A High Speed Integrated Quantum Random Number Generator with on-Chip Real-Time Randomness Extraction
Francesco Regazzoni, Emna Amri, Samuel Burri, Davide Rusca, Hugo Zbinden, Edoardo Charbon
11 A High Speed Integrated Quantum RandomNumber Generator with on-Chip Real-TimeRandomness Extraction
Francesco Regazzoni , ∗ + , Emna Amri , , Samuel Burri , Davide Rusca , Hugo Zbinden and Edoardo Charbon University of Amsterdam, Amsterdam (The Netherlands); ALaRI, Universit`a della Svizzera italiana, Lugano(Switzerland); Group of Applied Physics (GAP), University of Geneva, Geneva (Switzerland); Id Quantique SA(IDQ), Geneva (Switzerland); ´Ecole Polytechnique F´ed´erale de Lausanne (EPFL), Neuchˆatel (Switzerland) Abstract —The security of electronic devices has become akey requisite for the rapidly-expanding pervasive and hyper-connected world. Robust security protocols ensuring secure com-munication, device’s resilience to attacks, authentication controland users privacy need to be implemented. Random NumberGenerators (RNGs) are the fundamental primitive in most secureprotocols but, often, also the weakest one. Establishing security inbillions of devices requires high quality random data generatedat a sufficiently high throughput. On the other hand, the RNGshould exhibit a high integration level with on-chip extractionto remove, in real time, potential imperfections. We present thefirst integrated Quantum RNG (QRNG) in a standard CMOStechnology node. The QRNG is based on a parallel array ofindependent Single-Photon Avalanche Diodes (SPADs), homo-geneously illuminated by a DC-biased LED, and co-integratedlogic circuits for postprocessing. We describe the randomnessgeneration process and we prove the quantum origin of entropy.We show that co-integration of combinational logic, even of highcomplexity, does not affect the quality of randomness. Our CMOSQRNG can reach up to 400 Mbit/s throughput with low powerconsumption. Thanks to the use of standard CMOS technologyand a modular architecture, our QRNG is suitable for a highlyscalable solution.
With the ubiquity and density of mobile devices, securityhas become a very serious concern and, at the same time,a key enabler for next generation Internet-of-Things (IoT)and cyber-physical systems. True random number generators(TRNGs) are the core building block in almost all securityschemes today [17], [19]. TRNGs exploit complex physicalphenomena in order to generate randomness. However, theirgeneration process is taken to be random without a com-plete physical model that could describe their behavior. Thismeans that a possibly perfect entropy source could becomecompletely deterministic with a higher understanding of thephysical process. QRNGs solve this problem by exploitingthe intrinsic probabilistic nature of quantum mechanics. Infact, the measurement result of quantum processes can notbe predicted, not even by an all powerful malicious thirdparty. Several implementations have been proposed, while thespecific requirements are depending on target applications.Numerous works focus on extremely high-speed architec- ∗ Corresponding Author: [email protected], [email protected] + These two authors contributed equally This work has been submitted to the IEEE for possible publication.Copyright may be transferred without notice, after which this version mayno longer be accessible.
Raw SequenceExtracted SequenceExtractor Matrix X = LIGHT
Lossy channel
Analog Domain η HLVoltage TimePhoton detector 1Readout HLVoltage TimePhoton detector 2Readout HLVoltage TimePhoton detector 3Readout HLVoltage TimePhoton detector 4Readout
Fig. 1: High level schematic illustration of the proposedQRNG and its operational principle. A light source illuminatesa photon detector through a lossy channel with a transmissionprobability η including all the optical coupling losses andthe photon detection efficiency of the detector. The photondetector plays the role of the transducer and outputs digitalbits correlated to the amount of detected photons. Raw data,that are directly accessible for testing purpose, are immediatelyforwarded into an entropy extractor, also implemented on chip,that produces the sequence of true random numbers.tures [20], some on extracting entropy from existing devicessuch as FPGAs [14] or general-purpose processors [11] andothers on using optical entropy sources [9]. Our QRNG lieswithin the last category and can be modelled at the first levelas a light source emitting photons with a certain statisticaltime distribution and illuminating a photon detector through alossy channel with a transmission probability η including allthe optical coupling losses and the photon detection efficiencyof the detector. The photon detector plays the role of thetransducer and outputs digital bits correlated to the amountof detected photons. Due to hardware imperfections and ex-ternal classical noise, the quantum randomness is inevitablymixed with classical randomness. To distill the randomness ofquantum origin, one needs to quantify it using an appropriatephysical modelling and apply a specialized mathematical post-processing called randomness extractor. Figure 1 shows ademonstration of this model.In this paper, we present an integrated QRNG with on-chipreal-time randomness extraction. The QRNG is based on a a r X i v : . [ qu a n t - ph ] F e b Fixed ✕ extractor ‘A’…… ✕
128 pixels
Variable 1024 ✕ On ChipOff Chip
