Statistical Invisibility of a Physical Attack on QRNGs After Randomness Extraction
Abstract
Prevailing designs of quantum random number generators (QRNGs) typically employ post-processing techniques to distill raw random data, followed by statistical verification with suites like NIST SP 800-22. This paper demonstrates that this widely adopted practice harbors a critical flaw. We show that the powerful extraction process can create a false sense of security by perfectly concealing physical-layer attacks, rendering the subsequent statistical tests blind to a compromised entropy source. We substantiate this claim across two major QRNG architectures. Experimentally, we severely compromise a QRNG based on amplified spontaneous emission (ASE) with a power supply ripple attack. While the resulting raw data catastrophically fails NIST tests, a standard Toeplitz extraction transforms it into a final sequence that passes flawlessly. This outcome highlights a profound danger: since the validation process is insensitive to the quality of the raw data, it implies that even a fully predictable input could be processed to produce a certified, yet completely insecure, random sequence. Our theoretical analysis confirms this vulnerability extends to phase-noise-based QRNGs, suggesting a need for security validation to evolve beyond statistical analysis of the final output and consider the entire generation process.
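The effect described in the abstract, as an added illustration that is not the authors' code or data: a constructed, heavily biased bit source stands in for the compromised raw output, and the block sizes, bias model and function names are assumptions. It runs only the SP 800-22 monobit test before and after Toeplitz hashing, and goes slightly beyond the abstract by comparing the output length with the min-entropy of the constructed model.

```python
import math
import random

N, M, BLOCKS = 256, 128, 64  # constructed sizes: 256 raw bits in, 128 bits out per block

def p_one(i, bias=0.9, ripple=0.08, period=50):
    """Constructed model of a compromised source: P(bit=1) near 0.9 with a periodic ripple."""
    return bias + ripple * math.sin(2 * math.pi * i / period)

def model_min_entropy(n=N):
    """Min-entropy (bits) of the first n-bit raw block under the model above."""
    return sum(-math.log2(max(p_one(i), 1 - p_one(i))) for i in range(n))

def monobit_p(bits):
    """p-value of the SP 800-22 frequency (monobit) test; below 0.01 is a fail."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))

def toeplitz_rows(seed_bits, n=N, m=M):
    """Rows of the m x n Toeplitz matrix as bit masks; T[i][j] = seed_bits[i - j + n - 1]."""
    return [sum(seed_bits[i - j + n - 1] << j for j in range(n)) for i in range(m)]

def extract(block, rows):
    """Toeplitz hashing over GF(2): each output bit is the parity of (row AND block)."""
    x = sum(b << j for j, b in enumerate(block))
    return [bin(x & r).count("1") & 1 for r in rows]

def experiment(seed):
    """Return (p_raw, p_out): monobit p-values before and after extraction."""
    rng = random.Random(seed)
    rows = toeplitz_rows([rng.getrandbits(1) for _ in range(N + M - 1)])
    raw = [int(rng.random() < p_one(i)) for i in range(N * BLOCKS)]
    out = []
    for k in range(BLOCKS):
        out += extract(raw[k * N:(k + 1) * N], rows)
    return monobit_p(raw), monobit_p(out)

if __name__ == "__main__":
    p_raw, p_out = experiment(1)
    print(f"raw monobit p = {p_raw:.3g}, extracted monobit p = {p_out:.3g}")
    print(f"model min-entropy per block = {model_min_entropy():.1f} bits, output = {M} bits")
```

The extracted stream looks balanced to the test even though each 128-bit output block is derived from far less than 128 bits of min-entropy, which is why the entropy estimate has to be made on the raw data rather than on the extractor output.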