The Quantum Random Number Generator (QRNG) Gold Rush

Introduction

In January 2025, a semiconductor company announced it had partnered with a quantum startup to build “the world’s smallest monolithically integrated quantum random number generator.” Two weeks later, another company launched what it called a “cosmic-ray quantum entropy engine.” A month after that, a third vendor began marketing its device as a “self-certifying quantum randomness platform for AI security.”

All three products generate random numbers. Whether any of them deserves the word “quantum” in its marketing materials is a more complicated question, and it is exactly the question that matters if you are a CISO trying to decide whether to write a purchase order.

The quantum random number generator (QRNG) market has entered its gold rush phase. Market reports now count over 120 companies in the space, with market forecasts ranging from $500 million to over $600 million for 2026, depending on how broadly the segment is defined. Investment capital is flowing. Vendors are racing to differentiate, and when the underlying physics offers limited room for differentiation, marketing departments fill the gap. The result is a buyer market cluttered with terminology designed to impress rather than inform: “digitized quantum particles,” “quantum-hardened keys,” “unbreakable encryption,” “quantum-grade security,” “provably unpredictable entropy,” “cosmic quantum randomness.”

Some of these products are excellent. Some are competent hardware random number generators with a quantum label attached for fundraising purposes. A few are quantum snake oil in a shiny enclosure. The problem for buyers is that the marketing materials for all three categories look nearly identical.

This article is the guide I wish existed when organizations started asking me whether they should buy a QRNG. It covers the physics of randomness from the ground up, maps the real taxonomy of random number generation (which is murkier than vendors admit), dissects the marketing terminology currently flooding the market, explains what QRNG does and does not protect against, catalogs the standards and certifications that actually matter, and provides a concrete set of questions to put to any vendor before signing a contract.

The bottom line: QRNG is a real technology that solves a real (but narrowly defined) problem. If you understand what that problem is and whether you have it, you can make a good procurement decision. If you don’t, you are a target for the fastest-growing segment of quantum marketing.

Entropy: The Currency of Cryptographic Security

Before we get into the machinery of random number generation, we need to talk about why randomness matters and what cryptographers actually mean when they say “entropy.” The term is thrown around in QRNG marketing materials with the casual confidence of a word everyone understands. Most buyers don’t, and that gap is where vendors operate.

What Entropy Actually Is

In information theory, entropy measures unpredictability. One bit of entropy means the observer has a 50/50 chance of guessing the value, no better than a coin flip. Eight bits of entropy means 256 equally likely outcomes. If you generate a 256-bit cryptographic key with full entropy, an attacker faces 2^256 possible values and has no way to narrow the search. If your 256-bit key was generated with only 30 bits of actual entropy (because the random number generator had a subtle bias, or was seeded from a predictable source), the attacker faces only 2^30 possibilities: roughly a billion, which a modern computer can exhaust in seconds.

This is why entropy quality is a security-critical parameter, not a theoretical abstraction. Every TLS session, every SSH key, every VPN tunnel, every digital signature depends on random numbers. If the randomness is predictable, the cryptography fails. Silently, without warning, and often without any visible sign that anything is wrong.

How Entropy Gets Used

In a typical cryptographic system, entropy flows through a layered architecture. At the bottom sits an entropy source: a physical process that generates raw, unpredictable bits. These raw bits are typically biased (more 1s than 0s, or vice versa) and may have subtle correlations. A conditioning component cleans them up, applying a deterministic extractor (often based on AES or SHA-256) that compresses the biased raw bits into a shorter sequence of near-uniform output. This conditioned output then seeds a deterministic random bit generator (DRBG), a cryptographically secure algorithm that stretches the seed into a long stream of pseudorandom bits on demand.

The key insight is that the entire chain is only as strong as the entropy source at the bottom. A perfect DRBG fed a predictable seed produces predictable output. A flawed DRBG fed perfect entropy produces flawed output. Both layers matter, but entropy is the foundation.

When Entropy Goes Wrong: A Short History of Disasters

The consequences of entropy failures are not hypothetical. They fill the CVE databases and the case law.

In 2008, a Debian maintainer accidentally removed two lines of code from OpenSSL’s random number generator, reducing its effective entropy to approximately 15 bits. For two years, every SSL certificate, SSH key, and OpenVPN key generated on Debian and Ubuntu systems was drawn from a pool of roughly 32,768 possibilities. The keys looked fine. They passed statistical tests. But they were trivially guessable. An attacker could precompute all possible keys and try them until one worked.

In 2013, a vulnerability in Android’s SecureRandom implementation allowed attackers to steal Bitcoin from Android wallets. The ECDSA signature scheme used by Bitcoin requires a unique random number for every transaction signature. Android’s flawed PRNG occasionally reused random values, which allowed attackers to extract private keys from the blockchain using simple algebra. Users lost funds to an address that accumulated over 55 BTC before the exploit was patched.

