Technical field

The present invention pertains to a device and method for generating quantum random numbers, which offers the possibility to precisely quantify the amount of entropy of a raw output stream due to the quantum nature of the process in an improved manner.

Background of the art

In general, the present invention is in the context of the generation of random numbers. Many tasks in modem science and technology make use of random numbers, including simulation, statistical sampling, gaming applications, and cryptography, both classical and quantum. A good random number generator should produce a chain of bits with high entropy at a high rate. By high entropy, it is meant that nobody can predict the value of the bit before the bit is revealed, entropy can also be understood as randomness. This is an essential requirement in most of the modem methods of data encryption. Indeed, all the cryptography protocols commonly employed, such as DSA-, RSA- and Diffie-Hellman-algorithms, follow Kerckhoffs’ principle, which dates back to the 19th century, and states that the security of a cypher must reside entirely in the key, i.e. in the random sequence used as seed. It is therefore of particular importance that the key used in a cryptographic algorithm is secure, which in practice requires it to be chosen perfectly at random, i.e. randomly generated.

Currently, most random keys are generated by arithmetic approaches and are thus only pseudo-random. In this context, most recent breaches of cryptography protocols have exploited random-number-generator weaknesses, such as reported by A.K. Lenstra, and co-authors in their article “Ron was wrong, whit is right” in Cryptology ePrint Archive, 2012. Such attacks can happen in many different fields including operating system security (see the article “Cryptanalysis of the random number generator of the windows operating system” by L. Dorrendorf, Z. Gutterman, and B. Pinkas published in ACM Trans. Inf. Syst. Secur., 13(1 ):1- 32, 2009), communication protocols (see “openssl - predictable random number generator” by L. Bello published in Debian security advisory 1571-1, 2008), digital rights management (see the publication “Ps3 epic fail” by Bushing, Marcan, Segher, and Sven at the 27th Chaos Communication Congress, 2010), and financial systems (see “Android bug batters bitcoin wallets” by R. Chirgwin in The Register, 2013).

Pseudo random number generation can be used advantageously for some applications such as numerical simulation, making results reproducible, but limitations need to be taken into account. For other applications, however, different methods need to be employed to avoid loopholes. For this reason, random number generators based on physical systems were developed, which in principle ensure the uniqueness and, most importantly, the randomness of the generated bit string. Example are given by C. H. Vincent in “The generation of truly random binary numbers”, Journal of Physics E: Scientific Instruments, 3(8):594, 1970, Y. Saitoh, J. Hori, and T. Kiryu, in “Generation of physical random number using frequency- modulated oscillation circuit with shot noise”, Electron Comm. Jpn. 3, 88(5): 12-19, 2005. These types of random number generators use physical processes, which are ruled by deterministic laws but cannot be easily predicted due to the complexity and incomplete knowledge of the initial system state. We call this type of random number generators, chaotic random number generators. This random number generator type is now commonly used, notably it is implemented in Intel processors, see “Analysis of Intel’s IVY bridge digital random number generator”, by M. Hamburg, P. Kocher and M.E. Marson in Cryptography research Inc. Other examples of this kind of physical random number generators are disclosed in US 6,831 ,980, US 6,215,874, WO2013/003943, EP 1 821 196, W001/95091. The security of these generators crucially relies on the fact that nobody has enough information to predict the behavior of the physical system or influence it.

