1 Introduction
Spacetime tradeoffs are a widely observed phenomenon in data structure complexity. In this work, we are interested in spacetime tradeoffs in inverting random functions, namely, the tradeoff between the size (in the number of bits) of precomputed data structure (or advice) about the function and the algorithm’s running time for computing the inverse of a certain image. Such tradeoffs give lower bound for algorithms that inverts cryptographic functions without taking the specific structure of that family of functions.
Without precomputed advice (), classical computers requires for inverting a fraction of the input for a random function , and quantum computers requires [ambainis2002quantum]. Both bounds are asymptotically tight, by either an exhaustive search or Grover’s algorithm [grover1996fast]. However, if we allow some precomputed advice, classical computers can do much better. Hellman [hellman1980cryptanalytic] showed that every permutation can be inverted with . However, it is not known whether we can do better than Grover’s algorithm or Hellman’s algorithm, even if we allow quantum computers to come into play. Therefore motivated by postquantum cryptanalysis, it is natural to ask whether these two algorithms are indeed the best that we can do. For classical computers, De et al. [de2009non] (going back to ideas of Yao [yao1990coherent]) showed that is required, and CorriganGibbs and Kogan [DBLP:journals/eccc/CorriganGibbsK18] gave some evidence that improving this lower bound seems to be difficult, by connecting function inversion problem to several other hard problems in complexity theory, communication complexity, etc. For quantum computers, Nayebi et al. [nayebi2015quantum] showed that is required, however, this result only applies to the case where the computation and the oracle queries are quantum but the precomputed advice remains classical. However, they also noted that the advice given to a quantum computer can as well be quantum, and it remains open to prove a lower bound for computations in that model.
1.1 Our Contributions
In this work, we resolve this discrepancy by showing that is still required even if the inverter is allowed to use quantum advice. Formally,
Definition 1.
A function (or permutation) inverter is a pair , where:

is a precomputed quantum advice of qubits, which can depend on the function ; (for permutations, )

is a quantum oracle algorithm that takes advice and an image , makes at most quantum queries to the function as an oracle , and outputs a supposed preimage .
Definition 2.
Fix a function inverter .

We say that “ invert for " if
where the probability is taken over the measurement results (internal randomness) of
. 
For any real , we say that “ invert fractions of inputs" if
where and is sampled uniformly from and , respectively.
Theorem 1.
(Lower bound for permutations) For any permutation inverter that invert fractions of inputs, assuming:

(1) that is, the inverter can succeed on more than a constant number of points;

(2) noting that is the complexity of Grover’s search algorithm;

(3)
We have
for all sufficiently large .
Theorem 2.
(Lower bound for functions) For any function inverter that invert fractions of inputs, assuming:

(4) 
(5) noting that is the complexity of Grover’s search algorithm;

(6) that is, the inverter performs no worse than a fixed point output inverter;

