The NCSC also highlights the vulnerabilities that emerge when you place complete trust in the physical correctness of the device. These flawed QRNGs rely on a trusted device model, where every component in the device (or almost every component) is assumed to be functioning correctly at all times. This means that these devices cannot determine when they have been tampered with, or when their components have aged and degraded in performance. This means that end applications will use flawed randomness to create weak security keys, leading to a potential compromise of security.
The NCSC suggests further research in this area is needed, specifically noting a lack of understanding of “modelling and evidencing the real-world properties of physical QRNGs” as well as “understanding changes in behaviour of QRNGs under various physical stresses and through aging”.
The good news is that there is a completely different approach to quantum random number generation that overcomes all of these problems and achieves perfectly unbiased results. This is the approach that Cambridge Quantum has taken with our IronBridge platform.
The Right Way to Build a QRNG
To solve the issues raised by the NCSC, the single most important task is to eliminate trust in the QRNG device. This is easier said than done and virtually all the serious players in this sector have been exploring ways to solve this problem. None has yet succeeded until recently when we at Cambridge Quantum unveiled the first glimpse at our unique patent-protected, device-independent randomness generation protocol, which underpins our IronBridge product.
We have built a new process that literally extracts entropy from nature, with established protocols that follow the fundamental laws of quantum physics. Our protocol has been implemented on a variety of quantum devices, including general-purpose quantum computers, such as those offered by IBM, Honeywell, AQT and IonQ.
Unlike the flawed QRNG approach that has proven itself not to work for security purposes, IronBridge places no trust in the quantum device. Instead, we run a series of experiments on the quantum device, which simultaneously proves to the user (the client) that it’s operating correctly, whilst also providing perfectly random data.
We don’t use the words “perfectly random” lightly, by the way. Unlike every other approach to randomness generation (including the flawed QRNGs), IronBridge generates truly unbiased data. There is precisely a 50/50 chance that each bit is a one or a zero. This is because we rely on quantum mechanics to generate states that collapse into one of two values with precisely 50% likelihood.
Cambridge Quantum’s IronBridge addresses the criticisms that the NCSC has quite rightly levelled at the flawed QRNGs. Our approach doesn’t place trust in the device, which means we’re not impacted by noise or other physical issues. We treat the device as a black box and run our protocol on the results we receive.
For similar reasons, we’re not impacted by the ageing of the device or failing components. Our protocol is automatically self-testing, so we never extract more randomness than is present in the output from the device. This means even a faulty device cannot impact the quality of the randomness.
If you like to get into the details, Cambridge Quantum released a paper last year that describes our protocol in more detail. Since then, Cambridge Quantum has worked with numerous large companies to deliver cryptographic keys into their infrastructure, based on our perfectly random data. These cryptographic keys, which can be classical or “post-quantum” algorithms, are the strongest ever generated. And unless we discover a new model of physics beyond quantum mechanics, they are the strongest keys that can ever be generated.
If you’d like to learn more about Cambridge Quantum’s technology and see how easily it integrates into your cybersecurity systems, please get in touch and we’d be delighted to discuss this in more depth.
CAMBRIDGE QUANTUM ON MEDIUM
Cambridge Quantum’s scientists regularly post on Medium, a hub for social journalism and a hybrid of publications, blogs and publishers.
Follow us there for more of our news and updates.
Read on Medium
The National Cyber Security Centre
Quantum Security Technologies
Quantum Key Distribution and Quantum Cryptography