Quantum Multi-Solution Bernoulli Search with Applications to Bitcoin’s Post-Quantum Security

A proof of work (PoW) is an important cryptographic construct which enables a party to convince other parties that they have invested some eﬀort in solving a computational task. Arguably, its main impact has been in the setting of cryptocur-rencies such as Bitcoin and its underlying blockchain protocol, which have received signiﬁcant attention in recent years due to its potential for various applications as well as for solving fundamental distributed computing questions in novel threat models. PoWs enable the linking of blocks in the blockchain data structure, and thus the problem of interest is the feasibility of obtaining a sequence (“chain”) of such proofs. At the same time, the rapid development in quantum computing makes the threats to cryptography more and more concerning. In this work, we examine the hardness of ﬁnding such chain of PoWs against quantum strategies. We prove that the chain of PoWs problem reduces to a problem we call multi-solution Bernoulli search , for which we establish its quantum query complexity. Eﬀectively, this is an extension of a threshold direct product theorem to an average-case unstructured search problem. Our proof, adding to active recent eﬀorts, simpliﬁes and generalizes the recording technique due to Zhandry [Crypto 2019]. As an application, we revisit the formal treatment of security of the core of the Bitcoin consensus protocol, called the Bitcoin backbone [Eurocrypt 2015], in a setting where the adversary has quantum capabilities while the honest parties remain classical, and show that the protocol’s security holds under a quantum analogue of the classical “honest majority” assumption that we formulate. Our analysis indicates that the security of the Bitcoin backbone protocol is guaranteed provided that the number of adversarial quantum queries is bounded so that each quantum query is worth O ( p − 1 / 2 ) classical ones, where p is the probability of success of a


Introduction
A proof of work (PoW) enables a party to convince other parties that considerable effort has been invested in solving a computational task. First introduced by Dwork and Naor [1], PoWs serve as candidate solutions to thwarting spam emails and denial-of-service attacks. More recently in the setting of cryptocurrencies, PoWs have proven indispensable and manifested profound impact, where they lay the basis for consensus protocols in permissionless blockchains. In particular, Bitcoin [2] and its underlying blockchain protocol have drawn remarkable attention for the potential to resolve fundamental distributed computing problems in various threat models, as well as to enable novel applications.
In the blockchain setting, the objective of a PoW is to confirm new transactions to be included in the blockchain. To successfully create a PoW in Bitcoin, one needs to find a value ("witness") such that evaluating a hash function (SHA-256) on this value together with (the hash of) the last block and new transactions to be incorporated, yields an output below a threshold. A party who produces such a PoW gets to append a new block to the blockchain and is rewarded. A blockchain hence consists of a sequence of such blocks. Each party maintains such a blockchain, and attempts to extend it via solving a PoW. We refer to the task of creating a chain of multiple blocks as the Chain-of-PoWs problem. In more detail, we define these blockchain-inspired problems as follows.
Definition (Blockchain PoW-Informal). Given a hash function h, a positive integer T , and a string z representing the hash value of the previous block, the goal is to find a value ctr such that: h(ctr, z) ≤ T .
Definition (Chain-of-PoWs-Informal). Given a family of hash functions h i : X × Y → X, an initial value x 0 ∈ X, the goal is to output a chain of length k consisting of y 0 , . . . , y k−1 ∈ Y such that: Intuitively, the hardness of the Chain-of-PoWs problem is crucial to a robust blockchain and trustworthy Bitcoin applications. However, due to the complex nature of these protocols, obtaining a firm security claim in a formal mathematical model turns out to be challenging. At Eurocrypt 2015, Garay et al. [3] developed an abstraction of Bitcoin's underlying protocol termed the "Bitcoin backbone," which inspired a series of other formal treatments of Bitcoin (e.g., [4,5,6]). In essence, the backbone abstraction of [3] models the hash function of the PoW as a random oracle (RO) [7], and it assumes a uniform configuration among a fixed (albeit unknown) number of parties ("miners"), a fraction of which may behave arbitrarily as controlled by an adversary. Namely, the parties are endowed with the same computational power, as measured by the permitted number of queries to the RO per round. Following a modular approach, essential security properties of the backbone protocol, such as common prefix and chain quality, are formulated, which are proven sufficient to realize blockchain applications, notably a robust public transaction ledger (a.k.a. "Nakamoto consensus"). These properties, relying crucially on the hardness of Chain-of-PoWs, can then be established assuming honest majority of computational power.
The formal treatment in the works above assumes that parties are instantiated by "classical" computers. However, we are witnessing a rapid development in quantum computing bringing concerning threats to cryptographic protocols. For example, it is known that quantum computers can cause devastating breaks to both public key cryptography [8] and symmetric-key cryptography [9,10]. In addition, the unique features of quantum information, such as intrinsic randomness and no-cloning, render many classical security analyses (e.g., rewinding [11,12,13]) obsolete, and even the right modeling of security can be elusive (e.g., [14,15,16]). In particular, existing analyses of blockchain protocols are conducted in the random oracle model. When quantum attackers are present, Boneh et al. [17] argued the need for granting the attackers the ability to query the random oracle in quantum superposition. This gives rise to the quantum random oracle (QRO) model, which is far more challenging to reason about (see Section 1.3 for an account). Several fundamental questions need to be revisited, such as: What is the complexity of Chain-of-PoWs in the quantum query model? Can we formally establish the quantum security of the Bitcoin backbone protocol, by, for example, modifying the framework of [3] to work against quantum adversaries in the QRO model?
In the remainder of this section we summarize our contributions, provide a technical overview, and discuss closely related works. The full presentation of our results then follows.

