^†^†thanks: [email protected]^†^†thanks: [email protected]

Bounds on semi-device-independent quantum random number expansion capabilities

Vaisakh Mannalath Jaypee Institute of Information Technology, A-10, Sector 62, Noida UP 201309, India Anirban Pathak Jaypee Institute of Information Technology, A-10, Sector 62, Noida UP 201309, India

Abstract

The randomness expansion capabilities of semi-device-independent (SDI) prepare and measure protocols are analyzed under the sole assumption that the Hilbert state dimension is known. It’s explicitly proved that the maximum certifiable entropy that can be obtained through this set of protocols is $-\log_{2}\left[\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right)\right]$ and the same is independent of the dimension witnesses used to certify the protocol. The minimum number of preparation and measurement settings required to achieve this entropy is also proven. An SDI protocol that generates the maximum output entropy with the least amount of input setting is provided. An analytical relationship between the entropy generated and the witness value is obtained. It’s also established that certifiable entropy can be generated as soon as dimension witness crosses the classical bound, making the protocol noise-robust and useful in practical applications.

I Introduction

Randomness plays an important role in simulation algorithms [1, 2, 3], cryptography [4, 5, 6], fundamental sciences [7, 8, 9] and much research has been devoted to the generation of random numbers [10]. Deterministic algorithms can at best create ‘pseudo-random numbers’ that mimic the statistics of ‘true’ random numbers [11]. One needs access to unpredictable physical processes in order to generate truly random numbers [10, 12]. Quantum theory provides well-defined theoretical models which are inherently probabilistic and serve us with good entropy sources to extract randomness [13]. Generating randomness from quantum systems is a matured field [14]. There are now even commercially available quantum random number generators (QRNGs) [15, 16, 17]. These devices are based on methods that are only applicable to their specific experimental setup and corresponding entropy estimates of the output randomness depend on a number of assumptions. Ultimately, these devices require a level of trust in the manufacturer which is not ideal for a number of reasons [10].

For the above-mentioned reasons, it is highly advantageous to have a setup that provides certifiable entropy while making minimal assumptions about its working. Device-independent QRNGs (DI-QRNGs) [18, 19] provide a solution to this problem. By consuming input randomness and using non-locality of quantum theory it can, theoretically, certify the output randomness without characterizing the inner workings of the setup. There has also been numerous experimental demonstrations of this approach [20, 21, 22, 23]. However, protocols for DI-QRNG suffer from practical issues which make them hard to implement outside of a laboratory setup compared to one-way protocols commonly used in commercial devices.

A more practical approach to random number generation is provided by the so-called semi-device-independent QRNGs (SDI-QRNGs) [24, 25, 26, 27, 28, 29]. Unlike, DI-QRNG, complete knowledge of a part of the setup used for random number generation is allowed in SDI-QRNGs. Even though this incurs a weaker form of security compared to the DI counter part, it is much more practical. Realistically, there might be parts of the device that are more error-prone than others. The SDI approach lets you design protocols that can still generate certifiable randomness while leaving such parts uncharacterized [30, 31, 32, 33]. These protocols are also easier to implement since non-local sources are not required and is thus more consumer-friendly. Hence the entropy generation capabilities of the SDI protocols are of particular interest to cryptographers and others who use random numbers for various practical purposes.

In this work, we derive a general upper bound on the amount of entropy generated by a class of SDI protocols. Specifically, we consider prepare and measure protocols of two-dimensional systems and two-outcome measurements. Even though various protocols belonging to this class have been studied previously [24, 25], their analysis has been restricted to some particular dimension witnesses which are used to distinguish quantum processes from classical processes. Our results, however, are independent of dimensional witnesses. We prove that the maximum amount of entropy which could be generated by any protocol of this class is equal to $-\log_{2}\left[\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right)\right]$ . Moreover, the minimum number of preparation and measurement settings to certify this much entropy is also proven. We give an explicit example of a unique protocol that matches these bounds, proving them to be tight. Furthermore, we derive an analytical relationship between the witness values and the entropy generated with this protocol.

The rest of the paper is organized as follows. In Section II, we briefly describe the SDI model and state some definitions that we use in the subsequent sections. Section III contains results on the limits of output/input randomness. We report an explicit protocol matching these limits and its subsequent analysis in Section IV. In Section V, we present a brief discussion along with some relevant open questions for further research.

II Semi-Device Independent Model

We first illustrate the general structure of the SDI-QRNG protocol that we have considered here. It involves two black boxes shielded from the outside world (see Figure 1). One of the devices (boxes) is used for state preparation while the other one is used for the measurement. The preparation black box, $A$ has $\mathcal{X}$ settings, and the measurement black box, $B$ has $\mathcal{Y}$ settings; $\mathcal{X},\mathcal{Y}\geq 2$ . Depending on the randomly chosen setting among $\mathcal{X}$ , $A$ outputs a quantum system $\rho_{x}$ , $x\in[\mathcal{X}]$ (we use $[N]$ to denote a set of cardinality $N$ ), which will then be sent to the second black box $B$ for measurement. We assume that the state $\rho_{x}\in\mathbb{C}^{2}$ ; is a two-dimensional system. The measurement device takes $\rho_{x}$ as input and measures it in one of the randomly chosen settings $\mathcal{Y}$ and outputs $b\in\{0,1\}$ . This forms one round of the prepare and measure protocol. We can repeat this procedure multiple times to get a probability distribution given by

p(b|x,y)=\operatorname{Tr}\left(\rho_{x}M^{b}_{y}\right),

(1)

where $M^{b}_{y}$ is the measurement operator acting on $\rho_{x}$ with input parameter $y\in[\mathcal{Y}]$ and output $b$ .
In order to identify whether the probability distributions truly have a quantum origin or not, dimension witnesses of the form

W\equiv\sum_{x,y}w_{x,y}E_{x,y}

(2)

are usually used, where $w_{x,y}$ are real coefficients and

E_{x,y}=P(b=0|x,y).

