Intercept-Resend Emulation Attacks Against a Continuous-Variable Quantum Authentication Protocol with Physical Unclonable Keys

Optical physical unclonable keys are currently considered to be rather promising candidates for the development of entity authentication protocols, which offer security against both classical and quantum adversaries. In this work we investigate the robustness of a continuous-variable protocol, which relies on the scattering of coherent states of light from the key, against three different types of intercept-resend emulation attacks. The performance of the protocol is analysed for a broad range of physical parameters, and our results are compared to existing security bounds.


I. INTRODUCTION
Entity authentication (or identification) is a fundamental cryptographic task, which aims at providing a verifier with assurance about the identity of another entity (a claimant) [1].In order to offer high levels of security, modern protocols combine in the framework of a challenge-response mechanism, something that the claimant possesses together with something that the claimant knows [2].For instance, a typical transaction through an automatic-teller machine (verifier), relies on the smart card that the user possesses, and a secret personal identification number (PIN).In each transaction, the PIN is used to verify the user to the smart card, while the latter is equipped with a chip which runs a publiclyknown algorithm, and involves a numerical secret key on the card for which the verifier has a matching counterpart i.e., either shares the secret key with the verifier or holds the public key to the secret key.Verification of the smart card is performed only if the PIN is correct, and involves a number of random and independent numerical challenges, for which the chip on the card computes a response based on the implemented algorithm and the key.The user is authenticated only if the responses agree with the ones expected by the verifier.Attacks against conventional smart cards and dynamic entity-authentication protocols (EAP) are difficult but not impossible (e.g., see [3][4][5] and references therein).More precisely, physical invasive and non-invasive attacks, as well as software attacks (e.g., viruses), constitute a severe threat as they allow adversaries to extract the secret key from the card.The necessity for entity-authentication protocols that are robust against such types of attacks, has motivated the development of physical unclonable functions (PUFs) [6][7][8].
In general terms, a PUF is a cryptographic primitive which converts an input challenge into an output response, by means of a random physical unclonable key (PUK).The randomness of the PUK is introduced explicitly or implicitly during its fabrication, and it is considered to be technologically hard to clone (hence the term physical unclonable).The physical mechanism underpin-ning the operation of a PUF, as well as the nature of the challenge, depend on the nature of the PUK.Hence, one can have electronic, optical, magnetic, biological PUFs, etc.For a rather extensive list of PUFs and their classification the reader may refer to Ref. [8].So far, electronic and optical PUFs appear to be the most prominent classes of PUFs.An advantage of the former is that they are compatible with existing technology and hardware, but their robustness against various types of modelling attacks does not seem to be as strong as expected (see [9][10][11][12] and references therein).On the contrary, optical PUFs are not fully compatible with existing technology, but they offer many advantages relative to certain types of electronic PUFs, including high complexity, security against modeling attacks, and low cost [13].
Another advantage of optical PUFs is that they accept quantum states of light as challenges, thereby enabling for the design of EAPs whose security relies on fundamental principles of quantum physics [14,15].Typically, the operation of such an EAP relies on a set of numerical challenge-response pairs (CRPs), which is generated during the enrollment stage, and it is stored in a secure database (see Fig. 1).There is also a publicly known bijective map of the set of numerical challenges onto a set of non-orthogonal quantum states of light.Whenever the holder of the PUK has to authenticate himself in a potentially unsecured verification set-up, his PUK undergoes a verification procedure, where it is interrogated by a random sequence of non-orthogonal quantum states of light.Each state corresponds to a random and independently chosen numerical challenge.The optical response of the PUK to each quantum challenge is measured and processed so that to obtain a numerical response.The user is authenticated if the recorded numerical responses do not deviate considerably from the expected numerical responses listed in the set of CRPs.The precise quantification of the deviations depends strongly on the details of the protocol, and plays a pivotal role in its security.The main point is that even when an adversary knows the set of numerical CRPs to be used for the verification of a PUK, the impersonation of the legitimate user requires interaction of the adversary with the quan-FIG.1.General schematic representation of the main stages and the typical operations of an EAP with quantum readout of a PUK.The enrollment stage is performed before the PUK is given to the user, and aims at the generation of a set of numerical CRPs.In the verification stage, M 1 numerical challenges are chosen at random and independently from the available set of CRPs for the particular PUK.Each numerical challenge is encoded independently in the quantum state of a laser pulse, which is scattered from the PUK.The scattered light is measured and the outcome (response) is returned to the server.The PUK is accepted or rejected based on a publicly known function, which quantifies the deviations of the recorded responses from the expected ones.
tum states used for the interrogation of the PUK.This is the only way for the adversary to estimate the numerical challenges encoded on the quantum states, and to send the corresponding responses to the verifier by looking the estimated challenges up in the set of CRPs.However, fundamental theorems of quantum physics prevent perfect discrimination between non-orthogonal quantum states.As a result, the intervention of the adversary will inevitably introduce errors, that will be detected by the verifier, who can abort the authentication process.
In this context, we proposed recently a continuousvariable quantum authentication of optical PUKs, which relies on standard wavefront-shaping and homodynedetection techniques [15].So far, the protocol has been shown to offer cloning and collision resistance, while its security against an emulation attack, in which an adversary knows the challenge-response properties of the PUK and he can access the challenges during the verification, has been analyzed in Ref. [16].The analysis of Ref. [16] is rather general and does not involve any assumptions about the type of the state-discrimination strategy adopted by the adversary.Hence, the natural question arises whether the security bound obtained in Ref. [16] can be attained by means of standard statediscrimination techniques, which are within reach of current or future technology.In the present work this question is addressed for unambiguous state discrimination, minimum-error discrimination and dual-homodyne detection.
The paper is organized as follows.In Sec.II we discuss briefly the EAP, while the intercept-resend attacks under consideration are formulated in Sec.III.Our main results and the robustness of the protocol are discussed in Sec.IV.A summary with concluding remarks is given in Sec.V.

