The Quantum Random Number Generator (QRNG) Gold Rush

Introduction

In January 2025, a semiconductor company announced it had partnered with a quantum startup to build “the world’s smallest monolithically integrated quantum random number generator.” Two weeks later, another company launched what it called a “cosmic-ray quantum entropy engine.” A month after that, a third vendor began marketing its device as a “self-certifying quantum randomness platform for AI security.”

All three products generate random numbers. Whether any of them deserves the word “quantum” in its marketing materials is a more complicated question, and it is exactly the question that matters if you are a CISO trying to decide whether to write a purchase order.

The quantum random number generator (QRNG) market has entered its gold rush phase. Market reports now count over 120 companies in the space, with the market projected to reach nearly $500 million by 2026. Investment capital is flowing. Vendors are racing to differentiate, and when the underlying physics offers limited room for differentiation, marketing departments fill the gap. The result is a buyer market cluttered with terminology designed to impress rather than inform: “digitized quantum particles,” “quantum-hardened keys,” “provably unpredictable entropy,” “cosmic quantum randomness.”

Some of these products are excellent. Some are competent hardware random number generators with a quantum label attached for fundraising purposes. A few are quantum snake oil in a shiny enclosure. The problem for buyers is that the marketing materials for all three categories look nearly identical.

This article is the guide I wish existed when organizations started asking me whether they should buy a QRNG. It covers the physics of randomness from the ground up, maps the real taxonomy of random number generation (which is murkier than vendors admit), dissects the marketing terminology currently flooding the market, explains what QRNG does and does not protect against, catalogs the standards and certifications that actually matter, and provides a concrete set of questions to put to any vendor before signing a contract.

The bottom line: QRNG is a real technology that solves a real (but narrowly defined) problem. If you understand what that problem is and whether you have it, you can make a good procurement decision. If you don’t, you are a target for the fastest-growing segment of quantum marketing.

Entropy: The Currency of Cryptographic Security

Before we get into the machinery of random number generation, we need to talk about why randomness matters and what cryptographers actually mean when they say “entropy.” The term is thrown around in QRNG marketing materials with the casual confidence of a word everyone understands. Most buyers don’t, and that gap is where vendors operate.

What Entropy Actually Is

In information theory, entropy measures unpredictability. One bit of entropy means the observer has a 50/50 chance of guessing the value, no better than a coin flip. Eight bits of entropy means 256 equally likely outcomes. If you generate a 256-bit cryptographic key with full entropy, an attacker faces 2^256 possible values and has no way to narrow the search. If your 256-bit key was generated with only 30 bits of actual entropy (because the random number generator had a subtle bias, or was seeded from a predictable source), the attacker faces only 2^30 possibilities: roughly a billion, which a modern computer can exhaust in seconds.

This is why entropy quality is a security-critical parameter, not a theoretical abstraction. Every TLS session, every SSH key, every VPN tunnel, every digital signature depends on random numbers. If the randomness is predictable, the cryptography fails. Silently, without warning, and often without any visible sign that anything is wrong.

How Entropy Gets Used

In a typical cryptographic system, entropy flows through a layered architecture. At the bottom sits an entropy source: a physical process that generates raw, unpredictable bits. These raw bits are typically biased (more 1s than 0s, or vice versa) and may have subtle correlations. A conditioning component cleans them up, applying a deterministic extractor (often based on AES or SHA-256) that compresses the biased raw bits into a shorter sequence of near-uniform output. This conditioned output then seeds a deterministic random bit generator (DRBG), a cryptographically secure algorithm that stretches the seed into a long stream of pseudorandom bits on demand.

The key insight is that the entire chain is only as strong as the entropy source at the bottom. A perfect DRBG fed a predictable seed produces predictable output. A flawed DRBG fed perfect entropy produces flawed output. Both layers matter, but entropy is the foundation.

When Entropy Goes Wrong: A Short History of Disasters

The consequences of entropy failures are not hypothetical. They fill the CVE databases and the case law.

