⚛ QUANTUM ENTROPY ON SOLANA ⚛// CHAINLINK VRF IS MATH — WE USE PHYSICS //⚛ NOT PSEUDO. NOT VRF. QUANTUM. ⚛// ANU 🇦🇺 CANBERRA + PICOQUANT 🇩🇪 BERLIN — BOTH REAL PHOTONS //⚛ TWO CONTINENTS. TWO LABS. ONE XOR. ⚛// VACUUM FLUCTUATIONS → UR SMART CONTRACT //⚛ FIRST QUANTUM ORACLE ON SOLANA ⚛// NOT ONE LAB. TWO CONTINENTS. BOTH PHYSICS. NEITHER MATH. //⚛ 5.7 GBPS 🇦🇺 + 150 MBIT/S 🇩🇪 = PHYSICS BRRR ⚛// BMBF FUNDED · BERLIN-ADLERSHOF · REAL PHOTONS //⚛ UNPREDICTABLE IN PRINCIPLE NOT JUST PRACTICE ⚛// THE UNIVERSE IS UR RNG SER — FROM TWO DIRECTIONS //⚛ QUANTUM ENTROPY ON SOLANA ⚛// CHAINLINK VRF IS MATH — WE USE PHYSICS //⚛ NOT PSEUDO. NOT VRF. QUANTUM. ⚛// ANU 🇦🇺 CANBERRA + PICOQUANT 🇩🇪 BERLIN — BOTH REAL PHOTONS //⚛ TWO CONTINENTS. TWO LABS. ONE XOR. ⚛// VACUUM FLUCTUATIONS → UR SMART CONTRACT //⚛ FIRST QUANTUM ORACLE ON SOLANA ⚛// NOT ONE LAB. TWO CONTINENTS. BOTH PHYSICS. NEITHER MATH. //⚛ 5.7 GBPS 🇦🇺 + 150 MBIT/S 🇩🇪 = PHYSICS BRRR ⚛// BMBF FUNDED · BERLIN-ADLERSHOF · REAL PHOTONS //⚛ UNPREDICTABLE IN PRINCIPLE NOT JUST PRACTICE ⚛// THE UNIVERSE IS UR RNG SER — FROM TWO DIRECTIONS //
← back quantum entropy oracle · whitepaper · v0.1

Not Math. Not a Seed, Not a Formula.
A laser measures nothing and finding everything —
from Canberra and Berlin.

QSol: A Quantum-Sourced Entropy Oracle for the Solana Virtual Machine

A Technical Whitepaper and Cryptographic Research Note

Version 0.1 — Devnet Specification

Abstract

Deterministic blockchain runtimes cannot generate entropy locally. Every node executing the same program must produce the same state transition, so any source of randomness must be supplied externally and identically to all validators. The dominant solutions in production today — verifiable random functions (VRFs), threshold BLS beacons, trusted execution environment (TEE) enclaves, and commit-reveal hash chains — all share a common security foundation: cryptographic hardness assumptions. They produce sequences that are computationally indistinguishable from random under specific number-theoretic conjectures, but the sequences are themselves deterministic functions of a secret seed. A party in possession of that seed can reproduce every output forever.

This paper specifies QSol, a Solana-native oracle that supplies smart contracts with entropy derived from quantum mechanical processes — vacuum fluctuation homodyne detection at the Australian National University, photon arrival time measurements at Humboldt University Berlin, and Bell-test certified entanglement beacons published by the National Institute of Standards and Technology. We describe a commit-reveal callback protocol that binds an oracle operator to a specific entropy value before that value is publicly revealed, achieving unpredictability under a security model that does not rely on any computational hardness assumption. We analyze the protocol against four classes of adversary, present a latency budget showing end-to-end fulfillment in 1.6–3.0 seconds under typical Solana mainnet conditions, and discuss application domains where the distinction between physical and computational randomness has direct legal, economic, and regulatory consequences — most prominently online gambling, lottery operations, and high-value non-fungible token mints.

Keywords: quantum random number generation; blockchain oracles; commit-reveal; provable fairness; Solana; SP 800-90B; Bell theorem.

1. Introduction

The discrete-event simulation that constitutes a blockchain — a deterministic state machine replicated across thousands of mutually distrusting nodes — has no native source of randomness. This is not a defect of any particular chain. It is a structural consequence of consensus: if validators disagreed about the value of a coin flip, they would disagree about the resulting state, and the chain would fork. Every transaction that requires randomness must therefore obtain it from outside the consensus boundary and inject it through an interface the chain treats as authoritative.

For the past seven years, the dominant approach to this problem on Ethereum and its derivatives has been Chainlink VRF, a verifiable random function based on elliptic curve cryptography. On Solana, the dominant providers are Switchboard On-Demand (which uses Intel SGX trusted execution environments), ORAO VRF (a multi-node Ed25519 VRF with Byzantine quorum), and Pyth Entropy (a two-party commit-reveal hash chain mixed with the recent block hash). All four solutions deliver high availability, low latency, and verifiable integrity. None of them produces randomness in the sense that a physicist would recognize.

A VRF output is a deterministic function F(sk, x) → (y, π) where sk is a secret key, x is an input, y is an output that appears uniformly random, and π is a proof that y was correctly computed. The output y looks random to anyone who does not know sk. To anyone who does know sk — most relevantly, the oracle operator — the output is fully predictable given x. The security argument is that the secret key was generated honestly and remains secret, and that the underlying elliptic curve discrete logarithm problem remains computationally hard. Both assumptions are reasonable. Neither is a guarantee.

A growing class of applications require something stronger than computational unpredictability. A regulated online casino must demonstrate to a gaming authority that the outcomes of its games are not only fair after the fact but were not knowable to any party — including the casino — before they were generated. A high-value non-fungible token mint that allocates rare traits based on a "random" seed must defend against the accusation that the seed was chosen to favor a specific minter. A lottery protocol distributing eight or nine figures of prize money cannot rely on a single party's keypair, however carefully managed, as the foundation of its fairness claim.

