In short

A quantum random number generator (QRNG) produces bits whose unpredictability is guaranteed by the laws of quantum mechanics rather than by the cleverness of an algorithm. The simplest recipe: prepare a qubit in the superposition |+\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle) and measure in the computational basis. The outcome is 0 or 1 with exactly probability \tfrac{1}{2} each, and no hidden variable — in the sense of Bell's theorem — can predict it in advance. Commercial QRNGs implement this with photons: a single photon hits a 50/50 beam splitter and triggers one of two detectors; the click pattern is the bit stream. Variants measure vacuum-field quadratures or laser phase noise and extract many megabits per second. A self-testing QRNG goes further: it violates a Bell inequality so strongly that the measured randomness is certified even if the hardware was built by your adversary. QRNGs already run inside SIM cards (ID Quantique), lottery draws, Monte Carlo simulations, and the Indian QNu Labs Tropos and Armos stacks — and the National Quantum Mission funds a certified randomness infrastructure that UPI, Aadhaar, and defence systems can draw on.

Every cryptographic key, every simulated dice roll in a finance Monte Carlo, every session token your UPI app prints — starts life as a random bit. Ask a classical laptop to produce a billion of them and it will run an algorithm: take a seed, apply a deterministic shuffle, output the result. That output looks random. It passes statistical tests. But given the seed, anyone can recompute the sequence exactly. This is pseudo-random, and it is the only kind of randomness a purely classical deterministic machine can manufacture.

A qubit sitting in the superposition |+\rangle is different. When you measure it in the computational basis, it gives you 0 or 1 — but the choice is not the output of any algorithm and not the readout of any hidden variable. It is, as far as physics can tell, drawn fresh from the universe at that instant. This is the core promise of a quantum random number generator: a machine that bottles up quantum measurement and pours it out as bits.

This chapter builds the idea from one qubit up to commercial hardware. Along the way it answers the three questions that matter for a cryptographer: Can we trust the bits? Can we certify them even if the device was built by someone we do not trust? And is any of this deployed in India today?

Why classical randomness is not random

Your laptop's random() function does not flip a coin. It runs a pseudo-random number generator — a deterministic function f such that, given a 256-bit seed s, it produces a long sequence

s, \ f(s), \ f(f(s)), \ f(f(f(s))), \ \ldots

that looks statistically random. The Mersenne Twister, Xorshift, ChaCha20-based CSPRNGs — all of them are deterministic. Two laptops with the same seed produce the same stream. There are no coin flips inside.

For most tasks that is fine. For cryptography it is a time bomb: if the adversary ever guesses the seed, every past and future output is known. Linux's /dev/urandom and Windows' CryptGenRandom mitigate this by harvesting noise — mouse jitter, disk-access timing, network packet arrivals, thermal fluctuations in a ring oscillator — and folding it into the seed. That is hardware randomness, and it is good. But it is not provably random. A sufficiently clever attacker who models the machine precisely enough might, in principle, predict it. Intel's RDRAND instruction (Ivy Bridge and later) is of this kind: a thermal-noise ring oscillator feeding a conditioning chain. It is hardware-based, but not quantum — the noise source is classical thermal physics, not a quantum superposition.

Three kinds of randomness sourcesA three-column comparison. Left column pseudo-random number generator shows a closed box with a seed arrow coming in and a deterministic stream coming out, marked reproducible given seed. Middle column hardware RNG shows thermal noise or ring oscillator producing bits, marked statistical but not provable. Right column quantum RNG shows a qubit in the plus state with a measurement box producing bit zero or one, marked certified by physics.Three kinds of randomnessPseudo-RNGdeterministic functionseed → f → f² → f³ → ...reproduciblelooks random, isn't(Mersenne, ChaCha)Hardware RNGclassical noise sourcethermal, jitter, ring-osc.unpredictable in practicemodel-dependent(RDRAND, /dev/urandom)Quantum RNGquantum measurement|+⟩ → measure Z → 0 or 1certified by physicsno hidden variable(ID Quantique, QNu)
The three strategies. A pseudo-RNG is deterministic by design. A hardware RNG taps a physical noise source but cannot rule out a sufficiently detailed model of that source. A QRNG taps a single-qubit quantum measurement, whose outcome Bell's theorem forbids any hidden-variable theory from predicting.

