by dsacco 2995 days ago
It’s relevant in an information theoretic sense. However, modern security is explicitly computational rather than information theoretic, which means it’s not relevant for modern security in any practical sense. For example, one time pads are only really used (correctly and safely) by agencies like the NSA and GCHQ, and even then only for the strictest, “spare no expense” security requirements.

I’d personally be appalled to see a quantum random number generator utilized in a cryptosystem. Well understood cryptographic failures like nonce reuse and side channel attacks are still routine; I can’t imagine the number of novel side channels and footgun opportunities that would be introduced with a cryptosystem utilizing this thing. The hardware, design and implementation requirements would add an enormous amount of complexity for an extremely small improvement overall.


Genuine question: why would switching out the source of random bits make for that much more complexity? The hardware is more complicated right now for sure --- do you mean to say that the work in checking that the hardware doesn't have less obvious exploits (compared to simple Johnson noise measurements) is the tricky bit?
Because hardware and hardware connectivity can fail, and the one thing cryptography needs from the system CSPRNG is not having failure cases. Since past a threshold the quality of the entropy source does not in fact matter, no amount of added complexity, however marginal, has a positive return on investment.
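The reply above makes two claims a practitioner can turn into design rules: the system RNG must have no failure cases, and entropy-source quality stops mattering once a threshold is passed. The following added example (not from any commenter, and not from any real RNG implementation) shows what that looks like in code: continuous health tests in the style of NIST SP 800-90B section 4.4 (the Repetition Count Test and the Adaptive Proportion Test) gate a raw bit source, a SHA-256 conditioner compresses enough tested samples into a 256-bit seed, and an HMAC-SHA256 counter-mode expander produces the output stream. The "stuck" and "disconnected" sources model a pinned hardware device and a device that disappears mid-read; the assessed min-entropy of 0.5 bits per sample, the false-positive rate and the sources themselves are constructed for the demo. The point it illustrates is that the seeding path refuses rather than degrades, and that once a conditioned seed exists the output no longer depends on the source at all.

```python
"""Health-tested entropy source feeding a seeded CSPRNG (added example)."""
import hashlib
import hmac
import math
import os
import struct
from typing import Iterator

ALPHA = 2.0 ** -20   # per-test false-positive rate (SP 800-90B allows 2^-20 down to 2^-50)
H_MIN = 0.5          # assessed min-entropy per 1-bit sample; a constructed figure for this demo
APT_WINDOW = 1024    # APT window size for binary sources in SP 800-90B


def rct_cutoff(h: float, alpha: float = ALPHA) -> int:
    """RCT cutoff C = 1 + ceil(-log2(alpha) / H): a run of C identical samples fails."""
    return 1 + math.ceil(-math.log2(alpha) / h)


def apt_cutoff(h: float, w: int = APT_WINDOW, alpha: float = ALPHA) -> int:
    """Smallest C with P[Binomial(w, 2^-H) >= C] <= alpha, summed in log space."""
    p = 2.0 ** -h
    tail = 0.0
    for c in range(w, -1, -1):
        log_pmf = (math.lgamma(w + 1) - math.lgamma(c + 1) - math.lgamma(w - c + 1)
                   + c * math.log(p) + (w - c) * math.log1p(-p))
        tail += math.exp(log_pmf)
        if tail > alpha:
            return c + 1
    return 0


class HealthTests:
    """Continuous tests applied to every raw sample; any failure is sticky."""

    def __init__(self, h: float = H_MIN):
        self.rct_c, self.apt_c = rct_cutoff(h), apt_cutoff(h)
        self.last, self.run = None, 0
        self.apt_ref, self.apt_count, self.apt_seen = None, 0, 0
        self.failed = False

    def feed(self, sample: int) -> bool:
        # Repetition Count Test: catches a source stuck at one value.
        self.run = self.run + 1 if sample == self.last else 1
        self.last = sample
        if self.run >= self.rct_c:
            self.failed = True
        # Adaptive Proportion Test: catches a source whose bias collapses.
        if self.apt_seen == 0:
            self.apt_ref, self.apt_count = sample, 0
        self.apt_seen += 1
        if sample == self.apt_ref:
            self.apt_count += 1
        if self.apt_count >= self.apt_c:
            self.failed = True
        if self.apt_seen == APT_WINDOW:
            self.apt_seen = 0
        return not self.failed


def os_source() -> Iterator[int]:
    """Constructed 'healthy' source: the low bit of each os.urandom byte."""
    while True:
        for byte in os.urandom(64):
            yield byte & 1


def stuck_source(value: int = 0) -> Iterator[int]:
    """Constructed failed hardware: output pinned at a single value."""
    while True:
        yield value


def disconnected_source(good_samples: int = 100) -> Iterator[int]:
    """Constructed connectivity failure: the device goes away after a few reads."""
    src = os_source()
    for _ in range(good_samples):
        yield next(src)


def seed_from_source(source: Iterator[int], h: float = H_MIN, need_bits: int = 256) -> bytes:
    """Collect enough health-tested samples to carry need_bits of min-entropy,
    then condition with SHA-256. Refuses (raises) on a test failure or a source
    that stops delivering; it never returns a weak seed."""
    tests = HealthTests(h)
    raw = bytearray()
    for _ in range(math.ceil(need_bits / h)):
        sample = next(source, None)
        if sample is None:
            raise RuntimeError("entropy source unavailable; refusing to seed")
        if not tests.feed(sample):
            raise RuntimeError("entropy source failed a health test; refusing to seed")
        raw.append(sample)
    return hashlib.sha256(bytes(raw)).digest()


def expand(seed: bytes, nbytes: int) -> bytes:
    """Deterministic expansion (HMAC-SHA256 in counter mode): once a conditioned
    256-bit seed exists, output quality no longer depends on the raw source."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


if __name__ == "__main__":
    print("RCT cutoff:", rct_cutoff(H_MIN), "APT cutoff:", apt_cutoff(H_MIN))
    print("healthy source ->", expand(seed_from_source(os_source()), 16).hex())
    for name, src in (("stuck", stuck_source()), ("disconnected", disconnected_source())):
        try:
            seed_from_source(src)
        except RuntimeError as exc:
            print(f"{name} source -> {exc}")
```

Running it prints a 16-byte sample from the healthy path and the refusal message for each of the two failed sources. The cutoffs are where the "threshold" in the reply lives: with 0.5 bits of min-entropy per sample, 512 samples carry a full 256-bit seed, and a run of 41 identical samples or an over-full APT window is treated as a broken device rather than as slightly worse randomness.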