Efficient Simulation of Random States and Random Unitaries Gorjan - - PowerPoint PPT Presentation

Efficient Simulation of Random States and Random Unitaries

Gorjan Alagic, Christian Majenz and Alexander Russell

QCrypt 2020, in Cyberspace

Results — overview

• We study the simulation of random quantum objects, i.e. random

quantum states and random unitary operations

• We develop a theory of their stateful simulation, a quantum analogue of

“lazy sampling”

• For random states, we develop an efficient protocol for stateful simulation
• For random unitaries, we show that simulation can be done in polynomial

space

• As an application, we design a quantum money scheme that is

unconditionally unforgeable and untraceable.

Introduction

Randomness…

…is extremely useful. Applications:

• All of cryptography
• Monte Carlo simulation
• Randomized algorithms
• …

Easy example: random string

Random element x ∈R {0,1}n

Easy example: random string

Random element x ∈R {0,1}n Randomness cost Runtime limit distinguisher Exact No

n

Easy example: random string

Random element x ∈R {0,1}n Randomness cost Runtime limit distinguisher Exact No Pseudorandom generator

n poly(λ) poly(λ)

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Oracle simulation for Randomness cost Stateful simulation Limit distinguisher Exact No None

n ⋅ 2m

f

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Oracle simulation for Randomness cost Stateful simulation Limit distinguisher Exact No None

n ⋅ 2m

f runtime, memory

≤

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Oracle simulation for Randomness cost Stateful simulation Limit distinguisher Exact No None

• wise

independent function No

n ⋅ 2m

f

t

O(t ⋅ n)

q ≤ t

# of queries

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Oracle simulation for Randomness cost Stateful simulation Limit distinguisher Exact No None

• wise

independent function No Pseudorandom function No

n ⋅ 2m

f

time ≤ poly(λ) poly(λ)

t

O(t ⋅ n)

q ≤ t

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Oracle simulation for Randomness cost Stateful simulation Limit distinguisher Exact No None

• wise

independent function No Pseudorandom function No “Lazy sampling” Yes None

n ⋅ 2m

f

time ≤ poly(λ) poly(λ)

t

O(t ⋅ n)

q ≤ t

q ⋅ n

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Oracle simulation for Randomness cost Stateful simulation Limit distinguisher Exact No None

• wise

independent function No Pseudorandom function No “Lazy sampling” Yes None

n ⋅ 2m

f

time ≤ poly(λ) poly(λ)

t

O(t ⋅ n)

q ≤ t

q ⋅ n

Information-theoretically secure message authentication

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Oracle simulation for Randomness cost Stateful simulation Limit distinguisher Exact No None

• wise

independent function No Pseudorandom function No “Lazy sampling” Yes None

n ⋅ 2m

f

time ≤ poly(λ) poly(λ)

t

O(t ⋅ n)

q ≤ t

q ⋅ n

Information-theoretically secure message authentication Computationally secure symmetric-key crypto

Another example: random function

Function such that independently

f : {0,1}m → {0,1}n f(x) ∈R {0,1}n

Oracle simulation for Randomness cost Stateful simulation Limit distinguisher Exact No None

• wise

independent function No Pseudorandom function No “Lazy sampling” Yes None

n ⋅ 2m

f

time ≤ poly(λ) poly(λ)

t

O(t ⋅ n)

q ≤ t

q ⋅ n

Information-theoretically secure message authentication Computationally secure symmetric-key crypto Random oracle model security (e.g. indifferentiability)

Quantum states and operations

Quantum states and operations

Quantum state: unit vector

|ϕ⟩ ∈ S ⊂ ℂ2n Sphere

Quantum states and operations

Quantum state: unit vector

|ϕ⟩ ∈ S ⊂ ℂ2n Sphere Strictly speaking: , projective space

|ϕ⟩ ∈ P2n−1(ℂ)

Quantum states and operations

Quantum state: unit vector

|ϕ⟩ ∈ S ⊂ ℂ2n Sphere Strictly speaking: , projective space

|ϕ⟩ ∈ P2n−1(ℂ)

Quantum operation: unitary matrix U ∈ U(2n) ⊂ ℂ2n×2n

(Compact Lie-)group

• f unitary
• matrices

2n × 2n

Quantum states and operations

Quantum state: unit vector

|ϕ⟩ ∈ S ⊂ ℂ2n Sphere Strictly speaking: , projective space

|ϕ⟩ ∈ P2n−1(ℂ)

Quantum operation: unitary matrix U ∈ U(2n) ⊂ ℂ2n×2n

(Compact Lie-)group

• f unitary
• matrices

2n × 2n

Really nice mathematical objects with a natural notion of a uniform distribution!

