 Hello, my name is Christel Mayans. This video talk is about the paper Efficient Simulation of Random States and Random Unitaries. And this is joint work with Goryan Allagich and Alexander Russell. Here is an overview over our results. In this work, we study the simulation of random quantum objects, like random quantum states and random unity operations. We develop a theory of their stateful simulation so this is a quantum analog of the well-known lazy sampling technique. Here's an overview over our results. In this work, we study the simulation of random quantum objects, like random quantum states and random unitaries. And we develop a theory of stateful simulation for these random objects. This is a quantum analog of the well-known lazy sampling technique. For random quantum states, we can do this efficiently. And for random unitaries, we can at least do it in polynomial space. As an application of the state version, we develop a scheme for quantum money that is unconditionally secure and both unforgible and untraceable. So that's privacy preserving in some sense. Let me begin with an introduction. As most of you might know, randomness is extremely useful, especially in cryptography, but also outside, for example, for Monte Carlo simulation and also more generally for randomized algorithms, et cetera, et cetera. An example of a random object is a random strings. That's basically the most basic random object, I guess. And it's a very simple object. So for example, it can be exactly generated using n bits of randomness. And because that's an exact realization of this random primitive, it cannot be distinguished from itself, of course. But we also have approximate ways of generating a random string. And this is what is called a pseudorandom generator. So here, we only want to generate something that looks like a random string to a polynomial time distinguisher. And in this case, we can do this with a lower randomness cost. And therefore, thereby also. Here's an example of a random object, namely a random string. This may be the most basic random object that's interesting to look at. It can be exactly generated using n bits of randomness, obviously. And because this is the exact object, it cannot be distinguished from itself, you know? But we also have approximate ways of generating such a random string. So more precisely, we have a primitive called a pseudorandom generator, which can use less than n bits of randomness to generate a string that is at least indistinguishable from a random string to any polynomial time distinguisher. Here's an example that's maybe a little bit more interesting and that is the example of a random function. Let's say the function goes from the set of n bit strings to the set of n bit strings. And such a random function is picked uniformly at random from all such functions. That means that each output is independently uniformly random from the set of n bit strings. In this case, the problem that we want to solve is the so-called oracle simulation problem. So that means that we should be able to interact with a distinguisher that expects oracle access to such a random function F in a way that they don't notice that they interact with us instead of with the random function. Again, we can of course do this exactly by sampling such a random function, but that costs a prohibitive amount of randomness unless the function has very short input length. And note that the randomness cost is a lower bound for the runtime and the memory cost as well. Now there are several ways to restrict the set of distinguishers that we want to simulate such a function against. The first one is to limit the distinguisher to a constant number of queries, say T. In this case, we can use what's called a T-wise independent function. And we can sample such a function efficiently using order T times n randomness. So again, there's no restrictions except that we limit the number of queries of the adversary to T. So in particular, there's no limit on the runtime. But now a complimentary approach is the case where we limit the distinguisher's runtime but not its queries. So this is the setting where a pseudo random function suffices. And here we have a security parameter lambda and such a pseudo random function can now be sampled using a polynomial amount of randomness in the security parameter lambda. And this is indistinguishable from a random function up to a negligible error to any distinguisher that has a runtime polynomial in that same security parameter lambda as well. Finally, there is a way of simulating such a random function against arbitrary adversaries efficiently, and this is called lazy sampling. And the only thing that we have to give up now is the fact that our simulations used to be stateless. Now we have a stateful simulator that just samples each output as requested and keeps a list of the outputs that he has returned before. So almost trivial algorithm, but it exactly simulates a random function in an efficient way using, you know, linear amount of randomness in the output length and in the number of queries. In this work, we want to look at random quantum objects. So in particular, random quantum states and random quantum operations. So let me introduce these objects. The quantum state is nothing else, but a unit vector in a finite dimensional complex vector space. And because it's a unit vector, it comes from the unit sphere inside that vector space. We're even more precise than actually we should restrict to the so-called projective space, but if you don't know that, that projective space, then it's fine to just think of this vector coming from the sphere. A quantum operation is a unitary matrix on that same space. So here we are taking a matrix from the two to the N by two to the N matrices, complex matrices, that is unitary, so it doesn't change the inner product. And the set of unitary matrices has a very nice structure. It's a group and actually it's more, it's a compact league group. These two sets, the sphere are more precisely the projective space and this unitary group, they're both very nice mathematical objects and they have a natural notion of a uniform distribution on them. And this uniform distribution is called the higher measure. Here's an example application of random quantum objects and that's a so-called quantum money scheme. The basis of security for quantum money is the so-called no-plawning principle, which says that quantum information cannot be copied. One of the oldest ideas in quantum cryptography is to make a money scheme, a digital money scheme out of that. One such quantum money scheme can be constructed using random quantum states and that's the so-called higher money scheme. This was observed in a paper by G. Liu and Song in 2019. So here the bank starts