# Lower Bounds for Function Inversion with Quantum Advice

Function inversion is that given a random function f: [M] → [N], we want to compute some auxiliary information of size S that we can find pre-image of any image with a few queries to the function given as a black box in time T. It is a well-studied problem in the classical settings, however, it is not clear how a quantum adversary can do better at this task besides invoking Grover's algorithm. Nayebi et al. proved a lower bound for adversaries inverting permutations leveraging only quantum queries to the black box. We give a matching lower bound for functions and permutations where M = O(N), and allowing adversaries to be fully quantum, and thus resolving the open question positively raised by Nayebi et al. of whether such lower bound is achievable for inverters with quantum advice. In order to prove these bounds, we also proved a lower bound for a generalized version of quantum random access code (originally introduced by Ambainis et al.), i.e. under the setting where the encoding length is variable and each element can be arbitrarily correlated, which may be of independent interest.

## Authors

• 12 publications
• 2 publications
• 2 publications
• ### Tight Quantum Time-Space Tradeoffs for Function Inversion

In function inversion, we are given a function f: [N] ↦ [N], and want to...
06/10/2020 ∙ by Kai-Min Chung, et al. ∙ 0

• ### Simon's problem for linear functions

Simon's problem asks the following: determine if a function f: {0,1}^n →...
10/29/2018 ∙ by Joran van Apeldoorn, et al. ∙ 0

• ### Efficient simulation of random states and random unitaries

We consider the problem of efficiently simulating random quantum states ...
10/13/2019 ∙ by Gorjan Alagic, et al. ∙ 0

• ### Lower bound the T-count via unitary stabilizer nullity

We introduce magic measures for multi-qubit quantum gates and establish ...
03/18/2021 ∙ by Jiaqing Jiang, et al. ∙ 0

• ### Quantum Lower Bounds for Approximate Counting via Laurent Polynomials

This paper proves new limitations on the power of quantum computers to s...
04/18/2019 ∙ by Scott Aaronson, et al. ∙ 0

• ### Quantum Lower Bounds for 2D-Grid and Dyck Language

We show quantum lower bounds for two problems. First, we consider the pr...
11/28/2019 ∙ by Andris Ambainis, et al. ∙ 0

• ### On Finding Quantum Multi-collisions

A k-collision for a compressing hash function H is a set of k distinct i...
11/13/2018 ∙ by Qipeng Liu, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

Space-time trade-offs are a widely observed phenomenon in data structure complexity. In this work, we are interested in space-time trade-offs in inverting random functions, namely, the trade-off between the size (in the number of bits) of pre-computed data structure (or advice) about the function and the algorithm’s running time for computing the inverse of a certain image. Such trade-offs give lower bound for algorithms that inverts cryptographic functions without taking the specific structure of that family of functions.

Without pre-computed advice (), classical computers requires for inverting a fraction of the input for a random function , and quantum computers requires [ambainis2002quantum]. Both bounds are asymptotically tight, by either an exhaustive search or Grover’s algorithm [grover1996fast]. However, if we allow some pre-computed advice, classical computers can do much better. Hellman [hellman1980cryptanalytic] showed that every permutation can be inverted with . However, it is not known whether we can do better than Grover’s algorithm or Hellman’s algorithm, even if we allow quantum computers to come into play. Therefore motivated by post-quantum cryptanalysis, it is natural to ask whether these two algorithms are indeed the best that we can do. For classical computers, De et al. [de2009non] (going back to ideas of Yao [yao1990coherent]) showed that is required, and Corrigan-Gibbs and Kogan [DBLP:journals/eccc/Corrigan-GibbsK18] gave some evidence that improving this lower bound seems to be difficult, by connecting function inversion problem to several other hard problems in complexity theory, communication complexity, etc. For quantum computers, Nayebi et al. [nayebi2015quantum] showed that is required, however, this result only applies to the case where the computation and the oracle queries are quantum but the pre-computed advice remains classical. However, they also noted that the advice given to a quantum computer can as well be quantum, and it remains open to prove a lower bound for computations in that model.

### 1.1 Our Contributions

In this work, we resolve this discrepancy by showing that is still required even if the inverter is allowed to use quantum advice. Formally,

###### Definition 1.

A function (or permutation) inverter is a pair , where:

1. is a pre-computed quantum advice of qubits, which can depend on the function ; (for permutations, )

2. is a quantum oracle algorithm that takes advice and an image , makes at most quantum queries to the function as an oracle , and outputs a supposed pre-image .

