A tunable quantum random number generator based on a fiber-optical Sagnac interferometer

Quantum random number generators (QRNGs) are based on naturally random measurement results performed on individual quantum systems. Here, we demonstrate a branching-path photonic QRNG implemented using a Sagnac interferometer with a tunable splitting ratio. The fine-tuning of the splitting ratio allows us to maximize the entropy of the generated sequence of random numbers and effectively compensate for tolerances in the components. By producing single-photons from attenuated telecom laser pulses, and employing commercially-available components we are able to generate a sequence of more than 2 gigabytes of random numbers with an average entropy of 7.99 bits/byte directly from the raw measured data. Furthermore, our sequence passes randomness tests from both the NIST and Dieharder statistical test suites, thus certifying its randomness. Our scheme shows an alternative design of QRNGs based on the dynamic adjustment of the uniformity of the produced random sequence, which is relevant for the construction of modern generators that rely on independent real-time testing of its performance.


Introduction
Quantum information science is an interdisciplinary field where computer science meets physics, and where long lasting principles of information transfer, cryptography and secret sharing are challenged [1].Quantum random number generators (QRNG) are mature devices that directly benefit from the properties of quantum systems in order to produce truly random numbers [2].By harnessing the fundamental randomness from the outputs of quantum mechanical measurements it is possible to generate sequences of fundamentally unpredictable random numbers.A popular implementation for QRNGs is based on performing measurements on single-photons.Typically, in these photonic QRNGs, one degree of freedom of a photon is used to prepare a superposition state of the form |ψ = α |0 + β |1 , where |α| 2 + |β| 2 = 1, which is then projected onto the basis formed by |0 and |1 .By letting one of the basis vectors represent a binary "0" and the other a binary "1", we can utilize the fact that measurements of an equally weighted superposition state yield uniformly distributed random measurement outcomes to generate a random sequence by performing repeated measurements.
One type of photonic QRNG is known as a branching-path generator [2][3][4][5][6], and is typically implemented either using polarized light and polarizing beamsplitters, or with unpolarized light and conventional beamsplitters.Regardless of the scheme, it is of utmost importance that the beamsplitters' splitting ratio is 50 : 50 for transmitted and reflected light respectively, in order to guarantee an unbiased sequence.In practice, due to manufacturing limitations, the splitting ratio will not be perfectly balanced, and this leads to non-uniformity of the bit distribution of the generated sequence.Furthermore, the splitting ratio may also change over time, due to temperature fluctuations and other environmental factors, as well as component degradation.Branching-path generators may also suffer from detector imbalances, where two identical detectors used at each of the beamsplitter's outputs have slightly different detection efficiencies that also lead to a bias in the sequence [2].Such a bias reduces the unpredictability of the sequence, and also so does its usability, not only for cryptography, but also for uses like Monte-Carlo simulations and gambling.For cryptography specifically, the security is directly proportional to the randomness of the secret key, and therefore a low-entropy sequence increases the probability that an attacker is able to successfully guess the key, which thus reduces the effective strength of the cipher [7].
In this article, we demonstrate a tunable-ratio branching-path photonic QRNG by implementing a dynamically tunable beamsplitter using a fiber-optical Sagnac interferometer.The tunable beamsplitting function is implemented with an active phase modulator placed in a Sagnac loop working as a single-photon router [8].By modulating the phase of a light packet propagating in the clockwise direction vs the counter-clockwise one, we are able to tune the output probabilities from the Sagnac interferometer through a change in the amplitude of the driving signal fed to the phase modulator.This allows us to change the entropy of the generated sequence as we wish.Both outputs are then detected through a time-division multiplexing scheme to allow detection with only one single-photon detector.Interferometers in a Sagnac-type configuration have previously been used to modulate polarization [9,10] and intensity [11] in order to prepare states for quantum key distribution experiments.While building on the same principle, our system is the first demonstration of interferometric routing of single photons for quantum random number generation.In this work we are able to generate a continuous stream of random numbers over 36 hours of continuous operation at an average rate of 131 kbit/s.The generation rate and entropy are highly stable over time due to the intrinsic phase stability of the Sagnac interferometer configuration.We finally demonstrate the randomness of the sequence by passing it successfully through the stringent statistical test suites NIST 800-22 [12] and Dieharder [13] aimed at assessing random number generators.A critical issue in QRNGs, especially the ones aimed at cryptographic applications, is whether the user can trust the device.A solution to this problem is performing independent real-time testing of the internal devices of the QRNG, usually through the user changing either the prepared quantum states, or a measurement parameter [14].In order to test the device and achieve high confidence that the generated sequence is private, a high interferometric visibility is necessary [15].The dynamic tunability provided by our setup is therefore useful to tackle this issue, and is particularly appealing to recently demonstrated measurement-device-independent QRNGs [15,16].Our results show that Sagnac interferometers can be successfully employed as tunable beamsplitters for the construction of quantum random number generators, thus opening up for implementation of state-of-the-art measurement-device independent quantum random number generators.

