ARTICLE

https://doi.org/10.1038/s42005-020-0375-6 OPEN Experimental device-independent certified randomness generation with an instrumental causal structure

Iris Agresti1, Davide Poderini1, Leonardo Guerini 2, Michele Mancusi 1, Gonzalo Carvacho1, Leandro Aolita3, ✉ 1234567890():,; Daniel Cavalcanti4, Rafael Chaves5,6 & Fabio Sciarrino 1

The intrinsic random nature of quantum physics offers novel tools for the generation of random numbers, a central challenge for a plethora of fields. Bell non-local correlations obtained by measurements on entangled states allow for the generation of bit strings whose randomness is guaranteed in a device-independent manner, i.e. without assumptions on the measurement and state-generation devices. Here, we generate this strong form of certified randomness on a new platform: the so-called instrumental scenario, which is central to the field of causal inference. First, we theoretically show that certified random bits, private against general quantum adversaries, can be extracted exploiting device-independent quantum instrumental-inequality violations. Then, we experimentally implement the corre- sponding randomness-generation protocol using entangled photons and active feed-forward of information. Moreover, we show that, for low levels of noise, our protocol offers an advantage over the simplest Bell-nonlocality protocol based on the Clauser-Horn-Shimony- Holt inequality.

1 Dipartimento di Fisica, Sapienza Università di Roma, Piazzale Aldo Moro 5, I-00185 Roma, Italy. 2 International Center of Theoretical Physics - South American Institute for Fundamental Research, Instituto de Física Teórica - UNESP, R. Dr. Bento T. Ferraz 271, 01140-070 São Paulo, Brazil. 3 Instituto de Física, Universidade Federal do Rio de Janeiro, Caixa Postal 68528, Rio de Janeiro, RJ 21941-972, Brazil. 4 ICFO - Institut de Ciencies Fotoniques, The Barcelona Institute of Science and Technology, E-08860 Castelldefels, Barcelona, Spain. 5 International Institute of Physics, Federal University of Rio Grande do Norte, 59078-970P. O. Box 1613, Natal, Brazil. 6 School of Science and Technology, Federal University of Rio Grande do Norte, 59078-970 Natal, Brazil. ✉ email: [email protected]

COMMUNICATIONS PHYSICS | (2020) 3:110 | https://doi.org/10.1038/s42005-020-0375-6 | www.nature.com/commsphys 1 ARTICLE COMMUNICATIONS PHYSICS | https://doi.org/10.1038/s42005-020-0375-6

