On the (Im)plausibility of Public-Key Quantum Money
from Collision-Resistant Hash Functions

Prabhanjan Ananth
UCSB prabhanjan@cs.ucsb.edu Zihan Hu
Tsinghua University huzh19@mails.tsinghua.edu.cn Henry Yuen
Columbia University hyuen@cs.columbia.edu

Abstract

Public-key quantum money is a cryptographic proposal for using highly entangled quantum states as currency that is publicly verifiable yet resistant to counterfeiting due to the laws of physics. Despite significant interest, constructing provably-secure public-key quantum money schemes based on standard cryptographic assumptions has remained an elusive goal. Even proposing plausibly-secure candidate schemes has been a challenge.

These difficulties call for a deeper and systematic study of the structure of public-key quantum money schemes and the assumptions they can be based on. Motivated by this, we present the first black-box separation of quantum money and cryptographic primitives. Specifically, we show that collision-resistant hash functions cannot be used as a black-box to construct public-key quantum money schemes where the banknote verification makes classical queries to the hash function. Our result involves a novel combination of state synthesis techniques from quantum complexity theory and simulation techniques, including Zhandry’s compressed oracle technique.

1 Introduction

Unclonable cryptography is an emerging area in quantum cryptography that leverages the no-cloning principle of quantum mechanics [WZ82, Die82] to achieve cryptographic primitives that are classically impossible. Over the years, many interesting unclonable primitives have been proposed and studied. These include quantum copy-protection [Aar09], one-time programs [BGS13], secure software leasing [AL21], unclonable encryption [BL20], encryption with certified deletion [BI20], encryption with unclonable decryption keys [GZ20, CLLZ21], and tokenized signatures [BS16].

One of the oldest and (arguably) the most popular unclonable primitives is quantum money, which was first introduced in a seminal work by Wiesner [Wie83]. A quantum money scheme enables a bank to issue digital money represented as quantum states. Informally, the security guarantee states that it is computationally infeasible to produce counterfeit digital money states. That is, a malicious user, given one money state, cannot produce two money states that are both accepted by a pre-defined verification procedure. There are two notions we can consider here. The first notion is private-key quantum money, where the verification procedure is private. That is, in order to check whether a money state is valid, we need to submit the state to the bank which decides its validity. A more useful notion is public-key quantum money, where anyone can verify the validity of money states. While private-key money schemes have been extensively studied and numerous constructions, including information-theoretic ones, have been proposed, the same cannot be said for public-key quantum money schemes.

Aaronson and Christiano [AC13] first demonstrated the feasibility of information-theoretically secure public-key quantum money in the oracle model; meaning that all algorithms in the scheme (e.g., the minting and verification algorithms) query a black box oracle during their execution. In the standard (i.e., non-oracle) model, there are two types of constructions known for building quantum money:

•

In the first category, we have constructions borrowing sophisticated tools from different areas of mathematics, such as knot theory [FGH+12], quaternion algebras [KSS21] and lattices [Zha21, KLS22]. The constructions in this category have been susceptible to cryptanalytic attacks as demonstrated by a couple of recent works [Rob21, BDG22]. We are still in the nascent stages of understanding the security of these candidates.
•

In the second category, we have constructions based on well-studied (or perhaps better-studied) cryptographic primitives. In this category, we have constructions [Zha21, Shm22, Shm22a] based on indistinguishability obfuscation, first initiated by Zhandry [Zha21].

We focus on the second category. Constructions from existing primitives, especially from those that can be based on well-studied assumptions, would position public-key quantum money on firmer foundations. Unfortunately, existing constructions of indistinguishability obfuscation are either post-quantum insecure [AJL+19, JLS21, JLS22] or are based on newly introduced cryptographic assumptions [GP21, BDGM20, WW21, DQV+21] that have been subjected to cryptanalytic attacks [HJL21].

The goal of our work is to understand the feasibility of constructing public-key quantum money from fundamental and well-studied cryptographic primitives. We approach this direction via the lens of black-box separations. Black-box separations have been extensively studied in classical cryptography [Rud91, Sim98, GKM+00, RTV04, BM09, DLMM11, GKLM12, BDV17]. We say that a primitive $A$ cannot be constructed from another primitive $B$ in a black-box manner if there exists a computational world (defined by an oracle) where $B$ exists but $A$ does not. Phrased another way, these separations rule out constructions of primitive $A$ where primitive $B$ is used in a black-box manner. In this case, we say that there is a black-box separation between $A$ and $B$ . Black-box separations have been essential in understanding the relationship between different cryptographic primitives. Perhaps surprisingly, they have also served as a guiding light in designing cryptographic constructions. One such example is the setting of identity-based encryption (IBE). A couple of works [BPR+08, PRV12] demonstrated the difficulty of constructing IBE from the decisional Diffie Hellman (DDH) assumption using a black-box construction which prompted the work of [DG17] who used non-black-box techniques to construct IBE from DDH.

1.1 Our Work

Black-Box Separations for Unclonable Cryptography.

We initiate the study of black-box separations in unclonable cryptography. In this work, we study a black-box separation between public-key quantum money and (post-quantum secure) collision-resistant hash functions. To the best of our knowledge, our work takes the first step in ruling out certain approaches to constructing public-key quantum money from well-studied assumptions.

Model.

We first discuss the model in which we prove the black-box separation. We consider two oracles with the first being a random oracle ${\mathcal{R}}$ (i.e., a uniformly random function) and the second being a ${\sf PSPACE}$ oracle (i.e., one that can solve ${\sf PSPACE}$ -complete problems). We investigate the feasibility of quantum money schemes and collision-resistant hash functions in the presence of ${\mathcal{R}}$ and ${\sf PSPACE}$ . That is, all the algorithms of the quantum money schemes and also the adversarial entities are given access to the oracles ${\mathcal{R}}$ and ${\sf PSPACE}$ .

There are two ways we can model a quantum algorithm to have access to an oracle. The first is classical access, where the algorithms in the quantum money scheme can only make classical queries to the oracle; that is, each query to the oracle is measured in the computational basis before forwarding it to the oracle. If an algorithm ${\sf A}$ has classical access to an oracle, say ${\mathcal{U}}$ , we denote this by ${\sf A}^{{\mathcal{U}}}$ . The second is quantum access, where the algorithms can make superposition queries. That is, an algorithm can submit a state of the form $\sum_{x,y}\alpha_{x,y}\ket{x}\ket{y}$ to the oracle ${\mathcal{O}}$ and it receives back $\sum_{x,y}\alpha_{x,y}\ket{x}\ket{{\mathcal{O}}(x)\oplus y}$ . If an algorithm ${\sf A}$ has quantum access to an oracle ${{\mathcal{U}}}$ , we denote this by ${\sf A}^{\ket{{\mathcal{U}}}}$ .

Our ultimate goal is to obtain black-box separations in the quantum access model, where the algorithms in the quantum money scheme can query oracles in superposition. However, there are two major obstacles to achieving this.

First, analyzing the quantum access model in quantum cryptography has been notoriously challenging. For example, it is not yet known how to generalize to the quantum access setting black-box separations between key agreement protocols – a classical cryptographic primitive – and one-way functions [IR90]. Attempts to tackle special cases have already encountered significant barriers [ACC+22], and has connections to long-standing conjectures in quantum query complexity (like the Aaronson-Ambainis conjecture [AA09]).

Second, we have to contend with the difficulty that quantum money is an inherently quantum cryptographic primitive. A black-box separation requires designing an adversary that can effectively clone a quantum banknote given a single copy of it. Here one encounters problems of a uniquely quantum nature, such as the No-Cloning Theorem [WZ82, Die82] and the fact that measuring the banknote will in general disturb it.

We present partial progress towards the ultimate goal stated above by simplifying the problem and focusing exclusively on this second obstacle: we prove black-box separations where the banknote verification algorithm in the quantum money schemes makes classical queries to the random oracle $\mathcal{R}$ (but still can make quantum queries to the $\mathsf{PSPACE}$ oracle), and the minting algorithm may still make quantum queries to both $\mathcal{R}$ and $\mathsf{PSPACE}$ oracles. As we will see, even this special case of quantum money schemes is already challenging and nontrivial to analyze. We believe that our techniques may ultimately be extendable to the general setting (if there indeed exists a black-box impossibility in the general setting!), where all algorithms can make quantum queries to all oracles, and furthermore help prove black-box separations of other quantum cryptographic primitives.

Main Theorem.

We will state our theorem more formally. A quantum money scheme consists of three quantum polynomial-time (QPT) algorithms, namely $(\mathsf{KeyGen},\mathsf{Mint},\mathsf{Ver})$ , where $\mathsf{KeyGen}$ produces a public key-secret key pair, $\mathsf{Mint}$ uses the secret key to produce money states and a serial number associated with money states and finally, $\mathsf{Ver}$ determines the validity of money states using the public key. We consider oracle-aided quantum money schemes, where these algorithms have access to a random oracle ${\mathcal{R}}$ and a ${\sf PSPACE}$ oracle, defined above.

Theorem 1 (Informal).

Any public-key quantum money scheme $(\mathsf{KeyGen}^{\ket{{\mathcal{R}}},\ket{{\sf PSPACE}}},\mathsf{Mint}^{\ket{{\mathcal{R}}},\ket{{\sf PSPACE}}},\allowbreak\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}})$ is insecure.

By insecurity, we mean the following. There exists a quantum polynomial-time (QPT) adversary ${\mathcal{A}}$ such that ${\mathcal{A}}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ , given a money state $({\sf pk},\rho_{s},s)$ , where ${\sf pk}$ is the public key and $s$ is a serial number, with non-negligible probability, can produce two (possibly entangled) states that both pass the verification checks with respect to the same serial number $s$ . The probability is taken over the randomness of ${\mathcal{R}}$ and also over the randomness of $\mathsf{KeyGen},\mathsf{Mint}$ and ${\mathcal{A}}$ . We note that only $\mathsf{KeyGen}$ and $\mathsf{Mint}$ can have quantum access to ${\mathcal{R}}$ , while $\mathsf{Ver}$ only has classical access. On the other hand, we show that the adversary ${\mathcal{A}}$ only needs classical access to ${\mathcal{R}}$ .

Furthermore, we note that the random oracle $\mathcal{R}$ constitutes a collision-resistant hash function against QPT adversaries that can make queries to $(\mathcal{R},\ket{\mathsf{PSPACE}})$ [Zha15]. We note that $\mathcal{R}$ still remains collision-resistant even when the adversaries can make quantum queries to $\mathcal{R}$ , not just classical ones.

Implications.

Our main result rules out a class of public-key quantum money constructions that (a) base their security on collision-resistant hash functions, (b) use the hash functions in a black-box way, and (c) where the verification algorithm makes classical queries to the hash function. Clearly, it would be desirable to generalize the result to the case where the verification algorithm can make quantum queries to the hash function. However, there are some conceptual challenges to going beyond classical verification queries (which we discuss in more detail in Section 2.2.3).

The class of quantum money schemes in this hybrid classical-quantum query model is quite interesting on its own and a well-motivated setting. For example, in Zhandry’s public-key quantum money scheme [Zha21], the mint procedure only needs classical access to the underlying cryptographic primitives (when the component that uses cryptographic primitives is viewed as a black-box) while the verification procedure makes quantum queries. In the constructions of copy-protection due to Coladangelo et al. [CLLZ21, CMP20], the copy-protection algorithm only makes classical queries to the cryptographic primitives in the case of [CLLZ21] and the random oracle in the case of [CMP20] whereas the evaluation algorithm in both constructions make quantum queries. Finally, in the construction of unclonable encryption in [AKL+22], all the algorithms only make classical queries to the random oracle. Given these constructions, we believe it is important to understand what is feasible or impossible for unclonable cryptosystems in the hybrid classical-quantum query model.

Secondly, we believe that the hybrid classical-quantum query model is a useful testbed for developing techniques needed for black-box separations, and for gaining insight into the structure of unclonable cryptographic primitives. Even in this special case, there are a number of technical and conceptual challenges to overcome in order to get our black-box separation of Theorem 1. We believe that the techniques developed in this paper will be a useful starting point for future work in black-box separations in unclonable cryptography.

Other Separations.

As a corollary of our main result, we obtain black-box separations between public-key quantum money and many other well-studied cryptographic primitives such as one-way functions, private-key encryption and digital signatures.

Our result also gives a separation between public-key quantum money and collapsing hash functions in the same setting as above; that is, when $\mathsf{Ver}$ makes classical queries to ${\mathcal{R}}$ . This follows from a result due to Unruh [Unr16] who showed that random oracles are collapsing. Collapsing hash functions are the quantum analogue of collision-resistant hash functions. Informally speaking, a hash function is collapsing if an adversary cannot distinguish a uniform superposition of inputs, say $\ket{\psi}$ , mapping to a random output $y$ versus a computational basis state obtained by measuring $\ket{\psi}$ in the computational basis. Zhandry [Zha21] showed that hash functions that are collision-resistant but not collapsing imply the existence of public-key quantum money. Thus our result rules out a class of constructions of quantum money from collapsing functions, improving our understanding of the relationship between them.

Acknowledgments.

We thank anonymous conference referees, Qipeng Liu, Yao Ching Hsieh, and Xingjian Li for their helpful comments. HY is supported by AFOSR award FA9550-21-1-0040 and NSF CAREER award CCF-2144219.

2 Our Techniques in a Nutshell

We present a high-level overview of the techniques involved in proving Theorem 1. But first, we will briefly discuss the correctness guarantee of oracle-aided public-key quantum money schemes.

Reusability.

In a quantum money scheme $(\mathsf{KeyGen},\mathsf{Mint},\mathsf{Ver})$ , we require that $\mathsf{Ver}$ accepts a state and a serial number produced by $\mathsf{Mint}$ with overwhelming probability. However, for all we know, $\mathsf{Ver}$ , during the verification process, might destroy the state. In general, a more useful correctness definition is reusability, which states that a money state can be repeatedly verified without losing its validity. In general, one can show that the gentle measurement lemma [Win99] does prove that correctness implies reusability. However, as observed in [AK22], this is not the case when $\mathsf{Ver}$ has classical access to an oracle. Specifically, $\mathsf{Ver}$ has classical access to ${\mathcal{R}}$ . Hence, we need to explicitly define reusability in this setting. Roughly speaking, we require the following: suppose we execute $\mathsf{Ver}$ on a money state $\rho^{(0)}$ produced using $\mathsf{Mint}$ and the verification algorithm accepts with probability $\delta$ . The residual state is (possibly) a different state $\rho^{(1)}$ which when executed upon by $\mathsf{Ver}$ is also accepted with probability close to $\delta$ . In fact, even if we run the verification process polynomially many times, the state obtained at the end of the process should still be accepted by $\mathsf{Ver}$ with probability close to $\delta$ .

2.1 Warmup: Insecurity when ${\mathcal{R}}$ is absent

Towards developing techniques to prove Theorem 1, let us first tackle a simpler statement. Suppose we have a secure public-key quantum money scheme $(\mathsf{KeyGen},\mathsf{Mint},\mathsf{Ver})$ . This means that any QPT adversary cannot break the security of this scheme. But what about oracle-aided adversaries? In more detail, we ask the following question: Does there exist a QPT algorithm, given quantum access to a ${\sf PSPACE}$ oracle, that violates the security of $(\mathsf{KeyGen},\mathsf{Mint},\mathsf{Ver})$ ? That is, given $(s,\rho_{s})$ , where $s$ is a serial number and $\rho_{s}$ is a valid banknote produced by $\mathsf{Mint}$ , it should be able to produce two states, with respect to the same serial number $s$ , that are both accepted by the verifier.

Even this seemingly simple question seems challenging! Let us understand why. Classical cryptographic primitives (even post-quantum secure ones) such as encryption schemes or digital signatures can be broken by efficient adversaries who have access to even ${\sf NP}$ oracles. This follows from the fact that we can efficiently reduce the problem of breaking the scheme to the problem of determining membership in a language. For instance, in order to succeed in breaking an encryption scheme, the adversary has to decide whether the instance $({\sf pk},{\sf ct},{\sf m})\in L$ , where ${\sf pk}$ is a public key, ${\sf ct}$ is a ciphertext, ${\sf m}$ is a message and $L$ consists of instances of the form $({\sf pk},{\sf ct},{\sf m})$ , where ${\sf ct}$ is an encryption of ${\sf m}$ with respect to the public key ${\sf pk}$ . Implicitly, we are using the fact that ${\sf pk},{\sf ct},{\sf m}$ are binary strings. Emulating a similar approach in the case of quantum money would result in quantum instances and it is not clear how to leverage ${\sf PSPACE}$ , or more generally a decider for any language, to complete the reduction.

Synthesizing Witness States.

Towards addressing the above question, we reduce the task of breaking the security of the quantum money scheme using ${\sf PSPACE}$ to the task of finding states accepted by the verifier in quantum polynomial space. This reduction is enabled by the following observation, due to Rosenthal and Yuen [RY21]: a set of pure states computable by a quantum polynomial space algorithm (which may in general include intermediate measurements) can be synthesized by a QPT algorithm with quantum access to a ${\sf PSPACE}$ oracle. Implicit in the result of [RY21] is the following important point: in order to synthesize the state using the ${\sf PSPACE}$ oracle, it is important that we know the entire description of the quantum polynomial space algorithm generating the pure states.

In more detail, we show the following statement: for every¹¹1Technically, we show a weaker statement which holds for an overwhelming fraction of $({\sf pk},s)$ . verification key ${\sf pk}$ , serial number $s$ , there exists a pure state²²2Technically, we require that the reduced density matrix of $\rho_{{\sf pk},s}$ is accepted by $\mathsf{Ver}$ . $\rho_{{\sf pk},s}$ that is accepted by $\mathsf{Ver}({\sf pk},s,\cdot)$ with non-negligible probability and moreover, can be generated by a quantum polynomial space algorithm.

The first attempt is to follow the classical brute-force search algorithm. Namely, we repeat the following for exponential times: guess a quantum state $\rho$ uniformly at random and if $\rho$ is accepted by $\mathsf{Ver}({\sf pk},s,\cdot)$ with non-negligible probability, output $\rho$ and terminate. (Output an arbitrary state if we run out of times.) However, there are two problems with this attempt. Firstly, in general, it’s not clear how to calculate the acceptance probability of $\mathsf{Ver}({\sf pk},s,\rho)$ in polynomial space ( $\rho$ needs exponential bits to represent). Secondly, $\rho$ might be destroyed when we calculate the acceptance probability.

To fix the first problem, we note that an estimation of the acceptance probability is already good enough and it can be done by using a method introduced by Marriott and Watrous [MW05] (called MW technique). The MW technique allows us to efficiently estimate the acceptance probability of a verification algorithm on a state with only one copy of that state. Furthermore, it does not disturb the state too much in the sense that the expected acceptance probability of the residual state does not decay too significantly, which fixes the second problem.

This brings us to our second attempt. We repeat the following process for exponentially many times: apply MW technique on a maximally mixed state and if the estimated acceptance probability happens to be non-negligible, output the residual state and terminate. (Output an arbitrary state if all the iterations fail.)

As the MW technique is efficient, this algorithm only uses polynomial space. Furthermore, intuitively we can get a state that is accepted by $\mathsf{Ver}$ with non-negligible acceptance probability given the fact that such a state exists. Because if such state exists, by a simple convexity argument, we can assume that without loss of generality that it’s pure. Maximally mixed state can be treated as a uniform mixture of a basis containing that pure state. Thus roughly speaking, we start from that pure state with inverse exponential probability, so we can find it in exponentially many iterations with overwhelming probability. This attempt almost succeeds except that it outputs a mixed state in general, but the known approach in [RY21] can only deal with pure states. There are two reasons for this. Firstly, we start with a maximally mixed state and secondly, MW technique involves intermediate measurements.

Our final attempt makes the following minor changes compared to the second attempt. To fix the first issue, it starts with a maximally entangled state (instead of maximally mixed state) and only operates on half of it. To fix the second issue, it runs the MW process coherently by deferring all the intermediate measurements. Then we will end up with a pure state whose reduced density matrix is the same as the output state of the second attempt.

2.2 Insecurity in the presence of ${\mathcal{R}}$

So far, we considered the task of violating the security of a quantum money scheme where the algorithms did not have access to any oracle. Let us go back to the oracle-aided quantum money schemes, where, all the algorithms (honest and adversarial) have access to ${\mathcal{R}}$ and $\ket{{\sf PSPACE}}$ . Our goal is to construct an adversary that violates the security of quantum money schemes. But didn’t we just solve this problem? Recall that when invoking [RY21], it was crucial that we knew the entire description of the polynomial space algorithm in order to synthesize the state. However, when we are considering oracle-aided verification algorithms, denoted by $\mathsf{Ver}^{{\mathcal{R}},\ket{\sf PSPACE}}$ , we don’t have the full description of³³3The fact that we don’t have the description of ${\mathcal{R}}$ is the problem here. $\mathsf{Ver}^{{\mathcal{R}},\ket{\sf PSPACE}}$ . Thus, we cannot carry out the synthesizing process.

A naive approach is to sample our own oracle ${\mathcal{R}}^{\prime}$ and synthesize the state with respect to $\mathsf{Ver}^{{\mathcal{R}}^{\prime},\ket{\sf PSPACE}}$ . However, this does not help. Firstly, there is no guarantee that $\mathsf{Ver}^{{\mathcal{R}}^{\prime},\ket{\sf PSPACE}}({\sf pk},s,\cdot)$ accepts any state with high enough probability. Without this guarantee, the synthesizing process does not work. For now, let us take for granted that there does exist some witness state $\sigma^{\prime}$ that is accepted by $\mathsf{Ver}^{{\mathcal{R}}^{\prime},\ket{\sf PSPACE}}({\sf pk},s,\cdot)$ with high enough probability. However, there is no guarantee that $\sigma^{\prime}$ is going to be accepted by $\mathsf{Ver}^{{\mathcal{R}},\ket{\sf PSPACE}}({\sf pk},s,\cdot)$ with better than negligible probability.

Towards addressing these hurdles, we first focus on a simple case when $\mathsf{KeyGen}$ and $\mathsf{Mint}$ make classical queries to ${\mathcal{R}}$ and we later, focus on the quantum queries case.

2.2.1 $\mathsf{KeyGen}$ and $\mathsf{Mint}$ : Classical Queries to ${\mathcal{R}}$

Compiling out ${\mathcal{R}}$ .

Suppose we can magically find a database $D$ , using only polynomially many queries to ${\mathcal{R}}$ , such that all the query-answer pairs made by $\mathsf{Ver}$ to ${\mathcal{R}}$ are contained in $D$ . In this case, there is a QPT adversary ${\mathcal{A}}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ that given $({\sf pk},s,\rho_{s})$ , can find two states $(s,\sigma^{\prime}_{s})$ and $(s,\sigma^{\prime\prime}_{s})$ such that $\mathsf{Ver}^{{\mathcal{R}},\ket{\sf PSPACE}}$ accepts both the states. ${\mathcal{A}}$ does the following: it first finds the database $D$ and constructs another circuit $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ such that $\mathsf{Ver}^{D,\ket{\sf PSPACE}}$ runs $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ and when $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ makes a query to ${\mathcal{R}}$ , the query is answered by $D$ . Then, ${\mathcal{A}}$ synthesizes two states $(s,\sigma^{\prime}_{s})$ and $(s,\sigma^{\prime\prime}_{s})$ , using ${\sf PSPACE}$ , such that both the states are accepted by $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ . By definition of the database $D$ , these two states are also accepted by $\mathsf{Ver}^{{\mathcal{R}},\ket{\sf PSPACE}}$ .

Of course, it is wishful for us to hope that we can find a database $D$ by making only polynomially many queries to ${\mathcal{R}}$ that is perfectly consistent with the queries made by $\mathsf{Ver}$ . Instead, we hope to recover a good enough database $D$ . In more detail, we aim to recover a database $D$ that captures all the relevant queries made by $\mathsf{KeyGen}$ and $\mathsf{Mint}$ .

Let $D_{\mathsf{KeyGen}}$ and $D_{\mathsf{Mint}}$ be the collection of query-answer pairs made by ${\mathsf{KeyGen}}$ and ${\mathsf{Mint}}$ respectively. A query made by $\mathsf{Ver}$ is called bad if this query is in $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}$ and moreover, this query was not recorded in $D$ . If $\mathsf{Ver}$ makes bad queries then the answers returned will likely be inconsistent with ${\mathcal{R}}$ and thus, there is no guarantee that $\mathsf{Ver}$ will work. Our hope is that the probability of $\mathsf{Ver}$ making bad queries is upper bounded by an inverse polynomial.

Once we have such a database $D$ , by a similar argument, we can conclude that the states synthesized using $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ are also accepted by $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ .

But how do we recover this database $D$ ? To see how, we will first focus on a simple case before dealing with the general case.

State-independent database simulation.

Note that the queries made by $\mathsf{Ver}$ could potentially depend on its input state. For now, we will assume that the distribution of queries made by $\mathsf{Ver}$ is independent of the input state. We will deal with the state-dependent query distributions later.

The first attempt to generate $D$ would be to rely upon techniques introduced by Canetti, Kalai and Paneth [CKP15] who, in a different context – that of proving impossibility of obfuscation in the random oracle model – showed how to generate a database that is sufficient to simulate the queries made by the evaluation algorithm. Suppose $(s,\rho_{s})$ is the state generated by $\mathsf{Mint}$ . Then, run $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}(pk,s,\rho_{s})$ a fixed polynomially many times, referred to as test executions, by querying ${\mathcal{R}}$ . In each execution of $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ , record all the queries made by $\mathsf{Ver}$ along with their answers. The union of queries made in all the executions of $\mathsf{Ver}$ will be assigned the database $D$ . In the context of obfuscation for classical circuits, [CKP15] argue that, except with inverse polynomial probability, the queries made by the evaluation algorithm can be successfully simulated by $D$ . This argument is shown by proving an upper bound on the probability that the evaluation algorithm makes bad queries.

A similar analysis can also be made in our context to argue that $D$ suffices for successful simulation. That is, we can argue that the state we obtain after all the executions of $\mathsf{Ver}$ (which could be very different from the state we started off with) can be successfully simulated using $D$ . However, it is crucial for our analysis to go through that $D_{\mathsf{Ver}}$ (the query-answer pairs made during $\mathsf{Ver}$ ) is independent of the state input to $\mathsf{Ver}$ .

State-dependent database simulation.

For all we know, $D_{\mathsf{Ver}}$ could indeed depend on the input state. In this case, we can no longer appeal to the argument of [CKP15]. At a high level, the reason is due to the fact that after each execution of $\mathsf{Ver}$ , the money state could potentially change and this would affect the distribution of $D_{\mathsf{Ver}}$ in the further executions of $\mathsf{Ver}$ in such a way that the execution of $\mathsf{Ver}$ on the final state (which could be different from the input state in the first execution of $\mathsf{Ver}$ ) cannot be simulated using the database $D$ .

Instead, we will rely upon a technique due to [AK22], who studied a similar problem in the context of copy-protection. They showed that by randomizing the number of executions, one can argue that the execution of $\mathsf{Ver}$ on the state obtained after all the test executions can be successfully simulated using $D$ , except with inverse polynomial probability. That is, suppose the initial state is $(s,\rho_{s}^{(0)})$ and after running $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ , $t$ number of times where $t\xleftarrow{\$}\{0,1,\cdots,T\}$ , let the resulting state be $(s,\rho_{s}^{(t)})$ . Let $D$ be as defined before. Then, we have the guarantee that $\mathsf{Ver}$ accepts $(s,\rho_{s}^{(t)})$ , except with inverse polynomial probability, even when ${\mathcal{R}}$ is simulated using $D$ . This is because the sum of the number of bad queries we encounter during $T+1$ verifications is bounded by $\lvert D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}\rvert$ . Then there are only at most $\epsilon^{-1}\lvert D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}\rvert$ points $t^{\prime}\in\{0,1,\cdots,T\}$ such that the probability of making a bad query during the $(t^{\prime}+1)^{th}$ verification is at least $\epsilon$ . So when $T$ is large enough, there is a good chance that we choose $t$ such that the probability of making a bad query during the next verification (i.e. the $(t+1)^{th}$ verification if you count from the beginning) is small, in which case $D$ can simulate $\mathcal{R}$ well.

This suggests the following attack on the quantum money scheme. On input a money state $(s,\rho_{s})$ , do the following:

•

Run $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ , $t$ times, also referred to as test executions. The number of times we need to run $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ , namely $t$ , is randomized as per [AK22]. Let $D$ be the set of query-answer pairs made by $\mathsf{Ver}$ to ${\mathcal{R}}$ during the test executions. Denote $\rho_{s}^{(t)}$ to be the state obtained after $t$ executions of $\mathsf{Ver}$ .
•

Let $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ be the verification circuit as defined earlier.
•

Using quantum access to ${\sf PSPACE}$ , synthesize two states $(s,\sigma^{\prime}_{s})$ and $(s,\sigma^{\prime\prime}_{s})$ , as per Section 2.1, such that both the states are accepted by $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ .
•

Output $(s,\sigma^{\prime}_{s})$ and $(s,\sigma^{\prime\prime}_{s})$ .

