Quantum Merkle Trees

Committing to information is a central task in cryptography, where a party (typically called a prover) stores a piece of information (e.g., a bit string) with the promise of not changing it. This information can be accessed by another party (typically called the verifier), who can later learn the information and verify that it was not meddled with. Merkle trees are a well-known construction for doing so in a succinct manner, in which the verifier can learn any part of the information by receiving a short proof from the honest prover. Despite its significance in classical cryptography, there was no quantum analog of the Merkle tree. A direct generalization using the Quantum Random Oracle Model (QROM) does not seem to be secure. In this work, we propose the quantum Merkle tree. It is based on what we call the Quantum Haar Random Oracle Model (QHROM). In QHROM, both the prover and the verifier have access to a Haar random quantum oracle $G$ and its inverse. Using the quantum Merkle tree, we propose a succinct quantum argument for the Gap-$k$-Local-Hamiltonian problem. Assuming the Quantum PCP conjecture is true, this succinct argument extends to all of QMA. This work raises a number of interesting open research problems.


Introduction
A commitment scheme [3] is a cryptographic primitive that allows a party (i.e., a prover) to (1) commit to a piece of information such as a bit string while keeping it hidden from others and (2) reveal the information they have committed to later.Commitment schemes are designed to ensure that a party cannot change the information after they have committed to it.Commitment schemes have numerous applications in cryptography, such as the construction of protocols for secure coin flipping, zero-knowledge proofs, and secure computation.
The Merkle tree [1] is an efficient example of commitment schemes, which captures the following scenario: There are two parties, the prover P and the verifier V. P first computes a short string called the commitment which is denoted by commit(x) from a long input string x and sends commit(x) to V. Then V asks P to reveal a subset of bits of x together with a short message that would enable V to verify that the string x has not been altered.The security promise is that after P sends commit(x) to V, then upon V's request of any subset of bits, a computational bounded P can only reveal those bits faithfully.Namely, if P claims that the i-th bit of x is the wrong value 1 − x i , then her claim will be rejected by V with high probability.
The Merkle tree has wide applications in cryptography since it allows P to delegate a potentially very long string to V (i.e., a database) while enabling V to maintain an efficient verifiable random access to that string (say to any subset of the bits of the string).A well-known application of the Merkle tree is the succinct arguments for NP from probabilistically checkable proofs [4,5] or interactive oracle proofs [6], where by succinctness one means that the total communication between the prover and verifier constitutes a small number of bits, say polylog(n) bits of communication.
Despite being very influential in (classical) cryptography, there is no known quantum analog of the Merkle tree that allows committing to quantum states.Such a quantum analog is appealing since it would allow a party to commit to a large quantum state σ while maintaining verifiable access to individual qubits.
Protocols based on the classical Merkle tree are often analyzed in the random oracle model.There are also quantum models such as the Quantum Random Oracle Model [2] (QROM) for analyzing the quantum attacks against the classical Merkle tree.There are works showing that classical Merkle-tree-based protocols are secure against quantum attacks [7,8].These works showed that commitment to classical bit strings by the Merkle tree cannot be broken by quantum adversaries.Here we hope to obtain a quantum analog of the Merkle tree that can be used to commit to quantum states.
In this work, we propose a new random oracle model which we call the Quantum Haar Random Oracle Model (QHROM).We then use it in our construction of the Quantum Merkle tree.We then use it to propose a quantum analog of Kilian's succinct argument for NP and conjecture its security.

The Merkle Tree Algorithm
Our definition of QHROM is motivated by our adaptation of the Merkle tree to the quantum setting, so it is instructive to recall the standard Merkle tree algorithm.
Let b ∈ N be the block-length parameter.We assume that both P and V have access to a random oracle function h : {0, 1} 2b → {0, 1} b .For simplicity of the argument, we will first focus on the simplest non-trivial case of a Merkle tree with two leaves and depth one, and take n = 2b to be the length of the string that P wishes to commit to.Here the string x resides on the leaves and commit(x) string resides on the root.As we will see shortly, a straightforward adaption of the Merkle tree to the quantum setting is not secure even in this simple setting.
x b+1 , . . ., x 2b P sends to V In this simplified setting, the protocol starts by P simply sending the hash value h = h(x) of x ∈ {0, 1} 2b as the commit(x) of length b to V (see Figure 1 for an illustration).Then V requests the values of a subset of bits in x, for which the honest P simply responds by revealing the whole string x to V. Then V checks that the string has the same hash value h.If a (dishonest) P can first commit to x and later convince V that its i-th bit is 1 − x i , then P has found two strings x ̸ = x with h(x) = h(x).This requires at least 2 b/2 queries to the random oracle h due to the birthday paradox, which is infeasible.