Under such dimension witnesses, an SDI protocol does not demand any restriction on pre-shared classical correlations between the preparation and measurement devices [34]. Although we do assume that they don’t share any quantum correlations. If we denote by $W_{c}$ and $W_{Q}$ the classical and quantum upper-bounds of the witness value using two-dimensional systems, whenever,

W_{c}<W\leq W_{Q}

(3)

we can be certain that the protocol has no classical description [34, 24]. Hence the output $b$ of $B$ is truly probabilistic in nature and can be used to extract randomness [35, 36].

The entropy in the output $b$ can be quantified by the following min-entropy function [37]

H_{\infty}(B|\mathcal{X},\mathcal{Y})=-\log_{2}\left[\max_{b,x,y}p(b|x,y)\right].

(4)

This entropy is considered to be ‘certifiable’ if the corresponding probability distribution satisfies the constraint Equation 3.
Since our witnesses defined by Equation 2 are linear in probabilities, we just need to consider pure states for our analysis as any arbitrary mixed state can be written as a convex combination of pure states [34]. It has also been proven that POVMs can be depicted as a convex combinations of projective measurements in the case of two-measurement outcomes [38, 39]. Furthermore, its known that projective measurements on two dimensional systems can be represented as antipodal unit vectors on the Bloch sphere. In general, the basis elements can be expressed as

M^{0}_{y}=\frac{1}{2}(\mathbb{I}+\overrightarrow{t}_{y}\cdot\sigma)\leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ M^{1}_{y}=\frac{1}{2}(\mathbb{I}-\overrightarrow{t}_{y}\cdot\sigma),

(5)

where $\overrightarrow{t}_{y}$ is a unit vector on the Bloch sphere and $\sigma=(\sigma_{x},\sigma_{y},\sigma_{z})$ , the Pauli matrices. For preparations, it is enough to consider pure states represented using unit vectors $\overrightarrow{s}_{x}$ as

\rho_{x}=\frac{1}{2}\left(\mathbb{I}+\overrightarrow{s}_{x}\cdot\sigma\right).

(6)

Under this representation, probability distribution $p(b|x,y)$ can be expressed as

p(b|x,y)=\operatorname{Tr}\left(\rho_{x}M^{b}_{y}\right)=\frac{1}{2}\left(1+\overrightarrow{s}_{x}\cdot\overrightarrow{t}_{y}\right).

(7)

We may now proceed to prove some general results related to the capabilities of SDI-QRNGs using the definitions and notations introduced in this section.

Refer to caption — Figure 1: We consider the prepare and measure scenario of two-dimensional systems, $\rho_{x}$ . Protocol features two black boxes $A$ and $B$ , for preparation and measurement, respectively. $A$ has $\mathcal{X}$ input settings and $B$ has $\mathcal{Y}$ input settings. Based on the input, $A$ will output a state $\rho_{x}$ and $B$ will output $b\in\{0,1\}$ based on its input and the state sent by $A$ .

III Results: Bounds on certifiable entropy

Theorem 1.

A prepare and measure protocol of two-dimensional systems and two-outcome measurements can generate at most $-\log_{2}\left[\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right)\right]$ bits of certifiable entropy.

Proof.

Maximizing the entropy in Equation 4 amounts to minimizing the quantity $\max_{b,x,y}p(b|x,y)$ over all prepare and measure protocols. We shall achieve this by first defining a lower bound for the quantity to be minimized and then deriving the lowest possible value for the lower bound.
Consider the quantity

p_{lb}=\max_{x}\frac{1}{\mathcal{Y}}\sum_{y}\max_{b}p(b|x,y)

where the average is taken over all the measurement settings. Since mean over a set is lower than the maximum of a set, $p_{lb}$ forms a lower bound to $\max_{b,x,y}p(b|x,y)$ . We may now derive an expression for $p_{lb}$ .
Let us represent the measurement basis for $\mathcal{Y}$ measurement settings as

\mathcal{T}_{\mathcal{Y}}=\{\{\overrightarrow{t}_{1},-\overrightarrow{t}_{1}\},\{\overrightarrow{t}_{2},-\overrightarrow{t}_{2}\},\cdots,\{\overrightarrow{t}_{\mathcal{Y}},-\overrightarrow{t}_{\mathcal{Y}}\}\}.

Each of these measurement bases can be represented by a diameter of the Bloch sphere with the basis elements as its endpoints. For example the basis $\{\overrightarrow{t}_{1},-\overrightarrow{t}_{1}\}$ represents a diameter with $\overrightarrow{t}_{1}$ and $-\overrightarrow{t}_{1}$ as its endpoints. It is trivial to see that given any two non-perpendicular diameters of a sphere in ${\rm I\!R}^{3}$ the smallest angle between them would be less than or equal to $\pi/2$ . To further illustrate our point, let us consider the bases $\{\overrightarrow{t}_{i},-\overrightarrow{t}_{i}\}$ and $\{\overrightarrow{t}_{j},-\overrightarrow{t}_{j}\}$ . If the angle between the vectors $\overrightarrow{t}_{i}$ and $-\overrightarrow{t}_{j}$ is greater than $\pi/2$ , then the angle between $\overrightarrow{t}_{i}$ and $\overrightarrow{t}_{j}$ will definitely be less than $\pi/2$ ; for any $i,j\in[\mathcal{Y}]$ .
Keeping the above arguments in mind, consider a particular case: $\mathcal{Y}=2$ , with measurement bases as $\{\overrightarrow{t}_{1},-\overrightarrow{t}_{1}\}$ and $\{\overrightarrow{t}_{2},-\overrightarrow{t}_{2}\}$ . If we consider the angle between $\overrightarrow{t}_{1}$ and $\overrightarrow{t}_{2}$ to be less than or equal to $\pi/2$ , then the state $\rho_{x}$ with $\overrightarrow{s}_{x}=\frac{\overrightarrow{t}_{1}+\overrightarrow{t}_{2}}{|\overrightarrow{t}_{1}+\overrightarrow{t}_{2}|}$ maximizes $\frac{1}{\mathcal{Y}}\sum_{y}\max_{b}p(b|x,y)$ , yielding $p_{lb}$ . It is easy to see that $p_{lb}$ is minimum when $\overrightarrow{t}_{1}$ and $\overrightarrow{t}_{2}$ are perpendicular to each other.
For now, let us assume that $0\leq\theta_{i,j}\leq\pi/2$ , where $\theta_{i,j}$ is the angle between the measurement vectors $\overrightarrow{t}_{i}$ and $\overrightarrow{t}_{j}$ for $i,j\in[\mathcal{Y}]$ . This is in general not true for $\mathcal{Y}\geq 3,$ but we will give an argument at the end of the proof as to why this assumption is valid enough to find out the minimum value of $p_{lb}$ .
Given this setup, consider $\rho_{x}$ with $\overrightarrow{s}_{x}=\frac{\overrightarrow{t}_{1}+\overrightarrow{t}_{2}+\cdots+\overrightarrow{t}_{\mathcal{Y}}}{|\overrightarrow{t}_{1}+\overrightarrow{t}_{1}+\cdots+\overrightarrow{t}_{\mathcal{Y}}|}$ . Note that given the choice of measurement vectors $\{\overrightarrow{t}_{1},\overrightarrow{t}_{2},\cdots,\overrightarrow{t}_{\mathcal{Y}}\}$ , this state maximizes $\frac{1}{\mathcal{Y}}\sum_{y}\max_{b}p(b|x,y)$ since it lies along the average direction of the measurement vectors. Simplification yields

