# Certified finite randomness expansion

Randomness expansion is a protocol for Quantum Random Number Generator which takes as input a private, uniformly random string and outputs a longer string which is (close to) private and uniformly random. The protocol of Pironio et. al. enables randomness expansion of such an input using only two identical untrusted (i.e. provided by an adversary) measurement devices. Privacy of the output string is guaranteed to a given confidence level and its length depends on the stochastic outcome of a CHSH game, the confidence level desired and the randomness extractor used in post-processing.

Such a protocol is useful in the case where one already has access to a private source for true randomness, but whose use is prohibitively expensive or whose access is limited. By applying randomness expansion, it is possible to make this resource go further using potentially much cheaper or more simple methods.

## Assumptions

• Quantum theory is correct.
• The measurement devices do not interact during measurements.
• The measurement devices are not correlated with the input string.

## Outline

In this protocol, Alice has an initial private random string (the seed) and has been provided with two identical measurement devices by Eve. Each of the devices has two settings and can produce two outputs. Prior to beginning the protocol, Alice has to decide with which confidence she would like her output string to be private from Eve, and which strong randomness extractor she would like to perform post-processing with. She then splits her seed into two portions - the sizes of which are determined by the chosen randomness extractor.

Alice then takes two bits from the start of the first portion of her initial string and uses these to choose the settings of her measurement devices (i.e. if the pair is ${\displaystyle (0,1)}$ then she sets the first device to setting $0$ and the second device to setting ${\displaystyle 1}$). She prepares an EPR state and shares it across the two measurement devices, then performs measurements using each device with the chosen settings and records the output. She repeats this process until this portion of her input string has been exhausted, resulting in a binary string of recorded outputs of equal length to the input.

Using the input and output strings, Alice estimates the violation of the CHSH inequality her experiment has produced. This allows her to place a bound on the conditional min-entropy of the output string with respect to both the input string and any information Eve may have.

Finally, Alice passes her output string, the second portion of her initial seed and the determined min-entropy bound to a strong randomness extractor to generate a processed string which is (close to) uniform and private from Eve with the confidence specified at the beginning of the protocol. As Alice has kept her seed private throughout and the randomness extractor used is a strong one, she can then simply append her entire seed to the output of the randomness extractor to produce a final expanded string, which is guaranteed to be longer than the seed so long as a super-classical CHSH game has occurred.

## Notation

• ${\displaystyle n}$: number of measurement iterations
• ${\displaystyle x_{i}}$: measurement setting for device A on iteration ${\displaystyle i}$
• ${\displaystyle y_{i}}$: measurement setting for device B on iteration ${\displaystyle i}$
• ${\displaystyle A_{bases}}$: tuple of measurement bases for device A; ${\displaystyle A_{bases}=\{X,Z\}}$
• ${\displaystyle B_{bases}}$: tuple of measurement bases for device B; ${\displaystyle B_{bases}=\{1/{\sqrt {2}}(X+Z),1/{\sqrt {2}}(X-Z)\}}$
• ${\displaystyle a_{i}}$: measurement result for device A on iteration ${\displaystyle i}$ (0 or 1)
• ${\displaystyle b_{i}}$: measurement result for device B on iteration ${\displaystyle i}$ (0 or 1)
• ${\displaystyle s}$: string of measurement basis pairs; ${\displaystyle s=(x_{1},y_{1};\ldots ;x_{n},y_{n})}$
• ${\displaystyle r}$: string of measurement result pairs; ${\displaystyle r=(a_{1},b_{1};\ldots ;a_{n},b_{n})}$
• ${\displaystyle {\overline {r}}}$: output string from classical randomness extraction of ${\displaystyle r}$
• ${\displaystyle t}$: initial private random seed
• ${\displaystyle u}$: final randomness expanded string
• ${\displaystyle {\hat {I}}}$: experimental estimate of CHSH correlation
• ${\displaystyle k}$: lower bound on conditional min-entropy of measurement results ${\displaystyle r}$ with respect to measurement settings ${\displaystyle s}$ and any information held by an adversary
• ${\displaystyle f}$: function which takes as input a(n estimated) CHSH correlation and returns a per-use lower bound on the conditional min-entropy of the measurement results with respect to measurement settings and any information held by an adversary in the limit of a large number of uses (determined using semi-definite programming in Pironio et. al.)
• ${\displaystyle \epsilon }$: term to account for finite statistics effects
• ${\displaystyle \alpha }$: the chosen confidence with which the returned entropy lower bound is correct
• ${\displaystyle {\textrm {Ext}}}$: strong seeded (classical) randomness extractor