Host PCPowerSupplyControlFPGA USB bridgeState Machine ControlSignalsFIFO MemoryLED current supplySPAD bias voltageChip power supplyGlobal Control SWData Analysis ControlUnit
Fig. 2: Overview of the experimental setup architecture: Itcomprises a LED source, the QRNG integrated chip, and acustom made FPGA used to control the QRNG chip and toformat and transmit the bit stream to the host PC where thesequence of data are analyzed.parallel array of independent CMOS Single-Photon AvalancheDiodes (SPADs), homogeneously illuminated by a DC-biasedLED. Digital post-processing is implemented on chip andprovides a true random bit-stream through two parallel digitalinterfaces. Our device is suitable for applications requiring anintegrated architecture, capable of guaranteeing the requiredthroughput in real time [19]. We describe the Integrated Circuit(IC) architecture and we discuss the randomness generationprocess and the quantum entropy extraction. We propose amodel to ensure that the produced randomness is indeedoriginated from a quantum phenomenon and we evaluatethe influence that the co-integrated digital post-processingmay have on the raw randomness quality, before performingstatistical analysis on data after randomness extraction. OurCMOS QRNG can output up to 400 Mbit/s of data withsignificant area reduction and low energy per generated bit.I. QRNG
WITH I NTEGRATED E NTROPY E XTRACTION A RCHITECTURE
Our system is depicted in Figure 2; it features a QRNG ICimplementing the SPADs matrix, two extractors, and a high-speed digital interface. The entropy source is obtained from aLED illuminating an array of 16,384 single-photon avalanchediodes (SPADs), which convert photons Poissionian distributedin time, onto a 2D constellation of binary digits ’1’ if at least aphoton is detected and ’0’ otherwise. The chip features two ex-tractors based on vector-matrix multiplication to generate highentropy bit sequences starting from the original constellation.The two extractors target different application requirements.The first is a fixed extractor, denominated ‘A’; it is realizedfrom standard logic gates using a hard-coded n x k matrixpre-generated from an independent QRNG; this extractor isintended for applications requiring higher throughput andminimal area. The second is a variable extractor, denominated‘B’; it is a matrix of memory elements, realized by means ofscan chain registers to minimize the amount of pads neededfor programming it and to allow the use of design tools; thisextractor is intended for applications requiring one to extractan ad hoc matrix in the field for a higher security level. We implemented both extractors on this proof-of-principle chip inorder to demonstrate the feasibility of the co-integration withboth extraction methods.The QRNG IC was fabricated using a technology where theSPADs exhibit low noise, negligible afterpulsing, and lowcrosstalk. These characteristics are essential to enable themaximum speed with the desired randomness quality. raw
512 output registers … … RST
Column Pull-up512-to-64 multiplexer
RST
SPAD
To column pull-upsTo output registers
SELTOPGATE
VOP VDD VDD VQ
128 128 ✕ pixels SEL5-bit addressclk r s loadmat ou t r eg i s t e r s clk ✕ (xor reduction) ou t r eg i s t e r s ✕ mux varfixaddr T1 T2T1 T3 T4 T7 T8T9T6T5
Fig. 3: Block and timing diagram of the proposed QRNGchip. The chip comprises an array of 16,384 independentSPADs illuminated through a diffuser made of a standard4 µ m polyimide layer. The SPADs act as entropy sources thatgenerate a fast bit stream, which is then transformed ontoa fully randomized 400Mbit/s binary stream via an extractorintegrated on chip. The timing diagram of the readout processis shown in the inset.The block diagram of the QRNG is shown in Figure 3. Thechip comprises an array of SPADs organized in a matrix of128x128 pixels, whose schematic is shown in the inset of thefigure. The architecture of the pixel is depicted in Figure 4. Ineach pixel, a SPAD implemented as a P+/N-well junction withlightly doped N wells as guard rings, is passively quenched andrecharged by means of the transistor T1. Transistor T2 is usedto trigger the static embedded all-NMOS memory (T3, T4,T5, T6), while T7 is used as reset, and T8 and T9 are used toread out the content of the memory in a random access fashion.The matrix is read out four-rows-in-parallel every 40 ns andthe raw data is stored in a 512-bit register whose content isdiverted to the two extractors. All the pixels belonging to thesame group of four rows are connected to the same reset ( rst )and the same selection signal ( sel ), as depicted in Figure 5.The entire matrix is read out in 1.3 µ s.Extractor ‘A’ comprises 1024x32 XOR reduction cells fedthrough an intermediate 1024-bit register. Extractor ‘B’, de-picted in Figure 6 is an array of 8x1024 SRAM cells whosecontent is provided externally. Both extractors are operatingwithin the chip in real time: extractor ‘A’ can reach a through-put of 400 Mbit/s, extractor ‘B’ of 100 Mbit/s, both producingrandom words at 12.5MHz. The resulting bit streams are readout from the chip in 8-bit and 32-bit packets, using two parallelinterfaces. In test mode, we can independently access theraw entropy source output at 1.6 Gbit/s to verify the qualityof raw data at the source in accordance with high security Quenching
VOP
VQT1T1
Fig. 4: One pixel’s architecture. The quenching circuit on theright. A scheme of the SPAD cross-section on the left.
