Practical No-Signalling proof Randomness Ampliﬁcation using Hardy paradoxes and its experimental implementation

Device-Independent (DI) security is the gold standard of quantum cryptography, providing information-theoretic security based on the very laws of nature. In its highest form, security is guaranteed against adversaries limited only by the no-superluminal signalling rule of relativity. The task of randomness ampliﬁcation, to generate secure fully uniform bits starting from weakly random seeds, is of both cryptographic and foundational interest, being important for the generation of cryptographically secure random numbers as well as bringing deep connections to the existence of free-will. DI no-signalling proof protocols for this fundamental task have thus far relied on esoteric proofs of non-locality termed pseudo-telepathy games, complicated multi-party setups or high-dimensional quantum systems, and have remained out of reach of experimental implementation. In this paper, we construct the ﬁrst practically relevant no-signalling proof DI protocols for randomness ampliﬁcation based on the simplest proofs of Bell non-locality and illustrate them with an experimental implementation in a quantum optical setup using polarised photons. Technically, we relate the problem to the vast ﬁeld of Hardy paradoxes, without which it would be impossible to achieve ampliﬁcation of arbitrarily weak sources in the simplest Bell non-locality scenario consisting of two parties choosing between two binary inputs. Furthermore, we identify a deep connection between proofs of the celebrated Kochen-Specker theorem and Hardy paradoxes that enables us to construct Hardy paradoxes with the non-zero probability taking any value in (0 , 1]. Our methods enable us, under the fair-sampling assumption of the experiment, to realize up to 25 bits of randomness in 20 hours of experimental data collection from an initial private source of randomness 0 . 1 away from uniform. two binary inputs. Furthermore, we show that just as proofs of the Kochen-Specker theorem give rise to pseudo-telepathy games, substructures within these proofs termed 01-gadgets give rise to Hardy paradoxes and we use them to construct Hardy paradoxes with the non-zero probability taking any value in (0 , 1]. The inter-relationship between Hardy paradoxes and Kochen-Specker proofs, also enables us to construct customized Hardy paradoxes with interesting properties. Finally, we provide a partial characterization of the Bell scenarios in which Hardy paradoxes can be used to certify randomness against a no-signaling adversary. We illustrate the realizability of our protocol with state-of-art experimental setups by performing an experimental implementation in a quantum optical setup using polarised photons. Up to the fair-sampling assumption, this thus constitutes the ﬁrst experimental realization of a protocol that enables a weakening of the fundamental freedom-of-choice assumption.

Device-Independent (DI) security is the gold standard of quantum cryptography, providing information-theoretic security based on the very laws of nature. In its highest form, security is guaranteed against adversaries limited only by the no-superluminal signalling rule of relativity. The task of randomness amplification, to generate secure fully uniform bits starting from weakly random seeds, is of both cryptographic and foundational interest, being important for the generation of cryptographically secure random numbers as well as bringing deep connections to the existence of free-will. DI no-signalling proof protocols for this fundamental task have thus far relied on esoteric proofs of non-locality termed pseudo-telepathy games, complicated multi-party setups or high-dimensional quantum systems, and have remained out of reach of experimental implementation. In this paper, we construct the first practically relevant no-signalling proof DI protocols for randomness amplification based on the simplest proofs of Bell non-locality and illustrate them with an experimental implementation in a quantum optical setup using polarised photons. Technically, we relate the problem to the vast field of Hardy paradoxes, without which it would be impossible to achieve amplification of arbitrarily weak sources in the simplest Bell non-locality scenario consisting of two parties choosing between two binary inputs. Furthermore, we identify a deep connection between proofs of the celebrated Kochen-Specker theorem and Hardy paradoxes that enables us to construct Hardy paradoxes with the non-zero probability taking any value in (0, 1]. Our methods enable us, under the fair-sampling assumption of the experiment, to realize up to 25 bits of randomness in 20 hours of experimental data collection from an initial private source of randomness 0.1 away from uniform. An eavesdropper Eve has a source that distributes quantum particles to two parties Alice and Bob. These parties perform measurements on the received particles using apparata with two settings each, constituting the simplest possible (2, 2, 2) Bell scenario. The choice of the settings (in each run of the experiment) is made according to bits (x, y) obtained from a Santha-Vazirani (SV) source of weakly random bits, which also produces further bits z to be fed into a randomness extractor in a subsequent step of the protocol. Eve is taken to hold some classical side information e about the weakly random source, as well as some no-signalling side information about the devices held by Alice and Bob. The outputs (a, b) produced by these devices are described by a family of probabilities {P AB|XY (ab|xy)}. Note that in the figure, a single run of the experiment is depicted while in practice the scheme is repeated many times producing sequences of bits. The assumption here is that the SV source is private, i.e., that the bits held by Alice and Bob are unknown to Eve. The goal is to produce, out of the outcomes (a, b) and some further bits z from the SV source, a sequence of final output bits that are secure and fully random from the perspective of Eve. This is achieved by further processing of the outputs in the second step of the protocol (Fig. 2).

