Continuous-variable quantum authentication of physical unclonable keys

We propose a scheme for authentication of physical keys that are materialized by optical multiple-scattering media. The authentication relies on the optical response of the key when probed by randomly selected coherent states of light, and the use of standard wavefront-shaping techniques that direct the scattered photons coherently to a specific target mode at the output. The quadratures of the electromagnetic field of the scattered light at the target mode are analysed using a homodyne detection scheme, and the acceptance or rejection of the key is decided upon the outcomes of the measurements. The proposed scheme can be implemented with current technology and offers collision resistance and robustness against key cloning.

Entity authentication (sometimes also referred to as identification) is one of the most important cryptographic tasks, in which one party (the verifier) obtains assurance that the identity of another party (the claimant) is as declared, thereby preventing impersonation 1 . Techniques for identification typically rely on (i) something that the claimant knows (e.g., a secret password or numerical key); (ii) something that the claimant possesses (e.g., a physical token or card); or (iii) something inherent (e.g., biometrics). The first two techniques are purely cryptographic and are used extensively for everyday tasks (such as transactions in automatic teller machines). High levels of security can be achieved by means of dynamic entity authentication protocols (EAPs) that combine techniques (i) and (ii), through a challenge-response mechanism 1,2 . More precisely, before any authentication, the user is given a physical key (token or smart card) and a short personal identification number (PIN), which has to be kept secret. The authentication then relies on a publicly-known cryptographic algorithm, such as for instance a symmetric algorithm involving a numerical key that is shared between the verifier and the token. First, the PIN is used to verify the user to the token; if the PIN is correct, the verifier proceeds by generating a number of random and independent numerical challenges, and for each one of them the token computes a response based on the implemented algorithm and the shared key. The user is authenticated only if all of the responses agree with the ones expected by the verifier. An impersonation attack against such a dynamic EAP is difficult but not impossible, especially when the PIN is not well protected. The main weakness of the protocol stems from the fact that traditional physical keys can be cloned 3 , thereby enabling potential hackers to impersonate successfully legitimate users.
The development of cloning-resistant EAPs is of particular importance for the field of cryptography, and optical schemes are currently considered to be among the most promising candidates 3 . In optical EAPs, the physical key is materialized by an optical multiple-scattering random medium, which is probed (or interrogated) by light pulses (probes) [3][4][5][6][7][8][9][10][11][12][13] . Such disordered keys are considered to be practically unclonable because their full characterization involves a large number of degrees of freedom, and they are usually referred to as physical unclonable keys (PUKs) or functions (PUFs). Their optical response to a probe depends on the details of their internal disorder, as well as on different parameters of the probe. Typically, an optical EAP has two stages 4,5 . The enrolment stage takes place only once, before the key is given to the user, and aims at its full characterization by the authority responsible for the distribution of the keys. To this end, the key is subject to a large number of random challenges (i.e., it is interrogated by large number of probes with different parameters), and all of the challenge-response pairs (CRPs) are stored in a database together with the PIN. In the verification stage, the user inserts his key in a verification device and types in his secret PIN. If the PIN is correct, the verifier has to decide whether the key with the given PIN is authentic or not. Assuming that the verifier has access to the database, the verification is achieved by interrogating the key with a moderate number of probes, whose parameters are chosen at random Results Authentication set-up. A realization of the proposed EAP is shown in Fig. 1, and consists of the probe state preparation set-up, the interrogation chamber, and the homodyne-detection (HD) set-up (chamber). Except for the HD, the scheme is similar to the wavefront-shaping set-up used for the control of light scattered by a disordered multiple-scatering medium (to be referred to hereafter as the key) [16][17][18][19][20][21][22][23][24][25] . The laser beam at wavelength λ is split into two parts: a weak probe that is sent to the wavefront shaping set-up, and a strong local oscillator, which will serve as a reference in the HD of the scattered light. The key is assumed to have a slab geometry with thickness L and mean free path  l L. In the diffusive regime, i.e. for λ    l L L abs , where L abs is the absorption length, light undergoes multiple scattering events in the key, and the process can be described in terms of a finite number of discrete input and output transverse spatial modes [26][27][28][29] . Using a phase-only spatial light modulator (SLM), one can control the phases of the incoming modes, thereby directing coherently the main part of the scattered light into a prescribed outgoing mode (to be referred to hereafter as the target mode) [16][17][18][19][20][21][22][23][24][25] . For a given key, Figure 1. Schematic representation of the authentication protocol. The output of the laser is injected into a single-mode fiber (SMF) and then split, using an unbalanced fiber coupler (UFC), into a large fraction that serves as the local oscillator (LO) and a small fraction that serves as the probe in the verification. The phase of the probe relative to the LO is adjusted using a phase modulator (PM), and the challenge is obtained by modulating the wavefront of the probe using a phase-only spatial-light modulator (SLM). The challenge is then focused on the key, and the scattered (reflected) light is coupled out by means of a polarizing beam splitter (PBS), which ensures the collection of light that has undergone multiple scattering in the key 23 . The phase mask of the SLM is adjusted so that the scattered light is focused on one of the transverse modes of the output plane, where it is coupled to a SMF. The quadratures of the electric field of the scattered light are measured using a standard homodyne detection (HD) set-up involving a phase modulator in the LO path, a balanced fiber coupler (BFC) and two photodiodes. The laser source, the interrogation chamber and the HD chamber are considered to be well-separated and connected via SMFs.
