Estimating the privacy of quantum-random numbers

Throughout our article we follow an operational approach toward quantum mechanics à la Lamb [19]. We consider a QRNG with an imperfect source from which an attacker can obtain information. In particular, we make a model which includes the state that is prepared, and the measurements which are performed. Based on this model we then calculate all the relevant quantities.

Figure 1 depicts our QRNG model consisting of a single qubit system A, that is prepared in a quantum state ${\hat{\varrho }}_{A}$. The user performs projective measurements in the direction of the unit vector e_A on the Bloch sphere of the system A. To each of the two possible outcomes he assigns a bit value a, with a = 0 or a = 1. We denote the probability that the user obtains the bit value a for the measurement direction e_A by ${W}_{{\mathbf{e}}_{A}}\left(a\right)$.

Zoom In Zoom Out Reset image size

Since the user wants to maximize the entropy, his measurement is chosen in a way, that the measurement outcomes, and thus the assigned bit values, have equal probability. In the ideal case, the state ${\hat{\varrho }}_{A}$ would be a pure state, but due to imperfections it is in general assumed to be a mixed state. By extending the system with a qubit environment B, we can purify ${\hat{\varrho }}_{A}$ to a pure state $\left\vert {\Psi}\right\rangle$ in the system A + B.

In the worst case, an attacker, who wants to gain as much knowledge about the generated random numbers as possible, knows or might even have prepared the complete state $\left\vert {\Psi}\right\rangle$. The attacker is also aware of the user's measurement, and can perform a projective measurement on the subsystem B. We denote the measurement direction by the unit vector e_B on the Bloch sphere of the subsystem B. This measurement yields a bit value outcome b with probability ${W}_{{\mathbf{e}}_{B}}\left(b\right)$, where b = 0 or b = 1.

We note that for a practical QRNG the experiment has to be performed many times, since every run only provides us with a single bit of information. Moreover, we make the assumption that the state and the measurements are identical in every run. Under this condition, the Born rule guarantees that in our model the measured bit values are independent and identically distributed. By performing an appropriate measurement, the user can obtain a uniform distribution of his bits.

The question the user has to ask then is: How much information can the attacker gain from his own measurement result b about the user's random bit a?

In order to quantify this information, we use the mutual information, which reflects the amount of information the attacker will gain on average from his measurement result b about the user's measurement result a. It is therefore closely related to the conditional Shannon entropy, which quantifies the average uncertainty of the user's bit a, depending on the attacker's bit b. In fact, if the user's bits are obtained from a uniform distribution, the mutual information is complementary to the conditional Shannon entropy.

We note that in similar models [20–28] the conditional min-entropy H_min(X|E) [29] has often been used, which quantifies the uncertainty the attacker has about the user's bit value a, when he guesses the most likely measurement outcome considering his own measurement result b. In contrast to the conditional Shannon entropy, the conditional min-entropy only considers the most probable result, while less probable results are neglected, and is thus always lower than the conditional entropy.

We furthermore note that in order to perform adequate post-processing of the raw bit string, one is usually interested in the min-entropy of the complete sequence of n bits, and not only of a single measurement outcome. For our ORNG model we assume that all bits are obtained from the same distribution and are independent of each other. In the asymptotic limit of infinitely many bits, the most probable bit string is a sequence which contains the bits distributed according to the probability distribution, and not only the most probable bit in every instance. The min-entropy of the complete sequence of n bits therefore converges to n times the conditional Shannon entropy in this asymptotic limit. Hence, the asymptotic limit of the conditional min-entropy can also be derived from the mutual information we calculate in this paper.

The question raised in this article of how private the random numbers generated in a non-ideal QRNG are, is of course not completely new. There already exist different approaches [20–28] that allow to estimate the unpredictability of the 'raw' random numbers generated in a non-ideal QRNG. All strategies have in common that one tries to find a lower bound to the min-entropy of a long sequence of raw random numbers. This quantity is then used by a randomness extractor to produce a shorter, but unpredictable sequence of 'perfect' random numbers [30–32].

One approach is to model the setup and its imperfections, and then calculate the min-entropy from this model [20, 21]. However, in many cases this is quite a difficult task, and one has to make sure that the model is a good description of the experimental implementation.

Our approach is very much in the line of reference [20] but much more specific. In comparison to the latter paper, we discuss how much information an attacker can get, and how this information depends on the measured quantum state and the chosen measurements. This approach gives us the possibility to show how the attacker can gain information, and how the user of the QRNG can protect himself against it.

Semi-device-independent QRNGs [22–25], in which states are prepared and measured in random bases in order to make Bell-like tests on the raw data represent a different approach. Here, the violation of certain (in-)equalities, for example Bell inequalities [33], of these data then certifies the non-classicality of the physical process, and determines a lower bound on the min-entropy. This procedure has the advantage that one does not need a specific model of the QRNG, while only certain weaker assumptions on the preparation and/or the measurement devices have to be fulfilled.

Source-independent QRNGs relax the conditions of semi-device-independent QRNGs to the extent, that the user trusts the measurement but not the state preparation. These assumptions are reasonable when the user experimentally fully controls the measurement device, but not the preparation devices of the state. Source-independent QRNGs have already been studied for both, discrete systems [26, 27], and continuous systems, like homodyne measurements of the vacuum [28].

In these cases the randomness relevant for the privacy question of a QRNG originates from the fact that the state is not in an eigenstate or a mixture of eigenstates of the measurement operator. In order to guarantee this condition and therefore the randomness a measurement in at least one complementary basis has to be performed at random instances. From the measurement results in the complementary basis a lower bound on the min-entropy can then be deduced [26–28].

The resource theory of quantum coherence [34] plays an essential role in the determination of these boundaries. In these considerations the quantum coherence of a state in a given basis is quantified by an abstract measure in terms of the distance of the state from the set of incoherent states in that basis. It has been demonstrated [35] that the maximal randomness, which can be obtained from a state represented in a basis complementary to the measurement basis, can be connected to a coherence measure.

The question which coherence measure one has to use in order to describe the extractable randomness, depends on the measure quantifying the randomness and the model of the attacker. In fact, in reference [36] two different coherence measures are needed for a 'classical' and a 'quantum' Eve, that is two different types of attackers. The latter case considers a scenario where Eve does not perform measurements on her subsystem, and the randomness is quantified by entropy of her subsystem. In the 'classical' Eve case, the attacker also performs measurements on her subsystem, and is therefore quite similar to our scheme.

In our article we also follow a source-independent approach, since we only consider imperfect sources, but perfect measurements. However, we suspect that our model might also be suitable for the description of imperfect measurements.

In contrast to references [26–28, 35, 36], we do not use the abstract concept of coherence measures, but follow an operational approach to model the QRNG. For a given state of the two-qubit system and the measurements of both the user and the attacker, we first calculate the resulting probability distributions from this model. Then we maximize the information the attacker can gain over all of his possible strategies. Our calculations therefore directly show the setting the attacker has to choose in order to maximize the mutual information. Moreover, it provides us with the dependence of the mutual information on the strategy of the attacker.

In contrast, coherence measures only provide us with the minimal randomness of the system, but cannot reveal the attacker's measurement strategy. Thus, our results can easily be adopted to cases, where restrictions on the attacker's measurement strategy are applied.

Our article is organized as follows: in section 2, we consider the case of fixed projective measurement directions in both the system and the environment, and derive a general expression for the mutual information. We then focus in section 3 on the case of a QRNG, where the user selects his measurement in such a way that the bit a is uniformly distributed, and obtain the maximal information any attacker can gain. Finally, in section 4 we conclude by summarizing our results and providing a short outlook.

In order to keep our article self-contained while focused on the essential ideas we have included additional material and extensive calculations in four appendices. In appendices A and B we evaluate explicitly the correlation matrix and the constraints on three parameters that fully define the mutual information. Moreover, we dedicate appendix C to a detailed derivation of the maximal mutual information. Appendix D is devoted to extending the user's measurement strategy.

