Efficient Simulation of Random States and Random Unitaries
Gorjan Alagic, Christian Majenz and Alexander Russell
QCrypt 2020, in Cyberspace
Results — overview
‣ We study the simulation of random quantum objects, i.e. random quantum states and random unitary operations
‣ We develop a theory of their stateful simulation, a quantum analogue of “lazy sampling”
‣ For random states, we develop an efficient protocol for stateful simulation
‣ For random unitaries, we show that simulation can be done in polynomial space
‣ As an application, we design a quantum money scheme that is unconditionally unforgeable and untraceable.
Introduction
Randomness… …is extremely useful. Applications:
‣ All of cryptography
‣ Monte Carlo simulation
‣ Randomized algorithms
‣ …
Easy example: random string
Random element $x \in_R \{0,1\}^n$
‣ Exact: runtime limit on distinguisher: No; randomness cost: $n$
‣ Pseudorandom generator: runtime limit on distinguisher: poly($\lambda$); randomness cost: poly($\lambda$)
Another example: random function
Function $f : \{0,1\}^m \to \{0,1\}^n$ such that $f(x) \in_R \{0,1\}^n$ independently
Oracle simulation for $f$, with its randomness cost, whether the simulation is stateful, and the limit on the distinguisher (runtime, memory, or # of queries $q$):
‣ Exact: randomness cost $n \cdot 2^m$; stateful simulation: No; limit on distinguisher: None
‣ $t$-wise independent function: randomness cost $O(t \cdot n)$; stateful simulation: No; limit on distinguisher: $q \le t$; application: information-theoretically secure message authentication
‣ Pseudorandom function: randomness cost poly($\lambda$); stateful simulation: No; limit on distinguisher: time $\le$ poly($\lambda$); application: computationally secure symmetric-key crypto
‣ “Lazy sampling”: randomness cost $q \cdot n$; stateful simulation: Yes; limit on distinguisher: None; application: random oracle model security (e.g. indifferentiability)
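The “lazy sampling” and $t$-wise independent rows of the comparison above, as an added example that is not code from the talk: the lazy oracle keeps state and pays for randomness only per distinct query, while the stateless polynomial construction stops looking random at query $t+1$. The field GF(P) with P = 2^127 − 1 stands in for $\{0,1\}^n$, and all class and function names are illustrative assumptions.

```python
import secrets

P = 2**127 - 1  # Mersenne prime; GF(P) stands in for {0,1}^n (assumption)

class LazyRandomFunction:
    """Stateful simulation: f(x) is sampled the first time x is queried."""
    def __init__(self):
        self.table = {}         # simulator state: every answer given so far
        self.fresh_samples = 0  # randomness cost grows with q, not with 2^m

    def query(self, x):
        if x not in self.table:
            self.table[x] = secrets.randbelow(P)
            self.fresh_samples += 1
        return self.table[x]

class TWiseIndependentFunction:
    """Stateless simulation: random polynomial of degree < t over GF(P)."""
    def __init__(self, t):
        # t field elements of randomness, i.e. O(t * n) bits, fixed up front
        self.coeffs = [secrets.randbelow(P) for _ in range(t)]

    def query(self, x):
        acc = 0
        for c in reversed(self.coeffs):  # Horner evaluation
            acc = (acc * x + c) % P
        return acc

def interpolate(points, x):
    """Lagrange interpolation over GF(P): value at x of the unique
    polynomial of degree < len(points) through the (xi, yi) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def extra_query_is_predictable(oracle, t):
    """Make t queries, predict the answer to query t+1, then check it."""
    points = [(x, oracle.query(x)) for x in range(1, t + 1)]
    return interpolate(points, t + 1) == oracle.query(t + 1)
```

Within $q \le t$ queries the polynomial's answers are independent and uniform over GF(P); the lazy oracle has no such query limit, at the price of a table that grows with $q$.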
Quantum states and operations
‣ Quantum state: unit vector $|\phi\rangle \in S \subset \mathbb{C}^{2^n}$ (sphere). Strictly speaking: $|\phi\rangle \in \mathbb{P}^{2^n-1}(\mathbb{C})$, projective space
‣ Quantum operation: unitary matrix $U \in \mathrm{U}(2^n) \subset \mathbb{C}^{2^n \times 2^n}$, the (compact Lie) group of unitary $2^n \times 2^n$ matrices
Really nice mathematical objects with a natural notion of a uniform distribution! Haar measure
Example application: Haar money
No-cloning principle: quantum information cannot be copied.
Oldest idea in quantum crypto: Let’s make money out of it!
Haar money (JLS ’19): $|\phi\rangle \in_R S \subset \mathbb{C}^{2^n}$
(figure: several copies of $|\phi\rangle$)
Unforgeable ✓ Untraceable ✓
Can the Bank sample such a random state?
Simulation of random quantum objects
Can we sample a random quantum state?
Haar-random state $|\phi\rangle \in S \subset \mathbb{C}^{2^n}$.
Oracle simulation for $1 \mapsto |\phi\rangle$, with its randomness/memory cost, the kind of simulation, and the limit on the distinguisher ($q$ = # of queries):
‣ Exact: randomness/memory cost $\infty$; simulation: inefficient, stateless; limit on distinguisher: None
‣ $\varepsilon$-Net: randomness/memory cost $O(\log(1/\varepsilon) \cdot 2^n)$; simulation: inefficient, stateless; limit on distinguisher: $q \le O(1/\varepsilon)$
‣ State $t$-design: randomness/memory cost poly($n, t$); simulation: efficient, stateless; limit on distinguisher: $q \le t$
‣ Pseudorandom quantum state (JLS ’19, BS ’20): randomness/memory cost poly($\lambda$); simulation: efficient, stateless; limit on distinguisher: time $\le$ poly($\lambda$)
‣ This work: quantum state “lazy sampling”: randomness/memory cost poly($q, n$); simulation: efficient, stateful; limit on distinguisher: None
Can we simulate a random unitary?
Haar-random unitary $U \in \mathrm{U}(2^n)$