From the witness synthesis method, we have the guarantee that $(s,\sigma^{\prime}_{s})$ and $(s,\sigma^{\prime\prime}_{s})$ are both accepted by $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ . However, this is not sufficient to prove that the above attack works. Remember that the adversary is supposed to output two states that are both accepted by $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ . Unfortunately, there is no guarantee that $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ accepts these two states. Indeed, both $\sigma^{\prime}_{s}$ and $\sigma^{\prime\prime}_{s}$ could be quite different from $\rho_{s}^{(t)}$ . Hence, the above attack does not work.

Every mistake we make is progress.

Let us understand why the above attack does not work. Note that as long as $\mathsf{Ver}$ does not make any bad query (i.e., a query in $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}$ but not contained in $D$ ), it cannot distinguish whether its queries are being simulated by $D$ or ${\mathcal{R}}$ . However, when $\mathsf{Ver}$ is executed on $(s,\sigma^{\prime}_{s})$ or $(s,\sigma^{\prime\prime}_{s})$ , we can no longer upper bound the probability that $\mathsf{Ver}$ will not make any bad queries.

We modify the above approach as follows: whenever $\mathsf{Ver}$ makes bad queries, we can update the database $D$ to contain the bad queries along with the correct answers (i.e., answers generated using ${\mathcal{R}}$ ). Once $D$ is updated, we can synthesize two new states using $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ . We repeat this process until we have synthesized two states that are accepted by $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ .

Is there any guarantee that this process will stop? Our key insight is that whenever we make a mistake and synthesize states that are not accepted by $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ then we necessarily learn a new query in $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}$ that is not contained in $D$ . Thus, with each mistake, we make progress. Since there are only a polynomial number of queries in $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}$ , we will ultimately end up synthesizing two states that are accepted by $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ .

Our Attack.

With this modification, we have the following attack. On input a money state $(s,\rho_{s})$ , do the following:

•

Test phase: Run $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ , $t$ times, also referred to as test executions. The number of times we need to run $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ , namely $t$ , is randomized as per [AK22]. Let $D$ be the set of query-answer pairs made by $\mathsf{Ver}$ to ${\mathcal{R}}$ during the test executions. Denote $\rho_{s}^{(t)}$ to be the state obtained after $t$ executions of $\mathsf{Ver}$ .
•

Update phase: Repeat the following polynomially many times. Let $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ be the verification circuit as defined earlier. Using quantum access to ${\sf PSPACE}$ , synthesize a state $(s,\sigma_{s})$ as per Section 2.1, such that the state is accepted by $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ . Run $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}$ on this state and include any new queries made by $\mathsf{Ver}$ to ${\mathcal{R}}$ in $D$ .
•

Let $D_{1},\ldots,D_{{\rm poly}}$ be the databases obtained after every execution during the update phase.
•

Using quantum access to ${\sf PSPACE}$ , synthesize two states $(s,\sigma^{\prime}_{s})$ and $(s,\sigma^{\prime\prime}_{s})$ such that both the states are accepted by $\mathsf{Ver}^{D_{j},\ket{{\sf PSPACE}}}$ for some randomly chosen $j$ .
•

Output $(s,\sigma^{\prime}_{s})$ and $(s,\sigma^{\prime\prime}_{s})$ .

In the technical sections, we analyze the above attack and prove that it works.

2.2.2 $\mathsf{KeyGen}$ and $\mathsf{Mint}$ : Quantum Queries to ${\mathcal{R}}$

The important point to note here is the form of our aforementioned attacker. It only takes advantage of the fact that $\mathsf{Ver}$ makes classical queries to ${\mathcal{R}}$ . When $\mathsf{KeyGen}$ and $\mathsf{Mint}$ make quantum queries to ${\mathcal{R}}$ while $\mathsf{Ver}$ makes classical queries to ${\mathcal{R}}$ , we can still run the attacker. What is left is to show that the same attacker works even when $\mathsf{KeyGen}$ and $\mathsf{Mint}$ make quantum queries to ${\mathcal{R}}$ .

The main difficulty in carrying out the intuitions in Section 2.2.1 to the case where $\mathsf{KeyGen}$ and $\mathsf{Mint}$ make quantum queries to ${\mathcal{R}}$ is that it’s difficult to define analogue of $D_{\mathsf{KeyGen}}$ and $D_{\mathsf{Mint}}$ . To give a flavour of the difficulty, let’s first consider two naive attempts.

The first attempt is to define $D_{\mathsf{KeyGen}}$ and $D_{\mathsf{Mint}}$ to be those query-answer pairs asked (with non-zero amplitudes) during $\mathsf{KeyGen}$ and $\mathsf{Mint}$ . However, this attempt suffers from the problem that in this way, $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}$ can have exponential elements. So even if each time we can make progress in the sense that we recover some new elements in $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}$ , there is no guarantee that the update phase will terminate in polynomial time.

The second attempt is to only include queries that are asked “heavily” during $\mathsf{KeyGen}$ and $\mathsf{Mint}$ . To be more specific, let $D_{\mathsf{KeyGen}}$ and $D_{\mathsf{Mint}}$ be query-answer pairs asked with inverse polynomial squared amplitudes during $\mathsf{KeyGen}$ and $\mathsf{Mint}$ . However, with this plausible definition, the claim does not hold that whenever the acceptance probability of $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}$ is far from that of $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ , then we can recover a query in $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D$ , which is a crucial idea underlying our intuitions in Section 2.2.1. Let us understand why this claim is not true if we adopt this definition of $D_{\mathsf{KeyGen}}$ and $D_{\mathsf{Mint}}$ .

Consider the following contrived counterexample $(\mathsf{KeyGen}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Mint}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}})$ . Suppose there exists a quantum money scheme $(\mathsf{KeyGen}^{\prime\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Mint}^{\prime\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Ver}^{\prime{\mathcal{R}},\ket{\mathsf{PSPACE}}})$ . We modify this scheme into $(\mathsf{KeyGen}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Mint}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}})$ as follows:

•

$\mathsf{KeyGen}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}(1^{n})$ : outputs the secret key-public key pair of $\mathsf{KeyGen}^{\prime\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}$ .
•

$\mathsf{Mint}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}(sk)$ : takes as input $sk$ , makes quantum query to ${\mathcal{R}}$ on state $\frac{1}{\sqrt{2^{n}}}\sum_{s=0}^{2^{n}-1}\ket{s}\ket{0}$ to get a state $\frac{1}{\sqrt{2^{n}}}\sum_{s=0}^{2^{n}-1}\ket{s}\ket{{\mathcal{R}}(s)}$ , and then measures the first register to get a value $s$ . It also runs $\mathsf{Mint}^{\prime\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}(sk)$ to get a serial number $s^{\prime}$ along with a state $\rho_{s^{\prime}}$ . It outputs $(s,s^{\prime})$ as the serial number and $({\mathcal{R}}(s),\rho_{s^{\prime}})$ as the banknote.
•

$\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,((s,s^{\prime}),(h,\rho_{s^{\prime}})))$ : takes as input $pk$ and an alleged banknote $((s,s^{\prime}),(h,\rho_{s^{\prime}}))$ , makes classical query to ${\mathcal{R}}$ on the input $s$ to get $R(s)$ and checks if $h={\mathcal{R}}(s)$ . It also checks if $(s^{\prime},\rho_{s^{\prime}})$ is a valid money state with respect to $\mathsf{Ver}^{\prime{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ . Accepts if and only if both the checks pass.

In the above counterexample, it is possible that there is no query-answer pair that is asked with inverse polynomial squared amplitudes and thus $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}=\emptyset$ . At the beginning $D=\emptyset$ because we have not started to record query-answer pairs. In this case, the acceptance probability of $\mathsf{Ver}^{D,\ket{{\sf PSPACE}}}(pk,((s,s^{\prime}),({\mathcal{R}}(s),\rho_{s^{\prime}})))$ is smaller than or equal to $\frac{1}{2^{m}}$ where $m$ is the output length of ${\mathcal{R}}$ on input length $n$ while the acceptance probability of $\mathsf{Ver}^{{\mathcal{R}},\ket{{\sf PSPACE}}}(pk,((s,s^{\prime}),({\mathcal{R}}(s),\rho_{s^{\prime}})))$ is 1 if $(\mathsf{KeyGen}^{\prime\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Mint}^{\prime\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Ver}^{\prime{\mathcal{R}},\ket{\mathsf{PSPACE}}})$ is (perfectly) correct. However, it’s impossible to recover a new query in $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D$ because it’s empty.

Purified View.

Our insight is to consider an alternate world called the purified view. In this alternate world, we run everything coherently; in more detail, we consider a uniform superposition of ${\mathcal{R}}$ , run $\mathsf{Mint}$ , $\mathsf{KeyGen}$ and even the attacker coherently (i.e., no intermediate measurements). If the attacker is successful in this alternate world then he is also successful in the real world where ${\mathcal{R}}$ and the queries made by $\mathsf{Ver}$ to ${\mathcal{R}}$ are measured. We then employ the the compressed oracle technique by Zhandry [Zha18] to coherently recover the database of query-answer pairs recorded during $\mathsf{KeyGen},\mathsf{Mint}$ and relate this with the database recorded during $\mathsf{Ver}$ . Using an involved analysis, we then show many of the insights from the case when $\mathsf{KeyGen},\mathsf{Mint}$ make classical queries to ${\mathcal{R}}$ can be translated to the quantum query setting.

2.2.3 Challenges To Handling Quantum Verification Queries

It is natural to wonder whether we can similarly use the compressed oracle technique to handle quantum queries made by $\mathsf{Ver}$ . Unfortunately, there are inherent limitations. Recall that in our attack, the adversary records the verifier’s classical query-answer pairs in a database, uses this to produce a classical description of a verification circuit (that does not make any queries to the random oracle), and submits the circuit description to a $\mathsf{PSPACE}$ oracle in order to synthesize a money state. If the verifier instead makes quantum queries, then a natural idea is to use Zhandry’s compressed oracle technique to record the quantum queries. However, there are two conceptual challenges to implementing this idea.

First, in the compressed oracle technique, the queries are being recorded by the oracle itself in a “database register”, and not the adversary in the cryptosystem. In our setting, we are trying to construct an adversary to record the queries, but it does not have access to the oracle’s database register. In general, any attempts by the adversary to get some information about the query positions of $\mathsf{Ver}$ could potentially disturb the intermediate states of the $\mathsf{Ver}$ algorithm; it is then unclear how to use the original guarantees of $\mathsf{Ver}$ . Another way of saying this is that Zhandry’s compressed oracle technique is typically used in the security analysis to show limits on the adversary’s ability to break some cryptosystem. In our case, we want to use some kind of quantum recording technique in the adversary’s attack.

Secondly, the natural approach to using the $\mathsf{PSPACE}$ oracle is to leverage it to synthesize alleged banknotes. However, since the $\mathsf{PSPACE}$ oracle is a classical function (which may be accessed in superposition), it requires polynomial-length classical strings as input. In our approach, the adversary submits a classical description of a verification circuit with query/answer pairs hardcoded inside. On the other hand if $\mathsf{Ver}$ makes quantum queries, it may query exponentially many positions of the random oracle $\mathcal{R}$ in superposition, and it is unclear how to “squeeze” the relevant information about the queries into a polynomial-sized classical string that could be utilized by the $\mathsf{PSPACE}$ oracle.

This suggests that we may need a fundamentally new approach to recording quantum queries in order to handle the case when the verification algorithm makes quantum queries.

2.3 Related Work

Quantum Money.

The notion of quantum money was first conceived in the paper by Wiesner [Wie83]. In the same work, a construction of private-key quantum money was proposed. Wiesner’s construction has been well studied and its limitations [Lut10] and security guarantees [MVW12] have been well understood. Other constructions of private-key quantum money have also been studied. Ji, Liu and Song [JLS18] construct private-key quantum money from pseudorandom quantum states. Radian and Sattath [RS22] construct private-key quantum money with classical bank from quantum hardness of learning with errors.

With regards to public-key quantum money, Aaronson and Christiano [AC13] present a construction of public-key quantum money in the oracle model. Zhandry [Zha21] instantiated this oracle and showed how to construct public-key quantum money based on the existence of post-quantum indistinguishability obfuscation (iO) [BGI+01]. Recently, Shmueli [Shm22] showed how to achieve public-key quantum money with classical bank, assuming post-quantum iO and quantum hardness of learning with errors. Constructions [FGH+12, KSS21, KLS22] of public-key quantum money from newer assumptions have also been explored although they have been susceptible to quantum attacks [Rob21, BDG22].

Black-box Separations in Quantum Cryptography.

So far, most of the existing black-box separations in quantum cryptography have focused on extending black-box separations for classical cryptographic primitives to the quantum setting. Hosoyamada and Yamakawa [HY20] extend the black-box separation between collision-resistant hash functions and one-way functions [Sim98] to the quantum setting. Austrin, Chung, Chung, Fu, Lin and Mahmoody [ACC+22] showed a black-box separation between key agreement and one-way functions in the setting when the honest parties can perform quantum computation but only have access to classical communication. Cao and Xue [CX21] extended classical black-box separations between one-way permutations and one-way functions to the quantum setting.

3 Preliminaries

For a string $x$ , let ${\lvert{x}\rvert}$ denote its length. Let $[n]$ denote the set $\{0,1,\cdots,n-1\}$ for any positive integer $n$ . Define the symmetric difference of two sets $X$ and $Y$ to be the set of elements contained in exactly one of $X$ and $Y$ , i.e. $X\Delta Y=(X-Y)\cup(Y-X)$ .

3.1 Quantum States, Algorithms, and Oracles

A register $\mathsf{R}$ is a finite-dimensional complex Hilbert space. If $\mathsf{A},\mathsf{B},\mathsf{C}$ are registers, for example, then the concatenation $\mathsf{A}\mathsf{B}\mathsf{C}$ denotes the tensor product of the associated Hilbert spaces. For a linear transformation $L$ and register $\mathsf{R}$ , we sometimes write $L_{\mathsf{R}}$ to indicate that $L$ acts on $\mathsf{R}$ , and similarly we sometimes write $\rho_{\mathsf{R}}$ to indicate that a state $\rho$ is in the register $\mathsf{R}$ . We write $\mathrm{Tr}(\cdot)$ to denote trace, and $\mathrm{Tr}_{\mathsf{R}}(\cdot)$ to denote the partial trace over a register $\mathsf{R}$ .

For a pure state $\ket{\varphi}$ , we write $\varphi$ to denote the density matrix $\ket{\varphi}\!\bra{\varphi}$ . Let $I$ denote the identity matrix. Let $\operatorname{TD}(\rho,\sigma)$ denote the trace distance between two density matrices $\rho,\sigma$ .

For a pure state $\ket{\varphi}=\sum_{i}a_{i}\ket{i}$ written in computational basis, we write $\ket{\overline{\varphi}}=\sum_{i}\overline{a_{i}}\ket{i}$ to denote the conjugate of $\ket{\varphi}$ where $\overline{a_{i}}$ is the complex conjugate of the complex number $a_{i}$ . The following observation shows that what the maximally entangled state looks like in other basis.

Lemma 1.

For two registers $\mathsf{A}$ and $\mathsf{B}$ of the same dimension $N$ , let $\left(\ket{i}\right)_{i=1}^{N}$ be the computational basis and $\left(\ket{v_{i}}\right)_{i=1}^{N}$ be an arbitrary basis. Then $\frac{1}{\sqrt{N}}\sum_{i=1}^{N}\ket{i}_{\mathsf{A}}\ket{i}_{\mathsf{B}}=\frac{1}{\sqrt{N}}\sum_{i=1}^{N}\ket{v_{i}}_{\mathsf{A}}\ket{\overline{v_{i}}}_{\mathsf{B}}.$

Proof.

It’s easy to show that $\left(\ket{\overline{v_{i}}}\right)_{i=1}^{N}$ also forms a basis. Suppose $\ket{v_{j}}=\sum_{i=1}^{N}a_{j,i}\ket{i}$ . Then

	$\displaystyle\frac{1}{\sqrt{N}}\sum_{i=1}^{N}\ket{i}_{\mathsf{A}}\ket{i}_{\mathsf{B}}$	$\displaystyle=\sum_{j=1}^{N}\ket{v_{j}}\!\bra{v_{j}}_{\mathsf{A}}\sum_{j^{\prime}=1}^{N}\ket{\overline{v_{j^{\prime}}}}\!\bra{\overline{v_{j^{\prime}}}}_{\mathsf{B}}\frac{1}{\sqrt{N}}\sum_{i=1}^{N}\ket{i}_{\mathsf{A}}\ket{i}_{\mathsf{B}}$
		$\displaystyle=\frac{1}{\sqrt{N}}\sum_{j=1}^{N}\sum_{j^{\prime}=1}^{N}\sum_{i=1}^{N}\overline{a_{j,i}}a_{j^{\prime},i}\ket{v_{j}}_{\mathsf{A}}\ket{\overline{v_{j^{\prime}}}}_{\mathsf{B}}$
		$\displaystyle=\frac{1}{\sqrt{N}}\sum_{j=1}^{N}\sum_{j^{\prime}=1}^{N}\braket{v_{j}}{v_{j^{\prime}}}\ket{v_{j}}_{\mathsf{A}}\ket{\overline{v_{j^{\prime}}}}_{\mathsf{B}}$
		$\displaystyle=\frac{1}{\sqrt{N}}\sum_{j=1}^{N}\ket{v_{j}}_{\mathsf{A}}\ket{\overline{v_{j}}}_{\mathsf{B}}$

where we use the fact that $\sum_{j=1}^{N}\ket{v_{j}}\!\bra{v_{j}}_{\mathsf{A}}$ and $\sum_{j^{\prime}=1}^{N}\ket{\overline{v_{j^{\prime}}}}\!\bra{\overline{v_{j^{\prime}}}}_{\mathsf{B}}$ are identity. ∎

Quantum Circuits

We specify the model of quantum circuits that we work with in this paper. For convenience we fix the universal gate set $\{H,\mathit{CNOT},T\}$ [NC00, Chapter 4] (although our results hold for any universal gate set consisting of gates with algebraic entries). Quantum circuits can include unitary gates from the aforementioned universal gate set, as well as non-unitary gates that (a) introduce new qubits initialized in the zero state, (b) trace them out, or (c) measure them in the standard basis. We say that a circuit uses space $s$ if the total number of qubits involved at any time step of the computation is at most $s$ . The description of a circuit is a sequence of gates (unitary or non-unitary) along with a specification of which qubits they act on.

We call a sequence of quantum circuits $C=(C_{x})_{x\in\{0,1\}^{*}}$ a quantum algorithm. We say that $C$ is polynomial-time if there exists a polynomial $p$ such that $C_{x}$ has size at most $p(\lvert x\rvert)$ . We say that $C$ is polynomial-space if there exists a polynomial $p$ such that $C_{x}$ uses at most $p(|x|)$ space.

Let $C=(C_{x})_{x\in\{0,1\}^{*}}$ denote a quantum algorithm. Given a string $x\in\{0,1\}^{*}$ and a state $\rho$ whose number of qubits matches the input size of the circuit $C_{x}$ , we write $C(x,\rho)$ to denote the output of circuit $C_{x}$ on input $\rho$ . The output will in general be a mixed state as the circuit $C_{x}$ can perform measurements.

We say that a quantum algorithm $C=(C_{x})_{x\in\{0,1\}^{*}}$ is time-uniform (or simply uniform) if there exists a polynomial-time Turing machine that on input $x$ outputs the description of $C_{x}$ . Similarly we say that $C$ is space-uniform if there exists a polynomial-space Turing machine that on input $x$ outputs the description of $C_{x}$ .

Oracle Algorithms

Oracle algorithms are quantum algorithms whose circuits, in addition to having the gates as described above, have the ability to query (perhaps in superposition) a function $O$ (called an oracle) which may act on many qubits. This is essentially the same as the standard quantum query model [NC00, Chapter 6], except the circuits may perform non-unitary operations such as measurement, reset, and tracing out. Each oracle call is counted as a single gate towards the size complexity of a circuit. The notion of time- and space-uniformity for oracle algorithms is the same as with non-oracle algorithms: there is a polynomial-time/polynomial-space Turing machine – which does not have access to the oracle – that outputs the description of the circuits.

Given an oracle ${\mathcal{O}}=({\mathcal{O}}_{n})_{n\in\mathbb{N}}$ where each ${\mathcal{O}}_{n}:\{0,1\}^{n}\to\{0,1\}$ is an $n$ -bit boolean function, we write $C^{\mathcal{O}}=(C_{x}^{\mathcal{O}})_{x\in\{0,1\}^{*}}$ to denote an oracle algorithm where each circuit $C_{x}$ can query any of the functions $({\mathcal{O}}_{n})_{n\in\mathbb{N}}$ (provided that the oracle does not act on more than the number of qubits of $C_{x})$ .

In this paper we distinguish between classical and quantum queries. We say that an oracle algorithm $C^{\mathcal{O}}$ makes quantum queries if it can query ${\mathcal{O}}$ in superposition; this is akin to the standard query model. We say that $C^{\mathcal{O}}$ makes classical queries if, before every oracle call, the input qubits to the oracle are measured in the standard basis. In this case, the algorithm would be querying the oracle on a probabilistic mixture of inputs. For clarity, we write $C^{\ket{{\mathcal{O}}}}$ to denote $C$ making quantum queries, and $C^{\mathcal{O}}$ to denote $C$ making classical queries.

A specific oracle that we consider throughout is the $\mathsf{PSPACE}$ oracle. What we mean by this is a sequence of functions $(\mathsf{PSPACE}_{n})_{n\in\mathbb{N}}$ where for every $n$ , the function $\mathsf{PSPACE}_{n}$ decides $n$ -bit instances of a $\mathsf{PSPACE}$ complete language (such as Quantified Satisfiability [Pap94]).

We state the following observation.

Lemma 2.

Let $C^{\ket{\mathsf{PSPACE}}}=(C_{x}^{\ket{\mathsf{PSPACE}}})_{x\in\{0,1\}^{*}}$ denote a polynomial-time oracle algorithm (not necessarily uniform) that makes quantum queries to $\mathsf{PSPACE}$ and has one-bit classical output. Then there exists a polynomial-space algorithm $D=(D_{x})_{x\in\{0,1\}^{*}}$ such that for all $x\in\{0,1\}^{*}$ , $D_{x}$ is a unitary and the functionality of $C_{x}^{\ket{\mathsf{PSPACE}}}$ is exactly the same as introducing polynomial number of qubits initialized in the zero state, applying unitary $D_{x}$ and then measuring the first qubit in computational basis to get a classical output. Furthermore if $C$ is uniform, then $D$ is space-uniform.

Proof.

This follows because for a polynomial-time (oracle) algorithm, we can always introduce new qubits only at the beginning and defer measurements and tracing out to the end, and each oracle query in $C_{x}^{\ket{\mathsf{PSPACE}}}$ to the $\mathsf{PSPACE}$ oracle can be computed by first introducing several ancillas initialized in the zero state and then applying a unitary that implements the classical polynomial space algorithm for the PSPACE-complete language and uncomputes all the intermediate results. Furthermore, the description of the unitary can be generated by polynomial-space Turing machines. ∎

Finally, we will consider hybrid oracles ${\mathcal{O}}$ that are composed of two separate oracles ${\mathcal{R}}$ and the $\ket{\mathsf{PSPACE}}$ oracle. In this model, the oracle algorithm $C^{\mathcal{O}}$ makes classical queries to ${\mathcal{R}}$ , and quantum queries to $\mathsf{PSPACE}$ . We abuse the notation and refer to algorithms having access to hybrid oracles as oracle algorithms.

State Synthesis

We define the following “state complexity class”. Intuitively it captures the set of quantum states that can be synthesized by polynomial-space quantum algorithms.

Definition 1 ( ${\mathsf{statePSPACE}}$ ).

${\mathsf{statePSPACE}}$ is the class of all sequences $(\rho_{x})_{x\in S}$ for some set $S\subseteq\{0,1\}^{*}$ (called the promise) such that there is a polynomial $p$ where each $\rho_{x}$ is a density matrix on $p(|x|)$ qubits, and for every polynomial $q$ there exists a space-uniform polynomial-space quantum algorithm $C=(C_{x})_{x\in\{0,1\}^{*}}$ such that for all $x\in S$ , the circuit $C_{x}$ takes no inputs and outputs a density matrix $\sigma$ such that $\operatorname{TD}(\sigma,\rho_{x})\leq\exp(-q(\lvert x\rvert))$ .

We say that the state sequence $(\rho_{x})_{x\in S}$ is pure if each $\rho_{x}$ is a pure state $\ket{\psi_{x}}\!\bra{\psi_{x}}$ ; in that case we usually denote the sequence by $(\ket{\psi_{x}})_{x\in S}$ .

The following theorem says that, for ${\mathsf{statePSPACE}}$ sequences that are pure, there in fact is a polynomial-time oracle algorithm that makes quantum queries to a $\mathsf{PSPACE}$ oracle to synthesize the state sequence.

Theorem 2 (Section 5 of [RY21]).

Let $(\ket{\psi_{x}})_{x\in S}$ be a ${\mathsf{statePSPACE}}$ family of pure states. Then there exists a polynomial-time oracle algorithm $A^{\ket{\mathsf{PSPACE}}}$ such that on input $x\in S$ , the algorithm outputs a pure state that is $\exp(-\lvert x\rvert)$ -close in trace distance to $\ket{\psi_{x}}$ .

3.2 Public Key Quantum Money Schemes

Definition 2 (Oracle-aided Public Key Quantum Money Schemes).

A oracle-aided public key quantum money scheme $\mathcal{S}^{\mathcal{O}}$ consists of three uniform polynomial-time oracle algorithms $\left(\mathsf{KeyGen}^{{\mathcal{O}}},\mathsf{Mint}^{{\mathcal{O}}},\mathsf{Ver}^{{\mathcal{O}}}\right)$ :

•

$\mathsf{KeyGen}^{{\mathcal{O}}}(1^{n})$ : takes as input a security parameter $n$ in unary notation and generates secret key-public key pair $(sk,pk)$ .
•

$\mathsf{Mint}^{{\mathcal{O}}}(sk)$ : takes as input $sk$ and mints banknote $\rho_{s}$ associated with the serial number $s$ .
•

$\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}))$ : takes as inputs $pk$ and an alleged banknote $(s,\rho_{s})$ and outputs $\rho^{\prime}_{s}\otimes\ket{{\bf x}}\!\bra{{\bf x}}$ , where ${\bf x}\in\{{\sf Accept},{\sf Reject}\}$ .

For simplicity, when we don’t care about the output $\rho_{s}^{\prime}$ in $\mathsf{Ver}^{{\mathcal{O}}}$ , we sometimes denote the event that $\rho^{\prime}_{s}\otimes\ket{{\sf Accept}}\!\bra{{\sf Accept}}\leftarrow\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}))$ as $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}))$ accepts.

We require the above oracle-aided public key quantum money scheme to satisfy both correctness and security properties.

3.2.1 Correctness

We first consider the traditional definition of correctness considered by prior works. Roughly speaking, correctness states that the verification algorithm accepts the money state produced by the minting algorithm. Later, we consider a stronger notion called reusability which stipulates that the verification process on a valid money outputs another valid money state (not necessarily the same as before).

Definition 3 (Correctness).

An oracle-aided public key quantum money scheme $\left(\mathsf{KeyGen}^{{\mathcal{O}}},\mathsf{Mint}^{{\mathcal{O}}},\mathsf{Ver}^{{\mathcal{O}}}\right)$ is $\delta$ -correct if the following holds for every $n\in\mathbb{N}$ :

\mathsf{Pr}\left[\rho^{\prime}_{s}\otimes\ket{{\sf Accept}}\!\bra{{\sf Accept}}\leftarrow\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}))\ :\ \begin{subarray}{c}(sk,pk)\leftarrow\mathsf{KeyGen}^{{\mathcal{O}}}(1^{n})\\ (s,\rho_{s})\leftarrow\mathsf{Mint}^{{\mathcal{O}}}(sk)\end{subarray}\right]\geq\delta,

where the probability is also over the randomness of ${\mathcal{O}}$ .

We omit $\delta$ when $\delta\geq 1-\mathsf{negl}(n)$ .

Reusability.

In this work, we consider quantum money schemes satisfying the stronger notion of reusability.

Definition 4 (Reusability).

An oracle-aided public key quantum money scheme $\left(\mathsf{KeyGen}^{{\mathcal{O}}},\mathsf{Mint}^{{\mathcal{O}}},\mathsf{Ver}^{{\mathcal{O}}}\right)$ is $\delta$ -reusable if the following holds for every $n\in\mathbb{N}$ and for every polynomial $q(n)$ :

\mathsf{Pr}\left[\rho_{s}^{(q(n))}\otimes\ket{{\sf Accept}}\!\bra{{\sf Accept}}\leftarrow\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(q(n)-1)}))\ :\ \begin{subarray}{c}(sk,pk)\leftarrow\mathsf{KeyGen}^{{\mathcal{O}}}(1^{n})\\ \ \\ (s,\rho_{s}^{(0)})\leftarrow\mathsf{Mint}^{{\mathcal{O}}}(sk)\\ \ \\ \forall i\in[q(n)-1],\ \rho_{s}^{(i+1)}\otimes\ket{{\bf x}}\!\bra{{\bf x}}\leftarrow\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(i)}))\end{subarray}\right]\geq\delta,

where the probability is also over the randomness of ${\mathcal{O}}$ .

