On the Two-sided Permutation Inversion Problem

In the permutation inversion problem, the task is to find the preimage of some challenge value, given oracle access to the permutation. This is a fundamental problem in query complexity, and appears in many contexts, particularly cryptography. In this work, we examine the setting in which the oracle allows for quantum queries to both the forward and the inverse direction of the permutation -- except that the challenge value cannot be submitted to the latter. Within that setting, we consider two options for the inversion algorithm: whether it can get quantum advice about the permutation, and whether it must produce the entire preimage (search) or only the first bit (decision). We prove several theorems connecting the hardness of the resulting variations of the inversion problem, and establish a number of lower bounds. Our results indicate that, perhaps surprisingly, the inversion problem does not become significantly easier when the adversary is granted oracle access to the inverse, provided it cannot query the challenge itself.


The permutation inversion problem
The permutation inversion problem is defined as follows: given a permutation π : [N ] → [N ] and an image y ∈ [N ], output the correct preimage x := π −1 (y).In the decision version of the problem, it is sufficient to output only the first bit of x.If the algorithm can only access π by making classical queries, then making T = Ω(N ) queries is necessary and sufficient for both problems.If quantum queries are allowed, then Grover's algorithm can be used to solve both problems with T = O( √ N ) queries [Gro96,Amb02], which is worst-case asymptotically optimal [BBBV97, Amb02,Nay10].
In this work, we consider the permutation inversion problem in a setting where the algorithm is granted both forward and inverse quantum query access to the permutation π.In order to make the problem nontrivial, we modify the inverse oracle so that it outputs a reject symbol when queried on the challenge image y.We call this the two-sided permutation inversion problem.This variant appears naturally in the context of chosen-ciphertext security for encryption schemes based on (pseudorandom) permutations [KL20], as well as in the context of sponge hashing (SHA3) [GJMG11].We consider several variants: 1. (Auxiliary information.)With this option enabled, the inversion algorithm now consists of two phases.The first phase is given a full description of π (e.g., as a table) and allowed to prepare an arbitrary quantum state ρ π consisting of S qubits.This state is called auxiliary information or advice.The second phase of the inversion algorithm is granted only the state ρ π and query access to π, and asked to invert an image y.The two phases of the algorithm can also share an arbitrarily long uniformly random string, referred to as shared randomness.The complexity of the algorithm is measured in terms of the number of qubits S of the advice state (generated by the first phase) and the total number of queries T (made during the second phase.) 2. (Adaptive restriction of challenge distribution.)In this case, the inversion algorithm again consists of two phases.The first phase is again given a full description of π, and allowed to output a string µ ∈ {0, 1} m for m < n, where n = √ N .The second phase is then granted query access to π and asked to invert an image y which is sampled uniformly at random from the set of all strings whose last m bits equal µ.

(Search vs Decision.)
Here the two options simply determine whether the inversion algorithm is tasked with producing the entire preimage x = π −1 (y) of the challenge y (search version), or only the first bit x 0 (decision version.) If the algorithm is solving the search problem, we refer to it as a search permutation inverter, or SPI.If it is solving the decision problem, we refer to it as a decision permutation inverter, or DPI.If an SPI uses S qubits of advice and T queries to succeed with probability at least ϵ in the search inversion experiment, we say it is a (S, T, ϵ)-SPI.If a DPI uses S qubits of advice and T queries to succeed with probability at least 1/2 + δ in the decision inversion experiment, we say it is a (S, T, δ)-DPI.If the algorithm is allowed to adaptively restrict the challenge distribution, we say it is adaptive and denote it by aSPI or aDPI, as appropriate.
In this work, we are mainly interested in the average-case setting.This means that both the permutation π and the challenge image y are selected uniformly at random.Moreover, the success probability is taken over all the randomness in the inversion experiment, i.e., over the selection of π and y along with all internal randomness and measurements of the inversion algorithm.
In Section 2, we present technical preliminaries, including the swapping lemma and quantum random access codes (QRAC), for subsequent proof.In Section 3, we introduce several definitions of the permutation inversion problem, with both auxiliary information and adaptive restriction of challenge distribution.Within Section 4, we show methods for amplifying the success probability of inversion in the non-adaptive case.Subsequently, in Section 5, we illustrate two reductions: from search-to-decision with auxiliary information and from unstructured search-to-decision without auxiliary information.These reductions are then utilized to derive lower bounds, as shown in Section 6.Finally, in Section 7, we propose a novel security notion, called one-way-QCCRA2, and establish the security of two common schemes under this notion, subject to specific conditions.
We remark that some of these previous works [CX21, CLQ19, NABT14] do not fully address the average-case setting.Specifically, they deal with inverters that are "restricted" in the following manner.First, the inverter is said to "invert y for π" if it succeeds in the inversion experiment for the specific pair (π, y) with probability at least 2/3.Second, the inverter is said to "invert a δ-fraction of inputs" if Pr π,y [the inverter inverts y for π] ≥ δ.This type of inverter is clearly captured by our notion above: it is an (S, T, 2δ/3)-SPI.However, there are successful inverters of interest that are captured by our definition but are not restricted.For example, in a cryptographic context, one would definitely be concerned about adversaries that can invert every (π, y) with a probability of exactly 1/n.Such an adversary is clearly a (S, T, 1/n)-SPI, but is not a restricted inverter for any value of δ.Other works also consider the general average-case (e.g., [CGLQ20,Liu23,HXY19]) but without two-way oracle access.Note that the lower bound for restricted adversaries described in [NABT14,CLQ19] can be translated to the more general lower bound in a black box way by applying our amplification procedure described in Lemma 3.
To our knowledge, the two-way variant of the inversion problem has only been considered in one other work.Specifically, [CX21] gives a lower bound of T = Ω(N 1/5 ) to invert a random injective function (with two-way access and no advice) with a non-negligible success probability.
Another novelty of our work is that we give lower bounds and time-space tradeoffs for the decision problem (rather than just search).While prior work [CGLQ20] also considered the general decision game, their generic framework crucially relies on compressed oracles [Zha19] which are only known to support random functions.Consequently, their techniques cannot readily be applied in the context of permutation inversion due to a lack of "compressed permutation oracles".
We remark that the notion of two-way quantum accessibility to a random permutation has been considered in other works; for example, [ABKM22, ABK + 22] studied the hardness of detecting certain modifications to the permutation in this model.By contrast, we are concerned with the problem of finding the inverse of a random image.

