Quantum Physical Unclonable Functions: Possibilities and Impossibilities

A Physical Unclonable Function (PUF) is a device with unique behaviour that is hard to clone, hence providing a secure fingerprint. A variety of PUF structures and PUF-based applications have been explored theoretically as well as being implemented in practical settings. Recently, the inherent unclonability of quantum states has been exploited to derive the quantum analogue of PUF as well as new proposals for the implementation of PUF. We present the first comprehensive study of quantum Physical Unclonable Functions (qPUFs) with quantum cryptographic tools. We formally define qPUFs, encapsulating all requirements of classical PUFs as well as introducing a new testability feature inherent to the quantum setting only. We use a quantum game-based framework to define different levels of security for qPUFs: quantum exponential unforgeability, quantum existential unforgeability and quantum selective unforgeability. We introduce a new quantum attack technique based on the universal quantum emulator algorithm of Marvian and Lloyd to prove no qPUF can provide quantum existential unforgeability. On the other hand, we prove that a large family of qPUFs (called unitary PUFs) can provide quantum selective unforgeability which is the desired level of security for most PUF-based applications.


Introduction
Canetti and Fischlin's result on the impossibility of achieving secure cryptographic protocols without any setup assumptions [9] has motivated a rich line of research investigating the advantages of making hardware assumptions in protocol design. The idea was first introduced by Katz in [27], and attracted the attention of researchers and developers as it adopts physical assumptions and eliminates the need to trust a designated party or to rely on computational assumptions. Among different hardware assumptions, Physical Unclonable Functions (PUFs) have greatly impacted the field [4].
PUFs are hardware structures designed to utilize the random physical disorders which appear in any physical device during the manufacturing process. Because of the uncontrollable nature of these random disorders, building a clone of the device is considered impractical. The behaviour of a PUF is usually equivalent to a set of Challenge-Response Pairs (CRPs) which are extracted through physically querying the PUF and measuring its responses. The PUF's responses depend on its physical features and are assumed to be unpredictable, i.e. even the manufacturer of the PUF, with access to many CRPs, cannot predict the response to a new challenge [42]. This property makes PUFs different from other hardware tokens in the sense that the manufacturer of a hardware token is completely aware of the behaviour of the token they have built [7].
So far, the cryptographic literature has mainly considered what we will call classical PUFs (or cPUFs) restricted to classical CRPs. Most cPUFs generate only a finite, albeit possibly exponential (in some desired security parameters), number of CRPs [11]. However, most of them remain vulnerable against different attacks like side-channel [50,11] and machine-learning [19,44,43,28]. Thus, considering on the one hand the importance of cPUFs as a hardware security primitive in several real-world applications [11,26,15,2,33,30,36] (footnote 1), and on the other hand the recent advances in quantum technology, it is worth investigating whether quantum technologies could boost the security of cPUFs or if they, on the contrary, threaten their security. In the current work, we address the general and formal treatment of PUFs in a quantum world for the first time by defining quantum PUFs (qPUFs) as a quantum token that can be challenged with quantum states and respond with quantum states. We identify the requirements a qPUF needs to meet to provide the main security property required for most of the qPUF-based applications, that is unforgeability. All prior similar works [45,46,39,54] (see related work paragraph below) considered the special case of qPUFs where the encoding of the responses is known to the manufacturer and in fact, the evaluation of the qPUF is public information. We provide a general and formal mathematical framework for the study of qPUFs as a new quantum primitive inspired by the theoretical literature of classical PUF while taking into account full capabilities of a quantum adversary. However, it is worth mentioning that designing and implementing concrete qPUFs satisfying our proposed level of security set up remains a challenging task that we are exploring separately as a follow-up of this work.

Our Contributions.
We first define qPUFs as quantum channels and formalize the standard requirements of robustness, uniqueness and collision-resistance for qPUFs guided by the classical counterparts to establish the requirements that qPUFs should satisfy to enable their usage as a cryptographic primitive. We then use the game-based framework to define three security notions for qPUFs: quantum exponential unforgeability, quantum existential unforgeability and quantum selective unforgeability capturing the strongest type of attack models where the adversary has access to the qPUF and can query it with his chosen quantum states. In this new model, we demonstrate how quantum learning techniques, such as the universal quantum emulator algorithm of [34], can lead to successful attacks. In doing so we establish several possibility and impossibility results.
• No qPUF provides Quantum Exponential Unforgeability. The presented attack is the correct analogue of the brute-force attack for classical PUFs.
• No qPUF provides Quantum Existential Unforgeability. We show how the universal quantum emulator algorithm (which is polynomial in the size of the qPUF's dimension) can break this security property of any qPUF.
• Any qPUF provides Quantum Selective Unforgeability. In other words, no QPT adversary can, on average, generate the response of a qPUF to random challenges.

Footnote 1: Recently SAMSUNG announced that in their new processor Exynos 9820 they have integrated SRAM based PUF to store and manage personal data in perfect isolation. Also, a UK company, Quantum Base, has started to mass-produce its patented optical quantum PUFs.

Other Related Works
The concept of Physical Unclonable Functions was first introduced by Pappu et al. [41] in 2001, devising the first implementation of an Optical PUF. Optical PUFs were subsequently improved as to generating an independent number of CRPs [35]. Several structures of Physical Unclonable Functions were further introduced including Arbiter PUFs [20], Ring-Oscillator based PUFs [49,16] and SRAM PUFs [24]. For a comprehensive overview of existing PUF structures, we refer the reader to [32,25]. Recently, the concept of "quantum read-out of PUF (QR-PUF)" was introduced in [45] to exploit the no-cloning feature of quantum states to potentially solve the spoofing problem in the remote device identification. The QR-PUF-based identification protocol has been implemented in [22]. In addition to the security analysis of this protocol against intercept-resend attack in [45], its security has also been analysed against other special types of attacks targeting extracting information from an unknown challenge state [47,53]. In another work, [39], the continuous variable encoding is exploited to implement another practical QR-PUF based identification protocol. The security of this protocol has also been analysed only against an attacker who aims to efficiently estimate or clone an unknown challenge quantum state [38,18]. Moreover, some other applications of QR-PUFs have been introduced in [48] and [51].
In another independent recent work, Gianfelici et al. have presented a common theoretical framework for both cPUFs and QR-PUFs [21]. They quantitatively characterize the PUF properties, particularly robustness and unclonability. They also introduce a generic PUF-based identification scheme and parameterize its security based on the values obtained from the experimental implementation of PUF.

Quantum Emulation Algorithm
In this section, we describe the Quantum Emulation (QE) algorithm presented in [34] as a quantum process learning tool that can outperform the existing approaches based on quantum tomography [14]. The main idea behind quantum emulation comes from the question on the possibility of emulating the action of an unknown unitary transformation on an unknown input quantum state by having some of the input-output samples of the unitary. An emulator is not trying to completely recreate the transformation or simulate the same dynamics. Instead, it outputs the action of the transformation on a quantum state. The original algorithm was developed and proposed in the context of quantum process tomography, thus the analysis did not consider any adversarial behaviour. For our cryptanalysis purposes, we need to provide a new fidelity analysis for challenges not fully lying within the subspace of the learning phase. We further optimise the success probability of our attack by optimising the choice of the reference state.

The Circuit and Description
The circuit of the quantum emulation algorithm is depicted in Figure 1 (also in [34]) and works as follows: Let $U$ be a unitary transformation on a $D$-dimensional Hilbert space $\mathcal{H}^D$, $S_{in} = \{|\phi_i\rangle;\ i = 1, ..., K\}$ be a sample of input states and $S_{out} = \{|\phi_i^{out}\rangle;\ i = 1, ..., K\}$ the set of corresponding outputs, i.e. $|\phi_i^{out}\rangle = U|\phi_i\rangle$. Also, let $d$ be the dimension of the Hilbert space $\mathcal{H}^d$ spanned by $S_{in}$, and $|\psi\rangle$ a challenge state. The goal of the algorithm is to find the output of $U$ on $|\psi\rangle$, that is $U|\psi\rangle$.
Figure 1: The circuit of the quantum emulation algorithm. $|\phi_r\rangle$ is the reference state and $|\phi_r^{out}\rangle$ is the output of the reference state. $R(*)$ gates are controlled-reflection gates. In each block of Step 1, a reflection around the reference and another sample state is being performed.
The main building blocks of the algorithm are controlled-reflection gates described as: A controlled-reflection gate acts as the identity ($I$) if the control qubit is $|0\rangle$, and as $R(\phi) = e^{i\pi|\phi\rangle\langle\phi|} = I - 2|\phi\rangle\langle\phi|$ if the control qubit is $|1\rangle$. The circuit also uses Hadamard and SWAP gates and consists of four stages.
Stage 1. $K$ sample states and a specific number of ancillary qubits are chosen and used through the algorithm. We assume the algorithm uses all of the states in $S_{in}$. The ancillary systems are all qubits prepared at $|-\rangle$. Let $|\phi_r\rangle \in S_{in}$ be considered as the reference state. This state can be chosen at random or according to a special distribution. The first step consists of $K - 1$ blocks, wherein each block the following gates run on the state of the system and an ancilla: In each block represented by equation (2), a controlled-reflection around the reference state $|\phi_r\rangle$ is performed on $|\psi\rangle$ with the control qubit being on the $|-\rangle$ ancillary state. Then a Hadamard gate ($H$) runs on the ancilla followed by another controlled-reflection around the sample state $|\phi_i\rangle$. This is repeated for each of the $K$ states in $S_{in}$ such that the input state is being entangled with the ancillas and also it is being projected into the subspace $\mathcal{H}^d$ in a way that the information of $|\psi\rangle$ is encoded in the coefficients of the general entangled state. This information is the overlap of $|\psi\rangle$ with all the sample inputs. By reflecting around the reference state in each block, the main state is pushed to $|\phi_r\rangle$ and the probability of finding the system at the reference state increases. The overall state of the circuit after Stage 1 is: where $|\Omega(anc)\rangle$ is the entangled state of $K$ ancillary qubits. The approximation comes from the fact that the state is not only projected on the reference quantum state but it is also projected on other sample quantum states with some probability. We present a more precise formula in the next subsection.
Stage 2. In this stage, first a reflection around $|\phi_r\rangle$ is performed and after applying a Hadamard gate on an extra ancilla, that ancilla is measured in the computational basis $\{|0\rangle, |1\rangle\}$. Based on the output of the measurement, one can decide whether the first step was successful (i.e. the output of the measurement is 0) or not. If the first step is successful, the main state has been pushed to the reference state. In this case, the algorithm proceeds with Stage 3. If the output is 1, the projection was unsuccessful and the input state remains almost unchanged. In this case, either the algorithm aborts or it goes back to the first stage and picks a new state as the reference. This stage has a post-selection role which can be skipped to output a mixed state of two possible outputs.
Stage 3. The main state is swapped with $|\phi_r^{out}\rangle = U|\phi_r\rangle$, that is the output of the reference state. This is done by means of a SWAP gate. At this point, the overall state of the system is:
$(SWAP \otimes I^{\otimes K})\,|\phi_r^{out}\rangle|\phi_r\rangle|\Omega(anc)\rangle = |\phi_r\rangle|\phi_r^{out}\rangle|\Omega(anc)\rangle$.
By tracing out the first qubit, the state of the system becomes $|\phi_r^{out}\rangle|\Omega(anc)\rangle$.
Stage 4. The last stage is very similar to the first one except that all blocks are run in reverse order and the reflection gates are made from the corresponding output quantum states. The action of Stage 4 is equivalent to: After repeating this gate for all the output samples, $U$ is applied to the projected components of $|\psi\rangle$ and, by restoring the information of $|\psi\rangle$ from the ancilla, the input state approaches $U|\psi\rangle$. The overall output state of the circuit at the end of this stage is: where equality is obtained whenever the success probability of Stage 2 is equal to 1.

Output fidelity analysis
We are interested in the fidelity of the output state $|\psi_{QE}\rangle$ of the algorithm and the intended output $U|\psi\rangle$ to estimate the success. In the original paper, the fidelity analysis is first provided for ideal controlled-reflection gates and later a protocol is presented to implement them efficiently. In this paper, as we are more interested in the theoretical bounds for the fidelity, all the gates including the controlled-reflection gates are assumed to be ideal keeping in mind that the implementation is possible [34,31]. We recall the main theorem of [34]:
Theorem 1 [34] Let $\mathcal{E}_U$ be the quantum channel that describes the overall effect of the algorithm presented above. Then for any input state $\rho$, the Uhlmann fidelity of $\mathcal{E}_U(\rho)$ and the desired state $U\rho U^\dagger$ satisfies: where $\rho_{QE} = |\psi_{QE}\rangle\langle\psi_{QE}|$ is the main output state (tracing out the ancillas) when the post-selection in Stage 2 has been performed. $\mathcal{E}_U(\rho)$ is the output of the whole circuit without the post-selection measurement in Stage 2 and $P_{succ-stage1}$ is the success probability of Stage 1.
For the purpose of this paper, we need a more precise and concrete expression for the output fidelity not covered in [34]. From the proof of Theorem 1 in [34], it can be seen that the success probability of Stage 1 is calculated as follows: where $|\chi_f\rangle$ is the final state of the circuit after Stage 1 and $Tr_{anc}(\cdot)$ computes the reduced density matrix by tracing out the ancillas. The overlap of the resulting state and the reference state equals the success probability of Stage 1. Now relying on Theorem 1, we only use equation (8) for our analysis henceforward. The fidelity of the output state of the circuit highly depends on the choice of the reference state (equation (8)) such that it may increase or decrease the success probability of the adversary in different security models as we will discuss in Section 3. We establish the following recursive relation for the state of the circuit after the $i$-th block of Stage 1, in terms of the previous state: Now by using this relation, we can prove the following theorem. The proof can be found in Appendix B.
Theorem 2 Let $|\chi_K\rangle$ be the output state of the $K$-th block of the circuit (Figure 1). Let $|\psi\rangle$ be the input state of the circuit, $|\phi_r\rangle$ the reference state and $|\phi_i\rangle$ other sample states. We have: where $l_{ij}$, $x_{ij}$, $y_{ij}$, $z_{ij}$, $l_{ij}$, $x_{ij}$, $y_{ij}$ and $z_{ij}$ are integer values indicating the power of the terms of the coefficient. Note that $f_{ij}$ and $g_{ij}$ can be 0, 1 or -1 and $q_{anc}(i, j)$ and $q_{anc}(i, j)$ output a computational basis of $K$ qubits (other than $|0\rangle^{\otimes K}$).
Having a precise expression for $|\chi_f\rangle$ from Theorem 2, one can calculate $P_{succ-step1}$ of equation (8) by tracing out all the ancillary systems from the density matrix of $|\chi_f\rangle\langle\chi_f|$. Also, now it is clear that if $|\psi\rangle$ is orthogonal to $\mathcal{H}^d$, the only term remaining in equation (10) is $|\psi\rangle|1\rangle^{\otimes K}$. So, the input state remains unchanged after the first stage and $P_{succ-step1} = 0$.
For states projected in the subspace spanned by S in , the overall channel describing the quantum emulation algorithm has always a fixed point inside the subspace [34]. Hence, Stage 1 is successful with probability close to 1 by assuming the gates to be ideal.
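As an added illustration (not code from this paper or from [34]), the following Python simulation applies the Stage 1 blocks as described above to a constructed 4-dimensional example and evaluates the Stage 1 success probability as the overlap of the reduced state with the reference state. The sample states, the challenge states and all function names are assumptions made for the example; one $|-\rangle$ ancilla is used per block.

```python
import math

def inner(a, b):
    """<a|b> for vectors given as Python lists."""
    return sum(complex(x).conjugate() * y for x, y in zip(a, b))

def reflect(phi, v):
    """R(phi) v = (I - 2|phi><phi|) v for a normalised |phi>."""
    c = inner(phi, v)
    return [x - 2 * c * p for x, p in zip(v, phi)]

def stage1_block(branches, phi_r, phi_i):
    """One Stage 1 block acting on the system and a fresh |-> ancilla.

    `branches` maps the bit string of the ancillas used so far to the
    (unnormalised) system vector attached to that ancilla basis state.
    """
    r2 = math.sqrt(2)
    out = {}
    for bits, v in branches.items():
        # |v>|-> = (|v>|0> - |v>|1>)/sqrt(2); controlled-R(phi_r) acts on the |1> part.
        a0 = [x / r2 for x in v]
        a1 = [-x / r2 for x in reflect(phi_r, v)]
        # Hadamard on the ancilla.
        h0 = [(x + y) / r2 for x, y in zip(a0, a1)]
        h1 = [(x - y) / r2 for x, y in zip(a0, a1)]
        # Controlled-R(phi_i) acts on the |1> part only.
        out[bits + "0"] = h0
        out[bits + "1"] = reflect(phi_i, h1)
    return out

def stage1(psi, phi_r, samples):
    """Run one block per non-reference sample state, starting from |psi>."""
    branches = {"": list(psi)}
    for phi_i in samples:
        branches = stage1_block(branches, phi_r, phi_i)
    return branches

def p_succ_stage1(branches, phi_r):
    """<phi_r| Tr_anc(|chi_f><chi_f|) |phi_r>: overlap of the reduced state with |phi_r>."""
    return sum(abs(inner(phi_r, v)) ** 2 for v in branches.values())

def total_norm(branches):
    """Squared norm of the joint system-ancilla state (1 for a unitary circuit)."""
    return sum(inner(v, v).real for v in branches.values())

# Constructed example: D = 4, learned subspace spanned by e0, e1, e2 (d = 3).
S = 1 / math.sqrt(2)
PHI_R = [1, 0, 0, 0]                      # reference state
SAMPLES = [[S, S, 0, 0], [S, 0, S, 0]]    # the other sample states
CHALLENGES = {
    "reference": [1, 0, 0, 0],    # equal to the reference state
    "in_subspace": [0, 1, 0, 0],  # inside the learned subspace
    "half_outside": [0, S, 0, S], # half of its weight outside the subspace
    "orthogonal": [0, 0, 0, 1],   # orthogonal to the learned subspace
}

def demo():
    """Stage 1 success probability for each constructed challenge."""
    return {name: p_succ_stage1(stage1(psi, PHI_R, SAMPLES), PHI_R)
            for name, psi in CHALLENGES.items()}

if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name:13s} P_succ_stage1 = {p:.3f}")
```

For the orthogonal challenge every branch except the all-ones ancilla string is empty and the system vector is returned unchanged, which is the $|\psi\rangle|1\rangle^{\otimes K}$ case discussed above.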

Quantum Physical Unclonable Functions
We consider a set of quantum devices that have been created through the same manufacturing process. These devices respond with a general quantum state when challenged with a quantum state. Similar to the classical setting (see Appendix A), we formalize the manufacturing process of qPUFs by defining a QGen algorithm: where $id$ is the identifier of $qPUF_{id}$ and $\lambda$ the security parameter.
We also need to define the QEval algorithm mapping any input quantum state $\rho_{in} \in \mathcal{H}^{d_{in}}$ to an output quantum state $\rho_{out} \in \mathcal{H}^{d_{out}}$, where $\mathcal{H}^{d_{in}}$ and $\mathcal{H}^{d_{out}}$ are the domain and range Hilbert spaces of $qPUF_{id}$, denoted as: For now, we allow for the most general form of trace-preserving quantum maps, i.e. CPT maps for QEval. So, we have:
Apart from these common algorithms (that are analogous to the classical setting), we also require qPUFs to include an efficient test algorithm $T$, as we will formally define in Definition 4, to test the equality between two unknown quantum states. We will also need the concept of quantum state distinguishability, which can be defined with different quantum distance measures such as trace distance or fidelity. Here we use the fidelity-based definition as follows: Let $F(\cdot, \cdot)$ denote the fidelity, and $\mu$ and $\nu$ the distinguishability and indistinguishability threshold parameters respectively such that $0 \le \mu, \nu \le 1$. We say two quantum states $\rho$ and $\sigma$ are $\mu$-distinguishable if $0 \le F(\rho, \sigma) \le 1 - \mu$ and $\nu$-indistinguishable if $\nu \le F(\rho, \sigma) \le 1$. Finally, we can define a Quantum Physical Unclonable Function as follows.
Definition 1 (Quantum Physical Unclonable Function) Let $\lambda$ be the security parameter, and $\delta_r, \delta_u, \delta_c \in [0, 1]$ the robustness, uniqueness and collision resistance thresholds. A $(\lambda, \delta_r, \delta_u, \delta_c)$-qPUF includes the algorithms: QGen, QEval and $T$ satisfying Requirements 1, 2, and 3 defined below:
Requirement 1 ($\delta_r$-Robustness) For any $qPUF_{id}$ generated through QGen($\lambda$) and evaluated using QEval on any two input states $\rho_{in}$ and $\sigma_{in}$ that are $\delta_r$-indistinguishable, the corresponding output quantum states $\rho_{out}$ and $\sigma_{out}$ are also $\delta_r$-indistinguishable with overwhelming probability,
Requirement 2 ($\delta_u$-Uniqueness) For any two qPUFs generated by the QGen algorithm, i.e. $qPUF_{id_i}$ and $qPUF_{id_j}$, the corresponding CPT map models, i.e. $\Lambda_{id_i}$ and $\Lambda_{id_j}$, are $\delta_u$-distinguishable with overwhelming probability,
Requirement 3 ($\delta_c$-Collision-Resistance (Strong)) For any $qPUF_{id}$ generated by QGen($\lambda$) and evaluated by QEval on any two input states $\rho_{in}$ and $\sigma_{in}$ that are $\delta_c$-distinguishable, the corresponding output states $\rho_{out}$ and $\sigma_{out}$ are also $\delta_c$-distinguishable with overwhelming probability, (footnote 3)
In qPUF-based applications such as device authentication (or identification), it is necessary that there be a clear distinction between different qPUF instances generated by the same QGen algorithm running on the same parameters $\lambda$ [3]. To this end, the following conditions should be satisfied: $\delta_c \le 1 - \delta_r$ and $\delta_u \le 1 - \delta_r$. So, we can drop $\delta_u$ and $\delta_c$ from the notation and characterize the qPUF as $(\lambda, \delta_r)$-qPUF.
We also need to mention that the $\delta_r$ and $\delta_c$ parameters can allow for some specific noise models for each PUF device. More specifically, the collision resistance parameter, i.e. $\delta_c$ or the ratio $\delta_c^o/\delta_c^i$, is directly related to the channel parameters of the qPUF evaluation. However, as collision-resistance is an important requirement for achieving a secure PUF, we choose, similar to classical PUFs, strong collision-resistance as the main requirement for the quantum PUF. We specify that the strong collision-resistance parameter can allow for noisy PUF evaluation under the coherent noise models. Such noise models preserve distances between the input and output states of the qPUF and this property makes them suitable candidates for quantum PUF. Also, it has been shown in [23] that a general noise can be modelled as a combination of coherent and incoherent noises. Hence only the class of noise models with an almost close to zero incoherent factor can be considered to satisfy the $\delta_c$ (strong) collision resistance. Hence for the rest of this work, aiming to formalise the first general security framework, we consider a noiseless setting and leave further investigation that would be linked to particular constructions to future works.
We have initially allowed for any CPT map as QEval algorithm. Now, we let the QEval algorithm be a CPT map with the same dimension of domain and range Hilbert space, i.e. $d_{in} = d_{out}$. We show that under this assumption, only unitary transformations and CPT maps that are negligibly close to unitary can simultaneously provide the (strong) collision-resistance and robustness requirements of qPUFs.
Theorem 3 Let $\mathcal{E}(\rho)$ be a completely positive and trace-preserving (CPT) map described as follows: where $U$ is a unitary transformation, $\tilde{\mathcal{E}}$ is an arbitrary (non-negligibly) contractive channel and 0 ≤ ≤ 1. Then $\mathcal{E}(\rho)$ is a $(\lambda, \delta_r, \delta_c)$-qPUF for any $\lambda$, $\delta_r$, and $\delta_c$ and with the same dimension of domain and range Hilbert space, if and only if = negl(λ).
Proof: First, we note that the contractive property of trace-preserving operations [37] states that CPT maps on the same Hilbert space can only preserve or decrease distances, thus we have: Thus the robustness is generally satisfied. As a result, the proof of the theorem reduces to proving collision-resistance. Let $\rho$ and $\sigma$ be two $\delta_c$-distinguishable challenges with fidelity $F(\rho, \sigma) \le 1 - \delta_c$. Again with the above argument the fidelity of the outputs cannot be smaller than $F(\rho, \sigma)$. Thus the $\delta_c$ requirement is satisfied if the fidelities of the response density matrices are equal up to a negligible value. Now let $\rho_1 = U\rho U^\dagger$, $\sigma_1 = U\sigma U^\dagger$, $\rho_2 = \tilde{\mathcal{E}}(\rho)$, and $\sigma_2 = \tilde{\mathcal{E}}(\sigma)$. We use the joint concavity of the fidelity [37] to obtain the following relation for the channel's output fidelity: Since the first part of the channel is unitary, which is distance preserving, we have $F(\rho_1, \sigma_1) = F(\rho, \sigma)$. Also due to the contractive property of trace-preserving operations we know that Now since the channel $\tilde{\mathcal{E}}$ is non-negligibly contractive, the value $F(\rho_2, \sigma_2) - F(\rho, \sigma)$ is not necessarily negligible and in order for the LHS of Equation 19 to be always negligible, has to be negligible. So we have proved that CPT maps of the form of Equation 17 can be $\delta_c$ collision resistant qPUFs only if = negl(λ).

Footnote 3: A weaker variant of Collision-Resistance, with separate input/output bounds, can also be defined in a similar fashion where the responses generated by QEval on any two $\delta_c^i$-distinguishable input states $\rho_{in}$ and $\sigma_{in}$ should be at least $\delta_c^o$-distinguishable. In fact, if $\delta_c^i = \delta_c^o = \delta_c$ we call the requirement a strong collision-resistance. Note that this equality holds up to a negligible value in the security parameter, i.e. if $\delta_c^i = \delta_c^o \pm negl(\lambda)$, the strong collision-resistance requirement has still been satisfied. If $\delta_c^o < \delta_c^i$ (the difference is non-negligible) then this is referred to as weak collision-resistance.
Now we show that all channels of the form of Equation 17 where is negligible satisfy the strong collision resistance property up to a negligible value. To show that we use the relation between fidelity and trace distance, which we denote as $D_{tr}$, which is $D_{tr}(\rho, \sigma) \le 1 - F(\rho, \sigma)$. We use this inequality to relate the distance between the states $\mathcal{E}(\rho)$ and $\mathcal{E}(\sigma)$ and the original distance between $\rho$ and $\sigma$ and we subtract both sides to get the following inequality: In Appendix C, Lemma 2 we show that the difference between the trace distance of the input and output for channels described as Equation 17 is bounded by $D_{tr}(\rho, \sigma)$. Thus we have: Now since = negl(λ) and $0 \le D_{tr}(\rho, \sigma) \le 1$, we can conclude that the difference between the fidelity is also negligible and hence the $\delta_c$ collision-resistance is satisfied up to a negligible value, and the proof is complete.
The above theorem shows that only unitary or more generally, -disturbed unitary maps where is small, are suitable candidates for qPUF, especially when strong collision resistance is required. Thus, in the rest of the paper, we choose the QEval algorithm to be a unitary map, and also for simplicity, we establish some of our theorems with pure quantum states, noting that considering the mixed states would not affect the main results. We call this type of qPUFs Unitary qPUFs (or simply UqPUFs) and formally define them in Definition 3. Nevertheless, we believe studying more general non-unitary qPUFs will be an interesting future research direction in this field.
Moreover, we require UqPUF transformations to be initially unknown (or exponentially hard to recover) as we will formally define in Definition 2. This is a hardware assumption that is also considered in the classical setting where the PUF behaviour is unknown even for the manufacturer [42]. Although from a construction point of view this may not seem an easily achievable requirement, from a practical point of view this assumption is reasonable considering limited fabrication capabilities or the fact that simulating the same unitary on a quantum computer is not technologically easy due to noise or accumulated errors in each gate, even when the structure of the unitary is known. Moreover, there are promising constructions such as the family of optical schemes implemented using crystals or optical scattering media [39], where usually even the manufacturer does not know the underlying unitary unless querying it. On the other hand, in gate-based constructions, one cannot avoid the fact that the manufacturer knows the underlying unitary. Hence this type of construction cannot provide security against an adversarial manufacturer. Nevertheless, if predicting the evolution of a quantum state is difficult, this is enough for security under the usual PUF assumptions. Hence such devices are still useful and practical for many applications as they can still provide security against any malicious adversary other than the manufacturer. We also note that from the theoretical point of view, this requirement is a minimal and pre-challenge requirement that can be achieved by sampling a family of unitaries indistinguishable from the Haar family of unitary transformations in single-shot, and we believe there are efficient ways to do this sampling [13,1]. Finally, our framework and results cover both adversarial models where the manufacturer could be trusted or not.

Definition 2 (Unknown Unitary Transformation)
A family of unitary transformations $U^u$ over a $D$-dimensional Hilbert space $\mathcal{H}^D$ is called Unknown Unitaries if for all QPT adversaries $A$ the probability of estimating the output of $U^u$ on any randomly picked state $|\psi\rangle \in \mathcal{H}^D$ is at most negligibly higher than the probability of estimating the output of a Haar random unitary operator on that state: where $\mu$ denotes the Haar measure and the average probability has been taken over all the states $|\psi\rangle$.
Note that UqPUFs also satisfy a natural notion of unclonability, known as no-cloning of unitary transformation [12], which states that two black-box unitary transformations $O_1$ and $O_2$ cannot be perfectly cloned by a single-use apart from the trivial cases of perfect distinguishability or when $O_1 = O_2$. Thus, two UqPUFs, as long as they correspond to different unitaries, which is satisfied by the uniqueness requirement, are unclonable by quantum mechanics through a single-use. In the following section, we then show how this unclonability property can be extended to the case where the transformation has been used multiple times by formally introducing the notion of unforgeability. Thus, we define the unitary qPUFs as follows.
As a result of the distance-preserving property of UqPUFs, we drop $\delta_r$ from the notation and simply characterise UqPUFs as $\lambda$-UqPUFs.

Security notion for qPUFs
The security of most PUF-based applications such as PUF-based identification protocols relies on the unforgeability of PUFs [3]. Informally, unforgeability means that given a subset of challenge-response pairs of the target PUF, the probability of correctly guessing a new challenge-response pair shall be negligible in terms of the security parameter. In this section, we formally define this security notion for qPUFs in a game-based framework which is a standard framework for defining security of cryptographic primitives and analysing their security [3,5,15].
Accordingly, we define unforgeability as a game between an adversary who represents the malicious party and a challenger who plays the role of the honest party. The game is run in four steps: Setup, Learning, Challenge and Guess.
In the setup phase, the necessary public and private parameters and functions are shared between the adversary and the challenger.
The learning phase models the amount of knowledge that the adversary can get from the challenger. Similar to [3], we consider chosen-input attacks modelling an adversary that has access to the qPUF and can query it with his own chosen inputs from the domain Hilbert space. Because of the quantum nature of the adversary's queries, the adversary has to prepare two copies of each query, keep one in his database and send the other one to the challenger.
The challenge phase captures the intended security notion. We consider here two types of challenge phase: Existential and Selective. In an existential challenge phase, the adversary chooses the challenge state while in a selective one, the challenge state is chosen by the challenger. We characterize a "new" existential challenge by requiring the adversary to choose a state that is µ-distinguishable from all the input queries in the learning phase. In the selective case, to ensure the adversary has no knowledge about the challenge, we require the challenger to choose the challenge uniformly at random from the domain Hilbert space.
Finally, in the guess phase, the adversary outputs his guess of the response corresponding to the challenge chosen in the challenge phase. The challenger checks the equality between the adversary's guess and the correct response with a test algorithm. The adversary wins the game if the output of the test algorithm is 1. Due to the impossibility of perfectly distinguishing all quantum states, checking equality of two completely unknown states is a non-trivial task. This is one of the major differences between classical and quantum PUFs. Nevertheless, a probabilistic comparison of unknown quantum states can be achieved through the simple quantum SWAP test algorithm [8], and its generalisation to multiple copies introduced recently in [10]. Here we abstract from specific tests and define necessary conditions for a general quantum test.
Definition 4 (Quantum Testing Algorithm) Let $\rho^{\otimes\kappa_1}$ and $\sigma^{\otimes\kappa_2}$ be $\kappa_1$ and $\kappa_2$ copies of two quantum states $\rho$ and $\sigma$, respectively. A Quantum Testing algorithm $T$ is a quantum algorithm that takes as input the tuple $(\rho^{\otimes\kappa_1}, \sigma^{\otimes\kappa_2})$ and accepts $\rho$ and $\sigma$ as equal (outputs 1) with the following probability where $F(\rho, \sigma)$ is the fidelity of the two states and $f(\kappa_1, \kappa_2, F(\rho, \sigma))$ satisfies the following limits: with $Err(\kappa_1, \kappa_2)$ characterising the error of the test algorithm and $F(\rho, \sigma)$ the fidelity of the states.
We also define another abstraction of the test algorithm in an ideal case which later helps us to demonstrate the security of the UqPUF. We formalize the ideal test $T^{ideal}_{\delta}$ as follows: We call a test algorithm according to Definition 4 a $T^{ideal}_{\delta}$ Test Algorithm when for any two states $|\psi\rangle$ and $|\phi\rangle$ the test responds as follows:

Now we are ready to formalize unforgeability through a formal security game.
Game 1 (Formal game-based security of qPUF) Let qPUF = (QGen, QEval, T) and T be defined as Definition 1 and 4, respectively. We define the following game $G^{qPUF}_{c,\mu}(A, \lambda)$ running between an adversary A and a challenger C:

Setup. The challenger C runs QGen(λ) to build an instance of the qPUF family, $qPUF_{id}$. Then, C reveals to the adversary A the domain and range Hilbert spaces of $qPUF_{id}$, respectively denoted by $H_{in}$ and $H_{out}$, as well as the identifier of $qPUF_{id}$, id. The challenger initialises two empty databases, $S_{in}$ and $S_{out}$, and shares them with the adversary A. Also, $H^{d}_{in}$ denotes the adversary's input subspace.

Learning. For i = 1 : k
- A prepares two copies of a quantum state $\rho_i \in H^{d}_{in}$, appends one to $S_{in}$ and sends the other to C;
- C runs QEval($qPUF_{id}$, $\rho_i$) and sends $\rho^{out}_i$ to A;
- A appends $\rho^{out}_i$ to $S_{out}$.

Challenge. (See footnote 4.)
- If c = qEx: A picks a quantum state $\rho^* \in H^{d}_{in}$ at least µ-distinguishable from all the states in $S_{in}$ and sends $\kappa_1$ copies of it to C;
- If c = qSel: C chooses a quantum state $\rho^*$ at random from the uniform distribution over the Hilbert space $H^{d}_{in}$. The challenger keeps $\kappa_1$ copies of $\rho^*$ and sends an extra copy of $\rho^*$ to A.

Guess.
- A sends $\kappa_2$ copies of his guess $\rho'$ to C;
- C runs QEval($qPUF_{id}$, $\rho^*$)$^{\otimes\kappa_1}$ and gets $\rho^{*\otimes\kappa_1}_{out}$;
- C runs the test algorithm $b \leftarrow T(\rho^{*\otimes\kappa_1}_{out}, \rho'^{\otimes\kappa_2})$ where b ∈ {0, 1} and outputs b. The adversary wins the game if b = 1. (See footnote 5.)

Footnote 4: The parameter c specifies the type of the challenge phase.

Footnote 5: Note that all the learning phase queries and the challenges represented with $\rho$, $\rho'$, $|\phi\rangle$, etc. are considered to be any general separable or entangled state of a D-dimensional Hilbert space. Moreover, $\kappa_1$ and $\kappa_2$ are a choice of notation that enables us to include any desired quantum test algorithm according to Definition 4 and are independent of the number of copies that the adversary uses in the learning phase.
Based on the above game, we define three security notions for qPUFs: quantum exponential unforgeability, quantum existential unforgeability and quantum selective unforgeability. The first models unforgeability of qPUFs against exponential adversaries with unlimited access to the qPUF in the learning phase; the second is the most common and strongest type of unforgeability against Quantum Polynomial-Time (QPT) adversaries; the third is a weaker notion of unforgeability that is sufficient for most qPUF-based applications, such as qPUF-based identification protocols.
Definition 6 (Quantum Exponential Unforgeability) A qPUF provides quantum exponential unforgeability if the success probability of any exponential adversary A in winning the

Definition 7 (µ-Quantum Existential Unforgeability) A qPUF provides µ-quantum existential unforgeability if the success probability of any Quantum Polynomial-Time (QPT) adversary A in winning the game G qPUF

Definition 8 (Quantum Selective Unforgeability) A qPUF provides quantum selective unforgeability if the success probability of any Quantum Polynomial-Time (QPT) A in winning the game G qPUF

Security analysis of Unitary qPUFs
Here, we show which security notions defined in Section 4.1 can be achieved by unitary qPUFs (UqPUFs) over a D-dimensional Hilbert space operating on pure quantum states.
In the classical setting, cPUFs can be fully described by the finite set of CRPs, and this suffices for breaking unforgeability. More precisely, an unbounded or exponential adversary can extract the entire set of CRPs by querying the target cPUF with all possible challenges [11]. If the challenges are n-bit strings, the number of possible challenges is $2^n$. However, in the quantum setting, a UqPUF can generate an infinite number of quantum challenge-response pairs such that extracting all of them is hard, even for exponential adversaries. This, combined with limitations imposed by quantum mechanics such as no-cloning [52] and the limits on state estimation [6], raises the question of whether UqPUFs could satisfy unforgeability against exponential adversaries. We now prove that no UqPUF provides quantum exponential unforgeability as defined in Definition 6.
Theorem 4 (No UqPUF provides quantum exponential unforgeability) For any λ-UqPUF and any 0 ≤ µ ≤ 1, there exists an exponential quantum adversary A such that

Proof: The key idea of the proof is based on the complexity analysis of unitary tomography and of the implementation of a general unitary by single and double qubit gates: for an exponential quantum adversary, it is feasible to extract the unitary matrix by tomography and then build the extracted unitary by a general gate decomposition method. By using the Solovay-Kitaev theorem [37], we then show that the adversary can build the unitary matrix of the UqPUF acting on n qubits, within an arbitrarily small distance, using $O(n^2 4^n \log^c(n^2 4^n))$ gates and hence win the game with any test algorithm T.

Let $UqPUF_{id}$ operate on n-qubit input-output pairs where n = log(D). In the learning phase, A selects a complete orthonormal basis of $H^D$, denoted as $\{|b_i\rangle\}_{i=1}^{2^n}$, and queries $UqPUF_{id}$ with each basis state $2^n$ times. So, the total number of queries in the learning phase is $k_1 = 2^{2n}$.
Then, A runs a unitary tomography algorithm to extract the mathematical description of the unknown unitary transformation corresponding to the $UqPUF_{id}$, say $U_{id}$. It has been shown in [37] that the complexity of this algorithm is $O(2^{2n})$ for n-qubit input-output pairs. This is feasible for an exponential adversary. It is clear that once the mathematical description of the unitary is extracted, A can simply calculate the response of the unitary to a known challenge quantum state and win the game $G^{UqPUF}_{qEx,\mu}(\lambda, A)$ for any value of µ. So, we have:

We can also show that the exponential adversary wins even against the weaker notion of security, i.e. quantum selective unforgeability, where he has only one copy of the challenge quantum state. To win the game with the selective challenge phase, the adversary needs to implement the unitary. It is known that any unitary transformation over $H^{2^n}$ requires $O(2^{2n})$ two-level unitary operations or $O(n^2 2^{2n})$ single qubit and CNOT gates [37] to be implemented. However, according to the Solovay-Kitaev theorem [37], to implement a unitary with an accuracy $\epsilon$ using any circuit consisting of m single qubit and CNOT gates, $O(m \log^c(m/\epsilon))$ gates from the discrete set are required, where c is a constant approximately equal to 2. Thus, an arbitrary unitary acting on n qubits can be approximately implemented within an arbitrarily small distance using $O(n^2 4^n \log^c(n^2 4^n))$ gates.
So, A implements the unitary $U'_{id}$ with error $\epsilon$. Let A get the challenge state $|\psi\rangle$ in the qSel Challenge phase. The adversary queries $U'_{id}$ with $|\psi\rangle$ and gets $|\omega\rangle = U'_{id}|\psi\rangle$ as output. Since $\epsilon$ can be arbitrarily small, $F(U'_{id}|\psi\rangle, U_{id}|\psi\rangle) \geq 1 - negl(\lambda)$. So, A's output $|\omega\rangle$ passes any test algorithm $T(|\psi^{out}\rangle^{\otimes\kappa_1}, |\omega\rangle^{\otimes\kappa_2})$ with probability close to 1. Again, an unbounded adversary wins the game $G^{UqPUF}_{qSel,\mu}(\lambda, A)$ with probability 1.

We note that this result is expected, as any qPUF (same as a classical PUF) can, in principle, be simulated with enough computational resources. That is why the reasonable and achievable security model is usually one in which the qPUF is in the hands of the adversary for a limited time or a limited number of queries, as with QPT adversaries. It is also worth mentioning that, from an engineering point of view, limiting the adversary to a certain number of queries on a hardware level can depend on the construction: it might be possible in some qPUF implementations, while it might not be feasible in others. While this is an interesting problem to be considered in qPUF implementations, from a cryptanalysis point of view our security analysis against a quantum adversary who is given polynomial time in the security parameter is independent of the construction.
Exploiting the quantum emulation algorithm introduced in Section 2, we now turn to quantum existential unforgeability, and show that no UqPUF provides quantum existential unforgeability for any µ ≠ 1 as defined in Definition 7. Note that the case µ = 1 corresponds to the existential challenge state being orthogonal to all the queried states in the learning phase. With µ = 1, the adversary is prevented from taking advantage of its quantum access to the qPUF to win the game.

Theorem 5 (No UqPUF provides quantum existential unforgeability) For any λ-UqPUF, and 0 ≤ µ ≤ 1 − non-negl(λ), there exists a QPT adversary A such that

Proof: We show there is a QPT adversary A who wins the game $G^{UqPUF}_{qEx,\mu}(\lambda, A)$ with non-negligible probability in λ. The adversary A runs the learning phase of the game $G^{UqPUF}_{qEx,\mu}(\lambda, A)$ with $|\phi_1\rangle$ and $|\phi_2\rangle$ such that $|\phi_1\rangle$ can be any quantum state in $H^D$ and

Without loss of generality, we assume A chooses one of the computational basis states of $H^D$ as $|\phi_1\rangle$. Then, A chooses a state orthogonal to $|\phi_1\rangle$ as $|\phi_3\rangle$ and sets $|\phi_2\rangle$ to the superposition of these two states. In the existential challenge phase, A sets $|\phi_3\rangle$ as his chosen challenge. Note that $|\phi_3\rangle$ satisfies the µ-distinguishability of the challenge state with both $|\phi_1\rangle$ and $|\phi_2\rangle$. In the guess phase, to estimate the output of the UqPUF for $|\phi_3\rangle$, the adversary A runs the quantum emulation (QE) algorithm defined in Section 2 with the reference state $|\phi_r\rangle = |\phi_2\rangle$.
Relying on Theorem 2, the output state of Stage 1 of the QE algorithm is:

Note that $\langle\phi_1|\phi_3\rangle = 0$, and we set $\langle\phi_2|\phi_3\rangle = \alpha$ and $\langle\phi_2|\phi_1\rangle = \beta$ based on the choice of $|\phi_2\rangle$, so the above equation can be simplified as:

Now, according to Theorem 1, the final fidelity in terms of the success probability of Stage 1 can be obtained by calculating the density matrix of $|\chi_f\rangle$ and tracing out the ancillas:

We have different choices for the reference state depending on the distinguishability parameter µ. For cases where the adversary is allowed to produce a new state with overlap at least one half with all the states in the learning phase, by choosing the uniform superposition of the states where $\alpha = \beta = \frac{1}{\sqrt{2}}$, the output fidelity will be:

where $|\phi'^{out}_3\rangle$ and $|\phi^{out}_3\rangle$ are the outputs of the QE algorithm and the UqPUF for $|\phi_3\rangle$, respectively.

As can be seen, these two states are completely indistinguishable. So, the success probability of A for any test according to Definition 4 is:

which is the optimal choice of the reference. On the other hand, for the cases where the adversary is restricted to produce a challenge more than half distinguishable, we can still create a superposed state with $\alpha = \sqrt{1 - \mu}$ and $\beta = \sqrt{\mu}$ and end up with the following fidelity of the emulation by setting µ = 1 − non-negl(λ)

Recall that the security parameter λ includes the number of copies used in the test algorithm ($\kappa_1$, $\kappa_2$); by increasing them, the probability of accepting will converge to the above fidelity, thus for any $\frac{1}{2} < \mu \leq 1 - \text{non-negl}(\lambda)$:

And the proof is complete.

This theorem implies that the adversary can always generate the correct response to his chosen challenge, provided that he can query it in superposition with other quantum states during the learning phase, in terms of the parameter µ. Note that since the output quantum states in the learning phase are unknown to the adversary, the more straightforward strategy of superposing the learnt output quantum states cannot be efficiently performed. More precisely, the adversary cannot prepare the precise target superposition of output states that are completely unknown [40,17]. Hence the proposed attack is general but non-trivial.

We now further relax the level of security and consider quantum selective unforgeability. We show that any UqPUF can provide this weaker notion of security. Note that in most PUF-based applications, such as PUF-based identification protocols, selective unforgeability is sufficient.
We need the following lemma to prove the quantum selective unforgeability feature of UqPUFs. The lemma gives the average probability of any state in $H^D$ being projected into a subspace $H^d$ where d ≤ D. Based on this lemma, we calculate the probability of a state chosen uniformly at random from $H^D$ being projected into the orthogonal subspace of the adversary's database, where the quantum emulation or similar attacks do not work.
Proof: The proof is mainly based on the symmetry of the Hilbert space and the fact that the probability of falling into each subspace is equal for any state uniformly picked at random. Note that any state $|\psi\rangle \in H^D$ can be written in terms of the orthonormal bases of $H^D$, denoted by $|b_i\rangle$, as follows:

where $\alpha_i$ are complex coefficients. A projection into a smaller subspace consists of choosing d bases of $H^D$ in the form of $\sum_{j=0}^{d-1} |b_j\rangle\langle b_j|$. Without loss of generality, we can assume D = md where m is an integer. This assumption is always correct for qubit spaces. This means that the larger Hilbert space can be divided into m smaller subspaces, each with dimension d. Let $\{|e_i\rangle\}_{i=0}^{d-1}$ be a subset of $H^D$ which makes a complete set of bases for one of the d-dimensional subspaces. A projector projects $|\psi\rangle$ into one of the subspaces. As $|\psi\rangle$ has been picked at random and the subspaces are symmetric, the probability of falling into each subspace is the same and equal to $\frac{1}{m}$, which is $\frac{d}{D}$. Otherwise either the sum of all probabilities would not be 1 or $|\psi\rangle$ has not been picked uniformly at random from $H^D$. This shows that on average the probability of projecting a state $|\psi\rangle$ is $\frac{d}{D}$.

This can also be seen by the fact that the sum of all projectors in a complete set of projectors is equal to one. In this case, we have

By sandwiching $|\psi\rangle$ on both sides we have:

where the $|d_{ij}\rangle$ are the bases associated to the subspace that the projector $\Pi_i$ projects into. This corresponds to all the permutations of d of the coefficients $|\alpha_i|^2$, which will be $\frac{1}{d}$ on average. Since we have $\sum_{i=0}^{D-1} \frac{Pr_{\Pi_i}}{d} = 1$, we can conclude that the average probability $Pr_{\Pi}$ for all the projectors will be $\frac{d}{D}$ and the proof is complete.
To establish our possibility result, we first present a preliminary theorem which demonstrates the security of the UqPUF considering an ideal test algorithm which asymptotically satisfies the notion of distance as defined in Definition 5.
Theorem 6 For any unitary qPUF characterised by UqPUF = (QGen, QEval, $T^{ideal}_{\delta}$), and any non-zero δ, the success probability of any QPT adversary A in the game $G^{UqPUF}_{qSel}(\lambda, A)$ is bounded as follows:

where D is the dimension of the Hilbert space that the challenge quantum state is picked from, and 0 ≤ d ≤ D − 1 is the dimension of the largest subspace of $H^D$ that the adversary can span in the learning phase of $G^{UqPUF}_{qSel}(\lambda, A)$.

Proof (Sketch):
The complete proof can be found in Appendix D; here we only sketch the main idea. We are interested in the average success probability of the adversary running the game $G^{UqPUF}_{qSel}(\lambda, A)$. Let the subspace spanned by the learnt queries be a d-dimensional subspace of $H^D$ denoted by $H^d$. We calculate the average fidelity of the adversary's estimated output state $|\omega\rangle$ and the correct output $|\psi^{out}\rangle$, over all choices of the qSel challenge state $|\psi\rangle$. We require this fidelity to be greater than a value δ imposed by the $T^{ideal}_{\delta}$:

Note that because of the quantum nature of queries in the learning phase and the limited number of queries that the QPT adversary A can make, A might not have the classical description of the responses to his queries. So, we let A′ be another QPT adversary who has full knowledge of $H^d$. It is obvious that the success probability of A′ would be higher than the success probability of A due to the extra knowledge that A′ has. So, we have

In the rest of the proof, we calculate the success probability of A′, which is an upper bound for the success probability of A. We write this probability in terms of its partial probabilities for the states orthogonal to $H^d$ and the rest of the space: (48)

The probability of projection into the orthogonal subspace and the conjugate subspace can be obtained by calling Lemma 1:

We also assume there exists a QPT algorithm whose average probability, over all the states not in the orthogonal subspace, of estimating their outputs with F ≥ δ is 1, i.e. P r

Thus, the only remaining term to calculate is the probability that the average fidelity be greater than δ in the orthogonal subspace, i.e. P r

We show in Appendix D that since the qSel challenge is chosen uniformly at random from $H^D$, the best attack strategy to achieve the desired fidelity is choosing the output state uniformly at random from $H^D$.

Then, we calculate the average fidelity according to the Haar measure and show the average probability for non-zero fidelity is bounded by:

So, for non-zero δ we also have,

As a result, the success probability of A is bounded by

And the theorem is proved.
Theorem 7 (Any UqPUF provides quantum selective unforgeability) Let the test algorithm T be defined according to Definition 4 and satisfy the condition $Err(\kappa_1, \kappa_2) = negl(\kappa_1, \kappa_2)$. Then, for any UqPUF = (QGen, QEval, T) and any QPT adversary, we have:

Proof: Let $|\psi\rangle$ be the quantum state chosen by the challenger in the selective challenge phase. Also, let $|\psi^{out}\rangle$ and $|\omega\rangle$ be the output of the UqPUF and of the adversary A for $|\psi\rangle$, respectively. Note that the success probability of A in the game $G^{UqPUF}_{qSel}(\lambda, A)$ is equal to the probability of the test algorithm outputting 1:

We denote $Pr[1 \leftarrow T(|\omega\rangle^{\otimes\kappa_1}, |\psi^{out}\rangle^{\otimes\kappa_2})]$ by $Pr[1 \leftarrow T]$ for simplicity. To calculate this probability, we consider two independent cases that lead T to output 1. We let δ be the threshold for $F(|\omega\rangle, |\psi^{out}\rangle)$ that helps us to write $Pr[1 \leftarrow T]$ as the sum of two terms, i.e. the probability of T outputting 1 while F ≥ δ and the probability of T outputting 1 while F < δ:

Let δ = negl(λ), hence we have

and then from Theorem 6, it can be concluded that

where d is the dimension of the subspace spanned by the learnt queries and D is the dimension of the Hilbert space that the UqPUF is defined over. Thus, $D = 2^n$ where n is the number of qubits in each input/output state. Since the adversary is a QPT adversary, the number of learnt queries, and as a result the value of d, should be polynomial in n, i.e. d = poly(n). Also, according to Definition 4, we have,

And,

Considering the equality cases and due to the fact that P r[F < negl(λ)]

Recall that $Err(\kappa_1, \kappa_2) = negl(\kappa_1, \kappa_2)$, d = poly(n) and $D = 2^n$, and hence $\frac{d+1}{D} = negl(n)$, and the probability that the test algorithm outputs 1 is computed as

Let $\lambda = f(\kappa_1, \kappa_2, n)$, therefore we have

and the proof is complete.
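The d/D scaling behind Lemma 1 and Theorems 6 and 7 can be checked numerically. The following Python simulation is an added example, not code from the paper: it plays the qSel game against a toy UqPUF (a random D-dimensional unitary) with an idealised adversary that knows the unitary only on a d-dimensional subspace, and it uses κ independent SWAP tests, each accepting with probability (1 + F)/2, as one concrete test. All function names, the choice of test and the adversary strategy are assumptions of the example.

```python
import math
import random


def inner(a, b):
    """<a|b> for state vectors stored as lists of complex amplitudes."""
    return sum(x.conjugate() * y for x, y in zip(a, b))


def normalise(v):
    n = math.sqrt(sum(abs(x) ** 2 for x in v))
    if n == 0:
        raise ValueError("zero vector cannot be normalised")
    return [x / n for x in v]


def haar_state(D, rng):
    """Uniformly random pure state in dimension D (normalised complex Gaussian)."""
    return normalise([complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(D)])


def random_unitary(D, rng):
    """Toy QGen: D orthonormal columns built by Gram-Schmidt; U[j] is U|j>."""
    cols = []
    for _ in range(D):
        v = haar_state(D, rng)
        for c in cols:
            k = inner(c, v)
            v = [x - k * y for x, y in zip(v, c)]
        cols.append(normalise(v))
    return cols


def qeval(U, psi):
    """Toy QEval: the response U|psi>."""
    D = len(psi)
    return [sum(psi[j] * U[j][i] for j in range(D)) for i in range(D)]


def adversary_guess(U_known, psi, d):
    """Idealised adversary (assumption): it knows U only on span{|0>..|d-1>} and
    answers with U applied to the projection of the challenge onto that subspace.
    The simulation hands it the challenge amplitudes, which a real single-copy
    adversary would not have."""
    D = len(psi)
    return normalise([sum(psi[j] * U_known[j][i] for j in range(d)) for i in range(D)])


def fidelity(a, b):
    return abs(inner(a, b)) ** 2


def swap_test_accept(F, kappa):
    """Probability that kappa independent SWAP tests all accept (assumed test)."""
    return ((1 + F) / 2) ** kappa


def play_qsel(D, d, kappa, trials, seed):
    """Average fidelity and average acceptance probability over random challenges."""
    rng = random.Random(seed)
    U = random_unitary(D, rng)
    known = U[:d]                      # the part of the map the adversary learnt
    fid_sum = win_sum = 0.0
    for _ in range(trials):
        psi = haar_state(D, rng)       # selective challenge, uniform over H^D
        F = fidelity(qeval(U, psi), adversary_guess(known, psi, d))
        fid_sum += F
        win_sum += swap_test_accept(F, kappa)
    return fid_sum / trials, win_sum / trials


if __name__ == "__main__":
    d, kappa = 4, 8
    print("n   D    d/D      mean F   Pr[accept]")
    for n in (3, 4, 5, 6):
        D = 2 ** n
        mean_f, win = play_qsel(D, d, kappa, trials=500, seed=n)
        print(f"{n}  {D:3d}  {d / D:.4f}  {mean_f:.4f}  {win:.4f}")
```

With d fixed, the mean fidelity tracks d/D and the acceptance probability falls towards the test's own error floor of 2^-κ as the number of qubits grows.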

Discussion and Future works
In this section, we briefly discuss the relationship between our proposal and other types of PUFs, as well as the open questions and direction for future works.
Here, we briefly discuss how requirements and security properties defined for cPUFs and QR-PUFs [45,46] in the literature differ from or relate to what we have defined as qPUF in this paper while leaving a concrete comparison between various PUF instances for future studies.
Most of the available PUF structures use digital encoding as their inputs and outputs so that they can easily be integrated with other functionalities in Integrated Circuits (ICs). This means their input-output pairs are bit-strings. As we can encode the bit strings in computational bases of the Hilbert space, the cPUFs can be considered as special types of Unitary qPUFs (UqPUFs) that can only operate on the computational bases, i.e. map the computational bases in their input domain to other computational bases in their output range. So, our result stating that no UqPUF provides quantum existential unforgeability also shows that no cPUF, assuming that it can be queried by quantum states, can provide this security notion for µ ≠ 1.
According to [3], if a cPUF provides the min-entropy requirement (which imposes that the cPUF responses are linearly independent) then it can provide existential unforgeability [3] against classical adversaries with no quantum access to the cPUF. However, this requirement cannot be satisfied with most of the common cPUF structures, as shown in [19,44,43,28]. Instead of the min-entropy requirement, which seems hard or impossible to achieve, we only consider the basic assumption on PUFs that lets the behaviour of the PUF be unknown to anyone [42]; and instead of the existential unforgeability property, which seems impossible to achieve for both cPUFs and qPUFs, we consider the selective unforgeability property, which is a weaker, yet more relevant, notion than the existential one.
To the best of our knowledge, there is no study on quantum security of cPUFs in the literature. We emphasise that, given the speedy progress in quantum technology, the investigation of the security of cPUFs against quantum adversaries is crucial. The security of silicon cPUFs and the other types of cPUFs that cannot be queried by quantum states can be explored in the post-quantum (or standard) security model, where the quantum adversary has only classical interaction with the primitive while being equipped with a powerful quantum computer. However, for the other types of cPUF structures, like optical PUFs, that can naturally be queried with quantum states, the security of cPUFs needs to be analysed in the quantum security model, where the adversary, in addition to having a quantum computer, can have quantum access to the cPUF oracle. Note that quantum selective unforgeability of this type of cPUF structure can be investigated in the aforementioned model. We leave exploring these open questions for future studies.
Another main category of PUFs that can be represented via unitary transformations is Quantum Read-out PUFs (QR-PUFs). The original definition of QR-PUFs considered cPUFs with quantumly-encoded challenge-response pairs [45,46]. The security of QR-PUF-based identification protocols has been investigated in specific security models, such as prepare-and-resend adversaries in [45,46,39,22,47,38,18], where either the full unitary transformation or, equivalently, the classical description of QR-PUF responses for any known challenge is assumed to be public knowledge. The security of such PUF-based protocols relies on the bounds on the ability of an adversary to estimate an unknown quantum challenge sent by the verifier.
Although our current framework, as it is, will not be directly applicable to all sorts of protocols and scenarios in which QR-PUFs are defined and used, due to the specific sets of assumptions and adversarial models considered in these scenarios, we believe that an extended variant of QR-PUFs can be studied as a stand-alone primitive in our proposed framework. We call this extended class Public-Database PUFs (or PDB-PUFs); it includes any PUF that can be queried with quantum (or quantumly encoded) challenges, produces quantum states as responses and is modelled by a publicly known unitary transformation or, equivalently, a public database. Our framework provides security notions against general and quantum adversaries in the standard game-based model. Hence we can also investigate the security of PDB-PUFs, by relaxing the unknownness condition for this class. It can easily be shown that in the case of PDB-PUFs the adversary has more knowledge compared to qPUFs, so these PUFs cannot provide quantum existential unforgeability, either. But more interestingly, using our toolkit of the quantum emulation attack, one can also show that, provided that the classical description of the unitary or the responses is known, PDB-PUFs do not even provide quantum selective unforgeability against QPT adversaries, even if the adversary is unable to efficiently estimate the challenge quantum state. To see why, let us assume the challenger to be also an efficient quantum party. Hence a QPT adversary having knowledge of the database can efficiently span a subspace including the challenge state, and the approximate response can be produced with high fidelity using the universal quantum emulator, as has been discussed in Section 2. We should mention that the feasibility of other quantum attacks with current technologies has been discussed in [45,46,39,22,47,38,18].
However, it remains an interesting open question when the quantum emulator attack presented in this paper can also be demonstrated on emerging quantum devices.
Another interesting direction for future work is whether the assumptions of QR-PUFs can be matched to the current framework, to be able to study their provable security against stronger quantum adversaries. It seems that if one can assume the classical description of $U_{QR}$ to be private and the challenge state can be chosen uniformly at random from the whole Hilbert space, QR-PUFs, like qPUFs, can provide quantum selective unforgeability, although this remains an interesting open problem.
An important complementary question that we left open is the design of a concrete qPUF construction based on the formal framework proposed in this work. Introducing a proper construction for a quantum PUF would be much more complicated than for its classical counterparts, as one needs to deal with many complications of the quantum world such as decoherence. Similarly to the case of classical PUFs, optical devices still remain good candidates for qPUFs and are worth a formal study that would be able to show whether they satisfy all the requirements and properties of a secure qPUF. Moreover, some randomised circuit-based constructions such as t-designs can also be suitable candidates for qPUFs, as we have recently explored [29]. Another challenge in the way of industrialising qPUFs is the need for quantum memory in some of the qPUF-based protocols. It is an interesting question how much this resource can be reduced or even removed in different protocols. Finally, the current definition allows the study of unitary qPUFs while, as also mentioned in the paper, by relaxing some of the requirements the framework could also allow for non-unitary qPUFs, which is another natural open question for future studies.

A Background on Classical Physical Unclonable Functions
In this section, we briefly present the formal definition of Physical Unclonable Functions (PUFs) as found in the classical literature [3,42,7]. Let a D-family be a set of physical devices generated through the same manufacturing process. Due to unavoidable variations during manufacturing, each device has some unique features that are not easily clonable. A Physical Unclonable Function (PUF) is an operation making these features observable and measurable by the holder of the device.
As in [3,7], we formalize the manufacturing process of a PUF by defining the Gen algorithm that takes the security parameter λ as input and generates a PUF with an identifier id. Note that each time the Gen algorithm is run, a new PUF with a new id is built. So, we have:

Also, we define the Eval algorithm that takes a challenge x and $PUF_{id}$ as inputs and generates the corresponding response $y_{id}$ as output:

Due to variations in the environmental conditions, for any given $PUF_{id}$, the Eval algorithm may generate a different response to the same challenge x. It is required that this noise be bounded as follows: if Eval($PUF_{id}$, x) is run several times, the maximum distance between the corresponding responses should be at most $\delta_r$. This requirement is termed the robustness requirement.

Consider a family of PUFs generated by the same Gen algorithm, and assume the algorithm Eval is run on all of them with a single challenge x. To be able to distinguish each $PUF_{id}$, it is required that the minimum distance between the corresponding responses be at least $\delta_u$. This requirement is termed the uniqueness requirement.
The other requirement considered in [3] is collision-resistance. This imposes that whenever the Eval algorithm is run on $PUF_{id}$ with different challenges, the minimum distance between the different responses must be at least $\delta_c$. The parameters $\delta_r$, $\delta_u$, $\delta_c$ are determined by the security parameter λ. Robustness, uniqueness and collision-resistance are crucial for correctness of cryptographic schemes built on top of PUFs. The conditions $\delta_r \leq \delta_u$ and $\delta_r \leq \delta_c$ must be satisfied to allow for distinguishing different challenges and PUFs [3].
According to the above, a $(\lambda, \delta_r, \delta_u, \delta_c)$-PUF is defined as a pair of algorithms, Gen and Eval, that provides the robustness, uniqueness and collision-resistance requirements. We call a $(\lambda, \delta_r, \delta_u, \delta_c)$-PUF a Classical PUF (cPUF) if the Eval algorithm runs on classical information such as bit strings. Any classical function $f : \{0, 1\}^n \rightarrow \{0, 1\}^m$, including a cPUF's Eval, can be modelled as a unitary transformation as follows

and thus a quantum adversary can query $U_f$ on any desired quantum states, such as the superposition of all the classical inputs.

B Proof of Theorem 2: Quantum Emulation Output
Here we give the full proof of Theorem 2 as follows.
Proof: We prove the theorem by induction. For the first block (K = 1), according to equation (9) and letting $|\chi_0\rangle = |\psi\rangle$ we have:

where the term $I - R(\phi_r) = 2|\phi_r\rangle\langle\phi_r|$ projects the previous state to $|\phi_r\rangle$ with the coefficient $\langle\phi_r|\psi\rangle$ and the term $R(\phi_i)(I + R(\phi_r))$ is equal to:

Thus, the final relation between all the parameters in the first block is as follows.

By substituting $|\chi_{K-1}\rangle$ with its equivalent based on equation (10), we calculate each term in the above formula. Note that the coefficient in the third term is the same as the first one with a minus sign, and the ancillary state for the first term is $|0\rangle$ while for the third term it is $|1\rangle$. Thus, we only show the details of the calculation for the first term:

The second term is calculated as follows:

The fourth term $-2\langle\phi_K|\chi_{K-1}\rangle|\phi_K\rangle|1\rangle$ has the coefficient $-2\langle\phi_K|\chi_{K-1}\rangle$, which produces the same sigma terms while only $l_{i,j}$, $x_{i,j}$, $y_{i,j}$ and $z_{i,j}$ are increased by one. The fifth term $2\langle\phi_r|\chi_{K-1}\rangle\langle\phi_r|\phi_K\rangle|\phi_K\rangle|1\rangle$ has the coefficient $2\langle\phi_r|\chi_{K-1}\rangle\langle\phi_r|\phi_K\rangle$ and similarly produces the same sigma terms where $l_{i,j}$, $x_{i,j}$, $y_{i,j}$ and $z_{i,j}$ are increased by one (note that $\langle\phi_r|\phi_K\rangle$ is itself one of the terms of the sigma). Finally, by adding all these terms, equation (10) is obtained and the proof is complete.

C Lemma for the Proof of Theorem 3
We establish the following lemma that we have used in the proof of Theorem 3.

Lemma 2 Let $E$ be a CPT map of the form $E(\rho) = (1 - \epsilon)U\rho U^{\dagger} + \epsilon\tilde{E}(\rho)$ where $U$ is a unitary and $\tilde{E}$ is a strictly contractive CPT map. Let $\rho$ and $\sigma$ be two arbitrary density matrices with trace distance $D = D_{tr}(\rho, \sigma)$. Then the following inequality holds:

Proof: We note that the first part of the channel $E$, which outputs the density matrix $U\rho U^{\dagger}$ with probability $(1 - \epsilon)^2$, is a unitary and preserves the distance. As a result, for a fixed value of $\epsilon$ and fixed arbitrary states $\rho$ and $\sigma$, the difference between the trace distances of the output of $E$ and the input states increases as $\tilde{E}$ becomes more contractive. As the maximum contractivity of $\tilde{E}$ occurs when $\tilde{E} = \frac{I}{d}$, the maximum difference between the output and input trace distances is attained for this instance of the channel. Let

Then for a fixed $\epsilon$ we will have:

Now we calculate $D_{tr}(E(\rho), E(\sigma))$ using the definition of the trace distance, which is $D_{tr}(\rho, \sigma) = \frac{1}{2} tr(|\rho - \sigma|)$, where $|A| = \sqrt{A^{\dagger}A}$ for a positive semidefinite matrix A. We calculate the trace distance as:

Finally, we can relate the desired trace distance with the above value as:

And the lemma has been proved.

D Full Proof of Theorem 6
Proof: Let A be a QPT adversary playing the game $G^{UqPUF}_{qSel}(\lambda, A)$ where the UqPUF is defined over $H^D$. Let $S_{in}$ and $S_{out}$ be the input and output databases of the adversary after the learning phase, both with size $k_1$, respectively. Also, let $H^d$ be the d-dimensional Hilbert space spanned by the elements of $S_{in}$, where $d \leq k_1$, and $H^d_{out}$ be the Hilbert space spanned by the elements of $S_{out}$, with the same dimension. A receives an unknown quantum state $|\psi\rangle$ as a challenge in the qSel challenge phase and tries to output a state $|\omega\rangle$ as close as possible to $|\psi^{out}\rangle$. We are interested in calculating the average probability that the fidelity of A's output state $|\omega\rangle$ and $|\psi^{out}\rangle$ be larger than or equal to δ. We calculate this probability over all the possible states chosen uniformly at random from $H^D$.
We will show that, for any δ ≠ 0, the success probability of A is negligible in λ.
According to the game definition, since the adversary selects the states of the learning phase, the classical descriptions of these states are known to him, while the corresponding responses are unknown quantum states. Let A′ be the adversary who also receives the classical description of the outputs, or the complete set of bases of H^d and H^d_out. He then has a complete description of the map on the subspace; as a result, A′ has a greater success probability than A.
Therefore, from now on throughout the proof, we calculate the success probability of A′, who has full knowledge of the subspace. Note that the adversary cannot enhance his knowledge of the subspace by entangling his local system with the challenges of the learning phase, since the reduced density matrix of the challenge/response entangled state lies in the same subspaces H^d and H^d_out. Hence, by upper-bounding the success probability of A with the success probability of A′, who has full knowledge of the subspace, we have also included entangled queries. Thus, without loss of generality and to avoid complicated notation, we consider the adversary's estimated state to be a pure state |ω⟩.

Now, we partition the set of all challenges into two parts: the challenges that are completely orthogonal to the subspace H^d, and the rest of the challenges, which have non-zero overlap with H^d. We denote the subspace of all the states orthogonal to H^d as H^{d⊥}. We calculate the success probability of A′ in terms of the following partial probabilities: Because the probability of |ψ⟩ being in any particular subset is independent of the adversary's learnt queries, the success probability of A′ can be written as: denotes the probability of |ψ⟩ that is picked uniformly at random from H^D being projected into the subspace of H^{d⊥}. From Lemma 1, we know that this probability, for any subspace, is equal to the ratio of the dimensions. As Also the probability is upper-bounded by the cases that the adversary can always win the game for |ψ⟩ ∈ H^{d⊥}. So, we have, Finally, the only term that should be calculated is Pr Note that any |ψ⟩ ∈ H^D can be written in any set of full bases of H^D as |ψ⟩ = where the first term represents the part of the output state that has been produced by A′ from his learnt output subspace, and the second term denotes the part that lies in H^{d⊥}_out, with the set of bases {|q_i⟩}_{i=1}^{D−d}.
Based on the above argument, the fidelity of the first part is always zero, as ⟨b_i|e_i^out⟩ = 0. Note that the normalization condition implies Σ_{i=1}^{d} |β_i|² + Σ_{i=d+1}^{D} |γ_i|² = 1. Thus, for any state |ω⟩ that has a non-zero overlap with the learnt outputs, the fidelity with the correct state decreases. To make A′'s strategy optimal we assume D where the normalization condition is Σ_{i=1}^{D−d} |γ_i|² = 1. Since there are infinitely many choices for the set of bases orthogonal to {|e_i^out⟩}_{i=1}^{d}, there is no way to uniquely choose or obtain the rest of the bases to complete the set. Also, another input of the adversary is the state |ψ⟩, which according to the game definition is an unknown state drawn from a uniform distribution. As a result, the choice of the |q_i⟩ bases is also independent of |e_i⟩ or |b_i⟩. Thus, knowing a matching pair (|q_i⟩, |b_i⟩) increases the dimension of the known subspace by one, which means the adversary has more information than it is assumed to have.
So, for each new challenge, A′ produces a state |ω⟩ = Σ_{i=1}^{D−d} γ_i |q_i⟩ with a totally independent choice of bases. Without loss of generality, we can fix the bases |q_i⟩ for different |ω⟩. To calculate the success probability of A′, we calculate the fidelity, averaging over all possible choices of |ψ⟩. As the unitary transformation preserves the distance, it maps a uniform distribution of states to a uniform distribution. This leads to a uniform distribution of all the possible |ψ^out⟩. As a result, the average probability over all possible |ψ⟩ is equal to the average probability over all possible |ψ^out⟩.
Now, we show that the adversary A′ also needs to output |ω⟩ according to the uniform distribution to win the game in the average case. Let A′ output the states according to a probability distribution D which is not uniform. Then, by repeating the experiment asymptotically many times, the correct response |ψ^out⟩ covers the whole of H^{d⊥}_out, while |ω⟩ covers only a subspace of H^{d⊥}_out. This decreases the average success probability of A′. So, the best strategy for A′ is to generate the states |ω⟩ such that they span the whole of H^{d⊥}_out, i.e. to generate them according to the uniform distribution.
Based on the above argument, and the fact that all the states |ω⟩ are produced independently, we show that the average fidelity over all the |ψ^out⟩ is equivalent to the average fidelity over all the |ω⟩.
There are different methods for calculating the average fidelity [55], but most commonly the average fidelity can be written as: where dµ is a measure based on which the reference state has been produced and parameterized. According to our uniformity assumption, the dµ here is the Haar measure. Note that |ω⟩ can be different for any new challenge. Now we rewrite the above average with the new parameters as: The above equality holds since the fidelity is a symmetric function of two states and the measure of the integral is the same in both cases. We use this equality for averaging over all the possible outputs for one |ψ^out⟩. Recall that we aim to calculate the probability of the average fidelity being greater than δ. To this end, we first calculate a more general probability, namely the probability of the average fidelity being non-zero. As we have we calculate the probability of the zero fidelity for simplicity. So, Based on the Cauchy-Schwarz inequality we have the following inequality: where, So, we have, The smaller term is the probability of |ω⟩ being projected into the orthogonal subspace of a space that only includes |ψ^out⟩, averaging over all the projectors. We again invoke Lemma 1.
As the target subspace includes only one vector of the Hilbert space, the dimension of the orthogonal subspace is always one dimension less. Recall that d^⊥ = D − d; the dimension of the intended orthogonal subspace is therefore equal to D − d − 1. So, And as a result, So, for any non-zero δ we have, Thus, the success probability of A′ is And the success probability of A is bounded by (d+1)/D, and the theorem has been proved.
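
A numerical sanity check of the dimension-counting averages this proof relies on, as an added example that is not part of the original paper. It assumes Haar-random challenges, takes the learnt subspace to be the span of the first d basis vectors (allowed by unitary invariance), and uses hypothetical function names; the final combination d/D + (1 − d/D)/(D − d) = (d+1)/D is the example's own arithmetic, compared against the bound stated at the end of the proof.

```python
import math
import random

def haar_state(dim, rng):
    """Haar-random pure state in C^dim: normalised complex Gaussian vector."""
    v = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(dim)]
    norm = math.sqrt(sum(abs(x) ** 2 for x in v))
    return [x / norm for x in v]

def fidelity(a, b):
    """|<a|b>|^2 for two normalised pure states."""
    return abs(sum(x.conjugate() * y for x, y in zip(a, b))) ** 2

def learnt_weight(psi, d):
    """Squared norm of the projection of psi onto the learnt subspace,
    taken (assumption) as the span of the first d basis vectors."""
    return sum(abs(x) ** 2 for x in psi[:d])

def bound(D, d):
    """The (d+1)/D figure stated at the end of the proof."""
    return (d + 1) / D

def estimate(D, d, trials=5000, seed=1):
    """Monte Carlo averages over Haar-random challenges.

    Returns (mean weight in the learnt subspace, expected d/D;
             mean fidelity of an independent uniform guess inside the
             (D-d)-dimensional complement, expected 1/(D-d);
             their combination, expected (d+1)/D)."""
    rng = random.Random(seed)
    weight = guess = 0.0
    for _ in range(trials):
        weight += learnt_weight(haar_state(D, rng), d)
        target = haar_state(D - d, rng)  # response component in the complement
        blind = haar_state(D - d, rng)   # adversary's uniform guess there
        guess += fidelity(target, blind)
    weight /= trials
    guess /= trials
    return weight, guess, weight + (1 - weight) * guess

if __name__ == "__main__":
    D, d = 16, 4  # constructed sample dimensions
    w, g, total = estimate(D, d)
    print(f"weight {w:.4f} vs {d / D:.4f}")
    print(f"guess  {g:.4f} vs {1 / (D - d):.4f}")
    print(f"total  {total:.4f} vs bound {bound(D, d):.4f}")
```

Raising D with d fixed drives all three averages towards zero, which is the sense in which the bound is negligible when the number of learnt queries is small compared with the dimension.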