Post-Quantum Entropy as a Service for Embedded Systems

TL;DR

A Quantum Entropy as a Service (QEaaS) system that moves QRNG-derived entropy from a Quantis device to ESP32-class clients over post-quantum-secured channels over post-quantum-secured channels is built.

Abstract

Embedded cryptography stands or falls on entropy quality, yet small devices have few trustworthy sources and little tolerance for heavyweight protocols. We build a Quantum Entropy as a Service (QEaaS) system that moves QRNG-derived entropy from a Quantis device to ESP32-class clients over post-quantum-secured channels. On the server side, the design exposes two paths: direct quantum entropy through a custom OpenSSL provider and mixed entropy through the Linux system pool. On the client side, we extend libcoap's Zephyr support, integrate wolfSSL-based DTLS 1.3 into the CoAP stack, and add a BLAKE2s entropy pool that preserves the standard Zephyr extraction interface while introducing an injection API for server-provided entropy. Benchmarks on ESP32 hardware, targeting 100 iterations per configuration, show that ML-KEM-512 completes a DTLS 1.3 handshake in 313 ms on average without certificate verification, 35% faster than ECDHE P-256. Pairing ML-KEM-512 with ML-DSA-44 lowers the mean to 225 ms. Certificate verification adds roughly 194 ms for ECDSA but only 17 ms for ML-DSA-44, so the fully post-quantum configuration remains 63% faster than classical ECDHE P-256 with ECDSA even under full verification. Local BLAKE2s pool operations stay below 0.1 ms combined. On this platform, post-quantum key exchange and authentication are not only feasible; they are faster than the classical baseline.

Figures (4)

• Figure 1: QEaaS system architecture for quantum entropy distribution from Quantis QRNG via dual access (OpenSSL and Linux entropy pool) to ESP32 clients with BLAKE2s entropy pools, using post-quantum cryptography for HTTPS and CoAP.
• Figure 2: BLAKE2s entropy pool operation latency by buffer size. Extraction requires full pool state hashing while injection performs incremental BLAKE2s mixing.
• Figure 3: DTLS 1.3 handshake + first request latency distribution per algorithm combination. Each dot is one iteration (fresh session); black markers show mean $\pm$ 1 std. Algorithms are grouped by key exchange (ECDHE P-256, X25519, ML-KEM-512), with ECDSA (green) and ML-DSA-44 (blue) variants within each group. Filled markers: no certificate verification; open markers: verification enabled.
• Figure 4: Decomposition of DTLS 1.3 handshake latency (with verification enabled) into three components: estimated network overhead (grey; 3 round trips $\times$ plain CoAP mean), lower-bound residual estimates for key exchange and CertificateVerify signing computation (green; non-verify residual after subtracting the estimated network component), and directly measured client-side certificate chain verification (blue; verify$-$non-verify mean). ECDSA group (left) and ML-DSA-44 group (right). Green segment labels show the lower-bound residual; blue annotations show the verification cost; totals above each bar give the full handshake latency, all in milliseconds.