The gap between "hardware RNG" and "QRNG" is subtle but real. A thermal resistor is noisy because trillions of electrons jiggle in complicated ways you cannot track — it is effectively unpredictable. A qubit in |+\rangle measured in Z is different: Bell's theorem (chapter 139) proves that no local hidden-variable theory can account for the correlations produced by such measurements. The randomness is not effective — it is structural.

The simplest QRNG — one qubit, one measurement

The cleanest QRNG you can describe fits on a single line of pseudocode.

Recipe.

  1. Prepare a qubit in the state |+\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle).
  2. Measure in the computational (Z) basis.
  3. Output the outcome as one random bit.

The first time Dirac notation appears in this chapter: |0\rangle is the 2-dimensional column vector \begin{pmatrix}1 \\ 0\end{pmatrix}, |1\rangle is \begin{pmatrix}0 \\ 1\end{pmatrix}, and the state

|+\rangle = \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle = \frac{1}{\sqrt{2}}\begin{pmatrix}1 \\ 1\end{pmatrix}

is the equal superposition — the point on the Bloch sphere's equator at +x. A Z-basis measurement projects the state onto |0\rangle with probability |\langle 0 | + \rangle|^2 and onto |1\rangle with probability |\langle 1 | + \rangle|^2. Compute:

\langle 0 | + \rangle = \frac{1}{\sqrt{2}}\langle 0 | 0 \rangle + \frac{1}{\sqrt{2}}\langle 0 | 1 \rangle = \frac{1}{\sqrt{2}}(1) + \frac{1}{\sqrt{2}}(0) = \frac{1}{\sqrt{2}}

Why this step matters: \langle 0|0\rangle = 1 because |0\rangle has unit length; \langle 0|1\rangle = 0 because |0\rangle and |1\rangle are orthogonal basis states. The inner product of a bra and a ket is a single complex number, and for basis states it is the Kronecker delta.

So the probability of outcome 0 is |1/\sqrt{2}|^2 = 1/2. By the same calculation, outcome 1 also has probability 1/2. The bit is a perfect coin flip.

The simplest QRNGA circuit-style diagram. On the left a qubit wire starts in the zero state. A Hadamard box labelled H is applied producing the plus state. Then a measurement meter box produces a bit labelled b. Below is a Bloch sphere with the plus state marked at positive x on the equator, and two dashed arrows showing projection onto the north pole ket zero with probability one half and the south pole ket one with probability one half.The one-qubit QRNG: |0⟩ → H → measure → bit|0⟩H|+⟩ = (|0⟩+|1⟩)/√2measure Zb ∈ {0,1}|0⟩|1⟩|+⟩P(0) = |⟨0|+⟩|² = ½P(1) = |⟨1|+⟩|² = ½why this bit is truly random• no algorithm produced it• no hidden variable predicts it• Bell's theorem rules outany local determinism— and you can run it 10⁹ times per second
The simplest QRNG. Apply Hadamard to $|0\rangle$ to reach $|+\rangle$, then measure in Z. The Bloch sphere shows $|+\rangle$ on the equator at $+x$; the dashed arrows show that the measurement projects onto $|0\rangle$ or $|1\rangle$, each with probability $1/2$. Repeat for as many bits as you need.

Run this circuit n times and you get n independent, uniformly distributed random bits. That is a QRNG. Everything else in this chapter is engineering — how to realise this one-qubit loop in hardware that spits bits out fast enough to be useful, and how to convince a sceptic that the bits really are random.

Optical QRNGs — what the hardware actually looks like

You can technically run the one-qubit QRNG on a superconducting or trapped-ion machine, but it would be wasteful — these devices cost tens of millions of rupees and are shared between many users. Commercial QRNGs use photons instead, because photons are cheap, fast, and behave as qubits in polarisation or path.

Beam-splitter QRNG

The cleanest optical realisation of the one-qubit idea: a single photon meets a 50/50 beam splitter. The photon's "left path" and "right path" form a two-dimensional state space — a qubit. A symmetric beam splitter is the optical equivalent of a Hadamard: a photon incident on one port comes out in the equal superposition |+\rangle = (|L\rangle + |R\rangle)/\sqrt{2} of left-path and right-path. Two single-photon detectors, one on each output, project onto the path basis; whichever fires gives the bit.