We quantify the information the attacker can gain from his bit value b about the user's bit value a using the mutual information [4, 37, 38]

$$\begin{equation}I\left({\mathbf{e}}_{A},{\mathbf{e}}_{B},\left\vert {\Psi}\right\rangle \right)=\sum _{a,b=0}^{1}{W}_{{\mathbf{e}}_{A},{\mathbf{e}}_{B}}\left(a,b\right){\mathrm{log}}_{2}\left(\frac{{W}_{{\mathbf{e}}_{A},{\mathbf{e}}_{B}}\left(a,b\right)}{{W}_{{\mathbf{e}}_{A}}\left(a\right){W}_{{\mathbf{e}}_{B}}\left(b\right)}\right),\end{equation} \tag{ 1 }$$

that a measurement on the system B can provide about the measurement outcome in the system A, and vice versa. Here, ${W}_{{\mathbf{e}}_{A},{\mathbf{e}}_{B}}\left(a,b\right)$ is the joint probability of getting the measurement results a and b when performing a measurement ${\mathbf{e}}_{A}$ on A and ${\mathbf{e}}_{B}$ on B.

We note, that for a separable state $\left\vert {{\Psi}}_{\text{s}}\right\rangle$, the measurement results in both subsystems are independent of each other, that is the joint probability is given by the product

$$\begin{equation}{W}_{{\mathbf{e}}_{A},{\mathbf{e}}_{B}}\left(a,b\right)={W}_{{\mathbf{e}}_{A}}\left(a\right){W}_{{\mathbf{e}}_{B}}\left(b\right)\end{equation} \tag{ 2 }$$

of the marginals for all combinations of measurement results a and b, and the logarithm and hence the mutual information both vanish, that is

$$\begin{equation}I\left({\mathbf{e}}_{A},{\mathbf{e}}_{B},\left\vert {{\Psi}}_{\text{s}}\right\rangle \right)=0.\end{equation} \tag{ 3 }$$

In order to achieve a non-vanishing mutual information, the two subsystems A and B must be entangled. Indeed, we shall show that the entanglement between the two subsystems plays a crucial role for the mutual information.

We gain a deeper insight into the role of the entanglement by noting from equation (1) that the mutual information depends only on the measurement probabilities, which result from the measurement operators of the user and the attacker as well as from the state of the complete system.

Since, we want to model a quantum random number generator, the user chooses the measurement such that a uniform distribution arises. The user's measurement is therefore fixed with respect to the state of the subsystem of the user. The mutual information is then only dependent on the measurement of the attacker and the state of the complete system.

To obtain the maximal mutual information, the attacker has to choose his measurement accordingly. The requirements of a constant distribution for the user and the maximal mutual information for the attacker reduce the number of degrees of freedom and the mutual information can only depend on the entanglement of the two subsystems.

We start from the pure two-qubit state

$$\begin{equation}\left\vert {\Psi}\right\rangle \equiv \sum _{i=0}^{1}\sum _{j=0}^{1}{{\Psi}}_{ij}{\left\vert i\right\rangle }_{A}{\left\vert j\right\rangle }_{B},\end{equation} \tag{ 4 }$$

representing the state of the combined system of A and B by complex coefficients Ψ_ij, which can be interpreted as the elements of a 2 × 2 matrix Ψ. We quantify the entanglement between the two subsystems of the state $\left\vert {\Psi}\right\rangle$ by the concurrence

$$\begin{equation}\mathcal{C}\equiv 2\vert \mathrm{det}{\Psi}\vert ,\end{equation} \tag{ 5 }$$

which can take values between zero, for $\left\vert {\Psi}\right\rangle$ being a separable state, and one, when $\left\vert {\Psi}\right\rangle$ is a maximally entangled state.

When we trace out the subsystem B(A), we obtain the reduced density operator

$$\begin{equation}{\hat{\varrho }}_{A\left(B\right)}\equiv {\text{tr}}_{B\left(A\right)}\left(\left\vert {\Psi}\right\rangle \left\langle {\Psi}\right\vert \right)\end{equation} \tag{ 6 }$$

of the subsystem A(B), which can be written in the form

$$\begin{equation}{\hat{\varrho }}_{A\left(B\right)}=\frac{1}{2}\left(\hat{\mathbb{1}}+{\mathbf{a}}_{A\left(B\right)}\cdot {\hat{\boldsymbol{\sigma }}}_{A\left(B\right)}\right).\end{equation} \tag{ 7 }$$

Here, the vector a_A(B) denotes the Bloch vector of the reduced subsystem ${\hat{\varrho }}_{A\left(B\right)}$, and ${\hat{\boldsymbol{\sigma }}}_{A\left(B\right)}$ is the vector of Pauli matrices.

We note that for the two density operators ${\hat{\varrho }}_{A}$ and ${\hat{\varrho }}_{B}$, which are derived from the same common pure state $\left\vert {\Psi}\right\rangle$, the eigenvalues and thus the lengths of the respective Bloch vectors have to be the same [4], that is |a_A| = |a_B|. These lengths are furthermore related to the concurrence, equation (5), by

$$\begin{equation}\mathcal{C}=\sqrt{1-\vert {\mathbf{a}}_{A}{\vert }^{2}}.\end{equation} \tag{ 8 }$$

Alternatively, we can relate these lengths to the purity

$$\begin{equation}\mathcal{P}\equiv \text{tr}\left({\hat{\varrho }}_{A}^{2}\right)=\frac{1}{2}\left(1+\vert {\mathbf{a}}_{A}{\vert }^{2}\right),\end{equation} \tag{ 9 }$$

of the density operator ${\hat{\varrho }}_{A}$ of the subsystem. From equation (8), we find the relation

$$\begin{equation}\mathcal{P}=1-\frac{1}{2}{\mathcal{C}}^{2}\end{equation} \tag{ 10 }$$

between the purity and the concurrence.

So far we have concentrated on the state of the combined system. We now analyze measurements on the subsystems.

For this purpose we assume that the user makes a projective measurement described by the projection operators

$$\begin{equation}{\hat{{\Pi}}}_{{\mathbf{e}}_{A}}\left(a\right)\equiv \frac{1}{2}\left(\hat{\mathbb{1}}+{\left(-1\right)}^{a}{\mathbf{e}}_{A}\cdot {\hat{\boldsymbol{\sigma }}}_{A}\right)\end{equation} \tag{ 11 }$$

while the attacker performs a projective measurement given by the operators

$$\begin{equation}{\hat{{\Pi}}}_{{\mathbf{e}}_{B}}\left(b\right)\equiv \frac{1}{2}\left(\hat{\mathbb{1}}+{\left(-1\right)}^{b}{\mathbf{e}}_{B}\cdot {\hat{\boldsymbol{\sigma }}}_{B}\right),\end{equation} \tag{ 12 }$$

with a = 0, 1 and b = 0, 1.

The probability ${W}_{{\mathbf{e}}_{A}}\left(a\right)$ to find the bit a given that the user measures in the direction e_A and the system is in the state $\left\vert {\Psi}\right\rangle$ follows from the Born rule as

$$\begin{equation}{W}_{{\mathbf{e}}_{A}}\left(a\right)=\left\langle {\Psi}\right\vert {\hat{{\Pi}}}_{{\mathbf{e}}_{A}}\left(a\right)\left\vert {\Psi}\right\rangle .\end{equation} \tag{ 13 }$$

Analogously, the probability ${W}_{{\mathbf{e}}_{B}}\left(b\right)$ to obtain b provided the attacker measures in the direction e_B takes the form

$$\begin{equation}{W}_{{\mathbf{e}}_{B}}\left(b\right)=\left\langle {\Psi}\right\vert {\hat{{\Pi}}}_{{\mathbf{e}}_{B}}\left(b\right)\left\vert {\Psi}\right\rangle .\end{equation} \tag{ 14 }$$

By inserting equations (11) and (12) into equations (13) and (14) respectively, and exploiting equations (6) and (7), we find the marginal probabilities

$$\begin{equation}{W}_{{\mathbf{e}}_{A}}\left(a\right)=\frac{1}{2}\left(1+{\left(-1\right)}^{a}{\mathbf{e}}_{A}\cdot {\mathbf{a}}_{A}\right),\end{equation} \tag{ 15 }$$

for the subsystem of the user, and

$$\begin{equation}{W}_{{\mathbf{e}}_{B}}\left(b\right)=\frac{1}{2}\left(1+{\left(-1\right)}^{b}{\mathbf{e}}_{B}\cdot {\mathbf{a}}_{B}\right),\end{equation} \tag{ 16 }$$

for the subsystem of the attacker.

