"Quantum random number generator and method for the generation thereof

* * * *

DESCRIPTION

The present invention relates to a quantum random number generator and to the method for the generation thereof.

Different applications require the generation of random number sequences, such as for instance cryptography. The purpose of cryptography is to maintain messages safe, that is to make sure that a private message may only be read by the recipient it was addressed to. Cryptography is used so that third parties, who have somehow managed to receive the message, may however not understand it. The degree of secrecy provided by the algorithm is proportionally correlated to its computational cost and to the complexity of the key. The appropriate compromise between the first and the latter must therefore be sought. The use of random numbers is important especially in the heavier encryption mechanisms. Generally, the heavier an encryption mechanism is, the more the ratio between the number of random bits used and the number of information bits is close to the unit. At most, there are systems, designated "One-Time Pad", in which a random bit is used for each information bit. In this case or in similar cases, random number generators are therefore required providing random ciphers at a very high rate although not loosing in quality. The price to pay for the One-Time Pads is that the key may only be used once (therefore, one key for each message). Furthermore, the numbers used for the key must really be random. The mechanism used is very simple: an arithmetic combination with a key bit is made for every information bit. Therefore, a random bit is required for every datum bit.

A cryptographic mechanism may also be exploited to protect the authenticity of a message. For example, this is the case where a client accesses a restricted server. Here, the object is to make sure that, for safety reasons, the access key (the password) is never transmitted on the communication channel. A typical example consists in financial transactions carried out on the Internet. The server has a copy of the access keys of all potential clients. When a client intends to connect in a restricted manner to the server, the latter sends him/her a stream or sequence of random numbers. The client then sends back a function of its access key and of this stream. The server interprets it and grants access authorisation or not. Therefore, a different stream is used at each client's request and the access key is never transmitted on the channel. Good quality random numbers allow this to occur.

Random numbers also gain a great significance in quantum cryptography. Quantum cryptography was developed to address the weaknesses of classical cryptography and substantially represents a future evolution thereof . Indeed, at the current stage of classical cryptography, supposing that good quality random numbers are used in the encryption, the computational power required by anyone attempting to attack the communication is still too high, virtually hardly available. Furthermore, the heavier encryptions are inaccessible to computers with the highest computational powers, even though it may be assumed that in future such a computational ability will be available. The main weakness in classical cryptography is the issuing of the decryption key to all potential recipients of the message. Such an issuing is not an easy task in all networks where a great number of users needs to open restricted communication channels with more than one different user, that is in most cases, because the key needs to be transmitted through a safer, thus more expensive (or slower) channel.

Quantum cryptography allows to solve said problem. The explanation of how this is possible is a direct consequence of the way photons, which are the quantum particles employed, behave. Polarisation, a quantum property thereof, may be exploited to describe different symbols. Firstly, the use of a quantum phenomenon such as this one has an inherent advantage: anyone receiving a stream of "qubits" obviously needs to have a device recognising the polarisation thereof, precisely to recognise whether the received "qubits" are "0" or "1". However, this reading is, in a manner of speaking, "invasive": it is indeed a law of quantum mechanics that the polarisation of a photon may not be observed without altering the polarisation of the same. Therefore, if a recipient other than the recipient the data are addressed to, reads the data, the rightful recipient will easily notice such alterations and detect an attempt of attack. Undoubtedly, such a property represents an excellent advantage, but it is not the basis of the communication mechanism as it provides an a posteriori control, which is very useful in any case. On the other hand, what happens is that a photon flow displaying random polarisations is sent, the photon flow forming the encryption key. If such a flow is intercepted, nothing is lost (it only consists of a random number stream and does not represent the restricted information), otherwise, if the recipient together with the sender verifies the non-interception, such a key is used to encrypt the message. In this manner, there is a different key for each message sent. The importance and the need to be provided with a fast and good quality random number generator is therefore apparent: the faster the qubits are generated, the more qubits it will be possible to send for the encryption.