Beam-splitter QRNG schematicA horizontal optical setup. A single-photon source on the left emits a photon that travels to a central grey square labelled 50/50 beam splitter. Two output paths emerge, one going up-right to detector D zero producing bit zero, and one going down-right to detector D one producing bit one. A short arrow labelled incident photon connects source to beam splitter. A label to the right indicates fifty-fifty click probability per photon.Beam-splitter QRNG — one photon, two detectorsphotonsourcesingle photon50/50 BSpath |L⟩ (P = ½)path |R⟩ (P = ½)detector D₀click → bit = 0detector D₁click → bit = 1
Beam-splitter QRNG. A single photon meets a 50/50 beam splitter, which is the optical Hadamard: left-path and right-path amplitudes are $1/\sqrt{2}$ each. Each photon produces exactly one detector click. The detector identity — $D_0$ or $D_1$ — is the random bit. Repeat at the photon emission rate to get a stream.

Commercial beam-splitter QRNGs run at tens of megabits per second. The photon source is usually an attenuated laser (a real single-photon source is hard; an attenuated pulse with mean photon number well below 1 is close enough, and rare multi-photon events are handled by post-processing). The detectors are silicon avalanche photodiodes for visible light, or InGaAs detectors for telecom wavelengths. ID Quantique's Quantis product family is the canonical beam-splitter QRNG; units ranging from a USB dongle to a PCIe card run at 4 Mb/s to 16 Mb/s.

Vacuum-fluctuation QRNG

You can go faster by giving up single-photon detection. The vacuum state of the electromagnetic field is not quite zero — it has quadrature fluctuations, a pair of Gaussian-distributed numbers X and P with variance \hbar/2 each. Split a local-oscillator laser on a balanced detector, and the difference current samples one of these quadratures. The analog signal is Gaussian-distributed and carries roughly \log_2(\sigma_{\text{quantum}} / \sigma_{\text{classical}}) bits of certified randomness per sample, where the signal-to-noise ratio separates the quantum contribution from the classical electronics noise. Digitising and hashing gives a stream of gigabit-per-second-class random bits.

Vacuum-fluctuation QRNGs dominate high-speed applications. A typical commercial module runs at 1–10 Gb/s — enough to generate every encryption key a data centre needs, with bandwidth to spare.

Phase-diffusion QRNG

A third common scheme taps the phase noise of a gain-switched laser diode. Turn the laser on from below threshold; each pulse starts from spontaneous emission, whose phase is a uniformly random quantum variable. Interfere consecutive pulses in a Mach-Zehnder interferometer; the intensity at the output is \propto 1 + \cos(\Delta\phi), where \Delta\phi is the quantum-random phase difference. A photodiode samples this intensity, and the digitised output — after conditioning — is another high-speed random stream. Toshiba and the Chinese group at USTC have pushed phase-diffusion QRNGs into the 100 Gb/s regime.

Three optical QRNG variantsA three-row comparison table. Row one beam-splitter QRNG has an icon of a photon hitting a beam splitter with two detectors and a speed label of tens of megabits per second. Row two vacuum-fluctuation QRNG shows a homodyne balanced detector with a Gaussian distribution on its output and a speed label of one to ten gigabits per second. Row three phase-diffusion QRNG shows a laser, a Mach-Zehnder interferometer, and a photodiode with a speed label of up to one hundred gigabits per second.Optical QRNG — three commercial familiesBeam-splittersingle photon → 50/50 BS → 2 detectorsqubit = path mode~10 Mb/sVacuum fluctuationLO laser + balanced detector → Gaussian quadrature samplesqumode = EM vacuum1–10 Gb/sPhase diffusiongain-switched laser → interferometer → photodiodequmode = laser phaseup to 100 Gb/s
The three commercial optical QRNG architectures. Beam-splitter is the textbook picture at the lowest rate; vacuum-fluctuation and phase-diffusion trade the single-photon-detector simplicity for orders of magnitude more throughput. All three are equally "quantum" in the sense that their randomness comes from a non-classical state of the electromagnetic field.

Post-processing — making the bits uniform

Real hardware is never a perfect 50/50. Beam-splitter reflectances drift; detector efficiencies differ; vacuum detectors have classical electronics noise. A QRNG bit stream straight from the detector is typically biased (probability of 0 is not exactly 1/2) and correlated (consecutive bits are not quite independent). The standard fix is a randomness extractor — a deterministic function that takes a long, slightly-biased input and produces a shorter, uniformly random output.

The simplest extractor is the von Neumann trick. Read the raw stream in pairs: 00 and 11 are discarded; 01 outputs a 0; 10 outputs a 1. If the raw bits are biased but independent, the output is perfectly unbiased.