Swapping Lemma
Let A f be a quantum algorithm with quantum oracle access to a function f : X → Y, for some finite sets X and Y. Let S ⊆ X be a subset.Then, the total query magnitude of A f on the set S is defined as , where |ψ t ⟩ represents the state of A just before the (t + 1) st query and Π S is the projector onto S acting on the query register of A. We use the following simple fact: for any subset S ⊆ X and A making at most T queries, it holds that q(A f , S) ≤ T .The following lemma controls the ability of a query algorithm to distinguish two oracles, in terms of the total query magnitude to locations at which the oracles take differing values.
Lemma 1 (Swapping Lemma, [Vaz98]).Let f, g : X → Y be functions with f (x) = g(x) for all x / ∈ S, where S ⊆ X .Let |Ψ f ⟩ and |Ψ g ⟩ denote the final states of a quantum algorithm A with quantum oracle access to the functions f and g, respectively.Then, where ∥ |Ψ f ⟩ − |Ψ g ⟩ ∥ denotes the Euclidean distance and where T is an upper bound on the number of quantum oracle queries made by A.

Lower bounds for quantum random access codes
Quantum random access codes [Wie83, ANTSV99, ALMO08] are a means of encoding classical bits into (potentially fewer) qubits.We use the following variant from [CLQ19].
Definition 1 (Quantum random access codes with variable length).Let N be an integer and let F N = {f : [N ] → X N } be an ensemble of functions over some finite set X N .A quantum random access code with variable length (QRAC-VL) for F N is a pair (Enc, Dec) consisting of a quantum encoding algorithm Enc and a quantum decoding algorithm Dec: • Enc(f ; R): The encoding algorithm takes as input a function f ∈ F N together with a set of random coins R ∈ {0, 1} * , and outputs a quantum state ρ on ℓ = ℓ(f ) many qubits (where ℓ may depend on f ).
• Dec(ρ, x; R): The decoding algorithm takes as input a state ρ, an element x ∈ [N ] and random coins R ∈ {0, 1} * (same randomness used for the encoding), and seeks to output f (x).
The performance of a QRAC-VL is characterized by parameters L and δ.
be the average length of the encoding over the uniform distribution on f ∈ F N , and let be the probability that the scheme correctly reconstructs the image of the function, where and R are all chosen uniformly at random.
We use the following information-theoretic lower bound on the expected length of any QRAC-VL scheme for permutations, which is a consequence of [CLQ19, Theorem 5].

