Lower Bounds for Function Inversion with Quantum Advice

Function inversion is the problem that given a random function $f: [M] \to [N]$, we want to find pre-image of any image $f^{-1}(y)$ in time $T$. In this work, we revisit this problem under the preprocessing model where we can compute some auxiliary information or advice of size $S$ that only depends on $f$ but not on $y$. It is a well-studied problem in the classical settings, however, it is not clear how quantum algorithms can solve this task any better besides invoking Grover's algorithm, which does not leverage the power of preprocessing. Nayebi et al. proved a lower bound $ST^2 \ge \tilde\Omega(N)$ for quantum algorithms inverting permutations, however, they only consider algorithms with classical advice. Hhan et al. subsequently extended this lower bound to fully quantum algorithms for inverting permutations. In this work, we give the same asymptotic lower bound to fully quantum algorithms for inverting functions for fully quantum algorithms under the regime where $M = O(N)$. In order to prove these bounds, we generalize the notion of quantum random access code, originally introduced by Ambainis et al., to the setting where we are given a list of (not necessarily independent) random variables, and we wish to compress them into a variable-length encoding such that we can retrieve a random element just using the encoding with high probability. As our main technical contribution, we give a nearly tight lower bound (for a wide parameter range) for this generalized notion of quantum random access codes, which may be of independent interest.Comment: ITC full versio

Tight Quantum Time-Space Tradeoffs for Function Inversion

In function inversion, we are given a function $f: [N] \mapsto [N]$, and want to prepare some advice of size $S$, such that we can efficiently invert any image in time $T$. This is a well studied problem with profound connections to cryptography, data structures, communication complexity, and circuit lower bounds. Investigation of this problem in the quantum setting was initiated by Nayebi, Aaronson, Belovs, and Trevisan (2015), who proved a lower bound of $ST^2 = \tilde\Omega(N)$ for random permutations against classical advice, leaving open an intriguing possibility that Grover\u27s search can be sped up to time $\tilde O(\sqrt{N/S})$. Recent works by Hhan, Xagawa, and Yamakawa (2019), and Chung, Liao, and Qian (2019) extended the argument for random functions and quantum advice, but the lower bound remains $ST^2 = \tilde\Omega(N)$. In this work, we prove that even with quantum advice, $ST + T^2 = \tilde\Omega(N)$ is required for an algorithm to invert random functions. This demonstrates that Grover\u27s search is optimal for $S = \tilde O(\sqrt{N})$, ruling out any substantial speed-up for Grover\u27s search even with quantum advice. Further improvements to our bounds would imply new classical circuit lower bounds, as shown by Corrigan-Gibbs and Kogan (2019). To prove this result, we develop a general framework for establishing quantum time-space lower bounds. We further demonstrate the power of our framework by proving the following results. * Yao\u27s box problem: We prove a tight quantum time-space lower bound for classical advice. For quantum advice, we prove a first time-space lower bound using shadow tomography. These results resolve two open problems posted by Nayebi et al (2015). * Salted cryptography: We show that “salting generically provably defeats preprocessing,” a result shown by Coretti, Dodis, Guo, and Steinberger (2018), also holds in the quantum setting. In particular, we prove quantum time-space lower bounds for a wide class of salted cryptographic primitives in the quantum random oracle model. This yields a first quantum time-space lower bound for salted collision-finding, which in turn implies that ${PWPP}^{O} \not\subseteq {FBQP}^{O}{/qpoly}$ relative to a random oracle $O$

Quantum lower bound for inverting a permutation with advice

Given a random permutation $f: [N] \to [N]$ as a black box and $y \in [N]$, we want to output $x = f^{-1}(y)$. Supplementary to our input, we are given classical advice in the form of a pre-computed data structure; this advice can depend on the permutation but \emph{not} on the input $y$. Classically, there is a data structure of size $\tilde{O}(S)$ and an algorithm that with the help of the data structure, given $f(x)$, can invert $f$ in time $\tilde{O}(T)$, for every choice of parameters $S$, $T$, such that $S\cdot T \ge N$. We prove a quantum lower bound of $T^2\cdot S \ge \tilde{\Omega}(\epsilon N)$ for quantum algorithms that invert a random permutation $f$ on an $\epsilon$ fraction of inputs, where $T$ is the number of queries to $f$ and $S$ is the amount of advice. This answers an open question of De et al. We also give a $\Omega(\sqrt{N/m})$ quantum lower bound for the simpler but related Yao's box problem, which is the problem of recovering a bit $x_j$, given the ability to query an $N$-bit string $x$ at any index except the $j$-th, and also given $m$ bits of advice that depend on $x$ but not on $j$.Comment: To appear in Quantum Information & Computation. Revised version based on referee comment

