Featured Post

Tracking air pollution disparities -- daily -- from space

Studies have shown that pollution, whether from factories or traffic-snarled roads, disproportionately affects communities where economicall...

Tuesday, August 18, 2020

Goodbye Passwords, Hello ‘Unbreakable’ Quantum IDs Containing 1,000 Trillion Atoms


The problem with passwords is that they are just too vulnerable, be that from weak construction, reuse or data breaches. In the world of supply chain product authentication issues of theft and interception come to the fore when passwords are on the security debate agenda. Things are not a whole heap better when it comes to holograms or QR codes, to be honest, where imitation is rife.


Solving the supply chain counterfeit problem has taken on a whole new level of urgency in the new COVID-19 pandemic reality. Criminal enterprise has seized the despicable opportunity the global demand for medicines and medical supplies that the pandemic has presented, and the illicit trade in counterfeit goods has exploded as a result.


But what if there were an 'unbreakable' product authentication methodology that promised to make counterfeiting impossible?


Welcome to the atomic-scale digital ID world that might just be the next big thing when it comes to securing the supply chain.


Lancaster University start-up Quantum Base is a U.K. company that claims its patented Q-ID optical authentication tags are impossible to copy because each nano-scale device contains 1,000 trillion atoms. This, Quantum Base says, would take the most powerful scanning probe microscopes on the planet about the age of the universe, 13 billion years give or take, to produce an identical clone.



Recommended For You

What's more, Quantum Base is working right now with a "major manufacturer" to mass-produce this authentication system from the future.




IsoLab at Lancaster University is a suite of 3 laboratories where vibration, noise and electromagnetic disturbance have been drastically reduced, creating an ultra-clean environment for measurement and characterization. This is where scientists have created a family of simple, practical, scalable security devices based on state-of-the art quantum technologies. Commercialized by spinout company Quantum Base, these include the 'unclonable' identity tags Q-ID


The problem with supply chain authentication


Let's accept that current supply chain authentication solutions like anti-counterfeit tags or password-protection, which base their security credentials on being difficult to replicate or secrecy, are not as secure as they should be. The imitation, theft, hacking and interception arguments all come into play in this discussion, as I've already mentioned. Quantum Base's atomic-scale devices don't need passwords and, according to the company, are impervious to cloning.


Quantum Base claims these atomic-scale Q-ID tags are simply the most secure system ever made. I will question those claims of unbreakability and unclonability in due course, as I'm sure you would expect of me. But for now, let's look at what Quantum Base is doing here.


MORE FROM FORBESMeet The Scrappy Space Startup Taking Quantum Security Into Space

Supply chain product authentication and tracking could be achieved with Q-ID optical tags that are created by "harnessing the randomness of quantum materials," I was informed. In other words, the creation of unique atomic-scale digital IDs that are based upon the irregularities that can be found in one-atom-thick "2D materials" such as graphene.


Quantum physics amplifies the anomalies, which makes them impossible to fingerprint. Because of the nano-scale we are talking about here, less than 1000th of a human hair in size, they can easily be incorporated onto the surface of any product or tag, any QR-code or hologram to create a truly unique fingerprint.


Quantum Base also says that Q-IDs can be mass-produced using existing processes and incorporated into any material. To add to the Holy Grail status being summoned up here, faking of supply chains using lengthy artificial chains of organizations would become a thing of the past as every chain would be transparent: the Q-ID code can be scanned using a smartphone app to match it to the manufacturer database. 


If a batch of goods were to be stolen, the graphene identity tags could simply be "switched off" at any point to ensure supply chain integrity.


Getting technical with authentication in the atomic world


The secret sauce behind the Q-IDs sits in the idea that, at the atomic scale, everything is unique: moving single atoms around to clone a specific tag structure is virtually impossible thanks to PUFs. Physically unclonable functions (PUFs) bring forward the idea that is using the no-cloning theorem from quantum mechanics, unique fingerprints can be derived. Just getting your head around PUFs would need another deep-dive article, but thankfully there's an excellent PUF primer to be found here.


