Quantum Pseudorandomness and Classical Complexity

William Kretschmer University of Texas at Austin. Email: kretsch@cs.utexas.edu. Supported by an NDSEG Fellowship.

Abstract

We construct a quantum oracle relative to which $\mathsf{BQP}=\mathsf{QMA}$ but cryptographic pseudorandom quantum states and pseudorandom unitary transformations exist, a counterintuitive result in light of the fact that pseudorandom states can be “broken” by quantum Merlin-Arthur adversaries. We explain how this nuance arises as the result of a distinction between algorithms that operate on quantum and classical inputs. On the other hand, we show that some computational complexity assumption is needed to construct pseudorandom states, by proving that pseudorandom states do not exist if $\mathsf{BQP}=\mathsf{PP}$ . We discuss implications of these results for cryptography, complexity theory, and shadow tomography.

1 Introduction

Pseudorandomness is a key concept in complexity theory and cryptography, capturing the notion of objects that appear random to computationally-bounded adversaries. Recent works have extended the theory of computational pseudorandomness to quantum objects, with a particular focus on quantum states and unitary transformations that resemble the Haar measure [JLS18, BS19, BFV20].

Ji, Liu, and Song [JLS18] define a pseudorandom state (PRS) ensemble as a keyed family of quantum states $\{|\varphi_{k}\rangle\}_{k\in\{0,1\}^{\kappa}}$ such that states from the ensemble can be generated in time polynomial in $\kappa$ , and such that no polynomial-time quantum adversary can distinguish polynomially many copies of a random $|\varphi_{k}\rangle$ from polynomially many copies of a Haar-random state. They also define an ensemble of pseudorandom unitary transformations (PRUs) analogously as a set of efficiently implementable unitary transformations that are computationally indistinguishable from the Haar measure. These definitions can be viewed as quantum analogues of pseudorandom generators (PRGs) and pseudorandom functions (PRFs), respectively. The authors then present a construction of PRSs assuming the existence of quantum-secure one-way functions, and also give a candidate construction of PRUs that they conjecture is secure.

Several applications of pseudorandom states and unitaries are known. PRSs and PRUs are useful in quantum algorithms: in computational applications that require approximations to the Haar measure, PRSs and PRUs can be much more efficient than $t$ -designs, which are information-theoretic approximations to the Haar measure that are analogous to $t$ -wise independent functions.¹¹1 $t$ -designs are also sometimes called “pseudorandom” in the literature, e.g. [WBV08, BHH16a]. We emphasize that $t$ -designs and PRSs/PRUs are fundamentally different notions and that they are generally incomparable: a $t$ -design need not be a PRS/PRU ensemble, or vice-versa. Additionally, a variety of cryptographic primitives can be instantiated using PRSs and PRUs, including quantum money schemes, quantum commitments, secure multiparty communication, one-time digital signatures, some forms of symmetric-key encryption, and more [JLS18, AQY22, MY22b, BCQ23, MY22a, HMY23]. Finally, Bouland, Fefferman, and Vazirani [BFV20] have established a fundamental connection between PRSs and any possible resolution to the so-called “wormhole growth paradox” in the AdS/CFT correspondence.

1.1 Main results

Given the importance of pseudorandom states and unitaries across quantum complexity theory, cryptography, and physics, in this work we seek to better understand the theoretical basis for the existence of these primitives. We start with a very basic question: what hardness assumptions are necessary for the existence of PRSs,²²2Note that PRUs imply PRSs, so we focus only on PRSs for this part. and which unlikely complexity collapses (such as $\mathsf{P}=\mathsf{PSPACE}$ or $\mathsf{BQP}=\mathsf{QMA}$ ) would invalidate the security of PRSs? Viewed another way, we ask: what computational power suffices to distinguish PRSs from Haar-random states?

At first glance, it appears that an “obvious” upper bound on the power needed to break PRSs is $\mathsf{QMA}$ , the quantum analogue of $\mathsf{NP}$ consisting of problems decidable by a polynomial-time quantum Merlin-Arthur protocol (or even $\mathsf{QCMA}$ , where the witness is restricted to be classical). If Arthur holds many copies of a pure quantum state $|\psi\rangle$ that can be prepared by some polynomial-size quantum circuit $C$ , then Merlin can send Arthur a classical description of $C$ , and Arthur can verify via the swap test that the output of $C$ approximates $|\psi\rangle$ . By contrast, most Haar-random states cannot even be approximated by small quantum circuits. So, in some sense, PRSs can be “distinguished” from Haar-random by quantum Merlin-Arthur adversaries.

There is a subtle problem here, though: $\mathsf{QMA}$ is defined as a set of decision problems where the inputs are classical bit strings, whereas an adversary against a PRS ensemble inherently operates on a quantum input. As a result, it is unclear whether the hardness of breaking PRSs can be related to the hardness of $\mathsf{QMA}$ , or any other standard complexity class. Even if we had a proof that $\mathsf{BQP}=\mathsf{QMA}$ , this might not give rise to an efficient algorithm for breaking the security of PRSs.

One way to tackle this is to consider quantum adversaries that can query a classical oracle. If we can show that PRSs can be broken by a polynomial-time quantum algorithm with oracle access to some language $\mathcal{L}:\{0,1\}^{*}\to\{0,1\}$ , we conclude that if PRSs exist, then $\mathcal{L}\not\in\mathsf{BQP}$ . A priori, it is not immediately obvious whether oracle access to any language $\mathcal{L}$ suffices for a polynomial-time quantum adversary to break PRSs. For our first result, we show that a $\mathsf{PP}$ -complete language works. Hence, if $\mathsf{BQP}=\mathsf{PP}$ , then PRSs do not exist.

Theorem 1 (Informal version of Theorem 27).

There exists a polynomial-time quantum algorithm augmented with a $\mathsf{PP}$ oracle that can distinguish PRSs from Haar-random states.

This raises the natural question of whether the $\mathsf{PP}$ oracle in the above theorem can be made weaker. For instance, can we break PRSs with a $\mathsf{QCMA}$ or $\mathsf{QMA}$ oracle, coinciding with our intuition that the task is solvable by a quantum Merlin-Arthur protocol? In our second result, we show that this intuition is perhaps misguided, as we construct a quantum oracle relative to which such a $\mathsf{QMA}$ reduction is impossible.

Theorem 2 (Informal version of Theorems 30 and 33).

There exists a quantum oracle $\mathcal{O}$ such that:

(1)

$\mathsf{BQP}^{\mathcal{O}}=\mathsf{QMA}^{\mathcal{O}}$ , and
(2)

PRUs (and hence PRSs) exist relative to $\mathcal{O}$ .

In fact, our oracle $\mathcal{O}$ also satisfies $\mathsf{PromiseBQP}^{\mathcal{O}}=\mathsf{PromiseQMA}^{\mathcal{O}}$ , which is stronger. For the sake of clarity, in this introduction we will only state our results in terms of classes of languages (e.g. $\mathsf{QMA}$ ) instead of classes of promise problems (e.g. $\mathsf{PromiseQMA}$ ), unless the distinction matters.

Let us remark how bizarre this theorem appears from a cryptographer’s point of view. If $\mathsf{BQP}=\mathsf{QMA}$ , then no computationally-secure classical cryptographic primitives exist, because such primitives can be broken in $\mathsf{NP}$ , which is contained in $\mathsf{QMA}$ . So, our construction is a black-box separation between PRUs and all nontrivial quantum-secure classical cryptography—a relativized world in which any computationally-secure cryptography must use quantum communication. Theorem 2 thus provides a negative answer (in the quantum black box setting) to a question of Ji, Liu, and Song [JLS18] that asks if quantum-secure one-way functions are necessary for pseudorandom states.

Theorem 2 illustrates a stark contrast between quantum and classical cryptography, because the existence of hard problems in $\mathsf{NP}$ is necessary to have classical cryptography that is secure against polynomial-time adversaries. One can view our result as evidence that the same is not necessary for the existence of quantum cryptography; perhaps weaker assumptions suffice. Indeed, because a major goal in cryptography is to build cryptosystems from minimal computational assumptions, Theorem 2 has served as the primary motivation for many recent works that have built cryptography from pseudorandom states and unitaries [AQY22, MY22b, BCQ23, MY22a, HMY23]. Note that these works all appeared after this work was originally published [Kre21a].

1.2 Application: hyperefficient shadow tomography

An immediate corollary of our results is a new impossibility result for shadow tomography. Aaronson [Aar18] defined the shadow tomography problem as the following estimation task: given copies of an $n$ -qubit mixed state $\rho$ and a list of two-outcome measurements $O_{1},\ldots,O_{M}$ , estimate $\mathrm{Tr}(O_{i}\rho)$ for each $i$ up to additive error $\varepsilon$ . Aaronson showed that, remarkably, this is possible using very few copies of $\rho$ : just $\mathrm{poly}(n,\log M,\frac{1}{\varepsilon})$ copies suffice, which is polylogarithmic in both the dimension of $\rho$ and the number of quantities to be estimated.

Aaronson then asked in what cases shadow tomography can be made computationally efficient with respect to $n$ and $\log M$ . Of course, just writing down the input to the problem would take $\Omega(4^{n}M)$ time if the measurements are given explicitly as Hermitian matrices, and listing the outputs would also take $\Omega(M)$ time. But perhaps one could hope for an algorithm that only operates implicitly on both the inputs and outputs. For example, suppose we stipulate the existence of a quantum algorithm that performs the measurement $O_{i}$ given input $i\in[M]$ , and that this algorithm runs in time $\mathrm{poly}(n,\log M)$ . Consider a shadow tomography procedure that takes a description of such an algorithm as input, and that outputs a quantum circuit $C$ such that $|C(i)-\mathrm{Tr}(O_{i}\rho)|\leq\varepsilon$ for each $i\in[M]$ .³³3Note the slight abuse of notation here, as the shadow tomography procedure can err with some small probability, and $C$ itself might be a probabilistic quantum circuit. For simplicity, we assume that the shadow tomography procedure always succeeds and that $C$ is deterministic in this exposition. Aaronson calls this a “hyperefficient” shadow tomography protocol if it additionally runs in time $\mathrm{poly}(n,\log M,\frac{1}{\varepsilon})$ .

Aaronson gave some evidence that hyperefficient shadow tomography is unlikely to exist, by observing that if hyperefficient shadow tomography is possible, then quantum advice can always be efficiently replaced by classical advice—in other words, $\mathsf{BQP/qpoly}=\mathsf{BQP/poly}$ . However, Aaronson and Kuperberg [AK07] showed a quantum oracle $\mathcal{U}$ relative to which $\mathsf{BQP^{\mathcal{U}}/qpoly}\neq\mathsf{BQP^{\mathcal{U}}/poly}$ , which implies that hyperefficient shadow tomography is impossible if the observables are merely given as a black box that implements the measurement. The proof of this oracle separation amounts to showing that if the oracle $\mathcal{U}$ either (1) implements a reflection about a Haar-random $n$ -qubit state, or (2) acts as the identity, then no $\mathrm{poly}(n)$ -query algorithm can distinguish these two cases, even given a classical witness of size $\mathrm{poly}(n)$ .

One can consider stronger forms of query access to the observables. For instance, in the common scenario where each observable measures fidelity with a pure state, meaning it has the form $O_{i}=|\psi_{i}\rangle\langle\psi_{i}|$ , then in addition to the ability to measure overlap with $|\psi_{i}\rangle$ , one might also have the power to produce copies of $|\psi_{i}\rangle$ . Note that the ability to prepare $|\psi_{i}\rangle$ is generally much more powerful than the ability to recognize $|\psi_{i}\rangle$ , the latter of which is equivalent to oracle access to the reflection $I-2|\psi_{i}\rangle\langle\psi_{i}|$ . For example, Aaronson and Kuperberg’s oracle separation of $\mathsf{QCMA}$ and $\mathsf{QMA}$ [AK07] amounts to building an oracle relative to which certain quantum states can be recognized efficiently but cannot be approximately prepared by small quantum circuits. Other black-box separations of state preparation and state reflection are known, e.g. [BR20], so one might hope that this type of query access could be substantially more powerful for shadow tomography as well.

Nevertheless, our results imply that black-box hyperefficient shadow tomography is impossible even in this setting where we have state preparation access to the observables. This follows from the simple observation that hyperefficient shadow tomography of this form would suffice to break PRS ensembles with a ( $\mathsf{Promise}$ ) $\mathsf{QCMA}$ oracle.

Theorem 3.

If a hyperefficient shadow tomography procedure exists that works for any list of observables of the form $|\psi_{1}\rangle\langle\psi_{1}|,\ldots,\allowbreak|\psi_{M}\rangle\langle\psi% _{M}|$ given state preparation access to $|\psi_{1}\rangle,\ldots,\allowbreak|\psi_{M}\rangle$ , then all PRS ensembles can be broken by polynomial-time quantum adversaries with oracle access to $\mathsf{PromiseQCMA}$ .

Proof sketch.

For a given PRS ensemble $\{|\varphi_{k}\rangle\}_{k\in\{0,1\}^{\kappa}}$ , we have state preparation access to the observable list $\{|\varphi_{k}\rangle\langle\varphi_{k}|\}_{k\in\{0,1\}^{\kappa}}$ by way of the generating algorithm of the PRS. Hence, we can run hyperefficient shadow tomography using this observable list on copies of some unknown state $|\psi\rangle$ . Suppose that with high probability, this produces a quantum circuit $C$ such that for each $k\in\{0,1\}^{\kappa}$ , $\Pr\left[|C(k)-\mathrm{Tr}(|\varphi_{k}\rangle\langle\varphi_{k}|\psi\rangle% \langle\psi|)|\leq\frac{1}{10}\right]\geq\frac{2}{3}$ . Observe that the problem of deciding whether there exists some $k$ such that $C(k)\geq\frac{9}{10}$ w.h.p. is in $\mathsf{PromiseQCMA}$ . If $|\psi\rangle$ is pseudorandom, then such a $k$ always exists (whichever $k$ satisfies $|\psi\rangle=|\varphi_{k}\rangle$ ), whereas if $|\psi\rangle$ is Haar-random, such a $k$ exists with negligible probability over the choice of $|\psi\rangle$ . Hence, these two ensembles can be distinguished by feeding $C$ into this $\mathsf{PromiseQCMA}$ promise problem. ∎

The above theorem also relativizes, in the sense that if the shadow tomography procedure only accesses the state preparation algorithm via a black box $\mathcal{O}$ , then hyperefficient shadow tomography lets us break PRSs in polynomial time with oracle access to $\mathcal{O}$ and $\mathsf{PromiseQCMA}^{\mathcal{O}}$ . Since Theorem 2 gives an oracle relative to which $\mathsf{PromiseBQP}^{\mathcal{O}}=\mathsf{PromiseQCMA}^{\mathcal{O}}=\mathsf{% PromiseQMA}^{\mathcal{O}}$ and PRSs exist, we conclude that hyperefficient shadow tomography is impossible with only black-box state preparation access to the observables.

1.3 Our techniques

We briefly summarize the proof techniques used in our main results.

1.3.1 Approximate $t$ -designs

Approximate $t$ -designs play a role in the proof of Theorem 1. So, in Section 3, we give formal definitions of $t$ -designs and prove some of their useful properties in the context of quantum query complexity. In particular, we establish conditions under which which substituting the Haar measure with a $t$ -design yields a relative-error approximation to the acceptance probability of a quantum query algorithm. Several authors have implicitly assumed without proof that this property holds, e.g. [BHH16b, AMR20], and also an earlier version of this work [Kre21a]. We consider it valuable to place these results on more rigorous footing, and believe that the results about $t$ -designs proved herein could find independent uses in other complexity-theoretic contexts.

1.3.2 Breaking pseudorandomness with $\mathsf{PP}$

The starting point for the proof of Theorem 1, which gives an upper bound of $\mathsf{PP}$ on the power needed to break pseudorandom states, is a theorem of Huang, Kueng, and Preskill [HKP20] that gives a simple procedure (sometimes called the classical shadows algorithm) for shadow tomography.

Theorem 4 (Classical shadows [HKP20]).

Fix $M$ different observables $O_{1},O_{2},\ldots,O_{M}$ and an unknown $n$ -qubit mixed state $\rho$ . Then there exists a quantum algorithm that performs $T=O(\log(M/\delta)/\varepsilon^{2}\cdot\max_{i}\mathrm{Tr}(O_{i}^{2}))$ single-copy measurements in random Clifford bases⁴⁴4Recall that the Clifford group is the group of unitary transformations generated by Hadamard, phase, and CNOT gates. A Clifford basis is any basis that can be obtained from the computational basis via multiplication by an element of the Clifford group. of $\rho$ , and uses the measurement results (called classical shadows) to estimate the quantities $\mathrm{Tr}(O_{1}\rho),\mathrm{Tr}(O_{2}\rho),\ldots,\mathrm{Tr}(O_{M}\rho)$ , such that with probability at least $1-\delta$ , all of the $M$ quantities are correct up to additive error $\varepsilon$ .

If $\{|\varphi_{k}\rangle\}_{k\in\{0,1\}^{\kappa}}$ is a pseudorandom state ensemble, then by choosing $O_{k}=|\varphi_{k}\rangle\langle\varphi_{k}|$ for each key $k\in\{0,1\}^{\kappa}$ to be the list of observables, we can use the above algorithm to determine whether $\rho$ is close to one of the states in the PRS ensemble. A Haar-random state will be far from all of the pseudorandom states with overwhelming probability. Hence, Theorem 4 implies the existence of an algorithm that distinguishes the pseudorandom and Haar-random ensembles, by performing a polynomial number of random Clifford measurements and analyzing the results. The key observation is that the Clifford measurements can be performed efficiently, even though the resulting analysis (which operates on purely classical information) might be computationally expensive.

Next, one could try to argue that the computationally difficult steps in the above algorithm can be made efficient with a $\mathsf{PP}$ oracle. However, we take a different approach. We adopt a Bayesian perspective: suppose that with $50\%$ probability we are given copies of a Haar-random state, and otherwise with $50\%$ probability we are given copies of a randomly chosen state from the pseudorandom ensemble. We wish to distinguish these two cases using only the results of the random Clifford measurements as observed data. One way to do this is via the Bayes decision rule: we compute the posterior probability of being Haar-random or pseudorandom given the measurements, and then guess the more likely result. In fact, the Bayes decision rule is well-known to be the optimal decision rule in general, in the sense that any decision rule errs at least as often as the Bayes decision rule (see e.g. [Ber13, Chapter 4.4.1]). Hence, because the algorithm of Huang, Kueng, and Preskill (Theorem 4) distinguishes the Haar-random and pseudorandom ensembles with good probability, the Bayes decision rule conditioned on the random Clifford measurements must work at least as well at the same distinguishing task.

Finally, we observe that using a quantum algorithm with postselection, we can approximate the relevant posterior probabilities needed for the Bayes decision rule. This allows us to appeal to the equivalence $\mathsf{PostBQP}=\mathsf{PP}$ [Aar05] to simulate this postselection with a $\mathsf{PP}$ oracle.