he generation of random numbers has applications in a their dimension. Furthermore, in our case, the causal assumption wide range of fields, from scientific research—e.g. to consists in the requirement that A’s measurement choice does T — — fl simulate physical systems to military scopes e.g. for not have a direct in uence over B. In practical applications, this effective cryptographic protocols—and every-day concerns—like premise can be enforced, by shielding A’s measurement station, ensuring privacy and gambling. From a classical point of view, the in order to allow only for the communication of its outcome bit concept of randomness is tightly bound to the incomplete to B and prevent any other unwanted communication. To knowledge of a system; indeed, classical randomness has a sub- implement the protocol in all of its parts, we have set up a jective and epistemological nature and is erased when the system classical extractor following the theoretical design by Trevisan34. is completely known1. Hence, classical algorithms can only gen- Moreover, we prove that DI randomness generation protocols erate pseudo-random numbers2, whose unpredictability relies on implemented in this scenario, for high state visibilities, can bring the complexity of the device generating them. Besides, the certi- an advantage in the gain of random bits when compared to those fication of randomness is an elusive task, since the available tests based on the simplest two-input-two-output Bell scenario, the can only verify the absence of specific patterns, while others may Clauser–Horn–Shimony–Holt (CHSH)35. Therefore, this work go undetected but still be known to an adversary3. paves the way to further applications of the instrumental sce- On the other hand, randomness is intrinsic to quantum sys- nario in the field of DI protocols, which, until now, have relied tems, which do not possess definite properties until these are primarily on Bell-like tests. measured. In real experiments, however, this intrinsic quantum randomness comes embedded with noise and lack of complete Results control over the device, compromising the security of a quantum Randomness certification via instrumental violations. Let us random-number generator. A solution to that is to devise first briefly review some previous results obtained in the context quantum protocols whose correctness can be certified in a device- of Bell inequalities4. In a CHSH scenario35, two parties, A and B, independent (DI) manner. In such a framework, properties of the share a bipartite system and, without communicating to each considered system can be inferred under some causal assump- other, perform local measurements on their subsystems. If A and tions, not requiring a precise knowledge of the devices adopted in B choose between two given operators each, i.e. (A1, A2) and (B1, the implementation. For instance, from the violation of a Bell B2) respectively, and then combine their data, the mean value of 4,5 ¼jhiÀ; hiþ; hiþ; hij; inequality , under the assumption of measurement indepen- the operator S A1 B1 A1 B2 A2 B1 A2 B2 dence and locality, one can ensure that the statistics of certain should be upper-bounded by 2, for any deterministic model quantum experiments cannot be described in the classical terms respecting a natural notion of locality. However, as proved in of local deterministic models, hence being impossible to be ref. 35,ifA and B share an entangled state, they can get a value deterministically predicted by any local observer. Moreover, the exceeding this bound, whose explanation requires the presence of extent of such a violation can provide a lower bound on the non-classical correlations between the two parties. Hence, Bell certified randomness characterizing the measurement outputs of inequalities have been adopted in ref. 7 to guarantee the intrinsic the two parties performing the Bell test, as introduced and random nature of A’s and B’s measurements’ outcomes, within a developed in refs. 6–8. Several other seminal works based on Bell fi – DI randomness generation and certi cation protocol. inequalities have been developed9 22, advancing the topics of In the instrumental causal model, which is depicted in Fig. 1a, randomness amplification (the generation of near-perfect ran- the two parties (Alice and Bob) still share a bipartite state. Alice domness from a weaker source), randomness expansion (the 1 can choose among l possible d-outcome measurements (OA, ..., expansion of a short initial random seed), and quantum key l OA), according to the instrument variable x, which is independent distribution (sharing a common secret string through commu- of the shared correlations between Alice and Bob (Λ) and can nication over public channels). In particular, loophole-free Bell assume l different values. On the other hand, Bob’s choice y is tests based on randomness generation protocol have been among d observables (O1 , ..., Od ) and depends on Alice’s outcome implemented7,20,23 and more advanced techniques have been B B a, specifically y = a. In other words, as opposed to the spatially- developed to provide security against general adversarial separated correlations in a Bell-like scenario, the instrumental attacks19,21,24,25. process constitutes a temporal scenario, with one-way commu- From a causal perspective, the non-classical behavior revealed nication of Alice’s outcomes to select Bob’s measurement. This by a Bell test lies in the incompatibility of quantum predictions – implies, first, that Alice and Bob are not space-like separated, to with our intuitive notion of cause and effect26 28. Given that ensure that the causal structure’s constraints are fulfilled, unlike the causal structure underlying a Bell-like scenario involves five in Bell-like scenarios. Secondly, due to the communication of variables (the measurement choices and outcomes for each of Alice’s outcome a to Bob, Bob’s outcome b is not independent of the two observers and a fifth variable representing the common x; however, the instrumental network specifies this influence to be cause of their correlations), it is natural to wonder whether a indirect, formalized by the constraint p(b∣x, a, λ) = p(b∣a, λ) and different, and simpler, causal structure could give rise to an justifying the absence of an arrow from X to B in Fig. 1a. This is analogous discrepancy between quantum and classical causal the aforementioned causal assumption within our protocol. predictions29,30. The instrumental causal structure31,32, where the Similarly to Bell-like scenarios, the causal structure underlying two parties (A and B) are linked by a classical channel of com- an instrumental process imposes some constraints on the classical munication, is the simplest model (in terms of the number of joint probabilities {p(a, b∣x)} that are compatible with it31,32 involved nodes) achieving this result33. This scenario has fun- a,b,x (the so-called instrumental inequalities). In the particular case damental importance in causal inference, since it allows the where the instrument x can assume three different values (1,2,3), estimation of causal influences even in the presence of unknown while a and b are dichotomic, the following inequality holds32: latent factors31. In this letter, we provide a proof-of principle demonstration of I¼hiA À hiB þ 2hiB À hiAB þ 2hiAB ≤ 3 ð1Þ the implementation of a DI random number generator based on 1 1 2 1 3 instrumental correlations, secure against general quantum P þ 19 hi¼ ðÀ Þa b ð ; j Þ attacks . where AB x a;b¼0;1 1 p a b x . Remarkably, this Our protocol is DI, since it does not require any assumption inequality can be violated with the correlations produced by about the measurements and states used in the protocol, not even quantum instrumental causal models33, up to the maximal value

2 COMMUNICATIONS PHYSICS | (2020) 3:110 | https://doi.org/10.1038/s42005-020-0375-6 | www.nature.com/commsphys COMMUNICATIONS PHYSICS | https://doi.org/10.1038/s42005-020-0375-6 ARTICLE

