Intercept-Resend Emulation Attacks against a Continuous-Variable Quantum Authentication Protocol with Physical Unclonable Keys

Abstract

Optical physical unclonable keys are currently considered to be rather promising candidates for the development of entity authentication protocols, which offer security against both classical and quantum adversaries. In this work, we investigate the robustness of a continuous-variable protocol, which relies on the scattering of coherent states of light from the key, against three different types of intercept–resend emulation attacks. The performance of the protocol is analyzed for a broad range of physical parameters, and our results are compared to existing security bounds.

1. Introduction

Entity authentication (or identification) is a fundamental cryptographic task, which aims at providing a verifier with assurance about the identity of another entity (a claimant) [1]. In order to offer high levels of security, modern protocols combine in the framework of a challenge–response mechanism, something that the claimant possesses together with something that the claimant knows [2]. For instance, a typical transaction through an automatic-teller machine (verifier) relies on the smart card that the user possesses, and a secret personal identification number (PIN). In each transaction, the PIN is used to verify the user to the smart card, while the latter is equipped with a chip that runs a publicly-known algorithm, and involves a numerical secret key on the card for which the verifier has a matching counterpart i.e., either shares the secret key with the verifier or holds the public key to the secret key. Verification of the smart card is performed only if the PIN is correct, and involves a number of random and independent numerical challenges, for which the chip on the card computes a response based on the implemented algorithm and the key. The user is authenticated only if the responses agree with the ones expected by the verifier. Attacks against conventional smart cards and dynamic entity-authentication protocols (EAP) are difficult but not impossible (e.g., see [3,4,5] and references therein). More precisely, physical invasive and non-invasive attacks, as well as software attacks (e.g., viruses), constitute a severe threat as they allow adversaries to extract the secret key from the card. The necessity for entity-authentication protocols that are robust against such types of attacks has motivated the development of physical unclonable functions (PUFs) [6,7,8].

In general terms, a PUF is a cryptographic primitive which converts an input challenge into an output response, by means of a random physical unclonable key (PUK). The randomness of the PUK is introduced explicitly or implicitly during its fabrication, and it is considered to be technologically hard to clone (hence the term physical unclonable). The physical mechanism underpinning the operation of a PUF, as well as the nature of the challenge, depend on the nature of the PUK. Hence, one can have electronic, optical, magnetic, biological PUFs, etc. For a rather extensive list of PUFs and their classification, the reader may refer to Ref. [8]. Up to now, electronic and optical PUFs appear to be the most prominent classes of PUFs. An advantage of the former is that they are compatible with existing technology and hardware, but their robustness against various types of modelling attacks does not seem to be as strong as expected (see [9,10,11,12] and references therein). On the contrary, optical PUFs are not fully compatible with existing technology, but they offer many advantages relative to certain types of electronic PUFs, including high complexity, security against modeling attacks, and low cost [13].

Another advantage of optical PUFs is that they accept quantum states of light as challenges, thereby enabling the design of EAPs whose security relies on fundamental principles of quantum physics [14,15]. Typically, the operation of such an EAP relies on a set of numerical challenge–response pairs (CRPs), which is generated during the enrollment stage, and it is stored in a secure database (see Figure 1). There is also a publicly known bijective map of the set of numerical challenges onto a set of non-orthogonal quantum states of light. Whenever the holder of the PUK has to authenticate himself in a potentially unsecured verification set-up, his PUK undergoes a verification procedure, where it is interrogated by a random sequence of non-orthogonal quantum states of light. Each state corresponds to a random and independently chosen numerical challenge. The optical response of the PUK to each quantum challenge is measured and processed in order to obtain a numerical response. The user is authenticated if the recorded numerical responses do not deviate considerably from the expected numerical responses listed in the set of CRPs. The precise quantification of the deviations depends strongly on the details of the protocol, and plays a pivotal role in its security. The main point is that, even when an adversary knows the set of numerical CRPs to be used for the verification of a PUK, the impersonation of the legitimate user requires interaction of the adversary with the quantum states used for the interrogation of the PUK. This is the only way for the adversary to estimate the numerical challenges encoded on the quantum states, and to send the corresponding responses to the verifier by looking at the estimated challenges up in the set of CRPs. However, fundamental theorems of quantum physics prevent perfect discrimination between non-orthogonal quantum states. As a result, the intervention of the adversary will inevitably introduce errors that will be detected by the verifier, who can abort the authentication process.

In this context, we recently proposed a continuous-variable quantum authentication of optical PUKs, which relies on standard wavefront-shaping and homodyne–detection techniques [15]. Up to now, the protocol has been shown to offer cloning and collision resistance, while its security against an emulation attack, in which an adversary knows the challenge–response properties of the PUK and he can access the challenges during the verification, has been analyzed in Ref. [16]. The analysis of Ref. [16] is rather general and does not involve any assumptions about the type of the state-discrimination strategy adopted by the adversary. Hence, the natural question arises as to whether the security bound obtained in Ref. [16] can be attained by means of standard state-discrimination techniques, which are within reach of current or future technology. In the present work, this question is addressed for unambiguous state discrimination, minimum-error discrimination, and dual-homodyne detection.

The paper is organized as follows. In Section 2, we discuss briefly the EAP, while the intercept–resend attacks under consideration are formulated in Section 3. Our main results and the robustness of the protocol are discussed in Section 4. A summary with concluding remarks is given in Section 5.

2. Authentication Scheme

The EAP under consideration and the related verification set-up have been discussed in detail elsewhere [15,16], but, for the sake of completeness, we will give here a brief overview, focusing mainly on the aspects of the EAP that are directly pertinent to the present work. The interested reader may refer to Refs. [15,16] for a detailed description.