SOURCE OF PAIRS
In this paper, we provide the first practically feasible no-signalling proof DI protocol for randomness amplification. 1 We do this by relating the problem of finding experimentally friendly randomness amplification schemes to the vast 2 field of Hardy paradoxes (see Fig. ??) and, as a consequence, present a device-independent randomness amplification 3 protocol secure against no-signaling adversaries in the simplest experimentally feasible Bell scenario of two parties 4 with two binary inputs. Furthermore, we show that just as proofs of the Kochen-Specker theorem give rise to 5 pseudo-telepathy games, substructures within these proofs termed 01-gadgets give rise to Hardy paradoxes and we 6 use them to construct Hardy paradoxes with the non-zero probability taking any value in (0, 1]. The inter-relationship 7 between Hardy paradoxes and Kochen-Specker proofs, also enables us to construct customized Hardy paradoxes with 8 interesting properties. Finally, we provide a partial characterization of the Bell scenarios in which Hardy paradoxes 9 can be used to certify randomness against a no-signaling adversary. We illustrate the realizability of our protocol with 10 state-of-art experimental setups by performing an experimental implementation in a quantum optical setup using 11 polarised photons. Up to the fair-sampling assumption, this thus constitutes the first experimental realization of a 12 DI protocol that enables a weakening of the fundamental freedom-of-choice assumption.

13
For clarity, all the proofs of the Propositions and the security proof of the randomness amplification protocol are 14 deferred to the Appendices.

15
Background and Statement of the problem.-The problem of randomness amplification has gained interest since 16 the initial breakthrough work by Colbeck and Renner who showed that quantum non-local correlations enable the 17 amplification of weak sources of specific type, a task which was shown to be impossible with purely classical resources.  Fig. 1, a sequence of outputs in n runs of the experiment, denoted as a = a1, . . . , an, b = b1, . . . , bn is obtained for inputs x = x1, . . . , xn, y = y1, . . . , yn. Alice and Bob first calculate the Bell parameter L n (a, b, x, y) and verify that this is above some threshold value δ > 0. They apply a hash function f to the bits (a, b, x, y) to obtain a bit sequence s = s1, . . . , sn that is partially random and secure from Eve. They feed this bit sequence together with a further bit sequence z1, . . . , zn from the weakly random SV source to a classical randomness extractor to obtain a final output sequence o1, . . . , o k that is fully random and secure from Eve. The magic of the quantumness is manifested in the fact that the bits s happen to be decorrelated from z, which could never happen if the particles in the experiment from Fig. 1 were classical. This -quantumly originated -decorrelation is the crucial fact that makes the classical independent-source extractor work. The surprising power of the whole scenario is that the final bits stay strongly random even from the perspective of an eavesdropper who is only limited by the fundamental no-superluminal signalling principle of special relativity.
individual coin tosses are not independent but rather the bits Y i produced by the source obey Here 0 ≤ < 1 2 is a parameter describing the reliability of the source, the task being to convert a source with 2 < 1 2 into one with → 0. Since then, several works have proposed DI protocols for the task, and proven security  Usually, the scheme for randomness amplification consists of two ingredients: (i) quantum correlations -whose 12 interaction with the initial weak source of randomness generate additional quantum randomness, and (ii) a classical 13 protocol for amplifying the obtained randomness. Regarding implementation of the scheme in practice, the first 14 ingredient describes the quantum hardware to be built, while the second ingredient describes the needed traditional 15 software, i.e., an algorithm to be run on a standard computer. The main technological challenge is therefore to 16 implement the quantum part, hence it is mandatory to make it as simple as possible. 1 The level of technological challenge is to a large extent related to (a) the property of each single device, and here it is desired to have the minimal number of settings and outputs, (b) the number of devices (= the number of parties needed 3 to have quantum correlations), (c) the feasibility of implementation of the quantum states and measurements required 4 (here, two qubit entangled states are preferred in order to achieve the high fidelities required in DI applications) (d) 5 the quality of "raw" quantum randomness -i.e. the probability distribution of a chosen outcome (to be later amplified 6 by the software part) should be as close as possible to the fair coin distribution ( 1 2 , 1 2 ). The ultimate bound for (a) 7 and (b) is the Bell scenario (2, 2, 2), meaning, one needs at least two devices, with each device having at least binary 8 inputs and binary outputs (note that throughout this paper we will denote by (n, k, m) the Bell scenario with n 9 parties, each with k inputs and m outputs per input). For typical photonic implementations, the cheapest here seems 10 to be the number of settings, which may be increased if it could lead to better quality of raw randomness.