양자 컴퓨터에 대한 암호학적 알고리즘

학위논문(박사) -- 서울대학교대학원 : 자연과학대학 수리과학부, 2022. 8. 이훈희.The advent of a quantum mechanical computer presents a clear threat to existing cryptography. On the other hand, the quantum computer also suggests the possibility of a new cryptographic protocol through the properties of quantum mechanics. These two perspectives, respectively, gave rise to a new field called post-quantum cryptography as a countermeasure against quantum attacks and quantum cryptography as a new cryptographic technology using quantum mechanics, which are the subject of this thesis. In this thesis, we reconsider the security of the current post-quantum cryptography through a new quantum attack, model, and security proof. We present the fine-grained quantum security of hash functions as cryptographic primitives against preprocessing adversaries. We also bring recent quantum information theoretic research into cryptography, creating new quantum public key encryption and quantum commitment. Along the way, we resolve various open problems such as limitations of quantum algorithms with preprocessing computation, oracle separation problems in quantum complexity theory, and public key encryption using group action.양자역학을 이용한 컴퓨터의 등장은 쇼어의 알고리즘 등을 통해 기존 암호학에 명백한 위협을 제시하며, 양자역학의 성질을 통한 새로운 암호프로토콜의 가능성 또한 제시한다. 이러한 두 가지 관점은 각각 이 학위 논문의 주제가 되는 양자공격에 대한 대응책으로써의 대양자암호와 양자역학을 이용한 암호기술인 양자암호라고 불리는 새로운 분야를 발생시켰다. 이 학위 논문에서는 현재 대양자암호의 안전성을 새로운 양자암호 공격 알고리즘과 모델, 안전성 증명을 통해 재고한다. 특히 암호학적 해쉬함수의 일방향함수, 암호학적 의사난수생성기로서의 대양자 암호 안전성의 구체적인 평가를 제시한다. 또한 최근 양자역학의 연구를 양자암호에 도입함으로써 새로운 양자 공개키암호와 양자 커밋먼트 등의 새로운 발견을 제시한다. 이 과정에서 전처리 계산을 포함한 양자알고리즘의 한계, 양자 복잡계들의 오라클분리 문제, 군의 작용을 이용한 공개키 암호 등의 여러 열린문제들의 해결을 제시한다.1 Introduction 1 1.1 Contributions 3 1.2 Related Works 11 1.3 Research Papers 13 2 Preliminaries 14 2.1 Quantum Computations 15 2.2 Quantum Algorithms 20 2.3 Cryptographic Primitives 21 I Post-Quantum Cryptography: Attacks, New Models, and Proofs 24 3 Quantum Cryptanalysis 25 3.1 Introduction 25 3.2 QROM-AI Algorithm for Function Inversion 26 3.3 Quantum Multiple Discrete Logarithm Problem 34 3.4 Discussion and Open problems 39 4 Quantum Random Oracle Model with Classical Advice 42 4.1 Quantum ROM with Auxiliary Input 44 4.2 Function Inversion 46 4.3 Pseudorandom Generators 56 4.4 Post-quantum Primitives 58 4.5 Discussion and Open Problems 59 5 Quantum Random Permutations with Quantum Advice 62 5.1 Bound for Inverting Random Permutations 64 5.2 Preparation 64 5.3 Proof of Theorem 68 5.4 Implication in Complexity Theory 74 5.5 Discussion and Open Problems 77 II Quantum Cryptography: Public-key Encryptions and Bit Commitments 79 6 Equivalence Theorem 80 6.1 Equivalence Theorem 81 6.2 Non-uniform Equivalence Theorem 83 6.3 Proof of Equivalence Theorem 86 7 Quantum Public Key Encryption 89 7.1 Swap-trapdoor Function Pairs 90 7.2 Quantum-Ciphertext Public Key Encryption 94 7.3 Group Action based Construction 99 7.4 Lattice based Construction 107 7.5 Discussion and Open Problems 113 7.6 Deferred Proof 114 8 Quantum Bit Commitment 119 8.1 Quantum Commitments 120 8.2 Efficient Conversion 123 8.3 Applications of Conversion 126 8.4 Discussion and Open Problems 137박