II. AUTHENTICATION SCHEME
The EAP under consideration and the related verification set-up have been discussed in detail elsewhere [15,16], but for the sake of completeness we will give here a brief overview, focusing mainly on the aspects of the EAP that are directly pertinent to the present work.The interested reader may refer to Refs.[15,16] for a detailed description.
The main parts of the verification set-up are shown in Fig. 2. A coherent probe is directed to the interrogation chamber via a single-mode fiber (SMF A), and its wavefront is shaped by a phase-only spatial light modulator (SLM) thereby obtaining the quantum challenge, which is focused on the PUK.The scattered light (speckle), is collected by means of a polarizing beam-splitter and an objective.One of the speckle grains is coupled to a properly positioned single-mode fiber (SMF B), which leads to a standard homodyne detection (HD) set-up.SMF B can be translated in a controlled manner at the output plane so that to collect light from different speckle grains (different target modes).The field in the mode of the fiber is the response of the PUK to the particular challenge, and in the HD set-up, the verifier measures at random one of the two conjugate quadratures using a strong local oscillator (LO) as reference.
The set-up operates in the diffusive limit [15,16], and the phase-mask of the SLM is optimized so that the intensity of the scattered light in SMF B is maximized.The optimization can be performed with standard algorithms [17][18][19], and for a fixed set-up the optimal phase mask Φ of the SLM, depends strongly on the PUK K and the chosen target mode at the output s, while it is independent of the details of the probe state [20,21].Moreover, having obtained the optimal phase pattern, one can apply a global phase shift to it, thereby determining the phase of the field at the target mode relative to the LO, without affecting the intensity [22].Throughout this work we assume that the probe is in a coherent state with fixed mean number of photons µ P , which is chosen at random and independently from the symmetric set where Z N = {0, 1, . . ., N − 1} and N 1.We associate a randomly chosen phase shift with each possible value of k, which is applied on the optimal phase pattern of the SLM when the probe state |α k is used.Hence, the optimal phase pattern for the probe state |α k becomes Φ k := Φ + ω k , where ω k denotes the applied global shift, and is chosen at random and independently from a uniform distribution over finite set Ω.In the diffusive limit, the action of the entire set-up on the input probe can be represented by a linear transformation, which depends on various parameters of the set-up, including the PUK, and the (shifted) phase pattern of the SLM.The main quantity of interest is the quantum mechanical expectation value of the θ-quadrature of the electric field in SMF B at the entrance of the HD set-up, which is given by [15,16] where the mean number of photons µ R that reach the HD The angles θ = 0 and π/2 refer to the quadratures X and Ŷ of the field in SMF B at the entrance of the HD set-up, respectively (see Fig. 2).

