Efficient simulation of random states and random unitaries

As is well-known, quantum sources of randomness exhibit dramatically different properties from their classical counterparts [23, 7]. Compare, for example, uniformly random $n$-bit classical states (i.e., $n$-bit strings) and uniformly random $n$-qubit (pure) quantum states. A random string $x$ is obviously trivial to sample perfectly given probabilistic classical (or quantum) computation, and can be copied and distributed arbitrarily. However, it is also (just as obviously) deterministic to all parties who have examined it before. By contrast, a random state $\lvert\mspace{0.5mu}\varphi\mspace{0.5mu}\rangle$ would take an unbounded amount of information to describe perfectly. Even if one manages to procure such a state, it is then impossible to copy due to the no-cloning theorem. On the other hand, parties who have examined $\lvert\mspace{0.5mu}\varphi\mspace{0.5mu}\rangle$ many times before, can still extract almost exactly $n$ bits of randomness from any fresh copy of $\lvert\mspace{0.5mu}\varphi\mspace{0.5mu}\rangle$ they receive – even if they use the exact same measurement procedure each time.

The differences between random classical and random quantum maps are even more stark. The outputs of a classical random function are of course classical random strings, with all of the aforementioned properties. Outputs which have already been examined become effectively deterministic, while the rest remain uniformly random and independent. This is precisely what makes efficient simulation possible via lazy sampling. A Haar-random unitary $U$ queried on two inputs $\lvert\mspace{0.5mu}\psi\mspace{0.5mu}\rangle$ and $\lvert\mspace{0.5mu}\phi\mspace{0.5mu}\rangle$ also produces (almost) independent and uniformly random states when queried, but only if the queries are orthogonal, i.e., $\left\langle\psi\mid\phi\right\rangle=0$. Unitarity implies that overlapping queries must be answered consistently, i.e., if $\left\langle\psi\mid\phi\right\rangle=\delta$ then $\left\langle(U\psi)\mid(U\phi)\right\rangle=\delta$. This possibility of querying with a distinct pure state which is not linearly independent from previous queries simply doesn’t exist for classical functions.

We emphasize that the above differences should not be interpreted as quantum random objects simply being “stronger” than their classical counterparts. In the case of classical states, i.e. strings, the ability to copy is quite useful, e.g., in setting down basic security definitions [8, 3, 2] or when rewinding an algorithm [29, 30, 14]. In the case of maps, determinism is also quite useful, e.g., for verification in message authentication.

The first problem of interest is thus to efficiently simulate the following ideal object: an oracle $\mathfrak{IS}(n)$ which contains a description of a perfectly Haar-random $n$-qubit pure state $\lvert\mspace{0.5mu}\varphi\mspace{0.5mu}\rangle$, and which outputs a copy of $\lvert\mspace{0.5mu}\varphi\mspace{0.5mu}\rangle$ whenever it is invoked. We first make an obvious observation: the classical analogue, which is simply to generate a random bitstring $x\leftarrow\{0,1\}^{n}$ and then produce a copy whenever asked, is completely trivial. In the quantum case, efficient simulation is only known against limited query algorithms (henceforth, adversaries.)

If the adversary has an a priori bound on the number of queries, then state $t$-designs suffice. These are indexed families $\{\lvert\mspace{0.5mu}\varphi_{k,t}\mspace{0.5mu}\rangle:k\in K_{t}\}$ of pure states which perfectly emulate the standard uniform “Haar” measure on pure states, up to the first $t$ moments. State $t$-designs can be sampled efficiently, and thus yield a stateless simulator for this case [4]. A recent work of Ji, Liu and Song considered the case of polynomial-time adversaries [18]. They defined a notion of pseudorandom states (PRS), which appear Haar-random to polynomial-time adversaries who are allowed as many copies of the state as they wish. They also showed how to construct PRS efficiently, thus yielding a stateless simulator for this class of constrained adversaries [18]; see also [9].