Technically, one challenge is that the postselected quantum algorithm requires the ability to prepare copies of a Haar-random state, even though a polynomial-time quantum algorithm cannot even approximately prepare most Haar-random states. The solution is to replace the Haar ensemble by an approximate quantum design, which we argue does not substantially change the success probability of the algorithm.

1.3.3 Instantiating pseudorandomness with $\mathsf{BQP}=\mathsf{QMA}$

For our second result (Theorem 2), the oracle $\mathcal{O}$ that we construct consists of two parts: a quantum oracle $\mathcal{U}=\{\mathcal{U}_{n}\}_{n\in\mathbb{N}}$ , where each $\mathcal{U}_{n}$ consists of $2^{n}$ different Haar-random $n$ -qubit unitary matrices, and a classical oracle (i.e. a language) $\mathcal{C}$ that we build independently of $\mathcal{U}$ . We prove that Theorem 2 holds with probability $1$ over the choice of $\mathcal{U}$ .

Showing that PRUs exist relative to $(\mathcal{U},\mathcal{C})$ is reasonably straightforward. Notably, the security proof does not depend on the choice of $\mathcal{C}$ , so long as $\mathcal{C}$ is independent of the randomly sampled $\mathcal{U}$ . The proof uses the BBBV theorem (i.e. the optimality of Grover’s algorithm) [BBBV97], and is analogous to showing that one-way functions or pseudorandom generators exist relative to a random classical oracle, as was shown by Impagliazzo and Rudich [IR89]. We only rigorously prove security against adversaries with classical advice, though we believe that the framework of Chung, Guo, Liu, and Qian [CGLQ20] should yield a security proof against adversaries with quantum advice.

Slightly more technically involved is proving that $\mathsf{BQP}^{\mathcal{U},\mathcal{C}}=\mathsf{QMA}^{\mathcal{U},\mathcal{C}}$ . To do so, we argue that a $\mathsf{QMA}$ verifier is not substantially more powerful than a $\mathsf{BQP}$ machine at learning nontrivial properties of $\mathcal{U}$ . More precisely, we argue that if a $\mathsf{QMA}$ verifier $\mathcal{V}$ makes $T$ queries to $\mathcal{U}_{n}$ for some $n\in\mathbb{N}$ , then either (1) $n=O(\log T)$ is sufficiently small that $\mathrm{poly}(T)$ queries to $\mathcal{U}_{n}$ actually suffice to learn $\mathcal{U}_{n}$ to inverse-polynomial precision, or else (2) $n=\omega(\log T)$ is sufficiently large that with high probability, the maximum acceptance probability of $\mathcal{V}$ (over the choice of Merlin’s witness) is close to the average maximum acceptance probability of $\mathcal{V}$ when $\mathcal{U}_{n}$ is replaced by a random set of matrices sampled from the Haar measure. We prove this as a consequence of the extremely strong concentration of measure properties exhibited by the Haar measure [Mec19].

For a certain carefully-constructed language $\mathcal{C}$ , this allows a $\mathsf{BQP}^{\mathcal{U},\mathcal{C}}$ machine to approximate the maximum acceptance probability of $\mathcal{V}^{\mathcal{U},\mathcal{C}}$ as follows. In case (1), the $\mathsf{BQP}^{\mathcal{U},\mathcal{C}}$ machine first queries $\mathcal{U}_{n}$ enough times to learn a unitary transformation $\widetilde{\mathcal{U}}_{n}$ that is close to $\mathcal{U}_{n}$ , and then hard codes $\widetilde{\mathcal{U}}_{n}$ into a new $\mathsf{QMA}^{\mathcal{C}}$ verifier $\mathcal{W}^{\mathcal{C}}$ that simulates $\mathcal{V}$ by replacing queries to $\mathcal{U}_{n}$ with calls to $\widetilde{\mathcal{U}_{n}}$ . In case (2), the $\mathsf{BQP}^{\mathcal{U},\mathcal{C}}$ machine similarly constructs a new $\mathsf{QMA}^{\mathcal{C}}$ verifier $\mathcal{W}^{\mathcal{C}}$ , instead simulating $\mathcal{V}$ by replacing queries to $\mathcal{U}_{n}$ with queries to independently chosen Haar-random unitaries $\overline{\mathcal{U}}_{n}$ . Thus, the problem of approximating the maximum acceptance probability of $\mathcal{V}^{\mathcal{U},\mathcal{C}}$ reduces to approximating the maximum acceptance probability of $\mathcal{W}^{\mathcal{C}}$ , averaged over $\overline{\mathcal{U}}_{n}$ . The language $\mathcal{C}$ is constructed in such a fashion that querying $\mathcal{C}$ on a description of $\mathcal{W}$ returns the desired approximation.

1.4 Open problems

Can we prove a similar result to Theorem 2 using a classical oracle, for either PRUs or PRSs? Attempting to resolve this question seems to run into many of the same difficulties that arise in constructing a classical oracle separation between $\mathsf{QCMA}$ and $\mathsf{QMA}$ , which also remains an open problem [AK07]. For one, as pointed out in [AK07], we do not even know whether every $n$ -qubit unitary transformation can be approximately implemented in $\mathrm{poly}(n)$ time relative to some classical oracle—this is sometimes known as the unitary synthesis problem [Aar16, Ros21, LMW24]. Even if one could resolve this, it is not clear whether the resulting PRUs or PRSs would be secure against adversaries with the power of $\mathsf{QMA}$ . For instance, we show in Appendix A that an existing construction of PRSs, whose security is provable in the random oracle model [BS19], can be broken with an $\mathsf{NP}$ oracle. Nevertheless, recent work by Kretschmer, Qian, Sinha, and Tal [KQST23] makes progress on this question by constructing an oracle relative to which $\mathsf{P}=\mathsf{NP}$ and a weaker version of pseudorandom states (with only single-copy security) exist.

What else can be said about the hardness of learning quantum states and unitary transformations, either in the worst case or on average? A related question is to explore the hardness of problems involving quantum meta-complexity: that is, problems that themselves encode computational complexity or difficulty. Consider, for example, a version of the minimum circuit size problem ( $\mathsf{MCSP}$ ) for quantum states: given copies of a pure quantum state $|\psi\rangle$ , determine the size of the smallest quantum circuit that approximately outputs $|\psi\rangle$ . If PRSs exist, then this task should be hard, but placing an upper bound on the complexity of this task might be difficult in light of our results. We view this problem as particularly intriguing because it does not appear to have an obvious classical analogue, and also because of its relevance to the wormhole growth paradox and Susskind’s Complexity=Volume conjecture in AdS/CFT [BFV20, Sus16b, Sus16a]. A number of recent breakthroughs in complexity theory have involved ideas from meta-complexity (see surveys by Allender [All17, All20] or Lu and Oliveira [LO22]), and it would be interesting to see which of these techniques could be ported to the quantum setting.

What other complexity-theoretic evidence can be given for the existence of PRSs and PRUs? Can we give candidate constructions of PRSs or PRUs that do not rely on the assumption $\mathsf{BQP}\neq\mathsf{QMA}$ ? To give a specific example, an interesting question is whether polynomial-size quantum circuits with random local gates form PRUs. Random circuits are known to information-theoretically approximate the Haar measure in the sense that they form approximate unitary designs [BHH16b], and it seems conceivable that they could also be computationally pseudorandom.

1.5 Conference version

This paper improves upon the earlier conference version [Kre21a] in two major ways. First, the section on $t$ -designs (Section 3) is a new addition. Second, the oracle $\mathcal{O}=(\mathcal{U},\mathcal{C})$ that we use to collapse $\mathsf{PromiseQMA}^{\mathcal{U},\mathcal{C}}$ to $\mathsf{PromiseBQP}^{\mathcal{U},\mathcal{C}}$ is different. In both versions, the quantum part $\mathcal{U}$ is the same. However, the conference version claimed that the classical oracle $\mathcal{C}$ could be any $\mathsf{PSPACE}$ -complete language. By contrast, in this paper $\mathcal{C}$ is a specific recursively-constructed language. The reason for this change is an error that was discovered in the proof. We discuss this error, along with the prospects of restoring the original oracle construction, in Section 5.4.

2 Preliminaries

2.1 Basic notation

Throughout, $[n]$ denotes the set of integers $\{1,2,\ldots,n\}$ . If $x\in\{0,1\}^{n}$ is a binary string, then $|x|$ denotes the length of $x$ , and $\operatorname{wt}(x)$ denotes its Hamming weight. For $X$ a finite set, we let $|X|$ denote the size of $X$ . If $X$ is a probability distribution, then we use $x\sim X$ to denote a random variable $x$ sampled according to $X$ . When $X$ is a finite set, we also use $x\sim X$ to indicate a random variable $x$ drawn uniformly from $X$ . A function $f(n)$ is negligible if for every constant $c>0$ , $f(n)\leq\frac{1}{n^{c}}$ for all sufficiently large $n$ . We use $\mathrm{negl}(n)$ to denote an arbitrary negligible function, and $\mathrm{poly}(n)$ to denote an arbitrary polynomially-bounded function.

2.2 Probability

We require two basic facts about probability. The first regards the optimality of the Bayes decision rule, which is a strategy for guessing a random variable $X$ from posterior information $Y$ . The Bayes decision rule is to always guess the value of $X$ that maximizes the posterior probability given $Y$ . The Bayes decision rule is optimal, in the sense that any other strategy that guesses $X$ using $Y$ errs at least as often as the Bayes decision rule. We only need the following special case of this fact, which also applies more generally (see [Ber13, Chapter 4.4.1] for further discussion).

Lemma 5 (Bayes decision rule).

Let $X$ be a $\{0,1\}$ -valued random variable, let $Y$ be a random variable (not necessarily independent of $X$ ) with domain $D$ , and let $f:D\to\{0,1\}$ . Then:

\Pr[f(Y)=X]\leq\Pr\left[\operatorname*{arg\,max}_{i}\Pr[X=i|Y]=X\right].

The other fact we need is the Borel–Cantelli lemma for sequences of probabilistic events. It gives a criterion under which at most finitely many of the events occur, with probability $1$ .

Lemma 6 (Borel–Cantelli [Bor09, Can17]).

Let $\{X_{n}\}_{n\in\mathbb{N}}$ be a sequence of (not necessarily independent) random variables with values in $\{0,1\}$ . If

\sum_{n=1}^{\infty}\mathop{\mathbb{E}}[X_{n}]<\infty,

then

\Pr\left[\sum_{n=1}^{\infty}X_{n}=\infty\right]=0.

2.3 Quantum information

We let $\mathrm{TD}(\rho,\sigma)$ denote the trace distance between density matrices $\rho$ and $\sigma$ . For a matrix $M$ we use $||M||_{F}\coloneqq\sqrt{\mathrm{Tr}\left(M^{\dagger}M\right)}$ to denote its Frobenius norm.

When $A$ and $B$ are Hermitian matrices, we use $A\preceq B$ to denote the semidefinite ordering, i.e. that $B-A$ is positive semidefinite. We extend this notation to superoperators $A$ and $B$ : $A\preceq B$ denotes that $B-A$ is completely positive. A superoperator $\Lambda$ is said to be completely positive if, for any identity superoperator $I$ and positive semidefinite matrix $\rho$ , $(\Lambda\otimes I)(\rho)$ is positive semidefinite. If $\Lambda$ has input dimension $N$ , a criterion equivalent to complete positivity is

(\Lambda\otimes I_{N})(|\Phi_{N}\rangle\langle\Phi_{N}|)\succeq 0,

where $I_{N}$ is the $N$ -dimensional identity channel, and $|\Phi_{N}\rangle\coloneqq\frac{1}{\sqrt{N}}\sum_{i=1}^{N}|i\rangle|i\rangle$ is the standard maximally entangled state of dimension $N\times N$ [BHH16b].

For a unitary matrix $U$ , we use $U\cdot U^{\dagger}$ to denote the superoperator that maps a density matrix $\rho$ to $U\rho U^{\dagger}$ . In a slight abuse of notation, if $\mathcal{A}$ denotes a quantum algorithm (which may consist of unitary gates, measurements, oracle queries, and initialization of ancilla qubits), then we also use $\mathcal{A}$ to denote the superoperator corresponding to the action of $\mathcal{A}$ on input density matrices.

We let $\left|\left|\mathcal{A}\right|\right|_{\diamond}$ denote the diamond norm [AKN98] of a superoperator $\mathcal{A}$ acting on density matrices, which is defined by

\left|\left|\mathcal{A}\right|\right|_{\diamond}\coloneqq\sup_{\mathrm{Tr}(% \rho)=1,\rho\succeq 0}||(\mathcal{A}\otimes I)(\rho)||_{1},

where $I$ denotes the identity superoperator acting on a space of the same dimension as $\mathcal{A}$ . Intuitively, the diamond norm gives an analogue of trace distance for channels: the distance between two channels in the diamond norm captures the maximum bias by which those two channels can be distinguished. In particular, we have the following:

Fact 7.

Let $\mathcal{A}$ and $\mathcal{B}$ be quantum channels and $\rho$ a density matrix. Then

\mathrm{TD}(\mathcal{A}(\rho),\mathcal{B}(\rho))\leq\frac{1}{2}\left|\left|% \mathcal{A}-\mathcal{B}\right|\right|_{\diamond}.

We use the following formula for the distance between unitary superoperators in the diamond norm.

Fact 8 ([AKN98]).

Let $U$ and $V$ be unitary matrices, and suppose $d$ is the distance between $0$ and the polygon in the complex plane whose vertices are the eigenvalues of $UV^{\dagger}$ . Then

\left|\left|U\cdot U^{\dagger}-V\cdot V^{\dagger}\right|\right|_{\diamond}=2% \sqrt{1-d^{2}}.

A consequence of 8 is the following well-known bound relating distance in diamond norm to the Frobenius norm for unitary channels. We provide a proof for completeness.

Lemma 9.

Let $U,V$ be $N\times N$ unitary matrices. Then $||U\cdot U^{\dagger}-V\cdot V^{\dagger}||_{\diamond}\leq 2||U-V||_{F}$ .

Proof.

Let $\{\lambda_{i}:i\in[N]\}$ denote the eigenvalues of $UV^{\dagger}$ . Then we have:

$\displaystyle\|\|U-V\|\|_{F}^{2}$	$\displaystyle=\mathrm{Tr}\left((U-V)(U-V)^{\dagger}\right)$
	$\displaystyle=\mathrm{Tr}(2I-UV^{\dagger}-VU^{\dagger})$
	$\displaystyle=2N-\sum_{i=1}^{N}(\lambda_{i}+\lambda_{i}^{*})$
	$\displaystyle=\sum_{i=1}^{N}(2-2\mathrm{Re}(\lambda_{i}))$
	$\displaystyle\geq\max_{i}(2-2\mathrm{Re}(\lambda_{i})),$	(1)

where $\mathrm{Re}(\lambda_{i})$ denotes the real part of $\lambda_{i}$ . The last line holds because the eigenvalues of a unitary matrix have absolute value $1$ .

Let $d$ be the distance in the complex plane between $0$ and the polygon whose vertices are $\lambda_{1},\ldots,\lambda_{N}$ . Then from 8 we may conclude:

	$\displaystyle\|\|U\cdot U^{\dagger}-V\cdot V^{\dagger}\|\|_{\diamond}$	$\displaystyle\leq\max_{i}2\sqrt{1-\max\{\mathrm{Re}(\lambda_{i}),0\}^{2}}$
		$\displaystyle\leq\max_{i}2\sqrt{2-2\mathrm{Re}(\lambda_{i})}$
		$\displaystyle\leq 2\|\|U-V\|\|_{F},$

where the first inequality uses the fact that either all of the eigenvalues have positive real components and therefore $d\geq\min_{i}\mathrm{Re}(\lambda_{i})$ , or else $d\geq 0$ ; the second inequality substitutes $1-\max\{x,0\}^{2}\leq 2-2x$ which holds for all $x\in\mathbb{R}$ ; and the third inequality substitutes (1). ∎

2.4 Haar measure and concentration

We use $\mathbb{S}(N)$ to denote the set of $N$ -dimensional pure quantum states, and $\mathbb{U}(N)$ to denote the group of $N\times N$ unitary matrices. When $N=2^{n}$ , we identify these with $n$ -qubit states and unitary transformations, respectively. We use $\sigma_{N}$ to denote the Haar measure on $\mathbb{S}(N)$ , and we let $\mu_{N}$ denote the Haar measure over $\mathbb{U}(N)$ . We write $\mathbb{U}(N)^{M}$ for the space of $MN\times MN$ block-diagonal unitary matrices, where each block has size $N\times N$ , and we also identify $\mathbb{U}(N)^{M}$ with $M$ -tuples of $N\times N$ unitary matrices. We use $\mu_{N}^{M}$ to denote the product measure $\mu_{N}^{M}(U_{1},U_{2},\ldots,U_{M})\coloneqq\mu_{N}(U_{1})\cdot\mu_{N}(U_{2}% )\cdots\mu_{N}(U_{M})$ on $\mathbb{U}(N)^{M}$ , which we interpret as a distribution over a direct sum $U_{1}\oplus U_{2}\oplus\ldots\oplus U_{M}$ of matrices.

We require the following concentration inequality on the Haar measure, which is stated in terms of Lipschitz continuous functions. For a metric space $\mathcal{M}$ with metric $d$ , a function $f:\mathcal{M}\to\mathbb{R}$ is $L$ -Lipschitz if for all $x,y\in\mathcal{M}$ , $|f(x)-f(y)|\leq L\cdot d(x,y)$ .

Theorem 10 ([Mec19, Theorem 5.17]).

Given $N_{1},\ldots,N_{k}\in\mathbb{N}$ , let $X=\mathbb{U}(N_{1})\oplus\cdots\oplus\mathbb{U}(N_{k})$ be the space of block-diagonal unitary matrices with blocks of size $N_{1},\ldots,N_{k}$ . Let $\mu=\mu_{N_{1}}\times\cdots\times\mu_{N_{k}}$ be the product of Haar measures on $X$ . Suppose that $f:X\to\mathbb{R}$ is $L$ -Lipschitz in the Frobenius norm. Then for every $t>0$ :

\Pr_{U\sim\mu}\left[f(U)\geq\mathop{\mathbb{E}}_{V\sim\mu}[f(V)]+t\right]\leq% \exp\left(-\frac{(N-2)t^{2}}{24L^{2}}\right),

where $N=\min\{N_{1},\ldots,N_{k}\}$ .

2.5 Complexity theory

A language is a function $L:\{0,1\}^{*}\to\{0,1\}$ . A promise problem is a function $\Pi:\{0,1\}^{*}\to\{0,1,\bot\}$ . The domain of a promise problem $\Pi$ , denoted $\mathrm{Dom}(\Pi)$ , is

\mathrm{Dom}(\Pi)\coloneqq\left\{x\in\{0,1\}^{*}:\Pi(x)\in\{0,1\}\right\}

We assume familiarity with standard complexity classes such as $\mathsf{BQP}$ and $\mathsf{PP}$ . For completeness, we define some complexity classes used prominently in this work.