Our Contributions
In this work, we prove the quantum query complexity of Chain-of-PoWs, and then formally establish the quantum security of the Bitcoin backbone protocol in the QRO model. First, consider a family of independent and uniformly random functions {h i : X × Y → X}, given as quantum unitary black-boxes. Let p := T /|X| be the fraction of target outputs in the co-domain, which in the context of Bitcoin represents the difficulty of mining. We prove the following: Theorem 1.1 (Informal). For any quantum adversary A having N quantum queries, the probability that A solves the Chain-of-PoWs problem by outputting a chain of size at least k, is at most P (N, k) ≤ e 2 (N/k + 1) 2 p k .
We show this by considering a variant in which the solution does not need to form a chain. This amounts to searching multiple inputs in a non-uniform random function, and its quantum query hardness immediately implies the one for Chain-of-PoWs, which we derive precisely. More specifically, we have a Boolean function whose output is sampled according to a Bernoulli distribution independently for each input, and we wish to find multiple preimages of 1 (call it k-BerSearch). We prove the quantum query complexity of this search problem by extending Zhandry's elegant recording technique [18] to point-wise independent non-uniform distributions. In fact, this establishes a quantum average-case strong direct-product theorem (SDPT) for this family of non-uniform search problems 1 .
Turning to the quantum security of the Bitcoin backbone protocol, we examine all the components of the [3] framework in the presence of classical honest parties against quantum adversaries in the QRO model, and our guiding principle is to "lift" it to the quantum setting with as few changes as possible. One crucial change in our analysis is to reformulate a central analytical tool in [3] named typical execution, since in the presence of quantum adversaries it becomes ill-defined. Assisted by our quantum complexity bound for Chain-of-PoWs, we are able to identify a quantum analogue of the honest majority condition, under which the desired security properties of the Bitcoin backbone protocol follow. As a side benefit, the resulting analysis makes the reduction to Chain-of-PoWs explicit, which further improves the degree of modularity of the classical analysis.
We elaborate on our results and how they are obtained in the technical overview (Section 1.2). Before that, we highlight some interesting aspects of our results and put them in perspective.
Quantum query complexity of Chain-of-PoWs and k-BerSearch. Roughly speaking, the formal query bounds we show match the intuitive argument based on Grover's quantum search algorithm, which at first glance may not look surprising. Instead, we view the following values potentially more impactful.
Our proof provides another working example demonstrating the power and potential of the recording technique. While the conceptual idea behind the original technique is remarkably neat, the execution is often a lot more complex, which in turn dictates the success or failure of applying the technique. This is also the case in many recent generalizations. Our execution of a particular non-uniform recording technique is carefully specified and "packaged" in clean modules, and could be treated as a template to derive other proofs based on it.
We note that the basic idea of non-uniform extensions is natural and has already been investigated (e.g., [20]). In particular, in independent work, Hamoudi and Magniez [21] consider essentially the same search problem as we do (k-BerSearch), proving a quantum query bound by extending Zhandry's technique 2 . In fact, if the sole goal is to show a query bound for the search problem, not necessarily as tight as what we obtain, it is plausible that one can simulate non-uniform functions by uniform functions and then resort to the original uniform recording technique (cf. [22]). Again, the merit would lie in the execution, and in any case a stand-alone treatment of a non-uniform case remains beneficial. As also noted in [21], the quantum query complexity of the search problem establishes an average-case strong direct product theorem (SDPT) via the recording technique, which is combinatorial in nature. SDPTs are highly desirable in a host of theoretical models [23,24,25,19], and it basically assert that the success probability of solving multiple instances of a problem drops exponentially unless investing equal multiples of the resource for solving one instance. In the context of quantum query complexity, SDPT has been extensively investigated, where the polynomial method [26] and the (generalized) adversary method [27] are the two dominating approaches to prove it. The polynomial method builds upon analytical properties of polynomials, while the ("modern") adversary method often resorts to advanced algebraic tools such as representation theory. In contrast, the combinatorial approach based on the recording technique, which usually follows more elementary and intuitive arguments, could open a new route to establishing a SDPT. Besides, existing examples of SDPT proven by either method (polynomial or adversary method) are typically for worst-case problems and usually difficult to extend to the average-case. This for instance is the case for many examples of SDPT for the standard unstructured search [28,29,30,31]. Our new approach via the recording technique seems especially well suited to reason about average-case problems and also to induce hardness bounds needed in the cryptographic setting.
Quantum security of the Bitcoin backbone protocol. Once the quantum hardness of Chain-of-PoWs is established, it would be tempting to "plug" it into the classical framework of [3] in order to derive its quantum security. However, we stress that, as more and more works demonstrate, when quantum adversaries are present every link of the provable-security framework needs to be reexamined, including the attack models, security goals, and security reductions.
Specifically, it can be justified that the security goals of the Bitcoin backbone protocol (e.g., common prefix, chain quality) may stay unchanged fortunately. But as soon as the attacks come into play, we observe a crucial simplification assumption in [3] that bears no clear quantum analogue. In a nutshell, classically it is without loss of generality to assume that an adversary, just as honest users, solves every PoW simply by querying the random oracle on a sequence of inputs. As a result, the adversarial behavior is fixed and the protocol can be described by an explicit random experiment, in which we can conduct probabilistic analysis of various events such as those indicating secure configurations of the system. This is how the analysis proceeds in [3], by formulating a central notion of typical executions, which enables establishing the desired security properties under an honest-majority condition. In our case, since we can no longer assume a specific adversarial strategy that includes all possible quantum attacks, the above simplification becomes unsound.
Our solution introduces a simple remedy which allows inheriting the classical analysis to a large extent. It boils down to an alternative and stronger characterization of typical executions for the quantum setting. Although this characterization is not as intuitive as in the classical case, it enables the analysis of quantum adversaries and proof that the backbone protocol's security goals under a post-quantum honest-majority condition we identify. In addition, as we mentioned earlier, the security of the protocol is explicitly reduced to the hardness of Chain-of-PoWs. In turn, this leads to a more modular analysis even in the classical setting, and might help in the quantum security analysis of other blockchain-based protocols [5,32,33].
Finally, we remark that the focus of this work is the simplified scenario in which only the adversary is quantum-capable, while the honest parties remain classical. We consider this analysis a first step towards the more general scenario, that also has independent interest in its own right since it address a realistic practical situation that the near-term development of quantum technologies may bring us. Specifically, imagine that large quantum computers are not available to the public, due to their price and required technologies, hence most users participating in the Backbone Bitcoin would only own classical computing devices. Large quantum computers would only be held by a few big companies or states, where most of them would not be willing or interested in participating in the bitcoin blockchain. The question we address is what would happen if one of those very few but powerful players decided to attempt to compromise the security of a PoW-based blockchain. The ultimate aim would be to address the full quantum setting, in which there could be an arbitrary number of quantum-capable players (both honest and adversarial), and this remains an important direction for future research.

Quantum Query Complexity of Multi-solution Bernoulli Search and Chain-of-PoWs
To show the quantum query complexity of the Chain-of-PoWs problem (Theorem 1.1), we consider a simpler variant (for the adversary), called k-BerSearch, which relaxes the requirement that the PoWs need to form a chain. Bounding the adversary's performance in the simpler problem readily provides a bound for the Chain-of-PoWs problem. Hence, we focus on the quantum query complexity of k-BerSearch, and prove the main bound on the success probability for solving it.