The permutation inversion problem
We begin by formalizing the search version of the permutation inversion problem.We let [N ] = {1, ..., N }; typically we choose N = 2 n for some positive integer n.For f : X → Y a function from a set X to an additive group Y (typically just bitstrings), the quantum oracle O f is the unitary operator O f : |x⟩ |y⟩ → |x⟩ |y ⊕ f (x)⟩.We use A O f (or sometimes simply A f ) to denote that algorithm A has quantum oracle access to f .Definition 2. Let m, n ∈ N and M = 2 m , N = 2 n .An adaptive search-version permutation inverter (aSPI) is a pair aS = (aS 0 , aS 1 ) of quantum algorithms, where • aS 0 is an algorithm that receives as input a truth table for a permutation over [N ] and a random string r, and outputs a quantum state as well as a classical string µ ∈ {0, 1} m with 0 ≤ m < n; • aS 1 is an oracle algorithm that receives a quantum state, a classical string µ ∈ {0, 1} m , an image y ∈ [N ], and a random string r, and outputs x ∈ {0, 1} n−m .
Note that m is a parameter of the adaptivity, i.e. the length of the adaptive string.
We will consider the execution of an aSPI aS in the following experiment, where To keep the notation simple, we write this entire process as x * ← aS π ⊥y 1 (ρ π,r,µ , µ, y, r).We will use π ⊥y to denote simultaneous access to the two oracles in (1) throughout the paper.
Note that the two oracles allow for the evaluation of the permutation π in both the forward and inverse directions.To disallow trivial solutions, the oracle outputs a fixed "reject" element 1 ⌈log N ⌉ ∥1 ∈ [N ] × {0, 1} if queried on y in the inverse direction.Definition 3.An (S, T, ϵ)-aSPI is a search-version adaptive permutation inverter aS = (aS 0 , aS 1 ) satisfying all of the following: 1. Pr π −1 (y) ← aS π ⊥y 1 (ρ, µ, y, r) : (ρ, µ) ← aS 0 (π, r), y = π(x∥µ) ≥ ϵ, where the probability is taken over π ← S N , r ← {0, 1} * and x ← {0, 1} n−m , along with all internal randomness and measurements of aS; 2. S = S(aS) is an upper bound on the number of qubits of ρ in the above.
3. T = T (aS) is an upper bound on the number of oracle queries made by aS 1 .We emphasize that the running time of aS and the length of the shared randomness r are only required to be finite.We will assume that both S and T depend only on the parameter N ; in particular, they will not vary with π, y, r, or any measurements.Definition 4. A search-version permutation inverter (SPI) S = (S 0 , S 1 ) is defined as an aSPI with m = 0.An (S, T, ϵ)-SPI is an (S, T, ϵ)-aSPI with m = 0.

Decision version.
The decision version of the permutation inversion problem is defined similarly to the search version above.An adaptive decision-version permutation inverter (aDPI) is denoted aD = (aD 0 , aD 1 ), and outputs one bit b rather than a full candidate preimage.In the "check" phase of the experiment, the single-bit output b of aD 1 is compared to the first bit π −1 (y)| 0 of the preimage of the challenge y.Success probability is now measured in terms of the advantage over the random guessing probability of 1/2.Definition 5. A (S, T, δ)-aDPI is a decision-version adaptive permutation inverter aD = (aD 0 , aD 1 ) satisfying all of the following: 1. Pr π −1 (y)| 0 ← aD π ⊥y 1 (ρ, µ, y, r) : (ρ, µ) ← aD 0 (π, r), y = π(x∥µ) ≥ 1 2 + δ, where the probability is taken over π ← S N , r ← {0, 1} * and x ← {0, 1} n−m , along with all internal randomness and measurements of aD.Here π −1 (y)| 0 denotes the first bit of π −1 (y) 2. S = S(aS) is an upper bound on the number of qubits of ρ in the above.
3. T = T (aS) is an upper bound on the number of oracle queries made by aS 1 .Definition 6.A decision-version permutation inverter (DPI) D = (D 0 , D 1 ) is defined as an aDPI with m = 0.An (S, T, δ)-DPI is an (S, T, δ)-aDPI with m = 0.

Amplification
In this section, we show how to amplify the success probability of search and decision inverters, in the non-adaptive (i.e., m = 0) case.The construction for the search case is shown in Protocol 1.

(Oracle Algorithm) S[ℓ]
a How to construct this quantum oracle is described in Appendix B.1.
In the adaptive case, a difficulty arises with the above approach.To amplify the probability, we randomize the permutation in each iteration and aS[ℓ] 0 produces corresponding advice for each randomized permutation.In the adaptive case, aS[ℓ] 0 needs to output an adaptive string µ which is used to produce the image y.However, running aS 0 for each randomized permutation will, in general, result in a different µ in each execution, and it is unclear how one can use these to generate a single µ ′ in the amplified algorithm.We remark that other works considered different approaches to amplification, e.g., via quantum rewinding [HXY19] and the gentle measurement lemma [CGLQ20].
Proof.We consider the execution of the ℓ-time repetition of (S, T, ϵ)-SPI, denoted by SPI S[ℓ], in the search permutation inversion experiment defined in Protocol 1.By construction, S[ℓ] runs ℓ-many SPI procedures (S 0 , S 1 ).Since S is assumed to be an (S, T, ϵ)-SPI, let where the probability is taken over π ← S N and r ← {0, 1} * (which is used to sample permutations σ i ), along with all internal measurements of S.
Essentially, for all i ∈ [0, ℓ − 1], the goal of the i-th trial is to find the preimage x i such that σ 2,i (x i ) = π −1 (y).Since all {σ 2,i } are independently randomly generated, the elements σ 2,i (x i ) are independent for each i in the range [0, ℓ − 1].Therefore, all ℓ trails are mutually independent.Therefore, we get that Given that the SPI (S 0 , S 1 ) requires space S and T queries, we have that (S[ℓ] 0 , S[ℓ] 1 ) requires space S(S[ℓ]) = ℓ • S and query number T (S[ℓ]) = ℓ • (T + 1), as both algorithms need to run either S 0 or S 1 ℓ-many times as subroutines.This proves the claim.
We also need a variant of the above to compute the search lower bound.Lemma 3. Let S be a (S, T, ϵ)-SPI for some ϵ > 0.Then, we can construct an SPI S

using S(S[ℓ]) qubits of advice and making T (S[ℓ]) queries, with
The proof is analogous to Lemma 2 and is given in Appendix B.2.We also consider amplification for the decision version; the construction is essentially the same, except that the final "check" step is replaced by outputting the majority bit.