###### Definition 2.

Fix a function inverter .

• We say that “ invert for " if

 Pr[f(Aπ(α,y))=y]≥2/3,

where the probability is taken over the measurement results (internal randomness) of

.

• For any real , we say that “ invert fractions of inputs" if

 Pry,π[(α,A) inverts y% for π]≥ε,

where and is sampled uniformly from and , respectively.

###### Theorem 1.

(Lower bound for permutations) For any permutation inverter that invert fractions of inputs, assuming:

1.  ε=ω(1/N), (1)

that is, the inverter can succeed on more than a constant number of points;

2.  T=o(ε√N), (2)

noting that is the complexity of Grover’s search algorithm;

3.  S≥1. (3)

We have

 ST2≥~Ω(εN)

for all sufficiently large .

###### Theorem 2.

(Lower bound for functions) For any function inverter that invert fractions of inputs, assuming:

1.  M=O(N), (4)
2.  T=o(ε√M/log10N), (5)

noting that is the complexity of Grover’s search algorithm;

3.  ε≥1/N, (6)

that is, the inverter performs no worse than a fixed point output inverter;

4.  S≥1. (7)

We have

 ST2≥~Ω(εM)

for all sufficiently large .

Towards proving these two theorems, we also develop a lower bound for a generalized version of quantum random access code presented in Section 4, which may be of separate interest.

### 1.2 Historical Note and Concurrent Work

This version of the paper represents the submission version for QIP 2020. The differences of this version and the submission version are fixing a problem in the proof as pointed out by the reviewers, and adding the second paragraph in the abstract highlighting our lower bound on generalized quantum random access codes. We learned the concurrent work of Hhan, Xagawa, and Yamakawa [cryptoeprint:2019:1093] after submitting our paper to QIP 2020.

In [cryptoeprint:2019:1093], they considered a number of cryptographic applications of random functions under both classical advice model and quantum advice model (which they denote as AI-QROM and QAI-QROM respectively). Under quantum advice model, their Theorem 6 showed bounds for inverting random permutations using different techniques, namely, gentle measurements and semi-classical oracle. However, in their work, they left the problem of proving bounds for random functions open and we partially give some answers to that open problem in this work. We also note that our proof technique does not involve internal measurements in the compress/decompress algorithm and is conceptually simpler.

## 2 Technical Overview

### 2.1 Permutations

#### Compression argument.

In De et al. [de2009non], the main idea in proving the lower bound is to leverage the inverter to produce an algorithm that compresses the permutation into a short string, and the information theoretic lower bound on the size of the string translates to our desired lower bound. However, as the inverter needs to make adaptive queries, we need to produce the correct answer for the inverter so that she can successfully invert the image and we can extract the information from the inverter. The way to do this is to randomly (using some shared randomness that will not affect the information theoretic lower bound that we will use in the end) remove a small enough subset of the image from the permutation and the probability that the inverter hits this subset will be small. Therefore, we can use the advice and the permutation without the removed fraction as the encoding for the permutation, and since the length of the encoding is lower bounded by the entropy of all the permutations the encoding scheme is able to compress, this translates to a lower bound in the space-time trade-off for the permutation inversion problem.

As shown by Nayebi et al. [nayebi2015quantum], this idea also holds similarly for algorithms that can make quantum queries to the permutation. Namely, if we change fraction of the input, by a similar argument to proving the optimality of Grover’s algorithm [ambainis2002quantum], a quantum query algorithm is required to take queries to distinguish the change with constant probability. However, they also have shown that this approach has a fundamental limitation when one tries to adapt it to the case where the pre-processed information can be quantum. Recall that in order to invoke the inverter to recover a deleted entry, we need to invoke it with the pre-computed advice. If the advice is classical, we can simply repeat this process for every entry to recover the entire permutation table; but if the advice is quantum, we cannot hope to do this repeatedly as the previous copy would be destroyed by measurement, and we cannot hope to clone multiple copies of the advice for free due to no cloning theorem [wootters1982single]. The only thing we can do is to produce multiple copies of the same advice in the encoding phase, however, it is easy to see that this encoding scheme is too inefficient for proving a meaningful lower bound for inverting permutations.