128 pixels
512 Out pixelpixelpixelpixel pixelpixelpixelpixel
32 Instances
Fig. 5: Pixels connections and Readout. The 512 pixels belong-ing to the same group of 4 rows are connected to the same
Sel and
Rst but are connected to 512 independent outputs. Eachof the 32 groups 4 lines has independent
Sel and
Rst signal,but they are sharing, using a multiplexer, the same 512 outputregister.standards [6].
512 registers 512 registers
Fig. 6: Extraction using Extractor ’B’. The 512 entropy bitsat the input are feed the first group of 512 registers. Whena input is ready, the data in the first group of registers areshifted into the second group. Once all the 1024 bit are filledwith new data, they are ANDed with each line of the matrixand XORed to produce the output.The SPADs characterization results are gathered in Figure 7.The figure shows a plot of the breakdown voltage distributionand of the dark count rate (DCR) across the entire populationof pixels. The afterpulsing probability (APP) was characterizedby means of the autocorrelation of several pixels in time,based on their digital output. Crosstalk was measured as thecross-correlation of a central pixel with all the surroundingpixels. The plot in the figure shows central pixel (7,7) within a surrounding 11x11 pixel matrix. The excess bias voltage anddead time used in this chip were 2.1 V and 1.3 µ s, respectively,so as to keep APP and crosstalk below 0.1%.II. E FFECTS OF I NTEGRATION ON E NTROPY
Our first concern was the effect of electromagnetic inter-ference introduced on the entropy source by the neighboringcircuitry used for on-chip digital post-processing. That is why,we started by evaluating the influence of on-chip extractorson the quality of the generated randomness. This informationis crucial to demonstrate the feasibility of a fully integratedQRNG in a commercially relevant CMOS technology. Wecompared the statistical distribution of raw data (before post-processing) when the two extractors are not powered on, whenonly one of them is working and when both are performingon-the-fly extraction for four QRNG chips. Figure 8 showsthe constellations generated by the SPAD array for these sameconditions. From the figure the equi-probability of ‘1’s and ‘0’sis apparent (and actually we computed a probability of 50.36%of ’1’ vs 49.64% of ’0’) with a homogeneous distributionamong the pixels, irrespective of the state of the extractors, atbetter than 2 σ deviation from the 50% distribution mark. Thisobservation was confirmed when we compared the detectionhistograms (8-bits hamming weight distributions) in all fourcases (shown in Figure 9). Therefore, we can conclusivelyconfirm that the analog-digital co-integration doesn’t have anyquality-deterioration effect on the quantum process generationand measurement.III. M ODELING THE Q UANTUM R ANDOMNESS
Before evaluating the performance of our device as aquantum random number generator, we need to ensure thatthe produced randomness is due to a quantum process (andnot coming , for instance, from classical parasitic noise). Wepropose a model to demonstrate that, under given assumptionsof the possible knowledge of an adversary, the randomnessproduced by our QRNG is indeed quantum.In the QRNG that we propose here, the entropy comes froman LED that illuminates a matrix of SPADs. The quantumprocess that is exploited is the distribution of photons over thesurface of the detectors. The position of each photon is notdeterministically known before its detection. The probabilitydistribution of its position is given by the intensity profileof the electromagnetic field impinging on the detectors. Thedistance between the detectors and the source is chosen suchthat the light intensity profile on the detectors is uniform.Considering the time interval defined by the acquisition timeand the space mode spanned by the area of the detectors matrix(spatially we consider the state in a single mode), the quantumstate emitted by the LED is a mixed state in the Fock space,where the probability of having n photons is given by thePoisson distribution P N : P N ( n ) = e − λ λ n n ! . (1)We model the matrix of SPADs as a collection of indepen-dent detectors. Their efficiency η is considered in our model,
0 2048 4096 6144 8192 10240 12288 14336 16384VQ = 0.5V, Veb = 1V-4VVQ = 0.5V, Veb = 1V-4V D a r k C oun t R a t e [ H z ] Number of pixelsCumulative DCRExtractorsnonefixedvariableboth (a) − bd = 20.22V, σ bd = 213mV F r equen cy Breakdown [V]Breakdown voltage (b)