In 2008, a Debian maintainer accidentally removed two lines of code from OpenSSL’s random number generator, reducing its effective entropy to approximately 15 bits. For two years, every SSL certificate, SSH key, and OpenVPN key generated on Debian and Ubuntu systems was drawn from a pool of roughly 32,768 possibilities. The keys looked fine. They passed statistical tests. But they were trivially guessable. An attacker could precompute all possible keys and try them until one worked.

In 2013, a vulnerability in Android’s SecureRandom implementation allowed attackers to steal Bitcoin from Android wallets. The ECDSA signature scheme used by Bitcoin requires a unique random number for every transaction signature. Android’s flawed PRNG occasionally reused random values, which allowed attackers to extract private keys from the blockchain using simple algebra. Users lost funds to an address that accumulated over 55 BTC before the exploit was patched.

In 2015, Juniper Networks disclosed that unauthorized code had been inserted into the ScreenOS firmware used in its NetScreen VPN routers. The change modified a parameter in the Dual_EC_DRBG pseudorandom number generator, a NIST-approved algorithm already suspected of containing an NSA-designed backdoor. The result was a passive VPN decryption capability: anyone who knew the modified parameter could silently decrypt VPN traffic without the router’s operator ever detecting an anomaly.

In each of these cases, the cryptographic algorithms were fine. The protocols were correctly implemented. The entropy source was the weak link.

The Randomness Stack: What You’re Actually Buying

With entropy established as the foundation, let me walk through the full taxonomy of how random numbers are generated in practice. The terminology is a mess (the industry uses overlapping names for overlapping categories), but the underlying architecture is simpler than it appears.

Software: Pseudorandom Number Generators (PRNGs)

A PRNG is a deterministic algorithm. You feed it a seed value, and it produces a long sequence of numbers that look random by every statistical test. But the sequence is entirely determined by the seed. Know the seed, know the output. As John von Neumann famously warned in 1951: “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.”

For most applications (Monte Carlo simulations, game mechanics, statistical sampling), PRNGs work well. The numbers are statistically uniform, computationally cheap, and reproducible (which is a feature in scientific computing, where you want to replay an experiment).

For cryptography, a specialized variant called a cryptographically secure pseudorandom number generator (CSPRNG) adds a critical property: even if an attacker sees some of the output, they cannot efficiently compute previous or future output bits. NIST SP 800-90A specifies three approved DRBG constructions: Hash_DRBG, HMAC_DRBG, and CTR_DRBG. These algorithms underpin nearly all deployed cryptographic systems today.

The weakness of every PRNG and CSPRNG is the same: they are only as unpredictable as the seed. The Debian and Juniper incidents above are what happens when that seed fails.

Hardware: True Random Number Generators (TRNGs)

A true random number generator (also called a hardware RNG, or non-deterministic random bit generator) extracts randomness from a physical process. The bit sequence is not algorithmically generated. It comes from measuring something in the physical world.

Common entropy sources in deployed TRNGs include thermal noise in resistors or diodes (Johnson-Nyquist noise), jitter in ring oscillators (used in Intel’s RDRAND/RDSEED instructions and AMD’s equivalent), shot noise in electronic components, and radioactive decay.

But the most creative entropy sources come from organizations that have thought carefully about the problem and decided to have some fun with it. Cloudflare famously uses a wall of 100 lava lamps in its San Francisco lobby as an entropy source. A camera photographs the constantly shifting wax blobs, and the image data feeds a cryptographic hash function. The principle is sound: the fluid dynamics governing lava lamp motion are deterministic in theory but chaotic in practice, producing patterns that are computationally infeasible to predict. The original LavaRand concept dates to a 1996 Silicon Graphics patent. Cloudflare has since expanded the concept: their London office uses double pendulums (whose chaotic motion is a textbook example of sensitive dependence on initial conditions), their Singapore office measures radioactive decay from a sealed isotope source, and their Lisbon headquarters recently deployed 50 custom wave machines in constant motion.

