# Weak approximate unitary designs and applications to quantum encryption

###### Abstract

Unitary -designs are the bread and butter of quantum information theory and beyond. An important issue in practice is that of efficiently constructing good approximations of such unitary -designs. Building on results by Aubrun (Comm. Math. Phys. 2009), we prove that sampling unitaries from an exact -design provides with positive probability an -approximate -design, if the error is measured in one-to-one norm distance of the corresponding -twirling channels. As an application, we give a partially derandomized construction of a quantum encryption scheme that has roughly the same key size and security as the quantum one-time pad, but possesses the additional property of being non-malleable against adversaries without quantum side information.

## 1 Introduction

Random unitaries, drawn from the Haar measure on the unitary group, play an important role in many aspects of theoretical quantum information science. For instance, most results on quantum source and channel coding are obtained with Haar-random coding strategies [HHW+08, ADH+09, BCR11] using the decoupling technique [HOW07, SDT+13, DBW+14, MBD+17]. The columns and rows of Haar random unitaries are Haar random unit vectors and have also found many applications in quantum information theory, e.g. for constructing quantum money schemes [JLS18, AMR19]. However, it is infeasible in practice to even just approximate Haar random unitaries, the randomness and number of gates necessary to sample and implement them being exponential in the number of qubits they act on.

In most situations, unitary -designs, the quantum analogues of -wise independent functions, come to the rescue [DCE+09]. A unitary -design is a measure on the unitary group that reproduces the Haar measure up to the -th moment. This means that a random unitary sampled from a -design can replace a Haar-random unitary in any situation where it is only applied times. For practical purposes, one would like this measure to be more economical than the Haar measure (for instance to have finite, as small as possible, support). Often even approximate versions of unitary -designs (in the right metrics) are already sufficient. In quantum information theory and related fields the most common metric between measures on the unitary group is the completely bounded one-to-one norm, or diamond norm, on the induced -twirling channels. The -twirling channel associated to a measure is the channel that can be implemented by sampling a unitary according to the measure, and then applying it to each sub-system of a -partite input system.

In [HLS+04], approximate -designs have been studied using a metric based on the (not completely bounded) one-to-one norm. There, it is shown that approximate -designs in this weaker sense can be made of much fewer unitaries, and that they still have interesting applications, such as unconditionally secure encryption of quantum data when confidentiality is only desired against adversaries without quantum side information. The former result is shown by proving that sampling a small number of independent Haar-random unitaries provides with high probability an approximate -design. This construction was subsequently partially derandomized in [AUB09].

Let us mention one last result which was known prior to this work. It was shown in [LW17] that, in fact, any channel can be approximated in one-to-one norm by a channel having few Kraus operators. However, this does not tell us whether it can be further imposed that the Kraus operators of this approximating channel are of a specific form (such as e.g. being tensor powers of unitaries sampled from a simple enough distribution, which is what we are interested in here).

#### Our contribution

In this work, we generalize the approach of [AUB09] to construct small approximate -designs, for any given , in one-to-one norm distance. In addition, for , we show that the approach extends to designs where the goal is to approximate the channel twirl, i.e. the transformation of quantum channels obtained by sampling a unitary, applying it to the input state before the channel acts on it, and undoing this action afterwards. Here, the appropriate distance is the one stemming from the operator norm induced by the diamond norm, which we call diamond-to-diamond norm. To prove the approximation result on the so-called -twirl, we use basic representation theory of the unitary group, including the Weyl dimension formula, to show that this channel has small one-to-operator norm. This allows us to apply the powerful probabilistic and functional analytic tools developed in [AUB09]. For the channel twirl, the invariant space spanned by the identity, as well as the off-diagonal terms involving this invariant space, require a careful analysis. Along the way, we also construct a design that approximates the so-called -twirl, the image of the channel twirl under the Choi-Jamiołkowski isomorphism.

#### An application

Subsequently, we apply our results in a cryptographic context. We show, that an approximate channel-twirl design in the diamond-to-diamond norm metric can be used to construct a quantum encryption scheme that is as secure as the quantum one-time pad and has (essentially) the same key length, but also is non-malleable against adversaries without quantum side information.

#### Related work

Unitary -designs exist for all and all dimensions [KAN15]^{1}^{1}1In [KAN15], the existence of exact designs is proven in a much more general context, see [AMR19, Corollary 2] for a straightforward application to the unitary case.. For , time-efficient constructions are, however, only known for approximate unitary -designs [BHH16]. The sub-sampling technique that we use, following [AUB09], i.e. the strategy of sampling (a small number of) random unitaries from an exact design, was first introduced in [ABW09] to show the existence of small approximate -designs.

Non-malleability for quantum encryption was first introduced and characterized in [ABW09]. In this work it was also shown that the notion of quantum non-malleability is equivalent to the notion of approximate unitary -designs, under the condition that the encryption algorithm be unitary. Subsequently, non-malleability for quantum encryption has been further studied in [AM17, MSv19].

