1 Introduction

Pseudorandomness is a foundational concept in modern cryptography and theoretical computer science. A distribution \(\mathcal {D}\), e.g., over a set of strings or functions, is called pseudorandom if no computationally-efficient observer can distinguish between an object sampled from \(\mathcal {D}\) and a truly random object sampled from the uniform distribution [10, 56, 63]. Pseudorandom objects, such as pseudorandom generators (PRGs), pseudorandom functions (PRFs) and pseudorandom permutations (PRPs), are fundamental cryptographic building blocks, used for example in the design of stream ciphers, block ciphers and message authentication codes [23, 24, 27, 37, 53]. Pseudorandomness is also essential in algorithm design and complexity theory, for instance in derandomization [32, 47].

The laws of quantum physics assert that truly random bits can be generated easily, even with untrusted quantum devices [15, 41]. Is pseudorandomness, a seemingly weaker notion of randomness, still relevant in the context of quantum information processing? The answer is yes. By a simple counting argument, one needs exponentially many bits even to specify a truly random function on n-bit strings. Hence, in the computational realm, pseudorandom objects that offer efficiency as well as other unique characteristics and strengths are indispensable.

A fruitful line of work on pseudorandomness in the context of quantum information science has been about quantum t-designs and unitary t-designs [4, 11, 12, 16, 17, 26, 33, 40, 43,44,45, 59, 69]. However, while these objects are often called “pseudorandom” in the mathematical physics literature, they are actually analogous to t-wise independent random variables in theoretical computer science. Our focus in this work is a notion of computational pseudorandomness, which in particular suits (complexity-theoretic) cryptography.

The major difference between t-wise independence and cryptographic pseudorandomness is the following. In the case of t-wise independence, the observer who receives the random-looking object may be computationally unbounded, but is given only a fixed number t of samples, where t is chosen a priori (when the random-looking object is constructed). Thus, quantum t-designs satisfy an “information-theoretic” or “statistical” notion of security. In contrast, in the case of cryptographic pseudorandomness, the observer who receives the random-looking object is assumed to be computationally efficient, in that it runs in probabilistic polynomial time for an arbitrary polynomial that is chosen by the observer after the random-looking object has been constructed. This leads to a “computational” notion of security, which typically relies on some complexity-theoretic assumption, such as the existence of one-way functions.

In general, these two notions, t-wise independence and cryptographic pseudorandomness, are incomparable. In some ways, the setting of cryptographic pseudorandomness imposes stronger restrictions on the observer, since it assumes a bound on the observer’s total computational effort (say, running in probabilistic polynomial time). In other ways, the setting of t-wise independence imposes stronger restrictions on the observer, since it forces the observer to make a limited number of non-adaptive “queries,” specified by the parameter t, which is usually a constant or a fixed polynomial. In addition, different distance measures are often used, e.g., trace distance or diamond norm, versus computational distinguishability.

Cryptographic pseudorandomness in quantum information, which has received relatively less study, mostly connects with quantum money and post-quantum cryptography. Pseudorandomness is used more or less implicitly in quantum money, to construct quantum states that look complicated to a dishonest party but have some hidden structure that allows them to be verified by the bank [1,2,3, 39, 68]. In post-quantum cryptography, one natural question is whether classical constructions such as PRFs and PRPs remain secure against quantum attacks. This is a challenging task as, for example, a quantum adversary may query the underlying function or permutation in superposition. Fortunately, several positive results have been established so far. Assuming a one-way function that is hard to invert for polynomial-time quantum algorithms, we can attain quantum-secure PRGs as well as PRFs [27, 65]. Furthermore, one can construct quantum-secure PRPs from quantum-secure PRFs using various shuffling constructions [57, 67].

In this work, we study pseudorandom quantum objects such as quantum states and unitary operators. Quantum states (in analogy to strings) and unitary operations (in analogy to functions) form continuous spaces, and the Haar measure is considered the perfect randomness on the spaces of quantum states and unitary operators. A basic question is:

[Figure a: the basic question posed by this work; the image was not recovered in extraction.]

Our contributions. We propose definitions of pseudorandom quantum states (PRS’s) and pseudorandom unitary operators (PRUs), present efficient constructions of PRS’s, demonstrate basic properties such as no-cloning and high entanglement of pseudorandom states, and showcase the construction of private-key quantum money schemes as one of the applications.

  1.

    We propose a suitable definition of quantum pseudorandom states.

    We employ the notion of quantum computational indistinguishability to define quantum pseudorandom states. Loosely speaking, we consider a collection of quantum states indexed by \(k\in \mathcal {K}\), and require that no efficient quantum algorithm can distinguish between for a random k and a state drawn according to the Haar measure. However, as a unique consideration in the quantum setting, we need to be cautious about how many copies of the input state are available to an adversary.

    Classically, this is a vacuous concern for defining a pseudorandom distribution on strings, since one can freely produce many copies of the input string. The quantum no-cloning theorem, however, forbids copying an unknown quantum state in general. Pseudorandom states in terms of single-copy indistinguishability have been discussed in the literature (see for example [13] and a recent study [14]). Though this single-copy definition may be suitable for certain cryptographic applications, it also loses many properties of Haar random states, as a purely classical distribution already satisfies the definition (Footnote 1).

    Therefore we require that no adversary can tell a difference even given any polynomially many copies of the state. This subsumes the single-copy version and is strictly stronger. We gain from it many interesting properties, such as the no-cloning property and entanglement property for pseudorandom states as discussed later in the paper.

  2.

    We present concrete efficient constructions of PRS’s with the minimal assumption that quantum-secure one-way functions exist.

    Our construction uses any quantum-secure \(\textsf {PRF} =\{\textsf {PRF} _k\}_{k\in \mathcal {K}}\) and computes it into the phases of a uniform superposition state (see Eq. (8)). We call such a family of PRS's random phase states. This family of states can be efficiently generated using the quantum Fourier transform and a phase kick-back trick. We prove that this family of states is pseudorandom by a hybrid argument. By the quantum security of the PRF, the family is computationally indistinguishable from a similar state family defined by truly random functions.

    We then prove that this state family corresponding to truly random functions is statistically indistinguishable from Haar random states. Finally, by the fact that PRFs exist assuming quantum-secure one-way functions, we can base our PRS construction on quantum-secure one-way functions.

    We note that Aaronson [1, Theorem 3] has described a similar family of states, which uses some polynomial function instead of a PRF in the phases. In that construction, however, the size of the state family depends on (i.e., has to grow with) the number of adversary queries that the family wants to tolerate. It therefore fails to satisfy our definition, in which any polynomial number of queries, independent of the family, is permitted.

  3.

    We prove cryptographic no-cloning theorems for PRS’s, and they give a simple and generic construction of private-key quantum money schemes based on any PRS.

    We prove that a PRS remains pseudorandom, even if we additionally give the distinguisher an oracle that reflects about the given state (i.e., ). This establishes the equivalence between the standard and a strong definition of PRS’s. Technically, this is proved using the fact that with polynomially many copies of the state, one can approximately simulate the reflection oracle \(O_\phi \).

    We obtain general cryptographic no-cloning theorems of PRS’s both with and without the reflection oracle. The theorems roughly state that given any polynomially many copies of pseudorandom states, no polynomial-time quantum algorithm can produce even one more copy of the state. We call them cryptographic no-cloning theorems due to the computational nature of our PRS. The proofs of these theorems use SWAP tests in the reduction from a hypothetical cloning algorithm to an efficient distinguishing algorithm violating the definition of PRS’s.

    Using the strong pseudorandomness and the cryptographic no-cloning theorem with reflection oracle, we show that any PRS immediately gives a private-key quantum money scheme. While much attention has been focused on public-key quantum money [1,2,3, 39, 68], we emphasize that private-key quantum money is already non-trivial. Early schemes for private-key quantum money due to Wiesner and others were not query secure, and could be broken by online attacks [9, 20, 38, 61]. Aaronson and Christiano finally showed a query-secure scheme in 2012, which achieves information-theoretic security in the random oracle model, and computational security in the standard model [2]. They used a specific construction based on hidden subspace states, whereas our construction (which is also query-secure) is more generic and can be based on any PRS. The freedom to choose and tweak the underlying pseudorandom functions or permutations in the PRS may motivate and facilitate the construction of public-key quantum money schemes in future work.

  4.

    We show that pseudorandom states are highly entangled.

    It is known that a Haar random state is entangled with high probability. We establish a similar result for any family of pseudorandom states. Namely, the states in any PRS family are entangled on average. It is shown that the expected Schmidt rank for any PRS is superpolynomial in \(\kappa \) and that the expected min entropy and von Neumann entropy are of the order \(\omega (\log \kappa )\), where \(\kappa \) is the security parameter. This is yet more evidence of the suitability of our definition.

    The proof again rests critically on the fact that our definition grants multiple copies to the distinguisher—if the expected entanglement is low, then a SWAP test with respect to the corresponding subsystems of two copies of the state will serve as a distinguisher that violates the definition.

  5.

    We propose a definition of quantum pseudorandom unitary operators (PRUs). We also present candidate constructions of PRUs (without a proof of security), by extending our techniques for constructing PRS’s.

    Loosely speaking, these candidate PRUs resemble unitary t-designs that are constructed by interleaving random permutations with the quantum Fourier transform [26], or by interleaving random diagonal unitaries with the Hadamard transform [43, 44], and iterating this construction several times. We conjecture that a PRU can be obtained in this way using only a constant number of iterations. This is in contrast to unitary t-designs, where a parameter counting argument suggests that the number of iterations must grow with t. This conjecture is motivated by examples such as the Luby-Rackoff construction of a pseudorandom permutation from a multi-round Feistel network built using a PRF.

Table 1. Summary of various notions that approximate true randomness

Discussion. We summarize the mentioned variants of randomness in Table 1. The focus of this work is mostly about PRS’s and we briefly touch upon PRUs. We view our work as an initial step and anticipate further fundamental investigation inspired by our notion of pseudorandom states and unitary operators.

We mention some immediate open problems. First, can we prove the security of our candidate PRU constructions? The techniques developed in quantum unitary designs [12, 26] seem helpful. Second, are quantum-secure one-way functions necessary for the construction of PRS’s? Third, can we establish security proofs for more candidate constructions of PRS’s? Different constructions may have their own special properties that may be useful in different settings. It is also interesting to explore whether our quantum money construction may be adapted to a public-key money scheme under reasonable cryptographic assumptions. Finally, the entanglement property we prove here refers to the standard definitions of entanglement. If we approach the concept of pseudo-entanglement as a quantum analogue of pseudo-entropy for a distribution [7], can we improve the quantitative bounds?

We point out a possible application in physics. PRS’s may be used in place of high-order quantum t-designs, giving a performance improvement in certain applications. For example, pseudorandom states can be used to construct toy models of quantum thermalization, where one is interested in quantum states that can be prepared efficiently via some dynamical process, yet have “generic” or “typical” properties as exemplified by Haar-random pure states, for instance [51]. Using t-designs with polynomially large t, one can construct states that are “generic” in an information-theoretic sense [35]. Using PRS’s, one can construct states that satisfy a weaker property: they are computationally indistinguishable from “generic” states for a polynomial-time observer.

In these applications, PRS states may be more physically plausible than high-order quantum t-designs, because PRS states can be prepared in a shorter time, e.g., using a polylogarithmic-depth quantum circuit, based on known constructions for low-depth PRFs [6, 46].

2 Preliminaries

2.1 Notions

For a finite set \(\mathcal {X}\), \(\left|\mathcal {X} \right|\) denotes the number of elements in \(\mathcal {X}\). We use the notation \(\mathcal {Y}^\mathcal {X}\) to denote the set of all functions \(f:\mathcal {X}\rightarrow \mathcal {Y}\). For a finite set \(\mathcal {X}\), we use \(x\leftarrow \mathcal {X}\) to mean that x is drawn uniformly at random from \(\mathcal {X}\). The permutation group over elements in \(\mathcal {X}\) is denoted as \(S_\mathcal {X}\). We use \({{\mathrm{poly}}}(\kappa )\) to denote the collection of polynomially bounded functions of the security parameter \(\kappa \), and use \({{\mathrm{negl}}}(\kappa )\) to denote negligible functions in \(\kappa \). A function \(\epsilon (\kappa )\) is negligible if for all constants \(c>0\), \(\epsilon (\kappa ) < \kappa ^{-c}\) for large enough \(\kappa \).

In this paper, we use a quantum register to name a collection of qubits that we view as a single unit. Register names are represented by capital letters in a sans serif font. We use \(\mathrm {S}(\mathcal {H})\), \(\mathrm {D}(\mathcal {H})\), \(\mathrm {U}(\mathcal {H})\) and \(\mathrm {L}(\mathcal {H})\) to denote the set of pure quantum states, density operators, unitary operators and bounded linear operators on space \(\mathcal {H}\) respectively. An ensemble of states \(\{(p_i, \rho _i)\}\) represents a system prepared in \(\rho _i\) with probability \(p_i\). If the distribution is uniform, we write the ensemble as \(\{\rho _i\}\). The adjoint of matrix M is denoted as \(M^*\). For matrix M, \(\left|M \right|\) is defined to be \(\sqrt{M^* M}\). The operator norm \(\left||M \right||\) of matrix M is the largest eigenvalue of \(\left|M \right|\). The trace norm \(\left||M \right||_1\) of M is the trace of \(\left|M \right|\). For two operators \(M,N\in \mathrm {L}(\mathcal {H})\), the Hilbert-Schmidt inner product is defined as

$$\begin{aligned} \left\langle M,N\right\rangle = {{\mathrm{tr}}}(M^*N). \end{aligned}$$

A quantum channel is a physically admissible transformation of quantum states. Mathematically, a quantum channel

$$\begin{aligned} \mathcal {E}:\mathrm {L}(\mathcal {H}) \rightarrow \mathrm {L}(\mathcal {K}) \end{aligned}$$

is a completely positive, trace-preserving linear map.

The trace distance of two quantum states \(\rho _0, \rho _1 \in \mathrm {D}(\mathcal {H})\) is

(1)

It is known (Holevo-Helstrom theorem [29, 30]) that for a state drawn uniformly at random from the set \(\{\rho _0, \rho _1\}\), the optimal distinguishing probability is given by

$$\begin{aligned} \frac{1 + {\text {TD}}(\rho _0, \rho _1)}{2}. \end{aligned}$$

Define number \(N = 2^n\) and set \(\mathcal {X}= \{0,1,\ldots ,N-1\}\). The quantum Fourier transform on n qubits is defined as

(2)

It is a well-known fact in quantum computing that F can be implemented in time \({{\mathrm{poly}}}(n)\).

For Hilbert space \(\mathcal {H}\) and integer m, we use \(\vee ^m \mathcal {H}\) to denote the symmetric subspace of \(\mathcal {H}^{\otimes m}\), the subspace of states that are invariant under permutations of the subsystems. Let N be the dimension of \(\mathcal {H}\) and let \(\mathcal {X}\) be the set \(\{0,1,\ldots ,N-1\}\) such that \(\mathcal {H}\) is the span of . For any \(\mathbf {x}=(x_1,x_2,\ldots ,x_m)\in \mathcal {X}^m\), let \(m_j\) be the number of j in \(\mathbf {x}\) for \(j\in \mathcal {X}\). Define state

(3)

The summation runs over all possible permutations \(\sigma \) that give different tuples \((x_{\sigma (1)}, x_{\sigma (2)}, \ldots , x_{\sigma (m)})\). Equivalently, we have

(4)

The coefficients in the front of the above two equations are normalization constants. The set of states

(5)

forms an orthonormal basis of the symmetric subspace \(\vee ^m \mathcal {H}\) [58, Proposition 7.2]. This implies that the dimension of the symmetric subspace is

$$\begin{aligned} \left( {\begin{array}{c}N+m-1\\ m\end{array}}\right) . \end{aligned}$$

Let \(\varPi ^\text {Sym}_m\) be the projection onto the symmetric subspace \(\vee ^m \mathcal {H}\). For a permutation \(\sigma \in S_m\), define operator

The following identity will be useful [58, Proposition 7.1]

$$\begin{aligned} \varPi ^\text {Sym}_m = \frac{1}{m!} \sum _{\sigma \in S_m} W_\sigma . \end{aligned}$$
(6)

Let \(\mu \) be the Haar measure on \(\mathrm {S}(\mathcal {H})\). It is known that [25, Proposition 6]

(7)

2.2 Cryptography

In this section, we recall several definitions and results from cryptography that are necessary for this work.

Pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) are important constructions in classical cryptography. Intuitively, they are families of functions or permutations that look like truly random functions or permutations to polynomial-time machines. In the quantum case, we need the stronger requirement that they still look random even to polynomial-time quantum algorithms.

Definition 1

(Quantum-Secure Pseudorandom Functions and Permutations). Let \(\mathcal {K}, \mathcal {X}, \mathcal {Y}\) be the key space, the domain and range, all implicitly depending on the security parameter \(\kappa \). A keyed family of functions \(\bigl \{ \textsf {PRF} _k : \mathcal {X}\rightarrow \mathcal {Y}\bigr \}_{k\in \mathcal {K}}\) is a quantum-secure pseudorandom function (QPRF) if for any polynomial-time quantum oracle algorithm \(\mathcal {A}\), \(\textsf {PRF} _k\) with a random \(k \leftarrow \mathcal {K}\) is indistinguishable from a truly random function \(f \leftarrow \mathcal {Y}^\mathcal {X}\) in the sense that:

$$\begin{aligned} \left| {\mathop {\Pr }\limits _{k\leftarrow \mathcal {K}}} \bigl [ \mathcal {A}^{\textsf {PRF} _k}(1^\kappa ) = 1 \bigr ] - {\mathop {\Pr }\limits _{f\leftarrow \mathcal {Y}^\mathcal {X}}} \bigl [ \mathcal {A}^{f}(1^\kappa ) = 1 \bigr ] \right| = {{\mathrm{negl}}}(\kappa ). \end{aligned}$$

Similarly, a keyed family of permutations \(\bigl \{ \textsf {PRP} _k \in S_\mathcal {X}\bigr \}_{k\in \mathcal {K}}\) is a quantum-secure pseudorandom permutation (QPRP) if for any quantum algorithm \(\mathcal {A}\) making at most polynomially many queries, \(\textsf {PRP} _k\) with a random \(k\leftarrow \mathcal {K}\) is indistinguishable from a truly random permutation in the sense that:

$$\begin{aligned} \left|{\mathop {\Pr }\limits _{k \leftarrow \mathcal {K}}} \bigl [ \mathcal {A}^{\textsf {PRP} _k}(1^\kappa ) = 1 \bigr ] - {\mathop {\Pr }\limits _{P \leftarrow S_\mathcal {X}}} \bigl [ \mathcal {A}^{P}(1^\kappa ) = 1 \bigr ] \right| = {{\mathrm{negl}}}(\kappa ). \end{aligned}$$

In addition, both \(\textsf {PRF} _k\) and \(\textsf {PRP} _k\) are polynomial-time computable (on a classical computer).

Fact 1

QPRFs and QPRPs exist if quantum-secure one-way functions exist.

Zhandry proved the existence of QPRFs assuming the existence of one-way functions that are hard to invert even for quantum algorithms [65]. Assuming a QPRF, one can construct a QPRP using various shuffling constructions [57, 67]. Since a random permutation and a random function are indistinguishable by efficient quantum algorithms [64, 66], the existence of QPRPs is hence equivalent to the existence of QPRFs.

3 Pseudorandom Quantum States

In this section, we will discuss the definition and constructions of pseudorandom quantum states.

3.1 Definition of Pseudorandom States

Intuitively speaking, a family of pseudorandom quantum states is a set of states, sampled with a random key, that is indistinguishable from Haar random quantum states.

A first attempt at defining pseudorandom states could be the following. Without loss of generality, we consider states in \(\mathrm {S}(\mathcal {H})\) where \(\mathcal {H}= (\mathbb {C}^2)^{\otimes n}\) is the Hilbert space for n-qubit systems. We are given either a state randomly sampled from the set or a state sampled according to the Haar measure on \(\mathrm {S}(\mathcal {H})\), and we require that no efficient quantum algorithm will be able to tell the difference between the two cases.

However, this definition does not seem to grasp the quantum nature of the problem. First, the state family where each is a uniform random bit string will satisfy the definition—in both cases, the mixed states representing the ensemble are \(\mathbbm {1}/2^n\). Second, many of the applications that we can find for PRS’s will not hold for this definition.

Instead, we require that the family of states looks random even if polynomially many copies of the state are given to the distinguishing algorithm. We argue that this is the more natural way to define pseudorandom states. One can see that this definition also naturally generalizes the definition of pseudorandomness in the classical case to the quantum setting. In the classical case, asking for more copies of a string is always possible and one does not bother making this explicit in the definition. This of course also rules out the example of classical random bit strings we discussed before. Moreover, this strong definition, once established, is rather flexible to use when studying the properties and applications of pseudorandom states.

Definition 2

(Pseudorandom Quantum States (PRS’s)). Let \(\kappa \) be the security parameter. Let \(\mathcal {H}\) be a Hilbert space and \(\mathcal {K}\) the key space, both parameterized by \(\kappa \). A keyed family of quantum states is pseudorandom, if the following two conditions hold:

  1.

    (Efficient generation). There is a polynomial-time quantum algorithm G that generates state on input k. That is, for all \(k\in \mathcal {K}\), .

  2.

    (Pseudorandomness). Any polynomially many copies of with the same random \(k\in \mathcal {K}\) is computationally indistinguishable from the same number of copies of a Haar random state. More precisely, for any efficient quantum algorithm \(\mathcal {A}\) and any \(m\in {{\mathrm{poly}}}(\kappa )\),

    where \(\mu \) is the Haar measure on \(\mathrm {S}(\mathcal {H})\).

3.2 Constructions and Analysis

In this section, we give an efficient construction of pseudorandom states which we call random phase states. We will prove that this family of states satisfies our definition of PRS’s. There are other interesting and simpler candidate constructions, but the family of random phase states is the easiest to analyze.

Let \(\textsf {PRF}:\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {X}\) be a quantum-secure pseudorandom function with key space \(\mathcal {K}\), \(\mathcal {X}= \{0, 1, 2, \ldots , N-1\}\) and \(N=2^n\). \(\mathcal {K}\) and N are implicitly functions of the security parameter \(\kappa \). The family of pseudorandom states of n qubits is defined

(8)

for \(k \in \mathcal {K}\) and \(\omega _N = \exp (2\pi i/N)\).

Theorem 1

For any QPRF \(\textsf {PRF}:\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {X}\), the family of states defined in Eq. (8) is a PRS.

Proof

First, we prove that the state can be efficiently prepared with a single query to \(\textsf {PRF} _k\). As \(\textsf {PRF} _k\) is efficient, this proves the efficient generation property.

The state generation algorithm works as follows. First, it prepares a state

This can be done by applying \(H^{\otimes n}\) to the first register initialized in and the quantum Fourier transform to the second register in state .

Then the algorithm calls \(\textsf {PRF} _k\) on the first register and subtracts the result from the second register, giving state

The state can be rewritten as

Therefore, the effect of this step is to transform the first register to the required form while leaving the second register intact.
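As an added illustration (not code from the paper), the following Python snippet builds the random phase state of Eq. (8) for a small n and simulates the generation procedure above classically. It uses HMAC-SHA256 truncated to n bits as a stand-in for \(\textsf {PRF} _k\); that choice is an assumption made here for illustration only and is not claimed to be a QPRF. The check at the end confirms that after the subtraction step the first register holds the random phase state and the second register is still \(F|1\rangle\), i.e. the phase kick-back worked.

```python
import cmath
import hashlib
import hmac


def prf(key: bytes, x: int, n: int) -> int:
    """Stand-in for PRF_k(x) on X = {0,...,2^n - 1}: HMAC-SHA256 truncated to n bits.
    Assumption for illustration only; the paper uses an arbitrary QPRF here."""
    digest = hmac.new(key, x.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (1 << n)


def random_phase_state(key: bytes, n: int) -> list:
    """Amplitudes of |phi_k> = N^{-1/2} sum_x omega_N^{PRF_k(x)} |x>  (Eq. (8))."""
    N = 1 << n
    omega = cmath.exp(2j * cmath.pi / N)
    return [omega ** prf(key, x, n) / N ** 0.5 for x in range(N)]


def qft_basis_state(n: int, j: int) -> list:
    """Amplitudes of F|j> = N^{-1/2} sum_y omega_N^{j*y} |y>  (Eq. (2))."""
    N = 1 << n
    omega = cmath.exp(2j * cmath.pi / N)
    return [omega ** (j * y) / N ** 0.5 for y in range(N)]


def generate_by_phase_kickback(key: bytes, n: int) -> list:
    """Classical simulation of the generation algorithm on two n-qubit registers.

    Joint amplitudes are stored as a flat list indexed by x*N + y.
    Step 1: first register H^{(x)n}|0> = uniform superposition, second register F|1>.
    Step 2: one query to PRF_k, subtracting the result from the second register:
            |x>|y>  ->  |x>|y - PRF_k(x) mod N>.
    """
    N = 1 << n
    plus = [1 / N ** 0.5] * N
    second = qft_basis_state(n, 1)
    joint = [plus[x] * second[y] for x in range(N) for y in range(N)]
    out = [0j] * (N * N)
    for x in range(N):
        fx = prf(key, x, n)
        for y in range(N):
            out[x * N + ((y - fx) % N)] += joint[x * N + y]
    return out


def norm_squared(amplitudes: list) -> float:
    return sum(abs(a) ** 2 for a in amplitudes)


def kickback_yields_random_phase_state(key: bytes, n: int, tol: float = 1e-9) -> bool:
    """True iff the simulated output equals |phi_k> (x) F|1> entrywise.

    This is the identity the proof relies on: the phase omega^{PRF_k(x)} moves to
    the first register and the second register is returned to F|1> unchanged.
    """
    N = 1 << n
    expected_first = random_phase_state(key, n)
    expected_second = qft_basis_state(n, 1)
    out = generate_by_phase_kickback(key, n)
    return all(
        abs(out[x * N + y] - expected_first[x] * expected_second[y]) < tol
        for x in range(N)
        for y in range(N)
    )


if __name__ == "__main__":
    # Constructed demo key and a 3-qubit register (N = 8).
    demo_key = b"constructed-demo-key"
    print("|phi_k> normalized:", abs(norm_squared(random_phase_state(demo_key, 3)) - 1) < 1e-9)
    print("kick-back produced |phi_k> (x) F|1>:", kickback_yields_random_phase_state(demo_key, 3))
```

The simulation is exponential in n by nature (it tracks all 4^n joint amplitudes), so it is only a check of the algebra behind the kick-back, not of efficiency; the efficiency claim in the proof rests on the single PRF query and the poly(n) cost of \(H^{\otimes n}\) and the quantum Fourier transform.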

Next, we prove the pseudorandomness property of the family. For this purpose, we consider three hybrids. In the first hybrid \(H_1\), the state will be for a uniform random \(k\in \mathcal {K}\). In the second hybrid \(H_2\), the state is for truly random functions \(f\in \mathcal {X}^\mathcal {X}\) where

In the third hybrid \(H_3\), the state is for chosen according to the Haar measure.

By the definition of the quantum-secure pseudorandom functions for \(\textsf {PRF} \), we have for any polynomial-time quantum algorithm \(\mathcal {A}\) and any \(m\in {{\mathrm{poly}}}(\kappa )\),

$$\begin{aligned} \left|\Pr \bigl [ \mathcal {A}(H_1) = 1 \bigr ] - \Pr \bigl [ \mathcal {A}(H_2) = 1 \bigr ] \right| = {{\mathrm{negl}}}(\kappa ). \end{aligned}$$

By Lemma 1, we have for any algorithm \(\mathcal {A}\) and \(m\in {{\mathrm{poly}}}(\kappa )\),

$$\begin{aligned} \left|\Pr \bigl [ \mathcal {A}(H_2) = 1 \bigr ] - \Pr \bigl [ \mathcal {A}(H_3) = 1 \bigr ] \right| = {{\mathrm{negl}}}(\kappa ). \end{aligned}$$

This completes the proof by triangle inequality.

Lemma 1

For function \(f:\mathcal {X}\rightarrow \mathcal {X}\), define quantum state

For \(m\in {{\mathrm{poly}}}(\kappa )\), the state ensemble is statistically indistinguishable from for Haar random .

Proof

Let \(m\in {{\mathrm{poly}}}(\kappa )\) be the number of copies of the state. We have

where \(\mathbf {x}= (x_1, x_2, \ldots , x_m)\) and \(\mathbf {y}= (y_1, y_2, \ldots , y_m)\). For later convenience, define density matrix

We will compute the entries of \(\rho ^m\) explicitly.

For \(\mathbf {x}= (x_1, x_2, \ldots , x_m) \in \mathcal {X}^m\), let \(m_j\) be the number of j in \(\mathbf {x}\) for \(j\in \mathcal {X}\). Obviously, one has \(\sum _{j\in \mathcal {X}} m_j = m\). Note that we have omitted the dependence of \(m_j\) on \(\mathbf {x}\) for simplicity. Recall the basis states defined in Eq. (4)

For \(\mathbf {x}, \mathbf {y}\in \mathcal {X}^m\), let \(m_j\) be the number of j in \(\mathbf {x}\) and \(m_j'\) be the number of j in \(\mathbf {y}\).

We can compute the entries of \(\rho ^m\) as

When \(\mathbf {x}\) is not a permutation of \(\mathbf {y}\), the summation \(\sum _{l=1}^m \bigl ( f(x_l) - f(y_l) \bigr )\) is a summation of terms \(\pm f(z_j)\) for distinct values \(z_j\). As f is a truly random function, \(f(z_j)\) is uniformly random and independent of \(f(z_{j'})\) for \(z_j\ne z_{j'}\). So it is not hard to verify that the entry is nonzero only if \(\mathbf {x}\) is a permutation of \(\mathbf {y}\). These nonzero entries are on the diagonal of \(\rho ^m\) in the basis of . These diagonal entries are

Let \(\rho ^m_\mu \) be the density matrix of a random state , for chosen from the Haar measure \(\mu \). From Eqs. (5) and (7), we have that

We need to prove

$$\begin{aligned} {\text {TD}}\bigl ( \rho ^m, \rho ^m_\mu \bigr ) = {{\mathrm{negl}}}(\kappa ). \end{aligned}$$

Define

$$\begin{aligned} \delta _{\mathbf {x};\text {Sym}} = \frac{m!}{N^m \prod _{j\in \mathcal {X}} m_j!} - \left( {\begin{array}{c}N+m-1\\ m\end{array}}\right) ^{-1}. \end{aligned}$$

Then

$$\begin{aligned} {\text {TD}}(\rho ^m, \rho ^m_\mu ) = \frac{1}{2} \sum _{\mathbf {x};\text {Sym}} \left|\delta _{\mathbf {x};\text {Sym}} \right|. \end{aligned}$$

The ratio of the two terms in \(\delta _{\mathbf {x};\text {Sym}}\) is

$$\begin{aligned} \frac{\displaystyle m! \left( {\begin{array}{c}N+m-1\\ m\end{array}}\right) }{\displaystyle N^m \prod _{j\in \mathcal {X}} m_j!} = \frac{\displaystyle \prod _{l=0}^{m-1} \Bigl ( 1+\frac{l}{N} \Bigr )}{\displaystyle \prod _{j\in \mathcal {X}} m_j!}. \end{aligned}$$

For sufficiently large security parameter \(\kappa \), the ratio is larger than 1 only if \(\prod _{j\in \mathcal {X}}m_j! = 1\), which corresponds to \(\mathbf {x}\)’s whose entries are all distinct. As there are \(\left( {\begin{array}{c}N\\ m\end{array}}\right) \) such \(\mathbf {x}\)’s, we can calculate the trace distance as

$$\begin{aligned} \begin{aligned} {\text {TD}}\bigl (\rho ^m, \rho ^m_\mu \bigr )&= \left( {\begin{array}{c}N\\ m\end{array}}\right) \biggl [ \frac{m!}{N^m} - \left( {\begin{array}{c}N+m-1\\ m\end{array}}\right) ^{-1} \biggr ]\\&= \frac{N (N-1) \cdots (N-m+1)}{N^m} - \frac{N (N-1) \cdots (N-m+1)}{(N+m-1) \cdots N}. \end{aligned} \end{aligned}$$

The first term is less than 1 and is at least

$$\begin{aligned} (1-\frac{1}{N})\cdots (1-\frac{m-1}{N}) \ge 1-\frac{1+2+\cdots +(m-1)}{N} \end{aligned}$$

For our choices of \(m\in {{\mathrm{poly}}}(\kappa )\) and \(N \in 2^{{{\mathrm{poly}}}(\kappa )}\), this term is \(1-{{\mathrm{negl}}}(\kappa )\) for sufficiently large security parameter \(\kappa \). Similar analysis applies to the second term and this completes the proof.
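To make the counting in the proof of Lemma 1 concrete, here is an added Python example (not from the paper) that computes \({\text {TD}}(\rho ^m, \rho ^m_\mu )\) exactly in rational arithmetic for small N and m: once by summing \(|\delta _{\mathbf {x};\text {Sym}}|\) over every multiset \(\{x_1,\ldots ,x_m\}\), and once by the closed form derived above. It also evaluates the condition the closed form relies on, namely \(\prod _{l=0}^{m-1}(1+l/N) < 2\), which guarantees that only \(\mathbf {x}\)’s with all-distinct entries have positive \(\delta \). The symbol names follow the paper; the parameter values used in the demo (N = 16, m = 3) are constructed for the illustration and are far too small for cryptographic use.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations_with_replacement
from math import comb, factorial


def random_function_weight(N: int, x: tuple) -> Fraction:
    """Diagonal entry of rho^m on |Sym_x>:  m! / (N^m * prod_j m_j!)."""
    m = len(x)
    denom = 1
    for m_j in Counter(x).values():
        denom *= factorial(m_j)
    return Fraction(factorial(m), N ** m * denom)


def haar_weight(N: int, m: int) -> Fraction:
    """Diagonal entry of rho^m_mu on |Sym_x>: 1 / binom(N+m-1, m), by Eqs. (5) and (7)."""
    return Fraction(1, comb(N + m - 1, m))


def trace_distance_exact(N: int, m: int) -> Fraction:
    """TD = (1/2) * sum over symmetric basis states of |delta_{x;Sym}|.

    Both rho^m and rho^m_mu are diagonal in the |Sym_x> basis, so the trace
    distance is half the l1 distance between their diagonals.
    """
    haar = haar_weight(N, m)
    total = Fraction(0)
    for x in combinations_with_replacement(range(N), m):
        total += abs(random_function_weight(N, x) - haar)
    return total / 2


def closed_form_applies(N: int, m: int) -> bool:
    """prod_{l<m} (1 + l/N) < 2: then delta > 0 exactly when all entries of x are distinct."""
    ratio = Fraction(1)
    for l in range(m):
        ratio *= Fraction(N + l, N)
    return ratio < 2


def trace_distance_closed_form(N: int, m: int) -> Fraction:
    """binom(N, m) * [ m!/N^m - binom(N+m-1, m)^{-1} ], the first line of the paper's formula."""
    return comb(N, m) * (Fraction(factorial(m), N ** m) - haar_weight(N, m))


def trace_distance_product_form(N: int, m: int) -> Fraction:
    """N(N-1)...(N-m+1)/N^m  -  N(N-1)...(N-m+1)/((N+m-1)...N), the second line."""
    falling = 1
    for l in range(m):
        falling *= N - l
    rising = 1
    for l in range(m):
        rising *= N + l
    return Fraction(falling, N ** m) - Fraction(falling, rising)


def distinct_term_lower_bound(N: int, m: int) -> Fraction:
    """1 - (1 + 2 + ... + (m-1))/N, the bound used for the first term."""
    return 1 - Fraction(m * (m - 1) // 2, N)


if __name__ == "__main__":
    N, m = 16, 3  # constructed demo values
    print("closed form applies:", closed_form_applies(N, m))
    print("TD exact          :", trace_distance_exact(N, m))
    print("TD closed form    :", trace_distance_closed_form(N, m))
    print("TD product form   :", trace_distance_product_form(N, m))
```

Because the weights on both sides sum to 1, the positive and negative \(\delta \)’s cancel, which is why the trace distance equals the sum of the positive \(\delta \)’s alone, i.e. the \(\left( {\begin{array}{c}N\\ m\end{array}}\right) \) all-distinct terms. Doubling n (so N = 2^n grows exponentially while m stays fixed) makes the computed distance shrink quickly, which is the quantitative content of the lemma.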

3.3 Comparison with Related Work

We remark that a similar family of states was considered in [1] (Theorem 3). However, the size of the state family there depends on a parameter d which should be larger than the sum of the number of state copies and the number of queries. In our construction, the key space is fixed for a given security parameter, which may be advantageous for various applications.

We mention several other candidate constructions of PRS’s and leave detailed analysis of them to future work. A construction closely related to the random phase states in Eq. (8) uses random \(\pm 1\) phases,

Intuitively, this family is less random than the random phase states in Eq. (8), and the corresponding density matrix \(\rho ^m\) has small off-diagonal entries, making the proof more challenging. Another family of candidate states, on 2n qubits, takes the form

In this construction, the state is an equal superposition of a random subset of size \(2^n\) of \(\{0,1\}^{2n}\) and \(\textsf {PRP} \) is any pseudorandom permutation over the set \(\{0,1\}^{2n}\). We call this the random subset states construction.

Finally, we remark that under plausible cryptographic assumptions our PRS constructions can be implemented using shallow quantum circuits of polylogarithmic depth. To see this, note that there exist PRFs that can be computed in polylogarithmic depth [6], which are based on lattice problems such as “learning with errors” (LWE) [52], and are believed to be secure against quantum computers. These PRFs can be used directly in our PRS construction. (Alternatively, one can use low-depth PRFs that are constructed from more general assumptions, such as the existence of trapdoor one-way permutations [46].)

This shows that PRS states can be prepared in surprisingly small depth, compared to quantum state t-designs, which generally require at least linear depth when t is a constant greater than 2, or polynomial depth when t grows polynomially with the number of qubits [4, 12, 40, 43]. (Note, however, that for \(t=2\), quantum state 2-designs can be generated in logarithmic depth [16].) Moreover, PRS states are sufficient for many applications where high-order t-designs are used [35, 51], provided that one only requires states to be computationally (not statistically) indistinguishable from Haar-random.

4 Cryptographic No-cloning Theorem and Quantum Money

A fundamental fact in quantum information theory is that unknown or random quantum states cannot be cloned [18, 48, 50, 60, 62]. The main topic of this section is to investigate the cloning problem for pseudorandom states. As we will see, even though pseudorandom states can be efficiently generated, they do share the no-cloning property of generic quantum states.

Let \(\mathcal {H}\) be the Hilbert space of dimension N and \(m<m'\) be two integers. The numbers \(N,m,m'\) depend implicitly on a security parameter \(\kappa \). We will assume that N is exponential in \(\kappa \) and \(m\in {{\mathrm{poly}}}(\kappa )\) in the following discussion.

We first recall the fact that for Haar random state , the success probability of producing \(m'\) copies of the state given m copies is negligibly small. Let \(\mathcal {C}\) be a cloning channel that on input tries to output a state that is close to for \(m'>m\). The expected success probability of \(\mathcal {C}\) is measured by

It is known [60] that for any cloning channel \(\mathcal {C}\), this success probability is bounded by

$$\begin{aligned} \left( {\begin{array}{c}N+m-1\\ m\end{array}}\right) \bigg / \left( {\begin{array}{c}N+m'-1\\ m'\end{array}}\right) , \end{aligned}$$

which is \({{\mathrm{negl}}}(\kappa )\) for our choices of \(N,m,m'\).

We establish a no-cloning theorem for PRS’s which says that no efficient quantum cloning procedure exists for a general PRS. The theorem is called the cryptographic no-cloning theorem because of its deep roots in pseudorandomness in cryptography.

Theorem 2

(Cryptographic No-cloning Theorem). For any PRS family , \(m\in {{\mathrm{poly}}}(\kappa )\), \(m<m'\) and any polynomial-time quantum algorithm \(\mathcal {C}\), the success cloning probability

Proof

Assume on the contrary that there is a polynomial-time quantum cloning algorithm \(\mathcal {C}\) whose success probability of producing \(m+1\) copies from m copies is at least \(\kappa ^{-c}\) for some constant \(c>0\). (It suffices to consider \(m'=m+1\): an algorithm that produces \(m'>m+1\) copies yields one producing \(m+1\) copies, with success probability at least as large, by discarding the extra registers.) We will construct a polynomial-time distinguisher \(\mathcal {D}\) that violates the definition of PRS’s. Distinguisher \(\mathcal {D}\) draws \(2m+1\) copies of the state, calls \(\mathcal {C}\) on the first m copies, and performs the SWAP test between the output of \(\mathcal {C}\) and the remaining \(m+1\) copies. If the input is from the PRS family, \(\mathcal {D}\) outputs 1 with probability at least \((1+\kappa ^{-c})/2\), whereas if the input is Haar random, it outputs 1 with probability at most \((1+{{\mathrm{negl}}}(\kappa ))/2\), by the bound on cloning Haar random states recalled above. Since \(\mathcal {C}\) is polynomial-time, so is \(\mathcal {D}\). This contradicts the definition of PRS’s and completes the proof.

4.1 A Strong Notion of PRS and Equivalence to PRS

In this section, we show that, somewhat surprisingly, PRS in fact implies a seemingly stronger notion, where indistinguishability must hold even if the distinguisher additionally has access to an oracle that reflects about the given state. There are at least two motivations for considering this augmented notion. Firstly, unlike a classical string, a quantum state is inherently hidden: given a quantum register prepared in some state (i.e., a physical system), we can only choose some observable to measure, which reveals only partial information and in general collapses the state. It is therefore meaningful to offer a distinguishing algorithm more information about the given state, and the reflection oracle is a natural choice. Secondly, this stronger notion is extremely useful in our application to quantum money schemes, and could be of interest elsewhere too.

More formally, for any state , define an oracle that reflects about .

Definition 3

(Strongly Pseudorandom Quantum States). Let \(\mathcal {H}\) be a Hilbert space and \(\mathcal {K}\) be the key space. \(\mathcal {H}\) and \(\mathcal {K}\) depend on the security parameter \(\kappa \). A keyed family of quantum states is strongly pseudorandom, if the following two conditions hold:

  1.

    (Efficient generation). There is a polynomial-time quantum algorithm G that generates state on input k. That is, for all \(k\in \mathcal {K}\), .

  2.

    (Strong Pseudorandomness). Polynomially many copies of with the same random \(k\in \mathcal {K}\) are computationally indistinguishable from the same number of copies of a Haar random state, even given oracle access to the reflection about the state. More precisely, for any efficient quantum oracle algorithm \(\mathcal {A}\) and any \(m\in {{\mathrm{poly}}}(\kappa )\),

    where \(\mu \) is the Haar measure on \(\mathrm {S}(\mathcal {H})\).

Note that since the distinguisher \(\mathcal {A}\) is polynomial-time, the number of queries to the reflection oracle (\(O_{\phi _k}\) or \(O_\psi \)) is also polynomially bounded.

We prove that the advantage a reflection oracle may give to a distinguisher is limited. In fact, standard PRS implies strong PRS, and hence the two notions are equivalent.

Theorem 3

A family of states is strongly pseudorandom if and only if it is (standard) pseudorandom.

Proof

Clearly a strong PRS is also a standard PRS by definition. It suffices to prove that any PRS is also strongly pseudorandom.

Suppose for contradiction that there is a distinguishing algorithm \(\mathcal {A}\) that breaks the strongly pseudorandom condition. Namely, there exists \(m\in {{\mathrm{poly}}}(\kappa )\) and constant \(c>0\) such that for sufficiently large \(\kappa \),

We assume \(\mathcal {A}\) makes \(q\in {{\mathrm{poly}}}(\kappa )\) queries to the reflection oracle. Then, by Theorem 4, there is an algorithm \(\mathcal {B}\) such that for any l

and

By triangle inequality, we have

Choosing \(l = 64q^2\kappa ^{2c} \in {{\mathrm{poly}}}(\kappa )\), we have

which is a contradiction with the definition of PRS for . Therefore, we conclude that PRS and strong PRS are equivalent.

We now show the technical ingredient that allows us to simulate the reflection oracle about a state using multiple copies of that state. This result is inspired by a similar theorem proved by Ambainis et al. [5, Lemma 42]. Our simulation applies the reflection about the standard symmetric subspace to the multiple copies of the given state, as opposed to the reflection about a particular subspace used in [5]; the reflection about the symmetric subspace is one we know how to implement efficiently.

Theorem 4

Let be a quantum state. Define oracle to be the reflection about . Let be a state not necessarily independent of . Let \(\mathcal {A}^{O_\psi }\) be an oracle algorithm that makes q queries to \(O_\psi \). For any integer \(l>0\), there is a quantum algorithm \(\mathcal {B}\) that makes no queries to \(O_\psi \) such that

Moreover, the running time of \(\mathcal {B}\) is polynomial in that of \(\mathcal {A}\) and l.

Proof

Consider a quantum register T, initialized in the state . Let \(\varPi \) be the projection onto the symmetric subspace \(\vee ^{l+1}\mathcal {H}\subset \mathcal {H}^{\otimes (l+1)}\), and let \(R = \mathbbm {1}- 2\varPi \) be the reflection about the symmetric subspace.

Assume without loss of generality that algorithm \(\mathcal {A}\) is unitary and only performs measurements at the end. We define algorithm \(\mathcal {B}\) to be the same as \(\mathcal {A}\), except that when \(\mathcal {A}\) queries \(O_\psi \) on register \(\textsf {D}\), \(\mathcal {B}\) applies the reflection R on the collection of quantum registers \(\textsf {D}\) and \(\textsf {T}\). We first analyze the corresponding states after the first oracle call to \(O_\psi \) in algorithms \(\mathcal {A}\) and \(\mathcal {B}\),

For any two states , we have

where the first step uses the identity in Eq. (6) and the second step follows by observing that the probability of a random \(\pi \in S_{l+1}\) mapping 1 to 1 is \(1/(l+1)\). These calculations imply that,

We can compute the inner product of the two states and as

This implies that

Let and be the final states of algorithm \(\mathcal {A}\) and \(\mathcal {B}\) before measurement respectively. Then by induction on the number of queries, we have

This concludes the proof by noticing that

Finally, we show that if \(\mathcal {A}\) is polynomial-time, then so is \(\mathcal {B}\). Based on the construction of \(\mathcal {B}\), it suffices to show that the reflection R is efficiently implementable for any polynomially large l. Here we use a result by Barenco et al. [8] which provides an efficient implementation for the projection \(\varPi \) onto \(\vee ^{l+1} \mathcal {H}\). More precisely, they design a quantum circuit of size \(O({{\mathrm{poly}}}(l, \log \dim \mathcal {H}))\) that implements a unitary U such that on \(\mathcal {H}^{\otimes (l+1)}\otimes \mathcal {H}'\) for an auxiliary space \(\mathcal {H}'\) of dimension O(l!). Here corresponds to the projection of on the symmetric subspace. With U, we can implement the reflection R as \(U^* S U\) where S is the unitary that introduces a minus sign conditioned on the second register being 0.
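The per-query error of this simulation can be checked numerically on a single qubit. The following is an added example, not code from the paper: it builds \(\varPi \) by averaging over all \((l+1)!\) axis permutations of the \((l+1)\)-index tensor, applies \(R = \mathbbm {1}- 2\varPi \) to \(|\phi \rangle \otimes |\psi \rangle ^{\otimes l}\) and compares the result with \((O_\psi |\phi \rangle )\otimes |\psi \rangle ^{\otimes l}\). The closed form it checks against, \(2|b|/\sqrt{l+1}\) with \(|b|^2 = 1-|\langle \psi |\phi \rangle |^2\), is our own one-query calculation (the component of \(|\phi \rangle \) orthogonal to \(|\psi \rangle \) is mapped by \(\varPi \) to a vector of norm \(1/\sqrt{l+1}\)); function names such as `simulation_error` and `run_checks` are ours.

```python
"""Simulating the reflection oracle O_psi with l copies of |psi> (Theorem 4).

Added example, not code from the paper.  Pi is applied by averaging over all
(l+1)! axis permutations, which is only feasible for tiny l and d; the
efficient implementation is the Barenco et al. circuit cited in the proof.
"""
import itertools
import math

import numpy as np


def sym_project(v: np.ndarray, d: int, m: int) -> np.ndarray:
    """Apply Pi, the projector onto the symmetric subspace of (C^d)^{(x)m}, to v.

    Pi = (1/m!) sum_{pi in S_m} P_pi, where P_pi permutes the m tensor axes.
    """
    t = v.reshape((d,) * m)
    acc = np.zeros_like(t)
    count = 0
    for perm in itertools.permutations(range(m)):
        acc = acc + t.transpose(perm)
        count += 1
    return (acc / count).reshape(-1)


def sym_reflect(v: np.ndarray, d: int, m: int) -> np.ndarray:
    """R = 1 - 2 Pi, the reflection about the symmetric subspace."""
    return v - 2.0 * sym_project(v, d, m)


def reflect_about(psi: np.ndarray, phi: np.ndarray) -> np.ndarray:
    """The ideal oracle O_psi = 1 - 2|psi><psi| applied to |phi>."""
    return phi - 2.0 * np.vdot(psi, phi) * psi


def tensor_power(psi: np.ndarray, l: int) -> np.ndarray:
    """|psi>^{(x)l} as a flat vector."""
    out = np.array([1.0 + 0.0j])
    for _ in range(l):
        out = np.kron(out, psi)
    return out


def simulation_error(psi: np.ndarray, phi: np.ndarray, l: int) -> float:
    """Norm of R(|phi>|psi>^{l}) - (O_psi|phi>)|psi>^{l} for a single query."""
    d = psi.size
    copies = tensor_power(psi, l)
    ideal = np.kron(reflect_about(psi, phi), copies)
    simulated = sym_reflect(np.kron(phi, copies), d, l + 1)
    return float(np.linalg.norm(ideal - simulated))


def predicted_error(psi: np.ndarray, phi: np.ndarray, l: int) -> float:
    """Closed form 2|b|/sqrt(l+1) with |b|^2 = 1 - |<psi|phi>|^2 (own derivation:
    Pi sends the component of |phi> orthogonal to |psi>, tensored with
    |psi>^{l}, to a vector of norm 1/sqrt(l+1), and R = 1 - 2 Pi)."""
    b_sq = max(1.0 - abs(np.vdot(psi, phi)) ** 2, 0.0)
    return 2.0 * math.sqrt(b_sq) / math.sqrt(l + 1)


def copies_for_queries(q: int, kappa: int, c: int) -> int:
    """The choice l = 64 q^2 kappa^{2c} made in the proof of Theorem 3."""
    return 64 * q * q * kappa ** (2 * c)


def total_error_bound(q: int, l: int) -> float:
    """q queries, each off by at most 2/sqrt(l+1), summed by a hybrid argument."""
    return 2.0 * q / math.sqrt(l + 1)


KET0 = np.array([1.0, 0.0], dtype=complex)
KET1 = np.array([0.0, 1.0], dtype=complex)
PLUS = (KET0 + KET1) / math.sqrt(2)


def run_checks(l: int = 3) -> dict:
    """Worked values on one qubit (d = 2) with l copies of |psi> = |0>."""
    rng = np.random.default_rng(7)          # constructed sample state below
    rand = rng.normal(size=2) + 1j * rng.normal(size=2)
    rand = rand / np.linalg.norm(rand)
    return {
        "same_state": simulation_error(KET0, KET0, l),    # exact: 0
        "orthogonal": simulation_error(KET0, KET1, l),    # 2/sqrt(l+1)
        "plus": simulation_error(KET0, PLUS, l),          # sqrt(2)/sqrt(l+1)
        "random_gap": abs(simulation_error(KET0, rand, l)
                          - predicted_error(KET0, rand, l)),
    }


if __name__ == "__main__":
    for l in (1, 3, 5):
        print(l, run_checks(l))
    l_star = copies_for_queries(q=2, kappa=10, c=1)
    print("q=2, kappa=10, c=1:", l_star, total_error_bound(2, l_star))
```

Summed over q queries this gives \(2q/\sqrt{l+1}\); with \(l = 64q^2\kappa ^{2c}\) that is below \(\kappa ^{-c}/4\), which is what `total_error_bound` reports and what the triangle-inequality step in the proof of Theorem 3 needs on each side of the distinguishing game. The exhaustive permutation average is exponential in l and is used here only as a check.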

4.2 Quantum Money from PRS

Using Theorem 3, we can improve Theorem 2 to the following version. The proof is omitted as it is very similar to that for Theorem 2 and uses the complexity-theoretic no-cloning theorem [1, 2] for Haar random states.

Theorem 5

(Cryptographic no-cloning Theorem with Oracle). For any PRS , \(m\in {{\mathrm{poly}}}(\kappa )\), \(m<m'\) and any polynomial-time quantum query algorithm \(\mathcal {C}\), the success cloning probability

A direct application of this no-cloning theorem is that it gives rise to new constructions of private-key quantum money. Quantum money is one of the earliest ideas in quantum information [9, 61], and quantum money schemes have received renewed interest in the past decade (see e.g. [1, 3, 20, 21, 39, 42]). First, we recall the definition of a quantum money scheme, adapted from [2].

Definition 4

(Quantum Money Scheme). A private-key quantum money scheme \(\mathcal {S}\) consists of three algorithms:

  • KeyGen, which takes as input the security parameter \(1^\kappa \) and randomly samples a private key k.

  • Bank, which takes as input the private key k and generates a quantum state called a banknote.

  • Ver, which takes as input the private key k and an alleged banknote , and either accepts or rejects.

The money scheme \(\mathcal {S}\) has completeness error \(\varepsilon \) if accepts with probability at least \(1-\varepsilon \) for every valid banknote .

Let Count be the money counter that outputs the number of valid banknotes when given a collection of (possibly entangled) alleged banknotes . Namely, Count calls Ver on each banknote and returns the number of times that Ver accepts. The money scheme \(\mathcal {S}\) has soundness error \(\delta \) if every polynomial-time counterfeiter C that maps q valid banknotes to r alleged banknotes satisfies

The scheme \(\mathcal {S}\) is secure if it has completeness error \(\le 1/3\) and negligible soundness error.

For any with key space \(\mathcal {K}\), we can define a private-key quantum money scheme \(\mathcal {S}_\textsf {PRS} \) as follows:

  • \(\textsf {KeyGen} (1^\kappa )\) randomly outputs \(k\in \mathcal {K}\).

  • \(\textsf {Bank} (k)\) generates the banknote .

  • \(\textsf {Ver} (k,\rho )\) applies the projective measurement that accepts \(\rho \) with probability .

We remark that usually the money state takes the form where the first register contains a classical serial number. Our scheme, however, does not require the use of the serial numbers. This simplification is brought to us by the strong requirement that any polynomial copies of are indistinguishable from Haar random states.

Theorem 6

The private-key quantum money scheme \(\mathcal {S}_\textsf {PRS} \) is secure for all \(\textsf {PRS} \).

Proof

It suffices to prove that the soundness error of \(\mathcal {S}_\textsf {PRS} \) is negligible: the completeness error is zero, since \(\textsf {Ver} (k,\cdot )\) is the projective measurement onto the valid banknote state and accepts it with probability 1. Assume to the contrary that there is a counterfeiter C such that

for some constant \(c>0\) and sufficiently large \(\kappa \). From the counterfeiter C, we construct an oracle algorithm \(\mathcal {A}^{O_{\phi _k}}\) that maps q copies of to \({q+1}\) copies with noticeable probability, which contradicts Theorem 5.

The oracle algorithm \(\mathcal {A}\) first runs C and then implements the measurement

on each copy of the money state that C outputs. This measurement can be implemented by attaching an auxiliary qubit initialized in and applying the reflection oracle \(O_\phi \) controlled on that qubit being 1, then measuring the auxiliary qubit in the X basis. This gives an r-bit outcome \(\mathbf {x}\in \{0,1\}^r\). If \(\mathbf {x}\) has Hamming weight at least \(q+1\), algorithm \(\mathcal {A}\) outputs any \(q+1\) registers that correspond to outcome 1; otherwise, it outputs . By construction, \(\mathcal {A}\) succeeds in producing \({q+1}\) money states from q copies with probability at least \(\kappa ^{-c}\).

Our security proof of the quantum money scheme is arguably simpler than that in [2]. In [2], to prove that their hidden subspace money scheme is secure, one needs to develop the so-called inner-product adversary method to show the worst-case query complexity for the hidden subspace states, and then use a random self-reducibility argument to establish the average-case query complexity. In our case, security follows almost directly from the cryptographic no-cloning theorem with oracles. The quantum money schemes derived from PRS’s enjoy many nice features of the hidden subspace scheme. Most importantly, they are also query-secure [2], meaning that the bank can simply return the money state to the user after verification.

It is also interesting to point out that quantum money states are not necessarily pseudorandom states. The hidden subspace states of [2], for example, do not satisfy our definition of PRS: measuring polynomially many copies of the state in the computational basis yields random elements of the hidden subspace, from which a basis of the subspace is recovered with high probability.

5 Entanglement of Pseudorandom Quantum States

In this section, we study the entanglement property of pseudorandom quantum states. Our result shows that any PRS consists of states that have high entanglement on average.

The entanglement property of a bipartite pure quantum state is well understood and is completely determined by the Schmidt coefficients of a bipartite state (see e.g. [31]). Any state on system A and B can be written as

where \(\lambda _j > 0\) for all \(1\le j \le R\), and the states (and ) form sets of orthonormal states on A (and B, respectively). Here, the positive real numbers \(\lambda _j\) are the Schmidt coefficients and R is the Schmidt rank of the state . Let \(\rho _A\) be the reduced density matrix of on system A; then the \(\lambda _j\) are the nonzero eigenvalues of \(\rho _A\). Entanglement can be measured by the Schmidt rank R or by entropy-like quantities derived from the Schmidt coefficients. We consider the quantum \(\alpha \)-Rényi entropy of \(\rho _A\)

$$\begin{aligned} S_\alpha (\rho _A) := \frac{1}{1-\alpha } \log \biggl ( \sum _{j=1}^R \lambda _j^\alpha \biggr ). \end{aligned}$$

When \(\alpha \rightarrow 1\), \(S_\alpha \) coincides with the von Neumann entropy of \(\rho _A\)

$$\begin{aligned} S(\rho _A) = - \sum _{j=1}^R \lambda _j \log \lambda _j. \end{aligned}$$

When \(\alpha \rightarrow \infty \), \(S_\alpha \) coincides with the quantum min entropy of \(\rho _A\)

where \(\lambda _{\max }\) is the largest eigenvalue of \(\rho _A\). For \(\alpha =2\), the entropy \(S_2\) is the quantum analogue of the collision entropy.

For Haar random state where the dimensions of \(\mathcal {H}_A\) and \(\mathcal {H}_B\) are \(d_A\) and \(d_B\) respectively, the Page conjecture [49] proved in [22, 54, 55] states that for \(d_A \le d_B\), the average entanglement entropy is explicitly given as

That is, Haar random states are highly entangled on average and, in fact, a typical Haar random state is almost maximally entangled. A more detailed discussion of this phenomenon is given in [28, 34]. The following theorem and its corollary tell us that pseudorandom states are also entangled on average, though the quantitative bound is much weaker.

Theorem 7

Let be a family of PRS with security parameter \(\kappa \). Consider partitions of the state into systems A and B consisting of \(n_A\) and \(n_B\) qubits each where both \(n_A\) and \(n_B\) are polynomial in the security parameter. Let \(\rho _k\) be the reduced density matrix on system A. Then,

Proof

Assume to the contrary that

for some constant \(c>0\) and sufficiently large \(\kappa \). We will construct a distinguisher \(\mathcal {A}\) that tells the family of state apart from the Haar random states.

Consider the SWAP test performed on the system A of two copies of . The test accepts with probability

$$\begin{aligned} \frac{1 + {{\mathrm{tr}}}(\rho _k^2)}{2}. \end{aligned}$$

Let the distinguisher \(\mathcal {A}\) be the above SWAP test. Then

for sufficiently large \(\kappa \). The last step follows by a formula of Lubkin [36]
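Carrying the distinguisher’s advantage through explicitly, as an added worked computation that is not part of the original proof: write \(d_A = 2^{n_A}\), \(d_B = 2^{n_B}\), let \(\rho _\psi \) denote the reduced state on A of the Haar random \(\psi \), and use the contradiction hypothesis \(\mathop {\mathbb {E}}_{k} {{\mathrm{tr}}}(\rho _k^2) \ge \kappa ^{-c}\) together with Lubkin’s formula \(\mathop {\mathbb {E}}_{\psi \leftarrow \mu } {{\mathrm{tr}}}(\rho _\psi ^2) = (d_A+d_B)/(d_A d_B+1)\) (the formula of [36] cited above). Since the SWAP test accepts with probability \((1+{{\mathrm{tr}}}(\rho ^2))/2\) on either input,

$$\begin{aligned} \Pr [\mathcal {A}\text { accepts} \mid \text {PRS}] - \Pr [\mathcal {A}\text { accepts} \mid \text {Haar}] &= \frac{1}{2}\Bigl ( \mathop {\mathbb {E}}_{k\leftarrow \mathcal {K}} {{\mathrm{tr}}}(\rho _k^2) - \mathop {\mathbb {E}}_{\psi \leftarrow \mu } {{\mathrm{tr}}}(\rho _\psi ^2) \Bigr ) \\ &\ge \frac{1}{2}\Bigl ( \kappa ^{-c} - \frac{d_A+d_B}{d_A d_B+1} \Bigr ) \\ &> \frac{1}{2}\bigl ( \kappa ^{-c} - 2^{-n_A} - 2^{-n_B} \bigr ), \end{aligned}$$

which is at least \(\kappa ^{-c}/4\) for sufficiently large \(\kappa \) whenever \(n_A, n_B \in \omega (\log \kappa )\). This growth is what “polynomial in the security parameter” has to guarantee in Theorem 7 and Corollary 1: for a constant \(n_A\) the Haar value \(2^{-n_A}\) is itself non-negligible, and the SWAP test then cannot separate the two cases.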

Corollary 1

Let be a family of PRS with security parameter \(\kappa \). Consider partitions of the state into systems A and B consisting of \(n_A\) and \(n_B\) qubits each where both \(n_A\) and \(n_B\) are polynomial in the security parameter. We have

  1.

    Let \(R_k\) be the Schmidt rank of state under the A, B partition, then for all constant \(c>0\) and sufficiently large \(\kappa \).

  2.

    and .

Proof

The first item follows from the fact that

$$\begin{aligned} {{\mathrm{tr}}}(\rho _k^2) \ge \frac{1}{R_k}. \end{aligned}$$

where \(R_k\) is the Schmidt rank of state . The second item for the min entropy follows by Jensen’s inequality and

$$\begin{aligned} {{\mathrm{tr}}}(\rho _k^2) \ge \lambda _{\max }^2. \end{aligned}$$

Finally, the bound on the expected entanglement entropy follows by the fact that min entropy is the smallest \(\alpha \)-Rényi entropy for all \(\alpha >0\).

6 Pseudorandom Unitary Operators (PRUs)

6.1 Definitions

Our notion of pseudorandom states readily extends to distributions over unitary operators. Let \(\mathcal {H}\) be a Hilbert space and \(\mathcal {K}\) be a key space, both of which depend on a security parameter \(\kappa \). Let \(\mu \) be the Haar measure on the unitary group \(\mathrm {U}(\mathcal {H})\).

Definition 5

A family of unitary operators \(\{U_k \in \mathrm {U}(\mathcal {H})\}_{k\in \mathcal {K}}\) is pseudorandom, if two conditions hold:

  1.

    (Efficient computation). There is an efficient quantum algorithm Q, such that for all k and any , .

  2.

    (Pseudorandomness). \(U_k\) with a random key k is computationally indistinguishable from a Haar random unitary operator. More precisely, for any efficient quantum algorithm \(\mathcal {A}\) that makes at most polynomially many queries to the oracle,

    $$\begin{aligned} \left|{\mathop {\Pr }\limits _{k\leftarrow \mathcal {K}}} \bigl [ \mathcal {A}^{U_k}(1^\kappa ) =1 \bigr ] - {\mathop {\Pr }\limits _{U\leftarrow \mu }} \bigl [\mathcal {A}^U(1^\kappa ) = 1 \bigr ] \right| = {{\mathrm{negl}}}(\kappa ). \end{aligned}$$

The extensive literature on approximating Haar randomness on unitary groups concerns unitary designs [12, 19], which are statistical approximations to the Haar distribution up to a fixed t-th moment. Our notion of pseudorandom unitary operators, defined in terms of computational indistinguishability, is of independent interest and supplements, and could substitute for, unitary designs in various applications.

6.2 Candidate Constructions

Clearly, a pseudorandom unitary family \(\{U_k\}\) immediately gives pseudorandom states as well (e.g., ). On the other hand, our techniques for constructing pseudorandom states can be extended to give candidate constructions for pseudorandom unitary operators (PRUs) in the following way. Let \(\mathcal {H}= (\mathbb {C}^2)^{\otimes n}\). Assume we have a pseudorandom function \(\textsf {PRF}:\, \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {X}\), with domain \(\mathcal {X}= \{0, 1, 2, \ldots , N-1\}\) and \(N=2^n\). Using the phase kick-back technique, we can implement the unitary transformation \(T_k \in \mathrm {U}(\mathcal {H})\) that maps

(9)

Our pseudorandom states were given by , where \(H^{\otimes n}\) denotes the n-qubit Hadamard transform. We conjecture that by repeating the operation \(T_k H^{\otimes n}\) a constant number of times (with different keys k), we get a PRU. This resembles the construction of unitary t-designs in [43, 44].

Alternatively, one can give a candidate construction for PRUs based on pseudorandom permutations (PRPs) as follows. First, let \(\textsf {PRP} _k\) be a pseudorandom permutation (with key \(k \in \mathcal {K}\)) acting on \(\{0,1\}^n\), and suppose we have efficient quantum circuits that compute the permutation as well as its inverse (where \(\oplus \) denotes the bitwise xor operation). Then we can compute the permutation in-place by applying the following sequence of operations:

(10)

For simplicity, let us denote this operation by (ignoring the second register, which stays in the state ). Now we can consider repeating the operation \(S_k H^{\otimes n}\) several times (with different keys k), as a candidate for a PRU. Note that this resembles the construction of unitary t-designs in [26].
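The following is an added example, not code from the paper, that builds these ingredients on n = 8 qubits so the definitions can be exercised: the random phase state of Eq. (8) from Section 3.3 (as we read Eqs. (8) and (9): phase \(\omega _N^{\textsf {PRF} _k(x)}\) on \(|x\rangle \)), the diagonal unitary \(T_k\), and \(S_k\) realised in place through a scratch register in the compute/uncompute/swap order that is our reading of Eq. (10). HMAC-SHA256 reduced mod N stands in for \(\textsf {PRF} _k\) and a keyed sort of \(\{0,1\}^n\) stands in for \(\textsf {PRP} _k\); both are simulation stand-ins, not post-quantum PRFs, and the key `b"demo-key"` and all function names are ours. As a cross-check against Theorem 7, it also compares \({{\mathrm{tr}}}(\rho _A^2)\) of the phase state on a 4/4 qubit split with Lubkin’s Haar average \((d_A+d_B)/(d_A d_B+1)\).

```python
"""Candidate PRS/PRU ingredients on a few qubits: the random phase state
(Eq. 8), the phase unitary T_k (Eq. 9) and the in-place PRP unitary S_k
(Eq. 10).  Added example, not code from the paper.  HMAC-SHA256 stands in
for PRF_k and a keyed sort stands in for PRP_k (assumptions for the
simulation only; neither is claimed to be a post-quantum PRF)."""
import hashlib
import hmac
import math

import numpy as np


def prf(key: bytes, x: int, n: int) -> int:
    """Stand-in PRF_k : {0,1}^n -> Z_N, N = 2^n (HMAC-SHA256 reduced mod N)."""
    digest = hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (1 << n)


def prp_table(key: bytes, n: int) -> list:
    """Stand-in PRP_k on {0,1}^n as a lookup table x -> table[x].

    Sorting all 2^n inputs by a keyed hash gives a bijection; fine for tiny n."""
    def rank(x: int) -> bytes:
        return hmac.new(key, b"prp" + x.to_bytes(4, "big"), hashlib.sha256).digest()
    return sorted(range(1 << n), key=rank)


def phase_state(key: bytes, n: int) -> np.ndarray:
    """|phi_k> = N^{-1/2} sum_x omega_N^{PRF_k(x)} |x>, omega_N = exp(2 pi i/N)."""
    N = 1 << n
    f = np.array([prf(key, x, n) for x in range(N)])
    return np.exp(2j * math.pi * f / N) / math.sqrt(N)


def T_k(key: bytes, n: int) -> np.ndarray:
    """Diagonal unitary |x> -> omega_N^{PRF_k(x)} |x> (phase kick-back, Eq. 9)."""
    N = 1 << n
    f = np.array([prf(key, x, n) for x in range(N)])
    return np.diag(np.exp(2j * math.pi * f / N))


def hadamard_n(n: int) -> np.ndarray:
    """The n-qubit Hadamard transform H^{(x)n}."""
    H = np.array([[1.0, 1.0], [1.0, -1.0]]) / math.sqrt(2)
    out = np.array([[1.0]])
    for _ in range(n):
        out = np.kron(out, H)
    return out


def S_k(key: bytes, n: int) -> np.ndarray:
    """Permutation unitary |x> -> |PRP_k(x)> on n qubits, as a matrix."""
    N = 1 << n
    table = prp_table(key, n)
    S = np.zeros((N, N))
    for x in range(N):
        S[table[x], x] = 1.0
    return S


def inplace_prp(table: list, x: int) -> tuple:
    """Trace the basis state |x>|0> through the three reversible steps that
    realise S_k in place with a scratch register (our reading of Eq. 10):
    compute PRP into the scratch, uncompute x with PRP^{-1}, swap registers.
    Each step permutes basis states, so basis states determine the unitary."""
    inverse = {v: i for i, v in enumerate(table)}
    first, second = x, 0
    second ^= table[first]          # |x>|0>       -> |x>|PRP(x)>
    first ^= inverse[second]        # |x>|PRP(x)>  -> |0>|PRP(x)>
    first, second = second, first   # swap         -> |PRP(x)>|0>
    return first, second


def purity_A(psi: np.ndarray, n_A: int, n_B: int) -> float:
    """tr(rho_A^2) for the first n_A qubits of an (n_A+n_B)-qubit pure state."""
    M = psi.reshape(1 << n_A, 1 << n_B)
    rho_A = M @ M.conj().T
    return float(np.real(np.trace(rho_A @ rho_A)))


def lubkin(d_A: int, d_B: int) -> float:
    """Haar average of tr(rho_A^2): (d_A + d_B) / (d_A d_B + 1)."""
    return (d_A + d_B) / (d_A * d_B + 1)


def run_checks(key: bytes = b"demo-key", n: int = 8) -> dict:
    """Sanity checks on n qubits; the key is a constructed sample value."""
    N = 1 << n
    e0 = np.zeros(N, dtype=complex)
    e0[0] = 1.0
    T, S = T_k(key, n), S_k(key, n)
    table, phi = prp_table(key, n), phase_state(key, n)
    half = n // 2
    return {
        "T_unitary": bool(np.allclose(T.conj().T @ T, np.eye(N))),
        "S_unitary": bool(np.allclose(S.T @ S, np.eye(N))),
        "phase_state_is_T_H_0": bool(np.allclose(T @ hadamard_n(n) @ e0, phi)),
        "S_maps_basis": all(int(np.argmax(S[:, x])) == table[x] for x in range(N)),
        "inplace_ok": all(inplace_prp(table, x) == (table[x], 0) for x in range(N)),
        "purity_prs": purity_A(phi, half, n - half),      # close to the Haar value
        "purity_haar": lubkin(1 << half, 1 << (n - half)),
        "purity_basis": purity_A(e0, half, n - half),     # a basis state: 1.0
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The purity of the phase state on the 4/4 split lands near Lubkin’s value of \(32/257\), while a computational basis state has purity 1, which is the contrast Theorem 7 draws between pseudorandom states and classical-looking ones. Replacing `prf` and `prp_table` by a real keyed primitive does not change any of the circuit-level logic above.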

It is an interesting challenge to prove that these constructions actually yield PRUs. For the special case of non-adaptive adversaries, one could try to use the proof techniques of [26, 43, 44] for unitary t-designs. For the general case, where the adversary can make adaptive queries to the pseudorandom unitary, new proof techniques seem to be needed. Finally, we can consider combining all of these ingredients (the pseudorandom operations \(S_k\) and \(T_k\), and the Hadamard transform) to try to obtain more efficient constructions of PRUs.