Loss-tolerant measurement-device-independent quantum random number generation

Quantum random number generators (QRNGs) output genuine random numbers based upon the uncertainty principle. A QRNG contains two parts in general --- a randomness source and a readout detector. How to remove detector imperfections has been one of the most important questions in practical randomness generation. We propose a simple solution, measurement-device-independent QRNG, which not only removes all detector side channels but is robust against losses. In contrast to previous fully device-independent QRNGs, our scheme does not require high detector efficiency or nonlocality tests. Simulations show that our protocol can be implemented efficiently with a practical coherent state laser and other standard optical components. The security analysis of our QRNG consists mainly of two parts: measurement tomography and randomness quantification, where several new techniques are developed to characterize the randomness associated with a positive-operator valued measure.


Introduction
Random numbers have applications in many fields including industry, scientific computing, and cryptography [1,2]. In particular, the randomness of the key is the security foundation for all the cryptographic tasks. Any bias on random numbers may result in security loopholes [3].
Traditionally, there are two types of random number generators (RNGs), pseudo-RNGs and physical RNGs. A pseudo-RNG is a deterministic expansion of random seeds and hence not random [4]. A physical RNG is based on a chaotic physical process such as noise in electric devices [5], oscillator jitter [6], and circuit decay [7]. Since a full characterization of a physical RNG process may enable an adversary to predict the outcomes, the randomness is not information-theoretically provable. In practice, it is very challenging to rule out the bias in output random numbers, and hence these physical RNGs may lead to security loopholes when employed in cryptographic tasks.
On the other hand, quantum random number generators (QRNGs), stemming from the intrinsic uncertainty of quantum measurement outcomes, are able to output randomness that is guaranteed by quantum mechanics. Some popular QRNG schemes include single photon detection [8,9,10], vacuum state fluctuation [11] and quantum phase fluctuation [12,13]. The output randomness of these QRNGs relies on assumptions on the realization devices. In practice, however, device imperfections may lead to potential loopholes, which can be exploited by an adversary.
To solve this problem, device-independent QRNG (DIQRNG) schemes, whose output randomness does not rely on specific physical implementations, have been proposed [14]. Based on quantum non-locality, such a DIQRNG is mainly designed with entangled particles and can certify genuine randomness. By performing measurements on two entangled systems and checking whether the correlation violates a certain Bell inequality, true random numbers are generated. It has been proved that high detection efficiency (over 2/3) and space separation are necessary in such a device-independent scheme [15,16]. However, normal optical detectors, with which all practical fast QRNGs are built, only have an overall efficiency around 10% and do not satisfy this condition. In fact, loophole-free DIQRNGs have not yet been demonstrated in labs up till now [17].
Similar issues also exist in another quantum cryptographic task, quantum key distribution (QKD). In order to solve the practical issues in the device-independent schemes, additional assumptions are added to make the schemes more practical [18,19]. In particular, a measurement-device-independent (MDI) QKD scheme is proposed [20] such that all the detection loopholes can be removed using trusted source devices. The MDIQKD scheme turns out to be loss-tolerant and very effective to defend against practical attacks [21,22], without using complicated characterization on devices [23]. The security of MDIQKD stems from the time-reversed EPR-based QKD protocols [24,25,26].
Unfortunately, the idea of MDIQKD cannot directly apply to the task of QRNG due to the subtle difference between QKD and QRNG in practice. In QKD, local randomness is assumed to be a free resource, while in QRNG, (local) randomness is the goal to pursue. In fact, the randomness generated by the measurement (at most 2 bit per run) is less than the randomness required for the state preparations (4 bit per run) in MDIQKD [20]. Intuitively, the measurement in MDIQKD only establishes correlation between the two communication parties and helps to generate a shared randomness, but it does not generate additional randomness.
Recently, there have been a few attempts to tackle the challenge of MDI QRNG, including a qubit-modeled QRNG [27] and an MDI entanglement witness (MDIEW) based QRNG [28]. These schemes are more secure than conventional QRNGs, in the sense that some of the assumptions on the devices are removed. Compared to DIQRNGs, they are more practical in terms of loss tolerance. However, a key assumption in the first scheme [27], that both the source and the measurement device are qubit systems, is difficult to fulfill in practice. The second scheme [28] cannot tolerate basis-dependent losses, which puts strict constraints on measurement devices.
Here, we present a loss-tolerant MDI QRNG scheme, stemming from a simple qubit scheme that measures a state $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$ in the basis $\{|0\rangle, |1\rangle\}$. The randomness originates from breaking the coherence of the input state [29]. In order to validate the measurement devices, several additional quantum input states need to be sent. Such a validation procedure is related to the concept of self-testing [30]. For example, the source could check if the measurement device always outputs the correct eigenstate when inputting the state $|0\rangle$. Note that if the measurement device faithfully measures in the $\{|0\rangle, |1\rangle\}$ basis, it should always output $|0\rangle$ deterministically. To reduce the input randomness, testing input states should be rarely sent. In our analysis, we do not require the source to be a single photon source. Instead, practical photon sources, such as a weak coherent state source, can be used in our scheme.
The organization of the paper is as follows. In Section 2, we give a formal description of our protocol. In Sections 3 to 6, we analyze our protocol. Our protocol can be divided into two parts, measurement tomography and randomness quantification of a POVM, thus Section 3 and Section 4 are devoted to these two parts respectively. In Section 5, we analyze the finite size effect. Section 6 extends the analysis from a single-photon source to a coherent-state source. Finally we conclude in Section 7.

Brief description of MDI QRNG
In our MDI QRNG scheme, a quantum source emits signals, which are measured by an untrusted and uncharacterized device. The process is repeated n times, among which some of the runs are chosen as test runs and the rest for randomness generation. In test runs, a measurement tomography is performed, while in a generation run, random numbers are generated. The protocol is presented in Fig. 1.
Table 1: The measurement device is designed to measure in the $\sigma_z$ basis for n runs. At the end of the protocol, the measurement device outputs a uniformly random string of length rn, where r is the product of the ratio for generation runs and the min-entropy of the raw measurement outcomes.
(iii) Generation mode: For the runs not in B, Alice sends the measurement device a fixed state of $|+\rangle$. Again, the measurement device outputs bits $b \in \{0, 1\}$.
(iv) Extraction: Randomness extraction is performed on the raw outputs to obtain a uniformly random string of length rn. The min-entropy of the raw data is determined by the tomography results.
Here is the intuition why the protocol works. From the test runs, the measurement tomography is used to monitor the devices in real time. If the tomography result passes certain threshold, the user is sure that the measurement devices function properly. Of particular interest is how the protocol deals with losses in order to make it loss-tolerant. We emphasize that in the protocol we do not discard the loss events. Instead, the measurement device should always output 0 or 1. In practice, if there is no detection click, the measurement device outputs 0. Intuitively, the positions of the loss are mixed with real detected bits 0, restricting the adversary's ability to output a fixed string.
Let us consider a simple attack that works for conventional QRNGs when the measurement devices are untrusted and the loss is over 50%. A successful attack can be defined as follows: an adversary, Eve, can manipulate the QRNG so that it outputs a predetermined string (which could appear random to Alice). When Eve can fully control the measurement devices, she first performs the faithful measurement (without losses) designated by the protocol. Then within the measurement outcomes, Eve postselects a string according to her predetermined string (which could appear random to Alice). The post-selection works as follows: if a measurement outcome matches the corresponding bit in Eve's predetermined string, Eve announces the outcome, otherwise she announces a loss. Then if the measurement outcomes contain an equal number of 0s and 1s, approximately 50% of outcomes will be announced as losses. Thus the output string could be predetermined without being noticed by the user.
Such an attack will not work for our MDI QRNG. If Eve performs this attack and outputs 0 when she wishes to announce a loss, each bit of the outcomes will now independently have probability 3/4 to be 0 and 1/4 to be 1. Thus the randomness of the output is $\log_2(4/3)$ per bit, which is nonzero. By the protocol description, the randomness analysis can be naturally decomposed into two parts, measurement tomography and randomness quantification given a known positive-operator-valued measure (POVM). We thus divide the analysis into the following two sections accordingly.
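The effect of the "no click outputs 0" rule on the post-selection strategy described above can be checked numerically. The following simulation is an added example, not code from the paper; the function names, the run count and the seed are assumptions, and the min-entropy is estimated per bit from the observed frequency of 0s, as in the $\log_2(4/3)$ figure above.

```python
import math
import random


def measure_plus_in_z(n, rng):
    """Faithful, lossless sigma_z measurement of |+>: each outcome is a fair bit."""
    return [rng.randrange(2) for _ in range(n)]


def postselect(outcomes, target):
    """Announce an outcome only if it equals the next unused bit of the
    predetermined string; otherwise announce a loss (None)."""
    announced, pos = [], 0
    for o in outcomes:
        if pos < len(target) and o == target[pos]:
            announced.append(o)
            pos += 1
        else:
            announced.append(None)
    return announced


def conventional_readout(announced):
    """Conventional QRNG readout: loss events are discarded."""
    return [b for b in announced if b is not None]


def mdi_readout(announced):
    """Protocol rule from the text: every run yields a bit, no click -> 0."""
    return [0 if b is None else b for b in announced]


def min_entropy_per_bit(bits):
    """Per-bit min-entropy estimated from the frequency of the likelier value."""
    p0 = bits.count(0) / len(bits)
    return -math.log2(max(p0, 1 - p0))


def run_demo(n=20000, seed=1):
    rng = random.Random(seed)                      # constructed sample data
    target = [rng.randrange(2) for _ in range(n)]  # predetermined string
    announced = postselect(measure_plus_in_z(n, rng), target)
    conv = conventional_readout(announced)
    mdi = mdi_readout(announced)
    return {
        "loss_fraction": announced.count(None) / n,
        # With losses discarded, the output is exactly a prefix of the
        # predetermined string, so it carries no randomness.
        "conventional_is_prefix_of_target": conv == target[:len(conv)],
        # With losses forced to 0, the output is biased toward 0 (about 3/4).
        "mdi_p0": mdi.count(0) / n,
        "mdi_min_entropy": min_entropy_per_bit(mdi),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("log2(4/3) =", math.log2(4 / 3))
```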

Measurement tomography
In this section, we investigate the following question. Given a trusted single photon source, which is treated as a qubit, how to make a measurement tomography on a detection device, whose dimension is unknown? Later, we will discuss how to replace the single photon source with a more practical coherent state source.
Generally, there are three types of attacks for security protocols, individual attack where Eve performs an identical and independent attack on each run, collective attack where Eve probes the input state in each run separately and performs a joint postprocessing, and coherent attack where Eve might exploit the correlation between the runs by probing all the inputs jointly [32]. In our protocol, to be more specific, an individual attack means that the POVM of Eve in different runs will be the same; a collective attack means Eve performs different POVMs in different runs but uncorrelated; a coherent attack means the POVMs in different runs are correlated. We will extend our security proof framework from individual attack to collective attack, and leave coherent attack for future research.
Recall that we have restricted the measurement device to always output 1 and 0 in each run. Though the adversary could add an arbitrary number of ancillaries to perform a high-dimensional PVM, its measurement operator can always be described by a two-dimensional POVM with two outcomes $\{F_0, F_1\}$ where $F_0 + F_1 = I$, because of the qubit input. Here, we start with the analysis under individual attacks and hence we can assume the POVM elements are the same for every run. The extension to collective attacks will be presented in Sec. 4.4.
For a qubit input state $\rho$, the probabilities of outputting 0 and 1 are given by
Any two-dimensional POVM has the form [33] $F_0 = a_1(I + n_1 \cdot \sigma)$, where $\sigma$ is the vector composed of three Pauli matrices, $n_1 = (n_x, n_y, n_z)$ and $n_2$ are three-dimensional real number vectors. The coefficients are real numbers and satisfy $a_1, a_2 \ge 0$, $a_1 + a_2 = 1$,
In measurement tomography, one can input the four basis of two-dimensional density matrices, $(I + \sigma_z)/2$, $(I - \sigma_z)/2$, $(I + \sigma_x)/2$, and $(I + \sigma_y)/2$, which correspond to pure states $|0\rangle$, $|1\rangle$, $|+\rangle$, and $|+i\rangle$, respectively. The probabilities of outputting 0 for the four states can be estimated through counting the ratio of 0s in the test runs. When there are an infinite number of runs, the estimation can be done accurately. From Eq. (3.1), these probabilities are given by
Then the coefficients $a_1, n_x, n_y, n_z$ can be solved given the measurement results, the left side quantities of Eq. (3.4). Note that if the input is a linear combination of these four inputs, the probability of outputting 0 will also be a corresponding linear combination of the above four probabilities. Without loss of generality and for ease of discussion, we will assume $a_1 \le a_2$ hereafter.
There also exist tomography methods for coherent state source [34,35,36], thus our MDI QRNG is readily extendable to practical sources, which will be detailed in Section 6.
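The linear inversion described in this section can be sketched as follows. This is an added example, not code from the paper: it uses $\mathrm{Prob}(0) = a_1(1 + n_1 \cdot r)$ for an input with Bloch vector $r$, which reproduces the asymptotic values $a_1 \pm a_1 n_z$, $a_1 + a_1 n_x$, $a_1 + a_1 n_y$ quoted in the statistical fluctuation section. The lossy $\sigma_z$ detector model, the function names, the sample sizes and the tolerances are assumptions, and the relabelling that enforces $a_1 \le a_2$ is not applied.

```python
import math
import random

# Bloch vectors r of the four tomography inputs rho = (I + r.sigma)/2.
TEST_STATES = {"0": (0, 0, 1), "1": (0, 0, -1), "+": (1, 0, 0), "+i": (0, 1, 0)}


def prob_zero(a1, n, r):
    """Tr(F0 rho) = a1 (1 + n.r) for F0 = a1 (I + n.sigma)."""
    return a1 * (1 + sum(ni * ri for ni, ri in zip(n, r)))


def lossy_z_detector(eta):
    """Assumed device model: sigma_z measurement whose '1' detector clicks with
    efficiency eta; a missing click is reported as 0, so F1 = eta |1><1|
    and F0 = (1 - eta/2) I + (eta/2) sigma_z."""
    a1 = 1 - eta / 2
    return a1, (0.0, 0.0, (eta / 2) / a1)


def simulate_test_runs(a1, n, runs_per_state, rng):
    """Constructed sample data: (number of 0 outputs, runs) per test input."""
    counts = {}
    for label, r in TEST_STATES.items():
        p = prob_zero(a1, n, r)
        zeros = sum(rng.random() < p for _ in range(runs_per_state))
        counts[label] = (zeros, runs_per_state)
    return counts


def frequencies(counts):
    """Ratio of 0s observed for each test input."""
    return {label: zeros / total for label, (zeros, total) in counts.items()}


def tomography(freq):
    """Invert the four zero-output frequencies to (a1, (n_x, n_y, n_z))."""
    a1 = (freq["0"] + freq["1"]) / 2
    if a1 == 0:
        return 0.0, (0.0, 0.0, 0.0)  # F0 = 0: the device never outputs 0
    n_z = (freq["0"] - freq["1"]) / (2 * a1)
    n_x = freq["+"] / a1 - 1
    n_y = freq["+i"] / a1 - 1
    return a1, (n_x, n_y, n_z)


def is_valid_povm(a1, n, tol=1e-9):
    """F0 and F1 = I - F0 are both positive iff the eigenvalues of F0,
    a1 (1 - |n|) and a1 (1 + |n|), lie in [0, 1]."""
    norm = math.sqrt(sum(x * x for x in n))
    return a1 * (1 - norm) >= -tol and a1 * (1 + norm) <= 1 + tol


def has_ny_or_nz(n, tol):
    """Condition stated later on the page for positive randomness with input
    |+>: n_y or n_z is nonzero. tol absorbs statistical noise."""
    return abs(n[1]) > tol or abs(n[2]) > tol


if __name__ == "__main__":
    rng = random.Random(7)
    device = lossy_z_detector(0.1)  # 10% detection efficiency
    est_a1, est_n = tomography(frequencies(simulate_test_runs(*device, 20000, rng)))
    print("a1 =", est_a1, " n =", est_n)
    print("valid POVM:", is_valid_povm(est_a1, est_n, tol=0.02))
    print("n_y or n_z nonzero:", has_ny_or_nz(est_n, tol=0.02))
```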

Quantifying randomness
After obtaining the two-output POVM set, $\{F_0, F_1\}$ in Eq. (3.2), we need to quantify how much randomness is produced when an input state $|+\rangle$ is fed into the measurement device. Here, we employ the widely-used min-entropy to quantify the randomness.
Given an (even pure) state, the evaluation of the output genuine randomness from a POVM set, $\{F_0, F_1\}$, is not straightforward. A naive approach that takes the randomness to be just the entropy of the outcomes does not work. Consider the case of $F_0 = F_1 = I/2$, then for any qubit input, both probabilities of outputting 0 and 1 are 1/2, and hence the outcome entropy is 1. However, Eve could simply output these statistics using a predetermined string (unknown to Alice) without being noticed. That is, for this pair of POVMs, no true randomness can be obtained by Alice. Thus, we need to find a way to distinguish classical and quantum randomness. Similar issues are dealt with when randomness is used to quantify quantum coherence [29].
To lower bound the randomness, we should allow Eve to implement the two POVMs in an arbitrary way. Denote Eve's implementation as $D$ and the randomness corresponding to this implementation as $R(F_0, F_1, D)$. Consider the worst implementation $D$ that minimizes $R(F_0, F_1, D)$, the randomness of the POVM set, (4.1)
As an example of Eve's implementation, Eve can choose a measurement of the following form (the number of terms in the summation below is decided by Eve), which we call standard decomposition form. In this decomposition, with a probability of $c$, Eve outputs 1 deterministically, while with probability $1 - c$, Eve chooses a set of two-dimensional projection-valued measure (PVM), $\{\psi_i, \psi_i^\perp\}$, with a probability distribution $\{p_i\}$, and outputs the measurement outcome 0 or 1. Note that $F_0$ and $F_1$ are fixed due to measurement tomography presented in Sec. 3.
For a standard decomposition $D$, we define the randomness when the input is $|+\rangle$ as is the binary min-entropy function. Here is the intuition behind this definition. The total randomness contains two parts: (1) Randomness due to the choice of PVM from the decomposition $D$. This part contains classical randomness (known to Eve) and thus should be discarded. (2) Randomness associated with each PVM. This part contains real quantum randomness. For a PVM $\{\psi_i, \psi_i^\perp\}$, the randomness is quantified by $H_\infty(|\langle +|\psi_i\rangle|^2)$, as presented in Sec. 4.3. Note that this definition of randomness also holds for general decompositions.
Although from Alice's point of view, the POVM, $\{F_0, F_1\}$, is two-dimensional, Eve can implement it with arbitrarily large dimension PVMs by adding ancillary systems. Thus, as the first step shown in Sec. 4.1, we need to reduce their dimensions down to two. In Sec. 4.2, we reduce a general two-dimensional PVM decomposition to the standard decomposition form in Eq. (4.2). After that, we evaluate the genuine randomness with the standard decomposition form in Sec. 4.3 and obtain the following theorem. In Sec. 4.4, we extend this result from individual attacks to collective attacks.
Theorem 1. When $|+\rangle$ is fed into the measurement device, described by a POVM set of $\{F_0, F_1\}$ where $F_0 = a_1(I + n_x \sigma_x + n_y \sigma_y + n_z \sigma_z)$, the output randomness is given by

Reduce general measurement to two-dimensional PVM
Note that every mixed state is a mixture of pure states. Naturally, we can imagine that every POVM can be decomposed into more basic building blocks, PVMs, as shown in Fig. 1. Note that from Alice's view, the measurement is described by a two-dimensional POVM, but she does not know its inner working. While from Eve's view, she is the one who implements POVM with a mixture of different quantum processes, as shown by the branches in Fig. 1. Generally, every POVM is a mixture of PVMs on the original state and some ancilla $\alpha_k$ (not necessarily of the same dimension), followed by assigning the outcomes of PVMs to the outcomes of the POVM. The mixture of PVMs can be implemented by Eve choosing PVM index $k$ according to some random variable. If the random variable is classical, we call it classical adversary. If it is quantum, we call it quantum adversary.
In general, each ancilla $\alpha_k$ can be a mixed state, which is decomposed to a spectrum of pure states $\beta_{kj}$. So, a PVM on the input state $\rho$ and the mixed state ancilla $\alpha_k$ can be further decomposed into the PVM on the input state $\rho$ and a statistical mixture of pure state ancillas $\beta_{kj}$, as shown in Fig. 1. Thus in the decomposition of a POVM, the ancilla can be assumed to be a pure state $\beta_{kj}$, without loss of generality. Moreover, since a unitary transformation can evolve $|0\rangle$ to any pure ancilla state $\beta_{kj}$, and a unitary transformation can always be encompassed into a PVM, the ancilla can also be viewed to be always in the state of $|0\rangle$. Here, the dimension of $|0\rangle$ can be large.
Figure 1: POVM decomposition. On the first level of the tree, the POVM on the input $\rho$ is implemented by Eve as an average of projective measurements $\mathrm{PVM}_k$ on $\rho$ and a mixed ancilla state $\alpha_k$. On the second level of the tree, each node $\mathrm{PVM}_k$ on the first level is further decomposed to $\mathrm{PVM}_k$ on $\rho$ and a pure ancilla state $\beta_{kj}$. Note here $\beta_{kj}$ is a decomposition of the mixed state $\alpha_k$.
Now, we can show that decomposing a POVM set into high-dimensional PVMs is equivalent to decomposing into two-dimensional ones. From Eve's point of view, the use of high-dimensional PVMs cannot reduce the output randomness further than using only two-dimensional ones. We first characterize the randomness of a high-dimensional PVM implementation of a POVM set. Then, we decompose the high-dimensional PVM to two-dimensional PVMs, and show that the decomposition cannot increase the output randomness. According to Born's rule, the outcomes of PVM is intrinsically random [29]. Now we can quantify the randomness of a high-dimensional PVM. While grouping the output results of PVMs to the ones of the original POVMs, as shown in Fig. 2, we can view it as a projection onto subspaces, which is still inherently random.
Take the following projection, which is performed as a branch of the decomposition of the original POVM, for an example. It projects 0 to 0, and projects 1 and 2 to 1:
So according to Born's rule, projecting to the orthogonal subspaces, $|0\rangle$ and $|1\rangle$, is still random. In this example, and so the randomness of this three-dimensional PVM is $H_\infty(\mathrm{Prob}(0))$ which is the maximally possible given that the probability of outputting 0 is of value a 2 . Thus viewing this part as a virtual two-dimensional POVM (note this is different from the original POVM because there are many branches and this is just one of them) and further decompose this POVM to multiple two-dimensional PVMs will only decrease the randomness.
This can always be done by, e.g., the decomposition in Eq. (4.12) for an arbitrary two-dimensional POVM.
More generally, for a general $d$-dimensional PVM, we should also group its outputs to the two outcomes of the original POVM. Suppose the values $v_1, \cdots, v_k$ are projected to 0 ($0 \le k \le d$) and $v_{k+1}, \cdots, v_d$ are projected to 1, then
The randomness is $H_\infty\left(\sum_{i=1}^{k} a_{v_i}^2\right)$ and can be similarly reduced through replacing this $d$-dimensional PVM by several branches of two-dimensional PVMs.

Reduce two-dimensional PVM to standard decomposition form
The reduction from a two-dimensional PVM decomposition to the standard decomposition form consists of two steps: express the two-dimensional PVM decomposition in a concise form, and then reduce it to the standard decomposition form.
Recall that in the previous subsection, the outcomes of each $d$-dimensional PVM will be grouped to two values 0 and 1. Take the specific case of $d = 2$, there are four types of such grouping, as shown in Fig. 3. Denote the two bases of a two-dimensional projective measurement $\mathrm{PVM}_i$ as $|\psi_i\rangle$ and $|\psi_i^\perp\rangle$, which are orthogonal ¶. In the first type, $|\psi_i\rangle\langle\psi_i|$ and $|\psi_i^\perp\rangle\langle\psi_i^\perp|$ contribute to $F_0$ and $F_1$ respectively. In the second type, $|\psi_i^\perp\rangle\langle\psi_i^\perp|$ and $|\psi_i\rangle\langle\psi_i|$ contribute to $F_0$ and $F_1$ respectively. By a change of variable $|\psi_i\rangle = |\phi_i^\perp\rangle$, it is the same as the first case. In the third type, both $|\psi_i\rangle\langle\psi_i|$ and $|\psi_i^\perp\rangle\langle\psi_i^\perp|$ contribute to $F_0$ and $F_1$ respectively. In the second type, by a change of variable $|\psi_i\rangle = |\phi_i^\perp\rangle$, it is similar to the first case. In the third type, $I$ contributes to $F_0$. In the fourth type, $I$ contributes to $F_1$.
¶ Here the bases of two-dimensional $\mathrm{PVM}_i$ are not simply $|0\rangle$ and $|1\rangle$ because different $\mathrm{PVM}_i$ have different reference frames. To be consistent, we take the reference frame of the original POVM and $\mathrm{PVM}_i$ will accordingly have bases $|\psi_i\rangle$ and $|\psi_i^\perp\rangle$.
By combining all PVMs with assignments of the third type (i.e., $F_0$ will have a term $b_1 I$), and combining all PVMs with assignments of the fourth type (i.e., $F_1$ will have a term $b_2 I$), a decomposition $D_1$ has the expression, where the summation comes from PVMs with assignments of the first type and the second type. Next, we prove it can be reduced to the standard decomposition form in the sense that the value of $R(F_0, F_1)$ will not change when restricting the minimization over the standard decomposition form. Take $c = b_2 - b_1$, we obtain a decomposition $D_2$, which is equivalent to $D_1$. Finally, we just need to prove that
On one hand, $F_0 = I$ and $F_1 = 0$ means that the output is always 0 and there is no randomness. On the other hand, $H_\infty(\langle +|+\rangle) = H_\infty(\langle +|-\rangle) = 0$ also gives no randomness. Thus the difference between the two decompositions gives no randomness and thus they are equal in all cases.

Minimization of standard decomposition form
From the previous two subsections, we conclude that without loss of generality, the strategy of Eve can be restricted to the standard decomposition form. In this subsection, we allow Eve to choose the best strategy within the standard decomposition form. Recall that in this case, the randomness measure for the POVM can be expressed as
(4.12) whose randomness property and relation to the standard decomposition form is proven in Appendix A. In particular, note that $a_1(|n_1| I + n_1 \cdot \sigma)$ and $a_2(|n_2| I + n_2 \cdot \sigma)$ are a set of PVMs because $a_1 n_1 + a_2 n_2 = 0$. Thus one can obtain a random measurement outcome for this decomposition. However, this may not be the optimized decomposition for Eve, because the output randomness for this decomposition will be larger than $R(F_0, F_1)$. Then following some previous work, which utilizes a general decomposition to quantify randomness [37], we try to obtain an accurate expression of the minimum randomness $R(F_0, F_1)$ corresponding to an optimized decomposition of the POVM. A general expression of a mixed state can be written as: (4.13)
When performing a measurement on the bases $\{|+\rangle, |-\rangle\}$, the outcome randomness can be expressed as (4.14) where the first term $H_\infty(q_i)$ represents the classical randomness originating from the probability distribution of $q_i$, and it should be discarded in the following analysis. Thus, the net quantum randomness output is given by
When performing the POVM given in Eq. (4.2) on an input state $|+\rangle$, since the term $cI$ generates no randomness, the output randomness has a similar form
The bases in the PVM $\{|\psi\rangle, |\psi^\perp\rangle\}$ and an arbitrary pure state $|\phi\rangle$ have a natural duality. That is, the probability of projecting $|\phi\rangle$ on $|\psi\rangle$ is equal to that of projecting $|\psi\rangle$ on $|\phi\rangle$: (4.17)
Then we can easily find the quantum randomness in Eq. (4.15) and Eq. (4.16) are the same.
In addition, the measurement basis $|\psi_i\rangle\langle\psi_i|$ has a pure state form
Combining Eq. (3.2) and Eq. (4.2) we can get
Then if we let $p'_i = p_i / 2a_1$, the quantum randomness $R(F_0, F_1)$ can be rewritten as (4.20)
According to related study to quantify randomness for a mixed state and PVM [38,29], the mixed state randomness in Eq. (4.15) can be expressed as
One can see that, as long as $n_y$ or $n_z$ is nonzero, $R(F_0, F_1)$ is always positive. Note that the choice of $|+\rangle$ is not compulsory. Other input states can be used as randomness generation by a simple rotation of the reference frame. Take $|0\rangle$ for example, the randomness of the outcome corresponding to this new input state is

From individual attack to collective attack
Now, we have shown the quantification of output randomness under individual attacks. For a collective attack, Eve can perform a different, independent attack in each run. That is, for the $i$th round ($1 \le i \le n$), she performs $\mathrm{POVM}_i$, thus the total output randomness is
If the function $R$ is convex, we have (4.24) where the expression in the bracket on the right hand side is exactly the tomography result. So, in order to generalize individual attacks to collective attacks, it suffices to examine the convexity property of the randomness quantification Eq. (4.22), as shown in Appendix B. Thus, our randomness quantification Eq. (4.22) holds against collective attacks.

Statistical fluctuation
The above analysis assumes that the protocol has an infinite number of runs, such that the parameters can be accurately estimated. However in practice, protocols are only allowed to run for a finite amount of time, which results in imperfect tomography due to statistical fluctuations. Thus in this section, we take account of the finite-size effect by bounding the key parameters $a_1$, $a_1 n_x$, $a_1 n_y$, $a_1 n_z$ in Eq. (3.4), using the techniques in QKD [39]. Whether to use the upper bound or the lower bound of the parameters, depends on which gives the minimum randomness output according to our previous analysis. This will give the most conservative estimate on the output randomness. In a test run, Alice sends one of the four states $\rho_1 = I - \sigma_z$, $\rho_2 = I + \sigma_x$, $\rho_3 = I + \sigma_y$, $\rho_4 = I + \sigma_z$ and obtains the probabilities of outputting 0, denoted by $e_{x1}, e_{x2}, e_{x3}, e_{x4}$ that correspond to their asymptotic values $a_1 - a_1 n_z$, $a_1 + a_1 n_x$, $a_1 + a_1 n_y$, $a_1 + a_1 n_z$, respectively. After the protocol finishes, the number of test runs with input $\rho_i$ is denoted as $N_i$, $i = 1, 2, 3, 4$.
Let $N_0$ denote the number of non-test runs. Recall that in each non-test run, Alice sends $\rho_2 = |+\rangle\langle+|$. Let $e_{zi}$ be the probability of outputting 0 if the input of the non-test runs were $\rho_i$ instead. Define the bound, where $\theta$ is the deviation due to statistical fluctuations. Following the random sampling results of Fung et al. [39], we can bound the quantity $e_{z1}$ when Eq. (5.1) fails, $\varepsilon_\theta = \mathrm{Prob}(e_{z1} > e_{x1} + \theta)$ is the binary Shannon entropy function. Note that in an unlikely event when $e_{x1} = 0$, one should re-derive the failure probability or simply replace $e_{x1}$ with a small value, say, $1/N_1$. Note that the original random sampling trick is applied on variables between $[0, 1]$. However, the range of $e_{zi}$ is $[-1, 1]$ for $i = 2, 3, 4$. This requires a normalization which scales from $[-1, 1]$ to $[0, 1]$. This normalization transforms $y$ to $y' = (1 + y)/2$ which yields $\varepsilon_\theta = \mathrm{Prob}(e_{zi} > e_{xi} + \theta)$ $\forall i = 2, 3, 4$
Practically, we can let the failure probability $\varepsilon_\theta$ to be a small number for certain applications, say $2^{-100}$. Once the upper bound of $\varepsilon_\theta$ is fixed, there is a trade-off between $N_i/(N_0 + N_i)$, $\theta$ and the ratio of the final random bit length over the raw data size $R(F_0, F_1)$. In addition, a suitable $N_i$ can be chosen to optimize $R(F_0, F_1)$.
Also note that the input randomness is on the order of $\log N_0$ to achieve a desired small failure probability, while the output randomness is on the order of $N_0$, thus an exponential expansion of randomness is achieved.

From single photon source to coherent source
In practice, a weak coherent state photon source (highly attenuated laser) is widely used as an imperfect single photon source. To make our MDI QRNG scheme practical, we need to use a coherent light as the trusted source. This change introduces two obstacles in analysis. One is that the input states are changed in tomography. The other is the final output randomness is different. Since the intensity of the source can be used to estimate the single photon component emitted from the source, we can bound the output randomness with an "imperfect" tomography.
For a coherent state with a mean photon number µ, a phase randomization procedure transforms a superposition of Fork state into a mixture. In other words, the final state can be divided into three components, vacuum, single photon, and multiphoton. Since these three parts are orthogonal, they can be treated as different channels separately. By controlling the intensity µ low enough, the multi-photon component can be suppressed. We prove a lower bound on the randomness of our MDI QRNG with a coherent state source, using a series of relaxations.
As for the vacuum component, in the worst case scenario, we assume the adversary Eve is able to determine the outcomes ahead, and hence no true randomness can be generated. As shown in Fig. 4, the measurement is equivalent to a virtual qubit measurement with F 0 = d 1 I and F 1 = (1 − d 1 )I on any qubit state input. With these preparations at hand, we now can perform tomography on the qubit-POVM with a coherent state. Denote the POVM of the single photon component to be Since the proportion of the vacuum and the single photon component are e −µ and µe −µ , we can combine the POVM of the single photon with the virtual POVM on the vacuum, as shown in Fig. 4. Here the combined channel will have a proportion that is the sum of the proportion of single photon and vacuum in the original channels, which is (1+µ)e −µ .
We now verify such a combination will not be an overestimate on the output randomness. Originally the actual randomness comes from each separate component, which corresponds to F 0 , F 1 for the vacuum and F ′ 0 , F ′ 1 for single photon. Since the output randomness of F 0 , F 1 is independent of its qubit input, without loss of generality, the input of F 0 , F 1 can be set to the single photon component input. For example, as illustrated in the middle part of Fig. 4, since the qubit input to the single photon component is I + σ z , the input of the virtual measurement F 0 , F 1 is also set to I + σ z . Recall that the randomness measure is the minimum over all decompositions. Since the decomposition is also a decomposition of a combined POVM and this decomposition corresponds to exactly the sum of the original randomness of vacuum and single photon channels, the randomness measure of the combined POVM can serve as a lower bound on the original randomness. Hence, using this combined POVM will not overestimate the output randomness.
In summary, vacuum component and single photon component can be combined as one source to generate randomness and previous analysis in Sec. 4 still applies. That is, for randomness generation purpose, both vacuum state and single-photon state can be regarded as an ideal qubit state. This is similar to QKD, where vacuum state can also be used to generate secure keys [40]. Now we need to take multi-photons components into account. We consider the worst case scenario [41] where multi-photon components do not contribute to randomness generation.
In addition, multi-photon states have the effect of making the tomography imperfect. We conservatively assume multi-photon states will always lead to a tomography outcome which minimizes the output randomness. In order to make the randomness smaller, according to Eq. (4.22), Eve should make $a_1$, $n_x$ and $n_y$ smaller. Considering the multi-photon components, after the POVM acts on the new input states $\tau_i$ ($i = 1, 2, 3, 4$), the constraints on the probabilities of the output 0 for $\tau_i$ are respectively

$$(a_1 + a_1 n_z)(1 + \mu)e^{-\mu} \le \mathrm{Prob}(0|\tau_4), \tag{6.2}$$

where equalities hold when the multi-photon component does not yield the result of 0 for the last three inequalities. So the bounds of the parameters can be estimated by experimentally obtaining $\mathrm{Prob}(0|\tau_i)$ ($1 \le i \le 4$).
Then we estimate the randomness from the vacuum and single photon components, which are combined as shown in Fig. 4. Thus, after calculating the randomness of the tomographed POVM with input state $(I + \sigma_x)/2$, we multiply by a factor of $(1 + \mu)e^{-\mu}$, which is the proportion of the single photon and the vacuum components, where the parameters are constrained by Eq. (6.2). We simulate a typical experimental setup to examine the dependency of the random bit rate R on the total transmittance η. In this setup, a coherent laser with intensity µ and polarization $|+\rangle$ sends pulses to a measurement apparatus that performs a Z basis measurement with low-efficiency detectors. The results are shown in Fig. 5, with the simulation details in Appendix C.
In practice, the laser intensity can be adjusted to optimize the performance. Thus in the simulation, we numerically optimize the laser intensity µ to maximize the random bit rate R. In the simulation, the optimal intensity µ of the coherent state is approximately proportional to η (µ ≈ 0.2η), as can be seen from the right panel of Fig. 5.
The logarithm of the optimal random bit rate is approximately proportional to the logarithm of η, as can be seen from the left panel of Fig. 5. Moreover, examining the figure more carefully, the random bit rate decreases by a factor of $10^6$ when the transmittance η decreases from 0 dB to 30 dB. Thus the optimal random bit rate R scales quadratically with η.
These scalings are similar to the early analysis of QKD [41], where the optimal intensity is also linear with the transmittance and the key rate is quadratic with the transmittance. In the development of QKD, the decoy state technique has increased the key rate to be linear with the transmittance [42]. It would be interesting to explore whether similar ideas can be used to improve the random bit rate in our protocol.
With a typical 100 MHz repetition rate laser and a typical total transmittance value η = 10%, the simulation shows that the random bit rate is over $5 \times 10^4$ bit/sec, which is five orders of magnitude higher than the current record of DIQRNG, 0.4 bit/sec [17].

Conclusion
In summary, we have proposed a measurement-device-independent QRNG. Our QRNG works when the detectors have low efficiency and have arbitrary imperfections. In contrast to MDI-QKD and MDI-EW, our protocol does not need space-like separation, which can be intuitively explained by the fact that one should perform error correction and privacy amplification in QKD, while one only needs to perform privacy amplification in QRNG. There are two possible implementations of our scheme, either by using a single photon source or by using a coherent state. The former has higher random bit rate while the latter is more practical.
For future work, it would be interesting to extend the analysis to coherent attack. Intuitively, the best coherent attack is usually just the collective attack. Since our protocol is permutation invariant, that is, the order of different runs can be arbitrarily changed, we can extend the analysis from collective attack to coherent attack possibly by applying the Post-Selection principle [43], which may give a moderate increase on the security parameter. Or we can possibly use the work of Miller and Shi [31] to extend from a classical adversary to a quantum adversary, which is essentially the difference between collective attack and coherent attack.

have

$$a_1 |n_1| = a_2 |n_2| \tag{A.2}$$

$$a_1 n_1 \cdot \sigma = -a_2 n_2 \cdot \sigma \tag{A.3}$$

Therefore the remaining parts $a_1(|n_1| I + n_1 \cdot \sigma)$ and $a_2(|n_2| I + n_2 \cdot \sigma)$ have the same coefficients, which compose the other terms of $p_i |\psi_i\rangle\langle\psi_i|$ and $p_i |\psi_i^{\perp}\rangle\langle\psi_i^{\perp}|$.

Figure A1: The first and third dashed boxes have no contribution to the randomness, while the second one does.
For such a decomposition, considering an arbitrary input state in $|0\rangle$, $|1\rangle$, $|+\rangle$, $|+i\rangle$, we can easily check that the output randomness originates only from the terms $a_1(|n_1| I + n_1 \cdot \sigma)$ and $a_2(|n_2| I + n_2 \cdot \sigma)$, as shown in Fig. A1, which is consistent with our previous results.
There is another way to prove the convex property of R. Recall that the randomness measure R is obtained by a minimization over all possible decompositions of a POVM. For such a convex roof measure, since the best decomposition of $\mathrm{POVM}_i$ ($1 \le i \le n$), $\{p_{ij}, |\psi_{ij}\rangle\}_{j=1,\cdots,m_i}$ also constitutes a decomposition of $\mathrm{POVM}_i/n$, $\{p_{ij}/n, |\psi_{ij}\rangle\}_{i=1,\cdots,n,\ j=1,\cdots,m_i}$, we have thus the convexity holds.

Appendix C. Simulation
Here are details for the simulation model. A phase randomization procedure transforms a coherent state to a mixture of Fock states. With a mean photon number µ, the probabilities of the vacuum component, the single photon component and the multi-photon component are respectively $e^{-\mu}$, $\mu e^{-\mu}$, $1 - e^{-\mu} - \mu e^{-\mu}$. Considering the Z basis measurement on such an input mixed state, assuming a no-detection event to be mapped into output 1, the probability of output 0 is given by In experiments, the polarization of the single photon component can be adjusted into the following four states = $I$, $I + \sigma_x$, $I + \sigma_y$, $I + \sigma_z$. Setting Prob(0|multiphoton) to be 0 and 1, the bounds of Prob(0) of the corresponding four input coherent states $\tau'_i$ ($i = 1, 2, 3, 4$) are Comparing with Eq. (6.2), we can easily obtain the constraints on the parameters $a_1$, $n_y$, and $n_z$. According to Eq. (6.3), for an arbitrary set of $a_1$, $n_y$, and $n_z$, we can find an optimal µ to maximize the final randomness $R(F_0, F_1)$. Then $R(F_0, F_1)$ can be calculated based on its monotonicity and an optimal µ.
The result of our simulation model is shown in Fig. 5. We can easily check that the final output randomness will be positive.
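The photon-number bookkeeping of Appendix C, as an added Python example that is not part of the paper: it computes the Fock-state weights of the phase-randomized coherent state and shows how an unknown multi-photon response Prob(0|multiphoton) in [0, 1] turns an observed Prob(0|τ_4) into an interval for a_1 + a_1 n_z, using the one inequality of Eq. (6.2) that appears in the text. The function names, the shorthand c for a_1 + a_1 n_z and the sample values are assumptions made for this example; the last function checks the quadratic scaling implied by the 10^6 drop over 30 dB.

```python
import math

def fock_weights(mu):
    """Vacuum, single-photon and multi-photon weights for mean photon number mu."""
    p_vac = math.exp(-mu)
    p_single = mu * math.exp(-mu)
    return p_vac, p_single, 1.0 - p_vac - p_single

def usable_fraction(mu):
    """Weight (1 + mu) e^{-mu} of the combined vacuum + single-photon channel."""
    return (1.0 + mu) * math.exp(-mu)

def prob0(c, q_multi, mu):
    """Observed Prob(0) when the combined channel outputs 0 with probability c
    and the multi-photon component outputs 0 with probability q_multi."""
    return c * usable_fraction(mu) + q_multi * fock_weights(mu)[2]

def bracket_c(prob0_obs, mu):
    """Interval for c = a1 (1 + n_z) compatible with an observed Prob(0|tau_4).

    Assumption: q_multi is unknown and adversarial, so it ranges over [0, 1];
    q_multi = 0 gives the upper end, q_multi = 1 the lower end.
    """
    w, p_multi = usable_fraction(mu), fock_weights(mu)[2]
    lower = max(0.0, (prob0_obs - p_multi) / w)
    upper = min(1.0, prob0_obs / w)
    return lower, upper

def loglog_slope(eta_drop_db, rate_drop_factor):
    """Exponent k in R ~ eta^k implied by a rate drop over a transmittance drop."""
    return math.log10(rate_drop_factor) / (eta_drop_db / 10.0)

if __name__ == "__main__":
    eta = 0.10                 # total transmittance quoted in the text
    mu = 0.2 * eta             # optimal-intensity rule of thumb from the text
    c_true, q_eve = 0.30, 0.5  # constructed sample values
    obs = prob0(c_true, q_eve, mu)
    print("weights (vac, single, multi):", fock_weights(mu))
    print("usable fraction:", usable_fraction(mu))
    print("bracket on c:", bracket_c(obs, mu))
    print("scaling exponent:", loglog_slope(30, 1e6))
```

At µ = 0.02 the multi-photon weight is close to µ²/2, so the interval for c is narrow; raising µ widens it, which is the cost of a brighter source in this model.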