Definition (k-BerSearch).
Given a Boolean function f as a black-box, such that each input x is independently assigned the value f (x) = 1 with probability p, find k distinct preimages of 1 for f . Theorem 1.2 (Informal). For any quantum adversary A having N quantum queries, the probability that A solves k-BerSearch is bounded by: (1.1) Our proof of Theorem 1.2 relies on the recording technique of quantum queries in the quantum random oracle model due to Zhandry [18], designed for uniformly sampled functions. We modify the framework to accommodate functions sampled according to Bernoulli distributions. In Zhandry's recording technique, the key observation is that the oracle holds a private register with the (uniform) superposition over all possible functions. Then if we view the oracle register in the Fourier domain (i.e., applying a Fourier transformation on it), each query modifies exactly one position (from 0 to 1, or the other way around).
In our setting, the oracle's state will now be a Bernoulli superposition of the form where α f is the probability to sample the function f according to a Bernoulli distribution. The view between the standard and Fourier domains in the uniform does not hold anymore. Instead, we consider a different dual domain, and extend the primal-dual perspective to Bernoulli distributions. Switching between the primal and dual domain is based on a unitary U p , which essentially rotates around the Z axis depending on the probability parameter p, which specializes to the Hadamard transformation in the uniform case when p = 1/2. As a result, in the dual domain we start with the oracle state being initialized in the all-0 state, and each adversarial quantum query will rotate exactly one of its positions (in superposition) using the U p transformation. Consequently, after N quantum queries we will have at most N rotated qubits in the oracle register and the rest of the qubits will remain 0. Intuitively, this gives us a bound on the adversary's knowledge by examining how many non-zero entries are in the oracle's register.
Having established a relation between solving the k-BerSearch problem and the oracle's property of having at least k non-zero entries in its register, we just need to bound the probability of the latter event. The final step is achieved by bounding the "progress" made in enhancing the probability amplitude of the desired oracle's states after each query.
From the obtained bound on the k-BerSearch problem, we can also derive a bound on the harder variant, the Chain-of-PoWs problem.

Bitcoin Backbone Security against Quantum Adversaries
We assume a single quantum adversary who runs a computation up to depth Q per round, i.e., that the adversary makes at most Q superposition queries sequentially in each round to the QRO. When we consider s consecutive rounds, we denote N = sQ the total number of queries to the QRO in s rounds, which is also the depth of the quantum computation in s rounds 3 . We "lift" the classical analytical framework of [3] to the quantum setting in the following steps: 1. Define the notion of post-quantum typical execution of a blockchain in the presence of honest players and a quantum adversary. This is a critical step towards modularizing the analysis;

2.
show that under a post-quantum typical execution, the two desired properties, common prefix and chain quality, follow for suitable choices of parameters; 3. identify a post-quantum honest majority condition under which a post-quantum typical execution occurs with high probability. From our main theorem regarding the query complexity of the Chain-of-PoWs problem (Theorem 1.1), we can bound two relevant quantities: (i) the expected length of an adversarial chain, and (ii) the (overwhelming) probability that this bound holds. The former leads to a post-quantum "honest majority" condition, where we require that the total number of quantum queries Q per round of the attacker, has to be less than the total number of classical queries of all the honest parties divided by an extra O(p −1/2 ) factor, where p is the probability of success of a single query and, informally, represents the difficulty level of the PoW. To get this condition, we examine closely the requirements for a typical execution and ensure that the honest chain exceeds by a small constant factor the largest chain that adversaries can make with non-negligible probability.
The latter determines the wait time for safe settlement, which intuitively represents the number of rounds s that need to pass in order to ensure that the common prefix and chain quality properties hold except with the same negligible probability as in the classical case. Our analysis indicates that the required number of rounds matches, up to a constant, the number of rounds required in the classical adversarial setting. This somewhat surprising result implies that for post-quantum security, the number of "block confirmations" necessary for a transaction to be accepted in order to protect against double-spending, is almost the same as in the classical setting.
Finally, we emphasize that our work, apart from setting different parameters, preserves the generality of the classical analysis of [3]. For instance, it captures strategies correlated with honest-parties' actions as well as long-term attacks (such as selfish mining [34]).

Interpretation of results for Bitcoin security.
We can now provide a comparison between the analysis of the Bitcoin backbone protocol against classical adversaries of [3] and the current analysis against general quantum adversaries. First off, let us summarize the parameters in the Bitcoin backbone analysis: n: # honest parties q: # honest classical queries per round Q: # adversarial quantum queries per f : prob. at least one honest party round generates a PoW in a round : concentration quality of random variables κ: security parameter k: # blocks for common prefix µ: chain quality parameter s: # rounds p: prob. of success of a single (We refer to Section 4.1 for the definition of round.) classical query Table 1: Parameters used in our analysis. Table 2 shows the comparison of results obtained in the two adversarial settings. The relevant conditions and quantities are: "Honest Majority," which expresses the relation between the honest hashing power and the (classical or quantum) hashing power of the adversary; the expected number of adversarial blocks in s consecutive rounds; the probability of a "typical execution" (i.e., the probability that the required bounds on the number of adversarial queries hold); and the number of rounds required to reach the same level of security as in the classical adversaries setting.

Classical Adversary General Quantum Adv. (this work)
Honest Majority From Table 2 we highlight two main aspects. First, noting that the probability that at least one honest party generates a PoW in a round is f = npq, (we emphasize that p is much smaller than the honest hashing power, implying that f = npq < 1), the current post-quantum honest majority condition can be expressed as Q n · q · p 1/2 · O(1), meaning that each quantum query is worth p −1/2 classical queries. Second, the number of rounds for safe settlement is (up to a constant) the same as in the classical case.