Lemma 4 (Amplification, decision). Let D be a (S, T, δ)-DPI for some
The proof is analogous to the search version and given in Appendix B.3.

Reductions
We give two reductions related to the inversion problem: a search-to-decision reduction (for the case of advice), and a reduction from unstructured search to the decision inversion problem (for the case of no advice).

A search-to-decision reduction
To construct a search inverter from a decision inverter, we take the following approach.We first amplify the decision inverter so that it correctly computes the first bit of the preimage with certainty.We then repeat this amplified inverter n times (once for each bit position) but randomize the instance in such a way that the j-th bit of the preimage is permuted to the first position.We then output the string of resulting bits as the candidate preimage.
Theorem 2. Let D be a (S, T, δ)-DPI.Then for any ℓ ∈ N, we can construct a (nℓS, nℓT, η)-SPI with Proof.Given an δ-DPI (D 0 , D 1 ) with storage size S and query size T , we can construct a η ′ -DPI (D[ℓ] 0 , D[ℓ] 1 ) with storage size ℓS and query size ℓT through ℓ-time repetition.By Lemma 4, we have that η as a subroutine.In the following, we represent elements in [N ] using a binary decomposition of length ⌈log N ⌉.To state our search-to-decision reduction, we introduce a generalized swap operation, denoted by swap a,b , which acts as follows for any quantum state of m qubits: 1 Here, we borrow the notation for Oπ and O π −1 ⊥y from the experiment described in Section 3.
We now argue that the probability that D[ℓ] 1 correctly recovers the pre-image bits b i and b j is independent for each i ̸ = j.From Lemma 4, we know that D[ℓ] 1 runs D 1 as a subroutine, i.e. it decides the first bit of the pre-image of y by running D 1 (in Lemma 4) ℓ times with different random coins.It actually needs to recall D 1 for amplification and for each iteration in this amplification k ∈ [0, ℓ − 1], where the actual modified permutation under use is σ i,k • π • swap 0,i and image is σ i,k (y).Similarly for term j, σ j,k • π • swap 0,j and σ j,k (y) is used as the permutation and image.Since the random coins (r i and r j ), which are used to modify the target permutation π, are independently random, those random permutations (σ i,k and σ j,k ) generated from random coins are independently random and so do those modified composition permutations, images, and advice states.
Similarly, S 1 runs D[ℓ] 1 to obtain b j and thus it requires ⌈log N ⌉ℓT queries in total.
Comparison to O2H lemma.The one-way to hiding (O2H) lemma [AHU19] also presents a natural reduction from search to decision in the context of general quantum oracle algorithms.However, it is quite limited in our setting.For example, given a decision inverter capable of computing the first bit of π −1 (y) with certainty after q queries, the O2H lemma yields a search inverter that can invert y with success probability 1 4q 2 after ≈ q queries.By comparison, our amplification technique achieves an inversion of y with a success probability of 1 with nq queries, which is significantly better in the relevant setting of q ≫ n.However, in applications where only one copy of the advice is available for the amplified algorithm, O2H still works while our amplification technique fails.

A reduction from unstructured search
Second, we generalize the method used in [Nay10] to give a lower bound for adaptive decision inversion without advice.Unlike in Nayak's original reduction, here we grant two-way access to the permutation.Recall that, in the unique search problem, one is granted quantum oracle access to a function f : [N ] → {0, 1} which is promised to satisfy either |f −1 (1)| = 0 or |f −1 (1)| = 1; the goal is to decide which is the case.The problem is formally defined below.Definition 7. (UNIQUESEARCH n ) Given a function f : {0, 1} n → {0, 1}, such that f maps at most one element to 1, output YES if f −1 (1) is non-empty and NO otherwise.Definition 8. (Distributional error) Suppose an algorithm solves a decision problem with error probability at most p 0 for NO instances and p 1 for YES instances.Then we say this algorithm has distributional error (p 0 , p 1 ).
We now establish a reduction from unstructured search to adaptive decision inversion.Theorem 3. If there exists a (0, T, δ)-aDPI, then there exists a quantum algorithm that solves UNIQUESEARCH n−m−1 with at most 2T queries and distributional error 1 2 − δ, 1 2 .Proof.Our proof is similar to that of Nayak [Nay10]: given a (0, T, δ)-aDPI A, we construct another algorithm B which solves the UNIQUESEARCH n−m−1 problem.
Let N = 2 n .For any uniform image t ∈ [N ], define the NO and YES instances sets (corresponding to the image t) of the decision permutation inversion problem with size N : Note that for a random permutation π, whether π ∈ π t,0 or π t,1 simply depends on the choice of t.Since t is uniform, Pr[π ∈ π t,0 ] = Pr[π ∈ π t,1 ] = 1/2.We also consider functions h : [N ] → [N ] with a unique collision at t.One of the colliding pairs should have the first bit 0, and the other one should have the first bit 1.Moreover, the last m bits of the colloding pair is µ.Formally speaking, h(0∥i∥µ) = h(1∥j∥µ) = t, where i, j ∈ {0, 1} n−m−1 .Let Q t,µ denote the set of all such functions.Furthermore, given a permutation π on [N ], consider functions in Q t,µ that differ from π at exactly one point.These are functions h with a unique collision and the collision is at t.If π ∈ π t,0 , π(0∥i∥µ) = h(0∥i∥µ) = t and 1∥j∥µ is the unique point where π and h differ; if π ∈ π t,1 , π(1∥j∥µ) = h(1∥j∥µ) = t and 0∥i∥µ is the unique point where π and h differ.Let Q π,t,µ denote the set of such functions h and clearly Q π,t,µ ⊆ Q t,µ .Note that if we pick a random permutation π in {π N } and choose a uniform random h ∈ Q π,t,µ , h is also uniform in Q t,µ .Next, we construct an algorithm B that tries to solve UNIQUESEARCH n−m−1 as follows, with quantum oracle access to f : 1. B first samples some randomness r ∈ {0, 1} * , a uniform random string s ∈ {0, 1} n−m and a permutation π ∈ {π N }.

