Recognition: 2 theorem links
· Lean TheoremHigher rates for semi-device-independent randomness expansion by recycling input randomness
Pith reviewed 2026-05-10 18:44 UTC · model grok-4.3
The pith
Recycling input randomness enables semi-device-independent expansion at high rates after 10^5 to 10^6 rounds
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
In a semi-device-independent prepare-and-measure scenario, recycling the input randomness used to select measurement settings yields randomness expansion at high rates after only 10^5 to 10^6 rounds, with security proven against quantum side information while trusting solely the testing device.
What carries the argument
The input-randomness recycling step inside the semi-device-independent prepare-and-measure protocol, which reuses the same random bits to reduce the net consumption while preserving the security bound.
If this is right
- Randomness expansion becomes practical with far fewer experimental rounds than previous semi-device-independent schemes.
- Quantum random number generators can operate while trusting only a simple detector such as a photodiode.
- The same security guarantee holds when the source and measurement devices are manufactured by an untrusted party.
- Biased-input variants extend the method to settings where input recycling cannot be applied.
Where Pith is reading between the lines
- Recycling techniques developed here may reduce the round count required in other semi-device-independent tasks such as quantum key distribution.
- Realistic noise models from current photonic experiments could be inserted into the security analysis to obtain tighter rate estimates.
- The protocol could be combined with existing trusted-device QRNG hardware to lower overall trust requirements without redesigning the source or detectors.
Load-bearing premise
The testing device can be trusted and fully characterized while the source that prepares states and the measurement device remain completely uncharacterized.
What would settle it
An experiment in which the observed output randomness fails to exceed the input randomness by the predicted margin, or in which an adversary with access to the untrusted devices can guess the output with probability higher than the security analysis allows, would falsify the claimed expansion.
Figures
read the original abstract
Although quantum random number generators rely on the inherent indeterminism of quantum mechanics, ensuring that the numbers produced are secure remains a significant challenge. We introduce two semi-device-independent randomness expansion protocols in a prepare-and-measure setting, where the source and measurement devices are treated as uncharacterised and we assume trust only in testing device, which could be implemented using a photodiode. One protocol achieves expansion by recycling the input randomness, while the other uses a biased input distribution to achieve expansion in settings where recycling is not possible. The protocols are proven secure against quantum side information. Our results show that high randomness rates are achievable under experimentally realistic conditions, with expansion obtained in as few as $10^5$ to $10^6$ rounds with the recycling protocol.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript introduces two semi-device-independent randomness expansion protocols in the prepare-and-measure setting. The source and measurement devices are uncharacterized, with trust placed solely in a testing device (e.g., a photodiode). One protocol achieves expansion by recycling input randomness; the other employs a biased input distribution. Both protocols are proven secure against quantum side information, with numerical results indicating that positive expansion rates are achievable in as few as 10^5 to 10^6 rounds under realistic experimental conditions.
Significance. If the security analysis and finite-size bounds hold, the work advances practical semi-device-independent quantum random number generation by demonstrating higher rates via input recycling and biased inputs. This reduces the experimental overhead compared to prior SDI protocols while maintaining security against quantum adversaries, with the trust model limited to the testing device offering a realistic implementation path.
minor comments (3)
- [Abstract] Abstract: the statement that expansion is obtained 'in as few as 10^5 to 10^6 rounds' would benefit from a parenthetical reference to the specific parameters (e.g., observed violation level, noise model, or block size) that yield this threshold, to allow immediate assessment of the numerical claim.
- [Security Analysis] The security proof section should explicitly state the form of the min-entropy bound used for the recycled-input case and how the finite-size correction terms are computed (e.g., via Chernoff or Hoeffding bounds), as this is central to verifying the reported rates.
- [Numerical Results] Figure captions for the rate-vs-rounds plots should include the exact values of the input bias parameter and the testing-device efficiency assumed in the optimization.
Simulated Author's Rebuttal
We thank the referee for their positive assessment of our manuscript, accurate summary of the contributions, and recommendation for minor revision. No specific major comments were provided in the report.
