Katie Lloyd
Marketing Communications Lead
This blog was first published by techUK as part of its ‘Unleashing Innovation’ campaign. The original article can be found here.
The UK’s National Quantum Strategy, published in March 2023, commits £2.5 billion to developing quantum technologies in the UK over the next 10 years – part of the government’s commitment to transforming the UK into a quantum-enabled economy by 2033. The strategy sets out the key activities necessary to drive the commercialisation of quantum technologies. One of which is to engage in standards development in collaboration with leading international bodies.
Standards and certifications play an important role in guiding emerging technologies from conception to widespread adoption. They help build trust, accelerate product development, and reduce obstacles to commercialisation. But for them to fulfil this role effectively, everyone in the industry needs to understand them clearly. In this article, we will explain one example of international standards that apply to a quantum-enabled technology: the certification of Quantum Random Number Generators (QRNGs).
Why is the certification of QRNGs important?
The security of a system relies on preventing attackers from obtaining keys, therefore it is crucial not only to keep keys secret but also to avoid choosing them in a predictable way. Instances like the failure of Linux.Encoder.1, the first Linux ransomware, underscore the dangers of neglecting this. Its downfall resulted from a non-random key selection, derived from easily retrievable information such as the system timestamp, and allowed the key to be compromised without requiring decryption. This is why it is essential to use high-quality entropy for key generation. By doing so, we strengthen entire cryptographic systems against potential weaknesses and safeguard them from malicious attacks.
Since the generation of high-quality randomness is central to cryptography, having a process for verifying the quality of an entropy source means organisations can be assured they are using the highest quality and most reliable source of entropy available. Reliable assessment of the quality of randomness can only be done with considerable expertise and detailed examination of the process that generates it.
What international standards apply to QRNGs?
The Federal Information Processing Standard (FIPS) 140, issued by the National Institute of Standards and Technology (NIST) in the US, is regarded as the de facto standard for the testing of products that carry out encryption and decryption. In 2022, the National Physical Laboratory (NPL) in the UK signed a memorandum of understanding (MOU) with NIST, as a commitment to work together more closely in the quantum field – including in the development of standards.
The certification scope of FIPS 140 was amended in its latest version, FIPS 140-3, which supersedes FIPS 140-2 and changed the process for the certification of QRNGs. In FIPS 140-2, testing and validation were carried out on the entire cryptographic module, including an entropy source. FIPS 140-3 acknowledges that entropy generation differs from other functions used in cryptography by splitting this element out into a separate approval called Entropy Source Validation (ESV).
FIPS 140-3 is now divided into three distinct elements:
- The Cryptographic Module Verification Program (CMVP)
- The Cryptographic Algorithm Validation Program (CAVP)
- Entropy Source Validation (ESV)
What are the advantages of the ESV certification for QRNGs?
- It eliminates the need to repeat entropy testing: An entropy source now only needs to be approved once and is issued its own certificate meaning it can be used with multiple products.
- It enables a more thorough assessment of entropy sources: Separate approval ensures that entropy sources meet stringent criteria for randomness, without being constrained by the requirements of an entire cryptographic module’s certification.
- It streamlines the certification process: The ESV certificate facilitates customers’ certifications through the NIST’s Cryptographic Module Validation Program (CMVP).