Quantum Lock: A Provable Quantum Communication Advantage



Introduction
Recent advances in the development of the quantum internet and of both short-distance and long-distance quantum networks have enabled a broad range of applications, from simple secure communication to advanced functionalities such as delegated quantum computation. Many of these applications are out of reach for classical networks [6,10,13,14,21,24,25,39,47,63,64,66]. Nevertheless, the search for other useful and implementable applications of the quantum internet, and of quantum communication networks in general, is a very active area of research. A common essential security feature for most such applications is the ability to perform secure authentication. In general, authentication is captured by different definitions and security levels and plays a central role in establishing secure communications over untrusted channels [1,9,23]. In particular, entity authentication, also known as device authentication, is a crucial, fundamental, and yet challenging and mostly unsolved task [30,36]. This makes authentication a good candidate for practical applications of quantum networks.
Among the various approaches to authentication, hardware security provides a promising paradigm: it exploits the underlying properties of hardware and physical devices. In this context, Physically Unclonable Functions (PUFs) are a promising technology that can establish trust in embedded systems without requiring any non-volatile memory (NVM) [28,29,41]. A PUF derives unique volatile secret keys on the fly by exploiting the inherent random variations introduced by the manufacturing processes of integrated circuits (ICs). Any slight (yet unavoidable and uncontrollable) variation in the manufacturing process produces a different PUF, rendering the fabrication of an identical physical 'clone' of a PUF [51] infeasible. Hence, PUFs provide copy-proof, cost-efficient, unique hardware fingerprints. Usually, one can generate such fingerprints simply by querying the PUF physically. In the literature, the query and response pairs are referred to as challenge-response pairs (CRPs). Due to the uniqueness of these devices, different PUFs generate different CRPs.
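As a concrete illustration of such manufacturing-variation fingerprints, the following numpy sketch implements the textbook additive-delay model of a silicon arbiter PUF. It is an illustrative toy (parameters and seeds are arbitrary), not any specific construction from the references above:

```python
import numpy as np

def make_arbiter_puf(n, seed):
    # Each device draws its own delay vector: the uncontrollable
    # manufacturing variation that makes this PUF instance unique.
    return np.random.default_rng(seed).normal(size=n + 1)

def transform(C):
    # Parity feature map of the additive-delay model of arbiter PUFs.
    phi = np.cumprod(1 - 2 * C[:, ::-1], axis=1)[:, ::-1]
    return np.hstack([phi, np.ones((len(C), 1))])

def respond(w, C):
    # Each row of C is a challenge; the sign of the delay sum is the response.
    return (transform(C) @ w > 0).astype(int)

rng = np.random.default_rng(0)
challenges = rng.integers(0, 2, size=(200, 64))
puf_a = make_arbiter_puf(64, seed=1)   # two "identically" manufactured
puf_b = make_arbiter_puf(64, seed=2)   # devices with different variations
# The two devices disagree on many challenges: unique CRP fingerprints.
print((respond(puf_a, challenges) != respond(puf_b, challenges)).mean())
```

Querying the same device twice with the same challenge returns the same bit, while two devices built from the same blueprint produce different CRP tables.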
The literature on classical PUFs (CPUFs) is rich, and a multitude of constructions is available based on different hardware technologies [28,31,37]; we refer to [49] for a detailed review of the available constructions of classical PUFs. Although all of these constructions provide unique and inexpensive hardware fingerprints, they all struggle to provide sufficient randomness. As a result, most existing CPUF constructions are vulnerable to machine-learning modelling-based attacks [7,8,18,52,53]. In these attacks, the attacker first collects a sufficient number of CRPs by adaptively querying the PUF, and then uses that data to derive a numerical model with machine-learning tools. The goal of the model is to predict the response of the PUF to an arbitrary challenge. These attacks have opened multiple new research directions on designing machine-learning-attack-resilient PUFs [45,54]. In the classical domain, there are a few proposals to prevent such sophisticated attacks. The lockdown technique [70] is one such example. Informally speaking, it provides two-way, i.e., server-client, authentication. The server first sends part of the response along with a challenge to the client. The client checks whether this partial response is consistent with the actual response of its PUF to the challenge sent by the server, and replies with the rest of the response only if the server passes this test. This prevents the adversary from querying the CPUF adaptively. However, all such solutions are heuristic in nature, and none of them provides provable security for CPUFs or PUF-based authentication protocols. On the other hand, in recent years, a line of research has suggested exploiting the quantum mechanical features of certain devices to design secure PUFs, known in the literature as quantum PUFs [2,27,40].
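The lockdown message flow described above can be sketched as follows. This is an illustrative toy with a deterministic lookup-table "PUF" and a hypothetical 16-bit response split in half; it conveys the idea of [70], not its exact protocol:

```python
def lockdown_round(server_db, client_puf, challenge):
    # Server reveals the first half of the stored response up front; the
    # client answers with the second half only if that half checks out.
    r1 = server_db[challenge][:8]
    local = client_puf(challenge)
    if local[:8] != r1:
        return None                    # server not authentic -> abort
    return local[8:]                   # rest of the response

# Toy lookup-table "PUF" shared between the device and server enrolment.
table = {c: format((c * 2654435761) % 2**16, "016b") for c in range(8)}
puf = table.__getitem__
db = {c: puf(c) for c in range(8)}     # enrolment phase

assert lockdown_round(db, puf, 3) == db[3][8:]          # honest server
bad_db = {3: ("1" if db[3][0] == "0" else "0") + db[3][1:]}
assert lockdown_round(bad_db, puf, 3) is None           # tampered half
```

An adversary without the server's database cannot produce the first half, so it cannot coax the device into answering adaptively chosen challenges.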
Although these proposals provide provable security against quantum machine learning attacks, they are challenging to realise with current-day quantum technologies.
In this work, we introduce a new use-case of quantum communication with provable advantages in several respects: a new PUF construction and a novel quantum entity authentication protocol that combine hardware assumptions with quantum information to achieve secure authentication with a provable exponential security advantage over their classical counterparts. We also formally prove that the protocol fulfils a specific desired property, namely challenge reusability, which is impossible without quantum communication, emphasising the significance of quantum communication technology and quantum networks for a new quantum security era. Moreover, we show that quantum communication makes our construction cheat-sensitive, i.e., our PUF-based authentication protocol can detect adversarial attempts (both passive and active) at intercepting the responses of the PUF. We aim to keep our construction implementable with present-day quantum communication technologies while exploiting the desirable security promises provided by the quantum nature of the challenges and responses. Our PUF construction utilises classical PUFs, which are too weak to be useful in a standalone manner but have the advantage of being widely accessible and easy to use, and enhances their security using commercially available tools from quantum communication. Here, for the first time, we show that by encoding the output of classical PUFs into non-orthogonal qubits, one can enhance the security of PUFs against weak (non-adaptive) adversaries. As such, the first building block of our design is a construction we refer to as a hybrid PUF (HPUF), which encompasses a classical PUF and produces quantum responses to classical challenges. We prove that this construction provides security against the aforementioned adversary.
With this gadget at hand, we then introduce a construction that is secure against more powerful adaptive quantum adversaries (the general class of quantum polynomial-time (QPT) adversaries). To this end, we borrow the idea of the classical lockdown technique and, by redefining it in the quantum setting, we present our final construction, namely hybrid locked PUF (HLPUF). We show that classical PUFs combined with quantum encoding and the new lockdown toolkit can considerably boost the security of classical PUFs without too much overhead. An important technological improvement compared to previous quantum-enhanced proposals where quantum memory was necessary is that for both HPUFs and HLPUFs, only a classical database of challenge-response pairs needs to be stored on the verifier's side. We formally prove adversarial bounds on the unforgeability of HLPUFs in comparison with the underlying classical PUFs, using rigorous proof techniques from quantum information theory. We also formally prove the security of our HLPUF-based device authentication protocol under realistic assumptions.
In addition to our theoretical contributions, to better demonstrate the applicability and strength of our results, we provide simulations for the design of HPUF constructions with underlying silicon CPUFs instantiated by the pypuf python-based library [68]. Furthermore, we simulate machine-learning-based modelling attacks on HLPUFs where an adversary acquires classical challenges and quantum-encoded responses from an HLPUF. Our simulation results support our theoretical proofs by evidencing the security enhancement from CPUFs to HLPUFs. They also certify the practicality and security of our construction, even beyond the scope of the proven theorems, in a real-world scenario, since the CPUFs used in our simulations are commercially available rather than purely theoretical models. We also bring forward practical proposals to further improve the quality of such constructions.
Finally, through studying this construction, we also address a long-standing open problem in the field of PUF-based authentication: the reusability of the challenge-response pairs stored in the verifier's database. One significant drawback of PUF-based authentication protocols is that the server/verifier cannot use the same challenge multiple times to authenticate a client/prover, due to man-in-the-middle attacks. Therefore, the server exhausts all the challenges in the database after running several rounds of the authentication protocol. This limitation is unavoidable in any such classical protocol. However, we show that due to entropic uncertainty relations in quantum information theory, with our proposed construction the server can reuse a challenge as long as it has successfully authenticated the client using that challenge in the previous rounds. Our result overcomes this open problem, as we prove for the first time the challenge reusability of PUF-based applications. The entropic uncertainty relations also allow the honest server/client to detect any adversarial attempt at extracting information from the response of the HPUFs, providing the cheat sensitivity of our protocol.

Our Results
We first present the construction of HLPUFs, discussing our theoretical results with respect to their security and showing a provable method of securing classical PUFs using quantum communication. This result, as mentioned, provides a novel provable advantage that is only achievable using quantum communication. Then we introduce our HLPUF-based authentication protocol. In addition to discussing the security of the protocol, we also show a unique property of such protocols, namely challenge reusability, which cannot be realised purely classically under similar assumptions. Lastly, we exhibit our theoretical results in practice through simulations, stepping even closer to practice by using our construction to secure one of the cheapest and most widely available existing PUFs.

Construction of Hybrid Locked PUF (HLPUF)
The core idea of our HLPUF construction is to hide the outcome of the classical PUF inside quantum states and prevent the adversary from implementing adaptive strategies or getting multiple copies of output quantum states using the quantum lock. The underlying component of our construction is a gadget which we name Hybrid PUF (HPUF). HPUF is the part that protects the output interface of the classical PUF by encoding the classical outcomes in non-orthogonal states. Thus, an HPUF is a device with a classical bit-string as input and encoded quantum states as output.
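Concretely, the HPUF's quantum encoding can be sketched as follows, under one possible convention (assumed here purely for illustration) where the first bit of each pair selects the state and the second selects the basis:

```python
import numpy as np

# BB84 states: each pair (value, basis) of CPUF output bits picks one of
# four non-orthogonal states |0>, |1>, |+>, |->.
KET = {
    (0, 0): np.array([1.0, 0.0]),                    # |0>
    (1, 0): np.array([0.0, 1.0]),                    # |1>
    (0, 1): np.array([1.0, 1.0]) / np.sqrt(2),       # |+>
    (1, 1): np.array([1.0, -1.0]) / np.sqrt(2),      # |->
}

def hpuf_response(cpuf_bits):
    """Map a 2m-bit classical CPUF outcome to m single-qubit BB84 states."""
    assert len(cpuf_bits) % 2 == 0
    return [KET[(cpuf_bits[i], cpuf_bits[i + 1])]
            for i in range(0, len(cpuf_bits), 2)]

qubits = hpuf_response([1, 0, 0, 1, 1, 1])   # f(x)=100111 -> |1>, |+>, |->
```

Since the four states are pairwise non-orthogonal across the two bases, no measurement can read the underlying classical bits with certainty.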
Intuitively, to forge the HPUF, the adversary needs to extract the classical outcome for each challenge from the quantum states produced by the HPUF. The task reduces to extracting each two-bit outcome of the classical PUF (say the (2j−1, 2j)-th bits) from the corresponding quantum state |ψ_out^j⟩. Thus the adversary needs to distinguish between the four non-orthogonal states {|0⟩, |1⟩, |+⟩, |−⟩}, which is possible with probability at most p_guess. Distinguishing an unknown quantum state from a pre-determined set of non-orthogonal states is a well-known problem in quantum information, which we exploit here in a more general way. As a result, an adversary trying to break the HPUF is forced to run its forgery algorithm on an imperfect training database. The adversarial model considered here assumes that the adversary gets access to a random set of these classical challenges and quantum responses, where there exists only one copy of each pair in the adversary's database. This model is usually referred to as the weak adversary. We later upgrade this adversary to a more powerful one, our target most powerful quantum adversary of interest, when introducing the locking mechanism of the construction.
Due to the probabilistic nature of this extraction process, the extra randomness, captured by the probability p_guess, enhances the security of the HPUF against weak quantum adversaries, as they require considerably more challenge-response pairs to forge the HPUF. We refer to this specific forgery attack as the measure-then-forge strategy. This attack is illustrated in Figure 4. Our first result, in Lemma 2 (see supplementary materials), shows that measure-then-forge is an optimal forging strategy for this problem.
Given a set of q random classical-challenge and quantum-response pairs, the adversary needs to extract enough classical information to forge the HPUF with the optimal forging algorithm. We assume that for a successful forgery, the adversary needs to extract the outcome of the CPUF from at least (1−ε)q responses, where 0 ≤ ε ≤ 1. The value of ε depends mainly on the quality of the CPUF and the noise tolerance of the machine-learning algorithm; the calculation of ε is discussed in Section 3. To derive one of our central results, i.e. the quantum advantage brought by the HPUF construction, we prove an exponential gap between the success probabilities of the optimal forgery attacks on the CPUF and the HPUF. Let p_forge^classical denote the probability of forging the CPUF using q challenge-response pairs from the CPUF. We derive the following result, which is formally presented in Theorem 2 and Lemma 3.

Security Result 1: The forging probability of the HPUF is upper bounded as

p_forge^quantum ≤ p_extract × p_forge^classical,   (1)

where the extraction probability p_extract is itself bounded as

p_extract ≤ Σ_{i=⌈(1−ε)q⌉}^{q} C(q, i) (p_guess^{2m})^i (1 − p_guess^{2m})^{q−i},   (2)

with C(q, i) the binomial coefficient. Here, p_guess is the probability of guessing a single-bit outcome of the CPUF from a single-qubit outcome of the HPUF. As an important remark, note that the classical forging probability p_forge^classical is not a small value, given that the CPUF can be broken with a large enough number of queries. Therefore, the term p_extract is responsible for the exponential gap between the security of the HPUF and the CPUF, and consequently highlights the role of the quantum encoding in deriving this quantum advantage result.
The probability p_guess is itself upper bounded (as calculated in Lemma 1) as a function of a parameter 0.5 ≤ p ≤ 1, which quantifies the randomness of the underlying CPUF; for a perfectly random CPUF (p = 0.5), the bound coincides with the optimal probability of guessing a uniformly random bit encoded in the BB84 states, cos²(π/8) ≈ 0.85.
If p_extract decays exponentially with the number of output bits m of the HPUF, then p_forge^quantum is exponentially smaller than the CPUF forging probability p_forge^classical. One can observe that for a smaller value of ε (see Figure S2 in the supplementary materials), p_extract decays exponentially with m, showing an exponential separation in security between the HPUF and the CPUF. To conclude, we give concrete security bounds for the HPUF based on its underlying insecure CPUF.
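To see this decay concretely, the following sketch evaluates a binomial-tail bound of this shape, under the assumption that each full 2m-bit response is extracted with probability at most p_guess^{2m}; the exact expression is the one in Lemma 3, which may differ in detail:

```python
from math import comb

def p_extract_bound(q, m, eps, p_guess=0.85):
    """Tail probability that at least (1-eps)*q of q responses are fully
    extracted when each 2m-bit response is recovered with probability at
    most p_guess**(2*m). (Assumed binomial-tail shape, for illustration.)"""
    p_full = p_guess ** (2 * m)
    k_min = int((1 - eps) * q)
    return sum(comb(q, i) * p_full ** i * (1 - p_full) ** (q - i)
               for i in range(k_min, q + 1))

for m in (1, 2, 4):
    print(m, p_extract_bound(q=100, m=m, eps=0.1))
```

With these illustrative parameters, the bound drops by many orders of magnitude each time m doubles, while a fully extractable (classical) database corresponds to the ε = 1 case where the bound is trivially 1.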

Quantum Lock on the HPUFs
Next, in order to prove the full quantum security of our construction, we need to uplift the previously considered weak adversary to a general adaptive quantum adversary. An adaptive quantum adversary is free to build their database with arbitrary queries, made adaptively and potentially depending on previous queries¹. In particular, such adversaries can query the HPUF multiple times with the same challenge x, obtaining several copies of |ψ_out⟩, and can easily extract the outcome f(x) from the multiple copies.
¹ Note that here we do not allow superposition queries to the underlying CPUF inside the HLPUF. However, we allow the adversaries to run quantum algorithms on the challenge-response pair database.
Consequently, a probability p_guess ≈ 1 can be achieved in theory, and a strong adversary can forge the HPUF efficiently. Hence, the construction of HPUFs on its own is not sufficient to achieve the desired notion of quantum security.
To complete our construction, we equip it with a mechanism called the quantum lock, which ensures security against general adaptive adversaries. The quantum lock allows both parties to partially authenticate each other using small embedded verification resources. As a result, it prevents the adversary from adaptively querying the device and reduces a powerful quantum polynomial-time (QPT) adversary to a weak adversary.
We start by subdividing the output Hilbert space of the HPUF E_f. The first part contains the first m qubits of the outcome, and the second part contains the last m qubits. Note that the first m qubits of the HPUF's outcome come from the first 2m output bits of the underlying classical PUF f. For any challenge x ∈ {0,1}^n we can write the outcome of the classical PUF as f(x) = f_1(x)||f_2(x), where the mapping f_1 : {0,1}^n → {0,1}^{2m} denotes the first 2m bits of f and f_2 : {0,1}^n → {0,1}^{2m} denotes the last 2m bits of f. Similarly, we can rewrite the HPUF E_f as a tensor product of two mappings E_{f_1} and E_{f_2}, each producing m qubits. The hybrid locked PUF takes the classical input x_i and a quantum state ρ̃_1, and produces the second half of the hybrid PUF's response, |ψ_{f_2(x_i)}⟩⟨ψ_{f_2(x_i)}|, as output only if ρ̃_1 matches the first half of the hybrid PUF's output. Figure 2 illustrates the construction of the HLPUF. In each authentication round, the verifier (server) uses a classical database and a quantum encoder to create the required form of challenge for the HLPUF, which consists of two parts: the classical challenge x, and the quantum state |ψ_{f_1(x)}⟩, constructed from the first half of the classical response stored in the database. The verifier then sends them through a public channel fully controlled by a quantum adversary, as illustrated in the figure. The prover (client) inputs this two-part challenge into the HLPUF and either receives the state |ψ_{f_2(x)}⟩, or gets a reject outcome and aborts the protocol, meaning the message did not come from the authentic verifier. The prover then sends the quantum state back through the same public quantum channel to the verifier, which verifies the client's response by measuring it according to the classical database.
Recall that here, f_2(x) = y_3 y_4. Also, ρ̃_{f_1(x)} and ρ̃_{f_2(x)} denote the actual quantum states received by the prover and verifier, respectively, after the adversary's interaction with the original states. We now prove the promised security for this construction. Note that we assume the adversary has no direct access to the outcome of the classical PUF embedded inside our construction; this assumption can be satisfied by enclosing the HLPUF in a tamper-proof box. Thus, under the assumption that the adaptive adversary only has access to the input/output ports of the HLPUF, we prove the security of our HLPUF construction, presented in the following informal theorem (the formal result and its proof can be found in Theorem 4 in the supplementary materials).
Security Result 2 (Informal): If both E_{f_1} and E_{f_2} are secure against q-query weak adversaries, then the HLPUF E_f^L is secure against any q-query adaptive adversary.
Intuitively, if an adversary tries to query the HLPUF with an arbitrary challenge x, then they need to produce the correct quantum state |ψ_{f_1(x)}⟩; otherwise, the verification procedure inside the HLPUF fails, and the HLPUF replies with a garbage output ⊥. The inability of the adversary to produce the state |ψ_{f_1(x)}⟩ is itself ensured by the unforgeability of the HPUF construction and the no-cloning principle of quantum states.
The only remaining option for the adaptive adversary would be to intercept the challenges sent by the server in previous rounds and use them to query the HLPUF. Therefore, in practice, they can query the HLPUF only once with a given challenge x. Given that the server chooses the challenges uniformly at random from its database, an adversary querying the HLPUF with those challenges is reduced to a weak adversary. As we have shown the security of E_{f_1} and E_{f_2} against q-query weak adversaries, with the proposed construction the HLPUF remains secure against any q-query adaptive adversary.
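To make the lock mechanism concrete, here is a toy single-qubit simulation of the HLPUF interface, with a hypothetical fixed 8-bit CPUF outcome (an illustrative sketch, not our formal construction): the device measures the incoming qubits in the bases dictated by f_1(x) and releases f_2(x) only if every outcome matches.

```python
import numpy as np

rng = np.random.default_rng(7)
H = np.array([[1, 1], [1, -1]]) / np.sqrt(2)

def encode(value, basis):
    """BB84 encoding: value bit in the Z basis (basis=0) or X basis (basis=1)."""
    ket = np.array([1.0, 0.0]) if value == 0 else np.array([0.0, 1.0])
    return H @ ket if basis else ket

def measure(state, basis):
    """Projective single-qubit measurement in Z (basis=0) or X (basis=1)."""
    if basis:
        state = H @ state
    return 0 if rng.random() < abs(state[0]) ** 2 else 1

def hlpuf(cpuf, x, rho1):
    """Quantum lock: verify the incoming qubits against the first half of the
    local CPUF response; release the second half only on success."""
    bits = cpuf(x)
    f1, f2 = bits[: len(bits) // 2], bits[len(bits) // 2:]
    for j in range(0, len(f1), 2):
        value, basis = f1[j], f1[j + 1]
        if measure(rho1[j // 2], basis) != value:
            return None            # verification failed: output nothing
    return f2                      # would be re-encoded as |psi_{f2(x)}>

cpuf = lambda x: [1, 1, 0, 0, 1, 0, 0, 1]       # toy fixed CPUF outcome
f1 = cpuf(0)[:4]
honest = [encode(f1[j], f1[j + 1]) for j in (0, 2)]
assert hlpuf(cpuf, 0, honest) == [1, 0, 0, 1]   # honest verifier passes
forged = [np.array([1.0, 0.0])] * 2             # adversary guesses |0>|0>
assert any(hlpuf(cpuf, 0, forged) is None for _ in range(200))
```

An honest verifier, who knows f_1(x) from the enrolment database, always passes; an adversary guessing the states is caught with constant probability per qubit, hence with overwhelming probability for m qubits.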

HLPUF-based Authentication Protocol
Putting our construction into practice, we propose an HLPUF-based authentication protocol. Figure 3 gives an illustration of the protocol, and its formal description is given in the supplementary materials. In a nutshell, the verifier (server) sends a challenge that consists of a classical part and a quantum state, which is verified on the prover's (client's) end when queried to the HLPUF device. If the verifier is successfully authenticated by the HLPUF, the device produces the quantum response and sends it back to the verifier, which uses it to authenticate the prover.
Further, we formally prove the completeness and security of our protocol against adaptive quantum adversaries in the supplementary materials. Security Result 3: The HLPUF-based authentication protocol shown in Figure 3 is complete and secure (universally unforgeable) against any polynomial-time adaptive quantum adversary, given that an HLPUF is used according to Construction 2 and all the assumptions for the construction are satisfied.

Challenge Reusability and Cheat-Sensitivity
In classical PUF-based authentication protocols, each challenge can be used only in a single authentication round due to man-in-the-middle attacks. The problem arises since the adversary can simply copy and record the challenges and responses and have a perfect copy of the challenger's database, which later can be used to falsely identify themselves. Therefore, the server needs to store an enormous database for running the authentication protocol for a long period. This is a fundamental limitation of classical PUFs [34, 60].
However, we show that HLPUFs provide an efficient and unique solution to this issue by exploiting the unclonability of quantum states and the existence of uncertainty relations in quantum mechanics and quantum information. This allows the same challenge to be used several times for authentication without any security compromise. More precisely, each challenge-response pair can be reused provided the previous authentication rounds with it were successful. This solution resolves the important practical limitation of the challenger having to store a big database or renew the database of challenge-response pairs frequently.
First, we clarify the condition under which the challenge can be reused. It is a straightforward observation that the challenges for which the verification test has failed should never be used again. A trivial attack, in this case, would be that the adversary intercepts the communication and stores the response state, and later when the same challenge has been queried again, will re-send the stored correct response state to pass the verification. As a result, all the challenges in the failed rounds should be discarded.
Nonetheless, one of our main results is to show that in the event of successful authentication, the challenges can be reused. Here, by successful authentication, we mean that the received response state passes the verification on the client and server side, and both are identified as honest parties. Even though events of false identification of an adversary are still possible (for example, if the challenge is the same as one of the challenges previously present in the adversary's local database), our result, stated as follows, ensures that these events occur only with negligible probability.
Security Result 4 (Informal): If the HLPUF-based authentication protocol (Figure 3) does not abort for a specific challenge x, then the probability of the adversary successfully extracting the classical outcome of the PUF is upper bounded by 2^−m. Therefore, the challenge x can be reused.
This is a strong information-theoretic result: it shows that even in the presence of a powerful quantum adversary, if the challenge-response pair of the HLPUF leads to successful authentication of the honest parties, then the adversary has almost no information about the response f(x) of the underlying CPUF f. We also show that if the same challenge is used k times and the authentication passes in all of those rounds, the probability that the adversary successfully extracts the classical outcome of the PUF is upper bounded by k · 2^−m, which further quantifies this reusability feature. These results are formally shown in Theorems 5 and 6 in the supplementary materials. This feature is uniquely enabled by quantum communication and the specific relation between the quantum states that we use for our encoding. Our results are proven using a sophisticated toolkit from quantum information theory, namely entropic uncertainty relations [15,20], which have also been used for the full security proofs of famous quantum protocols such as QKD.
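Numerically, the reuse budget implied by the k · 2^−m bound is a direct plug-in (the parameters below are illustrative, not prescribed by the protocol):

```python
def reuse_risk(k, m):
    # Union bound over k successful reuses: each gives the adversary at most
    # a 2**-m chance of having extracted the response (Theorems 5-6).
    return min(1.0, k * 2.0 ** -m)

# With m = 32 response qubits, reusing one challenge a million times keeps
# the adversary's extraction probability below 2.4e-4.
print(reuse_risk(10**6, 32))
```

In other words, the database can be orders of magnitude smaller than in the classical one-challenge-per-round setting, at an exponentially small cost in security.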
Another relevant feature that our quantum communication-based solution provides is cheat sensitivity, meaning that due to the discussed quantum properties of our CRPs, a passive adversary trying to intercept and hijack the communication will be detected.

Our Theoretical Results in Practice: HLPUF's Resiliency to the Machine Learning-Based Attacks
We validate and showcase the practicality of our theoretical results for the HLPUF construction using numerical results and simulations. While introducing the HPUF and our security results earlier, we gave a theoretical upper bound on the forging probability of the HPUF. Our theoretical security analysis shows that exponential security can be achieved for this construction, relying on certain reasonable assumptions, including the existence of a classical PUF that cannot be broken with probability 1, yet is breakable with non-negligible probability given enough queries. Although such mid-level classical PUFs can be found in theory, especially among optical-based constructions, we focus on putting our construction to the test using the cheapest and most widely available CPUFs. We choose silicon CPUFs, such as arbiter PUFs, for this purpose; these are known to be weak in security and breakable using machine-learning attacks. We compare the performance of these CPUFs with an HPUF constructed from the same underlying CPUF, performing measure-then-forge attacks using classical machine-learning algorithms (see Figure 4 for an illustration of the attack). The numerical simulation results support our theoretical proofs by exhibiting an exponential gap between the success probabilities of forging the HPUF and its underlying CPUF given a limited number q of queries.
Here, we instantiate the underlying silicon CPUFs with a python-based library called pypuf [68]. For constructing the HPUFs, we need an underlying CPUF with at least a two-bit outcome. Therefore, we use two XOR arbiter PUFs (say f_1 and f_2) for instantiating an HPUF. For the forgery, we use the measure-then-forge strategy defined in the HPUF section. As the measurement phase of the attack, we use the optimal strategy achieving the upper bound we derived on the adversary's probability of guessing a single-bit outcome of the classical PUF from the outcome of the HPUF (see Lemma 1 in the supplementary materials). After the measurement phase of the measure-then-forge strategy, the adversary ends up with a classical database. We use the classical logistic regression (LR) algorithm for the forgery; since LR attacks show the best performance against k-XOR PUFs, we use the same algorithm in our measure-then-forge strategy. For a more detailed description of the forgery attack, we refer to Section G in the supplementary materials. Our numerical results can be categorised into two main contributions, summarised as follows.

Figure 4: Illustration of the measure-then-forge attack. The quantum adversary receives a sequence of BB84 quantum states as the output of the HPUF and measures them with the optimal measurement strategy to obtain the underlying classical information of the responses of the CPUF. Due to the quantum nature of the HPUF responses, even the best measurement strategy is still probabilistic, which leaves the adversary with a noisy version of the classical database. The adversary can then run a machine-learning attack on the noisy database (in the optimal attack, this classical machine-learning algorithm is assumed to be optimal as well) to extract a mathematical model of the PUF.
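As a self-contained illustration of this pipeline, the following numpy-only sketch replaces pypuf and the library's LR attack with a toy linear arbiter-PUF model and a hand-rolled logistic regression; all parameters (n = 32, 3000 CRPs, p_guess = 0.85) are illustrative choices, not those used for the figures:

```python
import numpy as np

rng = np.random.default_rng(0)
n, N = 32, 3000
w_true = rng.normal(size=n + 1)                  # hidden manufacturing delays

def features(C):
    # Parity feature map of the standard additive-delay arbiter-PUF model.
    phi = np.cumprod(1 - 2 * C[:, ::-1], axis=1)[:, ::-1]
    return np.hstack([phi, np.ones((len(C), 1))])

C = rng.integers(0, 2, size=(N, n))
X = features(C)
y = (X @ w_true > 0).astype(float)               # ideal CPUF responses

def fit_lr(X, y, steps=2000, lr=0.1):
    """Plain logistic regression via gradient descent (a stand-in for the
    LR attack used in the paper's simulations)."""
    w = np.zeros(X.shape[1])
    for _ in range(steps):
        p = 1 / (1 + np.exp(-np.clip(X @ w, -500, 500)))
        w -= lr * X.T @ (p - y) / len(y)
    return w

def accuracy(w, X, y):
    return float(((X @ w > 0) == (y > 0.5)).mean())

# Measure-then-forge: each response bit in the adversary's database is only
# correct with probability p_guess (~0.85 for BB84-encoded bits).
p_guess = 0.85
y_noisy = np.where(rng.random(N) > p_guess, 1 - y, y)

acc_clean = accuracy(fit_lr(X, y), X, y)         # classical adversary
acc_noisy = accuracy(fit_lr(X, y_noisy), X, y)   # measure-then-forge adversary
print(acc_clean, acc_noisy)
```

The classical adversary trains on perfect labels, while the measure-then-forge adversary trains on labels flipped with probability 1 − p_guess; the resulting accuracy gap is the toy analogue of the gap between the blue and red curves in the figures.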

Advantage over CPUFs
First, our simulation results show a considerable advantage of our construction over CPUFs, even when constructed from off-the-shelf, low-cost CPUFs. We summarise our numerical results on the advantage of the HLPUF over the underlying CPUF in Figures 5 and 6. In each of the plots in these figures, the X-axis denotes the number of CRPs used for the forgery, and the Y-axis denotes the accuracy of the forgery. The blue curves in each sub-figure represent the forging accuracy of the underlying CPUF, the red curves the forging accuracy of the HPUF against the general adaptive adversary, and the green curves the forging accuracy of the HLPUF against general adaptive adversaries. From these plots, it is evident that without the quantum lock, the HPUF provides only a very small advantage over the underlying CPUF. This implies that quantum communication alone is not sufficient to provide a substantial security boost. However, the gap between the blue curve and the green curve in each of the plots of Figures 5 and 6 shows the importance of the quantum lock in providing a much higher security boost.
The simulation results show that if the adversary has enough challenge-response pairs from the HLPUF, then it can eventually forge the HLPUF. However, to forge the HLPUF, the adversary needs to perform measurements to extract the classical information from the quantum states, i.e., the outcomes of the HLPUF. These measurements can disturb the quantum states, and if a measurement is unsuccessful, the authentication also fails. This differs from the classical scenario, where the adversary can remain undetected and still succeed in the forgery. We refer to this property as the cheat-sensitivity of the HLPUFs. Due to this property, we can safely use the HLPUFs in practice many more times than Figures 5 and 6 predict.

In Figure 7a, we observe that if we increase the value of k in the underlying k-XOR PUFs, then the adversary requires more challenge-response pairs for a successful forgery. This observation suggests that one possible way to enhance the security of the HLPUFs is to use more secure classical PUFs; hence, we elaborate on the effect of different values of k on the HLPUF forgery. Moreover, the red plot in this figure also suggests that one can improve the security of HLPUFs significantly just by increasing the input size of the HLPUFs.
We also explore another possible way to improve the security of the HLPUFs. The idea is to use a more sophisticated encoding than mapping two classical bits into a quantum state |ψ⟩ ∈ {|0⟩, |1⟩, |+⟩, |−⟩}. Here we use the concept of Mutually Unbiased Bases (MUBs) [5] of dimension d = 4 or d = 8 for the encoding. For dimension d = 4 (d = 8), we encode four (six) classical bits into a two-qubit (three-qubit) quantum state. We describe the encoding procedure in detail in the supplementary materials (see Section G.2). Intuitively, the higher the dimension of the encoding, the harder the extraction becomes for the adversary. In Figure 7b, we show the impact of this encoding on the forging probability. Specifically, we show an interesting simulation result in Figure 8, where we use only a 32-bit-input 5-XOR PUF as the underlying CPUF. For such CPUFs, the total number of possible challenges is 2^32 ≈ 4.3 × 10^9. In Figure 8, we observe that the underlying CPUF can be forged using only 5000 CRPs. On the other hand, for the forgery of the HLPUF, the adversary requires almost 10^6 queries, i.e., almost all the CRPs. We can enhance the security of the HLPUFs further by using higher-dimensional MUBs.

Discussion
In this paper, we proposed a new practical way to enhance the security of PUFs using quantum communication technology and showed a new use case for quantum communication that benefits from both provability and practicality. We classify adversaries into adaptive and weak adversaries based on their querying capabilities. This classification is not only useful in the proof reductions but also provides a step-by-step path towards a provably secure PUF against the strongest possible quantum adversaries. By harnessing the power of quantum information theory, we propose a construction for a hybrid PUF with classical challenges and quantum responses. The main idea is to encode the output of a classical PUF into non-orthogonal quantum states. We show that to forge the HPUF, any q-query weak adversary first needs to extract the classical string f(x) from the outcome of the HPUF, and then tries to forge the CPUF using that extracted data. Due to the indistinguishability of non-orthogonal quantum states, the adversary introduces extra randomness into the outcome of the CPUF, which in turn complicates the forging task for any QPT adversary. We have established the result under the assumption that, for q random outcomes of the HPUF, if the distance between the outcomes of the CPUF and the outcomes extracted from the HPUF is above a threshold ε, then no QPT adversary can forge the HPUF. Under this assumption, we show that the probability of forging the HPUF is exponentially smaller than that of forging the CPUF. This is a provable exponential gap that is only achievable via quantum communication. We also instantiated our HPUF design using a real-world CPUF family called XOR-PUFs. In Figure 5 and Figure 6, we show the gap in the number of queries the adversary needs to forge the HPUF compared to the underlying CPUF. As displayed in those figures, the probability of the HPUF being fully broken is considerably smaller than that of its underlying CPUF.
However, using an enormous number of samples, the adversary eventually forges the HPUF, consistent with the assumption underlying our theoretical result. A more sophisticated encoding can widen this gap: in Figure 8, we show that encoding the outcome of the CPUF with a dimension-8 MUB enhances this gap substantially.
In PUF-based authentication protocols, one important issue (both for classical and quantum PUFs) is that an adaptive adversary can query the PUF with arbitrary input challenges. This permits such an adversary to efficiently learn and emulate the input/output behaviour of the targeted PUF. We solve this problem with our quantum locking mechanism, leading to our HLPUF construction as discussed.
In our proposed authentication protocol, we prove security against adaptive adversaries. The advantage is twofold: on the one hand, quantum information theory upper-bounds the probability of learning information about a quantum state, in contrast to the classical-PUF setting. On the other hand, the implementation of hybrid PUFs is practical today with existing quantum communication technology.
Another advantage of the hybrid locked construction is the reusability of the challenge-response pairs, which was impossible prior to this work for similar protocols. Therefore, with our solution, a server can perform secure client authentication for an extended period without exhausting its CRP database. This result overcomes a fundamental drawback of the existing classical PUF-based authentication protocols while putting forward a novel and practical use case for our HLPUF construction, as well as a unique feature enabled solely by quantum communication.
The no-cloning property of quantum states also prevents passive adversaries from intercepting and storing the qubits for forgery without being detected by the server or client. Unlike the classical setting, quantum communication forces all adversaries to behave like active ones. In general, it is impossible for adversaries to extract information about the outcome of the underlying classical PUF from the outcome of the HLPUF without being detected. This makes our HLPUF protocol cheat-sensitive, providing another advantage over CPUF-based authentication protocols.
The quantum communication part of our HLPUF construction relies on conjugate coding, which is used in quantum key distribution (QKD) protocols. QKD is one of the most mature quantum technologies. Long-distance QKD networks are already implemented and used in countries and regions such as the USA, the UK, China, the EU, and Japan [16,48,55,59,65]. Many commercially available QKD infrastructures provide almost 300 kb/s secret-key rate over optical-fibre links of length 120 km [26]. Moreover, the availability of mature on-chip QKD technology [12,56,57] makes all the constructions proposed in this paper implementable using existing quantum technology. Our results show that combining off-the-shelf classical PUF technology with QKD technology can partially solve significant shortcomings of the device authentication problem in a quantum network.
In this work, we show that our HLPUF construction makes today's insecure classical PUFs secure, with the help of quantum conjugate coding and lockdown techniques, against present and future powerful quantum adversaries. However, all of our results are based on ideal implementations of the protocol. The next research direction will be to explore the performance of our HLPUF-based authentication protocol under channel noise and with imperfect single-photon sources. Yet another intriguing research direction will be the design of robust variants of our protocol. Like some QKD protocols, our HLPUF becomes vulnerable to photon-number-splitting attacks if the source suffers from multi-photon emission. Therefore, a further study of the feasibility and practicality of hybrid PUF constructions is an important future direction for bringing this technology from theory to practice.
Another interesting question arises in terms of the engineering design of the HLPUF, where a lockdown technique is exploited to prevent adaptive queries by network adversaries during usage. Explicitly, as a stand-alone construction, the HLPUF implies a tamper-proof box where the underlying CPUF, as well as the quantum measurement and preparation apparatus, are under protection, except for the locked interface. A relevant question here is how a server can obtain a classical database of the HLPUF given such a tamper-proof environment. We argue that this is not an issue in the context of our proposed protocol and under the formal assumptions for which the protocol provides security guarantees. Firstly, we note that in the proposed protocols the manufacturer, the server, and the client are all honest parties, and the construction of the HLPUF can be seen as a recipe for an honest manufacturer/server to build such a mechanism from a potentially insecure CPUF, while, per our adversarial model, the CPUF should not be queried directly at any point during the protocol. One can reasonably assume that the server first obtains the classical database of the underlying CPUF prior to assembling the HLPUF construction, and then, after assembling and sealing the box, transfers it to the client. We emphasise that such considerations do not affect the security guarantees of the protocol, as they have been taken into account in our network adversarial model. Nonetheless, we also propose an alternative solution that can be implemented at the hardware engineering level to ensure our assumptions are met while enabling the HLPUF to operate as a stand-alone hardware token, and not just within our given protocol. This can be achieved by the manufacturer integrating a programmable read-only memory (PROM) based device inside the HLPUF during assembly.
A PROM is a type of non-volatile classical memory chip that permits data to be written only once after the device's manufacture [4,32]. Once a PROM is programmed, its content cannot be changed, which means the data is permanent. In practice, a small piece of PROM with at least 2 registers is needed to enable the HLPUF device to switch between setup and handover modes. The mode-switch procedure can be performed as follows: when the manufacturer produces an HLPUF device within a tamper-proof box, the registers of the PROM are set to value 11, the setup mode, and the device can be queried from outside. Once the mode has been set differently, it can never go back to 11, which would indicate that the HLPUF has been used in setup mode before. In setup mode, the server can query the box with classical queries. On the first classical query, the register internally updates the mode to 01, and the device outputs classical responses for as long as it remains in this mode. After the setup is done, the server can set the value of the registers to 00, in which case the encoding part of the device is activated and the HLPUF outputs the quantumly encoded responses, i.e., $|\psi_{f(x)}\rangle$. Of course, an adversary can do the same by querying the HLPUF classically, setting the registers from 11 to 01. However, this behaviour can easily be detected: when an honest party (server) receives the box, it will not use the HLPUF box if it has ever been in setup mode before. Furthermore, another engineering option is to harness the device wear-out property to create limited access to the underlying CPUF [19]. Finally, we note that the most efficient and practical design for such boxes, although an interesting engineering problem, is beyond the scope of this paper and is a distinct direction for future work.
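The two-register mode-switch logic above can be sketched as a small state machine. The following is an illustrative model only (the class and method names are ours, not from the paper); the essential point is the write-once PROM semantics: a bit may go from 1 to 0 but never back.

```python
class PROMModeSwitch:
    """Write-once mode register for the HLPUF box (illustrative model).
    Modes: '11' = fresh (setup, never queried), '01' = setup mode in use,
    '00' = quantum (handover) mode."""

    def __init__(self):
        self.mode = "11"  # programmed by the manufacturer

    def _write(self, new_mode: str) -> None:
        # enforce write-once semantics: only 1 -> 0 transitions are allowed
        if any(o == "0" and n == "1" for o, n in zip(self.mode, new_mode)):
            raise ValueError("PROM bits cannot be re-set to 1")
        self.mode = new_mode

    def classical_query(self, challenge: str) -> str:
        if self.mode == "00":
            raise PermissionError("quantum mode: classical interface is locked")
        if self.mode == "11":
            self._write("01")  # first classical query leaves a permanent trace
        return f"cpuf_response({challenge})"  # placeholder for the CPUF output

    def handover(self) -> None:
        # after building its CRP database, the server seals the box
        self._write("00")

    def is_fresh(self) -> bool:
        # an honest server only trusts a box that was never queried before
        return self.mode == "11"
```

Because `_write` rejects any 0-to-1 transition, a box that has ever left the fresh state 11 carries a permanent, detectable trace, which is exactly the detection mechanism described above.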

Appendix A Overview
In the supplementary materials, we provide all the formal definitions and constructions, security proofs, and other detailed technical results. The structure is as follows: first, in Appendix B we introduce some of the basic notions and tools from quantum information and the PUF literature that we use later. In Appendix C we give a detailed description of adaptive and weak quantum adversaries, in the most general case of the unforgeability game where all the learning queries are density matrices; we also give a more detailed version of the quantum unforgeability game with adaptive and weak adversaries. In Appendix D and Appendix E we give the formal descriptions of the HPUF and HLPUF constructions respectively, and in Appendix E.2 we present the main results of the paper formally. In Appendix F, we discuss the challenge reusability result in further detail, and in Appendix I.6 we first give a brief introduction to the entropic uncertainty relations that have been used in the quantum information literature for different purposes, such as the security proofs of QKD protocols; we then establish a formal version of Theorem 5 in terms of the described uncertainty quantities, and finally give a fully detailed proof of this theorem, which we use to establish the challenge reusability property of our HLPUF-based protocol. In Appendix G we discuss our simulation results more extensively, including technical details about the effect of different quantum encodings. In Appendix H we investigate the lockdown technique on quantum PUFs and establish a general no-go result. Finally, in Appendix I we give the full and detailed security proofs for the theorems in Appendix E.2, including the proofs of Theorem 1, Lemma 1, Lemma 2, and Lemma 3.

Appendix B Preliminaries
In this section, we discuss some of the main concepts and definitions that we rely upon in the paper.

B.1 Quantum information tools
Quantum states are denoted as unit vectors in a Hilbert space $\mathcal{H}$. Any d-dimensional Hilbert space admits an orthonormal basis of d vectors. We say a quantum state is pure if it is described by a single vector in the Hilbert space. On the other hand, a mixed quantum state is described as a probability distribution over different pure quantum states, represented as a density matrix $\rho \in \mathcal{H}_d$. If a quantum state can be written as the tensor product of all its subsystems, we say that the state is separable; otherwise, it is referred to as an entangled state.
If a quantum resource takes an input $\rho_{in} \in \mathcal{H}^{d_{in}}_A$ and produces an output $\rho_{out} \in \mathcal{H}^{d_{out}}_B$, we use a completely positive and trace-preserving (CPTP) map $\mathcal{E}$ to describe the general quantum transformation $\rho_{out} = \mathcal{E}(\rho_{in})$. The measurement of a quantum state is defined by a set of operators $\{M_i\}$ satisfying $\sum_i M_i^\dagger M_i = I$, where $M_i^\dagger$ is the conjugate transpose of $M_i$. The probability of obtaining measurement result $i$ on a quantum state $|\psi\rangle$ is $p(i) = \langle\psi| M_i^\dagger M_i |\psi\rangle$. An important property of quantum states is the impossibility of creating perfect copies of general unknown quantum states, known as the no-cloning theorem [69]. This is an important limitation imposed by quantum mechanics which is particularly relevant for cryptography. A variation of the same feature makes it impossible to obtain the exact classical description of a quantum state from a single or very few copies; therefore, there is a bound on how much classical information can be extracted from quantum states, known as the Holevo bound [35]. Moreover, distinguishing between two unknown quantum states is also a probabilistic procedure, known in the quantum information literature as quantum state discrimination. The distinguishability of quantum states depends on their distance. There exist several distance measures for quantum states and quantum processes [46]; for the purpose of this paper, we introduce the fidelity, the trace distance, and the diamond norm. The trace distance between two quantum states $\rho$ and $\sigma$ is defined as $D(\rho, \sigma) = \frac{1}{2}\mathrm{Tr}|\rho - \sigma|$. The fidelity of mixed states $\rho$ and $\sigma$ is defined by the Uhlmann fidelity [46] $F(\rho, \sigma) = \left(\mathrm{Tr}\sqrt{\sqrt{\rho}\,\sigma\sqrt{\rho}}\right)^2$, which reduces to $|\langle\psi|\phi\rangle|^2$ for two pure quantum states $|\psi\rangle$ ($\rho = |\psi\rangle\langle\psi|$) and $|\phi\rangle$ ($\sigma = |\phi\rangle\langle\phi|$). The fidelity is bounded as $0 \le F(\rho, \sigma) \le 1$: $F(\rho, \sigma) = 0$ when $\rho$ and $\sigma$ are orthogonal, and $F(\rho, \sigma) = 1$ when they are identical.
In this paper, we denote all verification algorithms for checking the equality of two quantum states via a distance measure as a CPTP map $\mathrm{Ver}: \mathcal{H}_d \otimes \mathcal{H}_d \to \{0, 1\}$. For any two states $\rho_1, \rho_2 \in \mathcal{H}_d$ and a threshold distance $\delta$, this mapping outputs 1 (accept) if $D(\rho_1, \rho_2) \le \delta$, and 0 (reject) otherwise.
This general verification also includes measurements of quantum states as verification algorithms, since it has been defined as a general CPTP map. Finally, we mention the SWAP test [11] as a quantum circuit for implementing the verification algorithm Ver(.) above. The SWAP test circuit uses the controlled version of a swap gate, which swaps the order of two quantum states if the control qubit is $|1\rangle$. The circuit outputs $|0\rangle$ with probability $\frac{1}{2} + \frac{1}{2}F(|\psi\rangle, |\phi\rangle)$ and outputs $|1\rangle$ with probability $\frac{1}{2} - \frac{1}{2}F(|\psi\rangle, |\phi\rangle)$. As can be seen, the success probability of this test depends on the fidelity of the states. This occurs because of the quantum nature of these states and of measurement in quantum mechanics.
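For concreteness, the SWAP test statistics can be reproduced numerically. The sketch below is our own illustration using numpy: it builds the three-qubit circuit (Hadamard on the control, controlled-SWAP, Hadamard again) for single-qubit pure-state inputs and returns the probability of measuring the control in $|0\rangle$, which equals $\frac{1}{2} + \frac{1}{2}|\langle\psi|\phi\rangle|^2$.

```python
import numpy as np

def swap_test_p0(psi: np.ndarray, phi: np.ndarray) -> float:
    """Probability that the SWAP test on two single-qubit pure states
    outputs |0> on the control qubit: 1/2 + |<psi|phi>|^2 / 2."""
    H = np.array([[1, 1], [1, -1]]) / np.sqrt(2)
    # controlled-SWAP on (control, a, b); basis order is |c a b>
    cswap = np.eye(8)
    swap2 = np.zeros((4, 4))
    for a in range(2):
        for b in range(2):
            swap2[2 * b + a, 2 * a + b] = 1  # |a b> -> |b a>
    cswap[4:, 4:] = swap2                    # apply SWAP only when c = 1
    state = np.kron(np.array([1, 0]), np.kron(psi, phi)).astype(complex)
    # rightmost factor acts first: H on control, CSWAP, H on control
    U = np.kron(H, np.eye(4)) @ cswap @ np.kron(H, np.eye(4))
    out = U @ state
    # probability of control = |0>: amplitudes of the first four basis states
    return float(np.sum(np.abs(out[:4]) ** 2))
```

Identical states give probability 1, orthogonal states give 1/2, and $|0\rangle$ versus $|+\rangle$ gives 3/4, matching the formula above.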

B.2 Models for PUF
A Physically Unclonable Function is a secure hardware cryptographic device that is, by assumption, hard to clone or reproduce. Here we first give the mathematical model for classical PUFs, and then briefly mention their quantum analogue, known as a quantum PUF (QPUF), as defined in [2]. As classical PUFs are usually defined via probabilistic functions, due to their inherent physical randomness, we first define the notion of a probabilistic function as follows.
Definition 1 (Probabilistic Function). A probabilistic function is a mapping $f : \mathcal{R} \times \mathcal{X} \to \mathcal{Y}$ with an input space $\mathcal{X}$, a random coin space $\mathcal{R}$, and an output space $\mathcal{Y}$.
For a fixed input $x \in \mathcal{X}$ and a random coin (or key) $R \leftarrow \mathcal{R}$, we define the probability distribution of the output random variable $f(x) := f(R, x)$ over all $y \in \mathcal{Y}$ as $p^f_x(y) = \Pr_{R \leftarrow \mathcal{R}}[f(R, x) = y]$. A classical PUF can be modelled as a probabilistic function $f : \mathcal{R} \times \mathcal{X} \to \mathcal{Y}$, where $\mathcal{X}$ is the input space, $\mathcal{Y}$ is the output space of f, and $\mathcal{R}$ is the identifier. The creation of a classical PUF is formally expressed by invoking a manufacturing process $f \leftarrow \mathsf{MP}_C(\lambda)$, where $\lambda$ is the security parameter.
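The distribution $p^f_x(y)$ can be illustrated with a toy probabilistic function. The snippet below is a stand-in model of our own (the mixing constants are arbitrary and do not correspond to any real PUF): it samples the random coin R and estimates the output distribution for a fixed challenge x by Monte Carlo.

```python
import random
from collections import Counter

def f(r: int, x: int) -> int:
    """Toy probabilistic function f: R x X -> Y with an 8-bit output.
    The coin r stands in for the physical randomness of a PUF instance;
    the odd multiplier is an arbitrary mixing constant."""
    return ((r * 2654435761) ^ (x * 40503)) & 0xFF

def p_f_x(x: int, samples: int = 50000) -> dict:
    """Monte-Carlo estimate of p^f_x(y) = Pr_{R <- R}[f(R, x) = y]."""
    counts = Counter(f(random.getrandbits(16), x) for _ in range(samples))
    return {y: c / samples for y, c in counts.items()}
```

For this toy f the estimated distribution is close to uniform over the 256 possible outputs, i.e. $p^f_x(y) \approx 2^{-8}$ for every y.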
To model a classical PUF f in terms of security primitives, Armknecht et al. [3] define some requirements which are parameterized by thresholds $\delta_i$ and a negligible function $\epsilon(\lambda) \le \lambda^{-c}$, where $c > 0$ and $\lambda$ is sufficiently large. Note that the requirements in our paper correspond to the intra- and inter-distance requirements of the PUF f.

Definition 2.
The classical PUF $f : \mathcal{R} \times \mathcal{X} \to \mathcal{Y}$ with $(\mathsf{MP}_C, \delta_1, \delta_2, \delta_3, \epsilon, \lambda)$ satisfies the requirements defined below, where $\mathrm{Dist}(\cdot, \cdot)$ is a general notion of distance between the responses.

Requirement 1 ($\delta_1$-Robustness). Whenever a single classical PUF is repeatedly evaluated on a fixed input, the maximum distance between any two outputs $y_i \leftarrow f(x)$ and $y_j \leftarrow f(x)$ is at most $\delta_1$. That is, for a created PUF f and $x \in \mathcal{X}$, it holds that $\Pr[\mathrm{Dist}(y_i, y_j) \le \delta_1] \ge 1 - \epsilon(\lambda)$.

Requirement 2 ($\delta_2$-Collision Resistance). Whenever a single classical PUF is evaluated on different inputs, the minimum distance between any two outputs $y_i \leftarrow f(x_i)$ and $y_j \leftarrow f(x_j)$ is at least $\delta_2$. That is, for a created PUF f and $x_i \ne x_j \in \mathcal{X}$, it holds that $\Pr[\mathrm{Dist}(y_i, y_j) \ge \delta_2] \ge 1 - \epsilon(\lambda)$.

Requirement 3 ($\delta_3$-Uniqueness). Whenever any two classical PUFs are evaluated on a single, fixed input, the minimum distance between any two outputs $y_i \leftarrow f_i(x)$ and $y_j \leftarrow f_j(x)$ is at least $\delta_3$. That is, for created PUFs $f_i \ne f_j$ and $x \in \mathcal{X}$, it holds that $\Pr[\mathrm{Dist}(y_i, y_j) \ge \delta_3] \ge 1 - \epsilon(\lambda)$.
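The intra- and inter-distance requirements can be checked empirically on a simulated PUF. In the sketch below (a toy model of our own, with an assumed 2% bit-flip noise rate, not a real device), robustness corresponds to the Hamming distance between repeated evaluations of one PUF on one challenge, and uniqueness to the distance between two different PUFs on the same challenge.

```python
import random

def hamming(a: int, b: int, n: int = 64) -> int:
    """Hamming distance between two n-bit responses."""
    return bin((a ^ b) & ((1 << n) - 1)).count("1")

def puf_eval(seed: int, challenge: int, noise: float = 0.02, n: int = 64) -> int:
    """Simulated PUF: a deterministic per-(seed, challenge) ideal response
    plus independent bit-flip noise on each evaluation."""
    rng = random.Random((seed << 32) ^ challenge)
    ideal = rng.getrandbits(n)
    flips = sum(1 << i for i in range(n) if random.random() < noise)
    return ideal ^ flips

# Requirement 1 (robustness): repeated evaluations of one PUF, one challenge
intra = max(hamming(puf_eval(1, 7), puf_eval(1, 7)) for _ in range(100))

# Requirement 3 (uniqueness): two different PUFs, same challenge
inter = min(hamming(puf_eval(1, 7), puf_eval(2, 7)) for _ in range(100))
```

With these parameters the intra-distance stays near a few bits while the inter-distance stays near n/2 = 32 bits, illustrating the required separation $\delta_1 < \delta_3$.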
We also introduce a notion of randomness for the classical PUF f. Informally, it bounds the maximal probability $p^f_x(y)$ of any output $y \in \mathcal{Y}$ for an input $x \in \mathcal{X}$, conditioned on the residual output space. A formal definition is as follows.

Definition 3 (p-Randomness).
We define the p-randomness of a classical PUF $f : \mathcal{R} \times \mathcal{X} \to \mathcal{Y}$ as $p = \max_{x \in \mathcal{X}} \max_{y \in \mathcal{Y}} p^f_x(y)$. For a valid model of a PUF, $\delta_1 < \delta_2$ and $\delta_1 < \delta_3$ are necessary conditions, allowing a clear distinction between different inputs and different PUFs.
A quantum PUF is again a hardware primitive that is unclonable by assumption and that also utilises the properties of quantum mechanics. Similar to a classical PUF, a QPUF is assessed via challenge-response pairs (CRPs). However, in contrast to a classical PUF, where the CRPs are classical, the QPUF CRPs are quantum states. Moreover, the evaluation algorithm of a QPUF is modelled by a general quantum transformation, i.e., a CPTP map that produces an output in the form of a quantum state. Similar to its classical counterpart, a quantum transformation needs to satisfy a few requirements, such as robustness, collision resistance, and uniqueness, to be considered a QPUF. The focus of this paper is not on fully quantum PUFs; only in Appendix H, where we discuss the feasibility of the lockdown technique for general quantum PUFs, do we use the QPUF as defined in [2].

Appendix C Unforgeability against Adaptive and Weak Adversaries

C.1 Models for adaptive and weak adversaries
In this paper, we only consider the network adversarial model, i.e., the adversary has only access to the communication channel. Moreover, we assume that the manufacturer of the PUF is honest. The network adversaries can get the challenge-response pairs just by intercepting the messages that are exchanged between the server and the clients. They can also pretend to be the server and make queries to the PUF on the client side with a challenge and get the response.
Any network adversary that tries to predict the response of a PUF $E : \mathcal{D}_{in} \to \mathcal{D}_{out}$ can be modelled as an interactive algorithm. Here we consider Quantum Polynomial-Time (QPT) adversaries that have q-query classical access to the evaluation of the PUF, where q is polynomial in the security parameter. An adaptive adversary can choose and issue any arbitrary query (up to q queries), which may also depend on the previous responses received from the PUF. On the other hand, a weak (non-adaptive) adversary cannot choose the queries and instead receives q CRPs of E. In this case, the queries are picked uniformly at random by an honest party and sent to the adversary.

C.2 Unforgeability with game-based security
Unforgeability is the main security property of PUFs. It means that, given a subset of challenge-response pairs of the target PUF, the probability of correctly estimating a new challenge-response pair is negligible in the security parameter. Unforgeability has been defined for classical PUFs in [3] and for quantum PUFs in [2] as a game-based definition. Moreover, a general game-based framework for quantum unforgeability has been defined in [22] for both quantum and classical primitives in an abstract way. Following these previous works, we present a game-based unforgeability definition for PUFs, emphasising the adversary's capabilities in the learning phase and capturing both adaptive and weak adversaries as defined in the previous section. We define the unforgeability of a PUF as a formal game between two parties: a challenger (C) and an adversary (A). The game is divided into four phases: Setup, Learning, Challenge, and Guess. A formal description is given as follows: Game 1 (Universal Unforgeability of PUF). Let MP be the manufacturing process, Ver(.) be a verification algorithm for checking the responses, and λ the security parameter. We define the following game $G_{PUF}(A, \lambda)$ running between an adversary A and a challenger C: • Setup phase.
-C selects a manufacturing process MP and security parameter λ. Then C creates a PUF by E ← MP(λ), which is described by a CPTP map. The challenge and response domain D in and D out are shared between C and A.
• Learning phase.
-If the adversary is adaptive, A = A ad : * A ad selects any desired challenge $c_i \in \mathcal{D}_{in}$ and issues it to C (up to q queries). * C queries the PUF with each challenge $c_i$ and sends the response $r_i = E(c_i) \in \mathcal{D}_{out}$ back to A ad.
-If the adversary is weak (non-adaptive), A = A weak : * C selects a challenge c i ∈ D in uniformly at random from D in and independent of i. * C queries the PUF with c i and produces the response r i = E(c i ).

* C issues to A weak the set of random challenges and their respective responses $\{(c_i, r_i)\}_{i=1}^{q}$.
• Challenge phase.
-C chooses a challenge $\tilde{c}$ uniformly at random from the challenge domain $\mathcal{D}_{in}$.
-C issues $\tilde{c}$ to A.
• Guess phase.
-For the challenge $\tilde{c}$, A produces a forgery $\tilde{r}$ and sends it to C.
-C runs the verification algorithm $b \leftarrow \mathrm{Ver}(\tilde{r}, E(\tilde{c}))$, where $b \in \{0, 1\}$.
The above game is the abstract version of the unforgeability game that can be used for different classical or quantum PUFs and with different challenge types. For instance, the learning-phase challenges $c_i$ can be classical bit-strings or quantum states, in which case the domain $\mathcal{D}_{in}$ will be a Hilbert space. Here we mostly focus on the notions of classical and hybrid PUFs; as a result, we do not need the full generalisation to the quantum setting. Nevertheless, for the sake of completeness, we also give a fully quantum version of this game-based definition in Appendix C.3.
Note that in this game the adversary cannot arbitrarily choose the challenge in the challenge phase; hence the name universal unforgeability. By comparison, there are other notions of unforgeability, e.g., unconditional unforgeability and existential unforgeability [2]. Unconditional unforgeability models the PUF against an unbounded adversary with unlimited queries during the learning phase, which is the strongest notion of unforgeability. The difference between existential and universal unforgeability is that under existential unforgeability the adversary may choose the challenge during the challenge phase, instead of the challenger choosing it. Even though universal unforgeability is the weakest of the three, it is sufficient for most PUF-based applications.
Finally, we define game-based security in terms of universal unforgeability in this setting:

C.3 Unforgeability game for general quantum PUF against adaptive and weak adversary
In this appendix, we introduce the fully quantum unforgeability game against adaptive and weak (non-adaptive) adversaries. Any adversary that tries to predict the response of a PUF $\mathcal{E} : \mathcal{H}^{d_{in}} \to \mathcal{H}^{d_{out}}$ can be modelled as an interactive algorithm. Here we consider Quantum Polynomial-Time (QPT) adversaries that have q-query access to the evaluation of the PUF $\mathcal{E}$, where q is polynomial in the security parameter. An adaptive adversary can choose and issue any arbitrary query, which may also depend on the previous responses received from the PUF. On the other hand, a weak (non-adaptive) adversary cannot choose the queries and instead receives q input/output states of $\mathcal{E}$. In the case that all the queries are quantum, the post-learning-phase database of a weak adversary can easily be modelled by the definition. However, an adaptive quantum adversary is likely to consume the quantum state of the response in order to pick the next query adaptively; hence, modelling the post-query database of an adaptive quantum adversary is more challenging. In what follows we give a q-query mathematical model for adaptive and weak adversaries.

Such an adversary is called an adaptive adversary $\mathcal{A}_{ad}$ if, for all random coins $r \in \mathcal{R}$, each query may depend on the responses to the previous queries. In contrast, a weak adversary has no choice over the queries, i.e., all the queries $\bigotimes_{i=1}^{q} \rho^{in}_i$ are chosen following a distribution R, and a third party chooses the distribution.
Intuitively, an adaptive adversary $\mathcal{A} : \mathcal{R} \times (\mathcal{H}^{d_{in}})^{\otimes q} \otimes (\mathcal{H}^{d_{out}})^{\otimes q} \to \mathcal{H}^{d_{in}}$ captures the strategy of choosing the query input $\rho^{in}_{q+1} \in \mathcal{H}^{d_{in}}$ to the PUF $\mathcal{E}$. The adversary can use these query-response pairs to predict the output of the PUF. We call the pair $(\bigotimes_{i=1}^{q} \rho^{in}_i, \bigotimes_{i=1}^{q} \rho^{out}_i)$, generated after q rounds of interaction between an adversary $\mathcal{A}$ and a PUF $\mathcal{E}$, a transcript. Note that the transcripts depend on the choice of the random coins of $\mathcal{A}$.
Similar to Game 1, we define the unforgeability of a PUF as a formal game between two parties: a challenger (C) and an adversary (A). The difference here is that our adversaries are defined according to Definition 6. A formal description is given as follows: Game 2 (Universal Unforgeability of PUF). Let MP be the manufacturing process, Ver(.) be a verification algorithm for checking the responses, and λ the security parameter. We define the following game $G_{PUF}(A, \lambda)$ running between an adversary A and a challenger C: • Setup phase.
-C selects a manufacturing process MP and security parameter λ. Then C creates a PUF by E ← MP(λ), which is described by a CPTP map. The challenge and response domain H d in and H dout are shared between C and A.
-If the adversary is adaptive, A = A ad : * A ad selects and prepares an initial state $\rho^{in}_0 \in \mathcal{H}^{d_{in}}$, while having full access to the preparation algorithm. * A ad issues to C the initial challenge state $\rho^{in}_0 \otimes \rho_{anc}$, where $\rho_{anc}$ is an initially blank state. * C queries the PUF with $\rho^{in}_0$ and sends the response $(\mathcal{E} \otimes I)\rho^{in}_0 \otimes \rho_{anc}$ back to A ad. * For the next challenges ($i > 0$), the adaptive adversary A ad produces a new challenge for the next query as $\rho^{in}_i = \mathcal{A}^{r_i}_i((\mathcal{E} \otimes I)\rho^{in}_{i-1})$ and issues it to C.
• Challenge phase.
-C issues a challenge state $\rho_c$ to A.
• Guess phase.
-For the challenge $\rho_c$, A produces its forgery $\sigma_r \leftarrow \mathcal{A}(1^\lambda, \rho_c, \{(\rho^{in}_i, \rho^{out}_i)\})$ and sends it to C.
-C runs a verification algorithm $b \leftarrow \mathrm{Ver}(\sigma_r, \rho_r, \rho_C)$ to check the fidelity of the responses, where $\rho_r = \mathcal{E}(\rho_c)$ is the correct output, $\rho_C$ is the local register of the challenger, which can include extra copies of the correct output if necessary for the verification, and $b \in \{0, 1\}$.
Finally, the security definitions can be given based on this game, similar to Definitions 4 and 5.

Appendix D Formal construction of HPUF
We illustrated our HPUF construction in the main text. Here, in Construction 1, we give the formal description of our HPUF design, which is based on conjugate coding [67]. For our construction, we start with a classical PUF (CPUF) that has a certain amount of randomness (also referred to as min-entropy). To increase the min-entropy further, we encode the output of the CPUF into non-orthogonal quantum states and send the qubits through the communication channel. We refer to the entire system, i.e., the CPUF together with the quantum encoding, as a hybrid PUF (HPUF).
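A minimal sketch of the conjugate-coding step might look as follows. This is our illustration only: the pairing of data and basis bits is an assumed convention (the paper's formal Construction 1 fixes the exact mapping). Each pair of CPUF output bits selects one of the four BB84 states, and verification measures the qubit in the basis named by the basis bit.

```python
import numpy as np

# the four BB84 states, indexed by (data bit, basis bit)
KET = {
    (0, 0): np.array([1.0, 0.0]),                  # |0>
    (1, 0): np.array([0.0, 1.0]),                  # |1>
    (0, 1): np.array([1.0, 1.0]) / np.sqrt(2),     # |+>
    (1, 1): np.array([1.0, -1.0]) / np.sqrt(2),    # |->
}

def hpuf_encode(cpuf_output: str):
    """Encode a 2m-bit classical PUF output into m conjugate-coded qubits.
    Convention assumed here: in each bit pair, the first bit is the data
    bit and the second selects the basis (Z or X)."""
    assert len(cpuf_output) % 2 == 0
    bits = [int(b) for b in cpuf_output]
    return [KET[(bits[i], bits[i + 1])] for i in range(0, len(bits), 2)]

def verify_qubit(qubit: np.ndarray, data_bit: int, basis_bit: int) -> bool:
    """Measure one qubit in the basis named by basis_bit and compare the
    outcome with the expected data bit (ideal, noiseless measurement)."""
    expected = KET[(data_bit, basis_bit)]
    prob_match = abs(np.vdot(expected, qubit)) ** 2
    return np.random.random() < prob_match
```

A party holding the classical database always verifies successfully, while an adversary ignorant of the basis bits necessarily measures half of the qubits in the wrong basis on average.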

Appendix E Hybrid Locked PUF
In this section, we give the first construction of a lockdown mechanism in the quantum setting. We use our proposed HPUF construction to increase the security of classical PUFs against quantum adversaries, and we combine it with our quantum locking mechanism to construct a Hybrid Locked PUF (HLPUF) that resists powerful quantum adaptive adversaries. We then give an HLPUF-based authentication protocol and analyse its security.

E.1 Lockdown technique for Hybrid PUF
In Construction 2 we show how to apply the lockdown technique to a hybrid PUF. We refer to such HPUFs with the lockdown technique as hybrid locked PUFs (HLPUFs). We formalise the construction as follows, where Ver(., .) is a verification algorithm that checks the equality of the first half of the response against the classical response $y^1_i$. To be precise, in our construction Ver(., .) measures each qubit of the incoming quantum state in the basis determined by $\{y_{i,2j}\}_{1 \le j \le 2m}$ of the response $y_i$ and checks the equality $\mathrm{Equal}(y_{i,2j}, \tilde{y}_{i,2j})_{1 \le j \le 2m}$. Figure S1: Hybrid Locked PUF (HLPUF) $E^L_f$. The verification algorithm Ver(., .) is specified by measurement as described in Construction 2.

E.2 Security Analysis
In this section, we give a comprehensive security analysis of the previously proposed constructions. First, we show that using hybrid construction will exponentially improve the security of classical PUFs. More precisely, it will exponentially decrease the success probability of a quantum adversary in the universal unforgeability game, compared to a classical PUF with the same number of learning queries. Further, we show how much quantum communication can improve the security of a weaker classical PUF and as a result propose an efficient and secure construction that can be built using existing classical PUFs. Finally, we analyse the completeness and security of the hybrid PUF-based device authentication protocol and show that under the assumption that the inherent classical PUF resists the weak quantum adversary, the HLPUF-based protocol will be secure against an adaptive adversary.

E.2.1 Assumptions on the CPUFs
For the security analysis of our constructions, we make the following assumption on the CPUFs:
1. For any input $x \in \{0,1\}^n$, the probability distributions of the 4m output bits $f(x)_1, \ldots, f(x)_{4m}$ are independent and identically distributed (i.i.d.).

E.2.2 Security of the HPUFs against weak adversaries
Intuitively, the security of our HPUF comes from the indistinguishability of non-orthogonal quantum states. In Theorem 1, we first show that HPUFs are at least as secure as their underlying CPUFs. Here we only give the proof sketch; the detailed proof appears in Appendix I.2.
Theorem 1. Let $f : \{0,1\}^n \to \{0,1\}^{2m}$ be a classical PUF. If no QPT weak adversary can win the universal unforgeability game for the CPUF with more than negligible probability in the security parameter, then the HPUF constructed from f according to Construction 1 is also universally unforgeable.
Proof Sketch. We prove the theorem via a contrapositive argument, i.e., we show that if any QPT weak adversary can forge the HPUF, then it can also forge the underlying CPUF efficiently. If any QPT weak adversary can forge the HPUF, i.e., win the universal unforgeability game with non-negligible probability, then for a random challenge $x^* \in_R \{0,1\}^n$ it can produce the correct output state $|\psi_{f(x^*)}\rangle$. Note that the adversary can produce multiple copies of the output state $|\psi_{f(x^*)}\rangle$ by fixing all the internal parameters of its attack algorithm to the same values. The forged quantum state $|\psi_{f(x^*)}\rangle$ is a product of m qubit states, where each qubit belongs to the set $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$.
If the adversary has multiple copies of each qubit, then it can perform full state tomography just by measuring them in the $\{|0\rangle, |1\rangle\}$-basis and the $\{|+\rangle, |-\rangle\}$-basis. Thus, it can learn $f(x^*)$ from $|\psi_{f(x^*)}\rangle$ with probability arbitrarily close to one. Therefore, it can forge the CPUF with non-negligible probability. This concludes the proof sketch; the full proof is given in Appendix I.2.
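The tomography step of the proof sketch can be illustrated numerically: given many copies of one of the four BB84 states, measuring half of them in each basis identifies the state, since exactly one of the two bases yields a deterministic outcome. The sketch below is our own illustration, assuming ideal, noiseless measurements.

```python
import numpy as np

STATES = {
    "0": np.array([1.0, 0.0]), "1": np.array([0.0, 1.0]),
    "+": np.array([1.0, 1.0]) / np.sqrt(2), "-": np.array([1.0, -1.0]) / np.sqrt(2),
}

def measure(state: np.ndarray, basis: str, rng) -> str:
    """Ideal projective measurement in the Z ('z') or X ('x') basis."""
    if basis == "z":
        p0 = abs(state[0]) ** 2
        return "0" if rng.random() < p0 else "1"
    plus = np.array([1.0, 1.0]) / np.sqrt(2)
    p_plus = abs(np.vdot(plus, state)) ** 2
    return "+" if rng.random() < p_plus else "-"

def identify(label: str, copies: int = 200, seed: int = 0) -> str:
    """Given many copies of one BB84 state, measure half in each basis;
    the basis with a deterministic outcome reveals the state."""
    rng = np.random.default_rng(seed)
    state = STATES[label]
    z = [measure(state, "z", rng) for _ in range(copies)]
    x = [measure(state, "x", rng) for _ in range(copies)]
    if len(set(z)) == 1:   # Z outcomes are all equal -> a Z eigenstate
        return z[0]
    return x[0] if len(set(x)) == 1 else "?"
```

With 200 copies per state, the probability that the wrong basis accidentally produces a constant outcome is about $2^{-199}$, so the identification succeeds essentially always, mirroring the "probability arbitrarily close to one" claim in the sketch.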
The above theorem is an intuitive result showing that an HPUF is at least as strong as the underlying CPUF. However, we want to prove a more powerful and explicit statement about HPUFs by quantifying how much the hybrid construction boosts security. In fact, we want to show that one can construct a secure, unforgeable HPUF against a quantum adversary even if the underlying CPUF is breakable (with a certain probability) by a classical forger. To this end, we compare the success probability of a QPT adversary in breaking the HPUF in the universal unforgeability game with the success probability of an adversary who breaks the CPUF with a certain non-negligible probability in a fixed query setting. This allows us to show that some weak and considerably broken CPUFs can still be used to construct an asymptotically secure HPUF against stronger quantum adversaries, since the quantum encoding drastically decreases the success probability.
In Lemma 1, we first give an upper bound on the adversary's probability of guessing the response $f(x_i)$ corresponding to a challenge $x_i$, given a single copy of the quantum response state $|\psi_{f(x_i)}\rangle$. The complete proof can be found in Section I.1.
Lemma 1. Let $f$ be a CPUF whose output bits follow a biased distribution $p = \frac{1}{2} + \delta_r$, where $0 \le \delta_r \le \frac{1}{2}$, and let $E_f$ be the HPUF corresponding to $f$ that we construct using Construction 1. Let a quantum adversary $\mathcal{A}^{i,j}_{guess}$ extract the value $y_{i,(2j-1)}$ out of $(y_{i,(2j-1)}, y_{i,2j})$ from the quantum state $|\psi^{i,j}_{out}\rangle\langle\psi^{i,j}_{out}|$ corresponding to a random challenge $x_i$. If all the output bits of the CPUF are independent and identically distributed, then for any quantum adversary $\mathcal{A}^{i,j}_{guess}$ and for all $x_i \in \{0,1\}^n$, the guessing probability satisfies $p_{guess} \le p(1 + \sqrt{2}p)$.

Lemma 2 shows that, in order to forge the HPUF, the adversary needs to extract the classical information $f(x)$ that is encoded in the quantum state $|\psi_{f(x)}\rangle$. Here we only state the lemma; for the complete proof we refer to Appendix I.3.

Lemma 2. Suppose $|D_q\rangle = \bigotimes_{i=1}^{q} |x_i\rangle \otimes |\psi_{f(x_i)}\rangle$ denotes the adversary's database of $q$ random CRPs that are generated from a HPUF $E_f : \{0,1\}^n \to (\mathcal{H}^2)^{\otimes m}$. If $\mathcal{E}(D_q)$ denotes a measurement strategy that forges the HPUF with probability $p_{forge}$ using the database $D_q$, then the following measure-then-forge strategy forges the HPUF with the same probability $p_{forge}$:
• The adversary extracts the classical encoding $\{f(x_i)\}_{1\le i\le q}$ from $|D_q\rangle$. Let $\{\tilde{f}(x_i)\}_{1\le i\le q}$ denote the extracted classical strings.
• The QPT adversary applies a forging strategy using the extracted data set $\{\tilde{f}(x_i)\}_{1\le i\le q}$.
Lemma 2 suggests that the optimal adversary first needs to extract the classical information from the database state $|D_q\rangle$, and then perform the modelling attack to guess $|\psi_{f(x^*)}\rangle$. In general, if the extracted classical information $\{\tilde{f}(x_i)\}_{1\le i\le q}$ is very far from the original encoded strings $\{f(x_i)\}_{1\le i\le q}$, then it is difficult for the adversary to forge the HPUF based on that noisy data set. Here, we define the distance between $\tilde{D}^x_q$ and $D^x_q$ as the fraction of mismatched responses, $\mathrm{dist}(\tilde{D}^x_q, D^x_q) = \frac{1}{q}\sum_{i=1}^{q} \text{Mis-match}(\tilde{f}(x_i), f(x_i))$, where we define $\text{Mis-match}(\tilde{f}(x_i), f(x_i))$ as follows.
$$\text{Mis-match}(\tilde{f}(x_i), f(x_i)) = \begin{cases} 1 & \text{if } \tilde{f}(x_i) \neq f(x_i), \\ 0 & \text{otherwise.} \end{cases} \quad (20)$$

It is reasonable to assume that no forging strategy running on a noisy database $\tilde{D}^x_q$ with $\mathrm{dist}(\tilde{D}^x_q, D^x_q) > \varepsilon$ can forge the HPUF with a non-negligible probability, where $0 \le \varepsilon \le 1$ is a parameter that quantifies the error threshold. In the next lemma, we give an upper bound on the probability of extracting $\tilde{D}^x_q$ from $|D_q\rangle$ such that $\mathrm{dist}(\tilde{D}^x_q, D^x_q) \le \varepsilon$. Intuitively, a robust HPUF has a low $\varepsilon$, so that an adversary cannot forge it with a noisy data set that is far from the original one; conversely, a weak HPUF corresponds to a high $\varepsilon$.
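The mismatch counting can be sketched in a few lines. This assumes, consistently with the $(1-\varepsilon)q$ threshold used in Lemma 3 below, that the distance is the fraction of extracted responses differing from the originals; `mismatch` and `dist` are illustrative helper names.

```python
def mismatch(extracted, original):
    """Mis-match indicator of Equation (20): 1 if the responses differ, else 0."""
    return 0 if extracted == original else 1

def dist(db_noisy, db):
    """Fraction of the q extracted responses that differ from the original ones."""
    return sum(mismatch(a, b) for a, b in zip(db_noisy, db)) / len(db)

db       = ["0110", "1010", "0001", "1111"]
db_noisy = ["0110", "1011", "0001", "1111"]   # one of four responses corrupted
assert dist(db_noisy, db) == 0.25             # within threshold whenever eps >= 0.25
```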
Lemma 3. Suppose $|D_q\rangle$ denotes the adversary's database of $q$ random CRPs that are generated from a HPUF $E_f : \{0,1\}^n \to (\mathcal{H}^2)^{\otimes m}$. If $\tilde{D}_q$ denotes the noisy classical response set that is extracted from $|D_q\rangle$ such that $\mathrm{dist}(D_q, \tilde{D}_q) \le \varepsilon$ with probability $p_{extract}$, then
$$p_{extract} \le \sum_{k=(1-\varepsilon)q}^{q} \binom{q}{k} (p_{guess})^{2mk} \left(1 - (p_{guess})^{2m}\right)^{q-k},$$
where $p_{guess} \le p(1 + \sqrt{2}p)$ is defined in Lemma 1.
Proof Sketch. A $q$-query weak adversary gets $q$ random outputs from the HPUF $E_f : \{0,1\}^n \to (\mathcal{H}^2)^{\otimes m}$, along with $q$ random $n$-bit strings $X_i \in_R \{0,1\}^n$. Each output state is an $m$-qubit product state, where each qubit belongs to $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, depending on the value of the random variable $f(X_i)$. In Lemma 1, we show that the probability of guessing a single output bit is $p_{guess}$. Due to the i.i.d. assumption on the different output bits of a single outcome of the CPUF, the probability of guessing all the $2m$ output bits from the state $|\psi_{f(X_i)}\rangle$ is upper bounded by $(p_{guess})^{2m}$.
Here, we would like to compute the probability of successfully guessing the $f(X_i)$'s for at least $(1-\varepsilon)q$ of the $q$ random samples. We denote this probability by $p_{extract}$. Due to the i.i.d. assumption on the outcomes $f(X_i)$ of the CPUF, the probability of guessing exactly $k$ responses out of $q$ is given by $\binom{q}{k} (p_{guess})^{2mk} (1 - (p_{guess})^{2m})^{q-k}$. Therefore, we get the following upper bound on $p_{extract}$:
$$p_{extract} \le \sum_{k=(1-\varepsilon)q}^{q} \binom{q}{k} (p_{guess})^{2mk} \left(1 - (p_{guess})^{2m}\right)^{q-k}.$$
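The binomial bound above is easy to evaluate numerically. The sketch below uses the hypothetical helper name `p_extract_bound`, and takes $p_{guess} = \frac{1}{2} + \frac{1}{2\sqrt{2}} \approx 0.85$ as an illustrative single-bit guessing probability; it shows the behaviour discussed next, i.e. the bound stays tiny for a low error threshold $\varepsilon$ and grows for a permissive one.

```python
from math import comb, ceil

def p_extract_bound(q, m, p_guess, eps):
    """Upper bound of Lemma 3: probability of correctly extracting at least
    (1 - eps)q of the q responses, each guessed with probability p_guess^(2m)."""
    p_resp = p_guess ** (2 * m)       # prob. of guessing one full 2m-bit response
    k_min = ceil((1 - eps) * q)
    return sum(comb(q, k) * p_resp ** k * (1 - p_resp) ** (q - k)
               for k in range(k_min, q + 1))

p_guess = 0.5 + 0.5 / 2 ** 0.5        # ≈ 0.8536, single-bit guessing probability
loose = p_extract_bound(q=100, m=8, p_guess=p_guess, eps=0.9)  # weak HPUF: high eps
tight = p_extract_bound(q=100, m=8, p_guess=p_guess, eps=0.1)  # robust HPUF: low eps
assert tight < loose <= 1.0           # low eps makes extraction exponentially unlikely
```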
This concludes the proof.
To provide better intuition for the expression of $p_{extract}$ and to show the exponential gap, we give in Figure S2 the evolution of $p_{extract}$ for different values of $\varepsilon$. For a bad HPUF with high $\varepsilon$, $p_{extract}$ converges to $1 - \mathrm{negl}(\lambda)$ as $q$, the number of queries of the QPT weak adversary, increases. Conversely, for a smaller error threshold, corresponding to a better HPUF, it decreases exponentially with $q$. Later, in Section G, we show that the $\varepsilon$ of an HPUF depends on its underlying CPUF and on the machine-learning algorithm used to forge the HPUF.
In the next theorem, we give an upper bound on the probability that a QPT weak adversary successfully forges an HPUF.
Theorem 2. Suppose the following two conditions hold:
1. Any $q$-query weak adversary wins the universal unforgeability game for the CPUF $f$ with probability at most $p^{classical}_{forge}(m, p, q) \ge \mathrm{non\text{-}negl}(\lambda)$.
2. There is no QPT adversary that can win the universal unforgeability game for the CPUF using a noisy database $\tilde{D}_q$ such that $\mathrm{dist}(D_q, \tilde{D}_q) > \varepsilon$.
If we construct a HPUF $E_f$ from such a CPUF $f$, then any $q$-query weak quantum adversary wins the universal unforgeability game for the HPUF $E_f$ with probability $p^{quantum}_{forge}(x^*, p, |D_q\rangle)$ at most $p_{extract} \cdot p^{classical}_{forge}(m, p, q)$, where $p_{extract}$ is bounded as in Lemma 3.

Proof. From Lemma 2, the optimal adversary's strategy is measure-then-forge. Let $\tilde{D}_q$ denote the set of extracted database responses. From the second condition, the adversary can forge the HPUF with a non-negligible probability if and only if $\mathrm{dist}(\tilde{D}_q, D_q) \le \varepsilon$. Suppose $p_{extract}$ denotes the optimal success probability of extracting $\tilde{D}_q$ from $|D_q\rangle$ such that $\mathrm{dist}(\tilde{D}_q, D_q) \le \varepsilon$. If $p^{classical}_{forge}(\tilde{D}_q, X^*, p)$ denotes the optimal forging probability using the database $\tilde{D}_q$, then the total forging probability is given by the following equation.
Note that the adversary's optimal forging probability with the database $D_q$ is always at least the optimal forging probability with the database $\tilde{D}_q$, i.e., $p^{classical}_{forge}(\tilde{D}_q, X^*, p) \le p^{classical}_{forge}(D_q, X^*, p)$ (Equation (25)). Substituting the relation of Equation (25) into Equation (24), we get the following expression for $p^{quantum}_{forge}(X^*, p, |D_q\rangle)$.
From Lemma 3 we get that $p_{extract} \le \sum_{k=(1-\varepsilon)q}^{q} \binom{q}{k} (p_{guess})^{2mk} (1-(p_{guess})^{2m})^{q-k}$. By substituting this expression for $p_{extract}$ into Equation (26), we get the desired upper bound on $p^{quantum}_{forge}(X^*, p, |D_q\rangle)$. This concludes the proof.
The above result is a general statement for any fixed number of queries and compares the success probability of a weak adversary in breaking the unforgeability of a CPUF and of a HPUF. Given this theorem, we can also state the following corollary, which ensures the universal unforgeability of an HPUF constructed from a CPUF that does not provide suitable security on its own, yet is not totally broken with overwhelming probability.

Corollary 1. Let the success probability of any QPT weak adversary in the universal unforgeability game with a CPUF $f : \{0,1\}^n \to \{0,1\}^{4m}$ with $p$-randomness be at most $p^{classic}_{forge}$, where $0 \le p^{classic}_{forge} \le 1 - \mathrm{non\text{-}negl}(2m)$. Then there always exists an error threshold $0 < \varepsilon \le 1$ for which the success probability of any QPT adversary in the universal unforgeability game for the HPUF $E_f$ is at most $\epsilon(2m)$, which is a negligible function in the security parameter. Hence such HPUFs are universally unforgeable.
This directly follows from Theorem 2, where $p^{classic}_{forge} = p^{classical}_{forge}(m, p, q)$ for any $q = \mathrm{poly}(m)$ is a value between 0 and 1 that is not negligibly close to 1. As shown in the proof of Theorem 2 in the Appendix, for a large family of $\varepsilon$ the first factor of the probability, namely $p_{extract}$, becomes negligibly small (in $2m$), and hence the overall probability becomes a negligible function $\epsilon(2m)$.

E.2.3 Security of the HLPUFs against general adaptive adversaries
In the last two theorems, we analysed the security of HPUFs against weak adversaries only. In Theorem 3 we show that if the HPUFs are secure against weak adversaries, then with the lockdown technique we can make the HLPUFs secure against adaptive adversaries.
Theorem 3. Let $E^L_f : \{0,1\}^n \to (\mathcal{H}^2)^{\otimes m}$ denote the HLPUF that we construct from $E_f$ using Construction 2. If $E_f = E_{f_1} \otimes E_{f_2}$ and each of the mappings $E_{f_1}, E_{f_2}$ has $(\epsilon, m)$-universal unforgeability against $q$-query weak adversaries, then the corresponding HLPUF $E^L_f$ is $(\epsilon, m)$-secure against $q$-query adaptive adversaries.
Proof Sketch. According to Construction 2, if the adaptive adversary tries to query the HLPUF with an arbitrary challenge $x \in \{0,1\}^n$, then it also needs to send a quantum state $\rho_{f_1(x)}$. The adversary successfully gets a reply if and only if $\mathrm{Ver}(\rho_{f_1(x)}, |\psi_{f_1(x)}\rangle\langle\psi_{f_1(x)}|) = 1$. Note that the adversary has no access to the underlying classical PUF $f_1$; therefore it cannot produce such a $\rho_{f_1(x)}$ for an arbitrary $x$. The only possible option is to use some of the previously intercepted pairs $(x, |\psi_{f_1(x)}\rangle)$ that were sent by the server. As the server chooses its queries uniformly at random, the adaptive adversary has to rely on those random queries to make an adaptive query to the HLPUF. Moreover, for the adaptive queries to the HLPUF, the adversary first needs to forge the mapping $E_{f_1}$ using the $q$ random challenge-response pairs $\{(x_i, |\psi_{f_1(x_i)}\rangle)\}_{1\le i\le q}$. Here, we assume that the mapping $E_{f_1}$ is secure against $q$-query weak adversaries; therefore the adaptive adversary cannot forge $E_{f_1}$. Hence, the $q$-query adaptive adversary can only get the responses from the mapping $E_{f_2}$ for at most $q$ random queries. By assumption, the mapping $E_{f_2}$ is also secure against $q$-query weak adversaries. Therefore, from $q$ random challenge-response pairs the adaptive adversary cannot forge $E_{f_2}$. Hence, the HLPUF remains secure against $q$-query adaptive adversaries. This concludes the proof sketch.

E.2.4 Security of the HLPUF-based Authentication Protocol
In this section, we first give a full formal description of the HLPUF-based authentication protocol; then we define the completeness and security properties of Protocol 1. Finally, in Theorem 4 we prove its completeness and security.
Definition 7 (Completeness of HLPUF-based Authentication Protocol 1). We say that the HLPUF-based authentication Protocol 1 satisfies completeness if, in the absence of any adversary, an honest client and server generating $|\psi_{f_1(x_i)}\rangle\langle\psi_{f_1(x_i)}|$ and $|\psi_{f_2(x_i)}\rangle\langle\psi_{f_2(x_i)}|$ with a valid HLPUF $E^L_f$ for any selected challenge $x_i$ can pass the verification algorithms with overwhelming probability.

For security, on the other hand, we rely on Theorem 3, which states that the HLPUF $E^L_f$ is $(\epsilon, m)$-secure against any $q$-query adaptive adversary. In the theorem, we show that the adaptive adversary cannot benefit from the weak-learning phase of the HPUF $E_{f_2}$ to produce a forgery $\sigma_2$ for $E^L_f$ that passes the verification $\mathrm{Ver}(|\psi_{f_2(x_i)}\rangle\langle\psi_{f_2(x_i)}|, \sigma_2)$. Since $E_{f_2}$ has universal unforgeability against a weak adversary by assumption, the forging probability is negligible. This concludes the proof.

Appendix F Challenge Reusability
In the main paper, we discussed the issue of challenge reusability in classical PUF-based protocols and how our construction brings forward a unique and new solution to this problem.
In this section, we dive deeper into this issue and formally prove why our proposal satisfies the important property of challenge reusability. We are thus interested in eavesdropping attacks by the adversary on the first and second halves of the response states. Note that eavesdropping on the states that encode the first half of the response leads to breaking the locking mechanism, while eavesdropping on the second half leads to an attack on the authentication. Without loss of generality, we consider only the case where the adversary eavesdrops on the first (or second) half to break the protocol in the upcoming rounds where the challenge is reused. The argument holds equivalently for both cases, since the states and the verification are symmetric.
Given all these considerations, the challenge reusability problem reduces to the optimal probability of an eavesdropping attack on $|\psi_{f_1(x_i)}\rangle$, which is in fact $m$ qubit states encoded in conjugate bases, in the same way as BB84 states. In the most general case, the adversary can perform an arbitrary quantum operation on the state $\bigotimes_{j=1}^{m} |\psi^{i,j}_{f_1(x_i)}\rangle\langle\psi^{i,j}_{f_1(x_i)}|$, or separately on each qubit state $|\psi^{i,j}_{f_1(x_i)}\rangle$, together with a local ancillary system; it sends a partial state of this larger system to the verifier to pass the verification test, and keeps the local state to extract the encoded response bits. Let $\rho_{SEC}$ be the joint state of the server, the eavesdropper and the client. Since the states used in the protocol are Mutually Unbiased Basis (MUB) states, i.e. from either $Z = \{|0\rangle, |1\rangle\}$ or $X = \{|+\rangle, |-\rangle\}$, in order to bound the optimal attack we can rely on the entropic uncertainty relations that have been used for the security proof of QKD. The measurements for verification are also performed in the $\{Z, X\}$ bases accordingly. We use the entropic uncertainty relations from [15], where the security criteria for QKD are given in terms of the conditional entropy for MUB measurements. Using these results, we show that Eve's entropy in guessing the correct classical bits of the response is very high if the state sent to the verification algorithm passes the verification with high probability. Intuitively, this is due to the uncertainty arising from the commutation relation between the $X$ and $Z$ operators in quantum mechanics. Hence we conclude that the success probability of Eve in extracting information from the encoded halves of the response is low. We also show that this uncertainty increases linearly with $m$, similarly to the number of rounds in QKD. This argument results in the following theorem, which we formally describe and prove in Appendix I.6, where we also introduce the uncertainty relations.
Theorem 5 (informal). In Protocol 1, if the client's (or, for the second half of the state, the server's) verification does not abort for a challenge $x$, then Eve's uncertainty on the respective response of the CPUF, denoted by $H^{Eve}_{min}$, is greater than $m - \epsilon(m)$.

Now, we first define reusability in relation to the unforgeability game, and then, using Theorem 5, we prove the challenge reusability of the HLPUF-based Protocol 1.

Definition 9 (Challenge ($k$-)reusability in the universal unforgeability game). Let $G_{re}(\lambda, \mathcal{A}, x_{k+1})$ be a special instance of the universal unforgeability game where a challenge $x$, picked uniformly at random by the challenger, has been previously used $k$ times. We are interested in the events where the same challenge is used in the $(k+1)$-th round, which we denote by $x_{k+1}$. We say the challenge $x$ is ($k$-)reusable if the success probability of any QPT adversary in winning $G_{re}(\lambda, \mathcal{A}, x_{k+1})$, i.e., in forging the response to $x_{k+1}$, is negligible in the security parameter.

Theorem 6 (Challenge reusability of HLPUF-based Authentication Protocol 1). A challenge $x$ can be reused $k$ times during Protocol 1 as long as the received respective response $\sigma$ for each round passes the (client's or server's) verification with overwhelming probability. In other words, under successful verification, the success probability of the adversary in passing the $(k+1)$-th round with the same challenge $x$ is bounded as follows.

Proof. To prove this theorem, we use Theorem 5 directly. First, we assume that $x$ has been used once before in a previous round. Given the assumption that the verification is passed with probability $1 - \epsilon(m)$, and given Theorem 5, we conclude that the uncertainty of the adversary in guessing the encoded response of the HLPUF is larger than $m - \epsilon(m)$. In our case, the joint quantum state between the server and the adversary is a classical-quantum state (the server has the classical description of $f(x)$, and the adversary has the quantum state $|\psi_{f(x)}\rangle$).
For such states, Eve's uncertainty $H^{Eve}_{min}$ equals $-\log P^{Eve}_{guess}$, where $P^{Eve}_{guess}$ is Eve's probability of guessing the classical information encoded in the quantum state [38]. Therefore, $P^{Eve}_{guess} \le 2^{-(m - \epsilon(m))}$. This probability is negligible in the security parameter, which means that after performing any arbitrary quantum operations, the adversary's local state includes at most a negligible amount of information on the response to $x$ in each round that the challenge $x$ is reused. Now, we can use the union bound to show that this success probability scales only linearly with $k$: the probability that Eve guesses correctly in at least one of the $k$ rounds is at most $\sum_{i=1}^{k} P(E^i_{guess})$, where $E^i_{guess}$ is the event that Eve correctly guesses the response in the $i$-th round and $P(E^i_{guess}) \le P^{Eve}_{guess}$. Finally, let the success probability of an adversary in the universal unforgeability game for the HLPUF be upper-bounded by $\epsilon_1(m)$, which is a negligible function in the security parameter, since we assume that the HLPUF satisfies universal unforgeability. This is the same as the success probability of the adversary in passing the verification for a new challenge chosen at random from the database. Now, in the $(k+1)$-th round, where the same $x$ is reused, the success probability is at most boosted by the guessing probability over the previous $k$ rounds; hence we have $\epsilon_1(m) + k \cdot 2^{-(m - \epsilon(m))}$ as the bound. As long as $k$ is polynomial in the security parameter, the second term is also a negligible function, and the sum of two negligible functions is negligible. This concludes the proof.
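The final bound can be illustrated with hypothetical numbers; $m$, the residual information $\epsilon(m)$, and $\epsilon_1(m) = 2^{-m}$ below are placeholder choices for illustration, not values from the paper. Even after $10^6$ reuses of the same challenge, the union-bound term $k \cdot 2^{-(m-\epsilon(m))}$ remains negligible.

```python
# Hypothetical numbers: m encoded qubits, residual information modelled as eps_m bits.
m = 128
eps_m = 8                      # epsilon(m): adversary's residual information, in bits
p_guess = 2.0 ** -(m - eps_m)  # Eve's per-round guessing probability <= 2^-(m-eps(m))

def reuse_bound(k, eps1=2.0 ** -m):
    """Union bound on forging probability after k reuses of the same challenge."""
    return eps1 + k * p_guess

assert reuse_bound(10 ** 6) < 1e-20   # still negligible for polynomially many reuses
```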

Appendix G Simulation for HPUF/HLPUF
In this section, we simulate the HPUF/HLPUF constructions with underlying silicon CPUFs instantiated by pypuf [68], a Python-based emulator that features different existing CPUFs. Furthermore, we simulate the situation where an adversary acquires classical challenges and quantum-encoded responses from the HPUF/HLPUF and converts the responses into classical bitstrings by measuring the output quantum states. The adversary then attempts to perform machine-learning-based attacks with the obtained CRPs to build a model that predicts the behaviour of the underlying CPUF accurately enough; if it succeeds, we say such an adversary wins the unforgeability game. Based on the simulation results, we show the performance of the hybrid construction in boosting the security of a CPUF, quantify the advantage of the hybrid construction, and discuss potential improvements to obtain greater security.
The XOR Arbiter PUF [60], which maps an $n$-bit challenge to a one-bit response, is one of the CPUFs provided by pypuf. Its security has been studied extensively by Rührmair et al. [50]. In that paper, the performance of different machine-learning attacks such as Logistic Regression (LR), Support Vector Machines (SVMs), and Evolution Strategies (ES) is evaluated in terms of the prediction accuracy of responses to unseen challenges. It turns out that LR has the best performance. Moreover, it shows that LR attacks cope well even when the training data is erroneous, with noise up to 40%. In practice, this noise comes from the PUF implementation in the integrated circuit. Meanwhile, the quantum encoding of the HPUF can be treated as another source of noise that prevents the adversary from modelling the CPUF.
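For intuition, the additive-delay model behind (XOR) Arbiter PUFs can be sketched in a few lines. This is an illustrative stand-in, not pypuf's actual implementation: an Arbiter PUF is modelled as a linear threshold function over the standard parity feature map, and a k-XOR Arbiter PUF XORs k such instances queried with the same challenge (`make_arbiter` and `make_xor_puf` are hypothetical names).

```python
import random

def phi(challenge):
    """Parity feature map of the additive delay model: phi_i = prod_{j>=i}(1-2c_j)."""
    n = len(challenge)
    feats = [1] * (n + 1)
    for i in range(n - 1, -1, -1):
        feats[i] = feats[i + 1] * (1 - 2 * challenge[i])
    return feats

def make_arbiter(n, rng):
    """One simulated Arbiter PUF: random delay weights (one per stage, plus bias)."""
    w = [rng.gauss(0, 1) for _ in range(n + 1)]
    return lambda c: 1 if sum(wi * fi for wi, fi in zip(w, phi(c))) > 0 else 0

def make_xor_puf(n, k, seed=0):
    """k-XOR Arbiter PUF: XOR of k independent Arbiter PUFs on the same challenge."""
    rng = random.Random(seed)
    pufs = [make_arbiter(n, rng) for _ in range(k)]
    def xor_puf(c):
        r = 0
        for p in pufs:
            r ^= p(c)
        return r
    return xor_puf

# Collect a few CRPs from a simulated 4-XOR Arbiter PUF with 64-bit challenges.
rng = random.Random(42)
puf = make_xor_puf(n=64, k=4)
crps = [(c, puf(c)) for c in ([rng.randint(0, 1) for _ in range(64)] for _ in range(5))]
```

The LR attack exploits exactly this near-linear structure, which is why noise injected into the training CRPs (here, by the quantum encoding) degrades the learned model.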

G.1 BB84 encoding with split attack on the HPUF/HLPUF
Recall that the HPUFs proposed in this paper encode every two-bit tuple of the response $(y_{i,(2j-1)}, y_{i,2j})_{1\le j\le m}$ into one BB84 state, with $y_{i,2j}$ the basis value and $y_{i,(2j-1)}$ the bit value. Here, we assume that each bit of the response is generated independently and uniformly at random by an XOR Arbiter PUF. We first simulate an adaptive adversary on the HPUF: it queries with the same classical challenge multiple times until it extracts the classical information from multiple copies of the quantum response with high accuracy. The simulation results for modelling the underlying CPUF are shown in red in Figures 5 and 6.
On the other hand, when we consider the HLPUF against an adaptive adversary, the lockdown technique reduces the adversary from adaptive to weak queries on the HPUF. With only a single copy of each quantum response, the adversary intuitively has a 50% probability of guessing the basis value correctly for each qubit of the HPUF. If it guesses the basis value correctly, it can measure the qubit correctly and obtain the exact tuple $(y_{i,(2j-1)}, y_{i,2j})$. Otherwise, the classical tuple $(y_{i,(2j-1)}, y_{i,2j})$ obtained by the adversary for that qubit is always incorrect. Hence, the success probability of recovering each tuple $(y_{i,(2j-1)}, y_{i,2j})$ from the corresponding qubit $|\psi^{i,j}_{out}\rangle\langle\psi^{i,j}_{out}|$ by such an adversary is no better than a coin toss.
However, there is a specific way to attack HPUFs that we discovered through the simulations, the so-called Split Attack. To the best of our knowledge, it is the optimal strategy that a weak adversary can perform on an HPUF with underlying XOR Arbiter PUFs. We elaborate the attack as follows. Instead of predicting the tuple $(y_{i,(2j-1)}, y_{i,2j})$ simultaneously, the adversary first predicts the bit value $y_{i,(2j-1)}$ of each qubit. For the HPUF with BB84-state encoding, the problem of distinguishing a state from the uniformly distributed BB84 states then reduces to the problem of distinguishing the two mixed states $\rho^{i,j}_1 = \frac{1}{2}|0\rangle\langle 0| + \frac{1}{2}|+\rangle\langle +|$ and $\rho^{i,j}_2 = \frac{1}{2}|1\rangle\langle 1| + \frac{1}{2}|-\rangle\langle -|$ occurring with equal probability. From Lemma 1, we get the optimal success probability $\frac{1}{2} + \frac{1}{2\sqrt{2}} \approx 0.85$. That is to say, the adversary $\mathcal{A}$ can perform LR attacks on the bit values with a training set of CRPs afflicted by roughly 15% error. We simulate the HPUF with BB84 encoding, underlying 4-XOR and 5-XOR Arbiter PUFs, and challenge sizes of 64 and 128 bits. Here, $k = 4$ or $5$ is the XOR Arbiter PUF parameter related to its hardware structure; with a higher value of $k$, more CRPs are needed to model the XOR PUF accurately with LR attacks. The evolution of the accuracy in predicting the bit value of each qubit with different underlying XOR PUFs is shown in orange in Figures 5 and 6.
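The optimal distinguishing probability used here follows from the Helstrom bound, $p_{opt} = \frac{1}{2} + \frac{1}{4}\|\rho_1-\rho_2\|_1$. The sketch below evaluates it numerically for the two mixed states above, and the same value is obtained for the pure-state pair $|0\rangle$ vs $|+\rangle$, reproducing the $\approx 85\%$ success rate, i.e. the $\approx 15\%$ error in the training CRPs (the helper `helstrom` is an illustrative name).

```python
import numpy as np

ket0, ket1 = np.array([1.0, 0.0]), np.array([0.0, 1.0])
ketp, ketm = (ket0 + ket1) / np.sqrt(2), (ket0 - ket1) / np.sqrt(2)
dm = lambda v: np.outer(v, v)                 # density matrix of a real pure state

# Mixed states faced when guessing the *bit* value of a uniformly random BB84 state
rho1 = 0.5 * dm(ket0) + 0.5 * dm(ketp)        # encodes bit value 0
rho2 = 0.5 * dm(ket1) + 0.5 * dm(ketm)        # encodes bit value 1

def helstrom(r1, r2):
    """Optimal success probability of distinguishing two equiprobable states."""
    trace_norm = np.abs(np.linalg.eigvalsh(r1 - r2)).sum()
    return 0.5 + 0.25 * trace_norm

p_bit = helstrom(rho1, rho2)                  # guessing the bit value
p_basis = helstrom(dm(ket0), dm(ketp))        # basis value, given a correct bit
assert np.isclose(p_bit, 0.5 + 1 / (2 * np.sqrt(2)))   # ≈ 0.8536, i.e. ~15% error
assert np.isclose(p_basis, p_bit)
```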
Once the bit value of each qubit can be predicted accurately for a given challenge, the problem of predicting the basis value $y_{i,2j}$ is equivalent to discriminating the quantum state $|0\rangle$ from $|+\rangle$ if $y_{i,(2j-1)} = 0$, or $|1\rangle$ from $|-\rangle$ if $y_{i,(2j-1)} = 1$. We denote the success probability of guessing the basis value correctly conditioned on an accurate prediction of the bit value. Since the HPUF introduces the same level of noise on the basis value as on the bit value, a similar performance of the LR attack is expected in predicting the basis value, as long as the prediction accuracy of the bit value is high enough. The success probability of guessing both the bit and basis values of the tuple $(y_{i,(2j-1)}, y_{i,2j})$ is then the product of the two probabilities. In the end, we get the evolution of the accuracy of predicting a tuple $(y_{i,(2j-1)}, y_{i,2j})$ for different numbers of training CRPs as the green curves in Figures 5 and 6. The gap between the blue and green curves denotes the security reinforcement provided by the HPUF construction. In Figure S3, we also show the best-performing training-set sizes of CRPs for obtaining accurate enough models from machine-learning attacks with different $k$-XOR PUFs, for the CPUF, HPUF, and HLPUF constructions. See [42] for details of the simulation. In line with our proofs of Lemma 3 and Theorem 2, our simulation shows an exponential advantage of the HPUF compared to the same CPUF, for a limited number of queries $q$, in terms of the modelling success probability of an adversary using LR attacks. For larger $q$, the advantage shown in the simulation is limited by the fact that the $k$-XOR PUF is a vulnerable CPUF with a large $\varepsilon$, which allows a modelling attack with a noisy data set. That is to say, the probability $p_{extract}$ can be high even with $\mathrm{dist}(\tilde{D}^x_q, D^x_q) = 0.15$. As long as $\Pr(1, \frac{1}{2}, q) = 1 - \mathrm{negl}(\lambda)$, the success probability of modelling the hybrid construction converges to $1 - \mathrm{negl}(\lambda)$ as $q$ increases.
Therefore, to decrease the forging probability in practice, there are two main directions. First, we can choose more robust underlying CPUFs to construct an HPUF with a lower $\varepsilon$ and with $\Pr(1, \frac{1}{2}, q) = 1 - \mathrm{negl}(\lambda)$ only for a greater $q$. Second, we can consider other, more sophisticated encodings for the HPUF, e.g., MUB encodings of quantum states in higher dimensions. In the next section, we show the construction of an HPUF with MUB encoding in dimension 8 and the corresponding simulation results.

In our simulations, the construction of the H(L)PUF with underlying Arbiter-based PUFs generates a 1-bit response per query. Thus, although one can observe the exponential gap between CPUF and HPUF for a fixed number of queries, the inverse-exponential scaling with $m$ cannot be witnessed, while for a general $m$-qubit response construction this inverse-exponential scaling follows from the theoretical results. In Figure S4, we also attempt to simulate this behaviour for an $m$-qubit response constructed from several Arbiter-based PUFs. The construction is a rather trivial one via parallelism, i.e., we simply duplicate the single structure $m$ times and query the copies with the same challenge [60]. We note that this construction is far from optimal in terms of security, as it does not provide the independent $m$-qubit outcomes required in the theoretical result, and as a result it allows the adversary to perform more effective parallel attacks. However, we can still see that the guessing probability of an eavesdropper decreases inverse-exponentially in $m$ until the averaged learning models are all accurate enough (see Figure S4 with 4-XOR PUFs and different challenge lengths).
Moreover, the quantum encoding can in any case help with the detection of a network adversary trying to perform ML attacks: such an adversary perturbs the quantum states in the quantum channels due to measurement, enabling the honest parties to detect its presence with high probability and preventing the adversary from learning the $m$-qubit states simultaneously during the protocol, as discussed in Appendix F.

G.2 MUB encoding in higher dimensions

In this section, we show that a more sophisticated encoding of the quantum state in higher dimensions, i.e., an 8-dimensional quantum state with 9 MUBs, introduces more noise into the database with which an adversary emulates the CPUFs. We denote the encoded quantum state by $|x_\theta\rangle$, where $\theta$ represents the basis and $x$ represents the state. Here, the adversary attempts to obtain accurate models of $x_0 x_1 x_2$ from the 3 CPUFs associated with the state value. Similarly to the strategy shown for the BB84 encoding, the adversary performs a Split Attack on $x_0 x_1 x_2$ sequentially. The success probability of guessing each bit is equivalent to the probability of distinguishing mixed states out of $\rho_x = \frac{1}{9}\sum_{\theta=0}^{8} |x_\theta\rangle\langle x_\theta|$. We obtain the optimal $p_0$, $p_1$ and $p_2$ corresponding to correctly guessing $x_0$, $x_1$ and $x_2$; more details of the construction of the MUBs and the calculation of these probabilities are given in Section J. We simulate the modelling of XOR PUFs under the Split Attack in Figure 8. It takes up to $10^6$ CRPs to model the underlying CPUFs accurately. The number of CRPs required to model the underlying $k = 5$ CPUFs with the 8-dimensional encoding is the same as for the BB84 encoding, with a smaller input space of 32-bit challenges. For the HLPUF authentication protocol, this means a longer usage period with the same hardware. However, the 8-dimensional (or higher-dimensional) MUB encoding requires multi-qubit gates on both the server and client sides. Hence, there is a trade-off between the complexity of the encoding and the implementation effort.
Furthermore, the imperfect quantum channels and measurements in the HPUF setting should also be considered. We leave these considerations for future benchmarking work.
According to this construction, the QLPUF takes the input $|\psi^i_{in}\rangle\langle\psi^i_{in}|_{S_i} \otimes \rho_{S^1_i}$. Of the two input states, the QLPUF uses $|\psi^i_{in}\rangle\langle\psi^i_{in}|$ to produce an output state, which it releases only if the received state $\rho_{S^1_i}$ is the same as the expected state $\tilde{\rho}_{S^1_i}$; otherwise, it outputs an abort state $\perp$. We refer to Figure S5 for the circuit of the QLPUF. Note that the QLPUF needs to check internally whether $\rho_{S^1_i} = \tilde{\rho}_{S^1_i}$ or not. If $\rho_{S^1_i}$ is a pure state, then we can use the SWAP test to check the equality of the two pure states; the SWAP-test circuit keeps the circuit of the entire QLPUF efficient.

Figure S5: Construction of the QLPUF $E^L$ with quantum PUF $E$.

On the other hand, the quantum channel $E$ of the quantum PUF can have entangling power, and hence the subsystems $S_1$ and $S_2$, which represent the different parts of the response, may be entangled. Let us start with the simple situation of a 2-qubit entangled state $|\psi^i_{out}\rangle\langle\psi^i_{out}|$, i.e., a quantum PUF $E$ that maps an input state $|\psi^i_{in}\rangle\langle\psi^i_{in}|$ to an entangled output state $|\psi^i_{out}\rangle := \alpha|a_1\rangle|b_1\rangle + \beta|a_2\rangle|b_2\rangle$, where $|\alpha|^2 + |\beta|^2 = 1$, $|a_1\rangle$ and $|a_2\rangle$ are any two vectors in the space of subsystem $S_1$, and $|b_1\rangle$ and $|b_2\rangle$ are any two vectors in the space of subsystem $S_2$. Consider a POVM measurement on the subsystem $S_1$ with elements $\{E_m\}$, where $\sum_m E_m = I$; the reduced density operator of $S_2$ after tracing out $S_1$ is clearly a mixed state. However, checking the equality of two mixed states is difficult, and sometimes not possible: two different ensembles of pure states can have the same density operator, as represented in Equation (43), in which case the two mixed states are unequal as ensembles but totally indistinguishable. This can be trivially extended to the $n$-qubit situation. Therefore, the lockdown technique is not implementable with generic quantum PUFs.
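The two observations used above, namely that the SWAP test certifies equality of pure states and that distinct ensembles can be physically indistinguishable, can both be checked numerically. The sketch below uses the textbook example of the uniform $Z$-basis and $X$-basis ensembles, which both have density operator $I/2$ (this is a standard illustration, not necessarily the paper's Equation (43) example), together with the standard SWAP-test acceptance probability $\frac{1}{2} + \frac{1}{2}|\langle\psi|\phi\rangle|^2$.

```python
import numpy as np

dm = lambda v: np.outer(v, v.conj())          # density matrix of a pure state
ket0, ket1 = np.array([1.0, 0.0]), np.array([0.0, 1.0])
ketp, ketm = (ket0 + ket1) / np.sqrt(2), (ket0 - ket1) / np.sqrt(2)

# Two *different* ensembles with the *same* density operator (both I/2):
rho_zbasis = 0.5 * dm(ket0) + 0.5 * dm(ket1)
rho_xbasis = 0.5 * dm(ketp) + 0.5 * dm(ketm)
assert np.allclose(rho_zbasis, rho_xbasis)    # physically indistinguishable

def swap_test_accept(psi, phi):
    """SWAP test acceptance probability for two pure states."""
    return 0.5 + 0.5 * abs(np.vdot(psi, phi)) ** 2

assert np.isclose(swap_test_accept(ket0, ket0), 1.0)   # equal states always pass
assert np.isclose(swap_test_accept(ket0, ket1), 0.5)   # orthogonal: pass half the time
```

The second assertion is exactly why the internal equality check works for pure states but breaks down once tracing out an entangled subsystem leaves a mixed state.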
In the case of quantum PUFs, our study shows that some quantum-mechanical properties of quantum PUFs, such as entanglement generation, make it challenging to use the straightforward quantum analogue of the classical lockdown technique. This is nonetheless an interesting observation, because no such condition on the encoding of the output of a classical PUF is needed to construct an HPUF with the lockdown technique.

I.3 Proof of Lemma 2

We can write the adversary's post-measurement state corresponding to a successful forgery as in Equation (49), where $|D_q\rangle_R$ denotes the post-measurement database state and $|\tilde{a}\rangle_{out}$ is the post-measurement state of the ancillary system, which is a $(\tilde{m} - m)$-dimensional state, whereas $|\psi_{f(x^*)}\rangle_{out}$ is $m$-dimensional. As $\bigotimes_{i=1}^{q} |x_i\rangle_C$ is a classical state, we omit it from the expressions in the rest of the proof. Using Naimark's theorem, we can replace the POVM measurement strategy $\mathcal{E}(D_q)$ with the combination of a unitary acting on an extended system including an ancilla $|anc\rangle_A$, followed by a projective measurement. Let us denote this unitary by $U^{x^*}_{D_q}$, which couples the input state $|D_q\rangle \otimes |0^m\rangle_{out}$ with the ancillary system $|anc\rangle_A$, and let $\{|v\rangle\}$ be the basis in which the projective measurement is applied to the ancilla. We first rewrite the effect of the unitary $U^{x^*}_{D_q}$ on the input state in Equation (50), where in the second line we have rewritten everything after applying the unitary in the $\{|v\rangle\}$-basis. Now, the adversary performs a projective measurement on the state (50) in this basis. Suppose that for the correct forgery the ancilla is projected onto the state $|v_{forge}\rangle_A$. Therefore, we can rewrite the expression for $p_{forge}$ as in Equation (51). Overall, following this strategy, the purification of the adversary's post-measurement state with an optimal POVM measurement can be written as in Equation (52), where $|D_q\rangle$ denotes the post-measurement database state.
Note that, due to Naimark's theorem, the post-measurement database states in Equations (49) and (52) are the same if the same ancillary system is assumed after the purification and the POVM, i.e. if $|v_{forge}\rangle_A = |\tilde{a}_{out}\rangle$. Now, let us use the unitary $U^{x^*}_{D_q}$ and the measurement basis $\{|v\rangle\}$ to construct a measure-then-forge strategy. As the unitary $U^{x^*}_{D_q}$ depends only on the input $x^*$ and $D_q$, we can rewrite it in the basis that is diagonalised with respect to the states $\{|\Psi^q_v, v\rangle\}_v$. For the post-measurement state $|v_{forge}\rangle$ of the ancilla, the adversary applies $U^{x^*}_{D_q,\Psi^q_{forge},v_{forge}}$ to the $|0\rangle_{out}$ register. Note that the adversary does not have any information about the $\{f(x_i)\}_{1\leq i\leq q}$ before measuring the ancillary subsystem in the $\{|v\rangle\}$-basis. Hence, the choice of the measurement basis $\{|v\rangle\}$ depends only on the classical challenges $x_i$ and $x^*$. Therefore, the adversary can use the same information to find the $\{|v\rangle\}$-basis, first perform the measurement on the RA register in the $\{|\Psi^q_v, v\rangle\}$-basis, and obtain the state $|\Psi^q_{forge}, v_{forge}\rangle$ with the same probability $p_{forge}$. After the measurement, the adversary applies the unitary $U^{x^*}_{D_q,\Psi^q_{forge},v_{forge}}$ to $|0\rangle_{out}$ and gets the forged state $|\psi_{f(x^*)}\rangle$. Therefore, with this strategy, the adversary also wins the unforgeability game with probability $p_{forge}$. Note that there always exists a unitary $U$ such that $U(\bigotimes_{i=1}^q |\tilde{f}(x_i)\rangle) \otimes |anc\rangle = |\Psi^q_{forge}, v_{forge}\rangle$, where $\tilde{f}(x_i)$ denotes the information about the $f(x_i)$ extracted from the encoded database $|D^q\rangle$. Therefore, from any generalised measurement strategy $E(D_q)$ we can construct a strategy for the measure-then-forge protocol that wins the universal unforgeability game with the same probability $p_{forge}$. This concludes the proof.
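The Naimark replacement used in this proof, realising a POVM as an isometry into an extended system followed by a projective measurement on the ancilla, can be verified numerically. The sketch below (a toy example with the three-outcome trine POVM, chosen for illustration and not taken from the paper) builds the standard dilation $V|\psi\rangle = \sum_x (\sqrt{M_x}|\psi\rangle) \otimes |x\rangle$ and checks that projecting the ancilla reproduces the POVM statistics.

```python
import numpy as np

# Trine POVM on a qubit: M_x = (2/3)|phi_x><phi_x| for three symmetric states.
angles = [0, 2 * np.pi / 3, 4 * np.pi / 3]
states = [np.array([np.cos(t / 2), np.sin(t / 2)]) for t in angles]
povm = [(2 / 3) * np.outer(s, s) for s in states]
assert np.allclose(sum(povm), np.eye(2))  # completeness: sum_x M_x = I

def sqrtm_psd(M):
    """Square root of a positive semidefinite matrix via eigendecomposition."""
    w, U = np.linalg.eigh(M)
    return U @ np.diag(np.sqrt(np.clip(w, 0, None))) @ U.conj().T

# Naimark dilation: stack sqrt(M_x) blocks, one per ancilla outcome x.
V = np.vstack([sqrtm_psd(M) for M in povm])
assert np.allclose(V.conj().T @ V, np.eye(2))  # V is an isometry

rng = np.random.default_rng(0)
psi = rng.normal(size=2) + 1j * rng.normal(size=2)
psi /= np.linalg.norm(psi)
out = V @ psi
# Projective measurement of the ancilla: prob of outcome x = norm^2 of block x
probs_dilated = [np.linalg.norm(out[2 * x: 2 * x + 2]) ** 2 for x in range(3)]
probs_povm = [np.real(psi.conj() @ M @ psi) for M in povm]
assert np.allclose(probs_dilated, probs_povm)  # same statistics as the POVM
```

The block after each ancilla outcome is exactly the (unnormalised) post-measurement state, which is why the proof can speak of the unitary $U^{x^*}_{D_q}$ followed by a projective measurement in the $\{|v\rangle\}$-basis without loss of generality.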

I.4 Proof of Lemma 3
In this lemma, we give an upper bound on the probability of extracting the CPUF outcomes from $(1-\varepsilon)q$ out of the $q$ responses of the HPUF. Let $A_h$ be a quantum adversary who plays the unforgeability game against the HPUF. $A_h$ has access to $q$ queries of the HPUF as $q$ pairs $\{(X_i, |\psi_{f(X_i)}\rangle)\}_{i=1}^q$, generated according to Construction 1. As the state in the adversary's possession depends entirely on a classical string, we can describe this situation using a classical-quantum state, where the C register contains the classical string $f(X_i)$, and the S register contains the quantum state $|\psi_{f(X_i)}\rangle\langle\psi_{f(X_i)}|$. We denote the j-th bit of the string $f(X_i)$ by $Y_{i,j}$. The classical-quantum state for the j-th qubit is of the following form.
In Lemma 1, we prove that the probability of guessing $Y_j$ is $p_{guess}$, which has the following upper bound.
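The value of such a single-bit guessing bound can be illustrated numerically. As a hedged example (assuming, for illustration only, that each output bit is encoded in a BB84 state with the basis hidden from the adversary — the paper's exact encoding is given in Construction 1), the optimal probability of guessing one bit is the Helstrom bound between the two average states:

```python
import numpy as np

ket0 = np.array([1.0, 0.0])
ket1 = np.array([0.0, 1.0])
plus = (ket0 + ket1) / np.sqrt(2)
minus = (ket0 - ket1) / np.sqrt(2)

def proj(v):
    return np.outer(v, v)

# Average states seen by the adversary when the bit is 0 or 1 (basis unknown)
rho0 = 0.5 * proj(ket0) + 0.5 * proj(plus)
rho1 = 0.5 * proj(ket1) + 0.5 * proj(minus)

# Helstrom bound: p_guess = 1/2 + (1/4) * ||rho0 - rho1||_1
trace_norm = np.abs(np.linalg.eigvalsh(rho0 - rho1)).sum()
p_guess = 0.5 + 0.25 * trace_norm
print(p_guess)  # 0.8535... = 1/2 + 1/(2*sqrt(2)) = cos^2(pi/8)
```

This reproduces the familiar $\cos^2(\pi/8)$ figure for conjugate-coding schemes; whichever encoding the HPUF uses, Lemma 1's $p_{guess}$ plays exactly this role in the extraction bound below.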
In Section E.2.1, we assume that all the output bits of the CPUF are i.i.d. Therefore, the entire classical-quantum state for the i-th challenge $X_i$, denoted $\rho_{CS}$, is of the following form.
Therefore, the probability of guessing $f(X_i)$ from the S subsystem is upper bounded by $(p_{guess})^{2m}$. Let $\rho_{C^qS^q}$ denote the joint state shared between the server and the q-query weak adversary. Due to the i.i.d. assumption on all the outputs of the underlying classical PUF of the HPUF, $\rho_{C^qS^q}$ has the following form.
Here, we would like to find an upper bound on the probability of successfully guessing the $f(X_i)$ for at least $(1-\varepsilon)q$ responses out of the $q$ responses. We denote this guessing probability by $p_{extract}$. Note that, due to the i.i.d. assumption on the different outcomes of the CPUF, the adversary's probability of correctly guessing exactly $k$ responses out of $q$ responses is upper bounded by $\binom{q}{k}(p_{guess})^{2mk}(1-(p_{guess})^{2m})^{q-k}$. Therefore, we can rewrite the expression for $p_{extract}$ as follows: $p_{extract} \leq \sum_{k=\lceil(1-\varepsilon)q\rceil}^{q} \binom{q}{k}(p_{guess})^{2mk}(1-(p_{guess})^{2m})^{q-k}$. This concludes the proof.
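The extraction bound is a binomial tail, so it can be evaluated directly. The sketch below uses illustrative parameter values (the choices of q, m, ε, and p_guess here are not from the paper) to show how quickly the bound decays:

```python
from math import ceil, comb

def p_extract_bound(q, m, eps, p_guess):
    """Binomial-tail upper bound on guessing at least (1 - eps)*q of q
    i.i.d. responses, where each full 2m-bit response is guessed with
    probability at most p_guess**(2*m)."""
    p_resp = p_guess ** (2 * m)
    k_min = ceil((1 - eps) * q)
    return sum(comb(q, k) * p_resp ** k * (1 - p_resp) ** (q - k)
               for k in range(k_min, q + 1))

# Illustrative parameters (not from the paper): the bound decays rapidly in q.
print(p_extract_bound(q=50, m=4, eps=0.1, p_guess=0.85))
```

With eps = 1 the sum runs over all k and equals 1, a quick sanity check that the expression is a properly normalised binomial distribution.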

I.5 Proof of Theorem 3
At the i-th round, the HLPUF $E^L_f$ receives queries of the form $(x_i, \tilde{\rho}_1)$, where the classical string $x_i \in \{0,1\}^n$ and $\tilde{\rho}_1 \in (\mathcal{H}^2)^{\otimes m}$. The HLPUF returns $E_{f_2}(x_i)$ if $\mathrm{Ver}(\tilde{\rho}_1, E_{f_1}(x_i)) = 1$; otherwise, it returns an abort state $|\perp\rangle\langle\perp|$ corresponding to $\perp$. Hence, to get any non-abort state from the HLPUF, an adaptive adversary $A_{ad}$ needs to produce a query of the form $(x_i, E_{f_1}(x_i))$. As the adversary has no direct access to the mapping $E_{f_1}$, the only way it can get any information about $E_{f_1}(x_i)$ is by intercepting the challenges that the server sends to the client. Suppose that the adaptive adversary has access to a set of $q$ queries $X_{[q]} := \{X_i\}_{1\leq i\leq q}$ and the corresponding responses $\Psi_{[q]} := \{E_{f_1}(x_i)\}_{1\leq i\leq q}$, where each $X_i$ follows a uniform distribution over the challenge set $\{0,1\}^n$. Hence, with respect to the mapping $E_{f_1}$, the power of the adaptive adversary reduces to that of a weak adversary. As $E_{f_1}$ has the universal unforgeability property against any q-query weak adversary, we get, for any random challenge $X \notin X_{[q]}$, $\Pr_{X,X_{[q]}}[1 \leftarrow G^{E_{f_1}}(A_{ad}, m, X, X_{[q]})] = \Pr_{X,X_{[q]}}[1 \leftarrow G^{E_{f_1}}(A_{weak}, m, X, X_{[q]})] \leq \epsilon(m)$. (59) This implies that, using the set of challenges $X_{[q]}$ and responses $\Psi_{[q]}$, the adversary cannot produce the response corresponding to a random challenge $X \notin X_{[q]}$. Suppose that from the query set $X_{[q]}$ and the responses, the adaptive adversary successfully generates a set $X_{[q']}$ of $q'$ adaptive queries, together with corresponding responses $\Psi_{[q']}$, for the HLPUF $E^L_f$. Without loss of generality, we assume that the HLPUF returns a non-abort state for all of the queries $X_i \in X_{[q']}$.
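The lockdown gate described above can be sketched as a toy classical model. Here Ver is modeled as plain equality and f1, f2 are hypothetical stand-in functions (the real construction encodes the CPUF outputs into quantum states, which is what makes interception lossy):

```python
import hashlib

# Hypothetical stand-ins for the two halves of the CPUF output; the real
# HLPUF encodes these values into quantum states before sending them.
def f1(x: bytes) -> bytes:
    return hashlib.sha256(b"f1" + x).digest()

def f2(x: bytes) -> bytes:
    return hashlib.sha256(b"f2" + x).digest()

ABORT = None

def hlpuf_query(x: bytes, claimed_r1: bytes):
    """Lockdown: release f2(x) only if the client already knows f1(x)."""
    if claimed_r1 == f1(x):   # stands in for Ver(rho_1, E_f1(x)) = 1
        return f2(x)
    return ABORT              # abort state |⊥><⊥|

x = b"challenge-001"
assert hlpuf_query(x, f1(x)) == f2(x)       # valid first half -> second half
assert hlpuf_query(x, b"garbage") is ABORT  # otherwise -> abort
```

The proof's reduction mirrors this structure: any adaptive adversary that extracts non-abort outcomes must already hold valid $E_{f_1}$ responses, which collapses its power to that of a weak adversary.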
We assume that the adaptive adversary wins the universal unforgeability game using the query set $X_{ad} = X_{[q]} \cap X_{[q']}$. From the construction of our HLPUF in Construction 2, winning the universal unforgeability game against the HLPUF $E^L_f$ implies winning the universal unforgeability game against $E_{f_2}$. Hence, we can rewrite Equation (60) in the following way: $\Pr_{X,X_{ad}}[1 \leftarrow G^{E_{f_2}}(A_{ad}, m, X, X_{ad})] \geq \text{non-negl}(m)$. (61) Note that if the adaptive adversary manages to get non-abort outcomes from the HLPUF for all $X_i \in X_{ad}$, then from Construction 2 we get $1 \leftarrow G^{E_{f_1}}(A_{ad}, m, X_i, X_{ad})$. Due to the unforgeability assumption of Equation (59), we get $\Pr_{X,X_{[q]}}[1 \leftarrow G^{E_{f_1}}(A_{weak}, m, X, X_{[q]})] = \Pr_{X,X_{ad}}[1 \leftarrow G^{E_{f_1}}(A_{ad}, m, X, X_{ad})]$. (62) Note that the main difference between adaptive and weak adversaries lies in the choice of the query set. If we fix the query set $X_{ad}$, then both the adaptive adversary $A_{ad}$ and a weak adversary can extract the same amount of information from the responses corresponding to the query set $X_{ad}$; therefore, their winning probabilities in the universal unforgeability game become equivalent. This implies that we can rewrite Equation (62) accordingly as Equation (63). By combining Equation (62) and Equation (63), we get that the random variables $X_{[q]}$ and $X_{ad}$ are equivalent. From the universal unforgeability property of the PUF $E_{f_2}$ against any q-query weak adversary, we get $\Pr_{X,X_{[q]}}[1 \leftarrow G^{E_{f_2}}(A_{weak}, m, X, X_{[q]})] \leq \epsilon(m)$. (64) As the random variables $X_{[q]}$ and $X_{ad}$ are equivalent, we get $\Pr_{X,X_{[q]}}[1 \leftarrow G^{E_{f_2}}(A_{weak}, m, X, X_{[q]})] = \Pr_{X,X_{ad}}[1 \leftarrow G^{E_{f_2}}(A_{weak}, m, X, X_{ad})] = \Pr_{X,X_{ad}}[1 \leftarrow G^{E_{f_2}}(A_{ad}, m, X, X_{ad})] \leq \epsilon(m)$, (65) where the second equality follows from the fact that for a fixed query set $X_{ad}$ the adaptive adversary $A_{ad}$ and the weak adversary $A_{weak}$ become equivalent. Note that at most one of Equation (61) and Equation (65) can hold. Equation (65) holds because of the unforgeability of $E_{f_2}$. Hence, our assumption in Equation (61) is wrong, and therefore Equation (60) does not hold either.
Hence, by proof by contradiction, the adaptive adversary cannot win the universal unforgeability game against the HLPUF $E^L_f$ with non-negligible probability. This concludes the proof.

I.6 Proof of Challenge Reusability
In this subsection, we give a detailed security analysis and proof for the challenge reusability discussed in Section F. First, we introduce the tools and the uncertainty relation that we need for the proof, mostly from [15]; then we give the formal statement and proof of Theorem 5. Heisenberg's uncertainty principle is one of the most important fundamental properties of quantum mechanics and is, mathematically speaking, due to the non-commutativity of certain observables, such as the Pauli X and Z measurements. Reformulating these relations in terms of entropic quantities has been very useful in the foundations of quantum information and has also been widely used in the security proofs of different quantum communication protocols such as QKD. The most well-known uncertainty relation for these operators was given by Deutsch [20] and later improved [43] as follows: $H(X) + H(Z) \geq \log_2 \frac{1}{c}$, (67) where $c$ denotes the maximum overlap between any two eigenvectors of X and Z, i.e. $c = \max_{x,z} |\langle x|z\rangle|^2$. Usually, one considers a quantum system A whose state is described by a density matrix $\rho_A$ on a finite-dimensional Hilbert space. If the measurements are performed in the X and Z bases (or, equivalently, any other pair of mutually unbiased bases), then the measurements are projective operators that project the state onto the subspaces spanned by those bases. In the most general case, the measurements are sets of POVM operators on system A, denoted $\{M_x\}_x$ and $\{N_z\}_z$, and the general Born rule gives the probabilities of obtaining outcomes x and z as $p(x) = \mathrm{tr}(M_x \rho_A)$ and $p(z) = \mathrm{tr}(N_z \rho_A)$. In this case, Equation (67) still gives the generalised uncertainty relation, with the difference that $c$ is defined as $c = \max_{x,z} \|\sqrt{M_x}\sqrt{N_z}\|_\infty^2$.
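For the qubit X and Z bases the maximum overlap is $c = 1/2$, so Equation (67) gives $H(X) + H(Z) \geq 1$ bit. This can be sanity-checked numerically on random pure states (a quick illustration, not part of the proof):

```python
import numpy as np

def shannon(p):
    """Shannon entropy in bits, ignoring numerically-zero probabilities."""
    p = p[p > 1e-12]
    return float(-(p * np.log2(p)).sum())

rng = np.random.default_rng(1)
hadamard = np.array([[1, 1], [1, -1]]) / np.sqrt(2)
for _ in range(100):
    psi = rng.normal(size=2) + 1j * rng.normal(size=2)
    psi /= np.linalg.norm(psi)
    pz = np.abs(psi) ** 2            # Z-basis outcome probabilities
    px = np.abs(hadamard @ psi) ** 2  # X-basis (|+>, |->) outcome probabilities
    # Maassen-Uffink bound: H(X) + H(Z) >= log2(1/c) = 1 since c = 1/2 here
    assert shannon(px) + shannon(pz) >= 1 - 1e-9
```

States saturating the bound are exactly the basis states of either measurement (e.g. $|0\rangle$ gives $H(Z) = 0$ and $H(X) = 1$), which is the trade-off the challenge-reusability argument exploits.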