The main parts of the verification set-up are shown in Figure 2. A coherent probe is directed to the interrogation chamber via a single-mode fiber (SMF A), and its wavefront is shaped by a phase-only spatial light modulator (SLM) thereby obtaining the quantum challenge, which is focused on the PUK. The scattered light (speckle) is collected by means of a polarizing beam-splitter and an objective. One of the speckle grains is coupled to a properly positioned single-mode fiber (SMF B), which leads to a standard homodyne detection (HD) set-up. SMF B can be translated in a controlled manner at the output plane in order to collect light from different speckle grains (different target modes). The field in the mode of the fiber is the response of the PUK to the particular challenge, and, in the HD set-up, the verifier measures at random one of the two conjugate quadratures using a strong local oscillator (LO) as reference.

The set-up operates in the diffusive limit [15,16], and the phase-mask of the SLM is optimized so that the intensity of the scattered light in SMF B is maximized. The optimization can be performed with standard algorithms [17,18,19], and, for a fixed set-up, the optimal phase mask $\mathsf{\Phi }$ of the SLM depends strongly on the PUK $\mathcal{K}$ and the chosen target mode at the output s, while it is independent of the details of the probe state [20,21]. Moreover, having obtained the optimal phase pattern, one can apply a global phase shift to it, thereby determining the phase of the field at the target mode relative to the LO, without affecting the intensity [22]. Throughout this work, we assume that the probe is in a coherent state with a fixed mean number of photons ${\mu }_{\mathrm{P}}$, which is chosen at random and independently from the symmetric set

$$\begin{array}{c}\hfill {\mathbb{S}}_N:=\left\{|{\alpha }_k\rangle =|\sqrt{{\mu }_{\mathrm{P}}}{e}^{i{\phi }_k}\rangle :{\phi }_k:=\frac{2\pi k}{N},k\in {\mathbb{Z}}_N\right\},\end{array}$$

(1)

where ${\mathbb{Z}}_N=\{0,1,\dots ,N-1\}$ and $N\gg 1$. We associate a randomly chosen phase shift with each possible value of k, which is applied on the optimal phase pattern of the SLM when the probe state $|{\alpha }_k\rangle$ is used. Hence, the optimal phase pattern for the probe state $|{\alpha }_k\rangle$ becomes ${\mathsf{\Phi }}_k:=\mathsf{\Phi }+{\omega }_k$, where ${\omega }_k$ denotes the applied global shift, and is chosen at random and independently from a uniform distribution over finite set $\mathsf{\Omega }$. In the diffusive limit, the action of the entire set-up on the input probe can be represented by a linear transformation, which depends on various parameters of the set-up, including the PUK, and the (shifted) phase pattern of the SLM. The main quantity of interest is the quantum mechanical expectation value of the $\theta$-quadrature of the electric field in SMF B at the entrance of the HD set-up, which is given by [15,16]

$$\begin{array}{c}\hfill {\langle \widehat{Q}(\theta )\rangle }_k=\sqrt{2{\mu }_{\mathrm{R}}}cos({\chi }_k-\theta ),\end{array}$$

(2)

where the mean number of photons ${\mu }_{\mathrm{R}}$ that reach the HD set-up is smaller than ${\mu }_{\mathrm{P}}$. Equation (2) encapsulates possible losses, and various other parameters pertaining to the set-up and the applied wavefront-shaping technique. For a fixed set-up with publicly-known parameters, ${\mu }_{\mathrm{R}}$ can be considered fixed and known, while the phase ${\chi }_k$ is fully determined by the phase of the probe state ${\phi }_k$, the associated random phase shift ${\omega }_k$, and the PUK. For $\theta =0$ and $\pi /2$, one obtains the expectation values of the conjugate quadratures of the field $\widehat{X}$ and $\widehat{Y}$, respectively.

There are two distinct stages in the EAP under consideration i.e., the enrollment and the verification stages (see Figure 1). The enrollment stage takes place only once, before a PUK is given to a user, it is performed by the manufacturer, and aims at a reliable characterization of the PUK with respect to its responses to a finite set of challenges. The typical list of CRPs for the protocol under consideration is given in

Table 1. Illustration of a set of CRPs used for authentication of a PUK. The set is identified by a unique identification number (see discussion in Section 5). The angles $\theta =0$ and $\pi /2$ refer to the quadratures $\widehat{X}$ and $\widehat{Y}$ of the field in SMF B at the entrance of the homodyne detection (HD) set-up, respectively (see Figure 2).

Identification Number
Challenge		Response
k	Phase mask	$\theta =0$	$\theta =\pi /2$
0	${\mathsf{\Phi }}_0$	${\langle \widehat{X}\rangle }_0$	${\langle \widehat{Y}\rangle }_0$
1	${\mathsf{\Phi }}_1$	${\langle \widehat{X}\rangle }_1$	${\langle \widehat{Y}\rangle }_1$
2	${\mathsf{\Phi }}_2$	${\langle \widehat{X}\rangle }_2$	${\langle \widehat{Y}\rangle }_2$
⋮		⋮	⋮
$N-1$	${\mathsf{\Phi }}_{N-1}$	${\langle \widehat{X}\rangle }_{N-1}$	${\langle \widehat{Y}\rangle }_{N-1}$

. We assume that the enroller has all the resources needed for the reliable estimation of the response $R_k:=\{{\langle \widehat{X}\rangle }_k,{\langle \widehat{Y}\rangle }_k\}$ for each challenge $C_k:=\{k,{\mathsf{\Phi }}_k\}$ [15]. After the enrollment stage, the list of CRPs is stored in a database of a server, and the PUK is given to a user.

