2009). Three criteria for quantum random-number generators based on beam splitters. Physical Review A, 79(5), 054306. 56. Symul, T., Assad, S., & Lam, P. K. (2011). Real time demonstration of high bitrate quantum random number generation with coherent laser light. Applied Physics Letters, 98(23), 231103. 57. Tomamichel, M., Schaffner, C., Smith, A., & Renner, R. (2011). Leftover hashing against quantum side information. IEEE Transactions on Information Theory, 57(8), 5524–5535. 58. Uchida, A., Amano, K., Inoue, M., Hirano, K., Naito, S., Someya, H., et al. (2008). Fast physical random bit generation with chaotic semiconductor lasers. Nature Photonics, 2(12), 728–732. 59. Vallone, G., Marangon, D. G., Tomasin, M., & Villoresi, P. (2014). Quantum randomness certified by the uncertainty principle. Physical Review A, 90(5), 052327. 60. Wahl, M., Leifgen, M., Berlin, M., Röhlicke, T., Rahn, H. J., & Benson, O. (2011). An ultrafast quantum random number generator with provably bounded output bias based on photon arrival time measurements. Applied Physics Letters, 98(17), 171105. 61. Wayne, M. A., & Kwiat, P. G. (2010). Low-bias high-speed quantum random number generator via shaped optical pulses. Optics Express, 18(9), 9351–9357. 62. Williams, C. R., Salevan, J. C., Li, X., Roy, R., & Murphy, T. E. (2010). Fast physical random number generator using amplified spontaneous emission. Optics Express, 18(23), 23584– 23597. 63. Xu, F., Qi, B., Ma, X., Xu, H., Zheng, H., & Lo, H. K. (2012). Ultrafast quantum random number generation based on quantum phase fluctuations. Optics Express, 20(11), 12366–12377. 64. Xu, P., Wong, Y., Horiuchi, T., & Abshire, P. (2006). Compact floating-gate true random number generator. Electronics Letters, 42(23), 1346–1347.

Trusted Quantum Back Bone Leveraging Secure Communication Benjamin Rainer

and Oliver Maurhart

1 Motivation This chapter discusses the different use-cases of a trusted Quantum Back Bone (QBB) and their advantages, disadvantages and open problems. Furthermore, we try to provide insights why a QBB may also use PRNGs, seeded using quantum based random numbers, to increase the key bit generation rate. RNGs and there empirical “goodness” have been extensively discussed in the Chapters before. In detail, we will discuss how a trusted Quantum Back Bone (QBB) is used to obtain key material for providing secure communication over highly hostile networks, such as the Internet. The discussion in this chapter builds on top of the actions ongoing in the European Telecommunication Standardization Institute (ETSI) which has recently picked up the standardization of Quantum Key Distribution (QKD) within the standardization initiative ISG-QKD [1]. Even more recent activities revolve around the protocols for making use of the QBB (and the Quantum Key Distribution) and where these protocols reside within the ISO/OSI model. We will provide an outlook where one could see these protocols and what functionality one shall expect of them with respect to the ISO/OSI model [2]. We will discuss the issue of using quantum key material for providing information theoretic security for end-to-end communication. There are different approaches for providing secure end-to-end communication, namely, service-wise or infrastructurewise. Both approaches assume that security considerations of the connection to the trusted QBB over which each AS or client receives the requested key are out of scope and is considered as sufficiently secure. However, the utter goal is to provide information theoretic secure end-to-end communication using a trusted QBB.

B. Rainer · O. Maurhart (B) AIT Austrian Institute of Technology GmbH, Center for Digital Safety & Security, Lakesidepark B10A, 9020 Klagenfurt, Austria e-mail: [email protected] © Springer Nature Switzerland AG 2020 C. Kollmitzer et al. (eds.), Quantum Random Number Generation, Quantum Science and Technology, https://doi.org/10.1007/978-3-319-72596-3_7