Definition 11.

A promise problem $\Pi:\{0,1\}^{*}\to\{0,1,\bot\}$ is in $\mathsf{PromiseBQP}$ (Bounded-error Quantum Polynomial time) if there exists a randomized polynomial-time quantum algorithm $\mathcal{A}(x)$ such that:

(i)

If $\Pi(x)=1$ , then $\Pr\left[\mathcal{A}(x)=1\right]\geq\frac{2}{3}$ .
(ii)

If $\Pi(x)=0$ , then $\Pr\left[\mathcal{A}(x)=1\right]\leq\frac{1}{3}$ .

$\mathsf{BQP}$ is defined as the set of languages in $\mathsf{PromiseBQP}$ .

Definition 12.

A promise problem $\Pi:\{0,1\}^{*}\to\{0,1,\bot\}$ is in $\mathsf{PromiseQMA}$ (Quantum Merlin–Arthur) if there exists a polynomial-time quantum algorithm $\mathcal{V}(x,|\psi\rangle)$ called a verifier and a polynomial $p$ such that:

(i)

(Completeness) If $\Pi(x)=1$ , then there exists a quantum state $|\psi\rangle$ on $p(|x|)$ qubits (called a witness or proof) such that $\Pr\left[\mathcal{V}(x,|\psi\rangle)=1\right]\geq\frac{2}{3}$ .
(ii)

(Soundness) If $\Pi(x)=0$ , then for every state $|\psi\rangle$ on $p(|x|)$ qubits, $\Pr\left[\mathcal{V}(x,|\psi\rangle)=1\right]\leq\frac{1}{3}$ .

$\mathsf{QMA}$ is defined as the set of languages in $\mathsf{PromiseQMA}$ .

Note: we will sometimes call any algorithm of the form $\mathcal{V}(x,|\psi\rangle)$ a $\mathsf{QMA}$ verifier, even if it does not satisfy the promise of a $\mathsf{QMA}$ language.

Definition 13.

A promise problem $\Pi:\{0,1\}^{*}\to\{0,1,\bot\}$ is in $\mathsf{PromisePostBQP}$ (Postselected Bounded-error Quantum Polynomial time) if there exists a polynomial-time quantum algorithm $\mathcal{A}(x)$ that outputs a trit in $\{0,1,*\}$ such that:

(i)

For all $x\in\mathrm{Dom}(\Pi)$ , $\Pr[\mathcal{A}(x)\in\{0,1\}]>0$ . When $\mathcal{A}(x)\in\{0,1\}$ , we say that postselection succeeds.
(ii)

If $\Pi(x)=1$ , then $\Pr\left[\mathcal{A}(x)=1\mid\mathcal{A}(x)\in\{0,1\}\right]\geq\frac{2}{3}$ . In other words, conditioned on postselection succeeding, $\mathcal{A}$ outputs $1$ with at least $\frac{2}{3}$ probability.
(iii)

If $\Pi(x)=0$ , then $\Pr\left[\mathcal{A}(x)=1\mid\mathcal{A}(x)\in\{0,1\}\right]\leq\frac{1}{3}$ . In other words, conditioned on postselection succeeding, $\mathcal{A}$ outputs $1$ with at most $\frac{1}{3}$ probability.

$\mathsf{PostBQP}$ is defined as the set of languages in $\mathsf{PromisePostBQP}$ .

Technically, the definition of $\mathsf{PromisePostBQP}$ is sensitive to the choice of universal gate set used to specify quantum algorithms, as was observed by Kuperberg [Kup15]. However, for most “reasonable” gate sets, such as unitary gates with algebraic entries [Kup15], the choice of gate set is irrelevant. We assume such a gate set, e.g. $\{\mathrm{CNOT},H,T\}$ .

We require the following equivalent characterization of $\mathsf{PromisePostBQP}$ :

Lemma 14 (Aaronson [Aar05]).

$\mathsf{PromisePostBQP}=\mathsf{PromisePP}$

2.6 Quantum oracles

We frequently consider quantum algorithms that query quantum oracles. In this work, unless otherwise specified, we define queries to a unitary matrix $\mathcal{U}$ to mean a single application of either $\mathcal{U}$ , $\mathcal{U}^{\dagger}$ , controlled- $\mathcal{U}$ (i.e. $I\oplus\mathcal{U}$ , where $I$ is the identity of the same dimension), or controlled- $\mathcal{U}^{\dagger}$ (i.e. $I\oplus\mathcal{U}^{\dagger}$ ), unless otherwise specified. We use superscript notation for algorithms that query oracles. For instance, $\mathcal{A}^{\mathcal{U}}(x,|\psi\rangle)$ denotes a quantum algorithm $\mathcal{A}$ that queries an oracle $\mathcal{U}$ and receives a classical input $x$ and a quantum input $|\psi\rangle$ .

We consider versions of $\mathsf{PromiseBQP}$ , $\mathsf{PromiseQMA}$ , and $\mathsf{PromisePostBQP}$ augmented with quantum oracles, where the algorithm (or in the case of $\mathsf{PromiseQMA}$ , the verifier) can apply unitary transformations from an infinite sequence $\mathcal{U}=\{\mathcal{U}_{n}\}_{n\in\mathbb{N}}$ . We denote the respective complexity classes by $\mathsf{PromiseBQP}^{\mathcal{U}}$ , $\mathsf{PromiseQMA}^{\mathcal{U}}$ , and $\mathsf{PromisePostBQP}^{\mathcal{U}}$ . We assume the algorithm incurs a cost of $n$ to query $\mathcal{U}_{n}$ so that a polynomial-time algorithm on input $x$ can query $\mathcal{U}_{n}$ for any $n\leq\mathrm{poly}(|x|)$ . In this model, a query to $\mathcal{U}_{n}$ consists of a single application of either $\mathcal{U}_{n}$ , controlled- $\mathcal{U}_{n}$ , or their inverses.

The quantum oracle model includes classical oracles as a special case. For a language $\mathcal{L}$ , a query to $\mathcal{L}$ is implemented via the unitary transformation $\mathcal{U}$ that acts as $\mathcal{U}|x\rangle|b\rangle=|x\rangle|b\oplus\mathcal{L}(x)\rangle$ .

2.7 Cryptography

We use the following definitions of pseudorandom quantum states (PRSs) and pseudorandom unitaries (PRUs), which were introduced by Ji, Liu, and Song [JLS18].

Definition 15 (Pseudorandom quantum states [JLS18]).

Let $\kappa\in\mathbb{N}$ be the security parameter, and let $n(\kappa)$ be the number of qubits in the quantum system. A keyed family of $n$ -qubit quantum states $\{|\varphi_{k}\rangle\}_{k\in\{0,1\}^{\kappa}}$ is pseudorandom if the following two conditions hold:

(1)

(Efficient generation) There is a polynomial-time quantum algorithm $G$ that generates $|\varphi_{k}\rangle$ on input $k$ , meaning $G(k)=|\varphi_{k}\rangle$ .

(2)

(Computationally indistinguishable) For any polynomial-time quantum adversary $\mathcal{A}$ and for every $T=\mathrm{poly}(\kappa)$ :

\left|\Pr_{k\sim\{0,1\}^{\kappa}}\left[\mathcal{A}\left(1^{\kappa},|\varphi_{k% }\rangle^{\otimes T}\right)=1\right]-\Pr_{|\psi\rangle\sim\sigma_{2^{n}}}\left% [\mathcal{A}\left(1^{\kappa},|\psi\rangle^{\otimes T}\right)=1\right]\right|% \leq\mathrm{negl}(\kappa).

We emphasize that the above security definition must hold for all polynomial values of $T$ (i.e. $T$ is not bounded in advance). That being said, there do exist alternative definitions of pseudorandom states in which the adversary only receives a single copy of the state [MY22b].

Definition 16 (Pseudorandom unitary transformations [JLS18]).

Let $\kappa\in\mathbb{N}$ be the security parameter, and let $n(\kappa)$ be the number of qubits in the quantum system. A keyed family of $n$ -qubit unitary transformations $\{U_{k}\}_{k\in\{0,1\}^{\kappa}}$ is pseudorandom if the following two conditions hold:

(1)

(Efficient computation) There is a polynomial-time quantum algorithm $G$ that implements $U_{k}$ on input $k$ , meaning that for any $n$ -qubit $|\psi\rangle$ , $G(k,|\psi\rangle)=U_{k}|\psi\rangle$ .

(2)

(Computationally indistinguishable) For any polynomial-time quantum algorithm $\mathcal{A}^{U}$ that queries $n$ -qubit $U$ :

\left|\Pr_{k\sim\{0,1\}^{\kappa}}\left[\mathcal{A}^{U_{k}}\left(1^{\kappa}% \right)=1\right]-\Pr_{U\sim\mu_{2^{n}}}\left[\mathcal{A}^{U}\left(1^{\kappa}% \right)=1\right]\right|\leq\mathrm{negl}(\kappa).

We sometimes call the negligible quantities in the above definitions the advantage of the quantum adversary $\mathcal{A}$ . Additionally, we may instantiate these primitives relative to an oracle $\mathcal{O}$ , which just means that both the generating algorithm $G$ and the adversary $\mathcal{A}$ are additionally allowed to query $\mathcal{O}$ .

In this work, we will only consider pseudorandom state and unitary ensembles where $n(\kappa)=\omega(\log\kappa)$ . Although the original definition of Ji, Liu, and Song [JLS18] did not impose this condition, later works have shown that $O(\log\kappa)$ -qubit pseudorandom ensembles behave very differently from $\omega(\log\kappa)$ -qubit ensembles [BS20, AQY22, BEM24]; the former are often called “short PRSs/PRUs”. Intuitively, this difference is because one can perform tomography on a quantum state or unitary of $O(\log\kappa)$ qubits to any desired precision $\varepsilon$ in time $\mathrm{poly}(\kappa,\varepsilon)$ , so short PRSs/PRUs behave more like cryptographic objects with classical output.

We must also be careful about the type of adversary $\mathcal{A}$ considered in Definitions 15 and 16. In this work, we consider security against non-uniform quantum algorithms with classical advice, which means that the adversary is allowed to be a different polynomial-time quantum algorithm for each setting of the security parameter $\kappa\in\mathbb{N}$ . Without loss of generality, such an adversary can always be assumed to take the form of a uniform $\mathrm{poly}(\kappa)$ -time quantum algorithm $\mathcal{A}\left(1^{\kappa},x\right)$ , where $x\in\{0,1\}^{\mathrm{poly}(\kappa)}$ is an advice string that depends only on $\kappa$ .

3 Approximate $t$ -designs

We start by defining an $\varepsilon$ -approximate quantum (state) $t$ -design, which is a distribution over quantum states that information-theoretically approximates the Haar measure over states. While there are several definitions of approximate $t$ -designs used in the literature, for this work it is crucial that we use multiplicative approximate designs for both states and unitaries, meaning that the designs approximate the first $t$ moments of the Haar measure to within a multiplicative $1\pm\varepsilon$ error (as opposed to additive error).

Definition 17 (Approximate quantum design, cf. [AE07]).

A probability distribution $S$ over $\mathbb{S}(N)$ is an $\varepsilon$ -approximate quantum $t$ -design if:

(1-\varepsilon)\mathop{\mathbb{E}}_{|\psi\rangle\sim\sigma_{N}}\left[|\psi% \rangle\langle\psi|^{\otimes t}\right]\preceq\mathop{\mathbb{E}}_{|\psi\rangle% \sim S}\left[|\psi\rangle\langle\psi|^{\otimes t}\right]\preceq(1+\varepsilon)% \mathop{\mathbb{E}}_{|\psi\rangle\sim\sigma_{N}}\left[|\psi\rangle\langle\psi|% ^{\otimes t}\right].

Similarly, we require $\varepsilon$ -approximate unitary $t$ -designs, which are approximations to the Haar measure over unitary matrices.

Definition 18 (Approximate unitary design [BHH16b]).

A probability distribution $S$ over $\mathbb{U}(N)$ is an $\varepsilon$ -approximate unitary $t$ -design if:

(1-\varepsilon)\mathop{\mathbb{E}}_{U\sim\mu_{N}}\left[(U\cdot U^{\dagger})^{% \otimes t}\right]\preceq\mathop{\mathbb{E}}_{U\sim S}\left[(U\cdot U^{\dagger}% )^{\otimes t}\right]\preceq(1+\varepsilon)\mathop{\mathbb{E}}_{U\sim\mu_{N}}% \left[(U\cdot U^{\dagger})^{\otimes t}\right].

An important observation is that unitary designs give rise to state designs:

Proposition 19.

Let $S$ be an $\varepsilon$ -approximate unitary $t$ -design over $\mathbb{U}(N)$ . Then for any $|\varphi\rangle\in\mathbb{S}(N)$ , $S|\varphi\rangle$ is an $\varepsilon$ -approximate quantum $t$ -design.

Proof.

We only establish the right inequality in Definition 17; the proof of the left inequality is similar. We have:

	$\displaystyle\mathop{\mathbb{E}}_{\|\psi\rangle\sim S\|\varphi\rangle}\left[\|% \psi\rangle\langle\psi\|^{\otimes t}\right]$	$\displaystyle=\mathop{\mathbb{E}}_{U\sim S}\left[U^{\otimes t}\left(\|\varphi% \rangle\langle\varphi\|^{\otimes t}\right)(U^{\dagger})^{\otimes t}\right]$
		$\displaystyle\preceq(1+\varepsilon)\mathop{\mathbb{E}}_{U\sim\mu_{N}}\left[U^{% \otimes t}\left(\|\varphi\rangle\langle\varphi\|^{\otimes t}\right)(U^{\dagger})% ^{\otimes t}\right]$
		$\displaystyle=(1+\varepsilon)\mathop{\mathbb{E}}_{\|\psi\rangle\sim\sigma_{N}}% \left[\|\psi\rangle\langle\psi\|^{\otimes t}\right],$

where the second line applies Definition 18 and the definition of complete positivity, and the last line uses the invariance of the Haar measure. This implies that $S|\varphi\rangle$ satisfies Definition 17. ∎

Efficient constructions of approximate unitary $t$ -designs over qubits are known, as below.

Lemma 20.

For each $n,t\in\mathbb{N}$ and $\varepsilon>0$ , there exists $m\leq\mathrm{poly}(n,t,\log\frac{1}{\varepsilon})$ and a $\mathrm{poly}(n,t,\log\frac{1}{\varepsilon})$ -time classical algorithm $\mathcal{S}$ that takes as input a random string $x\sim\{0,1\}^{m}$ and outputs a description of a quantum circuit on $n$ qubits such that the circuits sampled from $\mathcal{S}$ form an $\varepsilon$ -approximate unitary $t$ -design over $\mathbb{U}(2^{n})$ .

Proof sketch.

Fix an arbitrary universal quantum gate set $G$ with algebraic entries that is closed under taking inverses (e.g. $G=\{\mathrm{CNOT},H,T,T^{\dagger}\}$ ). Brandão, Harrow, and Horodecki [BHH16b, Corollary 7] show that $n$ -qubit quantum circuits consisting of $\mathrm{poly}(n,t,\log\frac{1}{\varepsilon})$ random gates sampled from $G$ , applied to random pairs of qubits, form $\varepsilon$ -approximate unitary $t$ -designs. So, $\mathcal{S}$ just has to sample from this distribution, which can be done with $\mathrm{poly}(n,t,\log\frac{1}{\varepsilon})$ bits of randomness. ∎

Note that this also implies an efficient construction of $\varepsilon$ -approximate quantum (state) $t$ -designs, by taking $|\varphi\rangle=|0^{n}\rangle$ in Proposition 19.

Essentially the only property we need of approximate $t$ -designs is that they can be used in place of the Haar measure in any quantum algorithm that uses $t$ copies of a Haar-random state (or $t$ queries to a Haar-random unitary), and the measurement probabilities of the algorithm will change by only a small multiplicative factor.

Lemma 21.

Let $S$ be an $\varepsilon$ -approximate quantum $t$ -design over $\mathbb{S}(N)$ , and let $\mathcal{A}$ be an arbitrary quantum measurement. Then:

(1-\varepsilon)\Pr_{|\psi\rangle\sim\sigma_{N}}\left[\mathcal{A}\left(|\psi% \rangle^{\otimes t}\right)=1\right]\leq\Pr_{|\psi\rangle\sim S}\left[\mathcal{% A}\left(|\psi\rangle^{\otimes t}\right)=1\right]\leq(1+\varepsilon)\Pr_{|\psi% \rangle\sim\sigma_{N}}\left[\mathcal{A}\left(|\psi\rangle^{\otimes t}\right)=1% \right].

Proof.

Let $0\preceq M\preceq I$ be the measurement performed at the end of the algorithm, so that on input a state $\rho$ , $\Pr[\mathcal{A}(\rho)=1]=\mathrm{Tr}(M\rho)$ . Then:

	$\displaystyle\Pr_{\|\psi\rangle\sim S}\left[\mathcal{A}\left(\|\psi\rangle^{% \otimes t}\right)=1\right]$	$\displaystyle=\mathrm{Tr}\left(M\mathop{\mathbb{E}}_{\|\psi\rangle\sim S}\left[% \|\psi\rangle\langle\psi\|^{\otimes t}\right]\right)$
		$\displaystyle\leq\mathrm{Tr}\left(M(1+\varepsilon)\mathop{\mathbb{E}}_{\|\psi% \rangle\sim\mu_{N}}\left[\|\psi\rangle\langle\psi\|^{\otimes t}\right]\right)$
		$\displaystyle=(1+\varepsilon)\Pr_{\|\psi\rangle\sim\mu_{N}}\left[\mathcal{A}% \left(\|\psi\rangle^{\otimes t}\right)=1\right],$

where the inequality in the second line follows from Definition 17 and the fact that $A\preceq B$ implies $\mathrm{Tr}(MB)-\mathrm{Tr}(MA)=\mathrm{Tr}(M(B-A))\geq 0$ , because the trace of a product of two positive semidefinite matrices is always nonnegative. This establishes the right inequality in the statement of the lemma; the left inequality follows by following the same steps with the other half of Definition 17. ∎

A similar statement can easily be shown for unitary designs when the only queries made by the algorithm are parallel:

Lemma 22.

Let $S$ be an $\varepsilon$ -approximate unitary $t$ -design over $\mathbb{U}(N)$ , and let $\mathcal{A}^{U}$ be a quantum algorithm whose only queries to $U\in\mathbb{U}(N)$ consist of a single application of $U^{\otimes t}$ . Then:

(1-\varepsilon)\Pr_{U\sim\mu_{N}}\left[\mathcal{A}^{U}=1\right]\leq\Pr_{U\sim S% }\left[\mathcal{A}^{U}=1\right]\leq(1+\varepsilon)\Pr_{U\sim\mu_{N}}\left[% \mathcal{A}^{U}=1\right].