Quantum Base insists that optical quantum PUFs provide "100% absolute authentication" that simply cannot be cloned, copied or simulated because, and I'm repeating myself here I know, everything is unique at the atomic scale. Of course, this depends somewhat on your definition of unique, but I'm guessing most people would go along with 1,000,000,000,000,000 atoms being pretty damn hard to copy.


Damn hard to copy isn't the same as unbreakable or unclonable, though, and those are what is being claimed by Quantum Base.


Naturally, being the cynical old hack that I am, I went and sought out boffins who could help me get to grips with all this. Let's start with Dr. Mark Carney, a mathematician and security researcher with a particular interest in quantum security.


OK, let's begin with PUFs used in authentication, which Dr. Carney describes as the notion that an individual chip can be characterized and then the responses from that chip can be compared along the supply chain to ensure it's the same one. "Even if the attacker gains some data about the chip's characterization," Dr. Carney says, "they are bound to generate more error or variation than the chip, and in theory, you can detect this given a large enough sample." This would be done through a process of challenge-response pairs or CRPs.


Overall, Dr. Carney felt that this could work quite well and it "would be nice if it did." I'm sure you have already anticipated the but that's coming: "but as with anything quantum," Dr. Carney adds, "the security is intrinsically tied to the precise mechanics and physicality of the thing - and PUFs don't have a great track record." Indeed, there have been known side-channel attacks taking advantage of "lazy" implementations and some theoretical attacks using Machine Learning to predict the CRP values.



The Nanoscale Materials Microscopy pod is one of the three laboratories at IsoLab. It is used for atomic and molecular imaging studies, pushing the boundaries of ultra-high-resolution force imaging and measurement with atomic and molecular resolution far beyond current limits.


Next, I turned to Professor Ben Varcoe from Leeds University, who has a particular research interest in experimental quantum information and is an expert in cavity quantum electrodynamics and continuous-variable quantum key distribution. "I personally think that a PUF is an interesting concept, as it provides a unique identifier," he says, "the problem as Mark has suggested is that if the identifier can be used in any type of 'record and replay' scenario, it is useless, or at least only useful the first time, while also being vulnerable to hardware attacks."


Professor Varcoe tells me that while there have been some methods suggested in which the PUF is a complex function so harder to replicate, there would still be a time limit on the amount of security provided. "It's better to have a code that changes with time," he says, "even if it is quantum."


That said, Professor Varcoe agrees that it "certainly seems to be the case that no two quantum dots are identical and therefore it would be hard to create a quantum dot with that exact property," and the "concept of allowing a consumer to use a mobile phone to authenticate is extremely interesting." His one quibble is that, for authentication application purposes, it's essential that the signal cannot be replicated by a counterfeiter. "If the forgers aim is to create a copy of an artwork protected with the quantum dots," he explains, "then the forger only needs to create a signal that would fool a smartphone - there is no reason to actually create a new set of quantum dots."


One option, he suggests, would be to create a reflection (rainbow) hologram that mimics the pattern, which is challenging, but not impossible. Smartphone camera limitations could come into play here as fooling the camera is more achievable than replicating the quantum mechanics.


MORE FROM FORBESU.S. Government Says It's Building A 'Virtually Unhackable' Quantum Internet

Quantum Base chief scientific officer responds


Armed with these opinions, I took them to Royal Society Research Fellow Professor Rob Young, who, as well as being the chief scientific officer for Quantum Base, is also director of the quantum technology center at Lancaster University.


Addressing the what's quantum about Q-IDs angle, Professor Young says that in the Quantum Base optical and electronic Q-ID technology, "quantum physics dictates the behavior of the electrons in the materials, or in other words, we're using quantum materials."


Normally, he explains, as you reduce the size of a system it becomes increasingly challenging to measure variations in that system; you can see the difference between a person's fingerprints, but you would need an optical microscope to tell the difference between two similar hairs, or an electron microscope to tell two pollen particles apart, "As the system gets smaller, you need more and more powerful tools to tell them apart," he says.