Real Random takes an even more visually striking approach: a sealed container filled with hundreds of colorful dice in fluid, continuously tumbled and photographed. The company, founded in Florida in 2014, positions itself as providing hardware-based entropy for post-quantum security.

The League of Entropy, a consortium including Cloudflare, EPFL, Protocol Labs, the University of Chile, and others, combines entropy from multiple independent sources into a decentralized randomness beacon, a publicly verifiable source of randomness that no single party can manipulate.

These creative approaches illustrate an important principle: the physics of randomness is not exotic. Chaos, thermal fluctuations, and quantum effects are everywhere. The hard part is not finding randomness in the physical world. The hard part is measuring it reliably, characterizing it rigorously, and building a provable bound on how much entropy you are actually extracting.

The Boundary Problem: Where Does “Quantum” Start?

This is the question the entire QRNG industry would prefer you not ask too precisely, because the honest answer undermines the clean dichotomy that makes QRNG easy to sell.

Here is the uncomfortable truth: all physical noise sources are ultimately quantum-mechanical in origin. Thermal noise arises from the quantum-mechanical motion of charge carriers. Shot noise is a direct consequence of the quantization of electric charge. Even ring oscillator jitter has quantum-mechanical contributions from electron tunneling and thermal fluctuations at the device level. Cloudflare’s lava lamps are governed by fluid dynamics, but the thermal convection driving the wax is rooted in molecular motion that is, at bottom, quantum mechanical.

This creates an awkward definitional problem. If I measure thermal noise across a resistor and call the result a “hardware random number generator,” the entropy is quantum in origin. If I package the same resistor in a box with a quantum logo and call it a “quantum random number generator,” the entropy is still quantum in origin. The physics hasn’t changed. The marketing has.

The academic community has arrived at a working definition that goes roughly like this: a device qualifies as a QRNG when its entropy source relies on a specific, well-characterized quantum process with an explicit theoretical model that allows the output entropy to be bounded from first principles of quantum mechanics, rather than merely measured statistically.

Under this definition, the distinction is not “quantum physics vs. classical physics.” The distinction is between devices where you have a quantum-mechanical proof that the output contains at least X bits of entropy per sample (because the Born rule guarantees it), and devices where you have statistical evidence that the output looks random but no theoretical guarantee it must be. The first kind gives you a provable lower bound. The second gives you a measurement that could, in principle, miss a subtle pattern.

This is a meaningful distinction. But it is narrower than the marketing suggests, and it does not automatically make a QRNG superior to a well-certified TRNG.

“Certified” vs. “Self-Certifying” — and Why a Good TRNG Can Beat a Mediocre QRNG

This might be the most important point in this entire article, and the one most likely to irritate QRNG vendors: the word “quantum” does not automatically make a random number generator better.

A TRNG that has passed BSI AIS 31 P2 validation (which requires a stochastic model of the noise source, beyond statistical testing alone) may provide stronger entropy guarantees than a QRNG that has never been independently evaluated. Intel’s RDRAND instruction, based on ring oscillator jitter, feeds billions of cryptographic operations daily and has been evaluated under FIPS 140-2 (now transitioning to FIPS 140-3). It works. It has a long operational track record. It does not need the word “quantum” to be effective.

The security of a random number generator depends on the entire system: the quality of the entropy source, the rigor of the conditioning, the correctness of the implementation, the presence of continuous health monitoring, the thoroughness of the independent evaluation, and the robustness of the failure modes. A QRNG with a genuine quantum-mechanical model but sloppy conditioning, no health monitoring, and no independent certification is less trustworthy than a TRNG that has been through a rigorous FIPS 140-3 or Common Criteria evaluation.

The “Certified” vs. “Self-Certifying” Trap

This confusion is worth addressing head-on, because vendors benefit from buyers conflating two very different concepts.