Another implementation consists in using physical processes, which feature fundamental genuine randomness, such as quantum mechanical processes. This type of generators is called quantum random number generators (QRNGs). With this type of generator, a perfect knowledge of the system is in general insufficient to allow one to predict the bits that will be generated, as explained in more details in the article “Quantum random-number generation and key sharing” by J. G. Rarity, P. C. M. Owens, and P. R. Tapster, J.Mod.Opt., 41 (12):2435-2444, 1994. Known QRNGs are based on specialized hardware, such as single-photon sources and detectors as described by A. Stefanov, N. Gisin, 0. Guinnard, L. Guinnard, and H. Zbinden in their article “Optical quantum random number generator”, J.Mod.Opt., 47(4), 595-598, 2000, photon pair sources in combination with beam splitters such as disclosed by W. Dultz and E. Hildebrandt in their patent US 6,393,448, 2002 entitled “Optical random-number generator based on single-photon statistics at the optical beam splitter”, the device proposed by W. Wei and H. Guo in the article “Bias- free true random-number generator”, Opt. Letters, 34(12): 1876-1878, 2009, or homodyne detection as proposed for example by C. Gabriel, and co-authors in “A generator for unique quantum random numbers based on vacuum states”, Nature Phot., 4(10)711-715, 2010. Other examples of such kind of physical random number generators are disclosed in patents US 7,284,024, US 2012/045053, JP 2009/070009, EP 2 592 547, GB 2 473 078, and W002/091147.

However, while these quantum random number generators can, in theory, generate perfect randomness and therefore high entropy; in practice, their implementation is prone to loopholes due to unavoidable technical imperfections of the devices that inherently generate technical noise. In this configuration, the main difficulty consists in estimating the entropy generated by a quantum process, and separating it from the entropy due to technical noise (such as thermal noise or the like). This requires a precise theoretical modeling of the device, which is usually difficult to establish and analyze because modeling is inherently based on theoretical assumptions in the equations, which are not exactly representing the reality. A further limitation comes from the fact that the properties of the device may change during its lifetime. In particular, if the device malfunctions, or even breaks, low quality randomness is generated without the user being aware of it. Therefore, it is valuable to have a real-time evaluation of the entropy contained in bit streams provided by QRNGs. Recently, to overcome this issue, the concept of a self-testing quantum random generator was introduced, as discussed in references “Self-Testing Quantum Random Number Generator” T. Lunghi, and co-authors, Phys.Rev.Lett.m, 150501 , 2015, and “Source-device-independent Ultra-fast Quantum Random Number Generation”, D.G. Marangon, G. Vallone, and P. Villoresi, ePrint arXiv 1509.07390, 2015. With this approach, the user can quantify the generation of genuine quantum random numbers in real-time. Specifically, the amount of quantum entropy generated by the system can be estimated directly from the observed data. In this way, genuine quantum entropy can be separated from entropy due to technical imperfections of the device or malfunctioning due to aging. However, in practice this approach involves complex setups, including electro- optical modulators with multiple state preparation and single photon detectors. Moreover, only low rates in the range of few bits per seconds may be achieved (e.g.: 23 bps in the case of Lungi et al. publication) which suggests limited interest from applications requiring throughput in the range of Mbps (such as cryptography, security, gaming and scientific simulation).

In addition to the above, more recent work are available in publications such as Rusca D, Tebyanian H, Martin AC, Zbinden H. Fast self-testing quantum random number generator based on homodyne detection. Appl Phys Lett 2020; 116(264004): 1 -5, Rusca D, van Himbeeck T, Martin A, Brask JB, Shi W, Pironio S, et al. Self-testing quantum random-number generator based on an energy bound. Physical Review. A 2019; 100(062338) and Brask J, Martin A, Esposito W, Houlmann R, Bowles J, Zbinden H, et al. Megahertz-Rate Semi-Device- Independent Quantum Random Number Generators Based on Unambiguous State Discrimination. Physical Review Applied 2017;7(5):054018.

Solutions to this problem have been investigated and were published in for example EP 3306464A1 describing an apparatus and a method precisely quantifying the amount of entropy having a quantum nature in the output thereby a realizing a self-testing quantum random number generator at a high rate and preferably not involving a complex setup. To achieve this, the system realizes a self- testing random number generator based on unambiguous quantum state discrimination.

Most notably, the present approach offered ease of implementation, as it only required standard components that may be implemented in a standalone device, thus providing an integrated system that is far less complex than the existing ones, and having a reduced size and cost. This approach offered also high bit rates in the range of few Mbit/s, sufficient for many applications based on random numbers. Finally, yet importantly, the random bit entropy was computed/monitored in real-time at the contrary of all previous solutions where random bit entropy is estimated during the QRNG conception.

