Non-uniformity and Quantum Advice in the Quantum Random Oracle Model

  • Conference paper
Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14004)

Abstract

The quantum random oracle model (QROM), introduced by Boneh et al. (Asiacrypt 2011), captures all generic algorithms. However, it fails to describe non-uniform quantum algorithms with preprocessing power, which receive a piece of bounded classical or quantum advice.

As non-uniform algorithms are largely believed to be the right model for attackers, starting from the work by Nayebi, Aaronson, Belovs, and Trevisan (QIC 2015), a line of works investigates non-uniform security in the random oracle model. Chung, Guo, Liu, and Qian (FOCS 2020) provide a framework and establish non-uniform security for many cryptographic applications. Although they achieve nearly optimal bounds for many applications with classical advice, their bounds for quantum advice are far from tight.

In this work, we continue the study on quantum advice in the QROM. We provide a new idea that generalizes the previous multi-instance framework, which we believe is more quantum-friendly and should be the quantum analog of multi-instance games. To this end, we match the bounds with quantum advice to those with classical advice by Chung et al., showing quantum advice is almost as good/bad as classical advice for many natural security games in the QROM.

Finally, we show that for some contrived games in the QROM, quantum advice can be exponentially better than classical advice for some parameter regimes. To the best of our knowledge, this provides evidence of a general separation between quantum and classical advice relative to an unstructured oracle.

Notes

  1. Hellman’s algorithm on functions does not behave as well as on permutations. Upper and lower bounds meet at \(ST/\alpha \) only when we consider permutations.

  2. In [GLLZ21], they do not need quantum or classical memory \(\tau \) shared between f and \(\mathcal {A}\). However, this is essential in our proof. Nonetheless, all security proofs in the P-BR-QROM work in the stronger setting (with \(\tau \) shared between stages).

  3. Specifically, we require \(T = 0\), i.e., no online query.

  4. For more details, please refer to Fig. 1 in [YZ22].

References

  1. Aaronson, S.: Limitations of quantum advice and one-way communication. Theory Comput. 1(1), 1–28 (2005)

  2. Aaronson, S.: Open problems related to quantum query complexity. ACM Trans. Quant. Comput. 2(4), 1–9 (2021)

  3. Aaronson, S., Kuperberg, G.: Quantum versus classical proofs and advice. In: Twenty-Second Annual IEEE Conference on Computational Complexity (CCC 07), pp. 115–128. IEEE (2007)

  4. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  5. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993)

  6. Bar-Yossef, Z., Jayram, T.S., Kerenidis, I.: Exponential separation of quantum and classical one-way communication complexity. In: Proceedings of the Thirty-Sixth Annual ACM Symposium on Theory of Computing, pp. 128–137 (2004)

  7. Coretti, S., Dodis, Y., Guo, S.: Non-uniform bounds in the random-permutation, ideal-cipher, and generic-group models. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 693–721. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_23

  8. Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 227–258. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_9

  9. Corrigan-Gibbs, H., Kogan, D.: The function-inversion problem: barriers and opportunities. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 393–421. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_16

  10. Chung, K.M., Guo, S., Liu, Q., Qian, L.: Tight quantum time-space tradeoffs for function inversion. In: 2020 IEEE 61st Annual Symposium on Foundations of Computer Science (FOCS), pp. 673–684. IEEE (2020)

  11. Chung, K.M., Lin, H., Mahmoody, M., Pass, R.: On the power of nonuniformity in proofs of security. In: Proceedings of the 4th Conference on Innovations in Theoretical Computer Science, pp. 389–400 (2013)

  12. Chung, K.M., Liao, T.N., Qian, L.: Lower bounds for function inversion with quantum advice. arXiv preprint arXiv:1911.09176 (2019)

  13. Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_16

  14. De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_35

  15. Gavinsky, D.: Classical interaction cannot replace a quantum message. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 95–102 (2008)

  16. Gravin, N., Guo, S., Kwok, T.C., Lu, P.: Concentration bounds for almost k-wise independence with applications to non-uniform security. In: Proceedings of the 2021 ACM-SIAM Symposium on Discrete Algorithms (SODA), pp. 2404–2423. SIAM (2021)

  17. Guo, S., Li, Q., Liu, Q., Zhang, J.: Unifying presampling via concentration bounds. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13042, pp. 177–208. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90459-3_7

  18. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)

  19. Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)

  20. Hhan, M., Xagawa, K., Yamakawa, T.: Quantum random oracle model with auxiliary input. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 584–614. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_21

  21. Marriott, C., Watrous, J.: Quantum Arthur-Merlin games. Comput. Complex. 14(2), 122–152 (2005)

  22. Nayebi, A., Aaronson, S., Belovs, A., Trevisan, L.: Quantum lower bound for inverting a permutation with advice. CoRR, abs/1408.3193 (2014)

  23. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information, 10th edn. Cambridge University Press, Cambridge (2010)

  24. Unruh, D.: Random oracles and auxiliary input. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 205–223. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_12

  25. Yao, A.C.: Coherent functions and program checkers. In: Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing, pp. 84–94 (1990)

  26. Yamakawa, T., Zhandry, M.: Verifiable quantum advantage without structure. arXiv preprint arXiv:2204.02063 (2022)

  27. Zhandry, M.: Schrödinger’s Pirate: how to trace a quantum decoder. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12552, pp. 61–91. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_3

Acknowledgements

We would like to thank Kai-Min Chung for his discussion on an early write-up and providing an intuitive explanation of the decomposition of quantum advice in our work; Jiahui Liu and Luowen Qian for their comments on an early draft of this paper; Luowen Qian and Makrand Sinha for mentioning the connections between our impossibility result and quantum one-way communication complexity.

Qipeng Liu is supported in part by the Simons Institute for the Theory of Computing, through a Quantum Postdoctoral Fellowship, by DARPA under Agreement No. HR00112020023 and by the NSF QLCI program through grant number OMA-2016245. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

Corresponding author

Correspondence to Qipeng Liu.

Appendices

A Proofs for the Useful Lemmas

Lemma 10

Let N be a positive integer and \(p_1, \cdots , p_N \in \mathbb {R}^{\ge 0}\). Let \(\alpha _1, \cdots , \alpha _N\) be a distribution over [N]: i.e., \(\alpha _i \in [0, 1]\) and \(\sum _{i \in [N]} \alpha _i = 1\).

Assume \(\mu := \sum _{i \in [N]} \alpha _i p_i > 0\). Let \(\beta _1, \cdots , \beta _N\) be another distribution over [N]: \(\beta _i := \alpha _i p_i / \mu \). The following holds:

$$\begin{aligned} \sum _{i \in [N]} \beta _i p_i \ge \sum _{i \in [N]} \alpha _i p_i. \end{aligned}$$

Proof

Let \({\textbf{X}}\) be a random variable that takes value \(p_i\) w.p. \(\alpha _i\). It is easy to see that \({\mathbb {E}}[{\textbf{X}}] = \sum _{i} \alpha _i p_i\) and \({\mathbb {E}}[{\textbf{X}}^2] = \sum _{i} \alpha _i p_i^2\).

Since we assume \(\mu = {\mathbb {E}}[{\textbf{X}}] > 0\), we rewrite the inequality as follows:

$$\begin{aligned} \sum _{i} \alpha _i p_i^2 \ge \left( \sum _{i} \alpha _i p_i\right) ^2. \end{aligned}$$

The lemma holds by observing that L.H.S. is \({\mathbb {E}}[{\textbf{X}}^2]\), R.H.S. is \({\mathbb {E}}[{\textbf{X}}]^2\) and the fact that \({\textbf{Var}}[{\textbf{X}}] := {\mathbb {E}}[{\textbf{X}}^2] - {\mathbb {E}}[{\textbf{X}}]^2 \ge 0\).    \(\square \)

Proof for Lemma 1. We fix any integer \(k \ge 1\). Let \(\alpha _i = c_i p_i^{k-1} / (\sum _i c_i p_i^{k-1})\). It is easy to see that \(S_k = \sum _{i} \alpha _i p_i\).

Let \(\beta _i = \alpha _i p_i / \mu \) where \(\mu = \sum _i \alpha _i p_i\). We have

$$\begin{aligned} \beta _i&= \alpha _i p_i / \mu \\&= \frac{c_i p_i^{k}}{\sum _i c_i p_i^{k-1} \cdot \mu }\\&= \frac{c_i p_i^{k}}{\sum _i c_i p_i^{k-1} \cdot \left( \sum _i c_i p_i^{k} / (\sum _i c_i p_i^{k-1}) \right) } \\&= \frac{c_i p_i^{k}}{\sum _i c_i p_i^{k}}. \end{aligned}$$

Therefore, \(S_{k+1} = \sum _i \beta _i p_i\). By Lemma 10, \(S_{k+1} = \sum _i \beta _i p_i \ge \sum _i \alpha _i p_i = S_{k}\).    \(\square \)

B Characterization of Alternating Measurements and Proof of Theorem 6

Fixing a function H, the initial internal register \(\textbf{A}\) of \(\mathcal {A}\) is \(|\sigma _H\rangle |0^L\rangle = \sum _{i} \alpha _{H, i} |\phi _{H, i}\rangle \). Let us define the following states \(|v_{H, i}^0\rangle , |v_{H, i}^1\rangle , |w_{H, i}^0\rangle , |w_{H, i}^1\rangle \) (for convenience, we ignore H in the subscripts in the analysis below). We will also ignore H in other notation such as \(P^H_r, |\phi _{H, i}\rangle , p_{H, i}\), as our analysis does not depend on H and the final conclusion follows by taking the expectation over uniformly random functions H. Instead, we use \(P_r := P^H_{r}, |\phi _i\rangle :=|\phi _{H, i}\rangle , p_i := p_{H, i}\) in the analysis.

  1. \(|w_i^0\rangle = \frac{1}{\sqrt{p_{i} |{\mathcal {R}}|}} \sum _r |r\rangle P_r |\phi _{i}\rangle \).

    It is easy to verify that it has norm 1:

    $$\begin{aligned} \langle w_i^0 | w_i^0\rangle = \frac{1}{p_i |{\mathcal {R}}|} \sum _r \langle \phi _i | P_r | \phi _i \rangle = \frac{1}{p_i |{\mathcal {R}}|} \langle \phi _i | (\sum _r P_r) | \phi _i \rangle =\frac{p_i |{\mathcal {R}}| }{p_i |{\mathcal {R}}|} \,= 1. \end{aligned}$$

    \({\textsf{CP}}^H_0 |w_i^0\rangle = |w_i^0\rangle \) and \({\textsf{CP}}^H_1 |w_i^0\rangle = 0\).

    After seeing the definition of \(|v_i^0\rangle \) and \(|v_i^1\rangle \) below, we also observe that \(|w_i^0\rangle = \sqrt{p_i} |v_i^0\rangle + \sqrt{1-p_i} |v_i^1\rangle \).

  2. \(|w_i^1\rangle = \frac{1}{\sqrt{(1-p_{i}) |{\mathcal {R}}|}} \sum _r |r\rangle (\textbf{I}_{\textbf{A}}-P_r) |\phi _{i}\rangle \).

    Similarly, it has norm 1, \({\textsf{CP}}^H_1 |w_i^1\rangle = |w_i^1\rangle \) and \({\textsf{CP}}^H_0 |w_i^1\rangle = 0\).

  3. \(|v^0_i\rangle = |\mathbbm {1}\rangle _{{\mathcal {R}}} |\phi _{i}\rangle = \sqrt{p_i} |w_i^0\rangle + \sqrt{1 - p_i} |w^1_i\rangle \).

    By the description of the game \(G^{\otimes k}\) (Definition 8), the overall register \(\textbf{R}\textbf{A}\) at the beginning of the game can be written as \(\sum _{i} \alpha _{i} |v^0_i\rangle \) (which we will prove below).

    The state has norm 1, \({\textsf{IsUniform}}^0 |v^0_i\rangle = |v^0_i\rangle \) and \({\textsf{IsUniform}}^1 |v^0_i\rangle = 0\).

  4. \(|v_i^1\rangle = \sqrt{1 - p_i} |w_i^0\rangle - \sqrt{p_i} |w^1_i\rangle \).

    We will not use the property of \(|v_i^1\rangle \) in the proof and we thus omit all the details here.

Lemma 11

For any fixed H, for any non-negative integer k, the leftover state over \(\textbf{R}\textbf{A}\) conditioned on all outcomes in the first k rounds being 0s is in proportion to:

$$\begin{aligned} \sum _i \alpha _i p_i^{k/2} {\left\{ \begin{array}{ll} |v^0_i\rangle & \text {if } k \text { is even}, \\ |w^0_i\rangle & \text {if } k \text { is odd}. \end{array}\right. } \end{aligned}$$

The probability of all outcomes being 0s is \(\sum _i |\alpha _i|^2 p_i^k\).

The proof follows the proof of Claim 6.3 in [Zha20]. We reprove this claim for completeness.

Proof

This lemma holds for \(k=0\), when no measurement is applied. In this case, the state is

$$\begin{aligned} \sum _i \alpha _i |v^0_i\rangle = \sum _i \alpha _i |\mathbbm {1}_{{\mathcal {R}}}\rangle _\textbf{R}|\phi _i\rangle _\textbf{A}= |\mathbbm {1}_{{\mathcal {R}}}\rangle _\textbf{R}|\sigma _H, 0^L\rangle _\textbf{A}. \end{aligned}$$

We now prove by induction. Assume the lemma holds up to some even k. We prove it holds for odd \(k+1\).

The leftover state after the first k rounds is \(c \sum _i \alpha _i p_i^{k/2} |v_i^0\rangle \) for some normalization c. Note that \(|v^0_i\rangle = \sqrt{p_i} |w_i^0\rangle + \sqrt{1 - p_i} |w^1_i\rangle \). The state can be rewritten as

$$\begin{aligned} c \sum _i \alpha _i p_i^{k/2} \left( \sqrt{p_i} |w_i^0\rangle + \sqrt{1 - p_i} |w^1_i\rangle \right) . \end{aligned}$$

In the \((k+1)\)-th round, the challenger measures the state under \({\textsf{CP}}^H\). Note that \({\textsf{CP}}^H_0 |w_i^0\rangle = |w_i^0\rangle \) and \({\textsf{CP}}^H_0 |w_i^1\rangle = 0\). Thus, conditioned on the \((k+1)\)-th outcome being 0, the state is in proportion to \(\sum _i \alpha _i p_i^{(k+1)/2} |w_i^0\rangle \). We complete the induction for k being even.

For odd k, the analysis is almost identical, by observing \(|w_i^0\rangle = \sqrt{p_i} |v_i^0\rangle + \sqrt{1-p_i} |v_i^1\rangle \) and also following from the fact that \({\textsf{IsUniform}}^0 |v^0_i\rangle = |v^0_i\rangle \) and \({\textsf{IsUniform}}^1 |v^0_i\rangle = 0\).

Finally, the probability can be bounded by looking at the un-normalized states above.    \(\square \)

Theorem 6 follows from summing over all functions H and Lemma 11.
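The following Python sketch is an added example, not code from the paper: it checks Lemma 11 and the monotonicity of \(S_k\) from the proof of Lemma 1 numerically on a constructed toy instance. It assumes \(\textbf{A}\) is a real two-dimensional register, each \(P_r\) is the rank-one projector onto the angle `thetas[r]`, the \(|\phi _i\rangle \) are the eigenvectors of \(\frac{1}{|{\mathcal {R}}|}\sum _r P_r\) with eigenvalues \(p_i\), and \(c_i = |\alpha _i|^2\); all function names and sample values are hypothetical.

```python
import math

def alternating_zero_probs(thetas, sigma, rounds):
    """Apply CP_0 (odd rounds) and IsUniform_0 (even rounds) to |1_R>|sigma>.

    Returns [Pr[first k outcomes are all 0] for k = 0..rounds], computed as the
    squared norm of the unnormalized projected state.
    """
    n = len(thetas)
    units = [(math.cos(t), math.sin(t)) for t in thetas]  # P_r = u_r u_r^T
    # The state on R (x) A is stored as one 2-vector per value r.
    psi = [(sigma[0] / math.sqrt(n), sigma[1] / math.sqrt(n))] * n
    probs = [sum(a * a + b * b for a, b in psi)]
    for k in range(1, rounds + 1):
        if k % 2 == 1:
            # CP_0 = sum_r |r><r| (x) P_r: project each block onto u_r.
            psi = [((a * c + b * s) * c, (a * c + b * s) * s)
                   for (a, b), (c, s) in zip(psi, units)]
        else:
            # IsUniform_0 = |1_R><1_R| (x) I: replace each block by the mean.
            avg = (sum(a for a, _ in psi) / n, sum(b for _, b in psi) / n)
            psi = [avg] * n
        probs.append(sum(a * a + b * b for a, b in psi))
    return probs

def spectral_data(thetas, sigma):
    """Eigenvalues p_i of M = (1/|R|) sum_r P_r and weights |<phi_i|sigma>|^2."""
    n = len(thetas)
    c2 = sum(math.cos(2 * t) for t in thetas) / n
    s2 = sum(math.sin(2 * t) for t in thetas) / n
    rho = math.hypot(c2, s2)          # M = I/2 + (rho/2) * reflection
    phi = 0.5 * math.atan2(s2, c2)    # axis of the reflection
    vecs = [(math.cos(phi), math.sin(phi)), (-math.sin(phi), math.cos(phi))]
    ps = [(1 + rho) / 2, (1 - rho) / 2]
    weights = [(v[0] * sigma[0] + v[1] * sigma[1]) ** 2 for v in vecs]
    return ps, weights

def lemma11_formula(ps, weights, k):
    """sum_i |alpha_i|^2 p_i^k, the probability stated in Lemma 11."""
    return sum(w * p ** k for p, w in zip(ps, weights))

def s_values(ps, weights, rounds):
    """S_k = sum_i c_i p_i^k / sum_i c_i p_i^(k-1) with c_i = |alpha_i|^2."""
    return [lemma11_formula(ps, weights, k) / lemma11_formula(ps, weights, k - 1)
            for k in range(1, rounds + 1)]

# Constructed sample instance: four projector angles and a unit advice vector.
THETAS = [0.0, 0.4, 1.1, 2.0]
SIGMA = (math.cos(0.7), math.sin(0.7))

if __name__ == "__main__":
    ps, ws = spectral_data(THETAS, SIGMA)
    sim = alternating_zero_probs(THETAS, SIGMA, 6)
    for k, pr in enumerate(sim):
        print(k, round(pr, 12), round(lemma11_formula(ps, ws, k), 12))
    print("S_k:", [round(s, 6) for s in s_values(ps, ws, 6)])
```

With this choice of \(c_i\), \(S_k\) is the probability that the k-th outcome is 0 conditioned on the first \(k-1\) outcomes being 0, which is why it is non-decreasing in k.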

C Classical Version of Our Main Theorem

The following theorem is a classical version of our main theorem (Theorem 5), improved from Theorem 1 in [GLLZ21].

Theorem 13

Let G be any game with \(T_\textsf{Samp}, T_\textsf{Verify}\) being the number of queries made by \(\textsf{Samp}\) and \(\textsf{Verify}\). For any S, T, let \(P = S (T + T_\textsf{Verify}+ T_\textsf{Samp})\).

If G has security \(\nu (P, T)\) in the P-BF-ROM, then it has security \(\delta (S, T) \le 2 \cdot \nu (P, T)\) against (S, T) non-uniform classical algorithms with classical advice.

In Theorem 1 in [GLLZ21], \(P = (S + \log \gamma ^{-1}) (T + T_\textsf{Verify}+ T_\textsf{Samp})\) and there is an extra additive term \(\gamma \) for \(\delta (S, T)\).

Theorem 14

(Theorem 1 in [GLLZ21]). Let G be any game with \(T_\textsf{Samp}, T_\textsf{Verify}\) being the number of queries made by \(\textsf{Samp}\) and \(\textsf{Verify}\). For any \(S, T, \gamma > 0\), let \(P = (S + \log \gamma ^{-1}) (T + T_\textsf{Verify}+ T_\textsf{Samp})\).

If G has security \(\nu (P, T)\) in the P-BF-ROM, then it has security \(\delta (S, T) \le 2 \cdot \nu (P, T) + \gamma \) against (S, T) non-uniform classical algorithms with classical advice.

D Proof for the Separation Result

Proof

We first show the second bullet point. Let the quantum algorithm in Theorem 11 be \(\mathcal {B}\). In the non-uniform quantum adversary, quantum advice is the non-adaptive queries made by \(\mathcal {B}\) and the online stage is the post-processing by \(\mathcal {B}\). It is straightforward that the non-uniform algorithm achieves the same probability as \(\mathcal {B}\), which is \(1 - \textsf{negl}(n)\). Since each query has \(O(\log n)\) qubits and \(\mathcal {B}\) makes \(\tilde{O}(n)\) queries, the total size of the quantum advice is still \(\tilde{O}(n)\).

Next, we show the first bullet point. In the first bullet point of this theorem, we do not distinguish between non-uniform quantum adversaries with classical advice and non-uniform classical adversaries. The reason is that the online algorithm does not make any query, i.e., \(T = 0\). These two types of algorithms are equivalent when \(T = 0\).

Thus, we consider the success probabilities of non-uniform classical adversaries. By the classical analog (Theorem 13) of our main theorem (Theorem 5), we only need to show its success probability in the P-BF-ROM (Definition 5) where \(P = S (T + T_\textsf{Samp}+ T_\textsf{Verify}) = S T_\textsf{Verify}= 2^{n^c}\).

Assume a random oracle is lazily sampled. In other words, an outcome of the random oracle on x is sampled only if the outcome is queried by an algorithm; otherwise, the outcome is marked as “not sampled”. Conditioned on any P-query f outputting 0, the random oracle is only fixed on P positions and the rest of its outputs are still not sampled. The error-correcting code C used in [YZ22] satisfies a property called \((\zeta , \ell , L)\) list recoverability:

  • For any subset \(S_i \subseteq \varSigma \) such that \(|S_i| \le \ell \) for every \(i \in [n]\), we have

    $$\begin{aligned} |\textsf{Good}| = \left| \left\{ (x_1, \cdots , x_n) \in C : |\{ i \in [n]: x_i \in S_i\}| \ge (1-\zeta ) n \right\} \right| \le L. \end{aligned}$$

    In other words, the total number of codewords in C with Hamming distance to \(S_1 \times S_2 \times \cdots \times S_n\) smaller than \(\zeta n\) is bounded by L. Here Hamming distance to \(S_1 \times S_2 \times \cdots \times S_n\) is defined as the number of coordinates i whose \(x_i\) is not in the corresponding \(S_i\). We call this set of codewords \(\textsf{Good}\).

  • \(P = 2^{n^c} < \ell \), \(\zeta = \varOmega (1)\) and \(L = 2^{n^{c'}}\) for some \(0< c' < 1\).

In \(G_\textsf{YZ}\), when a challenge y is sampled uniformly at random from \(\{0,1\}^n\), there are two cases:

  • Case 1: there exists a codeword c in \(\textsf{Good}\), such that \(y = f^H_C(c)\). This case happens with probability at most \(|\textsf{Good}|/2^n \le L / 2^n\).

  • Case 2: complement of Case 1. In this case, an adversary wins only if it outputs a codeword that is not in \(\textsf{Good}\). For every codeword \(c = (x_1, x_2, \cdots , x_n) \not \in \textsf{Good}\), there are at least \(\zeta n\) coordinates whose random oracle outputs (i.e., \(H(i,x_i)\)) have not been sampled yet in the lazily sampled random oracle. For any \(c \not \in \textsf{Good}\), \(\Pr [f^H_C(c) = y] \le 2^{-\zeta n}\). Therefore, regardless of the algorithm’s output, the success probability is at most \(2^{-\zeta n}\).

The overall winning probability is bounded by \(L/2^n + 2^{-\zeta n} = 2^{-\varOmega (n)}\). We conclude the first bullet point of the theorem.

   \(\square \)

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Liu, Q. (2023). Non-uniformity and Quantum Advice in the Quantum Random Oracle Model. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14004. Springer, Cham. https://doi.org/10.1007/978-3-031-30545-0_5

  • DOI: https://doi.org/10.1007/978-3-031-30545-0_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30544-3

  • Online ISBN: 978-3-031-30545-0

  • eBook Packages: Computer Science (R0)