A certified random number generator, whether TRNG or QRNG, has been independently evaluated by a third party against a published standard. An external lab tested the device, examined its entropy model, ran the prescribed test suites, and issued a certificate. “Certified” means someone other than the vendor checked the work. NIST ESV, FIPS 140-3, BSI AIS 31 P2, Common Criteria: these are all independent certifications.

A “self-certifying” QRNG, in the way most commercial hardware vendors use the term, means the device monitors its own quantum source and attests to its own output quality. The device is grading its own homework. The vendor designed the source, designed the health monitor, defined the pass/fail thresholds, and tells you it passed. No external party is involved in the ongoing certification claim.

The fully device-independent version of self-certification (based on Bell inequality violations) is a stronger theoretical guarantee. A Bell test produces a mathematical proof that the output must contain quantum randomness, regardless of how the device is constructed. But no commercial hardware product ships with a loophole-free Bell test running continuously. Quantinuum’s Quantum Origin uses a Bell test on its quantum computer to generate its seed, and that is a real and rigorous application of the concept. But the Bell test runs on Quantinuum’s hardware, not in your rack, and the ongoing local randomness generation is no longer device-independent.

So in practice: a TRNG or QRNG with independent third-party certification (NIST ESV, FIPS 140-3, AIS 31 P2) gives you externally audited assurance of entropy quality. A “self-certifying” QRNG, absent that independent certification, gives you the vendor’s own claim, backed by internal monitoring. The first carries the weight of independent evaluation. The second carries the weight of marketing copy.

The ideal is a QRNG that is both: a genuine quantum source with a rigorous entropy model and independent third-party certification. ID Quantique’s Quantis chips (NIST ESV IID + AIS 31 P2) and Quantinuum’s Quantum Origin (NIST validated) are in this category. But “self-certifying” alone, without independent certification, is a weaker assurance than a certified TRNG, regardless of the quantum physics involved.

Regulators understand this distinction. NIST SP 800-90B does not give QRNGs a free pass. It applies the same entropy source validation requirements to quantum and non-quantum sources alike. The ESV program evaluates what the device does, not what physics the vendor claims it uses. A QRNG that cannot pass ESV validation is, from a regulatory perspective, inferior to a TRNG that can.

When evaluating a QRNG, do not let the physics dazzle you into skipping the due diligence you would apply to any other security product. Certifications, independent evaluations, failure mode analysis, and operational track record matter more than the quantum prefix.

The Taxonomy of Quantum Entropy Sources

With that caveat firmly stated, let me map what actually exists in the QRNG market. Not all QRNGs exploit the same quantum phenomenon, and the choice of entropy source has practical implications for throughput, miniaturization, cost, and the strength of the theoretical security model.

Photon-Based QRNGs (The Mainstream)

The vast majority of commercial QRNGs measure some property of photons. Within this category, several architectures compete:

Beam-splitter QRNGs send individual photons (or heavily attenuated laser pulses) into a 50/50 beam splitter. Quantum mechanics dictates that each photon takes one path or the other with exactly equal probability. This is a direct manifestation of the Born rule. A detector on each output port registers which path the photon chose, producing one random bit per detection event. ID Quantique’s earliest commercial products used this approach, and it remains the conceptually cleanest QRNG architecture. The downside is speed: single-photon detection limits the bit rate to megabits per second in practical implementations.

Vacuum fluctuation QRNGs measure the quantum noise of the electromagnetic vacuum using homodyne detection. Even in the absence of any photons, the electromagnetic field fluctuates. These “zero-point fluctuations” are a fundamental prediction of quantum electrodynamics, confirmed to extraordinary precision. By measuring the field quadrature with a balanced homodyne detector (splitting a local oscillator beam on a 50/50 beam splitter and subtracting the two photocurrents), you can extract the quantum noise with the classical noise canceled out. This approach achieves higher bit rates (into the gigabit-per-second range) because it operates in a continuous-variable regime rather than counting individual photons. Quside Technologies (Spain) has commercialized vacuum-fluctuation-based QRNG chips.

