Remote inspection of adversary-controlled environments

J. Tobisch, S. Philippe, et al.

Discover an innovative remote monitoring technique utilizing gigahertz radio-wave scattering and absorption to ensure the integrity of items in adversary-controlled environments. Conducted by a team of experts including Johannes Tobisch and colleagues, this research extends the concept of physical unclonable functions (PUFs) to enhance security in high-stakes scenarios like nuclear arms control.
Introduction

The paper addresses how to remotely verify the continued presence and integrity of valuable items stored in environments controlled by potentially adversarial parties, where frequent physical inspections or conventional surveillance may be infeasible or insecure. The research question is whether a room and its contents can serve as a large-scale physical unclonable function (PUF), enabling a remote verifier to detect any disturbance using radio-wave fingerprints without revealing sensitive information or relying on tamper-resistant on-site hardware. The study is motivated by arms-control verification for non-deployed nuclear warheads and broader applications in finance, IT, energy, and art sectors where privacy, security, and minimal on-site access are required.

Literature Review

The work builds on physical unclonable functions (PUFs) and virtual proofs of reality, extending them from micro/meso-scale objects to room-scale environments. Prior approaches for treaty verification emphasize trustworthy data acquisition and the challenges of secure monitoring at sensitive sites. The authors contrast their approach with electromagnetic (EM) full-wave simulations and ray-tracing methods often used for propagation modeling; they argue such simulations are computationally infeasible or inaccurate in highly reflective indoor environments with strong multipath and small-scale fading. The study also situates its security analysis within the context of machine-learning modeling attacks on Strong PUFs, noting that while similar attacker models apply, the specific learning problem differs here due to the high-dimensional, complex, and frequency-dependent channel responses.

Methodology
  • System concept and protocol: The inspection protocol uses a challenge-response framework between a remote verifier and an on-site prover. The verifier initializes the system during a single on-site visit, installs a challenge-response apparatus, and records an initial set of secret challenge-response pairs (CRPs). The room is then sealed. During the proof phase, the verifier remotely sends challenges drawn from a secret list; the prover must return corresponding responses within a short, agreed time window. Accepted queries are removed from the verifier’s list to prevent replay. Fake queries (random challenges) can be interspersed to prevent the prover from distinguishing which challenges are verifiable.
  • Challenge mechanism: The challenge device consists of 20 individually controllable aluminum mirrors mounted on stepper motors, each capable of 360° rotation in 1.8° steps (200 discrete positions). A challenge is a 20-dimensional vector of integers in [0,199] specifying mirror angles. The nominal challenge space is 200^20 ≈ 10^46 configurations.
  • Measurement setup: The system is housed in a 6 m × 2.2 m × 2.1 m steel container populated with empty 55-gallon steel drums to create rich multipath. Two wideband antennas (no line of sight) connect to a Keysight P9372B VNA. For each challenge, the magnitude of S21 is sampled at 100 evenly spaced frequency points from 3–9 GHz (IF bandwidth 30 kHz), corresponding to wavelengths ≈3.3–10 cm. The per-CRP acquisition time is ~0.4 s.
  • Response representation and matching: Each response is a 100-dimensional vector. The Euclidean distance between responses quantifies similarity. Intra distance captures variation for the same challenge over time/environmental changes; inter distance captures differences between distinct challenges. Long-term measurements (4 weeks) demonstrate clear separation between intra and inter distance distributions, enabling reliable matching.
  • Sensitivity experiments: A drum is mounted on a linear translation table and displaced in fine increments to quantify detection thresholds. The effect of mirror rotation on responses is also profiled by rotating a single mirror in 1.8° steps up to 90° while others remain fixed.
  • Security analyses:
      • Brute-force feasibility: Effective challenge granularity per mirror is empirically at least 8 positions (detectable ≥ 44° rotation), giving > 8^20 ≈ 10^18 effective CRPs—too many to exhaustively query.
      • Physical cloning: Replicating the exact EM behavior is deemed infeasible; adding unique, complex objects (e.g., crumpled aluminum, stochastic metallic foams) or deploying a “room within a room” further complicates cloning.
      • Computational cloning (simulation): Full EM simulations would require meshes ~λ/100 for stability and accuracy; for the experimental room, this implies ~10^12 unknowns, exceeding current supercomputing capabilities within the response-time window. Ray tracing is unsuitable due to high reflectivity, small-scale fading, and measured coherence bandwidth ~1 MHz.
      • Machine learning attacks: Treating the mapping from challenges to response vectors as multi-output regression, the authors evaluate linear regression, k-nearest neighbors, gradient-boosted trees, and deep neural networks (8 hidden layers × 3072 neurons, ReLU, layer norm, Adam). Training sets up to 1,280,000 CRPs (with 4–20 active mirrors) are collected. The best model (neural network) is assessed against a security threshold defined as intra-distance mean + 3σ.
  • Data handling: Training and test sets span 20,000–1,280,000 CRPs per configuration, totaling >5,000,000 CRPs. A small interleaved set of 25 challenges is repeatedly measured to estimate intra distances across the campaign. Coherence bandwidth is estimated via autocorrelation of dense S21 measurements (100 kHz spacing over 3–9 GHz).
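
The verifier side of the protocol and matching rule described above, as an added Python example (not code from the paper or its authors). It records secret CRPs, sets the acceptance threshold at intra-distance mean + 3σ, mixes in fake queries, and removes accepted CRPs so a replayed response is no longer verifiable. Assumptions: `measure` is a constructed stand-in for the VNA sweep, all names are hypothetical, and the response-time window is not modeled.

```python
import hashlib, math, random, statistics

N_MIRRORS, N_POSITIONS, N_FREQS = 20, 200, 100  # figures from the summary

def measure(challenge, room_state, noise=0.01, rng=random):
    """Constructed stand-in for one |S21| sweep: fixed by (challenge, room state), plus noise."""
    seed = hashlib.sha256(repr((tuple(challenge), room_state)).encode()).digest()
    base = random.Random(seed)
    return [base.random() + rng.gauss(0, noise) for _ in range(N_FREQS)]

class Verifier:
    # `random` keeps the example reproducible; a real verifier would draw
    # its secret challenges from a CSPRNG.
    def __init__(self, room_state, n_crps, n_intra=25, seed=1):
        self.rng = random.Random(seed)
        # Initialization visit: record the secret CRP list.
        self.crps = {}
        for _ in range(n_crps):
            c = self.random_challenge()
            self.crps[c] = measure(c, room_state, rng=self.rng)
        # Intra distances: same challenge measured twice in the undisturbed room.
        intra = []
        for _ in range(n_intra):
            c = self.random_challenge()
            intra.append(math.dist(measure(c, room_state, rng=self.rng),
                                   measure(c, room_state, rng=self.rng)))
        self.threshold = statistics.mean(intra) + 3 * statistics.stdev(intra)

    def random_challenge(self):
        return tuple(self.rng.randrange(N_POSITIONS) for _ in range(N_MIRRORS))

    def next_query(self, fake_prob=0.5):
        """Return (challenge, verifiable); fake queries are random mirror settings."""
        if self.crps and self.rng.random() >= fake_prob:
            return self.rng.choice(list(self.crps)), True
        return self.random_challenge(), False

    def check(self, challenge, response):
        """True/False for a listed challenge, None for a fake (unverifiable) query."""
        expected = self.crps.get(challenge)
        if expected is None:
            return None
        accepted = math.dist(expected, response) <= self.threshold
        if accepted:
            del self.crps[challenge]  # used CRPs leave the list, so replay fails
        return accepted
```

Because the prover receives only the 20 mirror positions, it cannot tell a fake query from a listed one and must answer every query correctly.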
Key Findings
  • Robust fingerprinting and separability: Over a 4-week campaign, intra and inter distance distributions are well separated, indicating low false match probability for randomly drawn challenges.
  • High sensitivity to physical changes: A drum displacement of 1 mm produces a response mismatch exceeding 3σ above the intra-distance mean; ≈7.5 mm (≈ λ_mean/10) yields a decorrelation comparable to removing the drum, demonstrating millimeter-scale sensitivity.
  • Large effective challenge space: Due to detectability thresholds, each mirror contributes at least 8 effective positions (≥ 44° rotation discernible), giving > 8^20 ≈ 10^18 effective challenges, making exhaustive pre-measurement infeasible.
  • Resistance to computational cloning:
      • Full-wave EM simulation would involve ~10^12 unknowns for the experimental room—orders of magnitude beyond current practical capability for per-query time budgets.
      • Ray tracing is ill-suited for the highly reflective, small-scale fading environment (coherence bandwidth ~1 MHz), undermining accurate response prediction.
  • Machine learning attack results and scaling:
      • With 16–20 mirrors and training sets of ~10^6 CRPs, a deep neural network could not reduce prediction error below the acceptance threshold (intra mean + 3σ), failing to fool the verifier.
      • Learning curves follow power-law scaling: estimated training set sizes to breach the threshold are ~3,000,000 CRPs for 16 mirrors (~2 weeks continuous acquisition at ~0.4 s/CRP) and ~11,000,000 CRPs for 20 mirrors (~8 weeks), limiting attack practicality.
  • Operational protocol features: Short response-time windows and use of fake queries impede on-the-fly tampering or challenge-list inference by a prover.
Discussion

The findings demonstrate that a room and its contents can function as a large-scale physical unclonable function, enabling remote verification of integrity without tamper-resistant on-site hardware or secure communication channels. The system’s radio-frequency fingerprints are reproducible over weeks yet highly sensitive to millimeter-scale changes, addressing the core need to detect any disturbance. Security derives from a large effective challenge space, the impracticality of physical and computational cloning, and the time-bound protocol design. Machine learning attacks face unfavorable data collection constraints and power-law scaling, while the number of mirrors acts as a tunable security parameter. These results directly address the challenge of monitoring items in adversary-controlled environments, notably for arms-control contexts involving non-deployed nuclear warheads where privacy and minimal on-site access are essential. The approach is adaptable: increasing mirrors, adjusting probing wavelengths, and adding complex objects can further boost security margins. Beyond arms control, this technique can support safeguarding of financial assets, data centers, energy infrastructure, and artworks where remote, privacy-preserving integrity assurance is required.

Conclusion

This work introduces and experimentally validates a remote inspection system that treats a room-scale environment as a physical unclonable function using GHz radio-wave fingerprints and a mirror-based challenge mechanism. The system achieves robust, reproducible identification of the undisturbed state, detects millimeter-scale changes, presents a vast effective challenge space, and resists both physical cloning and computational (simulation and ML) attacks under realistic constraints. Key contributions include the protocol design (single-visit initialization and remote proofs), experimental demonstration in a reflective environment, quantitative sensitivity and security analyses, and learning-curve-based security scaling. Future research directions include: scaling the number and geometry of controllable reflectors; exploring different frequency bands and antenna configurations; increasing environmental complexity (e.g., stochastic metallic foams, room-within-a-room constructs); optimizing acquisition speed and matching algorithms; formalizing security models and acceptance thresholds under broader environmental variations; and extending deployment and validation in diverse, operationally relevant facilities.

Limitations
  • Environmental dependence and drift: Responses are affected by measurement noise and environmental conditions (temperature, humidity), necessitating careful thresholding (intra vs inter distances) and long-term characterization.
  • Prototype scope: Results are demonstrated in a steel container with 20 mirrors and specific hardware; performance and parameters may vary in different architectures, materials, or larger spaces.
  • Data acquisition constraints: Per-CRP acquisition (~0.4 s) limits the rate at which an attacker could collect training data, but also constrains system throughput for very frequent proofs or very large challenge lists.
  • Security parameterization: Effective challenge-space estimates rely on empirical detectability (e.g., ≥44° rotations); margins may shift with different environments, hardware, or improved adversarial techniques.
  • Machine learning evolution: While current models require millions of CRPs to threaten security, future ML advances could lower data requirements by a constant factor; system parameters must be re-tuned accordingly.
  • Operational assumptions: Security relies on the secrecy of the verifier’s challenge list, timely responses to prevent tampering between queries, and preventing physical access that could alter or learn the system state during the proof phase.