The joint probability ${W}_{{\mathbf{e}}_{A},{\mathbf{e}}_{B}}\left(a,b\right)$ to find the values a and b, provided the measurements are in the directions e_A and e_B, is given by

$$\begin{equation}{W}_{{\mathbf{e}}_{A},{\mathbf{e}}_{B}}\left(a,b\right)\equiv \left\langle {\Psi}\right\vert {\hat{{\Pi}}}_{{\mathbf{e}}_{A}}\left(a\right)\otimes {\hat{{\Pi}}}_{{\mathbf{e}}_{B}}\left(b\right)\left\vert {\Psi}\right\rangle \end{equation} \tag{ 17 }$$

and with the definitions of the projection operators, equations (11) and (12), this probability takes the form

$$\begin{equation}{W}_{{\mathbf{e}}_{A},{\mathbf{e}}_{B}}\left(a,b\right)=\frac{1}{4}\left(1+{\left(-1\right)}^{a}{\mathbf{e}}_{A}\cdot {\mathbf{a}}_{A}+{\left(-1\right)}^{b}{\mathbf{e}}_{B}\cdot {\mathbf{a}}_{B}+{\left(-1\right)}^{a+b}{\mathbf{e}}_{A}^{\text{T}}\tilde {K}{\mathbf{e}}_{B}\right),\end{equation} \tag{ 18 }$$

where we have introduced the (3 × 3) matrix

$$\begin{equation}\tilde {K}\equiv \left\langle {\Psi}\right\vert {\hat{\boldsymbol{\sigma }}}_{A}\otimes {\hat{\boldsymbol{\sigma }}}_{B}\left\vert {\Psi}\right\rangle \end{equation} \tag{ 19 }$$

accounting for the correlation between the two subsystems.

So far, we have defined the state and the measurement operators for our two-qubit model. We are now in the position to calculate the mutual information for a general pure two-qubit state $\left\vert {\Psi}\right\rangle$ and projective measurements in both subsystems.

2.4.1. Definitions

Inserting the probabilities, equations (15), (16) and (18), back into the definition of the mutual information, equation (1), we find

$$\begin{equation}I=\frac{1}{4}\sum _{a,b}\left(1+{\left(-1\right)}^{a}\alpha +{\left(-1\right)}^{b}\beta +{\left(-1\right)}^{a+b}\kappa \right){\mathrm{log}}_{2}\left(\frac{1+{\left(-1\right)}^{a}\alpha +{\left(-1\right)}^{b}\beta +{\left(-1\right)}^{a+b}\kappa }{\left(1+{\left(-1\right)}^{a}\alpha \right)\left(1+{\left(-1\right)}^{b}\beta \right)}\right) ,\end{equation} \tag{ 20 }$$

where we have introduced the three parameters

$$\begin{equation}\alpha \equiv {\mathbf{e}}_{A}\cdot {\mathbf{a}}_{A},\quad \beta \equiv {\mathbf{e}}_{B}\cdot {\mathbf{a}}_{B},\quad \kappa \equiv {\mathbf{e}}_{A}^{T}\tilde {K}{\mathbf{e}}_{B}.\end{equation} \tag{ 21 }$$

Here, α and β quantify the bias in the measurement outcome on the subsystem A and B, respectively, which can be seen by comparing the definition of these parameters with the marginal probabilities equations (15) and (16). Moreover, κ reflects the influence of the correlation between the two subsystems on the joint measurement.

The three parameters are not independent of each other. The bias parameters α and β both depend on the density operators of their respective subsystem, which are in general not independent, since both result from a common entangled pure state. The parameter κ also depends on this pure state, as well as on the measurement directions, which also enter in the bias parameters.

In the following we will derive a constraint on these three parameters. For this purpose, we first derive an explicit expression for $\tilde {K}$

2.4.2. Constraints

A general state $\left\vert {\Psi}\right\rangle$, given by equation (4), can always be written in the form

$$\begin{equation}\left\vert {\Psi}\right\rangle =\sqrt{{\lambda }_{1}}\left\vert {\uparrow}\right\rangle \left\vert {\uparrow}\right\rangle +\sqrt{{\lambda }_{2}}\left\vert {\downarrow}\right\rangle \left\vert {\downarrow}\right\rangle ,\end{equation} \tag{ 22 }$$

due to the Schmidt decomposition [4], where we have introduced new basis sets $\left\{\left\vert {\uparrow}\right\rangle ,\left\vert {\downarrow}\right\rangle \right\}$ in both subsystems A and B. Note that in the state $\left\vert {\uparrow}\right\rangle \left\vert {\uparrow}\right\rangle$, in general the spins do not have to point into the same direction anymore.

In appendix A, we derive the expression

$$\begin{equation}\tilde {K}=\mathrm{diag}\left(2\sqrt{{\lambda }_{1}{\lambda }_{2}},-2\sqrt{{\lambda }_{1}{\lambda }_{2}},1\right)\end{equation} \tag{ 23 }$$

for the correlation matrix.

From the definition of the concurrence, equation (5), we obtain from equation (22)

$$\begin{equation}\mathcal{C}=2\sqrt{{\lambda }_{1}{\lambda }_{2}}.\end{equation} \tag{ 24 }$$

Together with equation (8) and the normalization condition λ₁ + λ₂ = 1, we arrive at

$$\begin{equation}{\lambda }_{1}=\frac{1+\vert {\mathbf{a}}_{A}\vert }{2}=\frac{1+\sqrt{1-{\mathcal{C}}^{2}}}{2}\end{equation} \tag{ 25 }$$

and

$$\begin{equation}{\lambda }_{2}=\frac{1-\vert {\mathbf{a}}_{A}\vert }{2}=\frac{1-\sqrt{1-{\mathcal{C}}^{2}}}{2}.\end{equation} \tag{ 26 }$$

When we insert equations (25) and (26) into the correlation matrix, equation (23), we obtain

$$\begin{equation}\tilde {K}=\mathrm{diag}\left(\mathcal{C},-\mathcal{C},1\right).\end{equation} \tag{ 27 }$$

Furthermore, by calculating the density matrices ${\hat{\varrho }}_{A}$ and ${\hat{\varrho }}_{B}$ with help of equations (6) and (22), and comparing the result with equation (7), we find ${\mathbf{a}}_{A\left(B\right)}={\left(0,0,\vert {\mathbf{a}}_{A}\vert \right)}^{T}$, that is the Bloch vectors point along the z-axis of their respective subsystem.

We are now in the position to calculate the three parameters α, β and κ. From their definition, equation (21), we obtain

$$\begin{equation}\kappa =\mathcal{C}{\mathbf{e}}_{A,x}{\mathbf{e}}_{B,x}-\mathcal{C}{\mathbf{e}}_{A,y}{\mathbf{e}}_{B,y}+{\mathbf{e}}_{A,z}{\mathbf{e}}_{B,z}\end{equation} \tag{ 28 }$$

for the correlation parameter, as well as

$$\begin{equation}\alpha =\sqrt{1-{\mathcal{C}}^{2}}\enspace {\mathbf{e}}_{A,z}\end{equation} \tag{ 29 }$$

and

$$\begin{equation}\beta =\sqrt{1-{\mathcal{C}}^{2}}\enspace {\mathbf{e}}_{B,z}\end{equation} \tag{ 30 }$$

for the bias of the user and the attacker, respectively. Here, we have defined ${\mathbf{e}}_{A\left(B\right)}={\left({\mathbf{e}}_{A\left(B\right),x},{\mathbf{e}}_{A\left(B\right),y},{\mathbf{e}}_{A\left(B\right),z}\right)}^{T}$.