There are in general three classes of methods for the generation of random numbers: the pseudorandom generation, the chaotic generation and the quantum generation.

Pseudorandom generators do not employ a physical process to generate random numbers. On the contrary, they rely on a mathematical and deterministic method. Substantially, a pseudorandom generator is an algorithm producing a random number from another random number, and a system at the input of which an arbitrary sample is provided and which provides the following sample at its output. Its implementation will be a software implementation due to its mathematical-algorithmic nature. It is only a matter of encoding a procedure in which the starting datum (designated as seed) is processed by a certain number of mathematical steps. Therefore, an arithmetical- logical function of the input will be obtained at the output. The number and the nature of such steps are arbitrary and need to adapt to the quality requirements of the sequence to be generated. The purpose of these steps is to somehow make the output as uncorrelated to the input as possible, at most independent. The core of each pseudorandom generator is thus the cyclic and continuous repetition of the same algorithm. The parameter characterising the quality thereof is the time after which the sequence resumes repeating identically. This is why these generators are defined as pseudorandom. The great advantage, which is the reason why such generators are more and more widespread, is undoubtedly their low cost (due to the absence of specific hardware), their convenience and the high rate at which random bits may be generated. A great disadvantage, besides the already mentioned "low randomness degree" is that a seed, that is the first input, is required to generate a sequence of pseudorandom numbers. It often occurs that precisely the choice of the seed has a considerable effect on the quality of the generated sequence; thus pseudorandom generators require a seed that must be as random as possible.

Chaotic generators exploit the behaviour of a classical physical system to generate randomness, such as for instance, the recording of the results obtained by the toss of a coin or by the throw of dice. However, it must be noted that this is not true randomness, but instead something very similar thereto. Indeed, to be precise, even chaotic systems are deterministic and therefore non-random systems. What leads such generators to appear random, is that a chaotic system is a system in which very small alterations of the initial conditions may induce the values of the state variables to be modified completely and, therefore induce the outcome of the generator and the predictability of the outcome itself to vary totally. This allows to make generators fully exploiting this possibility and, furthermore, the best situation will be the case in which the inherent chaoticity of a multi-particle system will generate noise which may be sampled. In the field of electronics, multiple methods have been developed which are precisely based on noise, whether it is thermal, shot or phase noise. In any case, a circuit will be obtained having a logical output which indeed produces a sequence of random "0" and "1". The types of chaotic generators mainly fall under three categories.

The first category displays a direct amplification of the thermal or shot noise, as described in the generator of US patent No. 6571263. Problems connected to this technique are the susceptibility to disturbances on inputs and other possible sources (substrate couplings or electromagnetic interferences) which make the integration of such circuits very laborious.

Indeed, if noise is (at least ideally) a source of Gaussian amplitude and is therefore random, the disturbances, although not deterministic, may be greatly polarised and thus need to be attenuated as much as possible with respect to the input Gaussian noise. In the second category an oscillator sampling is carried out. This technique results being more robust with respect to the direct amplification in the presence of deterministic disturbances (because of non-linear effects due to aliasing) although generators employing ring oscillators typically display a time inaccuracy that does not allow to guarantee an appropriate degree of randomness.

In the third category there occurs an amplification and an analog- digital reconversion of the quantisation error of an analog-digital converter. This technique is also more robust with respect to the direct amplification in the presence of deterministic disturbances. The advantage thereof is that it exploits the inaccuracy of an analog-digital converter, which usually is a limiting factor for it, to create random numbers.

Very often, in practice, these three methods are used together, by integrating them in a single system. Therefore, not only is there an increase in the quality of the bits produced, but also a considerable increase in the rate the bits are provided with (higher than 1 MHz). In this manner, or by other similar configurations, very robust systems may be obtained with respect to various disturbances.

