Efficient Simulation of Random States and Random Unitaries Gorjan - PowerPoint PPT Presentation

Efficient Simulation of Random States and Random Unitaries Gorjan Alagic, Christian Majenz and Alexander Russell Eurocrypt 2020, in Cyberspace

Results — overview ‣ We study the simulation of random quantum objects , i.e. random states and random unitary operations ‣ We develop a theory of their stateful simulation , a quantum analogue of Lazy sampling ‣ For random states, we develop an efficient protocol for stateful simulation ‣ For random unitaries, we devise a simulation method that runs in polynomial space ‣ As an application , we design a quantum money scheme that is unconditionally unforgeable and untraceable.

Introduction

Randomness… …is extremely useful. Applications: ‣ All of cryptography ‣ Monte Carlo simulation ‣ Randomized algorithms ‣ …

Easy example: random string Random element x ∈ R {0,1} n

Easy example: random string Random element x ∈ R {0,1} n Runtime limit Randomness cost distinguisher Exact No n

Easy example: random string Random element x ∈ R {0,1} n Runtime limit Randomness cost distinguisher Exact No n Pseudorandom poly( λ ) poly( λ ) generator

Another example: random function f : {0,1} m → {0,1} n Function such that independently f ( x ) ∈ R {0,1} n

Another example: random function f : {0,1} m → {0,1} n Function such that independently f ( x ) ∈ R {0,1} n Oracle Randomness Stateful Runtime limit Query limit simulation for cost simulation distinguisher distinguisher f n ⋅ 2 m Exact No None None

Another example: random function runtime, f : {0,1} m → {0,1} n ≤ Function such that independently f ( x ) ∈ R {0,1} n memory Oracle Randomness Stateful Runtime limit Query limit simulation for cost simulation distinguisher distinguisher f n ⋅ 2 m Exact No None None

Another example: random function f : {0,1} m → {0,1} n Function such that independently f ( x ) ∈ R {0,1} n Oracle Randomness Stateful Runtime limit Query limit simulation for cost simulation distinguisher distinguisher f n ⋅ 2 m Exact No None None -wise t O ( t ⋅ n ) No None independent t function

Another example: random function f : {0,1} m → {0,1} n Function such that independently f ( x ) ∈ R {0,1} n Oracle Randomness Stateful Runtime limit Query limit simulation for cost simulation distinguisher distinguisher f n ⋅ 2 m Exact No None None -wise t O ( t ⋅ n ) No None independent t function Pseudorandom poly( λ ) No poly( λ ) None function

Another example: random function f : {0,1} m → {0,1} n Function such that independently f ( x ) ∈ R {0,1} n Oracle Randomness Stateful Runtime limit Query limit simulation for cost simulation distinguisher distinguisher f n ⋅ 2 m Exact No None None -wise t O ( t ⋅ n ) No None independent t function Pseudorandom poly( λ ) No poly( λ ) None function “Lazy q ⋅ n Yes None None sampling” # of queries

Quantum states and operations

Quantum states and operations Quantum state: unit vector | ϕ ⟩ ∈ S ⊂ ℂ 2 n Sphere

Quantum states and operations Quantum state: unit vector | ϕ ⟩ ∈ S ⊂ ℂ 2 n Sphere Strictly speaking: , | ϕ ⟩ ∈ P 2 n − 1 ( ℂ ) projective space

Quantum states and operations Quantum state: unit vector Quantum operation: unitary | ϕ ⟩ ∈ S ⊂ ℂ 2 n matrix U ∈ U(2 n ) ⊂ ℂ 2 n × 2 n Sphere Strictly speaking: (Compact Lie-)group , of unitary | ϕ ⟩ ∈ P 2 n − 1 ( ℂ ) 2 n × 2 n -matrices projective space

Quantum states and operations Quantum state: unit vector Quantum operation: unitary | ϕ ⟩ ∈ S ⊂ ℂ 2 n matrix U ∈ U(2 n ) ⊂ ℂ 2 n × 2 n Sphere Strictly speaking: (Compact Lie-)group , of unitary | ϕ ⟩ ∈ P 2 n − 1 ( ℂ ) 2 n × 2 n -matrices projective space Really nice mathematical objects with a natural notion of a uniform distribution!

Quantum states and operations Quantum state: unit vector Quantum operation: unitary | ϕ ⟩ ∈ S ⊂ ℂ 2 n matrix U ∈ U(2 n ) ⊂ ℂ 2 n × 2 n Sphere Strictly speaking: (Compact Lie-)group , of unitary | ϕ ⟩ ∈ P 2 n − 1 ( ℂ ) 2 n × 2 n -matrices projective space Really nice mathematical objects with a natural notion of a uniform distribution! Haar measure

Example application: Haar money No-cloning principle: quantum information cannot be copied.

Example application: Haar money No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it!