Related Work
A first step towards understanding Bitcoin's vulnerabilities against quantum attacks was taken by Aggarwal et al. [35]. They pointed out the imminent break of the elliptic-curve-based signature scheme in Bitcoin, and argued that in contrast the PoW is relatively resistant to near-term quantum computations due to their slow clock speed and large overhead of quantum error correction. The Bitcoin protocol in a setting where honest parties are also quantum was considered in [36,37]. While these papers offer interesting observations, they fall short of formal security guarantees. Applications of smart contracts in the quantum world are explored in [38], where the authors propose a classical-quantum payment system which can scale better than blockchains by relying on quantum money techniques.
A number of proof techniques have been developed for the QRO over the years. For example, one can simulate a quantum random oracle [39,40,41], program it under a variety of circumstances [42,43], establish generic security of hash functions [44,45,46,22]. These techniques enable proving the quantum security of many cryptographic schemes in the QRO model [47,48,49,50,51]. Zhandry's recording technique has inspired many follow-up with various improvements and new applications (e.g., [52,53,54,55]).
A related but different problem than Chain-of-PoWs, called proofs of sequential work, was analyzed in [56,57]. A central task there is to find a q-chain, which is a sequence using fewer than q queries. This strict relation between the number of quantum queries and the size of the solution marks a drastic distinction from our search problem in the Bitcoin setting.
An interesting generalization of the recording technique to a parallel query model is investigated in the two papers above [56,57] as well as in [58]. We want to point out that this generalization however would not be sufficient in the Bitcoin context in its current form. One immediate challenge is that the parties can act in an adaptive and heterogeneous way, and one needs to take into account classical communication between parallel parties.
As a final note, in a previous version of this work [59], we analyzed a restricted family of quantum-attack strategies. In the current version, we fully resolve this limitation using completely different techniques. A more thorough discussion is deferred to Appendix A.

The Recording Oracle Technique
The recording oracle technique of Zhandry [18] is a powerful tool that allows keeping track of a quantum adversary's knowledge when interacting with a uniform random oracle.
Assume that the underlying uniformly sampled function of the quantum random oracle is . This is typically modelled as queries to an oracle performing the map: |x |y → |x |y ⊕ f (x) . Alternatively, this is equivalent to queries to a "phase" oracle performing the map: |x |y → The starting point is the following essential observation: an adversary querying the quantum oracle cannot distinguish between the following two settings. In the first setting the function is fixed and sampled uniformly at random. In the second setting, there exists an extra function register, prepared in uniform superposition over all possible functions 1 √ 2 2 m f |f , and all further actions/operations are conditional on this register 4 . The function register is not accessible to the adversary and, mathematically, we can trace-it out, resulting exactly to a uniform (classical) mixture over all possible functions.
Using this observation, we will consider that when the adversary performs a query x,y a x,y |x, y , the entire state of the system before the query (composed of adversary's and oracle's state) is of the form: x,y a x,y |x, y ⊗ 1 Then the state of the system after the query (using the phase oracle) becomes: . This shows that the phase resulted from the query can equally be viewed as affecting the oracle's state.
Specifically, we will next analyze how each query affects the oracle's state. We first denote the 2 m -bit string P (x,y) as the string having value y on position x and 0 everywhere else. Using this notation, we can express the state after the query: denotes the inner product of the two strings. This can also be generalized to obtain the state of the system after t queries is of the form: . But now, by applying the Hadamard operation to all the qubits of the final register (oracle's state), the oracle state would become: Consequently, we notice that in the Fourier domain the evolution of the adversary's queries would be the following: We start with the all-zero quantum state in the oracle register; namely, the state of the oracle is denoted with D = 0 2 m . Then, with each adversarial query we will XOR P (x,y) to the string D. Finally, we notice that as a result, after t queries the oracle's state D will have at most t bits equal to 1.

Query Complexity of k-BerSearch
In this section we prove the quantum query complexity of the randomized search problem denoted as k-BerSearch. This generalizes existing direct product theorems (cf. [30,24,25,19]) to an average-case setting.
Problem k-BerSearch: k solutions randomized search Theorem 3.1. For any quantum adversary making at most N queries, the probability p N k of solving k-BerSearch satisfies: The expression following the second inequality comes from some elementary algebraic simplification, whose proof can be found in Appendix B. In the following sections we prove the bound in the first expression. We first develop a framework of the recording technique for functions drawn according to a point-wise independent Bernoulli distribution, and then apply it to k-BerSearch.

Recording Technique Framework for Bernoulli Distributions
At a high level, we proceed in the following steps: 1. Extend the primal-dual framework to functions sampled according to Bernoulli distributions: 1. Relate solving k-BerSearch to causing the desired property in the oracle (i.e., at least k non-zero entries in the visited positions).
2. Bound the probability of the occurrence of desired property in the oracle for any N -query algorithm.
We recall from Section 2.1 that the key observation in the uniform setting is to keep the random function coherent, i.e., a uniform superposition of the truth table of all possible functions f ∈{0,1} 2 m |f . Then if we look at it in the Fourier domain, this superposition becomes simply 0 2 m . In this viewpoint, a query |x, y to the oracle has the effect that it modifies (in superposition) one position x of the truth table. Along the course of the query algorithm, the truth table gets updated and an algorithm's knowledge of the oracle translates to combinatorial properties of the truth table.
In our case, we extend this primal-dual framework to a non-uniform distribution. Loosely speaking, we will see that solving k-BerSearch amounts to that at least k of the entries in the truth table being rotated towards |1 .  Recall in the standard query model, an oracle query is modelled as: |x, y → (−1) y·f (x) |x |y . The standard Bernoulli oracle action can be described as follows:

Definition 3.3 (Standard Bernoulli Oracle Query
). An oracle query in StdBO is modelled as: From the perspective of any quantum query algorithm A, it is indistinguishable whether it accesses StdBO or a sampled Bernoulli random function f . Namely: We describe a map which will allow us to switch between the standard and dual domains. Note that in the special case of a uniform random function, it becomes the Hadamard gate (p = 1/2). Standard-Dual domains). For general p, we consider the following unitary U p acting on a single qubit:

Definition 3.4 (Map
We observe that: We can now examine the knowledge of an algorithm about the underlying oracle. Consider running any query algorithm A with respect to the standard domain. Intuitively, by our earlier observation, at the end of the execution, the function register will contain superposition of strings D of bounded Hamming weight, representing modified truth tables in the dual domain. The non-zero positions (in these strings D) would entail what the query algorithm can infer about the oracle. In particular, once we convert the non-zero entries back to the primal domain through the unitary U p , i.e., assigning Bernoulli function values, the likelihood of getting k or more 1s essentially bounds the probability of successfully solving k-BerSearch. where x and y are tuples consisting of k inputs and outputs respectively and z represents the "workspace" register of the algorithm.
Intuitively, the tuple x represents the solution (of size k) the adversary outputs for the k-BerSearch problem and these k inputs may or may not be queried. In this way, after each query, if we were to measure the first registers x and y, we can determine the success probability that the tuple represents a solution for our search problem. We will also decompose |D as: where D x contains the entries that coincide with x, and Dx contains the oracle's state on the rest of the inputs.
Using the definitions of the standard-dual map and of the system state, we can now describe how the system evolves after each query in the dual domain:  3. We denote the state of the entire system in the standard domain after t queries with ψ t .
Dual domain: 1. The oracle query isÕ := (I ⊗ U † p ) · StdBO · (I ⊗ U p ); 2. The initial state of the oracle is the state 0 M F ; 3. Denote the state of the entire system in the dual domain after t queries with φ t .
It can easily be seen that the two domains are equivalent up to a final U p unitary applied on the state of the system corresponding to the dual domain.

