Statistical Invisibility of a Physical Attack on QRNGs After Randomness Extraction | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Article Statistical Invisibility of a Physical Attack on QRNGs After Randomness Extraction Yi-Fan Chen, Dong Wang, Yi-Bo Zhao, Liang Cheng, Yi Zhang, Yang Zhang This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7495469/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Current prevailing designs of quantum random number generators (QRNGs) designs typically employ post-processing techniques to distill raw random data, followed by statistical verification with suites like NIST SP 800-22. This paper demonstrates that this widely adopted practice harbors a critical flaw. We show that the powerful extraction process can create a false sense of security by perfectly concealing physical-layer attacks, rendering the subsequent statistical tests blind to a compromised entropy source. We substantiate this claim across two major QRNG architectures. Experimentally, we severely compromise an QRNG based on amplified spontaneous emission (ASE) with a power supply ripple attack. While the resulting raw data catastrophically fails NIST tests, a standard Toeplitz extraction transforms it into a final sequence that passes flawlessly. This outcome highlights a profound danger: since the validation process is insensitive to the quality of the raw data, it implies that even a fully predictable input could be processed to produce a certified, yet completely insecure, random sequence. Our theoretical analysis confirms this vulnerability extends to phase-noise-based QRNGs, suggesting a need for security validation to evolve beyond statistical analysis of the final output and consider the entire generation process. Physical sciences/Engineering Physical sciences/Mathematics and computing Physical sciences/Physics Quantum Random Number Generator Security Physical Layer Attacks Toeplitz Hashing NIST SP 800-22 Validation Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7495469","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Article","associatedPublications":[],"authors":[{"id":526126623,"identity":"17a9d9b3-d4ab-4a12-ae8e-f068a24a894c","order_by":0,"name":"Yi-Fan Chen","email":"","orcid":"","institution":"Institute of Software","correspondingAuthor":false,"prefix":"","firstName":"Yi-Fan","middleName":"","lastName":"Chen","suffix":""},{"id":526126624,"identity":"de4aee89-e4cf-4bf1-bc71-f58f620d651e","order_by":1,"name":"Dong Wang","email":"","orcid":"","institution":"Beijing GGQuanta Co. Ltd.","correspondingAuthor":false,"prefix":"","firstName":"Dong","middleName":"","lastName":"Wang","suffix":""},{"id":526126625,"identity":"08c52b54-2ca1-47e9-a362-6b6b7db6c0e5","order_by":2,"name":"Yi-Bo Zhao","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAyklEQVRIiWNgGAWjYDACCSBmbLBJYGNgSCBJSxrpWg4TqxwI5Gc3P3zMu+N8Hh//gWcSDBX37BoIaWGcc8zYmPfM7WI2hgNpEgxnipMJamGWSDCT5m27ndgG9JAEY1tCMkGHsUmkfwNqOZfYxsxApBYeiRyQLQcS29ggWuwIapGQyCk2nHsmObGNhyHZIuFMQgJBLfIz0jc+eLvDLnF+/5nEGx8qEuwJagEBJh6IGxNAkZnYQIwWxh9giv0AiCTOllEwCkbBKBhRAAAnYjmp3bf4QgAAAABJRU5ErkJggg==","orcid":"","institution":"Huzhou Institute of Zhejiang University","correspondingAuthor":true,"prefix":"","firstName":"Yi-Bo","middleName":"","lastName":"Zhao","suffix":""},{"id":526126626,"identity":"f014c6df-acde-4c6c-b3b2-5434c5fafc31","order_by":3,"name":"Liang Cheng","email":"","orcid":"","institution":"Institute of Software","correspondingAuthor":false,"prefix":"","firstName":"Liang","middleName":"","lastName":"Cheng","suffix":""},{"id":526126627,"identity":"fb60e03b-cf51-4bee-b9c5-a5bb34d6a895","order_by":4,"name":"Yi Zhang","email":"","orcid":"","institution":"Institute of Cryptography and Cyberspace Security (Huangpu)","correspondingAuthor":false,"prefix":"","firstName":"Yi","middleName":"","lastName":"Zhang","suffix":""},{"id":526126628,"identity":"119a234b-d4aa-4ad1-abd8-9b2a07deb843","order_by":5,"name":"Yang Zhang","email":"","orcid":"","institution":"Institute of Software","correspondingAuthor":false,"prefix":"","firstName":"Yang","middleName":"","lastName":"Zhang","suffix":""}],"badges":[],"createdAt":"2025-08-30 13:08:18","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7495469/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7495469/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":93733225,"identity":"21b70d83-a733-4727-9324-2f0d2d2ebcbc","added_by":"auto","created_at":"2025-10-17 02:40:28","extension":"json","order_by":0,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":7080,"visible":true,"origin":"","legend":"","description":"","filename":"6e8179d70b7443ba80f3d87e49c42c3b.json","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/e905e77c82a53e53e7cb04f4.json"},{"id":93733447,"identity":"a6d0bac9-aec1-4779-93c9-7f7a7fc8b496","added_by":"auto","created_at":"2025-10-17 02:48:28","extension":"xml","order_by":1,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":87997,"visible":true,"origin":"","legend":"","description":"","filename":"6e8179d70b7443ba80f3d87e49c42c3b1enriched.xml","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/f503a5d1183a3ebb54c18fae.xml"},{"id":93733246,"identity":"14b6cc7e-453b-4261-ad88-6ab5892e74c4","added_by":"auto","created_at":"2025-10-17 02:40:31","extension":"pdf","order_by":2,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":512062,"visible":true,"origin":"","legend":"","description":"","filename":"ArticleTitle1.