60 61 62 63 64 65 66 67 68 69 70 60 61 62 63 64 65 66 67 68 69 70 y xCross-correlation with center pixel 2*10 -3 -3 -2 -2 -2 (c) C o rr e l a t i on Lagtime [us]Autocorrelation Pixel7,765,7122,77,6565,65122,657,12265,122122,122 (d)
Fig. 7: Performance of the SPAD used in this work. Clockwise from top-left: (a) Cumulative dark count rate for different excessbias and under different operation conditions (Extractors ON and/or OFF). Note that the 512 noisy pixels called ”hot pixels”are taken into account in the entropy model; (b) Breakdown voltage distribution; (d) Autocorrelation function for several pixelsvs. lag time; (c) Cross-correlation function with respect to surrounding 11 x 11 pixels. All measurements at room temperature. (a) (b)(c) (d)
Fig. 8: Performance of the QRNG when different extractorsare active. Raw binary constellations. (a) Both extractors areOFF; (b) the fixed extractor is ON and the variable extractor isOFF; (c) the fixed extractor is OFF and the variable extractoris ON; (d) both extractors are ON.as the probability that one photon is detected. If n photonsarrive on one detector, the probability that at least one of themis detected (probability that the detector clicks) is given by P ndet = 1 − (1 − η ) n . Similarly, we can model the dark countsprobability with a random variable S i = 0 , for each detector.In the case of S i = 1 the i th detector will click independently P r o b a b ili t y OFF_OFFOFF_ONON_OFFON_ON
Fig. 9: Detection histogram. Detection histogram (8-bits Ham-ming Weight distributions) of raw data for different operatingconditions: (green) Both extractors are OFF; (grey) the fixedextractor is OFF and the variable extractor is ON; (white) thefixed extractor is ON and the variable extractor is OFF; (blue)both extractors are ON.of the light coming into it. This event has probability p dark equal to the probability of having a dark count on one pixel.Using the methods proposed by Frauchiger et al . [4] toevaluate the amount of quantum randomness of our device weevaluate the min-Entropy of the output distribution conditionedon the distribution of all the predictable side information. Inour case, the side information is modeled as classical anddetermined by the random variable E . The conditional min-Entropy that we need to compute is thus the following: Fig. 10: Chip micrograph. Complete chip micrograph of theproposed QRNG chip implemented in standard 0.35 µ m CMOStechnology. From left, it is possible to see the Extractor A andits read out at the bottom, the entropy source composed by amatrix of 128 ×
128 SPADs and its readout at the bottom, theExtractor B and its readout at the bottom. H min ( X | E ) = − (cid:88) e P E ( e ) log [max x P X | E = e ( x | e )] , (2)where X represents the random variable of the output se-quence, P X | E is the conditional probability distribution of X knowing the variable E , and the quantity − H min ( X | E ) represents the maximum guessing probability of X given E .In order to find the probability distribution of the outputsequence we have to characterize the quantum state of ourdevice ρ , and the measurement represented by the operators Π x , where x is a possible output bit string. Moreover, allside information is represented by the value e which is theresult of the measurement E e that represent the part of theprocess considered to be deterministic. Provided the physicalcharacterization of the device, the probability distribution isgiven by the Born rule: P X,E ( x, e ) = T r [Π x E e ρ ( E e ) † ] (3)without any need for a stochastic model (see Appendix VIIIfor more information). The most critical part of a QRNG ishowever defining all the possible side information. In our case,the photon distribution of the source and the random variablescorresponding to the dark counts are the principal sources ofclassical side information and are considered as completelyforeseeable. The event of a photon to be detected (describedby the efficiency η ) is considered to be independent of anypossible observer. However, in this conservative model, weconsider a possible shot to shot uncertainty with respect tothe average observed value of the efficiency.All the possible sources of side information have been char-acterized and the following parameters have been measuredaccurately in order to certify that the extracted randomness isof quantum