These devices and methods, also called, semi-Device-lndependent or SelfTesting QRNG had the big advantage compared to other commercial TRNG or QRNG that only little assumptions had to be made on the proper working of the device to which they were referring. Moreover, one could estimate and certify in real time the generated entropy. As mentioned, the optical part of the device was not much more complicated.

The main problem with these devices is that the extraction part requests extracting a huge number of bits, e.g., in the order of a million, and therefore necessitates a powerful FPGA or GPU when carried out at real time at high rates. Indeed, for good statistics the entropy must be estimated over big block sizes (over 10 ⁵ ) and the extraction (using e.g. a Toeplitz matrix) is demanding at high rates (over 10Mb/s).

In addition to this, the ultimate security, as well as bit rates in the range of Mb/s, of self-testing QRNG is not always needed.

There is therefore an increasing demand for Cheaper self-testing QRNG with at the same time higher rates of improved “standard” QRNG. An object of the present invention is therefore of providing an improved selftesting QRNG system and method permitting to provide an improved random ness/entropy extraction at high rates with low cost FGPA embedded in it.

Summary of the invention

In view of the above, the invention is directed to a device and a method carrying out a hybrid approach where a high speed QRNG generates a raw bit stream at a rate of up to 10 Gb/s and where the entropy is estimated based on a fraction of these bits. More particularly, according to the invention, a big block size (>10 ⁵ bits) extractor delivers certified random bits at rate of up to 10 Mb/s and in parallel a fast, small block size extractor (e.g. 512 bits) supplies random bits at rates of up to 1 Gb/s. This hybrid approach for extraction can be applied to any self-testing QRNG, independent of his architecture and maximal raw bit rate. It is foreseeable that using integrated photonic chips, the cost of the entropy source itself becomes negligible with respect to the readout electronics and logic.

The invention permits to have with less resources full self-testing certification at reasonable rates, and at the same time a high rate QRNG still with improved quality with respect to a totally device dependent approach.

More particularly, a first aspect of the invention relates to a Quantum Random Number Generator comprising an emitting device adapted to be triggered by a signal representing an input bit x and adapted to generate and send a stream of one of two possible non-orthogonal quantum states determined by a plurality of said input bit x at a rate in the range of Mb/s up to 10 Gb/s, a measurement device adapted to detect each quantum state of the stream of quantum states sent by the emitting device and to generate an output b based on the detected quantum state, a random selection device adapted to receive said output b and carries out a random selection on said output b so as to select and pick out a first fraction of the bits b’ and a second fraction of the bit b-b' sent to an entropy H^ _in estimation module, wherein the entropy H^ _in estimation module is adapted to receive the input x, the output b’ and the output b-b’ over a certain number of rounds N and to estimate the entropy H^ _in of each output for each quantum state of the stream of quantum states, validating or not an extraction ratio, and at least two parallel randomness extraction devices adapted to carry out a hybrid extraction protocol generating two final random output bit strings via a first extractor which extracts the first fraction of the bits b’ with bit block sizes in a first range and generates a string of certified random bits r’ at a first rate; and a second extractor which extracts the second fraction of the bits b-b’ with bit block sizes in a second range, higher than the first range, and generates a string of true random bits r at a second rate, higher than the first rate.

Preferably, the first extractor is a “slow” extractor which extracts the first fraction of the bits b’ with block sizes in the range of 10 ^A 5-10 ^A 7 bits and generates a string of certified random bits r’ at a rate in the order of 1 Mb/s; and the second extractor is a “fast” extractor which extracts the second fraction of the bits b-b’ with block sizes in the range of 2 ⁸ -2 ¹⁰ bits and generating a string of true random bits r at a rate in the order of 100 Mb/s.

According to a preferred embodiment, the measurement device is an unambiguous state discrimination measurement, where the output b represents whether the quantum state has been identified or not and, if it has been identified, which quantum state among the two possible quantum states to a processing device.

Advantageously, the entropy H^ _in estimation module comprises a first processing device adapted to estimates the entropy H^ _in of the output b’ and a second processing device adapted to estimates the entropy H^ _in of the output b-b’.