Circularity Check
No significant circularity in derivation chain
full rationale
The paper introduces two prepare-and-measure protocols for semi-device-independent randomness expansion, with security proven against quantum side information. The central claims of achievable rates in 10^5-10^6 rounds follow from independent security analysis and numerical bounds rather than any self-definitional reduction, fitted inputs renamed as predictions, or load-bearing self-citations. No step reduces by construction to its own inputs via the paper's equations or prior author work; the derivation remains self-contained against external quantum information benchmarks.
Axiom & Free-Parameter Ledger
axioms (2)
- standard math Quantum mechanics holds and provides the basis for randomness and security proofs
- domain assumption Only the testing device is trusted while source and measurement devices are uncharacterized
Lean theorems connected to this paper
-
IndisputableMonolith/Cost/FunctionalEquation.leanwashburn_uniqueness_aczel unclear?
unclearRelation between the paper passage and the cited Recognition theorem.
We establish security using the Entropy Accumulation Theorem (EAT)... Jordan’s lemma... convex envelope of G_pX(ω,Θ)
-
IndisputableMonolith/Foundation/RealityFromDistinction.leanreality_from_one_distinction unclear?
unclearRelation between the paper passage and the cited Recognition theorem.
overlap Θ... score ω... finite-size rates with 10^5–10^6 rounds
What do these tags mean?
- matches
- The paper's claim is directly supported by a theorem in the formal canon.
- supports
- The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends
- The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses
- The paper appears to rely on the theorem as machinery.
- contradicts
- The paper's claim conflicts with a theorem or certificate in the canon.
- unclear
- Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
Reference graph
Works this paper leans on
-
[1]
Seti= 1for the first round, or increaseiby 1
-
[2]
HereXi = 0occurs with probability p0
Randomly chooseX i ∈ {0,1}, which is input to the source deviceS. HereXi = 0occurs with probability p0. The deviceSsends a system to the switchW
-
[3]
Randomly chooseTi ∈ {0,1}, whereT i = 0has probability1−γ, and inputT i toW.Wsends the system to the measurement deviceMifT i = 0or sends it to the testing deviceTifT i = 1
-
[4]
(b) IfT i = 1(test round):Wreceives the system and outputsY i ∈ {0,1}
(a) IfT i = 0(measurement round):Mreceives the system and outputsY i ∈ {0,1}. (b) IfT i = 1(test round):Wreceives the system and outputsY i ∈ {0,1}
-
[5]
Return to Step 1 unlessi=n
-
[6]
SetU i = (Ti, Xi, Yi)and compute the empirical scoresΘ# andω # as Θ# := 1 2 X x |{i:U i = (1, x,0)}| npX(x)γ , ω # := 1 2 X x |{i:U i = (0, x, x)}| npX(x)(1−γ)
-
[7]
Abort the protocol if eitherΘ# <Θ exp −δ Θ orω # < ω exp −δ ω
-
[8]
Since a strong extractor is used, the final outcome can be taken to be the concatenation ofRandExt(XYT,R)
Processtheconcatenationofalltheoutputswithaquantum-proofstrongextractorExttoyieldExt(XYT,R), whereRis a random seed for the extractor. Since a strong extractor is used, the final outcome can be taken to be the concatenation ofRandExt(XYT,R). The final step of Protocol 1 uses both the input strings (T,X) and the output stringYin the extractor (the use ofTa...
-
[9]
1 2 pΩ∥ρZE|Ω − 1 dZ IZ ⊗ρE|Ω∥1 ≤ϵ S, whereEis the quantum system held by the adversary, anddZ is the dimension of systemZ; and
-
[10]
Here,ϵ S is the soundness error, andϵC is the completeness error
There exists a quantum strategy such thatpΩ ≥1−ϵ C. Here,ϵ S is the soundness error, andϵC is the completeness error. The completeness error is the probability that an honest protocol aborts, whereas the soundness error bounds how well the real protocol can be distinguished from an ideal protocol whose output is fully uncorrelated with any other system (i...