This leads to what Professor Young refers to as being a paradox in anti-counterfeiting technologies: they are either easy to verify but also easy to clone (like holograms) or difficult to clone but also difficult to verify (like microdots), so few people can ever actually check them. "Quantum mechanical effects, however, get bigger as a system gets smaller," Professor Young continues, "and if a system is small enough, you can actually measure differences with macroscopic tools, like a smartphone's camera."


Quantum dots will emit different colors of light depending on their diameter, with visible differences in the emission colors corresponding to variations of just a few atoms in width, the Professor tells me. "Our optical Q-ID works in this way," he says: "We incorporate a layer of quantum material in a surface coating of a tag or product, which has a myriad of natural defects in it, each dot being different in size and also influencing neighboring dots."


The smartphone app that Quantum Base has also developed, fires the flash on the phone to excite optical emission from the material, and then extracts a fingerprint from this randomness to uniquely identify each tag. By so doing, Professor Young says. "our product breaks the anti-counterfeiting paradox by being both sensitive to nano-scale variations and being easy to measure, using a phone with no additional hardware."


So, from a technical perspective, this is a classical measurement of a quantum system: Quantum confinement (the particle in a box problem) is being employed to amplify the influence of nanometer variations in quantum materials.


MORE FROM FORBESHow Math Reveals 'Person Woman Man Camera TV' Doesn't Ace The Password Test

Do PUFs have problems?


Professor Young agrees with Dr. Carney and Professor Varcoe that it's absolutely true that PUFs have problems. "I'd argue the main alternative is storing secret key materials in memory," he says, "which has more problems and suffers from poor implementation in many cases also." Professor Young told me that some PUF companies are doing well, but would argue that the Quantum Base products have the edge on them all.


"Traditional PUFs base their uniqueness on the measurement of classical effects, which makes them cloneable and can lead to security issues," he explains, "the electronic variant of our Q-ID is based on a standard semiconductor system, with a very thin (nanometer-scale again) layer in the middle."


As with the optical variant, small fluctuations in the width and composition of this layer gives each device a unique response. "Technically," Professor Young continues. "the bound states in a quantum well are very sensitive to the well's makeup, we measure these electronically using a resonant tunneling diode."


But what about PUFs being prone to 'record and replay' attacks? This is where the academic paths diverge. "We have an implementation that isn't, and is post-quantum secure," Professor Young insists. "Essentially, we embed an array of the electronic Q-ID elements in a device in which the current path through the array can be programmed," he says. "The number of challenge-response pairs now scales non-linearly, such that with a modestly sized device we can have a vast entropy pool," Professor Young explains, "this allows for implementations where CRPs cannot be reused (so can't be replayed), and can be used as key material in a one-time pad, which is provably quantum secure."



The Quantum Optics Lab at IsoLab is used to explore and exploit the quantum-mechanical behavior of light and its interaction with optical devices, materials and components.


It has become clear that there are two distinct versions of the Q-ID technology, optical and electronic. These are quite different in terms of the applications that Quantum Base is targeting. The optical Q-ID solution is the anti-counterfeit one as it's cheap and easy to manufacture by relying upon those natural imperfections in the Q-IDs embedded within a coating and can be read by any smartphone.


"We don't really see this one as a PUF as such," Professor Young says, "as the challenge will always be the same, the phone is reading a fingerprint from the tag (and a little more) then checking it against a database or distributed ledger." The electronic version, however, most definitely is regarded as a PUF "with a vast number of CRPs," Professor Young says, "which could be used to provide the keys for cryptography, or indeed a one-time pad for secure comms."


The optical Q-ID


The end-user is presented with an application that appears to simply take a photograph of the tag, to verify its fingerprint against a stored record. Still, it's a bit more complicated than this, and an element of attestation is included. "The tag is framed by a QR code in which a record entry is encoded," Professor Young explains, "so the application can request a specific database/DLT entry to check the fingerprint again, the QR code is also used to correct perspective and lighting."