Preferably, the processing devices estimate the probabilities p(b'|x) and r p(b- b'|x) representing the probability of observing output b' and b-b' for a state preparation x and estimates the entropy H^ _in of the output b' and b-b'.

According to a preferred embodiment, the two possible non-orthogonal quantum states are encoded in one of the temporal mode of photons, the polarization of photons, the frequency mode of photons, the photon number degree of freedom of light, the spatial mode of photons, the path degree of freedom of photons, or the phase of weak coherent pulses.

Advantageously, the two possible non-orthogonal quantum states are encoded using a combination of two or more encodings listed above or using other quantum systems such as atomic systems and superconducting systems.

Preferably, the random selection device carries out the random selection using a pseudorandom number generator.

According to a preferred embodiment, the raw key is 0 if the output b is conclusive or 1 if the output b is inconclusive.

Advantageously, the entropy estimation is made according to H^ _in = -l°g ₂ (p ₅ ), where the guessing probability p _g can be upper bounded from the probabilities p(b|x) as follows: p _g = _lX ,b ^v x,bP b \x' + y, where the parameter v _xb and y are obtained via an adapted semi-definite program (SDP).

Preferably, the randomness extraction is realized by a vector-matrix multiplication between a vector formed by the raw bit value generated at the output of the unambiguous quantum state discrimination measurement device and a random matrix M where the dimension is adapted as a function of the quantity of entropy /^estimated.

A second aspect of the invention relates to a Quantum Key Distribution System comprising at least one Quantum Random Number Generator of the first aspect.

A third aspect of the invention relates to a self-testing method carried out by a Quantum Random Number Generator comprising the steps of: preparing and sending a stream of one of two possible non-orthogonal quantum states determined by a plurality of input bit x at a rate in the range of Mb/s up to 10 Gb/s, detecting and measuring each quantum state of the stream of quantum states sent and generating an output b based on the detected quantum state, carrying out a random selection on the output b so as to select and pick out a first fraction of the bits b’ and a second fraction of the bit b-b' sent to an entropy estimation module, estimating the entropy of each the output b’ and the output b-b’ for each quantum state of the stream of quantum states and validating or not an extraction ratio, and randomness extracting via two parallel randomness extraction procedures adapted to carry out a hybrid extraction protocol generating two final random output bit strings via a first extraction which extracts the first fraction of the bits b’ with bit block sizes in a first range and generates a string of certified random bits r’ at a first rate; and a second extraction which extracts the second fraction of the bits b-b’ with bit block sizes in a second range, higher than the first range, and generates a string of true random bits r at a second rate, higher than the first rate.

Advantageously, the first extraction is a “slow” extraction which extracts the first fraction of the bits b’ with block sizes in the range of 10 ^A 5-10 ^A 7 bits and generates a string of certified random bits r’ at a rate in the order of 1 Mb/s; and the second extraction is a “fast” extraction which extracts the second fraction of the bits b-b’ with block sizes in the range of 2 ⁸ -2 ¹⁰ bits and generating a string of true random bits r at a rate in the order of 100 Mb/s.

Preferably, the preparation device prepares and sends a physical system prepare in any number of non-orthogonal quantum states and the measurement device consists in an adapted unambiguous state discrimination measurement.

Brief description of the drawings

The attached figures illustrate the principles as well as several realizations of the present invention.

- Figure 1 is a schematic representation of the general concept and protocol, relating to the apparatus and the method of the prior art,

- Figure 2 is a detailed method steps associated to the apparatus of the prior art,

- Figure 3 is a schematic representation of the general concept and protocol, relating to the apparatus and the method of the present invention Description of the preferred embodiment of the invention

In the following, the invention is described in detail with reference to the above-mentioned figures. Figures 1 and 2 schematically represent the principle of the prior art.