A Failed Attempt to Adapt Merkle Tree in the Quantum Setting
Let us see how one might directly try to adapt the special case above of the Merkle tree algorithm to the quantum setting.An immediate idea is that, given a 2b-qubit quantum state |ψ⟩ = z α z |z⟩ in the register denoted by data, P treats h as a quantum oracle O h1 , creates b qubits initialized to |0 b ⟩ in register com, applies O h to both data and com to obtain z α z |z⟩|h(z)⟩, and sends the com register to V; see Figure 2 for an illustration.To reveal qubits in |ψ⟩, P simply sends the data register to V as well, and V applies O h again to both data and com, and measures com in the computational basis to check if it is 0 b and rejects immediately otherwise.However, this is not secure against phase attack.After sending com to V, for every Boolean function f : {0, 1} 2b → {0, 1}, P can apply the unitary |z⟩ → (−1) f (z) |z⟩ to data, and then sends it to V. One can see that V still accepts this state with probability 1, but P has cheated by changing the state from z α z |z⟩ to z (−1) f (z) α z |z⟩, which can be entirely a different state for some function f .The issue above is that the mapping O h , |x⟩|y⟩ → |x⟩|y ⊕ h(x)⟩, has too much structure to be exploited by the attacker.This immediately suggests to us to consider a more random choice of quantum oracles which indeed we take to be the most random choice of quantum oracles: a Haar random quantum oracle.
Comment: One way to address the phase attack above is to make O h more complicated.For example, instead of applying O h once to the registers data and com, we can repeatedly apply O h H ⊗2b several times (H denotes the Hadamard gate).We found such a construction more cumbersome and even harder to analyze compared to a Haar random unitary.Moreover, it is conjectured [9, Section 6] that similar constructions may already be indistinguishable from a Haar random unitary (see Section 3.3 for more discussions).Hence, it seems more natural to directly work with a Haar random unitary.

