Randomness sounds like the easiest thing in the world to produce. Flip a coin, roll a die, pick a number between one and a hundred. But there is a problem, and it runs surprisingly deep: every coin is slightly uneven, every die fractionally weighted, every algorithm that claims to conjure unpredictability built atop a foundation of rules. For as long as mathematicians and cryptographers have needed truly random numbers, they have been stuck with numbers that are merely random enough. Now, a team at ETH Zurich has done something the field had long considered impossible by purely classical means: they have taken imperfect randomness and, using quantum entanglement, turned it into the real thing. Certified. Provably. Forever.
The result, published in Nature, closes a gap that has been quietly undermining digital security for decades. It is also, depending on your philosophical bent, either deeply reassuring or rather strange.
The trouble with random numbers is not obvious until you look carefully. In cryptography, random numbers are the raw material of encryption keys. If an adversary can predict even a fraction of the bits going into a key, the whole edifice starts to wobble. And predicting a fraction turns out to be easier than it should be. In 2012, researchers combing through millions of publicly accessible RSA encryption keys found something unsettling: a non-trivial proportion of the corresponding private keys could be reconstructed. The culprit was weak randomness baked into the generators that had produced them. Some bits were slightly more probable than others. That slight bias, imperceptible in casual use, was enough.
Quantum mechanics seemed like it might rescue the situation. A photon hitting a 50-50 beam splitter and then being measured for which path it took is, according to quantum theory, genuinely unpredictable; the outcome is not just unknown but unknowable in advance. But here’s where things get awkward. Any real device is imperfect. Mirrors are not exactly 50-50, detectors have quirks, temperature fluctuations introduce correlations. The bit you get out of a real quantum device is almost perfectly random, perhaps, but almost is a word cryptographers would rather avoid.
“It may seem strange, but it is almost impossible to create a perfect coin or a perfect die,” says Renato Renner, professor of theoretical physics at ETH Zurich. “Even modern random number generators, which are based on quantum mechanical effects like the reflection of photons from beam splitters, are not entirely immune to such a systematic error or ‘bias’,” adds his colleague Andreas Wallraff. The pair have spent years thinking about this problem from their respective vantage points, Renner from theory, Wallraff from experiment, and their collaboration has now produced a method called randomness amplification.
The core idea is counterintuitive but elegant. Rather than trying to build a perfect random number generator, they start with an imperfect one and use quantum entanglement to wash out the residual bias. The key is a so-called Bell test, the type of experiment that won Alain Aspect, John Clauser and Anton Zeilinger the Nobel Prize in Physics in 2022. Bell tests probe entangled particles to confirm that their correlated behavior cannot be explained by any hidden local variable, that is, no pre-existing information could have determined the outcome. If the test passes, the measurement results must contain genuine unpredictability. Crucially, Renner and Wallraff’s team devised a version of the Bell test that works even when the random bits used to choose the measurement settings are themselves slightly biased, tolerating an input bias of up to 0.75%.
Two Refrigerators, 30 Metres Apart
The experimental setup is, by the standards of modern quantum physics, neither tiny nor simple. Two superconducting qubits sit in separate dilution refrigerators, cooled to around 15 millikelvin, connected by a 30-metre aluminium waveguide that snakes between them inside an evacuated tube. Microwave photons shuttle back and forth to entangle the qubits on demand. The separation matters: 30 metres is enough that, during the time it takes to measure one qubit, no signal traveling at the speed of light could reach the other. This closes the so-called locality loophole, ensuring the two sides genuinely cannot coordinate. The team ran the experiment for roughly nine hours, conducting 1.34 billion individual Bell test trials at 50,000 per second. They fed in around five billion low-quality random bits and extracted 45 million bits of certified perfect randomness. “The resulting sequence of zeros and ones is now really perfectly random, and we can even certify that,” says Renner.
The certification part is worth dwelling on. It is mathematically impossible to verify that a string of bits is random simply by looking at it, since any random-looking string could in principle have been generated by a deterministic process that someone knows. What the ETH team can show instead is that their output is uncorrelated with anything outside the future light cone of the experiment, essentially uncorrelated with everything that existed before the measurement happened. “The technical improvements allowed us, for the first time, to create random numbers that will remain perfectly random for all eternity,” says Renner, “no matter what analytical methods are used to assess their randomness.”