Why it works: if each raw bit is 0 with probability p and 1 with probability 1-p, the pair 01 has probability p(1-p) and the pair 10 has probability (1-p)p. These are equal. Conditional on the pair being either 01 or 10 (i.e. not discarded), each outcome is 50-50, and each output bit is uniform. The price is throughput: for p near 1/2, you output one bit per four raw bits on average.

Serious deployments use universal hash functions (Carter-Wegman hashing, Toeplitz-matrix hashing) as extractors, because they can compress the stream at rates closer to the min-entropy H_\infty of the source — a tighter theoretical bound than von Neumann's. A QRNG with raw min-entropy 0.95 bits per sample, hashed by a 2-universal family to output \lfloor 0.9 \cdot n \rfloor bits, is certified near-uniform to any adversary with bounded side information.

The whole pipeline — hardware → raw stream → extractor → NIST statistical tests (SP 800-90B) — is what ships as a "QRNG module" in a bank's HSM. The user gets a clean, uniform, high-rate random stream; the physics guarantee lives in the first stage.

Worked example — the one-qubit QRNG, in full

Example 1: generating 20 random bits from the $|+\rangle$-measurement QRNG

Setup. You have a qubit that you can reset to |0\rangle, apply a Hadamard to, and measure in the computational basis. You want to generate 20 random bits. Repeat the following three-step loop 20 times.

Step 1 — Prepare |+\rangle. Start with |0\rangle. Apply the Hadamard gate:

H = \frac{1}{\sqrt{2}}\begin{pmatrix}1 & 1 \\ 1 & -1\end{pmatrix}, \qquad H|0\rangle = \frac{1}{\sqrt{2}}\begin{pmatrix}1 \\ 1\end{pmatrix} = |+\rangle.

Why start from |0\rangle: hardware resets qubits to the computational-basis ground state, and the Hadamard is the cheapest gate in every standard gate library. The composition H|0\rangle = |+\rangle is the shortest path from a reset qubit to the equal-superposition state.

Step 2 — Measure in Z. Project onto |0\rangle or |1\rangle. The probability of outcome 0 is

P(0) = |\langle 0 | + \rangle|^2 = \left|\frac{1}{\sqrt{2}}\right|^2 = \frac{1}{2}.

By symmetry P(1) = 1/2. The post-measurement state collapses to |0\rangle or |1\rangle accordingly; this is the irreversible, non-unitary half of the quantum world.

Step 3 — Record the outcome. Append the measured bit to the output stream. Reset the qubit and go back to Step 1.

Running 20 times. A possible output — the specific sequence is genuinely undetermined ahead of time, so here is one instance:

0\,1\,1\,0\,1\,0\,0\,1\,1\,1\,0\,0\,1\,0\,1\,1\,0\,0\,1\,0

Count: 10 zeros, 10 ones. Sample mean 0.50, sample variance 0.25 — consistent with a fair coin. A second run would produce a different sequence. You cannot predict either sequence in advance, even knowing the full state vector, because the measurement outcome is not a function of any hidden variable.

Why the sample mean landed exactly on 10-10: that is coincidence. For n = 20 coin flips, the standard deviation of the count of ones is \sqrt{n/4} \approx 2.24, so any count from 8 to 12 is well within one sigma. Asymptotically the sample proportion converges to 1/2 by the law of large numbers.

Result. Twenty certified-uniform bits from twenty runs of the simplest possible quantum circuit. Any adversary — even one who knows the state |+\rangle exactly and has perfect knowledge of your hardware — cannot predict the sequence.

Twenty bits from twenty Hadamard-then-measure runsA horizontal row of twenty small squares representing bits. Some squares are filled dark labelled one and others are lighter labelled zero. Below the row is a timeline showing runs one through twenty, and below that a running tally bar chart of counts of zeros and ones approaching a 10-10 split by the end.20 bits from 20 QRNG runs01101001110010110010run 1run 20count of 1s = 10, count of 0s = 10 → sample mean 0.50another run of 20 would give a different sequence, same statistics
One possible 20-bit output from twenty runs of the $H|0\rangle$-then-measure circuit. The exact sequence is quantum-random — another run would give a different sequence. The statistics — 50% ones on average, uncorrelated, passing any reasonable randomness test — are what is reproducible.

What this shows. The whole apparatus of "quantum randomness" reduces, operationally, to one trivially simple circuit. The philosophical weight — that the bits are not precomputed, not stored in any hidden variable, not derivable by any algorithm — is in the quantum mechanics, not in the code.