constraint is imposed by exploiting the NPA hierarchy38. Indeed, such a general method can be applied to any casual model involving a shared bipartite system, on whose subsystems local measurements are performed. Note that, when adopting the NPA method for an instrumental process, no constraints are applied to the untested terms of the form p(a, b∣e, x, y ≠ a) and that the solution of such an optimization will, in general, provide a lower amount of certifiable randomness, with respect to a scenario where all the combinations were tested (for further details, see Supplementary Information note 1). The functions fx are convex 101001 and grow monotonically with I; so, the higher the violation of 1001 Secure inequality (1) is, the higher the min-entropy lower bound will be. 010010 110001 random bits Nevertheless, in real experimental conditions, in order to evaluate Seed à the quantum violation extent I (or, analogously, the probability Fig. 1 Randomness generation and certification protocol. a Instrumental * distribution p (a, b∣x)) to compute fx, several experimental runs 26 causal structure represented as a directed acyclic graph (DAG), where are necessary. Therefore, unless one makes the “iid assumption” each node represents a variable and the arrows link variables between (i.e. all the experimental runs are assumed to be identically and which there is causal influence. In this case, X, A, and B are observable, independently distributed, “iid”, so both the state source, as well while Λ is a latent variable. b The plot shows the smooth min-entropy as Alice’s and Bob’s measurement devices, are supposed not bound for the CHSH (Clauser–Horn–Shimony–Holt) inequality and the ðI ÃÞ to exhibit time-dependent behaviors), this bound f x will not instrumental scenario (respectively dashed and continuous curve), in terms hold in the presence of an adversary that could include a v of the state visibility , i.e. considering the extent of violation that would be (quantum) memory in the devices, introducing interdependences given by the following state: ρ ¼ vjiψÀ hjþðψÀ 1 À vÞ I. The bounds were 4 among the runs. Several DI protocols have been proposed so far 19 obtained through the analysis of ref. , secure against general quantum addressing the most general non-iid case13,16,39, but at the cost of adversaries, which was adapted to our case. The choice of parameters was a low feasibility. Only very recently feasible solutions have been n = 12 ϵ = ϵ = −6 δ0 ¼ À4 γ = n the following: 10 , EA 10 , 10 and 1. In detail, is proposed19,24,25,40. In particular, we will consider the technique ϵ the number of runs, is the smoothing parameter characterizing the min- developed in ref. 19, resorting to the “Entropy Accumulation entropy Hϵ , ϵ is the desired error probability of the entropy min EA Theorem” (EAT), in order to deal with processes not necessarily δ0 accumulation protocol, is the experimental uncertainty on the evaluation made of independent and identically distributed runs. Such a I γ of the violation and is the parameter of the Bernoulli distribution method has been recently applied to the CHSH scenario21. “ ” “ ” according to which we select test and accumulation runs throughout Here we adapt the technique developed in ref. 19 to the fi the protocol. c Simpli ed scheme of the proposed randomness generation instrumental scenario, making our randomness certification, fi γ = and certi cation protocol (in the case 1): (i) initial seed generation whose scheme is depicted in Fig. 1c, secure against general fi (de ning, at each run, Alice's choice among the operators), (ii) quantum attacks. According to the EAT, for a category of instrumental process implementation, (iii) classical randomness extractor. processes that comprehends also an implemented instrumental The initial seed is obtained from the random bits provided by the NIST process composed of several runs, the following bound on the Randomness Beacon42. In the second stage, Alice's and Bob's outputs are à smooth min-entropy holds: collected and the corresponding value of the instrumental violation I is pffiffiffi ϵ computed. If it is higher than a threshold set by the user, the smooth min- H ð nj n nÞ À ν ; ð Þ min O S E >nt n 2 entropy is bounded by inequality (2), otherwise the protocol aborts. The value of the min-entropy indicates the maximum number of certified where O are the quantum systems given to the honest parties random bits that can be extracted. At the end, if the protocol does not Alice and Bob, at each run, S constitutes the leaked side- abort, the output strings are injected in a classical randomness extractor information, while E represents any additional side information (Trevisan's extractor34) and the final string of certified random bits is correlated to the initial state. Then, t is a convex function which obtained. The extractor's seed is as well provided by the NIST Randomness depends on the extent of the violation, expected by an honest, Beacon. although noisy, implementation of the protocol, i.e. in a scenario ν with no eavesdropper (Iexp). On the other hand, depends also pffiffiffi on the smoothing parameter ϵ, which characterizes the smooth of I¼1 þ 2 2. Recently, the relationship of the instrumental Hϵ ϵ 36 min-entropy min,and EA, i.e. the desired error probability of processes with the Bell scenario has been studied in ref. . the entropy accumulation protocol; in other words, either the In this context, we rely on the fact that if a given set of statistics − ϵ ∣ protocol aborts with probability higher than 1 EA or bound {p(a, b x)}a,b,x violates inequality (1), then the system shared by (2) holds (for further detail, see Supplementary Information the two parties exhibits non-classical correlations that impose note 2). non-trivial constraints on the information a potential eaves- Our protocol is implemented as follows (see Fig. 2): for each dropper could obtain, represented in the probability distributions ∣ run, a random binary variable T is drawn according to a Bernoulli {p(a, b, e x)}a,b,e,x, where e is the eventual side information of the distribution of parameter γ (set by the user); if T = 0, the run is eavesdropper. Consequently, this restricts the values of the an “accumulation” run, so x is deterministically set to 2 (which conditional min-entropy,P a randomness quantifier defined as ðIÞ H ¼À ½ ð Þ ð ; j ; ފ37 guarantees a higher f , see Supplementary Information note 2); min log 2 eP e max P a b e x . Indeed, it is possible = “ ” a;b on the other hand, if T 1, the run is a test run, so x is to obtain a lower-bound on the min-entropy, for each x,asa randomly chosen among 1, 2 and 3. After m test runs (with m I H ≥ ðIÞ chosen by the user), the quantum instrumental violation is function fx of : min f x (or, equivalently, of the visibility, see Fig. 1b). For each x and I, the lower bound f ðIÞ can be evaluated from the bits collected throughout the test runs and, if x À δ0 δ0 I computed via semidefinite programming (SDP), by maximizing P lower than Iexp ( being the experimental uncertainty on ), (a, b∣e, x), under the constraint that the observable terms of the the protocol aborts; otherwise the certified smooth min-entropy is probability distribution are compatible to the laws of quantum bounded by inequality (2). This lower bound on the certified min mechanics and that the corresponding violation is I. The first entropy represents the maximum certified amount of bits that we

COMMUNICATIONS PHYSICS | (2020) 3:110 | https://doi.org/10.1038/s42005-020-0375-6 | www.nature.com/commsphys 3 ARTICLE COMMUNICATIONS PHYSICS | https://doi.org/10.1038/s42005-020-0375-6

