# Statistical Invisibility of a Physical Attack on QRNGs After Randomness Extraction

**Authors:** Yi-Fan Chen, Dong Wang, Yi-Bo Zhao, Liang Cheng, Yi Zhang, and Yang Zhang

arXiv: 2508.21498 · 2025-09-03

## TL;DR

This paper reveals that current QRNG designs using post-processing and statistical tests can conceal physical attacks, producing seemingly secure random outputs despite underlying vulnerabilities.

## Contribution

It demonstrates that the extraction process can hide physical-layer attacks, compromising the security validation of QRNGs across different architectures.

## Key findings

- Attacks on raw data can be concealed after extraction, passing standard tests.
- The vulnerability extends to phase-noise-based QRNGs.
- Statistical validation of final output alone is insufficient for security assurance.

## Abstract

Current prevailing designs of quantum random number generators (QRNGs) designs typically employ post-processing techniques to distill raw random data, followed by statistical verification with suites like NIST SP 800-22. This paper demonstrates that this widely adopted practice harbors a critical flaw. We show that the powerful extraction process can create a false sense of security by perfectly concealing physical-layer attacks, rendering the subsequent statistical tests blind to a compromised entropy source. We substantiate this claim across two major QRNG architectures. Experimentally, we severely compromise an QRNG based on amplified spontaneous emission (ASE) with a power supply ripple attack. While the resulting raw data catastrophically fails NIST tests, a standard Toeplitz extraction transforms it into a final sequence that passes flawlessly. This outcome highlights a profound danger: since the validation process is insensitive to the quality of the raw data, it implies that even a fully predictable input could be processed to produce a certified, yet completely insecure, random sequence. Our theoretical analysis confirms this vulnerability extends to phase-noise-based QRNGs, suggesting a need for security validation to evolve beyond statistical analysis of the final output and consider the entire generation process.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2508.21498/full.md

## Figures

3 figures with captions in the complete paper: https://tomesphere.com/paper/2508.21498/full.md

## References

38 references — full list in the complete paper: https://tomesphere.com/paper/2508.21498/full.md

---
Source: https://tomesphere.com/paper/2508.21498