The verification stage takes place each time the user wishes to authenticate himself. He has to input the PUK in a potentially unsecured verification set-up, which is connected to the database over a secure and authenticated classical channel. The server sends to the verifier a sequence of $M\gg 1$ challenges, chosen at random from the available challenges, together with a sequence of M angles $({\theta }_1,{\theta }_2,\dots ,{\theta }_M)$ chosen at random and independently from a uniform distribution over $\{0,\pi /2\}$. The PUK is interrogated sequentially by the M challenges. In the jth challenge $C_{k_j}:=\{k_j,{\mathsf{\Phi }}_{k_j}\}$, the verifier measures the ${\theta }_j$-quadrature of the field in SMF B. Assuming very strong LO field, the outcome of the measurement in the HD set-up follows a normal distribution $\mathcal{N}({\langle \widehat{Q}({\theta }_j)\rangle }_{k_j},{\sigma }^2)$, which is centered at the expectation value of the measured quadrature and its standard deviation $\sigma =1/\sqrt{2\eta }$, is determined by the detection efficiency $\eta$ of the HD set-up. The outcomes from all of the M measurements are returned to the server, over the classical channel. Acceptance or rejection of the PUK is decided upon the fraction of outcomes $p_{\mathrm{in}}$ that fall within an interval (bin) of width $\Delta$, which is centered at the expectation value of the measured quadrature ${\langle \widehat{Q}({\theta }_j)\rangle }_{k_j}$. The theoretically expected probability for an outcome to fall inside the interval is given by [16]

$$\begin{array}{c}\hfill P_{\mathrm{in}}^{(0)}=\mathrm{erf}\left(\frac{\overline{\Delta }}{2\sqrt{2}}\right)\end{array}$$

(3)

with $\overline{\Delta }=\Delta /\sigma$, which is independent of k and $\theta$. For sufficiently large values of M, one can ensure with high confidence that for the true PUK and in the absence of cheating, the empirical probability $p_{\mathrm{in}}$ will lie in an interval of size $2\epsilon$ around the theoretically expected probability $P_{\mathrm{in}}^{(0)}$ [15,16]. Hence, the PUK is accepted if $|p_{\mathrm{in}}-P_{\mathrm{in}}^{(0)}|<\epsilon$, and is rejected otherwise. As we will see later on, the security parameter $\epsilon$ plays a central role in the protocol, as it determines the regime of parameters for which an attack can be detected by the verifier.

3. Intercept–Resend Emulation Attacks

The emulation attacks under consideration follow closely the general theoretical framework of Ref. [16], which is summarized in Figure 3. We assume that the adversary does not have access to the preparation of the probe states, the actual PUK, the SLM, or the HD set-up. However, he has obtained somehow a copy of all the possible CRPs to be used in the authentication of the PUK, and moreover he has obtained access to the incoming and outgoing SMFs, without being detected. Hence, if the adversary were able to estimate exactly the probe state, he would be able to impersonate successfully the holder of the PUK, by looking at the CRPs and by sending to the HD set-up the expected response state. However, quantum physics does not allow for perfect discrimination between non-orthogonal quantum states, or the measurement of non-communting quantum observables with arbitrary accuracy. As a result, it is inevitable for the adversary’s intervention to introduce errors in the HD performed by the verifier.

Given that the probe states in the M queries are chosen at random and independently from a uniform distribution over the set ${\mathbb{S}}_N$, from now on, we can focus on one of the queries and let $|{\alpha }_k\rangle$ denote the incoming probe state. The adversary’s task is to obtain an estimate of the integer k, which determines fully the challenge and the expected response. To this end, he performs a measurement on the incoming probe state, and, based on the outcome, the adversary makes an educated guess about k, to be denoted by $\tilde{k}$. For the reasons discussed above, this guess may or may not be equal to the actual k used by the verifier, and thus the adversary’s intervention will affect the probability with which the verifier obtains an outcome in the expected bin. More precisely, instead of Equation (3), one has [16]

$$\begin{array}{c}\hfill P(\mathrm{in}|k,\tilde{k},\theta )=\frac{1}{2}\left\{\mathrm{erf}\left[\frac{2\left({\langle \widehat{Q}(\theta )\rangle }_k-{\langle \widehat{Q}(\theta )\rangle }_{\tilde{k}}\right)+\Delta }{2\sqrt{2}\sigma }\right]-\mathrm{erf}\left[\frac{2\left({\langle \widehat{Q}(\theta )\rangle }_k-{\langle \widehat{Q}(\theta )\rangle }_{\tilde{k}}\right)-\Delta }{2\sqrt{2}\sigma }\right]\right\},\end{array}$$

(4a)

where ${\widehat{Q}}_k(\theta )$ and ${\widehat{Q}}_{\tilde{k}}(\theta )$ denote the $\theta$-quadratures of the response field, when the adversary deduces the correct and the wrong value of k. Both of them are given by Equation (2) for k and $\tilde{k}$, respectively.

Given that the verifier samples from both quadratures at random and independently, after M queries, the verifier will obtain an estimate of the average probability [16]

$$\begin{array}{ccc}\hfill P_{\mathrm{in}}& =& \sum _{k=0}^{N-1}\sum _{\tilde{k}=0}^{N-1}\sum _{\theta \in \{0,\pi /2\}}P(\mathrm{in},k,\tilde{k},\theta )=(1-P_{\mathrm{err}})P_{\mathrm{in}}^{(0)}+\frac{1}{2N}\sum _k\sum _{\tilde{k}\ne k}P(\tilde{k}|k)\sum _{\theta =0,\pi /2}P(\mathrm{in}|k,\tilde{k},\theta )\hfill \end{array}$$

(4b)

where $P(\mathrm{in}|k,\tilde{k},\theta )$ is given by Equation (4a) and

$$\begin{array}{c}\hfill P_{\mathrm{err}}:=\sum _{k}P(k,\tilde{k}\ne k)=1-\frac{1}{N}\sum _{k}P(\tilde{k}=k|k)\end{array}$$

(5)

is the probability for the adversary to make an error in his estimation of k.