(7)
We have
for all sufficiently large .
Towards proving these two theorems, we also develop a lower bound for a generalized version of quantum random access code presented in Section 4, which may be of separate interest.
1.2 Historical Note and Concurrent Work
This version of the paper represents the submission version for QIP 2020. The differences of this version and the submission version are fixing a problem in the proof as pointed out by the reviewers, and adding the second paragraph in the abstract highlighting our lower bound on generalized quantum random access codes. We learned the concurrent work of Hhan, Xagawa, and Yamakawa [cryptoeprint:2019:1093] after submitting our paper to QIP 2020.
In [cryptoeprint:2019:1093], they considered a number of cryptographic applications of random functions under both classical advice model and quantum advice model (which they denote as AIQROM and QAIQROM respectively). Under quantum advice model, their Theorem 6 showed bounds for inverting random permutations using different techniques, namely, gentle measurements and semiclassical oracle. However, in their work, they left the problem of proving bounds for random functions open and we partially give some answers to that open problem in this work. We also note that our proof technique does not involve internal measurements in the compress/decompress algorithm and is conceptually simpler.
2 Technical Overview
2.1 Permutations
Compression argument.
In De et al. [de2009non], the main idea in proving the lower bound is to leverage the inverter to produce an algorithm that compresses the permutation into a short string, and the information theoretic lower bound on the size of the string translates to our desired lower bound. However, as the inverter needs to make adaptive queries, we need to produce the correct answer for the inverter so that she can successfully invert the image and we can extract the information from the inverter. The way to do this is to randomly (using some shared randomness that will not affect the information theoretic lower bound that we will use in the end) remove a small enough subset of the image from the permutation and the probability that the inverter hits this subset will be small. Therefore, we can use the advice and the permutation without the removed fraction as the encoding for the permutation, and since the length of the encoding is lower bounded by the entropy of all the permutations the encoding scheme is able to compress, this translates to a lower bound in the spacetime tradeoff for the permutation inversion problem.
As shown by Nayebi et al. [nayebi2015quantum], this idea also holds similarly for algorithms that can make quantum queries to the permutation. Namely, if we change fraction of the input, by a similar argument to proving the optimality of Grover’s algorithm [ambainis2002quantum], a quantum query algorithm is required to take queries to distinguish the change with constant probability. However, they also have shown that this approach has a fundamental limitation when one tries to adapt it to the case where the preprocessed information can be quantum. Recall that in order to invoke the inverter to recover a deleted entry, we need to invoke it with the precomputed advice. If the advice is classical, we can simply repeat this process for every entry to recover the entire permutation table; but if the advice is quantum, we cannot hope to do this repeatedly as the previous copy would be destroyed by measurement, and we cannot hope to clone multiple copies of the advice for free due to no cloning theorem [wootters1982single]. The only thing we can do is to produce multiple copies of the same advice in the encoding phase, however, it is easy to see that this encoding scheme is too inefficient for proving a meaningful lower bound for inverting permutations.
Avoiding repeated measurements.
Approaching this challenge, our idea is to reduce the problem to a similar problem that does not require recovering the entire permutation table. Ambainis et al. [ambainis1999dense] introduced the notion of Quantum Random Access Code with Shared Randomness, which is a twoplayer game where two player shares some randomness ; the first player gets a bit string chosen uniformly at random and is asked to encode it into an encoding ; and the second player is asked to recover given and some index chosen uniformly at random. Assuming the two player succeeds with probability , the number of bits in is lower bounded by (with some very rough approximations when ) . It can be shown that this lower bound is tight, and it also extends to the quantum setting, where the number of qubits in is still lower bounded by (roughly) . This game has found several applications in quantum information theory [alagic2018non].
Thus, a natural idea is to come up with a similar lower bound for quantum random access code with shared randomness for permutations and do the reduction. However, unlike in the case of bit strings, as there is correlations between each element of the permutation, our lower bound argument would need to proceed very carefully. Thus, we proved a lower bound on the expected number of qubits which is only related to the overall entropy, the average element entropy, and the recover (success) probability, and this holds even if there exists correlations between the elements. In general, this lower bound is weaker than the compression argument where the entire permutation is recovered. However, we note that if the success probability is high, say for permutations, then the expected number of qubits needs to be at least , which asymptotically matches the lower bound for compression argument.
A direct encoding scheme would be using the encoding scheme of Nayebi et al. [nayebi2015quantum] and decode only the element in question. However, this direct idea does not work, since we are randomly removing entries from the permutation, the scheme only succeeds when the removed entries (determined by shared randomness ) does not affect the output of the inverter, which only happens with a small probability. This means that will be bounded away from 1. Recall that our encoding will need to remember fraction of the permutation, this gives us no meaningful bound. In fact, in order for this idea to succeed, we need to boost the success probability to also .
We observe that in our proof for quantum random access code, the length of our encoding is ultimately bounded by the von Neumann entropy of the encoding. By using the variable length version of quantum source coding theorem, we can also use a variable length encoding that is still bounded by the von Neumann entropy of the encoding. Specifically, if the randomness will cause the encoding to err, we will simply use the entire permutation table as our encoding, which the decoder can decode any element directly. By repeating the advice polylogarithmically many times, we can make the success probability sufficiently close to 1 for proving a meaningful bound.
2.2 Functions
To bootstrap the previous argument into an argument for function inverters, we can view the inverse function as a partition of , and our goal is to design a random access code for querying this partition. In order to accommodate all possible adversaries, we only pick the preimages that have high probability to be returned by the adversary. However, consider the following bad case, , and the adversary uniformly returns or . In this case, majority vote will not work since (without loss of generality) assuming we removed from the encoding, the decoder cannot distinguish adversary returns or (assuming is also removed from the encoding). To fix this, we use a 2universal hash function (sampled from shared randomness) and use the hash tag to distinguish the correct output. However, we need to choose the hash length very carefully, as length too short results in high error probability, and length too long results in inefficient coding (our goal is to achieve nontrivial savings for the random function). It turns out that using a length of works in our case.
3 Preliminaries
We denote to be , and the set of all possible bijections from to itself to be .
Definition 3.
(Quantum oracle) For any classical function where is some additive group, it naturally corresponds to a quantum oracle such that for all ,
Let be a quantum oracle algorithm taking as an oracle. In the rest of the paper, we will abuse the notation to represent .
Definition 4.
The query magnitude at of is defined to be , where is the set of all computational basis states that query position .
Definition 5.
Given a quantum algorithm , the total query magnitude at of with (oracle access to) input is defined to be , where the sum is taken over all the quantum queries produced by the algorithm.
Lemma 1.
(Swapping lemma) [vazirani1998power, Lemma 3.1] Let and be the final state of on inputs and respectively. Let be (the upper bound of) the number of queries has made. Then:
where
denote the Euclidean distance between the two vectors.
Theorem 3.
(Quantum Source Coding Theorem) [schumacher2001indeterminate] Let be an alphabet, be a density operator whose von Neumann entropy is .