Proof.

Let $\rho$ be the input state of the algorithm, and let $0\preceq M\preceq I$ be the measurement performed at the end of the algorithm, so that

\Pr\left[\mathcal{A}^{U}=1\right]=\mathrm{Tr}\left(M(U^{\otimes t}\otimes I)% \rho(U^{\otimes t}\otimes I)^{\dagger}\right).

Then:

	$\displaystyle\Pr_{U\sim S}\left[\mathcal{A}^{U}=1\right]$	$\displaystyle=\mathop{\mathbb{E}}_{U\sim S}\left[\mathrm{Tr}\left(M(U^{\otimes t% }\otimes I)\rho(U^{\otimes t}\otimes I)^{\dagger}\right)\right]$
		$\displaystyle=\mathrm{Tr}\left(M\mathop{\mathbb{E}}_{U\sim S}\left[(U^{\otimes t% }\otimes I)\rho(U^{\otimes t}\otimes I)^{\dagger}\right]\right)$
		$\displaystyle\leq\mathrm{Tr}\left(M(1+\varepsilon)\mathop{\mathbb{E}}_{U\sim% \mu_{N}}\left[(U^{\otimes t}\otimes I)\rho(U^{\otimes t}\otimes I)^{\dagger}% \right]\right)$
		$\displaystyle=(1+\varepsilon)\mathop{\mathbb{E}}_{U\sim\mu_{N}}\left[\mathrm{% Tr}\left(M(U^{\otimes t}\otimes I)\rho(U^{\otimes t}\otimes I)^{\dagger}\right% )\right]$
		$\displaystyle=(1+\varepsilon)\Pr_{U\sim\mu_{N}}\left[\mathcal{A}^{U}=1\right],$

where the second and fourth lines hold by linearity of expectation, and the inequality in the third line follows from Definition 18. Specifically, the third line uses the fact that if $A\preceq B$ are superoperators and $\rho$ is positive semidefinite, then $\mathrm{Tr}(M\cdot(B\otimes I)(\rho))-\mathrm{Tr}(M\cdot(A\otimes I)(\rho))=% \mathrm{Tr}(M\cdot((B-A)\otimes I)(\rho))\geq 0$ , because $B-A$ is completely positive, and the trace of a product of two positive semidefinite matrices is always nonnegative. This establishes the right inequality in the statement of the lemma; the left inequality follows by following the same steps with the other half of Definition 18. ∎

Using an idea from [AMR20], one can straightforwardly generalize Lemma 22 to algorithms that make adaptive queries to $U$ , but not controlled- $U$ . The key idea is that using quantum gate teleportation, one can simulate adaptive queries to a unitary transformation using parallel queries and postselection. For the next lemma that shows this, recall that the Choi state of a unitary $U\in\mathbb{U}(N)$ is the state

|\phi_{U}\rangle\coloneqq(U\otimes I)|\Phi_{N}\rangle,

where $|\Phi_{N}\rangle\coloneqq\frac{1}{\sqrt{N}}\sum_{i=1}^{N}|i\rangle|i\rangle$ is the standard maximally entangled state.

Lemma 23.

Let $\mathcal{A}^{U}$ be a quantum algorithm that makes $t$ adaptive queries to $U\in\mathbb{U}(N)$ (but not controlled- $U$ or $U^{\dagger}$ ). Then there exists an algorithm $\mathcal{B}\left(|\phi_{U}\rangle^{\otimes t}\right)$ such that:

\Pr\left[\mathcal{B}\left(|\phi_{U}\rangle^{\otimes t}\right)=1\right]=\frac{% \Pr\left[\mathcal{A}^{U}=1\right]}{N^{2t}}.

Proof.

Consider the following circuit:

\Qcircuit@C=1em@R=0.8em@!R{\lstick{}&\qw\inputgroupv{1}{2}{.7em}{.7em}{|\phi_{% U}\rangle}\qw\rstick{U|\psi\rangle}\qw\\ \lstick{}\multimeasureD{1}{|\Phi_{N}\rangle}\\ \lstick{|\psi\rangle}\ghost{|\Phi_{N}\rangle}\\ }

In words, given an unknown state $|\psi\rangle$ on the bottom register, this circuit initializes $|\phi_{U}\rangle$ on the top two registers and then postselects on measuring $|\Phi_{N}\rangle$ on the bottom two registers. Conditioned on postselection succeeding, the output of the top register is exactly $U|\psi\rangle$ , as the following calculation shows:

	$\displaystyle(I\otimes\langle\Phi_{N}\|)(\|\phi_{U}\rangle\otimes\|\psi\rangle)$	$\displaystyle=(U\otimes\langle\Phi_{N}\|)(\|\Phi_{N}\rangle\otimes\|\psi\rangle)$
		$\displaystyle=\frac{1}{N}\left(U\otimes\sum_{i=1}^{N}\langle i\|\langle i\|% \right)\left(\sum_{i=1}^{N}\sum_{j=1}^{N}\psi_{j}\|i\rangle\|i\rangle\|j\rangle\right)$
		$\displaystyle=\frac{1}{N}\left(U\otimes\sum_{i=1}^{N}\langle i\|\langle i\|% \right)\left(\sum_{i=1}^{N}\psi_{i}\|i\rangle\|i\rangle\|i\rangle\right)$
		$\displaystyle=\frac{U}{N}\sum_{i=1}^{n}\psi_{i}\|i\rangle$
		$\displaystyle=\frac{U\|\psi\rangle}{N}.$

This also shows that postselection succeeds with probability $\frac{1}{N^{2}}$ , independent of $U$ or $|\psi\rangle$ .

Let $\mathcal{B}$ simulate each query that $\mathcal{A}$ makes to $U$ using the above circuit and a copy of $|\phi_{U}\rangle$ . Conditioned on all $t$ postselection steps succeeding, which occurs with probability $\frac{1}{N^{2t}}$ , the output state of $\mathcal{B}$ is exactly the same as the output state of $\mathcal{A}$ . Thus,

\Pr\left[\mathcal{B}\left(|\phi_{U}\rangle^{\otimes t}\right)=1\right]=\frac{% \Pr\left[\mathcal{A}^{U}=1\right]}{N^{2t}}.\qed

An interesting question is whether Lemma 23 can be generalized to algorithms $\mathcal{A}^{U}$ that can make queries to both $U$ and $U^{\dagger}$ . In a sense, we are just asking whether queries to $U^{\dagger}$ can be simulated by a combination of queries to $U$ and postselection. Notably, in the case that $U$ is a real orthogonal matrix, this is possible, because $|\phi_{U}\rangle$ is equivalent to $|\phi_{U^{\top}}\rangle$ up to swapping the two registers, and $U^{\top}=U^{\dagger}$ for real matrices $U$ .

The generalization of Lemma 22 to algorithms that make adaptive queries now follows.

Lemma 24.

Let $S$ be an $\varepsilon$ -approximate unitary $t$ -design over $\mathbb{U}(N)$ , and let $\mathcal{A}^{U}$ be a quantum algorithm that makes $t$ queries to $U$ (but not controlled- $U$ or $U^{\dagger}$ ). Then:

(1-\varepsilon)\Pr_{U\sim\mu_{N}}\left[\mathcal{A}^{U}=1\right]\leq\Pr_{U\sim S% }\left[\mathcal{A}^{U}=1\right]\leq(1+\varepsilon)\Pr_{U\sim\mu_{N}}\left[% \mathcal{A}^{U}=1\right].

Proof.

Let $\mathcal{B}\left(|\phi_{U}\rangle^{\otimes t}\right)$ be the algorithm from Lemma 23. Then:

	$\displaystyle\Pr_{U\sim S}\left[\mathcal{A}^{U}=1\right]$	$\displaystyle=N^{2t}\Pr_{U\sim S}\left[\mathcal{B}\left(\|\phi_{U}\rangle^{% \otimes t}\right)=1\right]$
		$\displaystyle\leq(1+\varepsilon)N^{2t}\Pr_{U\sim\mu_{N}}\left[\mathcal{B}\left% (\|\phi_{U}\rangle^{\otimes t}\right)=1\right]$
		$\displaystyle=(1+\varepsilon)\Pr_{U\sim\mu_{N}}\left[\mathcal{A}^{U}=1\right],$

where the first and last lines use Lemma 23, and the second line applies Lemma 22. The other inequality in the lemma follows by similar steps, using the other half of Lemma 22. ∎

Finally, we wish to extend Lemma 24 to algorithms that can also make queries to controlled- $U$ . It is not at all obvious that this is possible, because it is well known that queries to controlled- $U$ cannot be simulated efficiently using queries to $U$ [GST24]. At the same time, it is unclear how one should pick the phase on controlled- $U$ , because the definition of an approximate unitary $t$ -design (Definition 18) “forgets” the global phase of $U$ . We address both problems simultaneously by observing that the argument using Lemma 23 can still go through if we choose the phase of $U$ randomly. In order for this argument to hold, we assume that our approximate unitary $t$ -design $S$ is phase-invariant, which we take to mean that for any $U$ sampled from the design, $U$ and $\omega U$ are chosen with the same probability, where $\omega=e^{\frac{2\pi i}{t+1}}$ is a primitive $(t+1)$ th root of unity.⁵⁵5Actually, our proof only requires that the design be invariant under any group of complex units whose first $t$ moments are the same as the uniform measure over complex units. We choose the group generated by $\omega$ only because it is the smallest group with this property. Note that we can make any unitary design phase-invariant via multiplication by a uniformly random $(t+1)$ th root of unity.

Lemma 25.

Let $S$ be a phase-invariant $\varepsilon$ -approximate unitary $t$ -design over $\mathbb{U}(N)$ , and let $\mathcal{A}^{U}$ be a quantum algorithm that makes $t$ queries to $U$ (including controlled- $U$ , but not $U^{\dagger}$ ). Then:

(1-\varepsilon)\Pr_{U\sim\mu_{N}}\left[\mathcal{A}^{U}=1\right]\leq\Pr_{U\sim S% }\left[\mathcal{A}^{U}=1\right]\leq(1+\varepsilon)\Pr_{U\sim\mu_{N}}\left[% \mathcal{A}^{U}=1\right].

Proof.

Let $\langle\omega\rangle$ be the group of $(t+1)$ th roots of unity. We first claim that given $t$ copies of the Choi state of $U$ (i.e. $|\phi_{U}\rangle^{\otimes t}$ ), we can generate the state

\sigma_{U,t}\coloneqq\mathop{\mathbb{E}}_{\varphi\sim\langle\omega\rangle}% \left[|\phi_{I\oplus\varphi U}\rangle\langle\phi_{I\oplus\varphi U}|^{\otimes t% }\right],

which is $t$ copies of the Choi state of controlled- $\varphi U$ , averaged over all phases $\varphi$ that are $(t+1)$ th roots of unity. Assuming this claim holds, then

	$\displaystyle\Pr_{U\sim S}\left[\mathcal{A}^{U}=1\right]$	$\displaystyle=\mathop{\mathbb{E}}_{U\sim S}\left[\Pr_{\varphi\sim\langle\omega% \rangle}\left[\mathcal{A}^{\varphi U}=1\right]\right]$
		$\displaystyle=\mathop{\mathbb{E}}_{U\sim S}\left[(2N)^{2t}\Pr_{\varphi\sim% \langle\omega\rangle}\left[\mathcal{B}\left(\|\phi_{I\oplus\varphi U}\rangle^{% \otimes t}\right)=1\right]\right]$
		$\displaystyle=(2N)^{2t}\Pr_{U\sim S}\left[\mathcal{B}\left(\sigma_{U,t}\right)% =1\right]$
		$\displaystyle\leq(1+\varepsilon)(2N)^{2t}\Pr_{U\sim\mu_{N}}\left[\mathcal{B}% \left(\sigma_{U,t}\right)=1\right]$
		$\displaystyle=(1+\varepsilon)\Pr_{U\sim\mu_{N}}\left[\mathcal{A}^{U}=1\right],$

where the first line applies the phase-invariance of the design, the second line holds for the algorithm $\mathcal{B}$ defined in Lemma 23, the third line holds by the definition of $\sigma_{U,t}$ , the fourth line applies Lemma 22 and the claim that $\sigma_{U,t}$ can be prepared from $|\phi_{U}\rangle^{\otimes t}$ , and the last line appeals to Lemma 23 and the phase-invariance of the Haar measure. The other inequality in the statement of the lemma follows from similar steps, so for the rest of the proof we turn to proving the claim. We remark that the remainder of the proof is closely related to the proof of [Kre21b, Lemma 15], which also involves showing how to prepare a state obtained by averaging over phases.

Recall that $|\phi_{I\oplus\varphi U}\rangle$ is defined by

|\phi_{I\oplus\varphi U}\rangle\coloneqq\frac{1}{\sqrt{2N}}\left(\sum_{i=1}^{N% }|i\rangle|i\rangle+\sum_{i=N}^{2N}\varphi U|i\rangle|i\rangle\right).

By identifying $[2N]$ with $\{0,1\}\times[N]$ , we can also write this in the form

|\phi_{I\oplus\varphi U}\rangle\equiv\frac{1}{\sqrt{2N}}\left(\sum_{i=1}^{N}|0% \rangle|i\rangle|0\rangle|i\rangle+\sum_{i=1}^{N}\varphi U|1\rangle|i\rangle|1% \rangle|i\rangle\right).

Swapping the ordering of the second and third registers, we identify this state with

|\phi_{I\oplus\varphi U}\rangle\equiv\frac{|00\rangle|\Phi_{N}\rangle+\varphi|% 11\rangle|\phi_{U}\rangle}{\sqrt{2}}.

For convenience, define $|\psi_{0}\rangle\coloneqq|00\rangle|\Phi_{N}\rangle$ and $|\psi_{1}\rangle\coloneqq|11\rangle|\phi_{U}\rangle$ . For $x\in\{0,1\}^{t}$ , we extend this notation via $|\psi_{x}\rangle\coloneqq\bigotimes_{i=1}^{t}|\psi_{x_{i}}\rangle$ . For $i=0,\ldots,t$ , define

|\overline{\psi}_{i}\rangle\coloneqq\binom{t}{i}^{-1/2}\sum_{\begin{subarray}{% c}x\in\{0,1\}^{t}:\\ \operatorname{wt}(x)=i\end{subarray}}|\psi_{x}\rangle

We claim that $\sigma_{U,t}=\rho_{U,t}$ , where

\rho_{U,t}\coloneqq\sum_{i=1}^{t}\frac{\binom{t}{i}}{2^{t}}|\overline{\psi}_{i% }\rangle\langle\overline{\psi}_{i}|.

To see why, note that both $\sigma_{U,t}$ and $\rho_{U,t}$ are only supported on the orthonormal basis $\{|\psi_{x}\rangle:x\in\{0,1\}^{t}\}$ , so it suffices to show $\langle\psi_{x}|\sigma_{U,t}|\psi_{y}\rangle=\langle\psi_{x}|\rho_{U,t}|\psi_{% y}\rangle$ for each $x,y\in\{0,1\}^{t}$ . Observe that

	$\displaystyle\langle\psi_{x}\|\sigma_{U,t}\|\psi_{y}\rangle$	$\displaystyle=\mathop{\mathbb{E}}_{\varphi\sim\langle\omega\rangle}\left[\left% (\prod_{i=1}^{t}\frac{1}{\sqrt{2}}\varphi^{x_{i}}\right)\left(\prod_{i=1}^{t}% \frac{1}{\sqrt{2}}\varphi^{-y_{i}}\right)\right]$
		$\displaystyle=\frac{1}{2^{t}}\cdot\mathop{\mathbb{E}}_{\varphi\sim\langle% \omega\rangle}\left[\varphi^{\operatorname{wt}(x)-\operatorname{wt}(y)}\right]$
		$\displaystyle=\begin{cases}\frac{1}{2^{t}}&\operatorname{wt}(x)=\operatorname{% wt}(y)\\ 0&\operatorname{wt}(x)\neq\operatorname{wt}(y).\end{cases}$

Above, we are using the fact that the first $t$ moments of $\langle\omega\rangle$ are the same as the first $t$ moments of the full group of complex units.

Clearly, $\langle\psi_{x}|\rho_{U,t}|\psi_{y}\rangle=\langle\psi_{x}|\sigma_{U,t}|\psi_{% y}\rangle=0$ whenever $\operatorname{wt}(x)\neq\operatorname{wt}(y)$ , because $\rho_{U,t}$ is a mixture of pure states that are each a superposition over basis states that have the same Hamming weight. On the other hand, when $\operatorname{wt}(x)=\operatorname{wt}(y)=i$ , we have

\langle\psi_{x}|\rho_{U,t}|\psi_{y}\rangle=\frac{\binom{t}{i}}{2^{n}}\langle% \psi_{x}|\overline{\psi}_{i}\rangle\langle\overline{\psi}_{i}|\psi_{y}\rangle=% \frac{1}{2^{t}},

as claimed.

To complete the proof, we only have to show how to produce the state $\rho_{U,t}$ from $t$ copies of $|\phi_{U}\rangle$ . Since $\rho_{U,t}$ is a probabilistic mixture of the $|\overline{\psi}_{i}\rangle$ s, it suffices to show how to produce $|\overline{\psi}_{i}\rangle$ . Begin by initializing the state

\binom{t}{i}^{-1/2}\sum_{\begin{subarray}{c}x\in\{0,1\}^{t}:\\ \operatorname{wt}(x)=i\end{subarray}}|x\rangle|\psi_{1^{i}0^{t-i}}\rangle,

which can be viewed as a tensor product of $i$ copies of $|\phi_{U}\rangle$ and a fixed state independent of $|\phi_{U}\rangle$ . Using permutations on the second register controlled on the first register, the above state can be mapped to

\binom{t}{i}^{-1/2}\sum_{\begin{subarray}{c}x\in\{0,1\}^{t}:\\ \operatorname{wt}(x)=i\end{subarray}}|x\rangle|\psi_{x}\rangle.

Finally, we can erase the $|x\rangle$ by, for each $i$ , flipping the $i$ th bit of the first register controlled on the $i$ th part of the second register being orthogonal to $|\psi_{0}\rangle$ . This works because $|\psi_{0}\rangle$ is a known state and $|\psi_{1}\rangle$ is orthogonal to $|\psi_{0}\rangle$ . Doing so leaves us with:

\binom{t}{i}^{-1/2}\sum_{\begin{subarray}{c}x\in\{0,1\}^{t}:\\ \operatorname{wt}(x)=i\end{subarray}}|0^{t}\rangle|\psi_{x}\rangle,

which is just $|0^{t}\rangle|\overline{\psi}_{i}\rangle$ . ∎

4 Breaking pseudorandomness with a classical oracle

In this section, we prove that a polynomial-time quantum algorithm with a $\mathsf{PP}$ oracle can distinguish a pseudorandom state from a Haar-random state. First, we need a lemma about the overlap between a fixed state $|\varphi\rangle$ and a Haar-random state $|\psi\rangle$ .

