Keywords

1 Introduction

The design and analysis of cryptographic primitives that are plausibly secure against quantum attackers is an increasingly important goal. The expected advent of quantum computers demands the cryptography community to be prepared well in advance, so much so that the National Institute of Standards and Technology (NIST) is already in the process of selecting, from among many proposals, a new set of cryptography standards that are “post-quantum” [50]. The proposals involve schemes for key agreement, public-key encryption, and digital signatures, and are intended to eventually replace existing standards based on the hardness of factoring or discrete logarithms.

In this paper we study the post-quantum security of a cryptographic primitive that has recently received much attention across theoretical and applied communities: succinct arguments [33]. These are argument systems [19] for non-deterministic languages where the communication complexity between the prover and verifier is sublinear in the size of the non-deterministic witness.Footnote 1 This notion originates in seminal works of Kilian [43] and Micali [49], which construct succinct arguments for languages in where communication complexity is and the time complexity of the verifier is ; here \(\lambda \) is the security parameter.

Researchers have studied many aspects of succinct arguments in the last two decades, leading to numerous constructions with different tradeoffs [62], efficient realizations in code [18, 24, 39, 46, 55,56,57], real-world deployments [29, 51], and standardization efforts [67]. A particularly useful feature is that many succinct arguments can be made zero knowledge with minimal overhead. At present, however, most approaches to obtain efficient succinct arguments are “pre-quantum”, since they rely on the discrete logarithm problem (and more).

A notable exception is a class of succinct arguments obtained by combining two ingredients: (a) probabilistic proof systems, which are unconditionally secure, and (b) cryptographic hash functions, for which we have post-quantum candidates. This class includes the succinct interactive argument of Kilian [43], which use probabilistically checkable proofs (PCPs) [4, 5, 7, 30] and collision-resistant hash functions. It also includes the succinct non-interactive argument (SNARG) of Micali [49], which uses PCPs and random oracles. More generally, by using random oracles one can construct a SNARG from a multi-round generalization of PCPs known as interactive oracle proofs (IOPs) [13, 54]. All of these succinct arguments are widely believed to be post-quantum, provided the hash function is suitably instantiated [11].Footnote 2

There is, however, no formal evidence that supports the above widely-held belief. Since succinct arguments are a fundamental cryptographic primitive with both theoretical and real-world applications, it is important to prove guarantees on their post-quantum security.

1.1 SNARGs with Random Oracles

In this paper we focus our attention on the SNARG construction of Micali [49], which is unconditionally secure in the random oracle model [10, 53]. SNARGs in the random oracle model are not only plausibly post-quantum secure but also enjoy other desirable features. Namely, the random oracle can be heuristically instantiated via hash functions that avoid expensive public-key cryptographic operations. Moreover, the SNARG uses a transparent (public-coin) setup, because the only public parameter needed to produce/verify proofs is the choice of hash function.

We are thus interested in asking: can we establish formal evidence that the SNARG construction of Micali is post-quantum secure? One way to establish formal evidence is to prove security in a quantum analogue of the random oracle model, as we now explain. A quantum attacker can, among other things, evaluate a hash function in superposition when given the hash function’s code. This enables the attacker, for instance, to find pre-images [38] or collisions [20] faster than a classical attacker. In light of this, Boneh et al. [15] have argued that, in the quantum setting, the correct way to model a random oracle is to allow the attacker to query the random oracle in superposition. The resulting model is known as the quantum random oracle model (QROM), and a line of work has established post-quantum security within this model for a variety of cryptographic primitives; see, e.g., [15, 28, 58, 64, 65].

Our goal is to study the SNARG construction of Micali in the quantum random oracle model. We also study the SNARG construction of BCS [13], which yields SNARGs of practical interest.

1.2 Our Results

The main result of this paper is establishing that the SNARG construction of Micali [49] is unconditionally secure in the quantum random oracle model. This is the first formal evidence that supports the widely-held belief that this construction is post-quantum secure when the oracle is instantiated via a suitable post-quantum hash function.

Theorem 1

(informal). The non-interactive argument of Micali, when based on a PCP with soundness error \(\epsilon \), has soundness error \(O({{t}}^{2}\epsilon +{{t}}^3/2^{\lambda })\) against quantum attackers that make \({{t}}\) queries to a random oracle with output size \(\lambda \). This soundness error is tight up to small factors.

A key step in our proof, of independent interest, is a Lifting Lemma that shows how, for a rich class of “oracle games”, we can generically deduce security against quantum attackers by bounding a natural classical property of these games, instability, that we introduce. This means that to prove Theorem 1 we only need to bound the instability of the Micali construction. This approach not only yields the theorem but also enables us to prove explicit bounds that are tight up to small factors.

If we base the Micali construction on suitable PCPs, we obtain new statements about the existence of post-quantum non-interactive arguments. First, if the PCP achieves (honest-verifier) zero knowledge and proof of knowledge then through the Micali construction we obtain a zero knowledge non-interactive argument of knowledge that is unconditionally secure in the quantum random oracle model. This strengthens a result of Unruh [59], which assumes the existence of a post-quantum \(\varSigma \)-protocol for . Moreover, if the PCP has polylogarithmic query complexity and verifier running time then we obtain the first construction of a zero knowledge succinct non-interactive argument of knowledge (zkSNARK) that is secure in the quantum random oracle model.

Theorem 2

(informal). There exists a zero knowledge non-interactive argument of knowledge for in the quantum random oracle model. Moreover, the non-interactive argument is succinct, in the sense that arguments have size \(\lambda ^{c}\) and can be verified in time \((\lambda \cdot n)^{c}\), where \(\lambda \) is the random oracle’s security parameter, n is instance size, and \(c>0\) is a universal constant.

The above theorem is stated for only for simplicity. Analogously to the classical case, a more general statement holds for all non-deterministic time languages by relying on suitable PCPs for non-deterministic time. For example, the PCP in [7] achieves proof of knowledge, can be made (honest-verifier) zero knowledge [27, 44], and supports non-deterministic time.

The BCS Construction. We conclude with a result that demonstrates how the tools in this paper can be used to study the post-quantum security of protocols that are of practical interest. Since known PCP constructions are expensive, efficient constructions of succinct arguments in the random oracle model are typically based on the BCS construction [13], which instead uses interactive oracle proofs (IOPs) [13, 54], a multi-round extension of PCPs. This extension additionally captures IPs [6, 37] and IPCPs [41] as special cases.

We prove that the BCS construction is unconditionally secure in the quantum random oracle model, if applied to public-coin IOPs that have round-by-round soundness [21]. The resulting argument inherits proof of knowledge and zero knowledge properties of the underlying IOP.

Theorem 3

(informal). The non-interactive argument of BCS, when based on a public-coin IOP with round-by-round soundness error \(\epsilon \), has soundness error \(O({{t}}^{2}\epsilon +{{t}}^3/2^{\lambda })\) against quantum attackers that make \({{t}}\) queries to a random oracle with output size \(\lambda \). Moreover, it is an argument of knowledge if the IOP has round-by-round proof of knowledge, and it is a (statistical) zero knowledge argument if the IOP is honest-verifier zero knowledge.

Round-by-round proof of knowledge is a natural notion that we introduce, analogous to round-by-round soundness, and is satisfied by many natural protocols. In particular, Theorem 3 enables us to deduce the post-quantum security of succinct arguments based on well-known IPs such as the sumcheck protocol [48] and the GKR protocol [36], as well as zkSNARKs based on recent IOPs such as [3, 11, 12]. These protocols (among others) are of interest to practitioners, and our result can be used to guide parameter choices in practice.

1.3 Related Work

Argument Systems That Use Random Oracles. Several works study the post-quantum security of zero knowledge non-interactive arguments of knowledge that use random oracles, most notably those obtained by applying the Fiat–Shamir transformation [31] to a post-quantum \(\varSigma \)-protocol. Such arguments are used to achieve post-quantum digital signatures [9, 22, 42], and underlie constructions submitted to the NIST call for post-quantum cryptography [50].

A security reduction for the Fiat–Shamir transformation in the quantum random oracle model has been recently achieved [26, 47]. Obtaining a security reduction had been elusive, as the classical approach of rewinding the adversary to reduce to special soundness of the \(\varSigma \)-protocol does not work for quantum adversaries.Footnote 3 Before, researchers were only able to prove security if the underlying \(\varSigma \)-protocol satisfies special properties [23, 45, 60], or resorted to proving security for alternative, less efficient, constructions such as the Unruh transformation [59].

The question that we study in this paper is complementary to these prior works. On the one hand, prior works study the security of the Fiat–Shamir transformation given that the underlying \(\varSigma \)-protocol is secure against efficient quantum attackers. On the other hand, we study protocols such as the Micali construction and BCS construction that can be viewed as applying the Fiat–Shamir transformation to specific public-coin protocols that are known to be unconditionally secure in the (classical) random oracle model. In particular, we establish unconditional security in the quantum random oracle model via an approach that considers the protocol as a whole (similarly to the classical analysis of these protocols).

The foregoing differences are reflected in a technical analysis that departs from prior works. Most of the effort in this paper is establishing classical security properties of the Micali and BCS constructions, which we then use to generically deduce their quantum security. This approach, besides being intuitive, yields tight bounds that can be used to guide parameter choices in practice.

Succinct Arguments Based on Lattices. Several lattice problems are presumed to remain hard even against quantum adversaries, and researchers have relied on such problems to propose numerous cryptographic constructions that are plausibly post-quantum. A handful of works have used lattices to achieve various notions of succinct arguments that are plausibly post-quantum. Baum et al. [8] rely on the short integer solution (SIS) problem to obtain an argument system for arithmetic circuits where the communication complexity grows with the square-root of circuit size; the argument system is constant-round, public-coin, and honest-verifier zero knowledge. Boneh et al. [16, 17] and Gennaro et al. [32] rely on lattice knowledge assumptions to construct designated-verifier SNARGs for boolean circuits, in the preprocessing model [14]. Whether one can use lattices to obtain public-coin argument systems with polylogarithmic communication complexity (as in the construction of Micali) remains an intriguing open problem.

