A New High-Dimensional Quantum Entropic Uncertainty Relation with Applications

Walter O. Krawec
University of Connecticut
Department of Computer Science and Engineering
Storrs, CT, USA 06269

arXiv:2005.04773v2 [quant-ph] 23 May 2020

Abstract—In this paper we derive a new quantum entropic uncertainty relation, bounding the conditional smooth quantum min entropy based on the result of a measurement using a two outcome POVM and the failure probability of a classical sampling strategy. Our relation works for systems of arbitrary dimension. We apply it to analyze a new source independent quantum random number generation protocol and show our relation provides optimistic results compared to prior work.

This is a (slightly) extended version of a paper to appear in IEEE ISIT 2020.

I. INTRODUCTION

Quantum entropic uncertainty relations have numerous applications in quantum information, communication, and cryptography. Informally, typical relations of this kind bound the amount of uncertainty in two different measurements performed on a quantum system. This bound is typically a function of the overlap between the measurements performed. There are many varieties [1]–[6] (just to list a few; see [7]–[9] for a general survey).

Conditional quantum min entropy (which we define formally later but denote $H_\infty(A|E)$) is a very useful resource in quantum cryptography [10] and so discovering new uncertainty bounds involving the min entropy of a system is important in various applications (though, outside of applications, such bounds are also interesting in and of themselves). For instance, a useful quantum min entropy uncertainty relation was shown in [2] and states that $H^\epsilon_\infty(Z|E) + H^\epsilon_{\max}(X|B) \ge \gamma$, where $\gamma$ is a function of the overlap of the two measurements (used to produce registers $Z$ and $X$ respectively) and $H_{\max}$ is the max entropy [10]–[12]. Such a relation may be used, for instance, to bound an adversary's uncertainty on a quantum system given that the $X$ and $B$ registers are highly correlated.

In this work, we introduce a new quantum uncertainty relation, bounding the conditional quantum min entropy of a system based on the Hamming weight of a measurement outcome performed using a two-outcome POVM and the error probability of a classical sampling technique. Our relation applies to systems of arbitrary, but known and finite, dimension. To our knowledge this form of uncertainty relation has not been discovered before. To prove our relation, we utilize a quantum sampling framework introduced by Bouman and Fehr in [13]. This sampling framework was used in [13] to prove the security of BB84. Only recently, we discovered in [14] that it can be extended to more general areas of quantum information theory. In particular we proved a quantum entropic uncertainty relation, however our previous relation from [14] was only applicable to qubits (dimension two systems) and did not involve the conditional min entropy. As we consider conditional entropy here, our new bound is immediately applicable to quantum cryptographic applications. We demonstrate this by considering and analyzing a new high-dimensional source independent quantum random number generator (QRNG). Thanks to our new entropic uncertainty relation, and in particular its need for only a two-outcome POVM in one of the measurements, our new QRNG does not require a full basis measurement in the test case, making it potentially more practical (though, we stress, we are not interested in practical issues in this paper, only theoretical analyses). We show that our new bound provides very optimistic random number generation rates when compared to other high dimensional QRNGs, even considering our protocol's simplicity in its quantum capabilities.

Our main result is described formally in Theorem 2. At a high level, our main result shows that for a given quantum state $\rho_{AE}$ (which is not necessarily i.i.d.), where the $A$ register acts on $n + m$ copies of a $d$-dimensional Hilbert space, if one were to measure part of the $A$ system using a particular two-outcome POVM, then, with high probability, one can bound the min entropy in the remaining unmeasured portion of the partially measured state should a measurement in a $d$ dimensional basis be performed on the remaining system. This bound is a function of the observed outcome of the POVM measurement (in particular, the Hamming weight of this outcome) and also a function of the measurements performed. This has interesting cryptographic applications as it allows one to argue about the entropy in partially measured states given a particular measurement outcome, with high probability. Due to the two-outcome nature of the POVM case, it also allows for easy analysis of cryptographic primitives where users do not need to distinguish all $d$ basis states in a "test" case. Experimentally, one need only distinguish a single basis state for the test basis and a full basis measurement, in an alternative, potentially easier to distinguish, basis, for the subsequent measurement. That is, one need not be able to distinguish all basis states in two different bases. This may lead to simpler cryptographic protocols and we show an example in this work.

We make several contributions in this work. First, we derive a new quantum entropic uncertainty relation, relating conditional min entropy and the Hamming weight of a measurement outcome performed through a two-outcome measurement (regardless of the dimension of the underlying system). Our relation is connected to the quantum sampling framework introduced in [13] thus showing, in addition to our prior work in [14], that this sampling framework has strong potential for applications in general quantum information theory while also showing a fascinating connection between classical and quantum science. Finally, we analyze a new source-independent QRNG protocol using high dimensional quantum states, which is also potentially more practical than prior protocols in this setting. We use our entropic uncertainty relation to prove the security of this protocol and show it can support very optimistic bit generation rates. In fact, for many settings, our new protocol, thanks to our new entropic uncertainty relation, can actually outperform more complex protocols. This shows the great potential benefits of using quantum sampling based entropic uncertainty relations as discussed here and in our previous work [14].

A. Notation

We begin by introducing some notation and concepts we will use. Let $\mathcal{A}_d = \{0, 1, \cdots, d-1\}$ be an alphabet of size $d$ (the exact characters do not matter so long as there is a distinguished "0" element). Given $q \in \mathcal{A}_d^N$, and a subset $t = \{t_1, \cdots, t_m\}$ of $\{1, 2, \cdots, N\}$, we write $q_t$ to mean the substring of $q$ indexed by $t$, namely $q_t = q_{t_1} \cdots q_{t_m}$. We use $q_{-t}$ to mean the substring of $q$ indexed by the complement of $t$. We define the Hamming weight of $q$ to be the number of non-zero characters in $q$. The relative Hamming weight of $q$, denoted $w(q)$, is the number of non-zero characters in $q$ divided by the total number of characters in $q$. That is:

$$w(q) = |\{i \mid q_i \ne 0\}| / |q|. \tag{1}$$

A density operator acting on Hilbert space $\mathcal{H}$ is a Hermitian positive semi-definite operator of unit trace. Given element $|\psi\rangle \in \mathcal{H}$, we write $[\psi]$ to mean the projector $|\psi\rangle\langle\psi|$. We use $\mathcal{H}_d$ to denote a $d$-dimensional Hilbert space.

The Shannon entropy of a random variable $X$ is denoted $H(X)$. The $d$-ary entropy function, denoted $h_d(x)$ for $x \in [0, 1]$, is defined to be:

$$h_d(x) = x \log_d(d-1) - x \log_d x - (1-x)\log_d(1-x).$$

We also define the extended $d$-ary entropy function, denoted $\bar{H}_d(x)$, for any $x \in \mathbb{R}$, as:

$$\bar{H}_d(x) = \begin{cases} 0 & \text{if } x \le 0 \\ h_d(x) & \text{if } 0 \le x \le 1 - 1/d \\ 1 & \text{if } x > 1 - 1/d \end{cases} \tag{2}$$

Let $\rho_{AE}$ be a density operator acting on Hilbert space $\mathcal{H}_A \otimes \mathcal{H}_E$. Then, the conditional quantum min entropy [10], denoted $H_\infty(A|E)_\rho$, is defined to be:

$$H_\infty(A|E)_\rho = \sup_{\sigma_E} \max\left\{\lambda \in \mathbb{R} \mid 2^{-\lambda} I_A \otimes \sigma_E - \rho_{AE} \ge 0\right\}.$$

Above, $I_A$ is the identity operator on $\mathcal{H}_A$ and $X \ge 0$ implies that $X$ is positive semi-definite. If the $E$ system is trivial, it can be shown that $H_\infty(A)_\rho = -\log \lambda_{\max}$, where $\lambda_{\max}$ is the maximal eigenvalue of $\rho$. If $\rho$ is a classical state (i.e., $\rho_A = \sum_x p_x [x]$ for some orthonormal basis $\{|x\rangle\}$), then $H_\infty(A)_\rho = -\log \max_x p_x$. The smooth min entropy, denoted $H^\epsilon_\infty(A|E)_\rho$, is defined as [10]:

$$H^\epsilon_\infty(A|E)_\rho = \sup_{\sigma \in \Gamma_\epsilon(\rho)} H_\infty(A|E)_\sigma,$$

where:

$$\Gamma_\epsilon(\rho) = \{\sigma \mid \|\sigma - \rho\| \le \epsilon\},$$

and $\|X\|$ is the trace distance of operator $X$.

Let $Z = \{|i\rangle\}$ be an orthonormal basis of $\mathcal{H}_A$ and let $\rho_{AE}$ be some density operator. Then we write $H_\infty(Z|E)_\rho$ to mean the conditional min entropy of the state $\rho_{ZE}$ which results from a measurement of the $A$ system using basis $Z$. If $\rho_{AE}$ is pure (i.e., $\rho_{AE} = [\psi]$), then we may write $H_\infty(Z|E)_\psi$. Similarly for the smooth min entropy.

Given a quantum-classical state $\rho_{AC}$ of the form $\rho_{AC} = \sum_{c=0}^{N} p_c \rho_A^c \otimes [c]$, then it is easy to prove from the definition of min entropy that:

$$H_\infty(A|C)_\rho \ge \min_c H_\infty(A)_{\rho_A^c}. \tag{3}$$

Min-entropy is a very useful quantity to measure and has many applications. In quantum cryptography, one may use min-entropy to determine how many uniform independent random bits may be extracted from a quantum state. In particular, through a privacy amplification process, one may take as input a classical-quantum (cq) state $\rho_{AE}$ and process the $A$ register, which is $N$ bits long, to transform it into the cq-state $\sigma_{KE}$, where the $K$ register is $\ell$ bits long, by hashing it through a two-universal hash function. Then, as shown in [10], it holds that:

$$\left\| \sigma_{KE} - I_K/2^\ell \otimes \sigma_E \right\| \le 2^{-\frac{1}{2}\left(H^\epsilon_\infty(A|E)_\rho - \ell\right)} + 2\epsilon. \tag{4}$$

An important lemma concerning min-entropy was proven in [13] (also based on a Lemma from [10]).

Lemma 1. (From [13]): Let $Z = \{|i\rangle\}$ and $X = \{|x_i\rangle\}$ be two orthonormal bases of $\mathcal{H}_Z$. Then for any pure state $|\psi\rangle = \sum_{i \in J} \alpha_i |i\rangle \otimes |\phi_i\rangle_E \in \mathcal{H}_Z \otimes \mathcal{H}_E$ (where $|\phi_i\rangle_E$ are arbitrary, normalized, states in $\mathcal{H}_E$), if we define the mixed state $\rho = \sum_{i \in J} |\alpha_i|^2 [i] \otimes [\phi_i]$, then:

$$H_\infty(X|E)_\psi \ge H_\infty(X|E)_\rho - \log_2 |J|.$$

II. CLASSICAL AND QUANTUM SAMPLING

As our entropic uncertainty relation is based on the quantum sampling technique introduced in [13], we take time here to review the relevant information. Note that everything in this section is derived from [13].

Let $q \in \mathcal{A}_d^N$. A sampling strategy is a process of choosing a random subset $t \subset \{1, \cdots, N\}$ and then, given $q_t$, outputs a "guess" or estimate as to the value of $w(q_{-t})$. That is, given an observation of the string $q$ indexed by $t$, the strategy will compute an estimate as to the relative Hamming weight in the unobserved portion of the string, $q_{-t}$. In this work, we are interested in the sampling strategy that chooses $t$ of size $m$, uniformly at random and, when given $q_t$ (from a string $q \in \mathcal{A}_d^{m+n}$), will output $w(q_t)$ as a guess for $w(q_{-t})$. We denote this strategy $\Phi(d, m, n)$ (when the context is clear, we forgo writing the $m$ and $n$ parameters).

Let $B^\delta_{t,d}$ be the set of all words in $\mathcal{A}_d^{m+n}$ such that the estimate given by sampling strategy $\Phi(d)$ is $\delta$ close to the actual value given a particular, fixed, subset $t$. Formally:

$$B^\delta_{t,d} = \{q \in \mathcal{A}_d^{n+m} \mid |w(q_t) - w(q_{-t})| \le \delta\}.$$

Then, the error probability of $\Phi(d)$ is defined to be:

$$\epsilon^{cl}_{\delta,d} = \max_{q \in \mathcal{A}_d^{n+m}} Pr\left(q \notin B^\delta_{T,d}\right),$$

where the above probability is over the choice of subset. Note the "cl" superscript is used to enforce the notion that this is a classical sampling strategy still. However, a classical sampling strategy may be extended to a quantum one in a natural way [13]. Let $Z = \{|a_0\rangle, \cdots, |a_{d-1}\rangle\}$ be an orthonormal basis of $\mathcal{H}_d$. Then, given a state $|\psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E$, where $\mathcal{H}_A \cong \mathcal{H}_d^{\otimes N}$, if we can write $|\psi\rangle = |a_{i_1}, a_{i_2}, \cdots, a_{i_N}\rangle \otimes |\phi\rangle_E$, where $i = i_1 \cdots i_N \in \mathcal{A}_d^N$, then $|\psi\rangle$ is said to have relative Hamming weight $w(i)$ in $A$ with respect to basis $Z$. Note that this definition is basis dependent, and not any arbitrary $|\phi\rangle_{AE}$ can be said to have Hamming weight $\beta$ using this definition - only those that are of this particular basis form. Note we often denote $|a_{i_1} \cdots a_{i_N}\rangle$ as simply $|a_i\rangle$ if the context is clear.

Next, we define $\text{span}\left(B^\delta_{t,d}\right)$ to be $\text{span}\left\{|a_i\rangle \mid i \in \mathcal{A}_d^N \text{ and } |w(i_t) - w(i_{-t})| \le \delta\right\}$. Notice that if $|\psi\rangle \in \text{span}(B^\delta_{t,d}) \otimes \mathcal{H}_E$, then if sampling is done on the state $|\psi\rangle$ by measuring in the $Z$ basis on fixed subset $t$, it is guaranteed that the state will collapse to one which is a superposition of states that are $\delta$ close to the observed Hamming weight with respect to the basis used.

The main result from [13], besides introducing the above definitions, was to prove the following:

Theorem 1. (Modified from [13]): Let $m < n$ and consider the sampling strategy $\Phi(d, m, n)$. Then, for every pure state $|\psi\rangle \in \mathcal{H}_d^{\otimes(m+n)} \otimes \mathcal{H}_E$, there exists a collection of "ideal states" denoted $\{|\phi^t\rangle\}$, indexed over all subsets $t \subset \{1, \cdots, m+n\}$ of size $m$ such that $|\phi^t\rangle \in \text{span}(B^\delta_{t,d}) \otimes \mathcal{H}_E$ and:

$$\frac{1}{2}\left\| \frac{1}{T}\sum_t [t] \otimes [\psi] - \frac{1}{T}\sum_t [t] \otimes [\phi^t] \right\| \le \sqrt{\epsilon^{cl}_{\delta,d}}. \tag{5}$$

Above, $T = \binom{n+m}{m}$ and the sum is over all subsets $t$ of size $m$ and, again, $\|\cdot\|$ is the trace distance.

Proof. To show that the above follows from Theorem 3 in [13], note that, in their proof, they show that for any fixed $|\psi\rangle$, there exists a suitable ideal state satisfying the needed inequality.

Actually, in [13], a more general statement was proven for arbitrary sampling strategies, though we focus only on $\Phi(d, m, n)$ here. We also reword their result from [13] slightly to give a more applicable form of their result, for our work here (see also [14]), however the above follows immediately from the proof of their main theorem.

The following lemma, proven in [13], will be important.

Lemma 2. (From [13]): Let $\delta > 0$ and $d \ge 2$. Consider $\Phi(d, m, n)$ for $m < n$. Then:

$$\epsilon^{cl}_{\delta,d} \le 2\exp\left(\frac{-\delta^2 m(n+m)}{m+n+2}\right).$$

III. MAIN RESULT

We are now in a position to state and prove our new entropic uncertainty relation. We consider the following experiment, denoted Exp. This experiment takes as input a quantum system of the form $\rho_{TAE} = \sum_t p_t [t] \otimes \rho^t_{AE}$, where the sum is over all subsets $t$ of a fixed size $m$, and a two element POVM $\Lambda = \{\Lambda_0, \Lambda_1\}$. Note that $\rho^t_{AE}$ may be equal to $\rho^{t'}_{AE}$ for $t \ne t'$ (i.e., the $AE$ portion may be independent of the $T$ register initially) and we assume the $A$ portion acts on a Hilbert space $\mathcal{H}_d^{\otimes(m+n)}$ where $d$, $m$, and $n$ are known to the experiment. This experiment will first measure the $T$ register resulting in outcome $t$ and causing the state to collapse to $\rho^t_{AE}$. Next, it will measure those $d$-dimensional subspaces of the $A$ register as indexed by subset $t$ using POVM $\Lambda$ resulting in outcome $q \in \{0, 1\}^m$ and, then tracing out the measured portion leaving only the $n$ unmeasured subspaces of $A$ and the $E$ system, results in post-measurement state $\rho(t, q)$. The values $t$, $q$, and the quantum state $\rho(t, q)$ are returned by the experiment. A particular run of this experiment, with a particular output, is denoted $(t, q, \rho(t, q)) \leftarrow \text{Exp}(\rho_{TAE}, \Lambda)$.

Our main result involves a bound on the min entropy of the remaining system if it is measured in a $d$ dimensional basis as a function of the specific returned $q$. With high probability, given a particular observation $q$, one may argue that the min entropy in the remaining portion, if measured in an alternative basis, may be lower bounded by a function of the basis choice and the Hamming weight of $q$. In particular, with high probability, if the Hamming weight of $q$ is small, one may argue there is a high amount of min entropy in the remaining portion of the system if measured in an alternative basis.

Theorem 2. Let $\epsilon > 0$, $0 < \beta < 1/2$, and $\rho_{AE}$ an arbitrary quantum state acting on $\mathcal{H}_A \otimes \mathcal{H}_E$, where $\mathcal{H}_A \cong \mathcal{H}_d^{\otimes(n+m)}$ for $d \ge 2$ and $m < n$. Let $Z = \{|z_i\rangle\}_{i=0}^{d-1}$ and $X = \{|x_i\rangle\}_{i=0}^{d-1}$ be two orthonormal bases of $\mathcal{H}_d$ and $\Lambda$ be the two outcome POVM with elements $\{\Lambda_0 = [x_0], \Lambda_1 = I - [x_0]\}$ (where $[x_0] = |x_0\rangle\langle x_0|$). Finally, let $(t, q, \rho(t, q)) \leftarrow \text{Exp}\left(\frac{1}{T}\sum_t [t] \otimes \rho_{AE}, \Lambda\right)$, where the sum is over all subsets $t \subset \{1, 2, \cdots, n+m\}$ of size $m$ and $T = \binom{n+m}{m}$. Then it holds that:

$$Pr\left( H^{\epsilon'}_\infty(Z|E)_{\rho(t,q)} + \frac{n\bar{H}_d(w(q) + \delta)}{\log_d 2} \ge n\gamma \right) \ge 1 - \epsilon'', \tag{6}$$

where the probability is over the choice of subset $t$ and the measurement outcome $q$. Above:

$$\gamma = -\log_2 \max_{a,b \in \mathcal{A}_d} |\langle z_a | x_b \rangle|^2,$$

and $\epsilon' = 4\epsilon + 2\epsilon^\beta$, $\epsilon'' = 2\epsilon^{1-2\beta}$, and finally:

$$\delta = \sqrt{\frac{(m+n+2)\ln(2/\epsilon^2)}{m(m+n)}}. \tag{7}$$

Proof. Our proof follows similar techniques we used first in [14], though with suitable modifications for higher-dimensional systems entangled with an ancilla system. We first consider the case where $\rho_{AE}$ is pure; that is, $\rho_{AE} = [\psi]$. Consider the sampling strategy $\Phi(d)$ as discussed earlier. From Theorem 1 using $\rho_{AE}$ and $\Phi(d)$, we know there exists an ideal state $\sigma = \frac{1}{T}\sum_t [t] \otimes [\phi^t]$ such that:

1) $|\phi^t\rangle \in \text{span}\left(B^\delta_{t,d}\right) \otimes \mathcal{H}_E$
2) $\frac{1}{2}\left\| \frac{1}{T}\sum_t [t] \otimes \rho_{AE} - \frac{1}{T}\sum_t [t] \otimes [\phi^t] \right\| \le \sqrt{\epsilon^{cl}_\delta}$.

From Lemma 2, along with our choice of $\delta$, we have $\sqrt{\epsilon^{cl}_\delta} = \epsilon$. We first analyze the ideal state $\sigma$.

Consider running $(t, q, \sigma(t, q)) \leftarrow \text{Exp}(\sigma, \Lambda)$. First, the experiment will choose a random sample by measuring the $T$ register, causing $\sigma$ to collapse to the ideal $|\phi^t\rangle$. Next, a measurement is performed using POVM $\Lambda$ resulting in outcome $q \in \{0, 1\}^m$. The experiment then traces out the measured portion resulting in $\sigma(t, q)$, a density operator acting on $\mathcal{H}_d^{\otimes n} \otimes \mathcal{H}_E$. Since $|\phi^t\rangle \in \text{span}\left(B^\delta_{t,d}\right) \otimes \mathcal{H}_E$, we claim that the post measurement state is of the form:

$$\sigma(t, q) = \sum_{k \in \mathcal{A}_{d-1}^{wt(q)}} p_k \cdot P\left( \sum_{i \in J_q^{(k)}} \alpha_i^{(k)} |x_i\rangle \otimes |E_i^{(k)}\rangle \right), \tag{8}$$

where $P(z) = zz^*$, $\mathcal{A}_d$ was defined in the Notation section, $wt(q)$ is the (non-relative) Hamming weight of $q$, and:

$$J_q^{(k)} \subset J_q = \{i \in \mathcal{A}_d^n \mid |w(i) - w(q)| \le \delta\}. \tag{9}$$

That this is the form of the post measurement state after the experiment is clear. Indeed, note that $|\phi^t\rangle$ is a superposition of vectors of the form $|x_i\rangle$ with $|w(i_t) - w(i_{-t})| \le \delta$. Thus, on observing $q$ using POVM $\Lambda$ on subspace indexed by $t$, but before tracing out the measured portion, the state is of the form:

$$\sum_{k \in K_q} \sqrt{p_k}\, |x_k\rangle_Q \sum_{i \in J_q^{(k)}} \alpha_i^{(k)} |x_i\rangle \otimes |E_i^{(k)}\rangle,$$

where $K_q = \{k \in \mathcal{A}_d^m \mid k_i = 0 \text{ iff } q_i = 0\}$. Tracing out the $Q$ register, the final step of the experiment, yields Equation 8.

We now claim that $H_\infty(Z|E)_{\sigma(t,q)} \ge n(\gamma - \bar{H}_d(w(q) + \delta)/\log_d 2)$. Consider a purification of Equation 8:

$$|\sigma_{KRE}(t, q)\rangle = \sum_k \sqrt{p_k}\, |k\rangle \sum_{i \in J_q^{(k)}} \alpha_i^{(k)} |x_i\rangle_R |E_i^{(k)}\rangle.$$

Then it holds that $H_\infty(Z|E)_{\sigma(t,q)} \ge H_\infty(Z|EK)_{\sigma(t,q)}$. By reordering terms, we may write this purification as:

$$|\sigma_{KRE}(t, q)\rangle = \sum_{i \in J_q} \beta_i |x_i\rangle |\tilde{E}_i\rangle_{EK},$$

where $J_q$ was defined in Equation 9 and the $|\tilde{E}_i\rangle$ are normalized states in $\mathcal{H}_E \otimes \mathcal{H}_K$. Define the mixed state $\chi = \sum_{i \in J_q} |\beta_i|^2 [i] \otimes [\tilde{E}_i]$. Then, from Lemma 1, we have:

$$H_\infty(Z|EK)_{\sigma(t,q)} \ge H_\infty(Z|EK)_\chi - \log_2 |J_q|.$$

We first consider a bound on $H_\infty(Z|EK)_\chi$. After measuring in the $Z$ basis, the resulting state may be written as the density operator $\chi_{ZEK}$:

$$\chi_{ZEK} = \sum_{i \in J_q} |\beta_i|^2 \left( \sum_{j \in \mathcal{A}_d^n} p(j|i)[z_j] \right) \otimes [\tilde{E}_i]_{EK}, \tag{10}$$

where $p(j|i) = |\langle z_j | x_i \rangle|^2 = \prod_{\ell=1}^n |\langle z_{j_\ell} | x_{i_\ell} \rangle|^2 \le c^n$, and $c = \max_{a,b \in \mathcal{A}_d} |\langle z_a | x_b \rangle|^2$. We add an additional register $\mathcal{H}_I$ spanned by orthonormal basis $\{|I_i\rangle\}$ and define the state:

$$\chi_{ZEKI} = \sum_{i \in J_q} |\beta_i|^2 \underbrace{\left( \sum_{j \in \mathcal{A}_d^n} p(j|i)[z_j] \right)}_{\chi_i} \otimes [\tilde{E}_i] \otimes [I_i].$$

The $EKI$ register may be considered, taken together, as a classical system and, so, using Equation 3, we have:

$$H_\infty(Z|EKI)_\chi \ge \min_i H_\infty(Z)_{\chi_i} = \min_i \left( -\log \max_j p(j|i) \right) = -\max_{i,j} \log p(j|i) \ge -\log c^n = n\gamma.$$

Using the well-known bound on the volume of a Hamming sphere, we have $|J_q| \le |\{i \in \mathcal{A}_d^n \mid w(i) \le w(q) + \delta\}| \le d^{n\bar{H}_d(w(q)+\delta)}$ (here, we use our extended version to avoid the case when $w(q) + \delta > 1 - 1/d$; indeed, in that case, the above holds trivially). Combining everything, we conclude:

$$\begin{aligned} H_\infty(Z|E)_{\sigma(t,q)} &\ge H_\infty(Z|EK)_{\sigma(t,q)} \\ &\ge H_\infty(Z|EK)_\chi - \log_2 |J_q| \\ &\ge H_\infty(Z|EKI)_\chi - \log_2 |J_q| \\ &\ge n\left( \gamma - \frac{\bar{H}_d(w(q) + \delta)}{\log_d 2} \right). \end{aligned} \tag{11}$$

Of course, this was only the ideal state where the sampling process is guaranteed to produce a good result. We now turn our attention to the real case $\rho_{AE}$. Consider $\rho_{TQRE}$, a density operator describing the output of the experiment in its entirety, modeling the output $t$ and $q$ as random variables. We may write this state as:

$$\rho_{TQRE} = \frac{1}{T}\sum_t [t]_T \otimes \sum_{q \in \{0,1\}^m} p(q|t)[q]_Q \otimes \rho(t, q),$$

where $p(q|t)$ is the probability of observing $q$ given that subset $t$ was chosen. Of course $\rho(t, q)$ is the post measurement state (acting on space $RE$) output in that event, tracing out the measured portion of $\mathcal{H}_A$ (the $R$ portion is the unmeasured portion remaining after measurement). Similarly, we may define $\sigma_{TQRE}$ to be the result of the entire experiment performed on the ideal state:

$$\sigma_{TQRE} = \frac{1}{T}\sum_t [t]_T \otimes \sum_{q \in \{0,1\}^m} \hat{p}(q|t)[q]_Q \otimes \sigma(t, q).$$

Of course, $\sigma(t, q)$, the post measurement state for the ideal scenario, was analyzed above.

Since quantum operations, in particular our experiment, cannot increase trace distance, we have $\frac{1}{2}\|\rho_{TQRE} - \sigma_{TQRE}\| \le \epsilon$. Let $\delta_{t,q} = \hat{p}(q|t) - p(q|t)$. By elementary properties of trace distance, we have:

$$\begin{aligned} \epsilon &\ge \frac{1}{2}\|\rho_{TQRE} - \sigma_{TQRE}\| \\ &= \frac{1}{2}\frac{1}{T}\sum_t \sum_q \|p(q|t)\rho(t, q) - \hat{p}(q|t)\sigma(t, q)\| \\ &= \frac{1}{2T}\sum_{t,q} \|p(q|t)(\rho(t, q) - \sigma(t, q)) - \delta_{t,q}\sigma(t, q)\| \\ &\ge \sum_{t,q} p(q \wedge t)\frac{1}{2}\|\rho(t, q) - \sigma(t, q)\| - \frac{1}{2T}\sum_{t,q}\|\delta_{t,q}\sigma(t, q)\| \\ &= \sum_{t,q} p(q \wedge t)\Delta_{t,q} - \frac{1}{2T}\sum_{t,q}|\delta_{t,q}|, \end{aligned}$$

where we define $p(q \wedge t) = \frac{1}{T}p(q|t)$ and $\Delta_{t,q} = \frac{1}{2}\|\rho(t, q) - \sigma(t, q)\|$. The above follows from the reverse triangle inequality and the fact that $\|\sigma(t, q)\| = 1$ since $\sigma(t, q)$ is a positive operator of unit trace. Note that $\Delta_{t,q} \le 1$ due to properties of trace distance.

Since partial trace is a quantum operation, we have (tracing out the $RE$ registers): $\epsilon \ge \frac{1}{2}\|\rho_{TQ} - \sigma_{TQ}\| = \frac{1}{2T}\sum_{t,q}|\delta_{t,q}|$. Combining the above yields: $\sum_{t,q} p(q \wedge t)\Delta_{t,q} \le 2\epsilon$. Now, we treat $\Delta_{t,q}$ as a random variable over the choice of subset ($t$) and measurement outcome ($q$). It is clear that the expected value of $\Delta_{t,q}$ is $E(\Delta_{t,q}) = \mu \le 2\epsilon$. The variance, $V^2$, is also bounded by:

$$V^2 = \sum_{t,q} p(q \wedge t)\Delta_{t,q}^2 - \mu^2 \le \sum_{t,q} p(q \wedge t)\Delta_{t,q} \le 2\epsilon.$$

The above follows from the fact that $\Delta_{t,q} \le 1$. By Chebyshev's inequality, we have: $Pr\left(|\Delta_{t,q} - \mu| \le \epsilon^\beta\right) \ge 1 - 2\epsilon^{1-2\beta}$. Thus, except with probability at most $2\epsilon^{1-2\beta}$, it holds that: $|\Delta_{t,q} - \mu| \le \epsilon^\beta \implies \frac{1}{2}\|\rho(t, q) - \sigma(t, q)\| \le 2\epsilon + \epsilon^\beta$. Since, in such a case, $\sigma(t, q) \in \Gamma_{4\epsilon + 2\epsilon^\beta}(\rho(t, q))$, we conclude:

$$H^{4\epsilon + 2\epsilon^\beta}_\infty(Z|E)_{\rho(t,q)} \ge H_\infty(Z|E)_{\sigma(t,q)} \ge n\left( \gamma - \frac{\bar{H}_d(w(q) + \delta)}{\log_d 2} \right),$$

as desired.

Of course, if $\rho_{AE}$ is not pure, it may be purified by adding an ancilla system $\mathcal{H}_I$. In that case, due to strong sub additivity, the above analysis still holds, thus completing the proof.

IV. APPLICATION TO QRNGS

While interesting in itself, our new entropic uncertainty relation has applications to cryptography. Note that we consider the main contribution of this paper to be our Theorem 2, however, in this section, we show how it can be used in applications.

In particular, we use it now to demonstrate the security of the following source independent quantum random number generator (QRNG). The goal of a QRNG is to utilize quantum effects to distill a truly uniform random string. The source independent model, introduced in [15], assumes the quantum source is controlled by an adversary (though the dimension of the system is known and bounded) while the measurement devices are trusted. Furthermore, in this model, the goal is to produce a uniform random string, independent of any adversary's system. The protocol we analyze is the following: a source, potentially adversarial, produces a quantum state in $\mathcal{H}_d^{\otimes(n+m)} \otimes \mathcal{H}_E$ where $d$, $m$, and $n$ are public parameters set by the users of the protocol. The $n + m$ qudits are sent to the user Alice, while the $\mathcal{H}_E$ system is kept by the adversary. Alice chooses a subset of size $m$ qudits to measure using POVM $\Lambda = \{[x_0], I - [x_0]\}$ where $|x_0\rangle = F|0\rangle$, and $F$ is the $d$ dimensional quantum Fourier transform. The remaining $n$ qudits are measured in the computational $Z = \{|0\rangle, \cdots, |d-1\rangle\}$ basis resulting in a string $r$. This is then processed through privacy amplification to hash $r$ down to an $\ell$ bit string $s$ which is the final random string output by the protocol. Note that an honest source should prepare a state of the form $|x_0\rangle^{\otimes(m+n)}$, independent of $\mathcal{H}_E$. To our knowledge this source independent QRNG has not been considered in the past. Indeed, prior work in this model requires the user to be able to perform a full basis measurement both for the test and the random distillation modes. Thus, our protocol would be simpler to implement in practice (as one need not distinguish all states in two bases).

Let $\epsilon > 0$ and set $\epsilon_{PA} = 9\epsilon + 4\epsilon^\beta$ be the desired distance from an ideal uniform random string of size $\ell$ independent of $E$'s system. Using Equation 4 and Theorem 2, after running the protocol, on observing outcome $q$ during the test with $\Lambda$, except with probability $2\epsilon^{1-2\beta}$, it holds that:

$$\ell_{ours} \ge n\left( \log d - \frac{\bar{H}_d(w(q) + \delta)}{\log_d 2} \right) - 2\log\frac{1}{\epsilon}, \tag{12}$$

giving a simple, clean, proof of security for this new protocol. Thus, to analyze the number of random bits one may distill from the protocol we introduced above, one simply observes $q$ using a test of POVM $\Lambda$ which does not require a full basis measurement. From this, one may, with high probability depending on user parameters, determine how many random bits are output even if the source is adversarial.

We compare with two other high dimensional source independent QRNGs - one from [15] (with bit generation length $\ell_1$ as derived in [15]) and one from [16] (with bit generation length $\ell_2$ as derived in [16]). Both use alternative entropic uncertainty relations to compute $\ell_i$. Note that both also require full basis measurements for testing.

For the protocol in [15], an adversarial source prepares a state in $\mathcal{H}_d^{\otimes(n+m)} \otimes \mathcal{H}_E$. Alice measures a subset in the $X = \{|x_i\rangle\}$ basis where $|x_i\rangle = F|i\rangle$. The remaining qudits are measured in the computational $Z$ basis and are processed through privacy amplification. The secret random string size is computed in [15] to be:

$$\ell_1 \ge n\left( \log_2 d - 2\log_2\left[ \frac{\Gamma(m+d)}{\Gamma\left(m+d+\frac{1}{2}\right)} \sum_{i=0}^{d-1} \frac{\Gamma\left(c_i + \frac{3}{2}\right)}{\Gamma(c_i + 1)} \right] \right),$$

where $c_i$ is the number of measurement outcomes (out of the $m$ test measurements) resulting in outcome $|x_i\rangle$ and $\Gamma(x)$ is the Gamma function. To derive the above, they used an entropic uncertainty relation from [2], along with the Bayesian estimator for the max entropy from [17].

The protocol introduced in [16] involves an adversarial source that prepares an entangled pair of qudits, sending both pairs to Alice. On test iterations, Alice measures both pairs in the basis $X$ (as defined above). On other iterations, she measures only the first pair in basis $Z$, discarding the second pair. Again, the authors use an entropic uncertainty relation from [2], though an alternative method of estimating the max entropy using results in [18] and the fact that the source is preparing entangled pairs. They prove the secret random string length, after privacy amplification, is:

$$\ell_2 \ge n\log_2 d - \log_2 \gamma(d_0 + \delta'),$$

where:

$$\gamma(x) = \left(x + \sqrt{1 + x^2}\right)\left( \frac{x}{\sqrt{1 + x^2} - 1} \right)^x,$$

and:

$$\delta' = d\sqrt{\frac{N^2}{n^2 m}\ln\left(\frac{4}{\epsilon'}\right)}.$$

Above, $d_0 = \frac{1}{m}\sum_{i=1}^m |c_A(i) - c_B(i)|$, where $c_A(i) \in \mathcal{A}_d$ is the measurement outcome on test iteration $i$ of the $A$ register in basis $X$ (similar for $c_B(i)$).

To evaluate our protocol ($\ell_{ours}$), we set $\beta = 1/3$ and $\epsilon = 10^{-36}$ which implies the failure probability is $2 \times 10^{-12}$ while $\epsilon_{PA} = 4 \times 10^{-12}$. Note we did not optimize $\beta$ which may lead to higher rates for our protocol and we use 7% of total signals for sampling. When considering noise of $x$ in these evaluations we assume a depolarization channel. For this, we set $q = x$ for our model; for $\ell_1$ we set $c_i = m \cdot x/(d-1)$ if $i \ne 0$ and $c_0 = m(1-x)$; and finally for $\ell_2$, we set $d_0 = x$ (which is advantageous for that model; indeed $x$ is only a lower-bound for $d_0$ so $\ell_2$ may be lower than we plot here). A more detailed comparison for other noise channels would be interesting future work.

The results are shown in Figure 1. We find that, for very few signals, $\ell_1$ outperforms both while for a very large number of signals, $\ell_2$ outperforms both. However there is a large window in between where our new protocol, as analyzed by our new entropic uncertainty relation, outperforms both systems, even though we actually have a simpler protocol.

Fig. 1. Secret random bit generation rates. x-axis: Total number of signals $N = n + m$; y-axis: Secret random bit generation rate: $\ell/N$. Solid: ours ($\ell_{ours}/N$); Dotted: $\ell_1/N$ from [15]; Dashed: $\ell_2/N$ from [16]. Upper-left: $d = 2^2$ with 2% noise; Upper-Right: $d = 2^2$ with 2% noise, higher number of iterations; Lower-Left: $d = 2^5$ with 10% noise; Lower-Right: $d = 2^{10}$ with 10% noise. See text for explanation.

V. CLOSING REMARKS

In this paper, we introduced a novel entropic uncertainty relation bounding the conditional min-entropy of a system based on the result of a measurement in a two-outcome POVM and the probability of failure of a classical sampling strategy. Furthermore, this shows yet another fascinating application of the quantum sampling framework as introduced in [13] to areas in general quantum information theory. While interesting in and of itself, we also showed how this could be used to analyze the security of a novel source independent QRNG utilizing restricted measurement capabilities. We show our new uncertainty relation provides optimistic bit generation rates for our protocol, despite its inability to perform a complete measurement in two bases. We believe the quantum sampling framework can hold even further applications when combined with our proof technique here and in [14], and may shed light on new min entropy bounds of great use in quantum cryptography.

ACKNOWLEDGMENT

The author would like to acknowledge support from NSF grant number 1812070.

REFERENCES

[1] H. Maassen and J. B. M. Uffink, "Generalized entropic uncertainty relations," Phys. Rev. Lett., vol. 60, pp. 1103–1106, Mar 1988.
[2] M. Tomamichel and R. Renner, "Uncertainty relation for smooth entropies," Physical review letters, vol. 106, no. 11, p. 110506, 2011.
[3] I. Bialynicki-Birula, "Formulation of the uncertainty relations in terms of the Rényi entropies," Phys. Rev. A, vol. 74, p. 052101, Nov 2006. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevA.74.052101
[4] M. Berta, M. Christandl, R. Colbeck, J. M. Renes, and R. Renner, "The uncertainty principle in the presence of quantum memory," Nature Physics, vol. 6, no. 9, p. 659, 2010.
[5] F. Adabi, S. Salimi, and S. Haseli, "Tightening the entropic uncertainty bound in the presence of quantum memory," Physical Review A, vol. 93, no. 6, p. 062123, 2016.
[6] T. Pramanik, P. Chowdhury, and A. Majumdar, "Fine-grained lower limit of entropic uncertainty in the presence of quantum memory," Physical review letters, vol. 110, no. 2, p. 020402, 2013.
[7] P. J. Coles, M. Berta, M. Tomamichel, and S. Wehner, "Entropic uncertainty relations and their applications," Rev. Mod. Phys., vol. 89, p. 015002, Feb 2017.
[8] I. Bialynicki-Birula and Ł. Rudnicki, "Entropic uncertainty relations in quantum physics," in Statistical Complexity. Springer, 2011, pp. 1–34.
[9] S. Wehner and A. Winter, "Entropic uncertainty relations—a survey," New Journal of Physics, vol. 12, no. 2, p. 025009, 2010.
[10] R. Renner, "Security of quantum key distribution," International Journal of Quantum Information, vol. 6, no. 01, pp. 1–127, 2008.
[11] R. Renner and S. Wolf, "Smooth Rényi entropy and applications," in International Symposium on Information Theory, 2004. ISIT 2004. Proceedings. IEEE, 2004, p. 233.
[12] R. Konig, R. Renner, and C. Schaffner, "The operational meaning of min-and max-entropy," IEEE Transactions on Information theory, vol. 55, no. 9, pp. 4337–4347, 2009.
[13] N. J. Bouman and S. Fehr, "Sampling in a quantum population, and applications," in Annual Cryptology Conference. Springer, 2010, pp. 724–741. [Online]. Available: arXiv preprint arXiv:0907.4246
[14] W. O. Krawec, "Quantum sampling and entropic uncertainty," Quantum Information Processing, vol. 18, no. 12, p. 368, 2019.
[15] G. Vallone, D. G. Marangon, M. Tomasin, and P. Villoresi, "Quantum randomness certified by the uncertainty principle," Physical Review A, vol. 90, no. 5, p. 052327, 2014.
[16] F. Xu, J. H. Shapiro, and F. N. Wong, "Experimental fast quantum random number generation using high-dimensional entanglement with entropy monitoring," Optica, vol. 3, no. 11, pp. 1266–1269, 2016.
[17] D. Holste, I. Grosse, and H. Herzel, "Bayes' estimators of generalized entropies," Journal of Physics A: Mathematical and General, vol. 31, no. 11, p. 2551, 1998.
[18] F. Furrer, T. Franz, M. Berta, A. Leverrier, V. B. Scholz, M. Tomamichel, and R. F. Werner, "Continuous variable quantum key distribution: finite-key analysis of composable security against coherent attacks," Physical review letters, vol. 109, no. 10, p. 100502, 2012.
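
The finite-size bound of Section IV (Equation 12, with the sampling tolerance of Equation 7 and the extended d-ary entropy of Equation 2), evaluated numerically as an added example; this is not code from the paper. It assumes base-2 logarithms and takes the observed relative Hamming weight w(q) as an input; the function names and the sample parameters are constructed for illustration, and the overlap term is computed from the basis overlaps as in Theorem 2, so it goes slightly beyond the Fourier-basis case of Equation 12.

```python
import cmath
import math


def extended_d_ary_entropy(x, d):
    """Extended d-ary entropy of Equation 2: 0 below 0, 1 above 1 - 1/d."""
    if x <= 0:
        return 0.0
    if x > 1 - 1 / d:
        return 1.0
    # h_d(x) for 0 < x <= 1 - 1/d (so x < 1 and every log argument is > 0)
    return (x * math.log(d - 1, d) - x * math.log(x, d)
            - (1 - x) * math.log(1 - x, d))


def sampling_delta(m, n, eps):
    """Sampling tolerance delta of Equation 7 for m test and n raw signals."""
    if not 0 < m < n:
        raise ValueError("Lemma 2 and Theorem 2 require m < n")
    log_term = math.log(2) - 2 * math.log(eps)  # ln(2 / eps^2), underflow-safe
    return math.sqrt((m + n + 2) * log_term / (m * (m + n)))


def lemma2_bound(delta, m, n):
    """Lemma 2 upper bound on the classical sampling error probability."""
    return 2 * math.exp(-delta ** 2 * m * (n + m) / (m + n + 2))


def fourier_overlaps(d):
    """Matrix U[a][b] = <z_a|x_b> with |x_b> = F|b> (quantum Fourier basis)."""
    return [[cmath.exp(2j * math.pi * a * b / d) / math.sqrt(d)
             for b in range(d)] for a in range(d)]


def overlap_gamma(overlaps):
    """gamma = -log2 max_{a,b} |<z_a|x_b>|^2 from Theorem 2."""
    c = max(abs(entry) ** 2 for row in overlaps for entry in row)
    return -math.log2(c)


def qrng_rate(N, d, w_q, eps, beta, sample_frac=0.07, gamma=None):
    """Extractable bits after the two-outcome test, following Equation 12.

    N: total signals, d: qudit dimension, w_q: observed relative Hamming
    weight of the test outcome, eps/beta: security parameters of Theorem 2,
    sample_frac: share of signals used for the test (7% in the evaluation).
    """
    if not (eps > 0 and 0 < beta < 0.5 and d >= 2):
        raise ValueError("need eps > 0, 0 < beta < 1/2 and d >= 2")
    m = round(sample_frac * N)
    n = N - m
    if gamma is None:
        gamma = overlap_gamma(fourier_overlaps(d))  # equals log2(d)
    delta = sampling_delta(m, n, eps)
    # 1 / log_d(2) = log2(d), so the entropy penalty is H_bar * log2(d).
    per_signal = gamma - extended_d_ary_entropy(w_q + delta, d) * math.log2(d)
    ell = max(0.0, n * per_signal - 2 * math.log2(1 / eps))
    return {
        "m": m, "n": n, "delta": delta, "ell": ell, "rate": ell / N,
        "fail_prob": 2 * eps ** (1 - 2 * beta),   # epsilon'' of Theorem 2
        "eps_pa": 9 * eps + 4 * eps ** beta,      # distance from uniform
    }


if __name__ == "__main__":
    # Constructed inputs: d = 4, 2% observed weight, eps and beta as in the
    # evaluation of Section IV, several block sizes N.
    for N in (10 ** 3, 10 ** 5, 10 ** 6, 10 ** 8):
        r = qrng_rate(N, d=4, w_q=0.02, eps=1e-36, beta=1 / 3)
        print(f"N={N:>9}  delta={r['delta']:.4f}  rate={r['rate']:.4f}")
    # A test basis that coincides with the raw-key basis certifies nothing.
    print("gamma for X = Z:", overlap_gamma([[1, 0], [0, 1]]))
```

For small N the tolerance delta exceeds 1 - 1/d, the entropy penalty saturates, and the certified length is zero, which is why the bound only becomes useful once the test sample is large enough.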