Service Architecture

How the entropy reservoir, health gating, cryptography layer, and audit pipeline are wired. Every draw is observable. Every response is reproducible.

The Paradigm Shift

Legacy CSPRNG

  • Silent entropy source — the application trusts it
  • No way to verify "where the random came from"
  • No replay procedure for audit
  • Fallback indistinguishable from a normal draw
  • Vendor lock-in: tied to OS or hardware module

QSG

  • Hardware-derived entropy, source disclosed per draw
  • Signed provenance with cryptographic hash chain
  • Replay-ready retention (R2 JSONL, 7-year)
  • Explicit fallback object on every response
  • Edge API — swap regions or vendors without client change

6-Layer Quantum Assurance Pyramid

Six layers back every draw. Three feed the API today (L2, L5, L6). Three remain on the internal calibration loop (L1, L3, L4).

6

Post-Quantum Crypto SHIPPED · API-FEEDING

X25519 + ML-KEM-1024 hybrid secure construction. FIPS 203 Category 5 (256-bit quantum security). AEAD via AES-256-GCM with 96-bit nonces. ML-DSA-65 signatures on provenance records (FIPS 204).

5

NIST Health Gating SHIPPED · API-FEEDING

SP 800-90B Repetition Count Test (RCT) and Adaptive Proportion Test (APT) on every draw against a 1024-byte sample window. rct_passed / apt_passed boolean fields in the response.

4

Diagnostic Tomography ROADMAP · INTERNAL

State-tomography snapshots from the calibration loop. Used to characterize backend fidelity and validate admission thresholds. Not yet surfaced in the API.

3

Quantum Channel ROADMAP · INTERNAL

State-transport fidelity tracking per channel on the calibration loop. Not yet surfaced in the API.

2

Entropy Source SHIPPED · API-FEEDING

Hardware-derived entropy from IBM Quantum backends (Falcon, FEZ, Kingston, Brussels). Per-batch entropy_score admission threshold: ≥ 0.99. source_class enum in every response.

1

Geometry & Topology ROADMAP · INTERNAL

Engineered gate connectivity and backend-specific correlation metrics. Informs the hardware procurement cycle. Not yet surfaced in the API.

API Contract

Every authenticated draw returns the same shape. Fields are stable across versions; additions are versioned.

POST/v1/entropy

Request body

{
  "size_bytes": 32,
  "tier": "standard"
}
200/v1/entropy response

Response body (real shape, abbreviated)

{
  "entropy": "base64:...",
  "size_bytes": 32,
  "key_exchange": "X25519+ML-KEM-1024",
  "source_class": "hardware-derived-premium",
  "entropy_score": 0.999,
  "source_id": "qrng-hardware-001",
  "health_check": {
    "rct_passed": true,
    "apt_passed": true
  },
  "fallback": {
    "is_fallback": false,
    "reason": null,
    "original_source": null
  },
  "provenance_id": "prov_2026_06_23_abc123",
  "issued_at": "2026-06-23T14:22:08.117Z"
}

Field reference

Reservoir Pipeline

Five sequential stages from raw hardware output to signed API response. Each stage gates the next; failure at any stage is observable.

  1. 1. Hardware Validation Pool

    Raw measurement output from IBM Quantum backends. Per-batch min-entropy estimated against the conditioning circuit. Pool byte-age cap: 14 days.

  2. 2. Admission Governance

    entropy_score ≥ 0.99 required for admission. Min unique states per batch: 8,192. Below threshold → batch is rejected, never admitted to reservoir.

  3. 3. Continuous Health Testing

    SP 800-90B RCT and APT run on a rolling 1024-byte sample window. Failed tests force fallback regardless of entropy_score.

  4. 4. Reservoir

    Admitted bytes buffer in the edge layer. Pool threshold: ≥ 1 MB (MIN_POOL_THRESHOLD = 1024 * 1024). Consumption cap: 90% per draw (MAX_BATCH_CONSUMPTION = 0.90).

  5. 5. Edge API Gateway

    Authenticated draw returns entropy bytes + signed provenance record. KV (90-day operational) + R2 (7-year persistent) audit chain attached.

Three Sequential Fallback Checks

Fallback is explicit and customer-visible. The fallback.is_fallback field is true only when one of these checks fails — never silently.

  1. Check 1: Pool size

    Reservoir must hold at least 1 MB plus the requested draw. Failure → reason: "pool_unavailable".

  2. Check 2: Admission

    entropy_score of the candidate batch must be ≥ 0.99. Failure → reason: "entropy_score_below_threshold".

  3. Check 3: Health tests

    RCT and APT must both pass on a 1024-byte sample. Failure of either → reason: "health_tests_failed:RCT,APT" (or whichever test failed).

If any check fails, the response is still issued — with bytes from the documented CSPRNG fallback path and the nested fallback object populated. The original requested source and the failure reason are both preserved in fallback.reason and fallback.original_source.

Dual-Layer Audit

Every draw produces two records: an operational telemetry record (KV) and a permanent compliance record (R2). Both share the same provenance_id.

Operational Layer

Cloudflare KV · 90-day rolling TTL

  • High-speed read/write for telemetry
  • Rate-limit counters per API key
  • Metering hooks for billing
  • Immediate gateway observability
  • Designed for the operational dashboard

Persistent Layer

Cloudflare R2 JSONL · 7-year retention

  • Cryptographic compliance handoff
  • Full-batch provenance and signatures
  • Deep historical forensics
  • Region-pinned for data-residency
  • Replay-ready for regulator review

From Physics to REST

End-to-end latency budget for a normal draw at the edge.

StageComponentTypical
1TLS + auth verification (Cloudflare edge)5–10 ms
2Pool byte extraction (KV-backed)<1 ms
3NIST RCT/APT on 1024-byte sample2–5 ms
4Hybrid KEM encapsulation (X25519 + ML-KEM-1024)1–3 ms
5Provenance record construction + signature3–6 ms
6KV write (operational) + R2 append (persistent)5–15 ms
7Response serialization + edge return<1 ms
TotalEdge P50<30 ms
TotalEdge P95<50 ms

Deployment Posture

The service is delivered via Cloudflare Workers at 300+ edge locations. No infrastructure to manage; no warm-up; no provisioned capacity.

Cloudflare Workers

Edge runtime at 300+ global POPs. Sub-50ms P95 latency.

  • Per-request cold start <5 ms
  • No provisioned concurrency
  • Auto-scaling to global traffic spikes

Cloudflare KV

Operational audit record. 90-day TTL.

  • Reads <10 ms P95 globally
  • Eventually consistent writes
  • Per-API-key rate counters

Cloudflare R2

Persistent audit log. 7-year retention.

  • S3-compatible, zero egress fees
  • Append-only JSONL streams
  • Region-pinned for data-residency

Take it for a test draw

Sandbox keys provisioned within 24–48 hours. Same response shape, same audit chain, capped volume.