Scientific RepoRts | 7:46047 | DOI: 10.1038/srep46047 one can select different target modes by changing accordingly the phase mask of the SLM. Moreover, different output transverse modes can be addressed by a single-mode fiber (SMF), which can be translated on the output (optical) plane in a controlled manner, provided that the overall imaging system is optimized so that the diameter of a single speckle grain matches the diameter of the mode of the SMF 23,24 . Formalism. Throughout this work we adopt the Heisenberg picture, because it facilitates the comparison with the classical setting. Following existing literature [26][27][28][29] , for the sake of simplicity we assume  incoming and  outgoing modes on each side of the key (see Fig. 2). However, our analysis is expected to remain valid more generally, with appropriate adjustment of the formulas below. In the set-up of Fig. 1 the target mode is one of the  outgoing modes on the left of the key (labelled by  ∈ … s {1, 2, , }), which is coupled to a SMF, and let b s be the corresponding annihilation operator for a photon (see Fig. 2). Only incoming modes on the left of the key are initially populated and are controlled by the SLM, whereas all the incoming modes on the right of the key are in vacuum. Hence, one readily obtains 28,29  where 〈 ·〉 denotes quantum mechanical expectation value, ĉ j is the annihilation operator for a photon in the j-th incoming mode on the left of the key, and {R s,j } are the electric-field reflection coefficients from the j-th incoming mode to the target mode. The latter depend on the realization of the disorder in the medium and can be treated as independent complex Gaussian random variables that satisfy [26][27][28][29] where the over-line denotes (classical) ensemble average over all disorder realizations. The main assumptions underlying this "Gaussian-statistics model" are summarized in the Methods. By analogy with Eqs (1) and (2), the coupling of the SMF at the input of the verification set-up to the incoming modes at the exit of the SLM can be modelled by equations of the form where â is the annihilation operator for a photon in the mode of the fiber and g j is the electric-field transmission coefficient from the fiber's mode to the j-th incoming mode. Analogous models have been employed in various contexts in physics for the description of outcoupling from cavities and waveguides 30,31 . The specific form of the coefficients {g j } depends on the details of the mechanism that governs the coupling between the mode of the fiber and the modes at the exit of the SLM, and is not needed for the purpose of this work. For what follows, however, Figure 2. Schematic representation of the incoming (solid arrows) and outgoing (dashed arrows) modes with respect to the disordered key. All of the  incoming modes on the right of the key (magenta arrows) are initially in vacuum, which implies ′ = c 0 j for all = … j 1, 2, ,  . Only incoming modes on the left of the key (red solid arrows) are initially excited, with their relative phases optimized so that the main part of the reflected light is collected in a particular outgoing mode, which is addressed by a SMF (corresponding annihilation operator b s ). The collected light is transferred to the HD chamber, where it is analysed. The transmitted light (dashed orange arrows on the right of the key) is not monitored in our set-up, and the corresponding equations are not of relevance.
it is important to emphasize that these coefficients are in general complex numbers that satisfy τ ∑ | | = ≤ g 1 j j 2 , where the constant τ accounts for possible losses. Contrary to the reflection coefficients {R s,j }, the coefficients {g j } are independent of the key, and are expected to be fully determined by the details of the verification set-up (e.g., wavelength of the light, cross section of the fiber, separation of various elements, etc). Throughout this work we will be interested in a fixed verification set-up, with publicly known specifications, which means that {g j } have to be considered as publicly known constants as well.
