How to Construct Random Unitaries

Fermi Ma Simons Institute

\&

UC Berkeley. Email: fermima1@gmail.com Hsin-Yuan Huang Google Quantum AI, Caltech,

\&

MIT. This work was conducted while Hsin-Yuan Huang was visiting the Simons Institute for the Theory of Computing. Email: hsinyuan@google.com, hsinyuan@caltech.edu

Abstract

The existence of pseudorandom unitaries (PRUs)—efficient quantum circuits that are computationally indistinguishable from Haar-random unitaries—has been a central open question, with significant implications for cryptography, complexity theory, and fundamental physics. In this work, we close this question by proving that PRUs exist, assuming that any quantum-secure one-way function exists. We establish this result for both (1) the standard notion of PRUs, which are secure against any efficient adversary that makes queries to the unitary $U$ , and (2) a stronger notion of PRUs, which are secure even against adversaries that can query both the unitary $U$ and its inverse $U^{\dagger}$ . In the process, we prove that any algorithm that makes queries to a Haar-random unitary can be efficiently simulated on a quantum computer, up to inverse-exponential trace distance.

1 Introduction

This paper resolves the question: can efficient quantum circuits behave like truly random unitaries? Specifically, we prove that pseudorandom unitaries (PRUs) exist assuming the existence of any quantum-secure one-way function. First proposed by Ji, Liu, and Song in 2017 [ji2017pseudorandom], a PRU is the unitary analogue of a pseudorandom function (PRF) [goldreich1986construct]. A PRU consists of a family of efficiently computable quantum circuits with the guarantee that no polynomial-time quantum algorithm can distinguish between queries to a unitary sampled from the PRU family and a unitary sampled from the Haar measure.

Random unitaries play an essential role throughout quantum information science, arising in quantum algorithms, quantum supremacy experiments, quantum learning, cryptographic protocols, and much more [hayden2004randomizing, knill2008randomized, arute2019quantum, bouland2019complexity, huang2020predicting, ananth2022cryptography, huang2022provably, elben2022randomized, huang2022quantum, movassagh2023hardness, kretschmer2023quantum, lombardi2024one]. In physics, highly chaotic systems such as black holes are often modeled as Haar-random unitary transformations [cotler2017black, nahum2018operator, cotler2017chaos, kim2020ghost, choi2023preparing]. However, this approach has a fundamental problem: Haar-random unitaries are inherently unphysical, requiring exponential complexity to even specify. The notion of a PRU offers a tantalizing solution: efficient circuits that are as good as Haar-random. In fact, the idea that PRUs are a more accurate model of black hole dynamics is behind recent advances in fundamental physics [kim2020ghost, yang2023complexity, engelhardt2024cryptographic].

Despite considerable interest, the question of whether PRUs actually exist has remained open. In the past couple of years, a series of works has established that weaker notions are possible [lu2023quantum, brakerski2024real, haug2023pseudorandom, metger2024simple, ananth2024pseudorandom]. For example, [metger2024simple, chen2024efficient] constructed non-adaptive PRUs, which are secure against restricted adversaries that makes all of their queries at once in parallel. While these works represent important progress, the broader goal remains elusive, and constructing a PRU remains one of the central challenges in quantum cryptography.

1.1 Our results

In this work, we give the first proof that PRUs exist.

Theorem 1.

PRUs exist assuming the existence of any quantum-secure one-way function.

In fact, we go one step further. Theorem 1 is about PRUs that satisfy the original definition of [ji2018pseudorandom], which are secure against adversaries that can query an oracle for $U$ , but not the inverse unitary $U^{\dagger}$ . We therefore define strong PRUs, which are indistinguishable from Haar-random even to adverasaries that can query both $U$ and $U^{\dagger}$ . Our second main result builds strong PRUs from one-way functions.¹¹1The notion of strong PRUs is also discussed in [metger2024simple] as an open question.

Theorem 2.

Strong PRUs exist assuming the existence of any quantum-secure one-way function.

While Theorem 2 technically subsumes Theorem 1, the proof of Theorem 2 is significantly more involved. Since Theorem 1 may suffice for many applications, we present them separately. By establishing the existence of PRUs, our work provides the foundation for new avenues of research in quantum computation, cryptography, and fundamental physics.

1.2 Our techniques

We achieve our results on PRUs by proving that any quantum oracle algorithm $\mathcal{A}^{U}$ that queries an $n$ -qubit Haar-random unitary $U$ can be efficiently simulated with a remarkably simple procedure:

1.

Initialize an external register $\mathsf{E}$ to the state $\ket*{\varnothing}$ , where $\varnothing$ denotes the empty set. (Aside: When we write a set inside a ket, e.g., $\ket*{S}_{\mathsf{E}}$ , we are simply using the set $S$ as a label for a unit vector. The inner product $\innerproduct*{R}{S}$ equals $1$ if $R=S$ and $0$ otherwise.)

Run the oracle algorithm $\mathcal{A}$ , replacing each query to $U$ with the following linear map:

\displaystyle V:\ket*{x}\ket*{S}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{E}}}}\mapsto\frac{1}{\sqrt{2^{n}-\absolutevalue{S}}}\sum_{\begin{subarray}{c}y\in\{0,1\}^{n}:\\ y\not\in S_{Y}\end{subarray}}\ket*{y}\ket*{S\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{E}}}},

(1.1)

where $S_{Y}$ denotes the set of all $y$ such that $(x,y)\in S$ for some $x$ . In words, $V$ maps $x$ to a uniform superposition over $y\in\{0,1\}^{n}$ , except those that already appear in $S$ , and simultaneously “records” $(x,y)$ by inserting it into $S$ . We refer to $V$ as the path-recording oracle.

We prove that the following mixed states have trace distance $O(t^{2}/2^{n})$ :

•

$\operatorname*{{\mathbb{E}}}_{U}\outerproduct*{\mathcal{A}^{U}}{\mathcal{A}^{U}}$ , the state of $\mathcal{A}$ after $t$ queries to a Haar-random unitary $U$ , where $\ket*{\mathcal{A}^{U}}\coloneqq U\cdot A_{t}\cdots U\cdot A_{1}\ket*{0}$ denotes the state of the algorithm after $t$ queries to $U$ , and $\ket*{0}$ denotes an arbitrary initial state.
•

$\Tr_{\mathsf{E}}(\outerproduct*{\mathcal{A}^{V}}{\mathcal{A}^{V}})$ , where $\ket*{\mathcal{A}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{E}}}}\coloneqq V\cdot A_{t}\cdot\cdots V\cdot A_{1}\ket*{0}\ket*{\varnothing}_{\mathsf{E}}$ denotes the global state of the algorithm and the external register $\mathsf{E}$ after $t$ queries to $V$ .

Despite the extensive literature on Haar-random unitaries, to the best of our knowledge, this “path-recording” characterization was not known before.²²2We note that [alagic2020efficient] proves that there exists a space-efficient (but otherwise inefficient) way to exactly simulate Haar-random unitaries. Moreover, their proof is non-constructive, i.e., they do not give a simulator.³³3This can also be viewed as an analog of Zhandry’s compressed oracles for Haar-random unitaries [zhandry2019record]. Furthermore, it is easy to show that $V$ can be efficiently implemented on a quantum computer; see LABEL:sec:efficient-implementation-pro. This establishes the following fact:

Any algorithm that queries a Haar-random unitary can be efficiently simulated
on a quantum computer up to inverse-exponential trace distance.

As we now explain, this new path-recording perspective is the key to our PRU proof.

How to construct PRUs.

The main technical step in our PRU proof is to show that a $t$ -query oracle algorithm $\mathcal{A}$ can only distinguish between

•

$P_{\pi}\cdot F_{f}\cdot C$ , where $P_{\pi}=\sum_{x}\outerproduct*{\pi(x)}{x}$ for a random permutation $\pi\leftarrow S_{2^{n}}$ , $F_{f}=\sum_{x}(-1)^{f(x)}\outerproduct*{x}{x}$ for a random function $f\leftarrow\{0,1\}^{2^{n}}$ , and $C$ is a random $n$ -qubit Clifford.⁴⁴4This $PFC$ construction was introduced by [metger2024simple], who proved security against non-adaptive adversaries, i.e., adversaries that make all of their oracle queries at once, in parallel.
•

a Haar-random $n$ -qubit unitary $U$ ,

with probability $1/2+t^{2}/2^{n}$ .

Our proof works by purifying the randomness of the PRU. Ignoring $C$ for now, suppose we initialize an external register to the uniform superposition $\propto\sum_{\pi\in S_{2^{n}}}\ket*{\pi}\otimes\sum_{f\in\{0,1\}^{2^{n}}}\ket*{f}$ over all permutations $\pi$ and functions $f$ . In this view, a query to a random $P_{\pi}\cdot F_{f}$ is equivalent to a query to a fixed unitary that applies $P_{\pi}\cdot F_{f}$ controlled on $\ket*{\pi}\ket*{f}$ , i.e., the map

\displaystyle\ket*{x}\otimes\ket*{\pi,f}\mapsto(-1)^{f(x)}\cdot\ket*{\pi(x)}\otimes\ket*{\pi,f}.

(1.2)

Equivalently, we can view this map as sending $x$ to a superposition over all $y$ , while simultaneously multiplying the purifying register by the coefficient $\delta_{\pi(x)=y}\cdot(-1)^{f(x)}$ :

\displaystyle\ket*{x}\otimes\ket*{\pi,f}\mapsto\sum_{y\in\{0,1\}^{n}}\ket*{y}\otimes\Big{(}{\color[rgb]{0.15,0.25,0.8}\definecolor[named]{pgfstrokecolor}{rgb}{0.15,0.25,0.8}\delta_{\pi(x)=y}\cdot(-1)^{f(x)}}\cdot\ket*{\pi,f}\Big{)}.

(1.3)

After $t$ queries to the purified $P_{\pi}\cdot F_{f}$ , the global state including the purifying registers is (proportional to) a sum of terms

\outerproduct*{y_{t}}{x_{t}}\cdot A_{t}\cdots\outerproduct*{y_{1}}{x_{1}}\cdot A_{1}\ket*{0^{n}}\otimes\underbrace{\sum_{\pi\in S_{2^{n}}}\ket*{\pi,f}\cdot{\color[rgb]{0.15,0.25,0.8}\definecolor[named]{pgfstrokecolor}{rgb}{0.15,0.25,0.8}\delta_{\pi(x_{1})=y_{1}}\cdots\delta_{\pi(x_{t})=y_{t}}\cdot(-1)^{f(x_{1})+\cdots+f(x_{t})}}}_{\propto\ket*{\mathsf{pf}_{\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}}}},

(1.4)

over all possible $x_{1},y_{1},\dots,x_{t},y_{t}\in\{0,1\}^{n}$ , i.e., over all Feynman paths.

Crucially, when all the $x_{1},\dots,x_{t}$ are distinct, these $\ket*{\mathsf{pf}_{\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}}}$ states are orthogonal and is isometric to $\ket*{\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}}$ . Since the algorithm is not given the purifying registers, a query to a random $P_{\pi}\cdot F_{f}$ is identical to a query to the path-recording oracle $V$ described earlier—except on paths where there is a collision among the inputs $x_{1},\dots,x_{t}$ .

This is where $C$ comes in. We prove that $V$ satisfies a key property: for any $n$ -qubit unitary $C$ ,

(V\cdot C)\cdot A_{t}\cdots(V\cdot C)\cdot A_{1}\ket*{0^{n}}\ket*{\varnothing}_{\mathsf{E}}=((C\otimes\mathsf{Id})^{\otimes t})_{\mathsf{E}}\cdot V\cdot A_{t}\cdots V\cdot A_{1}\ket*{0^{n}}\ket*{\varnothing}_{\mathsf{E}}.

(1.5)

This says that applying $C$ to the adversary’s register before each query to $V$ is equivalent to applying $C$ to each $x_{i}$ in the purifying register $\ket*{\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}}$ . When $C$ is sampled from any $2$ -design, the randomness of $C$ ensures there are no collisions in the $x_{1},\dots,x_{t}$ with overwhelming probability. Consequently, we show that queries to $V$ are indistinguishable from queries to $P_{\pi}\cdot F_{f}\cdot C$ , as long as $C$ is sampled from any $2$ -design. By instantiating the $2$ -design to be either (1) a random Clifford or (2) a Haar-random unitary, we show that both $P_{\pi}\cdot F_{f}\cdot C$ and Haar-random unitaries are indistinguishable from $V$ , and thus, from each other.

Strong PRUs and a symmetrized path-recording oracle $\widetilde{V}$ .

To obtain strong PRUs, we use the construction: $D\cdot P_{\pi}\cdot F_{f}\cdot C$ , where $D,C$ are both random $n$ -qubit Cliffords, $P_{\pi}$ is the same as before, and $F_{f}$ is a random $q$ -ary phase (for any $q\geq 3$ ). By analyzing the purification of $P_{\pi}\cdot F_{f}$ , we show that when $\mathcal{A}$ makes forward and inverse queries, the purifying registers, viewed in the right basis, “record” information from two Feynman paths: one set $S^{\mathsf{for}}$ consists of $(x,y)$ tuples corresponding to the forward queries, and another set $S^{\mathsf{inv}}$ of tuples $(x,y)$ corresponds to the inverse queries. Whereas each query in the standard PRU proof always inserts a tuple $(x,y)$ into the set $S$ , when both forward and inverse queries are allowed, the effect is more intricate:

•

A forward query will sometimes add a tuple to $S^{\mathsf{for}}$ , but other times delete a tuple from $S^{\mathsf{inv}}$ .
•

An inverse query will sometimes add a tuple to $S^{\mathsf{inv}}$ , but other times delete a tuple from $S^{\mathsf{for}}$ .

We prove that this behavior corresponds to a more general “symmetrized” path recording oracle $\widetilde{V}$ . Moreover, as long as $D,C$ are sampled from any $2$ -design, the adversary cannot distinguish between queries to $D\cdot P_{\pi}\cdot F_{f}\cdot C$ and queries to $\widetilde{V}$ , and using similar reasoning as the standard PRU proof, conclude both of the following (1) strong PRUs exist and (2) $\widetilde{V}$ is indistinguishable from Haar-random even under inverse queries. As we show in LABEL:sec:efficient-implementation-pro, $\widetilde{V}$ can also be implemented efficiently, and consequently any algorithm that makes forward and inverse queries to a Haar-random unitary can also be simulated to inverse exponential error.

Our proof leverages the following property of $2$ -designs: if one samples $C$ from a $2$ -design and applies $C\otimes\overline{C}$ to any state (where $\overline{C}$ denotes the complex conjugate), then with overwhelmingly high probability, the result is either (a) a pair of distinct elements, or (b) the maximally entangled state. At a very high level, the fact that there are two kinds of outcomes after twirling by $C\otimes\overline{C}$ is related to how the purification “decides” whether it should add or delete a tuple $(x,y)$ .

We remark that the strong PRU proof is significantly more involved than standard PRU proof, and the reader may find it beneficial to start with the standard PRU proof.

A new approach to random unitaries.

More broadly, the path-recording oracle unlocks a new way to proving theorems about random unitaries. Before this work, analyzing mixed states such as $\mathbb{E}_{U}\outerproduct*{\text{Adv}^{U}}{\text{Adv}^{U}}$ often necessitated the use of Weingarten calculus, involving intricate asymptotic bounds on Weingarten functions through sophisticated combinatorial and representation-theoretic calculations. Our approach circumvents this complexity entirely.⁵⁵5Alternatively, one can view our technique as deriving a simplified and approximate version of the Weingarten calculus from purely elementary arguments.

We demonstrate the power of this approach by giving an elementary proof of the “gluing lemma” recently proven by [schuster2024random]. This lemma states that if two Haar-random unitaries $U_{1}$ and $U_{2}$ overlap, with $U_{1}$ acting on systems $\mathsf{A},\mathsf{B}$ and $U_{2}$ on $\mathsf{B},\mathsf{C}$ (where $\mathsf{B}$ has a super-logarithmic number of qubits), then queries to $U_{2}\cdot U_{1}$ are indistinguishable from queries to a larger Haar-random unitary $U$ acting on $\mathsf{A},\mathsf{B},\mathsf{C}$ . Using this lemma (and our Theorem 1), [schuster2024random] constructed low-depth PRUs secure against forward queries. However, their proof of the gluing lemma is highly technical, relying on careful representation-theoretic analysis and tight bounds on Weingarten functions.

The path-recording oracle yields an elementary proof of the gluing lemma (see LABEL:part:app). The key insight is to replace the Haar-random unitaries with path-recording oracles. This reduces to showing that the composition of two independent path-recording oracles $V_{2}\cdot V_{1}$ , where $V_{1}$ acts on $(\mathsf{A},\mathsf{B},\mathsf{E}_{1})$ and $V_{2}$ acts on $(\mathsf{B},\mathsf{C},\mathsf{E}_{2})$ , approximates a single path-recording oracle $V$ acting on $(\mathsf{A},\mathsf{B},\mathsf{C},\mathsf{E})$ .

Given the central role of random unitaries in physics and quantum computing, we expect the path-recording framework to have broad applications in the future.

1.3 Acknowledgments

Special thanks to John Wright for many helpful suggestions and extensive discussions at every stage of this project, and to Ewin Tang for providing significant feedback on the manuscript. We also thank Thiago Bergamaschi, John Bostanci, Adam Bouland, Chi-Fang (Anthony) Chen, Lijie Chen, Tudor Giurgica-Tiron, Jeongwan Haah, Jonas Haferkamp, William Kretschmer, Alex Lombardi, Tony Metger, Thomas Schuster, Joseph Slote, Xinyu (Norah) Tan, Umesh Vazirani, Henry Yuen, and Mark Zhandry for valuable discussions and feedback.

Fermi Ma is supported by the U.S. Department of Energy, Office of Science, National Quantum Information Science Research Centers, Quantum Systems Accelerator. Hsin-Yuan Huang acknowledges the visiting position at Center for Theoretical Physics, MIT. This work was conducted while both authors were at the Simons Institute for the Theory of Computing, supported by DOE QSA grant FP00010905.

2 Preliminaries

This section establishes basic notation, definitions, and lemmas that we use throughout the paper.

Notation.

We write $N\coloneqq 2^{n}$ , where $n$ typically denotes the number of qubits. We write $[N]\coloneqq\{1,\ldots,N\}$ to denote the set of integers from $1$ to $N$ , and we will identify $[N]$ with $\{0,1\}^{n}$ by associating each integer $i\in[N]$ with the string $x\in\{0,1\}^{n}$ corresponding to the binary representation of $i-1$ . For any integer $1\leq t\leq N$ , let $[N]^{t}_{\operatorname{{dist}}}$ denote the set of length- $t$ sequences of distinct integers from $1$ to $N$ , i.e.,

[N]^{t}_{\operatorname{{dist}}}\coloneqq\{(x_{1},\dots,x_{t})\in[N]^{t}:x_{i}\neq x_{j}\ \text{for all}\ i\neq j\}.

(2.1)

For $t=0$ , we adopt the convention that $[N]^{t}_{\operatorname{{dist}}}\coloneqq\{()\}$ is a set with a single element $()$ denoting a length- $0$ sequence. For any permutation $\pi\in\mathsf{Sym}_{t}$ , let $S_{\pi}$ be a unitary that acts on $(\mathbb{C}^{N})^{t}$ as follows:

S_{\pi}:\ket*{x_{1},\dots,x_{t}}\mapsto\ket*{x_{\pi^{-1}(1)},\dots,x_{\pi^{-1}(t)}}.

(2.2)

Quantum registers.

We use capital sans-serif letters to label quantum registers. For a register $\mathsf{A}$ , the associated Hilbert space is denoted $\mathcal{H}_{\mathsf{A}}$ . When a quantum state is supported on multiple registers, such as $(\mathsf{A},\mathsf{B})$ , this means that $\ket*{\psi}\in\mathcal{H}_{\mathsf{A}}\otimes\mathcal{H}_{\mathsf{B}}$ . To clarify which systems a state is defined on, we sometimes include the register labels as subscripts in dark gray sans-serif font, e.g., $\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ . If a linear operator $U$ acts only on subsystem $\mathsf{A}$ , we may write this as $U_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ . Such an operator can be extended to a larger system by acting trivially on other registers; for example, $(U_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}})\cdot\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ . To reduce notational clutter, we often omit the “ $\otimes\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ ” and simply write $U_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ . Similarly, when summing operators that act on different registers, such as $U_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ and $V_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ , we write $U_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}+V_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ to mean $U_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}+V_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ .

Given a projector $\Pi$ acting on register $\mathsf{A}$ , we say that a state $\ket*{\psi}\in\mathcal{H}_{\mathsf{A}}$ is in the image of $\Pi$ if $\Pi\ket*{\psi}=\ket*{\psi}$ . For a state $\ket*{\psi}\in\mathcal{H}_{\mathsf{A}}\otimes\mathcal{H}_{\mathsf{B}}$ , we similarly say that $\ket*{\psi}$ is in the image of $\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ if $\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}=(\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}})\cdot\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}=\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ .

Given a state $\ket*{\psi}$ on systems $(\mathsf{A},\mathsf{B})$ , we denote the partial trace over system $\mathsf{B}$ as $\Tr_{\mathsf{B}}(\outerproduct{\psi}{\psi})$ . Occasionally, we will write this as $\Tr_{-\mathsf{A}}(\outerproduct{\psi}{\psi})$ , where the minus sign indicates tracing out all systems except $\mathsf{A}$ .

2.1 Relations and variable-length registers

Fix a choice of $N=2^{n}$ . A relation $R$ is defined as a multiset $R=\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}$ of ordered pairs $(x_{i},y_{i})\in[N]^{2}$ . This definition deviates slightly from the standard notion of a relation, which is typically an ordinary set of ordered pairs without repeated elements. The size of the relation refers to the number of ordered pairs in the relation, including multiplicities. We denote this by $\absolutevalue{R}$ , as the size corresponds to the cardinality of $R$ as a multiset.

Definition 1.

Let $\mathcal{R}$ denote the infinite set of all relations $R$ . For any $t\geq 0$ , let $\mathcal{R}_{t}$ denote the set of all size- $t$ relations.

Definition 2.

For a relation $R$ , we use $\operatorname{Dom}(R)$ to denote the set

\operatorname{Dom}(R)=\{x:x\in[N],\exists y\ \text{s.t.}(x,y)\in R\},

(2.3)

and $\imaginary(R)$ to denote the set

\imaginary(R)=\{y:y\in[N],\exists x\ \text{s.t.}(x,y)\in R\}.

(2.4)

Note that while $R$ may be a multi-set, $\operatorname{Dom}(R)$ and $\imaginary(R)$ are ordinary sets, i.e., they will not have repeated elements.

Each relation $R\in\mathcal{R}$ is associated with a relation state $\ket*{R}$ , defined as follows.

Notation 1 (Relation states).

For a relation $R=\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}$ , define the corresponding relation state $\ket*{R}$ to be the state

\displaystyle\ket*{R}\coloneqq\frac{\sum_{\pi\in\mathsf{Sym}_{t}}\ket*{x_{\pi(1)},y_{\pi(1)},\dots,x_{\pi(t)},y_{\pi(t)}}}{\sqrt{t!\cdot\sum_{(x,y)\in[N]^{2}}\mathsf{num}(R,(x,y))!}}.

(2.5)

where $\mathsf{num}(R,(x,y))$ denotes the number of times the tuple $(x,y)$ appears in $R$ .

An elementary counting argument yields the following result.

Fact 1.

For any relation $R\in\mathcal{R}$ , the state $\ket*{R}$ is a unit vector.

The relation states $\ket*{R}$ for $R\in\mathcal{R}_{t}$ can also be viewed as the standard basis for the symmetric subspace of $(\mathbb{C}^{N^{2}})^{\otimes t}$ . Note that this is only true because we allow for multi-set relations. Specifically, if $\Pi_{\mathsf{sym}}^{N^{2},t}$ denotes the projector onto the symmetric subspace of $(\mathbb{C}^{N^{2}})^{\otimes t}$ , we have the equality

\displaystyle\Pi_{\mathsf{sym}}^{N^{2},t}=\sum_{R\in\mathcal{R}_{t}}\outerproduct{R}{R}.

(2.6)

However, we will typically use the following notation to refer to this projector.

Notation 2.

For any integer $t\geq 0$ , we define

\displaystyle\Pi^{\mathcal{R}}_{t}\coloneq\sum_{R\in\mathcal{R}:\absolutevalue{R}=t}\outerproduct*{R}{R}=\Pi^{N^{2},t}_{\mathsf{sym}}.

(2.7)

Notation 3 (Restricted sets of relations).

Define the following restricted sets of relations:

•

Let $\mathcal{R}_{t}^{\mathsf{inj}}$ be the set of all injective relations, i.e., relations $R=\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}$ of size $t$ , where $(y_{1},\dots,y_{t})\in[N]^{t}_{\operatorname{{dist}}}$ . Let $\mathcal{R}^{\mathsf{inj}}\coloneqq\cup_{t=0}^{N}\mathcal{R}_{t}^{\mathsf{inj}}$ .
•

Let $\mathcal{R}_{t}^{\mathsf{bij}}$ be the set of all bijective relations, i.e., relations $R=\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}$ of size $t$ , where $(x_{1},\dots,x_{t})\in[N]^{t}_{\operatorname{{dist}}}$ and $(y_{1},\dots,y_{t})\in[N]^{t}_{\operatorname{{dist}}}$ . Let $\mathcal{R}^{\mathsf{bij}}\coloneqq\cup_{t=0}^{N}\mathcal{R}_{t}^{\mathsf{bij}}$ .

If the tuples in a relation $R=\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}$ are distinct, i.e., $(x_{i},y_{i})\neq(x_{j},y_{j})$ for $i\neq j$ , the normalization factor simplifies to $1/\sqrt{t!}$ , i.e.,

\displaystyle\ket*{R}=\frac{1}{\sqrt{t!}}\sum_{\pi\in\mathsf{Sym}_{t}}\ket*{x_{\pi(1)},y_{\pi(1)},\dots,x_{\pi(t)},y_{\pi(t)}}.

(2.8)

Note that any relation $R\in\mathcal{R}^{\mathsf{inj}}$ or $R\in\mathcal{R}^{\mathsf{bij}}$ satisfies this condition.

In both Parts I and II, we will consider linear maps that send superpositions of $\ket*{R}$ for $R\in\mathcal{R}_{t}$ to superpositions of $\ket*{R^{\prime}}$ for $R^{\prime}\in\mathcal{R}_{t+1}$ . This motivates the definition of variable-length registers.

2.1.1 Variable-length registers

For every integer $t\geq 0$ let $\mathsf{R}^{(t)}$ be a register associated with the Hilbert space $\mathcal{H}_{\mathsf{R}^{(t)}}\coloneqq(\mathbb{C}^{N}\otimes\mathbb{C}^{N})^{\otimes t}$ . Let $\mathsf{R}$ be a register corresponding to the infinite dimensional Hilbert space

\displaystyle\mathcal{H}_{\mathsf{R}}\coloneqq\bigoplus_{t=0}^{\infty}\mathcal{H}_{\mathsf{R}^{(t)}}=\bigoplus_{t=0}^{\infty}(\mathbb{C}^{N}\otimes\mathbb{C}^{N})^{\otimes t}.

(2.9)

When $t=0$ , the space $(\mathbb{C}^{N}\otimes\mathbb{C}^{N})^{\otimes 0}=\mathbb{C}$ is a one-dimensional Hilbert space. Thus, $\mathcal{H}_{\mathsf{R}^{(t)}}$ is spanned by the states $\ket*{x_{1},y_{1},\dots,x_{t},y_{t}}$ where $x_{i},y_{i}\in[N]$ . Note that the relation states $\ket*{R}$ for $R\in\mathcal{R}_{t}$ span the symmetric subspace of $\mathcal{H}_{\mathsf{R}^{(t)}}$ .

We will sometimes divide up the $\mathsf{R}^{(t)}$ register into $\mathsf{R}^{(t)}\coloneqq(\mathsf{R}^{(t)}_{\mathsf{X}},\mathsf{R}^{(t)}_{\mathsf{Y}})$ where $\mathsf{R}^{(t)}_{\mathsf{X}}$ refers to the registers containing $\ket*{x_{1},\dots,x_{t}}$ and $\mathsf{R}^{(t)}_{\mathsf{Y}}$ refers to the registers containing $\ket*{y_{1},\dots,y_{t}}$ . We denote $\mathsf{R}^{(t)}{\mathsf{X},i}$ as the register containing $\ket*{x_{i}}$ and $\mathsf{R}^{(t)}{\mathsf{Y},i}$ as the register containing $\ket*{y_{i}}$ . Following our convention for defining the length/size of a relation $R$ , we say that a state $\ket*{x_{1},y_{1},\dots,x_{t},y_{t}}$ has length/size $t$ . Two states of different lengths are orthogonal by definition, since $\mathcal{H}_{\mathsf{R}}$ is a direct sum $\bigoplus_{t=0}^{\infty}\mathcal{H}_{\mathsf{R}^{(t)}}$ .

Notation 4 (Extending fixed-length operators to variable-length).

For any operator $O$ defined on the fixed-size Hilbert space $\mathcal{H}_{\mathsf{R}^{(t)}}$ , we abuse notation by using $O$ to also refer to its extension on all of $\mathcal{H}_{\mathsf{R}}$ . The extended operator is the direct sum of $O$ and the $0$ operator on $\mathcal{H}_{\mathsf{R}^{(t^{\prime})}}$ for all $t^{\prime}\neq t$ .

Hence, if two operators $O_{1}$ and $O_{2}$ act on $\mathcal{H}_{\mathsf{R}^{(t)}}$ and $\mathcal{H}_{\mathsf{R}^{(t^{\prime})}}$ , respectively, then $O_{1}+O_{2}$ is the sum of their extensions over all of $\mathcal{H}_{\mathsf{R}}$ . We can now define the projector $\Pi^{\mathcal{R}}$ that projects onto the span of all relation states.

Notation 5.

