Source-independent quantum random number generator against tailored detector blinding attacks

Randomness, mainly in the form of random numbers, is the fundamental prerequisite for the security of many cryptographic tasks. Quantum randomness can be extracted even if adversaries are fully aware of the protocol and even control the randomness source. However, an adversary can further manipulate the randomness via tailored detector blinding attacks, which are hacking attacks suffered by protocols with trusted detectors. Here, by treating no-click events as valid events, we propose a quantum random number generation protocol that can simultaneously address source vulnerability and ferocious tailored detector blinding attacks. The method can be extended to high-dimensional random number generation. We experimentally demonstrate the ability of our protocol to generate random numbers for two-dimensional measurement with a generation speed of 0.1 bit per pulse.


I. INTRODUCTION
The unpredictability of random numbers was originally intended to refer to a lack of correlation between numbers. In the current study, pseudorandom numbers [1, 2] are obtained through deterministic formulas implying some correlation of these numbers and, hence, some predictability of subsequent numbers. For the physical true random numbers [3,4], the source of its randomness has not been fully studied. In contrast, quantum random numbers [5,6] are considered to have inherent randomness based on the completeness of quantum mechanics. Quantum random number generators (QRNGs) have thus been widely investigated to obtain unpredictable random numbers. In addition to their lack of correlation, the practical security of quantum random numbers has received considerable attention as their fields of application [7][8][9] expand to cryptographic tasks [10][11][12][13][14].
A QRNG typically consists of a randomness source and a detection device. The randomness source provides light with quantum properties, and the detection device extracts randomness by measurements of light in a superposition state. As a solution to almost all security concerns, device-independent QRNGs [15][16][17][18] are the most stringent, making no assumption about either randomness sources or detection devices. Recently, deviceindependent QRNGs that can extract random numbers after deducting the consumed randomness have been im-plemented for the first time. The net gains reached 2290 bps [19], 3606 bps [20] and 3718 bps [21]. However, they all required approximately 10 hours to accumulate data, which would lead to high latency in practical use. Furthermore, random numbers are consumed rapidly in most cryptographic tasks. Thus, we unavoidably consider the trade-off between security and the generation rate [22][23][24][25]. An adoptable choice is the sourceindependent QRNG (SI-QRNG) [26][27][28][29][30], in which the detection devices are assumed to be trusted by well characterizing them. There is no secure assumption on the randomness source and the channel between the source and the detection device. Different from device-independent QRNGs, SI-QRNGs can measure both discrete variables [26] and continuous variables [27][28][29][30]. Here we focus on the discrete-variable QRNG since it needs no additional local oscillators and is realized by a single measurement. In practice, SI-QRNG has a wide selection of untrusted sources, from lasers to light bulbs to sunlight, depending on the situations, thus becoming a popular choice.
Perfectly characterizing detectors is complex and difficult [31,32]. Researchers have tried to solve the known vulnerabilities one by one. But they believe in the assumption that detectors can detect a single photon under any attack. Tailored detector blinding attacks [33][34][35], first introduced in quantum key distribution [36], is the most powerful attack targeting detectors. It causes the detector to respond to signals up to a certain intensity by change the physical state of detectors. The adversary Eve thus can manipulate the detector using trigger light with specific optical power and determines the detection outcomes with a probability of almost 100%. Such attacks can be launched on either avalanche photodiodes [37] or superconducting nanowire single-photon detectors (SNSPDs) [38].
Inspired by the interpretation of no-click events in Bell tests [39], we find that the change of the physical state of detectors breaks the fair sampling assumption. In this work, we present a source-independent protocol that is secure against the tailored detector blinding attacks by counting no-click events. Additionally, our protocol has composable security against quantum coherent attacks and can be easily expanded to high-dimensional measurement cases. We experimentally demonstrate the feasibility of generating random numbers in the two-dimensional measurement case. Detector imperfections such as dark count and after pulse are also considered. Our protocol achieves higher security than previous SI-QRNGs and maintains a meaningful generation rate. In our experiments, we realize the generation rate 0.103 with 1 Gb of data accumulation. For low-latency applications, our experimental system is able to generate 640 kbit quantum random numbers every 2 seconds with a 5 MHz experimental system. The extracted quantum random numbers pass the NIST test.

