 Okay, all right. Good morning everyone and can everybody hear me well in the back Okay, let me get this closer That is sound better Great. All right. Let's uh, let's get started and thank you for the introduction and say I'm gonna talk about See the randomness in a quantum work Which will echo several of the talks we've heard so far and this is John's work with my great collaborators Junfeng Ji from UT Sydney and E. K. Liu at NIST and University of Maryland All right, so let me start off by claiming that randomness is useful period So I believe you've already have a lot tons of examples flying in your head Supporting this claim like all the nice randomized algorithms probabilistic constructions of you know nice commentary of objects and of course everywhere in cryptography But everything comes at a cost You know true randomness may be difficult may be expensive to come by for example You find a sample a random boolean function such that every n-bit input gets assigned one bit Random output Independently then we're gonna need two to the n fair random coins and that's an exponentially large number But most of the time a good approximation, which we call see the randomness is As useful if not more so see the randomness That means that we can efficiently sample from some universe such that This sample would just look no different from a sample from according to some ideally random distribution typically a uniform distribution over the universe and For the most part of this talk, we're only be concerned concerned with efficient observers Okay, and you've realized this is just the familiar computational indistinguishability All right, so just a refresher of some important pseudo random objects first of all pseudo random generator Which is a efficient algorithm tree such that It expands a relative short random seed K to a long string RK, which is indistinguishable from a uniform random string R and Next take all the functions With n-bit input and output as the universe then we can consider a set of functions fk indexed by a Kk and we call it pseudo random if If we pick a random K, then fk will appear just as a Function chose a uniform random from the universe from our functions Okay, so PRG is an PRFs. They are Central primitives in cryptography that appear All over the places and there is also a beautiful theory saying well PRG and PRFs They exist if only if one way functions exist So far so good But the question we're asking this work is how about a quantum word? What happens? Okay, so one could ask What if the observer which is the attacker in this in this setting here becomes capable of quantum computing? So are those pseudo random objects still secure? So this is a very important question that one has received quite a bit of research and I think it's safe to say that There are pseudo random generators and pseudo random functions, which we believe to be quantum secure under reasonable assumptions Okay, but notice that this side of the question Only considers the attacker being quantum, but there is another element in this picture Which can change in a common word That is The universe right we might want to sample from a quantum universe instead of just the classical objects like strings or functions and That's what we explore in this work towards developing a theory of quantum pseudo randomness So first of all we propose a definition of primitive called pseudo random quantum states Which is analogous to pseudo random generators and we gave a efficient construction Which uses any quantum secure pseudo random function as a black box? and then we Investigate all the nice properties and applications and most the most interesting one is To it's the construction of a private key quantum money from any pseudo random state due to a seemingly stronger, but equivalent formulation of pseudo random states and also a non-cannoning property of pseudo random states Okay, and finally we take an initial step for studying pseudo random Unity operators, which is analogous to pseudo random functions So we propose a definition and give several candidate constructions. Unfortunately, we're yet to prove them Okay, so let's get to some real meat and let me start with It's that's hard to see but let me start with defining pseudo random states Okay, so first of all, what are quantum states in case you're not familiar with that? Well, the basic information unit in quantum computing It's called quantum bit or Q it. It's just a vector with length one on a complex plane Okay, and for multiple qubits, they're composed by the so-called tensor product operator So the specifics are not important But it's crucial to keep in mind that dimension grows exponentially with the number of qubits and this is in sharp contrast with Costco strings Okay, and the ideal distribution for quantum states is called it's called hard random and A hard random state has been used to test all kinds of physics theories among other applications And it's not surprising that it takes exponential Many random days to sample a hard random state Okay, so with this element spelled out a seal run with a definition of seal run was for quantum states seems at hand right, so let's consider a collection of quantum states Psi K indexed by your class called key K. How about we call this Psi K seal the random if Number one we can efficiently generate Psi K on quantum computer and Number two the seal the