This paper describes a system that closes this gap on Solana. We propose QSol: an oracle that delivers, on request, sequences of bits whose unpredictability rests not on a computational conjecture but on the laws of quantum mechanics. We are not the first to attempt this on a public blockchain — API3 operated a quantum random number generator service across thirteen Ethereum-compatible chains from May 2022 until its shutdown on January 1, 2025 [API3-2024] — but we are, to our knowledge, the first to deliver such a service natively on Solana with cross-program invocation callbacks, multi-source entropy aggregation, and a commit-reveal protocol that binds the oracle operator before the entropy value is revealed on chain.

Section 2 reviews the cryptographic and physical foundations. Section 3 surveys the existing randomness landscape on public chains and identifies the security gap. Sections 4 and 5 specify the threat model and protocol. Section 6 analyzes security under each adversary class. Section 7 presents performance measurements. Section 8 examines the industries that have a direct stake in the outcome — most importantly online gambling, where the distinction between "random" and "verifiably random by physical principles" determines licensing, audit cost, and liability. Section 9 discusses limitations and open problems.

2. Background

2.1 Randomness, Entropy, and Predictability

A bit string s ∈ {0,1}^n is informally called "random" if there is no procedure shorter than s itself that produces it. Formally, this is Kolmogorov complexity, and it is uncomputable. For practical purposes, cryptographic literature uses two more tractable measures.

The Shannon entropy of a random variable X over alphabet Σ is

H(X) = -Σ_{x∈Σ} Pr[X=x] log₂ Pr[X=x]

and quantifies the average uncertainty of X measured in bits. The min-entropy

H_∞(X) = -log₂ max_{x∈Σ} Pr[X=x]

is a stricter measure: it captures the unpredictability of the most likely single outcome, and is the figure that matters for cryptographic key generation. NIST Special Publication 800-90B [NIST-90B-2018] specifies min-entropy as the metric against which all certified entropy sources must be evaluated.

A pseudorandom number generator (PRNG) takes a short seed s of length k and stretches it deterministically to a long output of length n >> k. The Shannon entropy of the output is at most k bits regardless of how long the output is. This is a hard information-theoretic ceiling. No matter how cryptographically strong the PRNG, an adversary who can guess or recover the seed has the entire output stream.

A true random number generator (TRNG) extracts entropy from a physical process whose outcome is, by hypothesis, not determined in advance. Thermal noise generators, ring oscillators, and reverse-biased diode generators all qualify. They produce entropy at modest rates and require careful health-checking and statistical extraction (typically via NIST SP 800-90B-compliant conditioners) to remove environmental bias.

A quantum random number generator (QRNG) is a TRNG whose underlying physical process is governed by quantum mechanics. The defining property — and the property that distinguishes a QRNG from a thermal-noise TRNG — is that quantum measurement outcomes are not merely unknown to the experimenter but are, under the standard interpretation, not determined prior to the measurement. This is the substantive content of Bell's theorem [Bell-1964] and its experimental confirmations [Aspect-1982; Hensen-2015; Shalm-2015]: no local hidden variable theory can reproduce the predictions of quantum mechanics, which means that quantum measurement outcomes cannot be "leaked" by any observer, no matter how privileged.

The practical consequence: a properly constructed QRNG produces output that is unpredictable not because we cannot compute the output in time, but because the output does not exist as a determinate value until the measurement is performed.

2.2 Quantum Random Number Generation: Three Methods

Three QRNG architectures are relevant to this work.

Vacuum fluctuation homodyne detection. A continuous-wave laser is split on a balanced beamsplitter, the two outputs are detected on matched photodiodes, and the difference photocurrent is sampled at high speed. In the absence of any signal, the difference current is dominated by quantum vacuum fluctuations of the electromagnetic field — the zero-point energy that the vacuum state cannot suppress. Symul, Assad, and Lam [Symul-2011] demonstrated 2 Gbit/s extraction with this method at the Australian National University; the current ANU Quantum Optics Group apparatus, which feeds the public ANU QRNG service, generates raw entropy at 5.7 Gbit/s.

Photon arrival time measurement. A weak coherent light source illuminates a single-photon detector. The arrival time of each photon, measured against a reference clock, is fundamentally indeterminate (modulo the mean rate, which is set by the source intensity). Wahl, Leifgen, et al. [Wahl-2011] achieved 150 Mbit/s with a provably bounded output bias by carefully accounting for detector dead time and dark count rate. This apparatus, developed jointly by PicoQuant GmbH and the Nano-Optics group at Humboldt University Berlin, is operated as a free public service at qrng.physik.hu-berlin.de.

Bell-test certified entanglement. A pair of polarization-entangled photons is generated by spontaneous parametric downconversion and the polarizations are measured at two spatially separated stations. When the measurement bases are chosen according to Bell's inequality, the resulting outcomes contain certified randomness whose unpredictability is proven by the violation of the inequality itself, independent of any assumption about the internal workings of the source or the detectors. Kavuri, Palfree, and Shalm et al. [Kavuri-2025] demonstrated this in production with the National Institute of Standards and Technology's loophole-free Bell test, and now publish daily certified entropy via the Colorado University Randomness Beacon (CURBy).

The three methods occupy different points on the trade-off between throughput, certifiability, and engineering complexity. Homodyne detection is the highest throughput but requires the experimenter to trust the source. Bell-test methods give the strongest cryptographic guarantee but are slower (currently ~512 bits per several minutes, in CURBy's production deployment) and require a working entangled photon source. Photon arrival time methods sit in between.

2.3 The Compliance Layer: NIST SP 800-90B

For any QRNG to be used in a regulated context — whether financial cryptography, government information systems, or licensed gambling — it must demonstrate compliance with a recognized standard. The relevant standard in the United States and most of Europe is NIST SP 800-90B, which specifies the requirements for entropy sources used in key generation. The standard requires (i) a noise source with documented physical operation, (ii) continuous health tests detecting catastrophic failure of the source, (iii) statistical estimation of min-entropy under defined conditions, and (iv) a conditioning component that produces full-entropy output.