The set of angles in Eq. (4) refer to the phase mask of the SLM, and may or may not be optimized with respect to the particular target mode (denoted by s). In the absence of optimization, the scattered light is distributed among the various modes at the output, with the precise form of the corresponding intensity distribution (speckle pattern) depending on the realization of disorder. By optimizing the phase mask of the SLM one can maximize the concentration of scattered light in the target mode s. The optimization may involve feedback algorithms, in which the phase mask of the SLM is optimized with respect to the intensity (or power) of the scattered light in the target mode 17,32,33 . Alternatively, an optimal phase mask can be found by means of the experimental estimation of the scattering matrix of the key 22 . The directional concentration of scattered light in the target mode is never complete, because light will be unavoidably scattered in other outgoing modes as well. Hence, the amount of control one has over the propagation of light in the disordered key is usually quantified by the intensity enhancement  i.e., the ratio of the intensity in the target mode after optimization, to the ensemble-average intensity in the absence of optimization 17,32,33 . Generalizing this classical definition to a quantum setting we have s s no in the denominator is the corresponding ensemble-average mean number of photons in absence of optimization. From now on, Φ s opt ( ) will denote the optimal phase mask that maximizes the number of scattered photons in the target mode s, for a given key. For the sake of simplicity, the dependence of Φ s opt ( ) on the key (i.e., on the realization of the disorder), will not be explicitly shown. The above formalism is rather general, in the sense that so far there have been no explicit assumptions about the quantum state of the probes that are used in the interrogation of the key. The proposed EAP uses coherent states of light, and relies on standard HD techniques. In particular, we treat the states of the local oscillator (LO) and the probe as single-mode coherent states, |α LO 〉 and α µ = ϕ e P P i P respectively, where μ P is the mean number of photons in the probe and ϕ P is a relative phase with respect to the LO. The coherent state |α P 〉 is an eigenstate of â with eigenvalue α P , and thus , and (7) Using Eqs (1), (4) and (7) we obtain i j with the case of uniform illumination of the SLM obtained for τ = g / j . The analogy of Eq. (8) to equations used in the analysis and the implementation of wavefront-shaping with classical light sources 17 , stems from the use of coherent probe states, and the preservation of coherence throughout the wavefront-shaping and the scattering. The latter is reflected in the linearity of the input-output equations (1)(2)(3)(4)(5), which in view of Eq. (7) imply s s s 2 Equation (8) determines the expectation value of the electric field in the mode of the fiber. The quadrature amplitudes of the field can be measured by means of HD, with the LO serving as the required reference 30 . By adjusting the LO phase θ, one measures the generalized quadrature amplitude Assuming that the LO field is much stronger than the total scattered field (i.e., for α α  LO P ), the outcome of such a measurement is a real random number q which, to a good accuracy, follows a Gaussian distribution 34 with the shot noise σ η  1/ 2 , where η ≤ 1 is the detection efficiency. Hence, the measurement of the quadrature θ Q ( ) s is equivalent to sampling from the distribution (10). Throughout this work we focus on the measurement of the real X s and imaginary Ŷ s quadratures, corresponding to Q (0) π/2, respectively. In the framework of our protocol, we will refer to as the response of the key to the probe state |α P 〉 .