The experiment
The principle for a QRNG scheme using a TBS is based on a source of strongly attenuated pulses, a beamsplitter with a variable splitting ratio and single-photon detection of the two outputs of the beamsplitter (figure 1).A detection at one output is assigned the bit "0", while "1" is assigned to the other one.The entire system works synchronously, driven by Field Programmable Gate Array (FPGA) electronics, which also performs the data acquisition.If both outputs are simultaneously detected (either from two photons generated together, or from noise sources), the FPGA discards that result in order to remove the effects of after-pulsing and multiphoton events.Similarly, if no photons are detected for a generated pulse (due to absorption) no result is recorded.The generated bits are then streamed from the FPGA to a personal computer for randomness extraction and storage.The bitstream then passes through statistical tests to certify its randomness.
The key aspect in our experiment is the use of a tunable beamsplitter (figure 1).Although in principle it is possible to create one by adding extra attenuators in each output of a conventional beamsplitter, or by using a half-wave plate in tandem with Light from a photon source is split using a tunable beamsplitter (TBS).Detectors (D1, D2) placed at the outputs of the TBS register photon events and record a binary "0" or a binary "1" depending on whether the photon impinges on D1 or D2.The choice of assignment of "0"/"1" to D1/D2 is arbitrary.
a polarizing beamsplitter, these options do not provide possibilities of fast tuning.Furthermore, in the case of the first option, extra losses are added to the system.
Here we pursue an interferometric approach to implement tunability.For instance, a Mach-Zehnder interferometer can realize a tunable beamsplitter, with the tunability provided by setting the relative phase φ between the interferometer arms [17].The output probability of the single-photon is then given by a sinusoidal function of φ.However, the drawback of using conventional Mach-Zehnder interferometers is that they suffer from intrinsic phase instability, and therefore require either mechanical isolation (i.e.dampened tables, environmental protection, etc) [18] or active stabilization [19,20].In our work we follow the approach of [8] where we employ a Sagnac interferometer to provide the same functionality, with the added benefit of intrinsic phase stability.
In our Sagnac interferometer a high-speed telecom fiber-pigtailed phase modulator is placed to give a relative phase shift φ between the two propagation directions (figure 2).This is done by synchronizing the phase shift with the wave packet, such the phase shift is only applied in one direction by the modulator.
We employ a continuous wave (CW) distributed feedback telecom laser diode, centered at λ = 1546.92nm, connected to variable optical attenuators (ATT) to produce weak coherent states.The FPGA board generates electrical pulses at a repetition rate of 250 kHz in order to drive an intensity modulator which chops the CW input light into optical pulses.The electronic pulses are shaped to 20 ns width, as limited by the employed electronics driver before being fed to the intensity modulator.The attenuated optical pulses pass through an optical circulator before entering one of the input ports of a bidirectional 50 : 50 fiber coupler.The output ports form the Sagnac loop, together with a phase modulator and a 50 m long optical fiber spool (L s ) that works as a delay line (figure 2).The delay line is needed to ensure there is sufficient time separation for the phase modulation signal to act on the wave packet propagating in only in one The CW-laser is first fed to an intensity modulator (IM) that chops the laser into 20 ns pulses, which are then attenuated using a variable attenuator (ATT) to weak coherent pulses (WCP) with an average photon probability of approximately 10 photons per pulse.The WCPs are then fed to a Sagnac interferometer that acts as a tunable beamsplitter where the superposition |ψ = 1/ √ 2 |CW + ie iφ |CCW is prepared, and CW and CCW denote the photon state of propagation inside the Sagnac loop.At the output of the Sagnac loop, we use a 150 meter fiber-optic delay line (L T B ) to add ≈ 750 ns of delay to one term, effectively time-bin multiplexing the two outputs from the Sagnac interferometer into an early and a late time-bin for detection using one single-photon detector.direction and not in the opposing one, thus creating the necessary relative phase shift to generate the different output probabilities in the interferometer outputs [8].Not shown in figure 2 are two manual polarization controllers added in the Sagnac loop, where one is used to align the pulses' polarization with the input polarization of the phase modulator, while the second one is used to ensure that the two counter-propagating terms have the same polarization at the recombining beamsplitter.
Inside the Sagnac loop the attenuated pulses can be represented as a coherent superposition of the two counter-propagating paths as |ψ = 1/ √ 2(|CW + ie iφ |CCW ) where |CW and |CCW represent the clockwise and counter-clockwise propagation paths respectively.The detection probabilities at the outputs A and B of the Sagnac loop are proportional to cos 2 ( φ 2 ) and sin 2 ( φ 2 ).For voltages corresponding to φ = π/2, 3π/2 the Sagnac works as a beamsplitter with a perfectly balanced splitting ratio.The phase shift φ is proportional to the modulator's driving voltage, thus allowing us to precisely control the splitting ratio between 0 and 1 in the ideal case.We fine-tune the desired ratio by applying a small offset δV φ to the theoretical voltage value V φ .Therefore, the voltage we apply to achieve a balanced splitting ratio is V π/2 = V π/2 + δV π/2 .Due to insertion losses and propagation losses in the time-bin multiplexer, a balanced splitting ratio between the early and late time bin does not imply a 50:50 probability for a photon to emerge at the outputs A:B of the Sagnac interferometer.The two outputs of the Sagnac (denoted A and B in figure 2) are then routed to the detection system (with output A passing through the circulator to decouple it from the attenuated pulses coming from the source, propagating in to the Sagnac loop).We opted to use one SPD and mapped each output path to an early or a late time-bin, with both time slots detected sequentially by the SPD.The time-bin separation is created by a 750 ns time delay (a ≈150 m optical fiber spool) placed at the A output path from the Sagnac loop.The two paths are then recombined with a 50:50 bidirectional fiber coupler, and one of its outputs is connected to the SPD (idQuantique id210), operating in Geiger mode with 10% detection efficiency, 2.5 ns gate width and approximately 10 −5 dark count probability per gate.The SPD is externally gated by the FPGA by sending pairs of pulses, each separated by the time-bin delay, that are synchronized with the signal sent to the intensity modulator that generates the photon pulses.Each of these pulses correspond to a gate in the early and late bin respectively.The output signals from the SPD are also read by the FPGA for data acquisition.We set the deadtime of the SPD to 500 ns, so that it is shorter than the time separation between the early and late time-bins.We then let a detection of a photon in the early time-bin represent a "0" and a detection in the late time-bin represent a "1".