nature: η = 0 . ± . (considering a possibledeviation of 25% from the average efficiency), p dark =8 . · − per detection window, to this probability we addedalso the probability of cross-talk of around P cross = 0 . (this corresponds to the worst case scenario where each clickprovoked by the click of another detector is known by an adversary) and the mean photon number λ of photons arrivingon the detectors chosen in such a way that the probability ofeach of them to click is equal to . (as set experimentally).Moreover in the post-processing we took into account the512 hot pixels which are always on, this accounts for anadditional lowering of the entropy. With this characterizationof the device, the min-Entropy per bit has been estimated to be H min ( X | E ) /m ≈ , which fixes a limit on the possibleextractable randomness from the raw generated sequence ofbits.In this work an extractor based on vector-matrix multipli-cation [18] was used. This extractor is applied to vectors of n raw bits and output shorter vectors of k random bits. Once thelength of the raw string n is chosen ( in our case n is equal to1024), the parameter k will be bound by the probability thatthe output bit string deviates from perfectly random output bits (cid:15) . The extraction function used in our QRNG is taken froma two-universal family of hash functions, so it is possible toquantify this failure probability by the Leftover Hash Lemmawith side information: (cid:15) = 2 − ( H min ( X | E ) · n − k ) / . (4)For instance with the obtained value of min-Entropy andfor a vector of 1024 raw bits, the parameter k should be lowerthan 548 for efficient entropy extraction ( (cid:15) = 2 − ). In ourcase the parameter k is equal to 32 for the fixed extractor andequal to 8 for the variable extractor which confirms the highefficiency of our on-chip extraction. Note that these values of k were chosen according to a trade-off between a sufficientlyhigh throughput and a minimum area.IV. E XPERIMENTAL METHODS
A. Fabrication of the Integrated QRNG
The QRNG integrated circuit was fabricated in a standard0.35 µ m 1P4M high-voltage CMOS technology through Eu-ropractice multi-project wafer foundry service. The SPADdevice junction is formed between a p+ anode and deep n-well cathode embedded in the standard p-type substrate. A p-well guard ring is used to realize a uniform electric field andprevent premature edge-breakdown of the device. The SPADis of circular shape with an active diameter of 6 µ m. B. Measurements
For measurements the IC was bonded in a ceramic PGA-256 package and inserted in a socket on a adapter PCBfor connection with the FPGA main board. The FPGA mainboard contains a Xilinx Spartan 6 FPGA connecting directlyto the QRNG I/O and a Cypress FX3 USB transceiver forcommunication with a control computer. Voltage supplies forthe chip are provided through the main board with separatejumpers for the extractor supply.A Rohde&Schwarz HMP2030 dc power supply was usedto provide controllable operating bias and quenching volt-age for the SPAD and pixel circuit. A custom-built matrixof relay switches (Kemet EC2-12TNU) and a USB-SMU(Agilent/Keysight U2723A) were used to respectively switch power of the extractor matrices and control the LED illumi-nation current. For measurements in a temperature-controlledenvironment the QRNG together with the FPGA board wasput in an ESPEC SU-262 temperature control chamber. Thetemperature chamber is outfitted with a nitrogen purge to avoidcondensation.To evaluate the breakdown voltage of the individual detec-tors the voltage was swept in steps of 50 mV from a voltagewhere no events are detected to where all detectors showactivity. Through readout of individual detectors, the numberof events during one second at each voltage step has beenrecorded and fitted with a two-piecewise linear function. Thefunction evaluates to zero below the breakdown voltage andincreases thereafter, thus providing the breakdown voltage foreach detector.Data from the extraction matrices is acquired through thecontrol FPGA in the same way as the raw data needed toevaluate the breakdown voltage. The operating conditions,namely excess bias and quenching voltage and LED illumi-nation current are set. Then synchronous control signals areapplied to read out the data from the output register of thematrices. The control FPGA relays the data to a computerwhere they are stored on disk for analysis.
