QRNG Entropy Demos

1. Why Classical Encryption Fails — Quick Refresher

Classical encryption (like AES and RSA) is built on strong math, but that math assumes one critical thing: the keys are unpredictable. If the key (or the seed used to make the key) comes from a small or predictable set, attackers can guess or brute-force it long before the math becomes relevant.

In simple terms: Encryption is a lock, and the key must be truly hard to guess. If the key was made from something predictable—like the current time, a VM boot pattern, or a weak random generator—then attackers don't need to “break AES” or “break RSA.” They just need to re-create the same key.

• Weak seed space: only \(2^{12}\) possibilities (4096) is tiny for a computer.
• Repeated seeds: clones/containers/VMs can start with similar state and generate the same “random” values.
• Early-boot entropy: right after boot, systems often have less randomness available.
• “Looks random” is not enough: patterns you can't see can still be exploited.

In our demos, we show exactly this: weak entropy (e.g. timestamp or tiny seed space) leads to breakable keys or shared primes; strong entropy avoids that.

2. How Quantum Entropy Is Different from Classical Entropy (and Why It's Undeterministic)

Most “classical randomness” is generated from physical processes that are very hard to model (timing jitter, thermal noise, user input timing, etc.). That can be good enough, but at the deepest level classical physics is still cause-and-effect: if you knew everything, you could (in principle) predict the outcome.

Quantum entropy is different: in quantum mechanics, certain outcomes are not determined until measurement. Even with perfect knowledge of the setup, you can’t predict the next bit. This is often described as non-deterministic randomness.

How QRNG cards generate quantum entropy (high level): Hardware QRNGs typically measure a quantum-scale effect (often in optics or electronics) where the next outcome is fundamentally unpredictable. The device turns those measurements into bits, then runs conditioning so the final output is uniformly random and safe to use for cryptography.

• Quantum “event”: a measurement with inherently random outcomes (not just “unknown”).
• Digitization: convert the physical measurement into a stream of raw bits.
• Health checks: detect hardware faults or bias (e.g., stuck signals).
• Randomness extraction: mix/condense raw bits (e.g., using hashing) so the output is statistically clean.

What quantum mechanics “type” is used? Many QRNG designs use quantum optics (photons and measurement), or they rely on quantum fluctuations that show up as measurable noise at the device level. The key idea is the same: the bit stream is based on a measurement whose outcome is not deterministically set ahead of time.

Why this can be more secure than system entropy: Modern operating systems usually provide a cryptographically secure random generator, but it still depends on how well it was seeded and how healthy the environment is. In VMs/containers, early boot, or misconfigured systems, entropy can be weaker or correlated across instances. A QRNG card provides an independent physical source of high-quality entropy, reducing those real-world risks.

In simple terms: A coin flip looks random because you don’t know all the details. A quantum measurement is random because the universe doesn’t “decide” the result until you measure.

That's why we use quantum entropy in the demos: it provides a source that, in principle, cannot be predicted even by an attacker with full knowledge of the system.

3. Shor's Algorithm in Layman Terms — Why It Breaks RSA

RSA works by multiplying two secret prime numbers \(p\) and \(q\) to make a public number \(N = p \times q\). Everyone can see \(N\) (it’s in the public key), but \(p\) and \(q\) are kept secret. If an attacker can find \(p\) and \(q\), they can derive the private key and decrypt messages or forge signatures.

Why RSA is safe today (classical computers): For large keys (like 2048-bit RSA), factoring \(N\) back into \(p\) and \(q\) is so slow that it’s effectively impossible with classical computers.

What changes with Shor’s algorithm: Shor’s algorithm is a quantum method that can factor large numbers dramatically faster (on a sufficiently large, fault-tolerant quantum computer). That removes the “factoring is too hard” assumption that RSA depends on.

What Shor’s algorithm actually does (high level): it transforms the factoring problem into a different problem called period finding. A quantum computer can find that period efficiently using quantum effects (superposition + interference). Once the period is known, the prime factors can be computed with a few classical math steps.