random part just supports computational Indistinguishability here. We say, okay, I pick a random key and ask that Psi K is indistinguishable from a hard random state Well, unfortunately, this definition doesn't quite make the cut Due to a weirdness known as quantum non-colonial. So basically says that Given the unknown state Psi, it's impossible to produce two identical copies So what is that imply? Well, think about it Cascally if I give the observer a copy of the string Well, it's it's one have full knowledge and can make as many copies as it wants But quantum non-colonial says well, we cannot presume that in the quantum setting and in fact The number of copies we give to the observer really matters You can come up with a family of states such that if you only give one random copy It's perfectly indistinguishable from a higher random state But as long as you give it more than two copies, it's trivial to distinguish them. So instead The definition we propose which we think is a is a right one We explicitly give the observer multiple copies of the sample and In fact any polynomial in many samples and we ask indistinguishability to hold In this setting, okay, this is what we call a pseudo random state All right. Next. Let's see some nice properties and applications which would further justify our definition So first of all, let's consider a variant a variant definition where we additionally give Observer access to a reflection article which reflects a vector about the given vector So for any state fee This are sub fee operator the reflection operator will flip the sign of fee But we'll keep anything a thumb not to fee unchanged so We require the pseudo randomness the indistinguishability to hold with respect to this stronger seemingly stronger observer so Obviously a pseudo random states in this sense It's automatically a pseudo random states in earlier notion They also showed the reverse direction and the reason is So so that means the reflection article doesn't help the observer to distinguish the two cases and the basic idea is When we have multiple copies we can simulate this reflection article and this also shows a Love in multiple copies in our definition is crucial and that's we can show that a pseudo random state is hard to clone efficiently and In fact, given several copies of the of a theorem states It's in feasible to produce any surplus and to show this You can we can we can show that a good copier would give for a good distinguisher So let's take two m plus one qubits Okay, and we feed the first m qubits to the hypothetical Copier which would produce and plus one copies and then we run the swap test on the top and plus one and the bottom and plus One qubits which very loosely speaking will tell us whether the top ones and the bottom ones are identical So when the input states is a high random states It's been proven in the 90s that it cannot be cloned unconditionally So that means the swap test will say no the top ones and the bottom ones are not the same on the other hand If there is a good copier then can copy a theorem states then the swap test will say yes, and that's how the observer can tell a discrepancy and An interesting application follows from these two properties, which is it gives us a construction of quantum money So what is the quantum money? Well, it's a money design where the bank notes can be quantum states specifically, let's think about a bank which uses a secret key to produce a bank note called dollar SK and Suppose after some transaction this bank note goes to another client who submits it to a verifier to check if this This note is valid using a verification key VK So if SK and the VK are the same we call it a private key quantum money scheme and Here only the bank can verify the bank note but if the two keys are asymmetric and VK can be made public then we call it public key quantum money and Here anyone with the verification key can check the validity of the bank note And to make a secure money Obviously you want to make sure nobody can counterfeit a new bank note All right, and this should be true given that the counterfeiter can potentially take advantage of the verification procedure to help him or and It's not hard to convince yourself that classically any bank note can be copied can be counterfeited in principle unless we show that Any steal the random state Will give us a private key quantum money scheme almost immediately. So basically we just let the notes the bank notes dollar SK to be psi K and By the two properties we just shown It's will imply that psi K will be hard to counterfeit and here the reflection hour call will be pretty much the verification procedure Okay, and I want to point out that the idea of creating a quantum money using But by means of quantum information that Was proposed back in the sixties and was considered the born of quantum cryptography But getting a secure one Has been really non fever and there's a there's a long history of you know breaks and fixes It's not until 2012 Then our sin and Chris Daniel they proposed the probe the first privilege to cure private key money quantum money based on a specific algebraic assumption and In contrast in comparison our scheme is generic and can be based on any theorem state And we all see in second then can be based on any quantum secure pseudorandom function Okay, so this will be more versatile and could offer better