Weak approximate unitary designs and applications to quantum encryption

(1)

Weak approximate unitary designs and applications to quantum encryption

Joint work with Christian Majenz (QuSoft & CWI) arXiv:1911.06742

Cécilia Lancien

Institut de Mathématiques de Toulouse & CNRS

QUASAR group meeting – November 12 2020

(2)

Outline

1 Background and motivations

2 Main technical results

3 Application to quantum cryptography

(3)

Haar and

t

-design unitaries

RandomHaar unitariesplay an important role in many aspects of theoretical quantum information (e.g. quantum source and channel coding, quantum encryption, typical properties of quantum states and channels etc.)

Problem:Implementing Haar unitaries, even approximately, is infeasible (requires an amount of randomness and a number of gates which is exponential in the number of qubits they act on).

Unitary t-design: measure on the unitary group that reproduces the Haar measure up to thet-th moment.

−→At-design unitary can replace a Haar unitary in situations where it is applied at mostttimes. Goal:Find “economical” such measures (e.g. with finite, as small as possible, support).

Often even just approximate versions of unitaryt-designs are sufficient. Question:What is the “right” metrics to quantify approximation?

−→The answer depends on the application... Notation

L(d)set of linear operators onC^d,U(d)subset of unitary ones,D(d)subset of quantum states.

L

⁽^d⁾set of linear maps onL(d),

C

⁽^d⁾subset of quantum channels.

(4)

Haar and

t

-design unitaries

−→At-design unitary can replace a Haar unitary in situations where it is applied at mostttimes.

Goal:Find “economical” such measures (e.g. with finite, as small as possible, support).

Often even just approximate versions of unitaryt-designs are sufficient. Question:What is the “right” metrics to quantify approximation?

−→The answer depends on the application... Notation

L

C

(5)

Haar and

t

-design unitaries

Often even just approximate versions of unitaryt-designs are sufficient.

Question:What is the “right” metrics to quantify approximation?

−→The answer depends on the application...

Notation

L

C

(6)

Haar and

t

-design unitaries

Often even just approximate versions of unitaryt-designs are sufficient.

Question:What is the “right” metrics to quantify approximation?

−→The answer depends on the application...

Notation

L

C

(7)

Exact and approximate unitary designs

Definition (Unitaryt-design)

Given a measureµonU(d), define its associatedU^⊗^t-twirl channel T_µ⁽^t⁾as T_µ⁽^t⁾:X∈L(d^t)7→

Z

U∈U(d)

U^⊗^tXU^∗⊗^tdµ(U)∈L(d^t).

SettingT⁽^t⁾:=T_Haar⁽^t⁾ ,µis called at-designifT_µ⁽^t⁾=T⁽^t⁾.

µis an approximatet-design ifT_µ⁽^t⁾≈T⁽^t⁾.

Natural measure of approximation: in 1→1 norm, i.e. sup

kXk161

^T

(t)

µ (X)−T⁽^t⁾(X) 16ε. Note:It is a quite weak notion of approximation. Sometimes, stronger results are needed (e.g. approximation ofT⁽^t⁾innorm, i.e. ofid_d⊗T⁽^t⁾in 1→1 norm).

Goal:Find an “economical” measureµonU(d)which is an approximatet-design, in this sense (e.g. a discrete measureµ={(p_i,U_i)}ⁿ_i₌₁withn“small” and theU_i’s “easy” to construct).

(8)

Exact and approximate unitary designs

Z

U∈U(d)

SettingT⁽^t⁾:=T_Haar⁽^t⁾ ,µis called at-designifT_µ⁽^t⁾=T⁽^t⁾. µis an approximatet-design ifT_µ⁽^t⁾≈T⁽^t⁾.

kXk16¹

^T

(t)

(9)

Exact and approximate unitary designs

Z

U∈U(d)

SettingT⁽^t⁾:=T_Haar⁽^t⁾ ,µis called at-designifT_µ⁽^t⁾=T⁽^t⁾. µis an approximatet-design ifT_µ⁽^t⁾≈T⁽^t⁾.

kXk16¹

^T

(t)

(10)

U^⊗^t

-twirl channel and representation theory

(C^d)^⊗^tcarries representations of the groupsS_tandU(d), whose actions are given by:

∀σ∈S_t,σ.|φ1i ⊗ · · · ⊗ |φti=|φ_σ⁻¹₍₁₎i ⊗ · · · ⊗ |φ_σ⁻¹₍_t₎iand∀U∈U(d),U.|φi=U^⊗^t|φi. Lemma (Schur-Weyl duality)

The actions ofS_tandU(d)on(C^d)^⊗^tcommute:(C^d)^⊗^tdecomposes into a direct sum of irreducible representations (irreps) of the product groupS_t×U(d), which are tensor products of irreps ofS_tandU(d). What is more, this decomposition is multiplicity free, and is given by

(C^d)^⊗^t∼= ^M

λ`(t,d)

V_λ⊗[λ],withV_λirrep ofU(d)and[λ]irrep ofS_t.