We define the projector

\displaystyle\Pi^{\mathcal{R}}\coloneqq\sum_{t=0}^{\infty}\Pi^{\mathcal{R}}_{t}=\sum_{R\in\mathcal{R}}\outerproduct*{R}{R},

(2.10)

that projects onto the span of all relation states $\ket*{R}$ for all $R\in\mathcal{R}$ .

Finally, we introduce the notion of variable-length tensor powers, which will be useful to describe applying an operator to each $\ket*{x_{i},y_{i}}$ in a state $\ket*{x_{1},y_{1},\dots,x_{t},y_{t}}$ , in settings where $t$ is not explicitly known.

Notation 6 (Variable-length tensor powers).

For any unitary $U\in\mathcal{U}(N^{2})$ , let

\displaystyle U^{\otimes*}\coloneqq\sum_{t=0}^{\infty}U^{\otimes t}

(2.11)

be a unitary that acts on the Hilbert space $\mathcal{H}_{\mathsf{R}}$ .

2.1.2 Pairs of variable-length registers

In Part II, we will consider states of the form $\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ , where $\ket*{L}$ and $\ket*{R}$ are both relation states, and $\mathsf{L}$ is another variable-length register defined analogously to $\mathsf{R}$ . Throughout Part II, we will use the following definitions.

Notation 7 (Fixed-length projectors).

For any integers $\ell,r\geq 0$ , let $\Pi_{\ell,r}$ denote the projector acting on $\mathcal{H}_{\mathsf{L}}\otimes\mathcal{H}_{\mathsf{R}}$ that projects onto the fixed-length Hilbert space $\mathcal{H}_{\mathsf{L}^{(\ell)}}\otimes\mathcal{H}_{\mathsf{R}^{(r)}}$ .

Notation 8 (Maximum-length projectors).

For any integer $t\geq 0$ , let $\Pi_{\leq t}$ denote the projector acting on $\mathcal{H}_{\mathsf{L}}\otimes\mathcal{H}_{\mathsf{R}}$ onto the Hilbert space $\bigoplus_{\ell,r\geq 0:\ell+r\leq t}\mathcal{H}_{\mathsf{L}^{(\ell)}}\otimes\mathcal{H}_{\mathsf{R}^{(r)}}$ .

Notation 9 (Length-restricted operators).

For any operator $B$ that acts on the variable-length registers $\mathsf{R}$ and $\mathsf{R}$ , let $B_{\ell,r}\coloneqq B\cdot\Pi_{\ell,r}$ denote the restriction of $B$ to input states where registers $\mathsf{R}$ and $\mathsf{R}$ have lengths $\ell$ and $r$ . Let $B_{\leq t}\coloneqq B\cdot\Pi_{\leq t}$ denote the restriction of $B$ to inputs states where the combined length of $\mathsf{L}$ and $\mathsf{R}$ is at most $t$ .

Note that, with this notation, $(B{\leq t})^{\dagger}$ does not necessarily equal $(B^{\dagger})_{\leq t}$ . We adopt the convention that $B_{\leq t}^{\dagger}$ refers to $(B_{\leq t})^{\dagger}$ .

2.2 The Haar measure, unitary $t$ -designs, and twirling channels

Definition 3 (Haar measure).

The Haar measure over the $n$ -qubit unitary group $\mathcal{U}(2^{n})$ is the unique probability measure $\mu$ on $\mathcal{U}(2^{n})$ that is:

1.

Left-invariant: For any measurable set $S\subseteq\mathcal{U}(2^{n})$ and any $V\in\mathcal{U}(2^{n})$ , $\mu(VS)=\mu(S)$ .
2.

Right-invariant: For any measurable set $S\subseteq\mathcal{U}(2^{n})$ and any $V\in\mathcal{U}(2^{n})$ , $\mu(SV)=\mu(S)$ .
3.

Normalized: $\mu(\mathcal{U}(2^{n}))=1$ .

The Haar measure provides a notion of uniform distribution over the unitary group.

We will refer to the Haar measure as $\mu_{\mathsf{Haar}}$ .

Definition 4 (Unitary $t$ -design).

A distribution $\mathfrak{D}$ on $n$ -qubit unitaries is a unitary $t$ -design if

\operatorname*{{\mathbb{E}}}_{U\sim\mathfrak{D}}[U^{\otimes t}\otimes U^{\dagger,\otimes t}]=\int_{\mathcal{U}(2^{n})}U^{\otimes t}\otimes U^{\dagger,\otimes t}d\mu(U),

(2.12)

where $\mu$ is the Haar measure over the unitary group $\mathcal{U}(2^{n})$ .

Notation 10.

Define the equality projector

\Pi^{\mathsf{eq}}=\sum_{x\in[N]}\outerproduct*{x}{x}\otimes\outerproduct*{x}{x}.

(2.13)

In the following, when we write $\mathbb{E}_{\psi}$ and $\mathbb{E}_{U}$ without any specified distribution, we always refer to the uniform distribution over pure states and the Haar measure over unitary groups, respectively. We will use the following standard fact about Haar-random states and the symmetric subspace.

Fact 2.

The expectation over Haar measure satisfies

\displaystyle\operatorname*{{\mathbb{E}}}_{\psi\leftarrow\mathbb{C}^{N}}\outerproduct*{\psi}{\psi}^{\otimes 2}=\frac{\Pi_{\mathsf{sym}}^{N,2}}{\Tr(\Pi_{\mathsf{sym}}^{N,2})}=\frac{\Pi_{\mathsf{sym}}^{N,2}}{\binom{N+1}{2}},

(2.14)

where $\Pi_{\mathsf{sym}}^{N,k}$ is the projector onto the symmetric subspace of $(\mathbb{C}^{N})^{\otimes k}$ .

We will use the following elementary claim about unitary $2$ -designs in Parts I and II.

Claim 1 (Standard twirling).

For any $n$ -qubit unitary $2$ -design $\mathfrak{D}$ ,

\displaystyle\operatorname*{{\mathbb{E}}}_{U\leftarrow\mathfrak{D}}\Big{[}(U\otimes U)^{\dagger}\cdot\Pi^{\mathsf{eq}}\cdot(U\otimes U)\Big{]}=\frac{2}{N+1}\cdot\Pi_{\mathsf{sym}}^{N,2}.

(2.15)

Proof.

$\displaystyle\operatorname*{{\mathbb{E}}}_{U\leftarrow\mathfrak{D}}\Big{[}(U^{\dagger}\otimes U^{\dagger})\cdot\Pi^{\mathsf{eq}}\cdot(U\otimes U)\Big{]}$	$\displaystyle=\operatorname{{\mathbb{E}}}_{U\leftarrow\mathfrak{D}}\sum_{x\in[N]}U^{\dagger}\outerproduct{x}{x}U\otimes U^{\dagger}\outerproduct*{x}{x}U$	(definition of $\Pi^{\mathsf{eq}}$ )
	$\displaystyle=\operatorname{{\mathbb{E}}}_{U}\sum_{x\in[N]}U^{\dagger}\outerproduct{x}{x}U\otimes U^{\dagger}\outerproduct*{x}{x}U$	( $\mathfrak{D}$ is a $2$ -design)
	$\displaystyle=N\cdot\operatorname{{\mathbb{E}}}_{\psi}\outerproduct{\psi}{\psi}\otimes\outerproduct*{\psi}{\psi}$	( $U^{\dagger}\ket*{x}$ is a Haar-random state)
	$\displaystyle=\frac{2}{N+1}\cdot\Pi_{\mathsf{sym}}^{N,2}.$	(2)

∎

From the above claim, we immediately obtain the following lemma, which was also also used by [metger2024simple] to construct non-adaptive PRUs.

Lemma 2.1 (Twirling into the distinct subspace).

Given two integers $n,t>0$ . Define the distinct subspace projector acting on $nt$ qubits as follows,

\Pi^{\operatorname{{dist}}}\coloneq\sum_{(x_{1},\ldots,x_{t})\in[N]_{\operatorname{{dist}}}^{t}}\outerproduct*{x_{1}}{x_{1}}\otimes\ldots\otimes\outerproduct*{x_{t}}{x_{t}}.

(2.16)

For any $n$ -qubit unitary $2$ -design $\mathfrak{D}$ and any state $\rho$ on at least $nt$ qubits, we have

\Tr(\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}(\Pi^{\operatorname{{dist}}}\otimes\mathsf{Id})\cdot(C^{\otimes t}\otimes\mathsf{Id})\cdot\rho\cdot(C^{\dagger,\otimes t}\otimes\mathsf{Id})\cdot(\Pi^{\operatorname{{dist}}}\otimes\mathsf{Id}))\geq 1-\frac{t(t-1)}{N+1}.

(2.17)

Proof.

From the definition of the distinct subspace projector, we have

\mathsf{Id}-\Pi^{\operatorname{{dist}}}=\sum_{(x_{1},\ldots,x_{t})\in[N]^{t}\setminus[N]_{\operatorname{{dist}}}^{t}}\outerproduct*{x_{1},\ldots,x_{t}}{x_{1},\ldots,x_{t}}.

(2.18)

Because for any $(x_{1},\ldots,x_{t})\in[N]^{t}\setminus[N]_{\operatorname{{dist}}}^{t}$ , there exists $i\neq j$ , such that $x_{i}=x_{j}$ , we have

\sum_{(x_{1},\ldots,x_{t})\in[N]^{t}\setminus[N]_{\operatorname{{dist}}}^{t}}\outerproduct*{x_{1},\ldots,x_{t}}{x_{1},\ldots,x_{t}}\preceq\sum_{1\leq i<j\leq t}\Pi^{\mathsf{eq}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{i}},{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{j}}},

(2.19)

where $\preceq$ here denotes the PSD order and $\Pi^{\mathsf{eq}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{i}},{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{j}}}$ is the equality projector in Eq. (2.13) on the $i$ -th and $j$ -th $n$ -qubit register $\mathsf{X}_{i},\mathsf{X}_{j}$ . This implies the following:

		$\displaystyle 1-\Tr(\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}(\Pi^{\operatorname{{dist}}}\otimes\mathsf{Id})\cdot(C^{\otimes t}\otimes\mathsf{Id})\cdot\rho\cdot(C^{\dagger,\otimes t}\otimes\mathsf{Id})\cdot(\Pi^{\operatorname{{dist}}}\otimes\mathsf{Id}))$		(2.20)
		$\displaystyle=1-\Tr(\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}(\Pi^{\operatorname{{dist}}}\otimes\mathsf{Id})\cdot(C^{\otimes t}\otimes\mathsf{Id})\cdot\rho\cdot(C^{\dagger,\otimes t}\otimes\mathsf{Id}))$		(2.21)
		$\displaystyle=\Tr(\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\left(\sum_{(x_{1},\ldots,x_{t})\in[N]^{t}\setminus[N]_{\operatorname{{dist}}}^{t}}\outerproduct{x_{1},\ldots,x_{t}}{x_{1},\ldots,x_{t}}\otimes\mathsf{Id}\right)\cdot(C^{\otimes t}\otimes\mathsf{Id})\cdot\rho\cdot(C^{\dagger,\otimes t}\otimes\mathsf{Id}))$		(2.22)
		$\displaystyle\leq\sum_{1\leq i<j\leq t}\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\Tr((\Pi^{\mathsf{eq}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{i}},{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{j}}}\otimes\mathsf{Id})\cdot(C^{\otimes t}\otimes\mathsf{Id})\cdot\rho\cdot(C^{\dagger,\otimes t}\otimes\mathsf{Id}))$		(2.23)
		$\displaystyle=\sum_{1\leq i<j\leq t}\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\Tr(\Pi^{\mathsf{eq}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{i}},{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{j}}}\cdot C^{\otimes 2}\cdot\rho_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{i}},{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{j}}}\cdot C^{\dagger,\otimes 2})$		(where $\rho_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{i}},{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{j}}}\coloneq\Tr_{-\mathsf{X}_{i},\mathsf{X}_{j}}(\rho)$ )
		$\displaystyle=\sum_{1\leq i<j\leq t}\frac{2}{N+1}\Tr(\Pi_{\mathsf{sym}}^{N,2}\cdot\rho_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{i}},{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{X}_{j}}})\leq\sum_{1\leq i<j\leq t}\frac{2}{N+1}=\frac{t(t-1)}{N}.$		(2.24)

This completes the proof. ∎

The following claim will only be used in Part II.

Notation 11.

Let

\displaystyle\ket*{\mathsf{EPR}_{N}}\coloneqq\frac{1}{\sqrt{N}}\sum_{x\in[N]}\ket*{x}\ket*{x}.

(2.25)

Claim 2 (Mixed twirling).

For any $n$ -qubit unitary $2$ -design $\mathfrak{D}$ ,

\displaystyle\operatorname*{{\mathbb{E}}}_{U\leftarrow\mathfrak{D}}\Big{[}(U\otimes\overline{U})^{\dagger}\cdot\Pi^{\mathsf{eq}}\cdot(U\otimes\overline{U})\Big{]}=\outerproduct*{\mathsf{EPR}_{N}}{\mathsf{EPR}_{N}}+\frac{1}{N+1}(\mathsf{Id}-\outerproduct*{\mathsf{EPR}_{N}}{\mathsf{EPR}_{N}}).

(2.26)

Proof.

Label the registers that $U$ and $\overline{U}$ act on as $A$ and $B$ respectively. For any operator $X$ acting on $A,B$ , define the partial transpose as

\displaystyle X^{T_{B}}=\Big{(}\sum_{i,j,k,\ell}X_{ijkl}\outerproduct*{i}{j}_{A}\otimes\outerproduct*{k}{\ell}_{B}\Big{)}^{T_{B}}=\sum_{i,j,k,\ell}X_{ijkl}\outerproduct*{i}{j}_{A}\otimes\outerproduct*{\ell}{k}_{B}.

(2.27)

We will use the identity

\displaystyle(U\otimes\overline{U})^{\dagger}\cdot X\cdot(U\otimes\overline{U})=\Big{(}(U\otimes U)^{\dagger}\cdot X^{T_{B}}\cdot(U\otimes U)\Big{)}^{T_{B}}.

(2.28)

Since $(\Pi^{\mathsf{eq}})^{T_{B}}=\Pi^{\mathsf{eq}}$ ,

	$\displaystyle\operatorname*{{\mathbb{E}}}_{U\leftarrow\mathfrak{D}}(U\otimes\overline{U})^{\dagger}\cdot\Pi^{\mathsf{eq}}\cdot(U\otimes\overline{U})$		(2.29)
	$\displaystyle=\Big{(}\operatorname*{{\mathbb{E}}}_{U\leftarrow\mathfrak{D}}(U\otimes U)^{\dagger}\cdot\Pi^{\mathsf{eq}}\cdot(U\otimes U)\Big{)}^{T_{B}}$		(2.30)
	$\displaystyle=\Big{(}\frac{2}{N+1}\cdot\Pi^{N,2}_{\mathsf{sym}}\Big{)}^{T_{B}}$		(by Claim 1)
	$\displaystyle=\frac{2}{N+1}\cdot\Bigg{(}\sum_{x\in[N]}\outerproduct{xx}{xx}+\sum_{x,y\in[N],x<y}\Big{(}\frac{\ket{xy}+\ket{yx}}{\sqrt{2}}\Big{)}\Big{(}\frac{\bra{xy}+\bra*{yx}}{\sqrt{2}}\Big{)}\Bigg{)}^{T_{B}}$		(2.31)
	$\displaystyle=\frac{2}{N+1}\cdot\Bigg{(}\sum_{x\in[N]}\outerproduct{xx}{xx}+\frac{1}{2}\sum_{x,y\in[N],x<y}\Big{(}\outerproduct{xy}{xy}+\outerproduct{xy}{yx}+\outerproduct{yx}{xy}+\outerproduct*{yx}{yx}\Big{)}\Bigg{)}^{T_{B}}$		(2.32)
	$\displaystyle=\frac{2}{N+1}\cdot\Bigg{(}\sum_{x\in[N]}\outerproduct{xx}{xx}+\frac{1}{2}\sum_{x,y\in[N],x<y}\Big{(}\outerproduct{xy}{xy}+\outerproduct{xx}{yy}+\outerproduct{yy}{xx}+\outerproduct*{yx}{yx}\Big{)}\Bigg{)}$		(2.33)
	$\displaystyle=\frac{2}{N+1}\cdot\Bigg{(}\frac{1}{2}\sum_{x,y\in[N]}\outerproduct{xx}{yy}+\frac{1}{2}\sum_{x,y\in[N]}\outerproduct{xy}{xy}\Bigg{)}$		(2.34)
	$\displaystyle=\frac{1}{N+1}\cdot\mathsf{Id}+\frac{N}{N+1}\outerproduct*{\mathsf{EPR}_{N}}{\mathsf{EPR}_{N}}$		(2.35)
	$\displaystyle=\outerproduct{\mathsf{EPR}_{N}}{\mathsf{EPR}_{N}}+\frac{1}{N+1}(\mathsf{Id}-\outerproduct{\mathsf{EPR}_{N}}{\mathsf{EPR}_{N}}).$		(2.36)

This completes the proof. ∎

2.3 Oracle adversaries

We first define oracle adversaries that make only forward queries to an $n$ -qubit unitary oracle $\mathcal{O}$ . This definition will be used exclusively in Part I.

Definition 5 (Oracle adversaries with forward queries, used in Part I).

A $t$ -query oracle adversary $\mathcal{A}$ that makes only forward queries is parameterized by a sequence of $(n+m)$ -qubit unitaries $(A_{1},\dots,A_{t})$ , which act on registers $(\mathsf{A},\mathsf{B})$ , where $\mathsf{A}$ is the $n$ -qubit query register and $\mathsf{B}$ is an $m$ -qubit ancilla. We assume without loss of generality that the adversary’s initial state is $\ket*{0^{n+m}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ . The state of the algorithm after $t$ queries to $\mathcal{O}$ is

\displaystyle\ket*{\mathcal{A}_{t}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\coloneqq\prod_{i=1}^{t}\Big{(}\mathcal{O}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0^{n+m}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}.

(2.37)

We also define an oracle adversary that can make both forward and inverse queries to an $n$ -qubit unitary oracle $\mathcal{O}$ . This definition will be used exclusively in Part II.

Definition 6 (Oracle adversaries with forward and inverse queries, used in Part II).

A $t$ -query oracle adversary $\mathcal{A}$ that makes both forward and inverse queries is parameterized by

•

a sequence of $(n+m)$ -qubit unitaries $(A_{1},\dots,A_{t})$ , which act on registers $(\mathsf{A},\mathsf{B})$ , where $\mathsf{A}$ is the $n$ -qubit query register and $\mathsf{B}$ is an $m$ -qubit ancilla, and
•

a sequence of bits $(b_{1},\dots,b_{t})$ where $b_{i}=0$ means that the adversary’s $i$ th oracle query is to $\mathcal{O}$ , and $b_{i}=1$ means that query is to $\mathcal{O}^{\dagger}$ .

We assume without loss of generality that the adversary’s initial state is $\ket*{0^{n+m}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ . The state of the algorithm after $t$ queries to $\mathcal{O}$ is

\displaystyle\ket*{\mathcal{A}_{t}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\coloneqq\prod_{i=1}^{t}\Bigg{(}\Big{(}(1-b_{i})\cdot\mathcal{O}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}+b_{i}\cdot\mathcal{O}^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\Big{)}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Bigg{)}\ket*{0^{n+m}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}.

(2.38)

2.4 Pseudorandom unitaries

Definition 7 (pseudorandom unitaries).

We say $\{\mathcal{U}_{n}\}_{n\in\mathbb{N}}$ is a secure PRU if, for all $n\in\mathbb{N}$ , $\mathcal{U}_{n}=\{U_{k}\}_{k\in\mathcal{K}_{n}}$ is a set of $n$ -qubit unitaries where $\mathcal{K}_{n}$ denotes the keyspace, satisfying the following:

•

Efficient computation: There exists a $\mathrm{poly}(n)$ -time quantum algorithm that implements the $n$ -qubit unitary $U_{k}$ for all $k\in\mathcal{K}_{n}$ .

•

Indistinguishability from Haar: For any oracle adversary $\mathcal{A}$ that runs in time $\operatorname{poly}(n)$ (the runtime is the total number of gates that $\mathcal{A}$ uses, counting oracle gates as $1$ ), and measures a two-outcome observable $D_{\mathcal{A}}$ with eigenvalues $\{0,1\}$ after the queries, we have

\left|\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mathcal{U}_{n}}\Tr\left(\,D_{\mathcal{A}}\cdot\outerproduct*{\mathcal{A}^{\mathcal{O}}}{\mathcal{A}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right)-\operatorname*{{\mathbb{E}}}_{\mathcal{O}\sim\mathsf{Haar}}\Tr\left(\,D_{\mathcal{A}}\cdot\outerproduct*{\mathcal{A}^{\mathcal{O}}}{\mathcal{A}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right)\right|\leq\mathsf{negl}(n),

(2.39)

where $\mathsf{negl}(n)$ is any function that is $o(1/n^{c})$ for all $c>0$ .

A standard PRU (i.e., the original [ji2018pseudorandom] notion) is one where indistinguishability holds against oracle adversaries that only make forward queries to $\mathcal{O}$ . A strong PRU is one where indistinguishability holds against oracle adversaries that make both forward and inverse queries to $\mathcal{O}$ .

2.5 Useful lemmas

The following lemma will be used in Part I to bound the distance between a pair of mixed states who purifications are related by a projection that acts only on the purifying register.

Lemma 2.2.

Let $\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ be a density matrix on registers $\mathsf{C},\mathsf{D}$ and let $\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ be a projector that acts on register $\mathsf{D}$ . Then

\displaystyle\norm{\Tr_{\mathsf{D}}(\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})-\Tr_{\mathsf{D}}(\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})}_{1}=1-\Tr(\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}).

(2.40)

Proof.

We can decompose $\Tr_{\mathsf{D}}(\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})$ as follows:

	$\displaystyle\Tr_{\mathsf{D}}(\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})$	$\displaystyle=\Tr_{\mathsf{D}}(\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})+\Tr_{\mathsf{D}}(\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot(\mathsf{Id}-\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}))$		(2.41)
		$\displaystyle=\Tr_{\mathsf{D}}(\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})+\Tr_{\mathsf{D}}((\mathsf{Id}-\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot(\mathsf{Id}-\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}))$		(2.42)

where the second equality uses the fact that $\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}=\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}}\otimes\Pi^{\prime}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ , which allows us to invoke the cyclic property of $\Tr_{\mathsf{D}}$ . Using Eq. 2.42, we have

	$\displaystyle\norm{\Tr_{\mathsf{D}}(\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})-\Tr_{\mathsf{D}}(\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})}_{1}$		(2.43)
	$\displaystyle=\norm{\Tr_{\mathsf{D}}((\mathsf{Id}-\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot(\mathsf{Id}-\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}))}_{1}$		(2.44)
	$\displaystyle=\Tr((\mathsf{Id}-\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot(\mathsf{Id}-\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}))$		(since $\norm{M}_{1}=\Tr(M)$ for PSD $M$ )
	$\displaystyle=\Tr((\mathsf{Id}-\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}})$		(2.45)
	$\displaystyle=1-\Tr(\Pi_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\rho_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}).$		(2.46)

∎

We will use the following “sequential” gentle measurement lemma in Part II.

Lemma 2.3 (sequential gentle measurement).

Let $\ket*{\psi}$ be a normalized state, $P_{1},\dots,P_{t}$ be projectors, and $U_{1},\dots,U_{t}$ be unitaries.

\displaystyle\norm{U_{t}\ldots U_{1}\ket*{\psi}-P_{t}U_{t}\ldots P_{1}U_{1}\ket*{\psi}}_{2}\leq t\sqrt{1-\norm{P_{t}U_{t}\ldots P_{1}U_{1}\ket*{\psi}}_{2}^{2}}.

(2.47)

To prove this, we will need the following version of the standard gentle measurement lemma.

Lemma 2.4 (gentle measurement).

For any projector $\Pi$ and sub-normalized state $\ket*{\psi}$ satisfying $\innerproduct{\psi}{\psi}\leq 1$ , we have

\norm{(\mathsf{Id}-\Pi)\ket*{\psi}}_{2}\leq\sqrt{1-\norm{\Pi\ket*{\psi}}_{2}^{2}}.

(2.48)

Proof of Lemma 2.4.

By direct expansion, we have

\displaystyle\norm{\ket*{\psi}-\Pi\ket*{\psi}}_{2}^{2}=\bra*{\psi}(\mathsf{Id}-\Pi)\ket*{\psi}=\innerproduct{\psi}{\psi}-\bra*{\psi}\Pi\ket*{\psi}\leq 1-\norm{\Pi\ket*{\psi}}^{2}_{2}.

(2.49)

∎

Proof of Lemma 2.3.

We prove this lemma by induction. For $t=0$ , we have $\norm{\ket*{\psi}-\ket*{\psi}}_{2}=0=1-\norm{\ket*{\psi}}_{2}^{2}$ . So the base case holds. Suppose the inductive hypothesis holds for $t-1$ , i.e.,

$\displaystyle\norm{U_{t-1}\ldots U_{1}\ket{\psi}-P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket{\psi}}_{2}$	$\displaystyle\leq(t-1)\sqrt{1-\norm{P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket*{\psi}}_{2}^{2}}$	(2.50)
	$\displaystyle=(t-1)\sqrt{1-\norm{U_{t}P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket*{\psi}}_{2}^{2}}$	(2.51)
	$\displaystyle\leq(t-1)\sqrt{1-\norm{P_{t}U_{t}P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket*{\psi}}_{2}^{2}}.$	(2.52)

The second line uses the unitary invariance of $\norm{\cdot}_{2}$ . The third line uses the fact that $P_{t}$ is a projector and hence cannot increase the norm. We can use the unitary invariance of $\norm{\cdot}_{2}$ to obtain

\norm{U_{t-1}\ldots U_{1}\ket*{\psi}-P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket*{\psi}}_{2}=\norm{U_{t}\ldots U_{1}\ket*{\psi}-U_{t}P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket*{\psi}}_{2}.

(2.53)

Next we use Lemma 2.4 to obtain

\norm{(\mathsf{Id}-P_{t})U_{t}P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket*{\psi}}_{2}\leq\sqrt{1-\norm{P_{t}U_{t}\ldots P_{1}U_{1}\ket*{\psi}}_{2}^{2}}.

(2.54)

Together, we have

	$\displaystyle\norm{U_{t}\ldots U_{1}\ket{\psi}-P_{t}U_{t}\ldots P_{1}U_{1}\ket{\psi}}_{2}$		(2.55)
	$\displaystyle\leq\norm{U_{t-1}\ldots U_{1}\ket{\psi}-P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket{\psi}}_{2}+\norm{(\mathsf{Id}-P_{t})U_{t}P_{t-1}U_{t-1}\ldots P_{1}U_{1}\ket*{\psi}}_{2}$		(2.56)
	$\displaystyle\leq(t-1)\sqrt{1-\norm{P_{t}U_{t}\ldots P_{1}U_{1}\ket{\psi}}_{2}^{2}}+\sqrt{1-\norm{P_{t}U_{t}\ldots P_{1}U_{1}\ket{\psi}}_{2}^{2}}.$		(2.57)

This concludes the proof. ∎

Part I Standard PRUs

The goal of Part I is to construct standard PRUs (i.e., the definition of [ji2018pseudorandom]), which are secure against adversaries that only make forward queries to the unitary oracle.

3 The purified permutation-function oracle

In this section, we analyze the view of an adversary that makes forward queries to an oracle for $P_{\pi}\cdot F_{f}$ , for uniformly random $\pi\leftarrow\mathsf{Sym}_{N}$ and $f\leftarrow\{0,1\}^{N}$ . These operators are defined as

\displaystyle P_{\pi}\coloneqq\sum_{x\in[N]}\outerproduct{\pi(x)}{x}\quad\text{and}\quad F_{f}\coloneqq\sum_{x\in[N]}(-1)^{f(x)}\outerproduct{x}{x}.

(3.1)

Our first step will be to consider a purification of the adversary’s state where the randomness of $\pi$ and $f$ is replaced by the uniform superposition

\displaystyle\frac{1}{\sqrt{N!}}\sum_{\pi\in\mathsf{Sym}_{N}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}},

(3.2)

and each query is implemented by the purified permutation-function oracle $\mathsf{pfO}$ , which applies $P_{\pi}\cdot F_{f}$ controlled on $\ket*{\pi}\ket*{f}$ .

Definition 8 (purified permutation-function oracle).

The purified permutation-function oracle $\mathsf{pfO}$ is a unitary acting on registers $\mathsf{A},\mathsf{P},\mathsf{F}$ , where

•

$\mathsf{P}$ is a register associated with the Hilbert space $\mathcal{H}_{\mathsf{P}}$ , defined to be the span of the orthonormal states $\ket*{\pi}$ for all $\pi\in\mathsf{Sym}_{N}$ .
•

$\mathsf{F}$ is a register associated with the Hilbert space $\mathcal{H}_{\mathsf{F}}$ , defined to be the span of the orthonormal states $\ket*{f}$ for all $f\in\{0,1\}^{N}$ .

The unitary $\mathsf{pfO}$ is defined to act as follows:

\mathsf{pfO}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\coloneqq(-1)^{f(x)}\ket*{\pi(x)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}},

(3.3)

for all $x\in[N],\pi\in\mathsf{Sym}_{N},$ and $f\in\{0,1\}^{N}$ .

When $\mathsf{P}$ and $\mathsf{F}$ are initialized to the uniform superposition over permutations and functions respectively, the view of an adversary that queries the $\mathsf{pfO}$ is equivalent to the view of an adversary that queries the standard oracle $P_{\pi}\cdot F_{f}$ , for uniformly random $\pi\leftarrow\mathsf{Sym}_{N}$ and $f\leftarrow\{0,1\}^{N}$ .

Claim 3 (Equivalence of the purified and standard oracles).