The case of arbitrary adversaries is, to our knowledge, completely unexplored. In particular, before this work it was not known whether simulating $\mathfrak{IS}(n)$ against adversaries with no a priori bound on query or time complexity is possible, even if given polynomial space (in $n$ and the number of queries) and unlimited time. Note that, while the state family constructions from [18, 9] could be lifted to the unconditional security setting by instantiating them with random instead of pseudorandom functions, this would require space exponential in $n$ regardless of the number of queries.

In the case of simulating random unitaries, the ideal object is an oracle $\mathfrak{IU}$ (n) which contains a description of a perfectly Haar-random $n$-qubit unitary operator $U$, and applies $U$ to its input whenever it is invoked. The classical analogue is the well-known Random Oracle, and can be simulated perfectly using the aforementioned technique of lazy sampling. In the quantum case, the situation is even less well-understood than in the case of states.

For the case of query-limited adversaries, we can again rely on design techniques: (approximate) unitary $t$-designs can be sampled efficiently, and suffice for the task [10, 21]. Against polynomial-time adversaries, Ji, Liu and Song defined the natural notion of a pseudorandom unitary (or PRU) and described candidate constructions [18]. Unfortunately, at this time there are no provably secure constructions of PRUs. As in the case of states, the case of arbitrary adversaries is completely unexplored. Moreover, one could a priori plausibly conjecture that simulating $\mathfrak{IU}$ might even be impossible. The no-cloning property seems to rule out examining input states, which in turn seems to make it quite difficult for a simulator to correctly identify the overlap between multiple queries, and then answer correspondingly.

While the above problems already appear quite challenging, we mention several natural extensions that one might consider. First, for the case of repeatedly sampling a random state $\lvert\mspace{0.5mu}\varphi\mspace{0.5mu}\rangle$, one would ideally want some additional features, such as the ability to apply the two-outcome measurement $\{|\varphi\rangle\langle\varphi|,\mathds{1}-|\varphi\rangle\langle\varphi|\}$ (verification) or the reflection $\mathds{1}-2|\varphi\rangle\langle\varphi|$. In the case of pseudorandom simulation, these additional features can be used to create a (computationally secure) quantum money scheme [18]. For the case of simulating random unitaries, we might naturally ask that the simulator for a unitary $U$ also has the ability to respond to queries to $U^{-1}=U^{\dagger}$.

As discussed above, we wish to construct an efficient simulator $\mathfrak{ES}(n)$ for the ideal oracle $\mathfrak{IS}(n)$. For now we focus on simulating the procedure which generates copies of the fixed Haar-random state; we call this $\mathfrak{IS}(n).\mathsf{Gen}$. We first note that the mixed state observed by the adversary after $t$ queries to $\mathfrak{IS}(n).\mathsf{Gen}$ is the expectation of the projector onto $t$ copies of $\lvert\mspace{0.5mu}\psi\mspace{0.5mu}\rangle$. Equivalently, it is the (normalized) projector onto the symmetric subspace $\mathbf{Sym}_{n,t}$ of $(\mathbb{C}^{2^{n}})^{\otimes t}$:

Recall that $\mathbf{Sym}_{n,t}$ is the subspace of $(\mathbb{C}^{2^{n}})^{\otimes t}$ of vectors which are invariant under permutations of the $t$ tensor factors. Our goal will be to maintain an entangled state between the adversary $\mathcal{A}$ and our oracle simulator $\mathfrak{ES}$ such that the reduced state on the side of $\mathcal{A}$ is $\tau_{t}$ after $t$ queries. Specifically, the joint state will be the maximally entangled state between the $\mathbf{Sym}_{n,t}$ subspace of the $t$ query output registers received by $\mathcal{A}$, and the $\mathbf{Sym}_{n,t}$ subspace of $t$ registers held by $\mathfrak{ES}$. If we can maintain this for the first $t$ queries, then it’s not hard to see that there exists an isometry $V^{t\rightarrow t+1}$ which, by acting only on the state of $\mathfrak{ES}$, implements the extension from the $t$-fold to the $(t+1)$-fold joint state.