The above expressions and observations are applicable to the cases of both optimized and non-optimized no no no  denote the response of the key in the absence of SLM optimization, where X s no and Ŷ s no are the centres of the photocount distributions for θ = 0 and π/2, respectively. Both of X s no and Ŷ s no depend on the realization of the disorder, and statements can be made only for ensemble averages. Using Eqs (8) and (9) for =b b s s no , as well as the independence of {R s,j } and Eq. (3), one readily obtains is the total mean number of photons in the challenge, at the exit of the SLM. Hence, using the above relation between s (no)  and b s no we have For a given realization of disorder, when the SLM is optimized so that the scattered light is mainly directed to the target mode s, the response of the key will be denoted by , and the photocount distributions for θ = 0 and π/2 are expected to be centred at X s o and Ŷ 4 . From Eq. (10) and the above discussion, we have s which is independent of θ π ∈ {0, /2}, and depends only on the ratio δ/σ. This is because for both values of θ, the bin is centred at the centre of the Gaussian distribution of Eq. (10). Moreover, Eq. (14) is valid for both optimized and non-optimized SLM, provided that the bin is defined for s  without knowing all of these pertinent quantities.
Entity authentication protocol. We assume that the set-ups used for the enrolment and the verification stages of the EAP are the same. All of their specifications (i.e., losses, imperfections, detection efficiency, wavelength of light, etc) together with δ and convergence parameters ε, ζ  1, are publicly known. As will become clear below, ε and 1 − ζ are the error and the confidence levels in the verification stage of the EAP, respectively. Hence,  θ Pr ( in , ) s becomes a publicly known constant that will be denoted by P in . For the sake of clarity, we will discuss the protocol in the framework of coherent states with the same amplitude but different phases. However, the protocol can also be implemented with states that differ both in phase and in amplitude, and the generalization of the following results and observations to this case is straightforward. Let Note that the states in  are uniquely identified by the values of the integer k. Enrolment stage. Each key is associated with a single target mode s chosen at random from the set of all accessible target modes in the set-up. In the enrolment stage, the first task of the enroller is to find the optimal phase mask Φ s opt ( ) for the SLM that directs the scattered light to the particular target mode. A classical light source and known techniques 17,21,22 can be used to this end, because an optimal phase mask works in the same way in the classical and the quantum regimes 19,23,25 . Subsequently, for each  α ∈ k the key is interrogated by many probes (each one prepared in |α k 〉 ), with the phase mask of the SLM set to Φ s opt ( ) , and for each probe one of the quadratures of the field in the target mode is measured. In a standard HD set-up, the enroller has to switch randomly between θ = 0 and θ = π/2 so as to obtain sufficiently large samples for a reliable estimation of both X s o and Ŷ s o , and thus of the corresponding optimized response  α ( ) . For the sake of clarity, the dependence of s (o)  on the scattering matrix of the key and the phase mask of the SLM is not explicitly shown here. It is essential for each one of the possible probe states, to estimate the response α ( ) with accuracy higher than the accuracy to be used in the verification. For a fixed probe state |α k 〉 , the samples that are obtained for the estimation of either of the two quadratures are assumed to be independent and identical. Hence, from the central-limit theorem we have that, with high probability, the absolute error in the estimation of either where M e is the sample size used in the estimation of one of the quadratures for the given probe state (see Methods below). Given that the enrolment is performed only once by the authority that creates and distributes the keys, well before they are given to the users, it is reasonable to assume that the enroller has all the freedom to obtain as large samples as needed for the error to satisfy ξ ε  . Repeating the same procedure for both quadratures and for all of the states in , the enroller can form a list of challenge-response pairs (CRPs), with each pair given by , which has to be stored in a secure database and will be used for the authentication of the key.
Verification stage. When a user gives the key for authentication, the verifier contacts the database over a secure authenticated classical channel to obtain the pertinent list of CRPs. The verification stage involves  M 1 identical sessions, and proceeds as follows. Given that the verifier is the one who chooses randomly the CRP in each session, he is also able to choose the bin so that its centre coincides with the centre of the expected photodetection distribution for the true key (namely, |q X Pr( ) s o and |q Y Pr( ) s o for θ = 0 and π/2, respectively). Hence, in the limit of → ∞ M , one expects p in → P in . On the contrary, as will be explained below, a false key will result in estimates that deviate from P in , and thus the verifier could always detect such a key if he could perform an arbitrarily large number of sessions. This is, however, not possible in practice. Our EAP can be useful in practice only if the verification stage is quick, which means that only a moderate number of sessions can be applied during verification. As a result, there will be statistical deviations of the empirical probability p in from the theoretical probability P in , in addition to the deviations that are due to a false key. Distinguishing between deviations of different origin is impossible, but the verifier can bound the statistical deviations by choosing M sufficiently large. According to the Chernoff bound (see Methods) 35 for some ζ  1 and ε  P in , then the probability for the estimate p in to deviate from P in by more than ε is bounded from above by ζ, i.e., ε ζ − ≥ < p P Pr ( ) in in . Hence, for any M > M th , the verifier can be 100(1 − ζ)% confident that for the true key the statistical deviations cannot exceed ε. This implies that if the verifier obtains an estimate such that |p in − P in | ≥ ε, then he can be confident that with high probability the observed deviations are due to a false key.