Figure 1 schematically illustrates the principle of the quantum random number generator and its conceptual scheme where a source 110 prepares a physical system 130 in one of two possible non-orthogonal quantum states according to an input bit x and sends it to the measurement device 120. The measurement device 120 performs a quantum measurement to try to determine the received states, preferably an unambiguous state discrimination (USD) measurement, and gives an output b. The output b is either conclusive, indicating which state was prepared by the source, or inconclusive if it does not succeed to discriminate between the two possible states.

More precisely, the setup comprises two devices: a “non-orthogonal state preparation device” 110 and a “USD measurement device” 120, respectively. The “non-orthogonal state preparation device” 110 sends a physical system, prepared in one out of two possible quantum states, to the “USD measurement device” 120. The “USD measurement device” 120 attempts to identify which state was sent. Thus, it implements a quantum measurement able to distinguish between the two quantum states. The setup permits to identify which state is being sent with as little error as possible. If the two states are non-orthogonal, i.e. with a non-zero overlap, it is impossible, according to the laws of quantum theory, to continuously discriminate them with certainty. Nevertheless, probabilistically it is possible to perfectly discriminate them. This means that it is possible to distinguish them without error, i.e. the measurement device never outputs ‘b=T when the state was ‘x=0’ and vice versa, at the price of sometimes outputting an inconclusive result ‘b = 0’.

The entropy of the output bits is quantified by verifying that the measurement distinguishes the two states without error. Therefore, based on a promise on how non-orthogonal the states are (i.e. what their overlap is), it is possible to estimate the entropy contained in the output data in real time 140. Then, based on this entropy estimate, a final string of random bits is generated via an adapted procedure of randomness extraction 150.

Figure 2 is a detailed description of the method associated to the prior art apparatus presented in Figure 1. The first step 510 consists in preparing and sending one out of two possible non-orthogonal states \t _x }. In a second step 520, the quantum state sent is detected and measured by the “USD measurement device” 120 that implements a USD measurement. In a third step 530, the state is measured and, the "USD measurement device" 120 returns a ternary output h; output b=0 or b=1 indicates that the emitted state was conclusive, while b = 0 represents an inconclusive result. Once the state is detected and measured by the “USD measurement device” 120, the value of the output bit stored and the detection is counted as an event and added to the statistics in a further step 540. The stored output is added to the output stream. If output stream size is bigger than N, with N being an output stream size with sufficient statistical event then the apparatus proceeds with the entropy estimation 550 and randomness extraction process 560. Otherwise, another input bit x is generated, and the corresponding state is prepared and sent by the “non-orthogonal state preparation device” 110 and another 510 to 540 step cycle is achieved. The last step 560 consists in randomness extraction procedure, which provides a final random output bit stream with entropy close to one for each bit.

Figure 3 is a detailed description of the method and the apparatus associated to the invention. As we can see, the first steps S101 and S102 are quite similar to the ones described in figure.2.

More particularly, in the first step S101 an emitting device 1 , preferably a non- orthogonal state preparation device, is triggered by a random input bit x and adapted to generate and send a stream of one of two possible non-orthogonal quantum states \t _x } determined by a plurality of said input bit x at a rate in the range of Mb/s up to 10 Gb/s, also called raw rate. This quantum state refers to one degree of freedom of the emitted system. For instance, \t _x } may represent the state of polarization of photons, a temporal mode of photons, or the phase of a weak coherent state.

Preferably, the two possible non-orthogonal quantum states are encoded in one of the temporal mode of photons, the polarization of photons, the frequency mode of photons, the photon number degree of freedom of light, the spatial mode of photons, the path degree of freedom of photons, or the phase of weak coherent pulses. Furthermore, the two possible non-orthogonal quantum states can be encoded using a combination of two or more encodings listed above or using other quantum systems such as atomic systems and superconducting systems.

In addition, the emitting device 1 also transfers, in step S102, the random input bit x to a processing device 4’ (and 4) in order to compare the output of the receiver (Bob) with the input of the emitter (Alice) and calculate the entropy on that basis. In this context, Bob comprises the measurement device 2 and the random selection device 3 while Alice comprises the emitting device 1 .