However, as already set forth previously, the pseudorandom generation systems are far from producing good quality random bits and chaotic systems, even passing all tests, do nothing more than "hide" their actual non-randomness behind the chaoticity characterising them. Therefore, it appears reasonable to look for randomness where it is the basis of the behaviour of systems: in quantum physics. Quantum mechanics is indeed fundamentally and intrinsically random; even its results may be processed only in probabilistic terms.

In these terms, the opportunities provided by quantum mechanics are countless. One of the first random number generators operating by quantum effect, designated Hot Bits, was made in 1986. The quantum principle exploited was the measurement of the time elapsing between subsequent decays of Krypton 85 atoms by the use of a Geiger counter. The quantum theory states that such decays occur at random intervals. The only drawback is the poor generation rate, only 30 bits/sec, which is insufficient for most applications.

More recently, optic quantum generators have been developed. An example thereof may be a photon striking a partially reflecting surface. In quantum physics, this apparatus is interpreted by stating that a particle encounters a potential barrier during its motion. Well, depending on the ratio between the energy of this photon and the height of the barrier, there will be a reflection coefficient R representing the probability of the photon being reflected or transmitted. By giving the photon flow the appropriate size, R will be equal to 1/2, that is 50% of the probability of the photon being detected by the other part of the reflecting surface.

A random number generator exploiting a quantum effect may indeed be obtained by associating a "1" to the photon detection or a "0" to the non- detection, such as that described in US patent No. 6539410. In some implementations the principle exploited is similar to that previously described: a photon (one at a time, one for each random bit to be generated) is induced to strike a semitransparent mirror which may transmit it on a first detector or reflect it on a second detector. Quantistically, the probability of the first hypothesis taking place is 50%, exactly like the second. If a "1" is associated to the first detector and a "0" is associated to the second one, the generator will issue a "1" or "0" depending on where the photon has actually come to.

In another implementation a single detector is exploited, and the photon may cover two different optical paths with different propagation times. The time elapsed between the synchronism signal and the detection of the photon indicates which path has been covered and therefore identifies the bit, such as described in US patent application 2006/0010182.

In another implementation, the time interval between two subsequent synchronism pulses is subdivided in a certain number of subintervals, such as described in US patent application 2004/0139132. The photon flow is calibrated and modulated in order to have on average only one photon for each interval. The subinterval in which the photon falls, identifies a multiple bit value, which is used to generate the random stream. In yet another implementation the time elapsed between the two photon hits may be measured, thus obtaining a multiple-bit exponential random distribution, such as described in US patent 6542014.

All of these methods have a drawback: even though it has randomness features, the resulting stream may be strongly polarised (that is it has a probability of having "1" other than of having "0", that is other than 50%).

To solve this problem, a posteriori depolarising algorithms or feedback systems removing the polarisation at the source are therefore used. In any case, this makes the system more complicated, leading the miniaturisation thereof to be less convenient, and sometimes also reducing the actual bit rate. In view of the state of the art, the object of the present invention is to provide a quantum random number generator overcoming the above-said drawback.

According to the present invention, said object is achieved by a quantum random number generator comprising a quantum event detector, first means adapted to acquire the signal outputted from such a detector and to generate a corresponding pulse signal, a binary counter adapted to count the pulses of said pulse signal in subsequent preset periods of time and to issue an n-bit digital signal, n being an integer, in response to the pulses counted in each time period, characterised in that it comprises second means adapted to extract a least significant part of each digital signal issued by the binary counter, said least significant part being defined as the integer remainder of the division of said digital signal by 2m, where m is a number varying from 1 to n and is determined by an external command, said least significant part of the digital signal representing a random number.

Again according to the invention, a method for the quantum generation of random numbers according to claim 16 may be provided.