In closing, we would like to emphasize once more the fundamental difference between the enrolment and the verification stages. By definition, the enrolment is performed only once, by the authority that creates and distributes the keys, and it aims at the accurate characterization of a key with respect to its response to all of the possible probe states. It is natural, therefore to assume that the enroller has all the time needed so that the accuracy in the estimation of the response of the key to a particular probe state, is considerably higher than the accuracy in the verification stage. By contrast, the verification stage takes place each time the holder of a key has to be authenticated, and the verifier has to decide on the acceptance or rejection of a key as quickly as possible. Hence, it is crucial for the sample size in the verification stage to be "small" enough so that it can be obtained within a reasonable period of time (say seconds), and at the same time "large" enough to ensure a reliable verification. This point will be made clearer in the following sections. Security aspects. In order for our EAP to be useful in practice, it has to offer collision resistance and high sensitivity to the randomness of the key 4,5 . Assuming a tamper-resistant verification set-up, in this section we address both of these issues. For the security analysis, it is worth keeping in mind two aspects of the EAP: the phase mask of the SLM is optimized with respect to the true key and a randomly chosen output mode, and in each session of the verification stage the CRP and the LO phase are chosen at random and independently by the verifier, and they are never revealed.
Collision resistance. Collision resistance refers to the protocol's capability of distinguishing between two randomly chosen keys, and its importance is twofold 1,2,4,5 . First, it implies that the EAP can distinguish between different honest users who are holders of random and independently prepared keys. Second, it is not possible to cheat on a collision-resistant EAP by using a randomly chosen false key.
To gain some insight into the operation of the EAP, let us focus first on a single session, with the typical situation for the response of the true key and a false key summarized in Fig. 3. The main observation is that, with high probability, the response of a false key lies close to the origin (0, 0) of the phase representation shown in Fig. 3(a), inside or very close to a circular area of radius Fig. 3(a)], whereas the response of the true key lies well outside this area [see star in Fig. 3(a)], with its precise location determined by the enhancement  and the probe state. This behaviour can be explained easily, if we note that the phase mask of the SLM is not optimized with respect to the false key, and Eq. (12) implies that the quadratures of the scattered field will , with high probability. By contrast, when the true key is interrogated, the SLM is optimized, and from Eq. (13) we have that either For the parameters used in Fig. 3(a), we have ρ f = 10, E N π   /4 201, and ρ .  35 5 t , which correspond to the depicted behaviour.
These observations hold for any session, where in each session the verifier chooses at random the quadrature to be measured, and checks whether the outcome falls within a bin that is centred at X s o or Ŷ s o , for θ = 0 and π/2 respectively. Given that both quadratures X s and Ŷ s are treated equally, after  M 1 sessions the verifier has obtained samples from both distributions. As discussed earlier, for the true key the centres of the sampled distributions coincide with the centres of the bins and, irrespective of the measured quadrature, the theoretical probability for the outcome to fall in the bin is P in [see Fig. 3(b)]. By contrast, in the case of a false key, the samples are obtained from Gaussian distributions of the form of Eq. (10), centred at X s no and Ŷ s no , and we have either . Hence, recalling that  ρ ρ = /4 t f , and for sufficiently large values of , we expect negligible overlap between one of the sampled distributions and the corresponding bin [see Fig. 3(b)], thereby resulting in a significant deviation of the empirical probability p in from the theoretical probability P in .