The ANU homodyne apparatus, the PicoQuant photon-timing apparatus, and IDQ's Quantis devices all hold or have held SP 800-90B validation in various forms. This compliance is the bridge between the laboratory and the regulated industry — a casino that uses an SP 800-90B-validated entropy source has a defensible audit trail; one that does not, does not.

3. The Blockchain Randomness Problem

3.1 The Determinism Constraint

Solana validators execute the same program against the same state and must produce the same output. Any state-modifying operation that depends on a value not derivable from the current account set will diverge across nodes. The Solana runtime exposes a small number of in-program randomness sources: the recent block hashes (SlotHashes sysvar), the current slot number, and the recent block hash itself. None of these is suitable for high-stakes randomness. Slot leaders have direct or indirect influence over each, and a sophisticated adversary controlling even a single validator's block production schedule can bias outcomes that depend on slot hashes.

This forces all production-grade randomness on Solana out of the runtime and into oracle services. The four major options as of mid-2026:

Switchboard On-Demand Randomness Service (SRS). Program ID RANDMo5gFnqnXJW5Z52KNmd24sAo95KAd5VbiCtq5Rh. Generates random bytes inside an Intel SGX enclave and delivers them in the same transaction that initiates the request, achieving sub-second latency. Security depends on Intel SGX integrity. SGX has been the subject of multiple side-channel attacks in published academic literature [Van-Bulck-2018; Ragab-2021], and Intel has discontinued SGX in newer consumer CPUs. The security argument relies on the assumption that the specific SGX implementations used by Switchboard's enclave operators have not been compromised in ways not yet public.

ORAO VRF. Program IDs VRFzZoJdhFWL8rkvu87LpKM3RbcVezpMEc6X5GVDr7y (classic) and VRFCBePmGTpZ234BhbzNNzmyg39Rgdd6VgdfhHwKypU (callback variant). A multi-node Ed25519 VRF with Byzantine quorum, charging 0.001 SOL per request. Security depends on the Ed25519 signature scheme and the honesty of at least 2/3 of the operator set.

Pyth Entropy v2. A two-party commit-reveal hash chain, mixed at reveal time with the recent block hash. The protocol launched in production in July 2025 and processed 4.22 million requests in Q3 2025 according to Messari [Messari-2025]. Security depends on SHA-256 preimage resistance and on the requesting application correctly handling the recent block hash component.

Solana native sources (SlotHashes, recent block hash). Documented in the Solana specification. Used by some developers despite known manipulability by validator collusion.

3.2 The Shared Foundation

Every solution above produces output that is, in the strict sense, deterministic. The randomness is computational — a sequence that cannot feasibly be distinguished from random by any polynomial-time adversary who does not possess the relevant secret key, but a sequence that is uniquely determined by that key.

This is sufficient for the great majority of randomness applications on a blockchain, including ordinary game mechanics, NFT trait assignment, and routine sortition. It is not sufficient for applications where the security model must defend against the possibility that the secret key itself was chosen adversarially, leaked to a privileged party, or recovered by future cryptanalysis. We discuss specific examples in §8.

3.3 Documented Failures

The literature on blockchain randomness manipulation is now substantial. Three cases serve as benchmarks.

SmartBillions (2017). An Ethereum lottery used the block hash of the block containing the winning transaction as its entropy source. Researchers demonstrated that miners could selectively include or exclude their own transactions across multiple blocks to bias the outcome. Approximately 400 ETH was lost to manipulation [SmartBillions-2017].

FOMO3D (2018). A pyramid-game contract had its end-of-game payout determined in part by the block hash of the final block. The eventual winner — known as "the FOMO3D bot" — submitted a flood of transactions with high gas prices to ensure their own transaction landed in a favorable position, while filling adjacent blocks to prevent competing transactions. The winner extracted approximately 10,469 ETH [FOMO3D-2018].

Multiple NFT mint manipulations (2021–2023). Several high-profile NFT projects derived rare-trait assignment from the mint transaction's block hash or a similar manipulable source. In at least three documented cases, sophisticated minters used MEV bundling and validator collusion to ensure that their mint transactions landed in blocks whose hashes produced rare traits. The economic damage in these cases is harder to quantify but is estimated in the tens of millions of dollars across the affected projects.

These failures share a common pattern: the randomness was sourced from a value that was, in principle, available to a privileged party (the miner, the validator, or a colluding pool of either) before the transaction depending on it was finalized. A properly designed oracle, including all four listed above, addresses this attack class through commit-reveal or similar binding protocols. None of them addresses the more fundamental question of whether the entropy source itself was honest.

4. Threat Model

We consider four adversary classes.

A1. Validator adversary. Controls some fraction α < 1 of Solana stake. Can selectively include, exclude, or reorder transactions within blocks they propose, and can withhold blocks. Cannot forge signatures, modify state outside their proposal authority, or break standard cryptographic primitives.

A2. User adversary. Controls one or more user keypairs. Can submit transactions at chosen times, attempt to front-run other transactions visible in the mempool, and analyze on-chain state. Cannot affect block production directly.

A3. Oracle operator adversary. Operates the off-chain QSol node. Has access to entropy values returned by upstream QRNG sources before they are committed on chain. Can choose to delay, drop, or modify deliveries. Cannot forge signatures of other operators in a multi-operator deployment.

A4. Quantum adversary. Possesses a fault-tolerant quantum computer of sufficient scale to run Shor's algorithm against current elliptic-curve and RSA primitives, and Grover's algorithm against symmetric primitives. Threat models in this paper assume this capability arrives no earlier than 2030 [Mosca-2024].

We define the following security goals.

G1. Pre-reveal unpredictability. No adversary in classes A1–A3, or any combination thereof, can predict the entropy value e_i for request i with probability significantly greater than 2^{-256} before the reveal transaction T_reveal,i is included in a finalized block.