The probability $P_{\mathrm{in}}$ takes into account all of the events irrespective of whether the adversary deduced the correct value of k or not. In the second equality of Equation (4b), we have taken into account the uniform distribution of k over ${\mathbb{Z}}_N$ and of $\theta$ over $\{0,\pi /2\}$. Moreover, we have used the fact that the state of the probe and the outcome of the adversary are independent of the quadrature to be measured by the verifier. A straightforward calculation [16] shows that $P_{\mathrm{in}}$ is always smaller than the corresponding expression in the absence of cheating [which is given by Equation (3)], and the difference

$$D:=P_{\mathrm{in}}^{(0)}-P_{\mathrm{in}}$$

(6a)

basically quantifies the adversary’s intervention. The adversary’s intervention will be detected by the verifier when the observed deviations from $P_{\mathrm{in}}^{(0)}$ exceed the statistical deviations i.e., when

$$\begin{array}{c}\hfill D>2\epsilon .\end{array}$$

(6b)

As mentioned above, the security threshold $2\epsilon$ is determined by the sample size M in the verification stage, while, in general, the exact values of $P_{\mathrm{err}}$, $P_{\mathrm{in}}$, and D, depend on the measurement applied by the adversary. However, working along the lines of Ref. [16], one readily obtains a lower bound on $P_{\mathrm{err}}$, which in turn yields the following lower bound on D

$$\begin{array}{c}\hfill D\ge P_{\mathrm{err}}^{(\mathrm{low})}\left[P_{\mathrm{in}}^0-P_{max}(\mathrm{in}|\mathrm{error})\right]:=D_{\mathrm{low}},\end{array}$$

(7)

where $P_{max}(\mathrm{in}|\mathrm{error}):={max}_{k,\tilde{k}}{\left\{P(\mathrm{in}|k,\tilde{k})\right\}}_{\tilde{k}\ne k}$. This bound is expected to hold irrespective of the adversary’s measurement, and its dependence on various parameters of the protocol has been discussed in detail elsewhere [16]. In particular, it has been shown that, for any given combination of parameters $\{\epsilon ,\Delta ,{\mu }_P,{\mu }_R\}$, the secure operation region for the protocol becomes wider for increasing $\eta$. Typical HD set-ups have $\eta >0.5$, and $\eta =0.5$ can be considered as the worst-case scenario for the security of the protocol. The size of the bin width $\Delta$ relative to the detection efficiency is a free parameter that can be chosen at will, in order to optimize the performance of the protocol. For any given combination of $\{\epsilon ,\eta ,{\mu }_P,{\mu }_R\}$, it has been shown that the optimal value is $\Delta \simeq 2\sigma$. Hence, although our simulations have been extended to various combinations of $\eta$ and $\Delta$, throughout the present work, we focus on numerical results for $\eta =0.5$ and $\Delta =2\sigma$. To facilitate the analysis of our results for the three different attacks, in Figure 4, we plot the lower bound $D_{\mathrm{low}}$ as a function of N, for different values ${\mu }_{\mathrm{P}}$ and ${\mu }_{\mathrm{R}}$. As explained in Ref. [16], the depicted asymmetric bell-shape stems from the fact that $D_{\mathrm{low}}$ is a product of two functions of N with opposite monotonicity (see Equation (7)). More precisely, $P_{\mathrm{err}}^{(\mathrm{low})}$ increases with increasing N approaching a non-zero value determined by the classical limit, while $P_{\mathrm{in}}^{(0)}-P_{max}(\mathrm{in}|\mathrm{error})$ decreases with increasing N, approaching zero for large values of N. A crucial parameter for the security of the protocol is the mean number of photons that reach the HD set-up. The larger ${\mu }_{\mathrm{R}}$ is for a fixed N, the easier the verifier can discriminate between $\langle {\widehat{Q}}_k(\theta )\rangle$ and $\langle {\widehat{Q}}_{\tilde{k}\ne k}(\theta )\rangle$. In general, ${\mu }_{\mathrm{R}}$ can be increased in two different ways: (i) increasing ${\mu }_{\mathrm{P}}$ for fixed losses in the set-up; (ii) improving the set-up, thereby reducing the losses. Figure 4a,b refers to these two cases, and in both of them we see that, for a given $\epsilon$, the secure region gets wider with increasing ${\mu }_R$, which is in agreement with the aforementioned role of ${\mu }_{\mathrm{R}}$ in the discrimination of different responses.

3.1. Dual Homodyne–Detection Attack

In a dual homodyne–detection attack (DHA), for each probe, the adversary performs a joint measurement of the non-commuting observables $\{{\widehat{X}}_k,{\widehat{Y}}_k\}$, by means of an eight-port interferometric set-up [23,24], thereby obtaining a bivariate random variable $(x,y)$, which follows the two-dimensional normal distribution

$$\begin{array}{c}\hfill P_k^{(\mathrm{DH})}(x,y)=\frac{1}{2\pi }exp\left(-\frac{{\left[x-{\langle {\widehat{X}}_A\rangle }_k\right]}^2+{\left[y-{\langle {\widehat{Y}}_A\rangle }_k\right]}^2}{2}\right),\end{array}$$

(8a)

where ${\langle {\widehat{X}}_A\rangle }_k$ and ${\langle {\widehat{Y}}_A\rangle }_k$ refer to the expectation values of the quadratures of the electric field in SMF A, when the field is in state $|{\alpha }_k\rangle$. Assuming negligible losses in SMF A and in the set-up of the adversary, we have

$$\begin{array}{c}\hfill {\langle {\widehat{X}}_A\rangle }_k=\langle {\alpha }_k|{\widehat{X}}_A|{\alpha }_k\rangle =\sqrt{2{\mu }_{\mathrm{P}}}cos({\phi }_k),{\langle {\widehat{Y}}_A\rangle }_k=\langle {\alpha }_k|{\widehat{Y}}_A|{\alpha }_k\rangle =\sqrt{2{\mu }_{\mathrm{P}}}sin({\phi }_k).\end{array}$$

(8b)

Moreover, in Equation (8a), we have assumed perfect detection efficiency for the adversary $({\sigma }_{\mathrm{DH}}=1)$, which is the worst-case scenario for the security of the protocol. Hence, when the efficiency in the HD set-up of the verifier is $\eta \ge 0.5$, we have $\sigma \le {\sigma }_{\mathrm{DH}}$. This suggests that, for either of the quadratures, the adversary samples from a distribution, which is at least as broad as the distribution sampled by the verifier.