In appendix B we prove that equations (28)–(30) lead to the constraint

$$\begin{equation}\frac{1-{\mathcal{C}}^{2}}{{\mathcal{C}}^{2}\left(1-{\mathcal{C}}^{2}-{\alpha }^{2}\right)}{\kappa }^{2}-\frac{2\alpha }{{\mathcal{C}}^{2}\left(1-{\mathcal{C}}^{2}-{\alpha }^{2}\right)}\kappa \beta +\frac{{\mathcal{C}}^{2}+{\alpha }^{2}}{{\mathcal{C}}^{2}\left(1-{\mathcal{C}}^{2}-{\alpha }^{2}\right)}{\beta }^{2}{\leqslant}1.\end{equation} \tag{ 31 }$$

For any fixed parameter α, that is for a fixed measurement direction of the user, the equality in equation (31) describes an ellipse in the κ–β-plane. All valid combinations of the parameters β and κ therefore have to lie inside or on the boundary of this ellipse.

2.4.3. Special cases

We conclude our discussion by considering the two extreme limits of the concurrence $\mathcal{C}$: (i) a separable bipartite state, and (ii) a maximally entangled state.

For any separable state, that is $\mathcal{C}=0$, the constraint becomes

$$\begin{equation}{\left(\alpha \beta -\kappa \right)}^{2}=0,\end{equation} \tag{ 32 }$$

which is only fulfilled for κ = αβ.

As a consequence, we find that the logarithm of equation (20) vanishes leading us to

$$\begin{equation}I=0,\end{equation} \tag{ 33 }$$

as one would expect.

In the other extreme, when the state $\left\vert {\Psi}\right\rangle$ is maximally entangled, that is $\mathcal{C}=1$, the bias parameters vanish in both subsystems, that is α = β = 0, and the correlation is bounded by −1 ⩽ κ ⩽ 1.

Inserting these values into equation (20), the mutual information takes the form

$$\begin{equation}I=\sum _{a,b}\frac{1}{4}\left(1+{\left(-1\right)}^{a+b}\kappa \right){\mathrm{log}}_{2}\left(1+{\left(-1\right)}^{a+b}\kappa \right),\end{equation} \tag{ 34 }$$

which after performing the summation reads

$$\begin{equation}I\left(\kappa \right)=\frac{1+\kappa }{2}\enspace {\mathrm{log}}_{2}\left(1+\kappa \right)+\frac{1-\kappa }{2}\enspace {\mathrm{log}}_{2}\left(1-\kappa \right).\end{equation} \tag{ 35 }$$

For κ = ±1, we get

$$\begin{equation}I=1,\end{equation} \tag{ 36 }$$

allowing the attacker to obtain complete information about the user's random bit, independent of the user's measurement choice. We emphasize that for a maximally entangled state the user cannot prevent the attacker from finding out his random bit.

For a QRNG, a user would naturally maximize the entropy of the bits and therefore choose his measurements in such a way that he obtains uniformly distributed bits with

$$\begin{equation}{W}_{{\mathbf{e}}_{A}}\left(0\right)={W}_{{\mathbf{e}}_{A}}\left(1\right)=\frac{1}{2}.\end{equation} \tag{ 37 }$$

According to equation (15) this requirement translates into condition

$$\begin{equation}\alpha ={\mathbf{e}}_{A}\cdot {\mathbf{a}}_{A}=0\end{equation} \tag{ 38 }$$

for the user's measurement.

Geometrically, this prescription means e_A ⊥ a_A, that is the measurement is perpendicular to the Bloch vector of ${\hat{\varrho }}_{A}$. There are infinitely many vectors e_A that fulfill this condition. Throughout this section, we consider this situation with a fixed e_A but generalize it slightly in appendix D by allowing random measurements corresponding to two different e_A, which are both perpendicular to a_A.

When we substitute equation (38) into equation (20), we obtain the mutual information

$$\begin{equation}I=\frac{1}{4}\sum _{a,b}\left(1+{\left(-1\right)}^{b}\beta +{\left(-1\right)}^{a+b}\kappa \right){\mathrm{log}}_{2}\left(1+{\left(-1\right)}^{a+b}\frac{\kappa }{1+{\left(-1\right)}^{b}\beta }\right).\end{equation} \tag{ 39 }$$

The parameters κ and β are not independent, but constrained by the inequality

$$\begin{equation}{\left(\frac{\kappa }{\mathcal{C}}\right)}^{2}+{\left(\frac{\beta }{\sqrt{1-{\mathcal{C}}^{2}}}\right)}^{2}{\leqslant}1\end{equation} \tag{ 40 }$$

corresponding to an ellipse with the semi-major and semi-minor axes coinciding with the κ and β axes, which follows directly from equation (31) for α = 0.

In order to guarantee the secrecy of his random bits, the user has to address the question: What is the maximal information following from (39) any attacker can obtain about the bit a for the given setting?

3.2.1. Exact expression

Since the mutual information is a convex function in the κ–β-plane, its maximum has to lie on the boundary of the ellipse. In figure 2 we show that the mutual information is maximized on the intersection of the ellipse given by the constraint, equation (40), and the κ-axis. These points lead to the two conditions

$$\begin{equation}\beta =0\end{equation} \tag{ 41 }$$

and

$$\begin{equation}\kappa ={\pm}\mathcal{C}.\end{equation} \tag{ 42 }$$

Zoom In Zoom Out Reset image size

The condition on the attacker's bias, equation (41), means that the measurement direction of the attacker e_B is perpendicular to the Bloch vector a_B of his subsystem. Hence, the attacker will also obtain a uniform distribution of his bits. As for the user, there are infinitely many measurement directions, which fulfill this condition.

The second condition, equation (42), together with equations (28), (29) and (38) leading to ${\mathbf{e}}_{A,z}=0$, poses the requirement

$$\begin{equation}{\mathbf{e}}_{A,x}{\mathbf{e}}_{B,x}-{\mathbf{e}}_{A,y}{\mathbf{e}}_{B,y}={\pm}1\end{equation} \tag{ 43 }$$

on the choice of the attacker's measurement, which restricts the attacker's measurement to two directions. He can either choose e_B = (e_A,x, −e_A,y, 0) or e_B = (−e_A,x, e_A,y, 0).

As a result, by inserting equations (41) and (42) into (39), we find

$$\begin{equation}{I}_{\mathrm{max}}=\frac{1}{4}\sum _{a,b}\left(1+{\left(-1\right)}^{a+b}\mathcal{C}\right){\mathrm{log}}_{2}\left(1+{\left(-1\right)}^{a+b}\mathcal{C}\right),\end{equation} \tag{ 44 }$$

and after performing the summations the maximal mutual information an attacker can gain by performing a measurement on the environment reads

$$\begin{equation}{I}_{\mathrm{max}}=\frac{1+\mathcal{C}}{2}\enspace {\mathrm{log}}_{2}\left(1+\mathcal{C}\right)+\frac{1-\mathcal{C}}{2}\enspace {\mathrm{log}}_{2}\left(1-\mathcal{C}\right).\end{equation} \tag{ 45 }$$

This expression is the central result of our article. We note, that we can also find equation (45) analytically. This rather lengthy calculation is shown in detail in appendix C.

It is interesting to note that a similar equation holds true if the user switches between different measurements. In appendix D we discuss this scenario in detail.

Figure 3 shows the maximal mutual information, equation (45), in its dependence on both the concurrence and the purity. The more the two systems are entangled, that is the less pure the state of the user, the more information can be gained from one measurement result about the other.

Zoom In Zoom Out Reset image size

3.2.2. Asymptotic expressions

If the complete state $\left\vert {\Psi}\right\rangle$ is only weakly entangled corresponding to C ≪ 1, we can perform a Taylor expansion

$$\begin{equation}\mathrm{ln}\left(1{\pm}x\right)\cong {\pm}x-{x}^{2}/2+\mathcal{O}\left({x}^{3}\right),\end{equation} \tag{ 46 }$$

of the logarithm to second order and thus approximate equation (45) by

$$\begin{equation}{I}_{\mathrm{max}}\cong \frac{{\mathcal{C}}^{2}}{2\mathrm{ln}2}+\mathcal{O}\left({\mathcal{C}}^{3}\right).\end{equation} \tag{ 47 }$$

Hence, for small concurrences $\mathcal{C}$ the maximal mutual information only grows quadratically, and there is almost no mutual information. The additional information on the more probable bit is almost compensated by the less information about the less probable bit. Thus, for small concurrences $\mathcal{C}$, the information an attacker can gain is almost negligible, providing a certain robustness of such a QRNG scheme against small entanglement between the QRNG's system and the environment.