2 Techniques

We discuss the main ideas behind our results. In Sect. 2.1 we recall the construction of Micali, and then in Sect. 2.2 we explain the challenges that arise when trying to prove its security in the quantum random oracle model. In Sect. 2.3 we outline our approach to obtain a proof of security for the Micali construction (Theorem 1); we elaborate on our approach in Sects. 2.4 to 2.7. Finally, in Sect. 2.8 we discuss how to further establish zero knowledge and proof of knowledge; we thus obtain the first zkSNARK secure in the quantum random oracle model (Theorem 2).

We conclude in Sect. 2.9 by explaining how our techniques extend to establish post-quantum security for the BCS construction applied to many protocols of practical interest (Theorem 3).

Many of the proofs/sections have been omitted from this version of the paper due space limitations. We refer the reader to the full version of the paper for all relevant details.

2.1 The Construction of Micali

The construction of Micali is a transformation that maps any probabilistically checkable proof (PCP) into a corresponding non-interactive argument in the random oracle model. (See Sect. 3.4 for the definition of a PCP, and Sect. 3.3 for that of a non-interactive argument.) The resulting non-interactive argument is succinct, i.e. a SNARG, provided the PCP has suitable parameters.

Let \((\mathbf {P},\mathbf {V})\) be a PCP for a relation \(\mathcal {R}\) with soundness error \(\epsilon \), proof length \(\ell \) over alphabet \(\varSigma \), and query complexity \({q}\). The honest prover \(\mathbf {P}\) takes as input an instance-witness pair and outputs a proof string \(\varPi :[\ell ] \rightarrow \varSigma \). The honest verifier \(\mathbf {V}\) takes as input the instance , makes \({q}\) probabilistic queries to a (possibly malicious) proof string \(\tilde{\varPi } :[\ell ] \rightarrow \varSigma \), and then accepts or rejects.

The PCP \((\mathbf {P},\mathbf {V})\) for \(\mathcal {R}\) is used to construct a SNARG \((\mathcal {P}, \mathcal {V})\) for \(\mathcal {R}\), as follows.

The SNARG prover \(\mathcal {P}\) takes as input an instance and witness . First, \(\mathcal {P}\) uses the random oracle \(h\) to commit to the proof string via a Merkle tree, obtaining a corresponding root \(\mathsf {rt}\). Second, \(\mathcal {P}\) applies the random oracle \(h\) to the root \(\mathsf {rt}\) in order to derive randomness \(\mathsf {r}\) for the PCP verifier \(\mathbf {V}\). Third, \(\mathcal {P}\) simulates the PCP verifier \(\mathbf {V}\) with the proof string \(\varPi \), input , and randomness \(\mathsf {r}\), in order to deduce the queried locations of \(\varPi \). Finally, \(\mathcal {P}\) assembles a SNARG proof \(\pi \) that contains the root \(\mathsf {rt}\), answers to the queries, and an authentication path for each answer.

Observe that the SNARG proof \(\pi \) is succinct because it is small (it has size \(|\pi | = O({q}\cdot (\log |\varSigma | + \lambda \log \ell )) = O_{\lambda }({q})\) for \(\ell ,|\varSigma | = 2^{O(\lambda )}\)) and it is cheap to validate via the algorithm described next.

The SNARG verifier \(\mathcal {V}\) takes as input an instance and a (possibly malicious) SNARG proof \(\tilde{\pi }\). First, \(\mathcal {V}\) uses the random oracle \(h\) to check that each answer in \(\tilde{\pi }\) is certified by an authentication path relative to the claimed root \(\tilde{\mathsf {rt}}\). Next, \(\mathcal {V}\) applies the random oracle \(h\) to the root \(\tilde{\mathsf {rt}}\) in order to derive randomness \(\tilde{\mathsf {r}}\). Finally, \(\mathcal {V}\) runs the PCP verifier \(\mathbf {V}\) on the instance and randomness \(\tilde{\mathsf {r}}\), answering \(\mathbf {V}\)’s queries using the claimed answers in \(\tilde{\pi }\).

The intuition behind the construction is that the soundness guarantee of a PCP holds only if the proof string \(\tilde{\varPi }\) to be validated is fixed before the randomness \(\tilde{\mathsf {r}}\) for the PCP verifier is known, and for this reason the SNARG prover must derive \(\tilde{\mathsf {r}}\) by hashing a commitment \(\tilde{\mathsf {rt}}\) to \(\tilde{\varPi }\).

This construction is unconditionally secure in the random oracle model [13, 49, 61]:

Theorem 1

The SNARG \((\mathcal {P}, \mathcal {V})\) has soundness error \(O({{t}}\epsilon +{{t}}^2/2^{\lambda })\) against (classical) attackers that make at most \({{t}}\) queries to the random oracle. This soundness error is tight up to small factors.

A SNARG obtained via the Micali construction also inherits zero knowledge and proof of knowledge properties of the underlying PCP. We discuss these additional properties and how we establish them in the quantum setting later on in Sect. 2.8. We focus on soundness first.

2.2 Challenges in the Quantum Setting

Our goal is to show that the SNARG construction of Micali is unconditionally secure in the quantum random oracle model. Suppose that \(\tilde{\mathcal {P}}\) is a \({{t}}\)-query quantum prover that convinces the SNARG verifier \(\mathcal {V}\) with probability \(\delta \) (over the random oracle). We wish to construct a malicious PCP prover \(\tilde{\mathbf {P}}\) that, using \(\tilde{\mathcal {P}}\) as a subroutine, outputs a proof string \(\tilde{\varPi } :[\ell ] \rightarrow \varSigma \) that convinces the PCP verifier \(\mathbf {V}\) with related probability \(\epsilon (\delta ,{{t}})\) (here the probability is over the randomness of \(\tilde{\mathbf {P}}\) and \(\mathbf {V}\)).

A natural approach to reduce the SNARG prover \(\tilde{\mathcal {P}}\) to the PCP prover \(\tilde{\mathbf {P}}\) would be to try to adapt to the quantum setting the reduction that is used for the classical setting. Below we recall the classical reduction, and then explain why adapting it to the quantum case is challenging.

The Reduction for Classical Attackers. The reduction from a classical SNARG prover \(\tilde{\mathcal {P}}\) to a PCP prover \(\tilde{\mathbf {P}}\) relies on a straightline extractor, as we now explain.

While the SNARG prover \(\tilde{\mathcal {P}}\) outputs a short proof \(\pi \) that contains a Merkle root and a few decommitted values, the PCP prover \(\tilde{\mathbf {P}}\) must output a “long” proof string \(\tilde{\varPi }\). How can \(\tilde{\mathbf {P}}\) obtain all this information from seeing only \(\pi \)? The answer is that, when running \(\tilde{\mathcal {P}}\) as a subroutine, \(\tilde{\mathbf {P}}\) observes the queries that \(\tilde{\mathcal {P}}\) makes to the oracle, and these queries reveal the proof string \(\tilde{\varPi }\).

This is only a caricature of how \(\tilde{\mathbf {P}}\) actually works, though. The reason is that \(\tilde{\mathcal {P}}\) need not produce a query sequence from which \(\tilde{\mathbf {P}}\) can just read off a proof string \(\tilde{\varPi }\) consistent with the Merkle root in \(\pi \). For example, \(\tilde{\mathcal {P}}\) could try to commit to many possible proof strings “in its head”, derive the corresponding randomness from each commitment, and then select which commitment to include in \(\pi \). Even worse, \(\tilde{\mathcal {P}}\) could try to commit to a partial proof string \(\tilde{\varPi }\) via an incomplete Merkle tree and, because the PCP verifier inspects only a small fraction of a proof string, hope that queries will land to leaves of the Merkle tree that do exist.

The proof of Theorem 1 shows that, despite these complications, there is a way for \(\tilde{\mathbf {P}}\) to observe all queries and answers of a single execution of the SNARG prover \(\tilde{\mathcal {P}}\), and then run an algorithm on these to extract a suitable proof string \(\tilde{\varPi }\).

How to Deal with Quantum Attackers? If we now return to the case where the SNARG prover \(\tilde{\mathcal {P}}\) is a quantum attacker, we are immediately confronted with a severe problem. Since \(\tilde{\mathcal {P}}\) can query the random oracle in superposition, how can \(\tilde{\mathbf {P}}\) “observe” queries and answers to the oracle? If \(\tilde{\mathbf {P}}\) were to just measure \(\tilde{\mathcal {P}}\)’s query register, \(\tilde{\mathcal {P}}\) may detect this and stop working. This basic problem has made obtaining security reductions against quantum attackers that access random oracles exceedingly difficult when compared to the case of classical attackers. Papers that study the security of cryptographic primitives in the quantum random oracle model have had to develop clever techniques to somehow circumvent this problem in various settings of interest.

Most relevant to this paper is a work of Zhandry [66] that introduces compressed oracles, a set of notions and techniques that enables a quantum algorithm to simulate access to a random oracle for a quantum attacker. This is achieved by replacing a random oracle \(h:\{0,1\}^{m} \rightarrow \{0,1\}^{n}\) with the action of a specially-crafted unitary \(\mathcal {O}\) that implicitly keeps track of queries. This is a quantum analogue of when, in the classical setting, a simulator merely observes the queries made by the attacker and maintains a database of the query-answer pairs. Formally, the classical simulator keeps track of a database D, which is a partial function \(D :\{0,1\}^{m} \rightharpoonup \{0,1\}^{n}\). The database represents the part of the random oracle that has been “revealed” to the attacker by answering its queries. In the quantum setting, the state space of the quantum attacker is augmented with registers to store the database, which (loosely) keep track of the database D in superposition, as it evolves from query to query. Thus, while the original oracle \(h\) operates on the state of the adversary, the unitary \(\mathcal {O}\) operates on a bipartite state . This extended state represents a purification of the mixed state of the adversary induced by choosing the oracle \(h\) at random.