We omit $\delta$ when $\delta\geq 1-\mathsf{negl}(n)$ .

In general, gentle measurement lemma [Win99] can be invoked to prove that correctness generically implies reusability. However, this is not the case in our context. The reason being that the verification algorithm performs intermediate measurements whenever it makes classical queries to an oracle and these measurements cannot be deferred to the end.

3.2.2 Security

We consider the following security notion. Basically, it says that no efficient adversary can produce two alleged banknotes from one valid banknote with the same serial number.

Definition 5 (Security).

An oracle-aided public key quantum money scheme $\left(\mathsf{KeyGen}^{{\mathcal{O}}},\mathsf{Mint}^{{\mathcal{O}}},\mathsf{Ver}^{{\mathcal{O}}}\right)$ is $\delta$ -secure if the following holds for every $n\in\mathbb{N}$ and for every uniform polynomial-time oracle algorithm $\mathcal{A}^{{\mathcal{O}}}$ :

\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\phi_{1}))\text{ accepts and }\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\phi_{2}))\text{ accepts}\ :\ \begin{subarray}{c}(sk,pk)\leftarrow\mathsf{KeyGen}^{{\mathcal{O}}}(1^{n})\\ (s,\rho_{s})\leftarrow\mathsf{Mint}^{{\mathcal{O}}}(sk)\\ \phi\leftarrow\mathcal{A}^{{\mathcal{O}}}(pk,(s,\rho_{s}))\end{subarray}\right]\leq\delta,

where the probability is also over the randomness of ${\mathcal{O}}$ . By $\phi_{i}$ , we mean the reduced density matrix of $\phi$ on the $i^{th}$ register.

We omit $\delta$ when $\delta\leq\mathsf{negl}(n)$ .

3.3 Jordan’s Lemma and Alternating Projections

In this section, we analyze alternating projection algorithm, a tool for estimating the acceptance of the verification algorithm on a state with only one copy of that state, which was introduced by Marriott and Watrous [MW05] for witness-preserving error reduction. This section follows section 4.1 in [CMSZ22] mostly.

For two binary-outcome projective measurements $M_{1}=\{\Pi_{1},I-\Pi_{1}\},M_{2}=\{\Pi_{2},I-\Pi_{2}\}$ , the alternating projection algorithm applies measurements $M_{1}$ and $M_{2}$ alternatively ( $\Pi_{1},\Pi_{2}$ corresponds to outcome $1$ ) until a stopping condition is met. The following lemma can help us analyze the distribution of the outcomes by decomposing it into several small subspaces.

Lemma 3 (Jordan’s Lemma).

For any two projectors $\Pi_{1}$ , $\Pi_{2}$ , there exists an orthogonal decomposition of the Hilbert space into one-dimensional and two-dimensional subspaces $S_{i}$ that are invariant under both $\Pi_{1}$ and $\Pi_{2}$ . Moreover, if $S_{i}$ is a one-dimensional subspace, then $\Pi_{1}$ and $\Pi_{2}$ act as identity or rank-zero projectors inside $S_{i}$ . If $S_{i}$ is a two-dimensional subspace, then $\Pi_{1}$ and $\Pi_{2}$ are rank-one projectors inside $S_{i}$ . To be more specific, there are two unit vectors $\ket{v_{i}}$ and $\ket{w_{i}}$ such that inside $S_{i}$ , $\Pi_{1}$ projects on $\ket{v_{i}}$ and $\Pi_{2}$ projects on $\ket{w_{i}}$ .

Let measurement $M_{\mathsf{Jor}}=\{P_{i}\}_{i}$ where $P_{i}$ is the projector onto the subspace $S_{i}$ defined above. Then both $M_{1}$ and $M_{2}$ commute with $M_{\mathsf{Jor}}$ . Therefore the distribution of outcomes of each $M_{1}$ and $M_{2}$ will not change if we insert $M_{\mathsf{Jor}}$ at any point of the alternating projections. We can analyze the distribution of outcome sequence by first applying $M_{\mathsf{Jor}}$ and then applying $M_{1}$ , $M_{2}$ alternatively. For each two-dimensional subspace $S_{i}$ , denote $p_{i}:=\lvert\braket{v_{i}}{w_{i}}\rvert^{2}$ . (This can be seen as a quantity that measures the angle between $\Pi_{1}$ and $\Pi_{2}$ inside $S_{i}$ .)

For now, let’s assume that there are only two-dimensional subspaces in the decomposition. The general case where there exist one-dimensional subspaces is essentially the same and can be handled similarly. Then, $\Pi_{1}=\sum_{i}\ket{v_{i}}\!\bra{v_{i}},\Pi_{2}=\sum_{i}\ket{w_{i}}\!\bra{w_{i}}$ .⁴⁴4Generally, for each one-dimensional subspace $S_{i}$ on which $\Pi_{1}$ acts as identity, we can set $\ket{v_{i}}$ to be the vector that spaces $S_{i}$ . Let $A$ be the set of index $i$ such that $\Pi_{1}$ is not a rank-zero projector inside $S_{i}$ . Then $\Pi_{1}=\sum_{i\in A}\ket{v_{i}}\!\bra{v_{i}}$ . Similarly $\Pi_{2}=\sum_{i\in B}\ket{w_{i}}\!\bra{w_{i}}$ where $B$ and $\ket{w_{i}}$ are defined in a similar way.

Now let’s state a result first proven in [MW05] and restated in many later works (e.g., [CMSZ22]).

Proposition 1.

If initially the state is $\ket{v_{i}}$ ⁵⁵5The same holds for each $\ket{v_{i}}(i\in A)$ generally where we define $p_{i}=1$ if $\Pi_{1}$ and $\Pi_{2}$ act both as identity in subspace $S_{i}$ and we define $p_{i}=0$ if $\Pi_{1}$ acts as identity while $\Pi_{2}$ acts as zero-projector in subspace $S_{i}$ . and we apply $M_{2}$ , $M_{1}$ alternatively for $N$ times, then the outcome sequence $b_{1},b_{2},b_{3},\cdots,b_{2N}$ will follow the distribution below

1.

Set $b_{0}=1$ (because applying $M_{1}$ to $\ket{v_{i}}$ will give outcome 1).
2.

For each $j$ , we set $b_{j}$ to be $b_{j-1}$ with probability $p_{i}$ , and $1-b_{j-1}$ otherwise.

Moreover, whenever we measure $M_{1}$ and get outcome 1, we will go back to state $\ket{v_{i}}$ .

Then the fraction of bit-flips in the outcome sequence will be a good estimation of $1-p_{i}$ if we start from $\ket{v_{i}}$ .

3.4 Compressed Oracle Techniques

In this section, we present some basics of compressed oracle techniques introduced by Zhandry [Zha18].

For a quantum query algorithm $A$ interacting with a random oracle, let’s assume that $A$ only queries the random oracle with $n$ -bit input and gets $1$ -bit output for simplicity. By the deferred measurement principle, without loss of generality we can write $A$ in the form of a sequence of unitaries $U_{0},U_{f},U_{1},U_{f},\cdots,U_{k-1},U_{f},U_{k}$ where $U_{i}$ is the unitary that prepares the ${(i+1)^{th}}$ query of $A$ to $R$ and $U_{f}$ maps $\ket{x}\ket{y}$ to $\ket{x}\ket{y\oplus f(x)}$ where $f$ is the chosen random function from all the functions with $n$ -bit input and $1$ -bit output.

Then the behavior of $A$ when it is interacting with a random oracle can be analyzed in the following purified view:

•

Initialize register $\mathsf{A}$ to be the input for $A$ (along with enough ancillas $\ket{0}$ ) and initialize register $\mathsf{F}$ to be a uniform superposition of the truth tables of all functions from $[2^{n}]$ to $\{0,1\}$ (to be more specific, $\mathsf{F}$ is initialized to $\frac{1}{\sqrt{2^{2^{n}}}}\sum_{f\text{ is a $2^{n}$-bit string}}\ket{f}$ where $\ket{f}=\ket{f(0)}\ket{f(1)}\cdots\ket{f(2^{n}-1)}$ and $\ket{f(i)}$ consists of one qubit).
•

Apply $U_{0},U_{F},U_{1},U_{F},\cdots,U_{k-1},U_{F},U_{k}$ where $U_{i}$ is acting on $\mathsf{A}$ and $U_{F}$ maps $\ket{x}\ket{y}\ket{f}_{\mathsf{F}}$ to $\ket{x}\ket{y\oplus f(x)}\ket{f}_{\mathsf{F}}$ .

In fact, the output (mixed) state of $A$ (we also take the randomness of $f$ into account) equals to the reduced density matrix on the output register of the state we obtain from the above procedure as $U_{i},U_{F}$ commutes with computational basis measurement on $\mathsf{F}$ . More generally, the output (mixed) state of a sequence of algorithms with access to random oracle can also be analyzed in the same way.

Definition 6 (Fourier basis).

$\ket{\hat{0}}:=\ket{+}=\frac{1}{\sqrt{2}}\left(\ket{0}+\ket{1}\right)$ . $\ket{\hat{1}}:=\ket{-}=\frac{1}{\sqrt{2}}\left(\ket{0}-\ket{1}\right)$ .

One can easily check that $\{\ket{\hat{0}},\ket{\hat{1}}\}$ is a basis because it’s just the result of applying hermitian matrix $H$ to $\ket{0},\ket{1}$ . We call this basis as Fourier basis.

The following fact is simple and easy to check, but crucial in compressed oracle techniques. Roughly speaking, it says that if we see $\mathit{CNOT}$ in Fourier basis, its control bit and target bit swaps.

Fact 1.

The operator defined by $\ket{y}\ket{y^{\prime}}\rightarrow\ket{y\oplus y^{\prime}}\ket{y^{\prime}}$ for all $y,y^{\prime}\in\{0,1\}$ is the same as the operator defined by $\ket{\widehat{y}}\ket{\widehat{y^{\prime}}}\rightarrow\ket{\hat{y}}\ket{\widehat{y^{\prime}\oplus y}}$ for all $y,y^{\prime}\in\{0,1\}$ .

By 1, when we look at the last two registers in Fourier basis, $U_{F}$ becomes

\ket{x}\ket{\widehat{y}}\ket{\widehat{y_{0}}}\ket{\widehat{y_{1}}}\cdots\ket{\widehat{y_{2^{n}-1}}}\rightarrow\ket{x}\ket{\widehat{y}}\ket{\widehat{y_{0}}}\ket{\widehat{y_{1}}}\cdots\ket{\widehat{y_{x-1}}}\ket{\widehat{y_{x}\oplus y}}\ket{\widehat{y_{x+1}}}\cdots\ket{\widehat{y_{2^{n}-1}}}.

Initially, $\mathsf{F}$ is $\ket{\hat{0}}\ket{\hat{0}}\cdots\ket{\hat{0}}$ and each call of $U_{F}$ only changes one position if we look at the last two registers in Fourier basis. So after $k$ calls of $U_{F}$ , the state can be written as

\sum_{\begin{subarray}{c}a,y_{0},y_{1},\cdots,y_{2^{n}-1}\\ \text{such that there are at most $k$ non-zero}\\ \text{in $y_{0},y_{1},\cdots,y_{2^{n}-1}$}\end{subarray}}\alpha_{a,y_{0},y_{1},\cdots,y_{2^{n}-1}}\ket{a}_{\mathsf{A}}\ket{\widehat{y_{0}}}\ket{\widehat{y_{1}}}\cdots\ket{\widehat{y_{2^{n}-1}}}.

We can record those non- $\hat{0}$ into a database. To be more specific, there exists a unitary that maps those $\ket{\widehat{y_{0}}}\ket{\widehat{y_{1}}}\cdots\ket{\widehat{y_{2^{n}-1}}}$ (perhaps along with some ancillas) to a database $\ket{x_{1}}\ket{\widehat{y_{x_{1}}}}\cdots\ket{x_{l}}\ket{\widehat{y_{x_{l}}}}$ (perhaps along with some unused space) where $x_{1}<x_{2}<\cdots<x_{l},\widehat{y_{x_{i}}}\neq\hat{0}$ and $l\leq k$ . That is, there exists a unitary that can compress the oracle. Furthermore, the inverse of the unitary can decompress the database back to the oracle.

Chernoff bound

Finally, we state here a variant of the Chernoff bound that we will use.

Theorem 3 (Chernoff Bound).

Suppose $X_{1},X_{2},\cdots,X_{n}$ are independent random variables taking values from $\{0,1\}$ such that each $X_{i}=1$ with probability $p$ . Let $\mu=pn$ . Then for any $\delta>0$ ,

\mathsf{Pr}\left[\sum_{i=1}^{n}X_{i}\geq(1+\delta)\mu\right]\leq e^{-\delta^{2}\mu/(2+\delta)},

\mathsf{Pr}\left[\sum_{i=1}^{n}X_{i}\leq(1-\delta)\mu\right]\leq e^{-\delta^{2}\mu/2}.

4 Synthesizing Witness States In Quantum Polynomial Space

In the classical setting it is easy to see that given a (classical) verifier circuit $V$ (which may make oracle queries to $\mathsf{PSPACE}$ ), one can find in polynomial space a witness string $y$ that is accepted by $V$ : one can simply perform brute-force search over all strings and check whether $V^{\mathsf{PSPACE}}$ accepts $x$ .

In the section, we prove the quantum counterpart, where now the verifier circuit is quantum and can make quantum queries to the $\mathsf{PSPACE}$ oracle. We show that given the description of such a verifier circuit, with the help of the quantum $\ket{\mathsf{PSPACE}}$ oracle, we can efficiently synthesize a witness state $\rho$ that is accepted by $V$ with probability greater than the desired guarantee (provided that there exists a witness state with acceptance probability greater than the threshold). Formally:

Theorem 4.

Let $a$ (called the guarantee), $b$ (called the threshold) be functions such that $b(n)-a(n)\geq\frac{1}{p(n)}$ for every $n$ where $p$ is a polynomial. Let $\mathsf{V}^{\ket{\mathsf{PSPACE}}}$ denote a uniform oracle algorithm. Then there exists a uniform oracle algorithm $\mathsf{Syn}$ (called the synthesizer) such that for every $x\in S$ ,

\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\mathsf{Syn}^{\ket{\mathsf{PSPACE}}}(x))\text{ accepts}\right]\geq a({\lvert{x}\rvert})

where $S:=\left\{x:\max_{\rho}\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\rho)\text{ accepts}\right]\geq b({\lvert{x}\rvert})\right\}$ .

This theorem follows directly from Theorem 2 and the following lemma.

Lemma 4.

Let $a,b$ be functions such that $b(n)-a(n)\geq\frac{1}{p(n)}$ for every $n$ where $p$ is a polynomial. Let $\mathsf{V}^{\ket{\mathsf{PSPACE}}}$ denote a uniform oracle algorithm, and let $S$ be the corresponding set as in Theorem 4. Then there exists a ${\mathsf{statePSPACE}}$ family of pure states $(\ket{\psi_{x}})_{x\in S}$ where each state $\ket{\psi_{x}}$ is bipartite on two registers (labeled $\mathsf{M}$ and $\mathsf{E}$ ) such that for every $x\in S$ ,

\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\rho_{\mathsf{M}})\text{ accepts}\right]\geq a({\lvert{x}\rvert})

where $\rho_{\mathsf{M}}$ is the reduced density matrix of $\ket{\psi_{x}}$ on register $\mathsf{M}$ , i.e. $\rho_{\mathsf{M}}=\mathrm{Tr}_{\mathsf{E}}(\psi_{x})$ .

Proof of Theorem 4.

Let $a^{\prime}(n)=a(n)+\exp(-n)$ and $b^{\prime}(n)=b(n)$ , where $a(n),b(n)$ are as given by the conditions in Theorem 4. Applying Lemma 4 with functions $a^{\prime}(n),b^{\prime}(n)$ , we obtain a ${\mathsf{statePSPACE}}$ state sequence $(\ket{\psi_{x}})_{x\in S}$ such that for every $x\in S$ ,

\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\rho_{\mathsf{M}})\text{ accepts}\right]\geq a({\lvert{x}\rvert})+\exp(-{\lvert{x}\rvert})

where $S:=\left\{x:\max_{\rho}\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\rho)\text{ accepts}\right]\geq b({\lvert{x}\rvert})\right\}$ .

Theorem 2 implies that there exists a polynomial-time oracle algorithm $A^{\ket{\mathsf{PSPACE}}}$ that on input $x\in S$ , outputs a pure state $\ket{\varphi_{x}}$ that is $\exp(-{\lvert{x}\rvert})$ -close to $\ket{\psi_{x}}$ . This implies that the reduced density matrix of $A^{\ket{\mathsf{PSPACE}}}(x)$ on register $\mathsf{M}$ , which we denote by $\sigma_{\mathsf{M}}$ , is also $\exp(-{\lvert{x}\rvert})$ -close to $\rho_{\mathsf{M}}=\mathrm{Tr}_{\mathsf{E}}(\psi_{x})$ (this follows from the fact that trace distance is non-increasing when you discard subsystems). Thus for every $x\in S$ , we have

\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\sigma_{\mathsf{M}})\text{ accepts}\right]\geq a({\lvert{x}\rvert})

because otherwise $\mathsf{V}^{\ket{\mathsf{PSPACE}}}$ would be able to distinguish between $\rho_{\mathsf{M}}$ and $\sigma_{\mathsf{M}}$ with more than $\exp(-{\lvert{x}\rvert})$ bias.

The synthesizer $\mathsf{Syn}$ works as follows: on input $x\in S$ it runs the oracle algorithm $A^{\ket{\mathsf{PSPACE}}}(x)$ to obtain a pure state $\ket{\varphi_{x}}$ , and then traces out the $\mathsf{E}$ register and returns the remaining state on the $\mathsf{M}$ register as output. ∎

The remainder of Section 4 will be devoted to the proof of Lemma 4. We will use the techniques and results from [MW05] (also presented in Section 3.3 for completeness). In Section 4.1 we present the description of the state family along with the description of a circuit family that generates (an approximation of) the state family. In Section 4.2 we prove that the state family satisfies the requirements.

4.1 Description of the State Family and Circuit Family

In this section, we implement our ideas from Section 2.1 in a formal way. Recall that our algorithm in Section 2.1 repeatedly does the following (which we will call a trial): start from a maximally entangled state, estimate the acceptance probability coherently using MW technique and if the estimated acceptance probability high, then output the remaining state. Roughly speaking, the target state we aim to generate will be the remaining state after a successful trial (a trial is successful if the estimated acceptance probability is high). Looking ahead, in order to prove Lemma 4, we only need to show two things. Firstly, our algorithm actually outputs a good approximation of the target state, so our target state forms a ${\mathsf{statePSPACE}}$ family; Secondly, our target state will indeed be accepted with high probability.

Now let’s start by giving a formal description of the state family.

The state family

Let $\mathsf{V}^{\ket{\mathsf{PSPACE}}}$ be the uniform oracle algorithm given in the condition of Lemma 4. From Lemma 2, there exists a space-uniform polynomial-space algorithm $\widehat{\mathsf{V}}=(\widehat{\mathsf{V}}_{x})_{x\in\{0,1\}^{*}}$ such that $\widehat{\mathsf{V}}_{x}$ is unitary and the functionality of $\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}}$ is exactly the same as introducing $k({\lvert{x}\rvert})$ new ancilla qubits in $\ket{0}$ , applying unitary $\widehat{\mathsf{V}}_{x}$ and then measuring the first qubit in computational basis where $k$ is a polynomial. Let $m({\lvert{x}\rvert})$ be the number of qubits that $\mathsf{V}_{x}$ takes as input, which is also a polynomial.

Fix $x\in S,n={\lvert{x}\rvert}$ . We sometimes omit subscript $x$ when it is clear from the context. For convenience, we write $m(n),k(n)$ as $m,k$ respectively from now on.

Let ${\mathsf{M}}$ denote the register containing the $m$ input qubits. Let ${\mathsf{K}}$ denote the register containing the $k$ ancilla qubits. Let ${\mathsf{Ans}}$ denote the first qubit (i.e. the one that will be measured in computational basis to decide whether $\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}}$ accepts or rejects, and outcome $1$ means accept while outcome $0$ means reject). Let ${\mathsf{Aux}}$ denote a register containing another $m$ fresh qubits.

Here we define two binary-outcome projective measurements on $\mathsf{MK}$ . Define $P^{1}:=\ket{0^{k}}\!\bra{0^{k}}_{{\mathsf{K}}}$ , $P^{0}:=I_{\mathsf{MK}}-P^{1}$ and $P:=\{P^{0},P^{1}\}$ . Intuitively, $P^{1}$ corresponds to “valid input subspace” (i.e., the ancilla qubits are initialized properly). Define $Q^{1}:=\widehat{\mathsf{V}}_{x}^{\dagger}\ket{1}\!\bra{1}_{{\mathsf{Ans}}}\widehat{\mathsf{V}}_{x},Q^{0}:=\widehat{\mathsf{V}}_{x}^{\dagger}\ket{0}\!\bra{0}_{{\mathsf{Ans}}}\widehat{\mathsf{V}}_{x}$ and $Q:=\{Q^{0},Q^{1}\}$ . Intuitively, $Q^{1}$ corresponds to the state that will be accepted if we apply $\widehat{\mathsf{V}}_{x}$ to it and then measure $\mathsf{Ans}$ in computational basis. So $Q$ checks whether $\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}}$ will accept as long as register ${\mathsf{K}}$ is initialized properly. The following simple observation is implicitly shown in [MW05].

Observation 1.

The maximum acceptance probability of $\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\cdot)$ is exactly the largest eigenvalue of $P^{1}Q^{1}P^{1}$ .

Proof.

First, we show that the maximum eigenvalue of $P^{1}Q^{1}P^{1}$ is upper bounded by the maximum acceptance probability of $\mathsf{V}^{\ket{\sf PSPACE}}(x,\cdot)$ .

For any pure state $\ket{\phi}$ on register $\mathsf{MK}$ , let $\rho_{\mathsf{M}}=\frac{1}{\|P^{1}\ket{\phi}\|^{2}}\mathrm{Tr}_{\mathsf{K}}(P^{1}\ket{\phi}\!\bra{\phi}P^{1})$ . Then

	$\displaystyle\bra{\phi}P^{1}Q^{1}P^{1}\ket{\phi}=$	$\displaystyle\mathrm{Tr}(Q^{1}P^{1}\ket{\phi}\!\bra{\phi}P^{1})=\\|P^{1}\ket{\phi}\\|^{2}\mathrm{Tr}(Q^{1}\frac{1}{\\|P^{1}\ket{\phi}\\|^{2}}P^{1}\ket{\phi}\!\bra{\phi}P^{1})$
	$\displaystyle=$	$\displaystyle\\|P^{1}\ket{\phi}\\|^{2}\mathrm{Tr}(Q^{1}(\rho_{\mathsf{M}}\otimes\ket{0^{k}}\!\bra{0^{k}}_{\mathsf{K}}))$
	$\displaystyle=$	$\displaystyle\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\rho_{\mathsf{M}})\text{ accepts}\right]$
	$\displaystyle\leq$	$\displaystyle\max_{\rho}\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\rho)\text{ accepts}\right]$

Second, we show that the maximum eigenvalue of $P^{1}Q^{1}P^{1}$ is lower bounded by the maximum acceptance probability of $\mathsf{V}^{\ket{\sf PSPACE}}(x,\cdot)$ . By a simple convexity argument, we can assume without loss of generality, the acceptance probability of $\mathsf{V}^{\ket{\sf PSPACE}}(x,\cdot)$ achieves its maximum on pure state $\ket{\phi_{0}}$ . Let $\ket{\phi}=\ket{\phi_{0}}\ket{0^{k}}$ . Then

\bra{\phi}P^{1}Q^{1}P^{1}\ket{\phi}=\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\phi_{0})\text{ accepts}\right]=\max_{\rho}\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\rho)\text{ accepts}\right]

Therefore, this observation holds true.

∎

We first define a subroutine $\mathsf{Trial}$ where $N:=\max\left(\frac{3a+b}{(b-a)^{2}}\left(m+2-\log(b-a)\right),\frac{16b}{(b-a)^{2}}\right)$ is polynomial in $n$ (recall that $b(n)-a(n)\geq\frac{1}{p(n)}$ where $p$ is a polynomial).

1:Initialize register

\mathsf{MAux}

to be

\frac{1}{\sqrt{2^{m}}}\sum_{i\in\{0,1\}^{m}}\ket{i}_{{\mathsf{M}}}\ket{i}_{{\mathsf{Aux}}}

2:Initialize register

\mathsf{K}

to be

\ket{0^{k}}_{{\mathsf{K}}}

3:Introduce a new

2N+1

qubit register

{\mathsf{Y}}:=\mathsf{{Y}_{0}\cdots{Y}_{2N}}

initialized to be

\ket{1}\ket{0^{2N}}

4:Introduce a new register

{\mathsf{Cnt}}

initialized in

\ket{0}

5:for

i=1,2,\cdots,N

6: Measure

\mathsf{MK}

with

Q

coherently, store the outcome in

{\mathsf{Y}}_{2i-1}

7: Measure

\mathsf{MK}

with

P

coherently, store the outcome in

{\mathsf{Y}}_{2i}

8:end for

9:Compute the number of times that

y_{j}=y_{j-1}

in superposition and store the result in

{\mathsf{Cnt}}

10:Do the projective measurement

\mathsf{Test}:=\{\mathsf{Yes}:=\sum_{j\geq N(a+b)}\ket{j}\!\bra{j}_{{\mathsf{Cnt}}}\otimes\ket{1}\!\bra{1}_{{\mathsf{Y}}_{2N}},\mathsf{No}:=I-\mathsf{Yes}\}

Define $\mathsf{E}:={\mathsf{K}}\otimes{\mathsf{Aux}}\otimes{\mathsf{Y}}\otimes{\mathsf{Cnt}}$ (i.e., all registers except $\mathsf{M}$ ).

Definition 7 (State family $(\ket{\psi_{x}})_{x\in S}$ ).

Let $S$ be the set defined in Lemma 4. When $x\in S$ , let $\ket{\psi_{x}}$ denote the state in register ${\mathsf{M}}\otimes{\mathsf{E}}$ after a successful implementation of $\mathsf{Trial}$ (i.e., the outcome of $\mathsf{Test}$ is $\mathsf{Yes}$ ). When $x$ are clear from the context, we also write it as $\ket{\psi}$ .

Observe that in $\mathsf{Trial}$ , we initialize a pure state in register ${\mathsf{M}}\otimes{\mathsf{E}}$ (line 1 - line 4), then apply a unitary on it (line 5- line 9) as all measurements are conducted coherently, and finally do a projective measurement (line 10). So the definition above indeed gives us a family of states $(\ket{\psi_{x}})_{x\in S}$ such that each $\ket{\psi_{x}}$ is a pure state on $l(n)$ qubits where $l$ is a polynomial.

The circuit family

Now let’s construct a circuit family (or algorithm) that can generate efficiently an approximation of the state family $(\ket{\psi_{x}})_{x\in S}$ . For any polynomial $q$ and approximation factor $\exp(-q(n))$ , the circuit $C_{x}$ operates as follows where $T:=2^{m+2}q(n)$ is exponential in $n$ .

1:for

t=1,\cdots,T

2: Run

\mathsf{Trial}

3: if it is successful then

4: return the state in the register

{\mathsf{M}}{\mathsf{E}}

5: end if

6:end for

7:return an arbitrary state with

l(n)

qubits

4.2 Proof of Lemma 4

In the section, we prove that the pure state family $(\ket{\psi_{x}})_{x\in S}$ satisfies the requirements in Lemma 4 by applying known result in Section 3.3.

Fix $x\in S$ . We associate $\Pi_{1}$ with $P^{1}$ , $\Pi_{2}$ with $Q^{1}$ , $M_{1}$ with $P$ and $M_{2}$ with $Q$ , and adopt the notations in Section 3.3. Then $P^{1}Q^{1}P^{1}=\sum_{i}\ket{v_{i}}\!\bra{v_{i}}\sum_{i}\ket{w_{i}}\!\bra{w_{i}}\sum_{i}\ket{v_{i}}\!\bra{v_{i}}=\sum_{i}p_{i}\ket{v_{i}}\!\bra{v_{i}}$ . From $x\in S$ and 1, we can assume $p_{1}=\max_{i}p_{i}\geq b$ . ⁶⁶6Generally $P^{1}Q^{1}P^{1}=\sum_{i\in A\cap B}p_{i}\ket{v_{i}}\!\bra{v_{i}}$ . We can assume $p_{1}=\max_{i\in A\cap B}p_{i}\geq b$ .