C. Randomness Evaluation
The random data sequences were stored off-chip and testedusing the NIST Statistical Test Suite (SP 800-22) down-loaded from the NIST website (https://csrc.nist.gov/Projects/Random-Bit-Generation/Documentation-and-Software). Theparameters used to perform these tests are the followings:blockFrequencyBlockLength = 12800, nonOverlappingTem-plateBlockLength = 10, overlappingTemplateBlockLength =9, approximateEntropyBlockLength = 10, serialBlockLength =16 and linearComplexitySequenceLength = 1000. The resultsare stored in an dedicated file, automatically generated whenthe tests are launched. The same data sequences were testedusing the Diehard battery of tests available https://webhome.phy.duke.edu/ ∼ rgb/General/dieharder.phpV. R ESULTS
First, the effect of temperature on the QRNG was evaluatedand we saw a slight decrease of the quantum entropy pergenerated bit when increasing temperature. This decrease isdue to a higher thermally induced noise that can lead to abias toward ‘1’. Afterwards, about 1 Gbit of extracted datausing both extractors, were tested using the NIST statisticaltest suite [2] and the DIEHARD test battery [8] and it passedall of them. The NIST SP 800-22 tests were performed using1000 sequences of 1 Mbit each. The minimum pass ratefor each statistical test with the exception of the randomexcursion (variant) test is approximately = 980 for a samplesize = 1000 binary sequences. The minimum pass rate for therandom excursion (variant) test is approximately = 599 for asample size = 613 binary sequences. The tests results for datagenerated by the fixed and the variable extractor are shownin Table I and Table II respectively. The Diehard tests wereperformed on two data sets of 500 Mbits generated by the fixed TABLE I: NIST tests results: The uniformity of P-values andthe proportion of passing sequences for 1000 samples of 1Mbit each generated by the fixed extractor ’A’
Statistical test P-Value ProportionFrequency 0.99577 988/1000Block-Frequency 0.239266 990/1000CumulativeSums1 0.941144 989/1000CumulativeSums2 0.062427 986/1000Runs 0.928857 989/1000LongestRun 0.473064 993/1000Rank 0.301194 990/1000FFT 0.029205 983/1000NonOverlappingTemplate 0.662091 993/1000OverlappingTemplate 0.735908 988/1000Universal 0.829047 991/1000ApproximateEntropy 0.767582 988/1000RandomExcursions 0.349160 606/613RandomExcursionsVariant 0.359855 607/613Serial 0.800005 994/1000LinearComplexity 0.747898 994/1000
TABLE II: NIST tests results: The uniformity of P-values andthe proportion of passing sequences for 1000 samples of 1Mbit each generated by the variable extractor ’B’
Statistical test P-Value ProportionFrequency 0.614226 991/1000Block-Frequency 0.616305 995/1000CumulativeSums1 0.626709 990/1000CumulativeSums2 0.980341 994/1000Runs 0.190654 989/1000LongestRun 0.612147 986/1000Rank 0.452173 988/1000FFT 0.870856 989/1000NonOverlappingTemplate 0.757790 993/1000OverlappingTemplate 0.039073 988/1000Universal 0.014550 988/1000ApproximateEntropy 0.221317 987/1000RandomExcursions 0.822122 607/613RandomExcursionsVariant 0.367493 610/613Serial 0.777265 994/1000LinearComplexity 0.809249 992/1000 extractor (P-Value ’A’) and the variable extractor (P-value ’B’).The results are presented in Table III. Finally, Figure 11 showsthe P-value distribution for 145 Non-overlapping TemplateMatching (NIST test) done on raw data on 4 different chips.Our chip achieved an extremely low energy per bit com-pared to the ones reported on standard CMOS technology(comparison with state of the art is reported in Table IV),while the overall power at full speed was less than 499mW forthe nominal 3.3V supply voltage at room temperature, makingthe chip suitable for low-power applications. The integrationof the entropy source and the extractors enabled us to achievethe highest level of integration to date with negligible impacton the quality of the random sequence.The micrograph of the QRNG chip is shown in Figure 10; thechip measures 10 × in this CMOS technology, whilemore advanced nodes would enable significant area reductions,provided similar noise, AP, and crosstalk performance inSPADs. TABLE III: Diehard tests results for 500 Mbit of true randomdata (S means “SUCCESS”)
Statistical test P-Value ’A’ P-Value ’B’ ResultBirthday Spacing 0.865773 0.842883 SOverlapping 5-permutation 0.513342 0.471146 SBinary Rank for 31 x 31matrices 0.634721 0.755819 SBinary Rank for 32 x 32matrices 0.415482 0.352107 SBinary Rank for 8 x 8matrices 0.576012 0.361938 SBitstream 0.970227 0.051626 SOverlapping-Paris-Spares-Occupancy 0.219893 0.015640 SOverlapping-Quardruples-Spares-Occupancy 0.173054 0.015065 SDNA 0.150832 0.016380 SCount-the-1’s 0.944274 0.058056 SCount-the-1’s for spe-cific bytes 0.703417 0.365542 SParking lot 0.229559 0.239266 SMinimum distance 0.794391 0.320832 S3D spheres 0.448424 0.064255 SSqueeze 0.317565 0.455628 SOverlapping sums 0.250307 0.988284 SRuns 0.814724 0.194590 SCraps 0.840551 0.823860 S
VI. C
ONCLUSIONS