If , then independent samples of can be losslessly compressed into qubits for all sufficiently large ;

If , then independent samples of can be losslessly compressed into qubits for at most finitely many ’s.
Theorem 4.
(2Universal Hashing) For every , there exists a 2universal hash function family with error probability and output length (using some finite amount of randomness). [vadhan2012pseudorandomness, Chapter 3]
4 Quantum Random Access Codes with Variable Length
Definition 6.
Let be a set of functions for some finite set . A quantum random access code with variable length (QRACVL) for consists of two algorithms .

. The encoding algorithm encode a function with some fresh independent randomness in to some qubits. The number of qubits denoted by can depend on the function .

. The decoding algorithm compute on some specific element with the encoded message in , and it uses the same shared randomness for the encoding algorithm.
The performance of the code is measured by two parameters and . We define
to be the average length of the coding scheme over uniform distribution on
, andto be the probability that our scheme correctly reconstructs the image of the function, where the probability is taken over uniform distribution on , , and the scheme’s internal randomness.
First, we prove a helpful lemma that says conditional quantum entropy satisfies subadditivity.
Lemma 2.
Let be some quantum states, then
Proof.
We will prove this for and it is easy to extend this proof to any using an inductive argument.
For , by the definition of conditional entropy, it is equivalent to prove , which holds due to strong subadditivity of von Neumann entropy. ∎
Theorem 5.
(Lower bound for QRACVL) For any QRACVL, let
be a random variable sampled uniformly random from
, where corresponds to the value of evaluating for . Let be a random variable uniformly sampled from . Therefore, is the (von Neumann) entropy of a uniformly random distribution of and is the average (or expected) entropy of a single element. We haveProof.
Sample independently. Let be the encoding. Using the fact in conditional mutual information that and the fact that and are independent,
(8) 
Since is classical, by Theorem 3,
(9) 
On the other hand, using Lemma 2,
(10) 
By data processing inequality, we know that
(11) 
By definition of success probability in quantum random access code, we can show that
(12) 
using an indicator variable that indicates whether the decoder succeeds.
To see an immediate application of this theorem, we will demonstrate proving a bound for QRACVL for permutations. For permutations, and . By the theorem above, we immediately get that
Corollary 1.
For any QRACVL for permutations with for any , we have
5 Proof for Theorem 1
Now we proceed to construct an encoding scheme given an inverter. Given a permutation inverter that inverts fraction of the input. Let . By how we defined success probability, we can show that there exists a large subset of all the permutations with size at least , such that for any permutation , we have that
Consider a permutation , and let be the set of indices such that inverts . Recall that by the definition of , we have . We use the shared randomness in the way such that we sample a subset with each element of independently chosen to be in with probability , where is some constant that we will decide later.
Let be a subset of , where an element if it satisfies the following two conditions,