p_{lb}=\frac{1}{2}\left(1+\frac{|\overrightarrow{t}_{1}+\overrightarrow{t}_{2}+\cdots+\overrightarrow{t}_{\mathcal{Y}}|}{\mathcal{Y}}\right).

(8)

We can represent Equation 8 as

p_{lb}=\frac{1}{2}\left(1+\frac{\sqrt{\mathcal{Y}+2(\cos{\theta_{1,2}}+\cdots+\cos{\theta_{\mathcal{Y}-1,\mathcal{Y}}}})}{\mathcal{Y}}\right).

(9)

Lemma 1.

For $\mathcal{Y}$ unit vectors that lie in an octant of a sphere in $\mathbb{R}^{3}$ , the minimum of the sum of cosines of the angles formed between them is equal to $\frac{3}{2}\mu(\mu-1)+r\mu$ where $\mathcal{Y}=3\mu+r$ for positive integers $\mu$ and $r\in\{0,1,2\}$ .

Proof.

Consider $\mathcal{Y}$ vectors $\{\overrightarrow{t}_{1},\cdots,\overrightarrow{t}_{\mathcal{Y}}\}$ . The sum to be minimized is

\cos{\theta_{1,2}}+\cos{\theta_{1,3}}+\cdots+\cos{\theta_{\mathcal{Y}-1,\mathcal{Y}}}.

We can rewrite it as

\left(\cos{\theta_{1,2}}+\cos{\theta_{1,3}}+\cdots+\cos{\theta_{1,\mathcal{Y}}}\right)+\cdots+\cos{\theta_{\mathcal{Y}-1,\mathcal{Y}}}.

The terms in the bracket is equal to

\overrightarrow{t}_{1}\cdot\left(\overrightarrow{t}_{2}+\cdots+\overrightarrow{t}_{\mathcal{Y}}\right).

Since every vector lies in the same octant, the dot product is minimized when $\overrightarrow{t}_{1}$ is along one of the axis. We can repeat the same process for every other vector until all of them lines up with one of the $3$ axes. We have three scenarios based on the value of $r\in\{0,1,2\}$ ;

•

$\mathcal{Y}=3\mu$ : It is trivial to see that the sum is minimum when the vectors are equally distributed among the axes; $\mu$ vectors along each axis. The sum of cosines is equal to $3\prescript{\mu\mkern-0.5mu}{}{C}_{2}$ .
•

$\mathcal{Y}=3\mu+1$ : An additional vector along any one of the axes, say $x$ axis. The sum becomes $2\prescript{\mu\mkern-0.5mu}{}{C}_{2}+\prescript{\mu+1\mkern-0.5mu}{}{C}_{2}$ .
•

$\mathcal{Y}=3\mu+2$ : Consider the sum of vectors

$\overrightarrow{t}_{1}+\cdots+\overrightarrow{t}_{3\mu+1}.$

Since they have an arrangement dictated by the previous case, the vector $\overrightarrow{t}_{3\mu+2}$ should end up at $y$ or $z$ axis. The sum becomes $\prescript{\mu\mkern-0.5mu}{}{C}_{2}+2\prescript{\mu+1\mkern-0.5mu}{}{C}_{2}$ .

Putting it all together, we have the sum as

(3-r)\prescript{\mu\mkern-0.5mu}{}{C}_{2}+r\prescript{\mu+1\mkern-0.5mu}{}{C}_{2}.

Simplifying it we obtain

\frac{3}{2}\mu(\mu-1)+r\mu.

∎

Since our measurement vectors $\{\overrightarrow{t}_{1},\overrightarrow{t}_{2},\cdots,\overrightarrow{t}_{\mathcal{Y}}\}$ are atmost $\pi/2$ away from each other, we can consider them to lie in the same octant. Applying Lemma 1, Equation 9 becomes,

p_{lb}=\frac{1}{2}\left(1+\frac{\sqrt{\mathcal{Y}+3\mu(\mu-1)+2r\mu}}{\mathcal{Y}}\right).

(10)

Substituting $\mathcal{Y}=3\mu+r$ we obtain

\displaystyle p_{lb}

\displaystyle=

\displaystyle\frac{1}{2}\left(1+\frac{\sqrt{3\mu^{2}+r(2\mu+1)}}{3\mu+r}\right).

(11)

Thus, for $r=0$ , we have

	$\displaystyle p_{lb}$	$\displaystyle=$	$\displaystyle\frac{1}{2}\left(1+\frac{\sqrt{3\mu^{2}}}{3\mu}\right)$		(12)
		$\displaystyle=$	$\displaystyle\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right).$		(12)

For $r\in\{1,2\}$ , $p_{lb}>\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right)$ and $p_{lb}\rightarrow\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right)$ as $\mu\rightarrow\infty$ . Thus in general,

p_{lb}\geq\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right).