We have presented the first integrated Quantum randomnumber generator (QRNG) in a standard CMOS technologynode. To demonstrate the possibility to integrate advancedfunctionalities with the entropy sources, we developed amodular architecture comprising an array of independentlyoperating SPADs, illuminated by a DC-biased LED, and logicfor random number extraction. The fabricated QRNG reachesa throughput of 400 Mbit/s with an extremely low energy perbit for the nominal 3.3 V supply voltage at room temperature.This characteristics make our chip suitable for portable low-power applications. Next steps will target the integration of theLED on the same substrate and an efficient packaging of thewhole chip to fulfill the compactness required by the System-in-Package (SiP) approach. The generation rate could also beimproved by decreasing the number of SPADs and using theavailable space to implement a bigger extraction matrix.VII. A
CKNOWLEDGEMENTS
The work presented in this paper has been partially sup-ported by the Eurostar framework (Progect Q-RANGER,Quantum - RAndom Number GEneRator). Davide Ruscathanks the EUs H2020 program under the Marie Skłodowska-Curie project QCALL (GA 675662) for financial support.R
EFERENCES[1] E. Amri, Y. Felk, D. Stucki, J. Ma, and E. R. Fossum, “Quantum randomnumber generation using a quanta image sensor,”
Sensors , vol. 16, no. 7,p. 1002, 2016. P - v a l u e OFF/OFFOFF/ON ON/OFFON/ON
Fig. 11: QRNG statistical characterization. The figure showsthe P-value distribution for 145 Non-overlapping TemplateMatching (NIST test) done on raw data, provided by 4 chips.The purpose of the test is to detect the presence of a given(non-periodic) pattern in a 1-bit sliding window. We can seethat p-values produced by this test are perfectly distributedbetween ‘0’ and ‘1’ with very few ‘0’ and 0.99 points. [2] L. E. Bassham III, A. L. Rukhin, J. Soto, J. R. Nechvatal, M. E. Smid,E. B. Barker, S. D. Leigh, M. Levenson, M. Vangel, D. L. Banks et al. , Sp 800-22 rev. 1a. a statistical test suite for random and pseudorandomnumber generators for cryptographic applications . National Instituteof Standards & Technology, 2010.[3] J. F. Dynes, Z. L. Yuan, A. W. Sharpe, and A. J. Shields, “A highspeed, postprocessing free, quantum random number generator,” appliedphysics letters , vol. 93, no. 3, p. 031109, 2008.[4] D. Frauchiger, R. Renner, and M. Troyer, “True randomness fromrealistic quantum devices,” arXiv , vol. 1311.4547 [quant-ph], pp. 164–168, 2013.[5] IdQuantique, “Quantis QRNG Chip Brochure,” , 2019.[6] N. I. T. Laboratory, “Cryptographic algorithm validation program: Ran-dom Number Generators,” https://csrc.nist.gov/, accessed: 2020-03-19.[7] U. Leonhardt, “Quantum physics of simple optical instruments,”
Reportson Progress in Physics , vol. 66, no. 7, p. 1207, 2003.[8] G. Marsaglia, “The marsaglia random number cdrom including thediehard battery of tests of randomness, 1995,” , 2008.[9] N. Massari, L. Gasparini, A. Tomasi, A. Meneghetti, H. Xu, D. Peren-zoni, G. Morgari, and D. Stoppa, “16.3 a 16 ×
16 pixels spad-based128-mb/s quantum random number generator with- 74db light rejectionratio and- 6.7 ppm/ °Cbias sensitivity on temperature,” in . IEEE, 2016,pp. 292–293.[10] M. Matsumoto, S. Yasuda, R. Ohba, K. Ikegami, T. Tanamoto, andS. Fujita, “1200 µ m 2 physical random-number generators based on sinmosfet for secure smart-card application,” in . IEEE,2008, pp. 414–624.[11] J. Mechalas, “Intel digital random number generator (drng): Softwareimplementation guide revision 2.0,” 2014.[12] Y.-Q. Nie, H.-F. Zhang, Z. Zhang, J. Wang, X. Ma, J. Zhang, and J.-W. Pan, “Practical and fast quantum random number generation basedon photon arrival time relative to external reference,” Applied PhysicsLetters . IEEE, 2016, pp. 37–42.
TABLE IV: Comparison Table. Comparison of the presented Quantum Random Number Generator with the state of the art
Performance This Work Stefanov[16] Amri[1] Sanguinetti[15], [5] qStream[13] Wei[20] Nie[12] Dynes[3] Matsumoto[10]Bit Rate
Thermal Noise < . % < % < % < % Not specified < . % < . % < % N/A Full Integration yes no no no no no no no no
On-chip Extractor yes no no yes yes no no no no
Dimension ( mm )
45 7728 25 22.5 10,892.4 N/A N/A N/A 0.012
Standard Tests/
NIST, NIST, DIEHARD, NIST NIST, ISTO/ NIST DIEHARD NIST NIST, NIST
Certifications
DIEHARD METAL, CTL, AIS31 IEC-18031 STS DIEHARD
Power (mW)
499 1,500 25 83.44 12,780 N/A N/A N/A 1.9
FOM (nJ/bit) [15] B. Sanguinetti, A. Martin, H. Zbinden, and N. Gisin, “Quantum randomnumber generation on a mobile phone,”
Physical Review X , vol. 4, no. 3,p. 031056, 2014.[16] A. Stefanov, N. Gisin, O. Guinnard, L. Guinnard, and H. Zbinden,“Optical quantum random number generator,”
Journal of Modern Optics ,vol. 47, no. 4, pp. 595–598, 2000.[17] B. Sunar, “True random number generators for cryptography,” in
Cryp-tographic Engineering . Springer, 2009, pp. 55–73.[18] M. Troyer and R. Renner, “Id quantique technical report,”
Phys. Rev. X ,vol. 4, p. 031056, 2012.[19] I. Verbauwhede, J. Balasch, S. S. Roy, and A. Van Herrewege, “24.1circuit challenges from cryptography,” in . IEEE,2015, pp. 1–2.[20] W. Wei, G. Xie, A. Dang, and H. Guo, “High-speed and bias-free opticalrandom number generator,”
IEEE Photonics Technology Letters , vol. 24,no. 6, pp. 437–439, 2011.