#### Avoiding repeated measurements.

Approaching this challenge, our idea is to reduce the problem to a similar problem that does not require recovering the entire permutation table. Ambainis et al. [ambainis1999dense] introduced the notion of Quantum Random Access Code with Shared Randomness, which is a two-player game where two player shares some randomness ; the first player gets a bit string chosen uniformly at random and is asked to encode it into an encoding ; and the second player is asked to recover given and some index chosen uniformly at random. Assuming the two player succeeds with probability , the number of bits in is lower bounded by (with some very rough approximations when ) . It can be shown that this lower bound is tight, and it also extends to the quantum setting, where the number of qubits in is still lower bounded by (roughly) . This game has found several applications in quantum information theory [alagic2018non].

Thus, a natural idea is to come up with a similar lower bound for quantum random access code with shared randomness for permutations and do the reduction. However, unlike in the case of bit strings, as there is correlations between each element of the permutation, our lower bound argument would need to proceed very carefully. Thus, we proved a lower bound on the expected number of qubits which is only related to the overall entropy, the average element entropy, and the recover (success) probability, and this holds even if there exists correlations between the elements. In general, this lower bound is weaker than the compression argument where the entire permutation is recovered. However, we note that if the success probability is high, say for permutations, then the expected number of qubits needs to be at least , which asymptotically matches the lower bound for compression argument.

A direct encoding scheme would be using the encoding scheme of Nayebi et al. [nayebi2015quantum] and decode only the element in question. However, this direct idea does not work, since we are randomly removing entries from the permutation, the scheme only succeeds when the removed entries (determined by shared randomness ) does not affect the output of the inverter, which only happens with a small probability. This means that will be bounded away from 1. Recall that our encoding will need to remember fraction of the permutation, this gives us no meaningful bound. In fact, in order for this idea to succeed, we need to boost the success probability to also .

We observe that in our proof for quantum random access code, the length of our encoding is ultimately bounded by the von Neumann entropy of the encoding. By using the variable length version of quantum source coding theorem, we can also use a variable length encoding that is still bounded by the von Neumann entropy of the encoding. Specifically, if the randomness will cause the encoding to err, we will simply use the entire permutation table as our encoding, which the decoder can decode any element directly. By repeating the advice poly-logarithmically many times, we can make the success probability sufficiently close to 1 for proving a meaningful bound.

### 2.2 Functions

To bootstrap the previous argument into an argument for function inverters, we can view the inverse function as a partition of , and our goal is to design a random access code for querying this partition. In order to accommodate all possible adversaries, we only pick the pre-images that have high probability to be returned by the adversary. However, consider the following bad case, , and the adversary uniformly returns or . In this case, majority vote will not work since (without loss of generality) assuming we removed from the encoding, the decoder cannot distinguish adversary returns or (assuming is also removed from the encoding). To fix this, we use a 2-universal hash function (sampled from shared randomness) and use the hash tag to distinguish the correct output. However, we need to choose the hash length very carefully, as length too short results in high error probability, and length too long results in inefficient coding (our goal is to achieve nontrivial savings for the random function). It turns out that using a length of works in our case.

## 3 Preliminaries

We denote to be , and the set of all possible bijections from to itself to be .

###### Definition 3.

(Quantum oracle) For any classical function where is some additive group, it naturally corresponds to a quantum oracle such that for all ,

 Of(|x⟩|y⟩)=|x⟩|y+f(x)⟩.

Let be a quantum oracle algorithm taking as an oracle. In the rest of the paper, we will abuse the notation to represent .

###### Definition 4.

The query magnitude at of is defined to be , where is the set of all computational basis states that query position .

###### Definition 5.

Given a quantum algorithm , the total query magnitude at of with (oracle access to) input is defined to be , where the sum is taken over all the quantum queries produced by the algorithm.

###### Lemma 1.

(Swapping lemma) [vazirani1998power, Lemma 3.1] Let and be the final state of on inputs and respectively. Let be (the upper bound of) the number of queries has made. Then:

 ∥|ϕx⟩−|ϕy⟩∥≤√T∑j:xj≠yjqj(x),

where

denote the Euclidean distance between the two vectors.

###### Theorem 3.

(Quantum Source Coding Theorem) [schumacher2001indeterminate] Let be an alphabet, be a density operator whose von Neumann entropy is .

1. If , then independent samples of can be losslessly compressed into qubits for all sufficiently large ;

2. If , then independent samples of can be losslessly compressed into qubits for at most finitely many ’s.

###### Theorem 4.

(2-Universal Hashing) For every , there exists a 2-universal hash function family with error probability and output length (using some finite amount of randomness). [vadhan2012pseudorandomness, Chapter 3]

## 4 Quantum Random Access Codes with Variable Length

###### Definition 6.

Let be a set of functions for some finite set . A quantum random access code with variable length (QRAC-VL) for consists of two algorithms .