∎

Note that our assumption that $0\leq\theta_{i,j}\leq\pi/2$ for $i,j\in[\mathcal{Y}]$ is valid enough since the minimum value for $p_{lb}$ is obtained when the measurement vectors are along the $3$ D axes. This implies that by induction, using $\mathcal{Y}=2$ as the initial step and the freedom to relabel any measurement basis, we can take any $\mathcal{Y}$ measurement vectors to lie in the same octant.

Theorem 2.

A prepare and measure protocol of two-dimensional systems needs at least $4$ preparation settings and $3$ measurement settings to generate the maximum amount of entropy.

Proof.

From Theorem 1, the maximum entropy is generated when $\mathcal{Y}=3\mu$ . For $\mu=1$ , we have the minimum number of measurement settings, $\mathcal{Y}=3$ . We will now try to minimise the number of preparation settings when $\mathcal{Y}=3$ .
As for the number of preparation settings $\mathcal{X}$ , note that it can’t be $2$ since the states will be perfectly distinguishable; there is no entropy in the output. When $\mathcal{X}=3$ and $\mathcal{Y}=3$ , a general dimension witness defined by Equation 2 can be expressed as

	$\displaystyle W$	$\displaystyle=$	$\displaystyle w_{1,1}E_{1,1}+w_{1,2}E_{1,2}+w_{1,3}E_{1,3}+w_{2,1}E_{2,1}+w_{2,2}E_{2,2}$		(13)
			$\displaystyle+w_{2,3}E_{2,3}+w_{3,1}E_{3,1}+w_{3,2}E_{3,2}+w_{3,3}E_{3,3},$		(13)

From Theorem 1, maximum entropy generation needs at least $3$ measurement settings. Since maximization is over the entire probability distribution, this holds for every preparation setting. Hence, none of the coefficients $w_{x,y}$ can be $0$ for a witness which acheives the maximum entropy. For example, suppose $w_{3,3}$ is $0$ . This implies that the state $\rho_{3}$ depends only on the measurement bases $M_{1}$ and $M_{2}$ ; $\rho_{3}$ lies in the plane defined by $M_{1}$ and $M_{2}$ . Subsequently, for a given witness value, $\max_{b,x,y}p(b|x,y)\geq\frac{1}{2}\left(1+\frac{1}{\sqrt{2}}\right)>\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right)$ .
Now that we have established that all coefficients in Equation 13 are non-zero, we can model it as an QRAC-like protocol where preparation states correspond to $3$ bit strings and measurement settings determine which bit to guess. Positive coefficients are mapped to bit $0$ and negative coefficients to bit $1$ . For example, consider

	$\displaystyle R_{3,3}$	$\displaystyle\equiv$	$\displaystyle E_{1,1}+E_{1,2}+E_{1,3}+E_{2,1}-E_{2,2}$		(14)
			$\displaystyle-E_{2,3}-E_{3,1}+E_{3,2}-E_{3,3}.$		(14)

Based on our construction, $R_{3,3}$ can be defined as the average success probability of an QRAC protocol where preparation states are represented as $x\in\{000,011,101\}$ and measurement settings dictate which one of the three bits to guess.

For any such task we can construct a protocol based on the $2\rightarrow 1$ QRAC (cf. Figure 2) whose average probability would be greater than $\frac{1}{2}(1+\frac{1}{\sqrt{3}})$ , implying the entropy generated will be lesser than $-\log_{2}\left[\frac{1}{2}(1+\frac{1}{\sqrt{3}})\right]$ (since $\max_{b,x,y}p(b|x,y)\geq\sum_{x,y}p(b=x_{y}|x,y)$ : $x$ represents any of the $3$ -bit strings and $x_{y}$ denotes the $y^{th}$ bit of that string).
The protocol is represented using Figure 2. A $3$ bit string can be written as $x$ where $x\in\{00x_{3},01x_{3},10x_{3},11x_{3}\}$ and $x_{3}$ is the third bit (which could be different for different strings). The task is then straightforward; encode the strings on any three of the four possible states using $2\rightarrow 1$ QRAC, where the encoding can be represented as

\displaystyle\mbox{Encoding}\begin{cases}00\to\frac{1}{2}\left(\mathbb{I}+\frac{1}{\sqrt{2}}\sigma_{x}+\frac{1}{\sqrt{2}}\sigma_{y}\right)\\ 01\to\frac{1}{2}\left(\mathbb{I}+\frac{1}{\sqrt{2}}\sigma_{x}-\frac{1}{\sqrt{2}}\sigma_{y}\right)\\ 10\to\frac{1}{2}\left(\mathbb{I}-\frac{1}{\sqrt{2}}\sigma_{x}+\frac{1}{\sqrt{2}}\sigma_{y}\right)\\ 11\to\frac{1}{2}\left(\mathbb{I}-\frac{1}{\sqrt{2}}\sigma_{x}-\frac{1}{\sqrt{2}}\sigma_{y}\right).\end{cases}

Decode the first two bits using the measurement bases given by

M_{y}\equiv\left\{\frac{1}{2}(\mathbb{I}+\overrightarrow{t}_{y}\cdot\sigma),\frac{1}{2}(\mathbb{I}-\overrightarrow{t}_{y}\cdot\sigma)\right\}

and their corresponding Bloch vectors

\displaystyle\mbox{Decoding}\begin{cases}x_{1}\to\overrightarrow{t}_{i}\equiv(1,0,0)\\ x_{2}\to\overrightarrow{t}_{i}\equiv(0,1,0).\end{cases}

Decode the third bit using

x_{3}\to\overrightarrow{t}_{3}\equiv\frac{1}{\sqrt{2}}(1,1,0).

Given the choice of measurement bases and prepared states the average probability is found to be at least,

\frac{6\left(\frac{1}{2}(1+\frac{1}{\sqrt{2}})\right)+2}{9}\approx 0.79125.

Hence for such a protocol we have average probability greater than $\sim$ $0.79125$ which is greater than $\frac{1}{2}(1+\frac{1}{\sqrt{3}})\approx 0.78867$ .

