Optica Publishing Group

Source-independent quantum random number generator against tailored detector blinding attacks


Abstract

Randomness, mainly in the form of random numbers, is the fundamental prerequisite for the security of many cryptographic tasks. Quantum randomness can be extracted even if adversaries are fully aware of the protocol and even control the randomness source. However, an adversary can further manipulate the randomness via tailored detector blinding attacks, which are hacking attacks suffered by protocols with trusted detectors. Here, by treating no-click events as valid events, we propose a quantum random number generation protocol that can simultaneously address source vulnerability and ferocious tailored detector blinding attacks. The method can be extended to high-dimensional random number generation. We experimentally demonstrate the ability of our protocol to generate random numbers for two-dimensional measurement with a generation speed of 0.1 bit per pulse.

© 2023 Optica Publishing Group under the terms of the Optica Open Access Publishing Agreement

1. Introduction

The unpredictability of random numbers was originally intended to refer to a lack of correlation between numbers. In the current study, pseudorandom numbers [1,2] are obtained through deterministic formulas implying some correlation of these numbers and, hence, some predictability of subsequent numbers. For the physical true random numbers [3,4], the source of their randomness has not been fully studied. In contrast, quantum random numbers [5,6] are considered to have inherent randomness based on the completeness of quantum mechanics. Quantum random number generators (QRNGs) have thus been widely investigated to obtain unpredictable random numbers. In addition to their lack of correlation, the practical security of quantum random numbers has received considerable attention as their fields of application [7–9] expand to cryptographic tasks [10–14].

A QRNG typically consists of a randomness source and a detection device. The randomness source provides light with quantum properties, and the detection device extracts randomness by measurements of light in a superposition state. As a solution to almost all security concerns, device-independent QRNGs [15–18] are the most stringent, making no assumption about either randomness sources or detection devices. Recently, device-independent QRNGs that can extract random numbers after deducting the consumed randomness have been implemented for the first time. The net gains reached 2290 bps [19], 3606 bps [20] and 3718 bps [21]. However, they all required approximately 10 hours to accumulate data, which would lead to high latency in practical use. Furthermore, random numbers are consumed rapidly in most cryptographic tasks. Thus, we unavoidably consider the trade-off between security and the generation rate [22–25]. An adoptable choice is the source-independent QRNG (SI-QRNG) [26–30], in which the detection devices are assumed to be trusted by well characterizing them. There is no security assumption on the randomness source or on the channel between the source and the detection device. Different from device-independent QRNGs, SI-QRNGs can measure both discrete variables [26] and continuous variables [27–30]. Here we focus on the discrete-variable QRNG since it needs no additional local oscillators and is realized by a single measurement. In practice, SI-QRNG has a wide selection of untrusted sources, from lasers to light bulbs to sunlight, depending on the situation, thus becoming a popular choice.

Perfectly characterizing detectors is complex and difficult [31,32]. Researchers have tried to solve the known vulnerabilities one by one. But they believe in the assumption that detectors can detect a single photon under any attack. Tailored detector blinding attacks [33–35], first introduced in quantum key distribution [36], are the most powerful attacks targeting detectors. They cause the detector to respond to signals up to a certain intensity by changing the physical state of the detectors. The adversary Eve can thus manipulate the detector using trigger light with specific optical power and determine the detection outcomes with a probability of almost 100%. Such attacks can be launched on either avalanche photodiodes [37] or superconducting nanowire single-photon detectors (SNSPDs) [38].

Inspired by the interpretation of no-click events in Bell tests [39], we find that the change of the physical state of detectors breaks the fair sampling assumption. In this work, we present a source-independent protocol that is secure against the tailored detector blinding attacks by counting no-click events. Additionally, our protocol has composable security against quantum coherent attacks and can be easily expanded to high-dimensional measurement cases. We experimentally demonstrate the feasibility of generating random numbers in the two-dimensional measurement case. Detector imperfections such as dark counts and afterpulses are also considered. Our protocol achieves higher security than previous SI-QRNGs and maintains a meaningful generation rate. In our experiments, we realize a generation rate of 0.103 with 1 Gb of data accumulation. For low-latency applications, our experimental system is able to generate 640 kbit of quantum random numbers every 2 seconds with a 5 MHz experimental system. The extracted quantum random numbers pass the NIST test.

2. Tailored detector blinding attacks

Detector blinding attacks originate from flaws in the single-photon detector. Strictly speaking, detectors can detect a single photon only in a specific mode. After changing conditions such as bias voltage and temperature, the detector may require stronger light to respond. This flaw gives Eve the opportunity to change conditions by injecting special light, and then arbitrarily set the threshold of detectors in her favor, which is the tailored detector blinding attack [33]. We first construct a threshold detection model for detectors under bright illumination. Based on this model, we describe the attacks we aim to solve. Finally, we describe the performance of attacks in high-dimensional measurement cases.

2.1 Threshold detection model

As the receiver, Alice detects signals randomly in one of two incompatible bases $\mathbb {X}$ and $\mathbb {Z}$. Without loss of generality, we agree that the outcomes in $\mathbb {Z}$ are used to generate raw random numbers and the outcomes in $\mathbb {X}$ are used to judge the amount of information obtained by Eve. In the two-dimensional measurement scheme, we notate the eigenstates of $\mathbb {Z}$ as $\{\left | 0 \right \rangle, \left | 1 \right \rangle \}$, and the eigenstates of $\mathbb {X}$ as $\{\left | \pm \right \rangle = \frac {1}{\sqrt {2}}(\left | 0 \right \rangle \pm \left | 1 \right \rangle )\}$. When the $\mathbb {X}$ basis is chosen, the outcome $\left | + \right \rangle$ is considered the correct outcome, and the outcome $\left | - \right \rangle$ is an error event [26].

We define the threshold of a detector as the intensity $I$, which means that the detector fires when the intensity of the signal is stronger than $I$ and not when it is equal to or weaker than $I$. In the tailored detector blinding attack scenario, Eve can arbitrarily determine the value of $I$ by exploiting the tailored bright illumination, and Alice cannot obtain this value unless additional monitoring is performed. Under the active-basis-choice, we can assume that the threshold of the detector representing $\left | 0 \right \rangle$ and $\left | + \right \rangle$ is $I_0=I_+$ and that the threshold of the detector representing $\left | 1 \right \rangle$ and $\left | - \right \rangle$ is $I_1=I_-$. $I_0 = I_1 = 0$ when detectors are in the single-photon response mode. When Eve sends signals with bright illumination, the thresholds of the different detectors are governed by Eve. Here, we assume that the detectors have perfect efficiency. The inefficiency occurs only when $I_0 = I_1 = 0$ and the detector can be considered a perfect detector with some loss in the channel. When the thresholds of the detectors are higher than $0$, the physical property of the detectors is changed. The signal is detected in the form of light intensity, and there is no concept of detection efficiency.

2.2 Attack description

We first state that Eve’s control over the threshold is not instantaneous. The attack we discuss here does not allow Eve to change the threshold of the detector in every detection window, because Eve blinds the detector through bright continuous-wave illumination. This assumption is realistic and avoids an ideal attack: sending $\left | + \right \rangle$ all the time, but changing the thresholds of detectors representing $\left | 0 \right \rangle$ and $\left | 1 \right \rangle$ to determine which detector responds each time. Second, we assume that Eve is greedy, and she only wants the value she chooses to be detected, not a value that is more likely to be detected. In this regard, Eve’s method changes the detector threshold so that the signal she sends accurately enters a certain detector, and the response she expects occurs.

A simple attack for Eve is to tune the detectors to have the same threshold $I_{th}$, as shown in Fig. 1(a). Eve wants Alice to obtain an outcome specified by Eve when Alice measures the signal in $\mathbb {Z}$. In other words, a signal with intensity $I_e > I_{th}$ enters either the detector representing $\left | 0 \right \rangle$ or the detector representing $\left | 1 \right \rangle$ in accordance with Eve’s arrangement. At the same time, Eve requires the detector representing $\left | - \right \rangle$ not to fire if Alice happens to measure the signal in $\mathbb {X}$. Since half of the photons in the signal arrive at the $\left | + \right \rangle$ detector and the others arrive at the $\left | - \right \rangle$ detector, Eve sets $0.5 I_e \leqslant I_{th}$ to cause a no-click event. In squashing models [40–43], no-click events are treated as receiving vacua and thus are discarded without increasing the error count. Therefore, by emitting signals with $I_{th}<I_e \leqslant 2I_{th}$, Eve can control the outcomes of $\mathbb {Z}$-basis measurements without increasing the error rate in $\mathbb {X}$.


Fig. 1. Tailored detector blinding attacks in two-dimensional measurement. (a) The case in which both detectors have the same thresholds. Although Eve controls the outcomes of measuring signals in $\mathbb {Z}$, both detectors do not fire if Alice happens to measure signals in $\mathbb {X}$. (b) The case in which the detector representing $\vert +\rangle$ has a lower threshold than the other. When Eve controls the outcomes of measuring signals in $\mathbb {Z}$, she can also cause the detector representing $\vert +\rangle$ to fire if Alice happens to measure signals in $\mathbb {X}$.


The general case is that the thresholds of the different detectors are different, as shown in Fig. 1(b). A more favorable option for Eve is $I_+ < I_-$ since $\left | + \right \rangle$ represents the correct outcome. For the active-basis-choice, we have $I_0=I_+$ and $I_1=I_-$, which means that $I_0 < I_1$. In this case, Eve can cheat both bases at the same time, i.e., she controls the outcomes in $\mathbb {Z}$ while ensuring that only the $\left | + \right \rangle$ detector fires in $\mathbb {X}$. If Eve wants Alice to obtain an outcome of $\left | 0 \right \rangle$, she emits a signal with $I_e>I_0$, and all photons in it are sent to the $\left | 0 \right \rangle$ detector under the $\mathbb {Z}$ basis. If Eve wants Alice to obtain an outcome of $\left | 1 \right \rangle$, she emits the signal with $I_e>I_1$, and all photons in it are sent to the $\left | 1 \right \rangle$ detector under the $\mathbb {Z}$ basis. To make the outcomes in $\mathbb {Z}$ credible, she also requires $0.5I_e \leqslant I_-$ and $0.5I_e > I_+$ under the $\mathbb {X}$ basis. Overall, the intensity of the signal should be $\max \{I_1,2I_0\} < I_e \leqslant 2I_1$, which does not violate the premise $I_0 < I_1$.

2.3 d-dimensional case

Tailored detector blinding attacks also work in the $d$-dimensional measurement scenario. Two measurement bases $\mathbb {X}$ and $\mathbb {Z}$ are both $d$-dimensional and ideally have the relation $\left \vert _{z}\langle i\vert j \rangle _x\right \vert = 1/\sqrt {d}$ between any eigenstate $\vert i \rangle _z$ ($i \in \{1,2,\ldots,d\}$) of $\mathbb {Z}$ and any eigenstate $\vert j \rangle _x$ ($j \in \{1,2,\ldots,d\}$) of $\mathbb {X}$. The outcome $\left | 0 \right \rangle _x$ is the correct outcome in $\mathbb {X}$. Eve will emit signals with intensity $I_{th}<I_e \leqslant d I_{th}$ if she sets the same threshold $I_{th}$ for all detectors. When Alice measures the $\mathbb {X}$ basis, the light intensity entering each detector is $I_e/d$, which is less than the threshold $I_{th}$.

The situation will be slightly more complicated if Eve wants to control both bases perfectly. She can adjust the threshold of the detector representing $\left | 0 \right \rangle _x$ to the lowest among all detectors’ thresholds. Thus the $\left | 0 \right \rangle _x$ detector is the one that responds most easily when the $\mathbb {X}$ basis is used to measure signals that are eigenstates of the $\mathbb {Z}$ basis. The light intensity should be $d$ times higher than the threshold of the $\left | 0 \right \rangle _x$ detector to ensure the response of the detector. To avoid multiple-click events in $\mathbb {X}$, the light intensity should also be less than $d$ times the sub-smallest threshold. This, in turn, constrains the thresholds of the other detectors to be less than $d$ times the sub-smallest threshold. Otherwise, those detectors with a threshold higher than $d$ times the sub-smallest threshold will fail to fire because the light intensity is not sufficient.

3. Defensive strategy

In general, Eve controls the detectors while causing no click in the $\mathbb {X}$ basis, which is a hint for us. In terms of this hint, we should reconsider what no click means. First, we briefly review the concept of squashing models and analyze why this hint has been ignored in previous works. Then, we introduce a strategy for handling this hint, which modifies previous squashing models. The uncertainty relation for smooth entropy is used as a critical tool for generating quantum random numbers that are secure against general attacks. Finally, we generalize the security analysis to the $d$-dimensional case.

3.1 Squashing model

The dimension of the signals output from the channel is unknown since the channel is controlled by Eve. However, security analysis is usually qubit-based for two-dimensional measurements by virtue of simplicity. The squashing model [40–43] is developed to resolve this conflict. A squashing operation is applied to the signal, which virtually maps the multi-photon signal into a qubit. A virtual qubit measurement on this virtual qubit follows. Therefore, qubit-based security analysis is applicable for sources with unknown dimensions.

Measuring a qubit yields one of two outcomes corresponding to its two eigenstates. However, an unknown signal subjected to two-dimensional measurement actually yields one of four outcomes: a single click in one detector, a single click in the other detector, a double-click or no click. To reconcile this difference in outcomes, there are three treatments for different outcomes of signals. Single-click events in either detector are naturally related to the outcomes of measuring qubits. Double-click events are valid events but tell us nothing about randomness. They are used to evaluate the upper bound of the error rate [41]. Note that another squashing model [40,42] randomly assigns values for double-click events, and thus has a lower error rate and higher randomness consumption.

No-click events are regarded as vacua after losses. The positions of the losses in both bases are assumed to be uniformly random. Under this assumption, there are no qualms about discarding no-click events without disturbing the error rate. The protocol treating no-click events as vacua is described in Supplement 1. However, tailored detector blinding attacks break this confidence since the thresholds of the detectors can be changed such that a signal can definitely cause clicks in one basis and no click in the other. In the worst case, all no-click events in $\mathbb {X}$ are caused by tailored detector blinding attacks. Therefore, squashing models fail under such attacks.

3.2 Security analysis

The key point of our security analysis is how to securely deal with no-click events. Tasks such as Bell tests and device-independent quantum key distribution also suffer from the loophole introduced by no-click events, called the fair sampling loophole. An ingenious method is presented in Bell tests [39], in which some no-click events are retained to close this loophole; otherwise, the experimental results may have been screened by unknown factors. Inspired by this idea, we retain all no-click events. No-click events should have the same status as double-click events since they both have no randomness and can cover up attacks. Therefore, we treat no-click events in the same way as double-click events. They are error events in the $\mathbb {X}$ basis and correct events in the $\mathbb {Z}$ basis. The squashing model can now work under tailored detector blinding attacks.

Furthermore, considering $I_- > I_+ > 0$, it seems that no no-click event exists. In response to this situation, the $\left | + \right \rangle$ detector should be randomly assigned by Alice. Eve thus cannot accurately forecast it and has at most a 50% chance of firing in the $\left | + \right \rangle$ detector. Since we need only a small percentage of rounds to measure $\mathbb {X}$, the consumption of random numbers for deciding which detector will be used to measure $\left | + \right \rangle$ in each round is not an unbearable burden.
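The two attack cases of Sec. 2.2, run through the threshold model of Sec. 2.1 under both ways of accounting for no-click events, as an added example (not code from the paper). The threshold and intensity values are constructed, in arbitrary units, and the function names are illustrative.

```python
from fractions import Fraction
from itertools import product


def clicks(basis, eve_bit, intensity, thresholds):
    """Which of the two physical detectors fire for one pulse.

    Threshold model of Sec. 2.1: a detector fires only if the intensity
    reaching it is strictly greater than its threshold.
    """
    if basis == "Z":
        # Eve's Z eigenstate sends all the light to the detector she targets.
        arriving = [intensity if eve_bit == det else 0.0 for det in (0, 1)]
    else:
        # A Z eigenstate measured in X splits evenly over both detectors.
        arriving = [intensity / 2, intensity / 2]
    return tuple(a > t for a, t in zip(arriving, thresholds))


def z_control(intensity, thresholds):
    """Fraction of Z rounds whose single click equals the bit Eve chose."""
    hits = 0
    for bit in (0, 1):
        fired = clicks("Z", bit, intensity, thresholds)
        hits += fired[bit] and not fired[1 - bit]
    return Fraction(hits, 2)


def x_error_rate(intensity, thresholds, count_no_click, random_plus):
    """X-basis error rate N_x^e / N_x, or None if no X round was kept.

    count_no_click: True  = accounting of Sec. 3.2 (no-click is an error),
                    False = squashing-model accounting (no-click discarded).
    random_plus:    True  = Alice picks the |+> detector at random per round,
                    False = detector 0 always represents |+>.
    Eve's bit and Alice's choice are enumerated with equal weights.
    """
    plus_choices = (0, 1) if random_plus else (0,)
    kept = errors = 0
    for bit, plus in product((0, 1), plus_choices):
        fired = clicks("X", bit, intensity, thresholds)
        n_fired = sum(fired)
        if n_fired == 0 and not count_no_click:
            continue  # discarded as a vacuum event
        kept += 1
        correct = n_fired == 1 and fired[plus]
        errors += not correct
    return Fraction(errors, kept) if kept else None


# Constructed values (arbitrary units).
# Case (a): equal thresholds, I_th < I_e <= 2 I_th.
EQUAL = {"thresholds": (1.0, 1.0), "intensity": 1.5}
# Case (b): I_0 = I_+ < I_1 = I_-, max{I_1, 2 I_0} < I_e <= 2 I_1.
UNEQUAL = {"thresholds": (1.0, 1.6), "intensity": 2.5}


if __name__ == "__main__":
    for name, case in (("equal", EQUAL), ("unequal", UNEQUAL)):
        print(name, "Z control:", z_control(**case))
        for count, rand in product((False, True), repeat=2):
            print("  count_no_click=%s random_plus=%s e_x=%s"
                  % (count, rand, x_error_rate(count_no_click=count,
                                               random_plus=rand, **case)))
```

In case (a) the discarded no-clicks leave Alice with no X-basis evidence at all, while counting them drives the error rate to 1; in case (b) only the random choice of the $\left | + \right \rangle$ detector exposes the manipulation, at an error rate of 1/2.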

Our security analysis adopts the uncertainty relation for smooth entropy [44,45] to offer security against the most general attacks. This relation involves three parties, namely, the user Alice, the virtual user Bob and the adversary Eve, and is expressed as

$$\begin{aligned} H_{\rm{min}}^{\epsilon}(\textbf{Z}_{\rm A} \vert \textbf{E}) + H_{\rm{max}}^{\epsilon}(\textbf{X}_{\rm A} \vert \textbf{B}) & \geqslant q, \end{aligned} \tag{1}$$
where $\textbf {X}_{\rm A}$ ($\textbf {Z}_{\rm A}$) means that Alice measures her system ${\rm A}$ in the $\mathbb {X}$ ($\mathbb {Z}$) basis. The bound $q$ is an evaluation of the "incompatibility" of the measurement bases $\mathbb {X}$ and $\mathbb {Z}$. The smooth min-entropy $H_{\rm {min}}^{\epsilon }(\textbf {Z}_{\rm A} \vert \textbf {E})$ is Eve’s minimum uncertainty about $\textbf {Z}_{\rm A}$, which quantifies how much randomness can be extracted. The smooth max-entropy $H_{\rm {max}}^{\epsilon }(\textbf {X}_{\rm A} \vert \textbf {B})$ is related to the error rate of Bob guessing the value of $\textbf {X}_{\rm A}$. Bob is introduced as a virtual trusted user. He works with Alice and guesses the result of measuring the signal in the $\mathbb {X}$ basis. Ideally, measuring the signal in the $\mathbb {X}$ basis leads to $\textbf {X}_{\rm A} = \left | + \right \rangle$. Bob thus can guess $\textbf {X}_{\rm A} = \left | + \right \rangle$ to obtain a higher random number generation rate if Eve abandons her attack.

3.3 d-dimensional case

We can extend the security analysis against tailored detector blinding attacks to the $d$-dimensional measurement scenario. In $d$-dimensional measurement, the squashing model will squash the input signal into a qudit. There are $d$ possible outcomes when one measures the qudit in any qudit basis. The possible real outcomes of signals are no-click events, multiple-click events, and $d$ kinds of single-click events. The first two types of events are considered error events in $\mathbb {X}$-basis measurement and correct events in $\mathbb {Z}$-basis measurement. Single-click events are naturally related to the qudit measurement outcomes. Similarly, the $\left | 0 \right \rangle _x$ detector must be randomly selected.

4. Protocol description

Because the protocol is source independent, it focuses only on the measurement of unknown light and subsequent processing steps. Nevertheless, we offer a state preparation step before measurement, considering that Alice can provide an untrusted source to generate favorable signals and then improve the generation rate if Eve does not attack. We directly describe our protocol in the $d$-dimensional measurement case. Alice measures the signals in two partially complementary bases $\mathbb {X}$ and $\mathbb {Z}$ with eigenstates $\{\left | i \right \rangle _x\}$ and $\{\left | j \right \rangle _z\}$ ($i,j\in \{0,1,\ldots,d\}$), respectively. Here, $d$ is the measurement dimension.

State preparation. According to the specific structure of the detection devices, the source is expected to emit $N$ signals that cause only the $\left | 0 \right \rangle _x$ detector to fire. Although the source is not trusted, Bob can guess that the outcomes of measuring signals in the $\mathbb {X}$ basis are always $\left | 0 \right \rangle _x$. This may help improve the extractable randomness in practice. This step is public. Eve can change or replace signals at will before they enter the detection device.

$d$-dimensional measurement. Alice partially trusts her detection equipment. She randomly measures signals in basis $\mathbb {X}$ or $\mathbb {Z}$ with probability $p_x$ or $p_z=1-p_x$, respectively. Usually, $p_x$ is much lower than $p_z$, which is beneficial for the generation rate. When measuring signals in $\mathbb {X}$, she should randomly choose one of the detectors to detect $\left | 0 \right \rangle _x$.

Post-processing. In the $\mathbb {X}$ basis, the measurement outcomes can be divided into two parts: $N^c_x$ and $N^e_x$. $N^c_x$ is the number of correct outcomes in which only the detector that measures $\left | 0 \right \rangle _x$ fires. Other outcomes, including multiple-click events, single-click events on the incorrect detector and no-click events, are considered error outcomes and are counted in $N^e_x$. In the $\mathbb {Z}$ basis, we care only about single-click events, the total number of which is $N^s_z$.

Extract randomness. We analyze the randomness $H_{\rm {min}}^{\epsilon }(\textbf {Z}_{\rm A} \vert \textbf {E})$ that we can extract using the uncertainty relation for smooth entropy in Eq. (1). To bound $H_{\rm {max}}^{\epsilon }(\textbf {X}_{\rm A} \vert \textbf {B})$, we should evaluate the conflict between the guesses of Bob and the measurement outcomes of Alice on the $\mathbb {X}$ basis. This entropy concerns the outcomes we would obtain if we used the $\mathbb {X}$ basis to measure the signals that have actually been measured in $\mathbb {Z}$. Although we cannot obtain these outcomes directly, we can evaluate the probability that Bob guessed incorrectly by randomly choosing several rounds to test the outcome distribution in $\mathbb {X}$. This is why we introduce the monitoring basis $\mathbb {X}$, and the bit error rate $e_x=N^e_x/N_x$ reflects the probability that Bob guessed incorrectly in the asymptotic regime.

When considering the finite-key effect, we can apply the random sampling method to $e_x$ and obtain the upper bound $\bar {e}_x=e_x+\gamma (N_z,N_x,e_x,\epsilon _{rand})$ in the signals measured in $\mathbb {Z}$ with failure probability $\epsilon _{rand}$, where $\gamma$ is a fluctuation that can be numerically determined [46]:

$$\gamma(n, k, \lambda, \epsilon)=\frac{\frac{(1-2\lambda)AG}{n+k}+ \sqrt{\frac{A^2G^2}{(n+k)^2}+4\lambda(1-\lambda)G}}{2+2\frac{A^2G}{(n+k)^2}}, \tag{2}$$
with $0 < \lambda < \lambda + \gamma \leq 0.5$, $A=\max \{n,k\}$ and $G=\frac {n+k}{nk}\ln {\frac {n+k}{2\pi nk\lambda (1-\lambda )\epsilon ^{2}}}$.

Furthermore, only the single-click events in $\mathbb {Z}$ are valid random numbers. Other events, such as multiple-click events and no-click events, have no extractable randomness. The upper bound of the error rate in these single-click rounds [41] is $\bar {\phi }_z=(\bar {e}_x\times N_z)/N^s_z$, which means that all errors occurred in single-click events.

The smooth entropy $H_{\rm {max}}^{\epsilon }(\textbf {X}_{\rm A} \vert \textbf {B})$ is therefore limited by $h_d(\bar {\phi }_z)$, where $h_d(x) = -x\log _{2}(x/(d-1))-(1-x)\log _{2}(1-x)$ is the Shannon entropy function [47,48] in the case of $d$-dimensionality. The entropy $h_d(x)$ is concave and reaches its maximum value of $\log _{2}d$ at $x=(d-1)/d$. When $x$ is greater than $(d-1)/d$, i.e., the error rate is higher than that of random guesses, $H_{\rm {max}}^{\epsilon }(\textbf {X}_{\rm A} \vert \textbf {B})$ is set to $\log _{2}d$. In two-dimensional measurement, $H_{\rm {max}}^{\epsilon }(\textbf {X}_{\rm A} \vert \textbf {B})$ reduces to the binary Shannon entropy function $h_2(x)=-x\log _{2}(x)-(1-x)\log _{2}(1-x)$ with error rate $x$. The entropy $h_2(x)$ reaches its maximum value of $1$ at $e_x=0.5$. When $x$ is greater than $0.5$, we set $H_{\rm {max}}^{\epsilon }(\textbf {X}_{\rm A} \vert \textbf {B}) = 1$.

Additionally, we need the leftover hashing method [49] to distill random numbers from the randomness $H_{\rm {min}}^{\epsilon }(\textbf {Z}_{\rm A} \vert \textbf {E})$. For random number generation tasks, we focus on the secrecy in the composable security. In our protocol, there are three components that contribute to secrecy: smooth entropy, random sampling fluctuation and leftover hashing. They all have probabilities of failure. The failure probabilities of these components are labeled $\epsilon$, $\epsilon _{rand}$ and $\epsilon _{hash}$, respectively. According to the composable security, the protocol has $\varepsilon _{\rm sec}$-secrecy when $\varepsilon _{\rm sec}\geqslant \epsilon +\epsilon _{rand}+\epsilon _{hash}$. For simplicity, we take $\epsilon =\epsilon _{rand}=\epsilon _{hash}=\varepsilon _{\rm sec}/3$. Through leftover hashing, we can generate a random number string of length $\ell$:

$$\begin{aligned} & \frac{1}{2}\sqrt{2^{\ell - H_{\rm{min}}^{\epsilon}(\textbf{Z}_A\vert \textbf{E})}} \leqslant \epsilon_{hash},\\ & \ell \geqslant H_{\rm{min}}^{\epsilon}(\textbf{Z}_A\vert \textbf{E}) - 2\log_{2}\frac{1}{2\epsilon_{hash}}. \end{aligned} \tag{3}$$

In accordance with Eq. (1), we finally find that the length of secret random numbers with $\varepsilon _{\rm sec}$-secrecy is given by

$$\begin{aligned} \ell & \geqslant N_{z}^{s}[q-h_d(\bar{\phi}_z)]-2\log_2\frac{3}{2\varepsilon_{\rm sec}}-n_{seeds}, \end{aligned} \tag{4}$$
where $\bar {\phi _z}$ is the upper bound of the error rate assuming that we used the $\mathbb {X}$ basis to measure the signals leading to single-click events in the $\mathbb {Z}$ basis.

For the active-basis-choice, we need to consume some random numbers while generating them. First, the basis choice consumes approximately $N_x \log _{2}N$ [26]. Second, we should assign the detection channel for measuring the eigenstate $\vert +\rangle$ every time we measure the state in $\mathbb {X}$. This consumes approximately $N_x \log _{2}d$, where $d$ is the dimensionality of the measurement. Therefore, the term $n_{seeds}$ in Eq. (4) is $n_{seeds}=N_x \log _{2}N+N_x \log _{2}d$.

The relation between the extracted randomness per pulse and the dimensionality of the measurement basis is shown in Fig. 2. For simplicity, we assume perfect detection here with a dark count of $10^{-5}$. In the simulation, we assume that the states are coherent states. The yield when the signal contains $n$ photons and the measurement in $\mathbb {X}$ causes a single click on the $\vert 0 \rangle _x$ detector is $Y_{n}^{\vert 0 \rangle _x} =(1-p_d)^{d-1}- (1-p_d)^{d}(1-\eta )^n$, where $d$ is the dimensionality of measurement, $p_d$ is the dark count and $\eta$ evaluates the total loss, including the detection inefficiency. The gain of this kind of single-click event is $Q_{\mu }^{x} =(1-p_d)^{d-1}-(1-p_d)^{d}e^{-\mu '}$. Here, we can consider the light intensity and loss collectively as $\mu ' = \mu \eta$, since both of them are insecure. The experiment indicates that the misalignment error is $e_d = 0.004$. We roughly use $N^e_x = N_x(1-Q_{\mu }^{x}+e_d Q_{\mu }^{x})$.


Fig. 2. Dimensions of the measurement basis and generation rates per pulse. The asymptotic case is investigated, in which the amount of data is infinite. Scatter points in different colors represent cases in which the numbers of emitted pulses $N$ are $10^9$, $10^8$, $10^7$ and $10^6$.


The yield when the signal contains $n$ photons and the measurement in $\mathbb {Z}$ causes a single click on one detector is $Y_{n}^{sc}=(1-p_d)^{d-1}\left [(1-(d-1)\eta /d)^n - (1-\eta )^n (1-p_d)\right ]$. The gain of all single click events is $Q_{\mu }^{z} =d(1-p_d)^{d-1}e^{-(d-1)\mu '/d}-d(1-p_d)^{d}e^{-\mu '}$. We have $N^s_z = N_z Q_{\mu }^{z}$. We optimize both the light intensity and the basis choice ratio. Although the consumption of random seeds increases as the dimension increases, the increase in dimension is beneficial for the extracted randomness per pulse. Different data sizes have an impact on the generation rate. Note that the data size here refers to the number of pulses sent. Even if the data size is only $10^6$, the random number can be extracted effectively, which implies the possibility of real-time random number generation.
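The finite-size calculation of this section carried through numerically, from the simulated gains $Q_{\mu }^{x}$ and $Q_{\mu }^{z}$ to the fluctuation $\gamma$, the bound $\bar {\phi }_z$, $h_d$ and the final length $\ell$, as an added example (not code from the paper). The values $\varepsilon _{\rm sec}=10^{-10}$ and $\mu '=3$ are assumptions, the function names are illustrative, and returning $\ell =0$ whenever $\bar {e}_x$ leaves the range $0<\lambda <\lambda +\gamma \leq 0.5$ is a conservative choice made here.

```python
import math


def gamma(n, k, lam, eps):
    """Random-sampling fluctuation gamma(n, k, lambda, epsilon) from the text."""
    if not 0 < lam < 0.5:
        raise ValueError("the bound is stated for 0 < lambda < 0.5")
    A = max(n, k)
    G = (n + k) / (n * k) * math.log(
        (n + k) / (2 * math.pi * n * k * lam * (1 - lam) * eps ** 2))
    num = (1 - 2 * lam) * A * G / (n + k) + math.sqrt(
        A ** 2 * G ** 2 / (n + k) ** 2 + 4 * lam * (1 - lam) * G)
    return num / (2 + 2 * A ** 2 * G / (n + k) ** 2)


def h_d(x, d):
    """d-dimensional Shannon entropy, set to log2(d) for x >= (d-1)/d."""
    if x <= 0:
        return 0.0
    if x >= (d - 1) / d:
        return math.log2(d)
    return -x * math.log2(x / (d - 1)) - (1 - x) * math.log2(1 - x)


def secure_length(N, N_z, N_x, N_x_err, N_z_single, d, q, eps_sec):
    """Extractable length l in bits (0 if the bound gives nothing).

    N_x_err counts no-click, multiple-click and wrong-detector X rounds.
    The three failure probabilities are each eps_sec / 3, as in the text.
    """
    if N_z_single <= 0:
        return 0
    e_x = N_x_err / N_x
    if e_x >= 0.5:            # outside the range of the sampling bound
        return 0
    e_bar = e_x + gamma(N_z, N_x, e_x, eps_sec / 3)
    if e_bar > 0.5:           # conservative choice made in this example
        return 0
    # Worst case: every error falls on a single-click Z round.
    phi_bar = e_bar * N_z / N_z_single
    # Seed cost of the basis choice and of assigning the |0>_x detector.
    n_seeds = N_x * math.log2(N) + N_x * math.log2(d)
    ell = (N_z_single * (q - h_d(phi_bar, d))
           - 2 * math.log2(3 / (2 * eps_sec)) - n_seeds)
    return max(0, math.floor(ell))


def simulated_counts(N, p_x, mu_eff, d, p_d=1e-5, e_d=0.004):
    """Counts from the coherent-state model of the text (mu_eff = mu * eta)."""
    N_x = N * p_x
    N_z = N - N_x
    Q_x = (1 - p_d) ** (d - 1) - (1 - p_d) ** d * math.exp(-mu_eff)
    Q_z = (d * (1 - p_d) ** (d - 1) * math.exp(-(d - 1) * mu_eff / d)
           - d * (1 - p_d) ** d * math.exp(-mu_eff))
    N_x_err = N_x * (1 - Q_x + e_d * Q_x)
    return N_z, N_x, N_x_err, N_z * Q_z


def rate_per_pulse(N, p_x, mu_eff, d, q, eps_sec=1e-10):
    """Extracted bits per emitted pulse; eps_sec = 1e-10 is an assumption."""
    N_z, N_x, N_x_err, N_z_single = simulated_counts(N, p_x, mu_eff, d)
    return secure_length(N, N_z, N_x, N_x_err, N_z_single, d, q, eps_sec) / N


if __name__ == "__main__":
    # p_x = 0.0005 and q = 0.954 are the values quoted for the experiment;
    # N = 1e9 pulses and mu_eff = 3 are assumed for illustration.
    print("rate per pulse:", rate_per_pulse(1e9, 0.0005, 3.0, 2, 0.954))
    # Half of the X rounds are errors: no randomness is certified.
    print("l at e_x = 0.5:", secure_length(1e9, 9.995e8, 5e5, 2.5e5,
                                           3.4e8, 2, 0.954, 1e-10))
```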

5. Experimental implementation

We experimentally implement our QRNG protocol using the setup shown in Fig. 3, which includes an untrusted randomness source and a trusted detection device with the structure disclosed. Random number generation with two-dimensional measurement is demonstrated. The measurement bases used here are the polarization bases, and all fiber paths in our setup are polarization-maintaining fibers. We refer to the state that propagates through the slow (fast) axis of the polarization-maintaining fiber as the eigenstate $\vert H \rangle$ ($\vert V \rangle$) of basis $\mathbb {Z}$.


Fig. 3. Experimental setup. The untrusted source is composed of a laser and a variable optical attenuator (VOA). The partially trusted detection equipment includes a dense wavelength division multiplexer (DWDM), two circulators (CIR), a polarization beam splitter (PBS), a polarization beam splitter with $45 ^\circ$ alignment ($45^\circ$ PBS), a phase modulator (PM) controlled by an arbitrary waveform generator (AWG), and a superconducting nanowire single-photon detector (SNSPD). All optical fibers are polarization-maintaining fibers.


In the detection part, a dense wavelength division multiplexer and a circulator are utilized to resist wavelength-dependent attacks [50] and detector backflash attacks [51], respectively. The DWDM can be replaced with a DWDM series to better isolate other wavelengths. The optical pulses from the source enter the circulator and are fully transmitted through a polarization beam splitter (PBS). The pulses are split by a $45^\circ$-aligned polarization beam splitter ($45^\circ$ PBS) and enter a Sagnac interferometer. In the Sagnac interferometer, a phase modulator (PM) driven by an arbitrary waveform generator is utilized to realize the active-basis-choice by modulating the relative phase between clockwise and anticlockwise propagating pulses. The anticlockwise propagating pulses arrive at the PM with a 25 ns delay relative to clockwise propagating pulses, although they pass through the same fiber. The selections of the measurement basis and the detector representing $\vert + \rangle$ are commanded by quantum random numbers generated from a previous quantum key distribution experiment [52]. In the experiment, the sequence with length $10^4$ is circularly fed to the AWG. The probability of selecting the $\mathbb {Z}$ basis is $99.95\%$. When the $\mathbb {Z}$ basis is chosen for measurement, the PM adds a $\pi /2$ phase shift on the earlier arrived pulse. When the $\mathbb {X}$ basis is chosen, to avoid the attack with $I_0 \neq I_1$, the PM randomly adds a $0$ or $\pi$ phase shift on the pulse, where the choice of the phase shift determines the detector representing $\vert + \rangle$. The two pulses are recombined into one in the 45$^\circ$ PBS. After exiting the Sagnac interferometer, the pulse is split by the PBS. Two channels of an SNSPD, $D_H$ and $D_V$, are utilized to detect the signals that leave the circulator and the PBS, respectively. When the insertion loss of the circulator (1.05 dB) is considered, the detection efficiency is approximately 39$\%$.

The dark count rates of the two SNSPD channels are 24 cps and 5 cps, respectively, and the dead time is 50 ns. The detection efficiency of the SNSPD is time-independent. Thus, it is immune to the time-shift attack [53]. In our data analysis, all detection events from the entire time period are used in phase error rate estimation instead of using the preset time window. This enables our experimental system to resist dead time attacks [54] and afterpulse attacks [31]. Note that this strategy is effective for both SNSPD and avalanche photodiodes.

The randomness source can theoretically be offered by any other party. To demonstrate the ability to generate random numbers with our protocol, we desire $\vert H \rangle$ pulses to achieve the best generation performance according to the design of our detection equipment. Thus, we use the uncharacterized light emitted by a 14-pin butterfly laser diode with a homemade driving circuit and pump it into the slow axis of the polarization maintaining fiber. The laser is triggered by the arbitrary waveform generator and emits pulses with a 5 MHz repetition rate. The best scenario is when the output state of the source is $\vert H\rangle$. If the output state is another polarization state, it affects only the generated randomness per pulse. The security analysis provided here universally fits the unknown input state.

The intensity of the pulse influences the type of click event and thus affects the generation rate. In Fig. 4, the abscissa represents the light intensity, and the ordinate represents the generation rate. The orange line represents the simulation results, and the red stars are the experimental results. In Eq. (4), the value of $q$ should be calibrated. According to the entropic uncertainty relation, $q=-\log _2{\max _{x,z}{\vert \langle x\vert z \rangle \vert ^2}}$ is the incompatibility between two measurement bases. To realize the calibration, we first adjust the light until the ratio of photon counts between the two detection channels is above 24 dB in the $\mathbb {X}$ basis. This means that the light is approximately a perfect eigenstate of $\mathbb {X}$. Subsequently, we measure the light in the $\mathbb {Z}$ basis and obtain the ratio of photon counts between the two detection channels. By comparing the single-click events in the two detection channels, the value of $q$ is calibrated to $q=0.954$ in our detection equipment.


Fig. 4. Random number generation rates in experiments. The orange line represents the simulation results, and red stars represent the experimental results. In the experiment, the random number generation rate is 0.101 when the intensity is $\mu = 9.6$. With 5 MHz system repetition, we accumulate data for approximately 200 seconds at each point, corresponding to a data size of $10^9$, and a random number generation speed of 505 kbps is achieved.


The unbalanced detection efficiency should be taken into account [55]. Its impact is introduced as a coefficient of the generation rate [56,57]. This coefficient is $\eta _{e}=2\min \{(\eta _0,\eta _1)\}/(\eta _0+\eta _1)$, which depends on the efficiencies of the two detection channels. The final random number extracted is

$$\begin{aligned} \ell & \geqslant \eta_{e}\left(N_{z}^{s}[q-h_d(\bar{\phi}_z)]-2\log_2\frac{3}{2\varepsilon_{\rm sec}}\right)-n_{seeds}. \end{aligned}$$

The detection efficiencies are $49\%$ and $39\%$, respectively, in calibration. After taking the insertion loss of the circulator (1.05 dB) into account, $\eta _{e}$ is calculated to be $0.9932$. The detailed experimental results are shown in Supplement 1. For each data point, we collect approximately 200 seconds of data, corresponding to a data size of $10^9$. When calculating the error rate in the $\mathbb {X}$ basis, no-click events, single-click events on the incorrect detector, and double-click events are all taken into account. At the optimal point, the intensity of the pulses before entering the detector is 9.3 photons per pulse, and the random number generation rate is 0.101.

We also consider the influence of the channel loss on random number generation. The loss reduces the light intensity reaching the detector, thereby decreasing the generation rate when the source produces pulses with the optimal intensity. Fortunately, our experimental setup enables us to compensate for the channel loss by increasing the intensity of the source. First, to show the stability of the experimental system, the detector count rate and error rate versus time are presented in Fig. 5. We use data collected with a 10 dB channel loss with optimum intensity. During the 200-second test time, the count rate is always approximately 4.15 MHz (corresponding to $\mu$ = 9.17 before entering the detector), and the error rate of the $\mathbb {X}$ basis is approximately $3.5 \%$ (including both no-click and double-click events). We then experimentally show the relation between the loss and the generation rate under a fixed intensity and variable intensity, as shown in Fig. 6. Our protocol is compared with the traditional source-independent scheme in Supplement 1. The difference between the two schemes is whether no-click events are treated as valid events. At each channel loss, the data obtained with fixed intensity are analyzed to calculate the key rate for both our protocol and the traditional source-independent protocol. In the case of high channel loss, the generation rate of our protocol is zero due to the high error rate that results from no-click events. Meanwhile, the traditional source-independent protocol can still generate random numbers, and the generation rate can be as high as 0.387 (corresponding to 1.94 Mbps) when the channel loss is 3 dB. This difference in the generation rate under the same loss reflects the maximal security vulnerabilities caused by tailored detector blinding attacks. By increasing the intensity of the source to compensate for the channel loss, the generation rate can be maintained at the optimal level.
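The efficiency-mismatch coefficient, the $\mathbb{X}$-basis error accounting, and the final bound described above can be put together as follows. This is an added example, not code from the paper: it evaluates the bound for the two-dimensional case with $h_d$ taken as the binary entropy, and compares counting no-click events as errors with discarding them. Assumptions: the circulator loss is applied to the $49\%$ channel (this reproduces the stated $\eta_e$), the observed error rate stands in for $\bar{\phi}_z$ without a finite-size correction, and all event counts, `EPS_SEC`, `N_Z_S` and `N_SEEDS` are constructed values.

```python
import math

Q = 0.954                   # calibrated incompatibility q (value from the page)
CIRCULATOR_LOSS_DB = 1.05   # circulator insertion loss (value from the page)

# Constructed parameters, not taken from the paper.
EPS_SEC = 1e-10             # security parameter epsilon_sec
N_Z_S = 200_000_000         # N_z^s as it appears in the bound
N_SEEDS = 1_000_000         # n_seeds, random bits consumed as seed

# Constructed X-basis event counts (5e5 rounds = 0.05% of 1e9 pulses).
HONEST = {"correct": 482_500, "wrong": 2_500, "double": 5_000, "none": 10_000}
# Same click statistics, but 300 000 rounds yield no click at all, as when
# the detectors stay silent whenever the X basis is measured.
BLINDED = {"correct": 193_000, "wrong": 1_000, "double": 2_000, "none": 304_000}


def after_loss(efficiency, loss_db):
    """Efficiency that remains after an insertion loss given in dB."""
    return efficiency * 10 ** (-loss_db / 10)


def mismatch_coefficient(eta0, eta1):
    """eta_e = 2 min(eta0, eta1) / (eta0 + eta1)."""
    return 2 * min(eta0, eta1) / (eta0 + eta1)


def binary_entropy(x):
    """h_d for d = 2 (assumed to reduce to the binary Shannon entropy)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def x_basis_error_rate(counts, no_click_is_error):
    """Error rate in the X basis under the two accounting rules.

    Wrong-detector clicks and double clicks are always errors. No-click
    rounds are either counted as valid errors or dropped from the sample.
    """
    errors = counts["wrong"] + counts["double"]
    valid = counts["correct"] + errors
    if no_click_is_error:
        errors += counts["none"]
        valid += counts["none"]
    if valid == 0:
        raise ValueError("no valid X-basis events to estimate from")
    return errors / valid


def extractable_bits(n_z_s, phase_error, eta_e, eps_sec, n_seeds, q=Q):
    """Lower bound on the output length; never negative."""
    # Guard: the binary entropy falls again above 1/2, so cap the error
    # rate there to avoid certifying randomness from a useless estimate.
    phi = min(phase_error, 0.5)
    inner = n_z_s * (q - binary_entropy(phi)) - 2 * math.log2(3 / (2 * eps_sec))
    return max(0, math.floor(eta_e * inner - n_seeds))


# 49% channel behind the circulator, 39% channel direct (assumption).
ETA_E = mismatch_coefficient(after_loss(0.49, CIRCULATOR_LOSS_DB), 0.39)


def compare():
    """Output length for both runs under both accounting rules."""
    result = {}
    for name, counts in (("honest", HONEST), ("blinded", BLINDED)):
        result[name] = {}
        for label, flag in (("no_click_counted", True),
                            ("no_click_discarded", False)):
            rate = x_basis_error_rate(counts, flag)
            result[name][label] = extractable_bits(
                N_Z_S, rate, ETA_E, EPS_SEC, N_SEEDS)
    return result


if __name__ == "__main__":
    print(f"eta_e = {ETA_E:.4f}")
    for run, rows in compare().items():
        for rule, bits in rows.items():
            print(f"{run:8s} {rule:20s} {bits:>12d} bits")
```

With no-click rounds discarded, the two runs give the same error estimate and the same output length; with no-click rounds counted, the second run yields zero bits.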


Fig. 5. The detector count rate and error rate over 200 seconds. We use data for a 10 dB channel loss with optimal intensity. Each dot corresponds to the data acquired over two seconds. During testing, the count rate is always approximately 4.15 MHz. No-click events, incorrect detector click events and double-click events are all treated as errors in the $\mathbb {X}$ basis, and the error rate of the $\mathbb {X}$ basis is always less than 4$\%$, which shows the stability of our experimental system.


Fig. 6. Relation between the random number generation rates and the channel loss. The blue line is the generation rate when the intensity is always optimal, and the red line is the generation rate when the intensity has a fixed value of $\mu = 9.3$. The gray dashed line is the generation rate of the traditional SI-QRNG protocol with no-click events discarded provided in Supplement 1. Stars in different colors represent the experimental results. Discarding no-click events leads to security risks under bright illumination, as shown in the gray filled area.


To further verify the quality of the final output random numbers, we apply the standard NIST statistical tests [58]. After collecting data for approximately 200 seconds, a total of $1.02 \times 10^9$ pulses have been sent, and the key rate is 0.103. After privacy amplification, the final random number of length $1.05\times 10^8$ is divided into 100 bitstreams, and fifteen statistical tests are implemented. As shown in Table 1, the random numbers generated in the experiment pass all NIST statistical tests.

Table 1. The results of the NIST statistical test.

6. Discussion

In conclusion, we have proposed an SI-QRNG type protocol that can resist the tailored detector blinding attack. By exploiting the uncertainty relation for smooth entropy, our protocol can be easily extended to high-dimensional measurement cases with composable security against coherent attacks under the finite-key effect.

In our experiments, the detection loss and the channel loss can be compensated by improving the emission intensity. Using a 5 MHz experimental system, we achieve a quantum random number generation speed of over 500 kbps. By increasing the saturation count rate of the detectors to the GHz level [59], the QRNG generation rate can be enhanced to more than 100 Mbps. Through simple experimental tricks, our experimental implementation suppresses most well-known attacks on detector components, realizing an extremely high security level approaching device-independence. Note that our theoretical framework and experimental scheme are a general solution to tailored detector blinding attacks; they are therefore applicable to both SNSPDs and avalanche photodiodes.

Here we briefly discuss why detector blinding attacks need to be studied. This kind of attack was first proposed for quantum key distribution tasks, and several experimental countermeasures against it exist for those tasks. A common solution is to install a beam splitter before signals enter the detection equipment to monitor the light intensity [60]. Crafty adversaries can instead send instantaneous bright trigger light, which blinds the detector without disrupting the monitor [34,35]. Other solutions [61–64], such as randomly changing the attenuation in front of the detector and analyzing the corresponding detection events and errors, also increase the difficulty of experimental operation [65]. While experimental solutions attempt to judge whether the generator is under attack by designing a more sophisticated system, further advanced attacks from Eve usually cannot be avoided [65,66]. Finally, the measurement-device-independent scheme was proposed, which trusts only the sources and hands the whole detection component over to an untrusted third party. However, for QRNG, trusting the detection component is more reasonable, because there is only one user. SI-QRNG protocols can select sources from local materials, which is more practical. In this case, the detector blinding attack needs to be carefully considered. Note that recent work has also considered this attack [67].

Bell tests [39] indicate the importance of the fair sampling assumption. When the assumption does not hold, it is necessary to carefully handle all measurement outcomes, especially no-click events. This comprehensive consideration is an important feature that distinguishes our protocol from others. Furthermore, using the probability correlation of click events, only part of the no-click events are counted in the final results in Bell tests. Accordingly, our protocol has the opportunity to reduce the impact of no-click events on the error rate through a certain probability correlation to improve the generation rate.

It is worth noting that our protocol is not device-independent. Thus, it is impossible to defend against all attacks on detectors. Here we solved the tailored detector blinding attack that controls random numbers by directly sending the state corresponding to the desired outcome. There may also be more complex attacks. For instance, Eve can carefully analyze the detection thresholds of the two detectors to generate a superposition state of $\mathbb {Z}$ for attacks. We can avoid this problem through polarization-maintaining fiber in our experiment. In addition, when the two detectors have different detection thresholds, Eve can only make the detector with the smaller threshold click. These are all worthy of further consideration.

Finally, a passive-basis-choice approach may also help realize random number generation. We apply an active basis choice in our protocol, which consumes a considerable amount of random numbers. For this reason, our protocol is a randomness expansion rather than an absolute randomness generation. A passive basis choice can avoid this kind of consumption and enables real random extraction by further discarding the double-basis clicks. To maintain security, some assumptions must be introduced. It is also worth investigating whether these assumptions are reasonable.

Funding

National Natural Science Foundation of China (12274223); Natural Science Foundation of Jiangsu Province (BK20211145); Fundamental Research Funds for the Central Universities (020414380182); Key Research and Development Program of Nanjing Jiangbei New Area (ZDYD20210101); Program for Innovative Talents and Entrepreneurs in Jiangsu (JSSCRC2021484).

Acknowledgments

We thank P. Liu, X.-Y. Cao, and C.-X. Weng for their valuable discussions.

Disclosures

The authors declare no conflicts of interest.

Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

Supplemental document

See Supplement 1 for supporting content.

References

1. F. James, “A review of pseudorandom number generators,” Comput. Phys. Commun. 60(3), 329–344 (1990).

2. P. L’Ecuyer, “Random number generation,” in Handbook of Computational Statistics: Concepts and Methods (Springer, 2012), pp. 35–71.

3. V. Fischer and M. Drutarovskỳ, “True random number generator embedded in reconfigurable hardware,” in Cryptographic Hardware and Embedded Systems - CHES 2002 (Springer, 2003), pp. 415–430.

4. I. Reidler, Y. Aviad, M. Rosenbluh, and I. Kanter, “Ultrahigh-speed random number generation based on a chaotic semiconductor laser,” Phys. Rev. Lett. 103(2), 024102 (2009).

5. X. Ma, X. Yuan, Z. Cao, B. Qi, and Z. Zhang, “Quantum random number generation,” npj Quantum Inf. 2(1), 16021 (2016).

6. M. Herrero-Collantes and J. C. Garcia-Escartin, “Quantum random number generators,” Rev. Mod. Phys. 89(1), 015004 (2017).

7. J. Liu, Y. Qi, Z. Y. Meng, and L. Fu, “Self-learning Monte Carlo method,” Phys. Rev. B 95(4), 041101 (2017).

8. N. Masuda, M. A. Porter, and R. Lambiotte, “Random walks and diffusion on networks,” Phys. Rep. 716-717, 1–58 (2017).

9. M.-O. Renou, D. Trillo, M. Weilenmann, T. P. Le, A. Tavakoli, N. Gisin, A. Acín, and M. Navascués, “Quantum theory based on real numbers can be experimentally falsified,” Nature 600(7890), 625–629 (2021).

10. H.-L. Yin, Y. Fu, and Z.-B. Chen, “Practical quantum digital signature,” Phys. Rev. A 93(3), 032316 (2016).

11. P. Alikhani, N. Brunner, C. Crépeau, S. Designolle, R. Houlmann, W. Shi, N. Yang, and H. Zbinden, “Experimental relativistic zero-knowledge proofs,” Nature 599(7883), 47–50 (2021).

12. Y. Fu, H.-L. Yin, T.-Y. Chen, and Z.-B. Chen, “Long-distance measurement-device-independent multiparty quantum communication,” Phys. Rev. Lett. 114(9), 090501 (2015).

13. S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. Shamsul Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, “Advances in quantum cryptography,” Adv. Opt. Photonics 12(4), 1012–1236 (2020).

14. W.-B. Liu, C.-L. Li, Y.-M. Xie, C.-X. Weng, J. Gu, X.-Y. Cao, Y.-S. Lu, B.-H. Li, H.-L. Yin, and Z.-B. Chen, “Homodyne detection quadrature phase shift keying continuous-variable quantum key distribution with high excess noise tolerance,” PRX Quantum 2(4), 040334 (2021).

15. S. Pironio, A. Acín, S. Massar, A. B. de La Giroday, D. N. Matsukevich, P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe, “Random numbers certified by Bell’s theorem,” Nature 464(7291), 1021–1024 (2010).

16. Y. Liu, Q. Zhao, M.-H. Li, J.-Y. Guan, Y. Zhang, B. Bai, W. Zhang, W.-Z. Liu, C. Wu, X. Yuan, H. Li, W. J. Munro, Z. Wang, L. You, J. Zhang, X. Ma, J. Fan, Q. Zhang, and J.-W. Pan, “Device-independent quantum random-number generation,” Nature 562(7728), 548–551 (2018).

17. Y. Zhang, L. K. Shalm, J. C. Bienfang, M. J. Stevens, M. D. Mazurek, S. W. Nam, C. Abellán, W. Amaya, M. W. Mitchell, H. Fu, C. A. Miller, A. Mink, and E. Knill, “Experimental low-latency device-independent quantum randomness,” Phys. Rev. Lett. 124(1), 010505 (2020).

18. P. Bierhorst, E. Knill, S. Glancy, Y. Zhang, A. Mink, S. Jordan, A. Rommal, Y.-K. Liu, B. Christensen, S. W. Nam, M. J. Stevens, and L. K. Shalm, “Experimentally generated randomness certified by the impossibility of superluminal signals,” Nature 556(7700), 223–226 (2018).

19. M.-H. Li, X. Zhang, W.-Z. Liu, S.-R. Zhao, B. Bai, Y. Liu, Q. Zhao, Y. Peng, J. Zhang, Y. Zhang, W. J. Munro, X. Ma, Q. Zhang, J. Fan, and J.-W. Pan, “Experimental realization of device-independent quantum randomness expansion,” Phys. Rev. Lett. 126(5), 050503 (2021).

20. L. K. Shalm, Y. Zhang, J. C. Bienfang, C. Schlager, M. J. Stevens, M. D. Mazurek, C. Abellán, W. Amaya, M. W. Mitchell, M. A. Alhejji, H. Fu, J. Ornstein, R. P. Mirin, S. W. Nam, and E. Knill, “Device-independent randomness expansion with entangled photons,” Nat. Phys. 17(4), 452–456 (2021).

21. W.-Z. Liu, M.-H. Li, S. Ragy, S.-R. Zhao, B. Bai, Y. Liu, P. J. Brown, J. Zhang, R. Colbeck, J. Fan, Q. Zhang, and J.-W. Pan, “Device-independent randomness expansion against quantum side information,” Nat. Phys. 17(4), 448–451 (2021).

22. Y. Zhang, H.-P. Lo, A. Mink, T. Ikuta, T. Honjo, H. Takesue, and W. J. Munro, “A simple low-latency real-time certifiable quantum random number generator,” Nat. Commun. 12(1), 1056 (2021).

23. A. Tavakoli, “Semi-device-independent framework based on restricted distrust in prepare-and-measure experiments,” Phys. Rev. Lett. 126(21), 210503 (2021).

24. Y.-Q. Nie, J.-Y. Guan, H. Zhou, Q. Zhang, X. Ma, J. Zhang, and J.-W. Pan, “Experimental measurement-device-independent quantum random-number generation,” Phys. Rev. A 94(6), 060301 (2016).

25. T. Gehring, C. Lupo, A. Kordts, D. Solar Nikolic, N. Jain, T. Rydberg, T. B. Pedersen, S. Pirandola, and U. L. Andersen, “Homodyne-based quantum random number generator at 2.9 Gbps secure against quantum side-information,” Nat. Commun. 12(1), 605 (2021).

26. Z. Cao, H. Zhou, X. Yuan, and X. Ma, “Source-independent quantum random number generation,” Phys. Rev. X 6(1), 011020 (2016).

27. D. G. Marangon, G. Vallone, and P. Villoresi, “Source-device-independent ultrafast quantum random number generation,” Phys. Rev. Lett. 118(6), 060503 (2017).

28. M. Avesani, D. G. Marangon, G. Vallone, and P. Villoresi, “Source-device-independent heterodyne-based quantum random number generator at 17 Gbps,” Nat. Commun. 9(1), 5365 (2018).

29. D. Drahi, N. Walk, M. J. Hoban, A. K. Fedorov, R. Shakhovoy, A. Feimov, Y. Kurochkin, W. S. Kolthammer, J. Nunn, J. Barrett, and I. A. Walmsley, “Certified quantum random numbers from untrusted light,” Phys. Rev. X 10(4), 041048 (2020).

30. J. Cheng, J. Qin, S. Liang, J. Li, Z. Yan, X. Jia, and K. Peng, “Mutually testing source-device-independent quantum random number generator,” Photonics Res. 10(3), 646–652 (2022).

31. X. Lin, S. Wang, Z.-Q. Yin, G.-J. Fan-Yuan, R. Wang, W. Chen, D.-Y. He, Z. Zhou, G.-C. Guo, and Z.-F. Han, “Security analysis and improvement of source independent quantum random number generators with imperfect devices,” npj Quantum Inf. 6(1), 100 (2020).

32. Y.-H. Li, X. Han, Y. Cao, X. Yuan, Z.-P. Li, J.-Y. Guan, J. Yin, Q. Zhang, X. Ma, C.-Z. Peng, and J.-W. Pan, “Quantum random number generation with uncharacterized laser and sunlight,” npj Quantum Inf. 5(1), 97 (2019).

33. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4(10), 686–689 (2010).

34. C. Wiechers, L. Lydersen, C. Wittmann, D. Elser, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “After-gate attack on a quantum cryptosystem,” New J. Phys. 13(1), 013043 (2011).

35. L. Lydersen, N. Jain, C. Wittmann, Ø. Marøy, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “Superlinear threshold detectors in quantum cryptography,” Phys. Rev. A 84(3), 032320 (2011).

36. F. Xu, X. Ma, Q. Zhang, H.-K. Lo, and J.-W. Pan, “Secure quantum key distribution with realistic devices,” Rev. Mod. Phys. 92(2), 025002 (2020).

37. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” Nat. Commun. 2(1), 349 (2011).

38. L. Lydersen, M. K. Akhlaghi, A. H. Majedi, J. Skaar, and V. Makarov, “Controlling a superconducting nanowire single-photon detector using tailored bright illumination,” New J. Phys. 13(11), 113042 (2011).

39. N. Brunner, D. Cavalcanti, S. Pironio, V. Scarani, and S. Wehner, “Bell nonlocality,” Rev. Mod. Phys. 86(2), 419–478 (2014).

40. N. J. Beaudry, T. Moroder, and N. Lütkenhaus, “Squashing models for optical measurements in quantum communication,” Phys. Rev. Lett. 101(9), 093601 (2008).

41. C.-H. F. Fung, H. F. Chau, and H.-K. Lo, “Universal squash model for optical communications using linear optics and threshold detectors,” Phys. Rev. A 84(2), 020303 (2011).

42. O. Gittsovich, N. J. Beaudry, V. Narasimhachar, R. R. Alvarez, T. Moroder, and N. Lütkenhaus, “Squashing model for detectors and applications to quantum-key-distribution protocols,” Phys. Rev. A 89(1), 012325 (2014).

43. T. Tsurumaru and K. Tamaki, “Security proof for quantum-key-distribution systems with threshold detectors,” Phys. Rev. A 78(3), 032302 (2008).

44. M. Tomamichel and R. Renner, “Uncertainty relation for smooth entropies,” Phys. Rev. Lett. 106(11), 110506 (2011).

45. M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nat. Commun. 3(1), 634 (2012).

46. H.-L. Yin, M.-G. Zhou, J. Gu, Y.-M. Xie, Y.-S. Lu, and Z.-B. Chen, “Tight security bounds for decoy-state quantum key distribution,” Sci. Rep. 10(1), 14312 (2020).

47. Y. Ding, D. Bacco, K. Dalgaard, X. Cai, X. Zhou, K. Rottwitt, and L. K. Oxenløwe, “High-dimensional quantum key distribution based on multicore fiber using silicon photonic integrated circuits,” npj Quantum Inf. 3(1), 25 (2017).

48. N. T. Islam, C. C. W. Lim, C. Cahall, J. Kim, and D. J. Gauthier, “Provably secure and high-rate quantum key distribution with time-bin qudits,” Sci. Adv. 3(11), e1701491 (2017).

49. M. Tomamichel, C. Schaffner, A. Smith, and R. Renner, “Leftover hashing against quantum side information,” IEEE Trans. Inf. Theory 57(8), 5524–5535 (2011).

50. H.-W. Li, S. Wang, J.-Z. Huang, W. Chen, Z.-Q. Yin, F.-Y. Li, Z. Zhou, D. Liu, Y. Zhang, G.-C. Guo, W.-S. Bao, and Z.-F. Han, “Attacking a practical quantum-key-distribution system with wavelength-dependent beam-splitter and multiwavelength sources,” Phys. Rev. A 84(6), 062308 (2011).

51. P. V. P. Pinheiro, P. Chaiwongkhot, S. Sajeed, R. T. Horn, J.-P. Bourgoin, T. Jennewein, N. Lütkenhaus, and V. Makarov, “Eavesdropping and countermeasures for backflash side channel in quantum cryptography,” Opt. Express 26(16), 21020–21032 (2018).

52. H.-L. Yin, P. Liu, W.-W. Dai, Z.-H. Ci, J. Gu, T. Gao, Q.-W. Wang, and Z.-Y. Shen, “Experimental composable security decoy-state quantum key distribution using time-phase encoding,” Opt. Express 28(20), 29479–29485 (2020).

53. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, “Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems,” Phys. Rev. A 78(4), 042333 (2008).

54. H. Weier, H. Krauss, M. Rau, M. Fürst, S. Nauerth, and H. Weinfurter, “Quantum eavesdropping without interception: an attack exploiting the dead time of single-photon detectors,” New J. Phys. 13(7), 073024 (2011).

55. K. Wei, H. Ma, and X. Yang, “Trustworthiness of devices in a quantum random number generator based on a symmetric beam splitter,” J. Opt. Soc. Am. B 34(10), 2185–2189 (2017).

56. C.-H. F. Fung, K. Tamaki, B. Qi, H.-K. Lo, and X. Ma, “Security proof of quantum key distribution with detection efficiency mismatch,” Quantum Inf. Comput. 9(1-2), 131–165 (2009).

57. D. Ma, Y. Wang, and K. Wei, “Practical source-independent quantum random number generation with detector efficiency mismatch,” Quantum Inf. Process. 19(10), 384 (2020).

58. A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh, M. Levenson, M. Vangel, D. Banks, N. Heckert, J. Dray, and S. Vo, “A statistical test suite for random and pseudorandom number generators for cryptographic applications,” Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD (Accessed February 3, 2023).

59. W. Zhang, J. Huang, C. Zhang, L. You, C. Lv, L. Zhang, H. Li, Z. Wang, and X. Xie, “A 16-pixel interleaved superconducting nanowire single-photon detector array with a maximum count rate exceeding 1.5 GHz,” IEEE Trans. Appl. Supercond. 29(5), 1–4 (2019).

60. Z. Yuan, J. F. Dynes, and A. J. Shields, “Avoiding the blinding attack in QKD,” Nat. Photonics 4(12), 800–801 (2010).

61. Y.-J. Qian, D.-Y. He, S. Wang, W. Chen, Z.-Q. Yin, G.-C. Guo, and Z.-F. Han, “Robust countermeasure against detector control attack in a practical quantum key distribution system,” Optica 6(9), 1178–1184 (2019).

62. M. Fujiwara, T. Honjo, K. Shimizu, K. Tamaki, and M. Sasaki, “Characteristics of superconducting single photon detector in DPS-QKD system under bright illumination blinding attack,” Opt. Express 21(5), 6304–6312 (2013).

63. C. C. W. Lim, N. Walenta, M. Legré, N. Gisin, and H. Zbinden, “Random variation of detector efficiency: A countermeasure against detector blinding attacks for quantum key distribution,” IEEE J. Sel. Top. Quantum Electron. 21(3), 192–196 (2015).

64. G. Gras, D. Rusca, H. Zbinden, and F. Bussières, “Countermeasure against quantum hacking using detection statistics,” Phys. Rev. Appl. 15(3), 034052 (2021).

65. Z. Wu, A. Huang, X. Qiang, J. Ding, P. Xu, X. Fu, and J. Wu, “Robust countermeasure against detector control attack in a practical quantum key distribution system: comment,” Optica 7(10), 1391–1393 (2020).

66. S. Sajeed, A. Huang, S. Sun, F. Xu, V. Makarov, and M. Curty, “Insecurity of detector-device-independent quantum key distribution,” Phys. Rev. Lett. 117(25), 250505 (2016).

67. X. Lin, R. Wang, S. Wang, Z.-Q. Yin, W. Chen, G.-C. Guo, and Z.-F. Han, “Certified randomness from untrusted sources and uncharacterized measurements,” Phys. Rev. Lett. 129(5), 050506 (2022).