From the viewpoint of the user, equation (47) means that the mutual information decreases linearly with the purity for $\mathcal{P}\lesssim 1$. Indeed, when we substitute the connection, equation (10) between $\mathcal{P}$ and ${\mathcal{C}}^{2}$ into equation (47) we find

$$\begin{equation}{I}_{\mathrm{max}}\cong \frac{1}{\mathrm{ln}2}\left(1-\mathcal{P}\right).\end{equation} \tag{ 48 }$$

On the other hand, for values of $\mathcal{C}\lesssim 1$ the mutual information grows rapidly with increasing $\mathcal{C}$, since the positive term in equation (45) is weighted with a high probability, while the factor decreasing the mutual information becomes smaller.

We finally remark that in our scheme the user needs to know the state ${\hat{\varrho }}_{A}$ of his subsystem, which in general can be obtained by state tomography. The connection, equation (10), between the concurrence and the purity of the user's subsystem then allows the user to find an upper bound on the privacy of his data.

We remark that the maximal mutual information, equation (45), is closely related to the randomness for the 'classical' Eve defined by (24) in reference [36] which is expected due to a similar setup. In contrast to our result, the randomness used in reference [36] is described by a Shannon entropy, while we use the mutual information.

These two quantities are closely related. In fact, equation (45) enjoys an elementary interpretation, based on the binary entropy

$$\begin{equation}{H}_{b}\left(p\right)\equiv -p\enspace {\mathrm{log}}_{2}\enspace p-\left(1-p\right){\mathrm{log}}_{2}\left(1-p\right),\end{equation} \tag{ 49 }$$

for a probability p. Indeed, equation (45) can be written as

$$\begin{equation}{I}_{\mathrm{max}}=1-{H}_{b}\left(\frac{1+\mathcal{C}}{2}\right).\end{equation} \tag{ 50 }$$

The first term on the right-hand side corresponds to the entropy of the user's random number without any correlation to another measurement result. This value is one, due to the fact that the user's bit is equally distributed.

The second term on the right-hand side, which subtracts from the user's entropy, is the conditional entropy of the user's bit, when the attacker's bit is known. This contribution corresponds to the entropy that remains, even when the attacker has made a measurement, and therefore reduces the information he can gain. Interestingly, this entropy corresponds to a binary entropy, with probabilities

$$\begin{equation}{p}_{{\pm}}\equiv \frac{1}{2}\left(1{\pm}\mathcal{C}\right).\end{equation} \tag{ 51 }$$

Hence, the concurrence $\mathcal{C}$ is a measure of the deviation from a uniform binary distribution. For a vanishing concurrence the user's bit is equally likely for any value of the attacker's bit, while with increasing concurrence the probability of having coincidental results between the user's and the attacker's outcome increases.

We conclude our discussion of the worst case scenario by taking a different point of view on the privacy of the random numbers generated by a QRNG. Indeed the question of how much information an attacker can maximally gain can also be considered as a quantum state discrimination task [39–41]. By performing a measurement on the subsystem A, the state ${\left\vert {\psi }_{a}\right\rangle }_{B}$ of the attacker in the subsystem B is a pure state, depending on the outcome a of the measurement performed on the subsystem A. The task of the attacker is to discriminate his two states.

When the two states are orthogonal, the attacker can always perform a measurement, which allows him to discriminate between the two states with certainty. In general, however, the two states are not orthogonal and therefore there is no measurement that can decide unambiguously between the two cases.

It is well known, that the maximal mutual information accessible in this case is bounded from above and below by the inequalities

$$\begin{equation}{\chi }_{\text{JRW}}{\leqslant}{I}_{\mathrm{max}}{\leqslant}{\chi }_{\text{H}}.\end{equation} \tag{ 52 }$$

The upper bound is the well known Holevo bound [4]

$$\begin{equation}{\chi }_{\text{H}}\equiv S\left({\hat{\varrho }}_{B}\right)-\sum _{a}{W}_{{\mathbf{e}}_{A}}\left(a\right)S\left({\hat{\varrho }}_{B\vert a}\right)\end{equation} \tag{ 53 }$$

with ${\hat{\varrho }}_{B\vert a}\equiv {\left\vert {\psi }_{a}\right\rangle }_{B}\left\langle {\psi }_{a}\right\vert$ and the Shannon entropy

$$\begin{equation}S\left(\hat{\varrho }\right)=-\text{tr}\left(\hat{\varrho }\enspace {\mathrm{log}}_{2}\enspace \hat{\varrho }\right)=-\sum _{k}{\lambda }_{k}{\mathrm{log}}_{2}{\lambda }_{k},\end{equation} \tag{ 54 }$$

where λ_k denote the eigenvalues of the density operator $\hat{\varrho }$.

The lower bound for the maximal accessible information, proposed by Josza, Robb and Wootters [42], is given by

$$\begin{equation}{\chi }_{\text{JRW}}\equiv Q\left({\hat{\varrho }}_{B}\right)-\sum _{a}{W}_{{\mathbf{e}}_{A}}\left(a\right)Q\left({\hat{\varrho }}_{B\vert a}\right)\end{equation} \tag{ 55 }$$

with the subentropy

$$\begin{equation}Q\left(\hat{\varrho }\right)\equiv -\sum _{k}\left(\sum _{l\ne k}\frac{{\lambda }_{k}}{{\lambda }_{k}-{\lambda }_{l}}\right){\lambda }_{k}{\mathrm{log}}_{2}{\lambda }_{k}.\end{equation} \tag{ 56 }$$

We now consider the state discrimination task for our problem of the QRNG in the worst-case scenario. As a first step, we show that the states the attacker obtains are not orthogonal, as long as the combined state $\left\vert {\Psi}\right\rangle$, defined in equation (4), is not maximally entangled.

For the measurement outcome a, the user finds the state

$$\begin{equation}{\left\vert {\psi }_{a}\right\rangle }_{A}=\frac{1}{\sqrt{2}}\left({\left\vert {\uparrow}\right\rangle }_{A}+{\left(-1\right)}^{a}{\text{e}}^{\text{i}\varphi }{\left\vert {\downarrow}\right\rangle }_{A}\right),\end{equation} \tag{ 57 }$$

with an arbitrary but fixed phase φ.

Therefore the state ${\left\vert {\psi }_{a}\right\rangle }_{B}$ in the subsystem B, conditioned on the measurement result a, reads

$$\begin{equation}{\left\vert {\psi }_{a}\right\rangle }_{B}=\frac{{\;}_{A}\langle {\psi }_{a}\vert {\Psi}\rangle }{\sqrt{{W}_{{\mathbf{e}}_{A}}\left(a\right)}}=\sqrt{2}\enspace {\;}_{A}\langle {\psi }_{a}\vert {\Psi}\rangle ,\end{equation} \tag{ 58 }$$

where the probability ${W}_{{\mathbf{e}}_{A}}\left(a\right)=1/2$, given by equation (14), in the denominator ensures normalization.

We recall the state $\left\vert {\Psi}\right\rangle$ in the Schmidt decomposition, equation (22), and find

$$\begin{equation}{\left\vert {\psi }_{a}\right\rangle }_{B}=\sqrt{\frac{1+\vert {a}_{A}\vert }{2}}{\left\vert {\uparrow}\right\rangle }_{B}+{\left(-1\right)}^{a}\sqrt{\frac{1-\vert {a}_{A}\vert }{2}}{\text{e}}^{-\text{i}\varphi }{\left\vert {\downarrow}\right\rangle }_{B}\end{equation} \tag{ 59 }$$

for the state in the subsystem B, conditioned that the user has measured the bit a.

For |a_A| > 0 the scalar product

$$\begin{equation}{\;}_{B}{\langle {\psi }_{0}\vert {\psi }_{1}\rangle }_{B}=\frac{1+\vert {\mathbf{a}}_{A}\vert }{2}-\frac{1-\vert {\mathbf{a}}_{A}\vert }{2}=\vert {\mathbf{a}}_{A}\vert \end{equation} \tag{ 60 }$$

between the two states ${\left\vert {\psi }_{0}\right\rangle }_{B}$ and ${\left\vert {\psi }_{1}\right\rangle }_{B}$, following from equation (59), does not vanish, and these two states are not orthogonal.

