Quantum Spectral Authentication under Public Unitary Challenges

Abstract

We introduce Quantum Spectral Authentication (QSA), a primitive for verifying that a remote quantum endpoint still possesses a previously installed secret quantum resource, such as a hidden state or state-preparation capability, without revealing that secret. QSA uses fresh public unitary challenges and spectral features of the planted state to derive transcript-bound session material for explicit authentication. We analyse attack strategies including eigenstate propagation across challenges, repeated-session leakage, and direct online forgery. For practical implementation, we develop a symmetric verifier-driven unitary compiler compatible with low-depth quantum phase estimation. Simulations indicate that this symmetric fast-power construction is substantially more noise tolerant than an asymmetric alternative, and small-instance experiments on IBM ibm_fez provide a hardware sanity check. QSA therefore offers a plausible near-term authentication layer for quantum networks and control-plane applications.

Figures (19)

• Figure 1: QSA implementation regimes separated by challenge setup, verifier evaluation, and prover evaluation. In all regimes, a provisioning secret such as a planted-state seed $S_0$ and/or preparation circuit $P$ defines the planted state resource, while a public challenge schedule determines the per-instance public challenges. In QSA-M, the challenges are dense matrices and both parties evaluate them by eigendecomposition. In QSA-C, the challenges are public circuits evaluated classically through autocorrelation spectroscopy. In QSA-Q, the challenges are compiled public circuits; for the symmetric construction $U_i=V_iD_iV_i^\dagger$, the verifier can read off the intended phase directly, while the prover performs phase extraction on hardware using LDQPE or QPE, with LDQPE as the main focus in this work. In all cases, the resulting $m$-bit phase features are aggregated into $\boldsymbol{\Theta}$ and compressed by a classical KDF into session material.
• Figure 2: QSA with an explicit key-confirmation wrapper. A client (A) and server (B) share provisioning material (e.g. a planted state seed $S_0$ or a securely distributed witness/state-preparation capability) that defines a planted state $\ket{\psi}$. A public seed schedule (or public circuit descriptions) determines the challenge family $\{U_i\}_{i=1}^k$, which is distributed over the public channel. Each side evaluates the same challenges under $\ket{\psi}$ using its chosen evaluation regime (QSA-M/C/Q) to obtain a quantised eigenphase feature vector $\boldsymbol{\Theta}=(\theta_{1^\star},\ldots,\theta_{k^\star})$ and derives session material $K=h(\boldsymbol{\Theta})$. A lightweight mutual challenge--response under a symmetric authenticated primitive (shown abstractly as encryption/decryption $\mathcal{E}/\mathcal{D}$) provides an application-facing confirmation token: if the planted provision is missing, substituted, or inconsistent between endpoints, the parties disagree on $\boldsymbol{\Theta}$ and the confirmation fails except with probability set by the response length.
• Figure 3: Attack 1 (Chained-QPE / eigenstate propagation) schematic. The adversary first guesses an input state $\ket{\phi_E}$ and runs QPE on $U_1$, obtaining a measured phase $\widetilde{\theta}_1$ and a post-measurement eigenstate $\ket{u_1^*}$. With probability about $2^{-n}$, $\ket{u_1^*}$ coincides with the honest signal eigenstate. The adversary then feeds $\ket{u_1^*}$ into QPE for $U_2$ to obtain $\widetilde{\theta}_2$ and $\ket{u_2^*}$, and so on along the chain $U_1,\ldots,U_k$, hoping to accumulate an eigenphase vector $(\widetilde{\theta}_1,\ldots,\widetilde{\theta}_k)$ that matches the honest vector $\boldsymbol{\Theta}$.
• Figure 4: Attack 1 decorrelation proxies. Representative cross-instance overlaps for independently randomised challenge instances at $n=6$. In both panels, the orange curve shows the squared overlap $|\langle u_{i+1}^\ast|u_i^\ast\rangle|^2$ between successive signal (or top) eigenvectors, which is the quantity relevant to chained-QPE reuse across instances. The dashed horizontal line marks the Haar benchmark $2^{-n}$. In panel (a) (QSA-C), the public circuit instances are independently randomised and the signal eigenvector is defined a posteriori by the classical spectral extractor, so no high planted-state overlap is enforced. In panel (b) (QSA-Q), each compiled instance is built around its own planted state $\ket{\psi_i}$, so the green curve shows the planted-state overlap $|\langle \psi_i|u_i^\ast\rangle|^2$ for $i\ge 2$, while the orange curve again shows successive signal-eigenvector overlaps. The key observation is that the cross-instance overlaps remain near the Haar scale $2^{-n}$, indicating that successive signal eigenvectors are effectively decorrelated even in the compiled high-overlap QSA-Q setting.
• Figure 5: Spectral overlap mass aggregated into $M=2^6$ eigenphase bins ($n=8$, $m=6$) for the symmetric compiler. For each compiled instance, we diagonalise $U$ and form $p_k=\sum_{i:\mathrm{bin}(\theta_i)=k}|\langle v_i|\cdot\rangle|^2$. The planted state $\ket{\psi}$ produces a highly non-uniform binned spectrum (localisation), whereas a random baseline state is broadly spread across bins (delocalisation).

Theorems & Definitions (3)

• Definition 1: planted state unpredictability
• Definition 2: QSA Hidden-State Security Game
• Definition 3: QSA Hidden-State Security