G2. Post-reveal unforgeability. After T_reveal,i is finalized, the entropy value e_i is uniquely determined and verifiable on chain. No party can substitute a different value while passing on-chain verification.

G3. Liveness. A request submitted by a well-formed transaction is fulfilled within a bounded number of slots S_max, or auto-refunded after S_timeout > S_max slots if the operator fails to respond.

G4. Source independence. No single QRNG source compromise yields predictability of the final entropy.

4.1 Security Assumptions

We rely on the following assumptions.

  • C1. SHA-256 is collision-resistant and second-preimage-resistant. Under quantum adversary A4, Grover's algorithm reduces the effective security from 256 bits to 128 bits, which remains acceptable for pre-reveal commitment binding [NIST-PQC-2024].
  • C2. The Solana consensus layer is live and provides finality within the bounds specified by [Yakovenko-2018]. Validator adversary A1 controls less than 1/3 of stake.
  • C3. At least one of the QRNG sources used by the oracle operates correctly and unobserved by the adversary at the time of measurement.
  • C4. The standard interpretation of quantum mechanics holds. There exists no local hidden variable theory consistent with experimental tests of Bell's theorem.

C4 is the substantive new assumption introduced by this work, and it is the assumption that distinguishes QSol from existing oracles. It is also, by current scientific consensus, the most defensible cryptographic assumption available — supported by direct experimental confirmation across more than four decades [Aspect-1982; Hensen-2015; Shalm-2015; Kavuri-2025] and not relying on any conjecture about computational difficulty.

5. Protocol Specification

5.1 Overview

QSol implements a four-phase commit-reveal callback protocol, with two on-chain accounts per request and a single off-chain operator (in v0.1; multi-operator extension is sketched in §10). The phases are:

  1. Request. A consumer program performs a CPI into the QSol program, paying lamports for rent and operator fee. The program creates a RequestAccount PDA and emits a EntropyRequested event.
  2. Acquisition. The off-chain operator detects the event via a logsSubscribe WebSocket subscription, fetches entropy from one or more upstream QRNG sources, generates a local nonce, and computes a commitment.
  3. Commit. The operator submits a transaction creating a CommitAccount PDA containing the commitment hash. This transaction is independent of the entropy value and reveals nothing about it.
  4. Reveal. After at least one Solana slot, the operator submits a transaction containing the entropy value and the nonce. The QSol program verifies that the SHA-256 of the entropy and nonce equals the previously committed hash, and on success performs a CPI callback into the consumer program with the entropy value as an instruction argument.

5.2 Account Model

The two PDAs are derived deterministically from the requester's pubkey and a monotonic per-requester request identifier:

RequestAccount PDA seeds:  ["request", requester_pubkey, request_id_le]
CommitAccount PDA seeds:   ["commit",  requester_pubkey, request_id_le]

RequestAccount carries the requester's pubkey, the callback program ID, the eight-byte Anchor instruction discriminator for the callback function, the operator fee in lamports, the slot at which the request was created, the timeout in slots after which the request becomes refundable, and a status enum {Pending, Committed, Fulfilled, Expired}. CommitAccount carries the request identifier, the 32-byte commitment hash, the slot at which the commitment was finalized, and the public key of the operator that submitted it.

5.3 The Commitment

Given an entropy value e ∈ {0,1}^256 returned by the QRNG layer, a fresh nonce n ∈ {0,1}^256 generated locally by the operator from a CSPRNG, and the eight-byte little-endian encoding of the request identifier r, the commitment is

c = SHA-256(e ‖ n ‖ r)

The nonce serves two purposes. First, it prevents an adversary who has any prior knowledge of the QRNG output distribution from precomputing a commitment-to-entropy table. Second, it ensures that two requests produced from the same QRNG batch (which can happen under operator buffering) produce different commitments.

5.4 Verification

On reveal, the QSol program recomputes the commitment using the supplied entropy and nonce and the stored request identifier, and checks for equality with the stored commitment. If verification passes, the program performs the callback CPI and marks the RequestAccount as Fulfilled. If it fails, the program reverts the entire reveal transaction; the request remains Committed and will eventually time out, after which the requester can claim a refund.

Because the commitment is finalized on chain before the entropy value is revealed, the operator is bound to a specific value. An attempt to substitute a different entropy at reveal time will produce a different SHA-256 output and fail verification. The only way for the operator to deliver entropy that satisfies an adversarial preference is for them to choose that preference before the commitment is finalized — that is, before the operator has incentive or even capability to know which preference would be adversarial, since the consumer program's downstream behavior typically depends on the entropy value itself.

5.5 Multi-Source Aggregation

In production deployments, QSol is configured with multiple upstream QRNG sources. The operator queries each source in parallel and aggregates the responses by bitwise XOR:

e_final = e_ANU ⊕ e_PicoQuant ⊕ e_CURBy ⊕ ... ⊕ e_n

The XOR construction has the property that as long as any one of the contributing sources produces full-entropy output that is unobserved by the adversary, the aggregate has full entropy. This generalizes assumption C3 to a disjunctive form: rather than trusting any single QRNG vendor, we require only that at least one of the sources in the configured set is honest at the moment of each measurement.

The on-chain CommitAccount includes a bitmap indicating which sources contributed to a given entropy value, allowing consumers to enforce a minimum number of independent sources as a precondition to accepting the callback.

6. Security Analysis

We argue that the protocol satisfies G1–G4 under assumptions C1–C4.

6.1 G1 — Pre-Reveal Unpredictability

Consider an adversary A from any of classes A1–A3. We show that A's probability of predicting e_i before slot s_reveal is bounded.

Case A1 (validator). A validator can observe the commitment hash c_i once it appears on chain. By assumption C1, SHA-256 is preimage-resistant. The adversary's only path to predicting e_i is to invert c_i, requiring 2^256 queries classically or 2^128 quantumly (under A4). This is infeasible.

Case A2 (user). A user adversary has the same on-chain visibility as A1 minus the ability to influence block content. Their prediction probability is bounded by the same SHA-256 preimage argument.

