1 Introduction
The recent advances in developing the quantum internet have enabled a broad range of applications, from simple secure communication all the way to delegated quantum computation, with no counterparts in classical networks [broadbent2016quantum, fitzsimons2017private, wehner2018quantum, QuantumPZoo, pirandola2019advances, diamanti2019demonstrating, kumar2019practically, unruh2013everlasting]. For most such applications, a key security feature is secure authentication, which plays a central role in performing secure communications over untrusted channels [alagic2017quantum, dulek2019secure, boneh2013quantum]. Amongst the different types of required security features, including confidentiality and authentication of data, mutual entity authentication is a crucial, yet most neglected, aspect [kang2018controlled]. Entity authentication, also referred to as identification, is a method to prove the identity of one party, called the prover, to another party, called the verifier. The focus of this work is to propose resource-efficient solutions for mutual entity authentication between two parties in a quantum network by exploring the advantages of quantum communication. We consider both complementary scenarios where either the trusted verifier or a potentially malicious prover has limited resources in the identification protocol. To better motivate the two scenarios, consider the quantum cloud service platforms that are commercially available today, such as Rigetti and IBM, among others. In the first setting, a client with low quantum resources (such as the one defined in [broadbent2009universal]) wishes to identify a high-resource quantum centre that they perhaps have had a previous contract with, before proceeding to access their platform and load its sensitive data. In the complementary setting, the quantum cloud provider wishes to verify the identity of its customer possessing low quantum resources before providing them with access.
This asymmetry between the verifier and the prover calls for ‘party resource-specific’ identification protocols which exploit this asymmetry to enhance the efficiency.
Among the recent works, Physical Unclonable Functions (PUF) have emerged as cost-efficient, low-resource, secure hardware tokens to achieve entity authentication [delvaux2017security, herder2014physical, vskoric2012quantum, nikolopoulos2017continuous]. A PUF device solely utilises the random physical disorders that occur during the manufacturing process to provide security features. This randomness provides the desired high min-entropy feature, and hence the PUF does not rely on extra cryptographic properties in the device [herder2014physical, armknecht2016towards]. Accessing information from a PUF involves querying the device with a ‘challenge’ (for example an electrical signal, an optical pulse, temperature signal, etc.) and obtaining a recognizable ‘response’. This response should be robust for a particular PUF device but highly variable across different but very similar PUFs, so that for an adversary each device seems to output a completely random response. An example of a PUF is an optical glass slab with an inhomogeneous refractive index such that shining a laser pulse with a fixed frequency and angle of incidence results in an output pulse with fixed (or only slightly divergent) frequency. However, another glass slab with a slight difference in the distribution of the index of refraction results in an output pulse with different characteristics for the same incident light [pappu2002physical]. This uniqueness of the challenge-response pair for a particular PUF is the core feature in realising entity authentication and other cryptographic functionalities. Other hardware realisations of PUF include SRAM PUF, Ring Oscillator PUF and Arbiter PUF, among others [guajardo2007fpga, gassend2002silicon, suh2007physical]. However, recent cryptanalysis has shown that conventional PUF hardware devices do not provide rigorous security guarantees as anticipated and the high min-entropy feature is compromised by modelling attacks [ruhrmair2010modeling, ganji2016strong].
Some of these security issues are overcome with the recently proposed PUFs that utilise the properties of quantum mechanics [arapinis2019quantum, vskoric2010quantum, goorden2014quantum, nikolopoulos2017continuous]. Referred to as quantum PUF, or qPUF, these are completely positive trace preserving operations that are accessed via sets of unique challenge-response pairs which are quantum states. One major advantage of qPUF compared to previous PUF proposals is that, apart from the high min-entropy of the qPUF device, the challenges and responses also exhibit high min-entropy due to the unclonability property in quantum mechanics [arapinis2019quantum, vskoric2010quantum, goorden2014quantum, nikolopoulos2017continuous]. This extra feature is nonexistent in previous PUFs since the challenges and responses, being classical states, can be perfectly cloned. Hence it serves as a great motivation to study qPUF resource and security performance in achieving various cryptographic functionalities. Our current work provides two proposals for achieving entity authentication (or identification) using qPUF.
With the objective of performing low-cost secure identification of the prover by the verifier using qPUF, we give a categorisation of the resources into three major segments. First is the ‘memory resource’ which quantifies the type and amount of resources that a party possesses. It can either be a classical memory that we label as low cost or a quantum memory which is high cost since such a memory tends to be highly fragile and dissipative to the environment [lvovsky2009optical]. Second is the ‘computing ability’ resource which indicates the kind of operations a given party has the ability to perform. We denote a party with high computing ability as one that can perform any polynomially bounded quantum circuit operation [watrous2003complexity], and a low ability party as one who is restricted to generation and measurement of quantum states in certain bases. This is quantified by the gate complexity of the quantum circuit. The third resource is the type and number of communication rounds required between the parties to establish identification. Often it is not possible to devise an identification scheme which minimises all three types of resources for both the involved parties without compromising the underlying security. Hence, in this work, we propose two qPUF-based identification schemes which achieve similar security guarantees but are vastly different in terms of the resource requirement for the involved parties. This allows the flexibility to deploy either of these schemes depending on individual constraints.
Our first proposal is a secure qPUF-based device identification protocol which requires the prover to only have access to the valid qPUF device without the requirement for any quantum memory or quantum computational resource, while the verifier is required to possess a local quantum database and the ability to perform quantum operations. This covers the scenario presented before where a quantum cloud provider wants to identify its customer. This type of qPUF-based identification protocol has been previously studied with different qPUF formalisms [vskoric2012quantum, nikolopoulos2017continuous]. In our work, we follow the formal definitions of a qPUF as proposed in [arapinis2019quantum] which assumes that a qPUF is modelled by an unknown unitary operation of exponential size i.e. none of the involved parties, with polynomial resources, have a complete description of the device. This property of qPUF necessitates the use of a quantum distinguishing test in the protocol since the resulting response states of the qPUF device are unknown states [montanaro2013survey, buhrman2001quantum, chabaud2018optimal]. This is in contrast with the previous quantum identification proposals, where some knowledge of the quantum operation was implicitly assumed to be known to the parties, thus not necessitating the use of quantum distinguishability tests. However, this extra information allows proving security against only specific types of adversarial attacks. Our work generalises to provide exponentially high security against any quantum polynomial-time (QPT) adversary.
Our second proposal is a qPUF-based protocol where the prover has a high computational resource, while the verifier runs a purely classical algorithm and hence is not required to perform quantum operations. The verifier is however required to possess a local quantum database. This protocol can enable an almost classical client to identify a quantum server in a quantum network. A major advantage of this protocol over the previous one is that it requires only one-way quantum communication. The construction of this protocol takes inspiration from the ideas of blind quantum computing [broadbent2009universal] to introduce the idea of randomly placing trap quantum states in between the valid states. This, coupled with the unknown property of the qPUF device, provides exponential security against any QPT adversary.
Related Works: The idea of taking advantage of quantum communication between the verifier and the prover in PUF-based identification protocols was first introduced by Skoric in [vskoric2010quantum]. He defined the concept of quantum readout of PUF (QRPUF) and designed an identification protocol based on it. The security of this protocol has been proved against special kinds of attacks including intercept-resend [vskoric2010quantum, vskoric2012quantum], Challenge Estimation [vskoric2016security] and Quantum Cloning [yao2016quantum] attacks. The practical realization of this protocol was shown by Goorden et al. [goorden2014quantum]. In another work, Nikolopoulos and Diamanti introduced a different setup for a QRPUF-based identification protocol in which classical data is encoded in the continuous quadrature components of the quantized electromagnetic field of the probe [nikolopoulos2017continuous]. The security of this scheme has also been proved in [nikolopoulos2018continuous, fladung2019intercept] against a bounded adversary who can only prepare and measure the quantum states. The common feature of the mentioned protocols [vskoric2010quantum, nikolopoulos2017continuous] is the verifier's full or partial knowledge of the unitary modelling the QRPUF. Recently, Arapinis et al. [arapinis2019quantum] have introduced a novel notion of PUF, called qPUF. According to their definition, unlike QRPUFs and like classical PUFs, no one, not even the manufacturer or the verifier, has any knowledge about the unitary of the qPUF. This requirement leads to provable security of qPUFs against forgery attacks. Due to the considerable security features of qPUFs, we propose our identification protocols based on this kind of PUF. The main advantage of our proposals over the previous ones is their provable security against the most general form of attacks considering a QPT adversary. The other related works in the context of quantum-related PUFs are [gianfelici2020theoretical] and [young2019quantum], where the former presents a theoretical framework for QRPUF and the latter is a different type of PUF based on the laws of quantum mechanics.
2 Preliminaries
This section presents the different ingredients required to construct a secure qPUF-based authentication scheme.
2.1 Quantum Physical Unclonable Functions
A quantum PUF, or qPUF, is a secure hardware cryptographic device which utilises the properties of quantum mechanics [arapinis2019quantum]. Similar to a classical PUF [armknecht2016towards], a qPUF is accessed via challenge and response pairs (CRP). However, in contrast to a classical PUF where the CRPs are classical states, the qPUF CRPs are quantum states.
A qPUF manufacturing process involves a quantum generation algorithm, ‘QGen’, which takes as an input a security parameter and generates a PUF with a unique identifier id,
(1) 
Next we define the mapping provided by which takes any input quantum state to the output state . Here and are the input and output Hilbert spaces respectively corresponding to the mapping that provides. This process is captured by the ‘qEval’ algorithm which takes as an input a unique device and the state and produces the state ,
(2) 
A qPUF is labelled secure if it satisfies a few necessary cryptographic properties. The first property, robustness, ensures that if the qPUF is queried separately with two input quantum states and that are indistinguishable to each other, then the output quantum states and must also be indistinguishable,
(3) 
where is a negligible quantity dependent on the desired security parameter. Here  indistinguishability for any two quantum states and is defined as , where is the fidelity distance measure between the quantum states. Alternatively, other distance measures such as the trace norm or the Euclidean norm (any Schatten-p norm) can also be used to define security requirements for qPUF.
The second property, collision resistance, ensures that if the same qPUF is queried separately with two input quantum states and that are distinguishable, then the output states and must also be distinguishable with an overwhelmingly high probability,
(4) 
The parameters and are determined by the security parameter . The properties defined above are crucial for the correctness of secure systems composed of qPUFs. Also for qPUFs, the condition must be satisfied to achieve the desired characteristics of a qPUF.
All the above properties can be satisfied by a unitary map i.e. if , where is an identity matrix. As a consequence, here we consider the qPUF construction to be a unitary matrix , where . (Footnote 1: Other CPTP maps that attach an ancilla such that also satisfy all the properties. We do not consider such maps for the construction of PUFs. This could however be an interesting line of extension of PUFs.)
A crucial security feature of the qPUF device is the unforgeability property. It states that estimating the response of the device with high enough fidelity when a challenge is picked uniformly at random from the Haar measure states is exponentially unlikely without possessing the device. Formally this means that for a challenge state ,
(5) 
where is the optimal response generated to a given challenge , is the response generated by the qPUF device on the given challenge and .
2.2 Quantum Adversarial Model and Security Definitions
Strong notions of the security of quantum cryptographic proposals require cryptanalysis against adversaries which also possess quantum capabilities of varying degree [boneh2011random, mosca2018cybersecurity, song2014note]. The strongest such notion is achieved by assuming no restrictions on the adversary’s computational power and resources. This security model, also known as security against an unbounded adversary, is usually too strong to be achieved by most cryptographic primitives such as qPUFs. It has been shown in [arapinis2019quantum] that unitary qPUFs cannot remain secure against an unbounded adversary. Thus the standard security model that we also use in this paper is the notion of security against efficient quantum adversaries or, in other words, quantum polynomial time (QPT) adversaries. We define such an adversary attack in the context of qPUFs. A QPT adversary with query access to qPUF is defined as an adversary that can query the qPUF oracle with polynomially many (in the security parameter) challenges and has a polynomial-sized quantum register to store the quantum CRPs. The QPT adversary is also allowed to run any efficient quantum algorithm in the class BQP. The security of most qPUF-based cryptographic protocols relies on the unforgeability property of qPUF described previously.
Here we follow the same definitions of existential and selective unforgeability defined in [arapinis2019quantum] and restate them as follows:

Existential unforgeability: A qPUF satisfies existential unforgeability if given access to a register containing a polynomial number of challenge-response pairs of qPUF, the probability that any QPT adversary chooses a quantum challenge which is distinguishable from all challenges , and successfully generates a response which is indistinguishable from the valid qPUF’s response , is bounded by a negligible function of the security parameter. In other words, no QPT adversary can generate even a single valid new quantum challenge-response pair with non-negligible probability,
(6) where is the set of all challenges in the register.

Selective unforgeability: A qPUF satisfies selective unforgeability if given access to a register containing a polynomial number of challenge-response pairs of qPUF, the probability that any QPT adversary receives a quantum challenge chosen uniformly at random , and successfully generates a response which is indistinguishable from the valid qPUF’s response , is bounded by a negligible function of the security parameter. In other words, no QPT adversary can generate even a single valid new quantum challenge-response pair with non-negligible probability,
(7) where is the set of all challenges in the register and is picked uniformly randomly from the set.
Note that in both the attack models, we allow for the possibility of adaptive attacks from the adversary [armknecht2016towards]. The results in [arapinis2019quantum] show that a unitary qPUF cannot satisfy existential unforgeability against QPT adversaries. This is due to the existence of a quantum emulation based algorithm which states that picking a new challenge in the subspace spanned by the challenges in register such that is distinguishable from all the challenges in , it is efficiently possible to output a response state such that . qPUFs however do satisfy selective unforgeability [arapinis2019quantum]. Their result states that the success probability of any QPT adversary to output the response of a Haar random challenge state with non-negligible fidelity is bounded by:
where is the set of challenges in the register and is the dimension of the challenge subspace known to the via the register. is the size of the qPUF unitary and is a negligible function in poly. In our work, we assume the qPUF is an unknown unitary transformation. This assumption allows us to use the qPUF as a selectively unforgeable device according to the above definition. We restate the proof of qPUF unforgeability in the Appendix A.1.
2.3 Quantum Equality Tests
Distinguishing two unknown quantum states is a central ingredient in quantum information processing. This task is often referred to as the ‘state discrimination task’. The celebrated Holevo-Helstrom bound [holevo1973bounds] relates the optimal state distinguishability of two unknown states with the trace distance between the states. This implies that unless the states are the same (up to a global factor), it is impossible to deterministically distinguish the two states. An important application of state discrimination is the task of Equality testing [buhrman2001quantum, barenco1997stabilization, xu2015experimental]. This is an extremely simple task but a building block for lots of complicated quantum protocols. The objective of Equality testing, one that we consider in our work, is to test whether two unknown quantum states are the same. This is a well-studied topic and we describe the optimal quantum protocols for Equality testing.
2.3.1 SWAP test
Given a single copy of two unknown quantum states and , is there a simple test to optimally determine whether the two states are equal or not? This question was answered in the affirmative by Buhrman et al. [buhrman2001quantum] when they provided a test called the SWAP test. This test was initially used by the authors to prove an exponential separation between classical and quantum resources in the simultaneous message passing model. Since then it has been used as a standard tool in the design of various quantum algorithms [buhrman2010nonlocality, kumar2017efficient]. A SWAP test circuit takes as an input the two unknown quantum states and and attaches an ancilla . A Hadamard gate is applied to the ancilla followed by the controlled-SWAP gate and again a Hadamard on the ancilla qubit. Finally, the ancilla is measured in the computational basis and we conclude that the two states are equal if the measurement outcome is ‘0’ (labelled accept). Figure 2 illustrates this test in the special case when the state is a pure state and shown by .
It can be shown that the probability the SWAP test accepts the states and is [kobayashi2003quantum],
(8) 
In the special case when at least one of the states (let’s say ) is a pure state , the probability of acceptance is,
(9) 
Thus when at least one of the two states is a pure state, the acceptance probability is related to the fidelity between the states. This implies when the states are the same, the probability of acceptance is 1. However, when the states are different then if the SWAP test accepts the states, this implies an error. Thus the error in the SWAP test when the states are different (also called the one-sided error) is . This error can, however, be brought down to any desired error by running multiple instances of the SWAP test circuit. The number of instances required to bring down the error probability to a desired is,
where and we use the fact that fidelity is independent of .
2.3.2 Generalised SWAP test
The above SWAP test is optimal in Equality testing (in a single instance) of two unknown quantum states when one has a single copy of the two states. However, there are certain quantum protocols where one has access to multiple copies of one unknown state and only a single copy of the other unknown state and the objective is to provide an optimal Equality testing circuit. Considering this scenario, Chabaud et al. [chabaud2018optimal] provided an efficient construction of such a circuit, generalised SWAP (GSWAP) test circuit. A GSWAP circuit takes as an input a single copy of , M copies of and copies of the ancilla qubit . The generalised circuit is then run on the inputs, and the ancilla qubits are measured in the computational basis. Figure 3 is a generic illustration of such a circuit. For more details on the circuit refer to the original work [chabaud2018optimal].
It can be shown that the probability the GSWAP circuit accepts two quantum states and is,
(10) 
where . We note that in the special case of , the GSWAP test reduces to the SWAP test. Also in a single instance, GSWAP provides a better Equality test compared to the SWAP test since it reduces the one-sided error probability. In the limit , we obtain the optimal acceptance probability of . Another important feature of GSWAP is that it can achieve any desired success probability in just a single instance which is impossible to achieve using SWAP circuit. However, the number of copies required is exponentially more than the number of instances that the SWAP circuit has to run to achieve the same error probability,
(11) 
Hence one decides the use of either SWAP test or GSWAP test depending on the specific application.
2.3.3 Abstract and ideal quantum Equality test
From the tests described above, we define an abstract and ideal version of the quantum Equality test when at least one of the states is a pure state, and relate it to the fidelity distance as discussed in [arapinis2019quantum].
Definition 1 (Quantum Testing Algorithm).
Let and be and copies of two quantum states and , respectively. A Quantum Testing algorithm is a quantum algorithm that takes as input the tuple (,) and some ancilla states and generates an outcome ‘1’ (accept) when and are equal with the probability,
where is the fidelity between the two states and satisfies the following limits:
where is the statistical error due to the Equality test algorithm.
As an example, for the GSWAP test where and , we obtain from Eq 11 that the probability of acceptance in the limit is 1, while it is in the limit . It can be inferred from the above definition that the quantum test can be idealized by forcing the to be zero for any given number of copies. This implies that one can abstractly construct an ideal test in a single instance case (when one is provided with a single copy of one quantum state and multiple copies of the other state),
Definition 2 (Single Instance Ideal Test Algorithm).
We call a test algorithm according to Definition 1, a test algorithm when one is provided a single copy of the state and multiple copies of the state (or vice versa) with fidelity the test responds as follows:
(12) 
3 Description of qPUF-based identification protocol
An identification protocol, also called a device-authentication protocol, is run between a verifier and a prover. A verifier’s task is to identify whether the prover is the correct owner of a valid device. Our setting assumes that the verifier and the prover having a valid device behave honestly. The security is provided against an adversary who has had limited access to the valid device in the past and currently does not possess the valid device. Based on the limited knowledge that the adversary has, her objective is to correctly identify herself as the valid owner of the device. Prior to providing the details of the construction of device identification protocols using qPUF, we describe a common structure in these protocols. Any such protocol consists of three sequential phases: setup phase (or enrollment phase), identification phase and verification phase [nikolopoulos2017continuous, vskoric2010quantum, pappu2002physical].

Setup phase: A setup phase is the beginning phase of the protocol. Here the verifier has the qPUF device and locally prepares a database consisting of multiple quantum challenge and response pairs of this device. This is done by picking a set of challenges from the input Hilbert space of qPUF and obtaining the corresponding response states. The challenges and responses, namely Challenge-Response pairs (CRPs), are stored in the verifier’s local database. As the challenges are picked by the verifier, their classical description is known and thus there is no requirement to store them as quantum states. But the responses are usually unknown quantum states to the verifier and need to be stored in a quantum memory. For the protocols we define over the next sections, we assume that the verifier’s quantum capabilities are restricted to quantum polynomial time. Hence the size of the verifier’s database can only be polynomial while the qPUF device is of exponential size. Once the local database is generated, the qPUF device is physically transferred to the prover over a public channel.

Identification phase: The setup phase is followed by the identification phase where the verifier sends one or multiple challenges, usually chosen at random, to the prover from the CRP database. The quantum state of the challenge(s) is sent over a public quantum channel to the prover.
The prover who has the valid qPUF device obtains the responses of the received challenges by interacting them with the qPUF which produces quantum outputs as the response. Then the prover sends either the response state directly, or sends some classical or quantum information related to the response to the verifier. We note that qPUF-based identification protocols would mostly differ in this phase by varying the number of challenges sent to the prover and the type of information received by the verifier.

Verification phase: In the verification phase, the verifier runs a quantum or classical verification algorithm on the information received from the prover. We denote that the verifier correctly identifies the prover if the verification algorithm outputs 1. Otherwise, it aborts.
4 Notations
We first fix the notations for the following qPUF-based identification protocols. We name the verifier as Alice, the prover as Bob and the adversary as Eve. We denote to be Alice’s CRP database where is the number of distinct () CRPs in the database and denotes the number of copies of the responses for each challenge. Here the delta function if and 0 otherwise. Multiple copies () may be needed for the verification phase. Note that as the classical description of the challenge is known, they can be prepared anytime by the verifier, thus no quantum registers are needed for them and we do not count the challenges as resource overhead.
Let where is a dimensional Hilbert space denoting the domain and range of the unitary qPUF. We also call this the size of qPUF. When the challenges and responses are qubit states, . We assume the verifier, prover and the adversary have quantum polynomial time (QPT) capability. Thus the challenges in the verifier database span a dimensional Hilbert space where for qubit CRPs.
The prover’s response state for the challenge is denoted as . More generally, if the response is produced by the valid qPUF, then . We denote the verification algorithm as qVer() when the prover sends quantum state to the verifier in the identification phase. If the prover instead sends the classical information of the response state, then the corresponding verification algorithm is denoted as cVer(). Also, we denote to be the number of rounds of communication between the verifier and the prover in the identification phase. is the total number of communicated states needed for the protocol. Finally, we denote as the security parameter.
5 qPUF identification protocol with high-resource verifier
The first qPUF-based device identification protocol we propose is the quantum analogue of the standard PUF-based identification scheme between the verifier (Alice) and the prover (Bob). Before describing the details, we list the salient features of our protocol:

The protocol requires the prover to have no quantum memory and no computing ability resource, whereas the verifier is required to have high quantum memory and high computing ability resource (restricted to QPT memory and computation).

The protocol requires a 2-way quantum communication link between the prover and verifier.

The protocol has a quantum verification phase i.e. the prover sends information in quantum states to the verifier who then performs a verification test to certify if the device is valid.

The protocol provides perfect completeness and an exponentially high security guarantee against any adversary with QPT resources.
5.1 Protocol description
This protocol is run between Alice, the verifier, and Bob, the prover. As described in section 3, the protocol is divided into three sequential phases,

Setup phase:

Alice has the qPUF device.

She randomly picks classical strings .

She applies a private encoding unitary operation to create the corresponding quantum states in ,
(13) 
Alice queries the qPUF individually with each quantum challenge number of times to obtain copies of the response state , which is denoted as .

She creates a local database for .

Alice transfers the qPUF to Bob over a public quantum channel.
To be able to investigate the security in a strong and general setting, we do not assume the qPUF’s transition to be secure, in the sense that any QPT adversary Eve is allowed to query the qPUF during transition an number of times and thus build its own local database. Due to the conditions on the selective unforgeability of the qPUF (Appendix A.1), it is important that Alice picks her challenges at random from a distribution over the Hilbert space . This in turn implies that the encoding unitary operation is a Haar random unitary [arapinis2019quantum]. We note that efficient simulation of exists as proposed in [alagic2020efficient].


Identification phase:

Alice uniformly selects a challenge labelled (), and sends the state over a public quantum channel to Bob.

Bob generates the output by querying the challenge received from Alice to the qPUF device.

The output state is sent to Alice over a public quantum channel.

This procedure is repeated with the same state or different states a total of number of times.


Verification phase:

Alice runs a quantum equality test algorithm on the received response from Bob and the copies of the correct response that she has in the database. This algorithm is run for all the CRP pairs.

She outputs ‘1’ if the test algorithm returns the outcome ‘1’ on all CRP pairs, which implies that Bob’s qPUF device has been successfully identified. She outputs ‘0’ otherwise.
Sections 5.2 and 5.3 describe the quantum verification algorithm run by Alice.

Figure 4 describes the qPUF-based identification protocol with high-resource verifier denoted as hrvid.
For this protocol, we can define the completeness and soundness security properties.
Completeness: Completeness of the hrvid protocol is defined as the probability that Alice returns the outcome ‘1’ in the verification phase when there is no presence of an adversary Eve. This implies that the verification algorithm must output ‘1’ for all the rounds of the protocol.
More formally, all the states produced by the valid qPUF device during the verification should pass the verification test with a probability very close to 1:
(14) 
where the subscript H denotes the honest device holder.
Soundness: The soundness of the protocol is analysed in the presence of a QPT adversary Eve. We say the hrvid is sound (or secure) if the probability that Alice returns the outcome ‘1’ in the verification phase while she has received a quantum state from Eve is negligible in the security parameter:
(15) 
where is the state sent by Eve in the th round. In the most general case, Eve’s combined state across rounds is , and is obtained by tracing out the instances of the general state. In the special case when Eve attacks each round independently i.e , the soundness probability reduces to,
(16) 
As opposed to the classical PUF-based identification protocols, the most resource-consuming part of a qPUF-based identification protocol is the verification phase since Alice needs to check the validity of an unknown quantum state. We propose two different quantum verification algorithms for this stage, namely SWAP test and GSWAP test as presented in section 2.3. We compare the two instances of hrvid using SWAP and GSWAP verification in terms of resources and security promises.
5.2 Verification with SWAP test
The first proposal for the verification algorithm for Alice is the SWAP test algorithm defined in section 2.3.1. This test allows Alice to efficiently check if the response received in the identification phase is the valid qPUF response. A single instance of the SWAP test requires a single copy of the received state and valid response state that Alice has stored in her register. To obtain a desired low enough test error rate, the SWAP test is repeated number of times for the same challenge state. Here is proportional to the inverse-log of the desired error probability. Thus the SWAP test consumes valid response states of Alice for the same challenge state. An identification protocol performed using distinct challenge states consumes a total of copies of the received state and the valid response state. This is also the total number of quantum communication rounds used to achieve the identification of the qPUF device. In the next two theorems, we show that the SWAP-based test algorithm provides us with the desired completeness and soundness properties required in the protocol.
5.2.1 hrvidSWAP protocol completeness
Theorem 1.
In absence of an adversary Eve, the probability that Bob’s response state generated from the valid qPUF device passes the SWAP test for all the rounds is,
Proof.
When Alice receives Bob’s response which is generated from the valid qPUF device for all the copies of the challenge state, then . This implies that for all . From Eq 9, we see that,
(17) 
Since in the honest setting, the states received from Bob over rounds are all valid qPUF pure states which are unentangled to each other, hence the SWAP tests for all the rounds are independent tests. This implies that,
(18) 
This completes the proof. ∎
5.2.2 hrvidSWAP protocol soundness
Now we show that the hrvidSWAP protocol satisfies the soundness property. This is characterised by an adversary Eve who does not have the valid qPUF device in the identification phase but her objective is to successfully pass Alice’s verification test with a non-negligible probability. Note that apart from the local database that Eve can create in the setup phase, she also has full access to the channel in the identification phase on which Alice sends the quantum challenge to Bob and Bob sends the response state to Alice.
In order to bound Eve’s success probability in passing the SWAP verification test, we calculate the probability that the generalised state that she sends to Alice is accepted for all the instances of the SWAP test. We note that the SWAP test instances are all independent tests. However, when Eve sends a generalised entangled state , the success probability across the rounds is no longer the product of the individual SWAP instance success probabilities. This implies that Eve’s success probability in some rounds can be higher than in previous rounds. However, since the distinct challenges picked by Alice are all uniformly random, it can be easily verified that Eve does not gain anything by entangling the states across rounds corresponding to different challenge states. Thus Eve’s probability in passing the verification test by sending the state is the same as that for a generalised state , where is a generalised state sent to instances of the SWAP test corresponding to the same challenge .
Now across the instances corresponding to the SWAP test for the same challenge state , the state received by Alice is , where is obtained by tracing out the M−1 instances . Let be Eve’s response state with the highest fidelity with the correct response, i.e.
(19) 
Since the SWAP test success probability is directly proportional to the fidelity between the two input states, this implies that Eve can maximise her success probability by sending unentangled states to Alice instead of the generalised state . The above Equation 19 can be used to bound Eve’s success probability in passing Alice’s verification test,
(20) 
where , and . Now using the property that the qPUF device exhibits selective unforgeability against any QPT adversary Eve [arapinis2019quantum], we bound her success probability using the following theorem.
Theorem 2 (Security of hrvidSWAP).
Let qPUF be a selectively unforgeable unitary PUF over . The success probability of any QPT adversary Eve to pass the SWAP-test based verification of the hrvidSWAP protocol is at most , given that there are copies for each CRP, different CRPs and rounds of challenge. The is bounded as follows:
Proof.
From Eq 20, we see that the optimal strategy of Eve is to produce the response states which maximise the fidelity for each CRP . Arapinis et al. [arapinis2019quantum] provided an upper bound on the fidelity when Eve has polynomial access to the qPUF. This property, also referred to as the selective unforgeability property of qPUF (Appendix A.1), states that the fidelity-square is bounded as,
(21) 
for any . Here is the dimension of subspace that Eve has learnt from . For , this implies that the maximum fidelity state that Eve can create on average is non-orthogonal to the valid response state with a negligible probability . Hence with overwhelming probability. This bound holds true for all distinct CRPs labelled by .
Thus from Eq 20 and 21, the probability that Eve passes Alice’s SWAP based verification test is,
(22) 
Note that here we also take into account the adaptive strategy of the adversary. That is even by assuming the previous rounds are added as extra states to Eve’s learning phase, the dimension of the subspace will remain polynomial in . This completes the proof. ∎
The bound indicated above shows that one can achieve an exponentially secure qPUF-based identification using SWAP test based verification protocol with just a single challenge state i.e. and repeated for instances. However, non-ideal cases would make identification with different challenge states necessary. Hence we provide a general recipe involving multiple distinct challenges each running for multiple instances. Our protocol requires number of rounds and uses number of communicated states.
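The following Python sketch is an added example, not code from the paper. It shows how the acceptance probability of the SWAP-based verification falls off when the received states have fidelity below 1 with the stored responses. It assumes the standard SWAP test acceptance probability 1/2 + F²/2 and independent rounds; all function and parameter names (`n_challenges`, `copies`, `f2`, `degraded_copy`) are hypothetical, and the states are constructed samples rather than outputs of a real qPUF.

```python
import math
import random

def random_state(dim, rng):
    """Sample a normalised pure state: complex Gaussian amplitudes, then normalise."""
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(dim)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in amps))
    return [a / norm for a in amps]

def inner(psi, phi):
    """Inner product <psi|phi>."""
    return sum(a.conjugate() * b for a, b in zip(psi, phi))

def fidelity_sq(psi, phi):
    """Squared overlap |<psi|phi>|^2 of two pure states."""
    return abs(inner(psi, phi)) ** 2

def swap_pass_prob(psi, phi):
    """Probability that one SWAP test reports 'equal' (assumed: 1/2 + F^2/2)."""
    return min(1.0, 0.5 + 0.5 * fidelity_sq(psi, phi))

def degraded_copy(target, f2, rng):
    """Constructed state whose squared overlap with `target` is f2."""
    other = random_state(len(target), rng)
    ov = inner(target, other)
    orth = [b - ov * a for a, b in zip(target, other)]  # Gram-Schmidt step
    norm = math.sqrt(sum(abs(x) ** 2 for x in orth))
    orth = [x / norm for x in orth]
    return [math.sqrt(f2) * a + math.sqrt(1 - f2) * o
            for a, o in zip(target, orth)]

def acceptance_probability(database, received):
    """Probability that every SWAP test passes, for independent rounds.

    database[i] is the verifier's stored response for challenge i;
    received[i] is the list of states received for that challenge."""
    p = 1.0
    for stored, copies in zip(database, received):
        for state in copies:
            p *= swap_pass_prob(stored, state)
    return p

def verify(database, received, rng):
    """Sample the verifier's decision: 1 only if all tests report 'equal'."""
    for stored, copies in zip(database, received):
        for state in copies:
            if rng.random() >= swap_pass_prob(stored, state):
                return 0
    return 1

def demo(n_challenges=2, copies=10, dim=8, f2=0.5, seed=7):
    rng = random.Random(seed)
    database = [random_state(dim, rng) for _ in range(n_challenges)]
    honest = [[resp] * copies for resp in database]
    degraded = [[degraded_copy(resp, f2, rng) for _ in range(copies)]
                for resp in database]
    return (acceptance_probability(database, honest),
            acceptance_probability(database, degraded),
            verify(database, honest, rng))

if __name__ == "__main__":
    p_honest, p_degraded, decision = demo()
    print(f"honest: {p_honest:.6f}  fidelity^2=0.5: {p_degraded:.6f}  "
          f"sampled honest decision: {decision}")
```

With squared fidelity 0.5, each test passes with probability 0.75, so 20 independent tests all pass with probability 0.75^20, while responses identical to the stored ones pass with probability 1.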
5.3 Verification with GSWAP test
The second proposal for the verification algorithm for Alice is the GSWAP test algorithm defined in section 2.3.2. A single instance of the GSWAP test requires a single copy of the received state and copies of the valid response state that Alice has stored in her register. Thus the GSWAP reduces the number of rounds of communication for the same challenge state from (in the SWAP test case) to 1. However, if one performs the identification protocol with just one challenge state, then using Eq 11, the number of copies that Alice requires in her register for the same challenge state is inverse of the desired error. Thus with GSWAP, we reduce the number of communication rounds to 1 at the expense of adding inverse-error copies compared to the SWAP test which requires inverse-log copies. This implies that a polynomial number of copies of only provides a polynomial one-sided error rate in the GSWAP protocol (Eq 11). Thus, to be able to achieve exponential security with a polynomial number of copies, the identification protocol must be performed using distinct challenge states, which consumes a total of copies of the received state and copies of the valid response state. The total number of quantum communication rounds used to achieve the identification of the qPUF device is . In the next two theorems, we show that the GSWAP-based test algorithm provides us with the desired completeness and soundness properties required in the protocol.
5.3.1 hrvidGSWAP protocol completeness
Theorem 3.
In absence of an adversary Eve, the probability that Bob’s response state generated from the valid qPUF device passes the GSWAP test for all rounds is,
Proof.
When Alice receives Bob’s response which is generated from the valid qPUF device for all the copies of the challenge state, then . This implies that for all . From Eq 10, we see that,
(23) 
Since in the honest setting, the states received from Bob over rounds are all valid qPUF pure states which are unentangled to each other, hence the GSWAP tests for all the rounds are independent tests. This implies that,
(24) 
This completes the proof. ∎
5.3.2 hrvidGSWAP protocol soundness
Following similar arguments as the soundness for hrvidSWAP protocol, we show that the hrvidGSWAP protocol satisfies the soundness property. Again, to bound Eve’s success probability in passing the GSWAP verification test, we calculate the probability that the generalised state sent to Alice is accepted for all the instances of the GSWAP test. Similar to the SWAP test, the GSWAP test instances are all independent tests. However, with a generalised entangled state , the success probability across the rounds is no longer a product of the individual GSWAP instance success probabilities. However, since the distinct challenges picked by Alice are all uniformly random, similar to the argument provided in the SWAP test soundness, Eve does not gain anything by entangling the states across rounds corresponding to different challenge states. Thus Eve’s probability in passing the verification test by sending the state is the same as that for a generalised state , where is the state sent to the instance of GSWAP test corresponding to the same challenge . Thus Eve’s success probability in passing Alice’s GSWAP-based verification test can be expressed as the product of the individual GSWAP instance success probabilities,
(25) 
where is the fidelity between Eve’s state and the valid qPUF response state for the th round.
Now using the property that the qPUF device exhibits selective unforgeability against any QPT adversary Eve [arapinis2019quantum], we bound her success probability using the following theorem.
Theorem 4 (Security of hrvidGSWAP).
Let qPUF be a selectively unforgeable unitary PUF over . The success probability of any QPT adversary Eve to pass the GSWAP-test based verification of the hrvidGSWAP protocol is at most , given that there are copies for each CRP, different CRPs and rounds of challenge. The is bounded as follows:
Proof.
From Eq 25, we see that the optimal strategy of Eve is to produce the response states which maximise the fidelity for each CRP . We utilise the same selective unforgeability result (Appendix A.1) to bound the fidelity-square with which Eve can produce the states ,
(26) 
for any . Here is the dimension of subspace that Eve has learnt from . For , this implies that the maximum fidelity state that Eve can create on average is non-orthogonal to the valid response state with a negligible probability . Hence with overwhelming probability. This bound holds true for all distinct CRPs labelled by .
Thus from Eq 25 and 26, the probability that Eve passes Alice’s GSWAP-based verification test is,
(27) 
Note that here we have also taken into account the adaptive strategy of Eve since our security is analysed for the most general attack strategy. This completes the proof. ∎
The above bound shows that to achieve an exponentially secure qPUF-based identification using GSWAP-based verification protocol with only a polynomial sized register , the protocol needs to be repeated for multiple instances. Our protocol requires number of communication rounds and uses number of communicated states.
6 qPUF identification protocol with low-resource verifier
In the previous section, we described the qPUF-based identification protocol in which the prover (Bob) requires no memory or computing ability resource, but the verifier (Alice) requires high quantum memory and computing ability resource to be able to efficiently run the quantum verification algorithm. From the point of view of the verifier, the first protocol is highly resource-consuming. In this section, we propose an efficient exponentially secure qPUF-based protocol, labelled as lrvid, with a weak verifier i.e. a verifier that requires no quantum computing ability resource. A standout feature of this protocol is the delegation of the quantum verification algorithm to the prover’s side. This is especially important when a weak verifier wants to efficiently identify the device of a powerful prover/server. Before describing the details, we list the salient features of our protocol:

The protocol requires the prover to have some quantum memory and high computing ability resource, whereas the verifier is just required to have high quantum memory and no computing ability resource (restricted to QPT memory and computation).

The protocol requires a 1-way quantum communication link directed from the verifier to the prover. The link directed from the prover to the verifier is a classical channel.

The protocol has a classical verification phase i.e. the prover locally performs the verification test and sends the classical information to the verifier.

The protocol provides perfect completeness and an exponentially-high security guarantee against any adversary with QPT resources.
6.1 Protocol description
This protocol is run between Alice, the verifier, and Bob, the prover. As described in section 3, the protocol is divided into three sequential phases:

Setup phase:

Alice has the qPUF device.

Alice randomly picks classical strings .

She applies a private encoding unitary operation to create the corresponding quantum states in ,
(28) 
Alice queries the qPUF individually with each quantum challenge to obtain the response state .

Alice creates a state which is orthogonal to for all .

She queries them with the qPUF device to obtain the response states labeled as with the property that for all .

She creates a local database for all . Thus the register stores the challenge state and the corresponding valid response state and the trap state which is orthogonal to the response state.

Alice transfers the qPUF to Bob over a public quantum channel.
To be able to investigate the security in a strong and general setting, we do not assume the qPUF’s transition to be secure, in the sense that any QPT adversary Eve is allowed to query the qPUF during transition an number of times and thus build its own local database. Due to the conditions on the selective unforgeability of the qPUF, it is important that Alice picks her challenges at random from a distribution over the Hilbert space .


Identification phase:

Alice randomly selects a subset different challenges and sends them over a public quantum channel to Bob.

On the positions corresponding to selected challenges, she randomly selects positions, marks them and sends to Bob. On the remaining positions, marked as , she sends to Bob. The state is sent over a public channel.
Note that since the quantum channels are public, we assume that Eve can have complete control on them.


Verification phase:

Bob queries the qPUF device with the challenge states received from Alice to generate the response states for all .

He performs a quantum equality test algorithm by performing a SWAP test between and the response state received from Alice. This algorithm is repeated for all the distinct challenges.

Bob labels the outcome of instances of the SWAP test algorithm by and sends them over a classical channel to Alice.

Alice runs a classical verification algorithm cVer() and outputs ‘1’ implying that Bob’s qPUF device has been successfully identified. She outputs ‘0’ otherwise.
We note that if the Alice-Bob public channel was not tampered with, then the response state that Alice would generate is for all . Also here we focus on the quantum equality algorithm using SWAP test. However, one can alternatively use the GSWAP test as the equality testing algorithm.

Figure 5 describes the qPUF-based identification protocol with low-resource verification denoted as lrvid.
For this protocol, we define the completeness and soundness security properties.
Completeness: Completeness of the lrvid protocol is defined as the probability that Alice returns the outcome ‘1’ in the verification phase when there is no presence of an adversary Eve. This implies that Alice’s classical verification algorithm cVer must return an outcome ‘1’ with a probability very close to 1:
(29) 
where are the SWAP test outcome bits sent by Bob.
Soundness: The soundness of the protocol is analysed in the presence of a QPT adversary Eve. We say the lrvid is sound (or secure) if the probability that Alice returns the outcome ‘1’ in the verification phase is negligible in the security parameter:
(30) 
In the following sections, we present the classical verification algorithm cVer and analyse the completeness and soundness of our lrvid protocol when Bob performs the SWAP test based quantum equality algorithm.
6.2 cVer algorithm
cVer is a classical test algorithm employed by Alice on the received classical bits to certify whether Bob’s device has been identified. As described in Algorithm 1, cVer receives an bit binary string as input. The algorithm is divided into two tests. test1 first checks whether, in the positions marked as , i.e. the positions where Alice had sent a valid qPUF response state to Bob, the corresponding bits in are all 0.
If this test succeeds, then the algorithm proceeds to test2 which is a test on the positions where Alice had sent the trap states to Bob. If on these positions, the expected number of bits in which are 0 lie between , then cVer algorithm outputs ‘1’ indicating that the device has been identified. Here is the expected number of bits in positions with outcome ‘0’ that Bob would obtain after the Equality test algorithm measurement, in absence of any adversary Eve. For example, if Bob’s test algorithm is the SWAP test, then . Here, accounts for the statistical error in the measurement.
6.3 Verification using delegated-SWAP test and cVer algorithm
Here we explicitly describe and calculate the completeness and soundness probabilities of the protocol which employs the verification algorithm involving Bob’s SWAP test, followed by Alice’s cVer algorithm. This allows Alice to efficiently identify the valid qPUF device even though the SWAP test algorithm has been delegated to Bob. A single instance of Bob’s SWAP test requires a single copy of the response state received from Alice (either the valid qPUF response state or the trap state) and the response state that Bob generates by querying Alice’s challenge state in his qPUF device. To obtain a desired low enough error rate in the verification algorithm, the SWAP test is performed on distinct instances of the received response state and response state generated by Bob by querying distinct challenge states. The responses of the SWAP test instances are classical bits. Thus the bit binary classical outcome string is sent to Alice who employs the algorithm cVer described in Algorithm 1. An identification protocol performed using distinct challenge states consumes a combined total of copies of the received state and the response state generated by Alice. In the next two sections, we show that the SWAP-based test algorithm provides us with the desired completeness and soundness properties required in the protocol.
6.3.1 lrvid protocol completeness
Theorem 5.
In absence of an adversary Eve, the probability that the classical bit string sent by Bob, passes Alice’s classical algorithm cVer() is,
where is the classical bit outcome of th instance of Bob’s SWAP test.
Proof.
To prove this theorem, we separately analyse the positions where Alice sends the valid qPUF response state to Bob (marked as ), and the remaining positions where she sends the trap state (marked as ),

positions: When Bob prepares the response state by querying his qPUF device with Alice’s challenge state , then Bob’s generated response state is equal to Alice’s response state sent to Bob, i.e. . This implies that for all marked . From Eq 9, we see that,
(31)
From section 2.3.1, we see that corresponds to the classical outcome 0. This implies that for all marked with certainty. Thus when Alice employs the cVer algorithm, Bob always achieves a in the test1 and thus passes it with certainty,

positions: These positions correspond to Alice sending the trap states to Bob such that Bob’s generated response state is orthogonal to the trap state. In other words, for all marked . This implies that,
(32)
Thus, half of the positions would produce the classical outcome 1 on average. When Alice employs test2 of the cVer algorithm, . Using the Chernoff-Hoeffding inequality [upfal2005probability], for any constant ,
From the above results and using the fact that for SWAP test based algorithm,
(33) 
This completes the proof. ∎
The next section details the soundness proof of the lrvid protocol.
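The two-stage cVer check of Section 6.2 and the honest-case trap statistics used in the proof of Theorem 5 can be sketched as follows. This is an added example, not the paper's Algorithm 1: it assumes test2 accepts when the number of zeros on trap positions lies within ±`delta` of its expected value (half of the trap positions for the SWAP test), and all names, sizes and bit strings are constructed for illustration.

```python
import math
import random

def cver(bits, valid_positions, trap_positions, delta,
         expected_zero_fraction=0.5):
    """Return 1 if the outcome string passes test1 and test2, else 0.

    Assumption: test2 accepts when the zero count on the trap positions is
    within +/- delta (inclusive) of expected_zero_fraction * #traps."""
    # test1: every position that carried a valid response must report 0.
    if any(bits[i] != 0 for i in valid_positions):
        return 0
    # test2: the zero count on trap positions must look like honest statistics.
    zeros = sum(1 for i in trap_positions if bits[i] == 0)
    expected = expected_zero_fraction * len(trap_positions)
    return 1 if abs(zeros - expected) <= delta else 0

def mark_positions(n, n_valid, rng):
    """Verifier's secret random split into valid and trap positions."""
    idx = list(range(n))
    rng.shuffle(idx)
    return sorted(idx[:n_valid]), sorted(idx[n_valid:])

def honest_outcomes(n, trap_positions, rng):
    """Bits reported by an honest prover: 0 with certainty on valid
    positions, 0 or 1 with probability 1/2 each on trap positions."""
    bits = [0] * n
    for i in trap_positions:
        bits[i] = 0 if rng.random() < 0.5 else 1
    return bits

def honest_pass_probability(n_trap, delta, p_zero=0.5):
    """Exact probability that test2 accepts an honest run (binomial sum)."""
    expected = p_zero * n_trap
    return sum(math.comb(n_trap, k) * p_zero ** k * (1 - p_zero) ** (n_trap - k)
               for k in range(n_trap + 1) if abs(k - expected) <= delta)

def hoeffding_lower_bound(n_trap, delta):
    """Chernoff-Hoeffding lower bound on the same probability."""
    return 1 - 2 * math.exp(-2 * delta ** 2 / n_trap)

def demo(seed=1, n=128, n_valid=64, delta=12):
    rng = random.Random(seed)
    valid, trap = mark_positions(n, n_valid, rng)
    honest = honest_outcomes(n, trap, rng)
    all_zero = [0] * n                 # passes test1, too many zeros for test2
    flipped = list(honest)
    flipped[valid[0]] = 1              # one wrong bit on a valid position
    return {
        "honest": cver(honest, valid, trap, delta),
        "all_zero": cver(all_zero, valid, trap, delta),
        "flipped_valid_bit": cver(flipped, valid, trap, delta),
        "honest_pass_exact": honest_pass_probability(len(trap), delta),
        "honest_pass_bound": hoeffding_lower_bound(len(trap), delta),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Widening `delta` raises the honest pass probability toward 1 but also widens the set of strings that test2 accepts, which is the trade-off the completeness and soundness analyses balance.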
7 lrvid protocol soundness
This section provides the soundness property of the lrvid protocol. This is characterised by an adversary Eve who does not have the valid qPUF device in the identification phase but her objective is to successfully pass Alice’s verification test cVer with a non-negligible probability. Note that apart from the local database that Eve can create in the setup phase, she also has full access to the quantum channel in the identification phase on which Alice sends the quantum challenge and response state to Bob. Further, Eve also has access to the classical communication channel from Bob to Alice in the verification phase.
Since the verification test is reduced to a classical test, we consider the soundness in the presence of two types of Eve. The first is a classical Eve who does not possess any quantum resources. The second is the quantum Eve, who possesses QPT memory and computing capability. We separately analyse the security against both types of Eve and prove that quantum Eve gains only exponentially small advantage compared to the classical Eve, thus reducing the security to analysing only the classical adversary. We show that since the verification test is classical, the only way for a quantum Eve to succeed better than a classical Eve is to succeed at guessing the trap positions better than a random guess of classical Eve. We utilise the unforgeability property of qPUF to prove that a quantum Eve can have only a negligible advantage in guessing the trap positions compared to a classical Eve, thus enabling the reduction.
Since the verification test is reduced to a classical test in this protocol, we consider the soundness in the presence of two types of Eve. The first type is a classical Eve, who does not possess any quantum capabilities. Her attack strategy revolves around finding out the positions where Alice sends the valid qPUF response state to Bob. The second type is the quantum Eve, who possesses QPT memory and computing capability.
7.1 Security against classical adversary
We first look at the security of the protocol against a fully classical Eve. As the verification algorithm cVer, as well as the communication link between Bob and Alice in the verification phase, is classical, a classical Eve might be able to generate the bits of that pass the cVer test with a non-negligible probability even without using any information about the qPUF. Thus we need to investigate the security against such an Eve. The following theorem bounds the success probability of Eve trying to pass the classical verification test as described in Algorithm 1.
Theorem 6 (Security of lrvid against classical attacks).
The probability that any classical adversary Eve produces a bit string