B then runs
A with quantum orale access to π, π −1 until it receives a string µ ∈ {0, 1} m from A.
4. B then constructs a function h f,π,t,µ and h −1 * f,π,t,µ as follows.If π ∈ π t,0 , for any i ∈ {0, 1} and j ∈ {0, No matter what instance sets π belongs to, the corresponding "inverse" function is defined as 5. B then sends t, µ and r to A, runs it with quantum oracle access to h f,π,t,µ and h −1 * f,π,t,µ , and finally gets back b ′ .For simplicity, we write this process as b ′ ← A h ⊥t (t, µ, r).2

B outputs b
Let δ 1 be the error probability of A in the YES case and δ 0 be that in the NO case of (0, T, δ)-DPI.Since s is uniform random and then Pr We now analyze the error probability of B in the YES and NO cases.In the NO case, f −1 (1) is empty, so no matter whether π ∈ π t,0 or π ∈ π t,1 , h f,π,t,µ = π.It follows that In the YES case, f −1 (1) is not empty, so function h f,π,t,µ has a unique collision at t, with one of the colliding pair having first bit 0 and the other one having first bit 1, no matter π ∈ π t,0 or π t,1 .As f is a black-box function, the place j where f (j) = 1 is uniform and so h f,π,t,µ is uniform in Q π,t,µ .By arguments at the beginning of this proof, as π is uniform, the function is also uniform in Q t,µ .Let p := Pr Therefore, where the third equality comes from the fact stated above: no matter π ∈ π t,0 or π ∈ π t,1 , the corresponding h is uniform in Q t,µ and then can be viewed as uniform randomly generated from Q t,µ .Since A is granted with oracle access to h, both conditions can be changed to h f,π,t,µ $ ← − Q t,µ .Note that given h, even if A can notice that it is not a permutation and then acts arbitrarily, this can only influence the probability of two terms individually, i.e. the value of p and 1 − p.But as we only care about their summation, we do not need to handle the consequence of A noticing the difference, including the probability of oracle distinguishability.

Search version
We now give lower bounds for the search version of the permutation inversion problem over [N ].We begin with a lower bound for a restricted class of inverters (and its formal definition); these inverters succeed on an ϵ-fraction of inputs with constant probability (say, 2/3.).The proof uses a similar approach as in previous works on one-sided permutation inversion with advice [NABT14, CLQ19, HXY19].
Proof.To prove the claim, we construct a QRAC-VL scheme that encodes the function π −1 and then derive the desired space-time trade-off via Theorem 1.Let S = (S 0 , S 1 ) be an 2ϵ/3-SPI that succeeds on a ϵ-fraction of inputs with probability at least 2/3.In other words, S satisfies Pr By the averaging argument in Lemma 7 with parameter θ = 1/2, it follows that there exists a large subset X ⊆ S N of permutations with size at least N !/2 such that for any permutation π ∈ X , we have that Pr For a given permutation π ∈ X we let I be the set of indices x ∈ [N ] such that S correctly inverts π(x) with probability at least 2/3 over the choice of r.By the definition of the set X , we have that |I| ≥ ϵ/2 • N .Our QRAC-VL scheme (Enc, Dec) for encoding permutations is described in detail in Protocol 2. Below, we introduce some additional notations that will be relevant to the scheme.For convenience, we model the two-way accessible oracle given to S 1 in terms of a single oracle for the merged function of the form3 π ⊥y (w, a) Let c, γ ∈ (0, 1) be parameters.As part of the encoding, we use the shared randomness R ∈ {0, 1} * to sample a subset R ⊆ [N ] such that each element of [N ] is contained in R with probability γ/T (S) 2 .Moreover, we define the following two disjoint subsets of [N ] × {0, 1}: Let G ⊆ I be the set of x ∈ [N ] which satisfy the following two properties: 1.The element x is contained in the set R, i.e.