II. TAILORED DETECTOR BLINDING ATTACKS
Detector blinding attacks originate from flaws in the single-photon detector. Strictly speaking, only in specific mode can detectors detect a single photon. After changing conditions such as bias voltage and temperature, the detector may require stronger light to respond. This flaw gives Eve the opportunity to change conditions by injecting special light, and then arbitrarily set the threshold of detectors in his favor, which is the tailored detector blinding attack [33]. We first construct a threshold detection model for detectors under bright illumination. Based on this model, we describe the attacks we aim to solve. Finally, we describe the performance of attacks in high-dimensional measurement cases.

A. Threshold detection model
As the receiver, Alice detects signals randomly in one of two incompatible bases X and Z. Without loss of generality, we agree that the outcomes in Z are used to generate raw random numbers and the outcomes in X are used to judge the amount of information obtained by Eve. In the two-dimensional measurement scheme, we notate the eigenstates of Z as {|0 , |1 }, and the eigenstates of X as {|± = 1 √ 2 (|0 ± |1 )}. When the X basis is chosen, the outcome |+ is considered the correct outcome, and the outcome |− is an error event [26].
We define the threshold of a detector as the intensity I, which means that the detector fires when the intensity of the signal is stronger than I and not when it is equal to or weaker than I. In the tailored detector blinding attack scenario, Eve can arbitrarily determine the value of I by exploiting the tailored bright illumination, and Alice cannot obtain this value unless additional monitoring is performed. Under the active-basis-choice, we can assume that the threshold of the detector representing |0 and |+ is I 0 = I + and that the threshold of the detector representing |1 and |− is I 1 = I − . I 0 = I 1 = 0 when detectors are in the single-photon response mode. When Eve sends signals with bright illumination, the thresholds of the different detectors are governed by Eve. Here, we assume that the detectors have perfect efficiency. The inefficiency occurs only when I 0 = I 1 = 0 and the detector can be considered a perfect detector with some loss in the channel. When the thresholds of the detectors are higher than 0, the physical property of the detectors is changed. The signal is detected in the form of light intensity, and there is no concept of detection efficiency.

B. Attack description
We first state that the Eve's control over the threshold is not instantaneous. The attack we discuss here does not allow Eve to change the threshold of the detector every detection window because Eve blinds the detector through bright continuous-wave. This assumption is realistic and avoids an ideal attack: sending |+ all the time, but changing the thresholds of detectors representing |0 and |1 to determine which detector responds each time. Second, we assume that Eve is greedy, and she only wants the value she chooses to be detected, not a value that is more likely to be detected. In this regard, Eve's method changes the detector threshold so that the signal he sends accurately enters a certain detector, and the response he expects occurs.
A simple attack for Eve is to tune the detectors to have the same threshold I th , as shown in Fig. 1a. Eve wants Alice to obtain an outcome specified by Eve when Alice measures the signal in Z. In other words, a signal with intensity I e > I th enters either the detector representing |0 or the detector representing |1 in accordance with Eve's arrangement. At the same time, Eve requires the detector representing |− not to fire if Alice happens to measure the signal in X. Since half of the photons in the signal arrive at the |+ detector and the others arrive at the |− detector, Eve sets 0.5I e I th to cause a no-click event. In squashing models [40][41][42][43], no-click events are treated as receiving vacua and thus are discarded without increasing the error count. Therefore, by emitting signals with I th < I e 2I th , Eve can control the outcomes of Z-basis measurements without increasing the error rate in X.
The general case is that the thresholds of the different detectors are different, as shown in Fig. 1b, A more favorable option for Eve is I + < I − since |+ represents the correct outcome. For the active-basis-choice, we have I 0 = I + and I 1 = I − , which means that I 0 < I 1 . In this case, Eve can cheat both bases at the same time, i.e., she controls the outcomes in Z while ensuring that only  The case in which the detector representing |+ has a lower threshold than the other. When Eve controls the outcomes of measuring signals in Z, she can also cause the detector representing |+ to fire if Alice happens to measure signals in X.
the |+ detector fires in X. If Eve wants Alice to obtain an outcome of |0 , she emits a signal with I e > I 0 , and all photons in it are sent to the |0 detector under the Z basis. If Eve wants Alice to obtain an outcome of |1 , she emits the signal with I e > I 1 , and all photons in it are sent to the |1 detector under the Z basis. To make the outcomes in Z credible, she also requires 0.5I e I − and 0.5I e > I + under the X basis. Overall, the intensity of the signal should be max{I 1 , 2I 0 } < I e 2I 1 , which does not violate the premise I 0 < I 1 .

