Much of the discussion about how quantum computing will impact application security (AppSec) has focused on the catastrophic effects from cracking existing cryptography. But quantum computing can benefit AppSec by enabling the creation of truly random numbers, which is essential to secure development — especially for protecting development secrets more robustly.
Jasmine Noel, senior product marketing manager at ReversingLabs, explained the dangers inherent in quantum computing for AppSec — and how recent breakthroughs in quantum random number generators (QRNGs) will aid teams in securing their software.
"Quantum computers are so fast that they are like having a shortcut to do two things. First, algorithms can be cracked faster. Second, quantum computers can figure out what keys will be created by the random number generators we use today because the numbers aren’t truly random. There is a pattern for quantum computers to find. So having a better source of random numbers will help with half of the problem, and upgrading the algorithms will help with the other half."
—Jasmine Noel
Rebecca Krauthamer, co-founder and CEO of QuSecure, said randomness is foundational to cryptography — but not all randomness is created equal.
"Traditional pseudo random number generators (PRNGs) simulate randomness algorithmically. They’re efficient, but because they’re deterministic, they can be reverse engineered if the algorithm or seed is known."
—Rebecca Krauthamer
Quantum random number generators (QRNGs) are different. "They leverage the inherent unpredictability of quantum phenomena to generate truly random numbers. This is randomness rooted in the laws of physics, not just math," Krauthamer noted.
Arthur Savage, a software engineer at Red Hat, said that some purposes, such as cryptography, require more randomness than others. "Quantum computers can rely on the intrinsic, true randomness of electrons — called spin — to create a number that cannot be traced to any known starting value," he said.
"As a general principle in cryptography, by reducing the ability of an attacker to find patterns in your random numbers, you make it harder to break your cryptographic protocols."
—Arthur Savage
Here's what a recent breakthrough on QRNGs brings to the table for AppSec.
1. QRNGs are not new, but implementation has been limited
It has been difficult to make QRNG commercially viable for the mass market because it requires a lot of expensive equipment, said Michela Menting, digital security research director at ABI Research. She said that in the last two years or so, however, ID Quantique, Toshiba, and others have managed to integrate QRNG on semiconductor chip-based solutions that can be manufactured using standard mass production processes.
"This bodes well for QRNG, which can now start competing on a level playing field with other RNGs, as it can be more easily integrated into devices."
—Michela Menting
The approach is also being implemented via software. For example, Quantinuum recently announced that its Quantum Origin software QRNG received validation from the National Institute of Standards and Technology (NIST) — as well as announcing the release of the first QRNG commercial application last month. There are some advantages to the software approach, said Duncan Jones, quantum cybersecurity team lead at Quantinuum.
Hardware QRNGs typically require physical installation and recertification of systems, while network-based services need connectivity that may be problematic for sensitive environments, Jones said.
"Quantum Origin, as the only NIST-validated software QRNG, minimizes integration friction by avoiding hardware dependencies or connectivity requirements. Organizations can deploy Quantum Origin through standard interfaces — OS-level enhancements, HSM [hardware security module] integration via PKCS#11, or development SDKs. This software-based approach uniquely serves environments, from enterprise systems to resource-constrained IoT devices, including air-gapped networks with strict security requirements."
—Duncan Jones
As QRNGs become easier to use, developers will be able to use them to create more robust protection of the development secrets in their software, including API keys, encryption keys, passwords, tokens, and certificates.
2. QRNGs are best, but PRNGs still have their place
Jason Soroko, senior vice president of product at Sectigo, said QRNGs won't completely push aside PRNGs. "Standard PRNGs remain sufficient for most everyday applications, including future postquantum cryptography [PQC]," he said.
"Computational efficiency and lower implementation costs of PRNGs outweigh the need for perfect randomness. QRNG technology is particularly valuable in high-security applications where maximum protection is essential."
—Jason Soroko
Anyone generating cryptographic key pairs requires high-quality entropy and should be aware of the limitations of entropy sources available on the devices used for key generation, Soroko said. "QRNGs undoubtedly provide the highest levels of entropy due to their reliance on quantum phenomena, but well-designed PRNGs, typically implemented in dedicated hardware such as hardware security modules [HSMs], can also deliver strong entropy suitable for most secure applications," he said.
QRNGs are not necessary for implementing quantum-resistant cryptographic algorithms, though combining them provides an optimal security solution meant for use cases needing the highest level of security, he added.
"While postquantum cryptographic methods like Module Lattice-Based Key Encapsulation Mechanism [ML-KEM] can operate with traditional random number generators, integrating a QRNG enhances their security by providing higher-quality randomness."
—Jason Soroko
3. QRNGs can make cryptographic protocols more secure
Cryptographic security depends entirely on the unpredictability of random numbers, explained Quantinuum's Jones. "Attacks like Polynonce and Randstorm demonstrate how randomness vulnerabilities can persist undetected for years, compromising sensitive systems without leaving evidence," he said.
Jones said those attacks exploit fundamental weaknesses in traditional randomness generation that industry-standard testing simply cannot detect. By providing mathematically verified, unbiased randomness, QRNGs strengthen the entire security stack from encryption to authentication, he said.
"This approach doesn't just patch specific vulnerabilities. It eliminates an entire attack vector, strengthening security posture against both classical and quantum threats."
—Duncan Jones
QuSecure's Krauthamer added that secure protocols such as TLS, SSH, and IPsec all rely on random values for key generation, nonces, and ephemeral keys. If these values are weak or predictable, attackers may be able to exploit them to reconstruct private keys or forge sessions — something that has been seen in real-world breaches. She explained that a QRNG injects entropy that is theoretically unpredictable, making such attacks no longer feasible.
"In combination with postquantum cryptography, QRNG can help build even stronger protections against 'harvest now, decrypt later' threats, where adversaries store encrypted traffic today in the hope of breaking it tomorrow with quantum computers."
—Rebecca Krauthamer
The combination can also provide stronger protection of software development secrets, protecting them from unauthorized access and tampering.
4. Significant challenges remain for implementing QRNG
While QRNGs can strengthen the protection of secrets, they come with some challenges for organizations that want to use them. As with many technologies rooted in physics, QRNG comes with hardware, throughput, and trust and transparency challenges, Krauthamer explained.
"Not all environments can host QRNG chips or modules, especially IoT or constrained devices. QRNGs have also historically lagged PRNGs in speed, though that’s rapidly changing with new optical- and cloud-based models. And then there's the question of 'How do we know a QRNG is producing truly random values and hasn’t been compromised?'"
—Rebecca Krauthamer
These are solvable problems, but they underscore the need for cryptographic visibility — a capability sorely lacking in most organizations today, she said. "The solution is not just better QRNGs, but better orchestration around them. That means being able to centrally verify entropy sources, enforce cryptographic policy, and rapidly pivot if issues arise."
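As an added illustration (not from the article or from any vendor quoted in it), the code below implements the two continuous health tests defined in NIST SP 800-90B, one standard way to monitor an entropy source; the sample data and the claimed 8 bits of min-entropy per byte are constructed assumptions. It shows what such monitoring catches (a stuck or heavily biased source) and what it cannot: a fully predictable counter sequence passes, so passing statistical tests is not evidence of unpredictability.

```python
# Added example: continuous health tests from NIST SP 800-90B on byte samples.
# The claimed min-entropy h (bits per byte) and all sample data are constructed.
import math

ALPHA = 2.0 ** -20   # false-positive rate per test (assumed; a common choice)
WINDOW = 512         # adaptive proportion window for non-binary samples

def rct_cutoff(h):
    """Repetition count cutoff: C = 1 + ceil(-log2(alpha) / h)."""
    return 1 + math.ceil(-math.log2(ALPHA) / h)

def apt_cutoff(h):
    """Adaptive proportion cutoff: 1 + CRITBINOM(WINDOW, 2**-h, 1 - alpha)."""
    p, cdf = 2.0 ** -h, 0.0
    for k in range(WINDOW + 1):
        cdf += math.comb(WINDOW, k) * p**k * (1 - p) ** (WINDOW - k)
        if cdf >= 1 - ALPHA:
            return k + 1
    return WINDOW + 1

def repetition_count_ok(data, h):
    """Fail when one value repeats rct_cutoff(h) times in a row (stuck source)."""
    cutoff, run = rct_cutoff(h), 1
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True

def adaptive_proportion_ok(data, h):
    """Fail when a window's first value fills too much of that window (bias)."""
    cutoff = apt_cutoff(h)
    for start in range(0, len(data) - WINDOW + 1, WINDOW):
        window = data[start:start + WINDOW]
        if window.count(window[0]) >= cutoff:
            return False
    return True

def health_check(data, h=8.0):
    return repetition_count_ok(data, h) and adaptive_proportion_ok(data, h)

# Constructed inputs: a stuck source, a biased source, and a plain counter.
STUCK = bytes([0x41]) * 1024
BIASED = bytes([0, 1]) * 512
COUNTER = bytes((i * 97) % 256 for i in range(1024))

if __name__ == "__main__":
    for name, sample in (("stuck", STUCK), ("biased", BIASED), ("counter", COUNTER)):
        print(f"{name:8s} passes health tests: {health_check(sample)}")
```

The counter passing both tests is the reason health tests are treated as failure detectors for a source whose unpredictability is established by other means, such as design review and validation.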
Red Hat's Savage said that one of the biggest challenges facing QRNGs is that quantum computers are out of scope for most users. "Building and running them costs millions of dollars, and many researchers who use them are focused on other things, such as the breaking of public-key encryption," he said. "Using these same computers to generate random numbers is less urgent."
Additionally, Savage said that distributing these random numbers securely and quickly is a huge task that may be more trouble than it is worth from a security perspective.
5. QRNGs help to boost data privacy
As privacy increases in importance for AppDev, QRNGs can be an important asset for developers. Since all digital information requires encryption to remain private, the quality of randomness directly impacts privacy outcomes, Cambridge Quantum's Jones explained.
"The unpredictability provided by quantum randomness ensures that encryption protecting sensitive data remains resilient against computational advances. Organizations are increasingly recognizing this fundamental relationship between randomness quality and long-term data privacy protection."
—Duncan Jones
Krauthamer said QRNGs can protect privacy into the future. "With PQC protections augmented by QRNGs, privacy protections based on encryption, tokenization, or anonymization can become more robust and future-proof, especially in environments like health care, finance, and national security, where data must remain protected for decades," she said.
"But QRNG solves only part of the puzzle. The other part is ensuring that cryptographic policies are enforced consistently, even in sprawling, heterogeneous environments. That’s where orchestrated crypto agility becomes foundational to leveraging tools like QRNGs."
—Rebecca Krauthamer
QRNGs deliver a new era of digital trust
Krauthamer asserted that QRNGs aren't just a new source of entropy for generating random numbers. "It's a signal that we're entering a new era in digital trust," she said. "But to realize its potential, we have to rethink how cryptography is deployed."
"The future isn’t just about better algorithms. It’s about architectures that support dynamic, policy-driven, end-to-end cryptographic management. That includes orchestrating entropy, algorithms, protocols, and lifecycle — all in service of one goal: keeping sensitive data safe, now and in the quantum future."
—Rebecca Krauthamer
Organizations that embrace orchestrated cryptographic agility, rooted in technologies such as QRNG and PQC, are not just reacting to the quantum threat — they’re building resilience into the foundation of their systems, Krauthamer said.
"That’s not hype. That’s good security design."
—Rebecca Krauthamer