Quantum Security of A Compact Multi-Signature

1. Introduction

A multi-signature scheme allows a group of signers to jointly generate a signature while any subset of them can not represent the group. This mechanism was introduced by Itakura and Nakamura [22] with the motivation to reduce the signature size. In the blockchain application [41], it is also demanded that the aggregated public-key that represents the group should also have a small size, as it will be part of the transaction and the network storage. The blockchain has no control over a user and hence one should be able to freely decide his public-keys. Accordingly, we must make sure that it is secure against a rogue key attack: the attacker might choose his public-key after seeing other signers’ public-keys. In a poorly designed scheme, an attacker could manage to decide the secret key of the aggregated public-key. In addition, with the advance of quantum computer, the quantum attack places a major threat to any cryptographic system. Especially, the RSA based multi-signature (such as [5]) is no longer secure [45]. In this paper, we investigate the multi-signature security in the quantum random oracle model, where the attacker has an internal quantum computer and also can access to the quantum random oracle. We aim to develop quantum random oracle techniques that enable a security proof of a complex cryptographic system. We then apply it to prove the security of our recent compact multi-signature.

1.1. Related Works

A multi-signature scheme [22] is a special case of aggregate signature [8] where each signer of the latter can sign a possibly different message. Since it was introduced by Itakura and Nakamura [22], it has been intensively studied in the literature [2,3,5,7,32,36,38,39,42,46]. However, most of schemes are based on some variants of discrete logarithm assumption which does not hold under a quantum attack [45]. There are multi-signatures that are based on quantum mechanics only (i.e., without a computational hardness assumption) [21,25]. However, their schemes are certainly not what is understood in the crypto community: (1) signers need to share a private key with a trusted party; (2) the verification is completely done by the trusted party; (3) signer has no public-key.

Constructions from lattice assumptions such as (ring-)LWE are potentially the solutions for the quantum secure multi-signature problem. However, currently there are only very few schemes [10,19,26,27,31,37] from this. In addition, some schemes [26,27] are known insecure [23,31]. Schemes [10,14,17–19,23,37] did not consider a quantum attacker. Fukumitsu and Hasegawa [20] is the only previous scheme that considered the quantum security. Their construction is based on Dilithium signature [28]. However, their scheme only allows a constant number of signers and the verification requires all signers’ public-keys. Their proof technique (also that of Dilithium [28]) seems to rely on the statistical lossy property of the underlying ID scheme and is unclear if it can be generally usable in other security analysis. In this paper, we investigate general quantum random oracle techniques that are useful in proving a wide class of random oracle based systems. With this, we prove the quantum security of our recent multi-signature framework [23].

The random oracle basically models a hash function as a completely random function. It was first proposed by Bellare and Rogaway [4]. This methodology has a heuristic assumption: when the random oracle is replaced by a cryptographic hash function, the security will preserve. This generally is not true [11]. However, the counter example does not seem realistic. So the crypto community still widely believes that this methodology is practically meaningful. Furthermore, it greatly simplifies the construction of many cryptographic systems and the proof in the classic random oracle is usually amazingly simple. However, it is not true for the quantum world. The great advantage of a classic random oracle is that the simulator can easily record the attacker’s query history. In the quantum setting, this is difficult as an attacker can query a superposition. If the simulator makes a measurement on the query, it will destroy the quantum state. Zhandry [49] proposed new techniques to record the oracle query which is called compressed random oracle ($CStO$). Essentially, if the oracle is only queried q times, then the oracle can be compactly represented into a superposition of database with the basis record only containing at most q non-trivial values. Don et al. [15] showed a simulation that can extract an oracle query of a (classic) commitment on the fly. The impact of this feature is that if an adversary outputs a commitment value, we can immediately extract his query input that matches this commitment. This will not destroy the quantum state essentially because when an attacker outputs his classic commitment, he must have already made the measurement. Hence, this gives us a very useful tool, especially when a simulator needs to know the query in order to continue the simulation. However, this is not enough in some proofs. For example, in our multi-signature scheme, the adversary will receive a honest user’s public-key $p{k}_1$ and then generate two public-key $p{k}_2,p{k}_2$. At the end, he will try to forge a signature w.r.t. a combined public-key $F(p{k}_1,p{k}_2,p{k}_3)$ that is computed from $H(p{k}_i|p{k}_1|p{k}_2|p{k}_3)$ for $i=1,2,3$ and H is the random oracle. The problem is that $p{k}_2,p{k}_3$ will reveal only at the end of the game. If the simulator wishes to know it in advance, it is impossible using the techniques in [15]. Liu and Zhandry [30] presented a measurement technique to extract $p{k}_2,p{k}_3$ during the game involving $CStO$. Essentially, it chooses a random query and measures it. Then, the outcome is $p{k}_i|p{k}_1|p{k}_2|p{k}_3$ for some i with a good probability. Further, the adversary success probability for the forgery will be degraded only by a polynomial fraction. For technique reasons, it is desired that the simulator can set the random oracle value of the measure outcome $p{k}_i|p{k}_1|p{k}_2|p{k}_3$ (called special point) to a value of his favorite. To take the advantage of both extraction techniques, one might consider the simulation of [15] with the measurement techniques in [30]. However, there are two issues. First, Some verification measurements in [30] will be done on the random oracle database and hence the extraction theorems in [15] will no longer hold. Second, the special input measurement [30] is operated only once. This sometimes is insufficient to produce a witness for the final adversary output. Our work in this paper is to propose an improved $CStO$ that addresses the two issues and then apply the improved random oracle techniques to prove the security of our recent compact multi-signature scheme [23].

1.2. Contribution

In this paper, we study how to improve $CStO$ so that it still has a simulator (similar to [15]) that allows to extract a query input of any given commitment on the fly but additionally also allows to adaptively specify a small number of special points and set their random oracle values to our own choices. The improved random oracle is called compressed random oracle with adaptive special points (${\mathbf{CStO}}_s$). We generalize the simulator and extraction theorem in [15] to the ${\mathbf{CStO}}_s$ setting. We also generalize the experiment sampling technique in [30] to allow samplings for several times. This allows us to extract the witness of the final adversary output, where this witness might depend on several random oracle queries (that are measured during the game). This random experiment can be easily converted to an interaction with ${\mathbf{CStO}}_s$ oracle and hence the foregoing on-line extraction technique can be applied. With this improved random oracle technique, we show that our recent multi-signature framework (which is converted from any weakly secure linear identification) is provably secure in the quantum random oracle model. The proof strategy is to use the sequence of game technique. It starts the adversary with a standard quantum random oracle and then continues with the compressed quantum random oracle (CStO) while preserving the same adversary success probability. It next applies the random experiment sampling techniques which degrades the adversary success only by a polynomial fraction but it can extract the witness for the final adversary output. Then, we convert the random experiment (with $\mathbf{CStO}$) to one involving ${\mathbf{CStO}}_s$. Finally, the online extraction technique is used to simulate the interaction without the knowledge of the secret of an ID scheme. This allows to reduce the adversary success to the security of the ID scheme. We also prove the quantum security of the JAK ID scheme in [23]. The main tool to achieve this is to use the collapsing sigma protocol technique in [30] that was originally proposed by Unruh [47]. Our security proof essentially is to formulate the JAK ID security game into two public-coin protocols, each of which uses the collapsing property to guarantee the non-negligibility of the adversary success probability. This two-step analysis allows us to reduce the adversary success probability in attacking the JAK ID scheme to break the underlying ring-SIS assumption.

2. Preliminaries

Notations. We will use the following notations.

• $x\leftarrow S$ samples x uniformly random from a set S.
• For a randomized algorithm A, $u=A(x;r)$ denotes the output of A with input x and randomness r, while $u\leftarrow A\left(x\right)$ denotes the random output (with unspecified randomness).
• Min-entropy $H_{\infty }\left(X\right)=-log({max}_{x}log{P}_X\left(x\right))$.
• A concatenating with B is represented by $A|B$ and also by $(A,B)$ (if the context is clear).
• negl$\left(\lambda \right)$ is negligible: ${lim}_{\lambda \to \infty }poly\left(\lambda \right)\mathsf{negl}\left(\lambda \right)=0$ for any polynomial $poly\left(\lambda \right).$
• $\left[\nu \right]$ denotes set $\{1,\cdots ,\nu \}.$
• $|||\nu \rangle ||$ is the Euclidean norm: $|||v\rangle ||=\sqrt{\langle v|v\rangle }.$
• ${\mathcal{Y}}^{\mathcal{X}}$ denotes the set of vector $\mathbf{y}:={\left\{y_x\right\}}_{x\in \mathcal{X}}$. We use $\mathbf{y}\left(x\right)$ to denote $y_x.$

2.1. Ring and Module

In this section, we review math concepts: ring and module (for details, see [29]). A ring A is a set, associated with multiplication and addition operators, respectively written as a product and a sum, satisfying the following conditions:

-

R-1. A is a commutative group under addition operator + with identity element 0.

-

R-2. A is associative under multiplication operator: for $a,b,c\in A$, (ab)c=a(bc). Also, it has a unit element 1: 1a=a.

-

R-3. It satisfies the distributive law: for $a,b,c\in A$, $a(b+c)=ab+ac$ and $(b+c)a=ba+ca.$

In this paper, we only consider a commutative ring: if $a,b\in A$, then $ab=ba$. When we say ring, it always means a commutative ring. If A is a commutative ring with $\mathbf{0}\ne \mathbf{1}$ and every non-zero element in A has an inverse, then A is a field.

Definition 1.

Let R be a ring. An Abelian group M (with group operator ⊞) is a R-module , if (1) it has defined a multiplication operator • between R and M: for any $r\in R,m\in M$, $r•m\in M$; (2) the following conditions are satisfied: for any $r,s\in R$ and $x,y\in M$,

1.

$r•(x⊞y)=(r•x)⊞(r•y)$;

2.

$(r+s)•x=(r•x)⊞(s•x)$

3.

$\left(rs\right)•x=r•(s•x)$

4.

$1_R•x=x$, where $1_R$ is the multiplicative identity of R.

Note that if R is a field, then R-module M in fact is the well-understood concept - vector space, where M consists of vectors and R is the coefficient field.

2.2. Elements in Quantum Computing

In this section, we give a brief introduction to quantum computing. Details can be found in [43]. A quantum system is a finite-dimensional complex Hilbert space $\mathcal{H}$ with an inner product $\langle ·|·\rangle$. We use standard bra-ket notations to denote vectors in $\mathcal{H}$ and its dual space. The state of a quantum system is a unit vector $|\psi \rangle$. Let $\mathcal{Y}$ be a finite Abelian group. We use ${\{|y\rangle \}}_{y\in \mathcal{Y}}$ to represent an orthonormal basis for $\mathcal{H}={\mathbb{C}}^{|\mathcal{Y}|}$. We also write this $\mathcal{H}$ as $\mathbb{C}\left[\mathcal{Y}\right]$ to emphasize that $\mathcal{H}$ is expanded by ${\{|y\rangle \}}_{y\in \mathcal{Y}}$. For two quantum systems ${\mathcal{H}}_1$ and ${\mathcal{H}}_2$, the joint system is a tensor product ${\mathcal{H}}_1\otimes {\mathcal{H}}_2$. For $|{\psi }_1\rangle \in {\mathcal{H}}_1$ and $|{\psi }_2\rangle \in {\mathcal{H}}_2$, their product state is $|{\psi }_1\rangle |{\psi }_2\rangle .$ For an ordered set $\mathcal{X}=\{x_1,\cdots ,x_n\}$, $\mathbb{C}{\left[\overline{\mathcal{Y}}\right]}^{\otimes \mathcal{X}}$ represents the tensor product of $|\mathcal{X}|$ copies of $\mathbb{C}\left[\overline{\mathcal{Y}}\right]$ with the ith copy labeled by $x_i.$ A quantum system $\mathcal{H}$ has an orthonormal basis $\{|{\psi }_1\rangle ,\cdots ,|{\psi }_n\rangle \}$. With this, a quantum state $|\psi \rangle \in \mathcal{H}$ can be represented as $|\psi \rangle ={\sum }_{i=1}^n{\lambda }_i|{\psi }_i\rangle$ with ${\sum }_i{|{\lambda }_i|}^2=1.$ Quantum operations on $\mathcal{H}$ consist of unitaries and measurements. A unitary U on $\mathcal{H}$ is an operator from $\mathcal{H}$ to $\mathcal{H}$ with $U{U}^{†}=I$, where $U^{†}$ is the conjugate of U. Measurement $M={\left\{M_i\right\}}_i$ on a quantum state $|\psi \rangle \in \mathcal{H}$ is the operator for extracting the classic information from $|\psi \rangle$, where each $M_i$ must be Hermitian (i.e., $M_i^{†}=M_i$) and satisfies the completeness condition ${\sum }_i{M}_i^{†}{M}_i=I.$ After the measurement, the post-measurement state will be $M_i|\psi \rangle /||M_i|\psi \rangle ||$, which occurs with probability $||M_i{|\psi \rangle ||}^2$. A quantum algorithm A is represented by a list of unitaries/measurements. Due to deferred measurement principle [43, pp. 186], the measurement can be deferred to the end of operations of A. Hence, whenever applicable, we assume that A before the final measurement is represented by a list of unitaries $U_1,\cdots ,U_{\ell }.$

Let $\mathcal{L}\left(\mathcal{H}\right)$ denote the linear operator from $\mathcal{H}$ to $\mathcal{H}$. For $A,B\in \mathcal{L}\left(\mathcal{H}\right)$, their commuter is defined as $[A,B]=AB-BA.$ The norm of linear operator A on $\mathcal{H}$ is defined as $||A||={max}_v||A|v\rangle ||$, where $|v\rangle$ goes over all the possible unit vectors in $\mathcal{H}.$ By the singular value decomposition theorem, we can write $A={\sum }_i{\lambda }_i|v_i\rangle \langle y_i|$, where ${\left\{v_i\right\}}_i$ and ${\left\{y_i\right\}}_i$ are respectively a set of orthonormal vectors in $\mathcal{H}$ and ${\left\{{\lambda }_i\right\}}_i$ is the set of positive singular values of A. Hence, $||A||={max}_i{\lambda }_i$. The trace distance between two states $\rho ,\sigma$ is defined as $D_t(\rho ,\sigma )={\displaystyle \frac{1}{2}}\mathsf{tr}(|\rho -\sigma |),$ where $|A|:=\sqrt{A^{†}A}$.

2.3. Multi-Signature

In this section, we introduce the multi-signature and its security model. A multi-signature scheme is a protocol that allows a group of signers to jointly generate a signature. The signature should be valid against an aggregated public-key determined from all signers’ public-keys. The protocol proceeds in rounds. Signers are pair-wise connected but the channel is not secure. The target is to generate a short signature. It is desired that the aggregated public-key should be short too.

Definition 2.

A multi-signature scheme is a quadruple of algorithms (Setup, KeyGen, Sign, Verify), described as follows.

Setup. Given $1^{\lambda }$, it generates a system parameter param. Note: param should be part of the input for KeyGen, Sign, Verify. But we usually omit it for brevity.

KeyGen. It takes param as input and generates a private key $sk$ and a public-key $pk$.

Sign. Given public-keys $(p{k}_1,\cdots ,p{k}_n)$ and a message $M,$ user i has the private key $s{k}_i$ w.r.t. $p{k}_i$. Then, they interact with each other and finally output a signature σ, with respect to an aggregated public-key $\overline{pk}:=F(p{k}_1,\cdots ,p{k}_n)$, where F is called an aggregation function.

Verify. Upon $(\sigma ,M)$ and an aggregated public-key $\overline{pk}=F(p{k}_1,\cdots ,p{k}_n)$, verifier outputs either 1 (for accept) or 0 (for reject).

Remark 1.

The aggregated key $\overline{pk}$ carries the information of the signers’ public-keys. It is desired that it has a size independent of n. But this is not enforced in the definition.

2.3.1. Security Model

In the following, we define the existential unforgeability of a multi-signature in the quantum random oracle model. Essentially, it says that no quantum adversary can forge a valid signature on a new message as long as the signing group contains an honest member. Toward this, the attacker can access to a signing oracle and quantum random oracle and create fake public-keys at will. The security is defined through a game between a challenger $\mathsf{CHAL}$ and a quantum attacker $\mathcal{A}$ that has oracle access to quantum random oracle maintained by CHAL.

Initially, CHAL generates param and a challenge public-key $p{k}^{*}$ with a private key $s{k}^{*}$. It then provides $p{k}^{*}|\mathsf{param}$ to $\mathcal{A}$ who has an initial state $|\psi \rangle ={\sum }_{xyw}{\lambda }_{xyw}{|x\rangle }_X{|y\rangle }_Y{|w\rangle }_W$, where $X,Y,W$ represents query register, response register and working register respectively. Next, $\mathcal{A}$ interacts with CHAL through signing oracle and random oracle $RO$ and finally generates a forgery.

Sign$(PK,M)$. Here $PK$ is a set of distinct public-keys with $p{k}^{*}\in PK$. Upon this query, CHAL represents the signer of $p{k}^{*}$ and $\mathcal{A}$ represents signers of $PK-\left\{p{k}^{*}\right\}$ to run the signing protocol on message M. Finally, it outputs the multi-signature $\sigma$ (if it succeeds) or ⊥ (if it fails).

RO. $\mathcal{A}$ can query random oracle $RO$ by providing his $XY$ registers to $\mathsf{CHAL}$ who applies $RO$ on $XYD$ so that ${RO|x\rangle }_X{|y\rangle }_Y{|H\rangle }_D=|x\rangle |y+H\left(x\right)\rangle |H\rangle ,$ where H is the random function and D is the random oracle register. Finally, it returns registers $XY$ back to $\mathcal{A}$. See Section 4.1 for details.

Forgery. Finally, $\mathcal{A}$ outputs a signature ${\sigma }^{*}$ for a message $M^{*}$, w.r.t. a set of distinct public-keys $(p{k}_1^{*},\cdots ,p{k}_N^{*})$ s.t. $p{k}^{*}=p{k}_i^{*}$ for some i. $\mathcal{A}$ succeeds if (a) $\mathsf{Verify}(\overline{p{k}^{*}},{\sigma }^{*},M^{*})=1$ and (b) $((p{k}_1^{*},\cdots ,p{k}_N^{*}),M^{*})$ was not issued to $\mathbf{Sign}$ oracle. Denote a success forgery event by $\mathbf{succ}$.

Definition 3.

A multi-signature scheme (Setup, KeyGen, Sign, Verify) is existentially unforgeable against chosen message attack (or EU-CMA for short) in the quantum random oracle model, if the following holds.

• Correctness.For $(s{k}_1,p{k}_1),\cdots ,(s{k}_n,p{k}_n)$ generated by KeyGen, the signature generated by signing algorithm on a message M will pass the verification, except for a negligible probability.
• Existential Unforgeability.For any quantum polynomial time adversary $\mathcal{A}$ in the above forgery game, $Pr\left(\mathbf{succ}\right(\mathcal{A}\left)\right)$ is negligible.

2.4. Canonical Linear Identification

A canonical identification system is a 3-round public coin protocol where the first round message has a super logarithmic min-entropy. It is formally defined as follows (also see Figure 1).

Definition 4.

A canonical identification scheme with parameter $\tau \in \mathbb{N}$ is a quadruple of algorithms $\mathcal{ID}=(\mathbf{Setup},\mathbf{KeyGen},P,V_{\tau })$, where Setup takes security parameter λ as input and generates a system parameter param; KeyGen is a key generation algorithm that takes $\mathsf{param}$ as input and outputs a public key $pk$ and a private key $sk$; P is an algorithm, executed by prover; $V_{\tau }$ is an algorithm parameterized by τ, executed by Verifier. $\mathcal{ID}$ is a three-round protocol, where Prover starts with a committing message $\mathrm{CMT}$ with $H_{\infty }\left(\mathrm{CMT}\right)=\omega (log\lambda )$, and then Verifier replies with a challenge $\mathrm{CH}\leftarrow \mathsf{\Theta }$ and finally Prover finishes with a response $\mathrm{Rsp}$ which will be either rejected or accepted by $V_{\tau }$.

The domains of $sk$, $pk$, CMT, Rsp are respectively denoted by $\mathcal{SK},\mathcal{PK},\mathcal{CMT},\mathcal{RSP}.$ We are interested in a canonical ID scheme with linearity [23] and simulability in the following sense.

Linearity. A canonical ID scheme $\mathcal{ID}=(\mathbf{Setup},\mathbf{KeyGen},P,V_{\tau })$ is linear if it satisfies the following conditions.

i.

$\mathcal{SK},\mathcal{PK},\mathcal{CMT},\mathcal{RSP}$ are $\mathcal{R}$-modules for some ring $\mathcal{R}$ with $\mathsf{\Theta }\subseteq \mathcal{R}$ (as a set);

ii.

For any ${\lambda }_1,\cdots ,{\lambda }_t\in \mathsf{\Theta }$ and public/private pairs $(s{k}_i,p{k}_i)$ ($i=1,\cdots ,t$), we have that $\overline{sk}={\sum }_{i=1}^t{\lambda }_i•s{k}_i$ is a private key of $\overline{pk}={\sum }_{i=1}^t{\lambda }_i•p{k}_i$.

Note: Operator • between $\mathcal{R}$ and $\mathcal{SK}$ (resp. $\mathcal{PK},\mathcal{CMT},\mathcal{RSP}$) might be different. But we will use the same symbol • as long as it is clear from the context.

iii.

Let ${\lambda }_i\leftarrow \mathsf{\Theta }$ and $(p{k}_i,s{k}_i)\leftarrow \mathbf{KeyGen}\left(1^{\lambda }\right),$ for $i=1,\cdots ,t.$ If ${CMT}_i|CH|{Rsp}_i$ is a faithfully generated transcript of the ID scheme w.r.t. $p{k}_i$, then

$$V_{\tau }(\overline{pk},\overline{CMT}|CH|\overline{Rsp})=1,$$

(1)

where $\overline{pk}={\sum }_{i=1}^t{\lambda }_i•p{k}_i,\overline{CMT}={\sum }_{i=1}^t{\lambda }_i•{CMT}_i$ and $\overline{Rsp}={\sum }_{i=1}^t{\lambda }_i•{Rsp}_i$.

Note: we require Equation (1) to hold only if the keys and transcripts are faithfully generated. If some are contributed by attacker, this equality might fail.

Simulability. $\mathcal{ID}$ is simulatable if there exists a polynomial time algorithm SIM s.t. for $(sk,pk)\leftarrow \mathbf{KeyGen}\left(1^{\lambda }\right)$, $\mathrm{CH}\leftarrow \mathsf{\Theta }$ and $(\mathrm{CMT},\mathrm{Rsp})\leftarrow \mathbf{SIM}(\mathrm{CH},pk,\mathsf{param})$, it holds that $\mathrm{CMT}|\mathrm{CH}|\mathrm{Rsp}$ is indistinguishable from a real transcript, even if the quantum distinguisher is given $pk|\mathsf{param}$ and has access to oracle ${\mathcal{O}}_{id}(sk,pk)$, where ${\mathcal{O}}_{id}(sk,pk)$ acts as follows: $(st,\mathrm{CMT})\leftarrow P\left(\mathsf{param}\right)$; $\mathrm{CH}\leftarrow \mathsf{\Theta }$; $\mathrm{Rsp}\leftarrow P(st|sk|pk,\mathrm{CH})$; output $\mathrm{CMT}|\mathrm{CH}|\mathrm{Rsp}.$

Now we define the security for a linear ID scheme. Essentially, it is desired that an attacker is unable to impersonate a prover w.r.t. an aggregated public-key, where at least one of the participating public-keys is not generated by attacker. Here we use the aggregated public-key as the challenge public-key in order to relate it to the security of the multi-signature later.

Definition 5.

A canonical identification scheme $\mathcal{ID}=(\mathbf{Setup},\mathbf{KeyGen},P,V_{\tau },\mathsf{\Theta })$ with linearity and $\tau \in \mathbb{N}$ is secure if it satisfies correctness and security below.

Correctness. When no attack presents, Prover will convince Verifier.