For any oracle adversary $\mathcal{A}$ , the following oracle instantiations are perfectly indistinguishable:

•

(Queries to a random $P_{\pi}\cdot F_{f}$ ) Sample a uniformly random $\pi\leftarrow\mathsf{Sym}_{N},f\leftarrow\{0,1\}^{N}$ . On each query, apply $P_{\pi}\cdot F_{f}$ to register $\mathsf{A}$ .
•

(Queries to $\mathsf{pfO}$ ) Initialize registers $\mathsf{P},\mathsf{F}$ to $\frac{1}{\sqrt{N!}}\sum_{\pi\in\mathsf{Sym}_{N}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ . At each query, apply $\mathsf{pfO}$ to registers $\mathsf{A},\mathsf{P},\mathsf{F}$ .

Proof.

Since the adversary’s view does not contain the $\mathsf{P},\mathsf{F}$ registers, the adversary’s view in the second case is unchanged if the $\mathsf{P},\mathsf{F}$ registers are measured at the end. Since $\mathsf{pfO}$ is controlled on the $\mathsf{P},\mathsf{F}$ registers, the queries to $\mathsf{pfO}$ commute with the measurement of the $\mathsf{P},\mathsf{F}$ registers. Hence, measuring the $\mathsf{P},\mathsf{F}$ registers at the end produces the same view as measuring at the beginning, which is equivalent to the first case. ∎

The key to understanding the oracle $\mathsf{pfO}$ is to consider how it acts on the following “ $\mathsf{pf}$ -relation states”, defined below.

Definition 9 ( $\mathsf{pf}$ -relation state).

For $0\leq t\leq N$ and $R=\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}\in\mathcal{R}_{t}$ , let

\displaystyle\ket*{\mathsf{pf}_{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\coloneqq\frac{1}{\sqrt{(N-t)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,R}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}(-1)^{f(x_{1})+\cdots+f(x_{t})}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}},

(3.4)

where $\delta_{\pi,R}$ is an indicator variable that equals $1$ if $\pi(x)=y$ for all $(x,y)\in R$ , and is $0$ otherwise.

Note that for $t=0$ and $R=\varnothing$ , the $\mathsf{pf}$ -relation state $\ket*{\mathsf{pf}_{\varnothing}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ is the uniform superposition over all permutations $\pi\in\mathsf{Sym}_{N}$ and all functions $f\in\{0,1\}^{N}$ ,

\displaystyle\ket*{\mathsf{pf}_{\varnothing}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\coloneqq\frac{1}{\sqrt{N!}}\sum_{\pi\in\mathsf{Sym}_{N}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(3.5)

3.1 Orthonormality of the $\mathsf{pf}$ -relation states

Claim 4 (Orthonormality of the distinct sets of $\mathsf{pf}$ -relation states).

$\{\ket*{\mathsf{pf}_{R}}\}_{R\in\mathcal{R}^{\mathsf{bij}}}$ forms a set of orthonormal vectors.

Proof of Claim 4.

We first recall the definition of $\ket*{\mathsf{pf}_{R}}$ :

\displaystyle\ket*{\mathsf{pf}_{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\frac{1}{\sqrt{(N-t)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,R}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}(-1)^{f(x_{1})+\cdots+f(x_{t})}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(3.6)

For $x\in[N]$ , let $e_{x}\in\{0,1\}^{N}$ denote the $N$ -dimensional vector that has a $1$ in the $x$ -th position, and is $0$ everywhere else. Then by writing $f(x)$ as $f(x)=f\cdot e_{x}$ , we get

	$\displaystyle\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}(-1)^{f(x_{1})+\cdots+f(x_{t})}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$	$\displaystyle=\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}(-1)^{f\cdot(e_{x_{1}}+\cdots+e_{x_{t}})}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$		(3.7)
		$\displaystyle=H^{\otimes N}\ket*{e_{x_{1}}+\cdots+e_{x_{t}}\ (\mathrm{mod}\ 2)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.$		(3.8)

When $x_{1},\dots,x_{t}$ are distinct, $e_{x_{1}}+\cdots+e_{x_{t}}(\mod 2)$ is a vector in $\{0,1\}^{N}$ whose $x$ -th entry is $1$ if $x\in\{x_{1},\dots,x_{t}\}$ , and $0$ otherwise. Since this is simply the indicator vector for the set $\{x_{1},\dots,x_{t}\}$ , there exists an isometry that maps

\displaystyle\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}(-1)^{f(x_{1})+\cdots+f(x_{t})}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\mapsto\ket*{\{x_{1},\dots,x_{t}\}}.

(3.9)

Applying this to the $\mathsf{F}$ register of $\ket*{\mathsf{pf}_{R}}$ , this tells us there is an isometry $M$ such that for all $R\in\mathcal{R}^{\mathsf{bij}}$ ,

\displaystyle M:\ket*{\mathsf{pf}_{R}}\mapsto\frac{1}{\sqrt{(N-t)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,R}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\ket*{\{x_{1},\dots,x_{t}\}}.

(3.10)

Consider $R,S\in\mathcal{R}^{\mathsf{bij}}$ , where $R=\{(x_{1},y_{1}),\dots,(x_{\absolutevalue{R}},y_{\absolutevalue{R}})\}$ and $S=\{(x^{\prime}_{1},y^{\prime}_{1}),\dots,(x^{\prime}_{\absolutevalue{S}},y^{\prime}_{\absolutevalue{S}})\}$ .

	$\displaystyle\innerproduct{\mathsf{pf}_{R}}{\mathsf{pf}_{S}}$	$\displaystyle=\bra{\mathsf{pf}_{R}}M^{\dagger}\cdot M\ket{\mathsf{pf}_{S}}$		(3.11)
		$\displaystyle=\frac{1}{\sqrt{(N-\absolutevalue{R})!(N-\absolutevalue{S})!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,R}\cdot\delta_{\pi,S}\innerproduct*{\{x_{1},\dots,x_{\absolutevalue{R}}\}}{\{x^{\prime}_{1},\dots,x^{\prime}_{\absolutevalue{S}}\}}.$		(3.12)

This expression is equal to zero if $\operatorname{Dom}(R)\neq\operatorname{Dom}(S)$ due to the $\innerproduct*{\{x_{1},\dots,x_{\absolutevalue{R}}\}}{\{x^{\prime}_{1},\dots,x^{\prime}_{\absolutevalue{S}}\}}$ term. Thus, it remains to consider $R,S$ such that $\operatorname{Dom}(R)=\operatorname{Dom}(S)$ . This means that $\absolutevalue{R}=\absolutevalue{S}$ and thus Eq. 3.12 simplifies to

\displaystyle\frac{1}{(N-\absolutevalue{R})!}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,R}\cdot\delta_{\pi,S}.

(3.13)

There are two cases to consider:

•

In the first case, $R\neq S$ . Then there exists $x,y,y^{\prime}$ such that $(x,y)\in R$ , $(x,y^{\prime})\in S$ , and $y\neq y^{\prime}$ . But then the above expression will be $0$ , since there are no permutations $\pi$ satisfying both $\pi(x)=y$ and $\pi(x)=y^{\prime}$ .
•

In the other case, $R=S$ . Then the sum is over all permutations $P$ such that $\pi(x)=y$ for all $(x,y)\in R$ . There are $(N-\absolutevalue{R})!$ such permutations, and so in this case the sum becomes $1$ .

This completes the proof. ∎

3.2 How $\mathsf{pfO}$ acts on the $\mathsf{pf}$ -relation states

Claim 5 (Action of $\mathsf{pfO}$ on $\mathsf{pf}$ -relation states).

For $0\leq t<N$ , $R\in\mathcal{R}_{t}$ and $x\in[N]$ ,

\displaystyle\mathsf{pfO}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\mathsf{pf}_{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\frac{1}{\sqrt{N-\absolutevalue{R}}}\sum_{y\in[N]}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\mathsf{pf}_{R\cup\{(x,y)\}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(3.14)

Proof of Claim 5.

From the definitions of $\mathsf{pfO}$ and $\ket*{\mathsf{pf}_{R}}$ (Eq. 3.3 and Eq. 3.4), we have

	$\displaystyle\mathsf{pfO}\ket{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\mathsf{pf}_{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$
	$\displaystyle=\sum_{\pi\in\mathsf{Sym}_{N}}(-1)^{f(x)}\ket{\pi(x)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\frac{1}{\sqrt{(N-t)!}}\delta_{\pi,R}\ket{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}(-1)^{f(x_{1})+\cdots+f(x_{t})}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.$		(3.15)

We now rewrite the right-hand side of Eq. 3.15 using the substitution $\ket*{\pi(x)}=\sum_{y\in[N]}\delta_{\pi(x)=y}\ket*{y}$ . This gives

	$\displaystyle(\ref{eq:plug-in-pfo})$	$\displaystyle=\sum_{\pi\in\mathsf{Sym}_{N}}(-1)^{f(x)}\sum_{y\in[N]}\delta_{\pi,\{(x,y)\}}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\frac{1}{\sqrt{(N-t)!}}\delta_{\pi,R}\ket{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}$
		$\displaystyle\quad\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}(-1)^{f(x_{1})+\cdots+f(x_{t})}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.$		(3.16)

Since $\delta_{\pi,R}\cdot\delta_{\pi,\{(x,y)\}}=\delta_{\pi,R\cup\{(x,y)\}}$ , we can rearrange the expression to get

$\displaystyle(\ref{eq:plug-in-pfo-2})$	$\displaystyle=\frac{1}{\sqrt{N-t}}\sum_{y\in[N]}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\frac{1}{\sqrt{(N-t-1)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,R\cup\{(x,y)\}}\ket{\pi}$
	$\displaystyle\quad\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}(-1)^{f(x_{1})+\cdots+f(x_{t})+f(x)}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$	(3.17)
	$\displaystyle=\frac{1}{\sqrt{N-t}}\sum_{y\in[N]}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\mathsf{pf}_{R\cup\{(x,y)\}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}},$	(3.18)

which completes the proof. ∎

4 The path-recording oracle $V$

In this section, we define the path-recording oracle. The path-recording oracle $V$ acts on an $n$ -qubit query register $\mathsf{A}$ held by the adversary, as well as a variable-length relation $\mathsf{R}$ containing a relation state $\ket*{R}$ (see Section 2.1). In section Section 4.3, we connect the path-recording oracle $V$ to the $\mathsf{pfO}$ oracle. In LABEL:subsec:imp-forward-q, we sketch how to implement $V$ efficiently.

4.1 Defining $V$

Definition 10 (Path-recording oracle).

The path-recording oracle $V$ is a linear map $V:\mathcal{H}_{\mathsf{A}}\otimes\mathcal{H}_{\mathsf{R}}\rightarrow\mathcal{H}_{\mathsf{A}}\otimes\mathcal{H}_{\mathsf{R}}$ defined as follows. For all $x\in[N]$ and $R\in\mathcal{R}^{\mathsf{inj}}$ such that $\absolutevalue{R}<N$ ,

V:\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\mapsto\frac{1}{\sqrt{N-\absolutevalue{R}}}\sum_{\begin{subarray}{c}y\in[N],\\ y\not\in\imaginary(R)\end{subarray}}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{R\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(4.1)

Note that $R\cup\{(x,y)\}\in\mathcal{R}^{\mathsf{inj}}$ since $y\notin\imaginary(R)$ .

Lemma 4.1 (Partial isometry).

The path-recording oracle $V$ is an isometry on the subspace of $\mathcal{H}_{\mathsf{A}}\otimes\mathcal{H}_{\mathsf{R}}$ spanned by the states $\ket*{x}\ket*{R}$ for $x\in[N]$ and $R\in\mathcal{R}^{\mathsf{inj}}$ such that $\absolutevalue{R}<N$ .

Proof of Lemma 4.1.

To prove that $V$ is an isometry on the specified subspace, it suffices to show that for all $x,x^{\prime}\in[N]$ and $R,R^{\prime}\in\mathcal{R}^{\mathsf{inj}}$ with $\absolutevalue{R},\absolutevalue{R^{\prime}}<N$ ,

\bra*{x^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\bra*{R^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}V^{\dagger}\cdot V\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=\innerproduct*{x^{\prime}}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot\innerproduct*{R^{\prime}}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(4.2)

We proceed by considering two cases:

•

Case 1: $\absolutevalue{R}\neq\absolutevalue{R^{\prime}}$ . $V\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ and $V\ket*{x^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{R^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ are orthogonal because, by the definition of $V$ , these two states are supported on relation states of different sizes. Therefore, the left-hand side of Eq. 4.2 is zero, which equals the right-hand side, since $\innerproduct*{R^{\prime}}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=0$ for $\absolutevalue{R}\neq\absolutevalue{R^{\prime}}$ .

•

Case 2: $\absolutevalue{R}=\absolutevalue{R^{\prime}}=t$ for some $0\leq t\leq N-1$ . In this case, we expand the left-hand side:

	$\displaystyle\bra{x^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\bra{R^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}V^{\dagger}\cdot V\ket{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$
	$\displaystyle=\Bigg{(}\frac{1}{\sqrt{N-t}}\sum_{\begin{subarray}{c}y^{\prime}\in[N],\\ y^{\prime}\not\in\imaginary(R^{\prime})\end{subarray}}\bra{y^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\bra{R^{\prime}\cup\{(x^{\prime},y^{\prime})\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Bigg{)}\cdot\Bigg{(}\frac{1}{\sqrt{N-t}}\sum_{\begin{subarray}{c}y\in[N],\\ y\not\in\imaginary(R)\end{subarray}}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{R\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Bigg{)}$		(4.3)
	$\displaystyle=\frac{1}{N-t}\sum_{\begin{subarray}{c}y\in[N]\\ y\not\in\imaginary(R^{\prime})\cup\imaginary(R)\end{subarray}}\innerproduct*{R^{\prime}\cup\{(x^{\prime},y)\}}{R\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(4.4)

Now, we consider two sub-cases:

–

Case 2a: $(x,R)\neq(x^{\prime},R^{\prime})$ . For $y\not\in\imaginary(R)\cup\imaginary(R^{\prime})$ , the term $\innerproduct*{R^{\prime}\cup\{(x^{\prime},y)\}}{R\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is always zero because either $x\neq x^{\prime}$ or $R\neq R^{\prime}$ . Therefore, Eq. (4.4) is equal to zero, which matches the right-hand side of the original equation.

–

Case 2b: $(x,R)=(x^{\prime},R^{\prime})$ . In this case, we have:

	$\displaystyle\eqref{eq:chot-is-isometry}$	$\displaystyle=\frac{1}{N-t}\sum_{y\in[N]\setminus\imaginary(R)}\innerproduct*{R\cup\{(x,y)\}}{R\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(4.5)
		$\displaystyle=\frac{1}{N-t}\cdot(N-t)\cdot 1=1,$		(4.6)

which again matches the right-hand side of the original equation.

This shows that Eq. 4.2 holds in all cases, completing the proof. ∎

Next, we define the state $\ket*{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to be the state of the state of the entire system after the adversary has made $t$ queries to the path recording oracle, with the $\mathsf{R}$ register initialized to $\ket*{\varnothing}$ , the state associated with the empty set.

Definition 11.

Given a $t$ -query adversary $\mathcal{A}$ specified by a $t$ -tuple of unitaries $(A_{1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}},\dots,A_{t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}})$ , define the state

\ket*{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneqq\prod_{i=1}^{t}\Big{(}V\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(4.7)

In fact, it will be useful to define a version of this state in which an arbitrary $n$ -qubit unitary $G$ is applied to the adversary’s query register $\mathsf{A}$ before each query to $V$ .

Definition 12.

Given an $n$ -qubit unitary $G$ and a $t$ -query adversary $\mathcal{A}$ specified by a $t$ -tuple of unitaries $(A_{1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}},\dots,A_{t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}})$ , define the state

\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneqq\prod_{i=1}^{t}\Big{(}V\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(4.8)

One consequence of Lemma 4.1 is that $\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ has unit norm as long as $t\leq N$ .

Lemma 4.2 ( $\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ has unit norm).

For any adversary $\mathcal{A}$ making $t\leq N$ forward queries, and any $n$ -qubit unitary $G$ , $\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ has unit norm.

Proof of Lemma 4.2.

We say that a state on registers $(\mathsf{A},\mathsf{B},\mathsf{R})$ is supported on $\mathcal{R}^{\mathsf{inj}}$ if the state is contained in the span of $\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ for $R\in\mathcal{R}^{\mathsf{inj}}$ and any $x,z$ . We will prove by induction on $t$ that for all $0\leq t\leq N$ , $\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is a unit-norm state supported on $\mathcal{R}_{t}^{\mathsf{inj}}$ .

Base case ( $t=0$ ): $\ket*{\mathcal{A}^{V\cdot G}_{0}}=\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ . This state clearly has unit norm, and $\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\in\mathcal{R}_{0}^{\mathsf{inj}}$ , so the claim holds for $t=0$ .

Inductive step: Assume the claim is true for some $0\leq t<N$ , i.e., $\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is a unit-norm state supported on $\mathcal{R}_{t}^{\mathsf{inj}}$ . We will prove that it must hold for $t+1$ . By definition, we have:

\ket*{\mathcal{A}^{V\cdot G}_{t+1}}=V\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{t+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket*{\mathcal{A}^{V\cdot G}_{t}}

(4.9)

This state is unit norm because:

1.

$G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{t+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}$ is a unitary that acts only on the $\mathsf{A}$ and $\mathsf{B}$ registers, and so $G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{t+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket*{\mathcal{A}^{V\cdot G}_{t}}$ is still a unit-norm state supported on $\mathcal{R}_{t}^{\mathsf{inj}}$ .
2.

By Lemma 4.1, $V$ is an isometry on states supported on $\mathcal{R}_{t}^{\mathsf{inj}}$ . Moreover, the definition of $V$ , ensures that it maps states supported on $\mathcal{R}_{t}^{\mathsf{inj}}$ to states supported on $\mathcal{R}_{t+1}^{\mathsf{inj}}$ for $0\leq t<N$ . Thus, $\ket*{\Psi_{t+1}^{G}}$ is a unit-norm state supported on $\mathcal{R}_{t+1}^{\mathsf{inj}}$ .

Hence, for all $0\leq t\leq N$ , $\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is a unit-norm state supported on $\mathcal{R}_{t}^{\mathsf{inj}}$ . ∎

4.2 Right unitary invariance

Our next step is to prove that $V$ satisfies right unitary invariance: for any unitary $G$ , queries to $V\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ are perfectly indistinguishable from queries to $V$ , from the point of view of the adversary who cannot access the purifying register $\mathsf{R}$ . This is captured by the following lemma.

Lemma 4.3 (Right unitary invariance).

For any $n$ -qubit unitary $G$ , we have

\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=(G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\otimes\ldots\otimes G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}})\ket*{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(4.10)

Note that

	$\displaystyle\Tr_{\mathsf{R}}(\outerproduct*{\mathcal{A}^{V\cdot G}_{t}}{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})$
	$\displaystyle=\Tr_{\mathsf{R}}((G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\otimes\ldots\otimes G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}})\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}(G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\otimes\ldots\otimes G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}})^{\dagger})$		(by Lemma 4.3)
	$\displaystyle=\Tr_{\mathsf{R}}(\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}),$		(by the cyclic property of $\Tr_{\mathsf{R}}$ )

where the first line corresponds to the adversary’s view after making $t$ queries to $V\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ , and the last line corresponds to its view after making $t$ queries to $V$ .

Fact 3 (Explicit form).

From the definition of $V$ and $\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ , we can expand out $\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to obtain

$\displaystyle\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$	$\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]^{t}\\ (y_{1},\ldots,y_{t})\in[N]_{\operatorname{{dist}}}^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\outerproduct{y_{i}}{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]\otimes\ket*{\{(x_{i},y_{i})\}_{i=1}^{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$	(4.11)
	$\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]^{t}\\ (y_{1},\ldots,y_{t})\in[N]_{\operatorname{{dist}}}^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\outerproduct{y_{i}}{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]$
	$\displaystyle\otimes\frac{1}{\sqrt{t!}}\sum_{\pi\in\mathsf{Sym}_{t}}\left(S_{\pi}\ket{x_{1}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\dots\ket{x_{t}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}}\right)\otimes\left(S_{\pi}\ket{y_{1}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{Y},1}^{(t)}}}\dots\ket{y_{t}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{Y},t}^{(t)}}}\right),$	(4.12)

Proof of Lemma 4.3.

Our proof will use the following trivial identities for registers $\mathsf{A}$ and $(\mathsf{R}_{\mathsf{X},i}^{(t)})_{i\in[N]}$ :

	$\displaystyle\sum_{z\in[N]}\outerproduct*{z}{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	$\displaystyle=\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}},$		(4.13)
	$\displaystyle\sum_{z\in[N]}\outerproduct*{z}{z}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}$	$\displaystyle=\mathsf{Id}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}.$		(4.14)

For any $n$ -qubit unitary $G$ and $x,z\in[N]$ , we have

\bra*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}=\bra*{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket*{z}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}.

(4.15)

Therefore, we have

$\displaystyle\sum_{x\in[N]}\ket{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\bra{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	$\displaystyle=\sum_{x,z\in[N]}\ket{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\left(\bra{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\right)\bra{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	(Using Eq. (4.13))
	$\displaystyle=\sum_{x,z\in[N]}\ket{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\left(\bra{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket{z}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\right)\bra{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	(Using Eq. (4.15))
	$\displaystyle=\sum_{x,z\in[N]}\left(\outerproduct{x}{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket{z}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\right)\otimes\bra*{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	(4.16)
	$\displaystyle=\sum_{z\in[N]}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket{z}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\bra{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	(Using Eq. (4.14))
	$\displaystyle=\sum_{x\in[N]}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\bra{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}.$	(Relabeling $z$ with $x$ )

Applying the above identity to registers ${\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}},\ldots,{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}$ to 3 yields

$\displaystyle\ket*{\mathcal{A}^{V\cdot G}_{t}}$	$\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]^{t}\\ (y_{1},\ldots,y_{t})\in[N]_{\operatorname{{dist}}}^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\ket{y_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\bra{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]\otimes$	(4.17)
	$\displaystyle\frac{1}{\sqrt{t!}}\sum_{\pi\in\mathsf{Sym}_{t}}\left(S_{\pi}\ket{x_{1}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\dots\ket{x_{t}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}}\right)\otimes\left(S_{\pi}\ket{y_{1}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{Y},1}^{(t)}}}\dots\ket{y_{t}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{Y},t}^{(t)}}}\right)$	(4.18)
	$\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]^{t}\\ (y_{1},\ldots,y_{t})\in[N]_{\operatorname{{dist}}}^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\outerproduct{y_{i}}{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]\otimes$	(4.19)
	$\displaystyle\frac{1}{\sqrt{t!}}\sum_{\pi\in\mathsf{Sym}_{t}}\left(S_{\pi}\,G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\ket{x_{1}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\dots G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}}\ket{x_{t}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}}\right)\otimes\left(S_{\pi}\ket{y_{1}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{Y},1}^{(t)}}}\dots\ket{y_{t}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{Y},t}^{(t)}}}\right)$	(4.20)
	$\displaystyle=(G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\otimes\ldots\otimes G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}})\ket*{\mathcal{A}^{V}_{t}}$	(4.21)

The last line follows from the fact that $(G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\otimes\ldots\otimes G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}})$ acts identically on all $t$ registers, so

S_{\pi}\cdot(G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\otimes\ldots\otimes G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}})=(G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\otimes\ldots\otimes G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}})\cdot S_{\pi}.

(4.22)

This concludes the proof. ∎

Corollary 4.1 (Trace distance between original state and the projected state).

\norm{\Tr_{\mathsf{R}}\left(\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\cdot\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct*{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\right)-\Tr_{\mathsf{R}}\left(\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct*{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)}_{1}\leq\frac{t(t-1)}{N+1}.

(4.23)

Proof.

The trace distance can be bounded as follows,

	$\displaystyle\norm{\Tr_{\mathsf{R}}\left(\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\cdot\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\right)-\Tr_{\mathsf{R}}\left(\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)}_{1}$		(4.24)
	$\displaystyle=1-\Tr\left(\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\cdot\outerproduct{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\right)$		(Lemma 2.2)
	$\displaystyle=1-\Tr\left(\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\Pi^{\operatorname{{dist}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X}}^{(t)}}}\cdot C^{\otimes t}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}^{(t)}_{\mathsf{X}}}}\cdot\outerproduct{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot C^{\otimes t}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}^{(t)}_{\mathsf{X}}}}\cdot\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\right)$		(By Lemma 4.3)
	$\displaystyle\leq\frac{t(t-1)}{N+1},$		(By Lemma 2.1)

which completes the proof of this corollary. ∎

4.3 Relating $V$ to $\mathsf{pfO}$

We now connect the path-recording oracle $V$ to the $\mathsf{pfO}$ oracle defined previously. We begin by defining the $\mathsf{pfO}$ analog of $\ket*{\mathcal{A}^{V\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ .

Definition 13.

\displaystyle\ket*{\mathcal{A}^{\mathsf{pfO}\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\coloneqq\prod_{i=1}^{t}\Big{(}\mathsf{pfO}\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket*{\mathsf{pf}_{\varnothing}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(4.25)

Recall that

\displaystyle\ket*{\mathsf{pf}_{\varnothing}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\coloneqq\frac{1}{\sqrt{N!}}\sum_{\pi\in\mathsf{Sym}_{N}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1\}^{N}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(4.26)

We can expand the definition of $\ket*{\mathcal{A}^{\mathsf{pfO}\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ to obtain the following.

Fact 4 (Explicit form of $\ket*{\mathcal{A}^{\mathsf{pfO}\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ ).

\displaystyle\ket*{\mathcal{A}^{\mathsf{pfO}\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}

\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]^{t}\\ (y_{1},\ldots,y_{t})\in[N]^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\outerproduct*{y_{i}}{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]\otimes\ket*{\mathsf{pf}_{\{(x_{i},y_{i})\}_{i=1}^{t}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(4.27)

While the state $\ket*{\mathsf{pf}_{\{(x_{i},y_{i})\}_{i=1}^{t}}}$ is supported on an exponential number of qubits, we can compress the environment using the following linear operator $\mathsf{Comp}$ . By Claim 4, $\mathsf{Comp}$ is a partial isometry. Intuitively, $\mathsf{Comp}$ “compresses” the state $\ket*{\mathsf{pf}_{R}}$ , which requires an exponential number of qubits $n$ , to $\ket*{R}$ , which is only as big as the size of the relation.

Definition 14.

Define $\mathsf{Comp}:\mathcal{H}_{\mathsf{P}}\otimes\mathcal{H}_{\mathsf{F}}\rightarrow\mathcal{H}_{\mathsf{R}}$ to be

\displaystyle\mathsf{Comp}\coloneqq\sum_{R\in\mathcal{R}^{\mathsf{bij}}}\outerproduct*{R}{\mathsf{pf}_{R}}

(4.28)

Next, we will use $\mathsf{Comp}$ to relate the path-recording oracle $V$ to the purified permutation-function oracle. To do so, we will need to define the following projectors.

Definition 15 (Distinct subspace projector).

Given $0\leq t\leq N$ . Let

\displaystyle\Pi^{\operatorname{{dist}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X}}^{(t)}}}

\displaystyle\coloneq\sum_{(x_{1},\ldots,x_{t})\in[N]_{\operatorname{{dist}}}^{t}}\outerproduct*{x_{1}}{x_{1}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},1}^{(t)}}}\otimes\ldots\otimes\outerproduct*{x_{t}}{x_{t}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},t}^{(t)}}}.

(4.29)

Definition 16 (Distinct subspace projector for $\mathsf{pf}$ -relation states).

Let

\displaystyle\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\coloneqq\sum_{\begin{subarray}{c}R\in\mathcal{R}^{\mathsf{bij}},\\ \absolutevalue{R}=t\end{subarray}}\outerproduct*{\mathsf{pf}_{R}}{\mathsf{pf}_{R}}.

(4.30)

Lemma 4.4 (Relating $V$ and $\mathsf{pfO}$ states).

For all $n$ -qubit unitaries $G$ ,

\displaystyle\mathsf{Comp}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\ket*{\mathcal{A}^{\mathsf{pfO}\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\Pi^{\operatorname{{dist}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X}}^{(t)}}}\cdot\ket*{\mathcal{A}^{V\cdot G}_{t}}

(4.31)

Proof.

By 3, we have

\displaystyle\ket*{\mathcal{A}^{V\cdot G}_{t}}

\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]^{t}\\ (y_{1},\ldots,y_{t})\in[N]_{\operatorname{{dist}}}^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\outerproduct*{y_{i}}{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]\otimes\ket*{\{(x_{i},y_{i})\}_{i=1}^{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(4.32)

Applying $\Pi^{\operatorname{{dist}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X}}^{(t)}}}$ to this state selects the terms corresponding to $(x_{1},\dots,x_{t})\in[N]^{t}_{\operatorname{{dist}}}$ :

\displaystyle\Pi^{\operatorname{{dist}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X}}^{(t)}}}\cdot\ket*{\mathcal{A}^{V\cdot G}_{t}}

\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]_{\operatorname{{dist}}}^{t}\\ (y_{1},\ldots,y_{t})\in[N]_{\operatorname{{dist}}}^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\outerproduct*{y_{i}}{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]\otimes\ket*{\{(x_{i},y_{i})\}_{i=1}^{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(4.33)

By 4,

\displaystyle\ket*{\mathcal{A}^{\mathsf{pfO}\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}

\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]^{t}\\ (y_{1},\ldots,y_{t})\in[N]^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\outerproduct*{y_{i}}{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket*{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]\otimes\ket*{\mathsf{pf}_{\{(x_{i},y_{i})\}_{i=1}^{t}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(4.34)

Applying $\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ selects the terms corresponding to $(x_{1},\dots,x_{t})\in[N]^{t}_{\operatorname{{dist}}}$ and $(y_{1},\dots,y_{t})\in[N]^{t}_{\operatorname{{dist}}}$ :

	$\displaystyle\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\ket*{\mathcal{A}^{\mathsf{pfO}\cdot G}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$		(4.35)
	$\displaystyle=\sqrt{\frac{(N-t)!}{N!}}\sum_{\begin{subarray}{c}(x_{1},\ldots,x_{t})\in[N]_{\operatorname{{dist}}}^{t}\\ (y_{1},\ldots,y_{t})\in[N]_{\operatorname{{dist}}}^{t}\end{subarray}}\left[\,\prod_{i=1}^{t}\Big{(}\outerproduct{y_{i}}{x_{i}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Big{)}\ket{0}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\,\right]\otimes\ket*{\mathsf{pf}_{\{(x_{i},y_{i})\}_{i=1}^{t}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.$		(4.36)

Since $\mathsf{Comp}$ maps $\ket*{\mathsf{pf}_{R}}$ to $\ket*{R}$ for all $R\in\mathcal{R}^{\mathsf{bij}}$ , applying $\mathsf{Comp}$ to the right-hand side of Eq. 4.36 yields the right-hand side of Eq. 4.33, which proves the claim. ∎

Corollary 4.2 (Trace distance between original state and the projected state).