One may conjecture that compressed oracles, by virtue of “exposing” a quantum attacker’s queries, make proving the quantum security of the Micali construction, or indeed of any construction using random oracles, straightforward. This is, unfortunately, not the case.

For example, compressed oracles allow us to argue that, given an adversary that outputs a convincing SNARG proof \(\pi \) with high probability, if we measure the database D after the adversary terminates, then with high probability one can find a convincing SNARG proof \(\pi \) in the database D. This does not allow us to reduce to soundness of the underlying PCP, however, because to do that we need to argue that one can extract a PCP proof \(\varPi \) from D (that is much longer than the SNARG proof \(\pi \)) that convinces the PCP verifier with high probability.

Nevertheless, compressed oracles are a useful starting point for this work, and indeed a basic lemma about compressed oracles plays the role of a hybrid in our security proof.

2.3 Outline of Our Approach

The ideas that we use in this paper to analyze the Micali construction are almost entirely generic, and can be used to analyze any oracle game. Informally, given a “base game” \(G\subseteq A^k \times B^k \times C\), an adversary with oracle access to a random oracle \(h\) wins the oracle game for \(G\) if it outputs a tuple \((\mathbf {a}, \mathbf {b}, c) \in G\) where \(h(a_i) = b_i\) for each \(i \in [k]\). Oracle games are a natural notion that captures many games of interest, such as finding pre-images or finding collisions. Producing a valid proof in the Micali construction can also be cast as an oracle game, and we shall view the soundness property as stating that the value (maximum winning probability) of this game is small.

Our proof of quantum security consists of two main parts. First, we generically reduce the value of any oracle game to the instability of the game, a purely classical property of the game that we introduce. Second, we analyze the instability of the oracle game induced by the Micali construction. The instability of this oracle game is not too difficult to analyze because it is a classical quantity, and the “hard work” is crisply, and conveniently, encapsulated within our generic reduction. We view bounding values of oracle games via instability as the main technical contribution of this paper.

We now elaborate on our approach: in Sect. 2.4 we recast prior work in the language of oracle games; in Sect. 2.5 we explain what is instability and how we use it to bound game values; in Sect. 2.6 we introduce conditional instability and use it to prove tighter bounds on oracle game values; and in Sect. 2.7 we outline the analysis of instability for the Micali construction.

2.4 From Oracle Games to Database Games

We begin with a sequence of three games whose values are closely related. These games play the role of hybrids in our analysis, and are all defined relative to the given base game \(G\subseteq A^k \times B^k \times C\).

  • Oracle game. This is the game defined earlier that is played in the real world, using a random oracle \(h\). The adversary wins if it outputs a tuple \((\mathbf {a}, \mathbf {b}, c) \in G\) with \(h(a_i) = b_i\) for each \(i \in [k]\).

  • Simulated oracle game. The simulator of Zhandry [66] is used to run the adversary and its final state is measured, leading to a tuple \((\mathbf {a}, \mathbf {b}, c)\) and a database D. The adversary wins if \((\mathbf {a}, \mathbf {b}, c) \in G\) and \(D(a_i) = b_i\) for each \(i \in [k]\). (The oracle \(h:\{0,1\}^{m} \rightarrow \{0,1\}^{n}\) is now replaced by the database \(D :\{0,1\}^{m} \rightharpoonup \{0,1\}^{n}\) stored by the simulator.)

  • Database game. Again the simulator of Zhandry is used to run the adversary, leading to a tuple \((\mathbf {a}, \mathbf {b}, c)\) and a database D. However, now we ignore \((\mathbf {a}, \mathbf {b}, c)\) and only consider D. The adversary wins if there exists \((\mathbf {a}', \mathbf {b}', c') \in G\) such that \(D(a_i) = b_i\) for each \(i \in [k]\).

We let \(\omega _{\mathsf {O}}^{*}(G, {{t}})\), \(\omega _{\mathsf {S}}^{*}(G, {{t}})\), and \(\omega _{\mathsf {D}}^{*}(G, {{t}})\) denote the values of the oracle game, simulated oracle game, and database game against quantum adversaries that make at most \({{t}}\) oracle queries.

A result of Zhandry [66, Lemma 5], when stated via the notions above, shows that \(\sqrt{\omega _{\mathsf {O}}^{*}(G, {{t}})} \le \sqrt{\omega _{\mathsf {S}}^{*}(G, {{t}})} + \sqrt{k/2^{n}}\). Moreover, \(\omega _{\mathsf {S}}^{*}(G, {{t}}) \le \omega _{\mathsf {D}}^{*}(G, {{t}})\) holds trivially, because winning the simulated oracle game implies winning the database game, by taking \((\mathbf {a}', \mathbf {b}', c') \ {:=} \ (\mathbf {a}, \mathbf {b}, c)\). In sum:

Lemma 1

For any base game \(G\),

$$\begin{aligned} \sqrt{\omega _{\mathsf {O}}^{*}(G, {{t}})} \le \sqrt{\omega _{\mathsf {D}}^{*}(G, {{t}})} + \sqrt{k/2^{n}} . \end{aligned}$$

The above lemma is a conceptualization of prior work, and is the starting point for the technical contributions of this paper. In particular, the lemma tells us that in order to bound the maximum winning probability of a quantum adversary in an oracle game (played in the real world) it suffices to bound the maximum winning probability of the adversary in the corresponding database game.

See the full version of the paper for more details.

2.5 A Basic Lifting Lemma for Database Games

We describe how we use a classical quantity \(\mathbf {I}(\mathcal {P}_{G}, {{t}})\) to bound \(\omega _{\mathsf {D}}^{*}(G, {{t}})\), the maximum winning probability of any \({{t}}\)-query quantum algorithm in the database game of \(G\). When combined with the hybrids in Sect. 2.4, this reduces the quantum security of oracle games to studying \(\mathbf {I}(\mathcal {P}_{G}, {{t}})\).

Given a base game \(G\), we let \(\mathcal {P}_{G}\) be the set of databases that win the database game of \(G\). In the classical setting, a natural way to bound the maximum winning probability of the database game is to compute, for each possible database \(D \notin \mathcal {P}_{G}\) (a database that is currently losing the game), the maximum probability that adding a query-answer pair to D puts D in \(\mathcal {P}_{G}\). Assuming that the empty database is not in \(\mathcal {P}_{G}\) (for otherwise one can win trivially), this quantity characterizes the probability that the adversary gets lucky and ends up with a winning database D.

We define the instability of \(\mathcal {P}_{G}\) with query bound \({{t}}\), denoted \(\mathbf {I}(\mathcal {P}_{G}, {{t}})\), to be the maximum probability that, for any database D containing less than \({{t}}\) queries, making one additional (classical) query changes whether or not D is in \(\mathcal {P}_{G}\). The foregoing argument explains that the classical value of the database game \(G\) is bounded by \({{t}}\cdot \mathbf {I}(\mathcal {P}_{G}, {{t}})\). Intuitively this is because each query can increase the probability that the database D is in \(\mathcal {P}_{G}\) by at most \(\mathbf {I}(\mathcal {P}_{G}, {{t}})\).

We prove that an analogous result holds for quantum adversaries as well. We call this lemma a lifting lemma, because it enables us to use the classical quantity of instability to prove a bound on the maximum winning probability of quantum adversaries. The version below is a “basic” version, because we shall ultimately need a stronger statement, as we discuss in Sect. 2.6. The result below extends an idea of Zhandry sketched in [66, Section 4.3].

Lemma 2

(Basic lifting lemma). For any base game \(G\),

$$\begin{aligned} \omega _{\mathsf {D}}^{*}(G, {{t}}) \le O\big ({{t}}^2 \cdot \mathbf {I}(\mathcal {P}_{G}, {{t}})\big ) . \end{aligned}$$

In particular, combining the above with Lemma 1, we get

$$\begin{aligned} \omega _{\mathsf {O}}^{*}(G, {{t}}) \le O\big ( {{t}}^2 \cdot \mathbf {I}(\mathcal {P}_{G}, {{t}}) + k/2^{n} \big ) . \end{aligned}$$

Even the above basic lifting lemma is a powerful tool. For example, suppose that \(G\) is the collision game, where the adversary wins if it outputs an oracle collision. Then \(\mathbf {I}(\mathcal {P}_{G}, {{t}}) < {{t}}/2^{n}\), because if D is a database with no collisions and less than \({{t}}\) entries, then making one more query produces a collision with probability less than \({{t}}/2^{n}\), and if D has collisions then it is not possible to make an additional query and remove collisions. Then (since \(k = 2\) in the collision game) the lifting lemma immediately tells us that \(\omega _{\mathsf {O}}^{*}(G, {{t}}) \le O({{t}}^3/2^{n})\), which shows that the probability that a \({{t}}\)-query quantum oracle algorithm finds a collision is bounded by \(O({{t}}^3/2^{n})\). This further simplifies the analysis of this fact in [66] and matches the bound of [1] (which is tight [20]).

We now sketch the proof of the basic lifting lemma. The proof sketch differs slightly from the actual proof, as in the actual proof we do a slightly more complicated analysis that gives us smaller constants. The main ideas, however, remain the same.

