QRNG API User Guide

Complete documentation for integrating quantum-grade cryptographic entropy into your applications. API Version 0.9.0 · Last Updated December 2025

Introduction

The RION AI Quantum Random Number Generation (QRNG) API provides cryptographically secure random numbers and cryptographic keys derived from quantum mechanical entropy sources. This API enables organizations to integrate quantum-grade randomness into their security infrastructure without requiring specialized quantum hardware.

Key Benefits

Benefit Description
Quantum-Grade Entropy 7.53 bits/byte min-entropy validated to NIST SP 800-90B
No Quantum Hardware Software-only implementation using computational quantum mechanics
Full NIST Compliance Complete compliance with SP 800-90A, SP 800-90B, SP 800-90C, and SP 800-22
Post-Quantum Ready Native support for NIST FIPS 204 Dilithium signatures
Cryptographic Attestation HMAC-SHA256 signatures prove entropy origin
Enterprise Security HSM-backed key management with FIPS 140-2 Level 3

Use Cases

NIST Compliance

RION AI implements a complete Random Bit Generator (RBG) construction in full compliance with NIST Special Publication 800-90 series.

Standard Title RION AI Implementation Status
SP 800-90A DRBG Mechanisms Hash_DRBG for deterministic generation Compliant
SP 800-90B Entropy Source Validation 7.529456 bits/byte min-entropy Validated
SP 800-90C RBG Constructions Full RBG combining entropy + conditioning + DRBG Compliant
SP 800-22 Statistical Testing 99.5% pass rate (15/15 tests) Passed

SP 800-90A: DRBG Implementation

RION AI implements Hash_DRBG as specified in SP 800-90A:

SP 800-90B: Entropy Source Validation

The quantum entropy source has been validated per SP 800-90B:

Metric Requirement RION AI Result
Min-Entropy >1 bit/byte 7.529456 bits/byte
Health Tests Continuous Implemented
Conditioning Required for high entropy HKDF (RFC 5869)

SP 800-90C: RBG Construction

SP 800-90C defines how to properly construct a complete Random Bit Generator (RBG) by combining multiple components. RION AI implements a full entropy source RBG:

NIST SP 800-90C RBG Construction
Entropy Source
(800-90B)
Quantum mechanical calculations 7.53 bits/byte min-entropy
Conditioning
(HKDF)
RFC 5869 HKDF Extract-Expand
DRBG
(800-90A)
Hash_DRBG (SHA-256) Prediction resistance
Output

SP 800-90C Construction Components:

  1. Entropy Source (SP 800-90B): Quantum mechanical calculations providing raw entropy
  2. Conditioning Component: HKDF (RFC 5869) for entropy extraction and expansion
  3. DRBG (SP 800-90A): Hash_DRBG for deterministic, reproducible output generation
  4. Health Testing: Continuous monitoring of entropy source quality

SP 800-22: Statistical Testing

All output passes NIST SP 800-22 statistical test suite with 99.5% pass rate (exceeds 96% threshold):

Authentication

The API supports two authentication methods. API Keys are recommended for most use cases.

API Key Authentication (Recommended)

API Keys are long-lived credentials suitable for server-to-server integration.

X-API-Key: qrng_k7m2p9x4_a3b8c1d6e9f2g5h0j4k7m1n8p3q6r9s2t5u0v3w6x9y2z5a8b1c4d7e0f3

Characteristics:

JWT Authentication (Admin Only)

JWT tokens are short-lived (24 hours) and used primarily for administrative operations.

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Role-Based Access Control

Role Rate Limit Max Bytes Key Types Admin
basic 10/min 1,024 HMAC, AES, Custom No
standard 100/min 8,192 + RSA, Dilithium2/3 No
premium 1,000/min 65,536 + All Dilithium, All RSA No
admin 10,000/min 65,536 All Yes

API Endpoints

System Endpoints

GET /

Returns API identification and status.

GET /v1/health

Returns detailed system health and component status. No authentication required.

Random Generation

POST /v1/random

Generate cryptographically secure random bytes with attestation per NIST SP 800-90C RBG construction.

Parameter Type Default Description
num_bytes integer 32 Bytes to generate (1-65536)
format string "hex" Output format: "hex" or "base64"
quality string "high" Quality level: "standard" or "high" 
{
  "num_bytes": 64,
  "format": "hex",
  "quality": "high"
}

Verification

POST /v1/verify

Verify the cryptographic attestation on random data or keys. Public endpoint—no authentication required.

Parameter Type Description
data string The random data to verify
format string Data format: "hex", "base64", "binary"
attestation object The attestation object from generation

Key Generation

All keys are generated using the NIST SP 800-90C compliant RBG construction with quantum entropy seeding.

HMAC Keys

POST /v1/keys/hmac

Generate HMAC keys for message authentication.

Parameter Type Default Description
algorithm string "sha256" Algorithm: "sha256", "sha384", "sha512"
description string null Key description for tracking

Key Sizes: SHA-256 (256 bits), SHA-384 (384 bits), SHA-512 (512 bits)

Applications: API signing, webhook verification, JWT signing (HS256/384/512)

AES Keys

POST /v1/keys/aes

Generate AES symmetric encryption keys with optional initialization vector.