efficiency and security All right, let's see how to construct a pseudorandom state Well, we're gonna take a quantum secure pseudorandom function fk here, and then we're gonna create the superposition which Superpose over all numbers from zero to two to the n minus one and the amplitudes are determined by raising the the root of unity to the power of fk of x okay, and we can show this will be a pseudorandom state and To see this well, basically pseudorandomness comes from the fact that if we can just first switch fk to a truly random function because fk fk is a pseudorandom function and Then we can explicitly calculate the distance It's distance to a hard random state, which is negligible small and we can also Generate the state psi k efficiently essentially by quantum for a transfer Okay, and we call this construction random phase states and they're pseudorandom All right, finally, let me tell you briefly over some preliminary result on pseudorandom unity operators Okay, so similar to The class setting where we use functions to manipulate strings Quantum physics says that the legit operations on quantum states are going to be unitary which are reversible and length-preserving and simple examples include rotating or changing the phase of a vector and The ideal distribution here when it comes to Unitary operators is also caught called hard random think of that's the uniform distribution for unitary operators and hard random unit errors they found use in designing quantum algorithms and cryptographic primitives etc and Again, it's expensive to sample so instead We're going to define a pseudorandom unitary operator, which is a collection of unitary is again indexed by your class called KK Such that for a random K UK will be indistinguishable from a hard random unitary and more specifically This sample the unitary is given to the observer as an oracle or you can think that as a basic gate So then you can invoke it in your computation any polynomial times All right, but how do we construct a pseudorandom unitary? Well, we've come up with several candidates, but unfortunately, we haven't been able to prove them But let me tell you the construction So we're going to take a pseudorandom permutation a column secure pseudorandom permutation which exists assuming a Quantum secure pseudorandom function, okay, and then given any n qubit input we're going to hit it first by this pseudorandom permutation and then we're going to apply a bunch of hard words which Will change the basis of the qubit and then we repeat this and we conjecture With enough repetitions, this will be a pseudorandom unitary and you can think of you can think of our various Variants of this for example instead of doing hardware you can apply Confer a transform in between Okay, so before I conclude my talk I'll mention the important Related work which some of you might be expecting since the very beginning So we've been treating pseudorandoms as a Approximation to true randomness as far as efficient observers are concerned Okay, so what if we don't restrict the running time, but rather The number of observations that the observer can can see This will give us a statistical notion of pseudorandomness commonly known as TY's independence for example a Statistical version of a pseudorandom function would be a family function such that it's going to be indistinguishable from a true Truly random function as long as the observer only Evaluates the function t times and t is typically a small a small number like a constant Okay, and the statistical pseudorandomness in the column saying has been studied quite a bit before they are known as t designs both for quantum states and for Unitary operators and I should say many Applications have been identified For those t designs and we anticipate that we can pretty much plug in our computational variants of this pseudorandom objects as long as we are fine with efficient adversaries All right. Okay. Let me quickly wrap up. So we've seen a definition of pseudorandom quantum states and we've seen the construction of pseudorandom states from any quantum secure pseudorandom function and also a private K quantum minus game falling from some nice characteristics characteristics of our pseudorandom quantum states and Also some preliminary results on pseudorandom unity operators so we believe there are lots of new directions to explore and Ultimately, it would be nice to have a unified theory for quantum pseudorandomness similar to the success in the classical literature and That still seems steps away, but let me just list a few immediate questions So first of all, can we simplify our random phase state construction by using an active one instead of In-through to unity and that's actually our first attempt it's not as easy to analyze, but we think it should work and Also our construction of pseudorandom state relies on pseudorandom functions How about the reverse direction? It's not clear to us, you know, that's necessary And another question is, you know, obviously can we construct public key quantum minus game from you know, our pseudorandom states and Finally, you know, if you can Prove our kind of construction of pseudorandom units, let me know I'll definitely buy your drink or Anything or anything you prefer as long as I can pay for it using my quantum money All right with that, thank you for your attention and I'm happy to take your questions