1. . The encoding algorithm encode a function with some fresh independent randomness in to some qubits. The number of qubits denoted by can depend on the function .

2. . The decoding algorithm compute on some specific element with the encoded message in , and it uses the same shared randomness for the encoding algorithm.

The performance of the code is measured by two parameters and . We define

 L:=Ef[ℓ(f)]

to be the average length of the coding scheme over uniform distribution on

, and

 δ:=Prf,x,R[Dec(Enc(f;R),x;R)=f(x)]

to be the probability that our scheme correctly reconstructs the image of the function, where the probability is taken over uniform distribution on , , and the scheme’s internal randomness.

First, we prove a helpful lemma that says conditional quantum entropy satisfies subadditivity.

###### Lemma 2.

Let be some quantum states, then

 N∑i=1S(Xi|Q)≥S(X|Q).
###### Proof.

We will prove this for and it is easy to extend this proof to any using an inductive argument.

For , by the definition of conditional entropy, it is equivalent to prove , which holds due to strong subadditivity of von Neumann entropy. ∎

###### Theorem 5.

(Lower bound for QRAC-VL) For any QRAC-VL, let

be a random variable sampled uniformly random from

, where corresponds to the value of evaluating for . Let be a random variable uniformly sampled from . Therefore, is the (von Neumann) entropy of a uniformly random distribution of and is the average (or expected) entropy of a single element. We have

 L≥S(X)−N⋅(1−δ)⋅S(XJ).
###### Proof.

Sample independently. Let be the encoding. Using the fact in conditional mutual information that and the fact that and are independent,

 I(Q,R;X)=I(Q;X|R)≤S(Q|R). (8)

Since is classical, by Theorem 3,

 S(Q|R)≤S(Q)≤L. (9)

On the other hand, using Lemma 2,

 I(Q,R;X) =S(X)−S(X|Q,R)≥S(X)−N∑i=1S(Xi|Q,R)=S(X)−N⋅S(XJ|Q,R,J), (10)

By data processing inequality, we know that

 S(XJ|Q,R,J)≤S(XJ|%Dec(Q,J;R)). (11)

By definition of success probability in quantum random access code, we can show that

 S(XJ|Dec(Q,J;R))≤(1−δ)S(XJ), (12)

using an indicator variable that indicates whether the decoder succeeds.

Combining (8), (9), (10), (11), and (12), we get the expected equation in the theorem. ∎

To see an immediate application of this theorem, we will demonstrate proving a bound for QRAC-VL for permutations. For permutations, and . By the theorem above, we immediately get that

###### Corollary 1.

For any QRAC-VL for permutations with for any , we have

 L≥logN!−klogN.

## 5 Proof for Theorem 1

Now we proceed to construct an encoding scheme given an inverter. Given a permutation inverter that inverts fraction of the input. Let . By how we defined success probability, we can show that there exists a large subset of all the permutations with size at least , such that for any permutation , we have that

 Pry[(α,A) inverts y for% π]≥ε′.

Consider a permutation , and let be the set of indices such that inverts . Recall that by the definition of , we have . We use the shared randomness in the way such that we sample a subset with each element of independently chosen to be in with probability , where is some constant that we will decide later.

Let be a subset of , where an element if it satisfies the following two conditions,

1.  x∈R; (13)
2. The total query magnitude on while running is bounded by , that is,

 ∑z∈R∖{x}qz(x)≤cT. (14)
###### Claim 1.

With probability at least 0.8 over the choice of , .

###### Proof.

Let . Due to the definition of ,

is distributed according to a binomial distribution. Therefore, the expected value of

is . By the multiplicative Chernoff bound and (2),

 PrR[|H|≥|I|γ2T2]≥0.9 (15)

for all sufficiently large .

By definition, each query that makes is of unit length. Since makes at most queries, by Definition 5,

 ∑z∈[N]qz(x)≤T.

By linearity of expectation,

 ER⎡⎣∑z∈R∖{x}qz(x)⎤⎦=∑z∈R∖{x}γT2qz(x)≤γT2T=γT.

