Certified randomness using a trapped-ion quantum processor

TL;DR

This work demonstrates certifiable randomness generation on a 56-qubit trapped-ion quantum processor connected over the internet. By leveraging a mixed-cross-entropy benchmark approach (MLXEB) across many distinct circuits and analyzing a finite-size adversary with realistic infrastructure, the authors certify entropy and perform randomness extraction, achieving 71,313 bits of entropy under their restricted model. The protocol differs from prior schemes by sampling one output per circuit and using cross-circuit statistics to bound entropy, supported by an extensive security analysis and a tensor-network-based verification on large HPC resources. The results constitute a practical step toward applying current quantum hardware for certified randomness expansion with rigorous security foundations and explicit experimental parameters.

Abstract

While quantum computers have the potential to perform a wide range of practically important tasks beyond the capabilities of classical computers, realizing this potential remains a challenge. One such task is to use an untrusted remote device to generate random bits that can be certified to contain a certain amount of entropy. Certified randomness has many applications but is fundamentally impossible to achieve solely by classical computation. In this work, we demonstrate the generation of certifiably random bits using the 56-qubit Quantinuum H2-1 trapped-ion quantum computer accessed over the internet. Our protocol leverages the classical hardness of recent random circuit sampling demonstrations: a client generates quantum "challenge" circuits using a small randomness seed, sends them to an untrusted quantum server to execute, and verifies the server's results. We analyze the security of our protocol against a restricted class of realistic near-term adversaries. Using classical verification with measured combined sustained performance of $1.1\times10^{18}$ floating-point operations per second across multiple supercomputers, we certify $71,313$ bits of entropy under this restricted adversary and additional assumptions. Our results demonstrate a step towards the practical applicability of today's quantum computers.

Figures (7)

• Figure S1: Illustration of the security definition of certified randomness. In the ideal functionality, the generated bitstring $K$ should be random and independent on any classical information available at the start of the protocol (described as a snapshot $I_{\rm sn}$ of all classical information).
• Figure S2: Model of classical client and malicious server in the certified randomness protocol. The server is split into a classical control unit $\Xi$, a classical computer $S_{\rm C}$, and a quantum computer $S_{\rm Q}$. Without assuming authenticated communication, the server $S=\tilde{S}E$ in general refers to the actual server $\tilde{S}$, along with all parties $E$ that have access to the communication channel between the client and server.
• Figure S3: Numerical evidence of convergence to Porter--Thomas (A) Circuit-wise expectation (blue) and variance (red) of Shannon entropy, defined as $-\sum_{x \in \{0, 1\}^{n}} p(x) \log p(x)$ with $p(x) = |\langle x|C|0\rangle|^2$, for distributions induced by $d=10$ circuits $C$ with different $n$. (B) Circuit-wise expectation (blue) and variance (red) of Total Variation Distance (TVD) from Porter-Thomas distributions induced by $d=10$ circuits with different $n$. To compute the TVD, we convert the vector or probabilities $p(x)$ into a histogram, counting frequencies over discretized probability intervals. Then, we sum the difference in frequency counts so obtained with those expected from Poter-Thomas distribution. For both plots, each data point summarizes 1,000 realizations of random circuits over a fixed two-qubit topology obtained via edge coloring of an $n$-node graph. Standard error is too small to be visible on the plot.
• Figure S4: The frugal rejection sampling algorithm.
• Figure S5: Distribution of the probability $p_{\vert\psi\rangle}(x)$. A random circuit with depth $8$ acts on $n=20$ qubits. The tensor network representation is sliced into $K=1024$ total slices of which we only contract $k = \phi \cdot K$ slices. The partial amplitudes are used to sample bitstrings following the frugal rejection sampling process (Fig. \ref{['fig:frugal_rejection_sampling']}). For each $\phi$, we sample ten thousand samples via partial contraction (dots).

Theorems & Definitions (39)

• Definition 1.1: Long List Quantum Supremacy Verification LLQSV$(\mathcal{D})$, restated from Problem 2 of aaronson2023certified
• Definition 1.2: Long List Hardness Assumption $\text{LLHA}_{B}(\mathcal{D})$, restated from Eq. 3 of aaronson2023certified and Assumption 5.1 of aaronson2023certifiedArxiv
• Definition 1.3: Linear Cross-Entropy Benchmarking $\text{LXEB}_{b,k}(\mathcal{D})$, restated from Problem 1 of aaronson2023certified
• Theorem 1.4: $\text{LXEB}_{b,k}$ ensures von Neumann entropy, restated from Theorem 5.10 of aaronson2023certifiedArxiv
• Definition 1.5: Mixed Linear Cross-Entropy Benchmarking $\text{MLXEB}_{b,k}(\mathcal{D})$
• Theorem 1.6: ${\rm MLXEB}_{b,k}$ ensures von Neumann entropy.
• proof
• Theorem 1.7: Low-entropy algorithm solving LXEB also solves LLQSV, modified from Theorem 5.8 of aaronson2023certifiedArxiv
• Theorem 1.8: Low-entropy algorithm solving MLXEB also solves LLQSV
• Lemma 1.9