Corollary 3.7 (Relation between states in standard-dual domains). After any t queries, we have the relation:
where U p only acts on the last function register (3.5) Evolution of the query algorithm in Dual domain. We keep track of the adversary's knowledge in the dual domain, where for the evolution of the system state, we notice the following: • After each query, only one position from the function register of each of the states in the superposition of the system state is modified, by being rotated using the unitary U p , the rest of the positions remain unchanged. Therefore, after N queries there are at most N positions containing rotated qubits and the rest of them remain the |0 state.
• However, after all N queries, we need to return to the standard domain, by applying a final U p on all qubits of the function register and then measure in the computational basis the function register. Note that there is a small chance that the positions that were never queried (corresponding to |0 state) will also collapse to 1.
Once we have established this framework for the recording technique for Bernoulli random functions, we will show how to apply it for our target problem k-BerSearch.

Analysis of k-BerSearch via the Bernoulli Recording Technique
To determine the success probability of the adversary to solve the k-BerSearch problem using N quantum queries, denoted as p N k , we use the oracle's state as follows: 1. We look at the vector x and at the measurement outcome of the function register (previously described), let us call this measurementf .
2. Then, we check iff (x i ) = 1 for all x i ∈ x. Importantly, the probability of success is defined with respect to the standard domain, hence after the final U p application.

Relation between success probability and oracle state.
In order to relate the success probability p N k with the evolution of the oracle we need to define the following set of projectors. Firstly, we introduce two families of projectors P and Π, acting on the states of the standard domain (Eq. 3.4):

Definition 3.8 (Projection Family P ). For any integer k, consider the following family of projectors P acting in the standard domain:
P k : defined by all basis states |x, y, z |D such that D contains exactly k ones; P ≤k : defined by all basis states |x, y, z |D such that D contains at most k ones, P ≤k = k i=0 P i ; P ≥k : defined by all basis states |x, y, z |D such that D contains at least k ones, P ≥k = i≥k P i . In addition, related to P k , we will also define the projectors: P 0 k defined by the basis states |x, y, z |D such that D contains exactly k ones, y = 1 and f (x) = 0. For this, we can consider that |x, y is an extra register containing a single input x and a single bit y (different from |x, y ) which is used for the queries to the function oracle StdBO. P 1 k defined by the basis states |x, y, z |D such that D contains exactly k ones, y = 1 and f (x) = 1.

Definition 3.9 (Projection Π). The projector Π is acting in the standard domain and is defined by the basis states |x, y, z, D x , Dx such that D x has hamming weight k.
Finally, we introduce the family of projectors Ξ i , which will act on the dual domain (hence before the final application of U p ): Now, we will see how to employ all these projectors in order to bound the success probability of the adversary to solve the k-BerSearch problem when having N available quantum queries.
For the success event of finding k preimages of 1, we must have k ones in D x for ψ Nthe state in the standard domain. In other words, the adversary's success probability will be bounded by: (3.6) Deriving the bound on success probability. Next, we will determine the bound on p N k by following the next two steps: 1. Derive a bound on the norm of the projection Π using the norms of the projection Ξ i and subsequently bound this norm with the norms of P ≥i .

2.
Bound the norm of P ≥i . This will determine the progress after N queries as: For the first step we show the following result: Lemma 3.11. The norm of projection Π can be bounded using the progress measure after N queries as follows: For the second step we will show that: Lemma 3.12. For any N and any k, given the state φ N of the dual domain after N queries, we have the following bound: In the following sections we will show how to derive these two results and finally we will combine them to obtain the final bound stated in Theorem 3.1.

Bounding the Success Probability with Progress Measure
We now show how to bound the success probability using the progress measure, as stated in Lemma 3.11.
Proof of Lemma 3.11. Firstly, using the definition of ψ N we have: Observe that k i=0 Ξ i = I, hence we obtain: Hence to complete the proof, we need to show that: Now let us consider separately the state |ρ i := Ξ i φ N for any quantum state φ N . Then, from the definition of Ξ i , |ρ i has exactly i ones and k − i zeros in the register D x . Let us denote the set of allowed D x (having exactly i ones) by D x , where |D x | = k i ; and denote the set of possible configurations of Dx by Dx, where |Dx| = 2 M −k . Then we can write: For simplicity we drop the |y |z register as they will not be affected, and instead denote |ρ as: (3.14) Now let us consider applying Π to a single state from this superposition, namely |x |D x ⊗ |Dx : Therefore, we have that:

Bounding the Progress Measure
We now show how to bound the progress measure a N,k := P ≥k φ N , as stated in Lemma 3.12.
Proof of Lemma 3.12. First, we want to define a recurring relation for the progress measure sequence. Specifically, for any t, we have: Now let us consider separately the term P ≥kÕ P k−1 φ t . A basis state |x, y, z |D contributes to a t+1,k if D has exactly k − 1 ones, but also if y = 1 and f (x) = 1.
What would actually contribute to a t+1,k is the state P ≥kÕ P 0 k−1 φ t , hence we have: Now, to bound the second term, for any basis state |x, y, z |D in the support of P 0 k−1 , we will make use of the following observation.
Using the definition ofÕ, we notice that each query |x, y in the dual domain has the following effect on the zero entries of the D strings (oracle state) -when f (x) = 0 : (3.22) This leads us to: where (x, y) is the query to the function oracle StdBO, as in Definition 3.8. As a result, we have: Therefore, we obtain: Applying this relation iteratively for any t ∈ {N − 1, ..., 0}, leads us to the following bound on the progress measure after N queries: By using Lemma 3.13, we obtain the bound on a N,k : Lemma 3.13. Let φ i be the state before the i + 1'th query and β i k−1 : Proof. We analyze β i k−1 case by case: • If i < k − 1, then β i k−1 = 0. This is because unless at least k − 1 queries have been made, the number of non-zero entries in D is below k − 1 and falls out of the support of P 0 k−1 .
By applying k −1 queries the magnitude of all resulting in |1 is √ p k−1 .
This follows from a combinatorial argument, reminiscent of binomial coefficients. Think of taking a random walk on a line for i steps, we need to move forward k − 1 times. There are i k−1 "routes", and each route contributes a weight of at most ( Hence we have: where for the last equality we used the identity: m n=t n t = m+1 t+1 .