C. d-dimensional case
Tailored detector blinding attacks also work in the d-dimensional measurement scenario. Two measurement bases X and Z are both d-dimensional and ideally have the relation | z i|j x | = 1/ √ d between any eigenstate |i z (i ∈ {1, 2, ..., d}) of Z and any eigenstate |j x (j ∈ {1, 2, ..., d}) of X. The outcome |0 x is the correct outcome in X. Eve will emit signals with intensity I th < I e dI th if she sets the same threshold I th for all detectors. When Alice measures the X basis, the light intensity entering each detector is I e /d, which is less than the threshold I th .
The situation will be slightly more complicated if Eve wants to control both bases perfectly. She can adjust the threshold of the detector representing |0 x to the lowest among all detectors' thresholds. Thus the |0 x detector is the one that is most easily responded when using the X basis to measure signals that are the eigenstate in the Z basis. The light intensity should be d times higher than the threshold of the |0 x detector to ensure the response of the detector. To avoid multiple-click events in X, the light intensity should also be less than d times the sub-smallest threshold. This, in turn, constrains the thresholds of the other detectors to be less than d times the sub-smallest threshold. Otherwise, those detectors with a threshold higher than d times the sub-smallest threshold will fail to fire because the light intensity is not sufficient.

III. DEFENSIVE STRATEGY
In general, Eve controls the detectors while causing no click in the X basis, which is a hint for us. In terms of this hint, we should reconsider what no click means. First, we briefly review the concept of squashing models and analyze why this hint has been ignored in previous works. Then, we introduce a strategy for handling this hint, which modifies previous squashing models. The uncertainty relation for smooth entropy is used as a critical tool for generating quantum random numbers that are secure against general attacks. Finally, we generalize the security analysis to the d-dimensional case.

A. Squashing model
The dimension of the signals output from the channel is unknown since the channel is controlled by Eve. However, security analysis is usually qubit-based for twodimensional measurements by virtue of simplicity. The squashing model [40][41][42][43] is developed to resolve this conflict. A squashing operation is applied to the signal, which virtually maps the multi-photon signal into a qubit. A virtual qubit measurement on this virtual qubit follows. Therefore, qubit-based security analysis is applicable for sources with unknown dimensions.
Measuring a qubit yields one of two outcomes corresponding to its two eigenstates. However, an unknown signal subjected to two-dimensional measurement actually yields one of four outcomes: a single click in one detector, a single click in the other detector, a double-click or no click. To reconcile this difference in outcomes, there are three treatments for different outcomes of signals. Single-click events in either detector are naturally related to the outcomes of measuring qubits. Double-click events are valid events but tell us nothing about randomness. They are used to evaluate the upper bound of the error rate [41]. Note that another squashing model [40,42] randomly assigns values for double-click events, and thus has a lower error rate and higher randomness consumption.
No-click events are regarded as vacua after losses. The positions of the losses in both bases are assumed to be uniformly random. Under this assumption, there are no qualms about discarding no-click events without disturbing the error rate. The protocol treating no-click events as vacua is described in "Supplemental Document". However, tailored detector blinding attacks break this confidence since the thresholds of the detectors can be changed such that a signal can definitely cause clicks in one basis and no click in the other. In the worst case, all no-click events in X are caused by tailored detector blinding attacks. Therefore, squashing models fail under such attacks.