In 2015, Juniper Networks disclosed that unauthorized code had been inserted into the ScreenOS firmware used in its NetScreen VPN routers. The change modified a parameter in the Dual_EC_DRBG pseudorandom number generator, a NIST-approved algorithm already suspected of containing an NSA-designed backdoor. The result was a passive VPN decryption capability: anyone who knew the modified parameter could silently decrypt VPN traffic without the router’s operator ever detecting an anomaly.

In each of these cases, the cryptographic algorithms were fine. The protocols were correctly implemented. The entropy source was the weak link.

The Randomness Stack: What You’re Actually Buying

With entropy established as the foundation, let me walk through the full taxonomy of how random numbers are generated in practice. The terminology is a mess (the industry uses overlapping names for overlapping categories), but the underlying architecture is simpler than it appears.

Software: Pseudorandom Number Generators (PRNGs)

A PRNG is a deterministic algorithm. You feed it a seed value, and it produces a long sequence of numbers that look random by every statistical test. But the sequence is entirely determined by the seed. Know the seed, know the output. As John von Neumann famously warned in 1951: “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.”

For most applications (Monte Carlo simulations, game mechanics, statistical sampling), PRNGs work well. The numbers are statistically uniform, computationally cheap, and reproducible (which is a feature in scientific computing, where you want to replay an experiment).

For cryptography, a specialized variant called a cryptographically secure pseudorandom number generator (CSPRNG) adds a critical property: even if an attacker sees some of the output, they cannot efficiently compute previous or future output bits. NIST SP 800-90A specifies three approved DRBG constructions: Hash_DRBG, HMAC_DRBG, and CTR_DRBG. These algorithms underpin nearly all deployed cryptographic systems today.

The weakness of every PRNG and CSPRNG is the same: they are only as unpredictable as the seed. The Debian and Juniper incidents above are what happens when that seed fails.

Hardware: True Random Number Generators (TRNGs)

A true random number generator (also called a hardware RNG, or non-deterministic random bit generator) extracts randomness from a physical process. The bit sequence is not algorithmically generated. It comes from measuring something in the physical world.

Common entropy sources in deployed TRNGs include thermal noise in resistors or diodes (Johnson-Nyquist noise), jitter in ring oscillators (used in Intel’s RDRAND/RDSEED instructions and AMD’s equivalent), shot noise in electronic components, and radioactive decay.

But the most creative entropy sources come from organizations that have thought carefully about the problem and decided to have some fun with it. Cloudflare famously uses a wall of 100 lava lamps in its San Francisco lobby as an entropy source. A camera photographs the constantly shifting wax blobs, and the image data feeds a cryptographic hash function. The principle is sound: the fluid dynamics governing lava lamp motion are deterministic in theory but chaotic in practice, producing patterns that are computationally infeasible to predict. The original LavaRand concept dates to a 1996 Silicon Graphics patent. Cloudflare has since expanded the concept: their London office uses double pendulums (whose chaotic motion is a textbook example of sensitive dependence on initial conditions), their Singapore office measures radioactive decay from a sealed isotope source, and their Lisbon headquarters recently deployed 50 custom wave machines in constant motion.

Real Random takes an even more visually striking approach: a sealed container filled with hundreds of colorful dice in fluid, continuously tumbled and photographed. The company, founded in Florida in 2014, positions itself as providing hardware-based entropy for post-quantum security.

The League of Entropy, a consortium including Cloudflare, EPFL, Protocol Labs, the University of Chile, and others, combines entropy from multiple independent sources into a decentralized randomness beacon, a publicly verifiable source of randomness that no single party can manipulate.

These creative approaches illustrate an important principle: the physics of randomness is not exotic. Chaos, thermal fluctuations, and quantum effects are everywhere. The hard part is not finding randomness in the physical world. The hard part is measuring it reliably, characterizing it rigorously, and building a provable bound on how much entropy you are actually extracting.

The Boundary Problem: Where Does “Quantum” Start?

This is the question the entire QRNG industry would prefer you not ask too precisely, because the honest answer undermines the clean dichotomy that makes QRNG easy to sell.

Here is the uncomfortable truth: all physical noise sources are ultimately quantum-mechanical in origin. Thermal noise arises from the quantum-mechanical motion of charge carriers. Shot noise is a direct consequence of the quantization of electric charge. Even ring oscillator jitter has quantum-mechanical contributions from electron tunneling and thermal fluctuations at the device level. Cloudflare’s lava lamps are governed by fluid dynamics, but the thermal convection driving the wax is rooted in molecular motion that is, at bottom, quantum mechanical.

This creates an awkward definitional problem. If I measure thermal noise across a resistor and call the result a “hardware random number generator,” the entropy is quantum in origin. If I package the same resistor in a box with a quantum logo and call it a “quantum random number generator,” the entropy is still quantum in origin. The physics hasn’t changed. The marketing has.