Photon arrival time QRNGs exploit the randomness in when individual photons arrive at a detector, given a source with a known average emission rate. If a dim LED emits photons at an average rate of N per second, the exact timing of each photon is governed by quantum statistics (a Poisson process for coherent sources, super-Poissonian for thermal sources). The timing jitter between successive detection events contains extractable quantum entropy. This is the basis for several chip-scale QRNG designs, including ID Quantique’s Quantis chip series, which was the first QRNG to achieve NIST ESV certification on the IID track in September 2023.

Quantum shot noise QRNGs measure the shot noise on a photocurrent generated by a laser or LED source. Since photon-detection events are independent quantum processes, the photocurrent fluctuates with quantum-limited noise. This is the approach used by many newer market entrants, and it is where the boundary between “QRNG” and “well-designed TRNG” gets thinnest. A silicon photodiode illuminated by an LED exhibits quantum shot noise regardless of whether the manufacturer calls it a QRNG or not. Whether measuring it counts as “quantum random number generation” depends on whether the manufacturer has a rigorous quantum-mechanical entropy model and how that model is validated.

Software QRNGs: The Quantum Origin Approach

Quantinuum’s Quantum Origin takes a different path entirely. Rather than shipping a hardware entropy source, Quantinuum uses its H-Series trapped-ion quantum computer to perform a Bell test, a quantum experiment that produces measurement correlations provably impossible to replicate by any classical system. The output of this Bell test generates a “quantum seed” that is packaged into software clients and deployed to customer environments. The seed then feeds a local entropy generation process that does not require a network connection or dedicated hardware.

In April 2025, Quantum Origin became the first software QRNG to achieve NIST validation. Quantinuum positions it as a tool for organizations migrating to post-quantum cryptography under NSM-10 requirements.

The approach is technically interesting: a Bell test is the gold standard for certifying that a physical process is quantum, because the CHSH inequality violation cannot be faked by any classical device. But buyers should understand the architecture clearly: the quantum component runs on Quantinuum’s hardware, not yours. You receive a seed whose provenance you trust based on Quantinuum’s attestation and NIST’s validation. The ongoing randomness in your environment is generated locally from that seed, which is a very different trust model than a hardware QRNG sitting in your own rack producing fresh quantum entropy continuously.

Non-Photonic Approaches (The Outliers)

Radioactive decay QRNGs measure the timing of nuclear decay events, which are governed by quantum tunneling. The physics is impeccable. Radioactive decay is among the most random processes in nature, and its quantum randomness has been understood since the 1920s. The engineering is less appealing: you need a radioactive source (even a weak one), the bit rate is low, and regulatory complications around radioactive materials make commercial deployment difficult. These remain niche products.

Cosmic ray “QRNGs” detect muons or other secondary particles from cosmic ray showers. The Muon-Ra paper from 2020 demonstrated the concept using silicon photomultipliers and plastic scintillators, converting the time interval between crossing muons into random bits. A 2023 study published in MDPI showed that random bits extracted from cosmic ray detections on a common smartphone passed established randomness tests. The researchers themselves placed “quantum” in quotes, noting they were using the term loosely. The throughput limitation is fundamental: cosmic muon flux at sea level is roughly 10,000 per square meter per minute. Compare this to photonic QRNGs achieving gigabits per second. Cosmic-ray QRNG is a curiosity with a memorable marketing hook, not a practical entropy source.

Quantum dot and solid-state QRNGs aim to produce QRNG-on-chip at CMOS scale. Companies like Crypto Quantique and KETS Quantum Security are developing designs that could be embedded directly in standard semiconductor chips, which would bring the cost of quantum entropy down to pennies per device. This is potentially the most commercially significant development in the QRNG space, though mature products are still emerging.

The Marketing BS Decoder Ring

With the taxonomy established, let me translate the specific terms currently circulating in the QRNG market.