-
[11]
We now outline our notation for different registers: •X i: classical register storing the input of roundi
Different systems In this work we use the notationB(H)andS(H)to be the set of bounded operators and density operators on a Hilbert spaceHrespectively. We now outline our notation for different registers: •X i: classical register storing the input of roundi. •Y i: classical register storing the output of roundi. •R i: register representing the quantum syst...
-
[12]
Each round consists of three distinct types of channels: the preparation channelPi, the source channelMi, and the test channelT i
Channels of the protocol This section provides a detailed description of a single round of the protocol, as illustrated in Figure C2. Each round consists of three distinct types of channels: the preparation channelPi, the source channelMi, and the test channelT i. Here we describe the action of these channels on an initial state in detail. At the beginnin...
-
[13]
Asymptotic randomness rate The Entropy Accumulation Theorem [20, 26], shows that, in order to compute the asymptotic rates for the protocol, it suffices to focus only on a single representative round of the protocol. The CQ state after one round of the protocol takes the following generic form: X t,x,y p(t)|t⟩ ⟨t| ⊗pX(x)|x⟩ ⟨x| ⊗pY|x,t (y)|y⟩ ⟨y|Y ⊗ρ t,x,...
-
[14]
convex floor
Reducing the strategy space Our first step for solving the optimization problem (C23) is to simplify the set over which the entropyH(Y|X, T= 0, E)is optimized. The goal of this section is to show that, in order to compute the rate, it suffices to consider strategies where the adversary holds a purification of the state prepared by the source, and where th...
-
[15]
(C31)) is thatH B could have an arbitrarily large dimension
Reduction to qubit strategies The main issue with the optimization problem in the definition ofGpX (ω,Θ)(cf. (C31)) is thatH B could have an arbitrarily large dimension. The aim of this section is to reduce the optimization strategy space of the problem to strategies where the source prepares a qubit state and the measurement device performs projective me...
-
[16]
Our primary objective is to reformulate the problem into an optimization over a reduced number of bounded real variables
Simplifying the qubit optimization problem In this section, we simplify the optimization problem (C56). Our primary objective is to reformulate the problem into an optimization over a reduced number of bounded real variables. This transformation not only reduces the complexity of the problem but also renders it tractable for solving using known numerical ...
-
[17]
Ifω≥ 1 2, takeη x = 1,˜a0 = ˜a1 =a= 2ω−1,ξ 0 = 0,ξ 1 =π, and any ϕ
= 0for allω∈[0,1]. Ifω≥ 1 2, takeη x = 1,˜a0 = ˜a1 =a= 2ω−1,ξ 0 = 0,ξ 1 =π, and any ϕ. ThenP x ηx + ˜ax cos(ξx +ϕ) = 2 = 4· 1 2 ,and P x −ηx + (−1)x˜ax cosξ x = 2(a−1) = 4ω−4,so feasibility holds withΘ = 1 2 andω≥ 1 2. Ifω≤ 1 2, takeηx = 1,˜a0 = ˜a1 =a= 1−2ω,ξ 0 =π,ξ 1 = 0, andϕ=π. Then again P x ηx+˜ax cos(ξx+ϕ) = 2 = 4· 1 2 , andP x −ηx + (−1)x˜ax cosξ ...
-
[18]
Similarly,G pX ( 1 2 ,Θ) = 0for allΘ∈[0,1]
= 0for allω∈[0,1]. Similarly,G pX ( 1 2 ,Θ) = 0for allΘ∈[0,1]. Takeη x = 1,ξ 0 =ξ 1 = 0. Then the score constraint gives X x −ηx + (−1)x˜ax cosξ x = 4· 1 2 −4, i.e.,ω= 1
-
[19]
•IfΘ≤ 1 2, setϕ=π,˜a 0 = ˜a1 =a= 1−2Θ: P x(ηx + ˜ax cos(ξx +ϕ)) = 2−2a= 4Θ
For the overlap constraint: •IfΘ≥ 1 2, setϕ= 0,˜a 0 = ˜a1 =a= 2Θ−1: P x(ηx + ˜ax cos(ξx +ϕ)) = 2 + 2a= 4Θ. •IfΘ≤ 1 2, setϕ=π,˜a 0 = ˜a1 =a= 1−2Θ: P x(ηx + ˜ax cos(ξx +ϕ)) = 2−2a= 4Θ. ThusG pX ( 1 2 ,Θ) = 0for allΘ. By monotonicity in bothωandΘwe have that,G pX (ω,Θ) = 0wheneverω≤ 1 2 orΘ≤ 1 2. c. Eliminating an additional variable In this subsection we el...