The academic community has arrived at a working definition that goes roughly like this: a device qualifies as a QRNG when its entropy source relies on a specific, well-characterized quantum process with an explicit theoretical model that allows the output entropy to be bounded from first principles of quantum mechanics, rather than merely measured statistically.

Under this definition, the distinction is not “quantum physics vs. classical physics.” The distinction is between devices where you have a quantum-mechanical proof that the output contains at least X bits of entropy per sample (because the Born rule guarantees it), and devices where you have statistical evidence that the output looks random but no theoretical guarantee it must be. The first kind gives you a provable lower bound. The second gives you a measurement that could, in principle, miss a subtle pattern.

This is a meaningful distinction. But it is narrower than the marketing suggests, and it does not automatically make a QRNG superior to a well-certified TRNG.

“Certified” vs. “Self-Certifying” — and Why a Good TRNG Can Beat a Mediocre QRNG

This might be the most important point in this entire article, and the one most likely to irritate QRNG vendors: the word “quantum” does not automatically make a random number generator better.

A TRNG that has passed BSI AIS 31 P2 validation (which requires a stochastic model of the noise source, beyond statistical testing alone) may provide stronger entropy guarantees than a QRNG that has never been independently evaluated. Intel’s RDRAND instruction, based on ring oscillator jitter, feeds billions of cryptographic operations daily and has been evaluated under FIPS 140-2 (now transitioning to FIPS 140-3). It works. It has a long operational track record. It does not need the word “quantum” to be effective.

The security of a random number generator depends on the entire system: the quality of the entropy source, the rigor of the conditioning, the correctness of the implementation, the presence of continuous health monitoring, the thoroughness of the independent evaluation, and the robustness of the failure modes. A QRNG with a genuine quantum-mechanical model but sloppy conditioning, no health monitoring, and no independent certification is less trustworthy than a TRNG that has been through a rigorous FIPS 140-3 or Common Criteria evaluation.

The “Certified” vs. “Self-Certifying” Trap

This confusion is worth addressing head-on, because vendors benefit from buyers conflating two very different concepts.

A certified random number generator, whether TRNG or QRNG, has been independently evaluated by a third party against a published standard. An external lab tested the device, examined its entropy model, ran the prescribed test suites, and issued a certificate. “Certified” means someone other than the vendor checked the work. NIST ESV, FIPS 140-3, BSI AIS 31 P2, Common Criteria: these are all independent certifications.

A “self-certifying” QRNG, in the way most commercial hardware vendors use the term, means the device monitors its own quantum source and attests to its own output quality. The device is grading its own homework. The vendor designed the source, designed the health monitor, defined the pass/fail thresholds, and tells you it passed. No external party is involved in the ongoing certification claim.

The fully device-independent version of self-certification (based on Bell inequality violations) is a stronger theoretical guarantee. A Bell test produces a mathematical proof that the output must contain quantum randomness, regardless of how the device is constructed. But no commercial hardware product ships with a loophole-free Bell test running continuously. Quantinuum’s Quantum Origin uses a Bell test on its quantum computer to generate its seed, and that is a real and rigorous application of the concept. But the Bell test runs on Quantinuum’s hardware, not in your rack, and the ongoing local randomness generation is no longer device-independent.

One company deserves a separate mention here. Quantum Dice (an Oxford University spin-out) has developed a semi-device-independent protocol called DISC (Device-Independent Self-Certifying) that provides real-time verification of quantum entropy without requiring a full Bell test. The protocol bounds the min-entropy from measurement statistics alone, under specific assumptions about the source, without needing to trust the internal construction of the device. This is a weaker guarantee than full device-independence, but it is a meaningful cryptographic property, not parameter monitoring with a marketing label. Whether “semi-device-independent” earns the label “self-certifying” is debatable, but Quantum Dice’s use of the term refers to something technically substantive.

Most other vendors using the term do not. When they say “self-certifying,” they mean: we monitor laser power, photocurrent levels, bias voltage, and output statistics, and we flag anomalies. That is good engineering. Every well-designed TRNG does it too. Calling it “self-certifying” is marketing inflation.

So in practice: a TRNG or QRNG with independent third-party certification (NIST ESV, FIPS 140-3, AIS 31 P2) gives you externally audited assurance of entropy quality. A “self-certifying” QRNG, absent that independent certification, gives you the vendor’s own claim, backed by internal monitoring. The first carries the weight of independent evaluation. The second carries the weight of marketing copy. And in between sits a small number of devices (Quantum Dice’s being the clearest example) where “self-certifying” refers to a real cryptographic protocol with provable entropy bounds, even if the guarantees are weaker than full device-independence.

The ideal is a QRNG that is both: a genuine quantum source with a rigorous entropy model and independent third-party certification. ID Quantique’s Quantis chips (NIST ESV IID + AIS 31 P2) and Quantinuum’s Quantum Origin (NIST validated) are in this category. But “self-certifying” alone, without independent certification, is a weaker assurance than a certified TRNG, regardless of the quantum physics involved.