by sampling a high random quantum state with n qubits. And now it can start handing out copies to people as banknotes, these all have unit value same. So now people can trade by basically handing these quantum states to each other and if anybody wants to check whether their banknotes is valid, they have to send it back to the bank and the bank can check whether it's the correct state that they sampled. So this is nice because these banknotes are affordable so you cannot make one your own and you can also not copy them, you cannot take a lot of them and make one more or something like that. You can prove that. And also it's untraceable in the sense that if somebody comes to the bank and says, please verify this banknote, then the bank cannot infer anything about the history of this banknote from looking at it. The question is of course, can the bank actually sample such a random state? This brings me to the next part of my talk which is about simulating random quantum objects. Let us start with quantum states. Here we want to solve the problem of simulating a higher random quantum state of n qubits. We also look at this problem as an oracle simulation problem. So we think of simulating an oracle that has a trivial input and every time it is invoked, outputs a copy of a certain fixed but high random quantum state. In this case, the prospect of simulating such an oracle exactly is even more grim than in the case of a random function. That's because we are looking at simulating a random object from a continuous space which is a sphere if you want. And so therefore strictly speaking, it would require an infinite amount of randomness to exactly simulate such an object. Okay, fine. If we cannot simulate this exactly, let's try the next best thing, which is discretizing it. So we just pick an so-called epsilon net on this sphere and we pick a random element of this epsilon net. This can be done of course, but it still costs an exponential amount of randomness in the number of qubits. In addition, it actually implies a query limit on the distinguisher and that is because every time we hand out another copy of the quantum state that we have sampled, we incur another error of size epsilon. So therefore, if we have an epsilon net, then there is an order one over epsilon query limit on the distinguisher. If we're already accepting that we need to limit ourselves to distinguishers that make no more than a constant number of queries, then we can do something smarter than epsilon nets and that's what's called a state T design. This is a family of quantum states that has the property that if you sample a random one of them and hand T copies of it to a distinguisher, then they cannot distinguish it from a high random state. It turns out that there's an analog of pseudo random functions in the setting of high random quantum states as well. This is a fairly recent result from a paper by G. Liu and Song from 2019 and from followup work by Berkersky and Schmurli from this year, where they develop a theory of pseudo random quantum states. So a pseudo random quantum state is a family of quantum states that has the property that if you sample a random one of them and hand a number of copies them to a distinguisher that's limited in runtime, polynomially in some security parameter, lambda, then they cannot distinguish it from the same number of copies of a high random state. So finally, what we do in this work is we develop an analog of this lazy sampling technique in the quantum setting. So we develop a stateful simulation algorithm that runs in polynomial time in both the number of qubits and the number of queries that a distinguisher makes. And that can approximately with a fixed error simulate a high random state to such an unlimited distinguisher. So let me repeat this once more. So while the runtime of our simulation algorithm scales in the number of queries of this distinguisher, there's no limit to this number. So a distinguisher can make an arbitrary number of queries. This just makes the runtime of our stateful simulation algorithm also scale with this number of queries. This is fairly natural, right? Because at least the simulation algorithm has to answer each query. So at least it should scale linearly in the number of queries. Let's have a look at the case of random unitary matrices. So here we have a more natural oracle simulation setting as well again. And that is because now we really have the setting where we're looking at a distinguisher that can make queries to a unitary operation. So it can input quantum states, then the unitary matrix is applied to them and they receive the output back. The picture for exact simulation and epsilon net simulation is very similar to the case of random quantum states, except that the scaling in the case of an epsilon net is slightly worse still because the set of unitary matrix has a larger dimension than a set of quantum states for a fixed number of qubits. Here we have again this situation that when we already accept that we limit ourselves to distinguishers that are limited to making a constant number of queries, then there's a smarter thing than sampling from an epsilon net. And that's sampling from a so-called unitary T design. This is the direct analog of a state D design for the unitary group. So here again, we have a family of unitary matrices where sampling from it costs a polynomial amount of randomness in both the number of qubits and the parameter T, which is the constant number of queries that a distinguisher is allowed to make. And the random element from this family can now be queried T times and still appears indistinguishable from a high random unitary. Now the next setting is the pseudo random setting, right? It turns out that the setting doesn't look so good, actually. And that's because pseudo random unitaries were indeed introduced as a concept in the paper by G Lu and Song, but they don't have a provably secure construction nor does anybody else have. So green is the color of hope. We hope, of course, to have such a construction at some point, but at this point, we don't have one. The last setting is the setting of lazy sampling again. So that's the stateful simulation of this random object, in this case, the high random unitary. And this is where our work makes a contribution. So we developed a notion of stateful simulation of a high random unitary and we construct such a stateful simulator that is unfortunately not provably efficient in the sense of a polynomial time. We have no idea about the time complexity of this simulation algorithm, but we can at least prove that it runs in polynomial space. Let us return to the application of higher money again. So we have seen that if we had a way to sample a high random state, then we could construct a money