To proceed further, we have to define a strategy for the adversary to make an educated guess for the probe stare $|{\alpha }_k\rangle$, given the random outcome of the dual-homodyne detection $(x,y)$. Recall here that the adversary has obtained a copy of the list of the CRPs for the particular PUK, which allows him to discretize the phase space as shown in Figure 5. The k-th sector corresponds to the probe state $|{\alpha }_k\rangle$. It is centered at $\{{\langle {\widehat{X}}_A\rangle }_k,{\langle {\widehat{Y}}_A\rangle }_k\}$, and its angular extension is from ${\phi }_k-\pi /N$ to ${\phi }_k+\pi /N$, while its radius $\rho$ extends from 0 to $\pm \infty$. Thus, when the random outcome $(x,y)$ falls in the $\tilde{k}$-th sector, the adversary concludes that the probe state was $|{\alpha }_{\tilde{k}}\rangle$, and thus the response expected by the verifier is $R_{\tilde{k}}$. Working in polar coordinates, the probability for the random outcome $(x,y)$ to fall within the $\tilde{k}$-th sector given that the probe state was $|{\alpha }_k\rangle$ is given by the integral

$$\begin{array}{c}\hfill P^{(\mathrm{DH})}(\tilde{k}|k)=\frac{1}{2\pi }{\int }_{{\phi }_{\tilde{k}}-\frac{\pi }{N}}^{{\phi }_{\tilde{k}}+\frac{\pi }{N}}\mathrm{d}\gamma {\int }_0^{\infty }\rho exp\left[-\frac{{\rho }^2+2{\mu }_{\mathrm{P}}-\sqrt{8{\mu }_{\mathrm{P}}}\rho cos(\gamma -{\phi }_k)}{2}\right]\mathrm{d}\rho ,\end{array}$$

(9)

where we have set $x=\rho cos(\gamma )$, $y=\rho sin(\gamma )$, and used Equations (8a) and (8b). Setting ${\gamma }^{\prime }=\gamma -{\phi }_k$, one can readily confirm that this probability depends only on the difference $n:=(\tilde{k}-k)modN$. Therefore, the probability for the adversary to deduce the wrong probe state is given by

$$\begin{array}{c}\hfill P_{\mathrm{err}}^{(\mathrm{DH})}=1-\sum _{k=0}^{N-1}p(k)P^{\mathrm{DH}}(\tilde{k}=k|k)=1-P^{\mathrm{DH}}(\tilde{k}=k|k).\end{array}$$

(10)

After the measurement, the adversary prepares and sends to the verifier a coherent state $|{\beta }_{\tilde{k}}\rangle$, which is consistent with his educated guess about the probe state, and will induce the expected statistics at the HD set-up of the verifier. The average probability $P_{\mathrm{in}}^{(\mathrm{DH})}$ for the state $|{\beta }_{\tilde{k}}\rangle$ to result in an outcome within the expected bin is given by Equation (4b), after substituting $P(\tilde{k}|k)$ by $P^{(\mathrm{DH})}(\tilde{k}|k)$, which is given by Equation (9). Hence, the adversary’s intervention will introduce errors in the estimate to be obtained by the verifier, which are quantified by the difference

$$\begin{array}{c}\hfill D^{(\mathrm{DH})}:=P_{\mathrm{in}}^{(0)}-P_{\mathrm{in}}^{(\mathrm{DH})}=P_{\mathrm{err}}^{(\mathrm{DH})}\left\{P_{\mathrm{in}}^{(0)}-\frac{1}{P_{\mathrm{err}}^{(\mathrm{DH})}}\left[\frac{1}{2N}\sum _k\sum _{\tilde{k}\ne k}{P}^{(\mathrm{DH})}(\tilde{k}|k)\sum _{\theta =0,\pi /2}P(\mathrm{in}|k,\tilde{k},\theta )\right]\right\}.\end{array}$$

(11)

The term inside the brackets is the joint probability for the adversary to deduce the wrong value for k, and the outcome of the HD of the verifier to fall within the expected bin.

3.2. Unambiguous State-Discrimination Attack

Assume now that the adversary applies an ideal unambiguous discrimination (UD) measurement to each probe, in order to deduce which of the N possible coherent states is used by the verifier [25,26,27,28]. The adversary will either obtain a conclusive result, or an inconclusive result. In the former case, he learns the actual state of the probe with certainty, whereas, in the latter, he learns nothing about the incoming state, which is destroyed by the measurement, and additional measurement on it will not provide any useful information. Given that the adversary has the list of CRPs, a conclusive result implies that the adversary knows precisely the response expected by the verifier, whereas, in the case of an inconclusive result, all of the possible responses are equally probable.

The minimum probability for an inconclusive result is [25]

$$\begin{array}{c}\hfill P_{\mathrm{inc}}=1-N·{\min }_{r\in {\mathbb{Z}}_N}\left(\frac{1}{N}\sum _{j=0}^{N-1}{e}^{-\mathrm{i}2\pi jr/N}·e^{{|\alpha |}^2(e^{\mathrm{i}2\pi j/N}-1)}\right),\end{array}$$

(12)

which is independent of the value of k i.e., independent of the probe state. In the case of a conclusive outcome, the adversary will prepare and send a coherent state, which will induce the expected statistics at the HD set-up of the verifier. Hence, the probability for the verifier to get a result inside the bin, given that the adversary obtained a conclusive outcome, is equal to $P_{\mathrm{in}}^{(0)}$ (see Equation (3)). On the contrary, in the case of an inconclusive result, the adversary has no information on the probe state or on the response expected by the verifier. Given that the verifier expects a response state for each probe, the adversary has to send a state to the HD set-up of the verifier. Hence, we assume that, in the case of an inconclusive outcome, the adversary has to choose at random one of the N equally probable responses, and send a coherent state $|{\beta }_{\tilde{k}}\rangle$ that will induce the corresponding statistics at the HD set-up of the verifier. This choice is independent of the probe state, and thus the conditional probability for the random choice to yield $\tilde{k}$, given an inconclusive result on the input state $|{\alpha }_k\rangle$ is given by

$$\begin{array}{c}\hfill P^{(\mathrm{UD})}(\tilde{k}|\mathrm{inc},k)=P^{(\mathrm{UD})}(\tilde{k})=\frac{1}{N}.\end{array}$$

