Paper 2020/693

Tight Quantum Time-Space Tradeoffs for Function Inversion

Kai-Min Chung, Siyao Guo, Qipeng Liu, and Luowen Qian


In function inversion, we are given a function $f: [N] \mapsto [N]$, and want to prepare some advice of size $S$, such that we can efficiently invert any image in time $T$. This is a well studied problem with profound connections to cryptography, data structures, communication complexity, and circuit lower bounds. Investigation of this problem in the quantum setting was initiated by Nayebi, Aaronson, Belovs, and Trevisan (2015), who proved a lower bound of $ST^2 = \tilde\Omega(N)$ for random permutations against classical advice, leaving open an intriguing possibility that Grover's search can be sped up to time $\tilde O(\sqrt{N/S})$. Recent works by Hhan, Xagawa, and Yamakawa (2019), and Chung, Liao, and Qian (2019) extended the argument for random functions and quantum advice, but the lower bound remains $ST^2 = \tilde\Omega(N)$. In this work, we prove that even with quantum advice, $ST + T^2 = \tilde\Omega(N)$ is required for an algorithm to invert random functions. This demonstrates that Grover's search is optimal for $S = \tilde O(\sqrt{N})$, ruling out any substantial speed-up for Grover's search even with quantum advice. Further improvements to our bounds would imply new classical circuit lower bounds, as shown by Corrigan-Gibbs and Kogan (2019). To prove this result, we develop a general framework for establishing quantum time-space lower bounds. We further demonstrate the power of our framework by proving the following results. * Yao's box problem: We prove a tight quantum time-space lower bound for classical advice. For quantum advice, we prove a first time-space lower bound using shadow tomography. These results resolve two open problems posted by Nayebi et al (2015). * Salted cryptography: We show that “salting generically provably defeats preprocessing,” a result shown by Coretti, Dodis, Guo, and Steinberger (2018), also holds in the quantum setting. In particular, we prove quantum time-space lower bounds for a wide class of salted cryptographic primitives in the quantum random oracle model. This yields a first quantum time-space lower bound for salted collision-finding, which in turn implies that ${PWPP}^{O} \not\subseteq {FBQP}^{O}{/qpoly}$ relative to a random oracle $O$.

Note: Minor updates from FOCS review comments.

Available format(s)
Publication info
Published elsewhere. FOCS2020
time-space tradeoffsquantum computationquantum query complexityquantum advicepost-quantum cryptographyfunction inversion
Contact author(s)
qipengl @ cs princeton edu
2020-11-22: revised
2020-06-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Kai-Min Chung and Siyao Guo and Qipeng Liu and Luowen Qian},
      title = {Tight Quantum Time-Space Tradeoffs for Function Inversion},
      howpublished = {Cryptology ePrint Archive, Paper 2020/693},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.