Consequence:SinceT⁽^t⁾is covariant with respect to the action ofU(d), T⁽^t⁾(X)=∼

∑

λ`(t,d) 1_V_λ

dim(V_λ)⊗TrVλ(P_λX), withP_λprojector ontoV_λ⊗[λ]. Examples:

T⁽¹⁾(X) = Z

U∈U(d)

UXU^∗dU=Tr(1X)¹ d. T⁽²⁾(X) =

Z

U∈U(d)

U^⊗²XU^∗⊗²dU=Tr 1+F

2 X

1+F d(d+1)+Tr

1−F

2 X

1−F d(d−1)^.

(11)

U^⊗^t

-twirl channel and representation theory

(C^d)^⊗^tcarries representations of the groupsS_tandU(d), whose actions are given by:

∀σ∈S_t,σ.|φ1i ⊗ · · · ⊗ |φti=|φ_σ⁻¹₍₁₎i ⊗ · · · ⊗ |φ_σ⁻¹₍_t₎iand∀U∈U(d),U.|φi=U^⊗^t|φi. Lemma (Schur-Weyl duality)

The actions ofS_tandU(d)on(C^d)^⊗^tcommute:(C^d)^⊗^tdecomposes into a direct sum of irreducible representations (irreps) of the product groupS_t×U(d), which are tensor products of irreps ofS_tandU(d). What is more, this decomposition is multiplicity free, and is given by

(C^d)^⊗^t∼= ^M

λ`(t,d)

V_λ⊗[λ],withV_λirrep ofU(d)and[λ]irrep ofS_t.

Consequence:SinceT⁽^t⁾is covariant with respect to the action ofU(d), T⁽^t⁾(X)∼=

∑

λ`(t,d) 1_V_λ

dim(V_λ)⊗TrVλ(P_λX), withP_λprojector ontoV_λ⊗[λ]. Examples:

T⁽¹⁾(X) = Z

U∈U(d)

UXU^∗dU=Tr(1X)¹ d. T⁽²⁾(X) =

Z

U∈U(d)

U^⊗²XU^∗⊗²dU=Tr 1+F

2 X

1+F d(d+1)+Tr

1−F

2 X

1−F d(d−1)^.

(12)

Outline

(13)

Previously known result: Approximating

T⁽¹⁾

with few Kraus operators

Theorem(Hayden/Leung/Shor/Winter, Aubrun)

LetU₁, . . . ,U_nbe sampled independently from the Haar measure onU(d). Define the random channelT_n⁽¹⁾:X∈L(d)7→¹

n

∑

i=1

U_iXU_i^∗.

For any fixed 0<ε<1, ifn>^Cd/ε², then with probability at least 1−e⁻^cd

∀ρ∈D(d), ^T

(1)

n (ρ)−T⁽¹⁾(ρ) 16ε.

Pros/Cons:Optimal result theoretically, but sampling from the Haar measure is hard in practice.

Theorem(Aubrun)

Letµbe a 1-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Define the random channelT_µ,⁽¹_n⁾:X∈L(d)7→¹

n

∑

i=1

U_iXU_i^∗.

For any fixed 0<ε<1, ifn>^Cd(logd)⁶/ε², then with probability at least (say) 1/2

∀ρ∈D(d), ^T

(1)

µ,n(ρ)−T⁽¹⁾(ρ) 16ε.

Pros/Cons:Extra(logd)⁶factor and only (arbitrary) constant probability, but there are explicit 1-designs from which it is easy to sub-sample (→partial derandomization).

(14)

Previously known result: Approximating

T⁽¹⁾

with few Kraus operators

Theorem(Hayden/Leung/Shor/Winter, Aubrun)

LetU₁, . . . ,U_nbe sampled independently from the Haar measure onU(d). Define the random channelT_n⁽¹⁾:X∈L(d)7→¹

n

∑

i=1

U_iXU_i^∗.

