Tight Quantum Time-Space Tradeoffs for Function Inversion

In function inversion, we are given a function $f:[N]\rightarrow[N]$ and want to prepare some advice of size $S$ such that we can efficiently invert any image in time $T$. This is a well-studied problem with profound connections to cryptography, data structures, communication complexity, and circuit lower bounds. Investigation of this problem in the quantum setting was initiated by Nayebi, Aaronson, Belovs, and Trevisan (2015), who proved a lower bound of $ST^{2}=\tilde{\Omega}(N)$ for random permutations against classical advice, leaving open the intriguing possibility that Grover's search can be sped up to time $\tilde{O}(\sqrt{N/S})$. Recent works by Hhan, Xagawa, and Yamakawa (2019), and Chung, Liao, and Qian (2019) extended the argument to random functions and quantum advice, but the lower bound remains $ST^{2}=\tilde{\Omega}(N)$.

In this work, we prove that even with quantum advice, $ST+T^{2}=\tilde{\Omega}(N)$ is required for an algorithm to invert random functions. This demonstrates that Grover's search is optimal for $S=\tilde{O}(\sqrt{N})$, ruling out any substantial speed-up for Grover's search even with quantum advice. Further improvements to our bounds would imply new classical circuit lower bounds, as shown by Corrigan-Gibbs and Kogan (2019).

To prove this result, we develop a general framework for establishing quantum time-space lower bounds. We further demonstrate the power of our framework by proving the following results.

• Yao's box problem: We prove a tight quantum time-space lower bound for classical advice. For quantum advice, we prove a first time-space lower bound using shadow tomography. These results resolve two open problems posed by Nayebi et al. (2015).

• Salted cryptography: We show that “salting generically provably defeats preprocessing,” a result shown by Coretti, Dodis, Guo, and Steinberger (2018), also holds in the quantum setting. In particular, we prove quantum time-space lower bounds for a wide class of salted cryptographic primitives in the quantum random oracle model. This yields the first quantum time-space lower bound for salted collision-finding, which in turn implies that $\text{PWPP}^{\mathcal{O}} \nsubseteq \text{FBQP}^{\mathcal{O}}/\text{qpoly}$ relative to a random oracle $\mathcal{O}$.
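As an added illustration, not part of the abstract, the case analysis that turns the new bound $ST+T^{2}=\tilde{\Omega}(N)$ into the Grover-optimality claim, set against the earlier $ST^{2}=\tilde{\Omega}(N)$ bound (polylogarithmic factors are absorbed into the constant $c$):

$$
ST + T^{2} \ge cN
\;\Longrightarrow\;
\max(ST,\, T^{2}) \ge \tfrac{cN}{2}
\;\Longrightarrow\;
T \ge \min\!\left(\frac{cN}{2S},\ \sqrt{\tfrac{cN}{2}}\right).
$$

For $S \le \sqrt{N}$ the first term is at least $\tfrac{c}{2}\sqrt{N}$, so $T=\tilde{\Omega}(\sqrt{N})$, matching Grover's $\tilde{O}(\sqrt{N})$ queries with no advice at all; for $S > \sqrt{N}$ the bound degrades to $T=\tilde{\Omega}(N/S)$. The earlier bound $ST^{2} \ge cN$ only yields $T \ge \sqrt{cN/S}$, which at $S=\sqrt{N}$ would still permit $T=\tilde{O}(N^{1/4})$, exactly the speed-up that the new bound excludes.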

[1] Yassine Hamoudi, et al. Quantum Time-Space Tradeoffs by Recording Queries, 2020, ArXiv.

[2] Minki Hhan, et al. Quantum Random Oracle Model with Auxiliary Input, 2019, IACR Cryptol. ePrint Arch.

[3] Henry Corrigan-Gibbs, et al. The Function-Inversion Problem: Barriers and Opportunities, 2019, Electron. Colloquium Comput. Complex.

[4] Kai-Min Chung, et al. Lower Bounds for Function Inversion with Quantum Advice, 2019, ITC.

[5] Mark Zhandry, et al. Revisiting Post-Quantum Fiat-Shamir, 2019, IACR Cryptol. ePrint Arch.

[6] Mark Zhandry, et al. How to Record Quantum Queries, and Applications to Quantum Indifferentiability, 2019, IACR Cryptol. ePrint Arch.

[7] Andris Ambainis, et al. Quantum security proofs using semi-classical oracles, 2019, IACR Cryptol. ePrint Arch.

[8] Tsvi Kopelowitz, et al. The Strong 3SUM-INDEXING Conjecture is False, 2019, ArXiv.

[9] V. Vaikuntanathan, et al. 3SUM with Preprocessing: Algorithms, Lower Bounds and Cryptographic Applications, 2019, ArXiv.

[10] Guy N. Rothblum, et al. Gentle measurement of quantum states and differential privacy, 2019, Electron. Colloquium Comput. Complex.

[11] Or Meir, et al. Prediction from Partial Information and Hindsight, with Application to Circuit Lower Bounds, 2019, Computational Complexity.

[12] Serge Fehr, et al. Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model, 2019, IACR Cryptol. ePrint Arch.

[13] Scott Arciszewski, et al. XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305, 2018.

[14] Mark Zhandry, et al. On Finding Quantum Multi-collisions, 2018, IACR Cryptol. ePrint Arch.

[15] Yevgeniy Dodis, et al. Non-Uniform Bounds in the Random-Permutation, Ideal-Cipher, and Generic-Group Models, 2018, IACR Cryptol. ePrint Arch.

[16] Navid Talebanfard, et al. Prediction from Partial Information and Hindsight, an Alternative Proof, 2018, Electron. Colloquium Comput. Complex.

[17] John P. Steinberger, et al. Random Oracles and Non-Uniformity, 2018, IACR Cryptol. ePrint Arch.

[18] Eike Kiltz, et al. A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model, 2018, IACR Cryptol. ePrint Arch.

[19] Dominique Unruh, et al. Post-quantum Security of Fiat-Shamir, 2017, ASIACRYPT.

[20] Scott Aaronson, et al. Shadow tomography of quantum states, 2017, Electron. Colloquium Comput. Complex.

[21] Jonathan Katz, et al. Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited, 2017, EUROCRYPT.

[22] Dominique Unruh, et al. Post-Quantum Security of the Fujisaki-Okamoto and OAEP Transforms, 2016, TCC.

[23] Dominique Unruh, et al. Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model, 2015, EUROCRYPT.

[24] Aran Nayebi, et al. Quantum lower bound for inverting a permutation with advice, 2014, Quantum Inf. Comput.

[25] Mark Zhandry, et al. Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World, 2013, CRYPTO.

[26] Mark Zhandry, et al. Secure Identity-Based Encryption in the Quantum Random Oracle Model, 2012, CRYPTO.

[27] Russell Impagliazzo, et al. Relativized Separations of Worst-Case and Average-Case Complexities for NP, 2011, IEEE 26th Annual Conference on Computational Complexity.

[28] Madhur Tulsiani, et al. Time Space Tradeoffs for Attacks against One-Way Functions and PRGs, 2010, CRYPTO.

[29] Mark Zhandry, et al. Random Oracles in a Quantum World, 2010, ASIACRYPT.

[30] Eric Rescorla, et al. Cryptographic Algorithms for the TCP Authentication Option (TCP-AO), 2010, RFC.

[31] Dominique Unruh, et al. Random Oracles and Auxiliary Input, 2007, CRYPTO.

[32] Hartmut Klauck, et al. Quantum and classical strong direct product theorems and optimal time-space tradeoffs, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[33] Scott Aaronson, et al. Limitations of quantum advice and one-way communication, 2004, 19th IEEE Annual Conference on Computational Complexity.

[34] Hartmut Klauck, et al. Quantum time-space tradeoffs for sorting, 2002, STOC '03.

[35] Yaoyun Shi, et al. Quantum lower bounds for the collision and the element distinctness problems, 2001, 43rd Annual IEEE Symposium on Foundations of Computer Science.

[36] Amos Fiat, et al. Rigorous Time/Space Trade-offs for Inverting Functions, 1999, SIAM J. Comput.

[37] Charles H. Bennett, et al. Strengths and Weaknesses of Quantum Computing, 1997, SIAM J. Comput.

[38] Lov K. Grover. A fast quantum mechanical algorithm for database search, 1996, STOC '96.

[39] Mihir Bellare, et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[40] Umesh V. Vazirani, et al. Quantum complexity theory, 1993, STOC.

[41] J. F. Goehl. An Alternative Proof, 1991.

[42] A. Yao. Coherent functions and program checkers, 1990, STOC '90.

[43] Paul Beame, et al. A general sequential time-space tradeoff for finding unique elements, 1989, STOC '89.

[44] Hugo Krawczyk, et al. On the existence of pseudorandom generators, 1988, 29th Annual Symposium on Foundations of Computer Science.

[45] Leonid A. Levin, et al. One-way functions and pseudorandom generators, 1985, STOC '85.

[46] Martin E. Hellman, et al. A cryptanalytic time-memory trade-off, 1980, IEEE Trans. Inf. Theory.