Quantum states and operations

Quantum state: unit vector

|ϕ⟩ ∈ S ⊂ ℂ2n Sphere Strictly speaking: , projective space

|ϕ⟩ ∈ P2n−1(ℂ)

Quantum operation: unitary matrix U ∈ U(2n) ⊂ ℂ2n×2n

(Compact Lie-)group

• f unitary
• matrices

2n × 2n

Really nice mathematical objects with a natural notion of a uniform distribution! Haar measure

Example application: Haar money

No-cloning principle: quantum information cannot be copied.

Example application: Haar money

No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it!

Example application: Haar money

No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! |ϕ⟩ ∈R S ⊂ ℂ2n Haar money (JLS ’19):

Example application: Haar money

No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! |ϕ⟩ ∈R S ⊂ ℂ2n |ϕ⟩ |ϕ⟩ |ϕ⟩ |ϕ⟩ Haar money (JLS ’19):

Example application: Haar money

No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! |ϕ⟩ ∈R S ⊂ ℂ2n |ϕ⟩ |ϕ⟩ |ϕ⟩ |ϕ⟩ Unforgeable ✓ Haar money (JLS ’19):

Example application: Haar money

No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! |ϕ⟩ ∈R S ⊂ ℂ2n |ϕ⟩ |ϕ⟩ |ϕ⟩ |ϕ⟩ Unforgeable ✓ Untraceable ✓ Haar money (JLS ’19):

Example application: Haar money

No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! |ϕ⟩ ∈R S ⊂ ℂ2n |ϕ⟩ |ϕ⟩ |ϕ⟩ |ϕ⟩ Unforgeable ✓ Untraceable ✓

Can the Bank sample such a random state?

Haar money (JLS ’19):

Simulation of random quantum

• bjects

Can we sample a random quantum state?

Haar-random state .

|ϕ⟩ ∈ S ⊂ ℂ2n

Can we sample a random quantum state?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

∞

1 ↦ |ϕ⟩ Haar-random state .

|ϕ⟩ ∈ S ⊂ ℂ2n

Can we sample a random quantum state?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

• Net

inefficient, stateless

∞

1 ↦ |ϕ⟩ Haar-random state .

|ϕ⟩ ∈ S ⊂ ℂ2n O(log (1/ε) ⋅ 2n) q ≤ O (1/ε)

ε

# of queries

Can we sample a random quantum state?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

• Net

inefficient, stateless State -design efficient, stateless

∞

1 ↦ |ϕ⟩

t

poly(n, t)

q ≤ t

Haar-random state .

|ϕ⟩ ∈ S ⊂ ℂ2n O(log (1/ε) ⋅ 2n) q ≤ O (1/ε)

ε

Can we sample a random quantum state?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

• Net

inefficient, stateless State -design efficient, stateless

Pseudorandom quantum state (JLS ’19, BS ’20)

efficient, stateless

∞

1 ↦ |ϕ⟩

time ≤ poly(λ) poly(λ)

t

poly(n, t)

q ≤ t

Haar-random state .

|ϕ⟩ ∈ S ⊂ ℂ2n O(log (1/ε) ⋅ 2n) q ≤ O (1/ε)

ε

Can we sample a random quantum state?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

• Net

inefficient, stateless State -design efficient, stateless

Pseudorandom quantum state (JLS ’19, BS ’20)

efficient, stateless This work: quantum state “lazy sampling” efficient, stateful None

∞

1 ↦ |ϕ⟩

time ≤ poly(λ) poly(λ)

t

poly(n, t)

q ≤ t

poly(q, n)

Haar-random state .

|ϕ⟩ ∈ S ⊂ ℂ2n O(log (1/ε) ⋅ 2n) q ≤ O (1/ε)

ε

Can we simulate a random unitary?