Regulators understand this distinction. NIST SP 800-90B does not give QRNGs a free pass. It applies the same entropy source validation requirements to quantum and non-quantum sources alike. The ESV program evaluates what the device does, not what physics the vendor claims it uses. A QRNG that cannot pass ESV validation is, from a regulatory perspective, inferior to a TRNG that can.

When evaluating a QRNG, do not let the physics dazzle you into skipping the due diligence you would apply to any other security product. Certifications, independent evaluations, failure mode analysis, and operational track record matter more than the quantum prefix.

The Taxonomy of Quantum Entropy Sources

With that caveat firmly stated, let me map what actually exists in the QRNG market. Not all QRNGs exploit the same quantum phenomenon, and the choice of entropy source has practical implications for throughput, miniaturization, cost, and the strength of the theoretical security model.

Photon-Based QRNGs (The Mainstream)

The vast majority of commercial QRNGs measure some property of photons. Within this category, several architectures compete:

Beam-splitter QRNGs send individual photons (or heavily attenuated laser pulses) into a 50/50 beam splitter. Quantum mechanics dictates that each photon takes one path or the other with exactly equal probability. This is a direct manifestation of the Born rule. A detector on each output port registers which path the photon chose, producing one random bit per detection event. ID Quantique’s earliest commercial products used this approach, and it remains the conceptually cleanest QRNG architecture. The downside is speed: single-photon detection limits the bit rate to megabits per second in practical implementations.

Vacuum fluctuation QRNGs measure the quantum noise of the electromagnetic vacuum using homodyne detection. Even in the absence of any photons, the electromagnetic field fluctuates. These “zero-point fluctuations” are a fundamental prediction of quantum electrodynamics, confirmed to extraordinary precision. By measuring the field quadrature with a balanced homodyne detector (splitting a local oscillator beam on a 50/50 beam splitter and subtracting the two photocurrents), you can extract the quantum noise with the classical noise canceled out. This approach achieves higher bit rates (into the gigabit-per-second range) because it operates in a continuous-variable regime rather than counting individual photons. Quside Technologies (Spain) has commercialized vacuum-fluctuation-based QRNG chips.

Photon arrival time QRNGs exploit the randomness in when individual photons arrive at a detector, given a source with a known average emission rate. If a dim LED emits photons at an average rate of N per second, the exact timing of each photon is governed by quantum statistics (a Poisson process for coherent sources, super-Poissonian for thermal sources). The timing jitter between successive detection events contains extractable quantum entropy. This is the basis for several chip-scale QRNG designs, including ID Quantique’s Quantis chip series, which was the first QRNG to achieve NIST ESV certification on the IID track in September 2023.

Quantum shot noise QRNGs measure the shot noise on a photocurrent generated by a laser or LED source. Since photon-detection events are independent quantum processes, the photocurrent fluctuates with quantum-limited noise. This is the approach used by many newer market entrants, and it is where the boundary between “QRNG” and “well-designed TRNG” gets thinnest. A silicon photodiode illuminated by an LED exhibits quantum shot noise regardless of whether the manufacturer calls it a QRNG or not. Whether measuring it counts as “quantum random number generation” depends on whether the manufacturer has a rigorous quantum-mechanical entropy model and how that model is validated.

Laser phase-noise QRNGs exploit the spontaneous phase diffusion of a semiconductor laser. When a laser is operated near threshold, each emitted pulse accumulates random phase from spontaneous emission. By interfering successive pulses in an unbalanced interferometer and measuring the resulting intensity fluctuations, the random phase is converted into random amplitude, which a photodetector digitizes. This architecture scales well: research implementations have demonstrated rates exceeding 100 Gbps, and several commercial products are based on this approach. Phase-noise QRNGs are among the most commercially important QRNG families, though they require careful characterization to separate the quantum phase diffusion from classical laser noise.

Software QRNGs: The Quantum Origin Approach

Quantinuum’s Quantum Origin takes a different path entirely. Rather than shipping a hardware entropy source, Quantinuum uses its H-Series trapped-ion quantum computer to perform a Bell test, a quantum experiment that produces measurement correlations provably impossible to replicate by any classical system. The output of this Bell test generates a “quantum seed” that is packaged into software clients and deployed to customer environments. The seed then feeds a local entropy generation process that does not require a network connection or dedicated hardware.

In April 2025, Quantum Origin became the first software QRNG to achieve NIST validation. Quantinuum positions it as a tool for organizations migrating to post-quantum cryptography under NSM-10 requirements.

The approach is technically interesting: a Bell test is the gold standard for certifying that a physical process is quantum, because the CHSH inequality violation cannot be faked by any classical device. But buyers should understand the architecture clearly: the quantum component runs on Quantinuum’s hardware, not yours. You receive a seed whose provenance you trust based on Quantinuum’s attestation and NIST’s validation. The ongoing randomness in your environment is generated locally from that seed, which is a very different trust model than a hardware QRNG sitting in your own rack producing fresh quantum entropy continuously.

