up:: Quantum-Native Security MOC
Quantum Random Number Generation (QRNG)
Quantum random number generation (QRNG) is the production of random bits by measuring a quantum physical process whose outcome is fundamentally unpredictable, such as which way a single photon reflects off a beam splitter or the amplitude of vacuum noise in a laser. The appeal is that the unpredictability comes from physics rather than from a deterministic algorithm or from hard-to-model classical noise. A QRNG is an entropy source: it feeds raw randomness into the same random-bit-generator stack that every cryptographic key already depends on. It is deployable today, it is a separate technology from QKD, and it sits alongside PQC rather than replacing it.
The short version:
- A QRNG makes random bits by reading out a quantum event whose result has no predetermined value, so the randomness is guaranteed by the physics rather than by the difficulty of modeling a classical noise source.
- Good randomness is the foundation under every key, nonce, salt, and initialization vector, and weak randomness has silently broken real systems at internet scale.
- A QRNG still earns trust the same way any entropy source does, by passing NIST SP 800-90B validation against its measured output. The certificate does not award points for being “quantum.”
- QRNG and QKD get confused constantly. QRNG makes random bits locally; QKD distributes a shared key between two endpoints over a special link. They solve different problems.
- QRNG is real and useful, and it is not a post-quantum solution by itself. The quantum threat is about algorithms, so improving your randomness leaves RSA and ECC exactly as breakable as before.
Think of randomness like rolling dice to pick a secret. A pseudo-random generator is a very long printed book of dice rolls: unpredictable to anyone who does not know which page you opened to, but perfectly readable to anyone who does. A classical hardware generator rolls real dice, and in principle a perfect physics model of the throw could call the result. A QRNG rolls a die whose outcome, under quantum mechanics, has no answer to know in advance until it is measured. That is the whole pitch, and the rest of this note is about how much of it survives contact with a real device.
What is quantum random number generation?
A QRNG is an entropy source, in the precise sense of NIST SP 800-90B, whose noise source is a quantum phenomenon. An entropy source has four parts: a noise source (the physical origin of the randomness), a digitization step that turns the physical measurement into bits, health tests that watch for the source degrading, and optional conditioning that cleans up the raw output. What makes a QRNG a QRNG is that the noise source draws its unpredictability from quantum indeterminacy, the intrinsic probabilistic nature of a quantum measurement, where standard quantum mechanics says there is no hidden deterministic value waiting to be discovered.
This is the property vendors point to. A classical noise source such as thermal noise, ring-oscillator jitter, or avalanche noise is unpredictable in practice because modeling it exactly is hard, yet it remains deterministic in principle given complete knowledge of the physical state. A quantum noise source is meant to be unpredictable in principle. To count as a QRNG rather than a generic true random number generator, a device has to source its entropy from a quantum measurement and carry a defensible entropy model that ties the measured output to the physics of the noise source, exactly as SP 800-90B requires of any entropy source.
Source: NIST SP 800-90B, “Recommendation for the Entropy Sources Used for Random Bit Generation,” January 2018, DOI 10.6028/NIST.SP.800-90B, csrc.nist.gov.
Why does good randomness matter for cryptography?
Random number generation is the foundation under every cryptographic operation that matters: key generation, nonces, initialization vectors, salts, ephemeral Diffie-Hellman exponents, and the seeds that drive deterministic generators. When the randomness is weak or predictable, the mathematics of the cipher stays perfectly sound and the system is broken anyway, because an attacker can reconstruct or guess the secret directly. Two real incidents make the stakes concrete.
-
In 2008, a Debian-specific change to OpenSSL crippled the seeding of its random number generator so that the only varying input was the process ID, which on Linux gave roughly 32,768 possible seeds. Every SSH key, TLS key, OpenVPN key, and DNSSEC key generated on affected Debian and Ubuntu systems between September 2006 and May 2008 had to be treated as compromised and regenerated, because the entire keyspace was small enough to enumerate.
-
In 2012, a study called “Mining Your Ps and Qs” scanned the whole IPv4 internet and found that about 5.57% of TLS hosts shared keys because of insufficient entropy at key-generation time, and that the private keys for hundreds of thousands of network devices (around 0.50% of TLS hosts) were computable by anyone
[OPERATOR VERIFY the exact percentages against the paper]. The devices ran correct RSA and DSA implementations; the failure was the randomness feeding them at first boot.
Source: Debian Security Advisory DSA-1571-1, “openssl: predictable random number generator,” CVE-2008-0166, debian.org. Nadia Heninger, Zakir Durumeric, Eric Wustrow, J. Alex Halderman, “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices,” USENIX Security 2012, usenix.org.