-
[20]
In this subsection we introduce methods to compute lower bounds on it
Obtaining numerical bounds on the rates The optimization problem (C66) is non-linear and hence challenging to solve. In this subsection we introduce methods to compute lower bounds on it. a. Computing the optimization problem over grids We now address the problem of computing the convex envelope of the functionGpX (ω,Θ). As the functional form of this is ...
-
[21]
Min-tradeoff function A min-tradeoff function is an affine function that is always below the rate function, where by rate function we mean a lower bound on the single-round conditional von Neumann entropy over all EAT channels and input states that give the observed distributionqoverU= (T, X, Y). Given such a distribution the score overlap and test probab...
-
[22]
X i Zi ≤Θ exp −δ Θ # =P
Completeness error We now compute a bound on the probability that an honest protocol aborts. We use the same method as in [33, Section E.3.2]. This relies on Hoeffding’s inequality [39], i.e., that if{Xi}n i=1 are i.i.d. random variables witha≤ Xi ≤b,S= P i Xi andµ=E(S), then fort >0, P(S−µ≥t)≤e − 2t2 n(b−a)2 . 32 For the completeness error we want the pr...
-
[23]
Quantum and relativistic protocols for secure multi-party computation , Year =
R. Colbeck,Quantum and relativistic protocols for secure multi-party computation, Ph.D. thesis, University of Cambridge (2007), also available as arXiv:0911.3814
-
[24]
Private randomness expansion with untrusted devices,
R. Colbeck and A. Kent, “Private randomness expansion with untrusted devices,” Journal of Physics A44, 095305 (2011)
2011
-
[25]
Random numbers certified by Bell’s theorem,
S. Pironio, A. Acin, S. Massar, A. Boyer de la Giroday, D. N. Matsukevich, P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe, “Random numbers certified by Bell’s theorem,” Nature464, 1021–1024 (2010)
2010
-
[26]
Device-independent randomness expansion against quantum side information,
W.-Z. Liu, M.-H. Li, S. Ragy, S.-R. Zhao, B. Bai, Y. Liu, P. J. Brown, J. Zhang, R. Colbeck, J. Fan, Q. Zhang, and J.-W. Pan, “Device-independent randomness expansion against quantum side information,” Nature Physics17, 448–451 (2021)
2021
-
[27]
Device-independent randomness expansion with entangled photons,
L. K. Shalm, Y. Zhang, J. C. Bienfang, C. Schlager, M. J. Stevens, M. D. Mazurek, C. Abellán, W. Amaya, M. W. Mitchell, M. A. Alhejji, H. Fu, J. Ornstein, R. P. Mirin, S. W. Nam, and E. Knill, “Device-independent randomness expansion with entangled photons,” Nature Physics17, 452–456 (2021)
2021
-
[28]
Generalized time-bin quantum random number generator with uncharacterized devices,
H. Tebyanian, M. Zahidy, R. Müller, S. Forchhammer, D. Bacco, and L. K. Oxenløwe, “Generalized time-bin quantum random number generator with uncharacterized devices,” EPJ Quantum Technology11, 15 (2024)
2024
-
[29]
Semi-device-independent random-number expansion without entanglement,
H.-W. Li, Z.-Q. Yin, Y.-C. Wu, X.-B. Zou, S. Wang, W. Chen, G.-C. Guo, and Z.-F. Han, “Semi-device-independent random-number expansion without entanglement,” Physical Review A84, 034301 (2011)
2011
-
[30]
Provably-secure quantum randomness expansion with uncharacterised homodyne detection,
C. Wang, I. W. Primaatmaja, H. J. Ng, J. Y. Haw, R. Ho, J. Zhang, G. Zhang, and C. Lim, “Provably-secure quantum randomness expansion with uncharacterised homodyne detection,” Nature Communications14, 316 (2023)
2023
-
[31]
Semi-device-independent framework based on natural physical assumptions,
