Securing the IoT Edge with Quantum Randomness

Author: Denis Avetisyan


This research presents a viable architecture for delivering quantum-enhanced entropy to resource-constrained embedded systems, bolstering security in the age of quantum computing.

The system distributes quantum entropy generated by a Quantis QRNG to ESP32 clients via dual access points (OpenSSL and the Linux entropy pool) and utilizes BLAKE2s entropy pools alongside post-quantum cryptography for secure HTTPS and CoAP communication, acknowledging the inevitable transition of cutting-edge security frameworks into future technical debt as production environments stress their limits.

A practical Quantum Entropy as a Service (QEaaS) implementation using post-quantum cryptography and CoAP for ESP32 microcontrollers is demonstrated.

Embedded systems demand high-quality entropy for cryptography, yet resource constraints severely limit trustworthy sources and lightweight implementations. This paper presents ‘Post-Quantum Entropy as a Service for Embedded Systems’, detailing a system that delivers quantum random number generator (QRNG)-derived entropy to ESP32-class devices via post-quantum-secured channels. Benchmarks demonstrate that this Quantum Entropy as a Service (QEaaS) architecture not only enables viable post-quantum key exchange and authentication on constrained IoT platforms but also achieves faster handshake times (up to 63%) compared to classical ECDHE P-256 with ECDSA. Could this approach unlock a new era of secure and efficient embedded cryptography, mitigating risks posed by advances in quantum computing?


The Illusion of Randomness: Why We Need Better Entropy

Contemporary cryptographic systems depend critically on the generation of truly random numbers, but established methods are facing increasing scrutiny. Historically, sources like thermal noise or radioactive decay were considered adequately unpredictable; however, modern analysis reveals subtle biases and patterns even in these seemingly chaotic processes. These imperfections, though often minute, can be exploited by sophisticated attackers with sufficient computational power and data. Furthermore, the rise of predictable random number generators – often used for performance reasons – introduces significant vulnerabilities if not carefully seeded with genuine entropy. The consequence is a growing need for randomness sources that are demonstrably unbiased, resistant to manipulation, and capable of meeting the demands of increasingly complex security protocols. A failure to address these vulnerabilities could compromise the confidentiality and integrity of digital systems worldwide.

The surge in interconnected, constrained devices – from wearable sensors and IoT endpoints to embedded systems in vehicles and critical infrastructure – presents a unique challenge to cryptographic security. These devices, characterized by limited processing power, memory, and energy budgets, cannot reliably support traditional entropy generation methods. Consequently, researchers are actively developing novel entropy sources specifically tailored for resource-constrained environments, focusing on techniques like harvesting unpredictable physical phenomena – thermal noise, radio frequency interference, or jitter in oscillators – and employing lightweight algorithms to efficiently extract and amplify randomness. The demand isn’t merely for any randomness, but for high-quality entropy demonstrably resistant to bias and prediction, as compromised randomness in even a single device can create vulnerabilities across an entire network, potentially leading to widespread security breaches.

System entropy pools, such as that found within the Linux kernel, represent a crucial, yet often underestimated, component of cryptographic security. These pools gather randomness from various hardware and software sources to seed cryptographic operations; however, their convergence can be surprisingly slow, particularly after system boot or during periods of low environmental noise. This sluggishness leaves systems vulnerable for a period while weak or predictable entropy is used. Furthermore, these pools are not immune to manipulation; a determined attacker can potentially influence the entropy estimation and inject biased data, compromising the randomness and weakening cryptographic keys. Consequently, continuous monitoring, robust entropy estimation techniques, and exploration of alternative entropy sources are vital to maintain the integrity and security of modern systems.

BLAKE2s entropy pool latency increases with buffer size due to the need for full state hashing during extraction, while injection benefits from incremental BLAKE2s mixing.

Quantum Randomness as a Service: A Pragmatic Solution

Quantum Random Number Generators (QRNGs) achieve true randomness by harnessing fundamentally unpredictable physical processes at the quantum level, such as photon arrival times or vacuum fluctuations. Unlike pseudorandom number generators (PRNGs) used in classical computing, which rely on deterministic algorithms and therefore exhibit patterns given sufficient observation, QRNGs are non-deterministic. This is because the outcomes of quantum mechanical events are inherently probabilistic and cannot be predicted with certainty, even in principle. The randomness generated is therefore not merely statistically random, but fundamentally irreducible, offering a demonstrable advantage for applications requiring high-quality, unpredictable entropy, such as cryptography and scientific simulations. While classical methods can approximate randomness, QRNGs provide a source of entropy bounded only by the limitations of measurement and the principles of quantum mechanics.

The Quantum Entropy as a Service (QEaaS) architecture facilitates the distribution of quantum-derived randomness to devices with limited computational resources and bandwidth. This is achieved through the implementation of lightweight communication protocols, specifically Constrained Application Protocol (CoAP) and Datagram Transport Layer Security (DTLS). CoAP, designed for constrained environments, minimizes overhead compared to HTTP, while DTLS provides secure, authenticated communication channels. By utilizing these protocols, QEaaS enables resource-limited devices – such as those found in IoT deployments or edge computing scenarios – to access high-quality entropy generated from Quantum Random Number Generators (QRNGs) without requiring direct hardware integration or substantial processing capabilities. This approach allows clients to request and receive random data via standard network connections, enhancing the security of cryptographic operations and other applications reliant on true randomness.

Offloading quantum entropy generation to a dedicated service, rather than integrating Quantum Random Number Generator (QRNG) hardware directly into constrained devices, simplifies system design and reduces resource demands. Direct integration requires significant processing power, memory, and specialized hardware interfaces, which are often unavailable in IoT devices or edge computing platforms. A Quantum Entropy as a Service (QEaaS) architecture enables these clients to access high-quality randomness via lightweight communication protocols, minimizing their computational burden and development complexity. This approach allows resource-limited devices to benefit from the security advantages of true randomness without incurring the costs and challenges of local QRNG implementation and maintenance.

Latency distributions for the DTLS 1.3 handshake and first request show that enabling certificate verification slightly increases latency across all key exchange algorithms (ECDHE P-256, X25519, and ML-KEM-512), with ECDSA (green) and ML-DSA-44 (blue) providing similar performance, as indicated by mean ± 1 standard deviation markers.

DTLS and Post-Quantum Cryptography: Future-Proofing the Connection

Datagram Transport Layer Security (DTLS) establishes a secure association for data transmission, specifically utilized in the Quantum Entropy as a Service (QEaaS) architecture to deliver random entropy over the Constrained Application Protocol (CoAP). This security is fundamentally dependent on underlying cryptographic algorithms for authentication, integrity, and confidentiality. Traditional DTLS implementations typically leverage algorithms like ECDHE for key exchange and ECDSA for digital signatures. However, these algorithms are vulnerable to attacks from sufficiently powerful quantum computers. Therefore, the continued viability of DTLS as a secure channel for entropy delivery requires the adoption of quantum-resistant cryptographic primitives.

The Quantum Entropy as a Service (QEaaS) architecture incorporates post-quantum cryptography to mitigate risks posed by the potential development of large-scale quantum computers. Currently utilized cryptographic algorithms, such as those based on elliptic curve cryptography, are vulnerable to attacks from quantum algorithms like Shor’s algorithm. To address this, the QEaaS implementation integrates ML-KEM and ML-DSA, which are key encapsulation and digital signature algorithms respectively, designed to resist known quantum attacks. These algorithms leverage lattice-based cryptography, a class of algorithms considered post-quantum secure, thereby ensuring the long-term confidentiality and integrity of entropy delivery even in a post-quantum threat landscape.

Performance testing of a verified Datagram Transport Layer Security (DTLS) handshake on an ESP32 microcontroller demonstrates significant speed improvements using post-quantum cryptographic algorithms. Specifically, a handshake utilizing ML-KEM-512 and ML-DSA-44 completed in 249 milliseconds with full verification. This represents a 63% reduction in handshake time compared to a traditional approach employing ECDHE P-256 and ECDSA with verification. Furthermore, disabling verification reduced the ML-KEM/ML-DSA handshake time to 225 milliseconds, achieving a 35% speedup over the traditional, verified handshake.

Analysis of DTLS 1.3 handshake latency reveals that network overhead accounts for approximately three round trips, with remaining latency primarily attributed to key exchange and certificate verification computation (3 × plain CoAP mean), and client-side certificate chain verification, as demonstrated for both ECDSA and ML-DSA-44 groups.

From Lab to Reality: Client-Side Implementation and Optimization

The integration of Quantum Entropy as a Service (QEaaS) into devices with limited computational resources presents a significant engineering challenge. To address this, researchers utilized the ESP32 microcontroller, powered by the Zephyr RTOS, as a practical testbed. This selection is deliberate; the ESP32 represents a common class of embedded systems – those with constrained memory and processing power – frequently found in IoT deployments and edge computing scenarios. Successfully implementing QEaaS on this platform demonstrates the feasibility of extending the benefits of quantum-enhanced randomness to a broad range of resource-limited applications. The ESP32’s performance serves as a crucial benchmark, proving that robust quantum entropy generation and secure communication protocols are attainable even within the tight constraints of such devices, paving the way for wider adoption of quantum-resistant security measures.

The client-side implementation hinges on a streamlined communication protocol and robust entropy generation. Constrained environments benefit from the efficiency of Libcoap, a lightweight alternative to HTTP, facilitating secure communication with the QEaaS server. Crucially, the system constructs a resilient Entropy Pool utilizing the BLAKE2s cryptographic hash function. BLAKE2s efficiently mixes multiple entropy sources, including data from the device’s True Random Number Generator (TRNG), ensuring a high-quality seed for cryptographic operations. This approach minimizes reliance on external randomness and fortifies the system against potential entropy depletion, providing a secure foundation for key generation and data encryption even on resource-limited devices.
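As an added illustration (not code from the paper or from this article), the following Python sketch shows one way a BLAKE2s pool can behave as described here and in the latency note above: injection rehashes a single block, while extraction hashes the whole state. The pool layout, the `Blake2sPool` and `seeded_pool` names, the source labels and the seeding threshold are assumptions; the sample bytes are constructed stand-ins for TRNG and QRNG output.

```python
import hashlib

BLOCK = 32  # BLAKE2s digest size in bytes


class Blake2sPool:
    """Assumed pool layout for illustration; not the paper's implementation."""

    def __init__(self, size=256, min_seed_bytes=32):
        if size < BLOCK or size % BLOCK:
            raise ValueError("size must be a positive multiple of 32")
        self.state = bytearray(size)
        self.cursor = 0      # block that the next injection mixes into
        self.injected = 0    # bytes mixed in so far
        self.counter = 0     # makes every output block distinct
        self.min_seed_bytes = min_seed_bytes

    def inject(self, source: bytes, data: bytes) -> None:
        """Incremental mixing: one 32-byte block is rehashed, whatever the pool size."""
        if not data:
            return
        off = self.cursor * BLOCK
        h = hashlib.blake2s(person=b"pool-inj")
        h.update(bytes(self.state[off:off + BLOCK]))
        h.update(bytes([len(source)]) + source)  # length-prefixed source label
        h.update(data)
        self.state[off:off + BLOCK] = h.digest()
        self.cursor = (self.cursor + 1) % (len(self.state) // BLOCK)
        self.injected += len(data)

    def extract(self, n: int) -> bytes:
        """Full-state hashing: the cost grows with the pool size."""
        if self.injected < self.min_seed_bytes:
            raise RuntimeError("pool not seeded; refusing to output")
        out = b""
        while len(out) < n:
            self.counter += 1
            h = hashlib.blake2s(person=b"pool-out")
            h.update(self.counter.to_bytes(8, "big") + bytes(self.state))
            out += h.digest()
        # Ratchet: replace block 0 with a hash of the whole state so the pool
        # that produced this output no longer exists in memory afterwards.
        r = hashlib.blake2s(bytes(self.state), person=b"pool-rat").digest()
        self.state[:BLOCK] = r
        return out[:n]


def seeded_pool(trng: bytes, qrng: bytes) -> Blake2sPool:
    """Mix a local TRNG sample and a QEaaS (QRNG) sample into a fresh pool."""
    pool = Blake2sPool()
    pool.inject(b"trng", trng)
    pool.inject(b"qeaas", qrng)
    return pool


# Constructed sample inputs (fixed bytes standing in for real entropy).
TRNG_SAMPLE = bytes(range(32))
QRNG_SAMPLE = bytes(range(32, 64))

if __name__ == "__main__":
    print(seeded_pool(TRNG_SAMPLE, QRNG_SAMPLE).extract(32).hex())
```

Because every output hashes the full state, it depends on both injected samples, and the seeding check keeps an empty pool from handing out predictable bytes after boot.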

To bolster security and reliability, the system integrates a True Random Number Generator (TRNG) alongside the Quantis Quantum Random Number Generator (QRNG), with the latter employing Universal-2 hashing for post-processing to refine randomness. This combined approach ensures continued operation even if one entropy source is compromised. Crucially, the cryptographic handshake – utilizing ML-KEM-512 and ML-DSA-44 – has been verified to operate within the constrained memory environment of the ESP32 microcontroller, requiring only 97kB of peak heap usage from its 105kB available. Performance analysis reveals that, following the handshake, the Datagram Transport Layer Security (DTLS) round trip time remains consistently low at 24.1ms, and is notably independent of the chosen asymmetric algorithm, demonstrating efficient and predictable communication overhead.

Scaling Quantum Entropy: A Vision for the Future

The Quantum Entropy as a Service (QEaaS) server benefits from a deployment strategy centered around Docker and Nginx, ensuring both scalability and reliability for broad accessibility. Docker containerization packages the QEaaS application with all its dependencies, simplifying deployment across diverse environments and facilitating consistent operation. Nginx acts as a robust reverse proxy and load balancer, efficiently distributing client requests to multiple QEaaS instances. This architecture allows the system to handle a growing number of users without performance degradation, and provides automatic failover in case of server issues, guaranteeing continuous access to quantum-derived random numbers. The combination creates a highly available and easily expandable infrastructure, making secure, quantum-based entropy readily available as a service to a wide range of applications and devices.

The implementation of HTTPS, facilitated by the Nginx web server, represents a crucial step in making quantum entropy services broadly accessible. While tailored quantum communication protocols offer enhanced security, their adoption is often limited by compatibility issues with existing infrastructure. By leveraging the widely-supported HTTPS protocol, the Quantum Entropy as a Service (QEaaS) server seamlessly integrates with a vast range of client systems, from standard web browsers and mobile applications to legacy servers, without requiring substantial modifications. This pragmatic approach ensures that the benefits of quantum-derived randomness are not restricted to specialized environments, fostering widespread adoption and enhancing the security posture of diverse digital applications and services.

The deployment of Quantum Entropy as a Service (QEaaS) signifies a potential paradigm shift in digital security, moving beyond computationally generated randomness towards harnessing the fundamentally unpredictable nature of quantum mechanics. This architecture envisions a future where every device, from smartphones and laptops to critical infrastructure systems, can access truly random numbers derived from quantum processes, bolstering defenses against increasingly sophisticated cyberattacks. By offering quantum-backed randomness as a readily available service, the system aims to eliminate vulnerabilities inherent in pseudorandom number generators, which, while efficient, are ultimately predictable given enough computational power. The broad accessibility of this technology promises to enhance privacy by enabling stronger encryption keys and more secure authentication protocols, ultimately fortifying the foundations of trust in the digital realm and offering a robust defense against future threats to data security.

The pursuit of unbreakable systems, as demonstrated by this ‘Quantum Entropy as a Service’ architecture, feels… familiar. It’s the same old story: elegant theory meeting the unyielding force of production realities. The researchers managed to get viable performance on ESP32 microcontrollers, which is… mildly impressive, considering. It reminds one of Blaise Pascal’s observation: ‘The eloquence of angels is silence.’ All this cryptographic complexity, this striving for perfect entropy… ultimately, the system will likely fail in some predictable, yet frustrating, manner. It’s not a matter of if something breaks, but when, and what obscure edge case triggers it. The Zephyr RTOS provides a nice base, but even that’s just another layer of abstraction destined to become technical debt. One can’t help but think they don’t write code; they leave notes for digital archaeologists.

What’s Next?

The demonstrated viability of Quantum Entropy as a Service on resource-constrained hardware merely shifts the problem; it does not solve it. The immediate challenge isn’t the entropy source itself, but the scaling of trust. Every CoAP endpoint now requires a root of trust traceable back to a quantum source, introducing a new single point of failure, albeit one rooted in physics rather than code. The architecture presented will inevitably become a target for side-channel attacks focused not on cryptographic algorithms, but on the noise characteristics of the quantum random number generator.

Further research will undoubtedly focus on minimizing the operational overhead of post-quantum key exchange. However, the real bottleneck isn’t computational cost; it’s the logistical burden of key management at scale. Every ‘secure’ device becomes a dependency, and dependencies accrue technical debt. The promise of perfect randomness simply raises the bar for imperfect implementations.

Ultimately, this work reinforces a familiar pattern. Innovation isn’t about finding new solutions; it’s about reinventing existing crutches with better branding. The field doesn’t need more microservices; it needs fewer illusions. The next iteration won’t be about stronger cryptography, but about accepting a degree of inherent uncertainty.


Original article: https://arxiv.org/pdf/2603.10274.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/


2026-03-12 08:48