Self-testing QRNG — certifying randomness from untrusted hardware

The beam-splitter QRNG is secure against an outside adversary who has not touched the box. It is not secure against a malicious vendor who ships you a device with a hidden pseudo-random generator inside. If the vendor pre-computed the "random" stream and the box just replays it, you would have no way to tell from the output statistics alone — a good cryptographic PRNG passes every statistical test.

The fix is extraordinary: test the device by playing a Bell game with it. If the device's output violates a Bell inequality by enough, Bell's theorem guarantees that the output contains genuine, certified randomness — even if the device was designed by your adversary.

The CHSH game as a randomness certificate

The CHSH inequality (chapter 139) bounds the correlations achievable by any local hidden-variable theory: for any such theory, the CHSH quantity S = |E(00) + E(01) + E(10) - E(11)| satisfies S \le 2. Quantum mechanics allows S up to 2\sqrt{2} \approx 2.828 — Tsirelson's bound.

Set up the device with two separated components, call them A and B, that produce bits in response to binary inputs. A trusted source of input randomness (small, call it the "seed") selects the measurement settings; the device produces outputs. Estimate S from the statistics. If S \le 2, no certification — the outputs might have been pre-programmed. If S > 2 by a statistically significant margin, the outputs cannot be the replay of any pre-agreed strategy, and Bell's theorem gives a quantitative lower bound on the min-entropy of the output string, conditioned on any side information the adversary could have.

Self-testing QRNG via a Bell testA block diagram. On the left a trusted seed source feeds random inputs x and y into two separated device boxes labelled A and B. The devices are enclosed in a dashed untrusted boundary. They share a common quantum source drawn as a pair of entangled photons. The devices output bits a and b. On the right a CHSH quantity S is computed from the statistics; a dial shows S equals 2.7 beyond the classical bound of 2, certifying quantum randomness. A labelled arrow shows the output bit stream is certified min-entropy per bit.Self-testing QRNG — outputs certified by Bell violationtrusted seedshort random bitsuntrusted device (adversary may have built it)device Ainput x → bit adevice Binput y → bit bentangled pairbits (a,b) outconditioned on (x,y)CHSH auditS = |E₀₀ + E₀₁ + E₁₀ − E₁₁|classical: S ≤ 2quantum: S ≤ 2√2 ≈ 2.828measured S = 2.70⇒ H∞(output | Eve) ≥ ~0.5 bitper output pair (Pironio 2010)
The self-testing architecture. The device is treated as a black box, potentially built by the adversary. A small trusted seed feeds random inputs; the outputs are audited by computing $S$ from the statistics. A value of $S > 2$ by a statistical margin certifies a lower bound on the min-entropy of the output conditional on any information the adversary has — even though the device's internals are opaque.

Randomness expansion and amplification

Two remarkable theorems make self-testing QRNGs not just audit tools but entropy amplifiers:

These are theoretical results, but they have been demonstrated experimentally — Pironio et al.'s original 2010 experiment with trapped ions [1], and a series of follow-ups using photonic loophole-free Bell tests (Delft 2018, NIST 2018). A self-testing QRNG is not a pure-theory artefact; it is a working, if finicky, class of device.

Commercial deployments

QRNGs are one of the few quantum technologies in widespread commercial use today.

India's National Quantum Mission (2023, ₹6003 crore) identifies certified randomness infrastructure as a strategic priority alongside QKD and quantum computing. The mission's roadmap includes a national QRNG-as-a-service backbone that critical infrastructure — UPI transaction signing, Aadhaar authentication, CERT-In-protected government links — can draw on. The Raman Research Institute and IIT Bombay both run QRNG testbeds; CDAC and QNu Labs are partnering on a production-grade deployment scheduled through 2028.

Applications — where QRNG bits actually go

A megabit of quantum-random bits a second is more than enough for most real cryptographic workloads. Where do they go?

Common confusions

Going deeper

If you see that a Hadamard on |0\rangle followed by a Z-measurement gives a perfect coin flip, that commercial QRNGs realise this with beam splitters, vacuum quadratures, or laser phase diffusion, and that a Bell-inequality violation certifies randomness even when the device is untrusted — you have chapter 157. The material below is for readers who want the quantitative security definitions, the min-entropy extractor analysis, the CHSH-to-entropy-rate theorem, and the details of India's QNu Labs deployment.

