A simple quantum generator of random numbers

Cryptography techniques rely on chains of random numbers used to generate safe encryption keys. Since random number generator algorithms are in fact pseudo-random their behavior can be predicted if the generation method is known and as such they cannot be used for perfectly safe communications. In this article, we present a perfectly random generator based on quantummeasurement processes. Themain advantage of such a generator is that using quantum mechanics, its behavior cannot be predicted in any way. We verify the randomness of our generator and compare it to commonly used pseudo-random generators.


Introduction
With the increasing need of secure online communications, cryptography has become one of the cornerstones of computer science. The security of the communications relies on the strength of the algorithm used: for instance the widely used RSA algorithm is only partially secure since its security is based on the difficulty of factorizing large numbers [1]. On the other hand, encryption algorithms based on random keys provide perfectly safe communication protocols [2]. According to Kerckhoffs's principle [3], the strength of this class of cryptographic algorithms rely entirely the randomness of the key. If the behavior of the generator can be in any way predicted, so does the key, and as a result the privacy of the communication is compromised. This problem has been studied thoroughly, for example in the case of Windows operating system [4].
Computer generated random sequences are only pseudo-random. They are based on deterministic algorithms and they use the entropy generated by the user's actions and the computer components to generate randomness. An example of such a pseudo-random number generator (PRNG) is Linux's/dev/random [5]. The main drawback of this kind of generator is that they can easily loop, or create low-entropy numbers. As a consequence, one must be extra careful when using a PRNG [6]. A possible solution would be to use quantum random numbers generators (QRNGs) [7]. Being based on the intrinsic probabilistic nature of quantum measurements, their main advantage is that they can produce a string which is fundamentally unpredictable, even if the device's behavior is fully known. QRNGs have been implemented on different experimental platforms, for example using the quantum fluctuations of vacuum [8], parametric oscillators [9], Raman scattering [10,11] or photon shot-noise [12].
Here, we present a simple quantum randomizer based onthe statistics of arrival times of single photons on an avalanche photodiode. We show that the randomness of the generator is directly related to its bit-rate and that for a single detector, an almost perfectly random chain of 0 and 1 can be obtained for a bit rate of ≃20 bit/s.

Principle of the generator
Every number can be written in base 2, and if this number has been chosen randomly, then every bit of its decomposition in base 2 follows a Bernoulli law of parameter 0.5; the reciprocal is also true. Then, to get a random number, we only have to generate random bits.
The principle of our generator relies on the fact that photon emission is an intrinsically quantum process [13]. As a consequence, their emission time is a random quantity which can be used to generate a string of random bits. Let ðt n Þ n∈N be the times at which photons are detected and let us define the duration between two subsequent detection events (see Fig. 1). If the photon pairs corresponding to the time intervals d m and d n are independent, we expect to have P (d n > d m ) = P (d m > d n ). But we have P (d n > d m ) + P (d m > d n ) + P (d n = d m ) = 1 and P (d n = d m ) = 0 for we consider continuous probabilities. Thus, if two durations are independent, there is a 1/2 probability that the first is greater than the second and 1/2 probability that the second is greater than the first: From this 1/2 probability, we can extract easily a bit by We thus have a sequence of bits b n randomly chosen. However, if n and m are too close, the random variables d n and d m are not independent. These correlations have various origins, from the dead time of the detector that introduces anti-correlation at short-time, to quantum-statistics effect arising fromthe bosonic nature of photons [13].