(13)

Using this equation, the overall error probability reads

$$\begin{array}{c}\hfill P_{\mathrm{err}}^{(\mathrm{UD})}=P_{\mathrm{inc}}\frac{N-1}{N}.\end{array}$$

(14)

Using the fact that a conclusive outcome always yields the correct value of k, while the occurrence of a conclusive or inconclusive result is independent of k, one readily obtains

$$\begin{array}{c}\hfill P^{(\mathrm{UD})}(\tilde{k}\ne k|k)=\frac{P_{\mathrm{inc}}}{N}.\end{array}$$

(15)

The average probability for the verifier to get an outcome inside the expected bin after an unambiguous-state-discrimination attack (UDA) is given by Equations (4a) and (4b), after replacing $P(\tilde{k}|k)$ by Equation (15) and $P_{\mathrm{err}}$ by $P_{\mathrm{err}}^{(\mathrm{UD})}$. Accordingly, the deviations that will be observed by the verifier are quantified by the difference

$$\begin{array}{c}\hfill D^{(\mathrm{UD})}=P_{\mathrm{err}}^{(\mathrm{UD})}\left\{P_{\mathrm{in}}^{(0)}-\frac{1}{P_{\mathrm{err}}^{(\mathrm{UD})}}\left[\frac{1}{2N}\sum _k\sum _{\tilde{k}\ne k}{P}^{(\mathrm{UD})}(\tilde{k}|k)\sum _{\theta =0,\pi /2}P(\mathrm{in}|k,\tilde{k},\theta )\right]\right\},\end{array}$$

(16)

where $P(\mathrm{in}|k,\tilde{k},\theta )$ is given by Equation (4a).

3.3. Minimum-Error State Discrimination Attack

The third attack we consider relies on a minimum-error state-discrimination measurement [29,30]. Each of the possible outcomes $\tilde{k}\in \{0,1,\dots N-1\}$ is characterized by a corresponding probability operator measure element ${\widehat{\Pi }}_{\tilde{k}}$, also referred to as a positive operator-valued measure. The probability for the adversary to obtain outcome $\tilde{k}$, given that the probe state $|{\alpha }_k\rangle$ was used, is

$$\begin{array}{c}\hfill P^{(\mathrm{SR})}(\tilde{k}|k)=\mathrm{Tr}\left({\widehat{\rho }}_k{\widehat{\Pi }}_{\tilde{k}}\right),\end{array}$$

(17)

where ${\widehat{\rho }}_k:=|{\alpha }_k\rangle \langle {\alpha }_k|$. When the adversary obtains the outcome $\tilde{k}$, he concludes that the probe was also in state $|{\alpha }_{\tilde{k}}\rangle$, and thus the response expected by the verifier is $R_{\tilde{k}}=\{\langle {\widehat{X}}_{\tilde{k}}\rangle ,\langle {\widehat{Y}}_{\tilde{k}}\rangle \}$.

Given that the authentication scheme works with the symmetric set of states ${\mathbb{S}}_N$, the optimal measurement that minimizes the error probability is the square-root measurement [29,30], where the operator ${\widehat{\Pi }}_k$ is given by

$$\begin{array}{c}\hfill {\widehat{\Pi }}_k:=\frac{1}{N}{\widehat{\rho }}^{-\frac{1}{2}}{\widehat{\rho }}_k{\widehat{\rho }}^{-\frac{1}{2}},\end{array}$$

(18)

with $\widehat{\rho }:={\sum }_k{\widehat{\rho }}_k/N$. The average probability for the adversary to deduce the wrong probe state is given by

$$\begin{array}{c}\hfill P_{\mathrm{err}}^{(\mathrm{SR})}=\frac{1}{N}\sum _{k=0}^{N-1}\sum _{\tilde{k}\ne k}{P}^{(\mathrm{SR})}(\tilde{k}|k)=1-\frac{1}{N}\sum _{k=0}^{N-1}\mathrm{Tr}\left({\widehat{\rho }}_k{\widehat{\Pi }}_k\right).\end{array}$$

(19)

As in the previous attacks, given the outcome $\tilde{k}$, the adversary prepares and sends to the verifier a coherent state that will induce statistics compatible with the response $R_{\tilde{k}}$. The probability $P_{\mathrm{in}}^{(\mathrm{SR})}$ for the verifier to obtain an outcome within the expected bin is given by Equations (4a) and (4b), after replacing $P(\tilde{k}|k)$ by $P^{(\mathrm{SR})}(\tilde{k}|k)$, which is given by Equations (17) and (18). Hence, the adversary’s intervention will introduce errors in the estimate to be obtained by the verifier, which are quantified by the difference $D^{(\mathrm{SR})}:=P_{\mathrm{in}}^{(0)}-P_{\mathrm{in}}^{(\mathrm{SR})}$. Using Equation (4b) we have for the square-root-measurement attack (SRA)

$$\begin{array}{c}\hfill D^{(\mathrm{SR})}=P_{\mathrm{err}}^{(\mathrm{SR})}\left\{P_{\mathrm{in}}^{(0)}-\frac{1}{P_{\mathrm{err}}^{(\mathrm{SR})}}\left[\frac{1}{2N}\sum _k\sum _{\tilde{k}\ne k}{P}^{(\mathrm{SR})}(\tilde{k}|k)\sum _{\theta =0,\pi /2}P(\mathrm{in}|k,\tilde{k},\theta )\right]\right\}.\end{array}$$

(20)