Example application: Haar money No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! Haar money (JLS ’19): | ϕ ⟩ ∈ R S ⊂ ℂ 2 n

Example application: Haar money No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! Haar money (JLS ’19): | ϕ ⟩ | ϕ ⟩ ∈ R S ⊂ ℂ 2 n | ϕ ⟩ | ϕ ⟩ | ϕ ⟩

Example application: Haar money No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! Haar money (JLS ’19): | ϕ ⟩ | ϕ ⟩ ∈ R S ⊂ ℂ 2 n | ϕ ⟩ | ϕ ⟩ | ϕ ⟩ Unforgeable ✓

Example application: Haar money No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! Haar money (JLS ’19): | ϕ ⟩ | ϕ ⟩ ∈ R S ⊂ ℂ 2 n | ϕ ⟩ | ϕ ⟩ | ϕ ⟩ Unforgeable ✓ Untraceable ✓

Example application: Haar money No-cloning principle: quantum information cannot be copied. Oldest idea in quantum crypto: Let’s make money out of it! Can the Bank Haar money (JLS ’19): sample such a random state? | ϕ ⟩ | ϕ ⟩ ∈ R S ⊂ ℂ 2 n | ϕ ⟩ | ϕ ⟩ | ϕ ⟩ Unforgeable ✓ Untraceable ✓

Simulation of random quantum objects

Can we sample a random quantum state? | ϕ ⟩ ∈ S ⊂ ℂ 2 n Haar-random state .

Can we sample a random quantum state? | ϕ ⟩ ∈ S ⊂ ℂ 2 n Haar-random state . Oracle Randomness/ Runtime limit Query limit Simulation simulation for Memory cost distinguisher distinguisher 1 ↦ | ϕ ⟩ inefficient, Exact ∞ None None stateless

Can we sample a random quantum state? | ϕ ⟩ ∈ S ⊂ ℂ 2 n Haar-random state . Oracle Randomness/ Runtime limit Query limit Simulation simulation for Memory cost distinguisher distinguisher 1 ↦ | ϕ ⟩ inefficient, Exact ∞ None None stateless inefficient, ε -Net O (log (1/ ε ) ⋅ 2 n ) None O (1/ ε ) stateless

Can we sample a random quantum state? | ϕ ⟩ ∈ S ⊂ ℂ 2 n Haar-random state . Oracle Randomness/ Runtime limit Query limit Simulation simulation for Memory cost distinguisher distinguisher 1 ↦ | ϕ ⟩ inefficient, Exact ∞ None None stateless inefficient, ε -Net O (log (1/ ε ) ⋅ 2 n ) None O (1/ ε ) stateless efficient, State -design None poly( n , t ) t t stateless

Can we sample a random quantum state? | ϕ ⟩ ∈ S ⊂ ℂ 2 n Haar-random state . Oracle Randomness/ Runtime limit Query limit Simulation simulation for Memory cost distinguisher distinguisher 1 ↦ | ϕ ⟩ inefficient, Exact ∞ None None stateless inefficient, ε -Net O (log (1/ ε ) ⋅ 2 n ) None O (1/ ε ) stateless efficient, State -design None poly( n , t ) t t stateless Pseudorandom efficient, None poly( λ ) poly( λ ) quantum state stateless (JLS ’19, BS ’20)

Can we sample a random quantum state? | ϕ ⟩ ∈ S ⊂ ℂ 2 n Haar-random state . Oracle Randomness/ Runtime limit Query limit Simulation simulation for Memory cost distinguisher distinguisher 1 ↦ | ϕ ⟩ inefficient, Exact ∞ None None stateless inefficient, ε -Net O (log (1/ ε ) ⋅ 2 n ) None O (1/ ε ) stateless efficient, State -design None poly( n , t ) t t stateless Pseudorandom efficient, None poly( λ ) poly( λ ) quantum state stateless (JLS ’19, BS ’20) This work: efficient, quantum “lazy None None poly( q , n ) stateful sampling” # of queries

Can we simulate a random unitary? Haar-random unitary U ∈ U(2 n )

Can we simulate a random unitary? Haar-random unitary U ∈ U(2 n ) Oracle Randomness/ Runtime limit Query limit Simulation simulation for Memory cost distinguisher distinguisher U inefficient, Exact ∞ None None stateless inefficient, ε -Net None O (log (1/ ε ) ⋅ 2 2 n ) O (1/ ε ) stateless

Can we simulate a random unitary? Haar-random unitary U ∈ U(2 n ) Oracle Randomness/ Runtime limit Query limit Simulation simulation for Memory cost distinguisher distinguisher U inefficient, Exact ∞ None None stateless inefficient, ε -Net None O (log (1/ ε ) ⋅ 2 2 n ) O (1/ ε ) stateless Unitary efficient, None poly( n , t ) t -design stateless t

Can we simulate a random unitary? Haar-random unitary U ∈ U(2 n ) Oracle Randomness/ Runtime limit Query limit Simulation simulation for Memory cost distinguisher distinguisher U inefficient, Exact ∞ None None stateless inefficient, ε -Net None O (log (1/ ε ) ⋅ 2 2 n ) O (1/ ε ) stateless Unitary efficient, None poly( n , t ) t -design stateless t Pseudorandom efficient, None poly( λ ) poly( λ ) unitary??? stateless (JLS ’19)