By Denis Mandich, Co-Founder and Chief Technology Officer of Qrypt
Software supply chain security is a major concern in today’s digital world. In 2019, bad actors hacked the software compilation process for SolarWinds Orion platform and placed a backdoor inside legitimate Orion software updates. It had a domino effect impacting 18,000 customers and thirty-seven defense companies. SolarWinds was a major lesson learned for all organizations to scrutinize their supply chain and what is inside the hardware and software they purchase. This is especially important when it comes to future technology like artificial intelligence (AI) or quantum, as many organizations will use the buzzword label for marketing and sales without backing up the claims.
For example, in the field of quantum-secure encryption, an attack on the random numbers used to generate secure encryption keys can fundamentally compromise the security of sensitive data and digital identities. It is therefore critical that organizations confirm the security of the quantum random number generator (QRNG) technology coming to market.
The Importance of Random Number Generators
There is an unfortunate and surprising problem regarding quantum random number generators (QRNG) – our entire universe is quantum, and there is some quantum effect in everything, including coin-flipping (which incidentally is not random at all).
Random numbers are fundamental to all digital security and identity and indeed the entire internet. If encryption software requires keys 256-bits long, but the randomness generator we are using is based on classical algorithms, then predictability becomes an issue. Although seemingly producing random numbers, these generators can be reverse-engineered and their output calculated, especially with the increasing sophistication of machine learning and AI. This can compromise our security.
In science, randomness indicates an event that cannot be predicted or known in advance, even with perfect knowledge of the physical system. The outcome is fundamentally unknowable; not simply difficult to guess. Many methods exist for generating random numbers, such as tossing dice or the motion in a lava lamp. However, these seemingly unpredictable methods are not as unbiased as we might think. Modern computers, adept at finding patterns within a sequence to predict outcomes, can compromise these classical and traditional sources of apparent randomness. This is where the power of quantum physics shines – it offers truly random phenomena unlike anything in classical physics. In the quantum world, certain events, like the decay of a radioactive atom, are fundamentally unpredictable. This unpredictability is not due to a lack of knowledge or measurement precision but a unique feature of the quantum realm itself. Scientists can tap into this unpredictability by performing experiments to measure quantum phenomena. These experiments produce a fundamentally unpredictable and truly random result. This inherent quantum randomness is crucial for QRNGs, powerful tools for digital security. As more QRNGs come to market, they promise to offer the only provably unpredictable events known to science, which are essential to fortifying cybersecurity.
Quantum Randomness and its Role in Security
Why are random numbers essential to cybersecurity? They are used to generate encryption keys, secure passwords, and enable secure communications and data privacy. The foundation of all secure technology, invisible as it might be to many users, assumes secure cryptography, and that, in turn, relies on random numbers. Quantum random numbers, due to their inherent unpredictability, play a crucial role in mitigating the risk of attacks that could compromise our digital security infrastructure.
Unfortunately, many products today labeled “quantum” may often be more marketing gimmicks than scientific facts. Caveat emptor—buyers must demand to know what’s inside their hardware and software purchases. Much like the software bill of materials (SBOM), which provides a detailed inventory of software components to promote transparency and security, the industry is correctly trending towards greater visibility in hardware. With QRNGs, you might hear that it is impossible to “prove” randomness. However, here are a few considerations to help navigate this evolving landscape:
- Vendor Transparency: Demand full disclosure about their technology, particularly about the quantum mechanisms they claim to use. Additionally, you should request min-entropy values to help in evaluating claims.
- Public Disclosure: Verify if the vendor’s underlying entropy methodology has been openly disclosed for peer review by engineering professionals.
- 3. Independent Tests: Ensure independent tests, like those from the National Institute of Standards and Technology (NIST), were conducted on the RNGs raw output to check for patterns implying the numbers were not randomly generated.
Remember, a collapse in fundamental cryptography via an attack on random numbers crumbles all the security infrastructure built on top of it. SolarWinds was a warning, perhaps even an omen of worse to come. Thus, it is crucial that vendors are held to high standards of transparency to prevent cascading effects.
New research from my team and I at Qrypt and teams at Advanced Quantum Architecture (AQUA) Laboratory, École Polytechnique Fédérale de Lausanne (EPFL), Ruder Boskovic, and Global Foundries discovered a single-photon avalanche diode (SPAD)-based QRNG design, which utilizes the quantum random flip-flop (QRFF) method. This type of integrated circuit on a SPAD array at the 55nm scale was science fiction a few years ago. The ability to detect a single particle of light, a photon, billions of times a second across thousands of pixels on a 2mm chip would have stunned most technologists of the previous generation. Leveraging quantum events like this at these speeds is essential to making security guarantees further up the encryption stack in any network.
Research like this contributes to our understanding of quantum randomness and its applications in digital security. As more QRNGs come to market, it is crucial that we, as consumers and stakeholders in digital security, demand transparency from vendors and stay informed about the latest developments in the rapidly evolving field of quantum.
About the Author
Denis Mandich, Co-Founder and Chief Technology Officer of Qrypt.
As Co-Founder & CTO of Qrypt, Denis drives the technology roadmap and secures the global expertise to achieve the company vision to protect against quantum computing threats. Previously, he served 20 years in the US Intelligence Community, working on singular, innovative technology essential to National Security. Denis is a board member of Quside, advisor to the Quantum Startup Foundry, and NSF-funded Mid-Atlantic Region Quantum Internet. He speaks native-level Croatian and Russian.
Qrypt can be reached online at our company website https://www.qrypt.com/