Non-Photonic Approaches (The Outliers)

Radioactive decay QRNGs measure the timing of nuclear decay events, which are governed by quantum tunneling. The physics is impeccable. Radioactive decay is among the most random processes in nature, and its quantum randomness has been understood since the 1920s. The engineering is less appealing: you need a radioactive source (even a weak one), the bit rate is low, and regulatory complications around radioactive materials make commercial deployment difficult. These remain niche products.

Cosmic ray “QRNGs” detect muons or other secondary particles from cosmic ray showers. The Muon-Ra paper from 2020 demonstrated the concept using silicon photomultipliers and plastic scintillators, converting the time interval between crossing muons into random bits. A 2023 study published in MDPI showed that random bits extracted from cosmic ray detections on a common smartphone passed established randomness tests. The researchers themselves placed “quantum” in quotes, noting they were using the term loosely. The throughput limitation is fundamental: cosmic muon flux at sea level is roughly 10,000 per square meter per minute. Compare this to photonic QRNGs achieving gigabits per second. Cosmic-ray QRNG is a curiosity with a memorable marketing hook, not a practical entropy source.

Solid-state on-chip QRNGs aim to produce QRNG-on-chip at CMOS scale. Companies like Crypto Quantique (which uses quantum tunneling current variations in standard CMOS as an entropy source) and KETS Quantum Security (integrated photonic QRNGs) are developing designs that can be embedded directly in standard semiconductor chips, which would bring the cost of quantum entropy down to pennies per device. This is potentially the most commercially significant development in the QRNG space, though mature products are still emerging.

The Marketing BS Decoder Ring

With the taxonomy established, let me translate the specific terms currently circulating in the QRNG market.

“Self-Certifying QRNG”

As I covered in detail above, “self-certifying” in the academic literature means something very specific: device-independent randomness certified through Bell inequality violations, recognized by the 2022 Nobel Prize in Physics. No commercial hardware product does this continuously. Quantum Dice’s semi-device-independent DISC protocol is a legitimate middle ground that provides real entropy bounds without a full Bell test. But most vendors using the term mean something much weaker: they monitor source parameters and flag anomalies. When a vendor says “self-certifying,” two questions matter: self-certifying against what threat model, using what protocol? And has the device also received independent certification (NIST ESV, FIPS 140-3, AIS 31 P2)? If the answer to the first is “we watch the laser power” and the answer to the second is “no,” you are buying a health monitor with a prestigious label.

“Cosmic-Ray Quantum Entropy”

Yes, cosmic rays are quantum events. No, this is not a practical entropy source for any deployment requiring sustained throughput. The marketing value of “cosmic-ray QRNG” lies entirely in the word “cosmic.” It sounds more exotic than “photon shot noise QRNG,” even though the photon-based device is superior in throughput, reliability, consistency, miniaturization, and cost.

“Digitized Quantum Particle”

This phrase means “we detected a photon and wrote down a bit.” That is what every photonic QRNG does. “Digitized” means analog-to-digital conversion. “Particle” means photon. The combination sounds novel. It is not.

“Quantum-Hardened Keys”

Used most prominently by Quantinuum for its Quantum Origin product, this means cryptographic keys generated using random numbers from a quantum source rather than a classical PRNG or TRNG. The kernel of truth: if your conventional entropy source has a subtle bias or correlation an adversary could exploit, a quantum-sourced seed eliminates that specific attack vector.

But the improvement applies only to seed quality. An AES-256 key generated from a QRNG is not “more AES-256” than one generated from a well-implemented CSPRNG with good entropy. And a quantum-sourced RSA-2048 key is just as vulnerable to Shor’s algorithm as a classically-sourced one. The quality of the random number that generated your key does not affect the mathematical structure that a quantum computer attacks.

“QRNG for AI Security”

The reasonable version: AI training and inference rely on random initialization, stochastic sampling, and dropout mechanisms. If an attacker could predict or manipulate these random inputs, they could potentially influence model behavior. Using certified quantum entropy for these operations closes this vector.

The fantasy version: deploying a “self-certifying QRNG” provides general-purpose protection against adversarial attacks, data poisoning, model extraction, or prompt injection. It does not. AI security is a systems problem involving training data integrity, model architecture, access controls, and alignment techniques. Randomness quality occupies a tiny corner of this space. A QRNG does not make your LLM safer any more than premium gasoline makes your car bulletproof.