B. Security analysis
The key point of our security analysis is how to securely deal with no-click events. Tasks such as Bell tests and device-independent quantum key distribution also suffer from the loophole introduced by no-click events, called the fair sampling loophole. An ingenious method is presented in Bell tests [39], in which some no-click events are retained to close this loophole; otherwise, the experimental results may have been screened by unknown factors. Inspired by this idea, we retain all no-click events. Noclick events should have the same status as double-click events since they both have no randomness and can cover up attacks. Therefore, we treat no-click events in the same way as double-click events. They are error events in the X basis and correct events in the Z basis. The squashing model can now work under tailored detector blinding attacks.
Furthermore, considering I − > I + > 0, it seems that no no-click event exists. In response to this situation, the |+ detector should be randomly assigned by Alice. Eve thus cannot accurately forecast it and has at most a 50% chance of firing in the |+ detector. Since we need only a small percentage of rounds to measure X, the consumption of random numbers for deciding which detector will be used to measure |+ in each round is not an unbearable burden.
Our security analysis adopts the uncertainty relation for smooth entropy [44,45] to offer security against the most general attacks. This relation involves three parties, namely, the user Alice, the virtual user Bob and the adversary Eve, and is expressed as where X A (Z A ) means that Alice measures her system A in the X (Z) basis. The bound q is an evaluation of the "incompatibility" of the measurement bases X and Z. The smooth min-entropy H ǫ min (Z A |E) is Eve's minimum uncertainty about Z A , which quantifies how much randomness can be extracted. The smooth max-entropy H ǫ max (X A |B) is related to the error rate of Bob guessing the value of X A . Bob is introduced as a virtual trusted user. He works with Alice and guesses the result of measuring the signal in the X basis. Ideally, measuring the signal in the X basis leads to X A = |+ . Bob thus can guess X A = |+ to obtain a higher random number generation rate if Eve abandons her attack.

C. d-dimensional case
We can extend the security analysis against tailored detector blinding attacks to the d-dimensional measurement scenario. In d-dimensional measurement, the squashing model will squash the input signal into a qudit. There are d possible outcomes when one measures the qudit in any qudit basis. The possible real outcomes of signals are no-click events, multiple-click events, and d kinds of single-click events. The first two types of events are considered error events in X-basis measurement and correct events in Z-basis measurement. Single-click events are naturally related to the qudit measurement outcomes. Similarly, the |0 x detector must be randomly selected.

