Practical randomness amplification and privatisation with implementations on quantum computers

We present an end-to-end and practical randomness amplification and privatisation protocol based on Bell tests. This allows the building of device-independent random number generators which output (near-)perfectly unbiased and private numbers, even if using an uncharacterised quantum device potentially built by an adversary. Our generation rates are linear in the repetition rate of the quantum device and the classical randomness post-processing has quasi-linear complexity - making it efficient on a standard personal laptop. The statistical analysis is also tailored for real-world quantum devices. Our protocol is then showcased on several different quantum computers. Although not purposely built for the task, we show that quantum computers can run faithful Bell tests by adding minimal assumptions. In this semi-device-independent manner, our protocol generates (near-)perfectly unbiased and private random numbers on today's quantum computers.


Introduction
Unpredictable numbers, often termed randomness or entropy, are the cornerstone of numerous applications in computer science. In cryptography for example, so-called keys need to be generated using (near-)perfectly uniform and private numbers for secrecy not to be compromised. In quantum cryptography too, randomness is essential, e.g. in quantum key distribution in which distant parties consume local randomness to generate a shared secret key. In addition, randomness is a crucial resource for mathematical simulations such as Monte-Carlo techniques, for gambling, or for assuring a fair, unbiased, choice in a political context. Consequently, an equally fundamental and practical question is: How can one be sure that some generated numbers truly are unpredictable and private, i.e. (near-)perfectly uniformly distributed and independent of an adversary's information?
A possible approach is to aim directly at building a trustworthy random number generator (RNG). Such a device should then be characterised well enough to always function as promised, or the security of the task could be compromised. Physical RNGs generate random numbers from a physical process that is either chaotic [1] or quantum [2,3]. The idea is then that the outcomes of this process are hard to predict or even, in the case of certain quantum processes, intrinsically random. Unfortunately, there are at least three problems with this approach:
1. An accurate model of the underlying physical process is necessary yet hard to build. It is also challenging to completely isolate the desired process from undesired noise or its environment. In short, hardware characterisation is difficult and prone to errors. Moreover, the RNG provider has to be trusted or the device seriously inspected.
2. Many RNGs require an initial (near-)perfect random seed as a resource, the existence of which is very difficult to justify.
3. Most RNGs do not offer security against a quantum adversary, which might share quantum correlations with the device.
An alternative approach is to accept that directly building an RNG outputting (near-)perfect randomness is challenging, if not practically impossible. The objective is then to build a scheme in which a source of randomness is instead amplified in a way that the amplified output is provably (near-)perfectly random and private, i.e. relaxing the need to build a trustworthy RNG directly.
It is known that an imperfect source of randomness alone cannot be amplified using classical processes without making strong assumptions about the source [5]. This changes when one has access to quantum resources [6]. Indeed, with the addition of a quantum device it is possible to perform device-independent randomness amplification and privatisation [7]. That is, an RNG whose output is neither uniform nor private to the user is amplified to generate provably (near-)perfectly uniform and private numbers [7][8][9][10][11][12][13][14]. The device-independent approach makes it possible to certify the random and private nature of the output without the need to model the internal functioning of the quantum device, which can essentially be seen as a black box and therefore requires minimal trust (see [15] for a review). This is an important feature especially in the field of quantum technologies, since quantum hardware is notoriously noisy.

The need for device-independence
As opposed to building a trustworthy RNG directly, we follow the idea outlined above, namely, building so-called device-independent protocols for randomness certification, in which only minimal assumptions are made on the quantum hardware that is used. By seeing the devices essentially as black boxes, it is possible to obtain lower bounds on the entropy generated without relying on a precise description of the internal functioning of the devices. Because of this, we obtain a higher level of security that is mostly independent of hardware assumptions, thereby addressing problem 1 mentioned above. This is possible because of the violation of Bell inequalities, which we explain in more detail in Sec.4.3. To understand the benefits of the device-independent certification approach that we follow, we give several examples of known attacks on existing cryptographic systems that it avoids. A famous example is the vulnerability discovered in Dual EC DRBG, a pseudo-RNG that was favoured by the U.S. National Security Agency (NSA) and standardised by the National Institute of Standards and Technology (NIST). A weakness in the design allowed anyone who knew the relationship between the two elliptic-curve points fixed in the standard to predict future outputs from a small sample of generated ones [16][17][18]. More generally, numerous weaknesses and attacks on pseudo-RNGs were found and implemented [19][20][21]. Attacks on physical RNGs based on non-quantum (e.g. chaotic) processes should also not be underestimated, for example side-channel attacks [22], in which information leaking from the device is exploited, or active implementation attacks, e.g. injecting undetected errors to compromise the system [23]. Finally, quantum hardware is also known to be vulnerable to different attacks. The popular quantum random number generators (QRNGs) based on quadrature measurements on shot-noise-limited states are susceptible to attacks if the hardware is not well characterised (or cannot be trusted fully) [24].
Quantum key distribution (QKD) systems have also been successfully attacked, for example by exploiting mismatches between theory and implementation [25], but also by active light injection to extract useful information [26,27]. Another generic problem with quantum devices is that badly characterised measurements can lead to wrong claims, e.g. in state tomography or in witnessing entanglement [28], opening avenues for systematic errors and potential attacks. Even without active attacks, QRNGs requiring trust in their components are known to suffer from defects showing up in advanced statistical tests, see for example [29,30].
In contrast, the approach that we follow offers the following features:
• Device-independence: the mismatch between the theory and the physical implementation is reduced to a minimum. In particular, the number of possible active implementation attacks is reduced and unavoidable implementation imperfections are tolerated.
• Continuous self-checking: the device tests itself continuously, certifying that the output is freshly generated and can be used safely. This check accounts for undesired effects, including experimental noise and tampering by an eavesdropper, and leads to aborting the protocol if sufficient randomness and privacy cannot be guaranteed. Silent failure and false claims are avoided.
• Privacy: the protocol processes a public source of randomness, one whose output is not private to the user, into a provably private output, i.e. it generates and certifies privacy.
• Composability: the random numbers can be used safely in another cryptographic application, for example in a public-key algorithm or a QKD protocol.
• Quantum-proof security: the protocol is secure against an unbounded quantum adversary, who can be entangled with the devices or use a futuristic powerful quantum computer.

The advantages of randomness amplification
The device-independent (DI) framework that we follow allows for a very high level of security, as explained above. Nevertheless, the framework does not specify what the protocol achieves. Indeed, several DI tasks are possible and it is very important to understand their relevance in a cryptographic scenario. We now discuss two different tasks related to randomness generation: DI randomness amplification and expansion. We argue that, although randomness expansion is a useful task, randomness amplification is both strictly stronger and necessary in practice.
In contrast to an amplification protocol, in a randomness expansion protocol an initial seed of (near-)perfect randomness is expanded into a longer output. It is therefore assumed that initial (near-)perfect randomness is available as a resource, an assumption that is often difficult to justify (and often not discussed). Moreover, in the task of randomness amplification, correlations between the RNG to be amplified and the quantum devices are allowed. This removes the need for an independence-type assumption between the devices, which might be unjustified, especially if they share the same environment. Once generated by an amplification protocol, the (near-)perfect randomness may then subsequently be used as the (now well justified) seed in an expansion protocol if desired, for example to increase the generation rates.

The impossibility of cryptography with weak randomness
An important resource needed in almost all cryptographic applications is the access to a (near-)perfect source of randomness. This assumption, as discussed before, is generally very hard to justify in practice. Another important question is then "what is the impact of using weak randomness in cryptography?". In other words, what happens if the randomness is only somewhat unpredictable and not essentially perfectly random? We will see that it leads to security being compromised in many situations.
In [31], the authors show that randomness that is not near-perfectly unbiased, i.e. for which not every single bit is almost unpredictable, is insecure for encryption, bit commitment, secret sharing, zero-knowledge proofs (interactive or not) and two-party computation. This result holds even against computationally bounded adversaries. In [32], the authors show that in order to encrypt a message with unconditional security, one needs to be able to deterministically extract a (near-)perfectly random string at least as long as the message from the randomness that is consumed, which, as discussed before, is impossible with most weak sources of randomness alone [5]. The authors then generalise their results to all privacy primitives that are perfectly or statistically binding, e.g. commitment or computationally secure private- and public-key cryptography. Other works also tackle the question of the impact of weak randomness, for example [33][34][35], but their results can be seen as special cases of the ones described before.
Some positive results also exist, for example in tasks with differential privacy [35] or for authentication [31] (intuitively requiring no secrecy). Finally, note that many of these results we have mentioned discuss the impact of a weakly random shared secret key -i.e. shared randomness and not directly local randomness. We use those results to show the consequences of using imperfect RNGs to create (or distribute) those shared keys.

Our results
Theory and software for randomness amplification and privatisation. The first part of our work amounts to the continuation of [6,7,12,13] on device-independent randomness amplification and privatisation (DIRAP); in particular we follow the techniques for the statistical analysis of [7]. Our main result is an end-to-end and practical DIRAP protocol.
The technical contributions in the first part of our work are:
• The Bell inequality and statistical analysis are optimised for real-world quantum devices, using three quantum bits in an entangled state.
• The resulting protocol has a large noise tolerance and, in the noiseless limit, can amplify all non-deterministic Santha-Vazirani (SV) sources (see Sec.4.2 for the definition of these sources). Note that the good noise resistance of our protocol is impossible to achieve in the simplest set-up for device-independence (with 2 parties, inputs and outputs).
• The classical post-processing in the form of randomness extractors is designed, implemented and optimised for randomness amplification. In particular, we implemented several seeded and 2-source randomness extractors with near-linear complexity and used the Number Theoretic Transform (NTT) for efficiency and security, a result of independent interest. This allows us to reach rates of several Mbit/s for large block sizes using a standard personal laptop. We will make several of our randomness extractor software implementations available in a future work [36].

Implementations of our protocol on different quantum computers.
The main objective of the second part of our work is to provide implementations of our protocol on real-world devices available today. Indeed, although they do not allow for a loophole-free Bell test, today's quantum computers are now widely accessible and awaiting real-world applications. Our protocol makes today's quantum computers useful to generate (near-)perfect randomness for cryptography in a semi-device-independent manner in which the hardware is only partially trusted.
The contributions in the second part of our work are:
• We show that one can use today's quantum computers to run faithful Bell tests under minimal added assumptions, making the implementation semi-device-independent only. For this, we develop methods to account for undesired signalling effects (e.g. cross-talk) in devices which do not close the locality loophole. At a high level, our method amounts to trusting that the quantum computer has not been purposely built to trick the user, but otherwise allows the device to remain mostly uncharacterised.
• We showcase our software with implementations on different quantum computers and different types of physical qubits: those from the IBM Quantum Services (superconducting), from Quantinuum (ion traps) and from AQT/UIBK (Univ. of Innsbruck based on AQT system; ion traps). By tailoring the Bell inequality, statistical analysis and circuit implementation, we obtain high Bell inequality values allowing our protocol to generate random numbers for cryptography. Our protocol can also be understood as a way of benchmarking and comparing the performances of the different devices.
• We illustrate the quantum advantage of our protocol by showing that several pseudo-RNG (PRNG), a classical RNG based on a chaotic process and a commercially available QRNG are successfully amplified through our protocol. More precisely, we show that the numbers generated by the PRNG and QRNG fail at certain statistical tests, but pass them successfully once amplified by our protocol implemented on quantum computers. This suggests that, from a statistical perspective, our protocol was successful. To strengthen our results, we also show an example that the (weaker) classical alternative for randomness amplification, i.e. 2-source extraction on two PRNGs, is unable to generate numbers passing the statistical tests.
2 Relation to previous work

Other works on device-independent randomness amplification
The first to consider the task of randomness amplification were Colbeck and Renner, in the proof-of-concept work [6]. Later work focused on obtaining some noise resistance and the possibility to amplify imperfect sources with arbitrary bias [8], but has the caveat of requiring an unrealistic number of devices and having vanishing generation rates, making it unsuitable for implementations. In some other works [9][10][11], more general correlations between the imperfect RNG and the quantum device are allowed, although this comes at a high cost: amplification is possible for very small bias only (δ < 0.0144 [9] in (2) below), a large number of devices is needed (polynomial in 1/ε_sec [11] and exponential in 1/ε_sec [10], where ε_sec is the protocol error, see (1) below), there is low or no noise tolerance [9][10][11] and/or extremely computationally expensive processing steps (in [10,11] a quantum-proof randomness extractor with 2^d steps needs to be applied at the start of the protocol, to perform extraction on the imperfect RNG with every possible seed, where d is the seed length). These issues make these works unsuited for implementation. The only works that could allow for a potential implementation are [7,12,13,14]. However, our work is the only one to offer all of the following features:
• Our protocol is efficient: the randomness generation rate is linear in the runtime of the quantum device. The only other work with this property is [7], although it is unclear whether that protocol is practical to implement. The protocols in [12][13][14] would give at best an output that is sublinear in the runtime of the quantum device.
• Our randomness post-processing has near-linear complexity and was implemented using the Number Theoretic Transform, which works in exact modular arithmetic, guaranteeing information-theoretic security and making it fast in practice on a standard personal laptop. This is not the case in the other works, which have generic polynomial complexity and/or use the Fast Fourier Transform (FFT) for efficiency, whose floating-point rounding errors open up potential attacks.
• We perform both randomness amplification and privatisation, as otherwise only done in [7]. Although our statistical analysis relies on the results of [7], our work has the advantage of offering a much larger noise resistance, which is impossible to be achieved in the simpler setup that they consider. This noise resistance difference was clearly observed when we implemented the two different protocols on quantum computers, allowing ours to be implemented in practice. A detailed explanation of our claim is given in Sec.4.3.
• As a consequence of all the other points, we could optimise and implement our protocol on real-world quantum computers.
As said before, our statistical analysis mostly consists of applying the latest techniques developed in [7,12,37,38] to a set-up allowing for a practical implementation.
2.2 Other quantum randomness "generators": one name, many meanings

As discussed before, there exist other protocols that fall under the generic name of randomness generation, in particular device-independent randomness expansion as discussed in Sec. 1.1.2. For randomness expansion, the seminal works [39,40] were later followed by loophole-free Bell test implementations [41][42][43], with rates of about 180 bits/sec reported in [42] and 3.6k bits/sec in [43] (albeit against adversaries with classical side-information only). This was made possible by building on the great efforts in closing all loopholes in Bell experiments [44][45][46][47]. As discussed previously, the difference between our work (randomness amplification) and the ones mentioned (randomness expansion) is that we relax the assumption that a source of (near-)perfectly unbiased random numbers is available as a resource, and also the assumption that no correlations exist between that source and the quantum devices' behaviour, i.e. that they are independent. Remark that protocols for both randomness expansion and amplification require the use of another RNG, either as the weak source to be amplified or to provide the seed to be expanded, and are therefore perhaps better understood as "physical" randomness extractors.
Another line of research is the work on semi-device-independence (SDI), in which the device-independent framework is followed but some additional assumptions are made about the devices. Some of these SDI protocols have the advantage that they do not require the generation of entanglement, greatly increasing the repetition rate of the device. Without entanglement, the set-up is the one in which a preparation device sends different quantum states to a measurement device -there is therefore no space-like separation constraint and an additional assumption is needed. Examples of such added assumptions are a bound on the Hilbert space dimension [48][49][50][51], an overlap assumption [52] or a photon number type bound [53][54][55] on the prepared states. Those protocols, although interesting in terms of generation rates, require additional assumptions on certain components of the devices, making them less secure. Finally, different protocols have appeared in which some parts of the devices are treated in a device-independent manner, but the other parts still need to be fully trusted. An example is [56], in which the state of the source may remain uncharacterised but the rest of the device needs to be fully trusted (in particular the measurement device). In addition, all of these works focus on the task of randomness expansion. Although our protocol allows for a device-independent implementation, our implementation using quantum computers falls into the category of SDI, in the sense that additional assumptions are made (a detailed analysis of which is the subject of Sec.6.2). Comparing different SDI protocols is usually complicated and amounts to choosing the additional assumption(s) that are believed to be most valid.
Finally, the last category are "standard" quantum random number generators (QRNGs), in which a quantum process is measured to generate random outcomes, see [3] for a review. Such QRNGs require a high level of trust in their components and, as said before, are more prone to errors and implementation attacks.

Idea of the protocol
The idea and main ingredients of the protocol should be understandable for non-experts in quantum cryptography. The technical material with all the details and proofs is deferred to Appendices A -F.

Setup
Our setting is depicted in Fig. 1. In order to run a device-independent randomness amplification protocol, one needs an initial imperfect RNG, a quantum device capable of running a Bell test and a classical computer for storing data, performing the randomness verification step and post-processing.

Interaction with the quantum device -data collection
The first part of the protocol consists of collecting data which will serve to analyse the behaviour of the quantum device. It is the only step requiring quantum hardware. The quantum device is driven with different settings, called inputs, and its responses, called outputs, are recorded. Both inputs and outputs are saved for later analysis. After sufficiently many rounds of such interactions with the quantum device, one can build a faithful joint input-output probability distribution for the device; this is its observed behaviour, which will serve to certify that it truly generates unpredictable outputs.

Figure 1: The setup for device-independent randomness amplification is of the same type as in previous work [6,7,12,13]. The parts that require quantum hardware are highlighted in red, i.e. the quantum device and optionally the imperfect RNG. The user's facility is assumed to be in a safe environment, shielded from the outside once the protocol starts. The steps are as follows: (0) Before the beginning of the protocol, the adversary may have received numbers generated by the imperfect RNG and generally a description of it; this is the history or side-information h. The adversary may also have built the quantum device, using the information h, and might still be correlated with it by storing quantum systems Q that are entangled with it. (1) The imperfect RNG serves to challenge the quantum device by repeatedly sending it inputs. (2) The quantum device generates outputs each time that inputs are given to it. (3) After numerous interaction rounds, a verification is performed on the input-output statistics, which serves to certify the unpredictability of the device's outcomes. (4) Upon successful verification, the outcomes of the quantum device, together with a fresh string of numbers from the imperfect RNG, are sent to the randomness post-processing step. (5) Classical algorithms process the two strings of numbers and output a near-perfectly random and private string of numbers, the final output of the protocol (6).

Randomness certification
In the second step, the collected data is analysed in order to certify private randomness in the output of the quantum device. There exist certain input-output statistics that can only be generated by devices relying on specific quantum processes. Observing such distinctive statistics therefore serves as a certificate that the underlying process in the device truly is quantum. Furthermore, this opens up the possibility of showing that the output of the device contains some private randomness. Note that, with this approach, the user does not assume that a specific implementation generates randomness from a quantum process, but instead verifies it from the behaviour of the device. In the device-independent approach that we follow, this verification additionally requires only a minimal modelling of the internal machinery of the quantum hardware, which is essentially seen as a black box. The security of the protocol is then mostly independent of the implementation of the quantum hardware.

Randomness post-processing
The third and final step consists of extracting the private randomness that has been certified in the outcomes of the quantum device. This step is performed by a classical computer. The outcomes of the quantum device, which are only partially private and random, are processed by algorithms on the classical computer together with a fresh string from the imperfect RNG. The function of these algorithms, or extractors, is to transform the partially random and private strings into a shorter output that is near-perfect.
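The post-processing step above, and the NTT remark in the contributions list and in the comparison with previous work, can be made concrete with a small worked example. The following Python is an added example and not the paper's software: it evaluates a Toeplitz-hashing extractor (a standard seeded extractor, chosen here for illustration; the paper's own seeded and 2-source constructions are not reproduced) by computing the matrix-vector product as a polynomial convolution with an NTT modulo the prime 998244353, so every intermediate value is an exact integer and there is no floating-point rounding of the kind an FFT would introduce. Function names, the prime, and the constructed input bits are this example's own choices. Note that in an amplification protocol the seed itself comes from the imperfect RNG, so a seeded extractor alone is not sufficient; the example only shows the exact-arithmetic evaluation technique.

```python
"""Toeplitz-hashing randomness extractor evaluated exactly with a Number Theoretic Transform."""
import random

P = 998244353          # NTT-friendly prime: P - 1 = 119 * 2**23, primitive root 3
G = 3


def ntt(a, inverse=False):
    """Iterative Cooley-Tukey NTT over Z_P; len(a) must be a power of two."""
    a = list(a)
    n = len(a)
    assert n and n & (n - 1) == 0, "length must be a power of two"
    j = 0
    for i in range(1, n):                  # bit-reversal permutation
        bit = n >> 1
        while j & bit:
            j ^= bit
            bit >>= 1
        j ^= bit
        if i < j:
            a[i], a[j] = a[j], a[i]
    length = 2
    while length <= n:                     # butterflies, all in exact modular arithmetic
        w_len = pow(G, (P - 1) // length, P)
        if inverse:
            w_len = pow(w_len, P - 2, P)
        half = length // 2
        for start in range(0, n, length):
            w = 1
            for k in range(start, start + half):
                u, v = a[k], a[k + half] * w % P
                a[k], a[k + half] = (u + v) % P, (u - v) % P
                w = w * w_len % P
        length <<= 1
    if inverse:
        inv_n = pow(n, P - 2, P)
        a = [x * inv_n % P for x in a]
    return a


def convolve(a, b):
    """Exact integer convolution of two 0/1 (or small-integer) sequences via NTT."""
    size = 1
    while size < len(a) + len(b) - 1:
        size <<= 1
    fa = ntt(a + [0] * (size - len(a)))
    fb = ntt(b + [0] * (size - len(b)))
    prod = ntt([x * y % P for x, y in zip(fa, fb)], inverse=True)
    return prod[:len(a) + len(b) - 1]


def toeplitz_extract(x, seed, m):
    """m output bits of T*x mod 2, where T is the m x n Toeplitz matrix with
    T[i][j] = seed[i + n - 1 - j]; the seed must have n + m - 1 bits.
    (T*x)[i] is coefficient i + n - 1 of the polynomial product seed(X) * x(X)."""
    n = len(x)
    if len(seed) != n + m - 1:
        raise ValueError("seed must have n + m - 1 bits")
    c = convolve(seed, x)                  # entries are exact counts <= n < P
    return [c[i + n - 1] & 1 for i in range(m)]


def toeplitz_naive(x, seed, m):
    """Reference O(n*m) evaluation of the same matrix, for cross-checking."""
    n = len(x)
    return [sum(seed[i + n - 1 - j] & x[j] for j in range(n)) & 1 for i in range(m)]


def demo(n=256, m=128):
    rng = random.Random(2024)              # constructed input bits, fixed for reproducibility
    x = [rng.randint(0, 1) for _ in range(n)]
    seed = [rng.randint(0, 1) for _ in range(n + m - 1)]
    out = toeplitz_extract(x, seed, m)
    assert out == toeplitz_naive(x, seed, m)
    return out


if __name__ == "__main__":
    print("".join(map(str, demo())))
```

The convolution entries are sums of at most n products of bits, so they never wrap modulo P as long as n < P; reducing them modulo 2 afterwards gives the GF(2) matrix product exactly, which is what makes the NTT route preferable to an FFT whose rounded outputs would have to be snapped back to integers.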

Main tools and ingredients

4.1 What is cryptographic randomness?
The concept of randomness is present in numerous disciplines and its definition varies between applications. Here we ask for the most stringent definition, namely randomness for cryptography. In particular, randomness in the cryptographic setting that we follow means that the generated output is unpredictable to any adversary that is only assumed to respect the laws of quantum physics. We do not, for example, rely on computational assumptions about the adversary (is it really random otherwise?). This unpredictability requires two properties: uniformity and privacy. Indeed, even if used in a safe environment protected from the outside, a device generating a pre-determined sequence of numbers would not make a good RNG. The same applies to random numbers that are truly unpredictable when generated but immediately known to an adversary afterwards. In both cases, the numbers are not suited for cryptographic use.
As the security criterion, we ask [57,58] that the joint state of the user (describing the random numbers that are generated at the output of the protocol) and of the adversary is essentially indistinguishable from a state in which the user's state is uniform and uncorrelated to the adversary's:

$$(1 - p_{\mathrm{abort}})\,\big\|\rho_{UE} - \mathbb{1}_U \otimes \rho_E\big\|_1 \le \varepsilon_{\mathrm{sec}}, \qquad (1)$$

in which $U$ denotes the system of the user, $E$ the one of the adversary, $\mathbb{1}_U$ the (normalised) identity state on the user's side, and $\|\cdot\|_1$ is the trace distance. The security of the protocol is conditioned on the probability of not aborting, $1 - p_{\mathrm{abort}}$. As an example, when the protocol does not abort and in the trivial case $\varepsilon_{\mathrm{sec}} = 1$, there is no constraint on the joint quantum state $\rho_{UE}$ of the user and adversary, which may therefore be correlated. Condition (1) reflects the requirement that the adversary's system $E$ be uncorrelated to the system $U$ held by the user and that the state of the user is the uniform one, i.e. privacy and uniformity as discussed above. The security parameter $\varepsilon_{\mathrm{sec}} \in [0, 1]$ quantifies the joint probability of not aborting and of distinguishing the joint state $\rho_{UE}$ from the ideal one $\mathbb{1}_U \otimes \rho_E$, even for an extremely powerful adversary possessing information $h$ and $Q$ about the quantum device (see Fig. 1). Note that the adversary is only assumed to respect the laws of quantum physics and is otherwise unbounded. It may for example possess a powerful futuristic quantum computer.
Importantly, this security definition is composable [57], which means that the generated random numbers can safely be used in another protocol. Note that composability for device-independent protocols only holds, strictly speaking, when the physical devices used to run the protocol are not used again (and the adversary is never given access to the devices afterwards). Indeed, as noted in [59], if the devices were to be re-used, for example to run the same protocol again, then there is in principle nothing forbidding a malicious device from storing information from the first execution and leaking it during the second one. One is therefore obliged to assume that the devices do not use such memory effects between two executions of protocols using the same physical devices, an assumption which is implicit when fully trusting the devices, but not in the device-independent framework that we follow.
Finally, because of this stringent definition, random numbers that are useful for cryptographic applications can also be used in all other applications such as mathematical simulations, computations, gambling, etc.

Imperfect random number generators
The starting point of the protocol is an imperfect RNG that needs to be amplified into cryptographic randomness satisfying the definition in (1). We consider RNGs that output sequentially, i.e. output bits $r_i \in \{0, 1\}$ with $t(r_i) < t(r_{i+1})$ the time at which each bit is generated. Contrary to other approaches for randomness generation, for example randomness expansion, in randomness amplification those bits are not assumed to be completely unpredictable, private to the user, nor distributed in an identical and independent way (the IID assumption). The starting assumption is that each bit is only somewhat unpredictable, conditioned on the previously generated bits and on any additional information $h$ an external observer has about this source (see Fig. 1). Following the literature, we say that such imperfect RNGs generate weak randomness only. Such a weak source of randomness is called a Santha-Vazirani (SV) source and was first studied in [5]. The quality of an SV source is quantified by the parameter $\delta \in [0, \tfrac{1}{2}]$ such that

$$\tfrac{1}{2} - \delta \;\le\; p(r_i \mid r^{i-1}, h) \;\le\; \tfrac{1}{2} + \delta \quad \text{for all } i, \qquad (2)$$

where $r^{i-1} = (r_{i-1}, r_{i-2}, \ldots, r_1)$ are all the bits that were previously generated and $p(r_i \mid r^{i-1}, h)$ denotes the probability of guessing outcome bit $r_i$ given the history $h$ and the previous bits generated during the protocol. It is known that it is impossible to amplify an SV source using classical processes without additional assumptions [5]. More precisely, it is impossible to process the outcomes of an SV source with parameter $\delta > 0$ into an output string with parameter $\delta' < \delta$. Additionally, in our work the output of the SV source is not assumed to be private. Such a public source of randomness is one that is not perfectly predictable before the numbers are generated, but once generated these numbers are possibly known to anyone. An example of such a public source is a randomness beacon available on the internet. Such numbers are obviously not (directly) usable in cryptographic applications requiring privacy.
With additional quantum resources, it becomes possible to amplify SV sources [6]. The objective of a protocol for randomness amplification and privatisation is to process the outcomes of a public SV source with parameter δ ∈ [0, 1 2 ] into a final output that is provably near-perfectly random and private, i.e. δ → 0 (in particular, this is the case if (1) is satisfied for some ε sec ). For this, one needs an additional quantum device.
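The classical impossibility result of [5] quoted above can be checked exactly for small block lengths. The following Python is an added example, not code from the paper: for any fixed deterministic post-processing function f from n source bits to one output bit, it builds the adversarial δ-SV source from the Santha-Vazirani argument (at every step the next bit is pushed, with probability 1/2 + δ, towards whichever continuation makes f more likely, or less likely if f is 0 more often than 1 under uniform input) and computes the resulting output bias with exact rational arithmetic. Every conditional bit probability of that source satisfies (2), yet the bias of f never drops below δ, so XOR-ing, majority-voting, or any other classical function of the bits cannot produce a source with a smaller δ. The function names and the sample post-processing functions are this example's own.

```python
from fractions import Fraction
from functools import lru_cache


def sv_adversary(f, n, delta):
    """Exact analysis of the Santha-Vazirani argument for one post-processing
    function f: {0,1}^n -> {0,1} (called with a tuple of n bits).

    Builds the adversarial delta-SV source that, bit by bit, biases towards
    whichever continuation makes f more likely (if f is 1 at least half the
    time under uniform input) or less likely (otherwise).  Each conditional
    bit probability is exactly 1/2 + delta or 1/2 - delta, so condition (2)
    holds, yet f(r) ends up at distance at least delta from uniform.

    Returns (p_uniform, p_adversarial): Pr[f = 1] under uniform input and
    under the adversarial source.  Pass delta as a Fraction or a string such
    as "1/10"; all arithmetic is exact.
    """
    delta = Fraction(delta)
    half = Fraction(1, 2)
    if not 0 <= delta <= half:
        raise ValueError("delta must lie in [0, 1/2]")

    @lru_cache(maxsize=None)
    def g(prefix):
        # Pr[f = 1 | prefix] when the remaining n - len(prefix) bits are uniform.
        if len(prefix) == n:
            return Fraction(f(prefix))
        return (g(prefix + (0,)) + g(prefix + (1,))) / 2

    push_up = g(()) >= half   # push towards f = 1 if that side is (weakly) larger

    @lru_cache(maxsize=None)
    def h(prefix):
        # Pr[f = 1 | prefix] when the remaining bits come from the greedy adversary.
        if len(prefix) == n:
            return Fraction(f(prefix))
        c0, c1 = prefix + (0,), prefix + (1,)
        if (g(c1) > g(c0)) == push_up:
            favoured, other = c1, c0
        else:
            favoured, other = c0, c1
        return (half + delta) * h(favoured) + (half - delta) * h(other)

    return g(()), h(())


def output_bias(f, n, delta):
    """|Pr[f = 1] - 1/2| under the adversarial SV source (a Fraction, always >= delta)."""
    _, p = sv_adversary(f, n, delta)
    return abs(p - Fraction(1, 2))


if __name__ == "__main__":
    # Constructed post-processing candidates: parity (XOR) and majority vote of the bits.
    candidates = {
        "parity": lambda bits: sum(bits) % 2,
        "majority": lambda bits: int(2 * sum(bits) > len(bits)),
    }
    for name, f in candidates.items():
        p_u, p_a = sv_adversary(f, 7, "1/10")
        print(f"{name:9s} uniform Pr[f=1]={p_u}  adversarial Pr[f=1]={p_a}  "
              f"bias={abs(p_a - Fraction(1, 2))}")
```

The reason the bound holds is the identity behind the argument: with g(prefix) the probability that f = 1 under uniform completion, the adversary's push at each node raises the expected value of g by δ times the gap between the two children, and summed along any path those gaps are at least twice the distance from f(r) to g of the root, which gives exactly a bias of δ in the worst case (parity) and more otherwise.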

Quantum devices, Bell tests, and guessing probabilities
The central building block of any device-independent protocol is the quantum device that is used, together with the certification process associated with it. In this work, the quantum device is composed of three parts that are shielded from each other or separated so that communication is impossible between them during each interaction round (see Fig. 3). The three parts are labelled, respectively, A, B, C and are seen as black boxes of which we do not model the internal functioning. The objective is to interact with these three boxes in order to verify that they indeed make measurements on quantum states with certain properties, i.e. to discard any alternative classical (and hence deterministic) explanation for their behaviour. To do so, the verifier (the user) repeatedly chooses different inputs to the black boxes, which then generate outputs at each round. The inputs to the three boxes A, B and C are labelled, respectively, x, y, z and the generated outputs of each box a, b, c. In our set-up, all variables are bits x, y, z, a, b, c ∈ {0, 1}. After many rounds of such input-output interactions with the three boxes, one can estimate the joint conditional probability distribution called the observed behaviour of the device. In the device-independent approach that we follow, one is not allowed to rely on a description of the internal functioning of the boxes. Instead, everything needs to be done working with the observed behaviour P obs alone. The objective is to build a quantum device which outputs in such a way that it proves to the verifier that it indeed relies on quantum processes. This verification by the user is done with a Bell test, i.e. by evaluating a so-called Bell inequality. An ideal Bell test will be implemented in order to avoid the possibility of tricking the verification process, called a loophole (see [60] for a review on Bell tests and in particular Sec.VII B about loopholes).

Figure 2: In a randomness amplification and privatisation protocol, the imperfect RNG is used twice: first to generate the inputs to drive the quantum device and then as an input to the randomness extractors. We assume that the external adversary had access to the imperfect RNG prior to the beginning of the protocol and hence holds information h about it (see Fig. 1). The quantum device might have been built using information h, for example to partially correlate its behaviour to the one of the imperfect RNG.
In our work, we evaluate the Mermin inequality [61], which reads where The violation of the Mermin inequality M obs > 2 is only possible when the three boxes share quantum systems in an entangled state on which they perform quantum measurements. Its violation therefore certifies their true quantum nature from the observed statistics only. The advantage of using the Mermin inequality for randomness amplification is that, in the noiseless limit, a quantum device can reach the algebraic maximum M obs = 4. This property is what allows our protocol to generate cryptographic randomness from any SV source that is not completely deterministic, i.e. ∀δ < 1/2 in (2) (amplifying it to δ → 0).
These properties of the Mermin inequality are what provided us with a practical advantage over the set-up (and Bell inequality) used in [7], in that we were able to amplify much weaker SV sources (i.e. larger δ in (2)) on quantum computers. Indeed, the quantum correlations that need to be generated in [7], although requiring a simpler set-up (with only two qubits), are closer to the set of classical correlations and therefore tolerate only very low noise. As opposed to this, the correlations generated in our work lie in a region for which the distance to the set of classical correlations is greater, in turn allowing for greater noise resistance. For example, if adding white noise, i.e. mixing the ideal (noise free) correlations with the uniform distribution, we get a maximal amount of 50% fraction of tolerated noise in our work versus the maximal amount of 1 − 1/√2 ≈ 30% in the set-up with two players, inputs and outputs considered in [7] (see, e.g. [62] for a discussion on this). Note that, in general, the tolerated noise might not compensate for the added complexity of the set-up (e.g. adding qubits), but in our case it allowed for an implementation.

Figure 3: The quantum device is itself made of three separate parts A, B, C that are kept from communicating with each other during each interaction round (indicated by dashed lines), for example by imposing spatial separation or shielding. For every round, each of the three parts of the quantum device is being driven with fresh inputs x, y, z and generates outputs a, b, c which are recorded. After sufficiently many rounds, one can build a faithful estimate of the input-output distribution P obs ≡ {p(abc|xyz)}_{a,b,c,x,y,z} of the three parts, its observed behaviour. This behaviour is then later analysed in order to certify randomness in the outcomes of the quantum device.
In addition, using this inequality requires the evaluation of 4 input settings which can be described by just two input bits, x, y. Each setting can be constructed using the result that the last input bit is the sum modulo 2 of the first two input bits, namely, x, y, z = x ⊕ y.
In turn, from the violation of a Bell inequality it is also possible to bound the predictive power that the external adversary (modelled in Fig. 1) has on the outcomes of the boxes. This predictive power is formalised by the maximum guessing probability P g (ABC|x * , y * , z * , Q, M ), which is the maximum probability that an external observer manages to guess the outcomes given some inputs x * , y * , z * , a quantum system Q which may be entangled with the device (see Fig. 1) and for some M which is calculated from the observed behaviour. Specifically, M is a function of M obs based on the protocol security analysis, such that M ≤ M obs , see the details in (6). Note that this guessing probability only concerns the outcomes of the quantum device and is different from the security of the final outcomes of the protocol (after extraction) in (1). In our protocol we upper bound the adversarial guessing probability of the three outcomes from a known analytical bound [63] on any two of the three outcomes since P g (ABC|x * , y * , z * , Q, M ) ≤ P g (AB|x * , y * , z * , Q, M ), Note that P g (M ) in (5) holds for all input triplets (x * , y * , z * ), so we drop them from the notation. The min-entropy of the outputs A, B, C is then H min (ABC|x * , y * , z * , Q, M ) = − log 2 (P g (M )), ∀x * , y * , z * . In our set-up, it is important to note that the inputs are chosen from a public source of randomness, i.e. the inputs are known to the adversary when guessing the outputs.

Bell tests with inputs drawn from a weak source of randomness
In Sec.4.3, we have implicitly assumed that the inputs x, y, z were chosen independently of the device, i.e. we considered no possible correlations between the source of inputs and the device's behaviour. This is not the case in our scenario, in which we only have access to an imperfect RNG generating weak randomness and which moreover might be partially correlated to the quantum device through the adversary information h and quantum systems Q (see Fig. 1). In such a set-up, standard Bell inequalities, such as M obs in (4), cannot be used directly since it cannot be assumed that the measurement inputs are chosen independently of the device's behaviour.
In order to circumvent this problem, we consider instead another type of inequality which is valid in our set-up with correlations between the inputs and the device. This type of inequality was termed a measurement dependent locality (MDL) inequality in [64] and can serve to bound the possible values of M which are compatible with the observed MDL inequality value (through the observation of M obs ). This M then allows us to bound the adversarial guessing probability using (5). In other words, we bound the power given to the adversary when allowed to correlate the underlying state and measurements of the device with the source generating the inputs (or measurement choices) through the classical side-information h. We have detailed the derivation in App.A.2.
As stated earlier, the Mermin inequality (4) only requires input-output statistics from 4 (of 8 possible) input settings. This means we can use two weakly random input bits to select one of the four input settings, by generating the inputs as x, y, z = x ⊕ y. This gives an improvement to the bound. Intuitively, this improvement in the bound can be seen to come from the adversary only getting additional guessing power of the input setting from 2 weak inputs versus 3 weak inputs.
The result is that one can use the following bound on the value M for the guessing probability in (5). This bound accounts both for the effect of choosing the inputs with an SV source of quality δ and for finite statistical effects, Here, ∆f denotes the width of the statistical confidence interval for the estimation test and we refer to App.A.2 for the technical details and computation. Note that this bound is valid when p obs (x, y, z) = 1/4 ∀x, y, z appearing in the Mermin inequality (4), i.e. when the observed frequency of each relevant input triplet is the same. This is easily generalisable to different observed input statistics (following App.A.3).

Statistical analysis
The previous section explained how the outputs of the quantum device could be certified to contain some randomness and privacy. In this subsection, we evaluate how such randomness accumulates through multiple rounds of the data collection process. We discuss everything in terms of the guessing probability P g (M ) of the adversary, but this can also equivalently be understood in terms of min-entropy H min (M ) = − log 2 P g (M ) , which is (roughly) the quantity that can be extracted during post-processing.
Identically and independently distributed rounds in the limit of large n. In the case that the different rounds of interaction with the quantum device are assumed to be independent and identical (I.I.D.), the probability P g (A n B n C n |Q, h, M ) of guessing the outcomes (A n B n C n ) generated by n uses of the quantum device is simply the product of the guessing probabilities P g (ABC|Q, h, M ) of the outcomes generated at each round For details we refer to App.A.4. Assuming that the quantum device behaves identically and independently may be a reasonable assumption in certain cases, for example if the device provider can be trusted and the device functions at very slow speed (possibly avoiding memory effects).
Accounting for memory based quantum attacks. In the most general case, the adversary is allowed to perform memory based quantum attacks (MBQA). Indeed, assuming that a device built by an adversary behaves identically and independently each round might be a too restrictive assumption.
To generalise the results to account for the most general MBQA, we apply the entropy accumulation theorem as developed in [37,65] to the Mermin inequality and the guessing probability described in Sec.4.3. The result is that the guessing probability P g (A n B n C n |Q, h, M ) in n uses of the quantum device is upper bounded as where v and t are related to the single round guessing probability P g (ABC|Q, h, M ) (5) as well as some other parameters; details on how v and t relate to the single round guessing probability are deferred to App.A.5 (34), which is written in terms of min-entropy rather than guessing probability, using the fact that H min = − log 2 (P g ). This guessing probability can be loosely understood as the one that would be obtained assuming I.I.D. rounds as in (7), giving the term 2^(−nt), but with a penalty multiplicative term 2^(v√n) to account for the most general attacks by the adversary and memory effects in the device. We refer to App.A.5 for the details and computations of all parameters.

Post-processing randomness
Overview. Whenever the verification was successful, the last step of the protocol is to turn the raw string of numbers that are hard to guess into bits that are (near-)indistinguishable from perfectly random numbers in the sense of (1). This is achieved by post-processing the outcomes of the quantum device with so-called randomness extractors, which are classical algorithms from the theory of pseudo-randomness in theoretical computer science [66]. In this work, we use two different types of extractors: multi-source and seeded extractors. Multi-source randomness extractors take multiple sources of weakly random numbers and turn them into a shorter string of information-theoretically secure random bits defined in (1) (see [67,68] for the latest developments). Seeded extractors use a seed of (near-)perfect randomness and another input from a weak source, outputting a secure bit string that is longer than the seed size. No quantum hardware is needed for the implementation of this last step.
In order for our protocol to be secure against unbounded quantum adversaries, it is crucial to employ randomness extractors that are themselves secure against potential attacks from quantum adversaries. Such adversaries are malicious third parties that have quantum technologies at hand, for example allowing them to store information in a quantum memory [69]. It is well-known that not all randomness extractors fulfil this stringent security criterion [70,71] and for that reason we work in the quantum-secure Markov chain framework developed in [38]. This allows us to build secure randomness extractors even in the presence of quantum adversaries.
In Section 4.7 we collect the precise security assumptions of our model. For full technical details about the randomness post-processing discussed in this section, we refer to Appendices B - E.

Figure 4: [...] Fig. 1) for randomness amplification but not privatisation. All steps are performed by mathematical functions on a classical computer: [1] The outcomes of the quantum device, together with a string of numbers from the imperfect RNG, are processed by a two-source randomness extractor. The two incoming bit strings are only somewhat hard to guess but not perfectly random in an information-theoretic sense, indicated by the dashed lines. [2] The two-source randomness extractor transforms the two input strings into a string of physically secure random numbers, indicated by the solid line. [3] The generated string of physically secure random numbers, together with a string of numbers from the imperfect RNG, are processed by a seeded randomness extractor. [4] The seeded randomness extractor outputs an extended, final string of physically secure random numbers.

Figure 5: [...] Fig. 1) for randomness amplification and privatisation. All steps are performed by mathematical functions on a classical computer: [1] and [2] are the same as for randomness amplification in Fig. 4. [3] The outcomes of the quantum device, together with the generated string of physically secure random numbers, are processed by a seeded randomness extractor. [4] is the same as for randomness amplification in Fig. 4.

Contribution.
We distinguish two slightly different tasks:
• Randomness amplification from private, imperfect RNGs as depicted in Fig. 4.
• Randomness amplification and privatisation from public (non-private), imperfect RNGs as depicted in Fig. 5.
For both tasks we describe the setting and the randomness extractors we have implemented. We follow the theoretical approach laid out in [12] -together with the statistical analysis from [7].
For randomness amplification as in Fig. 4, the output of the imperfect RNG is assumed to be private. We first feed the outcomes of the quantum device together with an additional string of bits from the imperfect RNG into a two-source randomness extractor. Second, the resulting short string of near-perfect private and random bits is extended by means of a seeded randomness extractor using the bits from the imperfect RNG. For randomness and privacy amplification as in Fig. 5, the RNG is no longer assumed to be private. The first step of the protocol is identical, but for the second step we extend the resulting string of near-perfect private and random bits by employing a seeded randomness extractor that uses the outcomes of the quantum device.
For the software implementation of these steps, it is crucial that the randomness extractors used do not only have a polynomial runtime in principle, but that they can be efficiently implemented in practice. In particular, sensible security parameters for realistic quantum hardware dictate the need for input blocks larger than approximately n ≈ 10^7 bits in order to achieve non-zero output size when using the MBQA analysis. Furthermore, asking the post-processing to be done on a standard laptop machine only really leaves algorithms of linear runtime to be practically feasible. As such, the main contribution of our work on randomness extractors is twofold:
• We improve the complexity of some theoretically available randomness extractor schemes from a generic polynomial dependence to quasi-linear time O(n log(n)) in the input size n.
• We give explicit implementations of these algorithms based on the Number Theoretic Transform (NTT) [72]. In contrast to alternative schemes based on the Fast Fourier Transform (FFT) [73, App.C], the NTT has the advantage of being information-theoretically secure and therefore preventing potential attacks stemming from rounding issues related to the finite implementation of the FFT.
Importantly, the software implementation of our randomness extractors reaches rates of the order of several Mbits/sec using a standard laptop machine with input blocks of n ≈ 10^7 bits. In fact, with our current code they can even be run with input sizes up to n ≈ 10^9 bits. In the following, we give a more detailed description of this implementation.

Santha-Vazirani source.
As mentioned in Sec.4.2, we model the imperfect RNG as a Santha-Vazirani source (2) with parameter δ > 0. Hence, any n raw bits generated by the imperfect RNG can be guessed by the adversary with probability p SV [n] at most Thus, the probability of guessing an n-bit string generated by a Santha-Vazirani source decreases exponentially with n. All the logarithms are always taken in base 2 in this work.
Footnotes:
20. Concerning this issue, we also refer to the discussion in [73, App.A].
21. Namely, we lose a single output bit compared to the optimal theoretical construction.
22. Note that if asking for security against a classical adversary, one can multiply the output in (10) by roughly 5.
where ε sec > 0 denotes the security parameter of the output string. That is, for sufficiently large block sizes n, this extractor allows one to distil near-perfect randomness roughly as soon as the sources have the quality For the details around the theory of the construction we refer to App.B.1.
To put in some numbers, for our statistical analysis we have the guessing probabilities and we then get an output string of perfectly random numbers of size roughly with ξ > 0 a free parameter relating the output size m 2 [n] to the security parameter of the extractor ε sec [n] ≈ 2^(−ξ·n/8). For example, if we obtain c Q = 0.35 from an experiment, when combining this with an imperfect RNG of quality δ = 0.036 (c SV = 0.9), we find for the linear output rate

The crucial technical step for the implementation of the Dodis et al. extractor is efficient finite field multiplication in the binary Galois field GF[2^n]. For that, we employ the scheme proposed in [73, App.D] that is based on the efficient algebra of circulant matrices via the NTT, resulting in quasi-linear complexity O(n log(n)) for certain input sizes n. Even though this comes at the cost of some polynomial time pre-processing based on prime testing, we emphasise that this additional one-time step runs essentially instantaneously in practice for the relevant range of parameters. For more we refer to App.D.1.

Seeded extractor.
Our second extractor is based on an explicit implementation of the work of Hayashi and Tsurumaru [73], which is known to be secure against quantum adversaries [73, Sec.III.D]. These concepts were originally developed for quantum key distribution networks, but some adaptations make the work applicable to our settings. In particular, for an n S -bit input source with a guessing probability quality p[n S ] and a seed of m 2 = n S − m S bits of perfect randomness, the output size is where ε sec > 0 denotes the security parameter of the output string. This leads to linear output rates as long as the guessing probability is Here, the input source of quality For example, having α = 9/10 leads to c ≤ 10 and for c = 9 we get an output size m S = 8 · m 2 with error ε sec ≤ 10^(−150) for the seed size m 2 = 10^4. Strongly building on the work of Hayashi and Tsurumaru [73], our implementation is again based on the efficient algebra of circulant matrices via the NTT, leading to quasi-linear complexity O(n S log(n S )) for certain input sizes n S and seed sizes m 2 . For details, we refer to App.D.2.
Output rates. We emphasise that for both our randomness extractors, we get linear output rates m[n] ∝ n -see (13) and (17). As discussed, this comes from our statistical bounds on the guessing probability decreasing exponentially with the input block size n. We note that in the previous works [12][13][14] -secure against not only quantum but so-called non-signalling adversaries -the output is only of sublinear size.
Extensions. Whereas our implementation thus far is fully explicit and efficient, it cannot amplify two arbitrarily weak sources of randomness. Consequently, we consider the following extensions:
• For the two-source extractor, the construction of Raz [76, Theorem 1] works for sources with lower quality than needed for the Dodis type construction in (11). On paper, this would translate to a higher noise tolerance of the quantum hardware used and for that reason we improved the constants in the Raz construction for our specific applications. We find that for two n-bit input sources with a guessing probability quality of p SV [n] and p Q [n], respectively, the constructed two-source extractor secure against quantum adversaries has for any δ > 0 with for a security parameter ε sec ≤ √3 · 2^(−1.375) · 2^(−m 2 [n]/8) of the output string. Notice that in principle this allows for an arbitrarily low value in the guessing probability p Q [n] of the quantum source. For the details around the theory of the construction we refer to App.E.
• For the seeded extractor, Trevisan based constructions [75] are known to be quantum-proof [77] and work with exponentially shorter seed size m 2 ≈ log(n S ) compared to the Hayashi-Tsurumaru construction with m 2 = n S − m S . For some of our settings, this allows in principle the extraction of higher rates of randomness. Unfortunately, Trevisan based constructions come with the downside of a cubic runtime O(n S ^3) in the input size n S . Nevertheless, implementations of Trevisan based constructions have been optimised in [78].
In particular, in the setting of randomness and privacy amplification (Fig. 5) employing a noisy quantum device generating outcomes with p Q ≤ 2^(−α Q ·n) for α Q < 1/2, a seeded randomness extractor capable of extracting from such a weak source is required. This is not the case for the implemented Hayashi-Tsurumaru construction, but can indeed be achieved with the off-the-shelf Trevisan based constructions from [78].
Outlook. It is important to further improve on the parameters of the implemented randomness extractors:
• For the two-source extractor, Raz's construction is on paper again outperformed by Li's two-source extractor [68]. It would be interesting to work out the practical efficiency of this construction. Importantly, this extension would allow the use of arbitrarily low quality SV sources.
• For the seeded extractor, for further improvements one would need to show that the state-of-the-art constructions are secure against quantum adversaries. We refer to [79] for an overview.
• A follow-up work [80] implemented another efficient 2-source extractor based on the Toeplitz construction and made efficient using the FFT. An advantage of this implementation over ours is that the output size for quantum-proof security comes without a penalty (our output is roughly divided by 5).

List of assumptions
For clarity, we here collect a list of all the assumptions needed to run our device-independent randomness amplification and privatisation protocol. One can find such a list in other works such as [7], to which we have added some additional assumptions necessary for a realistic implementation:
1. Quantum mechanics is correct and any potential adversary respects its laws.
2. The classical computer that is used (see Fig. 1) functions properly.
3. The user's facility in which the protocol is run is shielded from the outside, in particular there is no back-door.
4. The quantum device is made of three separated parts which do not exchange information during a round of the experiment (see Fig. 3).
5. The adversary only holds classical information h about the imperfect RNG, that is, a (public) SV source. Whenever explicitly stated, the output of the imperfect RNG is additionally assumed to be private, in which case the protocol only performs randomness amplification (and not privatisation).
6. Given the classical and quantum information of the adversary, denoted by h and Q respectively, the imperfect RNG and the quantum device are independent, see App.B for the formal statement.
7. If the devices running the Bell test are later re-used, they do not leak any relevant information about previous protocols that were run on them, see the discussion in Sec. 4.1.
We note that without Assumptions 2 and 3 no cryptography would be possible. Assumption 1 has been generalised in some works [12][13][14] to adversaries who are not necessarily constrained by the laws of quantum mechanics, but only by the more general constraints of no-signalling. We remark that, firstly, there is today no evidence that quantum mechanics is not correct and, secondly, the no-signalling generalisation forces one to reduce the output size to sublinear rates (and therefore severely reduces the efficiency of the protocol). Assumptions 4, 5 and 6 are related to our specific setting and are necessary to obtain security. Finally, note that Assumption 4 can and should be verified by minimal inspection of the device.

Protocol and concrete numerical examples
We use this section to illustrate the results that can be obtained with our protocol. All results are first given directly at the output of the two-source extractor that we implemented and then for other theoretical constructions for comparison. We then also give results when appending a seeded extractor to increase the output, and therefore the randomness generation rates. Remark that our protocol can be used in two noticeably different manners: a- together with a public imperfect source of randomness, it generates a near-perfectly private and uniform output, i.e. randomness amplification and privatisation; b- together with a private imperfect source of randomness, i.e. randomness amplification only. In case b, although relying on the stronger assumption that the imperfect source of randomness output is private to the user, one can then repeatedly feed a seeded extractor with fresh outputs from the imperfect source in order to obtain, after a latency, randomness generation rates linear in the output rate of the imperfect source. If we do not state explicitly that the results are for randomness amplification only, the results are given for the task of randomness amplification and privatisation.

Box 1: Randomness amplification and privatisation protocol

Data collection
During n rounds, do:
a. Generate 2 bits x, y with the imperfect RNG of quality δ defined in (2).
b. Drive the quantum device with settings x, y, z = x ⊕ y and collect the 3 output bits a, b, c. Save the 6 bits of that round.

Verification
a. Compute the observed behaviour P obs ≡ {p(abc|xyz)}_{a,b,c,x,y,z} and the observed Bell value M obs = M (P obs ) using (4).
b. If M obs is sufficiently high to verify the device's behaviour, continue to randomness post-processing, otherwise abort.
c. The two-source extractor outputs an m 2 -bit string of physically secure random numbers in the sense of the security definition in (1).
d. (Optional) The m 2 -bit string is further expanded by a seeded extractor either re-using the string of outcomes from the quantum device (randomness amplification and privatisation) or another fresh string from the imperfect RNG (amplification only). The output of the seeded extractor is a larger bit string of size m S > m 2 of physically secure random numbers.
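As an added example (not code from the paper), the following Python simulation walks through the Mermin test of Sec. 4.3 and the data-collection and verification steps of Box 1: a constructed SV-type input source of quality δ, a three-part device modelled as a GHZ state measured in X (input 0) or Y (input 1) with white noise mixed in, the estimate of P obs from the saved 6-bit records, and the M obs check. The sign convention of the Mermin expression, the GHZ model and the noise model are assumptions, since equation (4) does not appear in the extracted text.

```python
import math
import random
from collections import defaultdict

# The four settings that enter the Mermin inequality (z = x XOR y) and the sign
# of each correlator. ASSUMED sign convention (eq. (4) is not reproduced in the
# extracted text): M = <XXX> - <XYY> - <YXY> - <YYX>, input 0 = X, input 1 = Y,
# classical bound 2, algebraic maximum 4.
MERMIN_SETTINGS = {(0, 0, 0): +1, (0, 1, 1): -1, (1, 0, 1): -1, (1, 1, 0): -1}
OUTCOMES = [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]


def ideal_behaviour():
    """p(abc|xyz) of a noiseless GHZ state (|000>+|111>)/sqrt(2) measured in X/Y.

    For each relevant setting the parity a+b+c mod 2 is fixed (even for XXX, odd
    for the other three) and the four consistent outcome strings are equiprobable.
    """
    p = {}
    for xyz, sign in MERMIN_SETTINGS.items():
        parity = 0 if sign == +1 else 1
        for a, b, c in OUTCOMES:
            p[(a, b, c) + xyz] = 0.25 if (a ^ b ^ c) == parity else 0.0
    return p


def add_white_noise(p, q):
    """Mix the behaviour with the uniform distribution: (1 - q) * p + q / 8."""
    return {k: (1 - q) * v + q / 8 for k, v in p.items()}


def mermin_value(p):
    """M(P) = sum over settings of sign * sum_abc (-1)^(a+b+c) p(abc|xyz)."""
    m = 0.0
    for xyz, sign in MERMIN_SETTINGS.items():
        m += sign * sum((-1) ** (a ^ b ^ c) * p[(a, b, c) + xyz] for a, b, c in OUTCOMES)
    return m


def sv_min_entropy_rate(delta):
    """Randomness per bit of an SV source of quality delta, -log2(1/2 + delta)."""
    return -math.log2(0.5 + delta)


def sv_source(delta, rng):
    """Constructed SV source: every bit repeats the previous one with probability
    1/2 + delta, so each conditional probability lies in [1/2 - delta, 1/2 + delta]."""
    prev = rng.randrange(2)
    while True:
        prev = prev if rng.random() < 0.5 + delta else 1 - prev
        yield prev


def sample_round(p, xyz, rng):
    """Draw one output triple (a, b, c) from p(.|xyz)."""
    u, acc = rng.random(), 0.0
    for abc in OUTCOMES:
        acc += p[abc + xyz]
        if u < acc:
            return abc
    return OUTCOMES[-1]  # guard against floating-point rounding of the cumulative sum


def run_data_collection(p, n, delta, seed=1):
    """Box 1, data collection: n rounds, inputs x, y from the SV source, z = x XOR y.
    Returns the saved 6-bit records (a, b, c, x, y, z)."""
    rng = random.Random(seed)
    src = sv_source(delta, rng)
    records = []
    for _ in range(n):
        x, y = next(src), next(src)
        xyz = (x, y, x ^ y)
        records.append(sample_round(p, xyz, rng) + xyz)
    return records


def observed_behaviour(records):
    """Box 1, verification step a: P_obs = {p(abc|xyz)} estimated from the records."""
    counts, per_setting = defaultdict(int), defaultdict(int)
    for rec in records:
        counts[rec] += 1
        per_setting[rec[3:]] += 1
    return {abc + xyz: counts[abc + xyz] / per_setting[xyz] if per_setting[xyz] else 0.0
            for xyz in MERMIN_SETTINGS for abc in OUTCOMES}


def verify(records, threshold):
    """Box 1, verification step b: compute M_obs and decide whether to continue or abort."""
    m_obs = mermin_value(observed_behaviour(records))
    return m_obs, m_obs > threshold


if __name__ == "__main__":
    for q in (0.0, 0.2, 0.5):
        print(f"white noise q={q}: M = {mermin_value(add_white_noise(ideal_behaviour(), q)):.2f}")
    recs = run_data_collection(add_white_noise(ideal_behaviour(), 0.1), 20000, delta=0.05)
    print("min-entropy rate of the SV source:", round(sv_min_entropy_rate(0.05), 3))
    print("M_obs and verification outcome:", verify(recs, 2.0))
```

With a white-noise fraction q the model gives M = 4(1 − q), so the violation M obs > 2 survives up to q = 0.5, the 50% tolerance quoted in Sec. 4.3.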
At the end of this section, we give some results from a showcase of our protocol run on today's available quantum computers. These results show that, under some added assumptions, these devices are capable of performing randomness amplification (and privatisation) today (the validity and implementation is discussed in Sec.6). Then, in Sec.5.6, we show how we took several imperfect RNGs consistently failing statistical tests and used our showcase protocol to obtain an output successfully passing statistical tests, showing, from a statistical perspective, that our protocol was successful in performing randomness amplification. The imperfect RNGs that we used were pseudo-RNGs, a classical hardware RNG built in house and a commercially available QRNG. We also show how an example classical alternative to our protocol fails, even though our showcase protocol is successful, illustrating the advantage of our protocol (and thus, the use of quantum resources) from this statistical perspective.

Steps of the protocol
For clarity, we have summarised the steps of our protocol in Box 1. These are for task a, randomness amplification and privatisation. The only difference when performing task b (i.e. when the imperfect RNG is private) is the last step, where the seeded randomness extractor is instead fed with a freshly generated output from the imperfect source instead of the quantum device's output.

Efficiency of the protocol
An important measure of the quality of our protocol is its overall efficiency η = m 2 n (or η S = m S n when appending a seeded extractor), i.e. the total output size of the protocol m 2 (or m S ) divided by the total number of uses of the quantum device n. The derivation and exact formula for m 2 are given in (52) in App.C. The randomness generation rate of a particular implementation will then be the product of the repetition rate of the quantum device with the efficiency of the protocol. For what follows, we set ε sec ≤ 2 −32 and ∆ f = 0, where ε sec is the total protocol security parameter and ∆ f is the penalty to account for finite statistics. These choices are made to for simplicity, since ∆ f decreases exponentially with n, and note that ε sec ≤ 2 −32 ≈ 10 −10 .The efficiency η = m 2 n as a function of the total number of uses n of the quantum device is plotted in Fig. 6, and of M obs in Fig. 7. The results for the greater efficiency η S = m S n > m 2 n obtained by appending a seeded extractor is discussed in Sec.5.4 and plotted in Fig. 10. As a reminder, δ = 0 corresponds to a source that is already perfectly random. δ = 0.05 (each bit can be predicted correctly with 0.45 ≤ p(r i | r i−1 , h) ≤ 0.55, see (2)) means that the imperfect RNG is about 86% random (− log 2 ( 1 2 + δ)), δ = 0.1 about 74% random, δ = 0.2 about 51% random and δ = 0.3 about 32% random only. Figure 6: The protocol efficiency η = m2 n at the output of the 2-source extractor (i.e. without a seeded extractor), which is the number of output bits m 2 from the protocol per use of the quantum device, as a function of the total number of quantum device uses n (where n = 10 x ). We chose δ = 0.05 -corresponding to an imperfect RNG that is roughly 86% random M obs = 3.62 is the best Mermin value that we obtained from superconducting quantum computers and M obs = 3.9 is the best we attained from Ion-trap devices, see Table. 1. 
MBQA denotes the most general memory-based quantum attacks and I.I.D. the assumption that the rounds are identical and independent, see Sec. 4.5. Remark that, although all parameters are explicit, we did not find an implementation of the extractor from [76]. Moreover, it does not have quasi-linear complexity, but it can amplify larger $\delta$ in general.

Maximum δ that can be amplified
As shown in the figure, full amplification and privatisation is possible in the I.I.D. case using the Dodis two-source extractor, but not in the MBQA case, where the maximum is $\delta \sim 0.3$. Note the non-trivial behaviour of Raz's extractor in the region around $M_{\mathrm{obs}} = 3.3$: this is because the min-entropy rate of one source must always be above 0.5, which the imperfect RNG does not satisfy for $\delta$ above roughly 0.21 (since $-\log_2(\tfrac{1}{2} + \delta) < 0.5$ there). This means that, in order for an imperfect RNG with $\delta$ above roughly 0.21 to be amplified, the quantum output must have a min-entropy rate above 0.5, which only happens close to $M_{\mathrm{obs}} = 3.97$ in the MBQA case for $n = 10^8$ and $M_{\mathrm{obs}} = 3.9$ in the I.I.D. case.

Improving the efficiency by appending a seeded extractor
In order to increase the protocol efficiency and therefore the generation rates too, one can append a seeded extractor as explained in Sec. 4.6 and depicted in Figs. 4 and 5. We present the results with both our implementation based on [73] and a Trevisan-based construction for randomness amplification and, optionally, privatisation.

In Fig. 9, we have plotted the amount of randomness per use of the quantum device, as a function of the observed Mermin value $M_{\mathrm{obs}}$, for different values of $\delta$. The region in which the quantum device is good enough to apply our implementation of an efficient seeded extractor is highlighted in blue; in this region the post-processing has quasi-linear complexity only.
Our implementation based on [73]. This construction has the advantage of having quasi-linear complexity, allowing it to run on a standard laptop with relevant block sizes. The drawback of our construction is that it requires one of the sources to have a high min-entropy rate, namely a guessing probability $p_S[n] \le 2^{-\alpha n}$ with $\alpha \ge 0.5$. The entropy gain $m_S - m_2$ when appending this seeded extractor, where $m_S$ is the output size of the seeded extractor and $m_2$ that of the 2-source extractor, can then be computed roughly as $m_S - m_2 = (c - 1) \cdot m_2$ with $c = 1/(1 - \alpha)$. For example, if $\alpha = 0.9 + \delta > 0.9$ with any $\delta > 0$, then the output of the seeded extractor is $m_S = 9 \cdot m_2$, i.e. at least 9 times larger than that of the 2-source extractor. The error added is then essentially negligible for our typical choice of parameters and block size, see (17). This is particularly advantageous in the setup for randomness amplification without privatisation. Note that in our case, re-using the quantum device's output as input to the seeded extractor in order to perform randomness amplification and privatisation requires $\alpha_Q > 0.5$, which occurs when $M_{\mathrm{obs}} \gtrsim 3.9$ in the MBQA case and $M_{\mathrm{obs}} \gtrsim 3.72$ in the I.I.D. case, see the blue highlighted region in Fig. 9.
Trevisan-based construction. This construction of seeded extractors has higher complexity $O(n^3)$ but has the benefit of extracting roughly all the entropy from the source using only a short seed. More precisely, when using Trevisan's extractor one can extract $\alpha_Q \cdot n - 4 \log\frac{1}{\varepsilon} - 6$ bits from a quantum output with total min-entropy $\alpha_Q \cdot n$, requiring a seed (the output $m_2$ from the 2-source extractor) of size logarithmic in $\alpha_Q \cdot n$. For example, when using the modular implementation in [78], given a source with min-entropy $k$, one obtains an output of size $m_S = k - 4 \log\frac{1}{\varepsilon} - 6$ bits, where $\varepsilon$ is the error per bit. For randomness amplification and privatisation, the protocol efficiency $\eta_S = m_S/n$ then becomes roughly $\eta_S \approx \alpha_Q$. The protocol efficiency $\eta_S$ with Trevisan's extractor as a function of the observed Mermin value $M_{\mathrm{obs}}$ and different $\delta$ is plotted in Fig. 10, for both the MBQA and I.I.D. cases.

Table 1: Table of results containing, for different quantum computers, the observed Mermin value, the maximum $\delta$ that can be amplified and the protocol efficiencies with or without a seeded extractor. The samples collected from ion-trap devices were small compared to the ones we could collect from superconducting ones: $n = 6 \cdot 10^4$ (AQT/UIBK), $n = 4 \cdot 10^4$ (Quantinuum H1), $n = 3 \cdot 10^4$ (Quantinuum H0) and 50 experiments of $n = 10^7$ on each IBM device. The maximum $\delta$, the protocol efficiency $\eta$ (the number of random output bits per use of the quantum device, without appending a seeded extractor) and $\eta_S$ (appending Trevisan's seeded extractor) are given for $n = 10^8$, $\varepsilon_{\mathrm{sec}} = 2^{-32}$, $\Delta_f = 0$, $\delta = 0.05$ and the most general MBQA attacks. Specifically, this means we did the statistical analysis as if we had attained $M_{\mathrm{obs}}$ from $10^8$ rounds for each device. These parameters were picked based on practicality: they are useful for applications and attainable on quantum computers today.
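As an added worked example (not code from the paper or its authors), the following Python functions collect the entropy accounting used in the sections above: the min-entropy rate $-\log_2(\tfrac{1}{2}+\delta)$ of the imperfect source and its inverse (which is why Raz's extractor, needing one source above rate 0.5, stops working for $\delta$ above roughly 0.21), the output gain $m_S - m_2 = (c-1) \cdot m_2$ with $c = 1/(1-\alpha)$ of the quasi-linear seeded extractor, and the Trevisan output size $m_S = k - 4\log\frac{1}{\varepsilon} - 6$ from which $\eta_S \approx \alpha_Q$ follows. The numerical values in the usage lines (a quantum-output min-entropy rate $\alpha_Q = 0.72$, block sizes of 1000 bits) are constructed for illustration and are not taken from the paper's results.

```python
import math


def sv_min_entropy_rate(delta):
    """Min-entropy per bit of a Santha-Vazirani source of parameter delta.

    Each bit can be guessed correctly with probability at most 1/2 + delta,
    so the conditional min-entropy per bit is -log2(1/2 + delta); this is
    the figure quoted above as the source being 'about x% random'.
    """
    if not 0.0 <= delta < 0.5:
        raise ValueError("delta must lie in [0, 0.5)")
    return -math.log2(0.5 + delta)


def max_delta_for_rate(rate):
    """Largest delta whose SV source still has min-entropy rate >= rate.

    Inverts the formula above: 1/2 + delta = 2**(-rate). For rate = 0.5,
    the threshold one source must meet for Raz's extractor, this is about 0.207.
    """
    if not 0.0 < rate <= 1.0:
        raise ValueError("rate must lie in (0, 1]")
    return 2.0 ** (-rate) - 0.5


def seeded_extractor_output(m2, alpha):
    """Output size of the quasi-linear seeded extractor when seeded with the m2
    bits of the 2-source extractor and fed a source of min-entropy rate alpha.

    Uses the rough estimate quoted above: m_S - m_2 = (c - 1) * m_2 with
    c = 1 / (1 - alpha), valid only when alpha >= 0.5. Returns (m_S, gain).
    """
    if not 0.5 <= alpha < 1.0:
        raise ValueError("this construction needs a source with alpha >= 0.5")
    c = 1.0 / (1.0 - alpha)
    gain = (c - 1.0) * m2
    return m2 + gain, gain


def trevisan_output_bits(k, eps):
    """Output length k - 4 log2(1/eps) - 6 of the modular Trevisan construction
    for a source of min-entropy k bits and error eps per output bit."""
    if not 0.0 < eps < 1.0:
        raise ValueError("eps must lie in (0, 1)")
    return max(0, math.floor(k - 4 * math.log2(1.0 / eps) - 6))


def trevisan_efficiency(alpha_q, n, eps):
    """Protocol efficiency eta_S = m_S / n when the quantum output of n rounds
    has min-entropy rate alpha_q and is fed to Trevisan's extractor; for large n
    this tends to alpha_q because the subtracted terms do not grow with n."""
    return trevisan_output_bits(alpha_q * n, eps) / n


if __name__ == "__main__":
    for delta in (0.0, 0.05, 0.1, 0.2, 0.3):
        print(f"delta={delta:.2f}: about {100 * sv_min_entropy_rate(delta):.0f}% random")
    print(f"largest delta with min-entropy rate >= 0.5: {max_delta_for_rate(0.5):.3f}")
    m_s, gain = seeded_extractor_output(m2=1000, alpha=0.9)   # constructed sizes
    print(f"seeded extractor: m_S={m_s:.0f} from m_2=1000 (gain {gain:.0f})")
    # constructed example values: alpha_Q = 0.72, n = 1e8, eps = 2^-32
    print(f"Trevisan efficiency: {trevisan_efficiency(0.72, 10**8, 2**-32):.5f}")
```

The check that matters for Raz's extractor is `max_delta_for_rate(0.5)`: any imperfect source with a larger $\delta$ drops below the 0.5 min-entropy rate and the burden shifts to the quantum output, as described above.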

Protocol efficiency and randomness generation rates in concrete examples
We discuss three concrete examples:

• The previous highest violation of the Mermin inequality from [81].
The value we found is $M_{\mathrm{obs}} = 3.57$, dating back to 2006. When using our protocol, this value already allows the amplification of an imperfect RNG of parameter $\delta \le 0.11$ (i.e. roughly 71% random) and an overall protocol efficiency between $\eta = 5\%$ and $\eta = 9\%$ with $\delta = 0.05$, depending on the number of rounds and whether the I.I.D. assumption is made (and without a seeded extractor). With Raz's extractor [76] as discussed in Sec. 4.6, one can amplify a WSR with $\delta \le 0.2$ (i.e. roughly 50% random).
• Our semi-device-independent implementations on quantum computers.
The results of our implementations on quantum computers are summarised in Table 1. We give the details of these implementations and discuss the validity and added assumptions required when running Bell tests on quantum computers in Sec. 6 below. These implementations, because of those added assumptions, are semi-device-independent only.

On the superconducting quantum computer ibmq_toronto of IBM we obtained the value $M = 3.62$. In the MBQA case, this allows the amplification of an imperfect RNG of quality $\delta \le 0.082$ and a protocol efficiency $\eta = 6\%$ when $\delta = 0.05$, without a seeded extractor. The implementations on Quantinuum's ion-trap device H1 gave the Mermin value $M = 3.88$ and the ion-trap device of AQT/UIBK gave $M = 3.9$, the highest reported in the literature, allowing randomness amplification with our 2-source extractor implementation up to $\delta = 0.132$ and an efficiency of 15% for $\delta = 0.05$, without a seeded extractor (again, depending on the assumptions and number of rounds, see Fig. 6). These are lower bounds on $\delta$ and on the efficiencies $\eta$, $\eta_S$, which can be improved by increasing the number of rounds and/or adding the I.I.D. assumption.
Another important quantity is the speed at which the quantum computer can perform different circuits. Indeed, the protocol's randomness generation rate per second is the number of circuits implemented per second multiplied by the efficiency of the protocol (which is a function of the performance of the device, i.e. $M_{\mathrm{obs}}$). At the time of the experiments, the quantum computers of the IBM Quantum Services had a fixed repetition rate of $r = 2 \cdot 10^3$ circuits per second, which severely limits the generation rates of the protocol. In this case, with a protocol efficiency of about $\eta = 6\%$ for $M_{\mathrm{obs}} = 3.62$ and $\delta = 0.05$, this gives an output rate of about $\eta \cdot r = 120$ bits per second. Note, however, that this is not a fundamental limitation. Our protocol roughly amounts to performing 2 CNOT gates, which should take roughly $10^3$ nanoseconds on the device. This could in principle take the rates up to about 60 kilobits per second. One can then append Trevisan's seeded extractor in order to increase the rates as described before. In this case, we obtain generation rates of 1440 bits per second for $\delta = 0.05$ with the fixed circuit repetition rate of $r = 2 \cdot 10^3$ circuits per second, and in principle 720 kilobits per second if circuits are implemented in $10^3$ nanoseconds. Note that in the latter case the bottleneck of the protocol becomes the complexity of Trevisan's extractor, whose throughput is well below 720 kilobits per second in our setup with large block sizes (about a few kilobits per second only). Unfortunately, in this case the observed Mermin value of $M_{\mathrm{obs}} = 3.62$ is insufficient to exploit our efficient seeded extractor to avoid the bottleneck. One could explore the different implementations of the Trevisan extractor that are fast in practice, for example by parallelising the one-bit-extractor step.
With the H1 device of Quantinuum, working at about 13 circuits/second for our implementation, we obtain roughly 1.8 final random bits per second for M obs = 3.88 and δ = 0.05 (without a seeded extractor). Appending Trevisan's seeded extractor we obtain randomness generation rates of about 14 bits per second (δ = 0.05) and 13 bits/sec (δ = 0.1). The AQT/UIBK device ran at 40 circuits per second, giving randomness generation rates of about 6 bits per second (without a seeded extractor) and about 46 bits/sec (δ = 0.05) or 43 bits/sec (δ = 0.1) when appending Trevisan's extractor. With M obs = 3.9, we are in a setup in which we can use our efficient implementation of a seeded extractor, so we can further increase the efficiency.
• On an ideal quantum device. This would imply achieving $M_{\mathrm{obs}} = 4$, which is impossible in practice but is interesting to understand the limits of the protocol and what will happen when the devices get better. In this case, one would be able to amplify an imperfect RNG with $\delta \to 0.5$ (i.e. almost deterministic) and get a protocol efficiency up to $\eta = 40\%$ depending on the number of rounds $n$ and $\delta$, without a seeded extractor.
Appending Trevisan's extractor, one can increase the efficiency up to $\eta_S = 200\%$, in which case 2 bits are generated per run of the quantum device. Remember that, without further improvements, the current maximal output rate of existing Trevisan extractor implementations does not allow going above a few kilobits per second in our setup. On the other hand, with $M_{\mathrm{obs}} = 4$ the outputs of the quantum device have a sufficiently high min-entropy rate to make our efficient implementation of a seeded extractor useful. In this ideal case, the final efficiency of the protocol becomes the same as with Trevisan's extractor and gives the maximal $\eta_S = 200\%$.
Statistical tests. As a sanity check, we have also run the statistical tests of the NIST [82], DieHard²⁸ and ENT²⁹ test suites on sets of 5 x 10Gb generated using our showcase quantum computer implementation with different imperfect RNGs as inputs. As expected, all tests were passed.

²⁸ We refer to DieHarder's webpage.
²⁹ See http://www.fourmilab.ch/random/.
The different imperfect RNGs used as the input to the protocol were: different pseudo-RNGs, a classical chaotic process from the avalanche effect in a reverse-biased diode, and a commercially available QRNG, the Legacy Quantis-USB. All imperfect RNGs consistently failed, or gave 'suspicious'/'weak' results, in some statistical tests before being processed by our protocol. Once amplified using our showcase protocol implemented on quantum computers, the final output randomness passed all tests. We detail those results in the next section, together with a comparison against classical alternatives to our protocol to illustrate the quantum advantage of the protocol from a statistical perspective.
The amplification protocol was implemented using δ = 0.05 for the imperfect RNG and the ibmq_ourense quantum computer from the IBM Quantum Services.

Our protocol versus classical alternatives
From a statistical perspective we show that several sources of randomness, both hardware quantum and classical RNGs and software pseudo-RNGs are successfully amplified by our protocol. By this we mean that the results of statistical tests are consistently improved with our protocol. These results will be explained in more detail in [36].
Versus a classical RNG built in-house. As mentioned above, this RNG was based on a classical chaotic process from the avalanche effect in a reverse-biased diode, which when tested gave good results but several 'weak' tests. Interestingly, when testing the output generated at the end of our amplification protocol we observed that there were no longer any 'weak' or 'suspicious' test results, so, from a statistical perspective, it seemed there had been an improvement in the quality of the random numbers being generated.

Versus a quantum RNG available commercially. We reproduced the results of [29,30] showing that the output of the Legacy Quantis-USB QRNG exhibits consistent patterns as witnessed by the ENT statistical test suite, failing the Chi-squared test. After using this QRNG as the input to our showcase protocol, we obtained a final output which passed all statistical tests. Again, this means that from a statistical perspective, it seemed the randomness quality had been improved.
Versus pseudo-RNG. Here, the goal was to test whether classical alternatives could produce similar results to our showcase protocol. We started by finding a PRNG that failed some NIST statistical tests: a class of 64-bit linear congruential generator called MMIX³⁰. On average, this PRNG passed only 6/15 of the NIST statistical tests.
• (Quantum resources:) Using the showcase protocol on quantum computers with MMIX as the imperfect RNG, the output randomness passed 15/15 NIST tests (on average).
• (Classical resources:) Using our implemented Dodis et al. extractor on randomness generated from MMIX and a maximal period LFSR, the output randomness passed 6/15 NIST tests (on average). This is a simple example (from a statistical perspective) where we were unable to amplify the quality of the MMIX PRNG with classical resources only, whilst it was successful using our showcase protocol with quantum resources.
6 Implementations on quantum computers

6.1 Overview
The second part of this work serves as a real-world example of the usefulness and accessibility of quantum technologies, which is one of our main objectives. Although the ideal implementation of our protocol would be to use a quantum device running a loophole-free Bell test, today these are notoriously hard to build and would achieve randomness generation rates that are very low or lead to an almost trivial randomness amplification protocol³¹. In contrast, a wide range of usable quantum technologies is available today, in particular promising quantum computers which are waiting for real-world applications. Such quantum computers moreover have several features making them attractive for running Bell tests: for example, superconducting [83] and ion-trap devices [84] do not suffer from the so-called detection loophole [85], and ion-trap devices have extremely low cross-talk [86].
In this context, our results are:

• Under minimal added assumptions which we describe in detail, today's quantum computers can be trusted to run faithful Bell tests and therefore to run our protocol securely. For this, we develop a method to account for some signalling effects (e.g. cross-talk) in the statistical analysis, if the signalling can be shown to occur in a fraction of the rounds only. In complement to other techniques [87,88] which make it possible to account for other forms of signalling, for example considering contributions of joint measurements instead of the desired separable ones [88], this allows one to consider different signalling effects on the same device. At a high level, this amounts to trusting that the quantum computer has not been purposely built to trick the user, while allowing for unavoidable imperfections in its implementation.

• By optimising the circuit implementation as well as the parameters of our protocol to the specific hardware, all the quantum computers we used achieved sufficiently high Bell inequality values to run our protocol, for certain $\delta > 0$, and generate random numbers in a semi-device-independent manner. In particular, although from a small sample only, the results obtained from the devices of Quantinuum and AQT/UIBK gave the highest Mermin inequality value $M_{\mathrm{obs}} \approx 3.9$. This is also the case on IBM's device ibmq_toronto, giving $M_{\mathrm{obs}} = 3.62$. The previous highest Mermin inequality value that we could find was $M_{\mathrm{obs}} = 3.57$ [81] (albeit in 2006).

• We showed in the previous section how our results compare to classical alternatives from a statistical perspective. By running extensive statistical tests, we showed that the output generated by (other commercially available) quantum and classical hardware RNGs and also by existing software pseudo-RNGs is successfully amplified through our protocol run on quantum computers, by using them as the imperfect source of randomness. This means that the random numbers from those sources fail, or perform badly, at some commonly used statistical tests without being processed by our protocol, but succeed after being amplified by our protocol.
The numerical results that we obtained are summarised in Table 1 and the remainder of this section is organised as follows. Sec. 6.2 serves to discuss and describe the necessary added assumptions for running a faithful Bell test on quantum computers, but also how to account for and quantify some signalling (e.g. cross-talk) in the implementations. We then describe the different quantum computer implementations, in particular how we optimised the circuits for each device, in Sec. 6.3.

Validity of quantum computers for Bell experiments and added assumptions
We want to address the questions: How valid is the use of quantum computers to perform Bell tests? Which added assumptions are required?
Quantum computers are not built purposely for the task of running Bell tests and in particular open the so-called locality loophole. Indeed, in a quantum computer the qubits are not strictly shielded from each other and cross-talk can occur. In a loophole-free implementation, the qubits are isolated from each other and the experiment is synchronised such that there is no time for possible communication between the different parts of the quantum device during a round (see Sec. 4.3). We term such possible undesired communication between the sub-parts signalling; cross-talk is a particular type of it. In the presence of signalling, it is known that quantum correlations become possible to generate without quantum resources, given that the amount of such signalling is sufficient [87,89].

³¹ Indeed, to achieve a useful amplification protocol, i.e. one having $\delta \ll \tfrac{1}{2}$, one needs relatively high Bell inequality violations. Moreover, by "high" we mean that the observed violation of the Bell inequality should be high compared to the algebraic maximum of the inequality (and not only the maximum value achievable with quantum resources).
In order to account for signalling in Bell tests, we developed methods that include these undesired effects in the statistical analysis, reducing the amount of certified randomness accordingly. Each of these methods implies a different additional assumption about the quantum device's functioning and therefore reduces the implementation to semi-device-independent. Note that the user only needs to make one of the below listed assumptions, not all of them. These assumptions are abstract and only consider the effect of signalling at the level of the observed statistics. One could also consider taking a different approach, for example by allowing for a weak form of signalling each round [88] (still requiring additional assumptions about the devices, as we do here), or in fact combining the different techniques (for example using ours in conjunction with [88] or following the techniques of [87]) to account for a wider range of signalling effects. Because these other techniques have been described in other works, we here focus on ours only.
To use the Bell inequality values obtained from a quantum computer implementation, the user needs to make one of the following assumptions:

• Assumption A: The effect of signalling (e.g., cross-talk) is random, in the sense that it is not tailored to the specific Bell inequality that is used.

or

• Assumption B: The effect of signalling (e.g., cross-talk) is not random in the sense of A, but is fixed in the sense that its effect is the same each time it occurs.

or

• Assumption C: The effect of signalling (e.g., cross-talk) in the quantum computer is a mixture of the effects described in Assumptions A and B.
Assumption A is probably generic if the device was not purposely built in a malicious way, and is similar to random noise. Indeed, accidental signalling or other classical effects are complex and changing, making it unlikely that they are exactly such that they contribute positively to the Bell inequality that is used. Moreover, for each Bell test there exist several equivalent Bell inequalities that can be used, each requiring a different tailored signalling effect, which was not observed when we tested the devices.
Assumption B considers the opposite situation in which, for some reason, the signalling occurs in a way that positively contributes to the Bell inequality that is used. In this case, the assumption is that this positive contribution occurs the same way every time. This could be thought of happening, for example, if there was a systematic imperfection in the device leading to a fixed signalling effect. The opposite situation, in which this effect is not systematic but random, is captured in Assumption A.
Assumption C allows one to consider a mixture of the effects in Assumptions A and B, which could in principle occur side by side. Indeed, one could imagine that there is a systematic signalling effect in the device but, for some reason, in some rounds this effect gets randomised because of other phenomena.

For the sake of clarity, note that it is important that the Bell test is run on a device that is trusted to be a quantum device. Although the device might be noisy or mostly uncharacterised, if the Bell test is run, for example, on a classical computer simulating a quantum device, there is no way for the user to distinguish it from a fair Bell experiment without inspecting the device. Such a simulator would violate the assumptions we made above, but there may be no way for the user to witness it. The user therefore needs to make sure that the Bell test is indeed run by what has been built, in good faith, as a quantum device. This can be ensured, for example, by inspecting the device or by trusting the provider.
In order to account for signalling effects in our statistical analysis, we follow a worst-case approach and apply the largest penalty on the generated randomness that these could imply. We show that the signalling effect in Assumption A actually increases the amount of generated randomness that can be certified, and therefore the worst case is to ignore its contribution³². This is a very positive sign: when random forms of cross-talk (in the sense of Assumption A) diminish in quantum computers, the efficiency of our protocol will get even higher. The effect of signalling as in Assumption B is negative on the amount of randomness that can be certified, but because its effect is assumed to be fixed it can be quantified, and therefore bounded, from the observed statistical behaviour of the device. This contribution is then accounted for in a worst-case manner: the Bell value and the number of rounds that can be used for certifying randomness diminish. Assumption C, in the worst-case scenario, amounts to taking the penalty from Assumption B alone. The details are given in App. F. From the experimental results that we obtained, the penalty for accounting for signalling in the quantum computers that we used is quite low and does not impair the capacity of quantum computers to run our protocol. The impact of the signalling effect of Assumption B and the typical effect we observed in the superconducting quantum computer ibmq_toronto of the IBM Quantum Services are plotted in Fig. 11 (green). We note here that we believe that on superconducting devices we do not have a strong reason to consider that the cross-talk only occurs in a fraction of the rounds (as opposed to, for example, weak cross-talk occurring every round [88]). In this case, it would then be desirable to combine our technique with the techniques in [88] in order to account for signalling in a more general way.
When using ion-trap devices, the effect of potential cross-talk is so low [86] that it could be ignored, but one can also apply the same techniques if desired. As opposed to superconducting devices, in the case of ion traps (Quantinuum's and AQT's) we additionally believe that using our technique is well justified because of the particular device structure and functioning. More precisely, in those devices ions (i.e. qubits) are located in traps and cross-talk can occur because of a failure in focusing the laser [86,90], thereby affecting another ion, or from light scattered from one ion to another during measurement, which can also happen with some probability [90,91]. Because of this probability of failing to shield one ion from another, we believe that our model of signalling is particularly well justified for this specific case. For completeness, we also plot the impact on the observed Mermin value from the AQT/UIBK device in Fig. 11 (orange). Again, we believe that our assumptions are sensible if the quantum device was not built in a malicious way. This is reasonable to expect, for example, from devices that are readily available to other users running quantum algorithms. Indeed, we find it hard to believe that quantum computers were built in order to trick the specific users that will be running our protocol. The advantage of our method using quantum computers is that it allows the use of a non-malicious yet mostly uncharacterised quantum device. This is in contrast to the standard physical methods for generating randomness. In this sense, it at least partially solves the problem in question 1 (as well as 2 and 3) stated in the introduction.

Implementations of Mermin inequality violations on quantum computers
In order to use quantum computers to perform the Bell test in (4), the implementations used circuits first preparing the so-called Greenberger-Horne-Zeilinger (GHZ) state of three qubits [92]. The prepared state is then measured with the Pauli X or Y measurement on each qubit, depending on the circuit that is chosen. Remark that these (graph) states and measurements allow for a very simple circuit implementation, which is what in turn leads to high Bell inequality violations. Also note that in all our implementations we fix the state preparation in all circuits corresponding to different measurements, i.e. only the measurement bases vary from one circuit to another. We believe that our results also serve as a nice way to benchmark the performance of several quantum computers across two types (superconducting and ion-trap), which might be of independent interest.

Superconducting quantum computers from the IBM Quantum Services
We optimised the physical qubits and gate implementation of the circuits on every quantum computer available on IBM Quantum Services using the compiler t|ket [93]. This is what allowed us to achieve high Mermin inequality values. All implemented circuits (after optimisation) have minimal depth 6, prepare the same quantum state (only the measurements are different) and are run on the optimal physical qubits for each machine. Examples of circuits for the devices ibmq_ourense and ibmq_valencia, before and after compilation, are given in Fig. 12 (left). The physical qubit layout of certain machines can be found in Fig. 12 (right); it is the same for both machines ibmq_ourense and ibmq_valencia. The physical qubits chosen for the implementation by t|ket were qubits 0, 1, 2 on both machines. Implementations on different machines follow the same steps, but have different layouts and therefore different optimised circuits. The highest Mermin value was obtained on the quantum computer ibmq_toronto ($M_{\mathrm{obs}} = 3.62$), which has 26 qubits although we use only 3 of them. Other good machines were ibmq_ourense and ibmq_valencia (respectively $M_{\mathrm{obs}} = 3.35$ and $M_{\mathrm{obs}} = 3.11$), both of which are 5-qubit machines. Numerous other machines from the IBM Quantum Services give sufficiently good Bell values for our protocol. Our results for IBM Quantum Services devices were computed as the average obtained from 50 tests with $n = 10^7$ circuits, i.e. the number of rounds. Interestingly, some machines performing well have a low number of qubits, which is good in order to minimise the required resources. $M_{\mathrm{obs}} = 3.62$ was the highest Bell inequality value we could find in the literature before the ones that we obtained on ion-trap devices (see below). We summarised all results for the quantum computer implementations in Table 1. As mentioned in the previous section, the typical maximum signalling fraction we observed from ibmq_toronto was $n_s \in [0.0014, 0.014]$, i.e. a minimal impact on the performance of the device for our protocol (see App. F and Fig. 11).

Ion-trap quantum computers from Quantinuum and AQT/UIBK
Our implementation on these devices led to the very high Mermin value $M_{\mathrm{obs}} = 3.9$ on AQT/UIBK's device and $M_{\mathrm{obs}} = 3.88$ on Quantinuum's H1 device, which are the highest reported in the literature. We remind the reader that those values were not obtained in a loophole-free manner. We also obtained the value $M_{\mathrm{obs}} = 3.835$ from Quantinuum's H0. Note that we optimised the circuits (either by hand or using the compiler t|ket) for all implementations other than for AQT/UIBK, where they performed the circuit optimisation themselves. Although they gave high violations, the small amount of time and slow repetition rate meant we were only able to collect data from $n \approx 10^4$ (AQT/UIBK) and $n \approx 5 \cdot 10^4$ (Quantinuum) rounds, in which we tested the inputs appearing in the Bell inequality only.
As said in the previous section, cross-talk on ion-trap devices is notoriously low and we therefore ignored signalling effects with such devices. One can easily include them in the analysis as described before.

Conclusion
In the first part of our work, we have presented an end-to-end protocol for device-independent randomness and privacy amplification. The setup, parameters, randomness post-processing, and statistical analysis were all optimised for real-world quantum devices. Our protocol has linear rates in the runtime of the quantum device and maximal noise tolerance. The randomness post-processing was also tailored to the task of randomness and privacy amplification. In particular, it was implemented keeping information-theoretic security whilst its complexity was taken down to near linear, allowing it to run efficiently on a standard personal laptop with large block sizes.
In the second part of our work, we have implemented our protocol on several quantum computers from the IBM Quantum Services, Quantinuum and AQT/UIBK. This can be understood either as a concrete example of the results that can be obtained with our protocol or, under minimal added hardware assumptions, as a semi-device-independent implementation. In the second case, one can run our protocol on today's quantum computers in order to generate private random numbers. The Mermin inequality violations we observed are the highest reported in the literature, a testimony to the work achieved by the different teams building quantum computers.
Future work. Some important further developments to our results are already being worked on, among which:

• After running a significantly large experiment on the Quantinuum H1 ion-trap quantum computer, we have managed to collect enough output to test our protocol on a number of different imperfect RNGs. With this, we can continue to test the limits and demonstrate the practicality of our protocol in real-world applications.

• It would be interesting to explore the implication of the recent generalisation [94] of the entropy accumulation theorem that we use [37,65] to the particular set-up for randomness amplification.

• It is important to further improve on the randomness post-processing. This could lead to even higher $\delta$ that can be amplified, but also to higher efficiencies. The challenge is to manage to keep the complexity low in the actual software implementations, see Sec. 4.6 for more details about this. In [36], we will expose further results on the topic of randomness extractors and their implementations.

A.1 Preliminaries
We start the appendices by formalising the set-up we consider, see Fig.1. An adversary, E, holds side information h about the weak source of randomness which will be used to choose the inputs to the quantum device. This initial source of randomness is assumed to be a Santha-Vazirani source, i.e. it outputs bits sequentially such that its outputs r_i satisfy (2). E is allowed to build the quantum device which is later given to the user, and may remain entangled with it by keeping a quantum system entangled with the device in a quantum memory. After it has been handed to the user, the adversary is not allowed to access the device any more.

A.2 Generalising the Mermin inequality to account for weakly random inputs
Inequality (4) can be written in the equivalent form with ⊕ denoting the sum modulo 2 and where 1/8 is the local (or classical) bound. We then have the following relation between L and M: L = (4 − M)/16. The inequality written in this form can be understood as a losing probability at the Mermin-Bell game, and requires quantum resources to obtain a losing probability L < 1/8. Indeed, under this form one sees that minimising L implies trying to minimise the terms p(a ⊕ b ⊕ c = 1|011), p(a ⊕ b ⊕ c = 1|101), p(a ⊕ b ⊕ c = 1|110) and p(a ⊕ b ⊕ c = 0|000), i.e. the combinations of outputs the quantum device should avoid outputting, depending on the inputs that were chosen. An important property of this inequality is that there exist quantum states and local measurements such that all these terms vanish (in a noiseless implementation), i.e. p(a ⊕ b ⊕ c = 1|011) = 0 and similarly for the other terms.
As discussed in the main text, standard Bell inequalities can not be used in our set-up in which there are correlations between the input choices and the device's behaviour. To account for such correlations, we first build a new inequality from (20), which can be understood as a measurement dependent locality (MDL) type inequality [64]. From an initial Bell inequality, one essentially performs the mapping p(abc|xyz) → p(abcxyz), i.e. considers joint distributions of both inputs and outputs instead of conditional ones. We then obtain

L_MDL := Σ_{a,b,c} [ δ_{a⊕b⊕c=1} (p(abc011) + p(abc101) + p(abc110)) + δ_{a⊕b⊕c=0} · p(abc000) ] .   (21)
One can further estimate the inequality L_MDL by evaluating a losing condition l_i, which is computed at each round of interaction with the quantum device: where a_i, b_i, c_i and x_i, y_i, z_i are the outputs and inputs in round i ∈ {1, 2, ..., n}. One then estimates
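As an added example (this is illustration code written for this page, not code from the paper), the following Python block evaluates the per-round losing condition l_i on constructed round data, estimates L_MDL as the empirical frequency of lost rounds (an assumption about the estimator in (22), which the text does not spell out here), and, when the input frequencies are uniform, converts it to L and M_obs through the relations L_MDL = 2L and L = (4 − M)/16 stated above.

```python
# Added example, not the paper's code: estimating the Mermin-Bell losing
# probability from per-round data. A round is lost when a⊕b⊕c = 1 for the
# inputs 011, 101, 110, or when a⊕b⊕c = 0 for the input 000. We assume
# (not stated on the page) that L_MDL is estimated by the fraction of lost
# rounds; with uniform inputs, L_MDL = 2L and M_obs = 4 - 16L.
from collections import Counter

# Constructed sample rounds (a, b, c, x, y, z): two rounds per input triple
# of the inequality, z = x ⊕ y throughout, and exactly one lost round.
ROUNDS = [
    (1, 0, 0, 0, 0, 0), (0, 1, 0, 0, 0, 0),   # input 000: win iff parity = 1
    (0, 0, 0, 0, 1, 1), (1, 1, 0, 0, 1, 1),   # input 011: win iff parity = 0
    (0, 0, 0, 1, 0, 1), (1, 0, 1, 1, 0, 1),   # input 101: win iff parity = 0
    (1, 1, 0, 1, 1, 0), (1, 0, 0, 1, 1, 0),   # input 110: last round has parity 1 -> lost
]

LOCAL_BOUND_L = 1 / 8   # classical bound on the losing probability L
INEQUALITY_INPUTS = {(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 0)}


def losing_condition(a, b, c, x, y, z):
    """l_i in {0, 1}: 1 if round i is lost at the Mermin-Bell game."""
    if z != x ^ y:
        raise ValueError("z must equal x xor y in this set-up")
    parity = a ^ b ^ c
    if (x, y, z) == (0, 0, 0):
        return int(parity == 0)
    return int(parity == 1)          # inputs 011, 101, 110


def estimate(rounds):
    """Empirical L_MDL; L and M_obs are derived only under uniform input frequencies."""
    n = len(rounds)
    l_mdl = sum(losing_condition(*r) for r in rounds) / n
    counts = Counter((x, y, z) for _, _, _, x, y, z in rounds)
    uniform = set(counts) == INEQUALITY_INPUTS and len(set(counts.values())) == 1
    result = {"n": n, "L_MDL": l_mdl, "uniform_inputs": uniform}
    if uniform:
        L = l_mdl / 2                      # L_MDL = 2L when p(xyz) = 1/4
        result["L"] = L
        result["M_obs"] = 4 - 16 * L       # from L = (4 - M) / 16
        result["beats_local_bound"] = L < LOCAL_BOUND_L
    return result


if __name__ == "__main__":
    print(estimate(ROUNDS))
```

With the constructed rounds above, one lost round out of eight gives L_MDL = 1/8, hence L = 1/16 and M_obs = 3, inside the quantum region (L < 1/8) but far from the noiseless value M = 4.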

A.3 Single-round min-entropy from the losing probability
The goal of this subsection is to relate the value of the losing probability (20) to the single round min-entropy. The next step will be to see how this single-round quantity can be related to the total accumulated entropy in the n rounds of the protocol (this is why we compute them), which depends on the set-up and assumptions considered.
Without loss of generality, we assume that the three boxes A, B, C and the adversary share a 4-partite quantum state ρ^{ABCE}_h on which the three parts in the quantum device make measurements M^A_{a|x,h}, M^B_{b|y,h}, M^C_{c|z,h}. Note that, contrary to a standard Bell experiment, the measurements and state might depend on the side-information h of the adversary. The adversary performs a measurement O^E_{e|w,h} on their share Q of the system, obtaining outcome e. All measurements are assumed to act locally on the state, i.e. the user's outcome statistics are given by for some unknown state and measurements (in particular, the Hilbert space dimension is not bounded) and for some h which is not accessible to the user. For simplicity of notation, we took the freedom to label a specific quantum realisation with quantum state ρ^{ABCE}_h and measurements as Q_h. The guessing power that the adversary E has over the outcomes of the experiment is quantified by a guessing probability P_g(ABC|(xyz)*, Q, h), given their quantum system Q and side-information h. Moreover, as in our set-up the SV source is not assumed to be private, we want to quantify the guessing probability for given inputs, which we label by (xyz)*. Remember that z = x ⊕ y, so z is not generated directly from the imperfect RNG. The objective is to upper bound this quantity, i.e. to certify some unpredictability. In our case, we upper bound the guessing probability of the adversary over the outcomes a, b, c by using a bound on the guessing probability over two outcomes, say a, b (without loss of generality in our case). The interested reader is referred to [95] for a detailed discussion of guessing probabilities. The result takes the form of the optimisation problem (24). In words, this optimisation problem corresponds to allowing for the most advantageous quantum realisation (through the maximisation over Q_h) for the adversary to correlate their outcome with the outcomes they are trying to guess, i.e. to maximise p_E(e = (ab)|(xyz)*, (ab), w, Q_h) for each combination of a, b. Clearly, this corresponds to a worst-case bound. In addition to requiring that the realisation Q_h is of the form (23) (that it is quantum), we also require that the realisation reproduces the observed MDL inequality value (21). Because we only have a constraint on the MDL inequality, and not on a Bell inequality, it is unclear how to solve this optimisation directly. Instead, we constrain the possible values of a Bell inequality which are compatible with the observed violation of the MDL inequality as follows.
For all realisations Q_h (i.e. for any h), we note that where l(a, b, c, x, y, z) is given in (22). In the first step, we have used the relation between observable quantities L^obs_MDL(p^ABC_obs(abcxyz)) = 2L^obs(p^ABC_obs(abc|xyz)) from (21) and (20) respectively, where we assume that p_obs(xyz) = 1/4 for all x, y, z appearing in the Mermin inequality. In the second line, we have related joint probabilities with conditional probabilities. In the third line, we have used that (1/2 − δ)^2 ≤ p(xyz|h) = p(xy|h) ≤ (1/2 + δ)^2 (the SV assumption (2) over the source, where we only require 2 bits from the imperfect RNG as z = x ⊕ y) and in the last step we used the definition of the losing probability of the Mermin game as given in (20). In the end, we can use (26). In words, and in some sense, we can bound the value that would have been obtained for the Bell inequality from the observed MDL inequality value. The constraint L_MDL(p(abcxyz, Q_h)) = L^obs_MDL in (24) can then be replaced by condition (26), i.e. a guessing probability as in a standard Bell test (with a worst-case bound on the Bell inequality violation instead). The resulting guessing probability was derived in [63] and, when written as a function of L_b, reads Once again, note that because of the symmetries in our set-up this guessing probability holds for all input triplets (xyz)*. Finally, the min-entropy of the outcomes is then In the main text, in order to simplify the notation, we have instead used the object M_obs = M(P_obs), see (4). Although, as discussed, this can not directly be used as a Bell inequality as in the standard set-up, it still represents an intuitive quantity to evaluate. For example, the result in (6) can be obtained by using M_obs = 4 − 16L_obs and L^obs_MDL = 2L(P_obs) if p_obs(x, y, z) = 1/4 for all x, y and z = x ⊕ y. By doing this, we restrict the analysis to set-ups in which the input frequencies are equal.

A.4 Identical and independent rounds for large n
The first situation that we consider is the one in which one can assume that the different rounds of interaction with the quantum device are identical and independent of each other. More precisely, the global quantum state describing the joint system of the adversary E and that of the quantum device ABC (see Fig.3) over the entire run of n interactions with the quantum device is assumed to have the structure ρ^n where ⊗ denotes the tensor product and we have labelled the systems over n rounds in bold. Note that we do not assume knowledge of the state σ_{ABCE}, only that such a state exists and that the decomposition holds. Similarly, the measurements made in the device A are assumed to take the form (M^a_x)^{⊗n} (and the same holds for the measurements of B and C). These conditions imply that the variables l_1, l_2, ... used to evaluate L are independently and identically distributed (I.I.D.) random variables, and the same holds for the outcomes a_1, a_2, ... (and similarly for the outcomes b_i and c_i). In the limit of large n, we can evaluate the total accumulated entropy Assuming that the quantum device behaves identically and independently may be a reasonable assumption in certain cases, for example when the device provider can be trusted and the device functions at slow speed (possibly avoiding memory effects). Importantly, the I.I.D. assumption in the asymptotic limit n → ∞ also serves to test the ultimate limits of the protocol, since the results in the most general set-up (MBQA, non-I.I.D.) tend to those of this simpler I.I.D. set-up [37] for large n.

A.5 Memory based quantum attacks
Although making the assumption of identical and independent rounds of interactions can be interesting in some cases, this assumption clearly goes against the mindset of device-independence. Indeed, in general it is very limiting to assume that there is no correlation between the different interaction rounds -such as memory effects for example. To generalise the security proof to the most general case, in which the I.I.D. assumption is dropped and where the adversary can also make general operations on its share of the quantum state, one can use the framework developed in [7,37,96]. There, the authors explain how to use the entropy accumulation theorem (EAT) [65] in the set-up that we are considering.
Even if the results are more general, the idea is still to go through a reduction to the single-round quantities introduced in Sec.A.3. That is, the total entropy accumulated in n interaction rounds can be computed from single-round quantities (which is why we considered them) and some penalty terms.
Remark, however, that not all structure is lost. Indeed, the interaction rounds with the quantum device are made in a sequential manner: while the inputs (x_i, y_i, z_i) and outputs (a_i, b_i, c_i) of one round can depend on the ones generated in previous rounds, the opposite is not allowed. Namely, the inputs and outputs generated during an interaction round can not depend on the ones generated during a later interaction round: the future does not influence the past. This sequential structure is one of the ingredients that allows one to obtain non-trivial results.
In order to use the EAT, we first need to show that our experiment and protocol satisfy certain conditions (see [37,96]), namely that:
• {A_i B_i C_i}_{i∈[n]}, the outputs, are all finite dimensional measurement outcomes (classical random variables). The same holds for {L_i}_{i∈[n]} (the losing condition evaluated at each round, see (22)) and {X_i Y_i Z_i}_{i∈[n]}, the inputs, which represent the information that "leaks" to the adversary (the SV source is public, i.e. its outputs can not be assumed to be private once generated). Finally, {R_i}_{i∈[n]} (the quantum register holding the information about the state at round i) is an arbitrary quantum system.
• At every round of the protocol, the losing condition l_i (22) can be evaluated directly from the classical systems a_i, b_i, c_i, x_i, y_i, z_i at that round, i.e. without changing the underlying state.
• For all i, we have the Markov chain condition i.e. in our set-up at each round i the inputs X_i, Y_i, Z_i do not reveal "new" information about the previous outcomes A_1, B_1, C_1, A_2, ..., A_{i−1}, B_{i−1}, C_{i−1} (information that was not already obtained through the previous inputs made public and the side-information E of the adversary). Remark the importance of assumption number 6 in Sec.4.7, which excludes the situation in which the weak source of randomness would update its state depending on the outcomes of the Bell test.
We are now in a position where we can apply the EAT and need to compute the necessary quantities. For the details (and why these are the relevant quantities), we refer the reader to [96] (lemma 10) as adapted for the setup for randomness amplification in [7] (theorem 33 and claim 1, p.27), but also to [37].
The derivative of the min-entropy with, again, L_b(L^obs_MDL, δ) given in (26).
We now define the function f_min (our min-tradeoff function, see [37]) as a function of a new variable L_cut (a degree of freedom which we will optimise on) We can now evaluate the total conditional smooth min-entropy accumulated in the outputs A^n B^n C^n over n successive rounds, which is the main quantity of interest (as it is roughly the randomness that can be extracted). This is computed similarly to (33) in [7] (p.28), in the proofs and explanations following lemma 10 and claim 1, replacing the quantities with the ones in our setup as derived above, with κ a smoothing parameter (which will also be optimised on) and ε_EA a (small) security parameter corresponding to the failure probability of this entropy accumulation step, i.e. one can show [37] that either the entropy accumulation step fails with probability higher than ε_EA or the total accumulated entropy respects (34). Note that since the total min-entropy relates to the guessing probability according to H_min = −log_2(P_g), this equation (34) is written in terms of P_g in (8). The security parameters will be taken into account (and optimised) later when we consider the security of the full protocol in Sec.C. The entropy rate of the quantum device, i.e. the average amount of entropy per bit in the 3n-bit string containing the outcomes of all rounds, is given by Remark that because we are using a bound on the guessing probability of two of the three outcomes, we have that β ≤ 2/3, which is a limitation of our protocol. It would be interesting to be able to bound the guessing probability of two outcomes directly whilst being able to use the EAT to accumulate entropy over n rounds. Note that in our case this is currently not possible, as our channels would then not satisfy the three conditions set out above for using the EAT (see the interesting discussion about this limitation of the EAT in [97], just after lemma 11.3).

B Proofs for the randomness post-processing
Before giving the formal proofs and details regarding our randomness extraction routines, following [7,38] we explain why the so-called Markov model is needed in our setup (see Fig. 1 and 2 for our setup). In Fig. 13, one can see the relations between the variables in the protocol and an explanation of why those relations are valid or correspond to one of the required assumptions. The difficulty in this setup comes from the fact that the inputs to the 2-source extractor are not independent of each other but only conditionally independent (on the other variables generated before and that are known to the adversary), see (39). 2-source extractors secure in the Markov model work in the presence of this particularly strong form of possible side information.

B.1 Two-source extractor
The following definition is standard, see for example [76,Definition 1].
where U_M denotes the uniform random variable on m-bit strings. The function Ext is called strong in the i = 1, 2 input if We call n_1, n_2 the input lengths of the first and second source, resp., m ∈ N the output length, and ε ∈ [0, 1] the security parameter.
Following Arnon-Friedman et al. [38], we extend this security criterion to adversaries holding quantum information Q about X_1 and X_2. The enabling concept is that of quantum Markov chains. The adversary's side information gives them predictive power over the outcomes of the imperfect RNG, which is first used to choose the measurement bases in the experiment (X^n Y^n Z^n) and later as fresh input to the randomness post-processing (W^d, where for example using our implemented Dodis extractor d = 3n). Before the string W^d is generated, the quantum device produces its output A^n B^n C^n. Finally, both W^d and A^n B^n C^n are processed together by a 2-source extractor secure in the Markov model. Note, in particular, that the variables W^d and A^n B^n C^n are assumed to be independent conditionally on the other variables generated before, see (39). This Markov condition is necessary to obtain security in our setup and corresponds to assumption 6 in our list in Sec.4.7.

Definition 2.
A classical-classical-quantum state ρ_{X_1 X_2 Q} is a Markov source if where I(X_1 : X_2 | Q)_ρ denotes the conditional mutual information.
The stronger security criterion in the presence of quantum adversaries is then as follows [38, Definition 8].
We note that it is an open question whether the parameter loss ε → √(3ε) · 2^{m/2−1} is needed. For our protocols, we implement the following quantum-proof version of the Dodis et al. [74] construction based on cyclic shift matrices commonly attributed to Vazirani [98].

Proposition 5.
Let A i be n × n-matrices such that the j-th row has a 1 in the j − i + 1 mod n column and zero elsewhere, i.e., A i implements a cyclic shift by i − 1 bits. For n prime with 2 as primitive root, 35

the function Ext
gives a quantum-proof (n, k_1, n, k_2, m, ε) two-source extractor with^36 which can be rewritten as in (10). The construction is quantum-proof strong in either one source.
A couple of comments are in order:
• The threshold for this construction to work is that the difference between k_1 + k_2 + 1 and n is positive. Then, roughly one fifth of this difference can be extracted.
Finally, we need to operate quantum-proof two-source extractors on sources for which we only have a guarantee on the smooth min-entropy instead of the min-entropy. This is covered by the following lemma.
k_1, n_1, k_2, m, ε) two-source extractor, κ ∈ (0, 1], and ε_2 ∈ (0, 1). Then, for any Markov source ρ_{X_1 X_2 Q} with we have that
Proof of Prop. 6. This is proven as in [38, Lemma 17] that covers the variant of two smooth min-entropy sources.
^35 That is, for i = 1, . . . , n − 1 there exists p_i ∈ N such that 2^{p_i} = i mod n.
^36 It is implicitly claimed in [38, Sec.6.1] that the Dodis et al. [74] construction is directly quantum-proof with better parameters than stated here. However, the exact parameters of this remain to be worked out.

B.2 Seeded extractor
For the special case when the second source is already perfectly random and independent of any side information Q, i.e., n_2 = k_2, two-source extractors are known as seeded extractors with the seed d := n_2 = k_2. In particular, we need quantum-proof seeded extractors that are quantum-proof strong in the seed and call such functions strong quantum-proof seeded extractors. We reproduce the self-contained definition here. A function Ext : {0, 1}^n × {0, 1}^d → {0, 1}^m is called a strong quantum-proof (n, k, d, m, ε) seeded extractor if for sources ρ_{XQ} with H_min(X|Q)_ρ ≥ k, we have where τ_D denotes the fully mixed state on C^{2^d}. We call n ∈ N the input length, d ∈ N the seed size, m ∈ N the output length, and ε ∈ [0, 1] the security parameter.
Note that the extractor Ext can be seen as a family {f_i}_{i∈2 The product operation · in (48) stands for binary finite field multiplication in F_{2^{n−m}}.
A couple of comments are in order:
• Compared to standard two-universal hashing constructions with seed size n or m (see, e.g., [99]), the Hayashi-Tsurumaru construction Ext_HT comes with the seed size d = n − m. This gives a relatively short seed size for high min-entropy sources k ≈ n, while keeping the near optimal output size m ≈ k.
We need to operate strong quantum-proof seeded extractors on sources for which we only have a guarantee on the smooth min-entropy instead of the min-entropy. This is covered by the following lemma.

C Security analysis: putting everything together
We now put together the statistical analysis of the quantum part of the protocol, as discussed in App.A, with the classical post-processing steps, as discussed in App.B, in order to arrive at a full security proof. This is straightforward as all cryptographic components used are composable [57]. Namely, after having performed the Bell test from App.A, following Fig.4, the first step of the randomness post-processing is as follows (here we do the analysis in the device-independent setting, MBQA):
• From the imperfect RNG, which we model as an SV source (2), we get 3n bits with min-entropy rate α, abbreviated as [3n, 0, k_1 = 3αn]. Here, α is a function of the SV source parameter δ, namely α = −log(1/2 + δ).
• The output of the quantum device is 3n bits with κ-smooth min-entropy rate β as given in (35) and abbreviated as [3n, κ, k^κ_2 = 3βn]. If one desires to make the I.I.D. assumption (see Sec.A.4), one can instead use the min-entropy as given in (7); in the I.I.D. setting, we get 2n bits from the quantum device and so only require 2n bits from the imperfect RNG. Note that in the case of MBQA (i.e. non-I.I.D.), we have an additional security parameter ε_EA associated to the failure probability of the entropy accumulation step and a smoothing parameter κ. The smoothing parameter comes from concentration inequalities used in the proof of the EAT, whereby for large n the total min-entropy for the whole experiment is well approximated by the sum of the von Neumann entropies of the individual rounds. By imposing ε_EA ≤ ε_sec, we can effectively ignore this parameter when computing the final security parameter ε_sec (note, however, that ε_EA still contributes indirectly to the accumulated entropy during the entropy accumulation step, i.e. (34) with ε_EA = ε_sec). The smoothing parameter κ is effectively a free parameter which will be chosen to optimise the final randomness generation rates.
• The quantum-proof (3n, k_1, 3n, k_2, m_2, ε_ext) two-source extractor from Prop.5 is run on the inputs [3n, 0, k_1] and [3n, κ, k^κ_2], in the smooth min-entropy form of Lemma 6. We note that the two-source extractor can be chosen quantum-proof strong in either of the two sources (but not both).
• The output is m_2 bits of randomness with security parameter ε_1, abbreviated as [m_2, ε_1]. Here, m_2 is a function of the parameters of the min-entropy sources (via Prop.5) and ε_1 is a function of the parameters ε and κ (because of working with the smooth min-entropy) and the security parameter ε_ext of the two-source extractor (via Lemma 6).
The output size |m_2| of the 2-source extractor is then given by using (44) with total error ε_1 = 3κ + ε + ε_ext as in (46). When applying the MBQA statistical analysis, we further compute (34), because we need to account for the smoothing parameter: randomness extractors take min-entropy (not smooth min-entropy) as input, so we must lower bound the min-entropy. From the Santha-Vazirani condition (2), we get k_1 = 3nα with α = −log(1/2 + δ). Finally, the optimal value for m_2 (to get the largest output size at a given security parameter) without a seeded extractor and for a desired overall security parameter ε_1 = ε_sec, for a given δ and observed L^obs_MDL, can be obtained as the result of the optimisation (52), with ν(L_cut, δ, ε_EA = ε_sec) the penalty term in (36) and L_b = L_b(L^obs_MDL, δ) the bound in (26).
The Dodis et al. extractor from Prop.5 only runs for input sizes n prime with 2 as primitive root. Hence, for general input bit strings of size n ∈ N, the idea is to give an n' ≤ n such that n' is prime with 2 as primitive root, while keeping n − n' as small as possible. The Dodis et al. extractor is then run on the input size n', discarding n − n' bits for potential later use. We view finding an appropriate n' as a pre-computation step and generated a sufficiently dense list of such integers up to n ≈ 10^8. As mentioned in App.B.1, this is based on [73, App.D.G] employing efficient algorithms for primality testing and integer factorization [101], where the latter is only needed for integers of size o(log n').
For n prime with 2 as primitive root, our Dodis et al. extractor is then defined as taking two n-bit strings x, y to the m-bit string z = ((A_1 x)·y, · · · , (A_m x)·y) (53) with A_i the n × n-matrices such that the j-th row has a one in the j − i + 1 mod n column and zero elsewhere. In the following, we give an algorithm based on the number-theoretic transform (NTT) [72] that provably computes z with complexity O(n log n). This is inspired by [73, App.C].
We start with a definition.

Definition 10.
For n ∈ N and x, y ∈ Z^n the convolution x * y is defined by x_j y_k (54) and the reversal function R : Z^n → Z^n is defined by It is then straightforward to verify that the extractor function in (53) can be rewritten for i = 0, · · · , m − 1 as Hence, it is sufficient to give an algorithm to compute the convolution R(x) * y in complexity O(n log n). Such algorithms have been proposed in the literature based on the Fast Fourier Transform (FFT), see, e.g., [73, App.C]. However, these algorithms are not information-theoretically secure because of potential rounding errors due to floating point arithmetic.
In contrast, we now present an information-theoretically secure algorithm based on the NTT that is as fast as FFT based implementations. For this, let L ≥ 2n − 1, p > n, and consider the ring Now, assume for a moment that we can do multiplication efficiently in R. Given a, b ∈ {0, 1}^n, in order to compute the convolution a * b modulo 2 as in (56), we may instead compute the product with 0 ≤ c_i < p. It is easily checked that the sought after convolution can then be written as This shifts the problem of computing the convolution as in (56) to multiplication in R, or equivalently convolutions in Z_p^L. However, we now have freedom to choose p and L and if we choose them appropriately we can make use of the NTT [72].

Definition 11.
For L a power of 2, p a prime with p ≡ 1 (mod L), and ω a primitive L-th root of unity in Z_p, the number-theoretic transform N : Z_p^L → Z_p^L is defined by and its inverse is where L^{−1} is the inverse of L in Z_p.
Crucially, since L is a power of 2, the NTT can be computed in complexity O(L log L) by the same divide-and-conquer technique as in the FFT [72]. Moreover, like the Fourier transform, the NTT has the property that [72] N(x * y) = N(x) N(y), (62) allowing convolutions in Z_p^L to be computed by point-wise multiplication of terms. We note that in order to speed up the modular multiplications, we can choose p in advance and take advantage of compiler optimization or custom code for computing remainders with fixed modulus [102]. For example, we can choose p = 3 × 2^30 + 1, allowing for values of n up to 2^29 > 5 × 10^8.
The implementation of computing the extractor function (53) via the convolution form (56) then proceeds as follows. Formally, let us define the embedding η : Z_2^n → Z_p^L by η(x)_i := 1 if i < n and x_i = 1 (mod 2), and 0 otherwise (63), and the coercion function φ : with 0 ≤ x_i < p for all i. For x, y ∈ Z_2^n the convolution x * y can then be computed in the form with appropriately chosen L and p, and in complexity O(L log L). Thus, the extractor function (53) is computed via the convolution form (56) in complexity O(n log n).
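As an added illustration of the procedure just described (this is example code written for this page, not the authors' implementation), the following Python block computes the Dodis et al. extractor output (53) both directly from the cyclic-shift definition and through the reversal-plus-cyclic-convolution form evaluated with a radix-2 NTT over Z_p with p = 3 × 2^30 + 1; it also includes the admissibility check for the input size (n prime with 2 as primitive root) used in the pre-computation step. Assumptions not fixed by the text: the reversal convention R(x)_k = x_{−k mod n}, the primitive root of Z_p is found by search at run time rather than hard-coded, and the shift matrices A_i are indexed from i = 1.

```python
# Added example, not the paper's code: Dodis et al. extractor z_i = (A_i x)·y mod 2
# computed (a) directly from the cyclic-shift definition and (b) via a cyclic
# convolution evaluated with a number-theoretic transform over Z_P.
# Assumptions made here: R(x)_k = x_{-k mod n}, A_i indexed from i = 1,
# and the primitive root of Z_P is found by search.

P = 3 * 2**30 + 1          # NTT-friendly prime from the text: P - 1 = 3 * 2**30


def is_prime_with_2_primitive_root(n: int) -> bool:
    """Pre-computation check for admissible input sizes (n prime, 2 a primitive root mod n)."""
    if n < 3 or any(n % d == 0 for d in range(2, int(n**0.5) + 1)):
        return False
    # 2 generates Z_n^* iff 2^((n-1)/q) != 1 (mod n) for every prime factor q of n-1
    r, q, factors = n - 1, 2, set()
    while q * q <= r:
        while r % q == 0:
            factors.add(q)
            r //= q
        q += 1
    if r > 1:
        factors.add(r)
    return all(pow(2, (n - 1) // q, n) != 1 for q in factors)


def dodis_direct(x, y, m):
    """Reference: z_i = sum_j x[(j - (i-1)) mod n] * y[j] mod 2 for i = 1..m."""
    n = len(x)
    return [sum(x[(j - s) % n] & y[j] for j in range(n)) % 2 for s in range(m)]


def _primitive_root(p):
    # For P - 1 = 3 * 2**30, g is primitive iff g^((P-1)/2) != 1 and g^((P-1)/3) != 1
    for g in range(2, p):
        if pow(g, (p - 1) // 2, p) != 1 and pow(g, (p - 1) // 3, p) != 1:
            return g
    raise ValueError("no primitive root found")


def ntt(a, omega):
    """Recursive radix-2 number-theoretic transform over Z_P (len(a) a power of 2)."""
    L = len(a)
    if L == 1:
        return list(a)
    even = ntt(a[0::2], omega * omega % P)
    odd = ntt(a[1::2], omega * omega % P)
    out, w = [0] * L, 1
    for k in range(L // 2):
        t = w * odd[k] % P
        out[k] = (even[k] + t) % P
        out[k + L // 2] = (even[k] - t) % P
        w = w * omega % P
    return out


def cyclic_convolution_mod2(a, b):
    """(a * b)_i = sum_{j+k = i mod n} a_j b_k mod 2 for 0/1 vectors a, b of size n."""
    n = len(a)
    L = 1
    while L < 2 * n - 1:          # L >= 2n - 1 and a power of 2 dividing P - 1
        L *= 2
    assert P > n and (P - 1) % L == 0
    omega = pow(_primitive_root(P), (P - 1) // L, P)   # primitive L-th root of unity
    fa = ntt(list(a) + [0] * (L - n), omega)            # embedding eta: zero-pad to length L
    fb = ntt(list(b) + [0] * (L - n), omega)
    prod = [u * v % P for u, v in zip(fa, fb)]          # N(a * b) = N(a) N(b)
    inv_L = pow(L, P - 2, P)
    lin = [c * inv_L % P for c in ntt(prod, pow(omega, P - 2, P))]  # exact: entries <= n < P
    # fold the linear convolution (length 2n-1) onto the cyclic one, then reduce mod 2
    return [(lin[i] + (lin[i + n] if i + n < L else 0)) % 2 for i in range(n)]


def dodis_ntt(x, y, m):
    """z_i = (R(x) * y)_{i-1} mod 2, with R(x)_k = x_{-k mod n}, computed with the NTT."""
    n = len(x)
    rx = [x[(-k) % n] for k in range(n)]
    return cyclic_convolution_mod2(rx, y)[:m]


if __name__ == "__main__":
    # Constructed inputs: n = 13 is prime with 2 as primitive root, m = 6 output bits
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0]
    y = [0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0]
    print(is_prime_with_2_primitive_root(13), dodis_direct(x, y, 6), dodis_ntt(x, y, 6))
```

The direct computation is O(nm) and serves only as a check; the NTT path costs two forward transforms, one point-wise product and one inverse transform of length L, which is the O(n log n) routine the appendix describes. Because every intermediate value is an exact integer below P, the result carries none of the rounding concerns of a floating-point FFT.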

D.2 Seeded extractor
This appendix explains how the Hayashi-Tsurumaru construction from Prop.8 is implemented with quasi-linear complexity in the input size. This largely follows the implementation from [73, App.C], but in contrast to this previous work our algorithm is information-theoretically secure as it is based on the number-theoretic transform. The way we employ Prop.8, we are given d random bits and a linear min-entropy source with rate k = αn for input size n, with the goal of expanding the d random bits to a longer string of random bits. First, we need to give d' ≤ d such that d' is prime with 2 as primitive root, while keeping d − d' as small as possible. The Hayashi-Tsurumaru construction is then run on the seed size d', discarding d − d' bits for potential later use. As in App.D.1, we view finding an appropriate d' as a pre-computation step (cf. the comments in App.D.1). Second, for seed size d prime with 2 as primitive root, the Hayashi-Tsurumaru construction proceeds by choosing c ∈ N with the requirement c < 1/(1 − α). For an input size n = cd, the extractor then generates m = (c − 1)d random bits^37 with security parameter ε ≤ (c − 1) 2^{−(d/2)(1 + c(α − 1))}. (66)
^37 Since the Hayashi-Tsurumaru construction is a strong quantum-proof seeded extractor (Prop.8), the seed can safely be output as well if wanted, leading to the total output size (c − 1)d + d = cd.
Equ.(66) is obtained starting from [73, Sec. V, B, after theorem 5], where they obtain^38 a seeded quantum-proof extractor Note the seed length d = n − m which can get very small for large m, e.g., from a high quality source with high min-entropy rate. For our purposes we are given the seed of size d = n − m coming from the two-source extractor (its output) and we want to choose n, m such that c := n/(n − m) ∈ N, as the scheme then becomes much simpler. Moreover, the n-bit string comes from the SV source and typically has linear min-entropy of k = αn for some α ∈ (0, 1). Hence, it becomes sufficient to choose c such that for a desired ε. One can see that (68)
• Output: D y^{(1)}, . . . , D y^{(c−1)} ∈ {0, 1}^m.
^38 Note that in [73] they use t to denote the min-entropy whereas here we use k.
We note that the total number of iterations is c − 1, which is constant. Furthermore, all operations have complexity O(d) = O(n) except for the bottleneck matrix-vector multiplications of the form C(s) · (y^{(c)})^T. However, following Definition 10 it is straightforward to verify that this can be rewritten as the convolution of vectors of size d, R(s) * y^{(c)}, in terms of the reversal function R. (74) This makes the implementation amenable to the NTT methods introduced in App.D.1 and ultimately leads to the overall complexity O(n log n).
In the following, we reuse the material on the NTT from App.D.1, including in particular the functions N, N^{−1}, η, φ, with the only difference that the vector arguments are now of size d. Furthermore, we define η' as η applied to the reversed sequence, as well as the composed functions N_0 := N ∘ η, N'_0 := N ∘ η', and ρ := φ ∘ N^{−1}. We then have the convolution This in turn lends itself to the following efficient algorithm for (69)-(73):
• Let s_0 = E(r).
This involves 4c−5 forward or inverse NTTs, each of complexity O(d log d) = O(n log n). However, the computation of s i+1 depends only on s i and thus we can execute most of these computations (which require 2 NTTs each) in parallel with the output computations (which also require 2 NTTs each). The initial computations of σ and ζ can also be parallelized. Therefore, with two concurrent threads we can reduce the algorithm to 4c − 5 − 1 − 2(c − 2) = 2c − 2 consecutive NTTs. The performance of this algorithm is depicted in Fig. 14 and at least as fast as the state-of-the-art FFT based implementations discussed in [73, App.E].
We postpone the proof to App.E.2 and only note that Prop.12 is the basis for the plots in Fig. 8 in the main text, comparing the Dodis et al. and Raz constructions. Compared to Raz' [76, Theorem 1], the improved pre-factor for the output condition in (84) becomes possible because we additionally ask for the condition k_2 ≤ 2(n_1 − k_1). Now, for example choosing β = 0.25 leads for large enough input size n = n_1 ≡ n_2 and linear min-entropy rates k_1 = α_1 n and k_2 = α_2 n with α_2 ≤ 2(1 − α_1) to the conditions m ≤ (1/18.5) δ α_2 n − 1 and ε ≤ √3 2^{−1.375} 2^{−m/8} (85) for some δ ≈ α_1 − 0.5. That is, we now have the improved ratio 1/18.5 ≈ 5.4% for the security parameter scaling as 2^{−m/8}. Next, we check by means of a numerical example that these parameters indeed work well in practice.

Example 13. For two linear min-entropy sources $k_1 = 0.75 n_1$, $k_2 = 0.1 n_2$, $n = n_1 \equiv n_2$, typical for our use case, we are interested in the efficiency $\eta := m/n$ of Prop. 12 for sufficiently small security parameter $\varepsilon \ge 0$. For that we need to check the following conditions:

• The condition $k_2 \le 2(n_1 - k_1)$ holds.

• The first condition in (83) is fulfilled for $n \ge 64$.

• For the second condition in (83) we can, e.g., choose $\delta = 0.2$, which then requires $n \ge 1024$.
We end this appendix with a remark about the potential implementation of Raz' construction.
The following lemma from Raz then gives two-source extractors constructed from sequences of $0$-$1$ valued random variables $Y_1, \dots, Y_N$ that are $\zeta$-biased for linear tests of size $p$.
Lemma 15. [76, Lemma 3.4] Let $N = m\,2^{n_2}$ and $Z_1, \dots, Z_N$ be $0$-$1$ random variables that are $\zeta$-biased for linear tests of size $p$ that can be constructed using $n_1$ random bits. Furthermore, define the function Then, for any even integer $p \le p$ m and any $k_1, k_2, \gamma$ such that the function $E$ is a $(n_1, k_1, n_2, k_2, m, \gamma)$ two-source extractor with

Employing the construction of $0$-$1$ random variables as given in (89) leads to the following two-source extractor.
We note that this slightly improves on Raz' original construction [76, Theorem 1] for our needed range of parameters, but, in contrast to [38, Corollary 24], it is not quantum-proof yet.
To finish the proof of Prop. 12, it remains to make the construction from Lemma 16 quantum-proof.

Proof of Prop. 12. We apply Lemma 4 to Lemma 16, in the same way as done for the proof of [38, Corollary 24].

F Signalling effects in Bell tests
In a setup where there is possible signalling in a certain fraction of rounds $n_s \in [0, 1]$ only, the input-output probability distribution decomposes as the convex mixture of rounds with signalling and rounds without,

$p_{obs}(abc|xyz) = \sum_{q_{ns}} q_{ns}\, p_{ns}(abc|xyz, q_{ns}) + \sum_{q_s} q_s\, p_s(abc|xyz, q_s)$,

i.e. of a non-signalling contribution and a signalling one. Randomness can, of course, only be obtained during the no-signalling rounds, as when signalling occurs there exist deterministic strategies capable of saturating the Mermin inequality $M = 4$. From now on, we omit the labels of inputs and outputs and use instead the notation $p_s^{q_s} \equiv p_s(abc|xyz, q_s)$ and $p_{ns}^{q_{ns}} \equiv p_{ns}(abc|xyz, q_{ns})$.
For clarity, we state the assumptions again:

• Assumption A: The effect of signalling (e.g. cross-talk) is random, in the sense that it is not tailored to the Bell test that is run.

• Assumption B: The effect of signalling (e.g. cross-talk) is not random in the sense of A, but is fixed in the sense that its effect is the same each time.

• Assumption C: The effect of signalling (e.g. cross-talk) in the quantum computer is a mixture of the effects described in assumptions A and B.
The consequences of each of these assumptions, and how to account for the signalling effects, are derived in the next few paragraphs.

Figure 15: An example of the quantum device randomness rate as a function of the signalling fraction of rounds $n_s$ for $M_{obs} = 3$ and $\delta = 0.05$. The rates were computed taking into account that only $n(1 - n_s)$ rounds can be used for randomness generation.
Assumption A. In the case that one does not bias the decomposition of the probability distribution towards having higher weights on contributions with a positive contribution to the Bell inequality value, we get that $\sum_{q_s} q_s\, M(p_s^{q_s}) = 0$.
Remember that the possible values that the Mermin inequality takes over all probability distributions are contained in the interval $M \in [-4, 4]$, and a random sampling of contributions over the entire set of possible quantum distributions would, for example, give $M = 0$. The random probability distribution $p(abc|xyz) = 1/4$ for all $a, b, c, x, y$ and $z = x \oplus y$ is a particular case giving $M = 0$, and sampling randomly over the signalling probability distribution space also gives $M = 0$. This assumption thus means that, when signalling occurs, it does not "sample" more from the signalling distributions giving a positive contribution to the Mermin inequality. We believe that this assumption is reasonable if the user believes that the quantum device was not purposely built with signalling effects tailored to the chosen Bell inequality and/or that there are no systematic forms of noise (which are captured in assumption B).
Using this assumption, we therefore obtain that $M_{obs} = \sum_{q_{ns}} q_{ns}\, M(p_{ns}^{q_{ns}})$.
If we now denote by $\bar M_{ns} = \frac{1}{1 - n_s} \sum_{q_{ns}} q_{ns}\, M(p_{ns}^{q_{ns}})$ the average Mermin value during the rounds in which there is no signalling (i.e. in a $1 - n_s$ fraction of rounds), we have that $M_{obs} = (1 - n_s)\, \bar M_{ns}$, which also sets a limit $n_s \le 1 - M_{obs}$.

Note that before we used $p(b|y, x) = \sum_a p(ab|xy)$ when it really should be $p(b|y, x) = \sum_{a,c} p(abc|xyz)$ for some $z$. Finally, we have considered signalling from A to B, when in reality it might well occur in any direction between all three of A, B and C. Since there are 6 such possibilities, we use

$n_s = 6 \max_{\alpha, \beta, \Gamma, \Xi} s^{\Gamma \to \Xi}_{\alpha, \beta}(p)$, with $s^{\Gamma \to \Xi}_{\alpha, \beta}(p) = \max_\gamma \left| p(\alpha|\beta, \gamma, \xi = 0) - p(\alpha|\beta, \gamma, \xi = 1) \right|$,

where $\Gamma, \Xi \in \{A, B, C\}$, $(\alpha, \beta)$ is a pair of output and input of $\Xi$, $\xi$ is the input of $\Gamma$, and $\gamma$ labels the input of the last party $\notin \{\Gamma, \Xi\}$, which is traced out. This quantity corresponds to taking the maximal value of the signalling quantifier $s(p)$ between any two sub-parts of the quantum device, maximised also over the input-output pair that exhibits the most signalling and over the input of the last sub-part that is not involved in the signalling. The factor 6 arises because, in the worst case, this type of signalling may occur between any pair of sub-parts and in either direction; it is a worst case in which none of these effects overlap in a single round.

Table 2 summarises the results we have observed, and their typical effect on the Bell inequality value is plotted in Fig. 11. As noted in the main text, it is interesting that ibmq_ourense exhibits almost twice the amount of signalling of ibmq_valencia.
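As an added worked example (not code from the paper), the following Python snippet evaluates the signalling quantifier $s^{\Gamma \to \Xi}_{\alpha,\beta}(p)$ and the worst-case fraction $n_s = 6 \max s$ on a three-party distribution $p(abc|xyz)$ with binary inputs and outputs, and contrasts a constructed no-signalling box with a constructed deterministic signalling strategy. The sample distributions are constructed, not measured data; the sign pattern used for the Mermin expression (on the inputs with $z = x \oplus y$, as the text states) is an assumption of this example, since the page only gives the range $M \in [-4, 4]$. The point it makes is the one above: both boxes reach $M = 4$, so the Bell value alone cannot reveal signalling and $n_s$ has to be bounded separately.

```python
"""Signalling quantifier s_{Gamma->Xi}(p), the worst-case fraction n_s = 6 * max s, and a
Mermin evaluator for three-party distributions p(abc|xyz) with binary inputs and outputs.

Added example. All sample distributions below are constructed, not measured data.
Distributions are dicts keyed by (a, b, c, x, y, z) -> probability."""
from itertools import product

BITS = (0, 1)
TRIPLES = list(product(BITS, repeat=3))   # all (a,b,c) resp. (x,y,z) combinations


def conditional_marginal(p, party, alpha, inputs):
    """p(output of `party` = alpha | x, y, z): trace out the other two parties' outputs."""
    x, y, z = inputs
    return sum(p.get((a, b, c, x, y, z), 0.0)
               for (a, b, c) in TRIPLES if (a, b, c)[party] == alpha)


def signalling(p, sender, receiver):
    """s_{Gamma->Xi}(p) = max_{alpha,beta,gamma} |p(alpha|beta,gamma,xi=0) - p(alpha|beta,gamma,xi=1)|.
    Gamma = sender (input xi), Xi = receiver (output alpha, input beta), gamma = third party's input."""
    third = ({0, 1, 2} - {sender, receiver}).pop()
    best = 0.0
    for alpha, beta, gamma in product(BITS, repeat=3):
        inputs = [0, 0, 0]
        inputs[receiver], inputs[third] = beta, gamma
        inputs[sender] = 0
        p0 = conditional_marginal(p, receiver, alpha, inputs)
        inputs[sender] = 1
        p1 = conditional_marginal(p, receiver, alpha, inputs)
        best = max(best, abs(p0 - p1))
    return best


def signalling_fraction(p):
    """n_s = 6 * max over the six ordered party pairs (worst case: effects never overlap in a round)."""
    pairs = [(g, r) for g in range(3) for r in range(3) if g != r]
    return 6 * max(signalling(p, g, r) for g, r in pairs)


def mermin_value(p):
    """Mermin expression on the inputs with z = x XOR y.  ASSUMPTION of this example:
    M = E_000 + E_011 + E_101 - E_110 with E_xyz = sum (-1)^(a^b^c) p(abc|xyz); |E| <= 1 gives M in [-4, 4]."""
    def corr(x, y, z):
        return sum((-1) ** (a ^ b ^ c) * p.get((a, b, c, x, y, z), 0.0) for a, b, c in TRIPLES)
    return corr(0, 0, 0) + corr(0, 1, 1) + corr(1, 0, 1) - corr(1, 1, 0)


def parity_box(parity_fn):
    """Constructed no-signalling box: outputs uniform subject to a ^ b ^ c = parity_fn(x, y, z).
    Every single- and two-party marginal is uniform, so no party's statistics depend on another's input."""
    return {(a, b, c, x, y, z): (0.25 if (a ^ b ^ c) == parity_fn(x, y, z) else 0.0)
            for x, y, z in TRIPLES for a, b, c in TRIPLES}


def copying_box():
    """Constructed deterministic strategy with signalling A -> B: a = c = 0 and b = x AND y.
    B's output depends on A's input, which no non-signalling device can produce."""
    return {(a, b, c, x, y, z): (1.0 if (a, b, c) == (0, x & y, 0) else 0.0)
            for x, y, z in TRIPLES for a, b, c in TRIPLES}


def mix(p_ns, p_s, n_s):
    """Convex mixture (1 - n_s) * p_ns + n_s * p_s: signalling in a fraction n_s of the rounds."""
    return {k: (1 - n_s) * p_ns[k] + n_s * p_s[k] for k in p_ns}


GHZ_BOX = parity_box(lambda x, y, z: x & y)   # reaches M = 4 with zero signalling
SIGNAL_BOX = copying_box()                      # also reaches M = 4, but only by signalling

if __name__ == "__main__":
    boxes = [("no-signalling", GHZ_BOX), ("signalling", SIGNAL_BOX),
             ("10% mixture", mix(GHZ_BOX, SIGNAL_BOX, 0.1))]
    for name, box in boxes:
        print(f"{name:>14}: M = {mermin_value(box):.3f}, n_s = {signalling_fraction(box):.3f}")
```

For the mixture, $s^{A \to B}$ recovers exactly the mixing weight, so the estimated $n_s$ is 6 times that weight, while $M$ stays at 4 for all three boxes; this is why the rate in Fig. 15 is computed on $n(1 - n_s)$ rounds rather than from the Bell value alone.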