{"id":15372720,"url":"https://github.com/bitfield/qrand","last_synced_at":"2025-04-15T12:32:01.426Z","repository":{"id":52491366,"uuid":"225025252","full_name":"bitfield/qrand","owner":"bitfield","description":"Quantum randomness source using the ANU hardware QRNG","archived":false,"fork":false,"pushed_at":"2024-02-08T11:03:46.000Z","size":38,"stargazers_count":16,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-28T21:12:29.964Z","etag":null,"topics":["quantum-mechanics","random-number-generators"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitfield.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null},"funding":{"github":"bitfield"}},"created_at":"2019-11-30T14:35:52.000Z","updated_at":"2024-12-12T10:17:08.000Z","dependencies_parsed_at":"2024-02-08T12:25:11.066Z","dependency_job_id":"ac7f47da-7059-4c43-94c0-1de479099470","html_url":"https://github.com/bitfield/qrand","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitfield%2Fqrand","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitfield%2Fqrand/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitfield%2Fqrand/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitfield%2Fqrand/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bitfield","download_url":"http
s://codeload.github.com/bitfield/qrand/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249072345,"owners_count":21208175,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["quantum-mechanics","random-number-generators"],"created_at":"2024-10-01T13:52:55.732Z","updated_at":"2025-04-15T12:32:01.192Z","avatar_url":"https://github.com/bitfield.png","language":"Go","readme":"[![Go Reference](https://pkg.go.dev/badge/github.com/bitfield/qrand.svg)](https://pkg.go.dev/github.com/bitfield/qrand)\n[![Go Report Card](https://goreportcard.com/badge/github.com/bitfield/qrand)](https://goreportcard.com/report/github.com/bitfield/qrand)\n[![Mentioned in Awesome Go](https://awesome.re/mentioned-badge-flat.svg)](https://github.com/avelino/awesome-go)\n![Tests](https://github.com/bitfield/qrand/actions/workflows/test.yml/badge.svg)\n\n# What is `qrand`?\n\n`qrand` is a Go package that provides random numbers derived, ultimately, from a non-deterministic, quantum-mechanical process. \n\n```go\nimport \"github.com/bitfield/qrand\"\n```\n\nThe random data is provided by the [ANU Quantum Numbers](https://quantumnumbers.anu.edu.au/) (AQN) API. 
You'll need an API key for this service, but it's free for limited use (see the website for details on how to pay for more data if you need it).\n\n# Usage\n\nHere are a couple of example programs that show how you might use `qrand`.\n\n## Reading random bytes\n\nA common use of `crypto/rand` in Go programs is to read a sequence of cryptographically secure random bytes (an initialization vector, for example). `qrand` can do the same thing, but deriving its data from the quantum randomness provider.\n\nThe [`numbers`](example/numbers/main.go) example shows how to do this:\n\n```go\nq := qrand.NewReader(apiKey)\nbuf := make([]byte, 10)\n_, err := q.Read(buf)\n```\n\nAs you can see, this is very similar to the corresponding [`crypto/rand` example](https://pkg.go.dev/crypto/rand#example-Read). The only difference here is that we need to create the reader first with `NewReader`, because the provider requires an API key.\n\n## Generating random numbers\n\nGo's `math/rand`, on the other hand, is commonly used to provide random numbers within a desired interval, using something like `rand.Intn`. This is useful in games, for example, or other programs that need “random-seeming” behaviour, but not strict cryptographic security.\n\nThe [`password`](example/password/main.go) example shows how to do this with `qrand`, by creating a *randomness source*:\n\n```go\nrnd := rand.New(qrand.NewSource(qrand.NewReader(apiKey)))\npassword := make([]byte, 32)\nfor i := range password {\n    password[i] = chars[rnd.Intn(len(chars))]\n}\n```\n\n# The CLI tool\n\nThere's a simple CLI tool to request and display a given number of random (hex) bytes. 