Case A3 (oracle operator). The operator knows the entropy value before submitting the commitment. The operator does not, however, have any control over the entropy value: it is supplied by the upstream QRNG, which by assumption C4 produces values that are not determined prior to measurement. The operator's malicious capability is therefore restricted to selecting which entropy to commit to among the values received, or delaying a commitment in the hope of a more favorable value arriving.

The first attack — selective committing — is mitigated by the multi-source XOR aggregation: as long as at least one contributing source is honest, the operator cannot anticipate the aggregate value. The second — delay — is mitigated by the timeout mechanism: a request that is not fulfilled within S_timeout slots is refundable, giving the consumer program a deterministic worst-case latency.

A subtle attack remains: the operator could sample many entropy values, commit to one, and discard the others. This does not violate G1 directly (the committed value was indeed generated by an honest QRNG), but it does allow the operator to bias the distribution of committed values if they have any reason to prefer some values over others. We do not consider this a violation of pre-reveal unpredictability — by the time the commitment is on chain, the value is fixed and unknown to all other parties — but we note that an operator with a stake in the consumer program's outcome could exploit this. The countermeasure is the multi-source XOR plus operator slashing in a multi-operator deployment (§10).

6.2 G2 — Post-Reveal Unforgeability

After T_reveal,i is finalized, the entropy value e_i is recorded in the transaction's instruction data and verified against the stored commitment c_i by the on-chain program. Forging a different e'_i requires finding n' such that SHA-256(e'_i ‖ n' ‖ r_i) = c_i. By C1, this is infeasible.

6.3 G3 — Liveness

The protocol enforces liveness through two mechanisms. First, the timeout: after S_timeout slots without fulfillment, the requester can call reclaim_request to refund the operator fee and rent. Second, in a multi-operator deployment, the failure of any single operator does not block the protocol — any operator can submit the commit and reveal transactions for any pending request.

6.4 G4 — Source Independence

The XOR-aggregation property gives source independence in the strong sense: the final entropy has full min-entropy as long as any single contributing source has full min-entropy. Compromise of k-1 of k configured sources does not reduce the min-entropy of the aggregate.

6.5 Quantum Adversary Considerations

Under A4 (Shor-capable quantum adversary), the security of QSol's on-chain primitives requires examination. The relevant primitives are:

  • SHA-256 (commitment scheme). Grover's algorithm reduces the effective preimage security of SHA-256 from 256 to 128 bits. 128-bit security is considered adequate for protocols whose security horizon is on the order of decades [NIST-PQC-2024].
  • Ed25519 (Solana transaction signatures). Vulnerable to Shor's algorithm. This is a property of Solana itself, not of QSol; mitigation is the broader Solana protocol's transition to post-quantum signatures, which the Solana Foundation announced testnet work on in December 2025 [Solana-PQ-2025].

Notably, the unpredictability property of the entropy values themselves is not threatened by a quantum adversary. The output of a properly constructed QRNG is information-theoretically random, and no computational adversary — quantum or classical — can predict it in advance of the measurement. This is one of the structural advantages of physical-source randomness over computational-source randomness in the post-quantum threat landscape: QSol's core security claim is the only major randomness primitive on a public blockchain that does not require an upgrade path against quantum adversaries.

7. Performance

7.1 Latency Decomposition

End-to-end fulfillment latency is the sum of six components:

Component Best case Typical Degraded
Request transaction confirmation 400 ms 700 ms 1200 ms
Operator event detection 20 ms 80 ms 250 ms
QRNG fetch (with pre-buffering: 0 ms) 0 ms 0 ms 150 ms
Commit transaction confirmation 400 ms 700 ms 1200 ms
Mandatory slot wait 400 ms 400 ms 800 ms
Reveal transaction confirmation + callback 400 ms 700 ms 1200 ms
Total ~1.6 s ~2.6 s ~4.8 s

The Solana slot is approximately 400 ms by design [Yakovenko-2018], with current production performance running marginally below this after the Agave 2.2 upgrade [Helius-2024]. RPC providers vary substantially; QuickNode's published p95 latency of 57 ms [QuickNode-2025] is typical of premium endpoints, while shared public RPC frequently exceeds 250 ms.

QRNG fetch latency is the most variable component and the easiest to eliminate. The ANU public API, hosted on AWS since the 2024 migration, returns 32-byte payloads in 50–150 ms from US/EU regions. PicoQuant's Berlin endpoint requires registration and returns at similar latencies. CURBy publishes daily pulses, which is too slow for direct request-time use but suitable as a long-cycle freshness check on buffered pools.

In production deployments the operator maintains a pre-buffered pool of (entropy, nonce) pairs with pre-computed commitments. New requests draw from the head of the pool and trigger background refilling. With sufficient buffer depth, the QRNG fetch leg of the critical path drops to zero.

7.2 Comparison with Existing Solana Oracles

Oracle Mechanism Median latency Per-request fee Security model
Switchboard SRS Intel SGX enclave, same-tx fulfill ~400 ms ~0.0005 SOL TEE integrity
ORAO VRF Multi-node Ed25519 VRF ~800 ms 0.001 SOL Discrete log
Pyth Entropy Hash chain commit-reveal ~1.2 s ~0.0002 SOL SHA-256 + blockhash
QSol (target) Quantum + commit-reveal ~2.6 s TBD Quantum mechanics

QSol is structurally slower than its competitors by approximately two slots (one for the mandatory commit-reveal gap, one for the additional transaction). This is the cost of the security model: the protocol cannot deliver a same-transaction quantum entropy because the operator must fetch from off-chain hardware and the fetch must be bound by an on-chain commitment before the value can be safely revealed. We argue in §8 that this is the right trade-off for the application domains where the security model matters.