“Self-Certifying QRNG”

As I covered in detail above, “self-certifying” in the academic literature means something very specific: device-independent randomness certified through Bell inequality violations, recognized by the 2022 Nobel Prize in Physics. No commercial hardware product does this continuously. What vendors typically mean is that the device monitors its own source parameters: a health check, not a cryptographic proof. When a vendor says “self-certifying,” two questions matter: self-certifying against what threat model? And has the device also received independent certification (NIST ESV, FIPS 140-3, AIS 31 P2)? If not, “self-certifying” is the device grading its own homework.

“Cosmic-Ray Quantum Entropy”

Yes, cosmic rays are quantum events. No, this is not a practical entropy source for any deployment requiring sustained throughput. The marketing value of “cosmic-ray QRNG” lies entirely in the word “cosmic.” It sounds more exotic than “photon shot noise QRNG,” even though the photon-based device is superior in throughput, reliability, consistency, miniaturization, and cost.

“Digitized Quantum Particle”

This phrase means “we detected a photon and wrote down a bit.” That is what every photonic QRNG does. “Digitized” means analog-to-digital conversion. “Particle” means photon. The combination sounds novel. It is not.

“Quantum-Hardened Keys”

Used most prominently by Quantinuum for its Quantum Origin product, this means cryptographic keys generated using random numbers from a quantum source rather than a classical PRNG or TRNG. The kernel of truth: if your conventional entropy source has a subtle bias or correlation an adversary could exploit, a quantum-sourced seed eliminates that specific attack vector.

But the improvement applies only to seed quality. An AES-256 key generated from a QRNG is not “more AES-256” than one generated from a well-implemented CSPRNG with good entropy. And a quantum-sourced RSA-2048 key is just as vulnerable to Shor’s algorithm as a classically-sourced one. The quality of the random number that generated your key does not affect the mathematical structure that a quantum computer attacks.

“QRNG for AI Security”

The reasonable version: AI training and inference rely on random initialization, stochastic sampling, and dropout mechanisms. If an attacker could predict or manipulate these random inputs, they could potentially influence model behavior. Using certified quantum entropy for these operations closes this vector.

The fantasy version: deploying a “self-certifying QRNG” provides general-purpose protection against adversarial attacks, data poisoning, model extraction, or prompt injection. It does not. AI security is a systems problem involving training data integrity, model architecture, access controls, and alignment techniques. Randomness quality occupies a tiny corner of this space. A QRNG does not make your LLM safer any more than premium gasoline makes your car bulletproof.

“Quantum Entropy as a Service” (QEaaS)

Cloud-delivered random numbers from a quantum source. The operational question: do you trust the pipe? If your threat model includes the possibility of interception or manipulation between the QRNG device and your application, receiving entropy over a network introduces the risk you are trying to eliminate. This is not a fatal objection; you can seed a local CSPRNG with the quantum entropy rather than using it directly. But the security properties of the local architecture matter more than the properties of the remote source.

What QRNG Is Not

QRNG Is Not Quantum Cryptography

QRNG is not quantum key distribution (QKD). It is not post-quantum cryptography (PQC). It is not a quantum communication protocol. QRNG is a component, an entropy source, that can feed into any cryptographic system. Buying a QRNG does not make your network “quantum-secure.”

I encounter this conflation routinely. A vendor sells a QRNG chip, and the buyer checks a box labeled “quantum security.” That box should remain unchecked. The quantum threat to cryptography comes from quantum computers running Shor’s algorithm against RSA and ECC, and Grover’s algorithm against symmetric ciphers. Defending against that threat requires migrating to PQC algorithms: ML-KEM (formerly CRYSTALS-Kyber), ML-DSA (formerly CRYSTALS-Dilithium), SLH-DSA (formerly SPHINCS+). Not upgrading your random number generator.