The main technical obstacle, which we resolve, is showing that $V^{t\rightarrow t+1}$ can be performed efficiently. To achieve this, we develop some new algorithmic tools for working with symmetric subspaces, including an algorithm for coherent preparation of its basis states. We let $A$ denote an $n$-qubit register, $A_{j}$ its indexed copies, and $A^{t}=A_{1}\cdots A_{t}$ $t$-many indexed copies (and likewise for $B$.) We also let $\{\lvert\mspace{0.5mu}\mathrm{Sym}(\alpha)\mspace{0.5mu}\rangle:\alpha\in S^{\scriptscriptstyle\uparrow}_{n,t}\}$ denote a particular orthonormal basis set for $\mathbf{Sym}_{n,t}$, indexed by some set $S^{\scriptscriptstyle\uparrow}_{n,t}$ (see Section 3 for definitions of these objects.)

Above, $V$ is an operator defined to apply to a specific subset of registers of a state. When no confusion can arise, in such settings we will abbreviate $\mathds{1}\otimes V$—the application of this operator on the entire state—as simply $V$.

It will be helpful to view $V^{t\to t+1}$ as first preparing $\lvert\mspace{0.5mu}0^{n}\mspace{0.5mu}\rangle_{A_{t+1}}\lvert\mspace{0.5mu}0^{n}\mspace{0.5mu}\rangle_{B_{t+1}}$ and then applying a unitary $U^{t\to t+1}$ on $A_{t+1}B^{t+1}$. Theorem 1.1 then gives us a way to answer $\mathsf{Gen}$ queries efficiently, as follows. For the first query, we prepare a maximally entangled state $\lvert\mspace{0.5mu}\phi^{+}\mspace{0.5mu}\rangle_{A_{1}B_{1}}$ across two $n$-qubit registers $A_{1}$ and $B_{1}$, and reply with register $A_{1}$. Note that $\mathbf{Sym}_{n,1}=\mathbb{C}^{2^{n}}$. For the second query, we prepare two fresh registers $A_{2}$ and $B_{2}$, both in the $\lvert\mspace{0.5mu}0^{n}\mspace{0.5mu}\rangle$ state, apply $U^{1\to 2}$ on $A_{2}B_{1}B_{2}$, return $A_{2}$, and keep $B_{1}B_{2}$. For the $t$-th query, we proceed similarly, preparing fresh blank registers $A_{t+1}B_{t+1}$, applying $U^{t\to t+1}$, and then outputting the register $A_{t+1}$.

With this approach, as it turns out, there is also a natural way to respond to verification queries $\mathsf{Ver}$ and reflection queries $\mathsf{Reflect}$. The ideal functionality $\mathfrak{IS}$.$\mathsf{Ver}$ is to apply the two-outcome measurement $\{|\varphi\rangle\langle\varphi|,\mathds{1}-|\varphi\rangle\langle\varphi|\}$ corresponding to the Haar-random state $\lvert\mspace{0.5mu}\varphi\mspace{0.5mu}\rangle$. To simulate this after producing $t$ samples, we apply the inverse of $U^{t-1\to t}$, apply the measurement $\{|0^{2n}\rangle\langle 0^{2n}|,\mathds{1}-|0^{2n}\rangle\langle 0^{2n}|\}$ to $A_{t}B_{t}$, reapply $U^{t-1\to t}$, and then return $A_{t}$ together with the measurement outcome (i.e., yes/no). For $\mathfrak{IS}$.$\mathsf{Reflect}$, the ideal functionality is to apply the reflection $\mathds{1}-2|\varphi\rangle\langle\varphi|$ through the state. To simulate this, we perform a sequence of operations analogous to $\mathsf{Ver}$, but apply a phase of $-1$ on the $\lvert\mspace{0.5mu}0^{2n}\mspace{0.5mu}\rangle$ state of $A_{t}B_{t}$ instead of measuring.