IV. PROTOCOL DESCRIPTION
Because the protocol is source independent, it focuses only on the measurement of unknown light and subsequent processing steps. Nevertheless, we offer a state preparation step before measurement, considering that Alice can provide an untrusted source to generate favorable signals and then improve the generation rate if Eve does not attack. We directly describe our protocol in the d-dimensional measurement case. Alice measures the signals in two partially complementary bases X and Z with eigenstates {|i x } and {|j z } (i, j ∈ {0, 1, ..., d}), respectively. Here, d is the measurement dimension.
State preparation. According to the specific structure of the detection devices, the source is expected to emit N signals that cause only the |0 x detector to fire. Although the source is not trusted, Bob can guess that the outcomes of measuring signals in the X basis are always |0 x . This may help improve the extractable randomness in practice. This step is public. Eve can change or replace signals at will before they enter the detection device.
d-dimensional measurement. Alice partially trusts her detection equipment. She randomly measures signals in basis X or Z with probability p x or p z = 1 − p x , respectively. Usually, p x is much lower than p z , which is beneficial for the generation rate. When measuring signals in X, she should randomly choose one of the detectors to detect |0 x .
Post-processing. In the X basis, the measurement outcomes can be divided into two parts: N c x and N e x . N c x is the number of correct outcomes in which only the detector that measures |0 x fires. Other outcomes, including multiple-click events, single-click events on the incorrect detector and no-click events, are considered error outcomes and are counted in N e x . In the Z basis, we care only about single-click events, the total number of which is N s z . Extract randomness.
We analyze randomness H ǫ min (Z A |E) we can extract by the uncertainty relation for smooth entropy in Eq. (1). To bound H ǫ max (X A |B), we should evaluate the conflict between the guesses of Bob and the measurement outcomes of Alice on the X basis. This entropy formula concerns the outcomes that we suppose to use the X basis to measure signals that have actually been measured in Z. Although we cannot obtain the outcomes directly, we can evaluate the probability that Bob guessed incorrectly by randomly choosing several rounds to test the outcome distribution in X. This is why we introduce the monitoring basis X, and the bit error rate e x = N e x /N x reflects the probability that Bob guessed incorrectly in the asymptotic regime. When considering the finite-key effect, we can apply the random sampling method to e x and obtain the upper boundē x = e x + γ(N z , N x , e x , ǫ rand ) in the signals measured in Z with failure probability ǫ rand , where γ is a fluctuation that can be numerically determined [46]: with 0 < λ < λ + γ ≤ 0.5, A = max{n, k} and G = n+k nk ln n+k 2πnkλ(1−λ)ǫ 2 . Furthermore, only the single-click events in Z are valid random numbers. Other events, such as multiple-click events and no-click events, have no extractable randomness. The upper bound of the error rate in these singleclick rounds [41] isφ z = (ē x × N z )/N s z , which means that all errors occurred in single-click events.
The smooth entropy H ǫ is the Shannon entropy function [47,48] in the case of d-dimensionality. The entropy h d (x) is concave and reaches its maximum value of log 2 d at x = (d − 1)/d. When x is greater than (d − 1)/d, i.e., the error rate is higher than that of random guesses, with error rate x. The entropy h 2 (x) reaches its maximum value of 1 at e x = 0.5. When x is greater than 0.5, we set H ǫ max (X A |B) = 1. Additionally, we need the leftover hashing method [49] to distill random numbers from the randomness H ǫ min (Z A |E). For random number generation tasks, we focus on the secrecy in the composable security. In our protocol, there are three components that contribute to secrecy: smooth entropy, random sampling fluctuation and leftover hashing. They all have probabilities of failure. The failure probabilities of these components are labeled ǫ, ǫ rand and ǫ hash , respectively. According to the composable security, the protocol has ε sec -secrecy when ε sec ǫ + ǫ rand + ǫ hash . For simplicity, we take ǫ = ǫ rand = ǫ hash = ε sec /3. Through leftover hashing, we can generate a random number string of length ℓ: In accordance with Eq. (1), we finally obtain the length of secret random numbers with ε sec -secrecy is given by whereφ z is the upper bound of the error rate assuming that we used the X basis to measure the signals leading to single-click events in the Z basis.
For the active-basis-choice, we need to consume some random numbers while generating them. First, the basis choice consumes approximately N x log 2 N [26]. Second, we should assign the detection channel for measuring the eigenstate |+ every time we measure the state in X. This consumes approximately N x log 2 d, where d is the dimensionality of the measurement. Therefore, the term n seeds in Eqs. (A1) is n seeds = N x log 2 N + N x log 2 d.
The relation between the extracted randomness per pulse and the dimensionality of the measurement basis is shown in Fig. 2. For simplicity, we assume perfect detection here with a dark count of 10 −5 . In the simulation, we assume that the states are coherent states. The yield when the signal contains n photons and the measurement in X causes a single click on the |0 x detector is Y where d is the dimensionality of measurement, p d is the dark count and η evaluates the total loss, including the detection inefficiency. The gain of this kind of single-click event is Here, we can consider the light intensity and loss collectively as µ ′ = µη, since both of them are insecure. The experiment indicates that the misalignment error is e d = 0.004. We roughly use . The yield when the signal contains n photons and the measurement in Z causes a single click on one detector is

The gain of all single click events is
We optimize both the light intensity and the basis choice ratio. Although the consumption of random seeds increases as the dimension increases, the increase in dimension is beneficial for the extracted randomness per pulse. Different data sizes have an impact on the generation rate. Note that the data size here refers to the number of pulses sent. Even if the data size is only 10 6 , the random number can be extracted effectively, which implies the possibility of real-time random number generation.