Parameter Type Default Description
key_size integer 256 Key size: 128, 192, or 256 bits
include_iv boolean false Include random 128-bit IV

Applications: File encryption, database encryption, secure communications

RSA Keys

POST /v1/keys/rsa

Generate RSA asymmetric key pairs for encryption and digital signatures.

Parameter Type Default Description
key_size integer 2048 Key size: 2048, 3072, or 4096 bits
format string "pem" Output format: "pem" or "der"
Quantum Computing Warning

RSA keys are vulnerable to Shor's algorithm on quantum computers. Plan migration to post-quantum cryptography by 2030.

Custom Keys

POST /v1/keys/custom

Generate keys of arbitrary length in various formats.

Parameter Type Default Description
key_length_bits integer Key length: 64-4096 bits (required)
format string "hex" Format: "hex", "base64", "base58"

Applications: Blockchain wallet seeds, custom protocol keys, token generation

Post-Quantum Cryptography

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms believed to be secure against attacks by quantum computers. RION AI implements NIST FIPS 204 Dilithium, the standardized lattice-based digital signature algorithm.

Why Post-Quantum Matters

Timeline Event
2024-2025 NIST finalizes PQC standards
2025-2030 Transition period - deploy hybrid solutions
2030+ Cryptographically relevant quantum computers expected
Harvest Now, Decrypt Later

Adversaries may collect encrypted data today to decrypt once quantum computers are available. Sensitive data with long-term value should use PQC now.

Dilithium Keys

POST /v1/keys/dilithium

Generate post-quantum digital signature keys using NIST FIPS 204 Dilithium.

Parameter Type Default Description
variant string "dilithium3" "dilithium2", "dilithium3", "dilithium5"
use_quantum_seed boolean true Seed from quantum entropy

Dilithium Variants

Variant NIST Level Classical Equiv. Public Key Private Key Signature
Dilithium2 Level 2 AES-128 1,312 B 2,528 B 2,420 B
Dilithium3 Level 3 AES-192 1,952 B 4,000 B 3,293 B
Dilithium5 Level 5 AES-256 2,592 B 4,864 B 4,595 B
Recommendation

Use Dilithium3 for balanced security and performance.

Hybrid Keys

POST /v1/keys/hybrid

Generate combined classical (RSA) + post-quantum (Dilithium) key pairs for maximum compatibility during the transition period.

Parameter Type Default Description
classical_type string "rsa2048" "rsa2048", "rsa3072", "rsa4096"
pqc_variant string "dilithium3" "dilithium2", "dilithium3", "dilithium5"

Benefits: Backward compatibility with RSA, future-proof with Dilithium, defense in depth.

Rate Limiting

Rate limiting uses a sliding window algorithm to enforce request limits per API key based on assigned role.

Rate Limit Headers

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 847
X-RateLimit-Reset: 1701691200
Header Description
X-RateLimit-Limit Maximum requests per minute
X-RateLimit-Remaining Requests remaining in current window
X-RateLimit-Reset Unix timestamp when limit resets

Best Practices

  1. Monitor X-RateLimit-Remaining before making requests
  2. Implement exponential backoff on 429 responses
  3. Request larger byte counts instead of many small requests
  4. Cache random data if your use case allows

Error Handling

HTTP Status Codes

Code Meaning Common Causes
200 Success Request completed successfully
400 Bad Request Invalid parameters, malformed JSON
401 Unauthorized Missing or invalid API key
403 Forbidden Insufficient permissions
422 Validation Error Parameter validation failed
429 Too Many Requests Rate limit exceeded
500 Internal Error Server-side error

Code Examples

Python

import requests

API_KEY = "qrng_k7m2p9x4_a3b8c1d6e9f2..."
BASE_URL = "https://api.rionai.com"

headers = {
    "X-API-Key": API_KEY,
    "Content-Type": "application/json"
}

# Generate random bytes
response = requests.post(
    f"{BASE_URL}/v1/random",
    headers=headers,
    json={"num_bytes": 32, "format": "hex"}
)
data = response.json()
print(f"Random: {data['data']}")

# Generate AES key with IV
response = requests.post(
    f"{BASE_URL}/v1/keys/aes",
    headers=headers,
    json={"key_size": 256, "include_iv": True}
)
key_data = response.json()
print(f"AES Key: {key_data['key']}")

# Generate Dilithium PQC key
response = requests.post(
    f"{BASE_URL}/v1/keys/dilithium",
    headers=headers,
    json={"variant": "dilithium3"}
)
pqc_data = response.json()
print(f"Dilithium Public Key: {pqc_data['public_key'][:50]}...")