Our main result on simulating random states is to establish that this collection of algorithms correctly simulates the ideal object $\mathfrak{IS}$, in the following sense.

A complete description of our construction, together with the proofs of Theorem 1.1 and Theorem 1.2, are given in Section 3.

To see that the efficient state sampler leads to a powerful quantum money scheme, consider building a scheme where the bank holds the ideal object $\mathfrak{IS}.$ The bank can mint bills by $\mathfrak{IS}.\mathsf{Gen}$, and verify them using $\mathfrak{IS}.\mathsf{Ver}$. As each bill is guaranteed to be an identical and Haar-random state, it is clear that this scheme should satisfy perfect unforgeability and untraceability, under quite strong notions of security.

By Theorem 3.2, the same properties should carry over for a money scheme built on $\mathfrak{ES}$, provided $\epsilon$ is sufficiently small. We call the resulting scheme Haar money. Haar money is an information-theoretically secure analogue of the scheme of [18], which is based on pseudorandom states. We remark that our scheme requires the bank to have quantum memory and to perform quantum communication with the customers. However, given that quantum money already requires customers to have large-scale, high-fidelity quantum storage, these additional requirements seem reasonable.

The notions of correctness and unforgeability (often called completeness and soundness) for quantum money are well-known (see, e.g., [1].) Correctness asks that honestly generated money schemes should verify, i.e., $\mathsf{Ver}(\mathsf{Mint})$ should always accept. Unforgeability states that an adversary with $k$ bills and oracle access to $\mathsf{Ver}$ should not be able to produce a state on which $\mathsf{Ver}^{\otimes k+1}$ accepts. In this work, we consider untraceable quantum money (also called “quantum coins” [24].) We give a formal security definition for untraceability, which states that an adversary $\mathcal{A}$ with oracle access to $\mathsf{Ver}$ and $\mathsf{Mint}$ cannot do better than random guessing in the following experiment:

1. 1.

   $\mathcal{A}$ outputs some candidate bill registers $\{M_{j}\}$ and a permutation $\pi$;

2. 2.

   $b\leftarrow\{0,1\}$ is sampled, and if $b=1$ the registers $\{M_{j}\}$ are permuted by $\pi$; each candidate bill is verified and the failed ones are discarded;

3. 3.

   $\mathcal{A}$ receives the rest of the bills and the entire internal state of the bank, and outputs a guess $b^{\prime}$ for $b$.

One might reasonably ask if there are even stronger definitions of security for quantum money. Given its relationship to the ideal state sampler, we believe that Haar money should satisfy almost any notion of unforgeability and untraceability, including composable notions. We also remark that, based on the structure of the state simulator, which maintains an overall pure state supported on two copies of the symmetric subspace of banknote registers, it is straightforward to see that the scheme is also secure against an “honest but curious” or “specious” [27, 15] bank. We leave the formalization of these added security guarantees to future work.

Next, we turn to the problem of simulating Haar-random unitary operators. In this case, the ideal object $\mathfrak{IU}(n)$ initially samples a description of a perfectly Haar-random $n$-qubit unitary $U$, and then responds to two types of queries: $\mathfrak{IU}.\mathsf{Eval}$, which applies $U$, and $\mathfrak{IU}.\mathsf{Invert}$, which applies $U^{\dagger}$. In this case, we are able to construct a stateful simulator that runs in space polynomial in $n$ and the number of queries $q$, and is exactly indistinguishable from $\mathfrak{IU}(n)$ to arbitrary adversaries. Our result can be viewed as a polynomial-space quantum analogue of the classical technique of lazy sampling for random oracles.