We let \(P_{G}\) be the operator that projects onto databases that win the database game \(G\): for any basis state in the database register, if \(D\in \mathcal {P}_{G}\), and if \(D \not \in \mathcal {P}_{G}\); \(P_{G}\) acts as the identity on other registers. If is the final joint state of the quantum adversary and database, then is the probability that \(D \in \mathcal {P}_{G}\) after measurement. We will assume that \(\emptyset \notin \mathcal {P}_{G}\), i.e., that the empty database does not win the database game of \(G\) (or else the adversary can win by doing nothing).

We can represent any simulated quantum adversary making at most \({{t}}\) queries as a sequence of unitary operators \(U = A_{{{t}}} \mathcal {O}A_{{{t}}- 1} \mathcal {O}\dots A_1 \mathcal {O}\) applied to an initial state , where \(\mathcal {O}\) is the compressed oracle and is the state of the empty database. Each \(A_i\) acts non-trivially only on the registers of the adversary being simulated and \(P_{G}\) acts non-trivially only on the database registers, so \(P_{G}\) and \(A_i\) commute. So, if \(P_{G}\) and \(\mathcal {O}\) were to also commute, then we could simply conclude that , i.e., that the adversary never wins. (Here we used the fact that \(\emptyset \notin \mathcal {P}_{G}\).)

However, it is not the case that \(P_{G}\) and \(\mathcal {O}\) commute. This should be expected because in general an adversary can win with some positive probability. However, if we could show that they almost commute, then we could apply the previous argument to show that ; i.e., the adversary wins with small probability. The notion of “almost” commuting we use is that the operator norm of the commutator is small.

Unfortunately, for interesting games the operator norm may not be small. For example, if \(G\) is the collision game and D is a database with a pre-image of every \(y \in \{0,1\}^{n}\) but no collisions, then . Generally, this norm may be large if D has many entries.

Query-bounded adversaries, however, cannot produce nonzero amplitudes on databases with more entries than the query bound. Hence, intuitively we should not consider states that correspond to large databases when bounding the operator norm of the aforementioned commutator. We follow this intuition by introducing the notion of a projected oracle, which acts as the compressed oracle except that it discards databases that do not belong to a certain subset.

Definition 1

Let \(P_{}\) be the operator that projects onto databases that belong to a given subset \(\mathcal {P}_{}\) of databases. A projected oracle is an operator of the form \(P_{} \mathcal {O}P_{}\).

We thus consider the projected oracle \(P_{{{t}}} \mathcal {O}P_{{{t}}}\), where \(P_{{{t}}}\) is operator that projects onto databases containing at most \({{t}}\) queries. For adversaries that make at most \({{t}}\) queries, replacing \(\mathcal {O}\) with \(P_{{{t}}} \mathcal {O}P_{{{t}}}\) has no effect because the adversary cannot create a database that contains more than \({{t}}\) entries. Moreover, if D contains more than \({{t}}\) entries, so the operator norm of accounts for the action of \(\mathcal {O}\) only on databases containing at most \({{t}}\) entries.

In sum, projected oracles allow us to cleanly compute the operator norm only over databases that are reachable by an adversary making a bounded number of queries. By carefully analyzing the action of \(\mathcal {O}\), we show that

We additionally prove that . Combining these two inequalities yields the lifting lemma.

See Sect. 4.1 for more details.

2.6 Stronger Lifting via Conditional Instability

The lifting lemma implies that to prove soundness of the Micali construction, it suffices to bound the instability of the Micali database game. Unfortunately, the instability of the Micali database game is actually large, even given the query bound. For example, suppose that D is a database containing Merkle trees for many different proof strings, but each of these Merkle trees has (miraculously) the same root due to collisions. Then, the probability that querying the root yields a good randomness for the underlying PCP verifier is large, because the answer to the query only needs to be a good random string for any one of the many proofs that D contains.

This counterexample, however, should not be of concern because it relies on the database having many collisions, and we have already argued that creating even a single collision in the database is difficult. To deal with this issue, we introduce the notion of conditional instability: \(\mathbf {I}(\mathcal {P}_{} \,\vert \,\mathcal {Q}, {{t}})\). This is a refined notion of instability that allows us to condition on events, e.g., that the database has no collisions. Our main technical contribution is the following stronger variant of Lemma 2.

Definition 2

A database property \(\mathcal {P}_{}\) is a set of databases. The complement of \(\mathcal {P}_{}\) is \(\bar{\mathcal {P}}_{}\).

Lemma 3

(Lifting lemma). For any base game \(G\) and database property \(\mathcal {Q}\),

$$\begin{aligned} \omega _{\mathsf {D}}^{*}(G, {{t}}) \le O\Big ({{t}}^2 \cdot \big (\mathbf {I}( \mathcal {P}_{G} \,\vert \,\bar{\mathcal {Q}}, {{t}}) + \mathbf {I}(\mathcal {Q}, {{t}}) \big ) \Big ). \end{aligned}$$

In particular, combining the above with Lemma 1, we get

$$\begin{aligned} \omega _{\mathsf {O}}^{*}(G, {{t}}) \le O\Big ({{t}}^2 \cdot \big (\mathbf {I}( \mathcal {P}_{G} \,\vert \,\bar{\mathcal {Q}}, {{t}}) + \mathbf {I}(\mathcal {Q}, {{t}}) \big ) + k/2^{n}\Big ) . \end{aligned}$$

The above statement is an “instability analogue” of the standard fact that for any two events \(E_1\) and \(E_2\), \(\Pr [E_1] \le \Pr [E_1 \cup E_2] \le \Pr [E_1 \,\vert \,\bar{E_2}] + \Pr [E_2]\).

The proof of Lemma 3 has three steps. First, we relax the database game \(\mathcal {P}_{G}\) so that the adversary wins if the database is in \(\mathcal {P}_{G} \cup \mathcal {Q}\). Clearly, winning the relaxed game is only easier than the original database game. Lemma 2 then implies that \(\omega _{\mathsf {D}}^{*}(G, {{t}}) \le O\Big ({{t}}^2 \cdot \mathbf {I}( \mathcal {P}_{G} \cup \mathcal {Q}, {{t}})\Big )\). Finally, we show that for any two database properties \(\mathcal {P}_{}\) and \(\mathcal {Q}\) it holds that \(\mathbf {I}( \mathcal {P}_{} \cup \mathcal {Q}, {{t}}) \le \mathbf {I}(\mathcal {P}_{} \,\vert \,\bar{\mathcal {Q}}, {{t}}) + \mathbf {I}(\mathcal {Q}, {{t}})\), which completes the proof.

We remark that Lemma 3 cannot be proved by simply arguing that \(\mathbf {I}(\mathcal {P}_{}, {{t}}) \le \mathbf {I}(\mathcal {P}_{} \cup \mathcal {Q}, {{t}})\) and then applying Lemma 2. This is because \(\mathbf {I}(\mathcal {P}_{}, {{t}})\) and \(\mathbf {I}(\mathcal {P}_{} \cup \mathcal {Q}, {{t}})\) are in general incomparable (see Proposition 5 for examples).

See Sect. 4.2 for more details.

2.7 Instability of the Micali Oracle Game

Armed with our lifting lemma, establishing the quantum security of the Micali construction is now relatively straightforward. Let \(\mathcal {P}_{\mathsf {Mic}}\) be the database property for the Micali game, and let \(\bar{\mathcal {P}}_{\mathsf {col}}\) be the no-collision property (the set of databases that do not contain collisions). We show that, for a random oracle of the form \(h:\{0,1\}^{2\lambda } \rightarrow \{0,1\}^{\lambda }\),

$$\begin{aligned} \mathbf {I}(\mathcal {P}_{\mathsf {col}}, {{t}})< {{t}}/2^{\lambda } \quad \text {and}\quad \mathbf {I}(\mathcal {P}_{\mathsf {Mic}}\,\vert \,\bar{\mathcal {P}}_{\mathsf {col}}, {{t}}) < \varepsilon + O({{t}}/2^{\lambda }) . \end{aligned}$$

Proving each of these inequalities is merely a classical argument.

  • \(\mathbf {I}(\mathcal {P}_{\mathsf {col}}, {{t}})\): If D is a database containing less than \({{t}}\) entries and has a collision, then adding an entry to D cannot remove the collision, so the probability that adding a new entry to D makes D have no collisions is 0. Let D be a database containing less than \({{t}}\) entries and no collisions. For any new query x, adding the query-answer pair (xy) to D for a random y will contain a collision with probability less than \({{t}}/2^{\lambda }\). Thus, \(\mathbf {I}(\mathcal {P}_{\mathsf {col}}, {{t}}) < {{t}}/2^{\lambda }\).

  • \(\mathbf {I}(\mathcal {P}_{\mathsf {Mic}}\,\vert \,\bar{\mathcal {P}}_{\mathsf {col}}, {{t}})\): It is impossible to go from a database D in \(\mathcal {P}_{\mathsf {Mic}}\) to a database D not in \(\mathcal {P}_{\mathsf {Mic}}\) by adding entries. Let D be a database not in \(\mathcal {P}_{\mathsf {Mic}}\) containing less than \({{t}}\) entries that contains no collisions. There are two ways to make D in \(\mathcal {P}_{\mathsf {Mic}}\): either the new query is for the randomness of the PCP verifier in the Micali construction, in which case this finds a good choice of randomness with probability at most \(\varepsilon \), or the new query extends one of the Merkle trees that the adversary is constructing. To extend the Merkle tree the adversary must find a pre-image, which happens with probability less than \(O({{t}}/2^{\lambda })\). Hence, \(\mathbf {I}(\mathcal {P}_{\mathsf {Mic}}\,\vert \,\bar{\mathcal {P}}_{\mathsf {col}}, {{t}}) < \varepsilon + O({{t}}/2^{\lambda })\), completing the proof.

Combining these bounds on instability with the lifting lemma completes the proof of soundness, and completes a proof sketch for Theorem 1. See the full version of the paper for more details.