JavaScript / Node.js

const API_KEY = 'qrng_k7m2p9x4_a3b8c1d6e9f2...';
const BASE_URL = 'https://api.rionai.com';

async function generateRandom(numBytes = 32) {
    const response = await fetch(`${BASE_URL}/v1/random`, {
        method: 'POST',
        headers: {
            'X-API-Key': API_KEY,
            'Content-Type': 'application/json'
        },
        body: JSON.stringify({
            num_bytes: numBytes,
            format: 'hex'
        })
    });
    return response.json();
}

async function generateDilithiumKey() {
    const response = await fetch(`${BASE_URL}/v1/keys/dilithium`, {
        method: 'POST',
        headers: {
            'X-API-Key': API_KEY,
            'Content-Type': 'application/json'
        },
        body: JSON.stringify({
            variant: 'dilithium3',
            use_quantum_seed: true
        })
    });
    return response.json();
}

// Usage
generateRandom(64).then(data => console.log(data));

cURL (Bash / macOS / Linux)

# Generate random bytes
curl -X POST "https://api.rionai.com/v1/random" \
  -H "X-API-Key: qrng_k7m2p9x4_a3b8c1d6e9f2..." \
  -H "Content-Type: application/json" \
  -d '{"num_bytes": 32, "format": "hex"}'

# Generate AES key with IV
curl -X POST "https://api.rionai.com/v1/keys/aes" \
  -H "X-API-Key: qrng_k7m2p9x4_a3b8c1d6e9f2..." \
  -H "Content-Type: application/json" \
  -d '{"key_size": 256, "include_iv": true}'

# Generate Dilithium PQC key
curl -X POST "https://api.rionai.com/v1/keys/dilithium" \
  -H "X-API-Key: qrng_k7m2p9x4_a3b8c1d6e9f2..." \
  -H "Content-Type: application/json" \
  -d '{"variant": "dilithium3"}'

# Generate Hybrid key
curl -X POST "https://api.rionai.com/v1/keys/hybrid" \
  -H "X-API-Key: qrng_k7m2p9x4_a3b8c1d6e9f2..." \
  -H "Content-Type: application/json" \
  -d '{"classical_type": "rsa3072", "pqc_variant": "dilithium3"}'

Windows PowerShell

Windows Note

PowerShell's curl is an alias for Invoke-WebRequest, not real cURL. Use the PowerShell syntax below, or use curl.exe if you have Git for Windows installed.

# Generate random bytes
Invoke-RestMethod -Uri "https://api.rionai.com/v1/random" -Method POST `
  -Headers @{"X-API-Key"="qrng_k7m2p9x4_a3b8c1d6e9f2..."; "Content-Type"="application/json"} `
  -Body '{"num_bytes": 32, "format": "hex"}'

# Generate AES key with IV
Invoke-RestMethod -Uri "https://api.rionai.com/v1/keys/aes" -Method POST `
  -Headers @{"X-API-Key"="qrng_k7m2p9x4_a3b8c1d6e9f2..."; "Content-Type"="application/json"} `
  -Body '{"key_size": 256, "include_iv": true}'

# Generate Dilithium PQC key
Invoke-RestMethod -Uri "https://api.rionai.com/v1/keys/dilithium" -Method POST `
  -Headers @{"X-API-Key"="qrng_k7m2p9x4_a3b8c1d6e9f2..."; "Content-Type"="application/json"} `
  -Body '{"variant": "dilithium3"}'

# Generate Hybrid key
Invoke-RestMethod -Uri "https://api.rionai.com/v1/keys/hybrid" -Method POST `
  -Headers @{"X-API-Key"="qrng_k7m2p9x4_a3b8c1d6e9f2..."; "Content-Type"="application/json"} `
  -Body '{"classical_type": "rsa3072", "pqc_variant": "dilithium3"}'

Security Best Practices

API Key Security

  1. Never expose keys in code repositories — Use environment variables or secrets management
  2. Rotate keys regularly — Create new keys before revoking old ones
  3. Use minimum required permissions — Request appropriate role level
  4. Monitor key usage — Review statistics for unusual activity

Transport Security

Compliance

Requirement RION AI Capability
FIPS 140-2 Level 3 via IBM Key Protect HSM
NIST SP 800-90A/B/C Full compliance
NIST SP 800-22 Statistical testing passed
SOC 2 Audit logging enabled

Glossary

Term Definition
AES Advanced Encryption Standard — symmetric block cipher
Attestation Cryptographic proof of data origin and integrity
Conditioning Processing raw entropy to improve statistical properties
DRBG Deterministic Random Bit Generator
Dilithium NIST-standardized post-quantum signature algorithm
Entropy Measure of randomness/unpredictability
HKDF HMAC-based Key Derivation Function
HSM Hardware Security Module
Min-Entropy Worst-case measure of entropy (bits per byte)
PQC Post-Quantum Cryptography
QRNG Quantum Random Number Generator
RBG Random Bit Generator (per SP 800-90C)
SP 800-90A NIST standard for DRBG mechanisms
SP 800-90B NIST standard for entropy source validation
SP 800-90C NIST standard for RBG constructions
SP 800-22 NIST statistical test suite for randomness

Support

Email: [email protected]

API Status: https://api.rionai.com/v1/health

Interactive Documentation: https://api.rionai.com/docs