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/1b985398cb3ed983488d6af2.pdf"},{"id":93733231,"identity":"8108928c-0a72-491d-b441-d27dfd250517","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"eps","order_by":3,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":2890,"visible":true,"origin":"","legend":"","description":"","filename":"empty.eps","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/0c6cc21de5f1fd856a1d93b2.eps"},{"id":93733233,"identity":"ecfff92e-1e15-4294-817c-9b4112fa919b","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"eps","order_by":4,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":91593,"visible":true,"origin":"","legend":"","description":"","filename":"fig.eps","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/d334d3435ed949e53fd28373.eps"},{"id":93733235,"identity":"e406460c-3e37-4fdd-8d65-fc29a6741a9d","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"png","order_by":5,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":189360,"visible":true,"origin":"","legend":"","description":"","filename":"pearsonvoltage.png","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/d29a91075a6d08e2b47da8b3.png"},{"id":93733450,"identity":"36cb4bd4-877e-4bb3-9940-28840fd4161f","added_by":"auto","created_at":"2025-10-17 02:48:29","extension":"png","order_by":6,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":38279,"visible":true,"origin":"","legend":"","description":"","filename":"phasenew.png","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/44fb2f7b10897c0bc4a591b3.png"},{"id":93733242,"identity":"499ad74c-576d-4cc2-855f-f1e5248c6bb3","added_by":"auto","created_at":"2025-10-17 02:40:31","extension":"png","order_by":7,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":61459,"visible":true,"origin":"","legend":"","description":"","filename":"slednew.png","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/3f826676f48a9e1227b9fa45.png"},{"id":93733227,"identity":"58d5a05a-bc46-445b-a7ad-24e458d2924c","added_by":"auto","created_at":"2025-10-17 02:40:29","extension":"bst","order_by":8,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":147148,"visible":true,"origin":"","legend":"","description":"","filename":"snapacite.bst","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/5b5d74ae814e5652fdce57e8.bst"},{"id":93733226,"identity":"4d6ef22b-1f21-407d-837b-39f7cc361baf","added_by":"auto","created_at":"2025-10-17 02:40:29","extension":"bst","order_by":9,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":30423,"visible":true,"origin":"","legend":"","description":"","filename":"snaps.bst","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/0c67c4500855e3940278d0fb.bst"},{"id":93733230,"identity":"e41417fa-67d4-457e-a3de-3f0dbebd97a2","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"pdf","order_by":10,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":390370,"visible":true,"origin":"","legend":"","description":"","filename":"snarticle.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/92208e5aa950e10aa4841547.pdf"},{"id":93733240,"identity":"69b66713-4ba6-437a-bf00-8339ab655d3c","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"bst","order_by":11,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":35733,"visible":true,"origin":"","legend":"","description":"","filename":"snbasic.bst","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/9c8e69906745ce9f505a81a5.bst"},{"id":93733237,"identity":"adacb283-791a-4b17-a6fe-caae090eb15f","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"bst","order_by":12,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":40398,"visible":true,"origin":"","legend":"","description":"","filename":"snchicago.bst","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/2d1e104d63990c98737b45ac.bst"},{"id":93733449,"identity":"41346c10-6dfc-4058-8fc1-2716fcee7478","added_by":"auto","created_at":"2025-10-17 02:48:29","extension":"cls","order_by":13,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":55331,"visible":true,"origin":"","legend":"","description":"","filename":"snjnl.cls","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/820f3aaab259a029256434fa.cls"},{"id":93733232,"identity":"1fa79311-1c9e-4ab9-9eb2-be965615dea3","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"bst","order_by":14,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":64140,"visible":true,"origin":"","legend":"","description":"","filename":"snmathphysay.bst","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/20d967c9bdc0b6db62c356d1.bst"},{"id":93733239,"identity":"0c81fd49-fb6a-4fdb-81d5-f178c59c2b37","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"bst","order_by":15,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":64141,"visible":true,"origin":"","legend":"","description":"","filename":"snmathphysnum.bst","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/9cbf685e31670438abdbf1ce.bst"},{"id":93733451,"identity":"4636f75c-cbed-44a3-9c19-3032db2e3a1d","added_by":"auto","created_at":"2025-10-17 