2.8 zkSNARKs in the QROM

We have so far discussed how to establish soundness of the Micali construction in the quantum setting. We now discuss how to further establish zero knowledge and proof of knowledge, obtaining the first zkSNARKs secure in the quantum random oracle model (and thereby proving Theorem 2).

Zero Knowledge. In the classical setting, the Micali construction achieves statistical zero knowledge provided the underlying PCP is (honest-verifier) statistical zero knowledge (and leaves in the Merkle tree are suitably salted to ensure statistical hiding of unrevealed leaves) [13, 40]. In the quantum setting, an analogous statement is immediate simply because the zero knowledge property holds against computationally unbounded verifiers that make an unbounded number of queries to the random oracle, and any quantum verifier can be simulated by an unbounded verifier.

Proof of Knowledge. In the classical setting, the Micali construction achieves proof of knowledge provided the underlying PCP is a proof of knowledge [61]. The quantum analogue of this statement, however, does not immediately follow from our soundness analysis. Recall that our strategy was to bound the instability of the Micali property for \(x \notin \mathcal {L}\), conditioned on no collisions. But when \(x \in \mathcal {L}\) this approach will not work, because the instability of the Micali property even conditioned on the absence of collisions is 1 (as witnessed by the existence of the honest prover).

Nevertheless, the tools that we develop in this work are flexible enough that we can apply them to also establish proof of knowledge. We consider the following natural extractor strategy: run the prover until completion, and measure the database. Then, for each entry in the database, try to extract a PCP proof rooted at that entry, and then run the PCP extractor on this proof.

Let \(\mathcal {P}_{}\) be the set of databases D where there exists a root \(\mathsf {rt}\) such that D wins the Micali game with a SNARG proof rooted at \(\mathsf {rt}\), but the PCP extractor does not extract a valid witness from the PCP proof rooted at \(\mathsf {rt}\). If the prover wins the Micali game but the extractor fails, then D must be in \(\mathcal {P}_{}\). We then argue that \(\mathbf {I}(\mathcal {P}_{} \,\vert \,\bar{\mathcal {P}}_{\mathsf {col}}, {{t}})\) is at most \(\mathsf {k}+ O({{t}}/2^{\lambda })\), where \(\mathsf {k}\) is the knowledge error of the underlying PCP. Intuitively, this is because if the PCP extractor fails to extract a witness from the PCP proof \(\varPi \) rooted at \(\mathsf {rt}\), then \(\varPi \) convinces the verifier with probability at most \(\mathsf {k}\), and hence the probability of finding good randomness for \(\varPi \) is at most \(\mathsf {k}\). Combining this with Lemma 3 implies that the probability that the prover wins the Micali game but the extractor fails is at most \(O({{t}}^2 \mathsf {k}+ {{t}}^3/2^{\lambda })\). Hence, if \(\mu \) is the probability that the prover wins the Micali game, then the probability that the extractor succeeds is at least \(\varOmega (\mu - {{t}}^2 \mathsf {k}- {{t}}^3/2^{\lambda })\).

See the full version of the paper for more details.

2.9 The BCS Construction: Succinct Arguments Beyond Micali

We apply our techniques to prove post-quantum security of the BCS construction [13], when the underlying public-coin IOP satisfies a notion of soundness achieved by many protocols of practical interest. The notion is round-by-round soundness, and was introduced for IPs in [21] for the purposes of facilitating proofs of security of the Fiat–Shamir transformation for correlation-intractable hash functions. The notion can be extended in a straightforward way to any IOP, and this is the notion that we consider in this work. We further show that if the underlying IOP is honest-verifier zero knowledge and/or has round-by-round proof of knowledge, then the BCS argument inherits these properties. Round-by-round proof of knowledge is a type of knowledge property that is analogous to round-by-round soundness (and is also achieved by many protocols of practical interest). Below we sketch our analysis; see the full version of the paper for details.

Soundness. An IOP has round-by-round soundness if, for any partial transcript \(\mathsf {tr}\) of the protocol, one can tell if \(\mathsf {tr}\) is “doomed”, i.e., that it is highly unlikely to be accepted by the verifier when completed to a full transcript; a doomed full transcript is never accepted by the verifier.

By the lifting lemma, in order to prove the post-quantum security of the BCS construction it suffices to bound the conditional instability of the database property \(\mathcal {P}_{}\), where \(D \in \mathcal {P}_{}\) if D contains a partial transcript where the last verifier message has flipped the transcript from “doomed” to “not doomed”. We argue that \(\mathbf {I}(\mathcal {P}_{} \,\vert \,\bar{\mathcal {P}}_{\mathsf {col}}, {{t}}) < \epsilon + O({{t}}/2^{\lambda })\), where \(\epsilon \) is the round-by-round soundness error of the IOP. The proof is similar to the proof for the Micali construction. If \(D \notin \mathcal {P}_{}\), there are two ways to add an entry and make \(D \in \mathcal {P}_{}\): either the new query is for the randomness of the next verifier message in the IOP for some doomed transcript \(\mathsf {tr}\), in which case we find a message that makes \(\mathsf {tr}\) not doomed with probability \(\epsilon \); or the new query extends one of the Merkle trees that the adversary is constructing, which happens with probability less than \(O({{t}}/2^{\lambda })\) as this implies finding a pre-image. Hence, \(\mathbf {I}(\mathcal {P}_{} \,\vert \,\bar{\mathcal {P}}_{\mathsf {col}}, {{t}}) < \epsilon + O({{t}}/2^{\lambda })\), which completes the proof.

Zero Knowledge. As in the case of Micali, zero knowledge is straightforward, as the BCS construction classically achieves statistical zero knowledge when the IOP is honest-verifier zero knowledge.

Proof of Knowledge. Analogously to our analysis of the Micali construction, we define a property \(\mathcal {Q}{}\), where \(D \in \mathcal {Q}{}\) if D contains a partial transcript that is in \(\mathcal {P}_{}\) but the BCS extractor fails to extract a valid witness. We then argue that \(\mathbf {I}(\mathcal {Q}{} \,\vert \,\bar{\mathcal {P}}_{\mathsf {col}}) < \mathsf {k}+ O({{t}}/2^{\lambda })\), where \(\mathsf {k}\) is the round-by-round knowledge error of the IOP; the proof of this fact is similar to the proof of soundness. We conclude that if the prover causes the verifier to accept with probability at least \(\mu \), then the probability that the extractor succeeds is at least \(\varOmega (\mu - {{t}}^2 \mathsf {k}- {{t}}^3/2^{\lambda })\).

3 Preliminaries

We denote by \(\mathcal {R}\) a binary relation of instance-witness pairs , and by \(\mathcal {L}(\mathcal {R})\) its corresponding language, which is the set . We denote by \(f :X \rightarrow Y\) a function from a set X to a set Y; similarly, we denote by \(f :X \rightharpoonup Y\) a partial function from a set X to a set Y, i.e., a function \(f :X \rightarrow Y \cup \{\bot \}\), where \(\bot \notin Y\) is a special symbol indicating that f(x) is undefined.

3.1 Quantum Notation

We briefly recall standard quantum notation. We let denote an arbitrary quantum state, and let denote an element of the standard (computational) basis. The norm of a state is . In general, the states that we consider will have norm 1. The operator norm of an operator A is , defined to be . Note that if A is unitary then . The commutator of two operators A and B is . The following proposition relates operator norms and commutators.

Proposition 1

Let ABC be operators with . Then

Proof

By definition, . Therefore, , as .

A projector P is an idempotent linear operator (i.e., \(P^{2} = P\)). Throughout, we will only consider orthogonal projectors of the form , where S is a set of binary strings. Measuring a state in the standard basis results in an output that is in S with probability equal to . Since all \(P_{S}\) are diagonal in the same basis, they commute with each other. Note that for any non-zero orthogonal projector P it holds that . In particular, since , we see that if A is the product of projectors and unitaries then .

3.2 Oracle Algorithms

Let \(f :\{0,1\}^{m} \rightarrow \{0,1\}^{n}\) be a function. The standard way to model oracle access to f in the quantum setting is via a unitary operator \(O_{f}\) that acts as for all \(x \in \{0,1\}^{m}\) and \(y \in \{0,1\}^{n}\). We label the input and output registers \(\mathsf {X}\) and \(\mathsf {Y}\), respectively.

A \({{t}}\)-query quantum oracle algorithm \(\mathcal {A}\) is specified via \(m,n\in \mathbb {N}\), \({{t}}\) unitary operators \(A_{1},\dots ,A_{{{t}}}\) and an initial state on four registers \(\mathsf {X},\mathsf {Y},\mathsf {S},\mathsf {T}\). The register \(\mathsf {X}\) is on \(m\) qubits and is for queries to the oracle; the register \(\mathsf {Y}\) is on \(n\) qubits and is for answers from the oracle; the register \(\mathsf {S}\) is for the output of \(\mathcal {A}\); and the register \(\mathsf {T}\) is for scratch space of \(\mathcal {A}\). The initial state and unitary operators \(A_{i}\) need not be efficiently computable.

We write to denote , the final state of the adversary before measurement. (We implicitly extend \(O_{f}\) to act as the identity on \(\mathsf {S},\mathsf {T}\).) We write \(\mathcal {A}^{f}\) to denote the random variable which is the outcome of measuring the register \(\mathsf {S}\) of in the computational basis. This is the output of \(\mathcal {A}\) when accessing the oracle f.

A random oracle is a function \(h:\{0,1\}^{m} \rightarrow \{0,1\}^{n}\) sampled from \(\mathcal {U}(m,n)\), the uniform distribution over functions from \(\{0,1\}^{m}\) to \(\{0,1\}^{n}\). We write \(h\leftarrow \mathcal {U}(m,n)\) to say that \(h\) is sampled from \(\mathcal {U}(m,n)\). In the quantum random oracle model [15], we study \(\mathcal {A}^{h}\) for \(h\leftarrow \mathcal {U}(m,n)\).