∎

IV A specific protocol

An explicit protocol to achieve $H_{\infty}=-\log_{2}[\frac{1}{2}(1+\frac{1}{\sqrt{3}})]\approx 0.34249$ using $4$ preparation settings and $3$ measurement settings is given here. It corresponds to an QRAC-like protocol in which the preparation party $A$ encodes one of the strings $x\in\{000,011,101,110\}$ to a single qubit and the measurement party $B$ attempts to decode $x_{y}\in\{x_{1},x_{2},x_{3}\}$ by suitable measurements. Using arguments similar to those used for proving Theorem 2, this protocol can be proven to be unique up to some relabelling of the measurement bases. A suitable dimension witness is provided by

R_{4,3}\equiv E_{000,1}+E_{000,2}+E_{000,3}+E_{011,1}-\\ E_{011,2}-E_{011,3}-E_{101,1}+E_{101,2}-\\ E_{101,3}-E_{110,1}-E_{110,2}+E_{110,3},

(15)

and whenever

3<R_{4,3}\leq 2\sqrt{3},

(16)

the protocol has no classical description. Equation 16 was derived from the results provided in [40]. They have treated the protocol as a generalized version of the $2\rightarrow 1$ QRAC protocol where $B$ attempts to decode, in addition to the bits encoded by $A$ , the parity of the bits as well. The average success probability of this particular protocol have previously found applications in the SDI security of QKD protocols [41]. The corresponding dimension witness has also been applied previously in self testing of POVMs [42, 43] and in reduction of symmetric dimension witnesses [44].
In order to achieve the maximal quantum value $2\sqrt{3}$ , we may encode the bits using the states given by

\displaystyle\mbox{Encoding}\begin{cases}000\mapsto\frac{1}{2}\left(\mathbb{I}+\frac{1}{\sqrt{3}}\sigma_{x}+\frac{1}{\sqrt{3}}\sigma_{y}+\frac{1}{\sqrt{3}}\sigma_{z}\right)\\ 011\mapsto\frac{1}{2}\left(\mathbb{I}+\frac{1}{\sqrt{3}}\sigma_{x}-\frac{1}{\sqrt{3}}\sigma_{y}-\frac{1}{\sqrt{3}}\sigma_{z}\right)\\ 101\mapsto\frac{1}{2}\left(\mathbb{I}-\frac{1}{\sqrt{3}}\sigma_{x}+\frac{1}{\sqrt{3}}\sigma_{y}-\frac{1}{\sqrt{3}}\sigma_{z}\right)\\ 110\mapsto\frac{1}{2}\left(\mathbb{I}-\frac{1}{\sqrt{3}}\sigma_{x}-\frac{1}{\sqrt{3}}\sigma_{y}+\frac{1}{\sqrt{3}}\sigma_{z}\right).\end{cases}

and decode the bits using the measurement bases given by

M_{y}\equiv\left\{\frac{1}{2}(\mathbb{I}+\overrightarrow{t}_{y}\cdot\sigma),\frac{1}{2}(\mathbb{I}-\overrightarrow{t}_{y}\cdot\sigma)\right\}

with the corresponding Bloch vectors

\displaystyle\mbox{Decoding}\begin{cases}x_{1}\to\overrightarrow{t}_{1}\equiv(1,0,0)\\ x_{2}\to\overrightarrow{t}_{2}\equiv(0,1,0)\\ x_{3}\to\overrightarrow{t}_{3}\equiv(0,0,1).\end{cases}

Note that a general two-dimensional witness for $4$ preparation settings and $3$ measurement settings may not be able to produce the maximum amount of randomness. For example, consider the well known dimension witness $I_{4}$ [34, 45], defined as

$I_{4}\equiv E_{1,1}+E_{1,2}+E_{1,3}+E_{2,1}+E_{2,2}-E_{2,3}+E_{3,1}-E_{3,2}-E_{4,1}$ .

Since the choice of the $4^{th}$ state solely depends on the $1^{st}$ measurement basis, one can always take $E_{4,1}$ to be $0$ . This implies that $p(b=1|4,1)=1$ ; no entropy is generated in this case. The choice of dimension witness is special in that regard and warrants further analysis. We will now derive an analytical bound on the min-entropy based on the value of the dimension witness. The analysis and methods used is similar to what have been done in [46, 47].
Using Equation 5 and Equation 6, Equation 15 can be written as

$\displaystyle R_{4,3}$	$\displaystyle\equiv$	$\displaystyle E_{000,1}+E_{000,2}+E_{000,3}+E_{011,1}-E_{011,2}-E_{011,3}-$
		$\displaystyle E_{101,1}+E_{101,2}-E_{101,3}-E_{110,1}-E_{110,2}+E_{110,3}$
	$\displaystyle=$	$\displaystyle\leavevmode\resizebox{389.89749pt}{}{$\operatorname{\operatorname{Tr}}\left[\rho_{000}\left(M_{1}^{0}+M_{2}^{0}+M_{3}^{0}\right)\right]+\operatorname{\operatorname{Tr}}\left[\rho_{011}\left(M_{1}^{0}-M_{2}^{0}-M_{3}^{0}\right)\right]$}+$
		$\operatorname{\operatorname{Tr}}\left[\rho_{101}\left(-M_{1}^{0}+M_{2}^{0}-M_{3}^{0}\right)\right]+\operatorname{\operatorname{Tr}}\left[\rho_{110}\left(-M_{1}^{0}-M_{2}^{0}+M_{3}^{0}\right)\right]$
	$\displaystyle=$	$\displaystyle\frac{1}{2}\biggl{(}\overrightarrow{s}_{000}\cdot\left(\overrightarrow{t}_{1}+\overrightarrow{t}_{2}+\overrightarrow{t}_{3}\right)\hskip 6.99997pt+$
		$\displaystyle\hskip 14.49998pt\overrightarrow{s}_{011}\cdot\left(\overrightarrow{t}_{1}-\overrightarrow{t}_{2}-\overrightarrow{t}_{3}\right)\hskip 8.00003pt+$
		$\displaystyle\hskip 14.49998pt\overrightarrow{s}_{101}\cdot\left(-\overrightarrow{t}_{1}+\overrightarrow{t}_{2}-\overrightarrow{t}_{3}\right)+$
		$\displaystyle\hskip 14.49998pt\overrightarrow{s}_{110}\cdot\left(-\overrightarrow{t}_{1}-\overrightarrow{t}_{2}+\overrightarrow{t}_{3}\right)\biggl{)}$
	$\displaystyle\leq$	$\displaystyle\frac{1}{2}\biggl{(}\left\|\overrightarrow{t}_{1}+\overrightarrow{t}_{2}+\overrightarrow{t_{3}}\right\|+\left\|\overrightarrow{t}_{1}-\overrightarrow{t}_{2}-\overrightarrow{t}_{3}\right\|+$
		$\displaystyle\hskip 16.49995pt\left\|\overrightarrow{t}_{1}-\overrightarrow{t}_{2}+\overrightarrow{t}_{3}\right\|+\left\|\overrightarrow{t}_{1}+\overrightarrow{t}_{2}-\overrightarrow{t}_{3}\right\|\biggl{)}$
	$\displaystyle\leq$	$\displaystyle\frac{1}{2}\biggl{(}\sqrt{3+2\left(\cos\left(\theta_{1,2}\right)+\cos\left(\theta_{1,3}\right)+\cos\left(\theta_{2,3}\right)\right)}+$
		$\displaystyle\hskip 16.7pt\sqrt{3+2\left(\cos\left(\theta_{1,2}\right)-\cos\left(\theta_{1,3}\right)+\cos\left(\theta_{2,3}\right)\right)}+$
		$\displaystyle\hskip 16.7pt\sqrt{3+2\left(\cos\left(\theta_{1,2}\right)+\cos\left(\theta_{1,3}\right)-\cos\left(\theta_{2,3}\right)\right)}+$
		$\displaystyle\hskip 16.7pt\sqrt{3+2\left(\cos\left(\theta_{1,2}\right)-\cos\left(\theta_{1,3}\right)-\cos\left(\theta_{2,3}\right)\right)}\biggl{)},$