In a second step S103, the quantum state sent is detected and measured by a measurement device 2 adapted to detect each quantum state of the stream of quantum states \t _x } and to generate an output b (b=0 or b=1 ).

Since the two incoming quantum states are non-orthogonal, the outputs b=0 and b=1 do not correspond perfectly to the input states 0 and 1. Random errors appear, which can be used to generate random numbers.

If the state is measured by an USD measurement device, the output b may have different three values: output b=0 or b=1 indicates that the emitted state was state 0 or state 1 (in other words the result is conclusive), while b = 0 represents an inconclusive result (one cannot say which state has been sent). Therefore, in this second step S103, either the measurement device 2 can output a conclusive or an inconclusive result. The appearances of inconclusive and conclusive results are random and can be used to generate random numbers. Once this output b is prepared, it is sent to a random selection device 3. This random selection device 3 carries out a random selection using a pseudorandom number generator.

The random selection device 3 is adapted to divide (or separate) the output b into two fractions. More particularly, the random selection device 3 randomly selects and pick out a first fraction of the bits b to form a first group of bits b' and sends this group (or fraction) through step S104, to the processing device 4’ for an entropy estimation and sends, through step S106, the remaining group (or second fraction) b-b' to a processing device 4 for an entropy estimation.

The processing devices 4' and 4, respectively, which receive the input x from the emitting device 1 and the output b' and b-b’, respectively, from random selection device 3 over a certain number of rounds N, estimate the entropy H^ _in of the output b' for each quantum state of the stream of quantum states and the entropy H^ _in of the output b-b' for each quantum state of the stream of quantum states . Preferably, the processing device estimates the probabilities p(b’|x) representing the probability of observing output b' for a state preparation x and estimates the entropy H^ _in of the output b’, and analogously for p (b-b’|x).

Once the entropy has been estimated, the extraction is carried out. The device therefore comprises at least two randomness extraction devices 5 and 5’ which have been prepared for a given extraction ratio. If the estimated entropy H^ _in is higher than this fraction, then one can proceed to the extraction step (S105). If not then, the process is aborted and repeated.

Alternatively, it is possible that different extraction devices with different extraction ratios are be prepared and used according to the measured entropy. Therefore, if the estimated entropy is not higher than a given threshold it may proceed further with a different extractor.

This permits to obtain a device carrying out a hybrid extraction protocol comprising two parallel randomness extraction devices, i.e. a slow extractor 5’ and a fast extractor 5, generating two final random output bit strings. A first one via the first “slow” extractor (5’) with block sizes in the range of 10 ^A 5-10 ^A 7 bits and generating a string of certified random bits r’ at a rate in the order of 1 Mb/s; and a second one via the “fast” extractor (b) with block sizes in the range of 2 ⁸ -2 ¹⁰ bits and generating a string of certified random bits r’ at a rate in the order of 100 Mb/s. (limited by Hmin times raw rate b).

Of course, if preferred, it is also possible to use the two fast and slow extractors not in parallel, but one or the other depending on the actual need of rate and quality of the random numbers.

Preferably, the randomness extractors 5’ and 5 are realized by a vectormatrix multiplication between a vector formed by the raw bit value generated at the output of the measurement device and a random matrix M where the dimension is adapted as a function of the quantity of entropy /^ _in estimated.

According to a preferred embodiment, the entropy estimation is made according to H^ _in = -log ₂ (p ₅ ), where the guessing probability p _g can be upper bounded from the probabilities p(b|x) as follows: p _g = ' x,b ^v x,bP(b\x) + y, where the parameter v _xb and y are obtained via an adapted semi-definite program (SDP).

The invention also relates to a quantum Key Distribution System comprising at least one Quantum Random Number Generator defined above.

While the embodiments have been described in conjunction with a number of embodiments, it is evident that many alternatives, modifications and variations would be or are apparent to those of ordinary skill in the applicable arts. Accordingly, this disclosure is intended to embrace all such alternatives, modifications, equivalents and variations that are within the scope of this disclosure. This for example particularly the case regarding the different apparatuses, types of states, raw rate and size of blocks which can be used.