11
As yet, none of the protocols based on the simple no-signalling paradigm, has entered the regime of experimental to reach the required level, there will always be a demand for simpler, and cheaper schemes.

20
The second problem is more conceptual, namely, there are no general easy methods for finding such new schemes.

21
For instance, the scheme of [8] was obtained through extensive symbolic search. In this paper, we resolve both 22 problems, by providing a general method of finding new schemes, as well as achieving the simplest possible scheme 23 involving two devices each having binary inputs and outputs, which was beyond reach thus far.

24
Methodology.-To this end we combine three ingredients. One of them is the application of the simplest Hardy 25 paradox, following Ref. [7] where it was shown that the Hardy paradox is a natural tool for generating randomness 26 -namely, if the correlations exhibit Hardy paradox, then for a quantum adversary the probability of the so-called 27 Hardy output is often bounded both from both below and from above (however it must be noted that the important 28 problem of randomness amplification was not considered in this context). The power of using Hardy paradoxes as 29 opposed to the pseudo-telepathy games considered so far, is illustrated in Fig. 3.

30
Second, we employ a novel form of Bell inequalities -ones testing so called "measurement dependent locality" 31 (MDL) of [14,38]. Finally, we employ a protocol of randomness amplification of [8] which turns out to be ideal to 32 amplify randomness just by use of Hardy paradoxes. 33 We show that the three ingredients combined together result in a qualitative advance in the case of a no-signaling 34 adversary -the possibility of randomness amplification in (2, 2, 2) (the protocol is depicted in Figures 1 and 2). We 35 further analyse which Hardy paradoxes can be used for randomness amplification, and prove that any Hardy paradox 36 with 2 settings for one party and arbitrary n ≥ 2 settings for the other party gives rise to a randomness amplification 37 scheme.

38
Remarkably, in the simplest (2, 2, 2) case, we show that for every input, half of the outputs has probability bounded 39 from above and from below. This allows for huge simplification of the original protocol of Ref.  The quantum correlations outside the classical set enable violation of a Bell inequality. Thus far, it was believed that randomness amplification schemes against no-signalling adversaries required quantum correlations that reached a "pure" nosignalling boundary as in the figure (a) above. These "pseudo-telepathic" correlations (depicted by the dashed line in (a)) met the stringent requirement that their convex decomposition admitted no classical fraction. However, such a stringent requirement was only possible in Bell scenarios with many inputs and outputs and high-dimensional quantum systems making them completely infeasible for practical experimental implementation. A novelty in this paper is the identification that much simpler quantum correlations that violate Hardy paradoxes, i.e., which only reach "partial" no-signalling boundaries as in figure (b) above, can still enable DIRA against a general no-signalling adversary. Crucially, our protocol enables the application of these correlations to the task, despite the fact that these correlations admit a significant classical fraction, denoted by the circle •, when considered as a convex mixture of general no-signalling behaviors. Furthermore, the special Hardy behaviors such as the point denoted by (*) in the figure (b), are already realizable in the simplest possible (2, 2, 2) Bell scenario of two parties choosing two binary inputs, which corresponds to simple polarization-entangled photon experiments that are realized everyday in photonic laboratories with high fidelities. It is noteworthy that the pseudo-telepathic part of the boundary is well-known to not exist in this simple case, as illustrated in (b).
To this end, we present a DIRA protocol based on Hardy paradoxes, which are proofs of non-locality with a similar 1 flavour to pseudo-telepathy games, in that they also impose the probability of a particular subset of events to be zero. Hardy's original paradox [3,4] was regarded by Mermin to be the "simplest form of Bell's theorem" [31]. In the 3 (2, 2, 2) Bell scenario, the two parties Alice and Bob choose between two inputs X, Y taking values x, y ∈ {0, 1} 4 respectively, and obtain outcomes A, B taking values a, b ∈ {0, 1} respectively. The observed probability distribution 5 of their outputs conditioned upon the inputs is then denoted by P A,B|X,Y (a, b|x, y). In this scenario, the paradox is 6 formulated by the following four constraints: While classically, it is simple to verify that conditions (i)-(iii) impose the probability of the "Hardy output" to be 8 zero, i.e., P A,B|X,Y (0, 0|0, 0) = 0, there exist a suitable two-qubit non-maximally entangled state and dichotomic 9 measurements such that all four conditions are obeyed. Explicitly, Alice and Bob perform on the shared state measurements in the bases 2 {|0 , |1 } for x, y = 1, {sin θ|0 − cos θ|1 , cos θ|0 + sin θ|1 } for x, y = 0.
The constraints (i)-(iv) are satisfied for any value 0 < θ < π/2, and the optimal value of P A,B|X,Y (0, 0|0, 0) (= paradox, and the Hardy's output probability is used as a source of min-entropy needed for obtaining randomness.