T. Van Himbeeck, E. Woodhead, N. J. Cerf, R. García-Patrón, and S. Pironio, “Semi-device-independent framework based on natural physical assumptions,” Quantum1, 33 (2017)
2017
-
[32]
Correlations and randomness generation based on energy constraints,
T. Van Himbeeck and S. Pironio, “Correlations and randomness generation based on energy constraints,” arXiv preprint (2019), 1905.09117
-
[33]
Self-testing quantum random-number generator based on an energy bound,
D. Rusca, T. Van Himbeeck, A. Martin, J. B. Brask, W. Shi, S. Pironio, N. Brunner, and H. Zbinden, “Self-testing quantum random-number generator based on an energy bound,” Physical Review A100, 062338 (2019)
2019
-
[34]
Semi-device-independent randomness fromd-outcome continuous- variable detection,
H. Tebyanian, M. Avesani, G. Vallone, and P. Villoresi, “Semi-device-independent randomness fromd-outcome continuous- variable detection,” Physical Review A104, 062424 (2021)
2021
-
[35]
Megahertz-rate semi-device- independent quantum random number generators based on unambiguous state discrimination,
J. B. Brask, A. Martin, W. Esposito, R. Houlmann, J. Bowles, H. Zbinden, and N. Brunner, “Megahertz-rate semi-device- independent quantum random number generators based on unambiguous state discrimination,” Physical Review Applied 7, 054018 (2017)
2017
-
[36]
Fast self-testing quantum random number generator based on homodyne detection,
D. Rusca, H. Tebyanian, A. Martin, and H. Zbinden, “Fast self-testing quantum random number generator based on homodyne detection,” Applied Physics Letters116, 264004 (2020), 2004.08307
-
[37]
Semi-device-independent heterodyne-based quantum random- number generator,
M. Avesani, H. Tebyanian, P. Villoresi, and G. Vallone, “Semi-device-independent heterodyne-based quantum random- number generator,” Physical Review Applied15, 034034 (2021)
2021
-
[38]
Semi-device independent randomness generation based on quantum state’s indistinguishability,
H. Tebyanian, M. Zahidy, M. Avesani, A. Stanco, P. Villoresi, and G. Vallone, “Semi-device independent randomness generation based on quantum state’s indistinguishability,” Quantum Science and Technology6, 045026 (2021)
2021
-
[39]
Source-independent quantum random number generation,
Z. Cao, H. Zhou, X. Yuan, and X. Ma, “Source-independent quantum random number generation,” Physical Review X6, 011020 (2016)
2016
-
[40]
Composable framework for device-independent state certification,
R. Bhavsar, L. Wooltorton, and J. Bae, “Composable framework for device-independent state certification,” PRX Quantum 6, 040356 (2025)
2025
-
[41]
Why quantum state verification cannot be both efficient and secure: a categorical approach,
F. Wiesner, Z. Chaoui, D. Kessler, A. Pappa, and M. Karvonen, “Why quantum state verification cannot be both efficient and secure: a categorical approach,” e-print arXiv:2411.04767 (2024)
-
[42]
Entropy accumulation,
F. Dupuis, O. Fawzi, and R. Renner, “Entropy accumulation,” Communications in Mathematical Physics379, 867–913 (2020)
2020
-
[43]
Entropy accumulation with improved second-order term,
F. Dupuis and O. Fawzi, “Entropy accumulation with improved second-order term,” IEEE Transactions on Information Theory65, 7596–7612 (2019)
2019
-
[44]
Generalisedentropyaccumulation,
T.Metger, O.Fawzi, D.Sutter, andR.Renner,“Generalisedentropyaccumulation,” in2022 IEEE 63rd Annual Symposium on Foundations of Computer Science (FOCS)(IEEE, 2022) pp. 844–850
2022
-
[45]
Quantum detection and estimation theory,
C. W. Helstrom, “Quantum detection and estimation theory,” J. Statist. Phys.1, 231–252 (1969)