Lemma 26.

Let $|\varphi\rangle\in\mathbb{S}(N)$ , and let $\varepsilon>0$ . Then:⁶⁶6As observed in [CGG⁺23], an earlier version of this work [Kre21a] gave the incorrect bound $e^{-\varepsilon N}$ here, which was carried over from [BHH16b, Equation (14)].

\Pr_{|\psi\rangle\sim\sigma_{N}}\left[|\langle\psi|\varphi\rangle|^{2}\geq% \varepsilon\right]\leq e^{-\varepsilon(N-1)}.

Proof.

It is well known that if a Haar-random state $|\psi\rangle$ is measured in any fixed basis (say, a basis containing $|\varphi\rangle$ ), the measurement probabilities are uniform over the $N$ -dimensional probability simplex, or equivalently sampled according to a standard Dirichlet distribution. $|\langle\psi|\varphi\rangle|^{2}$ is one of the marginals of this Dirichlet distribution, and hence it is distributed as $|\langle\psi|\varphi\rangle|^{2}\sim\mathrm{Beta}(1,N-1)$ . The probability density function of this distribution is given by

p(x)=(N-1)(1-x)^{N-2}.

It follows that

	$\displaystyle\Pr_{\|\psi\rangle\sim\sigma_{N}}\left[\|\langle\psi\|\varphi\rangle% \|^{2}\geq\varepsilon\right]$	$\displaystyle=\int_{\varepsilon}^{1}(N-1)(1-x)^{N-2}\mathrm{d}x$
		$\displaystyle=(1-\varepsilon)^{N-1}$
		$\displaystyle\leq e^{-\varepsilon(N-1)}.\qed$

The formal statement of our result is below.

Theorem 27.

For any PRS ensemble $\{|\varphi_{k}\rangle\}_{k\in\{0,1\}^{\kappa}}$ of $n$ -qubit states with security parameter $\kappa$ satisfying $n=\omega(\log\kappa)$ , there exists a $\mathsf{PP}$ language $\mathcal{L}$ , a $\mathrm{poly}(\kappa)$ -time quantum algorithm $\mathcal{A}^{\mathcal{L}}$ , and $T=\mathrm{poly}(\kappa)$ such that the following holds. Let $X\sim\{0,1\}$ be a uniform random bit. Let $|\psi\rangle$ be sampled uniformly from the PRS ensemble if $X=0$ , and otherwise let $|\psi\rangle$ be sampled from the Haar measure $\sigma_{2^{n}}$ if $X=1$ . Then we have:

\Pr_{X,|\psi\rangle}\left[\mathcal{A}^{\mathcal{L}}\left(1^{\kappa},|\psi% \rangle^{\otimes T}\right)=X\right]\geq 0.995.

Proof.

We first describe $\mathcal{A}$ . For some $T$ to be chosen later, on input $|\psi\rangle^{\otimes T}$ , $\mathcal{A}$ measures each copy of $|\psi\rangle$ in a different randomly chosen Clifford basis. Call the list of measurement bases $b=(b_{1},b_{2},\ldots,b_{T})$ and the measurement results $c=(c_{1},c_{2},\ldots,c_{T})$ . $\mathcal{A}$ then feeds $(b,c)$ into a single query to $\mathcal{L}$ , and outputs the result of the query. This takes polynomial time because there exists an $O(n^{3})$ -time algorithm to sample a random $n$ -qubit Clifford unitary, and this algorithm also produces an implementation of the unitary with $O(n^{2}/\log n)$ gates [KS14, AG04].

The $\mathsf{PP}$ language $\mathcal{L}$ that we choose is most easily described in terms of a $\mathsf{PromisePostBQP}$ algorithm $\mathcal{B}(b,c)$ (i.e. a postselected polynomial-time quantum algorithm, as in Definition 13), by the equivalence $\mathsf{PromisePostBQP}=\mathsf{PromisePP}$ (Lemma 14). That is, we specify an algorithm $\mathcal{B}(b,c)$ that outputs a trit in $\{0,1,*\}$ , and this algorithm defines a promise problem $\Pi\in\mathsf{PromisePostBQP}$ as follows:

(i)

If $\Pr[\mathcal{B}(b,c)\in\{0,1\}]>0$ and $\Pr[\mathcal{B}(b,c)=1\mid\mathcal{B}(b,c)\in\{0,1\}]\geq\frac{2}{3}$ , then $\Pi(b,c)=1$ .
(ii)

If $\Pr[\mathcal{B}(b,c)\in\{0,1\}]>0$ and $\Pr[\mathcal{B}(b,c)=1\mid\mathcal{B}(b,c)\in\{0,1\}]\leq\frac{1}{3}$ , then $\Pi(b,c)=0$ .
(iii)

Otherwise, $\Pi(b,c)=\bot$ .

By Aaronson’s theorem (Lemma 14), $\Pi$ is also in $\mathsf{PromisePP}$ . Because $\mathsf{PP}$ is a syntactic class, the promise problem $\Pi$ can be extended to a language $\mathcal{L}\in\mathsf{PP}$ .

Let $S$ be a $\frac{1}{17}$ -approximate $n$ -qubit quantum $T$ -design (Definition 17) such that a state can be drawn from $S$ in $\mathrm{poly}(\kappa)$ time (because $n,T\leq\mathrm{poly}(\kappa)$ , the existence of such a design follows from Proposition 19 and Lemma 20). $\mathcal{B}$ begins by initializing the state:

\hat{\rho}\coloneqq\frac{1}{2}|0\rangle\langle 0|\otimes\mathop{\mathbb{E}}_{k% \sim\{0,1\}^{\kappa}}\left[|\varphi_{k}\rangle\langle\varphi_{k}|^{\otimes T}% \right]+\frac{1}{2}|1\rangle\langle 1|\otimes\mathop{\mathbb{E}}_{|\phi\rangle% \sim S}\left[|\phi\rangle\langle\phi|^{\otimes T}\right].

$\mathcal{B}$ measures all but the leftmost qubit of $\hat{\rho}$ in the basis given by $b$ , and postselects on observing $c$ (i.e. $\mathcal{B}$ outputs $*$ if the measurements are not equal to $c$ ). Finally, conditioned on postselection succeeding, $\mathcal{B}$ measures and outputs the result of the leftmost qubit that was not measured.

It remains to show that $\mathcal{A}$ distinguishes the pseudorandom and Haar-random state ensembles. For the purpose of this analysis, it will be convenient to view $\hat{\rho}$ as an approximation to the state:

\rho\coloneqq\frac{1}{2}|0\rangle\langle 0|\otimes\mathop{\mathbb{E}}_{k\sim\{% 0,1\}^{\kappa}}\left[|\varphi_{k}\rangle\langle\varphi_{k}|^{\otimes T}\right]% +\frac{1}{2}|1\rangle\langle 1|\otimes\mathop{\mathbb{E}}_{|\phi\rangle\sim% \sigma_{2^{n}}}\left[|\phi\rangle\langle\phi|^{\otimes T}\right],

where the $\varepsilon$ -approximate $T$ -design $S$ is replaced by the Haar measure $\sigma_{2^{n}}$ . Indeed, we will essentially argue the algorithm’s correctness if the state $\hat{\rho}$ is replaced by $\rho$ , and then argue that this implies the correctness of the actual algorithm.

For each $k\in\{0,1\}^{\kappa}$ , define $O_{k}\coloneqq|\varphi_{k}\rangle\langle\varphi_{k}|$ . Note that if $X=0$ (i.e. $|\psi\rangle$ is pseudorandom), there always exists a $k$ such that $\mathrm{Tr}(O_{k}|\psi\rangle\langle\psi|)=1$ , namely whichever $k$ satisfies $|\psi\rangle=|\varphi_{k}\rangle$ . On the other hand, by Lemma 26 and a union bound, if $X=1$ (i.e. $|\psi\rangle$ is Haar-random), $\mathrm{Tr}(O_{k}|\psi\rangle\langle\psi|)<\frac{1}{3}$ for every $k\in\{0,1\}^{\kappa}$ , except with probability at most $2^{\kappa}\cdot e^{-(2^{n}-1)/3}$ over $|\psi\rangle$ . This probability is negligible in $\kappa$ because $n=\omega(\log\kappa)$ , by assumption.

If we choose $M=|\{0,1\}^{\kappa}|=2^{\kappa}$ , $\varepsilon=\frac{1}{3}$ , and $\delta=0.001-2^{k}\cdot e^{-(2^{n}-1)/3}$ , then by Theorem 4 there exists a quantum algorithm that takes as input the results $(b,c)$ of $T=O(\kappa)$ single-copy random Clifford measurements of $|\psi\rangle$ , uses the measurement results to estimate $\mathrm{Tr}(O_{k}|\psi\rangle\langle\psi|)$ for each $k$ up to additive error $\frac{1}{3}$ , and is correct with probability at least $0.999+2^{\kappa}\cdot e^{-(2^{n}-1)/3}$ . In particular, this algorithm can distinguish the pseudorandom ensemble from the Haar-random ensemble, by checking if there exists a $k$ such that the estimate for $\mathrm{Tr}(O_{k}|\psi\rangle\langle\psi|)$ is at least $\frac{2}{3}$ . Call this algorithm $\mathcal{C}$ , so that $\Pr[\mathcal{C}(b,c)=X]\geq 0.999$ .

We will not actually use $\mathcal{C}$ , but only its existence. By the optimality of the Bayes decision rule (Lemma 5), because $\mathcal{C}$ uses $(b,c)$ to identify a state $|\psi\rangle$ as either Haar-random or pseudorandom with probability $0.999$ , an algorithm that computes the maximum a posteriori estimate of $X$ also succeeds with probability at least $0.999$ . In symbols, let $p_{i}=\Pr[X=i\mid b,c]$ , which we view as a random variable (depending on $b$ and $c$ ) for each $i\in\{0,1\}$ . Then $\Pr\left[\operatorname*{arg\,max}_{i}p_{i}=X\right]\geq 0.999$ .

Next, observe that $\Pr\left[\operatorname*{arg\,max}_{i}p_{i}=X\right]=\mathop{\mathbb{E}}\left[% \Pr\left[\operatorname*{arg\,max}_{i}p_{i}=X|b,c\right]\right]=\mathop{\mathbb% {E}}\left[\max_{i}p_{i}\right]$ , by the law of total expectation. So, by Markov’s inequality (and the fact that $\max_{i}p_{i}\leq 1$ ), we know $\Pr\left[\max_{i}p_{i}\geq\frac{3}{4}\right]\geq 0.996$ . In other words, the Bayes decision rule is usually at least $75\%$ confident in its predictions, so to speak.

Notice that $p_{i}$ equals the probability (conditioned on postselection succeeding) that $\mathcal{B}$ outputs $i$ if it starts with $\rho$ in place of $\hat{\rho}$ . For $i\in\{0,1\}$ , define $\hat{p}_{i}$ analogously as the postselcted output probabilities of $\mathcal{B}$ itself: $\hat{p}_{i}\coloneqq\Pr\left[\mathcal{B}(b,c)=i\mid\mathcal{B}(b,c)\in\{0,1\}\right]$ . To argue that $\mathcal{A}$ is correct with $0.995$ probability, it suffices to show that

\Pr\left[\max_{i}\hat{p}_{i}\geq\frac{2}{3}\land\operatorname*{arg\,max}_{i}% \hat{p}_{i}=X\right]\geq 0.995,

as in this case the $\mathsf{PromisePostBQP}$ promise is satisfied and the output of $\mathcal{L}$ agrees with $X$ . We have that:

	$\displaystyle\Pr\left[\max_{i}\hat{p}_{i}\geq\frac{2}{3}\land\operatorname*{% arg\,max}_{i}\hat{p}_{i}=X\right]$	$\displaystyle\geq\Pr\left[\max_{i}p_{i}\geq\frac{3}{4}\land\operatorname*{arg% \,max}_{i}p_{i}=X\right]$
		$\displaystyle\geq 1-\Pr\left[\max_{i}p_{i}<\frac{3}{4}\right]-\Pr\left[% \operatorname*{arg\,max}_{i}p_{i}\neq X\right]$
		$\displaystyle\geq 0.996-\Pr\left[\operatorname*{arg\,max}_{i}p_{i}\neq X\right]$
		$\displaystyle\geq 0.995.$

Above, the first inequality follows from the assumption that $S$ is a $\frac{1}{17}$ -approximate $T$ -design, because the acceptance probability of a postselected quantum algorithm can be viewed as the ratio of two probabilities:

\hat{p_{i}}=\frac{\Pr[\mathcal{B}(b,c)=i]}{\Pr[\mathcal{B}(b,c)\in\{0,1\}]}.

Lemma 21 implies that both the numerator and denominator change by at most a multiplicative factor of $1\pm\frac{1}{17}$ when switching between $\rho$ and $\hat{\rho}$ . So, if $p_{i}\geq\frac{3}{4}$ , then $\hat{p_{i}}\geq\frac{3}{4}\cdot\frac{1-\frac{1}{17}}{1+\frac{1}{17}}=\frac{2}{3}$ . The second inequality follows by a union bound, and the remaining inequalities were established above. ∎

We remark that the above theorem also holds relative to all oracles, in the sense that if the state generation algorithm $G$ in the definition of the PRS (Definition 15) queries a classical or quantum oracle $\mathcal{U}$ , then the corresponding ensemble of states can be distinguished from Haar-random by a polynomial-time quantum algorithm with a $\mathsf{PromisePostBQP}^{\mathcal{U}}$ oracle.

5 Pseudorandomness from a quantum oracle

In this section, we construct a quantum oracle $(\mathcal{U},\mathcal{C})$ relative to which $\mathsf{PromiseBQP}=\mathsf{PromiseQMA}$ and PRUs exist. Let us first describe the oracle, which consists of two parts: a quantum oracle $\mathcal{U}$ and a classical oracle (i.e. a language) $\mathcal{C}$ .

5.1 Definition of the oracle

The oracle $\mathcal{U}$ is a sequence of unitaries $\{\mathcal{U}_{n}\}_{n\in\mathbb{N}}$ , where each $\mathcal{U}_{n}$ is a direct sum of $2^{n}$ different Haar-random $n$ -qubit unitaries. In other words, for each $n$ we sample $\mathcal{U}_{n}\sim\mu_{2^{n}}^{2^{n}}$ . We denote this distribution over $\mathcal{U}$ by $\mathcal{U}\sim\mathcal{D}$ .

We construct the language $\mathcal{C}$ deterministically and independently of $\mathcal{U}$ . We specify the language in stages: first we define $\mathcal{C}$ ’s behavior on the $1$ -bit strings, then the $2$ -bit strings, then the $3$ -bit strings, and so on. For a string $x$ , we define $\mathcal{C}(x)=1$ if the following all hold:

(1)

$x$ is a description of a quantum oracle circuit $\mathcal{V}^{\overline{\mathcal{U}},\mathcal{C}}(|\psi\rangle)$ that takes a quantum state $|\psi\rangle$ as input, and makes queries to a quantum oracle $\overline{\mathcal{U}}$ and the classical oracle $\mathcal{C}$ . Note that $|\psi\rangle$ and $\overline{\mathcal{U}}$ are not part of the description of $\mathcal{V}$ ; they are auxiliary inputs.
(2)

$\mathcal{V}$ runs in time at most $|x|-1$ , and hence can query $\mathcal{C}$ on inputs of length at most $|x|-1$ .

(3)

The average acceptance probability of $\mathcal{V}$ (viewed as a $\mathsf{QMA}$ verifier) is greater than $1/2$ when averaged over $\overline{\mathcal{U}}\sim\mathcal{D}$ . In symbols, we mean precisely:

\mathop{\mathbb{E}}_{\overline{\mathcal{U}}\sim\mathcal{D}}\left[\max_{|\psi% \rangle}\Pr[\mathcal{V}^{\overline{\mathcal{U}},\mathcal{C}}(|\psi\rangle)=1]% \right]>\frac{1}{2}.

Condition (2) guarantees that $\mathcal{C}$ is not circularly defined, because the quantity in condition (3) depends only on the previously constructed parts of the oracle. Notice also the care we have used in our notation: $\overline{\mathcal{U}}$ is merely used to take an average in the definition of $\mathcal{C}$ ; it is not the same as $\mathcal{U}$ .

5.2 $\mathsf{PromiseBQP}=\mathsf{PromiseQMA}$ relative to $(\mathcal{U},\mathcal{C})$

Now we turn to showing that our oracle satisfies the desired properties. We start with a lemma showing that the acceptance probability of a quantum query algorithm, viewed as a function of the unitary transformation used in the query, is Lipschitz.

Lemma 28.

Let $\mathcal{A}^{U}$ be a quantum algorithm that makes $T$ queries to $U\in\mathbb{U}(D)$ . Define $f:\mathbb{U}(D)\to\mathbb{R}$ by $f(U)\coloneqq\Pr\left[\mathcal{A}^{U}=1\right]$ . Then $f$ is $T$ -Lipschitz in the Frobenius norm.

Proof.

Suppose that $||U-V||_{F}\leq d$ . Then $||I\oplus U-I\oplus V||_{F}\leq d$ , and also $||I\oplus U^{\dagger}-I\oplus V^{\dagger}||_{F}\leq d$ , recalling that $I\oplus U$ is controlled- $U$ and $I\oplus V$ is controlled- $V$ . By Lemma 9, this implies that the distance between controlled- $U$ and controlled- $V$ in the diamond norm is at most $2d$ (and likewise for controlled- $U^{\dagger}$ and controlled- $V^{\dagger}$ ). The sub-additivity of the diamond norm under composition implies that as superoperators, $||\mathcal{A}^{U}-\mathcal{A}^{V}||_{\diamond}\leq 2Td$ . By 7, we conclude that $|f(U)-f(V)|\leq Td$ . ∎

The next lemma extends Lemma 28 to $\mathsf{QMA}$ verifiers: we should think of $\mathcal{V}$ as a $\mathsf{QMA}$ verifier that receives a witness $|\psi\rangle$ , in which case this lemma states that the maximum acceptance probability of $\mathcal{V}$ is Lipschitz with respect to the queried unitary.

Lemma 29.

Let $\mathcal{V}^{U}(|\psi\rangle)$ be a quantum algorithm that makes $T$ queries to $U\in\mathbb{U}(D)$ and takes as input a quantum state $|\psi\rangle$ on some fixed (but arbitrary) number of qubits. Define $f:\mathbb{U}(D)\to\mathbb{R}$ by $f(U)\coloneqq\max_{|\psi\rangle}\Pr\left[\mathcal{V}^{U}(|\psi\rangle)=1\right]$ . Then $f$ is $T$ -Lipschitz in the Frobenius norm.

Proof.

