Certified Randomness Using a Trapped-Ion Quantum Processor

What are near-term quantum computers actually good for? The authors of Certified Randomness Using a Trapped-Ion Quantum Processor answer: to generate random numbers that can be verified to be truly random.

Random numbers are essential to cryptography schemes and quantum key distribution. They are also important in various algorithms (e.g. machine learning, Monte Carlo, genetic algorithms) and even games and lotteries. Regular computers can only generate pseudorandom numbers, because classical computation is deterministic. For high-stakes applications, such as secure communication, that may not be enough. You need to know that the random numbers are actually random and not spoofed by an adversary.

Nature has its own random-number generator (RNG): quantum physics. Such a quantum random-number generator (QRNG) can produce numbers that cannot be predicted, even with perfect information about the design of the process and/or device that generates these numbers. A natural question to ask is whether we can use quantum physics to generate random numbers. A Geiger counter next to a radioactive material would do the trick, but there are obvious health concerns to such a setup. More than ten years ago, researchers used quantum noise with CCD cameras to generate truly random numbers. A similar idea is behind Sequre Quantum’s hardware QRNGs, which consists of a laser, an optical attenuator, and a Mach–Zehnder interferometer. Quantum computers, therefore, seem ideal candidates for random-number generation.

There have recently been several dubious claims about massive speedups in random circuit sampling (RCS), a problem quantum computers excel at. The only problem is that random circuit sampling does not appear to be useful other than to generate impressive marketing materials. Until now, that is.

The authors adapted a protocol by Aaronson & Hung (2023) to generate random numbers that can be verified to be random. They implemented it on a trapped-ion QPU from Quantinuum with 56 qubits. Their scheme works as follows:

1. A classical client generates \(n\)-qubit circuits pseudorandomly and sends these in batches to a quantum server. Each circuit is initialized with \(\vert 0\rangle\), upon which layers of one-qubit and two-qubit (ZZ) gates are applied. The circuits are sent to the QPU in batches because of overhead from circuit preparation, regular device calibrations, and network latency.
2. The quantum server returns length-\(n\) bitstrings sampled from the output distribution of these circuits within a pre-determined amount of time. If the server does not respond within that time, the batch is discarded.
3. When enough samples are collected, a subset \(\mathcal{S}\) of size \(m\) samples is used to compute the cross-entropy benchmark score: \(\mathrm{XEB} = \frac{2^{n}}{m}\sum_{i\in\mathcal{S}}{\mathbb{P}_{C_{i}}(x_{i})-1}\). Here, \(\mathbb{P}_{C}(x) = \lvert\langle x\vert C \vert 0\rangle\rvert^{2}\) is the probability of measuring a bitstring \(x\) from a quantum computer that executes circuit \(C\). Responses with a high XEB score, generated in a short amount of time, have a high probability of being random.
4. The randomness is verified based on two criteria: i) the average time per sample is lower than a threshold such that it precludes simulation on a classical machine, and ii) the XEB is higher than a pre-determined threshold. As such, these numbers are guaranteed to be reasonably random.
5. The client uses a randomness extractor to process the samples.

The reported cross-entropy benchmarking (XEB) score was 0.32. That is not as close to unity as we might expect of perfectly random bitstrings. But, based on the fidelity of 0.3, it would require at least four Frontier supercomputers to simulate the samples from the depth-10 circuits fast enough.

The protocol’s security depends on pseudorandom circuits, for which no known classical algorithm exists today that is able to spoof the results within the two seconds the researchers used as a cut-off. It is, however, on the client to ensure these circuits are hard to simulate within the time constraints given.

The Insight

Why is this research relevant? In the words of Scott Aaronson, one of the inventors of the original protocol:

It’s the first experimental demonstration of a protocol to generate cryptographically certified random bits with the use of a quantum computer.

That said, it is not immediately practical:

Verifying the results using a classical computer is extremely expensive. […] Most people will probably pass on this solution in the near future.