Putting Everything Together
We now can combine the results to obtain the bound on p N k : Theorem 3.14. The success probability p N k of solving k-BerSearch satisfies Proof. First by Lemma 3.11 we have We know from Lemma 3.12 that Hence we have: (3.32)

The Bitcoin Backbone Protocol: Model and Definitions
We will analyze our post-quantum version of the Bitcoin backbone protocol, where the honest parties are classical but the adversary is not, in the network model considered in [3], namely, a synchronous communication network which is based on Canetti's formulation of "real world" execution for multi-party cryptographic protocols [60,61]).
In such a network model, the protocol execution proceeds in rounds; in each round, parties receive messages from the network through their communication interface (e.g., input tape or register), perform some computation, and send messages to the network, which are delivered at the beginning of the next round. The inputs to the computation performed by the parties are provided by an environment program denoted by Z. For further details about the synchronous network model, refer to [60].
The execution is assumed to have a polynomial (in the security parameter) time bound. The actual message delivery is provided by a "diffusion" mechanism that is guaranteed to deliver all messages, without however preserving their order and allowing the adversary to arbitrarily inject its own messages. Importantly, the parties are not guaranteed to have the same view of the messages delivered in each round, except for the fact that all the messages sent by the honest parties in the previous round are delivered. Furthermore, and in line with the cryptographic protocols literature, we assume the presence of a single adversary (which may in turn "corrupt" many parties), albeit equipped with quantum computing power. The adversary is allowed to "spoof" messages by changing the source information in them (i.e., communication is not authenticated).
The Bitcoin backbone protocol. First, we introduce some blockchain notation, following [3]. A block is any triple of the form B = s, x, ctr where s ∈ {0, 1} κ , x ∈ {0, 1} * , ctr ∈ N are such that satisfy predicate validblock D q (B) defined as: (H(ctr, G(s, x)) < T ) ∧ (ctr ≤ q), (4.1) where H, G are cryptographic hash functions (e.g., SHA-256) modelled as random oracles. The parameter T ∈ N is also called the block's difficulty level. We then define p = T /2 κ to be the probability that a single classical query solves a PoW. The parameter q ∈ N is a bound that in the Bitcoin implementation determines the size of the register ctr; in our treatment we allow this to be arbitrary, and use it to denote the maximum allowed number of hash queries performed by the (classical) parties in a round. A blockchain, or simply a chain is a sequence of blocks. The rightmost block is the head of the chain, denoted head(C). Note that the empty string ε is also a chain; by convention we set head(ε) = ε. A chain C with head(C) = s , x , ctr can be extended to a longer chain by appending a valid block B = s, x, ctr that satisfies s = H(ctr , G(s , x )). In case C = ε, by convention any valid block of the form s, x, ctr may extend it. In either case we have an extended chain C new = CB that satisfies head(C new ) = B. Consider a chain C of length m (written as len(C) = m) and any non-negative integer k. We denote by C k the chain resulting from the "pruning" of the k rightmost blocks. Note that for k ≥ len(C), The Bitcoin backbone protocol is executed by an arbitrary number of parties over an unauthenticated network, as described above. It is assumed in [3] that the number of parties running the protocol is fixed, however, parties need not be aware of this number when they execute the protocol. In our analysis we will have n honest parties and a single quantum adversary. Also as mentioned above, communication over the network is achieved by utilizing a send-to-all Diffuse functionality that is available to all parties (and may be abused by the adversary in the sense of delivering different messages to different parties).
Each party maintains a blockchain, as defined above, starting from the empty chain and mining a block that contains the value s = 0 (by convention this is the "genesis block"). If in a given round, an honest party is successful in generating a PoW (i.e. satisfying conjunction 4.1), it diffuses it to the network. At each round, each party chooses the longest chain amongst the one he received, and tries to extend it by computing (mining) another block. In such a process, each party's chain may be different, but under certain well-defined conditions, it is shown in [3] that the chains of honest parties will share a large common prefix (see below).
In the backbone protocol, the type of values that parties try to insert in the chain is intentionally left unspecified, as well as the type of chain validation they perform (beyond checking for its structural properties with respect to the hash functions G(·), H(·)), and the way they interpret the chain. Instead, these actions are abstracted by the external functions V (·) (the content validation predicate), I(·) (the input contribution function), and R(·) (the chain reading function), which are specified by the application that runs "on top" of the backbone protocol (e.g., a transaction ledger).

Basic security properties of the blockchain.
It is shown in [3] that the blockchain data structure built by the Bitcoin backbone protocol satisfies a number of basic properties. At a high level, the first property, called common prefix, has to do with the existence, as well as persistence in time, of a common prefix of blocks among the chains of honest parties. The second, called chain quality, stipulates the proportion of honest blocks in any portion of some honest party's chain.

Definition 4.1 (Common Prefix).
The common prefix property with parameter k ∈ N, states that for any pair of honest players P 1 , P 2 adopting chains C 1 , C 2 at rounds r 1 ≤ r 2 , it holds that C k 1 C 2 (the chain resulting from pruning the k rightmost blocks of C 1 is a prefix of C 2 ).

Definition 4.2 (Chain Quality)
. The chain quality property with parameters µ ∈ R and l ∈ N, states that for any honest party P with chain C, it holds that for any l consecutive blocks of C, the ratio of blocks created by honest players is at least µ.
Parameters and Random Variables. Next, we recall some important notions in the Bitcoin backbone protocol setting.
n denotes the number of honest parties; q represents the number of classical queries of each honest party per round; Q denotes the number of adversarial quantum queries per round; f is the probability that at least one honest party generates a PoW (i.e. satisfy conjunction 4.1) in a round; will be used for the concentration quality of random variables while κ for the security parameter; k denotes the number of blocks for common prefix property and µ denotes the chain quality parameter; s refers to the total number of rounds; p is the probability of success of generating a PoW (conjunction 4.1) using a single classical query; X(s) and Y (s) represent within s rounds, the numbers of rounds at least one honest player and exactly one honest player solves a PoW respectively. Z(s) represents the number of PoWs solved by an adversary in s consecutive rounds. f denotes the probability that at least one honest player generates a PoW (conjunction 4.1) in a single round (e.g., in the Bitcoin system, f is about 2 − 3%). In condition (c), an insertion denotes the event that given a chain C with two consecutive blocks B and B , a block B * created after B is such that B, B * , B form three consecutive blocks of a valid chain. A copy occurs if the same block exists in two different positions. A prediction occurs when a block extends one which was computed at a later round.