\displaystyle\norm{\Tr_{\mathsf{P}\mathsf{F}}\left(\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct*{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\right)-\Tr_{\mathsf{P}\mathsf{F}}\left(\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct*{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\right)}_{1}\leq\frac{t(t-1)}{N+1}.

(4.37)

Proof.

By Lemma 2.2, we have

	$\displaystyle\norm{\Tr_{\mathsf{P}\mathsf{F}}\left(\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\right)-\Tr_{\mathsf{P}\mathsf{F}}\left(\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\right)}_{1}$
	$\displaystyle=1-\Tr\left(\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\right)$		(4.38)

Next, observe that $\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\mathsf{Comp}^{\dagger}\cdot\mathsf{Comp}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ since

	$\displaystyle\mathsf{Comp}^{\dagger}\cdot\mathsf{Comp}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$		(4.39)
	$\displaystyle=\Big{(}\sum_{R\in\mathcal{R}^{\mathsf{bij}}}\outerproduct{\mathsf{pf}_{R}}{R}\Big{)}\cdot\Big{(}\sum_{R\in\mathcal{R}^{\mathsf{bij}}}\outerproduct{R}{\mathsf{pf}_{R}}\Big{)}\cdot\Big{(}\sum_{\begin{subarray}{c}R\in\mathcal{R}^{\mathsf{bij}},\\ \absolutevalue{R}=t\end{subarray}}\outerproduct*{\mathsf{pf}_{R}}{\mathsf{pf}_{R}}\Big{)}$		(4.40)
	$\displaystyle=\sum_{\begin{subarray}{c}R\in\mathcal{R}^{\mathsf{bij}},\\ \absolutevalue{R}=t\end{subarray}}\outerproduct*{\mathsf{pf}_{R}}{\mathsf{pf}_{R}}=\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.$		(4.41)

By plugging this identity into (4.38), we get

$\displaystyle(\ref{eq:pre-compress})$	$\displaystyle=1-\Tr\left(\mathsf{Comp}^{\dagger}\cdot\mathsf{Comp}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\right)$	(4.42)
	$\displaystyle=1-\Tr\left(\mathsf{Comp}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\mathsf{Comp}^{\dagger}\right)$	(4.43)
	$\displaystyle=1-\Tr\left(\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\Pi^{\operatorname{{dist}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X}}^{(t)}}}\cdot\outerproduct{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\right)$	(By Lemma 4.4)
	$\displaystyle\leq\frac{t(t-1)}{N+1},$	(By Corollary 4.1)

which completes the proof. ∎

5 The PRU proof

5.1 Setup

We define a distribution over $n$ -qubit unitaries parameterized by any $n$ -qubit unitary $2$ -design $\mathfrak{D}$ .

Definition 17 ( $\mathsf{PRU}(\mathfrak{D})$ distribution).

Let $\mathfrak{D}$ be a distribution supported on $\mathcal{U}(N)$ . The distribution $\mathsf{PF}({\mathfrak{D}})$ is defined as follows:

1.

Sample a uniformly random permutation $\pi\leftarrow\mathsf{Sym}_{N}$ , a uniformly random $f\leftarrow\{0,1\}^{N}$ , and a uniformly random $n$ -qubit unitary $C\leftarrow\mathfrak{D}$ .
2.

Output the unitary $\mathcal{O}\coloneqq P_{\pi}\cdot F_{f}\cdot C$ .

The goal of this section is to prove the following theorem.

Theorem 3 ( $\mathsf{PF}(\mathfrak{D})$ is indistinguishable from Haar-random).

Let $\mathcal{A}$ be a $t$ -query oracle adversary that only makes forward queries, and let $\mathfrak{D}$ be an exact unitary $2$ -design. Then

\displaystyle\mathsf{TD}\left(\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mathsf{PF}(\mathfrak{D})}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}},\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mu_{\mathsf{Haar}}}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}}\right)\leq\frac{4t(t-1)}{N+1}

(5.1)

Since quantum-secure pseudorandom permutations and pseudorandom functions exist assuming one-way functions [zhandry2016note, zhandry2021construct], the existence of computationally-secure PRU follows immediately from Theorem 3.

Theorem 4.

If quantum-secure one-way functions exist, then pseudorandom unitaries exist.

The main technical component of the proof of Theorem 3 is the following lemma.

Lemma 5.1 ( $\mathsf{PRU}(\mathfrak{D})$ is indistinguishable from $V$ ).

Let $\mathcal{A}$ be a $t$ -query oracle adversary and let $\mathfrak{D}$ be an exact unitary $2$ -design. Then

\displaystyle\mathsf{TD}\left(\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mathsf{PF}(\mathfrak{D})}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}},\,\,\,\Tr_{\mathsf{R}}\left(\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)\right)\leq\frac{2t(t-1)}{N+1}

(5.2)

Lemma 5.1 implies Theorem 3.

Lemma 5.1 implies Theorem 3 by the following argument. We can instantiate $\mathfrak{D}=\mu_{\mathsf{Haar}}$ , i.e., $\mathfrak{D}$ outputs a Haar-random $n$ -qubit unitary. Then the output of $\mathsf{PRU}(\mathfrak{D})=\mathsf{PRU}(\mu_{\mathsf{Haar}})$ is $P_{\pi}\cdot F_{f}\cdot C$ for random $\pi,f$ and Haar-random $C$ . By invariance of the Haar measure, this is exactly the same as outputting a Haar-random unitary. Thus, we have the following corollary of Lemma 5.1.

Theorem 5 ( $V$ is indistinguishable from Haar random).

Let $\mathcal{A}$ be a $t$ -query oracle adversary. Then

\displaystyle\mathsf{TD}\left(\operatorname*{{\mathbb{E}}}_{\mathcal{O}\sim\mu_{\mathsf{Haar}}}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}},\Tr_{\mathsf{R}}\left(\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)\right)\leq\frac{2t(t-1)}{N+1}

(5.3)

Theorem 3 follows from combining Lemmas 5.1 and 5 using the triangle inequality. It remains to prove Lemma 5.1.

5.2 Proof of Lemma 5.1

Proof of Lemma 5.1.

We will use a hybrid argument. Define the mixed states

$\displaystyle\rho^{(\mathfrak{D})}_{0}$	$\displaystyle\coloneqq\operatorname{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mathsf{PF}(\mathfrak{D})}\outerproduct{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}}$	(5.4)
$\displaystyle\rho^{(\mathfrak{D})}_{1}$	$\displaystyle\coloneqq\Tr_{\mathsf{P}\mathsf{F}}\left(\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\right)$	(5.5)
$\displaystyle\rho^{(\mathfrak{D})}_{2}$	$\displaystyle\coloneqq\Tr_{\mathsf{P}\mathsf{F}}\left(\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}{\mathcal{A}^{\mathsf{pfO}\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\cdot\widetilde{\Pi}^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\right)$	(5.6)
$\displaystyle\rho^{(\mathfrak{D})}_{3}$	$\displaystyle\coloneqq\Tr_{\mathsf{R}}\left(\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\cdot\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\operatorname{{dist}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}X}}^{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}(t)}}}\right)$	(5.7)
$\displaystyle\rho^{(\mathfrak{D})}_{4}$	$\displaystyle\coloneqq\Tr_{\mathsf{R}}\left(\operatorname{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\outerproduct{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)$	(5.8)
$\displaystyle\rho_{5}$	$\displaystyle\coloneqq\Tr_{\mathsf{R}}\left(\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right).$	(5.9)

We argue indistinguishability between each consecutive pair of mixed states:

•

$\rho^{(\mathfrak{D})}_{0}=\rho^{(\mathfrak{D})}_{1}$ by Claim 3.
•

$\norm*{\rho^{(\mathfrak{D})}_{1}-\rho^{(\mathfrak{D})}_{2}}_{1}\leq t(t-1)/(N+1)$ by Corollary 4.2.
•

$\rho^{(\mathfrak{D})}_{2}=\rho^{(\mathfrak{D})}_{3}$ , since by Lemma 4.4, these are two mixed states whose purifications are related by the $\mathsf{Comp}$ isometry, which only acts on the purifying register.
•

$\norm*{\rho^{(\mathfrak{D})}_{3}-\rho^{(\mathfrak{D})}_{4}}_{1}\leq t(t-1)/(N+1)$ by Corollary 4.1.

•

$\rho^{(\mathfrak{D})}_{4}=\rho^{(\mathfrak{D})}_{5}$ since

\displaystyle\rho^{(\mathfrak{D})}_{4}

\displaystyle=\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\Tr_{\mathsf{R}}\left(\outerproduct*{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)=\operatorname*{{\mathbb{E}}}_{C\leftarrow\mathfrak{D}}\Tr_{\mathsf{R}}\left(\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)=\rho_{5},

(5.10)

where the second equality follows from Lemma 4.3, which states that for any $C$ , $\outerproduct*{\mathcal{A}^{V\cdot C}_{t}}{\mathcal{A}^{V\cdot C}_{t}}$ and $\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}$ are related by a unitary on the purifying register.

Using the triangle inequality, we obtain Eq. 5.2, which completes the proof. ∎

Part II Strong PRUs

The goal of Part II is to construct strong PRUs, which are secure against adversaries that make both forward and inverse queries to the unitary oracle. It is important to note that several operators that were defined in Part I, including $\mathsf{pfO},\mathsf{Comp}$ and $V$ , will be have new definitions in Part II.

6 The purified permutation-function oracle

In this section, we analyze the view of an adversary that makes queries to an oracle $P_{\pi}\cdot F_{f}$ , for uniformly random $\pi\leftarrow\mathsf{Sym}_{N}$ and a random ternary function $f\leftarrow\{0,1,2\}^{N}$ . We will do this by analyzing the purified permutation-function permutation oracle, which uses a purification of $\pi$ and $f$ .

Definition 18 (Purified permutation-function oracle).

The purified permutation-function oracle $\mathsf{pfO}$ is a unitary acting on registers $\mathsf{A},\mathsf{P},\mathsf{F}$ , where

•

$\mathsf{P}$ is a register associated with the Hilbert space $\mathcal{H}_{\mathsf{P}}$ , defined to be the span of the orthonormal states $\ket*{\pi}$ for all $\pi\in\mathsf{Sym}_{N}$ .
•

$\mathsf{F}$ is a register associated with the Hilbert space $\mathcal{H}_{\mathsf{F}}$ , defined to be the span of the orthonormal states $\ket*{f}$ for all $f\in\{0,1,2\}^{N}$ .

The unitary $\mathsf{pfO}$ is defined to act as follows:

	$\displaystyle\mathsf{pfO}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\ket{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$	$\displaystyle\coloneqq\omega_{3}^{f(x)}\ket{\pi(x)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}},$		(6.1)
		$\displaystyle=\sum_{y\in[N]}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\delta_{\pi(x)=y}\ket{\pi}\omega_{3}^{f(x)}\ket*{f},$		(6.2)

for all $x\in[N],\pi\in\mathsf{Sym}_{N},$ and $f\in\{0,1,2\}^{N}$ . Here, $\omega_{3}=\exp(2\pi i/3)$ .

The action of $\mathsf{pfO}^{\dagger}$ is

\displaystyle\mathsf{pfO}^{\dagger}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\pi}\ket*{f}

\displaystyle=\sum_{x\in[N]}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\delta_{\pi(x)=y}\ket*{\pi}\omega_{3}^{-f(x)}\ket*{f}.

(6.3)

The view of an adversary that queries the purified oracle is equivalent to the view of an adversary that queries the standard oracle $P_{\pi}\cdot F_{f}$ , for uniformly random $\pi\leftarrow\mathsf{Sym}_{N}$ and $f\leftarrow\{0,1,2\}^{N}$ .

Claim 6 (Equivalence of purified and standard oracles).

For any oracle adversary $\mathcal{A}$ , the following oracle instantiations are perfectly indistinguishable:

•

(Queries to a random $P_{\pi}\cdot F_{f}$ ) Sample a uniformly random $\pi\leftarrow\mathsf{Sym}_{N},f\leftarrow\{0,1,2\}^{N}$ . On each query, apply $P_{\pi}\cdot F_{f}$ to register $\mathsf{A}$ .
•

(Queries to $\mathsf{pfO}$ ) Initialize registers $\mathsf{P},\mathsf{F}$ to $\frac{1}{\sqrt{N!}}\sum_{\pi\in\mathsf{Sym}_{N}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{2^{N}}}\sum_{f\in\{0,1,2\}^{N}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ . At each query, apply $\mathsf{pfO}$ to registers $\mathsf{A},\mathsf{P},\mathsf{F}$ .

The proof is the same as the proof of Claim 3 in Part I.

Next, we define the following states on the $\mathsf{P},\mathsf{F}$ registers.

Definition 19 ( $\mathsf{pf}$ -relation state).

For $L=\{(x_{1},y_{1}),\dots,(x_{\ell},y_{\ell})\}\in\mathcal{R}_{\ell}$ and $R=\{(x^{\prime}_{1},y^{\prime}_{1}),\dots,(x^{\prime}_{r},y^{\prime}_{r})\}\in\mathcal{R}_{r}$ , where $\ell$ and $r$ are non-negative integers such that $\ell+r\leq N$ , let

\displaystyle\ket*{\mathsf{pf}_{L,R}}\coloneqq\frac{1}{\sqrt{(N-\ell-r)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,L\cup R}\ket*{\pi}\frac{1}{\sqrt{3^{N}}}\sum_{f\in\{0,1,2\}^{N}}\omega_{3}^{f(x_{1})+\cdots+f(x_{\ell})-(f(x^{\prime}_{1})+\cdots+f(x^{\prime}_{r}))}\ket*{f},

(6.4)

where $\delta_{\pi,L\cup R}$ is an indicator variable that equals $1$ if $\pi(x)=y$ for all $(x,y)\in L\cup R$ , and is $0$ otherwise.

Note that when $\ell=r=0$ , i.e., $L=R=\varnothing$ are both the empty relation, the $\mathsf{pf}$ -relation state $\ket*{\mathsf{pf}_{\varnothing,\varnothing}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ is the uniform superposition over all permutations $\pi\in\mathsf{Sym}_{N}$ and all ternary functions $f\in\{0,1,2\}^{N}$ ,

\displaystyle\ket*{\mathsf{pf}_{\varnothing,\varnothing}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\coloneqq\frac{1}{\sqrt{N!}}\sum_{\pi\in\mathsf{Sym}_{N}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\frac{1}{\sqrt{3^{N}}}\sum_{f\in\{0,1\}^{N}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(6.5)

Recall that a relation $R$ is bijective if and only if $\absolutevalue{\imaginary(R)}=\absolutevalue{\operatorname{Dom}(R)}=\absolutevalue{R}$ . Equivalently, writing $R=\{(x_{1},y_{1}),\dots,(x_{t},y_{t})\}$ , $R$ is bijective if $x_{1},\dots,x_{t}$ are all distinct, and $y_{1},\dots,y_{t}$ are also all distinct.

Definition 20.

Let $\mathcal{R}^{2,\operatorname{{dist}}}$ be the set of all ordered pairs of relations $(L,R)\in\mathcal{R}^{2}$ where $L\cup R$ is a bijective relation.

6.1 Orthonormality of the $\mathsf{pf}$ -relation states

Claim 7 (Orthonormality of $\mathsf{pf}$ -relation states).

$\{\ket*{\mathsf{pf}_{L,R}}\}_{(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}}$ is an orthonormal set of vectors.

Proof of Claim 7.

For $x\in[N]$ , let $e_{x}\in\{0,1,2\}^{N}$ denote the $N$ -dimensional vector that has a $1$ in the $x$ -th position, and is $0$ everywhere else. Then by writing $f(x)$ as $f(x)=f\cdot e_{x}$ , we get

	$\displaystyle\frac{1}{\sqrt{3^{N}}}\sum_{f\in\{0,1,2\}^{N}}\omega_{3}^{f(x_{1})+\cdots+f(x_{\ell})-(f(x_{1}^{\prime})+\cdots f(x_{r}^{\prime}))}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$		(6.6)
	$\displaystyle=\frac{1}{\sqrt{3^{N}}}\sum_{f\in\{0,1,2\}^{N}}\omega_{3}^{f\cdot(e_{x_{1}}+\cdots+e_{x_{\ell}})-f\cdot(e_{x_{1}^{\prime}}+\cdots+e_{x_{r}^{\prime}})}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$		(6.7)
	$\displaystyle=\mathsf{QFT}_{3}^{\otimes N}\ket*{(e_{x_{1}}+\cdots+e_{x_{\ell}})-(e_{x^{\prime}_{1}}+\cdots+e_{x^{\prime}_{r}})\ (\mathrm{mod}\ 3)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}},$		(6.8)

where $\mathsf{QFT}_{3}$ denotes the $3$ -ary quantum Fourier transform. When $\{x_{1},\dots,x_{\ell},x^{\prime}_{1},\dots,x^{\prime}_{r}\}$ are all distinct, there is a bijection between $(e_{x_{1}}+\cdots+e_{x_{\ell}})-(e_{x^{\prime}_{1}}+\cdots+e_{x^{\prime}_{r}})$ and the sets $\{x_{1},\dots,x_{\ell}\},\{x^{\prime}_{1},\dots,x^{\prime}_{r}\}$ : the first set corresponds to the indices where the vector is $1$ , and the second set is the indices where the vector is $-1\equiv 2\ (\mathrm{mod}\ 3)$ . Thus, there is an isometry that maps

\displaystyle\frac{1}{\sqrt{3^{N}}}\sum_{f\in\{0,1,2\}^{N}}\omega_{3}^{f(x_{1})+\cdots+f(x_{\ell})-(f(x_{1}^{\prime})+\cdots f(x_{r}^{\prime}))}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\mapsto\ket*{\{x_{1},\dots,x_{\ell}\}}\ket*{\{x_{1}^{\prime},\dots,x_{r}^{\prime}\}},

(6.9)

whenever $\{x_{1},\dots,x_{\ell},x^{\prime}_{1},\dots,x^{\prime}_{r}\}$ are all distinct. Thus, for any $L=\{(x_{1},y_{1}),\dots,(x_{\ell},y_{\ell})\}$ , $R=\{(x_{1}^{\prime},y_{1}^{\prime}),\dots,(x_{r}^{\prime},y_{r}^{\prime})\}$ where $L\cup R$ is a bijective relation, applying this isometry to the $\mathsf{F}$ register of $\ket*{\mathsf{pf}_{L,R}}$ yields

\displaystyle\ket*{\mathsf{pf}_{L,R}}\mapsto\frac{1}{\sqrt{(N-\ell-r)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,L\cup R}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\ket*{\{x_{1},\dots,x_{\ell}\}}\ket*{\{x_{1}^{\prime},\dots,x_{r}^{\prime}\}}.

(6.10)

Next, we can apply an isometry that, controlled on $\ket*{\pi}$ , sends each $x_{i}$ to the tuple $(x_{i},\pi(x_{i}))=(x_{i},y_{i})$ . The result is

\displaystyle\frac{1}{\sqrt{(N-\ell-r)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,L\cup R}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\otimes\ket*{\{(x_{1},y_{1}),\dots,(x_{\ell},y_{\ell})\}}\ket*{\{(x_{1}^{\prime},y_{1}^{\prime}),\dots,(x_{r}^{\prime},y_{r}^{\prime})\}}.

(6.11)

Finally, controlled on the last two registers, we can uncompute the superposition on the $\mathsf{P}$ register. The result is

\displaystyle\ket*{\{(x_{1},y_{1}),\dots,(x_{\ell},y_{\ell})\}}\ket*{\{(x_{1}^{\prime},y_{1}^{\prime}),\dots,(x_{r}^{\prime},y_{r}^{\prime})\}}=\ket*{L}\ket*{R}.

(6.12)

This completes the proof. ∎

Definition 21.

Define the partial isometry $\mathsf{Comp}:\mathcal{H}_{\mathsf{P}}\otimes\mathcal{H}_{\mathsf{F}}\rightarrow\mathcal{H}_{\mathsf{L}}\otimes\mathcal{H}_{\mathsf{R}}$ to be

\displaystyle\mathsf{Comp}\coloneqq\sum_{(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\bra{\mathsf{pf}_{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}

(6.13)

Here, $\mathsf{L}$ and $\mathsf{R}$ are variable-length registers as defined in Section 2.1. Note that $\mathsf{Comp}$ is a partial isometry by Claim 7.

6.2 How $\mathsf{pfO}$ acts on the $\mathsf{pf}$ -relation states

Claim 8 (Action of $\mathsf{pfO}$ ).

For any $(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}$ and $x\in[N]$ such that $x\not\in\operatorname{Dom}(L\cup R)$ , we have

\displaystyle\mathsf{pfO}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\mathsf{pf}_{L,R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\frac{1}{\sqrt{N-\absolutevalue{L\cup R}}}\sum_{\begin{subarray}{c}y\in[N]:\\ y\not\in\imaginary(L\cup R)\end{subarray}}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\mathsf{pf}_{L\cup\{(x,y)\},R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(6.14)

Similarly, for any $(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}$ and $y\in[N]$ such that $y\not\in\imaginary(L\cup R)$ , we have

\displaystyle\mathsf{pfO}^{\dagger}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\mathsf{pf}_{L,R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\frac{1}{\sqrt{N-\absolutevalue{L\cup R}}}\sum_{\begin{subarray}{c}x\in[N]:\\ x\not\in\operatorname{Dom}(L\cup R)\end{subarray}}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\mathsf{pf}_{L,R\cup\{(x,y)\}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.

(6.15)

Proof of Claim 8.

Recall that

\displaystyle\mathsf{pfO}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\sum_{y\in[N]}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\delta_{\pi(x)=y}\ket*{\pi}\omega_{3}^{f(x)}\ket*{f}.

(6.16)

Let us write $L=\{(x_{1},y_{1}),\dots,(x_{\ell},y_{\ell})\}$ and $R=\{(x^{\prime}_{1},y^{\prime}_{1}),\dots,(x^{\prime}_{r},y^{\prime}_{r})\}$ . Then

\displaystyle\ket*{\mathsf{pf}_{L,R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\frac{1}{\sqrt{(N-\ell-r)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,L\cup R}\ket*{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\frac{1}{\sqrt{3^{N}}}\sum_{f\in\{0,1,2\}^{N}}\omega_{3}^{f(x_{1})+\cdots+f(x_{\ell})-f(x^{\prime}_{1})-\cdots-f(x^{\prime}_{r}))}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}},

(6.17)

Thus, we have

	$\displaystyle\mathsf{pfO}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\ket{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\mathsf{pf}_{L,R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$		(6.18)
	$\displaystyle=\sum_{y\in[N]}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\frac{1}{\sqrt{(N-\ell-r)!}}\sum_{\pi\in\mathsf{Sym}_{N}}{\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}\delta_{\pi(x)=y}}\cdot\delta_{\pi,L\cup R}\ket{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}$
	$\displaystyle\quad\frac{1}{\sqrt{3^{N}}}\sum_{f\in\{0,1,2\}^{N}}\omega_{3}^{f(x_{1})+\cdots+f(x_{\ell})+{\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}f(x)}-f(x^{\prime}_{1})-\cdots-f(x^{\prime}_{r}))}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.$		(6.19)

In this sum, $\ket*{y}$ has a coefficient of $0$ whenever $y\in\imaginary(L\cup R)$ , since in that case the constraints that $\delta_{\pi,L\cup R}$ and $\delta_{\pi(x)=y}$ are impossible to satisfy since $x\not\in\operatorname{Dom}(L\cup R)$ , and thus satisfying both constraints would require $y$ to have two different preimages under the permutation $\pi$ . We can therefore rewrite the above sum as

	$\displaystyle\mathsf{pfO}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\ket{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\mathsf{pf}_{L,R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$		(6.20)
	$\displaystyle=\frac{1}{\sqrt{N-\ell-r}}\sum_{\begin{subarray}{c}y\in[N]:\\ y\not\in\imaginary(L\cup R)\end{subarray}}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\frac{1}{\sqrt{(N-\ell-1-r)!}}\sum_{\pi\in\mathsf{Sym}_{N}}\delta_{\pi,L\cup\{(x,y)\}\cup R}\ket{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}$
	$\displaystyle\quad\frac{1}{\sqrt{3^{N}}}\sum_{f\in\{0,1,2\}^{N}}\omega_{3}^{f(x_{1})+\cdots+f(x_{\ell})+f(x)-f(x^{\prime}_{1})-\cdots-f(x^{\prime}_{r}))}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$		(6.21)
	$\displaystyle=\frac{1}{\sqrt{N-\ell-r}}\sum_{y\in[N]}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\mathsf{pf}_{L\cup\{(x,y)\},R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}.$		(6.22)

This completes the proof of Eq. 6.14. Since $\mathsf{pfO}^{\dagger}$ applies the map

\displaystyle\mathsf{pfO}^{\dagger}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\pi}\ket*{f}

\displaystyle=\sum_{x\in[N]}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\delta_{\pi(x)=y}\ket*{\pi}\omega_{3}^{-f(x)}\ket*{f},

(6.23)

the proof for Eq. 6.15 follows by a symmetric argument. ∎

7 The partial path-recording oracle $W$

In the previous section, we proved Claim 8, which partially characterizes how the unitaries $\mathsf{pfO}$ and $\mathsf{pfO}^{\dagger}$ act in terms of states $\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{\mathsf{pf}_{L,R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ . We also proved that there exists an isometry $\mathsf{Comp}$ that maps $\ket*{\mathsf{pf}_{L,R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ to $\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ for all pairs of relations $L,R$ such that their union $L\cup R$ is a bijective relation. In this section, we will define a linear operator $W$ that we call the partial path recording oracle. This $W$ operator, up to isometry, implements a restricted version of the $\mathsf{pfO}$ operator. In particular, we have the following.

•

On states of the form $\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ such that $L\cup R$ is a bijection and $x\not\in\operatorname{Dom}(L\cup R)$ , the linear map $W$ performs exactly the same map as $\mathsf{pfO}$ (up to isometry).
•

On states of the form $\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ such that $L\cup R$ is a bijection and $y\not\in\imaginary(L\cup R)$ , the linear map $W^{\dagger}$ performs exactly the same map as $\mathsf{pfO}^{\dagger}$ (up to isometry).

In the above, “up to isometry” refers to the isometry $\mathsf{Comp}$ that maps $\ket*{\mathsf{pf}_{L,R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ to $\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ . Formally, the registers $\mathsf{L}$ and $\mathsf{R}$ are both variable-length registers that store the two relations $L$ and $R$ . We refer the reader to Sections 2.1.1 and 2.1 in the Preliminaries section for our definitions of variable-length registers, relations, and relation states.

The role of the $W$ operator in our proof.

Looking ahead to our main proof, we will show that if $C,D$ are sampled from any $n$ -qubit $2$ -design, then an adversary (making both forward and inverse queries) cannot distinguish between an oracle that implements $D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot\mathsf{pfO}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ and an oracle that implements $D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot W\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ , except with negligible advantage. Thus, even though $W$ only behaves like (a compressed version of) $\mathsf{pfO}$ on a restricted subspace, we will show that the twirling of $C,D$ prevents the adversary from detecting the difference.

In the next section, we will show that the $W$ operator can also be seen as a restricted version of another linear operator $V$ that we call the path-recording oracle. The connection between $W$ and $V$ plays a crucial role in our proof; see Section 8 for further discussion.

7.1 Defining $W^{L}$ and $W^{R}$

Before we define $W$ , we will first define helper operators $W^{L}$ and $W^{R}$ . The $W^{L}$ operator is defined to capture the (partial) characterization of $\mathsf{pfO}$ given in Eq. 6.14, while $W^{R}$ is defined to capture the (partial) characterization of $\mathsf{pfO}^{\dagger}$ given in Eq. 6.15.

Definition 22 ( $W^{L}$ and $W^{R}$ ).

Define $W^{L}$ to be the linear map such that for any $(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}$ and $x\in[N]$ such that $x\not\in\operatorname{Dom}(L\cup R)$ ,

\displaystyle W^{L}\cdot\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneqq\frac{1}{\sqrt{N-\absolutevalue{L\cup R}}}\sum_{\begin{subarray}{c}y\in[N]:\\ y\not\in\imaginary(L\cup R)\end{subarray}}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(7.1)

Similarly, define $W^{R}$ be the linear map such that for any $(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}$ and $y\in[N]$ such that $y\not\in\imaginary(L\cup R)$ ,

\displaystyle W^{R}\cdot\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneqq\frac{1}{\sqrt{N-\absolutevalue{L\cup R}}}\sum_{\begin{subarray}{c}x\in[N]:\\ x\not\in\operatorname{Dom}(L\cup R)\end{subarray}}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(7.2)

It is useful to define the following projectors to describe the actions of $W^{L},W^{R}$ .

Definition 23 (Bijective-relation projectors).

Define the projectors

\displaystyle\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneq\sum_{(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}}\outerproduct*{L}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\outerproduct*{R}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}},\quad\quad\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneq\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=\Pi_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}},

(7.3)

where the projector $\Pi_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is the maximum-length projector defined in 8.

By the definition of $W^{L}$ and $W^{R}$ , we have the following fact about the action of $W^{L}$ and $W^{R}$ on states with a bounded length.

Fact 5.