Fig. 2 Implementation of the device-independent randomness certification protocol. The implementation of our proposed protocol involves three steps. First of all, an instrumental process is implemented on a photonic platform. Then, for each round of the experiment, a binary random variable T is evaluated. Specifically, T can get value 1 with probability γ, previously chosen by the user (in our implementation, γ = 1). If T = 0, the run is an “accumulation” one, and x is deterministically equal to 2. If T = 1, the run is a “test” run and x is randomly chosen among 1, 2, and 3. Note that, in our case, we only have “test” runs. Secondly, after n runs, through the bits collected in the test runs, we evaluate the corresponding instrumental violation and see whether it is higher than the expected violation for an honest implementation of the protocol, i.e. in a scenario with no eavesdroppers. In our case, we set the threshold to 3.5. If itis lower, the protocol aborts, otherwise, the protocol reaches the third stage, where we employ the Trevisan extractor, to extract the final certified random bit string. The extractor takes, as input, the raw data (weak randomness source), a random seed (given by the NIST Randomness Beacon42) and the min- −6 entropy of the input string. In the end, according to the classical extractor statistical error (ϵext) set by the user (in our case 10 ), the algorithm extracts m truly random bits, with m < n. can extract from our collected data. Hence, feeding the raw bit seed, made of a string of trits (indeed, in our case, we take γ = 1, Hϵ 34 string and the min to the classical extractor , the algorithm will so x is chosen among (1,2,3) at every run). This seed is obtained Hϵ ð nj n nÞ fi 42 output at most min O S E certi ed random bits, the exact from the NIST Randomness Beacon , which provides 512 ϵ fi value depending on its internal error parameter ext. Speci cally, random bits per minute. After Alice has performed her 34 0 we resorted to the classical extractor devised by Trevisan . This measurement, whenever she gets output 1 (i.e. DA registers an algorithm takes as inputs a “weak randomness source”, in our event), the detector’s signal is split to reach the coincidence case the 2n raw bits long string, and a seed, which is poly- counter and, at the same time, trigger the Pockels cell on path 2. logarithmic in the input size (our code for the classical extractor Bob’s station is made of a half waveplate (HWP) followed by this can be found at41 and, for a detailed description of the classical fast electro-optical device. When no voltage is applied to the ’ 1 randomness extractor, see Supplementary Information note 3). Pockels cell, Bob s operator is OB and, when it is turned on, there 2 ’ is a swift change to OB (the cell s time response is of the order of Experimental implementation of the protocol. The DI random nanoseconds). In order to have the time to register Alice’s output numbers generator, in our proposal, is made up of three main and select Bob’s operator accordingly, the photon on path 2 is parts, which are seen as black boxes to the user: the state gen- delayed, through a 125 m long single-mode fiber. eration and Alice’s and Bob’s measurement stations. The causal The four detectors are synchronized in order to distinguish the correlations among these three stages are those of an instrumental coincidence counts generated by the entangled photons’ pairs scenario (see Fig. 1a,c) and are implemented through the pho- from the accidental counts. Let us note that our proof of principle tonic platform depicted in Fig. 3. is not loophole free, since it requires the fair sampling Within this experimental apparatus, the qubits are encoded in assumption, due to our overall low detection efficiency. However, the photon’s polarization: horizontal (H) and vertical (V) such a limitation belongs to this specific implementation and not polarizations represent, respectively, qubits 0 and 1, eigenstates to the proposed method. The measurementpffiffiffi operators achieving σ of the Pauli matrix z. A spontaneous parametric down- maximal violation of I¼1 þ 2 2, whenp appliedffiffiffi to the state conversion (SPDC) process generates the two-photon maximally jψÀi, are the following: O1 ¼Àðσ À σ Þ= 2, O2 ¼Àσ , O3 ¼ À j iÀj i pAffiffiffi z x pAffiffiffi x A entangled state jΨ i¼ HVpffiffiVH . One photon is sent to path 1, σ 1 ¼ðσ À σ Þ= 2 ¼Àðσ þ σ Þ= 2 z and OB x z 2, OB x z 2. ’ 1 2 Once the instrumental process is implemented, the threshold towards Alice s station, where an observable among OA, OA and 3 I is set, corresponding to the violation that is expected by an OA is measured, applying the proper voltage to a liquid crystal exp device (LCD). The voltage must be chosen according to a random honest implementation of the protocol. In our case, given that our

4 COMMUNICATIONS PHYSICS | (2020) 3:110 | https://doi.org/10.1038/s42005-020-0375-6 | www.nature.com/commsphys COMMUNICATIONS PHYSICS | https://doi.org/10.1038/s42005-020-0375-6 ARTICLE

¼ : expected visibility amounts to 0.915, Iexp 3 5. Then, the desired NIST 1 2 EPR level of security is imposed by tuning the internal parameters, detailed in the SI, contributing to ν. As next step, according to Eq. (2), one can either fix the number of the desired output random fi D0 bits and perform the required number of runs or, viceversa, x A the amount of initial randomness to feed the protocol, and hence the number of feasible runs. In the end, the classical randomness D1 ALICE A extractor is applied to the raw bit strings. Specifically, in our case, we adopted the one devised by Trevisan34. The complete Feed-Forward BOB procedure is summarized in Fig. 2.

