Joust Quantum RNG Platform

Next-Generation Entropy for Cryptographic Infrastructure

Secure systems rely on unpredictable random numbers. In highly-regulated environments, virtualized infrastructure, or embedded systems, standard pseudo-random number generators (PRNGs) can suffer from entropy starvation or predictability.

The Joust Quantum RNG (QRNG) Platform provides cryptographically secure, high-throughput, rigorously tested quantum entropy to power your most sensitive cryptographic operations. By strictly adhering to FIPS 140-2 and 140-3 operational requirements (continuous self-tests, pre-operational testing, and health testing), we ensure maximum reliability and the highest-quality random numbers while maintaining an agile, always-evolving platform that tracks the latest research and best practices in cryptography and random number generation. From our globally-available API to our secure Linux client daemon, we deliver zero-trust randomness built on modern defense-in-depth principles and implemented in memory-safe Rust.

The Genesis of Joust QRNG

At Joust Security, our unshakeable commitment to quality drives both our internal engineering and the assessments we deliver to our customers. The Joust QRNG platform was born from a dual necessity: our own internal requirement for high-quality, non-deterministic random numbers, and the critical needs we continually observed in our clients' environments during our advanced security assessments and infrastructure reviews.

Through countless infrastructure engagements, we recognized a recurring vulnerability. Modern software-defined infrastructure and cloud deployments are increasingly susceptible to entropy starvation. The way cloud instance templates and container images are distributed often leads to risks like low-quality entropy capture and entropy reuse. Even in well-architected systems, critical key and secret generation frequently occurs during initial startup—a moment when available entropy is often at its lowest, unless hypervisors are explicitly configured to expose secure random number generators to their guests.

Furthermore, we operate in an era where "Harvest Now, Decrypt Later" (HNDL) attacks are no longer theoretical. Coupled with the rapid advancement of Generative AI and LLMs—which adversaries can use for advanced detection, triage, and agentic review of harvested data—the imperative for high-quality cryptographic material has never been higher. True random numbers are the foundational necessity for safeguarding both data in transit and data at rest against looming post-quantum threats.

Rather than waiting for these risks to materialize into breaches, we decided to pre-empt them. We engineered the Joust QRNG platform from the ground up to secure our own data centers, self-hosted environments, hypervisors, and virtual machines. Today, this exact same platform is available to our customers, ensuring uncompromising security for cloud VMs, encrypted backups, ransomware protection solutions, and core infrastructure operations. It represents our philosophy in action: building robust, future-proof defenses that we trust for ourselves, and confidently extend to you.

The Joust QRNG Ecosystem

Joust QRNG Dashboard (Joust-Hosted or On-Premises)

The command center for your entropy needs. Built for modern DevSecOps and Security teams, our Joust-hosted web-based platform allows you to provision and monitor quantum entropy instantly.

  • Granular Access Control: Generate, manage, and revoke API keys for random number generator access.
  • Granular Enterprise Limits: Dynamically tailor API request limits, maximum block sizes, and physical hardware source access on a per-user basis to fit exact organizational needs.
  • Real-Time Analytics: Monitor your current and historical cryptographic material consumption with overall and per-API key metrics.
  • Enterprise-Grade Security: A layered security-in-depth approach including MFA, constant-time cryptographic verification, and rate-limiting to prevent abuse.
  • Automated Key Masking: API keys are hashed securely at rest; you retain total control over your credentials.
  • Full Canadian Localization: A fully-localized (EN/FR) platform built for global Security and DevSecOps teams. Additional languages can be made available upon request.

Joust RNG Server (Global API or On-Premises)

The high-throughput engine behind our entropy network. Written entirely in memory-safe Rust, it is the bridge between our physical quantum hardware random number generators and your client applications.

  • Validated Quantum Source (VQS): Our primary entropy stream. Powered by a NIST SP 800-90A-compliant, configurable HMAC-DRBG (leveraging HMAC-SHA2-512 or HMAC-SHA3-512) for post-processing. It is continuously reseeded from local hardware quantum random number generators.
  • Raw Hardware Source (HWQRNG): A raw, unadulterated, and rigorously-tested stream pulled directly from local quantum hardware devices. These devices are based on the quantum shot noise of light, ensuring true non-deterministic randomness. We employ hardware from trusted manufacturers and strictly align our architecture with FIPS 140-2 and 140-3 operational requirements.
  • Massive Concurrency: Asynchronous architecture utilizing parallel processing for high-throughput entropy generation and statistical testing. Each Joust RNG Server can serve multiple gigabits per second of entropy to your applications, servers, and instances.
  • Joust-Hosted, On-Premises, or Quantum Cloud: Your choice on whether to leverage our Global API platform hosted in our data centers, host our appliances in your own data centers or physical sites, or license our technology for use within public or private quantum cloud environments, with the option to migrate to our Joust-hosted platform at any time.

Joust RNG Daemon (Linux Endpoint Integration)

A specialized daemon that seamlessly bridges the gap between the Joust RNG Server and your local Linux kernel. It fetches high-quality entropy over the network and securely injects it into the kernel's entropy pool (/dev/random), ensuring your OS never runs dry.

  • Kernel-Level Integration: Securely adds entropy using the RNDADDENTROPY ioctl, fully supporting both modern (>= 5.18) and legacy Linux kernels. It is implemented in memory-safe Rust.
  • Source Multiplexing & Fallback: Configure multiple network nodes or local hardware devices. Features intelligent circuit-breakers to instantly fall back to secondary sources if a node becomes degraded.
  • Init-System Native: Deep integration with systemd for resilient, unsupervised operation. Can also be run as a standalone daemon managed by your own init system.

Uncompromising Safeguards & Security Architecture

Security is the foundational layer of the Joust QRNG ecosystem.

Server-Side Defenses

  • Continuous Health Checks: Every block of quantum hardware entropy undergoes immediate testing, looking for anomalies and potential signs that the sources could be behaving unreliably or have been tampered with, including a Repetition Count Test and Adaptive Proportion Test in alignment with SP 800-90B. A Hardware Source (HWQRNG) failure safely marks the source as unavailable, allowing the server to use alternative HWQRNG sources, while a Validated Quantum Source (VQS) failure triggers an immediate fail-safe server shutdown, seamlessly transitioning the load to alternative Joust RNG servers within the region.
  • FIPS 140-2 and 140-3 Alignment: We strictly align with FIPS continuous self-tests, pre-operational testing, and health testing. We utilize formally validated quantum hardware sourced from trusted manufacturers, relying on the fundamentally unpredictable quantum shot noise of light.
  • Rigorous Statistical Validation: Both hardware and VQS blocks are rigorously validated in parallel using NIST SP 800-22 statistical test suites (including Monobit, Poker, Runs, Long Runs, Spectral, and more). The output from our random number generators passes tests from the Dieharder suite and stochastic modeling.
  • Cryptographic Memory Security: Sensitive internal states are securely zeroized upon drop. The server ensures that entropy pools are never swapped to disk or captured in core dumps, and that entropy blocks are only ever used once. No entropy is ever reused.
  • Strong Transport Security: Requires TLS 1.3 with Perfect Forward Secrecy (PFS) and Post-Quantum Cryptography (PQC) ciphers. Can optionally support TLS 1.2 for legacy clients.

Daemon-Side Defenses

  • Strict Privilege Separation: The daemon operates using a privileged supervisor and an unprivileged worker process. All network I/O and untrusted data handling occur in the worker process.
  • Seccomp-BPF & Capability Drops: Upon startup, the worker permanently drops root privileges, clears all Linux capabilities, and is confined by a strict Seccomp-BPF sandbox filter.
  • Pre-Injection Validation: Even after server-side block verification, the daemon's parent process independently performs statistical testing and NIST SP 800-90B health checks (continuous self-tests) on all incoming entropy before it is permitted to touch the kernel, aligning with FIPS 140-2 and 140-3 operational requirements.
  • Cryptographic Whitening: Optional pre-injection whitening utilizing SHA-256, SHA-512, SHA3-256, or SHA3-512 can be applied to the incoming entropy before sending it to the kernel.
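
The Repetition Count and Adaptive Proportion tests named under Continuous Health Checks and Pre-Injection Validation, sketched as an added Rust example (not Joust's own code). It assumes 8-bit samples at full entropy (H = 8), alpha = 2^-20, a 512-sample window and an APT cutoff of 13; the sample blocks are constructed.

```rust
// Added example, not Joust code: SP 800-90B continuous health tests
// (Repetition Count, Adaptive Proportion) over 8-bit samples.
#[derive(Debug, PartialEq)]
pub enum HealthError {
    RepetitionCount { value: u8, run: u32 },
    AdaptiveProportion { value: u8, count: u32 },
}

/// RCT cutoff C = 1 + ceil(-log2(alpha) / H) for alpha = 2^-alpha_exp.
pub fn rct_cutoff(alpha_exp: u32, h_min: f64) -> u32 {
    1 + (alpha_exp as f64 / h_min).ceil() as u32
}

/// Ok(()) means the block passed both tests and may be handed on.
pub fn check_block(block: &[u8], rct_c: u32, apt_w: usize, apt_c: u32) -> Result<(), HealthError> {
    // RCT: fail as soon as one value repeats rct_c times in a row (stuck source).
    let mut last: Option<u8> = None;
    let mut run = 0u32;
    for &s in block {
        run = if last == Some(s) { run + 1 } else { 1 };
        last = Some(s);
        if run >= rct_c {
            return Err(HealthError::RepetitionCount { value: s, run });
        }
    }
    // APT: in every full window, the first sample must occur fewer than apt_c times.
    for win in block.chunks_exact(apt_w) {
        let value = win[0];
        let count = win.iter().filter(|&&s| s == value).count() as u32;
        if count >= apt_c {
            return Err(HealthError::AdaptiveProportion { value, count });
        }
    }
    Ok(())
}

/// Constructed input (a fixed byte permutation, not entropy) that passes both tests.
pub fn sample_block() -> Vec<u8> {
    (0..1024u32).map(|i| (i * 167 + 13) as u8).collect()
}

fn main() {
    let c = rct_cutoff(20, 8.0); // assumed: alpha = 2^-20, H = 8 bits per sample
    let mut stuck = sample_block();
    stuck[100..104].fill(0xAA); // constructed stuck-at fault
    println!("healthy: {:?}", check_block(&sample_block(), c, 512, 13));
    println!("stuck:   {:?}", check_block(&stuck, c, 512, 13));
}
```

A block that returns an error is discarded rather than injected; the stuck-at case trips the Repetition Count Test, while a value that recurs too often without repeating back-to-back is caught only by the Adaptive Proportion Test.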

Service Tiers & Pricing

Whether you are a developer working on secure applications or an enterprise securing corporate VPNs and site-to-site encrypted links, we have a tier suited for your infrastructure.

Feature | Developer | Pro | Pro Max | Enterprise
Ideal For | Sandbox testing & development | Consultants, Startups, and SMEs | SaaS Vendors, Cloud Users, and Corporate VPNs | Enterprise Infrastructure & Site-to-Site Tunnels
Price | Free (By Invitation Only) | TBA at public launch | TBA at public launch | TBA at public launch
Validated Quantum Source (VQS) | Yes | Yes | Yes | Yes
Raw Hardware Source (HWQRNG) | - | - | - | Available
Number of API Keys Available | 1 API Key | TBA at public launch | TBA at public launch | Custom / Unlimited
Hourly Request Limit | 100 requests/key/hr | TBA at public launch | TBA at public launch | Custom / Unlimited
Max Blocks Per Request | 10 blocks (10 KB) | TBA at public launch | TBA at public launch | Custom
Joust RNG Daemon Support | Yes | Yes | Yes | Yes
Prometheus Metrics Endpoint | - | - | - | Available
Dedicated RNG Appliances, Servers, or Stacks | - | - | - | Available
Support | Low-Priority Email Support | Standard Email Support | Standard Email Support | Phone Support & Slack Support

The pricing above applies to our Joust-hosted offering only. Contact us for a personalized quote for our On-Premises pricing.

Joust QRNG is currently invite-only. Come back here soon to create your account, or contact our Infrastructure Team to schedule a demo of the Joust QRNG ecosystem.