Note that $f$ is well-defined because of the extreme value theorem. Define $f_{\psi}:\mathbb{U}(D)\to\mathbb{R}$ by:

f_{\psi}(U)\coloneqq\Pr\left[\mathcal{V}^{U}(|\psi\rangle)=1\right],

so that $f(U)=\max_{|\psi\rangle}f_{\psi}(U)$ . Lemma 28 implies that $f_{\psi}$ is $T$ -Lipschitz for every $|\psi\rangle$ . Let $U,V\in\mathbb{U}(D)$ , and suppose that $|\psi\rangle$ and $|\varphi\rangle$ are such that $f(U)=f_{\psi}(U)$ and $f(V)=f_{\varphi}(V)$ . Then:

	$\displaystyle\|f(U)-f(V)\|$	$\displaystyle=\|f_{\psi}(U)-f_{\varphi}(V)\|$
		$\displaystyle=\max\{f_{\psi}(U)-f_{\varphi}(V),f_{\varphi}(V)-f_{\psi}(U)\}$
		$\displaystyle\leq\max\{f_{\psi}(U)-f_{\psi}(V),f_{\varphi}(V)-f_{\varphi}(U)\}$
		$\displaystyle\leq T\|\|U-V\|\|_{F},$

where the third line uses the fact that $f_{\psi}(V)\leq f_{\varphi}(V)$ and $f_{\varphi}(U)\leq f_{\psi}(U)$ , and the last line uses the fact that $f_{\psi}$ and $f_{\varphi}$ are $T$ -Lipschitz. ∎

We are ready to prove the first main result of this section, that $\mathsf{PromiseBQP}^{\mathcal{U},\mathcal{C}}=\mathsf{PromiseQMA}^{\mathcal{U}% ,\mathcal{C}}$ .

Theorem 30.

With probability $1$ over $\mathcal{U}\sim\mathcal{D}$ , $\mathsf{PromiseBQP}^{\mathcal{U},\mathcal{C}}=\mathsf{PromiseQMA}^{\mathcal{U}% ,\mathcal{C}}$ .

Proof.

Let $\Pi\in\mathsf{PromiseQMA}^{\mathcal{U},\mathcal{C}}$ , which means there exists a polynomial-time verifier $\mathcal{V}^{\mathcal{U},\mathcal{C}}(x,|\psi\rangle)$ with completeness $\frac{2}{3}$ and soundness $\frac{1}{3}$ according to Definition 12. Without loss of generality, we can amplify the completeness and soundness probabilities of $\mathcal{V}$ to $\frac{11}{12}$ and $\frac{1}{12}$ , respectively. Let $p(n)$ be a polynomial upper bound on the running time of $\mathcal{V}$ on inputs $x$ of length $n$ .

We now describe a $\mathsf{PromiseBQP}^{\mathcal{U},\mathcal{C}}$ algorithm $\mathcal{A}^{\mathcal{U},\mathcal{C}}(x)$ such that, with probability $1$ over $\mathcal{U}$ , $\mathcal{A}$ computes $\Pi$ on all but finitely many inputs $x\in\mathrm{Dom}(\Pi)$ . The steps of $\mathcal{A}$ are:

(1)

Let $d\coloneqq\lfloor\log_{2}\left(3456|x|p(|x|)^{2}+2\right)\rfloor$ . For each $n\in[d]$ , $\mathcal{A}$ performs process tomography on each $\mathcal{U}_{n}$ , producing estimates $\widetilde{\mathcal{U}}_{n}$ such that $||\widetilde{\mathcal{U}}_{n}\cdot\widetilde{\mathcal{U}}_{n}^{\dagger}-% \mathcal{U}_{n}\cdot\mathcal{U}_{n}^{\dagger}||_{\diamond}\leq\frac{1}{6p(|x|)}$ for every $n$ ,with probability at least $\frac{2}{3}$ over the randomness of $\mathcal{A}$ .⁷⁷7Specifically, one can use the algorithm of [HKOT23] to estimate each $\mathcal{U}_{n}$ to $2^{-\Omega(n)}$ error in diamond norm distance. The estimated unitary transformation $\widetilde{\mathcal{U}}_{n}$ can then be compiled to a circuit using $2^{O(n)}$ $1$ - and $2$ -qubit gates [VMS04]. Since $n\leq d=O(\log|x|)$ , this can be done in polynomial time. Note also that we are using shorthand here: we should really perform process tomography on controlled- $\mathcal{U}_{n}$ , so that $||I\oplus\widetilde{\mathcal{U}}_{n}\cdot I\oplus\widetilde{\mathcal{U}}_{n}^{% \dagger}-I\oplus\mathcal{U}_{n}\cdot I\oplus\mathcal{U}_{n}^{\dagger}||_{% \diamond}\leq\frac{1}{6p(|x|)}$ . We use this same shorthand further below. We denote the collection of estimates by $\widetilde{\mathcal{U}}\coloneqq\{\widetilde{\mathcal{U}}_{n}\}_{n\in[d]}$
(2)

Next, $\mathcal{A}$ constructs a description $x$ of a quantum oracle circuit $\mathcal{W}^{\overline{\mathcal{U}},\mathcal{C}}(x,\widetilde{\mathcal{U}};|% \psi\rangle)$ . This $\mathcal{W}$ has $x$ and the unitaries in $\widetilde{\mathcal{U}}$ hard-coded into its description, takes an auxiliary input $|\psi\rangle$ ,⁸⁸8This distinction is why the last argument $|\psi\rangle$ is separated with a semicolon. and queries oracles $\overline{\mathcal{U}}$ and $\mathcal{C}$ . On input $|\psi\rangle$ , $\mathcal{W}^{\overline{\mathcal{U}},\mathcal{C}}(x,\widetilde{\mathcal{U}};|% \psi\rangle)$ replicates the behavior of $\mathcal{V}^{\mathcal{U},\mathcal{C}}(x,|\psi\rangle)$ , except that for each $n\in[d]$ , queries to $\mathcal{U}_{n}$ are replaced by $\widetilde{\mathcal{U}}_{n}$ , and for each $n\in[p(|x|)]\setminus[d]$ , queries to $\mathcal{U}_{n}$ are replaced by queries to $\overline{\mathcal{U}}_{n}$ .
(3)

Finally, $\mathcal{A}$ queries $\mathcal{C}(x)$ and outputs the result.

We now show that for any $x\in\mathrm{Dom}(\Pi)$ , with high probability over $\mathcal{U}$ , $\mathcal{A}$ correctly decides $\Pi$ on $x$ , which is to say that $\Pr\left[\mathcal{A}^{\mathcal{U},\mathcal{C}}(x)=\Pi(x)\right]\geq\frac{2}{3}$ .

For a fixed $x$ , given sequences of unitaries $\widetilde{\mathcal{U}}=\{\widetilde{\mathcal{U}}_{n}\}_{n\in[d]}$ and $\overline{\mathcal{U}}=\{\overline{\mathcal{U}}_{n}\}_{n\in[p(|x|)]\setminus[d]}$ , define

f(\widetilde{\mathcal{U}},\overline{\mathcal{U}})\coloneqq\max_{|\psi\rangle}% \Pr\left[\mathcal{W}^{\overline{\mathcal{U}},\mathcal{C}}(x,\widetilde{% \mathcal{U}};|\psi\rangle)=1\right].

Note that, in this notation, $\mathcal{A}$ outputs $1$ if and only if

\mathop{\mathbb{E}}_{\overline{\mathcal{U}}\sim\mathcal{D}}\left[f(\widetilde{% \mathcal{U}},\overline{\mathcal{U}})\right]>\frac{1}{2}.

(2)

By contrast, the $\mathsf{QMA}$ acceptance probability of $\mathcal{V}$ itself may be written consistently with this notation as:

f(\mathcal{U},\mathcal{U})=\max_{|\psi\rangle}\Pr\left[\mathcal{V}^{\mathcal{U% },\mathcal{C}}(x,|\psi\rangle)=1\right].

(3)

In effect, our goal is to show that Equation 2 gives a good estimator for Equation 3. We will do so in two steps: we first show that replacing $\mathcal{U}$ in $f$ ’s second argument with an average over $\overline{\mathcal{U}}$ approximately preserves the $\mathsf{QMA}$ acceptance probability, and then we argue similarly when replacing $\mathcal{U}$ by the estimate $\widetilde{\mathcal{U}}$ in $f$ ’s first argument.

By Lemma 29, $f$ is $p(|x|)$ -Lipschitz with respect to the second argument $\overline{\mathcal{U}}$ , viewed as a direct sum of matrices $\overline{\mathcal{U}}\equiv\bigoplus_{n=d+1}^{p(|x|)}\overline{\mathcal{U}}_{n}$ .⁹⁹9This is because each query to a single $\overline{\mathcal{U}}_{n}$ may be simulated via one query to the entire direct sum. Hence, from Theorem 10 with $N=3456|x|p(|x|)^{2}+2$ , $L=p(|x|)$ , and $t=\frac{1}{12}$ , we have that:

$\displaystyle\Pr_{\mathcal{U}\sim\mathcal{D}}\left[\left\|f(\mathcal{U},% \mathcal{U})-\mathop{\mathbb{E}}_{\overline{\mathcal{U}}\sim\mathcal{D}}[f(% \mathcal{U},\overline{\mathcal{U}})]\right\|\geq\frac{1}{12}\right]$	$\displaystyle\leq 2\exp\left(-\frac{(N-2)t^{2}}{24L^{2}}\right)$
	$\displaystyle=2\exp\left(-\frac{3456\|x\|p(\|x\|)^{2}\cdot\frac{1}{144}}{24p(\|x\|)^% {2}}\right)$
	$\displaystyle=2e^{-\|x\|}.$	(4)

The factor of $2$ appears because Theorem 10 applies to one-sided error, but the absolute value forces us to consider two-sided error.

Because $\mathcal{W}$ calls $\widetilde{\mathcal{U}}$ at most $p(|x|)$ times, and because diamond distance between unitary channels is preserved under taking inverses, 7 implies that for any $|\psi\rangle$ ,

{\left|\Pr\left[\mathcal{W}^{\overline{\mathcal{U}},\mathcal{C}}(x,\widetilde{% \mathcal{U}};|\psi\rangle)=1\right]-\Pr\left[\mathcal{W}^{\overline{\mathcal{U% }},\mathcal{C}}(x,\mathcal{U};|\psi\rangle)=1\right]\right|}\leq\frac{p(|x|)}{% 2}||\widetilde{\mathcal{U}}_{n}\cdot\widetilde{\mathcal{U}}_{n}^{\dagger}-% \mathcal{U}_{n}\cdot\mathcal{U}_{n}^{\dagger}||_{\diamond}.

Hence, we also have

	$\left\|f(\widetilde{\mathcal{U}},\overline{\mathcal{U}})-f(\mathcal{U},% \overline{\mathcal{U}})\right\|$	$\displaystyle={\left\|\max_{\|\psi\rangle}\Pr\left[\mathcal{W}^{\overline{% \mathcal{U}},\mathcal{C}}(x,\widetilde{\mathcal{U}};\|\psi\rangle)=1\right]-% \max_{\|\psi\rangle}\Pr\left[\mathcal{W}^{\overline{\mathcal{U}},\mathcal{C}}(x% ,\mathcal{U};\|\psi\rangle)=1\right]\right\|}$
		$\displaystyle\leq\frac{p(\|x\|)}{2}\|\|\widetilde{\mathcal{U}}_{n}\cdot\widetilde{% \mathcal{U}}_{n}^{\dagger}-\mathcal{U}_{n}\cdot\mathcal{U}_{n}^{\dagger}\|\|_{% \diamond},$

and therefore, by Jensen’s inequality,

{\left|\mathop{\mathbb{E}}_{\overline{U}\sim\mathcal{D}}[f(\widetilde{\mathcal% {U}},\overline{\mathcal{U}})]-\mathop{\mathbb{E}}_{\overline{U}\sim\mathcal{D}% }[f(\mathcal{U},\overline{\mathcal{U}})]\right|}\leq\frac{p(|x|)}{2}||% \widetilde{\mathcal{U}}_{n}\cdot\widetilde{\mathcal{U}}_{n}^{\dagger}-\mathcal% {U}_{n}\cdot\mathcal{U}_{n}^{\dagger}||_{\diamond}.

Because the estimates $\widetilde{\mathcal{U}_{n}}$ satisfy $||\widetilde{\mathcal{U}}_{n}\cdot\widetilde{\mathcal{U}}_{n}^{\dagger}-% \mathcal{U}_{n}\cdot\mathcal{U}_{n}^{\dagger}||_{\diamond}\leq\frac{1}{6p(|x|)}$ with probability at least $\frac{2}{3}$ over the randomness of $\mathcal{A}$ , we see:

\Pr_{\mathcal{A}}\left[\left|\mathop{\mathbb{E}}_{\overline{\mathcal{U}}\sim% \mathcal{D}}\left[f(\mathcal{U},\overline{\mathcal{U}})\right]-\mathop{\mathbb% {E}}_{\overline{\mathcal{U}}\sim\mathcal{D}}\left[f(\widetilde{\mathcal{U}},% \overline{\mathcal{U}})\right]\right|\geq\frac{1}{12}\right]\leq\frac{1}{3}.

Combining with Equation 4, and recalling the acceptance criterion of $\mathcal{A}$ from Equation 2, we conclude that except with probability at most $2e^{-|x|}$ over $\mathcal{U}$ ,

\Pr_{\mathcal{A}}\left[\left|f(\mathcal{U},\mathcal{U})-\mathop{\mathbb{E}}_{% \overline{\mathcal{U}}\sim\mathcal{D}}\left[f(\widetilde{\mathcal{U}},% \overline{\mathcal{U}})\right]\right|\geq\frac{1}{6}\right]\leq\frac{1}{3}.

So, except with probability $2e^{-|x|}$ over $\mathcal{U}$ :

	$\displaystyle\Pi(x)=1\quad$	$\displaystyle\implies\quad f(\mathcal{U},\mathcal{U})\geq\frac{11}{12}\quad% \implies\quad\Pr\left[\mathcal{A}^{\mathcal{U},\mathcal{C}}(x)=1\right]\geq% \frac{2}{3}$
	$\displaystyle\Pi(x)=0\quad$	$\displaystyle\implies\quad f(\mathcal{U},\mathcal{U})\leq\frac{1}{12}\quad% \implies\quad\Pr\left[\mathcal{A}^{\mathcal{U},\mathcal{C}}(x)=0\right]\geq% \frac{2}{3}.$

This is to say that $\mathcal{A}$ correctly decides $\Pi(x)$ , expect with probability at most $2e^{-|x|}$ over $\mathcal{U}$ . By the Borel–Cantelli lemma (Lemma 6), because $\sum_{i=1}^{\infty}2^{i}\cdot 2e^{-i}=\frac{4}{e-2}<\infty$ , $\mathcal{A}$ correctly decides $\Pi(x)$ for all but finitely many $x\in\mathrm{Dom}(\Pi)$ , with probability $1$ over $\mathcal{U}$ . Hence, with probability $1$ over $\mathcal{U}$ , $\mathcal{A}$ can be modified into an algorithm $\mathcal{A}^{\prime}$ that agrees with $\Pi$ on every $x\in\mathrm{Dom}(\Pi)$ , by simply hard-coding those $x$ on which $\mathcal{A}$ and $\Pi$ disagree.

Because there are only countably many $\mathsf{PromiseQMA}^{\mathcal{U},\mathcal{C}}$ machines, we can union bound over all $\Pi\in\mathsf{PromiseQMA}^{\mathcal{U},\mathcal{C}}$ to conclude that $\mathsf{PromiseQMA}^{\mathcal{U},\mathcal{C}}\subseteq\mathsf{PromiseBQP}^{% \mathcal{U},\mathcal{C}}$ with probability $1$ . ∎

5.3 Pseudorandom unitaries relative to $(\mathcal{U},\mathcal{C})$

We proceed to the second part of the oracle construction, showing that PRUs exist relative to $(\mathcal{U},\mathcal{C})$ . In fact, the security proof will not depend on $\mathcal{C}$ : the same PRU construction is secure for any language $\mathcal{C}$ that is independent of the randomly sampled $\mathcal{U}$ . The PRU ensemble for a given length is supplied directly by $\mathcal{U}$ . That is, for a given length $n$ , the PRU ensemble is uniform over the $2^{n}$ different $n$ -qubit unitaries in $\mathcal{U}_{n}$ .

We begin with a lemma establishing that the average advantage of a polynomial-time adversary is small against our PRU construction. Here, we should think of $\{U_{k}\}_{k\in[N]}$ as the PRU ensemble.

Lemma 31.

Consider a quantum algorithm $\mathcal{A}^{O,U}$ that makes $T$ queries to $U=(U_{1},\ldots,U_{N})\in\mathbb{U}(D)^{N}$ and $O\in\mathbb{U}(D)$ . For fixed $U$ , define:

\mathrm{adv}(\mathcal{A}^{U})\coloneqq\Pr_{k\sim[N]}\left[\mathcal{A}^{U_{k},U% }=1\right]-\Pr_{O\sim\mu_{D}}\left[\mathcal{A}^{O,U}=1\right].

Then there exists a universal constant $c>0$ such that:

\mathop{\mathbb{E}}_{U\sim\mu_{D}^{N}}\left[\mathrm{adv}(\mathcal{A}^{U})% \right]\leq\frac{cT^{2}}{N}.

Proof.

Our strategy is to reduce to the quantum query lower bound for unstructured search. Intuitively, if $\mathcal{A}$ could identify whether $O\in\{U_{1},\ldots,U_{N}\}$ or not, then $\mathcal{A}$ could be modified into a quantum algorithm $\mathcal{B}$ that finds a single marked item from a list of size $N$ . Then the BBBV theorem [BBBV97] forces $T$ to be $\Omega\left(\sqrt{N}\right)$ .

More formally, we construct an algorithm $\mathcal{B}^{x}$ that queries a string $x\in\{0,1\}^{N}$ as follows. $\mathcal{B}$ draws a unitary $V=(V_{0},V_{1},\ldots,V_{N})\in\mathbb{U}(D)^{N+1}$ from $\mu_{D}^{N+1}$ . Then, $\mathcal{B}$ runs $\mathcal{A}$ , replacing queries to $O$ by queries to $V_{0}$ , and replacing queries to $U_{k}\in U$ by $V_{0}$ if $x_{k}=1$ and by $V_{k}$ if $x_{k}=0$ .