Results
First we demonstrate the variable splitting ratio of the Sagnac interferometer acting as a tunable beamsplitter.We set the attenuators such that we maximize the detection probability at the detector for both time-bins, while still operating in a linear regime (i.e. the detector is not saturating).This is observed from figure 3a, where the number of detection events per integration time fits well with the theoretical prediction that output A [B] from the Sagnac loop should follow a cos 2 ( φ 2 ) [sin 2 ( φ 2 )] distribution.We also observe from these results that the Sagnac interferometer is operating correctly, and complementary output behaviour of the two outputs is observed, as expected.
We then wish to optimize the operating point of the Sagnac loop for optimal random number generation.We scan the driving voltage of the phase modulator and measure the Shannon entropy of the generated bits when considered as 8-bit symbols.The Shannon entropy H is defined as H = − 255 i=0 p i log 2 (p i ), where p i is the probability of finding the i th 8-bit sequence.We increase the voltage V φ applied to the phase modulator in  the range 0 ≤ V φ ≤ 4.2 in steps of 200 mV and measure the entropy, as can be seen in figure 3b.An inset is shown in figure 3b where we also sweep the voltage between 2−2.3 volts in steps of 20 mV, and likewise measure H to identify the optimal operating point where the entropy is maximized.It can be clearly seen that the maximum obtained entropy (7.98 bits/byte) occurs for an applied driving voltage of around 2.15 V.
With the entropy maximized, we then proceed to acquire a long continuous sequence of bits to feed to the statistical randomness tests, and also to demonstrate the robustness of our implementation.The raw bit sequence is buffered in the FPGA in blocks of 32 kilobytes and then transmitted over an Ethernet connection to a personal computer for storage.Before assessing the sequence, it is passed through a Toeplitz randomness extraction procedure in order to remove any remaining non-uniformities from the raw data.To extract randomness, we split the generated sequence into N sequences of length n, and multiply each subsequence with an n × m binary Toeplitz matrix which yields an output of m hashed bits [21].We choose to use n = 400, and as defined in [21], we obtain m = H min −2 log 2 ε where H min is the min-entropy of 8-bit strings which is defined as H min = − log 2 max x∈{0,1} 8 Pr {X = x} .We measure a min-entropy of 7.7451 from the acquired sequence before extraction.We choose a security parameter ε = 2 −100 which is derived from the leftover hash lemma [22].We seed the Toeplitz matrix T at the beginning of the extraction procedure with n + m − 1 bits taken from the raw sequence, as it is sufficient to only specify the first row and first column.The matrix T can be reused for each of the subsequences, and we obtain the extracted sequence of bits by concatenating the results of the multiplications T n 1 , T n 2 , T n 3 , ..., T N , where the subscript represents the subsequence index [21,22].The extraction procedure is lossy, and for our choice of parameters, we are able to achieve an efficiency of ≈ 50%.After extraction we calculate the min-entropy of the sequence to be 7.9982 bits.
While recording the raw data, we also measure the entropy of each streamed 32 kilobyte block, and as can be seen in figure 4a, we achieve an average entropy of 7.9925 ± 0.0014 bits/byte over 36 hours, which demonstrates exceptional phase stability of the QRNG.Likewise, we also measure the raw bitrate when streaming the data, and we achieve an average bitrate of 131.8 ± 2.3 kbps (figure 4b).The bitrate is mainly limited by the delays in the electronics that amplify the signals from the FPGA in order to drive the phase modulator, and in the triggering electronics which is necessary to synchronize the generation of pulses with the detection.By improving the driver electronics, the bitrate is only limited by the separation of the time bins.
After generating 2.2 gigabytes of data, and extracting it, we pass the sequence through the NIST 800-22 Statistical Test Suite [12] (NIST test) and the Dieharder [13] test suite.Both test suites subject the random sequence to a number of statistical tests aimed at assessing the randomness of any given sequence.We run the NIST tests with 1000 bitstreams of length 1 Mb.To deem any given test as passed, we form a confidence bound as defined in [12] for the proportion of bitstreams that must yield a p-value p ≥ 10 −2 using the formula p ± 3 α(1−α) n where α = 10 −2 , n = 1000 is the number of bitstreams and p = 1 − α.This gives us a confidence interval of 0.980 ≤ r < 0.999, and if the ratio of tests that have passed falls outside this range, there is evidence that the sequence is not random [12].Figure 5a shows the proportions of tests that pass, for any given test category, along with the significance level.
The Dieharder test suite yields a verdict ("Fail", "Weak", "Pass") for each test, and a test is deemed to pass if the p-value associated with it is in the interval 10 −2 < p < 1 − 10 −2 .As can be seen in figure 5b, there are parameterized tests where each test yields multiple p-values (one for each value of the parameter).We plot all outputted p-values, and compute a resulting p-value from a Kolmogorov-Smirnov test of all the p-values.As is well-known, the p-values should be uniformly distributed under the null hypothesis that the sequence is indeed random, and the Kolmogorov-Smirnov test is used to eliminate false rejection of the null hypothesis (Type-I error) [23].For three of the tests, we observe that the resulting p-values fall outside the confidence bound, and for those values of the parameter, the test verdict is "weak".Since the Dieharder suite is a statistical test, it is probable that there will be occasional "weak" results.If the generator truly is weak, then it will certainly fail other tests [13].
To further demonstrate that the tunability can be used as a building block in measurement-device independent protocols we run a prepare-and-measure type protocol where we use the TBS to prepare either of the orthogonal states |Ψ and |Φ which are expected to yield deterministic measurement results, and a state |Ω which yields random (but balanced) measurement outcomes.We prepare the states by applying different voltages to the PM inside the Sagnac for each state.From figure 3a we determine the voltages to be V Ψ = 0 V, V Φ = 4.2 V and V Ω = 2.15 V.For each acquired 32 kilobyte block of data we then randomly choose between preparing either of the states with a probability Pr {|Ψ } = Pr {|Φ } = 0.005 and Pr {|Ω } = 0.99, where Pr {|• } is the probability to prepare a certain quantum state, in order to demonstrate the switching of necessary to implement measurement-device independent QRNG protocols.In figure 6 we show the recorded visibilities for each of the states as a function of time, where the visibility ν x ∈ [0, 1] for the state x ∈ {|Ψ , |Φ , |Ω } is defined ν x = n early −n late n early +n late where n early and n late are the detector counts in the early and late bin respectively.We are able to achieve a mean visibility of ν Ψ = 0.997 ± 3.3 • 10 −4 , ν Φ = 0.990 ± 3.1 • 10 −3 and ν Ω = 0.004 • 10 −2 ± 7.7 • 10 −3 for each of the three states without subtracting dark counts.