where the first inequality follows from $|\overrightarrow{s}_{x}|<1$ . Using Equation 9 we can write $p_{lb}$ for our example as

p_{lb}=\frac{1}{2}\leavevmode\resizebox{403.98956pt}{}{{\hbox{ \left(1+\frac{\sqrt{3+2\left(\cos\left(\theta_{1,2}\right)+\cos\left(\theta_{1,3}\right)+\cos\left(\theta_{2,3}\right)\right)}}{3}\right)}}}.

(18)

In order to obtain a bounded value of $R_{4,3}$ as a function of $p_{lb}$ we will use the extreme value problem of multi-variable function. Changing variables as

\mathcal{P}=\frac{\left(3\left(2p_{lb}-1\right)\right)^{2}-3}{2}\leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ a=\cos{\theta_{1,3}}\leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ \leavevmode\nobreak\ b=\cos{\theta_{2,3}}

and applying it to LABEL:Wlong, we obtain

R_{4,3}\leq\max_{\{(q,r)\}}\biggl{\{}\frac{1}{2}\biggl{(}\sqrt{3+2\mathcal{P}}+\sqrt{3+2\left(2q-\mathcal{P}\right)}+\\ \sqrt{3+2\left(2r-\mathcal{P}\right)}+\sqrt{3+2\left(\mathcal{P}-\left(2q+2r\right)\right)}\biggl{)}\biggl{\}},

(19)

where $\left(q,r\right)$ is one of the real roots of equation set with variables $\left(a,b\right)$ given by,

	$\displaystyle\frac{1}{2}\left(\frac{2}{\sqrt{2(2a-\mathcal{P})+3}}-\frac{2}{\sqrt{2(\mathcal{P}-2a-2b)+3}}\right)=0,$
	$\displaystyle\frac{1}{2}\left(\frac{2}{\sqrt{2(2b-\mathcal{P})+3}}-\frac{2}{\sqrt{2(\mathcal{P}-2b-2a)+3}}\right)=0.$
			(20)

The equation set provided above is obtained by taking the derivatives of LABEL:Wlong with respect to $a$ and $b$ . It turns out that the solutions of Equation 20 should satisfy the condition

a=b=\mathcal{P}/3\implies\cos{\theta_{1,2}}=\cos{\theta_{1,3}}=\cos{\theta_{2,3}}.

(21)

Since $p_{lb}$ is defined as $\max_{x}\frac{1}{\mathcal{Y}}\sum_{y}\max_{b}p(b|x,y)$ , by Equation 21 all the terms in the summation are equal. This means that when $R_{4,3}$ is maximized, $p_{lb}$ is equivalent to $\max_{b,x,y}p(b|x,y)$ . Hence the maximization will yield a tight upper bound on the randomness generated by this protocol. Also, Equation 21 reduces our problem to a single variable one.
Substituting Equation 21 in LABEL:Wlong and Equation 18, we get

	$\displaystyle R_{4,3}$	$\displaystyle\leq$	$\displaystyle\frac{1}{2}\left(3\sqrt{3-2a}+\sqrt{6a+3}\right),$
	$\displaystyle p_{lb}$	$\displaystyle=$	$\displaystyle\frac{1}{2}\left(\frac{1}{3}\sqrt{6a+3}+1\right).$		(22)

Solving Equation 22 we obtain

p_{lb}\leq\frac{1}{12}\left(R_{4,3}+6+\sqrt{3(12-R_{4,3}^{2})}\right).

(23)

This forms a min-entropy bound for the particular protocol as shown in Figure 4. Since the choice of angles is unique when $R_{4,3}=2\sqrt{3}$ i.e.,

\theta_{1,2}=\theta_{1,3}=\theta_{2,3}=\pi/2,

it yields the maximum amount of certifiable randomness; $H_{\infty}\approx 0.34249$ . Also note that since $p_{lb}$ forms an upper bound to the average success probability of the protocol, Equation 23 implies that certifiable randomness can be generated as soon as one violates the classical bound on witness. This is particularly relevant in practical setups, which might not be able to achieve the maximum possible quantum violation. The protocols is thus noise-robust, and has immediate applications in practical SDI-QRNG setups.
Since we assume that devices are shielded from the outside world, the randomness used to choose the input settings in each round can be used for other purposes. Hence the total output randomness from each round is more than what is being used to start the process. In order to increase randomness expansion even further, one can consider using a fixed subset of input setting for randomness generation for most rounds and a randomly chosen input setting for rest of the rounds [48, 46, 49]. If the number of rounds is large enough, one can use the subset of rounds wherein the input setting where randomly chosen in order to estimate the witness value [20].

