# Security & Threat Model
## What we do
- When using ANU QRNG, we **XOR-mix** its bytes with local `os.urandom` of equal length.
- If **either** source is honest and unpredictable, and the two sources are independent, the mixed output is unpredictable to any third party.
- Mixing defeats any party that knows *only one* source (e.g., a QRNG operator, or a compromised local RNG), assuming the other source remains secret.
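
The XOR-mix described above, as an added example rather than this project's own code. `xor_mix` and its `local_source` parameter are hypothetical names, and the remote bytes are constructed samples standing in for a live ANU QRNG response.

```python
import os
from typing import Callable


def xor_mix(remote: bytes, n: int,
            local_source: Callable[[int], bytes] = os.urandom) -> bytes:
    """Return n bytes of remote XOR local; raise instead of degrading."""
    if n <= 0:
        raise ValueError("n must be positive")
    # Fail closed: a short, long or empty remote reply is never padded or
    # truncated, because zip() below would silently shorten the output.
    if len(remote) != n:
        raise ValueError(f"remote gave {len(remote)} bytes, expected {n}")
    local = local_source(n)
    if len(local) != n:
        raise ValueError(f"local gave {len(local)} bytes, expected {n}")
    return bytes(r ^ l for r, l in zip(remote, local))


if __name__ == "__main__":
    n = 32
    # Constructed sample: a remote source fully known to an observer.
    known_remote = bytes(n)
    mixed = xor_mix(known_remote, n)
    print("known remote, secret local: output all zero?", mixed == bytes(n))

    # Constructed sample: a fixed local source standing in for a broken RNG.
    honest_remote = os.urandom(n)  # stand-in for bytes fetched from the QRNG
    mixed = xor_mix(honest_remote, n, lambda k: b"\x42" * k)
    print("secret remote, broken local: equals remote?", mixed == honest_remote)

    # Independence matters: if one source equals the other, they cancel out.
    leaked = os.urandom(n)
    mixed = xor_mix(leaked, n, lambda k: leaked[:k])
    print("dependent sources: output all zero?", mixed == bytes(n))

    try:
        xor_mix(b"\x00" * 8, n)  # truncated remote reply
    except ValueError as exc:
        print("rejected:", exc)
```

The dependent-sources case is why the local draw has to stay on the machine and must never travel with the QRNG request.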
## What we do NOT claim
- We do not claim absolute impossibility. We rely on standard assumptions:
  - OS CSPRNG (`os.urandom`) is cryptographically strong unless the local machine is compromised.
  - ANU QRNG backend returns true random bytes over TLS but could be logged/observed by the operator.
- Therefore, **mixing** is the default: it removes the need to trust any single source.
## Operational guidance
- Generate mnemonics **offline** (air-gapped), or at least keep outputs off the network and out of logs/clipboard.
- Never type mnemonics/seeds into a browser. Restore **your mnemonic** into a **hardware wallet** and enable a **BIP-39 passphrase** on the device.
- Store secrets on paper/metal and keep redundant copies in separate locations.
- For maximum assurance, test large streams from the QRNG with NIST STS/Dieharder; mixing with `os.urandom` already provides robustness.