Identification Number Challenge
Response set-up is smaller than µ P .Equation (2) encapsulates possible losses, and various other parameters pertaining to the set-up and the applied wavefront-shaping technique.
For a fixed set-up with publicly-known parameters, µ R can be considered fixed and known, while the phase χ k is fully determined by the phase of the probe state ϕ k , the associated random phase shift ω k , and the PUK.For θ = 0 and π/2 one obtains the expectation values of the conjugate quadratures of the field X and Ŷ , respectively.There are two distinct stages in the EAP under consideration i.e., the enrollment and the verification stages (see Fig. 1).The enrollment stage takes place only once, before a PUK is given to a user, it is performed by the manufacturer, and aims at a reliable characterization of the PUK with respect to its responses to a finite set of challenges.The typical list of CRPs for the protocol under consideration is given in Table I.We assume that the enroller has all the resources needed for the reliable estimation of the response R [15].After the enrollment stage, the list of CRPs is stored in a database of a server, and the PUK is given to a user.
The verification stage takes place each time the user wishes to authenticate himself.He has to input the PUK in a potentially unsecured verification set-up, which is connected to the database over a secure and authenticated classical channel.The server sends to the verifier a sequence of M 1 challenges, chosen at random from the available challenges, together with a sequence of M angles (θ 1 , θ 2 , . . ., θ M ) chosen at random and independently from a uniform distribution over {0, π/2}.The PUK is interrogated sequentially by the M challenges.In the jth challenge C kj := {k j , Φ kj }, the verifier measures the θ j −quadrature of the field in SMF B. Assuming very strong LO field, the outcome of the measurement in the HD set-up follows a normal distribution N ( Q(θ j ) kj , σ 2 ), which is centered at the expectation value of the measured quadrature and its standard deviation σ = 1/ √ 2η, is determined by the detection efficiency η of the HD set-up.The outcomes from all of the M measurements are returned to the server, over the classical channel.Acceptance or rejection of the PUK is decided upon the fraction of outcomes p in that fall within an interval (bin) of width ∆, which is centered at the expectation value of the measured quadrature Q(θ j ) kj .The theoretically expected probability for an outcome to fall inside the interval is given by [16] with ∆ = ∆/σ, which is independent of k and θ.For sufficiently large values of M , one can ensure with high confidence, that for the true PUK and in the absence of cheating, the empirical probability p in will lie in an interval of size 2ε around the theoretically expected probability P (0) in [15,16].Hence, the PUK is accepted if in | < ε, and is rejected otherwise.As we will see later on, the security parameter ε plays a central role in the protocol, as it determines the regime of parameters for which an attack can be detected by the verifier.