For any integer $i\geq 0$ , $W^{L},W^{R}$ map states in the subspace associated to the projector $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ into the subspace associated with the projector $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ .

The following property follows from the relation between $W^{L},W^{R}$ and $\mathsf{pfO},\mathsf{pfO}^{\dagger}$ .

Claim 9.

$W^{L}$ and $W^{R}$ are both partial isometries.

Proof.

Since $\mathsf{pfO}$ is a unitary operator, the operator obtained by restricting the domain of $\mathsf{pfO}$ to the span of the states $\ket*{x}\ket*{\mathsf{pf}_{L,R}}$ is a partial isometry. Up to relabeling $\ket*{\mathsf{pf}_{L,R}}$ as $\ket*{L,R}$ (i.e., applying the partial isometry $\mathsf{Comp}$ ), this is $W^{L}$ . Similarly, $\mathsf{pfO}^{\dagger}$ is a unitary, and the operator obtained by restricting $\mathsf{pfO}^{\dagger}$ to the span of states $\ket*{y}\ket*{\mathsf{pf}_{L,R}}$ is a partial isometry. Up to relabeling $\ket*{\mathsf{pf}_{L,R}}$ as $\ket*{L,R}$ , this is $W^{R}$ . ∎

Notation 12.

For a partial isometry $G$ , let $\mathcal{D}(G)$ and $\mathcal{I}(G)$ denote its domain and image. Let $\Pi^{\mathcal{D}(G)}=G^{\dagger}\cdot G$ and $\Pi^{\mathcal{I}(G)}=G\cdot G^{\dagger}$ denote the orthogonal projectors onto $\mathcal{D}(G)$ and $\mathcal{I}(G)$ .

Claim 10.

For all integers $t\geq 0$ , $\Pi_{\leq t}$ commutes with $\Pi^{\mathcal{D}(W^{L})}$ , $\Pi^{\mathcal{I}(W^{L})}$ , $\Pi^{\mathcal{D}(W^{R})}$ , and $\Pi^{\mathcal{I}(W^{R})}$ .

Proof.

By 5, $\Pi^{\mathcal{D}(W^{L})}=W^{L,\dagger}\cdot W^{L}$ maps states from $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ for $t\geq 0$ . This implies that $\Pi^{\mathcal{D}(W^{L})}$ commutes with $\Pi_{\leq t}$ for all $t\geq 0$ . By 5, $\Pi^{\mathcal{I}(W^{L})}=W^{L}\cdot W^{L,\dagger}$ maps states from $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq t+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq t+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ for $t+1\geq 0$ . This implies that $\Pi^{\mathcal{D}(W^{L})}$ commutes with $\Pi_{\leq t}$ for all $t\geq 1$ . Additionally, $\Pi^{\mathcal{I}(W^{L})}=W^{L}\cdot W^{L,\dagger}$ has no support on $\Pi_{\leq 0}$ , and thus it commutes with $\Pi_{\leq 0}$ . By symmetric arguments, we obtain the analogous statements for $W^{R}$ . ∎

It will be useful to state the connection between the $W^{L},W^{R}$ , and $\mathsf{pfO}$ more formally.

Fact 6.

We have

	$\displaystyle W^{L}$	$\displaystyle=\mathsf{Comp}\cdot\mathsf{pfO}\cdot\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{D}(W^{L})}=\Pi^{\mathcal{I}(W^{L})}\cdot\mathsf{Comp}\cdot\mathsf{pfO}\cdot\mathsf{Comp}^{\dagger},$		(7.4)
	$\displaystyle W^{R}$	$\displaystyle=\mathsf{Comp}\cdot\mathsf{pfO}^{\dagger}\cdot\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{D}(W^{R})}=\Pi^{\mathcal{I}(W^{R})}\cdot\mathsf{Comp}\cdot\mathsf{pfO}^{\dagger}\cdot\mathsf{Comp}^{\dagger}.$		(7.5)

7.2 Defining $W$

We now use $W^{L}$ and $W^{R}$ to define the partial path-recording oracle $W$ .

Definition 24.

The partial path-recording oracle is the operator $W$ defined as

W\coloneqq W^{L}+W^{R,\dagger}.

(7.6)

From 5, we immediately obtain the following fact.

Fact 7.

$\mathcal{D}(W)$ , $\mathcal{I}(W)$ are subspaces of the image of $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ . Moreover, for any integer $i\geq 0$ , $W$ and $W^{\dagger}$ map states in the subspace associated to the projector $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ into the subspace associated with the projector $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ .

Claim 11.

$W$ is a partial isometry.

Proof of Claim 11.

Since $W^{L}$ and $W^{R}$ (and hence $W^{R,\dagger}$ ) are partial isometries, the operator $W=W^{L}+W^{R,\dagger}$ is a partial isometry as long as both of the following are true:

•

The subspaces $\mathcal{D}(W^{L})$ and $\mathcal{D}(W^{R,\dagger})=\mathcal{I}(W^{R})$ are orthogonal, i.e., $W$ is a sum of two partial isometries with orthogonal domains.
•

The subspaces $\mathcal{I}(W^{L})$ and $\mathcal{I}(W^{R,\dagger})=\mathcal{D}(W^{R})$ are orthogonal, i.e., $W$ is a sum of two partial isometries with orthogonal images.

$\mathcal{D}(W^{L})$ and $\mathcal{I}(W^{R})$ are orthogonal because $\mathcal{D}(W^{L})$ is only supported on states $\ket*{x}\ket*{L}\ket*{R}$ where $x\not\in\operatorname{Dom}(L\cup R)$ , while $\mathcal{I}(W^{R})$ is only supported on states $\ket*{x}\ket*{L}\ket*{R}$ where $x\in\operatorname{Dom}(L\cup R)$ (this can be seen by inspecting the right-hand-side of Eq. 7.2). A symmetric argument shows that $\mathcal{D}(W^{R})$ and $\mathcal{I}(W^{L})$ are also orthogonal, which completes the proof. ∎

In fact, our proof of Claim 11 establishes the following relationship between the domain and image of $W$ and the domain and image of $W^{L}$ and $W^{R}$ .

Fact 8.

The domain and image of $W$ are given by

	$\displaystyle\Pi^{\mathcal{D}(W)}$	$\displaystyle=\Pi^{\mathcal{D}(W^{L})}+\Pi^{\mathcal{I}(W^{R})},$		(7.7)
	$\displaystyle\Pi^{\mathcal{I}(W)}$	$\displaystyle=\Pi^{\mathcal{D}(W^{R})}+\Pi^{\mathcal{I}(W^{L})}.$		(7.8)

Claim 12.

For all integers $t\geq 0$ , $\Pi_{\leq t}$ commutes with $\Pi^{\mathcal{D}(W)}$ and $\Pi^{\mathcal{I}(W)}$ .

Proof.

This follows immediately from Claim 10, which states that the projector $\Pi_{\leq t}$ commutes with the projectors $\Pi^{\mathcal{D}(W^{L})}$ , $\Pi^{\mathcal{I}(W^{L})}$ , $\Pi^{\mathcal{D}(W^{R})}$ , $\Pi^{\mathcal{I}(W^{R})}$ . ∎

Corollary 7.1.

For all integers $t\geq 0$ , the image of $\Pi^{\mathcal{D}(W)}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is a subspace of the image of $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ . Similarly, the image of $\Pi^{\mathcal{I}(W)}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is a subspace of the image of $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ .

Using 8, we can now establish the following relationship between $W$ and $\mathsf{pfO}$ .

Claim 13 ( $W$ is a restriction of $\mathsf{pfO}$ up to isometry).

We have

	$\displaystyle W$	$\displaystyle=\mathsf{Comp}\cdot\mathsf{pfO}\cdot\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{D}(W)},$		(7.9)
	$\displaystyle W^{\dagger}$	$\displaystyle=\mathsf{Comp}\cdot\mathsf{pfO}^{\dagger}\cdot\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{I}(W)}.$		(7.10)

In words, Claim 13 says that for any state in $\mathcal{D}(W)$ , the domain of $W$ , the action of $W$ is the same as $\mathsf{pfO}$ up to isometry. Additionally, it says that for any state in the image in $\mathcal{I}(W)$ , the image of $W$ , the action of $W^{\dagger}$ is the same as $\mathsf{pfO}^{\dagger}$ up to isometry.

Proof of Claim 13.

We will prove the first equality, Eq. 7.9; the second equality, Eq. 7.10, follows from a symmetric argument. From Eq. 7.4 and Eq. 7.5, we have

	$\displaystyle\mathsf{Comp}\cdot\mathsf{pfO}\cdot\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{D}(W^{L})}$	$\displaystyle=W^{L},$		(7.11)
	$\displaystyle\mathsf{Comp}\cdot\mathsf{pfO}\cdot\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{I}(W^{R})}$	$\displaystyle=W^{R,\dagger}.$		(7.12)

Summing Eqs. 7.11 and 7.12 yields

\displaystyle\mathsf{Comp}\cdot\mathsf{pfO}\cdot\mathsf{Comp}^{\dagger}\cdot(\Pi^{\mathcal{D}(W^{L})}+\Pi^{\mathcal{I}(W^{R})})=W^{L}+W^{R,\dagger},

(7.13)

and plugging in $\Pi^{\mathcal{D}(W)}=\Pi^{\mathcal{D}(W^{L})}+\Pi^{\mathcal{I}(W^{R})}$ from Eq. 7.7 and $W=W^{L}+W^{R,\dagger}$ yields Eq. 7.9. ∎

8 The path-recording oracle $V$

In the previous section, we defined a linear operator $W$ and showed that $W$ acts as a restricted version of $\mathsf{pfO}$ , up to an application of the $\mathsf{Comp}$ isometry. In this section, we will introduce a second linear operator $V$ , which will satisfy a number of key properties that will be crucial for our proof. We will show that $V$ satisfies the following properties:

•

$V$ is indistinguishable from $W$ under twirling, i.e., for $C,D$ sampled from any $n$ -qubit unitary $2$ -design $\mathfrak{D}$ , an adversary making forward and inverse queries cannot distinguish between queries to $D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ and queries to $D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot W\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ .
•

$V$ satisfies approximate unitary invariance, which we will use to conclude the following: an adversary making forward and inverse queries cannot distinguish between queries to $D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ for $C,D$ sampled from any $n$ -qubit unitary $2$ -design $\mathfrak{D}$ , and plain queries to $V$ .⁶⁶6For technical reasons, our main proof will handle both of these bullets in one argument.

We will refer to $V$ as the path-recording oracle. We remark that this definition of $V$ is different from the one given in Part I, as this $V$ will need to be designed to handle forward and inverse queries. In LABEL:subsec:imp-forward-inverse-q we describe how to implement $V$ efficiently.

8.1 Defining $V^{L}$ and $V^{R}$

To define $V$ , we first introduce helper operators $V^{L}$ and $V^{R}$ .

Definition 25 (left and right partial isometries).

Let $V^{L}$ be the linear operator that acts as follows. For $x\in[N]$ and $(L,R)\in\mathcal{R}^{2,\leq N-1}$ ,

\displaystyle V^{L}\cdot\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneqq\sum_{\begin{subarray}{c}y\in[N]:\\ y\not\in\imaginary(L\cup R)\end{subarray}}\frac{1}{\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(8.1)

Define $V^{R}$ to be the linear operator such that for all $y\in[N]$ and $(L,R)\in\mathcal{R}^{2,\leq N-1}$ ,

\displaystyle V^{R}\cdot\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneqq\sum_{\begin{subarray}{c}x\in[N]:\\ x\not\in\operatorname{Dom}(L\cup R)\end{subarray}}\frac{1}{\sqrt{N-\absolutevalue{\operatorname{Dom}(L\cup R)}}}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(8.2)

By construction, $V^{L}$ and $V^{R}$ take states in $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}^{2}}_{\leq i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}^{2}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ .

Why these definitions of $V^{L}$ and $V^{R}$ ?

On states of the form $\ket*{x}\ket*{L}\ket*{R}$ within the domain of $W^{L}$ , the operators $W^{L}$ and $V^{L}$ act in the same way. However, the domain of $W^{L}$ is limited to states $\ket*{x}\ket*{L}\ket*{R}$ where $L\cup R$ forms a bijection and $x\notin\operatorname{Dom}(L\cup R)$ (which also implies that $\absolutevalue{L\cup R}\leq N-1$ ). On the other hand, the definition of $V^{L}$ extends $W^{L}$ so that it acts on all $\ket*{x}\ket*{L}\ket*{R}$ satisfying $\absolutevalue{L\cup R}\leq N-1$ . In particular, we have dropped the requirement that $L\cup R$ is a bijection and that $x\not\in\operatorname{Dom}(L\cup R)$ . An analogous relationship holds between $V^{R}$ and $W^{R}$ . We define these extended operators, $V^{L}$ and $V^{R}$ , to establish a property known as (approximate) unitary invariance (see Claim 23). Importantly, this property holds only for the extended operators $V^{L}$ and $V^{R}$ , and not for the original $W^{L}$ and $W^{R}$ operators.

Claim 14.

$V^{L}$ and $V^{R}$ are partial isometries.

Proof.

We will give the proof for $V^{L}$ ; the proof for $V^{R}$ follows by a symmetric argument. $V^{L}$ is a partial isometry if and only if $V^{L}\cdot V^{L,\dagger}$ is the orthogonal projector onto $\mathcal{D}(V^{L})$ . From the definition of $V^{L}$ , we can see that its domain is

\displaystyle\mathcal{D}(V^{L})=\mathrm{span}\{\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}:x\in[N],(L,R)\in\mathcal{R}^{2,\leq N-1}\}.

(8.3)

It suffices to show that for all $x,x^{\prime}\in[N]$ , and $(L,R)\in\mathcal{R}^{2,\leq N-1}$ and $(L^{\prime},R^{\prime})\in\mathcal{R}^{2,\leq N-1}$ that

\displaystyle\bra*{x^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\bra*{L^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\bra*{R^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L,\dagger}\cdot V^{L}\cdot\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=\innerproduct*{x^{\prime}}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\innerproduct*{L^{\prime}}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\innerproduct*{R^{\prime}}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(8.4)

We can expand out the LHS as

\displaystyle\Big{(}\sum_{y^{\prime}\not\in\imaginary(L^{\prime}\cup R^{\prime})}\frac{\bra*{y^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\bra*{L^{\prime}\cup x^{\prime}y^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\bra*{R^{\prime}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}}{\sqrt{N-\absolutevalue{\imaginary(L^{\prime}\cup R^{\prime})}}}\Big{)}\cdot\Big{(}\sum_{y\not\in\imaginary(L\cup R)}\frac{\ket*{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L\cup\{(x,y)\}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}}{\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}\Big{)}

(8.5)

The summand is zero unless $y^{\prime}=y$ , $L^{\prime}\cup x^{\prime}y^{\prime}=L\cup\{(x,y)\}$ , and $R^{\prime}=R$ . Combining the first two constraints, we have $L^{\prime}\cup x^{\prime}y=L\cup\{(x,y)\}$ . Since $y$ does not appear in either $\imaginary(L^{\prime})$ or $\imaginary(L)$ , this implies $x^{\prime}=x$ and $L^{\prime}=L$ . This means that the sum is $0$ unless $x=x^{\prime}$ , $L=L^{\prime}$ and $R=R^{\prime}$ . When these constraints are satisfied, the sum becomes $\sum_{y\not\in\imaginary(L\cup R)}1/(N-\absolutevalue{\imaginary(L\cup R)})=1$ . This completes the proof that $V^{L}$ is a partial isometry. ∎

8.2 Defining $V$

Definition 26.

The path-recording oracle is the operator $V$ defined as

\displaystyle V

\displaystyle=V^{L}\cdot(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})+(\mathsf{Id}-V^{L}\cdot V^{L,\dagger})\cdot V^{R,\dagger}.

(8.6)

By construction, $V$ and $V^{\dagger}$ take states in $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}^{2}}_{\leq i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}^{2}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ for any integer $i\geq 0$ .

Why this definition of $V$ ?

Recall that since we defined $W\coloneqq W^{L}+W^{R,\dagger}$ , it might seem natural to define $V\coloneqq V^{L}+V^{R,\dagger}$ . However, if we defined $V$ this way, it would not be a partial isometry. As we showed in the proof of Claim 11, $W^{L}+W^{R,\dagger}$ is a partial isometry because $W^{L}$ and $W^{R,\dagger}$ do not “overlap”, i.e., they are partial isometries with orthogonal domains and orthogonal images . On the other hand, this is not true for $V^{L}$ and $V^{R,\dagger}$ . Thus, in order to ensure that $V$ is a partial isometry, we need to “project out” the overlap between $V^{L}$ and $V^{R,\dagger}$ .

Claim 15.

$V$ is a partial isometry.

Proof.

We will first show that $V^{L}\cdot(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})$ is a partial isometry. This is true if and only if $(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})\cdot V^{L,\dagger}\cdot V^{L}\cdot(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})$ is a projector. To show that this operator is a projector, it suffices to show that $\Pi^{\mathcal{D}(V^{L})}=V^{L,\dagger}\cdot V^{L}$ and $\Pi^{\mathcal{I}(V^{R})}=V^{R}\cdot V^{R,\dagger}$ commute. From the definition of $V^{L}$ , its domain is the image of the projector $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}^{2}}_{\leq N-1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ . Since $V^{R}$ takes states in $\Pi^{\mathcal{R}^{2}}_{\leq i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to $\Pi^{\mathcal{R}^{2}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ (for $0\leq i\leq N-1$ ), it follows that $V^{R}\cdot V^{R,\dagger}$ takes states in $\Pi^{\mathcal{R}^{2}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to $\Pi^{\mathcal{R}^{2}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ (for $0\leq i\leq N-1$ ). In particular, this means it commutes with $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}^{2}}_{\leq N-1}$ . Using a symmetric argument, we can conclude that $(\mathsf{Id}-V^{L}\cdot V^{L,\dagger})\cdot V^{R,\dagger}$ is also a partial isometry.

Now, we just need to show that the sum of these two partial isometries is a partial isometry. It suffices to show that their domains are orthogonal and their images are orthogonal. To see that their domains are orthogonal, note that the domain of $V^{L}\cdot(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})$ is a subspace of $\mathsf{Id}-\Pi^{\mathcal{I}(V^{R})}$ , while the domain of $(\mathsf{Id}-V^{L}\cdot V^{L,\dagger})\cdot V^{R,\dagger}$ is a subspace of $\Pi^{\mathcal{I}(V^{R})}$ , and hence they are orthogonal. A symmetric argument shows their images are orthogonal. This completes the proof. ∎

$V$ being a partial isometry implies that any state generated by an adversary that queries $V$ and $V^{\dagger}$ will have a norm at most $1$ . This is an important property that will be central to our strong PRU proof. Recall that in the standard PRU proof of Part I, the path-recording oracle acts as an isometry on all states that can be generated by querying the path-recording oracle. This first property of $V$ being a partial isometry is a relaxation of the isometric property of the standard path-recording oracle. While $V$ is a partial isometry, we will later show that the state generated by an adversary that queries $V$ and $V^{\dagger}$ will have a norm close to one for subexponential number of queries.

8.3 Two-sided unitary invariance

The path-recording oracle $V$ satisfies an (approximate) two-sided unitary invariance property, which we state below.

Definition 27.

For any $n$ -qubit unitary $C,D$ , define

\displaystyle Q[C,D]

\displaystyle\coloneqq(C\otimes D^{T})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes(\overline{C}\otimes D^{\dagger})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(8.7)

Claim 16 (two-sided unitary invariance).

For any integer $0\leq t\leq N-1$ and any pair of $n$ -qubit unitaries $C,D$ ,

	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V_{\leq t}}_{\mathrm{op}}$	$\displaystyle\leq 16\sqrt{\frac{2t(t+1)}{N}},$		(8.8)
	$\displaystyle\norm{C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\cdot(V^{\dagger})_{\leq t}\cdot D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(V^{\dagger})_{\leq t}}_{\mathrm{op}}$	$\displaystyle\leq 16\sqrt{\frac{2t(t+1)}{N}},$		(8.9)

Claim 16 is proven in Section 10. The two-sided unitary invariance of $V$ allows us to move the random unitaries $C$ and $D$ acting on system register $\mathsf{A}$ to the purifying registers $\mathsf{L},\mathsf{R}$ .

8.4 $W$ is a restriction of $V$

We now show that $W$ is a restriction of $V$ . First, we need the following basic facts relating $W^{L},W^{R},V^{L}$ , and $V^{R}$ that follow immediately from the definitions of these operators.

Fact 9.

We have

•

$W^{L}$ is a restriction of $V^{L}$ and $W^{R}$ is a restriction of $V^{R}$ :

	$\displaystyle W^{L}$	$\displaystyle=V^{L}\cdot\Pi^{\mathcal{D}(W^{L})}=\Pi^{\mathcal{I}(W^{L})}\cdot V^{L}$		(8.10)
	$\displaystyle W^{R}$	$\displaystyle=V^{R}\cdot\Pi^{\mathcal{D}(W^{R})}=\Pi^{\mathcal{I}(W^{R})}\cdot V^{R}$		(8.11)

•

The image of $V^{R}$ is in the kernel of $W^{L}$ , and the image of $V^{L}$ is in the kernel of $W^{R}$ , i.e.,

$\displaystyle W^{L}\cdot V^{R}=W^{R}\cdot V^{L}$ $\displaystyle=0,$ (8.12)

Lemma 8.1.

If $\Pi_{1}$ and $\Pi_{2}$ are projectors, and $\Pi_{1}=\Pi_{1}\Pi_{2}\Pi_{1}$ then $\Pi_{1}$ is a subspace of $\Pi_{2}$ .

Proof.

Consider any normalized state $\ket*{\psi}\in\Pi_{1}$ , i.e., $\Pi_{1}\ket*{\psi}=\ket*{\psi}$ . We have the following identity,

1=\bra*{\psi}\Pi_{1}\ket*{\psi}=\bra*{\psi}\Pi_{1}\Pi_{2}\Pi_{1}\ket*{\psi}=\bra*{\psi}\Pi_{2}\ket*{\psi}.

(8.13)

Because $\Pi_{2}$ is a projector and $\bra*{\psi}\Pi_{2}\ket*{\psi}=1$ , we have $\ket*{\psi}\in\Pi_{2}$ . ∎

Lemma 8.2.

Consider any partial isometries $V_{1},V_{2}$ . If $V_{2}=V_{1}\cdot\Pi^{\mathcal{D}(V_{2})}$ , then $\mathcal{D}(V_{2})$ is a subspace of $\mathcal{D}(V_{1})$ . And if $V_{2}=\Pi^{\mathcal{I}(V_{2})}\cdot V_{1}$ , then $\mathcal{I}(V_{2})$ is a subspace of $\mathcal{I}(V_{1})$ .

Proof.

From $V_{2}=V_{1}\cdot\Pi^{\mathcal{D}(V_{2})}$ , we have

\Pi^{\mathcal{D}(V_{2})}=V_{2}^{\dagger}\cdot V_{2}=\Pi^{\mathcal{D}(V_{2})}\cdot V_{1}^{\dagger}\cdot V_{1}\cdot\Pi^{\mathcal{D}(V_{2})}=\Pi^{\mathcal{D}(V_{2})}\cdot\Pi^{\mathcal{D}(V_{1})}\cdot\Pi^{\mathcal{D}(V_{2})}.

(8.14)

Hence from Lemma 8.1, we have $\mathcal{D}(V_{2})$ is a subspace of $\mathcal{D}(V_{1})$ .

From $V_{2}=\Pi^{\mathcal{I}(V_{2})}\cdot V_{1}$ , we have

\Pi^{\mathcal{I}(V_{2})}=V_{2}\cdot V_{2}^{\dagger}=\Pi^{\mathcal{I}(V_{2})}\cdot V_{1}\cdot V_{1}^{\dagger}\cdot\Pi^{\mathcal{I}(V_{2})}=\Pi^{\mathcal{I}(V_{2})}\cdot\Pi^{\mathcal{I}(V_{1})}\cdot\Pi^{\mathcal{I}(V_{2})}.

(8.15)

Hence from Lemma 8.1, we have $\mathcal{I}(V_{2})$ is a subspace of $\mathcal{I}(V_{1})$ . ∎

Corollary 8.1.

$\mathcal{I}(W^{L})$ is a subspace of $\mathcal{I}(V^{L})$ . And $\mathcal{I}(W^{R})$ is a subspace of $\mathcal{I}(V^{R})$ .

Proof.

This follows immediately from Eq. 8.10, Eq. 8.11, and Lemma 8.2. ∎

Claim 17 ( $W$ is a restriction of $V$ ).

We have

	$\displaystyle W$	$\displaystyle=V\cdot\Pi^{\mathcal{D}(W)},$		(8.16)
	$\displaystyle W^{\dagger}$	$\displaystyle=V^{\dagger}\cdot\Pi^{\mathcal{I}(W)}.$		(8.17)

In words, Claim 17 says that for any state in $\mathcal{D}(W)$ , the domain of $W$ , the action of $W$ is the same as $V$ . Additionally, it says that for any state in the image in $\mathcal{I}(W)$ , the image of $W$ , the action of $W^{\dagger}$ is the same as $V^{\dagger}$ .

Proof of Claim 17.

To prove Eq. 8.16, it suffices to show that

	$\displaystyle V\cdot\Pi^{\mathcal{D}(W^{L})}$	$\displaystyle=W^{L},$		(8.18)
	$\displaystyle V\cdot\Pi^{\mathcal{I}(W^{R})}$	$\displaystyle=W^{R,\dagger}.$		(8.19)

This is because summing these two equations gives

\displaystyle V\cdot(\Pi^{\mathcal{D}(W^{L})}+\Pi^{\mathcal{I}(W^{R})})=W^{L}+W^{R,\dagger},

(8.20)

and plugging in $\Pi^{\mathcal{D}(W)}=\Pi^{\mathcal{D}(W^{L})}+\Pi^{\mathcal{I}(W^{R})}$ from Eq. 7.7 and $W=W^{L}+W^{R,\dagger}$ yields Eq. 8.16. It remains to prove Eqs. 8.18 and 8.19.

•

Proof of Eq. 8.18. By the definition of $V$ , we have

\displaystyle V\cdot\Pi^{\mathcal{D}(W^{L})}=\Big{(}V^{L}\cdot(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})+(\mathsf{Id}-V^{L}\cdot V^{L,\dagger})\cdot V^{R,\dagger}\Big{)}\cdot\Pi^{\mathcal{D}(W^{L})}.

(8.21)

Note that $V^{R,\dagger}\cdot\Pi^{D({W^{L}})}=V^{R,\dagger}\cdot W^{L,\dagger}\cdot W^{L}=(W^{L}\cdot V^{R})^{\dagger}\cdot W^{L}=0$ , where the final equality uses Eq. 8.12. Thus,

\displaystyle V\cdot\Pi^{\mathcal{D}(W^{L})}=V^{L}\cdot\Pi^{\mathcal{D}(W^{L})}=W^{L},

(8.22)

where the second equality follows from Eq. 8.10.

•

Proof of Eq. 8.19. By the definition of $V$ ,

\displaystyle V\cdot\Pi^{\mathcal{I}(W^{R})}=\Big{(}V^{L}\cdot(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})+(\mathsf{Id}-V^{L}\cdot V^{L,\dagger})\cdot V^{R,\dagger}\Big{)}\cdot\Pi^{\mathcal{I}(W^{R})}.

(8.23)

Since $\mathcal{I}(W^{R})$ is a subspace of $\mathcal{I}(V^{R})$ by Corollary 8.1, we have $V^{L}\cdot(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})\cdot\Pi^{\mathcal{I}(W^{R})}=0$ . Next, we have $V^{R,\dagger}\cdot\Pi^{\mathcal{I}(W^{R})}=(\Pi^{\mathcal{I}(W^{R})}\cdot V^{R})^{\dagger}=W^{R,\dagger}$ by Eq. 8.11. Thus, we have

$\displaystyle V\cdot\Pi^{\mathcal{I}(W^{R})}$	$\displaystyle=(\mathsf{Id}-V^{L}\cdot V^{L,\dagger})\cdot W^{R,\dagger}$	(8.24)
	$\displaystyle=W^{R,\dagger}-V^{L}\cdot V^{L,\dagger}\cdot W^{R,\dagger}$	(8.25)
	$\displaystyle=W^{R,\dagger},$	(8.26)

where the last equality uses the fact that $V^{L,\dagger}\cdot W^{R,\dagger}=(W^{R}\cdot V^{L})^{\dagger}=0$ from Eq. 8.12.

This completes the proof of Eq. 8.16. The proof of Eq. 8.17 follows by a symmetric argument. ∎

Corollary 8.2.

$\Pi^{\mathcal{D}(W)}$ is a subspace of $\Pi^{\mathcal{D}(V)}$ . And $\Pi^{\mathcal{I}(W)}$ is a subspace of $\Pi^{\mathcal{I}(V)}$ .

Proof.

This follows immediately from Claim 17 and Lemma 8.2. ∎

Corollary 8.3.

We have

	$\displaystyle W^{\dagger}\cdot V$	$\displaystyle=\Pi^{\mathcal{D}(W)}$		(8.27)
	$\displaystyle W\cdot V^{\dagger}$	$\displaystyle=\Pi^{\mathcal{I}(W)}.$		(8.28)

Proof.

From $W=V\cdot\Pi^{\mathcal{D}(W)}$ , we can multiply $V^{\dagger}$ on the left of both sides to obtain

V^{\dagger}\cdot W=V^{\dagger}\cdot V\cdot\Pi^{\mathcal{D}(W)}.

(8.29)

Using $V^{\dagger}\cdot V=\Pi^{\mathcal{D}(V)}$ , we have

V^{\dagger}\cdot W=\Pi^{\mathcal{D}(V)}\cdot\Pi^{\mathcal{D}(W)}=\Pi^{\mathcal{D}(W)},

(8.30)

since $\Pi^{\mathcal{D}(W)}$ is a subspace of $\Pi^{\mathcal{D}(V)}$ from Corollary 8.2. Taking dagger yields $W^{\dagger}\cdot V=\Pi^{\mathcal{D}(W)}$ .