The Quantum Haar Random Oracle Model (QHROM) and Quantum Merkle Tree
We are now ready to introduce the Quantum Haar Random Oracle Model (QHROM).In QHROM both P and V have access to a Haar random quantum oracle G and its inverse G † that act on 3b qubits (see Definition 2.1 for a precise definition).The protocol between P and V remains the same for the special case n = 2b except for replacing O h by G.It is easy to see x (2)  x (ℓ−1) x (ℓ) Figure 3: An illustration of the quantum Merkle tree with ℓ = 2 d input blocks; when block x (2) is requested by V, P sends all the diamond shape nodes.
that since G completely obfuscates the original state |ψ⟩, the phase attack described above no longer applies.Next, we describe the quantum Merkle tree in the general setting in which n can be arbitrarily large and denotes the number of qubits in the state that P wishes to commit to.Given a quantum state σ on n = b • ℓ qubits for some ℓ = 2 d and d ∈ N,2 we partition x into ℓ consecutive blocks of length b as x (1) , x (2) , . . ., x (ℓ) .Then, we build a perfect binary tree with ℓ leaves (see Figure 4), where each leaf corresponds to a block of the input.Next, from the leaves to the root, we assign to each node α a b-qubit register com α as follows: (1) if α is a leaf, then com α is simply the qubits of the assigned block and (2) if α is an intermediate node with two children β and γ, then we initialize com α to |0 b ⟩, and apply G to the three registers com β , com γ , and com α .Finally, P sends the register com rt to V, where rt is the root of the binary tree.
Suppose V requests the state of the i-th block x (i) of the quantum state.To reveal the i-th block x (i) on a leaf (which we denote µ) of the tree P sends all the com α for nodes α that are the (1) ancestors of µ, (2) siblings of an ancestor of µ, or (3) µ or the sibling of µ.V then "undoes" all the applied G in the exact reverse order by applying G † to the registers sent by P starting from the register com rt , and then from the root downwards to the leaves.After that, for every ancestor α of µ, V checks that com α is |0 b ⟩ by measuring it in the computational basis.To illustrate, if V asks for the block x (2) , then P sends the corresponding com α registers for all diamond shape nodes in Figure 3.
Comment: So how might one heuristically instantiate a Haar-Random unitary?One might use a random quantum circuit that well approximates the behavior of a Haar unitary.For example, one might use a polynomially deep circuit.One way to formalize the degree of approximation is via the ideas in k-design [10].
is at most αm or at least βm.Below we abbreviate this problem by (α, β)-k-LH.Formally, in Π succinct the honest prover P applies the quantum Merkle tree to a ground state σ of m i=1 H i , and sends com rt to V. Then V draws an integer i from {1, 2, . . ., m} uniformly at random and asks P to reveal the qubits in the support of the term H i .V does the decommitment from the root towards the qubits in the support of H i as described above.If in this decommitment phase the ancestors of the qubits in the support of H i all result in 0 b it proceeds to the last step.In the last step, it measures the POVM {H i , 1 − H i } on the qubits in the support of H i and rejects if it sees H i .Indeed, this is the natural analog of Kilian's succinct argument [4] in the quantum setting.
We prove that if P follows the protocol, then (1) when λ min ( m i=1 H i ) ≤ α • m, P can make V accept with probability at least 1 − α, and (2) when λ min ( m i=1 H i ) ≥ β • m, P cannot force V to accept with a probability greater than 1 − β < 1 − α (See Theorem 3.1 for details).By a sequential repetition argument, the completeness 1 − α and the soundness 1 − β can be boosted to 1 − n −ω (1) and n −ω (1) respectively where ω(1) means super constant.
However, a malicious P may not follow the protocol, but instead come up with some arbitrary states for the different nodes that are not the result of the quantum Merkle tree algorithm and send those to V instead.We currently do not know how to analyze such an arbitrary attack, but we conjecture the following: Conjecture 1.2.For the constants k ∈ N and 0 < α < β ≤ 1, Π succinct (with sequential repetition) for (α, β)-k-LH has completeness 1 − n −ω (1) and soundness n −ω (1) in QHROM.

Open Questions and Follow-up Works
We believe our inability to prove Conjecture 1.2 is mainly due to the lack of tools available for analyzing this new QHROM setting.We remark that only two years ago [7] managed to prove that the succinct argument for NP [4,5] is secure in the QROM model by using the recently proposed compressed oracles technique introduced in [11] which gives a nice way to analyze QROM.To prove the security of our succinct argument for Gap-k-LH, one likely needs similar advances for analyzing the QHROM.We now list some specific open problems: Open Problem 1.Is there an analog of the compressed oracle technique in [11] for the QHROM?
Above we generalized Kilian's constant-round succinct argument [4] to the quantum setting and conjectured its soundness.A natural open question is whether we can generalize Micali's non-interactive succinct argument for NP [5] to the quantum settings as well.

Open Problem 2. Is there an analog of Micali's non-interactive succinct argument for Gapk-LH?
A particularly useful feature of previous succinct arguments for NP [4,5] is that they can be made zero-knowledge with minimal overhead.A natural open question is whether we can make our proposed succinct argument for Gap-k-LH zero-knowledge as well.

Open Problem 3. Is there a zero-knowledge succinct argument for Gap-k-LH in QHROM?
Subsequent work.Finally, we remark that this paper formed the basis of the ideas in an exciting subsequent work [12].They proved the security of a tree commitment similar to what is presented here but from standard (quantum) cryptographic assumptions.Note that it is not a priori clear what "security" even means for commitments to quantum states 3 , and a major contribution of [12] is to formally define the security of commitments to quantum states.We refer readers to [12] for an overview of more prior works on quantum commitment schemes.As far as we know, the security of the precise protocol (in the QHROM) given in this paper remains open.