02:48:30","extension":"bst","order_by":16,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":38349,"visible":true,"origin":"","legend":"","description":"","filename":"snnature.bst","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/a2244ef6dbf30327b42f0b76.bst"},{"id":93733448,"identity":"7e870fe5-e82b-47bb-b6c9-c5ef8d10841b","added_by":"auto","created_at":"2025-10-17 02:48:29","extension":"bst","order_by":17,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":41304,"visible":true,"origin":"","legend":"","description":"","filename":"snvancouver.bst","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/19595df8c5ccd5a0572910ea.bst"},{"id":93733241,"identity":"5f77038f-6762-43f1-81e7-0d117ee406ce","added_by":"auto","created_at":"2025-10-17 02:40:30","extension":"pdf","order_by":18,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":415247,"visible":true,"origin":"","legend":"","description":"","filename":"usermanual.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/a60aa0ca85a41fbfa2e090f9.pdf"},{"id":93733243,"identity":"c835c496-ce15-4b81-9ed3-bd3c3c0fbd31","added_by":"auto","created_at":"2025-10-17 02:40:31","extension":"xml","order_by":22,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":94395,"visible":true,"origin":"","legend":"","description":"","filename":"6e8179d70b7443ba80f3d87e49c42c3b1structuring.xml","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/9657a8af7ba6bbc79fc98575.xml"},{"id":93733248,"identity":"17f63639-5076-4f2c-a19f-fa785b0e4d73","added_by":"auto","created_at":"2025-10-17 02:40:32","extension":"html","order_by":23,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":99957,"visible":true,"origin":"","legend":"","description":"","filename":"earlyproof.html","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1/76ebc7bcfe9f36aecf4d8399.html"},{"id":96241081,"identity":"51191059-60c1-4a49-ab35-e4be08794b42","added_by":"auto","created_at":"2025-11-19 07:10:03","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":572655,"visible":true,"origin":"","legend":"","description":"","filename":"ArticleTitle1.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7495469/v1_covered_3f438a36-e47f-4806-99f4-2433fed303bc.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Statistical Invisibility of a Physical Attack on QRNGs After Randomness Extraction","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"Quantum Random Number Generator Security, Physical Layer Attacks, Toeplitz Hashing, NIST SP 800-22 Validation","lastPublishedDoi":"10.21203/rs.3.rs-7495469/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7495469/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eCurrent prevailing designs of quantum random number generators (QRNGs) designs typically employ post-processing techniques to distill raw random data, followed by statistical verification with suites like NIST SP 800-22. This paper demonstrates that this widely adopted practice harbors a critical flaw. We show that the powerful extraction process can create a false sense of security by perfectly concealing physical-layer attacks, rendering the subsequent statistical tests blind to a compromised entropy source. We substantiate this claim across two major QRNG architectures. Experimentally, we severely compromise an QRNG based on amplified spontaneous emission (ASE) with a power supply ripple attack. While the resulting raw data catastrophically fails NIST tests, a standard Toeplitz extraction transforms it into a final sequence that passes flawlessly. This outcome highlights a profound danger: since the validation process is insensitive to the quality of the raw data, it implies that even a fully predictable input could be processed to produce a certified, yet completely insecure, random sequence. Our theoretical analysis confirms this vulnerability extends to phase-noise-based QRNGs, suggesting a need for security validation to evolve beyond statistical analysis of the final output and consider the entire generation process.\u003c/p\u003e","manuscriptTitle":"Statistical Invisibility of a Physical Attack on QRNGs After Randomness Extraction","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-10-17 02:40:22","doi":"10.21203/rs.3.rs-7495469/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"
[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"371459fa-2a9a-4246-825f-09cd94c288b2","owner":[],"postedDate":"October 17th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[{"id":55920828,"name":"Physical sciences/Engineering"},{"id":55920829,"name":"Physical sciences/Mathematics and computing"},{"id":55920830,"name":"Physical sciences/Physics"}],"tags":[],"updatedAt":"2025-11-13T17:23:33+00:00","versionOfRecord":[],"versionCreatedAt":"2025-10-17 02:40:22","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-7495469","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7495469","identity":"rs-7495469","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
Text is read by the "Ask this paper" AI Q&A widget below.
Extraction quality varies by source — PMC NXML preserves structure
cleanly, OA-HTML may include some navigation residue, and OA-PDF can
have broken hyphenation. The publisher copy
(via DOI)
is the canonical version.