Let $e_{k}\in\{0,1\}^{N}$ be the string with $1$ in the $k$ th position and $0$ s everywhere else. We have that:

	$\displaystyle\mathop{\mathbb{E}}_{U\sim\mu_{D}^{N}}\left[\mathrm{adv}(\mathcal% {A}^{U})\right]$	$\displaystyle=\mathop{\mathbb{E}}_{U\sim\mu_{D}^{N}}\left[\Pr_{k\sim[N]}\left[% \mathcal{A}^{U_{k},U}=1\right]\right]-\mathop{\mathbb{E}}_{U\sim\mu_{D}^{N}}% \left[\Pr_{O\sim\mu_{D}}\left[\mathcal{A}^{O,U}=1\right]\right]$
		$\displaystyle=\Pr_{k\sim[N]}\left[\mathcal{B}^{e_{k}}=1\right]-\Pr\left[% \mathcal{B}^{0^{N}}=1\right]$
		$\displaystyle\leq\frac{cT^{2}}{N}.$

Above, the first line applies linearity of expectation, the second line holds by definition of $\mathcal{B}$ , and the third line holds for some universal $c$ by the BBBV theorem [BBBV97]. ∎

The next lemma uses Lemma 31 to show that the advantage of $\mathcal{A}$ is small with extremely high probability, which follows from the strong concentration properties of the Haar measure (Theorem 10). This strengthening of Lemma 31 will be needed to argue that the advantage remains small even after union bounding over all choices of the classical advice.

Lemma 32.

Consider a quantum algorithm $\mathcal{A}^{O,U}$ that makes $T$ queries to $U=(U_{1},\ldots,U_{N})\in\mathbb{U}(D)^{N}$ and $O\in\mathbb{U}(D)$ . Let $\mathrm{adv}(\mathcal{A}^{U})$ be defined as in Lemma 31. Then there exists a universal constant $c>0$ such that for any $p\geq cT^{2}/N$ ,

\Pr_{U\sim\mu_{D}^{N}}\left[\left|\mathrm{adv}(\mathcal{A}^{U})\right|\geq p% \right]\leq 2\exp\left(-\frac{(D-2)\left(p-cT^{2}/N\right)^{2}}{96T^{2}}\right).

Proof.

By Lemma 28, $\mathrm{adv}(\mathcal{A}^{U})$ is $2T$ -Lipschitz as a function of $U$ , because $\mathrm{adv}(\mathcal{A}^{U})$ can be expressed as the difference between the acceptance probabilities of two algorithms that each make $T$ queries to $U$ . Combining Lemma 31 and Theorem 10, we obtain:

\Pr_{U\sim\mu_{D}^{N}}\left[\mathrm{adv}(\mathcal{A}^{U})\geq p\right]\leq\exp% \left(-\frac{(D-2)\left(p-cT^{2}/N\right)^{2}}{96T^{2}}\right).

Similar reasoning yields the same upper bound on $\Pr_{U\sim\mu_{D}^{N}}\left[\mathrm{adv}(\mathcal{A}^{U})\leq-p\right]$ , so we get the final bound (with an additional factor of 2) by a union bound. ∎

Completing the security proof of the pseudorandom unitary construction amounts to combining Lemma 32 with the aforementioned union bound over all possible polynomial-time adversaries.

Theorem 33.

Let $\mathcal{C}$ be any fixed language. Then with probability $1$ over $\mathcal{U}\sim\mathcal{D}$ , there exists a family of PRUs relative to $(\mathcal{U},\mathcal{C})$ with $n(\kappa)=\kappa$ .

Proof.

Fix an input length $n\in\mathbb{N}$ . We take the key set $\{0,1\}^{\kappa}=\{0,1\}^{n}\equiv[2^{n}]$ and take the PRU family to be $\{U_{k}\}_{k\in\{0,1\}^{n}}$ , where $\mathcal{U}_{n}=(U_{1},U_{2},\ldots,U_{2^{n}})\in\mathbb{U}(2^{n})^{2^{n}}$ . In words, the family consists of the $2^{n}$ different Haar-random $n$ -qubit unitaries supplied by $\mathcal{U}_{n}$ . Note that this family of unitaries has an efficient implementation relative to the oracle. This is because we can simulate an application of $U_{k}$ to some $n$ -qubit $|\psi\rangle$ using one query to $\mathcal{U}_{n}$ , via $\mathcal{U}_{n}|k\rangle|\psi\rangle=(I\otimes U_{k})|k\rangle|\psi\rangle$ . So, it remains only to show the computational indistinguishability criterion of Definition 16.

Without loss of generality, assume the adversary is a uniform polynomial-time quantum algorithm $\mathcal{A}^{O,\mathcal{U},\mathcal{C}}(1^{n},x)$ , where $x\in\{0,1\}^{\mathrm{poly}(n)}$ is the advice and $O\in\mathbb{U}(2^{n})$ is the oracle that the adversary seeks to distinguish as pseudorandom or Haar-random.

By Lemma 32 with $N=D=2^{n}$ and $T=\mathrm{poly}(n)$ , for any fixed $x\in\{0,1\}^{\mathrm{poly}(n)}$ , $\mathcal{A}^{O,\mathcal{U},\mathcal{C}}(1^{n},x)$ achieves non-negligible advantage with extremely low probability over $\mathcal{U}$ . (The additional oracle $\mathcal{C}$ has no effect on the query complexity result because it fixed and independent of $\mathcal{U}$ .) This is to say that for any $p=\frac{1}{\mathrm{poly}(n)}$ :

\Pr_{\mathcal{U}_{n}\sim\mu_{2^{n}}^{2^{n}}}\left[\left|\Pr_{k\sim[2^{n}]}% \left[\mathcal{A}^{U_{k},\mathcal{U},\mathcal{C}}(1^{n},x)=1\right]-\Pr_{O\sim% \mu_{2^{n}}}\left[\mathcal{A}^{O,\mathcal{U},\mathcal{C}}(1^{n},x)=1\right]% \right|\geq p\right]\leq\exp\left(-\frac{2^{n}}{\mathrm{poly}(n)}\right).

By a union bound over all $x\in\{0,1\}^{\mathrm{poly}(n)}$ , $\mathcal{A}^{O,\mathcal{U},\mathcal{C}}(1^{n},x)$ achieves advantage larger than $p$ for any $x\in\{0,1\}^{\mathrm{poly}(n)}$ with probability at most $2^{\mathrm{poly}(n)}\cdot\exp\left(-\frac{2^{n}}{\mathrm{poly}(n)}\right)\leq% \mathrm{negl}(n)$ . Hence, by the Borel–Cantelli lemma (Lemma 6), $\mathcal{A}$ achieves negligible advantage for all but finitely many input lengths $n\in\mathbb{N}$ with probability $1$ over $\mathcal{U}$ , as $\sum_{n=1}^{\infty}\mathrm{negl}(n)<\infty$ . This is to say that $\{U_{k}\}_{k\in\{0,1\}^{n}}$ defines a PRU ensemble. ∎

We expect that using the techniques of Chung, Guo, Liu, and Qian [CGLQ20], one can extend Theorem 33 to a security proof against adversaries with quantum advice. Some version of [CGLQ20, Theorem 5.14] likely suffices. The idea is that breaking the PRU should remain hard even if $\mathcal{A}$ could query an explicit description of $O$ and explicit descriptions of $U_{k}$ for $k\in[2^{n}]$ , which is a strictly more powerful model. But then this corresponds to the security game defined in [CGLQ20, Definition 5.12], except that the range of the random oracle is $\mathbb{U}(D)$ rather than the finite set $[M]$ . Perhaps a sufficiently fine discretization of $\mathbb{U}(D)$ would suffice to apply the [CGLQ20] framework. We believe this is doable but tedious, and leave it to future work.

5.4 Alternative oracles

An earlier version of this paper [Kre21a] claimed to show the same results, Theorems 30 and 33, but relative to a different oracle. Instead of $\mathcal{O}=(\mathcal{U},\mathcal{C})$ for $\mathcal{U}\sim\mathcal{D}$ , the earlier oracle used a different classical language in place of $\mathcal{C}$ ; the oracle chosen was $\mathcal{O}=(\mathcal{U},\mathcal{P})$ where $\mathcal{P}$ is an arbitrary $\mathsf{PSPACE}$ -complete language. As noted above, PRUs still exist relative to this oracle because Theorem 33 works regardless of the choice of classical language. However, the claim that $\mathsf{PromiseBQP}^{\mathcal{U},\mathcal{P}}=\mathsf{PromiseQMA}^{\mathcal{U}% ,\mathcal{P}}$ contained a bug in the proof. This incorrect step amounted to conflating the two quantities

\mathop{\mathbb{E}}_{\mathcal{U}\sim\mathcal{D}}\left[\max_{|\psi\rangle}\Pr% \left[\mathcal{V}^{\mathcal{U},\mathcal{P}}(|\psi\rangle)=1\right]\right]

(5)

and

\max_{|\psi\rangle}\mathop{\mathbb{E}}_{\mathcal{U}\sim\mathcal{D}}\left[\Pr% \left[\mathcal{V}^{\mathcal{U},\mathcal{P}}(|\psi\rangle)=1\right]\right],

which are not the same. Nevertheless, we conjecture that the previous proof can be restored:

Conjecture 34.

With probability $1$ over $\mathcal{U}\sim\mathcal{D}$ , $\mathsf{PromiseBQP}^{\mathcal{U},\mathcal{P}}=\mathsf{PromiseQMA}^{\mathcal{U}% ,\mathcal{P}}$ , where $\mathsf{P}$ is an arbitrary $\mathsf{PSPACE}$ -complete language.

A careful inspection of [Kre21a] reveals that 34 could be proved by showing that the quantity in Equation 5 is approximable in $\mathsf{PSPACE}$ . We see a possible approach to establishing this, which relies on the following well-known analogue of the polynomial method [BBC⁺01] for $\mathsf{QMA}$ verifiers:

Proposition 35 (Proved in [Aar09, Lemma 4]).

Let $\mathcal{V}$ be a $\mathsf{QMA}$ -verifier that receives an $m$ -qubit witness and makes $T$ queries to a unitary $\mathcal{O}$ . Then there exists a matrix-valued polynomial $M(\mathcal{O})$ of degree $2T$ in $\mathcal{O}$ and $\mathcal{O}^{\dagger}$ such that for any $m$ -qubit $|\psi\rangle$ ,

\langle\psi|M(\mathcal{O})|\psi\rangle=\Pr\left[\mathcal{V}^{\mathcal{O}}(|% \psi\rangle)=1\right].

Proof.

Without loss of generality, suppose that on input $|\psi\rangle$ , $\mathcal{V}$ appends $n$ ancilla qubits initialized to $|0\rangle$ , applies a unitary $U(\mathcal{O})$ that may involve queries to $\mathcal{O}$ , and then measures the first qubit. Then the matrix $M(\mathcal{O})$ is:

(I\otimes\langle 0^{n}|)U(\mathcal{O})^{\dagger}(|1\rangle\langle 1|\otimes I)% U(\mathcal{O})(I\otimes|0^{n}\rangle),

which clearly satisfies

\langle\psi|M(\mathcal{O})|\psi\rangle=\Pr\left[\mathcal{V}^{\mathcal{O}}(|% \psi\rangle)=1\right].

Additionally, the entries of $M(\mathcal{O})$ are polynomials of degree $2T$ in $\mathcal{O}$ and $\mathcal{O}^{\dagger}$ because $U(\mathcal{O})$ is a polynomial of degree $T$ [BBC⁺01], and $U(\mathcal{O})$ appears twice in the expression. ∎

A key observation is the following: if $p(\mathcal{O})\coloneqq\max_{|\psi\rangle}\Pr\left[\mathcal{V}^{\mathcal{O}}(|% \psi\rangle)=1\right]$ , then for any $k\in\mathbb{N}$

p(\mathcal{O})^{k}\leq\mathrm{Tr}(M(\mathcal{O})^{k})\leq 2^{m}p(\mathcal{O})^% {k}.

Equivalently,

\frac{\mathrm{Tr}(M(\mathcal{O})^{k})^{1/k}}{2^{m/k}}\leq p(\mathcal{O})\leq% \mathrm{Tr}(M(\mathcal{O})^{k})^{1/k}.

So, by choosing $k$ to be sufficiently large (say, $100m$ ), $\mathrm{Tr}(M(\mathcal{O})^{k})^{1/k}$ provides an arbitrarily precise estimate of $p(\mathcal{O})$ . Thus, to approximate Equation 5, it suffices to approximate

\mathop{\mathbb{E}}_{\mathcal{U}\sim\mathcal{D}}\left[\mathrm{Tr}(M(\mathcal{U% },\mathcal{P})^{k})^{1/k}\right],

which we believe is achievable in $\mathsf{PSPACE}$ . We first observe that, as a consequence of the concentration of the Haar measure (Theorem 10), the above quantity should satisfy

\mathop{\mathbb{E}}_{\mathcal{U}\sim\mathcal{D}}\left[\mathrm{Tr}(M(\mathcal{U% },\mathcal{P})^{k})^{1/k}\right]\approx\mathop{\mathbb{E}}_{\mathcal{U}\sim% \mathcal{D}}\left[\mathrm{Tr}(M(\mathcal{U},\mathcal{P})^{k})\right]^{1/k},

as long as $\mathcal{V}$ only makes queries to $\mathcal{U}$ in sufficiently large dimension.

Notice that $\mathrm{Tr}(M(\mathcal{U},\mathcal{P})^{k})$ is a polynomial of degree $2Tk$ in the entries of $\mathcal{U}$ and $\mathcal{P}$ (and their inverses). Moreover, the proof of Proposition 35 reveals that the coefficients of this polynomial are computable in $\mathsf{PSPACE}$ , by standard path integral techniques [NC10, Section 4.5.5]. The main question, then, is whether one can average this polynomial over the Haar measure in $\mathsf{PSPACE}$ . With some additional work, we believe this could be established via either

(1)

Showing that the Weingarten calculus [CMN22], used for evaluating Haar integrals, is computable in $\mathsf{PSPACE}$ , or
(2)

Proving that a sufficiently strong notion of unitary $t$ -design (Definition 18) yields an approximation of $\mathop{\mathbb{E}}_{\mathcal{U}\sim\mathcal{D}}\left[\mathrm{Tr}(M(\mathcal{U% },\mathcal{P})^{k})\right]$ . The challenge here is that this expression involves applications of both $\mathcal{U}$ and $\mathcal{U}^{\dagger}$ , even when $\mathcal{V}$ only makes queries to $\mathcal{U}$ in the forward direction. So, Lemma 25 does not seem applicable.

Acknowledgments

I thank many people for their assistance in completing this work, including: Scott Aaronson for suggestions on the writing, Amit Behera for pointing out several flaws in an earlier version of this work, Adam Bouland for numerous insightful discussions, Nick Hunter-Jones for conversations about $t$ -designs, Qipeng Liu for clarifying some questions about [CGLQ20], Ewin Tang for drawing my attention to [HKOT23], Shogo Yamada for identifying a bug in Theorem 30, and Chinmay Nirkhe for discussions on rectifying said bug.