For any fixed 0<ε<1, ifn>^Cd/ε², then with probability at least 1−e⁻^cd

∀ρ∈D(d), ^T

(1)

n (ρ)−T⁽¹⁾(ρ) 16ε.

Pros/Cons:Optimal result theoretically, but sampling from the Haar measure is hard in practice.

Theorem(Aubrun)

Letµbe a 1-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Define the random channelT_µ,⁽¹_n⁾:X∈L(d)7→¹

n

∑

i=1

U_iXU_i^∗.

For any fixed 0<ε<1, ifn>^Cd(logd)⁶/ε², then with probability at least (say) 1/2

∀ρ∈D(d), ^T

(1)

µ,n(ρ)−T⁽¹⁾(ρ) 16ε.

Pros/Cons:Extra(logd)⁶factor and only (arbitrary) constant probability, but there are explicit 1-designs from which it is easy to sub-sample (→partial derandomization).

(15)

Main result: Approximating

T⁽^t⁾

with few Kraus operators

Theorem (ApproximatingT⁽^t⁾)

Letµbe at-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Define the random channelT_µ,⁽^t_n⁾:X∈L(d^t)7→¹

n

∑

i=1

U_i^⊗^tXU_i^∗⊗^t.

For any fixed 0<ε<1, ifn>^C(td)^t(tlogd)⁶/ε², then with probability at least 1/2

∀ρ∈D(d^t), ^T

(t)

µ,n(ρ)−T⁽^t⁾(ρ) ₁6ε.

Remarks:

The result is optimal (up to apoly(t,logd)factor): it is impossible to approximateT⁽^t⁾in 1→1 norm with less than orderd^tKraus operators(Lancien/Winter).

In fact, stronger result:T_µ,⁽^t_n⁾approximatesT⁽^t⁾in 1→∞norm up to errorε/d^t.

The result still holds if unitaries are sampled from an approximatet-design (errors add up). Interest: There are quite efficient constructions of approximatet-designs (in a strong sense). For instance: a random circuit onnqubits withpoly(t,n)independent 2-qubit Haar gates (Brandão/Harrow/Horodecki, Harrow/Mehraban, etc).

(16)

Main result: Approximating

T⁽^t⁾

with few Kraus operators

Theorem (ApproximatingT⁽^t⁾)

Letµbe at-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Define the random channelT_µ,⁽^t_n⁾:X∈L(d^t)7→¹

n

∑

i=1

U_i^⊗^tXU_i^∗⊗^t.

For any fixed 0<ε<1, ifn>^C(td)^t(tlogd)⁶/ε², then with probability at least 1/2

∀ρ∈D(d^t), ^T

(t)

µ,n(ρ)−T⁽^t⁾(ρ) ₁6ε.

Remarks:

The result is optimal (up to apoly(t,logd)factor): it is impossible to approximateT⁽^t⁾in 1→1 norm with less than orderd^tKraus operators(Lancien/Winter).

In fact, stronger result:T_µ,⁽^t_n⁾approximatesT⁽^t⁾in 1→∞norm up to errorε/d^t.

The result still holds if unitaries are sampled from an approximatet-design (errors add up).

Interest: There are quite efficient constructions of approximatet-designs (in a strong sense).

For instance: a random circuit onnqubits withpoly(t,n)independent 2-qubit Haar gates (Brandão/Harrow/Horodecki, Harrow/Mehraban, etc).

(17)

Technical tools in the proof

Fact:All outputs of the channelT⁽^t⁾are very mixed. Concretely: sup

ρ∈D(d^t)

^T

(t)(ρ) ∞6

2t d

t

.

Proof:By Schur-Weyl duality, sup

ρ∈D(d^t)

^T

(t)(ρ) ∞

= _min ¹

λ`(t,d)dim(Vλ). The result then follows from Weyl’s dimension formula:dim(V_λ) =

∏

16i<j6d

λi−λj+j−i j−i .

Lemma(Aubrun)

Let_Uˆ₁, . . . ,_Uˆ_n∈U(d)and letε1, . . . ,ε_nbe independent Bernoulli random variables. Then,

E_ε sup

ρ∈D(d^t)

n

∑

i=1

εi_Uˆ^⊗^t

i ρ_Uˆ^∗⊗^t

i

∞

!