## Requirements

• Network stage: Entanglement Distribution
• Random number generator
• Authenticated quantum channel
• Authenticated classical channel
• Hardware:
• Multi qubit non-separable state preparation
• Single qubit measurement
• Single qubit gates

## Properties

• Output string is of length ${\displaystyle \theta (n^{2})}$
• Requires only two measurement devices.
• Devices can be untrusted.
• Imposes no constraints on input states or measurements (i.e. Bell inequality tested can be changed from what is specified here).
• Allows for devices to have an internal quantum memory.
• Length of expanded string dependent on magnitude of CHSH correlation (as this tells us how much min-entropy can be contained in the results string) and the choice of randomness extractor (as different constructions have varying degrees of performance).

## Pseudocode

Input: ${\displaystyle t}$, ${\displaystyle \alpha }$, ${\displaystyle {\textrm {Ext}}v'''Output''':[itex]u}$

• split ${\displaystyle t}$ into ${\displaystyle t=(t^{(1)},t^{(2)})}$ where ${\displaystyle |t^{(1)}|}$ and ${\displaystyle |t^{(2)}|}$ are determined by ${\displaystyle {\textrm {Ext}}}$
• ${\displaystyle n\leftarrow {\big \lfloor }{\frac {|t^{(1)}|}{2}}{\big \rfloor }}$
• initialize arrays ${\displaystyle r}$, ${\displaystyle s}$ of length ${\displaystyle n}$
• For ${\displaystyle i\leftarrow 1}$ to ${\displaystyle n}$:
• prepare state ${\displaystyle |\Psi ^{+}\rangle }$ and share across devices A and B
• ${\displaystyle x_{i}\leftarrow t_{i}^{(1)}}$
• ${\displaystyle y_{i}\leftarrow t_{i+1}^{(1)}}$
• ${\displaystyle a_{i}\leftarrow }$ measurement result from device A in basis ${\displaystyle A_{bases}[x_{i}]}$
• ${\displaystyle b_{i}\leftarrow }$ measurement result from device B in basis ${\displaystyle B_{bases}[y_{i}]}$
• ${\displaystyle s[i]\leftarrow (x_{i},y_{i})}$
• ${\displaystyle r[i]\leftarrow (a_{i},b_{i})}$
• ${\displaystyle {\hat {I}}\leftarrow 0}$
• ${\displaystyle i\leftarrow 1}$ to ${\displaystyle n}$:
• ${\displaystyle x_{i},y_{i}\leftarrow s[i]}$
• ${\displaystyle a_{i},b_{i}\leftarrow r[i]}$
• ${\displaystyle {\hat {I}}\leftarrow {\hat {I}}+{\frac {4}{n}}(-1)^{x_{i}\wedge y_{i}}(-1)^{a_{i}\oplus b_{i}}}$
• ${\displaystyle \epsilon \leftarrow 4{\sqrt {-{\frac {2{\sqrt {2}}}{n}}\ln {(1-\alpha )}}}}$
• ${\displaystyle k\leftarrow nf{\big (}{\hat {I}}-\epsilon {\big )}}$
• flatten ${\displaystyle r}$ into an array of bits
• ${\displaystyle {\overline {r}}\leftarrow {\textrm {Ext}}(r,t^{(2)},k)}$
• ${\displaystyle u\leftarrow (t,{\overline {r}})}$

## Further Information

• Pironio et. al. implement the protocol using two ionic Yttrium qubits, separated by a distance of ${\displaystyle 1}$, and a uniform probability distribution (i.e. ${\displaystyle P(x,y)={\frac {1}{4}}}$). Over the course of one month, they were able to produce ${\displaystyle n=3016}$ entanglements and recorded a correlation of ${\displaystyle {\hat {I}}=2.414}$; implying at least 42 new random qubits had been produced with a confidence of 99%. The seed used in the experiment was generated from a combination of sources: radioactive decay, atmospheric noise and network activity on a remote computer.
• The protocol presented here implements the simplest design choices throughout. It is possible to use arbitrary Bell inequalities (rather than the CHSH inequality), to use the seed to generate ${\displaystyle x_{i}}$ and ${\displaystyle y_{i}}$ from some joint probability distribution ${\displaystyle P(x,y)}$, and to contsruct the protocol with more than two devices.
contributed by Neil Mcblane