Soundness. For any quantum polynomial time algorithm $\mathcal{A}$, $Pr({\mathrm{EXP}}_{\mathcal{ID},\mathcal{A}}=1)$ is negligible, where ${\mathrm{EXP}}_{\mathcal{ID},\mathcal{A}}$ is defined below with $p{k}_i\in \mathcal{PK}$ for $i\in \left[t\right]$ and $\overline{pk}={\sum }_{i=1}^t{\lambda }_i•p{k}_i$.

Experiment ${\mathrm{Exp}}_{\mathcal{ID},\mathcal{A}}\left(\lambda \right)$

param$\leftarrow \mathbf{Setup}\left(1^{\lambda }\right)$;

$(p{k}_1,s{k}_1)\leftarrow \mathbf{KeyGen}\left(\mathsf{param}\right)$;

$(|s{t}_0\rangle ,p{k}_2,\cdots ,p{k}_t)\leftarrow \mathcal{A}(\mathsf{param},p{k}_1)$

${\lambda }_1,\cdots ,{\lambda }_t\leftarrow \mathsf{\Theta }$

$(|s{t}_1\rangle ,CMT)\leftarrow \mathcal{A}(|s{t}_0\rangle ,{\lambda }_1,\cdots ,{\lambda }_t)$;

$CH\leftarrow \mathsf{\Theta }$; $Rsp\leftarrow \mathcal{A}(|s{t}_1\rangle ,CH)$;

$b\leftarrow V_t(\overline{pk},CMT|CH|Rsp)$;

output $b.$

3. Basic Properties in Quantum Computing

In this section, we give some fundamental properties in quantum computing. The first result is trivial and can be verified by simple calculations. We thus state it without a proof.

Lemma 1.

Let $A,B,C\in \mathcal{L}\left(\mathcal{H}\right).$ Then, the following holds.

1.

$[AB,C]=A[B,C]+[A,C]B$;

2.

$[ABC,D]=AB[C,D]+A[B,D]C+[A,D]BC;$

3.

$[A^n,B]={\sum }_{i=0}^{n-1}{A}^i[A,B]A^{n-i-1}.$

The next lemma was stated in [15] with a proof omitted. We give a proof for completeness.

Lemma 2.

Let $A,B,A_1,,A_2\in \mathcal{L}\left(\mathcal{H}\right).$ Then, the following holds.

1.

If $A_1,A_2\in \mathcal{L}\left(\mathcal{H}\right)$, then $||A_1\otimes A_2||=||A_1||·||A_2||.$

2.

If $A^{†}B=0$ and $A{B}^{†}=0$, then $||A+B||\le max(||A||,||B||).$ Especially, if $A={\sum }_x|x\rangle \langle x|\otimes A^x$, then $||A||\le {max}_x||A^x||.$

Proof. 1. Let $A_1=U_1{D}_1{V}_1$ and $A_2=U_2{D}_2{V}_2$ for $D_i=\mathtt{diag}({\mu }_{i1},\cdots ,{\mu }_{i{t}_i})$ with ${\mu }_{ij}\ge 0$ and unitary $U_1,U_2,V_1,V_2$. Then, $A_1\otimes A_2=(U_1\otimes U_2)(D_1\otimes D_2)(V_1\otimes V_2).$ Hence, $||A_1\otimes A_2||=\left({max}_t{\mu }_{1t}\right)\left({max}_j{\mu }_{2j}\right)=||A_1||·||A_2||$ as $U_1\otimes U_2$ and $V_1\otimes V_2$ are unitary.

2. By the singular value decomposition theorem, we can write $A={\sum }_{i=1}^s{\lambda }_i|x_i\rangle \langle y_i|$ and $B={\sum }_{i=1}^t{\beta }_i|u_i\rangle \langle v_i|$, where $\{|x_i\rangle {\}}_i,{\{{\langle y_i|\}}_i,\{|u_i\rangle \}}_i,\{{\langle v_i|\}}_i$ are respectively orthonormal sets of vectors in $\mathcal{H}$ and ${\lambda }_j,{\beta }_i>0$. Then, from $A^{†}B=0$, we have ${\sum }_{i,j}{\lambda }_i^{*}{\beta }_j\langle x_i|u_j\rangle ·|y_i\rangle \langle v_j|=0.$ As $\langle y_i|A^{†}B|v_j\rangle =0$, we know that $\langle x_i|u_j\rangle =0$ for $i=1,\cdots ,s$ and $j=1,\cdots ,t.$ Similarly, from $A{B}^{†}=0$, we have $\langle y_i|v_j\rangle =0.$ Hence, $\{|y_i\rangle {{\}}_{i=1}^s,\{|v_i\rangle \}}_{i=1}^t$ are disjoint and together orthonormal states. They together can be extended to an orthonormal basis. Let $|x\rangle$ be any normalized state represented under this basis with coordinate vector $(w_1,\cdots ,w_n).$ Then, $(A+B)|x\rangle ={\sum }_{i=1}^s{\lambda }_i{w}_i|x_i\rangle +{\sum }_{j=1}^t{\beta }_j{w}_{s+j}|u_j\rangle .$ Its norm is upper bounded by ${max}_{ij}(|{\lambda }_i|,|{\beta }_j|)=max(||A||,||B||),$ desired! This result implies the second claim as $(|x\rangle {\langle x|\otimes A^x)}^{†}(|y\rangle \langle y|\otimes A^y)=0$ for any $x\ne y.$□

Definition 6.

Register D is a control register for operator B which works on registers $WD$, if B can be written as $B={\sum }_y{B}_y\otimes {|y\rangle \langle y|}_D$ for an orthonormal basis ${\{|y\rangle \}}_y$, where $B_y$ works on W.

Remark 2.

This definition is very loose. If B does not operate on D, by default, it is understood as $B\otimes I_D={\sum }_{x}B\otimes |x\rangle \langle x|$ for a basis ${\{|x\rangle \}}_x$ and so D is a control register for B. The following lemma is shown by simple verifications.

Lemma 3.

Let $XYD$ be three quantum registers. The following properties hold.

1.

If A operates on $XD$ while B operates on $YD$ with D being a control register in the same basis ${\{|y\rangle \}}_{y\in D}$ for both A and B, then $[A,B]=0.$

2.

If A is a projector on D in basis ${\{|y\rangle \}}_y$ and B operates on $YD$ with D being a control register in the same basis, then $[A,B]=0.$

Lemma 4.

Let $|\psi \rangle ={\sum }_y{t}_y|{\psi }_y\rangle |y\rangle$ be a joint state for register $XY$ with ${\{|y\rangle \}}_{y\in \mathcal{Y}}$ orthonormal basis of register Y. Let $P=\{|y\rangle {\langle y|\}}_y$ be the projective measurement on register Y. Let $Q={\left\{Q_x\right\}}_x$ be the measurement on register X. Let $U_y$ be a unitary on register X, labelled with $y\in \mathcal{Y}$. Consider procedure A: apply ${\sum }_{y\in \mathcal{Y}}{U}_y\otimes |y\rangle \langle y|$ to $|\psi \rangle$ and then apply measurement Q on X to output x. Also consider procedure $A^{\prime }$ which starts with measurement P on Y and continues with procedure A with the final output denoted by $x^{\prime }$. Then, the distributions of x and $x^{\prime }$ are identical.

Proof. Procedure A outputs x with probability $||{\sum }_y{t}_y{Q}_x{U}_y|{\psi }_y{\rangle |y\rangle ||}^2.$ The procedure $A^{\prime }$ outputs y, resulting in the collapsed state $U_y|{\psi }_y\rangle |y\rangle$ with probability $||t_y{||}^2$. Following the measurement Q, it outputs x with probability $||t_y{Q}_x{U}_y|{\psi }_y{\rangle |y\rangle ||}^2$. So the overall probability to output x with probability ${\sum }_y||t_y{Q}_x{U}_y|{\psi }_y{\rangle |y\rangle ||}^2=||{\sum }_y{t}_y{Q}_x{U}_y|{\psi }_y{\rangle |y\rangle ||}^2,$ as ${\{|y\rangle \}}_y$ is orthogonal, desired. □

Remark 3.

There are two points to clarify.

(1) In Lemma 4, it is important that projective measurement $P=\{|y\rangle {\langle y|\}}_y$ uses the same basis as ${\{|y\rangle \}}_y$ as in ${\sum }_y{U}_y\otimes |y\rangle \langle y|$. That is, the unitary needs to use register Y as a control register in the basis of the projective measurement P. Otherwise, the result will be incorrect. For example, let $|\psi \rangle =|0\rangle |+\rangle ,$ where $|+\rangle ={\displaystyle \frac{|0\rangle +|1\rangle }{\sqrt{2}}}$ and $|-\rangle ={\displaystyle \frac{|0\rangle -|1\rangle }{\sqrt{2}}}.$ Define $U_{+}=|1\rangle \langle 0|+|0\rangle \langle 1|$ and $U_{-}=I.$ Let $Q=\{|0\rangle \langle 0|,|1\rangle \langle 1|\}$ on register X and $P=Q$ but on register Y. Let $U=U_{+}\otimes |+\rangle \langle +|+U_{-}\otimes |-\rangle \langle -|$. Then, for procedure A, the state before measurement Q is $|1\rangle |+\rangle$ and hence the outcome of Q is 1 with probability 1. But procedure $A^{\prime }$, after measurement P, the state is $|0\rangle |1\rangle$ or $|0\rangle |0\rangle$, each with probability 1/2. Since $|1\rangle ={\displaystyle \frac{|+\rangle -|-\rangle }{\sqrt{2}}}$ and $|0\rangle ={\displaystyle \frac{|+\rangle +|-\rangle }{\sqrt{2}}}$, after applying U, the result is ${\displaystyle \frac{1}{\sqrt{2}}}(|1\rangle |+\rangle \pm |0\rangle |-\rangle )$ (± depending 1 or 0 on Y register) and next the measurement Q on register X gives the outcome 1 with probability $1/2·1/2+1/2·1/2=1/2.$ This is different from the procedure A.

(2) This counter example can also be regarded as the evidence that starting with a different projective measurement on the same register will result in a different final output distribution. Indeed, Procedure A in our example can also be regarded as starting with a projective measurement $P^{\prime }=\{|+\rangle \langle +|,|-\rangle \langle -|\}$ as it does not change $|\psi \rangle$, while procedure $A^{\prime }$ remains unchanged (starting with measurement P). But x and $x^{\prime }$ are distributed differently.

Summarizing the example, if we insert a measurement into the quantum algorithm, the output could be disturbed. But the following result states that the probabilities w/o a measurement are actually related. This result was given by Boneh and Zhandry [9] but it seems only valid for the case where M is a projective (instead of general) measurement.

Lemma 5.

Let A be a quantum algorithm and $Pr\left[x\right]$ be the probability that A outputs x. Let $A^{\prime }$ be the algorithm that runs A till some stage and then performs a projective measurement M which gives an outcome m (out of k possible choices) and next continues the execution of A with post-measurement state. Let ${Pr}^{\prime }\left[x\right]$ be the probability that $A^{\prime }$ outputs x. Then, ${Pr}^{\prime }\left[x\right]\ge Pr\left[x\right]/k.$

Proof. Let $M={\left\{M_i\right\}}_{i=1}^k$ be the measurement. Let $|\varphi \rangle$ be the state right before this measurement. Then, the probability of partial measurement outcome m occurs with probability $p_m=\langle \varphi |M_m^{*}{M}_m|\varphi \rangle$ and the post-measurement has the state $|{\varphi }_m\rangle =M_m|\varphi \rangle /\sqrt{p_m}.$ By deferred measurement principle, we can assume that A after this consists of a unitary U and a final projective measurement ${\left\{P_i\right\}}_i$ be the final measurement. Then

$$\begin{array}{cc}\hfill {Pr}^{\prime }\left[x\right]=& \sum _m{p}_m\langle {\varphi }_m|U^{†}{P}_x^{†}{P}_{x}U|{\varphi }_m\rangle =\sum _m\langle \varphi |M_m^{†}{U}^{†}{P}_x^{†}{P}_{x}U{M}_m|\varphi \rangle \hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill =& \sum _m||P_{x}U{M}_m{|\varphi \rangle ||}^2\ge ||\sum _m{P}_{x}U{M}_m{|\varphi \rangle ||}^2/k\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill =& ||P_x{U|\varphi \rangle ||}^2/k=Pr\left[x\right]/k.\hfill \end{array}$$

(4)

where the inequality follows from Cauchy-Schwarz inequality and Equation (4) uses the fact that M is the projective measurement so ${\sum }_m{M}_m={\sum }_m{M}_m^{†}{M}_m=I$. □

Lemma 6.

Let $|u\rangle ,|v\rangle$ be two states for a quantum system. $D_t(|u\rangle \langle u|,|v\rangle \langle v|)\le |||u\rangle -|v\rangle ||.$

Proof. Let $|0\rangle =|u\rangle$ and take $|1\rangle$ as a unit orthogonal state of $|0\rangle$ so that $|v\rangle =\omega (cos\left(\theta \right)|0\rangle +sin(\theta )|1\rangle )$ with $\theta \in [0,\pi /2]$, by absorbing the complex unit factor (if any) into $|1\rangle ,$ where $\omega$ is a complex unit factor. By calculation, $D_t(|u\rangle \langle u|,|v\rangle \langle v|)=|sin\left(\theta \right)|.$ On the other hand, $|||u\rangle -|v\rangle ||=\sqrt{{|1-\omega cos\left(\theta \right)|}^2+{sin}^2\left(\theta \right)}\ge \sqrt{{(1-cos\left(\theta \right))}^2+{sin}^2\left(\theta \right)}=2|sin(\theta /2)|.$ Since $|sin(\theta )|=2|sin(\theta /2)·cos(\theta /2)|\le 2|sin(\theta /2)|,$ the result follows. □

The following property states that an intermediate measurement by a quantum algorithm is not necessary (in the sense that we can replace it with a certain unitary) if we are only concerned with the final output. This is essentially the deferred measurement principle [43].

Lemma 7.

Let $|\varphi \rangle$ be a quantum state. We apply the following operators on register A: first a unitary U, then a measurement $M={\left\{M_y\right\}}_y$ that results in y, next a unitary $V_y$ and finally a measurement $N_y={\left\{N_{yx}\right\}}_x$ that results in x. Then, there exist a unitary W on A and additional registers $BC$ and a projective measurement P on C that results x with the same probability.

Proof. It can be seen that the original procedure outputs x with probability ${\sum }_y||N_{yx}{V}_y{M}_y{U|\varphi \rangle ||}^2.$ Then, define a unitary operator $U_M$ so that $U_M{|\varphi \rangle }_A{|0\rangle }_B={\sum }_y{M}_y{|\varphi \rangle }_A{|y\rangle }_B$ ([43]). Also define unitary V on $AB$ with $V={\sum }_y{V}_y\otimes {|y\rangle \langle y|}_B.$ Also define unitary $U_N$ so that $U_N{|u\rangle }_A{|y\rangle }_B{|0\rangle }_C={\sum }_x{\sum }_r(N_{rx}\otimes |r\rangle \langle r|){|u\rangle }_A{|y\rangle }_B{|x\rangle }_C.$ Finally, define P to be the projective measurement $P=\{|x\rangle {\langle x|\}}_x.$ Then, consider $U_{N}V{U}_M{U|\varphi \rangle }_A{|0\rangle }_B{|0\rangle }_C$ followed by P on C. Then, the probability of outcome x, by first applying $W=U_{N}V{U}_M$, followed by measurement P on C, is

$$\begin{array}{cc}\hfill {Pr}^{\prime }\left(x\right)=& ||\sum _r(N_{rx}\otimes |r\rangle \langle r{|}_B)·\sum _{y^{\prime }}{V}_{y^{\prime }}\otimes |y^{\prime }\rangle \langle y^{\prime }{|}_B·\sum _y{M}_y{|\varphi \rangle }_A{|y\rangle }_B{|x\rangle }_C{||}^2\hfill \\ \hfill =& ||\sum _y{N}_{yx}{V}_y{M}_y{U|\varphi \rangle |y\rangle ||}^2\hfill \\ \hfill =& \sum _y||N_{yx}{V}_y{M}_y{U|\varphi \rangle ||}^2,\mathrm{desired}!\square \hfill \end{array}$$

Remark 4.

In this lemma, register B is a control register in the basis ${\{|y\rangle }_B{\}}_y$ for other operators; register C is a control register in the basis ${\{|x\rangle }_C{\}}_x$ for other operators. Hence, the projective measurement $\{|x\rangle {\langle x|\}}_x$ on B commutes with other operators and so can be moved to the end of the operations (especially, after measurement P on C) and hence does not affect the distribution of outcome x of P, and hence it can be removed. This justifies the proof idea of the above lemma. With this in mind, the following generalization corollary of the lemma is straightforward.

Corollary 1.

Let $|\varphi \rangle$ be a quantum state of register A. For $\ell =1,\cdots ,N$, run a unitary $U_{\ell },$ measurement $M_{y^{\ell -1}}={\left\{M_{y^{\ell }}\right\}}_{y_{\ell }}$ that results in $y_{\ell }$, followed by unitary $V_{y^{\ell }}$, where $y^i$ represents the sequence $y_1\cdots y_i$. Finally, it applies measurement $N_{y^N}={\left\{N_{y^{N}x}\right\}}_x$ that results in x. Then, there is unitary W and projective measurement P that applies to the initial state ${|\varphi \rangle |0\rangle }_1{\cdots |0\rangle }_N|0\rangle$ and results in x with the same probability.

4. Quantum Random Oracle

In this section, we will introduce the quantum random oracle. We use bold font to represent the random oracle (e.g., $\mathbf{RO}$) and the italic font (e.g., $RO$) to represent the operator for the random oracle query. We distinguish an oracle and its operator because some oracle could offer more operators.

4.1. Standard Random Oracle

In the random oracle model, a cryptographic hash function $H:\mathcal{X}\to {\{0,1\}}^n$ is treated as an external oracle so that whenever one needs to compute $H\left(x\right)$, he queries x to this oracle and receives $H\left(x\right)$. We assume $\mathcal{X}$ has a finite bit-length. The oracle uses a random function from $\mathcal{X}$ to $\mathcal{Y}$ to answer the queries. Let $\mathcal{X}=\{x_1,\cdots ,x_N\}$ be an ordered set with $x_1<x_2<\cdots <x_N.$ Function H can be represented by its truth table $H\left(x_1\right),H\left(x_2\right),\cdots ,H\left(x_N\right)$. In the quantum random oracle model, H is represented by state $|H\rangle$ (using its truth table). An algorithm $\mathcal{A}$ can query a superposition to random oracle $\mathbf{RO}$. For query $|x\rangle |y\rangle$, $RO$ maps $|x\rangle |y\rangle |H\rangle$ to $|x\rangle |y\oplus H\left(x\right)\rangle |H\rangle$.

The standard random oracle $\mathbf{StO}$ has an initial state in a uniform superposition ${\displaystyle \frac{1}{\sqrt{2^{n|\mathcal{X}|}}}}{\sum }_H|H\rangle .$ For query $|x\rangle |y\rangle$, $StO$ maps ${\displaystyle \frac{1}{\sqrt{2^{n|\mathcal{X}|}}}}{\sum }_H|x\rangle |y\rangle |H\rangle$ to ${\displaystyle \frac{1}{\sqrt{2^{n|\mathcal{X}|}}}}{\sum }_H|x\rangle |y\oplus H\left(x\right)\rangle |H\rangle$. Notice that $\mathbf{RO}$ can be obtained from $\mathbf{StO}$ by starting with a projective measurement on oracle register (resulting in $|H\rangle$). Even though $\mathbf{RO}$ and $\mathbf{StO}$ are different, no adversary can distinguish them. This can be seen from Lemma 3(2) by observing that oracle register is a control register in the computational basis for adversarial operators (which do not operate on oracle register) and $StO$. Hence, the projective measurement on oracle register can be moved to after $\mathcal{A}$ makes the final measurement.

Fact 1.

Let $\mathcal{A}$ be a quantum algorithm with oracle access to the quantum random oracle. Then, $Pr({\mathcal{A}}^{\mathbf{RO}}\left(\right)=1)=Pr({\mathcal{A}}^{\mathbf{StO}}\left(\right)=1)$.

4.2. Compressed Random Oracle

The compressed random oracle $\mathbf{CStO}$ was introduced in [49] and our exposition mainly follows [15]. It is a powerful tool for security proof in the quantum random oracle model (QROM). Let $\mathcal{Y}={\{0,1\}}^n$ and $\overline{\mathcal{Y}}=\mathcal{Y}\cup \{\perp \}$. Let H be the quantum Walsh-Hadamard transform over $\mathbb{C}\left[\mathcal{Y}\right]$. Define ${\varphi }_y=H|y\rangle$ for $y\in {\{0,1\}}^n$. Since ${\{|y\rangle \}}_{y\in {\{0,1\}}^n}$ is orthonormal and $H^2=I$, $\{|{\varphi }_y\rangle {\}}_{y\in {\{0,1\}}^n}$ is orthonormal either. Then, we define an unitary operator F over $\mathbb{C}\left[\overline{\mathcal{Y}}\right]$ such that

$$\begin{array}{c}\hfill F|\perp \rangle =|{\varphi }_0\rangle ,F|{\varphi }_0\rangle =|\perp \rangle ,F|{\varphi }_y\rangle =|{\varphi }_y\rangle ,\forall y\in \mathcal{Y}-\left\{\mathbf{0}\right\}.\end{array}$$

(5)

It is Hermitian (i.e., $F^{†}=F$) because $F=|{\varphi }_0\rangle \langle \perp |+|\perp \rangle \langle {\varphi }_0|+{\sum }_{y\ne 0}|{\varphi }_y\rangle \langle {\varphi }_y|.$ Further, notice that $|y\rangle =2^{-n/2}{\sum }_{\eta \in {\{0,1\}}^n}{(-1)}^{y·\eta }|{\varphi }_{\eta }\rangle .$ This implies that $F|y\rangle =|y\rangle +2^{-n/2}(|\perp \rangle -|{\varphi }_0\rangle ).$

We consider the multi-register $D={\left\{D_x\right\}}_{x\in \mathcal{X}}$ for the random oracle, where $D_x$ has a state space $\mathbb{C}\left[\overline{\mathcal{Y}}\right]$, spanned by the computational basis ${\{|y\rangle \}}_{y\in \mathcal{Y}}\cup \{|\perp \rangle \}.$ The initial state of D is ${\otimes }_x{|\perp \rangle }_{D_x}$. We assume that the adversary has a query register X, response register Y and a work register $W.$ To query the oracle, adversary provides $XY$ registers to oracle who then applies unitary

$$\begin{array}{cc}\hfill CSt{O}_{XYD}& =\sum _{x\in \mathcal{X}}{|x\rangle \langle x|}_X\otimes CSt{O}_{Y{D}_x}\hfill \end{array}$$

(6)

on $XYD$, where $CSt{O}_{Y{D}_x}=F_{D_x}·{CNOT}_{Y{D}_x}·F_{D_x}$ and ${CNOT|y\rangle }_Y{|u\rangle }_{D_x}={|y+u\rangle }_Y{|u\rangle }_{D_x}.$ Then, the following result holds. It must be pointed out that the result holds only if no operator other than $CStO$ (resp. $StO$) is applied on D; otherwise, the result might fail.

Lemma 8.

[49] Let $\mathcal{A}$ be a quantum algorithm with oracle access to the quantum random oracle. Then, $Pr({\mathcal{A}}^{\mathbf{StO}}\left(\right)=1)=Pr({\mathcal{A}}^{\mathbf{CStO}}\left(\right)=1).$

4.3. Compressed Random Oracle with Adaptive Special Points

Compressed random oracle with adaptive special points (denoted by ${\mathbf{CStO}}_s$) is a natural generalization of $\mathbf{CStO}$. Liu and Zhandry [30] briefly introduced CStO with non-adaptive special points. But we believe that ${\mathbf{CStO}}_s$ (which has adaptive special points) is very useful in applications. It allows to register special points on the fly. In fact, it seems the Fiat-Shamir based signature proof in [30] also seems to require this adaptivity as the adversary’s signing query can not be guessed or predicted before the query. The oracle has the initial state ${\otimes }_x{|\perp \rangle }_{D_x}.$ We maintain two initially empty set ${\mathsf{\Xi }}_0$ and ${\mathsf{\Xi }}_1$ to record the special points at different stages. We also allow the oracle to abort after certain measurements and the motivation will be discussed later. The oracle can be accessed through three types of queries below.

