Written by Nicole Kosel, freelancer at cyberunity AG, in collaboration with Xenia Bogomolec, Information Security Specialist and CEO at Quant-X Security & Coding, Maximiliane Weishäupl, PhD Candidate in Cryptography at the University Regensburg, Mehrzad Firoozi, PhD Candidate in Physics at Fraunhofer IPMS and Peter Kosel, Founder at cyberunity

The relevance of stochastic processes has expanded and evolved significantly from their initial application in the gaming industry to their current use in cryptography. In the age of information technology, the generation of random numbers has become essential for information security, modelling, simulations and myriad other digital processes. Given that the quality-requirements for random numbers and randomness overall are generally highest in cryptographical contexts, it is also important to distinguish between random numbers for modelling purposes and those meant for cryptographic applications.

As a result of the exponential growth in data volumes and the increasing connectivity of devices, the demand for cryptographic methods that are based on reliable randomness is growing. Entropy, which in information security contexts refers to unpredictability and thus the quality of randomness, plays a decisive role here. Quantum random number generators (QRNGs) represent an advanced technology that utilises the principles of quantum mechanics to generate random numbers with high levels of entropy. These numbers are of particular importance for cryptography due to their pronounced unpredictability – a result of quantum phenomena such as the polarisation of individual photons. The randomness generated by such processes is an indispensable component of key generation within encryption methods and various other security protocols that aim to secure information against unauthorised access. The validation of cryptographic systems, including algorithms, protocols and their practical implementations, poses an immense challenge to governments worldwide. When it comes to the theoretical definition and standardisation of such cryptographic systems, competitions are often held in which interdisciplinary research teams develop reference implementations – however, these are generally not market-oriented. To support their conversion into market-ready products, various government institutions have launched programmes that enable the independent review and certification of standards and practical implementations like modules, libraries and devices according to clearly defined criteria. In the United States, for example, the National Institute of Standards and Technology (NIST) has taken on a pioneering role by establishing the Cryptographic Module Validation Program (CMVP), a framework that evaluates the practical security of cryptographic applications and confirms their trustworthiness. At the centre of the CMVP is the validation of entropy sources, a requirement that emphasises the vital importance of random numbers in cryptography.

NIST further reinforces this importance through the Entropy Source Validation (ESV) programme, which is specifically designed to assess the quality and reliability of entropy sources. Several projects are currently researching the use of QRNGs, using the general BSI requirements for TRNGs (true random number generators) as a basis for development and evaluation. While the German Federal Office for Information Security (BSI) has not yet defined any specific guidelines for QRNGs and is still examining their suitability relative to currently certified TRNGs, it is interested in classifying QRNGs according to the functional classes of the AIS 20/31 standard. Corresponding research projects have been commissioned to address these open questions and to develop a solid basis for future standards.

“Quant-ID” is one such project and aims to create quantum-safe digital identities. Under the direction of Quant-X Security & Coding and in collaboration with Fraunhofer IPMS, MTG AG and the University of Regensburg, the project is developing a prototype for quantum-safe authorisation. It is pursuing said quantum-safe authorisation by way of a QRNG developed by IPMS and an identity provider with clients implemented by Quant-X in order to generate high-quality random values for secure digital authentication and authorisation in critical infrastructures. MTG AG provides the post-quantum secure PKI and the Faculty of Data Security and Cryptography of the University of Regensburg analyses the security of the QRNG and post-quantum algorithms in practice. The respective contributions of the individual partners can be found under https://Quant-ID.de. In the context of the Quant-ID project, post-quantum secure cryptographic methods and random values produced by IPMS’ QRNG are applied to secure network communications, web applications and databases, after which the results are tested for their suitability for certification. Below, three members of the Quant-ID team provide insights into their specific roles and discuss the impending implications that QRNGs could have for the IT security landscape in general and for end users in particular. Among these three team members are two dedicated PhD candidates, Maximiliane Weishäupl from the University of Regensburg and Mehrzad Firoozi from the Fraunhofer Institut for Photonic Microsystems (IPMS).

Maximiliane Weishäupl is a PhD candidate at the Chair of Data Security and Cryptography at the University of Regensburg concentrating on cryptographic analysis on the one hand and measuring the security of QRNGs on the other.

“Cryptographic analysis begins with the identification of necessary requirements that cryptographic algorithms must fulfil within the relevant protocols. An example of such a requirement in our use case is derived from the fact that the authorisation of users must occur rapidly. On a cryptographic level, this translates into the need for rapid verification of digital signatures, which in turn must be taken into account when selecting post-quantum secure procedures”, explains Weishäupl. The analysis looks at current developments in post-quantum cryptography and the ongoing NIST standardisation process. When selecting suitable methods for the Quant-ID project, NIST candidates, supplemented by other promising methods, are compared with regard to the identified requirements. For the cryptography implemented in the Quant-ID project, it is essential that the randomness produced by the QRNG is of exemplary quality.