To begin with, let’s prove that the state family $(\ket{\psi_{x}})_{x\in S}$ satisfies the first requirement in Lemma 4. That is, it is a ${\mathsf{statePSPACE}}$ family, which can be approximately generated by the circuit family. Notice that $C_{x}$ outputs $\ket{\psi_{x}}$ whenever one of the exponential $\mathsf{Trial}$ s succeeds. So we first analyze the success probability of one $\mathsf{Trial}$ .

Lemma 5.

$\mathsf{Pr}\left[\mathsf{Trial}\text{ succeeds}\right]\geq\frac{1}{2^{m+2}}.$

Proof.

The success probability of $\mathsf{Trial}$ doesn’t change if we measure each qubit of ${\mathsf{Y}}$ once the outcome is stored in it because computational basis measurements on $\mathsf{Y}$ commutes with the operations in line 9 and 10 of $\mathsf{Trial}$ . Thus we can think of it as measure $\mathsf{MK}$ directly with $P$ and $Q$ alternatively, get a classical outcome sequence $y:=y_{1}y_{2}\cdots y_{2N}$ and return $\mathsf{Yes}$ if $y_{2N}=1$ and the number of times that $y_{j}=y_{j-1}(1\leq j\leq 2N)$ is at least $N(a+b)$ (where $y_{0}=1$ ), which is an alternating projection algorithm. For simplicity, we will denote by ${\sf Good}$ the set of $y$ that corresponds to outcome $\mathsf{Yes}$ . Now let’s analyze the probability of $y\in{\sf Good}$ .

An important observation is that the initial state can also be written in forms of $\ket{v_{i}}$ . Because $P^{1}=\sum_{i}\ket{v_{i}}\!\bra{v_{i}}$ , $\ket{v_{i}}$ forms a basis for the Hilbert space $\mathcal{H}_{\mathsf{M}}\otimes\ket{0^{k}}\!\bra{0^{k}}_{\mathsf{K}}$ . Let $\ket{u_{i}}$ be a truncation on $\mathsf{M}$ of $\ket{v_{i}}$ , i.e. $\ket{v_{i}}_{\mathsf{MK}}=\ket{u_{i}}_{\mathsf{M}}\ket{0^{k}}_{\mathsf{K}}$ . Then $\ket{u_{i}}$ forms a basis for $\mathcal{H}_{\mathsf{M}}$ . Thus by Lemma 1, the state

\frac{1}{\sqrt{2^{m}}}\sum_{i=0}^{2^{m}-1}\ket{i}_{{\mathsf{M}}}\ket{i}_{{\mathsf{Aux}}}=\frac{1}{\sqrt{2^{m}}}\sum_{i}\ket{u_{i}}_{{\mathsf{M}}}\ket{\overline{u_{i}}}_{{\mathsf{Aux}}}

Consequently, $\frac{1}{\sqrt{2^{m}}}\sum_{i=0}^{2^{m}-1}\ket{i}_{{\mathsf{M}}}\ket{0^{k}}_{\mathsf{K}}\ket{i}_{{\mathsf{Aux}}}=\frac{1}{\sqrt{2^{m}}}\sum_{i}\ket{v_{i}}_{{\mathsf{MK}}}\ket{\overline{u_{i}}}_{{\mathsf{Aux}}}.$ ⁷⁷7In the general case, the summation is over $i\in A$ . That is, $\frac{1}{\sqrt{2^{m}}}\sum_{i=0}^{2^{m}-1}\ket{i}_{{\mathsf{M}}}\ket{0^{k}}_{\mathsf{K}}\ket{i}_{{\mathsf{Aux}}}=\frac{1}{\sqrt{2^{m}}}\sum_{i\in A}\ket{v_{i}}_{{\mathsf{MK}}}\ket{\overline{u_{i}}}_{{\mathsf{Aux}}}.$ Thus for each $i\in A$ , we will be in subspace $S_{i}$ with probability $\frac{1}{2^{m}}$ if we apply $M_{\mathsf{Jor}}$ .

Notice that we can apply $M_{\mathsf{Jor}}$ on register $\mathsf{MK}$ before the alternating projections without changing the distribution of $y$ . Applying $M_{\mathsf{Jor}}$ to the above state, the post-measurement state will be $\ket{v_{i}}_{\mathsf{MK}}\ket{\overline{u_{i}}}_{\mathsf{Aux}}$ with probability $\frac{1}{2^{m}}$ . And by Proposition 1, when we start from $\ket{v_{i}}_{\mathsf{MK}}\ket{\overline{u_{i}}}_{\mathsf{Aux}}$ , $y_{j}=y_{j-1}$ with probability $p_{i}$ for each $j$ independently.

In particular, we will start from $\ket{v_{1}}_{\mathsf{MK}}\ket{\overline{u_{1}}}_{\mathsf{Aux}}$ with probability $\frac{1}{2^{m}}$ . And when we start from $\ket{v_{1}}_{\mathsf{MK}}\ket{\overline{u_{1}}}_{\mathsf{Aux}}$ , $y_{j}=y_{j-1}$ with probability $p_{1}$ for each $j$ independently. This can be seen as performing $2N$ independent coin flips with bias $p_{1}\geq b$ . And $y\in{\sf Good}$ if the number of heads (denote as $cnt$ ) is an even greater than or equal to $N(a+b)$ .

By Chernoff bound,

\mathsf{Pr}\left[cnt<(a+b)N\right]\leq\exp(-Np_{1}(1-\frac{a+b}{2p_{1}})^{2})\leq\exp(-N\frac{(b-a)^{2}}{4b})\leq\frac{1}{4}

	$\displaystyle\mathsf{Pr}\left[cnt\text{ is an odd}\right]=$	$\displaystyle\sum_{j=0}^{N-1}\binom{2N}{2j+1}p_{1}^{2j+1}(1-p_{1})^{2N-2j-1}$
	$\displaystyle=$	$\displaystyle\frac{1}{2}((p_{1}+1-p_{1})^{2N}-(p_{1}-(1-p_{1}))^{2N})$
	$\displaystyle\leq$	$\displaystyle\frac{1}{2}$

Thus by union bound, when the post-measurement state after $M_{\mathsf{Jor}}$ is $\ket{v_{1}}_{\mathsf{MK}}\ket{\overline{u_{1}}}_{\mathsf{Aux}}$ , $y\in{\sf Good}$ with probability at least $\frac{1}{4}$ .

So $\mathsf{Pr}\left[\mathsf{Trial}\text{ succeeds}\right]=\mathsf{Pr}\left[y\in{\sf Good}\right]\geq\frac{1}{2^{m}}\frac{1}{4}=\frac{1}{2^{m+2}}.$

∎

Claim 1.

$(\ket{\psi_{x}})_{x\in S}$ is a ${\mathsf{statePSPACE}}\left[S\right]$ family.

Proof.

We only need to show that our construction $C_{x}$ satisfies the requirements in Definition 1.

From the construction, $C_{x}$ can be generated by polynomial space Turing machine on input $x$ and $C_{x}$ uses at most polynomial space at any time. Thus $C=(C_{x})_{x\in\{0,1\}^{*}}$ is a space-uniform polynomial-space quantum algorithm. It is obvious from the construction that $C_{x}$ takes no inputs. The only remaining thing is to prove $C_{x}$ outputs a good approximation of $\ket{\psi_{x}}$ when $x\in S$ .

Fix $x\in S$ . Whenever there is a successful implementation of $\mathsf{Trial}$ , $C_{x}$ will output $\ket{\psi_{x}}$ . Moreover, by Lemma 5, recall that $T=2^{m+2}q(n)$ ,

\mathsf{Pr}\left[\text{$T$ independent repetitions of $\mathsf{Trial}$ all fail}\right]=(1-\mathsf{Pr}\left[\mathsf{Trial}\text{ succeeds}\right])^{T}\leq(1-\frac{1}{2^{m+2}})^{T}\leq e^{-q(n)}

That is, except with probability $e^{-q(n)}$ , $C_{x}$ outputs $\ket{\psi_{x}}$ .

As a result, the state outputted by $C_{x}$ is $e^{-q(n)}$ -close to $\ket{\psi_{x}}$ in trace distance. ∎

The second requirement in Lemma 4 that $(\ket{\psi_{x}})_{x\in S}$ needs to satisfy is that the reduced density matrix of $\ket{\psi_{x}}$ will be accepted by $\mathsf{V}^{\ket{\mathsf{PSPACE}}}(x,\cdot)$ with high probability. This is intuitively correct because the real acceptance probability should not be too far from the estimated acceptance probability. Now let’s prove it formally.

Claim 2.

For every $x\in S$ , $\mathsf{Pr}\left[\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}}(\rho_{\mathsf{M}})\text{ accepts}\right]\geq a$ where $\rho_{\mathsf{M}}$ is the reduced density matrix of $\psi_{x}$ on register $\mathsf{M}$ .

Proof.

Fix $x\in S$ . We will omit subscripts when it is clear from the context.

Similar with what we did in Lemma 5, this probability doesn’t change if in the generation of $\psi_{x}$ (i.e. $\mathsf{Trial}$ ), we measure $\mathsf{Y}$ directly instead (as we only care about the part in $\mathsf{M}$ ). Let $\psi^{\prime}_{x}$ be the state we obtain from a successful implementation of $\mathsf{Trial}$ if we measure directly instead. Then the reduced density matrices of $\psi_{x}$ and $\psi^{\prime}_{x}$ are the same on register $\mathsf{M}$ .

Notice that $\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}}(\rho_{\mathsf{M}})$ is just applying $\widehat{\mathsf{V}}_{x}$ to $\rho_{\mathsf{M}}\otimes\ket{0^{k}}\!\bra{0^{k}}_{\mathsf{K}}$ and then measuring the first qubit in computational basis, or equivalently, it is just measuring $\rho_{\mathsf{M}}\otimes\ket{0^{k}}\!\bra{0^{k}}_{\mathsf{K}}$ with $Q$ . By the definition, $\psi^{\prime}_{x}$ is $\ket{0^{k}}$ on register $\mathsf{K}$ (because the outcome $y_{2N}$ should be 1). So the reduced density matrix of $\psi^{\prime}_{x}$ on register $\mathsf{MK}$ is exactly $\rho_{\mathsf{M}}\otimes\ket{0^{k}}\!\bra{0^{k}}_{\mathsf{K}}$ .

Consider the following alternating projection algorithm:

We start from $\frac{1}{\sqrt{2^{m}}}\sum_{i\in\{0,1\}^{m}}\ket{i}_{{\mathsf{M}}}\ket{0^{k}}_{{\mathsf{K}}}\ket{i}_{{\mathsf{Aux}}}$ , apply $Q,P$ to the state alternatively for $N$ times to obtain a classical outcome sequence $y:=y_{1}y_{2}\cdots y_{2N}$ and if $y$ meets the requirement (to be more accurate, $y\in{\sf Good}$ where ${\sf Good}$ is defined in Lemma 5), we will additionally apply $Q$ to get an outcome $z$ and accept if $z=1$ .

In the above algorithm, if $y\in{\sf Good}$ , the (mixed) state remaining is exactly $\psi_{x}^{\prime}$ , whose reduced density matrix on $\mathsf{MK}$ is $\rho_{\mathsf{M}}\otimes\ket{0^{k}}\!\bra{0^{k}}_{\mathsf{K}}$ . Recall that $\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}}(\rho_{\mathsf{M}})$ is just measuring $\rho_{\mathsf{M}}\otimes\ket{0^{k}}\!\bra{0^{k}}_{\mathsf{K}}$ with $Q$ . Therefore,

\mathsf{Pr}\left[\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}}(\rho_{\mathsf{M}})\text{ accepts}\right]=\mathsf{Pr}\left[z=1\ |\ y\in{\sf Good}\right]

From Section 3.3, $\mathsf{Pr}\left[z=1\ |\ y\in{\sf Good}\right]$ will not change if we insert $M_{\mathsf{Jor}}$ in front of the alternating projections. So we can calculate it by projecting the initial state $\frac{1}{\sqrt{2^{m}}}\sum_{i=0}^{2^{m}-1}\ket{i}_{{\mathsf{M}}}\ket{0^{k}}_{\mathsf{K}}\ket{i}_{{\mathsf{Aux}}}$ to one of the subspaces $S_{i}$ , getting the post-measurement state $\ket{v_{i}}_{\mathsf{MK}}\ket{\overline{u_{i}}}_{\mathsf{Aux}}$ and then sampling $y$ and $z$ as if we start from this state (here we also use the fact that $\frac{1}{\sqrt{2^{m}}}\sum_{i=0}^{2^{m}-1}\ket{i}_{{\mathsf{M}}}\ket{0^{k}}_{\mathsf{K}}\ket{i}_{{\mathsf{Aux}}}$ can be written in the form $\frac{1}{\sqrt{2^{m}}}\sum_{i}\ket{v_{i}}_{{\mathsf{MK}}}\ket{\overline{u_{i}}}_{{\mathsf{Aux}}}$ ). Denote $E_{i}$ be the event that we get the post-measurement state $\ket{v_{i}}_{\mathsf{MK}}\ket{\overline{u_{i}}}_{\mathsf{Aux}}$ . Then $\mathsf{Pr}\left[E_{i}\right]=\frac{1}{2^{m}}$ ⁸⁸8Generally, $\mathsf{Pr}\left[E_{i}\right]=\frac{1}{2^{m}}$ for each $i\in A$ . And thus all the summations below will be only over $i\in A$ . . Therefore,

	$\displaystyle\mathsf{Pr}\left[z=1\ \|\ y\in{\sf Good}\right]=$	$\displaystyle\frac{\mathsf{Pr}\left[z=1\wedge y\in{\sf Good}\right]}{\mathsf{Pr}\left[y\in{\sf Good}\right]}$
	$\displaystyle=$	$\displaystyle\frac{\sum_{i}\mathsf{Pr}\left[E_{i}\right]\mathsf{Pr}\left[y\in{\sf Good}\ \|\ E_{i}\right]\mathsf{Pr}\left[z=1\ \|\ E_{i}\wedge y\in{\sf Good}\right]}{\sum_{i}\mathsf{Pr}\left[E_{i}\right]\mathsf{Pr}\left[y\in{\sf Good}\ \|\ E_{i}\right]}$
	$\displaystyle=$	$\displaystyle\frac{\sum_{i}p_{i}\mathsf{Pr}\left[y\in{\sf Good}\ \|\ E_{i}\right]}{\sum_{i}\mathsf{Pr}\left[y\in{\sf Good}\ \|\ E_{i}\right]}$

Same as Lemma 5, when we start from $\ket{v_{i}}_{\mathsf{MK}}\ket{\overline{u_{i}}}_{\mathsf{Aux}}$ , the probability of $y\in{\sf Good}$ is the same as the probability that during $2N$ independent coin flips with bias $p_{i}$ , the number of heads (denote as $cnt$ ) is an even greater than or equal to $N(a+b)$ .

So if $p_{i}<a$ , by Chernoff bound,

\mathsf{Pr}\left[y\in{\sf Good}\ |\ E_{i}\right]\leq\mathsf{Pr}\left[cnt\geq N(a+b)\right]\leq\exp(-2Np_{i}(\frac{a+b}{2p_{i}}-1)^{2}/(1+\frac{a+b}{2p_{i}}))\leq\exp(-N\frac{(b-a)^{2}}{3a+b})

From Lemma 5, $\mathsf{Pr}\left[y\in{\sf Good}\ |\ E_{1}\right]\geq\frac{1}{4}$ . As a result,

\displaystyle\sum_{p_{i}\geq a}(p_{i}-a)\mathsf{Pr}\left[y\in{\sf Good}\ |\ E_{i}\right]-\sum_{p_{i}<a}(a-p_{i})\mathsf{Pr}\left[y\in{\sf Good}\ |\ E_{i}\right]\geq(b-a)\frac{1}{4}-2^{m}a\exp(-N\frac{(b-a)^{2}}{3a+b})>0

where we use the fact that there are only $2^{m}$ $\ket{v_{i}}$ s because $P^{1}$ has rank $2^{m}$ .⁹⁹9For the general case, we only sum over $i\in A$ and $|A|$ equals to the rank of $P^{1}$ , which is $2^{m}$ .

The above inequality can be rearranged into $\sum_{i}p_{i}\mathsf{Pr}\left[y\in{\sf Good}\ |\ E_{i}\right]>a\sum_{i}\mathsf{Pr}\left[y\in{\sf Good}\ |\ E_{i}\right].$

Therefore, $\mathsf{Pr}\left[\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}}(\rho_{\mathsf{M}})\text{ accepts}\right]\geq a$ , which ends the proof of this claim. ∎

Lemma 4 follows directly from the above two claims.

5 Insecurity of Oracle-Aided Public-Key Quantum Money

In this section, we will use the synthesizer from Section 4 as a building block to attack the oracle-aided public key quantum money scheme where ${\mathcal{O}}$ is a hybrid oracle composed of random oracle ${\mathcal{R}}$ and $\ket{\mathsf{PSPACE}}$ . Formally:

Theorem 5.

Reusable and secure oracle-aided public key quantum money scheme $(\mathsf{KeyGen}^{{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\allowbreak\mathsf{Mint}^{{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Ver}^{{{\mathcal{R}}},\ket{\mathsf{PSPACE}}})$ does not exist where ${\mathcal{R}}$ is a random oracle.

Informally speaking, our synthesizer in Theorem 4 works for uniform oracle algorithm $\mathsf{V}^{\ket{\mathsf{PSPACE}}}$ . However, in the oracle-aided public key quantum money scheme we aim to attack, the verification algorithm has access to random oracle ${\mathcal{R}}$ in addition to $\ket{\mathsf{PSPACE}}$ . Inspired by [CKP15, AK22], we try to remove ${\mathcal{R}}$ and simulate it with a good database. Based on the ideas in Section 2.2, we give the following attacker.

Let ${\mathcal{O}}$ be the hybrid oracle composed of random oracle ${\mathcal{R}}$ and $\ket{\mathsf{PSPACE}}$ . For a $\delta_{r}$ -reusable $\delta_{s}$ -secure oracle-aided quantum money scheme $\left(\mathsf{KeyGen}^{{\mathcal{O}}},\mathsf{Mint}^{{\mathcal{O}}},\mathsf{Ver}^{{\mathcal{O}}}\right)$ where $\delta_{r}=0.99,\delta_{s}=\mathsf{negl}(n)$ , denote $l(n)$ to be the number of queries to ${\mathcal{R}}$ made by one execution of $\mathsf{KeyGen}^{{\mathcal{O}}}$ and one execution of $\mathsf{Mint}^{{\mathcal{O}}}$ . By efficiency of $\mathsf{Ver}^{{\mathcal{O}}}$ , there exists a uniform oracle algorithm $\mathsf{V}^{\ket{\mathsf{PSPACE}}}=(\mathsf{V}_{x}^{\ket{\mathsf{PSPACE}}})_{x\in\{0,1\}^{*}}$ such that running $\mathsf{V}_{(pk,D,s)}^{\ket{\mathsf{PSPACE}}}(\rho)$ is the same as running $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho))$ where ${\mathcal{R}}$ is simulated with database $D$ .

Let $\epsilon=0.01$ , $b=1-\sqrt{1-\delta_{r}+\epsilon}$ , $a=0.99b$ . By Theorem 4, there exists a polynomial-time uniform oracle algorithm $\mathsf{Syn}^{\ket{\mathsf{PSPACE}}}$ which can generate an “almost optimal” witness state of $\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,D,s)}$ with guarantee $a$ and threshold $b$ . Now let’s construct the adversary $\mathcal{A}^{{\mathcal{O}}}$ .

Adversary $\mathcal{A}^{{\mathcal{O}}}$ .

It takes as input a valid banknote $(s,\rho_{s})$ and public key $pk$ , and behaves as follows.

1.
Let $t\xleftarrow{\$}\{0,\ldots,\lceil\frac{l}{\epsilon}\rceil-1\}$ . Let $D=\emptyset$ , $\rho_{s}^{(0)}=\rho_{s}$ . Run the following $t$ times. In $i^{th}$ iteration,
1. (a)
  
  $\rho_{s}^{(i)}\otimes\ket{{\bf x}}\!\bra{{\bf x}}\leftarrow\mathsf{Ver}^{{\mathcal{O}}}(pk,s,\rho_{s}^{(i-1)})$ .
2. (b)
  
  Add query-answer pairs to ${\mathcal{R}}$ in item (a) into $D$ .
2.

Denote $D_{0}=D$ .
3.
For $k=0,1,\cdots,N(n)-1$ where $N(n)=\frac{100l(n)}{\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}}$ is polynomial in $n$ ,
1. (a)
  
  $\sigma_{D_{k}}\leftarrow\mathsf{Syn}^{\ket{\mathsf{PSPACE}}}(pk,D_{k},s)$ .
2. (b)
  
  Run $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))$ .
3. (c)
  
  Let $D_{k+1}$ consist of all the query-answer pairs to ${\mathcal{R}}$ in item (b) and the pairs in $D_{k}$ .
4.

$j\xleftarrow{\$}\{0,1,\ldots,N(n)-1\}$ .
5.

Output $\phi=\phi_{1}\otimes\phi_{2}$ where $\phi_{i}\leftarrow\mathsf{Syn}^{\ket{\mathsf{PSPACE}}}(pk,D_{j},s)$ $(i=1,2)$ .

Analysis of $\mathcal{A}^{{\mathcal{O}}}$

Now let’s prove that $\mathcal{A}^{{\mathcal{O}}}$ outputs what we want. We will use the notations defined in the construction of $\mathcal{A}^{{\mathcal{O}}}$ .

Theorem 6.

Given input $(pk,(s,\rho_{s}))$ generated by $\mathsf{KeyGen}^{{\mathcal{O}}}$ and $\mathsf{Mint}^{{\mathcal{O}}}$ , $\mathcal{A}^{{\mathcal{O}}}$ outputs two alleged banknotes associated with the serial number $s$ that will be accepted with high probability. Formally:

\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\phi_{1}))\text{ accepts and }\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\phi_{2}))\text{ accepts}\right]\geq 1.8\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}-1,

where the probability is over the randomness of ${\mathcal{R}}$ , the randomness of the generation of the input for $\mathcal{A}^{{\mathcal{O}}}$ (that is, the randomness of $\mathsf{KeyGen}^{{\mathcal{O}}}$ and $\mathsf{Mint}^{{\mathcal{O}}}$ ) and the randomness of our adversary $\mathcal{A}^{{\mathcal{O}}}$ .

Proof of Theorem 6.

The proof will be divided into two parts. Informally speaking, in the first part, we will show that for every $k$ , $\sigma_{D_{k}}$ works well on the simulation, i.e. $\mathsf{V}_{(pk,D_{k},s)}^{\mathsf{PSPACE}}(\sigma_{D_{k}})$ accepts with high probability; In the second part, we will show that for every $k$ , if $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\cdot))$ behaves far from $\mathsf{V}_{(pk,D_{k},s)}^{\mathsf{PSPACE}}$ on input $\sigma_{D_{k}}$ , then we make progress. Then we will combine the results to prove Theorem 6.

The first part

The synthesizer $\mathsf{Syn}$ in Theorem 4 works well provided that good witness state for $\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}$ exists. Our candidate for the good witness state is $\rho_{s}^{(t)}$ as it is accepted by $\mathsf{Ver}^{{\mathcal{O}}}$ with high probability by the definition of reusability. We begin by arguing that with high probability, our databases contain necessary information for running verification on $\rho_{s}^{(t)}$ and thus $\mathsf{Ver}$ can not distinguish whether it is interacting with random oracle ${\mathcal{R}}$ or the simulated one. Formally:

Claim 3.

Let $D_{\mathsf{KeyGen}},D_{\mathsf{Mint}}$ be the query-answer pairs made during the generation of the input $pk$ and $(s,\rho_{s})$ (that is, the execution of $\mathsf{KeyGen}^{{\mathcal{O}}}$ and $\mathsf{Mint}^{{\mathcal{O}}}$ ). Then

\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))\text{ queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D$}\right]\leq\epsilon,

where the probability is over the randomness of ${\mathcal{R}}$ , the randomness of the generation of the input for $\mathcal{A}^{{\mathcal{O}}}$ and the randomness of our adversary $\mathcal{A}^{{\mathcal{O}}}$ .

Proof.

We only care about $l(n)$ query positions (those inside $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}$ ) and we repeatedly sample $t\xleftarrow{\$}\{0,\ldots,\lceil\frac{l}{\epsilon}\rceil-1\}$ times. Thus intuitively $D$ should reveal all the positions we care about. Formally,

		$\displaystyle\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))\text{ queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D$}\right]$
	$\displaystyle\leq$	$\displaystyle\sum_{q\in D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}}\mathsf{Pr}\left[t=\min_{j}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(j)}))\text{ queries $q$}\right]\right]$
	$\displaystyle\leq$	$\displaystyle\ l\cdot\frac{1}{\lceil\frac{l}{\epsilon}\rceil}$
	$\displaystyle\leq$	$\displaystyle\epsilon$

where the probabilities are only over the randomness of our adversary $\mathcal{A}^{{\mathcal{O}}}$ and we use the fact that $t$ is picked uniformly random from $\{0,1,\ldots,\lceil\frac{l}{\epsilon}\rceil-1\}$ , so it matches $\min_{j}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(j)}))\text{ queries $q$}\right]$ (which may follow some distribution, but is independent of $t$ anyway) with probability less or equal $\frac{1}{\lceil\frac{l}{\epsilon}\rceil}$ .

After taking the randomness of ${\mathcal{R}}$ and the randomness of the generation of the input for $\mathcal{A}^{{\mathcal{O}}}$ into account, we can get the claim.

∎

The random oracle ${\mathcal{R}}$ can be implemented by on-the-fly simulation. Thus $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))$ can be implemented by simulating ${\mathcal{R}}$ with database $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}\cup D$ . If $\mathsf{Ver}$ doesn’t make queries in $(D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}\cup D)\Delta D=D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D$ , then it can not distinguish whether ${\mathcal{R}}$ is simulated with $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}\cup D$ or $D$ . That is, $D$ is a good database to simulate the verification process on input $\rho_{s}^{(t)}$ if $\mathsf{Ver}$ doesn’t make queries inside $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D$ . Thus the acceptance probability of $\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,D,s)}(\rho_{s}^{(t)})$ should be close to that of $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))$ , which is high by the definition of reusability. On average, the performance of the simulation on input $\rho_{s}^{(t)}$ can only increase if we include more queries into the database. Thus for every $k$ , $\rho_{s}^{(t)}$ should be a good witness state for $\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,D_{k},s)}$ . The intuition above is captured by the following claim.

Claim 4.

We use the same definition of $D_{\mathsf{KeyGen}}$ and $D_{\mathsf{Mint}}$ as in 3. $\forall k\in\left[N(n)\right],$

\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\rho_{s}^{(t)})\text{ accepts}\right]\geq\delta_{r}-\epsilon

Proof.

This claim follows from Definition 4 and 3. The following probabilities are over the same randomness as the probability in the above claim.

		$\displaystyle\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]$
	$\displaystyle=$	$\displaystyle\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts and queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
		$\displaystyle+\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts and never queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
	$\displaystyle\leq$	$\displaystyle\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))\text{ queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D$}\right]$
		$\displaystyle+\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,D_{k},s)}(\rho_{s}^{(t)})\text{ accepts and never queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
	$\displaystyle\leq$	$\displaystyle\epsilon+\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,D_{k},s)}(\rho_{s}^{(t)})\text{ accepts}\right]$

where we use the fact that $D\subseteq D_{k}$ and the fact that we can use on-the-fly simulation to implement ${\mathcal{R}}$ . As a result, $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))$ can also be seen as simulating ${\mathcal{R}}$ with $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}\cup D_{k}$ , which is different from $D_{k}$ only on $(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}\cup D_{k})\Delta D_{k}=D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ . Thus $\mathsf{Ver}$ can not distinguish whether ${\mathcal{R}}$ is simulated with $D_{k}$ or $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}\cup D_{k}$ if it never queries in $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ . The above inequality can be rearranged as

\mathsf{Pr}\left[\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,D_{k},s)}(\rho_{s}^{(t)})\text{ accepts}\right]\geq\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]-\epsilon\geq\delta_{r}-\epsilon.

∎

Intuitively, from 4, for a large fraction of $\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}$ , good witness state exists. Therefore, our synthesizer can find an “almost optimal” one. Formally:

Claim 5.

For every $k\in[N(n)],$

\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts}\right]\geq 0.99\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}

Proof.

The following probabilities are over the same randomness as the probability in the above claim unless otherwise stated.

Define $S:=\{(pk,D_{k},s):\max_{w}\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(w)\text{ accepts}\right]\geq 1-\sqrt{1-\delta_{r}+\epsilon}\}$ where the probability is only over the randomness of $\mathsf{V}$ . Then by 4 and averaging argument,

\mathsf{Pr}\left[(pk,D_{k},s)\in S\right]\geq 1-\sqrt{1-\delta_{r}+\epsilon}

By Theorem 4, $\forall(pk,D_{k},s)\in S$ , $\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts}\right]\geq 0.99(1-\sqrt{1-\delta_{r}+\epsilon})$ where the probability is only over the randomness of $\mathsf{V}$ . Therefore,

\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts}\right]\geq 0.99\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}.