113

114

B. Rainer and O. Maurhart

2 End-to-End Security via QBB Beforehand we have to make some assumptions and clarify them. In the use cases presented here we assume symmetric encryption for providing end-to-end security between two (or more) autonomous systems or clients. The best case would be to have a One-Time-Pad (OTP). However, this is impractical when solely relying on QRNGs because the key generation rate may not suffice. We will discuss possibilities how sufficient high generation rates may be achieved using PRNGs. Relying on encryption schemes like the Advanced Encryption Scheme (AES) [3] degrade security to the security of the used encryption scheme. The used key for encrypting data is provided by and through the QBB for both ends. As already mentioned we assume that the connection between the AS and the QBB is secure and cannot be compromised. We further assume that the QBB is trusted and no adversary can gain access to the optical repeaters or other components of the QBB. Other components, which reside for example in the autonomous systems connected to the QBB are completely open to adversaries and, therefore, they are seen as highly hostile to attacks. End-to-end security can be seen from different viewpoints, namely, from a service point of view and from an infrastructure point of view. We will discuss both approaches in the following sections. For the sake of simplicity we assume that a key synchronization protocol is in place and that encryption keys used by Alice and Bob are synchronized.

2.1 Service Oriented End-to-End Security End-to-end security for services used in two different autonomous systems is obtained by securing the transport between those two entities, here Alice and Bob (cf. Fig. 1). Figure 1 depicts our use-case with the trusted QBB and the other hostile components. The Quantum Back Bone Service Point (QBBSP) is the egress/ingress point to the QBB and trusted parties only communicate with them in order to obtain key material. The goal is to establish a secure end-to-end communication channel between Alice and Bob for a specific service or application. From an OSI/ISO model point of view the best option to achieve this is to introduce the encryption on the session layer (layer six of the ISO/OSI model). Introducing a quantum based encryption scheme at the session layer allows securing the transport on a session/service basis. Thus having the advantage that the encryption scheme isn’t coupled to any transport or network protocol, e.g., the Internet Protocol Security (IPSec) which has been subject to various studies in [4–6], but that we can make use of the service-specific information. Mink et al. [7] introduced quantum cryptography for TLS and discussed the necessary changes which shall be made to the handshake of TLS. However, they also discussed the potential problems which arise when using quantum cryptography. The prevalent problem is the generation rate of key material for the OTP because the communicating entities have to

Trusted Quantum Back Bone Leveraging Secure Communication

115

Internet

Secure Communication Channel AS

AS

End-To-End Communication Alice

Bob

QBBSP

Trusted QBB

QBBSP

Fig. 1 Service oriented secure end-to-end communication using the trusted QBB. Both end points (Alica and Bob) retrieve an encryption keys via the QBB securing their communication over hostile networks by symmetric encryption

agree on how to treat the lack of enough key material. Thus, they have to agree on one of the following options: 1. close the connection and establish a new connection once more key material is available, 2. hold the connection and wait until enough key material is available or, 3. fall back on conventional cryptographic algorithms. Another problem that arises from key bit generation rates below the data stream bit rate generated by the services/applications is the resource allocation of the highly valuable resource, the quantum key bits. Thus, the question arises to which of the applications/services does the session layer encryption assigns how many key bits? Finding a possible answer to this question is not a trivial task. One has to consider that an assignment at one entity has an impact on all entities involved in this specific service. The in-dependency of any network and transport protocol and flexibility of accounting services/applications separately introduces even more problems. The biggest challenge is to synchronize all entities involved in a service such that all entities use the same key bits (provided by the quantum key pool [8]) for the same service without having overlaps in the used key bits. Furthermore, even if there is enough key material available in the QKP, other services may suffer from