Maximiliane explains the challenges in this regard as follows:

“In order to assess the quality of QRNGs, various approaches can be found in the literature – from the pure application of ready-made statistical test suites to security proofs with more or less simplifying assumptions. However, strict conditions must be met for certification by the BSI: A stochastic model must be specified for the physical QRNG, i.e. a family of probability distributions that describes the QRNG as well as possible in all situations (e.g. different environmental conditions such as temperature) and that includes all conceivable secondary information (e.g. interference noise from components). The distribution parameters are then determined using experimentally generated data, allowing the entropy of the raw data (i.e. the direct output of the QRNG) to be calculated. An improvement of the entropy can be achieved by so-called post-processing of the raw data and can, for example, consist of applying a hash function. The final entropy must be above a threshold defined by the BSI and the implementation of tests that guarantee the quality of the random numbers during the operation of the QRNG is also required”.

Mehrzad Firoozi further emphasises the experimental and technical aspects of the project. As a scientific researcher at Fraunhofer IPMS, he focuses on the macroscopic structure and further development of the QRNG. “In this phase, I compared many different conventional QRNGs that could fulfil the project requirements, both theoretically and experimentally. This helped us to select the right QRNG structure for the project. The description of the QRNG using a mathematical model is also of great importance for qualifying its security”, explains Firoozi. In addition to the implementation of the QRNG, his work also includes the development of a post-processing platform that converts non-uniformly distributed random numbers into uniformly distributed random numbers. “The raw output of the QRNG usually is not uniformly distributed (having for example a Gaussian distribution instead). In this phase, this analogue output is first digitised by an analogue-to-digital converter (ADC). Then the digital values are passed to a Field-Programmable Gate Array (FPGA) to be given a uniform probability distribution by a ‘Randomness Extraction’ method. The resulting data is then ready to be transmitted via a suitable interface (e.g. Ethernet)”, explains Firoozi. A key aspect of his work is to optimise the technology to allow BSI certification such that the subsequent miniaturisation of the system for practical application is possible. The collaboration between Weishäupl and Firoozi in the Quant-ID project is demonstrative of the interdisciplinary nature of the post-quantum scene. While Weishäupl discusses the theoretical and analytical aspects of cryptography, Firoozi contributes his extensive experience in experimental physics and technology.

Maximiliane and Mehrzad each decided in favour of joining the quantum cryptography project for different yet complementary reasons. As a PhD candidate with a background in mathematics, Maximiliane finds the practical application of mathematical concepts in cryptography particularly appealing. For her, the fascination lies in the interdisciplinary challenge that combines mathematics, computer science, and physics, a combination that requires extensive familiarisation with various specialist disciplines. Mehrzad on the other hand, is attracted to fundamental quantum phenomena, both in theoretical terms and in terms of the practical observation of these phenomena in his experiments. The need for in-depth knowledge of quantum optics and basic knowledge of information theory emphasises the complexity of the field.

Together they emphasise the importance of creativity and tenacity in their research. Their work not only pushes the boundaries of our current technological understanding, but also lays a solid foundation for the future development of secure cryptographic systems. “Cryptography is already used everywhere today,” notes Weishäupl. “Random numbers are essential and there are examples where bad random numbers have rendered otherwise secure cryptography insecure. QRNGs with good random numbers are therefore of great interest.” Firoozi adds: “With the development of quantum computers, encryption based on mathematical algorithms can be cracked much more easily. Since the randomness in a QRNG is intrinsically indeterministic, QRNGs can potentially provide a higher level of security than traditional RNGs. As a result, companies or organisations where data security is critical (military organisations, substations, banks, etc.) can greatly benefit from this technology.”

Xenia Bogomolec, CEO of Quant-X Security & Coding further emphasises the critical role of randomness in cryptography: “The high degree of randomness of a so-called static cryptographic key with long validity is particularly important. This can be, for example, a certificate for firmware updates of devices, a certificate in the chip on the German electronic passport (ePassport), or root certificates from so-called Certification Authorities (CAs). The latter form the core of the security of all cryptographic certificates issued with them. If the root certificate is compromised, all certificates issued with it are also compromised. Root certificates can be compromised via various attack vectors. However, if a weak entropy source is used whose determinism is known to a particular attacker, the attacker would not even need to hack the CA in question. The impact of such a scenario would be catastrophic, as CAs with a root certificate issue countless certificates for organisations’ applications. Another example of the need for high entropy sources are Monte Carlo simulations – a method originating in probability theory in which random samples of a distribution are repeatedly drawn using randomness-experiments. The higher the entropy, the more valid the resulting conclusions are.”

The Quant-X Security & Coding team, under the leadership of Xenia Bogomolec, supports the security qualification of QRNGs from a traditional information security perspective. Its members’ backgrounds in mathematics and algorithm development allow for well-rounded and effective communication with cryptographers like Maximiliane and physicists like Mehrzad. Additionally, various statistically relevant data across the digital use of quantum entropy are collected and analysed. QRNGs are already commercially available, e.g. the Quantis series from ID-Quantique. The Quantis QRNG chip is certified according to both NIST Entropy Source Validation (ESV) and IID SP 800-90B. Certification of QRNGs by the BSI however is likely still several years away.

As Peter Kosel from cyberunity AG sums up, the Quant-ID project not only represents an impressive fusion of expertise and innovative strength – it also embodies the next decisive step in the development of cryptography and IT security.

Anyone interested in gaining further insight into cryptography and the role it plays in information security can find an informative article on career opportunities in the cryptography scene here: Cryptography Specialists – The Key to a Secure Post-Quantum World If you would like more information on the future potential of this field we invite you to reach out to Xenia or Peter directly.