V. EXPERIMENTAL IMPLEMENTATION
We experimentally implement our QRNG protocol using the setup shown in Fig. 3, which includes an untrusted randomness source and a trusted detection device with the structure disclosed. Random number generation with two-dimensional measurement is demonstrated. The measurement bases used here are the polarization bases, and all fiber paths in our setup are polarizationmaintaining fibers. We refer to the state that propagates through the slow (fast) axis of the polarizationmaintaining fiber as the eigenstate |H (|V ) of basis Z.
In the detection part, a dense wavelength division multiplexer and a circulator are utilized to resist wavelength-dependent attacks [50] and detector backflash attacks [51], respectively. The DWDM can be replaced with a DWDM series to better isolate other wave-lengths. The optical pulses from the source enter the circulator and are fully transmitted through a polarization beam splitter (PBS). The pulses are split by a 45 •aligned polarization beam splitter (45 • PBS) and enter a Sagnac interferometer. In the Sagnac interferometer, a phase modulator (PM) driven by an arbitrary waveform generator is utilized to realize the active-basis-choice by modulating the relative phase between clockwise and anticlockwise propagating pulses. The anticlockwise propagating pulses arrive at the PM with a 25 ns delay relative to clockwise propagating pulses, although they pass through the same fiber. The selections of the measurement basis and the detector representing |+ are commanded by quantum random numbers generated from a previous quantum key distribution experiment [52]. In the experiment, the sequence with length 10 4 is circularly fed to the AWG. The probability of selecting the Z basis is 99.95%. When the Z basis is chosen for measurement, the PM adds a π/2 phase shift on the earlier arrived pulse. When the X basis is chosen, to avoid the attack with I 0 = I 1 , PM randomly adds a 0 or π phase shift on the pulse, where the choice of the phase shift determines the detector representing |+ . The two pulses are recombined into one in the 45 • PBS. After exiting the Sagnac interferometer, the pulse is split by the PBS. Two channels of a SNSPD, D H and D V , are utilized to detect the signals that leave the circulator and the PBS, respectively. When the insertion loss of the circulator (1.05 dB) is considered, the detection efficiency is approximately 39 %, The dark count rates of the two SNSPD channels are 24 cps and 5 cps, respectively, and the dead time is 50 ns. The detection efficiency of the SNSPD is timeindependent. Thus, it is immune to the time-shift attack [53]. In our data analysis, all detection events from the entire time period are used in phase error rate estimation instead of using the preset time window. This enables our experimental system to resist dead time attacks [54] and afterpulse attacks [31]. Note that this strategy is effective for both SNSPD and avalanche photodiodes.
The randomness source can theoretically be offered by any other party. To demonstrate the ability to generate random numbers with our protocol, we desire |H pulses to achieve the best generation performance according to the design of our detection equipment. Thus, we use the uncharacterized light emitted by a 14-pin butterfly laser diode with a homemade driving circuit and pump it into the slow axis of the polarization maintaining fiber. The laser is triggered by the arbitrary waveform generator and emits pulses with a 5 MHz repetition rate. The best scenario is when the output state of the source is |H . If the output state is another polarization state, it affects only the generated randomness per pulse. The security analysis provided here universally fits the unknown input state.
The intensity of the pulse influences the type of click event and thus affects the generation rate. In Fig. 4, the The orange line represents the simulation results, and red stars represent the experimental results. In the experiment, the random number generation rate is 0.101 when the intensity is µ = 9.6. With 5 MHz system repetition, we accumulate data for approximately 200 seconds at each point, corresponding to a data size of 10 9 , and a random number generation speed of 505 kbps is achieved.