Notation
We always denote by log the logarithm in base 2. We denote by [n] the set of integers {1, 2, . . ., n}.Let reg be a register of n qubits.For each i ∈ [n], reg(i) denotes the i-th qubit in reg, and reg[ℓ, r] denotes the qubits from reg(ℓ) to reg(r).The corresponding Hilbert space is denoted by H reg .For k pairwise-disjoint sets S 1 , . . ., S k , we use i∈[k] S i to denote their union.We say a function α : For a quantum state σ on n qubits and a subset S ⊆ [n], σ S := Tr [n]\S [σ] is the reduced density matrix.For a quantum state |ψ⟩ ∈ H reg , for simplicity we sometimes use ψ to denote the corresponding density matrix ψ = |ψ⟩⟨ψ|.Given a unitary sequence U 1 , . . ., U T , we write U [ℓ,r] to denote the product U r U r−1 • • • U ℓ for ease of notation.
For two quantum states σ and ρ, we use ∥σ − ρ∥ 1 to denote their trace distance.We also write x ∈ R A to mean that x is drawn from the set A uniformly at random.

The Quantum Haar Random Oracle Model
We will consider the Quantum Haar random oracle model (QHROM), in which every agent (prover and verifier) gets access to a Haar random oracle G acting on λ qubits and its inverse G † , where λ is the so-called security parameter.
We denote by U(N ) the set of all N × N unitaries.By G ∈ R U(N ) we mean that G is an N × N unitary drawn from the Haar measure.Definition 2.1.An interactive protocol Π between the prover P and verifier V is a proof system for a promise problem L = (L yes , L no ) with completeness c(n, λ) and soundness s(n, t, λ) in QHROM, if the following holds: P and V: P and V are both given an input x ∈ L yes ∪ L no .V is polynomial-time and outputs a classical bit indicating acceptance or rejection of x, and P is unbounded.Both V and P are given access to a Haar random quantum oracle G and its inverse G † that act on λ qubits (that is, G ∈ R U(2 λ )).Let n = |x|.
Soundness: If x ∈ L no , for every t ∈ N and any unbounded prover P * making at most t total queries to G and G † , we have that In the above ⇆" denotes the interactive nature of the protocol between P and V.
We remark that in the soundness part, the only restriction on a malicious prover P * is the number of queries it can make to G and G † .In particular, this means that even if P * has unbounded computational power, as long as it makes a small number of queries to G and G † , it cannot fool the verifier.

Quantum Local Proofs
Next, we provide formal definitions of LocalQMA.For a reader familar with QMA in the following definition, one can think of x as the classical description of the local Hamiltonian problem, and m(n) as the number of terms in it (i.e., H = m i=1 H i ).
Definition 2.2 ((k, γ)-LocalQMA).For two constants k, γ ∈ N, a promise problem L = (L yes , L no ) is in the complexity class (k, γ)-LocalQMA with soundness s(n) and completeness c(n) if there are polynomials m and p such that the following hold: There is a verifier V L that acts as follows: ] and a γ-size quantum circuit C i that is over the Clifford + T gate-set and acts on k qubits.C i may use γ ancilla qubits, with the first ancilla qubit being the output qubit.
2. V L next applies C i to the restriction of σ on qubits in S i and measures the first ancilla qubit.V L accepts if the outcome is 1 and rejects otherwise.
• (Completeness) If x ∈ L yes , there is a p(n)-qubit state σ such that V L accepts σ with probability at least c(n).
• (Soundness) If x ∈ L no , V L accepts every p(n)-qubit state σ with probability at most s(n).
• (Strongly explicit) Moreover, we say that V L is strongly explicit, if V L computes S i and C i in poly(log n, k, γ) time instead of poly(n, k, γ) time.
We will use (k, γ)-LocalQMA s,c to denote the class above for notational convenience.

The Quantum PCP Conjecture
We first recall the quantum PCP conjecture [16,17].

A Candidate Succinct Argument for LocalQMA in QHROM
In this section, we present a candidate succinct argument for LocalQMA in QHROM.Assuming QPCP, this succinct argument also works for all of QMA.