1969
-
[46]
Optimal quantum measurements,
A. S. Holevo, “Optimal quantum measurements,” Teoreticheskaya i Matematicheskaya Fizika17, 319–326 (1973)
1973
-
[47]
Bosonic data hiding: power of linear vs non-linear optics,
K. K. Sabapathy and A. Winter, “Bosonic data hiding: power of linear vs non-linear optics,” e-print arXiv:2102.01622 (2021)
-
[48]
Simple and tight device-independent security proofs,
R. Arnon-Friedman, R. Renner, and T. Vidick, “Simple and tight device-independent security proofs,” SIAM Journal on Computing48, 181–225 (2019). 34
2019
-
[49]
A framework for quantum-secure device-independent randomness expansion,
P. J. Brown, S. Ragy, and R. Colbeck, “A framework for quantum-secure device-independent randomness expansion,” IEEE Transactions on Information Theory66, 2964–2987 (2020)
2020
-
[50]
Computing conditional entropies for quantum correlations,
P. J. Brown, H. Fawzi, and O. Fawzi, “Computing conditional entropies for quantum correlations,” Nature Communications 12, 575 (2021)
2021
-
[51]
Device-independent lower bounds on the conditional von Neumann entropy,
P. J. Brown, H. Fawzi, and O. Fawzi, “Device-independent lower bounds on the conditional von Neumann entropy,” e-print arXiv:2106.13692 (2021)
-
[52]
thesis, University of York (2023), also available as arXiv:2311.13528
R.Bhavsar,Improvements on Device Independent and Semi-Device Independent Protocols of Randomness Expansion,Ph.D. thesis, University of York (2023), also available as arXiv:2311.13528
-
[53]
Prepare-and-measure scenarios with photon-number con- straints,
C. R. i Carceller, J. Pauwels, S. Pironio, and A. Tavakoli, “Prepare-and-measure scenarios with photon-number con- straints,” Physical Review Letters135, 140802 (2025)
2025
-
[54]
Advances in quantum cryptography,
S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ot- taviani,et al., “Advances in quantum cryptography,” Advances in Optics and Photonics12, 1012 (2020)
2020
-
[55]
Improved device-independent randomness expansion rates using two sided ran- domness,
R. Bhavsar, S. Ragy, and R. Colbeck, “Improved device-independent randomness expansion rates using two sided ran- domness,” New Journal of Physics25, 093035 (2023)
2023
-
[56]
Essai sur la géométrie à n dimensions,
C. Jordan, “Essai sur la géométrie à n dimensions,” Bulletin de la S. M. F.3, 103–174 (1875)
-
[57]
Rockafellar,Convex Analysis(Princeton University Press, Princeton, NJ, 1970)
R. Rockafellar,Convex Analysis(Princeton University Press, Princeton, NJ, 1970)
1970
-
[58]
FasterthanthefastLegendretransform, thelinear-timeLegendretransform,
Y.Lucet,“FasterthanthefastLegendretransform, thelinear-timeLegendretransform,” NumericalAlgorithms16,171–185 (1997)
1997
-
[59]
A linear-time approximate convex envelope algorithm using the double Legendre– Fenchel transform with application to phase separation,
L. Contento, A. Ern, and R. Vermiglio, “A linear-time approximate convex envelope algorithm using the double Legendre– Fenchel transform with application to phase separation,” Computational Optimization and Applications60, 231–261 (2015)
2015
-
[60]
A better bound on the variance,
R. Bhatia and C. Davis, “A better bound on the variance,” The American Mathematical Monthly107, 353–357 (2000)
2000
-
[61]
Probability inequalities for sums of bounded random variables,
W. Hoeffding, “Probability inequalities for sums of bounded random variables,” Journal of the American Statistical Asso- ciation58, 13–30 (1963)
1963
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.