Quantum readout is a method to verify the authenticity of an object. The method is secure provided that the object cannot be copied or physically emulated.
When authenticating an object, one can distinguish two cases.
In the hands-on scenario, physical unclonable functions (PUFs) of various types can serve as great authentication tokens. Their physical unclonability, combined with the verifier's ability to detect spoofing, makes it exceedingly hard for an attacker to create an object that will pass as a PUF clone. However, hands-on authentication requires that the holder of the PUF relinquishes control of it, which may not be acceptable, especially if there is the risk that the verifier is an impostor.
In the hands-off scenario, however, reliable authentication is much more difficult to achieve. It is prudent to assume that the challenge-response behavior of each PUF is known publicly. (An attacker may get hold of a genuine PUF for a while and perform a lot of measurements on it without being discovered.) This is a "worst case" assumption as customary in security research. It poses no problem in the hands-on case, but in the hands-off case it means that spoofing becomes a real danger. Imagine for instance authentication of an optical PUF through a glass fiber. The attacker does not have the PUF, but he knows everything about it. He receives the challenge (laser light) through the fiber. Instead of scattering the light off a physical object, he does the following:
This attack is known as "digital emulation".
For a long time spoofing in the hands-off scenario has seemed to be a fundamental problem that cannot be solved.
The traditional approach to remote object authentication is to somehow enforce a hands-on environment, e.g. by having a tamper-proof trusted remote device probing the object. Drawbacks of this approach are (a) cost and (b) unknown degree of security in the face of ever more sophisticated attacks.
The problem of spoofing in the hands-off case can be solved using twofundamental information-theoretic properties of quantum physics:
Based on these principles, the following scheme was proposed.[2]
Steps 2-4 are repeated multiple times in order to exponentially lower the false accept probability.
The crucial point is that the attacker cannot determine what the actual challenge is, because that information is packaged in a "fragile" quantum state. If he tries to investigate the challenge state by measuring it, he destroys part of the information. Not knowing where exactly to look in his challenge-response database, the attacker cannot reliably produce correct responses.
A continuous-variable quantum authentication of PUFs has been also proposed in the literature, which relies on standard wave-front shaping and homodyne detection techniques.[3]
Using the same techniques, an optical scheme for cryptographic commitments with physical unclonable functions has also been proposed in the literature.[4]
The scheme is secure only if the following conditions are met,
In multiple-scattering optical systems the above requirements can be met in practice.
Quantum Readout of PUFs is unconditionally secure against digital emulation, but conditionally against physical cloning and physical emulation.
Quantum readout of PUFs achieves
Imagine Alice and Bob wish to engage in quantum key distribution on an ad hoc basis, i.e. without ever having exchanged data or matter in the past. They both have an enrolled optical PUF. They look up each other's PUF enrollment data from a trusted source. They run quantum key distribution through both optical PUFs; with a slight modification of the protocol, they get quantum key distribution and two-way authentication. The security of their key distribution is unconditional, but the security of the authentication is conditional on the two assumptions mentioned above.
Security has been proven in the case of Challenge Estimation attacks, in which the attacker tries to determine the challenge as best as he can using measurements. There are proofs for n=1,[5] for quadrature measurements on coherent states[6] and for fixed number of quanta n>1.[7] The result for dimension K and n quantais that the false acceptance probability in a single roundcannot exceed (n+1)/(n+K).
The security of the continuous-variable quantum authentication of PUFs against an emulation attack, has been also addressed in the framework of Holevo's bound and Fano's inequality,[8] as well as a man-in-the-middle attack.[9]
All of the above security proofs assume a tamper-resistant authentication set-up, which is hard to justify in a remote authentication scenario.
Quantum readout of speckle-based optical PUFs has been demonstrated in the lab.[10] [11] This realization is known under the name Quantum-Secure Authentication.
This protocol, as well as the protocol in reference, are limited to short distances (< 10 km), due to practical issues associated with the transmission of the quantum states. In a classical setting, by encrypting the entries in the database of challenge-response pars, one can build a protocol which operates over arbitrary distances, and offers security against both classical and quantum adversaries (including emulation attack).[12]