Our high-level approach is as follows. For now, suppose the adversary $\mathcal{A}$ only makes parallel queries to $\mathsf{Eval}$. If the query count $t$ of $\mathcal{A}$ is a priori bounded, we can simply sample an element of a unitary $t$-design. We can also do this coherently: prepare a quantum register $I$ in uniform superposition over the index set of the $t$-design, and then apply the $t$-design controlled on $I$. Call this efficient simulator $\mathfrak{EU}_{t}$. Observe that the effect of $t$ parallel queries is just the application of the $t$-twirling channel $\mathcal{T}^{(t)}$ to the $t$ input registers [10], and that $\mathfrak{EU}_{t}$ simulates $\mathcal{T}^{(t)}$ faithfully. What is more, it applies a Stinespring dilation¹¹1The Stinespring dilation of a quantum channel is an isometry with the property that the quantum channel can be implemented by applying the isometry and subsequently discarding an auxiliary register. [28] of $\mathcal{T}^{(t)}$ with dilating register $I$.

Now suppose $\mathcal{A}$ makes an “extra” query, i.e., query number $t+1$. Consider an alternative Stinespring dilation of $\mathcal{T}^{(t)}$, namely the one implemented by $\mathfrak{EU}_{t+1}$ when queried $t$ times. Recall that all Stinespring dilations of a quantum channel are equivalent, up to a partial isometry on the dilating register. It follows that there is a partial isometry, acting on the private space of $\mathfrak{EU}_{t}$, that transforms the dilation of $\mathcal{T}^{(t)}$ implemented by $\mathfrak{EU}_{t}$ into the dilation of $\mathcal{T}^{(t)}$ implemented by $\mathfrak{EU}_{t+1}$. If we implement this transformation, and then respond to $\mathcal{A}$ as prescribed by $\mathfrak{EU}_{t+1}$, we have achieved perfect indistinguishability against the additional query. By iterating this process, we see that the a priori bound on the number of queries is no longer needed. We let $\mathfrak{EU}$ denote the resulting simulator. The complete construction is described in Construction 4 below.

Our high-level discussion above did not take approximation into account. All currently known efficient constructions of $t$-designs are approximate. Here, we take a different approach: we will implement our construction using exact $t$-designs. This addresses the issue of adaptive queries: if there exists an adaptive-query distinguisher with nonzero distinguishing probability, then by post-selection there also exists a parallel-query one via probabilistic teleportation. This yields that the ideal and efficient unitary samplers are perfectly indistinguishable to arbitrary adversaries.

The existence of exact unitary $t$-designs for all $t$ is a fairly recent result. It follows as a special case of a result of Kane [19], who shows that designs exist for all finite-dimensional vector spaces of well-behaved functions on path-connected topological spaces. He also gives a simpler result for homogeneous spaces when the vector space of functions is invariant under the symmetry group action. Here, the number of elements of the smallest design is bounded just in terms of the dimension of the space of functions. The unitary group is an example of such a space, and the dimension of the space of homogeneous polynomials of degree $t$ in both $U$ and $U^{\dagger}$ can be explicitly derived, see e.g. [26]. This yields the following.

We now sketch another potential approach to lazy sampling of unitaries. Very briefly, this approach takes a representation-theoretic perspective and suggests that the Schur transform [5] could lead to a polynomial-time algorithm for lazy sampling Haar-random unitaries. The discussion below uses tools and language from quantum information theory and the representation theory of the unitary and symmetric groups to a much larger extent than the rest of the article, and is not required for understanding our main results.

We remark that the analogous problem of lazy sampling a quantum oracle for a random classical function was recently solved by Zhandry [32]. One of the advantages of Zhandry’s technique is that it partly recovers the ability to inspect previously made queries, an important feature of classical lazy sampling. The key insight is that the simulator can implement the Stinespring dilation of the oracle channel, and thus record the output of the complementary channel.²²2The complementary channel of a quantum channel maps the input to the auxiliary output of the Stinespring dilation isometry. As the classical function is computed via XOR, changing to the $\mathbb{Z}_{2}^{n}$-Fourier basis makes the recording property explicit. It also allows for an efficient implementation.