In practice, we would like to have as large deviations as possible so that the detection of a false key is guaranteed. To this end, it is sufficient to impose the condition ρ . This is because, according to the Gaussian distribution of Eq. (10), outcomes q with s occur with probabilities that are at least two orders of magnitude smaller than the maximum probability corresponding to the outcome θ =q Q ( ) s . Assuming 0.5 ≤ η ≤ 1, the worst case scenario is for σ = 1, and using the above expressions for ρ t and ρ f one readily obtains Condition (17) ensures the detection of a false key, because it implies that for at least one of the quadratures, the corresponding distribution has negligible overlap with the bin used by the verifier, and hence that it will have negligible contribution to the estimation of p in . Typically, the number of modes  and the enhancement  depend strongly on the details of the wavefront-shaping set-up, whereas the fraction l/L depends only on the key. For a fixed wavefront-shaping set-up, and assuming that the keys used in the EAP are characterized by the same ratio l/L, one can easily adjust the mean number of photons per incoming mode, μ c /N, so that the above condition is satisfied. As shown in Fig. 4, condition (17) is satisfied in many existing wavefront-shaping set-ups, for a broad range of mean photon number per mode values. To confirm the above observations, we have performed simulations of the EAP for various combinations of parameters. More details about our simulations can be found in the Methods section, and in Fig. 5 we present an example of our results. Clearly, with high probability the false key results in an estimate p in , which is about an order of magnitude smaller than the expected probability P in , and thus it will be detected by a verification test with any error ε < 1. At the same time the true key results in an estimate that satisfies ε − < p P in in , and thus it will pass the verification test. Condition (17) is readily satisfied for the parameters used in Fig. 5  ), leading to the depicted difference between P in and p in in the case of a false key.
Sensitivity to cloning. Although perfect cloning of PUKs is considered to be practically impossible, imperfect cloning cannot be excluded 4,5,11 . The question therefore is whether our EAP is capable of distinguishing between the true key and a clone of it. To address this question, we modelled a D-close clone by a scattering matrix, which differs from the scattering matrix of the true key in a fraction of elements D ≤ 1. Hence, the quality of the clone increases with a decreasing D, with D = 0 and D = 1 corresponding to a perfect and a totally randomized clone, respectively. A D-close clone is expected to pass the verification test if its response to the M random challenges is such that, with high probability, the estimated probability p in satisfies ε − < p P in in . But, how good a clone should be in order for this to happen?
The typical response of D-close clones relative to the response of the true key is shown in Fig. 6. We see that for values of <  D 1%, the response of D-close clones lies very close to the response of the true key. In this case, one may expect high probability for a clone to result in a probability p in very close to P in . As D increases, however, the responses of the clones move rapidly away from the response of the true key, and p in is also expected to move away from P in . This behaviour is clearly shown in the probability distributions of Fig. 7(a). As a result, the  Each red bar gives the probability for a false key to result in an estimate p in that lies in an interval [p, p + dp). We also show the theoretically expected probability P in , given by Eq. (14), together with the estimate for the true key for the given M. The vertical dashed lines define P in ± ε. The probabilities have been obtained by simulating the verification of 500 randomly chosen false keys, as well as the verification of the true key (for which the phase mask of the SLM is optimized). Note that the histogram for the false keys is peaked at a distance which is about an order of magnitude away from P in , whereas the estimate for the true key satisfies |p in − P in | < ε. Parameters: = 121  modes, uniform illumination of SLM, τ = 0.8, η = 0.55, δ = 2σ, dp = 0.01, ε = 0.05, l/L = 0.2, μ P = 2500, N = 11.
Scientific RepoRts | 7:46047 | DOI: 10.1038/srep46047 probability for a D-close clone to pass the verification test, i.e., to result in an estimate p in such that ε − < p P in in , decreases rapidly with increasing D [see Fig. 7(b)]. Note that for fixed D and  , this probability is expected to decrease with decreasing error ε, because the accuracy in the estimation of P in increases in this case. Figure 7(b) suggests that for  ≥ 256 and ε ≤ 5 × 10 −2 , the scattering matrix of a clone should differ from the one of the key in a small fraction of elements (smaller than 3% or so), in order for the clone to have a non-negligible probability to pass the verification test. Cloning of such a high quality is a formidable challenge for today's technology, because it requires the exact positioning (on a nanometer scale) of millions of scatterers with the exact characteristics 4,11 . It is also worth noting here that according to the results of Figs 6 and 7(b), the robustness of the EAP against cloning appears to increase considerably with an increasing number of modes. This finding suggests that if the protocol is realized using existing wavefront shaping set-ups, which have been shown capable of controlling thousands of modes, then the probability for a clone with ≈ D 3% to pass the verification test will be at most 10 −3 . We remark that we have performed simulations for many different combinations of parameters, but for practical reasons we have presented results for certain representative combinations only. The main findings and conclusions presented here hold for all of the combinations we have studied, and we expect that they are generally valid.