6^C(tlogd)⁵^/²(logn)¹^/² sup

ρ∈D(d^t)

n

∑

i=1

Uˆ^⊗_i ^tρ_Uˆ^∗⊗^t

i

1/2

∞

.

Proof:Consists in estimating the average of the supremum of an empirical process through covering numbers (thanks to Dudley’s inequality and a duality argument for entropy numbers).

(18)

Technical tools in the proof

Fact:All outputs of the channelT⁽^t⁾are very mixed. Concretely: sup

ρ∈D(d^t)

^T

(t)(ρ) ∞6

2t d

t

.

Proof:By Schur-Weyl duality, sup

ρ∈D(d^t)

^T

(t)(ρ) ∞

= _min ¹

λ`(t,d)dim(Vλ). The result then follows from Weyl’s dimension formula:dim(V_λ) =

∏

16i<j6d

λi−λj+j−i j−i . Lemma(Aubrun)

Let_Uˆ₁, . . . ,_Uˆ_n∈U(d)and letε1, . . . ,ε_nbe independent Bernoulli random variables. Then,

E_ε sup

ρ∈D(d^t)

n

∑

i=1

εi_Uˆ^⊗^t

i ρ_Uˆ^∗⊗^t

i

∞

!

6^C(tlogd)⁵^/²(logn)¹^/² sup

ρ∈D(d^t)

n

∑

i=1

Uˆ_i^⊗^tρ_Uˆ^∗⊗^t

i

1/2

∞

.

Proof:Consists in estimating the average of the supremum of an empirical process through covering numbers (thanks to Dudley’s inequality and a duality argument for entropy numbers).

(19)

Outline of the proof

SetM:= sup

ρ∈D(d^t)

1 n

n

∑

i=1

U_i^⊗^tρU^∗⊗_i ^t−T⁽^t⁾(ρ) ∞

.

We want to show that, forn>^C(td)^t(tlogd)⁶/ε²,M6ε/d^twith probability at least 1/2.

Note thatT⁽^t⁾(ρ) =E_V 1 n

n

∑

i=1

V_i^⊗^tρV_i^∗⊗^t

!

, for theV_i’s independent copies of theU_i’s.

So by a symmetrization trick,E_UM6^2EU,ε sup

ρ∈D(d^t)

1 n

n

∑

i=1

εiU_i^⊗^tρU_i^∗⊗^t ∞

! .

Hence by Aubrun’s lemma,EM6√^2C

n(tlogd)⁵^/²(logn)¹^/²E



 sup

ρ∈D(d^t)

1 n

n

∑

i=1

U_i^⊗^tρU_i^∗⊗^t

1/2

∞



.

Now by the fact about the 1→∞norm ofT⁽^t⁾, sup

ρ∈D(d^t)

1 n

n

∑

i=1

U_i^⊗^tρU_i^∗⊗^t ∞

6^M+ 2t

d t

.

Putting everything together,EM6^4C

2

n (tlogd)⁵logn+√^2C

n(tlogd)⁵^/²(logn)¹^/² _2t

d t/2

. And the latter quantity is smaller thanε/d^tas soon asnis larger thanC⁰(td)^t(tlogd)⁶/ε². If this is so, then by Markov’s inequalityP

M6 ²ε

d^t

>¹− ^EM 2ε/d^t > ¹

2.

(20)

Other result: Approximating the Haar

U

⊗

U-twirl channel

¯

Given a measureµonU(d), define theU⊗U-twirl channel T¯ _µ⁽¹^,¹⁾as T_µ⁽¹^,¹⁾:X∈L(d²)7→

Z

U∈U(d)

U⊗_UXU¯ ^∗⊗_U¯^∗_dµ(U)∈L(d²).

SetT⁽¹^,¹⁾:=T_Haar⁽¹^,¹⁾. Note that, ifµis a 2-design onU(d), thenT_µ⁽¹^,¹⁾=T⁽¹^,¹⁾. Indeed:T_µ⁽¹^,¹⁾(X) =T_µ⁽²⁾(X^Γ)^Γ, whereY^Γis the partial transposition ofY.

Theorem (ApproximatingT⁽¹^,¹⁾)

Letµbe a 2-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Define the random channelT_µ,⁽¹_n^,¹⁾:X∈L(d²)7→ ¹

n

∑

i=1

U_i⊗_U¯_i_XU^∗

i ⊗_U¯^∗

i. For any 0<ε<1, ifn>^Cd²(logd)⁶/ε², then with probability at least 1/2

∀ρ∈D(d²), ^T

(1,1)

µ,n −T⁽¹^,¹⁾(ρ) 16ε. Proof idea:Distinguish between:

The maximally entangled state, whereT⁽¹^,¹⁾andT_µ,⁽¹_n^,¹⁾both act as the identity.