• PointReg0 Query. One can send a new point $x\in \mathcal{X}$ to oracle. If $x\in {\mathsf{\Xi }}_0\cup {\mathsf{\Xi }}_1$, it does nothing; otherwise, the oracle updates ${\mathsf{\Xi }}_0={\mathsf{\Xi }}_0\cup \left\{x\right\}.$
• Random Oracle Query. One can issue a random oracle query by providing a query register X and a response register Y to oracle. If this is the ith random oracle query, the oracle applies a projective measurement ${\mathsf{\Lambda }}_i=({\mathsf{\Lambda }}_{i0},{\mathsf{\Lambda }}_{i1})$ in the computational basis to oracle register $D_{{\mathsf{\Xi }}_0}$ (${\mathsf{\Lambda }}_i$ can be determined by i and some parameters that are determined before the oracle starts). If the outcome is 1, it aborts; otherwise, it applies $CSt{O}_s={\sum }_{x\in \mathcal{X}}|x\rangle \langle x|\otimes CSt{O}_{sY{D}_x}$ to $XYD$ registers, where

  $$CSt{O}_{sY{D}_x}=\left\{\begin{array}{cc}CSt{O}_{Y{D}_x},\hfill & x\notin {\mathsf{\Xi }}_1\hfill \\ {CNOT}_{Y{D}_x},\hfill & otherwise.\hfill \end{array}\right.$$
  Finally, it returns register $XY$.
• PointReg1 Query. One can send $x\in {\mathsf{\Xi }}_0$ to oracle. If $x\notin {\mathsf{\Xi }}_0$, it does nothing. Otherwise, it measures $D_x$ with $\mathsf{\Pi }=({\mathsf{\Pi }}_0,{\mathsf{\Pi }}_1)$, where ${\mathsf{\Pi }}_0=|\perp \rangle \langle \perp |,{\mathsf{\Pi }}_1=I-{\mathsf{\Pi }}_0$. If the outcome is 1, it aborts; otherwise, it updates ${|\perp \rangle }_{D_x}$ with $|r\rangle$ for a random $r\in \mathcal{Y}$ (this can be done as ${|\perp \rangle }_{D_x}$ is now classic; or, we can apply unitary $|\perp \rangle \langle r|+|r\rangle \langle \perp |+{\sum }_{v\in \mathcal{Y}-\left\{r\right\}}|v\rangle \langle v|$). Finally, it updates ${\mathsf{\Xi }}_1={\mathsf{\Xi }}_1\cup \left\{x\right\}$ and ${\mathsf{\Xi }}_0={\mathsf{\Xi }}_0-\left\{x\right\}.$

Remark 5.

It is time to justify this strange random oracle. It is in fact motivated by the requirements in the security proof. The main motivation is to find a modified random oracle so that the randomly sampled experiment (with $\mathbf{CStO}$) in Section 5 can be easily converted into a game with this modified random oracle. The idea is that we want to define some special points and set their random oracle values to our own choices, just as I can do in the classical random oracle.

• In the classic random oracle, a simulator can set the random oracle values of special queries to his own choices. In the ${\mathbf{CStO}}_s$, a special point will be first recorded in ${\mathsf{\Xi }}_0$ and later set to a planned value (when a PointReg1 query on this point is issued). We handle special points in two stages for technical reasons (See the remark after Theorem 5) only. Essentially, if we define the random oracle value of a special point early (e.g., at the time of adding into ${\mathsf{\Xi }}_0$), it could make the previously selected experiment change to a different one.
• ${\mathbf{CStO}}_s$ is to formulate the selected experiment in Section 5 as a well-defined random oracle model. Especially, measurement ${\mathsf{\Lambda }}_i$ in a random oracle query is to make sure the interaction with oracle follows the restriction of the selected experiment. If the measurement outcome is 1, it indicates that the game is not consistent with the selected experiment and hence it can stop now; otherwise, it continues. This randomly selected but consistent experiment can guarantee the adversary to have a good success probability, compared with the original game.
• In the classic random oracle, a simulator can pay attention to each query to make sure that each special point is not queried before it is set to the designated value. In the quantum setting, recording each query is difficult as one can query ${\displaystyle \frac{1}{|\mathcal{X}|}}{\sum }_x{|x\rangle }_X{|0\rangle }_Y$ which indicates that every x is actually queried. To overcome this, we need to confirm that $OR\left(x\right)$ is not defined by measurement Π on $D_x$. If measurement is successful, then $D_x$ will have ${|\perp \rangle }_{D_x}$ now and non-⊥ components in the superposition are pruned and we can define the random oracle value for this x; if the measurement fails, we have no way to set the random oracle value for x and so abort.

We define ${\mathbf{CStO}}^{\prime }$ to be a variant of ${\mathbf{CStO}}_s$ so that $CSt{O}_s$ in the random oracle query is replaced by $CStO$ and also in PointReg1 query, in case the measurement outcome 0, it leaves ${|\perp \rangle }_{D_x}$ as it is (instead of replacing it by $|r\rangle$). Essentially, ${\mathbf{CStO}}^{\prime }$ is the same as $\mathbf{CStO}$, except it applies ${\mathsf{\Lambda }}_i$ and $\mathsf{\Pi }$ measurements on D. The following lemma shows that ${\mathbf{CStO}}_s$ is perfectly indistinguishable from ${\mathbf{CStO}}^{\prime }$, conditional on that the abort event in the oracle does not occur.

Lemma 9.

Let $\mathcal{A}$ be a quantum algorithm with access to quantum random oracle and $\mathsf{abort}$ be the oracle abortion event. Then,

$$\begin{array}{c}\hfill Pr({\mathcal{A}}^{{\mathbf{CStO}}^{\prime }}\left(\right)=1\wedge \neg \mathsf{abort})=Pr({\mathcal{A}}^{{\mathbf{CStO}}_s}\left(\right)=1\wedge \neg \mathsf{abort}).\end{array}$$

(7)

Proof. We use the hybrid argument with a variant ${\mathbf{CStO}}_s^{\prime }$ of ${\mathbf{CStO}}_s$ to bridge ${\mathbf{CStO}}_s$ and ${\mathbf{CStO}}^{\prime }$.

Oracle ${\mathbf{CStO}}_s^{\prime }$. We modify ${\mathbf{CStO}}_s$ to ${\mathbf{CStO}}_s^{\prime }$ so that upon PointReg1 query x with $D_x$ measured with outcome 0 (i.e., $|\perp \rangle$), it updates ${|\mathbf{y}\rangle }_D$ to ${\displaystyle \frac{1}{2^{n/2}}}{\sum }_r{|\mathbf{y}\cup {\left(r\right)}_x\rangle }_D$ (instead of ${|\mathbf{y}\cup \left(r\right)}_x{\rangle }_D$ for a random r), where $\mathbf{y}\cup {\left(r\right)}_x$ (which is well defined as $y_x=\perp$) is the vector with $y_{x^{\prime }}$ at index $x^{\prime }\ne x$ and r at index x. Notice that right after this, $x\in {\mathsf{\Xi }}_1$. Further, $D_x$ for this x is a control register (Def. 6) in the computational basis for adversary operations, ${\mathsf{\Pi }}_0,{\mathsf{\Pi }}_1,{\mathsf{\Lambda }}_{i0},{\mathsf{\Lambda }}_{i1}$ and $CSt{O}_{sY{D}_u}$. To see this, it suffices to check $CSt{O}_{sY{D}_x}$ only as other cases are clear (e.g., $CSt{O}_{sY{D}_u}$ for $u\ne x$ does not operate on $D_x$ at all). Since $x\in {\mathsf{\Xi }}_1$, we know that $CSt{O}_{Y{D}_x}={CNOT}_{Y{D}_x}$ which obviously can be written as a format of ${\sum }_{y\in \overline{\mathcal{Y}}}{B}_y\otimes {|y\rangle \langle y|}_{D_x}$. Further, ${\mathbf{CStO}}_s$ is obtained from ${\mathbf{CStO}}_s^{\prime }$ by projective measurement on $D_x$ in the computational basis for every $x\in {\mathsf{\Xi }}_1$ (right after x is put in ${\mathsf{\Xi }}_1$). By Lemma 3(2), the projective measurement on $D_x$ can be moved to the end of the interaction (after $\mathcal{A}$ outputs). Thus, the output of $\mathcal{A}$ with access to ${\mathbf{CStO}}_s^{\prime }$ is the same as with access to ${\mathbf{CStO}}_s$.

Oracle ${\mathbf{CStO}}^{\prime }$. We show that under the event $\neg \mathsf{abort}$, if the final (unnormalized) state after interacting with ${\mathbf{CStO}}_s^{\prime }$ is $|\psi \rangle$, then the final state (unnormalized) after interacting with ${\mathbf{CStO}}^{\prime }$ will be $F_{D_{{\mathsf{\Xi }}_1}}|\psi \rangle .$ This can be shown by induction on the query. It is correct initially, as ${\mathsf{\Xi }}_1=\varnothing$ initially and hence $F_{D_{{\mathsf{\Xi }}_1}}$ is identity. Then, if it is correct after query $i-1$, consider query $i.$ Before query i, $\mathcal{A}$ will operate on $XYW$ registers (for simplicity, assume it is a unitary). But since adversary does not operate on D, if the state right before query i (when interacting with ${\mathbf{CStO}}_s^{\prime }$) is $|\psi \rangle$, then the state right before query i (when interacting with ${\mathbf{CStO}}^{\prime }$) will be $F_{D_{{\mathsf{\Xi }}_1}}|\psi \rangle$.

If query i is a PointReg0 query, then the claim still holds after the query as no operation on the quantum state is executed.

If query i is a PointReg1 query x, then it suffices to consider $x\in {\mathsf{\Xi }}_0$. Since $x\notin {\mathsf{\Xi }}_1$ and the outcome of $\mathsf{\Pi }$ is 0 (otherwise, $\mathsf{abort}$ occurs, contradiction to the probability condition) so x will be added to ${\mathsf{\Xi }}_1$, the conclusion holds after the query as $F|\perp \rangle =|{\varphi }_0\rangle$ (while, after the query, $D_x$ in case of ${\mathbf{CStO}}_s^{\prime }$ will have $|\perp \rangle$ and $D_x$ in case of ${\mathbf{CStO}}^{\prime }$ will $|{\varphi }_0\rangle$).

If query i is a random oracle query, we show that the induction still holds. First, $[F_{D_{{\mathsf{\Xi }}_1}},{\mathsf{\Lambda }}_{ib}]=0$ for both $b=0,1$ as ${\mathsf{\Lambda }}_i$ only operates on register $D_{{\mathsf{\Xi }}_0}$. Thus, after the measurement (with the same outcome), the relation still holds. Second, the relation still holds after operator $CSt{O}_s$ (in case of ${\mathbf{CStO}}_s^{\prime }$) and operator $CStO$ (in case of ${\mathbf{CStO}}^{\prime }$): for query ${|x\rangle }_X{|y\rangle }_Y$ with $x\notin {\mathsf{\Xi }}_1$, both oracles use $CSt{O}_{Y{D}_x}$ to respond and hence their states after the query maintain the same relation (as $D_{{\mathsf{\Xi }}_1}$ is untouched); for query ${|x\rangle }_X{|y\rangle }_Y$ with $x\in {\mathsf{\Xi }}_1$, ${\mathbf{CStO}}^{\prime }$ uses $CSt{O}_{Y{D}_x}$ and ${\mathbf{CStO}}_s^{\prime }$ uses ${CNOT}_{Y{D}_x}$ but two applications of $F_{D_x}$ in ${CStO}_{Y{D}_x}$ will cancel out. So after the query the relation still holds. The induction holds too.

Let $|\psi \rangle$ be the final unnormalized state under $\neg \mathsf{abort}$ and the final measurement of $\mathcal{A}$ be $(P_0,P_1)$ with $P_1$ corresponding to outcome 1. Then, $Pr({\mathcal{A}}^{{\mathbf{CStO}}_s^{\prime }}\left(\right)=1\wedge \neg \mathsf{abort})$ is $||P_1{|\psi \rangle ||}^2$, while $Pr({\mathcal{A}}^{{\mathbf{CStO}}^{\prime }}\left(\right)=1\wedge \neg \mathsf{abort})$ is $||P_1·{\mathsf{F}}_{D_{{\mathsf{\Xi }}_1}}{|\psi \rangle ||}^2$. However, $||P_1·{\mathsf{F}}_{D_{{\mathsf{\Xi }}_1}}{|\psi \rangle ||}^2=||P_1{|\psi \rangle ||}^2$ as $F_{D_{{\mathsf{\Xi }}_1}}$ commute with $P_1$ (since they operate on disjoint registers) and $F^2=I$. □

The following lemma essentially states that if $x^{*}$ has large min-entropy and we measure $D_{x^{*}}$ of the adversary-oracle joint state, then, with high probability, the post-measurement state with outcome ⊥ is close to the original state.

Lemma 10.

Let the current adversary-oracle joint state be $|\psi \rangle ={\sum }_{z\mathbf{y}}{\lambda }_{z\mathbf{y}}{|z\rangle |\mathbf{y}\rangle }_D$ after q queries to ${\mathbf{CStO}}_s$ (or CStO ). Let $|{\psi }_x\rangle ={\sum }_{z\mathbf{y}:y_x=\perp }{\lambda }_{z\mathbf{y}}{|z\rangle |\mathbf{y}\rangle }_D$ and $x^{*}$ is a random variable over $\mathcal{X}$ with min-entropy at least μ. Then, with probability $1-2^{-\mu /2}$ (over $x^{*}$), $|||\psi \rangle -|{\psi }_{x^{*}}\rangle ||\le q^{1/2}{2}^{-\mu /4}$.

Proof. Let $|{\psi }_x^{\prime }\rangle ={\sum }_{z\mathbf{y}:y_x\ne \perp }{\lambda }_{z\mathbf{y}}{|z\rangle |\mathbf{y}\rangle }_D.$ Then, $|\psi \rangle =|{\psi }_x^{\prime }\rangle +|{\psi }_x\rangle .$ Consider $L:={\sum }_x|||{\psi }_x^{\prime }{\rangle ||}^2$. Let $N_{\mathbf{y}}$ be the number of x so that $y_x\ne \perp$ in $\mathbf{y}$. Then, given $\mathbf{y}$, $|\mathbf{y}\rangle$ appears in $|{\psi }_x^{\prime }\rangle$ for exactly $N_{\mathbf{y}}$ possible x’s. Thus, $L={\sum }_{z\mathbf{y}}{|{\lambda }_{z\mathbf{y}}|}^2{N}_{\mathbf{y}}.$ Since each $\mathbf{y}$ in $|\psi \rangle$ has at most q possible non-⊥ entries, it follows that $N_{\mathbf{y}}\le q$ and hence $L\le q.$ Hence, there are at most $2^{\mu /2}$ choices for x so that $|||{\psi }_x^{\prime }\rangle ||\ge q^{1/2}{2}^{-\mu /4}.$ Since $x^{*}$ has min-entropy $\mu$, we have that $|||{\psi }_{x^{*}}^{\prime }\rangle ||<q^{1/2}{2}^{-\mu /4}$ with probability at least $1-2^{-\mu /2}$. The lemma follows. □

4.4. Measurement $U_R$

Let $R\subset \mathcal{X}\times \mathcal{Y}$ be a fixed and efficiently verifiable relation with $R(x,y)=1$ if and only if $(x,y)\in R$. Especially, $R(x,y)=0$ for any $(x,y)\notin \mathcal{X}\times \mathcal{Y}$. We assume that $0\notin \mathcal{X}$ and so $R(0,y)=0$. Further, $R(x,\perp )=0$ as $\perp \notin \mathcal{Y}$. Let $\overline{\mathcal{X}}=\mathcal{X}\cup \left\{0\right\}.$ We define function $f_R:{\overline{\mathcal{Y}}}^{|\mathcal{X}|}\to \overline{\mathcal{X}}$ so that

$$f_R(y_1,\cdots ,y_N)=\left\{\begin{array}{cc}{x}_i,\hfill & (x_j,y_j)\notin Rforj<ibut(x_i,y_i)\in R\hfill \\ 0,\hfill & idoesnotexist.\hfill \end{array}\right.$$

where $\mathcal{X}=\{x_1,\cdots ,x_N\}$ is an ordered set with $x_1<x_2<\cdots <x_N.$ In other words, $f_R(y_1,\cdots ,y_N)$ is the smallest $x_i$ so that $(x_i,y_i)\in R.$ It is easy to verify that

$$\begin{array}{c}\hfill f_R(y_1,\cdots ,y_{|\mathcal{X}|})=\sum _{i=1}^{|\mathcal{X}|}{x}_i·\overline{R}(x_1,y_1)·\dots ·\overline{R}(x_{i-1},y_{i-1})·R(x_i,y_i).\end{array}$$

(8)

Here we emphasize that we do not require $\overline{\mathcal{X}}$ itself to be a group but we implicitly assume that it can be regarded as a subset of an Abelian group $\tilde{\mathcal{X}}$ (e.g., $\overline{\mathcal{X}}=\{0,1,2,4\}$ can be regarded as a subset of ${\mathbb{Z}}_5$). Next, we define $U_R$ to be a unitary on $\mathbb{C}{\left[\overline{\mathcal{Y}}\right]}^{\otimes \mathcal{X}}\otimes \mathbb{C}\left[\tilde{\mathcal{X}}\right]$ for register $DP$ so that

$$\begin{array}{c}\hfill U_R{|\mathbf{y}\rangle }_D{|w\rangle }_P={|\mathbf{y}\rangle }_D{|w+f_R(y_1,\cdots ,y_{|\mathcal{X}|})\rangle }_P,\end{array}$$

(9)

where ${|\mathbf{y}\rangle }_D:=|y_1{\rangle }_{D_{x_1}}\cdots {|y_{|\mathcal{X}|}\rangle }_{D_{x_{|\mathcal{X}|}}}$. Let

$${\mathsf{\Gamma }}_R=\underset{x}{max}|\{y\mid (x,y)\in R\}| and {\mathsf{\Gamma }}_x=|\{y\mid (x,y)\in R\}|.$$

(10)

Notice that our $U_R$ is an alternative specification but identical to $U_R$ in [15]. The following lemma was proved in [15] (we can obtain the same bound by a proof for our specification).

Lemma 11.

For any $x\in \mathcal{X}$, $||[F_{D_x},U_R]||\le 4\sqrt{2{\mathsf{\Gamma }}_R/2^n}.$

Lemma 12.

$[{CNOT}_{XYD},U_R]=0.$

Proof. It can be seen that ${CNOT}_{XYD}={\sum }_{\mathbf{y}}({\sum }_{x,y}|x,y_x+y\rangle \langle x,y|)\otimes {|\mathbf{y}\rangle \langle \mathbf{y}|}_D$ and also that $U_R={\sum }_{\mathbf{y}}({\sum }_w|w+f_R\left(\mathbf{y}\right)\rangle \langle w{|}_P)\otimes {|\mathbf{y}\rangle \langle \mathbf{y}|}_D$. Therefore, D is a control register for $U_R$ and ${CNOT}_{XYD}$ in the computational basis. By Lemma 3(1), they commute. □

Theorem 1.

$||[CSt{O}_s,U_R]||\le 8·2^{-n/2}\sqrt{2{\mathsf{\Gamma }}_R}.$

Proof. Notice that $CSt{O}_s={\sum }_{x\in \mathcal{X}}|x\rangle \langle x|\otimes CSt{O}_{sY{D}_x}$ and for $x\in {\mathsf{\Xi }}_1$, $CSt{O}_{sY{D}_x}={CNOT}_{Y{D}_x}$. Hence, by Lemma 12, $[CSt{O}_s,U_R]={\sum }_{x\notin {\mathsf{\Xi }}_1}{|x\rangle \langle x|}_X\otimes [F_{D_x}\otimes {CNOT}_{Y{D}_x}\otimes F_{D_x},U_R],$ where we also use $[|x\rangle \langle x{|}_X,U_R]=0.$ By Lemma 1(3) and Lemma 2(2),

$$||[CSt{O}_s,U_R]||\le 2\underset{i}{max}||[F_{D_{x_i}},U_R]||+||[CNOT,U_R]||.$$

By Lemma 11 and Lemma 12, the result follows. □

4.5. Bounding the Probability for Relation Search through Oracle Queries

We are interested in finding an entry $y_x$ for some x in the oracle (through oracle queries) so that $R(x,y_x)=1$ for a relation R. The following lemma upper bounds the probability for this. The proof idea is that $R(x,y_x)=1$ can be detected by applying $U_R$ and measuring P register with outcome $\widehat{x}\ne 0.$ If we apply $U_R$ and measure P at the beginning of the interaction, then $\widehat{x}=0$ because the initial oracle state is dummy. Hence, the success probability with $U_R$ at the end of interaction, is bounded by the squared norm of the commuter of operators (throughout the interaction) with $U_R$.

Lemma 13.

