On the Compressed-Oracle Technique, and Post-Quantum Security of Proofs of Sequential Work
Kai-Min Chung (Academia Sinica, Taiwan, [email protected]), Serge Fehr (CWI Cryptology Group and Leiden University, The Netherlands, [email protected]), Yu-Hsuan Huang (National Chiao-Tung University, Taiwan, [email protected]), and Tai-Ning Liao (National Taiwan University, Taiwan, [email protected])

Abstract
We revisit the so-called compressed oracle technique, introduced by Zhandry for analyzing quantum algorithms in the quantum random oracle model (QROM). This technique has proven to be very powerful for reproving known lower bound results, but also for proving new results that seemed to be out of reach before. Despite being very useful, it is however still quite cumbersome to actually employ the compressed oracle technique.

To start off with, we offer a concise yet mathematically rigorous exposition of the compressed oracle technique. We adopt a more abstract view than other descriptions found in the literature, which allows us to keep the focus on the relevant aspects. Our exposition easily extends to the parallel-query QROM, where in each query-round the considered quantum oracle algorithm may make several queries to the QROM in parallel. This variant of the QROM allows for a more fine-grained query-complexity analysis of quantum oracle algorithms.

Our main technical contribution is a framework that simplifies the use of (the parallel-query generalization of) the compressed oracle technique for proving query complexity results. With our framework in place, whenever applicable, it is possible to prove quantum query complexity lower bounds by means of purely classical reasoning. More than that, we show that, for typical examples, the crucial classical observations that give rise to the classical bounds are sufficient to conclude the corresponding quantum bounds.

We demonstrate this on a few examples, recovering known results (like the optimality of parallel Grover), but also obtaining new results (like the optimality of parallel BHT collision search). Our main application is to prove hardness of finding a $q$-chain, i.e., a sequence $x_0, x_1, \dots, x_q$ with the property that $x_i = H(x_{i-1})$ for all $1 \le i \le q$, with fewer than $q$ parallel queries.

The above problem of producing a hash chain is of fundamental importance in the context of proofs of sequential work. Indeed, as a concrete application of our new bound, we prove that the “Simple Proofs of Sequential Work” proposed by Cohen and Pietrzak remain secure against quantum attacks. Such a proof is not simply a matter of plugging in our new bound; the entire protocol needs to be analyzed in the light of a quantum attack, and substantial additional work is necessary. Thanks to our framework, this can now be done with purely classical reasoning.

Background.
The random oracle methodology [2] has proven to be a successful way to design very efficient cryptographic protocols and to argue them secure in a rigorous yet idealized manner. The considered idealization treats a cryptographic hash function $H : \{0,1\}^n \to \{0,1\}^m$ as an external oracle that the adversary needs to query on $x \in \{0,1\}^n$ in order to learn $H(x)$. Furthermore, this oracle, then called random oracle (RO), answers these queries by means of a uniformly random function $H : \{0,1\}^n \to \{0,1\}^m$. Even though it is known that in principle the methodology can break down [7] and a “proven secure” protocol may become insecure in the actual (non-idealized) setting, experience has shown that for natural protocols this does not seem to happen.

In case of a quantum adversary that may locally run a quantum computer, the RO needs to be modeled as a quantum operation that is capable of answering queries in superposition, in order to reasonably reflect the capabilities of an attacker in the non-idealized setting [5]. This is then referred to as the quantum random oracle model (QROM). Unfortunately, this change in the model renders typical RO-security proofs invalid. One reason is that in the ordinary RO model the security reduction can inspect the queries that the adversary makes to the RO, while this is not possible anymore in the quantum setting when the queries are quantum states in superposition, at least not without disturbing the query state significantly and, typically, uncontrollably.

The Compressed Oracle.
A very powerful tool to deal with the QROM is the so-called compressed oracle technique, introduced by Zhandry [19]. On a conceptual level, the technique very much resembles the classical “lazy sampling” technique; on a technical level, the idea is to consider a quantum purification of the random choice of the function $H$, and to then analyze the internal state of the RO in the Fourier domain.

This idea has proven to be very powerful. On the one hand, it gives rise to new and shorter proofs for known lower bound results on the query complexity of quantum algorithms (like Grover [12, 3]); on the other hand, it allows for proving new cryptographic security results that seemed to be out of reach before, like in the context of indifferentiability [19, 10], or, more recently, the Fiat-Shamir transformation [16], when considering a quantum adversary. Despite being very useful, it is however still quite cumbersome to actually employ the compressed oracle technique. Proofs tend to be hard to read, and they require a good understanding of quantum information science.
Our Results.
We first present a concise yet mathematically rigorous exposition of the compressed oracle technique. Our exposition differs from other descriptions found in the literature (e.g. [19, 14, 10, 8, 13]) in that we adopt a more abstract view in terms of the Fourier transform for arbitrary finite Abelian groups, i.e., by considering the range of $H$ to be an arbitrary finite Abelian group. Some readers may, to start with, feel uncomfortable with this approach, but it allows us to keep the focus on the relevant aspects, and, in the long run, abstraction simplifies matters and improves the understanding.

We also consider a generalization of the compressed-oracle technique to the parallel-query QROM. In this variation of the standard QROM, the considered quantum oracle algorithm may make several queries to the QROM in parallel in each query-round. The main difference between parallel and sequential queries is of course that sequential queries may be adaptive, i.e., the queried value $x$ may depend on the hash learned in a previous query, while parallel queries are limited to be non-adaptive, i.e., the queries are independent of the hash values that are to be learned. This variation of the QROM allows for a more fine-grained query-complexity analysis that distinguishes between the number $q$ of query rounds and the number $k$ of queries made per round; the total number of queries made is then obviously given by $Q = kq$. This way of studying the query complexity of quantum oracle algorithms is in particular suited for analyzing how well a computational task can or cannot be parallelized (some more on this below).

As our first main technical contribution, we propose an abstract framework that simplifies the use of (our generalized version of) the compressed oracle technique in certain cases.
In particular, with our new framework in place and whenever it is applicable, it is possible to prove quantum query complexity lower bounds by means of purely classical reasoning: all the quantum aspects are abstracted away by our framework. This means that no knowledge about quantum information science is actually necessary in order to apply our framework. If applicable, the reasoning is purely by means of identifying some classical property of the problem at hand and applying our meta-theorems. More than that, the necessary classical property can typically be extracted from the (typically much simpler) proof for the classical query complexity bound.

We demonstrate the workings and the power of our framework on a few examples, recovering known and finding new bounds. For example, with $q, k, m$ as above, we show that the success probability of finding a preimage is upper bounded by $O(kq^2/2^m)$, compared to the coarse-grained bound $O(Q^2/2^m)$ [3] that does not distinguish between sequential and parallel queries; this recovers the known fact that the naive way to parallelize a preimage search (by doing several executions of Grover [12] in parallel) is optimal [18]. We also show that the success probability of finding a collision is bounded by $O(k^2q^3/2^m)$, compared to the coarse-grained bound $O(Q^3/2^m)$ [1] that does not distinguish between sequential and parallel queries. Like for Grover, this shows optimality for the obvious parallelization of the BHT collision finding algorithm [6], which makes $k$-parallel queries in the first phase to collect $kq/2$ function values and then runs a parallel Grover in the second phase, which gives a factor-$k$ improvement. We are not aware of any prior optimality result on parallel collision search; [15] shows a corresponding bound for element distinctness, but that bound does not apply here when considering a hash function with many collisions.
Finally, our main example application is to the problem of finding a $q$-chain, i.e., a sequence $x_0, x_1, \dots, x_q$ with the property that $x_i = H(x_{i-1})$ for all $1 \le i \le q$ (or, more generally, that $H(x_{i-1})$ is a substring of $x_i$, or yet satisfies some other relation). While classically it is well known and not too hard to show that $q$ parallel queries are necessary to find a $q$-chain, there has been no proven bound in the quantum setting, at least not until very recently (see the recent-related-work paragraph below). Here, we show that the same does hold in the quantum setting. Formally, we prove that the success probability of finding a $q$-chain using fewer than $q$ queries is upper bounded by $O(k^3q^3/2^m)$. The proof is by means of recycling an observation that is crucial to the classical proof, and plugging it into the right theorem(s) of our framework.

The problem of producing a hash chain is of fundamental importance in the context of proofs of sequential work (PoSW); indeed, a crucial ingredient of a PoSW is a computational problem that is hard/impossible to parallelize. Following up on this, our second main technical contribution is to show that the “Simple Proofs of Sequential Work” proposed by Cohen and Pietrzak [9] remain secure against quantum attacks. One might hope that this is simply a matter of plugging in our bound on the chain problem; unfortunately, it is more complicated than that: the entire protocol needs to be analyzed in the light of a quantum attack, and substantial additional work is necessary to reduce the security of the protocol to the hardness of finding a chain. As a matter of fact, we enrich our framework with a “calculus” that facilitates the latter. In return, relying on our framework, the proof of the quantum security of the PoSW scheme is purely classical, with no need to understand anything about quantum information science.

Recent Related Work.
Independently and (partly) concurrently to the preparation of our work, the $q$-chain problem has been analyzed and tackled by another work by Blocki, Lee and Zhou [4], which we want to briefly discuss here. As we do, Blocki, Lee and Zhou show the hardness of finding a $q$-chain with fewer than $q$ queries for any quantum algorithm. Comparing the obtained bounds, we observe that our bound is significantly better. Translated into our notation, the upper bound on the success probability derived by Blocki, Lee and Zhou is $O\big(q\sqrt{k^3q^3/2^m}\big)$, which is worse by more than a square-root compared to our bound $O(k^3q^3/2^m)$. In addition, while Blocki et al. well emphasize the relevance of the $q$-chain problem to the PoSW by Cohen and Pietrzak [9], they do not offer an analysis of the latter.

We would also like to stress the conceptual differences in the respective contributions. In our work, we provide a general framework for proving quantum query complexity bounds by means of purely classical reasoning. With the framework in place, this makes our proof for the $q$-chain problem accessible to a much broader audience, and opens the door for non-quantum-experts to derive quantum query complexity bounds for their problems of interest. In contrast, Blocki et al.'s work is specific to the $q$-chain problem, and verifying the proof requires going through cumbersome derivations that require a deep understanding of quantum information science in general and of the compressed oracle technique in particular.

In this section, we discuss lower bounds on the classical query complexity in the classical ROM for a few example problems. This serves as a warm-up and as a reminder of how such classical bounds are (or can be) rigorously proven. Additionally, it demonstrates that, when it then comes to analyzing the quantum query complexity of these problems, it is simply a matter of recycling certain observations from the classical proofs and plugging them into our framework.
Footnote: The problem of finding a $q$-chain looks very similar to the iterated hashing studied by Unruh in [17]; however, a crucial difference is that the start of the chain, $x_0$, can be freely chosen here.

Footnote: We compare here the respective bounds under the strict requirement $H(x_{i-1}) = x_i$ for all $i$. Blocki et al. actually consider a notion of a $q$-chain (which they call an $H$-sequence) where $H(x_{i-1})$ is asked to be a continuous substring of $x_i$, while we consider an arbitrary relation between $H(x_{i-1})$ and $x_i$. Our bound compares similarly favorably also for these variations.

First, let us briefly recall the lazy sampling technique, which allows to efficiently simulate the random oracle. Instead of choosing a uniformly random function $H : \mathcal X \to \mathcal Y$ and answering each query $x$ to the random oracle as $y = H(x)$, one can build up the hash function $H$ “on the fly”. Introduce a special symbol $\bot$, which stands for “not defined (yet)”, and initiate $D_0$ to be the constant-$\bot$ function. Then, inductively for $i = 1, 2, \dots$, on receiving the $i$-th query $x_i$, check if this query has been made before, i.e., if $x_i = x_j$ for some $j < i$. If this is the case then set $D_i = D_{i-1}$; else, do the following: choose a uniformly random $y_i \in \mathcal Y$ and set $D_i$ to $D_i := D_{i-1}[x_i \mapsto y_i]$, where the latter is defined by $D_{i-1}[x_i \mapsto y_i](x_i) = y_i$ and $D_{i-1}[x_i \mapsto y_i](\bar x) = D_{i-1}(\bar x)$ for $\bar x \neq x_i$. In either case, answer the query then with $y_i = D_i(x_i)$. We refer to such a function $D_i : \mathcal X \to \mathcal Y \cup \{\bot\}$ as a database.

As it is easy to see, the lazy sampling only affects the “internal workings” of the random oracle; any algorithm making queries to the standard random oracle (which samples $H$ as a random function at the beginning of time), or to the lazy-sampled variant (which builds up $D_0, D_1, \dots$ as explained above), cannot see any difference.

For below, it will be convenient to write $D_i$, the “update” of $D_{i-1}$ in response to query $x_i$, as $D_i = D_{i-1}^{\odot x_i}$. Note that since $D_i(x_i) = y_i$ is chosen in a randomized way, $D_{i-1}^{\odot x_i}$ is a random variable, strictly speaking.

One important feature of the lazy-sampling technique is that it allows for an efficient simulation of the random oracle. Indeed, compared to a uniformly random function $H : \mathcal X \to \mathcal Y$, the databases $D_0, D_1, \dots$ can be efficiently represented by means of an encoding function $\mathrm{enc}$ that maps any database $D : \mathcal X \to \mathcal Y \cup \{\bot\}$ to (a suitable representation of) the list of pairs $(x, D(x))$ for which $D(x) \neq \bot$. Obviously, for a bounded number of queries, the list $\mathrm{enc}(D_i)$ remains bounded in size. Furthermore, the update $\mathrm{enc}(D_i) \mapsto \mathrm{enc}(D_{i+1}) = \mathrm{enc}(D_i[x_{i+1} \mapsto y_{i+1}])$ can be efficiently computed (for any choice of $y_{i+1}$).

In the work here, we are more interested in the fact that the lazy sampling idea is useful for showing lower bounds on the query complexity for certain tasks.
Our goal here is to show on a few examples that the well-understood classicalreasoning is very close to the reasoning that our framework will admit for proving bounds in the quantum setting. Inorder to align the two, certain argumentation below may appear overkill given the simplicity of the classical case.
Finding a Preimage.
We first consider the example of finding a preimage of the random oracle, say, without loss of generality, finding $x \in \mathcal X$ with $H(x) = 0$. Thus, let $\mathcal A$ be an algorithm making $q$ queries to the random oracle and outputting some $x$ at the end, with the goal of $x$ being a zero-preimage. A first simple observation is the following: if in the lazy-sampling picture after $q$ queries the built-up database $D_q : \mathcal X \to \mathcal Y \cup \{\bot\}$ does not map $\mathcal A$'s output $x$ to $0$, then $H(x)$ is unlikely to vanish, where $H(x)$ is understood to be obtained by making one more query to the oracle, i.e., $H(x) = D_{q+1}(x)$. More formally, if $p$ is the probability that $H(x) = 0$ when $\mathcal A$ is interacting with the standard oracle, and $p'$ is the probability that $D_q(x) = 0$ when $\mathcal A$ is interacting with the lazy-sampled oracle, then $p \le p' + 1/|\mathcal Y|$ (if $D_q(x) = \bot$, the extra query returns a fresh uniform value, which is $0$ with probability $1/|\mathcal Y|$). Looking ahead, this trivial observation is the classical counterpart of Corollary 4.2 (originally by Zhandry).

The above observation implies that it is sufficient to show that $\Pr[\exists x : D_q(x) = 0]$ is small. Furthermore, writing $\mathsf{PRMG} := \{D : \mathcal X \to \mathcal Y \cup \{\bot\} \mid \exists x : D(x) = 0\}$, we can write and decompose
$$\Pr[\exists x : D_q(x) = 0] = \Pr[D_q \in \mathsf{PRMG}] \le \sum_{i} \Pr[D_i \in \mathsf{PRMG} \mid D_{i-1} \notin \mathsf{PRMG}] .$$
In order to align the reasoning here with our framework, which relies on the notion of a quantum transition capacity, we introduce here the classical transition capacity
$$[\neg\mathsf{PRMG} \to \mathsf{PRMG}] := \max_{D \notin \mathsf{PRMG},\ x \in \mathcal X} \Pr\big[D^{\odot x} \in \mathsf{PRMG}\big]$$
as the maximal probability that a database $D : \mathcal X \to \mathcal Y \cup \{\bot\}$ with no zero-preimage will be turned into a database with a zero-preimage as a result of a query. Combining the above observations, we obtain that
$$p \le q \cdot [\neg\mathsf{PRMG} \to \mathsf{PRMG}] + \frac{1}{|\mathcal Y|} . \qquad (1)$$

Footnote: This representation as a list of pairs somewhat justifies the terminology “database” for $D$.
Looking ahead, (1) is the classical counterpart of Theorem 5.6 (with $\mathsf P_s$ set to $\mathsf{PRMG}$), which is in terms of the (appropriately defined) quantum transition capacity $[\![\,\cdot \to \cdot\,]\!]$.

The reader probably already sees that $[\neg\mathsf{PRMG} \to \mathsf{PRMG}] = 1/|\mathcal Y|$, leading to the (well-known) bound $p \le (q+1)/|\mathcal Y|$. However, in order to better understand the general reasoning, we take a more careful look at bounding this transition capacity. For every $D \notin \mathsf{PRMG}$ and $x \in \mathcal X$, we identify a “local” property $L_{D,x} \subseteq \mathcal Y$ that satisfies
$$D[x \mapsto y] \in \mathsf{PRMG} \iff y \in L_{D,x} ;$$
therefore,
$$\Pr\big[D^{\odot x} \in \mathsf{PRMG}\big] \le \Pr\big[D[x \mapsto U] \in \mathsf{PRMG}\big] = \Pr[U \in L_{D,x}]$$
where $U$ is defined to be uniformly random in $\mathcal Y$. Here, we can simply set $L_{D,x} := \{0\}$ and thus obtain $[\neg\mathsf{PRMG} \to \mathsf{PRMG}] = \Pr[U = 0] = 1/|\mathcal Y|$ as claimed.

The point of explicitly introducing $L_{D,x}$ is that our framework will offer similar connections between the quantum transition capacity $[\![\,\cdot \to \cdot\,]\!]$ and the purely classically defined probability $\Pr[U \in L_{D,x}]$. Indeed, by means of the very same choice of local property $L_{D,x}$, but then applying Theorem 5.15, we obtain
$$[\![\neg\mathsf{PRMG} \to \mathsf{PRMG}]\!] \le \max_{D,x} \sqrt{\Pr[U \in L_{D,x}]} \le \sqrt{\frac{1}{|\mathcal Y|}} .$$
By Theorem 5.6, this implies that the success probability $p$ of a quantum algorithm to find a preimage is bounded by
$$p \le \Big( q\, [\![\neg\mathsf{PRMG} \to \mathsf{PRMG}]\!] + \frac{1}{\sqrt{|\mathcal Y|}} \Big)^2 \le \Big( q \sqrt{\frac{1}{|\mathcal Y|}} + \frac{1}{\sqrt{|\mathcal Y|}} \Big)^2 = O\Big(\frac{q^2}{|\mathcal Y|}\Big) ,$$
confirming the optimality of the quadratic speed-up of Grover.

Finding a Preimage with Parallel Queries.
The above (classical and quantum) reasoning can be extended to the parallel query model, where with each interaction with the random oracle, a query algorithm can make $k$ queries in one go. The lazy-sampling technique then works in the obvious way, with the function update $D_i := D_{i-1}^{\odot \mathbf x_i}$ now involving a query vector $\mathbf x_i \in \mathcal X^k$. This then gives rise to $[\neg\mathsf{PRMG} \xrightarrow{k} \mathsf{PRMG}]$, and (1) generalizes accordingly. For $D \notin \mathsf{PRMG}$ and $\mathbf x = (x_1, \dots, x_k) \in \mathcal X^k$, we then identify a family of $k$ local properties $L_{D,x_1}, \dots, L_{D,x_k} \subseteq \mathcal Y$ so that
$$D[\mathbf x \mapsto \mathbf y] \in \mathsf{PRMG} \iff \exists\, i : y_i \in L_{D,x_i} , \qquad (2)$$
and therefore, by the union bound, $\Pr[D^{\odot \mathbf x} \in \mathsf{PRMG}] \le \sum_i \Pr[U \in L_{D,x_i}]$. Setting $L_{D,x_1} = \dots = L_{D,x_k} := \{0\}$, we now obtain $[\neg\mathsf{PRMG} \xrightarrow{k} \mathsf{PRMG}] = k \Pr[U = 0] = k/|\mathcal Y|$, showing a factor-$k$ increase in the bound as expected.

More interesting is that Theorem 5.15 still applies, implying that for the quantum version we have
$$[\![\neg\mathsf{PRMG} \xrightarrow{k} \mathsf{PRMG}]\!] \le \max_{D,\mathbf x} \sqrt{\sum_i \Pr[U \in L_{D,x_i}]} \le \sqrt{\frac{k}{|\mathcal Y|}} .$$
Plugging this into Theorem 5.6, we then get the bound
$$p \le \Big( q \sqrt{\frac{k}{|\mathcal Y|}} + \frac{1}{\sqrt{|\mathcal Y|}} \Big)^2 = O\Big(\frac{q^2 k}{|\mathcal Y|}\Big) ,$$
showing optimality of running $k$ parallel executions of Grover.

Finding a Chain (with Parallel Queries).
Another example we want to discuss here, where we now stick to the parallel query model, is the problem of finding a $(q+1)$-chain, i.e., a sequence $x_0, x_1, \dots, x_{q+1}$ with $H(x_{i-1}) \triangleleft x_i$, with no more than $q$ (parallel) queries. Here, $\triangleleft$ refers to an arbitrary relation among the elements of $\mathcal X$ and $\mathcal Y$; typical examples are: $y \triangleleft x$ if $x = y$, or if $y$ is a prefix of $x$, or if $y$ is an arbitrary continuous substring of $x$. Below, we set $\mathcal Y^{\triangleleft x} := \{y \in \mathcal Y \mid y \triangleleft x\}$ and $T := \max_x |\mathcal Y^{\triangleleft x}|$.

Using the same kind of reasoning as above, we can argue that
$$p \le \sum_{s=1}^{q} [\neg\mathsf{CHN}_s \xrightarrow{k} \mathsf{CHN}_{s+1}] + \frac{q+2}{|\mathcal Y|} ,$$
where $\mathsf{CHN}_s = \{D \mid \exists\, x_0, x_1, \dots, x_s \in \mathcal X : D(x_{i-1}) \triangleleft x_i\ \forall i\}$. Here, it will be useful to exploit that after $s$ (parallel) queries, $D_s \in \mathsf{SZ}_{\le ks} := \{D \mid |\{x \mid D(x) \neq \bot\}| \le ks\}$, i.e., that the size of the database $D_s$, measured as the number of $x$'s for which $D_s(x) \neq \bot$, is at most $ks$. Thus, the above extends to
$$p \le \sum_{s=1}^{q} [\mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CHN}_s \xrightarrow{k} \mathsf{CHN}_{s+1}] + \frac{q+2}{|\mathcal Y|} , \qquad (3)$$
with the (classical) transition capacity here given by $\max \Pr[D^{\odot \mathbf x} \in \mathsf{CHN}_{s+1}]$, maximized over all $D \in \mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CHN}_s$ and $\mathbf x \in \mathcal X^k$. To control the considered (classical and quantum) transition capacity, for any $D$ and any $\mathbf x = (x_1, \dots, x_k) \in \mathcal X^k$, we introduce the following local properties $L_{D,x_i} \subseteq \mathcal Y$ with $i = 1, \dots, k$:
$$L_{D,x_i} = \bigcup_{x \in \mathcal X :\ D(x) \neq \bot} \mathcal Y^{\triangleleft x} \ \cup\ \bigcup_{j=1}^{k} \mathcal Y^{\triangleleft x_j} , \qquad (4)$$
so that $y_i \in L_{D,x_i}$ if $y_i \triangleleft x$ for some $x \in \mathcal X$ with $D(x) \neq \bot$ or $x \in \{x_1, \dots, x_k\}$. They satisfy the following condition, which is slightly weaker than (2) used above.

Lemma 2.1. $D[\mathbf x \mapsto \mathbf r] \notin \mathsf{CHN}_s \ \wedge\ D[\mathbf x \mapsto \mathbf u] \in \mathsf{CHN}_{s+1} \ \Longrightarrow\ \exists\, i : r_i \neq u_i \wedge u_i \in L_{D,x_i}$.

Proof.
Write $D^\circ$ for $D[\mathbf x \mapsto \mathbf r]$ and $D'$ for $D[\mathbf x \mapsto \mathbf u]$. Assume that $D' \in \mathsf{CHN}_{s+1}$, and let $\hat x_0, \hat x_1, \dots, \hat x_{s+1} \in \mathcal X$ be such a chain, i.e., so that $D'(\hat x_j) \triangleleft \hat x_{j+1}$ for $j = 0, \dots, s$. Let $s^\circ$ be the smallest $j$ so that $D^\circ(\hat x_j) \neq D'(\hat x_j)$; if $s^\circ \ge s$ (or no such $j$ exists) then $D^\circ(\hat x_j) = D'(\hat x_j) \triangleleft \hat x_{j+1}$ for $j = 0, \dots, s-1$, and thus $D^\circ \in \mathsf{CHN}_s$ and we are done. Therefore, we may assume $s^\circ < s$. Furthermore, since $D^\circ(\bar x) = D'(\bar x)$ for $\bar x \notin \{x_1, \dots, x_k\}$, we must have that $\hat x_{s^\circ} = x_i$ for some $i \in \{1, \dots, k\}$, and therefore $r_i = D^\circ(x_i) = D^\circ(\hat x_{s^\circ}) \neq D'(\hat x_{s^\circ}) = D'(x_i) = u_i$. Also, we have that $u_i = D'(x_i) = D'(\hat x_{s^\circ}) \triangleleft \hat x_{s^\circ+1}$ where $\hat x_{s^\circ+1}$ is such that $D'(\hat x_{s^\circ+1}) \triangleleft \hat x_{s^\circ+2}$ and thus $D'(\hat x_{s^\circ+1}) \neq \bot$. The latter means that either $D(\hat x_{s^\circ+1}) \neq \bot$ or $\hat x_{s^\circ+1} \in \{x_1, \dots, x_k\}$ (or both). In either case we have that $u_i \in L_{D,x_i}$. $\square$

Applied to $\mathbf r := D(\mathbf x)$ so that $D[\mathbf x \mapsto \mathbf r] = D$, we obtain $\Pr[D^{\odot \mathbf x} \in \mathsf{CHN}_{s+1}] \le \sum_i \Pr[U \in L_{D,x_i}]$. Given that, for $D \in \mathsf{SZ}_{\le k(s-1)}$, the set $\{x \mid D(x) \neq \bot\}$ is bounded in size by $k(s-1)$, and $|\mathcal Y^{\triangleleft x}|, |\mathcal Y^{\triangleleft x_j}| \le T$, we can bound the relevant probability as $\Pr[U \in L_{D,x_i}] \le ksT/|\mathcal Y|$. Hence, the considered classical transition capacity is bounded by $k^2 sT/|\mathcal Y|$. By (3), we thus have $p = O(k^2 q^2 T/|\mathcal Y|)$, which is in line with the bound given by Cohen-Pietrzak [9].

Also here, our framework allows us to lift the above reasoning to the quantum setting, simply by plugging the core elements of the above reasoning for the classical case into our framework.
Concretely, choosing the local properties $L_{D,x_i}$ as above whenever $D \in \mathsf{SZ}_{\le k(s-1)}$, and to be constant-false otherwise, Lemma 2.1 ensures that we can apply Theorem 5.19 to bound the quantum transition capacity as
$$[\![\mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CHN}_s \xrightarrow{k} \mathsf{CHN}_{s+1}]\!] \le e \max_{\mathbf x, D} \sum_i \sqrt{\Pr[U \in L_{D,x_i}]} \le e k \sqrt{\frac{k(q+1)T}{|\mathcal Y|}} ,$$
where $e$ is Euler's number. Plugging this into Theorem 5.6, we then get the bound
$$p \le \Big( q e k \sqrt{\frac{k(q+1)T}{|\mathcal Y|}} + \frac{q+2}{|\mathcal Y|} \Big)^2 = O\Big(\frac{q^3 k^3 T}{|\mathcal Y|}\Big)$$
on the success probability of a quantum oracle algorithm in finding a $(q+1)$-chain with no more than $q$ $k$-parallel queries. Recall, $T$ depends on the considered relation $y \triangleleft x$; $T = 1$ if $y$ is required to be equal to $x$, or a prefix of $x$, and $T = m - n + 1$ if $y$ and $x$ are $n$- and $m$-bit strings, respectively, and $y$ is required to be a continuous substring of $x$ (at most one candidate $y$ per starting position in $x$).

Finding a Collision (with Parallel Queries).

In the same spirit, for the query complexity of finding a collision, it is sufficient to control the transition capacity for $\mathsf{CL} := \{D \mid \exists\, x \neq x' : D(x) = D(x') \neq \bot\}$. Indeed, using the same kind of reasoning as above, we can argue that
$$p \le \sum_{s=1}^{q} [\mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CL} \xrightarrow{k} \mathsf{CL}] + \frac{2}{|\mathcal Y|} ,$$
with the (classical) transition capacity here given by $\max \Pr[D^{\odot \mathbf x} \in \mathsf{CL}]$, maximized over all $D \in \mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CL}$ and $\mathbf x \in \mathcal X^k$. In order to analyze this transition capacity, for given $D$ and $\mathbf x = (x_1, \dots, x_k) \in \mathcal X^k$, we consider the following family of 1-local and 2-local properties:
$$\mathsf{CL}_{i,j} = \{(y, y) \mid y \in \mathcal Y\} \subseteq \mathcal Y \times \mathcal Y \quad\text{and}\quad \mathsf{CL}_i = \{D(\bar x) \mid \bar x \notin \{x_1, \dots, x_k\} : D(\bar x) \neq \bot\} \subseteq \mathcal Y ,$$
indexed by $i \neq j \in \{1, \dots, k\}$ and $i \in \{1, \dots, k\}$, respectively, and where we leave the dependency on $D$ and $\mathbf x$ implicit.
Similar to (2), here we have that for any $\mathbf x \in \mathcal X^k$ and $D \in \mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CL}$
$$D[\mathbf x \mapsto \mathbf y] \in \mathsf{CL} \iff \big(\exists\, i \neq j : (y_i, y_j) \in \mathsf{CL}_{i,j}\big) \vee \big(\exists\, i : y_i \in \mathsf{CL}_i\big) ,$$
i.e., a collision can only happen for $D[\mathbf x \mapsto \mathbf y]$ if $y_i = y_j$ for $i \neq j$, or $y_i = D(\bar x)$ for some $i$ and some $\bar x$ outside of $\mathbf x$. It then follows (by the union bound) that
$$[\mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CL} \xrightarrow{k} \mathsf{CL}] \le \sum_{i \neq j} \Pr[(U, U') \in \mathsf{CL}_{i,j}] + \sum_i \Pr[U \in \mathsf{CL}_i] \le \frac{k(k-1)}{|\mathcal Y|} + \frac{k \cdot k(s-1)}{|\mathcal Y|} ,$$
where we exploited that $\mathsf{CL}_i$ is bounded in size by $k(s-1)$ by assumption on $D$. This then amounts to the classical bound
$$p \le O\Big(\frac{q^2 k^2}{|\mathcal Y|}\Big)$$
on the success probability of finding a collision with no more than $q$ $k$-parallel queries.

Here, due to the 2-locality of $\mathsf{CL}_{i,j}$, there is an additional small complication for deriving the corresponding quantum bound, since in such a case our framework does not relate the corresponding quantum transition capacity to the probability $\Pr[(U, U') \in \mathsf{CL}_{i,j}]$ of a random pair in $\mathcal Y \times \mathcal Y$ satisfying the 2-local property $\mathsf{CL}_{i,j}$. Instead, we have to consider the following derived 1-local properties. For any $i \neq j$ and $D'$, let
$$\mathsf{CL}_{i,j}|_{D'|x_i} := \mathsf{CL}_{i,j} \cap \big((\mathcal Y \cup \{\bot\}) \times \{D'(x_j)\}\big) = \{D'(x_j)\} \quad\text{and}\quad \mathsf{CL}_i|_{D'|x_i} := \mathsf{CL}_i .$$
Then, the considered quantum transition capacity is given in terms of
$$\Pr\big[U \in \mathsf{CL}_{i,j}|_{D'|x_i}\big] = \frac{1}{|\mathcal Y|} \quad\text{and}\quad \Pr\big[U \in \mathsf{CL}_i|_{D'|x_i}\big] \le \frac{kq}{|\mathcal Y|} .$$
Namely, by Theorem 5.21,
$$[\![\mathsf{SZ}_{\le ks} \setminus \mathsf{CL} \xrightarrow{k} \mathsf{CL}]\!] \le e \sqrt{\sum_{i \neq j} \Pr\big[U \in \mathsf{CL}_{i,j}|_{D'|x_i}\big] + \sum_i \Pr\big[U \in \mathsf{CL}_i|_{D'|x_i}\big]} \le e k \sqrt{\frac{q+1}{|\mathcal Y|}} .$$
By Theorem 5.6, this then amounts to the bound
$$p \le O\Big(\frac{q^3 k^2}{|\mathcal Y|}\Big)$$
on the success probability of a quantum oracle algorithm in finding a collision with no more than $q$ $k$-parallel queries.

Notation
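The classical arguments of this section (the lazy-sampled update, the predicates $\mathsf{CHN}_s$, $\mathsf{CL}$ and $\mathsf{SZ}_{\le n}$, the local property (4) and Lemma 2.1) are concrete enough to be checked mechanically on a toy instance. The following Python script is an added example and not code from the paper: it fixes $\mathcal X = \mathcal Y = \{0,1,2\}$, $k = 2$ and the equality relation $y \triangleleft x \iff y = x$ (so $T = 1$), enumerates every database, query vector and pair $\mathbf r, \mathbf u$, counts violations of Lemma 2.1 (expected: none), and computes the classical transition capacities $[\mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CHN}_s \xrightarrow{k} \mathsf{CHN}_{s+1}]$ and $[\mathsf{SZ}_{\le k(s-1)} \setminus \mathsf{CL} \xrightarrow{k} \mathsf{CL}]$ exactly, so that they can be compared with the bounds $k^2 sT/|\mathcal Y|$ and $k(k-1)/|\mathcal Y| + k \cdot k(s-1)/|\mathcal Y|$ derived above. The tiny parameters, the tuple encoding of databases and the modelling of $D^{\odot \mathbf x}$ (fresh uniform values only at still-undefined positions) are choices made for this example.

```python
"""Toy, exhaustive check of the classical arguments of Section 2.

Constructed example: X = Y = {0, 1, 2}, k = 2 parallel queries per round, and the
relation y <| x taken to be equality (so T = 1).  A database is a tuple indexed by
x in X with entries in Y or BOT (the symbol "not defined yet").  This is added
illustration code, not the paper's own code."""
from fractions import Fraction
from functools import lru_cache
from itertools import permutations, product

BOT = None
X = Y = (0, 1, 2)
K = 2
YBAR = Y + (BOT,)


def rel(y, x):
    """y <| x.  BOT is related to nothing, which is what makes chains stop at BOT."""
    return y is not BOT and y == x


def update(D, xs, rs):
    """D[x -> r] for a query vector xs with pairwise distinct entries."""
    assert len(set(xs)) == len(xs), "D[x -> r] is only defined for distinct queries"
    D = list(D)
    for x, r in zip(xs, rs):
        D[x] = r
    return tuple(D)


def size(D):
    """|{x : D(x) != BOT}|, the quantity bounded by SZ_{<= n}."""
    return sum(v is not BOT for v in D)


@lru_cache(maxsize=None)
def in_chn(D, s):
    """D in CHN_s: some x_0, ..., x_s with D(x_{i-1}) <| x_i for all 1 <= i <= s."""
    return any(all(rel(D[c[i - 1]], c[i]) for i in range(1, s + 1))
               for c in product(X, repeat=s + 1))


def in_cl(D):
    """D in CL: two distinct inputs with the same defined output."""
    vals = [v for v in D if v is not BOT]
    return len(vals) != len(set(vals))


def local_property(D, xs, i):
    """L_{D,x_i} from (4): the y related to a defined point of D or to some x_j."""
    anchors = [x for x in X if D[x] is not BOT] + list(xs)
    return {y for y in Y if any(rel(y, x) for x in anchors)}


def lemma_2_1_violations(s):
    """Count tuples (D, x, r, u) with D[x->r] not in CHN_s and D[x->u] in CHN_{s+1}
    for which no i has r_i != u_i and u_i in L_{D,x_i}.  Lemma 2.1 says: zero."""
    bad = 0
    for D in product(YBAR, repeat=len(X)):
        for xs in permutations(X, K):
            for r in product(YBAR, repeat=K):
                if in_chn(update(D, xs, r), s):
                    continue
                for u in product(YBAR, repeat=K):
                    if not in_chn(update(D, xs, u), s + 1):
                        continue
                    if not any(r[i] != u[i] and u[i] in local_property(D, xs, i)
                               for i in range(K)):
                        bad += 1
    return bad


def lazy_update_distribution(D, xs):
    """Distribution of the lazy-sampled update D^{(.)x}: fresh uniform values for
    the still-undefined x_i, previously defined x_i keep their value."""
    dist = {}
    for u in product(Y, repeat=K):
        rs = tuple(D[x] if D[x] is not BOT else ui for x, ui in zip(xs, u))
        Dn = update(D, xs, rs)
        dist[Dn] = dist.get(Dn, Fraction(0)) + Fraction(1, len(Y) ** K)
    return dist


def capacity(s, excluded, target):
    """Exact classical transition capacity [SZ_{<=k(s-1)} \\ excluded -->^k target]:
    the maximum over admissible D and query vectors of Pr[updated D in target]."""
    best = Fraction(0)
    for D in product(YBAR, repeat=len(X)):
        if size(D) > K * (s - 1) or excluded(D):
            continue
        for xs in permutations(X, K):
            p = sum(pr for Dn, pr in lazy_update_distribution(D, xs).items() if target(Dn))
            best = max(best, p)
    return best


def chain_capacity(s):
    return capacity(s, lambda D: in_chn(D, s), lambda D: in_chn(D, s + 1))


def chain_bound(s, T=1):
    """k^2 s T / |Y|, the bound derived from Lemma 2.1 in the text."""
    return Fraction(K * K * s * T, len(Y))


def collision_capacity(s):
    return capacity(s, in_cl, in_cl)


def collision_bound(s):
    """k(k-1)/|Y| + k * k(s-1)/|Y|, the classical collision bound in the text."""
    return Fraction(K * (K - 1) + K * K * (s - 1), len(Y))


if __name__ == "__main__":
    for s in (1, 2):
        print(f"s={s}: Lemma 2.1 violations={lemma_2_1_violations(s)}, "
              f"chain capacity={chain_capacity(s)} (bound {chain_bound(s)}), "
              f"collision capacity={collision_capacity(s)} (bound {collision_bound(s)})")
```

With $|\mathcal Y| = 3$ the bounds are loose (they exceed $1$ already for $s = 1$), which is expected: they are meant for $|\mathcal Y| = 2^m$ large. The value of the script is the exhaustive confirmation of Lemma 2.1 for all $\mathbf r, \mathbf u \in \bar{\mathcal Y}^k$ and of the shape of the worst-case databases; for instance, for $s = 2$ the chain capacity is already $1$ because a database with one defined point and two fresh queries covering the rest of $\mathcal X$ always yields a $3$-chain.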
Let $\mathcal H$ be a finite-dimensional complex Hilbert space; by default, $\mathcal H = \mathbb C^d$ for some dimension $d$. We use standard bra-ket notation for covariant and contravariant vectors in $\mathcal H$, i.e., for column and row vectors in $\mathbb C^d$. We write $\mathcal L(\mathcal H, \mathcal H')$ for the linear maps, i.e., operators (or matrices), $A : \mathcal H \to \mathcal H'$, and we use $\mathcal L(\mathcal H)$ as a shorthand for $\mathcal L(\mathcal H, \mathcal H)$. We write $\mathbb I$ for the identity operator in $\mathcal L(\mathcal H)$. It is understood that pure states are given by norm-$1$ ket vectors $|\psi\rangle \in \mathcal H$ and mixed states by density operators $\rho \in \mathcal L(\mathcal H)$.

A (possibly) mixed state $\rho \in \mathcal L(\mathcal H)$ is said to be supported by a subspace $\mathcal H^\circ \subseteq \mathcal H$ if the support of the operator $\rho$ lies in $\mathcal H^\circ$, or, equivalently, if any purification $|\Psi\rangle \in \mathcal H \otimes \mathcal H$ of $\rho$ lies in $\mathcal H^\circ \otimes \mathcal H$. A state is said to be supported by a family of (orthonormal) vectors if it is supported by the span of these vectors.

We write $\|A\|$ for the operator norm of $A \in \mathcal L(\mathcal H, \mathcal H')$ and recall that it is upper bounded by the Frobenius norm. Special choices of operators in $\mathcal L(\mathcal H)$ are projections and unitaries. We assume familiarity with these notions, as well as with the notion of an isometry in $\mathcal L(\mathcal H, \mathcal H')$.

If $\mathcal H^\circ$ is a subspace of $\mathcal H$ and $A \in \mathcal L(\mathcal H^\circ)$ then we can naturally understand $A$ as a map $A \in \mathcal L(\mathcal H)$ by letting $A$ act as the zero-map on any $|\psi\rangle \in \mathcal H$ that is orthogonal to $\mathcal H^\circ$. We point out that this does not cause any ambiguity in $\|A\|$. Vice versa, for any $A \in \mathcal L(\mathcal H)$ we can consider its restriction to $\mathcal H^\circ$. Here, we have the following. If $\mathcal H = \mathcal H_1 \oplus \dots \oplus \mathcal H_m$ is a decomposition of $\mathcal H$ into orthogonal subspaces $\mathcal H_i \subseteq \mathcal H$, and $A \in \mathcal L(\mathcal H)$ is such that its restriction to $\mathcal H_i$ is a map $\mathcal H_i \to \mathcal H_i$ and coincides with $B_i \in \mathcal L(\mathcal H_i)$ for any $i \in \{1, \dots, m\}$, then
$$\|A\| = \max_{1 \le i \le m} \|B_i\| .$$
This is a property we are exploiting multiple times, typically making a reference then to “basic properties” of the operator norm.
Let $\mathcal Y$ be a finite Abelian group of cardinality $M$, and let $\{|y\rangle\}_{y \in \mathcal Y}$ be an (orthonormal) basis of $\mathcal H = \mathbb C^M$, where the basis vectors are labeled by the elements of $\mathcal Y$. We refer to this basis as the computational basis, and we also write $\mathbb C[\mathcal Y]$ for $\mathcal H = \mathbb C^M$ to emphasize that the considered space is spanned by basis vectors that are labeled by the elements in $\mathcal Y$. Let $\hat{\mathcal Y}$ be the dual group of $\mathcal Y$, which consists of all group homomorphisms $\mathcal Y \to \{\omega \in \mathbb C \mid |\omega| = 1\}$ and is known to have cardinality $M$ as well. Up to some exceptions, we consider $\hat{\mathcal Y}$ to be an additive group; the neutral element is denoted $\hat 0$. We stress that we treat $\mathcal Y$ and $\hat{\mathcal Y}$ as disjoint sets, even though in certain (common) cases they are naturally isomorphic as groups and thus considered to be equal. The Fourier basis $\{|\hat y\rangle\}_{\hat y \in \hat{\mathcal Y}}$ of $\mathcal H$ is defined by the basis transformations
$$|\hat y\rangle = \frac{1}{\sqrt M} \sum_{y} \hat y(y)^* |y\rangle \qquad\text{and}\qquad |y\rangle = \frac{1}{\sqrt M} \sum_{\hat y} \hat y(y) |\hat y\rangle , \qquad (5)$$
where $(\cdot)^*$ denotes complex conjugation. With the above convention on the notation, we have $\mathbb C[\mathcal Y] = \mathbb C[\hat{\mathcal Y}] = \mathcal H$.

An elementary property of the Fourier basis is that the operator in $\mathcal L(\mathbb C[\mathcal Y] \otimes \mathbb C[\mathcal Y])$ defined by $|y\rangle|y'\rangle \mapsto |y + y'\rangle|y'\rangle$ for $y, y' \in \mathcal Y$ acts as $|\hat y\rangle|\hat y'\rangle \mapsto |\hat y\rangle|\hat y' - \hat y\rangle$ for $\hat y, \hat y' \in \hat{\mathcal Y}$: expanding both registers via (5), substituting $y = z - y'$ and using $\hat y(z - y')^* = \hat y(z)^*\, \hat y(y')$, the addition into the first register becomes a subtraction of characters in the second. For $\mathcal Y = \{0,1\}^m$, where $\hat y' - \hat y = \hat y' + \hat y$, this is the familiar fact that a CNOT in the Hadamard basis acts on its control rather than its target.

We will also consider extensions $\mathcal Y \cup \{\bot\}$ and $\hat{\mathcal Y} \cup \{\bot\}$ of the sets $\mathcal Y$ and $\hat{\mathcal Y}$ by including a special symbol $\bot$. We will then fix a norm-$1$ vector $|\bot\rangle \in \mathbb C^{M+1}$ that is orthogonal to $\mathbb C[\mathcal Y] = \mathbb C[\hat{\mathcal Y}]$, given a fixed embedding of $\mathbb C[\mathcal Y] = \mathbb C^M$ into $\mathbb C^{M+1}$. In line with our notation, $\mathbb C^{M+1}$ is then referred to as $\mathbb C[\mathcal Y \cup \{\bot\}] = \mathbb C[\hat{\mathcal Y} \cup \{\bot\}]$.

Footnote: By fixing an isomorphism $\mathcal Y \to \hat{\mathcal Y}$, $y \mapsto \hat y$, we obtain a unitary map $|y\rangle \mapsto |\hat y\rangle$, called quantum Fourier transform (QFT). However, we point out that in general there is no natural choice for the isomorphism, and thus for the QFT, though in the common cases there is. We note that in this work we do not fix any such isomorphism and do not make use of a QFT; we merely consider the two bases. The reader that feels uncomfortable with this abstract approach to the Fourier basis may stick to $\mathcal Y = \{0,1\}^m$ and replace $|\hat y\rangle$ by $H^{\otimes m}|y\rangle$ with $y \in \{0,1\}^m$ and $H$ the Hadamard matrix.

3.3 Functions and Their (Quantum) Representations

For an arbitrary but fixed non-empty finite set $\mathcal X$, we let $\mathfrak H$ be the set of functions $H : \mathcal X \to \mathcal Y$. Similarly, $\hat{\mathfrak H}$ denotes the set of all functions $\hat H : \mathcal X \to \hat{\mathcal Y}$. Given that we can represent $H$ by its function table $\{H(x)\}_{x \in \mathcal X}$, and $|y\rangle \in \mathbb C[\mathcal Y]$ is understood as a “quantum representation” of $y \in \mathcal Y$, we consider $|H\rangle = \bigotimes_x |H(x)\rangle$ to be the “quantum representation” of $H$, where in such a tensor product we implicitly consider the different registers to be labelled by $x \in \mathcal X$ in the obvious way. By our naming convention, the space $\bigotimes_x \mathbb C[\mathcal Y]$ spanned by all vectors $|H\rangle = \bigotimes_x |H(x)\rangle$ with $H \in \mathfrak H$ is denoted $\mathbb C[\mathfrak H]$. Similarly, $|\hat H\rangle = \bigotimes_x |\hat H(x)\rangle$ is the “quantum representation” of $\hat H \in \hat{\mathfrak H}$. By applying (5) register-wise, any $|H\rangle$ decomposes into a linear combination of vectors $|\hat H\rangle$ with $\hat H \in \hat{\mathfrak H}$, and vice versa. Thus, $\mathbb C[\mathfrak H] = \mathbb C[\hat{\mathfrak H}]$.

Extending $\mathcal Y$ to $\bar{\mathcal Y} := \mathcal Y \cup \{\bot\}$, we also consider the set $\mathfrak D$ of functions (referred to as databases) $D : \mathcal X \to \bar{\mathcal Y}$.
In line with the above, the “quantum representation” of a database $D$ is given by $|D\rangle = \bigotimes_x |D(x)\rangle \in \bigotimes_x \mathbb C[\bar{\mathcal Y}] = \mathbb C[\mathfrak D]$. We also consider the set $\hat{\mathfrak D}$ of functions $\hat D : \mathcal X \to \hat{\mathcal Y} \cup \{\perp\}$ and have $\mathbb C[\mathfrak D] = \mathbb C[\hat{\mathfrak D}]$.

For $D \in \mathfrak D$ and $\mathbf x = (x_1, \dots, x_k) \in \mathcal X^k$, we write $D(\mathbf x)$ for $\big(D(x_1), \dots, D(x_k)\big) \in \bar{\mathcal Y}^k$; similarly for $H \in \mathfrak H$. Furthermore, if $\mathbf x$ has pairwise distinct entries and $\mathbf r = (r_1, \dots, r_k) \in \bar{\mathcal Y}^k$, we define $D[\mathbf x \mapsto \mathbf r] \in \mathfrak D$ to be the database with $D[\mathbf x \mapsto \mathbf r](x_i) = r_i$ and $D[\mathbf x \mapsto \mathbf r](\bar x) = D(\bar x)$ for all $\bar x \notin \{x_1, \dots, x_k\}$.

We give a concise yet self-contained and mathematically rigorous introduction to the compressed-oracle technique. For the reader familiar with the compressed oracle, we still recommend browsing over the section to become familiar with the notation we are using, and for some important observations, but some of the proofs can then well be skipped.
The core ideas of Zhandry's compressed oracle are, first, to consider a superposition $\sum_H |H\rangle$ of all possible functions $H \in \mathfrak H$, rather than a uniformly random choice; this purified oracle is indistinguishable from the original random oracle for any (quantum) query algorithm since the queries commute with measuring the superposition. Second, to then analyze the behavior of this purified oracle in the Fourier basis. Indeed, the initial state of the oracle is given (up to normalization) by

$$|\Pi\rangle = \sum_H |H\rangle = \bigotimes_x \Big(\sum_y |y\rangle\Big) = \bigotimes_x |\hat 0\rangle = |\hat{\mathbf 0}\rangle \in \mathbb C[\mathfrak H], \qquad (6)$$

with $\hat{\mathbf 0} \in \hat{\mathfrak H}$ the constant-$\hat 0$ function. Furthermore, an oracle query invokes the unitary map $\mathcal O$ given by $\mathcal O : |x\rangle|y\rangle \otimes |H\rangle \mapsto |x\rangle|y + H(x)\rangle \otimes |H\rangle$ in the computational basis; in the Fourier basis, this becomes

$$\mathcal O : |x\rangle|\hat y\rangle \otimes |\hat H\rangle \mapsto |x\rangle|\hat y\rangle \otimes \mathcal O_{x\hat y}|\hat H\rangle = |x\rangle|\hat y\rangle \otimes |\hat H - \hat y \cdot \delta_x\rangle, \qquad (7)$$

where the equality is the definition of $\mathcal O_{x\hat y}$, and $\delta_x : \mathcal X \to \{0, 1\}$ satisfies $\delta_x(x) = 1$ and $\delta_x(x') = 0$ for all $x' \ne x$. Note that $\mathcal O_{x\hat y}$ acts on register $x$ only, and $\mathcal O_{x\hat y}\mathcal O_{x\hat y'} = \mathcal O_{x, \hat y + \hat y'}$; thus, $\mathcal O_{x\hat y}$ and $\mathcal O_{x'\hat y'}$ all commute. As an immediate consequence of (6) and (7) above, it follows that the internal state of the oracle after $q$ queries is supported by state vectors of the form $|\hat H\rangle = |\hat y_1 \delta_{x_1} + \cdots + \hat y_q \delta_{x_q}\rangle$.

The actual compressed oracle (respectively some version of it) is now obtained by applying the isometry

$$\mathrm{Comp}_x = |\perp\rangle\langle \hat 0| + \sum_{\hat z \ne \hat 0} |\hat z\rangle\langle \hat z| : \mathbb C[\mathcal Y] \to \mathbb C[\bar{\mathcal Y}], \qquad |\hat y\rangle \mapsto \begin{cases} |\perp\rangle & \text{if } \hat y = \hat 0 \\ |\hat y\rangle & \text{if } \hat y \ne \hat 0 \end{cases}$$
to register $x$ for all $x \in \mathcal X$ (and then viewing the result in the computational basis). This “compression” operator $\mathrm{Comp} := \bigotimes_x \mathrm{Comp}_x : \mathbb C[\mathfrak H] \to \mathbb C[\mathfrak D]$ maps $|\Pi\rangle$ to

$$|\Delta\rangle := \mathrm{Comp}|\Pi\rangle = \Big(\bigotimes_x \mathrm{Comp}_x\Big)\Big(\bigotimes_x |\hat 0\rangle\Big) = \bigotimes_x \mathrm{Comp}_x |\hat 0\rangle = \bigotimes_x |\perp\rangle = |\boldsymbol\perp\rangle,$$

which is the quantum representation of the trivial database $\boldsymbol\perp$ that maps any $x \in \mathcal X$ to $\perp$. More generally, for any $\hat H \in \hat{\mathfrak H}$, $\mathrm{Comp}|\hat H\rangle = |\hat D\rangle$ where $\hat D \in \hat{\mathfrak D}$ is such that $\hat D(x) = \hat H(x)$ whenever $\hat H(x) \ne \hat 0$, and $\hat D(x) = \perp$ whenever $\hat H(x) = \hat 0$. As a consequence, the internal state of the compressed oracle after $q$ queries is supported by state vectors $|D\rangle$ in the computational basis (respectively $|\hat D\rangle$ in the Fourier basis) for which $D(x) = \perp$ (respectively $\hat D(x) = \perp$) for all but (at most) $q$ choices of $x$.

This is referred to as the compressed oracle because, for a bounded number of queries, these state vectors $|D\rangle$ can be efficiently represented in terms of the number of qubits, i.e., can be compressed, as $|\mathrm{enc}(D)\rangle$, i.e., by employing an efficient classical representation, similar to the one mentioned in Section 2.2. Furthermore, the unitary that implements an oracle call (see $c\mathcal O$ below) can then be efficiently computed by a quantum circuit. In this work, we are not concerned with such computational efficiency aspects; nevertheless, for completeness, we formally discuss this in Appendix A.

The following result (originally by Zhandry [19]) links the compressed oracle with the original standard oracle. Intuitively, it ensures that one can extract useful information from the compressed oracle.
Lemma 4.1.
Consider an arbitrary (normalized) $|\Pi\rangle \in \mathbb C[\mathfrak H]$, and let $|\Delta\rangle = \mathrm{Comp}|\Pi\rangle \in \mathbb C[\mathfrak D]$ be the corresponding “compressed database”. Let $\mathbf x = (x_1, \dots, x_\ell)$ consist of pairwise distinct $x_i \in \mathcal X$, let $\mathbf y = (y_1, \dots, y_\ell) \in \mathcal Y^\ell$, and set $P_{\mathbf x} := |y_1\rangle\langle y_1| \otimes \cdots \otimes |y_\ell\rangle\langle y_\ell|$ with the understanding that $|y_i\rangle\langle y_i|$ acts on register $x_i$. Then

$$\|P_{\mathbf x}|\Pi\rangle\| \le \|P_{\mathbf x}|\Delta\rangle\| + \sqrt{\frac{\ell}{M}}.$$

This somewhat technical statement directly translates to the following statement in algorithmic language.
Corollary 4.2 (Zhandry). Let $R \subseteq \mathcal X^\ell \times \mathcal Y^\ell$ be a relation. Let $\mathcal A$ be an oracle quantum algorithm that outputs $\mathbf x \in \mathcal X^\ell$ and $\mathbf y \in \mathcal Y^\ell$. Let $p$ be the probability that $\mathbf y = H(\mathbf x)$ and $(\mathbf x, \mathbf y) \in R$ when $\mathcal A$ has interacted with the standard random oracle, initialized with a uniformly random function $H$. Similarly, let $p'$ be the probability that $\mathbf y = D(\mathbf x)$ and $(\mathbf x, \mathbf y) \in R$ when $\mathcal A$ has interacted with the compressed oracle instead and $D$ is obtained by measuring its internal state (in the computational basis). Then

$$\sqrt{p} \le \sqrt{p'} + \sqrt{\frac{\ell}{M}}.$$

Proof (of Corollary 4.2).
Consider an execution of $\mathcal A$ when interacting with the purified oracle. For technical reasons, we assume that, after having measured and output $\mathbf x, \mathbf y$, $\mathcal A$ measures its internal state in the computational basis to obtain a string $w$, which it outputs as well. We first observe that

$$p = \sum_{\substack{\mathbf x, \mathbf y, w \\ (\mathbf x, \mathbf y) \in R}} q_{\mathbf x, \mathbf y, w}\, p_{\mathbf x, \mathbf y, w} \quad\text{and}\quad p' = \sum_{\substack{\mathbf x, \mathbf y, w \\ (\mathbf x, \mathbf y) \in R}} q_{\mathbf x, \mathbf y, w}\, p'_{\mathbf x, \mathbf y, w},$$

where $q_{\mathbf x, \mathbf y, w}$ is the probability that $\mathcal A$ outputs the triple $\mathbf x, \mathbf y, w$, and $p_{\mathbf x, \mathbf y, w}$ is the probability that $\mathbf y = H(\mathbf x)$ conditioned on the considered output of $\mathcal A$, and correspondingly for $p'_{\mathbf x, \mathbf y, w}$. More technically, using the notation from Lemma 4.1, $p_{\mathbf x, \mathbf y, w} = \|P_{\mathbf x}|\Pi\rangle\|^2$ with $|\Pi\rangle$ the internal state of the purified oracle, post-selected on $\mathbf x, \mathbf y$ and $w$. Similarly, $p'_{\mathbf x, \mathbf y, w} = \|P_{\mathbf x}\mathrm{Comp}|\Pi\rangle\|^2$. Thus, applying Lemma 4.1 (with $\varepsilon := \sqrt{\ell/M}$) and squaring, we obtain

$$p_{\mathbf x, \mathbf y, w} \le \Big(\sqrt{p'_{\mathbf x, \mathbf y, w}} + \varepsilon\Big)^2 = p'_{\mathbf x, \mathbf y, w} + 2\sqrt{p'_{\mathbf x, \mathbf y, w}}\,\varepsilon + \varepsilon^2.$$

Averaging with the $q_{\mathbf x, \mathbf y, w}$'s, applying Jensen's inequality, and taking square roots, then implies the claim.

Proof (of Lemma 4.1). We set
$\mathrm{Comp}_{\mathbf x} := \bigotimes_i \mathrm{Comp}_{x_i}$; the subscript $\mathbf x$ again emphasizes that $\mathrm{Comp}_{\mathbf x}$ acts on the registers $x_1, \dots, x_\ell$ only. In line with this, we write $I_{\bar{\mathbf x}}$ for the identity acting on the registers $x \notin \{x_1, \dots, x_\ell\}$. Then

$$\begin{aligned}
\|P_{\mathbf x}|\Pi\rangle\| - \|P_{\mathbf x}\mathrm{Comp}|\Pi\rangle\| &= \|P_{\mathbf x}|\Pi\rangle\| - \|P_{\mathbf x}\mathrm{Comp}_{\mathbf x}|\Pi\rangle\| && \text{(since the $\mathrm{Comp}_x$'s are isometries)} \\
&\le \|(P_{\mathbf x} - P_{\mathbf x}\mathrm{Comp}_{\mathbf x})|\Pi\rangle\| && \text{(by the triangle inequality)} \\
&\le \|(P_{\mathbf x} - P_{\mathbf x}\mathrm{Comp}_{\mathbf x}) \otimes I_{\bar{\mathbf x}}\| && \text{(by definition of the operator norm)} \\
&= \|P_{\mathbf x} - P_{\mathbf x}\mathrm{Comp}_{\mathbf x}\| && \text{(by a basic property of the operator norm)}
\end{aligned}$$

We will work out the above operator norm. For this, recall that in the Fourier basis

$$P_{\mathbf x} = \bigotimes_i \Big(\frac{1}{M} \sum_{\hat y \in \hat{\mathcal Y},\, \hat z \in \hat{\mathcal Y}} \omega_{\hat z/\hat y}(y_i)\, |\hat z\rangle\langle \hat y|\Big) \quad\text{and}\quad \mathrm{Comp}_{\mathbf x} = \bigotimes_i \Big(|\perp\rangle\langle \hat 0| + \sum_{\hat 0 \ne \hat y \in \hat{\mathcal Y}} |\hat y\rangle\langle \hat y|\Big),$$

with the understanding that in the above respective tensor products the $i$-th component acts on register $x_i$, and where the $\omega_{\hat z/\hat y}(y_i)$ are suitable phases, i.e., norm-1 scalars, which will be irrelevant though. By multiplying the two, we get

$$P_{\mathbf x}\mathrm{Comp}_{\mathbf x} = \bigotimes_i \Big(\frac{1}{M} \sum_{\hat 0 \ne \hat y \in \hat{\mathcal Y},\, \hat z \in \hat{\mathcal Y}} \omega_{\hat z/\hat y}(y_i)\, |\hat z\rangle\langle \hat y|\Big).$$

Multiplying out the respective tensor products in $P_{\mathbf x}$ and $P_{\mathbf x}\mathrm{Comp}_{\mathbf x}$, and subtracting the two expressions, we obtain

$$P_{\mathbf x} - P_{\mathbf x}\mathrm{Comp}_{\mathbf x} = \frac{1}{M^\ell} \sum_{\substack{\hat y_1, \dots, \hat z_\ell \in \hat{\mathcal Y} \\ \exists i : \hat y_i = \hat 0}} \bigotimes_i \omega_{\hat z_i/\hat y_i}(y_i)\, |\hat z_i\rangle\langle \hat y_i| = \frac{1}{M^\ell} \sum_{\substack{\hat{\mathbf y}, \hat{\mathbf z} \\ \exists i : \hat y_i = \hat 0}} \omega_{\hat{\mathbf z}/\hat{\mathbf y}}\, |\hat{\mathbf z}\rangle\langle \hat{\mathbf y}|,$$

where the sum is over all $\hat{\mathbf y} = (\hat y_1, \dots, \hat y_\ell)$ and $\hat{\mathbf z} = (\hat z_1, \dots, \hat z_\ell)$ in $\hat{\mathcal Y}^\ell$ subject to at least one $\hat y_i$ being $\hat 0$, and where $\omega_{\hat{\mathbf z}/\hat{\mathbf y}}$ is the phase $\omega_{\hat{\mathbf z}/\hat{\mathbf y}} := \prod_i \omega_{\hat z_i/\hat y_i}(y_i)$. Bounding the operator norm by the Frobenius norm, we thus obtain that

$$\|P_{\mathbf x} - P_{\mathbf x}\mathrm{Comp}_{\mathbf x}\|^2 \le \sum_{\hat{\mathbf y}, \hat{\mathbf z}} \big|\langle \hat{\mathbf z}|(P_{\mathbf x} - P_{\mathbf x}\mathrm{Comp}_{\mathbf x})|\hat{\mathbf y}\rangle\big|^2 = \frac{1}{M^{2\ell}} \sum_{\substack{\hat{\mathbf y}, \hat{\mathbf z} \\ \exists i : \hat y_i = \hat 0}} |\omega_{\hat{\mathbf z}/\hat{\mathbf y}}|^2 \le \frac{1}{M^{2\ell}}\, M^\ell\, \ell\, M^{\ell - 1} = \frac{\ell}{M},$$

where the last inequality is a standard counting argument: there are $\ell$ choices for $i$, and for each $i$ there are $M^{\ell - 1}$ choices for $\hat{\mathbf y} \in \hat{\mathcal Y}^\ell$ with $\hat y_i = \hat 0$ (however, $\hat{\mathbf y}$'s with multiple zeros are counted multiple times this way).

Footnote: In line with the discussion in Section 3.1, since it maps any $|\perp\rangle$-component to $0$, $P_{\mathbf x}$ can be understood to have domain $\mathbb C[\mathcal Y]^{\otimes \ell}$ or $\mathbb C[\bar{\mathcal Y}]^{\otimes \ell}$; the same for its range. Thus, above, in $P_{\mathbf x}|\Pi\rangle$ it is understood as $\mathbb C[\mathcal Y]^{\otimes \ell} \to \mathbb C[\mathcal Y]^{\otimes \ell} \subseteq \mathbb C[\bar{\mathcal Y}]^{\otimes \ell}$, while in $P_{\mathbf x}\mathrm{Comp}_{\mathbf x}|\Pi\rangle$ as $\mathbb C[\bar{\mathcal Y}]^{\otimes \ell} \to \mathbb C[\bar{\mathcal Y}]^{\otimes \ell}$.

Footnote: For the record, switching back to multiplicative notation for the elements in the dual group $\hat{\mathcal Y}$, we have $\omega_{\hat z/\hat y}(y_i) = (\hat z/\hat y)(y_i)$.

Here, we explicitly work out the matrix (in the computational basis) that describes the evolution that the compressed oracle undergoes as a result of an oracle query. For this, it will be convenient to extend the domain $\mathbb C[\mathcal Y]$ of $\mathcal O_{x\hat y}$ and of $\mathrm{Comp}_x$ to $\mathbb C[\bar{\mathcal Y}]$ by declaring that $\mathcal O_{x\hat y}|\perp\rangle = |\perp\rangle$ and $\mathrm{Comp}_x|\perp\rangle = |\hat 0\rangle$. This turns $\mathcal O_{x\hat y}$ and $\mathrm{Comp}_x$ into unitaries on $\mathbb C[\bar{\mathcal Y}]$, and correspondingly then for $\mathcal O$ and $\mathrm{Comp}$. We are now interested in

$$c\mathcal O := \mathrm{Comp} \circ \mathcal O \circ \mathrm{Comp}^\dagger \in \mathcal L\big(\mathbb C[\mathcal X] \otimes \mathbb C[\mathcal Y] \otimes \mathbb C[\mathfrak D]\big),$$

which maps
$|x\rangle|\hat y\rangle \otimes |D\rangle$ to $|x\rangle|\hat y\rangle \otimes c\mathcal O_{x\hat y}|D\rangle$ for any $D \in \mathfrak D$, where $c\mathcal O_{x\hat y} := \mathrm{Comp}_x \circ \mathcal O_{x\hat y} \circ \mathrm{Comp}_x^\dagger \in \mathcal L(\mathbb C[\bar{\mathcal Y}])$ acts on the $x$-register only. In the form of a commuting diagram, we thus have

$$\begin{array}{ccc}
\mathbb C[\mathfrak H] & \xrightarrow{\ \mathrm{Comp}\ } & \mathbb C[\mathfrak D] \\
\Big\downarrow {\scriptstyle \mathcal O_{x\hat y}} & & \Big\downarrow {\scriptstyle c\mathcal O_{x\hat y}} \\
\mathbb C[\mathfrak H] & \xrightarrow{\ \mathrm{Comp}\ } & \mathbb C[\mathfrak D]
\end{array}$$

Lemma 4.3.
For any $\hat y \ne \hat 0$, in the computational basis the unitary $c\mathcal O_{x\hat y}$ on $\mathbb C^{M+1}$ is represented by the matrix given in Figure 1; i.e., for all $r, u \in \bar{\mathcal Y} := \mathcal Y \cup \{\perp\}$ it holds that $\langle u|c\mathcal O_{x, \hat y}|r\rangle = \gamma^{\hat y}_{u, r}$. Furthermore, $c\mathcal O_{x, \hat 0} = I$.

Figure 1: The matrix describing the evolution of the compressed oracle in the computational basis. Rows are indexed by $u \in \bar{\mathcal Y}$, columns by $r \in \bar{\mathcal Y}$:

$$\gamma^{\hat y}_{u, r} = \begin{cases}
0 & \text{if } u = r = \perp \\[2pt]
\dfrac{\hat y^*(r)}{\sqrt M} & \text{if } u = \perp,\ r \in \mathcal Y \\[6pt]
\dfrac{\hat y^*(u)}{\sqrt M} & \text{if } u \in \mathcal Y,\ r = \perp \\[6pt]
\Big(1 - \dfrac{2}{M}\Big)\hat y^*(u) + \dfrac{1}{M} & \text{if } u = r \in \mathcal Y \\[6pt]
\dfrac{1 - \hat y^*(r) - \hat y^*(u)}{M} & \text{if } u \ne r,\ \text{both in } \mathcal Y
\end{cases}$$
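As an added numerical check of Lemma 4.3 (this is not code from the paper), the following Python builds $\mathrm{Comp}_x$, $\mathcal O_{x,\hat y}$ and $c\mathcal O_{x,\hat y} = \mathrm{Comp}_x \circ \mathcal O_{x,\hat y} \circ \mathrm{Comp}_x^\dagger$ explicitly for $\mathcal Y = \mathbb Z_M$ in the computational basis and compares every entry with the closed form $\gamma^{\hat y}_{u,r}$ of Figure 1, also confirming that each column has unit mass and that $c\mathcal O_{x,\hat 0} = I$. It assumes the characters $\hat y(y) = e^{2\pi i \hat y y / M}$ and the sign convention $|\hat r\rangle \mapsto |\hat r + \hat y\rangle$ used in the proof that follows.

```python
import cmath
import math

# Constructed model (not the paper's code): Y = Z_M, so the character labelled by
# yhat is y -> exp(2*pi*i*yhat*y/M).  Vectors live in C^{M+1}: index y in 0..M-1 is
# the computational basis vector |y>, index M is the extra vector |bot>.


def character(M, yhat, y):
    """The dual-group element labelled by yhat, evaluated at y."""
    return cmath.exp(2j * math.pi * yhat * y / M)


def ket(M, idx):
    v = [0j] * (M + 1)
    v[idx] = 1 + 0j
    return v


def fourier_ket(M, yhat):
    """|yhat> = M^{-1/2} sum_y yhat(y)^* |y>, embedded in C^{M+1} (equation (5))."""
    return [character(M, yhat, y).conjugate() / math.sqrt(M) for y in range(M)] + [0j]


def outer(u, v):
    """|u><v| as a matrix given as a list of rows."""
    return [[a * b.conjugate() for b in v] for a in u]


def mat_add(A, B):
    return [[a + b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mat_scale(c, A):
    return [[c * a for a in row] for row in A]


def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def dagger(A):
    n = len(A)
    return [[A[j][i].conjugate() for j in range(n)] for i in range(n)]


def identity(n):
    return [[1 + 0j if i == j else 0j for j in range(n)] for i in range(n)]


def comp_matrix(M):
    """Comp_x extended to C[Y-bar]: swaps |0hat> and |bot>, fixes all other Fourier vectors."""
    zero_hat, bot = fourier_ket(M, 0), ket(M, M)
    C = identity(M + 1)
    C = mat_add(C, mat_scale(-1, outer(zero_hat, zero_hat)))
    C = mat_add(C, mat_scale(-1, outer(bot, bot)))
    C = mat_add(C, outer(bot, zero_hat))
    return mat_add(C, outer(zero_hat, bot))


def oracle_matrix(M, yhat):
    """O_{x,yhat} on C[Y-bar]: |rhat> -> |rhat + yhat| for rhat in Y-hat, and |bot> -> |bot>."""
    O = outer(ket(M, M), ket(M, M))
    for rhat in range(M):
        O = mat_add(O, outer(fourier_ket(M, (rhat + yhat) % M), fourier_ket(M, rhat)))
    return O


def compressed_oracle_matrix(M, yhat):
    """cO_{x,yhat} = Comp o O_{x,yhat} o Comp^dagger, written in the computational basis."""
    C = comp_matrix(M)
    return mat_mul(mat_mul(C, oracle_matrix(M, yhat)), dagger(C))


def gamma(M, yhat, u, r):
    """Closed-form entry gamma^{yhat}_{u,r} from Figure 1; index M stands for bot."""
    ys = lambda y: character(M, yhat, y).conjugate()  # yhat^*(y)
    if u == M and r == M:
        return 0j
    if u == M:
        return ys(r) / math.sqrt(M)
    if r == M:
        return ys(u) / math.sqrt(M)
    if u == r:
        return (1 - 2 / M) * ys(u) + 1 / M
    return (1 - ys(r) - ys(u)) / M


def max_deviation(M, yhat):
    """Largest |<u|cO|r> - gamma_{u,r}| over all u, r; ~0 means Figure 1 is reproduced."""
    cO = compressed_oracle_matrix(M, yhat)
    return max(abs(cO[u][r] - gamma(M, yhat, u, r)) for u in range(M + 1) for r in range(M + 1))


def column_mass(M, yhat, r):
    """sum_u |gamma_{u,r}|^2, i.e. the total mass of P~[U = u | r, yhat]; 1 by unitarity."""
    return sum(abs(gamma(M, yhat, u, r)) ** 2 for u in range(M + 1))


def deviation_from_identity(M):
    """Largest entry-wise distance between cO_{x,0hat} and I (Lemma 4.3 says it is 0)."""
    cO, I = compressed_oracle_matrix(M, 0), identity(M + 1)
    return max(abs(cO[u][r] - I[u][r]) for u in range(M + 1) for r in range(M + 1))


if __name__ == "__main__":
    for M in (2, 3, 5):
        for yhat in range(1, M):
            assert max_deviation(M, yhat) < 1e-9
            assert all(abs(column_mass(M, yhat, r) - 1) < 1e-9 for r in range(M + 1))
        assert deviation_from_identity(M) < 1e-9
    print("Figure 1 reproduced for M in {2, 3, 5}")
```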
Proof.
From simple but somewhat tedious manipulations, using basic properties of the Fourier transform, we obtain the following. For any $r \ne \perp$ (and $\hat y \ne \hat 0$), we have

$$\sqrt M\,|r\rangle = \sum_{\hat r} \hat r(r)\,|\hat r\rangle = |\hat 0\rangle + \sum_{\hat r \ne \hat 0} \hat r(r)\,|\hat r\rangle,$$

which gets mapped to

$$\xrightarrow{\ \mathrm{Comp}^\dagger\ } |\perp\rangle + \sum_{\hat r \ne \hat 0} \hat r(r)\,|\hat r\rangle,$$

which gets mapped to

$$\xrightarrow{\ \mathcal O_{x, \hat y}\ } |\perp\rangle + \sum_{\hat r \ne \hat 0} \hat r(r)\,|\hat r + \hat y\rangle = |\perp\rangle - |\hat y\rangle + \sum_{\hat r} \hat r(r)\,|\hat r + \hat y\rangle = |\perp\rangle - |\hat y\rangle + \hat y^*(r) \sum_{\hat r} \hat r(r)\,|\hat r\rangle = |\perp\rangle - |\hat y\rangle + \hat y^*(r)\,|\hat 0\rangle + \hat y^*(r) \sum_{\hat r \ne \hat 0} \hat r(r)\,|\hat r\rangle,$$

which gets mapped to

$$\xrightarrow{\ \mathrm{Comp}\ } |\hat 0\rangle - |\hat y\rangle + \hat y^*(r)\,|\perp\rangle + \hat y^*(r) \sum_{\hat r \ne \hat 0} \hat r(r)\,|\hat r\rangle = |\hat 0\rangle - |\hat y\rangle + \hat y^*(r)\,|\perp\rangle - \hat y^*(r)\,|\hat 0\rangle + \hat y^*(r) \sum_{\hat r} \hat r(r)\,|\hat r\rangle$$
$$= \frac{1}{\sqrt M} \sum_u |u\rangle - \frac{1}{\sqrt M} \sum_u \hat y^*(u)\,|u\rangle + \hat y^*(r)\,|\perp\rangle - \frac{\hat y^*(r)}{\sqrt M} \sum_u |u\rangle + \sqrt M\, \hat y^*(r)\,|r\rangle,$$

from which, after dividing by $\sqrt M$, we read off the coefficients $\gamma^{\hat y}_{u, r}$ for $r \ne \perp$. Finally, from

$$|\perp\rangle \xrightarrow{\ \mathrm{Comp}^\dagger\ } |\hat 0\rangle \xrightarrow{\ \mathcal O_{x, \hat y}\ } |\hat y\rangle \xrightarrow{\ \mathrm{Comp}\ } |\hat y\rangle = \frac{1}{\sqrt M} \sum_u \hat y^*(u)\,|u\rangle$$

we obtain the coefficients for $r = \perp$ (for $\hat y \ne \hat 0$). The case $\hat y = \hat 0$ follows from the fact that $\mathcal O_{x, \hat 0} = I$.

Since, for any fixed $\hat y$, this matrix is unitary, the squares of the absolute values of the entries in each column add up to $1$. Thus, for any $\hat y$ and $r$ we can consider the (conditional) probability distribution defined by $\tilde P[U = u \mid r, \hat y] := |\gamma^{\hat y}_{u, r}|^2$.
This offers us a convenient notation, like $\tilde P[U \in S \mid r, \hat y]$ for $\sum_{u \in S} |\gamma^{\hat y}_{u, r}|^2$ or $\tilde P[U \ne r \mid r, \hat y]$ for $\sum_{u \ne r} |\gamma^{\hat y}_{u, r}|^2$. For later purposes, it is useful to observe that, for any $L \subseteq \mathcal Y$ (i.e., $\perp \notin L$),

$$\sum_r \tilde P[r \ne U \in L \mid r, \hat y] \le \tilde P[U \in L \mid \perp, \hat y] + \sum_{r \ne \perp} \tilde P[r \ne U \in L \mid r, \hat y] \le \frac{|L|}{M} + M\,|L|\,\frac{9}{M^2} = 10\, P[U \in L], \qquad (8)$$

where $P[U \in L] = |L|/M$ is the probability for a uniformly random $U$ in $\mathcal Y$ to be in $L$.

Here, we extend the above compressed-oracle technique to the setting where a quantum algorithm may make several queries to the random oracle in parallel. We recall that distinguishing between parallel and sequential queries allows for a more fine-grained query-complexity analysis of quantum algorithms. In particular, by showing a lower bound on the number of necessary sequential queries (with each sequential query possibly consisting of a large number of parallel queries), one can show the impossibility (or bound the possibility) of parallelizing computational tasks.

Formally, for any positive integer $k$, a $k$-parallel query is given by $k$ parallel applications of $\mathcal O$, with the understanding that each application acts on a different input/output register pair. More explicitly, but slightly abusing the notation of writing a $k$-th power, a $k$-parallel query is given by

$$\mathcal O^k : |\mathbf x\rangle|\mathbf y\rangle \otimes |H\rangle \mapsto |\mathbf x\rangle|\mathbf y + H(\mathbf x)\rangle \otimes |H\rangle$$

for any $\mathbf x = (x_1, \dots, x_k) \in \mathcal X^k$ and $\mathbf y = (y_1, \dots, y_k) \in \mathcal Y^k$. The operator $c\mathcal O^k := \mathrm{Comp} \circ \mathcal O^k \circ \mathrm{Comp}^\dagger$, which describes the evolution of the compressed oracle under such a $k$-parallel query, then acts as

$$c\mathcal O^k : |\mathbf x\rangle|\hat{\mathbf y}\rangle \otimes |\Delta\rangle \mapsto |\mathbf x\rangle|\hat{\mathbf y}\rangle \otimes c\mathcal O_{\mathbf x\hat{\mathbf y}}|\Delta\rangle$$

for any $|\Delta\rangle \in \mathbb C[\mathfrak D]$, where $c\mathcal O_{\mathbf x\hat{\mathbf y}}$ is the product $c\mathcal O_{x_1\hat y_1} \cdots c\mathcal O_{x_k\hat y_k}$.
We recall that $c\mathcal O_{x_i\hat y_i}$ acts on register $x_i$ (only), and $c\mathcal O_{x_i\hat y_i}$ and $c\mathcal O_{x_j\hat y_j}$ commute (irrespective of $x_i$ and $x_j$ being different or not).

In this section we set up a framework for proving lower bounds on the query complexity (or, equivalently, upper bounds on the success probability) of quantum algorithms in the (quantum) random oracle model. Our framework closely mimics the reasoning for classical algorithms and allows us to easily “lift” the typical kind of reasoning to the quantum setting.
Definition 5.1. A database property on $\mathfrak D$ is a subset $\mathsf P \subseteq \mathfrak D$ of the set of databases $\mathfrak D$.

Remark 5.2.
As the naming suggests, we think of $\mathsf P$ as a property that is either true or false for any $D \in \mathfrak D$; we thus also write $\mathsf P(D)$ to denote that $D \in \mathsf P$, i.e., to express that “$D$ satisfies $\mathsf P$”. Furthermore, by convention, for any database property $\mathsf P \subseteq \mathfrak D$, we overload notation and use $\mathsf P$ also to refer to the projection $\sum_{D \in \mathsf P} |D\rangle\langle D| \in \mathcal L(\mathbb C[\mathfrak D])$.

Examples that we will later consider are

$$\mathsf{PRMG} := \{D \mid \exists x : D(x) = 0\} \quad\text{and}\quad \mathsf{CL} := \{D \mid \exists x, x' : D(x) = D(x') \ne \perp\}$$

as well as

$$\mathsf{CHN}_q := \{D \mid \exists x_0, x_1, \dots, x_q \in \mathcal X : D(x_{i-1}) \lhd x_i\ \forall i\},$$

where $\lhd$ denotes an arbitrary relation, e.g., $y \lhd x$ if $y$ is a prefix of $x$.

We introduce the following notation. For any tuple $\mathbf x = (x_1, \dots, x_k)$ of pairwise distinct $x_i \in \mathcal X$ and for any $D : \mathcal X \to \bar{\mathcal Y}$ we let

$$D|^{\mathbf x} := \big\{D[\mathbf x \mapsto \mathbf r] \mid \mathbf r \in \bar{\mathcal Y}^k\big\} \subseteq \mathfrak D$$

be the set of databases that coincide with $D$ outside of $\mathbf x$. Furthermore, for any database property $\mathsf P \subseteq \mathfrak D$, we then let $\mathsf P|_{D|^{\mathbf x}} := \mathsf P \cap D|^{\mathbf x}$ be the restriction of $\mathsf P$ to the databases in $D|^{\mathbf x}$.

Remark 5.3.
For fixed choices of $\mathbf x$ and $D$, we can, and often will, identify $D|^{\mathbf x}$ with $\bar{\mathcal Y}^k$ by means of the obvious identification map $\mathbf r \mapsto D[\mathbf x \mapsto \mathbf r]$. The property $\mathsf P|_{D|^{\mathbf x}}$ can then be considered to be a property/subset of $\bar{\mathcal Y}^k$, namely $\{\mathbf r \in \bar{\mathcal Y}^k \mid D[\mathbf x \mapsto \mathbf r] \in \mathsf P\}$. Accordingly, we do not distinguish between the projections

$$\sum_{D' \in \mathsf P|_{D|^{\mathbf x}}} |D'\rangle\langle D'| \in \mathcal L(\mathbb C[D|^{\mathbf x}]) \subseteq \mathcal L(\mathbb C[\mathfrak D]) \quad\text{and}\quad \sum_{\substack{\mathbf r \in \bar{\mathcal Y}^k \\ D[\mathbf x \mapsto \mathbf r] \in \mathsf P}} |\mathbf r\rangle\langle \mathbf r| \in \mathcal L(\mathbb C[\bar{\mathcal Y}^k])$$

but refer to both as $\mathsf P|_{D|^{\mathbf x}}$, using our convention of using the same variable for a property and the corresponding projection. This is justified by the fact that on the space spanned by $|D[\mathbf x \mapsto \mathbf r]\rangle$ with $\mathbf r \in \bar{\mathcal Y}^k$, both act identically (with the understanding that the latter acts on the registers labeled by $\mathbf x$). In particular, they have the same operator norm.

Example.
For a given $\mathbf x$ and $D$, as a subset of $\bar{\mathcal Y}^k$, we have

$$\mathsf{PRMG}|_{D|^{\mathbf x}} = \begin{cases} \bar{\mathcal Y}^k & \text{if } D(\bar x) = 0 \text{ for some } \bar x \notin \{x_1, \dots, x_k\} \\ \{\mathbf r \mid \exists i : r_i = 0\} & \text{else} \end{cases}$$

In words: if $D$ has a zero outside of $\mathbf x$ then $D[\mathbf x \mapsto \mathbf r]$ has a zero for any $\mathbf r \in \bar{\mathcal Y}^k$; otherwise, $D[\mathbf x \mapsto \mathbf r]$ has a zero if and only if one of the coordinates of $\mathbf r$ is zero.

Lemma 5.4.
For any two properties $\mathsf P$ and $\mathsf P'$, and for any state $|\phi\rangle$,

$$\|\mathsf P'\, c\mathcal O\, |\phi\rangle\| \le \|\mathsf P|\phi\rangle\| + \max_{\mathbf x, \hat{\mathbf y}} \|\mathsf P'\, c\mathcal O_{\mathbf x, \hat{\mathbf y}}\, (I - \mathsf P)\| \le \|\mathsf P|\phi\rangle\| + \max_{\mathbf x, \hat{\mathbf y}, D} \|\mathsf P'|_{D|^{\mathbf x}}\, c\mathcal O_{\mathbf x\hat{\mathbf y}}\, (I - \mathsf P|_{D|^{\mathbf x}})\|.$$

Proof.
First, we see that

$$\|\mathsf P'\, c\mathcal O\, |\phi\rangle\| \le \|\mathsf P'\, c\mathcal O\, \mathsf P\, |\phi\rangle\| + \|\mathsf P'\, c\mathcal O\, (I - \mathsf P)\, |\phi\rangle\| \le \|\mathsf P|\phi\rangle\| + \|\mathsf P'\, c\mathcal O\, (I - \mathsf P)\, |\phi\rangle\|.$$

Then, we note that

$$\|\mathsf P'\, c\mathcal O\, (I - \mathsf P)\, |\phi\rangle\| \le \|\mathsf P'\, c\mathcal O\, (I - \mathsf P)\| \le \max_{\mathbf x, \hat{\mathbf y}} \|\mathsf P'\, c\mathcal O_{\mathbf x\hat{\mathbf y}}\, (I - \mathsf P)\|,$$

where the first inequality is by definition of the operator norm, and for the second we observe that $\mathsf P'\, c\mathcal O\, (I - \mathsf P)$ maps $|\mathbf x\rangle|\hat{\mathbf y}\rangle \otimes |\Gamma\rangle$ to $|\mathbf x\rangle|\hat{\mathbf y}\rangle \otimes \mathsf P'\, c\mathcal O_{\mathbf x\hat{\mathbf y}}\, (I - \mathsf P)\, |\Gamma\rangle$, and so the latter inequality holds by basic properties of the operator norm.

For any fixed $D$, consider the subspace of $\mathbb C[\mathfrak D]$ spanned by $|D[\mathbf x \mapsto \mathbf r]\rangle$ with $\mathbf r \in \bar{\mathcal Y}^k$. On this subspace, $\mathsf P$ and $\mathsf P|_{D|^{\mathbf x}}$ are identical projections (and similarly for $I - \mathsf P$ and $\mathsf P'$). Also, $c\mathcal O_{\mathbf x\hat{\mathbf y}}$ is a unitary on this subspace. The claim then again follows by basic properties of the operator norm.

We typically think of $\mathsf P|_{D|^{\mathbf x}}$ as a property of the functions $D'$ in $D|^{\mathbf x}$.

Definition 5.5 (Quantum transition capacity). Let $\mathsf P, \mathsf P'$ be two database properties. Then, the quantum transition capacity (of order $k$) is defined as

$$\big\llbracket \neg\mathsf P \xrightarrow{k} \mathsf P' \big\rrbracket := \max_{\mathbf x, \hat{\mathbf y}, D} \|\mathsf P'|_{D|^{\mathbf x}}\, c\mathcal O_{\mathbf x\hat{\mathbf y}}\, (I - \mathsf P|_{D|^{\mathbf x}})\|.$$

More generally,

$$\big\llbracket \neg\mathsf P \xRightarrow{k, q} \mathsf P' \big\rrbracket := \min_{\substack{\mathsf P_0, \dots, \mathsf P_q \\ \mathsf P_0 = \mathsf P,\ \mathsf P_q = \mathsf P'}} \sum_{s = 1}^q \big\llbracket \neg\mathsf P_{s-1} \xrightarrow{k} \mathsf P_s \big\rrbracket.$$

The intuition behind the notation is that $\llbracket \neg\mathsf P \to \mathsf P' \rrbracket$ represents a measure of how likely it is that, as a result of a query (or several queries), a compressed database $D \in \mathfrak D$ that does not satisfy $\mathsf P$ turns into a database $D'$ that satisfies $\mathsf P'$.
We also use natural variations of this notation, like $\llbracket \boldsymbol\perp \to \mathsf P' \rrbracket$, which captures how likely it is that the initial all-$\perp$ database turns into a database that satisfies $\mathsf P'$, or $\llbracket \mathsf Q \setminus \mathsf P \to \mathsf P' \rrbracket$, which captures how likely it is that a database that satisfies $\mathsf Q$ but not $\mathsf P$ turns into a database that satisfies $\mathsf P'$. We also write $\neg\mathsf P \to \mathsf P'$ and refer to this as a database transition when considering two database properties $\mathsf P$ and $\mathsf P'$, and similarly with the above variations.

Theorem 5.6.
Let $R$ be a relation, and let $\mathcal A$ be a $k$-parallel $q$-query quantum oracle algorithm, both as in Corollary 4.2. Consider the database property

$$\mathsf P_R = \big\{D \in \mathfrak D \mid \exists\, \mathbf x \in \mathcal X^\ell : \big(\mathbf x, D(\mathbf x)\big) \in R\big\}$$

induced by $R$. Then,

$$\sqrt p \le \big\llbracket \boldsymbol\perp \xRightarrow{k, q} \mathsf P_R \big\rrbracket + \sqrt{\frac{\ell}{M}}, \quad\text{i.e.,}\quad \sqrt p \le \min_{\substack{\mathsf P_0, \dots, \mathsf P_q \\ \boldsymbol\perp \notin \mathsf P_0,\ \mathsf P_q = \mathsf P_R}} \sum_{s = 1}^q \big\llbracket \neg\mathsf P_{s-1} \xrightarrow{k} \mathsf P_s \big\rrbracket + \sqrt{\frac{\ell}{M}}.$$

Remark 5.7.
This result implies that in order to bound $p$, it is sufficient to find a sequence $\boldsymbol\perp \notin \mathsf P_0, \dots, \mathsf P_q = \mathsf P_R$ of properties for which all quantum transition capacities $\llbracket \neg\mathsf P_{s-1} \to \mathsf P_s \rrbracket$ are small. Often, it is good to keep track of the (growing but bounded) size of the database and instead bound the capacities

$$\big\llbracket \mathsf{SZ}_{\le k(s-1)} \setminus \mathsf P_{s-1} \to \mathsf P_s \big\rrbracket = \big\llbracket \mathsf{SZ}_{\le k(s-1)} \setminus \mathsf P_{s-1} \to \mathsf P_s \cup \neg\mathsf{SZ}_{\le ks} \big\rrbracket,$$

where the equality is due to the fact that the size of a database cannot grow by more than $k$ with one $k$-parallel query. Formally, we would then instantiate the min in the definition of $\llbracket \boldsymbol\perp \xRightarrow{k, q} \mathsf P_R \rrbracket$ with $\mathsf P'_s = \neg(\mathsf{SZ}_{\le ks} \setminus \mathsf P_s) = \mathsf P_s \cup \neg\mathsf{SZ}_{\le ks}$.

Proof (of Theorem 5.6).
Let $\mathsf P_0, \dots, \mathsf P_q$ achieve the minimum in the definition of $\llbracket \boldsymbol\perp \xRightarrow{k, q} \mathsf P_R \rrbracket$. Applying Lemma 5.4 to $|\phi\rangle = |\phi_q\rangle$, the state produced by $\mathcal A$ after $q$ queries, and to $\mathsf P' = \mathsf P_q$ and $\mathsf P = \mathsf P_{q-1}$, and applying induction (and using, for the base case, that $\|\mathsf P_0|\phi_0\rangle\| = 0$), we obtain that

$$\|\mathsf P_q|\phi_q\rangle\| \le \sum_{i = 1}^q \big\llbracket \neg\mathsf P_{i-1} \xrightarrow{k} \mathsf P_i \big\rrbracket + \sqrt{\frac{\ell}{M}}.$$

Further note that $\|\mathsf P_q|\phi_q\rangle\| = \|\mathsf P_R|\phi_q\rangle\|$, which equals the square root of the probability that there exists $\mathbf x$ so that $(\mathbf x, D(\mathbf x)) \in R$, with $D$ obtained as in Corollary 4.2. Thus, the same upper bound applies to the probability that the $\mathbf x$ output by $\mathcal A$ satisfies $(\mathbf x, D(\mathbf x)) \in R$. The claim then follows from Corollary 4.2.

In the following section, we offer techniques to bound the quantum transition capacities (in certain cases) using purely classical reasoning. In connection with Theorem 5.6, this then allows us to prove lower bounds on the quantum query complexity (for certain computational problems in the random oracle model) using purely classical reasoning.

5.2 Bounding Quantum Transition Capacities Using Classical Reasoning Only

The general idea is to “recognize” a database transition $\neg\mathsf P \to \mathsf P'$ in terms of local properties $\mathsf L$, for which the truth value $\mathsf L(D)$ only depends on the function value $D(x)$ at one single point $x$ (or at a few points), and then to exploit that the behavior of the compressed oracle at a single point $x$ is explicitly given by Lemma 4.3. In the following two sections, we consider two possible ways to do this, but first we provide the formal definition of local properties.

Definition 5.8.
A database property $\mathsf L \subseteq \mathfrak D$ is $\ell$-local if $\exists\, \mathbf x = (x_1, \dots, x_\ell) \in \mathcal X^\ell$ so that
1. the truth value of $\mathsf L(D)$ is uniquely determined by $D(\mathbf x)$, and
2. if $D \in \mathsf L \wedge \exists\, i \in \{1, \dots, \ell\} : D(x_i) = \perp$ then $D[x_i \mapsto r_i] \in \mathsf L$ for all $r_i \in \mathcal Y$.
The set $\{x_1, \dots, x_\ell\}$ is then called the support of $\mathsf L$, and denoted by $\mathrm{Supp}(\mathsf L)$.

Remark 5.9.
We observe that, as defined above, the support of an $\ell$-local property is not necessarily uniquely defined: if $\ell$ is not minimal with the required property then there are different choices. A natural way to have a unique definition for $\mathrm{Supp}(\mathsf L)$ is to require it to have minimal size. For us, it will be more convenient to instead consider the choice of the support to be part of the specification of $\mathsf L$. Furthermore, we then declare that $\mathrm{Supp}(\mathsf L \cup \mathsf M) = \mathrm{Supp}(\mathsf L) \cup \mathrm{Supp}(\mathsf M)$, and $\mathrm{Supp}(\mathsf L|_{D|^{\mathbf x}}) = \mathrm{Supp}(\mathsf L) \cap \{x_1, \dots, x_k\}$ for any $D \in \mathfrak D$ and $\mathbf x = (x_1, \dots, x_k)$.

Remark 5.10.
Condition 2 captures that $\perp$ is a dummy symbol with no more “value” than any other $r \in \mathcal Y$. For example, for any database property $\mathsf P$, and for any $\mathbf x = (x_1, \dots, x_\ell)$ and $D$, the property $\mathsf P|_{D|^{\mathbf x}}$ satisfies requirement 1. of Definition 5.8. In line with this, Remark 5.3 applies here as well: we may identify an $\ell$-local property $\mathsf L$ with a subset of $\bar{\mathcal Y}^\ell$.

Definition 5.11. A database transition $\neg\mathsf P \to \mathsf P'$ is said to be (uniformly) strongly recognizable by $\ell$-local properties if there exists a family of $\ell$-local properties $\{\mathsf L_i\}_i$ so that

$$\mathsf P' \subseteq \bigcup_i \mathsf L_i \subseteq \mathsf P. \qquad (9)$$

We also consider the following weaker but somewhat more intricate version.

Definition 5.12.
A database transition $\neg\mathsf P \to \mathsf P'$ is said to be $k$-non-uniformly strongly recognizable by $\ell$-local properties if for every $\mathbf x = (x_1, \dots, x_k) \in \mathcal X^k$ with distinct entries, and for every $D \in \mathfrak D$, there exists a family $\{\mathsf L^{\mathbf x, D}_i\}_i$ of $\ell$-local properties $\mathsf L^{\mathbf x, D}_i$ with supports in $\{x_1, \dots, x_k\}$ so that

$$\mathsf P'|_{D|^{\mathbf x}} \subseteq \bigcup_i \mathsf L^{\mathbf x, D}_i \subseteq \mathsf P|_{D|^{\mathbf x}}. \qquad (10)$$

It is easiest to think about these definitions for the case $\mathsf P = \mathsf P'$, where (9) and (10) become equalities. Requirement (9) then means that for $D$ to satisfy $\mathsf P$ it is necessary and sufficient that $D$ satisfies one of the local properties.

Remark 5.13.
In the above definitions, as long as the support size remains bounded by $\ell$, one can always replace two properties by their union without affecting (9), respectively (10). Thus, we may, and by default do, assume the $\mathsf L_i$'s to have distinct supports in Definition 5.11, and the same for the $\mathsf L^{\mathbf x, D}_i$'s for every $\mathbf x$ and $D$ in Definition 5.12.

Remark 5.14.
It is easy to see that Definition 5.11 implies Definition 5.12 with $\mathsf L^{\mathbf x, D}_i := \mathsf L_i|_{D|^{\mathbf x}}$. E.g., we may consider the constant-true property $\mathsf L$ with support $\mathrm{Supp}(\mathsf L) = \emptyset$, in which case it is $\ell$-local for any $\ell \ge 0$, or we may consider the same constant-true property $\mathsf L$ but now with the support set to $\mathrm{Supp}(\mathsf L) = \{x^\circ\}$ for some $x^\circ \in \mathcal X$, which then is $\ell$-local for $\ell \ge 1$.

Footnote: The above mentioned alternative approach would give $\subseteq$.

Theorem 5.15. Let $\neg\mathsf P \to \mathsf P'$ be $k$-non-uniformly strongly recognizable by 1-local properties $\{\mathsf L^{\mathbf x, D}_1, \dots, \mathsf L^{\mathbf x, D}_k\}$, where, without loss of generality, the support of $\mathsf L^{\mathbf x, D}_i$ is $\{x_i\}$. Then

$$\big\llbracket \neg\mathsf P \xrightarrow{k} \mathsf P' \big\rrbracket \le \max_{\mathbf x, D} \sqrt{\sum_i P\big[U \in \mathsf L^{\mathbf x, D}_i\big]}$$

with the convention that $P[U \in \mathsf L^{\mathbf x, D}_i] = 0$ if $\mathsf L^{\mathbf x, D}_i$ is trivial (i.e., constant true or false).

Before doing the proof, let us show how the above can be used to bound the probability of finding a 0-preimage.

Example. $\mathsf P' = \mathsf P = \mathsf{PRMG}$ is uniformly strongly recognized by the 1-local properties $\mathsf L_x = \{D \mid D(x) = 0\}$. Furthermore, as a subset of $\bar{\mathcal Y}$, the property $\mathsf L^{\mathbf x, D}_x := \mathsf L_x|_{D|^{\mathbf x}}$ is either $\{0\}$ or trivial. In the non-trivial case, we obviously have $P[U \in \mathsf L^{\mathbf x, D}_i] = P[U = 0] = 1/M$. It then follows from Theorem 5.15 that

$$\big\llbracket \neg\mathsf{PRMG} \xrightarrow{k} \mathsf{PRMG} \big\rrbracket \le \sqrt{\frac{k}{M}},$$

and thus from Theorem 5.6, setting $\mathsf P_i = \mathsf{PRMG}$ for all $i$, that the probability $p$ of any $k$-parallel $q$-query algorithm outputting a 0-preimage $x$ is bounded by

$$p \le \Big(q\sqrt{\frac{k}{M}} + \frac{1}{\sqrt M}\Big)^2 = O\Big(\frac{kq^2}{M}\Big).$$

Proof (of Theorem 5.15).
Consider arbitrary $\mathbf x$ and $D$. To simplify notation, we then write $\mathsf L_i$ for $\mathsf L^{\mathbf x, D}_i$. We introduce the properties $\mathsf M_i := \mathsf L_i \setminus \big(\bigcup_{j} \cdots$
A database transition $\mathsf P \to \mathsf P'$ is said to be $k$-non-uniformly weakly recognizable by $\ell$-local properties if for every $\mathbf x = (x_1, \dots, x_k) \in \mathcal X^k$ with distinct entries, and for every $D \in \mathfrak D$, there exists a family of $\ell$-local properties $\{\mathsf L^{\mathbf x, D}_i\}_i$ with supports in $\{x_1, \dots, x_k\}$ so that

$$D^\circ \in \mathsf P|_{D|^{\mathbf x}} \ \wedge\ D' \in \mathsf P'|_{D|^{\mathbf x}} \ \Longrightarrow\ \exists\, i : D' \in \mathsf L^{\mathbf x, D}_i \ \wedge\ \big(\exists\, x \in \mathrm{Supp}(\mathsf L^{\mathbf x, D}_i) : D^\circ(x) \ne D'(x)\big). \qquad (11)$$

Remark 5.18.
Viewing $\mathsf L^{\mathbf x, D}_i$ as a subset of $\bar{\mathcal Y}^k$, and its support $\mathrm{Supp}(\mathsf L^{\mathbf x, D}_i) = \{x_{i_1}, \dots, x_{i_\ell}\}$ then as the subset $\{i_1, \dots, i_\ell\}$ of $\{1, \dots, k\}$, (11) can equivalently be written as follows, which is in line with Lemma 2.1 (where $\mathrm{Supp}(\mathsf L^{\mathbf x, D}_i) = \{i\}$):

$$D[\mathbf x \mapsto \mathbf r] \in \mathsf P \ \wedge\ D[\mathbf x \mapsto \mathbf u] \in \mathsf P' \ \Longrightarrow\ \exists\, i : \mathbf u \in \mathsf L^{\mathbf x, D}_i \ \wedge\ \big(\exists\, j \in \mathrm{Supp}(\mathsf L^{\mathbf x, D}_i) : r_j \ne u_j\big).$$

Example.
Consider

$$\mathsf{CHN}_q = \{D \mid \exists x_0, x_1, \dots, x_q \in \mathcal X : D(x_{i-1}) \lhd x_i\ \forall i\}$$

for an arbitrary positive integer $q$. For any $\mathbf x$ and $D$, we let $\mathsf L_i = \mathsf L^{\mathbf x, D}_i$ be the 1-local property that has support $\{x_i\}$ and, as a subset of $\bar{\mathcal Y}$, is defined as in (4), i.e., so that $u \in \mathsf L_i$ if and only if $u \lhd x$ for some $x$ with $D(x) \ne \perp$ or $x \in \{x_1, \dots, x_k\}$. Lemma 2.1 from the classical analysis shows that condition (11) is satisfied for the database transition $\neg\mathsf{CHN}_q \to \mathsf{CHN}_{q+1}$. This in particular implies that (11) is satisfied for the database transition $\mathsf{SZ}_{\le k(q-1)} \setminus \mathsf{CHN}_q \to \mathsf{CHN}_{q+1}$; in this latter case however, whenever $D$ is not in $\mathsf{SZ}_{\le kq}$, which then means that the left hand side of (11) is never satisfied, we may simply pick the constant-false property as the family of local properties satisfying (11).

Theorem 5.19.
Let $P \to P'$ be $k$-non-uniformly weakly recognizable by $1$-local properties $L^{\mathbf{x},D}_i$, where the support of $L^{\mathbf{x},D}_i$ is $\{x_i\}$ or empty. Then
$$\llbracket P \xrightarrow{k} P' \rrbracket \le \max_{\mathbf{x},D}\; e \sum_i \sqrt{P\big[U \in L^{\mathbf{x},D}_i\big]}\,,$$
where $e$ is Euler's number. Example.
In the above example regarding $\mathsf{CHN}_q$ with the considered $L_i$'s, for $D \in \mathsf{SZ}^{\le kq}$, as in the derivation of the classical bound in Section 2.3, it holds that $P[U \in L_i] \le kqT/M$, where $T$ denotes the maximal number of $y \in \mathcal{Y}$ with $y \triangleleft x$ (for any $x$). Thus,
$$\llbracket \mathsf{SZ}^{\le k(q-1)} \setminus \mathsf{CHN}_q \xrightarrow{k} \mathsf{CHN}_{q+1} \rrbracket \le ek\sqrt{\frac{kqT}{M}}\,,$$
and applying Theorem 5.6 (and the subsequent remark) to the database transitions $\mathsf{SZ}^{\le k(s-1)} \setminus \mathsf{CHN}_s \to \mathsf{CHN}_{s+1}$ for $s = 1, \dots, q$, we obtain the following bound, which we state as a theorem here given that this is a new bound. Theorem 5.20.
Let (cid:47) be a relation over Y and X . The probability p of any k -parallel q -query oracle algorithm A outputting x , x , . . . , x q +1 ∈ X with the property that H ( x i ) (cid:47) x i +1 for all i ∈ { , . . . , q } is bounded by p ≤ (cid:18) qk (cid:114) qkTM e + (cid:114) q + 2 M (cid:19) = O (cid:18) q k TM (cid:19) , where T := max x |{ y ∈ Y | y (cid:47) x }| , and M is the size of the range Y of H : X → Y . We point out that this is thanks to our convention on the definition of the support, as discussed in Remark 5.9. Unlike Theorem 5.15, here is no convention that P (cid:2) U ∈ L x ,Di (cid:3) = 0 if L x ,Di is constant-true. This has little relevance since L x ,Di beingconstant-true can typically be avoided via Remark 5.13. For D (cid:54)∈ SZ ≤ kq we get the trivial bound since we may then choose L i to be constant false. roof (of Theorem 5.19). We consider fixed choices of x and D , and we then write L i for L x ,Di . For arbitrary butfixed ˆ y , we introduce A i := (cid:88) ui,ri s.t. ui ∈ L i ∧ ri (cid:54) = ui | u i (cid:105)(cid:104) u i | cO x i ˆ y i | r i (cid:105)(cid:104) r i | and B i := cO x i ˆ y i − A i = (cid:88) ui,ri s.t. ui (cid:54)∈ L i ∨ ri = ui | u i (cid:105)(cid:104) u i | cO x i y i | r i (cid:105)(cid:104) r i | and observe that, taking it as understood that the operators cO x ˆ y , . . . , cO x k ˆ y k act on different subsystems, cO x ˆ y = k (cid:89) j =1 cO x j ˆ y j = k − (cid:89) j =1 cO x j ˆ y j A k + k − (cid:89) j =1 cO x j ˆ y j B k = k − (cid:89) j =1 cO x j ˆ y j A k + k − (cid:89) j =1 cO x j ˆ y j A k − B k + k − (cid:89) j =1 cO x j ˆ y j B k − B k = · · · = k (cid:88) i =0 (cid:18) (cid:89) j
Let $P \to P'$ be a database transition that is uniformly strongly recognizable by $\ell$-local properties $L_t$. Then
$$\llbracket P \xrightarrow{k} P' \rrbracket \le \max_{\mathbf{x},D}\; e\ell \sqrt{\sum_t \max_{x \in \mathrm{Supp}(L_t)} P\big[U \in L_t|_{D|^{x}}\big]}\,,$$
with the convention that $P[U \in L_t|_{D|^{x}}]$ vanishes if $L_t|_{D|^{x}}$ is trivial. Example.
Consider CL = { D | ∃ x, x (cid:48) : D ( x ) = D ( x (cid:48) ) (cid:54) = ⊥} . For any D ∈ D and x = ( x , . . . , x k ) , consider thefamily of -local properties consisting of CL i,j := { D ◦ ∈ D | x | D ◦ ( x i ) = D ◦ ( x j ) (cid:54) = ⊥} and CL i := { D ◦ ∈ D | x | ∃ ¯ x (cid:54)∈ { x , . . . , x k } : D ◦ ( x i ) = D (¯ x ) (cid:54) = ⊥} for i (cid:54) = j ∈ { , . . . , k } , with respective supports { x i , x j } and { x i } . Note that these local properties depend on x butwork uniformly for any choice of D .It is easy to see that this family of -local properties satisfies (10) for the database transition ¬ CL → CL . Indeed,if D and D (cid:48) are identical outside of x , and D has no collision while D (cid:48) has one, then D (cid:48) ’s collision must be for x i , x j inside x , or for one x i inside and one ¯ x outside. As an immediate consequence, the family also satisfies (10) for thedatabase transition ( SZ ≤ ks \ CL ) → CL . In this case though, whenever D (cid:54)∈ SZ ≤ k ( s +1) the left hand side of (10) isnever satisfied and so we may replace the family of local properties to consist of (only) the constant-false property.Consider x = ( x , . . . , x k ) and D ∈ SZ ≤ k ( s +1) with s ≤ q . Then, for i (cid:54) = j , as subsets of ¯ Y we have that CL i,j | D (cid:48) | xi = { D (cid:48) ( x j ) } and CL i | D (cid:48) | xi = { D (cid:48) (¯ x ) | ¯ x (cid:54)∈ { x , . . . , x k } : D (cid:48) (¯ x ) (cid:54) = ⊥} for any D (cid:48) ∈ D | ( x i ,x j ) and D (cid:48) ∈ D | x i , respectively, and therefore P (cid:2) U ∈ CL i,j | D (cid:48) | xi (cid:3) = 1 M and P (cid:2) U ∈ CL i | D (cid:48) | xi (cid:3) ≤ kqM . So, by Theorem 5.21, (cid:113) SZ ≤ ks \ CL k → CL (cid:121) ≤ e (cid:115) (cid:18) k M + k qM (cid:19) = 2 ek (cid:114) q + 1 M and hence, by Theorem 5.6, we obtain the following bound. Theorem 5.23.
The probability p of any k -parallel q -query algorithm outputting a collision is bounded by p ≤ (cid:18) qek (cid:114) q + 1 M + 2 √ M (cid:19) = O (cid:18) k q M (cid:19) . roof (of Theorem 5.21) . We now consider an arbitrary but fixed choice of t and write L for L t . We write { x , . . . , x (cid:96) } for its support and set x (cid:48) := ( x , . . . , x (cid:96) ) . In order to control (cid:107) L cO x (cid:48) ˆ y (cid:48) ( I − L ) (cid:107) , we use a similar technique as in theproof of Theorem 5.19. For any x i ∈ Supp ( L ) , we set A i := L cO x i ˆ y i ( I − L ) and B i := cO x i ˆ y i − A i . By means of the same generic manipulations as in the proof of Theorem 5.19, we have cO x (cid:48) ˆ y (cid:48) = (cid:96) (cid:89) i =1 cO x i ˆ y i = (cid:96) (cid:88) i =0 (cid:18) (cid:89) j<(cid:96) − i cO x j ˆ y j (cid:19) A (cid:96) − i (cid:18) (cid:89) j>(cid:96) − i B j (cid:19) with the convention that A = I . Furthermore, using B i ( I − L t ) = ( I − L t ) cO x λi ˆ y λi ( I − L t ) , we see that L t (cid:18) (cid:89) j> B j (cid:19) ( I − L t ) = 0 . As a consequence, verbatim as in the proof of Theorem 5.19, we obtain (cid:107)
L cO x (cid:48) ˆ y (cid:48) ( I − L ) (cid:107) ≤ (cid:96) − (cid:88) i =0 (cid:16) (cid:107) A (cid:96) − i (cid:107) (cid:89) j>(cid:96) − i (cid:107) B j (cid:107) (cid:17) ≤ (cid:96) (cid:88) i =1 (cid:107) A i (cid:107) e . Furthermore, for any D (cid:48) ∈ D | x and i ∈ { , . . . , (cid:96) } , on the subspace spanned by D (cid:48) | x i , the map A i acts identically to L | D (cid:48) | xi cO x i ˆ y i ( I − L | D (cid:48) | xi ) , and thus, by basic properties of the operator norm, the norm of A i equals the largest normof these restrictions: (cid:107) A i (cid:107) ≤ (cid:13)(cid:13) L | D (cid:48) | xi cO x λi ˆ y i ( I − L | D (cid:48) | xi ) (cid:13)(cid:13) . Bounding the operator norm by the Frobenius norm, we then obtain (cid:107) A i (cid:107) ≤ (cid:88) r (cid:54)∈ L | D (cid:48)| xiu ∈ L | D (cid:48)| xi |(cid:104) u | cO x i ˆ y i | r (cid:105)| ≤ (cid:88) r ˜ P [ r (cid:54) = U ∈ L | D (cid:48) | xi | r, y i ] ≤ P (cid:2) U ∈ L | D (cid:48) | xi (cid:3) . where the last inequality is due to (8), with the additional observation that if ⊥ ∈ L i then, by condition 2 of Defini-tion 5.8, L | D (cid:48) | xi = ¯ Y , and thus the sum vanishes. As we have seen, certain “simple” lower bounds on the query complexity (respectively upper bound on the successprobability) can be obtained rather directly by bounding the quantum transition capacity by the means discussedabove. In more complex scenarios, as we will encounter in the next section, it will be convenient to first manipulate the quantum transition capacity, e.g., to decompose it into different cases that can then be analyzed individually. Wethus show some useful manipulation rules here.To start with, since cO † x ˆ y = cO x ˆ y ∗ , we note that the quantum transition capacity is symmetric: (cid:113) P k → P (cid:48) (cid:121) = (cid:113) P (cid:48) k → P (cid:121) . Therefore, the following bounds hold correspondingly also for (cid:113) P k → P (cid:48) ∩ Q (cid:121) etc. Lemma 5.24.
For any database properties $P$, $P'$ and $Q$,
$$\llbracket P \cap Q \xrightarrow{k} P' \rrbracket \le \min\big\{\llbracket P \xrightarrow{k} P' \rrbracket,\ \llbracket Q \xrightarrow{k} P' \rrbracket\big\}$$
and
$$\max\big\{\llbracket P \xrightarrow{k} P' \rrbracket,\ \llbracket Q \xrightarrow{k} P' \rrbracket\big\} \le \llbracket P \cup Q \xrightarrow{k} P' \rrbracket \le \llbracket P \xrightarrow{k} P' \rrbracket + \llbracket Q \xrightarrow{k} P' \rrbracket.$$
We point out that $L(D')$ is determined by $D'(\mathbf{x}')$; thus, we may consider $L$ as a property of functions $D' \in \mathcal{D}|^{\mathbf{x}'} \subseteq \mathcal{D}|^{\mathbf{x}}$.
In particular, we have the following intuitive rule.
Corollary 5.25. If P ⊆ Q then (cid:113) P k → P (cid:48) (cid:121) ≤ (cid:113) Q k → P (cid:48) (cid:121) and (cid:113) P (cid:48) k → P (cid:121) ≤ (cid:113) P (cid:48) k → Q (cid:121) .Proof (of Lemma 5.24). As subsets, ( P ∩ Q ) | D | x = ( P ∩ Q ) ∩ D | x = ( P ∩ D | x ) ∩ ( Q ∩ D | x ) = P | D | x ∩ Q | D | x ,and, as projections, P | D | x and Q | D | x commute, and P | D | x ∩ Q | D | x = P | D | x Q | D | x = Q | D | x P | D | x Q | D | x ≤ P | D | x andsimilarly ≤ Q | D | x . This implies that (cid:107) P (cid:48) | D | x cO x ˆ y ( P ∩ Q ) | D | x (cid:107) ≤ min (cid:8) (cid:107) P (cid:48) | D | x cO x ˆ y P | D | x (cid:107) , (cid:107) P (cid:48) | D | x cO x ˆ y Q | D | x (cid:107) (cid:9) , and thus proves the first claim. Similarly, but now using that, as projections, P | D | x , Q | D | x ≤ P | D | x ∪ Q | D | x ≤ P | D | x + Q | D | x , we obtain the second claim.In the following, we extend the definition of the quantum transition capacity as follows, which captures a restrictionof the query vector x = ( x , . . . , x k ) to entries x i in X ⊆ X . (cid:113) P k → P (cid:48) (cid:12)(cid:12) X (cid:121) := max x ∈ Xk ˆ y ,D (cid:107) P (cid:48) | D | x cO x ˆ y P | D | x (cid:107) . (12)where the max is restricted to x ∈ X k . Obviously, (cid:113) P k → P (cid:48) (cid:121) = (cid:113) P k → P (cid:48) (cid:12)(cid:12) X (cid:121) . Lemma 5.26.
Let X = X (cid:48) ∪ X (cid:48)(cid:48) ⊆ X and k = k (cid:48) + k (cid:48)(cid:48) . Furthermore, let P , P (cid:48) , P (cid:48)(cid:48) and Q be database properties.Then (cid:113) P k → P (cid:48)(cid:48) (cid:12)(cid:12) X (cid:121) ≤ (cid:113) P k → P (cid:48)(cid:48) \ Q (cid:12)(cid:12) X (cid:121) + (cid:113) P k → Q ∩ P (cid:48)(cid:48) (cid:12)(cid:12) X (cid:121) , (13) where furthermore (cid:113) P k → Q ∩ P (cid:48)(cid:48) (cid:12)(cid:12) X (cid:121) ≤ (cid:113) P k (cid:48) → ¬ Q (cid:12)(cid:12) X (cid:121) + (cid:113) P k (cid:48) → Q ∩ P (cid:48) (cid:12)(cid:12) X (cid:121) + (cid:113) Q \ P (cid:48) k (cid:48)(cid:48) → Q ∩ P (cid:48)(cid:48) (cid:12)(cid:12) X (cid:121) (14) as well as (cid:113) P k → Q ∩ P (cid:48)(cid:48) (cid:12)(cid:12) X (cid:121) ≤ (cid:113) P k → ¬ Q (cid:12)(cid:12) X (cid:48) (cid:121) + (cid:113) P k → Q ∩ P (cid:48) (cid:12)(cid:12) X (cid:48) (cid:121) + (cid:113) Q \ P (cid:48) k → Q ∩ P (cid:48)(cid:48) (cid:12)(cid:12) X (cid:48)(cid:48) (cid:121) . (15) Proof.
The first inequality follows immediately from Lemma 5.24, using that $(P'' \setminus Q) \cup (Q \cap P'') = P''$. For the other two, let $\mathbf{x} \in X^k$, $\hat{\mathbf{y}} \in \hat{\mathcal{Y}}^k$, $D \in \mathcal{D}$ be the choices that achieve the maximal value in the definition of $\llbracket P \xrightarrow{k} Q \cap P'' \,|\, X \rrbracket$. We may assume without loss of generality that $\mathbf{x}$ consists of pairwise distinct entries. For proving the first inequality, we split up $\mathbf{x}$ into $(\mathbf{x}', \mathbf{x}'') \in X^{k'} \times X^{k''}$, and correspondingly then for $\hat{\mathbf{y}} \in \hat{\mathcal{Y}}^k$. For proving the second inequality, we let $\mathbf{x}'$ consist of all coordinates of $\mathbf{x}$ that lie in $X'$, and we let $\mathbf{x}''$ consist of all coordinates of $\mathbf{x}$ that lie in $X''$ but not in $X'$, and $\hat{\mathbf{y}}'$ and $\hat{\mathbf{y}}''$ consist of the corresponding coordinates of $\hat{\mathbf{y}}$; in this case, $(\mathbf{x}', \mathbf{x}'') \in X'^{\ell'} \times X''^{\ell''}$ with $\ell' + \ell'' = k$.
In both cases, we have cO x ˆ y = cO x (cid:48) ˆ y (cid:48) cO x (cid:48)(cid:48) ˆ y (cid:48)(cid:48) , and, writing P x for P | D | x etc., we obtain (cid:113) P k → Q ∩ P (cid:48)(cid:48) (cid:12)(cid:12) X (cid:121) = (cid:107) P (cid:48)(cid:48) x Q x cO x (cid:48)(cid:48) ˆ y (cid:48)(cid:48) cO x (cid:48) ˆ y (cid:48) P x (cid:107)≤ (cid:107) P (cid:48)(cid:48) x Q x cO x (cid:48)(cid:48) ˆ y (cid:48)(cid:48) Q x cO x (cid:48) ˆ y (cid:48) P x (cid:107) + (cid:107) ( I − Q x ) cO x (cid:48) ˆ y (cid:48) P x (cid:107)≤ (cid:107) P (cid:48) x Q x cO x (cid:48) ˆ y (cid:48) P x (cid:107) + (cid:107) P (cid:48)(cid:48) x Q x cO x (cid:48)(cid:48) ˆ y (cid:48)(cid:48) ( I − P (cid:48) x ) Q x (cid:107) + (cid:107) ( I − Q x ) cO x (cid:48) ˆ y (cid:48) P x (cid:107)≤ (cid:107) P (cid:48) x (cid:48) Q x (cid:48) cO x (cid:48) ˆ y (cid:48) P x (cid:48) (cid:107) + (cid:107) P (cid:48)(cid:48) x (cid:48)(cid:48) Q x (cid:48)(cid:48) cO x (cid:48)(cid:48) ˆ y (cid:48)(cid:48) ( I − P (cid:48) x (cid:48)(cid:48) ) Q x (cid:48)(cid:48) (cid:107) + (cid:107) ( I − Q x (cid:48) ) cO x (cid:48) ˆ y (cid:48) P x (cid:48) (cid:107) , where the last equality follows from basic properties of the operator norm. The first of the two remaining bounds isnow obtained by maximizing the individual terms on the right hand side over x (cid:48) ∈ X k (cid:48) and x (cid:48)(cid:48) ∈ X k (cid:48)(cid:48) (as well asover ˆ y (cid:48) , ˆ y (cid:48)(cid:48) and D ). For the other case, we maximize over x (cid:48) ∈ X (cid:48) (cid:96) (cid:48) and x (cid:48)(cid:48) ∈ X (cid:48)(cid:48) (cid:96) (cid:48)(cid:48) and exploit that, for instance, (cid:113) P (cid:96) (cid:48) → ¬ Q (cid:12)(cid:12) X (cid:48) (cid:121) ≤ (cid:113) P k → ¬ Q (cid:12)(cid:12) X (cid:48) (cid:121) , given that (cid:96) (cid:48) ≤ k .By recursive application of Lemma 5.26, we obtain the following.22 orollary 5.27 (Parallel Conditioning) . Let X = X ∪ . . . ∪ X h ⊆ X and k = k + · · · + k h , and let P , P , . 
. . , P h and ¬ P ⊆ Q be database properties. Then (cid:113) ¬ P k → P h (cid:12)(cid:12) X (cid:121) ≤ h (cid:88) i =1 (cid:113) ¬ P k i → ¬ Q (cid:12)(cid:12) X (cid:121) + h (cid:88) i =1 (cid:113) Q \ P i − k i → Q ∩ P i (cid:12)(cid:12) X (cid:121) and (cid:113) ¬ P k → P h (cid:12)(cid:12) X (cid:121) ≤ h (cid:88) i =1 (cid:113) ¬ P k → ¬ Q (cid:12)(cid:12) ¯ X i (cid:121) + h (cid:88) i =1 (cid:113) Q \ P i − k → Q ∩ P i (cid:12)(cid:12) X i (cid:121) , where ¯ k i = k + · · · + k i and ¯ X i = X ∪ . . . ∪ X i .Proof. Applying (13) and (14) with P := ¬ P , P (cid:48) := P h − and P (cid:48)(cid:48) := P h , and omitting the “conditioning” on X forsimplicity, we get (cid:113) ¬ P k → P h (cid:121) ≤ (cid:113) ¬ P k → ¬ Q (cid:121) + (cid:113) ¬ P k h − −→ ¬ Q (cid:121) + (cid:113) ¬ P k h − −→ Q ∩ P h − (cid:121) + (cid:113) Q \ P h − k h −→ Q ∩ P h (cid:121) . Recursively applying (14) to (cid:113) ¬ P k h − −→ Q ∩ P h − (cid:121) gives the first claim. The second is argued correspondingly.The quantum transition capacity with restricted input , defined in (12), is just the original definition of the quantumtransition capacity (Definition 5.5) but with the considered set X replaced by X . As a consequence, properties for (cid:113) P → P (cid:48) (cid:121) carry over to (cid:113) P → P (cid:48) (cid:12)(cid:12) X (cid:121) . For instance, it is still symmetric, and Lemma 5.24 carries over to (cid:113) P ∩ Q k → P (cid:48) (cid:12)(cid:12) X (cid:121) ≤ min (cid:8) (cid:113) P k → P (cid:48) (cid:12)(cid:12) X (cid:121) , (cid:113) Q k → P (cid:48) (cid:12)(cid:12) X (cid:121) (cid:9) etc. For completeness we spell out here the definition of non-uniform recognizability as well as Theorem 5.19 for suchinput-restricted database transitions P → P (cid:48) | X (the other types of recognizability can be generalized similarly). Definition 5.28.
A database transition $P \to P'$ with input restricted to $X \subseteq \mathcal{X}$ is said to be $k$-non-uniformly weakly recognizable by $\ell$-local properties if for every $\mathbf{x} = (x_1, \dots, x_k) \in X^k$ with disjoint entries, and for every $D \in \mathcal{D}$, there exists a family of $\ell$-local properties $\{L^{\mathbf{x},D}_i\}_i$ with supports in $\{x_1, \dots, x_k\}$ so that
$$D_\circ \in P|_{D|^{\mathbf{x}}} \wedge D' \in P'|_{D|^{\mathbf{x}}} \implies \exists\, i : D' \in L^{\mathbf{x},D}_i \wedge \big(\exists\, x \in \mathrm{Supp}(L^{\mathbf{x},D}_i) : D_\circ(x) \neq D'(x)\big).$$
Theorem 5.29.
Let $P \to P'$ with input restricted to $X$ be $k$-non-uniformly weakly recognizable by $1$-local properties $L^{\mathbf{x},D}_i$, where the support of $L^{\mathbf{x},D}_i$ is $\{x_i\}$ or empty. Then
$$\llbracket P \xrightarrow{k} P' \,|\, X \rrbracket \le \max_{\mathbf{x},D}\; e \sum_i \sqrt{P\big[U \in L^{\mathbf{x},D}_i\big]}\,,$$
where the max now is over all $\mathbf{x} = (x_1, \dots, x_k) \in X^k$.

In this section, we prove post-quantum security of the proof of sequential work (PoSW) construction by Cohen and Pietrzak [9] (referred to as Simple PoSW) using the framework developed in the last section. As a matter of fact, we directly analyze the non-interactive variant of their construction after applying the Fiat-Shamir transformation [11]. As we shall see, the proof is by means of purely classical reasoning, recycling observations that are relevant for arguing classical security and combining them with results provided by our framework.
For readers not familiar with PoSW, we review the definition in Appendix B. Typically, underlying the construction of a PoSW is a directed acyclic graph (DAG) $G$ with certain "depth-robust" properties, and a graph labelling that the prover $\mathsf{P}$ is required to compute using a hash function $H$. We proceed to describe the DAG used in Simple PoSW and the graph labelling.

Simple PoSW DAG and Graph Labelling. Let $n \in \mathbb{N}$ and $N = 2^{n+1} - 1$. Consider the (directed) complete binary tree $B_n = (V_n, E'_n)$ of depth $n$, where $V_n := \{0,1\}^{\le n}$ and $E'_n$ consists of the edges directed towards the root (black edges in Fig. 2). The Simple PoSW DAG, denoted by $G^{\mathsf{PoSW}}_n$, is obtained by adding some additional edges to $B_n$ (red edges in Fig. 2). Before giving the formal definition of $G^{\mathsf{PoSW}}_n$ (Definition 6.2), we recall some basic terminology and notation in the context of the complete binary tree $B_n$, which we will then also use in the context of $G^{\mathsf{PoSW}}_n$. Definition 6.1.
We write $\mathsf{rt} := \epsilon$ for the root, and we write $\mathsf{leaves}(V_n) := \{0,1\}^n$ for the leaves in $V_n$. For $T \subseteq V_n$, we set $\mathsf{leaves}(T) := T \cap \{0,1\}^n$. For $v \notin \mathsf{leaves}(V_n)$, let $\mathsf{left}(v) := 0\|v$ and $\mathsf{right}(v) := 1\|v$. For $b \in \{0,1\}$ and $v \in \{0,1\}$

For $n \in \mathbb{N}$, define the Simple PoSW DAG $G^{\mathsf{PoSW}}_n := (V_n, E'_n \cup E''_n)$ with vertex set $V_n$ and edges
$$E'_n := \{(\mathsf{left}(v), v), (\mathsf{right}(v), v) \mid v \in V_n \setminus \mathsf{leaves}(V_n)\}$$
and
$$E''_n := \{(\mathsf{sib}(u), v) \mid v \in V_n,\ u \in \mathsf{par}^i(v) \text{ s.t. } u = \mathsf{right}(\mathsf{par}(u))\}.$$
For $v \in V_n$, we write $\mathsf{in}(v) := \{u \in V_n \mid (u, v) \in E'_n \cup E''_n\}$ to denote the inward neighborhood of $v$. We consider a fixed ordering of the vertices (e.g. lexicographic), so that for any set $\{v_1, \dots, v_d\} \subseteq V_n$ of vertices, the corresponding ordered list $(v_1, \dots, v_d)$ is well defined.

We proceed to define the graph labelling for $G^{\mathsf{PoSW}}_n$ with respect to a hash function $H : \{0,1\}^{\le B} \to \{0,1\}^w$, where $w$ is a security parameter and $B$ is arbitrarily large (and sufficiently large for everything below to be well defined). Definition 6.3 (Graph Labelling). A function $\ell : V_n \to \{0,1\}^w$, $v \mapsto \ell_v$ is called a labelling of $G^{\mathsf{PoSW}}_n$ with respect to $H$ if
$$\ell_v = H(v, \ell_{\mathsf{in}(v)}) \qquad (16)$$
for all $v \in V_n$, where $\ell_{\mathsf{in}(v)}$ is shorthand for $(\ell_{v_1}, \dots, \ell_{v_d})$ with $\{v_1, \dots, v_d\} = \mathsf{in}(v)$. Similarly, for a subtree $T$ of $G^{\mathsf{PoSW}}_n$, a function $\ell : T \to \{0,1\}^w$, $v \mapsto \ell_v$ is called a labelling of $T$ with respect to $H$ if $\ell_v = H(v, \ell_{\mathsf{in}(v)})$ for all $v \in V_n$ for which $\mathsf{in}(v) \subseteq T$. By the structure of the graph, $G^{\mathsf{PoSW}}_n$ admits a unique labelling, which can be computed by making $N = 2^{n+1} - 1$ sequential queries to $H$, starting with the leftmost leaf.
We sometimes speak of a consistent labelling (of $G^{\mathsf{PoSW}}_n$ or $T$) when we want to emphasize the distinction from an arbitrary function $\ell$. The definition also applies when replacing the function $H$ by a database $D : \{0,1\}^{\le B} \to \{0,1\}^w \cup \{\bot\}$, where the requirement (16) then in particular means that $H(v, \ell_{\mathsf{in}(v)}) \neq \bot$. We also make the following important remark.

By a subtree of $G^{\mathsf{PoSW}}_n$ we mean a subgraph of $G^{\mathsf{PoSW}}_n$ that is a subtree of the complete binary tree $B_n$ when restricted to edges in $E'_n$. We are also a bit sloppy in not distinguishing between the graph $T$ and the vertices of $T$.

Remark 6.4. Let $T$ be a subtree of $G^{\mathsf{PoSW}}_n$ with a consistent labelling $\ell$. Then, any path $P = (v_0, \dots, v_r)$ of length $|P| = r$ in $T$ induces an $r$-chain $(x_0, \dots, x_r)$, where $x_i = (v_i, \ell_{v'_1}, \dots, \ell_{v'_d})$ with $\{v'_1, \dots, v'_d\} = \mathsf{in}(v_i)$, and where the relation $\triangleleft$ is defined as follows: $y \triangleleft x$ if and only if $x$ is of the form $(v, \ell_1, \ell_2, \dots, \ell_d)$ with $v \in V_n$, $\ell_j \in \{0,1\}^w$, $|d| = |\mathsf{in}(v)| \le n$, and $y = \ell_j$ for some $j$.

Simple PoSW Construction. We are ready to describe the (non-interactive) Simple PoSW construction, which amounts to asking the prover $\mathsf{P}$ to compute the root label of $G^{\mathsf{PoSW}}_n$ with respect to the hash function $H_\chi$ defined by $H_\chi(\cdot) := H(\chi, \cdot)$ for a random $\chi \in \{0,1\}^w$ sampled by the verifier $\mathsf{V}$, and to open the labels of the authentication paths of the challenge leaves. Specifically, given parameters $w, t$ and $N = 2^{n+1} - 1$, and a random oracle $H : \{0,1\}^{\le B} \to \{0,1\}^w$, the Simple PoSW protocol is defined as follows.
• $(\phi, \phi_{\mathsf{P}}) := \mathsf{PoSW}^H(\chi, N)$: $\mathsf{P}$ computes the unique consistent labelling $\ell$ of $G^{\mathsf{PoSW}}_n$ with respect to the hash function $H_\chi$ defined by $H_\chi(\cdot) := H(\chi, \cdot)$, and stores it in $\phi_{\mathsf{P}}$.
$\mathsf{P}$ sets $\phi = \ell_{\mathsf{rt}}$ as the root label.
• The opening challenge: $\gamma := H^{\mathsf{ChQ}}_\chi(\phi) := \big(H_\chi(\phi, 1), \dots, H_\chi(\phi, d)\big) \in \{0,1\}^{dw}$ for sufficiently large $d$, parsed as $t$ leaves $\{v_1, \dots, v_t\} \subseteq \mathsf{leaves}(V_n)$.
• $\tau := \mathsf{open}^H(\chi, N, \phi_{\mathsf{P}}, \gamma)$: For challenge $\gamma = \{v_1, \dots, v_t\}$, the opening $\tau$ consists of the labels of the vertices in the authentication path $\mathsf{ap}(v_i)$ of $v_i$ for $i \in [t]$, i.e., $\tau = \{\ell_{\mathsf{ap}(v_i)}\}_{i \in [t]}$.
• $\mathsf{verify}^H(\chi, N, \phi, \gamma, \tau)$: $\mathsf{V}$ verifies the consistency of the labelled authentication paths $\mathsf{ap}(v_i)$. Specifically, for each $i \in [t]$ and $0 \le j \le n$, $\mathsf{V}$ checks if $\ell_u = H_\chi(u, \ell_{\mathsf{in}(u)})$ for $u = \mathsf{par}^j(v_i)$. $\mathsf{V}$ outputs accept iff all the consistency checks pass.

Note that since we consider the non-interactive version of Simple PoSW after applying the Fiat-Shamir transformation, the random oracle $H$ is used to compute both the labels (as $H_\chi(v, \ell_{\mathsf{in}(v)})$) and the challenge (as $H^{\mathsf{ChQ}}_\chi(\phi)$). We silently assume that the respective inputs are specially formatted so as to distinguish a label query from a challenge query, e.g., a label query comes with one fixed prefix and a challenge query with a different one. We then denote the set of inputs for label and challenge queries by $\mathsf{LbQ}$ and $\mathsf{ChQ} \subseteq \{0,1\}^{\le B}$, respectively. Also, for simplicity, we will treat $H^{\mathsf{ChQ}}_\chi(\phi)$ as one oracle query, i.e., "charge" only one query for a challenge query; however, we keep the superscript $\mathsf{ChQ}$ as a reminder that the query response is (understood as) a set of leaves.

Classical Security Analysis of Simple PoSW. Before presenting our proof of post-quantum security for Simple PoSW, we first review the classical security analysis in [9]. For simplicity, here we consider the original (interactive) Simple PoSW (i.e., $\mathsf{P}$ first sends $\phi$, receives a random $\gamma$ from $\mathsf{V}$, and then sends $\tau$ to $\mathsf{V}$). Also, for now, we assume that $\mathsf{P}$ does not make further oracle queries after sending $\phi$.
We review the argument of [9] for bounding the probability that a $k$-parallel $q$-query classical oracle algorithm $\mathcal{A}$ with $q < N$ makes $\mathsf{V}$ accept, using the terminology we introduced in Section 2. Let $D : \{0,1\}^{\le B} \to \{0,1\}^w \cup \{\bot\}$ be the database at the point that $\mathcal{A}$ sends $\phi$ to $\mathsf{V}$ (after making the $q$ $k$-parallel queries). Following the argument in Section 2, we can bound the success probability of $\mathcal{A}$ by bounding the probability that a random challenge $\gamma = \{v_i\}_{i \in [t]}$ can be opened based on the information in the database $D$. As argued in Section 2, the probability that the database $D$ contains collisions, or a $(q+1)$-chain with respect to the relation defined in Remark 6.4, is small; specifically, at most $O((kq + nkq)/2^w)$. Thus, by a union bound, we can assume that $D$ contains no collisions nor $(q+1)$-chains.

Next, given the database $D$ and the "commitment" $\phi$, claimed to be the root label $\ell_{\mathsf{rt}}$, we need to analyze the set of leaves $v$ that $\mathcal{A}$ can open, i.e., for which it can provide a consistently labelled authentication path $\mathsf{ap}(v)$. One of the key observations in [9] is that, for a database $D$ with no collisions, there exists a maximal subtree $T$ of $G^{\mathsf{PoSW}}_n$ that contains $\mathsf{rt}$ and admits a consistent labelling $\ell$ with $\ell_{\mathsf{rt}} = \phi$. As observed in [9], this subtree $T$ then contains all leaves that one can open given $D$. Thus, $\mathcal{A}$ can correctly answer a challenge $\gamma = \{v_1, \dots, v_t\}$ if and only if $\gamma \subseteq \mathsf{leaves}(T)$. The subtree $T$, together with the labelling $\ell$ of $T$, can be extracted using $\mathsf{Extract}^D_n(\phi)$, described in Algorithm 1 in Appendix C. Roughly speaking, starting with $T := \{\mathsf{rt}\}$, consider $v := \mathsf{rt}$ and $\ell_{\mathsf{rt}} := \phi$, and add $\mathsf{left}(v)$ and $\mathsf{right}(v)$ to $T$ if (and only if) there exist $\ell_{\mathsf{left}(v)}$ and $\ell_{\mathsf{right}(v)}$ such that $\ell_v = D\big(v, \ell_{\mathsf{left}(v)}, \ell_{\mathsf{right}(v)}\big)$, and repeat inductively with the newly added elements in $T$.
In the end, for the leaves $v \in T$ with $\mathsf{in}(v) \subseteq T$, check if $\ell_v = D(v, \ell_{\mathsf{in}(v)})$ and remove $v$ from $T$ if this is not the case.

The last step is to bound the number of leaves in $T$. Another key argument in [9] uses a certain "depth-robust" property of $G^{\mathsf{PoSW}}_n$ to show that for any subtree $T \subseteq V_n$ with $\mathsf{rt} \in T$, there exists a path $P$ in $T$ with length $|P| \ge 2 \cdot |\mathsf{leaves}(T)| - 2$. Recall we argued above that the graph labelling of a path $P$ in $G^{\mathsf{PoSW}}_n$ induces a $|P|$-chain in $H$. The same argument applies here to show that there exists a $|P|$-chain in $D$ since the extracted labels in $P \subseteq T$ are consistent (i.e., satisfying $D(v, \ell_{\mathsf{in}(v)}) = \ell_v$). Combining these with the assumption that $D$ contains no $(q+1)$-chain, we have $|\mathsf{leaves}(T)| \le (q+2)/2$. Therefore, the probability that $\mathcal{A}$ can open labels for a random challenge $\gamma = \{v_i\}_{i \in [t]}$ is at most
$$\Big(\frac{|\mathsf{leaves}(T)|}{2^n}\Big)^t \le \Big(\frac{q+2}{2^{n+1}}\Big)^t.$$

Finally, we briefly discuss here how to handle the case that $\mathcal{A}$ can make additional queries after sending $\phi$, as a similar argument is required in the analysis of the non-interactive Simple PoSW in the next section. As before, let $D$ be the database right after $\mathcal{A}$ has sent $\phi = \ell_{\mathsf{rt}}$, but now $\mathcal{A}$ can make additional queries after seeing $\gamma$, which adds new entries to $D$ and may help $\mathcal{A}$ to open labels for more challenges $\gamma$. The main observation to analyze whether additional queries are helpful is as follows. Recall that $T$ contains all leaves $v$ that admit a consistently labelled authentication path $\mathsf{ap}(v)$. Thus for the additional queries to be helpful, they must enlarge the extracted subtree $T$. More precisely, let $D'$ be the database after the additional queries and let $T'$ and $\ell'$ be extracted by $\mathsf{Extract}^{D'}_n(\phi)$.
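The Simple PoSW DAG, its sequential labelling, the Fiat-Shamir challenge, the verifier's path check and the $\mathsf{Extract}^D_n$ procedure described above, as an added Python example (it is not code from this paper or from Cohen and Pietrzak). The random oracle is modelled by truncated SHA-256 whose answers are recorded in a database `D`, the tags `"L"`/`"C"` stand for the page's label/challenge prefixes, and the reading $i \ge 0$ in $\mathsf{par}^i(v)$ as well as the scenario in `demo()` are our assumptions.

```python
import hashlib

# Vertices of B_n are bit strings: rt is "", left(v) = "0"||v, right(v) = "1"||v, leaves are {0,1}^n.
def par(v): return v[1:]
def sib(v): return ("1" if v[0] == "0" else "0") + v[1:]
def is_leaf(v, n): return len(v) == n

def in_nbrs(v, n):
    """in(v) in G^PoSW_n (Definition 6.2): both children (E'_n) plus, for every u = par^i(v)
    that is a right child, its left sibling sib(u) (E''_n). We take i >= 0, i.e. u = v counts."""
    nb = set()
    if not is_leaf(v, n):
        nb |= {"0" + v, "1" + v}
    u = v
    while u:
        if u[0] == "1":                          # u = right(par(u))
            nb.add(sib(u))
        u = par(u)
    return sorted(nb, key=lambda s: (len(s), s))  # the fixed vertex ordering the text assumes

def sequential_order(n, v=""):
    """Post-order traversal, leftmost leaf first: the honest prover's N = 2^{n+1}-1 sequential
    queries. Every in-neighbour of a vertex precedes it in this order."""
    return [v] if is_leaf(v, n) else sequential_order(n, "0" + v) + sequential_order(n, "1" + v) + [v]

def oracle_query(D, chi, tag, v, labs, w):
    """H_chi(x) := H(chi, x) as SHA-256 truncated to w bytes; every answer is recorded in D."""
    key = (tag, v, tuple(labs))
    if key not in D:
        D[key] = hashlib.sha256(chi + tag.encode() + v.encode() + b"|" + b"".join(labs)).digest()[:w]
    return D[key]

def honest_label(D, chi, n, w, order, budget):
    """l_v = H_chi(v, l_in(v)) as in (16), in sequential order; `budget` caps the queries made."""
    labels = {}
    for v in order[:budget]:
        labels[v] = oracle_query(D, chi, "L", v, [labels[u] for u in in_nbrs(v, n)], w)
    return labels

def extract(D, n, phi):
    """Extract^D_n(phi): the maximal subtree T containing rt with a consistent labelling and
    l_rt = phi, grown top-down from the label-query entries of D (D assumed collision-free)."""
    T, frontier = {"": phi}, [""]
    while frontier:
        v = frontier.pop()
        if is_leaf(v, n):
            continue
        nb = in_nbrs(v, n)
        for (tag, vv, labs), out in D.items():
            # an entry D(v, l_in(v)) = l_v whose already-known labels agree with T
            if (tag == "L" and vv == v and out == T[v] and len(labs) == len(nb)
                    and all(T.get(u, labs[i]) == labs[i] for i, u in enumerate(nb))):
                T.update(zip(nb, labs))          # adds left(v) and right(v) to T
                frontier += ["0" + v, "1" + v]
                break
    # final step: a leaf whose in(v) lies in T must itself be consistent, otherwise it is dropped
    for v in [v for v in T if is_leaf(v, n)]:
        nb = in_nbrs(v, n)
        if all(u in T for u in nb) and D.get(("L", v, tuple(T[u] for u in nb))) != T[v]:
            del T[v]
    return T

def challenge(D, chi, n, w, phi, t):
    """H^ChQ_chi(phi): charged as one query; its output bits are parsed as t leaves."""
    key = ("C", "", (phi,))
    if key not in D:
        blocks = [hashlib.sha256(chi + b"C" + phi + bytes([i])).digest()   # H_chi(phi, i)
                  for i in range(1, -(-t * n // 256) + 1)]
        D[key] = "".join(format(int.from_bytes(b, "big"), "0256b") for b in blocks)
    return sorted({D[key][j * n:(j + 1) * n] for j in range(t)})

def verify(D, chi, n, w, phi, gamma, tau):
    """verify^H: for each challenge leaf v and each u = par^j(v) on its authentication path the
    claimed label must satisfy l_u = H_chi(u, l_in(u)), with l_rt = phi."""
    labels = dict(tau)
    labels[""] = phi
    for v in gamma:
        u = v
        while True:
            nb = in_nbrs(u, n)
            if (u not in labels or any(x not in labels for x in nb)
                    or labels[u] != oracle_query(D, chi, "L", u, [labels[x] for x in nb], w)):
                return False
            if u == "":
                break
            u = par(u)
    return True

def demo(n=3, w=16, t=2):
    """Constructed scenario: an honest prover versus one that only finished the subtree under "0"."""
    chi = hashlib.sha256(b"constructed chi").digest()[:w]
    order = sequential_order(n)
    N = len(order)
    D1 = {}
    lab1 = honest_label(D1, chi, n, w, order, N)      # all N sequential queries
    T1 = extract(D1, n, lab1[""])
    # the cheater makes (N-1)/2 label queries (exactly the subtree under "0"), invents a label
    # for "1", and commits to a root label computed from it with one more query
    D2, q = {}, (N - 1) // 2
    lab2 = honest_label(D2, chi, n, w, order, q)
    lab2["1"] = b"\x00" * w
    lab2[""] = oracle_query(D2, chi, "L", "", [lab2["0"], lab2["1"]], w)
    openable = {v for v in extract(D2, n, lab2[""]) if is_leaf(v, n)}
    gamma = challenge(D2, chi, n, w, lab2[""], t)
    return {"N": N, "honest_extract_is_full": T1 == lab1, "cheat_openable": len(openable),
            "accepted": verify(D2, chi, n, w, lab2[""], gamma, lab2),
            "predicted": set(gamma) <= openable}      # the key observation of [9]
```

`demo()` shows the extracted subtree of the cheating prover containing exactly the leaves under vertex $0$, and the verifier accepting precisely when every challenge leaf lies in $\mathsf{leaves}(T)$.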
It must be that $T \subsetneq T'$ and $\ell'|_T = \ell$, and there must exist $x$ with $D(x) = \bot$ while $D'(x) = \ell_v$ for some $v \in T$. This happens with probability at most $O(qk/2^w)$ for each query since $\ell$ has support size at most $O(qk)$.

In this section, we prove post-quantum security of the (non-interactive) Simple PoSW protocol. As we shall see, relying on the framework we developed in Section 5, the proof uses purely classical reasoning only, and somewhat resembles the arguments in the classical analysis.

Theorem 6.5 (Post-Quantum Simple PoSW Security). Consider the Simple PoSW protocol with parameters $w, t$ and $N = 2^{n+1} - 1$ with $w \ge tn$. Let $\tilde{\mathsf{P}}$ be a $k$-parallel $q$-query quantum oracle algorithm acting as a prover. The probability that $\tilde{\mathsf{P}}$ can make the verifier $\mathsf{V}$ accept is at most
$$O\Big( k q \Big(\frac{q+2}{2^{n+1}}\Big)^t + \frac{k q n}{2^w} + \frac{tn}{2^w} \Big).$$

The first step towards the proof is to invoke Theorem 5.6, which, in the case here, bounds the success probability $p$ of a dishonest prover $\tilde{\mathsf{P}}$ by
$$\sqrt{p} \le \llbracket \bot \overset{k,q}{\Longrightarrow} P_R \rrbracket + \sqrt{\frac{t \cdot (n+1) + 1}{2^w}}\,,$$
where $R$ is the relation that checks correctness of $\tilde{\mathsf{P}}$'s output according to the scheme. In the following, we write $\mathsf{Suc} := P_R$ and $\mathsf{Fail} := \neg\mathsf{Suc}$. Also, recall the database properties $\mathsf{CL}$, $\mathsf{SZ}^{\le s}$ and $\mathsf{CHN}_s$ defined previously, where the latter is with respect to the hash chain relation $\triangleleft$ considered in Remark 6.4. By the properties of (the subtree extracted with) $\mathsf{Extract}^D_n(\cdot)$, we have
$$\mathsf{Suc} \setminus \mathsf{CL} = \big\{ D \in \neg\mathsf{CL} \;\big|\; \exists\, \ell_{\mathsf{rt}} \in \{0,1\}^w \text{ s.t. } D^{\mathsf{ChQ}}(\ell_{\mathsf{rt}}) \subseteq \mathsf{Extract}^D_n(\ell_{\mathsf{rt}}) \big\}. \qquad (17)$$
To bound the above quantum transition capacity $\llbracket \bot \overset{k,q}{\Longrightarrow} P_R \rrbracket = \llbracket \bot \overset{k,q}{\Longrightarrow} \mathsf{Suc} \rrbracket$, we consider database properties $P_0, \dots, P_q$ with $P_0 = \bot$ and $P_s = \mathsf{Suc} \cup \mathsf{CL} \cup \mathsf{CHN}_{s+1}$ for $1 \le s \le q$.
Following Remark 5.7 and using Corollary 5.25, (cid:113) ⊥ k,q = ⇒ Suc (cid:121) ≤ (cid:113) ⊥ k,q = ⇒ P q (cid:121) ≤ (cid:88) ≤ s ≤ q (cid:113) SZ ≤ k ( s − \ P s − k → P s (cid:121) . Thus, the proof of Theorem 6.5 follows immediately from the following bound on the considered transition capacity.26 roposition 6.6. For integers ≤ s ≤ q , and for the database properties P , . . . , P q as defined above (cid:113) SZ ≤ k ( s − \ P s − k → P s (cid:121) ≤ ek (cid:114) q + 12 w + 3 ek (cid:114) kqn w + ek (cid:115) (cid:18) q + 22 n +1 (cid:19) t Intuitively, we consider the transition from a database that is bounded in size, has no collision, no s -chain and doesnot have a successful output for ˜ P , into one that contains a collision or an ( s + 1) -chain or a successful output for ˜ P . Proof. Applying Corollary 5.27 with h := 2 , X := LbQ and X := ChQ , and with P , P , P and Q in Corol-lary 5.27 set to ¬ P := SZ ≤ k ( s − \ P s − , P := Suc , P := Suc ∪ CL ∪ CHN s +1 = P s and Q := ¬ ( CL ∪ CHN s +1 ) , we can bound (cid:113) SZ ≤ k ( s − \ P s − k → P s (cid:121) = (cid:113) ¬ P k → P (cid:121) by ≤ (cid:113) ¬ P k → ¬ Q (cid:12)(cid:12) LbQ (cid:121) + (cid:113) ¬ P k → ¬ Q (cid:12)(cid:12) ChQ ∪ LbQ (cid:121) + (cid:113) Q \ P k → Q ∩ P (cid:12)(cid:12) LbQ (cid:121) + (cid:113) Q \ P k → Q ∩ P (cid:12)(cid:12) ChQ (cid:121) ≤ (cid:113) ¬ P k → ¬ Q (cid:121) + (cid:113) Q \ P k → Q ∩ P (cid:12)(cid:12) LbQ (cid:121) + (cid:113) Q \ P k → Q ∩ P (cid:12)(cid:12) ChQ (cid:121) = 2 (cid:113) SZ ≤ k ( s − \ P s − k → CL ∪ CHN s +1 (cid:121) + (cid:113) SZ ≤ k ( s − \ P s − \ CL \ CHN s +1 k → Suc \ CL \ CHN s +1 (cid:12)(cid:12) LbQ (cid:121) + (cid:113) ¬ ( Suc ∪ CL ∪ CHN s +1 ) k → Suc \ CL \ CHN s +1 (cid:12)(cid:12) ChQ (cid:121) ≤ (cid:113) SZ ≤ k ( s − \ P s − k → CL ∪ CHN s +1 (cid:121) + (cid:113) SZ ≤ k ( s − \ P s − k → Suc \ CL (cid:12)(cid:12) LbQ (cid:121) + (cid:113) ¬ P s k → Suc \ CL (cid:12)(cid:12) ChQ (cid:121) . 
By means of Lemma 5.24 (and Corollary 5.25), and recalling that P s − = Suc ∪ CL ∪ CHN s , the first capacity inthe term can be controlled as (cid:113) SZ ≤ k ( s − \ P s − k → CL ∪ CHN s +1 (cid:121) ≤ (cid:113) SZ ≤ k ( s − \ P s − k → CL (cid:121) + (cid:113) SZ ≤ k ( s − \ P s − k → CHN s +1 (cid:121) ≤ (cid:113) SZ ≤ k ( s − \ CL k → CL (cid:121) + (cid:113) SZ ≤ k ( s − \ CHN s k → CHN s +1 (cid:121) ≤ ek (cid:114) q + 12 w + ek (cid:114) kqn w using earlier derived bounds. It remains to bound the remaining two capacities appropriately, which we do below.Intuitively, (cid:113) ¬ P s k → Suc \ CL (cid:12)(cid:12) ChQ (cid:121) captures the likelihood that a database D (cid:54)∈ Suc (and with no collision andchain) is tuned into one that does satisfy Suc by (re)defining D on k values that correspond to challenge queries. Forthis to happen, one of the newly defined function values of D , corresponding to a challenge query and thus specifyinga set of leaves, must “hit” the set of leaves that can be answered, which is bounded in size. Lemma 6.7. For any positive integer q , it holds that (cid:113) ¬ P q k → Suc \ CL (cid:12)(cid:12) ChQ (cid:121) ≤ ek · (cid:113) (cid:0) q +22 n +1 (cid:1) t .Proof. For convenience, we will denote D [ x (cid:55)→ y ] by D x , y . In order to bound the above capacity, we define -localproperties L x ,Dj and show that L x ,Dj (weakly) recognize the considered transition (with input restricted to ChQ ).For any D and x = ( (cid:96) rt , . . . , (cid:96) k rt ) ∈ ChQ k , we set L x ,Dj := (cid:110) D ◦ ∈ D | x (cid:12)(cid:12)(cid:12) D ChQ ◦ ( x j ) ⊆ leaves (cid:16) Extract D x , ⊥ n ( (cid:96) j rt ) (cid:17)(cid:111) Suppose D x , r ∈ ¬ P q = Fail \ CL \ CHN q +1 but D x , u ∈ Suc \ CL . 
Thus, by (17), there exists $\ell_{rt} \in \{0,1\}^w$ with
$$
D^{\mathsf{ChQ}}_{x,u}(\ell_{rt}) \subseteq \mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,u}}_n(\ell_{rt})\bigr), \tag{18}
$$
$$
D^{\mathsf{ChQ}}_{x,r}(\ell_{rt}) \not\subseteq \mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,r}}_n(\ell_{rt})\bigr). \tag{19}
$$
(Footnote: Note that we have a slight collision of notation here: $\mathsf{P}_0, \mathsf{P}_1, \mathsf{P}_2$ correspond to the choice of properties for applying Corollary 5.27, and should not be confused with $\mathsf{P}_s$ with $s$ set to $0, 1, 2$, respectively.)

Since the output of the extraction procedure $\mathrm{Extract}^{D}_n(\cdot)$ only depends on those function values of $D$ that correspond to label queries ($x$ here consists of challenge queries), we have
$$
\mathrm{Extract}^{D_{x,r}}_n(\ell_{rt}) = \mathrm{Extract}^{D_{x,\bot}}_n(\ell_{rt}) = \mathrm{Extract}^{D_{x,u}}_n(\ell_{rt}) .
$$
If $\ell_{rt}$ is different from all $\ell^j_{rt}$, then equations (18) and (19) contradict. So there is some $j$ such that $\ell^j_{rt} = \ell_{rt}$. Equations (18) and (19) thus become
$$
u_j \subseteq \mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,\bot}}_n(\ell_{rt})\bigr)
\quad\text{and}\quad
r_j \not\subseteq \mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,\bot}}_n(\ell_{rt})\bigr),
$$
understanding that $u_j$ and $r_j$ represent lists/sets of $t$ (challenge) leaves. Hence $r_j \ne u_j$. This concludes that $\mathsf{L}^{x,D}_j$ indeed weakly recognizes the considered database transition.

We note that, for each $x \in \mathsf{ChQ}^k$ and $D \in \mathsf{Fail} \setminus \mathsf{CL} \setminus \mathsf{CHN}_{q+1}$, since the longest hash chain in $D$ is of length no more than $q$, recycling an element from the classical reasoning, we have
$$
\Bigl| \mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,\bot}}_n(\ell^j_{rt})\bigr) \Bigr| \;\le\; \frac{q+2}{2} .
$$
Therefore,
$$
\Pr\bigl[U \in \mathsf{L}^{x,D}_j\bigr]
\;\le\; \Biggl(\frac{\bigl|\mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,\bot}}_n(\ell^j_{rt})\bigr)\bigr|}{2^n}\Biggr)^{t}
\;\le\; \Bigl(\frac{q+2}{2^{n+1}}\Bigr)^{t},
$$
and so the claimed bound follows by applying Theorem 5.29.

Similarly here, the intuition is that $\llbracket \neg\mathsf{P}_s \xrightarrow{k} \mathsf{Suc} \setminus \mathsf{CL} \,\big|\, \mathsf{LbQ} \rrbracket$ captures the likelihood that a database $D \notin \mathsf{Suc}$ (and with no collision and chain) is turned into one that does satisfy $\mathsf{Suc}$ by (re)defining $D$ on $k$ values that correspond to label queries. For this to happen, one of the newly defined function values of $D$, corresponding to a label, must "match up" with the other labels.

Lemma 6.8. For any positive integer $q$, it holds that
$$
\llbracket \mathsf{SZ}_{\le k(q-1)} \setminus \mathsf{P}_{q-1} \xrightarrow{k} \mathsf{Suc} \setminus \mathsf{CL} \,\big|\, \mathsf{LbQ} \rrbracket \;\le\; ek\sqrt{\frac{nkq}{2^w}} .
$$

Proof. Define the notion of labelling support $\mathrm{LSupp}(D)$ of a database $D \in \mathcal{D}$ as follows.
$$
\mathrm{LSupp}(D) := \Bigl\{ \lambda \in \{0,1\}^w \;\Big|\; \exists\, 1 \le i \le d \le n,\ v \in V_n,\ \ell_1, \ldots, \ell_d \in \{0,1\}^w \text{ s.t. } D(v, \ell_1, \ldots, \ell_{i-1}, \lambda, \ell_{i+1}, \ldots, \ell_d) \ne \bot \Bigr\}
\;\cup\; \Bigl\{ \ell_{rt} \in \{0,1\}^w \;\Big|\; D^{\mathsf{ChQ}}(\ell_{rt}) \ne \bot \Bigr\} .
$$
We note that since $\mathrm{LSupp}$ is defined only in terms of where $D$ is defined, but does not depend on the actual function values (beyond being non-$\bot$), $\mathrm{LSupp}(D) \subseteq \mathrm{LSupp}(D_{x,0})$, where $0 \in \{0,1\}^k$ is the all-$0$ string, for any $x \in X^k$.

In order to bound the above capacity, we define the 1-local properties and show that they (weakly) recognize the considered transition (with input restricted to $\mathsf{LbQ}$). For any $D$ and $x \in \mathsf{LbQ}^k$, consider the local properties
$$
\mathsf{L}^{x,D}_j := \bigl\{ D^\circ \in \mathcal{D}|_x \;\big|\; D^\circ(x_j) \in \mathrm{LSupp}(D_{x,0}) \bigr\} .
$$
Let $D_{x,r} \in \neg\mathsf{P}_{q-1} = \mathsf{Fail} \setminus \mathsf{CL} \setminus \mathsf{CHN}_q$ yet $D_{x,u} \in \mathsf{Suc} \setminus \mathsf{CL}$.
By (17), there exists $\ell_{rt}$ so that $D^{\mathsf{ChQ}}_{x,u}(\ell_{rt}) \subseteq \mathrm{Extract}^{D_{x,u}}_n(\ell_{rt})$, while, on the other hand, there exists some $v \in D^{\mathsf{ChQ}}_{x,r}(\ell_{rt}) \setminus \mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,r}}_n(\ell_{rt})\bigr)$. Given that here $x \in \mathsf{LbQ}^k$, we have $D_{x,r}(\ell_{rt}) = D_{x,u}(\ell_{rt})$, and thus, by (18), we have
$$
v \in \mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,u}}_n(\ell_{rt})\bigr) \setminus \mathrm{leaves}\bigl(\mathrm{Extract}^{D_{x,r}}_n(\ell_{rt})\bigr) .
$$
Consider the partial labelling $\ell$ and the subgraph $T$ extracted from $\mathrm{Extract}^{D_{x,u}}_n(\ell_{rt})$. Then, given that $v \in \mathrm{leaves}(T)$, the labelling $\ell$ is in particular a consistent labelling of the authentication path $\mathrm{ap}(v)$ with respect to $D_{x,u}$, i.e., $\ell_{z_i} = D_{x,u}(z_i, \ell_{\mathrm{in}(z_i)})$ for $z_i = \mathrm{par}^i(v)$ and $0 \le i \le n$. Furthermore, $D^{\mathsf{ChQ}}_{x,u}(\ell_{rt}) \ne \bot$. Therefore, $\ell_{z_i} \in \mathrm{LSupp}(D_{x,u}) \subseteq \mathrm{LSupp}(D_{x,0})$ for $0 \le i \le n$.

On the other hand, since $v$ is not a leaf extracted from $D_{x,r}$, yet $D^{\mathsf{ChQ}}_{x,r}(\ell_{rt}) = D^{\mathsf{ChQ}}_{x,u}(\ell_{rt})$, it must be that $\ell$ is not a consistent labelling of $\mathrm{ap}(v)$ with respect to $D_{x,r}$. Therefore, there must exist $i$ and $j$ such that $x_j = (z_i, \ell_{\mathrm{in}(z_i)})$ and
$$
u_j = D_{x,u}(x_j) = \ell_{z_i} \ne D_{x,r}(x_j) = r_j .
$$
Thus, $r_j \ne u_j$ and $u_j \in \mathrm{LSupp}(D_{x,0})$. Therefore $\mathsf{L}^{x,D}_j$ indeed weakly recognizes the considered transition for input restricted to $\mathsf{LbQ}$.

For $D \in \mathsf{SZ}_{\le k(q-1)} \setminus \mathsf{P}_{q-1}$, since there are only $k(q-1)$ entries in $D$, we have
$$
\Pr\bigl[U \in \mathsf{L}^{x,D}_j\bigr] \;\le\; \frac{|\mathrm{LSupp}(D_{x,0})|}{2^w} \;\le\; \frac{nkq}{2^w},
$$
and thus the claimed bound follows from applying Theorem 5.29.

References

[1] Andris Ambainis. Polynomial degree and lower bounds in quantum complexity: Collision and element distinctness with small range. Theory of Computing, 1(1):37–46, 2005.
[2] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62–73. ACM, 1993.
[3] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computing. SIAM Journal on Computing, 26(5):1510–1523, 1997.
[4] Jeremiah Blocki, Seunghoon Lee, and Samson Zhou. On the security of proofs of sequential work in a post-quantum world. arXiv/cs.CR, Report 2006.10972, 2020. https://arxiv.org/abs/2006.10972.
[5] Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner, and Mark Zhandry. Random oracles in a quantum world. In Lee D.H. and Wang X., editors, Advances in Cryptology – ASIACRYPT 2011, volume 7073 of Lecture Notes in Computer Science, pages 41–69. Springer, 2011.
[6] Gilles Brassard, Peter Høyer, and Alain Tapp. Quantum algorithm for the collision problem. arXiv/quant-ph, Report 9705002, 1997. https://arxiv.org/abs/quant-ph/9705002.
[7] Canetti, Goldreich, and Halevi. The random oracle methodology, revisited (preliminary version). In ACM Symposium on Theory of Computing (STOC), 1998.
[8] Alessandro Chiesa, Peter Manohar, and Nicholas Spooner. Succinct arguments in the quantum random oracle model. In Dennis Hofheinz and Alon Rosen, editors, Theory of Cryptography – TCC 2019, volume 11892 of Lecture Notes in Computer Science. Springer, 2019.
[9] Bram Cohen and Krzysztof Pietrzak. Simple proofs of sequential work. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 451–467. Springer, 2018.
[10] Jan Czajkowski, Christian Majenz, Christian Schaffner, and Sebastian Zur. Quantum lazy sampling and game-playing proofs for quantum indifferentiability. arXiv/quant-ph, Report 1904.11477, 2019. https://arxiv.org/abs/1904.11477.
[11] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Conference on the Theory and Application of Cryptographic Techniques, pages 186–194. Springer, 1986.
[12] Lov K. Grover. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pages 212–219, 1996.
[13] Yassine Hamoudi and Frédéric Magniez. Quantum time-space tradeoffs by recording queries. arXiv/quant-ph, Report 2002.08944, 2020. https://arxiv.org/abs/2002.08944.
[14] Akinori Hosoyamada and Tetsu Iwata. 4-round Luby-Rackoff construction is a qPRP. In Steven D. Galbraith and Shiho Moriai, editors, Advances in Cryptology – ASIACRYPT 2019, volume 11921 of Lecture Notes in Computer Science, pages 145–174. Springer, 2019.
[15] Stacey Jeffery, Frédéric Magniez, and Ronald de Wolf. Optimal parallel quantum query algorithms. Algorithmica, 79(2):509–529, 2017.
[16] Qipeng Liu and Mark Zhandry. Revisiting post-quantum Fiat-Shamir. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology – CRYPTO 2019, volume 11693 of Lecture Notes in Computer Science, pages 326–355. Springer, 2019.
[17] Dominique Unruh. Revocable quantum timed-release encryption. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology – EUROCRYPT 2014, volume 8441 of Lecture Notes in Computer Science, pages 129–146. Springer, 2014.
[18] Christof Zalka. Grover's quantum searching algorithm is optimal. Phys. Rev. A, 60:2746–2751, Oct 1999.
[19] Mark Zhandry. How to record quantum queries, and applications to quantum indifferentiability. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology – CRYPTO 2019, volume 11693 of Lecture Notes in Computer Science, pages 239–268. Springer, 2019.
A Efficient Simulation of the Compressed Oracle

In order to complete our exposition of the compressed oracle, we show here another aspect of the technique, which is not relevant in our context but an important feature in other applications: similarly to the classical lazy-sampling technique, the evolution of the compressed oracle can be efficiently computed, and useful information can be efficiently extracted from the compressed oracle.

For concreteness, we assume here that $Y = \{0,1\}^m$. This in particular means that $\hat{Y} = Y$, and that there is a designated and efficiently computable quantum Fourier transform $\mathrm{QFT}: |y\rangle \mapsto |\hat{y}\rangle = H^{\otimes m}|y\rangle$. This then also means that $\mathcal{D} = \hat{\mathcal{D}}$, but we still distinguish between $|D\rangle = \bigotimes_x |D(x)\rangle$ and $|\hat{D}\rangle = \bigotimes_x \mathrm{QFT}|D(x)\rangle$ for any $D \in \mathcal{D}$. Additionally, we assume that $X$ comes with an efficiently computable total order, say $X = \{0,1\}^n$.

Consider the classical encoding function $\mathrm{Enc}: \mathcal{D} \to \mathcal{L} := ((X \times Y) \cup \{\bot\})^{|X|}$ that maps $D \in \mathcal{D}$ to the list $L = \bigl[(x_1, y_1), \ldots, (x_s, y_s), \bot, \ldots, \bot\bigr]$ of pairs $(x_i, y_i)$ for which $y_i = D(x_i) \ne \bot$, sorted as $x_1 < \cdots < x_s$ and padded with $\bot$'s. Recall the unitary $\mathsf{cO}$, defined in Section 4.3 and which describes the evolution of the compressed oracle, and consider the corresponding "update function" $\mathrm{Upd}: X \times Y \times \mathcal{L} \to X \times Y \times \mathcal{L}$, defined to satisfy
$$
\mathrm{Upd}\bigl(x, y, \mathrm{Enc}(D)\bigr) = \bigl(x, y, \mathrm{Enc}(D')\bigr)
\iff
|x\rangle|\hat{y}\rangle|\hat{D}'\rangle = \mathsf{cO}\,|x\rangle|\hat{y}\rangle|\hat{D}\rangle = |x\rangle|\hat{y}\rangle \otimes \mathsf{cO}_{x\hat{y}}|\hat{D}\rangle
$$
for any $x \in X$, $y \in Y$ and $D \in \mathcal{D}$. By construction, and exploiting (7), it turns out that $\mathrm{Upd}$ is a rather simple function. Applied to $x \in X$, $y \in Y$ and $L = [(x_1, y_1), \ldots, (x_s, y_s), \bot, \ldots, \bot] \in \mathcal{L}$, it acts as follows.
If $y_i = 0$ for some $i$ then it acts as the identity; otherwise, the following two cases are distinguished: if $x \notin \{x_1, \ldots, x_s\}$ and $y \ne 0$ then $\mathrm{Upd}$ inserts the pair $(x, y)$ into the list, while if $x = x_i$ and $y \ne y_i$ for some $i$ then $\mathrm{Upd}$ replaces $(x_i, y_i)$ by $(x_i, y_i \oplus y)$. In particular, for lists $L$ of bounded size $s \le Q$, the classical function $\mathrm{Upd}$ can be efficiently computed, i.e., in time polynomial in $Q$ and in the size of the bit representations of the elements of $X$ and $Y$.

Formally, for a fixed $Q$, let $\mathcal{D}_{\le Q} := \{ D \in \mathcal{D} : |\{x \in X : D(x) \ne \bot\}| \le Q \}$, and let $\mathrm{enc}: \mathcal{D}_{\le Q} \to \mathcal{L}_{\le Q} := ((X \times Y) \cup \{\bot\})^Q$ be defined in the obvious way, i.e., so that $\mathrm{enc}(D)$ is obtained from $\mathrm{Enc}(D)$ by removing the rightmost $\bot$-paddings. Similarly, $\mathrm{upd}: X \times Y \times \mathcal{L}_{\le Q} \to X \times Y \times \mathcal{L}_{\le Q}$ is defined in the obvious way to coincide with $\mathrm{Upd}$ except for the shorter $\bot$-padding, and except for the following additional modification: $\mathrm{upd}$ is declared to act as the identity on $(x, y, L)$ whenever $s = Q$ and $x \notin \{x_1, \ldots, x_s\}$, i.e., when there would be an "overflow". It then follows that $\mathrm{upd}$ is an efficiently computable permutation. Thus, by basic theory of quantum computation, the corresponding unitary $|x, y, L\rangle \mapsto |\mathrm{upd}(x, y, L)\rangle$ can be efficiently computed by means of a polynomial-sized quantum circuit. Hence, by means of the encoding $\widehat{\mathrm{enc}}: |\hat{D}\rangle \mapsto |\mathrm{enc}(D)\rangle = |x_1\rangle|y_1\rangle \cdots |x_s\rangle|y_s\rangle|\bot\rangle \cdots |\bot\rangle$, the unitary $\mathsf{cO}$ can be efficiently computed, as long as it acts on $\mathbb{C}[X] \otimes \mathbb{C}[Y] \otimes \mathbb{C}[\mathcal{D}$ [...] QFT's to be applied (controlled by the corresponding register not being $\bot$), which can be efficiently done. Hence, by a suitable encoding, both the evolution of the compressed oracle as well as efficiently computable classical functions on the (suitably encoded) database $D$ can be efficiently computed by a quantum circuit.
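The following Python model is an added example and not code from the paper. It implements the classical update $\mathrm{upd}$ described above on sorted-list encodings with the size bound $Q$, and checks, by exhaustive enumeration over a constructed toy instance ($X = \{0,1\}^2$, $Y = \{0,1\}^2$, both represented as integers), that $\mathrm{upd}$ is an involution and hence the permutation the text claims. One detail is an assumption of this example: the case $x = x_i$ with $y = y_i$, where $y_i \oplus y = 0$, is treated as removing the pair (the register returns to $\bot$); without that case the map would not be injective.

```python
from itertools import combinations, product

# Toy instance constructed for this example: X = {0,1}^N_BITS and Y = {0,1}^M_BITS,
# both represented as integers, so the total order on X is integer order and the
# XOR on Y (Fourier-basis values) is integer XOR.
N_BITS = 2
M_BITS = 2


def enc(db, Q):
    """enc: D_{<=Q} -> L_{<=Q}: the defined entries (x, D(x)) sorted by x, no ⊥-padding.

    db maps x -> D(x) for exactly those x with D(x) != ⊥ (nonzero Fourier-basis values)."""
    entries = tuple(sorted(db.items()))
    if len(entries) > Q:
        raise ValueError("database has more than Q defined entries")
    return entries


def upd(x, y, L, Q):
    """The bounded update upd on (x, y, L), mirroring the action of cO_{x ŷ} on |D̂⟩."""
    # A list holding a 0 value is not a valid encoding (0 in the Fourier basis is ⊥);
    # such inputs are left untouched, as are queries with ŷ = 0.
    if y == 0 or any(yi == 0 for _, yi in L):
        return (x, y, L)
    keys = [xi for xi, _ in L]
    if x not in keys:
        if len(L) == Q:                      # overflow: declared to be the identity
            return (x, y, L)
        return (x, y, tuple(sorted(L + ((x, y),))))   # insert (x, y), keep the order
    i = keys.index(x)
    yi = L[i][1]
    if yi ^ y != 0:                          # replace (x_i, y_i) by (x_i, y_i ⊕ y)
        return (x, y, L[:i] + ((x, yi ^ y),) + L[i + 1:])
    # ASSUMPTION (not spelled out in the text): y_i ⊕ y = 0 sends the register back
    # to ⊥, so the pair is removed; without this case upd would not be a permutation.
    return (x, y, L[:i] + L[i + 1:])


def all_lists(Q):
    """All valid encodings with at most Q entries over the toy X and Y."""
    xs = range(2 ** N_BITS)
    ys = range(1, 2 ** M_BITS)               # nonzero values only
    lists = []
    for s in range(Q + 1):
        for xsel in combinations(xs, s):     # combinations come out sorted
            for ysel in product(ys, repeat=s):
                lists.append(tuple(zip(xsel, ysel)))
    return lists


def check_permutation(Q):
    """True iff upd is an involution (hence a permutation) on X x Y x L_{<=Q}."""
    domain = [(x, y, L) for x in range(2 ** N_BITS)
              for y in range(2 ** M_BITS) for L in all_lists(Q)]
    images = set()
    for x, y, L in domain:
        out = upd(x, y, L, Q)
        if upd(*out, Q) != (x, y, L):
            return False
        images.add(out)
    return len(images) == len(domain)


if __name__ == "__main__":
    D = {1: 3}                               # constructed database: D(1) = 3, all else ⊥
    print(enc(D, 2))                         # ((1, 3),)
    print(upd(2, 1, enc(D, 2), 2))           # (2, 1, ((1, 3), (2, 1)))
    print(check_permutation(2))              # True
```

Because $\mathrm{upd}$ is its own inverse, the unitary $|x, y, L\rangle \mapsto |\mathrm{upd}(x, y, L)\rangle$ is a classical reversible circuit with no garbage to uncompute, which is what makes the simulation cheap; the exhaustive check is only feasible on the toy parameters and is meant to make the permutation claim concrete, not to replace the argument in the text.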
B PoSW Definition

Informally, a (non-interactive) PoSW allows a prover $P$ to generate an efficiently verifiable proof showing that some computation was going on for $N$ sequential steps since some "statement" $\chi$ was received, in the sense that even a powerful adversary with parallel computation power cannot compute a valid proof with much less than $N$ steps. PoSW is typically constructed in the random oracle model. We recall its formal definition from [9] (after applying the Fiat-Shamir transformation) as follows (see Figure 3 for an illustration).

Figure 3: Non-interactive PoSW. Random oracle $H: \{0,1\}^{\le B} \to \{0,1\}^w$; Prover $P(N, t, w)$; Verifier $V(N, t, w)$.
  Verifier: statement $\chi \leftarrow \{0,1\}^w$, sent to the prover.
  Prover: $(\phi, \phi_P) := \mathrm{PoSW}(\chi, N)$; $\gamma := H_\chi(\phi)$; $\tau := \mathrm{open}(\chi, N, \phi_P, \gamma)$; $\pi := (\phi, \tau)$, sent to the verifier.
  Verifier: verify authentication path; if both succeed, $\mathrm{verify}(\chi, N, \phi, \gamma, \tau) = \mathrm{accept}$.

• Common Inputs: The prover $P$ and the verifier $V$ get as common input two statistical security parameters $w, t \in \mathbb{N}$ and a time parameter $N \in \mathbb{N}$. They have access to a random oracle $H: \{0,1\}^{\le B} \to \{0,1\}^w$, where $B$ is sufficiently large but otherwise arbitrary.
• Statement: $V$ samples a random $\chi \leftarrow \{0,1\}^w$ and sends it to $P$.
• Compute PoSW: $P$ computes $(\phi, \phi_P) := \mathrm{PoSW}^H(\chi, N)$, where $\phi$ is a proof and $\phi_P$ is a state $P$ uses to compute the opening.
• Opening Challenge: The opening challenge $\gamma$ is determined by $\gamma := H(\chi, \phi) \in \{0,1\}^w$.
• Open: $P$ computes $\tau := \mathrm{open}^H(\chi, N, \phi_P, \gamma)$. $P$ sends $\pi := (\phi, \tau)$ to $V$.
• Verify: $V$ computes and outputs $\mathrm{verify}(\chi, N, \phi, \gamma, \tau) \in \{\mathrm{accept}, \mathrm{reject}\}$.

(Footnote: The original paper [9] considers $X = \{0,1\}^*$; however, we want $X$ to be finite so that our results from the previous sections apply. Thus, we simply choose $B$ large enough, so that the scheme is well defined, but also larger than any query that an arbitrary but fixed attacker will make.)

Since our goal is to analyze post-quantum security of Simple PoSW [9], we will not present the formal security properties for PoSW here.
Instead, we will prove concrete upper bounds on the probability that a $k$-parallel $q$-query quantum oracle algorithm $\mathcal{A}$ with $q < N$ can generate a valid proof.

C The Extraction Algorithm

Algorithm 1: $\mathrm{Extract}^{D}_n(\ell_{rt})$
Input: $\ell_{rt} \in \{0,1\}^w$
Output: a subtree $T \subseteq V_n$
Initialize: Set $\ell^{\mathrm{ext}}: V_n \to \{0,1\}^w \cup \{\bot\}$ with $\ell^{\mathrm{ext}}_{rt} \leftarrow \ell_{rt}$ and $\ell^{\mathrm{ext}}_v \leftarrow \bot$ for all $v \in V_n \setminus \{rt\}$; set all vertices $v \in V_n$ as unmarked;
Notation: Define the support of a labelling as