This is part three of a three-part series on quantum security – how it works, the implications for society and business, and what it will mean for leaders of organizations that process sensitive data and rely on keeping that data secure.
Part one looked at the basics of quantum computing and cryptography. Part two talked about contending with so-called “steal now, decrypt later” strategies.
Here we’ll look at the role of random number generators in constructing cryptographic keys, and how the quality of randomness influences the strength of those keys.
It’s not easy to make sense of cybersecurity priorities in the pre-quantum era – especially without a solid understanding of random numbers and their role in making data and transactions quantum-safe.
Sequences of numbers are considered random when they’re unpredictable, to one extent or another, and random number generators (RNGs) play a ubiquitous role throughout every category of software from video games to enterprise applications. More to the point, they are also foundational to generating cryptographic keys.
Software-based RNGs are typically baked into the coding language or function libraries that developers use as building blocks in their applications – the programmer writes code that says “hey, RNG, give me a random number between N1 and N2” and a number in the specified range is produced automatically, on demand.
But even a set of numbers or letters that looks random to humans may actually be deterministic. That is, there’s a detectable, underlying pattern lurking in the numbers, and any cryptographic key derived from them is vulnerable to hacking – either now, in instances where less rigorous RNGs are used, or later, when quantum computing emerges as an authentic threat to even the most sophisticated classical RNGs in use today.
All numbers generated algorithmically in software are deterministic by definition. Although typically an application developer neither knows nor needs to know the methodology used by their RNG, in practice, when stakes are high, the method used to produce a random number can matter a great deal.
And as it turns out, some numeric sequences are more random than others.
Classical, software-based RNGs produce so-called pseudo-random number sequences. Pseudo-RNGs (PRNGs) generate a series of seemingly random numbers determined by some starter input value – the “seed” value. The problem is, the seed is chosen by the developer, and for a given seed, PRNGs always produce the identical sequence of numbers – which is as deterministic as it gets. They appear random, but really aren’t.
That’s a distinction without a difference for many less-rigorous use-cases. Pseudo-random numbers work just fine for recreational applications like video games or simulations. But they’re wholly inadequate when the stakes are higher and cybersecurity is a central concern.
Information science describes such pseudo-random number sets as having low entropy, a term that denotes the degree of disorder in data. The higher the entropy in a dataset, the less deterministic, more random the data – and ultimately, the stronger the cryptographic keys derived from it.
Getting there entails turning away from algorithms and measuring naturally occurring “noise”, in one form or another, in the real world.
True Random Numbers
Enter the higher entropy, inaccurately named, ‘true’ (aka ‘hardware’) random number generator (TRNG) – purpose-built hardware, often delivered as a self-contained microchip that can be embedded in everything from cell phones and tablets to routers and IoT devices.
TRNGs are a cryptographically more secure, less deterministic improvement over PRNGs, but they still work by leveraging classical, and thus deterministic, principles. Rather than using algorithms, TRNGs leverage noisy physical phenomena like ambient atmospheric or thermal conditions. They can be susceptible to measurement biases so corrective measures are often built in.
Despite the name, ‘true’ RNGs are not truly random. While they’re considered secure in some contexts, for maximum quantum-safe entropy levels, we still need real-world input, but we have to get away from classical physics altogether.
Thanks to years of quantum computing research, we’ve already worked out the intricacies of measuring quantum states. To achieve maximum entropy, hardware-based quantum RNGs (QRNG) leverage the inherently stochastic nature of quantum phenomena rather than the classical principles that PRNGs and TRNGs rely on.
The distinction between quantum and classical is more than semantic.
Everything in the quantum realm is counter-intuitive and strange, including the fact that events at that scale happen at utterly unpredictable intervals. In other words, the quantum world is naturally stochastic, making quantum randomness immeasurably superior to alleged ‘true’ randomness.
Where are all the QRNGs?
While building production-quality quantum computers still faces technical hurdles, quantum RNGs are commercially available now, and you can deploy them either as a local hardware peripheral or a cloud service.
The underlying quantum hardware varies with OEM or provider, but they’re every bit as exotic as you might expect, exploiting any quantum quirk we can measure – the polarity of a single photon, quantum fluctuations in a vacuum, quantum tunneling events, and numerous other phenomena, all with an innate randomness that approaches maximum entropy.
Because “Steal Now – Decrypt Later” (discussed in part 2 of this series) is already a clear and present threat, there’s every reason for businesses to secure their data right now and to give careful consideration to the quantum-safe strength of QRNGs for protecting business-critical systems.
The opportunities and risks highlighted by the three posts in this series merely scratch the surface of cybersecurity challenges posed by quantum computers.
Decision-makers whose organizations manage sensitive data must take action now, to buttress defenses against SNDL, and to ensure those defenses use cryptographic protection built on a sufficiently random foundation.
Understanding these imperatives will give you an edge against the competition, insure your organization against costly regulatory actions, and ensure that protections you deploy are truly, actually, quantum-safe.
Ultimately, the same strange properties of reality that will render current encryption schemes vulnerable will also pave the way to defeating new threats to your valuable business data and transactions well into the quantum revolution.