The features and advantages of the present invention will become apparent from the following detailed description of practical embodiments thereof, which are disclosed by way of non- limitative example in the accompanying drawings, in which: figure 1 shows a quantum random number generator according to the invention; figure 2 shows the quantum events associated to the various time periods; figure 3 is a chart of the probability of counting a number of pulses N in a time window; figure 4 is a diagram of a part of the generator in figure 1 according to a first embodiment of the invention; figure 5 is a diagram of a part of the generator in figure 1 according to a second embodiment of the invention; figure 6 shows two of the digital counts outputted from the counter in figure 1 and the possible truncations; figure 7 is a chart of the probability of the digital count truncated at a cipher being equivalent to "0" and "1"; figure 8 is a chart of the probability of the digital count truncated at two ciphers being equivalent to "00", "01", "10" and "11"; figure 9 is a diagram of a possible implementation of the generator in figure 1 with the use of a single photon SPAD detector. With reference to figure 1 a random number generator according to the invention is shown; the generator comprises a quantum source 1 comprising a detector 3 for at least one quantum event 2 (for instance, single photons, ionising radiations, particles), an electronic front-end circuitry 5, and a counter 7. Said generator comprises a device 10 having the digital count inputted from the output of the counter, which is adapted to generate random numbers corresponding to said digital count outputted from the counter.

The electronic circuitry 5 is a circuit for the acquisition of the signal 4 generated by the detector and for the generation of a pulse signal 6 to be sent to the counter. The counter 7 is a binary counter adapted to count the pulses of the signal 6 in preset time periods T and adapted to generate a signal or digital count Ndig in response to the pulses counted in each time period T.

The duration of the time periods T is determined by an external signal 32; the time intervals T may be identical to one another or different from one another, contiguous or non-contiguous, as shown in figure 2 with the time intervals TA, TB, TX.

The counter 7 sends the completed count, that is the digital signal Ndig associated to the pulses counted for each time period T, to the device 10.

The digital signals outputted from the counter are for instance the numbers

NA (an-l..aθ), NB (bn-l..bθ), NC (cn-l..cθ) etc. associated to the count time periods TA, TB, TC etc. of the counter 7, as noted in figure 2, where the numbers ND are also shown, associated to the time period TD and the generic number NX associated to the generic time period TX, having a different duration with respect to TA, TB, TC, TD, as well as the possible time Tgap elapsing between two subsequent non-contiguous periods. Therefore, a Poisson source of events is available. Having defined the count N aleatory variable having known features on such a source, measuring N for a preset time interval T, and considering precisely the measurement of N as the random number and continuously repeating the experiment could be thought about. For each interval T a random n-bit number N will be outputted. This would be feasible although the numbers generated would be inappropriate to be used as a cryptographic key, this owing to the fact that N, which follows Poisson's law, is far from having a uniform probability distribution.The generated results would inevitably polarise around the average λ, as may be noted from figure 3 showing a chart of the probability P(N) of counting the number N, when the average number of events counted is equivalent to Naverage = λ = 10. Indeed, to generate random numbers, a process having a probability density as uniform as possible needs to be extracted. Furthermore, the distribution obtained would strongly depend on the value of λ and T, which could also vary in time. The apparatus and method according to the invention instead allow to obtain polarisation free sequences having randomness features which are indipendent of these parameters. This is made possible by the extraction of a least significant part from every digital count outputted by the binary counter through a device 10; said least significant part represents a random number.

As shown in figure 4, in accordance to a first embodiment of the invention, the device 10 comprises a dedicated device 11 that receives the digital signals NA (an-l..aθ), NB (bn-l..bθ), NC (cn-l..cθ) etc. outputted from counter 7 and extracts a least significant part Ndigt from said digital signals. The least significant part Ndigt is sent by means of an interface 12 to a processor and represents a random number. An external signal S determines the number of bits required to form said least significant part. The device 11 acts as a selector because it selects which bits of the inputted digital counts NA (an-l..aθ), NB (bn-l..bθ), NC (cn-l..cθ) etc., it must output. The interface 12 has a reading synchronism signal 17.