QRNG Does Not Fix Broken Algorithms

If your organization still relies on RSA-2048 for key exchange, the quality of the random numbers used to generate those keys is approximately the 47th most important factor in your quantum security posture. Factor number one is that RSA-2048 will be factorable by a cryptographically relevant quantum computer (CRQC), which the latest resource estimates suggest will require approximately 1,400 logical qubits running roughly 6.5 billion Toffoli gates. No improvement to your entropy source changes this math.

I have seen QRNG vendors position their products as part of a “quantum-safe” strategy. This framing is accurate only in the most limited sense. Organizations spending their quantum security budget on QRNG instead of PQC migration are fixing the weather stripping while the foundation is cracked.

QRNG Does Not Solve Harvest Now, Decrypt Later

The Harvest Now, Decrypt Later (HNDL) threat, where adversaries record encrypted traffic today for decryption when quantum computers become available, is a function of the encryption algorithm, not the key generation method. An RSA-2048 session encrypted with quantum-sourced keys is just as harvestable as one encrypted with classically-sourced keys. The attacker doesn’t need to guess your key; they will factor it.

The HNDL defense is PQC migration and hybrid key exchange. QRNG contributes nothing to this defense.

When QRNG Actually Matters

Having spent considerable space on what QRNG does not do, I want to be equally direct about where QRNG provides genuine value. It solves a specific and important problem. The issue is scope, not substance.

The Entropy Starvation Problem

The most compelling use case for QRNG is environments where entropy starvation is a real operational risk. Entropy starvation occurs when a system’s demand for random bits outpaces the available supply, forcing the CSPRNG to stretch inadequate seeds or blocking operations until entropy accumulates.

This is genuine in several deployment scenarios. Virtual machines and containers, which lack dedicated hardware entropy sources and may share a host’s entropy pool with dozens of other VMs, historically suffer from entropy starvation, particularly at boot, before sufficient environmental noise has accumulated. Embedded systems and IoT devices with limited hardware and deterministic boot sequences face the same challenge. High-volume HSMs and key management systems need continuous high-throughput entropy.

A dedicated QRNG providing a reliable, high-rate entropy stream solves this cleanly. The quantum physics matters less here than the engineering: a well-designed QRNG is a fast, reliable, non-blocking entropy source. That is its primary practical value.

High-Assurance and Regulatory Environments

Systems governed by FIPS 140-3, Common Criteria, or country-specific standards like Germany’s BSI AIS 31 may require or prefer entropy sources with a theoretical model guaranteeing output quality. A QRNG with a well-characterized quantum model and NIST ESV certification on the IID track provides exactly this.

Long-Lived Key Material

For keys that must remain secure for decades (sovereign encryption keys, root CA keys, keys protecting classified archives), using the best available entropy source for generation is a defensible risk management decision, even if the marginal improvement over a well-implemented CSPRNG seeded by a certified TRNG is hard to quantify.

Future-Proofing as Part of PQC Migration

A reasonable case exists for deploying QRNG as part of a general crypto-agility posture. If you are already migrating to PQC algorithms, upgrading your entropy subsystem at the same time adds another layer of defense-in-depth at modest incremental cost. The key word is “incremental.” QRNG as a complement to PQC migration is sensible. QRNG as a substitute for PQC migration is negligent.

The Standards and Certification Map

NIST Standards (United States)

NIST SP 800-90B. The foundational standard for entropy source validation. It specifies requirements and testing procedures for entropy sources, defining two tracks: IID (Independent and Identically Distributed), for sources whose output samples are statistically independent, and non-IID, for sources with dependencies. IID certification is the higher bar and the more relevant one for QRNG, since a well-functioning QRNG should produce IID output by design.

NIST SP 800-90A. Specifies the DRBG algorithms that consume entropy from a source validated under SP 800-90B.

FIPS 140-3. The general cryptographic module validation standard, with four security levels. To achieve FIPS 140-3 validation for a product containing a QRNG, the entropy source must satisfy SP 800-90B, and the DRBG must satisfy SP 800-90A.