Theoretical results. The DI random number generation protocol Pockels HWP SPDC cell we propose for the instrumental scenario was developed adapting Liquid 0 19,21 Single Coupler 1 Crystal mode fiber DB the pre-existing techniques for the Bell scenario , and is secure DB Fiber Detector against general quantum adversaries. The most striking aspect of delay PBS QWP our protocol, shown in Fig. 4, is that, under given circumstances, our protocol proves to be more convenient than its CHSH-based Fig. 3 Experimental apparatus. A polarization-entangled photon pair is counterpart. This becomes visible if we compare the amount of generated via spontaneous parametric down-conversion (SPDC) process in truly random bits within Alice’s and Bob’s output strings a nonlinear crystal. Photon 1 is sent to Alice's station, where one of three ϵ throughout all the experimental runs (given by H ) for our observables (O1 , O2 , and O3 ) is measured through a liquid crystal followed min A A A protocol and its CHSH-based counterpart, in the case of a fixed by a polarizing beam splitter (PBS). The choice of the observable relies on ’ 42 0 amount of invested bits, for the parties inputs and for T. This will the random bits generated by the NIST Randomness Beacon . Detector DA acts as trigger for the application of a 1280 V voltage on the Pockels cell, result in a different number of feasible runs for the two cases. whenever the measurement output 0 is registered. The photon 2 is delayed Such a difference, in the regime of high state visibilities v (~ 0.98), fi considering a violation extent compatible to the following state 600 ns before arriving to Bob's station by employing a single-mode ber ρ ¼ jiψÀ hjψÀ þð À Þ I 125 m long. After leaving the fiber, the photon passes through the Pockels v 1 v 4, and large amounts of invested ran- ϵ ϵ ∘ H Instr=H CHSH cell, followed by a fixed half waveplate (HWP) at 56.25 and a PBS. If the dom bits, brings the ratio of the two gains ( min min ), as Pockels cell has been triggered (in case of A measurement outcome is 0), shown in Fig. 4, to be higher than 1. its action combined to the fixed HWP in Bob's station allows us to perform O1 A B. Otherwise (if measurement outcome is 1), the Pockels cell acts as the Experimental results. We implemented the instrumental scenario O2 identity and we implement B. on a photonic platform and provided a proof of principle of the proposed quantum adversary-proof protocol in our experimental conditions. In particular, for our expected visibility, of 0.915, we put ¼ : δ0 ¼ : our threshold to Iexp 3 5, with 0 011. Furthermore, we set ϵ = ϵ = −1 fi EA 10 and xed the amount of initial randomness to 172,095 experimental runs. Since the registered violation was of ρ ¼ jiψÀ hjψÀ þð À Þ I 3.516 ± 0.011, compatible to a state v 1 v 4, with v = 0.9186 ± 0.030, our certified smooth min-entropy bound, according to inequality (2), was 0.031125, which allowed us to gain, through the classical extractor, an overall number of 5270 random ϵ = −6 bits, with an error on the classical extractor of ext 10 .Note that each experimental run lasted ~1s and the bottleneck of our implementation is the time response of the liquid crystal, ~700 ms, that implements Alice’s operator. Hence, in principle, significantly higher rates can be reached on the same platform, adopting a fast electro-optical device also for Alice’s station, with a response time of ~100 ns. Fig. 4 Comparison between Clauser–Horn–Shimony–Holt (CHSH) and The length of the seed required by the classical extractor, as Instrumental random bits gain. The plot shows the ratio between the mentioned, is poly-logarithmic in the input size and its length ϵ random bits gained throughout all the runs of the proposed protocol (given also depends on the chosen error parameter ext (which is the Hϵ by min), involving the instrumental scenario, over those gained in its tolerated distance between the uniform distribution and the one regular CHSH-based counterpart19,21, when fixing the amount of random of the final string) and on the particular algorithm adopted. In bits feeding both the protocols. Under these circumstances, given that for our case, we used the same implementation of refs. 41,43, which 44 each test run the instrumental test requires log2(3) input bits, instead of the was proven to be a strong quantum proof extractor by De et al. . 2 of the regular CHSH, the final amounts of random bits in the two cases With respect to other implementations of the Trevisan extrac- will differ, due to the different amounts of performed runs, besides their tor45, ours requires a longer seed, but allows to extract a higher different min-entropies per run. Note that the amount of performed runs amount of random bits. Let us note that, since the length of the depends on the value of γ, i.e. the probability of a test run, which was seed grows as log(2n)3, where n is the number of experimental optimized separately for the two scenarios. In particular, the curves runs, the randomness gain is not modified if we take also into represent different amounts of initially invested random bits, in particular account the bits invested in the classical extractor’s seed. Indeed, n = 108 (blue, lowest curve), n = 109 (golden, middle curve) and n = 1010 the number of extracted bits grows polynomially in n. Hence, if v ϵ ϵ À À (red, highest curve), in terms of the state visibility , i.e. corresponding to HminInstr >HminCHSH , then mInstr dInstr>mCHSH dCHSH, where m the extent of violation that would correspond to the following state: is the length of the final string (after the classical extraction) and ρ ¼ vjiψÀ hjψÀ þð À vÞ I ’ 1 4. d the length of the required extractor s seed. For more details