According to a second embodiment of the invention, shown in figure 5, the device 10 comprises the interface 12 that receives the digital counts NA (an-l..aθ), NB (bn-l..bθ), NC (cn-l..cθ) etc. outputted from the counter 7 and sends them to a processor 20 which is capable of extracting a least significant part Ndigt representing a random number from said digital counts by means of an appropriate software. The interface 12 and the processor 20 have a reading synchronism signal 18 and the processor has an external command S that defines the amount of bits of Ndigt, equivalent to the least significant part of Ndig. The information upon the parity of the measured count N may be considered as an example of a random number, only at two levels: that is outputting for instance '0' if the measured count N is even, '1 ' if it is odd. It is apparent that, by operating in this manner, a binary random number generator is obtained, as shown in figure 6, where a truncation at a cipher NA0=a0, NB0=b0 is obtained from the signals NA (an-l..aθ), NB (bn- l..bθ). This is equivalent to considering the probability of the number being even or odd. If, by grouping and adding together these probabilities, a distribution which may be approximated to the uniform probability (a uniform discrete distribution which may only take the values N = "0", "1") is obtained, it then means that the information upon the parity of the random

"candidate" numbers produced, extracted by such a process, is adapted to generate a cryptographic key and the smaller the deviation from the uniform distribution, the better the quality of the bits produced. By performing Poisson's series and grouping both the even and the odd terms, there follows:
- ^{■} (1 + e^{"2λ} )

P[N = "0"] = 2 ^{v} '

P[N = t "t i! 5"5"]! 10 . (1 - e^{"2λ})

where λ is the average value. Therefore, the deviations are analytically:

1 -2λ

— ^{■} e εlbit = εO = -εl = 2

where it may be noted that the error is a function rapidly decreasing with λ.

The expression allows to define a minimum λ, such that the deviations are sufficiently small. For higher values of λ, possible oscillations of λ and T do not deteriorate the quality of the random sequence generated. Figure 7 shows the probability diagram P(Ndigt) of the digital count Ndigt, equivalent to the count Ndig truncated at the first cipher, being a "0" or a "1", when λ=10, and of the distribution being that in figure 3.

In order to increase the actual bit-rate of the generator with the duration T of the count interval being equal (the interval, the minimum value of which may be limited by the performance of the counter 7, by the interface 12, or by the dead time of the detector 3), the method may also be extended to increasingly more significant bits up to the most significant one. If the binary encryption of such measurements is considered, an acquired even number means that the least significant cipher of its binary encryption is a "0", an odd number means that such a cipher is "1". Therefore, stating that the information upon the parity is random or not, corresponds to stating that the least significant bit is a random bit ("0" or "1") or not. Just as making considerations upon the parity of a number corresponds to making considerations on the last bit (the least significant bit) and therefore corresponds to determining whether the integer remainder of the division by 2 is "0" or "1", then making considerations on the last 2 bits corresponds to determining whether the integer remainder of the division by 22 is 0 ="00", l="01", 2="10" or 3="11". So on up to the most significant bit and the integer remainder of the division by 2n, where n is the maximum number of bits of the binary counter, as shown in figure 6 with the digital signals NA(an-L.aO), NB (bn-l..bθ), which are gradually truncated at two ciphers

NAl, NBl, at three ciphers NA2, NB2, at n-1 ciphers NAn-2, NBn-2. Therefore, the least significant part Ndigt extracted from each digital count outputted from the binary counter 7 through means 10, is defined as the integer remainder of the division of the digital signal Ndig by 2m, where m is a number varying from 1 to n and is determined by an external command

S; said least significant part of the digital count represents a random number.