III. INTERCEPT-RESEND EMULATION ATTACKS
The emulation attacks under consideration follow closely the general theoretical framework of Ref. [16], which is summarized in Fig. 3.We assume that the adversary does not have access to the preparation of the probe states, the actual PUK, the SLM, or the HD setup.However, he has obtained somehow a copy of all the possible CRPs to be used in the authentication of the PUK, and moreover he has obtained access to the incoming and outgoing SMFs, without being detected.Hence, if the adversary were able to estimate exactly the probe state, he would be able to impersonate successfully the holder of the PUK, by looking at the CRPs and by sending to the HD set-up the expected response state.However, quantum physics does not allow for perfect discrimination between non-orthogonal quantum states, or the measurement of non-communting quantum observables with arbitrary accuracy.As a result, it is inevitable for the adversary's intervention to introduce errors in the HD performed by the verifier.
Given that the probe states in the M queries are chosen at random and independently from a uniform distribution over the set S N , from now on we can focus on one of the queries and let |α k denote the incoming probe state.The adversary's task is to obtain an estimate of the integer k, which determines fully the challenge and the expected response.To this end, he performs a measurement on the incoming probe state, and based on the outcome, the adversary makes an educated guess about k, to be denoted by k.For the reasons discussed above, this guess may or may not be equal to the actual k used by the verifier, and thus the adversary's intervention will affect the probability with which the verifier obtains an outcome in the expected bin.More precisely, instead of Eq. ( 3) one has [16] FIG. 3. Schematic representation of the attack under consideration [16].The adversary has a copy of the set of the numerical CRPs, from which the challenges are chosen at random.He intercepts each one of the M incoming probe states, and measures it in order to deduce the value of k (see table I).Based on the outcome of his measurement the adversary makes an educated guess about k, say k, and he looks k up in the set of CRPs in order to find the corresponding expected response R k .Finally, the adversary prepares and sends to the HD set-up of the verifier a quantum state that will induce statistics consistent with R k .
where Qk (θ) and Q k (θ) denote the θ−quadratures of the response field, when the adversary deduces the correct and the wrong value of k.Both of them are given by Eq.
(2) for k and k, respectively.
Given that the verifier samples from both quadratures at random and independently, after M queries the verifier will obtain an estimate of the average probability [16] where P (in|k, k, θ) is given by Eq. (4a) and is the probability for the adversary to make an error in his estimation of k.
The probability P in takes into account all of the events irrespective of whether the adversary deduced the correct value of k or not.In the second equality of Eq. (4b) we have taken into account the uniform distribution of k over Z N and of θ over {0, π/2}.Moreover, we have used the fact that the state of the probe and the outcome of the adversary are independent of the quadrature to be measured by the verifier.A straightforward calculation [16] shows that P in is always smaller than the corresponding expression in the absence of cheating [which is given by Eq. ( 3)], and the difference basically quantifies the adversary's intervention.The adversary's intervention will be detected by the verifier when the observed deviations from P (0) in exceed the statistical deviations i.e., when As mentioned above, the security threshold 2ε is determined by the sample size M in the verification stage while, in general, the exact values of P err , P in , and D, depend on the measurement applied by the adversary.However, working along the lines of Ref. [16] one readily obtains a lower bound on P err , which in turn yields the following lower bound on D D ≥ P (low) err where . This bound is expected to hold irrespective of the adversary's measurement, and its dependence on various parameters of the protocol has been discussed in detail elsewhere [16].
In particular, it has been shown that for any given combination of parameters {ε, ∆, µ P , µ R }, the secure operation region for the protocol becomes wider for increasing η.Typical HD set-ups have η > 0.5, and η = 0.5 can be considered as the worst-case scenario for the security of the protocol.The size of the bin width ∆ relative to the detection efficiency is a free parameter that can be chosen at will, so that to optimize the performance of the protocol.For any given combination of {ε, η, µ P , µ R } it has been shown that the optimal value is ∆ 2σ.Hence, although our simulations have been extended to various combinations of η and ∆, throughout the present work we focus on numerical results for η = 0.5 and ∆ = 2σ.To facilitate the analysis of our results for the three different attacks, in Fig. 4 we plot the lower bound D low as a function of N , for different values µ P and µ R .As explained in Ref. [16], the depicted asymmetric bell-shape stems from the fact that D low is a product of two functions of N with opposite monotonicity [see Eq. ( 7)].More precisely, P (low) err increases with increasing N approaching a non-zero value determined by the classical limit, while P (0) in − P max (in|error) decreases with increasing N , approaching zero for large values of N .A crucial parameter for the security of the protocol is the mean number of photons that reach the HD set-up.The larger µ R is for a fixed N , the easier the verifier can discriminate between Qk (θ) and Q k =k (θ) .In general, µ R can be increased in two different ways: (i) increasing µ P for fixed losses in the set-up; (ii) improving the set-up, thereby reducing the losses.Figures 4(a) and 4(b), refer to these two cases, and in both of them we see that for a given ε the secure region gets wider with increasing µ R , which is in agreement with the aforementioned role of µ R in the discrimination of different responses.

