Dr. José R.M Saavedra

Understanding Quantum Entropy For Blockchain & Cybersecurity


About Dr. José R.M Saavedra

Dr. José Ramón Martínez Saavedra is the VP of Innovation at Quside, where he leads the development of high-performance quantum random number generation (QRNG) technologies. A physicist with a PhD in Photonics from ICFO and the Universitat Politècnica de Catalunya, José bridges the gap between fundamental quantum mechanics and deployable cryptographic infrastructure. He spearheads Quside’s efforts to solve the "entropy bottleneck" in modern encryption, providing major breakthroughs in randomness metrology, and ensuring that the entropy used in blockchain and cryptographic keys is not just fast, but demonstrably unpredictable. At this QSECDEF webinar, José will discuss how certified, quantum-origin randomness is becoming a mandatory requirement for post-quantum secure distributed ledgers.

Full Article

Why Randomness May Be Cybersecurity’s Most Undervalued Asset


At the QSECDEF workshop, Dave and José set out Quside’s view of quantum random number generation and highlighted a point that deserves far more attention. Many digital systems look secure when judged by their visible controls, yet their safety often rests on a far less examined foundation - the quality of the randomness they use. That matters because modern cryptography depends on unpredictability. Encryption keys, digital signatures, cryptocurrency wallets, VPNs and even fairness mechanisms in blockchain systems all rely on numbers that cannot be anticipated. Quside argues that quantum-based entropy can provide a firmer basis for that unpredictability and, through its work with Deloitte, seeks to turn it into something that can be measured and evidenced rather than simply trusted.


A simple analogy helps. Imagine a factory that produces high-security locks. Most observers would focus on the metal, the engineering and the apparent sophistication of the mechanism. Yet if the same factory repeatedly issued keys based on a narrow set of patterns, the strength of the lock itself would become almost irrelevant. Weak randomness creates an equivalent weakness in digital systems. It rarely attracts attention because it is buried deep in the machinery, but that hidden position is exactly what makes it so dangerous.


One of the most important distinctions raised in the discussion was the difference between output that appears random and entropy that is genuinely strong. A sequence may look disorderly while still being generated from a constrained and therefore more predictable set of possibilities. In cryptography, appearance is not enough. What matters is how much real uncertainty exists behind the output. This is reflected in NIST’s framework. SP 800-90B addresses entropy sources and the estimation of min-entropy, whereas SP 800-90C sets out how random bit generators should be constructed by combining entropy sources with deterministic generators. In other words, the question is not merely whether a stream of bits looks chaotic, but whether it is supported by sufficient unpredictability at the source.


That distinction becomes easier to grasp through a practical example. Consider a raffle in which every ticket carries a different number, but most of those numbers have been drawn from only a small pool. To participants, the process may seem fair. In reality, it is skewed from the outset. Cryptographic keys suffer from the same problem when generated from poor entropy. AES-256 offers formidable theoretical strength, but that strength assumes the underlying key is truly unpredictable. If the key is derived from weak or repetitive patterns, the headline security level is misleading.
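The gap between output that looks random and output that has entropy can be measured directly. The following is an added example, not code from the talk or from Quside: a hypothetical generator stretches a 16-bit seed into 256-bit keys, and the generator, the seed width and all function names are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SEED_BITS = 16  # constructed flaw: the generator only ever sees 2**16 seeds


def weak_key(seed: int) -> bytes:
    """Hypothetical flawed generator: a 256-bit key stretched from a 16-bit seed."""
    return hashlib.sha256(seed.to_bytes(2, "big")).digest()


def ones_fraction(data: bytes) -> float:
    """Output-only check: fraction of 1 bits (0.5 is what 'looks random')."""
    return bin(int.from_bytes(data, "big")).count("1") / (8 * len(data))


def mcv_estimate(samples) -> float:
    """Most-common-value min-entropy estimate (SP 800-90B 6.3.1), bits per sample.
    Upper-bounds the most likely value's probability at 99% confidence."""
    n = len(samples)
    p_hat = Counter(samples).most_common(1)[0][1] / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def exact_min_entropy(outcomes) -> float:
    """Min-entropy when every equally likely outcome is listed: -log2(max p)."""
    return -math.log2(Counter(outcomes).most_common(1)[0][1] / len(outcomes))


def demo() -> dict:
    keys = [weak_key(s) for s in range(2 ** SEED_BITS)]  # the whole key space
    stream = b"".join(keys)
    return {
        "ones_fraction": ones_fraction(stream),      # close to 0.5
        "bits_per_byte_mcv": mcv_estimate(stream),   # close to 8
        "bits_per_key": exact_min_entropy(keys),     # 16, not 256
    }


if __name__ == "__main__":
    print(demo())
```

Both output-level figures look healthy because the hash hides the small seed space, which is why SP 800-90B estimators are applied to raw noise-source samples rather than to conditioned output.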


This is why quantum random number generators, or QRNGs, have drawn such interest. The argument is not that classical methods are useless. Rather, many classical approaches derive randomness from software state, indirect measurements or hardware noise sources that can be difficult to validate continuously and rigorously. NIST’s standards have increasingly pushed the field towards demonstrable assurance. For applicable FIPS 140-2 and FIPS 140-3 submissions, vendors must already document conformity with SP 800-90B, and the publication of SP 800-90C in 2025 further clarified how approved entropy sources and deterministic random bit generators should be combined. The broad direction is clear - trust alone is no longer enough.


Quside and Deloitte have framed this issue through a four-level model of randomness, ranging from weak or artificial forms of apparent randomness to what they call Level 4 quantified uncertainty. Whatever one thinks of the branding, the strategic point is persuasive. Senior decision-makers, auditors and product teams increasingly want more than the mere presence of an RNG. They want evidence that its quality can be monitored, certified and linked to a defensible physical source of entropy. Quside’s claim that its photonic quantum entropy sources achieved NIST SP 800-90B certification in September 2024 clearly strengthens its appeal in regulated environments where assurance matters as much as performance.


The workshop became especially compelling when it moved from principles to failures. Security history shows that poor randomness can produce outsized consequences. Debian’s 2008 OpenSSL flaw made key generation dangerously predictable and forced widespread regeneration of affected keys. Cisco has also published advisories in cases where insufficient entropy in deterministic random bit generation created risks such as cryptographic collisions and exposure of private keys. These incidents were not spectacular in the cinematic sense. They were far more significant than that. They compromised the quiet infrastructure on which countless other systems depend.


Blockchain systems illustrate the same principle in a more public way. The session identified three areas where randomness is central - key generation, consensus or leader selection, and application-level functions such as NFT minting or game logic. Examples from practice reinforce the argument. The Meebits mint became widely cited because outcome selection could be anticipated in ways that undermined fairness. More recent work on Ethereum’s RANDAO mechanism has examined the problem of last-revealer bias, where participants may gain by withholding or disclosing information strategically to influence future random outcomes. In such settings, weak randomness is not just a technical defect. It directly affects trust in the system’s fairness.


The broader commercial lesson is straightforward. Weak randomness should not be treated as a narrow cryptographic concern. It is a business risk. In wallets, it can lead to theft. In PKI systems, it can create duplicate or guessable keys. In blockchains, it can distort fairness and invite manipulation. In regulated sectors, it can escalate into an audit issue, a compliance issue, an insurance issue and ultimately a reputational issue. An organisation may invest heavily in visible controls and still fail because a core dependency was never properly tested.


Timing makes this more urgent. Since August 2024, NIST has finalised FIPS 203 for ML-KEM and FIPS 204 for ML-DSA, establishing the first central post-quantum cryptographic standards. In March 2025, the UK’s NCSC published migration milestones that set expectations for planning by 2028, priority migration by 2031 and fuller completion by 2035. The European Union followed in June 2025 with a coordinated roadmap for implementation. Quantum risk is therefore no longer treated as a remote scenario. It has become a present planning issue. Entropy assurance is not the whole answer to post-quantum security, but it is one of the foundations that makes the wider transition credible.

The practical takeaway from the session was sensible and immediate. Organisations should begin by mapping where randomness enters their systems and where it is used in security-critical operations. They should separate superficial output testing from genuine entropy assurance. They should avoid creating single points of failure in entropy generation and should design for cryptographic agility so that both algorithms and entropy sources can be replaced without reconstructing entire platforms. Put simply, it is unwise to discover the weakness in your randomness only after the rest of the security architecture is already under strain.
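One way to act on the single-point-of-failure advice above, as an added example that is not Quside's or NIST's code: each source is health-checked with the Repetition Count Test from SP 800-90B, failed sources are dropped, and the remainder are hashed into one seed. The source names, the claimed 8 bits of min-entropy per byte and the SHA-256 combiner are assumptions for illustration, not a validated SP 800-90C construction.

```python
import hashlib
import math
import os


def rct_cutoff(h_min: float, alpha_exp: int = 20) -> int:
    """Repetition Count Test cutoff (SP 800-90B 4.4.1): C = 1 + ceil(-log2(alpha)/H),
    with false-positive rate alpha = 2**-alpha_exp and H bits claimed per sample."""
    return 1 + math.ceil(alpha_exp / h_min)


def rct_passes(samples: bytes, h_min: float) -> bool:
    """False if any value repeats C or more times in a row (a stuck source)."""
    cutoff, run, prev = rct_cutoff(h_min), 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def gather_seed(sources: dict, h_min: float = 8.0, nbytes: int = 64):
    """Read every source, exclude those failing the health test, and hash the
    rest together. Returns (seed, healthy_names); fails closed if none pass."""
    healthy, h = [], hashlib.sha256()
    for name, read in sorted(sources.items()):
        block = read(nbytes)
        if rct_passes(block, h_min):
            healthy.append(name)
            # Length-prefix the name so inputs cannot run into each other.
            h.update(len(name).to_bytes(1, "big") + name.encode() + block)
    if not healthy:
        raise RuntimeError("no healthy entropy source")
    return h.digest(), healthy


if __name__ == "__main__":
    # Constructed sources: the OS generator plus a device stuck at zero.
    demo_sources = {"os": os.urandom, "stuck_device": lambda n: bytes(n)}
    seed, used = gather_seed(demo_sources)
    print(seed.hex(), used)
```

The Repetition Count Test only catches stuck-at failures; it says nothing about how much entropy a passing source delivers, so the list of healthy sources should be logged and reviewed alongside the seed's use.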


Key takeaways

Cryptographic security depends on unpredictability, not merely on outputs that look random.

NIST SP 800-90B is concerned with entropy sources and min-entropy estimation, while SP 800-90C defines approved random bit generator constructions.


FIPS 203 and FIPS 204, finalised in August 2024, represent a major milestone in the operational move towards post-quantum cryptography.


Weak randomness has already contributed to serious failures, including Debian’s OpenSSL incident and Cisco vulnerabilities linked to insufficient entropy.


In blockchain environments, poor randomness can affect wallet security, leader selection and application fairness, as seen in cases such as Meebits and research into RANDAO bias.

Quside and Deloitte advocate a model in which higher-assurance randomness is generated through a quantum process and validated during operation.


Growing migration pressure in the UK and EU is turning entropy assurance into a compliance and business concern, not just a technical one.


Market classification

Quantum cybersecurity infrastructure, with a particular focus on entropy generation and cryptographic trust foundations.


Adjacent segments

Post-quantum cryptography, hardware security modules, PKI modernisation, secure IoT connectivity, blockchain infrastructure, secure edge computing, defence communications, data-centre protection and high-integrity Monte Carlo computation.


Competitor landscape

This market overlaps with classical pseudo-random number generator vendors, hardware TRNG suppliers, HSM providers with embedded entropy capabilities, blockchain randomness and oracle providers, and QRNG specialists offering integration through chips, cards, cloud services or networking platforms.


Market outlook

The direction is increasingly clear. Standards are maturing, compliance expectations are rising and organisations are being forced to catalogue their cryptographic dependencies before large-scale quantum attacks become realistic. That creates stronger demand for certified, auditable entropy - especially in markets where assurance must be demonstrated rather than merely asserted.


Demand drivers

Post-quantum migration programmes

Audit and certification pressure

Zero-trust and root-of-trust upgrades

Concern over harvest-now, decrypt-later exposure

Demand for fairness and anti-manipulation controls in blockchain systems

Need for secure key generation at endpoints as well as in centralised infrastructure

Frequently Asked Questions

Who is Dr. José R.M Saavedra?
Dr. José Ramón Martínez Saavedra is the VP of Innovation at Quside, where he leads the development of high-performance quantum random number generation (QRNG) technologies. A physicist with a PhD in Photonics from ICFO and the Universitat Politècnica de Catalunya, José bridges the gap between fundamental quantum mechanics and deployable cryptographic infrastructure.
What is the lecture "Understanding Quantum Entropy For Blockchain & Cybersecurity"?
This presentation by Dr. José R.M Saavedra at Quantum Security Defence covers key concepts, challenges, and developments in quantum cyber security.
What is quantum cyber security?
Quantum cyber security applies quantum mechanical principles to protect digital communications and data. It covers quantum key distribution, post-quantum cryptography, and quantum-safe network design.