Conclusions
We have proposed and experimentally demonstrated a photonic quantum random number generator based on a dynamically tunable beamsplitter.The random numbers are generated depending on which output from the beamsplitter the single-photons are detected.By tuning the beamsplitting ratio we are able to maximize the generated entropy of the random sequence.This also helps maximize the entropy in spite of differences in losses following the two outputs.We implemented the tunable beamsplitter through a Sagnac interferometer, in which the tunability is given by a relative phase between the two counter-propagating paths, applied with an electro-optical telecom phase modulator.This technique allows ultra-fast tunability, due to the short response time of the phase modulator.
We are able to generate a continuous stream of random numbers over 36 hours of continuous operation, showing an average raw generation rate of 131 kbit/s and an average generated entropy of 7.9925 bits per byte in the raw sequence, thus demonstrating a stable source of entropy.As the bitrate is mainly limited by internal delays in the employed driving electronics, by improving the driver circuitry, a considerable bitrate gain can be achieved.By reducing these delays, we would also reduce the lower limits on the time-bin spacing and thus the repetition rate can be increased.Our setup is robust and built using only off-the-shelf telecom fiber components, thus also showing the practicability of our setup.Our results can aid in future designs of dynamically tunable quantum random number generators, and serve as a foundation for measurement-device quantum random number generation due to ease of changing the beamsplitting ratio, through the appropriate selection of the applied phase in the Sagnac loop.
Our system also demonstrates that the tunable beamsplitter enables realization of measurement-device independent quantum random number generators thanks to the high visibility when measuring orthogonal states, as well the fact that the visibilities show minimal degradation over time.