This is why the quality of the entropy source is a security property in its own right, and why a physically grounded, well-validated source is worth caring about. It is also the honest scope of what a QRNG improves: the quality and defensibility of the randomness that feeds key generation, and nothing above that layer.
How does a QRNG actually work?
A quantum event happens, a detector reads it out, the readout is digitized into raw bits, those bits are health-checked and conditioned, and the result is either consumed directly or used to seed a deterministic generator that produces the working stream. The quantum part is only the first step; everything after it is the same plumbing any entropy source uses.
The quantum noise sources in shipping products and published demonstrations fall into a few families:
-
Beam-splitter which-way. A single photon meets a 50/50 beam splitter, and which of two detectors fires is a quantum-random bit. This is the textbook QRNG and the basis of the early ID Quantique devices.
-
Photon arrival time. The intervals between photon detections from a weak source are quantum-random, and digitizing those intervals yields entropy.
-
Vacuum fluctuations and shot noise. Measuring the fluctuations of the electromagnetic vacuum, or the shot noise of a laser, gives a continuous quantum-random signal. This family reaches gigabit-per-second rates, which is why it dominates high-throughput commercial products.
-
Photon-emission statistics. The random timing of spontaneous emission from an LED or laser diode striking an image sensor drives chip-scale QRNGs aimed at mobile and embedded use.
The output of any of these is a stream of bits carrying an associated min-entropy estimate, which is the conservative measure of how much genuine unpredictability each output bit actually holds. The only security property a QRNG provides is unpredictability of that output, up to the validated entropy claim. It offers no confidentiality, integrity, or authentication of its own. It is purely a source of unpredictable bits, and it appears in three deployment shapes:
-
Raw entropy source. Outputs digitized noise plus an entropy claim, and a downstream deterministic generator does the cryptographic conditioning. This is the standard deployment.
-
Full random-bit appliance. Bundles the quantum noise source with conditioning and a deterministic generator into a turnkey unit, often a PCIe card, a USB device, or a hardware-security-module component.
-
Software delivery. Quantinuum’s Quantum Origin extracts entropy seeded from measurements run on quantum hardware and then delivers as self-contained software. It reached NIST SP 800-90B validation as the first software QRNG on 2 April 2025.
Source: Quantinuum, “Quantum Origin Becomes First Software Quantum Random Number Generator to Achieve NIST Validation,” 2 April 2025, quantinuum.com.
What is the difference between QRNG, a hardware TRNG, and a pseudo-random generator?
There are three layers here, and conflating them is the most common mistake in the whole conversation. A pseudo-random generator holds no physical entropy and stretches a seed into a long stream with a cryptographic algorithm, so its security rests entirely on the secrecy of that seed. A true random number generator sources entropy from a physical process. A QRNG is a true random number generator whose physical process is specifically quantum.
| Pseudo-random generator (DRBG) | Classical hardware TRNG | QRNG | |
|---|---|---|---|
| Source of randomness | A deterministic algorithm expanding a seed | A physical process (thermal noise, oscillator jitter, avalanche noise) | A quantum measurement (photon path, vacuum noise, arrival time) |
| Predictable in principle? | Yes, fully, given the seed and algorithm | Yes, given complete physical state | No, by the standard reading of quantum mechanics |
| Holds real entropy? | No | Yes | Yes |
| Role in the stack | Produces the working key stream | Seeds the deterministic generator | Seeds the deterministic generator |
| How it is validated | NIST SP 800-90A (as a DRBG) | NIST SP 800-90B (as an entropy source) | NIST SP 800-90B (as an entropy source) |
In a real system these are layered, not chosen between. A physical entropy source, classical or quantum, seeds a deterministic generator, and the deterministic generator produces the stream that applications consume through a KDF and the rest of the pipeline. That layering is exactly what NIST SP 800-90 describes: 800-90B governs the entropy source, 800-90A the deterministic generator, and 800-90C how they combine. A QRNG is a candidate for the entropy-source slot. It does not replace the deterministic generator, and it does not replace the migration to PQC.
Source: NIST Random Bit Generation project, SP 800-90A / 800-90B / 800-90C, csrc.nist.gov.
How does QRNG relate to NIST’s entropy-source guidance (SP 800-90B)?
Certification flows through NIST SP 800-90B, and SP 800-90B is source-agnostic. It specifies design requirements and a validation battery for entropy sources, and it awards no special credit for the noise source being quantum. Validation requires tester access to the raw, unconditioned noise output, a documented entropy model that justifies the claimed min-entropy, an estimation track for whether the samples are independent and identically distributed, and continuous health tests running in the field. A QRNG and a classical CMOS true random number generator pass through the same gate, and the certificates come from NIST’s Entropy Source Validation program under the Cryptographic Module Validation Program.