abscissa represents the light intensity, and the ordinate represents the generation rate. The orange line represents the simulation results, and the red pentacles are the experimental results. In Eq. (A1), the value of q should be calibrated. According to the entropic uncertainty relation, q = − log 2 max x,z | x|z | 2 is the incompatibility between two measurement bases. To realize the calibration, we first modify the light until the ratio of photon counts between the two detection channels is above 24 dB in the X basis. This means that the light is approximately a perfect eigenstate of X. Subsequently, we measure the light in the Z basis and obtain the ratio of photon counts between the two detection channels. By comparing the single-click events in the two detection channels, the value of q is calibrated to q = 0.954 in our detection equipment. The unbalanced detection efficiency should be taken into account [55]. Its impact is introduced as a coefficient of the generation rate [56,57]. This coefficient is η e = 2 min{(η 0 , η 1 )}/(η 0 + η 1 ), which depends on the efficiencies of the two detection channels. The final random number extracted is The detection efficiencies are 49% and 39%, respectively, in calibration. After taking the insert loss circulator (1.05 dB) into account, η e is calculated to be 0.9932. The detailed experimental results are shown in "Supplemental Document". For each data point, we collect approximately 200 seconds of data, corresponding to a data size of 10 9 . When calculating the error rate in the X basis, no-click events, single-click events on the incorrect detector, and double-click events are all taken into account. At the optimal point, the intensity of the pulses before entering the detector is 9.3 photons per pulse, and the random number generation rate is 0.101. We also consider the influence of the channel loss on random number generation. The loss reduces the light intensity reaching the detector, thereby decreasing the generation rate when the source produces pulses with the optimal intensity. Fortunately, our experimental setup We use data for a 10 dB channel loss with optimal intensity. Each dot corresponds to the data acquired over two seconds. During testing, the count rate is always approximately 4.15 MHz. No-click events, incorrect detector click events and double-click events are all treated as errors in the X basis, and the error rate of the X basis is always less than 4%, which shows the stability of our experimental system. enables us to compensate for the channel loss by increasing the intensity of the source. First, to show the stability of the experimental system, the detector count rate and error rate versus time are presented in Fig. 5. We use data collected with a 10 dB channel loss with optimum intensity. During the 200-second test time, the count rate is always approximately 4.15 MHz (corresponding to µ = 9.17 before entering the detector), and the error rate of the X basis is approximately 3.5% (including both no-click and double-click events). We then experimentally show the relation between the loss and the generation rate under a fixed intensity and variable intensity, as shown in Fig. 6. Our protocol is compared with the traditional source-independent scheme in "Supplemental Document". The difference between the two schemes is whether no-click events are treated as valid events. At each channel loss, the data obtained with fixed intensity are analyzed to calculate the key rate for both our protocol and the traditional source-independent protocol. In the case of high channel loss, the generation rate of our protocol is zero due to the high error rate that results from no-click events. Meanwhile, the traditional sourceindependent protocol can still generate random numbers, and the generation rate can be as high as 0.387 (corresponding to 1.94 Mbps) when the channel loss is 3 dB. This difference in the generation rate under the same loss reflects the maximal security vulnerabilities caused by tailored detector blinding attacks. By increasing the intensity of the source to compensate for the channel loss, the generation rate can be maintained at the optimal level. To further verify the quality of the final output ran- dom numbers, we apply the standard NIST statistical tests [58]. After collecting data for approximately 200 seconds, a total of 1.02 × 10 9 pulses have been sent, and the key rate is 0.103. After privacy amplification, the final random number of length 1.05×10 8 is divided into 100 bitstreams, and fifteen statistical tests are implemented. As shown in Table I, the random numbers generated in the experiment pass all NIST statistical tests.