(13) 
The total query magnitude on while running is bounded by , that is,
(14)
Claim 1.
With probability at least 0.8 over the choice of , .
Proof.
Let . Due to the definition of ,
is distributed according to a binomial distribution. Therefore, the expected value of
is . By the multiplicative Chernoff bound and (2),(15) 
for all sufficiently large .
By definition, each query that makes is of unit length. Since makes at most queries, by Definition 5,
By linearity of expectation,
Hence, by Markov’s inequality,
(16) 
Let denote the subset of that satisfy (13) but not (14). Note that (13) and (14) are independent for each , since (13) is whether and (14) only concerns the intersection of and . Therefore by (16), the probability that satisfies is at most . Hence, by Markov’s inequality,
(17) 
From (15) and (17), we get that with probability at least 0.8 over the choice of ,
given that is a small enough positive constant. ∎
We now proceed to describe the QRACVL scheme for encoding . If or is smaller than , the encoding simply sets a (classical) flag (which takes one bit) and stores the entire permutation table of (we will denote this as case A). In this case, it is straightforward to construct a decoder that succeed with probability 1.
Otherwise assuming is large enough, we clear the first flag, and proceed with our QRACVL that computes (if necessary) and outputs the following information as our encoding: (which we will denote as case B)

The size of , encoded using bits;

The set , encoded using bits;

The permutation restricted to input outside of , encoded using bits;

Quantum advice used by the algorithm repeated times , for some that we will decide later. (We can compute this as the encoder can preprocess multiple copies of the same advice. Note that this is the only part of our encoding that is not classical.)
Upon given the encoding , some image , and the algorithm’s randomness , the decoder first proceeds to recover set and for every . If the given for some , the decoder outputs . Otherwise, the decoder constructs to be
Then the decoder extracts , and invokes for each and outputs their majority vote. Let and denote the final states of when it is given the oracle and respectively. Then by Lemma 1 and the definition of a good element,
As , by the definition of , measuring gives with probability at least . Given is a small enough positive constant, measuring will also give with probability at least .
We now examine the length of our encoding. With probability , we have ; with probability , we have but is small. Therefore, over all, with probability , our encoding will take case A, where the encoding consists of classical bits and decoder succeeds with probability 1.
With probability , our encoding takes case B, and the size of the encoding will be
By (2), we can write this as
In this case, when the decoder is queried a point outside of what she has remembered, that is (which occurs with probability ), she recovers the correct preimage with probability 1; otherwise, with one copy of the advice, she recovers the correct preimage with probability 0.6, therefore with copies, by Chernoff’s bound, she recovers the correct preimage using majority vote, with probability .
Overall, the average encoding length is at most , and the average success probability is . By setting , the average success probability will be . By (1) and Corollary 1, we have
Using the fact that (2), (3), we get
Thus, .
6 Proof for Theorem 2
Given a function inverter that inverts fraction of the input. For function , define if such exists, else . Using this notion, we can equivalently view sampling a function from as sampling an inverse function from all the possible partitions of into bags, denoted as . Let sampled from as in Theorem 5, then and
Corollary 2.
For any QRACVL for partitions with for any , we have
Now we construct the encoding scheme given the inverter. Similarly as before, there is a subset of size at least such that for each function in the inverter is able to invert at least fraction of the input. Let be functions where there exists an image in the function that has more than preimages for some constant . We claim that (for cases when and , by using multiplicative form of Chernoff bound and union bound on the number of preimages for each image. Let with size at least , that is the set of functions that both have a large amount of invertible points and each image does not have a lot of preimages.
Consider a function , and let be the set of indices such that when given input returns exactly (conditioned on evaluating on the input is indeed ) with the highest probability (ties are broken arbitrarily). It is not hard to prove that . We sample a subset , with each element independently chosen with probability for some constant that we will decide later.
Let , where if