References

[Aar05] Scott Aaronson. Quantum computing, postselection, and probabilistic polynomial-time. Proceedings of the Royal Society A, 461:3473–3482, 2005. doi:10.1098/rspa.2005.1546.
[Aar09] Scott Aaronson. On perfect completeness for QMA. Quantum Inf. Comput., 9(1):81–89, jan 2009. doi:10.26421/QIC9.1-2-5.
[Aar16] Scott Aaronson. The complexity of quantum states and transformations: From quantum money to black holes, 2016. arXiv:1607.05256.
[Aar18] Scott Aaronson. Shadow tomography of quantum states. In Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2018, pages 325–338, New York, NY, USA, 2018. Association for Computing Machinery. doi:10.1145/3188745.3188802.
[AE07] Andris Ambainis and Joseph Emerson. Quantum t-designs: T-wise independence in the quantum world. In Proceedings of the Twenty-Second Annual IEEE Conference on Computational Complexity, CCC ’07, pages 129–140, USA, 2007. IEEE Computer Society. doi:10.1109/CCC.2007.26.
[AG04] Scott Aaronson and Daniel Gottesman. Improved simulation of stabilizer circuits. Phys. Rev. A, 70:052328, Nov 2004. doi:10.1103/PhysRevA.70.052328.
[AK07] Scott Aaronson and Greg Kuperberg. Quantum versus classical proofs and advice. Theory of Computing, 3(7):129–157, 2007. doi:10.4086/toc.2007.v003a007.
[AKN98] Dorit Aharonov, Alexei Kitaev, and Noam Nisan. Quantum circuits with mixed states. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, STOC ’98, pages 20–30, New York, NY, USA, 1998. Association for Computing Machinery. doi:10.1145/276698.276708.
[All17] Eric Allender. The Complexity of Complexity, pages 79–94. Springer International Publishing, Cham, 2017. doi:10.1007/978-3-319-50062-1\_6.
[All20] Eric Allender. The new complexity landscape around circuit minimization. In Alberto Leporati, Carlos Martín-Vide, Dana Shapira, and Claudio Zandron, editors, Language and Automata Theory and Applications, pages 3–16, Cham, 2020. Springer International Publishing. doi:10.1007/978-3-030-40608-0\_1.
[AMR20] Gorjan Alagic, Christian Majenz, and Alexander Russell. Efficient simulation of random states and random unitaries. In Anne Canteaut and Yuval Ishai, editors, Advances in Cryptology – EUROCRYPT 2020, pages 759–787, Cham, 2020. Springer International Publishing. doi:10.1007/978-3-030-45727-3\_26.
[AQY22] Prabhanjan Ananth, Luowen Qian, and Henry Yuen. Cryptography from pseudorandom quantum states. In Yevgeniy Dodis and Thomas Shrimpton, editors, Advances in Cryptology – CRYPTO 2022, volume 13507 of Lecture Notes in Computer Science, pages 208–236. Springer International Publishing, 2022. doi:10.1007/978-3-031-15802-5\_8.
[BBBV97] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computing. SIAM Journal on Computing, 26(5):1510–1523, 1997. doi:10.1137/S0097539796300933.
[BBC⁺01] Robert Beals, Harry Buhrman, Richard Cleve, Michele Mosca, and Ronald de Wolf. Quantum lower bounds by polynomials. J. ACM, 48(4):778–797, Jul 2001. doi:10.1145/502090.502097.
[BCQ23] Zvika Brakerski, Ran Canetti, and Luowen Qian. On the Computational Hardness Needed for Quantum Cryptography. In Yael Tauman Kalai, editor, 14th Innovations in Theoretical Computer Science Conference (ITCS 2023), volume 251 of Leibniz International Proceedings in Informatics (LIPIcs), pages 24:1–24:21, Dagstuhl, Germany, 2023. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.ITCS.2023.24.
[BEM24] Samuel Bouaziz-Ermann and Garazi Muguruza. Quantum pseudorandomness cannot be shrunk in a black-box way. Cryptology ePrint Archive, Paper 2024/291, 2024. URL: https://eprint.iacr.org/2024/291.
[Ber13] James O. Berger. Statistical Decision Theory and Bayesian Analysis. Springer Series in Statistics. Springer New York, 2013. doi:10.1007/978-1-4757-4286-2.
[BFV20] Adam Bouland, Bill Fefferman, and Umesh Vazirani. Computational Pseudorandomness, the Wormhole Growth Paradox, and Constraints on the AdS/CFT Duality (Abstract). In Thomas Vidick, editor, 11th Innovations in Theoretical Computer Science Conference (ITCS 2020), volume 151 of Leibniz International Proceedings in Informatics (LIPIcs), pages 63:1–63:2, Dagstuhl, Germany, 2020. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. doi:10.4230/LIPIcs.ITCS.2020.63.
[BHH16a] Fernando G. S. L. Brandão, Aram W. Harrow, and Michał Horodecki. Efficient quantum pseudorandomness. Phys. Rev. Lett., 116:170502, Apr 2016. doi:10.1103/PhysRevLett.116.170502.
[BHH16b] Fernando G. S. L. Brandão, Aram W. Harrow, and Michał Horodecki. Local random quantum circuits are approximate polynomial-designs. Communications in Mathematical Physics, 346(2):397–434, 2016. doi:10.1007/s00220-016-2706-8.
[Bor09] Émile Borel. Les probabilités dénombrables et leurs applications arithmétiques. Rendiconti del Circolo Matematico di Palermo (1884-1940), 27(1):247–271, 1909. doi:10.1007/BF03019651.
[BR20] Aleksandrs Belovs and Ansis Rosmanis. Tight quantum lower bound for approximate counting with quantum states, 2020. arXiv:2002.06879.
[BS19] Zvika Brakerski and Omri Shmueli. (Pseudo) random quantum states with binary phase. In Dennis Hofheinz and Alon Rosen, editors, Theory of Cryptography, pages 229–250, Cham, 2019. Springer International Publishing. doi:10.1007/978-3-030-36030-6\_10.
[BS20] Zvika Brakerski and Omri Shmueli. Scalable pseudorandom quantum states. In Daniele Micciancio and Thomas Ristenpart, editors, Advances in Cryptology – CRYPTO 2020, pages 417–440, Cham, 2020. Springer International Publishing. doi:10.1007/978-3-030-56880-1\_15.
[Can17] F.P. Cantelli. Sulla probabilità come limite della frequenza. Atti Reale Academia Nazionale dei Lincei, 26(1):39–45, 1917.
[CGG⁺23] Bruno Cavalar, Eli Goldin, Matthew Gray, Peter Hall, Yanyi Liu, and Angelos Pelecanos. On the computational hardness of quantum one-wayness, 2023. arXiv:2312.08363.
[CGLQ20] Kai-Min Chung, Siyao Guo, Qipeng Liu, and Luowen Qian. Tight quantum time-space tradeoffs for function inversion. In 2020 IEEE 61st Annual Symposium on Foundations of Computer Science (FOCS), pages 673–684, 2020. doi:10.1109/FOCS46700.2020.00068.
[CMN22] Benoît Collins, Sho Matsumoto, and Jonathan Novak. The Weingarten calculus. Notices of the American Mathematical Society, 69(5):734–745, 2022. doi:10.1090/noti2474.
[GST24] Zuzana Gavorová, Matan Seidel, and Yonathan Touati. Topological obstructions to quantum computation with unitary oracles. Phys. Rev. A, 109:032625, Mar 2024. doi:10.1103/PhysRevA.109.032625.
[HKOT23] Jeongwan Haah, Robin Kothari, Ryan O’Donnell, and Ewin Tang. Query-optimal estimation of unitary channels in diamond distance. In 2023 IEEE 64th Annual Symposium on Foundations of Computer Science (FOCS), pages 363–390, 2023. doi:10.1109/FOCS57990.2023.00028.
[HKP20] Hsin-Yuan Huang, Richard Kueng, and John Preskill. Predicting many properties of a quantum system from very few measurements. Nature Physics, 2020. doi:10.1038/s41567-020-0932-7.
[HMY23] Minki Hhan, Tomoyuki Morimae, and Takashi Yamakawa. From the hardness of detecting superpositions to cryptography: Quantum public key encryption and commitments. In Carmit Hazay and Martijn Stam, editors, Advances in Cryptology – EUROCRYPT 2023, pages 639–667, Cham, 2023. Springer Nature Switzerland. doi:10.1007/978-3-031-30545-0\_22.
[IR89] Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, STOC ’89, pages 44–61, New York, NY, USA, 1989. Association for Computing Machinery. doi:10.1145/73007.73012.
[JLS18] Zhengfeng Ji, Yi-Kai Liu, and Fang Song. Pseudorandom quantum states. In Hovav Shacham and Alexandra Boldyreva, editors, Advances in Cryptology – CRYPTO 2018, pages 126–152, Cham, 2018. Springer International Publishing. doi:10.1007/978-3-319-96878-0\_5.
[KQST23] William Kretschmer, Luowen Qian, Makrand Sinha, and Avishay Tal. Quantum cryptography in Algorithmica. In Proceedings of the 55th Annual ACM Symposium on Theory of Computing, STOC 2023, pages 1589–1602, New York, NY, USA, 2023. Association for Computing Machinery. doi:10.1145/3564246.3585225.
[Kre21a] William Kretschmer. Quantum Pseudorandomness and Classical Complexity. In Min-Hsiu Hsieh, editor, 16th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2021), volume 197 of Leibniz International Proceedings in Informatics (LIPIcs), pages 2:1–2:20, Dagstuhl, Germany, 2021. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.TQC.2021.2.
[Kre21b] William Kretschmer. The Quantum Supremacy Tsirelson Inequality. Quantum, 5:560, October 2021. doi:10.22331/q-2021-10-07-560.
[KS14] Robert Koenig and John A. Smolin. How to efficiently select an arbitrary Clifford group element. Journal of Mathematical Physics, 55(12):122202, 2014. doi:10.1063/1.4903507.
[Kup15] Greg Kuperberg. How hard is it to approximate the Jones polynomial? Theory of Computing, 11(6):183–219, 2015. doi:10.4086/toc.2015.v011a006.
[LMW24] Alex Lombardi, Fermi Ma, and John Wright. A one-query lower bound for unitary synthesis and breaking quantum cryptography. In Proceedings of the 56th Annual ACM Symposium on Theory of Computing, STOC 2024, pages 979–990, New York, NY, USA, 2024. Association for Computing Machinery. doi:10.1145/3618260.3649650.
[LO22] Zhenjian Lu and Igor C. Oliveira. Theory and applications of probabilistic Kolmogorov complexity. Bull. EATCS, 137, 2022. URL: http://bulletin.eatcs.org/index.php/beatcs/article/view/700.
[Mec19] Elizabeth S. Meckes. The Random Matrix Theory of the Classical Compact Groups. Cambridge Tracts in Mathematics. Cambridge University Press, 2019. doi:10.1017/9781108303453.
[MY22a] Tomoyuki Morimae and Takashi Yamakawa. One-wayness in quantum cryptography, 2022. arXiv:2210.03394.
[MY22b] Tomoyuki Morimae and Takashi Yamakawa. Quantum commitments and signatures without one-way functions. In Yevgeniy Dodis and Thomas Shrimpton, editors, Advances in Cryptology – CRYPTO 2022, volume 13507 of Lecture Notes in Computer Science, pages 269–295. Springer International Publishing, 2022. doi:10.1007/978-3-031-15802-5\_10.
[NC10] Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information: 10th Anniversary Edition. Cambridge University Press, 2010. doi:10.1017/CBO9780511976667.
[Ros21] Gregory Rosenthal. Query and depth upper bounds for quantum unitaries via Grover search, 2021. arXiv:2111.07992.
[Sus16a] Leonard Susskind. Addendum to computational complexity and black hole horizons. Fortschritte der Physik, 64(1):44–48, 2016. doi:10.1002/prop.201500093.
[Sus16b] Leonard Susskind. Computational complexity and black hole horizons. Fortschritte der Physik, 64(1):24–43, 2016. doi:10.1002/prop.201500092.
[VMS04] Juha J. Vartiainen, Mikko Möttönen, and Martti M. Salomaa. Efficient decomposition of quantum gates. Phys. Rev. Lett., 92:177902, Apr 2004. doi:10.1103/PhysRevLett.92.177902.
[WBV08] Yaakov S. Weinstein, Winton G. Brown, and Lorenza Viola. Parameters of pseudorandom quantum circuits. Phys. Rev. A, 78:052332, Nov 2008. doi:10.1103/PhysRevA.78.052332.

Appendix A PRSs with Binary Phases

In this section, we sketch a proof that a PRS construction proposed by Ji, Liu, and Song [JLS18] and shown secure by Brakerski and Shmueli [BS19] can be broken efficiently with an $\mathsf{NP}$ oracle. The PRS family is based on pseudorandom functions (PRFs). Let $\{f_{k}\}_{k\in\{0,1\}^{\kappa}}$ be a PRF family of functions $f_{k}:\{0,1\}^{n}\to\{0,1\}$ keyed by $\{0,1\}^{\kappa}$ . The corresponding PRS family is the set of states $\{|\varphi_{k}\rangle\}_{k\in\{0,1\}^{\kappa}}$ given by:

|\varphi_{k}\rangle\coloneqq\frac{1}{2^{n/2}}\sum_{x\in\{0,1\}^{n}}(-1)^{f_{k}% (x)}|x\rangle.

For simplicity, suppose that each $f_{k}$ is balanced, meaning that $|f^{-1}_{k}(0)|=|f^{-1}_{k}(1)|=2^{n-1}$ . Consider the quantum circuit below:

\Qcircuit@C=1em@R=.7em{\lstick{|0\rangle}&\qw\gate{H}\ctrl{2}\qw\targ\qw\qw\\ \lstick{|\psi\rangle}{/}\qw\qw\qswap\gate{H^{\otimes n}}\ctrlo{-1}\gate{H^{% \otimes n}}\qw\\ \lstick{|0^{\otimes n}\rangle}{/}\qw\gate{H^{\otimes n}}\qswap\qw\qw\qw\qw\qw}

Observe that if $|\psi\rangle=|\varphi_{k}\rangle$ , then this circuit produces the state $|0\rangle\frac{|\varphi_{k}\rangle|+\rangle^{\otimes n}+|+\rangle^{\otimes n}|% \varphi_{k}\rangle}{\sqrt{2}}$ from a single copy of $|\varphi_{k}\rangle$ . Notice that if we measure the resulting state in the computational basis, then we observe $|0\rangle|x\rangle|y\rangle$ with nonzero probability for $x,y\in\{0,1\}^{n}$ if and only if $f_{k}(x)=f_{k}(y)$ . This is because the amplitude on this basis state is given by:

\langle x|\langle y|\frac{|\varphi_{k}\rangle|+\rangle^{\otimes n}+|+\rangle^{% \otimes n}|\varphi_{k}\rangle}{\sqrt{2}}=\frac{(-1)^{f_{k}(x)}+(-1)^{f_{k}(y)}% }{2^{n}\sqrt{2}}.

Furthermore, this shows that we in fact sample a uniformly random pair $(x,y)$ such that $f_{k}(x)=f_{k}(y)$ .

Suppose that given a state $|\psi\rangle$ which is either pseudorandom or Haar-random, we repeat this procedure $\mathrm{poly}(n)$ times to obtain a list of pairs $\{(x_{i},y_{i})\}$ . It is an $\mathsf{NP}$ problem to decide whether there exists a $k$ such that $f_{k}(x_{i})=f_{k}(y_{i})$ for all $i$ . If $|\psi\rangle=|\varphi_{k}\rangle$ for some $k$ then this $\mathsf{NP}$ language always returns true, while if $|\psi\rangle$ is Haar-random, this $\mathsf{NP}$ language returns true with negligible probability, so long as we take sufficiently many samples $(x_{i},y_{i})$ .

In the case where $f_{k}$ is not perfectly balanced, we simply observe that the above procedure still works with good probability so long as $f_{k}$ is close to a balanced function. But PRFs must be close to balanced functions, in the sense that for most $k\in\{0,1\}^{\kappa}$ , it must be possible to change a $\mathrm{negl}(n)$ fraction of the outputs of $f_{k}$ to turn it into a balanced function. Otherwise, the PRF family could be distinguished efficiently from random functions, which are $\mathrm{negl}(n)$ -close to balanced with high probability.

	$\displaystyle\mathop{\mathbb{E}}_{\|\psi\rangle\sim S\|\varphi\rangle}\left[\|% \psi\rangle\langle\psi\|^{\otimes t}\right]$	$\displaystyle=\mathop{\mathbb{E}}_{U\sim S}\left[U^{\otimes t}\left(\|\varphi% \rangle\langle\varphi\|^{\otimes t}\right)(U^{\dagger})^{\otimes t}\right]$
		$\displaystyle\preceq(1+\varepsilon)\mathop{\mathbb{E}}_{U\sim\mu_{N}}\left[U^{% \otimes t}\left(\|\varphi\rangle\langle\varphi\|^{\otimes t}\right)(U^{\dagger})% ^{\otimes t}\right]$
		$\displaystyle=(1+\varepsilon)\mathop{\mathbb{E}}_{\|\psi\rangle\sim\sigma_{N}}% \left[\|\psi\rangle\langle\psi\|^{\otimes t}\right],$

	$\displaystyle\Pr_{\|\psi\rangle\sim S}\left[\mathcal{A}\left(\|\psi\rangle^{% \otimes t}\right)=1\right]$	$\displaystyle=\mathrm{Tr}\left(M\mathop{\mathbb{E}}_{\|\psi\rangle\sim S}\left[% \|\psi\rangle\langle\psi\|^{\otimes t}\right]\right)$
		$\displaystyle\leq\mathrm{Tr}\left(M(1+\varepsilon)\mathop{\mathbb{E}}_{\|\psi% \rangle\sim\mu_{N}}\left[\|\psi\rangle\langle\psi\|^{\otimes t}\right]\right)$
		$\displaystyle=(1+\varepsilon)\Pr_{\|\psi\rangle\sim\mu_{N}}\left[\mathcal{A}% \left(\|\psi\rangle^{\otimes t}\right)=1\right],$

	$\displaystyle(I\otimes\langle\Phi_{N}\|)(\|\phi_{U}\rangle\otimes\|\psi\rangle)$	$\displaystyle=(U\otimes\langle\Phi_{N}\|)(\|\Phi_{N}\rangle\otimes\|\psi\rangle)$
		$\displaystyle=\frac{1}{N}\left(U\otimes\sum_{i=1}^{N}\langle i\|\langle i\|% \right)\left(\sum_{i=1}^{N}\sum_{j=1}^{N}\psi_{j}\|i\rangle\|i\rangle\|j\rangle\right)$
		$\displaystyle=\frac{1}{N}\left(U\otimes\sum_{i=1}^{N}\langle i\|\langle i\|% \right)\left(\sum_{i=1}^{N}\psi_{i}\|i\rangle\|i\rangle\|i\rangle\right)$
		$\displaystyle=\frac{U}{N}\sum_{i=1}^{n}\psi_{i}\|i\rangle$
		$\displaystyle=\frac{U\|\psi\rangle}{N}.$

	$\displaystyle\|f(U)-f(V)\|$	$\displaystyle=\|f_{\psi}(U)-f_{\varphi}(V)\|$
		$\displaystyle=\max\{f_{\psi}(U)-f_{\varphi}(V),f_{\varphi}(V)-f_{\psi}(U)\}$
		$\displaystyle\leq\max\{f_{\psi}(U)-f_{\psi}(V),f_{\varphi}(V)-f_{\varphi}(U)\}$
		$\displaystyle\leq T\|\|U-V\|\|_{F},$

$\displaystyle\Pr_{\mathcal{U}\sim\mathcal{D}}\left[\left\|f(\mathcal{U},% \mathcal{U})-\mathop{\mathbb{E}}_{\overline{\mathcal{U}}\sim\mathcal{D}}[f(% \mathcal{U},\overline{\mathcal{U}})]\right\|\geq\frac{1}{12}\right]$	$\displaystyle\leq 2\exp\left(-\frac{(N-2)t^{2}}{24L^{2}}\right)$
	$\displaystyle=2\exp\left(-\frac{3456\|x\|p(\|x\|)^{2}\cdot\frac{1}{144}}{24p(\|x\|)^% {2}}\right)$
	$\displaystyle=2e^{-\|x\|}.$	(4)

Quantum Pseudorandomness and Classical Complexity

Abstract

1 Introduction

1.1 Main results

Theorem 1 (Informal version of Theorem 27).

Theorem 2 (Informal version of Theorems 30 and 33).

1.2 Application: hyperefficient shadow tomography

Theorem 3.

Proof sketch.

1.3 Our techniques

1.3.1 Approximate t𝑡titalic_t-designs

1.3.2 Breaking pseudorandomness with 𝖯𝖯𝖯𝖯\mathsf{PP}sansserif_PP

Theorem 4 (Classical shadows [HKP20]).

1.3.3 Instantiating pseudorandomness with 𝖡𝖰𝖯=𝖰𝖬𝖠𝖡𝖰𝖯𝖰𝖬𝖠\mathsf{BQP}=\mathsf{QMA}sansserif_BQP = sansserif_QMA

1.4 Open problems

1.5 Conference version

2 Preliminaries

2.1 Basic notation

2.2 Probability

Lemma 5 (Bayes decision rule).

Lemma 6 (Borel–Cantelli [Bor09, Can17]).

2.3 Quantum information

Fact 7.

Fact 8 ([AKN98]).

Lemma 9.

Proof.

2.4 Haar measure and concentration

Theorem 10 ([Mec19, Theorem 5.17]).

2.5 Complexity theory

Definition 11.

Definition 12.

Definition 13.

Lemma 14 (Aaronson [Aar05]).

2.6 Quantum oracles

2.7 Cryptography

Definition 15 (Pseudorandom quantum states [JLS18]).

Definition 16 (Pseudorandom unitary transformations [JLS18]).

3 Approximate t𝑡titalic_t-designs

Definition 17 (Approximate quantum design, cf. [AE07]).

Definition 18 (Approximate unitary design [BHH16b]).

Proposition 19.

Proof.

Lemma 20.

Proof sketch.

Lemma 21.

Proof.

Lemma 22.

Proof.

Lemma 23.

Proof.

Lemma 24.

Proof.

Lemma 25.

Proof.

4 Breaking pseudorandomness with a classical oracle

Lemma 26.

Proof.

Theorem 27.

Proof.

5 Pseudorandomness from a quantum oracle

5.1 Definition of the oracle

Lemma 28.

Proof.

Lemma 29.

Proof.

Theorem 30.

Proof.

5.3 Pseudorandom unitaries relative to (𝒰,𝒞)𝒰𝒞(\mathcal{U},\mathcal{C})( caligraphic_U , caligraphic_C )

Lemma 31.

Proof.

Lemma 32.

Proof.

Theorem 33.

Proof.

5.4 Alternative oracles

Conjecture 34.

Proposition 35 (Proved in [Aar09, Lemma 4]).

Proof.

Acknowledgments

References

1.3.1 Approximate $t$ -designs

1.3.2 Breaking pseudorandomness with $\mathsf{PP}$

1.3.3 Instantiating pseudorandomness with $\mathsf{BQP}=\mathsf{QMA}$

3 Approximate $t$ -designs

5.3 Pseudorandom unitaries relative to $(\mathcal{U},\mathcal{C})$