Let $\mathcal{A}$ be a quantum algorithm with access to ${\mathbf{CStO}}_s$, incurring $L_0$ random oracle queries and $q-L_0$ PointReg1 queries. The final state goes through $U_R$ of relation R and a projective measurement on register P in the computational basis with outcome $\widehat{x}\in \overline{\mathcal{X}}$. Then,

$$\begin{array}{c}\hfill Pr(\widehat{x}\ne 0\wedge \neg \mathsf{abort})\le 128q^2{\mathsf{\Gamma }}_R/2^n.\end{array}$$

(11)

Proof. Let $|\psi \rangle$ be the initial state of $\mathcal{A}$ with registers $XYZ$. The joint initial state with oracle is then $|{\omega }_0{\rangle =|\psi \rangle }_{XYZ}\otimes {({\otimes }_x|\perp \rangle }_{D_x}{)\otimes |0\rangle }_P$ (after register P added). Then, $\mathcal{A}$ has access to ${\mathbf{CStO}}_s$, incurring $L_0$ random oracle queries with intermediate operator $V_{XYZ}$, where, for simplicity, we assume that $V_{XYZ}$ remains unchanged throughout the game. Finally, oracle applies $U_R$ on $DP$ and projective measurement $\mathbf{P}$ on P, outputting the outcome $\widehat{x}$. The final state before measurement $\mathbf{P}$ is $|\omega \rangle =U_R{(V·{\mathbf{CStO}}_s)}^L|{\omega }_0\rangle$ for some L, where ${\mathbf{CStO}}_s$ is PointReg0 query or PointReg1 query or random oracle query. If the query is PointReg0, it does not operate on the state and so commutes with $U_R$; if it is PointReg1, then we only consider the case $x\in {\mathsf{\Xi }}_0$. Under $\neg \mathsf{abort}$, it consists of projector ${\mathsf{\Pi }}_0$ and $U_{\perp ,r}=|r\rangle \langle \perp |+|\perp \rangle \langle r|+{\sum }_{v\ne r}|v\rangle \langle v|$ for uniformly random r over $\mathcal{Y}$. We notice that $[{\mathsf{\Pi }}_0,U_R]=0$. Further, it is not hard to verify that $U_{\perp ,r}{\mathsf{\Pi }}_0$ in PointReg1 commutes with $U_R$ if $(x,r)\notin R$ (as $(x,\perp )\notin R$). If it is a random oracle query, we notice that $[{\mathsf{\Lambda }}_i,U_R]=0$ as D is control register for both ${\mathsf{\Lambda }}_i$ and $U_R$ in the computational basis. Therefore,

$$\begin{array}{cc}\hfill & Pr(\widehat{x}\ne 0\wedge \neg \mathsf{abort})\hfill \\ \hfill & \le {\mathbf{E}}_{\mathbf{r}}(||(I-|0\rangle \langle 0{|}_P){|\omega \rangle ||}^2)/*r^{\prime }\mathrm{s\; from\; PointReg1;\; state}|\omega \rangle \mathrm{is\; consistent\; with}\neg \mathsf{abort}*/\hfill \\ \hfill & ={\mathbf{E}}_{\mathbf{r}}(||(I-|0\rangle \langle 0{|}_P)[U_R,{(V·{\mathbf{CStO}}_s)}^L]|{\omega }_0\rangle +(I-|0\rangle \langle 0{|}_P){(V·{\mathbf{CStO}}_s)}^L{U}_R|{\omega }_0{\rangle ||}^2)\hfill \\ \hfill & /*{\mathbf{CStO}}_s\mathrm{requires\; the\; operator\; for\; measurement\; outcome}(e.g.,{\mathsf{\Pi }}_0,{\mathsf{\Lambda }}_{i0})\mathrm{consistent\; with}\neg \mathsf{abort}*/\hfill \\ \hfill & ={\mathbf{E}}_{\mathbf{r}}(||(I-|0\rangle \langle 0{|}_P)[U_R,{(V·{\mathbf{CStO}}_s)}^L]|{\omega }_0{\rangle ||}^2)\hfill \\ \hfill & /*\mathrm{as} V \mathrm{and}{\mathbf{CStO}}_s{\mathrm{do\; not\; operate\; on} P \mathrm{and\; so\; part\; 2\; has} |0\rangle }_P\mathrm{before\; applying} I-|0\rangle \langle 0|*/\hfill \\ \hfill & \le {\mathbf{E}}_{\mathbf{r}}(||[U_R,{(V·\mathbf{CStO})}^L]{||}^2)\le {\mathbf{E}}_{\mathbf{r}}\left\{\right(L_0||[U_R,CSt{O}_s]||+\sum _i||[U_R,U_{\perp ,r_i}]{||)}^2\}\hfill \\ \hfill & /*\mathrm{Lemma\; 1(3)\; and} [{\mathsf{\Lambda }}_i,U_R]=[{\mathsf{\Pi }}_0,U_R]=[V,U_R]=0 \mathrm{and} L_{0}is♯\mathrm{of} CSt{O}_s \mathrm{queries}\hfill \\ \hfill & \mathrm{and} r_i \mathrm{corresponds} \mathrm{to} r \mathrm{in} \mathrm{the} i\mathrm{th} \mathrm{PointReg1\; query}.*/\hfill \\ \hfill & \le {\mathbf{E}}_{\mathbf{r}}\left\{{(8L_0·2^{-n/2}\sqrt{2{\mathsf{\Gamma }}_R}+2N_{\mathbf{r}})}^2\right\}.\hfill \\ \hfill & /*N_{\mathbf{r}} \mathrm{is\; the\; number\; of} r_i \mathrm{in} i\mathrm{th} \mathrm{PointReg1}\left(x_i\right) \mathrm{so\; that} (x_i,r_i)\in R*/\hfill \\ \hfill & /*[U_R,U_{\perp ,r}]=0 \mathrm{for} (x,r)\notin R;||[U_R,U_{\perp ,r}]||\le 2as||U_R||=||U_{\perp ,r}||=1*/\hfill \\ \hfill & \le 128q^2{\mathsf{\Gamma }}_R/2^n,\hfill \end{array}$$

where the last inequality follows from the calculation with the observation: $N_{\mathbf{r}}$ is the result of Bernouli trial with probability ${\mathsf{\Gamma }}_R/2^n$ for $q-L_0$ times; $\mathbf{E}{(a+N_{\mathbf{r}})}^2=Var\left(N_{\mathbf{r}}\right)+{[a+\mathbf{E}\left(N_{\mathbf{r}}\right)]}^2$; $Var\left(N_{\mathbf{r}}\right)=(q-L_0){\mathsf{\Gamma }}_R/2^n(1-{\mathsf{\Gamma }}_R/2^n)$ and $\mathbf{E}\left(N_{\mathbf{r}}\right)=(q-L_0){\mathsf{\Gamma }}_R/2^n$. The lemma follows. □

4.6. Simulating ${\mathbf{CStO}}_s$ with Extraction

In this section, we adapt the simulation of $\mathbf{CStO}$ with the extraction capability in [15] to the ${\mathbf{CStO}}_s$ setting. Essentially, the simulator simulates the oracle and also provides an interface for extracting the attacker’s oracle query x that, together with y in $D_x$, is a witness of a target “commitment”. Let $\theta (x,y)$ be an arbitrary but fixed function from $\mathcal{X}\times \mathcal{Y}$ to $\mathcal{T}.$ For $t\in \mathcal{T}$, define relation $R_t=\{(x,y)\mid \theta (x,y)=t\}$ and $U_t$ denotes unitary $U_{R_t}$. Then, the simulator is described in Figure 2.

In the following, we prove that if $\mathcal{A}$ uses x and $y=OR\left(x\right)$ to generate t, then the extracted $\widehat{x}$ from $\mathcal{S}.E\left(t\right)$ will equal to x. This is useful in a security proof where an attacker generates an output and we need to find out the witness of this output. We first prove a weaker version of this: if $\widehat{x}$ is extracted at the end of game, the claim is true. Then, we extend to the case that $\widehat{x}$ is extracted on-the-fly (i.e., right after $\mathcal{A}$ outputs t).

4.6.1. Extraction at the End of Game

We begin with a collision event in a computational basis ${|\mathbf{y}\rangle }_D$ in the oracle state w.r.t. a function f in the sense that $f(x,y_x)=f(x^{\prime },y_{x^{\prime }})$ for some $x^{\prime }\ne x$. We give a result which says that after q oracle queries, the probability of collision in the oracle is small. It is extended from [49] in the setting of $\mathbf{CStO}$ to ${\mathbf{CStO}}_s$ (see Appendix C for details).

Lemma 14.

Let $f:\mathcal{X}\times \mathcal{Y}\to \mathcal{T}$. Then, for any quantum algorithm $\mathcal{A}$ with access to ${\mathbf{CStO}}_s$, incurring q oracle queries of either PointReg1 or random oracle,

$$Pr(\mathsf{col}\wedge \neg \mathsf{abort})\le 16q^3{\mathsf{\Gamma }}_f/2^n,$$

(12)

where $\mathsf{col}$ is the collision event in the final state ${\rho }_q$ and ${\mathsf{\Gamma }}_f={max}_{x^{\prime }\ne x,y^{\prime }}|\{y\mid f(x,y)=f(x^{\prime },y^{\prime })\}|$.

Now we give an extraction theorem, where $\widehat{x}$ is extracted at the end of oracle access. It states that if attacker computes t from x so that $t=f(x,RO(x\left)\right)$, then $\mathcal{S}.E\left(t\right)$ at the end of game will most likely have $\widehat{x}=x$. The idea is as follows. Assume $\widehat{x}\ne x$. After attacker’s oracle access to ${\mathbf{CStO}}_s$, we apply a classical oracle query on x with result $y_x$. Assume this state (right before $\mathcal{S}.E\left(t\right)$) is ${\sum }_{\mathbf{y}:y_{x}fixed}{\lambda }_{\mathbf{y}}|{\omega }_{\mathbf{y}}{\rangle |\mathbf{y}\rangle }_{D_{\mathcal{X}-\left\{x\right\}}}F|y_x{\rangle }_{D_x}{|0\rangle }_P$. Further, notice that $F|y_x\rangle =|y_x\rangle +|\delta \rangle$. If $\mathbf{y}$ in the sum measures with outcome $\widehat{x}$ (i.e., after $\mathcal{S}.E\left(t\right)$), then it has a collision (since $f(\widehat{x},y_{\widehat{x}})=t=f(x,y_x)$). This probability is small (by Lemma 15) and we can ignore it. If ${|\mathbf{y}\rangle }_{D_{\mathcal{X}-\left\{x\right\}}}|y_x^{\prime }\rangle$ for $y_x^{\prime }\ne y_x$ under $\mathcal{S}.E\left(t\right)$ gives $\widehat{x}$, then $y_x^{\prime }$ must come from $\delta$. However, $||\delta ||$ is very small. So this is unlikely too. This idea is from [15] in the $CStO$ case and can be generalized to prove a vector $(\mathbf{t},\mathbf{x})$ case.

Theorem 2.

Consider quantum algorithm $\mathcal{A}$ with access to $\mathcal{S}$ (via interfaces other than $\mathcal{S}.E$), including q random oracle queries or PointReg1 queries and outputting $\mathbf{t}\in {\mathcal{T}}^{\ell }$ and $\mathbf{x}\in {\mathcal{X}}^{\ell }.$ Let $h_i$ be the output for an additional classical query $x_i$ to $\mathcal{S}.RO$ and ${\widehat{x}}_i=\mathcal{S}.E\left(t_i\right)$. Then,

$$\begin{array}{c}\hfill Pr(\exists i:x_i\ne {\widehat{x}}_i,f(x_i,h_i)=t_i\wedge \neg \mathsf{abort})\le 2^{-n+1}\ell +16{(q+\ell )}^3{\mathsf{\Gamma }}_f/2^n.\end{array}$$

(13)

Proof. Let the adversary-oracle joint state be $|{\psi }_0\rangle$ after queries to $\mathcal{S}$ (including q random oracle queries or PointReg1 queries). In the following, we always assume that random oracle query does not abort. Then, $\mathcal{A}$ measures and outputs $\mathbf{t},\mathbf{x}$. Each $x_i$ is then classically queried to $\mathcal{S}.RO$ and results in a joint state $|{\psi }_1\rangle$. We assume that $\mathbf{x}\cap {\mathsf{\Xi }}_1=\varnothing$ (the other case is similar). Hence, $|{\psi }_1\rangle$ can be written as $|{\psi }_1{\rangle =|\mathbf{r}\rangle }_{D_{{\mathsf{\Xi }}_1}}\otimes F_{D_{\mathbf{x}}}{|\mathbf{h}\rangle }_{D_{\mathbf{x}}}\otimes {\sum }_{\omega \mathbf{u}:\mathbf{u}\in {\overline{\mathcal{Y}}}^A}{\lambda }_{\omega \mathbf{u}}{|\omega \rangle }_{XYZ}{|\mathbf{u}\rangle }_{D_A},$ where ${\mathsf{\Xi }}_1\cup \mathbf{x}\cup A$ is a decomposition of $\mathcal{X}.$

Finally, it applies the projective measurement ${\mathsf{\Pi }}_D=\{|\mathbf{y}\rangle {\langle \mathbf{y}|\}}_{\mathbf{y}\in {\overline{\mathcal{Y}}}^{\mathcal{X}}}$ in the computational basis on D and applies $U_{t_i},i=1,\cdots ,\ell$ followed by (projective) measurement on register P as well as measurement $({\mathsf{\Pi }}_{col},I-{\mathsf{\Pi }}_{col})$ to the resulting state (assuming the collision measurement writes the result in a new register C), where ${\mathsf{\Pi }}_{col}$ is a projection into a space spanned by ${|\mathbf{y}\rangle }_D$ with $\mathbf{y}\in {\overline{\mathcal{Y}}}^{\mathcal{X}}$ satisfying $f(x,y_x)=f(x^{\prime },y_{x^{\prime }})$ for some $x^{\prime }\ne x$ and $y_x,y_{x^{\prime }}\in \mathcal{Y}.$ Notice that D is a control register in the computational basis for ${\mathsf{\Pi }}_D,\mathbf{P}{U}_{t_i}$, and collision measurement, where $\mathbf{P}$ is the projective measurement on P. Hence, by Lemma 3, they all commute. Hence, both collision probability and $Pr(\exists i:x_i\ne {\widehat{x}}_i,f(x_i,h_i)=t_i)$ will remain the same as the original game. For collision probability, it is the same as we move $\mathbf{P}{U}_{t_i}$ and ${\mathsf{\Pi }}_D$ to after collision measurement; for $Pr(\exists i:x_i\ne {\widehat{x}}_i,f(x_i,h_i)=t_i)$, it is similar by keeping $\mathbf{P}{U}_{t_i}$ while moving other two operators to the end of game. Let $col$ be the output 0 of measurement $({\mathsf{\Pi }}_{col},I-{\mathsf{\Pi }}_{col})$. Notice that

$$\begin{array}{cc}\hfill & Pr(\exists i:x_i\ne {\widehat{x}}_i,f(x_i,h_i)=t_i||{\psi }_1\rangle )\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill \le & Pr(\exists i:x_i\ne {\widehat{x}}_i\wedge f(x_i,h_i)=t_i\wedge \neg col||{\psi }_1\rangle )+Pr(col||{\psi }_1\rangle )\hfill \end{array}$$

(15)

Notice that register $D_{x_i}$ in $|{\psi }_1\rangle$ is $|h_i\rangle +2^{-n/2}(|\perp \rangle -|{\varphi }_0\rangle ).$ Since $f(x_i,h_i)=t_i$, it follows that under $\neg col$ condition, $x_i\ne {\widehat{x}}_i$ implies that after measurement on P (that results in ${\widehat{x}}_i$ in the ith component on register P), the post-measurement joint state $|{\psi }^{\prime }{\rangle }_{XYZD}{|\widehat{\mathbf{x}}\rangle }_P$ must have $D_{x_i}$ content different from $h_i$ (that is, $\langle h_i|{\psi }^{\prime }\rangle =0$). Since $|{\psi }_1\rangle$ has $F|h_i\rangle$ in $D_{x_i}$, this has a probability $1-|\langle h_i|(|h_i\rangle +2^{-n/2}|{\varphi }_0{\rangle )|}^2=1-{(1-2^{-n})}^2\le 2^{-n+1}.$ There are at most ℓ possible i’s. So the first item in Equation (15) is at most $2^{-n+1}\ell$. On the other hand, $|{\psi }_1\rangle$ is obtained by measurements. Averaging over the choices of $|{\psi }_1\rangle$ satisfying $\neg \mathsf{abort}$ (due to intermediate measurements) gives $Pr(\exists i:x_i\ne {\widehat{x}}_i\wedge f(x_i,h_i)=t_i\wedge \neg col\neg \mathsf{abort})\le 2^{-n+1}\ell$. By Lemma 14, $Pr(col\wedge \neg \mathsf{abort})\le 16{(q+\ell )}^3{\mathsf{\Gamma }}_f/2^n$. Thus, $Pr(\exists i:x_i\ne {\widehat{x}}_i,f(x_i,h_i)=t_i\wedge \neg \mathsf{abort})\le 2^{-n+1}\ell +16{(q+\ell )}^3{\mathsf{\Gamma }}_f/2^n.$□

4.6.2. Extraction on the Fly

We have showed the extraction result where the extractions occur only at the end of the game. To be useful, it is expected that we can extract them “on-the-fly" (i.e., right after each commitment is given during the game). In the following, we consider this. The result is extended from [15] from the $\mathbf{CStO}$ setting to the ${\mathbf{CStO}}_s$ setting.

Let us consider a function $f:\mathcal{X}\to \mathcal{T}\cup \{\varnothing \}$ with some special set $\mathsf{\Xi }\subset \mathcal{X}$ so that $f(\mathsf{\Xi },\mathcal{Y})=\varnothing$ and $f(\overline{\mathsf{\Xi }},\mathcal{Y})\subseteq \mathcal{T}$. Consider the following games, where $\mathcal{S}.{\mathbf{CStO}}_s$ is $\mathcal{S}.RO$ or $\mathcal{S}.P{R}_0$ or $\mathcal{S}.P{R}_1$.

Game ${\mathsf{\Gamma }}_0.$ $\mathcal{A}$, with $q_1^{\prime }$ queries to ${\mathbf{CStO}}_s$, outputs $t\in \mathcal{T}$ and then with $q_2^{\prime }$ queries to ${\mathbf{CStO}}_s$, outputs $x\in \mathcal{X}$ and auxiliary output $W.$ Finally, x is classically issued to ${\mathbf{CStO}}_s$ with response h.

Game ${\mathsf{\Gamma }}_1$. $\mathcal{A}$, with $q_1^{\prime }$ queries to $\mathcal{S}.{\mathbf{CStO}}_s$, outputs $t\in \mathcal{T}$ and $\mathcal{S}.E\left(t\right)$ is executed to output $\widehat{x}$. Then, $\mathcal{A}$ continues $q_2^{\prime }$ queries to $\mathcal{S}.{\mathbf{CStO}}_s$ and finally outputs $x\in \mathcal{X}$ and auxiliary output W. Finally, x is classically issued to $\mathcal{S}.{\mathbf{CStO}}_s$ with response h.

Let $q_1$ be the number of random oracle queries or PointReg1 queries in the first $q_1^{\prime }$ queries to $\mathcal{S}.{\mathbf{CStO}}_s$. Similarly, we can define $q_2.$ The pair ${(X,Y)}_{\mathsf{\Gamma }}$ denotes $(X,Y)$ in game $\mathsf{\Gamma }$. Define $\Delta ({(X,Y=y)}_{{\mathsf{\Gamma }}_0},{(X,Y=y)}_{{\mathsf{\Gamma }}_1})\stackrel{def}{=}{\displaystyle \frac{1}{2}}{\sum }_x|P_{XY}(x,y)-Q_{XY}(x,y)|$ (a partial sum in the statistical distance), where $P_{XY}$ (resp. $Q_{XY})$ is the joint distribution of $XY$ in ${\mathsf{\Gamma }}_0$ (resp. ${\mathsf{\Gamma }}_1$).

In the following, we show that adversarial outputs from ${\mathsf{\Gamma }}_0$ and ${\mathsf{\Gamma }}_1$ are close. Also, the extraction $\widehat{x}$ from $\mathcal{S}.E\left(t\right)$ in ${\mathsf{\Gamma }}_1$ will be mostly identical to x. The idea is that ${\mathsf{\Gamma }}_0$ can be regarded as the simulated game with extraction occurring at the end because the extraction at the end does not affect the adversarial output. Then, we try to shift $\mathcal{S}.E\left(t\right)$ toward the end of game step-by-step and quantify the change of the quantum state. We find that the change throughout this shift process is small. The second claim $x=\widehat{x}$ follows from the foregoing argument and Theorem 2.

Theorem 3.

Let ${\left(\alpha \right)}_{\mathsf{\Gamma }}$ be the random variable α w.r.t. game $\mathsf{\Gamma }.$ Let $\mathcal{A}$ be a quantum algorithm with access to ${\mathbf{CStO}}_s$ s.t. ${\mathsf{\Xi }}_1\subseteq \mathsf{\Xi }$. Let $q=q_1+q_2.$ Then,

$$\begin{array}{cc}\hfill & \Delta ({(t,x,h,W,\mathsf{abort}=0)}_{{\mathsf{\Gamma }}_0},{(t,x,h,W,\mathsf{abort}=0)}_{{\mathsf{\Gamma }}_1})\le 8(q_2+1)\sqrt{2{\mathsf{\Gamma }}_f/2^n},\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill & Pr(x\ne \widehat{x}\wedge f(x,h)=t\wedge \mathsf{abort}=0)\le 8(q_2+1)\sqrt{2{\mathsf{\Gamma }}_f/2^n}+2^{-n+1}+{\displaystyle \frac{16{(q+1)}^3{\mathsf{\Gamma }}_f}{2^n}}.\hfill \end{array}$$

(17)

Proof. Let $U_t$ be the unitary measurement on $DP$, following which, the projective measurement ${\left\{P_x\right\}}_{x\in \overline{\mathcal{X}}}$ on register P is applied, resulting in $\widehat{x}$. Assume that ${\left\{T_t\right\}}_t$ is the measurement for t. Let $V_{XYW}$ be the unitary operator of $\mathcal{A}$ between queries, and ${\left\{M_{xw}\right\}}_{x,w}$ be the measurement for $(x,w).$ The initial state is $|{\gamma }_0{\rangle =|\omega \rangle }_{XYW}\otimes {({\otimes }_x|\perp \rangle }_{D_x}{)\otimes |0\rangle }_P.$ Then, the final unormalized state in ${\mathsf{\Gamma }}_1$ is

$$\begin{array}{cc}\hfill |{\gamma }_1\rangle =& P_h·\mathcal{S}.RO·M_{xw}·{(\mathcal{S}.{\mathbf{CStO}}_s·V)}^{q_2}·\mathcal{S}.E\left(t\right)·T_t·{(\mathcal{S}.{\mathbf{CStO}}_s·V)}^{q_1}|{\gamma }_0\rangle \hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill =& P_h·{\mathbf{CStO}}_s·M_{xw}·{({\mathbf{CStO}}_s·V)}^{q_2}·P_{\widehat{x}}·U_t·T_t·{({\mathbf{CStO}}_s·V)}^{q_1}|{\gamma }_0\rangle ,\hfill \end{array}$$

(19)

where the last ${\mathbf{CStO}}_s$ in Equation (19) is a random oracle query and $P_{\widehat{x}}=|\widehat{x}\rangle \langle \widehat{x}{|}_P$. Further, if $\mathcal{A}$ makes a random oracle query, then under $\mathsf{abort}=0$, $\mathcal{S}.{\mathbf{CStO}}_s$ is $CSt{O}_s·{\mathsf{\Lambda }}_{i0}$; if $\mathcal{A}$ makes PointReg1 query x and $\mathsf{abort}=0$, then oracle applies ${\mathsf{\Pi }}_0$ and then $U_{\perp ,r}$ to $D_x$. A PointReg0 query does not impact on the quantum state and hence does not occur in the above equation but it is implicit to maintain ${\mathsf{\Xi }}_0$. We assume that the operators other than the measurements mentioned are unitary (which can be made up with some auxiliary registers). Then, the probability of $xhw\widehat{x}t{\mathsf{\Xi }}_1$ with $\mathsf{abort}=0$ in ${\mathsf{\Gamma }}_1$ (denoted by $p_{xhw\widehat{x}t{\mathsf{\Xi }}_1}$) is $||{\gamma }_1{||}^2$. Further, since $P_{\widehat{x}}$ can be moved to the end of game (as variable $\widehat{x}$ and register P are not related to operators currently on the left to $P_{\widehat{x}}$), $p_{xhw\widehat{x}t{\mathsf{\Xi }}_1}=||{\gamma }_2{||}^2$, where

$$\begin{array}{c}\hfill |{\gamma }_2\rangle =P_{\widehat{x}}{P}_h·{\mathbf{CStO}}_s·M_{xw}·{({\mathbf{CStO}}_s·V)}^{q_2}·U_t·T_t·{({\mathbf{CStO}}_s·V)}^{q_1}|{\gamma }_0\rangle .\end{array}$$

(20)

If we remove $P_{\widehat{x}}{U}_t$ from Equation (19), then $|{\gamma }_1\rangle$ becomes the final state of ${\mathsf{\Gamma }}_0$. Then, the probability of $xhw\widehat{x}t{\mathsf{\Xi }}_1$ in ${\mathsf{\Gamma }}_0$ with $\mathsf{abort}=0$ (denoted by $q_{xhw\widehat{x}t{\mathsf{\Xi }}_1}$) is $||{\gamma }_2^{\prime }{||}^2$ (if further applying $U_t$ and projective measurement ${\left\{P_{\widehat{x}}\right\}}_{\widehat{x}}$ at the end of ${\mathsf{\Gamma }}_0$), where

$$\begin{array}{c}\hfill |{\gamma }_2^{\prime }\rangle =P_{\widehat{x}}{U}_t{P}_h·{\mathbf{CStO}}_s·M_{xw}·{({\mathbf{CStO}}_s·V)}^{q_2}·T_t·{({\mathbf{CStO}}_s·V)}^{q_1}|{\gamma }_0\rangle .\end{array}$$

(21)

By triangle inequality, Equation (17) is bounded by

$$\begin{array}{c}\hfill {\displaystyle \frac{1}{2}}\sum _{xhw\widehat{x}t{\mathsf{\Xi }}_1}||||{\gamma }_2{\rangle ||}^2-|||{\gamma }_2^{\prime }{\rangle ||}^2|\le {\displaystyle \frac{1}{2}}\sum _{i=0}^{q_2}\sum _{xhw\widehat{x}t{\mathsf{\Xi }}_1}||||{\gamma }_{2(i+1)}{\rangle ||}^2-|||{\gamma }_{2i}{\rangle ||}^2|,\end{array}$$

(22)

where $|{\gamma }_{2i}\rangle$ is the variant of $|{\gamma }_2\rangle$ with $U_t$ relocated (starting from the leftmost) to right after the ith ${\mathbf{CStO}}_s$ operator in $|{\gamma }_2\rangle$ (that is either random oracle query or PointReg1 query) and thus ${\gamma }_2^{\prime }=|{\gamma }_{20}\rangle$ and $|{\gamma }_2\rangle =|{\gamma }_{2(q_2+1)}\rangle$.