Its orthogonal complement, where the 1→∞norm ofT⁽¹^,¹⁾is small (equal to 1/(d²−1)), so that the same argument as forT⁽^t⁾can be applied.

(21)

Other result: Approximating the Haar

U

⊗

U-twirl channel

¯

Given a measureµonU(d), define theU⊗U-twirl channel T¯ _µ⁽¹^,¹⁾as T_µ⁽¹^,¹⁾:X∈L(d²)7→

Z

U∈U(d)

U⊗_UXU¯ ^∗⊗_U¯^∗_dµ(U)∈L(d²).

SetT⁽¹^,¹⁾:=T_Haar⁽¹^,¹⁾. Note that, ifµis a 2-design onU(d), thenT_µ⁽¹^,¹⁾=T⁽¹^,¹⁾. Indeed:T_µ⁽¹^,¹⁾(X) =T_µ⁽²⁾(X^Γ)^Γ, whereY^Γis the partial transposition ofY.

Theorem (ApproximatingT⁽¹^,¹⁾)

Letµbe a 2-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Define the random channelT_µ,⁽¹_n^,¹⁾:X∈L(d²)7→ ¹

n

∑

i=1

U_i⊗_U¯_i_XU^∗

i ⊗_U¯^∗

i. For any 0<ε<1, ifn>^Cd²(logd)⁶/ε², then with probability at least 1/2

∀ρ∈D(d²), ^T

(1,1)

µ,n −T⁽¹^,¹⁾(ρ) 16ε.

Proof idea:Distinguish between:

The maximally entangled state, whereT⁽¹^,¹⁾andT_µ,⁽¹_n^,¹⁾both act as the identity.

Its orthogonal complement, where the 1→∞norm ofT⁽¹^,¹⁾is small (equal to 1/(d²−1)), so that the same argument as forT⁽^t⁾can be applied.

(22)

Other result: Approximating the Haar twirl super-channel

Given a measureµonU(d), define thetwirl super-channelΘµas Θ_µ:

M

^∈

L

⁽^d⁾^7→

X∈L(d)7→

Z

U∈U(d)

U

M

⁽Û^∗^XU⁾Û^∗^d^µ(Û⁾^∈^L⁽^d⁾

∈

L

⁽^d^).

SetΘ := Θ_Haar. Note that, ifµis a 2-design onU(d), thenΘµ= Θ.

Indeed:id⊗Θµ(

M

)(|ψihψ|) =Tµ⁽¹^,¹⁾(id⊗

M

(|ψihψ|)), with|ψithe maximally entangled state.

Theorem (ApproximatingΘ)

Letµbe a 2-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Define the random super-channelΘµ,n:

M

^∈

L

⁽^d⁾^7→ ^X^∈^L⁽^d⁾^7→¹

n

∑

i=1

U_i

M

⁽^Ui^∗XU_i)U_i^∗

! . For any fixed 0<ε<1, ifn>^Cd²(logd)⁶/ε², then with probability at least 1/2

∀

N

^∈

C

⁽^d^),^∀ρ∈D(d²),

id⊗Θµ,n(

N

^)(ρ)⁻^id^⊗^Θ(

N

^)(ρ)₁6ε. Proof idea:Derived from approximation results forT⁽¹⁾andT⁽¹^,¹⁾.

(23)

Other result: Approximating the Haar twirl super-channel

Given a measureµonU(d), define thetwirl super-channelΘµas Θ_µ:

M

^∈

L

⁽^d⁾^7→

X∈L(d)7→

Z

U∈U(d)

U

M

⁽Û^∗^XU⁾Û^∗^d^µ(Û⁾^∈^L⁽^d⁾

∈

L

⁽^d^).

SetΘ := Θ_Haar. Note that, ifµis a 2-design onU(d), thenΘµ= Θ.

Indeed:id⊗Θµ(

M

)(|ψihψ|) =Tµ⁽¹^,¹⁾(id⊗

M

(|ψihψ|)), with|ψithe maximally entangled state.