Therefore, the extraction of 2 or more bits for each count interval is nothing more than an extension of the single-bit case. The object is indeed to produce a 2m- symbol alphabet having uniform probabilities starting from a Poisson series. For instance, in the 2-bit case (for instance starting from the

NA (an-l..aθ), NB (bn-l..bθ) signals, to obtain the numbers truncated at two ciphers NAl, NBl in figure 6), thus codifying the 22 symbols of such an alphabet with the usual binary encryptions "00"=0, "01"=l, "10"=2 and "11"=3 there follows, by taking the first, the fifth, the ninth term etc. on the Poisson series (and the same for the other results):

)
^{e"λ •} T ^{■} (l + 2e^{"λ}sinλ - e^{"2λ} ) P ["01"] =
= 4 ^{v 7} °° λ^{(4i+2)} ^{ e"λ ■} ∑TTTTTSf T ^{■} 0 - 2e^{"λ}cosλ + e^{"2λ} ) P["10"] = i=o l^{4}« + ^{2}/ = 4 ^{v} '

P["l l"] = ^{e"λ}
_{=} τ 4 - ( vl - 2e^{"λ}sinλ - e^{"2λ} ) ^{/}

Therefore, the deviations are analytically:
-^{•}(2e^{λ})=--e ε2bit≡εθθ≡εθl≡εlθ≡εll< 4 ^{v} ' 2

From these probabilities P["0"] and P["l"] are readily obtained, as:

P["0"]=P[0|00]P[00]+P[0|10]P[10]+P[0|01]P[01]+P[0|ll]P[ll] P["l"]=P[l|00]P[00]+ P[l|10]P[10]+ P[l|01]P[01]+ P[l|ll]-P[ll]

There is obtained:

1 e^{"2λ} e^{"λ} IH 1 (sinλ + cosλ)

P["0"]= ^{2} 2 2

The deviations are therefore:

- ^{•} e^{"λ •} (e^{"λ} + sinλ + cosλ)< - ^{•} e^{"2λ} + - ^{•} e^{"λ} = - ^{■} ,-λ _{ε0}=._{ε}l=4 ^{V J} 4 2 2

Figure 8 shows a probability diagram P(Ndigt) of the digital signal

Ndigt, equivalent to the digital count Ndig truncated at the last two ciphers, being "00", "01", "10" o "11".

Now supposing that, instead of taking 2 bits at a time from a window having a duration T and an average λ, 1 bit is taken from a window having a duration of T/2 and an average of λ/2. The bit rate will therefore be the same in the two cases, such as the rate v, given by v=λ/T, and the expression of the error does not change by taking 2 bits at a time in T or taking 1 bit at a time twice every T/2. This indicates that the bit rate may be increased by using both devices. In particular, by reducing the measurement time up to the minimum allowed by the specific implementation of the apparatus, and then by extracting an increasingly higher number of bits, up to the limit allowed by the uniformity of the distribution obtained on the basis of the maximum operative rate of the generator. Therefore, by operating on the signal 32, the periods of time for the count of the pulses 6 as a function of the least significant part of bits to be extracted, may be reduced or increased.

As shown in greater detail in figure 9, where an implementation of the generator of figure 1 is shown, the detector 3 is preferably a single-photon detector and is specifically comprised of a single photon avalanche photodiode (SPAD) and the electronic circuitry 5 is comprised of an Active Quenching Circuit (AQC). Said figure shows a possible non- limiting practical embodiment of the invention, in which the second means 10 are comprised of a binary counter 7 (at most a single flip-flop in a toggle configuration), in which only the least significant bit is physically connected to the interface 12, thus allowing the extraction of the Ndigt number, equivalent to the truncation at a single bit in the Ndig number. The interface

12 communicates with a remote apparatus 23 through the serial lines 24 and 25, thus allowing to set the signal 32 defining the duration T of the count windows through a timing circuit 26. In any case any other detector adapted to detect single quantum events (photons, particles, ionising radiations, Poisson events, etc.) is intended to be used for this purpose.