NIST SP 800-22. The older statistical test suite for randomness. Often cited by QRNG vendors (“our device passes all NIST SP 800-22 tests”), but passing these tests is necessary, not sufficient. Any reasonable PRNG also passes them. SP 800-90B is the higher bar.

BSI Standards (Germany)

AIS 31 Defines two classes: P1 (non-cryptographic) and P2 (cryptographic). P2 requires a stochastic model of the noise source: a theoretical argument for why the noise is unpredictable, beyond statistical evidence alone. This makes AIS 31 P2 particularly well-suited to the QRNG value proposition. ID Quantique’s Quantis became the first QRNG to pass AIS 31 in 2014.

ITU-T Standards (International)

Recommendation X.1702 (approved 2019, with contributions from ID Quantique and SK Telecom) defines a framework architecture for quantum noise random number generators and provides a taxonomy distinguishing QRNGs from other physical TRNGs.

What Certifications to Look For

In roughly descending order of rigor: NIST ESV on the IID track, FIPS 140-3 validation (Level 2 or above for serious applications), BSI AIS 31 P2, Common Criteria at EAL4+. If a vendor cites only NIST SP 800-22 or proprietary testing, that is a starting point, not a finish line.

The Buyer’s Checklist

Before signing a purchase order, put these questions to the vendor.

On the quantum source: What is the specific quantum process generating your entropy? (Expect a precise answer: vacuum fluctuations, photon arrival times, beam-splitter path selection.) What is the quantum-mechanical model of your entropy source? (A genuine vendor can point to a published paper or technical document.) How do you separate quantum noise from classical noise? (Every physical device generates both.)

On conditioning: What is the ratio of raw entropy to output bits? (Near 1:1 = high raw quality. 10:1 or higher = the conditioning is doing heavy lifting.) What conditioning algorithm do you use? (NIST SP 800-90B specifies “vetted conditioning components” with full entropy extraction guarantees.)

On failure modes: What happens if the quantum source degrades or fails? (Good answer: fails closed. Bad answer: falls back to a PRNG silently.) Does the device support SP 800-90B continuous health tests? (Both startup and continuous tests should be implemented.)

On certifications: Which of the following has this device achieved? NIST ESV (IID or non-IID), FIPS 140-3 (which level), BSI AIS 31 (P1 or P2), Common Criteria (which EAL). Ask for certificate numbers, not marketing claims.

On integration: What is the sustained output rate under production load, after health checks and conditioning? (Marketing materials cite peak rates. You need the sustained number.)

The Bottom Line for CISOs

QRNG solves a real problem (entropy quality) that is one component of a comprehensive cryptographic architecture. It does not solve the quantum computing threat to cryptography, which requires PQC migration. It does not address Harvest Now, Decrypt Later. It does not make your algorithms stronger. It does not secure your AI systems.

Before evaluating QRNG procurement, ask yourself three questions. Do I have an entropy quality problem today? (Most well-configured modern systems do not, but virtual environments, embedded devices, and high-volume HSMs might.) Am I subject to regulatory requirements that mandate or prefer quantum-sourced entropy? Am I already executing a PQC migration? (If not, that is where your quantum security budget should go first.)

If at least one answer is yes, QRNG is a defensible procurement decision. Look for products with NIST ESV certification, a published quantum-mechanical entropy model, continuous health monitoring, and an integration path that fits your architecture. And look just as seriously at certified TRNGs. The best TRNG on the market may serve you better than a mediocre QRNG that happens to have the right buzzword on the label.

If all three answers are no, the vendor is solving a problem you don’t have while leaving unaddressed the problems you do. Start with the PQC Readiness Self-Assessment Scorecard and the PQC Migration Framework, and revisit QRNG once the foundational migration work is underway.

The quantum threat to cryptography is real and serious. The response to that threat is PQC migration, not better random numbers. Anyone telling you otherwise is selling something, and it probably has the word “quantum” on the label.