In the case of Haar-random unitary oracles, we can make an analogous observation. Consider an algorithm that makes $t$ parallel queries to $U$. The relevant Fourier transform is now over the unitary group, and is given by the Schur transform [5]. By Schur-Weyl duality (see e.g. [12]), the decomposition of $\left(\mathbb{C}^{2^{n}}\right)^{\otimes t}$ into irreducible representations is given by

Here $\lambda\vdash_{d}t$ means $\lambda$ is any partition of $t$ into at most $d$ parts, $[\lambda]$ is the Specht module of $S_{t}$, and $V_{\lambda,d}$ is the Weyl module of $U(d)$, corresponding to the partition $\lambda$, respectively. By Schur’s lemma, the $t$-twirling channel acts as

where $\mathrm{id}$ is the identity channel, and $\Lambda=\mathrm{Tr}(\cdot)\tau$ with the maximally mixed state $\tau$ is the depolarizing channel. We therefore obtain a Stinespring dilation of the $t$-twirling channel as follows. Let $\tilde{B},\tilde{B}^{\prime}$ be registers with Hilbert spaces

and denote the subregisters by $\tilde{B}_{\lambda}$ and $\tilde{B}^{\prime}_{\lambda}$, respectively. Let further $\lvert\mspace{0.5mu}\phi^{+}\mspace{0.5mu}\rangle_{\tilde{B}\tilde{B}^{\prime}}$ be the standard maximally entangled state on these registers, and let $C$ be a register whose dimension is the number of partitions of $t$ (into at most $2^{n}$ parts). Define the isometry

In the above equation $V_{\lambda,d}$ and $[\lambda]$ are understood to be subspaces of $A^{t}$, the identity operators on $\tilde{B}_{\mu}$, $\mu\neq\lambda$ are omitted and $F$ is the swap operator. By (3), a Stinespring dilation of the $t$-twirling channel is then given by

By the equivalence of all Stinespring dilations, the exists an isometry $W_{\hat{B}_{t}\to\tilde{B}\tilde{B}^{\prime}C}$ that transforms the state register of $\mathfrak{EU}(n)$ after $t$ parallel queries so that the global state is the same as if the Stinespring dilation above had been applied to the $t$ input registers. But now the quantum information that was contained in the subspace $V_{\lambda,d}$ of the algorithm’s query registers can be found in register $\tilde{B}_{\lambda}$.

We recall an explicit orthonormal basis of the symmetric subspace (see, e.g., [18] or [17].) Let

be the set of lexicographically-ordered $t$-tuples of $n$ bit strings. For each $\alpha\in S^{\scriptscriptstyle\uparrow}_{n,t}$, define the unit vector

Here, $f_{x}(\alpha)$ is the number of times the string $x$ appears in the tuple $\alpha$. The set $\{\lvert\mspace{0.5mu}\mathrm{Sym}(\alpha)\mspace{0.5mu}\rangle:\alpha\in S^{\scriptscriptstyle\uparrow}_{n,t}\}$ is an orthonormal basis for $\mathrm{Sym}^{t}\mathbb{C}^{2^{n}}$. We remark that the Schmidt decomposition of $\lvert\mspace{0.5mu}\mathrm{Sym}(\alpha)\mspace{0.5mu}\rangle$ with respect to the bipartition formed by the $t$-th register vs. the rest is given by

where $\alpha^{-x}\in S^{\scriptscriptstyle\uparrow}_{n,t-1}$ is the tuple $\alpha$ with one copy of $x$ removed.

We now describe some algorithms for working in the above basis. Let $A$ and $B$ denote $n$-qubit registers. Recall that $A_{j}$ denotes indexed copies of $A$ and that $A^{t}$ denotes $A_{1}A_{2}\cdots A_{t}$, and likewise for $B$. In our setting, the various copies of $A$ will be prepared by the oracle simulator and then handed to the query algorithm at query time. The copies of $B$ will be prepared by, and always remain with, the oracle simulator.