COMMUNICATIONS PHYSICS | (2020) 3:110 | https://doi.org/10.1038/s42005-020-0375-6 | www.nature.com/commsphys 5 ARTICLE COMMUNICATIONS PHYSICS | https://doi.org/10.1038/s42005-020-0375-6 about the internal functioning of the classical randomness 2. Matsumoto, M. & Nishimura, T. 623-dimensionally equidis- tributed uniform extractor and its specific parameter settings, see Supplementary pseudo-random number generator. ACM Trans. Modeling Comput. Simul. 8, – Information note 3. 3 30 (1998). 3. Rukhin, A., Soto, J., Nechvatal, J., Smid, M. & Barker, E. A Statistical Test Suite for Random and Pseudo-random Numbers Generators for Cryptographic Discussion Applications Technical Report (Booz-Allen and Hamilton Inc. McLean VA, In this work we implemented a DI random number generator 2001). based on the instrumental scenario. This shows that instrumental 4. Bell, J. S. On the Einstein–Podolsky–Rosen paradox. Physics 1, 195 (1964). 5. Brunner, N., Cavalcanti, D., Pironio, S., Scarani, V. & Wehner, S. Bell processes constitute an alternative venue with respect to Bell-like nonlocality. Rev. Mod. Phys. 86, 419–478 (2014). scenarios. Moreover, we also showed that, in regimes of high 6. Colbeck, R. Quantum and Relativistic Protocols for Secure Multi-Party visibilities and high amounts of performed runs, the efficiency of Computation. Ph.D. thesis, University of Cambridge (2007). the randomness generated by the violation of the instrumental 7. Pironio, S. et al. Random numbers certified by bellas theorem. Nature 464, inequality (1) can surpass that of efficiency of the CHSH 1021–1024 (2010). 8. Colbeck, R. & Kent, A. Private randomness expansion with untrusted devices. inequality, as shown in Fig. 4. Indeed, for high visibilities, as it can J. Phys. A: Math. Theor. 44, 095305 (2011). be seen in Fig. 1b, the min-entropy per run guaranteed in the two 9. Colbeck, R. & Renner, R. Free randomness can be amplified. Nat. Phys. 8, scenarios has a similar value and, when the number of runs raises, 450–453 (2012). the advantage brought by the instrumental test, by needing only 10. Gallego, R. et al. Full randomness from arbitrarily deterministic events. Nat. log (3) input bits, instead of 2, prevails. Commun. 4, 2654 (2013). 2 11. Brandão, F. G. S. L. et al. Realistic noise-tolerant randomness amplification Through the proposed protocol, we could extract an overall using finite number of devices. Nat. Commun. 7, 11345 (2016). number of 5270 random bits, considering a threshold for the 12. Ramanathan, R. et al. Randomness amplification under minimal ¼ : −1 117 instrumental violation of Iexp 3 5 and 10 , both as error fundamental assumptions on the devices. Phys. Rev. Lett. , 230501 (2016). probability of the entropy accumulation protocol (ϵEA), as well as smoothing parameter (ϵ). The conversion rate, from public to 13. Miller, C. A. & Shi, Y. Robust protocols for securely expanding randomness and distributing keys using untrusted quantum devices. J. ACM 63, 33:1–33:63 private randomness, as well as the security parameters, could be (2016). improved on the same platform, by raising the number of 14. Vazirani, U. V. & Vidick, T. Certifiable quantum dice: or, true random invested initial random bits, or, analogously, the number of runs. number generation secure against quantum adversaries. In Proc. of the Forty- To access the regime in which the instrumental scenario is more Fourth Annual ACM Symposiumon Theory of Computing, STOC ’12, 61–76 convenient than the CHSH one, we should invest a number of (Association for Computing Machinery, New York, NY, USA, 2012). https:// 9 doi.org/10.1145/2213977.2213984. random bits over 10 and obtain a visibility of ~0.98 (note that, 15. Liu, Y. et al. High-speed device-independent quantum random number the more the amount of invested bits grows, the more the generation without a detection loophole. Phys. Rev. Lett. 120, 010503 (2018). threshold for the visibility lowers down). 16. Vazirani, U. & Vidick, T. Fully device-independent quantum key distribution. This proof of principle opens the path for further investigations Phys. Rev. Lett. 113, 140501 (2014). of the instrumental scenario as a possible venue for other infor- 17. Chung, K. M., Shi, Y., & Wu, X. Physical randomness extractors: generating random numbers with minimal assumptions. Preprint at https://arxiv.org/abs/ mation processing tasks usually associated to Bell scenarios, such as 1402.4797 (2014). 