3.3 Non-interactive Arguments in the Quantum Random Oracle Model

Let \((\mathcal {P}, \mathcal {V})\) be two polynomial-time (classical) algorithms, known as the prover and verifier. We say that \((\mathcal {P}, \mathcal {V})\) is a non-interactive argument in the quantum random oracle model (QROM) with soundness error \(\epsilon \) for a relation \(\mathcal {R}\) if it satisfies the following properties.

  • Completeness. For every and function \(h\in \mathcal {U}(2\lambda , \lambda )\), outputs a (classical) proof string \(\pi \) for which .

  • Soundness. For every and \({{t}}\)-query quantum oracle algorithm \(\tilde{\mathcal {P}}\), the probability over a function \(h\leftarrow \mathcal {U}(2\lambda , \lambda )\) and (classical) proof string \(\tilde{\pi } \leftarrow \tilde{\mathcal {P}}^{h}\) that is at most \(\epsilon ({{t}},\lambda )\).

We say that \((\mathcal {P}, \mathcal {V})\) has argument size \(s\) if a proof \(\pi \) output by consists of bits.

We also consider non-interactive arguments that additionally achieve proof of knowledge and zero knowledge. The first property will hold against query-bounded adversaries (that are otherwise all-powerful), while the second property will hold against unbounded adversaries (and in particular need not refer to quantum algorithms). We define both of these properties below.

Knowledge. The non-interactive argument \((\mathcal {P}, \mathcal {V})\) is an argument of knowledge with extraction probability \(\kappa \) if there exists a polynomial-time quantum extractor \(\mathcal {E}\) such that, for every instance and \({{t}}\)-query quantum oracle algorithm \(\tilde{\mathcal {P}}\), if, over a random oracle \(h\leftarrow \mathcal {U}(2\lambda , \lambda )\), for \(\pi \ {:=} \ \tilde{\mathcal {P}}^{h}\) it holds that with probability \(\mu \), the probability that outputs a valid witness for is at least \(\kappa ({{t}},\mu ,\lambda )\). Here the notation \(\mathcal {E}^{\tilde{\mathcal {P}}}\) denotes that \(\mathcal {E}\) has black-box access to \(\tilde{\mathcal {P}}\) as defined by Unruh [60]. Informally, this means that if \(\tilde{\mathcal {P}} = (A_{1},\ldots ,A_{{{t}}})\) with initial state , then \(\mathcal {E}\) is given an auxiliary register containing and may apply, in addition to any efficient quantum operation, any \(A_{i}\) to any of its registers.

Zero Knowledge. The non-interactive argument \((\mathcal {P}, \mathcal {V})\) has (statistical) zero knowledge if there exists a probabilistic polynomial-time simulator \(\mathcal {S}\) such that for every instance-witness pair the distributions below are statistically close (as a function of \(\lambda \)):

Above, \(h[\mu ]\) is the function that, on input x, equals \(\mu (x)\) if \(\mu \) is defined on x, or \(h(x)\) otherwise. This definition uses explicitly-programmable random oracles [10]. (Non-interactive zero knowledge with non-programmable random oracles is impossible for non-trivial languages [13, 52].)

Succinctness for Non-deterministic Time. A zkSNARK for in the QROM is a non-interactive argument for in the QROM such that: (a) it has (statistical) zero knowledge; (b) it has extraction probability ; (c) arguments have size , the prover runs in time , and the verifier runs in time .

3.4 Probabilistically Checkable Proofs

A probabilistically checkable proof (PCP) for a relation \(\mathcal {R}\) with soundness error \(\epsilon \), proof length \(\ell \), and alphabet \(\varSigma \) is a pair of polynomial-time algorithms \((\mathbf {P}, \mathbf {V})\) for which the following holds.

  • Completeness. For every instance-witness pair , outputs a proof string \(\varPi :[\ell ] \rightarrow \varSigma \) such that .

  • Soundness. For every instance and proof string \(\varPi :[\ell ] \rightarrow \varSigma \), .

The quantities \(\epsilon ,\ell ,\varSigma \) can be functions of the instance size . Probabilities are taken over the randomness of \(\mathbf {V}\). The randomness complexity is the number of random bits used by \(\mathbf {V}\), and the query complexity \({q}\) is the number of locations of \(\varPi \) read by \(\mathbf {V}\). (Both can be functions of .)

We also consider PCPs that achieve proof of knowledge and (honest-verifier) zero knowledge. We define both of these properties below.

Proof of Knowledge. The PCP \((\mathbf {P}, \mathbf {V})\) has knowledge error \(\mathsf {k}\) if there exists a polynomial-time extractor \(\mathbf {E}\) such that for every instance and proof string \(\varPi :[\ell ] \rightarrow \varSigma \) if then outputs a valid witness for .

Zero Knowledge. The PCP \((\mathbf {P}, \mathbf {V})\) is (perfect) honest-verifier zero knowledge if there exists a probabilistic polynomial-time simulator \(\mathbf {S}\) such that for every instance-witness pair the view of when given access to a proof string sampled as equals the view of when given access to . In the latter case, adaptively answers queries received from .

3.5 Databases

A database mapping X to Y is a partial function \(D :X \rightharpoonup Y\). The support of a database D is \(\mathrm {supp}(D) \ {:=} \ \{x \in X :D(x) \ne \bot \}\) and its image \(\mathrm {im}(D)\) is \(\{ D(x) :x\in \mathrm {supp}(D) \}\). The size of a database is the size of its support: . Given two databases D and \(D'\), we write \(D \subseteq D'\) if \(\mathrm {supp}(D) \subseteq \mathrm {supp}(D')\) and \(D(x) = D'(x)\) for every \(x \in \mathrm {supp}(D)\).

We define two operations on databases, corresponding to deletions and insertions. Given a database D, input values \(x,x' \in X\), and output value \(y \in Y\), we define the two databases

$$\begin{aligned} (D - x)(x') \ {:=} \ {\left\{ \begin{array}{ll} \bot &{} \text { if } x = x' \\ D(x') &{} \text { if } x \ne x' \end{array}\right. } \quad \text {and}\quad (D + [x \mapsto y])(x') \ {:=} \ {\left\{ \begin{array}{ll} y &{} \text {if } x = x' \\ D(x') &{} \text { if } x \ne x' \end{array}\right. }. \end{aligned}$$

For \(D :\{0,1\}^{m} \rightharpoonup \{0,1\}^{n}\) and \({{t}}\in \mathbb {N}\) with , we define the pure quantum state

where is the lexicographic ordering of \(\mathrm {supp}(D)\) and \(y_{i} \ {:=} \ D(x_{i})\) for each . We will write for when the bound \({{t}}\) is clear from context.

3.6 Compressed Phase Oracle

The standard method to encode a function \(h:\{0,1\}^{m} \rightarrow \{0,1\}^{n}\) as a quantum operation is the unitary matrix \(O_h\) defined in Sect. 3.2, which acts as . Another method is to encode \(h\) in the phase of a quantum state, via the unitary matrix \(O_h'\) that acts as . These two encodings are equivalent under an efficient change of basis: \(O_h= (I^{m} \otimes H^{n}) O_h'(I^{m} \otimes H^{n})\) where \(I^{m}\) is the identity on the first \(m\) qubits and \(H^{n}\) is the Hadamard transformation on the other \(n\) qubits. Thus, choosing between the standard oracle \(O_h\) or the phase oracle \(O_h'\) is a matter of convenience. For example, the Deutsch–Josza algorithm [25] is easier to describe with a standard oracle, while Grover’s algorithm [38] is easier with a phase oracle.

In this paper it is more convenient to always work with phase oracles. All quantum query algorithms will thus have an oracle phase register \(\mathsf {U}\) instead of the oracle answer register \(\mathsf {Y}\). Moreover, since \(h\) is sampled at random from the set of all functions from \(m\) bits to \(n\) bits, we follow Zhandry [66] and extend the adversary’s initial state with a random superposition of all functions \(h\), which represents a purification of the adversary’s mixed state relative to the random oracle.

In fact, instead of considering a superposition of functions \(h\), we will consider a superposition of databases D, according to the compressed oracle formalism of [66]. Specifically, throughout this paper we will only deal with the compressed phase oracle with \(m\) input bits and \(n\) output bits, which we denote by \(\mathcal {O}\). We fix the database query bound of the compressed oracle to be \({{t}}\) in advance. For the purposes of this paper, we will only use the fact that \(\mathcal {O}\) is a certain unitary matrix, indistinguishable from a real random oracle, whose action is given by the following lemma. We refer the reader to [66] for more details.

Lemma 4

([66]). The compressed phase oracle \(\mathcal {O}\) (with query bound \({{t}}\)) acts on a quantum state , where \(x \in \{0,1\}^{m}\), \(u \in \{0,1\}^{n}\), \(z \in \{0,1\}^{*}\), and \(D :\{0,1\}^{m} \rightharpoonup \{0,1\}^{n}\) is a database with , as follows.

  • If or \(u = 0^{n}\), then , where \(u \cdot \bot \ {:=} \ 0\).

  • If \(D(x) = \bot \), , and \(u \ne 0^{n}\), then where

  • If \(D(x) \ne \bot \), , and \(u \ne 0^{n}\), then where

Given a quantum algorithm \(\mathcal {A}\) described by unitaries \(A_{1},\dots ,A_{{{t}}}\) and initial state , we write to represent the final state of \(\mathcal {A}\) before measurement when simulated using \(\mathcal {O}\) as the oracle. Formally, , where \(\emptyset \) denotes that the \(\mathsf {D}\) register holds the empty database with \({{t}}\) slots, and we implicitly extend each \(A_{i}\) to act as the identity on \(\mathsf {D}\).