To install it:\n\n```sh\ngo install github.com/bitfield/qrand/cmd/qrand@latest\n```\n\nTo use it, pick the number of bytes you need (for example, 32), and run:\n\n```sh\nqrand 32\n```\n```\n8e8c2771be5c2bb10d541a5bf6aa51203e0bce2d6d4fa267afd89a6e20df11f1\n```\n\n# Sources of randomness\n\n\u003e *Random numbers should not be generated with a method chosen at random.*\n\u003e\n\u003e —Donald Knuth, [“The Art of Computer Programming, Vol 2: Seminumerical Algorithms”](https://amzn.to/3Y8uMt3)\n\nMost computer random number generators (RNGs) use a deterministic process, which means that given an initial seed value, the sequence of generated numbers is predictable.\n\nFor example, Go's standard `math/rand` library uses a fairly simple algorithm to generate a random-looking, but still deterministic sequence of numbers. For most applications this is absolutely fine when seeded with a suitable value, such as the current Unix time in nanoseconds (which is the default from Go 1.20 onwards). \n\nFor any cryptographic purposes, though, `math/rand` is insecure, and we should use `crypto/rand` instead. `crypto/rand` will use the most secure randomness source provided by the operating system; for example, on Linux systems this might be the `/dev/urandom` or `/dev/random` devices. \n\nWhile this is still technically a pseudo-random source, it uses environmental 'noise' such as I/O activity, keystrokes, and so on, to generate numbers which are in practice (though not in principle) unpredictable.\n\nFor very high-security applications, though, we can use quantum-mechanical sources, such as the cosmic microwave background radiation:\n\n* [Lee, J. S., \u0026 Cleaver, G. B. (2017). The cosmic microwave background radiation power spectrum as a random bit generator for symmetric-and asymmetric-key cryptography. 
Heliyon, 3(10).](https://arxiv.org/abs/1511.02511) \n\nThe outcomes of quantum measurements, such as the spin of an electron or the polarization of a photon, are *in principle* unpredictable, to the best of our knowledge:\n\n* [Bierhorst, P., Knill, E., Glancy, S., Zhang, Y., Mink, A., Jordan, S., ... \u0026 Shalm, L. K. (2018). Experimentally generated randomness certified by the impossibility of superluminal signals. Nature, 556(7700), 223-226.](https://arxiv.org/abs/1803.06219)\n\nHardware RNGs are available that can use such measurements to generate random data at fairly high bitrates (many GiB/s). \n\n# The AQN service\n\nAustralian National University provides a public quantum randomness source, derived from a hardware RNG, via its [AQN](https://quantumnumbers.anu.edu.au/) service. This has a public API, which is the source of the data obtained with `qrand`.\n\nThe random data is generated by a device that uses a laser to measure the quantum fluctuations of the vacuum:\n\n* [Symul, T., Assad, S. M., \u0026 Lam, P. K. (2011). Real time demonstration of high bitrate quantum random number generation with coherent laser light. Applied Physics Letters, 98(23)](https://arxiv.org/abs/1107.4438)\n* [Haw, J. Y., Assad, S. M., Lance, A. M., Ng, N. H. Y., Sharma, V., Lam, P. K., \u0026 Symul, T. (2015). Maximization of extractable randomness in a quantum random-number generator. Physical Review Applied, 3(5), 054004](https://arxiv.org/abs/1411.4512).\n\n# Why do I need quantum randomness?\n\nYou don't. The standard randomness source provided by your operating system, available via `crypto/rand`, is almost certainly good enough for any application requiring strong randomness, such as cryptography (otherwise, we're all in trouble).\n\nHowever, it's fun to use a source of randomness which is entirely non-deterministic (so far as we know) and provided directly by the Universe itself. 
\n\n# Security note\n\n`qrand` is primarily for fun, but just in case you're thinking of using it in programs, here's an important caveat. \n\nFor games and other non-cryptographic applications, as I mentioned, any reasonably random-looking data is fine. For speed, you'd normally use `math/rand` for this.\n\nBut when you're doing cryptography (for example, hashing, signing, initializing ciphers, generating keys, and so on), `math/rand` is not good enough, and that's what `crypto/rand` is for. \n\nSince `crypto/rand` will use as secure a source of randomness as the local computer can provide, that's about as good as we can hope to get. This will probably derive from the operating system, as mentioned earlier.\n\nData from `qrand` is both more and less secure than `crypto/rand`'s. More secure, because the outcomes of quantum measurements are unpredictable in principle, as we saw earlier, whereas software-based RNGs are merely unpredictable in practice.\n\nLess secure, because it's coming over the network. Although the connection to the API uses TLS, and is thus encrypted, it's still possible that the data could be intercepted or modified by a third party (via a [man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack), for example). To put it another way, the random data obtained by `qrand` is only as secure as your TLS connection to the AQN server.\n\nAnd, of course, it all rather depends on whether you trust the AQN service itself. I offer no warranty of any kind that data obtained with `qrand` is cryptographically secure. 
Nor could I if I wanted to, because `qrand` itself is merely a client for this third-party service.\n\nYou have been warned.\n","funding_links":["https://github.com/sponsors/bitfield"],"categories":["Security","安全"],"sub_categories":["HTTP Clients","HTTP客户端"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitfield%2Fqrand","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitfield%2Fqrand","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitfield%2Fqrand/lists"}