116

B. Rainer and O. Maurhart

down-times when another service is acquiring key material for encrypting its data stream because we have to lock the QKP for duration of acquiring the needed key material. Therefore, a mechanism for parallelizing the key acquisition is highly desired. Let us illustrate those issues by an example. Assume two hosts Alice and Bob, with a QBB setup such as depicted in Fig. 1, Alice has three services (a, b, c) running two in common with Bob and Bob also runs three services (a, b, d) which shall be protected by quantum cryptography. We further assume that the keys obtained by the QBB via QKD are synchronized and are available at every host within the quantum key pool. As a result, we have two services that use the same QKP service (a) and (b). Thus, we have a n-to-one relation of services to QKPs. If both services want to send data, the encryption mechanism located on the session layer has to acquire enough key material for securing their data streams. However, we have only a single QKP and, therefore, for the duration of acquiring key material the QKP will be locked. This will postpone the encryption process of the other service and, therefore, may introduce unwanted delay. Or, there is enough key material for service (b) but service (a) is locking the QKP and still waiting for even more key material instead of letting service (b) sending its data using the available key material. The example illustrates three issues. First, the need for logical quantum key pools (LQKP). Second, preemption and the resource allocation of services on their shared logical quantum key pool. Third, the topology of the QBB(s) which is crucial for the instantiation of quantum key pool(s) and, therefore, for the dynamic creation of logical quantum key pools. Figure 2 depicts how a QKP can be split into several logical QKPs. For the QBB’s topology We have the following cases: 1. A QBB (or more QBBs) connecting only two or more nodes or a subset of nodes involved in the secure communication, and 2. A QBB topology that connects all nodes. In the former case we have the problem that there exist different QKPs and, thus, services cannot be matched arbitrarily to LQKPs. In the latter case, it does not matter which services are matched to which logical key pools from a QBB point of view (such as depicted by Fig. 2). However, it does matter from a performance point of view because LQKPs can be used to have more than a single service acquiring quantum key bits. These LQKPs have to be separately synchronized or at least the resource scheduling needs to assign key bits in a synchronized manner among LQKPs in different hosts/nodes. We call this scheduling and resource allocation mechanism the Synchronized Logical Quantum Resource Scheduler (SLQRS). We start with a synchronized QKP among all nodes that use the same QBB and we create several LQKPs for different services/applications (used by the same nodes that are connected via the QBB). These LQKPS are then filled with key material and are synchronized among all nodes by the SLQRS. The SLQRS can be a central instance which instruments the creation of LQKPS and manages the resource allocation for them or the SLQRS is realised using a distributed synchronization protocol (distributed transactions, etc.). The allocation of key material from the QKP to the LQKPs may rely on different

Trusted Quantum Back Bone Leveraging Secure Communication

117 Bob

Alice Service B Service C

Service A

LQKP 1010101010

LQKP 1010101010

LQKP . ..

1001000101

Service B Service C

Service A

LQKP . ..

Synchronized

1001000101

0101010110

0101010110

1010101010

1010101010

. ..

. ..

SLQRS

SLQRS QKP 1010101010 1001000101 0101010110 1010101010

QKP 1010101010 1001000101 0101010110 1010101010

Synchronized

QBBSP

Trusted QBB

QBBSP

Fig. 2 Splitting a QKP into several logical QKPs stating where synchronized key material shall be available managed by a Synchronized Logical Quantum Resource Scheduler (SLQRS)

parameters. One may use a fair allocation, i.e., round-robin, or an allocation that is based on priority, fullness, expected demand or on other Quality of Service (QoS) parameters. A further point of interest is each LQKP itself because more than a single service can be mapped to a single LQKP we also need an allocation of key material from each LQKP to the services assigned to it. Thus, we end up with resource allocation, mutual exclusion, preemption, partitioning and synchronization issues. All these topics are subject to current research and, there are yet no solutions that cover all aspects to enable a seamless service oriented quantum cryptographic end-to-end communication.

2.2 Infrastructure Oriented End-to-End Security In this section we want to shed some light on a completely different approach for providing end-to-end security using quantum cryptography compared to Sect. 2.1. The idea is to move the responsibility of encrypting traffic from the clients in autonomous systems to gateway nodes which handle the encryption and the handshake with the QBB(s). Figure 3 depicts how two nodes communicate with each other when the infrastructure provides the quantum secure end-to-end communication. The gateway(s) at the two autonomous systems are responsible for managing the quantum key pools and for encrypting/decrypting the corresponding flows. This approach relies on the assumption that the autonomous systems cannot be attacked by an

118

B. Rainer and O. Maurhart Internet Secure Communication Channel AS

AS

End-To-End CommunicaƟon Alice

Bob

QBBSP

Trusted QBB

QBBSP

Fig. 3 Infrastructure oriented end-to-end security using the trusted QBB. Here, only the gateways at the autonomous system provide a quantum cryptographic service