4. Numerical Results and Discussion

We have performed extensive simulations on the aforementioned three different types of intercept–resend attacks, and, in this section, we discuss our main findings on the security of the proposed protocol. As discussed in Section 3, the protocol is secure when the difference of probabilities (6a) exceeds the security threshold $2\epsilon$, attained by sampling. Hence, for a given value of $\epsilon$, the main quantity of interest for the security of the protocol is the difference of probabilities D, which, for the three different attacks, is given in Equations (11), (16), and (20). A lower bound on D has been obtained in Ref. [16], through the Holevo bound and Fano’s inequality, and it is given in Equation (7). In all of the cases, we see that D is of the form $D=P_{\mathrm{err}}[P_{\mathrm{in}}^{(0)}-P(\mathrm{in}|\mathrm{error})]$, where $P_{\mathrm{err}}$ is the error probability in each case, $P_{\mathrm{in}}^{(0)}$ is the probability for the verifier to obtain an outcome inside the bin in the absence of any attack (see Equation (3)), and $P(\mathrm{in}|\mathrm{error})$ is the corresponding probability in the presence of the attack, and given that the adversary has made an error in deducing the right probe state.

Both $P_{\mathrm{err}}$ and $P(\mathrm{in}|\mathrm{error})$ depend on the attack under consideration. Hence, it is instructive to look at them separately, in comparison with the corresponding quantities determining the lower bound in Equation (7), before we discuss the dependence of D on the various parameters of the protocol. In Figure 6a, we plot the probability for the adversary to deduce the wrong probe state, as a function of the number of different probe states N used in the protocol, and for a fixed mean number of photons in the probe. The error probabilities for the three attacks are given by Equations (10), (14), and (19), while, for the sake of comparison, we also show the lower bound on the error probability $P_{\mathrm{err}}^{(\mathrm{low})}$ (blue curve). In all of the cases, we find a monotonic increase of the error probability with N. For $N<50$, the error probabilities for all of the three attacks are very close to the lower bound, and they start deviating from it as we increase N. The deviation is slower in the case of the square-root-measurement attack (green curve), which is practically indistinguishable from the lower bound (blue curve) up to $N\simeq 60$, and it remains close to it for values of N up to about 100. The error probability for the unambiguous-state-discrimination attack exhibits the fastest increase, and $P_{\mathrm{err}}^{(\mathrm{UD})}\simeq 1$ for $N\simeq 100$ (gray curve). The dual-homodyne–detection attack stands between the other two attacks. The same behavior has been found for other values of ${\mu }_{\mathrm{P}}$, and the main difference is that the error probability increases slower with N, for increasing values of ${\mu }_{\mathrm{P}}$.

Let us turn now to the other quantity of interest, namely the conditional probability $P(\mathrm{in}|\mathrm{error})$ relative to $P_{\mathrm{in}}^{(0)}$. As depicted in Figure 6b, for either of the three attacks under consideration $P(\mathrm{in}|\mathrm{error})$ increases with N, approaching an asymptotic value that is below $P_{\mathrm{in}}^{(0)}$ as well as below the asymptotic value of $P_{\mathrm{err}}$ for the same attack (compare to Figure 6a). This is in contrast to the behavior of $P_{max}(\mathrm{in}|\mathrm{error})$ (blue curve), which approaches $P_{\mathrm{in}}^{(0)}$ (dashed vertical line) as we increase N.

Based on these findings, we expect the lower bound $D_{\mathrm{low}}$ to approach zero as we increase N (which is in accordance with Figure 4), whereas, for all three of the attacks, D is expected to approach a non-zero value as we increase N. Indeed, as shown in Figure 7, this is confirmed by our simulations. As a result, for a given security threshold $\epsilon$ and fixed losses (i.e., fixed ratio ${\mu }_{\mathrm{R}}/{\mu }_{\mathrm{P}}$), there is a very broad regime of values for N and ${\mu }_{\mathrm{P}}$ where D exceeds $2\epsilon$ and the protocol is secure against all of the three attacks. The secure regime is considerably broader than the one predicted by the lower bound (compare to Figure 4). The strongest attack seems to be the square-root-measurement attack. Consider, for instance, the case of $2\epsilon =15\times {10}^{-4}$. We have $D^{(\mathrm{SR})}>2\epsilon$ for $N>100$ (see Figure 7e), whereas, for the other two attacks, we find $D^{(\mathrm{DH})}>2\epsilon$ for $N>45$ (see Figure 7a), $D^{(\mathrm{UD})}>2\epsilon$ for $N>60$ (see Figure 7c). By contrast to the lower bound $D_{\mathrm{low}}$ (see Figure 4a), where there is an upper bound on the values of N for which the condition $D_{\mathrm{low}}>2\epsilon$ is satisfied, we do not find any such bound for either of the three attacks we have considered in this work. Moreover, for all three of the attacks, we find that the rise of D with N gets slower as we increase ${\mu }_{\mathrm{P}}$, which is in agreement with the analogous behavior obtained for the error probability.

Keeping the mean number of photons ${\mu }_{\mathrm{P}}$ in the probe constant, and increasing the losses in the set-up (i.e., decreasing the mean number of photons that reach the HD set-up relative to ${\mu }_{\mathrm{P}}$), we find that lower security thresholds have to be attained by the verifier, so that to ensure the security of the protocol against both the dual-homodyne–detection and the square-root-measurement attacks. For example, we see that the protocol is not secure against the square-root-measurement attack when $2\epsilon =4\times {10}^{-4}$ and ${\mu }_{\mathrm{P}}=600$, with ${\mu }_{\mathrm{R}}=0.05{\mu }_{\mathrm{P}}$, but it is secure against the dual-homodyne–detection attack if $N>50$ (see Figure 7b,f, respectively). Moreover, for the particular chosen value of $2\epsilon$, we find that the protocol becomes secure against both of these attacks if ${\mu }_{\mathrm{R}}=0.1{\mu }_{\mathrm{P}}$ and $N>110$. Security against the two attacks when the losses in the set-up are such that ${\mu }_{\mathrm{R}}=0.05{\mu }_{\mathrm{P}}$ requires $N\ge 110$ and sufficiently large sample size M so that $2\epsilon \lesssim 3\times {10}^{-4}$. By contrast, we find small changes in the variation of $D^{(\mathrm{UD})}$ with N, which suggests that the unambiguous-state-discrimination attack is weaker than the other two.