VI. DISCUSSION
In conclusion, we have proposed an SI-QRNG type protocol that can resist the tailored detector blinding attack. By exploiting the uncertainty relation for smooth entropy, our protocol can be easily extended to highdimensional measurement cases with composable security against coherent attacks under the finite-key effect.
In our experiments, the detection loss and the channel loss can be compensated by improving the emission intensity. Using a 5 MHz experimental system, we achieve a quantum random number generation speed of over 500 kbps. By increasing the saturation count rate of the detectors to GHz [59], the QRNG generation rate can be enhanced to more than 100 Mbps. Through simple experimental tricks, our experimental implementation suppresses most well-known attacks on detector components, realizing an extremely high security level approaching device-independence. Note that our theoretical framework and experimental scheme are a general solution to Here we briefly discuss why detector blinding attacks need to be studied. This kind of attack was first proposed in the quantum key distribution tasks. There are several experimental countermeasures against detector blinding attacks for quantum key distribution tasks. A common solution is to install a beam splitter before signals enter the detection equipment to monitor the light intensity [60]. Crafty adversaries can instead send instantaneous bright trigger light, which blinds the detector without disrupting the monitor [34,35]. Other solutions [61][62][63][64], such as randomly changing the attenuation in front of the detector and analyzing the corresponding detection events and errors, also increase the difficulty of experimental operation [65]. While experimental solutions attempt to judge whether the generator is under attack by designing a more sophisticated system, further advanced attacks from Eve usually cannot be avoided [65,66]. Finally, they propose the measurement-device-independent scheme that only trust the sources, and the whole detection component is handed over to an untrusted third party. However, for QRNG, trusting detection component is more reasonable, because there is only one user. SIQRNG protocols can select sources from local materials, which is more practical. In this case, the detector blinding attack needs to be carefully considered. Note that recent work has also considered this attack [67].
Bell tests [39] indicate the importance of the fair sampling assumption. Once the assumption is not established, it is necessary to carefully handle all measurement outcomes, especially no-click events. comprehensive consideration is an important feature that distinguishes our protocol from others. Furthermore, using the probability correlation of click events, only part of the no-click events will be count into final results in Bell tests. Accordingly, our protocol has the opportunity to reduce the impact of no-click events on the error rate through a certain probability correlation to improve the generation rate.
It is worth noting that we are not device-independent protocols. Thus it is impossible to defend against all attacks on detectors. Here we solved the tailored detector blinding attack that controls random numbers by directly sending the state corresponding to the desired outcome. There may also be more complex attacks. For instance, Eve can carefully analyze detection thresholds of two detectors to generate a superposition state of Z for attacks. We can avoid this problem through polarizationmaintaining fiber in our experiment. In addition, when two detectors have different detection thresholds, Eve can only make the detector with small threshold click. These are all worthy of further consideration Finally, a passive-basis-choice approach may also help realize random generation. We apply an active basis choice in our protocol, which consumes a considerable amount of random numbers. For this reason, our protocol is a random expansion rather than an absolutely random generation. Passive-basis-choice can avoid this kind of consumption and enables real random extraction through further discarding the double-basis clicks. To maintain security, some assumptions must be introduced. It is also worth investigating whether these assumptions are reasonable. In the Z basis, the gain of click events is also Q z = 1 − (1 − p d ) 2 e −µη . The number of click events is n z = N p z Q z . The gain of all single-click events is Q s z = 2(1 − p d )e −µη/2 − 2(1 − p d ) 2 e −µη . The number of single-click events is n s z = N p z Q s z .

Appendix B: Detailed experimental results
In Tab. II, III, IV, V and VI we report the detailed results obtained in the experiment. In all the tables, we report the random number generation rate R := ℓ/N , the number of time windows that Alice choose to measure in Z(X) basis N Z(X) , the total number of click events in detector D H (D V ) in the Z basis, the number of single click events in detector D H (D V ) in the Z basis, the error rate in the X basis e x and the upper bound of phase error rate in the Z basis φ z .