**Vincent:** First, we have some questions about PUFs. So let's start with that because we are PUF Cafe. You're saying SRAM PUF is quantum proof. Does this only apply to SRAM PUF or is it a broader statement about PUFs?

**Pim:** It's certainly true for SRAM PUFs. And the reason I say that is because I know how we build our algorithms to derive keys from SRAM PUFs. I think that in principle the statement should be true for other PUFs too. And again, that I can say for sure for the other PUFs that we have at Intrinsic ID. But I expect that if the other PUFs are implemented according to the Fuzzy Extractor rules that are now well understood, then that should be generally true for all PUFs.

**Vincent:** another question about the SRAM PUF. Will it be able to provide the larger keys that are needed for the postquantum crypto era?

**Roel:** The short answer is yes. SRAM PUF technology, I think perhaps even generally PUF technology, is quite scalable. So generating longer keys is not really an issue. You also very much have to think about actual security strength here. What we typically do in a PUF-based security solution is that we generate a root key with a particular security strength. From there on we let cryptography take over. So we start using established algorithms. And the only difference that we will have to make in the future is that we will have to start using postquantum cryptographic algorithms. And that is certainly something that needs to happen, also in our solutions. But any security company will need to do that exercise. It will have some technical challenges. So memories will need to be bigger to work with longer keys. But nothing is required that is impossible.

**Vincent:** What's the point of a quantum PUF and what problem is it trying to solve?

**Roel:** I'm not a quantum PUF expert, by the way, there are a few people worldwide that are working on this. But the way that I understand it, on a bit of a higher level, is the very big advantage that you can get through the quantum PUF is that you don't need to trust the readout procedure anymore. The reason for that is the quantum state. You can just challenge something in public with the quantum state because no one can eavesdrop on it. If someone eavesdrops on it, he is going to change that state. That's because it's a quantum state. So you don't need to trust the readout process anymore. You can even securely evaluate these PUFs with insecure hardware. And that is not something we can do with classical PUFs. Even we, with SRAM PUFs, we need to do that within the security boundary of a silicon chip. Otherwise we cannot guarantee that no one is listening in. And with the quantum PUF you don't have to do that. So that is their big advantage.

**Pim:** Maybe I can quickly add to that. Just a small addition for those interested. One of the early things that led to quantum crypto was the paper of Stephen Wiesner. That's like, I think, a “semi-quantum PUF”, where they try to build unclonable money by storing polarized photon states in the bank note. Of course, this is a highly theoretical concept, but from that point of view very interesting because it achieves the goal of having money that cannot be counterfeited.

**Vincent:** Does Grover's algorithm assume that the quantum computer operates at the speed of a conventional computer? And do such quantum computers even exist?

**Roel:** That is something that is often overlooked. When we talk about the speed of these quantum algorithms, like Grover's algorithm or Shor's algorithm, we are actually talking about computational complexity. That means: how many operations do these algorithms need to do in order to break something? And if these operations scale polynomially or exponentially, that makes a huge difference in theory. But in practice, you also need a very fast computer. Let's say on a classical computer nowadays, you could brute force a 64-bit key within a couple of days on a very fast computer. The reason for that is because modern computers nowadays are very fast. They can literally do billions of operations per second, giga flops. The first generation of quantum computers will not be able to do billions of operations per second, but probably many orders of magnitude less than that. So that means that Grover’s algorithm will not be practical, at first, for a reasonable key length, not even for 64 bits. You need a very fast processor for that. In time that might change, of course. We have also seen that with classical computing. With classical silicon chips we have seen exponential scaling and speeds have increased significantly over the past 50 years. But it has also taken 50 years to get to where we are now, even with exponential scaling. If that would happen with quantum computing, if quantum computing goes through exponential scaling, it will still take time. It can still take 50 years before we actually have very fast quantum computers. So that is an aspect that is often overlooked.