Hence, by Markov’s inequality,

 PrR⎡⎣∑z∈R∖{x}qz(x)≥cT⎤⎦≤Tc⋅γT=γc. (16)

Let denote the subset of that satisfy (13) but not (14). Note that (13) and (14) are independent for each , since (13) is whether and (14) only concerns the intersection of and . Therefore by (16), the probability that satisfies is at most . Hence, by Markov’s inequality,

 (17)

From (15) and (17), we get that with probability at least 0.8 over the choice of ,

given that is a small enough positive constant. ∎

We now proceed to describe the QRAC-VL scheme for encoding . If or is smaller than , the encoding simply sets a (classical) flag (which takes one bit) and stores the entire permutation table of (we will denote this as case A). In this case, it is straightforward to construct a decoder that succeed with probability 1.

Otherwise assuming is large enough, we clear the first flag, and proceed with our QRAC-VL that computes (if necessary) and outputs the following information as our encoding: (which we will denote as case B)

• The size of , encoded using bits;

• The set , encoded using bits;

• The permutation restricted to input outside of , encoded using bits;

• Quantum advice used by the algorithm repeated times , for some that we will decide later. (We can compute this as the encoder can preprocess multiple copies of the same advice. Note that this is the only part of our encoding that is not classical.)

Upon given the encoding , some image , and the algorithm’s randomness , the decoder first proceeds to recover set and for every . If the given for some , the decoder outputs . Otherwise, the decoder constructs to be

 π′(x)={y,x∈G;π(x),x∉G.

Then the decoder extracts , and invokes for each and outputs their majority vote. Let and denote the final states of when it is given the oracle and respectively. Then by Lemma 1 and the definition of a good element,

 ∥|ϕπ⟩−|ϕπ′⟩∥≤√T∑z∈R∖{x}qz(x)≤√T⋅cT=√c.

As , by the definition of , measuring gives with probability at least . Given is a small enough positive constant, measuring will also give with probability at least .

We now examine the length of our encoding. With probability , we have ; with probability , we have but is small. Therefore, over all, with probability , our encoding will take case A, where the encoding consists of classical bits and decoder succeeds with probability 1.

With probability , our encoding takes case B, and the size of the encoding will be

 1+logN+log(|R||G|)+log(N!/|G|!)+ρS.

By (2), we can write this as

 ρS−log|G|!+logN!+o(log|G|!).

In this case, when the decoder is queried a point outside of what she has remembered, that is (which occurs with probability ), she recovers the correct pre-image with probability 1; otherwise, with one copy of the advice, she recovers the correct pre-image with probability 0.6, therefore with copies, by Chernoff’s bound, she recovers the correct pre-image using majority vote, with probability .

Overall, the average encoding length is at most , and the average success probability is . By setting , the average success probability will be . By (1) and Corollary 1, we have

 logN!+1/2⋅(εlog|G|!−ερS−o(εlog|G|!)−εlogN)≥logN!−O(logN).

Using the fact that (2), (3), we get

 log|G|!+o(log|G|!)≥Ω(SlogN).

Thus, .

## 6 Proof for Theorem 2

Given a function inverter that inverts fraction of the input. For function , define if such exists, else . Using this notion, we can equivalently view sampling a function from as sampling an inverse function from all the possible partitions of into bags, denoted as . Let sampled from as in Theorem 5, then and

 S(XJ) =M(−1Nlog1N−(1−1N)log(1−1N)) =MN(NlogN−(N−1)log(N−1)) ≤MN(logN+loge).
###### Corollary 2.

For any QRAC-VL for partitions with for any , we have

 L≥MlogN−βMN(logN+loge).

Now we construct the encoding scheme given the inverter. Similarly as before, there is a subset of size at least such that for each function in the inverter is able to invert at least fraction of the input. Let be functions where there exists an image in the function that has more than pre-images for some constant . We claim that (for cases when and , by using multiplicative form of Chernoff bound and union bound on the number of pre-images for each image. Let with size at least , that is the set of functions that both have a large amount of invertible points and each image does not have a lot of pre-images.

Consider a function , and let be the set of indices such that when given input returns exactly (conditioned on evaluating on the input is indeed ) with the highest probability (ties are broken arbitrarily). It is not hard to prove that . We sample a subset , with each element independently chosen with probability for some constant that we will decide later.

Let , where if

1.  x∈R; (18)
2. The total query magnitude on while running is bounded by , that is,

 ∑z∈f−1(R∖{x})qz(x)≤cT. (19)
###### Claim 2.

With probability at least 0.75 over the choice of , .

###### Proof.

The proof is almost exactly the same as in the case for permutations.

Let . Due to the definition of , is distributed according to a binomial distribution. Therefore, the expected value of is . By the multiplicative Chernoff bound and (2),

 PrR[|H|≥|I|γ2T2]≥0.95 (20)

for all sufficiently large .