“Unbreakable Keys” / “Unbreakable Encryption”

Multiple vendors and market reports describe QRNG-generated keys as “unbreakable.” This is wrong in two distinct ways. First, “unbreakable” is a claim about the algorithm using the key, not the entropy source that generated it. An AES-256 key is computationally infeasible to brute-force regardless of whether the entropy came from a QRNG or a well-seeded CSPRNG. The QRNG didn’t make it unbreakable; the mathematics of AES did. Second, and more importantly, an RSA-2048 key generated from a QRNG is very much breakable by Shor’s algorithm. The quantum origin of the key provides zero protection against a quantum attack on the algorithm. “Unbreakable” is marketing copy that collapses under the slightest technical scrutiny.

“Quantum-Grade Randomness” / “Quantum-Level Security”

These terms appear across vendor brochures and market reports as if there is a defined quality tier called “quantum” that sits above other tiers. There is not. NIST SP 800-90B does not define a “quantum grade.” Neither does FIPS 140-3, BSI AIS 31, or any other recognized standard. Entropy quality is measured in min-entropy per sample. You either pass the validation requirements or you don’t. The label “quantum-grade” is an invented quality tier designed to sound like it maps to a standard. It doesn’t. For a full treatment of this term, see my Quantum Snake Oil Dictionary entry on Quantum-Grade Security.

“Highest Level of Randomness Possible”

At least one vendor uses this phrase on its product page. Randomness quality is measured in min-entropy per output bit. A perfect source produces 1 bit of min-entropy per output bit. Any well-designed QRNG or TRNG that passes SP 800-90B validation with vetted conditioning achieves full entropy output. There is no “highest level” that one product reaches and others don’t. The phrase is an empty superlative.

“Pure Entropy” / “Pure Randomness”

Multiple vendors describe their QRNG output as “pure entropy” or claim their device is “the source for applications that rely on pure randomness.” Entropy is a mathematical measure of unpredictability, not a substance that comes in pure and impure forms. Every physical QRNG produces raw output that mixes quantum noise with classical noise (thermal fluctuations, electronic interference, detector dark counts). The entire point of conditioning and randomness extraction is to distill near-uniform bits from this imperfect mixture. The vendors’ own published research papers typically report raw quantum min-entropy of around 0.98 bits per output bit, not 1.0. Calling the conditioned output “pure entropy” is like describing a distilled liquid as “pure filtration.” The word confuses the process with the product.

“Perfect Randomness”

Even credible vendors use this phrase on their product pages. No physical system produces perfect anything. The entire field of entropy source validation (NIST SP 800-90B, BSI AIS 31, the NIST ESV program) exists precisely because physical randomness sources are imperfect and require rigorous characterization, conditioning, and independent evaluation. The word “perfect” does not appear in these standards as a quality descriptor, because the scientists and engineers who wrote them understand that perfection is not what physical devices deliver. What a good QRNG delivers is “full entropy” in the SP 800-90B sense: conditioned output where each bit contains very close to 1 bit of min-entropy. That is an excellent engineering achievement. It is not perfection, and calling it that tells the buyer more about the marketing department than the physics.

“Quantum Entropy as a Service” (QEaaS)

Cloud-delivered random numbers from a quantum source. The operational question: do you trust the pipe? If your threat model includes the possibility of interception or manipulation between the QRNG device and your application, receiving entropy over a network introduces the risk you are trying to eliminate. This is not a fatal objection; you can seed a local CSPRNG with the quantum entropy rather than using it directly. But the security properties of the local architecture matter more than the properties of the remote source.

The Outer Fringe: QRNGs as Divination Tools

The marketing terms above are exaggerations of what QRNGs do. There is also a community that has reimagined what QRNGs are.

The Princeton Engineering Anomalies Research (PEAR) lab, which operated at Princeton University from 1979 to 2007, spent decades claiming that human consciousness could influence the output of hardware random number generators through mental intention. The lab closed, but its ideas didn’t. The Global Consciousness Project still maintains a worldwide network of 65+ random number generators, searching for statistical anomalies during major world events as evidence of “global consciousness.” Psyleron, Inc., founded by PEAR alumni, sells consumer random event generators to people who believe they can influence quantum outcomes with their thoughts. Podcasts in this space describe QRNGs as tools for “Applied Metaphysics” and claim they can “prove we can tap into the Eternal Field.” One episode connects QRNGs to the Mandela Effect, a debunked theory about parallel universes based on collective false memories.

I mention this not to mock (well, not only to mock) but because these claims occasionally surface in procurement contexts. When “quantum” becomes a synonym for “mysterious and powerful,” the distance between a FIPS-validated entropy source and a consciousness-detection device shrinks in the buyer’s mind. If someone in your supply chain is citing quantum randomness as evidence that the universe responds to human intention, that is a useful signal about the rigor of their other technical claims. For the full history of how quantum hardware became a prop for pseudoscience, see my Quantum Snake Oil Dictionary entry on Quantum Consciousness.

What QRNG Is Not

QRNG Is Not Quantum Cryptography

QRNG is not quantum key distribution (QKD). It is not post-quantum cryptography (PQC). It is not a quantum communication protocol. QRNG is a component, an entropy source, that can feed into any cryptographic system. Buying a QRNG does not make your network “quantum-secure.”