The SPAD is substantially a strongly polarised reverse p-n junction. Under these conditions, the electric field is so high that a single electron- hole pair, which is designated as primary pair, generated within the unoccupied space may lead to the production by impact ionisation of an avalanche of carriers. The space charge area may be exposed to external light, thus the primary pair may be photo-generated. In this case, the leading edge of the avalanche signal signals the approach of a photon on the detector. Thermally generated carriers may activate the avalanche as well: the parameter quantifying these triggers is indeed the rate of "dark" events. For the purposes involved, the two thermal and photonic generation effects represent two indipendent Poisson sources having a quantum nature. The generator of figure 9 comprises means 200 capable of varying the rate of photons detected by the detector 3.

In series to the photodiode 3, and within the electronic circuitry 5, there is a resistance RB (not shown in the figures) which passively starts to depolarise it with the voltage drop due to the avalanche current. In addition to this, there is an actual sensing circuit which, once the pulse has been detected, through a positive reaction, switches the photodiode off (that is it restores it to the avalanche voltage). The hold-off time the monostable within the circuit waits for before sending the reset signal may be externally set. The set of switching off, hold-off and reset times represents the dead time tdead of the detector, and therefore sets the maximum count rate thereof. In the current implementation such a saturation rate of the detector is on the order of 30 MHz. By way of example of the performances that may be obtained by the apparatus, the following parameters may be considered, when the method is applied to the preferred implementation of the invention, based on a single photon avalanche photodiode (SPAD). The average of the Poisson distribution λ is therefore the average of the number of avalanches detected. Therefore, if T were equivalent for instance to 100 μs (and therefore the updating frequency of the counter sampling were f = 1 OkHz), there would be an outputted random bit rate equivalent to fbit = m-f. Taking for instance m = 2bits, fbit = 20kbit/s would be obtained. Now setting as a uniformity limit ε2bit < 10-6, a minimum λ equivalent to 13 will be obtained. In this case the minimum process intensity required results being v = λ / T = 130kHz. This event rate may be provided without distinction from the dark counts of the detector or, if insufficient, from an external illumination through means 200. The intensity being equivalent, attempting to subdivide the time window by outputting less bits, leads neither to a higher rate, nor to better performance. It is clear, though, that by increasing v by means of illumination, more events will occur in the window (λ = vT) and therefore it will be possible to output more bits even on reduced windows preserving the quality of the generated stream. By reducing the window time, a new v may be set so as to maintain unaltered the value of λ. For instance, with T° = °10μs, outputting 2 bits, fbit = nbit f = 200kbit/s will follow. In this case, the minimum process intensity required would result being v = 1.3MHz, still far from the saturation limit of the detector.

The analysis performed up to now has been carried out in ideal conditions, that is under conditions in which the event, intended as the trigger of the detector and the creation of the pulse by the electronics, has an infinitesimal duration. This hypothesis was required to treat the generation process as a Poisson process. However, as the detector and the electronics (such as the SPAD and the AQC) are physical objects, they introduce a finite time required for the detection and the acquisition of the event. Each detected avalanche is followed by a time interval td_{ea}d during which the detector does not detect any further trigger causes (whether these are photons or thermal generations). This means that if an avalanche is triggered at a time tl and a second avalanche is triggered at a time t2, if t2° - tl° = °tdead, the second avalanche will not be detected. Strictly speaking, the process resulting from the introduction of this non-ideality is no longer a Poisson process. In any case, modifications may be made to the model selected to verify how and how much the results deviate from the results expected with the model itself.

Theoretically, if λ avalanches are expected to fall on average in a time window having a duration of T in the absence of the dead time, then to a first approximation, by considering it, the average number of avalanches detected λr_{ea}i is expected to be equivalent to that of a window having a duration of:

^{1} dead

Treal ^{~~} T — λr_{ea}l tdead " T - 1 — λ ^real
As the intensity of the two processes does not vary, then:

^{1} T real ^{1} T '

from which:

λ_{re}a_{l}
The latter relation allows to adjust the intensity of the process even in the presence of a dead time td_{ea}d, provided that the latter is reasonably shorter than the measurement time T. As noted, if for instance T were 100 μs and ε2bit < 10-6 were required, a minimum λ_{rea}i equivalent to 13 would be obtained. In the presence for instance of a dead time equivalent to 2 μs, this requires λ=17.5, equivalent to a minimum intensity required v = λ / T = 175kHz, instead of 130kHz, such as in the ideal case having no dead time.