#### Notation and standard definitions

Let us gather here notation that we will be using throughout the whole paper. Given , we denote by the set of linear operators on , by the set of quantum states (i.e. positive semidefinite and trace operators) on , and by the set of unitary operators on . We additionally denote by the set of linear operators on , and by the set of quantum channels (i.e. completely positive and trace-preserving operators) on . Let us conclude with some standard notation/definitions from probability theory. Given a random variable , we denote by its average and by the probability that satisfies event . We say that is a Bernoulli random variable if .

## 2 Representation theoretic preliminaries

Given let be the permutation group of . The irreducible representations of are called *Specht modules* and are indexed by integer partitions of , denoted as . Such a partition is represented as a tuple , for some , with and .

Given let be the unitary group of . The polynomial irreducible representations of are called *Weyl modules* and are indexed by integer partitions of any number into exactly parts (some of which might be ), denoted as . The dimension of the Weyl module is given by the Weyl dimension formula

(1) |

A particular vector space that carries representations of both and is . The corresponding actions are defined as

The two actions commute, i.e. decomposes into a direct sum of irreducible representations (irreps) of the product group . These irreps are just tensor products of an irrep of with an irrep of . What is more, the corresponding representations of the group algebras of and are double commutants, implying that the decomposition is multiplicity free.

###### Theorem 2.1 (Schur-Weyl duality).

Let and act on as described above. The direct sum decomposition into irreducible representations of is multiplicity free, and is given by

(2) |

Define the quantum channel on as

(3) |

where stands for the Haar measure on . The channel is often referred to as a twirling channel. It is obviously covariant with respect to the action of . Hence, denoting by the isomorphism between the right and left hand sides of equation (2) above, Schur’s Lemma implies that

(4) |

where is the projector onto in and is the maximally mixed state on .

Let us make things slightly more explicit in the case . We have

where and are, respectively, the symmetric and anti-symmetric subspaces of . The corresponding projectors are and , where denotes the so-called flip operator. And the action of can be explicitly written as, for any ,

Fix a basis for (which we refer to as the computational basis). Let be the transposition in this basis and denote by the partial transposition of (i.e. ). It is easy to check that, for any ,

Let us define the quantum channel on as

(5) |

By the preceding discussion, we know that can be written as a linear combination of and . Now, and , where

is the standard maximally entangled state with respect to . So equivalently, can be written as a linear combination of and , which are orthogonal to one another. More specifically

(6) |

## 3 Several channel approximation results

### 3.1 Approximating the twirling channel

Let be such that . The goal here is to show that the twirling channel , as defined by equation (3), can be approximated with ‘few’ Kraus operators sampled from a ‘simple’ probability measure. We will be able to prove such approximation in a strong sense, namely in one-to-infinity norm.

A probability measure on is called a -design if

We will show the following result:

###### Theorem 3.1.

Let . Assume that the probability measure on is a -design, and let be sampled independently from . There exists a universal constant such that, if , then with probability at least , we have

Theorem 3.1 generalizes [AUB09, Theorem 2] to -designs for any rather than only for -designs. We actually follow the exact same proof strategy as that of [AUB09, Theorem 2]. The only additional technical lemma that we need in the case is one that tells us that has a small -norm (a fact which is obvious for ).

###### Lemma 3.2.

The quantum channel is such that

###### Proof.

By equation (4), the operator norm in question is just given by the inverse of the minimal dimension of an irrep ,

Indeed, let us denote by the partition minimizing . It is clear that if and , then . And this is obviously maximizing as begins with a pinching with respect to the direct sum decomposition (2). We go on to find a lower bound on using the formula (1). To this end we first note that is a partition of into parts, so for all . Noting that all the factors in the product in equation (1) are lower bounded by , and only keeping factors such that we get

As a final step we use that for all such that , and that . We thus conclude that

where the last inequality is because by assumption and . ∎

We then need the technical result below, which is an immediate corollary of [AUB09, Lemma 5] (which itself makes crucial use of Dudley’s inequality and a duality argument for entropy numbers).

###### Lemma 3.3.

Let . For independent Bernoulli random variables, we have

where is a universal constant.

###### Proof.

This follows directly from [AUB09, Lemma 5], applied with playing the role of and playing the role of , . ∎

With these two preliminary lemmas at hand, we are now in position to prove Theorem 3.1.

###### Proof of Theorem 3.1.

Let be independent copies of and let be independent Bernoulli random variables. Setting

we then have

where the first inequality is by Jensen’s inequality, the second equality is by symmetry, and the third inequality is by the triangle inequality.

Hence, by Lemma 3.3, we get

where the second inequality is by Lemma 3.2 while the third inequality is by Jensen’s inequality.