The following lemma of [66] shows simulating \(\mathcal {A}\) by using \(\mathcal {O}\) as the oracle is perfectly indistinguishable from running \(\mathcal {A}\) with access to a random oracle.

Lemma 5

([66, Lemma 4]). For any quantum oracle algorithm \(\mathcal {A}\) making at most \({{t}}\) queries,

I.e., purifies the mixed state of \(\mathcal {A}\) when interacting with a random oracle \(h\leftarrow \mathcal {U}(m,n)\).

The notation denotes the partial trace over the \(\mathsf {D}\) (database) register, defined as the unique linear operator such that for all vectors . Here \(\mathsf {Z}\) denotes all the registers of the adversary.

4 A Lifting Lemma for Database Games

In this section we show how to bound the value of a (classical or quantum) database game via the instability of the game, a purely classical quantity that we introduce in this paper. As we will see shortly, it is straightforward to argue that for any base game \(G\) (Sect. 2.4), the value \(\omega _{\mathsf {D}}(G, {{t}})\) is at most \({{t}}\) times the instability of \(G\). The goal of this section is to prove that the (quantum) value \(\omega _{\mathsf {D}}^{*}(G, {{t}})\) is at most \({{t}}^2\) times the instability of \(G\). In particular, we enable lifting a bound on the (classical) instability of \(G\) to a bound on the (quantum) value \(\omega _{\mathsf {D}}^{*}(G, {{t}})\). Combining the lifting lemma with the fact that oracle games can be generically reduced to database games (Lemma 1), we are able to establish the post-quantum security of the Micali construction solely by analyzing classical properties of it.

4.1 Database Properties and the Basic Lifting Lemma

A database property is a more general notion of a database game.

Definition 3

A database property \(\mathcal {P}_{}\) is a set of databases \(D :X \rightharpoonup Y\). The negation of \(\mathcal {P}_{}\), denoted \(\bar{\mathcal {P}}_{}\), is the set \((X \rightharpoonup Y) \setminus \mathcal {P}_{}\).

Given a base game, we define a corresponding database property as follows.

Definition 4

The database property of a base game \(G\subseteq A^{k} \times B^{k} \times C\) is

$$\begin{aligned} \mathcal {P}_{G} \ {:=} \ \{D : \exists \, (\mathbf {a}, \mathbf {b}, c) \in G\text { with } D(a_i) = b_i \ \forall \, i \in [k]\} . \end{aligned}$$

For a base game \(G\), the database property \(\mathcal {P}_{G}\) is closely related to the database game of \(G\). This is because winning the database game is equivalent to the database outputted by being in \(\mathcal {P}_{G}\). In particular, the following proposition holds.

Proposition 2

For every base game \(G\subseteq A^{k} \times B^{k} \times C\) and quantum algorithm ,

We define the flip probability of a pair of database properties.

Definition 5

The flip probability \(\mathrm {flip}(\mathcal {P}_{} \rightarrow \mathcal {Q}, t)\) from property \(\mathcal {P}_{}\) to property \(\mathcal {Q}\) is the quantity

and \(\mathrm {flip}(\emptyset \rightarrow \mathcal {Q}, {{t}}) := 0\).

Intuitively, this is the maximum probability over all databases \(D \in \mathcal {P}_{}\) with less than \({{t}}\) entries that making an additional query puts \(D \in \mathcal {Q}\). The following properties can be obtained easily from the above definition.

Proposition 3 (Properties of the flip probability)

Let \(\mathcal {P}_{},\mathcal {P}_{}',\mathcal {Q},\mathcal {Q}'\) be database properties.

  1. (i)

    If \(\mathcal {P}_{} \subseteq \mathcal {P}_{}'\) and \(\mathcal {Q}\subseteq \mathcal {Q}'\) then \(\mathrm {flip}(\mathcal {P}_{} \rightarrow \mathcal {Q}) \le \mathrm {flip}(\mathcal {P}_{}' \rightarrow \mathcal {Q}')\).

  2. (ii)

    \(\mathrm {flip}(\mathcal {P}_{} \cup \mathcal {P}_{}' \rightarrow \mathcal {Q}) = \max \big (\mathrm {flip}(\mathcal {P}_{} \rightarrow \mathcal {Q}), \mathrm {flip}(\mathcal {P}_{}' \rightarrow \mathcal {Q})\big )\).

  3. (iii)

    \(\mathrm {flip}(\mathcal {P}_{} \rightarrow \mathcal {Q}\cup \mathcal {Q}') \le \mathrm {flip}(\mathcal {P}_{} \rightarrow \mathcal {Q}) + \mathrm {flip}(\mathcal {P}_{} \rightarrow \mathcal {Q}')\).

The instability of a database property is the following classical quantity.

Definition 6

The instability \(\mathbf {I}(\mathcal {P}_{}, {{t}})\) of a database property \(\mathcal {P}_{}\) with query bound \({{t}}\) is the maximum probability that, for any database D containing less than \({{t}}\) queries, making one additional (classical) query changes whether or not D has the property \(\mathcal {P}_{}\). Formally, we let

$$\begin{aligned} \mathbf {I}(\mathcal {P}_{}, {{t}}) \ {:=} \ \max \{\mathrm {flip}(\bar{\mathcal {P}}_{} \rightarrow \mathcal {P}_{}, {{t}}) , \mathrm {flip}(\mathcal {P}_{} \rightarrow \bar{\mathcal {P}}_{}, {{t}})\} . \end{aligned}$$

Note that instability is symmetric: \(\mathbf {I}(\mathcal {P}_{}, {{t}}) = \mathbf {I}(\bar{\mathcal {P}}_{}, {{t}})\). There is a direct argument that shows that \(\omega _{\mathsf {D}}(G, {{t}})\) is bounded by \({{t}}\mathbf {I}( \mathcal {P}_{G}, {{t}})\).Footnote 4 Similarly, our basic lifting lemma shows that \(\omega _{\mathsf {D}}^{*}(G, {{t}})\) is bounded by the instability of the database property \(\mathcal {P}_{G}\). Thus, it lifts a classical notion to prove a bound on the quantum value of a database game.

Lemma 6

(Basic lifting lemma). For any base game \(G\),

$$\begin{aligned} \omega _{\mathsf {D}}^{*}(G, {{t}}) \le {{t}}^2 \cdot 6\mathbf {I}( \mathcal {P}_{G}, {{t}}). \end{aligned}$$

Before we proceed to the proof of Lemma 6, we first introduce some quantum notation. Recall that we let denote the final quantum state of the simulated adversary. Using the definition of measurement, we can express the probability that the final measured database D is in a database property \(\mathcal {P}_{}\) in terms of the state .

Proposition 4

For every database property \(\mathcal {P}_{}\) and quantum adversary ,

where is the projector that maps all basis states of the form to 0 if \(D \notin \mathcal {P}_{}\), and is otherwise the identity.

We learn that in order to bound \(\omega _{\mathsf {D}}^{*}(G, {{t}})\) it suffices to bound for every .

Next, define to be the projector that maps all basis states of the form to 0 if , and is otherwise the identity.

The proof of Lemma 6 follows from two lemmas. The first lemma shows that is bounded by . Intuitively, this is because if \(P_{}\) and \(P_{{{t}}}\mathcal {O}P_{{{t}}}\) almost commute (i.e., \(P_{}\) and \(\mathcal {O}\) almost commute when acting on databases with at most \({{t}}\) entries) then each oracle query cannot change the probability that the database is in \(\mathcal {P}_{}\) by too much. The second lemma shows that is bounded by \(\mathbf {I}(\mathcal {P}_{}, {{t}})\). Combining the two lemmas with Proposition 4 completes the proof of Lemma 6.

Lemma 7

Let \(\mathcal {P}_{}\) be a database property with \(\emptyset \notin \mathcal {P}_{}\). For every ,

Lemma 8

For any database property \(\mathcal {P}_{}\),

Lemmas 7 and 8 strengthen the proof sketch outlined in Sect. 2.5. This is because for any operator A and projector \(P_{}\), , and so . Hence, Lemma 7 implies that and Lemma 8 implies that .

We now prove Lemma 7; the proof of Lemma 8 can be found in the full version of the paper.

Proof

(Proof of Lemma 7). Recall that the quantum algorithm is described by some unitaries \((A_{1},\ldots ,A_{{{t}}})\) and initial state . We can thus describe the quantum algorithm via the cumulative unitary \(U \ {:=} \ A_{{{t}}} \mathcal {O}A_{{{t}}- 1} \cdots \mathcal {O}A_1 \mathcal {O}\) acting on the initial state where \(\emptyset \) denotes the empty database. (We abuse notation and implicitly extend \(A_i\) to act as the identity on the database register.) The final state is .

Let \(U' \ {:=} \ A_{{{t}}} (P_{{{t}}}\mathcal {O}P_{{{t}}}) A_{{{t}}- 1} \cdots (P_{{{t}}}\mathcal {O}P_{{{t}}}) A_1 (P_{{{t}}}\mathcal {O}P_{{{t}}})\). We have that , as applying each \(P_{{{t}}}\) has no effect, since the database can only have at most \({{t}}\) queries when \(P_{{{t}}}\) is applied.

For any operators \(C_1, \dots , C_{{{t}}}\) and projector \(P_{}\), we have that

$$\begin{aligned} C_{{{t}}} \cdots C_1 = \bar{P}_{} C_{{{t}}} \bar{P}_{} C_{{{t}}- 1} \bar{P}_{} \cdots C_{1} \bar{P}_{} + \sum _{i = 0}^{{{t}}} (C_{{{t}}} \cdots C_{i+1}) \cdot P_{} \cdot (C_i \bar{P}_{} \cdots C_1 \bar{P}_{}) . \end{aligned}$$
(1)

To see this, we observe that

$$\begin{aligned} C_{{{t}}} \cdots C_1 = (C_{{{t}}} \cdots C_2) ( C_{1} \bar{P}_{}) + (C_{{{t}}} \cdots C_1) \cdot P_{} , \end{aligned}$$

which implies Eq. (1) by induction.