I encounter this conflation routinely. A vendor sells a QRNG chip, and the buyer checks a box labeled “quantum security.” That box should remain unchecked. One vendor’s product page currently states that powering TLS and IPsec with “quantum-grade randomness” ensures “resilience against both today’s attackers and tomorrow’s quantum adversaries.” It does not. Adding a QRNG to your TLS stack does nothing to protect against a quantum computer running Shor’s algorithm on the RSA or ECC keys negotiated during that TLS handshake. The algorithm is the vulnerability, not the entropy source. The quantum threat to cryptography comes from quantum computers running Shor’s algorithm against RSA and ECC, and Grover’s algorithm against symmetric ciphers. Defending against that threat requires migrating to PQC algorithms: ML-KEM (FIPS 203, formerly CRYSTALS-Kyber), ML-DSA (FIPS 204, formerly CRYSTALS-Dilithium), SLH-DSA (FIPS 205, formerly SPHINCS+). Not upgrading your random number generator.

QRNG Does Not Fix Broken Algorithms

If your organization still relies on RSA-2048 for key exchange, the quality of the random numbers used to generate those keys is approximately the 47th most important factor in your quantum security posture. Factor number one is that RSA-2048 will be factorable by a cryptographically relevant quantum computer (CRQC), which the latest resource estimates suggest will require approximately 1,400 logical qubits running roughly 6.5 billion Toffoli gates. No improvement to your entropy source changes this math.

I have seen QRNG vendors position their products as part of a “quantum-safe” strategy. This framing is accurate only in the most limited sense. Organizations spending their quantum security budget on QRNG instead of PQC migration are fixing the weather stripping while the foundation is cracked.

QRNG Does Not Solve Harvest Now, Decrypt Later

The Harvest Now, Decrypt Later (HNDL) threat, where adversaries record encrypted traffic today for decryption when quantum computers become available, is a function of the encryption algorithm, not the key generation method. An RSA-2048 session encrypted with quantum-sourced keys is just as harvestable as one encrypted with classically-sourced keys. The attacker doesn’t need to guess your key; they will factor it.

The HNDL defense is PQC migration and hybrid key exchange. QRNG contributes nothing to this defense.

When QRNG Actually Matters

Having spent considerable space on what QRNG does not do, I want to be equally direct about where QRNG provides genuine value. It solves a specific and important problem. The issue is scope, not substance.

The Entropy Starvation Problem

The most compelling use case for QRNG is environments where entropy starvation is a real operational risk. Entropy starvation occurs when a system’s demand for random bits outpaces the available supply, forcing the CSPRNG to stretch inadequate seeds or blocking operations until entropy accumulates.

This is genuine in several deployment scenarios. Virtual machines and containers, which lack dedicated hardware entropy sources and may share a host’s entropy pool with dozens of other VMs, historically suffer from entropy starvation, particularly at boot, before sufficient environmental noise has accumulated. Embedded systems and IoT devices with limited hardware and deterministic boot sequences face the same challenge. High-volume HSMs and key management systems need continuous high-throughput entropy.

A dedicated QRNG providing a reliable, high-rate entropy stream solves this cleanly. The quantum physics matters less here than the engineering: a well-designed QRNG is a fast, reliable, non-blocking entropy source. That is its primary practical value.

High-Assurance and Regulatory Environments

Systems governed by FIPS 140-3, Common Criteria, or country-specific standards like Germany’s BSI AIS 31 may require or prefer entropy sources with a theoretical model guaranteeing output quality. A QRNG with a well-characterized quantum model and NIST ESV certification on the IID track provides exactly this.

Long-Lived Key Material

For keys that must remain secure for decades (sovereign encryption keys, root CA keys, keys protecting classified archives), using the best available entropy source for generation is a defensible risk management decision, even if the marginal improvement over a well-implemented CSPRNG seeded by a certified TRNG is hard to quantify.

Future-Proofing as Part of PQC Migration

A reasonable case exists for deploying QRNG as part of a general crypto-agility posture. If you are already migrating to PQC algorithms, upgrading your entropy subsystem at the same time adds another layer of defense-in-depth at modest incremental cost. The key word is “incremental.” QRNG as a complement to PQC migration is sensible. QRNG as a substitute for PQC migration is negligent.

The Standards and Certification Map

NIST Standards (United States)

NIST SP 800-90B. The foundational standard for entropy source validation. It specifies requirements and testing procedures for entropy sources, defining two tracks: IID (Independent and Identically Distributed), for sources whose output samples are statistically independent, and non-IID, for sources with dependencies. IID certification is often considered the cleaner validation path for a well-designed QRNG, since a properly functioning quantum source should produce statistically independent samples. The non-IID track uses a more complex set of entropy estimators and may apply to sources with inherent correlations. Both tracks are rigorous; the distinction is about source characteristics, not a quality ranking.

