# Pseudorandom States, Non-Cloning Theorems and Quantum Money

We propose the concept of pseudorandom states and study their constructions, properties, and applications. Under the assumption that quantum-secure one-way functions exist, we present concrete and efficient constructions of pseudorandom states. The non-cloning theorem plays a central role in our study---it motivates the proper definition and characterizes one of the important properties of pseudorandom quantum states. Namely, there is no efficient quantum algorithm that can create more copies of the state from a given number of pseudorandom states. As the main application, we prove that any family of pseudorandom states naturally gives rise to a private-key quantum money scheme.

## 1 Introduction

Pseudorandomness is one of the foundational concepts in modern cryptography and theoretical computer science. A distribution, a function, or a permutation is pseudorandom if it is computationally indistinguishable from a corresponding truly random object [35, 41, 9]. Pseudorandom objects, such as pseudorandom generators (PRGs), pseudorandom functions (PRFs) and pseudorandom permutations (PRPs), are fundamental and ubiquitous cryptographic building blocks in the design of stream ciphers, block ciphers and message authentication codes [19, 25, 18, 34, 21]. In complexity theory, pseudorandomness is of vital importance to an area called derandomization [29, 22].

In quantum information, truly random bits can be generated easily with trusted or even untrusted quantum devices. Is pseudorandomness, a seemingly weaker notion of randomness, still relevant in the context of quantum information processing? The answer is yes. Pseudorandom objects are usually much more computationally efficient. By a simple counting argument, one needs exponentially many bits even to specify a truly random function or permutation on -bit strings. Hence, truly random objects are not feasible in most cryptographic applications. In this sense, we should think of pseudorandomness not as a weaker but as a different variant of randomness with its own characteristics and strength.

There are recent studies of pseudorandom objects from quantum information perspectives motivated by their applications in post-quantum cryptography. One natural question is whether the classical constructions such as PRFs and PRPs remain secure in the quantum setting. This is a challenging task as, for example, a quantum adversary may query the underlying function or permutation in superposition. Fortunately, many positive results have been restored so far. Assuming a one-way function that is hard to invert for polynomial-time quantum algorithms, we can attain quantum-secure PRGs as well as PRFs [21, 43]. Furthermore, assuming quantum-secure PRFs, one can construct quantum-secure PRPs using various shuffling constructions [45, 36].

A related area of development in quantum information concerns state -designs and unitary -designs [4, 14, 20, 10, 13, 23, 37, 46]. These are quantum analogues of -wise independent random variables, which are another useful relaxation of randomness. The major difference between -wise independence and pseudorandomness is the following. In the case of -wise independence, the observer who receives the randomness is only given a fixed number of samples, but may be computationally unbounded; hence quantum -designs satisfy an “information theoretic” or “statistical” notion of security. In contrast, in the case of pseudorandomness, the observer who receives the randomness is assumed to be computationally efficient; this leads to a “computational” notion of security, based on some complexity theoretic assumption (e.g., the existence of one-way functions).

In general, these two notions, -wise independence and pseudorandomness, are incomparable. On one hand, the setting of pseudorandomness imposes stronger restrictions on the observer, since it assumes a bound on the observer’s computational effort (say, running in probabilistic polynomial time). On the other hand, the setting of -wise independence imposes stronger restrictions on the observer, since it forces the observer to be non-adaptive and limits the number of input copies to the fixed parameter , which is usually a constant or a fixed polynomial. In addition, different distance measures are often used, e.g., trace distance or diamond norm, versus computational distinguishability.

In this work, we study pseudorandom quantum objects such as quantum states and unitary operators. Quantum states (in analogy to strings) and unitary operations (in analogy to functions) form continuous spaces, and a “random” state or unitary operation inevitably exhibits unique as well as puzzling features. Formally, people consider the Haar measure to capture perfect randomness on the spaces of quantum states and unitary operators. A natural basic question is:

How to define and construct computational pseudorandom approximations of Haar randomness, and what are their applications?

Our contributions. We set forth to attack this question formally. To this end, we propose definitions of pseudorandom quantum states (PRS’s) and pseudorandom unitary operators (PRUs), present efficient constructions of PRS’s, and demonstrate their applications such as private-key quantum money schemes and quantum thermalization. Our main contributions include:

1. We propose a suitable definition of quantum pseudorandom states.

What is a proper definition of PRS’s? It is obvious that we should employ the notion of quantum computational indistinguishability in the definition of quantum pseudorandom states. Roughly, we consider a collection of quantum states indexed by ; and as in the definition of pseudorandom distributions, we may require that no efficient quantum algorithm can tell the difference between for a random and a state drawn according to the Haar measure. This is a reasonable definition that has been seriously considered in the literature (e.g. [11, 12]). Although this definition may be applicable in certain situations, it does not seem to grasp the quantum nature of the problem as purely classical distributions may also satisfy the definition. (Footnote 1: For example, a uniform distribution over the computational basis state has identical density matrix as the Haar random states. Yet there are absolutely no quantum phenomena in this family of states, and most of the interesting applications discussed later in this paper become impossible.) Instead, we require that no adversary can tell the difference even given any polynomially many copies of the state. This stronger definition, motivated by the non-cloning theorem, will in turn give rise to an interesting non-cloning theorem for pseudorandom states. One can argue that this definition is also a faithful generalization of pseudorandom distributions to the quantum state setting: the access to many copies is not explicitly mentioned classically as one can always make arbitrarily many copies of classical information. It is also consistent with the definition of pseudorandom unitary operators discussed later in this paper.

2. We present concrete efficient constructions of PRS’s with the minimal assumption that quantum-secure one-way functions exist.

Our construction uses any quantum-secure and computes it into the phases of a uniform superposition state. We call such a family of PRS the random phase states. This family of states can be efficiently generated using the quantum Fourier transform and a phase kick-back trick. We prove that this family of states is pseudorandom by a hybrid argument. By the quantum security of PRF, the family is computationally indistinguishable from a similar state family defined by truly random functions. We then prove that this state family corresponding to truly random functions is statistically indistinguishable from Haar random states. Finally, by the fact that PRF exists assuming quantum-secure one-way functions, we can base our PRS construction on quantum-secure one-way functions.

3. We establish interesting properties of PRS’s and discuss several applications. These include the cryptographic non-cloning theorems for PRS’s and the construction of private-key quantum money schemes based on PRS’s.

We prove that a PRS remains pseudorandom, even if we additionally give the distinguisher an oracle that reflects about the given state (i.e., ). This establishes the equivalence between the standard and a strong definition of PRS’s. Technically, this is proved using the fact that with polynomially many copies of the state, one can approximately simulate the reflection oracle .

We obtain general cryptographic non-cloning theorems of PRS’s both with and without the reflection oracle. The theorems roughly state that given any polynomially many copies of pseudorandom states, no polynomial-time quantum algorithm can produce even one more copy of the state. We call them cryptographic non-cloning theorems due to the background of PRS’s in pseudorandomness. The proofs of these theorems use SWAP tests in the reduction from a hypothetical cloning algorithm to an efficient distinguishing algorithm violating the definition of PRS’s.

Using the strong pseudorandomness and the cryptographic non-cloning theorem with reflection oracle, we are able to give simple proofs that the corresponding private-key quantum money scheme is secure. We stress that provably secure quantum money schemes had been elusive until Aaronson and Christiano finally proved the first secure scheme in the black-box setting in 2012 [2]. They used a specific construction based on hidden subspace states, whereas our construction is more generic and can be based on any PRS. The freedom to choose and tweak the underlying pseudorandom functions or permutations in the PRS may motivate and facilitate the construction of public-key quantum money schemes in future work. Our proof also takes an arguably simpler route than that in [2].

In general, PRS’s may be used in place of high-order quantum -designs, giving a performance improvement in certain applications. For example, pseudorandom states can be used to construct toy models of quantum thermalization, where one is interested in quantum states that can be prepared efficiently (via some dynamical process), yet have “generic” or “typical” properties (as exemplified by Haar-random pure states, for instance) [32]. Using -designs with polynomially large , one can construct states that are “generic” in a strong information-theoretic sense [24]. Using PRS, one can construct states that satisfy a weaker property: they are computationally indistinguishable from “generic” states, for a polynomial-time observer. But the PRS states may be more physically plausible, because they can be prepared in a shorter time (e.g., by a polylogarithmic-depth quantum circuit).

4. We propose a definition of quantum pseudorandom unitary operators (PRUs). We also present candidate constructions of PRUs (without a proof of security), by extending our techniques for constructing PRS’s.

Discussion. We summarize the mentioned variants of randomness in Table 1. The focus of this work is mostly about PRS’s and we briefly touch upon PRUs. We view our work as an initial step in an exciting direction and expect more applications and new questions inspired by our notion of pseudorandom states and unitary operators.

Here, we point out some open problems which are particularly important and interesting. First, can we prove the security of our candidate PRU constructions? The techniques developed in quantum unitary designs [20, 10] seem helpful. Second, it is a natural question to ask whether quantum-secure one-way functions are necessary for the construction of PRS’s. Third, can we establish security proofs for more candidate constructions of PRS’s? Different constructions may have their own special properties that may be useful in different settings. Finally, it is interesting to explore whether our quantum money construction may be adapted to a public-key money scheme under reasonable cryptographic assumptions.

## 2 Preliminaries

### 2.1 Notions

For a finite set , denotes the number of elements in . We use the notion to denote the set of all functions . For finite set , we use to mean that is drawn uniformly at random from . The permutation group over elements in is denoted as . We use to denote the collection of polynomially bounded functions of the security parameter , and use to denote negligible functions in . A function is negligible if for all constant , for large enough .

In this paper, we use a quantum register to name a collection of qubits that we view as a single unit. Register names are represented by capital letters in a sans serif font. We use , , and to denote the set of pure quantum states, density operators, unitary operators and bounded linear operators on space respectively. An ensemble of states represents a system prepared in with probability . If the distribution is uniform, we write the ensemble as . The adjoint of matrix is denoted as . For matrix , is defined to be . The operator norm of matrix is the largest eigenvalue of . The trace norm of is the trace of . For two operators , the Hilbert-Schmidt inner product is defined as

$$\langle M, N \rangle = \operatorname{tr}(M^{*} N).$$

A quantum channel is a physically admissible transformation of quantum states. Mathematically, a quantum channel

$$E : L(H) \to L(K)$$

is a completely positive, trace-preserving linear map.

The trace distance of two quantum states is

$$D(\rho_0, \rho_1) \stackrel{\mathrm{def}}{=} \frac{1}{2} \left\| \rho_0 - \rho_1 \right\|_1. \tag{1}$$

It is well known that for a state drawn uniformly at random from the set , the optimal distinguishing probability is given by

$$\frac{1 + D(\rho_0, \rho_1)}{2}.$$

Define number and set . The quantum Fourier transform on qubits is defined as

 (2)

It is a well-known fact in quantum computing that can be implemented in time .

For Hilbert space and integer , we use to denote the symmetric subspace of , the subspace of states that are invariant under permutations of the subsystems. Let be the dimension of and let be the set such that is the span of . For any , define state

 (3)

The summation runs over all possible permutations that give different tuples . Equivalently, we have

 (4)

The coefficients in the front of the above two equations are normalization constants. The set of states

$$\left\{ |x; \mathrm{Sym}\rangle \right\}_{x \in X^m}$$

forms an orthonormal basis of the symmetric subspace . This implies that the dimension of the symmetric subspace is

$$\binom{N+m-1}{m}.$$

Let be the projection onto the symmetric subspace . For a permutation , define operator

We have the following useful identity

$$\Pi^{\mathrm{Sym}}_{m} = \frac{1}{m!} \sum_{\sigma \in S_m} W_\sigma. \tag{5}$$

Let be the Haar measure on , we have

### 2.2 Cryptography

In this section, we recall several definitions and results from cryptography that are necessary for this work.

Pseudorandom functions (PRF) and pseudorandom permutations (PRP) are important constructions in classical cryptography. Intuitively, they are families of functions or permutations that look like truly random functions or permutations to polynomial-time machines. In the quantum case, we need a stronger requirement that they still look random even to polynomial-time quantum algorithms.

###### Definition 1 (Quantum-Secure Pseudorandom Functions and Permutations).

Let , , be the key space, the domain and range, all implicitly depending on the security parameter . A keyed family of functions is a quantum-secure pseudorandom function (QPRF) if for any polynomial-time quantum oracle algorithm , with a random is indistinguishable from a truly random function in the sense that:

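$$\left| \Pr_{k \leftarrow K}\left[ A^{\mathrm{PRF}_k}(1^{\kappa}) = 1 \right] - \Pr_{f \leftarrow Y^{X}}\left[ A^{f}(1^{\kappa}) = 1 \right] \right| = \mathrm{negl}(\kappa).$$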

Similarly, a keyed family of permutations is a quantum-secure pseudorandom permutation (QPRP) if for any quantum algorithm making at most polynomially many queries, with a random is indistinguishable from a truly random permutation in the sense that:

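$$\left| \Pr_{k \leftarrow K}\left[ A^{\mathrm{PRP}_k}(1^{\kappa}) = 1 \right] - \Pr_{P \leftarrow S_{X}}\left[ A^{P}(1^{\kappa}) = 1 \right] \right| = \mathrm{negl}(\kappa).$$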

In addition, both and are polynomial-time computable (on a classical computer).

###### Fact 1.

QPRFs and QPRPs exist if quantum-secure one-way functions exist.

Zhandry proved the existence of QPRFs assuming the existence of one-way functions that are hard to invert even for quantum algorithms [43]. Assuming QPRF, one can construct QPRP using various shuffling constructions [45, 36]. Since a random permutation and a random function are indistinguishable by efficient quantum algorithms [42, 44], the existence of QPRP is hence equivalent to the existence of QPRF.

## 3 Pseudorandom Quantum States

In this section, we will discuss the definition and constructions of pseudorandom quantum states.

### 3.1 Definition of Pseudorandom States

Intuitively speaking, a family of pseudorandom quantum states is a set of random states that is indistinguishable from Haar random quantum states.

The first idea on defining pseudorandom states can be the following. Without loss of generality, we consider states in where is the Hilbert space for -qubit systems. We are given either a state randomly sampled from the set or a state sampled according to the Haar measure on , and we require that no efficient quantum algorithm will be able to tell the difference between the two cases.

However, this definition does not seem to grasp the quantum nature of the problem. First, the state family where each is a uniform random bit string will satisfy the definition—in both cases, the mixed states representing the ensemble are . Second, many of the applications that we can find for PRS’s will not hold for this definition.

Instead, we require that the family of states looks random even if polynomially many copies of the state are given to the distinguishing algorithm. We argue that this is the more natural way to define pseudorandom states. One can see that this definition also naturally generalizes the definition of pseudorandomness in the classical case to the quantum setting. In the classical case, asking for more copies of a string is always possible and one does not bother making this explicit in the definition. This of course also rules out the example of classical random bit strings we discussed before. Moreover, this strong definition, once established, is rather flexible to use when studying the properties and applications of pseudorandom states.

###### Definition 2 (Pseudorandom Quantum States (PRS’s)).

Let be a Hilbert space and the key space. and depend on the security parameter . A keyed family of quantum states is pseudorandom, if the following two conditions hold:

1. (Efficient generation). There is a polynomial-time quantum algorithm that generates state on input . That is, for all , .

2. (Pseudorandomness). Any polynomially many copies of with the same random is computationally indistinguishable from the same number of copies of a Haar random state. More precisely, for any efficient quantum algorithm and any ,

where is the Haar measure on .

### 3.2 Constructions and Analysis

In this section, we give an efficient construction of pseudorandom states which we call random phase states. We will prove that this family of states satisfies our definition of PRS’s. There are other interesting and simpler candidate constructions, but the family of random phase states is the easiest to analyze.

Let be a quantum-secure pseudorandom function with key space , and . and are implicitly functions of the security parameter . The family of pseudorandom states of qubits is defined

 (6)

for and .

###### Theorem 1.

For any QPRF , the family of states defined in Eq. (6) is a PRS.

###### Proof.

First, we prove that the state can be efficiently prepared with a single query to . As is efficient, this proves the efficient generation property.

The state generation algorithm works as follows. First, it prepares a state

$$\frac{1}{N} \sum_{x \in X} |x\rangle \sum_{y \in X} \omega_N^{y} |y\rangle.$$

This can be done by applying to the first register initialized in and the quantum Fourier transform to the second register in state .

Then the algorithm calls on the first register and subtracts the result from the second register, giving state

$$\frac{1}{N} \sum_{x \in X} |x\rangle \sum_{y \in X} \omega_N^{y} \left| y - \mathrm{PRF}_k(x) \right\rangle.$$

The state can be rewritten as

Therefore, the effect of this step is to transform the first register to the required form and leave the second register intact.

Next, we prove the pseudorandomness property of the family. For this purpose, we consider three hybrids. In the first hybrid , the state will be for a uniform random . In the second hybrid , the state is for truly random functions where

$$|f\rangle = \frac{1}{\sqrt{N}} \sum_{x \in X} \omega_N^{f(x)} |x\rangle.$$

In the third hybrid , the state is for chosen according to the Haar measure.

By the definition of the quantum-secure pseudorandom functions for PRF, we have for any polynomial-time quantum algorithm and any ,

$$\left| \Pr[A(H_1) = 1] - \Pr[A(H_2) = 1] \right| = \mathrm{negl}(\kappa).$$

By Lemma 2, we have for any algorithm and ,

$$\left| \Pr[A(H_2) = 1] - \Pr[A(H_3) = 1] \right| = \mathrm{negl}(\kappa).$$

This completes the proof by triangle inequality. ∎
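The generation step used in the proof above, simulated on a small two-register state vector. This is an added example, not code from the paper: it assumes ω_N = e^{2πi/N} and X = {0, …, N−1}, uses a constructed lookup table `SAMPLE_F` in place of the keyed PRF, and all function names are illustrative.

```python
import cmath
import math

# Constructed sample: a fixed table standing in for x -> PRF_k(x) on X = {0..7}.
SAMPLE_N = 8
SAMPLE_F = [3, 0, 7, 1, 4, 4, 2, 6]


def omega(N, e):
    """omega_N ** e, with omega_N = exp(2*pi*i/N) (assumed definition)."""
    return cmath.exp(2j * cmath.pi * (e % N) / N)


def initial_state(N):
    """(1/N) * sum_x |x> sum_y omega_N^y |y>, stored as {(x, y): amplitude}."""
    return {(x, y): omega(N, y) / N for x in range(N) for y in range(N)}


def subtract_oracle(state, f, N):
    """Apply the reversible map |x>|y> -> |x>|y - f(x) mod N> to every term."""
    out = {}
    for (x, y), amp in state.items():
        key = (x, (y - f[x]) % N)
        out[key] = out.get(key, 0) + amp
    return out


def product_state(first, second):
    """Tensor product of two single-register amplitude lists."""
    return {(x, y): a * b
            for x, a in enumerate(first)
            for y, b in enumerate(second)}


def max_deviation(s1, s2):
    """Largest amplitude difference between two states over all basis terms."""
    return max(abs(s1.get(k, 0) - s2.get(k, 0)) for k in set(s1) | set(s2))


def norm_squared(state):
    return sum(abs(a) ** 2 for a in state.values())


def kickback_error(f, N):
    """Distance between the state after the subtraction step and the product
    (1/sqrt(N) sum_x omega_N^{f(x)} |x>) (x) (1/sqrt(N) sum_y omega_N^y |y>)."""
    after = subtract_oracle(initial_state(N), f, N)
    phase_state = [omega(N, f[x]) / math.sqrt(N) for x in range(N)]
    second_register = [omega(N, y) / math.sqrt(N) for y in range(N)]
    return max_deviation(after, product_state(phase_state, second_register))


if __name__ == "__main__":
    print("deviation from product form:", kickback_error(SAMPLE_F, SAMPLE_N))
```

The deviation is at floating-point level: the subtraction moves the value f(x) into the phase of the first register and leaves the second register in the Fourier state it started in.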

###### Lemma 2.

For function , define quantum state

$$|f\rangle = \frac{1}{\sqrt{N}} \sum_{x \in X} \omega_N^{f(x)} |x\rangle.$$

For , the state ensemble is statistically indistinguishable from for Haar random .

###### Proof.

Let be the number of copies of the state. We have

where and . For later convenience, define density matrix

We will compute the entries of explicitly.

For , let be the number of in for . Obviously, one has . Note that we have omitted the dependence of on for simplicity. Recall the basis states defined in Eq. (4)

For , let be the number of in and be the number of in .

We can compute the entries of as

It is not hard to verify that the entry is nonzero only if is a permutation of . These nonzero entries are on the diagonal of in the basis of . These diagonal entries are

Let be the density matrix of a random for chosen from the Haar measure . It is well-known that

We need to prove

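$$D(\rho^{m}, \rho^{m}_{\mu}) = \mathrm{negl}(\kappa).$$

Define

$$\delta_{x;\mathrm{Sym}} = \frac{m!}{N^{m} \prod_{j \in X} m_j!} - \binom{N+m-1}{m}^{-1}.$$

Then

$$D(\rho^{m}, \rho^{m}_{\mu}) = \frac{1}{2} \sum_{x;\mathrm{Sym}} \left| \delta_{x;\mathrm{Sym}} \right|.$$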

The ratio of the two terms in is

For sufficiently large security parameter , the ratio is larger than only if , which corresponds to ’s whose entries are all distinct. As there are such ’s, we can calculate the trace distance as

For , both terms in the last line of the equation are for sufficiently large security parameter , and this completes the proof. ∎
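The trace distance from the proof above, evaluated exactly for concrete N and m. This is an added example, not code from the paper: it takes the two terms of δ_{x;Sym} as the diagonal entry of the random-phase ensemble and of the Haar ensemble, groups the symmetric basis states by multiplicity pattern (an integer partition of m), and uses illustrative function names.

```python
from collections import Counter
from fractions import Fraction
from math import comb, factorial, perm


def partitions(m, largest=None):
    """Yield the integer partitions of m as non-increasing tuples."""
    if largest is None:
        largest = m
    if m == 0:
        yield ()
        return
    for part in range(min(m, largest), 0, -1):
        for rest in partitions(m - part, part):
            yield (part,) + rest


def multisets_with_pattern(N, pattern):
    """Number of size-m multisets over X (|X| = N) whose nonzero
    multiplicities m_j are exactly the entries of `pattern`."""
    k = len(pattern)
    if k > N:
        return 0
    count = perm(N, k)                         # ordered choice of k distinct elements
    for repeats in Counter(pattern).values():  # equal multiplicities are interchangeable
        count //= factorial(repeats)
    return count


def trace_distance(N, m):
    """Exact value of (1/2) * sum over |x;Sym> of |delta_{x;Sym}|."""
    haar = Fraction(1, comb(N + m - 1, m))     # Haar diagonal entry
    total = Fraction(0)
    weight = Fraction(0)
    for pattern in partitions(m):
        denom = N ** m
        for mj in pattern:
            denom *= factorial(mj)
        diag = Fraction(factorial(m), denom)   # m! / (N^m * prod_j m_j!)
        count = multisets_with_pattern(N, pattern)
        total += count * abs(diag - haar)
        weight += count * diag
    if weight != 1:                            # diagonal entries must sum to 1
        raise ArithmeticError("diagonal entries do not sum to 1")
    return total / 2


if __name__ == "__main__":
    for n_qubits in (5, 10, 20, 40):
        N = 2 ** n_qubits
        for m in (2, 8, 32):
            print(n_qubits, m, float(trace_distance(N, m)))
```

For fixed m the distance shrinks roughly like m²/N, so with N exponential in the security parameter any polynomial number of copies leaves a negligible statistical gap.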

We remark that a similar family of states was considered in [1] (Theorem 3). However, the size of the state family there depends on a parameter which should be larger than the sum of the number of state copies and the number of queries. In our construction, the key space is fixed for a given security parameter, which may be advantageous for various applications.

We mention several other candidate constructions of PRS’s and leave detailed analysis of them to future work. A construction closely related to the random phase states in Eq. (6) uses random phases,

$$|\phi_k\rangle = \frac{1}{\sqrt{N}} \sum_{x \in X} (-1)^{\mathrm{PRF}_k(x)} |x\rangle.$$

Intuitively, this family is less random than the random phase states in Eq. (6) and the corresponding density matrix has small off-diagonal entries, making the proof more challenging. The other family of candidate states on qubits takes the form

$$|\phi_k\rangle = \frac{1}{\sqrt{N}} \, \mathrm{PRP}_k \left[ \sum_{x \in X} |x\rangle \otimes |0^{n}\rangle \right].$$

In this construction, the state is an equal superposition of a random subset of size of and PRP is any pseudorandom permutation over the set . We call this the random subset states construction.

Our PRS constructions can be implemented using shallow quantum circuits of polylogarithmic depth under appropriate cryptographic assumptions. To see this, note that there exist PRFs that can be computed in polylogarithmic depth, which are based on lattice problems such as “learning with errors” (LWE) [33], and are believed to be secure against quantum computers [6]. These PRFs can be used directly in our PRS construction. (Alternatively, one can use low-depth PRFs that are constructed from more general assumptions, such as the existence of trapdoor one-way permutations [28].)

This shows that PRS states can be prepared in surprisingly small depth, compared to quantum state -designs, which generally require at least linear depth (when is a constant greater than 2), or polynomial depth (when grows polynomially with the number of qubits) [4, 10]. (Note, however, that for , quantum state 2-designs can be generated in logarithmic depth [13].) Moreover, PRS states are sufficient for many applications where high-order -designs are used, provided that one only requires states to be computationally (not statistically) indistinguishable from Haar-random.

## 4 Cryptographic Non-cloning Theorem and Quantum Money

A fundamental fact in quantum information theory is that unknown or random quantum states cannot be cloned [40, 15, 38, 30, 31]. The main topic of this section is to investigate the cloning problem for pseudorandom states. As we will see, even though pseudorandom states can be efficiently generated, they do share the non-cloning property of generic quantum states.

Let be the Hilbert space of dimension and be two integers. The numbers depend implicitly on a security parameter . We will assume that is exponential in and in the following discussion.

We first recall the fact that for Haar random state , the success probability of producing copies of the state given copies is negligibly small. Let be a cloning channel that on input tries to output a state that is close to for . The expected success probability of is measured by

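$$\int \left\langle \left( |\psi\rangle\langle\psi| \right)^{\otimes m'}, \, C\!\left( \left( |\psi\rangle\langle\psi| \right)^{\otimes m} \right) \right\rangle d\mu(\psi).$$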

It is known that [38], for all cloning channel , this success probability is bounded by

$$\binom{N+m-1}{m} \bigg/ \binom{N+m'-1}{m'},$$

which is for our choices of .

We establish a non-cloning theorem for PRS’s which says that no efficient quantum cloning procedure exists for a general PRS. The theorem is called the cryptographic non-cloning theorem because of its deep roots in pseudorandomness in cryptography.

###### Theorem 3 (Cryptographic Non-cloning Theorem).

For any PRS , , and any polynomial-time quantum algorithm , the success cloning probability

###### Proof.

Assume on the contrary that there is a polynomial-time quantum cloning algorithm such that the success cloning probability of producing from copies is for some constant . We will construct a polynomial-time distinguisher that violates the definition of PRS’s. Distinguisher will draw copies of the state, call on the first copies, and perform the SWAP test on the output of and the remaining copies. It is easy to see that outputs with probability if the input is from PRS, while if the input is Haar random, it outputs with probability . Since is polynomial-time, it follows that is also polynomial-time. This is a contradiction with the definition of PRS’s and completes the proof. ∎

### 4.1 A Strong notion of PRS and equivalence to PRS

In this section, we show that, somewhat surprisingly, PRS in fact implies a seemingly stronger notion, where indistinguishability needs to hold even if a distinguisher additionally has access to an oracle that reflects about the given state. There are at least a couple of motivations to consider an augmented notion. Firstly, unlike a classical string, a quantum state is inherently hidden. Given a quantum register prepared in some state (i.e., a physical system), we can only choose some observable to measure, which just reveals partial information and will collapse the state in general. Therefore, it is meaningful to consider offering a distinguishing algorithm more information describing the given state, and the reflection oracle comes naturally. Secondly, this stronger notion is extremely useful in our application of quantum money schemes, and could be interesting elsewhere too.

More formally, for any state , define an oracle that reflects about .

###### Definition 3 (Strongly Pseudorandom Quantum States).

Let be a Hilbert space and be the key space. and depend on the security parameter . A keyed family of quantum states is strongly pseudorandom, if the following two conditions hold:

1. (Efficient generation). There is a polynomial-time quantum algorithm that generates state on input . That is, for all , .

2. (Strong Pseudorandomness). Any polynomially many copies of with the same random is computationally indistinguishable from the same number of copies of a Haar random state. More precisely, for any efficient quantum oracle algorithm and any ,

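$$\left| \Pr_{k \leftarrow K}\left[ A^{O_{\phi_k}}\!\left( |\phi_k\rangle^{\otimes m} \right) = 1 \right] - \Pr_{|\psi\rangle \leftarrow \mu}\left[ A^{O_{\psi}}\!\left( |\psi\rangle^{\otimes m} \right) = 1 \right] \right| = \mathrm{negl}(\kappa),$$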

where is the Haar measure on .

Note that since the distinguisher is polynomial-time, the number of queries to the reflection oracle ( or ) is also polynomially bounded.

We prove the advantage that a reflection oracle may give to a distinguisher is limited. In fact, standard PRS implies strong PRS, and hence they are equivalent.

###### Theorem 4.

A family of states is strongly pseudorandom if and only if it is (standard) pseudorandom.

###### Proof.

Clearly a strong PRS is also a standard PRS by definition. It suffices to prove that any PRS is also strongly pseudorandom.

Suppose for contradiction that there is a distinguishing algorithm that breaks the strongly pseudorandom condition. Namely, there exists and constant such that for sufficiently large ,

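$$\left| \Pr_{k \leftarrow K}\left[ A^{O_{\phi_k}}\!\left( |\phi_k\rangle^{\otimes m} \right) = 1 \right] - \Pr_{|\psi\rangle \leftarrow \mu}\left[ A^{O_{\psi}}\!\left( |\psi\rangle^{\otimes m} \right) = 1 \right] \right| = \varepsilon(\kappa) \ge \kappa^{-c}.$$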

We assume makes queries to the reflection oracle. Then, by Theorem 5, there is an algorithm such that for any

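$$\left| \Pr_{k \leftarrow K}\left[ A^{O_{\phi_k}}\!\left( |\phi_k\rangle^{\otimes m} \right) \right] - \Pr_{k \leftarrow K}\left[ B\!\left( |\phi_k\rangle^{\otimes (m+l)} \right) \right] \right| \le \frac{2q}{\sqrt{l+1}},$$

and

$$\left| \Pr_{|\psi\rangle \leftarrow \mu}\left[ A^{O_{\psi}}\!\left( |\psi\rangle^{\otimes m} \right) \right] - \Pr_{|\psi\rangle \leftarrow \mu}\left[ B\!\left( |\psi\rangle^{\otimes (m+l)} \right) \right] \right| \le \frac{2q}{\sqrt{l+1}}.$$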

By triangle inequality, we have

Choosing , we have

which is a contradiction with the definition of PRS for . Therefore, we conclude that PRS and strong PRS are equivalent. ∎

We now show a technical ingredient that allows us to simulate the reflection oracle about a state by using multiple copies of the given state. This result is inspired by a similar theorem proved by Ambainis et al. [5, Lemma 42]. We have improved their reduction by replacing a reflection operation about a particular subspace with the reflection about the standard symmetric subspace, which we know how to implement efficiently.

###### Theorem 5.

Let be a quantum state. Define oracle to be the reflection about . Let be a state not necessarily independent of . Let be an oracle algorithm that makes queries to . For any integer , there is a quantum algorithm that does not make any queries to such that

Moreover, the running time of algorithm is polynomial in that of algorithm and .

###### Proof.

Consider a quantum register T, initialized in state . Let be the projection onto the symmetric subspace and be the reflection about the symmetric subspace.

Assume without loss of generality that algorithm is unitary and only performs measurements at the end. We define algorithm to be the same as except that when queries on register D, applies the reflection on the collection of quantum registers D and T where T is initialized in state . We first analyze the corresponding states after the first oracle call to in algorithms and ,

For any two states , we have

where the first step uses the identity in Eq. (5) and the second step follows by observing that the probability of a random mapping to is . These calculations imply that,

We can compute the inner product of the two states and as

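$$\langle\Psi_A|\Psi_B\rangle=\Big\langle|\phi,\Theta\rangle\langle\phi,\Theta|,\,(O_\psi\otimes\mathbb{1})R\Big\rangle=\Big\langle|\phi\rangle\langle\phi|,\,O_\psi\langle\Theta|R|\Theta\rangle\Big\rangle\ge 1-\frac{2}{l+1}.$$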

This implies that

Let and be the final states of algorithm and before measurement respectively.

Then by induction on the number of queries, we have

$$\left\||\Psi_A^q\rangle-|\Psi_B^q\rangle\right\|\le\frac{2q}{\sqrt{l+1}}.$$

This concludes the proof by noticing that

$$D\left(|\Psi_A^q\rangle,|\Psi_B^q\rangle\right)\le\left\||\Psi_A^q\rangle-|\Psi_B^q\rangle\right\|.$$

Finally, we show that if is polynomial-time, then so is . Based on the construction of , it suffices to show that the reflection is efficiently implementable for any polynomially large . Here we use a result by Barenco et al. [7] which proposes an efficient implementation for the projection onto . More precisely, they design a quantum circuit of size that implements a unitary such that on for an auxiliary space of dimension . Here corresponds to the projection of on the symmetric subspace. With , we can implement the reflection as where is the unitary that introduces a minus sign conditioned on the second register being .
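The single-query step of this proof can be checked numerically. The following is an added example, not code from the paper: it takes registers of one qubit each, assumes the sign conventions $O_\psi = \mathbb{1} - 2|\psi\rangle\langle\psi|$ and $R = \mathbb{1} - 2\Pi_{\mathrm{sym}}$, and builds the symmetric-subspace projector by averaging over all permutations of the $l+1$ qubits; the function names are hypothetical.

```python
import itertools
import math

def kron(u, v):
    """Tensor product of two state vectors given as lists of amplitudes."""
    return [a * b for a in u for b in v]

def inner(u, v):
    return sum(a.conjugate() * b for a, b in zip(u, v))

def permute_qubits(vec, perm, n):
    """Apply the permutation operator P_perm to an n-qubit state vector."""
    out = [0j] * len(vec)
    for idx, amp in enumerate(vec):
        bits = [(idx >> (n - 1 - i)) & 1 for i in range(n)]
        new = 0
        for i in range(n):
            new = (new << 1) | bits[perm[i]]
        out[new] += amp
    return out

def sym_project(vec, n):
    """Project onto the symmetric subspace: average of all n! permutations."""
    perms = list(itertools.permutations(range(n)))
    acc = [0j] * len(vec)
    for p in perms:
        acc = [a + b for a, b in zip(acc, permute_qubits(vec, p, n))]
    return [a / len(perms) for a in acc]

def one_query(psi, phi, l):
    """Compare one real oracle query with its simulation from l copies of psi.

    Returns (Re<Psi_A|Psi_B>, || |Psi_A> - |Psi_B> ||).
    """
    theta = [1 + 0j]
    for _ in range(l):
        theta = kron(theta, psi)          # register T holds psi^{(x) l}
    # Algorithm A: apply O_psi = 1 - 2|psi><psi| to register D only.
    overlap = inner(psi, phi)
    o_phi = [f - 2 * overlap * s for f, s in zip(phi, psi)]
    psi_a = kron(o_phi, theta)
    # Algorithm B: apply R = 1 - 2*Pi_sym to registers D and T jointly.
    joint = kron(phi, theta)
    proj = sym_project(joint, l + 1)
    psi_b = [j - 2 * p for j, p in zip(joint, proj)]
    dist = math.sqrt(sum(abs(a - b) ** 2 for a, b in zip(psi_a, psi_b)))
    return inner(psi_a, psi_b).real, dist
```

When the query state is orthogonal to the oracle state, both bounds are met with equality, so the single-query estimate cannot be improved in general.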

### 4.2 Quantum Money from PRS

Using Theorem 4, we can improve Theorem 3 to the following version. The proof is omitted as it is very similar to that for Theorem 3 and uses the complexity-theoretic non-cloning theorem [1, 2] for Haar random states.

###### Theorem 6 (Cryptographic Non-cloning Theorem with Oracle).

For any PRS , , and any polynomial-time quantum query algorithm , the success cloning probability

A direct application of this non-cloning theorem is that it gives rise to new constructions for private-key quantum money. As one of the earliest foundational findings in quantum information [39, 8], quantum money schemes have received renewed interest in the past decade (see e.g. [1, 26, 27, 16, 17, 3]). First, we recall the definition of a quantum money scheme adapted from [2].

###### Definition 4 (Quantum Money Scheme).

A private-key quantum money scheme consists of three algorithms:

• KeyGen, which takes as input the security parameter and randomly samples a private key .

• Bank, which takes as input the private key and generates a quantum state called a banknote.

• Ver, which takes as input the private key and an alleged banknote , and either accepts or rejects.

The money scheme has completeness error if accepts with probability at least for every valid banknote .

Let Count be the money counter that outputs the number of valid banknotes when given a collection of (possibly entangled) alleged banknotes . Namely, Count will call Ver on each banknote and return the number of times that Ver accepts. The money scheme has soundness error if any polynomial-time counterfeiter that maps valid banknotes to alleged banknotes satisfies

The scheme is secure if it has completeness error and negligible soundness error.

For any with key space , we can define a private-key quantum money scheme as follows:

• randomly outputs .

• generates the banknote .

• applies the projective measurement that accepts with probability .

We remark that usually the money state takes the form where the first register contains a classical serial number. Our scheme, however, does not require the use of the serial numbers. This simplification is brought to us by the strong requirement that any polynomial copies of are indistinguishable from Haar random states.
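The three algorithms of this scheme can be simulated classically for a small number of qubits. The following is an added example, not code from the paper: it assumes the banknote is the phase state obtained by applying the map $T_k$ of Eq. (7) to the uniform superposition, uses HMAC-SHA256 reduced mod $N$ as a stand-in for the quantum-secure PRF, and fixes $n = 8$ qubits; all function names are hypothetical.

```python
import cmath
import hashlib
import hmac
import math
import secrets

N_QUBITS = 8                      # assumption: small enough to simulate classically
N = 2 ** N_QUBITS

def keygen():
    """KeyGen: sample a uniformly random private key."""
    return secrets.token_bytes(16)

def prf(key, x):
    # Assumption: HMAC-SHA256 mod N stands in for the quantum-secure PRF.
    mac = hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % N

def bank(key):
    """Bank: banknote with amplitudes omega_N^{PRF_k(x)} / sqrt(N)."""
    scale = 1 / math.sqrt(N)
    return [scale * cmath.exp(2j * math.pi * prf(key, x) / N) for x in range(N)]

def ver_accept_prob(key, note):
    """Ver: probability that the projection onto the key's state accepts."""
    phi = bank(key)
    return abs(sum(a.conjugate() * b for a, b in zip(phi, note))) ** 2

def basis_note(x):
    """State left after measuring a banknote in the computational basis."""
    return [1 + 0j if y == x else 0j for y in range(N)]

def count_expected(key, notes):
    """Expected value of Count on a list of unentangled alleged banknotes."""
    return sum(ver_accept_prob(key, note) for note in notes)
```

A valid banknote is accepted with probability 1, while any computational-basis state (what is left after measuring a banknote) is accepted with probability exactly $1/N$, because every amplitude of the banknote has magnitude $1/\sqrt{N}$.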

###### Theorem 7.

The private-key quantum money scheme is secure for all PRS.

###### Proof.

It suffices to prove the soundness of is negligible. Assume to the contrary that there is a counterfeiter such that

for some constant and sufficiently large . From the counterfeiter , we will construct an oracle algorithm that maps copies of to copies with noticeable probability and this leads to a contradiction with Theorem 6.

The oracle algorithm first runs and implements the measurement

on each copy of the money state outputs. This measurement can be implemented by attaching an auxiliary qubit initialized in , calling the reflection oracle conditioned on the qubit being at , and performing the measurement on this auxiliary qubit. This gives -bit of outcome . If has Hamming weight at least , algorithm outputs any registers that correspond to outcome ; otherwise, it outputs . By the construction of , the probability that it succeeds in cloning money states from copies is at least . ∎

Our security proof of the quantum money scheme is arguably simpler than that in [2]. In [2], to prove their hidden subspace money scheme is secure, one needs to develop the so-called inner-product adversary method to show the worst-case query complexity for the hidden subspace states and use a random self-reducible argument to establish the average-case query complexity. In our case, it follows almost directly from the cryptographic non-cloning theorem with oracles. The quantum money schemes derived from PRS’s enjoy many nice features of the hidden subspace scheme. Most importantly, they are also query-secure [2], meaning that the bank can simply return the money state back to the user after verification.

It is also interesting to point out that quantum money states are not necessarily pseudorandom states. The hidden subspace states [2], for example, do not satisfy our definition of PRS, as one can measure polynomially many copies of the state in the computational basis and recover a basis for the hidden subspace with high probability.

## 5 Pseudorandom Unitary Operators

Let be a Hilbert space and let a key space, both of which depend on a security parameter . Let be the Haar measure on the unitary group .

###### Definition 5.

A family of unitary operators is pseudorandom, if two conditions hold:

1. (Efficient computation) There is an efficient quantum algorithm , such that for all and any , .

2. (Pseudorandomness) with a random key is computationally indistinguishable from a Haar random unitary operator. More precisely, for any efficient quantum algorithm that makes at most polynomially many queries to the oracle,

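$$\left|\Pr_{k\leftarrow\mathcal{K}}\left[\mathcal{A}^{U_k}(1^\kappa)=1\right]-\Pr_{U\leftarrow\mu}\left[\mathcal{A}^{U}(1^\kappa)=1\right]\right|=\mathrm{negl}(\kappa).$$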

Our techniques for constructing pseudorandom states can be extended to give candidate constructions for pseudorandom unitary operators (PRUs) in the following way. Let . Assume we have a pseudorandom function , with domain and . Using the phase kick-back technique, we can implement the unitary transformation that maps

$$T_k:|x\rangle\mapsto\omega_N^{\mathsf{PRF}_k(x)}|x\rangle,\qquad\omega_N=\exp(2\pi i/N).\tag{7}$$

Our pseudorandom states were given by , where denotes the -qubit Hadamard transform. We conjecture that by repeating the operation a polynomial number of times, we get a pseudorandom unitary operation. Alternatively, a polynomial number of times of repetition of the circuit

$$\mathsf{PRP}_k\left(H^{\otimes n}\otimes\mathbb{1}^{\otimes n}\right),$$

on qubits may be another candidate construction.

Pseudorandom unitary operators may be useful and provide efficient alternatives for unitary -designs in many settings. Their existence also trivially implies the existence of PRS’s by definition, and they can be employed whenever a PRS is used.

###### Lemma 8.

For any PRU , is a PRS.

###### Proof.

If there is a quantum algorithm that takes copies of state and distinguishes it from Haar random states, we can design algorithm that distinguishes from the Haar random in the following way. prepares copies of , calls the unitary oracle on each copy, sends these states to algorithm and outputs whatever outputs. ∎

## References

• [1] Aaronson, S. Quantum copy-protection and quantum money. In Proceedings of the 2009 24th Annual IEEE Conference on Computational Complexity (Washington, DC, USA, 2009), CCC ’09, IEEE Computer Society, pp. 229–242.
• [2] Aaronson, S., and Christiano, P. Quantum money from hidden subspaces. In Proceedings of the Forty-fourth Annual ACM Symposium on Theory of Computing (New York, NY, USA, 2012), STOC ’12, ACM, pp. 41–60.
• [3] Aaronson, S., Farhi, E., Gosset, D., Hassidim, A., Kelner, J., and Lutomirski, A. Quantum money. Commun. ACM 55, 8 (Aug. 2012), 84–92.
• [4] Ambainis, A., and Emerson, J. Quantum -designs: -wise Independence in the Quantum World. In Twenty-Second Annual IEEE Conference on Computational Complexity (CCC’07) (June 2007), pp. 129–140.
• [5] Ambainis, A., Rosmanis, A., and Unruh, D. Quantum attacks on classical proof systems: The hardness of quantum rewinding. In Proceedings of the 2014 IEEE 55th Annual Symposium on Foundations of Computer Science (2014), IEEE Computer Society, pp. 474–483. Full version at https://arxiv.org/abs/1404.6898.
• [6] Banerjee, A., Peikert, C., and Rosen, A. Pseudorandom functions and lattices. In Proceedings of the 31st Annual International Conference on Theory and Applications of Cryptographic Techniques (Berlin, Heidelberg, 2012), EUROCRYPT’12, Springer-Verlag, pp. 719–737.
• [7] Barenco, A., Berthiaume, A., Deutsch, D., Ekert, A., Jozsa, R., and Macchiavello, C. Stabilization of quantum computations by symmetrization. SIAM Journal on Computing 26, 5 (1997), 1541–1557.
• [8] Bennett, C. H., Brassard, G., Breidbart, S., and Wiesner, S. Quantum Cryptography, or Unforgeable Subway Tokens. Springer, Boston, MA, 1983, pp. 267–275.
• [9] Blum, M., and Micali, S. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. SIAM Journal on Computing 13, 4 (1984), 850–864.
• [10] Brandão, F. G. S. L., Harrow, A. W., and Horodecki, M. Local random quantum circuits are approximate polynomial-designs. Communications in Mathematical Physics 346, 2 (Sep 2016), 397–434.
• [11] Bremner, M. J., Mora, C., and Winter, A. Are random pure states useful for quantum computation? Phys. Rev. Lett. 102 (May 2009), 190502.
• [12] Chen, Y.-H., Chung, K.-M., Lai, C.-Y., Vadhan, S. P., and Wu, X. Computational notions of quantum min-entropy. arXiv:1704.07309, 2017.
• [13] Cleve, R., Leung, D., Liu, L., and Wang, C. Near-linear constructions of exact unitary 2-designs. Quantum Information & Computation 16, 9&10 (2016), 721–756.
• [14] Dankert, C., Cleve, R., Emerson, J., and Livine, E. Exact and approximate unitary 2-designs and their application to fidelity estimation. Phys. Rev. A 80 (Jul 2009), 012304.
• [15] Dieks, D. Communication by EPR devices. Physics Letters A 92, 6 (1982), 271–272.
• [16] Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., Nagaj, D., and Shor, P. Quantum State Restoration and Single-Copy Tomography for Ground States of Hamiltonians. Phys. Rev. Lett. 105 (Nov 2010), 190503.
• [17] Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., and Shor, P. Quantum money from knots. In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference (New York, NY, USA, 2012), ITCS ’12, ACM, pp. 276–289.
• [18] Goldreich, O., Goldwasser, S., and Micali, S. On the cryptographic applications of random functions. In Advances in Cryptology – CRYPTO 1984 (1985), Springer-Verlag New York, Inc., pp. 276–288.
• [19] Goldreich, O., Goldwasser, S., and Micali, S. How to Construct Random Functions. J. ACM 33, 4 (Aug. 1986), 792–807.
• [20] Harrow, A. W., and Low, R. A. Efficient quantum tensor product expanders and k-designs. In Approximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques. Springer, 2009, pp. 548–561.
• [21] Håstad, J., Impagliazzo, R., Levin, L. A., and Luby, M. A pseudorandom generator from any one-way function. SIAM Journal on Computing 28, 4 (1999), 1364–1396.
• [22] Impagliazzo, R., and Wigderson, A. P = BPP if E Requires Exponential Circuits: Derandomizing the XOR Lemma. In Proceedings of the Twenty-ninth Annual ACM Symposium on Theory of Computing (New York, NY, USA, 1997), STOC ’97, ACM, pp. 220–229.
• [23] Kueng, R., and Gross, D. Qubit stabilizer states are complex projective 3-designs, 2015. arXiv:1510.02767.
• [24] Low, R. A. Large deviation bounds for k-designs. Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences 465, 2111 (2009), 3289–3308.
• [25] Luby, M., and Rackoff, C. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing 17, 2 (1988), 373–386.
• [26] Lutomirski, A., Aaronson, S., Farhi, E., Gosset, D., Hassidim, A., Kelner, J., and Shor, P. Breaking and making quantum money: toward a new quantum cryptographic protocol. In Proceedings of the Innovations in Theoretical Computer Science Conference (2010), ITCS ’10, Tsinghua University Press, pp. 20–31.
• [27] Mosca, M., and Stebila, D. Quantum coins. In Error-Correcting Codes, Finite Geometries and Cryptography (2010), A. A. Bruen and D. L. Wehlau, Eds., vol. 523 of Contemporary Mathematics, American Mathematical Society, pp. 35–47.
• [28] Naor, M., and Reingold, O. Synthesizers and their application to the parallel construction of pseudo-random functions. J. Comput. Syst. Sci. 58, 2 (Apr. 1999), 336–375.
• [29] Nisan, N., and Wigderson, A. Hardness vs randomness. J. Comput. Syst. Sci. 49, 2 (Oct. 1994), 149–167.
• [30] Ortigoso, J. Twelve years before the quantum no-cloning theorem. arXiv:1707.06910, 2017.
• [31] Park, J. L. The concept of transition in quantum mechanics. Found. Phys. 1 (1970), 23–33.
• [32] Popescu, S., Short, A. J., and Winter, A. Entanglement and the foundations of statistical mechanics. Nature Physics 2, 11 (2006), 754.
• [33] Regev, O. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM) 56, 6 (2009), 34.
• [34] Rompel, J. One-way functions are necessary and sufficient for secure signatures. In Proceedings of the twenty-second annual ACM symposium on Theory of computing (1990), ACM, pp. 387–394.
• [35] Shamir, A. On the generation of cryptographically strong pseudorandom sequences. ACM Trans. Comput. Syst. 1, 1 (Feb. 1983), 38–44.
• [36] Song, F. Quantum-secure pseudorandom permutations, June, 2017. Blog post, available at http://qcc.fangsong.info/2017-06-quantumprp/.
• [37] Webb, Z. The clifford group forms a unitary 3-design. Quantum Information & Computation 16, 15&16 (2016), 1379–1400.
• [38] Werner, R. F. Optimal cloning of pure states. Phys. Rev. A 58 (Sep 1998), 1827–1832.
• [39] Wiesner, S. Conjugate Coding. SIGACT News 15, 1 (1983), 78–88. Original manuscript written circa 1970.
• [40] Wootters, W. K., and Zurek, W. H. A single quantum cannot be cloned. Nature 299 (Oct 1982), 802–803.
• [41] Yao, A. C. Theory and application of trapdoor functions. In 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982) (Nov 1982), pp. 80–91.
• [42] Yuen, H. A quantum lower bound for distinguishing random functions from random permutations. Quantum Information & Computation 14, 13-14 (2014), 1089–1097.
• [43] Zhandry, M. How to Construct Quantum Random Functions. In FOCS 2012 (2012), IEEE, pp. 679–687.
• [44] Zhandry, M. A Note on the Quantum Collision and Set Equality Problems. Quantum Information and Computation 15, 7 & 8 (2015). http://arxiv.org/abs/1312.1027.
• [45] Zhandry, M. A Note on Quantum-Secure PRPs, 2016. Available at https://eprint.iacr.org/2016/1076.
• [46] Zhu, H. Multiqubit clifford groups are unitary 3-designs, 2015. arXiv:1510.02619.