scheme that is fundamentally unforgible and untraceable. That's unconditionally. Now we asked the question of whether a bank can sample such a random state. So now we know the answer, it's no, right? They cannot, but they can simulate it. And now we have seen that there's two options here. First of all, one can use a pseudo random quantum state. So this was already observed in the paper by Tiu and Sanz. Using that, one obtains a quantum money scheme that is unforgible and untraceable, but only computationally so. So this is against polynomial time adversaries. With our new technique, now we can simulate such a high random state statefully, right? And thereby obtain an unconditionally secure untraceable quantum money scheme. Let me say a couple of words about the necessity of statefulness. Consider a stateless simulation scheme for a high random quantum state. Such as a stateless simulation scheme can only work in the following way. It's defined in terms of a family of quantum states and the simulation is initialized by picking a random element from this family and then outputting copies of this random element whenever a query. The problem is as follows. If you have two quantum states that are not the same, then it turns out that if I hand you either end copies of the first one or end copies of the second one, then you can distinguish these two cases with a probability that approaches one for end to infinity. A similar reasoning can also be applied when we're talking about two families of random quantum states that follow a different distribution. This implies that statelessness implies a query limit, right? Because for any stateless simulation scheme, we know that if it's more efficient than a high random state, which requires infinite randomness, then it's not the same as a high quantum state. And therefore it can be distinguished from it with probability approaching one for the number of copies going to infinity. And a similar argument can be made, of course, for the case of unitary matrices as well. The last part of this talk, I would like to explain a bit the techniques that we use to obtain our results. For this, we need to dive a bit into a quantum theory. So quantum theory is inherently probabilistic. In particular, quantum measurement produces randomness. So therefore there's really no need for an external source of randomness when performing a simulation of random quantum objects. Here's a fact that's even slightly weirder than the above one. It turns out that a random quantum state looks exactly like half of a deterministic quantum state that has the so-called entanglement property. So let me try to paint a picture of this. Here you have two quantum systems. You can imagine two quantum computers and they are in a state that is deterministic, but entangled. So if we now discard or forget about one half of the states, so one of the quantum computers, then the state of the other quantum computer is in fact the same as if we had prepared this quantum computer in a random quantum state. This means that for a stateful oracle simulation of a random quantum object, like a random state or a random unitary, we actually don't need randomness at all because the stateful simulation algorithm can just maintain an entangled state with the distinguisher, making the distinguisher believe that they actually have a random object. Here's a version of this fact that we use for the case of higher random quantum states. N copies of a higher random quantum state in D dimensions. So D is equal to two to the N for N qubits. Look exactly like a single higher random quantum state on the so-called symmetric subspace of the unfold tensor product of the D dimensional complex vector space. But this state in turn looks exactly like half of a maximally entangled state of two copies of this symmetric subspace. This is about as far as I wanted to go in terms of explaining the techniques that we use to prove our results. So here's an overview over the technical contributions. So first of all, we developed several new algorithmic tools that one could call garbage list preparation of quantum states. These are algorithms that use a read-only register in some sense, but a quantum version of it to transform a standard state, say the all zero state into a quantum state that is specified on the read-only register, but without producing any additional garbage. So that's important because we can now initialize this read-only register in a superposition of different specifications and thereby prepare a superposition of different quantum states. We use these tools to devise concrete algorithms for the manipulation of states on the symmetric subspaces that I've talked about. So in particular, we have an algorithm that takes a maximally entangled state on two copies of the unfold symmetric subspace and transforms it into a maximally entangled state of two copies of the n plus one fold symmetric subspace. This is very important because it's a key step in the algorithm, in the stateful simulation that produces in some sense another copy of the high random quantum state. Finally, for the stateful simulation of random unitaries that I didn't have time to talk about in detail, we use very different techniques. Here we mainly combine several nice ingredients, like for example, we think that this is the first application in the quantum setting of exact unitary designs that were constructed by Kane in a nice 2015 paper. In addition, we describe an adaptive to non-adaptive reduction that uses post-election. So in some sense, instead of making adaptive queries to an oracle, we make non-adaptive queries using a standard state, which is again a maximally entangled state and later use a version of the teleportation protocol to teleport in our actual input. And also we use the uniqueness property of the so-called steinspring dilation of a quantum channel. This was my last slide. Here's the summary and some open questions. We have developed a theory of stateful simulation of random quantum objects. For random quantum states, we can do an efficient stateful simulation. And for random unitaries, we can at least do a stateful simulation that is a space efficient in the sense that it uses polynomial space in the number of qubits and the number of queries. As an application, we construct an unconditionally secure and untraceable quantum mining scheme using the random state simulator. Open questions about this approach include, can we simulate random unitaries efficiently actually? And I mean officially in terms of polynomial time. And then one extremely interesting open question that is actually an open question from the paper by G. Liu and Song from 2019 is, you know, can we construct sewer and immunitaries? This is all I wanted to say. Thank you very much.