A. Dual Homodyne-detection Attack
In a dual homodyne-detection attack (DHA), for each probe the adversary performs a joint measurement of the non-commuting observables { Xk , Ŷk }, by means of an eight-port interferometric set-up [23,24], thereby obtaining a bivariate random variable (x, y), which follows the two-dimensional normal distribution where XA k and ŶA k refer to the expectation values of the quadratures of the electric field in SMF A, when the field is in state |α k .Assuming negligible losses in SMF A and in the set-up of the adversary we have Moreover, in Eq. (8a) we have assumed perfect detection efficiency for the adversary (σ DH = 1), which is the worstcase scenario for the security of the protocol.Hence, when the efficiency in the HD set-up of the verifier is η ≥ 0.5 we have σ ≤ σ DH .This suggests that, for either of the quadratures, the adversary samples from a distribution, which is at least as broad as the distribution sampled by the verifier.
To proceed further, we have to define a strategy for the adversary to make an educated guess for the probe stare |α k , given the random outcome of the dual-homodyne detection (x, y).Recall here that the adversary has obtained a copy of the list of the CRPs for the particular PUK, which allows him to discretize the phase space as shown in Fig. 5 .The k-th sector corresponds to the probe state |α k .It is centered at { XA k , ŶA k }, and its angular extension is from ϕ k − π/N to ϕ k + π/N , while its radius ρ extends from 0 to ±∞.So, when the random outcome (x, y) falls in the k-th sector, the adversary concludes that the probe state was |α k , and thus the response expected by the verifier is R k .Working in polar coordinates, the probability for the random outcome (x, y) to fall within the k-th sector given that the probe state was |α k is given by the integral where we have set x = ρ cos(γ), y = ρ sin(γ), and used Eqs.(8).Setting γ = γ−ϕ k one can readily confirm that this probability depends only on the difference n := ( k − k) mod N .Therefore, the probability for the adversary to deduce the wrong probe state is given by After the measurement, the adversary prepares and sends to the verifier a coherent state |β k , which is consistent with his educated guess about the probe state, and will induce the expected statistics at the HD set-up of the verifier.The average probability P (DH) in for the state |β k to result in an outcome within the expected bin is given by Eq. (4b), after substituting P ( k|k) by P (DH) ( k|k), which is given by Eq. ( 9).Hence, the adversary's intervention will introduce errors in the estimate to be obtained by the verifier, which are quantified by the difference The term inside the brackets is the joint probability for the adversary to deduce the wrong value for k, and the outcome of the HD of the verifier to fall within the expected bin.

B. Unambiguous State-Discrimination Attack
Assume now that the adversary applies an ideal unambiguous discrimination (UD) measurement to each probe, in order to deduce which of the N possible coherent states is used by the verifier [25][26][27][28].The adversary will either obtain a conclusive result, or an inconclusive result.In the former case, he learns the actual state of the probe with certainty, whereas in the latter he learns nothing about the incoming state, which is destroyed by the measurement, and additional measurement on it will not provide any useful information.Given that the adversary has the list of CRPs, a conclusive result implies that the adversary knows precisely the response expected by the verifier, whereas in the case of an inconclusive result, all of the possible responses are equally probable.
The minimum probability for an inconclusive result is [25] which is independent of the value of k i.e., independent of the probe state.In the case of a conclusive outcome the adversary will prepare and send a coherent state, which will induce the expected statistics at the HD set-up of the verifier.Hence, the probability for the verifier to get a result inside the bin, given that the adversary obtained a conclusive outcome, is equal to P (0) in [see Eq. ( 3)].On the contrary, in the case of an inconclusive result, the adversary has no information on the probe state or on the response expected by the verifier.Given that the verifier expects a response state for each probe, the adversary has to send a state to the HD set-up of the verifier.Hence, we assume that in the case of an inconclusive outcome, the adversary has to choose at random one of the N equally probable responses, and send a coherent state |β k that will induce the corresponding statistics at the HD set-up of the verifier.This choice is independent of the probe state, and thus the conditional probability for the random choice to yield k, given an inconclusive result on the input state |α k is given by Using this equation, the overall error probability reads Using the fact that a conclusive outcome always yields the correct value of k, while the occurrence of a conclusive or inconclusive result is independent of k, one readily obtains The average probability for the verifier to get an outcome inside the expected bin after an unambiguous-statediscrimination attack (UDA) is given by Eqs. ( 4), after replacing P ( k|k) by Eq. ( 15) and P err by P (UD) err .Accordingly, the deviations that will be observed by the verifier are quantified by the difference where P (in|k, k, θ) is given by Eq. (4a).