7.3 Throughput

The ANU apparatus generates raw entropy at 5.7 Gbit/s. PicoQuant's apparatus produces 150 Mbit/s. CURBy publishes 512 bits per pulse on a multi-minute cadence. For a 32-byte payload per request, the ANU rate alone supports approximately 22 million requests per second at the source — far exceeding any plausible Solana oracle demand. In practice, operator throughput is bounded by Solana transaction throughput (each request requires three transactions: request, commit, reveal) and by operator account compute budget. We estimate sustained throughput of 100–500 requests per second per operator instance, which accommodates expected demand by a comfortable margin.

8. Application Domains

8.1 Online Gambling and Provable Fairness

The global online gambling industry generated approximately $97 billion in gross gaming revenue in 2024 [H2GC-2024], with projections placing the figure at $153 billion by 2030. Crypto-native gambling represents a growing share, with major offshore operators (Stake, Roobet, Rollbit, BC.Game) collectively reporting wagered volumes in the tens of billions of dollars annually.

Operators in this space have, since approximately 2014, marketed their games as "provably fair" — a term that has acquired specific technical content. The standard provably fair scheme uses HMAC-SHA256 to combine a server seed (chosen by the operator), a client seed (chosen by the player), and a nonce (incremented per round). The operator commits to the server seed by publishing its hash before the round; after the round, the server seed is revealed and the player can verify that the outcome was consistent with the committed seed.

This protocol is genuinely useful: it prevents the operator from changing the seed after seeing the player's bet. It does not address — and was never intended to address — the question of whether the server seed was random at all. The operator chooses the seed. Nothing in the protocol requires the operator to use a high-entropy seed, and nothing prevents the operator from selecting seeds that are favorable to the house in expectation. A competent implementation will use a CSPRNG to generate the server seed; a malicious or careless implementation will not, and the player has no cryptographic recourse.

The distinction matters for regulators. The Malta Gaming Authority, the UK Gambling Commission, the Curaçao Gaming Control Board, and the Isle of Man Gambling Supervision Commission all require licensed operators to demonstrate that the random number generator backing their games meets defined entropy and integrity standards, typically referencing NIST SP 800-90B or eCOGRA's testing protocols. The compliance audit examines the operator's RNG implementation and can result in license suspension for non-compliance [eCOGRA-2024].

A QSol-based gaming protocol on Solana inherits this audit chain directly. The entropy source — ANU's homodyne apparatus, PicoQuant's photon-timing apparatus, or CURBy's Bell test — can be independently audited by a gaming authority's technical reviewers. The on-chain commit-reveal proves that the operator did not substitute a different value. The XOR aggregation proves that no single source compromise would have allowed the operator to bias the outcome. The result is a gambling primitive whose fairness claim survives an adversarial audit by a regulator who is not required to trust the operator at all.

The economic stakes of this property are substantial. A licensed online casino in Malta typically pays €5,000–€25,000 in initial license fees, €10,000–€100,000 in annual fees, and ongoing compliance costs of several hundred thousand euros per year. Operators bearing these costs are willing to pay significant premiums for infrastructure that simplifies the audit. A randomness oracle that is itself certified against SP 800-90B reduces the operator's compliance scope from "audit our entire RNG and key management stack" to "audit the integration with QSol and demonstrate that our game logic correctly consumes its output."

8.2 NFT Mints and Trait Distribution

A large NFT collection — say, 10,000 items with rare traits — distributes economic value at the mint. Items with the rarest traits trade at multiples of 10x to 1000x the floor price within hours of reveal. The total value transferred at mint can easily exceed eight figures.

The mechanism by which traits are assigned to mint indices is therefore a critical fairness question. Three patterns are common:

  • Pre-revealed JSON. The trait assignment is fixed before mint and stored off-chain, with on-chain references via a Merkle root. This is fair if the order of mint is itself unpredictable, but mint-order manipulation (via priority fees, MEV bundles, or validator collusion) breaks the fairness.
  • Post-mint reveal. The trait assignment is computed after all items mint, using a randomness oracle. This requires a single high-stakes randomness call.
  • Per-mint randomness. Each mint draws traits at the time of minting using a randomness oracle. This requires many lower-stakes randomness calls.

In all three patterns, the integrity of the underlying randomness directly determines the integrity of the trait distribution. A compromised oracle or a manipulable entropy source allows an attacker to mint items with chosen traits — the most economically damaging attack a generative NFT project can suffer.

QSol provides a randomness primitive that closes this attack surface to the limits of physical possibility. The operator does not see the trait assignment in advance (because the consumer program's mapping from entropy to trait is internal). The validators do not see the entropy in advance (commit-reveal). The QRNG sources do not coordinate with the operator (multi-source XOR with public sources like ANU and PicoQuant).

8.3 Lottery and Raffle Protocols

State-run and licensed lotteries handle billions of dollars annually and operate under regulatory regimes that explicitly require certified entropy sources for prize draws. The US Powerball and Mega Millions lotteries use mechanical drawings audited by independent observers; European national lotteries typically use NIST SP 800-90B-validated electronic systems with mechanical verification.

A blockchain-native lottery — whether for charitable purposes, DeFi protocol distributions, or pure entertainment — that aspires to the same level of audit credibility requires an entropy source that meets the same bar. The current oracle market on Solana does not provide this: VRF outputs and SGX enclave outputs do not, and cannot, satisfy the SP 800-90B requirement for a documented physical noise source. QSol does.

8.4 DeFi Liquidations and Auctions

A specific class of DeFi protocols — most prominently those running auction-based liquidations or raffle-based distributions — has surfaced demand for tamper-evident randomness in financially consequential operations. Liquidation auctions where the price discovery is partially randomized to defeat front-running, raffle-distributed governance tokens, and protocol-determined NFT lottery drops all have in the past two years experienced documented manipulation when their underlying randomness was insufficient.

8.5 Prediction Markets

A prediction market with a sufficiently large user base requires both pricing oracles (for the underlying truth) and randomness oracles (for tie-breaking, sortition of disputed claims, and randomized auditing of resolution). The fairness perception of the platform — and therefore its regulatory standing in jurisdictions that distinguish between gambling and prediction markets on the basis of "skill versus chance" — depends on the auditability of the randomness used in tie-breaking and dispute resolution.