Quantum Algorithm for Dynamic Programming Approach for DAGs. Applications for Zhegalkin Polynomial Evaluation and Some Problems on DAGs

In this paper, we present a quantum algorithm for dynamic programming approach for problems on directed acyclic graphs (DAGs). The running time of the algorithm is $O(\sqrt{\hat{n}m}\log \hat{n})$, and the running time of the best known deterministic algorithm is $O(n+m)$, where $n$ is the number of vertices, $\hat{n}$ is the number of vertices with at least one outgoing edge; $m$ is the number of edges. We show that we can solve problems that use OR, AND, NAND, MAX and MIN functions as the main transition steps. The approach is useful for a couple of problems. One of them is computing a Boolean formula that is represented by Zhegalkin polynomial, a Boolean circuit with shared input and non-constant depth evaluating. Another two are the single source longest paths search for weighted DAGs and the diameter search problem for unweighted DAGs.Comment: UCNC2019 Conference pape

Optimal experiment design revisited: fair, precise and minimal tomography

Given an experimental set-up and a fixed number of measurements, how should one take data in order to optimally reconstruct the state of a quantum system? The problem of optimal experiment design (OED) for quantum state tomography was first broached by Kosut et al. [arXiv:quant-ph/0411093v1]. Here we provide efficient numerical algorithms for finding the optimal design, and analytic results for the case of 'minimal tomography'. We also introduce the average OED, which is independent of the state to be reconstructed, and the optimal design for tomography (ODT), which minimizes tomographic bias. We find that these two designs are generally similar. Monte-Carlo simulations confirm the utility of our results for qubits. Finally, we adapt our approach to deal with constrained techniques such as maximum likelihood estimation. We find that these are less amenable to optimization than cruder reconstruction methods, such as linear inversion.Comment: 16 pages, 7 figure

Symmetric Informationally Complete Quantum Measurements

We consider the existence in arbitrary finite dimensions d of a POVM comprised of d^2 rank-one operators all of whose operator inner products are equal. Such a set is called a ``symmetric, informationally complete'' POVM (SIC-POVM) and is equivalent to a set of d^2 equiangular lines in C^d. SIC-POVMs are relevant for quantum state tomography, quantum cryptography, and foundational issues in quantum mechanics. We construct SIC-POVMs in dimensions two, three, and four. We further conjecture that a particular kind of group-covariant SIC-POVM exists in arbitrary dimensions, providing numerical results up to dimension 45 to bolster this claim.Comment: 8 page

Strong experimental guarantees in ultrafast quantum random number generation

We describe a methodology and standard of proof for experimental claims of quantum random number generation (QRNG), analogous to well-established methods from precision measurement. For appropriately constructed physical implementations, lower bounds on the quantum contribution to the average min-entropy can be derived from measurements on the QRNG output. Given these bounds, randomness extractors allow generation of nearly perfect "{\epsilon}-random" bit streams. An analysis of experimental uncertainties then gives experimentally derived confidence levels on the {\epsilon} randomness of these sequences. We demonstrate the methodology by application to phase-diffusion QRNG, driven by spontaneous emission as a trusted randomness source. All other factors, including classical phase noise, amplitude fluctuations, digitization errors and correlations due to finite detection bandwidth, are treated with paranoid caution, i.e., assuming the worst possible behaviors consistent with observations. A data-constrained numerical optimization of the distribution of untrusted parameters is used to lower bound the average min-entropy. Under this paranoid analysis, the QRNG remains efficient, generating at least 2.3 quantum random bits per symbol with 8-bit digitization and at least 0.83 quantum random bits per symbol with binary digitization, at a confidence level of 0.99993. The result demonstrates ultrafast QRNG with strong experimental guarantees.Comment: 11 pages, 9 figure