We consider the inner summation at Equation (23) for a fixed i. We can separate $xhw\widehat{x}t{\mathsf{\Xi }}_1$ as $AB$, where A is the subset of variables obtained by measurements in $|{\gamma }_{2i}\rangle$ after $U_t$ and B is the remaining variables. Denote $|{\psi }_B\rangle$ be the state right before $U_t$ and $M_A^{\prime }$ be the product of operators after $U_t$ and the ith ${\mathbf{CStO}}_s$ in $|{\gamma }_{2i}\rangle$. Then, $|{\gamma }_{2i}\rangle =M_A^{\prime }·U_t·{\mathbf{CStO}}_s|{\psi }_B\rangle$ and, $|{\gamma }_{2(i+1)}\rangle =M_A^{\prime }·{\mathbf{CStO}}_s·U_t|{\psi }_B\rangle$ as $[U_t,V]=0$. It is well-known that the measurement can be made at the end of operation without changing the measurement outcome distribution. Hence, we can assume $M_A^{\prime }=M_{A}S$ for projection $M_A$ of A and unitary S. That is, we can assume that $|{\gamma }_{2i}\rangle =M_A·S·U_t·{\mathbf{CStO}}_s|{\psi }_B\rangle$ and $|{\gamma }_{2(i+1)}\rangle =M_A·S·{\mathbf{CStO}}_s·U_t|{\psi }_B\rangle$. Let $|{\psi }_B^{\prime }\rangle$ be the normalized $|{\psi }_B\rangle$. Then,

$$\begin{array}{cc}\hfill & {\displaystyle \frac{1}{2}}\sum _{xhwt\mathbf{b}\mathsf{\Xi }}||||{\gamma }_{2(i+1)}{\rangle ||}^2-|||{\gamma }_{2i}{\rangle ||}^2|\hfill \end{array}$$

(23)

$$\begin{array}{cc}\hfill =& \sum _B|||{\psi }_B{\rangle ||}^2·{\displaystyle \frac{1}{2}}\sum _A|||M_A·S·U_t·{\mathbf{CStO}}_s|{\psi }_B^{\prime }{\rangle ||}^2-||M_A·S·{\mathbf{CStO}}_s·U_t|{\psi }_B^{\prime }{\rangle ||}^2|\hfill \end{array}$$

(24)

If ${\mathbf{CStO}}_s$ is a random oracle query, then the inner sum is the statistical distance between measurement outcomes from $S·U_t·CSt{O}_s·\mathsf{\Lambda }|{\psi }_B^{\prime }\rangle$ and $S·CSt{O}_s·U_t·\mathsf{\Lambda }|{\psi }_B^{\prime }\rangle$ (note: Here $\mathsf{\Lambda }$ is some ${\mathsf{\Lambda }}_{i0}$ and $[U_t,\mathsf{\Lambda }]=0$). By [43], it is no more than their trace distance. Further, by Lemma 6, trace distance of two states is no more than their Euclidean distance which is further bounded by $||[CSt{O}_s,U_t]||.$ Hence, by Theorem 1,

$$\begin{array}{c}\hfill Equation\left(24\right)\le \sum _B|||{\psi }_B{\rangle ||}^2·||U_t,{\mathbf{CStO}}_s||=||U_t,{\mathbf{CStO}}_s||\le 8·2^{-n/2}\sqrt{2{\mathsf{\Gamma }}_f}.\end{array}$$

(25)

If ${\mathbf{CStO}}_s$ is PointReg1 query $x\in {\mathsf{\Xi }}_0$ with $\mathsf{abort}=0$, this will apply ${\mathsf{\Pi }}_0$ and $U_{\perp ,r}{=|r\rangle \langle \perp |}_{D_x}$ to register $D_x$. Note that $U_t$ commutes with $U_{\perp ,r}$ if $f(x,r)\ne t$ (that is, ${|\perp \rangle }_{D_x}$ replaced by ${|r\rangle }_{D_x}$ will not change $\widehat{x}$). By Lemma 3, $[{\mathsf{\Pi }}_0,U_t]=0.$ Thus, ${\mathbf{CStO}}_s$ (i.e., PointReg1) commutes with $U_t$ if $f(x,r)\ne t$. By our assumption, $\mathcal{A}$ satisfies ${\mathsf{\Xi }}_1\subseteq \mathsf{\Xi }$. Hence, $f(x,r)=\varnothing$ and so $f(x,r)=t$ will never hold. Hence, PointReg1 commutes with $U_t.$ Hence, Equation (24) is 0 for this query.

Finally, since there are at most $q_2$ random oracle queries after t is measured, Equation (22) is bounded by $8(q_2+1)\sqrt{2{\mathsf{\Gamma }}_f/2^n}.$

Now we consider the second claim. Notice that Z is defined as boolean variable $(x\ne \widehat{x}\wedge f(x,h)=t\wedge \mathsf{abort}=0)$ of $(x,h,\widehat{x},t)$. We still use $p_Z$ to denote the distribution in ${\mathsf{\Gamma }}_1$ and $q_Z$ to denote the distribution of Z in ${\mathsf{\Gamma }}_0$. Then, by the forgoing argument, $p_Z\left(1\right)\le q_Z\left(1\right)+8(q_2+1)\sqrt{2{\mathsf{\Gamma }}_f/2^n}.$ Then, by Theorem 2, $q_Z\left(1\right)\le 2^{-n+1}+16{(q+1)}^3{\mathsf{\Gamma }}_f/2^n.$ The result follows. □

The above theorem can be extended to the vector case, where $M_{xw},U_t$ are replaced with several $M_{x_i{w}_i},U_{t_i}$ at location $i.$ Then, we switch $U_{t_i}$ with each ${\mathbf{CStO}}_s$ after $t_i$ is measured as in the above theorem. Denote the number of this kind of ${\mathbf{CStO}}_s$ (that is either random oracle query or PointReg1 query) by $q_{2i}$. Then, $q_{2i}<q$. For each i, we obtain the similar bound as the above theorem. Summarizing the argument for $i=1,\cdots ,\ell$, the extension of the first claim can be obtained. For the extension of the second claim is very similar to the second claim of the above theorem.

Corollary 2.

Let q be the total number of random oracle queries or PointReg1 queries and ${\mathsf{\Xi }}_1\subseteq \mathsf{\Xi }$. If $(\mathbf{x},\mathbf{t},\mathbf{h},\widehat{\mathbf{x}})$ with vector length ℓ is the vector corresponding to $(x,t,h,\widehat{x})$ in Theorem 3, then

$$\begin{array}{cc}\hfill & \Delta ({(\mathbf{t},\mathbf{x},\mathbf{h},W,\mathsf{abort}=0)}_{{\mathsf{\Gamma }}_0},{(\mathbf{t},\mathbf{x},\mathbf{h},W,\mathsf{abort}=0)}_{{\mathsf{\Gamma }}_1})\le 8(q+\ell )\ell \sqrt{2{\mathsf{\Gamma }}_f/2^n}\hfill \\ \hfill & Pr(\exists i:x_i\ne {\widehat{x}}_i\wedge f(x_i,h_i)=t_i\wedge \mathsf{abort}=0)\le 8(q+\ell )\ell \sqrt{{\displaystyle \frac{2{\mathsf{\Gamma }}_f}{2^n}}}+{\displaystyle \frac{2\ell }{2^n}}+{\displaystyle \frac{16{(q+\ell )}^3{\mathsf{\Gamma }}_f}{2^n}}.\hfill \end{array}$$

(26)

Remark 6.

Theorem 3 requires ${\mathsf{\Xi }}_1\subset \mathsf{\Xi }$. If this is not satisfied, then the proof can not get through. However, this condition is only used in the PointReg1 query to guarantee that $f(x,r)\ne t$. Since r is taken uniformly randomly after x is fixed, this condition holds for $2^n-{\mathsf{\Gamma }}_t$ choices of $r.$ Since there are at most $q_s$ PointReg1 queries, this holds for every PointReg1 query with probability at least $1-q_s{\mathsf{\Gamma }}_t/2^n.$ When this holds, the proof of Theorem 3 remains valid. Furthermore, this argument extends to the vector case in Corollary 2 with further observation that Equation (26) holds with q replaced by $q-q_s$ as that is the bound from the number of the random oracle queries. Notice that ${\mathsf{\Gamma }}_t/2^n<8\ell \sqrt{2{\mathsf{\Gamma }}_t/2^n}.$ Hence, with this tighter analysis, we have the following corollary that preserves the same bound.

Corollary 3.

Let q be the number of random oracle queries or PointReg1 queries. If $(\mathbf{x},\mathbf{t},\mathbf{h},\widehat{\mathbf{x}})$ with vector length ℓ is the vector corresponding to $(x,t,h,\widehat{x})$ in Theorem 3. Let $\mathcal{A}$ be a quantum algorithm with access to ${\mathbf{CStO}}_s$ with at most $q_s$ PointReg1 queries. Then,

$$\begin{array}{cc}\hfill & \Delta ({(\mathbf{t},\mathbf{x},\mathbf{h},W,\mathsf{abort}=0)}_{{\mathsf{\Gamma }}_0},{(\mathbf{t},\mathbf{x},\mathbf{h},W,\mathsf{abort}=0)}_{{\mathsf{\Gamma }}_1})\le 8(q+\ell )\ell \sqrt{2{\mathsf{\Gamma }}_f/2^n},\hfill \\ \hfill & Pr(\exists i:x_i\ne {\widehat{x}}_i\wedge f(x_i,h_i)=t_i\wedge \mathsf{abort}=0)\le 8(q+\ell )\ell \sqrt{{\displaystyle \frac{2{\mathsf{\Gamma }}_f}{2^n}}}+{\displaystyle \frac{\ell }{2^{n-1}}}+{\displaystyle \frac{16{(q+\ell )}^3{\mathsf{\Gamma }}_f}{2^n}}.\hfill \end{array}$$

4.7. Efficient Encoding of $\mathbf{CStO}$ and ${\mathbf{CStO}}_s$

Notice that so far the oracle state is represented via basis states ${|\mathbf{y}\rangle }_D\in {\overline{\mathcal{Y}}}^{\mathcal{X}}$ with at most q non-⊥ entries. However, we need to show how operators used so far can be efficiently implemented. Zhandry [49] showed how to efficiently encode and compute $O_{XYD}$. In our work, more operators on D are introduced. It is necessary to show that Zhandry’s encoding can be extended. In Appendix B, we detail how these operators can be efficiently executed on the encoded oracle state.

5. Extracting Queries to $\mathbf{CStO}$ that Witness the Future Adversarial Output

In this section, we introduce and extend the techniques of Liu and Zhandry [30] for extracting an adversarial query that matches the adversary’s final output which is unknown at the time of the extraction. This extraction technique is very useful in a security proof when the final adversary output is the final solution of the attack while the query input to be extracted is a certain witness of this solution. In the classical world, we can find this witness query by guessing, which has the polynomial fraction of the success probability. In the quantum world, this guessing strategy does not quite work as the query could be a superposition. Liu and Zhandry [30] showed that we can randomly guess which superposition query will contain the witness and then measure it. Then, the measurement outcome is the witness to the final output with a good probability. In the following, we adapt their technique to the setting of multiple extractions (but still interacting with $\mathbf{CStO}$). This modified game can be used to extract multiple queries that are collectively used to derive a witness for the final adversary output. This game can be easily converted to one where the random oracle is ${\mathbf{CStO}}_s$ and so our extraction theorems in the previous sections can be used.

Assume that adversary $\mathcal{A}$ makes at most q oracle queries to $\mathbf{CStO}$ oracle. In the end, we measure the adversary-oracle joint state and obtain $(w,\mathbf{y})$ so that D has the collapsed state $F_D{|\mathbf{y}\rangle }_D$ (i.e., measuring the final state on D using ${\{F_D|\mathbf{y}\rangle }_{\mathbf{D}}{\}}_{\mathbf{y}}$ basis). Let ${\lambda }_{w,\mathbf{y}}$ denote the probability of outcome $(w,\mathbf{y}).$ We define game ${\mathsf{Exp}}_{i,j,k}$ (with either $i=j=k$ or $i<j<k$ for $i,j,k\in \left[q\right]$). Before this, we define $\underline{x}$ as an equivalence class (which is a subset of $\mathcal{X}$, including x and also determined by x) in the sense that $\underline{x}=\underline{u}$ for any $u\in \underline{x}.$ We assume that the cardinality of $\underline{x}$ is polynomially bounded. For $\mathbf{y}\in {\mathcal{Y}}^{\mathcal{X}}$, $\mathbf{y}\left(\underline{x}\right)=\overrightarrow{\perp }$ denotes that $y_u=\perp$ for $\forall u\in \underline{x}.$

${\mathrm{Exp}}_{i,i,i}$: In this game, it proceeds normally until the ith oracle query. Assume the attacker-oracle state is ${\sum }_{xuz\mathbf{y}}{\alpha }_{xuz\mathbf{y}}|x,{\varphi }_u,z,\mathbf{y}\rangle ,$ where we remind that Y register is represented using Fourier basis ${\left\{{\varphi }_u\right\}}_{u\in \mathcal{Y}}$. Then, we measure1 the query input to output ${\underline{x}}^{*}$ and further we measure to test (by two measurements) whether it holds: $D\left({\underline{x}}^{*}\right)=\overrightarrow{\perp }$ before the oracle query2but$D\left({\underline{x}}^{*}\right)\ne \overrightarrow{\perp }$ after the oracle query3. If both test measurements succeed, then the resulting state before applying $CStO$ oracle will be

$$\begin{array}{c}\hfill \sum _{x^{\prime }uz\mathbf{y}:y_{x^{\prime }}=\perp ,u\ne 0,x^{\prime }\in {\underline{x}}^{*}}{\alpha }_{x^{\prime }uz\mathbf{y}}|x^{\prime },{\varphi }_u,z,\mathbf{y}\rangle .\end{array}$$

(27)

In this case, the state after the $CStO$ query will become

$$\begin{array}{c}\hfill \sum _{x^{\prime }uz\mathbf{y}:y_{x^{\prime }}=\perp ,u\ne 0,x^{\prime }\in {\underline{x}}^{*}}{\alpha }_{x^{\prime }uz\mathbf{y}}|x^{\prime },{\varphi }_u,z\rangle {\displaystyle \frac{1}{\sqrt{2^n}}}\sum _{y\in \mathcal{Y}}{(-1)}^{u·y}|\mathbf{y}\cup {\left(y\right)}_{x^{\prime }}\rangle .\end{array}$$

(28)

Then, the game proceeds normally. If one or both measurements fails, the game aborts.

${\mathrm{Exp}}_{i,j,k}$ with $i<j<k$: In this game, it proceeds normally until the ith oracle query. Let the attacker-oracle state be ${\sum }_{xuz\mathbf{y}}{\alpha }_{xuz\mathbf{y}}|x,{\varphi }_u,z,\mathbf{y}\rangle .$ Then, we measure the query input to output ${\underline{x}}^{*}$ and further we measure (similar to that in ${\mathsf{Exp}}_{i,i,i}$) to test whether the followings are satisfied throughout the ith oracle query to the kth oracle query (using footnotes 2 and 3):

• right before the ith query, $D\left({\underline{x}}^{*}\right)=\overrightarrow{\perp }$; but after it, $D\left({\underline{x}}^{*}\right)\ne \overrightarrow{\perp }$.
• after ith query and before the jth query, it remains that $D\left({\underline{x}}^{*}\right)\ne \overrightarrow{\perp }$.
• after jth query and before the kth query, $D\left({\underline{x}}^{*}\right)=\overrightarrow{\perp }.$
• right after the kth query, $D\left({\underline{x}}^{*}\right)\ne \overrightarrow{\perp }.$

If the test measurement fails, the game aborts; otherwise, it proceeds normally. It should be emphasized that we do not care if $D\left({\underline{x}}^{*}\right)=\overrightarrow{\perp }$ after any other query than those listed above.

We remark that ${\mathsf{Exp}}_{i,i,i}$ in fact is a special case of ${\mathsf{Exp}}_{i,j,k}$ with $i=j=k$ as “after ith query and before the j query" and “after jth query and before the k query" in ${\mathsf{Exp}}_{i,j,k}$ are both null statements in this setting.

Further, although ${\mathsf{Exp}}_{i,j,k}$ is defined in the game between adversary and $\mathbf{CStO}$, by inspecting its definition, we can see that ${\mathsf{Exp}}_{i^{\prime },j^{\prime },k^{\prime }}$ in ${\mathsf{Exp}}_{i,j,k}$ is also well-defined (as the conducted measurements are well-defined). It is not hard to see that the game ${\mathsf{Exp}}_{i,j,k}$ in ${\mathsf{Exp}}_{i^{\prime },j^{\prime },k^{\prime }}$ and the game ${\mathsf{Exp}}_{i^{\prime },j^{\prime },k^{\prime }}$ in ${\mathsf{Exp}}_{i,j,k}$ are the same. By iteration, we can define ${\mathsf{Exp}}_{i^t,j^t,k^t}$ as game ${\mathsf{Exp}}_{i_t,j_t,k_t}$ in ${\mathsf{Exp}}_{i^{t-1},j^{t-1},k^{t-1}}$, where $v^t$ is the sequence $v_1,\cdots ,v_t.$ Let ${\mathcal{U}}_{IJK}$ be the distribution of $(i,j,k)$ that is uniformly random in $\left\{\right(i,i,i)\mid i\in [q\left]\right\}\cup \left\{\right(i,j,k)\mid 1\le i<j<k\le q\}.$ Further, ${\mathcal{U}}_{IJK}^c$ is the product distribution of ${\mathcal{U}}_{IJK}$ of c copies.

The following is the main result in this section. This is an extension of [30, Corollary 6] with the proof mainly extending [30, Theorem 9]. The details can be found in Appendix D.

Theorem 4.

Let $c>0$ be a constant. Take $(i^c,j^c,k^c)\leftarrow {\mathcal{U}}_{IJK}^c$. Let S be a subset of the possible output $(w,\mathbf{y})$ in the game with $CStO$ oracle. Define the measurement $(P_0,P_1)$ with $P_0={\sum }_{(w,\mathbf{y})\in S}|w,\tilde{\mathbf{y}}\rangle \langle w,\tilde{\mathbf{y}}|$ (where we use the basis $F_D|\mathbf{y}\rangle =|\tilde{\mathbf{y}}\rangle$ for the consistency with the measurement at the beginning of this section) and $P_1=I-P_0.$ Let $x_{w,\mathbf{y},t}\in \mathcal{X}$ for $t=1,\cdots ,c$ be representatives for c (possibly repeating) classes, determined by $(w,\mathbf{y})$ with $\mathbf{y}\left({\underline{x}}_{w,\mathbf{y},t}\right)\ne \perp$. Let λ be the probability in the random game ${\mathsf{Exp}}_{i^c,j^c,k^c}$ that gives ${\underline{x}}_{w,\mathbf{y},t}$ for some $(w,\mathbf{y})\in S$ from the measurement on the $i_t$th oracle query for $t=1,\cdots ,c$ and the final measurement $(P_0,P_1)$ gives outcome 0. Let γ be the probability that the final measurement in the normal game gives outcome 0. Then, $\lambda \ge {\displaystyle \frac{\gamma }{{(q+\left(\genfrac{}{}{0pt}{}{q}{3}\right))}^{3c}}}.$

6. Quantum Security of the JAK Multi-Signature Framework

Jiang et al. [23] proposed a framework that converts a linear ID scheme into a compact multi-sinagure scheme and proved its security in the classic random oracle model. In this section, we prove its security in the quantum random oracle model.

6.1. Review of JAK Mutli-Signature Framework

Let

$$\mathcal{ID}=({\mathbf{Setup}}_{id},{\mathbf{KeyGen}}_{id},P,V_{\tau },\mathsf{\Theta })$$

be a canonical linear ID with parameter $\tau \in \mathbb{N}$. Let $H_0,H_1$ be two random oracles from ${\{0,1\}}^{*}$ to $\mathsf{\Theta }$ with $\mathsf{\Theta }\subseteq \mathcal{R}$, where $\mathcal{R}$ is the ring defined for the linearity property of $\mathcal{ID}$. The JAK multi-signature scheme $\left(\mathbf{Setup},\mathbf{KeyGen},\mathbf{Sign},\mathbf{Verify}\right)$ is as follows.

Setup. Sample and output $\mathsf{param}\leftarrow {\mathbf{Setup}}_{id}\left(1^{\lambda }\right)$.

KeyGen. Sample $(pk,sk)\leftarrow {\mathbf{KeyGen}}_{id}\left(\mathsf{param}\right)$; output a public-key $pk$ and private key $sk$.

Sign. Assume that signers with public-keys ${\left\{p{k}_i\right\}}_{i=1}^t$ want to jointly sign message M. Let ${\lambda }_i=H_0(p{k}_i,PK)$ and $\overline{pk}={\sum }_{i=1}^t{\lambda }_i•p{k}_i$, where $PK=(p{k}_1,\cdots ,p{k}_t).$ They execute the following.

• R-1. Signer i takes $(s{t}_i,{CMT}_i)\leftarrow P\left(\mathsf{param}\right)$ and sends $r_i:=H_0({CMT}_i|p{k}_i)$ to all signers.
• R-2. Upon $r_j$ for all j (we don’t restrict $j\ne i$ for brevity), signer i sends ${CMT}_i$ to all signers.
• R-3. Upon ${CMT}_j,j=1,\cdots ,t$, signer i checks if $r_j=H_0({CMT}_j|p{k}_j)$ for all j. If no, it rejects; otherwise, it computes $\overline{CMT}={\sum }_{j=1}^t{\lambda }_j•{CMT}_j$, $CH=H_1(\overline{pk}|\overline{CMT}|M)$ and ${Rsp}_i=P(s{t}_i|s{k}_i|p{k}_i,CH)$. Finally, it sends ${Rsp}_i$ to all signers.
• Output. Upon ${Rsp}_j,j=1,\cdots ,t$, signer i computes $\overline{Rsp}={\sum }_{j=1}^t{\lambda }_j•{Rsp}_j$, and outputs the aggregated public-key $\overline{pk}|t$ and multi-signature $\overline{CMT}|\overline{Rsp}$.

Verify. Upon signature $(\overline{CMT},\overline{Rsp})$ on message M with the aggregated public key $\overline{pk}|t$, it outputs $V_t(\overline{pk},\overline{CMT}|CH|\overline{Rsp})$, where $CH=H_1(\overline{pk}|\overline{CMT}|M).$

6.2. Security Theorem

In this section, we prove the security of the JAK framework in the quantum random oracle model. Our proof strategy is to use the sequence of game techniques. We first replace two random oracles $|H_0\rangle$ and $|H_1\rangle$ with a single one $|H\rangle$ so that $H(0|x)=H_0\left(x\right)$ and $H(1|x)=H_1\left(x\right).$ Since the distributions of $H(b|x)$ and $H_b\left(x\right)$ are identical, adversary success does not decrease. Then, we replace $|H\rangle$ by $\mathbf{CStO}$ and this will not change the adversary success by Fact 1 and Lemma 8. Next, we sample experiment ${\mathbf{Exp}}_{i^2,j^2,k^2}$ so that the $i_1$th query has measurement outcome ${\underline{x}}_1^{*}$ with $x_1^{*}=0|p{k}_1^{\prime }|P{K}^{\prime }$ where $P{K}^{\prime }$ is the signature group in the attacker’s forgery and the measurement outcome for the $i_2$th query is ${\underline{x}}_2^{*}$ with $x_2^{*}=1\overline{p{k}^{\prime }}|\overline{{\mathrm{CMT}}^{\prime }}|M$ being the attacker’s input to compute ${\mathrm{CH}}^{\prime }$ in its forgery. By Theorem 4, the adversary success in this experiment is degraded only by a polynomial fraction. Then, we consider the signing oracle in ${\mathbf{Exp}}_{i^2,j^2,k^2}$. We will try to confirm (by measurement) that the query input $x=1|\overline{pk}|\overline{\mathrm{CMT}}|M$ to compute $\mathrm{CH}$, is not recorded in $\mathbf{CStO}$ (so that we can set this $CH$ by ourselves). Since $\overline{\mathrm{CMT}}$ contains the challenger’s committing message (that has super-logarithmic min-entropy), this confirmation measurement will succeed with high probability (Lemma 10). Then, we reformulate ${\mathbf{Exp}}_{i^2,j^2,k^2}$ as the game with ${\mathbf{CStO}}^{\prime }$ and further change to a game with ${\mathbf{CStO}}_s$. The format of ${\mathbf{Exp}}_{i^2,j^2,k^2}$ is very compatible with ${\mathbf{CStO}}^{\prime }$ and so this switch is just a simple formatting problem. Now under the game with ${\mathbf{CStO}}_s$, we can use the extraction technique to extract the committing messages from adversary in a signing oracle and treat $x=1|\overline{pk}|\overline{CMT}|M$ as a special point. We also treat ${\underline{x}}_1^{*},{\underline{x}}_2^{*}$ as special points. We can set the random oracle value of these special points by ourselves. With this benefit, we use the ID simulator to simulate the honest signer’s messages in a signing oracle without its secret. Finally, we can reduce the adversary success to break the ID scheme by setting the CH in attacker’s forgery as the challenge from the ID challenger. So the attacker’s forgery will help us to break the ID security.

