Certified finite randomness expansion

From Quantum Protocol Zoo
Jump to: navigation, search

Randomness expansion is a protocol for Quantum Random Number Generator which takes as input a private, uniformly random string and outputs a longer string which is (close to) private and uniformly random. The protocol of Pironio et. al. enables randomness expansion of such an input using only two identical untrusted (i.e. provided by an adversary) measurement devices. Privacy of the output string is guaranteed to a given confidence level and its length depends on the stochastic outcome of a CHSH game, the confidence level desired and the randomness extractor used in post-processing.

Such a protocol is useful in the case where one already has access to a private source for true randomness, but whose use is prohibitively expensive or whose access is limited. By applying randomness expansion, it is possible to make this resource go further using potentially much cheaper or more simple methods.

Tags: Building Blocks, Quantum Functionality, Specific Task


  • Quantum theory is correct.
  • The measurement devices do not interact during measurements.
  • The measurement devices are not correlated with the input string.
  • The adversary does not have access to a quantum memory.


In this protocol, Alice has an initial private random string (the seed) and has been provided with two identical measurement devices by Eve. Each of the devices has two settings and can produce two outputs. Prior to beginning the protocol, Alice has to decide with which confidence she would like her output string to be private from Eve, and which strong randomness extractor she would like to perform post-processing with. She then splits her seed into two portions - the sizes of which are determined by the chosen randomness extractor.

Alice then takes two bits from the start of the first portion of her initial string and uses these to choose the settings of her measurement devices (i.e. if the pair is then she sets the first device to setting $0$ and the second device to setting ). She prepares an EPR state and shares it across the two measurement devices, then performs measurements using each device with the chosen settings and records the output. She repeats this process until this portion of her input string has been exhausted, resulting in a binary string of recorded outputs of equal length to the input.

Using the input and output strings, Alice estimates the violation of the CHSH inequality her experiment has produced. This allows her to place a bound on the conditional min-entropy of the output string with respect to both the input string and any information Eve may have.

Finally, Alice passes her output string, the second portion of her initial seed and the determined min-entropy bound to a strong randomness extractor to generate a processed string which is (close to) uniform and private from Eve with the confidence specified at the beginning of the protocol. As Alice has kept her seed private throughout and the randomness extractor used is a strong one, she can then simply append her entire seed to the output of the randomness extractor to produce a final expanded string, which is guaranteed to be longer than the seed so long as a super-classical CHSH game has occurred.


  • : number of measurement iterations
  • : measurement setting for device A on iteration
  • : measurement setting for device B on iteration
  • : tuple of measurement bases for device A;
  • : tuple of measurement bases for device B;
  • : measurement result for device A on iteration (0 or 1)
  • : measurement result for device B on iteration (0 or 1)
  • : string of measurement basis pairs;
  • : string of measurement result pairs;
  • : output string from classical randomness extraction of
  • : initial private random seed
  • : final randomness expanded string
  • : experimental estimate of CHSH correlation
  • : lower bound on conditional min-entropy of measurement results with respect to measurement settings and any information held by an adversary
  • : function which takes as input a(n estimated) CHSH correlation and returns a per-use lower bound on the conditional min-entropy of the measurement results with respect to measurement settings and any information held by an adversary in the limit of a large number of uses (determined using semi-definite programming in Pironio et. al.)
  • : term to account for finite statistics effects
  • : the chosen confidence with which the returned entropy lower bound is correct
  • : strong seeded (classical) randomness extractor


  • Network stage: Entanglement Distribution
  • Random number generator
  • Authenticated quantum channel
  • Authenticated classical channel
  • Hardware:
    • Multi qubit non-separable state preparation
    • Single qubit measurement
    • Single qubit gates


  • Output string is of length
  • Requires only two measurement devices.
  • Devices can be untrusted.
  • Imposes no constraints on input states or measurements (i.e. Bell inequality tested can be changed from what is specified here).
  • Allows for devices to have an internal quantum memory.
  • Length of expanded string dependent on magnitude of CHSH correlation (as this tells us how much min-entropy can be contained in the results string) and the choice of randomness extractor (as different constructions have varying degrees of performance).


Input: , ,

  • split into where and are determined by
  • initialize arrays , of length
  • For to :
    • prepare state and share across devices A and B
    • measurement result from device A in basis
    • measurement result from device B in basis
  • to :
  • flatten into an array of bits

Further Information[edit]

  • Pironio et. al. implement the protocol using two ionic Yttrium qubits, separated by a distance of , and a uniform probability distribution (i.e. ). Over the course of one month, they were able to produce entanglements and recorded a correlation of ; implying at least 42 new random qubits had been produced with a confidence of 99%. The seed used in the experiment was generated from a combination of sources: radioactive decay, atmospheric noise and network activity on a remote computer.
  • The protocol presented here implements the simplest design choices throughout. It is possible to use arbitrary Bell inequalities (rather than the CHSH inequality), to use the seed to generate and from some joint probability distribution , and to contsruct the protocol with more than two devices.
contributed by Neil Mcblane