The reason the standard measures output rather than trusting the physics is that real quantum devices carry classical imperfections. Detector dead time, afterpulsing, bias, drift, temperature dependence, and detector-coupled correlations all inject non-quantum structure into the raw stream. A device that is theoretically perfect can ship measurable bias and correlation, which is why the min-entropy is estimated conservatively from the measured raw output instead of asserted from the ideal. A “quantum” label with no SP 800-90B entropy-source validation behind it tells you about the marketing and nothing about the bits.
Source: NIST SP 800-90B, January 2018, DOI 10.6028/NIST.SP.800-90B, csrc.nist.gov.
Can you trust a QRNG just because it is quantum?
The quantum nature of the noise source is a property of the mechanism, and it says nothing on its own about the integrity of the specific manufactured unit in your rack. A standard “trusted-device” QRNG asks you to believe that the bits genuinely came from the quantum process described and were not biased, substituted, backdoored, or read out by an adversary with access to the hardware. That is the same trust posture you already extend to any hardware entropy source or hardware security module. The realistic upgrade a QRNG offers is a high-rate, physically grounded entropy source with a defensible entropy model and, in good designs, strong on-line health testing. That is a legitimate engineering benefit for high-assurance key generation, and it is the same security model as a well-validated classical source, held to the same evidentiary bar.
There is a research-grade variant that aims to lower how much you have to trust the box. Device-independent QRNG (DIQRNG) uses the violation of a Bell inequality between separated, entangled systems to certify that the output is genuinely quantum, with minimal assumptions about the internals of the devices. If the measured correlations exceed the bound any classical process could produce, the outcomes provably contain a quantified amount of fresh entropy. The leading worked example is CURBy, the Colorado University Randomness Beacon, built by NIST and the University of Colorado Boulder. Entangled photon pairs are sent to detectors more than 100 meters apart, a loophole-free Bell test certifies the quantum origin, and each successful run emits 512 bits of traceable, certified randomness. Over its first 40 days the beacon completed 7,434 of 7,454 attempts, a 99.7% success rate, and a NIST protocol called Twine keeps a tamper-evident record of every output.
Source: Kavuri, Palfree, Reddy, Zhang et al., “Traceable random numbers from a nonlocal quantum advantage,” Nature (2025), DOI 10.1038/s41586-025-09054-3, arXiv:2411.05247. NIST, “NIST and Partners Use Quantum Mechanics to Make a Factory for Random Numbers,” 11 June 2025, nist.gov.
DIQRNG is a genuine advance in trust model, and it is also slow, expensive, and currently tied to laboratory-scale Bell apparatus. CURBy is a public randomness beacon for cases where third-party verifiability is the whole point, such as lotteries, audit sampling, and jury selection. For routine cryptographic key generation, a SP 800-90B-validated trusted-device source stays the operational tool.
How is QRNG different from QKD?
These are two different quantum technologies, and the market blurs them constantly. A QRNG produces the unpredictable bits that feed key generation; QKD transports a shared key over a quantum channel between two endpoints. One is a local component you can drop into a single rack, and the other is a point-to-point link with hard physical constraints.
| QRNG | QKD | |
|---|---|---|
| Function | Generates random bits (entropy) | Distributes a shared secret key between two parties |
| Topology | Local device, no second party | Point-to-point link between two endpoints |
| Range | Local, effectively unlimited | Physical distance limits, plus the trusted-node problem |
| Authentication | Not applicable, there are no parties | None of its own, still needs classical or PQC authentication |
| Deployable today | Yes, mature commercial products | Niche, constrained, not a general PQC alternative |
| Relation to PQC | Complementary, feeds keygen for PQC algorithms | Standardized PQC is the substrate, QKD is a niche tool |
The practical consequence is that a QRNG is broadly deployable because it needs no partner and no dedicated link, while QKD needs a special quantum channel, provides no authentication by itself, and is positioned by the major security agencies as suitable only for narrow, high-assurance settings rather than as a replacement for standardized PQC. See QKD for the full treatment.
Is QRNG a post-quantum solution?
No. The post-quantum migration exists because Shor’s Algorithm breaks the asymmetric algorithms RSA and ECC, and the fix is to replace those algorithms with standardized replacements such as ML-KEM and ML-DSA. That threat lives at the algorithm layer. Random number generation lives at a different layer entirely, and it is untouched by the quantum threat: Grover’s Algorithm gives no way to predict the output of a properly validated entropy source, and there is no quantum attack that recovers good random bits from their downstream use. Swapping a classical entropy source for a QRNG improves the quality of your randomness and leaves every quantum-vulnerable algorithm exactly as vulnerable as it was.