Theorem 5.

Assume that $h\leftarrow \mathsf{\Theta }$ is invertible in $\mathcal{R}$ with probability $1-\mathsf{negl}\left(\lambda \right)$. Let $\mathcal{ID}=({\mathbf{Setup}}_{id},{\mathbf{KeyGen}}_{id},P,V_{\tau })$ be a secure ID scheme with linearity and simulability. Then, the JAK multi-signature scheme is EU-CMA secure in the quantum random oracle model.

Proof. Our proof follows the sequence of game strategy. The game consists of quantum polynomial time adversary $\mathcal{D}$ and a challenger $\mathcal{C}$ who maintains the quantum random oracle and the signing oracle that jointly signs a message M with $\mathcal{D}.$ We use $\mathsf{Succ}\left(\mathbf{G}\right)$ to denote the adversary success probability in game $\mathbf{G}.$

Game ${\mathbf{G}}_0.$ This is the real forgery game. Challenger runs Setup$\left(1^{\lambda }\right)$ to generate $\mathsf{param}$ and executes $\mathbf{KeyGen}\left(\mathsf{param}\right)$ to generate a challenge key pair $(p{k}^{*},s{k}^{*})$. Then, it provides $(p{k}^{*},\mathsf{param})$ to $\mathcal{D}$ and maintains two quantum random oracles $|H_0\rangle ,|H_1\rangle$ and signing oracle ${\mathcal{O}}_s$ to interact with $\mathcal{D}$. Finally, $\mathcal{D}$ outputs a forgery $({\sigma }^{*},M^{*})$ with a set of public keys $(p{k}_1^{*},\cdots ,p{k}_N^{*})$ where $p{k}^{*}=p{k}_1^{*}.$ He succeeds if $\mathsf{Verify}(\overline{p{k}^{*}},{\sigma }^{*},M^{*})=1$ and no query $(p{k}_1^{*},\cdots ,p{k}_N^{*},M^{*})$ was issued to ${\mathcal{O}}_s.$

Game ${\mathbf{G}}_1.$ We modify ${\mathbf{G}}_0$ to ${\mathbf{G}}_1$ so that $H_0\left(x\right)=H(0|x)$ and $H_1\left(x\right)=H(1|x)$ for a random oracle $H.$ This does not reduce the adversary success probability as the tables for $H(0|·),H(1|·)$ and the tables for $H_0(·),H_1(·)$ jointly are identically distributed (i.e., purely random in both cases). Any query $|\psi \rangle$ to $H_b(·)$ is a special case of query $|b\rangle |\psi \rangle$ to $|H\rangle$. Thus, $Pr(\mathbf{Succ}\left({\mathbf{G}}_1\right)\ge Pr\left(\mathbf{Succ}\left({\mathbf{G}}_0\right)\right)$.

Game ${\mathbf{G}}_2.$ We modify ${\mathbf{G}}_1$ to ${\mathbf{G}}_2$ so that the random oracle is implemented using $\mathbf{CStO}.$ By Fact 1 and Lemma 8, the success probabilities of $\mathcal{D}$ in ${\mathbf{G}}_1$ and ${\mathbf{G}}_2$ are identical.

Game ${\mathbf{G}}_3.$ We modify ${\mathbf{G}}_2$ to ${\mathbf{G}}_3$ so that it selects the game (involving $\mathcal{D}$) ${\mathbf{Exp}}_{i^2,j^2,k^2}$ for $(i^2,j^2,k^2)\leftarrow {\mathcal{U}}_{IJK}^2$. Let the measurement at the $i_t$th oracle query be ${\underline{x}}_t^{*}$ for some $x_t^{*}$ for $t=1,2.$ At the end of game, let $(w,\mathbf{y})$ be the measurement output, where w is the forgery $(\alpha ,\beta ,P{K}^{\prime },M)$ measured by $\mathcal{D}$ on register $XYW$ and $\mathbf{y}$ is the measurement outcome on D (which represents the quantum state $F_D{|\mathbf{y}\rangle }_D$ and hence $\mathbf{y}$ satisfies $y_x=RO\left(x\right)$). Define $x_{w,\mathbf{y},1}=0|p{k}_1^{\prime }|P{K}^{\prime }$ for $P{K}^{\prime }=(p{k}_1^{\prime },\cdots ,p{k}_n^{\prime })$. Further, define ${\underline{x}}_{w,\mathbf{y},1}=\{0|p{k}_v^{\prime }|P{K}^{\prime }:v=1,\cdots ,n\}$ and $\underline{x}=\left\{x\right\}$ (for any x that can not be written in $0|p{k}_v|PK$ with $p{k}_v\in PK$). Hence, the equivalence class is well-defined. In addition, define $x_{w,\mathbf{y},2}=1|\overline{p{k}^{\prime }}|\alpha |M$. We consider the case $x_t^{*}=x_{w,\mathbf{y},t}$ for $t=1,2$. Define S in Theorem 4 as the set of all pairs $(w,\mathbf{y})$ so that w is a valid forgery under random oracle assignments $y_x=RO\left(x\right)$. Since the probability $(w,\mathbf{y})\in S$ is the success probability of $\mathcal{D}$ in ${\mathbf{G}}_2$, by Theorem 4, the success probability of $\mathcal{D}$ in ${\mathbf{G}}_3$ will be at least ${\displaystyle \frac{ϵ}{{(q+\left(\genfrac{}{}{0pt}{}{q}{3}\right))}^6}}.$

Game ${\mathbf{G}}_4.$ We modify ${\mathbf{G}}_3$ to ${\mathbf{G}}_4$ so that in the signing oracle, right before the classic oracle query $x=1|\overline{pk}|\overline{CMT}|M$ to generate $CH,$ it does a measurement $(|\perp \rangle \langle \perp |,I-|\perp \rangle \langle \perp |)$ to the register $D_x$ of the oracle. If it gives the outcome 0, it aborts with $\mathsf{Fail}$ (indicating the failure of the simulation); otherwise, it continues normally. By Lemma 11, this Fail occurs only with a negligible probability (recall that $H_{\infty }\left(CMT\right)$ is super-logarithmic for randomly generated $CMT$) and hence the success probability $\mathcal{D}$ in ${\mathbf{G}}_4$ is at least ${\displaystyle \frac{ϵ}{{(q+\left(\genfrac{}{}{0pt}{}{q}{3}\right))}^6}}-\mathbf{negl}\left(\kappa \right)$

Game ${\mathbf{G}}_5.$ We re-format ${\mathbf{G}}_4$ as a game between an adversary $\mathcal{D}$ and challenger ${\mathcal{C}}^{\prime }$ that has oracle access to ${\mathbf{CStO}}^{\prime }$ (ref. Section 4.3) so that $\mathcal{D}$ in ${\mathbf{G}}_5$ has the success probability exactly identical to that of $\mathcal{D}$ in ${\mathbf{G}}_4.$ The code of ${\mathcal{C}}^{\prime }$ as follows. It follows $\mathcal{C}$ to set up ${\mathbf{G}}_4$ to invoke $\mathcal{D}$ with the public parameters and then interacts with $\mathcal{D}$. ${\mathcal{C}}^{\prime }$ also follows $\mathcal{C}$ to choose the random game ${\mathbf{Exp}}_{i^2,j^2,k^2}$.

• Whenever a random oracle query is issued, ${\mathcal{C}}^{\prime }$ does as follows. Assume this is the ℓth random oracle query. If $\ell =i_1$ or $i_2$, then ${\mathcal{C}}^{\prime }$ (like challenger $\mathcal{C}$ in ${\mathbf{G}}_4$) will apply a projective measurement on X register in the computational basis and results in ${\underline{x}}_1^{*}$ or ${\underline{x}}_2^{*}$ and then it issues a PointReg0 query with each $x\in {\underline{x}}_1^{*}$ or ${\underline{x}}_2^{*}$ to ${\mathbf{CStO}}^{\prime }$. If $\ell =k_t$ (for $t=1$ or 2), it issues a $PointReg1$ query with $x^{\prime }\in {\underline{x}}_t^{*}$ (which does measurement $\mathsf{\Pi }$ on $D_{x^{\prime }}$ like challenger in ${\mathsf{\Gamma }}_4$). Then (no matter what is ℓ), recall that, in ${\mathbf{G}}_4$, the challenger will conduct a projective measurement ${\mathsf{\Lambda }}^{\prime }$ (determined by ℓ and $i_1,j_1,k_1$) on D and another projective measurement ${\mathsf{\Lambda }}^{\prime \prime }$ (still determined by $\ell ,i_2,j_2,k_2)$ on D. These measurements are described in ${\mathbf{Exp}}_{i^2,j^2,k^2}$ and can be seen that they are only applied on $D_{{\mathsf{\Xi }}_0}$ as desired by ${\mathbf{CStO}}^{\prime }$. These two measurements can be combined into one projective measurement ${\mathsf{\Lambda }}_{\ell }=({\mathsf{\Lambda }}_{\ell 0},I-{\mathsf{\Lambda }}_{\ell 0})$ in the computational basis on $D_{{\mathsf{\Xi }}_0}$. Then, to be consistent with ${\mathbf{G}}_4$, ${\mathcal{D}}^{\prime }$ in ${\mathbf{G}}_5$ issues the random oracle query with its register $XY$ to ${\mathbf{CStO}}^{\prime }$ which will handle it first with measurement ${\mathsf{\Lambda }}_{\ell }$ and then with $CStO$ (if it does not abort). Under this reformatting, the action on the joint state is the same as in ${\mathbf{G}}_4$.
• When $\mathcal{D}$ issues a signing query $(PK,M)$ so that $PK$ contains $p{k}_1^{*}$, ${\mathcal{C}}^{\prime }$ in ${\mathbf{G}}_5$ computes $\overline{pk}$, $\overline{CMT}$ and $x=1|\overline{pk}|\overline{CMT}|M$ normally as in ${\mathbf{G}}_4$, with possibly random oracle access to ${\mathbf{CStO}}^{\prime }$ as in the previous item. Next, it issues $PointReg0$ query and then $PointReg1$ query both with x to ${\mathbf{CStO}}^{\prime }$, and finally a classic random oracle query with x (if it does not abort), where the random oracle queries are handled as the above reformatting. In turn, if ${\mathbf{CStO}}^{\prime }$ does not abort, ${\mathcal{C}}^{\prime }$ receives the reply $y=RO\left(x\right)$ and it continues normally as in ${\mathbf{G}}_4$ to generate the signature. Note that ${\mathcal{C}}^{\prime }$ together with ${\mathbf{CStO}}^{\prime }$ acts the same as $\mathcal{C}$ together with $\mathbf{CStO}$ in ${\mathbf{G}}_4$. Thus, this does not change the view of $\mathcal{D}$ and the joint quantum state.

From our description, we can see that $\mathcal{D}$ in ${\mathbf{G}}_4$ and ${\mathbf{G}}_5$ has the same view, as it is just a reformatting of ${\mathbf{G}}_4$. Hence, $\mathcal{D}$ in ${\mathbf{G}}_5$ has the same success probability as in ${\mathbf{G}}_4.$

Game ${\mathbf{G}}_6.$ We modify ${\mathbf{G}}_5$ to ${\mathbf{G}}_6$ s.t. ${\mathbf{CStO}}^{\prime }$ is replaced by ${\mathbf{CStO}}_s$. By Lemma 9, the success probability of $\mathcal{D}$ in ${\mathbf{G}}_6$ is the same as in ${\mathbf{G}}_5$ by checking the output of ${\mathcal{C}}^{\prime }$ which is defined as 1 if and only if $\mathcal{D}$ succeeds ($\neg \mathbf{abort}$ can be removed in the lemma as ${\mathcal{C}}^{\prime }$ outputting 1 indicates $\neg \mathbf{abort}=1$).

Game ${\mathbf{G}}_7.$ We modify ${\mathbf{G}}_6$ to ${\mathbf{G}}_7$ so that ${\mathbf{CStO}}_s$ is now simulated by $\mathcal{S}$. Since $\mathcal{S}.E$ is not used, the adversary success probability is identical to ${\mathbf{G}}_6.$

Game ${\mathbf{G}}_8.$ We modify ${\mathbf{G}}_7$ to ${\mathbf{G}}_8$ so that in the signing query $O_s(p{k}_1,\cdots ,p{k}_n,M)$, after receiving $r_i$, challenger extracts ${CMT}_i^{\prime }=\mathcal{S}.E\left(r_i\right)$ and later in round R-3, when it receives ${CMT}_i$, if ${CMT}_i\ne {CMT}_i^{\prime }$ but $\mathcal{S}.RO\left({CMT}_i\right)=r_i$, it terminates with Fail. By Corollary 2, this occurs negligibly. Thus, the success probability of $\mathcal{D}$ in ${\mathbf{G}}_8$ is negligibly close to that in ${\mathbf{G}}_7.$

Game ${\mathbf{G}}_9.$ We modify ${\mathbf{G}}_8$ to ${\mathbf{G}}_9$ so that in $O_s(p{k}_1,\cdots ,p{k}_n,M)$ with $p{k}_t=p{k}^{*}$ for some t, it generates $({CMT}_t,{Rsp}_t)\leftarrow \mathbf{SIM}(CH,p{k}^{*},\mathsf{param})$, where $CH\leftarrow \mathsf{\Theta }$. It does the same as ${\mathbf{G}}_8$: measure $(|\perp \rangle \langle \perp |,I-|\perp \rangle \langle \perp |)$ on $D_x$ (specified since ${\mathbf{G}}_4$), issues $PointReg0$ query, then $PointReg1$ queries with $x=1|\overline{pk}|\overline{CMT}|M$ to ${\mathbf{CStO}}_s$, where $PointReg1$ will define r in ${\mathbf{CStO}}_s$ for $D_x$ (if it does not abort) as the random oracle value for x. In ${\mathbf{G}}_9$, it defines this r as $CH$. By the simulability of ID, this has the same distribution as ${\mathbf{G}}_8$. So the adversary success probability remains the same as in ${\mathbf{G}}_8$ (specifically, any non-negligible difference in this success probability can be straightforwardly reduced through hybrid argument on $({CMT}_t,{Rsp}_t,{CH}_t)$ in the signing queries to break the ID simulability; details are omitted). We remind that the secret key $sk$ is no longer used in ${\mathbf{G}}_9$.

Game ${\mathbf{G}}_{10}.$ We modify ${\mathbf{G}}_9$ to ${\mathbf{G}}_{10}$ so that it will embed the ID challenges into the attack. Specially, ${\mathcal{C}}^{\prime }$ sets up the game so that $p{k}_1^{*}$ is the ID challenge key. In addition, after obtaining ${\underline{x}}_1^{*}$ (by measuring the $i_1$th random oracle query) with $x_1^{*}=1|p{k}_1^{*}|\{p{k}_1^{*},\cdots ,p{k}_n^{*}\}$, it sends $p{k}_2^{*},\cdots ,p{k}_n^{*}$ as its response of group keys to its own ID challenger and in turn will receive ${\lambda }_1,\cdots ,{\lambda }_n$. Upon $PointReg1$ queries $x_u\in {\underline{x}}_1^{*}$ (from ${\mathcal{C}}^{\prime }$), ${\mathbf{CStO}}_s$ sets its random oracle value4$\mathcal{S}.RO\left(x_u\right)$ as ${\lambda }_u$ ($u=1,\cdots ,n$), provided by ID challenger. In addition, later for $x_2^{*}=1|\overline{p{k}^{\prime }}|\alpha |M$, in $PointReg1$ query $x_2^{*}$, it sets the hash value $r=CH$, provided by ID challenger. This will not change the distribution of the game because ${\lambda }_u$ for any u as well as this $CH$ are all uniformly random and hence remains the same distribution as in ${\mathbf{G}}_9$. When $\mathcal{D}$ outputs its forgery, if the output $(\mathbf{w},\mathbf{y})\in S$, then it sends the response $Rsp$ in w to ID challenger as its response. Obviously, ${\mathcal{C}}^{\prime }$ succeeds in its ID challenge session if and only if $\mathcal{D}$ succeeds with $(w,\mathbf{y})\in S$ (that is, the forgery is valid). Thus, the adversary success probability is the same as in ${\mathbf{G}}_9$ and hence ${\mathcal{C}}^{\prime }$ has a success probability negligibly close to ${\displaystyle \frac{ϵ}{{(q+\left(\genfrac{}{}{0pt}{}{q}{3}\right))}^6}}$. This contradicts the security of ID scheme. □

Remark 7.

In ${\mathbf{G}}_5$, we convert the game with $\mathbf{CStO}$ to the game with ${\mathbf{CStO}}^{\prime }$, where we register ${\underline{x}}_t^{*}$ to ${\mathsf{\Xi }}_0$ at the $i_t$th oracle random oracle query while it registers to ${\mathsf{\Xi }}_1$ only at the $k_t$th random oracle query. This generally is the routine to convert ${\mathbf{Exp}}_{i^c,j^c,k^c}$ to a game with ${\mathbf{CStO}}^{\prime }$. One might wonder why we register ${\underline{x}}_t^{*}$ twice. The issue in fact comes from the switch from ${\mathbf{CStO}}^{\prime }$ to ${\mathbf{CStO}}_s$ in ${\mathbf{G}}_6$. ${\mathbf{CStO}}_s$ requires that after registration in ${\mathsf{\Xi }}_1$, no measurement for testing $D\left(x\right)=\perp$ will be performed. If we register it once, this should happen at the $i_t$th query for ${\underline{x}}_t^{*}$. But in this case, we can not guarantee that ${\mathbf{G}}_5$ (with ${\mathbf{CStO}}^{\prime }$) will be indistinguishably switched to ${\mathbf{G}}_6$ with ${\mathbf{CStO}}_s$: after the $i_t$th query, we still need to measure if $D\left({\underline{x}}_t^{*}\right)=\perp$. But in ${\mathbf{G}}_6$, this will never be true as $|\perp \rangle$ is replaced by $|r\rangle$, while in ${\mathbf{G}}_5$ (with ${\mathbf{CStO}}^{\prime }$), it is still possible. This distinguishing event does not violate Lemma 9 because this test is no longer performed in ${\mathbf{CStO}}_s$ after updating $|\perp \rangle$ by $|r\rangle .$

7. Quantum Security of The JAK ID Scheme

In this section, we prove the quantum security of the lattice-based ID scheme in [23] (which we call it the JAK ID scheme). Together with Theorem 5, it gives a secure lattice-based multi-signature in the quantum random oracle model. We will use the following notations.

• As a convention for lattice over ring, the security parameter is denoted by n (a power of 2);
• q is a prime with $q\equiv 3$ mod 8;
• $R=\mathbb{Z}\left[x\right]/(x^n+1)$; $R_q={\mathbb{Z}}_q\left[x\right]/(x^n+1)$; $R_q^{*}$ is the set of invertible elements in $R_q$;
• A vector $\mathbf{w}$ is implicitly a column vector and the ith component is $w_i$ or $\mathbf{w}\left[i\right]$;
• for a matrix or vector X, $X^T$ is its transpose;
• $\mathbf{1}$ denotes the all-1 vector ${(1,\cdots ,1)}^T$ of dimension clear only in the specific context;
• for $u={\sum }_{i=0}^{n-1}{u}_i{x}^i\in R$, ${||u||}_{\infty }={max}_i|u_i|;$
• $\alpha \in {\mathbb{Z}}_q$ always uses the default representative with $-(q-1)/2\le \alpha \le (q-1)/2$ and similarly, for $u\in R_q$, each coefficient of u by default belongs to this range;
• $e=2.71828\cdots$ is the Euler’s number;
• $\mathcal{C}=\{c\in R\mid ||c|{|}_{\infty }\le logn,deg\left(c\right)<n/2\}$
• $\mathcal{Y}=\{y\in R\mid ||y|{|}_{\infty }\le n^{1.5}\sigma {log}^{3}n\}$
• $\mathcal{Z}=\{z\in R\mid ||z|{|}_{\infty }\le (n-1)n^{1/2}\sigma {log}^{3}n\}$.

7.1. Ring-LWE and Ring-SIS

In the following, we introduce the ring-LWE and ring-SIS assumptions (see [33,35,44] for details). For $\sigma >0$, distribution $D_{{\mathbb{Z}}^n,\sigma }$ assigns the probability proportional to $e^{-{\pi ||\mathbf{y}||}^2/{\sigma }^2}$ for any $\mathbf{y}\in {\mathbb{Z}}^n$ and 0 for other cases. As in [1], $y\leftarrow D_{R,\sigma }$ samples $y={\sum }_{i=0}^{n-1}{y}_i{x}^i$ from R by taking $y_i\leftarrow D_{\mathbb{Z},\sigma }.$

The Ring Learning With Error (${\text{Ring-LWE}}_{q,\sigma ,2n}$) problem over R with standard deviation $\sigma$ is defined as follows. Initially, it takes $s\leftarrow D_{R,\sigma }$ as secret. It then takes $a\leftarrow R_q,e\leftarrow D_{R,\sigma }$ and outputs $(a,as+e)$. The problem is to distinguish $(a,as+e)$ from a tuple $(a,b)$ for $a,b\leftarrow R_q.$ The ${\text{Ring-LWE}}_{q,\sigma ,2n}$ assumption [16,34] is to say that no quantum polynomial time algorithm can solve ${\text{Ring-LWE}}_{q,\sigma ,2n}$ problem with a non-negligible advantage.

The Small Integer Solution problem with parameters $q,m,\beta$ over ring R (${\text{Ring-SIS}}_{q,m,\beta }$) is as follows: given m uniformly random elements $a_1,\cdots ,a_m$ over $R_q$, find $(t_1,\cdots ,t_m)$ so that $||t_i{||}_{\infty }\le \beta$ and $a_1{t}_1+\cdots +a_m{t}_m=0$. We consider the case $m=3$. We assume that $q=3$ mod 8, in which case, by [6], $x^n+1={\Phi }_1\left(x\right){\Phi }_2\left(x\right)$ for irreducible polynomials ${\Phi }_1\left(x\right),{\Phi }_2\left(x\right)$ of degree $n/2$. So by Chinese remainder theorem, $a_i$ is invertible, except for probability $2q^{-n/2}$. Hence, ring-SIS is equivalent to the case of invertible $a_2$ which is further equivalent to problem $a_1{t}_1+t_2+a_3{t}_3=0$, as we can multiply it by $a_2^{-1}$. The quantum hardness of ring-SIS can be found in [13,33].

7.2. The JAK ID Scheme

We now review the JAK ID scheme [23]. Initially, take $s_1,s_2\leftarrow D_{R,\sigma },a_1,a_2\leftarrow R_q^{*}$ and compute $u=a_1{s}_1+a_2{s}_2$. The system parameter is $(a_1,a_2)$; the public key is u and the private key is $(s_1,s_2).$ The ID scheme is as follows (also see Figure 3).