Discussion
In the present form of the EAP, the number of sessions that can be performed within a prescribed period of time, is mainly limited by the separation distances of the various components of the set-up, and the HD bandwidth. Assuming that the different components of the set-up (laser source, interrogation chamber and HD set-up) are located in neighbouring rooms, the typical total distances to be travelled by the probe and the scattered light are of the order of tens of meters. HD bandwidth is typically ~10-100 MHz depending on the specific implementation. Hence, the time of a single session, i.e., the time that it takes for a pulse to propagate from the laser source to the key, and from there to the HD set-up where it will be analysed, is estimated to be less than a microsecond. According to Eq. (16), verification tests of error ε × −  1 10 3 and confidence 99.9% require . ×  M 2 3 10 7 sessions, and the total verification time is expected to be a few seconds.
Our EAP is the first one to rely on conjugate quantum continuous variables, and provides a practical way to secure authentication of optical PUKs without the need for photon counting. Assuming a tamper-resistant verification set-up, we have shown that the protocol offers collision resistance and robustness against cloning. Moreover, it is worth emphasizing that, as long as the verification set-up is tamper resistant, a compromised database does not affect the security of the protocol. Indeed, even if an adversary has access to the list of CRPs to be used for the authentication of a key, the sequence of probe states as well as the sequence of the quadratures to be measured in M sessions, are not a priori known. They are chosen at random during the verification, and the probability for an adversary to guess correctly both sequences is  −  ( 2 ) 1 M , for  ,  M 1. Collision resistance and robustness against cloning are necessary for our EAP to be useful in practice 1,2,4,5 . Its security against cheating strategies, where an adversary has access to the verification set-up, goes beyond the scope of the present work, and requires an in-depth description and analysis of the strategy under consideration. We do point out, however, that a prerequisite for the successful implementation of such attacks is that the adversary has access to the challenge states (or equivalently to the interrogation chamber), as well as to the LO, without being noticed by the verifier. The proposed fiber-based implementation of our scheme allows for the spatial separation of the interrogation chamber from the laser source and the HD set-up (e.g., they may be located in nearby rooms). The LO never enters the interrogation chamber, and an adversary who has access to this chamber only does not have access to the reference frame used for the definition of the quantum state of the probes. Finally, it is worth emphasizing that the only constraints on the mean number of photons of the probe are the ones imposed by Eq. (17). This is because we have assumed that the verification set-up is tamper-resistant. The security of the protocol against attackers who have access to the verification set-up may require additional constraints on the mean number of photons in the probes, as well as on the size of the set of states  . Such security analysis depends strongly on the details of the attack under consideration, but it will rely on the fact that the quadrature components of the electric field do not commute, and thus by virtue of Heisenberg's uncertainty relation, they cannot be determined simultaneously with arbitrary accuracy.