Haar-random unitary U ∈ U(2n)

Can we simulate a random unitary?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

• Net

inefficient, stateless Haar-random unitary U ∈ U(2n)

∞

q ≤ O (1/ε)

ε

O(log (1/ε) ⋅ 22n) U

Can we simulate a random unitary?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

• Net

inefficient, stateless Unitary -design efficient, stateless

t

poly(n, t)

q ≤ t

Haar-random unitary U ∈ U(2n)

∞

q ≤ O (1/ε)

ε

O(log (1/ε) ⋅ 22n) U

Can we simulate a random unitary?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

• Net

inefficient, stateless Unitary -design efficient, stateless

Pseudorandom unitary??? (JLS ’19)

efficient, stateless

time ≤ poly(λ) poly(λ)

t

poly(n, t)

q ≤ t

Haar-random unitary U ∈ U(2n)

∞

q ≤ O (1/ε)

ε

O(log (1/ε) ⋅ 22n) U

Can we simulate a random unitary?

Oracle simulation for Randomness/ Memory cost Simulation Limit distinguisher Exact inefficient, stateless None

• Net

inefficient, stateless Unitary -design efficient, stateless

Pseudorandom unitary??? (JLS ’19)

efficient, stateless This work space-efficient, stateful None

time ≤ poly(λ) poly(λ)

t

poly(n, t)

q ≤ t

poly(q, n)

Haar-random unitary U ∈ U(2n)

∞

q ≤ O (1/ε)

ε

O(log (1/ε) ⋅ 22n) U

Example application: Haar money

No-cloning principle: quantum information cannot be copied. |ϕ⟩ ∈R S ⊂ ℂ2n Unforgeable ✓ Untraceable ✓

Can the Bank sample such a random state?

Haar money (JLS ’19): Oldest idea in quantum crypto: Let’s make money out of it!

Example application: Haar money

No-cloning principle: quantum information cannot be copied. |ϕ⟩ ∈R S ⊂ ℂ2n Unforgeable ✓ Untraceable ✓

Can the Bank sample such a random state?

Haar money (JLS ’19): Oldest idea in quantum crypto: Let’s make money out of it! No, but they can simulate it!

Example application: Haar money

No-cloning principle: quantum information cannot be copied. |ϕ⟩ ∈R S ⊂ ℂ2n Unforgeable ✓ Untraceable ✓

Can the Bank sample such a random state?

Haar money (JLS ’19): Oldest idea in quantum crypto: Let’s make money out of it! No, but they can simulate it! Two options:

• Use pseudorandom quantum state, computationally

secure untraceable quantum money (JLS ’19)

Example application: Haar money

No-cloning principle: quantum information cannot be copied. |ϕ⟩ ∈R S ⊂ ℂ2n Unforgeable ✓ Untraceable ✓

Can the Bank sample such a random state?

Haar money (JLS ’19): Oldest idea in quantum crypto: Let’s make money out of it! No, but they can simulate it! Two options:

• Use pseudorandom quantum state, computationally

secure untraceable quantum money (JLS ’19)

• Use stateful simulation, unconditionally secure

untraceable quantum money (AMR)

Limitations of stateless simulation

Stateless simulation scheme , pick , output copies of

⇔ {|ϕk⟩}k∈K k ∈R K |ϕk⟩

Limitations of stateless simulation

Stateless simulation scheme , pick , output copies of

⇔ {|ϕk⟩}k∈K k ∈R K |ϕk⟩

Problem: quantum states can be distinguished with probability

|ϕ⟩ ≠ |ψ⟩ ⇒ |ϕ⟩⊗n, |ψ⟩⊗n p(n) → 1 (n → ∞)

Limitations of stateless simulation

Stateless simulation scheme , pick , output copies of

⇔ {|ϕk⟩}k∈K k ∈R K |ϕk⟩

Problem: quantum states can be distinguished with probability

|ϕ⟩ ≠ |ψ⟩ ⇒ |ϕ⟩⊗n, |ψ⟩⊗n p(n) → 1 (n → ∞)

Also works for random states sampled according to different measures.

Limitations of stateless simulation

Stateless simulation scheme , pick , output copies of

⇔ {|ϕk⟩}k∈K k ∈R K |ϕk⟩

Problem: quantum states can be distinguished with probability

|ϕ⟩ ≠ |ψ⟩ ⇒ |ϕ⟩⊗n, |ψ⟩⊗n p(n) → 1 (n → ∞)

Statelessness implies query limit! Also works for random states sampled according to different measures.

Limitations of stateless simulation

Stateless simulation scheme , pick , output copies of

⇔ {|ϕk⟩}k∈K k ∈R K |ϕk⟩

Problem: quantum states can be distinguished with probability

|ϕ⟩ ≠ |ψ⟩ ⇒ |ϕ⟩⊗n, |ψ⟩⊗n p(n) → 1 (n → ∞)

Statelessness implies query limit! Also works for random states sampled according to different measures. Similar argument for unitaries.