C. Minimum-error State Discrimination Attack
The third attack we consider relies on a minimum-error state-discrimination measurement [29,30].Each of the possible outcomes k ∈ {0, 1, . . .N − 1} , is characterized by a corresponding probability operator measure element Π k , also referred to as a positive operator-valued measure.The probability for the adversary to obtain outcome k, given that the probe state |α k was used, is where ρk := |α k α k |.When the adversary obtains the outcome k, he concludes that the probe was also in state |α k , and thus the response expected by the verifier is Given that the authentication scheme works with the symmetric set of states S N , the optimal measurement that minimizes the error probability is the square-root measurement [29,30], where the operator Π k is given by with ρ := k ρk /N .The average probability for the adversary to deduce the wrong probe state is given by Tr ρk Πk . ( As in the previous attacks, given the outcome k, the adversary prepares and sends to the verifier a coherent state that will induce statistics compatible with the response R k .The probability P (SR) in for the verifier to obtain an outcome within the expected bin is given by Eqs.
(4), after replacing P ( k|k) by P (SR) ( k|k), which is given by Eqs. ( 17) and (18).Hence, the adversary's intervention will introduce errors in the estimate to be obtained by the verifier, which are quantified by the differ-ence D (SR) := P (0) in − P (SR) in .Using Eq. (4b) we have for the square-root-measurement attack (SRA)

IV. NUMERICAL RESULTS AND DISCUSSION
We have performed extensive simulations on the aforementioned three different types of intercept-resend attacks, and in this section we discuss our main findings on the security of the proposed protocol.As discussed in Sec.III, the protocol is secure when the difference of probabilities (6a) exceeds the security threshold 2ε, attained by sampling.Hence, for a given value of ε, the main quantity of interest for the security of the protocol is the difference of probabilities D, which for the three different attacks is given in Eqs. ( 11), ( 16) and (20).A lower bound on D has been obtained in Ref. [16], through the Holevo bound and Fano's inequality, and it is given in Eq. (7).In all of the cases, we see that D is of the form D = P err [P (0) in − P (in|error)], where P err is the error probability in each case, P in is the probability for the verifier to obtain an outcome inside the bin in the absence of any attack [see Eq. ( 3)], and P (in|error) is the corresponding probability in the presence of the attack, and given that the adversary has made in error in deducing the right probe state.
Both of P err and P (in|error) depend on the attack under consideration.Hence, it is instructive to look at them separately, in comparison with the corresponding quantities determining the lower bound in Eq. ( 7), before we discuss the dependence of D on the various parameters of the protocol.In Fig. 6(a) we plot the probability for the adversary to deduce the wrong probe state, as a function of the number of different probe states N used in the protocol, and for fixed mean number of photons in the probe.The error probabilities for the three attacks are given by Eqs. ( 10), (14), and (19), while for the sake of comparison, we also show the lower bound on the error probability P (low) err (blue curve).In all of the cases we find a monotonic increase of the error probability with N .For N < 50, the error probabilities for all of the three attacks are very close to the lower bound, and they start deviating from it as we increase N .The deviation is slower in the case of the square-root-measurement attack (green curve), which is practically indistinguishable from the lower bound (blue curve) up to N 60, and it remains close to it for values of N up to about 100.The error probability for the unambiguous-state-discrimination attack exhibits the fastest increase, and P (UD) err 1 for N 100 (gray curve).The dual-homodyne-detection attack stands between the other two attacks.The same behavior has been found for other values of µ P , and the main difference is that the error probability increases slower with N , for increasing values of µ P .
Let us turn now to the other quantity of interest, namely the conditional probability P (in|error) relative to P (0) in .As depicted in Fig. 6(b), for either of the three attacks under consideration P (in|error) increases with N , approaching an asymptotic value which is below P (0) in as well as below the asymptotic value of P err for the same attack [compare to Fig. 6(a)].This is in contrast to the behavior of P max (in|error) (blue curve), which approaches P (0) in (dashed vertical line) as we increase N .Based on these findings, we expect the lower bound D low to approach zero as we increase N (which is in accordance with Fig. 4), whereas for all of the three attacks, D is expected to approach a non-zero value as we increase N .Indeed, as shown in Fig. 7, this is confirmed by our simulations.As a result, for a given security threshold ε and fixed losses (i.e., fixed ratio µ R /µ P ), there is a very broad regime of values for N and µ P where D exceeds 2ε and the protocol is secure against all of the three attacks.The secure regime is considerably broader than the one predicted by the lower bound (compare to Fig. 4).The strongest attack seems to be the square-rootmeasurement attack.Consider, for instance, the case of 2ε = 15 × 10 −4 .We have D (SR) > 2ε for N > 100 [see Fig. 7(e)], whereas for the other two attacks we find D (DH) > 2ε for N > 45 [see Fig. 7(a)], D (UD) > 2ε for N > 60 [see Fig. 7(c)].By contrast to the lower bound D low [see Fig. 4(a)], where there is an upper bound on the values of N for which the condition D low > 2ε is satisfied, we do not find any such bound for either of the three attacks we have considered in this work.Moreover, for all the three attacks we find that the rise of D with N gets slower as we increase µ P , which is in agreement with the analogous behavior obtained for the error probability.
Keeping the mean number of photons µ P in the probe constant, and increasing the losses in the set-up (i.e., decreasing the mean number of photons that reach the HD set-up relative to µ P ), we find that lower security thresholds have to be attained by the verifier, so that to ensure the security of the protocol against both of the dual- homodyne-detection and the square-root-measurement attack.For example, we see that the protocol is not secure against the square-root-measurement attack when 2ε = 4 × 10 −4 and µ P = 600, with µ R = 0.05µ P , but it is secure against the dual-homodyne-detection attack if N > 50 [see Figs.7(f) and (b), respectively].Moreover, for the particular chosen value of 2ε, we find that the protocol becomes secure against both of these attacks if µ R = 0.1µ P and N > 110.Security against the two attacks when the losses in the set-up are such that µ R = 0.05µ P , requires N ≥ 110 and sufficiently large sample size M so that 2ε 3×10 −4 .By contrast, we find small changes in the variation of D (UD) with N , which suggests that the unambiguous-state-discrimination attack is weaker than the other two.