V Discussions and outlook

A tight bound on the entropy generation rate is derived for SDI prepare and measure protocols for two-dimensional systems and two-outcome measurements solely from geometrical arguments. The maximum entropy generated from such a class of protocols is found to be equal to $-\log_{2}\left[\frac{1}{2}\left(1+\frac{1}{\sqrt{3}}\right)\right]$ . Here it will be apt to note the results of a previous work [50] which suggests an upper bound on the certifiable randomness from a quantum black box as $-\log_{2}\left[\min\{l,k+1\}\right]$ , where $l$ is the number of outputs for a measurement ( $2$ in our case) and $k$ is the number of preparation settings. For the particular class of protocols that we are considering, this result forms a trivial bound of $1$ bit of certifiable entropy. Our results are much more strict in that regard. It was also conjectured in [25] that $3\rightarrow 1$ QRAC generates the maximum amount of randomness among $n\rightarrow 1$ QRAC protocols. We have proved that this is indeed the case. Our results are more general than QRAC protocols and also independent of any dimension witness. We have also provided an explicit protocol generating the maximum amount of entropy while having the least amount of input settings. The protocol generates as much entropy as $3\rightarrow 1$ QRAC protocol does, however it requires lesser input settings. Note that even though the protocol generates maximum entropy when $W=W_{Q}$ , it still remains an open question if one can extract more randomness than what is given in Figure 4 when $W<W_{Q}$ . Since Equation 23 is tied to a specific dimension witness i.e., $R_{4,3}$ , it would be worthwhile to investigate whether the methods by Wang et. al. [51] would be able to extract more randomness when $3<R_{4,3}<2\sqrt{3}$ . Inspired by the DI approach used in [49, 52], they used the full observed statistics to certify randomness rather than restricting to a particular inequality.
The results reported here are not only new and useful, it also opens up possibilities for a set of interesting investigations. An immediate generalisation of the presented work would be to consider the limits on entropy generation for $l$ -outcome measurements on $d$ -dimensional systems; $l,d>2$ . It would also be interesting to investigate the randomness expansion capabilities of such protocols with partially free random sources as the input seed [53, 54]. Given the advantage of our protocol over the $3\rightarrow 1$ QRAC with perfect random sources, it would be interesting to see a comparison with partially free sources [55]. Another possible avenue for research would be to consider the randomness generation ability for multiple users as discussed in [56].

Acknowledgment

Authors acknowledge the support from the QUEST scheme of Interdisciplinary Cyber Physical Systems (ICPS) program of the Department of Science and Technology (DST), India (Grant No.: DST/ICPS/QuST/Theme-1/2019/14 (Q80)). They also thank Manik Banik, Ram Krishna Patra, Sandeep Mishra, R Srikanth, H. S. Karthik, H. Akshata Shenoy and Kishore Thapliyal for their interest and feedback on the work.