∎

The second part

We already know that $\sigma_{D_{k}}$ is accepted by $\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,D_{k},s)}$ with high probability. The next step is to associate the acceptance probability of $\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,D_{k},s)}$ and that of $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\cdot))$ on $\sigma_{D_{k}}$ . If the difference of these two terms is large, the simulation with $D_{k}$ is not good enough. That is, $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))$ asks some important queries outside $D_{k}$ . So in this case, $D_{k+1}$ will contain more important queries and we make progress. Formally:

Claim 6.

We use the same notation as above. For every $k\in[N(n)],$

		$\displaystyle\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts}\right]-\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))\text{ accepts}\right]$
	$\displaystyle\leq$	$\displaystyle\mathbf{E}\left[\lvert D_{k+1}\cap(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}})\rvert\right]-\mathbf{E}\left[\lvert D_{k}\cap(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}})\rvert\right]$

where the probabilities and the expectations are over the randomness of ${\mathcal{R}}$ , the randomness of the generation of the input for $\mathcal{A}^{{\mathcal{O}}}$ and the randomness of our adversary $\mathcal{A}^{{\mathcal{O}}}$ .

Proof.

The following probabilities and expectations are over the same randomness of those in the above claim unless otherwise stated.

Similar as the arguments in 4, $\mathsf{V}^{\ket{\mathsf{PSPACE}}}_{(pk,s,D_{k})}(\sigma_{D_{k}})$ and $\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))$ behave differently only when they make queries in $(D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}\cup D_{k})\Delta D_{k}=D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$ . Therefore,

		$\displaystyle\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts}\right]$
	$\displaystyle=$	$\displaystyle\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts and queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
		$\displaystyle+\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts and never queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
	$\displaystyle\leq$	$\displaystyle\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
		$\displaystyle+\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))\text{ accepts and never queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
	$\displaystyle=$	$\displaystyle\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))\text{ queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
		$\displaystyle+\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))\text{ accepts and never queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$}\right]$
	$\displaystyle\leq$	$\displaystyle\mathsf{Pr}\left[\left(D_{k+1}-D_{k}\right)\cap\left(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}\right)\neq\emptyset\right]+\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))\text{ accepts}\right]$
	$\displaystyle\leq$	$\displaystyle\mathbf{E}\left[\lvert\left(D_{k+1}-D_{k}\right)\cap\left(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}\right)\rvert\right]+\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))\text{ accepts}\right]$

Note that $D_{k}\subseteq D_{k+1}$ ,

\mathbf{E}\left[\lvert\left(D_{k+1}-D_{k}\right)\cap\left(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}\right)\rvert\right]=\mathbf{E}\left[\lvert D_{k+1}\cap(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}})\rvert\right]-\mathbf{E}\left[\lvert D_{k}\cap(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}})\rvert\right]

Therefore, the claim holds true. ∎

Now let’s combine the above results to prove Theorem 6. The probabilities and expectations below are over the randomness of ${\mathcal{R}}$ , the randomness of the generation of the input for $\mathcal{A}^{{\mathcal{O}}}$ and the randomness of our adversary $\mathcal{A}^{{\mathcal{O}}}$ (thus over the randomness of $t$ and $j$ ) unless otherwise stated.

By our construction and the union bound,

		$\displaystyle\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\phi_{1}))\text{ accepts and }\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\phi_{2}))\text{ accepts}\right]$
	$\displaystyle\geq$	$\displaystyle 2\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]-1$
	$\displaystyle=$	$\displaystyle\frac{2}{N(n)}\sum_{k=0}^{N(n)-1}\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))\text{ accepts}\right]-1$

From 5 and 6,

		$\displaystyle\frac{1}{N(n)}\sum_{k=0}^{N(n)-1}\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\sigma_{D_{k}}))\text{ accepts}\right]$
	$\displaystyle\geq$	$\displaystyle\frac{1}{N(n)}\sum_{k=0}^{N(n)-1}\left(\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts}\right]-\mathbf{E}\left[\lvert D_{k+1}\cap(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}})\rvert\right]+\mathbf{E}\left[\lvert D_{k}\cap(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}})\rvert\right]\right)$
	$\displaystyle\geq$	$\displaystyle\frac{1}{N(n)}\sum_{k=0}^{N(n)-1}\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts}\right]-\frac{1}{N(n)}\mathbf{E}\left[\lvert D_{N(n)}\cap(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}})\rvert\right]$
	$\displaystyle\geq$	$\displaystyle\frac{1}{N(n)}\sum_{k=0}^{N(n)-1}\mathsf{Pr}\left[\mathsf{V}_{(pk,D_{k},s)}^{\ket{\mathsf{PSPACE}}}(\sigma_{D_{k}})\text{ accepts}\right]-\frac{l(n)}{N(n)}$
	$\displaystyle\geq$	$\displaystyle 0.99\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}-0.01\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}$
	$\displaystyle\geq$	$\displaystyle 0.9\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}$

Therefore,

\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\phi_{1}))\text{ accepts and }\mathsf{Ver}^{{\mathcal{O}}}(pk,(s,\phi_{2}))\text{ accepts}\right]\geq 1.8\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}-1,

which ends our proof of Theorem 6. ∎

Proof of Theorem 5.

The proposed adversary $\mathcal{A}^{{\mathcal{O}}}$ is a valid attack because when $\epsilon=0.01,\delta_{r}=0.99$ ,

1.8\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}-1\geq 1.8(1-0.2)^{2}-1\geq 0.1,

which is non-negligible. ∎

6 Extensions to Quantum Access

In this section, we will explore a special case where some algorithms can have quantum access to the random oracle. We consider reusable secure oracle-aided public key quantum money scheme $(\mathsf{KeyGen}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Mint}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}})$ . Formally:

Theorem 7.

Reusable and secure oracle-aided public key quantum money scheme $(\mathsf{KeyGen}^{{\ket{{\mathcal{R}}}},\ket{\mathsf{PSPACE}}},\allowbreak\mathsf{Mint}^{{\ket{{\mathcal{R}}}},\ket{\mathsf{PSPACE}}},\mathsf{Ver}^{{{\mathcal{R}}},\ket{\mathsf{PSPACE}}})$ does not exist where ${\mathcal{R}}$ is a random oracle.

Without loss of generality, we can suppose the algorithms only make queries to the random oracle on input length $l(n)$ and receive $1$ bit output where $l$ is a polynomial. (If they make queries to ${\mathcal{R}}$ on various input lengths, suppose the maximal input length is $l^{\prime}(n)$ . Let $l(n)=l^{\prime}(n)+\log l^{\prime}(n)$ . We can modify the algorithms so that their queries on input length $k(n)$ will be made on input length $l(n)$ where the first $k(n)$ bits stores the true query position, the middle $l^{\prime}(n)-k(n)$ bits are 0, and the last $\log l^{\prime}(n)$ bits indicates $k(n)$ .)

Let $\mathsf{Ver}$ make $q(n)$ classical queries to ${\mathcal{R}}$ . Let $\mathsf{KeyGen}$ and $\mathsf{Mint}$ make $q^{\prime}(n)$ quantum queries to ${\mathcal{R}}$ in total. Denote the reusability and the security of the scheme as $\delta_{r}$ and $\delta_{s}$ respectively where $\delta_{r}=1-\mathsf{negl}(n),\delta_{s}=\mathsf{negl}(n)$ . When it is clear from the context, we sometimes omit $n$ for simplicity.

It’s worth noting that the attacker in Section 5 doesn’t take advantage of the fact that $\mathsf{KeyGen}$ and $\mathsf{Mint}$ there can only make classical queries to ${\mathcal{R}}$ . In fact, the same attacker works even when $\mathsf{KeyGen}$ and $\mathsf{Mint}$ can make quantum queries to ${\mathcal{R}}$ (with some modifications on the number of iterations). To be more specific, here is our construction of the attacker where $T(n)$ , $N(n)$ , the guarantee $a$ and the threshold $b$ of $\mathsf{Syn}$ will be determined later.

$\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$

It takes as input a valid banknote $(s,\rho_{s})$ and public key $pk$ , and behaves as follows.

1.
Test phase: Let $t\xleftarrow{\$}\{0,1,\ldots,T(n)-1\}$ . Let $D=\emptyset$ , $\rho_{s}^{(0)}=\rho_{s}$ . Run the following $t$ times. In $i^{th}$ iteration,
1. (a)
  
  $\rho_{s}^{(i)}\otimes\ket{{\bf x}}\!\bra{{\bf x}}\leftarrow\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,s,\rho_{s}^{(i-1)})$ .
2. (b)
  
  Add query-answer pairs to ${\mathcal{R}}$ in item (a) into $D$ .
2.
Update phase: Let $j\xleftarrow{\$}\{0,1,\ldots,N(n)-1\}$ . Let $D_{0}=D$ . Run the following $j$ times. In $k^{th}$ iteration,
1. (a)
  
  $\sigma_{D_{k-1}}\leftarrow\mathsf{Syn}^{\ket{\mathsf{PSPACE}}}(pk,D_{k-1},s)$ .
2. (b)
  
  Run $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{k-1}}))$ .
3. (c)
  
  Let $D_{k}$ consist of all the query-answer pairs to ${\mathcal{R}}$ in item (b) and the pairs in $D_{k-1}$ .
3.

Synthesize phase: Output $\phi=\phi_{1}\otimes\phi_{2}$ where $\phi_{i}\leftarrow\mathsf{Syn}^{\ket{\mathsf{PSPACE}}}(pk,D_{j},s)$ $(i=1,2)$ .

This description of $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ is actually equivalent to our adversary in Section 5. We move the line $j\xleftarrow{\$}\{0,1,\ldots,N(n)-1\}$ to the front because it will be easier to analyze.

What is left is to prove an analogue of Theorem 6. That is, the output states of $\mathcal{A}$ will be accepted with high probability.

Theorem 8.

Given input $(pk,(s,\rho_{s}))$ generated by $\mathsf{KeyGen}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}$ and $\mathsf{Mint}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}$ , $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ outputs two alleged banknotes associated with the serial number $s$ that will be accepted with high probability. Formally:

\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\phi_{1}))\text{ accepts and }\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\phi_{2}))\text{ accepts}\right]\geq 1.8\left(1-\sqrt{1-\delta_{r}+\epsilon}\right)^{2}-1,

where the probability is over the randomness of ${\mathcal{R}}$ , the randomness of the generation of the input for $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ (that is, the randomness of $\mathsf{KeyGen}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}$ and $\mathsf{Mint}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}$ ) and the randomness of our adversary $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ .

Similar to Theorem 6, we will show that the verification on $\sigma_{D_{j}}\leftarrow\mathsf{Syn}^{\ket{\mathsf{PSPACE}}}(pk,D_{j},s)$ accepts with high probability and then prove the theorem by union bound.

In Section 5, we crucially rely on the fact that whenever we make a mistake, we make progress in the sense that we recover a query inside $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ . However, now $\mathsf{KeyGen},\mathsf{Mint}$ can make quantum queries. As a result, $\mathsf{KeyGen}$ and $\mathsf{Mint}$ could “touch” exponentially many positions. Fortunately, the compressed oralce technique introduced by Zhandry [Zha18] can be seen as a quantum analogue of recording queries into a database. Basically, if we run all the algorithms in the purified view and see the register containing the oracle (labeled $\mathsf{F}$ ) in Fourier basis, then all except polynomial positions are $\ket{\hat{0}}$ after polynomial quantum queries, and thus the register can be compressed using a unitary. In this work, in order to better mimic $D_{k}$ and $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ in Section 5, we take advantage of the fact that $\mathsf{Ver}$ only makes classical queries. To be more specific, we will maintain a register to store a database for all the classical queries and only record those non- $\ket{\hat{0}}$ positions outside the database into $\mathsf{F}$ . These two registers will be our analogue of $D_{k}$ and $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ . We will elaborate on this idea in Section 6.2.

6.1 A Purified View of the Algorithms

From Section 3.4, for any sequence of algorithms that only make queries to the random oracle on input length $l(n)$ and receive 1 bit output, we can analyze the output using a pure state that we obtain by running all the algorithms in the purified view instead. By purified view, we mean that we will purify the execution of the algorithms in the following way:

•

We will introduce a register $\mathsf{F}$ that contains the truth table of the oracle. Before the execution of the first algorithm, it is initialized to a uniform superposition of all the possible truth tables of the oracle, i.e. $\ket{\hat{0}}^{\otimes 2^{l}}$ .
•

Instead of quantum query to ${\mathcal{R}}$ , we apply a unitary $U_{Q}:\ket{x}_{\mathsf{Q}}\ket{y}_{\mathsf{A}}\ket{f}_{\mathsf{F}}\rightarrow\ket{x}_{\mathsf{Q}}\ket{y\oplus f(x)}_{\mathsf{A}}\ket{f}_{\mathsf{F}}$ where $\mathsf{Q}$ stores the query position and $\mathsf{A}$ is for the answer bit. (The subscript $Q$ in $U_{Q}$ is for Quantum queries.)
•

Instead of computational basis measurements, we apply $\mathit{CNOT}$ to copy it to a fresh ancilla.

Without loss of generality, we can suppose for any classical query to ${\mathcal{R}}$ , the register for query answer is always set to $\ket{0}$ before the query. Notice that a classical query to ${\mathcal{R}}$ is equivalent to a computational basis measurement on the query position followed by a quantum query to ${\mathcal{R}}$ . An extra computational basis measurement on the answer of the query won’t change the view. So a classical query in the purified view can be treated as applying the unitary

U_{C}:\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{f}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}\rightarrow\ket{x}_{\mathsf{Q}}\ket{f(x)}_{\mathsf{A}}\ket{f}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,f(x))}_{\mathsf{D}_{{\mathcal{R}}}}

where $\mathsf{D}_{{\mathcal{R}}}$ is a register that we will use to purify the computational basis measurements in the classical queries. By $\ket{D_{{\mathcal{R}}}}$ , we mean a sequence of pairs $\ket{(x_{1},z_{1}),(x_{2},z_{2}),\cdots(x_{k},z_{k})}$ where $x_{1},x_{2},\cdots,x_{k}$ are not necessary to be distinct but if $x_{i}=x_{j}$ , then we have the guarantee that $z_{i}=z_{j}$ . Here $\mathsf{D}_{{\mathcal{R}}}$ has enough space. That is, by $\ket{(x_{1},z_{1}),\cdots(x_{k},z_{k})}$ , we actually mean $\ket{(x_{1},z_{1}),\cdots(x_{k},z_{k}),\bot,\cdots,\bot}$ where $\bot$ is a special symbol that represents empty. Despite not being standard, we sometimes call $D_{{\mathcal{R}}}$ database. (The subscript $C$ in $U_{C}$ is for Classical queries.)

Another convenient way to think of the purified view is to treat the execution of the algorithms as an interaction between two parties, the algorithm and the oracle. The oracle will maintain two private registers $\mathsf{F}$ and $\mathsf{D}_{{\mathcal{R}}}$ (and also some ancillas initialized to be $\ket{0}$ ). If the algorithm is allowed to make quantum queries to ${\mathcal{R}}$ , the algorithm will submit $\mathsf{Q}\mathsf{A}$ to the oracle, and then the oracle will apply $U_{Q}$ and send $\mathsf{Q}\mathsf{A}$ back to the algorithm. If the algorithm is only allowed to make classical queries, the algorithm will submit $\mathsf{Q}$ to the oracle, and then the oracle will put a fresh ancilla on $\mathsf{A}$ , apply $U_{C}$ and send $\mathsf{Q}\mathsf{A}$ to the algorithm.

We will use $U_{\mathsf{KeyGen},n},U_{\mathsf{Mint},n},U_{\mathsf{Ver},n}$ and $U_{\mathsf{Syn},n}$ to denote the unitary corresponding to the purified version of $\mathsf{KeyGen}$ , $\mathsf{Mint}$ , $\mathsf{Ver}$ and $\mathsf{Syn}$ on security number $n$ respectively. Then $U_{\mathsf{KeyGen},n},U_{\mathsf{Mint},n}$ and $U_{\mathsf{Ver},n}$ are all in the form of preparing the first query and then repeatively answering the query by applying $U_{Q}$ or $U_{C}$ and preparing the next query (or the final output if there is no further query). In particular, we will write $U_{\mathsf{Ver},n}$ as $U_{q(n)}U_{C}U_{q(n)-1}\cdots U_{C}U_{0}$ . We will omit the subscript $n$ when it is clear from the context.

Let $U_{\mathsf{Ver}}^{\prime}:=U_{q}U_{R}U_{q-1}\cdots U_{R}U_{0}$ where $U_{R}$ (the subscript $R$ is for Recording) is a unitary that in addition to a classical query $U_{C}$ , it records the query-answer pair into a database maintained by $\mathcal{A}$ . That is,

U_{R}:\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{\mathcal{A}}}_{\mathsf{D}_{\mathcal{A}}}\ket{f}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}\rightarrow\ket{x}_{\mathsf{Q}}\ket{f(x)}_{\mathsf{A}}\ket{D_{\mathcal{A}},(x,f(x))}_{\mathsf{D}_{\mathcal{A}}}\ket{f}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,f(x))}_{\mathsf{D}_{{\mathcal{R}}}}

where $\mathsf{D}_{\mathcal{A}}$ is the register that stores the database maintained by $\mathcal{A}$ . Again by $\ket{D_{\mathcal{A}}}$ and $\ket{D_{{\mathcal{R}}}}$ , we mean a sequence of query-answer pairs where the query positions are not necessary to be distinct, but the pairs are consistent. $\mathsf{D}_{\mathcal{A}}$ has enough space.

It’s easy to see that $U_{\mathsf{Ver}}^{\prime}$ corresponds to running $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ while the adversary records the query-answer pairs made by $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ .

Then in the purified view, $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ is the following (we will denote by $U_{\mathcal{A}}$ ):

1.

Given input public key, serial number, the alleged banknote along with the register containing the truth table of the oracle, introduce a register $\mathsf{T}$ initialized to be $\frac{1}{\sqrt{T(n)}}\sum_{t=0}^{T(n)-1}\ket{t}_{\mathsf{T}}$ and introduce a register $\mathsf{J}$ initialized to be $\frac{1}{\sqrt{N(n)}}\sum_{j=0}^{N(n)-1}\ket{j}_{\mathsf{J}}$ .
2.

Test phase: Conditioned on the content in $\mathsf{T}$ is $t$ , apply $U_{\mathsf{Ver}}^{\prime}$ on the banknote for $t$ times in sequential. (Or equivalently apply unitary $U_{\mathsf{Test}}:=\sum_{t=0}^{T(n)-1}U_{\mathsf{Ver}}^{\prime t}\otimes\ket{t}\!\bra{t}_{\mathsf{T}}$ where $U_{\mathsf{Ver}}^{\prime t}$ means applying $U_{\mathsf{Ver}}^{\prime}$ for $t$ times.)
3.
Update phase: Conditioned on the content in $\mathsf{J}$ is $j$ , apply the following for $j$ times:
1. (a)
  
  Apply $U_{\mathsf{Syn}}$ on all the query-answer pairs we learn so far (i.e. the contents in $\mathsf{D}_{\mathcal{A}}$ ).
2. (b)
  
  Apply $U_{\mathsf{Ver}}^{\prime}$ on the state synthesized in item (a).
(Or equivalently apply unitary $U_{\mathsf{Upd}}:=\sum_{j=0}^{N(n)-1}(U_{\mathsf{Ver}}^{\prime}U_{\mathsf{Syn}})^{j}\otimes\ket{j}\!\bra{j}_{\mathsf{J}}$ where $(U_{\mathsf{Ver}}^{\prime}U_{\mathsf{Syn}})^{j}$ means alternatively applying $U_{\mathsf{Syn}}$ and $U_{\mathsf{Ver}}^{\prime}$ for $j$ times.)
4.

Synthesize phase: Apply $U_{\mathsf{Syn}_{1}}$ and $U_{\mathsf{Syn}_{2}}$ on the query-answer pairs in $\mathsf{D}_{\mathcal{A}}$ to obtain two alleged banknotes where $U_{\mathsf{Syn}_{1}}$ and $U_{\mathsf{Syn}_{2}}$ are $U_{\mathsf{Syn}}$ that acts on different registers.

Then the acceptance probability of the following algorithms on the corresponding states (taking the randomness of ${\mathcal{R}}$ into account) can be analyzed by running the following sequence of algorithms in the purified view.

$\bm{\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on $\bm{\rho_{s}^{(t)}}$

The acceptance probability is the probability that

1.

Run the algorithms $\mathsf{KeyGen}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}},\mathsf{Mint}^{\ket{{\mathcal{R}}},\ket{\mathsf{PSPACE}}}$ and $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ in a purified view sequentially where the input of $\mathsf{KeyGen}$ is the security parameter in unary notion, the input of $\mathsf{Mint}$ is the output register corresponding to secret key of $\mathsf{KeyGen}$ , and the input of $\mathcal{A}$ is the output register of $\mathsf{Mint}$ and the register for the public key.
2.

Furthermore run $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ in a purified view where the input of $\mathsf{Ver}$ is the register for the public key, the register for the serial number and the register for $\rho_{s}^{(t)}$ (It’s inside working space register of $\mathcal{A}$ ).
3.

Measure the outcome register of the above $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ and obtain ${\sf Accept}$ .

$\bm{\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on $\bm{\rho_{s}^{(t)}}$

Here $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ means running $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ where the queries to ${\mathcal{R}}$ is answered by the database $D_{j}$ (all the query-answer pairs in $\mathsf{D}_{\mathcal{A}}$ ).

Define a unitary

U_{D}:\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{j}}_{\mathsf{D}_{\mathcal{A}}}\rightarrow\begin{cases}\ket{x}_{\mathsf{Q}}\ket{D_{j}(x)}_{\mathsf{A}}\ket{D_{j},(x,D_{j}(x))}_{\mathsf{D}_{\mathcal{A}}},&x\in D_{j}\\ \ket{x}_{\mathsf{Q}}\sum_{z=0}^{1}\frac{1}{\sqrt{2}}\ket{z}_{\mathsf{A}}\ket{D_{j},(x,z)}_{\mathsf{D}_{\mathcal{A}}},&x\notin D_{j}\end{cases}

where by $\ket{D_{j}}$ , we mean a sequence of query-answer pairs $\ket{(x_{1},z_{1}),(x_{2},z_{2}),\cdots(x_{k},z_{k})}$ where the query positions $x_{1},x_{2},\cdots,x_{k}$ are not necessary to be distinct, but the pairs are consistent. By $x\in D_{j}$ , we mean there exists $z$ such that $(x,z)$ is a pair in $D_{j}$ and we will denote this $z$ as $D_{j}(x)$ . By $x\notin D_{j}$ , we mean for all $z$ , $(x,z)$ is not a pair in $D_{j}$ . (The subscript $D$ in $U_{D}$ is for simulating with Database.)

Then applying $U_{D}$ is exactly answering the query $x$ using $D_{j}$ (If $x$ is in the database, then answer the query using $D_{j}$ ; Otherwise, give a random answer while recording this query-answer pair into the database for later use). Thus the purified version of $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ is

U_{\mathsf{Sim}}:=U_{q}U_{D}U_{q-1}\cdots U_{D}U_{0}.

So the acceptance probability of $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))$ on $\rho_{s}^{(t)}$ is the probability that

1.

Run the first step in the case ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ .
2.

Furthermore run $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ in a purified view where the input of $\mathsf{Ver}$ is the register for the public key, the register for the serial number, and the register for $\rho_{s}^{(t)}$ (The input is the same as the case ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ ).
3.

Measure the outcome register of the above $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ and obtain ${\sf Accept}$ .

$\bm{\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on $\bm{\sigma_{D_{j}}}$

The acceptance probability is the probability that

1.

Run the first step in the case ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ .
2.

Furthermore run $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ in a purified view where the input of $\mathsf{Ver}$ is the register for the public key, the register for the serial number, and the register for $\sigma_{D_{j}}$ (It’s the first register of the output state of $\mathcal{A}$ ).
3.

Measure the outcome register of the above $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ and obtain ${\sf Accept}$ .

$\bm{\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on $\bm{\sigma_{D_{j}}}$

The acceptance probability is the probability that

1.

Run the first step in the case ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ .
2.

Furthermore run $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ in a purified view where the input of $\mathsf{Ver}$ is the register for the public key, the register for the serial number, and the register for $\sigma_{D_{j}}$ (The input is the same as the case ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\sigma_{D_{j}}}$ ).
3.

Measure the outcome register of the above $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ and obtain ${\sf Accept}$ .

6.2 Compress and Decompress

Intuitively, $\ket{\hat{0}}$ position in $\mathsf{F}$ is a uniform superposition of the range and it is unentangled with all other things, so it can be seen as choosing a value from the range uniformly at random independently, which is exactly what the simulation does. It is an analog of those positions that are never asked during the sequence of algorithms in the purely classical query case.

In this subsection, we will show how to extract an analog of $D_{k}$ and $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ from the pure state. Roughly speaking, the recorded classical queries are an analog of $D_{k}$ and we will compress the register $\mathsf{F}$ to extract those non- $\ket{\hat{0}}$ positions outside $D_{k}$ to form our analog of $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ .

As it’s easier to write down and analyze the inverse operation of compress, we first give a formal description of decompress unitary $\mathsf{Decomp}$ . Recall that $\mathsf{D}_{{\mathcal{R}}}$ stores all the classical queries to ${\mathcal{R}}$ . $\mathsf{F}$ is a register for the random function. Define

\mathsf{Decomp}:\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}\rightarrow\ket{f_{0},f_{1},\cdots,f_{2^{l}-1}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}

where $\ket{D_{F}}_{\mathsf{F}}$ can be written as a sequence of pairs $\ket{(x_{1},\widehat{y_{1}}),(x_{2},\widehat{y_{2}}),\cdots,(x_{k^{\prime}},\widehat{y_{k^{\prime}}})}_{\mathsf{F}}$ , $\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}$ can be written as a sequence of pairs $\ket{(x_{1}^{\prime},z_{1}),(x_{2}^{\prime},z_{2}),\cdots,(x_{k}^{\prime},z_{k})}$ and the input $\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}$ satisfies

•

if $x_{i}^{\prime}=x_{j}^{\prime}$ , then $z_{i}=z_{j}$ ;
•

$x_{1}<x_{2}<\cdots<x_{k^{\prime}},\widehat{y_{i}}\neq\widehat{0}$ ;
•

$\forall i,j,x_{j}\neq x_{i}^{\prime}$ ;

and the output satisfies

•

If $x_{j}^{\prime}=i$ , then $f_{i}=z_{j}$ ;
•

If $x_{j}=i$ , then $f_{i}=\widehat{y_{j}}$ ;
•

If $\forall j,x_{j}\neq i,x_{j}^{\prime}\neq i$ , then $f_{i}=\widehat{0}$ .

Roughly speaking, we fill $f_{0},f_{1},\cdots,f_{2^{l}-1}$ by looking at the pairs $(x_{1}^{\prime},z_{1}),(x_{2}^{\prime},z_{2}),\cdots,(x_{k}^{\prime},z_{k})$ and $(x_{1},\widehat{y_{1}}),(x_{2},\widehat{y_{2}}),\cdots,(x_{k^{\prime}},\widehat{y_{k^{\prime}}})$ . And we fill all the remaining positions with $\hat{0}$ .

Here our register $\mathsf{F}$ also have enough space. As our random function only has one-bit outputs, $z_{1},z_{2},\cdots,z_{k},y_{1},y_{2},\cdots,y_{k^{\prime}}\in\{0,1\}$ . Recall that $\ket{\hat{0}}=\ket{+}=\frac{1}{\sqrt{2}}(\ket{0}+\ket{1}),\ket{\hat{1}}=\ket{-}=\frac{1}{\sqrt{2}}(\ket{0}-\ket{1})$ . One can check that each two inputs in the above form are orthogonal and they are mapped to orthogonal outputs. So we can define the outputs of other inputs that are not in the above form so that $\mathsf{Decomp}$ is a unitary.