Theorem (ApproximatingΘ)

Letµbe a 2-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Define the random super-channelΘµ,n:

M

^∈

L

⁽^d⁾^7→ ^X^∈^L⁽^d⁾^7→¹

n

∑

i=1

U_i

M

⁽^Ui^∗XU_i)U_i^∗

! . For any fixed 0<ε<1, ifn>^Cd²(logd)⁶/ε², then with probability at least 1/2

∀

N

∈

C

⁽^d^),∀ρ∈D(d²),

id⊗Θµ,n(

N

^)(ρ)−id⊗Θ(

N

^)(ρ)₁6ε.

Proof idea:Derived from approximation results forT⁽¹⁾andT⁽¹^,¹⁾.

(24)

Outline

(25)

One-time-secure quantum encryption

A quantum encryption scheme is given by families of channels{

E

i:L(d)→L(d⁰)}ⁿ_i₌₁ (encoders) and{

D

i:L(d⁰)→L(d)}ⁿ_i₌₁(decoders) satisfying

D

i◦

E

i=idfor all 16ⁱ6^n.

The parameterslogn,logdandlogd⁰are thekey,messageandciphertextlength, respectively.

Given a stateσ, define the channel

N

σas

N

σ:X7→Tr(X)σ. Definition (Indistinguishabilty)

A quantum encryption scheme hasε-indistinguishable ciphertexts against adversaries without side information, if there existsσ∈D(d⁰)such that

1 n

n

∑

i=1

E

i−

N

σ

1→1

6ε.

Definition (Non-malleability)

A quantum encryption scheme isε-non-malleable against adversaries without side information, if there existsσ∈D(d⁰)such that, for all

N

∈

C

⁽^d⁰⁾, there exists 06^p61 such that

1 n

n

∑

i=1

D

i◦

N

◦

E

i−(pid+ (1−p)

N

σ)

6ε.

(26)

One-time-secure quantum encryption

A quantum encryption scheme is given by families of channels{

E

i:L(d)→L(d⁰)}ⁿ_i₌₁ (encoders) and{

D

i:L(d⁰)→L(d)}ⁿ_i₌₁(decoders) satisfying

D

i◦

E

i=idfor all 16ⁱ6^n.

The parameterslogn,logdandlogd⁰are thekey,messageandciphertextlength, respectively.

Given a stateσ, define the channel

N

σas

N

σ:X7→Tr(X)σ. Definition (Indistinguishabilty)

A quantum encryption scheme hasε-indistinguishable ciphertexts against adversaries without side information, if there existsσ∈D(d⁰)such that

1 n

n

∑

i=1

E

i−

N

σ

1→1

6ε.

Definition (Non-malleability)

A quantum encryption scheme isε-non-malleable against adversaries without side information, if there existsσ∈D(d⁰)such that, for all

N

∈

C

⁽^d⁰⁾, there exists 06^p61 such that

1 n

n

∑

i=1

D

i◦

N

◦

E

i−(pid+ (1−p)

N

σ)

6ε.

(27)

One-time-secure quantum encryption scheme with small key

A family of unitaries{U_i}ⁿ_i₌₁defines a quantum encryption scheme (with same message and cyphertext length) via:

E

i:X7→U_iXU_i^∗and

D

i=

E

_i^∗^{for all 1}6ⁱ6^n.

Fact:SettingT_E:X7→¹_n ∑ⁿ

i=1

E

i(X)andΘ_E_,_D:

M

^7→_n¹∑ⁿ

i=1

D

i◦

M

^◦

E

i, we have: ε-indistinguishable⇒

T_E−T⁽¹⁾

1→16²ε,

T_E−T⁽¹⁾

1→16ε⇒ε-indistinguishable. ε-non-malleable⇒

Θ_E_,_D−Θ

_→6²ε,

Θ_E_,_D−Θ

_→6ε⇒ε-non-malleable.

−→Proving security of a unitary encryption scheme(

E

,

D

)boils down to proving that its associated channelT_Eand super-channelΘ_E_,_Dare approximate twirls.

Theorem

Fix 0<ε<1. Letµbe a 2-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Ifn>^Cd²(logd)⁶/ε², then with probability at least 1/2, the quantum encryption scheme defined by the family of unitaries{U_i}ⁿ_i₌₁hasε/√

d-indistinguishable ciphertexts and isε-non-malleable against adversaries without side information.

−→Unitary encryption scheme for a message oflogdbits using 2logd+O(log logd)bits of key, which is secure against adversaries without side information.