The total query magnitude of S
π ⊥y 1 with input (S 0 (π, r), y, r) on the set Σ R 0 ∪ Σ R 1 is bounded by c/T (S).In other words, we have Claim 1.Let G ⊆ [N ] be the set of x which satisfy the conditions in (5) and (6).Then, there exist constants γ, c ∈ (0, 1) such that In other words, we have |G| = Ω(ϵN/T (S) 2 ) with high probability.
Proof.(of the claim) Let H = R ∩ I denote the set of x ∈ R for which S correctly inverts π(x) with probability at least 2/3 over the choice of r.By the definition of the set R, it follows that |H| has a binomial distribution.Therefore, in expectation, we have that |H| = γ|I|/T (S) 2 .Using the multiplicative Chernoff bound in Lemma 5 and the fact that for all sufficiently large N .Because each query made by S 1 has unit length and because S 1 makes at most T (S) queries, it follows that We obtain the following upper bound for the average total query magnitude: .
(by the inequality in (8)) Hence, by Markov's inequality, Let us now denote by J the subset of x ∈ I that satisfy Eq. ( 5) but not Eq.( 6).Note that Eq. (5) and Eq. ( 6) are independent for each x ∈ I, since Eq. ( 5) is about whether x ∈ R and Eq. ( 6) only concerns the intersection of R and [N ] \ {x}, as well as π(R) and π([N ]) \ {π(x)}.Therefore, by (9), the probability that x ∈ I satisfies x ∈ J is at most γ 2 /(cT (S) 2 ).Hence, by Markov's inequality, Using ( 7) and (10), we get with probability at least 0.8 over the the choice of R, given that γ is a sufficiently small positive constant.
. Use the classical flag case = 2 (taking one additional bit) and output the following 1.The size of G, encoded using log N bits; 2. the set G ⊆ R, encoded using log |R| |G| bits; 3. The permutation π restricted to inputs outside of G, encoded using log(N !/|G|!) bits; 4. Quantum advice used by the algorithm repeated ρ times with α ⊗ρ , for α ← S 0 (π, r) for some ρ that we will decide later.(We can compute this as the encoder can preprocess multiple copies of the same advice.Note that this is the only part of our encoding that is not classical.) • Dec(β, y; R): On input encoding β, image y ∈ [N ] and randomness R ∈ {0, 1} * , first use R to extract random coins r and then proceed as follows: Case 1: This corresponds to the flag case = 1.Search the permutation table for π −1 and output x such that π −1 (y) = x.
Let us now analyze the performance of our QRAC-VL scheme (Enc, Dec) in Protocol 2. Let |Ψ π ⊥y ⟩ and |Ψ π⊥y ⟩ denote the final states of S 1 when it is given the oracles π ⊥y and π⊥y , respectively.By Lemma 1 and the properties of the total query magnitude: Since x ∈ I, it follows from the definition of I that measuring |Ψ π ⊥y ⟩ results in x with probability at least 2/3.Given a small enough positive constant c, we can ensure that measuring |Ψ π⊥y ⟩ will result in x with probability at least 0.6.We now examine the length of our encoding.With probability 1 − ϵ/2, we have π / ∈ X ; with probability ϵ(1 − 0.8)/2, we have π ∈ X but G is small, i.e., Therefore, except with probability 1 − 0.4ϵ, our encoding will result in the flag case = 1, where the encoding consists of 1 + log N !classical bits and the decoder succeeds with probability 1.With probability 0.4ϵ , our encoding has the flag case = 2, and the size equals By the assumption that In the case when the decoder is queried on an input that is already known, that is y / ∈ π(G) (which occurs with probability 1 − |G|/N ), the decoder recovers the correct pre-image with probability 1.Otherwise, the analysis is the following: with just one copy of the advice, the decoder recovers the correct pre-image with probability 2/3, and hence with ρ many copies, the decoder can take the majority vote and recover the correct pre-image with probability 1 − exp(−Ω(ρ)).The latter follows from the Chernoff bound in Lemma 5. Overall, the average encoding length is where the average success probability is 1 − |G|/N • exp(−Ω(ρ)).By setting ρ = Ω(log(N/ϵ)) = Ω(log N ), the average success probability amounts to 1 − O(1/N 2 ).Therefore, using the lower bound in Theorem 1, we have where the second and the last equality comes from the fact that ϵ = ω(1/N ) and ρ = Ω(log N ), respectively.Since log |G|! = O(|G| log |G|), it follows that As we are conditioning on the event that G is large, plugging in the lower bound on |G|, we have that, for sufficiently large N , S(S) ≥ Ω(|G|), and thus This gives the desired space-time trade-off.
We remark that the search inverter we consider in Theorem 4 succeeds on more than just a constant number of inputs, that is ϵ = ω(1/N ), and beats the time complexity of T = Ω( √ ϵN ) which is required for unstructured search using Grover's algorithm.[Gro96,DH08,Zha19].Next, we remove the restriction on the inverter by applying amplification (specifically, Corollary 3.) This yields a lower bound in the full average-case version of the search inversion problem.

