Provably secure key establishment against quantum adversaries
Aleksandrs Belovs, Gilles Brassard, Peter Hoyer, Marc Kaplan, Sophie Laplante, Louis Salvail
Aleksandrs Belovs, University of Latvia
Gilles Brassard, DIRO, Université de Montréal, and Canadian Institute for Advanced Research
Peter Høyer, Department of Computer Science, University of Calgary
Marc Kaplan, School of Informatics, University of Edinburgh
Sophie Laplante, IRIF, Université Paris Diderot
Louis Salvail, DIRO, Université de Montréal
Contact: {brassard, salvail}@iro.umontreal.ca
26 April 2017
Abstract

At Crypto and classical legitimate parties unconditionally against a quantum eavesdropper in the query complexity model. Unfortunately, our security proofs were unsatisfactory from a cryptographically meaningful perspective because they were sound only in a worst-case scenario. Here, we extend our results and prove that for any ε > 0, there is a classical protocol that allows the legitimate parties to establish a common key after O(N) expected queries to a random oracle, yet any quantum eavesdropper will have a vanishing probability of learning their key after O ( N . − ε ) queries to the same oracle. The vanishing probability applies to a typical run of the protocol. If we allow the legitimate parties to use a quantum computer as well, their advantage over the quantum eavesdropper becomes arbitrarily close to the quadratic advantage that classical legitimate parties enjoyed over classical eavesdroppers in the seminal 1974 work of Ralph Merkle. Along the way, we develop new tools to give lower bounds on the number of quantum queries required to distinguish two probability distributions. This method in itself could have multiple applications in cryptography. We use it here to study average-case quantum query complexity, for which we develop a new composition theorem of independent interest.

1 Introduction

Not taking classified work within secret services into consideration [27], Ralph Merkle is the first person to have asked, and solved, the question of secure communications over insecure channels [23]. In his seminal (rejected!) 1974 project for a Computer Security course at the University of California, Berkeley, he discovered that it is possible for two people who want to communicate securely to establish a secret key by communicating over an authenticated channel that provides no protection against eavesdropping. Merkle's solution to this conundrum offers quadratic security in the sense that if the legitimate parties, codenamed Alice and Bob, are willing to expend an effort in the order of N, for some security parameter N, they can establish a key that no eavesdropper, codenamed Eve, can discover with better than vanishing probability without expending an effort in the order of N^2.

This quadratic security may seem unattractive compared to the potential exponential security entailed by the subsequently discovered key establishment protocols of Diffie and Hellman [15] and Rivest, Shamir and Adleman [25], to name a few. However, the security of those currently ubiquitous cryptographic solutions will be compromised with the advent of full-scale quantum computers, as discovered by Peter Shor more than two decades ago [26]. And even if a quantum computer is never built, no one has been able to prove their security against classical attacks, nor that of quantum-resistant candidates based, for instance, on short vectors in lattices. Furthermore, Merkle had already understood in 1974 that quadratic security could be practical if the underlying one-way function (see below) can be computed very quickly: if it takes one nanosecond to compute the function and legitimate users are willing to spend one second each, a classical adversary who could only invert the function by exhaustive search would require fifteen expected years to break Merkle's original scheme.

The main interest of Merkle's solution is that it offers provable security, at least in the query model of computational complexity, a model closely related to the random oracle model. In this model, we assume the existence of a black-box function f : D → R from some domain D to some range R, so that the only way to learn something about this function is to query the value of f(x) on inputs x ∈ D that can be chosen arbitrarily. The query complexity of some problem given f is defined as the expected number of calls to f required to solve the problem, using the best possible algorithm. In our case of interest, we shall consider random black-box functions, meaning that for each x ∈ D, the value of f(x) is chosen uniformly at random within R, independently of the value of f(x′) for any other x′ ∈ D. Provided the size r of R is sufficiently large compared to the size d of D, such a random function is automatically one-to-one, except with vanishing probability. The main characteristic of these black-box random functions that is relevant to the proof of security of Merkle's scheme is that, given a randomly chosen point y in the image of f, the only (classical) approach to finding an x so that f(x) = y is exhaustive search: we have to try x's one after another until a solution is found. Indeed, whenever we try some x′ and find that f(x′) ≠ y, the only thing we have learned is that this particular x′ is not a solution. Provided the function is indeed one-to-one, we expect to have to query the function d/ they exist!, which is what Merkle meant by "one-way encryption" in his 1974 class assignment [23]. Thus, we can base the security of Merkle's scheme on the generic assumption that one-way functions exist, which is unlikely to be broken by a quantum computer, rather than the assumption that specific computational problems such as factorization or finding short vectors in lattices are difficult, at least the first one of which is known not to hold on a quantum computer.

Can we do better than provable quadratic security in the query model? This question remained open for 35 years, and was finally settled in the negative by Boaz Barak and Mohammad Mahmoody-Ghidary [4], building on earlier work of Russell Impagliazzo and Steven Rudich [18]: any protocol by which the legitimate parties can obtain a shared key after O(N) expected queries to a black-box random function can be broken with O(N^2) expected queries to the same black box.

It was apparently noticed for the first time by one of us in 2005, and published a few years later [14], that Merkle's original 1974 scheme [23], as well as his better known subsequently published puzzles [24], are broken by Grover's algorithm [16] on a quantum computer. This attack assumes that the eavesdropper can query the function in quantum superposition, which is perhaps not reasonable if the function is provided as a physical classical black box, but is completely reasonable if it is given by the publicly available code of a one-way function (as originally envisioned by Merkle). If the legitimate parties are also endowed with a quantum computer, the same paper [14] gave an obvious fix, by which the legitimate parties can establish a key after O(N) quantum queries to the black-box function, but no quantum eavesdropper can discover it with better than vanishing probability without querying the function O ( N / ) times. That paper made the explicit conjecture that this was best possible when quantum codemakers are facing quantum codebreakers in the game of provable security in the random black-box model. The issue of protecting classical codemakers against quantum codebreakers was not addressed in Ref. [14].

At the Crypto N / ) times. We also offered the first protocol provably capable of protecting classical codemakers against quantum codebreakers, although O ( N / ) queries in superposition sufficed for the quantum eavesdropper to obtain the not-so-secret key. Unfortunately, our security proofs were worked out in the traditional computational complexity worst-case scenario. In other words, it was only proved that any quantum eavesdropper limited to o ( N / ) or o ( N / ) queries, depending on whether the legitimate parties are quantum or classical, would be likely to fail on at least one possible instance of the protocol. This did not preclude that most instances of the protocol could result in insecure keys against an eavesdropper who would work no harder than the legitimate parties. Said otherwise, our Crypto o ( N / ) or o ( N / ) queries, where the probabilities are taken not only over the execution of the eavesdropping algorithm but also over the instance of the protocol run by the legitimate parties. We also extended our results to two sequences of protocols based on the k-SUM problem (Definition 1 in Section 3), where k ≥ O ( kN ) times. It was claimed that any quantum eavesdropper had a vanishing probability of learning the key after o ( N + kk +1 ) or o(N^{k/(k+1)}) queries, against the classical or the quantum protocol parametrized by k, respectively. Again, this was claimed to hold not only in the cryptographically challenged worst-case scenario, but also when the probabilities are taken over the protocols being run by the legitimate parties.

Unfortunately, all our average-case analyses in Ref. [13] were incorrect! The case k = 2 can be fixed rather easily, hence the insufficiency of o ( N / ) queries for a quantum-against-quantum protocol and of o ( N / ) queries for a classical-against-quantum protocol in a cryptographically significant setting can be derived from the incorrect arguments provided in Ref. [13]. However, we also claimed in Ref. [13] that the case k > k = 2. This was a mistake due to a fundamental difference in the k-SUM problem whether k = 2 or k > 2. Whereas the problem is easily seen to be random self-reducible when k = 2, so that its hardness in the worst case implies its hardness on average, this does not seem to be the case for the k-SUM problem when k > 2. In particular, the worst-case lower bound proved by Aleksandrs Belovs and Robert Špalek [7] on the difficulty of solving the k-SUM problem on a quantum computer does not extend in any obvious way to a lower bound on average. And without such an average lower bound, our results claimed in Ref. [13] go up in smoke for k > 2. Furthermore, for a technical reason explained later, even such an average lower bound would not suffice.

[Footnote 1] The word "functions" is plural because the 2011 protocol required two black-box random functions.

[Footnote 2] For classical legitimate parties, the o ( N / ) of Ref. [12] had been improved to o ( N / ) in Ref. [13].

In this paper, we overcome all these problems and give a correct and cryptographically meaningful security proof for all our protocols from Ref. [13]. Consequently, we prove that for any ε > 0, there is a classical protocol that allows the legitimate parties to establish a common key after O(N) expected queries to black-box random functions, yet any quantum eavesdropper will have a vanishing probability of learning their key after O ( N . − ε ) queries to the same oracle. The vanishing probability is over the randomness in the actual run of the protocol followed by that of the eavesdropper's algorithm. If we allow the legitimate parties to use quantum computers as well, their advantage over the quantum eavesdropper becomes arbitrarily close to the quadratic advantage that classical legitimate parties enjoyed over classical eavesdroppers in the seminal 1974 work of Ralph Merkle [23].

Our results require new tools in quantum query complexity, which are of independent interest. In particular, we introduce techniques to lower-bound the quantum query complexity of distinguishing between two probability distributions, which we use to extend the adversary lower bound method in order to handle average-case complexity, but they could have other uses in cryptography. This approach is necessary for the distributions of inputs considered here because the associated decision problems become trivial on average, which prevents us from applying the average-case method developed in Ref. [6]. Furthermore, we prove a composition theorem for this new lower bound method, extending that of Ref. [12], which was valid only to prove cryptographically irrelevant worst-case lower bounds. Using these two tools, we prove that any quantum eavesdropper who does not make a prohibitive number of calls to the black-box functions will fail to break a typical instance of the protocol, except with vanishing probability.

This work fits in the general framework of "Cryptography in a quantum world" [11], which addresses the question: "Is the fact that we live in a quantum world a blessing or a curse for codemakers?". It is a blessing if we allow quantum communication, thanks to Quantum Key Establishment (also known as Quantum Key Distribution, QKD) [9], at least if the protocols can be implemented faithfully according to theory [28, 21]. On the other hand, it is a curse if we continue to use the current cryptographic infrastructure, which pretends to secure the Internet at the risk of falling prey to upcoming quantum computers. However, it is mostly a draw in the realm of provable query complexity in the black-box model considered in this paper, since codemakers enjoy a quadratic (or arbitrarily close to quadratic) advantage over codebreakers in both an all-classical and an all-quantum world, at least in terms of query complexity (but see footnote 3 again). Furthermore, the known proof that quadratic security is best possible in an all-classical world [4] does not extend to the all-quantum world, and hence the (unlikely) possibility remains that a more secure protocol could exist in our quantum world.

The rest of the paper is organized as follows. Section 2 lists all the techniques and related notations that are used throughout the paper. Section 3 recalls the classical and quantum protocols from Refs [12, 13]. In Section 4, we introduce a new method to prove lower bounds on the difficulty of distinguishing between two probability distributions, which we use to study average-case quantum query complexity. This method extends the extensively studied adversary method. We then apply this method to the k-SUM problem in Section 5, which is at the heart of our hardness result. Finally, in Section 6, we prove a composition theorem for the new adversary method introduced in Section 4. This allows us to conclude that typical runs of the protocols from Refs [12, 13] are indeed secure against quantum adversaries.

[Footnote 3] To be honest, it is not entirely cryptographically meaningful to restrict the analysis to the number of calls to the black-box functions, taking no account of the computing time that may be required outside those calls. However, if we also restrict the legitimate expected time to be in O ( N ), then our quantum protocol with k = 3 remains valid and provably resists any o ( N / )-time quantum eavesdropping attack, which was claimed in Ref [13], but with a fundamentally incorrect proof.

2 Preliminaries and Notation
At the heart of this work is a lower bound on the quantum query complexity of a generalisation of the k-SUM problem. Many techniques have been given to prove such lower bounds in the worst-case scenario, including the adversary method [2, 17, 20]. This method is based on the spectral norm of a matrix Γ, indexed in the rows and columns by inputs to the problem. Roughly, each entry Γ[x, y] ∈ ℝ of the matrix can be thought of as representing the hardness of distinguishing inputs x and y. It is known that for Boolean functions, the (negative) adversary bound is multiplicative under function composition [17]. For non-Boolean functions, a general composition theorem fails to hold, as counterexamples can be found. Nevertheless, it was shown in Ref. [12] that the adversary method is multiplicative under composition with (non-Boolean) unstructured search problems.

In this paper, we extend the quantum adversary method to average-case complexity, which is crucial for cryptographic applications, and we show that a similar composition property holds for this measure. As for the adversary bound, this method is based on the spectral norm of matrices, and involves probability distributions. Below, we summarize the notation related to functions, algebra and probabilities, used throughout the paper.

We consider decision or search problems denoted F, G or H. These problems are on abelian groups, which are denoted G, or G_m when we want the order m of the group to appear explicitly. The group operation is denoted "+" and its inverse "−". For a decision problem F, the inputs in the language F are called positive and the inputs not in the language are negative. We compose our problems with an unstructured search problem to make them harder. To do so, we need to add to the alphabet an element that does not belong to G. We denote this element "⋆".

Fix two problems F : A^n → B and G : C → A for some n ∈ ℕ. Then, the composed problem F ∘ G^n : C^n → B is defined by F ∘ G^n(x_1, …, x_n) = F(G(x_1), …, G(x_n)) for (x_1, …, x_n) ∈ C^n. For any positive integer n we use [n] to denote the set of n elements {0, 1, 2, …, n − 1}.

We only make use of basic concepts of quantum computing: states, unitary operations and measurements. These notions are used in Section 4, but even there, the calculations boil down to basic linear algebra. The entries of an n × m matrix Γ are denoted Γ[x, y], where x ∈ [n] and y ∈ [m]. For X ⊆ [n] and Y ⊆ [m], Γ_{X,Y} is the restriction of Γ to the rows and columns in X and Y, respectively. The direct sum of spaces, operators, matrices or vectors is denoted "⊕". The inner product of two states (or vectors in a Hilbert space) ψ and φ is ⟨ψ, φ⟩. For a matrix A, we use ‖A‖ for its spectral norm, that is, its largest singular value, and ‖A‖_F for the Frobenius norm, that is, the square root of the sum of the squares of the moduli of its elements. For two matrices A and B, we denote A ∘ B their entrywise (or Hadamard) product. We make use of the two following matrices: the n × n identity matrix I_n and the n × n all-one matrix J_n.

We use P and Q for probability distributions over inputs to the problems. The support of a distribution is the set of elements with non-zero probability. We sometimes identify distributions with vectors. More precisely, if p_x is the probability of x in P, we can consider the vector P given by the entries P[x] = p_x. We use "X ∼ P" to denote that the random variable X is sampled from P. In this case, it is the variable whose probability is given by Pr[X = x] = p_x. In the specific case of sampling an element x uniformly at random from a set D, we use x ∈_R D. We also use the indicator function 1_{x=y} whose value is 1 if x = y and 0 otherwise.

We sometimes consider sequences of probabilities, such as the accepting probability ν_n of an algorithm (for a decision problem) as a function of the input size n.
For simplicity, we often omit the subscript n, in which case "ν" should be understood as a function of n. We call such a sequence ν vanishing if ν = o(1). If ν decreases faster than the inverse of any polynomial, we say that the event is negligible.

3 Protocols

3.1 Classical and Quantum Protocols

With the exception of Merkle's more famous "puzzles" [24], all key establishment protocols based on black-box random functions (which Merkle called "one-way encryption") begin in a way that is essentially identical to Merkle's original 1974 idea [23], with possible inessential differences (see footnote 4). Given a black-box random function f : D → R from some domain D to some range R, Alice chooses random elements x_i ∈_R D and she obtains y_i = f(x_i), which she sends to Bob over an authenticated channel on which Eve can freely eavesdrop. This defines the sets X of x_i's and Y of y_i's, of which X is private information kept by Alice whereas Y becomes known to all parties, including Eve. Upon receiving this information, Bob's first task is to find one or several preimage(s) under f of any of the points sent by Alice.

[Footnote 4] In Merkle's original scheme, there is no asymmetry between Alice and Bob, as they both "guess at keywords" and share and compare their one-way encryptions until they discover that they have guessed at the same keyword. In all the protocols considered here, Alice goes first and Bob works from there.

The various schemes that were considered in Refs [23, 14, 12, 13] differ in how Bob proceeds to find the preimage(s), how many such preimages he needs to find, and how he informs Alice of which preimage(s) he has found. In Merkle's original scheme [23], he needs to find a single preimage. This is done by querying f on random points in its domain until some x is found such that f(x) = y ∈ Y. Afterwards, Bob sends y back to Alice, who can efficiently find the corresponding x because it is among her set X, which she had kept. This shared x becomes their secret key. The intuition behind the security of this scheme stems from the freedom in Bob's task to invert f on any element of Y, compared to how stringent Eve's is, since she must invert it on the specific element that Bob had inverted by chance.

To be more precise, let N be a safety parameter, let the domain of f contain N points and its range be of size N, which is large enough to ensure that f is one-to-one except with vanishing probability. If Alice chooses N random points in the domain of f and Bob tries random such points as well until he hits upon an x such that f(x) ∈ Y, it is easy to see that both Alice and Bob need to query function f an expected number of N times. However, a classical Eve requires an expected N / f with the help of a quantum computer requires only π √ N = π N queries to f by way of Grover's algorithm [16], which is slightly fewer than the effort required by the legitimate parties. This is why Merkle's original scheme is totally broken against a quantum adversary, as first pointed out in Ref. [14]. In order to restore security, two main modifications to Merkle's original scheme have been considered, as we now proceed to describe.

If we require Bob to find k distinct preimages among the N points sent by Alice, for some k > 1, his task becomes k times as hard, provided k ≪ N. The key shared by Alice and Bob could then be the concatenation of those preimages in the order in which the corresponding images were sent by Alice in the first step. But how can k = 2, but a much simpler one was given subsequently in Ref. [13] for arbitrary k. The idea is to introduce a second black-box random function t from the same domain to some sufficiently large group G. If Bob finds preimages x_{i_1}, x_{i_2}, …, x_{i_k} ∈ X, with 1 ≤ i_1 < i_2 < ··· < i_k ≤ N, and sends w = t(x_{i_1}) + t(x_{i_2}) + ··· + t(x_{i_k}) to Alice, she needs only call black-box function t on the N points she had kept in X in order to determine Bob's k preimages, provided the order of G was chosen sufficiently large to ensure the uniqueness of the solution, except with vanishing probability. Taking the order to be N^{k+1} is sufficient to ensure this. Furthermore, she can do this efficiently, in terms of computing time, when k = 2. Hence, Alice needs to query each of functions f and t exactly N times, whereas Bob needs to query function f an expected O(kN) times and function t exactly k times.

How difficult is the cryptanalytic task for quantum Eve, who has seen the y's sent from Alice to Bob and the single w sent from Bob to Alice? We gave an explicit algorithm based on quantum walks [22] in Hamming graphs in Ref. [13], which allows her to discover the secret key after O ( N / k/ ( k +1) ) calls to the black-box functions. In the same paper, we claimed that a matching Ω( N / k/ ( k +1) ) lower bound holds for a typical instance of the protocol, which is formally stated in Theorem 2 below, but the proof proposed in Ref. [13] fails for k > 2. For any ε > 0, there is a classical key establishment protocol (taking k = ⌊ /ε ⌋) that allows the legitimate parties to establish a shared key after O(N) expected queries to black-box random functions f and t, yet any quantum eavesdropper will have a vanishing probability of learning their key after O ( N . − ε ) queries to the same oracle. If we take account of computational complexity in addition to query complexity, we must be content with k = 2, in which case the claim is much more modest, but still the quantum codebreaker must work more than linearly harder than the classical codemakers. Along the way, we need to develop in Section 4 new tools for the study of average-case quantum query complexity, which had essentially remained virgin territory despite its obvious importance, in particular but not only for cryptography.

The second modification to Merkle's original scheme that has been considered [14, 12, 13] is to play a fair game in allowing the codemakers to use quantum computers as well. The first benefit is that we can enlarge the domain of f to contain N points. If Alice proceeds exactly as before, Bob can use an extension of Grover's algorithm known as BBHT [10] in order to find random preimages of the N image points initially sent by Alice at the cost of O(√(N /N)) = O(N) queries per preimage, provided k ≪ N. This increase in the domain size of f, and correspondingly of t, makes it significantly harder for a quantum eavesdropper to solve the conundrum and discover the key shared by Alice and Bob. Indeed, we also prove Theorem 3, stated below, to the effect that no cryptanalytic attack can succeed on a typical instance of the protocol, except with vanishing probability, short of making Ω(N^{k/(k+1)}) queries to the black-box functions. Again, this theorem was claimed in Ref. [13] but its proof was fundamentally flawed for k > 2. Taking k sufficiently large, this offers a quantum-against-quantum security that is arbitrarily close to the quadratic security that the original scheme of Merkle [23] offered in the classical-against-classical scenario. The second benefit of allowing the codemakers to use quantum computers is that now a quantum Alice can be efficient in terms of computation time, in addition to query complexity, even when k = 3. According to Theorem 3, we get an Ω(N^{3/4}) security guarantee for a protocol that could become practical once sufficiently powerful quantum computers start to seriously threaten the security of the current Internet cryptographic infrastructure. This is the most secure proven solution ever discovered to the conundrum of post-quantum cryptography [11] when all parties have equal quantum computing capabilities, at least in the random oracle model, and its security is reasonably close to that of Merkle's provably optimal scheme in an all-classical world but otherwise in the same model.

3.2 k-SUM Problem

The security of the protocols that we study is based on the k-SUM problem, which consists in searching for k elements among N in some abelian group G whose sum is a given value w ∈ G.

Definition 1 (k-SUM problem). Given an abelian group G, a function t : D → G for some domain D, a target w ∈ G and N distinct elements x_1, x_2, …, x_N ∈ D, the problem is to find k indices 1 ≤ i_1 < i_2 < ··· < i_k ≤ N such that w = Σ_{j=1}^{k} t(x_{i_j}), provided a solution exists. The decision version of k-SUM is to decide whether or not a solution exists.

It is crucial to understand that we are not interested in how much computation time would be required to find a solution, if one exists. Rather, we want to minimize the number of calls to function t that will be required. Naturally, a quantum algorithm is allowed to query t on superpositions of elements of D.

When k = 1, this is simply the unstructured search problem, which consists in finding i such that t(x_i) = w, provided it exists. When k = 2 and G is the group of bit strings of a given length under bitwise exclusive-or, k-SUM takes the name of . In turn, when w = 0, becomes the search version of the Element Distinctness (ED) problem, which consists in finding a collision in a given function if it is not one-to-one.

Definition 2 (Element Distinctness (ED) problem). Given a function t : D → R, the decision element distinctness (ED) problem is to decide whether or not this function is one-to-one.

Definition 3 (Search version of ED). Given a function t : D → R, the search version of the element distinctness problem (SED) is to find a pair of distinct x, x′ ∈ D such that t(x) = t(x′), provided such a pair exists.

Quantum lower bounds have been proved on all these problems [1, 7, etc.], but only in the worst-case scenario, which is most frequently studied in the field of computational and query complexity.
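The classical protocol of Section 3.1 and the recovery step of Definition 1, simulated end to end for k = 2, as an added example that is not part of the paper. It models f and t as query-counting random tables, takes the common domain to be N·N points, the group to be Z_m with m = N^{k+1} as the text prescribes, and adds a classical Eve who solves the hidden 2-SUM instance she faces (Definition 4) by exhaustive search. The domain size, the 64-bit range of f and all function names are this example's own assumptions, not the paper's.

```python
"""Merkle-style key establishment of Section 3.1 with the k-SUM recovery step
of Definition 1 (k = 2), plus a classical exhaustive-search Eve solving the
corresponding hidden 2-SUM instance (Definition 4).

Added example, not code from the paper.  Assumptions: f and t are lazily
filled random tables that count queries (query complexity, not time); the
domain is D = {0, ..., N*N - 1}, so a random probe hits one of Alice's N
images with probability 1/N; f's range is 64-bit strings, large enough for f
to be one-to-one except with vanishing probability; G = Z_m with
m = N**(k+1) = N**3, the order the paper says suffices for uniqueness.
"""
import random


class RandomOracle:
    """Random function sampled lazily; every call is counted as one query."""

    def __init__(self, rng, sample):
        self.rng, self.sample, self.table, self.queries = rng, sample, {}, 0

    def __call__(self, x):
        self.queries += 1
        if x not in self.table:
            self.table[x] = self.sample(self.rng)
        return self.table[x]


def two_sum_indices(values, w, m):
    """All index pairs i < j with values[i] + values[j] = w in Z_m.

    One dictionary pass: Alice's recovery costs N queries to t and linear
    time, which is why k = 2 is the time-efficient case for a classical Alice.
    """
    seen, pairs = {}, []
    for j, v in enumerate(values):
        for i in seen.get((w - v) % m, []):
            pairs.append((i, j))
        seen.setdefault(v, []).append(j)
    return pairs


def alice_publish(rng, f, d, N):
    """Alice: N distinct random domain points; only their images go out."""
    X = rng.sample(range(d), N)
    return X, [f(x) for x in X]


def bob_respond(rng, f, t, Y, d, m, k=2):
    """Bob: probe f at random until k of Alice's images are hit, then send w."""
    position = {y: i for i, y in enumerate(Y)}  # public, Eve sees Y as well
    found = {}                                   # index into Y -> preimage
    while len(found) < k:
        x = rng.randrange(d)
        i = position.get(f(x))
        if i is not None:
            found[i] = x
    key = tuple(found[i] for i in sorted(found))  # order of Alice's images
    return key, sum(t(x) for x in key) % m


def alice_recover(t, X, w, m):
    """Alice: query t on her N points and solve 2-SUM for the target w."""
    T = [t(x) for x in X]
    return [tuple(X[i] for i in pair) for pair in two_sum_indices(T, w, m)]


def eve_exhaustive(rng, f, t, Y, w, d, m):
    """Eve: knows Y and w only, so she must invert f by exhaustive search."""
    position = {y: i for i, y in enumerate(Y)}
    inverted = {}                                # t-value -> (index, x)
    for x in rng.sample(range(d), d):            # random order over all of D
        i = position.get(f(x))
        if i is None:
            continue                             # not one of Alice's points
        v = t(x)
        partner = inverted.get((w - v) % m)
        if partner is not None and partner[0] != i:
            return tuple(p[1] for p in sorted([partner, (i, x)]))
        inverted.setdefault(v, (i, x))
    return None


def run_protocol(N, seed=0):
    """One protocol run; returns both keys, Eve's result and query counts."""
    rng = random.Random(seed)
    d, m = N * N, N ** 3
    f = RandomOracle(rng, lambda r: r.getrandbits(64))
    t = RandomOracle(rng, lambda r: r.randrange(m))
    q = {}
    X, Y = alice_publish(rng, f, d, N)
    q["alice_f"] = f.queries
    bob_key, w = bob_respond(rng, f, t, Y, d, m)
    q["bob_f"], q["bob_t"] = f.queries - q["alice_f"], t.queries
    candidates = alice_recover(t, X, w, m)       # all pairs summing to w
    q["alice_t"] = t.queries - q["bob_t"]
    f0, t0 = f.queries, t.queries
    eve_key = eve_exhaustive(rng, f, t, Y, w, d, m)
    q["eve"] = (f.queries - f0) + (t.queries - t0)
    return {"alice_key": candidates[0] if len(candidates) == 1 else None,
            "bob_key": bob_key, "candidates": candidates,
            "eve_key": eve_key, "queries": q}


if __name__ == "__main__":
    print(run_protocol(256, seed=7))
```

Running run_protocol(256) shows Alice at exactly N queries to each of f and t, Bob at about kN = 512 queries to f and exactly 2 to t, and Eve at a number of queries proportional to the size of the domain, which is the quadratic gap against a classical eavesdropper that the text describes. The rare run in which a second pair of Alice's points also sums to w is reported as alice_key = None rather than guessed, mirroring the "except with vanishing probability" caveat on uniqueness.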
For some of these problems, such as ED, SED, and , a simple classical randomized reduction suffices for proving their difficulty on average from their difficulty in the worst case even in the quantum setting, at least if we add the promise that if there is a solution, then it is unique. However, this does not appear to be the case for k-SUM when k > k after having nearly proved it in the case k = 2. "Nearly" because the proof for k = 2 was flawed, albeit easy to repair. Not so for k > 2, however. In order to prove the security of the key establishment protocols described above in a cryptographically meaningful context, we need to prove the difficulty of k-SUM on average for arbitrary k, which requires new quantum lower bound techniques. In fact, we need to prove the difficulty on average of a composed version of k-SUM, defined below in Section 3.3, which does not follow by a classical reasoning from the average difficulty of plain k-SUM. Therefore, we also have to develop a new composition theorem that works on average as well.

The first quantum lower bound discovered among these problems was for the decision element distinctness problem. Aaronson and Shi [1] proved that this problem requires Ω( d / ) queries to t in the worst case, where d is the cardinality of domain D. There was a technical condition in their original proof that required r ≥ d , where r is the cardinality of range R, but that condition was subsequently lifted [3, 19]. Later, Belovs and Špalek [7] proved that solving k-SUM requires Ω(N^{k/(k+1)}) queries to t in the worst case, provided m ≥ N^k, where m is the order of group G and N is as in Definition 1.

Even though the technique used by Aaronson and Shi was adequate only to prove worst-case lower bounds, it is elementary to conclude by a classical reasoning that the worst-case hardness of ED implies the same hardness on average for ED, SED and . But, as we said already, a completely new technique, which we develop in Section 4, is required to prove a matching hardness result for k-SUM on average, which is stated as Theorem 5 in Section 5.

However, even this is not sufficient to derive the security of the key establishment protocols described above in a cryptographically meaningful manner. Indeed, the eavesdropper is not faced with an instance of k-SUM, as specified in Definition 1. He learns the value of w when Bob transmits it to Alice, and he has access to black-box function t, but he does not know the x's, which are kept secret by Alice. Instead, he learns the images of those x's under function f, which we called the y's, when Alice sent them to Bob in the first step of the protocol. In fact, he has to solve the more difficult Hidden k-SUM problem, which we now proceed to describe.

3.3 Hidden and Composed k-SUM Problems
The hidden k -SUM problem, defined below, corresponds precisely to the task facing the eaves-dropper. Definition 4 (Hidden k -SUM problem) . Given two sets D and R , an abelian group G , twofunctions f : D → R and t : D → G , N distinct elements y , y , . . . , y N ∈ Im ( f ) , and a target w ∈ G , the problem is to find k indices ≤ i < i < · · · < i k ≤ N and a preimage x i j under f for each y i j , ≤ j ≤ k , meaning that f ( x i j ) = y i j , such that w = P kj =1 t ( x i j ) , provided asolution exists. The decision version of hidden k -SUM is to decide if a solution exists. In order to prove lower bounds on the quantum cryptanalytic task of breaking typicalinstances of the protocols described in Section 3.1, we proceed in two steps. First we haveto prove the hardness of the hidden k -SUM problem on average. Then, we have to exhibita reduction that shows how to solve an average instance of the hidden k -SUM problem usingan adversary who thinks he is breaking a typical instance of the key establishment protocol.To prove the hardness of the hidden k -SUM problem on average, it helps to consider a morestructured version of it, which is given by the composition of k -SUM with a search problemcalled pSEARCH , defined below. Definition 5 ( pSEARCH problem) . Let A be some set and ⋆ a symbol not in A . Consider theset P of strings ( a , . . . , a ℓ ) in ( A ∪ { ⋆ } ) ℓ with the promise that exactly one value is not ⋆ . Theproblem pSEARCH ℓ : P → A consists in finding this non- ⋆ value by making queries that take i as input and return a i , ≤ i ≤ ℓ . An equivalent formulation of the k -SUM problem would consist in a target w in abeliangroup G and a list ( t , t , . . . , t N ) of elements of G . The problem is to find k indices1 ≤ i < i < · · · < i k ≤ N such that w = t i + t i + · · · + t i k . We are charged for accessingeach t i given i . 
This is equivalent to Definition 1 simply by taking $t_i = t(x_i)$, but it is more convenient since it allows us to consider the composition of $k$-SUM with $N$ instances of pSEARCH. Thus we define the composed version of $k$-SUM as follows.

Definition 6 (Composed $k$-SUM problem). Given a target $w$ in an abelian group $G$ and $N$ instances of the $\mathrm{pSEARCH}_\ell$ problem using $G$ as the set $A$, we want to solve the $k$-SUM problem with $t_i$ being the only non-$\star$ element in the $i$th instance of $\mathrm{pSEARCH}_\ell$. Said otherwise, this is the composition of $k$-SUM and $\mathrm{pSEARCH}_\ell$, denoted $k\text{-SUM} \circ \mathrm{pSEARCH}_\ell^N$.

The composed $k$-SUM problem (Definition 6) is similar to its hidden variant (Definition 4), except that it is more structured, hence easier. Specifically, the $x_i$'s that serve to define $t_i = t(x_i)$ in the hidden version, $1 \le i \le N$, can a priori be any element of $D$, whereas they are put in $N$ "buckets" of size $\ell$ in the composed version. If we choose the size of $D$ to be the product of $N$ and $\ell$, any algorithm capable of solving the hidden version can serve directly to solve the composed version simply by taking no account of the additional information provided by the buckets. Moreover, a random instance of the composed version can be transformed into a random instance of the hidden version, essentially by mixing the buckets. It follows that any lower bound on the composed problem translates directly into the same lower bound on the hidden problem, mutatis mutandis.

In Sections 4 to 6, which are more technical, we give a lower bound on the composed problem in a series of steps. First, we give a new general method to prove lower bounds for the average-case quantum query complexity (Section 4). This method is closely related to the technique given in Ref. [8], albeit with essential differences. Second, building on techniques from Refs [7, 6], we show a lower bound on the average-case quantum query complexity of $k$-SUM (Section 5).
Third, we show a composition theorem for average-case quantum query complexity, which allows us to conclude with Theorem 6 (Section 6).

When we apply this theorem with the parameters that correspond to the protocols described in Section 3.1, we should take $n = N$, which is the number of images sent by Alice in the first step of any of these protocols and therefore also the number of buckets. Furthermore, we should take the product of $\ell$, the size of the buckets, with $n$, the number of buckets, to correspond to the size of the domain $D$ used in the protocols.

Putting it all together, Theorem 6 gives us the following lower bound on the difficulty of solving the hidden $k$-SUM problem if the domain $D$ of the functions $f$ and $t$ contains $d$ elements.

Theorem 1.
Any quantum algorithm that uses at most $T$ queries to find a solution to the hidden $k$-SUM problem with success probability at least $\nu_N > 0$ on average over the uniform distribution on positive instances requires
$$T\nu_N = \Omega\left(\sqrt{d/N - 1}\; N^{k/(k+1)}\right)$$
provided $m = \omega\left(N^{k + 2/(k+1)}\right)$, where $m$ is the order of the underlying abelian group.

We proved (correctly!) in Ref. [13] that any eavesdropper who succeeds in obtaining the key with non-vanishing success probability $\nu$ in any of the protocols described in Section 3.1, after making no more than $T$ queries, on average over the runs of the protocol, can be used to solve the hidden $k$-SUM problem with the same parameters. Therefore, using the fact that $d = N^2$ for the classical protocols and $d = N^3$ for the quantum protocol, we can apply Theorem 1 to conclude that the protocols are secure according to the following theorems.

Theorem 2. Any quantum eavesdropping strategy that makes $o\left(N^{\frac12 + \frac{k}{k+1}}\right)$ queries to the black-box functions against a typical run of the classical protocol using parameter $k$ will fail to recover the key, except with vanishing probability.

Theorem 3.
Any quantum eavesdropping strategy that makes $o\left(N^{1 + \frac{k}{k+1}}\right)$ queries to the black-box functions against a typical run of the quantum protocol using parameter $k$ will fail to recover the key, except with vanishing probability.

Furthermore, we showed in Ref. [13] that these bounds are tight.
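As an added illustration, not part of the paper or of the protocols it analyses, the following Python builds a random composed $k$-SUM instance (Definition 6), turns it into a hidden $k$-SUM instance (Definition 4) by mixing the buckets as described above, and runs a generic solver that ignores the bucket structure while counting its oracle queries. The labels $y_i$, the junk images assigned to the $\star$ elements, and the random $t$-values on those elements are constructed for the example; the group is $\mathbb{Z}/m\mathbb{Z}$.

```python
import random
from itertools import combinations

STAR = None  # stands in for the ⋆ symbol of a pSEARCH bucket


def random_composed_instance(n, ell, k, m, rng):
    """Constructed positive instance of composed k-SUM (Definition 6): n
    buckets of size ell over G_m = Z/mZ, each holding exactly one group element
    t_i (⋆ elsewhere), and a target w equal to the sum of the t_i of a random
    k-subset, so that a solution exists."""
    t = [rng.randrange(m) for _ in range(n)]
    buckets = []
    for i in range(n):
        b = [STAR] * ell
        b[rng.randrange(ell)] = t[i]
        buckets.append(b)
    planted = rng.sample(range(n), k)
    w = sum(t[i] for i in planted) % m
    return buckets, w


class HiddenInstance:
    """A hidden k-SUM instance (Definition 4) obtained by mixing the buckets:
    the domain D = [n*ell] is relabelled by a random permutation, so the bucket
    structure is no longer visible.  f sends the non-⋆ element of bucket i to
    the image y_i and every ⋆ element to a junk image outside {y_1, ..., y_n};
    t returns the hidden group element, or a random one on junk elements (as a
    random function would).  Every oracle call is counted."""

    def __init__(self, buckets, m, rng):
        n, ell = len(buckets), len(buckets[0])
        self.m, self.size, self.queries = m, n * ell, 0
        self.ys = list(range(n))               # constructed labels for y_1..y_n
        perm = list(range(n * ell))
        rng.shuffle(perm)
        self._f, self._t = {}, {}
        junk = n
        for i, b in enumerate(buckets):
            for p, v in enumerate(b):
                x = perm[i * ell + p]
                if v is STAR:
                    self._f[x], self._t[x] = junk, rng.randrange(m)
                    junk += 1
                else:
                    self._f[x], self._t[x] = i, v

    def f(self, x):
        self.queries += 1
        return self._f[x]

    def t(self, x):
        self.queries += 1
        return self._t[x]


def solve_hidden(inst, w, k):
    """Generic solver that ignores any bucket structure (which is exactly why
    it also solves the composed version): query f on all of D to find one
    preimage per y_i, query t on those preimages, then search the k-subsets
    whose t-values sum to w.  Returns (indices, preimages) or None."""
    pre = {}
    ys = set(inst.ys)
    for x in range(inst.size):
        y = inst.f(x)
        if y in ys and y not in pre:
            pre[y] = x
    tv = {y: inst.t(x) for y, x in pre.items()}
    for idx in combinations(sorted(pre), k):
        if sum(tv[y] for y in idx) % inst.m == w:
            return idx, [pre[y] for y in idx]
    return None


def demo(n=6, ell=4, k=3, m=101, seed=7):
    """Build a composed instance, mix it into a hidden one, solve it, and
    report the solution together with the number of oracle queries spent."""
    rng = random.Random(seed)
    buckets, w = random_composed_instance(n, ell, k, m, rng)
    inst = HiddenInstance(buckets, m, rng)
    idx, pre = solve_hidden(inst, w, k)       # never None: w was planted
    valid = (sum(inst._t[x] for x in pre) % m == w
             and all(inst._f[x] == y for x, y in zip(pre, idx)))
    return {"w": w, "indices": idx, "preimages": pre,
            "valid": valid, "queries": inst.queries}
```

The solver spends $|D| = N\ell$ queries to $f$ plus $N$ queries to $t$. Had it used the buckets, the exhaustive scan of $D$ would be replaced by one $\mathrm{pSEARCH}_\ell$ instance per $y_i$, which is precisely the extra structure that Definition 6 adds on top of Definition 4.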
We generalize the adversary lower bound method to handle average-case complexity. A similar bound from Ref. [8] already gives a lower bound technique on average-case query complexity, but it cannot be applied directly here, as we explain below.

We use the following complexity measure, closely related to the adversary bound [2, 17]. We give a formulation tailored to the following problem. Given two distributions $P$ and $Q$, and an algorithm that attempts to distinguish between them, we consider the number of queries this algorithm must make in order to succeed. The algorithm is given one input, and accepts if it thinks the sample it is given comes from $P$ and rejects otherwise. The measure of success is given by the probabilities $s_P$ and $s_Q$, which are the probabilities of accepting when the algorithm is given samples from $P$ and $Q$, respectively.

Definition 7.
Let $P$ and $Q$ be two probability distributions on $D$, and let $p_x$ and $q_y$ denote the probabilities of $x$ and $y$ in $P$ and $Q$, respectively. Let $s_P, s_Q$ be real numbers in $[0,1]$ (representing the acceptance probability on distributions $P$ and $Q$, respectively). For a given matrix $\Gamma$, define the adversary bound with respect to $\Gamma, P, s_P, Q, s_Q$ as
$$\mathrm{Adv}(\Gamma; P, s_P; Q, s_Q) = \Omega\left( \min_{j \in [n]} \frac{\delta_P^* \Gamma \delta_Q - \tau(s_P, s_Q)\, \|\Gamma\|}{\|\Gamma \circ \Delta_j\|} \right). \qquad (1)$$
Here, $\circ$ denotes the entrywise (or Hadamard) product, and $\|A\|$ denotes the spectral norm of $A$ (which is equal to its largest singular value). The vectors $\delta_P[x] = \sqrt{p_x}$ and $\delta_Q[y] = \sqrt{q_y}$ are unit vectors in $\mathbb{R}^{D}$; for $j \in [n]$, the $|D| \times |D|$ matrix $\Delta_j$ is defined by $\Delta_j[x,y] = 1_{x_j \ne y_j}$; and
$$\tau(s_P, s_Q) = \sqrt{s_P s_Q} + \sqrt{(1-s_P)(1-s_Q)}. \qquad (2)$$

Theorem 4.
Assume $A$ is a quantum algorithm that makes $T$ queries to the input string $x = (x_1, \ldots, x_n) \in D$, and then either accepts or rejects. Let $P$ and $Q$ be two probability distributions on $D$. Let $s_P$ and $s_Q$ be the acceptance probabilities of $A$ when $x$ is sampled from $P$ and $Q$, respectively. Then, $T \ge \mathrm{Adv}(\Gamma; P, s_P; Q, s_Q)$ for any $|D| \times |D|$ matrix $\Gamma$.

If $P$ and $Q$ have partial supports, then we may use a matrix $\Gamma$ whose rows are indexed by elements in the support of $P$ and columns by elements of the support of $Q$. In that case we can extend the matrix $\Gamma$ by adding all-0 rows and columns. Notice that this does not alter the value of Adv.

First let us consider why we need two distributions $P, Q$ on the inputs (and why we cannot use existing techniques such as Theorem 33 from Ref. [8] for decision problems, where $P = Q$). The distribution we care about is the uniform distribution over the positive instances. Under this distribution, the decision problem is of course trivial. Using this distribution as both $P$ and $Q$, as in Ref. [8], would give a trivial bound.

Instead, Theorem 4 gives a lower bound on the query complexity of an algorithm that attempts to distinguish between two distributions $P$ and $Q$. Taking $P$ as the uniform distribution over positive instances, and $Q$ as the uniform distribution over all instances, implies a lower bound for the search problem of finding $k$ elements that sum to $w$ with the promise that the instance is positive, by the following argument. Assume an algorithm solves the search problem with $T$ queries with non-vanishing probability. Then we can transform this algorithm into a distinguishing algorithm with one-sided error: if the algorithm outputs a candidate solution $a_1, \ldots, a_k$, make $k$ additional queries and check that they sum to $w$. If they do, accept, else reject. Then the acceptance probability on negative instances is 0. Since most instances are negative, the acceptance probability on the uniform distribution is close to 0.
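To make the quantities in Eq. (1) concrete, here is an added Python example (not from the paper) that evaluates $\delta_P^*\Gamma\delta_Q$, $\|\Gamma\|$, $\|\Gamma\circ\Delta_j\|$ and $\tau$ for the $\mathrm{pSEARCH}_\ell$ problem of Definition 5, using the matrix $\Gamma = J_\ell - I_\ell$ that Section 6 later uses for pSEARCH. It exhibits the point just made: with $P = Q$ the numerator of Eq. (1) vanishes and the bound is trivial, whereas two distributions with disjoint supports (needle in the first half of the bucket versus the second half) and a perfect distinguisher give a bound of order $\sqrt{\ell}$. The spectral norms are computed by a small power iteration written for the example, and $\Delta_j$ is built directly from its definition as the indicator that the two inputs differ at coordinate $j$.

```python
from math import sqrt

STAR = None  # stands in for the ⋆ symbol of a pSEARCH bucket


def bucket(ell, p):
    """A pSEARCH_ell input (Definition 5): a length-ell bucket whose single
    non-⋆ entry sits at position p.  The value itself plays no role for the
    matrices below, so it is simply marked with 1."""
    return tuple(1 if i == p else STAR for i in range(ell))


def delta(j, rows, cols):
    """Delta_j of Definition 7 restricted to the given row/column inputs:
    Delta_j[x, y] = 1 exactly when x and y differ in coordinate j, i.e. when
    the j-th query can tell the two inputs apart."""
    return [[1.0 if x[j] != y[j] else 0.0 for y in cols] for x in rows]


def hadamard(A, B):
    """Entrywise (Hadamard) product A o B."""
    return [[a * b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def spectral_norm(A, iters=300):
    """Largest singular value of A by power iteration on A^T A (pure Python,
    adequate for the tiny matrices used here)."""
    rows, cols = len(A), len(A[0])
    v = [1.0 + c / cols for c in range(cols)]          # deterministic start
    for _ in range(iters):
        Av = [sum(A[r][c] * v[c] for c in range(cols)) for r in range(rows)]
        AtAv = [sum(A[r][c] * Av[r] for r in range(rows)) for c in range(cols)]
        nrm = sqrt(sum(x * x for x in AtAv))
        if nrm == 0.0:
            return 0.0
        v = [x / nrm for x in AtAv]
    Av = [sum(A[r][c] * v[c] for c in range(cols)) for r in range(rows)]
    return sqrt(sum(x * x for x in Av))


def tau(s_P, s_Q):
    """Eq. (2): tau(s_P, s_Q) = sqrt(s_P s_Q) + sqrt((1 - s_P)(1 - s_Q))."""
    return sqrt(s_P * s_Q) + sqrt((1 - s_P) * (1 - s_Q))


def adversary_quantity(Gamma, dP, dQ, s_P, s_Q, rows, cols):
    """The expression inside Omega(.) in Eq. (1):
    min_j (dP^* Gamma dQ - tau(s_P, s_Q) ||Gamma||) / ||Gamma o Delta_j||.
    For a non-negative numerator the minimum over j is attained at the largest
    ||Gamma o Delta_j||, which is what is computed here."""
    numerator = sum(dP[r] * Gamma[r][c] * dQ[c]
                    for r in range(len(rows)) for c in range(len(cols)))
    numerator -= tau(s_P, s_Q) * spectral_norm(Gamma)
    n = len(rows[0])
    worst = max(spectral_norm(hadamard(Gamma, delta(j, rows, cols)))
                for j in range(n))
    return numerator / worst


def psearch_bounds(ell):
    """Worked numbers for pSEARCH_ell with Gamma = J - I: entry 1 between two
    buckets whose needles sit at different positions, 0 on the diagonal."""
    inputs = [bucket(ell, p) for p in range(ell)]
    Gamma = [[0.0 if x == y else 1.0 for y in inputs] for x in inputs]
    uniform = [1 / sqrt(ell)] * ell
    # (a) P = Q: tau(s, s) = 1 for every s, so the numerator vanishes; this is
    #     the trivial bound the text warns about.
    same = adversary_quantity(Gamma, uniform, uniform, 0.5, 0.5, inputs, inputs)
    # (b) P = needle in the first half, Q = needle in the second half, and a
    #     perfect distinguisher (s_P = 1, s_Q = 0): the bound equals
    #     (ell/2) / sqrt(ell - 1) for even ell, i.e. Theta(sqrt(ell)) queries.
    half = ell // 2
    dP = [1 / sqrt(half) if p < half else 0.0 for p in range(ell)]
    dQ = [1 / sqrt(ell - half) if p >= half else 0.0 for p in range(ell)]
    halves = adversary_quantity(Gamma, dP, dQ, 1.0, 0.0, inputs, inputs)
    return {
        "norm_J_minus_I": spectral_norm(Gamma),                       # ell - 1
        "norm_hadamard_delta": spectral_norm(
            hadamard(Gamma, delta(0, inputs, inputs))),               # sqrt(ell - 1)
        "same_distribution": same,                                    # 0
        "first_vs_second_half": halves,                               # (ell/2)/sqrt(ell-1)
    }
```

Case (b) is the situation Theorem 4 is designed for: $\delta_P$ and $\delta_Q$ have disjoint supports, so only the off-diagonal part of $\Gamma$ contributes to $\delta_P^*\Gamma\delta_Q$, while each $\Gamma\circ\Delta_j$ keeps just the row and column of position $j$ and has norm $\sqrt{\ell-1}$.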
We are interested in the acceptance probability on the positive instances, as a function of the number of queries $T$.

We now proceed to the proof of Theorem 4. Our proof is closely related to the proof of the worst-case negative-weighted adversary bound from Ref. [17]. We follow a slightly simplified version of the proof from Ref. [5]. As usual, we introduce a progress function and show that initially the progress function is large (Claim 1), that at the end it is small (Claim 2), and that at each step the decrease is bounded (Claim 3).

Proof of Theorem 4.
Recall that a quantum query algorithm is given by the following sequence of operations
$$U_0 \to O_x \to U_1 \to O_x \to U_2 \to \cdots \to U_{T-1} \to O_x \to U_T,$$
where $O_x$ denotes the input oracle, and the $U_i$'s are arbitrary unitary transformations. The operator $O_x$ is defined by $O_x|a\rangle|i\rangle = |a + x_i\rangle|i\rangle$, which can be decomposed as
$$O_x = \bigoplus_{j=0}^{n} O_{x_j}, \qquad (3)$$
where for $b \in G_m$, $O_b : |a\rangle|i\rangle \mapsto |a+b\rangle|i\rangle$. The addition in the first register is the group operation of $G_m$.

For an integer $t$ between 0 and $T$, and $x \in D$, let
$$\psi_x^{(t)} = U_t O_x U_{t-1} O_x \cdots U_1 O_x U_0 |0\rangle \qquad (4)$$
be the state of the algorithm on the input $x$ after $t$ queries. We define the quantity called the progress function as follows:
$$W^{(t)} = \sum_{x,y \in D} \sqrt{p_x q_y}\, \Gamma[x,y]\, \big\langle \psi_x^{(t)}, \psi_y^{(t)} \big\rangle. \qquad (5)$$
The proof is split into three parts: proving that $W^{(0)}$ is large, and that both $W^{(T)}$ and $W^{(t)} - W^{(t+1)}$ are small.

Claim 1. $W^{(0)} = \delta_P^*\Gamma\delta_Q$.

Proof. We have $\psi_x^{(0)} = U_0|0\rangle$ no matter what $x$ is. Hence, $\langle \psi_x^{(0)}, \psi_y^{(0)} \rangle = 1$ for all $x, y \in D$. Plugging this into Eq. 5 gives
$$W^{(0)} = \sum_{x,y\in D} \sqrt{p_x q_y}\,\Gamma[x,y] = \delta_P^*\Gamma\delta_Q.$$

Before we proceed, we need a simple result from linear algebra.
Lemma 1.
Let $A$ be an $n \times n$ matrix, and $U$ and $V$ be $m \times n$ matrices with columns $\{u_i\}_{i\in[n]}$ and $\{v_i\}_{i\in[n]}$, respectively. Then,
$$\Big|\sum_{i,j\in[n]} A[i,j]\,\langle u_i, v_j\rangle\Big| \le \|A\|\,\|U\|_F\,\|V\|_F.$$

Proof.
Using the Cauchy-Schwarz inequality and the definition of the spectral norm:
$$\Big|\sum_{i,j\in[n]} A[i,j]\,\langle u_i, v_j\rangle\Big| = |\langle A, U^*V\rangle| = |\langle UA, V\rangle| \le \|UA\|_F\,\|V\|_F \le \|A\|\,\|U\|_F\,\|V\|_F.$$

Claim 2. $W^{(T)} \le \left(\sqrt{s_P s_Q} + \sqrt{(1-s_P)(1-s_Q)}\right)\|\Gamma\|$.

Proof. Denote for brevity $\psi_x = \psi_x^{(T)}$. Also, let $\{\Pi_0, \Pi_1\}$ be the final measurement of the query algorithm $A$. We have
$$W^{(T)} = \sum_{x,y\in D} \sqrt{p_x q_y}\,\Gamma[x,y]\,\langle \Pi_0\psi_x, \Pi_0\psi_y\rangle + \sum_{x,y\in D} \sqrt{p_x q_y}\,\Gamma[x,y]\,\langle \Pi_1\psi_x, \Pi_1\psi_y\rangle. \qquad (6)$$
Let us estimate the first term of Eq. 6. Denote by $U$ and $V$ the matrices having $u_x = \sqrt{p_x}\,\Pi_0\psi_x$ and $v_y = \sqrt{q_y}\,\Pi_0\psi_y$ as their columns, respectively. Then, by Lemma 1, the first term of Eq. 6 is at most $\|\Gamma\|\,\|U\|_F\,\|V\|_F$, where
$$\|U\|_F^2 = \sum_{x\in D} p_x\,\|\Pi_0\psi_x\|^2 = 1 - s_P, \qquad\text{and}\qquad \|V\|_F^2 = \sum_{y\in D} q_y\,\|\Pi_0\psi_y\|^2 = 1 - s_Q.$$
Hence, the first term of Eq. 6 is at most $\sqrt{(1-s_P)(1-s_Q)}\,\|\Gamma\|$. Similarly, the second term is at most $\sqrt{s_P s_Q}\,\|\Gamma\|$. Adding them up, we get the required inequality.

Claim 3. $|W^{(t)} - W^{(t+1)}| \le 2\max_{j\in[n]} \|\Gamma\circ\Delta_j\|$.

Proof. Denote $\psi_x = \psi_x^{(t)}$ and $\psi'_x = \psi_x^{(t+1)}$. The vector $\psi_x$ can be decomposed as $\bigoplus_{j=0}^{n}\psi_{x,j}$, where the decomposition is the same as for $O_x$ in Eq. 3. If $x_j = y_j$, then the input oracle does not change the inner product between $\psi_{x,j}$ and $\psi_{y,j}$, hence the corresponding entry of $\Gamma$ can be ignored. Formally, for any $x, y \in D$, we have
$$\langle\psi_x, \psi_y\rangle - \langle\psi'_x, \psi'_y\rangle = \langle\psi_x, \psi_y\rangle - \langle O_x\psi_x, O_y\psi_y\rangle = \sum_{j=0}^{n} \chi_{x,y,j},$$
where $\chi_{x,y,j} = \langle\psi_{x,j}, \psi_{y,j}\rangle - \langle O_{x_j}\psi_{x,j}, O_{y_j}\psi_{y,j}\rangle$. Note that $\chi_{x,y,j} = 0$ if $x_j = y_j$. In particular, $\chi_{x,y,0} = 0$.
Thus,
$$|W^{(t)} - W^{(t+1)}| = \Big|\sum_{x,y\in D} \sqrt{p_x q_y}\,\Gamma[x,y]\big(\langle\psi_x,\psi_y\rangle - \langle\psi'_x,\psi'_y\rangle\big)\Big| = \Big|\sum_{x,y\in D}\sum_{j=0}^{n} \sqrt{p_x q_y}\,\Gamma[x,y]\,\chi_{x,y,j}\Big| = \Big|\sum_{j=1}^{n}\sum_{x,y\in D} \sqrt{p_x q_y}\,(\Gamma\circ\Delta_j)[x,y]\,\chi_{x,y,j}\Big|$$
$$\le \sum_{j=1}^{n}\Big|\sum_{x,y\in D} \sqrt{p_x q_y}\,(\Gamma\circ\Delta_j)[x,y]\,\langle\psi_{x,j},\psi_{y,j}\rangle\Big| + \sum_{j=1}^{n}\Big|\sum_{x,y\in D} \sqrt{p_x q_y}\,(\Gamma\circ\Delta_j)[x,y]\,\langle O_{x_j}\psi_{x,j}, O_{y_j}\psi_{y,j}\rangle\Big|. \qquad (7)$$
Let us estimate the second term, the first one being similar. For $j\in[n]$, let $U_j$ be the matrix with columns $u_{j,x} = \sqrt{p_x}\,O_{x_j}\psi_{x,j}$, and $V_j$ be the matrix with columns $v_{j,y} = \sqrt{q_y}\,O_{y_j}\psi_{y,j}$. By Lemma 1 and the Cauchy-Schwarz inequality, the second term of Eq. 7 is at most
$$\sum_{j=1}^{n}\|\Gamma\circ\Delta_j\|\,\|U_j\|_F\,\|V_j\|_F \le \max_{j\in[n]}\|\Gamma\circ\Delta_j\| \sum_{j=1}^{n}\|U_j\|_F\,\|V_j\|_F \le \max_{j\in[n]}\|\Gamma\circ\Delta_j\| \sqrt{\Big(\sum_{j=1}^{n}\|U_j\|_F^2\Big)\Big(\sum_{j=1}^{n}\|V_j\|_F^2\Big)}.$$
Also, we have
$$\sum_{j=1}^{n}\|U_j\|_F^2 = \sum_{j=1}^{n}\sum_{x\in D} p_x\,\big\|O_{x_j}\psi_{x,j}\big\|^2 = \sum_{x\in D} p_x \sum_{j=1}^{n}\|\psi_{x,j}\|^2 \le \sum_{x\in D} p_x\,\|\psi_x\|^2 = \sum_{x\in D} p_x = 1,$$
and, similarly, $\sum_{j=1}^{n}\|V_j\|_F^2 \le 1$. Combining the last three inequalities, we get that the second term of Eq. 7 is at most $\max_{j\in[n]}\|\Gamma\circ\Delta_j\|$. Using the same estimate for the first term, we obtain the required inequality.

This concludes the proof of Theorem 4.

k-SUM

Recall the $k$-SUM problem on $n$ elements in an abelian group $G_m$ where $m$ is the order of the group. Let $w$ be a fixed element of $G_m$. An input $x = (x_1, \ldots, x_n)$ is called positive if there exists a $k$-subset $V = \{t_1, \ldots, t_k\} \subseteq [n]$ such that $x_{t_1} + \cdots + x_{t_k} = w$ in $G_m$. Otherwise, the input is called negative.

Consider the following probability distribution $P$ on positive inputs:
• Select a $k$-subset $U$ of $[n]$ uniformly at random;
• assign to $U$ a uniformly random string in $G_m^{|U|}$ whose sum is $w$;
• choose the remaining elements uniformly at random.

Theorem 5.
Assume $S$ is a quantum algorithm for the search problem $k$-SUM that makes $T$ queries and succeeds with probability $\nu > 0$ over inputs sampled from the distribution $P$. Then,
$$T\nu = \Omega\left(n^{k/(k+1)}\right),$$
provided that $\nu = \omega\left(n^{-1/(k+1)}\right)$ and $m = \Omega\left(n^{k + 2/(k+1)}\right)$, where $m$ is again the order of the underlying abelian group.

This theorem uses the following claim.
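Before the claims, here is an added Python illustration (not from the paper) of the distribution $P$ just defined and of the search-to-distinguisher reduction used in the proof of Theorem 5: a sampler for $P$, a query-counting oracle, a brute-force stand-in for the search algorithm $S$, the distinguisher $A$ that re-queries the $k$ coordinates $S$ names and accepts iff they sum to $w$, and an exact check (by enumeration, for tiny parameters) that the probability that a uniform input is positive lies below the union bound $\binom{n}{k}/m$. The brute-force $S$, the negative input and the sample parameters are constructed for the example.

```python
import random
from itertools import combinations, product
from math import comb, sqrt


def sample_positive(n, k, m, w, rng):
    """One sample from the distribution P of Section 5: pick a k-subset U of
    [n] uniformly, give U a uniformly random string in G_m^{|U|} whose sum is
    w (the first k-1 entries uniform, the last one forced), and leave the
    other n-k coordinates uniformly random."""
    x = [rng.randrange(m) for _ in range(n)]
    U = rng.sample(range(n), k)
    x[U[-1]] = (w - sum(x[i] for i in U[:-1])) % m
    return x


class CountingOracle:
    """Query access to an input x in G_m^n; every read of a coordinate is charged."""

    def __init__(self, x):
        self.x, self.queries = x, 0

    def __call__(self, i):
        self.queries += 1
        return self.x[i]


def brute_force_search(oracle, n, k, m, w):
    """A stand-in for the search algorithm S: read all n coordinates and return
    a k-subset summing to w if there is one (an arbitrary one otherwise)."""
    vals = [oracle(i) for i in range(n)]
    for V in combinations(range(n), k):
        if sum(vals[i] for i in V) % m == w:
            return V
    return tuple(range(k))


def distinguisher(oracle, n, k, m, w, search=brute_force_search):
    """The algorithm A from the proof of Theorem 5: run S, spend k further
    queries re-reading the coordinates it named, and accept iff they sum to w.
    A therefore never accepts a negative input (one-sided error)."""
    V = search(oracle, n, k, m, w)
    return sum(oracle(i) for i in V) % m == w


def positive_fraction(n, k, m, w):
    """Exact probability that a uniform input in G_m^n is positive, by
    enumeration (tiny parameters only); the union bound caps it at comb(n, k) / m."""
    positive = 0
    for x in product(range(m), repeat=n):
        if any(sum(x[i] for i in V) % m == w for V in combinations(range(n), k)):
            positive += 1
    return positive / m ** n


def tau(s_P, s_Q):
    """Eq. (2): tau(s_P, s_Q) = sqrt(s_P s_Q) + sqrt((1 - s_P)(1 - s_Q))."""
    return sqrt(s_P * s_Q) + sqrt((1 - s_P) * (1 - s_Q))


def demo(n=3, k=2, m=31, w=5, trials=200, seed=3):
    """Run A on samples from P (the brute-force S always succeeds, so s_P = 1),
    on a constructed negative input, and compare the exact positive fraction
    with the union bound; report tau for the resulting acceptance probabilities."""
    rng = random.Random(seed)
    accepted, queries_ok = 0, True
    for _ in range(trials):
        oracle = CountingOracle(sample_positive(n, k, m, w, rng))
        accepted += distinguisher(oracle, n, k, m, w)
        queries_ok &= (oracle.queries == n + k)   # T + k queries, as in the proof
    s_P = accepted / trials
    negative = CountingOracle([0] * n)              # constructed: no k-subset sums to w != 0
    s_Q_bound = comb(n, k) / m
    return {"s_P": s_P,
            "queries_ok": queries_ok,
            "rejects_negative": not distinguisher(negative, n, k, m, w),
            "positive_fraction": positive_fraction(n, k, m, w),
            "union_bound": s_Q_bound,
            "tau": tau(s_P, s_Q_bound)}
```

With $s_P = 1$ the second square root in $\tau$ vanishes and $\tau \le \sqrt{\binom{n}{k}/m}$, which is the quantity the condition on $m$ in Theorem 5 drives below $\nu$.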
Claim 4.
Let the distribution $P$ be as above, and $Q$ be the uniform distribution on all the inputs. There exists a matrix $\Gamma$ satisfying the following constraints:
$$\delta_P^*\Gamma\delta_Q = n^{k/(k+1)}, \qquad \|\Gamma\| \le \left(1 + O\left(n^{-1/(k+1)}\right)\right) n^{k/(k+1)}, \qquad\text{and}\qquad \|\Gamma\circ\Delta_j\| = O(1)$$
in the notation of Theorem 4.

Proof. Our construction is the same as in Refs [7, 6], which we sketch below. The matrix $\Gamma$ consists of $\binom{n}{k}$ matrices $G_V$ stacked one on another for all possible choices of $V = \{t_1, \ldots, t_k\} \subset [n]$:
$$\Gamma = \begin{pmatrix} G_{1,2,\ldots,k} \\ G_{1,2,\ldots,k-1,k+1} \\ \vdots \\ G_{n-k+1,n-k+2,\ldots,n} \end{pmatrix}. \qquad (8)$$
For $V = \{t_1, \ldots, t_k\}$, $G_V$ is a $P_V \times D$ matrix, where $D = G_m^n$ and $P_V = \{x \in D \mid x_{t_1} + \cdots + x_{t_k} = w\}$. Note that the uniform distributions on the labels of the rows and of the columns of $\Gamma$ generate the probability distributions $P$ and $Q$, respectively.

Let $E_0 = J_m/m$ be the $m \times m$ matrix with all entries $1/m$, and let $E_1 = I - E_0$. For $U \subseteq [n]$, define a $D \times D$ matrix $E^U = \bigotimes_{j\in[n]} E_{s_j}$, where $s_j = 1$ if $j \in U$ and $s_j = 0$ otherwise. The matrices $G_V$ in Eq. 8 are given by
$$G_V = \sqrt{m}\sum_{U\subseteq[n]:\, V\not\subseteq U} \alpha_{|U|}\, E^U_{P_V, D}, \qquad (9)$$
where
$$\alpha_\ell = \binom{n}{k}^{-1/2} \max\left\{n^{k/(k+1)} - \ell,\ 0\right\}. \qquad (10)$$
This finishes the definition of the matrix $\Gamma$. From Refs [7, 6], we have the following estimate:

Claim 5.
For $\Gamma$ defined above and $j \in [n]$, we have $\|\Gamma\circ\Delta_j\| = O(1)$.

Let $e_0, \ldots, e_{m-1}$ be the Fourier basis of $\mathbb{C}^{G_m}$. Recall that it is an orthonormal basis given by $e_i[j] = \frac{1}{\sqrt m}\,\omega^{ij}$, where $\omega = e^{2\pi i/m}$. For $v = (v_1, \ldots, v_n) \in D$, define the vector $e_v = e_{v_1}\otimes e_{v_2}\otimes\cdots\otimes e_{v_n}$. These vectors form the Fourier basis of $\mathbb{C}^{D}$. The support of $v$ is defined as $\mathrm{supp}(v) = \{i \in [n] \mid v_i \ne 0\}$. The weight of $v$ is defined as the size of the support: $|v| = |\mathrm{supp}(v)|$.

Let $V = \{t_1, \ldots, t_k\} \subseteq [n]$ be fixed, and denote $t = t_1$ for brevity. We can identify the sequences in $P_V$ with the sequences in $D' = G_m^{[n]\setminus\{t\}}$, since any sequence $x$ in $D'$ can be uniquely extended to a sequence in $P_V$ using the condition $x_{t_1} + \cdots + x_{t_k} = w$. Note that for any $v \in D$ and $x \in P_V$, we have
$$e_v[x] = \frac{1}{m^{n/2}}\,\omega^{\sum_{j\in[n]} v_j x_j} = \frac{1}{m^{n/2}}\,\omega^{w v_t}\,\omega^{\sum_{j\in V}(v_j - v_t)x_j + \sum_{j\notin V} v_j x_j}.$$
Hence,
$$\sqrt{m}\,E^U_{P_V,D}\,e_v = \begin{cases}\omega^{w v_t}\,e_{v'} & \text{if } \mathrm{supp}(v) = U; \\ 0 & \text{otherwise;}\end{cases} \qquad (11)$$
where $e_{v'}$ is the element of the Fourier basis of $\mathbb{C}^{D'}$ defined by
$$v'_j = \begin{cases} v_j - v_t & \text{for } j \in V\setminus\{t\}; \\ v_j & \text{for } j \in [n]\setminus V.\end{cases}$$
This suggests the following definition: we say that $v \in G_m^n$ can be obtained from $u \in G_m^n$ by a shift in $V$ if there exists $a \in G_m$ such that
$$v_j = \begin{cases} u_j + a & \text{for } j \in V; \\ u_j & \text{for } j \in [n]\setminus V.\end{cases}$$
Equations 11 and 9 imply that for sequences $u, v \in D$, we have
$$\big|\langle G_V e_u, G_V e_v\rangle\big| = \begin{cases}\alpha_{|u|}\,\alpha_{|v|} & \text{if } V \not\subseteq \mathrm{supp}(u),\ V \not\subseteq \mathrm{supp}(v), \text{ and } v \text{ can be obtained from } u \text{ by a shift in } V; \\ 0 & \text{otherwise.}\end{cases} \qquad (12)$$
Now we are ready to continue with the proof of all statements in Claim 4.

Claim 6. $\delta_P^*\Gamma\delta_Q = n^{k/(k+1)}$.

Proof. Let $\mathbf{0} = 0^n \in D$ and $\mathbf{0}' = 0^{n-1} \in D'$. Then, using Eqs 8, 11 and 10, we have
$$\delta_P^*\Gamma\delta_Q = \sum_{V\subseteq[n]:\,|V|=k}\binom{n}{k}^{-1/2} e_{\mathbf{0}'}^*\,G_V\,e_{\mathbf{0}} = \sum_{V\subseteq[n]:\,|V|=k}\binom{n}{k}^{-1/2} e_{\mathbf{0}'}^*\,\alpha_0\,e_{\mathbf{0}'} = \sum_{V\subseteq[n]:\,|V|=k}\binom{n}{k}^{-1/2}\binom{n}{k}^{-1/2} n^{k/(k+1)} = n^{k/(k+1)}.$$

Claim 7.
$\|\Gamma\| \le \left(1 + O\left(n^{-1/(k+1)}\right)\right) n^{k/(k+1)}$.

Proof. The norm of $\Gamma$ equals the square root of the norm of
$$\Gamma^*\Gamma = \sum_{V\subseteq[n]:\,|V|=k} G_V^*G_V. \qquad (13)$$
We upper bound the latter by the maximal $\ell_1$-norm of a column of the matrix in Eq. 13 in the Fourier basis. Fix $v \in D$. From Eq. 12, we get the following estimate on the diagonal entry corresponding to $e_v$:
$$e_v^*\,\Gamma^*\Gamma\,e_v \le \binom{n}{k}\alpha_{|v|}^2 \le n^{2k/(k+1)}.$$
Now, let us estimate the off-diagonal entries in the column corresponding to $e_v$. Equation 12 tells us that any off-diagonal entry can only come from $G_V^*G_V$ where $V \cap \mathrm{supp}(v) \ne \emptyset$, and also each such $V$ contributes at most $k$ off-diagonal entries. Thus, the sum of the absolute values of these off-diagonal entries is at most
$$|v|\binom{n}{k-1}\cdot k\cdot\alpha_0^2 = O\left(n^{-1/(k+1)}\right) n^{2k/(k+1)},$$
since we may assume that $|v| \le n^{k/(k+1)}$ (otherwise, $\alpha_{|v|} = 0$). Summing both contributions, we get the required bound.

This concludes the proof of Claim 4.

Proof of Theorem 5.
Let $S$ be the algorithm of Theorem 5. We apply Theorem 4 to the algorithm $A$ defined as follows, using the constraints from Claim 4 to evaluate Adv. First, $A$ executes $S$ on its input. Let $\{t_1, \ldots, t_k\}$ be the output of $S$. The algorithm $A$ then queries the elements $x_{t_1}, \ldots, x_{t_k}$. It accepts if $x_{t_1} + \cdots + x_{t_k} = w$, and rejects otherwise.

The query complexity of $A$ is $T + k = T + O(1)$. The acceptance probability on distribution $P$ is $s_P = \nu$. Also, since $A$ always rejects a negative input,
$$s_Q \le \Pr_{x\sim Q}\big[\text{the input } x \text{ is positive}\big] \le \frac{1}{m}\binom{n}{k},$$
the last inequality following from the union bound. Thus, we have the following estimate on $\tau(s_P, s_Q)$:
$$\tau(s_P, s_Q) = \sqrt{s_P s_Q} + \sqrt{(1-s_P)(1-s_Q)} \le \sqrt{\frac{1}{m}\binom{n}{k}} + \sqrt{1-\nu},$$
and using the conditions on $m$ and $\nu$, we obtain:
$$\frac{\delta_P^*\Gamma\delta_Q - \tau(s_P,s_Q)\,\|\Gamma\|}{\|\Gamma\circ\Delta_j\|} = \frac{n^{k/(k+1)} - \big(1 - \Omega(\nu)\big)\big(1 + O(n^{-1/(k+1)})\big)\,n^{k/(k+1)}}{O(1)} = \Omega\left(\nu\,n^{k/(k+1)}\right).$$

Composition Theorem for the Average-Case Adversary Bound
We now prove the last remaining theorem needed to obtain the lower bound on the average-case complexity of $k\text{-SUM}\circ\mathrm{pSEARCH}_\ell^n$ (see Section 3.3). Recall that in this version, each input variable $x_i \in G_m$ is embedded into a "bucket", that is, a sequence $(x_{i1}, \ldots, x_{i\ell}) \in (G_m\cup\{\star\})^\ell$ in which exactly one element is non-$\star$. To apply our average-case adversary lower bound method, we need to define the probability distributions and the matrix that appears in Eq. 1 for the composed problem. Intuitively, this is done by tensoring the matrices of the two problems that are composed, as well as the vectors that represent the probability distributions. However, defining the matrix correctly to get a lower bound for the composed problem requires a careful analysis.

We use the distributions $P_F$ and $Q_F$ to pick inputs to the outer function $F$, and the uniform distribution to place each element of the input independently in its bucket. Formally, we write $P = P_F \otimes U_\ell^{\otimes n}$, where $U_\ell$ is the uniform distribution over $[\ell]$ and the distributions are viewed as real-valued vectors indexed by elements of their supports. The definition of $Q$ is similar, starting from $Q_F$.

Lemma 2.
Let $F : A^n \to B$, $\mathrm{pSEARCH}_\ell : P \to A$ where $P \subseteq (A\cup\{\star\})^\ell$ is the set of all possible buckets, $H = F\circ\mathrm{pSEARCH}_\ell^n$, and $P_F, Q_F, P$ and $Q$ be defined as above. Then for any real numbers $s_P, s_Q \in [0,1]$ and matrix $\Gamma_F$, there exists a matrix $\Gamma_H$ such that
$$\mathrm{Adv}(\Gamma_H; P, s_P; Q, s_Q) \ge \mathrm{Adv}(\Gamma_F; P_F, s_P; Q_F, s_Q)\,\sqrt{\ell - 1}.$$

Theorem 6.
Any algorithm that finds a solution to the search version of $k\text{-SUM}\circ\mathrm{pSEARCH}_\ell^n$ within $T$ queries with probability $\nu > 0$ on average over the uniform distribution on positive instances requires
$$T\nu = \Omega\left(\sqrt{\ell - 1}\; n^{k/(k+1)}\right)$$
provided $m = \omega\left(n^{k + 2/(k+1)}\right)$.

The rest of this section is devoted to the proof of Theorem 6. It follows closely the proof of the composition theorem in Ref. [12], and in particular the adversary matrix for $H$ we use here has the same structure as the matrices considered in that paper. This allows us to re-use some of the calculations from that paper (see Claims 9 and 10).

We use the following notation. Let $X, Y \in A^n$ denote inputs to $F$. Their components are $X_i \in A$. The value $\Gamma_F[X,Y]$ is a scalar. Notice that for the $k$-SUM problem, the rows of the matrix defined in the previous section are only defined for positive inputs. In order to reuse the norm calculations from the composition theorem in Ref. [12], we need to extend it to all possible inputs. We do so by extending the matrix for $k$-SUM with rows of zeros. This transformation does not change the norm of the matrix. Similarly, the vector $\delta_{P_F}$ can be extended with zeros to be defined for any input.

Proof of Lemma 2.
The adversary matrix for the composed problem $H$ is denoted $\Gamma_H$. We consider blocks of $\Gamma_H$ indexed by values $X, Y$, which we denote $\Gamma_H^{X,Y}$. (These $\ell^n \times \ell^n$ blocks are the submatrix corresponding to all the inputs for which the input to $F$ is $X$, in the rows, and $Y$, in the columns.) As in Ref. [12], we define $\Gamma_H$ by blocks as follows:
$$\Gamma_H^{X,Y} = \Gamma_F[X,Y]\cdot\bigotimes_{i\in[n]}\Gamma^{X_i,Y_i}, \qquad a, b \in A,\quad \Gamma^{a,b} = \begin{cases}\|J_\ell - I_\ell\|\cdot I_\ell & \text{if } a = b, \\ J_\ell - I_\ell & \text{otherwise.}\end{cases}$$
An optimal adversary matrix for pSEARCH can be obtained by taking $J_\ell - I_\ell$ for all blocks except the diagonal ones, which are all zeroes. But if we were using it, a block $\Gamma_H^{X,Y}$ would be zero whenever there is an $i$ such that $X_i = Y_i$. Using the matrix $\Gamma$, with modified diagonal blocks, overcomes this issue.

From the distributions $P_F$ and $Q_F$, we define the vector $\delta_{P_F} = \sqrt{P_F}$, that is, $\delta_{P_F}[X] = \sqrt{\Pr_{X\sim P_F}[X]}$ (similarly for $\delta_{Q_F}$). Again, we can split $\delta_{P_F}$ into blocks $\delta_{P_F}^X$.

With these definitions in hand, we can compute the terms that appear in Eq. 1 of Definition 7. This is done in Claims 8, 9, and 10. When referring to Ref. [12], we use $S_i = J_\ell - I_\ell$ for all $i$ ($1 \le i \le n$).

Claim 8. $\delta_P^\dagger\Gamma_H\delta_Q = \delta_{P_F}^\dagger\Gamma_F\delta_{Q_F}\cdot\|J_\ell - I_\ell\|^n$.

Claim 9. [12, claim on last line of page 409] $\|\Gamma_H\| = \|\Gamma_F\|\cdot\|J_\ell - I_\ell\|^n$.

Claim 10. [12, claim near the end of page 410] For a query $i$ that corresponds to index $q$ in the bucket $p$, $\|\Gamma_H\circ\Delta_i\| = \|\Gamma_F\circ\Delta_p\|\cdot\|J_\ell - I_\ell\|^{n-1}\cdot\|(J_\ell - I_\ell)\circ\Delta_q\|$.

Claims 9 and 10 were proven in the arXiv extended version of Ref. [12]. Although the claims in the original Crypto version of Ref. [12] consider specifically the Element Distinctness problem, the paper mentions that an explicit description of the adversary matrix is not needed (such a description was indeed unknown when this proof was given). For this reason, these two claims apply to any outer function $F$, and in particular to $k$-SUM. Note that the arXiv extended version of Ref. [12] contains the proofs for arbitrary outer functions.

Proof of Claim 8.
$$\delta_P^\dagger\Gamma_H\delta_Q = \sum_{X,Y}\big(\delta_P^X\big)^\dagger\,\Gamma_H^{X,Y}\,\delta_Q^Y = \sum_{X,Y}\big(\delta_P^X\big)^\dagger\,\Gamma_F[X,Y]\cdot\bigotimes_{i\in[n]}\Gamma^{X_i,Y_i}\,\delta_Q^Y$$
$$= \sum_{X,Y}\Big(\delta_{P_F}^X\otimes\sqrt{U_\ell^{\otimes n}}\Big)^\dagger\,\Gamma_F[X,Y]\cdot\bigotimes_{i\in[n]}\Gamma^{X_i,Y_i}\,\Big(\delta_{Q_F}^Y\otimes\sqrt{U_\ell^{\otimes n}}\Big)$$
$$= \sum_{X,Y}\big(\delta_{P_F}^X\big)^\dagger\,\Gamma_F[X,Y]\,\big(\delta_{Q_F}^Y\big)\;\sqrt{U_\ell^{\otimes n}}^{\,\dagger}\bigotimes_{i\in[n]}\Gamma^{X_i,Y_i}\sqrt{U_\ell^{\otimes n}} = \sum_{X,Y}\big(\delta_{P_F}^X\big)^\dagger\,\Gamma_F[X,Y]\,\big(\delta_{Q_F}^Y\big)\prod_{i\in[n]}\|\Gamma^{X_i,Y_i}\| = \delta_{P_F}^\dagger\Gamma_F\delta_{Q_F}\,\|J_\ell - I_\ell\|^n,$$
which concludes the proof of the claim.

Using the facts that $\|J_\ell - I_\ell\| = \ell - 1$ and $\|(J_\ell - I_\ell)\circ\Delta_q\| = \sqrt{\ell - 1}$, we immediately get Lemma 2 by substituting the values obtained in Claims 8, 9 and 10 into Definition 7.

Proof of Theorem 6. Using the values computed in Section 5, we get
$$T = \Omega\left(\frac{\delta_{P_F}^\dagger\Gamma_F\delta_{Q_F} - \tau(s_P,s_Q)\,\|\Gamma_F\|}{\|\Gamma_F\circ\Delta_i\|}\,\sqrt{\ell - 1}\right) = \Omega\left(n^{k/(k+1)}\sqrt{\ell - 1}\left(\nu - \sqrt{\frac{1}{m}\binom{n}{k}}\right)\right).$$
Suppose that $\nu$ is non-vanishing. Since $m$ is chosen large enough to make $\frac{1}{m}\binom{n}{k}$ arbitrarily small, we get
$$T\nu = \Omega\left(\sqrt{\ell - 1}\; n^{k/(k+1)}\right).$$

Acknowledgements
We are grateful to Kassem Kalach, with whom this work was initiated many years ago. Part of this work was performed when GB visited AB, then at QuSoft in Amsterdam.

The work of AB is supported in part by the ERC Advanced Grant MQC. The work of GB is supported in part by the Canadian Institute for Advanced Research (CIFAR), the Canada Research Chair program, Canada's Natural Sciences and Engineering Research Council (NSERC) and Québec's Institut transdisciplinaire d'information quantique. The work of PH is supported in part by CIFAR and NSERC. The work of MK is supported in part by EPSRC grant number EP1N003829/1 Verification of Quantum Technology. The work of SL is supported in part by the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 600700 (QALGO) and the French ANR Blanc grant RDAM ANR-12-BS02-005. The work of LS is supported in part by the NSERC discovery grant and discovery accelerator supplements programs.
References

[1] S. Aaronson and Y. Shi. Quantum lower bounds for the collision and the element distinctness problems. Journal of the ACM (4):595–605, 2004.
[2] A. Ambainis. Quantum lower bounds by quantum arguments. Journal of Computer and System Sciences :750–767, 2002.
[3] A. Ambainis. Polynomial degree and lower bounds in quantum complexity: Collision and element distinctness with small range. Theory of Computing (1):37–46, 2005.
[4] B. Barak and M. Mahmoody-Ghidary. Merkle puzzles are optimal — An O(n)-query attack on any key exchange from a random oracle. In Advances in Cryptology – Proceedings of Crypto 2009, pages 374–390, 2009.
[5] A. Belovs. Applications of the Adversary Method in Quantum Query Algorithms. PhD thesis, University of Latvia, 2014.
[6] A. Belovs and A. Rosmanis. On the power of non-adaptive learning graphs. Computational Complexity (2):323–354, 2014.
[7] A. Belovs and R. Špalek. Adversary lower bound for the k-sum problem. In Proceedings of 4th ACM Innovations in Theoretical Computer Science, pages 323–328, 2013.
[8] A. Belovs. Variations on quantum adversary. http://arxiv.org/abs/1504.06943, April 2015.
[9] C. H. Bennett and G. Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of International Conference on Computers, Systems & Signal Processing, Bangalore, pages 175–179, 1984. Republished in 30th Anniversary Commemorative Issue of Theoretical Computer Science (Part 1):7–11, 2014.
[10] M. Boyer, G. Brassard, P. Høyer and A. Tapp. Tight bounds on quantum searching. Fortschritte der Physik :493–505, 1998.
[11] G. Brassard. Cryptography in a quantum world. In Proceedings of SOFSEM 2016: Theory and Practice of Computer Science, pages 3–16, 2016.
[12] G. Brassard, P. Høyer, K. Kalach, M. Kaplan, S. Laplante and L. Salvail. Merkle puzzles in a quantum world. In Advances in Cryptology – Proceedings of Crypto 2011, pages 391–410, 2011. Extended version available at http://arxiv.org/abs/1108.2316v1.
[13] G. Brassard, P. Høyer, K. Kalach, M. Kaplan, S. Laplante and L. Salvail. Key establishment à la Merkle in a quantum world. http://arxiv.org/abs/1108.2316v2, February 2015.
[14] G. Brassard and L. Salvail. Quantum Merkle puzzles. Proceedings of Second International Conference on Quantum, Nano, and Micro Technologies, pages 76–79, 2008.
[15] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory (6):644–654, 1976.
[16] L. K. Grover. Quantum mechanics helps in searching for a needle in a haystack. Physical Review Letters (2):325–328, 1997.
[17] P. Høyer, T. Lee and R. Špalek. Negative weights make adversaries stronger. In Proceedings of 39th Annual ACM Symposium on Theory of Computing, pages 526–535, 2007. http://dx.doi.org/10.1145/1250790.1250867.
[18] R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of 21st Annual ACM Symposium on Theory of Computing, pages 44–61, 1989.
[19] S. Kutin. Quantum lower bound for the collision problem with small range. Theory of Computing (1):29–36, 2005.
[20] T. Lee, R. Mittal, B. W. Reichardt, R. Špalek and M. Szegedy. Quantum query complexity of state conversion. In Proceedings of 52nd Annual IEEE Symposium on Foundations of Computer Science, pages 344–353, 2011.
[21] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar and V. Makarov. Hacking commercial quantum cryptography systems by tailored bright illumination. Nature Photonics (10):686–689, 2010.
[22] F. Magniez, A. Nayak, J. Roland and M. Santha. Search via quantum walk. SIAM Journal on Computing (1):142–164, 2011.
[23] R. Merkle. Publishing a new idea.
[24] R. Merkle. Secure communications over insecure channels. Communications of the ACM (4):294–299, 1978.
[25] R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM (2):120–126, 1978.
[26] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing :1484–1509, 1997.
[27] P. Wayner. British document outlines early encryption discovery. New York Times Technology Cybertimes column, 24 December 1997.
[28] Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen and H.-K. Lo. Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems. Physical Review A78