Now, it is easy to check that, given , if , then . Therefore, we eventually obtain

And the latter quantity is smaller than as soon as is larger than .

To conclude, we just have to use Markov’s inequality, which guarantees that, if , then

This is exactly what we wanted to show (after relabelling in and in ). ∎

###### Remark 3.4.

Note that, up to a factor, the result of Theorem 3.1 is optimal, in the sense that it is impossible to approximate the twirling channel with less than order operators. This is true even if we only require -approximation in -norm rather than -approximation in -norm. Indeed, the following general result was shown in [LW17, Section 5.1]: If are channels on which are -close in -norm, then the Kraus rank of (i.e. the minimal number of Kraus operators for ) satisfies

where is the von Neumann entropy. In particular, if is such that, for all , , then

and hence necessarily

In the case of the channel on , we know by Lemma 3.2 that, for all , . So if a channel is -close to in -norm, then it has to satisfy .

### 3.2 Approximating the twirling channel

The goal here is to show that the twirling channel , as defined by equation (5), can be approximated with ‘few’ Kraus operators sampled from a ‘simple’ probability measure. We will only be able to prove such approximation in a weaker sense than in the case of treated before, namely in one-to-one norm.

If is a -design on , then, by equation (5), we have that

We will show the following result:

###### Theorem 3.5.

Let . Assume that the probability measure on is a -design, and let be sampled independently from . There exists a universal constant such that, if , then with probability at least , we have

The way we prove Theorem 3.5 is by first analysing separately the cases where the input state is the maximally entangled state or a state orthogonal to it. This is the content of Propositions 3.6 and 3.7 below.

###### Proposition 3.6.

Assume that the probability measure on is a -design, and let be sampled independently from . Then,

###### Proof.

We just have to notice that, for any , . And thus,

as announced. ∎

###### Proposition 3.7.

Let . Assume that the probability measure on is a -design, and let be sampled independently from . There exists a universal constant such that, if , then with probability at least , we have

In order to prove Proposition 3.7 we follow the same route as to prove Theorem 3.1. We thus begin by observing that has a small -norm on the orthogonal of the maximally entangled state, which is the analogue of Lemma 3.2 in the study of .

###### Lemma 3.8.

The quantum channel is such that

###### Proof.

By equation (6), we see that, for any state orthogonal to , , so that . ∎

We then need the technical result below, which is the analogue of Lemma 3.3 in the study of .

###### Lemma 3.9.

Let . For independent Bernoulli random variables, we have

where is a universal constant.

###### Proof.

This follows directly from [AUB09, Lemma 5], applied with playing the role of and playing the role of , . ∎

With Lemmas 3.8 and 3.9 at hand it is straightforward to prove Proposition 3.7, starting from the same symmetrization trick than the one which allows to prove Theorem 3.1 from Lemmas 3.2 and 3.3. We therefore do not repeat the proof here.

###### Proof of Theorem 3.5.

By convexity of and extremality of pure states amongst all states, it is enough to prove that the result is true for all pure input states. Given a unit vector, we can write it as , where , and is a unit vector orthogonal to . Defining

(7) |

we then have

First, we know from Proposition 3.6 that , while we know from Proposition 3.7 that, with probability at least , for any orthogonal to , . Second, we know that we can write for some such that and . That way, since for any , and , we get

Now, we know from Theorem 3.1 (for ) that, with probability at least , for any such that ,

(actually as soon as , hence a fortiori for ).

Putting everything together we eventually obtain that, with probability at least , for any ,

which, up to re-labelling in , is exactly what we wanted to prove. ∎

### 3.3 Approximating the twirling super-channel

We are now interested in a slightly different kind of twirling, namely one that acts on channels rather than states. We thus define the quantum super-channel on as

(8) |

Similarly as before, we here want to show that can be approximated by sampling ‘few’ unitaries from a ‘simple’ probability measure. We will be able to prove approximation in completely bounded one-to-one norm (also known as diamond norm) for all input channel.

More precisely, denoting by the identity map on , we will show the following result:

###### Theorem 3.11.

Let . Assume that the probability measure on is a -design, and let be sampled independently from . There exists a universal constant such that, if , then with probability at least , we have, for all and all ,

###### Proof.

By convexity of and extremality of pure states amongst all states, it is enough to prove that the result is true for all pure input states (and all input channels). Let be a channel and be a pure state, which we can write as for some such that . Now, for any , , so that

Therefore, defining as in equation (7), we have

(9) |

We now proceed exactly as in the proof of Theorem 3.5. First, by Proposition 3.6, , so that

Second, by Proposition 3.7, with probability at least , for any orthogonal to , , so that

where the first inequality is by Hölder inequality while the last inequality is simply recalling that . Third, any orthogonal to can be written as for some such that and . Since for any , and , we then get