Plugging in the expressions for S(S[ℓ]) and T (S[ℓ]
), we get that with assumption the trade-off between space and time complexities is Note that we incur a loss (ϵ 3 versus ϵ) in our search lower bound due to the fact that we need to amplify the restricted search inverter in Theorem 4. This results in a multiplicative overhead of Θ(1/ϵ) in terms of space and time complexity, as compared to the restricted inverter.We remark that a similar loss as a result of amplification is also inherent in [HXY19].

Space-time tradeoff, no adaptive sampling
The search lower bound of Theorem 5, when combined with the search-to-decision reduction of Theorem 2, yields a lower bound for the decision version.
Corollary 1.Let D be a (S, T, δ)-DPI for some δ > 0. Suppose that δ = ω(1/N ) and N and S ≥ 1.Then, for sufficiently large N we have .It directly follows from Theorem 5 that with conditions S satisfies the space-time trade-off lower bound for sufficiently large N .
Similar to the search lower bound from before, we incur a loss that amounts to a factor δ 6 .This results from our specific approach which is based on the search-to-decision reduction in Theorem 2. We believe that our lower bound could potentially be improved even further.

Time lower bound, adaptive sampling
In the case of an adaptive decision inverter without advice, we can get a tight bound by means of the reduction from the unique search problem (Theorem 3), combined with well-known lower bounds on the average-case unique search problem.Theorem 6.Let D be a (0, T, δ)-aDPI.Then T 2 ≥ Ω(δN/M ).
Proof.Since D is a (0, T, δ)-DPI, by the lower bound of unique search problem [Gro96, Zal99, Nay10, Zha19], we get a 2T -query algorithm for UNIQUESEARCH n−1 with distributional error ( 1 2 − δ, 1 2 ).Since the YES and NO cases are uniformly distributed, we can write the overall error probability as Then by the lower bound of unique search, we have We note that with non-adaptive D, i.e. m = 0, the above bound reduces to query lower bound T 2 ≥ Ω (δN ).PRP Scheme.Let {P k : {0, 1} 2n → {0, 1} 2n } be a family of ϵ-Qsecure PRPs and consider the following scheme: • Gen takes as input a security parameter 1 n and returns a key k ∈ {0, 1} n for P k ; • Enc is given key k ∈ {0, 1} n , m ∈ {0, 1} n and r ∈ {0, 1} n , and outputs c := P k (m||r); • Dec is given key k ∈ {0, 1} n and c ∈ {0, 1} 2n , and outputs the first n bits of P −1 k (c).Of course, any practical scheme should be efficient, and indeed we can show that the PRP scheme is OW-QCCRA2 in two special cases: when there is no advice, i.e., S = 0 (we call this OW-QCCRA2-v1) and when there is no adaptivity, i.e., |µ| = 0 (we call this OW-QCCRA2-v2).We are able to prove the following theorems.
Theorem 7. The PRP scheme is OW-QCCRA2-v1.In other words, for any quantum adversary A who makes t(n) quantum queries in the pre-challenge phase and ℓ(n) quantum queries in the post-challenge phase, it holds that Here, and ϵ is a negligible function.Proof.Given an adversary A that attacks the RP scheme in the OW-QCCRA2 experiment described in Definition 9 with S = 0, we can construct a (0, T, δ)-aDPI aD = (aD 0 , aD 1 ) in the decision inversion experiment, which takes place as follows: 1. (sample instance and coins) a random permutation π : {0, 1} n → {0, 1} n is sampled; 2. (prepare advice) aD 0 is given the whole permutation table of π.Then it constructs oracles Enc(•; •) = π(•∥•) and Dec(•) = π −1 (•) and gives A quantum oracle access.aD 0 will get back a (n − 1)-bit output string µ and then output it.Suppose A makes t(n) quantum queries.

It trivially follows that
Pr Exp OW-QCCRA2-v1 A,RP By assumption we have that, for all efficient quantum adversary A, there exists a negligible ϵ such that Where δ ≤ O( ℓ 2 2 n−1 2 2n ) by Theorem 6, and by Definition 10 ϵ is negligible.Remark that the above bound becomes 1 2 + negl(n) when A is a quantum polynomial time (QPT) adversary since both δ and ϵT are negligible when t and ℓ are of polynomial size.
Theorem 8.The PRP scheme is OW-QCCRA2-v2.In other words, for any quantum adversary A who makes t(n) quantum queries in the pre-challenge phase and ℓ(n) quantum queries in the post-challenge phase, it holds that Here, and ϵ is a negligible function.
Proof.Given an adversary A that attacks the RP scheme in the OW-QCCRA2 experiment described in Definition 9 with |µ| = 0, we can construct a (S, T, δ)-DPI D = (D 0 , D 1 ) in the decision inversion experiment.The construction is the same as Theorem 7, with slight modifications at the "prepare advice" and the "invert" step: By following the same procedure as in Theorem 7 but using the bound of Corollary 1, we get the desired bound.
Finally, we remark that the above results hold for the following strengthening of OW-QCCRA2, described as follows.Suppose that an encryption scheme satisfies the property that there exists an alternative decryption algorithm that can both compute the plaintext and also deduce the randomness that was initially used to encrypt.This property is true for the RP and PRP schemes, as well as some other standard encryption methods (e.g., Regev's secret-key LWE scheme, implicit in [Reg09]).For schemes in this category, one can also grant access to such an alternative decryption algorithm, thus expanding the form of "randomness access" that the adversary has.Our proofs show that the RP and PRP schemes are secure (in their respective setting) even against this form of additional adversarial power.