V. DISCUSSION
In this work we have analysed the seurity of the verification stage in the EAP of Ref. [15] against three specific intercept-resend emulation attacks.Our results suggest that the protocol is secure against all of the attacks simultaneosuly for a broad range of values for the relevant parameters of the protocol.Moreover, the performance of all of these attacks has been compared to the lower security bound obtained in Ref. [16], by means of the Fano's inequality and the Holevo bound.None of the attacks considered here saturates the expected lower bound.Hence, the existence as well as the details of the attack that will saturate the lower security bound, remain a subject of future work.One may wonder, whether the displaced-photon counting [31] can achieve this goal.We believe that this is not the case for a number of reasons.
Firstly, the probability for the adversary to deduce the wrong state is expected to be higher for the displacedphoton counting, than for the square-root measurement discussed here.This is because our protocol relies on a set of symmetric states, and it is well-known that the square-root measurement minimizes the probability of error in this case [29,30].Higher error probability means that it is easier for the verifier to detect the adversary's intervention.Secondly, the displaced-photon counting has been shown to outperform the dual-homodyne measurement in phase estimation, only for phases in a narrow region around ϕ = 0 [31].Outside this region, the dual-homodyne measurement outperforms by the same amount the displaced-photon counting.In our protocol, the random phase of a probe state lies in the interval [0, 2π), and all of the possible values are equally probable.As a result, on the average, the performance of the displaced-photon counting is expected to be very close to the performance of the dual-homodyne detection discussed here.
As far as experimental realisations of the present attacks are concerned, the dual-homodyne-detection attack can be implemented with current technology [32].On the contrary, to the best of our knowledge, the experimental realization of the unambiguous-state-discrimination attack and of the square-root measurement attack for arbitrary number of symmetric coherent states is not known.A rather simple linear-optics implementation of unambiguous state-discrimination has been proposed in Ref. [33], which is far from optimal for large values of N .
The present work focuses on the verification of a PUK, assuming that the user has already been verified successfully to the PUK (see Sec. I).In analogy to conventional smart cards, the verification of the user to the PUK can be achieved through a PIN which is known to the legitimate owner of the PUK.This is necessary for any EAP, so that to prevent impersonation in case the PUK is stolen.When the PUK is given to a legitimate user it is accompanied by the PIN, which has been generated during the enrollment stage, and it is not shown in Fig. 1.One way to combine an optical PUK with a PIN is to exploit the techniques of Refs.[6,34].For example, one can assume that the PUK is illuminated by classical light, whose wavefront has been modified by a random SLM phase mask Ψ [The pattern Ψ should not be confused with the optimal phase masks Φ (and Φ k ), which are used for the verification of the PUK as discussed in the previous sections of the present work.The former is a totally random phase mask, whereas the latter are optimized with respect to a particular target mode at the output.].The response of the PUK to classical light with random wavefront Ψ is a random speckle, which can be processed with standard algorithms to result in a numerical random binary string, say w = w id ||w pin [34].The last n bits of w, denoted by w pin , define the n−bit PIN, whereas the first part w id serves as an identification number for the list of CRPs to be used for the authentication of the particular PUK (see table I).In this way, the list of CRPs, the PUK and the PIN are linked through a random phase mask, which is known only to the verifier, as well as to the authority that issues and distributes the PUKs.
In analogy to conventional smart cards, at the beginning of the verification stage the user types in his PIN, and inserts his PUK to the verifier's set-up.The verifier imprints the pattern Ψ on the wavefront of the incoming light by means of his SLM, and the speckle of the scattered light is processed to yield the classical string w.If the last n bits of w agree with the PIN of the user, the verifier proceeds to the verification of the PUK, otherwise the authentication is aborted immediately.For the verification stage, the verifier sends to the server the key w id over a secure and authenticated classical channel, and the server returns a sequence of M challenges chosen at random from the list of CRPs with identification number equal to w id .The verification stage proceeds as discussed in Sec.II, as well as in Refs.[15,16].If an adversary has stolen the PUK, he cannot impersonate the legitimate owner without knowledge of the PIN, while the probabil-ity for an adversary to guess correctly the n−bit PIN is negligible.Moreover, the random string w is essentially the output of a physical one-way function with input Ψ, while the probability for the jth bit of w to be 0 or 1, is expected to be approximately equal to 0.5 [6,34].As a result, it is hard for an adversary to infer the random pattern Ψ, or the PIN from w id .It is worth emphasizing that one can incorporate both of the validation of the PIN and the verification of the PUK in the set-up of Fig. 2, after a few amendments.More precisely, by adding a half-wave plate and an additional PBS at the output, one can select to image the speckle onto a camera (for the PIN validation), or onto the optical plane where SMF B is positioned (for the PUK verification) [20,21].Hence, the set-up can operate in two different modes.Note also that in the "PIN-validation" mode, intense probe has to be used so that to obtain a clear speckle, whereas in the "PUK-verification" mode the set-up has to operate with parameters that are dictated by the present as well as previous security analyses.Finally, we cannot exclude alternative ways to link an optical PUK to a PIN e.g., through the control of laser parameters (such as the angle of incidence and the wavelength) [6], and/or the control of the target mode at the output [35].

