At Crypta Labs, we develop quantum random number generators (QRNGs). These devices produce true random numbers from the unpredictable nature of quantum phenomena. Recently, we have been experimenting with using this quantum entropy in post-quantum cryptography (PQC), the next generation of encryption that aims to stay secure against future quantum computers.
For this work, we integrated our QRNG with the wolfCrypt library from wolfSSL, which is available through the STM32CubeMX ecosystem. This setup allows us to explore how to inject quantum entropy in a practical and reproducible way.
But our motivation goes beyond just integration.
When we think about security risks, we often focus on the complexity of the cryptographic algorithms. There is a common belief that a stronger scheme guarantees safety. But a stronger scheme does not help if the keys it is given were predictable, and this is where even post-quantum systems can fail: the most essential input to any secure system is randomness. ML-KEM, NIST's standardized post-quantum key encapsulation mechanism (FIPS 203), is a concrete example. Its key generation consumes 64 bytes of randomness, the two 32-byte seeds d and z, and everything else is derived deterministically from them. If those 64 bytes are predictable, the key is predictable, regardless of the lattice hardness underneath. The source of entropy therefore decides whether the resulting keys can withstand classical and quantum attackers alike.
It is hard, if not impossible, to find a better source of entropy than the inherently random nature of quantum phenomena. This raises a natural question: why not use quantum randomness in PQC?
To this, we respond: we have done it.
Three Ways to Use Randomness in Cryptography
In our experiments, we explored three different approaches.
1. The Standard Way: Using System Randomness
Most cryptographic software relies on randomness supplied by the system. This often works well for general use, but the quality of that randomness depends heavily on the platform and on implementation details. Entropy sources differ across devices, virtual environments and early-boot conditions, and their unpredictability is not easy to verify from the outside. In certified contexts such as FIPS 140-3 validation, the structure is prescribed: the entropy source itself must be assessed (NIST SP 800-90B), and its output is used only to seed an approved DRBG (Deterministic Random Bit Generator, NIST SP 800-90A), whose output in turn feeds the cryptographic algorithms.
This is the standard model: entropy enters once, and determinism expands it from there.
2. The Hybrid Approach: Quantum Randomness Through the Standard System
A natural improvement is to keep the standard pipeline but replace the underlying entropy source with quantum randomness. wolfCrypt lets the build supply its own seed function, which the library's DRBG calls whenever it instantiates or reseeds; by implementing that callback against our QRNG, quantum entropy becomes the seed of the DRBG while everything downstream stays unchanged. This preserves the security properties and compatibility of the traditional model while grounding it in genuinely unpredictable quantum phenomena. Importantly, because the approved DRBG remains in the loop, this approach fits the FIPS 140-3 model (with the entropy source assessed separately under SP 800-90B), making it our recommended solution for production deployments.
It creates a complete quantum-safe chain: from entropy, through certified processing, into post-quantum algorithms.
3. Our Study for the Future: Quantum Randomness Straight to Cryptography
Finally, we looked into a more direct possibility. With a fast and fundamentally unpredictable QRNG, we believe it may be possible to bypass the DRBG layer entirely and feed quantum randomness straight into cryptographic operations. This rests on the fact that our QRNG does not expand entropy; it uses a NIST-approved conditioning component that compresses raw quantum measurements into high-quality output bits. And because it is fast enough to keep up with key generation, even under demanding communication loads, direct injection becomes practical.
The caveat is worth stating plainly. Without a DRBG in front of it, nothing masks a transient fault in the source: a stuck or degraded device would feed its output directly into the key. Continuous health tests on the source, of the kind SP 800-90B requires, therefore stop being a formality and become the last line of defence. So while this method shows the long-term potential of direct quantum entropy, the seeding approach remains our preferred option for certifiable, production-ready systems.
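The two approaches above differ only in where entropy enters the pipeline, which is easier to see in code than in prose. The block below is an added illustration, not Crypta Labs' integration or wolfSSL's own code. It writes out an SP 800-90A HMAC_DRBG (HMAC-SHA-256) so the seed-once-then-expand structure is visible; wolfCrypt's own RNG is a Hash_DRBG behind wc_RNG_GenerateBlock(), and its seed hook plays the role that the entropy_source callback plays here. FakeQrng is a constructed stand-in for a conditioned QRNG output stream (a hashed counter, so the example runs offline and repeatably; it carries no entropy of its own), keygen_rand_direct models the 64-byte d || z input that wc_KyberKey_MakeKeyWithRandom() accepts instead of calling the RNG, and the function and class names are hypothetical.

```python
"""Three routes by which randomness can reach ML-KEM key generation.

Added illustration. HmacDrbg, FakeQrng and keygen_rand_* are hypothetical
names for this example; only wc_RNG_GenerateBlock() and
wc_KyberKey_MakeKeyWithRandom() in the comments are real wolfCrypt functions.
"""
import hashlib
import hmac
import math
import os
from typing import Callable

EntropySource = Callable[[int], bytes]   # returns n bytes of entropy input
MLKEM_KEYGEN_RAND_SZ = 64                # d || z: two 32-byte seeds (FIPS 203)
SEED_LEN = 48                            # entropy input || nonce for a 256-bit DRBG
RESEED_INTERVAL = 1 << 16                # generate() calls before fresh entropy is pulled


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class HmacDrbg:
    """SP 800-90A HMAC_DRBG: entropy enters at instantiate/reseed, HMAC expands it."""

    def __init__(self, entropy_source: EntropySource, personalization: bytes = b"") -> None:
        self._entropy = entropy_source
        self._k, self._v = b"\x00" * 32, b"\x01" * 32
        self._update(self._entropy(SEED_LEN) + personalization)   # instantiate
        self._calls = 0

    def _update(self, provided: bytes) -> None:
        self._k = _hmac(self._k, self._v + b"\x00" + provided)
        self._v = _hmac(self._k, self._v)
        if provided:                     # second half only when new material arrives
            self._k = _hmac(self._k, self._v + b"\x01" + provided)
            self._v = _hmac(self._k, self._v)

    def reseed(self) -> None:
        self._update(self._entropy(SEED_LEN))
        self._calls = 0

    def generate(self, n: int) -> bytes:
        if self._calls >= RESEED_INTERVAL:
            self.reseed()
        out = b""
        while len(out) < n:
            self._v = _hmac(self._k, self._v)
            out += self._v
        self._update(b"")                # advance state so past output cannot be recovered
        self._calls += 1
        return out[:n]


class FakeQrng:
    """Constructed stand-in for a QRNG whose conditioner delivers full-entropy bytes.
    A hashed counter keeps the example offline and repeatable; it has no entropy."""

    def __init__(self, tag: bytes) -> None:
        self._tag, self._ctr = tag, 0

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self._tag + self._ctr.to_bytes(8, "big")).digest()
            self._ctr += 1
        return out[:n]


def repetition_count_ok(sample: bytes, bits_per_sample: int = 8, alpha_log2: int = 20) -> bool:
    """SP 800-90B 4.4.1 repetition count test: fail if one sample value repeats
    C = 1 + ceil(-log2(alpha) / H) times in a row (C = 4 for H = 8, alpha = 2^-20)."""
    cutoff = 1 + math.ceil(alpha_log2 / bits_per_sample)
    run = 0
    for i, b in enumerate(sample):
        run = run + 1 if i and b == sample[i - 1] else 1
        if run >= cutoff:
            return False
    return True


def keygen_rand_standard() -> bytes:
    """Approach 1: DRBG seeded from whatever the platform supplies."""
    return HmacDrbg(os.urandom).generate(MLKEM_KEYGEN_RAND_SZ)


def keygen_rand_hybrid(qrng_read: EntropySource) -> bytes:
    """Approach 2: identical DRBG pipeline, but the seed callback reads the QRNG.
    This is the position wolfCrypt's seed hook occupies in front of wc_RNG_GenerateBlock()."""
    return HmacDrbg(qrng_read, personalization=b"ml-kem-keygen").generate(MLKEM_KEYGEN_RAND_SZ)


def keygen_rand_direct(qrng_read: EntropySource) -> bytes:
    """Approach 3: hand 64 QRNG bytes straight to key generation, the
    wc_KyberKey_MakeKeyWithRandom() path. With no DRBG to absorb a source fault,
    the health test is all that separates a stuck device from a predictable key."""
    rand = qrng_read(MLKEM_KEYGEN_RAND_SZ)
    if len(rand) != MLKEM_KEYGEN_RAND_SZ or not repetition_count_ok(rand):
        raise RuntimeError("QRNG output failed length/health check; refusing to generate a key")
    return rand
```

Two things the code makes concrete. First, two DRBGs instantiated from the same seed bytes produce the same 64-byte key material: the pipeline is deterministic after the seed, which is exactly why the seed source decides the security of every key downstream. Second, keygen_rand_direct refuses to proceed when the source is stuck, whereas the DRBG variants would silently turn a stuck seed into plausible-looking output; that is the trade-off between approaches 2 and 3 in one function.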
wolfCrypt PQC
We chose wolfCrypt for our post-quantum cryptography implementation for three main reasons. First, wolfCrypt has strong support for the STM32 platform, which made integrating our QRNG straightforward. Second, as an established cryptographic library with a FIPS validation history, wolfCrypt provides the reliability that security-critical applications need. Lastly, wolfCrypt exposes key generation with caller-supplied randomness through functions such as wc_KyberKey_MakeKeyWithRandom(), which takes the key-generation randomness as an argument instead of drawing it from the library's RNG. That is what let us test feeding quantum entropy directly into ML-KEM key generation.
We have written a guest post for the wolfSSL blog that includes many technical details, which you can find here.
Key Takeaway
Integrating our QRNG with wolfCrypt PQC is straightforward. Our QRNG hardware conditions its entropy to NIST standards before delivery, so its output is suitable both for seeding the standard DRBG pipeline and for direct injection into wolfSSL's ML-KEM key generation.
For organizations moving to wolfSSL-based post-quantum solutions, QRNG-based seeding addresses a commonly overlooked risk: weak or unverifiable entropy sources. The outcome is post-quantum cryptography supported by quantum-safe entropy: not just algorithms that resist quantum attacks, but randomness that does as well.
That is what true quantum resilience requires.