Techniques

Going to both churches…

A random state and part of an entangled state look the same.

Going to both churches…

A random state and part of an entangled state look the same.

Deterministic

Going to both churches…

A random state and part of an entangled state look the same.

Random!

Going to both churches…

A random state and part of an entangled state look the same.

Random!

stateful oracle simulation without any randomness, just by maintaining entanglement with the distinguisher!

⇒

Going to both churches…

A random state and part of an entangled state look the same.

Random!

stateful oracle simulation without any randomness, just by maintaining entanglement with the distinguisher!

⇒

What do copies of a Haar random state look like to the distingusher?

ℓ

Going to both churches…

A random state and part of an entangled state look the same.

Random!

stateful oracle simulation without any randomness, just by maintaining entanglement with the distinguisher!

⇒

What do copies of a Haar random state look like to the distingusher?

ℓ

From representation theory: 𝔽|ψ⟩∼Haar [|ψ⟩

⟨ψ |⊗ℓ ] = τSymℓℂd

Stateful simulation algorithm

Fact: copies of a Haar random state look like a single Haar random state on the symmetric subspace

• f

looks like half a maximally entangled state on

ℓ Symd,ℓ ℂd ⊗ ℂd ⊗ … ⊗ ℂd Symd,ℓ ⊗ Symd,ℓ

Stateful simulation algorithm

Fact: copies of a Haar random state look like a single Haar random state on the symmetric subspace

• f

looks like half a maximally entangled state on

ℓ Symd,ℓ ℂd ⊗ ℂd ⊗ … ⊗ ℂd Symd,ℓ ⊗ Symd,ℓ

Strategy: 1. Maintain maximally entangled state of two copies of . 2. On query: extend it from to by acting on one of the copies only.

Symd,ℓ ℓ ℓ + 1

Stateful simulation algorithm

} }

Distinguisher Stateful simulator

Stateful simulation algorithm

} }

Distinguisher Stateful simulator Vℓ→ℓ+1

Stateful simulation algorithm

} }

Distinguisher Stateful simulator

Stateful simulation algorithm

} }

Distinguisher Stateful simulator

} }

Stateful simulation algorithm

Distinguisher Stateful simulator

Technical contributions

Technical contributions

• Several new algorithmic tools for garbageless quantum state preparation

Technical contributions

• Several new algorithmic tools for garbageless quantum state preparation
• Concrete algorithms: approximate algorithms for the extension of

maximally entangled states on symmetric subspaces by an additional copy

Technical contributions

• Several new algorithmic tools for garbageless quantum state preparation
• Concrete algorithms: approximate algorithms for the extension of

maximally entangled states on symmetric subspaces by an additional copy

• Stateful simulation of random unitaries: combining several nice ingredients.

Technical contributions

• Several new algorithmic tools for garbageless quantum state preparation
• Concrete algorithms: approximate algorithms for the extension of

maximally entangled states on symmetric subspaces by an additional copy

• Stateful simulation of random unitaries: combining several nice ingredients.
• first (we think) quantum application of exact unitary designs (Kane ’15)

Technical contributions

• Several new algorithmic tools for garbageless quantum state preparation
• Concrete algorithms: approximate algorithms for the extension of

maximally entangled states on symmetric subspaces by an additional copy

• Stateful simulation of random unitaries: combining several nice ingredients.
• first (we think) quantum application of exact unitary designs (Kane ’15)
• Exact adaptive-to-nonadaptive reduction using “postselection”

Technical contributions

• Several new algorithmic tools for garbageless quantum state preparation
• Concrete algorithms: approximate algorithms for the extension of

maximally entangled states on symmetric subspaces by an additional copy

• Stateful simulation of random unitaries: combining several nice ingredients.
• first (we think) quantum application of exact unitary designs (Kane ’15)
• Exact adaptive-to-nonadaptive reduction using “postselection”
• Uniqueness property of the Stinespring dilation

Summary, open questions

Summary:

• We develop a theory of stateful simulation of random quantum primitives.
• Random quantum states can be approximately simulated efficiently using a stateful

algorithm

• Random unitaries can be simulated exactly in a space-efficient way using a stateful

algorithm.

• The random state simulator can be used to construct unconditionally secure untraceable

quantum money. Open questions:

• Can we simulate random unitaries efficiently?
• (From JLS ’19) Construct pseudorandom unitaries!