Experimental implementation
The experimental setup is presented in Figure 2. The laser source is a 50 mW laser diode shining a Thorlabs SPCM50A avalanche photodiode (APD). A cardboard tube is placed between them to reduce the dark photon count to 3 photon/s. Data acquisition was performed using a Python program based on the NI Visa Python library.
The achievable photon flux is limited by the bin time duringwhich photon counting is performed and the deadtime separating two bins. To avoid multiple-photon events, we reduced the bin time to 1 ms, leading to less than 1% of multiple events. The dead-time of the detector t is 19 ms. For a flux comparable or larger than 1/t, a significantnumber of photons will not be detected, leading to strong anticorrelations in the statistics of arrival times. To avoid this bias, we reduced the photon flux to 1700 counts/s by inserting two neutral density filters decreasing the beam intensity by a factor 10 4 and 10 3 , respectively.Then we made sure the beam was centered on the detector, and used the fact that the beam was much largerthan the detector. The detector was 50 mm wide, and our beam was 30 times wider (radius of 1.5 mm) yielding an intensity reduction by an additional factor 900.

Experimental results and randomness tests
To obtain a sufficient number of values, we ran our program several times and then concatenated the obtained arrays. Using this sample, we could generate a chain of 2 933 920 bits on which we performed a series of statistical tests to assess the randomness of the sequence.
We first display in Figure 3 the histogram of time intervals d n used to generate the random sequence. It can be fitted by an exponential law, showing that the probability of detection per unit time is constant. This corresponds to a Poissonnian distribution of the times between two emissions. We then estimate the average and the variance of the b n and compare them to the ideal Bernoulli distribution. The experimental average and the variance are respectively 0.49995 and 0.25000. These values are extremely close to those we would theoretically obtain with a probability 1 2 . To make sure the theoretical value was coherent with our results, we computed the trust intervals at 99.7% and 68% using Student's coefficients [14].
Thus, the generator is a compatible with a Bernoulli random variable of parameter 0.5.
To further test the quality of the generator, we estimate first the autocorrelation function of the data defined by Fig. 1. Scheme of the durations received (each vertical bar represents a photon). t n is the arrival time of the nth photon and d n = t n+1 À t n . We define a random bit from the sign of d n À d m for sufficiently different values of n and m to avoid correlations between arrival times. In Figure 4 we plotted the autocorrelation of the first bits. We observe that correlations vanish after the first bins.
To refine the characterization of the random sequence, we run two common statistical tests. Firstly, we use the Monte-Carlo method to estimate the numerical value of p, by randomly sampling points in a unit square. The fraction of points at a distance to the origin lower than 1 is then an approximation of p/4 and any bias in the random sequence translates into a systematic error on the determination of the computed value of p. The result is shown in Figure 5 where we generated the random sequence by comparing d n and d n+i . We can see that the result of the method is acceptably comparable to Python's random as soon as we take i = 15, which is a sharper condition than the one obtained solely from Figure 4. To be precise, in this case the error produced by our random number generator is around 0.3% and it is comparable to that obtained using Python's built-in generator.
As a final test, we implemented the birthday spacing test [15], which is a commonly-used process used to test random numbers generators: if random points are chosen on an interval; the spacing between the points should be exponentially distributed (this is the source of the so-called birthday paradox demonstrating our poor grasp of random phenomena). The test generates "birthdays" based on the output of our generator and compares them to the theoretical distribution by computing the chi-square and the associated p-value. If the p-value is greater than 0.05, the test is generally considered has being successful. Just like with the Monte-Carlo test, our generator passed the test when we took only one duration out of 15.

Conclusion and outlook
In this article, we have presented a quantum randomnumber generator based on the arrival time of individual photons on an avalanche photodiode. We have shown that the optimal protocol is the result of a trade-off between the bit-rate and the quality of the random sequence. Based on the outcome of the Monte-Carlo test, the maximum bitrate allowed by our setup is about 20 bits⋅s -1 , for 1700 photons per second photon count. The main limiting factor is probably the dead-time of the APD but further study is required to confirm this assumption. In the spirit of [12], one can increase the bit-rate using the same protocol by using an array of single-photon detectors, using for instance an EMCCD (electron-multiplying CCD) camera.
In the course of the project, we also considered the possibility of using a pair of APD and place them at the two output ports of a 50/50 beam-splitter. We would have then defined the value of each bit from the output channel of each detected photon. This solution is actually used commercially by Swiss company ID Quantique but the cost of the two APD prevented us from implementing it experimentally.