1.

Prover generates ${\mathbf{y}}_1,{\mathbf{y}}_2\leftarrow {\mathcal{Y}}^{\mu }$ and computes $\mathbf{v}=a_1{\mathbf{y}}_1+a_2{\mathbf{y}}_2$ and sends $\mathbf{v}$ to Verifier, where $\mu \ge {log}^{2}n.$

2.

Receiver samples $c\leftarrow \mathcal{C}$ and sends it to Prover.

3.

Upon c, Prover computes $z_1=s_{1}c+{\sum }_j{y}_{1j},z_2=s_{2}c+{\sum }_j{y}_{2j}.$

4.

Upon $z_1,z_2$, Verifier checks if ${\sum }_{i=1}^{\mu }{v}_i\stackrel{?}{=}{a}_1{z}_1+a_2{z}_2-uc$ and $||z_b{||}_{\infty }\stackrel{?}{\le }{\eta }_t$ for $b=1,2,$ where ${\eta }_t=5\sigma n^2\sqrt{t\mu }{log}^{6}n$ and t is a positive integer (that represents the number of signers when converted to a signature scheme) and recall that (as a convention) $v_i$ is the ith component of $\mathbf{v}$. If all are valid, it accepts; otherwise, it rejects.

The above specification uses the public-key $u=a_1{s}_1+a_2{s}_2$ while the original protocol uses $u=a{s}_1+s_2.$ This change is only for convenience for our proof for Lemmas A3 (that is needed for the ID security). It will not affect other properties: correctness, simulatability, linearity and classical security, as if we define $a=a_1{a}_2^{-1}$, the current version is different from the original one only by a scaling factor $a_2$ and all the proofs go through. Further, Step 3 in the above specification is a simplified but equivalent version of the original protocol (see the remark after the scheme description in [23]). The proofs of the correctness and linearity do not involve the adversary and hence remain unchanged as in [23]. The simulability given in [23] holds statistically. It hence holds against a quantum attacker, where the model is the same except that the attacker can also internally run the quantum operations.

It remains to prove the quantum security of this ID scheme under Definition 5. The idea is to implement the classic rewinding technique in the quantum world. We start with the security game below with $u_1$ the honest signer’s public key. We first make the change that ${\lambda }_2,\cdots ,{\lambda }_t$ are provided by attacker (which will increase the attacker A’s success probability only).

$1.a_1,a_2\leftarrow \mathbf{Setup}\left(1^{\lambda }\right)$;

$2.(|s{t}_0\rangle ,{\lambda }_2,u_2,\cdots ,{\lambda }_t,u_t)\leftarrow A(a_1,a_2,u_1)$

$3.{\lambda }_1\leftarrow \mathcal{C}$

$4.(|s{t}_1\rangle ,\mathbf{v})\leftarrow A(|s{t}_0\rangle ,{\lambda }_1)$;

$5.c\leftarrow \mathcal{C}$; $z_1|z_2\leftarrow A(|s{t}_1\rangle ,c)$;

6. Check: ${\sum }_{j=1}^{\mu }{v}_j\stackrel{?}{=}{a}_1{z}_1+a_2{z}_2-\overline{u}c,||z_1{||}_{\infty }<{\eta }_t,||z_2{||}_{\infty }<{\eta }_t$?

In the classic proof, we first obtain a valid transcript $({\{{\lambda }_i|u_i\}}_{i=2}^t,{\lambda }_1,\mathbf{v},c,z_1|z_2)$ and then rewind A to line 5 and produce another valid transcript $({\{{\lambda }_i|u_i\}}_{i=2}^t,{\lambda }_1,\mathbf{v},c^{\prime },z_1^{\prime }|z_2^{\prime })$. This allows us to derive a short solution $(o_1,o_2,o_3)=(z_1-z_1^{\prime },z_2-z_2^{\prime },c-c^{\prime })$ for equation $a_1{o}_1+a_2{o}_2-\overline{u}{o}_3=0.$ In the quantum world, this rewinding strategy is not quite working because when A produces $z_1,z_2$, it might do a measurement which is not reversible. If it only uses unitary (e.g., U), then the rewinding can be done by applying $U^{†}.$ Unruh [47] introduced a notion of collapsing property for a protocol: even with the measurement, the rewinding still can produce a successful new transcript with a good probability. In our quantum security proof, we will guarantee this property is satisfied. Next, we rewind A to step 3 with a new challenge ${\lambda }_1^{\prime }$ and repeat the above procedure to obtain a new solution $(o_1^{\prime },o_2^{\prime },o_3^{\prime })$ satisfying $a_1{o}_1^{\prime }+a_2{o}_2^{\prime }-\overline{u^{\prime }}{o}_3^{\prime }=0$, where $\overline{u^{\prime }}$ is updated as $u_1{\lambda }_1^{\prime }+{\sum }_{i=2}^t{\lambda }_i{u}_i.$ Combining these two solutions allows us to derive a short solution $(x_1,x_2,x_3)$ for $a_1{x}_1+a_2{x}_2+u_1{x}_3=0.$ If $u_1$ is uniformly random in $R_q$, this is the solution for Ring-SIS. However, even though $u_1$ is sampled as $a_1{s}_1+a_2{s}_2$, it is indistinguishable from the uniformly random $u_1$ by Ring-LWE assumption. Since the secret $(s_1,s_2)$ is never used in the above game, if we use the uniformly random $u_1$ in the game, we can obtain the solution $(x_1,x_2,x_3)$ with the similar probability. This contradicts the Ring-SIS assumption. The detailed implementation of this strategy is given Appendix A.

Theorem 6.

Under ${\text{ring-LWE}}_{q,\sigma ,2n}$ and ${\text{ring-SIS}}_{3,q,\beta }$ assumptions, the JAK ID scheme is secure (under Definition 5), where $\beta \ge 16{\eta }_t\sqrt{n}{log}^{2}n$.

Applying the compiler theorem to the JAK ID scheme, it gives a quantum-secure multi-signature scheme (denoted by RLWE-Multisig scheme). For a complete description of this scheme, see [23]. The following is a summary of its security.

Corollary 4.

Under ${\text{Ring-LWE}}_{q,\sigma ,2n}$ and ${\text{Ring-SIS}}_{3,q,\beta }$ assumptions,RLWE-MultiSigis EU-CMA secure in the quantum random oracle model, where $\beta \ge 16{\eta }_t\sqrt{n}{log}^{2}n$.

8. Conclusions

In this paper, we investigated the security analysis techniques in the quantum random oracle model. We combined and extended three existing techniques to form a model called compressed random oracle with adaptive special points (${\mathbf{CStO}}_s$). We extended the query extractions from previous models to ${\mathbf{CStO}}_s$. We can simulate this random oracle so that we can extract the query for a given commitment and we can also extract a query that is a witness for the future (unknown) adversary output. To see the power of this simulated oracle, we proved the security of our previous compact multi-signature scheme. This gives the first compact mult-signature provable secure in the quantum random oracle model. We hope that this oracle technique will be useful to prove the post-quantum security of many cryptographic systems.

Appendix A.1. Collapsing Public-Coin Protocol

For any quantum polynomial time distinguisher $\mathcal{D}$, we define a collapsing game $\mathsf{clpsExp}\left(\mathcal{D}\right)$ between $\mathcal{D}$ and a challenger $\mathsf{Chal}$ with respect to a n-round public-coin protocol $\mathsf{\Sigma }=(\mathbf{Gen},\mathcal{P},\mathcal{V})$.

• Initially, Chal generates $pk$ and gives it to $\mathcal{D}$.
• Then, $\mathcal{D}$ (in the role of $\mathcal{P}$) and Chal (in the role of $\mathcal{V}$) executes the protocol $\mathsf{\Sigma }$ except for round n. At round n, $\mathcal{D}$ generates a quantum superposition $|\varphi \rangle$ (over the response $a_n$) which might be entangled with states in extra registers. He then provides $|\varphi \rangle$ to Chal.
• Upon $|\varphi \rangle$, $\mathsf{Chal}$ uses a measurement to check if $a_n$ in $|\varphi \rangle$ is a valid response for $a_1|c_1|\cdots |a_{n-1}|c_{n-1}$. If the verification fails, Chal aborts; otherwise, let $|{\varphi }^{\prime }\rangle$ be the superposition containing all the valid $a_n$’s. Then, $\mathsf{Chal}$ flips a coin $b\leftarrow \{0,1\}$. If $b=0$, it does nothing; otherwise, it measures $|{\varphi }^{\prime }\rangle$ in the computational basis. Finally, it sends the resulting superposition back to $\mathcal{D}.$
• Finally, $\mathcal{D}$ outputs a guess bit $b^{\prime }$ for b, which is also set as the output of the game.

We use ${\mathsf{clpsExp}}_{\mathcal{D}}^b$ to denote the game with challenge bit $b.$

Definition A2.

A Σ-protocol is collapsing if

$$\begin{array}{c}\hfill Pr({\mathsf{clpsExp}}_{\mathcal{D}}^1=0)=Pr({\mathsf{clpsExp}}_{\mathcal{D}}^0=0)+\mathbf{negl}\left(\lambda \right).\end{array}$$

(A1)

It is γ-weakly collapsing if

$$\begin{array}{c}\hfill Pr({\mathsf{clpsExp}}_{\mathcal{D}}^1=0)\ge \gamma ·Pr({\mathsf{clpsExp}}_{\mathcal{D}}^0=0)-\mathbf{negl}\left(\lambda \right).\end{array}$$

(A2)

Remark. This definition was extended from [30] for the Sigma protocol to a general public coin protocol. In this definition, the collapsing property states that no attacker can detect whether the final round is a superposition or a classic response by measuring the former. This property is concerned only with the last round and all the previous $n-1$ prover messages are still classic.

Appendix A.2. Two Public-Coin Protocols from Our ID Scheme

We define two public-coin protocols ${\mathsf{\Sigma }}_1$ and ${\mathsf{\Sigma }}_2$ between quantum algorithm A and challenger, which are derived from the JAK ID protocol. We keep the notations in Section 7.2 unless specified.

Appendix A.2.1. Protocol Σ 1 .

Let $u_1,a_1,a_2\leftarrow R_q$. A interacts with challenger as follows.

1.

A sends $({\lambda }_2,u_2,\cdots ,{\lambda }_t,u_t)$ to challenger and holds a state $|{\psi }_1\rangle$, where ${\lambda }_i\leftarrow \mathsf{\Theta }$.

2.

Challenger sends ${\lambda }_1\leftarrow \mathsf{\Theta }$ to A.

3.

A applies a unitary $U_{{\lambda }_1}$ to $|{\psi }_1\rangle$ and results in ${\sum }_{o,{\psi }_o}|o,{\psi }_o\rangle$. It measures $o=(o_1,o_2,o_3)$ in the computational basis and sends it to challenger.

4.

Challenger accepts if $a_1{o}_1+a_2{o}_2-\overline{u}{o}_3=0$ and $||o_i{||}_{\infty }\le 2{\eta }_t$ for $i=1,2,3$, where $\overline{u}={\sum }_{i=1}^t{\lambda }_i{u}_i$.

Appendix A.2.2. Protocol Σ 2 .

Let $u_1,a_1,a_2\leftarrow R_q$. A interacts with challenger as follows.

1.

A sends $({\lambda }_2,u_2,\cdots ,{\lambda }_t,u_t)$ to challenger, where ${\lambda }_i\leftarrow \mathsf{\Theta }$.

2.

Challenger sends ${\lambda }_1\leftarrow \mathsf{\Theta }$ to A.

3.

A sends $\mathbf{v}\in R_q^{\mu }$ to challenger and prepares a state $|{\psi }_1\rangle$.

4.

Challenger replies with $c\leftarrow \mathsf{\Theta }$.

5.

A applies a unitary $V_{{\lambda }_{1}c}$ to its state $|{\psi }_1\rangle$ and results in ${\sum }_{\mathbf{z},{\psi }_{\mathbf{z}}}|\mathbf{z},{\psi }_{\mathbf{z}}\rangle$, where, although not stated,$V_{{\lambda }_{1}c}$ also depends on the previous messages. It measures $\mathbf{z}=(z_1,z_2)$ in the computational basis and sends it to challenger.

6.

Challenger accepts if ${\sum }_{i=1}^{\mu }{v}_i=a_1{z}_1+a_2{z}_2-\overline{u}c$ and $||z_1{||}_{\infty }\le {\eta }_t,||z_2{||}_{\infty }\le {\eta }_t$.

Appendix A.3. Security of the JAK ID Scheme when Σ 1 and Σ 2 are Weakly Collapsing

In the following we prove that the JAK ID is secure (w.r.t. Def. 5) based on the assumptions that ${\mathsf{\Sigma }}_1$ and ${\mathsf{\Sigma }}_2$ are both weakly collapsing. This proof is threaded by two observations.

First, in ${\mathsf{\Sigma }}_2$, if we can rewind the execution to the beginning of Step 4, then we can obtain two tuples ($z_1,z_2,c)$ and $(z_1^{\prime },z_2^{\prime },c^{\prime })$ with $z_1,z_2,z_1^{\prime },z_2^{\prime }$ short, satisfying

$$\begin{array}{c}\hfill \sum _{i=1}^{\mu }{v}_i=a_1{z}_1+a_2{z}_2-\overline{u}c,\sum _{i=1}^{\mu }{v}_i=a_1{z}_1^{\prime }+a_2{z}_2^{\prime }-\overline{u}{c}^{\prime }.\end{array}$$

(A3)

This gives a solution $(o_1,o_2,o_3)$ with short $o_i$ (as $c,c^{\prime }$ are also short) so that $a_1{o}_1+a_2{o}_2-\overline{u}{o}_3=0$ If A executes Step 5 by unitary operator $U_c$ on its state (i.e., without measuring $(z_1,z_2)$), then the rewinding is just to apply $U_c^{†}$. The weakly collapsing property of ${\mathsf{\Sigma }}_2$ assures that even if it measure $(z_1,z_2)$, the rewinding technique by $U^{†}$ still produces two accepting tuples $(z_1,z_2,c)$ and $(z_1^{\prime },z_2^{\prime },c^{\prime })$ with a good probability.

Second, in ${\mathsf{\Sigma }}_1$, if we can rewind the execution to the beginning of Step 2, we obtain two solutions $(o_1,o_2,o_3,{\lambda }_1)$ and $(o_1^{\prime },o_2^{\prime },o_3^{\prime },{\lambda }_1^{\prime })$ so that

$$\begin{array}{c}\hfill a_1{o}_1+a_2{o}_2-\overline{u}{o}_3=0,a_1{o}_1^{\prime }+a_2{o}_2^{\prime }-\overline{u^{\prime }}{o}_3^{\prime }=0,\end{array}$$

(A4)

where $\overline{u^{\prime }}={\lambda }_1^{\prime }{u}_1+{\sum }_{i=2}^t{\lambda }_i{u}_i$. This allows us to derive a short solution $(t_1,t_2,t_3)$ for $a_1{t}_1+a_2{t}_2+u{t}_3=0$, contradiction to the ring-SIS assumption. Again, due to the weakly collapsing property of ${\mathsf{\Sigma }}_1$, this rewinding with measuring $(o_1,o_2,o_3)$ can still succeed with good probability, compared with the rewinding without measuring $(o_1,o_2,o_3)$.

With these observations, we can now return the ID security game (Def. 5). We notice that this game can be formulated as ${\mathsf{\Sigma }}_2$. On the other hand, ${\mathsf{\Sigma }}_1$ can be regarded as the internal execution of ${\mathsf{\Sigma }}_2$ after step 2, the rewinding of which gives a solution $(o_1,o_2,o_3).$ This leads to an attack for ring-SIS: the attacker runs A to run ${\mathsf{\Sigma }}_2$ to produce $(o_1,o_2,o_3)$ and with rewinding, it produces another $(o_1^{\prime },o_2^{\prime },o_3^{\prime }).$ As seen above, this gives a solution to the ring-SIS problem.

Lemma A1.

If ${\mathsf{\Sigma }}_1$ is ${\gamma }_1$-weakly collapsing and ${\mathsf{\Sigma }}_2$ is ${\gamma }_2$-weakly collapsing, then under ${\text{ring-LWE}}_{q,\sigma ,2n}$ and ${\text{ring-SIS}}_{3,q,\beta }$ assumptions, the JAK ID scheme is secure, where $\beta \ge 16{\eta }_t\sqrt{n}{log}^{2}n$.

Proof. Assume that A has a success probability $ϵ$ in the security game of an ID scheme (see Definition 5). We revise the game so that $u_1$ is uniformly random over $R_q$ (instead of $u_1=a_1{s}_1+a_2{s}_2$ which is indistinguishable from uniformly random over $R_q$ under ring-LWE assumption, as $a_2$ is invertible in $R_q$ except for a negligible probability). Then, by ring-LWE assumption, the success of A is changed only negligibly. Further, we change the game so that A chooses ${\lambda }_2,\cdots ,{\lambda }_t$. This will only increase the success of A. Finally, we change the game so that A is unitary (whenever operating on its quantum state) except when it needs to measure its state to produce a protocol message (in the computational basis). This does not change the success probability of A as any A can always be made into this kind without changing its output distribution by adding more ancilla registers and also applying the deferred measurement principle. Now the security game is simply ${\mathsf{\Sigma }}_2$. For brevity, we still assume A can succeed with probability $ϵ.$ Let $\tau$ be the partial transcript $(u_1,a_1,a_2,{\{u_i,{\lambda }_i\}}_{i=2}^t,{\lambda }_1,\mathbf{v})$. Let ${\omega }_{\tau }$ be the probability of $\tau .$ For fixed $\tau$, let $P_{\tau c}$ be the projection to the subspace from all $|z_1,z_2\rangle \langle z_1,z_2|$ so that $(\mathbf{v},c,(z_1,z_2))$ is accepting. Further, let ${ϵ}_{\tau }$ be the accepting probability (over c), given the partial transcript $\tau$. We modify ${\mathsf{\Sigma }}_2$ to ${\mathsf{\Sigma }}_2^{\prime }$ so that A does not measure $(z_1,z_2)$ and instead it only measures $P_{\tau c}.$ It is not hard to see that A in ${\mathsf{\Sigma }}_2^{\prime }$ and ${\mathsf{\Sigma }}_2$ has the same success probability $ϵ$ (by Lemma 3(2)). Let $|{\psi }_{\tau }\rangle$ be the normalized state after A sending $\mathbf{v}$. Then, ${ϵ}_{\tau }={\displaystyle \frac{1}{|\mathsf{\Theta }|}}{\sum }_{c\in \mathsf{\Theta }}||V_{\tau c}^{†}{P}_{\tau c}{V}_{\tau c}|{\psi }_{\tau }{\rangle ||}^2$ and $ϵ={\sum }_{\tau }{\omega }_{\tau }{ϵ}_{\tau }.$ Define ${\tilde{P}}_{\tau c}=V_{\tau c}^{†}{P}_{\tau c}{V}_{\tau c}.$ Before moving on, we give a claim from [47, Lemma 7].

Claim 1.

Let E be a set. Let ${\left(Q_e\right)}_{e\in E}$ be orthogonal projectors on Hilbert space $\mathcal{H}$. Let $|\Phi \rangle \in \mathcal{H}$ be a unit vector. Let $V={\sum }_{e\in E}{\displaystyle \frac{1}{|E|}}||Q_e{|\Phi \rangle ||}^2$ and $F={\sum }_{e_1,e_2\in E}{\displaystyle \frac{1}{|E|}}||Q_{e_1}{Q}_{e_2}{|\Phi \rangle ||}^2.$ Then, $F\ge V^3.$

From this claim, we have that ${\displaystyle \frac{1}{{|\mathsf{\Theta }|}^2}}{\sum }_{c^{\prime },c\in \mathsf{\Theta }}||{\tilde{P}}_{\tau c^{\prime }}{\tilde{P}}_{\tau c}|{\psi }_{\tau }{\rangle ||}^2\ge {ϵ}_{\tau }^3.$ This is the probability that we rewind A in ${\mathsf{\Sigma }}_2^{\prime }$, after $P_{\tau c}$ projection, to produce a second response $(z_1^{\prime },z_2^{\prime })$ using challenge $c^{\prime }$. If we require $c^{\prime }\ne c$, then this probability will change to ${ϵ}_{\tau }^3-{ϵ}_{\tau }/|\mathsf{\Theta }|$, as ${\tilde{P}}_{\tau c^{\prime }}{\tilde{P}}_{\tau c}={\tilde{P}}_{\tau c}$ when $c^{\prime }=c$.

Now consider this success probability in ${\mathsf{\Sigma }}_2$ (not ${\mathsf{\Sigma }}_2^{\prime }$) when $c^{\prime }\ne c$, where the projective measurement for $(z_1,z_2)$ after $P_{\tau c}$ and the projective measurement for $(z_1^{\prime },z_2^{\prime })$ after $P_{\tau c^{\prime }}$ will be applied. By $\gamma$-weakly collapsing property of ${\mathsf{\Sigma }}_2$, it is easy to show that this probability is at least ${\gamma }_2^2({ϵ}_{\tau }^3-{ϵ}_{\tau }/|\mathsf{\Theta }|)$ (similar to [30, Lemma 5] and the analysis right after it). Therefore, ${\mathsf{\Sigma }}_2$ rewindings produce two accepting transcripts $(c,z_1,z_2)$ and $(c^{\prime },z_1^{\prime },z_2^{\prime })$ for $c^{\prime }\ne c$, with probability at least ${\gamma }_2^2({ϵ}_{\tau }^3-{ϵ}_{\tau }/|\mathsf{\Theta }|).$ Notice that these two accepting transcripts will result in a witness $(o_1,o_2,o_3)=(z_1-z_1^{\prime },z_2-z_2^{\prime },c-c^{\prime })$ so that $a_1{o}_1+a_2{o}_2-\overline{u}{o}_3=0.$ When ${\tau }^{\prime }=(u_1,a_1,a_2,{\{u_i,{\lambda }_i\}}_{i=2}^t)$ is fixed, this occurs with probability at least ${\sum }_{{\lambda }_1\mathbf{v}}{P}_{{\lambda }_1\mathbf{v}|{\tau }^{\prime }}{\gamma }_2^2({ϵ}_{{\tau }^{\prime }{\lambda }_1\mathbf{v}}^3-{ϵ}_{{\tau }^{\prime }{\lambda }_1\mathbf{v}}/|\mathsf{\Theta }|)\ge {\gamma }_2^2({ϵ}_{{\tau }^{\prime }}^3-{ϵ}_{{\tau }^{\prime }}/|\mathsf{\Theta }|)$ by Cauchy-Schwarz inequality, where ${ϵ}_{{\tau }^{\prime }}={\mathbf{E}}_{{\lambda }_1\mathbf{v}}({ϵ}_{{\tau }^{\prime }{\lambda }_1\mathbf{v}}|{\tau }^{\prime })$ and marginal probability $P_{{\tau }^{\prime }}={\sum }_{{\lambda }_1\mathbf{v}}{P}_{{\tau }^{\prime }{\lambda }_1\mathbf{v}}$ is the occurrence of ${\tau }^{\prime }$.