More Notations

For simplicity, when we write $D_{{\mathcal{R}}}$ , we mean a sequence of consistent pairs $(x_{1}^{\prime},z_{1}),(x_{2}^{\prime},z_{2}),\cdots,(x_{k}^{\prime},z_{k})$ by default. By $x\in D_{{\mathcal{R}}}$ , we mean $\exists i$ , $x_{i}^{\prime}=x$ . By $D_{{\mathcal{R}}}(x)$ where $x\in D_{{\mathcal{R}}}$ , we mean $z_{i}$ where $x_{i}^{\prime}=x$ . When we write $D_{F}$ , we mean a sequence $(x_{1},\widehat{y_{1}}),(x_{2},\widehat{y_{2}}),\cdots,(x_{k^{\prime}},\widehat{y_{k^{\prime}}})$ that satisfies the second item of the input requirements above. By $x\in D_{F}$ , we mean $\exists i$ , $x_{i}=x$ . By $D_{F}(x)$ where $x\in D_{F}$ , we mean $\widehat{y_{i}}$ where $x_{i}=x$ . By $\widehat{D_{F}(x)}$ where $x\in D_{F}$ , we mean $y_{i}$ where $x_{i}=x$ . By $D_{F}-x$ , we mean the sequence we obtain after deleting $x_{i},\widehat{y_{i}}$ from the sequence $D_{F}$ where $x_{i}=x$ . Define $D_{{\mathcal{R}}}\cap D_{F}=\{x:x\in D_{{\mathcal{R}}}\text{ and }x\in D_{F}\}$ .

The inverse operation of the above unitary $\mathsf{Decomp}$ is compress, which can take our database $D_{{\mathcal{R}}}$ and the truth table in register $\mathsf{F}$ as inputs and compress them into two databases $D_{{\mathcal{R}}}$ and $D_{F}$ . Define it as $\mathsf{Comp}:=\mathsf{Decomp}^{\dagger}$ . These two unitaries enable us to change our view between the decompressed one (a database for classical queries and a truth table) and the compressed one (a database for classical queries and another database). Here is a picture to illustrate this. $\ket{\theta}$ is an arbitrary state without compression. ${U}$ is a unitary in the decompressed view (It takes a state without compression as input and outputs a state without compression). Then ${\widetilde{U}}:=\mathsf{Comp}{U}\mathsf{Decomp}$ is a compressed view version of ${U}$ (It takes a state after compression as input and outputs a state after compression). From now on, when we write unitary ${\widetilde{\cdot}}$ , we mean it is in the compressed view.

Readers can treat $D_{{\mathcal{R}}}$ as an analog of database $D_{k}$ in Section 5 and treat $D_{F}$ as an analog of databases $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ in Section 5. Roughly speaking, $D_{{\mathcal{R}}}$ stores our classical queries. The query positions in $D_{F}$ are those asked by $\mathsf{KeyGen}$ and $\mathsf{Mint}$ , but not recorded in $D_{{\mathcal{R}}}$ . We can understand this analog better after taking a look of the following query unitaries in the compressed view.

Recall the unitaries $U_{C}$ , $U_{R}$ and $U_{D}$ from Section 6.1. They are for classical query, classical query while recording and simulated classical query respectively. Their compressed versions are the unitaries ${\widetilde{U_{C}}}:=\mathsf{Comp}{U_{C}}\mathsf{Decomp}$ , ${\widetilde{U_{R}}}:=\mathsf{Comp}{U_{R}}\mathsf{Decomp}$ and ${\widetilde{U_{D}}}:=\mathsf{Comp}{U_{D}}\mathsf{Decomp}$ .

From the description of $\mathsf{Decomp}$ , we can get for $D_{F}\cap D_{{\mathcal{R}}}=\emptyset,$

		$\displaystyle{\widetilde{U_{C}}}(\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}})$
	$\displaystyle=$	$\displaystyle\begin{cases}\ket{x}_{\mathsf{Q}}\ket{D_{{\mathcal{R}}}(x)}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,D_{{\mathcal{R}}}(x))}_{\mathsf{D}_{{\mathcal{R}}}}&x\in D_{{\mathcal{R}}}\\ \ket{x}_{\mathsf{Q}}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}\ket{z}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}&x\notin D_{{\mathcal{R}}},x\notin D_{F}\\ \ket{x}_{\mathsf{Q}}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}(-1)^{z\widehat{D_{F}(x)}}\ket{z}_{\mathsf{A}}\ket{D_{F}-x}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}&x\notin D_{{\mathcal{R}}},x\in D_{F}\end{cases}$

		$\displaystyle{\widetilde{U_{R}}}(\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{\mathcal{A}}}_{\mathsf{D}_{\mathcal{A}}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}})$
	$\displaystyle=$	$\displaystyle\begin{cases}\ket{x}_{\mathsf{Q}}\ket{D_{{\mathcal{R}}}(x)}_{\mathsf{A}}\ket{D_{\mathcal{A}},(x,D_{{\mathcal{R}}}(x))}_{\mathsf{D}_{\mathcal{A}}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,D_{{\mathcal{R}}}(x))}_{\mathsf{D}_{{\mathcal{R}}}}&x\in D_{{\mathcal{R}}}\\ \ket{x}_{\mathsf{Q}}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}\ket{z}_{\mathsf{A}}\ket{D_{\mathcal{A}},(x,z)}_{\mathsf{D}_{\mathcal{A}}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}&x\notin D_{{\mathcal{R}}},x\notin D_{F}\\ \ket{x}_{\mathsf{Q}}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}(-1)^{z\widehat{D_{F}(x)}}\ket{z}_{\mathsf{A}}\ket{D_{\mathcal{A}},(x,z)}_{\mathsf{D}_{\mathcal{A}}}\ket{D_{F}-x}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}&x\notin D_{{\mathcal{R}}},x\in D_{F}\end{cases}$

Since $U_{D}$ does not act on $\mathsf{F}$ and $\mathsf{D}_{{\mathcal{R}}}$ , ${\widetilde{U_{D}}}=U_{D}$ . Thus

		$\displaystyle{\widetilde{U_{D}}}(\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{\mathcal{A}}}_{\mathsf{D}_{\mathcal{A}}})$
	$\displaystyle=$	$\displaystyle\begin{cases}\ket{x}_{\mathsf{Q}}\ket{D_{\mathcal{A}}(x)}_{\mathsf{A}}\ket{D_{\mathcal{A}},(x,D_{\mathcal{A}}(x))}_{\mathsf{D}_{\mathcal{A}}},&x\in D_{\mathcal{A}}\\ \ket{x}_{\mathsf{Q}}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}\ket{z}_{\mathsf{A}}\ket{D_{\mathcal{A}},(x,z)}_{\mathsf{D}_{\mathcal{A}}},&x\notin D_{\mathcal{A}}\end{cases}$

By the description of ${\widetilde{U_{C}}}$ and ${\widetilde{U_{R}}}$ , whenever we ask a classical query on input $x\in D_{{\mathcal{R}}}$ , we answer it with our database $D_{{\mathcal{R}}}$ and record $(x,D_{{\mathcal{R}}}(x))$ for another time; whenever we ask a classical query on input $x\notin D_{{\mathcal{R}}}\cup D_{F}$ , we answer it with a random $z$ and record $(x,z)$ in our database for later use; whenever we ask a classical query on input $x\in D_{F}$ , we actually copy the answer from the $D_{F}$ , record it, and remove $x$ from $D_{F}$ . The above three cases is analogous to the classical on-the-fly simulation where the query to ${\mathcal{R}}$ inside $D_{k}$ can be answered by $D_{k}$ , the query to ${\mathcal{R}}$ inside $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ should be answered consistently by $D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}$ and we can give a random answer to the query to outside $(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k})\cup D_{k}$ . It is worth pointing out that ${\widetilde{U_{C}}}$ and ${\widetilde{U_{R}}}$ maintain the property that $D_{{\mathcal{R}}}\cap D_{F}$ is empty (analogous to $\left(D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}\right)\cap D_{k}=\emptyset$ ).

Furthermore, recall that ${U_{\mathsf{Ver}}}=U_{q}{U_{C}}U_{q-1}\cdots U_{1}{U_{C}}U_{0}$ and $U_{i}$ does not act on $\mathsf{F}$ or $\mathsf{D}_{{\mathcal{R}}}$ . Thus ${\widetilde{U_{i}}}=U_{i}$ , ${\widetilde{U_{\mathsf{Ver}}}}={\widetilde{U_{q}}}{\widetilde{U_{C}}}{\widetilde{U_{q-1}}}\cdots{\widetilde{U_{1}}}{\widetilde{U_{C}}}{\widetilde{U_{0}}}=U_{q}{\widetilde{U_{C}}}U_{q-1}\cdots U_{1}{\widetilde{U_{C}}}U_{0}.$ Similarly, recall that the purified version of $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ is $U_{\mathsf{Sim}}=U_{q}U_{D}U_{q-1}\cdots U_{D}U_{0}$ . Thus ${\widetilde{U_{\mathsf{Sim}}}}=U_{q}{\widetilde{U_{D}}}U_{q-1}\cdots{\widetilde{U_{D}}}U_{0}=U_{\mathsf{Sim}}$ (Because ${\widetilde{U_{D}}}=U_{D}$ ).

6.3 Analysis of $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$

Here we analyze the acceptance probability of $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ on the output of our $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ . We reuse our ideas in Section 5. Readers are encouraged to refer to our notation table in Appendix C when confused about the notations.

The following proposition can be seen as an analog of 6 except that we work on a general state instead of solely analyzing $\sigma_{D_{k}}$ . It basically says that when the behavior of $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ (corresponding to ${\widetilde{U_{\mathsf{Ver}}}}=U_{q}{\widetilde{U_{C}}}\cdots{\widetilde{U_{C}}}U_{0}$ ) is far from a simulation $\mathsf{Ver}^{D,\ket{\mathsf{PSPACE}}}$ (corresponding to ${\widetilde{U_{\mathsf{Sim}}}}=U_{q}U_{D}\cdots U_{D}U_{0}$ ), then the number of pairs in $\mathsf{F}$ (analogous to ${\lvert{D_{\mathsf{KeyGen}}\cup D_{\mathsf{Mint}}-D_{k}}\rvert}$ ) will drop a lot after the verification. The intuition is that roughly speaking, ${\widetilde{U_{C}}}$ and $U_{D}$ only behave differently when given a query position $x\in D_{F}$ , in which case $x$ will be excluded from $D_{F}$ after applying ${\widetilde{U_{C}}}$ . So it results in a decrement of the number of pairs in $\mathsf{F}$ . Formally:

Proposition 2.

Denote $O$ to be the observable corresponding to the number of pairs in $\mathsf{F}$ . To be more specific, $O=\sum_{D_{F}}{\lvert{D_{F}}\rvert}\ket{D_{F}}\!\bra{D_{F}}_{\mathsf{F}}$ where ${\lvert{D_{F}}\rvert}$ is the number of pairs in $D_{F}$ .

For a state $\ket{\phi}$ in the following form (i.e. it’s in the compressed view and the contents in $\mathsf{D}_{{\mathcal{R}}}$ and $\mathsf{D}_{\mathcal{A}}$ are the same),

\ket{\phi}=\sum_{\begin{subarray}{c}pk,s,m,D,D_{F},g\\ \text{s.t. }D\cap D_{F}=\emptyset\end{subarray}}\alpha_{pk,s,m,D,D_{F},g}\ket{pk}_{\mathsf{Pk}}\ket{s}_{\mathsf{S}}\ket{m}_{\mathsf{M}}\ket{D}_{\mathsf{D}_{\mathcal{A}}}\ket{D_{F}}_{\mathsf{F}}\ket{D}_{\mathsf{D}_{{\mathcal{R}}}}\ket{g}_{\mathsf{G}}.

Let $\mathsf{Pr}\left[{\widetilde{U_{\mathsf{Ver}}}}\text{ accepts when running on $\ket{\phi}$}\right]$ be the acceptance probability of ${\widetilde{U_{\mathsf{Ver}}}}$ when the public key, the serial number and the alleged money state are in $\mathsf{Pk},\mathsf{S}$ and $\mathsf{M}$ respectively (It also equals to the acceptance probability of $U_{\mathsf{Ver}}$ on $\mathsf{Decomp}\ket{\phi}$ because ${\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}=\mathsf{Comp}U_{\mathsf{Ver}}(\mathsf{Decomp}\ket{\phi})$ and $\mathsf{Comp}$ does not act on the output bit).

Let $\mathsf{Pr}\left[{\widetilde{U_{\mathsf{Sim}}}}\text{ accepts when running on $\ket{\phi}$}\right]$ be the acceptance probability of ${\widetilde{U_{\mathsf{Sim}}}}$ when the public key, the serial number, the alleged money state and the database for simulating the random oracle are in $\mathsf{Pk},\mathsf{S},\mathsf{M}$ and $\mathsf{D}_{\mathcal{A}}$ respectively (It also equals to the acceptance probability of $U_{\mathsf{Sim}}$ on $\mathsf{Decomp}\ket{\phi}$ ).

		$\displaystyle\left\|\mathsf{Pr}\left[{\widetilde{U_{\mathsf{Ver}}}}\text{ accepts when running on $\ket{\phi}$}\right]-\mathsf{Pr}\left[{\widetilde{U_{\mathsf{Sim}}}}\text{ accepts when running on $\ket{\phi}$}\right]\right\|$
	$\displaystyle\leq$	$\displaystyle{\operatorname{TD}\left(\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}({\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger}),\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}({\widetilde{U_{\mathsf{Sim}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Sim}}}}^{\dagger})\right)}$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\phi}\!\bra{\phi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})\right)}$

Proof.

The first inequality follows immediately from the fact that we can measure a qubit (not in $\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}$ ) of ${\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}$ and ${\widetilde{U_{\mathsf{Sim}}}}\ket{\phi}$ to obtain whether they accept and the fact that we can not distinguish two states with probability greater than their trace distance.

As for the second inequality, recall that ${\widetilde{U_{\mathsf{Ver}}}}=U_{q}{\widetilde{U_{C}}}\cdots{\widetilde{U_{C}}}U_{0}$ and ${\widetilde{U_{\mathsf{Sim}}}}=U_{q}U_{D}\cdots U_{D}U_{0}$ . Let $U_{D}^{\prime}$ be the same as $U_{D}$ except that it uses the contents in $D_{{\mathcal{R}}}$ for simulation instead of the contents in $D_{\mathcal{A}}$ . To be more specific,

\displaystyle U_{D}^{\prime}(\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}})=\begin{cases}\ket{x}_{\mathsf{Q}}\ket{D_{{\mathcal{R}}}(x)}_{\mathsf{A}}\ket{D_{{\mathcal{R}}},(x,D_{{\mathcal{R}}}(x))}_{\mathsf{D}_{{\mathcal{R}}}},&x\in D_{{\mathcal{R}}}\\ \ket{x}_{\mathsf{Q}}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}\ket{z}_{\mathsf{A}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}},&x\notin D_{{\mathcal{R}}}\end{cases}

Define $\ket{\phi_{j}}={\widetilde{U_{C}}}U_{j-1}\cdots{\widetilde{U_{C}}}U_{0}\ket{\phi}$ where $0\leq j\leq q$ . In order to analyze the difference of ${\widetilde{U_{\mathsf{Ver}}}}$ and ${\widetilde{U_{\mathsf{Sim}}}}$ on $\ket{\phi}$ , it’s enough to analyze the difference between one true query and one simulated query. Formally,

		$\displaystyle{\operatorname{TD}\left(\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}({\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger}),\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}({\widetilde{U_{\mathsf{Sim}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Sim}}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle{\operatorname{TD}\left(\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}(U_{q}\ket{\phi_{q}}\!\bra{\phi_{q}}U_{q}^{\dagger}),\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}(U_{q}U_{D}^{\prime}\cdots U_{D}^{\prime}U_{0}\ket{\phi_{0}}\!\bra{\phi_{0}}U_{0}^{\dagger}U_{D}^{\prime\dagger}\cdots U_{D}^{\prime\dagger}U_{q}^{\dagger})\right)}$
	$\displaystyle\leq$	$\displaystyle{\sum_{j=0}^{q-1}{\operatorname{TD}\left(\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}(U_{q}U_{D}^{\prime}\cdots U_{j+1}\ket{\phi_{j+1}}\!\bra{\phi_{j+1}}U_{j+1}^{\dagger}U_{D}^{\prime\dagger}\cdots U_{q}^{\dagger}),\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}(U_{q}U_{D}^{\prime}\cdots U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}U_{D}^{\prime\dagger}\cdots U_{q}^{\dagger})\right)}}$
	$\displaystyle\leq$	$\displaystyle\sum_{j=0}^{q-1}{\operatorname{TD}\left({\widetilde{U_{C}}}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}{\widetilde{U_{C}}}^{\dagger},U_{D}^{\prime}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}U_{D}^{\prime\dagger}\right)}$

where we use the fact that $\ket{\phi}$ have the same contents on $\mathsf{D}_{\mathcal{A}}$ and $\mathsf{D}_{{\mathcal{R}}}$ and thus $\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}({\widetilde{U_{\mathsf{Sim}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Sim}}}}^{\dagger})$ equals to $\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}(U_{q}U_{D}^{\prime}\cdots U_{D}^{\prime}U_{0}\ket{\phi_{0}}\!\bra{\phi_{0}}U_{0}^{\dagger}U_{D}^{\prime\dagger}\cdots U_{D}^{\prime\dagger}U_{q}^{\dagger})$ .

${\widetilde{U_{C}}}$ and $U_{D}^{\prime}$ act differently only when the query position is inside $D_{F}$ . So the difference between one true query and one simulated query can be bounded by the weight of queries inside $D_{F}$ , which equals the decrement of the number of pairs in $\mathsf{F}$ after the query. Formally, we give the following lemma, whose proof is deferred to Appendix A.

Lemma 6.

${\operatorname{TD}\left({\widetilde{U_{C}}}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}{\widetilde{U_{C}}}^{\dagger},U_{D}^{\prime}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}U_{D}^{\prime\dagger}\right)}\leq 6\sqrt{\mathrm{Tr}(O\ket{\phi_{j}}\!\bra{\phi_{j}})-\mathrm{Tr}(O\ket{\phi_{j+1}}\!\bra{\phi_{j+1}})}.$

We can insert Lemma 6 into the above inequality and obtain

		$\displaystyle{\operatorname{TD}\left(\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}({\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger}),\mathrm{Tr}_{\mathsf{F}\mathsf{D}_{\mathcal{A}}\mathsf{D}_{{\mathcal{R}}}}({\widetilde{U_{\mathsf{Sim}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Sim}}}}^{\dagger})\right)}$
	$\displaystyle\leq$	$\displaystyle\sum_{j=0}^{q-1}6\sqrt{\mathrm{Tr}(O\ket{\phi_{j}}\!\bra{\phi_{j}})-\mathrm{Tr}(O\ket{\phi_{j+1}}\!\bra{\phi_{j+1}})}$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{q\sum_{j=0}^{q-1}\left(\mathrm{Tr}(O\ket{\phi_{j}}\!\bra{\phi_{j}})-\mathrm{Tr}(O\ket{\phi_{j+1}}\!\bra{\phi_{j+1}})\right)}\text{ (Cauchy\textendash Schwarz inequality)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\phi}\!\bra{\phi})-\mathrm{Tr}(O{\widetilde{U_{C}}}U_{q-1}\cdots{\widetilde{U_{C}}}U_{0}\ket{\phi}\!\bra{\phi}U_{0}^{\dagger}{\widetilde{U_{C}}}^{\dagger}\cdots U_{q-1}^{\dagger}{\widetilde{U_{C}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\phi}\!\bra{\phi})-\mathrm{Tr}(OU_{q}{\widetilde{U_{C}}}\cdots{\widetilde{U_{C}}}U_{0}\ket{\phi}\!\bra{\phi}U_{0}^{\dagger}{\widetilde{U_{C}}}^{\dagger}\cdots{\widetilde{U_{C}}}^{\dagger}U_{q}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\phi}\!\bra{\phi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})\right)}$

where we use again the fact that $U_{q}$ does not act on $\mathsf{F}$ and thus $O$ commutes with $U_{q}$ .

∎

The next claim is an analog of 4. Basically, it argues that on average, $\rho_{s}^{(t)}$ is a good witness state for the simulation with database $D_{j}$ even when $\mathsf{KeyGen}$ and $\mathsf{Mint}$ can make quantum queries to ${\mathcal{R}}$ .

The intuition of the proof is the following: from Section 6.1, the difference between the acceptance probabilities of $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))$ and $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))$ on $\rho_{s}^{(t)}$ is the difference between running $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ and $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ in the purified view on the same state (i.e. the difference between applying $U_{\mathsf{Ver}}$ and $U_{\mathsf{Sim}}$ on the same state), which can be transformed to the compressed view and by Proposition 2 can be bounded by the decrement of the number of pairs in $\mathsf{F}$ after the verification. Roughly speaking, the decrement equals to the number of pairs in $D_{F}$ asked during the verification. But we randomize $t$ , so running another verification on $\rho_{s}^{(t)}$ should not decrease the number of pairs in $\mathsf{F}$ too much on average. Formally:

Claim 7.

\left|\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]-\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]\right|\leq 6\sqrt{\frac{q(n)q^{\prime}(n)}{T(n)}}

where the probabilities are taken over the randomness of ${\mathcal{R}}$ , the randomness of the inputs to the adversary and the randomness of the adversary (so $t$ and $j$ are both randomized).

Proof.

From Section 6.1, these two probabilities can be analyzed by running a sequence of algorithms in the purified view. As $\mathsf{Comp}\mathsf{Decomp}=I$ , we can insert $\mathsf{Comp}$ and $\mathsf{Decomp}$ between the algorithms. So these two probabilities can also be analyzed by running the sequence of algorithms in the compressed view.

Let $\ket{\phi}$ be the whole pure state we obtain by applying the unitaries ${\widetilde{U_{\mathsf{KeyGen}}}}=\mathsf{Comp}U_{\mathsf{KeyGen}}\mathsf{Decomp}$ , ${\widetilde{U_{\mathsf{Mint}}}}=\mathsf{Comp}U_{\mathsf{Mint}}\mathsf{Decomp}$ and ${\widetilde{U_{\mathcal{A}}}}=\mathsf{Comp}U_{\mathcal{A}}\mathsf{Decomp}$ to the state $\ket{1^{n}}\ket{\emptyset}_{\mathsf{D}_{\mathcal{A}}}\ket{\emptyset}_{\mathsf{F}}\ket{\emptyset}_{\mathsf{D}_{{\mathcal{R}}}}$ along with enough ancillas (i.e. the compressed version of the first step of “ ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ ” in Section 6.1). Let $\mathsf{M}$ be the register corresponding to $\rho_{s}^{(t)}$ .

It’s easy to see that every classical query is recorded by the adversary. That is, $\ket{\phi}$ has the same contents in $\mathsf{D}_{\mathcal{A}}$ and $\mathsf{D}_{{\mathcal{R}}}$ . From Proposition 2,

		$\displaystyle\left\|\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]-\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]\right\|$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\phi}\!\bra{\phi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})\right)}$

Denote ${\widetilde{U_{\mathsf{Upd}}}}$ to be unitary that describes our update phase in the compressed view. Formally, ${\widetilde{U_{\mathsf{Upd}}}}=\mathsf{Comp}U_{\mathsf{Upd}}\mathsf{Decomp}=\sum_{j=0}^{N(n)-1}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\otimes\ket{j}\!\bra{j}_{\mathsf{J}}$ where ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ is running on the state synthesized by ${\widetilde{U_{\mathsf{Syn}}}}$ .

Let $\ket{\psi}$ be the whole pure state we obtain by applying the unitaries ${\widetilde{U_{\mathsf{KeyGen}}}}$ , ${\widetilde{U_{\mathsf{Mint}}}}$ and ${\widetilde{U_{\mathsf{Test}}}}:=\mathsf{Comp}U_{\mathsf{Test}}\mathsf{Decomp}$ to the state $\ket{1^{n}}\ket{\emptyset}_{\mathsf{D}_{\mathcal{A}}}\ket{\emptyset}_{\mathsf{F}}\ket{\emptyset}_{\mathsf{D}_{{\mathcal{R}}}}\frac{1}{\sqrt{T(n)}}\sum_{t=0}^{T(n)-1}\ket{t}_{\mathsf{T}}\frac{1}{\sqrt{N(n)}}\sum_{j=0}^{N(n)-1}\ket{j}_{\mathsf{J}}$ along with enough ancillas (i.e. running the compressed version of the first step of “ ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ ” until the end of the test phase of $\mathcal{A}$ ). That is to say, $\ket{\phi}=U_{\mathsf{Syn}_{2}}U_{\mathsf{Syn}_{1}}{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}$ where $U_{\mathsf{Syn}_{i}}$ synthesizes the $i^{th}$ alleged banknote. Notice that $U_{\mathsf{Syn}_{i}}$ only reads the public key, the serial number and acts on $\mathsf{D}_{\mathcal{A}}$ and some fresh ancillas. So $U_{\mathsf{Syn}_{i}}$ commutes with $O$ and ${\widetilde{U_{\mathsf{Ver}}}}$ . (Recall that ${\widetilde{U_{\mathsf{Ver}}}}$ is the one that does not record queries for $\mathcal{A}$ . That is, it does not act on $\mathsf{D}_{\mathcal{A}}$ .) Thus

		$\displaystyle\mathrm{Tr}(O\ket{\phi}\!\bra{\phi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(O{\widetilde{U_{\mathsf{Syn}_{2}}}}{\widetilde{U_{\mathsf{Syn}_{1}}}}{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger}{\widetilde{U_{\mathsf{Syn}_{1}}}}^{\dagger}{\widetilde{U_{\mathsf{Syn}_{2}}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}{\widetilde{U_{\mathsf{Syn}_{2}}}}{\widetilde{U_{\mathsf{Syn}_{1}}}}{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger}{\widetilde{U_{\mathsf{Syn}_{1}}}}^{\dagger}{\widetilde{U_{\mathsf{Syn}_{2}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(O{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$

The next step is to bound the decrement of the pairs in $\mathsf{F}$ during the verification on ${\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}$ . However, the update phase between ${\widetilde{U_{\mathsf{Ver}}}}$ and the randomized number of verifications in the test phase may bring some trouble. So we give the following lemma, which is the counterpart of the fact that in the classical case, the number of queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D_{k}$ asked during a verification is no more than the number of queries in $D_{\mathsf{Mint}}\cup D_{\mathsf{KeyGen}}-D$ asked during a verification.

Lemma 7.

We use the same notation as above. Then

		$\displaystyle\mathrm{Tr}(O{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle\leq$	$\displaystyle\mathrm{Tr}(O\ket{\psi}\!\bra{\psi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$

The proof of the lemma is deferred to Appendix B.

Now let’s bound the decrement of the pairs in $\mathsf{F}$ during the verification. From Lemma 7,

		$\displaystyle\left\|\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]-\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]\right\|$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})\right)}$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\psi}\!\bra{\psi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\psi}\!\bra{\psi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}^{\prime}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})\right)}$

where we use the fact that ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ is the same as ${\widetilde{U_{\mathsf{Ver}}}}$ except that it records the query-answer pairs for $\mathcal{A}$ .

Note that we can also write $\ket{\psi}$ as $\frac{1}{\sqrt{T(n)}}\sum_{t=0}^{T(n)-1}\ket{\psi^{(t)}}\ket{t}_{\mathsf{T}}$ where $\ket{\psi^{(t)}}$ is the state after we run $t$ iterations in the test phase. Then $\ket{\psi^{(t+1)}}={\widetilde{U_{\mathsf{Ver}}^{\prime}}}\ket{\psi^{(t)}}$ . As $O$ and ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ do not run on $\mathsf{T}$ , tracing out $\mathsf{T}$ does not change the quantity. Therefore,

		$\displaystyle\left\|\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]-\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]\right\|$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\psi}\!\bra{\psi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}^{\prime}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\mathrm{Tr}_{\mathsf{T}}(\ket{\psi}\!\bra{\psi}))-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}^{\prime}}}\mathrm{Tr}_{\mathsf{T}}(\ket{\psi}\!\bra{\psi}){\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\frac{1}{T(n)}\sum_{t=0}^{T(n)-1}\mathrm{Tr}\left(O\ket{\psi^{(t)}}\!\bra{\psi^{(t)}}\right)-\frac{1}{T(n)}\sum_{t=0}^{T(n)-1}\mathrm{Tr}\left(O{\widetilde{U_{\mathsf{Ver}}^{\prime}}}\ket{\psi^{(t)}}\!\bra{\psi^{(t)}}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger}\right)\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\frac{1}{T(n)}\sum_{t=0}^{T(n)-1}\mathrm{Tr}\left(O\ket{\psi^{(t)}}\!\bra{\psi^{(t)}}\right)-\frac{1}{T(n)}\sum_{t=0}^{T(n)-1}\mathrm{Tr}\left(O\ket{\psi^{(t+1)}}\!\bra{\psi^{(t+1)}}\right)\right)}$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{\frac{q}{T(n)}\mathrm{Tr}\left(O\ket{\psi^{(0)}}\!\bra{\psi^{(0)}}\right)}$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{\frac{qq^{\prime}}{T(n)}}$

where we use the property of compressed oracle techniques that after $q^{\prime}(n)$ quantum queries, there are at most $q^{\prime}(n)$ non- $\hat{0}$ elements in $\mathsf{F}$ . $\ket{\psi^{(0)}}$ is just the state we obtain after we run $\mathsf{KeyGen}$ and $\mathsf{Mint}$ (so there are at most $q^{\prime}(n)$ quantum queries) and then apply the unitary $\mathsf{Comp}$ . So there are at most $q^{\prime}(n)$ pairs in $\mathsf{F}$ of $\ket{\psi^{(0)}}$ . Hence $\mathrm{Tr}\left(O\ket{\psi^{(0)}}\!\bra{\psi^{(0)}}\right)\leq q^{\prime}(n)$ .