Future Work
For future applications, the two-sided permutation inversion problem appears naturally in the context of sponge hashing [GJMG11] which is used by the international hash function standard SHA3 [Dwo15].Previous work [CGBH + 18, CMSZ21] studied the post-quantum security of the sponge construction where the block function is either a random function or a (non-invertible) random permutation.However, as the core permutation in SHA3 is public and efficiently invertible, the "right setting" of theoretical study is one in which the block function consists of an invertible permutation.This setting is far less understood, and establishing the security of the sponge in this setting is a major open problem in post-quantum cryptography.Our results on two-sided permutation inversion may serve as a stepping stone towards this goal.

A Some basic probabilistic lemmas
In this section we collect a series of known probabilistic results, which we used in our main proofs.
We first record some basic lemmas about the behavior of certain types of random variables.
Lemma 7 (Averaging argument).Let X and Y be any finite sets and let Ω : X ×Y → {0, 1} be a predicate.Suppose that Pr x,y [Ω(x, y) = 1] ≥ ϵ, for some ϵ ∈ [0, 1], where x is chosen uniformly at random in X .Let θ ∈ (0, 1).Then, there exists a subset X θ ⊆ X of size Proof.Define p x = Pr y [Ω(x, y) = 1], for x ∈ X .Then, for ϵ ∈ [0, 1], we have Fix θ ∈ (0, 1).Because the weighted average above is at least ϵ, there must exist a subset X θ such that Recall that x is chosen uniformly at random in X .Using the reverse Markov's inequality, it follows that In other words, the subset X θ ⊆ X is of size at least

B Amplification proofs B.1 Quantum oracle construction in Protocol 1
In Protocol 1 step 2(c), S[ℓ] 1 , with quantum oracle access to O π , O π −1 ⊥y , needs to grant S 1 quantum oracle access to (σ . Here we give detailed constructions of these two oracles: • Whenever the algorithm S 1 queries the oracle O σ1,i•π•σ2,i on |w⟩ 1 |z⟩ 2 , S[ℓ] 1 performs the following reversible operations Then, S[ℓ] 1 sends the final state back to S 1 .
• Whenever S 1 queries the oracle on |w⟩ 1 |z⟩ 2 , the algorithm S[ℓ] 1 performs the following reversible operations: Then, S[ℓ] 1 sends the final state back to S 1 .

B.2 Another amplification lemma proof
Lemma 3. Let S = (S 0 , S 1 ) be an ϵ-SPI with space and time complexity given by S(S) and T (S), respectively, for some ϵ > 0.Then, we can construct an SPI S Let S N denote the set of permutations over [N ].From Lemma 7 it follows that there exists θ = 7/9 and a subset X θ ⊆ S N × [N ] of size at least such that, for every (π, y) ∈ X θ , we have Pr This proves the claim.

B.3 Decision amplification proof
Same as the search amplification, we amplify the success probability of a δ-DPI through ℓ-time repetition defined in Protocol 3. (b) D[ℓ] 0 uses r 0 , ..., r ℓ−1 to generate ℓ permutation pairs {σ 1,i , σ 2,i } ℓ−1 i=0 in S N , where σ 1,i is a random permutation, σ 2,i has the following form where r * i is some random bit generated from r i for all
Note that the resource requirements needed for the amplification procedure amount to space and time complexities ℓS and ℓT , respectively, similar as in Lemma 2.

C Quantum oracle constructions in Theorem 3
In Theorem 3, B, with quantum oracle access to f , needs to grant A quantum oracle access to h f,π,t,µ and h −1 * f,π,t,µ .Here we give detailed constructions of O h f,π,t,µ and O h −1 * f,π,t,µ . Note that π is sampled by B and so it is easy for it to construct quantum oracles O It is easy to see that y ⊕ (g(x) • t) ⊕ (g(x) • π(x)) = y ⊕ h f,π,t,µ (x).Therefore, to respond to one query to O h f,π,t,µ , B needs to query O f twice (once for computing and once for eliminating).The same thing can be done when π ∈ π t,1,µ .
prepare advice) D 0 is given the whole permutation table of π.Then it constructs oracles Enc(•; •) = π(•∥•) and Dec(•) = π −1 (•) and gives A quantum oracle access.D 0 will get back a S-qubit quantum state ρ and then output it.Suppose A makes t(n) quantum queries.(invert) An instance c = π(b||r) is computed, with b ∈ {0, 1} and r ∈ {0, 1} n are sampled.D 1 is run with c, quantum advice ρ and quantum oracle access O π and O π −1 ⊥y .It then directly passes c and two oracles to A and gets back a bit b ′ and outputs it.Suppose A makes ℓ(n) quantum queries.

Table 1 :
Summary of previous work on permutation inversion with advice.Success probability is denoted by ϵ.Note that ϵ = O(1) in [NABT14].