The Succinct Protocol Π succinct
Notation.Let L = (L yes , L no ) ∈ (k, γ)-LocalQMA s,c for two integers k, γ ∈ N and two reals s, c ∈ [0, 1] such that s < c.Let m L and p L be the polynomials and V L be the k-local verifier in Definition 2.2.Throughout this section, we will always use n to denote the length of the input to L, N = p L (n) to denote the number of qubits in a witness for V L , and λ to denote the security parameter.
We set b = λ/3, and ℓ = N/b.We assume that b is an integer and ℓ is a power of 2 for simplicity and without loss of generality since one can always add dummy qubits to the witness.The perfect binary tree T ℓ .We will consider a perfect binary tree T ℓ of ℓ leafs (see Figure 4 for an illustration).Note that T ℓ has log ℓ layers.We label the nodes in T ℓ first from root to leaves and then from left to right, starting with 1.
For a node u in T ℓ , we observe that u's parent is ⌊u/2⌋ if u is not the root (i.e., u ̸ = 1) and u's two children are 2u and 2u + 1 if u is not a leaf (i.e., u < ℓ).We use P u to denote the set of nodes consisting of u and all ancestors of u.Formally, we have We also define R u as follows: Given an N -qubit state σ, we define the following commitment algorithm (Algorithm 1) and the corresponding local decommitment algorithm (Algorithm 2).
Let W i be the set of leaves in T ℓ that contain the qubits indexed by S i .That is, • (Third message: P → V) The honest prover P sends {η u } u∈R W i ,u̸ =1 to V. V then runs decommit(N, λ, W i , {η u } u∈R W i ) (note that V already has η 1 ).If decommit returns ⊥, V rejects immediately.
Otherwise, V continues the simulation of V L by running C i using {η u } u∈W i , and V accepts if and only if V L accepts.

Analysis of Π succinct
We say a prover P is semi-honest, if P commits to an arbitrary N -qubit state (as opposed to the true ground state) σ in the first message but indeed follows Π succinct .We remark that, unlike an honest prover, a semi-honest prover may not necessarily commit to a state that makes V L accepts with probability at least c. 4Now we prove the completeness and succinctness of Π succinct .We also show Π succinct is sound against semi-honest provers.5 Theorem 3.1.Let Π succinct be the protocol between P and V for the promise language L ∈ (k, γ)-LocalQMA s,c .For every x ∈ {0, 1} n , the following hold: For the running time of V, one can see that its running time is dominated by the running time of decommit(N, λ, W i , {η u } u∈R W i ) and the running time of V L computing W i and C i , which are at most O(k • λ • log N ) and poly(n, k, γ) respectively.The latter becomes (poly(log n, k, γ) if V L is strongly explicit.
How easy is it for the prover to cheat after having sent the commitment to the verifier in the quantum Merkle tree construction?We believe (but cannot yet prove; see Conjecture 3.2) that a computationally bounded prover will not be able to make the verifier accept.However, a computationally unbounded prover can.We now demonstrate this by the application of Schrödinger-HJW theorem [18] to the simple toy example of a Merkle tree with depth one.Suppose |ψ⟩ is the 2b-qubit state P initially committed to, and |ϕ⟩ is another 2b-qubit state that P wishes to cheat by switching |ψ⟩ with.Mathematically the process of committing, switching the initial state and lastly decommitting writes where in the above we think of |0 b ⟩ as the parent and see that the initially committed 2bqubit state |ψ⟩ can be changed to another completely different 2b-qubit state |ϕ⟩ by applying Schrödinger-HJW theorem (i.e., application of a W ⊗ I) for a suitable unitary W that acts on the first 2b qubits.We note that such W exists, because the reduced density matrix of the last b qubits of both G(|ψ⟩⊗|0 b ⟩) and G(|ϕ⟩⊗|0 b ⟩) are very close to the maximally mixed state, for any two fixed states |ϕ⟩ and |ψ⟩.However, we conjecture that finding W requires computationally unbounded prover.For example, in the foregoing equation a direct way to solve for W would require solving a linear system of equations that is exponentially large.Moreover, the oracle G is fully random and does not afford any structure we can utilize to reduce the computation.This is exacerbated by the fact that finding a unitary W that makes the two sides approximately equal can also make the verifier accept with sufficiently high probability.We leave this resolution as a mathematical challenge.

Figure 1 :
Figure 1: An illustration of the toy example for the classical Merkle tree apply G or O h P sends to V

Figure 2 :
Figure 2: An illustration of the toy example for the quantum Merkle tree

1. 4 A
Candidate for Succinct Quantum Argument for Gap-k-LH in QHROM Similar to Kilian's succinct argument for NP, the quantum Merkle tree naturally suggests a succinct argument Π succinct for the Gap Local Hamiltonian Problem.We first recall its definition below.Definition 1.1.(Gap-k-Local Hamiltonian Problem) Given α, β with 0 < α < β ≤ 1 and a k-local Hamiltonian with m local terms

Figure 4 :
Figure 4: An illustration of the labeling of the nodes in the tree T ℓ with ℓ leaves