17
Last but not least, recently a concept of measurement dependent locality inequalities appeared, which is suitable 18 for randomness amplification problems.

19
Combining the above concepts, we will show in this paper that a DIRA protocol can be constructed starting from  In answering the first question, we observe that any no-signaling box in the (2,2,2) Bell scenario that satisfies Section IE of the Appendix. We now consider whether such a phenomenon is generic to all Hardy paradoxes, i.e., is 33 it the case that every two-party Hardy paradox which certifies that P A,B|X,Y (a * , b * |x * , y * ) > 0 also guarantees that probability of the Hardy output is bounded as P A,B|X,Y (a * , b * |x * , y * ) ≤ n−1 n , again giving rise to partial randomness.

39
Finally, we consider the case where both parties measure more than two observables with more than two outputs 40 each, i.e., |A| = |B| = m > 2. In this case, we show in Section ?? that for all m > 2, there exist Hardy paradoxes such 41 that 0 < P q A,B|X,Y (a * , b * |x * , y * ) < 1 and yet P ns A,B|X,Y (a * , b * |x * , y * ) = 1. In other words, in this case, even though 42 the probability of the Hardy output is strictly bounded below 1 in quantum theory, there exist no-signaling boxes 43 that achieve the value 1 while satisfying the same Hardy constraints. Therefore, in using paradoxes with more than 44 two outputs for device-independent randomness certification, a linear programming check is needed in each specific 45 instance to ensure that the Hardy probability is strictly bounded below 1. We now proceed to answer the second 46 interesting question as to how far the Hardy output probability can be boosted, and relate this problem to a class of local contextuality sets recently studied in [19,20].
Protocol I 1. The -SV source is used to choose the measurement settings (xi, yi) for n runs on a single device consisting of two components. The device produces output bits x = (ai, bi) with i ∈ {1, . . . , n}.
2. The parties perform an estimation of the violation of a measurement-dependent locality inequality from the Hardy paradox by computing the empirical average L n (a, b, x, y) := 1 n n i=1 wi( )BH(ai, bi, xi, yi). The protocol is aborted unless L n (a, b, x, y) ≥ δ for fixed constant δ > 0.
3. Conditioned on not aborting in the previous step, the parties apply an independent source extractor [29,30] to the sequence of outputs from the device and further n bits from the SV source. gadget substructures within these proofs similarly lead to Hardy paradoxes neatly connecting these domains of study. 20 We now outline a generic procedure to design DIRA protocols against no-signaling adversaries using Hardy paradoxes.

21
A generic procedure to obtain DIRA protocols using Hardy paradoxes.-

23
(b) obtain the maximal quantum value probability P A,B|X,Y (a * , b * |x * , y * ) denoted by p * Q .

24
(c) Use linear programming to find the maximal no-signaling value of the probability P A,B|X,Y (a * , b * |x * , y * ) denoted 25 by p * N S .

26
(d) Check for each input if at least one of the output probabilities is bounded strictly below unity. This can be 27 verified using linear programming.

28
(e) If item (d) applies, use the software part Protocol I (Fig. 4). If not, apply the software part Protocol II ( Fig.   29 11 stated in Section I of the Appendix.

30
Remark. The linear programming part is replacing the semidefinite programming used in works such as [7] for a 31 quantum adversary.