• Key insight: factoring can be reduced to finding a hidden repeating pattern (“period”) in a function related to \(N\).
• Quantum advantage: quantum states can represent many possibilities at once, and interference amplifies the right pattern.
• Output: after measurement, you get information that reveals the period, which leads to \(p\) and \(q\).
• Reality check: this requires a large, fault-tolerant quantum computer (many stable logical qubits). Small “lab demos” don’t scale to real RSA sizes yet.

Past research (how RSA has been attacked historically): long before large quantum computers exist, researchers have repeatedly shown that RSA security depends on both math hardness and real-world implementation quality (especially entropy).

Important distinction: Better entropy prevents weak-key failures (predictable or repeated keys), but it does not stop Shor’s algorithm from breaking RSA once a sufficiently capable quantum computer exists. That’s why post-quantum cryptography matters too.

4. Why the QSE Hybrid Approach Helps

The QSE hybrid approach focuses on a common root cause of real-world crypto failures: weak entropy during key generation. Instead of relying only on OS randomness (which can be strong, but can also be weak in certain environments), QSE brings in quantum entropy from QRNG cards and uses it as the source material to derive cryptographic keys.

In simple terms: we don’t “change the lock.” We make sure the key is made from something an attacker can’t guess or reproduce. Strong entropy is the foundation that makes everything else reliable.

Why this matters in practice: Even if your encryption algorithm is excellent, many operational environments can accidentally make entropy weaker than people assume—especially virtualized infrastructure, auto-scaling fleets, early boot time, cloned images, and containers. QSE adds an independent physical entropy source so deployments don’t all “feel the same” from a randomness perspective.

• Reduces predictability: no tiny seed space for attackers to search.
• Reduces accidental reuse: different deployments/devices are far less likely to generate related keys or repeated primes.
• Improves reliability under stress: good entropy even in early-boot or scaled-out environments where OS seeding can be fragile.
• Supports crypto agility: you can feed high-quality entropy into today’s algorithms (AES/RSA) and tomorrow’s post-quantum algorithms.

QSE doesn’t replace post-quantum algorithms (like Kyber (ML-KEM) and Dilithium (ML-DSA)); it strengthens how keys are generated today, so existing systems are less vulnerable to entropy-related attacks while the industry migrates.

5. Why Kyber and Dilithium Aren't an Immediate Solution (Adoption Takes Time)

Kyber (ML-KEM, key establishment) and Dilithium (ML-DSA, digital signatures) are post-quantum algorithms selected by NIST. They are designed to remain secure even if large quantum computers become available. However, standardization is not the same as industry-wide deployment.

In simple terms: Rolling out new cryptography is like changing the locks on every door in a city. You must update servers, browsers, mobile apps, routers, VPNs, HSMs, certificate infrastructure, third-party vendors, and monitoring systems. That takes time, testing, and coordinated upgrades.

Why it takes time: crypto is embedded into protocols, devices, and supply chains. Even a “simple” switch has ripple effects: performance, message sizes, certificate formats, interoperability, hardware acceleration, and compliance validation.

• Compatibility: every client and server must understand the new algorithms.
• Protocol upgrades: TLS, VPNs, and internal protocols need new negotiation logic (often “hybrid” during transition).
• Infrastructure: certificate chains, PKI, code signing, and HSM support must mature.
• Performance & sizes: different key/ciphertext sizes and CPU cost affect latency and bandwidth.
• Operational readiness: logging/monitoring, troubleshooting, and key management tooling must catch up.
• Compliance: regulated industries require validation, policy updates, audits, and rollout governance.
• Long tail: embedded/legacy devices can remain in the field for many years.

In the meantime, improving entropy quality with QSE hybrid approach reduces risk from weak randomness and keeps existing crypto stronger while the industry moves toward post-quantum algorithms.