Where the two efforts touch is that every PQC algorithm needs high-quality randomness for key generation, and ML-DSA in its randomized signing mode needs it for signing. A QRNG is a legitimate way to supply that entropy, in the same way a SP 800-90B-validated classical source is. So QRNG is complementary to PQC and orthogonal to the reason the migration is happening. The substrate of the post-quantum transition is standardized PQC. QRNG is an optional entropy-quality choice underneath it, and buying one is a separate decision from the algorithm migration, recorded in a CBOM as one entropy source among many rather than as a step toward being quantum-safe.
Where does QRNG show up in real systems?
QRNG appears wherever high-assurance entropy is wanted, and it almost always sits behind a deterministic generator rather than feeding applications directly.
-
Hardware security modules and key managers. Some HSMs and key-management appliances seed their key generation from a QRNG entropy pool.
-
Entropy cards and cryptographic appliances. ID Quantique, Quantinuum in software, and others sell products that present as an entropy source or a full random-bit generator over PCIe or USB.
-
Cloud and chip scale. Vacuum-fluctuation QRNGs reach the throughput a data center wants, while chip-scale photon-counting designs target phones and embedded devices.
-
Public randomness beacons. CURBy and the NIST Randomness Beacon broadcast publicly verifiable randomness for fairness applications where anyone needs to check the draw was honest.
In every one of these, the enterprise is procuring a validated module rather than building the quantum noise source itself, which is why the useful evidence about a QRNG is the same evidence you would gather for any entropy source: the make and model, its SP 800-90B validation, the claimed min-entropy rate, and which deterministic generator it seeds.
Common misconceptions
-
“Quantum entropy is automatically safer, so a quantum label is enough.” The security of the bits comes from the validated entropy behavior of the specific device, not from the word “quantum.” A QRNG with no SP 800-90B entropy-source validation is an unproven box.
-
“Buying a QRNG advances my PQC posture.” The migration replaces quantum-vulnerable algorithms. A QRNG works in the entropy layer beneath them and does nothing to make RSA or ECC quantum-safe.
-
“QRNG and QKD are the same quantum-security thing.” One generates random bits locally, and the other distributes a key between two endpoints over a special link. They have different costs, constraints, and use cases.
-
“A perfect quantum source produces perfect randomness out of the box.” Real detectors add dead time, afterpulsing, bias, and drift, so the entropy is estimated conservatively from the measured output and the raw stream is conditioned before use.
-
“The QRNG replaces my deterministic random generator.” It seeds that generator. The deterministic generator still does the cryptographic conditioning and produces the working stream.
Questions people ask
Do I need a QRNG to be post-quantum ready? No. The post-quantum transition is about replacing quantum-vulnerable algorithms with standardized PQC. A QRNG is an optional entropy-quality upgrade that lives in a different layer and is neither required for nor part of that migration.
Is a QRNG better than a good classical hardware random generator? For most purposes a well-validated classical entropy source and a well-validated QRNG give you the same security model, because both are judged by the same SP 800-90B evidence. The QRNG’s theoretical advantage is that its unpredictability is fundamental rather than a modeling limitation, which matters most in the highest-assurance settings and in the device-independent variants.
How do I know a QRNG is trustworthy? Look for a NIST SP 800-90B entropy-source validation, a stated min-entropy rate, and documentation of which deterministic generator it seeds. The trust posture is the same one you apply to any hardware entropy source or HSM: you are trusting the manufactured device, and the quantum physics alone does not certify a specific unit.
Does a QRNG protect data against a quantum computer? No. It improves the randomness feeding key generation and has no effect on whether the algorithms protecting your data survive Shor’s Algorithm. That protection comes from migrating to PQC.
Can I use a public randomness beacon like CURBy to generate my keys? Public beacons are built for cases where everyone needs to verify the randomness was honest, such as lotteries and audits. They are the wrong tool for secret key generation, because the whole point of a key is that the value stays private, and a beacon broadcasts its output to the world.
What is min-entropy and why does it matter? Min-entropy is the conservative measure of how much genuine unpredictability each output bit carries, based on the most likely outcome an attacker could guess. It matters because it is the number SP 800-90B validation actually certifies, and it is what tells you how many raw bits you need to produce one bit of full-strength randomness.
Is QRNG the same as a quantum computer? No. A QRNG is a small, single-purpose measurement device that reads out a quantum event to produce random bits. It has nothing to do with the large, error-corrected quantum computers that would be needed to run Shor’s Algorithm against public-key cryptography.
Where would a QRNG actually help my organization? In high-assurance key generation, where a physically grounded, high-rate entropy source with strong health testing is genuinely valuable. Treat it as an entropy-quality decision inventoried in your CBOM, separate from the algorithm migration.
Everything here is the map, given freely. When your team needs its cryptographic estate assessed and sequenced into a real post-quantum migration plan, that is what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.