From $W^{\dagger}=V^{\dagger}\cdot\Pi^{\mathcal{I}(W)}$ , we can multiply $V$ on the left of both sides to obtain

V\cdot W^{\dagger}=V\cdot V^{\dagger}\cdot\Pi^{\mathcal{I}(W)}.

(8.31)

Using $V\cdot V^{\dagger}=\Pi^{\mathcal{I}(V)}$ , we have

V\cdot W^{\dagger}=\Pi^{\mathcal{I}(V)}\cdot\Pi^{\mathcal{I}(W)}=\Pi^{\mathcal{I}(W)},

(8.32)

since $\Pi^{\mathcal{I}(W)}$ is a subspace of $\Pi^{\mathcal{I}(V)}$ from Corollary 8.2. Taking dagger yields $W\cdot V^{\dagger}=\Pi^{\mathcal{I}(W)}$ . ∎

9 The strong PRU proof

9.1 Setup

We define a distribution over $n$ -qubit unitaries parameterized by any $n$ -qubit unitary $2$ -design $\mathfrak{D}$ .

Definition 28 ( $\mathsf{sPRU}(\mathfrak{D})$ distribution).

For any distribution $\mathfrak{D}$ supported on $\mathcal{U}(N)$ , define the distribution $\mathsf{sPRU}({\mathfrak{D}})$ as follows:

Sample a uniformly random permutation $\pi\leftarrow\mathsf{Sym}_{N}$ , a uniformly random $f\leftarrow\{0,1,2\}^{N}$ , and two independently sampled $n$ -qubit unitaries $C,D\leftarrow\mathfrak{D}$ . Following the definitions in Section 6,

\displaystyle F_{f}\coloneqq\sum_{x\in[N]}e^{2\pi\cdot f(x)\cdot i/3}\outerproduct*{x}{x}\quad\text{and}\quad P_{\pi}\coloneqq\sum_{x\in[N]}\outerproduct*{\pi(x)}{x}.

(9.1)

2.

Output the $n$ -qubit unitary $\mathcal{O}\coloneqq D\cdot P_{\pi}\cdot F_{f}\cdot C$ .

The goal of this section is to prove the following theorem.

Theorem 6 ( $\mathsf{sPRU}(\mathfrak{D})$ is a statistical strong PRU).

Let $\mathcal{A}$ be a $t$ -query oracle adversary that can perform forward and inverse queries and let $\mathfrak{D}$ be an exact unitary $2$ -design. Then

\displaystyle\mathsf{TD}\left(\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mathsf{sPRU}(\mathfrak{D})}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}},\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mu_{\mathsf{Haar}}}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\right)\leq\frac{18t(t+1)}{N^{1/8}}

(9.2)

Since quantum-secure pseudorandom permutations and pseudorandom functions exist assuming one-way functions by [zhandry2016note, zhandry2021construct], the existence of computationally-secure strong PRUs follows immediately from Theorem 6.

Theorem 7.

If quantum-secure one-way functions exist, then strong pseudorandom unitaries exist.

The main technical component of the proof of Theorem 6 is Lemma 9.1, which relates the PRU adversary to an adversary that queries the path-recording oracle $V$ , defined previously in Section 8. Recall that $V$ is a partial isometry that acts on registers $(\mathsf{A},\mathsf{L},\mathsf{R})$ , where $\mathsf{L}$ and $\mathsf{R}$ are variable-length registers. Initially, $\mathsf{L}$ and $\mathsf{R}$ are both initialized to the length- $0$ state $\ket*{\varnothing}$ . To state Lemma 9.1, we will need the following definition.

Definition 29 (the global state after queries to $V$ ).

For a $t$ -query oracle adversary $\mathcal{A}$ that can perform forward and inverse queries and any $0\leq i\leq t$ , let

\displaystyle\ket*{\mathcal{A}_{i}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\coloneqq\prod_{i=1}^{t}\Bigg{(}\Big{(}(1-b_{i})\cdot V_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}+b_{i}\cdot V_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Big{)}\cdot A_{i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\Bigg{)}\ket*{0^{n+m}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\otimes\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}

(9.3)

denote the global state on registers $\mathsf{A},\mathsf{B},\mathsf{L},\mathsf{R}$ after $\mathcal{A}$ makes $i$ queries to $V$ .

Lemma 9.1 ( $\mathsf{sPRU}(\mathfrak{D})$ is indistinguishable from $V$ ).

Let $\mathfrak{D}$ be any exact unitary $2$ -design. For any $t$ -query oracle adversary $\mathcal{A}$ ,

\displaystyle\mathsf{TD}\left(\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mathsf{sPRU}(\mathfrak{D})}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}},\,\,\,\Tr_{\mathsf{L}\mathsf{R}}\left(\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)\right)\leq\frac{9t(t+1)}{N^{1/8}}

(9.4)

Lemma 9.1 implies Theorem 6.

Lemma 9.1 implies Theorem 6 by the following argument. We can instantiate $\mathfrak{D}=\mu_{\mathsf{Haar}}$ , i.e., $\mathfrak{D}$ outputs a Haar-random $n$ -qubit unitary. Then the output of $\mathsf{sPRU}(\mathfrak{D})=\mathsf{sPRU}(\mu_{\mathsf{Haar}})$ is $D\cdot P_{\pi}\cdot F_{f}\cdot C$ for random $\pi,f$ and Haar-random $D$ and $C$ . By invariance of the Haar measure, this is exactly the same as outputting a Haar-random unitary. Thus, we have the following corollary of Lemma 9.1.

Theorem 8 ( $V$ is indistinguishable from a Haar-random unitary).

Let $\mathcal{A}$ be a $t$ -query oracle adversary that can perform forward and inverse queries. Then

\displaystyle\mathsf{TD}\left(\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mu_{\mathsf{Haar}}}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}},\,\,\,\Tr_{\mathsf{L}\mathsf{R}}\left(\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)\right)\leq\frac{9t(t+1)}{N^{1/8}}.

(9.5)

Theorem 6 follows from combining Lemmas 9.1 and 8 using the triangle inequality. The remainder of this section is devoted to proving Lemma 9.1.

9.2 $V$ is indistinguishable from twirled $W$

Our first step towards proving Lemma 9.1 is to prove that an oracle adversary $\mathcal{A}$ that makes both forward and inverse queries cannot distinguish whether its query is implemented by the path-recording oracle $V$ (Definition 26), or as $D\cdot W\cdot C$ where $C,D\leftarrow\mathfrak{D}$ are sampled from a $2$ -design, and $W$ is the partial path-recording oracle (Definition 24).

We will require the following definitions. Let $\mathsf{C}$ and $\mathsf{D}$ be a pair of registers that each contain the description of an $n$ -qubit unitary. These registers will be part of the purification and will not be in the adversary’s view.

Definition 30.

For any distribution $\mathfrak{D}$ over $n$ -qubit unitaries, define the state

\displaystyle\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\coloneq\int_{C,D}\sqrt{d\mu_{\mathfrak{D}}(C)d\mu_{\mathfrak{D}}(D)}\ket*{C}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}}\otimes\ket*{D}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},

(9.6)

where $\mu_{\mathfrak{D}}(C)$ is the probability measure for which $C$ is sampled from $\mathfrak{D}$ .

Recall from Definition 27 that for any pair of $n$ -qubit unitaries $C,D$ , the operator $Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is defined as

\displaystyle Q[C,D]

\displaystyle\coloneqq(C\otimes D^{T})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes(\overline{C}\otimes D^{\dagger})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(9.7)

Definition 31 (Controlled $C,D$ and $Q$ ).

Define the following operators

	$\displaystyle\mathsf{cC}\coloneq\int_{C}C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\outerproduct{C}{C}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}},\quad\mathsf{cD}\coloneq\int_{D}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\outerproduct{D}{D}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},$		(9.8)
	$\displaystyle\mathsf{cQ}\coloneq\int_{C,D}Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25},}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\otimes\outerproduct{C}{C}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}}\otimes\outerproduct{D}{D}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}.$		(9.9)

We now state a key lemma that we will need for our proof.

Lemma 9.2 (Twirling).

For any unitary $2$ -design $\mathfrak{D}$ , and any integer $0\leq t\leq N-1$ , we have

	$\displaystyle\norm{\operatorname*{{\mathbb{E}}}_{C,D\leftarrow\mathfrak{D}}(C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-\Pi^{\mathcal{D}(W)}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Big{)}\cdot(C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})}_{\mathrm{op}}$	$\displaystyle\leq 6t\sqrt{\frac{t}{N}},$		(9.10)
	$\displaystyle\norm{\operatorname*{{\mathbb{E}}}_{C,D\leftarrow\mathfrak{D}}(D^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-\Pi^{\mathcal{I}(W)}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Big{)}\cdot(D^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})}_{\mathrm{op}}$	$\displaystyle\leq 6t\sqrt{\frac{t}{N}},$		(9.11)

Note that in the statement of Lemma 9.2, $\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is shorthand for $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ , and thus the operators inside the $\norm{\cdot}_{\mathrm{op}}$ act on $\mathsf{A},\mathsf{L},\mathsf{R}$ . We prove Lemma 9.2 in Section 11.

Next, we define the following adversary states.

Definition 32 (Twirled- $W$ purification).

Define the states $\ket*{\mathcal{A}_{i}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ as follows:

	$\displaystyle\ket*{\mathcal{A}_{0}^{W,\mathfrak{D}}}$	$\displaystyle\coloneqq\ket{0^{n}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{0^{m}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},$		(9.12)
	$\displaystyle\mathrm{For}\quad i=1,\dots,t:\quad\ket*{\mathcal{A}_{i}^{W,\mathfrak{D}}}$	$\displaystyle\coloneqq\Big{(}(1-b_{i})\cdot(\mathsf{cD}\cdot W\cdot\mathsf{cC})+b_{i}\cdot(\mathsf{cD}\cdot W\cdot\mathsf{cC})^{\dagger}\Big{)}\cdot A_{i}\cdot\ket*{\mathcal{A}^{W,\mathfrak{D}}_{i-1}}.$		(9.13)

For contrast, let us recall the definition of $\ket*{\mathcal{A}_{i}^{V}}$ .

Definition 33 ( $V$ purification).

Define the states $\ket*{\mathcal{A}_{i}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ for $0\leq i\leq t$ as follows:

	$\displaystyle\ket*{\mathcal{A}_{0}^{V}}$	$\displaystyle\coloneqq\ket{0^{n}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}},$		(9.14)
	$\displaystyle\mathrm{For}\quad i=1,\dots,t:\quad\ket*{\mathcal{A}_{i}^{V}}$	$\displaystyle\coloneqq\Big{(}(1-b_{i})\cdot V+b_{i}\cdot V^{\dagger}\Big{)}\cdot A_{i}\cdot\ket*{\mathcal{A}^{V}_{i-1}}.$		(9.15)

Note that because $b_{i}\in\{0,1\}$ , in the construction of these purified states, one either queries $V$ , $\mathsf{cD}\cdot W\cdot\mathsf{cC}$ for $b_{i}=0$ or $V^{\dagger}$ , $(\mathsf{cD}\cdot W\cdot\mathsf{cC})^{\dagger}$ for $b_{i}=1$ . Because $W$ and $V$ are partial isometries from Claim 11 and Claim 15, $W,W^{\dagger},V,V^{\dagger}$ are all equal to applying a projector followed by a unitary. Hence, $\ket*{\mathcal{A}_{t}^{V}}$ , $\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}}$ are both states with norm at most $1$ .

Fact 10 (Norm of the purified states).

For any $t\geq 0$ , $\ket*{\mathcal{A}_{t}^{V}}$ , $\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}}$ both have norm at most $1$ .

Furthermore, from Definition 26, $V$ and $V^{\dagger}$ take states in the subspace associated with the projector $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}^{2}}_{\leq i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to the the subspace associated with the projector $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}^{2}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ . Hence, after $t$ queries in total to $V$ and $V^{\dagger}$ , we have $\ket*{\mathcal{A}_{t}^{V}}$ is in the image of $\Pi^{\mathcal{R}^{2}}_{\leq t}$ . Similarly, from 7, $W$ and $W^{\dagger}$ map states in $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq i,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq i+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ . Hence, after $t$ queries to $W$ and $W^{\dagger}$ , we have $\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}}$ is in the image of $\Pi^{\mathsf{bij}}_{\leq t}$ . We collect these two basic properties in 11.

Fact 11 (Spaces that the purified states are in).

For any $t\geq 0$ , we have the following guarantees:

•

$\ket*{\mathcal{A}_{t}^{V}}$ is in the image of $\Pi^{\mathcal{R}^{2}}_{\leq t}$ .
•

$\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}}$ is in the image of $\Pi^{\mathsf{bij}}_{\leq t}$ .

The main technical claim of this subsection is the following.

Claim 18.

For any integer $t\geq 0$ ,

\displaystyle\real\left[\bra*{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket*{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\right]\geq 1-\frac{35t^{2}}{N^{1/4}}

(9.16)

Proof of Claim 18.

We prove this claim by induction. When $t=0$ , we have

$\displaystyle\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket{\mathcal{A}_{0}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}$	$\displaystyle=\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket{0^{n}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}$	(9.17)
	$\displaystyle=\ket{0^{n}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$	(9.18)
	$\displaystyle=\ket*{A_{0}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},$	(9.19)

where the first equality is by the definition of $\ket*{\mathcal{A}_{0}^{V}}$ (Definition 33), the second is because $\mathsf{cQ}$ acts as identity on $\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ , and the third equality is the definition of $\ket*{\mathcal{A}_{0}^{W,\mathfrak{D}}}$ (Definition 32). This implies that

\displaystyle\real\left[\bra*{\mathcal{A}_{0}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket*{\mathcal{A}_{0}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\right]=1,

(9.20)

so the base case holds.

For the inductive step, assume that

\displaystyle\real\left[\bra*{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket*{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\right]\geq 1-\frac{35t^{2}}{N^{1/4}}

(9.21)

for some integer $t\geq 0$ . We will prove that the claim holds for $t+1$ . To simplify notation, let us assume that the adversary makes a forward query at step $t+1$ , i.e., $b_{t+1}=0$ ; this is without loss of generality because the argument is symmetric if the adversary makes an inverse query at step $t+1$ . We have

	$\displaystyle\ket*{\mathcal{A}_{t+1}^{W,\mathfrak{D}}}$	$\displaystyle=\mathsf{cD}\cdot W\cdot\mathsf{cC}\cdot A_{t+1}\cdot\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}},$		(9.22)
	$\displaystyle\mathsf{cQ}\cdot\Big{(}\ket{\mathcal{A}_{t+1}^{V}}\ket{\mathsf{init}(\mathfrak{D})}\Big{)}$	$\displaystyle=\mathsf{cQ}\cdot V\cdot A_{t+1}\cdot\ket{\mathcal{A}_{t}^{V}}\ket{\mathsf{init}(\mathfrak{D})}$		(9.23)

and thus

	$\displaystyle\real\left[\bra{\mathcal{A}_{t+1}^{W,\mathfrak{D}}}\cdot\mathsf{cQ}\cdot\Big{(}\ket{\mathcal{A}_{t+1}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\Big{)}\right]$		(9.24)
	$\displaystyle=\real\left[\bra{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot W^{\dagger}\cdot\mathsf{cD}^{\dagger}\cdot\mathsf{cQ}\cdot V\cdot A_{t+1}\cdot\ket{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\right]$		(9.25)

By 11, the states $\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}}$ and $\ket*{\mathcal{A}_{t}^{V}}$ are both in the image of $\Pi_{\leq t}$ . Following 9, we write $W_{\leq t}=W\cdot\Pi_{\leq t}$ and $V_{\leq t}=V\cdot\Pi_{\leq t}$ . We can then rewrite (9.25) as

\displaystyle(\ref{eq:overlap-twirled-W-Q-plain-V-expand-1})

\displaystyle=\real\left[\bra*{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot W_{\leq t}^{\dagger}\cdot\mathsf{cD}^{\dagger}\cdot\mathsf{cQ}\cdot V_{\leq t}\cdot A_{t+1}\cdot\ket*{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\right]

(9.26)

Next, we will write $\mathsf{cQ}\cdot V_{\leq t}$ as

\displaystyle\mathsf{cQ}\cdot V_{\leq t}=\mathsf{cD}\cdot V_{\leq t}\cdot\mathsf{cC}\cdot\mathsf{cQ}.+\Big{(}\mathsf{cQ}\cdot V_{\leq t}-\mathsf{cD}\cdot V_{\leq t}\cdot\mathsf{cC}\cdot\mathsf{cQ}\Big{)}

(9.27)

This allows us to rewrite (9.26) as

	$\displaystyle\real\left[\bra{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot W_{\leq t}^{\dagger}\cdot V_{\leq t}\cdot\mathsf{cC}\cdot\mathsf{cQ}\cdot A_{t+1}\cdot\ket{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\right]$
	$\displaystyle\quad+\real\left[\bra{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot W_{\leq t}^{\dagger}\cdot\mathsf{cD}^{\dagger}\cdot\Big{(}\mathsf{cQ}\cdot V_{\leq t}-\mathsf{cD}\cdot V_{\leq t}\cdot\mathsf{cC}\cdot\mathsf{cQ}\Big{)}\cdot A_{t+1}\cdot\ket{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\right].$		(9.28)

We can lower bound the second term in the sum as follows. We know that $A_{t+1}\cdot\ket*{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}$ and $\bra*{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot W_{\leq t}^{\dagger}\cdot\mathsf{cD}^{\dagger}$ have at most unit norm by 10 and the fact that $A_{t+1},\mathsf{cC},\mathsf{cD},W_{\leq t}^{\dagger}$ all have operator norm at most $1$ (since $W_{\leq t}^{\dagger}=(W\cdot\Pi_{\leq t})^{\dagger}$ and $W$ is a partial isometry by Claim 11). Then by Claim 16, the second term can be lower bounded by

	$\displaystyle-\norm{\Big{(}\mathsf{cD}\cdot V_{\leq t}\cdot\mathsf{cC}\cdot\mathsf{cQ}-\mathsf{cQ}\cdot V_{\leq t}\Big{)}}_{\mathrm{op}}$		(9.29)
	$\displaystyle-\norm{\sum_{C,D}\Big{(}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V_{\leq t}\Big{)}\otimes\outerproduct*{C,D}{C,D}}_{\mathrm{op}}$		(9.30)
	$\displaystyle-\max_{C,D}\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V_{\leq t}}_{\mathrm{op}}$		(9.31)
	$\displaystyle\geq-16\sqrt{\frac{2t(t+1)}{N}}.$		(by Claim 16)

Combining this bound with the sequence of equalities $(\ref{eq:overlap-twirled-W-Q-plain-V-expand-0})=(\ref{eq:overlap-twirled-W-Q-plain-V-expand-1})=(\ref{eq:overlap-twirled-W-Q-plain-V-expand-2})=(\ref{eq:overlap-twirled-W-Q-plain-V-expand-3})$ , we get

	$\displaystyle\real\left[\bra{\mathcal{A}_{t+1}^{W,\mathfrak{D}}}\cdot\mathsf{cQ}\cdot\Big{(}\ket{\mathcal{A}_{t+1}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\Big{)}\right]$		(9.32)
	$\displaystyle\geq\underbrace{\real\left[\bra{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot W_{\leq t}^{\dagger}\cdot V_{\leq t}\cdot\mathsf{cC}\cdot\mathsf{cQ}\cdot A_{t+1}\cdot\ket{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\right]}_{\coloneqq\gamma_{t}}-16\sqrt{\frac{2t(t+1)}{N}}.$		(9.33)

Next we can use properties of the $W$ and $V$ operators to rewrite

$\displaystyle W_{\leq t}^{\dagger}\cdot V_{\leq t}$	$\displaystyle=\Big{(}W\cdot\Pi_{\leq t}\Big{)}^{\dagger}\cdot V\cdot\Pi_{\leq t}$	(9.34)
	$\displaystyle=\Pi_{\leq t}\cdot W^{\dagger}\cdot V\cdot\Pi_{\leq t}$	(9.35)
	$\displaystyle=\Pi_{\leq t}\cdot\Pi^{\mathcal{D}(W)}\cdot\Pi_{\leq t}$	(by Corollary 8.3)
	$\displaystyle=\Pi_{\leq t}\cdot\Big{(}\Pi^{\mathsf{bij}}-(\Pi^{\mathsf{bij}}-\Pi^{\mathcal{D}(W)})\Big{)}\cdot\Pi_{\leq t}$	(9.36)
	$\displaystyle=\Pi^{\mathsf{bij}}_{\leq t}-\Big{(}\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}\Big{)}$	(Definition 23 and Claim 12)

Plugging this into $\gamma_{t}$ , we get

	$\displaystyle\gamma_{t}$	$\displaystyle=\underbrace{\real\left[\bra{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot\Pi^{\mathsf{bij}}_{\leq t}\cdot\mathsf{cC}\cdot\mathsf{cQ}\cdot A_{t+1}\cdot\ket{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\right]}_{\coloneqq\alpha_{t}}$		(9.37)
		$\displaystyle\quad-\underbrace{\real\left[\bra{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}\Big{)}\cdot\mathsf{cC}\cdot\mathsf{cQ}\cdot A_{t+1}\cdot\ket{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\right]}_{\coloneqq\beta_{t}}$		(9.38)

Bounding $\alpha_{t}$ .

Observe that

	$\displaystyle\bra*{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot\Pi^{\mathsf{bij}}_{\leq t}$		(9.39)
	$\displaystyle=\bra*{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot\Pi^{\mathsf{bij}}_{\leq t}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}$		( $\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ commutes with $(A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger})_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$ )
	$\displaystyle=\bra*{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}.$		(by 11)

Thus,

\displaystyle\alpha_{t}=\real\left[\bra*{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot\mathsf{cQ}\cdot\ket*{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\right]\geq 1-\frac{35t^{2}}{N^{1/4}},

(9.40)

by the inductive hypothesis.

Bounding $\beta_{t}$ .

We will lower bound $-\beta_{t}$ by upper bounding $\beta_{t}$ :

$\displaystyle\beta_{t}$	$\displaystyle\leq\absolutevalue{\bra{\mathcal{A}_{t}^{W,\mathfrak{D}}}\cdot A_{t+1}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}\Big{)}\cdot\mathsf{cC}\cdot\mathsf{cQ}\cdot A_{t+1}\cdot\ket{\mathcal{A}_{t}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}}$	(9.41)
	$\displaystyle\leq\max_{\begin{subarray}{c}\ket{u}\in\mathcal{H}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}:\norm{\ket{u}}_{2}\leq 1\\ \ket{v}\in\mathcal{H}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}:\norm{\ket{v}}_{2}\leq 1\end{subarray}}\absolutevalue{\bra{u}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}\Big{)}\cdot\mathsf{cC}\cdot\mathsf{cQ}\cdot\ket{v}\ket*{\mathsf{init}(\mathfrak{D})}},$	(9.42)
	$\displaystyle=\Bigg{(}\max_{\begin{subarray}{c}\ket{v}\in\mathcal{H}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}:\\ \norm{\ket{v}}_{2}\leq 1\end{subarray}}\bra{v}\bra{\mathsf{init}(\mathfrak{D})}\cdot\mathsf{cQ}^{\dagger}\cdot\mathsf{cC}^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}\Big{)}\cdot\mathsf{cC}\cdot\mathsf{cQ}\cdot\ket{v}\ket{\mathsf{init}(\mathfrak{D})}\Bigg{)}^{1/2}$	(9.43)
	$\displaystyle=\norm{\operatorname*{{\mathbb{E}}}_{C,D\leftarrow\mathfrak{D}}(C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}\Big{)}\cdot(C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})}_{\mathrm{op}}^{1/2}$	(9.44)
	$\displaystyle\leq\Big{(}6t\sqrt{\frac{t}{N}}\Big{)}^{1/2}\leq\frac{3t^{3/4}}{N^{1/4}}$	(9.45)

where:

•

the first inequality uses the fact that $\real(z)\leq\absolutevalue{z}$ ,
•

the second inequality holds because $\mathsf{cC}\cdot A_{t+1}\cdot\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}}\in\mathcal{H}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ and $A_{t+1}\cdot\ket*{\mathcal{A}_{t}^{V}}\in\mathcal{H}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ both have at most unit norm,

•

the third line uses the fact that

\displaystyle\max_{\begin{subarray}{c}\ket*{u}:\norm{\ket*{u}}_{2}\leq 1,\\ \ket*{v}:\norm{\ket*{v}}_{2}\leq 1\end{subarray}}\absolutevalue{\bra*{u}\cdot M\cdot\ket*{v}}=\Big{(}\max_{\ket*{v}:\norm{\ket*{v}}_{2}\leq 1}\bra*{v}\cdot M^{\dagger}\cdot M\cdot\ket*{v}\Big{)}^{1/2},

(9.46)

and the fact that $\Big{(}\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}\Big{)}^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}\Big{)}=\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}$ , since $\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}$ is a projector.⁷⁷7By 7, $\Pi^{\mathsf{bij}}-\Pi^{\mathcal{D}(W)}$ is a projector. By Claim 12, $\Pi^{\mathcal{D}(W)}$ commutes with $\Pi_{\leq t}$ and by Claim 12, $\Pi^{\mathsf{bij}}$ commutes with $\Pi_{\leq t}$ by Definition 23. Recall the fact that if $\Pi_{1}$ and $\Pi_{2}$ are projectors such that $[\Pi_{1},\Pi_{2}]=0$ , then $\Pi_{1}\cdot\Pi_{2}$ is a projector. Thus, since $\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}=(\Pi^{\mathsf{bij}}-\Pi^{\mathcal{D}(W)})\cdot\Pi_{\leq t}$ , we have that $\Pi^{\mathsf{bij}}_{\leq t}-\Pi^{\mathcal{D}(W)}_{\leq t}$ is a projector.

•

the fourth line follows from the definitions of $\ket*{\mathsf{init}(\mathfrak{D})},\mathsf{cC},\mathsf{cQ}$ (Definitions 30 and 31),
•

and the last line follows from Lemma 9.2.

Note that in the fourth line, we can drop the $\mathsf{B}$ register since the operator inside the $\norm{\cdot}_{\mathrm{op}}$ acts as identity on $\mathsf{B}$ . Putting everything together, we have

$\displaystyle\real\left[\bra{\mathcal{A}_{t+1}^{W,\mathfrak{D}}}\cdot\mathsf{cQ}\cdot\Big{(}\ket{\mathcal{A}_{t+1}^{V}}\ket*{\mathsf{init}(\mathfrak{D})}\Big{)}\right]$	$\displaystyle\geq\alpha_{t}-\beta_{t}-16\sqrt{\frac{2t(t+1)}{N}}$	(9.47)
	$\displaystyle\geq 1-\frac{35t^{2}}{N^{1/4}}-\frac{3t^{3/4}}{N^{1/4}}-16\sqrt{\frac{2t(t+1)}{N}}$	(9.48)
	$\displaystyle\geq 1-\frac{1}{N^{1/4}}\cdot\Big{(}35t^{2}+3t^{3/4}+16\cdot\frac{2t}{N^{1/4}}\Big{)}$	(9.49)
	$\displaystyle\geq 1-\frac{1}{N^{1/4}}\cdot\Big{(}35t^{2}+35t\Big{)}$	(9.50)
	$\displaystyle\geq 1-\frac{35(t+1)^{2}}{N^{1/4}},$	(9.51)

which establishes the claim for $t+1$ . This concludes the proof. ∎

Lemma 9.3.

For any $0\leq t<N$ and any unitary $2$ -design $\mathfrak{D}$ , we have

\displaystyle\mathsf{TD}(\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct*{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})\leq\frac{9t}{N^{1/8}}.

(9.52)

Proof.

Using the fact that $\ket*{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ and $\ket*{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ are subnormalized states from 10 and that $\mathsf{TD}(\outerproduct*{u}{u},\outerproduct*{v}{v})\leq\norm{\ket*{u}-\ket*{v}}_{2}$ for subnormalized states $\ket*{u},\ket*{v}$ , we have

	$\displaystyle\mathsf{TD}\left(\outerproduct{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\outerproduct{\mathcal{A}_{t}^{V}}{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\otimes\outerproduct*{\mathsf{init}(\mathfrak{D})}{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}^{\dagger}\right)^{2}$		(9.53)
	$\displaystyle\leq\norm{\ket{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\otimes\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}}_{2}^{2}$		(9.54)
	$\displaystyle=\innerproduct{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}+\innerproduct{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}-2\real\left[\bra{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\otimes\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\right]$		(9.55)
	$\displaystyle\leq 2-2\cdot(1-\frac{35t^{2}}{N^{1/4}})=\frac{70t^{2}}{N^{1/4}}.$		(Using Claim 18)

Therefore, using the fact that $\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ acts only on $\mathsf{L},\mathsf{R},\mathsf{C},\mathsf{D}$ and $\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ is a unitary, we obtain

	$\displaystyle\mathsf{TD}(\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})$		(9.56)
	$\displaystyle=\mathsf{TD}\Big{(}\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct*{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},$
	$\displaystyle\quad\quad\quad\quad\quad\Tr_{-\mathsf{A}\mathsf{B}}\left[\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\outerproduct{\mathcal{A}_{t}^{V}}{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\otimes\outerproduct{\mathsf{init}(\mathfrak{D})}{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}^{\dagger}\right]\Big{)}$		(9.57)
	$\displaystyle\leq\mathsf{TD}\left(\outerproduct{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\outerproduct{\mathcal{A}_{t}^{V}}{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\otimes\outerproduct*{\mathsf{init}(\mathfrak{D})}{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}^{\dagger}\right)$		(9.58)
	$\displaystyle\leq\sqrt{\frac{70t^{2}}{N^{1/4}}}\leq\frac{9t}{N^{1/8}}.$		(9.59)

This completes the proof. ∎

9.3 Twirled $W$ and twirled $\mathsf{pfO}$ are indistinguishable

Let $\ket*{+_{N!}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}$ and $\ket*{+_{3^{N}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$ denote the uniform superposition over all permutations and functions, respectively. We define the follow state obtained by querying twirled $\mathsf{pfO}$ .

