Open access

Verifiable Quantum Advantage without Structure

Published: 11 June 2024

Abstract

We show the following hold, unconditionally unless otherwise stated, relative to a random oracle:
There are NP search problems solvable by quantum polynomial-time (QPT) machines but not classical probabilistic polynomial-time (PPT) machines.
There exist functions that are one-way, and even collision resistant, against classical adversaries but are easily inverted quantumly. Similar counterexamples exist for digital signatures and CPA-secure public key encryption (the latter requiring the assumption of a classically CPA-secure encryption scheme). Interestingly, the counterexample does not necessarily extend to the case of other cryptographic objects such as PRGs.
There are unconditional publicly verifiable proofs of quantumness with the minimal rounds of interaction: for uniform adversaries, the proofs are non-interactive, whereas for non-uniform adversaries the proofs are two message public coin.
Our results do not appear to contradict the Aaronson-Ambanis conjecture. Assuming this conjecture, there exist publicly verifiable certifiable randomness, again with the minimal rounds of interaction.
By replacing the random oracle with a concrete cryptographic hash function such as SHA2, we obtain plausible Minicrypt instantiations of the above results. Previous analogous results all required substantial structure, either in terms of highly structured oracles and/or algebraic assumptions in Cryptomania and beyond.

1 Introduction

Can \(\mathsf {NP}\) search problems have a super-polynomial speed-up on quantum computers? This is one of the oldest and most important questions in quantum complexity.
The first proposals for such quantum advantage were relative to highly structured oracles. Examples include Simon’s oracle [54], or more generally periodic oracles, as well as the Bernstein–Vazirani oracle [14] and welded trees [24].
The first non-oracular quantum advantage for \(\mathsf {NP}\) problems is due to Shor’s famous algorithm for factoring integers and computing discrete logarithms [53]. Since Shor’s algorithm, other non-oracular \(\mathsf {NP}\) problems with quantum advantage include solving Pell’s equation [33] and matrix group membership [9]. While the technical details of all these examples are very different, these problems can all be seen as non-oracular instantiations of periodic oracles.
While the above non-oracular problems are certainly easy on a quantum computer, the classical hardness can only be conjectured since, in particular, the classical hardness would imply \(\text{P}\ne \mathsf {NP}\), or an analogous statement if one considers probabilistic algorithms. The problem is that, when instantiating an oracle with real-world computational tasks, non-black-box algorithms may be available that render the problem classically easy, despite the oracle problem being hard. For example, index calculus methods [4] yield sub-exponential time classical attacks for factoring and discrete logarithms, despite black box period-finding being classically exponentially hard.
To make matters worse, for the known \(\mathsf {NP}\) search problems with plausible quantum advantage, the classical hardness is widely believed to be a much stronger assumption than \(\text{P}\ne \mathsf {NP}\), since the problems have significant algebraic structure and are not believed to be \(\mathsf {NP}\)-complete. In particular, all \(\mathsf {NP}\) search problems we are aware of yielding a super-polynomial quantum advantage rely on Cryptomania tools [37], in the sense that their classical hardness can be used to build public key encryption (PKE).1 This puts the assumptions needed for an \(\mathsf {NP}\) quantum advantage quite high in the assumption hierarchy.
Quantum speed-ups and structure. The above tasks demonstrating speed-ups, both oracular and non-oracular, all have one thing in common: significant “structure.” It is natural to wonder whether such structure is necessary. In the non-oracular setting, a natural interpretation of this question could be if Minicrypt assumptions—those that give symmetric key but not public key cryptography—can be used to give a quantum advantage. Minicrypt assumptions, such as the one-wayness of SHA2, lack the algebraic structure needed in typical super-polynomial quantum speed-ups. In the oracle setting, this could mean, for example, proving unconditional quantum advantage relative to a uniformly random oracle, which is generally seen as being structure-less.
Prior work on this topic could be interpreted as negative. As observed above, all non-oracular \(\mathsf {NP}\) problems demonstrating quantum advantage imply, or are closely related to problems that imply, public key cryptography. In the random oracle setting, the evidence is even stronger. The most natural problems to reason about—one-wayness and collision resistance of the random oracle, and generalizations—provably only have a polynomial quantum advantage [3, 13, 59, 61]. Additional evidence is given by Aaronson and Ambanis [1], who build on work of Beals et al. [11]. They consider the following conjecture, dating back to at least 1999:
Conjecture 1.1 (Paraphrased from [1]).
Let \(Q\) be a quantum algorithm with Boolean output that makes \(T\) queries to a random oracle \(\mathcal {O}\), and let \(\epsilon ,\delta \gt 0\). Then there exists a deterministic classical algorithm \(C\) that makes \(\mathsf {poly}(T,1/\epsilon ,1/\delta)\) queries, such that
\begin{equation*} \Pr _\mathcal {O}\left[\;\left|\;C^\mathcal {O}()-\Pr [Q^\mathcal {O}()=1]\;\right|\le \epsilon \;\right]\ge 1-\delta \hspace{5.0pt}, \end{equation*}
where the inner probability is over the randomness of \(Q\).
Aaronson and Ambanis give some evidence for Conjecture 1.1, by reducing it to a plausible mathematical conjecture closely related to known existing results. If Conjecture 1.1 is true, any quantum decision algorithm \(Q\) making queries to a random oracle can be simulated classically with only polynomially-more queries.
Note that the conjectured classical simulator may be computationally inefficient, and indeed we would expect it to be if, say, \(Q\) ignored its oracle and just factored integers. But for any particular algorithm \(Q\), proving computational inefficiency amounts to an unconditional hardness result, which is beyond the reach of current complexity theory. Thus, Conjecture 1.1, if true, essentially shows that random oracles are equivalent to the non-oracular world with respect to \(\mathsf {NP}\) decision problems, and cannot be used to provide provable quantum advantage for such problems.

1.1 Our Results

In this work, we make progress toward justifying super-polynomial quantum advantage for \(\mathsf {NP}\) problems, under less structured oracles or milder computational assumptions. We show, perhaps surprisingly, that for certain search problems in \(\mathsf {NP}\), random oracles do in fact give provable unconditional super-polynomial quantum speed-ups.
Random oracles. Our starting point is to prove the following theorem:
Theorem 1.2 (Informal).
Relative to a random oracle, there exists a non-interactive proof of quantumness, with unconditional security against any computationally-unbounded adversary making a polynomial number of classical queries.
Here, a proof of quantumness [17] is a protocol between a quantum prover and classical verifier (meaning in particular that messages are classical) where no cheating classical prover can convince the verifier. By being non-interactive, our protocol is also publicly verifiable. Prior LWE-based proofs of quantumness [17, 18] lacked public verifiability. The only previous publicly verifiable proof of quantumness [6] required highly non-trivial structured oracles.
Remark 1.
We note the restriction to uniform adversaries is necessary in the non-interactive setting, as a non-uniform adversary (that may take oracle-dependent advice) can simply have a proof hardcoded. Our protocol also readily gives a two-message public coin (and hence also publicly verifiable) protocol against non-uniform adversaries, which is the best one can hope for in the non-uniform setting.
Theorem 1.2 has a number of interesting immediate consequences:
Corollary 1.3.
Relative to a random oracle, there exists an \(\mathsf {NP}\) search problem that is solvable by quantum polynomial-time (QPT) machines but not by classical probabilistic polynomial-time (PPT) machines.
Our construction also readily adapts to give one-way functions that are classically secure but quantum insecure. We can alternatively use minimal-round proofs of quantumness generically to give a one-way function counterexample, and even a collision resistance counterexample:
Theorem 1.4.
Relative to a random oracle, there exists a compressing function that is collision resistant against any computationally unbounded adversary making a polynomial number of classical queries, but is not even one-way against quantum adversaries.
Using results from [58], we also obtain an unconditional analogous counterexample for digital signatures and CPA-secure PKE (the latter requiring assuming classically CPA-secure PKE). Previous such results required LWE (in the case of signatures) or highly structured additional oracles (in the case of CPA-secure encryption).
Our results do not appear to contradict Conjecture 1.1, since they are for search problems as opposed to decision problems. In particular, our quantum algorithm for generating proofs of quantumness/breaking the one-wayness does not compute a function, but rather samples from a set of possible values. Assuming Conjecture 1.1 shows that this is inherent. We leverage this feature to yield the following:
Theorem 1.5.
Assuming Conjecture 1.1, relative to a random oracle there exists a one- (resp. two-) message certifiable randomness protocol against a single uniform (resp. non-uniform) quantum device. By adding a final message from the verifier to the prover, our protocols become public coin and publicly verifiable.
Here, certifiable randomness [17] means the classical verifier, if it accepts, is able to expand a small random seed \(s\) into a truly random bit-string \(x,|x|\gg |s|\), with the aid of a single quantum device. Conditioned on the verifier accepting, \(x\) remains truly random even if the device is adversarial. We remark that \(|x|\gg |s|\) is the key property that makes certifiable randomness non-trivial: It enables the verifier to create a large random string \(x\) from a much smaller random seed \(s\). In addition, we remark that the random seed \(s\) is used only in the verifier’s postprocessing for deriving \(x\) and not used during the protocol execution in our construction.
We note that our results are the best possible: if the final message is from prover to verifier, the protocols cannot be publicly verifiable. Indeed, the prover could force, say, the first output bit to be 0 by generating a candidate final message, computing what the output string would be, and then re-sampling the final message until the first output bit is 0. Our one- and two-message protocols therefore require verifier random coins that are kept from the prover. In our protocols, however, these secret random coins can be sampled and even published after the prover’s message. The result is that, by adding a final message from the verifier, our protocols are public coin and publicly verifiable.
Instantiating the random oracle. We next instantiate the random oracle in the above construction with a standard-model cryptographic hash, such as SHA2. We cannot hope to prove security unconditionally. Nevertheless, the resulting construction is quite plausibly secure. Indeed, it is common practice in cryptography to prove security of a hash-based protocol relative to random oracles [12], and then assume that security also applies when the random oracle is replaced with a concrete well-designed cryptographic hash. While there are known counter-examples to the random oracle assumption [21], they are quite contrived and are not known to apply to our construction.
We thus obtain a plausible construction of non-interactive proofs of quantumness based on a cryptographic hash, such as SHA2. This gives a completely new approach to non-oracular quantum advantage. What’s more, it is widely believed that SHA2 is only capable of yielding symmetric key cryptosystems. Impagliazzo and Rudich [38] show that there is no classical black box construction of PKE from cryptographic hash functions, and no quantum or non-black box techniques are known to overcome this barrier.2 In fact, what [38] show is that, in the world of computationally unbounded but query bounded (classical) attackers, random oracles cannot be used to construct PKE. But this is exactly the setting of the random oracle model (ROM) we consider.
Therefore, by instantiating the random oracle with a well-designed hash such as SHA2, we obtain a Minicrypt construction of a proof of quantumness. We likewise obtain candidate Minicrypt examples of \(\mathsf {NP}\) search problems in \(\mathsf {BQP}\setminus \mathsf {BPP}\), functions that are classically one-way but quantumly easy, and even certifiable randomness.

1.2 Discussion

Other sources of quantum advantage. Other candidates for super-polynomial quantum speed-ups are known. Aaronson and Arkhipov [2] and Bremner, Jozsa, and Shepherd [19] give a sampling task with such a speed-up, based on plausible complexity-theoretic constructions. Similar sampling tasks are at the heart of current real-world demonstrations of quantum advantage. More recently, Brakerski et al. [17] provided a proof of quantumness from the Learning With Errors (LWE) assumption, and Morimae and Yamakawa [48] give a construction from general trapdoor permutations.
We note, however, that none of these alternate sources of quantum advantage correspond to \(\mathsf {NP}\) search problems, as there is no way to verify the output. In the case of [2, 19], this is because the task is to sample from a distribution, and it is in general hard to tell if an algorithm samples from a given distribution. In the case of [17, 48], this is due to the interactive protocols being private coin.
Why \(\mathsf {NP}\) search problems? Most real-life problems of interest can be phrased as \(\mathsf {NP}\) search problems, so it is a natural class of problems to study. Our work gives the first evidence besides period finding of a quantum advantage for this class.
Moreover, \(\mathsf {NP}\) means that solutions can be efficiently verified. For existing sampling-based demonstrations of quantum advantage [2, 19], verification is roughly as hard as classically sampling. Proofs of quantumness from LWE or trapdoor permutations [17, 48] do admit verification, but the verifier must use certain secrets computed during the protocol in order to verify. This means that only the verifier involved in the protocol is convinced of the quantumness of the prover.
In contrast, using an \(\mathsf {NP}\) problem means anyone can look at the solution and verify that it is correct. Moreover, our particular instantiation allows for sampling the problems obliviously, meaning we obtain a public coin proof of quantumness where the verifier’s message is simply uniform random coins. Against uniform adversaries, we can even just set the verifier’s message to \(000\cdots\), eliminating the verifier’s message altogether.
The QROM. In classical cryptography, the ROM [12] models a hash function as a truly random function, and proves security in such a world. This model is very important for providing security justifications of many practical cryptosystems.
Boneh et al. [16] explain that, when moving to the quantum setting, one needs to model the random oracle as a quantum random oracle model (QROM). Many works (e.g., [23, 29, 39, 40, 46, 52, 55, 60]) have been devoted to lifting classical ROM results to the QROM. Ambainis, Rosmanis, and Unruh [5] demonstrated that some random-oracle-based constructions that are known to be secure against classical adversaries are insecure against quantum adversaries. However, their counterexamples are insecure even against quantum adversaries in the classical ROM (i.e., those that only make classical queries), and thus they do not indicate a difference between the classical ROM and QROM. To date, most of the main classical ROM results have successfully been lifted. This leads to a natural question: do all ROM results lift to the QROM?
Recently, Yamakawa and Zhandry [58], leveraging recent proofs of quantumness [18] in the random oracle, give a counter-example assuming the hardness of LWE. Their counter-examples were limited to highly interactive security models such as digital signatures and CCA-secure PKE.
By relying on LWE, [58] left open the possibility that unconditional ROM results may all lift to the QROM. Our proof of quantumness refutes this, showing that the ROM and QROM are separated even in the unconditional setting. Our results also give counterexamples for many more objects, especially for objects like one-way functions and collision resistance which have essentially non-interactive security experiments.
Subsequent work. Our techniques have already been used in a couple of subsequent works. Liu [45] uses our construction to give an exponential separation between classical and quantum advice, relative to a random oracle. Arora et al. [7] use our construction to give a proof of quantum depth relative to random oracles.

1.3 Overview

Let \(\Sigma\) be an exponentially-sized alphabet, and \(C\subseteq \Sigma ^n\) be an error correcting code over \(\Sigma\). Let \(O:\Sigma \rightarrow \lbrace 0,1\rbrace\) be a function. Consider the following function \(f_C^O:C\rightarrow \lbrace 0,1\rbrace ^n\) derived from \(C,O\):
\begin{equation*} f_C^O(c_1,\dots ,c_n)=(O(c_1),\dots ,O(c_n)). \end{equation*}
In other words, \(f_C^O\) simply applies \(O\) independently to each symbol in the input codeword. We will model \(O\) as a uniformly random function. Note that if \(f\) were applied to arbitrary words in \(\Sigma ^n\), then it would just be the parallel application of a function with one-bit outputs, which can be trivially inverted. By restricting the domain to only codewords, we show, under a suitable choice of code elaborated on below, that:
\(f_C^O\) is unconditionally one-way against classical probabilistic algorithms making polynomially-many queries to \(O\). It is even infeasible to find \(c\in C\) such that \(f_C^O(c)=0^n\).
There exists a quantum algorithm which, given any \(y\in \lbrace 0,1\rbrace ^n\), samples statistically close to uniformly from the set of pre-images \(c\in C\) such that \(f_C^O(c)=y\).
From these properties, we immediately obtain a weak version of Theorem 1.4 which only considers classical one-wayness. We explain in Section 7.2 how to obtain the full Theorem 1.4. To prove quantumness, one simply produces \(c\in C\) such that \(f_C^O(c)=0^n\), giving Theorem 1.2. Since inverting one-way functions is in \(\mathsf {NP}\), this also immediately gives Corollary 1.3. We now explain how we justify these facts about \(f_C^O\).
Classical hardness. Assume \(C\) satisfies the following properties: (1) the set of symbols obtained at each position are distinct, and (2) \(C\) is information-theoretically list-recoverable.3 Here, we take list-recoverability to mean that, given polynomial-sized sets \(S_i,i\in [n]\) of possible symbols for each position, there exist a sub-exponential sized (in \(n\)) list of codewords \(c\) such that \(c_i\in S_i\) for all \(i\in [n]\). The list size remains sub-exponential even if we include codewords such that \(c_i\notin S_i\) for a few positions.
Property (1) can be obtained generically by replacing \(\Sigma \mapsto [n]\times \Sigma\), where \((c_1,\dots ,c_n)\mapsto ((1,c_1),\dots ,(n,c_n))\). Property (2) is satisfied by folded Reed-Solomon codes, as shown by Guruswami and Rudra [30].
Assuming (1) and (2), we can show classical hardness. Fix an image \(y\). We can assume without loss of generality that the adversary always evaluates \(f_C^O(c)\) for any pre-image \(c\) it outputs. Suppose for our discussion here, that all queries to \(O\) were made in parallel. Then any polynomial-sized set of queries corresponds to a collection of \(S_i\). List recoverability means that there are at most \(2^{n^c},c\lt 1\) codewords consistent with the \(S_i\). For each consistent codeword, the probability of being a pre-image of \(y\) is at most \(2^{-n}\) over the choice of random oracle. Union-bounding over the list of consistent codewords shows that the probability that any consistent codeword is a pre-image is exponentially small. With some effort, we can show the above holds even for adaptively chosen queries.
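As an added example (not code from the paper), the following toy instantiation of \(f_C^O\) makes the definition above and the position-augmentation of property (1) concrete. It assumes a plain Reed–Solomon code over \(\mathbb {F}_{31}\) with \(n=8,k=3\) in place of the folded Reed–Solomon code, and SHA-256 in place of the random oracle (the paper's own instantiation suggestion, here with constructed parameters far too small to be hard). It shows the public verifier (code membership plus \(n\) oracle queries), that inversion over all of \(\Sigma ^n\) is trivial coordinate by coordinate, and that the only classical inverter on \(C\) here is exhaustive search whose cost is counted in oracle queries, the resource the list-recoverability argument bounds.

```python
"""Toy instantiation of f_C^O (constructed example; not the paper's code)."""
import hashlib

q = 31                         # prime; the alphabet Sigma is F_q (toy size)
n = 8                          # code length
k = 3                          # dimension: messages are polynomials of degree < k
POINTS = list(range(1, n + 1))  # distinct evaluation points in F_q (needs n <= q-1)
ZERO = (0,) * n                # the image y = 0^n used in the proof of quantumness
STATS = {"queries": 0}         # oracle-query counter: the resource the hardness proof bounds


def oracle(i, sigma):
    """O applied to the augmented symbol (i, sigma), i.e. property (1) of the overview.

    SHA-256 stands in for the random oracle (an assumption, as in Section 1.1)."""
    STATS["queries"] += 1
    digest = hashlib.sha256(f"{i}:{sigma}".encode()).digest()
    return digest[0] & 1


def rs_encode(msg):
    """Codeword: evaluate the polynomial with coefficients msg at every point in POINTS."""
    assert len(msg) == k
    return tuple(sum(a * pow(x, j, q) for j, a in enumerate(msg)) % q for x in POINTS)


def lagrange_eval(xs, ys, x):
    """Evaluate at x the unique polynomial of degree < len(xs) through (xs, ys) over F_q."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def in_code(word):
    """Membership test for C: interpolate from the first k symbols, re-check all positions."""
    if len(word) != n or any(not 0 <= s < q for s in word):
        return False
    xs, ys = POINTS[:k], word[:k]
    return all(lagrange_eval(xs, ys, x) == s for x, s in zip(POINTS, word))


def f(word):
    """f_C^O(c) = (O(1,c_1), ..., O(n,c_n)); the verifier restricts the domain to C."""
    return tuple(oracle(i, s) for i, s in enumerate(word, start=1))


def verify(c, y=ZERO):
    """Public verification with no secrets: n oracle queries plus a code-membership test."""
    return in_code(c) and f(c) == y


def invert_unrestricted(y):
    """Per-coordinate inversion over Sigma^n: trivial, which is why the domain must be C.

    The returned word is almost never a codeword, so verify() rejects it."""
    word = []
    for i, bit in enumerate(y, start=1):
        sigma = next((s for s in range(q) if oracle(i, s) == bit), None)
        if sigma is None:
            return None
        word.append(sigma)
    return tuple(word)


def invert_on_code(y):
    """Exhaustive classical search over C; cost scales with |C| = q^k oracle evaluations.

    Returns (preimage codeword or None, oracle queries spent by this search)."""
    start = STATS["queries"]
    for m in range(q ** k):
        msg = tuple((m // q ** j) % q for j in range(k))
        c = rs_encode(msg)
        if f(c) == y:
            return c, STATS["queries"] - start
    return None, STATS["queries"] - start


if __name__ == "__main__":
    c, cost = invert_on_code(ZERO)
    print("preimage of 0^n in C:", c, "found with", cost, "oracle queries")
    print("verifier accepts:", verify(c, ZERO), "using", n, "oracle queries")
```

With the toy parameters a preimage of \(0^n\) exists with overwhelming probability over the hash, and the search spends on the order of \(2^n\cdot n\) queries to find one, whereas the honest verifier spends exactly \(n\).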
Remark 2.
Haitner et al. [32] construct a very similar hash function from list-recoverable codes. Their hash function assumes a multi-bit \(O\), but then XORs the results together, rather than concatenating them. They prove that their hash function is collision-resistant. Our proof of one-wayness is based on a similar idea to their proof of collision-resistance. Our novelty, and what does not appear to be possible for their construction, is the quantum pre-image finder, which we discuss next.
We note that we could, similar to [32], prove the collision resistance of \(f_C^O\) by choosing \(C\) to have an appropriate rate. However, our quantum pre-image finder constrains \(C\) to having a rate where we only know how to prove one-wayness. Proving Theorem 1.4 therefore requires a different construction, which we elaborate on in Section 7.2.
Quantum easiness. Our algorithm can be seen as loosely inspired by Regev’s quantum reduction between SIS and LWE [50]. Given an image \(y\), our goal will be to create a uniform superposition over pre-images of \(y\):
\begin{equation*} |\psi _y\rangle \propto \sum _{c\in C:f_C^O(c)=y}|c\rangle . \end{equation*}
We can view \(|\psi _y\rangle\) as the point-wise product of two vectors:
\begin{align*} |\phi \rangle &\propto \sum _{c\in C}|c\rangle \;,\;\;\;\;\;\;\;\;\;\;\text{ and }\;\;\;\;\;\;\;\;\;\; |\tau _y\rangle \propto \sum _{c\in {\mathbf {\Sigma ^n}}:f_C^O(c)=y}|c\rangle . \end{align*}
Observe that \(|\tau _y\rangle\) looks like \(|\psi _y\rangle\), except that the domain is no longer constrained to codewords. Once we have the state \(|\psi _y\rangle\), we can simply measure it to obtain a random pre-image of \(y\). We will show how to construct \(|\psi _y\rangle\) in reverse: we will show a sequence of reversible transformations that transform \(|\psi _y\rangle\) into states we can readily construct. By applying these transformations in reverse we obtain \(|\psi _y\rangle\). To do so, we will now impose that \(\Sigma\) is a vector space over \(\mathbb {F}_q\) for some prime \(q\), and that \(C\) is linear over \(\mathbb {F}_q\).4 This means there is a dual code \(C^\perp\), such that \(c\cdot d=0\) for all \(c\in C,d\in C^\perp\).
We now consider the quantum Fourier transform \(\mathsf {QFT}\) of \(|\psi _y\rangle\).5 Write:
\begin{align*} |\widehat{\phi }\rangle &:=\mathsf {QFT}|\phi \rangle \propto \sum _{c\in \Sigma ^n}\alpha _c |c\rangle =\sum _{c\in C^\perp }|c\rangle ,\\ |\widehat{\tau }_y\rangle &:=\mathsf {QFT}|\tau _y\rangle \propto \sum _{c\in \Sigma ^n}\beta _{y,c} |c\rangle . \end{align*}
Above, we used the fact that the QFT of a uniform superposition over a linear space is just the uniform superposition over the dual space. Then, by the Convolution Theorem, the QFT of \(|\psi _y\rangle\) is the convolution of \(|\widehat{\phi }\rangle\) and \(|\widehat{\tau }_y\rangle\):
\begin{equation*} |\widehat{\psi }_y\rangle :=\mathsf {QFT}|\psi _y\rangle \propto \sum _{c,e\in \Sigma ^n}\alpha _c\beta _{y,e}|c+e\rangle =\sum _{c\in C^\perp ,e\in \Sigma ^n}\beta _{y,e} |c+e\rangle . \end{equation*}
The next step is to decode \(c\) and \(e\) from \(c+e\); assuming we had such a decoding, we can apply it to obtain the state proportional to
\begin{equation*} \sum _{c\in C^\perp ,e\in \Sigma ^n}\beta _{y,e}|c,e\rangle =|\widehat{\phi }\rangle |\widehat{\tau }_y\rangle . \end{equation*}
We can then construct \(|\widehat{\phi }\rangle\) as the QFT of \(|\phi \rangle\), which we can generate using the generator matrix for \(C\). We will likewise construct \(|\widehat{\tau }_y\rangle\) as the QFT of \(|\tau _y\rangle\). To construct \(|\tau _y\rangle\), we note that \(|\tau _y\rangle\) is a product of \(n\) states that look like:
\begin{equation*} |\tau _{i,y_i}\rangle \propto \sum _{\sigma \in \Sigma :O(\sigma)=y_i}|\sigma \rangle . \end{equation*}
Since each \(y_i\) is just a single bit, we can construct such states by applying \(O\) to a uniform superposition of inputs, measuring the result, and starting over if we obtain the incorrect \(y_i\).
It remains to show how to decode \(c,e\) from \(c+e\). We observe that \(|\widehat{\tau }_{i,y_i}\rangle\) has roughly half of its weight on 0, whereas the remaining half the weight is essentially uniform (though with complex phases) since \(O\) is a random function. This means we can think of \(e\) as a vector where each symbol is 0 with probability \(1/2\), and random otherwise. In other words, \(c+e\) is a noisy version of \(c\) following an analog of the binary symmetric channel generalized to larger alphabets. If the dual code \(C^\perp\) were efficiently decodable under such noise, then one can decode \(c\) (and hence \(e\)) from \(c+e\).
Toward that end, we show that \(c\) is uniquely and efficiently decodable (with high probability) provided the rate of \(C^\perp\) is not too high. In our case, where \(C\) is a folded Reed-Solomon code, \(C^\perp\) is essentially another Reed-Solomon code, and we can decode efficiently using list-decoding algorithms [31]. We can show that the list-decoding results in a unique codeword (with high probability) for the above described error distribution assuming \(C\) to have an appropriate rate.
There are a couple of important caveats with the above. First is that, to use list-recoverability to prove one-wayness, we actually needed to augment \(C\), which broke linearity. This is easily overcome by only applying the QFT to the linear part of \(C\).
More importantly, and much more challenging, we can only decode \(c+e\) as long as \(e\) has somewhat small Hamming weight. While such \(e\) occur with overwhelming probability, there will always be a negligible fraction of decoding errors. The problem is that the constant of proportionality in the Convolution Theorem is exponentially large, and therefore the negligible decoding errors from our procedure could end up being blown up and drowning out \(|\widehat{\psi }_y\rangle\). This is not just an issue with our particular choice of decoding algorithm, as for large enough Hamming weight decoding errors are guaranteed. What this means is that the map \(|\widehat{\phi }\rangle |\widehat{\tau }_y\rangle \mapsto |\widehat{\psi }_y\rangle\) is not even unitary, and \(|\widehat{\psi }_y\rangle\) is not even unit norm.
By exploiting the particular structure of our coding problem and the uniform randomness of the oracle \(O\), we are able to resolve the above difficulties and show that our algorithm does, in fact, produce pre-images of \(y\) as desired.
Certifiable randomness. We next explain that any efficient quantum algorithm for inverting \(f_C^O\) likely produces random pre-images. After all, suppose there was an alternative quantum algorithm which inverted \(f_C^O\), such that it finds a deterministic pre-image on any given \(y\). If we look at any single bit of the pre-image, then Conjecture 1.1 would imply that this bit can be simulated by a polynomial-query classical algorithm. By applying Conjecture 1.1 to every bit of the pre-image, we thus obtain a classical query algorithm for inverting \(f_C^O\), which we know is impossible.
This immediately gives us a proof of entropy: the prover generates a pre-image \(c\) of an arbitrary \(y\) (even \(y=0^n\)), and the verifier checks that \(f_C^O(c)=y\). If the check passes, the verifier can be convinced that \(c\) was not deterministically generated, and therefore has some randomness. Though this only ensures that \(c\) is not completely deterministic, by using the fact that \(f_C^O\) is one-way even against sub-exponential-query algorithms, we can extend the above argument to show that the min-entropy must be polynomial.
Once we have a string with min-entropy, we can easily get uniform random bits by having the verifier extract using a private random seed.
Extension to non-uniform adversaries. Note that the above results all considered fixing an adversary first, and then sampling a random oracle. A standard complexity theoretic argument shows that, in the case of uniform adversaries, we can switch the order of quantifiers, and choose the random oracle first and then the adversary.
For non-uniform adversaries, we have to work harder, and direct analogs of the results above may in fact be impossible: for example, a non-uniform adversary (chosen after the random oracle) could have a valid proof of quantumness hardcoded.
For proofs of quantumness, we can leverage the “salting defeats preprocessing” result of [26, 27] to readily get a two-message public coin proof of quantumness against non-uniform attackers. For certifiable entropy/randomness, this also works, except the known bounds would end up requiring the verifier’s message to be longer than the extracted string. This is a consequence of leveraging the sub-exponential one-wayness of \(f_C^O\) to obtain polynomially-many random bits. Since the verifier’s message must be uniform, this would somewhat limit the point of a proof of randomness. We show via careful arguments how to overcome this limitation, obtaining two-message proofs of randomness where the verifier’s message remains small in the classical advice setting. We leave it open to extend our result to construct proofs of randomness that are secure against non-uniform adversaries with quantum advice.
Extension to worst-case completeness. Our analysis of the quantum algorithm seems to inherently rely on the oracle being uniformly random. We show how to tweak our scheme so that correctness holds for any oracle. The idea is to set \(O=O^{\prime }\oplus P\), where \(O^{\prime }\) is the oracle, and where \(P\) is a \(k\)-wise independent function for some sufficiently large \(k\). The point is that \(P\) is supplied as part of the problem solution, and so is chosen by the quantum algorithm. This makes \(O\) \(k\)-wise independent regardless of \(O^{\prime }\), which is sufficient for the analysis.
Of course, introducing \(P\) makes the classical problem easier, since now the classical adversary has some flexibility in constructing \(O\). We handle this by asking the adversary to find many solutions relative to different \(O^{\prime }\), but the same \(P\). This amplifies hardness, after which we can union-bound over all possible \(P\) and still maintain classical hardness. The quantum algorithm, on the other hand, can solve each of the individual instances with high probability, so it can easily solve all instances.
This gives the following conceptual implication: By regarding the oracle as an \(N=2^n\)-bit input, we obtain a relational problem \(R\subseteq \lbrace 0,1\rbrace ^N \times \lbrace 0,1\rbrace ^{m}\) for \(m=\mathsf {poly}(n)\) such that (1) \(R\) is classically efficiently verifiable, that is, we can test if \((x,w)\in R\) given \(w\) and \(\mathsf {poly}(n)\) classical queries to \(x\), and (2) finding \(w\) such that \((x,w)\in R\) is easy with \(\mathsf {poly}(n)\) quantum queries to \(x\) for all \(x\) but hard with \(\mathsf {poly}(n)\) classical queries on average over \(x\).
Note that this is a slightly different setting than our \(\mathsf {NP}\) relation above, where the instances and witnesses were both polynomial-length strings, and the oracle is used to determine which witnesses are valid for a given instance.

1.4 Acknowledgements

We thank Scott Aaronson for helpful suggestions, including the conceptual implication of worst-case completeness. We thank anonymous reviewers of FOCS 2022, QIP 2023, and Journal of the ACM for their helpful comments. Mark Zhandry is supported in part by an NSF CAREER award.

1.5 Organization

The remainder of the article is organized as follows. Section 2 gives some basic preliminaries, including for quantum computation. Section 3 defines the various objects we will be considering and gives some basic relations. Section 4 discusses the properties of error correcting codes we will need. Section 5 gives a technical lemma that is needed to prove the correctness of our protocol, that may be more broadly useful. Section 6 gives our proof of quantumness, while Section 7 uses this to give counterexamples for various cryptographic primitives. Finally, Section 8 gives our proofs of randomness.

2 Preliminaries

Basic notations. We use \(\lambda\) to mean the security parameter throughout the article. For a set \(X\), \(|X|\) is the cardinality of \(X\). For a non-empty finite set \(X\), we denote by \(x{\xleftarrow{$}} X\) to mean that \(x\) is uniformly taken from \(X\). For a distribution \(D\) over a set \(X\), we denote by \(x{\xleftarrow{$}} D\) to mean that \(x\in X\) is taken according to the distribution \(D\). For sets \(\mathcal {X}\) and \(\mathcal {Y}\), \(\mathsf {Func}(\mathcal {X},\mathcal {Y})\) denotes the set of all functions from \(\mathcal {X}\) to \(\mathcal {Y}\). For a positive integer \(n\), \([n]\) means a set \(\lbrace 1, \ldots ,n\rbrace\). For a random variable \(X\), \(\mathbb {E}[X]\) denotes its expected value. For random variables \(X\) and \(X^{\prime }\), \(\Delta (X,X^{\prime })\) denotes the statistical distance between \(X\) and \(X^{\prime }\). For a random variable \(X\), \(H_\infty (X)\) denotes the min-entropy of \(X\), that is, \(H_\infty (X)=-\log \max _{x}\Pr [X=x]\). For a quantum or randomized classical algorithm \(\mathcal {A}\), we denote \(y{\xleftarrow{$}} \mathcal {A}(x)\) to mean that \(\mathcal {A}\) outputs \(y\) on input \(x\). For a randomized classical algorithm \(\mathcal {A}\), we denote \(y\leftarrow \mathcal {A}(x;r)\) to mean that \(\mathcal {A}\) outputs \(y\) on input \(x\) and randomness \(r\).
Notations for quantum states. For a not necessarily normalized state \(\mathinner {|{\psi }\rangle }\), we denote by \(\Vert \mathinner {|{\psi }\rangle }\Vert\) to mean its Euclidean norm. For not necessarily normalized quantum states \(\mathinner {|{\psi }\rangle }\) and \(\mathinner {|{\phi }\rangle }\) and \(\epsilon \gt 0\), we denote by \(\mathinner {|{\psi }\rangle }\approx _{\epsilon } \mathinner {|{\phi }\rangle }\) to mean \(\Vert \mathinner {|{\psi }\rangle }-\mathinner {|{\phi }\rangle }\Vert \le \epsilon\). We simply write \(\mathinner {|{\psi }\rangle }\approx \mathinner {|{\phi }\rangle }\) to mean \(\mathinner {|{\psi }\rangle }\approx _{\mathsf {negl}(\lambda)} \mathinner {|{\phi }\rangle }\). By the triangle inequality, if we have \(\mathinner {|{\psi }\rangle }\approx _\epsilon \mathinner {|{\phi }\rangle }\) and \(\mathinner {|{\phi }\rangle }\approx _\delta \mathinner {|{\tau }\rangle }\), then we have \(\mathinner {|{\psi }\rangle }\approx _{\epsilon +\delta } \mathinner {|{\tau }\rangle }\).
For not necessarily normalized quantum states \(\mathinner {|{\psi }\rangle }\) and \(\mathinner {|{\phi }\rangle }\), we denote by \(\mathinner {|{\psi }\rangle }\propto \mathinner {|{\phi }\rangle }\) to mean that \(\mathinner {|{\psi }\rangle }=C\mathinner {|{\phi }\rangle }\) for some \(C\in \mathbb {C}\setminus \lbrace 0\rbrace\).

2.1 Finite Fields

For a prime power \(q=p^r\), \(\mathbb {F}_q\) denotes a field of order \(q\). We use this notation throughout the article, and whenever we write \(\mathbb {F}_q\), \(q\) should be understood as a prime power. We denote by \(\mathbf {0}\) to mean \((0, \ldots ,0)\in \mathbb {F}_q^n\) where \(n\) will be clear from the context. For \(\mathbf {x}=(x_1, \ldots ,x_n)\in \mathbb {F}_q^n\) and \(\mathbf {y}=(y_1, \ldots ,y_n)\in \mathbb {F}_q^n\), we define \(\mathbf {x}\cdot \mathbf {y}:=\sum _{i=1}^{n}x_iy_i\).
We often consider vectors \(\mathbf {x}\in \Sigma ^n\) over the alphabet \(\Sigma =\mathbb {F}_q^m\). We identify \(\Sigma ^n\) and \(\mathbb {F}_q^{nm}\) in the canonical way, that is, we identify \(((x_1,\ldots ,x_m),\ldots ,(x_{(n-1)m+1},\ldots ,x_{nm}))\in \Sigma ^n\) and \((x_1,x_2,\ldots , x_{nm})\in \mathbb {F}_q^{nm}\). For \(\mathbf {x}=(\mathbf {x}_1, \ldots ,\mathbf {x}_n)\in \Sigma ^n\) and \(\mathbf {y}=(\mathbf {y}_1, \ldots ,\mathbf {y}_n)\in \Sigma ^n\), we define \(\mathbf {x}\cdot \mathbf {y}:=\sum _{i=1}^{n}\mathbf {x}_i\cdot \mathbf {y}_i\).
The trace function \(\mathrm{Tr}:\mathbb {F}_q\rightarrow \mathbb {F}_p\) is defined by
\begin{align*} \mathrm{Tr}(x):=\sum _{i=0}^{r-1}x^{p^{i}}. \end{align*}
The trace function is \(\mathbb {F}_p\)-linear, that is, for any \(a,b\in \mathbb {F}_p\) and \(x,y\in \mathbb {F}_q\), we have
\begin{align*} \mathrm{Tr}(ax+by)=a\mathrm{Tr}(x)+b\mathrm{Tr}(y). \end{align*}
We let \(\omega _p:=e^{2\pi i/p}\). For any \(\mathbf {x}\in \mathbb {F}_q^n \setminus \lbrace \mathbf {0}\rbrace\), we have
\begin{align} \sum _{\mathbf {y}\in \mathbb {F}_q^n}\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {y})}=0. \tag{1} \end{align}
The multiplicative group \(\mathbb {F}_q^*\) of \(\mathbb {F}_q\) is cyclic, and thus there is an element \(\gamma \in \mathbb {F}_q^*\) such that
\begin{align*} \lbrace \gamma ^{i}\rbrace _{i\in [q-1]}=\mathbb {F}_q^*. \end{align*}
For \(\mathbf {x}\in \mathbb {F}_q^n\), we denote by \(\mathsf {hw}(\mathbf {x})\) to mean the Hamming weight of \(\mathbf {x}\), that is, \(\mathsf {hw}(\mathbf {x}):=|\lbrace i\in [n]: x_i \ne 0\rbrace |\) where \(\mathbf {x}=(x_1,\ldots ,x_n)\). For \(\mathbf {x}=(x_1,\ldots ,x_n) \in \mathbb {F}_q^n\) and a subset \(S\subseteq [n]\), we denote by \(\mathbf {x}_S\) to mean \((x_i)_{i\in S}\).

2.2 Quantum Fourier Transform over Finite Fields

We review known facts on quantum Fourier transform over finite fields. On a quantum system over a finite field \(\mathbb {F}_q\), a quantum Fourier transform is a unitary denoted by \(\mathsf {QFT}_{\mathbb {F}_q}\) such that for any \(x\in \mathbb {F}_q\),
\begin{align*} \mathsf {QFT}_{\mathbb {F}_q}\mathinner {|{x}\rangle } = \frac{1}{\sqrt {q}}\sum _{z\in \mathbb {F}_q}\omega _p^{\mathrm{Tr}(x \cdot z)}\mathinner {|{z}\rangle }. \end{align*}
A quantum Fourier transform over \(\mathbb {F}_q\) can be approximated to within error \(\epsilon\) in time polynomial in \(\log q\) and \(\log 1/\epsilon\) [28, 57]. For ease of exposition, we ignore the approximation error in the rest of the article since it can be made exponentially small by a polynomial-size quantum circuit.
We often consider quantum systems over the alphabet \(\Sigma =\mathbb {F}_q^m\) for some positive integer \(m\). We define the QFT over \(\Sigma\) to be the \(m\)-tensor product of \(\mathsf {QFT}_{\mathbb {F}_q}\): For \(\mathbf {x}=(x_1, \ldots ,x_m)\in \Sigma\),
\begin{align*} \mathsf {QFT}_{\Sigma }\mathinner {|{\mathbf {x}}\rangle }&:= \mathsf {QFT}_{\mathbb {F}_q}^{\otimes m}\mathinner {|{x_1}\rangle }\mathinner {|{x_2}\rangle }\cdots \mathinner {|{x_m}\rangle }\\ &=\frac{1}{\sqrt {|\Sigma |}}\sum _{\mathbf {z}\in \Sigma }\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z})}\mathinner {|{\mathbf {z}}\rangle } \end{align*}
where the second equality follows from the definition of \(\mathsf {QFT}_{\mathbb {F}_q}\) and linearity of \(\mathrm{Tr}\). Similarly, for any positive integer \(n\) and \(\mathbf {x}\in \Sigma ^n\), we have
\begin{align*} \mathsf {QFT}_{\Sigma }^{\otimes n}\mathinner {|{\mathbf {x}}\rangle } = \frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {z}\in \Sigma ^n}\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z})}\mathinner {|{\mathbf {z}}\rangle } \end{align*}
by the definition of \(\mathsf {QFT}_{\Sigma }\) and linearity of \(\mathrm{Tr}\).
For a function \(f:\Sigma ^n\rightarrow \mathbb {C}\), we define
\begin{align*} \hat{f}(\mathbf {z}):=\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {x}\in \Sigma ^n}f(\mathbf {x})\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z})}. \end{align*}
Then it is easy to see that we have
\begin{align*} \mathsf {QFT}_{\Sigma }^{\otimes n}\sum _{\mathbf {x}\in \Sigma ^n} f(\mathbf {x})\mathinner {|{\mathbf {x}}\rangle } = \sum _{\mathbf {z}\in \Sigma ^n} \hat{f}(\mathbf {z})\mathinner {|{\mathbf {z}}\rangle }. \end{align*}
For functions \(f:\Sigma ^n\rightarrow \mathbb {C}\) and \(g:\Sigma ^n\rightarrow \mathbb {C}\), \(f\cdot g\) and \(f\ast g\) denote the point-wise product and convolution of \(f\) and \(g\), respectively, that is,
\begin{align*} &(f\cdot g)(\mathbf {x}):=f(\mathbf {x})\cdot g(\mathbf {x})\\ &(f\ast g)(\mathbf {x}):=\sum _{\mathbf {y}\in \Sigma ^n}f(\mathbf {y})\cdot g(\mathbf {x}-\mathbf {y}). \end{align*}
We have the following standard lemmas. We include the proofs for completeness.
Lemma 2.1 (Parseval’s Equality).
For any \(f:\Sigma ^n\rightarrow \mathbb {C}\), we have
\begin{align*} \sum _{\mathbf {x}\in \Sigma ^n}|f(\mathbf {x})|^2=\sum _{\mathbf {z}\in \Sigma ^n}|\hat{f}(\mathbf {z})|^2. \end{align*}
Proof.
Since \(\mathsf {QFT}_{\mathbb {F}_q}\) is unitary, \(\mathsf {QFT}_{\Sigma }^{\otimes n}\) is also unitary. This immediately implies Lemma 2.1. □
Lemma 2.2.
Let \(m\) be a positive integer that divides \(n\). Suppose that we have \(f_i:\Sigma \rightarrow \mathbb {C}\) for \(i\in [n]\) and \(f:\Sigma ^n\rightarrow \mathbb {C}\) is defined by
\begin{align} f(\mathbf {x}):=\prod _{i\in [n]}f_i(\mathbf {x}_i) \tag{2} \end{align}
where \(\mathbf {x}=(\mathbf {x}_1,\mathbf {x}_2, \ldots ,\mathbf {x}_n)\). Then, we have
\begin{align*} \hat{f}(\mathbf {z})=\prod _{i\in [n]}\hat{f}_i(\mathbf {z}_i) \end{align*}
where \(\mathbf {z}=(\mathbf {z}_1,\mathbf {z}_2, \ldots ,\mathbf {z}_n)\).
Proof.
This can be proven by the following equalities:
\begin{align*} \hat{f}(\mathbf {z}) &=\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {x}\in \Sigma ^n}f(\mathbf {x})\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z})}\\ &=\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {x}_1\in \Sigma }\cdots \sum _{\mathbf {x}_{n}\in \Sigma }\prod _{i\in [n]} f_i(\mathbf {x}_i)\omega _p^{\mathrm{Tr}(\mathbf {x}_i\cdot \mathbf {z}_i)}\\ &=\prod _{i\in [n]}\frac{1}{|\Sigma |^{1/2}}\sum _{\mathbf {x}_i\in \Sigma }f_i(\mathbf {x}_i)\omega _p^{\mathrm{Tr}(\mathbf {x}_i\cdot \mathbf {z}_i)}\\ &=\prod _{i\in [n]}\hat{f}_i(\mathbf {z}_i) \end{align*}
where the second equality follows from Equation (2) and the linearity of \(\mathrm{Tr}\). □
Lemma 2.3 (Convolution Theorem).
For functions \(f:\Sigma ^n\rightarrow \mathbb {C}\), \(g:\Sigma ^n\rightarrow \mathbb {C}\), and \(h:\Sigma ^n\rightarrow \mathbb {C}\), the following equations hold.
\begin{align} \widehat{f\cdot g} = \frac{1}{|\Sigma |^{n/2}}(\hat{f} \ast \hat{g}), \tag{3} \end{align}
\begin{align} \widehat{f\ast g} = |\Sigma |^{n/2}(\hat{f} \cdot \hat{g}), \tag{4} \end{align}
\begin{align} \widehat{f\cdot (g\ast h)} = (\hat{f} \ast (\hat{g}\cdot \hat{h})). \tag{5} \end{align}
Proof.
For any \(\mathbf {x}\in \Sigma ^n\), we have
\begin{align*} (\hat{f}\ast \hat{g})(\mathbf {x}) &=\sum _{\mathbf {y}\in \Sigma ^n}\hat{f}(\mathbf {y})\hat{g}(\mathbf {x}-\mathbf {y})\\ &=\sum _{\mathbf {y}\in \Sigma ^n}\left(\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {z}\in \Sigma ^n}f(\mathbf {z})\omega _p^{\mathrm{Tr}(\mathbf {y}\cdot \mathbf {z})}\right)\left(\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {z}^{\prime }\in \Sigma ^n}g(\mathbf {z}^{\prime })\omega _p^{\mathrm{Tr}((\mathbf {x}-\mathbf {y})\cdot \mathbf {z}^{\prime })}\right)\\ &=\frac{1}{|\Sigma |^{n}}\sum _{\mathbf {y}\in \Sigma ^n}\sum _{\mathbf {z}\in \Sigma ^n}\sum _{\mathbf {z}^{\prime }\in \Sigma ^n}f(\mathbf {z})g(\mathbf {z}^{\prime })\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z}^{\prime })}\omega _p^{\mathrm{Tr}(\mathbf {y}\cdot (\mathbf {z}-\mathbf {z}^{\prime }))}\\ &=\frac{1}{|\Sigma |^{n}}\sum _{\mathbf {z}\in \Sigma ^n}\sum _{\mathbf {z}^{\prime }\in \Sigma ^n}\left(f(\mathbf {z})g(\mathbf {z}^{\prime })\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z}^{\prime })}\sum _{\mathbf {y}\in \Sigma ^n}\omega _p^{\mathrm{Tr}(\mathbf {y}\cdot (\mathbf {z}-\mathbf {z}^{\prime }))}\right)\\ &=\frac{1}{|\Sigma |^{n}}\cdot |\Sigma |^{n} \sum _{\mathbf {z}\in \Sigma ^n}f(\mathbf {z})g(\mathbf {z})\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z})}\\ &=\sum _{\mathbf {z}\in \Sigma ^n}f(\mathbf {z})g(\mathbf {z})\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z})}\\ &=|\Sigma |^{n/2}(\widehat{f \cdot g})(\mathbf {x}) \end{align*}
where the third equality follows from the linearity of \(\mathrm{Tr}\) and the fifth equality follows from Equation (1). This implies Equation (3).
For any \(\mathbf {x}\in \Sigma ^n\), we have
\begin{align*} \widehat{(f \ast g)}(\mathbf {x}) &=\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {z}\in \Sigma ^n}(f \ast g)(\mathbf {z})\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z})}\\ &=\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {z}\in \Sigma ^n}\sum _{\mathbf {y}\in \Sigma ^n}f(\mathbf {y})g(\mathbf {z}-\mathbf {y})\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {y})}\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot (\mathbf {z}-\mathbf {y}))}\\ &=\frac{1}{|\Sigma |^{n/2}}\left(\sum _{\mathbf {y}\in \Sigma ^n}f(\mathbf {y})\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {y})}\right)\left(\sum _{\mathbf {z}^{\prime }\in \Sigma ^n}g(\mathbf {z}^{\prime })\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z}^{\prime })}\right)\\ &=|\Sigma |^{n/2}(\hat{f}\cdot \hat{g})(\mathbf {x}) \end{align*}
where the second equality follows from the linearity of \(\mathrm{Tr}\). This implies Equation (4). Equation (5) immediately follows from Equations (3) and (4). □
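To make the finite-field Fourier machinery of Sections 2.1 and 2.2 concrete, here is an added Python example (not code from the paper) that builds \(\mathbb {F}_q\) for small \(q\) from an irreducible polynomial, computes \(\mathrm{Tr}\) and \(\hat{f}\) with the paper's normalization, and numerically confirms Equation (1), Parseval's equality (Lemma 2.1) and Equations (3) and (4) of the convolution theorem. The field parameters and the test functions \(f,g\) are constructed for illustration.

```python
"""Finite-field Fourier transform of Section 2.2, checked numerically (added example)."""
import cmath
import itertools


class GF:
    """F_q with q = p^r.  Elements are length-r tuples of F_p coefficients in the
    basis 1, t, ..., t^{r-1}; `modulus` lists m_0, ..., m_r of a monic irreducible
    polynomial of degree r (constructed inputs, e.g. t^2 + t + 1 for F_4)."""

    def __init__(self, p, modulus):
        assert modulus[-1] == 1, "modulus must be monic"
        self.p, self.modulus, self.r = p, modulus, len(modulus) - 1
        self.q = p ** self.r
        self.zero = (0,) * self.r
        self.one = (1,) + (0,) * (self.r - 1)

    def elements(self):
        return [tuple(c) for c in itertools.product(range(self.p), repeat=self.r)]

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def sub(self, a, b):
        return tuple((x - y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        prod = [0] * (2 * self.r - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % self.p
        # Reduce t^d for d >= r using t^r = -(m_0 + m_1 t + ... + m_{r-1} t^{r-1}).
        for d in range(len(prod) - 1, self.r - 1, -1):
            c, prod[d] = prod[d], 0
            for k in range(self.r):
                prod[d - self.r + k] = (prod[d - self.r + k] - c * self.modulus[k]) % self.p
        return tuple(prod[: self.r])

    def power(self, a, e):
        result = self.one
        for _ in range(e):
            result = self.mul(result, a)
        return result

    def trace(self, a):
        """Tr(a) = sum_{i<r} a^{p^i}; it lies in F_p, so only the constant coefficient survives."""
        total = self.zero
        for i in range(self.r):
            total = self.add(total, self.power(a, self.p ** i))
        assert all(c == 0 for c in total[1:])
        return total[0]

    def vectors(self, n):
        """All of F_q^n (the paper's Sigma^n with Sigma = F_q^m identified with F_q^{nm})."""
        return [tuple(v) for v in itertools.product(self.elements(), repeat=n)]

    def dot(self, x, y):
        total = self.zero
        for a, b in zip(x, y):
            total = self.add(total, self.mul(a, b))
        return total

    def vsub(self, x, y):
        return tuple(self.sub(a, b) for a, b in zip(x, y))


def fourier(F, n, f):
    """hat f(z) = |Sigma|^{-n/2} sum_x f(x) omega_p^{Tr(x . z)}, f given as a dict on F_q^n."""
    omega = cmath.exp(2j * cmath.pi / F.p)
    scale = F.q ** (n / 2)
    vecs = F.vectors(n)
    return {z: sum(f[x] * omega ** F.trace(F.dot(x, z)) for x in vecs) / scale for z in vecs}


def convolve(F, n, f, g):
    """(f * g)(x) = sum_y f(y) g(x - y)."""
    vecs = F.vectors(n)
    return {x: sum(f[y] * g[F.vsub(x, y)] for y in vecs) for x in vecs}


def pointwise(f, g):
    return {x: f[x] * g[x] for x in f}


def character_sum_defect(F, n):
    """max over nonzero x of |sum_y omega_p^{Tr(x . y)}|; Equation (1) says it is 0."""
    omega = cmath.exp(2j * cmath.pi / F.p)
    vecs = F.vectors(n)
    zero = (F.zero,) * n
    return max(abs(sum(omega ** F.trace(F.dot(x, y)) for y in vecs)) for x in vecs if x != zero)


def sample_functions(F, n):
    """Two constructed complex-valued test functions on F_q^n."""
    vecs = F.vectors(n)
    f = {x: complex(i + 1, (3 * i) % 5) for i, x in enumerate(vecs)}
    g = {x: complex((7 * i) % 4, -i) for i, x in enumerate(vecs)}
    return f, g


def lemma_defects(F, n):
    """Max discrepancies for Parseval (Lemma 2.1) and Equations (3), (4) of Lemma 2.3."""
    f, g = sample_functions(F, n)
    fh, gh = fourier(F, n, f), fourier(F, n, g)
    root = F.q ** (n / 2)  # |Sigma|^{n/2}
    parseval = abs(sum(abs(v) ** 2 for v in f.values()) - sum(abs(v) ** 2 for v in fh.values()))
    lhs3, rhs3 = fourier(F, n, pointwise(f, g)), convolve(F, n, fh, gh)
    eq3 = max(abs(lhs3[x] - rhs3[x] / root) for x in lhs3)
    lhs4, rhs4 = fourier(F, n, convolve(F, n, f, g)), pointwise(fh, gh)
    eq4 = max(abs(lhs4[x] - root * rhs4[x]) for x in lhs4)
    return parseval, eq3, eq4


if __name__ == "__main__":
    for F, n in ((GF(2, [1, 1, 1]), 2), (GF(3, [1, 0, 1]), 1)):  # F_4^2 and F_9
        print(F.q, n, character_sum_defect(F, n), lemma_defects(F, n))
```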

2.3 Other Lemmas

We rely on the following well-known lemmas.
Lemma 2.4 (Chernoff Bound).
Let \(X_1, \ldots ,X_n\) be independent random variables taking values in \(\lbrace 0,1\rbrace\), \(X:=\sum _{i\in [n]}X_i\), and \(\mu :=\mathbb {E}[X]\). For any \(\delta \ge 0\), it holds that
\begin{align*} \Pr [X\ge (1+\delta)\mu ]\le e^{-\frac{\delta ^2 \mu }{2+\delta }}. \end{align*}
Lemma 2.5 ([60]).
For any sets \(\mathcal {X}\) and \(\mathcal {Y}\) of classical strings and \(q\)-quantum-query algorithm \(\mathcal {A}\), we have
\begin{equation*} \Pr [\mathcal {A}^{H}=1:H{\xleftarrow{$}} \mathsf {Func}(\mathcal {X},\mathcal {Y})]= \Pr [\mathcal {A}^{H}=1:H{\xleftarrow{$}} \mathcal {F}], \end{equation*}
where \(\mathcal {F}\) is a family of \(2q\)-wise independent hash functions from \(\mathcal {X}\) to \(\mathcal {Y}\).

3 Cryptographic Definitions in the Random Oracle Model

Here, we define various cryptographic notions we will be constructing. We consider the following variations of the ROM.
Classical random oracle model (CROM) [12]. In this model, a uniformly random function \(H:\lbrace 0,1\rbrace ^n \rightarrow \lbrace 0,1\rbrace ^m\) is chosen at the beginning where \(n=n(\lambda)\) and \(m=m(\lambda)\) are polynomials in the security parameter \(\lambda\) (that may vary depending on the protocol), and the adversary is allowed to make classical queries to \(H\). When we consider probabilities over the random oracle \(H\), it should be understood to be uniformly chosen from the set of all functions from \(\lbrace 0,1\rbrace ^n\) to \(\lbrace 0,1\rbrace ^m\) unless otherwise stated. We often refer to adversaries in the CROM as uniform classical adversaries.
Quantum random oracle model (QROM) [16]. This is identical to the CROM except that queries to \(H\) can now be quantum. In other words, a quantum oracle that applies a unitary \(\mathinner {|{x}\rangle }\mathinner {|{y}\rangle }\mapsto \mathinner {|{x}\rangle }\mathinner {|{y\oplus H(x)}\rangle }\) is available. We often refer to adversaries in the QROM as uniform quantum adversaries.
Classical random oracle model with auxiliary-inputs (AI-CROM) [56]. This is identical to the CROM except that the adversary is allowed to take a polynomial-size classical advice that depends on the random oracle. We often refer to adversaries in the AI-CROM as non-uniform classical adversaries.
QROM with (classical) auxiliary-inputs (AI-QROM) [35]. This is identical to the QROM except that the adversary is allowed to take a polynomial-size classical advice that depends on the random oracle. We often refer to adversaries in the AI-QROM as non-uniform quantum adversaries.
Remark 3.
In this article, we treat random oracles as functions defined over a finite-size domain that depends on the security parameter. This treatment is more common in cryptography. On the other hand, in complexity theory, random oracles are often treated as functions over the infinite set \(\lbrace 0,1\rbrace ^*\). By standard arguments, we can translate our results into those in the complexity theoretic setting (e.g., relative to a random oracle with probability 1, proofs of quantumness exist etc.).
Definition 3.1 (Family of Oracle-aided Functions).
For functions \({\ell _\mathsf {key}}={\ell _\mathsf {key}}(\lambda),{\ell _\mathsf {in}}={\ell _\mathsf {in}}(\lambda),{\ell _\mathsf {out}}={\ell _\mathsf {out}}(\lambda)\), a family \(\lbrace f_\lambda :\lbrace 0,1\rbrace ^{{\ell _\mathsf {key}}}\times \lbrace 0,1\rbrace ^{{\ell _\mathsf {in}}} \rightarrow \lbrace 0,1\rbrace ^{{\ell _\mathsf {out}}}\rbrace _{\lambda \in \mathbb {N}}\) of efficiently computable oracle-aided keyed functions relative to oracles \(H:\lbrace 0,1\rbrace ^n \rightarrow \lbrace 0,1\rbrace ^m\) is a family of functions \(f_{\lambda }\) that is implemented by a polynomial-time (deterministic) classical machine with oracle access to \(H\). The family of functions is keyless if \({\ell _\mathsf {key}}=0\). If we do not specify keyed or keyless, we mean keyless. We denote by \(f_{\lambda }^H\) to mean \(f_\lambda\) relative to a specific oracle \(H\).
One-way functions. We now define what it means for an oracle-aided function to be one-way relative to a random oracle. For one-way functions, we only consider keyless functions, as it is well known that keyless and keyed one-way functions are equivalent.
Definition 3.2 (One-way Functions with Random Oracles).
We say that a family \(\lbrace f_\lambda :\lbrace 0,1\rbrace ^{{\ell _\mathsf {in}}} \rightarrow \lbrace 0,1\rbrace ^{{\ell _\mathsf {out}}}\rbrace _{\lambda \in \mathbb {N}}\) of efficiently computable oracle-aided functions relative to oracles \(H:\lbrace 0,1\rbrace ^n \rightarrow \lbrace 0,1\rbrace ^m\) is one-way in the CROM (resp. QROM) if for all unbounded-time \(\mathcal {A}\) that make \(\mathsf {poly}(\lambda)\) classical (resp. quantum) queries to \(H\), there exists a negligible function \(\mathsf {negl}\) such that:
\begin{align} \Pr _H[y= f_\lambda ^{H}(x^{\prime }) :x{\xleftarrow{$}} \lbrace 0,1\rbrace ^{{\ell _\mathsf {in}}}, y= f_\lambda ^{H}(x), x^{\prime }{\xleftarrow{$}} \mathcal {A}^{H}(1^\lambda ,y)]\lt \mathsf {negl}(\lambda). \tag{6} \end{align}
We say that \(\lbrace f_\lambda :\lbrace 0,1\rbrace ^{{\ell _\mathsf {in}}} \rightarrow \lbrace 0,1\rbrace ^{{\ell _\mathsf {out}}}\rbrace _{\lambda \in \mathbb {N}}\) is one-way in the AI-CROM (resp. AI-QROM) if for all unbounded-time \(\mathcal {A}\) that make \(\mathsf {poly}(\lambda)\) classical (resp. quantum) queries to \(H\) and polynomial-size classical advice \(\lbrace a(H)\rbrace _H\), there exists a negligible function \(\mathsf {negl}\) such that:
\begin{align} \Pr _H[y= f_\lambda ^{H}(x^{\prime }) :x{\xleftarrow{$}} \lbrace 0,1\rbrace ^{{\ell _\mathsf {in}}}, y= f_\lambda ^{H}(x), x^{\prime }{\xleftarrow{$}} \mathcal {A}^{H}(a(H),1^\lambda ,y)]\lt \mathsf {negl}(\lambda). \tag{7} \end{align}
Collision-resistance. We now define collision-resistant hashing.
Definition 3.3 (Collision-resistance with Random Oracles).
We say that a family \(\lbrace f_\lambda :\lbrace 0,1\rbrace ^{{\ell _\mathsf {key}}}\times \lbrace 0,1\rbrace ^{{\ell _\mathsf {in}}} \rightarrow \lbrace 0,1\rbrace ^{{\ell _\mathsf {out}}}\rbrace _{\lambda \in \mathbb {N}}\) of efficiently computable oracle-aided keyed functions relative to oracles \(H:\lbrace 0,1\rbrace ^n\rightarrow \lbrace 0,1\rbrace ^m\) is collision-resistant in the CROM (resp. QROM) if for all unbounded-time adversaries \(\mathcal {A}\) that make \(\mathsf {poly}(\lambda)\) classical (resp. quantum) queries to \(H\), there exists a negligible function \(\mathsf {negl}\) such that:
\begin{align*} \Pr _H[f_\lambda ^{H}(k,x_0)=f_\lambda ^{H}(k,x_1)~\wedge ~x_0\ne x_1 : k{\xleftarrow{$}} \lbrace 0,1\rbrace ^{\ell _\mathsf {key}}, (x_0,x_1){\xleftarrow{$}} \mathcal {A}^{H}(k)]=\mathsf {negl}(\lambda). \end{align*}
Collision-resistance in the AI-CROM and AI-QROM is defined analogously.
A keyless hash function has \({\ell _\mathsf {key}}=0\). Note that unlike one-way functions, keyless collision resistant hash functions cannot have security against non-uniform adversaries since collisions may be hardcoded in the advice.
Proofs of quantumness. We now define proofs of quantumness, which have a quantum prover prove that they are quantum to a classical verifier. Like before, we will consider various definitions.
Definition 3.4.
A (keyed non-interactive publicly verifiable) proof of quantumness with key length \({\ell _\mathsf {key}}=\mathsf {poly}(\lambda)\) relative to a random oracle consists of algorithms \((\mathsf {Prove},\mathsf {Verify})\).
\(\mathsf {Prove}^{H}(1^\lambda ,k)\): This is a QPT algorithm that takes the security parameter \(1^\lambda\) and a key \(k\in \lbrace 0,1\rbrace ^{\ell _\mathsf {key}}\) as input, makes \(\mathsf {poly}(\lambda)\) quantum queries to the random oracle \(H\), and outputs a classical proof \(\pi\).
\(\mathsf {Verify}^{H}(1^\lambda ,k,\pi)\): This is a deterministic classical polynomial-time algorithm that takes the security parameter \(1^\lambda\), \(k\) and a proof \(\pi\), makes \(\mathsf {poly}(\lambda)\) queries to the random oracle \(H\), and outputs \(\top\) indicating acceptance or \(\bot\) indicating rejection.
We require a proof of quantumness to satisfy the following properties.
Correctness. We have
\begin{equation*} \Pr _{H,k}\left[\mathsf {Verify}^{H}(1^\lambda ,k,\pi)=\bot : \begin{array}{l} \pi {\xleftarrow{$}} \mathsf {Prove}^{H}(1^\lambda ,k) \end{array} \right]\le \mathsf {negl}(\lambda). \end{equation*}
Soundness. A proof of quantumness is \((Q(\lambda),\epsilon (\lambda))\)-sound in the CROM if, for any unbounded-time adversary \(\mathcal {A}\) that makes \(Q(\lambda)\) classical oracle queries to \(H\), we have
\begin{equation*} \Pr _{H,k}\left[\mathsf {Verify}^{H}(1^\lambda ,k,\pi ^*)=\top : \begin{array}{l} \pi ^* {\xleftarrow{$}} \mathcal {A}^H(1^\lambda ,k) \end{array} \right]\le \epsilon (\lambda). \end{equation*}
When we do not specify \(Q\) and \(\epsilon\), we require that for any unbounded-time adversary \(\mathcal {A}\) that makes \(\mathsf {poly}(\lambda)\) queries, the above probability is \(\mathsf {negl}(\lambda)\). Soundness in the AI-CROM is defined analogously. A keyless proof of quantumness has \({\ell _\mathsf {key}}=0\).
Note that, as with collision resistance, there cannot be keyless proofs of quantumness with soundness against non-uniform adversaries. Indeed, a valid proof \(\pi\) could be hardcoded in the advice.
Proofs of randomness. We now define proofs of (min-)entropy and proofs of randomness, also referred to as certifiable randomness. These are protocols by which a classical verifier with very little entropy can produce significant entropy with the help of a potentially untrusted quantum device.
We note that Brakerski et al.’s [17] work giving the first certifiable randomness protocol for a single device did not actually provide a formal definition. The work of Amos et al. [6] provides a definition of certifiable min-entropy, but we observe that it is inappropriate. Their definition says that, conditioned on the verifier accepting, the string produced by the verifier must have min-entropy. We note, however, that a malicious device may always output a deterministic value. This value may be accepted with negligible but non-zero probability. Conditioned on accepting, the entropy remains zero. We give new definitions for certifiable entropy and randomness, overcoming this limitation.
We also note that defining certifiable randomness relative to a random oracle is subtle, since the random oracle itself is an infinite source of randomness. To accurately model entropy that comes from the protocol as opposed to the random oracle, we insist that the random string produced by the verifier has min-entropy or is uniformly random, even conditioned on the random oracle.
We note that for a proof of min-entropy, the situation is analogous to collision resistance where it is potentially feasible in the uniform setting or with a key, but trivially impossible in the non-uniform keyless setting. However, for a proof of randomness, it is inherent in the non-interactive setting that the verifier must have some local randomness. This is because, in the non-interactive setting without verifier randomness, a malicious prover can keep generating samples until, say, the first bit of the output is 0. Such a string clearly will not be uniformly random. This shows that the actual string obtained by the verifier must be kept secret from the prover, at least until after the prover’s message is sent.
We now give the definitions.
Definition 3.5.
A (keyed non-interactive publicly verifiable) proof of min-entropy relative to a random oracle with key length \({\ell _\mathsf {key}}=\mathsf {poly}(\lambda)\) consists of algorithms \((\mathsf {Prove},\mathsf {Verify})\).
\(\mathsf {Prove}^{H}(1^\lambda ,k,1^h)\): This is a QPT algorithm that takes the security parameter \(1^\lambda\), key \(k\in \lbrace 0,1\rbrace ^{\ell _\mathsf {key}}\), and a min-entropy threshold \(1^h\) as input. It makes \(\mathsf {poly}(\lambda ,h)\) quantum queries to the random oracle \(H\), and outputs a classical proof \(\pi\).
\(\mathsf {Verify}^{H}(1^\lambda ,k,1^h,\pi)\): This is a deterministic classical polynomial-time algorithm that takes \(1^\lambda ,k,1^h\), and a proof \(\pi\); it makes \(\mathsf {poly}(\lambda ,h)\) queries to the random oracle \(H\), and outputs either a string \(x\) (whose length may depend on \(h\)), or \(\bot\) indicating rejection.
We require a proof of min-entropy to satisfy the following properties:
Correctness. For any \(h=h(\lambda)\), we have
\begin{equation*} \Pr _{H,k}\left[\mathsf {Verify}^{H}(1^\lambda ,k,1^h,\pi)=\bot : \begin{array}{l} \pi {\xleftarrow{$}} \mathsf {Prove}^{H}(1^\lambda ,k,1^h) \end{array} \right]\le \mathsf {negl}(\lambda). \end{equation*}
Min-entropy. For any polynomially-bounded \(h=h(\lambda)\), any unbounded-time adversary \(\mathcal {A}\) that makes \(\mathsf {poly}(\lambda)\) quantum oracle queries to \(H\), and for any inverse polynomial \(\delta\), there is a negligible \(\mathsf {negl}\) such that the following holds. Let \(\mathcal {A}^H_{\top }(1^\lambda ,k,1^h)\) be the distribution \(\mathsf {Verify}^H(1^\lambda ,k,1^h,\mathcal {A}^H(1^\lambda ,k,1^h))\), conditioned on the output not being \(\bot\). Then:
\begin{equation*} \Pr _{H,k}\left[\Pr [\mathsf {Verify}^H(1^\lambda ,k,1^h,\mathcal {A}^H(1^\lambda ,k,1^h))\ne \bot ]\ge \delta (\lambda)\wedge H_\infty \left(\mathcal {A}^H_{\top }(1^\lambda ,k,1^h)\right)\le h(\lambda)\right]\le \mathsf {negl}(\lambda) \end{equation*}
The min-entropy requirement in the AI-QROM is defined analogously. A keyless proof of min-entropy has \({\ell _\mathsf {key}}=0\) in which case we omit \(k\) from the input of \(\mathsf {Prove}\) and \(\mathsf {Verify}\).
Note that min-entropy and correctness together imply that the output of \(\mathsf {Verify}\) when interacting with the honest \(\mathsf {Prove}\) algorithm must have min-entropy at least \(h\) for an overwhelming fraction of \(H,k\).
Definition 3.6.
A (keyed non-interactive publicly verifiable) proof of randomness relative to a random oracle has the same syntax as a proof of min-entropy (Definition 3.5), except that we allow \(\mathsf {Verify}\) to be randomized and require the output of \(\mathsf {Verify}\) to be exactly \(h\) bits unless its output is \(\bot\). We require a proof of randomness to satisfy the following properties:
Correctness. For any \(h=h(\lambda)\), we have
\begin{equation*} \Pr _{H,k,r}\left[\mathsf {Verify}^{H}(1^\lambda ,k,1^h,\pi ;r)=\bot : \begin{array}{l} \pi {\xleftarrow{$}} \mathsf {Prove}^{H}(1^\lambda ,k,1^h) \end{array} \right]\le \mathsf {negl}(\lambda). \end{equation*}
Succinct randomness. The length of the randomness \(r\) used by \(\mathsf {Verify}\) is \(\mathsf {poly}(\lambda ,\log h)\) bits.
True randomness. For any polynomially-bounded \(h=h(\lambda)\) and any unbounded-time adversary \(\mathcal {A}\) that makes \(\mathsf {poly}(\lambda)\) quantum oracle queries to \(H\), and for any inverse polynomial \(\delta\), there is a negligible \(\mathsf {negl}\) such that the following holds for a \((1-\mathsf {negl}(\lambda))\)-fraction of \((H,k)\). If it holds that \(\Pr [\mathsf {Verify}^H(k,h,\mathcal {A}^H(k,h);r)\ne \bot ]\ge \delta\), then
\begin{equation*} \Delta \left(\;(r,U)\;,\;(r,\mathcal {A}^H_{\top }(1^\lambda ,k,1^h;r))\;\right)\le \mathsf {negl}(\lambda) \end{equation*}
where \(\mathcal {A}^H_{\top }(1^\lambda ,k,1^h;r)\) is the distribution \(\mathsf {Verify}^H(1^\lambda ,k,1^h,\mathcal {A}^H(1^\lambda ,k,1^h);r)\), conditioned on the output not being \(\bot\), and \(U\) is the uniform distribution over \(h\)-bit-strings. In other words, provided that \(\mathsf {Verify}\) actually outputs a string with inverse polynomial probability, that string will be statistically close to random for an overwhelming fraction of \(H,k\).
The true randomness requirement in the AI-QROM is defined analogously. A keyless proof of randomness has \({\ell _\mathsf {key}}=0\) in which case we omit \(k\) from the input of \(\mathsf {Prove}\) and \(\mathsf {Verify}\).
From min-entropy to true randomness. Here, we discuss how proofs of min-entropy imply proofs of randomness. This is an immediate application of extractors:
Theorem 3.7.
If proofs of min-entropy in the QROM (resp. AI-QROM) exist, then so do proofs of randomness in the QROM (resp. AI-QROM). If the proof of min-entropy is keyless, then so is the proof of randomness.
Proof.
We simply have a new \(\mathsf {Verify}^{\prime }\) which chooses a random seed for a strong extractor, which it applies to the result of \(\mathsf {Verify}\), outputting whatever the extractor outputs. By choosing the min-entropy \(h\) sufficiently higher than the desired output length according to the parameters of the extractor, the output of \(\mathsf {Verify}^{\prime }\) will be statistically close to random and the desired length. □
We note that the verifier’s random seed for the extractor can be sampled after the prover’s message, and can also be made public afterward. The result is that if the proof of min-entropy is public coin and publicly verifiable, the proof of randomness will be as well, at the cost of a single final message from the verifier.
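As an added example that is not part of the paper, the following Python code instantiates the \(\mathsf {Verify}^{\prime }\) of Theorem 3.7 with a Toeplitz-matrix universal hash as the strong extractor and computes, for a constructed low-min-entropy source, the exact statistical distance that the true-randomness property of Definition 3.6 bounds, next to the leftover-hash-lemma bound. The extractor choice, the parameters, and the simulated output of \(\mathsf {Verify}\) are assumptions for illustration.

```python
"""Verify' of Theorem 3.7 with a concrete seeded extractor (added example)."""
import itertools
import secrets


def toeplitz_extract(seed, x, m):
    """Universal hash x -> T x over GF(2), where T is the m x n Toeplitz matrix with
    T[i][j] = seed[i - j + n - 1]; the seed has n + m - 1 bits.  Toeplitz matrices are
    a universal family, so by the leftover hash lemma this is a strong extractor."""
    n = len(x)
    assert len(seed) == n + m - 1, "seed must have n + m - 1 bits"
    out = []
    for i in range(m):
        bit = 0
        for j in range(n):
            bit ^= seed[i - j + n - 1] & x[j]
        out.append(bit)
    return tuple(out)


def verify_prime(verify_output, m, rng=secrets.randbits):
    """Verify' from the proof of Theorem 3.7.  `verify_output` is what the underlying
    Verify returned: None for reject, otherwise the string with min-entropy h.  The
    seed is drawn only now, after the prover's message, and may be published with the
    m-bit extractor output that replaces the raw string."""
    if verify_output is None:
        return None
    n = len(verify_output)
    seed = tuple(rng(1) for _ in range(n + m - 1))
    return seed, toeplitz_extract(seed, verify_output, m)


def extractor_distance(support, m):
    """Exact statistical distance Delta((seed, Ext(seed, X)), (seed, U_m)) for X uniform
    over `support` (so H_inf(X) = log2 |support|) and a uniform seed, computed by
    enumerating every seed; this is the quantity bounded in Definition 3.6."""
    n = len(support[0])
    seed_len = n + m - 1
    total = 0.0
    for seed in itertools.product((0, 1), repeat=seed_len):
        counts = {}
        for x in support:
            y = toeplitz_extract(seed, x, m)
            counts[y] = counts.get(y, 0) + 1
        for y in itertools.product((0, 1), repeat=m):
            total += abs(counts.get(y, 0) / len(support) - 2.0 ** -m)
    return total / (2 * 2 ** seed_len)


def leftover_hash_bound(h, m):
    """Leftover hash lemma for a universal family: Delta <= (1/2) sqrt(2^m / 2^h)."""
    return 0.5 * (2.0 ** (m - h)) ** 0.5


def low_entropy_source(fixed_prefix, free_bits):
    """Constructed source standing in for Verify's output: a fixed (public) prefix
    followed by `free_bits` uniform bits, so H_inf = free_bits."""
    return [tuple(fixed_prefix) + bits for bits in itertools.product((0, 1), repeat=free_bits)]


if __name__ == "__main__":
    src = low_entropy_source((1, 0, 1), 5)  # 8-bit strings, H_inf = 5, extract m = 2 bits
    print("distance", extractor_distance(src, 2), "bound", leftover_hash_bound(5, 2))
    print("deterministic prover", extractor_distance([src[0]], 2))  # H_inf = 0
```

The Toeplitz seed has \(n+m-1\) bits, linear in the length of \(\mathsf {Verify}\)'s output, so this instantiation meets the true-randomness clause but not the succinct-randomness clause of Definition 3.6; that clause calls for an extractor with much shorter seeds.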

3.1 From Uniform to Non-Uniform Security

Clearly, security against non-uniform adversaries implies security against uniform adversaries. For the other direction, we can use known results of [27] and [26] that show that salting generically lifts uniform security to non-uniform security in the CROM and QROM, respectively. Note that these results require it to be efficiently verifiable whether the adversary wins; this applies to one-way functions, collision resistance, and proofs of quantumness, but not to proofs of min-entropy/randomness, where it cannot be efficiently checked whether the adversary produced a low-entropy or non-uniform string. As immediate corollaries of these results, we obtain the following:
Theorem 3.8.
If \(\lbrace f_\lambda \rbrace _\lambda\) is one-way in the CROM (resp. QROM), then \(\lbrace g_\lambda \rbrace _\lambda\) where \(g_\lambda ^H(s,x)=s||f_\lambda ^{H(s||\cdot)}(x)\) and where \(s\in \lbrace 0,1\rbrace ^\lambda\) is one-way in the AI-CROM (resp. AI-QROM).
Theorem 3.9.
If \(\lbrace f_\lambda \rbrace _\lambda\) is a potentially keyed function family that is collision resistant in the CROM (resp. QROM), then the keyed function \(\lbrace g_\lambda \rbrace _\lambda\) where \(g_\lambda (k_0||k_1,x)=f_\lambda ^{H(k_1||\cdot)}(k_0,x)\) and where \(k_1\in \lbrace 0,1\rbrace ^\lambda\) is collision resistant in the AI-CROM (resp. AI-QROM).
Theorem 3.10.
If \((\mathsf {Prove}_0,\mathsf {Verify}_0)\) is a proof of quantumness that satisfies soundness in the CROM, then \((\mathsf {Prove},\mathsf {Verify})\) satisfies soundness in the AI-CROM, where \(\mathsf {Prove}^H(1^\lambda ,k_0||k_1)=\mathsf {Prove}_0^{H(k_1||\cdot)}(1^\lambda ,k_0)\) and \(\mathsf {Verify}^H(1^\lambda ,k_0||k_1,\pi)=\mathsf {Verify}_0^{H(k_1||\cdot)}(1^\lambda ,k_0,\pi)\) and where \(k_1\in \lbrace 0,1\rbrace ^\lambda\).
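The salting wrapper shared by Theorems 3.8 to 3.10, as an added Python example (not the paper's code): the underlying \(f^H\) is evaluated with the oracle \(H(k_1||\cdot)\), and the example also shows why the salt neutralises non-uniform advice, by precomputing a preimage table for the unsalted \(f\) on short inputs and checking that it does not help against the salted \(g\). SHA-256 stands in for the random oracle (the abstract's Minicrypt instantiation uses a SHA2-style hash); the toy choice \(f^H(x)=H(x)\), the 16-byte salt and all function names are this example's assumptions. The same \(H(k_1||\cdot)\) substitution is what \(\mathsf {Prove}\) and \(\mathsf {Verify}\) apply in Theorem 3.10.

```python
"""
Salting as in Theorem 3.8: g^H(s, x) = s || f^{H(s||.)}(x).
Every oracle query of f is prefixed with the salt, so advice computed about
H before the salt was chosen does not describe the oracle f actually sees.
Added example, not the paper's code.  Assumptions: SHA-256 stands in for the
random oracle, f^H(x) = H(x), salts are 16 bytes, and the "advice" is a
preimage table over 2-byte inputs (constructed here for illustration).
"""
import hashlib
import secrets
from itertools import product

SALT_BYTES = 16  # k_1 in {0,1}^lambda; lambda = 128 bits is an assumption


def H(msg: bytes) -> bytes:
    """Random-oracle stand-in (SHA-256)."""
    return hashlib.sha256(msg).digest()


def f(oracle, x: bytes) -> bytes:
    """Underlying f^H(x) = H(x): one-way against uniform adversaries in the ROM."""
    return oracle(x)


def salted_oracle(oracle, salt: bytes):
    """The oracle H(salt || .) that f is run with inside g."""
    return lambda q: oracle(salt + q)


def sample_salt() -> bytes:
    return secrets.token_bytes(SALT_BYTES)


def g(oracle, salt: bytes, x: bytes) -> bytes:
    """g^H(s, x) = s || f^{H(s||.)}(x); the salt is part of the output."""
    return salt + f(salted_oracle(oracle, salt), x)


def build_advice(oracle, input_len: int = 2):
    """Non-uniform advice about H: a complete preimage table of f on all
    input_len-byte inputs.  Built offline, before and independently of the
    salt, which is the only kind of advice the AI-ROM adversary may carry."""
    return {f(oracle, bytes(x)): bytes(x) for x in product(range(256), repeat=input_len)}


def invert_with_advice(table, y: bytes):
    """Invert the unsalted f by table lookup (succeeds for tabulated inputs)."""
    return table.get(y)


def invert_salted_with_advice(table, y: bytes):
    """Given s || t from g, the table only helps if t = H(s||x) was tabulated,
    which it was not, because the table was keyed by H(x) without the salt."""
    t = y[SALT_BYTES:]
    return table.get(t)


if __name__ == "__main__":
    table = build_advice(H)
    x = b"\x12\x34"
    print("unsalted inverted:", invert_with_advice(table, f(H, x)) == x)
    print("salted inverted:", invert_salted_with_advice(table, g(H, sample_salt(), x)) is not None)
```

The table attack is exactly the preprocessing that the uniform-security proof does not account for; Theorem 3.8 says that prefixing the salt is enough to restore security in the AI-CROM/AI-QROM, which is the theoretical counterpart of why salted hashing defeats precomputed tables in practice.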
We next discuss how salting actually does lift security for proofs of min-entropy and randomness from the uniform to the non-uniform case in the classical advice setting. We note that the approach of [26] does work if one fixes a particular string and lets the adversary win whenever it can cause the verifier to output that string. This event occurs with exponentially-small probability, and [26] would handle exponentially small probabilities by setting the salt to be appropriately larger than the min-entropy requirement. This limits the utility of a proof of min-entropy, since the large salt could have just been used as the source of randomness. In the following, we show that small salts can, in fact, be used, though it requires a more careful proof and cannot simply rely on the prior theorem statements.
Theorem 3.11.
If \((\mathsf {Prove}_0,\mathsf {Verify}_0)\) is a proof of min-entropy (resp. proof of randomness) in the QROM, then \((\mathsf {Prove},\mathsf {Verify})\) is a proof of min-entropy (resp. proof of randomness) in the AI-QROM, where \(\mathsf {Prove}^H(1^\lambda ,k_0||k_1,1^h)=\mathsf {Prove}_0^{H(k_1||\cdot)}(1^\lambda ,k_0,1^{h+1})\) and \(\mathsf {Verify}^H(1^\lambda ,k_0||k_1,1^h,\pi)=\mathsf {Verify}_0^{H(k_1||\cdot)}(1^\lambda ,k_0,1^{h+1},\pi)\) and where \(k_1\in \lbrace 0,1\rbrace ^\lambda\).
We defer the proof to Section 9.

4 Error Correcting Codes

In this section, we first review basic definitions and facts on error correcting codes. Then, we state requirements of codes that are needed for our purpose. Then, we show that such a code exists based on known results.

4.1 Definitions

A code of length \(n\in \mathbb {N}\) over an alphabet \(\Sigma\) (which is a finite set) is a subset \(C\subseteq \Sigma ^n\).
Linear codes. A code \(C\) is said to be a linear code if its alphabet is \(\Sigma =\mathbb {F}_q\) for some prime power \(q\) and \(C\subseteq \mathbb {F}_q^n\) is a linear subspace of \(\mathbb {F}_q^n\).
Folded linear codes. A code \(C\) is said to be a folded linear code [30, 42] if its alphabet is \(\Sigma =\mathbb {F}_q^m\) for some prime power \(q\) and a positive integer \(m\) and \(C\subseteq \Sigma ^{n}\) is a linear subspace of \(\mathbb {F}_q^{nm}\) where \(n\) is the length of \(C\) and we embed \(C\) into \(\mathbb {F}_q^{nm}\) in the canonical way. Linear codes are the special case of folded linear codes where \(m=1\). For a linear code \(C\subseteq \mathbb {F}_q^n\) and a positive integer \(m\) that divides \(n\), we define its \(m\)-folded version \(C^{(m)}\) as follows:
\begin{align*} C^{(m)}:=\lbrace ((x_1,\ldots ,x_m),(x_{m+1},\ldots ,x_{2m}),\ldots ,(x_{n-m+1},\ldots ,x_{n})):(x_1,\ldots ,x_n)\in C\rbrace . \end{align*}
Clearly, \(C^{(m)}\) is a folded linear code. Conversely, any folded linear code can be written as \(C^{(m)}\) for some linear code \(C\) and a positive integer \(m\).
Dual codes. Let \(C\) be a linear code of length \(n\) and dimension \(k\) over \(\mathbb {F}_q\). The dual code \(C^\perp\) of \(C\) is defined as the orthogonal complement of \(C\) as a linear space over \(\mathbb {F}_q\), that is,
\begin{equation*} C^{\perp }:=\lbrace \mathbf {z}\in \mathbb {F}_q^n: \mathbf {x}\cdot \mathbf {z}= 0 \text{~for~all~}\mathbf {x}\in C\rbrace . \end{equation*}
\(C^{\perp }\) is a linear code of length \(n\) and dimension \(n-k\) over \(\mathbb {F}_q\).
We define dual codes for folded linear codes similarly. That is, for a folded linear code \(C\subseteq \Sigma ^n\) over the alphabet \(\Sigma =\mathbb {F}_q^m\), its dual \(C^\perp\) is defined as
\begin{equation*} C^{\perp }:=\lbrace \mathbf {z}\in \Sigma ^n: \mathbf {x}\cdot \mathbf {z}= 0 \text{~for~all~}\mathbf {x}\in C\rbrace . \end{equation*}
It is clear from the definition that \((C^{\perp })^{(m)}=(C^{(m)})^{\perp }\) for any linear codes \(C\) of length \(n\) and positive integer \(m\) that divides \(n\).
Lemma 4.1.
For a folded linear code \(C\subseteq \Sigma ^n\), if we define
\begin{equation*} f(\mathbf {x}):={\left\lbrace \begin{array}{ll}\frac{1}{\sqrt {|C|}}& \mathbf {x}\in C\\ 0& \text{otherwise} \end{array}\right.}, \end{equation*}
then we have
\begin{equation*} \hat{f}(\mathbf {z})= {\left\lbrace \begin{array}{ll}\frac{1}{\sqrt {|C^{\perp }|}}& \mathbf {z}\in C^{\perp }\\ 0& \text{otherwise} \end{array}\right.}. \end{equation*}
Proof.
For \(\mathbf {z}\in C^{\perp }\), we have
\begin{align*} \hat{f}(\mathbf {z}) &=\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {x}\in \Sigma ^n}f(\mathbf {x})\omega _p^{\mathrm{Tr}(\mathbf {x}\cdot \mathbf {z})}\\ &=\frac{1}{|\Sigma |^{n/2}}\sum _{\mathbf {x}\in C}\frac{1}{\sqrt {|C|}}\\ &=\frac{1}{\sqrt {|C^{\perp }|}} \end{align*}
where the final equality follows from \(|C|\cdot |C^\perp |=|\Sigma |^n\). That \(\hat{f}(\mathbf {z})=0\) for \(\mathbf {z}\notin C^{\perp }\) immediately follows from the above and Lemma 2.1. □
List recovery. We say that a code \(C\subseteq \Sigma ^n\) is \((\zeta ,\ell ,L)\)-list recoverable if for any subsets \(S_i\subseteq \Sigma\) such that \(|S_i|\le \ell\) for \(i\in [n]\), we have
\begin{align*} |\lbrace (x_1, \ldots ,x_n) \in C:|\lbrace i\in [n]:x_i\in S_i\rbrace |\ge (1-\zeta)n\rbrace |\le L. \end{align*}
Note that list recoverability in the literature usually requires that the list of all codewords \((x_1, \ldots ,x_n) \in C\) satisfying \(|\lbrace i\in [n]:x_i\in S_i\rbrace |\ge (1-\zeta)n\) can be computed from \(\lbrace S_i\rbrace _{i\in [n]}\) in time polynomial in \(|\Sigma |,n,\ell\). However, we will not require this.

4.2 Suitable Codes

The following lemma claims the existence of codes that are suitable for our purpose.
Lemma 4.2 (Suitable Codes).
For any constants \(0\lt c \lt c^{\prime } \lt 1\), there is an explicit family \(\lbrace C_\lambda \rbrace _{\lambda \in \mathbb {N}}\) of folded linear codes over the alphabet \(\Sigma =\mathbb {F}_q^m\) of length \(n\) where \(|\Sigma |=2^{\lambda ^{\Theta (1)}}\), \(n=\Theta (\lambda)\), and \(|C_\lambda |\ge 2^{n+\lambda }\) that satisfies the following.
(1) \(C_\lambda\) is \((\zeta ,\ell ,L)\)-list recoverable where \(\zeta =\Omega (1)\), \(\ell =2^{\lambda ^c}\) and \(L=2^{\tilde{O}(\lambda ^{c^{\prime }})}\).
(2) There is an efficient deterministic decoding algorithm \(\mathsf {Decode}_{C_\lambda ^\perp }\) for \(C_\lambda ^\perp\) that satisfies the following. Let \(\mathcal {D}\) be a distribution over \(\Sigma\) that takes \(\mathbf {0}\) with probability \(1/2\) and otherwise takes a uniformly random element of \(\Sigma \setminus \lbrace \mathbf {0}\rbrace\). Then, it holds that
\begin{align*} \Pr _{\mathbf {e}{\xleftarrow{$}} \mathcal {D}^n}[\forall \mathbf {x}\in C_\lambda ^\perp ,~\mathsf {Decode}_{C_\lambda ^\perp } (\mathbf {x}+\mathbf {e})=\mathbf {x}]=1-2^{-\Omega (\lambda)}. \end{align*}
(3) For all \(j\in [n-1]\), \(\Pr _{\mathbf {x}{\xleftarrow{$}} C_\lambda }[\mathsf {hw}(\mathbf {x})=n-j]\le \left(\frac{n}{|\Sigma |}\right)^{j}\).
Our instantiation of \(C_\lambda\) is just folded Reed-Solomon codes with an appropriate parameter setting. Item 1 is a direct consequence of the list recoverability of folded Reed-Solomon codes in a certain parameter regime [30, 51]. For proving Item 2, we first remark that the duals of folded Reed-Solomon codes are folded generalized Reed-Solomon codes, which have efficient list decoding algorithms [31]. Then, we prove that the list decoding algorithm returns a unique decoding result when the error comes from the distribution \(\mathcal {D}^n\). Item 3 follows from a simple combinatorial argument. The proof of Lemma 4.2 is given in Section 4.3.
Remark 4.
Folded Reed-Solomon codes are the only instantiation of \(C_\lambda\) that we are aware of. In particular, we are not aware of any other codes that satisfy list-recoverability with parameters appropriate for our purpose.

4.3 Proof of Lemma 4.2

In this subsection, we prove Lemma 4.2, that is, we give a construction of codes that satisfy the properties stated in Lemma 4.2.

4.3.1 Preparation.

Before giving the construction, we need some preparations.
Generalized Reed-Solomon codes. We review the definition and known facts on (generalized) Reed-Solomon codes. See e.g., [44, Section 6] for more details.
A generalized Reed-Solomon code \(\mathrm{GRS}_{\mathbb {F}_q,\gamma ,k,\mathbf {v}}\) over \(\mathbb {F}_q\) w.r.t. a generator \(\gamma\) of \(\mathbb {F}_q^*\), the degree parameter \(0\le k\le N\), and \(\mathbf {v}=(v_1, \ldots ,v_N)\in {\mathbb {F}_q^*}^N\) where \(N:=q-1\) is defined as follows:
\begin{equation*} \mathrm{GRS}_{\mathbb {F}_q,\gamma ,k,\mathbf {v}}:=\lbrace (v_1f(\gamma),v_2f(\gamma ^2),\ldots ,v_Nf(\gamma ^{N})):f\in \mathbb {F}_q[x]_{\deg \le k}\rbrace \end{equation*}
where \(\mathbb {F}_q[x]_{\deg \le k}\) denotes the set of polynomials over \(\mathbb {F}_q\) of degree at most \(k\). We remark that \(\mathrm{GRS}_{\mathbb {F}_q,\gamma ,k,\mathbf {v}}\) is a linear code over \(\mathbb {F}_q\) that has length \(N=q-1\) and dimension \(k+1\). A Reed-Solomon code is a special case of a generalized Reed-Solomon code where \(\mathbf {v}=(1,1,\ldots ,1)\). We denote it by \(\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}\) (which is equivalent to \(\mathrm{GRS}_{\mathbb {F}_q,\gamma ,k,(1,1,\ldots ,1)})\). The dual of \(\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}\) is \(\mathrm{GRS}_{\mathbb {F}_q,\gamma ,N-k-2,\mathbf {v}}\) for some \(\mathbf {v}\in \mathbb {F}_q^N\) [44, Claim 6.3].
There is a classical deterministic list decoding algorithm \(\mathrm{GRSListDecode}_{\mathbb {F}_q,\gamma ,k,\mathbf {v}}\) for \(\mathrm{GRS}_{\mathbb {F}_q,\gamma ,k,\mathbf {v}}\) that corrects up to \(N-\sqrt {kN}\) errors in polynomial time in \(N\) [31]. More precisely, for any \(\mathbf {z}\in \mathbb {F}_q^N\), \(\mathrm{GRSListDecode}_{\mathbb {F}_q,\gamma ,k,\mathbf {v}}(\mathbf {z})\) returns the list of all \(\mathbf {x}\in \mathrm{GRS}_{\mathbb {F}_q,\gamma ,k,\mathbf {v}}\) such that \(\mathsf {hw}(\mathbf {x}-\mathbf {z})\lt N-\sqrt {kN}\).
Folded Reed-Solomon codes. Let \(m\) be a positive integer that divides \(N=q-1\). The \(m\)-folded version \(\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}^{(m)}\) of \(\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}\) is a folded linear code of length \(n=N/m\). It is known that \(\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}^{(m)}\) is list recoverable in the following parameter regime [30, 51].
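To make the objects of Sections 4.1 and 4.3.1 concrete, here is an added Python example (not code from the paper) that builds \(\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}\) for the toy parameters \(q=7\), \(\gamma =3\), \(k=2\), folds it with \(m=2\), computes the dual by brute force and checks that it is the generalized Reed-Solomon code of degree \(N-k-2\) with \(\mathbf {v}=(\gamma ,\gamma ^2,\ldots ,\gamma ^N)\), evaluates \(\hat{f}\) of Lemma 4.1 at sample points, and tests the weight bound of Item 3 of Lemma 4.2 on the folded code. Using a prime \(q\) (so that \(\mathrm{Tr}\) is the identity and \(\Sigma ^n\) is just \(\mathbb {F}_q^N\)) and the specific \(\mathbf {v}\) are this example's own choices; the paper only states that some \(\mathbf {v}\) works and uses \(q=2^{2\lfloor \log \lambda \rfloor }\).

```python
"""
Toy instances of the Section 4 objects: RS_{F_q,gamma,k}, its m-folded
version, its dual (a generalized Reed-Solomon code), the Fourier-transform
fact of Lemma 4.1 and the weight bound of Item 3 of Lemma 4.2.
Added example, not the paper's code.  Assumptions: q = 7 is prime (so F_q is
Z/7Z and the trace is the identity), gamma = 3, k = 2, m = 2.
"""
import cmath
from itertools import product
from math import sqrt

Q = 7            # prime field size (assumption; the paper uses a power of 2)
GAMMA = 3        # generator of F_7^*: 3, 2, 6, 4, 5, 1
N = Q - 1        # length of the unfolded code
K = 2            # degree bound, so dim RS = k + 1 = 3
M = 2            # folding parameter, divides N
NFOLD = N // M   # folded length n = 3; alphabet Sigma = F_7^2, |Sigma| = 49


def eval_points():
    """Evaluation points gamma^1, ..., gamma^N, i.e. all of F_q^*."""
    return [pow(GAMMA, i, Q) for i in range(1, N + 1)]


def poly_eval(coeffs, x):
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q


def grs_code(k, v):
    """GRS_{F_q,gamma,k,v} = {(v_1 f(gamma), ..., v_N f(gamma^N)) : deg f <= k}."""
    pts = eval_points()
    return {tuple(vi * poly_eval(coeffs, x) % Q for vi, x in zip(v, pts))
            for coeffs in product(range(Q), repeat=k + 1)}


def rs_code(k):
    """RS_{F_q,gamma,k} is the GRS code with v = (1, ..., 1)."""
    return grs_code(k, [1] * N)


def rs_basis(k):
    """Generator-matrix rows: evaluations of the monomials 1, x, ..., x^k."""
    return [tuple(pow(x, j, Q) for x in eval_points()) for j in range(k + 1)]


def dot(x, z):
    return sum(a * b for a, b in zip(x, z)) % Q


def dual_code(basis):
    """C^perp by brute force: every z in F_q^N orthogonal to a basis of C."""
    return {z for z in product(range(Q), repeat=N)
            if all(dot(z, b) == 0 for b in basis)}


def fold(word, m):
    """The m-folded word, an element of Sigma^n with Sigma = F_q^m."""
    return tuple(tuple(word[i:i + m]) for i in range(0, len(word), m))


def fourier_coefficient(code, z):
    """hat f(z) for f = 1/sqrt|C| on C and 0 elsewhere (Lemma 4.1); here
    |Sigma|^{n/2} = q^{N/2} and Tr is the identity because q is prime."""
    omega = cmath.exp(2j * cmath.pi / Q)
    total = sum(omega ** dot(x, z) for x in code)
    return total / (sqrt(len(code)) * Q ** (N / 2))


def hw(folded):
    """Hamming weight over Sigma: the number of non-zero blocks."""
    return sum(1 for block in folded if any(block))


def weight_counts(code, m):
    counts = {}
    for w in code:
        h = hw(fold(w, m))
        counts[h] = counts.get(h, 0) + 1
    return counts


def item3_holds(code, m):
    """Item 3 of Lemma 4.2: Pr[hw(x) = n - j] <= (n / |Sigma|)^j for j in [n-1]."""
    n = N // m
    counts = weight_counts(code, m)
    return all(counts.get(n - j, 0) / len(code) <= (n / Q ** m) ** j
               for j in range(1, n))


def dual_is_grs():
    """Check that the dual of RS_k is GRS_{N-k-2, v} with v_i = gamma^i: the
    sum over x in F_q^* of x^j vanishes for 1 <= j <= q-2, and x f(x) g(x)
    has only such exponents when deg f <= k and deg g <= N-k-2."""
    return dual_code(rs_basis(K)) == grs_code(N - K - 2, eval_points())


if __name__ == "__main__":
    C, D = rs_code(K), dual_code(rs_basis(K))
    print("|C| * |C^perp| == q^N:", len(C) * len(D) == Q ** N)
    print("dual of RS is GRS with v_i = gamma^i:", dual_is_grs())
    print("folded weight distribution:", weight_counts(C, M), "Item 3 holds:", item3_holds(C, M))
```

For these parameters the folded code has \(n=3\) and \(|\Sigma |=49\); the only folded weights that occur are \(0\), \(2\) and \(3\), since a degree-\(\le 2\) polynomial can vanish on at most one whole block of two evaluation points, and the \(18\) such codewords give \(\Pr [\mathsf {hw}(\mathbf {x})=n-1]=18/343\lt 3/49\), as Item 3 requires.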
Lemma 4.3 ([51, Section 3.6]).
Let \(q\) be a prime power, \(\gamma \in \mathbb {F}_q^*\) be a generator, \(N:=q-1\), \(k\lt N\) be a positive integer, and \(m\) be a positive integer that divides \(N\). For positive integers \(\ell\), \(r\), and \(s\le m\) and a real \(0\lt \zeta \lt 1\), suppose that the following inequalities hold:
\begin{align} \frac{(1-\zeta)N}{m}\ge \left(1+\frac{s}{r}\right)\frac{\sqrt [s+1]{N\ell k^s}}{m-s+1} , \end{align}
(8)
\begin{align} (r+s)\sqrt [s+1]{\frac{N\ell }{k}}\lt q. \end{align}
(9)
Then, \(\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}^{(m)}\) is \((\zeta ,\ell ,L)\)-list recoverable where \(L=q^s\).

4.3.2 Construction.

We show that folded Reed-Solomon codes satisfy the requirements of Lemma 4.2 if we set parameters appropriately. In the following, whenever we substitute non-integer values into integer variables, there is an implicit flooring to integers which we omit writing. Fix \(0\lt c\lt c^{\prime }\lt 1\), which defines \(\ell =2^{\lambda ^c}\). Our choices of parameters are as follows:
\(q=2^{2\lfloor \log \lambda \rfloor }\) (which automatically defines \(N=q-1\)), \(m=2^{\lfloor \log \lambda \rfloor }+1\), and \(n=N/m=2^{\lfloor \log \lambda \rfloor }-1\).
\(\gamma\) is an arbitrary generator of \(\mathbb {F}_q^*\). Note that we can find \(\gamma\) in polynomial time in \(\lambda\) since \(q=\mathsf {poly}(\lambda)\).
\(k=\alpha N\) for an arbitrary constant \(5/6\lt \alpha \lt 1\).
We set \(C_\lambda :=\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}^{(m)}\). By the above parameter setting, it is easy to see that we have \(|\Sigma |=2^{\lambda ^{\Theta (1)}}\), \(n=\Theta (\lambda)\), and \(|C_\lambda |=q^{k+1}\ge 2^{n+\lambda }\). We show that \(\lbrace C_\lambda \rbrace _{\lambda \in \mathbb {N}}\) satisfies the requirements of Lemma 4.2. For notational simplicity, we omit \(\lambda\) from the subscript of \(C\).
First item. We prove Item 1 of Lemma 4.2. First, we remark that we only have to prove that the requirement is satisfied for sufficiently large \(\lambda\) since we can set \(L=q^{N}\) for finitely many \(\lambda\) for which \((\zeta ,\ell ,L)\)-list recoverability is trivially satisfied for any \(\zeta\) and \(\ell\). We apply Lemma 4.3 with the following parameters:
\(s=\lambda ^{c^{\prime }}\). Note that this satisfies the requirement \(s\le m\) in Lemma 4.3 for sufficiently large \(\lambda\) since \(m=\Omega (\lambda)\) and \(c^{\prime }\lt 1\).
\(r=\lambda ^{c^{\prime \prime }}\) for a constant \(c^{\prime }\lt c^{\prime \prime }\lt 1\).
\(0\lt \zeta \lt 1-\alpha\) is an arbitrary constant.
Based on the above parameter setting, we have \(\lim _{\lambda \rightarrow \infty }(1+\frac{s}{r})=1\), \(\lim _{\lambda \rightarrow \infty }\frac{m}{m-s+1}=1\), and \(\lim _{\lambda \rightarrow \infty }\sqrt [s+1]{\ell }=1\) where we used \(\ell =2^{\lambda ^{c}}\) and \(c\lt c^{\prime }\). Therefore, Equation (8) can be rearranged as follows:
\begin{align} 1-\zeta \ge (1+o(1))\left(\frac{k}{N}\right)^{\frac{s}{s+1}}. \end{align}
(10)
This is satisfied for sufficiently large \(s\) (which occurs for sufficiently large \(\lambda\)) since we assume \(k=\alpha N\) and \(\zeta \lt 1-\alpha\).
Similarly, by our choice of parameters, the LHS of Equation (9) is \(O(\lambda ^{c^{\prime \prime }})\) and the RHS is \(\Omega (\lambda ^2)\). Since \(c^{\prime \prime }\lt 1\), Equation (9) also holds for sufficiently large \(\lambda\).
Thus, by Lemma 4.3, \(\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}^{(m)}\) with the above parameter setting is \((\zeta ,\ell ,L)\)-list recoverable where \(L=q^s\le (\lambda ^2)^{\lambda ^{c^{\prime }}}=2^{\widetilde{O}(\lambda ^{c^{\prime }})}\). This means that Item 1 of Lemma 4.2 is satisfied.
Second item. Next, we prove Item 2 of Lemma 4.2. Since \(C=\mathrm{RS}_{\mathbb {F}_q,\gamma ,k}^{(m)}\) is a folded Reed-Solomon code, its dual \(C^\perp\) is a folded generalized Reed-Solomon code \(\mathrm{GRS}_{\mathbb {F}_q,\gamma ,N-k-2,\mathbf {v}}^{(m)}\) for some \(\mathbf {v}\in \mathbb {F}_q^N\). In the following, we think of an element of \(\Sigma ^n\) as an element of \(\mathbb {F}_q^{N}\) in the canonical way. Then, \(C^\perp =\mathrm{GRS}_{\mathbb {F}_q,\gamma ,N-k-2,\mathbf {v}}^{(m)}\) is identified with \(\mathrm{GRS}_{\mathbb {F}_q,\gamma ,N-k-2,\mathbf {v}}\). Let \(d:=N-k-2\) and \(0\lt \epsilon \lt 0.09\) be a constant specified later. We define \(\mathsf {Decode}_{C^\perp }\) as follows.
\(\mathsf {Decode}_{C^\perp }(\mathbf {z})\): On input \(\mathbf {z}\in \mathbb {F}_q^N\), it runs the list decoding algorithm \(\mathrm{GRSListDecode}_{\mathbb {F}_q,\gamma ,N-k-2,\mathbf {v}}(\mathbf {z})\) to get a list of codewords. If there is a unique \(\mathbf {x}\) in the list such that \(\mathsf {hw}(\mathbf {z}-\mathbf {x})\le (1/2+\epsilon)N\), it outputs \(\mathbf {x}\), and otherwise outputs \(\bot\).
We define a subset \(\mathcal {G}\subseteq \mathbb {F}_q^N\) as follows:
\begin{align*} \mathcal {G}:=\lbrace \mathbf {e}\in \mathbb {F}_q^N: \mathsf {hw}(\mathbf {e})\le (1/2+\epsilon)N ~\wedge ~ \forall \mathbf {y}\in C^\perp \setminus \lbrace \mathbf {0}\rbrace ,~\mathsf {hw}(\mathbf {e}-\mathbf {y})\gt (1/2+\epsilon)N \rbrace . \end{align*}
For any \(\mathbf {x}\in C^\perp\) and \(\mathbf {e}\in \mathcal {G}\), by the definition of \(\mathcal {G}\), \(\mathbf {x}\) is the only codeword of \(C^\perp\) whose Hamming distance from \(\mathbf {x}+\mathbf {e}\) is smaller than or equal to \((1/2+\epsilon)N\). Moreover, since \(k=\alpha N\) for \(\alpha \gt 5/6\) and \(\epsilon \lt 0.09\), it holds that \(N-\sqrt {dN}=N-\sqrt {(1-\alpha)N^2-2N}\ge (1-\sqrt {1-\alpha })N\gt 0.59 N\gt (1/2+\epsilon)N\). Thus, for any \(\mathbf {x}\in C^\perp\) and \(\mathbf {e}\in \mathcal {G}\), the list output by \(\mathrm{GRSListDecode}_{\mathbb {F}_q,\gamma ,N-k-2,\mathbf {v}}(\mathbf {x}+\mathbf {e})\) must contain \(\mathbf {x}\), which implies
\begin{equation*} \mathsf {Decode}_{C^\perp }(\mathbf {x}+\mathbf {e})=\mathbf {x}. \end{equation*}
Thus, it suffices to prove
\begin{align*} \Pr _{\mathbf {e}{\xleftarrow{$}} \mathcal {D}^n}[\mathbf {e}\notin \mathcal {G}]=2^{-\Omega (\lambda)} \end{align*}
where \(\mathcal {D}\) is the distribution as defined in Lemma 4.2. For \(\mathbf {e}\in \mathbb {F}_q^N\), we parse it as \(\mathbf {e}=(\mathbf {e}_1, \ldots ,\mathbf {e}_n)\in \Sigma ^n\) and define \(S_\mathbf {e}\subseteq [N]\) as the set of indices on which \(\mathbf {e}_i=\mathbf {0}\), that is,
\begin{equation*} S_\mathbf {e}:=\bigcup _{i\in [n]:\mathbf {e}_i=\mathbf {0}}\lbrace (i-1)m+1,(i-1)m+2,\ldots ,im\rbrace . \end{equation*}
By the definition of \(\mathcal {D}\) and \(n=\Theta (\lambda)\), the Chernoff bound (Lemma 2.4) gives
\begin{align*} \Pr _{\mathbf {e}{\xleftarrow{$}} \mathcal {D}^n}\left[(1/2-\epsilon)N\le |S_\mathbf {e}|\le (1/2+\epsilon)N\right]\ge 1-2^{-\Omega (\lambda)}. \end{align*}
Therefore, it suffices to prove
\begin{align} \Pr _{\mathbf {e}{\xleftarrow{$}} \mathcal {D}^n}[\mathbf {e}\notin \mathcal {G}\mid S_\mathbf {e}=S^*]=2^{-\Omega (\lambda)} \end{align}
(11)
for all \(S^*\subseteq [N]\) such that \((1/2-\epsilon)N\le |S^*|\le (1/2+\epsilon)N\). Fix such \(S^*\). When \(S_\mathbf {e}=S^*\), it is clear that we have \(\mathsf {hw}(\mathbf {e})\le (1/2+\epsilon)N\) since \(|S^*|\ge (1/2-\epsilon)N\). Thus, when \(S_\mathbf {e}=S^*\) and \(\mathbf {e}\notin \mathcal {G}\), there exists \(\mathbf {y}\in C^\perp \setminus \lbrace \mathbf {0}\rbrace\) such that
\begin{align} \mathsf {hw}(\mathbf {e}-\mathbf {y})\le (1/2+\epsilon)N. \end{align}
(12)
Let \(\bar{S}^*:=[N]\setminus S^*\). Note that \(|\bar{S}^*|\gt d+2\epsilon N\) holds by our parameter choices. It holds that
\begin{align} \mathsf {hw}(\mathbf {e}-\mathbf {y})= \mathsf {hw}(\mathbf {e}_{S^*}-\mathbf {y}_{S^*}) + \mathsf {hw}(\mathbf {e}_{\bar{S}^*}-\mathbf {y}_{\bar{S}^*}). \end{align}
(13)
Since we assume \(S^*=S_{\mathbf {e}}\), we have \(\mathbf {e}_{S^*}=\mathbf {0}\). On the other hand, since \(\mathbf {y}\ne \mathbf {0}\) and degree \(d\) non-zero polynomials have at most \(d\) roots, \(\mathbf {y}\) can take 0 on at most \(d\) indices. In particular, we have
\begin{align} \mathsf {hw}(\mathbf {e}_{S^*}-\mathbf {y}_{S^*})\ge |S^*|-d. \end{align}
(14)
By combining Equations (12) to (14), we have
\begin{align} \mathsf {hw}(\mathbf {e}_{\bar{S}^*}-\mathbf {y}_{\bar{S}^*})\le (1/2+\epsilon)N- (|S^*|- d)\le d +2\epsilon N \end{align}
(15)
where we used \(|S^*|\ge (1/2-\epsilon)N\). That is, conditioned on \(S_\mathbf {e}=S^*\), Equation (15) holds for some \(\mathbf {y}\in C^\perp \setminus \lbrace \mathbf {0}\rbrace\) whenever \(\mathbf {e}\notin \mathcal {G}\). Moreover, conditioned on \(S_\mathbf {e}=S^*\), the distribution of \(\mathbf {e}_{\bar{S}^*}\) is a direct product of \(|\bar{S}^*|/m\) copies of the uniform distribution over \(\mathbb {F}_q^m\setminus \lbrace \mathbf {0}\rbrace\) by the definition of \(\mathcal {D}\). Since \(q^m=2^{\Omega (\lambda)}\), the distribution is statistically \(2^{-\Omega (\lambda)}\)-close to the uniform distribution over \(\mathbb {F}_q^N\). Combining these observations, it holds that
\begin{align} \Pr _{\mathbf {e}{\xleftarrow{$}} \mathcal {D}^n}[\mathbf {e}\notin \mathcal {G}\mid S_\mathbf {e}=S^*]\le \Pr _{\mathbf {e}_{\bar{S}^*}{\xleftarrow{$}} \mathbb {F}_q^{\left|\bar{S}^*\right|}}[\exists \mathbf {y}\in C^\perp ~\mathsf {hw}(\mathbf {e}_{\bar{S}^*}-\mathbf {y}_{\bar{S^*}})\le d+2\epsilon N]+2^{-\Omega (\lambda)}. \end{align}
(16)
When there exists \(\mathbf {y}\in C^\perp\) such that \(\mathsf {hw}(\mathbf {e}_{\bar{S}^*}-\mathbf {y}_{\bar{S^*}})\le d+2\epsilon N\), there is a subset \(T\subseteq \bar{S}^*\) such that \(|T|= |\bar{S}^*|-\lceil d+2\epsilon N \rceil\) and \(\mathbf {e}_{T}=\mathbf {y}_{T}\) since we have \(|\bar{S}^*|\gt \lceil d+2\epsilon N \rceil\). On the other hand, since a codeword of \(C^\perp\) is determined by values on \(d+1\) indices, for any fixed \(T\subseteq \bar{S}^*\), we have
\begin{align} \Pr _{\mathbf {e}_{\bar{S}^*}{\xleftarrow{$}} \mathbb {F}_q^{\left|\bar{S}^*\right|}}[\exists \mathbf {y}\in C^\perp ~\mathbf {e}_{T}=\mathbf {y}_{T}]= q^{-(|T|-(d+1))}\le q^{-\left(\frac{1}{2}-3\epsilon \right)N+2d+1} \end{align}
(17)
where we used \(|T|\ge |\bar{S}^*|-d-2\epsilon N\) and \(|\bar{S}^*|\ge (1/2-\epsilon)N\). Since there are \({|\bar{S}^*| \choose \lceil d+2\epsilon N \rceil }\) possible choices of \(T\), combined with Equation (17), it holds that
\begin{align} \Pr _{\mathbf {e}_{\bar{S}^*}{\xleftarrow{$}} \mathbb {F}_q^{\left|\bar{S}^*\right|}}[\exists \mathbf {y}\in C^\perp ~\mathsf {hw}(\mathbf {e}_{\bar{S}^*}-\mathbf {y}_{\bar{S^*}})\le d+2\epsilon N] &\le {|\bar{S}^*| \choose \lceil d+2\epsilon N \rceil }\cdot q^{-\left(\frac{1}{2}-3\epsilon \right)N+2d+1} \nonumber \\ &\le q^{d+2\epsilon N +1}\cdot q^{-\left(\frac{1}{2}-3\epsilon \right)N+2d+1} \nonumber \\ &\le q^{-\left(\frac{1}{2}-3(1-\alpha)-5\epsilon \right)N-4} \end{align}
(18)
where we used \(|\bar{S}^*|\le N\lt q\) in the second inequality and \(d=N-k-2=(1-\alpha)N-2\) in the third inequality. Since \(5/6\lt \alpha \lt 1\), we can choose \(0\lt \epsilon \lt 0.09\) in such a way that \(\frac{1}{2}-3(1-\alpha)-5\epsilon \gt 0\). (For example, \(\epsilon :=-\frac{1}{4}+\frac{3}{10}\alpha\) suffices.) Then, by combining Equations (16) and (18) together with \(q=\Omega (\lambda)\) and \(\frac{1}{2}-3(1-\alpha)-5\epsilon =\Omega (1)\), we obtain Equation (11).
Third item. Finally, we prove Item 3 of Lemma 4.2. For \(\lceil \frac{k+1}{m}\rceil \lt j \lt n\), there does not exist a codeword \(\mathbf {x}\) such that \(\mathsf {hw}(\mathbf {x})=n-j\). This is because if \(\mathsf {hw}(\mathbf {x})=n-j\), the polynomial \(f\) corresponding to \(\mathbf {x}\) has at least \(mj\ge k+1\) roots, which means that \(\mathbf {x}=\mathbf {0}\) since the degree of \(f\) is at most \(k\). This contradicts \(\mathsf {hw}(\mathbf {x})=n-j\gt 0\).
The case of \(j\le \lceil \frac{k+1}{m}\rceil\) is proven below. In this case, since a polynomial of degree at most \(k\) is determined by evaluated values on \(k+1\) points, for any subset \(S\subseteq [n]\) such that \(|S|=j\), \(\mathbf {x}_S\) is uniformly distributed over \(\Sigma ^j\) when \(\mathbf {x}{\xleftarrow{$}} C_\lambda\). Therefore, we have
\begin{align*} \Pr _{\mathbf {x}{\xleftarrow{$}} C_\lambda }[\mathsf {hw}(\mathbf {x})=n-j] &\le \sum _{S\subseteq [n]\text{~s.t.~}|S|=j}\Pr _{\mathbf {x}{\xleftarrow{$}} C_\lambda }[\mathbf {x}_{S}=\mathbf {0}]\\ &\le {n\choose j}|\Sigma |^{-j}\\ &\le \left(\frac{n}{|\Sigma |}\right)^j. \end{align*}
This completes the proof of Lemma 4.2.

5 Technical Lemma

We prepare a lemma that is used in the proof of correctness of our proof of quantumness constructed in Section 6. The lemma is inspired by the quantum step of Regev’s reduction from LWE to worst-case lattice problems [50].
Lemma 5.1.
Let \(\mathinner {|{\psi }\rangle }\) and \(\mathinner {|{\phi }\rangle }\) be quantum states on a quantum system over an alphabet \(\Sigma =\mathbb {F}_q^m\) written as
\begin{align*} &\mathinner {|{\psi }\rangle }=\sum _{\mathbf {x}\in \Sigma ^n}V(\mathbf {x})\mathinner {|{\mathbf {x}}\rangle }\\ &\mathinner {|{\phi }\rangle }=\sum _{\mathbf {e}\in \Sigma ^n}W(\mathbf {e})\mathinner {|{\mathbf {e}}\rangle }. \end{align*}
Let \(F:\Sigma ^n \rightarrow \Sigma ^n\) be a function. Let \(\mathsf {GOOD}\subseteq \Sigma ^n \times \Sigma ^n\) be a subset such that for any \((\mathbf {x},\mathbf {e})\in \mathsf {GOOD}\), we have \(F(\mathbf {x}+\mathbf {e})=\mathbf {x}\). Let \(\mathsf {BAD}\) be the complement of \(\mathsf {GOOD}\), i.e., \(\mathsf {BAD}:=(\Sigma ^n \times \Sigma ^n)\setminus \mathsf {GOOD}\). Suppose that we have
\begin{align} &\sum _{(\mathbf {x},\mathbf {e})\in \mathsf {BAD}}|\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})|^2\le \epsilon \end{align}
(19)
\begin{align} &\sum _{\mathbf {z}\in \Sigma ^n}\left|\sum _{(\mathbf {x},\mathbf {e})\in \mathsf {BAD}: \mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\right|^2\le \delta . \end{align}
(20)
Let \(U_{\mathsf {add}}\) and \(U_{F}\) be unitaries defined as follows:
\begin{align*} &\mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {e}}\rangle } \xrightarrow {U_{\mathsf {add}}} \mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle }\xrightarrow {U_{F}} \mathinner {|{\mathbf {x}-F(\mathbf {x}+\mathbf {e})}\rangle }\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle }. \end{align*}
Then we have
\begin{align*} (I\otimes (\mathsf {QFT}_{\Sigma }^{\otimes n})^{-1})U_{F}U_{\mathsf {add}}(\mathsf {QFT}_{\Sigma }^{\otimes n}\otimes \mathsf {QFT}_{\Sigma }^{\otimes n})\mathinner {|{\psi }\rangle }\mathinner {|{\phi }\rangle } \approx _{\sqrt {\epsilon }+\sqrt {\delta }} |\Sigma |^{n/2}\sum _{\mathbf {z}\in \Sigma ^n}(V\cdot W)(\mathbf {z})\mathinner {|{0}\rangle }\mathinner {|{\mathbf {z}}\rangle }. \end{align*}
Proof.
Equations (19) and (20) immediately imply the following inequalities, respectively:
\begin{align*} \left\Vert \sum _{(\mathbf {x},\mathbf {e}) \in \mathsf {BAD}}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {e}}\rangle }\right\Vert \le \sqrt {\epsilon } \end{align*}
and
\begin{align*} \left\Vert \sum _{(\mathbf {x},\mathbf {e}) \in \mathsf {BAD}}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle }\right\Vert \le \sqrt {\delta }. \end{align*}
Since \(\mathsf {BAD}\) is the complement of \(\mathsf {GOOD}\), the above imply the following:
\begin{align} \sum _{(\mathbf {x},\mathbf {e}) \in \Sigma ^n\times \Sigma ^n}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {e}}\rangle } \approx _{\sqrt {\epsilon }} \sum _{(\mathbf {x},\mathbf {e}) \in \mathsf {GOOD}}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {e}}\rangle } \end{align}
(21)
and
\begin{align} \sum _{(\mathbf {x},\mathbf {e}) \in \Sigma ^n\times \Sigma ^n}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle } \approx _{\sqrt {\delta }} \sum _{(\mathbf {x},\mathbf {e}) \in \mathsf {GOOD}}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle }. \end{align}
(22)
Then, we have
\begin{align*} U_{F}U_{\mathsf {add}}(\mathsf {QFT}\otimes \mathsf {QFT})\mathinner {|{\psi }\rangle }\mathinner {|{\phi }\rangle } &= U_{F}U_{\mathsf {add}}\sum _{(\mathbf {x},\mathbf {e}) \in \Sigma ^n\times \Sigma ^n}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {e}}\rangle }\\ &\approx _{\sqrt {\epsilon }} U_{F}U_{\mathsf {add}}\sum _{(\mathbf {x},\mathbf {e}) \in \mathsf {GOOD}}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {e}}\rangle }\\ &=\sum _{(\mathbf {x},\mathbf {e}) \in \mathsf {GOOD}}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{0}\rangle }\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle }\\ &\approx _{\sqrt {\delta }}\sum _{(\mathbf {x},\mathbf {e}) \in \Sigma ^n\times \Sigma ^n}\hat{V}(\mathbf {x})\hat{W}(\mathbf {e})\mathinner {|{0}\rangle }\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle }\\ &=\sum _{\mathbf {z}\in \Sigma ^n}(\hat{V}*\hat{W})(\mathbf {z})\mathinner {|{0}\rangle }\mathinner {|{\mathbf {z}}\rangle }\\ &=|\Sigma |^{n/2}\sum _{\mathbf {z}\in \Sigma ^n}\widehat{(V\cdot W)}(\mathbf {z})\mathinner {|{0}\rangle }\mathinner {|{\mathbf {z}}\rangle }\\ &=(I\otimes \mathsf {QFT})|\Sigma |^{n/2}\sum _{\mathbf {z}\in \Sigma ^n}(V\cdot W)(\mathbf {z})\mathinner {|{0}\rangle }\mathinner {|{\mathbf {z}}\rangle } \end{align*}
where we used Equation (21) for the second line, Equation (22) for the fourth line, and the convolution theorem (Equation (3) in Lemma 2.3) for the sixth line. This completes the proof of Lemma 5.1. □

6 Proofs of Quantumness

In this section, we give a construction of proofs of quantumness in the QROM, which is the main result of this article.
Theorem 6.1.
There exists a keyless proof of quantumness relative to a random oracle that satisfies soundness in the CROM.
By Theorem 3.10, we immediately obtain the following corollary.
Corollary 6.2.
There exists a keyed proof of quantumness relative to a random oracle that satisfies soundness in the AI-CROM.
The rest of this section is devoted to a proof of Theorem 6.1.
Construction. Let \(\lbrace C_\lambda \rbrace _\lambda\) be a family of codes over an alphabet \(\Sigma =\mathbb {F}_q^m\) that satisfies the requirements of Lemma 4.2 with arbitrary \(0\lt c\lt c^{\prime }\lt 1\). In the following, we omit \(\lambda\) from the subscript of \(C\) since it is clear from the context. We use the notations defined in Lemma 4.2 (e.g., \(n,m,\zeta ,\ell ,L\)). Let \(H:\Sigma \rightarrow \lbrace 0,1\rbrace ^{n}\) be a random oracle. For \(i\in [n]\), let \(H_i:\Sigma \rightarrow \lbrace 0,1\rbrace\) be a function that on input \(x\) outputs the \(i\)th bit of \(H(x)\). Then, we construct a proof of quantumness \(\Pi =(\mathsf {Prove},\mathsf {Verify})\) in the QROM as follows.
\(\mathsf {Prove}^{H}(1^\lambda)\): For \(i\in [n]\), it generates a state
\begin{equation*} \mathinner {|{\phi _i}\rangle }\propto \sum _{ \mathbf {e}_i\in \Sigma \text{~s.t.~} H_i(\mathbf {e}_i)= 1 } \mathinner {|{\mathbf {e}_i}\rangle }. \end{equation*}
This is done as follows. It generates a uniform superposition over \(\Sigma\), coherently evaluates \(H\), and measures its value. If the measurement outcome is 1, then it succeeds in generating the above state. It repeats the above procedure until it succeeds or it fails \(\lambda\) times. If it fails to generate \(\mathinner {|{\phi _i}\rangle }\) within \(\lambda\) trials for some \(i\in [n]\), it just aborts. Otherwise, it sets
\begin{equation*} \mathinner {|{\phi }\rangle }:=\mathinner {|{\phi _1}\rangle }\otimes \mathinner {|{\phi _2}\rangle }\otimes \ldots \otimes \mathinner {|{\phi _n}\rangle }. \end{equation*}
Note that we have
\begin{equation*} \mathinner {|{\phi }\rangle }\propto \sum _{\substack{\mathbf {e}=(\mathbf {e}_1,\ldots ,\mathbf {e}_n)\in \Sigma ^n\text{~s.t.~}\\ H_i(\mathbf {e}_i)=1\text{~for~all~}i\in [n]}}\mathinner {|{\mathbf {e}}\rangle }. \end{equation*}
It generates a state
\begin{equation*} \mathinner {|{\psi }\rangle }\propto \sum _{\mathbf {x}\in C}\mathinner {|{\mathbf {x}}\rangle }. \end{equation*}
Then it applies \(\mathsf {QFT}\) to both \(\mathinner {|{\psi }\rangle }\) and \(\mathinner {|{\phi }\rangle }\). At this point, it has the state
\begin{equation*} \mathinner {|{\eta }\rangle }:=\mathsf {QFT}\mathinner {|{\psi }\rangle } \otimes \mathsf {QFT}\mathinner {|{\phi }\rangle }. \end{equation*}
Let \(U_{\mathsf {add}}\) and \(U_{\mathsf {decode}}\) be unitaries on the Hilbert space of \(\mathinner {|{\eta }\rangle }\) defined by the following:
\begin{equation*} \mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {e}}\rangle } \xrightarrow {U_{\mathsf {add}}} \mathinner {|{\mathbf {x}}\rangle }\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle } \xrightarrow {U_{\mathsf {decode}}} \mathinner {|{\mathbf {x}-\mathsf {Decode}_{C^\perp }(\mathbf {x}+\mathbf {e})}\rangle }\mathinner {|{\mathbf {x}+\mathbf {e}}\rangle } \end{equation*}
where \(\mathsf {Decode}_{C^\perp }\) is the decoder for \(C^\perp\) as required in Item 2 of Lemma 4.2. Then it applies \((I\otimes \mathsf {QFT}^{-1}) U_{\mathsf {decode}}U_{\mathsf {add}}\) to \(\mathinner {|{\eta }\rangle }\), measures the second register, and outputs the measurement outcome \(\mathbf {x}\in \Sigma ^n\) as \(\pi\). A diagram showing how to compute \(\pi\) is given in Figure 1.
\(\mathsf {Verify}^{H}(1^\lambda ,\pi)\): It parses \(\pi =\mathbf {x}=(\mathbf {x}_1,\ldots ,\mathbf {x}_n)\) and outputs \(\top\) if \(\mathbf {x}\in C\) and \(H_i(\mathbf {x}_i)= 1\) for all \(i\in [n]\) and \(\bot\) otherwise.
Fig. 1. The algorithm \(\mathsf {Prove}\) for computing \(\pi\). Here, \(n-k\) is the dimension of \(C^\perp\), and \(M_{C^\perp }\) is any invertible matrix whose first \(n-k\) columns are a basis for \(C^\perp\).
Correctness.
Lemma 6.3.
\(\Pi\) satisfies correctness.
Proof.
Let \(T_i^{H_i}\subseteq \Sigma\) be the subset consisting of \(\mathbf {e}_i\in \Sigma\) such that \(H_i(\mathbf {e}_i)=1\) and \(T^H:=T_1^{H_1}\times T_2^{H_2}\times \ldots \times T_n^{H_n}\subseteq \Sigma ^n\). Let \(\widetilde{\mathcal {H}}\subseteq \mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace ^n)\) be the subset that consists of all \(H\in \mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace ^n)\) such that \(\frac{1}{3}\lt \frac{|T_i^{H_i}|}{|\Sigma |}\lt \frac{2}{3}\) for all \(i\in [n]\). By the Chernoff bound (Lemma 2.4) and the union bound, we can see that a \((1-n\cdot 2^{-\Omega (|\Sigma |)})\)-fraction of \(H\in \mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace ^n)\) belongs to \(\widetilde{\mathcal {H}}\). Since we have \(n\cdot 2^{-|\Sigma |}=\mathsf {negl}(\lambda)\) by our parameter choices specified in Lemma 4.2, it suffices to prove the correctness assuming that \(H\) is uniformly chosen from \(\widetilde{\mathcal {H}}\) instead of from \(\mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace ^n)\). We prove this below.
First, we show that the probability that \(\mathsf {Prove}\) aborts is negligible. In each trial to generate \(\mathinner {|{\phi _i}\rangle }\), the success probability is \(\frac{|T_i^{H_i}|}{|\Sigma |}\lt \frac{2}{3}\).
Thus, the probability that it fails to generate \(\mathinner {|{\phi _i}\rangle }\) \(\lambda\) times is negligible.
Let \(V:\Sigma ^n\rightarrow \mathbb {C}\), \(W^{H_i}_i:\Sigma \rightarrow \mathbb {C}\), and \(W^H:\Sigma ^n\rightarrow \mathbb {C}\) be functions defined as follows:
\begin{align*} &V(\mathbf {x})= {\left\lbrace \begin{array}{ll} \frac{1}{\sqrt {|C|}}& \mathbf {x}\in C\\ 0& \text{otherwise} \end{array}\right.}\\ &W^{H_i}_i(\mathbf {e}_i)= {\left\lbrace \begin{array}{ll} \frac{1}{\sqrt {|T^{H_i}_i|}}& \mathbf {e}_i\in T^{H_i}_i\\ 0& \text{otherwise} \end{array}\right.}\\ &W^H(\mathbf {e})= {\left\lbrace \begin{array}{ll} \frac{1}{\sqrt {|T^H|}}& \mathbf {e}\in T^H\\ 0& \text{otherwise} \end{array}\right.} \end{align*}
Then we have
\begin{align*} &\mathinner {|{\psi }\rangle }=\sum _{\mathbf {x}\in \Sigma ^n}V(\mathbf {x})\mathinner {|{\mathbf {x}}\rangle }\\ &\mathinner {|{\phi }\rangle }=\sum _{\mathbf {e}\in \Sigma ^n}W^H(\mathbf {e})\mathinner {|{\mathbf {e}}\rangle } \end{align*}
where \(\mathinner {|{\psi }\rangle }\) and \(\mathinner {|{\phi }\rangle }\) are as in the description of \(\mathsf {Prove}\). To apply Lemma 5.1, we prove the following claim.
Claim 6.4.
For an overwhelming fraction of \(H\in \widetilde{\mathcal {H}}\), there is a subset \(\mathsf {GOOD}\subseteq \Sigma ^n \times \Sigma ^n\) such that \(\mathsf {Decode}_{C^\perp }(\mathbf {x}+\mathbf {e})=\mathbf {x}\) for any \((\mathbf {x},\mathbf {e})\in \mathsf {GOOD}\) and we have
\begin{align*} &\sum _{(\mathbf {x},\mathbf {e})\in \mathsf {BAD}}|\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e})|^2\le \mathsf {negl}(\lambda),\\ &\sum _{\mathbf {z}\in \Sigma ^n}\left|\sum _{(\mathbf {x},\mathbf {e})\in \mathsf {BAD}: \mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e})\right|^2\le \mathsf {negl}(\lambda). \end{align*}
where \(\mathsf {BAD}=(\Sigma ^n \times \Sigma ^n)\setminus \mathsf {GOOD}\). □
We prove Claim 6.4 later. We complete the proof of Lemma 6.3 by using Claim 6.4. By Lemma 5.1 and Claim 6.4 where we set \(F:=\mathsf {Decode}_{C^\perp }\), for an overwhelming fraction of \(H\in \widetilde{\mathcal {H}}\), we have
\begin{align} (I\otimes \mathsf {QFT}^{-1})U_{\mathsf {decode}}U_{\mathsf {add}}\mathinner {|{\eta }\rangle } \approx |\Sigma |^{n/2}\sum _{\mathbf {x}\in \Sigma ^n}(V\cdot W^H)(\mathbf {x})\mathinner {|{0}\rangle }\mathinner {|{\mathbf {x}}\rangle }, \end{align}
(23)
where \(\mathinner {|{\eta }\rangle }\) is as in the description of \(\mathsf {Prove}\). Since \((V\cdot W^H)(\mathbf {x})=0\) for \(\mathbf {x}\notin C\cap T^H\), if we measure the second register of the RHS of Equation (23), the outcome is in \(C\cap T^H\) with probability 1. Thus, if we measure the second register of the LHS of Equation (23), the outcome is in \(C\cap T^H\) with probability \(1-\mathsf {negl}(\lambda)\). This means that an honestly generated proof \(\pi\) passes the verification with probability \(1-\mathsf {negl}(\lambda)\).
To complete the proof of correctness, we prove Claim 6.4 below.
Proof of Claim 6.4
We use the notations defined in the proof of Lemma 6.3 above. For each \(i\in [n]\), let \(\widetilde{\mathcal {H}}_i\subseteq \mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace)\) be the subset that consists of all \(H_i\in \mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace)\) such that \(\frac{1}{3}\lt \frac{|T_i^{H_i}|}{|\Sigma |}\lt \frac{2}{3}\). Choosing \(H{\xleftarrow{$}} \widetilde{\mathcal {H}}\) is equivalent to choosing \(H_i{\xleftarrow{$}} \widetilde{\mathcal {H}}_i\) independently for each \(i\in [n]\). In the following, whenever we write \(H\) or \(H_i\) in subscripts of \(\mathbb {E}\), they are uniformly taken from \(\widetilde{\mathcal {H}}\) or \(\widetilde{\mathcal {H}}_i\), respectively.
By Lemma 4.1 and the definition of \(V\), we have
\begin{align*} &\hat{V}(\mathbf {x})= {\left\lbrace \begin{array}{ll} \frac{1}{\sqrt {|C^\perp |}}& \mathbf {x}\in C^\perp \\ 0& \text{otherwise} \end{array}\right.}. \end{align*}
Let \(\mathcal {G}\subseteq \Sigma ^n\) be a subset defined as follows:
\begin{align*} \mathcal {G}:=\lbrace \mathbf {e}\in \Sigma ^n: \forall \mathbf {x}\in C^\perp ,~\mathsf {Decode}_{C^\perp } (\mathbf {x}+\mathbf {e})=\mathbf {x}\rbrace . \end{align*}
Let \(\mathcal {B}:=\Sigma ^n \setminus \mathcal {G}\). Item 2 of Lemma 4.2 implies
\begin{align} \Pr _{\mathbf {e}{\xleftarrow{$}} \mathcal {D}^n}[\mathbf {e}\in \mathcal {B}]=\mathsf {negl}(\lambda) \end{align}
(24)
where \(\mathcal {D}\) is the distribution as defined in Item 2 of Lemma 4.2. We define \(\mathsf {GOOD}:=C^\perp \times \mathcal {G}\) and \(\mathsf {BAD}:=(\Sigma ^n\times \Sigma ^n)\setminus \mathsf {GOOD}\). Then, we have \(\mathsf {Decode}_{C^\perp }(\mathbf {x}+\mathbf {e})=\mathbf {x}\) for all \((\mathbf {x},\mathbf {e})\in \mathsf {GOOD}\) by definition.
Noting that \(\hat{V}(\mathbf {x})=0\) for \(\mathbf {x}\notin C^{\perp }\), it is easy to see that we have the following:
\begin{align} &\sum _{(\mathbf {x},\mathbf {e})\in \mathsf {BAD}}|\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e})|^2 =\sum _{\mathbf {e}\in \mathcal {B}}|\hat{W}^H(\mathbf {e})|^2, \end{align}
(25)
\begin{align} &\sum _{\mathbf {z}\in \Sigma ^n}\left|\sum _{(\mathbf {x},\mathbf {e})\in \mathsf {BAD}: \mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e})\right|^2 =\sum _{\mathbf {z}\in \Sigma ^n}\left|\sum _{\mathbf {x}\in C^\perp ,\mathbf {e}\in \mathcal {B}\\ : \mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e})\right|^2. \end{align}
(26)
We need to prove that the values of Equations (25) and (26) are negligible for an overwhelming fraction of \(H\in \widetilde{\mathcal {H}}\). By a standard averaging argument, it suffices to prove that their expected values are negligible, that is,
\begin{align} &\mathbb {E}_{H}\left[\sum _{\mathbf {e}\in \mathcal {B}}|\hat{W}^H(\mathbf {e})|^2\right]\le \mathsf {negl}(\lambda), \end{align}
(27)
\begin{align} &\mathbb {E}_{H}\left[\sum _{\mathbf {z}\in \Sigma ^n}\left|\sum _{\mathbf {x}\in C^\perp ,\mathbf {e}\in \mathcal {B}\\ : \mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e})\right|^2\right]\le \mathsf {negl}(\lambda). \end{align}
(28)
Before proving them, we note an obvious yet useful claim.
Claim 6.5.
Let \(\pi\) be a permutation over \(\Sigma\) (resp. \(\Sigma ^n\)). Then, the distributions of \(H_i\) and \(H_i\circ \pi\) (resp. \(H\) and \(H\circ \pi\)) are identical when \(H_i{\xleftarrow{$}} \widetilde{\mathcal {H}}_i\) (resp. \(H{\xleftarrow{$}} \widetilde{\mathcal {H}}\)). □
Proof of Claim 6.5
Recall that \(\widetilde{\mathcal {H}}_i\) is the set of all \(H_i:\Sigma \rightarrow \lbrace 0,1\rbrace\) such that \(\frac{|\Sigma |}{3} \lt |\lbrace \mathbf {e}_i\in \Sigma :H_i(\mathbf {e}_i)=1\rbrace |\lt \frac{2|\Sigma |}{3}\). Clearly, we have \(|\lbrace \mathbf {e}_i\in \Sigma :H_i(\mathbf {e}_i)=1\rbrace |=|\lbrace \mathbf {e}_i\in \Sigma :H_i\circ \pi (\mathbf {e}_i)=1\rbrace |\). Thus, \(\pi\) induces a permutation over \(\widetilde{\mathcal {H}}_i\), and hence \(H_i\circ \pi\) is uniformly distributed over \(\widetilde{\mathcal {H}}_i\) when \(H_i{\xleftarrow{$}} \widetilde{\mathcal {H}}_i\). A similar argument works for \(\widetilde{\mathcal {H}}\) as well. □
Then, we prove Equations (27) and (28).
Proof of Equation (27). First, we prove the following claim.
Claim 6.6.
For all \(i\in [n]\) and \(\mathbf {e},\mathbf {e}^{\prime }\in \Sigma \setminus \lbrace 0\rbrace\), it holds that
\begin{align} \mathbb {E}_{H_i}\left[|\hat{W}_i(\mathbf {0})|^2\right] =\frac{1}{2} \end{align}
(29)
and
\begin{align} \mathbb {E}_{H_i}\left[|\hat{W}_i(\mathbf {e})|^2\right] =\mathbb {E}_{H_i}\left[|\hat{W}_i(\mathbf {e}^{\prime })|^2\right]. \end{align}
(30)
Proof of Claim 6.6
Equation (29) is proven as follows:
\begin{align*} \mathbb {E}_{H_i}\left[|\hat{W}_i(\mathbf {0})|^2\right] &=\mathbb {E}_{H_i}\left[\left|\frac{1}{\sqrt {|\Sigma |}}\sum _{\mathbf {z}\in \Sigma }W_i^{H_i}(\mathbf {z})\right|^2\right] =\frac{\mathbb {E}_{H_i}\left[|T_i^{H_i}|\right]}{|\Sigma |} =\frac{1}{2}. \end{align*}
Since \(\mathbf {e}\ne \mathbf {0}\), for any \(w\in \mathbb {F}_q\), the number of \(\mathbf {z}\in \Sigma\) such that \(\mathbf {e}\cdot \mathbf {z}=w\) is \(|\Sigma |/q\). A similar statement holds for \(\mathbf {e}^{\prime }\) too. Therefore, there is a permutation \(\pi _{\mathbf {e},\mathbf {e}^{\prime }}:\Sigma \rightarrow \Sigma\) such that \(\mathbf {e}\cdot \mathbf {z}=\mathbf {e}^{\prime }\cdot \pi _{\mathbf {e},\mathbf {e}^{\prime }}(\mathbf {z})\) for all \(\mathbf {z}\in \Sigma\). Then, Equation (30) is proven as follows.
\begin{align*} \mathbb {E}_{H_i}\left[|\hat{W}_i(\mathbf {e})|^2\right] &=\mathbb {E}_{H_i}\left[\left|\frac{1}{\sqrt {|\Sigma |}}\sum _{\mathbf {z}\in \Sigma }W_i^{H_i}(\mathbf {z})\omega _p^{\mathrm{Tr}(\mathbf {e}\cdot \mathbf {z})}\right|^2\right]\\ &=\mathbb {E}_{H_i}\left[\left|\frac{1}{\sqrt {|\Sigma |}}\sum _{\mathbf {z}\in \Sigma }W_i^{H_i\circ \pi _{\mathbf {e},\mathbf {e}^{\prime }}^{-1}}(\pi _{\mathbf {e},\mathbf {e}^{\prime }}(\mathbf {z}))\omega _p^{\mathrm{Tr}(\mathbf {e}^{\prime }\cdot \pi _{\mathbf {e},\mathbf {e}^{\prime }}(\mathbf {z}))}\right|^2\right]\\ &=\mathbb {E}_{H_i}\left[\left|\frac{1}{\sqrt {|\Sigma |}}\sum _{\mathbf {z}\in \Sigma }W_i^{H_i\circ \pi _{\mathbf {e},\mathbf {e}^{\prime }}^{-1}}(\mathbf {z})\omega _p^{\mathrm{Tr}(\mathbf {e}^{\prime }\cdot \mathbf {z})}\right|^2\right]\\ &=\mathbb {E}_{H_i}\left[\left|\frac{1}{\sqrt {|\Sigma |}}\sum _{\mathbf {z}\in \Sigma }W_i^{H_i}(\mathbf {z})\omega _p^{\mathrm{Tr}(\mathbf {e}^{\prime }\cdot \mathbf {z})}\right|^2\right]\\ &=\mathbb {E}_{H_i}\left[|\hat{W}_i(\mathbf {e}^{\prime })|^2\right] \end{align*}
where the fourth equality follows from Claim 6.5. □
Claim 6.6 means that we have
\begin{align} \mathcal {D}(\mathbf {e}_i)= \mathbb {E}_{H_i}\left[|\hat{W}_i(\mathbf {e}_i)|^2\right] \end{align}
(31)
for all \(\mathbf {e}_i\in \Sigma\) where \(\mathcal {D}(\cdot)\) is the probability density function of the distribution \(\mathcal {D}\) as defined in Item 2 of Lemma 4.2. Moreover, for any \(\mathbf {e}=(\mathbf {e}_1,\ldots ,\mathbf {e}_n)\in \Sigma ^n\) and \(H\in \widetilde{\mathcal {H}}\), since we have \(W^H(\mathbf {e})=\prod _{i=1}^{n}W_i^{H_i}(\mathbf {e}_i)\), by Lemma 2.2, we have
\begin{align} \hat{W}^{H}(\mathbf {e})=\prod _{i=1}^{n}\hat{W}_i^{H_i}(\mathbf {e}_i). \end{align}
(32)
By combining Equations (31) and (32), we obtain
\begin{align} \mathcal {D}^n(\mathbf {e})= \mathbb {E}_{H}\left[|\hat{W}(\mathbf {e})|^2\right] \end{align}
(33)
for all \(\mathbf {e}\in \Sigma ^n\) where \(\mathcal {D}^n(\cdot)\) is the probability density function of \(\mathcal {D}^n\). By Equations (24) and (33), and the linearity of expectation, we obtain Equation (27).
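The identity behind Claim 6.6 and Equation (31) can be checked by brute force on a tiny alphabet. The following Python script is an added illustration, not code from the paper: it takes \(\Sigma =\mathbb {F}_2^3\) (so \(q=p=2\), \(\mathrm{Tr}\) is the identity and \(\omega _p=-1\)), enumerates every \(H_i\in \widetilde{\mathcal {H}}_i\) by its preimage set \(T_i^{H_i}\), and computes \(\mathcal {D}(\mathbf {e})=\mathbb {E}_{H_i}[|\hat{W}_i(\mathbf {e})|^2]\) exactly with rational arithmetic. The alphabet size and the encoding of \(\Sigma\) as bit masks are constructed for this check.

```python
from fractions import Fraction
from itertools import combinations

# Toy instance of Claim 6.6 / Equation (31): Sigma = F_2^3 with q = p = 2, so Tr is the
# identity, omega_p = -1, and e.z is the F_2 inner product of 3-bit vectors (constructed).
M = 3
SIGMA = list(range(2 ** M))


def inner(e, z):
    """F_2 inner product e.z of two vectors encoded as bit masks."""
    return bin(e & z).count("1") % 2


def balanced_preimages():
    """Enumerate tilde H_i: the functions H_i: Sigma -> {0,1} with |Sigma|/3 < |T_i| < 2|Sigma|/3,
    each represented by its preimage set T_i = {z : H_i(z) = 1}."""
    size = len(SIGMA)
    for t in range(size + 1):
        if size < 3 * t < 2 * size:
            for T in combinations(SIGMA, t):
                yield frozenset(T)


def fourier_weight(T, e):
    """|hat W_i(e)|^2 for W_i = |T|^{-1/2} on T (and 0 elsewhere) under the unitary transform
    hat W(e) = |Sigma|^{-1/2} sum_z W(z) (-1)^{e.z}. The value is rational, so no rounding."""
    s = sum(-1 if inner(e, z) else 1 for z in T)
    return Fraction(s * s, len(SIGMA) * len(T))


def expected_fourier_weights():
    """D(e) = E_{H_i}[|hat W_i(e)|^2] over uniform H_i in tilde H_i, for every e in Sigma."""
    preimages = list(balanced_preimages())
    return {e: sum(fourier_weight(T, e) for T in preimages) / len(preimages) for e in SIGMA}


if __name__ == "__main__":
    D = expected_fourier_weights()
    print("D(0) =", D[0])                                        # 1/2, Equation (29)
    print("D(e) for e != 0:", sorted({D[e] for e in SIGMA if e}))  # one value, Equation (30)
    print("sum over e =", sum(D.values()))                       # 1: D is a distribution
```

Because \(\sum _{\mathbf {e}}|\hat{W}_i(\mathbf {e})|^2=1\) for every fixed \(H_i\) (Parseval), the expectation is a probability distribution over \(\Sigma\); with Equation (29) this pins the mass on every nonzero \(\mathbf {e}\) to \((1-1/2)/(|\Sigma |-1)\), which is what the script reports.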
Proof of Equation (28). We define a function \(B:\Sigma ^n\rightarrow \mathbb {C}\) so that \(\hat{B}\) satisfies the following:
\begin{align*} \hat{B}(\mathbf {e})= {\left\lbrace \begin{array}{ll}1& \mathbf {e}\in \mathcal {B}\\ 0& \text{otherwise}\end{array}\right.}. \end{align*}
We prove the following claims.
Claim 6.7.
For any \(H\in \widetilde{\mathcal {H}}\), it holds that
\begin{align*} \sum _{\mathbf {z}\in \Sigma ^n}\left|\sum _{\mathbf {x}\in C^\perp ,\mathbf {e}\in \mathcal {B}\\ : \mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e})\right|^2 =\sum _{\mathbf {z}\in \Sigma ^n}\left|(V\cdot (B\ast W^H))(\mathbf {z})\right|^2. \end{align*}
Proof of Claim 6.7
For any \(\mathbf {z}\in \Sigma ^n\), we have
\begin{align*} \sum _{\mathbf {x}\in C^\perp ,\mathbf {e}\in \mathcal {B}\\ : \mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e}) &=\sum _{\mathbf {x}\in \Sigma ^n, \mathbf {e}\in \Sigma ^n\\ :\mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})(\hat{B}\cdot \hat{W}^H)(\mathbf {e})\\ &=(\hat{V}\ast (\hat{B}\cdot \hat{W}^H))(\mathbf {z})\\ &=\widehat{(V\cdot (B\ast W^H))}(\mathbf {z}) \end{align*}
where we used \(\hat{V}(\mathbf {x})=0\) for \(\mathbf {x}\notin C^\perp\) in the first equality and the convolution theorem (Equation (5) in Lemma 2.3) in the third equality. Claim 6.7 follows from the above equation and Parseval’s equality (Lemma 2.1). □
Claim 6.8.
For any \(\mathbf {z}\in \Sigma ^n\), it holds that
\begin{align*} \mathbb {E}_{H}\left[|(B\ast W^H)(\mathbf {z})|^2\right]\le \mathsf {negl}(\lambda). \end{align*}
Proof of Claim 6.8
First, we observe that \(\mathbb {E}_{H}\left[|(B\ast W^H)(\mathbf {z}_0)|^2\right]=\mathbb {E}_{H}\left[|(B\ast W^H)(\mathbf {z}_1)|^2\right]\) for any \(\mathbf {z}_0,\mathbf {z}_1\). Indeed, if we define a permutation \(\pi :\Sigma ^n\rightarrow \Sigma ^n\) as \(\pi (\mathbf {z}):=\mathbf {z}+\mathbf {z}_0-\mathbf {z}_1\), we have
\begin{align*} &\mathbb {E}_{H}\left[\left|(B\ast W^H)(\mathbf {z}_0)\right|^2\right]\\ =&\mathbb {E}_{H}\left[\left|\sum _{\mathbf {x}\in \Sigma ^n}B(\mathbf {x})W^H(\mathbf {z}_0-\mathbf {x})\right|^2\right]\\ =&\mathbb {E}_{H}\left[\left|\sum _{\mathbf {x}\in \Sigma ^n}B(\mathbf {x})W^{H\circ \pi }(\mathbf {z}_1-\mathbf {x})\right|^2\right]\\ =&\mathbb {E}_{H}\left[\left|\sum _{\mathbf {x}\in \Sigma ^n}B(\mathbf {x})W^H(\mathbf {z}_1-\mathbf {x})\right|^2\right]\\ =&\mathbb {E}_{H}\left[\left|(B\ast W^H)(\mathbf {z}_1)\right|^2\right] \end{align*}
where the third equality follows from Claim 6.5.
Then, for any \(\mathbf {z}\in \Sigma ^n\), we have
\begin{align*} &\mathbb {E}_{H}\left[\left|(B\ast W^H)(\mathbf {z})\right|^2\right]\\ =&\frac{1}{|\Sigma |^n}\sum _{\mathbf {z}\in \Sigma ^n}\mathbb {E}_{H}\left[\left|(B\ast W^H)(\mathbf {z})\right|^2\right]\\ =&\frac{1}{|\Sigma |^n}\mathbb {E}_{H}\left[\sum _{\mathbf {z}\in \Sigma ^n}\left|(B\ast W^H)(\mathbf {z})\right|^2\right]\\ =&\frac{1}{|\Sigma |^n}\mathbb {E}_{H}\left[\sum _{\mathbf {z}\in \Sigma ^n}\left||\Sigma |^{n/2}(\hat{B}\cdot \hat{W}^H)(\mathbf {z})\right|^2\right]\\ =&\mathbb {E}_{H}\left[\sum _{\mathbf {z}\in \mathcal {B}}\left| \hat{W}^H(\mathbf {z})\right|^2\right]\\ \le & \mathsf {negl}(\lambda). \end{align*}
where the third equality follows from the convolution theorem (Equation (4) in Lemma 2.3) and Parseval’s equality (Lemma 2.1) and the final inequality follows from Equation (27). □
Then, we prove Equation (28) as follows:
\begin{align*} &\mathbb {E}_{H}\left[\sum _{\mathbf {z}\in \Sigma ^n}\left|\sum _{\mathbf {x}\in C^\perp ,\mathbf {e}\in \mathcal {B}\\ : \mathbf {x}+\mathbf {e}=\mathbf {z}}\hat{V}(\mathbf {x})\hat{W}^H(\mathbf {e})\right|^2\right]\\ =&\mathbb {E}_{H}\left[\sum _{\mathbf {z}\in \Sigma ^n}\left|(V\cdot (B\ast W^H))(\mathbf {z})\right|^2\right]\\ =&\mathbb {E}_{H}\left[\sum _{\mathbf {z}\in C}\frac{1}{|C|}\left|(B\ast W^H)(\mathbf {z})\right|^2\right]\\ =&\frac{1}{|C|}\sum _{\mathbf {z}\in C}\mathbb {E}_{H}\left[\left|(B\ast W^H)(\mathbf {z})\right|^2\right]\\ \le &\mathsf {negl}(\lambda). \end{align*}
where the first equality follows from Claim 6.7, the second equality follows from the definition of \(V\), and the final inequality follows from Claim 6.8.
This completes the proof of Claim 6.4.
Soundness.
Lemma 6.9.
\(\Pi\) satisfies \((2^{\lambda ^c},2^{-\Omega (\lambda)})\)-soundness in the CROM.
Proof.
Let \(\mathcal {A}\) be an adversary that makes \(Q\le 2^{\lambda ^{c}}\) classical queries to \(H\). Without loss of generality, we assume that \(\mathcal {A}\) queries \(\mathbf {x}^*_i\) to \(H\) at some point for all \(i\in [n]\) where \(\mathbf {x}^*=(\mathbf {x}^*_1, \ldots ,\mathbf {x}^*_n)\in \Sigma ^n\) is \(\mathcal {A}\)’s final output. Since a query to \(H\) can be replaced with queries to each of \(H_1,\ldots ,H_n\), there is an adversary \(\mathcal {A}^{\prime }\) that makes \(Q\) queries to each of \(H_1,\ldots ,H_n\) and succeeds with the same probability as \(\mathcal {A}\). We denote \(\mathcal {A}^{\prime }\)’s total number of queries by \(Q^{\prime }=nQ\). We remark that \(\mathcal {A}^{\prime }\) queries \(\mathbf {x}^*_i\) to \(H_i\) at some point by our simplifying assumption on \(\mathcal {A}\).
For each \(i\in [n]\) and \(j\in [Q^{\prime }]\), let \(S_i^j \subseteq \Sigma\) be the set of elements that \(\mathcal {A}^{\prime }\) has queried to \(H_i\) by the point when it has just made the \(j\)th query, counting queries to any of \(H_1, \ldots ,H_n\) in total. After the \(j\)th query, we say that a codeword \(\mathbf {x}=(\mathbf {x}_1, \ldots ,\mathbf {x}_n)\in C\) is \(K\)-queried if there is a subset \(I\subseteq [n]\) such that \(|I|= K\), \(\mathbf {x}_i\in S_i^j\) for all \(i\in I\), and \(\mathbf {x}_i\notin S_i^j\) for all \(i\notin I\). By our assumption, the final output \(\mathbf {x}^*\) must be \(n\)-queried at the end. Since a single query turns a \(K\)-queried codeword into either a \((K+1)\)-queried one or leaves it \(K\)-queried, \(\mathbf {x}^*\) must be \(K\)-queried at some point of the execution of \(\mathcal {A}^{\prime }\) for all \(K=0,1, \ldots ,n\).
We consider the number of codewords that ever become \(K\)-queried for \(K=\lceil (1-\zeta)n \rceil\) where \(\zeta\) is the constant as in Item 1 of Lemma 4.2. If \(\mathbf {x}=(\mathbf {x}_1, \ldots ,\mathbf {x}_n)\in C\) is \(\lceil (1-\zeta)n \rceil\)-queried at some point, the number of \(i\) such that \(\mathbf {x}_i\in S_i^{Q^{\prime }}\) is at least \(\lceil (1-\zeta)n \rceil\) since \(S_i^j\subseteq S_i^{Q^{\prime }}\) for all \(i,j\). By the construction of \(\mathcal {A}^{\prime }\), we have \(|S_i^{Q^{\prime }}|= Q\le 2^{\lambda ^c}\). On the other hand, \(C\) is \((\zeta ,\ell ,L)\)-list recoverable for \(\ell =2^{\lambda ^c}\) and \(L=2^{\tilde{O}(\lambda ^{c^{\prime }})}\) as required in Item 1 of Lemma 4.2. Thus, the number of codewords that ever become \(\lceil (1-\zeta)n \rceil\)-queried is at most \(L=2^{\tilde{O}(\lambda ^{c^{\prime }})}\).
Let \(E_i\) be the event that the \(i\)th codeword that becomes \(\lceil (1-\zeta)n \rceil\)-queried is finally output by \(\mathcal {A}^{\prime }\). Here, if multiple codewords become \(\lceil (1-\zeta)n \rceil\)-queried at the same time, we order them according to the lexicographical ordering. By the above argument, we have
\begin{align} \Pr [\mathcal {A}^{\prime }\text{~wins}]=\sum _{i\in [L]} \Pr [\mathcal {A}^{\prime }\text{~wins} \wedge E_i], \end{align}
(34)
where we say that \(\mathcal {A}^{\prime }\) wins if its output passes the verification. Moreover, we show that for each \(i\in [L]\),
\begin{align} \Pr [\mathcal {A}^{\prime }\text{~wins} \wedge E_i]=2^{-\Omega (\lambda)}. \end{align}
(35)
This can be seen as follows. Suppose that we simulate oracles \(H_1, \ldots ,H_n\) for \(\mathcal {A}^{\prime }\) via lazy sampling, that is, instead of uniformly choosing random functions at first, we sample function values whenever they are queried by \(\mathcal {A}^{\prime }\). Let \(\mathbf {x}\) be the \(i\)th codeword that becomes \(\lceil (1-\zeta)n \rceil\)-queried in the execution of \(\mathcal {A}^{\prime }\). Since the function values on the unqueried \(\lfloor \zeta n \rfloor\) positions are not sampled yet, \(\mathbf {x}\) can become a valid proof only if all those values happen to be 1, which occurs with probability \(\left(\frac{1}{2}\right)^{\lfloor \zeta n \rfloor }=2^{-\Omega (\lambda)}\) by \(\zeta =\Omega (1)\) and \(n=\Omega (\lambda)\). This implies Equation (35).
By combining Equations (34) and (35) with \(L=2^{\tilde{O}(\lambda ^{c^{\prime }})}\) for \(c^{\prime }\lt 1\), we complete the proof of Lemma 6.9. □
Theorem 6.1 follows from Lemmas 6.3 and 6.9.
Achieving worst-case correctness. Note that the correctness proven in Lemma 6.3 only ensures that the proving algorithm succeeds with an overwhelming probability over the random choice of the oracle \(H\). Below, we show a modified protocol for which we can show that the correctness holds for any \(H\), while still preserving soundness on random \(H\).
The motivation of achieving worst-case correctness is as follows. In the query-complexity literature (e.g., [1, 10, 20]), it is more common to think of an oracle as an (exponentially large) “input” rather than a function. In that context, the (classical, randomized, or quantum) query complexity of a task is defined to be the minimum number of queries that is needed to solve the task with probability at least \(2/3\) for all inputs. Viewing our problem from this perspective, it is natural to require correctness to hold for all possible oracles \(H\).
Construction. Let \(\lbrace C_\lambda \rbrace _\lambda\) be a family of codes over an alphabet \(\Sigma =\mathbb {F}_q^m\) that satisfies the requirements of Lemma 4.2 with arbitrary \(0\lt c\lt c^{\prime }\lt 1\). Let \(H:[t]\times \Sigma \rightarrow \lbrace 0,1\rbrace ^{n}\) be a random oracle where \(t\) is a positive integer specified later. For \(j\in [t]\), we define \(H^{(j)}:\Sigma \rightarrow \lbrace 0,1\rbrace ^{n}\) by \(H^{(j)}(x):=H(j||x)\). Let \(\mathcal {F}=\lbrace f_K:\Sigma \rightarrow \lbrace 0,1\rbrace ^{n}\rbrace _{K\in \mathcal {K}}\) be a family of \(2(\lambda n+1)\)-wise independent hash functions. Then, we construct a proof of quantumness \(\widetilde{\Pi }=(\widetilde{\mathsf {Prove}},\widetilde{\mathsf {Verify}})\) based on \(\Pi =(\mathsf {Prove},\mathsf {Verify})\) as follows:
\(\widetilde{\mathsf {Prove}}^{H}(1^\lambda)\): It chooses \(K{\xleftarrow{$}} \mathcal {K}\) and defines a function \(\widetilde{H}_K^{(j)}:\Sigma \rightarrow \lbrace 0,1\rbrace ^{n}\) by \(\widetilde{H}_K^{(j)}(x):=H^{(j)}(x)\oplus f_K(x)\) for \(j\in [t]\). Then, it runs \(\pi ^{(j)}{\xleftarrow{$}} \mathsf {Prove}^{\widetilde{H}_K^{(j)}}(1^\lambda)\) for \(j\in [t]\) and outputs a proof \(\widetilde{\pi }:=(K,\lbrace \pi ^{(j)}\rbrace _{j\in [t]})\).
\(\widetilde{\mathsf {Verify}}^{H}(1^\lambda ,\widetilde{\pi })\): It parses \(\widetilde{\pi }:=(K,\lbrace \pi ^{(j)}\rbrace _{j\in [t]})\) and outputs \(\top\) if \(\mathsf {Verify}^{\widetilde{H}_K^{(j)}}(1^\lambda ,\pi ^{(j)})=\top\) for all \(j\in [t]\) and \(\bot\) otherwise.
Correctness.
Lemma 6.10.
\(\widetilde{\Pi }\) satisfies worst-case correctness, that is, for any \(H\),
\begin{equation*} \Pr \left[\widetilde{\mathsf {Verify}}^{H}(1^\lambda ,\widetilde{\pi })=\bot : \begin{array}{l} \widetilde{\pi } {\xleftarrow{$}} \widetilde{\mathsf {Prove}}^{H}(1^\lambda) \end{array} \right]\le \mathsf {negl}(\lambda). \end{equation*}
Proof.
For each \(j\in [t]\) and fixed \(H\), by the construction of \(\mathsf {Prove}\) and the definition of \(\widetilde{H}_K^{(j)}\), we can view \(\mathsf {Prove}^{\widetilde{H}_K^{(j)}}\) as an oracle-algorithm that makes \(\lambda n\) queries to \(f_K\). Similarly, we can view \(\mathsf {Verify}^{\widetilde{H}_K^{(j)}}\) as an oracle-algorithm that makes a single query to \(f_K\). Since the combination of \(\mathsf {Prove}^{\widetilde{H}_K^{(j)}}\) and \(\mathsf {Verify}^{\widetilde{H}_K^{(j)}}\) makes \(\lambda n +1\) quantum queries to \(f_K\), which is chosen from a family of \(2(\lambda n + 1)\)-wise independent hash functions, by Lemma 2.5, the probability that \(\pi ^{(j)}\) generated by \(\mathsf {Prove}^{\widetilde{H}_K^{(j)}}\) passes \(\mathsf {Verify}^{\widetilde{H}_K^{(j)}}\) does not change even if \(f_K\) is replaced with a uniformly random function. Moreover, if \(f_K\) is replaced with a uniformly random function, the correctness of \(\Pi\) immediately implies that \(\pi ^{(j)}\) generated by \(\mathsf {Prove}^{\widetilde{H}_K^{(j)}}\) passes \(\mathsf {Verify}^{\widetilde{H}_K^{(j)}}\) with an overwhelming probability (for each fixed \(H\)). By taking the union bound over \(j\in [t]\), \(\pi ^{(j)}\) generated by \(\mathsf {Prove}^{\widetilde{H}_K^{(j)}}\) passes \(\mathsf {Verify}^{\widetilde{H}_K^{(j)}}\) for all \(j\in [t]\) with an overwhelming probability, which means that \(\widetilde{\Pi }\) satisfies correctness. □
Soundness.
Lemma 6.11.
\(\widetilde{\Pi }\) satisfies \((2^{\lambda ^c},|\mathcal {K}|\cdot 2^{-\Omega (t\lambda)})\)-soundness in the CROM.
Proof.
(Sketch.) We observe that the proof of the soundness of \(\Pi\) (Lemma 6.9) can be easily extended to prove \((2^{\lambda ^c},2^{-\Omega (t\lambda)})\)-soundness for the \(t\)-parallel repetition of \(\Pi\). A similar soundness holds even if we use \(\widetilde{H}_K^{(j)}\) as the oracle for the \(j\)th instance for each fixed \(K\), since a random oracle shifted by \(f_K\) behaves as another random oracle. Thus, by taking the union bound over \(K\in \mathcal {K}\), we obtain Lemma 6.11. □
Since \(|\mathcal {K}|=2^{\mathsf {poly}(\lambda)}\) for some polynomial \(\mathsf {poly}\) that is independent of \(t\), we can set \(t=\mathsf {poly}(\lambda)\) so that \(|\mathcal {K}|\cdot 2^{-\Omega (t\lambda)}=2^{-\Omega (\lambda)}\).

7 Counterexamples for Cryptographic Primitives

In this section, we give constructions of cryptographic primitives that are secure in the CROM but insecure in the QROM. They are easy consequences of our proof of quantumness constructed in Section 6.

7.1 Counterexample for One-Way Functions

We give a construction of a family of functions that is one-way in the CROM but not one-way in the QROM. It is easy to generically construct such a one-way function from proofs of quantumness; indeed, we prove a stronger claim than that in Section 7.2. Nonetheless, we give a direct construction with a structure similar to the proof of quantumness presented in Section 6. An interesting feature of the direct construction that the generic construction lacks is that it is not even distributionally one-way in the QROM, as explained in Remark 5.
Theorem 7.1 (Counterexample for One-way Functions).
There exists a family \(\lbrace f_\lambda \rbrace _\lambda\) of efficiently computable oracle-aided functions that is one-way in the CROM but not one-way in the QROM.
Proof.
The construction of \(f_\lambda\) is very similar to that of the proof of quantumness constructed in Section 6. We rely on parameter settings and notation similar to those of Section 6.
We define \(f_\lambda ^H:C\rightarrow \lbrace 0,1\rbrace ^n\) as follows:
\begin{equation*} f_\lambda ^{H}(\mathbf {x}_1, \ldots ,\mathbf {x}_n)=(H_1(\mathbf {x}_1), \ldots ,H_n(\mathbf {x}_n)). \end{equation*}
where \(H_i:\Sigma \rightarrow \lbrace 0,1\rbrace\) is the function that outputs the \(i\)th bit of the output of \(H:\Sigma \rightarrow \lbrace 0,1\rbrace ^n\).
The \(\mathsf {Prove}\) algorithm in Section 6 can be understood as an algorithm to invert \(f_\lambda\) for the image \(1^n\) in the QROM. This can be extended to find a preimage of any image \(y\in \lbrace 0,1\rbrace ^n\) in a straightforward manner: We only need to modify the definition of \(T^H_i\) to the subset consisting of \(\mathbf {e}_i\in \Sigma\) such that \(H_i(\mathbf {e}_i)=y_i\) instead of \(H_i(\mathbf {e}_i)=1\) in the proof of Lemma 6.3. The rest of the proof works analogously. Thus, \(\lbrace f_\lambda \rbrace _\lambda\) is not one-way in the QROM.
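The relation between \(\mathsf {Verify}\) from Section 6, the function \(f_\lambda ^H\) above, and the \(\widetilde{\Pi }\) wrapper of the worst-case-correctness construction can be made concrete in a few lines. The following Python script is an added illustration and not code from the paper: it replaces the random oracle by SHA-256 under a constructed seed (the paper's Minicrypt-style instantiation), uses a toy \(\mathbb {F}_2\)-linear code \(C=\lbrace (a,b,a\oplus b)\rbrace\) over \(\Sigma =\mathbb {F}_2^4\) that is not a Lemma 4.2 code, and uses a keyed SHA-256 as a stand-in for the \(2(\lambda n+1)\)-wise independent family \(\lbrace f_K\rbrace\); all of these are assumptions of the demo. The exhaustive `find_proof` search stands in for the quantum prover only because the toy code has 256 codewords.

```python
import hashlib
import os

M, N = 4, 3                          # toy: Sigma = F_2^4 as 4-bit ints, block length n = 3
SIGMA = range(2 ** M)
SEED = b"constructed-oracle-seed"    # constructed; fixes one oracle instance H for the demo


def in_code(x):
    """Toy F_2-linear code C = {(a, b, a xor b)} in Sigma^3. NOT a list-recoverable code from
    Lemma 4.2; it exists only to make Verify and f^H concrete."""
    return (isinstance(x, tuple) and len(x) == N
            and all(0 <= s < 2 ** M for s in x) and x[2] == x[0] ^ x[1])


def codewords():
    for a in SIGMA:
        for b in SIGMA:
            yield (a, b, a ^ b)


def make_oracle(label):
    """Random-oracle stand-in H: Sigma -> {0,1}^n from SHA-256. `label` is the prefix j in
    H(j || x); the empty label gives the plain oracle of Section 6."""
    def H(x):
        digest = hashlib.sha256(SEED + label + bytes([x])).digest()
        return tuple((digest[0] >> i) & 1 for i in range(N))   # H_i(x) = bit i of H(x)
    return H


def f(H, x):
    """f^H(x_1, ..., x_n) = (H_1(x_1), ..., H_n(x_n)) from Section 7.1."""
    return tuple(H(x[i])[i] for i in range(N))


def verify(H, pi):
    """Verify^H(1^lambda, pi): accept iff pi is in C and H_i(pi_i) = 1 for every i."""
    return in_code(pi) and all(H(pi[i])[i] == 1 for i in range(N))


def find_proof(H):
    """Exhaustive search over the 256 toy codewords; stands in for Prove. A real instance has
    |C| exponential in lambda, which is what the classical soundness bound relies on."""
    for x in codewords():
        if verify(H, x):
            return x
    return None


# ---- worst-case-correctness wrapper Pi-tilde: t instances under shifted oracles ----
def keyed_shift(K):
    """Stand-in for f_K from the 2(lambda n + 1)-wise independent family (assumption: a keyed
    SHA-256, not the k-wise independent construction the lemma actually requires)."""
    def fK(x):
        digest = hashlib.sha256(b"f_K" + K + bytes([x])).digest()
        return tuple((digest[0] >> i) & 1 for i in range(N))
    return fK


def shifted_oracle(j, K):
    """tilde H_K^{(j)}(x) = H^{(j)}(x) xor f_K(x), where H^{(j)}(x) = H(j || x)."""
    H_j, fK = make_oracle(bytes([j])), keyed_shift(K)
    return lambda x: tuple(h ^ s for h, s in zip(H_j(x), fK(x)))


def prove_tilde(t, K=None):
    """Prove-tilde: pick K, then one proof pi^(j) per shifted instance j in [t]."""
    K = os.urandom(16) if K is None else K
    return K, [find_proof(shifted_oracle(j, K)) for j in range(t)]


def verify_tilde(pi_tilde, t):
    """Verify-tilde: every pi^(j) must pass Verify under tilde H_K^{(j)}."""
    K, proofs = pi_tilde
    return len(proofs) == t and all(verify(shifted_oracle(j, K), proofs[j]) for j in range(t))


if __name__ == "__main__":
    H = make_oracle(b"")
    pi = find_proof(H)
    print("proof:", pi, "verify:", verify(H, pi), "f^H(proof):", f(H, pi))
    print("Pi-tilde with t = 2:", verify_tilde(prove_tilde(2), 2))
```

A useful sanity check is that, for every codeword \(\mathbf {x}\), `verify(H, x)` agrees with `f(H, x) == (1, 1, 1)`, which is exactly the observation that \(\mathsf {Prove}\) inverts \(f_\lambda\) at \(1^n\).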
The proof of one-wayness in the CROM is similar to that of soundness of the proof of quantumness in Section 6. By a straightforward extension of the proof of Lemma 6.9 where we replace \(1^n\) with arbitrary \(y\in \lbrace 0,1\rbrace ^n\), we obtain the following claim.
Claim 7.2.
For any adversary \(\mathcal {A}\) that makes \(\mathsf {poly}(\lambda)\) classical queries and \(y\in \lbrace 0,1\rbrace ^n\),
\begin{align*} \Pr [y= f_\lambda ^{H}(\mathbf {x}^{\prime }) : \mathbf {x}^{\prime }{\xleftarrow{$}} \mathcal {A}^{H}(1^\lambda ,y)]\lt \mathsf {negl}(\lambda). \end{align*}
 □
The above claim does not immediately imply one-wayness since in the one-wayness game, \(y\) is chosen by first sampling \(\mathbf {x}{\xleftarrow{$}} C\) and then setting \(y=f_\lambda ^H(\mathbf {x})\) instead of fixing \(y\) independently of \(H\). Fortunately, we can show that the distribution of \(y\) is almost independent of \(H\) as shown in the following claim.
Claim 7.3.
We have
\begin{equation*} \Delta ((H,y),(H,y^{\prime }))=\mathsf {negl}(\lambda) \end{equation*}
where \(H{\xleftarrow{$}} \mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace ^n),\mathbf {x}{\xleftarrow{$}} C\), \(y=f_\lambda ^H(\mathbf {x})\), and \(y^{\prime }{\xleftarrow{$}} \lbrace 0,1\rbrace ^n\).
By combining Claims 7.2 and 7.3, one-wayness in the CROM immediately follows.
For proving Claim 7.3, we rely on the following well-known lemma that relates the collision probability and statistical distance from the uniform distribution.
Definition 7.4.
For a random variable \(X\) over a finite set \(\mathcal {X}\), we define its collision probability as \(\mathrm{Col}(X)=\sum _{x\in \mathcal {X}}\Pr [X=x]^2\).
Lemma 7.5.
Let \(X\) be a random variable over a finite set \(\mathcal {X}\). For \(\epsilon \gt 0\), if \(\mathrm{Col}(X)\le \frac{1}{|\mathcal {X}|}(1+\epsilon)\), then
\begin{equation*} \Delta (X,U_{\mathcal {X}})\le \sqrt {\epsilon }/2 \end{equation*}
where \(U_{\mathcal {X}}\) denotes the uniform distribution over \(\mathcal {X}\).
See, for example, [47, Lemma 4.5] for the proof of Lemma 7.5.
Then, we prove Claim 7.3 below.
Proof of Claim 7.3
By Lemma 7.5, it suffices to prove \(\mathrm{Col}(H,y)=2^{-(|\Sigma |+1)n}\cdot (1+\mathsf {negl}(\lambda))\) where \(H{\xleftarrow{$}} \mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace ^n),\mathbf {x}{\xleftarrow{$}} C,y=f_\lambda ^H(\mathbf {x})\). We prove this as follows where \(H\) and \(H^{\prime }\) are uniformly sampled from \(\mathsf {Func}(\Sigma ,\lbrace 0,1\rbrace ^n)\) and \(\mathbf {x}\) and \(\mathbf {x}^{\prime }\) are uniformly sampled from \(C\).
\begin{align*} \mathrm{Col}(H,y)&=\Pr _{H,H^{\prime },\mathbf {x},\mathbf {x}^{\prime }}\left[H=H^{\prime }~\wedge ~f^{H}_\lambda (\mathbf {x})=f^{H^{\prime }}_\lambda (\mathbf {x}^{\prime })\right]\\ &=2^{-|\Sigma |n}\cdot \Pr _{H,\mathbf {x},\mathbf {x}^{\prime }}\left[f^{H}_\lambda (\mathbf {x})=f^{H}_\lambda (\mathbf {x}^{\prime })\right]\\ &=2^{-|\Sigma |n}\cdot \sum _{j=0}^{n}\Pr _{\mathbf {x},\mathbf {x}^{\prime }}[\mathsf {hw}(\mathbf {x}-\mathbf {x}^{\prime })=n-j]\cdot 2^{-(n-j)}\\ &=2^{-|\Sigma |n}\cdot \sum _{j=0}^{n}\Pr _{\mathbf {x}}[\mathsf {hw}(\mathbf {x})=n-j]\cdot 2^{-(n-j)}\\ &\le 2^{-(|\Sigma |+1)n}\cdot \left(1+\frac{2^n}{|C_\lambda |}+\sum _{j=1}^{n-1} \Pr _{\mathbf {x}}[\mathsf {hw}(\mathbf {x})=n-j] \cdot 2^{j}\right)\\ &\le 2^{-(|\Sigma |+1)n}\cdot \left(1+\frac{2^n}{|C_\lambda |}+\sum _{j=1}^{n-1} \left(\frac{2n}{|\Sigma |}\right)^j \right)\\ &\le 2^{-(|\Sigma |+1)n}\cdot \left(1+\frac{2^n}{|C_\lambda |}+\sum _{j=1}^{\infty } \left(\frac{2n}{|\Sigma |}\right)^j \right)\\ &=2^{-(|\Sigma |+1)n}\cdot \left(1+\frac{2^n}{|C_\lambda |}+\frac{\left(\frac{2n}{|\Sigma |}\right)}{ 1-\left(\frac{2n}{|\Sigma |}\right)} \right)\\ &=2^{-(|\Sigma |+1)n}\cdot (1+\mathsf {negl}(\lambda)) \end{align*}
where we used \(\Pr _\mathbf {x}[\mathsf {hw}(\mathbf {x})=n]\le 1\) and \(\Pr _\mathbf {x}[\mathsf {hw}(\mathbf {x})=0]=\frac{1}{|C_\lambda |}\) for the fifth line, Item 3 of Lemma 4.2 for the sixth line, and \(|\Sigma |=2^{\lambda ^{\Theta (1)}}\), \(n=\Theta (\lambda)\), and \(|C_\lambda |\ge 2^{n+\lambda }\) for the final line. This completes the proof of Claim 7.3. □
This completes the proof of Theorem 7.1. □
Remark 5 (On Distributional One-wayness).
It is worth mentioning that \(\lbrace f_\lambda \rbrace _\lambda\) is not even distributionally one-way in the QROM. That is, one can find an almost uniformly distributed preimage of \(y\) with quantum oracle access to \(H\). This can be seen by observing that the proof of Lemma 6.3 actually shows that the proving algorithm outputs an almost uniformly distributed valid proof. This corresponds to finding an almost uniformly distributed preimage of \(y\) for the above \(f_\lambda\).

7.2 Counterexample for Collision-Resistant Hash Functions

We give a construction of a family of compressing functions that is collision-resistant in the CROM but not even one-way in the QROM. It is a generic construction based on proofs of quantumness.
Theorem 7.6 (Counterexample for Collision-resistant Functions).
There exists a family \(\lbrace f_\lambda \rbrace _\lambda\) of efficiently computable oracle-aided compressing keyless (resp. keyed) functions that is collision-resistant in the CROM (resp. AI-CROM) but not even one-way against oracle-independent adversaries in the QROM.
Proof.
Since the keyed version immediately follows from the keyless version by Theorem 3.9, we prove the keyless version below.
Let \((\mathsf {Prove},\mathsf {Verify})\) be a keyless proof of quantumness that satisfies soundness in the CROM as given in Theorem 6.1. Let \({\ell _{\pi }}\) be its maximum proof length.
We assume that the proof of quantumness uses a random oracle \(H:\lbrace 0,1\rbrace ^{\lambda +{\ell _{\pi }}} \rightarrow \lbrace 0,1\rbrace ^\lambda\) without loss of generality. We construct \(f_\lambda ^H:\lbrace 0,1\rbrace ^{\lambda +{\ell _{\pi }}}\rightarrow \lbrace 0,1\rbrace ^{\lambda }\) as follows:
\begin{align*} f_\lambda ^H(x,\pi):={\left\lbrace \begin{array}{ll} x&\text{if~}\mathsf {Verify}^H(1^\lambda ,\pi)=\top \\ H(x,\pi)&\text{otherwise} \end{array}\right.} \end{align*}
where the input is parsed as \(x\in \lbrace 0,1\rbrace ^\lambda\) and \(\pi \in \lbrace 0,1\rbrace ^{{\ell _{\pi }}}\). Collision-resistance of \(\lbrace f_\lambda \rbrace _{\lambda }\) in the CROM is clear from the soundness of the proof of quantumness. Indeed, an adversary with classical access to \(H\) can output \((x,\pi)\) such that \(\mathsf {Verify}^H(1^\lambda ,\pi)=\top\) only with a negligible probability. Assuming that this does not happen, an adversary has to find a collision of \(H\), which can be done only with probability at most \(\frac{Q(Q+1)}{2}\cdot 2^{-\lambda }=\mathsf {negl}(\lambda),\) where \(Q=\mathsf {poly}(\lambda)\) is the number of queries to \(H\). On the other hand, the correctness of the proof of quantumness gives a trivial way to invert \(f_{\lambda }^H\) on any target \(y\in \lbrace 0,1\rbrace ^\lambda\) with quantum access to \(H\): one can just run \(\pi {\xleftarrow{$}} \mathsf {Prove}^{H}(1^\lambda)\) and then output \((y,\pi)\). We have \(f_{\lambda }^H(y,\pi)=y\) except for a negligible probability by the correctness of the proof of quantumness. This means that \(\lbrace f_\lambda \rbrace _{\lambda }\) is not one-way in the QROM. □

7.3 Counterexamples for Public Key Primitives

The authors of [58] give counterexamples for PKE and digital signatures. Since their constructions are generic, relying only on proofs of quantumness, we can plug our proofs of quantumness given in Section 6 into their constructions to obtain the following theorems.
Theorem 7.7.
If there exists a PKE scheme that is IND-CPA secure in the CROM, then there exists a PKE scheme that is IND-CCA secure in the CROM but not IND-CPA secure in the QROM.
Theorem 7.8.
There exists a digital signature scheme that is EUF-CMA secure in the CROM but not EUF-NMA secure in the QROM.
See [58] for the formal definitions of PKE and digital signatures and their security notions. Note that [58] proved similar theorems relative to additional artificial classical oracles and weaker variants of them assuming the LWE assumption. We significantly improve them by removing the necessity of additional oracles or complexity assumptions.

7.4 A Remark on Pseudorandom Generators

One might think that we can also construct pseudorandom generators (PRGs) that are secure in the CROM but insecure in the QROM because Theorem 7.1 gives one-way functions (OWFs) that are secure in the CROM but insecure in the QROM and there is a black-box construction of PRGs from OWFs [34]. However, we remark that this does not work. The reason is that PRGs constructed from OWFs may be secure in the QROM even if the building block OWF is insecure in the QROM. For example, there is no obvious attack against the PRG of [34] even with an inverter for the building block OWF.
Indeed, we believe that we can show that any black-box construction of PRGs from OWFs may remain secure even if the building block OWF is insecure. We sketch the intuition below. Let \(f:\mathcal {X}\rightarrow \mathcal {X}\) be a OWF. We augment the domain to \(\mathcal {X}\times \mathcal {R}\) where \(\mathcal {R}\) is an exponentially large space by defining
\begin{align*} f^{\prime }(x,r):=f(x). \end{align*}
Then, it is clear that \(f^{\prime }\) is also a OWF. Suppose that we construct a PRG \(G\) by making black-box use of \(f^{\prime }\). Since \(f^{\prime }\) is a secure OWF, \(G^{f^{\prime }}\) is a secure PRG. For each \(r^* \in \mathcal {R}\), we define \(f^{\prime }_{r^*}\) as follows:
\begin{align*} f^{\prime }_{r^*}(x,r):={\left\lbrace \begin{array}{ll} f(x) & \text{if~}r\ne r^*\\ x &\text{otherwise} \end{array}\right.}. \end{align*}
Then, \(f^{\prime }_{r^*}\) clearly does not satisfy one-wayness: for inverting \(y\), one can just output \((y,r^*)\). On the other hand, when we run \(G\) with respect to \(f^{\prime }_{r^*}\) instead of \(f^{\prime }\) for a randomly chosen \(r^*\), there is only a negligible chance of calling the second branch of \(f^{\prime }_{r^*}\) as long as the number of \(G\)’s queries is polynomial. This means that \(G\) remains secure even though the building block function \(f^{\prime }_{r^*}\) is insecure as a OWF.
We observe that the (im)possibility of separating CROM and QROM for PRGs is closely related to the Aaronson-Ambainis conjecture [1] (Conjecture 8.1). Very roughly speaking, the conjecture claims that any single-bit output algorithm in the QROM can be simulated in the CROM with a polynomial blowup on the number of queries. Since a PRG distinguisher’s output is a single-bit, it is reasonable to expect that we can prove the equivalence of QROM security and CROM security for PRGs under the Aaronson-Ambainis conjecture. Unfortunately, this does not work as it is because a distinguisher takes a PRG value as its input, which may be correlated with the random oracle, whereas the Aaronson-Ambainis conjecture only captures the case where no side information of the random oracle is given. Nonetheless, we conjecture that QROM security and CROM security for PRGs (against polynomial-query unbounded-time adversaries) are equivalent. It is a fascinating direction for future work to reduce it to the Aaronson-Ambainis conjecture or its reasonable variant.

8 Proofs of Randomness

In this section, we construct proofs of randomness assuming the Aaronson-Ambainis conjecture [1].
Roughly speaking, the Aaronson-Ambainis conjecture claims that for any algorithm \(\mathcal {A}\) with a quantum access to a random oracle, there is an algorithm \(\mathcal {B}\) that approximates the probability that \(\mathcal {A}\) outputs a particular output with a classical access to the random oracle, and the number of queries of \(\mathcal {A}\) and \(\mathcal {B}\) are polynomially related. A formal claim is stated below.
Conjecture 8.1 (Aaronson-Ambainis Conjecture [1, Theorem 22]).
Let \(\epsilon ,\delta \gt 0\) be reals. Given any quantum algorithm \(\mathcal {A}\) that makes \(Q\) quantum queries to a random oracle \(H:\lbrace 0,1\rbrace ^n\rightarrow \lbrace 0,1\rbrace ^m\), there exists a deterministic classical algorithm \(\mathcal {B}\) that makes \(\mathsf {poly}(Q,m,\epsilon ^{-1},\delta ^{-1})\) classical queries and satisfies
\begin{align*} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}[\left|\Pr [\mathcal {A}^H()\rightarrow 1]-\mathcal {B}^{H}()\right|\le \epsilon ]\ge 1-\delta . \end{align*}
Remark 6.
We remark that the way of stating the conjecture is slightly different from that in [1, Theorem 22], but they are equivalent. The difference is that [1] considers oracle access to Boolean inputs whereas we consider oracle access to functions. They are equivalent by considering a function as a bit string concatenating outputs on all inputs. We remark that a straightforward rephrasing would result in an oracle with 1-bit outputs, but their conjecture is equivalent in the setting with \(m\)-bit output oracles since an \(m\)-bit output oracle can be seen as a concatenation of \(m\) 1-bit output oracles. We note that the number of \(\mathcal {B}\)’s queries in the above conjecture depends on \(m\) unlike theirs due to this difference.
We also remark that Aaronson and Ambainis [1] reduce the above conjecture to another seemingly unrelated conjecture in Fourier analysis. In the literature, the latter conjecture is often referred to as the Aaronson-Ambainis conjecture. On the other hand, we call Conjecture 8.1 the Aaronson-Ambainis conjecture since this is more relevant to our work.
The main theorem we prove in this section is the following:
Theorem 8.2.
If Conjecture 8.1 is true, there exist keyless (resp. keyed) proofs of randomness in the QROM (resp. AI-QROM).
By Theorems 3.7 and 3.11, it suffices to prove the following theorem for proving Theorem 8.2.
Theorem 8.3.
If Conjecture 8.1 is true, there exist keyless proofs of min-entropy that have min-entropy in the QROM.
In the following, we prove Theorem 8.3.
From proofs of quantumness to proofs of min-entropy. Our proof of quantumness constructed in Section 6 has a large entropy in proofs. We can easily show that this is inherent assuming the Aaronson-Ambainis conjecture. This is because if the proving algorithm is almost deterministic, it can be simulated by a polynomial-query classical algorithm, which breaks soundness. The following theorem gives a generalization of the above argument.
Theorem 8.4.
If Conjecture 8.1 is true, the following holds. Let \((\mathsf {Prove},\mathsf {Verify})\) be a keyless proof of quantumness relative to a random oracle \(H:\lbrace 0,1\rbrace ^n\rightarrow \lbrace 0,1\rbrace ^m\) that satisfies \((Q_\mathsf {poq}(\lambda),\epsilon _\mathsf {poq}(\lambda))\)-soundness. Let \(\mathcal {A}\) be an adversary that makes \(Q_\mathcal {A}(\lambda)\) quantum queries. Let \(\epsilon _\mathcal {A}(\lambda),\delta _\mathcal {A}(\lambda)\gt 0\) be reals. There exists a polynomial \(p\) such that if we have
\begin{equation*} Q_\mathsf {poq}(\lambda)\ge p(\lambda ,Q_\mathcal {A}(\lambda),\epsilon _\mathcal {A}(\lambda)^{-1},\delta _\mathcal {A}(\lambda)^{-1}) \end{equation*}
and
\begin{equation*} \epsilon _\mathsf {poq}(\lambda)\le \delta _\mathcal {A}(\lambda)/4, \end{equation*}
for all \(\lambda \in \mathbb {N}\), then we have
\begin{equation*} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}\left[ \max _{\pi ^*\text{~s.t.~}\mathsf {Verify}^H(1^\lambda ,\pi ^*)=\top }\Pr [\mathcal {A}^H(1^\lambda)\rightarrow \pi ^*]\le \epsilon _\mathcal {A}(\lambda) \right]\ge 1-\delta _\mathcal {A}(\lambda). \end{equation*}
We defer the proof of Theorem 8.4 to the end of this section. By plugging the proofs of quantumness in Section 6 into Theorem 8.4, we obtain proofs of min-entropy, which proves Theorem 8.3.
Proof of Theorem 8.3
For any polynomial \(h(\lambda)\), there exists a constant \(C\) such that \(Q_\mathsf {poq}(\lambda)=2^{C (h(\lambda)+\lambda)}\) and \(\epsilon _\mathsf {poq}(\lambda)=2^{-\lambda -2}\) satisfy the requirements of Theorem 8.4 for \(Q_\mathcal {A}(\lambda)=\mathsf {poly}(\lambda)\), \(\epsilon _\mathcal {A}(\lambda)=2^{-(h(\lambda)+\lambda)}\), and \(\delta _\mathcal {A}(\lambda)=2^{-\lambda }\). As shown in Lemma 6.9, our proof of quantumness constructed in Section 6, which we denote by \((\mathsf {Prove}_\mathsf {poq},\mathsf {Verify}_\mathsf {poq})\), satisfies subexponential security. Thus, by standard complexity leveraging, there is a polynomial \(q(\lambda)\) such that if we replace the security parameter with \(q(\lambda)\) in \((\mathsf {Prove}_\mathsf {poq},\mathsf {Verify}_\mathsf {poq})\), then it satisfies \((2^{C (h(\lambda)+\lambda)}, 2^{-\lambda -2})\)-soundness. By Theorem 8.4, for any adversary \(\mathcal {A}\) that makes \(\mathsf {poly}(\lambda)\) quantum queries, we have
\begin{align} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}\left[ \max _{\pi ^*\text{~s.t.~}\mathsf {Verify}^H_\mathsf {poq}(1^{q(\lambda)},\pi ^*)=\top }\Pr [\mathcal {A}^H(1^\lambda)\rightarrow \pi ^*]\le 2^{-(h(\lambda)+\lambda)} \right]\ge 1-2^{-\lambda }. \tag{36} \end{align}
Then, we construct proofs of min-entropy \((\mathsf {Prove},\mathsf {Verify})\) as follows.
\(\mathsf {Prove}^H(1^\lambda ,1^{h(\lambda)}):=\mathsf {Prove}^H_\mathsf {poq}(1^{q(\lambda)})\)
\(\mathsf {Verify}^H(1^\lambda ,1^{h(\lambda)},\pi)\):
If \(\mathsf {Verify}^H_\mathsf {poq}(1^{q(\lambda)},\pi)=\bot\), it outputs \(\bot\). Otherwise, it outputs \(\pi\).
Suppose that \((\mathsf {Prove},\mathsf {Verify})\) does not have min-entropy in the QROM. Then, there exist an adversary \(\mathcal {B}\) that makes \(\mathsf {poly}(\lambda)\) quantum queries and a polynomial \(h(\lambda)\) such that we have
\begin{align} \Pr [\mathsf {Verify}^H(1^{\lambda },1^{h(\lambda)},\mathcal {B}^H(1^\lambda ,1^{h(\lambda)}))\ne \bot ]\ge 1/\mathsf {poly}(\lambda)\wedge H_\infty \left(\mathcal {B}^H_{\top }(1^\lambda ,1^{h(\lambda)})\right)\le h(\lambda) \tag{37} \end{align}
for a non-negligible fraction of \(H\). It is easy to see that Equation (37) implies
\begin{align*} \max _{\pi ^*\text{~s.t.~}\mathsf {Verify}^H_\mathsf {poq}(1^{q(\lambda)},\pi ^*)=\top }\Pr [\mathcal {B}^H(1^\lambda ,1^{h(\lambda)})\rightarrow \pi ^*]\ge 2^{-h(\lambda)}/\mathsf {poly}(\lambda). \end{align*}
Since this holds for a non-negligible fraction of \(H\), if we consider \(\mathcal {A}^H(1^\lambda):=\mathcal {B}^H(1^\lambda ,1^{h(\lambda)})\), this contradicts Equation (36). Therefore, \((\mathsf {Prove},\mathsf {Verify})\) has min-entropy in the QROM. □
Intuition for the proof of Theorem 8.4. In the following, we often omit dependence on \(\lambda\) and simply write, for example, \(\epsilon _\mathcal {A}\) to mean \(\epsilon _\mathcal {A}(\lambda)\) for brevity.
Towards a contradiction, we assume that
\begin{align*} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}\left[ \max _{\pi ^*\text{~s.t.~}\mathsf {Verify}^H(1^\lambda ,\pi ^*)=\top }\Pr [\mathcal {A}^H(1^\lambda)\rightarrow \pi ^*]\gt \epsilon _\mathcal {A}\right]\gt \delta _\mathcal {A}. \end{align*}
We have to construct a classical adversary that breaks the soundness of the proof of quantumness. If \(\epsilon _\mathcal {A}\approx 1\), it is easy: We consider an algorithm \(\mathcal {A}_j\) that outputs the \(j\)th bit of \(\mathcal {A}\)’s output for \(j\in [\ell _\pi ]\) where \(\ell _\pi\) is the length of a proof in the proof of quantumness. For \(\delta _\mathcal {A}\)-fraction of \(H\), \(\mathcal {A}_j\)’s output is almost deterministic for all \(j\). Then, we can classically simulate \(\mathcal {A}_j\) for all \(j\) by invoking Conjecture 8.1 for \(\epsilon \ll 1\) and \(\delta \ll \delta _\mathcal {A}/\ell _{\pi }\). This breaks the soundness of the proof of quantumness.
When \(\epsilon _\mathcal {A}\ll 1\), such a simple bit-by-bit simulation attack does not work. The reason is that mixing up bits of multiple valid proofs does not result in a valid proof in general. To deal with such a case, we attempt to convert \(\mathcal {A}\) into an almost deterministic attacker. If this is done, the same idea as the case of \(\epsilon _\mathcal {A}\approx 1\) works. For making \(\mathcal {A}\) almost deterministic, our first idea is to consider a modified adversary \(\mathcal {A}^{\prime }\) that outputs the smallest valid proof \(\pi\) in the lexicographical order such that \(\mathcal {A}\) outputs \(\pi\) with probability at least \(\epsilon _\mathcal {A}\). If we can efficiently construct such \(\mathcal {A}^{\prime }\), then this idea works. However, the problem is that \(\mathcal {A}^{\prime }\) cannot exactly compute the probabilities that \(\mathcal {A}\) outputs each \(\pi\) with a limited number of queries. What \(\mathcal {A}^{\prime }\) can do is to run \(\mathcal {A}\) many times to approximate the probabilities up to a \(1/\mathsf {poly}\) error. Now, a problem occurs if there are multiple \(\pi\) such that the probability that \(\mathcal {A}\) outputs \(\pi\) is within \(\epsilon _\mathcal {A}\pm 1/\mathsf {poly}\).
To deal with this issue, we rely on an idea to randomly decide the threshold. That is, \(\mathcal {A}^{\prime }\) outputs the lexicographically smallest valid proof \(\pi\) such that the approximated probability that \(\mathcal {A}\) outputs \(\pi\) is at least \(t\) for some randomly chosen threshold \(t\in (\epsilon _\mathcal {A}/2,\epsilon _\mathcal {A})\). If we choose \(t\) from a sufficiently large set and set the approximation error to be sufficiently small, we can show that it is impossible that there are multiple \(\pi\) such that the probability that \(\mathcal {A}\) outputs \(\pi\) is within \(t \pm 1/\mathsf {poly}\) for a large fraction of \(t\) by a simple counting argument. This resolves the above problem.
Proof of Theorem 8.4. In the rest of this section, we give a formal proof of Theorem 8.4. We first show the following simple lemma.
Lemma 8.5.
Let \(\mathcal {A}\) be a (possibly quantum) algorithm that outputs an \(\ell\)-bit string \(z\). For any \(\epsilon ,\delta \gt 0\), there is an algorithm \(\mathsf {Approx}(\mathcal {A},\epsilon ,\delta)\) that runs \(\mathcal {A}\) \(O(\ell \log (\delta ^{-1}) \epsilon ^{-2})\) times and outputs a tuple \(\lbrace P_z\rbrace _{z\in \lbrace 0,1\rbrace ^\ell }\) such that
\begin{align*} \Pr \left[\forall z\in \lbrace 0,1\rbrace ^\ell ~\left|P_z-\Pr [\mathcal {A}()\rightarrow z]\right|\le \epsilon \right]\ge 1-\delta , \end{align*}
where \(\lbrace P_z\rbrace _{z\in \lbrace 0,1\rbrace ^\ell }{\xleftarrow{$}} \mathsf {Approx}(\mathcal {A},\epsilon ,\delta)\). We say that \(\mathsf {Approx}(\mathcal {A},\epsilon ,\delta)\) succeeds if the event in the above probability occurs.
Proof.
\(\mathsf {Approx}(\mathcal {A},\epsilon ,\delta)\) works as follows. It runs \(\mathcal {A}()\) \(N\) times where \(N\) is an integer specified later. For each \(z\), let \(K_z\) be the number of executions where \(\mathcal {A}\) outputs \(z\). Then it outputs \(\lbrace P_z:=\frac{K_z}{N}\rbrace _{z\in \lbrace 0,1\rbrace ^\ell }\).
If we set \(N\ge C\ell \log (\delta ^{-1})\epsilon ^{-2}\) for a sufficiently large constant \(C\), by the Chernoff bound (Lemma 2.4), for each \(z\), we have
\begin{align*} \Pr \left[ \left|P_z-\Pr [\mathcal {A}()\rightarrow z]\right|\le \epsilon \right]\ge 1-\frac{\delta }{2^\ell }. \end{align*}
By the union bound, we obtain Lemma 8.5. □
Then, we prove Theorem 8.4.
Proof of Theorem 8.4.
Towards a contradiction, we assume that
\begin{align} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}\left[ \max _{\pi ^*\text{~s.t.~}\mathsf {Verify}^H(1^\lambda ,\pi ^*)=\top }\Pr [\mathcal {A}^H(1^\lambda)\rightarrow \pi ^*]\gt \epsilon _\mathcal {A}\right]\gt \delta _\mathcal {A}. \tag{38} \end{align}
It suffices to prove that there exists a classical adversary \(\mathcal {B}\) that makes \(p(Q_\mathcal {A},m,\epsilon _\mathcal {A}^{-1},\delta _\mathcal {A}^{-1})\) classical queries and satisfies
\begin{equation*} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}[\mathsf {Verify}^H(1^\lambda ,\pi)=\top :\pi {\xleftarrow{$}} \mathcal {B}^{H}(1^\lambda)]\ge \delta _\mathcal {A}/4 \end{equation*}
for some polynomial \(p\). Let \(M:=\lceil \frac{4}{\epsilon _\mathcal {A}}\rceil\). For \(i\in [M]\), we consider a quantum adversary \(\mathcal {A}_i\) that works as follows.
\(\mathcal {A}_i^H(1^\lambda)\): It runs \(\lbrace P_\pi \rbrace _{\pi \in \lbrace 0,1\rbrace ^{\ell _\pi }}{\xleftarrow{$}} \mathsf {Approx}(\mathcal {A},\frac{\epsilon _\mathcal {A}}{4M},\frac{1}{5})\) where \(\ell _\pi\) is the length of a proof. Then it outputs the smallest \(\pi\) in the lexicographical order that satisfies
\begin{equation*} \mathsf {Verify}^H(1^\lambda ,\pi)=\top \end{equation*}
and
\begin{equation*} P_\pi \gt \frac{\epsilon _\mathcal {A}}{2}\left(1+\frac{2i-1}{2M}\right). \end{equation*}
The number of queries by \(\mathcal {A}_i\) is \(Q_{\mathcal {A}_i}=\mathsf {poly}(\lambda ,Q_\mathcal {A}, \epsilon _\mathcal {A}^{-1})\) since \(\ell _\pi =\mathsf {poly}(\lambda)\). For each \(H\), let \(\pi _i^H\) be the most likely output of \(\mathcal {A}^H_{i}(1^\lambda)\). We prove the following claim.
Claim 8.6.
For at least \((\tfrac{\delta _\mathcal {A}}{2})\)-fraction of \(H\in \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)\) and \(i\in [M]\), it holds that
\begin{equation*} \Pr [\mathcal {A}_i^H(1^\lambda)\rightarrow \pi _i^H]\gt 4/5. \end{equation*}
Proof of Claim 8.6
By Equation (38), at least \(\delta _\mathcal {A}\)-fraction of \(H\) satisfies
\begin{align} \max _{\pi ^*\text{~s.t.~}\mathsf {Verify}^H(1^\lambda ,\pi ^*)=\top }\Pr [\mathcal {A}^H(1^\lambda)\rightarrow \pi ^*]\gt \epsilon _\mathcal {A}. \tag{39} \end{align}
Fix such \(H\). Then, for at least \(\frac{1}{2}\)-fraction of \(i\in [M]\), there does not exist \(\pi\) satisfying
\begin{align} \left| \Pr [\mathcal {A}^H(1^\lambda)\rightarrow \pi ]-\frac{\epsilon _\mathcal {A}}{2}\left(1+\frac{2i-1}{2M}\right) \right| \lt \frac{\epsilon _\mathcal {A}}{4M}. \tag{40} \end{align}
This can be seen by a simple counting argument. First, we remark that if \(\pi\) satisfies Equation (40) for some \(i\in [M]\), then we have \(\Pr [\mathcal {A}^H(1^\lambda)\rightarrow \pi ]\gt \epsilon _\mathcal {A}/2\). Therefore, the number of such \(\pi\) is at most \(2/\epsilon _\mathcal {A}\). Second, we remark that each \(\pi\) can satisfy Equation (40) for at most one \(i\). Therefore, the fraction of \(i\in [M]\) such that there is \(\pi\) that satisfies Equation (40) is at most \(2/(\epsilon _\mathcal {A}M)\le 1/2\).
Therefore, for at least \((\tfrac{\delta _\mathcal {A}}{2})\)-fraction of \(H\) and \(i\), Equation (39) holds and there does not exist \(\pi\) satisfying Equation (40). For such \(H\) and \(i\), if \(\mathsf {Approx}(\mathcal {A},\frac{\epsilon _\mathcal {A}}{4M},\frac{1}{5})\) succeeds, which occurs with probability at least \(\frac{4}{5}\), then \(\mathcal {A}_i\) outputs the smallest \(\pi\) in the lexicographical order that satisfies
\begin{equation*} \mathsf {Verify}^H(1^\lambda ,\pi)=\top \end{equation*}
and
\begin{equation*} \Pr [\mathcal {A}^H(1^\lambda)\rightarrow \pi ]\gt \frac{\epsilon _\mathcal {A}}{2}\left(1+\frac{2i-1}{2M}\right). \end{equation*}
Since the above \(\pi\) is output with probability larger than \(4/5\), this is the most likely output \(\pi _i^H\). Thus, for at least \((\tfrac{\delta _\mathcal {A}}{2})\)-fraction of \(H\) and \(i\), \(\mathcal {A}_i^H\) returns \(\pi _i^H\) with probability larger than \(4/5\). This completes the proof of Claim 8.6. □
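The randomized-threshold idea from the intuition above and the counting argument in the proof of Claim 8.6 can be exercised on a toy instance. The following Python simulation is an added example, not code from the paper: it assumes a constructed prover \(\mathcal {A}\) with a known output distribution over 4-bit proofs, a \(\mathsf {Verify}\) that is a fixed membership test, the constant in Lemma 8.5's sample count set to 1, and \(\epsilon _\mathcal {A}=0.4\), so \(M=10\); one proof's probability is placed exactly on \(t_3\) to show the single borderline index that the counting bound allows.

```python
import random
from collections import Counter
from math import ceil, log

# Constructed toy instance (not from the paper): 4-bit "proofs", a Verify
# that is a fixed membership test, and a prover A whose output distribution
# is known exactly so the simulated A_i can be checked against the ideal A'.
ELL_PI = 4
VALID = {"0011", "0101", "1001", "1100"}
DIST = {            # exact Pr[A^H -> pi]; sums to 1
    "0011": 0.25,   # valid; sits exactly on threshold t_3 below (borderline)
    "0101": 0.45,   # valid; exceeds eps_A, so hypothesis (39) holds
    "1001": 0.10,   # valid
    "1100": 0.05,   # valid but rare
    "1111": 0.15,   # rejected by Verify
}
EPS_A = 0.4                  # eps_A of Theorem 8.4
M = ceil(4 / EPS_A)          # M = ceil(4/eps_A) = 10
C_CHERNOFF = 1               # assumed constant C in Lemma 8.5's choice of N


def verify(pi):
    return pi in VALID


def threshold(i):
    """t_i = eps_A/2 * (1 + (2i-1)/(2M)) for i in [M]."""
    return EPS_A / 2 * (1 + (2 * i - 1) / (2 * M))


def approx(sample, ell, eps, delta, rng):
    """Lemma 8.5: empirical output frequencies after
    N = C * ell * log(1/delta) / eps^2 independent runs of the sampler."""
    n = ceil(C_CHERNOFF * ell * log(1 / delta) / eps ** 2)
    counts = Counter(sample(rng, n))
    return {z: k / n for z, k in counts.items()}


def sample_a(rng, n):
    """Draw n outputs of the toy prover A."""
    return rng.choices(list(DIST), weights=list(DIST.values()), k=n)


def adversary_i(i, rng):
    """A_i: approximate A's output probabilities to within eps_A/(4M) with
    failure probability 1/5, then return the lexicographically smallest valid
    proof whose estimate exceeds t_i (None if there is none)."""
    est = approx(sample_a, ELL_PI, EPS_A / (4 * M), 1 / 5, rng)
    t = threshold(i)
    passing = sorted(pi for pi, p in est.items() if verify(pi) and p > t)
    return passing[0] if passing else None


def ideal_output(i):
    """Output of A_i whenever Approx succeeds and no proof has true
    probability within eps_A/(4M) of t_i, i.e. the case used in Claim 8.6."""
    t = threshold(i)
    passing = sorted(pi for pi, p in DIST.items() if verify(pi) and p > t)
    return passing[0] if passing else None


def bad_indices():
    """Counting argument of Claim 8.6: indices i for which some proof pi
    satisfies |Pr[A -> pi] - t_i| < eps_A/(4M), i.e. condition (40).
    The proof bounds their fraction by 2/(eps_A * M) <= 1/2."""
    w = EPS_A / (4 * M)
    return {i for i in range(1, M + 1)
            if any(abs(p - threshold(i)) < w for p in DIST.values())}


def run_all(seed=0):
    """Run A_i once for every i in [M]; returns {i: output}."""
    rng = random.Random(seed)
    return {i: adversary_i(i, rng) for i in range(1, M + 1)}


if __name__ == "__main__":
    bad = bad_indices()
    print("borderline thresholds:", sorted(bad), "of", M)
    for i, out in run_all().items():
        tag = " (borderline: output depends on sampling noise)" if i in bad else ""
        print(f"i={i:2d} t_i={threshold(i):.2f} A_i -> {out} ideal -> {ideal_output(i)}{tag}")
```

For every non-borderline index the simulated \(\mathcal {A}_i\) returns the same proof as the ideal \(\mathcal {A}^{\prime }\) on every run, which is the almost-deterministic behaviour the bit-by-bit classical simulation of Theorem 8.4 needs.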
For \(j\in [\ell _\pi ]\), let \(\mathcal {A}_{i,j}\) be the algorithm that runs \(\mathcal {A}_{i}\) and outputs the \(j\)th bit of the output of \(\mathcal {A}_i\). Since \(\mathcal {A}_{i,j}\) makes the same number of queries as \(\mathcal {A}_i\), its number of queries is \(Q_{\mathcal {A}_{i,j}}=Q_{\mathcal {A}_i}=\mathsf {poly}(\lambda ,Q_\mathcal {A},\epsilon _\mathcal {A}^{-1})\). We apply Conjecture 8.1 to \(\mathcal {A}_{i,j}\) where \(\epsilon :=1/5\) and \(\delta :=\frac{\delta _\mathcal {A}}{4\ell _\pi }\). Then, Conjecture 8.1 ensures that there exists a deterministic classical algorithm \(\mathcal {B}_{i,j}\) that makes \(\mathsf {poly}(Q_{\mathcal {A}_{i,j}},m,\epsilon ^{-1},\delta ^{-1})=\mathsf {poly}(\lambda ,Q_\mathcal {A}, \epsilon _\mathcal {A}^{-1},\delta _\mathcal {A}^{-1})\) classical queries and satisfies
\begin{align*} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}\left[\left|\Pr [\mathcal {A}^H_{i,j}(1^\lambda)\rightarrow 1]-\mathcal {B}^{H}_{i,j}(1^\lambda)\right|\le 1/5\right]\ge 1-\frac{\delta _\mathcal {A}}{4\ell _\pi }. \end{align*}
By the union bound, we have
\begin{align} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}\left[ \forall j\in [\ell _\pi ]~ \left|\Pr [\mathcal {A}^H_{i,j}(1^\lambda)\rightarrow 1]-\mathcal {B}^{H}_{i,j}(1^\lambda)\right|\le 1/5\right]\ge 1-\frac{\delta _\mathcal {A}}{4}. \tag{41} \end{align}
Now, we give the classical adversary \(\mathcal {B}\).
\(\mathcal {B}^H(1^\lambda)\): It randomly chooses \(i{\xleftarrow{$}} [M]\). For \(j=1,2, \ldots ,\ell _\pi\), it runs \(\mathcal {B}^H_{i,j}(1^\lambda)\) and sets \(\pi _j:=1\) if the output is larger than \(1/2\) and \(\pi _j:=0\) otherwise. Then it outputs \(\pi :=\pi _1||\pi _2||\cdots ||\pi _{\ell _\pi }\).
By the construction, we can see that \(\mathcal {B}\) makes \(\mathsf {poly}(\lambda ,Q_\mathcal {A},\epsilon _{\mathcal {A}}^{-1},\delta _{\mathcal {A}}^{-1})\) queries. By combining Claim 8.6 and Equation (41), for at least \((\tfrac{\delta _\mathcal {A}}{4})\)-fraction of \(H\in \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)\) and \(i\in [M]\), for all \(j\in [\ell _\pi ]\), if the \(j\)th bit of \(\pi ^H_i\) is 1, we have
\begin{equation*} \mathcal {B}^{H}_{i,j}(1^\lambda)\gt 3/5 \end{equation*}
and otherwise
\begin{equation*} \mathcal {B}^{H}_{i,j}(1^\lambda)\lt 2/5. \end{equation*}
Thus, for such \(H\) and \(i\), \(\mathcal {B}^{H}(1^\lambda)\) outputs \(\pi ^H_i\). Since we have \(\mathsf {Verify}^H(1^\lambda ,\pi ^H_i)=\top\) for all \(i\in [M]\), we have
\begin{equation*} \Pr _{H{\xleftarrow{$}} \mathsf {Func}(\lbrace 0,1\rbrace ^n,\lbrace 0,1\rbrace ^m)}[\mathsf {Verify}^H(1^\lambda ,\pi)=\top :\pi {\xleftarrow{$}} \mathcal {B}^{H}(1^\lambda)]\ge \frac{\delta _\mathcal {A}}{4}. \end{equation*}
This contradicts the soundness of the proof of quantumness in the CROM. This completes the proof of Theorem 8.4. □

9 Proof of Theorem 3.11

In this section, we prove Theorem 3.11. For the reader’s convenience, we restate the theorem below.
Theorem 9.1 (Restatement of Theorem 3.11).
If \((\mathsf {Prove}_0,\mathsf {Verify}_0)\) is a proof of min-entropy (resp. proof of randomness) in the QROM, then \((\mathsf {Prove},\mathsf {Verify})\) is a proof of min-entropy (resp. proof of randomness) in the AI-QROM, where \(\mathsf {Prove}^H(1^\lambda ,k_0||k_1,1^h)=\mathsf {Prove}_0^{H(k_1||\cdot)}(1^\lambda ,k_0,1^{h+1})\) and \(\mathsf {Verify}^H(1^\lambda ,k_0||k_1,1^h,\pi)=\mathsf {Verify}_0^{H(k_1||\cdot)}(1^\lambda ,k_0,1^{h+1},\pi)\) and where \(k_1\in \lbrace 0,1\rbrace ^\lambda\).
Proof.
We prove the case of proof of min-entropy, the case of proofs of randomness being essentially identical. Consider a non-uniform oracle-dependent adversary \(\mathcal {A}\) for the min-entropy of \((\mathsf {Prove},\mathsf {Verify})\), with advice function \(a(H)\) of polynomial output length.
To get an intuition for our proof, consider two possible advice strings \(a(H)\). The first is where \(a(H)\) is computed by choosing an arbitrary \(k_1^*\), and setting \(a(H)\) to be some function of \(H(k_1^*||\cdot)\), the portion of the truth table that uses the prefix \(k_1^*\). The second is where \(a(H)\) is, say, \(H(0||x)\oplus H(1||x)\oplus H(2||x)\oplus \cdots\) for some \(x\), which depends on \(H\) evaluated at all possible prefixes.
In the first case, \(a(H)\) is only useful if \(k_1=k_1^*\), which occurs with exponentially-small probability. If \(k_1\ne k_1^*\), then since \(\mathsf {Verify}_0^{H(k_1||\cdot)}\) only queries \(H\) on inputs that are independent of \(a(H)\), security follows from the underlying security of \((\mathsf {Prove}_0,\mathsf {Verify}_0)\) in the ordinary QROM.
The second case is slightly trickier, since now \(a(H)\) depends on all possible prefixes. Here, however, we can come up with a simple fix: choose a uniform \(k_1^*\), and re-sample \(H\) on all inputs of the form \(k_1^*||\cdot\). Let the resulting oracle be \(H^{\prime }\). Because \(k_1^*\) is random and independent of the adversary’s view, it is straightforward to show that this change negligibly impacts the adversary’s output distribution. Now, however, \(a(H)\) is actually independent of \(H^{\prime }\), since the re-sampled parts eliminate any dependency.
Our proof will follow similar lines, but work more generally. We re-sample a large-but-not-too-large number of prefixes, and show that this does not change the adversary’s output distribution by much. Intuitively, if \(a(H)\) depended globally on many prefixes (as in our second example), then by re-sampling a few prefixes we make \(a(H)\) close to independent of \(H^{\prime }\). On the other hand, if \(a(H)\) depends on just a few prefixes, it is anyway exponentially unlikely that \(k_1\) will be among the prefixes. The result in either case is that \(H(k_1||\cdot)\) will be close to independent of \(a(H)\), which allows us to base security on the underlying security of \((\mathsf {Prove}_0,\mathsf {Verify}_0)\) in the ordinary QROM.
The above argument would work for “typical” cryptographic games. One wrinkle, however, with applying it to proofs of min-entropy is that a negligible change in the adversary’s output distribution can result in a non-negligible change in the entropy. It is therefore insufficient to argue simply that the adversary’s output distribution is negligibly close. We utilize a careful argument to show that, indeed, entropy is preserved in our reduction. The intuition is that instead of an additive error, we show that the probability of each outcome incurs only a small multiplicative change moving from \(H\) to \(H^{\prime }\). Such a small multiplicative change will indeed preserve entropy. We now give the proof.
Suppose \(\mathcal {A}\) breaks min-entropy. This means there is a polynomial \(h\), an inverse polynomial \(\delta\) and a non-negligible \(\epsilon\) such that the following simultaneously hold with probability at least \(\epsilon\) over the choice of \(H,k_0,k_1\):
\begin{align} \Pr [\mathsf {Verify}^{H}(1^\lambda ,k_0||k_1,1^h,\mathcal {A}^{H}(1^\lambda ,a(H),k_0||k_1,1^h))\ne \bot ]&\ge \delta (\lambda), \end{align}
(42)
\begin{align} H_\infty \left(\mathcal {A}^{H}_{\top }(1^\lambda ,a(H),k_0||k_1,1^h)\right)&\le h. \end{align}
(43)
We now implement the re-sampling process outlined above. Choose a second random oracle \(J\). Moreover, choose a random set of salts \(S\subseteq \lbrace 0,1\rbrace ^\lambda\). \(S\) will be chosen as follows. First choose a size \(\ell \in [2^{\lambda }]\) according to a distribution \(D\), which will be specified later. Then choose \(S\) to be a uniform random subset of size \(\ell\). Define \(H^{\prime }\) as
\begin{equation*} H^{\prime }(s,x)={\left\lbrace \begin{array}{ll}J(s,x)&\text{if }s\in S\\ H(s,x)&\text{otherwise} \end{array}\right.} \end{equation*}
We now specify two different distributions \(D_1,D_2\) for \(\ell\), which induce distributions \(E_1,E_2\) over \(H^{\prime }\). Let \(k,d,n\) be non-negative integers with \(dn\le 2^\lambda\). We will think of \(d,n\) as being super-polynomial, and \(k\) as being polynomial. Define the matrix \({\mathbf {A}}\in \mathbb {Z}^{(k+1)\times n}\) as follows:
\begin{equation*} {\mathbf {A}}=\begin{pmatrix} 1&1&1&1&\cdots &1\\ 0&1&2&3&\cdots &n\\ 0&1&4&9&\cdots &n^2\\ \vdots &\vdots &\vdots &\vdots &\ddots &\vdots \\ 0&1&2^k&3^k&\cdots &n^k \end{pmatrix} \end{equation*}
Let \(\mathbf {x}\) be the \(n\)-dimensional vector \(\mathbf {x}=(1\;\;-1\;\;0\;\;0\;\;\cdots \;\;0)\), and let \(\mathbf {y}\) be the orthogonal projection of \(\mathbf {x}\) onto the space orthogonal to the rows \({\mathbf {A}}\). Let \(\mathbf {y}^+\) be the vector obtained from \(\mathbf {y}\) by replacing all the negative entries with 0 and keeping all the positive entries. Let \(\mathbf {y}^-\) be the vector obtained from \(\mathbf {y}\) by replacing all the positive entries with 0, and negating all the negative entries (thereby making them positive). That is,
\begin{align*} \mathbf {y}^+_i&=\max (\mathbf {y}_i,0)\\ \mathbf {y}^-_i&=\max (-\mathbf {y}_i,0) \end{align*}
This means \(\mathbf {y}^+,\mathbf {y}^-\) have only non-negative entries, and \(\mathbf {y}=\mathbf {y}^+-\mathbf {y}^-\). We will 0-index the coordinates of \(\mathbf {y},\mathbf {y}^+,\mathbf {y}^-\), so that the first entry has position \(i=0\), the second has position \(i=1\), and so on.
Now define \(D_1\) as the distribution which samples \(i\cdot d\) with probability proportional to \(\mathbf {y}^+_i\) (namely, with probability \(\mathbf {y}^+_i/|\mathbf {y}^+|_1\) where \(|\cdot |_1\) represents the 1-norm), and \(D_2\) as the distribution which samples \(i\cdot d\) with probability proportional to \(\mathbf {y}^-_i\) (namely, with probability \(\mathbf {y}^-_i/|\mathbf {y}^-|_1\)). We call \(E_1,E_2\) the distributions over \(H^{\prime }\) that result from sampling \(\ell\) from \(D_1,D_2\), respectively.
The intuition for these distributions is that \(\mathbf {y}^+\) will be very close to \((1\;\;0\;\;\cdots \;\;0)\) while \(\mathbf {y}^-\) will be very close to \((0\;\;1\;\;0\;\;\cdots \;\;0)\). This means \(D_1\) will place the bulk of its weight on 0, meaning \(|S|=0\) with high probability, in which case \(H^{\prime }=H\). The small probability that \(H\ne H^{\prime }\) means that the probability of any output of \(\mathcal {A}\) could only have changed by a small multiplicative amount, meaning the min-entropy stays low (we want the entropy to stay low since we are ultimately going to use the adversary to break \((\mathsf {Prove}_0,\mathsf {Verify}_0)\)). On the other hand, \(D_2\) places all of its weight on values at least \(d\), meaning \(|S|\ge d\). In this case, we will show that for a random choice of \(s\notin S\), the truth table of \(H(s,\cdot)\) is essentially independent of \(a(H)\) given \(H^{\prime }\). This allows us to show that if \(\mathcal {A}\) breaks min-entropy under the distribution \(D_2\), then we can turn \(\mathcal {A}\) into an adversary \(\mathcal {B}\) for \(H(s,\cdot)\) in the setting where \(\mathcal {B}\) is given no auxiliary input. This would contradict the assumed security of \((\mathsf {Prove}_0,\mathsf {Verify}_0)\). The proof is then completed by showing that, since \({\mathbf {A}}\cdot (\mathbf {y}^+-\mathbf {y}^-)=0\), the output distributions under \(D_1\) and \(D_2\) are identical. We now prove the above facts.
Part 1: Small entropy difference for \(E_1\). We now show that in the case \(H^{\prime }\) is sampled from \(E_1\) (that is, \(\ell\) sampled from \(D_1\)), that the resulting distribution is very close to \(H\). More precisely:
Lemma 9.2.
Fix \(H,k_0,k_1\), which in turn fixes \(a(H)\). Let \(z\) be any possible output of \(\mathcal {A}\). Then
\begin{equation*} \Pr _{H^{\prime }\leftarrow E_1}[z\leftarrow \mathcal {A}^{H^{\prime }}(1^\lambda ,a(H),k_0||k_1,1^h)]\ge \left(1-O(k^3/n^{1/2})\right)\Pr [z\leftarrow \mathcal {A}^{H}(1^\lambda ,a(H),k_0||k_1,1^h)] \end{equation*}
This means that the most likely outcome \(z\) is only negligibly affected by moving from \(H\) to \(H^{\prime }\), when \(\ell\) is sampled from \(D_1\). Hence, the min-entropy of the output distribution of \(\mathcal {A}\) can only increase by a negligible amount.
Since \(H^{\prime }=H\) when \(\ell =0\), Lemma 9.2 is an immediate consequence of the following lemma:
Lemma 9.3.
\(\Pr [0\leftarrow D_1]\ge 1-O(k^3/n^{1/2})\)
Proof.
Let \(\mathbf {z}\) be the projection of \(\mathbf {x}=(1\;\;-1\;\;0\;\;0\;\;\cdots \;\;0)\) onto the row-span of \({\mathbf {A}}\), meaning \(\mathbf {z}+\mathbf {y}=\mathbf {x}\) and \(\mathbf {y},\mathbf {z}\) are orthogonal. Hence \(2=|\mathbf {x}|^2=|\mathbf {z}|^2+|\mathbf {y}|^2\). Our goal will be to bound \(|\mathbf {z}|\) to being negligible. This will imply that \(\mathbf {y}\) is very close to \(\mathbf {x}\), and hence \(\mathbf {y}^+\) is very close to \((1\;\;0\;\;0\;\;\cdots \;\;0)\). This in turn means most of the mass of \(D_1\) is on 0, as desired.
Consider the matrix \({\mathbf {B}}={\mathbf {A}}\cdot {\mathbf {A}}^T\). Then \({\mathbf {B}}_{i,i^{\prime }}=\sum _{j=0}^n j^{i+i^{\prime }}\) (where we 0-index \(i,i^{\prime }\)). This sum very closely approximates \(n^{i+i^{\prime }+1}/(i+i^{\prime }+1)\). To keep the following analysis simpler, we will take \({\mathbf {B}}_{i,i^{\prime }}=n^{i+i^{\prime }+1}/(i+i^{\prime }+1)\); the error caused by this will be small and therefore will be absorbed into the big-O. We can then write \({\mathbf {B}}=n\cdot {\mathbf {D}}\cdot {\mathbf {B}}^{\prime }\cdot {\mathbf {D}}\) where
\begin{equation*} {\mathbf {D}}=\begin{pmatrix}1&&&\\ &n&&\\ &&n^2&\\ &&&\ddots \end{pmatrix}\;\;\;\;{\mathbf {B}}^{\prime }=\begin{pmatrix}1&\frac{1}{2}&\frac{1}{3}&\cdots &\frac{1}{k+1}\\ \frac{1}{2}&\frac{1}{3}&\frac{1}{4}&\cdots &\frac{1}{k+2}\\ \frac{1}{3}&\frac{1}{4}&\frac{1}{5}&\cdots &\frac{1}{k+3}\\ \vdots &\vdots &\vdots &\ddots &\vdots \\ \frac{1}{k+1}&\frac{1}{k+2}&\frac{1}{k+3}&\cdots &\frac{1}{2k+1} \end{pmatrix} \end{equation*}
Observe that the matrix representing the orthogonal projection onto the row-span of \({\mathbf {A}}\) is \({\mathbf {A}}^T\cdot {\mathbf {B}}^{-1}\cdot {\mathbf {A}}\). Therefore, we have that
\begin{align*} |\mathbf {z}|^2 &= \mathbf {z}^T\cdot \mathbf {z}= \mathbf {x}^T\cdot {\mathbf {A}}^T\cdot {\mathbf {B}}^{-1}\cdot {\mathbf {A}}\cdot \mathbf {x}=(0\;\;-1\;\;-1\;\;\cdots \;\;-1)\cdot {\mathbf {B}}^{-1}\cdot \begin{pmatrix}0\\ -1\\ -1\\ \vdots \\ -1\end{pmatrix}\\ &=\frac{1}{n}\cdot \left(0\;\;\frac{1}{n}\;\;\frac{1}{n^2}\;\;\cdots \;\;\frac{1}{n^k}\right)\cdot ({\mathbf {B}}^{\prime })^{-1}\cdot \begin{pmatrix}0\\ 1/n\\ 1/n^2\\ \vdots \\ 1/n^k\end{pmatrix} \end{align*}
We therefore must compute \(({\mathbf {B}}^{\prime })^{-1}\). Fortunately, the inverse is known: \({\mathbf {B}}^{\prime }\) is the Hilbert matrix, and its inverse is given by:
Lemma 9.4 ([25]).
\(({\mathbf {B}}^{\prime })^{-1}_{i,i^{\prime }}=(-1)^{i+i^{\prime }}(i+i^{\prime }+1)\binom{i+i^{\prime }}{i}^2\binom{k+i}{i+i^{\prime }+1}\binom{k+i^{\prime }}{i+i^{\prime }+1}\), where again \(i,i^{\prime }\) are 0-indexed.
With Lemma 9.4, we have that \(|\mathbf {z}|^2=\sum _{j=2}^{2k}\frac{(-1)^j(j+1)}{n^{j+1}}\sum _i \binom{j}{i}\binom{k+i}{j+1}\binom{k+j-i}{j+1}\). We can lower-bound the sum over \(i\) by 0 and upper bound it by \(\sum _i\binom{j}{i}(2k)^{2(j+1)}=2^j\cdot (2k)^{2(j+1)}\le (4k)^{2j+2}\). Thus,
\begin{equation*} |\mathbf {z}|^2\le \sum _{j^{\prime }=1}^k (2j^{\prime }+1) \left(\frac{16k^2}{n}\right)^{2j^{\prime }+1}\le \sum _{j^{\prime }=1}^\infty (2j^{\prime }+1) \left(\frac{16k^2}{n}\right)^{2j^{\prime }+1}=\frac{(3-\alpha ^2)\alpha ^3}{(1-\alpha ^2)^2}\le 12\left(\frac{16k^2}{n}\right)^3 \end{equation*}
where above we set \(j^{\prime }=j/2\) for even \(j\) (the odd \(j\) terms being bounded by 0), \(\alpha =16k^2/n\), and we assume \(\alpha \le 1/2\).
Thus we have that \(|\mathbf {z}|=O(k^3/n^{3/2})\), which in turn implies that \(|\mathbf {z}|_1\le n|\mathbf {z}|=O(k^3/n^{1/2})\). Since we have \(\mathbf {y}=(1\;\;-1\;\;0\;\;\cdots \;\;0)-\mathbf {z}\), and \(\mathbf {y}^+\) contains all the non-negative entries of \(\mathbf {y}\), we therefore have that \(\mathbf {y}^+_1\ge 1-O(k^3/n^{1/2})\), and all the remaining entries of \(\mathbf {y}^+\) sum to less than \(O(k^3/n^{1/2})\). Thus \(|\mathbf {y}^+|_1= 1\pm O(k^2/n^{1/2})\), and so \(\mathbf {y}^+_1/|\mathbf {y}^+|_1\ge 1-O(k^3/n^{1/2})\). Thus the distribution \(D_1\) will output zero with probability at least \(1-O(k^3/n^{1/2})\), as desired. □
Part 2: Equivalent Output Distributions. We next show that the output distributions are equivalent under \(E_1\) and \(E_2\):
Lemma 9.5.
Fix \(H,k_0,k_1\), which in turn fixes \(a(H)\). Let \(z\) be any possible output of \(\mathcal {A}\). Let \(q\) be the number of queries made by \(\mathcal {A}\), and assume \(k\ge 4q\). Then \(\Pr _{H^{\prime }\leftarrow E_1}[z\leftarrow \mathcal {A}^{H^{\prime }}(1^\lambda ,a(H),k_0||k_1,1^h)]=\Pr _{H^{\prime }\leftarrow E_2}[z\leftarrow \mathcal {A}^{H^{\prime }}(1^\lambda ,a(H),k_0||k_1,1^h)]\). In other words, the output distribution of \(\mathcal {A}^{H^{\prime }}(1^\lambda ,a(H),k_0||k_1,1^h)\) is identical whether \(H^{\prime }\) is sampled from \(E_1\) or \(E_2\).
Proof.
Our proof will use the polynomial method [10]. Specifically, we will make use of the following formulation, shown in [60]:
Lemma 9.6.
Let \(\mathcal {A}\) be a quantum algorithm making \(q^{\prime }\) quantum queries to an oracle \(H:\mathcal {X}\rightarrow \mathcal {Y}\). If we draw \(H\) from some distribution \(D\), then for every \(z\), the quantity \(\Pr _{H\leftarrow D}[z\leftarrow \mathcal {A}^H()]\) is a linear combination of the quantities \(\Pr _{H\leftarrow D}[H(x_i)=r_i\forall i\in [2q^{\prime }]]\) for all possible settings of the \(x_i\) and \(r_i\). The coefficients in the linear combination are independent of the distribution \(D\). □
In the case \(\mathcal {Y}=\lbrace 0,1\rbrace\), by inclusion-exclusion, we can in turn write the quantities \(\Pr _{H\leftarrow D}[H(x_i)=r_i\forall i\in \lbrace 1,\cdots 2q^{\prime }\rbrace ]\) as linear combinations of the quantities \(\Pr _{H\leftarrow D}[H(x_i)=1\forall i\in [k]]\) for all possible \(k\le 2q^{\prime }\).
We abuse notation, and let \(S\) also denote the membership oracle for \(S\), namely \(S(s)=1\) if and only if \(s\in S\). Now consider the distributions \(D_1,D_2\), which induce distributions over \(S\) that we will call \(S_1\) and \(S_2\), respectively. These in turn induce distributions \(E_1,E_2\) over \(H^{\prime }\). Consider the algorithm that simulates \(\mathcal {A}^{H^{\prime }}\) by making queries to \(S\), where \(S\) is drawn from either \(S_1\) or \(S_2\), meaning that \(H^{\prime }\) is drawn from either \(E_1\) or \(E_2\). This simulation must make two queries to \(S\) for each query \(\mathcal {A}\) makes to \(H^{\prime }\): one to compute whether \(s\in S\), and then one to un-compute the value at the end of the query. Thus, if \(\mathcal {A}\) makes \(q\) queries, the total number of queries the simulation makes to \(S\) is \(q^{\prime }=2q\). Observe also that \(S\) is independent of \(H,k_0,k_1,a(H)\). Thus, after fixing \(H,k_0,k_1,a(H)\), we can apply Lemma 9.6 to the simulation of \(\mathcal {A}\), and see that the probability \(\mathcal {A}\) outputs any given value \(z\) is a linear combination of \(\Pr _S[S(s_i)=1\forall i\in [k^{\prime }]]\) for \(k^{\prime }\le 4q\le k\), where the coefficients of the linear combination are independent of the distribution over \(S\). It suffices, therefore, to prove that for all \(k^{\prime }\le k\) and for all \(s_1,\cdots ,s_{k^{\prime }}\), that
\begin{equation*} \Pr _{S\leftarrow S_1}[S(s_i)=1\forall i\in [k^{\prime }]]=\Pr _{S\leftarrow S_2}[S(s_i)=1\forall i\in [k^{\prime }]] \end{equation*}
Toward that end, we observe that, for any \(s_1,\cdots ,s_{k^{\prime }}\), the event \(S(s_i)=1\forall i\in [k^{\prime }]\) means that each \(s_i\in S\). For a given size \(\ell\) of \(S\), there are \(\binom{2^\lambda -k^{\prime }}{\ell -k^{\prime }}\) ways to choose such an \(S\). Since for both \(S_1,S_2\) we have that \(S\) is uniform once we choose \(\ell\), this means that for a given \(\ell\),
\begin{equation*} \Pr _S[S(s_i)=1\forall i\in [k^{\prime }]]=\binom{2^\lambda -k^{\prime }}{\ell -k^{\prime }}/\binom{2^\lambda }{\ell }=\frac{(2^\lambda -k^{\prime })!\ell !}{(2^\lambda)!(\ell -k^{\prime })!}=\frac{(2^\lambda -k^{\prime })!}{(2^\lambda)!}\ell (\ell -1)\cdots (\ell -k^{\prime }+1), \end{equation*}
which is a polynomial in \(\ell\) of degree at most \(k^{\prime }\le k\).
This in turn means the probability of any outcome \(z\), once we have fixed \(z\), is a polynomial \(p_z\) in \(\ell\) of degree at most \(k\). Averaging over all \(\ell\), the probability of outcome \(z\) is \(\sum _\ell \Pr [\ell ]p_z(\ell)\). We must therefore show that \(\sum _\ell \Pr [\ell \leftarrow D_1]p_z(\ell)=\sum _\ell \Pr [\ell \leftarrow D_2]p_z(\ell)\), for which it suffices to show that \(\sum _\ell (\Pr [\ell \leftarrow D_1]-\Pr [\ell \leftarrow D_2])\ell ^j=0\) for all \(j\in [0,k]\). Recall that \(\ell\) is always a multiple of \(d\), so this is equivalent to showing \(\sum _i (\Pr [i\cdot d\leftarrow D_1]-\Pr [i\cdot d\leftarrow D_2])(i\cdot d)^j=0\).
We now observe that \(\mathbf {y}\) is in the kernel of \({\mathbf {A}}\), meaning the sum of its components is 0. As such, we must have that \(|\mathbf {y}^+|_1=|\mathbf {y}^-|_1=:R\). Therefore, when we re-normalize \(\mathbf {y}^+\) and \(\mathbf {y}^-\) to get the distributions \(D_1,D_2\), the re-normalization is the same in both cases: dividing by \(R\). Thus \(\mathbf {y}_i/R=\mathbf {y}^+_i/R-\mathbf {y}^-_i/R=\Pr [i\cdot d\leftarrow D_1]-\Pr [i\cdot d\leftarrow D_2]\), meaning \(\sum _i (\Pr [i\cdot d\leftarrow D_1]-\Pr [i\cdot d\leftarrow D_2])(i\cdot d)^j=\frac{d^j}{R} ({\mathbf {A}}\cdot \mathbf {y})_j=0\), as desired. □
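As an added illustration of the construction used in Parts 1 and 2 (this code is not from the paper), the following Python computes \(\mathbf {y}\), \(D_1\) and \(D_2\) exactly in rational arithmetic for small constructed parameters and checks the three facts the proofs rely on: \(D_1\) puts almost all of its mass on \(\ell =0\) (Lemma 9.3), \(D_2\) is supported on \(\ell \ge d\), and \(D_1,D_2\) agree on every moment \(\ell ^j\) with \(j\le k\), hence on the degree-\(k^{\prime }\) polynomial \(\binom{2^\lambda -k^{\prime }}{\ell -k^{\prime }}/\binom{2^\lambda }{\ell }\) from the proof of Lemma 9.5. It indexes the columns of \({\mathbf {A}}\) by \(j=0,\ldots ,n-1\) so that \({\mathbf {A}}\) has exactly \(n\) columns as stated; the values \(k=2\), \(n=100\), \(d=2\) and \(2^\lambda =256\) are toy parameters chosen for the example, not the paper's.

```python
from fractions import Fraction
from math import comb

# Constructed toy parameters (not the paper's): in the proof k is polynomial
# while n and d are super-polynomial; NUM_SALTS plays the role of 2^lambda.
K, N_COLS, D_STEP, NUM_SALTS = 2, 100, 2, 256


def vandermonde_rows(k, n):
    """The matrix A: row i (0-indexed, i = 0..k) is (0^i, 1^i, 2^i, ..., (n-1)^i).

    Columns are indexed j = 0..n-1 so that A has exactly n columns; Python's
    0**0 == 1 gives the all-ones first row.
    """
    return [[Fraction(j ** i) for j in range(n)] for i in range(k + 1)]


def solve(M, b):
    """Exact Gauss-Jordan elimination for a square matrix M of Fractions."""
    m = len(M)
    aug = [row[:] + [b[i]] for i, row in enumerate(M)]
    for col in range(m):
        piv = next(r for r in range(col, m) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(m):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * c for a, c in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def kernel_projection(k, n):
    """y = x - z, where z = A^T (A A^T)^{-1} A x is the projection of x = (1,-1,0,...,0)
    onto the row span of A; y is its projection onto the orthogonal complement, so A y = 0."""
    A = vandermonde_rows(k, n)
    x = [Fraction(0)] * n
    x[0], x[1] = Fraction(1), Fraction(-1)
    Ax = [sum(a * xi for a, xi in zip(row, x)) for row in A]
    B = [[sum(a * b for a, b in zip(r1, r2)) for r2 in A] for r1 in A]  # B = A A^T
    w = solve(B, Ax)                                                      # w = B^{-1} A x
    z = [sum(A[i][j] * w[i] for i in range(k + 1)) for j in range(n)]     # z = A^T w
    return [xi - zi for xi, zi in zip(x, z)]


def salt_count_distributions(k, n, d):
    """D_1 and D_2 as dicts {ell: Pr[ell]} with ell = i*d and weights y^+_i / R, y^-_i / R."""
    y = kernel_projection(k, n)
    y_plus = [max(v, Fraction(0)) for v in y]
    y_minus = [max(-v, Fraction(0)) for v in y]
    R = sum(y_plus)
    if R != sum(y_minus):        # sum(y) = (A y)_0 = 0 forces |y^+|_1 == |y^-|_1
        raise AssertionError("y is not in the kernel of A")
    D1 = {i * d: v / R for i, v in enumerate(y_plus) if v}
    D2 = {i * d: v / R for i, v in enumerate(y_minus) if v}
    return D1, D2


def moment(D, j):
    """E[ell^j] under D; D_1 and D_2 agree for every j <= k because A y = 0."""
    return sum(p * Fraction(ell) ** j for ell, p in D.items())


def all_in_S_prob(num_salts, ell, kp):
    """Pr[s_1..s_k' all lie in S] for a uniform S of size ell among num_salts salts:
    C(num_salts-k', ell-k') / C(num_salts, ell), a polynomial of degree k' in ell."""
    if ell < kp:
        return Fraction(0)
    return Fraction(comb(num_salts - kp, ell - kp), comb(num_salts, ell))


def expected_all_in_S(D, num_salts, kp):
    """Average of all_in_S_prob over ell drawn from D (the quantity compared in Lemma 9.5)."""
    return sum(p * all_in_S_prob(num_salts, ell, kp) for ell, p in D.items())


if __name__ == "__main__":
    D1, D2 = salt_count_distributions(K, N_COLS, D_STEP)
    print("Pr[0 <- D_1] =", float(D1[0]), " Pr[d <- D_2] =", float(D2[D_STEP]))
    for j in range(K + 1):
        print(f"moment {j}: D_1 {float(moment(D1, j)):.6f}  D_2 {float(moment(D2, j)):.6f}")
    for kp in range(K + 1):
        same = expected_all_in_S(D1, NUM_SALTS, kp) == expected_all_in_S(D2, NUM_SALTS, kp)
        print(f"k'={kp}: expectations under D_1 and D_2 equal: {same}")
```

Because the arithmetic is exact, the moment equalities and the equality of the two expectations hold as rational identities rather than up to floating-point error, which is exactly the statement \({\mathbf {A}}\cdot (\mathbf {y}^+-\mathbf {y}^-)=0\) used at the end of the proof of Lemma 9.5. Increasing \(n\) with \(k\) fixed drives \(\Pr [0\leftarrow D_1]\) towards 1, as Lemma 9.3 predicts.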
Part 3: Statistical independence for \(E_2\). Here, we show that when \(H^{\prime }\) is sampled from \(E_2\), but when the adversary is still provided the advice \(a(H)\), then for most choices of the salt \(k_1\), \(H(k_1||\cdot)\) is statistically close to uniform even given \(a(H)\) and \(H^{\prime }\).
Let \(H(s||\cdot)\) denote the slice of the truth table of \(H\) corresponding to salt \(s\). Let \(\overline{H}(s||\cdot)\) denote the remaining truth table not included in \(H(s||\cdot)\).
Lemma 9.7.
Consider sampling a uniform \(H\), and then sampling \(H^{\prime }\leftarrow E_2\) and letting \(k_1\leftarrow \lbrace 0,1\rbrace ^\lambda \setminus S\). Then the distributions \((a(H),k_1,H(k_1||\cdot),\overline{H^{\prime }}(k_1||\cdot))\) and \((a(H),k_1,R,\overline{H^{\prime }}(k_1||\cdot))\) are \(\sqrt {|a(H)|/2d}\)-close in statistical distance, where \(R\) is an independent uniform truth table.
Proof.
In order to prove Lemma 9.7, we will need the following technical lemma:
Lemma 9.8.
Let \(D\) be a distribution and \(X_1,\dots ,X_g,Y\) be iid random variables sampled from \(D\). Let \(F\) be a function with co-domain of size \(2^r\). Then
\begin{equation*} \Delta (\;(\mathcal {I},X_\mathcal {I},F(X_1,\dots ,X_g))\;,\;(\mathcal {I},Y,F(X_1,\dots ,X_g))\;)\le \sqrt {r/2g} \end{equation*}
Above, \(\mathcal {I}\) is uniform in \([g]\), and \(\Delta\) denotes statistical distance.
Proof.
Let \(I(X;Y)\) denote the mutual information between random variables \(X\) and \(Y\). Then
\begin{equation*} r\ge I(\;F(X_1,\dots ,X_g)\;;\;X_1,\dots ,X_g\;)\ge \sum _{i=1}^g I(\;F(X_1,\dots ,X_g)\;;\; X_i\;) \end{equation*}
where the second inequality is due to the independence of the \(X_i\). Let \(\delta _i\) be the statistical distance between the distributions \((F(X_1,\dots ,X_g),X_i)\) and \((F(X_1,\dots ,X_g),Y)\). Let \(\delta\) be the statistical distance between \((\mathcal {I},X_\mathcal {I},F(X_1,\dots ,X_g))\) and \((\mathcal {I},Y,F(X_1,\dots ,X_g))\); our goal is to bound \(\delta\). \(I(\;F(X_1,\dots ,X_g)\;;\; X_i\;)\) is just the KL divergence between \((F(X_1,\dots ,X_g),X_i)\) and \((F(X_1,\dots ,X_g),Y)\). By Pinsker’s inequality, we therefore have that \(\delta _i\le \sqrt {I(\;F(X_1,\dots ,X_g)\;;\; X_i\;)/2}\). This implies
\begin{equation*} r\ge 2\sum _{i=1}^g \delta _i^2 \end{equation*}
On the other hand, \(\delta =(\sum _i \delta _i)/g\). Jensen’s inequality then gives that
\begin{equation*} \delta \le \sqrt {\sum _i \delta _i^2/g}\le \sqrt {r/2g}. \end{equation*}
□
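As an added, self-contained check of Lemma 9.8 (not from the paper), the following Python enumerates the two joint distributions for iid uniform bits and an arbitrary leakage function \(F\), computes the statistical distance \(\delta\) exactly, and compares it with the bound \(\sqrt {r/2g}\). The two leakage functions are constructed for the example: one reveals the first \(r\) variables outright (so \(\delta _i=1/2\) for each revealed index and \(0\) otherwise, giving \(\delta =r/2g\)), the other reveals the majority bit of \(g=5\) variables.

```python
from fractions import Fraction
from itertools import product
from math import sqrt


def stat_dist(p, q):
    """Statistical distance Delta(p, q) = 1/2 * sum_x |p(x) - q(x)|, exact over Fractions."""
    return sum(abs(p.get(x, Fraction(0)) - q.get(x, Fraction(0))) for x in set(p) | set(q)) / 2


def leakage_distance(g, F):
    """Exact Delta((I, X_I, F(X)), (I, Y, F(X))) where X_1..X_g, Y are iid uniform bits and
    I is uniform in [g]; F is any function of the g bits and its output is the leakage."""
    real, ideal = {}, {}
    w = Fraction(1, g * 2 ** (g + 1))   # probability of one (x, i, y) triple
    for x in product((0, 1), repeat=g):
        f = F(x)
        for i in range(g):
            for y in (0, 1):
                # real world: the i-th variable itself; ideal world: a fresh sample y
                real[(i, x[i], f)] = real.get((i, x[i], f), Fraction(0)) + w
                ideal[(i, y, f)] = ideal.get((i, y, f), Fraction(0)) + w
    return stat_dist(real, ideal)


def lemma_bound(r, g):
    """The bound sqrt(r / 2g) of Lemma 9.8 for r bits of leakage about g samples."""
    return sqrt(r / (2 * g))


def leak_prefix(r):
    """Constructed leakage: reveal the first r variables verbatim (r bits of output)."""
    return lambda x: tuple(x[:r])


def majority(x):
    """Constructed one-bit leakage: the majority bit of an odd number of variables."""
    return int(2 * sum(x) > len(x))


if __name__ == "__main__":
    d_prefix = leakage_distance(6, leak_prefix(2))   # r = 2, g = 6: equals r/2g = 1/6
    d_major = leakage_distance(5, majority)          # r = 1, g = 5: equals 3/16
    print("prefix leakage:", d_prefix, "bound", lemma_bound(2, 6))
    print("majority leakage:", d_major, "bound", lemma_bound(1, 5))
```

The enumeration is only feasible for tiny \(g\), but it makes the mechanism of the lemma concrete: \(r\) bits of leakage can make at most a few of the \(X_i\) distinguishable from fresh samples, so a uniformly chosen index is distinguishable with probability that decays as \(g\) grows, which is how Part 3 argues that \(H(k_1||\cdot)\) stays close to uniform given \(a(H)\).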
We now apply Lemma 9.8 to our setting. Consider sampling a random \(S\) of size \(\ell\) where \(\ell\) is sampled from \(D_2\); recall that \(D_2\) is supported only on \(\ell \ge d\). Now consider sampling a random \(k_1\notin S\). It is equivalent to sample a random set \(S^{\prime }\) of size \(\ell +1\), then let \(k_1\) be uniform in \(S^{\prime }\) and set \(S=S^{\prime }\setminus \lbrace k_1\rbrace\).
Therefore let \(g=\ell +1\), and let \(X_1,\cdots ,X_g\) denote the slices \(H(s||\cdot)\) of the truth table of \(H\), for \(s\in S\cup \lbrace k_1\rbrace\). Now fix \(H(s||\cdot)\) for \(s\notin S\cup \lbrace k_1\rbrace\); call this partial truth table \(H_{\sf part}\). Let \(F\) be the function of \(X_1,\cdots ,X_g\) which computes \(a(H)\) (\(H\) being fully specified by \(H_{\sf part}\) together with \(X_1,\cdots ,X_g\)). Lemma 9.8 now says that the tuples \((k_1,H(k_1||\cdot),a(H))\) and \((k_1,R,a(H))\) are \(\sqrt {|a(H)|/2d}\)-close given \(H_{\sf part}\), where \(R\) is an independent uniform truth table. To complete the proof of Lemma 9.7, we simply observe that \(\overline{H^{\prime }}(k_1||\cdot)\) consists of \(H_{\sf part}\) together with \(H^{\prime }(s||\cdot)\) for \(s\in S\). But recall that for \(s\in S\), we set \(H^{\prime }(s||\cdot)=J(s||\cdot)\), where \(J\) is an independent random oracle, meaning all information about \(H(s||\cdot)\) is erased from \(H^{\prime }\). Therefore, even conditioned on \(\overline{H^{\prime }}(k_1||\cdot)\), the tuples \((k_1,H(k_1||\cdot),a(H))\) and \((k_1,R,a(H))\) remain statistically close. Averaging over all choices of \(\overline{H^{\prime }}\) gives the lemma.
Part 4: Putting it all together. We now put everything together, obtaining an adversary for \(\mathsf {Prove}_0,\mathsf {Verify}_0\). To create our adversary \(\mathcal {B}\), we do the following:
Choose a random \(H\) and compute \(a(H)\).
Choose a random set \(S\) from \(D_2\). Choose a random \(J\) and compute \(H^{\prime }\).
Choose a random \(k_1\in \lbrace 0,1\rbrace ^\lambda \setminus S\).
We will fix \(H,a(H),S,k_1,H^{\prime }\) in the description of \(\mathcal {B}\); alternatively we could imagine \(\mathcal {B}\) choosing the \(H,a(H),S,k_1,H^{\prime }\) which maximize its success probability.
\(\mathcal {B}^{H_0}(1^\lambda ,k_0,1^h)\) runs \(\mathcal {A}^{H^{\prime \prime }}(1^\lambda ,a(H),k_0||k_1,1^h)\) and outputs whatever \(\mathcal {A}\) outputs, where \(H_0\) is the random oracle \(\mathcal {B}\) is given, and \(H^{\prime \prime }\) is the oracle:
\begin{equation*} H^{\prime \prime }(s,x)={\left\lbrace \begin{array}{ll}H^{\prime }(s,x)&\text{ if }s\ne k_1\\ H_0(x)&\text{ if }s=k_1 \end{array}\right.} \end{equation*}
Lemma 9.9.
With non-negligible probability over the choice of \(H,a(H),S,k_1,H^{\prime }\) as sampled above, there is a non-negligible \(\delta ^{\prime }\) such that the following is true:
\begin{align} \Pr [\mathsf {Verify}_0^{H_0}(1^\lambda ,k_0,1^h,\mathcal {B}^{H_0}(1^\lambda ,k_0,1^h))\ne \bot ]&\ge \delta ^{\prime }(\lambda) \end{align}
(44)
\begin{align} H_\infty \left(\mathcal {B}^{H_0}_{\top }(1^\lambda ,k_0,1^h)\right)&\le h+1 \end{align}
(45)
where the probabilities above are taken over the choice of uniform \(H_0,k_0\). In particular, there exists such a choice of \(H,a(H),S,k_1,H^{\prime }\) which makes \(\mathcal {B}\) break the security of \(\mathsf {Prove}_0,\mathsf {Verify}_0\).
This lemma therefore completes the proof of Theorem 3.11.
Proof.
We first consider setting \(H_0\) to be \(H^{\prime }(k_1||\cdot)\). In this case, \(H^{\prime \prime }=H^{\prime }\) so \(\mathcal {B}\) runs \(\mathcal {A}\) on \(H^{\prime }\), and by Lemmas 9.2 and 9.5, the entropy of the output of \(\mathcal {A}\) and hence \(\mathcal {B}\) is less than \(h+1\) with non-negligible probability over the choice of \(H,a(H),S,k_1,H^{\prime }\).
Now we actually set \(\mathcal {B}\)’s oracle to \(H_0\). By Lemma 9.7, \(H_0\) and \(H^{\prime }(k_1||\cdot)\) are statistically close, even given \(a(H),S,k_1,\overline{H^{\prime }}(k_1||\cdot)\). Since the min-entropy of \(\mathcal {B}\) is a property of the oracle it sees (and \(k_0\)), even after changing to \(H_0\), the probability \(\mathcal {B}\)’s entropy is less than \(h+1\) is only negligibly affected, and is hence still non-negligible. □
This completes the proof of Theorem 3.11. □

Footnotes

1
Matrix group membership includes discrete logarithms as a special case. For a public key system based on Pell’s equations, see [49].
2
There is also some evidence that quantum black box techniques cannot overcome this barrier [8].
3
List-recoverable codes have been used in cryptography in the contexts of domain extension of hash functions [15, 32, 41] and the Fiat-Shamir transform [36].
4
In the main body, we use an extension field \(\mathbb {F}_q\) (i.e., \(q\) is a prime power) for an appropriate parameter choice, but one can think of it as a prime field for the purpose of this overview.
5
Note that an element of \(\Sigma ^n\) can be written as a vector over \(\mathbb {F}_q\). Here, we simply write \(\mathsf {QFT}\) to mean the operation that applies QFT over the additive group of \(\mathbb {F}_q\) for each coordinate.
6
It may not be immediately clear from the definition below that \(\mathrm{Tr}(x)\in \mathbb {F}_p\), but this is a well-known fact [43].
7
The classical random oracle model is often just referred to as the ROM, but we call it CROM to emphasize that the oracle access is classical.
8
We could also consider the QROM with quantum auxiliary-inputs, but we do not consider it in this article.
9
Note that it does not always hold that \(\mathbb {F}_q^n=C \oplus C^\perp\) since the bilinear form \((\mathbf {x},\mathbf {y})\mapsto \mathbf {x}\cdot \mathbf {y}\) does not satisfy the axioms of the inner product (i.e., there may exist \(\mathbf {x}\ne 0\) such that \(\mathbf {x}\cdot \mathbf {x}=0\)).
10
Recall that \(\mathbf {x}\cdot \mathbf {z}\) for \(\mathbf {x},\mathbf {z}\in \Sigma ^n\) is defined in Section 2.1.
11
Item 3 is not needed for the construction of a proof of quantumness given in Section 6. It is used only in the counterexample for one-way functions given in Section 7.1.
12
Reed-Solomon codes whose length \(N\) is smaller than \(q-1\) are often considered. But we focus on the case of \(N=q-1\).
13
Recall that the dimension of (generalized) Reed-Solomon codes is the degree parameter \(k\) plus one.
14
[31] described the list decoding algorithm for Reed-Solomon codes, but that can be extended to one for generalized Reed-Solomon codes in a straightforward manner since scalar multiplications in each coordinate do not affect the decodability.
15
We remark that the roles of \(n\) and \(N\) are swapped compared with [30, 51].
16
The following lemma is based on Rudra’s PhD thesis [51]. The same result is also presented in the journal version [30], but note that there is a notational difference in the definition of list recovery: the definition of \((\zeta ,\ell ,L)\)-list recovery of [30] means \(((1-\zeta),\ell ,L)\)-list recovery of [51] and this article. See also Footnote 14.
17
This is an example of the parameter choice. Any prime power of the form \(q=nm+1\) where \(n\) and \(m\) are positive integers such that \(n=\Omega (\lambda)\) and \(m=\Omega (\lambda)\) suffices.
18
\(\mathcal {D}^n\) is defined as a distribution over \(\Sigma ^n\), but its sample can be interpreted as an element of \(\mathbb {F}_q^N\) in the canonical way.
19
Recall the notation \(\mathbf {x}_S=(x_i)_{i\in S}\) for \(\mathbf {x}=(x_1,\ldots ,x_N) \in \mathbb {F}_q^N\) and \(S\subseteq [N]\).
20
We can take \(\exists \mathbf {y}\in C^\perp\) instead of \(\exists \mathbf {y}\in C^\perp \setminus \lbrace \mathbf {0}\rbrace\) in the RHS since this does not decrease the probability. Indeed, one can see that the probabilities are the same noting that \(\mathbf {e}_{\bar{S}^*}\) does not take 0 on any index and \(|\bar{S}^*|\gt d+2\epsilon N\).
21
Strictly speaking, we consider a random oracle with the domain \(\lbrace 0,1\rbrace ^*\). However, since our construction only makes queries to \(H\) on (bit representations of) elements of \(\Sigma\) for a fixed security parameter, we simply write \(H\) for the restriction of \(H\) to (bit representations of) \(\Sigma\).
22
Since we assume that \(H\) is sampled from \(\widetilde{\mathcal {H}}\), we do not define them when \(|T_i^{H_i}|=0\) for some \(i\).
23
Mathematically, the set \(\widetilde{\mathcal {H}}_i\) does not depend on \(i\). We index it by \(i\) for notational convenience.
24
That is, we first define \(\hat{B}\) and then define \(B\) as its inverse discrete Fourier transform.
25
In fact, it suffices to require \(\epsilon _\mathsf {poq}(\lambda)\le c\delta _\mathcal {A}(\lambda)\) for any constant \(c\lt 1\).
26
\(\mathsf {poly}\) means a polynomial in the number of repetitions of \(\mathcal {A}\) run by \(\mathcal {A}^{\prime }\).
27
This idea is inspired by [22].
28
If there is a tie, we choose the smallest one in the lexicographical order.

References

[1]
Scott Aaronson and Andris Ambainis. 2014. The need for structure in quantum speedups. Theory of Computing 10 (2014), 133–166.
[2]
Scott Aaronson and Alex Arkhipov. 2011. The computational complexity of linear optics. In Proceedings of the 43rd ACM STOC, Lance Fortnow and Salil P. Vadhan (Eds.). ACM Press, 333–342.
[3]
Scott Aaronson and Yaoyun Shi. 2004. Quantum lower bounds for the collision and the element distinctness problems. Journal of the ACM 51, 4 (2004), 595–605.
[4]
Leonard Adleman. 1979. A subexponential algorithm for the discrete logarithm problem with applications to cryptography. In Proceedings of the 20th Annual Symposium on Foundations of Computer Science (SFCS 1979). 55–60.
[5]
Andris Ambainis, Ansis Rosmanis, and Dominique Unruh. 2014. Quantum attacks on classical proof systems: The hardness of quantum rewinding. In Proceedings of the 55th FOCS. IEEE Computer Society Press, 474–483.
[6]
Ryan Amos, Marios Georgiou, Aggelos Kiayias, and Mark Zhandry. 2020. One-shot signatures and applications to hybrid quantum/classical authentication. In Proceedings of the 52nd ACM STOC, Konstantin Makarychev, Yury Makarychev, Madhur Tulsiani, Gautam Kamath, and Julia Chuzhoy (Eds.). ACM Press, 255–268.
[7]
Atul Singh Arora, Andrea Coladangelo, Matthew Coudron, Alexandru Gheorghiu, Uttam Singh, and Hendrik Waldner. 2022. Quantum depth in the random oracle model. In Proceedings of the 55th ACM STOC. ACM Press, 1111–1124.
[8]
Per Austrin, Hao Chung, Kai-Min Chung, Shiuan Fu, Yao-Ting Lin, and Mohammad Mahmoody. 2022. On the impossibility of key agreements from quantum random oracles. In Proceedings of the CRYPTO 2022, Part II (LNCS, Vol. 13508), Yevgeniy Dodis and Thomas Shrimpton (Eds.). Springer, Heidelberg, 165–194.
[9]
László Babai, Robert Beals, and Ákos Seress. 2009. Polynomial-time theory of matrix groups. In Proceedings of the 41st ACM STOC, Michael Mitzenmacher (Ed.). ACM Press, 55–64.
[10]
Robert Beals, Harry Buhrman, Richard Cleve, Michele Mosca, and Ronald de Wolf. 2001. Quantum lower bounds by polynomials. Journal of the ACM 48, 4 (2001), 778–797.
[11]
Robert Beals, Harry Buhrman, Richard Cleve, Michele Mosca, and Ronald de Wolf. 1998. Quantum lower bounds by polynomials. In Proceedings of the 39th FOCS. IEEE Computer Society Press, 352–361.
[12]
Mihir Bellare and Phillip Rogaway. 1993. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the ACM CCS 93, Dorothy E. Denning, Raymond Pyle, Ravi Ganesan, Ravi S. Sandhu, and Victoria Ashby (Eds.). ACM Press, 62–73.
[13]
Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh V. Vazirani. 1997. Strengths and weaknesses of quantum computing. SIAM Journal on Computing 26, 5 (1997), 1510–1523.
[14]
Ethan Bernstein and Umesh V. Vazirani. 1993. Quantum complexity theory. In Proceedings of the 25th ACM STOC. ACM Press, 11–20.
[15]
Nir Bitansky, Yael Tauman Kalai, and Omer Paneth. 2018. Multi-collision resistance: A paradigm for keyless hash functions. In Proceedings of the 50th ACM STOC, Ilias Diakonikolas, David Kempe, and Monika Henzinger (Eds.). ACM Press, 671–684.
[16]
Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner, and Mark Zhandry. 2011. Random oracles in a quantum world. In Proceedings of the ASIACRYPT 2011 (LNCS, Vol. 7073), Dong Hoon Lee and Xiaoyun Wang (Eds.). Springer, Heidelberg, 41–69.
[17]
Zvika Brakerski, Paul Christiano, Urmila Mahadev, Umesh V. Vazirani, and Thomas Vidick. 2018. A cryptographic test of quantumness and certifiable randomness from a single quantum device. In Proceedings of the 59th FOCS, Mikkel Thorup (Ed.). IEEE Computer Society Press, 320–331.
[18]
Zvika Brakerski, Venkata Koppula, Umesh V. Vazirani, and Thomas Vidick. 2020. Simpler proofs of quantumness. In Proceedings of the TQC 2020 (LIPIcs, Vol. 158). 8:1–8:14.
[19]
Michael J. Bremner, Richard Jozsa, and Dan J. Shepherd. 2010. Classical simulation of commuting quantum computations implies collapse of the polynomial hierarchy. Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 467, 2126 (2010), 459–472.
[20]
Harry Buhrman and Ronald de Wolf. 2002. Complexity measures and decision tree complexity: A survey. Theoretical Computer Science 288, 1 (2002), 21–43.
[21]
Ran Canetti, Oded Goldreich, and Shai Halevi. 1998. The random oracle methodology, revisited (preliminary version). In Proceedings of the 30th ACM STOC. ACM Press, 209–218.
[22]
Nai-Hui Chia, Kai-Min Chung, and Takashi Yamakawa. 2020. Classical verification of quantum computations with efficient verifier. In Proceedings of the TCC 2020, Part III (LNCS, Vol. 12552), Rafael Pass and Krzysztof Pietrzak (Eds.). Springer, Heidelberg, 181–206.
[23]
Alessandro Chiesa, Peter Manohar, and Nicholas Spooner. 2019. Succinct arguments in the quantum random oracle model. In Proceedings of the TCC 2019, Part II (LNCS, Vol. 11892), Dennis Hofheinz and Alon Rosen (Eds.). Springer, Heidelberg, 1–29.
[24]
Andrew M. Childs, Richard Cleve, Enrico Deotto, Edward Farhi, Sam Gutmann, and Daniel A. Spielman. 2003. Exponential algorithmic speedup by a quantum walk. In Proceedings of the 35th ACM STOC. ACM Press, 59–68.
[25]
Man-Duen Choi. 1983. Tricks or treats with the Hilbert matrix. The American Mathematical Monthly 90, 5 (1983), 301–312. Retrieved from http://www.jstor.org/stable/2975779
[26]
Kai-Min Chung, Siyao Guo, Qipeng Liu, and Luowen Qian. 2020. Tight quantum time-space tradeoffs for function inversion. In Proceedings of the 61st FOCS. IEEE Computer Society Press, 673–684.
[27]
Sandro Coretti, Yevgeniy Dodis, Siyao Guo, and John P. Steinberger. 2018. Random oracles and non-uniformity. In Proceedings of the EUROCRYPT 2018, Part I (LNCS, Vol. 10820), Jesper Buus Nielsen and Vincent Rijmen (Eds.). Springer, Heidelberg, 227–258.
[28]
J. Niel de Beaudrap, Richard Cleve, and John Watrous. 2002. Sharp quantum versus classical query complexity separations. Algorithmica 34, 4 (2002), 449–461.
[29]
Jelle Don, Serge Fehr, Christian Majenz, and Christian Schaffner. 2019. Security of the Fiat-Shamir transformation in the quantum random-oracle model. In Proceedings of the CRYPTO 2019, Part II (LNCS, Vol. 11693), Alexandra Boldyreva and Daniele Micciancio (Eds.). Springer, Heidelberg, 356–383.
[30]
Venkatesan Guruswami and Atri Rudra. 2008. Explicit codes achieving list decoding capacity: Error-correction with optimal redundancy. IEEE Transactions on Information Theory 54, 1 (2008), 135–150.
[31]
Venkatesan Guruswami and Madhu Sudan. 1999. Improved decoding of Reed-Solomon and algebraic-geometry codes. IEEE Transactions on Information Theory 45, 6 (1999), 1757–1767.
[32]
Iftach Haitner, Yuval Ishai, Eran Omri, and Ronen Shaltiel. 2015. Parallel hashing via list recoverability. In Proceedings of the CRYPTO 2015, Part II (LNCS, Vol. 9216), Rosario Gennaro and Matthew J. B. Robshaw (Eds.). Springer, Heidelberg, 173–190.
[33]
Sean Hallgren. 2002. Polynomial-time quantum algorithms for Pell’s equation and the principal ideal problem. In Proceedings of the 34th ACM STOC. ACM Press, 653–658.
[34]
Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. 1999. A pseudorandom generator from any one-way function. SIAM Journal on Computing 28, 4 (1999), 1364–1396.
[35]
Minki Hhan, Keita Xagawa, and Takashi Yamakawa. 2019. Quantum random oracle model with auxiliary input. In Proceedings of the ASIACRYPT 2019, Part I (LNCS, Vol. 11921), Steven D. Galbraith and Shiho Moriai (Eds.). Springer, Heidelberg, 584–614.
[36]
Justin Holmgren, Alex Lombardi, and Ron D. Rothblum. 2021. Fiat-Shamir via list-recoverable codes (or: parallel repetition of GMW is not zero-knowledge). In Proceedings of the 53rd ACM STOC, Samir Khuller and Virginia Vassilevska Williams (Eds.). ACM Press, 750–760. DOI:DOI:
[37]
R. Impagliazzo. 1995. A personal view of average-case complexity. In Proceedings of Structure in Complexity Theory. 10th Annual IEEE Conference. 134–147. DOI:DOI:
[38]
Russell Impagliazzo and Steven Rudich. 1989. Limits on the provable consequences of one-way permutations. In Proceedings of the 21st ACM STOC. ACM Press, 44–61. DOI:DOI:
[39]
Shuichi Katsumata, Shota Yamada, and Takashi Yamakawa. 2018. Tighter security proofs for GPV-IBE in the quantum random oracle model. In Proceedings of the ASIACRYPT 2018, Part II(LNCS, Vol. 11273), Thomas Peyrin and Steven Galbraith (Eds.). Springer, Heidelberg, 253–282. DOI:DOI:
[40]
Eike Kiltz, Vadim Lyubashevsky, and Christian Schaffner. 2018. A concrete treatment of fiat-shamir signatures in the quantum random-oracle model. In Proceedings of the EUROCRYPT 2018, Part III(LNCS, Vol. 10822), Jesper Buus Nielsen and Vincent Rijmen (Eds.). Springer, Heidelberg, 552–586. DOI:DOI:
[41]
Ilan Komargodski, Moni Naor, and Eylon Yogev. 2018. Collision resistant hashing for paranoids: Dealing with multiple collisions. In Proceedings of the EUROCRYPT 2018, Part II(LNCS, Vol. 10821), Jesper Buus Nielsen and Vincent Rijmen (Eds.). Springer, Heidelberg, 162–194. DOI:DOI:
[42]
Victor Yu. Krachkovsky. 2003. Reed-solomon codes for correcting phased error bursts. IEEE Transactions on Information Theory 49, 11 (2003), 2975–2984.
[43]
Rudolf Lidl and Harald Niederreiter. 1997. Finite fields (2nd ed.). Encyclopedia of Mathematics and its Applications, Vol. 20. Cambridge University Press, Cambridge.
[44]
Yehuda Lindell. 2010. Introduction to Coding Theory Lecture Notes. Retrieved from https://u.cs.biu.ac.il/lindell/89-662/coding_theory-lecture-notes.pdf
[45]
Qipeng Liu. 2023. Non-uniformity, quantum advice in the quantum random oracle model. In Proceedings of the EUROCRYPT 2023 (to appear).
[46]
Qipeng Liu and Mark Zhandry. 2019. Revisiting post-quantum fiat-shamir. In Proceedings of the CRYPTO 2019, Part II(LNCS, Vol. 11693), Alexandra Boldyreva and Daniele Micciancio (Eds.). Springer, Heidelberg, 326–355. DOI:DOI:
[47]
Michael Mitzenmacher and Salil P. Vadhan. 2008. Why simple hash functions work: Exploiting the entropy in a data stream. In Proceedings of the 19th SODA, Shang-Teng Huang (Ed.). ACM-SIAM, 746–755.
[48]
Tomoyuki Morimae and Takashi Yamakawa. 2022. Proofs of Quantumness from Trapdoor Permutations. Cryptology ePrint Archive, Report 2022/1102. Retrieved from https://eprint.iacr.org/2022/1102
[49]
Sahadeo Padhye. 2006. A Public Key Cryptosystem Based On Pell Equation. Cryptology ePrint Archive, Report 2006/191. Retrieved from https://eprint.iacr.org/2006/191
[50]
Oded Regev. 2005. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th ACM STOC, Harold N. Gabow and Ronald Fagin (Eds.). ACM Press, 84–93. DOI:DOI:
[51]
Atri Rudra. 2007. List Decoding and Property Testing of Error Correcting Codes. Ph. D. Dissertation. University of Washington.
[52]
Tsunekazu Saito, Keita Xagawa, and Takashi Yamakawa. 2018. Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In Proceedings of the EUROCRYPT 2018, Part III(LNCS, Vol. 10822), Jesper Buus Nielsen and Vincent Rijmen (Eds.). Springer, Heidelberg, 520–551. DOI:DOI:
[53]
Peter W. Shor. 1994. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th FOCS. IEEE Computer Society Press, 124–134. DOI:DOI:
[54]
Daniel R. Simon. 1997. On the power of quantum computation. SIAM Journal of the Computing 26, 5 (October 1997), 1474–1483.
[55]
Ehsan Ebrahimi Targhi and Dominique Unruh. 2016. Post-quantum security of the fujisaki-okamoto and OAEP transforms. In Proceedings of the TCC 2016-B, Part II(LNCS, Vol. 9986), Martin Hirt and Adam D. Smith (Eds.). Springer, Heidelberg, 192–216. DOI:DOI:
[56]
Dominique Unruh. 2007. Random oracles and auxiliary input. In Proceedings of the CRYPTO 2007(LNCS, Vol. 4622), Alfred Menezes (Ed.). Springer, Heidelberg, 205–223. DOI:DOI:
[57]
Wim van Dam, Sean Hallgren, and Lawrence Ip. 2006. Quantum algorithms for some hidden shift problems. SIAM Journal of the Computing 36, 3 (2006), 763–778.
[58]
Takashi Yamakawa and Mark Zhandry. 2021. Classical vs quantum random oracles. In Proceedings of the EUROCRYPT 2021, Part II(LNCS, Vol. 12697), Anne Canteaut and François-Xavier Standaert (Eds.). Springer, Heidelberg, 568–597. DOI:DOI:
[59]
Henry Yuen. 2014. A quantum lower bound for distinguishing random functions from random permutations. Quantum Information & Computation 14, 13–14 (oct 2014), 1089–1097.
[60]
Mark Zhandry. 2012. Secure identity-based encryption in the quantum random oracle model. In Proceedings of the CRYPTO 2012(LNCS, Vol. 7417), Reihaneh Safavi-Naini and Ran Canetti (Eds.). Springer, Heidelberg, 758–775. DOI:DOI:
[61]
Mark Zhandry. 2015. A note on the quantum collision and set equality problems. Quantum Information & Computation 15, 7–8 (May 2015), 557–567.

Published In

Journal of the ACM  Volume 71, Issue 3
June 2024
323 pages
EISSN:1557-735X
DOI:10.1145/3613558
Issue’s Table of Contents
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 June 2024
Online AM: 22 April 2024
Accepted: 09 April 2024
Revised: 19 March 2024
Received: 23 February 2023
Published in JACM Volume 71, Issue 3
Author Tags

  1. Quantum advantage
  2. random oracle
  3. NP problem