CLAIMS

1. A quantum random number generator comprising a quantum event (2) detector (3), first means (5) adapted to acquire the signal (4) outputted from the detector and to generate a corresponding pulse signal (6), a binary counter (7) adapted to count the pulses of said pulse signal (6) in subsequent preset periods of time (T) and to issue an n-bit digital signal (Ndig), n being an integer, in response to the pulses counted in each time period, characterised in that it comprises second means (10) adapted to extract a part (Ndigt) from each digital signal (Ndig) issued by the binary counter (7), said part being defined as the integer remainder of the division of said digital signal by 2m, where m is a number varying from 1 to n and is determined by an external command (S), said part of the digital signal representing a random number.

2. A generator according to claim 1, characterised in that said part (Ndigt) is a least significant part and is comprised of the least significant bit of the digital signal.

3. A generator according to claim 1, characterised in that said part (Ndigt) is a least significant part and is comprised of the two least significant bits of the digital signal. 4. A generator according to claim 1, characterised in that said time periods (T) have the same time duration.

5. A generator according to claim 1, characterised in that said time periods (T) have a different time duration.

6. A generator according to claim 1, characterised in that said time periods (T) are contiguous.

7. A generator according to claim 1, characterised in that said time periods (T) are non-contiguous.

8. A generator according to claim 1, characterised in that it comprises further means (32) adapted to vary the count time period as a function of said part (Ndigt) defined by said second means (10).

9. A generator according to claim 1, characterised in that said second means (10) comprise a selector (11) for the bits which form said digital signal (Ndig) and an interface (12) arranged between the output of said selector and a remote apparatus. 10. A generator according to claim 1, characterised in that said second means (10) comprise a processor (20) provided with a software adapted to determine said least significant part (Ndigt) and an interface (12) arranged between the output of said counter (7) and the input of said processor.

11. A generator according to claim 1, wherein the quantum event detector (3) is a photon detector (2).

12. A generator according to claim 11, characterised in that said photon detector consists of a SPAD detector (21).

13. A generator according to claim 11, characterised in that the quantum events used to generate the random numbers comprise the dark events of the photon detector (3) itself.

14. A generator according to claim 11, characterised in that the quantum events used to generate the random numbers comprise photons (2) incident on the photon detector (3).

15. A generator according to claim 13 or 14, characterised in that it comprises means (200) adapted to adjust the photon (2) rate as a function of said part (Ndigt) defined by said second means (10).

16. A method for the quantum generation of random number comprising the detection of quantum events, the generation of a pulse signal (6), representative of the amount of detected events, the binary count of the pulses of said pulse signal in subsequent preset periods of time (T) and the generation of an n-bit digital signal (Ndig), n being an integer, in response to the pulses counted in each time period, the extraction of a part (Ndigt) of each digital signal generated, said part being defined as the integer remainder of the division of said digital signal by 2m, where m is a number varying from 1 to n and is determined by an external command (S), said least significant part of the digital signal representing a random number.

17. A method according to claim 16, characterised in that said part (Ndigt) is a least significant part and is comprised of the least significant bit of the digital signal. 18. A method according to claim 16, characterised in that said part

(Ndigt) is a least significant part and is comprised of the two least significant bits of the digital signal.

19. A method according to claim 16, characterised in that said time periods (T) have the same time duration. 20. A method according to claim 16, characterised in that said time periods (T) have a different time duration.

21. A method according to claim 16, characterised in that said time periods (T) are contiguous.

22. A method according to claim 16, characterised in that said time periods (T) are non-contiguous.

23. A method according to claim 16, characterised in that it comprises the variation of the count time period (T) as a function of said part (Ndigt).