The Chain-of-PoWs Problem
In the Bitcoin backbone protocol, an adversary aims to produce a chain of blocks that is longer than the honest chain. We formalize it as the Chain-of-PoWs search problem below.
Problem Π G : Chain-of-PoWs Given: N , x 0 ∈ X and h 0 , . . . , h N −1 as (quantum) random oracles, where each h i : X × Y → X is independently sampled. Goal: Using N total queries find a sequence y 0 , . . . , y k−1 such that x i+1 := h i (x i , y i ) and x i+1 ≤ T ∀ i ∈ {0, · · · , k − 1} such that the length of the sequence k ≤ N is the maximum that can be achieved. T is a fixed positive integer.
Note that the output of this problem is the maximum length k and the corresponding sequence (y 0 , ..., y k−1 ). For ease of notations, we will omit h 0 , . . . , h N −1 from the input of Π G . We call any pair (x, y) s.t. h(x, y) ≤ T a PoW.
A possible approach is to prove a composition theorem for the query complexity of such a search problem. This however appears beyond the scope of existing results and techniques in quantum query complexity. Instead, we show its hardness by reducing to the k-BerSearch problem we analyzed before.

Theorem 4.3 (Main Theorem).
For any quantum adversary A having N quantum queries, the probability that A solves the Chain-of-PoWs problem, by outputting a solution of size at least k is at most: where p := T 2 κ is the probability of success of a single query to the random oracle.

Hardness of Chain-of-PoWs
We relate Chain-of-PoWs to k-BerSearch formally below.

Lemma 4.4. If for any quantum adversary A having N quantum queries the probability that
A obtains a solution of size k for k-BerSearch is at most p 1 (N, k), then for any quantum adversary A having N quantum queries, the probability that A obtains a solution of size k for Chain-of-PoWs is at most p 2 (N, k), satisfying: Proof. We first state k-BerSearch in an equivalent form, which we call Bag-of-PoWs. That is, we consider N functions h 0 , . . . , h N −1 as oracles, where each h i : X ×Y → X is independently sampled, and the goal is to find a set of pairs We construct an algorithm A that using N + k queries obtains a solution of size k for the Bag-of-PoWs problem, and hence a solution also for the k-BerSearch problem, with the same probability p 2 .
A first samples at random an element x 0 (from the domain of any oracle h i ). Then, it will run A on input (N, x 0 ), in order to obtain the sequence y 0 , . . . , y k−1 with probability p 2 spending N queries. Next, starting from y 0 , A computes x i = h i−1 (x i−1 , y i−1 ) for all i ∈ {1, · · · , k − 1} (which is guaranteed to hold from the setting of Chain-of-PoWs) spending one extra query per element of the sequence, i.e. extra k queries. Then the algorithm A outputs the pairs (x 0 , y 0 ), (x 1 , y 1 ), . . . (x k−1 , y k−1 ) having used N + k queries and will succeed with probability p 2 > p 1 (N + k, k).
But from the initial assumption, the probability that A using N + k queries obtains a solution of size k for the k-BerSearch is at most p 1 (N + k, k).
By combining Lemma 4.4 together with the bound on the success probability for the k-BerSearch problem from Theorem 3.1, we can obtain a bound on the success probability for the Chain-of-PoWs problem: Lemma 4.5. Any quantum adversary having N queries to the QRO, can obtain a chain of PoWs of length k, with probability at most: where p is the probability of a successful PoW with a single query.

Post-Quantum Security of the Bitcoin Backbone Protocol
Now that we have established the hardness of the Chain-of-PoWs problem, we will use it to identify the conditions under which the central properties of blockchains, common prefix and chain quality, can be satisfied in the presence of quantum adversaries. To do so, it is helpful to take a closer look at the classical analysis [3], which proceeds in three steps.

1.
A notion of typical execution of a blockchain is defined in the presence of honest players and adversaries. This is a critical vehicle that modularizes the analysis.

2.
It is proven that under a typical execution, the desired properties will follow for suitable parameters.
3. An honest majority condition is identified under which a typical execution occurs with high probability.
We would like to "lift" this analytical framework to the quantum setting with as few changes as possible. However, we run into a roadblock immediately since the definition of a typical execution dose not make sense any more. To see this, let us recall the classical definition. Definition 4.6 (Classical typical execution [3]). An execution is ( , s)-typical (or just typical), for ∈ (0, 1), if for any set S of at least s consecutive rounds, we have:

(c) No insertions, no copies, and no predictions occurred.
For completeness, let us first revisit now four main results of [3] which would help us extract the necessary conditions on the number of adversarial PoWs required to satisfy the security of the backbone protocol.

Lemma 4.8 ([3]).
Assuming that X(s) + Z(s) < 2f s, then in a typical execution, any k ≥ 2f s consecutive blocks of a chain have been computed in more than k/2f consecutive rounds.

Lemma 4.9 (Common Prefix Lemma ([3])).
Assuming that Z(s) < Y (s) and that at round r of a typical execution an honest party has a chain C 1 , while a chain C 2 of length at least len(C 1 ) is adopted by an honest party. Then C Post-quantum typical executions. As it turns out, the definition of classical typical executions (Def. 4.6) is not adequate for our post-quantum analysis, for the following main reason. Note that in the classical random oracle model, in terms of solving a PoW, everyone including malicious players runs the same procedure. Hence, there is a universal well-defined distribution on Z(s), regardless what an adversary does otherwise, based on which we can discuss its expectation. When we consider a quantum adversary, however, it is unclear how to formulate an appropriate "expectation" that is independent of the specific adversary's quantum strategy.
To address this, we observe that some alternative quantitative characterizations of a typical execution in [3] actually admit simple counterparts in the quantum setting. Hence we adopt these as our notion of typical executions below. As a result, we can lift the classical analysis in step 2 almost verbatim to show that common prefix and chain quality hold under this new definition of typical execution.
Finally, we will use the hardness of Chain-of-PoWs to derive a quantum analogue of a honest-majority condition, under which typical execution occurs with overwhelming probability. Definition 4.11 (Post-quantum typical execution). An execution is post-quantum (ε, s)-typical (or just post-quantum typical), for ε ∈ (0, 1) and sf ≥ 2, if for any set S of at least s consecutive rounds, the following hold:

(c) No insertions, no copies, and no predictions occurred.
Note that Conditions (a) and (c) remain unchanged, and in particular, (a) concerns honest parties only. As in the classical setting, under our new definition of a typical execution, the desired properties of a blockchain follow easily. The second condition follows from the derived bounds on the hardness of the Chain-of-PoWs problem. The common prefix property of the Bitcoin backbone protocol holds with parameter k ≥ 2sf , for any s ≥ 2 f consecutive rounds; The chain quality property holds with parameter l ≥ 2sf and ratio of honest blocks µ with µ = f . Proof. Using Lemma 4.8 we know that we can ensure that any k ≥ 2f s consecutive blocks of a chain have been computed in s ≥ k 2f consecutive rounds, as long as we can impose the following condition: for any quantum adversary A and for any s ≥ 2 f , we have: X(s) + Z(s) < 2f s. Then, in a typical execution (Def. 4.11) we have that X(s) < (1 + )f s which implies that we must have Z(s) s < (1 − )f . Secondly, the condition between Z(s) and Y (s) comes from Lemma 4.9, which then implies the common prefix property. To apply Lemma 4.9, what we must guarantee is that for any quantum adversary A and for s ≥ 2 f , we have: Z(s) < Y (s). Therefore, in order to prove that the common prefix property holds with parameter k ≥ 2sf , it is sufficient to impose on the quantum adversary the following two conditions for any s ≥ 2 f consecutive rounds: Using the bounds on the honest players variables X(s) and Y (s) from Lemma 4.7, the sufficient conditions become: , this leads to: which is exactly the second condition of the post-quantum typical execution (Def. 4.11).
For the chain quality property, the statement follows directly from the proof of chain quality in Lemma 4.10.
Finally we are just left to find out an appropriate quantum analogue of the honest-majority condition, and show that it will ensure a post-quantum typical execution occurs with high probability. Definition 4.13 (Post-quantum honest majority). We say that the post-quantum honest majority condition 5 holds if: where Q denotes the total number of quantum queries performed by the adversary per round. Then, it is sufficient to obtain an honest majority condition by imposing that the honest players can achieve k 0 (s) chained PoWs. As a result, by using Definition 4.11 , the sufficient condition becomes: Consequently, the honest majority condition can be described by the following bound on the quantum adversarial hashing power: Computing the probability P q of the post-quantum honest majority follows directly by using where s cl is the required number of rounds in the classical setting [3].
On parallel quantum processors. A final note is to highlight an assumption we made about the depth of the quantum computation of the adversary in s rounds which is sQ. This assumption overestimates the power of the quantum adversary, since one can imagine an adversary that controls two or more quantum processors, so the overall depth of the computation is smaller than the total number of queries. It is known that search algorithms are not parallelizable, meaning that we have been over-pessimistic on the honest majority condition we derived. On the one hand, as we have mentioned in Section 1.3, the recording techniques cannot generalize to this setting. On the other hand, based on simple calculations of restricted parallel quantum adversaries, the factor p −1/2 remains, reduced at best by a constant factor. Thus, qualitatively, our results persist in that case.

A Comparison with Other Query Complexity Work
In this section we compare three different approaches to the query complexity analysis of the k-BerSearch problem, in terms of their performance (not the techniques to derive the bounds). We will denote the three different bounds of the works we are comparing as follows: • Gen 1 -analysis performed in the work of [21] leading to success probabilityp N k ; • Gen 2 -analysis performed in the current work leading to success probability p N k ; • NonS -analysis in our previous work leading to success probability P NonS ; We note that Gen 1 and Gen 2 deal with the most general (powerful) quantum adversaries, while in NonS the adversary is restricted in treating the number of queries to the oracle as a classical variable. The comparison can be summarized as follows:  The first thing to observe is that for the analysis of Gen 1 and Gen 2 , their results can be directly compared in terms of probability of success as function of the number of available queries and size of solution for the k-BerSearch problem. Hence, we can notice from the two functionsp N k and p N k , that our current work provides a tighter bound (besides the extra term 1/2 k , their function has for the first term exponent k, while our expression has almost the same term with exponent 2k). Hence, we remark that while the result for expected optimal length is only a constant better in our case compared to Gen 1 , the bound on the probability of success we obtained is much stronger than the one obtained in Gen 1 (roughly our bound is the square of the bound in Gen 1 ).

NonS
Second thing to note is that from the form of the success probability we can deduce the smallest value of k, above which each expression decays. This can be viewed as a bound on the expected optimal quantum strategy, since these bounds rule-out any larger value of k (on average). Here we see that the best (tightest) bound on the best average quantum strategy is given by this current work and next is our previous work, with looser bound given in Gen 1 : Recall that c is given by bounds on the query complexity of standard search and is known to be c ∼ 8, making our new and old results very close.
A direct consequence is that the value of k that Gen 1 starts decaying is eight times bigger than the value that Gen 2 starts decaying. This means that Gen 1 overestimates the capabilities of what a quantum party (adversary) can achieve eightfold compared to Gen 2 . In the language of the backbone Bitcoin protocol, this means that Gen 1 leads to much worse honest majority.
The third thing to consider, is the "speed" of convergence to zero, as each of the cases considered moves away from its own average value. Here we see that Gen 2 and Gen 1 both perform better (equally well) by having a factor of exp −N O(p 1/2 ) , than our earlier work NonS that has a factor of exp −N O(p 2/3 ) . In the language of the backbone Bitcoin protocol, this means that Gen 1 , Gen 2 have smaller settlement time (actually essentially the same with the classical case), while our earlier work NonS has greater settlement time by a factor of O(p −1/6 ). Of course, the settlement time is determined by assuming that the adversary controls the maximum allowed, by the honest majority, computational power. Given that Gen 1 requires that the honest parties must have much bigger advantage (many more queries) than in NonS, in practice even if such honest majority is assumed, NonS might perform better. To upper bound the ratio R N,k , we will lower bound the sum S N,k−1 with the last two terms in the sum: S N,k−1 > N k−1 + N k−2 = N +1 k−1 . Hence we will upper bound the ratio as: From this we obtain that: which holds as long as 4 ≤ k ≤ N . This implies that: S N,k < N k S N,k−1 . By applying this iteratively, and by using that S N,0 = 1,