adversary because the traffic between the client(s) and the gateway(s) within their AS may not be sufficiently secured. This is a very strong assumption which is only applicable in few cases. Having only gateways dealing with encryption/decryption simplifies the management of key pools because only the gateways need to manage the corresponding quantum key pools. However, there has to be a mechanism in place that allows clients to mark the traffic for encryption. The corresponding gateway then has to filter those marked packets and encrypt their payload as request (Fig. 4). Therefore, the gateways will need to have stateful packet inspection (SPI) in place. Since all traffic from an autonomous system has to pass the gateway(s), the gateway(s) may evolve to bottlenecks. The flow-based encryption and decryption is necessary because it may happen that the gateway holds several QKPs. Nevertheless, the infrastructure oriented end-to-end security demands a way to label/tag/mark the packets that belong to a specific service/application or QKP. We have the following options on how we identify to be encrypted and decrypted: 1. nodes just tag (traffic class or flow label field of IPv6 or in the optional options field of IPv4) their packets that need to be encrypted and the gateway is responsible to figure out which QKP shall be used (deep packet inspection) but we again need some sort of resource allocation mechanism for assigning key bits to the packets from different nodes, or

Trusted Quantum Back Bone Leveraging Secure Communication

119 From hos le networks

To AS

Unencrypted traffic SPI Flow-based decryp on

QKP 101010 101010 010001

Encrypted Traffic

QKP 101010 101010 010001

Flow-based encryp on SPI

From AS

To hos le networks

Fig. 4 An AS gateway with SPI, identifying different flows/services which have to be encrypted separately due to different QKPs

2. the nodes do tag their flows correspondingly to the available QKPs at the gateways, such that the gateways do only need to look up the flow label/tagging and then use the appropriate quantum key pool (resource allocation). The latter option provides the possibility of introducing priorities for certain flows/services but is the more complex case. In any case there must be some signalling from the gateways to their respective nodes that signalling which QKPs are available. However, solutions for infrastructure oriented end-to-end security are tightly coupled with the network protocol(s) used, e.g., IPv4 or/and IPv6. One may rely on wellknown and established protocols such as Multiprotocol Label Switching (MPLS) [9] and the Label Distribution Protocol (LDP) [10] for distributing the available QKPs. However, the resource allocation and the problem of potential bottlenecks at the gateways do persist.

120

B. Rainer and O. Maurhart

References 1. Länger, T., & Lenhart, G. (2009). Standardization of quantum key distribution and the ETSI standardization initiative ISG-QKD. New Journal of Physics, 11(5), 055051. [Online]. Available: http://stacks.iop.org/1367-2630/11/i=5/a=055051. 2. Information Technology—Open Systems Interconnection—Basic Reference Model: The Basic Model, Also published as ITU-T Recommendation X.200, ISO, Geneva, Switzerland, ISO/IEC 7498-1:1994, November 1994. [Online]. Available: http://www.iso.org/iso/iso_catalogue/ catalogue_tc/catalogue_detail.htm?csnumber=20269. 3. Federal information processing standards publication (FIPS 197). (2001). Advanced Encryption Standard (AES). 4. Sfaxi, M. A., Ghernaouti-hlie, S., Ribordy, G., & Gay, O. (2005). Using quantum key distribution within IPSEC to secure MAN communications. In In MAN 2005 conference. 5. Marksteiner, S., Rainer, B., & Maurhart, O. (2018) On the resilience of a QKD key synchronization protocol for IPsec. CoRR. arXiv:1801.01710. 6. Nagayama, S., & Meter, R. (2014). IKE for IPsec with QKD. Internet Engineering Task Force, Internet-Draft draft-nagayama-ipsecme-ipsec-with-qkd-01, October 2014, work in Progress.[Online]. Available: https://datatracker.ietf.org/doc/html/draft-nagayama-ipsecmeipsec-withqkd-01. 7. Mink, A., Frankel, S., & Perlner, R. A. (2009). Quantum key distribution (QKD) and commodity security protocols: Introduction and integration. CoRR. arXiv:1004.0605. 8. Tysowski, P. K., Ling, X., Lütkenhaus, N., & Mosca, M. (2018). The engineering of a scalable multi-site communications system utilizing quantum key distribution (QKD). Quantum Science and Technology, 3(2), 024001. [Online]. Available: http://stacks.iop.org/2058-9565/ 3/i=2/a=024001. 9. Rosen, E., Viswanathan, A., & Callon, R. (2001). Multiprotocol label switching architecture. [Online]. Available: www.ietf.org/rfc/rfc3031.txt. 10. Anderson, L., Minei, I., & Thomas, B. (2007). Label distribution protocol. [Online]. Available: www.ietf.org/rfc/rfc5036.txt.