By definition, each query that makes is of unit length. Since makes at most queries, by Definition 5,

 ∑z∈[N]qz(x)≤T.

By linearity of expectation,

 ER⎡⎣∑z∈R∖{x}qz(x)⎤⎦=∑z∈R∖{x}γT2qz(x)≤γT2T=γT.

Hence, by Markov’s inequality,

 PrR⎡⎣∑z∈R∖{x}qz(x)≥cT⎤⎦≤Tc⋅γT=γc. (21)

Let denote the subset of that satisfy (18) but not (19). Similarly, here (18) and (19) are also independent for each , since (18) is whether and (19) only concerns the intersection of and . Therefore by (21), the probability that satisfies is at most . Hence, by Markov’s inequality,

 (22)

From (20) and (22), we get that with probability at least 0.75 over the choice of ,

 |G|=|H|−|J|≥|I|γ2T2−10|I|γ2cT2≥εγM4KT2(1−5γ2c)=Ω(εMKT2),

given that is a small enough positive constant. ∎

We now proceed to describe the QRAC-VL scheme for encoding the partition . If or is not at least , the encoding simply sets a (classical) flag (which takes one bit) and stores the entire table of (we will denote this as case A). In this case, it is straightforward to construct a decoder that succeed with probability 1.

Otherwise assuming and is large enough, we clear the first flag, and proceed with our QRAC-VL that computes (if necessary) and outputs the following information as our encoding: (which we will denote as case B)

• The size of , encoded using bits;

• The set , encoded using bits;

• The set , encoded using bits;

• The function restricted to input outside of , encoded using bits;

• Hash tags for each , each of length , encoded using ;

• Quantum advice used by the algorithm repeated times , for .

Upon given the encoding , some image , and the algorithm’s randomness , the decoder first proceeds to recover set and for every . If the given , the decoder outputs . Otherwise, the decoder constructs to be

 f′(x)={y,x∈G;f(x),x∉G.

Then the decoder extracts , and invokes to obtain outputs. After measuring the outputs, the decoder hashes each output and compares with the hash in the encoding. Finally, the decoder randomly chooses a output with the correct hash, combining other pre-images in the encoding as the output pre-image set.

Let and denote the final states of when it is given the oracle and respectively. Then by Lemma 1 and the definition of a good element,

 ∥|ϕπ⟩−|ϕπ′⟩∥≤√T∑z∈R∖{x}qz(x)≤√T⋅cT=√c.

As , by the definition of , measuring gives some pre-image of that is in with probability at least . Given is a small enough positive constant, measuring will also give with probability at least . Assuming the logarithmics in is large enough, we can find at least one correct output in this process with probability at least . Due to the length of the hash tag and Theorem 4, all the incorrect outputs will be discarded with probability . Overall, the success probability of our decoding procedure for a is at least .

We now examine the length of our encoding. With probability , we have ; with probability , we have but is small. Therefore, over all, with probability , our encoding will take case A, where the encoding consists of classical bits and decoder succeeds with probability 1.

With probability , our encoding takes case B, and the size of the encoding will be

 1+log(M+N)+log(|R||G|)+log(N|G|)+(M−|G|)logN+|G|log(KlogN)+ρS,

which is at most

 MlogN+|G|logO(K2logN)ε−|G|log|G|+ρS,

for all sufficiently large . In this case, when the decoder is queried a point outside of what she has remembered, that is (which occurs with probability ), she recovers the correct pre-image with probability 1; otherwise, she recovers the correct pre-image with probability at least .

Overall, the average encoding length is at most , and the average success probability is . By Corollary 2 and by (4), we have

 MlogN+0.3ε⋅|G|logO(K2logN)ε−|G|log|G|+ρS)≥MlogN−O(|G|).

Using the fact that (5), (7), we get

 ~O(|G|)≥~Ω(SK).

Thus, .

## 7 Open Questions

Is a tighter lower bound like achievable or does there exist an attack using quantum advice that achieves ?

On the other hand, our techniques seem hard to be generalized to random functions where . Say . It turns out that for whatever choice of , remembering where is, and for points outside of is already too much (requires number of bits greater than ).

## Acknowledgements

The authors would like to thank Nai-Hui Chia, Luca Trevisan, Xiaodi Wu, and Penghui Yao for their helpful insights during the discussions. We also thank the anonymous reviewers at QIP for pointing out an issue in the proof of Theorem 5.