9. Why "Provable Fairness" Requires More Than Hash Commits

We return briefly to the distinction introduced in §8.1, because it bears on the broader question of what cryptographic guarantees achieve and what they do not.

The standard provably fair scheme proves consistency: the outcome of round n was consistent with a server seed committed before round n. It does not prove honest seed selection: the server seed itself was chosen from the uniform distribution. The scheme is asymmetric in the operator's favor — the operator can re-roll seeds privately until they find one whose distribution of future game outcomes is favorable, then commit and play out the consequence. This attack is undetectable to the player because the player has no oracle on the seed-generation process.

The cryptographic literature has long recognized this gap. The standard answer in academic protocols is trusted setup: a multi-party computation in which multiple parties contribute to seed generation and any honest party suffices to keep the result honest. This is what threshold BLS beacons (drand, League of Entropy) and what Aptos's native randomness module accomplish: validators contribute, and a single honest validator suffices.

Physical-source randomness offers an alternative path. If the seed is generated by a quantum measurement, the question of "honest selection" becomes ill-formed — there is no party who selected the seed, only a measurement that produced it. The operator does not choose, the validators do not choose, and the QRNG vendor does not choose. The seed exists because the universe did not have it before the measurement.

This is the cryptographic content of QSol's claim. The scheme is not that QSol is more secure than existing oracles in the sense of stronger computational assumptions — under standard assumptions, Pyth Entropy and Chainlink VRF and Switchboard SRS are all secure. The claim is that QSol's security holds under a strictly weaker set of assumptions: it does not require any computational hardness conjecture for the entropy generation step, only the standard interpretation of quantum mechanics. This is the strongest guarantee the cryptographic literature has identified for the unpredictability of a single bit.

10. Limitations and Open Problems

10.1 Single-Operator Trust

The v0.1 protocol places all liveness and most security responsibility on a single operator. While the multi-source XOR ensures that the operator cannot bias the entropy distribution as long as one source is honest, the operator can still censor requests, delay deliveries, or fail entirely. A multi-operator extension is the natural next step. We sketch the design briefly.

In a federated deployment with m operators, a request is fulfilled when any single operator submits a valid reveal. The on-chain program enforces the commit-reveal constraint per-operator: each operator must independently commit before revealing. The first valid reveal wins the operator fee; the others receive nothing. This creates a performance-based incentive to fulfill quickly, with no operator able to bias outcomes (since each commits independently).

A more aggressive design uses BFT-style threshold cryptography: each operator commits a share, and the entropy is reconstructed only when t-of-n shares are revealed. This achieves stronger censorship resistance at the cost of higher latency and more complex on-chain verification.

10.2 QRNG Vendor Trust

The protocol's security argument requires assumption C3: at least one upstream QRNG source produces full-entropy output unobserved by the adversary. This assumption is weaker than trusting any single source, but it is not vacuous. If all configured sources are compromised — for instance, if a state-level adversary has covertly placed backdoors in ANU, PicoQuant, and IDQ hardware — the protocol's guarantees fail.

The standard mitigation is to include a Bell-test certified source like CURBy in the configured set. CURBy's security argument does not require trusting NIST or CU Boulder beyond their honest operation; it requires only that the experimental setup correctly implements a loophole-free Bell test, which is independently verifiable from the published statistics of the test outcomes. A future version of this protocol will publish CURBy violation statistics on chain alongside each entropy delivery, allowing consumers to verify the Bell-test certification without trusting any party.

10.3 Decentralized Source Verification

A more fundamental open problem is the decentralized verification of the QRNG output itself. Currently, when the operator queries ANU, the operator receives bytes and cannot independently verify that the bytes came from the homodyne apparatus rather than from a software simulation. The 2025 V-ZOR proposal [V-ZOR-2025] sketches a zero-knowledge proof system for this, and Kavuri et al.'s Twine protocol [Kavuri-2025] addresses it for Bell-test sources. Integration of either into QSol is left for future work.

10.4 Throughput at Scale

If QSol becomes the dominant randomness oracle for Solana gambling, the request rate could exceed the throughput limits of any single QRNG source. The XOR aggregation property mitigates this — entropy from N sources can be batched and consumed at N times the rate of a single source — but at sustained loads of hundreds of thousands of requests per second, the protocol would require either federated operator scaling or direct integration with a high-throughput on-premises QRNG appliance such as IDQ's Centauris (250 Mbit/s) or QuintessenceLabs's qStream (8 Gbit/s).

10.5 The Cost of Pure-Quantum at Scale

Per-request, QSol's cost is dominated by transaction fees on Solana (three transactions per request) and by upstream QRNG fees (negligible for ANU's free service, modest for commercial sources). At 100,000 requests per day, the operator transaction fees alone are on the order of several SOL daily. Sustainable operation requires either subscription pricing, per-request fees in line with Pyth Entropy, or revenue from premium tiers (dedicated streams, sub-second SLA, audit certificates).

11. Related Work

API3 QRNG. Operated from May 2022 to January 2025, providing ANU-sourced and QuintessenceLabs-sourced quantum randomness via the Airnode protocol on thirteen EVM chains. Decommissioned by the API3 DAO in favor of revenue-generating data feed services. Approximately 85,000 cumulative requests fulfilled at the time of the QuintessenceLabs integration in March 2023 [API3-2024].

random-oracle.com. An independent Ethereum-only quantum oracle service operated by undisclosed parties, citing the homodyne detection methodology of Symul et al. [Symul-2011]. The associated public demonstration page returned HTTP 404 at the time of this writing; we treat the service as effectively defunct.

Krown Network and Quantum eMotion. A vertically integrated Layer 1 blockchain that uses Quantum eMotion's QRNG2 hardware (semiconductor shot-noise detection) for internal key generation and consensus randomness. Mainnet went live January 3, 2026 [Krown-2026]. The QRNG2 hardware is not exposed as an external oracle service; the system is closed within the Krown ecosystem.

