Abstract
We analyze the information an attacker can obtain on the numbers generated by a user by measurements on a subsystem of a system consisting of two entangled two-level systems. The attacker and the user make measurements only on their respective subsystems. Already the knowledge of the density matrix of the subsystem of the user completely determines the upper bound on the information accessible to the attacker. We compare and contrast this information to the appropriate bounds provided by quantum state discrimination.
Original content from this work may be used under the terms of the Creative Commons Attribution 4.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.
1. Introduction
Random numbers have wide applications [1], ranging from Monte Carlo simulations [2] via lotteries and gambling to classical and quantum cryptography protocols [3–6]. For most of these tasks, the privacy of the generated numbers plays a crucial role, that is, the condition that the random numbers are not predictable by any model and that an attacker cannot obtain information that allows him to at least partially predict them.
A quantum random number generator (QRNG) offers at least theoretically the possibility to create such unpredictable random numbers [7, 8], due to the physical nature of their generation process and the inherent indeterminism of quantum theory. Typical examples of QRNG implementations are photons on a beam splitter [9], homodyne measurements of the vacuum [10], or laser phase noise [11].
However, real-life implementations of QRNGs usually suffer from imperfections that open the door for an attacker to get at least partial information about the generated numbers. In this article, we employ an elementary two-qubit model for such a non-ideal QRNG to determine how much information an attacker can maximally gain by exploiting the imperfections of a QRNG.
In order to implement our model experimentally, two conditions have to be fulfilled: (i) the control and entanglement of two qubit systems, and (ii) the tomography of both qubits. Fortunately, both requirements can be achieved readily. Over the past years, a wide range of experiments controlling and measuring two-qubit systems have been realized, ranging from superconducting qubits [12], over trapped ions [13, 14] and Rydberg atoms [15], to entangled photons [16]. Tomography has also been demonstrated for different systems [17, 18].
1.1. Formulation of problem
Throughout our article we follow an operational approach toward quantum mechanics à la Lamb [19]. We consider a QRNG with an imperfect source from which an attacker can obtain information. In particular, we make a model which includes the state that is prepared, and the measurements which are performed. Based on this model we then calculate all the relevant quantities.
Figure 1 depicts our QRNG model consisting of a single qubit system A, that is prepared in a quantum state . The user performs projective measurements in the direction of the unit vector eA on the Bloch sphere of the system A. To each of the two possible outcomes he assigns a bit value a, with a = 0 or a = 1. We denote the probability that the user obtains the bit value a for the measurement direction eA by .
Since the user wants to maximize the entropy, his measurement is chosen in such a way that the measurement outcomes, and thus the assigned bit values, have equal probability. In the ideal case, the state would be a pure state, but due to imperfections it is in general assumed to be a mixed state. By extending the system with a qubit environment B, we can purify to a pure state in the system A + B.
In the worst case, an attacker, who wants to gain as much knowledge about the generated random numbers as possible, knows or might even have prepared the complete state . The attacker is also aware of the user's measurement, and can perform a projective measurement on the subsystem B. We denote the measurement direction by the unit vector eB on the Bloch sphere of the subsystem B. This measurement yields a bit value outcome b with probability , where b = 0 or b = 1.
We note that for a practical QRNG the experiment has to be performed many times, since every run only provides us with a single bit of information. Moreover, we make the assumption that the state and the measurements are identical in every run. Under this condition, the Born rule guarantees that in our model the measured bit values are independent and identically distributed. By performing an appropriate measurement, the user can obtain a uniform distribution of his bits.
The question the user has to ask then is: How much information can the attacker gain from his own measurement result b about the user's random bit a?
In order to quantify this information, we use the mutual information, which reflects the amount of information the attacker will gain on average from his measurement result b about the user's measurement result a. It is therefore closely related to the conditional Shannon entropy, which quantifies the average uncertainty of the user's bit a, depending on the attacker's bit b. In fact, if the user's bits are obtained from a uniform distribution, the mutual information is complementary to the conditional Shannon entropy.
We note that in similar models [20–28] the conditional min-entropy Hmin(X|E) [29] has often been used, which quantifies the uncertainty the attacker has about the user's bit value a, when he guesses the most likely measurement outcome considering his own measurement result b. In contrast to the conditional Shannon entropy, the conditional min-entropy only considers the most probable result, while less probable results are neglected, and is thus always lower than the conditional entropy.
We furthermore note that in order to perform adequate post-processing of the raw bit string, one is usually interested in the min-entropy of the complete sequence of n bits, and not only of a single measurement outcome. For our QRNG model we assume that all bits are obtained from the same distribution and are independent of each other. In the asymptotic limit of infinitely many bits, the most probable bit string is a sequence which contains the bits distributed according to the probability distribution, and not only the most probable bit in every instance. The min-entropy of the complete sequence of n bits therefore converges to n times the conditional Shannon entropy in this asymptotic limit. Hence, the asymptotic limit of the conditional min-entropy can also be derived from the mutual information we calculate in this paper.
1.2. Discussion of the literature
The question raised in this article of how private the random numbers generated in a non-ideal QRNG are, is of course not completely new. There already exist different approaches [20–28] that allow one to estimate the unpredictability of the 'raw' random numbers generated in a non-ideal QRNG. All strategies have in common that one tries to find a lower bound to the min-entropy of a long sequence of raw random numbers. This quantity is then used by a randomness extractor to produce a shorter, but unpredictable sequence of 'perfect' random numbers [30–32].
One approach is to model the setup and its imperfections, and then calculate the min-entropy from this model [20, 21]. However, in many cases this is quite a difficult task, and one has to make sure that the model is a good description of the experimental implementation.
Our approach is very much in line with reference [20] but much more specific. In comparison to the latter paper, we discuss how much information an attacker can get, and how this information depends on the measured quantum state and the chosen measurements. This approach gives us the possibility to show how the attacker can gain information, and how the user of the QRNG can protect himself against it.
Semi-device-independent QRNGs [22–25], in which states are prepared and measured in random bases in order to make Bell-like tests on the raw data, represent a different approach. Here, the violation of certain (in-)equalities, for example Bell inequalities [33], of these data then certifies the non-classicality of the physical process, and determines a lower bound on the min-entropy. This procedure has the advantage that one does not need a specific model of the QRNG, while only certain weaker assumptions on the preparation and/or the measurement devices have to be fulfilled.
Source-independent QRNGs relax the conditions of semi-device-independent QRNGs to the extent that the user trusts the measurement but not the state preparation. These assumptions are reasonable when the user experimentally fully controls the measurement device, but not the preparation devices of the state. Source-independent QRNGs have already been studied for both discrete systems [26, 27] and continuous systems, such as homodyne measurements of the vacuum [28].
In these cases the randomness relevant for the privacy question of a QRNG originates from the fact that the state is not in an eigenstate or a mixture of eigenstates of the measurement operator. In order to guarantee this condition and therefore the randomness, a measurement in at least one complementary basis has to be performed at random instances. From the measurement results in the complementary basis a lower bound on the min-entropy can then be deduced [26–28].
The resource theory of quantum coherence [34] plays an essential role in the determination of these boundaries. In these considerations the quantum coherence of a state in a given basis is quantified by an abstract measure in terms of the distance of the state from the set of incoherent states in that basis. It has been demonstrated [35] that the maximal randomness, which can be obtained from a state represented in a basis complementary to the measurement basis, can be connected to a coherence measure.
The question of which coherence measure one has to use in order to describe the extractable randomness depends on the measure quantifying the randomness and on the model of the attacker. In fact, in reference [36] two different coherence measures are needed for a 'classical' and a 'quantum' Eve, that is two different types of attackers. The latter case considers a scenario where Eve does not perform measurements on her subsystem, and the randomness is quantified by the entropy of her subsystem. In the 'classical' Eve case, the attacker also performs measurements on her subsystem, and is therefore quite similar to our scheme.
In our article we also follow a source-independent approach, since we only consider imperfect sources, but perfect measurements. However, we suspect that our model might also be suitable for the description of imperfect measurements.
In contrast to references [26–28, 35, 36], we do not use the abstract concept of coherence measures, but follow an operational approach to model the QRNG. For a given state of the two-qubit system and the measurements of both the user and the attacker, we first calculate the resulting probability distributions from this model. Then we maximize the information the attacker can gain over all of his possible strategies. Our calculations therefore directly show the setting the attacker has to choose in order to maximize the mutual information. Moreover, it provides us with the dependence of the mutual information on the strategy of the attacker.
In contrast, coherence measures only provide us with the minimal randomness of the system, but cannot reveal the attacker's measurement strategy. Thus, our results can easily be adapted to cases where restrictions on the attacker's measurement strategy are applied.
1.3. Outline
Our article is organized as follows: in section 2, we consider the case of fixed projective measurement directions in both the system and the environment, and derive a general expression for the mutual information. We then focus in section 3 on the case of a QRNG, where the user selects his measurement in such a way that the bit a is uniformly distributed, and obtain the maximal information any attacker can gain. Finally, in section 4 we conclude by summarizing our results and providing a short outlook.
In order to keep our article self-contained while focused on the essential ideas we have included additional material and extensive calculations in four appendices. In appendices
2. Mutual information for projective measurements
In this section we derive a general expression for the mutual information in our QRNG model for the case in which only projective measurements are performed on both A and B. We discuss the dependence of the mutual information on the entanglement of the two qubit subsystems as well as on the measurement directions. The results provided in this section will serve as the foundation of our analysis of the worst case presented in section 3.
2.1. Mutual information and entanglement
We quantify the information the attacker can gain from his bit value b about the user's bit value a using the mutual information [4, 37, 38]
that a measurement on the system B can provide about the measurement outcome in the system A, and vice versa. Here, is the joint probability of getting the measurement results a and b when performing a measurement on A and on B.
We note that for a separable state , the measurement results in both subsystems are independent of each other, that is the joint probability is given by the product
of the marginals for all combinations of measurement results a and b, and the logarithm and hence the mutual information both vanish, that is
In order to achieve a non-vanishing mutual information, the two subsystems A and B must be entangled. Indeed, we shall show that the entanglement between the two subsystems plays a crucial role for the mutual information.
We gain a deeper insight into the role of the entanglement by noting from equation (1) that the mutual information depends only on the measurement probabilities, which result from the measurement operators of the user and the attacker as well as from the state of the complete system.
Since we want to model a quantum random number generator, the user chooses the measurement such that a uniform distribution arises. The user's measurement is therefore fixed with respect to the state of the subsystem of the user. The mutual information then depends only on the measurement of the attacker and the state of the complete system.
To obtain the maximal mutual information, the attacker has to choose his measurement accordingly. The requirements of a uniform distribution for the user and of maximal mutual information for the attacker reduce the number of degrees of freedom, and the mutual information can then only depend on the entanglement of the two subsystems.
2.2. States of system and subsystems
We start from the pure two-qubit state
representing the state of the combined system of A and B by complex coefficients Ψij, which can be interpreted as the elements of a 2 × 2 matrix Ψ. We quantify the entanglement between the two subsystems of the state by the concurrence
which can take values between zero, for being a separable state, and one, when is a maximally entangled state.
When we trace out the subsystem B(A), we obtain the reduced density operator
of the subsystem A(B), which can be written in the form
Here, the vector aA(B) denotes the Bloch vector of the reduced subsystem , and is the vector of Pauli matrices.
We note that for the two density operators and , which are derived from the same common pure state , the eigenvalues and thus the lengths of the respective Bloch vectors have to be the same [4], that is |aA| = |aB|. These lengths are furthermore related to the concurrence, equation (5), by
Alternatively, we can relate these lengths to the purity
of the density operator of the subsystem. From equation (8), we find the relation
between the purity and the concurrence.
2.3. Projective measurements and probabilities
So far we have concentrated on the state of the combined system. We now analyze measurements on the subsystems.
For this purpose we assume that the user makes a projective measurement described by the projection operators
while the attacker performs a projective measurement given by the operators
with a = 0, 1 and b = 0, 1.
The probability to find the bit a given that the user measures in the direction eA and the system is in the state follows from the Born rule as
Analogously, the probability to obtain b provided the attacker measures in the direction eB takes the form
By inserting equations (11) and (12) into equations (13) and (14) respectively, and exploiting equations (6) and (7), we find the marginal probabilities
for the subsystem of the user, and
for the subsystem of the attacker.
The joint probability to find the values a and b, provided the measurements are in the directions eA and eB, is given by
and with the definitions of the projection operators, equations (11) and (12), this probability takes the form
where we have introduced the (3 × 3) matrix
accounting for the correlation between the two subsystems.
2.4. Bias and correlation
So far, we have defined the state and the measurement operators for our two-qubit model. We are now in the position to calculate the mutual information for a general pure two-qubit state and projective measurements in both subsystems.
2.4.1. Definitions
Inserting the probabilities, equations (15), (16) and (18), back into the definition of the mutual information, equation (1), we find
where we have introduced the three parameters
Here, α and β quantify the bias in the measurement outcome on the subsystem A and B, respectively, which can be seen by comparing the definition of these parameters with the marginal probabilities equations (15) and (16). Moreover, κ reflects the influence of the correlation between the two subsystems on the joint measurement.
The three parameters are not independent of each other. The bias parameters α and β both depend on the density operators of their respective subsystem, which are in general not independent, since both result from a common entangled pure state. The parameter κ also depends on this pure state, as well as on the measurement directions, which also enter in the bias parameters.
In the following we will derive a constraint on these three parameters. For this purpose, we first derive an explicit expression for
2.4.2. Constraints
A general state , given by equation (4), can always be written in the form
due to the Schmidt decomposition [4], where we have introduced new basis sets in both subsystems A and B. Note that in the state , in general the spins do not have to point into the same direction anymore.
In appendix
for the correlation matrix.
From the definition of the concurrence, equation (5), we obtain from equation (22)
Together with equation (8) and the normalization condition λ1 + λ2 = 1, we arrive at
and
When we insert equations (25) and (26) into the correlation matrix, equation (23), we obtain
Furthermore, by calculating the density matrices and with help of equations (6) and (22), and comparing the result with equation (7), we find , that is the Bloch vectors point along the z-axis of their respective subsystem.
We are now in the position to calculate the three parameters α, β and κ. From their definition, equation (21), we obtain
for the correlation parameter, as well as
and
for the bias of the user and the attacker, respectively. Here, we have defined .
In appendix
For any fixed parameter α, that is for a fixed measurement direction of the user, the equality in equation (31) describes an ellipse in the κ–β-plane. All valid combinations of the parameters β and κ therefore have to lie inside or on the boundary of this ellipse.
2.4.3. Special cases
We conclude our discussion by considering the two extreme limits of the concurrence : (i) a separable bipartite state, and (ii) a maximally entangled state.
For any separable state, that is , the constraint becomes
which is only fulfilled for κ = αβ.
As a consequence, we find that the logarithm of equation (20) vanishes leading us to
as one would expect.
In the other extreme, when the state is maximally entangled, that is , the bias parameters vanish in both subsystems, that is α = β = 0, and the correlation is bounded by −1 ⩽ κ ⩽ 1.
Inserting these values into equation (20), the mutual information takes the form
which after performing the summation reads
For κ = ±1, we get
allowing the attacker to obtain complete information about the user's random bit, independent of the user's measurement choice. We emphasize that for a maximally entangled state the user cannot prevent the attacker from finding out his random bit.
3. Worst-case scenario
In the preceding section we have derived a general expression for the mutual information of a two-qubit system which depends on the concurrence and on the measurements performed relative to the reduced density matrices on both subsystems. We now discuss special measurement strategies of user and attacker and highlight the important role of entanglement in our scheme. Throughout this section we consider the worst case for the user, that is the attacker somehow knows the user's measurement directions, as well as the complete state .
3.1. User's choice of measurement direction
For a QRNG, a user would naturally maximize the entropy of the bits and therefore choose his measurements in such a way that he obtains uniformly distributed bits with
According to equation (15) this requirement translates into condition
for the user's measurement.
Geometrically, this prescription means eA ⊥ aA, that is the measurement is perpendicular to the Bloch vector of . There are infinitely many vectors eA that fulfill this condition. Throughout this section, we consider this situation with a fixed eA but generalize it slightly in appendix
When we substitute equation (38) into equation (20), we obtain the mutual information
The parameters κ and β are not independent, but constrained by the inequality
corresponding to an ellipse with the semi-major and semi-minor axes coinciding with the κ and β axes, which follows directly from equation (31) for α = 0.
3.2. Maximum of mutual information
In order to guarantee the secrecy of his random bits, the user has to address the question: What is the maximal information following from (39) any attacker can obtain about the bit a for the given setting?
3.2.1. Exact expression
Since the mutual information is a convex function in the κ–β-plane, its maximum has to lie on the boundary of the ellipse. In figure 2 we show that the mutual information is maximized on the intersection of the ellipse given by the constraint, equation (40), and the κ-axis. These points lead to the two conditions
and
The condition on the attacker's bias, equation (41), means that the measurement direction of the attacker eB is perpendicular to the Bloch vector aB of his subsystem. Hence, the attacker will also obtain a uniform distribution of his bits. As for the user, there are infinitely many measurement directions that fulfill this condition.
The second condition, equation (42), together with equations (28), (29) and (38) leading to , poses the requirement
on the choice of the attacker's measurement, which restricts the attacker's measurement to two directions. He can either choose eB = (eA,x, −eA,y, 0) or eB = (−eA,x, eA,y, 0).
As a result, by inserting equations (41) and (42) into (39), we find
and after performing the summations the maximal mutual information an attacker can gain by performing a measurement on the environment reads
This expression is the central result of our article. We note that we can also find equation (45) analytically. This rather lengthy calculation is shown in detail in appendix
It is interesting to note that a similar equation holds true if the user switches between different measurements. In appendix
Figure 3 shows the maximal mutual information, equation (45), in its dependence on both the concurrence and the purity. The more the two systems are entangled, that is the less pure the state of the user, the more information can be gained from one measurement result about the other.
3.2.2. Asymptotic expressions
If the complete state is only weakly entangled corresponding to C ≪ 1, we can perform a Taylor expansion
of the logarithm to second order and thus approximate equation (45) by
Hence, for small concurrences the maximal mutual information only grows quadratically, and there is almost no mutual information. The additional information about the more probable bit is almost compensated by the reduced information about the less probable bit. Thus, for small concurrences , the information an attacker can gain is almost negligible, providing a certain robustness of such a QRNG scheme against small entanglement between the QRNG's system and the environment.
From the viewpoint of the user, equation (47) means that the mutual information decreases linearly with the purity for . Indeed, when we substitute the connection, equation (10) between and into equation (47) we find
On the other hand, for values of the mutual information grows rapidly with increasing , since the positive term in equation (45) is weighted with a high probability, while the factor decreasing the mutual information becomes smaller.
We finally remark that in our scheme the user needs to know the state of his subsystem, which in general can be obtained by state tomography. The connection, equation (10), between the concurrence and the purity of the user's subsystem then allows the user to find an upper bound on the privacy of his data.
3.3. Binary entropy
We remark that the maximal mutual information, equation (45), is closely related to the randomness for the 'classical' Eve defined by (24) in reference [36], which is expected due to the similar setup. In contrast to our result, the randomness used in reference [36] is described by a Shannon entropy, while we use the mutual information.
These two quantities are closely related. In fact, equation (45) enjoys an elementary interpretation, based on the binary entropy
for a probability p. Indeed, equation (45) can be written as
The first term on the right-hand side corresponds to the entropy of the user's random number without any correlation to another measurement result. This value is one, due to the fact that the user's bit is equally distributed.
The second term on the right-hand side, which subtracts from the user's entropy, is the conditional entropy of the user's bit, when the attacker's bit is known. This contribution corresponds to the entropy that remains, even when the attacker has made a measurement, and therefore reduces the information he can gain. Interestingly, this entropy corresponds to a binary entropy, with probabilities
Hence, the concurrence is a measure of the deviation from a uniform binary distribution. For a vanishing concurrence the user's bit is equally likely for any value of the attacker's bit, while with increasing concurrence the probability of having coincidental results between the user's and the attacker's outcome increases.
3.4. Privacy of the quantum random numbers and quantum state discrimination
We conclude our discussion of the worst case scenario by taking a different point of view on the privacy of the random numbers generated by a QRNG. Indeed, the question of how much information an attacker can maximally gain can also be considered as a quantum state discrimination task [39–41]. After a measurement on the subsystem A, the state of the attacker in the subsystem B is a pure state, depending on the outcome a of the measurement performed on the subsystem A. The task of the attacker is to discriminate between his two states.
When the two states are orthogonal, the attacker can always perform a measurement that allows him to discriminate between the two states with certainty. In general, however, the two states are not orthogonal and therefore there is no measurement that can decide unambiguously between the two cases.
It is well known that the maximal mutual information accessible in this case is bounded from above and below by the inequalities
The upper bound is the well-known Holevo bound [4]
with and the Shannon entropy
where λk denote the eigenvalues of the density operator .
The lower bound for the maximal accessible information, proposed by Jozsa, Robb and Wootters [42], is given by
with the subentropy
We now consider the state discrimination task for our problem of the QRNG in the worst-case scenario. As a first step, we show that the states the attacker obtains are not orthogonal, as long as the combined state , defined in equation (4), is not maximally entangled.
For the measurement outcome a, the user finds the state
with an arbitrary but fixed phase φ.
Therefore the state in the subsystem B, conditioned on the measurement result a, reads
where the probability , given by equation (14), in the denominator ensures normalization.
We recall the state in the Schmidt decomposition, equation (22), and find
for the state in the subsystem B, conditioned that the user has measured the bit a.
For |aA| > 0 the scalar product
between the two states and , following from equation (59), does not vanish, and these two states are not orthogonal.
In the next step, we calculate the bounds given by equations (53) and (55). Since the entropy vanishes for a pure state, the Holevo bound is given by the Shannon entropy of the state of the attacker .
With the explicit formulas equations (25) and (26) for the eigenvalues λk and the definition of the Shannon entropy , equation (54), we find
for the Holevo bound.
We note that the Holevo bound is closely related to the relative entropy of coherence, that is the intrinsic randomness in the 'quantum' Eve case, calculated in reference [36]. This connection is not surprising, since the Holevo bound corresponds to the amount of entropy contained in the state of the attacker's subsystem.
Since the subentropy also vanishes for pure states, the maximal accessible information is given by the subentropy of the attacker's density matrix. By using the eigenvalues, equations (25) and (26), of , which are identical to those of , together with the definition of , equation (56), we obtain
for the minimal accessible information.
In figure 4 we compare our result for the maximal mutual information, equation (45), with the Holevo bound, equation (61), and the minimal accessible information, equation (62). The result of our worst case considerations, equation (45), lies between the two bounds, as expected. However, our result is strictly lower than the Holevo bound except for the boundary values and , and is therefore an improvement for the user over just assuming the Holevo bound. This advantage originates from the fact that the Holevo bound only depends on the maximal information contained in the state of the subsystem B, independent of the composition of this state, that is of the exact form of the states and . The Holevo bound is only tight if and are identical or orthogonal, which is only fulfilled if the pure state of the combined system is either separable or maximally entangled. In all the cases in between the Holevo bound is not tight. Our result, equation (45), is exact, and therefore takes the measurement of the user and hence the exact form of and into account.
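As an added worked example (our own numpy code, not part of the paper), the two-qubit model of sections 2 and 3 evaluated numerically: the Schmidt-form state for a given concurrence, the reduced states and Bloch vectors, the Born-rule joint distribution for projective measurements along eA and eB, the mutual information, a brute-force search over the attacker's direction for a user direction perpendicular to aA, and the Holevo bound and subentropy of section 3.4. The closed forms for the Schmidt coefficients, for the maximal mutual information as a binary entropy, and for the two-eigenvalue subentropy are our own evaluation of the quantities the text defines, not transcriptions of equations (25), (26), (45) and (62), which are not reproduced on this page.

```python
import numpy as np

I2 = np.eye(2, dtype=complex)
# Pauli vector (sigma_x, sigma_y, sigma_z), shape (3, 2, 2)
SIGMA = np.array([[[0, 1], [1, 0]], [[0, -1j], [1j, 0]], [[1, 0], [0, -1]]], dtype=complex)

def schmidt_state(c):
    """Pure state sqrt(l1)|00> + sqrt(l2)|11> with concurrence c. From l1 + l2 = 1 and
    c = 2 sqrt(l1 l2) one finds l1,2 = (1 +- sqrt(1 - c^2)) / 2 (our own derivation)."""
    s = np.sqrt(1.0 - c ** 2)
    psi = np.zeros(4, dtype=complex)
    psi[0], psi[3] = np.sqrt((1 + s) / 2), np.sqrt((1 - s) / 2)
    return psi

def reduced_states(psi):
    """rho_A = Psi Psi^dagger and rho_B = Psi^T Psi^* for psi = sum_ij Psi_ij |i>_A|j>_B."""
    m = psi.reshape(2, 2)
    return m @ m.conj().T, m.T @ m.conj()

def bloch_vector(rho):
    """a = Tr(rho sigma), the Bloch vector of a qubit density operator."""
    return np.real(np.array([np.trace(rho @ s) for s in SIGMA]))

def concurrence(psi):
    """C = 2 |det Psi| for a pure two-qubit state (standard closed form)."""
    return 2.0 * abs(np.linalg.det(psi.reshape(2, 2)))

def projector(direction, bit):
    """P_bit(e) = (1 + (-1)^bit e.sigma) / 2, the projector onto outcome `bit` along e."""
    e = np.asarray(direction, dtype=float) / np.linalg.norm(direction)
    return 0.5 * (I2 + (-1) ** bit * np.einsum("k,kij->ij", e, SIGMA))

def joint_probabilities(psi, e_a, e_b):
    """Born rule: p[a, b] = <psi| P_a(e_A) (x) P_b(e_B) |psi>."""
    p = np.zeros((2, 2))
    for a in (0, 1):
        for b in (0, 1):
            op = np.kron(projector(e_a, a), projector(e_b, b))
            p[a, b] = np.real(np.vdot(psi, op @ psi))
    return p

def mutual_information(p):
    """I(A:B) = sum_ab p(a,b) log2[p(a,b) / (p(a) p(b))] in bits."""
    pa, pb = p.sum(axis=1), p.sum(axis=0)
    nz = p > 1e-15
    return float(np.sum(p[nz] * np.log2(p[nz] / np.outer(pa, pb)[nz])))

def user_direction(psi):
    """A unit vector e_A perpendicular to the user's Bloch vector a_A, so that p(a) = 1/2.
    For a_A = 0 (maximally entangled state) every direction works; we take x."""
    a_vec = bloch_vector(reduced_states(psi)[0])
    norm = np.linalg.norm(a_vec)
    if norm < 1e-12:
        return np.array([1.0, 0.0, 0.0])
    helper = np.array([0.0, 0.0, 1.0]) if abs(a_vec[2]) < 0.9 * norm else np.array([1.0, 0.0, 0.0])
    e = np.cross(a_vec, helper)
    return e / np.linalg.norm(e)

def fibonacci_sphere(n):
    """n roughly evenly spread unit vectors, used as candidate attacker directions."""
    k = np.arange(n) + 0.5
    polar, azimuth = np.arccos(1.0 - 2.0 * k / n), np.pi * (1.0 + 5 ** 0.5) * k
    return np.stack([np.cos(azimuth) * np.sin(polar), np.sin(azimuth) * np.sin(polar), np.cos(polar)], axis=1)

def attacker_optimum(psi, e_a, n_points=5000):
    """Brute-force maximum of I(A:B) over the attacker's direction e_B for fixed e_A."""
    best_i, best_e = -1.0, None
    for e_b in fibonacci_sphere(n_points):
        i_ab = mutual_information(joint_probabilities(psi, e_a, e_b))
        if i_ab > best_i:
            best_i, best_e = i_ab, e_b
    return best_i, best_e

def binary_entropy(p):
    """h(p) = -p log2 p - (1 - p) log2 (1 - p)."""
    return float(-sum(x * np.log2(x) for x in (p, 1.0 - p) if x > 1e-15))

def max_mutual_information(c):
    """Binary-entropy form of the worst case: with e_A = x and e_B = x on the Schmidt state
    the Born rule gives p(b = a) = (1 + C)/2, so I_max = 1 - h((1 + C)/2) (our derivation)."""
    return 1.0 - binary_entropy((1.0 + c) / 2.0)

def holevo_bound(c):
    """Shannon entropy of the attacker's reduced state, eigenvalues (1 +- sqrt(1 - C^2))/2."""
    return binary_entropy((1.0 + np.sqrt(1.0 - c ** 2)) / 2.0)

def subentropy(c):
    """Jozsa-Robb-Wootters subentropy Q = -sum_k prod_{j!=k} [l_k/(l_k - l_j)] l_k log2 l_k
    of the same two eigenvalues; for l1 = l2 = 1/2 (C = 1) the limit is taken."""
    s = np.sqrt(1.0 - c ** 2)
    l1, l2 = (1 + s) / 2, (1 - s) / 2
    if s < 1e-9:  # limit of -[f(l1) - f(l2)]/(l1 - l2) = -f'(1/2) with f(l) = l^2 log2 l
        return 1.0 - 1.0 / (2.0 * np.log(2.0))
    f = lambda l: l ** 2 * np.log2(l) if l > 1e-15 else 0.0
    return float(-(f(l1) - f(l2)) / (l1 - l2))
```

For C = 0.6, `attacker_optimum(schmidt_state(0.6), user_direction(schmidt_state(0.6)))` returns about 0.278 bits at eB along ±y for eA = y, which lies between the subentropy (about 0.112) and the Holevo bound (about 0.469), the ordering figure 4 describes.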
4. Conclusions and outlook
We are now in the position to summarize our results and provide a short outlook. Throughout this article we have discussed the privacy of random numbers created by a non-ideal QRNG, represented by a single qubit system coupled to another qubit system that models the environment. The attacker may have access to this environment, whose presence reflects the fact that the user cannot prepare a perfectly pure quantum state.
We have provided an upper bound, equation (45), on how much information the attacker can gain about the user's random bit. From this expression, we conclude that the limiting factor on this bound is the entanglement between the QRNG system and its environment, quantified by the concurrence. We emphasize that our upper bound holds without any further restrictions on the user's or attacker's measurement scheme.
Moreover, we have shown that our scheme can be interpreted in terms of quantum state discrimination. This point of view allows us to compare the result to the known bounds. Since our worst case analysis is exact, our result improves the well-known Holevo bound in this special case.
We emphasize that our results can directly be applied to different QRNG realizations. Furthermore, our analysis can be extended to generalized measurements, such as POVMs, and measurement strategies, which may lead to a further reduction of the maximal mutual information. This extension also allows us to include the effects of detector efficiencies into our model.
With these modifications our model will constitute an elementary yet useful tool to estimate the maximal information the attacker can gain on the numbers created by QRNGs. We will also be able to extend our model to self-testing QRNG devices, by further including the state tomography directly into the measurement protocol. Finally we might improve existing lower bounds on the min-entropy. These topics, however, go beyond the scope of the present article and will be addressed in a future publication.
Acknowledgments
We are grateful to A Friedrich, E Giese, M Steiner, A Wolf and S Wölk for many fruitful discussions. We thank M Beck for sending us reference [18] before publication. JS thanks the Center for Integrated Quantum Science and Technology (IQST) for a fellowship within the framework of the Quantum Alliance sponsored by the Ministry of Science, Research and Arts, Baden-Württemberg. TS acknowledges support from the EU Quantum Flagship project QRANGE (Grant No. 820405). WPS is grateful to Texas A&M University for a Faculty Fellowship at the Hagler Institute for Advanced Study at Texas A&M University and to Texas A&M AgriLife Research for the support of this work. The research of IQST is financially supported by the Ministry of Science, Research and Arts, Baden-Württemberg.
Appendix A.: Calculation of the correlation matrix
In this appendix we calculate the correlation matrix , defined in equation (19), for a general entangled two qubit state
as defined in equation (22). Since this state is symmetric in the two subsystems, it is obvious that the matrix has to be symmetric too, that is .
Thus, we only have to evaluate six coefficients. We start with the three off-diagonal coefficients. The first one is
By inserting the definition of the state, equation (A.1), as well as of the Pauli matrices, we obtain
which then becomes
Furthermore, in the case of i = x, y and j = z, we find
with some coefficients ci,1 and ci,2, depending on i = x, y. These states are clearly orthogonal to the state , and therefore we find .
Hence, the correlation matrix is diagonal in the Schmidt basis. The only remaining task is therefore to find the diagonal components. For i = j = x we find
which gives
Analogously, for i = j = y, we have
leading to
Finally, for the case i = j = z we find
since the state is normalized.
Combining all of the above results, we finally obtain the correlation matrix
Appendix B.: Parameter constraints
In this appendix, we derive the constraints for the parameters α, β and κ for a general state . In fact, we show that for an arbitrary but fixed measurement parameter α the two parameters β and κ lie inside an ellipse in the κ–β-plane, whose shape is determined by α.
We have shown in the main part of the article that the three parameters are given by
as well as
and
By introducing spherical coordinates in both subsystems A and B, that is
the parameters of equations (B.1)–(B.3) can be rewritten as
as well as
and
From equation (B.5) we get
by bringing the second term on the right-hand side of equation (B.5) to the left-hand side and squaring the resulting equation. Since we have cos x ⩽ 1 for all x, we furthermore find
which is equivalent to
Solving equations (B.6) and (B.7) for cos θA and cos θB, respectively, and inserting these relations into equation (B.10) gives
which can be rewritten as
Note that for a fixed parameter α, this inequality describes the area enclosed by an ellipse in the κ–β-plane, where the shape and orientation of the ellipse are determined by α and the concurrence .
Appendix C.: Maximizing the mutual information
In this appendix, we analytically derive the maximal mutual information an attacker can have access to, in the case of a QRNG setting. The measurement of the user is described by a vector eA with eA ⋅ aA = 0.
The mutual information for this setting is given by
while the two parameters κ and β are constrained by the inequality
which means that they lie inside an ellipse in the κ–β-plane.
C.1. Convexity
It is well known that the mutual information is convex as a function of the conditional probability for a fixed marginal distribution . However, it is not obvious that it is also convex in the κ–β-plane. We now show that the mutual information I is a convex function in the κ–β-plane, that is
for every λ with 0 ⩽ λ ⩽ 1.
We prove the relation, equation (C.3), by starting from the right-hand side of the inequality. By definition, we find
where we have introduced the abbreviations
and
as well as
and
According to the log sum inequality [38] we have
with x ≡ x1 + x2 and y ≡ y1 + y2.
Hence, we find
By explicitly calculating x and y and comparing it with the definition of the mutual information we find
which, together with equation (C.10), proves the convexity of the mutual information, equation (C.3).
C.2. Extrema
Due to the convexity of the mutual information, the maximum of the mutual information lies on the boundary of the ellipse. Hence, it is sufficient to restrict ourselves to the constraint
which is an equality instead of an inequality.
We can parametrize the ellipse by an angle φ, such that we have
and
Inserting these two equations back into equation (C.1), the mutual information becomes a function only dependent on a single parameter φ. In order to maximize this function, we calculate the derivative with respect to φ
First, from equations (C.13) and (C.14), we obtain the derivatives
and
We will now calculate the partial derivatives of the mutual information with respect to κ and β. For the derivative with respect to κ, we find
The second sum vanishes due to symmetry, such that we are left with
which is in general non-vanishing.
The derivative with respect to β is given by
The second sum vanishes again due to symmetry relations, and we find
When we insert this result together with equation (C.19) into equation (C.15), we obtain
This derivative has roots at β = 0 and κ = 0. Unfortunately, it is not obvious from an analytical point of view that these are the only two extrema. However, numerical simulations show that they are indeed the only ones.
For κ = 0 it follows from equation (C.1), that the mutual information vanishes for every value of β. Since the mutual information cannot be negative, κ = 0 represents a minimum of the mutual information.
C.3. Maximum
We finally prove that β = 0 is indeed a maximum of the mutual information. In order to do so, we take a look at the second order derivative
which, in the case of β = 0, simplifies to
Calculating both terms explicitly, we find
as well as
Hence, we arrive at
Since the values of are restricted to the interval , we can evaluate the logarithms with the help of the series representation
valid for |x| < 1, and the relation
for converting the binary to the natural logarithm leads us to the identity
or
When we insert this relation into equation (C.29), we find
with equality if and only if . Thus, the extremum β = 0 corresponds to a maximum.
Appendix D.: Random measurements of the user
In section 3 we have considered the case in which the same projective measurement direction was chosen in each subsystem and for each experimental run. However, in general both the user and the attacker are not restricted to a specific measurement direction but can select in each measurement a different one. In this appendix, we discuss the special case in which the user is able to choose between two distinct measurement directions at random, while we assume that the attacker stays with one.
This procedure is not necessarily the best approach for the attacker to pursue in order to maximize his information on the user's bit, but it is a realistic one if the attacker either has no possibility of knowing the user's specific choice each time, or can only act passively, that is, he cannot control the measurement on the environment.
If, on the other hand, the attacker knew the measurement strategy, he could also perform measurements in two directions, correlated to the user's measurements. In this case the user's advantage is lost, since it reduces to the case of a single measurement direction in both A and B, discussed in section 2.
D.1. Joint probabilities
We now consider the scenario in which the user randomly chooses with equal probability from the two measurement directions and which are both perpendicular to the Bloch vector aA, but differ by an angle γ with 0 ⩽ γ ⩽ π.
Here, the constraint of the vectors being perpendicular to the Bloch vector is again made in order to obtain uniformly distributed bits a, that is
following from equation (15). In contrast, the attacker uses a single measurement direction eB.
The joint probability
is the average value of the probabilities and , which are given by equation (18), of the individual measurement directions, since both measurement directions and are independent of each other and occur with the same probability.
We write equation (D.2) in the form
with a new effective correlation parameter
When we define the unit vector
which is again perpendicular to the Bloch vector aA, we obtain
since we have
Apart from the constant factor cos(γ/2) the correlation parameter κeff, equation (D.6), is the same as the correlation parameter κ, equation (21), for the case of single measurement.
By using equation (19), together with , we find
with the effective correlation
D.2. Discussion and caveat
By comparing equation (D.8) with equation (28) for the case of eA,z = 0, we see that they only differ by in their concurrence. Hence, the maximal mutual information still has the form of (45), with the concurrence being replaced by .
The case γ = 0, that is when both measurement directions coincide with one another, reduces to the one of a single measurement direction, discussed in section 3. However, for γ > 0 we have cos(γ/2) < 1, and thus the maximal mutual information is decreased compared to a single measurement direction. Indeed, by choosing γ = π, the maximal achievable mutual information is reduced to Imax = 0, independent of the concurrence of the state.
In this scenario the user randomly chooses orthogonal measurement directions. Hence, the randomness originates from the fact that he randomly assigns different bit values to the same measurement result. As a consequence, the user would need another QRNG to create this randomness; in this way he puts turtles on top of turtles.
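As an added numerical illustration of appendices C and D (not code from the paper), the following Python scans the mutual information along the boundary of the κ–β ellipse, checks the convexity relation (C.3), and applies the cos(γ/2) reduction of appendix D. Both the joint distribution p(a,b) = (1 + bβ + abκ)/4 and the ellipse κ²/C² + β²/(1−C²) ⩽ 1 are assumptions made here for a Schmidt-form pure state with concurrence C and a user direction e_A ⊥ a_A; equations (C.1), (C.2) and (45) themselves are not reproduced on this page.

```python
import math

# Assumed model: the user measures e_A perpendicular to his Bloch vector, so his bit a
# is uniform, and the joint distribution of the outcomes a, b in {+1, -1} is
#     p(a, b) = (1 + b*beta + a*b*kappa) / 4,
# with beta the attacker's marginal bias and kappa the correlation parameter.
def joint_probability(a, b, kappa, beta):
    return (1.0 + b * beta + a * b * kappa) / 4.0

def mutual_information(kappa, beta):
    """I(a;b) in bits for the model above; p(a) = 1/2 and p(b) = (1 + b*beta)/2."""
    total = 0.0
    for a in (+1, -1):
        for b in (+1, -1):
            p_ab = joint_probability(a, b, kappa, beta)
            if p_ab > 0.0:
                total += p_ab * math.log2(p_ab / ((1.0 + b * beta) / 4.0))
    return total

# Assumed ellipse for a Schmidt-form pure state of concurrence C:
#     kappa^2 / C^2 + beta^2 / (1 - C^2) <= 1,
# parametrised on its boundary by an angle phi as in appendix C.2.
def boundary_point(concurrence, phi):
    return concurrence * math.cos(phi), math.sqrt(1.0 - concurrence**2) * math.sin(phi)

def scan_boundary(concurrence, steps=3600):
    """Return (phi_max, I_max, I_min) from a uniform scan of phi over [0, 2*pi).
    The maximum sits at beta = 0 and the minimum (I = 0) at kappa = 0."""
    phi_max, i_max, i_min = 0.0, -1.0, 2.0
    for k in range(steps):
        phi = 2.0 * math.pi * k / steps
        value = mutual_information(*boundary_point(concurrence, phi))
        if value > i_max:
            phi_max, i_max = phi, value
        i_min = min(i_min, value)
    return phi_max, i_max, i_min

def convexity_gap(p, q, lam):
    """I(lam*p + (1-lam)*q) - [lam*I(p) + (1-lam)*I(q)] for points p, q in the
    kappa-beta plane; convexity (C.3) means this is never positive."""
    mid = (lam * p[0] + (1 - lam) * q[0], lam * p[1] + (1 - lam) * q[1])
    return mutual_information(*mid) - (lam * mutual_information(*p)
                                        + (1 - lam) * mutual_information(*q))

def max_information_random_user(concurrence, gamma):
    """Appendix D: two user directions differing by gamma act like an effective
    concurrence C*cos(gamma/2); the maximum is the beta = 0 point of that ellipse."""
    return mutual_information(concurrence * math.cos(gamma / 2.0), 0.0)
```

For γ = π the effective correlation vanishes and the attacker learns nothing, while γ = 0 recovers the single-direction value.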