46–55 56–58 self-testing and communication complexity problems . 18. Dupuis, F., Fawzi, O. & Renner, R. Entropy accumulation. Preprint at https://arxiv.org/abs/1607.01796 (2016). Methods 19. Arnon-Friedman, R., Dupuis, F., Fawzi, O., Renner, R. & Vidick, T. Practical Experimental details device-independent quantum cryptography via entropy accumulation. Nat. . Photon pairs were generated in a parametric down- 9 conversion source, composed by a nonlinear crystal beta barium borate (BBO) of 2- Commun. , 459 (2018). mm thick injected by a pulsed pump field with λ = 392.5 nm. After spectral 20. Christensen, B. G. et al. Detection-loophole-free test of quantum nonlocality, 111 filtering and walk-off compensation, photons of λ = 785 nm are sent to the two and applications. Phys. Rev. Lett. , 130406 (2013). measurement stations A and B. The crystal used to implement active feed-forward 21. Shen, L. et al. Randomness extraction from bell violation with continuous — parametric down-conversion. Phys. Rev. Lett. 121, 150402 (2018). is a LiNbO3 high-voltage micro Pockels Cell made by Shangai Institute of Ceramics with < 1 ns risetime and a fast electronic circuit transforming each Si- 22. Bancal, J.-D., Sheridan, L. & Scarani, V. More randomness from the same avalanche photodetection signal into a calibrated fast pulse in the kV range needed data. N. J. Phys. 16, 033011 (2014). to activate the Pockels Cell—is fully described in ref. 59. To achieve the active feed- 23. Bierhorst, P. et al. Experimentally generated randomness certified by the forward of information, the photon sent to Bob’s station needs to be delayed, thus impossibility of superluminal signals. Nature 556, 223–226 (2018). allowing the measurement on the first qubit to be performed. The amount of delay 24. Kessler, M. & Arnon-Friedman, R. Device-independent randomness was evaluated considering the velocity of the signal transmission through a single- amplification and privatization. Preprint at https://arxiv.org/abs/1705.04148 mode fiber and the activation time of the Pockels cell. We have used a fiber 125 m (2017). long, coupled at the end into a single-mode fiber that allows a delay of 600 ns of the 25. Knill, E., Zhang, Y. & Fu, H. Quantum probability estimation for second photon with respect to the first. randomness with quantum side information. Preprint at https://arxiv.org/abs/ 1806.04553 (2018). Data availability 26. Pearl, J. Causality (Cambridge University Press, 2009). fi 27. Wood, C. J. & Spekkens, R. W. The lesson of causal discovery algorithms for The data that support the ndings of this study are available from the corresponding quantum correlations: causal explanations of Bell-inequality violations require author upon request. fine-tuning. N. J. Phys. 17, 033002 (2015). 28. Chaves, R., Kueng, R., Brask, J. B. & Gross, D. Unifying framework for Code availability relaxations of the causal assumptions in Bell’s theorem. Phys. Rev. Lett. 114, All the custom code developed for this study is available from the corresponding author 140403 (2015). upon request. Furthermore, the code developed for the classical extractor is available at 29. Henson, J., Lal, R. & Pusey, M. F. Theory-independent limits on correlations https://github.com/michelemancusi/libtrevisan. from generalized bayesian networks. N. J. Phys. 16, 113043 (2014). 30. Carvacho, G., Chaves, R. & Sciarrino, F. Perspective on experimental quantum causality. EPL (Europhys. Lett.) 125, 30001 (2019). Received: 10 February 2020; Accepted: 6 May 2020; 31. Pearl, J. On the testability of causal models with latent and instrumental variables. In Proc. 11th Conference on Uncertainty in Artificial Intelligence 435–443 (Morgan Kaufmann Publishers Inc., 1995). 32. Bonet, B. Instrumentality tests revisited. In Proc. 17th Conference on Uncertainty in Artificial Intelligence 48–55 (Morgan Kaufmann Publishers References Inc., 2001). 1. Grangier, P. & Auffèves, A. What is quantum in quantum randomness? 33. Chaves, R. et al. Quantum violation of an instrumental test. Nat. Phys. 14, Philos. Trans. Roy. Soc. A 376, 20170322 (2018). 291–296 (2018).

