Global digital network security relies on public key infrastructure, which uses digital signatures, encryption key distribution and key generation, now threatened by the inevitable scaling of quantum computers. Cryptographically relevant quantum computers (CRQCs) that implement Shor’s and Grover’s algorithms make the current asymmetric standard obsolete and impose stricter constraints, such as key lengths, on symmetric key algorithms. This led to the August 2024 release of the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) standards, which leverage mathematical complexity to harden against future quantum computing threats. The National Cybersecurity Center of Excellence (NCCoE) and NIST are working together to provide guidelines to migrate to these standards efficiently and to transition fully by 2035. However, there is also a strong consensus among the industry and government institutions leading this transition that the NIST PQC standards have not yet had a ‘soak’ period in deployed environments and that other hybrid approaches may be needed to ensure end-to-end security in case PQC algorithms don’t stand the test of time.
While CRQCs can easily exploit most internet traffic and global networks today, historically, the preferred and more accessible method is discovering key generation vulnerabilities at the cryptosystem’s foundation. Conventionally, key generation schemes have depended on complex algorithmic models seeded by physical sources of classical noise (thermal, chaotic ring oscillators, CPU jitter, etc.) or other non-physical deterministic processes.
These generators are specifically designed to pass statistical tests of randomness, which are inherently biased (in their accuracy) towards certain input distributions and sample sizes, as seen with the NIST SP 800-90B non-IID/IID tests and the SP 800-22 Statistical Test Suite (STS). These tests are also not equipped to estimate randomness quality or validity. They are useful tools that check an input stream’s independence against a null hypothesis for non-random behavior. These tests also do not assess the source that produces a random stream, relying instead only on the output distribution. Imagine a source of entropy that is supposed to output a normally distributed random bitstream but somehow outputs a pseudo-uniform distribution. Statistical tests would be incapable of detecting that design and output flaw and may even give better results for the unexpected mode of operation.
Unfounded reliance on statistical tests as proof of randomness for keys implemented in commercial cybersecurity stacks could further allow focused key attacks that vastly reduce the compute resources required to exploit ‘harvest now, decrypt later’ methodologies. AI and ML will only further exacerbate the risk of flawed randomness, where pattern recognition models could detect hidden order in seemingly unique keys deemed random by a set of statistical tests.
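The gap between output statistics and source entropy can be shown directly. The following is an added example, not code from the white paper or from Qrypt: it applies the SP 800-22 frequency and runs tests and the SP 800-90B most-common-value estimator (a subset of those suites) to a fully deterministic stream. The SHA-256 counter-mode generator, the 16-bit seed space and the sample seeds are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def deterministic_stream(seed: int, nbytes: int = 32768) -> bytes:
    """SHA-256 in counter mode under a 16-bit seed: at most 16 bits of real entropy."""
    key = seed.to_bytes(2, "big")
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(-(-nbytes // 32)))
    return b"".join(blocks)[:nbytes]

def monobit_p(bits: str) -> float:
    """SP 800-22 frequency (monobit) test p-value."""
    n = len(bits)
    s = abs(2 * bits.count("1") - n)
    return math.erfc(s / math.sqrt(n) / math.sqrt(2))

def runs_p(bits: str) -> float:
    """SP 800-22 runs test p-value (0.0 if the frequency precondition fails)."""
    n = len(bits)
    pi = bits.count("1") / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v = 1 + sum(a != b for a, b in zip(bits, bits[1:]))  # number of runs
    return math.erfc(abs(v - 2 * n * pi * (1 - pi))
                     / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def mcv_min_entropy(data: bytes) -> float:
    """SP 800-90B most-common-value estimate, in bits per byte."""
    L = len(data)
    p_hat = Counter(data).most_common(1)[0][1] / L
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (L - 1)))
    return -math.log2(p_u)

def assess(seed: int, alpha: float = 0.01) -> dict:
    """Compare what the tests report with what the source can actually provide."""
    data = deterministic_stream(seed)
    bits = bin(int.from_bytes(data, "big"))[2:].zfill(8 * len(data))
    return {"passed": monobit_p(bits) >= alpha and runs_p(bits) >= alpha,
            "estimated_bits": mcv_min_entropy(data) * len(data),
            "actual_bits_upper_bound": 16}  # size of the seed space

if __name__ == "__main__":
    results = [assess(seed) for seed in range(20)]  # constructed sample seeds
    print(sum(r["passed"] for r in results), "of 20 streams pass both tests")
    print("stream 0 estimate:", round(results[0]["estimated_bits"]),
          "bits; real upper bound: 16 bits")
```

The estimator credits each stream with more than seven bits per byte, while anyone who can enumerate the seed space faces at most 16 bits in total, which is why the source itself has to be evaluated alongside its output.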
We are currently at a crossroads – quantum mechanics and its derivative theories are expected to cripple classical cryptography and current encryption standards soon. On the other hand, new avenues are needed that go beyond classical key generation approaches to quantum-harden conventional cryptographic and PQC algorithms and fully realize their estimated security level.
In this white paper, Quantum Random Number Generator (QRNG) Specification Guide, we introduce quantum key generation (QRNG) technology, which is at the forefront of methods that generate encryption keys using physical laws that cannot be traced back to a deterministic event. A quantum process yields an outcome by collapsing to a state with a probability amplitude attached to it. QRNGs, using this principle, extract entropy from an inherently probabilistic distribution of outcomes and convert it into a random stream of digitized bits. We propose a simple architecture that can be standardized and evaluated based on specific requirements rather than relying only on biased statistical tests. We also weigh the importance of implementation and first-principles calculation of minimum entropy (or maximum extractable randomness) using analytical approaches allowed within the quantum model.
At Qrypt, our mission is to address the threat that quantum technology poses to current cryptographic standards and harness its immense potential to develop resilient and quantum-safe key generation technologies for the future.