CURBy (NIST + CU Boulder). A daily-pulse Bell-test certified randomness beacon launched June 2025 [Kavuri-2025]. Public, free, and cryptographically certified, but published at a cadence unsuitable for real-time blockchain applications. We use CURBy as a long-cycle verification source rather than a primary entropy feed.

Quantum Chain (QCC). A self-marketed "quantum-resilient" Layer 1 launched in 2025 with on-chip QRNG for key generation. Trading volume in the low single-digit thousands of dollars per day; treated as commercially marginal.

TSOTCHKE QRNG. A Solana program marketed as "true randomness" but implemented using SplitMix64 with quantum-themed variable naming [TSOTCHKE-2024]. We flag this for completeness; it is not a quantum random number generator under any standard definition.

V-ZOR. A research proposal [V-ZOR-2025] for verifiable cross-blockchain communication using quantum-driven ZKP oracle relays. Prototype on Sepolia and Scroll testnets; not deployed on mainnet as of this writing.

12. Conclusion

The randomness oracles deployed on public blockchains in 2026 are uniformly built on cryptographic hardness assumptions. They are secure under those assumptions, and the assumptions are reasonable. They are not, however, the strongest possible foundation for unpredictability, and they leave specific application domains — most notably regulated gambling, high-value NFT mints, and protocols whose fairness perception is a regulatory or commercial asset — without an oracle whose security argument satisfies the relevant audit standards.

QSol fills this gap on Solana. The protocol is not novel in its individual components: commit-reveal is well-established, multi-source aggregation by XOR is a standard cryptographic construction, and the ANU and PicoQuant QRNG services have been operating reliably for over a decade. The contribution is the integration: a Solana-native CPI callback oracle whose security model rests on Bell's theorem rather than on the discrete logarithm problem.

The cost is roughly two slots of additional latency relative to the fastest existing Solana oracles. For applications that need that latency back, existing oracles remain the right choice. For applications where the marginal seconds are immaterial against the marginal value of an audit-defensible entropy source, QSol is, to our knowledge, the only such option on Solana as of this writing.

We invite review, criticism, and proposed improvements from the cryptographic and quantum information communities, and from operators in the regulated gambling and gaming industries whose downstream requirements have shaped this design.

References

  • [API3-2024] API3 DAO. "QRNG service deprecation announcement." X (formerly Twitter), Nov 1, 2024.
  • [Aspect-1982] Aspect, A., Dalibard, J., Roger, G. "Experimental Test of Bell's Inequalities Using Time-Varying Analyzers." Physical Review Letters 49, 1804 (1982).
  • [Bell-1964] Bell, J. S. "On the Einstein-Podolsky-Rosen Paradox." Physics 1, 195 (1964).
  • [eCOGRA-2024] eCOGRA. "Generally Accepted Practices and Player Protection." 2024 edition.
  • [FOMO3D-2018] Various analyses of the FOMO3D end-game extraction, Aug 2018.
  • [H2GC-2024] H2 Gambling Capital. "Global Gambling Industry Estimates and Forecasts 2024–2030." Industry report, 2024.
  • [Helius-2024] Helius. "Solana Slot Times After Agave 2.2." Technical blog post, 2024.
  • [Hensen-2015] Hensen, B. et al. "Loophole-free Bell inequality violation using electron spins separated by 1.3 kilometres." Nature 526, 682 (2015).
  • [Kavuri-2025] Kavuri, A. S., Palfree, J. C., Shalm, L. K. et al. "Traceable random numbers from a non-local quantum advantage." Nature (2025).
  • [Krown-2026] Krown Technologies. "Mainnet launch announcement." Press release, January 2026.
  • [Messari-2025] Messari. "State of Pyth Q3 2025." Quarterly research report, October 2025.
  • [Mosca-2024] Mosca, M., Piani, M. "Quantum Threat Timeline Report 2024." Global Risk Institute.
  • [NIST-90B-2018] National Institute of Standards and Technology. "Recommendation for the Entropy Sources Used for Random Bit Generation." Special Publication 800-90B, January 2018.
  • [NIST-PQC-2024] National Institute of Standards and Technology. "Module-Lattice-Based Key-Encapsulation Mechanism Standard." FIPS 203, August 2024.
  • [QuickNode-2025] QuickNode. "Solana RPC Latency Benchmark." Technical report, August 2025.
  • [Ragab-2021] Ragab, H. et al. "CrossTalk: Speculative Data Leaks Across Cores Are Real." IEEE S&P, 2021.
  • [Shalm-2015] Shalm, L. K. et al. "Strong Loophole-Free Test of Local Realism." Physical Review Letters 115, 250402 (2015).
  • [SmartBillions-2017] Various post-mortems of the SmartBillions lottery contract manipulation.
  • [Solana-PQ-2025] Solana Foundation. "Project Eleven partnership for post-quantum signatures." Announcement, December 16, 2025.
  • [Symul-2011] Symul, T., Assad, S. M., Lam, P. K. "Real time demonstration of high bitrate quantum random number generation with coherent laser light." Applied Physics Letters 98, 231103 (2011).
  • [TSOTCHKE-2024] Tsotchke Corporation. SolanaQuantumFlux GitHub repository. Public source code review available at multiple third-party sites.
  • [Van-Bulck-2018] Van Bulck, J. et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution." USENIX Security, 2018.
  • [V-ZOR-2025] "V-ZOR: Enabling Verifiable Cross-Blockchain Communication via Quantum-Driven ZKP Oracle Relays." arXiv:2509.10996, September 2025.
  • [Wahl-2011] Wahl, M., Leifgen, M., Berlin, M., Röhlicke, T., Rahn, H.-J., Benson, O. "An ultrafast quantum random number generator with provably bounded output bias based on photon arrival time measurements." Applied Physics Letters 98, 171105 (2011).
  • [Yakovenko-2018] Yakovenko, A. "Solana: A new architecture for a high performance blockchain." Whitepaper, 2018.