Methods
The Gaussian-statistics model. The model (3) assumes that we are in the diffusive regime, and the key consists of a large number of independent totally unrelated elementary scattering areas 26,33 . The electric field of the scattered light at a particular observation point consists of a multitude of de-phased contributions from different scattering areas, and thus its amplitude can be expressed as a sum of many elementary phasor contributions. As a result of the occurrence of multiple scattering events, the amplitude of each phasor bears no relation to its phase, while the latter is uniformly distributed over [− π, π]. Under these conditions, the central-limit theorem implies that the scattering problem can be described in the framework of a scattering matrix with independent identically distributed random entries of Gaussian statistics. These conditions have been shown to be satisfied in many experimental set-ups [26][27][28][29] , and the Gaussian-statistics model yielded results that were in excellent agreement with experimental observations. Sample size in the enrolment stage. The two quadratures of  α are the centres of Gaussian distributions of standard deviation σ. We assume that the quadratures are estimated by sampling at random and independently from the corresponding Gaussian distributions. Consider one of the quadratures, say X s o . It will be approximated by the sample mean, which is also a random variable and according to the central-limit theorem, it follows a Gaussian distribution centred at X s o and with standard deviation where M e is the sample size. Hence, the probability to obtain estimates outside the interval is at most 10 −6 . In other words, it is highly unlikely for the error in the estimation of the quadrature to exceed ξ = M 5/ e , where we have assumed that σ ≤ 1. As mentioned in the main text, the sample size M e has to be such that ξ ε  , where ε is the error in the verification test. These arguments hold for the estimation of either of the two quadratures for a given probe state, and assuming that both quadratures and all of the probe states are treated equally, the total sample size is = × × M N M 2 e t e ( ) (for a standard HD set-up). Even for moderate values of N > 2, the total sample size M e t ( ) is expected to be considerably larger than the sample sizes typically used in the verification stage. Assuming identical enrolment and verification set-ups, we can use the parameters of the Discussion above, in order to obtain an estimate for the duration of an enrolment stage with N = 10, ε −  10 3 and ξ ε .  0 1 . The total sample size is 10 , while the typical sample time is expected to be less than a microsecond. Hence, the enrolment stage will last less than 14 hours, which is not in any case prohibitive, given that the enrolment is performed only once by the manufacturer, well before a key is given to a user.
Sample size in the verification stage. In our EAP, the verification relies on the estimation of the probability P in , which refers to the probability for an outcome that is drawn at random from the Gaussian distribution (10), to fall within an interval (bin) of size δ. To estimate the sample size (i.e., the number of sessions) required for the reliable estimation of P in , we can introduce a binary random variable for the ith session, say ω i , which refers to whether the outcome of the measurement in the ith session falls or not within the specified bin. In particular, let ω i be 1 when the outcome lies inside the interval, and 0 otherwise. The former occurs with probability P in , and the latter with probability , where ζ  1 is the uncertainty, and ε  P in the absolute error. To this end, it is sufficient to ask for for 0 < P in < 1. To enforce condition (18), we ask for the upper bound in the last expression to be less than ζ. Subsequently, solving for M one readily obtains that the sample size has to be larger than M th , where M th is given by Eq. (16).
Simulations. We performed simulations for various combinations of parameters, and for each set of parameters we worked as follows. We generated  reflection coefficients of the true key, using a generator of complex Gaussian random variables with the characteristics of Eq. (3). Subsequently, we found the optimal phase mask of the SLM that maximizes the number of scattered photons in a prescribed target mode, using known algorithms 17 . The false keys and the clones were generated along the same lines. Each false key pertained to a set of  random and independently chosen reflection coefficients, whereas for a D-close clone we substituted × D  of the reflection coefficients of the true key by fresh random and independently chosen coefficients. The elements that were substituted were also chosen at random and independently.
Each key (true, false or clone) was interrogated by M probes, with the state of each probe chosen at random and independently from a uniform distribution over a finite set of prescribed coherent states. In each session, i.e., for each probe state, b s was obtained from Eq. (8), using the reflection coefficients for the true key, the false key, or the clone, while the phase mask for the SLM was always set to the optimal configuration that maximizes the light that is scattered from the true key to the target mode s. Having estimated b s , we chose θ at random from a uniform distribution over {0, π/2}. In accordance with the theory of HD, the outcome of a measurement of the quadrature θ Q ( ) s was simulated by a real random variable, which was chosen from a Gaussian distribution centred at θ Q ( ) s and with standard deviation σ η = 1/ 2 . At the end of the session we checked whether the outcome falls within the bin θ B [ , ] s (o)  or not. By performing this procedure for a large number of random and independently chosen false keys, and clones, we obtained sufficiently large samples to estimate the probabilities shown in the figures. It is worth emphasizing that different random generators were employed in our simulations, so that to ensure independence of the drawn random numbers. Finally, we note that for practical and numerical reasons, the number of sessions in our simulations could not exceed 10 3 . Our results, however, show that this number was sufficient for the verification stage to identify successfully the true key and to detect the false keys and the clones, which suggests that M th is not a tight lower bound on the required number of sessions.