Pressing the 'verify' button triggers the application to take a series of images at different flash strengths, thus testing how the emitting material behaves in the different lighting conditions. "It looks for specific nonlinear properties, linked to the quantum dot's zero-dimensional physics," Professor Young says, "to verify that a quantum material generated the fingerprint which is measured."


While he admits that any digital measurement can be fooled, "a complex hologram couldn't reproduce the fingerprint and emission dynamics simultaneously." Which means you'd need "either an active display (and coping with the flash would be very difficult) or to recreate a tag with dots with similar defects in a similar arrangement."


Your smartphone camera isn't capable of measuring single dot emission, but that's not a problem, Professor Young says. "Typically, a tag is 1x1 cm, framed in a QR code, and measured from around 10cm by the phone." Which produces 100,000 pixels, multiplied by the number of different flash intensities measured. Or a lot of data if you prefer, and that would, he says, "require a huge engineering feat to clone."


Returning to the replay attack scenario, Professor Young tells me that there are two components to the measurement that the phone is carrying out: fingerprint extraction and a 'quantum material' test. The latter is assessed through measurements at different intensities so simple replay attacks can be prevented through rooted phones by "not authenticating the same measurement at the same brightness levels twice," Professor Young explains, "as, in a real-world scenario, the ambient light level would always be slightly different for each measurement."


The crucial point, according to Professor Young, isn't actually that there is absolutely no way in which an attacker could target this technology, "it's that we're making that challenge as practically difficult as possible."


And it's that practicality point that's of vital importance when looking at mass-market applications. "They're simple and cheap to manufacture, and read, and extremely difficult to clone," he concludes, whereas "most anti-counterfeiting solutions are as easy to clone as they are manufacture, and have very little security if they're easily read."


MORE FROM FORBESHow Hackers Use An Ordinary Light Bulb To Spy On Conversations 80 Feet Away

The electronic Q-ID


Professor Young also told me more about the electronic Q-ID tags, for which there are several different implementation scenarios. "The entropy contained in our Q-ID array scales exponentially with the size of the array," he says, "the challenge made relates to the path current travels through the array and the response is a convolution of the position of confined energy levels in the quantum wells in the RTDs."


So, each device can have a vast number of challenges. "We can make it so that the number of challenges multiplied by the time required to measure each, the circuit's RC constant, is longer than the age of the universe," Professor Young claims. When making such a device, a small subset of its challenges are chosen randomly, preferably using the Quantum Base quantum random number generator, and stored.


"We do need to store enough data here for a lifetime's communications from the device," Professor Young says, "so this limits its use to applications that aren't data-heavy, the Internet of Things, for example." Communications to the device can then be secured by encrypting the communications using data from this stored one-time pad. Any interception attack would only see encrypted data and the information about the challenges; there's nothing there to store and replay.


Are nano-scale PUFs the next big thing in supply chain security?


Dr. Mark Carney says that "optical dots for sure solve an interesting problem, are easy to measure, but with nano-scale construction." They are certainly a step up from other molecular ID solutions that use arrays of polymers in specific constructs to generate unique identifiable molecules that fluoresce, such as 'smartwater,' for example.


In theory, those can be cloned with enough chemistry resources to throw at the problem. In contrast, optical dots can't as "they are unique per specific, and I guess random, atomic-level variations inherent in manufacture," Dr. Carney says. 


"Overall," Dr. Carney says, "I think Quantum Base has a nice solution. The big thing here, to me, is that they have made PUFs that are very manufacturer friendly, and can be used as ID tags in more applications, or as electronic multi-CRP capable verification chips." With the right implementations, software, and protocols around them, Dr. Carney tells me, "there is likely a lot of potential."






#News | https://sciencespies.com/news/goodbye-passwords-hello-unbreakable-quantum-ids-containing-1000-trillion-atoms/

No comments:

Post a Comment