We then modify A in ${\mathsf{\Sigma }}_2$ to an attacker $A^{\prime }$ for ${\mathsf{\Sigma }}_1$: in ${\mathsf{\Sigma }}_1$, $A^{\prime }$ follows A to prepare Step 1 message and after receiving ${\lambda }_1$, it makes use of A in ${\mathsf{\Sigma }}_2$ in the above rewinding technique (where the challenge $c^{\prime },c$ are sampled randomly) to produce $(o_1,o_2,o_2).$ We then modify $A^{\prime }$ so that it defers the measurements (after receiving ${\lambda }_1$) other than measuring $(o_1,o_2,o_3)$ to the end of the game (where $A^{\prime }$ has already produced $(o_1,o_2,o_3)$). This does not change the success probability of $A^{\prime }$ by the deferred measurement principle (with some ancilla registers as in Corollary 1, extended from Lemma 7). Next, we modify $A^{\prime }$ so that $A^{\prime }$ does not do the deferred measurements mentioned above. This does not change the success probability of $A^{\prime }$ as the deferred measurements are done after $(o_1,o_2,o_3)$ are obtained. Let ${ϵ}_{{\tau }^{\prime }}^{\prime }$ be the success probability of this $A^{\prime }$ that produces $(o_1,o_2,o_3)$ with short $(o_1,o_2,o_3)$ so that $a_1{o}_1+a_2{o}_2-\overline{u}{o}_3=0$ with $||o_i{||}_{\infty }\le 2{\eta }_t$. By our foregoing argument, ${ϵ}_{{\tau }^{\prime }}^{\prime }\ge {\gamma }_2^2({ϵ}_{{\tau }^{\prime }}^3-{ϵ}_{{\tau }^{\prime }}/|\mathsf{\Theta }|).$ Let $|{\psi }_{{\tau }^{\prime }{\lambda }_1}\rangle$ be the state right before the projective measurement that results in $(o_1,o_2,o_3)$ and $Q_{{\tau }^{\prime }{\lambda }_1}$ be the test measurement on $|{\psi }_{{\tau }^{\prime }{\lambda }_1}\rangle$ to check if $a_1{o}_1+a_2{o}_2-\overline{u}{o}_3=0.$ Let $A^{\prime \prime }$ be the variant of $A^{\prime }$ so that projective measure resulting in $(o_1,o_2,o_3)$ is not made and instead it makes only the test measurement $Q_{{\tau }^{\prime }{\lambda }_1}.$ Under this, $A^{\prime \prime }$ still has the success probability ${ϵ}_{{\tau }^{\prime }}^{\prime }$. Let the unitary that produces $|{\psi }_{{\tau }^{\prime }{\lambda }_1}\rangle$ be $U_{{\tau }^{\prime }{\lambda }_1}$. Then, using Claim above, we similarly have that ${\displaystyle \frac{1}{{|\mathsf{\Theta }|}^2}}{\sum }_{{\lambda }_1,{\lambda }_1^{\prime }}||{\tilde{Q}}_{{\tau }^{\prime }{\lambda }_1^{\prime }}{\tilde{Q}}_{{\tau }^{\prime }{\lambda }_1}|{\psi }_{{\tau }^{\prime }}{\rangle ||}^2\ge {{ϵ}^{\prime }}_{{\tau }^{\prime }}^3,$ where ${\tilde{Q}}_{{\tau }^{\prime }{\lambda }_1}=U_{{\tau }^{\prime }{\lambda }_1}^{†}{Q}_{{\tau }^{\prime }{\lambda }_1}{U}_{{\tau }^{\prime }{\lambda }_1}.$ Further, if we require ${\lambda }_1\ne {\lambda }_1^{\prime }$, then ${\displaystyle \frac{1}{{|\mathsf{\Theta }|}^2}}{\sum }_{{\lambda }_1\ne {\lambda }_1^{\prime }}||{\tilde{Q}}_{{\tau }^{\prime }{\lambda }_1^{\prime }}{\tilde{Q}}_{{\tau }^{\prime }{\lambda }_1}|{\psi }_{{\tau }^{\prime }}{\rangle ||}^2\ge {{ϵ}^{\prime }}_{{\tau }^{\prime }}^3-{{ϵ}^{\prime }}_{{\tau }^{\prime }}/|\mathsf{\Theta }|.$ Again, by applying weakly-collapsing property of ${\mathsf{\Sigma }}_1$, if $A^{\prime \prime }$ does the measurement for $(o_1,o_2,o_3)$ after $Q_{{\tau }^{\prime }{\lambda }_1}$ and the measurement for $(o_1^{\prime },o_2^{\prime },o_3^{\prime })$ after $Q_{{\tau }^{\prime }{\lambda }_1^{\prime }}$, then the success probability producing successful $(o_1,o_2,o_3)$ and $(o_1^{\prime },o_2^{\prime },o_3^{\prime })$ with probability at least ${\gamma }_1^2({{ϵ}^{\prime }}_{{\tau }^{\prime }}^3-{{ϵ}^{\prime }}_{{\tau }^{\prime }}/|\mathsf{\Theta }|)\ge {\gamma }_1^2({{ϵ}^{\prime }}_{{\tau }^{\prime }}^3-1/|\mathsf{\Theta }|).$ Since ${{ϵ}^{\prime }}_{{\tau }^{\prime }}\ge {\gamma }_2^2({ϵ}_{{\tau }^{\prime }}^3-{ϵ}_{{\tau }^{\prime }}/|\mathsf{\Theta }|)$, averaging over ${\tau }^{\prime }$ and using Cauchy-Schwarz inequality, the success probability to produce two accepting $(o_1,o_2,o_3)$ and $(o_1^{\prime },o_2^{\prime },o_3^{\prime })$ with ${\lambda }_1\ne {\lambda }_1^{\prime }$ is at least ${\gamma }_1^2({\gamma }_2^6({ϵ}^3-ϵ/{|\mathsf{\Theta }|)}^3-1/|\mathsf{\Theta }|).$ Since ${\gamma }_1,{\gamma }_2$ and $ϵ$ are all non-negligible, this lower bound is non-negligible either. However, $(o_1,o_2,o_3)$ and $(o_1^{\prime },o_2^{\prime },o_3^{\prime })$ with ${\lambda }_1\ne {\lambda }_1^{\prime }$ leads to a solution $(x_1,x_2,x_3)$ for Ring-SIS problem $a_1{x}_1+a_2{x}_2+u_1{x}_3=0$ (see Eqs (36)-(38) in [23] where our length bound $\beta$ for $||x_i{||}_{\infty }$ is summarized from there). This contradicts the ${\text{ring-SIS}}_{q,n,\beta }$ assumption! □

Appendix A.4. Σ 2 and Σ 1 are Weakly Collapsing

We introduce the notation of compatible lossy function of a n-round public-coin protocol (as a straightforward generalization of the same notion in [30] for a sigma protocol).

Definition A3.

A compatible lossy function for a n-round public-coin protocol $\mathsf{\Sigma }=(\mathbf{Gen},\mathcal{P},\mathcal{V})$ is an efficiently computable function generator $\mathsf{CLF}.\mathsf{gen}(\lambda ,pk,sk,{\{a_i|c_i\}}_{i=1}^{n-1},\mathsf{mode})$ which takes λ (security parameter), $pk,sk,$ partial transcript ${\{a_i|c_i\}}_{i=1}^{n-1}$ in Σ and mode (either constant or injective) and outputs an efficiently computable function f so that

• constantmode: Let the domain of f be all r with ${\{a_i|c_i\}}_{i=1}^{n-1}|r$ being a valid transcript when $a_n=r$. Then, the probability that f has an image of size at most p, is at least $\gamma .$ That is, ${Pr}_f(Im\left(f\right)\le p)\ge \gamma$, for $f\leftarrow \mathsf{CLF}.\mathsf{gen}(\lambda ,pk,sk,{\{a_i|c_i\}}_{i=1}^{n-1},\mathsf{constant})$.
• injectivemode: for $f\leftarrow \mathsf{CLF}.\mathsf{gen}(\lambda ,pk,sk,{\{a_i|c_i\}}_{i=1}^{n-1},\mathsf{injective})$, f is injective over all r s.t. $({\{a_i|c_i\}}_{i=1}^{n-1}|r)$ is a valid transcript when $a_n=r$, except for a negligible probability.
• indistinguishability. We first define game ${\mathsf{clfExp}}_{\mathcal{D},pk,sk}^b$ for $b=0,1.$

  -

  $\mathcal{D}$ is given $pk$ and challenge $\mathsf{Chal}$ has $pk,sk$.

  -

  $\mathcal{D}$ (in the role of $\mathcal{P}$) andChal(in the role of $\mathcal{V}$) execute Σ in the first $n-1$ rounds, resulting in the partial transcript ${\{a_i|c_i\}}_{i=1}^{n-1}$.

  -

  If $b=0,$ let $\mathsf{mode}=\mathsf{constant}$; otherwise,mode=injective. Then, challenger samples

  $$f\leftarrow \mathsf{CLF}.\mathsf{gen}(\lambda ,pk,sk,{\{a_i|c_i\}}_{i=1}^{n-1},\mathsf{mode})$$

  and provides it to $\mathcal{D}.$ Then, $\mathcal{D}$ outputs a guess bit $b^{\prime }$ for b, which is also defined as the output of the game.

  The function generator $\mathsf{CLF}.\mathsf{gen}$ is $(p,\gamma )$-compatible w.r.t. Σ if for any polynomial time quantum algorithm $\mathcal{D}$ and for $(pk,sk)\leftarrow \mathsf{Gen}\left(1^{\lambda }\right)$, we have

  $$\begin{array}{c}\hfill Pr({\mathsf{clfExp}}_{\mathcal{D},pk,sk}^0=0)=Pr({\mathsf{clfExp}}_{\mathcal{D},pk,sk}^1=0)+\mathbf{negl}\left(\lambda \right).\end{array}$$

  (A5)

The following lemma is adapted from Liu and Zhandry [30], which shows that the existence of a compatible function for $\mathsf{\Sigma }$ implies that $\mathsf{\Sigma }$ is weakly collapsing. The result is stated with respect to a quantum secure sigma protocol. But their proof does not require the quantum security of the sigma protocol and can also be trivially extended to a n-round public-coin protocol. Thus, we state it without a proof.

Lemma A2.

If A n-round public-coin protocol Σ has a $(p,\gamma )$-compatible lossy function, then Σ is $\gamma /p$-weakly collapsing.

In the following, we prove that ${\mathsf{\Sigma }}_2$ has a compatible lossy function.

Lemma A3.

Let ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$ w.r.t. $a_1|a_2|{\{u_i|{\lambda }_i\}}_{i=1}^t|\mathbf{v}|c$ in ${\mathsf{\Sigma }}_2$ be two distributions of function families: for each valid $(z_1,z_2)\in R_q^2$ (w.r.t. ${\{u_i|{\lambda }_i\}}_{i=1}^t|\mathbf{v}|c$),

$$\begin{array}{cc}\hfill {\mathcal{F}}_0& =\{f\mid f(z_1,z_2)={\lfloor (\mathbf{s}(a_1,a_2)+\mathbf{e}){(z_1,z_2)}^T+\mathbf{r}\rceil }_{\theta },\mathbf{s}\leftarrow R_q^{2logn},\mathbf{e}\leftarrow D_{R,\sigma }^{2logn\times 2},\mathbf{r}\leftarrow R_q^{2logn}\}\hfill \\ \hfill {\mathcal{F}}_1& =\{f\mid f(z_1,z_2)={\lfloor \mathbf{B}{(z_1,z_2)}^T+\mathbf{r}\rceil }_{\theta },\mathbf{B}\leftarrow R_q^{2logn\times 2},\mathbf{r}\leftarrow R_q^{2logn}\},\hfill \end{array}$$

where $8\sigma n{\eta }_t^{1.5}logn<\theta <{\displaystyle \frac{q}{nlogn}}$ and ${\lfloor \mathbf{x}\rceil }_{\theta }$ for $\mathbf{x}\in R_q^2$ rounds each coefficient $x_i\in {\mathbb{F}}_q$ (when representing $\mathbf{x}$ as a vector in ${\mathbb{F}}_q^{2n}$) using the ${\lfloor x\rceil }_{\theta }$ function: it first repsents $x=k\theta +y$ with $y\in (-\theta /2,\theta /2]$ and $k\in \mathbb{Z}$ and then outputs $k\theta$. Then, ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$ are $({\displaystyle \frac{2^6}{3^6}},1)$-compatible w.r.t. ${\mathsf{\Sigma }}_2$.

Proof. First, we show that ${\mathcal{F}}_0$ is a constant function family; second, we show that ${\mathcal{F}}_1$ is an injective function family; finally, we show that they are indistinguishable. In ${\mathsf{\Sigma }}_2$, the message flows in order are ${\{{\lambda }_i|u_i\}}_{i=2}^t$, ${\lambda }_1$, $\mathbf{v}$, c and $(z_1,z_2)$. The transcript is valid if $||z_1{||}_{\infty }<{\eta }_t$ and $||z_2{||}_{\infty }<{\eta }_t$ and ${\sum }_{i=1}^{\mu }{v}_i=a_1{z}_1+a_2{z}_2-\overline{u}c$, where $\overline{u}={\sum }_{i=1}^t{\lambda }_i{u}_i$.

To show ${\mathcal{F}}_0$ is a constant function family, we first show that

$$\begin{array}{c}\hfill {\mathcal{F}}_0^{\prime }=\{f\mid f(z_1,z_2)={\lfloor \mathbf{s}(a_1,a_2){(z_1,z_2)}^T+\mathbf{r}\rceil }_{\theta },\mathbf{s}\leftarrow R_q^{2logn}\}\end{array}$$

(A6)

is a constant function family for ${\mathsf{\Sigma }}_2$. Indeed, since transcript is valid, $f(z_1,z_2)={\lfloor \mathbf{r}+\mathbf{s}({\sum }_i{v}_i+\overline{u}c)\rceil }_{\theta }$ (invariant). Then, we continue to show that ${\mathcal{F}}_0$ is a constant function family. The strategy is to show that there is a constant probability that

$${\lfloor \mathbf{r}+\mathbf{s}(\sum _i{v}_i+\overline{u}c)\rceil }_{\theta }={\lfloor \mathbf{s}(a_1,a_2){(z_1,z_2)}^T+\mathbf{r}+\mathbf{e}{(z_1,z_2)}^T\rceil }_{\theta },\forall \mathrm{valid}(z_1,z_2).$$

(A7)

Since the left side is constant, ${\mathcal{F}}_0$ is a constant family. Now we implement this strategy.

Claim. Let $\sigma >\omega \left(\sqrt{n}\right)$. For $e\leftarrow D_{R,\sigma }$ and $z\in R_q$ with ${||z||}_{\infty }<{\eta }_t$, then ${Pr(||ez||}_{\infty }\ge {\eta }_t^{1.5}\sigma )<n·exp(-\pi {\eta }_t).$

Proof. Notice that ith component of $ez\in R_q$ is ${\sum }_{j=0}^{n-1}\pm e_j{z}_{i-j}$, where $i-j$ means $(i-j)$ mod n and the sign is - when $i<j$ and is + otherwise. By [40, Lemma 4.4], $Pr(|{\sum }_{j=0}^{n-1}\pm e_j{z}_{i-j}{|>\sigma ||z||}_{\infty }\sqrt{{\eta }_t})<e^{-\pi {\eta }_t}.$ The union bound on i gives the result. □

Back to our proof, the above claim implies that

$$Pr(||e_{b1}{z}_1+e_{b2}{z}_2{||}_{\infty }>2\sigma {\eta }_t\sqrt{{\eta }_t}:\exists b\in [2logn])<2nlogn·exp(-\pi {\eta }_t).$$

(A8)

The space of $x\in R_q$ with ${||x||}_{\infty }\le {\eta }_t$ has a size at most ${\left(2{\eta }_t\right)}^n$. Since $||z_1{||}_{\infty }\le {\eta }_t$ and $||z_2{||}_{\infty }\le {\eta }_t$, $(z_1,z_2)$ has at most ${\left(2{\eta }_t\right)}^{2n}$ choices. By union bound, $||e_{b1}{z}_1+e_{b2}{z}_2{||}_{\infty }>2\sigma {\eta }_t\sqrt{{\eta }_t}$ for some $(z_1,z_2,b)$ only has an exponentially small probability (over $({\mathbf{e}}_1,{\mathbf{e}}_2)$), as ${\eta }_t=\omega (nlogn)$. Assume that $||e_{b1}{z}_1+e_{b2}{z}_2{||}_{\infty }\le 2\sigma {\eta }_t^{1.5}$ holds for any $(b,z_1,z_2)$. Notice that $\mathbf{w}:=\mathbf{s}(a_1,a_2){(z_1,z_2)}^T+\mathbf{r}$ is uniformly random in $R_q^{2logn}$ (as $\mathbf{r}$ is). For $x\in R_q$, we use $\underline{x}$ to denote the coeffient vector of x over ${\mathbb{F}}_q$. Similarly, for a vector $\mathbf{x}\in R_q^{\ell }$, we still use $\underline{\mathbf{x}}$ to denote the concatenated vector from ${\underline{x}}_i$ for all $i=1,\cdots ,\ell$ and use $\underline{\mathbf{x}}\left[j\right]$ to denote the jth coordinate in $\underline{\mathbf{x}}.$ Then, $\underline{\mathbf{w}}$ is uniformly random over ${\mathbb{F}}_q^{2nlogn}.$ If all $\underline{\mathbf{w}}\left[i\right]$ mod $\theta$ belong to $(-\theta /2+2\sigma {\eta }_t^{1.5},\theta /2-2\sigma {\eta }_t^{1.5})$, then ${\lfloor \underline{\mathbf{w}}\left[i\right]\rceil }_{\theta }={\lfloor \underline{\mathbf{w}}\left[i\right]+\underline{({\mathbf{e}}_1,{\mathbf{e}}_2){(z_1,z_2)}^T}\left[i\right]\rceil }_{\theta }$ for all i. By a simple calculation, the statistical distance between $\underline{\mathbf{w}}\left[i\right]$ mod $\theta$ and the uniform distribution over $(-\theta /2,\theta /2)$ is at most ${\displaystyle \frac{\theta }{2q}}.$ Hence, $\underline{\mathbf{w}}\left[i\right]$ mod $\theta$ is in that interval for all i with probability at least ${(1-{\displaystyle \frac{4\sigma {\eta }_t^{1.5}}{\theta }}-{\displaystyle \frac{\theta }{2q}})}^{2nlogn}\ge {(1-{\displaystyle \frac{1}{nlogn}})}^{2nlogn}$, which is at least $2^6/3^6$ by our assumption on $\theta$ due to the fact that ${(1-1/x)}^x$ is increasing when $x\ge 3$. This indicates that $({\mathbf{e}}_1,{\mathbf{e}}_2){(z_1,z_2)}^T$ does not change the value of $f(z_1,z_2)$. In addition, $\mathbf{w}$ is unchanged over all valid $(z_1,z_2)$ (as seen in ${\mathcal{F}}_0^{\prime }$). Hence, f is constant, which occurs with probability at least $2^6/3^6.$

Next, we prove that ${\mathcal{F}}_1$ is injective. That is, $\mathbf{B}(z_1,z_2)+\mathbf{r}$ is injective. Indeed, $\mathbf{B}$ is invertible if $det\left(B\right)$ is invertible in $R_q$, where B is ${\mathbf{B}}_i\in R_q^{2\times 2}$ for some i while $\mathbf{B}={\left({\mathbf{B}}_i\right)}_{i=1}^{logn}$. Let $B={\left(a_{ij}\right)}_{i,j=1,2}$. Represented using Chinese Remainder basis, $det\left(B\right)=a_{11}\odot a_{22}-a_{12}\odot a_{21}$, where ⊙ is the coordinate-wise multiplication over $F_q$ and x is the coordinate vector of $x\in R_q$ under Chinese Remainder basis (for background on this, see [24,35]). Notice that $x\in R_q$ is invertible if and only if each coordinate of x is non-zero. Since $a_{ij}$ is uniformly random over $R_q$, a calculation shows that $det\left(B\right)$ is invertible with probability ${(1-1/q-1/q^2+1/q^3)}^n$ and so $det\left(B\right)$ is not invertible with probability at most $n/q+O(n^2/q^2)$. Thus, the statement that no ${\mathbf{B}}_i$ is invertible, has a probability at most ${(n/q+O\left(n^2{q}^{-2}\right))}^{logn}=O\left(2^{-{log}^{2}n}\right),$ negligible.

Finally, we prove that ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$ are indistinguishable. This directly follows from ring-LWE assumption as $s_b(a_1,a_2)+(e_{b1},e_{b2})$ for $s_b\leftarrow R_q,e_{b1},e_{b2}\leftarrow D_{R,\sigma }$ is indistinguishable from $(B_{b1},B_{b2})\leftarrow R_q^2$ for $b=1,2,\cdots ,2logn$. This concludes our proof. □

Next, we consider the compatible function families ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$ for ${\mathsf{\Sigma }}_1$.

Lemma A4.

Assume that $\ell =logn$. Let ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$ be the two families of function distributions w.r.t. $a_1|a_2|{\{u_i|{\lambda }_i\}}_{i=1}^t$ in ${\mathsf{\Sigma }}_1$ defined as follows.

$$\begin{array}{cc}\hfill {\mathcal{F}}_0& =\{f\mid f(o_1,o_2,o_3)={\lfloor (\mathbf{s}(a_1,a_2,-\overline{u})+\mathbf{e}){(o_1,o_2,o_3)}^T+\mathbf{r}\rceil }_{\theta },\mathbf{s}\leftarrow R_q^{3\ell \times 1},\mathbf{e}\leftarrow D_{R,\sigma }^{3\ell \times 3},\mathbf{r}\leftarrow R_q^{3\ell }\}\hfill \\ \hfill {\mathcal{F}}_1& =\{f\mid f(o_1,o_2,o_3)={\lfloor \mathbf{B}{(o_1,o_2,o_3)}^T+\mathbf{r}\rceil }_{\theta },\mathbf{B}\leftarrow R_q^{3\ell \times 3},\mathbf{r}\leftarrow R_q^{3\ell }\},\hfill \end{array}$$

where $12\sigma n{{\eta }^{\prime }}_t^{1.5}logn\le \theta \le {\displaystyle \frac{q}{nlogn}}$ and ${\eta }_t^{\prime }=2{\eta }_t$. Then, ${\mathcal{F}}_0$ and ${\mathcal{F}}_1$ are $({\displaystyle \frac{2^9}{3^9}},1)$-compatible w.r.t. ${\mathsf{\Sigma }}_1$.

Proof. The proof is very similar to Lemma A3. We only sketch the main changes: (1) we use $(a_1,a_2,-\overline{u}){(o_1,o_2,o_3)}^T=0$ (fixed) instead of $(a_1,a_2){(z_1,z_2)}^T={\sum }_i{v}_i+uc$ (fixed), and hence ${\mathcal{F}}_0^{\prime }$ consists only of a constant function r; (2) ${\eta }_t$ is replaced by ${\eta }_t^{\prime }$. Further, the injective property of $\mathbf{B}(o_1,o_2,o_3)+\mathbf{r}$ is reduced to the invertibility of $B={\left(a_{ij}\right)}_{i,j=1,2,3}$ (instead of order 2 matrix) when $a_{ij}$ is random in $R_q$. By Gaussian elimination, if $a_{11}$ is invertible, then we make the entries (1, 2) and (1, 3) in B as zero. This updates $a_{22}$ to $a_{22}^{\prime }$ and $a_{33}$ to $a_{33}^{\prime }$ while $a_{22}^{\prime }$ and $a_{33}^{\prime }$ are still uniformly random in $R_q$. If $a_{22}^{\prime }$ is invertible, then we can make $a_{23}^{\prime }$ zero similarly that updates $a_{33}^{\prime }$ to $a_{33}^{\prime \prime }$ while preserving its uniformity. So B is invertible if $a_{11},a_{22}^{\prime }$ and $a_{33}^{\prime \prime }$ are all invertible, which has a probability at least ${(1-1/q)}^{3n}$. So for $\mathbf{B}={\left({\mathbf{B}}_i\right)}_{i=1}^{\ell }$, $\mathbf{B}(o_1,o_2,o_3)+\mathbf{r}$ is invertible if some ${\mathbf{B}}_i$ is invertible. This is violated with probability at most ${(3n/q+O(n^2/q^2))}^{logn}\le 2^{-{log}^{2}n}$, negligible. □

From Lemmas A2, A3 and A4, we can immediately conclude the following corollary.

Corollary A1.

${\mathsf{\Sigma }}_2$ is ${\displaystyle \frac{2^6}{3^6}}$-weakly collapsing and ${\mathsf{\Sigma }}_1$ is ${\displaystyle \frac{2^9}{3^9}}$-weakly collapsing.

Proof of Theorem 6. From Corollary A1, we know that ${\mathsf{\Sigma }}_1$ and ${\mathsf{\Sigma }}_2$ are both weakly collapsing. Then, Lemma A1 gives our desired result. □