Linear-input coset partition functions with 2^λ-sized preimage sets

Construct or prove the existence and collision-resistance of a coset partition function Q: {0,1}^n → {0,1}^m whose preimage sets are affine subspaces of size 2^λ and whose input length n is Θ(λ), such that any quantum adversary making polynomially many queries has at most 2^{-Ω(λ)} probability of finding a collision. Establishing such a function would enable embedding Q inside the OSS oracles P and P^{-1} while keeping the quantum signing keys O(λ) qubits.

Background

In the security reduction of the oracle-based OSS, the authors embed a coset partition function (CPF) Q inside the oracles P and P^{-1} to argue collision-resistance of the hash H. Known CPF constructions that are provably collision-resistant use parallel repetition of 2-to-1 functions, forcing the input size to be Θ(λ^2) to obtain preimage sets of size 2^λ. This growth directly drives up the quantum signing key size.

The paper introduces a folding technique to circumvent this barrier in their construction, but they note that obtaining a CPF with input length Θ(λ) and 2^λ-sized preimage sets with provable collision-resistance would directly yield linear-size quantum keys without relying on folding. They explicitly state they do not know how to prove such a CPF exists.
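The parallel-repetition structure described above, as an added toy example that is not code from the paper: k independent 2-to-1 functions on b-bit blocks give a Q on n = k·b bits whose preimage sets are affine subspaces of size 2^k, which is why taking k = λ copies with b = Θ(λ) bits each costs Θ(λ^2) input bits. The random lookup-table 2-to-1 function and all names (`parallel_cpf`, `summarize`, k, b) are assumptions for illustration and carry no collision-resistance claim.

```python
import itertools
import random

def random_two_to_one(b, rng):
    """Random 2-to-1 function on b-bit inputs, as a lookup table (toy stand-in)."""
    xs = list(range(1 << b))
    rng.shuffle(xs)
    table = {}
    for label, i in enumerate(range(0, len(xs), 2)):
        table[xs[i]] = table[xs[i + 1]] = label  # each output has exactly 2 preimages
    return table

def parallel_cpf(k, b, seed=0):
    """Q(x_1..x_k) = (f_1(x_1), ..., f_k(x_k)) on n = k*b input bits."""
    rng = random.Random(seed)
    fs = [random_two_to_one(b, rng) for _ in range(k)]
    mask = (1 << b) - 1
    def Q(x):
        return tuple(f[(x >> (i * b)) & mask] for i, f in enumerate(fs))
    return Q, fs

def preimage_set(fs, b, y):
    """All x with Q(x) = y: the product of the k two-element block preimages."""
    pairs = [[x for x, out in f.items() if out == y_i] for f, y_i in zip(fs, y)]
    return {sum(blk << (i * b) for i, blk in enumerate(choice))
            for choice in itertools.product(*pairs)}

def is_affine_subspace(S):
    """Over GF(2), S is affine iff a ^ b ^ c is in S for all a, b, c in S."""
    return all(a ^ b ^ c in S for a in S for b in S for c in S)

def summarize(k, b, seed=0):
    Q, fs = parallel_cpf(k, b, seed)
    x = random.Random(seed + 1).getrandbits(k * b)
    S = preimage_set(fs, b, Q(x))
    return {"n": k * b, "preimage_size": len(S),
            "contains_x": x in S, "affine": is_affine_subspace(S),
            "all_map_to_y": all(Q(s) == Q(x) for s in S)}

if __name__ == "__main__":
    # Constructed toy sizes: k plays the role of lambda, b the per-copy input length.
    for k, b in [(2, 3), (3, 3), (4, 4)]:
        print(k, b, summarize(k, b))
```

Each two-element preimage of a block is trivially a one-dimensional coset, so the product over k blocks is a k-dimensional affine subspace; the open problem asks for the same 2^λ preimage size without paying the factor of b per copy.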

References

It seems plausible that such CPFs may exist, and in fact provide a CPF which could reasonably be conjectured to have the desired properties. However, we do not know how to prove such a result.

Unclonable Cryptography in Linear Quantum Memory (2511.04633 - Shmueli et al., 6 Nov 2025) in Overview of techniques, Overcoming the CPF input-size Problem