32
Note that as we show in Section IE of the Appendix, the condition in item (d) directly applies in the (2,2,2) scenario 33 without resorting to linear programming, i.e., we establish for each input in this scenario, strict and achievable bounds 34 on the output probabilities. constraints such as (i)-(iii) from Eq.(2), and a second test corresponding to constraint (iv). This second test served to lower bound the value of the Hardy output P A,B|X,Y (a * , b * |x * , y * ) in a linear number of runs. In the modified Protocol 1 I proposed above, we combine these two tests into a single test estimating the violation of a measurement-dependent Section IV of the Appendix. In particular, when the test is passed (i.e., the measurement-dependent locality quantity 5 is observed to satisfy L n (a, b, x, y) ≥ δ for some δ > 0), we certify that the outputs constitute a min-entropy source 6 of linear min-entropy h box given by (see Appendix IV A for the derivation of this expression) for parameters 0 < δ Az < δ and 0 < κ < δ − δ Az . Feeding these bits together with some further bits from SV is shown to satisfy where P (ACC) denotes the probability with which the test in the protocol is passed.

30
The obtained joint probability P AB,XY (ab, xy) and corresponding errors (standard deviations in the estimated proba-  Final output randomness from the experimental data.-The detailed analysis of the final output randomness, obtained by applying the randomness extractor to the min-entropy from the device and further bits from the SV source, is performed in Appendix IV. With respect to the specific randomness extractor from [41] that we apply here, our experimental data allows for the production of k( , t) bits of final output randomness, where k( , t) = g(δ exp , , n)n − (t + 3) 2 , A UV pump laser at 390nm was focused onto two beta barium borate (BBO) crystals places in cross-configuration to produce photon pairs emitted into two spatial modes "a" and "b" through type-I SPDC process. To remove any spatial, temporal or spectral distinguishability between the photons we use a pair of Y V O4 crystals (CC), narrow-bandwidth filters (F) (λ = 1 nm), and coupling into single-mode fibers (SMF). To prepare the state 3, the photon polarizations in each mode are rotated through a half wave plate (HWP). Alice's and Bob's measurements were performed using a HWP, a quarter wave plate (QWP), a polarizing beam splitter (PBS) and single-photon avalanche photodiodes Di(i = {1, 2, 3, 4}).
for experimentally obtained MDL value δ exp , experimental number of runs n and a security parameter t > 0. The distribution {q i }, i = 1, . . . , 2 k of the final k( , t) output bits satisfies The explicit form of the function g(δ exp , , n), encapsulating the details of the protocol including also the experimental 1 data, is provided in the Appendix IV. Exemplary data showing the number of output bits k( , t) as a function of the 2 initial from the SV source are shown in the Fig. (6) for particular values of the security parameter t (t = 5, 10, 100, 3 with the final bits deviating from uniform by 2 −t−1 ). One can see that the state-of-art experimental setups are able 4 to achieve the parameters required for reasonable randomness production by our protocol. It must be stressed that, 5 up to the fair-sampling assumption, this is the first time ever that any device-independent protocol secure against a 6 no-signalling adversary has been implemented in the lab, since all previous schemes had stringent requirements far 7 beyond the scope of any experimental technology known to date. Conclusions.
-In this paper, we have shown a generic application of Hardy paradoxes to a scheme of device-9 independent randomness amplification secure against general no-signaling adversaries. Remarkably, the Hardy para-10 dox allows for experimentally friendly parameters in the simplest (2,2,2) Bell scenario, providing the first practically 11 feasible device-independent application against a no-signaling adversary. We have illustrated this feasibility with help 12 of the routine two-photon experiment, achieving the satisfactory rates. This is the first time, when such an illustration 13 is provided, since the previous protocols were out of reach of the state-of-art technology.
14 Furthermore, we answered interesting questions arising with regard to Hardy paradoxes and randomness certifi-15 cation. We have shown that Hardy paradoxes with binary outputs, and those with two observables for one party  allow for generic randomness certification against no-signaling adversaries, while more general Bell scenarios require 1 specific linear programming checks. Moreover, we have shown that just as Kochen-Specker sets give rise to two-player 2 pseudo-telepathy games, subsets within the KS proofs provide a systematic method to construct Hardy paradoxes. An important question in general DIRA schemes is to relax the assumption of independence between source and device 9 which has so far been employed in all finite-device randomness amplification schemes against no-signaling adversaries [11].
the Belgian Science Policy Office under the grant IAP P7-35 photonics@be. This work is supported by the Start-up