Quantum readout

Quantum readout is a method to verify the authenticity of an object. The method is secure provided that the object cannot be copied or physically emulated.

Hands-off versus hands-on authentication of objects
When authenticating an object, one can distinguish two cases.
 * Hands-on authentication: The object is fully under the control of the verifier. The verifier can see if the object is of the correct type, size, weight etc.. For example, he can see the difference between a real tooth and a hologram representing the tooth.
 * Hands-off authentication: The verifier does not have full control. For example, he has line-of-sight but cannot touch the object.

In the hands-on scenario, physical unclonable functions (PUFs) of various types can serve as great authentication tokens. Their physical unclonability, combined with the verifier's ability to detect spoofing, makes it exceedingly hard for an attacker to create an object that will pass as a PUF clone. However, hands-on authentication requires that the holder of the PUF relinquishes control of it, which may not be acceptable, especially if there is the risk that the verifier is an impostor.

In the hands-off scenario, however, reliable authentication is much more difficult to achieve. It is prudent to assume that the challenge-response behavior of each PUF is known publicly. (An attacker may get hold of a genuine PUF for a while and perform a lot of measurements on it without being discovered.) This is a "worst case" assumption as customary in security research. It poses no problem in the hands-on case, but in the hands-off case it means that spoofing becomes a real danger. Imagine for instance authentication of an optical PUF through a glass fiber. The attacker does not have the PUF, but he knows everything about it. He receives the challenge (laser light) through the fiber. Instead of scattering the light off a physical object, he does the following: This attack is known as "digital emulation".
 * 1) measure the incoming wave front;
 * 2) look up the corresponding response in his database;
 * 3) prepare laser light in the correct response state and send it back to the verifier.

For a long time spoofing in the hands-off scenario has seemed to be a fundamental problem that cannot be solved.

The traditional approach to remote object authentication is to somehow enforce a hands-on environment, e.g. by having a tamper-proof trusted remote device probing the object. Drawbacks of this approach are (a) cost and (b) unknown degree of security in the face of ever more sophisticated attacks.

The basic scheme
The problem of spoofing in the hands-off case can be solved using two fundamental information-theoretic properties of quantum physics:
 * 1) A single quantum in an unknown state cannot be cloned.
 * 2) When a quantum state is measured most of the information it contains is destroyed.

Based on these principles, the following scheme was proposed. Steps 2-4 are repeated multiple times in order to exponentially lower the false accept probability.
 * 1) Enrollment. The usual PUF enrollment. No quantum physics needed. The enrollment data is considered public.
 * 2) Challenge. A single quantum (e.g. a photon) is prepared in a random state. It is sent to the PUF.
 * 3) Response. The quantum interacts with the PUF (e.g. coherent scattering), resulting in a unitary transform of the state.
 * 4) Verification. The quantum is returned to the verifier. He knows exactly what the response state should be. This knowledge enables him to perform a "yes/no" verification measurement.

The crucial point is that the attacker cannot determine what the actual challenge is, because that information is packaged in a "fragile" quantum state. If he tries to investigate the challenge state by measuring it, he destroys part of the information. Not knowing where exactly to look in his challenge-response database, the attacker cannot reliably produce correct responses.

A continuous-variable quantum authentication of PUFs has been also proposed in the literature, which relies on standard wave-front shaping and homodyne detection techniques.

Using the same techniques, an optical scheme for cryptographic commitments with physical unclonable functions has also been proposed in the literature.

Security assumptions
The scheme is secure only if the following conditions are met,
 * Physical unclonability of the PUF.
 * The attacker cannot perform arbitrary unitary transformations on the challenge quantum (i.e. physical emulation of the PUF is supposed to be infeasible).

In multiple-scattering optical systems the above requirements can be met in practice.

Quantum Readout of PUFs is unconditionally secure against digital emulation, but conditionally against physical cloning and physical emulation.

Special security properties
Quantum readout of PUFs achieves
 * Hands-off object authentication without trusted hardware at the side of the object.
 * Authentication of a quantum communication channel without a priori shared secrets and without shared entangled particles. The authentication is based on public information.

Imagine Alice and Bob wish to engage in quantum key distribution on an ad hoc basis, i.e. without ever having exchanged data or matter in the past. They both have an enrolled optical PUF. They look up each other's PUF enrollment data from a trusted source. They run quantum key distribution through both optical PUFs; with a slight modification of the protocol, they get quantum key distribution and two-way authentication. The security of their key distribution is unconditional, but the security of the authentication is conditional on the two assumptions mentioned above.

Security proofs
Security has been proven in the case of Challenge Estimation attacks, in which the attacker tries to determine the challenge as best as he can using measurements. There are proofs for n=1, for quadrature measurements on coherent states and for fixed number of quanta n>1. The result for dimension K and n quanta is that the false acceptance probability in a single round cannot exceed (n+1)/(n+K).

The security of the continuous-variable quantum authentication of PUFs against an emulation attack, has been also addressed in the framework of Holevo's bound and Fano's inequality, as well as a man-in-the-middle attack.

All of the above security proofs assume a tamper-resistant authentication set-up, which is hard to justify in a remote authentication scenario.

Experimental realization
Quantum readout of speckle-based optical PUFs has been demonstrated in the lab. This realization is known under the name Quantum-Secure Authentication.

This protocol, as well as the protocol in reference, are limited to short distances (< 10 km), due to practical issues associated with the transmission of the quantum states. In a classical setting, by encrypting the entries in the database of challenge-response pars, one can build a protocol which operates over arbitrary distances, and offers security against both classical and quantum adversaries (including emulation attack).