6 COMMUNICATIONS PHYSICS | (2020) 3:110 | https://doi.org/10.1038/s42005-020-0375-6 | www.nature.com/commsphys COMMUNICATIONS PHYSICS | https://doi.org/10.1038/s42005-020-0375-6 ARTICLE

34. Trevisan, L. Extractors and pseudorandom generators. J. ACM (JACM) 48, 59. Giacomini, S., Sciarrino, F., Lombardi, E. & De Martini, F. Active teleportation 860–879 (2001). of a quantum bit. Phys. Rev. A 66, 030302 (2002). 35. Clauser, J. F., Horne, M. A., Shimony, A. & Holt, R. A. Proposed experiment to test local hidden-variable theories. Phys. Rev. Lett. 23, 880–884 (1969). Acknowledgements 36. Van Himbeeck, T. et al. Quantum violations in the Instrumental scenario and The authors aknowledge Gláucia Murta for stimulating discussion. We acknowledge their relations to the Bell scenario. Quantum 3, 186 (2019). support from John Templeton Foundation via the grant Q-CAUSAL No. 61084 (the 37. Pironio, S. & Massar, S. Security of practical private randomness generation. opinions expressed in this publication are those of the authors and do not necessarily Phys. Rev. A 87, 012336 (2013). reflect the views of the John Templeton Foundation). I.A., D.P., M.M., G.C., and F.S. 38. Navascués, M., Pironio, S. & Acín, A. Bounding the Set of Quantum aknowledge project Lazio Innova SINFONIA. D.C. acknoledges a Ramon y Cajal fel- Correlations. Phys. Rev. Lett. 98, 010401 (2007). lowship, Spanish MINECO (Severo Ochoa SEV-2015-0522), Fundació Privada Cellex 39. Reichardt, B. W., Unger, F. & Umesh, V. Classical command of quantum and Generalitat de Catalunya (CERCA Program). L.G. and L.A. acknowledge financial systems. Nature https://doi.org/10.1038/nature12035 (2013). support from the São Paulo Research Foundation (FAPESP) under grants 2016/01343-7 40. Dupuis, F. & Fawzi, O. Entropy accumulation with improvedsecond-order and 2018/04208-9. RC acknowledges the Brazilian ministries MCTIC, MEC and the term. IEEE Transactions on Information Theory 65, 7596–7612 (2019). CNPq (grants No. 307172/2017-1 and 406574/2018-9 and INCT-IQ) and the Serra- 41. GitHub. https://github.com/michelemancusi/libtrevisan (2019). pilheira Institute (grant number Serra-1708-15763). G.C. aknowledges Conicyt and Becas 42. Fischer., M. J., Iorga., M. & Peralta., R. A public randomness service. In Proc. Chile. L.A. acknowledges financial support also from the Brazilian agencies CNPq (PQ of the International Conference on Security and Cryptography 1, 434–438 grant No. 305420/2018-6 and INCT-IQ), FAPERJ (JCNE E-26/202.701/2018), CAPES (SciTe Press, 2011). (PROCAD2013 project), and the Brazilian Serrapilheira Institute (grant number Serra- 43. Mauerer, W., Portmann, C. & Scholz, V. B. A modular framework for 1709-17173). randomness extraction based on trevisan’s construction. Preprint at https:// arxiv.org/abs/1212.0520 (2012). Author contributions 44. De, A., Portmann, C., Vidick, T. & Renner, R. Trevisan’s extractor I.A., D.P., L.G., G.C., F.S., R.C., L.A., D.C. developed the theory; I.A., D.P., G.C., F.S., in the presence of quantum side information. SIAM J. Comput. 41, 915–940 L.G., L.A., D.C., R.C. designed the experiment; I.A., D.P., M.M., G.C., F.S. performed the (2012). experiment; all the authors participated in the discussions and contributed to writing the 45. Gross, R. & Aaronson, S. Bounding the seed length of miller and shi’s manuscript. unbounded randomness expansion protocol. Preprint at https://arxiv.org/abs/ 1410.8019(2014). 46. Mayers, D. & Yao, A. Self testing quantum apparatus. Quantum. Inf. Comput. Competing interests 4, 273 (2004). The authors declare no competing interest. 47. Yang, T. H. & Navascués, M. Robust self-testing of unknown quantum 87 systems into any entangled two-qubit states. Phys. Rev. A , 050102 Additional information (2013). Supplementary information is available for this paper at https://doi.org/10.1038/s42005- 48. McKague, M., Yang, T. H. & Scarani, V. Robust self-testing of the singlet. J. Phys. A: Math. Theor. 45, 455304 (2012). 020-0375-6. 49. Bamps, C. & Pironio, S. Sum-of-squares decompositions for a family of Correspondence and requests for materials should be addressed to F.S. clauser-horne-shimony-holt-like inequalities and their application to self- testing. Phys. Rev. A 91, 052111 (2015). Reprints and permission information is available at http://www.nature.com/reprints 50. Wu, X., Bancal, J.-D., McKague, M. & Scarani, V. Device-independent parallel self-testing of two singlets. Phys. Rev. A 93, 062121 (2016). Š ć Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in 51. upi , I., Augusiak, R., Salavrakos, A. & Acín, A. Self-testing protocols based fi on the chained bell inequalities. N. J. Phys. 18, 035013 (2016). published maps and institutional af liations. 52. Coladangelo, A., Goh, K. T. & Scarani, V. All pure bipartite entangled states can be self-tested. Nat. Commun. 8, 15485 (2017). 53. McKague, M. Self-testing in parallel with chsh. Quantum 1, 1 (2017). Open Access This article is licensed under a Creative Commons 54. Šupić, I., Coladangelo, A., Augusiak, R. & Acín, A. Self-testing multipartite Attribution 4.0 International License, which permits use, sharing, entangled states through projections onto two systems. N. J. Phys. 20, 083041 adaptation, distribution and reproduction in any medium or format, as long as you give (2018). appropriate credit to the original author(s) and the source, provide a link to the Creative 55. Bowles, J., Šupić, I., Cavalcanti, D. & Acín, A. Self-testing of pauli observables Commons license, and indicate if changes were made. The images or other third party for device-independent entanglement certification. Phys. Rev. A 98, 042336 material in this article are included in the article’s Creative Commons license, unless (2018). indicated otherwise in a credit line to the material. If material is not included in the 56. Brukner, Č., Żukowski, M., Pan, J.-W. & Zeilinger, A. Bell’s inequalities article’s Creative Commons license and your intended use is not permitted by statutory and quantum communication complexity. Phys. Rev. Lett. 92, 127901 (2004). regulation or exceeds the permitted use, you will need to obtain permission directly from 57. Buhrman, H., Cleve, R., Massar, S. & De Wolf, R. Nonlocality and the copyright holder. To view a copy of this license, visit http://creativecommons.org/ 82 communication complexity. Rev. Mod. Phys. , 665 (2010). licenses/by/4.0/. 58. Buhrman, H. et al. Quantum communication complexity advantage implies violation of a bell inequality. Proc. Natl Acad. Sci. 113, 3191–3196 (2016). © The Author(s) 2020

COMMUNICATIONS PHYSICS | (2020) 3:110 | https://doi.org/10.1038/s42005-020-0375-6 | www.nature.com/commsphys 7