The Atomic Clock Analogy
Getting the experiment to work required overhauling the setup from a previous loophole-free Bell test the group published in 2023. The channel loss in the quantum link connecting the two qubits was reduced from around 19% to about 12-14% by replacing normal-metal coaxial cables with superconducting ones and removing a circulator that had been leaking a few percentage points of signal. The classical processing overhead was cut by two orders of magnitude, from more than 200 microseconds per trial to under two, by switching from Python-based data handling to compiled C++. Without those changes, the experiment would have taken over 31 hours rather than nine, and might not have been stable enough to run at all.
Some limitations remain. The output rate, around 45 million bits in nine hours, is comparable to NIST’s publicly available randomness beacon, but not exactly a fire hose. Scaling up would require better Bell-test performance, lower loss, and possibly multi-node quantum networks where the classical processing overhead can be distributed. The current setup is also somewhat bespoke; packaging this into something a certificate authority or a lottery commission could actually use is a longer-term project.
Still, Renner draws an analogy to atomic clocks. Atomic clocks did not replace every clock on every wall; instead, they became the certified reference that other timekeeping systems calibrate against. A source of certified perfect randomness could play the same role in digital infrastructure, a single trusted beacon whose output underpins cryptographic keys, lotteries, blockchains, and quantum key distribution protocols. The latter is particularly appealing: quantum key distribution is only as secure as the random numbers used to choose measurement settings, so a certified source feeding into a QKD system would give end-to-end security guarantees under minimal assumptions.
It is a strange thing to have certified, when you think about it. That a sequence of numbers is random is normally something you can only believe, not prove. The ETH Zurich experiment makes it, for the first time, something you can demonstrate.
https://doi.org/10.1038/s41586-026-10521-8
Frequently Asked Questions
Why can’t we just generate random numbers using regular computers?
Classical computers are entirely deterministic; they follow rules, so any number they produce is, in principle, predictable by someone who knows those rules and the starting conditions. Most random numbers from software are really pseudorandom, which means they look unpredictable but were generated by an algorithm. Even hardware generators that rely on physical noise sources introduce small, measurable biases that can accumulate into exploitable weaknesses, particularly in cryptographic applications where the stakes are high.
What’s a Bell test, and why does it prove the randomness is real?
A Bell test measures two entangled particles and checks whether their correlated outcomes could have been pre-arranged by any hidden information they shared before the measurement. If the test is passed under the right conditions, quantum mechanics guarantees that no hidden variable determined the outcomes, which means the results were genuinely unpredictable. The ETH Zurich team’s variant goes further, showing that the guarantee holds even when the random bits used to set up the measurement are themselves imperfect, which is what makes randomness amplification possible.
Could weak randomness really break real-world encryption?
It already has. In 2012, researchers analysing millions of publicly available RSA public keys found that a significant fraction of the corresponding private keys could be reconstructed, because the random number generators used to create them had subtle biases that introduced shared factors. The attack required no sophisticated quantum computing, just careful arithmetic. Stronger randomness certification would make that class of attack mathematically impossible rather than merely unlikely.
Is this technology ready to use in everyday security systems?
Not quite yet. The current setup produces around 45 million certified bits in nine hours, which is comparable to existing public randomness beacons but far below what large-scale cryptographic infrastructure would need. The researchers envision it playing a role similar to atomic clocks, a certified reference source that other systems calibrate against rather than a direct replacement for existing generators. Practical deployment would also require packaging the superconducting qubit hardware into something more accessible than two dilution refrigerators connected by a 30-metre waveguide.
Why does it matter that the randomness is certified rather than just very good?
Certification means the randomness comes with a mathematical proof grounded in the laws of physics, not just a statistical test that showed no obvious patterns. A sequence of bits can pass every statistical test ever devised and still have been generated by a process someone knows and can predict. The ETH approach produces a certificate in the form of Bell violation data, which demonstrates that the output is uncorrelated with anything that existed before the measurement was made. That distinction matters most in high-stakes contexts where an adversary is actively trying to predict or reproduce the randomness.
ScienceBlog.com has no paywalls, no sponsored content, and no agenda beyond getting the science right. Every story here is written to inform, not to impress an advertiser or push a point of view.
Good science journalism takes time — reading the papers, checking the claims, finding researchers who can put findings in context. We do that work because we think it matters.
If you find this site useful, consider supporting it with a donation. Even a few dollars a month helps keep the coverage independent and free for everyone.