(28)

One-time-secure quantum encryption scheme with small key

E

D

i=

E

i=1

E

i(X)andΘ_E_,_D:

M

^7→_n¹∑ⁿ

i=1

D

i◦

M

^◦

E

i, we have:

ε-indistinguishable⇒

T_E−T⁽¹⁾

1→16²ε,

T_E−T⁽¹⁾

1→16ε⇒ε-indistinguishable.

ε-non-malleable⇒

Θ_E_,_D−Θ

_→6²ε,

Θ_E_,_D−Θ

E

,

D

)boils down to proving that its associated channelT_E and super-channelΘ_E_,_Dare approximate twirls.

Theorem

(29)

One-time-secure quantum encryption scheme with small key

E

D

i=

E

i=1

E

i(X)andΘ_E_,_D:

M

^7→_n¹∑ⁿ

i=1

D

i◦

M

^◦

E

i, we have:

ε-indistinguishable⇒

T_E−T⁽¹⁾

1→16²ε,

T_E−T⁽¹⁾

1→16ε⇒ε-indistinguishable.

ε-non-malleable⇒

Θ_E_,_D−Θ

_→6²ε,

Θ_E_,_D−Θ

E

,

D

)boils down to proving that its associated channelT_E and super-channelΘ_E_,_Dare approximate twirls.

Theorem

(30)

Generalization to adversaries with limited side information

If the adversary has at mostlogkbits of side information:

Indistinguishability⇔

id_k⊗T_E−id_k⊗T⁽¹⁾

₁_→₁small.

Non-malleability⇔

idk⊗Θ_E_,_D−idk⊗Θ

_→small.

Fact:kid_k⊗Sk₁_→₁6^kkSk₁_→₁andkid_k⊗Σk_→6^k²kΣk_→. Corrolary

Fix 0<ε<1. Letµbe a 2-design onU(d)andU₁, . . . ,U_nbe sampled independently fromµ. Ifn>^Cd²(logd)⁶k⁴/ε², then with probability at least 1/2, the quantum encryption scheme defined by the family of unitaries{U_i}ⁿ_i₌₁hasε/k√

d-indistinguishable ciphertexts and is ε-non-malleable against adversaries withk-bounded side information.

−→Unitary encryption scheme for a message oflogdbits using 2logd+4logk+O(log logd) bits of key, which is secure against adversaries withk-bounded side information.

This is interesting only fork√

d, since security against adversaries with full side information (i.e.logdbits) is possible with 4logd+O(log logd)bits of key(Ambainis/Bouda/Winter).

(31)

Generalization to adversaries with limited side information

₁_→₁small.

Non-malleability⇔

_→small.

Fact:kid_k⊗Sk₁_→₁6^kkSk₁_→₁andkid_k⊗Σk_→6^k²kΣk_→.

Corrolary

(32)

Generalization to adversaries with limited side information

₁_→₁small.

Non-malleability⇔

_→small.

Fact:kid_k⊗Sk₁_→₁6^kkSk₁_→₁andkid_k⊗Σk_→6^k²kΣk_→. Corrolary

(33)

Final comments

Our approach to construct “economical” approximate unitary designs: sub-sampling few operators from a known (approximate) unitary design.

Problem:How to efficiently construct the latter in the first place? (i.e. equivalently: how to efficiently construct more specifiable approximate unitary designs?)

−→Analyze known such constructions with respect to our, weaker, notion of approximation.

More general question:Is it possible to approximate a quantum channel by one with few Kraus operators, under the constraint that those must be of a specific form? (here: unitaries with a tensor product structure)

Other potential applications:data hiding and data locking(Hayden/Leung/Shor/Winter).

(34)

Final comments

(35)

Final comments

(36)

References

A. Ambainis, J. Bouda, A. Winter.Non-malleable encryption of quantum information.

2009.

G. Aubrun.On almost randomizing channels with a short Kraus decomposition. 2009.

F.G.S.L. Brandão, A.W. Harrow, M. Horodecki.Local random quantum circuits are approximate polynomial-designs. 2016.

A.W. Harrow, S. Mehraban.Approximate unitaryt-designs by short random quantum circuits using nearest-neighbor and long-range gates. 2018.

P. Hayden, D. Leung, P.W. Shor, A. Winter.Randomizing quantum states: constructions and applications. 2004.

C. Lancien, A. Winter.Approximating quantum channels by completely positive maps with small Kraus rank. 2017.