References

Metropolis and Ulam [1949] N. Metropolis and S. Ulam, Journal of the American Statistical Association 44, 335 (1949).
Karp [1991] R. M. Karp, Discrete Applied Mathematics 34, 165 (1991).
Motwani and Raghavan [1996] R. Motwani and P. Raghavan, ACM Computing Surveys 28, 33–37 (1996).
Shannon [1949] C. E. Shannon, The Bell System Technical Journal 28, 656 (1949).
Gennaro [2006] R. Gennaro, IEEE Security Privacy 4, 64 (2006).
Bouda et al. [2012] J. Bouda, M. Pivoluska, M. Plesch, and C. Wilmott, Physical Review A 86, 062308 (2012).
Bell [1964] J. S. Bell, Physics Physique Fizika 1, 195 (1964).
Wheeler [1978] J. A. Wheeler, The “past” and the “delayed-choice” double-slit experiment, in Mathematical Foundations of Quantum Theory (Academic Press, 1978) pp. 9–48.
Shadbolt et al. [2014] P. Shadbolt, J. C. F. Mathews, A. Laing, and J. L. O’Brien, Nature Physics 10, 278 (2014).
Herrero-Collantes and Garcia-Escartin [2017] M. Herrero-Collantes and J. C. Garcia-Escartin, Reviews of Modern Physics 89, 015004 (2017).
L’Ecuyer [2012] P. L’Ecuyer, Springer Handbooks of Computational Statistics , 35 (2012).
Calude [2015] C. S. Calude, Indeterminism and randomness (2015).
Ma et al. [2013] X. Ma, F. Xu, H. Xu, X. Tan, B. Qi, and H.-K. Lo, Physical Review A 87, 062327 (2013).
Ma et al. [2016] X. Ma, X. Yuan, Z. Cao, B. Qi, and Z. Zhang, npj Quantum Information 2, 16021 (2016).
Qua [2021] Quantum random number generation (qrng) - id quantique, https://www.idquantique.com/random-number-generation/overview/ (2021), (Accessed on 11/21/2021).
Jacak et al. [2021] M. M. Jacak, P. Jóźwiak, J. Niemczuk, and J. E. Jacak, Scientific Reports 11, 16108 (2021).
Huang et al. [2021] L. Huang, H. Zhou, K. Feng, and C. Xie, npj Quantum Information 7, 107 (2021).
Colbeck [2009] R. Colbeck, Ph.D. thesis, University of Cambridge (2009), arXiv:quant-ph/0911.3814 .
Colbeck and Kent [2010] R. Colbeck and A. Kent, Journal of Physics A 44, 095305 (2010).
Pironio et al. [2010] S. Pironio, A. Acín, S. Massar, A. B. de la Giroday, D. N. Matsukevich, P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe, Nature 464, 1021 (2010).
Pironio and Massar [2013] S. Pironio and S. Massar, Physical Review A 87, 012336 (2013).
Liu et al. [2018] Y. Liu, Q. Zhao, M.-H. Li, J.-Y. Guan, Y. Zhang, B. Bai, W. Zhang, W.-Z. Liu, C. Wu, X. Yuan, H. Li, W. J. Munro, Z. Wang, L. You, J. Zhang, X. Ma, J. Fan, Q. Zhang, and J.-W. Pan, Nature 562, 548 (2018).
Liu et al. [2021] W.-Z. Liu, M.-H. Li, S. Ragy, S.-R. Zhao, B. Bai, Y. Liu, P. J. Brown, J. Zhang, R. Colbeck, J. Fan, Q. Zhang, and J.-W. Pan, Nature Physics 17, 448 (2021).
Li et al. [2011] H.-W. Li, Z.-Q. Yin, Y.-C. Wu, X.-B. Zou, S. Wang, W. Chen, G.-C. Guo, and Z.-F. Han, Physical Review A 84, 034301 (2011).
Li et al. [2012] H.-W. Li, M. Pawłowski, Z.-Q. Yin, G.-C. Guo, and Z.-F. Han, Physical Review A 85, 052308 (2012).
Rusca et al. [2019] D. Rusca, T. van Himbeeck, A. Martin, J. B. Brask, W. Shi, S. Pironio, N. Brunner, and H. Zbinden, Physical Review A 100, 062338 (2019).
Nie et al. [2016] Y.-Q. Nie, J.-Y. Guan, H. Zhou, Q. Zhang, X. Ma, J. Zhang, and J.-W. Pan, Physical Review A 94, 060301 (2016).
Cao et al. [2016] Z. Cao, H. Zhou, X. Yuan, and X. Ma, Physical Review X 6, 011020 (2016).
Tavakoli [2021] A. Tavakoli, Physical Review Letters 126, 210503 (2021).
Lunghi et al. [2015] T. Lunghi, J. B. Brask, C. C. W. Lim, Q. Lavigne, J. Bowles, A. Martin, H. Zbinden, and N. Brunner, Physical Review Letters 114, 150501 (2015).
Brask et al. [2017] J. B. Brask, A. Martin, W. Esposito, R. Houlmann, J. Bowles, H. Zbinden, and N. Brunner, Physical Review Applied 7, 054018 (2017).
Avesani et al. [2021] M. Avesani, H. Tebyanian, P. Villoresi, and G. Vallone, Physical Review Applied 15, 034034 (2021).
Pivoluska et al. [2021] M. Pivoluska, M. Plesch, M. Farkas, N. Ružičková, C. Flegel, N. H. Valencia, W. McCutcheon, M. Malik, and E. A. Aguilar, npj Quantum Information 7, 50 (2021).
Gallego et al. [2010] R. Gallego, N. Brunner, C. Hadley, and A. Acín, Physical Review Letters 105, 230501 (2010).
Trevisan [2001] L. Trevisan, J. ACM 48, 860–879 (2001).
Carter and Wegman [1979] J. Carter and M. N. Wegman, Journal of Computer and System Sciences 18, 143 (1979).
Konig et al. [2009] R. Konig, R. Renner, and C. Schaffner, IEEE Transactions on Information Theory 55, 4337 (2009).
Masanes [2005] L. Masanes, Extremal quantum correlations for n parties with two dichotomic observables per site (2005), arXiv:quant-ph/0512100 .
Tomamichel and Hänggi [2013] M. Tomamichel and E. Hänggi, Journal of Physics A: Mathematical and Theoretical 46, 055301 (2013).
Mannalath et al. [2021] V. Mannalath, R. K. Patra, M. Janpandit, S. Sen, M. Banik, and A. Chaturvedi, Physical Review A 104, 012420 (2021).
Pawłowski and Brunner [2011] M. Pawłowski and N. Brunner, Physical Review A 84, 010302 (2011).
Tavakoli et al. [2020] A. Tavakoli, M. Smania, T. Vértesi, N. Brunner, and M. Bourennane, Science Advances 6, eaaw6664 (2020).
Mironowicz and Pawłowski [2019] P. Mironowicz and M. Pawłowski, Physical Review A 100, 030301 (2019).
Mironowicz et al. [2014] P. Mironowicz, H.-W. Li, and M. Pawłowski, Physical Review A 90, 022322 (2014).
Hendrych et al. [2012] M. Hendrych, R. Gallego, M. Mičuda, N. Brunner, A. Acín, and J. P. Torres, Nature Physics 8, 588 (2012).
Li et al. [2015a] H.-W. Li, Z.-Q. Yin, M. Pawłowski, G.-C. Guo, and Z.-F. Han, Physical Review A 91, 032305 (2015a).
Li et al. [2015b] D.-D. Li, Q.-Y. Wen, Y.-K. Wang, Y.-Q. Zhou, and F. Gao, Scientific Reports 5, 15543 (2015b).
Mironowicz et al. [2016] P. Mironowicz, A. Tavakoli, A. Hameedi, B. Marques, M. Pawłowski, and M. Bourennane, New Journal of Physics 18, 065004 (2016).
Bancal et al. [2014] J.-D. Bancal, L. Sheridan, and V. Scarani, New Journal of Physics 16, 033011 (2014).
Ioannou et al. [2019] M. Ioannou, J. B. Brask, and N. Brunner, Physical Review A 99, 052338 (2019).
Wang et al. [2015] Y.-K. Wang, S.-J. Qin, X. Wu, F. Gao, and Q.-Y. Wen, Physical Review A 92, 052321 (2015).
Nieto-Silleras et al. [2014] O. Nieto-Silleras, S. Pironio, and J. Silman, New Journal of Physics 16, 013035 (2014).
Colbeck and Renner [2012] R. Colbeck and R. Renner, Nature Physics 8, 450 (2012).
Zhou et al. [2015] Y.-Q. Zhou, H.-W. Li, Y.-K. Wang, D.-D. Li, F. Gao, and Q.-Y. Wen, Physical Review A 92, 022331 (2015).
Zhou et al. [2016] Y.-Q. Zhou, F. Gao, D.-D. Li, X.-H. Li, and Q.-Y. Wen, Physical Review A 94, 032318 (2016).
Wang et al. [2021] X. Wang, J. Yuan, Y. Zhou, Y. Liu, and L. Fan, Quantum Information Processing 20, 346 (2021).