4.16.25

Integration of Quantum Randomness with Modern Encryption Systems: Providing a Secure Foundation to Our Digital Future

Contributors:
Denis Mandich
Category:
Blog Post

This post was co-authored by Richard Searle, Chief AI Officer at Fortanix

When people think about encryption breaking, they often imagine futuristic quantum computers cracking today’s strongest ciphers. But in reality, some of the most devastating breaches don’t require quantum at all—they rely on something far more subtle and all too common: flawed randomness.

Why Randomness Matters in Cryptography

Randomness is at the heart of nearly every encryption protocol and mathematical proof of security. If the process of generating those random numbers is compromised through sloppy implementation, insecure defaults, or even intentional backdoors, encryption is effectively a useless facade. And here’s the most alarming part: the “harvest now, decrypt later” (HNDL) attack is already happening at scale, fueled by this weakness. Flawed randomness is the silent killer of modern cryptography, often the go-to technique of sophisticated nation-state actors.

Researchers regularly expose new vulnerabilities in encryption key generation at major cybersecurity conferences like Black Hat. These aren’t academic hypotheticals; they’re real-world exploits, demonstrated live and celebrated by a professional audience. Prestige in the security community is now earned by showing how easily systems assumed to be “secure” can be broken when the use of randomness goes wrong.

The Blockchain Bandit: A Case Study in Weak Keys

Consider the infamous Blockchain Bandit, who quietly amassed millions by exploiting weak Ethereum wallet keys.

He resurfaces every few years to replenish his coffers. These attacks don’t require quantum computers. They rely on a disturbingly effective strategy that can be deployed against today’s encryption standards and those on the horizon.

Beyond Crypto: The National Security Risks of Weak Randomness

The threat posed by flawed randomness goes beyond digital wallets and crypto. It reaches into the heart of public safety and national defense. The TETRA radio encryption backdoor exposed vulnerabilities in police and emergency responder communications worldwide. If encryption flaws in those systems can be quietly exploited, the implications are staggering, from disrupting emergency response to interfering with military operations.

And then there’s the Samsung Galaxy flaw, reported in 2022. Over 100 million Android phones were shipped with compromised encryption due to a poorly implemented nonce in GSM communication (The Register, Schneier on Security). Even if the basic cryptographic implementation is sound, the risk of reduced randomness due to systemic entropy “starvation” can compromise the strength of the cryptographic keys it is used to generate, as Cisco has seen (Cisco).

Built-In Vulnerabilities: The Danger of Backdoored Systems

It’s not just mistakes—sometimes it’s intentional. The Crypto AG scandal revealed how backdoored encryption devices were sold worldwide, giving the CIA and other intelligence services access to foreign governments for decades. These types of “designed” flaws may seem useful and even justifiable in the short term, until that same exploit leaks into the hands of terrorists or anarchists. While backdoors are eventually discovered by determined researchers and leaked to the public for remediation, the window of opportunity for cyber criminals and hostile nation states in the meantime constitutes a threat to our collective security.

Quantum computing will eventually deliver its “ChatGPT moment”—a sudden, visible leap forward that jolts the world awake. But just like AI, the quiet groundwork is already being laid. And if we wait for quantum supremacy and cryptanalysis before adapting our encryption strategy, it will be too late. Now is the time to focus on our dependence upon cryptographic security and the methods used in its implementation.

Building Resilient Encryption with Quantum and Classical Tools

The cyber threat landscape is shifting rapidly and unpredictably. The solution lies in the combined strengths of both quantum and classical approaches. Instead of completely discarding classical encryption, we must enhance it with additional quantum resilience. One effective step is the integration of Quantum Random Number Generators (QRNGs) into established cryptographic systems, such as Hardware Security Modules (HSMs). This combined capability supports a secure transition to Post-Quantum Cryptography (PQC) by ensuring verifiable availability of device-independent randomness in key generation processes. Generating and storing encryption keys is an essential foundation for global digital security. Doing it poorly provides a launchpad for potentially catastrophic security breaches.

Why QRNGs Are Fundamentally Different

Quantum randomness is fundamentally unpredictable, as the pioneers of quantum mechanics determined a century ago. Unlike pseudo-random software-based generation, or hardware systems seeded with noise prone to subtle bias or exploitation, QRNGs draw entropy from quantum effects, an irrefutable and irreplicable source of true randomness. The difference is that the outcome of a quantum measurement is fundamentally unknowable, not just difficult to predict. Chaotic systems are often mistaken for random sources because of their volatility over long timescales, but they are inherently predictable, a consequence of subtle patterns in their long-term or behavioral response.

A Global Shift Toward Quantum-Secure Key Generation

Saudi Arabia is already making this leap, transitioning its national cryptographic infrastructure to QRNG-based key generation. This isn’t just forward-thinking; it’s a recognition that classical randomness is an unnecessary risk when there’s an easy fix available.

Inaction today paves the way for tomorrow’s cyberattacks. Organizations, especially those managing critical infrastructure, defense systems, or sensitive personal data, must begin integrating quantum technologies into their cybersecurity stack now.

Where to Start: Six Actions To Take Now

Here’s how to start: 

  1. Audit your current key generation and randomness mechanisms. Identify any that rely on potentially biased or predictable systems. 
  2. Adopt hybrid architectures that combine QRNGs with existing classical HSMs to enhance entropy provision, without overhauling existing infrastructures and services. 
  3. Prepare for post-quantum cryptography (PQC) by following NIST’s recommendations and understanding which algorithms are quantum-safe and deployment-ready. (NIST)
  4. Ensure the integration of “crypto agility” within cryptographic systems to mitigate the risks posed by new cryptographic exploits and potential revision of existing PQC algorithms. 
  5. Raise internal awareness about the real-world risks of flawed randomness in cryptographic implementation. This isn’t just a cryptographer’s problem anymore: the risks transfer to emerging scenarios, such as the initialization of AI models. 
  6. Push for transparency in vendor implementations. Ask how randomness is handled. Don’t assume “AES-256” means your keys are secure if those keys are seeded using a weak or unreliable source of randomness. 
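As an added example for action items 1 and 6 (it is not code from the post or from Fortanix), these Python helpers do the three checks an audit usually starts with: locate calls to a seedable, non-cryptographic PRNG in source code, estimate the empirical entropy of a sample of generator output, and flag nonce reuse under one key in a (key id, nonce) log. The source snippet and nonce log are constructed for the example.

```python
"""Randomness audit helpers (added example, not the post's own code)."""
import ast
import math
from collections import Counter

# Functions of Python's non-cryptographic `random` module (a seedable Mersenne Twister whose
# state is recoverable from its output) that must never feed key, IV or nonce generation.
NON_CSPRNG_CALLS = {"random", "randint", "randbytes", "getrandbits", "choice", "seed"}


def find_weak_rng_calls(source: str) -> list[tuple[int, str]]:
    """Return (line, call) pairs where code calls random.<func> instead of secrets/os.urandom."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base = node.func.value
            if isinstance(base, ast.Name) and base.id == "random" and node.func.attr in NON_CSPRNG_CALLS:
                findings.append((node.lineno, f"random.{node.func.attr}"))
    return findings

def shannon_entropy_per_byte(data: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 for uniform bytes). This only catches gross bias
    or stuck outputs: a seedable PRNG scores 8.0 and is still predictable, which is why the
    post tells you to ask where the randomness comes from rather than trust a statistic."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def find_reused_nonces(records: list[tuple[str, bytes]]) -> dict[str, list[bytes]]:
    """Report nonces seen more than once under the same key id, the failure mode behind
    IV/nonce-reuse bugs. The same nonce under two different keys is not a reuse."""
    per_key: dict[str, Counter] = {}
    for key_id, nonce in records:
        per_key.setdefault(key_id, Counter())[nonce] += 1
    return {k: [nonce for nonce, c in ctr.items() if c > 1]
            for k, ctr in per_key.items() if any(c > 1 for c in ctr.values())}

# Constructed sample inputs (hypothetical code and log, not from any real system).
SAMPLE_SOURCE = '''
import random, secrets
key = random.getrandbits(256).to_bytes(32, "big")  # weak: seedable PRNG
iv = secrets.token_bytes(12)                         # fine: OS CSPRNG
'''
SAMPLE_NONCE_LOG = [
    ("key-A", bytes.fromhex("0011223344556677889900aa")),
    ("key-A", bytes.fromhex("0011223344556677889900aa")),  # reused under key-A
    ("key-B", bytes.fromhex("0011223344556677889900aa")),  # different key: not a reuse
    ("key-A", bytes.fromhex("ffeeddccbbaa998877665544")),
]
```

Running `find_weak_rng_calls(SAMPLE_SOURCE)` flags line 3, and `find_reused_nonces(SAMPLE_NONCE_LOG)` reports the repeated nonce under key-A only.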


In cybersecurity and cryptography, a system’s strength relies heavily on the quality of its randomness. By combining the unpredictability of quantum physical systems with the established reliability of classical cryptographic systems, we can develop encryption ecosystems that are more resilient to the existing and future threats to their security. This approach ensures reduced vulnerability to current threats and preparedness for tomorrow’s, unforeseen, technological advancements.