Min-entropy and the leftover-hash lemma

The right quantitative notion of randomness for cryptography is min-entropy:

H_\infty(X) = -\log_2 \max_x \Pr[X = x].

A stream has k bits of min-entropy if no outcome has probability greater than 2^{-k}. Min-entropy is the adversary-facing entropy: even knowing the distribution, the adversary's best single guess succeeds only with probability 2^{-H_\infty}. Shannon entropy is the wrong quantity here — it measures average surprise, which can be large even when one outcome is very likely.

The leftover-hash lemma (Impagliazzo-Levin-Luby 1989; refined by Tomamichel-Schaffner-Smith 2011 for conditional min-entropy against quantum side information) says that for any source X with conditional min-entropy H_\infty(X|E) \ge k relative to an adversary E, a 2-universal hash h : \{0,1\}^n \to \{0,1\}^\ell with \ell \le k - 2\log(1/\epsilon) produces output statistically \epsilon-close to uniform. This is the quantitative foundation of QRNG post-processing: measure H_\infty of the raw source (e.g. from detection-efficiency calibration), choose \ell, pick a hash function, and the output is provably near-uniform.

NIST SP 800-90B testing

The standards body NIST publishes SP 800-90B — Recommendation for the Entropy Sources Used for Random Bit Generation — with a battery of statistical tests that any certified entropy source must pass. The tests include:

Commercial QRNGs publish SP 800-90B certification reports; BIS (Bureau of Indian Standards) IS 18033 is the Indian counterpart, explicitly called out for government procurement under NQM.

The CHSH-to-entropy-rate theorem

Pironio, Acín, Massar, Boyer de la Giroday, Matsukevich, Maunz, Olmschenk, Hayes, Luo, Manning, and Monroe (Nature 2010 [1]) proved a quantitative link: for a device with estimated CHSH value \hat{S}, the conditional min-entropy per output round satisfies

H_\infty(\text{output} | \text{adversary}) \ge 1 - \log_2\left(1 + \sqrt{2 - \hat{S}^2/4}\right)

for \hat{S} \in (2, 2\sqrt{2}]. At \hat{S} = 2 (classical boundary), the bound is 0 — no randomness certified. At \hat{S} = 2\sqrt{2} (Tsirelson), the bound approaches \log_2 2 = 1 bit per round — full randomness. The theorem is what lets a self-testing QRNG quantify the randomness it produces rather than merely assert it.

Randomness expansion vs amplification

Both are active research; neither is in commercial deployment today. But they draw the theoretical ceiling — the most randomness that can be extracted from a device given the smallest input of trust.

QNu Labs Tropos in depth

QNu Labs' Tropos module uses a vacuum-fluctuation architecture: a 1550 nm telecom-wavelength local oscillator with a balanced homodyne detector, digitised at 1 GSa/s, producing a raw stream at 2 Gb/s before conditioning. Post-processing: AES-based seeding conditioner, a Toeplitz-matrix randomness extractor with a compression rate of 0.5, delivering 1 Gb/s of NIST SP 800-22 certified output. Health monitoring runs NIST SP 800-90B adaptive-proportion and repetition-count tests on a 1 MB window continuously; if either fails, the module drops into a degraded mode and alerts the host. Tropos is deployed in several Indian bank HSMs and is undergoing Common Criteria EAL4+ evaluation for government defence procurement.

Side-channel considerations

Even a certified QRNG can leak through side channels: electromagnetic emissions from the detector electronics, timing correlations with the host processor, power-consumption variations. Production deployments shield the quantum stage in a Faraday cage, use constant-time conditioning, and sample the raw stream through optocoupler-isolated interfaces. The careful engineering of the classical envelope around the quantum heart is, in practice, most of what makes a QRNG trustworthy.

Where this leads next

References

  1. Stefano Pironio et al., Random numbers certified by Bell's theorem (2010) — Nature 464, 1021 / arXiv:0911.3427.
  2. Roger Colbeck, Quantum and relativistic protocols for secure multi-party computation (PhD thesis, 2006) — arXiv:0911.3814.
  3. Xiongfeng Ma, Xiao Yuan, Zhu Cao, Bing Qi, Zhen Zhang, Quantum random number generation (2016) — npj Quantum Information 2, 16021 / arXiv:1510.08957.
  4. Wikipedia, Hardware random number generator.
  5. QNu Labs, Tropos QRNG product overview.
  6. John Preskill, Lecture Notes on Quantum Computation, Chapter 8 — theory.caltech.edu/~preskill/ph229.