In the next step, we calculate the bounds given by equations (53) and (55). Since the entropy vanishes for a pure state, the Holevo bound is given by the Shannon entropy of the state ${\hat{\varrho }}_{B}$ of the attacker $S\left({\hat{\varrho }}_{B}\right)$.

With the explicit formulas equations (25) and (26) for the eigenvalues λ_k and the definition of the Shannon entropy $S\left(\hat{\varrho }\right)$, equation (54), we find

$$\begin{equation}{\chi }_{\text{H}}=-\frac{1+\sqrt{1-{\mathcal{C}}^{2}}}{2}\enspace {\mathrm{log}}_{2}\left(\frac{1+\sqrt{1-{\mathcal{C}}^{2}}}{2}\right)-\frac{1-\sqrt{1-{\mathcal{C}}^{2}}}{2}\enspace {\mathrm{log}}_{2}\left(\frac{1-\sqrt{1-{\mathcal{C}}^{2}}}{2}\right)\end{equation} \tag{ 61 }$$

for the Holevo bound.

We note, that the Holevo bound is closely related to the relative entropy of coherence, that is the intrinsic randomness in the 'quantum' Eve case, calculated in reference [36]. This connection is not surprising, since the Holevo bound corresponds to the amount of entropy contained in the state of the attacker's subsystem.

Since the subentropy also vanishes for pure states, the maximal accessible information is given by the subentropy $Q\left({\hat{\varrho }}_{B}\right)$ of the attacker's density matrix. By using the eigenvalues, equations (25) and (26), of $\left\vert {\Psi}\right\rangle$, which are identical to those of ${\hat{\varrho }}_{B}$, together with the definition of $Q\left(\hat{\varrho }\right)$, equation (56), we obtain

$$\begin{equation}{\chi }_{\text{JRW}}=-\frac{{\left(1+\sqrt{1-{\mathcal{C}}^{2}}\right)}^{2}}{4\sqrt{1-{\mathcal{C}}^{2}}}\enspace {\mathrm{log}}_{2}\left(\frac{1+\sqrt{1-{\mathcal{C}}^{2}}}{2}\right)+\frac{{\left(1-\sqrt{1-{\mathcal{C}}^{2}}\right)}^{2}}{4\sqrt{1-{\mathcal{C}}^{2}}}\enspace {\mathrm{log}}_{2}\left(\frac{1-\sqrt{1-{\mathcal{C}}^{2}}}{2}\right)\end{equation} \tag{ 62 }$$

for the minimal accessible information.

In figure 4 we compare our result for the maximal mutual information, equation (45), with the Holevo bound, equation (61), and the minimal accessible information, equation (62). The result of our worst case considerations, equation (45), is thus between the two bounds as expected. However, our result is strictly lower than the Holevo bound except for the boundary values $\mathcal{C}=0$ and $\mathcal{C}=1$, and therefore an improvement for the user over just assuming the Holevo bound. This advantage originates from the fact, that the Holevo bound is only dependent on the maximal information contained of the state ${\hat{\varrho }}_{B}$ in the subsystem B, independent of the composition of this state, that is of the exact form of the states ${\left\vert {\psi }_{0}\right\rangle }_{B}$ and ${\left\vert {\psi }_{1}\right\rangle }_{B}$. The Holevo bound is only tight if ${\left\vert {\psi }_{0}\right\rangle }_{B}$ and ${\left\vert {\psi }_{1}\right\rangle }_{B}$ are identical or orthogonal, which is only fulfilled if the pure state $\left\vert {\Psi}\right\rangle$ of the combined system is either separable or maximally entangled. In all the cases in between the Holevo bound is not tight. Our result, equation (45), is exact, and therefore takes the measurement of the user and hence the exact form of ${\left\vert {\psi }_{0}\right\rangle }_{B}$ and ${\left\vert {\psi }_{1}\right\rangle }_{B}$ into account.

Zoom In Zoom Out Reset image size

It is well known that the mutual information is convex as a function of the conditional probability ${W}_{{\mathbf{e}}_{A},{\mathbf{e}}_{B}}\left(b\vert a\right)$ for a fixed marginal distribution ${W}_{{\mathbf{e}}_{A}}\left(a\right)$, however, it is not obvious that it is also convex in the κ–β-plane. We now show, that the mutual information I is a convex function in the κ–β-plane, that is

$$\begin{equation}I\left(\lambda {\kappa }_{1}+\left(1-\lambda \right){\kappa }_{2},\lambda {\beta }_{1}+\left(1-\lambda \right){\beta }_{2}\right){\leqslant}\lambda I\left({\kappa }_{1},{\beta }_{1}\right)+\left(1-\lambda \right)I\left({\kappa }_{2},{\beta }_{2}\right)\end{equation} \tag{ C.3 }$$

for every λ with 0 ⩽ λ ⩽ 1.

We prove the relation, equation (C.3), by starting from the right-hand side of the inequality. By definition, we find

$$\begin{align}\hfill \lambda I\left({\kappa }_{1},{\beta }_{1}\right)+\left(1-\lambda \right)I\left({\kappa }_{2},{\beta }_{2}\right)& =\sum _{a,b}\sum _{i=1}^{2}{x}_{i}\enspace {\mathrm{log}}_{2}\left(\frac{{x}_{i}}{{y}_{i}}\right),\hfill \end{align} \tag{ C.4 }$$

where we have introduced the abbreviations

$$\begin{equation}{x}_{1}\equiv \frac{\lambda }{4}\left(1+{\left(-1\right)}^{b}{\beta }_{1}+{\left(-1\right)}^{a+b}{\kappa }_{1}\right)\end{equation} \tag{ C.5 }$$

and

$$\begin{equation}{x}_{2}\equiv \frac{1-\lambda }{4}\left(1+{\left(-1\right)}^{b}{\beta }_{2}+{\left(-1\right)}^{a+b}{\kappa }_{2}\right),\end{equation} \tag{ C.6 }$$

as well as

$$\begin{equation}{y}_{1}\equiv \frac{\lambda }{4}\left(1+{\left(-1\right)}^{b}{\beta }_{1}\right)\end{equation} \tag{ C.7 }$$

and

$$\begin{equation}{y}_{2}\equiv \frac{1-\lambda }{4}\left(1+{\left(-1\right)}^{b}{\beta }_{2}\right).\end{equation} \tag{ C.8 }$$

According to the log sum inequality [38] we have

$$\begin{equation}\sum _{i=1}^{2}{x}_{i}\enspace {\mathrm{log}}_{2}\left(\frac{{x}_{i}}{{y}_{i}}\right){\geqslant}x\enspace {\mathrm{log}}_{2}\left(\frac{x}{y}\right)\end{equation} \tag{ C.9 }$$

with x ≡ x₁ + x₂ and y ≡ y₁ + y₂.

Hence, we find

$$\begin{equation}\lambda I\left({\kappa }_{1},{\beta }_{1}\right)+\left(1-\lambda \right)I\left({\kappa }_{2},{\beta }_{2}\right){\geqslant}\sum _{a,b}x\enspace {\mathrm{log}}_{2}\left(\frac{x}{y}\right).\end{equation} \tag{ C.10 }$$

By explicitly calculating x and y and comparing it with the definition of the mutual information we find

$$\begin{equation}\sum _{a,b}x\enspace {\mathrm{log}}_{2}\left(\frac{x}{y}\right)=I\left(\lambda {\kappa }_{1}+\left(1-\lambda \right){\kappa }_{2},\lambda {\beta }_{1}+\left(1-\lambda \right){\beta }_{2}\right)\end{equation} \tag{ C.11 }$$

which with equation (C.10)proves the convexity of the mutual information, equation (C.3).

Due to the convexity of the mutual information, the maximum of the mutual information lies on the boundary of the ellipse. Hence, it is sufficient to restrict ourselves to the constraint

$$\begin{equation}{\left(\frac{\kappa }{\mathcal{C}}\right)}^{2}+{\left(\frac{\beta }{\sqrt{1-{\mathcal{C}}^{2}}}\right)}^{2}=1,\end{equation} \tag{ C.12 }$$

which is an equality instead of an inequality.