5. Concluding Remarks

In this work, we have analyzed the seurity of the verification stage in the EAP of Ref. [15] against three specific intercept–resend emulation attacks. Our results suggest that the protocol is secure against all of the attacks simultaneosuly for a broad range of values for the relevant parameters of the protocol. Moreover, the performance of all of these attacks has been compared to the lower security bound obtained in Ref. [16], by means of the Fano’s inequality and the Holevo bound. None of the attacks considered here saturates the expected lower bound. Hence, the existence as well as the details of the attack that will saturate the lower security bound remain a subject of future work. One may wonder whether the displaced-photon counting [31] can achieve this goal. We believe that this is not the case for a number of reasons. Firstly, the probability for the adversary to deduce the wrong state is expected to be higher for the displaced-photon counting than for the square-root measurement discussed here. This is because our protocol relies on a set of symmetric states, and it is well-known that the square-root measurement minimizes the probability of error in this case [29,30]. Higher error probability means that it is easier for the verifier to detect the adversary’s intervention. Secondly, the displaced-photon counting has been shown to outperform the dual-homodyne measurement in phase estimation, only for phases in a narrow region around $\phi =0$ [31]. Outside this region, the dual-homodyne measurement outperforms by the same amount the displaced-photon counting. In our protocol, the random phase of a probe state lies in the interval $[0,2\pi )$, and all of the possible values are equally probable. As a result, on average, the performance of the displaced-photon counting is expected to be very close to the performance of the dual-homodyne detection discussed here.

As far as experimental realizations of the present attacks are concerned, the dual-homodyne– detection attack can be implemented with current technology [32]. On the contrary, to the best of our knowledge, the experimental realization of the unambiguous-state-discrimination attack and of the square-root measurement attack for arbitrary number of symmetric coherent states is not known. A rather simple linear-optics implementation of unambiguous state-discrimination has been proposed in Ref. [33], which is far from optimal for large values of N.

The present work focuses on the verification of a PUK, assuming that the user has already been verified successfully to the PUK (see Section 1). Analogous to conventional smart cards, the verification of the user to the PUK can be achieved through a PIN which is known to the legitimate owner of the PUK. This is necessary for any EAP, in order to prevent impersonation in case the PUK is stolen. When the PUK is given to a legitimate user, it is accompanied by the PIN, which has been generated during the enrollment stage, and it is not shown in Figure 1. One way to combine an optical PUK with a PIN is to exploit the techniques of Refs. [6,34]. For example, one can assume that the PUK is illuminated by classical light, whose wavefront has been modified by a random SLM phase mask $\mathsf{\Psi }$ [The pattern $\mathsf{\Psi }$ should not be confused with the optimal phase masks $\mathsf{\Phi }$ (and ${\mathsf{\Phi }}_k$), which are used for the verification of the PUK as discussed in the previous sections of the present work. The former is a totally random phase mask, whereas the latter are optimized with respect to a particular target mode at the output.]. The response of the PUK to classical light with random wavefront $\mathsf{\Psi }$ is a random speckle, which can be processed with standard algorithms to result in a numerical random binary string, say $w=w_{\mathrm{id}}||w_{\mathrm{pin}}$ [34]. We may assume, that the last n bits of $w$, denoted by $w_{\mathrm{pin}}$, define the n-bit PIN, whereas the first part $w_{\mathrm{id}}$ serves as an identification number for the list of CRPs to be used for the authentication of the particular PUK (see Table 1). In this way, the list of CRPs, the PUK, and the PIN are linked through a random phase mask, which is known only to the verifier, as well as to the authority that issues and distributes the PUKs.

Analogous to conventional smart cards, at the beginning of the verification stage, the user types in his PIN and inserts his PUK to the verifier’s set-up. The verifier imprints the pattern $\mathsf{\Psi }$ on the wavefront of the incoming light by means of his SLM, and the speckle of the scattered light is processed to yield the classical string $w$. If the last n bits of $w$ agree with the PIN of the user, the verifier proceeds to the verification of the PUK; otherwise, the authentication is aborted immediately. For the verification stage, the verifier sends to the server the key $w_{\mathrm{id}}$ over a secure and authenticated classical channel, and the server returns a sequence of M challenges chosen at random and independently from the list of CRPs with identification number equal to $w_{\mathrm{id}}$. The verification stage proceeds as discussed in Section 2, as well as in Refs. [15,16]. If an adversary has stolen the PUK, he cannot impersonate the legitimate owner without knowledge of the PIN, while the probability for an adversary to guess correctly the $n-$bit PIN is negligible. Moreover, the random string $w$ is essentially the output of a physical one-way function with input $\mathsf{\Psi }$, while the probability for the jth bit of $w$ to be 0 or 1 is expected to be approximately equal to 0.5 [6,34]. As a result, it is hard for an adversary to infer the random pattern $\mathsf{\Psi }$, or the PIN from $w_{\mathrm{id}}$. It is worth emphasizing that one can incorporate both of the validation of the PIN and the verification of the PUK in the set-up of Figure 2, after a few amendments. More precisely, by adding a half-wave plate and an additional PBS at the output, one can select to image the speckle onto a camera (for the PIN validation), or onto the optical plane where SMF B is positioned (for the PUK verification) [20,21]. Hence, the set-up can operate in two different modes. Note also that, in the “PIN-validation” mode, an intense probe has to be used in order to obtain a clear speckle, whereas, in the “PUK-verification” mode, the set-up has to operate with parameters that are dictated by the present as well as previous security analyses. Finally, we cannot exclude alternative ways to link an optical PUK to a PIN e.g., through the control of laser parameters (such as the angle of incidence and the wavelength) [6], and/or the control of the target mode at the output [35].