Definition 34 (Twirled $\mathsf{pfO}$ purification).

Let

\displaystyle\ket*{\mathcal{A}_{0}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\coloneqq\ket*{0^{n}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{0^{m}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}\ket*{+_{N!}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{+_{3^{N}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},

(9.60)

For $1\leq i\leq t$ , define

\displaystyle\ket*{\mathcal{A}_{i}^{\mathsf{pfO},\mathfrak{D}}}\coloneqq\Big{(}(1-b_{i})\cdot(\mathsf{cD}\cdot\mathsf{pfO}\cdot\mathsf{cC})+b_{i}\cdot(\mathsf{cD}\cdot\mathsf{pfO}\cdot\mathsf{cC})^{\dagger}\Big{)}\cdot A_{i}\cdot\ket*{\mathcal{A}^{\mathsf{pfO},\mathfrak{D}}_{i-1}}.

(9.61)

To connect twirled $W$ and twirled $\mathsf{pfO}$ , we need to define the following projections.

Definition 35.

Define the projectors

	$\displaystyle\widetilde{\Pi}^{\mathcal{D}(W)}$	$\displaystyle\coloneqq\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{D}(W)}\cdot\mathsf{Comp},$		(9.62)
	$\displaystyle\widetilde{\Pi}^{\mathcal{I}(W)}$	$\displaystyle\coloneqq\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{I}(W)}\cdot\mathsf{Comp}.$		(9.63)

We define the following state obtained by querying twirled $\mathsf{pfO}$ , but depending on whether forward or inverse query (determined by $b_{i}$ ) is made, we will add a projector.

Definition 36 (Twirled projected $\mathsf{pfO}$ purification).

Let $\ket*{\mathcal{A}_{0}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}\coloneqq\ket*{\mathcal{A}_{0}^{\mathsf{pfO},\mathfrak{D}}}$ . For $1\leq i\leq t$ , define

\displaystyle\ket*{\mathcal{A}_{i}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}\coloneqq\Big{(}(1-b_{i})\cdot(\mathsf{cD}\cdot\mathsf{pfO}\cdot\widetilde{\Pi}^{\mathcal{D}(W)}\cdot\mathsf{cC})+b_{i}\cdot(\mathsf{cC}^{\dagger}\cdot\mathsf{pfO}^{\dagger}\cdot\widetilde{\Pi}^{\mathcal{I}(W)}\cdot\mathsf{cD}^{\dagger})\Big{)}\cdot A_{i}\cdot\ket*{\mathcal{A}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}_{i-1}}.

(9.64)

Claim 19.

For all integers $0\leq t\leq N$ ,

\displaystyle\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}=\mathsf{Comp}\cdot\ket*{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}.

(9.65)

Proof.

We prove this using induction. The base case $t=0$ follows from the fact that

\mathsf{Comp}\cdot\ket*{+_{N!}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{+_{3^{N}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}=\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{\varnothing}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(9.66)

If $\ket*{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}=\mathsf{Comp}\cdot\ket*{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ for $t>0$ , then we have

	$\displaystyle\ket*{\mathcal{A}_{t+1}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$		(9.67)
	$\displaystyle=\Big{(}(1-b_{i})\cdot(\mathsf{cD}\cdot W\cdot\mathsf{cC})+b_{i}\cdot(\mathsf{cD}\cdot W\cdot\mathsf{cC})^{\dagger}\Big{)}\cdot A_{i}\cdot\ket*{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$		(9.68)
	$\displaystyle=\Big{(}(1-b_{i})\cdot(\mathsf{cD}\cdot\mathsf{Comp}\cdot\mathsf{pfO}\cdot\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{D}(W)}\cdot\mathsf{cC})$
	$\displaystyle\,\,\,+b_{i}\cdot(\mathsf{cC}^{\dagger}\cdot\mathsf{Comp}\cdot\mathsf{pfO}^{\dagger}\cdot\mathsf{Comp}^{\dagger}\cdot\Pi^{\mathcal{I}(W)}\cdot\mathsf{cD}^{\dagger})\Big{)}\cdot A_{i}\cdot\ket*{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$		(Using Claim 13)
	$\displaystyle=\mathsf{Comp}\cdot\Big{(}(1-b_{i})\cdot(\mathsf{cD}\cdot\mathsf{pfO}\cdot\widetilde{\Pi}^{\mathcal{D}(W)}\cdot\mathsf{cC})$
	$\displaystyle\quad\,\,\,+b_{i}\cdot\mathsf{cC}^{\dagger}\cdot\mathsf{pfO}^{\dagger}\cdot\widetilde{\Pi}^{\mathcal{I}(W)}\cdot\mathsf{cD}^{\dagger}\Big{)}\cdot A_{i}\cdot\mathsf{Comp}^{\dagger}\cdot\ket*{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$		(9.69)
	$\displaystyle=\mathsf{Comp}\cdot\Big{(}(1-b_{i})\cdot(\mathsf{cD}\cdot\mathsf{pfO}\cdot\widetilde{\Pi}^{\mathcal{D}(W)}\cdot\mathsf{cC})$
	$\displaystyle\quad\,\,\,+b_{i}\cdot\mathsf{cC}^{\dagger}\cdot\mathsf{pfO}^{\dagger}\cdot\widetilde{\Pi}^{\mathcal{I}(W)}\cdot\mathsf{cD}^{\dagger}\Big{)}\cdot A_{i}\cdot\ket*{\mathcal{A}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$		(inductive hypothesis)
	$\displaystyle=\mathsf{Comp}\cdot\ket*{\mathcal{A}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}_{t+1}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}.$		(9.70)

This concludes the proof. ∎

Lemma 9.4 (Norm bound).

For any $0\leq t<N$ and any unitary $2$ -design $\mathfrak{D}$ , we have

\displaystyle 1\geq\innerproduct*{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\geq 1-\frac{70t^{2}}{N^{1/4}}.

(9.71)

Proof.

We can utilize the following bounds,

	$\displaystyle\innerproduct*{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$		(9.72)
	$\displaystyle\geq\innerproduct{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\innerproduct{\mathcal{A}_{t}^{V}}{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		( $\innerproduct*{\mathcal{A}_{t}^{V}}{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\leq 1$ from 10)
	$\displaystyle=\innerproduct{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\bra{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\bra{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\cdot\mathsf{cQ}^{\dagger}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}$		(9.73)
	$\displaystyle\geq\left\|\bra{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\right\|^{2}$		(Cauchy-Schwarz inequality)
	$\displaystyle\geq\real\left[\bra{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\mathsf{cQ}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\cdot\Big{(}\ket{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\mathsf{init}(\mathfrak{D})}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\Big{)}\right]^{2}$		(9.74)
	$\displaystyle\geq(1-\frac{35t^{2}}{N^{1/4}})^{2}\geq 1-\frac{70t^{2}}{N^{1/4}},$		(Using Claim 18)

which completes the proof. ∎

Lemma 9.5.

For all integers $0\leq t\leq N$ ,

\mathsf{TD}\left(\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct*{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct*{\mathcal{A}_{t}^{W,\mathfrak{D}}}{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\right)\leq\frac{9t^{2}}{N^{1/8}}.

(9.75)

Proof.

Because $\mathsf{Comp}$ acts on registers $\mathsf{P},\mathsf{F}$ and maps to $\mathsf{L},\mathsf{R}$ , we have

\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct*{\mathcal{A}_{t}^{W,\mathfrak{D}}}{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}=\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct*{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}.

(9.76)

Because $\mathsf{pfO}$ is an isometry, $\ket*{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}$ has norm $1$ . Furthermore, from Claim 19, because $\mathsf{Comp}$ is an isometry, we have

\innerproduct*{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}=\innerproduct{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\leq 1.

(9.77)

Together, we can obtain the following,

	$\displaystyle\mathsf{TD}\left(\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct{\mathcal{A}_{t}^{W,\mathfrak{D}}}{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\right)$		(9.78)
	$\displaystyle=\mathsf{TD}\left(\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{-\mathsf{A}\mathsf{B}}\outerproduct{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\right)$		(9.79)
	$\displaystyle\leq\mathsf{TD}\left(\outerproduct{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\outerproduct{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\right)$		(9.80)
	$\displaystyle\leq\norm{\ket{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}-\ket{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}}_{2}$		( $\frac{1}{2}\norm{uu^{\dagger}-vv^{\dagger}}_{\mathrm{tr}}\leq\norm{u-v}_{2}$ if $\norm{u}_{2},\norm{v}_{2}\leq 1$ )
	$\displaystyle\leq t\cdot\sqrt{1-\innerproduct{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}{\mathcal{A}_{t}^{\widetilde{\mathsf{pfO}},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}}$		(Lemma 2.3 on sequential gentle measurement)
	$\displaystyle=t\cdot\sqrt{1-\innerproduct{\mathcal{A}_{t}^{W,\mathfrak{D}}}{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}}$		(Claim 19)
	$\displaystyle\leq t\cdot\sqrt{\frac{70t^{2}}{N^{1/4}}}\leq\frac{9t^{2}}{N^{1/8}}.$		(Lemma 9.4)

This concludes the proof. ∎

9.4 Proof of Lemma 9.1

From Claim 6, we have

\Tr_{\mathsf{P}\mathsf{F}\mathsf{C}\mathsf{D}}\outerproduct*{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}=\operatorname*{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mathsf{sPRU}(\mathfrak{D})}\outerproduct*{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}}.

(9.81)

From Lemma 9.3, we have

\displaystyle\mathsf{TD}\left(\Tr_{\mathsf{L}\mathsf{R}\mathsf{C}\mathsf{D}}\outerproduct*{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{\mathsf{L}\mathsf{R}}\outerproduct*{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)\leq\frac{9t}{N^{1/8}}.

(9.82)

From Lemma 9.5, we have

\mathsf{TD}\left(\Tr_{\mathsf{P}\mathsf{F}\mathsf{C}\mathsf{D}}\outerproduct*{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{\mathsf{L}\mathsf{R}\mathsf{C}\mathsf{D}}\outerproduct*{\mathcal{A}_{t}^{W,\mathfrak{D}}}{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\right)\leq\frac{9t^{2}}{N^{1/8}}.

(9.83)

By triangle inequality, we have

	$\displaystyle\mathsf{TD}\left(\operatorname{{\mathbb{E}}}_{\mathcal{O}\leftarrow\mathsf{sPRU}(\mathfrak{D})}\outerproduct{\mathcal{A}_{t}^{\mathcal{O}}}{\mathcal{A}_{t}^{\mathcal{O}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}},\Tr_{\mathsf{L}\mathsf{R}}\outerproduct*{\mathcal{A}_{t}^{V}}{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)$		(9.84)
	$\displaystyle=\mathsf{TD}\left(\Tr_{\mathsf{P}\mathsf{F}\mathsf{C}\mathsf{D}}\outerproduct{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{\mathsf{L}\mathsf{R}}\outerproduct{\mathcal{A}_{t}^{V}}{\mathcal{A}_{t}^{V}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)$		(9.85)
	$\displaystyle\leq\mathsf{TD}\left(\Tr_{\mathsf{P}\mathsf{F}\mathsf{C}\mathsf{D}}\outerproduct{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}{\mathcal{A}_{t}^{\mathsf{pfO},\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{\mathsf{L}\mathsf{R}\mathsf{C}\mathsf{D}}\outerproduct{\mathcal{A}_{t}^{W,\mathfrak{D}}}{\mathcal{A}_{t}^{W,\mathfrak{D}}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}}\right)$
	$\displaystyle+\mathsf{TD}\left(\Tr_{\mathsf{L}\mathsf{R}\mathsf{C}\mathsf{D}}\outerproduct{\mathcal{A}^{W,\mathfrak{D}}_{t}}{\mathcal{A}^{W,\mathfrak{D}}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{C}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{D}}}},\Tr_{\mathsf{L}\mathsf{R}}\outerproduct{\mathcal{A}^{V}_{t}}{\mathcal{A}^{V}_{t}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{B}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\right)$		(9.86)
	$\displaystyle\leq\frac{9t(t+1)}{N^{1/8}}.$		(9.87)

This completes the proof of Lemma 9.1.

10 Proof of Claim 16

In this section, we prove Claim 16, which states that the symmetric path recording oracle $V$ is approximately unitary invariant. For convenience, we restate the lemma below:

Lemma 10.1 (Claim 16, restated).

For any $0\leq t<N$ , and any pair of $n$ -qubit unitaries $C,D$ , we have

	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V_{\leq t}}_{\mathrm{op}}$	$\displaystyle\leq 16\sqrt{\frac{2t(t+1)}{N}},$		(10.1)
	$\displaystyle\norm{C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\cdot(V^{\dagger})_{\leq t}\cdot D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(V^{\dagger})_{\leq t}}_{\mathrm{op}}$	$\displaystyle\leq 16\sqrt{\frac{2t(t+1)}{N}},$		(10.2)

To prove this lemma, we will define a pair of operators $E^{L}$ and $E^{R}$ that satisfy exact unitary invariance. We will then prove that $E^{L}$ is close in operator norm to $V^{L}$ , and that $E^{R}$ is close in operator norm to $E^{R}$ . By combining these guarantees, we will show that $V^{L}$ and $V^{R}$ satisfy approximate unitary invariance, which we will use to prove that $V$ satisfies approximate unitary invariance.

10.1 Defining $E^{L}$ and $E^{R}$

Definition 37.

Define the operator $E^{L}$ and $E^{R}$ that act on registers $\mathsf{A},\mathsf{L},\mathsf{R}$ as follows:

	$\displaystyle E^{L}\coloneqq\frac{1}{\sqrt{N}}\sum_{x,y\in[N]}\outerproduct{y}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\sum_{L\in\mathcal{R}}\sqrt{\mathsf{num}(L,(x,y))+1}\cdot\outerproduct{L\cup\{(x,y)\}}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\sum_{R\in\mathcal{R}}\outerproduct*{R}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.$		(10.3)
	$\displaystyle E^{R}\coloneqq\frac{1}{\sqrt{N}}\sum_{x,y\in[N]}\outerproduct{x}{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\sum_{L\in\mathcal{R}}\outerproduct{L}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\sum_{R\in\mathcal{R}}\sqrt{\mathsf{num}(R,(x,y))+1}\cdot\outerproduct*{R\cup\{(x,y)\}}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.$		(10.4)

We will show that $E^{L}$ and $E^{R}$ satisfies the following unitary invariance property. To state the property, recall that we define the operator $Q[C,D]$ as follows:

Definition 38 (Definition 27, restated).

For any pair of $n$ -qubit unitaries $C,D$ , define

\displaystyle Q[C,D]

\displaystyle\coloneqq(C\otimes D^{T})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes(\overline{C}\otimes D^{\dagger})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(10.5)

Claim 20 (Exact unitary invariance of $E^{L}$ and $E^{R}$ ).

For any pair of $n$ qubit unitaries $C,D$ , we have

	$\displaystyle D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	$\displaystyle=Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger},$		(10.6)
	$\displaystyle C^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot E^{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot D^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	$\displaystyle=Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot E^{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger},$		(10.7)

To prove Claim 20, it will be useful to have the following alternative expressions for $E^{L}$ and $E^{R}$ .

Claim 21 (Alternative form of $E^{L}$ and $E^{R}$ ).

The $E^{L}$ operator can also be written as

	$\displaystyle E^{L}$	$\displaystyle=\frac{1}{\sqrt{N}}\sum_{x,y\in[N]}\outerproduct{y}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\sum_{\ell\geq 0}\Pi^{\mathcal{R}}_{\ell+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\cdot\Big{(}\sqrt{\ell+1}\cdot\ket{x,y}\otimes\Pi_{\ell}\Big{)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\Pi^{\mathcal{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.$		(10.8)
	$\displaystyle E^{R}$	$\displaystyle=\frac{1}{\sqrt{N}}\sum_{x,y\in[N]}\outerproduct{x}{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathcal{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\sum_{r\geq 0}\Pi^{\mathcal{R}}_{r+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Big{(}\sqrt{r+1}\cdot\ket{x,y}\otimes\Pi_{r}\Big{)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.$		(10.9)

Here $\Pi_{\ell}$ denotes the projector onto the span of length- $\ell$ states $\ket*{x_{1},y_{1},\dots,x_{\ell},y_{\ell}}$ , and $(\ket*{x,y}\otimes\Pi_{\ell})_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}$ is the linear operator that maps

\displaystyle(\ket*{x,y}\otimes\Pi_{\ell})_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\cdot\ket*{x_{1},y_{1},\dots,x_{\ell},y_{\ell}}=\ket*{x,y,x_{1},y_{1},\dots,x_{\ell},y_{\ell}}.

(10.10)

Proof.

We will prove the statement for $E^{L}$ , and the proof for $E^{R}$ will be symmetric. To establish $(\ref{def:EL-operator-num-form})=(\ref{def:EL-operator-sym-form})$ , we need to prove that for all $(x,y)\in[N]^{2}$ and $\ell\geq 0$ ,

\displaystyle\sum_{L\in\mathcal{R}_{\ell}}\sqrt{\mathsf{num}(L,(x,y))+1}\cdot\outerproduct*{L\cup\{(x,y)\}}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}=\Pi^{\mathcal{R}}_{\ell+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\cdot\Big{(}\sqrt{\ell+1}\cdot\ket*{x,y}\otimes\Pi_{\ell}\Big{)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}.

(10.11)

Since $\Pi^{\mathcal{R}}_{\ell+1}=\sum_{R\in\mathcal{R}_{\ell+1}}\outerproduct*{R}{R}$ (5), we can write the right-hand side of Eq. 10.11 as

	$\displaystyle\sum_{L\in\mathcal{R}_{\ell+1}}\outerproduct{L}{L}\cdot\Big{(}\sqrt{\ell+1}\cdot\ket{x,y}\otimes\Pi_{\ell}\Big{)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(10.12)
	$\displaystyle=\sum_{L\in\mathcal{R}_{\ell}}\outerproduct{L\cup\{(x,y)\}}{L\cup\{(x,y)\}}\cdot\Big{(}\sqrt{\ell+1}\cdot\ket{x,y}\otimes\Pi_{\ell}\Big{)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.$		(10.13)

Therefore, we need to prove that for all $\ell\geq 0$ and $L\in\mathcal{R}_{\ell}$ that

\displaystyle\bra*{L\cup\{(x,y)\}}\cdot\Big{(}\sqrt{\ell+1}\cdot\ket*{x,y}\otimes\Pi_{\ell}\Big{)}=\sqrt{\mathsf{num}(L,(x,y))}\cdot\bra*{L}.

(10.14)

To see this, note that $\bra*{L\cup\{(x,y)\}}$ is a superposition over all permutations of the elements of $L\cup\{(x,y)\}$ , and thus when we right multiply by $\Big{(}\sqrt{\ell+1}\cdot\ket*{x,y}\otimes\Pi_{\ell}\Big{)}$ , the resulting state is proportional to $\bra*{L}$ . To compute the proportionality constant, note that a

\displaystyle\frac{\binom{\ell-1}{\mathsf{num}(L,(x,y))-1}}{\binom{\ell}{\mathsf{num}(L,(x,y))}}=\frac{\mathsf{num}(L,(x,y))}{\ell}

(10.15)

fraction of the permutations of the elements of $L\cup\{(x,y)\}$ will have $(x,y)$ in the left-most slot. Thus,

\displaystyle\bra*{L\cup\{(x,y)\}}\cdot\Big{(}\ket*{x,y}\otimes\Pi_{\ell}\Big{)}=\frac{\sqrt{\mathsf{num}(L,(x,y))}}{\sqrt{\ell+1}}\cdot\bra*{L},

(10.16)

which gives Eq. 10.14 when we multiply by $\sqrt{\ell+1}$ . ∎

We can use Claim 21 to prove exact unitary invariance of $E^{L}$ and $E^{R}$ (Claim 20).

Proof of Claim 20.

To prove Eq. 10.6, it suffices to prove that

\displaystyle D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(10.17)

Recall that

\displaystyle Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=(C\otimes D^{T})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes(\overline{C}\otimes D^{\dagger})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(10.18)

Expanding the left-hand-side using the definition of $Q[C,D]$ and the expression for $E$ given by Claim 21, we have

	$\displaystyle D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(10.19)
	$\displaystyle=\frac{1}{\sqrt{N}}\sum_{x,y\in[N]}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot\outerproduct{y}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\sum_{\ell\geq 0}\Pi^{\mathcal{R}}_{\ell+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\cdot(\sqrt{\ell+1}\cdot\ket{x,y}\otimes\Pi^{\mathcal{R}}_{\ell,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}})\cdot(C\otimes D^{T})^{\otimes\ell}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}$		(10.20)
	$\displaystyle\quad\otimes\Pi^{\mathcal{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(\overline{C}\otimes D^{\dagger})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(10.21)
	$\displaystyle=\frac{1}{\sqrt{N}}\sum_{x,y\in[N]}\outerproduct{y}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\sum_{\ell\geq 0}\Pi^{\mathcal{R}}_{\ell+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\cdot(C\otimes D^{T})^{\otimes\ell+1}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\cdot(\sqrt{\ell+1}\cdot\ket{x,y}\otimes\Pi^{\mathcal{R}}_{\ell,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}})$		(10.22)
	$\displaystyle\quad\otimes(\overline{C}\otimes D^{\dagger})^{\otimes*}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\mathcal{R}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(10.23)
	$\displaystyle=Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(10.24)

A similar argument works for $E^{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ to establish Eq. 10.7. ∎

10.2 Approximate unitary invariance of $V^{L}$ and $V^{R}$

We now prove approximate unitary invariance of the operators $V^{L}$ and $V^{R}$ . The key step is the following lemma, which relates these operators to $E^{L}$ and $E^{R}$ .

Recall that for an operator $M$ acting on registers $\mathsf{L},\mathsf{R}$ , the notation $M_{\leq t}=M\cdot\Pi_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ refers to the restriction of the operator $M$ to states where the combined length of the $\mathsf{L}$ and $\mathsf{R}$ components is at most $t$ .

Claim 22.

For any positive integer $t$ ,

\displaystyle\norm{V^{L}_{\leq t}-E^{L}_{\leq t}}_{\mathrm{op}}\leq\sqrt{\frac{2t(t+1)}{N}}\quad\text{and}\quad\norm{V^{R}_{\leq t}-E^{R}_{\leq t}}_{\mathrm{op}}\leq\sqrt{\frac{2t(t+1)}{N}}.

(10.25)

Proof.

We will only prove this for $V^{L}_{\leq t}$ , as the proof for $V^{R}_{\leq t}$ is analogous. Let $\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ be an arbitrary unit-norm state in the image of $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ . In particular,

\displaystyle\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\alpha_{x,L,R}\ket*{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket*{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\ket*{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.

(10.26)

where $\alpha_{x,L,R}$ is zero whenever $\absolutevalue{L\cup R}>t$ . It suffices to show that for any such $\ket*{\psi}$ ,

\displaystyle\norm{V^{L}\ket*{\psi}-E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\psi}}_{\mathrm{op}}\leq\sqrt{\frac{2t(t+1)}{N}}.

(10.27)

Expanding out $V^{L}\ket*{\psi}$ , we get

\displaystyle V^{L}\ket*{\psi}

\displaystyle=\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\frac{\alpha_{x,L,R}}{\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}\sum_{\begin{subarray}{c}y\in[N]:\\ y\not\in\imaginary(L\cup R)\end{subarray}}\ket*{y}\ket*{L\cup\{(x,y)\}}\ket*{R}.

(10.28)

Expanding out $E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ , we get

\displaystyle E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\psi}

\displaystyle=\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\frac{\alpha_{x,L,R}}{\sqrt{N}}\sum_{y\in[N]}\ket*{y}\sqrt{\mathsf{num}(L,(x,y))+1}\cdot\ket*{L\cup\{(x,y)\}}\ket*{R}

(10.29)

Then we have

	$\displaystyle V^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket{\psi}-E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket{\psi}$		(10.30)
	$\displaystyle=\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\alpha_{x,L,R}\sum_{y\in[N]}\ket{y}\ket{L\cup\{(x,y)\}}\ket*{R}\Bigg{(}\frac{\delta_{y\not\in\imaginary(L\cup R)}}{\sqrt{N-\absolutevalue{L\cup R}}}-\frac{\sqrt{\mathsf{num}(L,(x,y))+1}}{\sqrt{N}}\Bigg{)}$		(10.31)
	$\displaystyle=\underbrace{\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\alpha_{x,L,R}\sum_{\begin{subarray}{c}y\in[N]:\\ y\not\in\imaginary(L\cup R)\end{subarray}}\ket{y}\ket{L\cup\{(x,y)\}}\ket{R}\Bigg{(}\frac{1}{\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}-\frac{1}{\sqrt{N}}\Bigg{)}}_{\coloneqq\ket{v}}$
	$\displaystyle\quad+\underbrace{\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\alpha_{x,L,R}\sum_{y\in\imaginary(L\cup R)}\ket{y}\ket{L\cup\{(x,y)\}}\ket{R}\Bigg{(}-\frac{\sqrt{\mathsf{num}(L,(x,y))+1}}{\sqrt{N}}\Bigg{)}}_{\coloneqq\ket{w}}.$		(10.32)

Note that $\ket*{v}$ and $\ket*{w}$ are orthogonal, since $\ket*{v}$ is a superposition of states $\ket*{y}\ket*{L^{\prime}}\ket*{R}$ where $y$ is in $\imaginary(L^{\prime}\cup R)$ exactly once, while $\ket*{w}$ is a superposition of states $\ket*{y}\ket*{L^{\prime}}\ket*{R}$ where $y$ is in $\imaginary(L^{\prime}\cup R)$ at least twice. Thus,

\displaystyle\norm{V^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\psi}-E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\psi}}^{2}

\displaystyle=\innerproduct{v}{v}+\innerproduct{w}{w}

(10.33)

Bounding $\innerproduct{v}{v}$ .

By changing the order of summation, we can rewrite $\ket*{v}$ as

\displaystyle\ket*{v}=\sum_{\begin{subarray}{c}y\in[N],\\ (L^{\prime},R)\in\mathcal{R}^{2}\end{subarray}}\ket*{y}\ket*{L^{\prime}}\ket*{R}\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\alpha_{x,L,R}\Big{(}\frac{1}{\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}-\frac{1}{\sqrt{N}}\Big{)}\Bigg{)},

(10.34)

and thus

	$\displaystyle\innerproduct{v}{v}$	$\displaystyle=\sum_{\begin{subarray}{c}y\in[N],\\ (L^{\prime},R)\in\mathcal{R}^{2}\end{subarray}}\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\alpha_{x,L,R}\Big{(}\frac{1}{\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}-\frac{1}{\sqrt{N}}\Big{)}\Bigg{)}^{2}$		(10.35)
		$\displaystyle\leq\sum_{\begin{subarray}{c}y\in[N],\\ (L^{\prime},R)\in\mathcal{R}^{2}\end{subarray}}\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\absolutevalue{\alpha_{x,L,R}}^{2}\Bigg{)}\cdot\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\Big{(}\frac{1}{\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}-\frac{1}{\sqrt{N}}\Big{)}^{2}\Bigg{)},$		(10.36)

where the last inequality is by Cauchy-Schwarz. We can bound the summand by writing

$\displaystyle\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\Big{(}\frac{1}{\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}-\frac{1}{\sqrt{N}}\Big{)}^{2}$	$\displaystyle=\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\Big{(}\frac{\sqrt{N}-\sqrt{N-\absolutevalue{\imaginary(L\cup R)}}}{\sqrt{N(N-\absolutevalue{\imaginary(L\cup R)})}}\Big{)}^{2}$	(10.37)
	$\displaystyle\leq\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\Big{(}\frac{\sqrt{\absolutevalue{\imaginary(L\cup R)}}}{\sqrt{N(N-\absolutevalue{\imaginary(L\cup R)})}}\Big{)}^{2}$	(since $\sqrt{a}-\sqrt{b}\leq\sqrt{a-b}$ when $a\geq b\geq 0$ )
	$\displaystyle=\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\frac{\absolutevalue{\imaginary(L\cup R)}}{N(N-\absolutevalue{\imaginary(L\cup R)})}$	(10.38)
	$\displaystyle\leq\frac{(\absolutevalue{L}+1)\cdot\absolutevalue{\imaginary(L\cup R)}}{N(N-\absolutevalue{\imaginary(L\cup R)})}$	(10.39)

where the last inequality uses the fact that for any fixed $L^{\prime}$ , there are at most $\absolutevalue{L}+1$ choices of $(x,L)$ that can satisfy $L^{\prime}=L\cup\{(x,y)\}$ . Thus,

$\displaystyle\innerproduct{v}{v}$	$\displaystyle\leq\frac{(\absolutevalue{L}+1)\cdot\absolutevalue{\imaginary(L\cup R)}}{N(N-\absolutevalue{\imaginary(L\cup R)})}\cdot\sum_{\begin{subarray}{c}y\in[N],\\ (L^{\prime},R)\in\mathcal{R}^{2}\end{subarray}}\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\absolutevalue{\alpha_{x,L,R}}^{2}\Bigg{)}$	(10.40)
	$\displaystyle=\frac{(\absolutevalue{L}+1)\cdot\absolutevalue{\imaginary(L\cup R)}}{N(N-\absolutevalue{\imaginary(L\cup R)})}\cdot\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\absolutevalue{\alpha_{x,L,R}}^{2}\cdot\Big{(}\sum_{y\in[N]}\delta_{y\not\in\imaginary(L\cup R)}\Big{)}$	(10.41)
	$\displaystyle\leq\frac{(\absolutevalue{L}+1)\cdot\absolutevalue{\imaginary(L\cup R)}}{N}\cdot\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\absolutevalue{\alpha_{x,L,R}}^{2}=\frac{(\absolutevalue{L}+1)\cdot\absolutevalue{\imaginary(L\cup R)}}{N}.$	(10.42)

Bounding $\innerproduct{w}{w}$ .