We can parametrize the ellipse by an angle φ, such that we have

$$\begin{equation}\kappa \left(\varphi \right)=\mathcal{C}\mathrm{cos}\varphi \end{equation} \tag{ C.13 }$$

and

$$\begin{equation}\beta \left(\varphi \right)=\sqrt{1-{\mathcal{C}}^{2}}\mathrm{sin}\varphi .\end{equation} \tag{ C.14 }$$

Inserting these two equations back into equation (C.1), the mutual information becomes a function only dependent on a single parameter φ. In order to maximize this function, we calculate the derivative with respect to φ

$$\begin{equation}\frac{\mathrm{d}I\left(\varphi \right)}{\mathrm{d}\varphi }=\frac{\partial I\left(\kappa ,\beta \right)}{\partial \kappa }\frac{\mathrm{d}\kappa }{\mathrm{d}\varphi }+\frac{\partial I\left(\kappa ,\beta \right)}{\partial \beta }\frac{\mathrm{d}\beta }{\mathrm{d}\varphi }.\end{equation} \tag{ C.15 }$$

First, from equations (C.13) and (C.14), we obtain the derivatives

$$\begin{equation}\frac{\mathrm{d}\kappa }{\mathrm{d}\varphi }=-\mathcal{C}\mathrm{sin}\varphi =-\frac{\mathcal{C}}{\sqrt{1-{\mathcal{C}}^{2}}}\beta \left(\varphi \right)\end{equation} \tag{ C.16 }$$

and

$$\begin{equation}\frac{\mathrm{d}\beta }{\mathrm{d}\varphi }=\sqrt{1-{\mathcal{C}}^{2}}\mathrm{cos}\varphi =\frac{\sqrt{1-{\mathcal{C}}^{2}}}{\mathcal{C}}\kappa \left(\varphi \right).\end{equation} \tag{ C.17 }$$

We will now calculate the partial derivatives of the mutual information with respect to κ and β. For the derivative with respect to κ, we find

$$\begin{equation}\frac{\partial I}{\partial \kappa }=\frac{1}{4}\sum _{a,b}{\left(-1\right)}^{a+b}\enspace {\mathrm{log}}_{2}\left(1+{\left(-1\right)}^{a+b}\frac{\kappa }{1+{\left(-1\right)}^{b}\beta }\right)+\frac{1}{4\mathrm{ln}2}\sum _{a,b}{\left(-1\right)}^{a+b}.\end{equation} \tag{ C.18 }$$

The second sum vanishes due to symmetry, such that we are left with

$$\begin{equation}\frac{\partial I}{\partial \kappa }=\frac{1}{4}\sum _{a,b}{\left(-1\right)}^{a+b}\enspace {\mathrm{log}}_{2}\left(1+{\left(-1\right)}^{a+b}\frac{\kappa }{1+{\left(-1\right)}^{b}\beta }\right),\end{equation} \tag{ C.19 }$$

which is in general non-vanishing.

The derivative with respect to β is given by

$$\begin{equation}\frac{\partial I}{\partial \beta }=\frac{1}{4}\sum _{a,b}{\left(-1\right)}^{b}\enspace {\mathrm{log}}_{2}\left(1+{\left(-1\right)}^{a+b}\frac{\kappa }{1+{\left(-1\right)}^{b}\beta }\right)+\frac{1}{4\mathrm{ln}2}\sum _{a,b}{\left(-1\right)}^{a}\frac{\kappa }{1+{\left(-1\right)}^{b}\beta }.\end{equation} \tag{ C.20 }$$

The second sum vanishes again due to symmetry relations, and we find

$$\begin{equation}\frac{\partial I}{\partial \beta }=\frac{1}{4}\sum _{a,b}{\left(-1\right)}^{b}\enspace {\mathrm{log}}_{2}\left(1+{\left(-1\right)}^{a+b}\frac{\kappa }{1+{\left(-1\right)}^{b}\beta }\right).\end{equation} \tag{ C.21 }$$

When we insert this result together with equation (C.19) into equation (C.15), we obtain

$$\begin{align}\hfill \frac{\mathrm{d}I\left(\varphi \right)}{\mathrm{d}\varphi }& =\frac{1}{4}\sum _{a,b}\left({\left(-1\right)}^{b}\frac{\sqrt{1-{\mathcal{C}}^{2}}}{\mathcal{C}}\kappa \left(\varphi \right)-{\left(-1\right)}^{a+b}\frac{\mathcal{C}}{\sqrt{1-{\mathcal{C}}^{2}}}\beta \left(\varphi \right)\right)\hfill \\ \hfill & \quad {\times}{\mathrm{log}}_{2}\left(1+{\left(-1\right)}^{a+b}\frac{\kappa }{1+{\left(-1\right)}^{b}\beta }\right)\hfill \end{align} \tag{ C.22 }$$

This derivative has roots at β = 0 and κ = 0. Unfortunately, it is not obvious from an analytical point of view that those are the only two extrema. However, numerical simulations show, that these are indeed the only ones.

For κ = 0 it follows from equation (C.1), that the mutual information vanishes for every value of β. Since the mutual information cannot be negative, κ = 0 represents a minimum of the mutual information.

We finally prove that β = 0 is indeed a maximum of the mutual information. In order to do so, we take a look at the second order derivative

$$\begin{align}\hfill \frac{{\mathrm{d}}^{2}I\left(\varphi \right)}{\mathrm{d}{\varphi }^{2}}& =\frac{{\partial }^{2}I\left(\kappa ,\beta \right)}{\partial {\kappa }^{2}}{\left(\frac{\mathrm{d}\kappa }{\mathrm{d}\varphi }\right)}^{2}+2\frac{{\partial }^{2}I\left(\kappa ,\beta \right)}{\partial \beta \partial \kappa }\frac{\mathrm{d}\beta }{\mathrm{d}\varphi }\frac{\mathrm{d}\kappa }{\mathrm{d}\varphi }+\frac{{\partial }^{2}I\left(\kappa ,\beta \right)}{\partial {\beta }^{2}}{\left(\frac{\mathrm{d}\beta }{\mathrm{d}\varphi }\right)}^{2}\hfill \\ \hfill & \quad +\frac{\partial I\left(\kappa ,\beta \right)}{\partial \kappa }\frac{{\mathrm{d}}^{2}\kappa }{\mathrm{d}{\varphi }^{2}}+\frac{\partial I\left(\kappa ,\beta \right)}{\partial \beta }\frac{{\mathrm{d}}^{2}\beta }{\mathrm{d}{\varphi }^{2}},\hfill \end{align} \tag{ C.23 }$$

which, in the case of β = 0, simplifies to

$$\begin{equation}{\left.\frac{{\mathrm{d}}^{2}I\left(\varphi \right)}{\mathrm{d}{\varphi }^{2}}\right\vert }_{\beta =0}={\left.\frac{\partial I\left(\kappa ,\beta \right)}{\partial \kappa }\frac{{\mathrm{d}}^{2}\kappa }{\mathrm{d}{\varphi }^{2}}\right\vert }_{\beta =0}+{\left.\frac{{\partial }^{2}I\left(\kappa ,\beta \right)}{\partial {\beta }^{2}}{\left(\frac{\mathrm{d}\beta }{\mathrm{d}\varphi }\right)}^{2}\right\vert }_{\beta =0}.\end{equation} \tag{ C.24 }$$

Calculating both terms explicitly, we find

$$\begin{equation}{\left.\frac{\partial I\left(\kappa ,\beta \right)}{\partial \kappa }\frac{{\mathrm{d}}^{2}\kappa }{\mathrm{d}{\varphi }^{2}}\right\vert }_{\beta =0}=-\frac{\mathcal{C}}{2}\left({\mathrm{log}}_{2}\left(1+\mathcal{C}\right)-{\mathrm{log}}_{2}\left(1-\mathcal{C}\right)\right)\end{equation} \tag{ C.25 }$$

as well as

$$\begin{equation}{\left.\frac{{\partial }^{2}I\left(\kappa ,\beta \right)}{\partial {\beta }^{2}}{\left(\frac{\mathrm{d}\beta }{\mathrm{d}\varphi }\right)}^{2}\right\vert }_{\beta =0}=\frac{{\mathcal{C}}^{2}}{\mathrm{ln}2}.\end{equation} \tag{ C.26 }$$