∎

The next claim is an analog of summing over $k$ of 6 to get a bound for how well $\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}$ behaves on $\sigma_{D_{j}}$ . The intuition of the proof is similar to 7.

Claim 8.

\left|\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]-\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]\right|\leq 6\sqrt{\frac{q(n)q^{\prime}(n)}{N(n)}}

where the probabilities are taken over the randomness of ${\mathcal{R}}$ , the randomness of the inputs to the adversary and the randomness of the adversary (so $t$ and $j$ are both randomized).

Proof.

Similar to the proof of 7, these two probabilities can be analyzed by running a sequence of algorithms specificed in Section 6.1 in the compressed view. Let $\ket{\phi}$ be the same state as in 7 except that now $\mathsf{M}$ is the first output register of $\mathcal{A}$ (corresponding to the first synthesized state $\sigma_{D_{j}}$ ). Let $\ket{\psi}$ be the state we obtain by running the compressed version of the first step of “ ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ ” in Section 6.1 until the end of the update phase of $\mathcal{A}$ . That is to say, $\ket{\phi}=U_{\mathsf{Syn}_{2}}U_{\mathsf{Syn}_{1}}\ket{\psi}$ . Then $\ket{\phi}$ has the same contents in $\mathsf{D}_{\mathcal{A}}$ and $\mathsf{D}_{{\mathcal{R}}}$ .

Recall that ${\widetilde{U_{\mathsf{Ver}}}}$ and ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ both run the verification for the state in $\mathsf{M}$ , i.e. the first synthesized state $\sigma_{D_{j}}$ . Recall the fact that ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ is the same as ${\widetilde{U_{\mathsf{Ver}}}}$ except that it also records query-answer pairs for $\mathcal{A}$ and that $O$ only acts on $\mathsf{F}$ . From Proposition 2,

		$\displaystyle\left\|\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]-\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]\right\|$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\phi}\!\bra{\phi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\phi}\!\bra{\phi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(OU_{\mathsf{Syn}_{2}}U_{\mathsf{Syn}_{1}}\ket{\psi}\!\bra{\psi}U_{\mathsf{Syn}_{1}}^{\dagger}U_{\mathsf{Syn}_{2}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}U_{\mathsf{Syn}_{2}}U_{\mathsf{Syn}_{1}}\ket{\psi}\!\bra{\psi}U_{\mathsf{Syn}_{1}}U_{\mathsf{Syn}_{2}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\psi}\!\bra{\psi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}U_{\mathsf{Syn}_{1}}\ket{\psi}\!\bra{\psi}U_{\mathsf{Syn}_{1}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\psi}\!\bra{\psi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}^{\prime}}}U_{\mathsf{Syn}_{1}}\ket{\psi}\!\bra{\psi}U_{\mathsf{Syn}_{1}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})\right)}$

This is because $U_{\mathsf{Syn}_{2}}$ acts on the second output register, and thus it commutes with ${\widetilde{U_{\mathsf{Ver}}}}$ (it verifies the first output state). Moreover, both $U_{\mathsf{Syn}_{1}}$ and $U_{\mathsf{Syn}_{2}}$ do not act on $\mathsf{F}$ , and thus commute with $O$ .

Note that we can write $\ket{\psi}=\frac{1}{\sqrt{N(n)}}\sum_{j=0}^{N(n)-1}\ket{\psi^{(j)}}\ket{j}_{\mathsf{J}}$ where $\ket{\psi^{(j)}}$ is the state we obtain after we run a randomized number of iterations in the test phase and $j$ iterations in the update phase. Then $\ket{\psi^{(j+1)}}={\widetilde{U_{\mathsf{Ver}}^{\prime}}}U_{\mathsf{Syn}}\ket{\psi^{(j)}}$ . Notice that $O$ , $U_{\mathsf{Syn}_{1}}$ and ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ do not run on $\mathsf{J}$ . So tracing out $\mathsf{J}$ won’t change the value. Therefore,

		$\displaystyle\left\|\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]-\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]\right\|$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\ket{\psi}\!\bra{\psi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}^{\prime}}}U_{\mathsf{Syn}_{1}}\ket{\psi}\!\bra{\psi}U_{\mathsf{Syn}_{1}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\mathrm{Tr}(O\mathrm{Tr}_{\mathsf{J}}(\ket{\psi}\!\bra{\psi}))-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}^{\prime}}}U_{\mathsf{Syn}_{1}}\mathrm{Tr}_{\mathsf{J}}(\ket{\psi}\!\bra{\psi})U_{\mathsf{Syn}_{1}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\frac{1}{N(n)}\sum_{j=0}^{N(n)-1}\mathrm{Tr}\left(O\ket{\psi^{(j)}}\!\bra{\psi^{(j)}}\right)-\frac{1}{N(n)}\sum_{j=0}^{N(n)-1}\mathrm{Tr}\left(O{\widetilde{U_{\mathsf{Ver}}^{\prime}}}U_{\mathsf{Syn}_{1}}\ket{\psi^{(j)}}\!\bra{\psi^{(j)}}U_{\mathsf{Syn}_{1}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger}\right)\right)}$
	$\displaystyle=$	$\displaystyle 6\sqrt{q\left(\frac{1}{N(n)}\sum_{j=0}^{N(n)-1}\mathrm{Tr}\left(O\ket{\psi^{(j)}}\!\bra{\psi^{(j)}}\right)-\frac{1}{N(n)}\sum_{j=0}^{N(n)-1}\mathrm{Tr}\left(O\ket{\psi^{(j+1)}}\!\bra{\psi^{(j+1)}}\right)\right)}$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{\frac{q}{N(n)}\mathrm{Tr}\left(O\ket{\psi^{(0)}}\!\bra{\psi^{(0)}}\right)}$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{\frac{qq^{\prime}}{N(n)}}$

where we use the property of compressed oracle techniques that after $q^{\prime}(n)$ quantum queries, there are at most $q^{\prime}(n)$ non- $\hat{0}$ elements in $\mathsf{F}$ . $\ket{\psi^{(0)}}$ is just the state we obtain after we run $\mathsf{KeyGen}$ and $\mathsf{Mint}$ (so there are at most $q^{\prime}(n)$ quantum queries) and run the test phase of $\mathcal{A}$ (only classical queries with recording) in the compressed view. By the description of ${\widetilde{U_{R}}}$ , the number of pairs in $\mathsf{F}$ can not increase when we make classical queries and record them. So there are at most $q^{\prime}(n)$ pairs in $\mathsf{F}$ of $\ket{\psi^{(0)}}$ . Hence $\mathrm{Tr}\left(O\ket{\psi^{(0)}}\!\bra{\psi^{(0)}}\right)\leq q^{\prime}(n)$ . ∎

Now let’s combine the above results to prove Theorem 8.

Proof.

Let $\epsilon=0.01$ , $b=1-\sqrt{1-\delta_{r}+\epsilon}$ , $a=0.99b$ , $T(n)=\frac{36q(n)q^{\prime}(n)}{\epsilon^{2}}$ and $N(n)=\frac{q(n)q^{\prime}(n)}{\epsilon^{2}(1-\sqrt{1-\delta_{r}+\epsilon})^{4}}$ .

From 7, $\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\rho_{s}^{(t)}))\text{ accepts}\right]\geq\delta_{r}-\epsilon$ . Hence using the same argument in 5, $\mathsf{Pr}\left[\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]\geq 0.99(1-\sqrt{1-\delta_{r}+\epsilon})^{2}$ . From 8, $\mathsf{Pr}\left[\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\sigma_{D_{j}}))\text{ accepts}\right]\geq 0.99(1-\sqrt{1-\delta_{r}+\epsilon})^{2}-6\sqrt{\frac{q(n)q^{\prime}(n)}{N(n)}}\geq 0.9(1-\sqrt{1-\delta_{r}+\epsilon})^{2}.$ Thus by union bound, the outputs of our adversary pass two verifications simultaneously with probability at least $1.8(1-\sqrt{1-\delta_{r}+\epsilon})^{2}-1$ , which is non-negligible when $\delta_{r}\geq 0.99$ . ∎

That is, the adversary we construct gives a valid attack to $(\mathsf{KeyGen}^{{\ket{{\mathcal{R}}}},\ket{\mathsf{PSPACE}}},\mathsf{Mint}^{{\ket{{\mathcal{R}}}},\ket{\mathsf{PSPACE}}},\allowbreak\mathsf{Ver}^{{{\mathcal{R}}},\ket{\mathsf{PSPACE}}})$ where $\delta_{r}\geq 0.99$ and $\delta_{s}=\mathsf{negl}(n)$ , which establishes Theorem 7.

References

[AA09] Scott Aaronson and Andris Ambainis “The need for structure in quantum speedups” In arXiv preprint arXiv:0911.0996, 2009
[Aar09] Scott Aaronson “Quantum copy-protection and quantum money” In 24th Annual IEEE Conference on Computational Complexity IEEE Computer Soc., Los Alamitos, CA, 2009, pp. 229–242 DOI: 10.1109/CCC.2009.42
[AC13] Scott Aaronson and Paul Christiano “Quantum money from hidden subspaces” In Theory Comput. 9, 2013, pp. 349–401 DOI: 10.4086/toc.2013.v009a009
[ACC+22] Per Austrin et al. “On the Impossibility of Key Agreements from Quantum Random Oracles” In Cryptology ePrint Archive, 2022
[AJL+19] Prabhanjan Ananth et al. “Indistinguishability obfuscation without multilinear maps: new paradigms via low degree weak pseudorandomness and security amplification” In Annual International Cryptology Conference, 2019, pp. 284–332 Springer
[AK22] Prabhanjan Ananth and Fatih Kaleoglu “A Note on Copy-Protection from Random Oracles” https://eprint.iacr.org/2022/1109, Cryptology ePrint Archive, Paper 2022/1109, 2022 URL: https://eprint.iacr.org/2022/1109
[AKL+22] Prabhanjan Ananth et al. “On the feasibility of unclonable encryption, and more” In Annual International Cryptology Conference, 2022, pp. 212–241 Springer
[AL21] Prabhanjan Ananth and Rolando L La Placa “Secure Software Leasing” In Eurocrypt, 2021
[BDG22] Andriyan Bilyk, Javad Doliskani and Zhiyong Gong “Cryptanalysis of Three Quantum Money Schemes” In arXiv preprint arXiv:2205.10488, 2022
[BDGM20] Zvika Brakerski, Nico Döttling, Sanjam Garg and Giulio Malavolta “Factoring and pairings are not necessary for iO: circular-secure LWE suffices” In Cryptology ePrint Archive, 2020
[BDV17] Nir Bitansky, Akshay Degwekar and Vinod Vaikuntanathan “Structure vs. hardness through the obfuscation lens” In Annual International Cryptology Conference, 2017, pp. 696–723 Springer
[BGI+01] Boaz Barak et al. “On the (im) possibility of obfuscating programs” In Annual international cryptology conference, 2001, pp. 1–18 Springer
[BGS13] Anne Broadbent, Gus Gutoski and Douglas Stebila “Quantum one-time programs” In Annual Cryptology Conference, 2013, pp. 344–360 Springer
[BI20] Anne Broadbent and Rabib Islam “Quantum encryption with certified deletion” In Theory of Cryptography Conference, 2020, pp. 92–122 Springer
[BL20] Anne Broadbent and Sébastien Lord “Uncloneable Quantum Encryption via Oracles” In 15th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2020) 158, Leibniz International Proceedings in Informatics (LIPIcs) Dagstuhl, Germany: Schloss Dagstuhl–Leibniz-Zentrum für Informatik, 2020, pp. 4:1–4:22 DOI: 10.4230/LIPIcs.TQC.2020.4
[BM09] Boaz Barak and Mohammad Mahmoody-Ghidary “Merkle puzzles are optimal—an o (n 2)-query attack on any key exchange from a random oracle” In Annual International Cryptology Conference, 2009, pp. 374–390 Springer
[BPR+08] Dan Boneh et al. “On the impossibility of basing identity based encryption on trapdoor permutations” In 2008 49th Annual IEEE Symposium on Foundations of Computer Science, 2008, pp. 283–292 IEEE
[BS16] Shalev Ben-David and Or Sattath “Quantum tokens for digital signatures” In arXiv preprint arXiv:1609.09047, 2016
[CKP15] Ran Canetti, Yael Tauman Kalai and Omer Paneth “On obfuscation with random oracles” In Theory of Cryptography Conference, 2015, pp. 456–467 Springer
[CLLZ21] Andrea Coladangelo, Jiahui Liu, Qipeng Liu and Mark Zhandry “Hidden cosets and applications to unclonable cryptography” In Annual International Cryptology Conference, 2021, pp. 556–584 Springer
[CMP20] Andrea Coladangelo, Christian Majenz and Alexander Poremba “Quantum copy-protection of compute-and-compare programs in the quantum random oracle model” In arXiv preprint arXiv:2009.13865, 2020
[CMSZ22] Alessandro Chiesa, Fermi Ma, Nicholas Spooner and Mark Zhandry “Post-quantum succinct arguments: breaking the quantum rewinding barrier” In 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science—FOCS 2021 IEEE Computer Soc., Los Alamitos, CA, [2022] ©2022, pp. 49–58 DOI: 10.1109/FOCS52979.2021.00014
[CX21] Shujiao Cao and Rui Xue “Being a permutation is also orthogonal to one-wayness in quantum world: Impossibilities of quantum one-way permutations from one-wayness primitives” In Theoretical Computer Science 855 Elsevier, 2021, pp. 16–42
[DG17] Nico Döttling and Sanjam Garg “Identity-based encryption from the Diffie-Hellman assumption” In Annual International Cryptology Conference, 2017, pp. 537–569 Springer
[Die82] DGBJ Dieks “Communication by EPR devices” In Physics Letters A 92.6 Elsevier, 1982, pp. 271–272
[DLMM11] Dana Dachman-Soled, Yehuda Lindell, Mohammad Mahmoody and Tal Malkin “On the black-box complexity of optimally-fair coin tossing” In Theory of Cryptography Conference, 2011, pp. 450–467 Springer
[DQV+21] Lalita Devadas et al. “Succinct LWE sampling, random polynomials, and obfuscation” In Theory of Cryptography Conference, 2021, pp. 256–287 Springer
[FGH+12] Edward Farhi et al. “Quantum money from knots” In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, 2012, pp. 276–289
[GKLM12] Vipul Goyal, Virendra Kumar, Satya Lokam and Mohammad Mahmoody “On black-box reductions between predicate encryption schemes” In Theory of Cryptography Conference, 2012, pp. 440–457 Springer
[GKM+00] Yael Gertner et al. “The relationship between public key encryption and oblivious transfer” In Proceedings 41st Annual Symposium on Foundations of Computer Science, 2000, pp. 325–335 IEEE
[GP21] Romain Gay and Rafael Pass “Indistinguishability obfuscation from circular security” In Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, 2021, pp. 736–749
[GZ20] Marios Georgiou and Mark Zhandry “Unclonable decryption keys” In Cryptology ePrint Archive, 2020
[HJL21] Sam Hopkins, Aayush Jain and Huijia Lin “Counterexamples to new circular security assumptions underlying iO” In Annual International Cryptology Conference, 2021, pp. 673–700 Springer
[HY20] Akinori Hosoyamada and Takashi Yamakawa “Finding collisions in a quantum world: quantum black-box separation of collision-resistance and one-wayness” In International Conference on the Theory and Application of Cryptology and Information Security, 2020, pp. 3–32 Springer
[IR90] Russell Impagliazzo and Steven Rudich “Limits on the provable consequences of one-way permutations” In Advances in cryptology—CRYPTO ’88 (Santa Barbara, CA, 1988) 403, Lecture Notes in Comput. Sci. Springer, Berlin, 1990, pp. 8–26 DOI: 10.1007/0-387-34799-2\_2
[JLS18] Zhengfeng Ji, Yi-Kai Liu and Fang Song “Pseudorandom quantum states” In Annual International Cryptology Conference, 2018, pp. 126–152 Springer
[JLS21] Aayush Jain, Huijia Lin and Amit Sahai “Indistinguishability obfuscation from well-founded assumptions” In Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, 2021, pp. 60–73
[JLS22] Aayush Jain, Huijia Lin and Amit Sahai “Indistinguishability Obfuscation from LPN over, DLIN, and PRGs in NC” In Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, pp. 670–699 Springer
[KLS22] Andrey Boris Khesin, Jonathan Z Lu and Peter W Shor “Publicly verifiable quantum money from random lattices” In arXiv preprint arXiv:2207.13135, 2022
[KSS21] Daniel M Kane, Shahed Sharif and Alice Silverberg “Quantum money from quaternion algebras” In arXiv preprint arXiv:2109.12643, 2021
[Lut10] Andrew Lutomirski “An online attack against Wiesner’s quantum money” In arXiv preprint arXiv:1010.0256, 2010
[MVW12] Abel Molina, Thomas Vidick and John Watrous “Optimal counterfeiting attacks and generalizations for Wiesner’s quantum money” In Conference on Quantum Computation, Communication, and Cryptography, 2012, pp. 45–64 Springer
[MW05] Chris Marriott and John Watrous “Quantum arthur–merlin games” In computational complexity 14.2 Springer, 2005, pp. 122–152
[NC00] Michael A. Nielsen and Isaac L. Chuang “Quantum computation and quantum information” Cambridge University Press, Cambridge, 2000, pp. xxvi+676
[Pap94] Christos H. Papadimitriou “Computational Complexity” Addison-Wesley, 1994
[PRV12] Periklis A Papakonstantinou, Charles W Rackoff and Yevgeniy Vahlis “How powerful are the DDH hard groups?” In Cryptology ePrint Archive, 2012
[Rob21] Bhaskar Roberts “Security analysis of quantum lightning” In Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2021, pp. 562–567 Springer
[RS22] Roy Radian and Or Sattath “Semi-quantum money” In Journal of Cryptology 35.2 Springer, 2022, pp. 1–70
[RTV04] Omer Reingold, Luca Trevisan and Salil Vadhan “Notions of reducibility between cryptographic primitives” In Theory of Cryptography Conference, 2004, pp. 1–20 Springer
[Rud91] Steven Rudich “The Use of Interaction in Public Cryptosystems.” In Annual International Cryptology Conference, 1991, pp. 242–251 Springer
[RY21] Gregory Rosenthal and Henry Yuen “Interactive Proofs for Synthesizing Quantum States and Unitaries” In arXiv preprint arXiv:2108.07192, 2021
[Shm22] Omri Shmueli “Public-key Quantum money with a classical bank” In Proceedings of the 54th Annual ACM SIGACT Symposium on Theory of Computing, 2022, pp. 790–803
[Shm22a] Omri Shmueli “Semi-Quantum Tokenized Signatures” In Cryptology ePrint Archive, 2022
[Sim98] Daniel R Simon “Finding collisions on a one-way street: Can secure hash functions be based on general assumptions?” In International Conference on the Theory and Applications of Cryptographic Techniques, 1998, pp. 334–345 Springer
[Unr16] Dominique Unruh “Computationally binding quantum commitments” In Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2016, pp. 497–527 Springer
[Wie83] Stephen Wiesner “Conjugate coding” In ACM Sigact News 15.1 ACM New York, NY, USA, 1983, pp. 78–88
[Win99] Andreas Winter “Coding theorem and strong converse for quantum channels” In IEEE Transactions on Information Theory 45.7 IEEE, 1999, pp. 2481–2485
[WW21] Hoeteck Wee and Daniel Wichs “Candidate obfuscation via oblivious LWE sampling” In Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2021, pp. 127–156 Springer
[WZ82] William K Wootters and Wojciech H Zurek “A single quantum cannot be cloned” In Nature 299.5886 Nature Publishing Group, 1982, pp. 802–803
[Zha15] Mark Zhandry “A note on the quantum collision and set equality problems” In Quantum Information & Computation 15.7-8 Rinton Press, Incorporated Paramus, NJ, 2015, pp. 557–567
[Zha18] Mark Zhandry “How to Record Quantum Queries, and Applications to Quantum Indifferentiability” https://eprint.iacr.org/2018/276, Cryptology ePrint Archive, Paper 2018/276, 2018 URL: https://eprint.iacr.org/2018/276
[Zha21] Mark Zhandry “Quantum lightning never strikes the same state twice. Or: quantum money from cryptographic assumptions” In J. Cryptology 34.1, 2021, pp. Paper No. 6\bibrangessep56 DOI: 10.1007/s00145-020-09372-x

Appendix A Missing Proof of Lemma 6

The proof consists of two parts. In the first part, we will bound ${\operatorname{TD}\left({\widetilde{U_{C}}}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}{\widetilde{U_{C}}}^{\dagger},U_{D}^{\prime}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}U_{D}^{\prime\dagger}\right)}$ by the weight of queries inside $D_{F}$ . In the second part, we will show that the weight equals the decrement of the number of pairs in $\mathsf{F}$ after the query.

Proof.

Let’s begin the first part with some notations.

For $0\leq j\leq q-1$ , $U_{j}$ prepares the $(j+1)^{th}$ query, thus we can write $U_{j}\ket{\phi_{j}}$ as follows,

U_{j}\ket{\phi_{j}}=\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset\end{subarray}}\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}

where $\mathsf{Q}$ is the next query position, $\mathsf{A}$ is for the query answer and $\mathsf{H}$ contains all other registers including the public key, serial number, $\mathsf{D}_{\mathcal{A}}$ , etc. We can divide these terms into two categories, one is $x\notin D_{F}$ , and the other one is $x\in D_{F}$ . That is, $U_{j}\ket{\phi_{j}}=\sqrt{1-\alpha}\ket{u}+\sqrt{\alpha}\ket{v}$ where $\alpha:=\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\in D_{F}\end{subarray}}\left|\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\right|^{2}$ is the weight of queries inside $D_{F}$ ,

\sqrt{1-\alpha}\ket{u}=\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\notin D_{F}\end{subarray}}\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}

\sqrt{\alpha}\ket{v}=\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\in D_{F}\end{subarray}}\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}

Recall that

		$\displaystyle{\widetilde{U_{C}}}(\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}})$
	$\displaystyle=$	$\displaystyle\begin{cases}\ket{x}_{\mathsf{Q}}\ket{D_{{\mathcal{R}}}(x)}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,D_{{\mathcal{R}}}(x))}_{\mathsf{D}_{{\mathcal{R}}}}&x\in D_{{\mathcal{R}}}\\ \ket{x}_{\mathsf{Q}}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}\ket{z}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}&x\notin D_{{\mathcal{R}}},x\notin D_{F}\\ \ket{x}_{\mathsf{Q}}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}(-1)^{z\widehat{D_{F}(x)}}\ket{z}_{\mathsf{A}}\ket{D_{F}-x}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}&x\notin D_{{\mathcal{R}}},x\in D_{F}\end{cases}$

So when $x\notin D_{F}$ , ${\widetilde{U_{C}}}$ and $U_{D}^{\prime}$ act exactly the same. As a result, ${\widetilde{U_{C}}}\ket{u}=U_{D}^{\prime}\ket{u}$ . Therefore,

		$\displaystyle{\operatorname{TD}\left({\widetilde{U_{C}}}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}{\widetilde{U_{C}}}^{\dagger},U_{D}^{\prime}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}U_{D}^{\prime\dagger}\right)}$
	$\displaystyle=$	$\displaystyle{\left\lVert{\widetilde{U_{C}}}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}{\widetilde{U_{C}}}^{\dagger}-U_{D}^{\prime}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}U_{D}^{\prime\dagger}\right\rVert}_{1}$
	$\displaystyle=$	$\displaystyle\\|{\widetilde{U_{C}}}\left((1-\alpha)\ket{u}\!\bra{u}+\alpha\ket{v}\!\bra{v}+\sqrt{\alpha(1-\alpha)}\left(\ket{u}\!\bra{v}+\ket{v}\!\bra{u}\right)\right){\widetilde{U_{C}}}^{\dagger}$
		$\displaystyle-U_{D}^{\prime}\left((1-\alpha)\ket{u}\!\bra{u}+\alpha\ket{v}\!\bra{v}+\sqrt{\alpha(1-\alpha)}\left(\ket{u}\!\bra{v}+\ket{v}\!\bra{u}\right)\right)U_{D}^{\prime\dagger}\\|_{1}$
	$\displaystyle=$	$\displaystyle\\|{\widetilde{U_{C}}}\left(\alpha\ket{v}\!\bra{v}+\sqrt{\alpha(1-\alpha)}\left(\ket{u}\!\bra{v}+\ket{v}\!\bra{u}\right)\right){\widetilde{U_{C}}}^{\dagger}-U_{D}^{\prime}\left(\alpha\ket{v}\!\bra{v}+\sqrt{\alpha(1-\alpha)}\left(\ket{u}\!\bra{v}+\ket{v}\!\bra{u}\right)\right)U_{D}^{\prime\dagger}\\|_{1}$
	$\displaystyle\leq$	$\displaystyle 2{\left\lVert\alpha\ket{v}\!\bra{v}+\sqrt{\alpha(1-\alpha)}\left(\ket{u}\!\bra{v}+\ket{v}\!\bra{u}\right)\right\rVert}_{1}$
	$\displaystyle\leq$	$\displaystyle 2(\alpha+2\sqrt{\alpha(1-\alpha)})$
	$\displaystyle\leq$	$\displaystyle 6\sqrt{\alpha}$

where we use properties of trace norm of matrices ${\left\lVert A+B\right\rVert}_{1}\leq{\left\lVert A\right\rVert}_{1}+{\left\lVert B\right\rVert}_{1},{\left\lVert UAU^{\dagger}\right\rVert}_{1}={\left\lVert A\right\rVert}_{1}$ and ${\left\lVert A\right\rVert}_{1}=\sum_{i}\lvert\lambda_{i}\rvert$ if $A=\sum_{i}\lambda_{i}\ket{s_{i}}\!\bra{v_{i}}$ where $\ket{s_{i}},\ket{v_{i}}$ are two bases.

Now let’s move to the second part. We will show that $\alpha$ equals to the difference of the number of pairs in $\mathsf{F}$ on $\ket{\phi_{j}}$ and $\ket{\phi_{j+1}}={\widetilde{U_{C}}}U_{j}\ket{\phi_{j}}$ .

First, let’s calculate the number of pairs in $\mathsf{F}$ on state $\ket{\phi_{j}}$ .

Notice that $U_{j}$ does not act on $\mathsf{F}$ , so it commutes with $O$ . Then $\mathrm{Tr}(O\ket{\phi_{j}}\!\bra{\phi_{j}})=\mathrm{Tr}(OU_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger})$ . Recall that

U_{j}\ket{\phi_{j}}=\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset\end{subarray}}\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\ket{x}_{\mathsf{Q}}\ket{0}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}

In the summation, the terms are orthogonal to each other. Thus the expected number of pairs in $\mathsf{F}$ of $U_{j}\ket{\phi_{j}}$ is $\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset\end{subarray}}{\lvert{D_{F}}\rvert}\left|\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\right|^{2}$ . So

\mathrm{Tr}(O\ket{\phi_{j}}\!\bra{\phi_{j}})=\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset\end{subarray}}{\lvert{D_{F}}\rvert}\left|\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\right|^{2}

Next, let’s calculate the number of pairs in $\mathsf{F}$ on state $\ket{\phi_{j+1}}$ .

By definition of $\ket{\phi_{j+1}}$ and ${\widetilde{U_{C}}}$

		$\displaystyle\ket{\phi_{j+1}}$
	$\displaystyle=$	$\displaystyle{\widetilde{U_{C}}}U_{j}\ket{\phi_{j}}$
	$\displaystyle=$	$\displaystyle\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\in D_{{\mathcal{R}}}\end{subarray}}\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\ket{x}_{\mathsf{Q}}\ket{D_{{\mathcal{R}}}(x)}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,D_{{\mathcal{R}}}(x))}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}$
		$\displaystyle+\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\notin D_{{\mathcal{R}}},x\notin D_{F}\end{subarray}}\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}\ket{x}_{\mathsf{Q}}\ket{z}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}$
		$\displaystyle+\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\in D_{F}\end{subarray}}\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\frac{1}{\sqrt{2}}\sum_{z=0}^{1}(-1)^{z\widehat{D_{F}(x)}}\ket{x}_{\mathsf{Q}}\ket{z}_{\mathsf{A}}\ket{D_{F}-x}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}$

${\widetilde{U_{C}}}$ is a unitary, so the terms $\ket{x}_{\mathsf{Q}}\ket{D_{{\mathcal{R}}}(x)}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,D_{{\mathcal{R}}}(x))}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}$ where $D_{F}\cap D_{{\mathcal{R}}}=\emptyset$ and $x\in D_{{\mathcal{R}}}$ , $\frac{1}{\sqrt{2}}\sum_{z=0}^{1}\ket{x}_{\mathsf{Q}}\ket{z}_{\mathsf{A}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}$ where $D_{F}\cap D_{{\mathcal{R}}}=\emptyset$ and $x\notin D_{{\mathcal{R}}}\cup D_{F}$ , and $\frac{1}{\sqrt{2}}\sum_{z=0}^{1}(-1)^{z\widehat{D_{F}(x)}}\ket{x}_{\mathsf{Q}}\ket{z}_{\mathsf{A}}\ket{D_{F}-x}_{\mathsf{F}}\ket{D_{{\mathcal{R}}},(x,z)}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}}$ where $D_{F}\cap D_{{\mathcal{R}}}=\emptyset$ and $x\in D_{F}$ in the above summation are orthogonal to each other.