By changing the order of summation, we can rewrite $\ket*{w}$ as

\displaystyle\ket*{w}=\sum_{\begin{subarray}{c}y\in[N],\\ (L^{\prime},R)\in\mathcal{R}^{2}\end{subarray}}\ket*{y}\ket*{L^{\prime}}\ket*{R}\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\in\imaginary(L\cup R)\end{subarray}}\alpha_{x,L,R}\Big{(}-\frac{\sqrt{\mathsf{num}(L,(x,y))+1}}{\sqrt{N}}\Big{)}\Bigg{)}.

(10.43)

Thus,

$\displaystyle\innerproduct{w}{w}$	$\displaystyle=\sum_{\begin{subarray}{c}y\in[N],\\ (L^{\prime},R)\in\mathcal{R}^{2}\end{subarray}}\Bigg{\lvert}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\in\imaginary(L\cup R)\end{subarray}}\alpha_{x,L,R}\Big{(}-\frac{\sqrt{\mathsf{num}(L,(x,y))+1}}{\sqrt{N}}\Big{)}\Bigg{\rvert}^{2}$	(10.44)
	$\displaystyle\leq\sum_{\begin{subarray}{c}y\in[N],\\ (L^{\prime},R)\in\mathcal{R}^{2}\end{subarray}}\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\in\imaginary(L\cup R)\end{subarray}}\absolutevalue{\alpha_{x,L,R}}^{2}\Bigg{)}\cdot\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\in\imaginary(L\cup R)\end{subarray}}\frac{\mathsf{num}(L,(x,y))+1}{N}\Bigg{)}$	(by Cauchy-Schwarz)
	$\displaystyle\leq\sum_{\begin{subarray}{c}y\in[N],\\ (L^{\prime},R)\in\mathcal{R}^{2}\end{subarray}}\Bigg{(}\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\in\imaginary(L\cup R)\end{subarray}}\absolutevalue{\alpha_{x,L,R}}^{2}\Bigg{)}\cdot\frac{(\absolutevalue{L}+1)}{N},$	(10.45)

where we have used the fact that for any $y,L^{\prime}$ , we have the upper bound

\displaystyle\sum_{\begin{subarray}{c}(x,L):\\ L^{\prime}=L\cup\{(x,y)\},\\ y\in\imaginary(L\cup R)\end{subarray}}\mathsf{num}(L,(x,y))+1\leq\absolutevalue{L}+1,

(10.46)

since each tuple in $L^{\prime}$ increases the value of $\mathsf{num}(L,(x,y))$ by $1$ for at most one $x$ . Thus,

	$\displaystyle\innerproduct{w}{w}$	$\displaystyle=\frac{\absolutevalue{L}+1}{N}\cdot\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\absolutevalue{\alpha_{x,L,R}}^{2}\cdot\Big{(}\sum_{y\in[N]}\delta_{y\in\imaginary(L\cup R)}\Big{)}$		(10.47)
		$\displaystyle\leq\frac{(\absolutevalue{L}+1)\cdot\|\imaginary(L\cup R)\|}{N}\cdot\sum_{\begin{subarray}{c}x\in[N],\\ (L,R)\in\mathcal{R}^{2}\end{subarray}}\absolutevalue{\alpha_{x,L,R}}^{2}=\frac{(\absolutevalue{L}+1)\cdot\|\imaginary(L\cup R)\|}{N}.$		(10.48)

Putting everything together, we have that for all $\ket*{\psi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ in the image of $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\Pi_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ ,

\displaystyle\norm{V^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\psi}-E^{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\ket*{\psi}}

\displaystyle\leq\sqrt{\frac{2(\absolutevalue{L}+1)\cdot\absolutevalue{\imaginary(L\cup R)}}{N}}\leq\sqrt{\frac{2t(t+1)}{N}},

(10.49)

since $\absolutevalue{\imaginary(L\cup R)}\leq t$ and $\absolutevalue{L}+1\leq t+1$ . This completes the claim. ∎

Claim 23.

For any positive integer $t$ , and any pair of $n$ -qubit unitaries $C,D$ , we have

	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$	$\displaystyle\leq 2\cdot\sqrt{\frac{2t(t+1)}{N}}$		(10.50)
	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{R,\dagger}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{R,\dagger}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$	$\displaystyle\leq 2\cdot\sqrt{\frac{2t(t+1)}{N}}.$		(10.51)

Proof.

We first prove Eq. 10.50. Using Claim 20 together and the triangle inequality, we have

	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$		(10.52)
	$\displaystyle\leq\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot E^{L}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}}_{\mathrm{op}}$
	$\displaystyle\quad+\norm{Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot E^{L}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$		(10.53)
	$\displaystyle\leq 2\cdot\norm{V^{L}_{\leq t}-E^{L}_{\leq t}}_{\mathrm{op}}$		(by unitary invariance of $\norm{\cdot}_{\mathrm{op}}$ )
	$\displaystyle\leq 2\cdot\sqrt{\frac{2t(t+1)}{N}}.$		(by Claim 22)

Eq. 10.51 follows from a symmetric argument. ∎

Note that with our convention that $M_{\leq t}=M\cdot\Pi_{\leq t}$ , the operator $M_{\leq t}^{\dagger}=(M\cdot\Pi_{\leq t})^{\dagger}=\Pi_{\leq t}\cdot M^{\dagger}$ is not the same as $(M^{\dagger})_{\leq t}=M^{\dagger}\cdot\Pi_{\leq t}$ . However, since our $V^{L}$ and $V^{R}$ operators map $\Pi_{\leq t}$ to $\Pi_{\leq t+1}$ , we have the following identities,

	$\displaystyle(V^{L,\dagger})_{\leq t}$	$\displaystyle=V^{L,\dagger}\cdot\Pi_{\leq t}=\Pi_{\leq t-1}\cdot V^{L,\dagger}=V^{L,\dagger}_{\leq t-1}$		(10.54)
	$\displaystyle(V^{R,\dagger})_{\leq t}$	$\displaystyle=V^{R,\dagger}\cdot\Pi_{\leq t}=\Pi_{\leq t-1}\cdot V^{R,\dagger}=V^{R,\dagger}_{\leq t-1}.$		(10.55)

As a consequence, Eq. 10.51 also holds for the “mis-parenthesized” version. In particular, for any positive integer $t$ and any $C,D$ , we have

\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot(V^{R,\dagger})_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(V^{R,\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}\leq 2\cdot\sqrt{\frac{2t(t+1)}{N}}.

(10.56)

To prove the approximate unitary invariance of $V$ , we need to utilize the following basic lemma.

Lemma 10.2.

Given any operators $A,B,A^{\prime},B^{\prime}$ with operator norm bounded above by one, we have

\displaystyle\norm{A\cdot B-A^{\prime}\cdot B^{\prime}}_{\mathrm{op}}\leq\norm{A-A^{\prime}}_{\mathrm{op}}+\norm{B-B^{\prime}}_{\mathrm{op}}.

(10.57)

Proof.

We can prove this lemma via triangle inequality,

$\displaystyle\norm{A\cdot B-A^{\prime}\cdot B^{\prime}}_{\mathrm{op}}$	$\displaystyle\leq\norm{A\cdot B-A^{\prime}\cdot B}_{\mathrm{op}}+\norm{A^{\prime}\cdot B-A^{\prime}\cdot B^{\prime}}_{\mathrm{op}}$	(10.58)
	$\displaystyle\leq\norm{A-A^{\prime}}_{\mathrm{op}}\cdot\norm{B}_{\mathrm{op}}+\norm{A^{\prime}}_{\mathrm{op}}\cdot\norm{B-B^{\prime}}_{\mathrm{op}}$	(10.59)
	$\displaystyle\leq\norm{A-A^{\prime}}_{\mathrm{op}}+\norm{B-B^{\prime}}_{\mathrm{op}}.$	(10.60)

This completes the proof. ∎

We start by proving the approximate unitary invariance for the projectors $V^{L}\cdot V^{L,\dagger}$ and $V^{R}\cdot V^{R,\dagger}$ .

Claim 24.

For any positive integer $t$ , and any pair of $n$ -qubit unitaries $C,D$ , we have

	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot\Big{(}V^{L}\cdot V^{L,\dagger}\Big{)}_{\leq t}\cdot D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Big{(}V^{L}\cdot V^{L,\dagger}\Big{)}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$	$\displaystyle\leq 4\cdot\sqrt{\frac{2t(t+1)}{N}}$		(10.61)
	$\displaystyle\norm{C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\cdot\Big{(}V^{R}\cdot V^{R,\dagger}\Big{)}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Big{(}V^{R}\cdot V^{R,\dagger}\Big{)}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$	$\displaystyle\leq 4\cdot\sqrt{\frac{2t(t+1)}{N}}.$		(10.62)

Proof.

By the definition of $V^{L}$ , we have $(V^{L}\cdot V^{L,\dagger})_{\leq t}=V^{L}_{\leq t-1}\cdot V^{L,\dagger}_{\leq t-1}$ . We have

	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t-1}\cdot V^{L,\dagger}_{\leq t-1}\cdot D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t-1}\cdot V^{L,\dagger}_{\leq t-1}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$		(10.63)
	$\displaystyle=\Bigg{\lVert}\Big{(}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t-1}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\Big{)}\cdot\Big{(}C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\cdot V^{L,\dagger}_{\leq t-1}\cdot D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\Big{)}$
	$\displaystyle\quad-\Big{(}Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t-1}\cdot Q[C,D]^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Big{)}\cdot\Big{(}Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L,\dagger}_{\leq t-1}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Big{)}\Bigg{\rVert}_{\mathrm{op}}$		(10.64)
	$\displaystyle\leq\Bigg{\lVert}\Big{(}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t-1}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\Big{)}-\Big{(}Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t-1}\cdot Q[C,D]^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Big{)}\Bigg{\rVert}_{\mathrm{op}}$
	$\displaystyle\quad+\Bigg{\lVert}\Big{(}C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\cdot V^{L,\dagger}_{\leq t-1}\cdot D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\Big{)}-\Big{(}Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L,\dagger}_{\leq t-1}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Big{)}\Bigg{\rVert}_{\mathrm{op}}$		(by Lemma 10.2)
	$\displaystyle\leq 4\cdot\sqrt{\frac{2t(t+1)}{N}}$		(by Claim 23)

The statement for $V^{R}$ can be proven similarly. This concludes the proof of this claim. ∎

We can now prove approximate invariance of $V$ (Claim 16). By unitary invariance of $\norm{\cdot}_{\mathrm{op}}$ we can restate lemma Claim 16 as follows.

Lemma 10.3 (Claim 16, restated).

For any positive integer $t$ , and any pair of $n$ -qubit unitaries $C,D$ , we have

	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$	$\displaystyle\leq 16\sqrt{\frac{2t(t+1)}{N}},$		(10.65)
	$\displaystyle\norm{C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\cdot(V^{\dagger})_{\leq t}\cdot D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(V^{\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$	$\displaystyle\leq 16\sqrt{\frac{2t(t+1)}{N}},$		(10.66)

Proof.

We will prove the first inequality, as the second follows from a symmetric argument. From the definition of $V$ , we have

\displaystyle V=V^{L}\cdot(\mathsf{Id}-V^{R}\cdot V^{R,\dagger})+(\mathsf{Id}-V^{L}\cdot V^{L,\dagger})\cdot V^{R,\dagger}.

(10.67)

From the definitions of $\Pi_{\leq t}$ , $V^{L}$ , and $V^{R}$ , we note that

	$\displaystyle(V^{L}\cdot V^{R}\cdot V^{R,\dagger})_{\leq t}$	$\displaystyle=V^{L}_{\leq t}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t},$		(10.68)
	$\displaystyle(V^{L}\cdot V^{L,\dagger}\cdot V^{R,\dagger})_{\leq t}$	$\displaystyle=(V^{L}\cdot V^{L,\dagger})_{\leq t}\cdot(V^{R,\dagger})_{\leq t}.$		(10.69)

Using this fact and the definition of $V$ , we can apply the triangle inequality to obtain,

	$\displaystyle\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}$		(10.70)
	$\displaystyle\leq\Bigg{\lVert}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}}$		(10.71)
	$\displaystyle+\Bigg{\lVert}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}}$		(10.72)
	$\displaystyle+\Bigg{\lVert}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot(V^{R,\dagger})_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(V^{R,\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}}$		(10.73)
	$\displaystyle+\Bigg{\lVert}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot(V^{L}\cdot V^{L,\dagger})_{\leq t}\cdot(V^{R,\dagger})_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(V^{L}\cdot V^{L,\dagger})_{\leq t}\cdot(V^{R,\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}}.$		(10.74)

We now bound each of the four terms. The first term Eq. 10.71 is bounded above by $2\cdot\sqrt{\frac{2t(t+1)}{N}}$ from Eq. 10.50. The third term Eq. 10.73 is also bounded above by $2\cdot\sqrt{\frac{2t(t+1)}{N}}$ from Eq. 10.56. The second and fourth terms Eq. 10.72, Eq. 10.74 require the use of Lemma 10.2. Hence, we can bound the second term Eq. 10.72 as follows,

	$\displaystyle\Bigg{\lVert}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}}$		(10.75)
	$\displaystyle=\Bigg{\lVert}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$
	$\displaystyle\quad\quad\quad\quad-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}}$		(10.76)
	$\displaystyle\leq\Bigg{\lVert}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}}$		(10.77)
	$\displaystyle+\Bigg{\lVert}C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}^{\dagger}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}},$		(10.78)
	$\displaystyle\leq 6\cdot\sqrt{\frac{2t(t+1)}{N}}.$		(10.79)

where we used the fact that Eq. 10.77 is bounded above by $2\cdot\sqrt{\frac{2t(t+1)}{N}}$ from Eq. 10.50 and Eq. 10.78 is bounded above by $4\cdot\sqrt{\frac{2t(t+1)}{N}}$ from Eq. 10.62. Similarly, we can bound the fourth term given Eq. 10.74 using the same argument to obtain

\Bigg{\lVert}D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V^{L}_{\leq t}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V^{L}_{\leq t}\cdot(V^{R}\cdot V^{R,\dagger})_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}\Bigg{\rVert}_{\mathrm{op}}\leq 6\cdot\sqrt{\frac{2t(t+1)}{N}}.

(10.80)

Combining the bounds on the four terms, we obtain

\norm{D_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\cdot V_{\leq t}\cdot C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}-Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot V_{\leq t}\cdot Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}^{\dagger}}_{\mathrm{op}}\leq 16\cdot\sqrt{\frac{2t(t+1)}{N}}.

(10.81)

This completes the proof of the approximate unitary invariance of $V$ . ∎

11 Proof of Lemma 9.2

In this section, we prove Lemma 9.2. For convenience, we restate the lemma below.

Lemma 11.1 (Lemma 9.2, restated).

For any unitary $2$ -design $\mathfrak{D}$ and integer $0\leq t\leq N-1$ , we have

	$\displaystyle\norm{\operatorname*{{\mathbb{E}}}_{C,D\leftarrow\mathfrak{D}}(C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-\Pi^{\mathcal{D}(W)}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Big{)}\cdot(C_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})}_{\mathrm{op}}$	$\displaystyle\leq 6t\sqrt{\frac{t}{N}},$		(11.1)
	$\displaystyle\norm{\operatorname*{{\mathbb{E}}}_{C,D\leftarrow\mathfrak{D}}(D^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})^{\dagger}\cdot\Big{(}\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}-\Pi^{\mathcal{I}(W)}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Big{)}\cdot(D^{\dagger}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes Q[C,D]_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}})}_{\mathrm{op}}$	$\displaystyle\leq 6t\sqrt{\frac{t}{N}},$		(11.2)

In the above expressions, $\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is shorthand for $\mathsf{Id}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\Pi^{\mathsf{bij}}_{\leq t,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ , and thus the operators inside the $\norm{\cdot}_{\mathrm{op}}$ act on $\mathsf{A},\mathsf{L},\mathsf{R}$ .

11.1 The domain and image of $W$

In order to prove Lemma 11.1, we will first need to give an explicit characterization of the projectors $\Pi^{\mathcal{D}(W)}$ and $\Pi^{\mathcal{I}(W)}$ .

Definition 39.

Let

	$\displaystyle\Pi^{\not\in\operatorname{Dom}}$	$\displaystyle\coloneqq\sum_{\begin{subarray}{c}(L,R)\in\mathcal{R}^{2},\\ x\not\in\operatorname{Dom}(L\cup R)\end{subarray}}\outerproduct{x}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\outerproduct{L}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\outerproduct*{R}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(11.3)
	$\displaystyle\Pi^{\not\in\imaginary}$	$\displaystyle\coloneqq\sum_{\begin{subarray}{c}(L,R)\in\mathcal{R}^{2},\\ y\not\in\imaginary(L\cup R)\end{subarray}}\outerproduct{y}{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\outerproduct{L}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\outerproduct*{R}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.$		(11.4)

Definition 40.

Let

\displaystyle\Pi^{\mathsf{EPR}}\coloneqq\outerproduct*{\mathsf{EPR}_{N}}{\mathsf{EPR}_{N}}=\Big{(}\frac{1}{\sqrt{N}}\sum_{x\in[N]}\ket*{x}\ket*{x}\Big{)}\cdot\Big{(}\frac{1}{\sqrt{N}}\sum_{y\in[N]}\bra*{y}\bra*{y}\Big{)}.

(11.5)

Notation 13.

We use the notation $\Pi^{\mathsf{EPR}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A},\mathsf{R}^{(r)}_{\mathsf{X},i}}}$ for the projector on registers $\mathsf{A},\mathsf{R}^{(r)}$ that applies $\Pi^{\mathsf{EPR}}$ to the registers $\mathsf{A}$ , $\mathsf{R}^{(r)}_{\mathsf{X},i}$ (where $i\in[r]$ ), and acts as identity on the rest of $\mathsf{R}^{(r)}$ . The same notation applies for $\Pi^{\mathsf{EPR}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A},\mathsf{L}^{(\ell)}_{\mathsf{Y},i}}}$ .

Fact 12.

The projectors $\Pi^{\mathcal{R}^{2}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ and $\Pi^{\mathrm{dist}_{X,Y}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ commute, and moreover

\displaystyle\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}=\Pi^{\mathcal{R}^{2}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\mathrm{dist}_{X,Y}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}

(11.6)

Claim 25.

	$\displaystyle\Pi^{\mathcal{D}(W)}$	$\displaystyle=\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Bigg{(}\Pi^{\not\in\operatorname{Dom}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}+\sum_{\begin{subarray}{c}\ell,r\geq 0:\\ \ell+r<N\end{subarray}}\frac{N}{N-\ell-r}\Pi_{\ell,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\sum_{i\in[r+1]}\Pi^{\mathsf{EPR}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A},\mathsf{R}^{(r+1)}_{\mathsf{X},i}}}\Bigg{)}\cdot\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(11.7)
	$\displaystyle\Pi^{\mathcal{I}(W)}$	$\displaystyle=\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Bigg{(}\Pi^{\not\in\imaginary}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}+\sum_{\begin{subarray}{c}\ell,r\geq 0:\\ \ell+r<N\end{subarray}}\frac{N}{N-\ell-r}\Pi_{r,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\otimes\sum_{i\in[\ell+1]}\Pi^{\mathsf{EPR}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A},\mathsf{L}^{(\ell+1)}_{\mathsf{Y},i}}}\Bigg{)}\cdot\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(11.8)

Proof.

By 8,

\displaystyle\Pi^{\mathcal{D}(W)}

\displaystyle=\Pi^{\mathcal{D}(W^{L})}+\Pi^{\mathcal{I}(W^{R})}.

(11.9)

To prove Eq. 11.7, it suffices to prove

	$\displaystyle\Pi^{\mathcal{D}(W^{L})}$	$\displaystyle=\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\not\in\operatorname{Dom}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(11.10)
	$\displaystyle\Pi^{\mathcal{I}(W^{R})}$	$\displaystyle=\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Bigg{(}\sum_{\begin{subarray}{c}\ell,r\geq 0:\\ \ell+r<N\end{subarray}}\frac{N}{N-\ell-r}\Pi_{\ell,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\sum_{i\in[r+1]}\Pi^{\mathsf{EPR}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A},\mathsf{R}^{(r+1)}_{\mathsf{X},i}}}\Bigg{)}\cdot\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$		(11.11)

Proof of Eq. 11.10.

From the definition of $W^{L}$ , its domain is the image of the projector

$\displaystyle\Pi^{\mathcal{D}(W^{L})}$	$\displaystyle=\sum_{\begin{subarray}{c}(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}},\\ x\not\in\operatorname{Dom}(L,R)\end{subarray}}\outerproduct{x}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\outerproduct{L}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\outerproduct*{R}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$	(11.12)
	$\displaystyle=\Bigg{(}\sum_{(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}}\outerproduct{L}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\outerproduct{R}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Bigg{)}\cdot\Bigg{(}\sum_{\begin{subarray}{c}(L,R)\in\mathcal{R}^{2},\\ x\not\in\operatorname{Dom}(L\cup R)\end{subarray}}\outerproduct{x}{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\otimes\outerproduct{L}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\outerproduct*{R}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Bigg{)}$
	$\displaystyle\quad\cdot\Bigg{(}\sum_{(L,R)\in\mathcal{R}^{2,\operatorname{{dist}}}}\outerproduct{L}{L}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\outerproduct{R}{R}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\Bigg{)}$	(11.13)
	$\displaystyle=\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\not\in\operatorname{Dom}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Pi^{\mathsf{bij}}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}.$	(11.14)

Proof of Eq. 11.11.

We can expand out

	$\displaystyle\Pi^{\mathcal{I}(W^{R})}=W^{R}\cdot W^{R,\dagger}$	$\displaystyle=W^{R}\cdot\sum_{\begin{subarray}{c}\ell,r\geq 0,\\ \ell+r<N\end{subarray}}\Pi_{\ell,r,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot W^{R,\dagger}$		(11.15)
		$\displaystyle=\sum_{\begin{subarray}{c}\ell,r\geq 0,\\ \ell+r<N\end{subarray}}W_{\ell,r}^{R}\cdot W^{R,\dagger}_{\ell,r}$		(11.16)

where the second equality uses the fact that the domain of $W^{R}$ is contained in the image of the projector $\sum_{\ell,r\geq 0,\ell+r<N}\Pi_{\ell,r,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ , i.e., $W^{R}$ is only defined on states where the $\mathsf{L}$ and $\mathsf{R}$ registers have sizes $\ell,r\geq 0$ where $\ell+r<N$ . Thus, it suffices to prove that for all $\ell,r\geq 0$ such that $\ell+r<N$ that

\displaystyle W_{\ell,r}^{R}\cdot W_{\ell,r}^{R,\dagger}=\frac{N}{N-\ell-r}\Pi^{\mathsf{bij}}_{\ell,r+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}\cdot\Bigg{(}\Pi_{\ell,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}}\otimes\sum_{i\in[r+1]}\Pi^{\mathsf{EPR}}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A},\mathsf{R}^{(r+1)}_{\mathsf{X},i}}}\Bigg{)}\cdot\Pi^{\mathsf{bij}}_{\ell,r+1,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}},

(11.17)

where we use our notational convention that for an operator $B$ acting on a variable-length registers $\mathsf{L},\mathsf{R}$ , the operator $B_{\ell,r}=B\cdot\Pi_{\ell,r,{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{L}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}}}}$ is the restriction of $B$ to states where the $\mathsf{L}$ register is length $\ell$ and

$\displaystyle\sum_{x\in[N]}\ket{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\bra{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	$\displaystyle=\sum_{x,z\in[N]}\ket{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\left(\bra{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}G_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\right)\bra{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	(Using Eq. (4.13))
	$\displaystyle=\sum_{x,z\in[N]}\ket{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\left(\bra{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket{z}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\right)\bra{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	(Using Eq. (4.15))
	$\displaystyle=\sum_{x,z\in[N]}\left(\outerproduct{x}{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket{z}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\right)\otimes\bra*{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	(4.16)
	$\displaystyle=\sum_{z\in[N]}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket{z}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\bra{z}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}$	(Using Eq. (4.14))
	$\displaystyle=\sum_{x\in[N]}G_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\ket{x}_{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{R}_{\mathsf{X},i}^{(t)}}}\otimes\bra{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}.$	(Relabeling $z$ with $x$ )

	$\displaystyle\mathsf{pfO}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}\ket{x}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}}$	$\displaystyle\coloneqq\omega_{3}^{f(x)}\ket{\pi(x)}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\ket{\pi}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{P}}}}\ket*{f}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{F}}}},$		(6.1)
		$\displaystyle=\sum_{y\in[N]}\ket{y}_{{{\color[rgb]{.25,.25,.25}\definecolor[named]{pgfstrokecolor}{rgb}{.25,.25,.25}\pgfsys@color@gray@stroke{.25}\pgfsys@color@gray@fill{.25}\mathsf{A}}}}\delta_{\pi(x)=y}\ket{\pi}\omega_{3}^{f(x)}\ket*{f},$		(6.2)

How to Construct Random Unitaries

Abstract

1 Introduction

1.1 Our results

Theorem 1.

Theorem 2.

1.2 Our techniques

How to construct PRUs.

Strong PRUs and a symmetrized path-recording oracle V~\widetilde{V}.

A new approach to random unitaries.

1.3 Acknowledgments

2 Preliminaries

Notation.

Quantum registers.

2.1 Relations and variable-length registers

Definition 1.

Definition 2.

Notation 1 (Relation states).

Fact 1.

Notation 2.

Notation 3 (Restricted sets of relations).

2.1.1 Variable-length registers

Notation 4 (Extending fixed-length operators to variable-length).

Notation 5.

Notation 6 (Variable-length tensor powers).

2.1.2 Pairs of variable-length registers

Notation 7 (Fixed-length projectors).

Notation 8 (Maximum-length projectors).

Notation 9 (Length-restricted operators).

2.2 The Haar measure, unitary tt-designs, and twirling channels

Definition 3 (Haar measure).

Definition 4 (Unitary tt-design).

Notation 10.

Fact 2.

Claim 1 (Standard twirling).

Proof.

Lemma 2.1 (Twirling into the distinct subspace).

Proof.

Notation 11.

Claim 2 (Mixed twirling).

Proof.

2.3 Oracle adversaries

Definition 5 (Oracle adversaries with forward queries, used in Part I).

Definition 6 (Oracle adversaries with forward and inverse queries, used in Part II).

2.4 Pseudorandom unitaries

Definition 7 (pseudorandom unitaries).

2.5 Useful lemmas

Lemma 2.2.

Proof.

Lemma 2.3 (sequential gentle measurement).

Lemma 2.4 (gentle measurement).

Proof of Lemma 2.4.

Proof of Lemma 2.3.

Part I Standard PRUs

3 The purified permutation-function oracle

Definition 8 (purified permutation-function oracle).

Claim 3 (Equivalence of the purified and standard oracles).

Proof.

Definition 9 (𝗉𝖿\mathsf{pf}-relation state).

3.1 Orthonormality of the 𝗉𝖿\mathsf{pf}-relation states

Claim 4 (Orthonormality of the distinct sets of 𝗉𝖿\mathsf{pf}-relation states).

Proof of Claim 4.

3.2 How 𝗉𝖿𝖮\mathsf{pfO} acts on the 𝗉𝖿\mathsf{pf}-relation states

Claim 5 (Action of 𝗉𝖿𝖮\mathsf{pfO} on 𝗉𝖿\mathsf{pf}-relation states).

Proof of Claim 5.

4 The path-recording oracle VV

4.1 Defining VV

Definition 10 (Path-recording oracle).

Lemma 4.1 (Partial isometry).

Proof of Lemma 4.1.

Definition 11.

Definition 12.

Proof of Lemma 4.2.

4.2 Right unitary invariance

Lemma 4.3 (Right unitary invariance).

Fact 3 (Explicit form).

Proof of Lemma 4.3.

Corollary 4.1 (Trace distance between original state and the projected state).

Proof.

4.3 Relating VV to 𝗉𝖿𝖮\mathsf{pfO}

Strong PRUs and a symmetrized path-recording oracle $\widetilde{V}$ .

2.2 The Haar measure, unitary $t$ -designs, and twirling channels

Definition 4 (Unitary $t$ -design).

Definition 9 ( $\mathsf{pf}$ -relation state).

3.1 Orthonormality of the $\mathsf{pf}$ -relation states

Claim 4 (Orthonormality of the distinct sets of $\mathsf{pf}$ -relation states).

3.2 How $\mathsf{pfO}$ acts on the $\mathsf{pf}$ -relation states

Claim 5 (Action of $\mathsf{pfO}$ on $\mathsf{pf}$ -relation states).

4 The path-recording oracle $V$

4.1 Defining $V$

4.3 Relating $V$ to $\mathsf{pfO}$

Definition 16 (Distinct subspace projector for $\mathsf{pf}$ -relation states).

Lemma 4.4 (Relating $V$ and $\mathsf{pfO}$ states).

Definition 17 ( $\mathsf{PRU}(\mathfrak{D})$ distribution).

Theorem 3 ( $\mathsf{PF}(\mathfrak{D})$ is indistinguishable from Haar-random).

Lemma 5.1 ( $\mathsf{PRU}(\mathfrak{D})$ is indistinguishable from $V$ ).

Theorem 5 ( $V$ is indistinguishable from Haar random).

Definition 19 ( $\mathsf{pf}$ -relation state).

6.1 Orthonormality of the $\mathsf{pf}$ -relation states

Claim 7 (Orthonormality of $\mathsf{pf}$ -relation states).

6.2 How $\mathsf{pfO}$ acts on the $\mathsf{pf}$ -relation states

Claim 8 (Action of $\mathsf{pfO}$ ).

7 The partial path-recording oracle $W$

The role of the $W$ operator in our proof.

7.1 Defining $W^{L}$ and $W^{R}$

Definition 22 ( $W^{L}$ and $W^{R}$ ).

7.2 Defining $W$

Claim 13 ( $W$ is a restriction of $\mathsf{pfO}$ up to isometry).

8 The path-recording oracle $V$

8.1 Defining $V^{L}$ and $V^{R}$

Why these definitions of $V^{L}$ and $V^{R}$ ?

8.2 Defining $V$

Why this definition of $V$ ?