FIG. 2 .
FIG. 2. Schematic representation of the set-up for the EAP under consideration[15].

FIG. 4 .
FIG. 4. The lower bound D low , as a function of the number of different probe states N , for various values of µP but fixed ratio µR/µP (a); and various values of µR for fixed µP (b).The vertical dashed line marks the security threshold 2ε = 15 × 10 −4 , and the protocol is secure against any interceptresend attack for D low > 2ε.

7 FIG. 5 .
FIG.5.Discretization of the phase space for N = 8.The segment for the actual probe state k = 0 (green) and all other possible probe states (blue) are shown.The coloring displays the probabilities P DH ( k|k = 0) for k = 0, 1, . . ., N − 1 (dark: high probability).

FIG. 6 .
FIG.6.(a) Probability for the adversary to deduce the wrong probe state in the case of dual-homodyne-detection attack (red curve, DHA), square-root-measurement attack (green curve, SRA) and unambiguous-state-discrimination attack (gray curve, UDA), as a function of the number of different probe states N .The lower bound is also shown (blue curve).(b) Conditional probability P (in|error) for the verifier to obtain a result inside the expected bin given that the adversary inferred the wrong probe state, as function of N and for different attacks.The maximum value Pmax(in|error) is also shown (blue curve), and all of the probabilities are compared to the probability P 0 in in the absence of an attack (dashed vertical line).

FIG. 7 .
FIG. 7. Difference of probabilities D = P 0 in − Pin as a function of the total number of different probe states N , for the dualhomodyne-detection attack (a,b); the unambiguous-state-discrimination attack (c,d); and the square-root-measurement attack.The horizontal dashed lines mark the security threshold 2ε = 15 × 10 −4 (l.h.s) and 2ε = 4 × 10 −4 (r.h.s).The protocol is secure against a specific type of intercept-resend attack when the corresponding value of D exceeds 2ε.

TABLE I .
Illustration of a set of CRPs used for authentication of a PUK.The set is identified by a unique identification number (see discussion in Sec.V).