The subset cover problem for $k \geq 1$ hash functions, which can be seen as an extension of the collision problem, was introduced in 2002 by Reyzin and Reyzin to analyse the security of their hash-function-based signature scheme HORS. The security of many hash-based signature schemes relies on this problem or on a variant of it (e.g. HORS, SPHINCS, SPHINCS+, $\dots$). Recently, Yuan, Tibouchi and Abe (2022) introduced a variant of the subset cover problem, called restricted subset cover, and proposed a quantum algorithm for this problem. In this work, we prove that any quantum algorithm needs to make $\Omega\left((k+1)^{-\frac{2^{k}}{2^{k+1}-1}}\cdot N^{\frac{2^{k}-1}{2^{k+1}-1}}\right)$ queries to the underlying hash functions with codomain size $N$ to solve the restricted subset cover problem, which essentially matches the query complexity of the algorithm proposed by Yuan, Tibouchi and Abe. We also analyze the security of the general $(r,k)$-subset cover problem, which is the underlying problem that implies the unforgeability of HORS under an $r$-chosen-message attack (for $r \geq 1$). We prove that a generic quantum algorithm needs to make $\Omega\left(N^{k/5}\right)$ queries to the underlying hash functions to find a $(1,k)$-subset cover. We also propose a quantum algorithm that finds an $(r,k)$-subset cover making $O\left(N^{k/(2+2r)}\right)$ queries to the $k$ hash functions.
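To make the two problems named in the abstract concrete, the following added example (not code from the paper) checks and exhaustively searches for an $(r,k)$-subset cover and a restricted subset cover over toy hash functions. It assumes the usual definitions, which the abstract does not spell out: $x_0, x_1, \dots, x_r$ form an $(r,k)$-subset cover when $\{h_i(x_0)\} \subseteq \bigcup_j \{h_i(x_j)\}$ with $x_0 \notin \{x_1, \dots, x_r\}$, and a restricted subset cover when $h_i(x_0) = h_i(x_i)$ for each $i$; the SHA-256-based toy functions, the tiny $N = 16$ and all function names are constructed for illustration.

```python
import hashlib
from itertools import combinations

def make_hashes(k, n):
    """k toy hash functions into {0..n-1}, built from SHA-256 (constructed, not from the paper)."""
    def h(i):
        return lambda x: int.from_bytes(
            hashlib.sha256(b"%d|%d" % (i, x)).digest()[:8], "big") % n
    return [h(i) for i in range(k)]

def is_subset_cover(hs, x0, xs):
    """(r,k)-subset cover: every h_i(x0) lies in the union of all hash values of xs."""
    covered = {h(x) for x in xs for h in hs}
    return x0 not in xs and all(h(x0) in covered for h in hs)

def is_restricted_subset_cover(hs, x0, xs):
    """Restricted variant: h_i(x0) == h_i(x_i) position by position, each x_i != x0."""
    return len(xs) == len(hs) and all(
        x != x0 and h(x0) == h(x) for h, x in zip(hs, xs))

def find_subset_cover(hs, r, domain):
    """Exhaustive classical search; returns (x0, xs) or None."""
    for xs in combinations(domain, r):
        covered = {h(x) for x in xs for h in hs}
        for x0 in domain:
            if x0 not in xs and all(h(x0) in covered for h in hs):
                return x0, list(xs)
    return None

def find_restricted_subset_cover(hs, domain):
    """For each candidate x0, look for one colliding partner per hash function."""
    for x0 in domain:
        xs = []
        for h in hs:
            partner = next((x for x in domain if x != x0 and h(x) == h(x0)), None)
            if partner is None:
                break
            xs.append(partner)
        else:
            return x0, xs
    return None

if __name__ == "__main__":
    hs = make_hashes(k=2, n=16)  # tiny N so the exhaustive search finishes instantly
    print("(1,2)-subset cover:", find_subset_cover(hs, 1, range(200)))
    print("restricted subset cover:", find_restricted_subset_cover(hs, range(200)))
```

A restricted subset cover is always a $(k,k)$-subset cover, while the converse can fail because the general problem lets $h_i(x_0)$ be covered by a different hash function's output.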