Hence, we arrive at

$$\begin{equation}{\left.\frac{{\mathrm{d}}^{2}I\left(\varphi \right)}{\mathrm{d}{\varphi }^{2}}\right\vert }_{\beta =0}=\frac{{\mathcal{C}}^{2}}{\mathrm{ln}2}-\frac{\mathcal{C}}{2}\left({\mathrm{log}}_{2}\left(1+\mathcal{C}\right)-{\mathrm{log}}_{2}\left(1-\mathcal{C}\right)\right).\end{equation} \tag{ C.27 }$$

Since the values of $\mathcal{C}$ are restricted to the interval $0{< }\mathcal{C}{< }1$, we can evaluate the logarithms with help of the series representation

$$\begin{equation}\mathrm{ln}\left(1+x\right)=\sum _{n=1}^{\infty }{\left(-1\right)}^{n+1}\frac{{x}^{n}}{n}\end{equation} \tag{ C.28 }$$

valid for |x| < 1, and the relation

$$\begin{equation}{\mathrm{log}}_{2}\enspace x=\frac{\mathrm{ln}x}{\mathrm{ln}2}\end{equation} \tag{ C.29 }$$

for converting the binary to the natural logarithm leads us to the identity

$$\begin{equation}{\mathrm{log}}_{2}\left(1+\mathcal{C}\right)-{\mathrm{log}}_{2}\left(1-\mathcal{C}\right)=\frac{2}{\mathrm{ln}2}\sum _{n=0}^{\infty }\frac{{\mathcal{C}}^{2n+1}}{2n+1}\end{equation} \tag{ C.30 }$$

or

$$\begin{equation}{\mathrm{log}}_{2}\left(1+\mathcal{C}\right)-{\mathrm{log}}_{2}\left(1-\mathcal{C}\right)=\frac{2\mathcal{C}}{\mathrm{ln}2}+\frac{2}{\mathrm{ln}2}\sum _{n=1}^{\infty }\frac{{\mathcal{C}}^{2n+1}}{2n+1}.\end{equation} \tag{ C.31 }$$

When we insert this relation into equation (C.29), we find

$$\begin{equation}{\left.\frac{{\mathrm{d}}^{2}I\left(\varphi \right)}{\mathrm{d}{\varphi }^{2}}\right\vert }_{\beta =0}=-\frac{\mathcal{C}}{\mathrm{ln}2}\sum _{n=1}^{\infty }\frac{{\mathcal{C}}^{2n+1}}{2n+1}{\leqslant}0,\end{equation} \tag{ C.32 }$$

with equality if and only if $\mathcal{C}=0$. Thus, the extremum β = 0 corresponds to a maximum.

We now consider the scenario in which the user randomly chooses with equal probability from the two measurement directions ${\mathbf{e}}_{A}^{\left(1\right)}$ and ${\mathbf{e}}_{A}^{\left(2\right)}$ which are both perpendicular to the Bloch vector a_A, but differ by an angle γ with 0 ⩽ γ ⩽ π.

Here, the constraint of the vectors being perpendicular to the Bloch vector, is again made in order to obtain uniformly distributed bits a, that is

$$\begin{equation}{W}_{{\mathbf{e}}_{A}^{\left(1\right)}}\left(a\right)={W}_{{\mathbf{e}}_{A}^{\left(2\right)}}\left(a\right)=\frac{1}{2}\end{equation} \tag{ D.1 }$$

following from equation (15). In contrast, the attacker uses a single measurement direction e_B.

The joint probability

$$\begin{equation}{W}_{\left\{{\mathbf{e}}_{A}^{\left(j\right)}\right\},{\mathbf{e}}_{B}}\left(a,b\right)=\frac{1}{2}\left({W}_{{\mathbf{e}}_{A}^{\left(1\right)},{\mathbf{e}}_{B}}\left(a,b\right)+{W}_{{\mathbf{e}}_{A}^{\left(2\right)},{\mathbf{e}}_{B}}\left(a,b\right)\right),\end{equation} \tag{ D.2 }$$

is the average value of the probabilities ${W}_{{\mathbf{e}}_{A}^{\left(1\right)},{\mathbf{e}}_{B}}$ and ${W}_{{\mathbf{e}}_{A}^{\left(2\right)},{\mathbf{e}}_{B}}$, which are given by equation (18), of the individual measurement directions, since both measurement directions ${\mathbf{e}}_{A}^{\left(1\right)}$ and ${\mathbf{e}}_{A}^{\left(2\right)}$ are independent of each other and occur with the same probability.

We write equation (D.2) in the form

$$\begin{equation}{W}_{\left\{{\mathbf{e}}_{A}^{\left(j\right)}\right\},{\mathbf{e}}_{B}}\left(a,b\right)=\frac{1}{4}\left(1+{\left(-1\right)}^{b}\beta +{\left(-1\right)}^{a+b}{\kappa }_{\text{eff}}\right)\end{equation} \tag{ D.3 }$$

with a new effective correlation parameter

$$\begin{equation}{\kappa }_{\text{eff}}\equiv {\left(\frac{{\mathbf{e}}_{A}^{\left(1\right)}+{\mathbf{e}}_{A}^{\left(2\right)}}{2}\right)}^{T}\tilde {K}{\mathbf{e}}_{B}\end{equation} \tag{ D.4 }$$

When we define the unit vector

$$\begin{equation}{\overline{\mathbf{e}}}_{A}\equiv \frac{{\mathbf{e}}_{A}^{\left(1\right)}+{\mathbf{e}}_{A}^{\left(2\right)}}{\vert {\mathbf{e}}_{A}^{\left(1\right)}+{\mathbf{e}}_{A}^{\left(2\right)}\vert },\end{equation} \tag{ D.5 }$$

which is again perpendicular to the Bloch vector a_A, we obtain

$$\begin{equation}{\kappa }_{\text{eff}}=\mathrm{cos}\left(\frac{\gamma }{2}\right){\overline{\mathbf{e}}}_{A}^{T}\tilde {K}{\mathbf{e}}_{B},\end{equation} \tag{ D.6 }$$

since we have

$$\begin{equation}\vert {\mathbf{e}}_{A}^{\left(1\right)}+{\mathbf{e}}_{A}^{\left(2\right)}\vert =\sqrt{2\left(1+\mathrm{cos}\gamma \right)}=2\enspace \mathrm{cos}\left(\frac{\gamma }{2}\right).\end{equation} \tag{ D.7 }$$

Apart from the constant factor cos(γ/2) the correlation parameter κ_eff, equation (D.6), is the same as the correlation parameter κ, equation (21), for the case of single measurement.

By using equation (19), together with ${\overline{\mathbf{e}}}_{A,z}=0$, we find

$$\begin{equation}{\kappa }_{\text{eff}}={\mathcal{C}}_{\text{eff}}{\overline{\mathbf{e}}}_{A,x}{\mathbf{e}}_{B,x}-{\mathcal{C}}_{\text{eff}}{\overline{\mathbf{e}}}_{A,y}{\mathbf{e}}_{B,y},\end{equation} \tag{ D.8 }$$

with the effective correlation

$$\begin{equation}{\mathcal{C}}_{\text{eff}}\equiv \mathcal{C}\mathrm{cos}\left(\frac{\gamma }{2}\right).\end{equation} \tag{ D.9 }$$

By comparing equation (D.8) with equation (28) for the case of e_A,z = 0, we see that they only differ by in their concurrence. Hence, the maximal mutual information still has the form of (45), with the concurrence $\mathcal{C}$ being replaced by ${\mathcal{C}}_{\text{eff}}$.

The case γ = 0, that is when both measurements coincide with another, reduces to the one of a single measurement direction, discussed in section 3. However, for γ > 0, we have cos(γ/2) < 1, and thus the maximal mutual information is decreased compared to a single measurement direction. Indeed, by choosing γ = π, the maximal achievable mutual information is reduced to I_max = 0, independent of the concurrence of the state.

In this scenario the user randomly chooses orthogonal measurement directions. Hence, the randomness originates from the fact that he randomly assigns different bit values to the same measurement result. As a consequence, the user would need another QRNG to create this randomness, in this way he puts turtles on top of turtles.