NIST SP 800-90A. Specifies the DRBG algorithms that consume entropy from a source validated under SP 800-90B.

FIPS 140-3. The general cryptographic module validation standard, with four security levels. To achieve FIPS 140-3 validation for a product containing a QRNG, the entropy source must satisfy SP 800-90B, and the DRBG must satisfy SP 800-90A.

NIST SP 800-22. The older statistical test suite for randomness. Often cited by QRNG vendors (“our device passes all NIST SP 800-22 tests”), but passing these tests is necessary, not sufficient. Any reasonable PRNG also passes them. SP 800-90B is the higher bar.

BSI Standards (Germany)

AIS 31 In its current AIS 20/31 form, defines classes PTG.1 (non-cryptographic) and PTG.2/PTG.3 (cryptographic). Older documentation and many vendors still refer to these as P1 and P2. P2 requires a stochastic model of the noise source: a theoretical argument for why the noise is unpredictable, beyond statistical evidence alone. This makes AIS 31 P2 particularly well-suited to the QRNG value proposition. ID Quantique’s Quantis became the first QRNG to pass AIS 31 in 2014.

ITU-T Standards (International)

Recommendation X.1702 (approved 2019, with contributions from ID Quantique and SK Telecom) defines a framework architecture for quantum noise random number generators and provides a taxonomy distinguishing QRNGs from other physical TRNGs.

Emerging: NIST CURBy (Public Randomness Beacon)

Worth watching: NIST’s CURBy project (Colorado University Randomness Beacon), launched in 2025, uses a loophole-free Bell test to produce verifiable quantum randomness as a public service. If CURBy achieves ESV validation (which the NIST team has indicated it expects), it would represent the first continuously operating, genuinely device-independent certified randomness source available to the public. For buyers, CURBy matters as a benchmark: it will provide a reference point against which vendor claims of “self-certifying” or “device-independent” randomness can be measured.

What Certifications to Look For

In roughly descending order of rigor: NIST ESV on the IID track, FIPS 140-3 validation (Level 2 or above for serious applications), BSI AIS 31 P2, Common Criteria at EAL4+. If a vendor cites only NIST SP 800-22 or proprietary testing, that is a starting point, not a finish line.

The Buyer’s Checklist

Before signing a purchase order, put these questions to the vendor.

On the quantum source: What is the specific quantum process generating your entropy? (Expect a precise answer: vacuum fluctuations, photon arrival times, beam-splitter path selection.) What is the quantum-mechanical model of your entropy source? (A genuine vendor can point to a published paper or technical document.) How do you separate quantum noise from classical noise? (Every physical device generates both.)

On conditioning: What is the ratio of raw entropy to output bits? (Near 1:1 = high raw quality. 10:1 or higher = the conditioning is doing heavy lifting.) What conditioning algorithm do you use? (NIST SP 800-90B specifies “vetted conditioning components” with full entropy extraction guarantees.)

On failure modes: What happens if the quantum source degrades or fails? (Good answer: fails closed. Bad answer: falls back to a PRNG silently.) Does the device support SP 800-90B continuous health tests? (Both startup and continuous tests should be implemented.)

On certifications: Which of the following has this device achieved? NIST ESV (IID or non-IID), FIPS 140-3 (which level), BSI AIS 31 (P1 or P2), Common Criteria (which EAL). Ask for certificate numbers, not marketing claims.

On integration: What is the sustained output rate under production load, after health checks and conditioning? (Marketing materials cite peak rates. You need the sustained number.)

The Bottom Line for CISOs

QRNG solves a real problem (entropy quality) that is one component of a comprehensive cryptographic architecture. It does not solve the quantum computing threat to cryptography, which requires PQC migration. It does not address Harvest Now, Decrypt Later. It does not make your algorithms stronger. It does not secure your AI systems.

Before evaluating QRNG procurement, ask yourself three questions. Do I have an entropy quality problem today? (Most well-configured modern systems do not, but virtual environments, embedded devices, and high-volume HSMs might.) Am I subject to regulatory requirements that mandate or prefer quantum-sourced entropy? Am I already executing a PQC migration? (If not, that is where your quantum security budget should go first.)

If at least one answer is yes, QRNG is a defensible procurement decision. Look for products with NIST ESV certification, a published quantum-mechanical entropy model, continuous health monitoring, and an integration path that fits your architecture. And look just as seriously at certified TRNGs. The best TRNG on the market may serve you better than a mediocre QRNG that happens to have the right buzzword on the label.

If all three answers are no, the vendor is solving a problem you don’t have while leaving unaddressed the problems you do. Start with the PQC Readiness Self-Assessment Scorecard and the PQC Migration Framework, and revisit QRNG once the foundational migration work is underway.

The quantum threat to cryptography is real and serious. The response to that threat is PQC migration, not better random numbers. Anyone telling you otherwise is selling something, and it probably has the word “quantum” on the label.