Figure 1 :
Figure1: Principle of a tunable-ratio beamsplitter for quantum random number generation.Light from a photon source is split using a tunable beamsplitter (TBS).Detectors (D1, D2) placed at the outputs of the TBS register photon events and record a binary "0" or a binary "1" depending on whether the photon impinges on D1 or D2.The choice of assignment of "0"/"1" to D1/D2 is arbitrary.

Figure 3 :
Figure 3: a) Characterization of detected photon events measured in the early and late time-bin, as a function of applied voltage to the phase modulator.The error bars are calculated assuming Poissonian photon statistics (σ =√ N for a photon count of N ).Also plotted is a fit of the theoretical detection probabilities that are proportional to cos 2 [sin 2 ] for the early [late] time-bin, respectively.b) Raw entropy (before extraction) as a function of applied voltage to the phase modulator Also shown in the inset is a plot of the entropy versus applied voltage to the phase modulator with a smaller step size.

Figure 4 :
Figure 4: Characterization of the stablity of the raw bitrate a) and entropy stability b) over a period of 36 hours.Each of the data points represents the average over 30 minutes.

Figure 5 :
Figure5: Results from statistical testing of randomness from NIST STS 800-22[12], a) and Dieharder[13] b).In figure5awe plot the proportion of tests that have passed, along with the confidence interval that the proportion must fall within.For figure5b, each colored vertical line corresponds to a p-value from the tests.Lines in green are p-values that fall outside of the confidence bound 10 −2 < p < 10 0 .The red lines are the resulting p-value of a Kolmogorov-Smirnov test done on test results that yield multiple p-values.

Figure 6 :
Figure 6: Achieved visibilities for the states |Ψ and |Φ that are expected to yield deterministic measurement results, together with the visibilities for the balanced state |Ω used for randomness generation.