(18) 
The total query magnitude on while running is bounded by , that is,
(19)
Claim 2.
With probability at least 0.75 over the choice of , .
Proof.
The proof is almost exactly the same as in the case for permutations.
Let . Due to the definition of , is distributed according to a binomial distribution. Therefore, the expected value of is . By the multiplicative Chernoff bound and (2),
(20) 
for all sufficiently large .
By definition, each query that makes is of unit length. Since makes at most queries, by Definition 5,
By linearity of expectation,
Hence, by Markov’s inequality,
(21) 
Let denote the subset of that satisfy (18) but not (19). Similarly, here (18) and (19) are also independent for each , since (18) is whether and (19) only concerns the intersection of and . Therefore by (21), the probability that satisfies is at most . Hence, by Markov’s inequality,
(22) 
From (20) and (22), we get that with probability at least 0.75 over the choice of ,
given that is a small enough positive constant. ∎
We now proceed to describe the QRACVL scheme for encoding the partition . If or is not at least , the encoding simply sets a (classical) flag (which takes one bit) and stores the entire table of (we will denote this as case A). In this case, it is straightforward to construct a decoder that succeed with probability 1.
Otherwise assuming and is large enough, we clear the first flag, and proceed with our QRACVL that computes (if necessary) and outputs the following information as our encoding: (which we will denote as case B)

The size of , encoded using bits;

The set , encoded using bits;

The set , encoded using bits;

The function restricted to input outside of , encoded using bits;

Hash tags for each , each of length , encoded using ;

Quantum advice used by the algorithm repeated times , for .
Upon given the encoding , some image , and the algorithm’s randomness , the decoder first proceeds to recover set and for every . If the given , the decoder outputs . Otherwise, the decoder constructs to be
Then the decoder extracts , and invokes to obtain outputs. After measuring the outputs, the decoder hashes each output and compares with the hash in the encoding. Finally, the decoder randomly chooses a output with the correct hash, combining other preimages in the encoding as the output preimage set.
Let and denote the final states of when it is given the oracle and respectively. Then by Lemma 1 and the definition of a good element,
As , by the definition of , measuring gives some preimage of that is in with probability at least . Given is a small enough positive constant, measuring will also give with probability at least . Assuming the logarithmics in is large enough, we can find at least one correct output in this process with probability at least . Due to the length of the hash tag and Theorem 4, all the incorrect outputs will be discarded with probability . Overall, the success probability of our decoding procedure for a is at least .
We now examine the length of our encoding. With probability , we have ; with probability , we have but is small. Therefore, over all, with probability , our encoding will take case A, where the encoding consists of classical bits and decoder succeeds with probability 1.
With probability , our encoding takes case B, and the size of the encoding will be
which is at most
for all sufficiently large . In this case, when the decoder is queried a point outside of what she has remembered, that is (which occurs with probability ), she recovers the correct preimage with probability 1; otherwise, she recovers the correct preimage with probability at least .
Overall, the average encoding length is at most , and the average success probability is . By Corollary 2 and by (4), we have
Using the fact that (5), (7), we get
Thus, .
7 Open Questions
Is a tighter lower bound like achievable or does there exist an attack using quantum advice that achieves ?
On the other hand, our techniques seem hard to be generalized to random functions where . Say . It turns out that for whatever choice of , remembering where is, and for points outside of is already too much (requires number of bits greater than ).
Acknowledgements
The authors would like to thank NaiHui Chia, Luca Trevisan, Xiaodi Wu, and Penghui Yao for their helpful insights during the discussions. We also thank the anonymous reviewers at QIP for pointing out an issue in the proof of Theorem 5.
Comments
There are no comments yet.