VIII. A
PPENDIX : E
NTROPY CALCULATION
The model used in our paper follows the method introducedin Frauchiger et al. [4]. We specify first the density operator ρ corresponding to our QRNG. We consider our state asrepresented by different subsystems. A subsystem I that,following a Poissonian distribution, encodes the number ofphotons. A subsystem D that encodes the state of the detectorsgiven by the random variable S . If S = 1 the detectors willexperience a dark count and it will click independently ofthe absorption of a photon, otherwise the detector will behavenormally. The string s corresponds to the state of each detector.Finally the subsystem P considers the position of the photonswith respect to the matrix of SPADs. ρ = (cid:88) n,s P N ( n ) P S ( s ) | n (cid:105)(cid:104) n | I ⊗| s (cid:105)(cid:104) s | D ⊗| φ (cid:105)(cid:104) φ | ⊗ nP (5)The state of the n photons is in the form | φ (cid:105) ⊗ n . Thiscorresponds to considering the photons as distinguishable anddue to the fact that in beam-splitting experiment the behaviourof photons can be in principle described in this way as it isshown in the work of U. Leonhardt [7]. Since the illuminationof the SPAD matrix has been calibrated to be uniform, wecan consider that each photon has equal probability to hit anydetector. This means that we model the state | φ (cid:105) to be the | W (cid:105) state of dimension m . If the illumination is imbalanced, thenthis state should be adjusted accordingly.The positive-operator valued measure (POVM) can be de-scribed in terms of different operators for each detector D i .The following expression describes the POVM’s elementsrelative to the detection or no detection of a photon: P n, D i := ( η ( − | (cid:105)(cid:104) | )) ⊗ n P n, D i := ((1 − η ) + η | (cid:105)(cid:104) | ) ⊗ n (6)For each photon arriving on the detector we consider aprobability η that the photon is absorbed by the detector. Thisinformation is considered to be unforeseeable by a third party.The operator related to generating a sequence x is now givenby: Π x = (cid:88) n,s | n, s (cid:105)(cid:104) n, s | D (cid:79) i P n,x i ,s i i (7)where the sum over s considers all the sequences consistentwith the output sequence x (if s i = 1 this means x i isnecessarily ) and P n,x i ,s i i = (cid:40) P n,x i , if s i = 0 id ⊗ n , if s i = 1 (8)meaning that if the random variable s i = 1 , the detector willclick independently of the photon state | φ (cid:105) ⊗ n .Once the measurement operator and the preparation state ofthe device are defined we have to consider the classical noise.In order to model this we consider the following measurement: E n,s = | n, s (cid:105)(cid:104) n, s | (cid:79) i ⊗ n (9)the classical noise is defined by its outcome and correspondsto the random variable N ∈ { , ..., ∞} corresponding to thenumber of photon and S which is the sequence of randomvariables corresponding to the state of each detector withrespect to a possible dark-count.The probability to have a certain output string of bits ateach sampling event is given now by the Born rule: P ( x ) = T r (Π x ρ ) (10)which corresponds to the observed experimental distributionof the obtained bits strings.However the probability distribution of importance in thepresented model is given by the joint probability of the outputvariable and the classical noise, given again by the Born rule: P ( x, n, s ) = T r (Π x E n,s ρ ( E n,s ) † ) (11)By simple combinatorial calculation it is possible to obtainthe expression given in the main text: P ( x, n, s ) = P N ( n ) P S ( s ) H ( x ) − H ( s ) (cid:88) i =0 ( − i (cid:18) H ( x ) − H ( s ) i (cid:19) (cid:18) − η − H ( x ) − im η (cid:19) n (12)where the vector s = s , s , ..., s m collects all the variablesfor dark counts for each detector, H ( · ) is the Hammingweight function and mm