Thus the expected number of pairs in $\mathsf{F}$ of $\ket{\phi_{j+1}}$ is

		$\displaystyle\mathrm{Tr}(O\ket{\phi_{j+1}}\!\bra{\phi_{j+1}})$
	$\displaystyle=$	$\displaystyle\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\notin D_{F}\end{subarray}}{\lvert{D_{F}}\rvert}\left\|\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\right\|^{2}+\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\in D_{F}\end{subarray}}{\lvert{D_{F}-x}\rvert}\left\|\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\right\|^{2}$
	$\displaystyle=$	$\displaystyle\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset\end{subarray}}{\lvert{D_{F}}\rvert}\left\|\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\right\|^{2}-\sum_{\begin{subarray}{c}x,D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x\in D_{F}\end{subarray}}\left\|\alpha_{x,D_{F},D_{{\mathcal{R}}},h}\right\|^{2}$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(O\ket{\phi_{j}}\!\bra{\phi_{j}})-\alpha$

So $\alpha=\mathrm{Tr}(O\ket{\phi_{j}}\!\bra{\phi_{j}})-\mathrm{Tr}(O\ket{\phi_{j+1}}\!\bra{\phi_{j+1}})$ . That is to say, the weight of queries outside $D_{F}$ equals the decrement of the number of pairs in $\mathsf{F}$ after the query.

Combine the above two parts, and we can obtain

{\operatorname{TD}\left({\widetilde{U_{C}}}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}{\widetilde{U_{C}}}^{\dagger},U_{D}^{\prime}U_{j}\ket{\phi_{j}}\!\bra{\phi_{j}}U_{j}^{\dagger}U_{D}^{\prime\dagger}\right)}\leq 6\sqrt{\mathrm{Tr}(O\ket{\phi_{j}}\!\bra{\phi_{j}})-\mathrm{Tr}(O\ket{\phi_{j+1}}\!\bra{\phi_{j+1}})}.

∎

Appendix B Missing Proof of Lemma 7

We prove Lemma 7 by first showing that for two parallel queries, we can remove one of them without decreasing the value and then extending the result to ${\widetilde{U_{\mathsf{Ver}}}}$ on $\rho_{s}^{(t)}$ and ${\widetilde{U_{\mathsf{Upd}}}}$ (each has polynomial queries).

Proof.

Let ${\widetilde{U_{R}}}$ act on the first query position register $\mathsf{Q}_{1}$ , the first query answer register $\mathsf{A}_{1},\mathsf{D}_{\mathcal{A}},\mathsf{F}$ and $\mathsf{D}_{{\mathcal{R}}}$ while ${\widetilde{U_{C}}}$ acts on the second query position register $\mathsf{Q}_{2}$ , the second query position register $\mathsf{A}_{2},\mathsf{F}$ and $\mathsf{D}_{{\mathcal{R}}}$ .

We first show that for any state

\ket{\varphi}=\sum_{\begin{subarray}{c}x_{1},x_{2},D_{\mathcal{A}},D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset\end{subarray}}\alpha_{x_{1},x_{2},D_{\mathcal{A}},D_{F},D_{{\mathcal{R}}},h}\ket{x_{1}}_{\mathsf{Q}_{1}}\ket{0}_{\mathsf{A}_{1}}\ket{x_{2}}_{\mathsf{Q}_{2}}\ket{0}_{\mathsf{A}_{2}}\ket{D_{\mathcal{A}}}_{\mathsf{D}_{\mathcal{A}}}\ket{D_{F}}_{\mathsf{F}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}}\ket{h}_{\mathsf{H}},

we have the inequality

\mathrm{Tr}(O{\widetilde{U_{R}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{R}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{C}}}{\widetilde{U_{R}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{R}}}^{\dagger}{\widetilde{U_{C}}}^{\dagger})\leq\mathrm{Tr}(O\ket{\varphi}\!\bra{\varphi})-\mathrm{Tr}(O{\widetilde{U_{C}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{C}}}^{\dagger}).

In fact, from the same argument in Lemma 6, $\mathrm{Tr}(O\ket{\varphi}\!\bra{\varphi})-\mathrm{Tr}(O{\widetilde{U_{C}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{C}}}^{\dagger})$ is exactly the probability that we get outcome $(x_{2},D_{F})$ such that $x_{2}\in D_{F}$ when we measure the registers $\mathsf{Q}_{2}$ and $\mathsf{D}_{F}$ on state $\ket{\varphi}$ . That is

\mathrm{Tr}(O\ket{\varphi}\!\bra{\varphi})-\mathrm{Tr}(O{\widetilde{U_{C}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{C}}}^{\dagger})=\sum_{\begin{subarray}{c}x_{1},x_{2},D_{\mathcal{A}},D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x_{2}\in D_{F}\end{subarray}}\left|\alpha_{x_{1},x_{2},D_{\mathcal{A}},D_{F},D_{{\mathcal{R}}},h}\right|^{2}.

Similarly, $\mathrm{Tr}(O{\widetilde{U_{R}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{R}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{C}}}{\widetilde{U_{R}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{R}}}^{\dagger}{\widetilde{U_{C}}}^{\dagger})$ is exactly the probability that we get outcome $(x_{2},D_{F})$ such that $x_{2}\in D_{F}$ when we measure the registers $\mathsf{Q}_{2}$ and $\mathsf{D}_{F}$ on state ${\widetilde{U_{R}}}\ket{\varphi}$ . Notice that we can write ${\widetilde{U_{R}}}\ket{\varphi}$ as

\sum_{\begin{subarray}{c}x_{1},x_{2},D_{\mathcal{A}},D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset\end{subarray}}\alpha_{x_{1},x_{2},D_{\mathcal{A}},D_{F},D_{{\mathcal{R}}},h}\ket{x_{2}}_{\mathsf{Q}_{2}}\ket{0}_{\mathsf{A}_{2}}\ket{x_{1}}_{\mathsf{Q}_{1}}U_{x_{1},D_{F}}(\ket{0}_{\mathsf{A}_{1}}\ket{D_{\mathcal{A}}}_{\mathsf{D}_{\mathcal{A}}}\ket{D_{{\mathcal{R}}}}_{\mathsf{D}_{{\mathcal{R}}}})\ket{D_{F}-x_{1}}_{\mathsf{F}}\ket{h}_{\mathsf{H}}

where $U_{x_{1},D_{F}}$ is a unitary that only depends on $x_{1},D_{F}$ . ${\widetilde{U_{R}}}$ is a unitary, so the terms in the above summation are orthogonal. Thus

\mathrm{Tr}(O{\widetilde{U_{R}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{R}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{C}}}{\widetilde{U_{R}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{R}}}^{\dagger}{\widetilde{U_{C}}}^{\dagger})=\sum_{\begin{subarray}{c}x_{1},x_{2},D_{\mathcal{A}},D_{F},D_{{\mathcal{R}}},h\\ \text{s.t. }D_{F}\cap D_{{\mathcal{R}}}=\emptyset,x_{2}\in D_{F}-x_{1}\end{subarray}}\left|\alpha_{x_{1},x_{2},D_{\mathcal{A}},D_{F},D_{{\mathcal{R}}},h}\right|^{2}.

As a result, $\mathrm{Tr}(O{\widetilde{U_{R}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{R}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{C}}}{\widetilde{U_{R}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{R}}}^{\dagger}{\widetilde{U_{C}}}^{\dagger})\leq\mathrm{Tr}(O\ket{\varphi}\!\bra{\varphi})-\mathrm{Tr}(O{\widetilde{U_{C}}}\ket{\varphi}\!\bra{\varphi}{\widetilde{U_{C}}}^{\dagger}).$ That is to say, an extra query ${\widetilde{U_{R}}}$ on another part of the state can only decrease the chance of making a bad query in ${\widetilde{U_{C}}}$ because that extra query can only make the set of bad queries smaller.

${\widetilde{U_{\mathsf{Ver}}}}$ and ${\widetilde{U_{\mathsf{Upd}}}}$ are composed of ${\widetilde{U_{C}}}$ and ${\widetilde{U_{R}}}$ . In fact, the above argument can also be extended to ${\widetilde{U_{\mathsf{Ver}}}}$ and ${\widetilde{U_{\mathsf{Upd}}}}$ to capture our intuition that ${\widetilde{U_{\mathsf{Upd}}}}$ can only decrease the number of bad queries made during ${\widetilde{U_{\mathsf{Ver}}}}$ because ${\widetilde{U_{\mathsf{Upd}}}}$ can only make the set of bad queries smaller.

We will first show a fixed number of iterations of the update phase can only decrease the number of bad queries made during ${\widetilde{U_{\mathsf{Ver}}}}$ and then show it holds for ${\widetilde{U_{\mathsf{Upd}}}}$ .

Let $\ket{\psi}$ be the state $\ket{\psi}$ as in 7. We can write it as $\ket{\psi_{0}}\otimes\frac{1}{\sqrt{N(n)}}\sum_{j=0}^{N(n)-1}\ket{j}_{\mathsf{J}}$ .

For any $j\geq 1$ , for unitary ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ that acts on the synthesized state and records the query for $\mathcal{A}$ , and unitary ${\widetilde{U_{\mathsf{Ver}}}}$ that acts on $\rho_{s}^{(t)}$ , denote $\ket{\mu}={\widetilde{U_{\mathsf{Syn}}}}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j-1}\ket{\psi_{0}}$ . Let $U_{i}^{(1)}$ prepare the next query for $\rho_{s}^{(t)}$ and $U_{i}^{(2)}$ prepare the next query for the synthesized state. For every $i$ , denote $U_{i,C}^{(1)}=U_{i}^{(1)}{\widetilde{U_{C}}}\cdots U_{0}^{(1)}$ and $U_{i,R}^{(2)}=U_{i}^{(2)}{\widetilde{U_{R}}}\cdots U_{0}^{(2)}$ . Apply the above inequality, and we can get that

		$\displaystyle\mathrm{Tr}(O({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(OU_{q,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q,R}^{(2)}}^{\dagger})-\mathrm{Tr}(OU_{q,C}^{(1)}U_{q,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q,R}^{(2)}}^{\dagger}{U_{q,C}^{(1)}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(OU_{q}^{(2)}{\widetilde{U_{R}}}U_{q-1,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q-1,R}^{(2)}}^{\dagger}{\widetilde{U_{R}}}^{\dagger}{U_{q}^{(2)}}^{\dagger})$
		$\displaystyle-\mathrm{Tr}(OU_{q}^{(1)}U_{q}^{(2)}{\widetilde{U_{C}}}{\widetilde{U_{R}}}U_{q-1,C}^{(1)}U_{q-1,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q-1,R}^{(2)}}^{\dagger}{U_{q-1,C}^{(1)}}^{\dagger}{\widetilde{U_{R}}}^{\dagger}{\widetilde{U_{C}}}^{\dagger}{U_{q}^{(2)}}^{\dagger}{U_{q}^{(1)}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(O{\widetilde{U_{R}}}U_{q-1,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q-1,R}^{(2)}}^{\dagger}{\widetilde{U_{R}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{C}}}{\widetilde{U_{R}}}U_{q-1,C}^{(1)}U_{q-1,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q-1,R}^{(2)}}^{\dagger}{U_{q-1,C}^{(1)}}^{\dagger}{\widetilde{U_{R}}}^{\dagger}{\widetilde{U_{C}}}^{\dagger})$
	$\displaystyle\leq$	$\displaystyle\mathrm{Tr}(OU_{q-1,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q-1,R}^{(2)}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{C}}}U_{q-1,C}^{(1)}U_{q-1,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q-1,R}^{(2)}}^{\dagger}{U_{q-1,C}^{(1)}}^{\dagger}{\widetilde{U_{C}}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(OU_{q-1,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q-1,R}^{(2)}}^{\dagger})-\mathrm{Tr}(OU_{q,C}^{(1)}U_{q-1,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{q-1,R}^{(2)}}^{\dagger}{U_{q,C}^{(1)}}^{\dagger})$

That is, we can delete a query for the synthesized state without decreasing the number of bad queries made during ${\widetilde{U_{\mathsf{Ver}}}}$ on $\rho_{s}^{(t)}$ . Repetitively removing the queries for the synthesized state, we can get that

		$\displaystyle\mathrm{Tr}(O({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle\leq$	$\displaystyle\mathrm{Tr}(OU_{0,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{0,R}^{(2)}}^{\dagger})-\mathrm{Tr}(OU_{q,C}^{(1)}U_{0,R}^{(2)}\ket{\mu}\!\bra{\mu}{U_{0,R}^{(2)}}^{\dagger}{U_{q,C}^{(1)}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(O\ket{\mu}\!\bra{\mu})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\mu}\!\bra{\mu}{{\widetilde{U_{\mathsf{Ver}}}}}^{\dagger})$

where we use the fact that $U_{i}^{(1)}$ commutes with $U_{j}^{(2)}$ and ${\widetilde{U_{C}}}$ , $U_{i}^{(2)}$ commutes with ${\widetilde{U_{R}}}$ , and both $U_{i}^{(1)}$ and $U_{j}^{(2)}$ commute with $O$ .

We successfully removed one ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ on the synthesized state. We can do it until we remove all of ${\widetilde{U_{\mathsf{Ver}}^{\prime}}}$ on the synthesized state. That is,

		$\displaystyle\mathrm{Tr}(O({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle\leq$	$\displaystyle\mathrm{Tr}(O{\widetilde{U_{\mathsf{Syn}}}}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j-1}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j-1}{{\widetilde{U_{\mathsf{Syn}}}}}^{\dagger})$
		$\displaystyle-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}{\widetilde{U_{\mathsf{Syn}}}}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j-1}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j-1}{{\widetilde{U_{\mathsf{Syn}}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(O({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j-1}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j-1})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j-1}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j-1}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle\leq$	$\displaystyle\cdots$
	$\displaystyle\leq$	$\displaystyle\mathrm{Tr}(O\ket{\psi_{0}}\!\bra{\psi_{0}})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\psi_{0}}\!\bra{\psi_{0}}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$

where we use the fact that ${\widetilde{U_{\mathsf{Syn}}}}$ uses the database in $D_{\mathcal{A}}$ and ${\widetilde{U_{\mathsf{Ver}}}}$ does not record query for $\mathcal{A}$ . Thus ${\widetilde{U_{\mathsf{Syn}}}}$ and ${\widetilde{U_{\mathsf{Ver}}}}$ commute. ${\widetilde{U_{\mathsf{Syn}}}}$ does not act on $\mathsf{F}$ and $\mathsf{D}_{{\mathcal{R}}}$ , so it commutes with $O$ .

Finally, we will show a randomized number of iterations of the update phase can not increase the number of bad queries made during ${\widetilde{U_{\mathsf{Ver}}}}$ . As both ${\widetilde{U_{\mathsf{Ver}}}}$ and $O$ do not act on register $\mathsf{J}$ , tracing out $\mathsf{J}$ after ${\widetilde{U_{\mathsf{Upd}}}}$ does not change the quantity. Recall that ${\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}=\frac{1}{\sqrt{N(n)}}\sum_{j=0}^{N(n)-1}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}(\ket{\psi_{0}})\ket{j}_{\mathsf{J}}$ . Thus

		$\displaystyle\mathrm{Tr}(O{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}{\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(O\mathrm{Tr}_{\mathsf{J}}({\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger}))-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\mathrm{Tr}_{\mathsf{J}}({\widetilde{U_{\mathsf{Upd}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Upd}}}}^{\dagger}){\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\frac{1}{N(n)}\sum_{j=0}^{N(n)-1}\left(\mathrm{Tr}(O({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}({\widetilde{U_{\mathsf{Ver}}^{\prime}}}{\widetilde{U_{\mathsf{Syn}}}})^{j}\ket{\psi_{0}}\!\bra{\psi_{0}}({\widetilde{U_{\mathsf{Syn}}}}^{\dagger}{\widetilde{U_{\mathsf{Ver}}^{\prime}}}^{\dagger})^{j}{{\widetilde{U_{\mathsf{Ver}}}}^{\dagger}})\right)$
	$\displaystyle\leq$	$\displaystyle\mathrm{Tr}(O\ket{\psi_{0}}\!\bra{\psi_{0}})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\psi_{0}}\!\bra{\psi_{0}}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$
	$\displaystyle=$	$\displaystyle\mathrm{Tr}(O\ket{\psi}\!\bra{\psi})-\mathrm{Tr}(O{\widetilde{U_{\mathsf{Ver}}}}\ket{\psi}\!\bra{\psi}{\widetilde{U_{\mathsf{Ver}}}}^{\dagger})$

∎

Appendix C Notation Tables

Table 1: Parameters in Section 6.3

$q(n),q^{\prime}(n)$	$n$ is the security number. $\mathsf{Ver}$ makes $q(n)$ classical queries. $\mathsf{KeyGen}$ and $\mathsf{Mint}$ make $q^{\prime}(n)$ quantum queries in total. We sometimes omit $n$ .
$T(n),N(n)$	two polynomials that will decide the maximal possible number of iterations we run in the test phase and the update phase.

Table 2: Registers in Section 6.3

$\mathsf{Pk}$	the register storing the public key
$\mathsf{S}$	the register storing the serial number
$\mathsf{M}$	the register storing the alleged money state
$\mathsf{D}_{\mathcal{A}}$	the register storing the classical queries database maintained by $\mathcal{A}$
$\mathsf{D}_{{\mathcal{R}}}$	the register storing the classical queries we made so far along with their answers (maintained by the oracle)
$\mathsf{F}$	the register storing the oracle if in the decompressed view or the register storing $D_{F}$ (the database for non- $\ket{\hat{0}}$ elements) if in compressed view
$\mathsf{G}$ , $\mathsf{H}$	the register storing unimportant things for the analysis. For example, it may include the secret key, working space for $\mathsf{KeyGen}$ and $\mathsf{Mint}$ , and some unused fresh ancillas.
$\mathsf{T}$	the register storing the number of iterations for test phase.
$\mathsf{J}$	the register storing the number of iterations for update phase.
$\mathsf{Q},\mathsf{Q}_{1},\mathsf{Q}_{2}$	the register storing the next query position.
$\mathsf{A},\mathsf{A}_{1},\mathsf{A}_{2}$	the register to store the next query answer.

Table 3: States in Section 6.3

$\ket{\phi}$	A state in the following form (i.e. it’s in the compressed view and the contents in $\mathsf{D}_{{\mathcal{R}}}$ and $\mathsf{D}_{\mathcal{A}}$ are the same), \|ϕ⟩ = ∑_pk, s, m, D, D_F, g s.t. D ∩D_F = ∅α_pk, s, m, D, D_F, g\|pk⟩_Pk\|s⟩_S\|m⟩_M\|D⟩_D_A\|D_F⟩_F\|D⟩_D_R\|g⟩_G. In 7 and 8, we will instantiate it with the pure state we obtain by applying the unitaries ${\widetilde{U_{\mathsf{KeyGen}}}}$ , ${\widetilde{U_{\mathsf{Mint}}}}$ and ${\widetilde{U_{\mathcal{A}}}}$ to the state $\ket{1^{n}}\ket{\emptyset}_{\mathsf{D}_{\mathcal{A}}}\ket{\emptyset}_{\mathsf{F}}\ket{\emptyset}_{\mathsf{D}_{{\mathcal{R}}}}$ along with enough ancillas.
$\ket{\phi_{j}}$	$\ket{\phi_{j}}={\widetilde{U_{C}}}U_{j-1}\cdots{\widetilde{U_{C}}}U_{0}\ket{\phi}$ . It’s the state when we run $\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$ on $\ket{\phi}$ in the compressed view until we have answered the $j^{th}$ query.
$\ket{\psi}$	We abuse the notation. $\ket{\psi}$ is the pure state we obtain by running the first step in the compressed view in the case ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ until the end of the test phase (in 7) or the update phase (in 8) of $\mathcal{A}$ .
$\ket{\varphi}$	an arbitary state ready for two “parallel” classical queries on different registers.
$\ket{\psi_{0}}$	the pure state we obtain by running the first step in the compressed view in the case ${\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on ${\rho_{s}^{(t)}}$ until we finish the test phase and then truncating $\mathsf{J}$ .
$\ket{\psi^{(t)}},\ket{\psi^{(j)}}$	We abuse the notation. In 7, $\ket{\psi^{(t)}}$ is the state after we run $t$ iterations in the test phase but not run the update phase in the compressed view. In 8, $\ket{\psi^{(j)}}$ is the state we obtain after we run a randomized number of iterations in the test phase and $j$ iterations in the update phase in the compressed view.

Table 4: Observable and Unitaries in Section 6.3

$O$	the observable corresponding to the number of pairs in $\mathsf{F}$ (i.e. half of the nonempty length in $\mathsf{F}$ ). Formally, $O=\sum_{D_{F}}{\lvert{D_{F}}\rvert}\ket{D_{F}}\!\bra{D_{F}}_{\mathsf{F}}$ where ${\lvert{D_{F}}\rvert}$ is the number of pairs in $D_{F}$ . It will only be applied to those states in compressed view.
$\mathsf{Decomp}$	the unitary defined in Section 6.2. It acts on $\mathsf{D}_{{\mathcal{R}}}$ and $\mathsf{F}$ and decompresses two databases to one database and the oracle.
$\mathsf{Comp}$	the inverse of the unitary $\mathsf{Decomp}$ .
${\widetilde{U}}$	${\widetilde{U}}=\mathsf{Comp}{U}\mathsf{Decomp}$ . It’s the compressed view version of $U$ for a general unitary $U$ . See the figure in Section 6.2 for more details.
${U_{Q}}$	the unitary corresponding to answering a quantum query with the real oracle.
${U_{C}}$	the unitary corresponding to answering a classical query with the real oracle.
${U_{R}}$	the same as ${U_{C}}$ except that it records the query-answer for $\mathcal{A}$ at the same time.
${U_{D}}$	the unitary corresponding to answering a classical query with the database in register $\mathsf{D}_{\mathcal{A}}$ while recording the query-answer to $\mathsf{D}_{\mathcal{A}}$ for later use.
${U_{D}^{\prime}}$	the unitary corresponding to answering a classical query with the database in register $\mathsf{D}_{{\mathcal{R}}}$ while recording the query-answer to $\mathsf{D}_{{\mathcal{R}}}$ for later use.
$U_{i}$	When $0\leq i\leq q-1$ , it’s the unitary corresponding to the preparation of the ${(i+1)}^{th}$ query of $\mathsf{Ver}$ . When $i=q$ , it’s the unitary after the final query of $\mathsf{Ver}$ .
$U_{\mathsf{KeyGen}},U_{\mathsf{Mint}}$	the unitary $U_{\mathsf{KeyGen},n},U_{\mathsf{Mint},n}$ defined in Section 6.1.
$U_{\mathsf{Ver}},U_{\mathsf{Syn}}$	the unitary $U_{\mathsf{Ver},n},U_{\mathsf{Syn},n}$ defined in Section 6.1, $U_{\mathsf{Ver}}=U_{q}U_{C}U_{q-1}\cdots U_{C}U_{0}$ .
$U_{\mathsf{Ver}}^{\prime}$	the unitary corresponding to doing the verification while recording the query-answer pair for $\mathcal{A}$ , $U_{\mathsf{Ver}}^{\prime}=U_{q}U_{R}U_{q-1}\cdots U_{R}U_{0}$ .
$U_{\mathsf{Sim}}$	the unitary corresponding to running $\mathsf{Ver}^{D,\ket{\mathsf{PSPACE}}}$ where $D$ is the content in $\mathsf{D}_{\mathcal{A}}$ , $U_{\mathsf{Sim}}=U_{q}U_{D}U_{q-1}\cdots U_{D}U_{0}$ .
$U_{\mathsf{Upd}}$	the unitary defined in Section 6.1 that describes our update phase. Formally, it’s the unitary $\sum_{j=0}^{N(n)-1}(U_{\mathsf{Ver}}U_{\mathsf{Syn}})^{j}\ket{j}\!\bra{j}_{\mathsf{J}}.$

On the (Im)plausibility of Public-Key Quantum Money from Collision-Resistant Hash Functions

Abstract

1 Introduction

1.1 Our Work

Black-Box Separations for Unclonable Cryptography.

Model.

Main Theorem.

Theorem 1 (Informal).

Implications.

Other Separations.

Acknowledgments.

2 Our Techniques in a Nutshell

Reusability.

2.1 Warmup: Insecurity when ℛ{\mathcal{R}} is absent

Synthesizing Witness States.

2.2 Insecurity in the presence of ℛ{\mathcal{R}}

2.2.1 𝖪𝖾𝗒𝖦𝖾𝗇\mathsf{KeyGen} and 𝖬𝗂𝗇𝗍\mathsf{Mint}: Classical Queries to ℛ{\mathcal{R}}

Compiling out ℛ{\mathcal{R}}.

State-independent database simulation.

State-dependent database simulation.

Every mistake we make is progress.

Our Attack.

2.2.2 𝖪𝖾𝗒𝖦𝖾𝗇\mathsf{KeyGen} and 𝖬𝗂𝗇𝗍\mathsf{Mint}: Quantum Queries to ℛ{\mathcal{R}}

Purified View.

2.2.3 Challenges To Handling Quantum Verification Queries

2.3 Related Work

Quantum Money.

Black-box Separations in Quantum Cryptography.

3 Preliminaries

3.1 Quantum States, Algorithms, and Oracles

Lemma 1.

Proof.

Quantum Circuits

Oracle Algorithms

Lemma 2.

Proof.

State Synthesis

Definition 1 (𝗌𝗍𝖺𝗍𝖾𝖯𝖲𝖯𝖠𝖢𝖤{\mathsf{statePSPACE}}).

Theorem 2 (Section 5 of [RY21]).

3.2 Public Key Quantum Money Schemes

Definition 2 (Oracle-aided Public Key Quantum Money Schemes).

3.2.1 Correctness

Definition 3 (Correctness).

Reusability.

Definition 4 (Reusability).

3.2.2 Security

Definition 5 (Security).

3.3 Jordan’s Lemma and Alternating Projections

Lemma 3 (Jordan’s Lemma).

Proposition 1.

3.4 Compressed Oracle Techniques

Definition 6 (Fourier basis).

Fact 1.

Chernoff bound

Theorem 3 (Chernoff Bound).

4 Synthesizing Witness States In Quantum Polynomial Space

Theorem 4.

Lemma 4.

Proof of Theorem 4.

4.1 Description of the State Family and Circuit Family

The state family

Observation 1.

Proof.

Definition 7 (State family (|ψx⟩)x∈S(\ket{\psi_{x}})_{x\in S}).

The circuit family

4.2 Proof of Lemma 4

Lemma 5.

Proof.

Claim 1.

Proof.

Claim 2.

Proof.

5 Insecurity of Oracle-Aided Public-Key Quantum Money

Theorem 5.

Adversary 𝒜𝒪\mathcal{A}^{{\mathcal{O}}}.

Analysis of 𝒜𝒪\mathcal{A}^{{\mathcal{O}}}

Theorem 6.

Proof of Theorem 6.

The first part

Claim 3.

On the (Im)plausibility of Public-Key Quantum Money
from Collision-Resistant Hash Functions

2.1 Warmup: Insecurity when ${\mathcal{R}}$ is absent

2.2 Insecurity in the presence of ${\mathcal{R}}$

2.2.1 $\mathsf{KeyGen}$ and $\mathsf{Mint}$ : Classical Queries to ${\mathcal{R}}$

Compiling out ${\mathcal{R}}$ .

2.2.2 $\mathsf{KeyGen}$ and $\mathsf{Mint}$ : Quantum Queries to ${\mathcal{R}}$

Definition 1 ( ${\mathsf{statePSPACE}}$ ).

Definition 7 (State family $(\ket{\psi_{x}})_{x\in S}$ ).

Adversary $\mathcal{A}^{{\mathcal{O}}}$ .

Analysis of $\mathcal{A}^{{\mathcal{O}}}$

$\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$

$\bm{\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on $\bm{\rho_{s}^{(t)}}$

$\bm{\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on $\bm{\rho_{s}^{(t)}}$

$\bm{\mathsf{Ver}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on $\bm{\sigma_{D_{j}}}$

$\bm{\mathsf{Ver}^{D_{j},\ket{\mathsf{PSPACE}}}(pk,(s,\cdot))}$ on $\bm{\sigma_{D_{j}}}$

6.3 Analysis of $\mathcal{A}^{{\mathcal{R}},\ket{\mathsf{PSPACE}}}$