Let \(C_i = A_i(P_{{{t}}} \mathcal {O}P_{{{t}}})\). Then we have that

where we use the fact that the operator norm of a product of unitaries/projectors is at most 1, and that \(\emptyset \notin \mathcal {P}_{}\). Since \(P_{}\) and \(A_i\) commute for every i, we get that . Hence, .

4.2 Conditional Instability and the Lifting Lemma

Lemma 6 is not quite sufficient to analyze the database game that corresponds to the Micali construction. In fact, the instability of this game is high because we take a maximum over all bounded databases, including those which contain collisions. If we were to only take the maximum over databases that do not contain collisions, then the instability would be low. Moreover, the instability of the “no collision” property is itself low.

In this section, we strengthen the results of the previous section by introducing the notion of conditional instability, which allows us to analyze the value \(\omega _{\mathsf {D}}^{*}(G, {{t}})\) by splitting its database property \(\mathcal {P}_{G}\) into subproperties and analyzing the subproperties separately, analogous to conditioning in probability. In particular, we can then analyze the Micali game by analyzing the no collision property and the instability of the Micali database property conditioned on the no collision property.

For the entirety of this section we will let \(\mathcal {P}_{}\) and \(\mathcal {Q}\) be database properties, and we will analyze quantities about \(\mathcal {P}_{}\) conditioned on \(\mathcal {Q}\). These results strengthen the results of Sect. 4.1, as the previous results can be recovered by setting \(\mathcal {Q}\) to be the database property containing all databases.

Definition 7

Let \(\mathcal {P}_{}\) and \(\mathcal {Q}\) be two database properties, and let \({{t}}\) be a query bound. We define

$$\begin{aligned} \mathrm {flip}(\mathcal {P}_{} \,\vert \,\mathcal {Q}, {{t}}) \ {:=} \ \mathrm {flip}(\bar{\mathcal {P}}_{} \cap \mathcal {Q}\rightarrow \mathcal {P}_{} \cap \mathcal {Q}, {{t}}) . \end{aligned}$$

The conditional instability \(\mathbf {I}(\mathcal {P}_{} \,\vert \,\mathcal {Q}, {{t}})\) is defined as

$$\begin{aligned} \mathbf {I}(\mathcal {P}_{} \,\vert \,\mathcal {Q}, {{t}}) \ {:=} \ \max \{\mathrm {flip}(\mathcal {P}_{} \,\vert \,\mathcal {Q}, {{t}}) , \ \mathrm {flip}(\bar{\mathcal {P}}_{} \,\vert \,\mathcal {Q}, {{t}})\} . \end{aligned}$$

Before we state the lifting lemma, we observe the following properties of instability.

Proposition 5

Let \(\mathcal {P}_{}\) and \(\mathcal {Q}\) be two database properties. Then

  1. 1.

    \(\mathbf {I}(\mathcal {P}_{}, {{t}})\) and \(\mathbf {I}(\mathcal {P}_{} \cup \mathcal {Q}, {{t}})\) are incomparable.

  2. 2.

    \(\mathrm {flip}(\mathcal {P}_{} \,\vert \,\mathcal {Q}, {{t}}) \le \mathrm {flip}(\bar{\mathcal {P}}_{} \rightarrow \mathcal {P}_{}, {{t}})\), and therefore \(\mathbf {I}(\mathcal {P}_{} \,\vert \,\mathcal {Q}, {{t}}) \le \mathbf {I}(\mathcal {P}_{}, {{t}})\).

  3. 3.

    \(\mathbf {I}(\mathcal {P}_{} \cup \mathcal {Q}, {{t}}) \le \mathbf {I}(\mathcal {P}_{} \,\vert \,\bar{\mathcal {Q}}, {{t}}) + \mathbf {I}(\mathcal {Q}, {{t}})\).

Proof

To show Item 1, we give database properties \(\mathcal {P}_{},\mathcal {Q}\) such that \(\mathbf {I}(\mathcal {P}_{},{{t}}) > \mathbf {I}(\mathcal {P}_{} \cup \mathcal {Q}, {{t}})\) and properties \(\mathcal {P}_{}',\mathcal {Q}'\) such that \(\mathbf {I}(\mathcal {P}_{}',{{t}}) < \mathbf {I}(\mathcal {P}_{}' \cup \mathcal {Q}', {{t}})\). Let \(\mathcal {P}_{}\) be the property that \(D \ne \emptyset \). Then clearly \(\mathbf {I}(\mathcal {P}_{}, {{t}}) \ge \mathrm {flip}(\bar{\mathcal {P}}_{} \rightarrow \mathcal {P}_{},{{t}}) = 1\). Let \(\mathcal {Q}\) be the property that \(D = \emptyset \). Now \(\mathcal {P}_{} \cup \mathcal {Q}\) is the set of all databases, so \(\mathbf {I}(\mathcal {P}_{} \cup \mathcal {Q}, {{t}}) = 0\).

On the other hand, let \(\mathcal {P}_{}' = \emptyset \) be the empty property, and let \(\mathcal {Q}'\) be the property that \(D = \emptyset \). Then, \(\mathbf {I}(\mathcal {P}_{}', {{t}}) = 0\), and \(\mathbf {I}(\mathcal {P}_{}' \cup \mathcal {Q}', {{t}}) = \mathbf {I}(\mathcal {Q}', {{t}}) = 1\).

Item 2 holds since

$$\begin{aligned} \mathrm {flip}(\mathcal {P}_{} \,\vert \,\mathcal {Q}, {{t}}) = \mathrm {flip}(\bar{\mathcal {P}}_{} \cap \mathcal {Q}\rightarrow \mathcal {P}_{} \cap \mathcal {Q}, {{t}}) \le \mathrm {flip}(\bar{\mathcal {P}}_{} \rightarrow \mathcal {P}_{}, {{t}}) . \end{aligned}$$

Finally, for Item 3 we observe that

$$\begin{aligned} \mathrm {flip}(\overline{\mathcal {P}_{} \cup \mathcal {Q}} \rightarrow \mathcal {P}_{} \cup \mathcal {Q}, {{t}})&= \mathrm {flip}(\bar{\mathcal {P}}_{} \cap \bar{\mathcal {Q}}\rightarrow \mathcal {P}_{} \cup \mathcal {Q}, {{t}}) \\&\le \mathrm {flip}(\bar{\mathcal {P}}_{} \cap \bar{\mathcal {Q}}\rightarrow \mathcal {P}_{} \cap \bar{\mathcal {Q}}, {{t}}) + \mathrm {flip}(\bar{\mathcal {P}}_{} \cap \bar{\mathcal {Q}}\rightarrow \mathcal {Q}, {{t}}) \\&\le \mathrm {flip}(\mathcal {P}_{} \,\vert \,\bar{\mathcal {Q}}, {{t}}) + \mathrm {flip}(\bar{\mathcal {Q}}\rightarrow \mathcal {Q}, {{t}}) . \end{aligned}$$

On the other hand,

$$\begin{aligned} \mathrm {flip}(\mathcal {P}_{} \cup \mathcal {Q}\rightarrow \overline{\mathcal {P}_{} \cup \mathcal {Q}}, {{t}})&= \mathrm {flip}(\mathcal {P}_{} \cup \mathcal {Q}\rightarrow \bar{\mathcal {P}}_{} \cap \bar{\mathcal {Q}}, {{t}}) \\&= \max (\mathrm {flip}(\mathcal {P}_{} \cap \bar{\mathcal {Q}}{} \rightarrow \bar{\mathcal {P}}_{} \cap \bar{\mathcal {Q}}, {{t}}), \mathrm {flip}(\mathcal {Q}\rightarrow \bar{\mathcal {P}}_{} \cap \bar{\mathcal {Q}}, {{t}})) \\&\le \max (\mathrm {flip}(\bar{\mathcal {P}}_{} \,\vert \,\bar{\mathcal {Q}}, {{t}}), \mathrm {flip}(\mathcal {Q}\rightarrow \bar{\mathcal {Q}}, {{t}})) . \end{aligned}$$

Therefore, we get that \(\mathbf {I}(\mathcal {P}_{} \cup \mathcal {Q}) \le \mathbf {I}(\mathcal {P}_{} \,\vert \,\bar{\mathcal {Q}}, {{t}}) + \mathbf {I}(\mathcal {Q},{{t}})\).

We now state the lifting lemma.

Lemma 9

(Lifting lemma). Let \(G\) be a base game. Then for any database property \(\mathcal {Q}\),

$$\begin{aligned} \omega _{\mathsf {D}}^{*}(G, {{t}}) \le {{t}}^2 \cdot 6\left( \mathbf {I}( \mathcal {P}_{G} \,\vert \,\bar{\mathcal {Q}}, {{t}}) + \mathbf {I}(\mathcal {Q}, {{t}})\right) . \end{aligned}$$

Proof

Let \(\mathcal {P}_{}\) and \(\mathcal {Q}\) be two database properties. We show that for every it holds that

Let \(\mathcal {R}= \mathcal {P}_{} \cup \mathcal {Q}\). Then by Lemmas 7 and 8 we have that

where the first inequality holds since \(\mathcal {P}_{} \subseteq \mathcal {R}\). Finally, we use the fact that \(\mathbf {I}(\mathcal {R}, {{t}}) = \mathbf {I}(\mathcal {P}_{} \cup \mathcal {Q}, {{t}}) \le \mathbf {I}(\mathcal {P}_{} \,\vert \,\bar{\mathcal {Q}}, {{t}}) + \mathbf {I}(\mathcal {Q}, {{t}})\), which completes the proof.