1 Introduction
Randomness is one of the most fundamental resources for computation, and is indispensable for algorithms, complexity theory and cryptography. It is also a foundational tool for science in general, for purposes of describing and modeling natural phenomena. As our understanding of nature expands to quantum phenomena, the importance of understanding the uniform distribution over quantum states, and being able to sample from it, naturally emerges.
Quantum states can be described as unit vectors in a high-dimensional complex Hilbert space. Thus, a random quantum state is just a random unit vector on this abstract sphere. This distribution is also referred to as the Haar measure over quantum states. We note that this is a continuous distribution, even if the Hilbert space is finite dimensional (i.e. can be described by a finite number of qubits). Since quantum states cannot be duplicated, the ability to generate random quantum states refers to the ability to generate multiple copies of the same random state vector. (In fact, a single copy of a quantum random state is identical to a classical random state.) Haar random quantum states have numerous computational and physical applications. The former includes optimal quantum communication channels [Llo97], efficient quantum POVM measurements [RBKSC04] which are in turn useful in quantum state tomography, and gate fidelity estimation [DCEL09]. The latter includes constructing physical models of quantum thermalization [PSW06].
Since random states have infinitely long descriptions (and superexponential even if restricting to some finite precision), there is extensive literature studying approximate notions and specifically the notion of approximate designs. These are distributions whose tensor (i.e. taking copies of a sample from this distribution) are indistinguishable from (a tensor of) Haar (using the standard notion for statistical indistinguishability known as trace distance). We adopt the standard asymptotic convention and require by default that is negligible in our “security parameter”, which we associate with the logarithm of the dimension of the Hilbert space. In this work we focus on quantum states over qubits (i.e. dimensional Hilbert space), so we associate our security parameter with . However, our methods are extendable to any finite-dimensional space (with efficient representation). There is extensive literature studying (approximate) designs with bounded , which also carry physical significance, see e.g. [AE07, DCEL09, HL09, NM13, NKM14, KG15]. Indeed, it is possible to efficiently generate designs using quantum circuits of size . Up to asymptotics, this matches the information theoretic bound (however, the important aspect of the depth complexity of generating designs remained open, to the best of our knowledge), and one cannot hope to efficiently generate designs for superpolynomial .
Asymptotically Random States, Pseudorandom States and the JLS Conjecture.
Ji, Liu and Song [JLS18] (henceforth JLS) recently proposed to extend the notion of approximate designs. They proposed the notion of a pseudorandom quantum state (PRS) which has a finite description but is computationally indistinguishable from Haar given a tuple, for any . Thus, for any computationally bounded purpose (experiment, naturally occurring process) a PRS is indistinguishable from a Haar state, regardless of the number of copies. They also showed that PRS are useful for cryptographic applications such as quantum money.
Furthermore, [JLS18] proposed an insightful template for constructing PRS. They start by showing that given quantum RAM access to exponentially many classical random bits, it is possible to construct a approximate design. Let us call such a distribution ARS, for Asymptotically Random State. (Footnote 1: Actually, their ARS, as well as the one proven in this work, is even stronger: they show that for all , their distribution is approximate design.) An ARS is a statistical notion of PRS which has asymptotic limitations but no computational restrictions. Then, replacing the exponential random string with a quantum-query-resistant classically-computable pseudorandom function (PRF), the PRS construction naturally follows from ARS. The existence of such PRF is implied by the existence of quantum secure one-way functions [Zha12].
The ARS construction of JLS is quite straightforward to describe. Generate a uniform superposition over all strings . This is described in the standard Dirac notation as (with some normalization factor). Then, assign a random quantum phase to each component , i.e. generate for random independent roots of unity . To cope with finite precision, is taken to a finite but exponential resolution , where is a random function and is the th root of unity. Given RAM access to the truth table of , this state can be efficiently computed using Quantum Fourier Transform (QFT) modulo .
JLS then conjecture (but were unable to prove) that a much simpler construction, where , should also imply ARS. That is, replacing the “high-resolution” random phase by the simplest binary phase. While this is only one of a few conjectures made in that work, it is the only one relevant to our work and we thus refer to it simply as the JLS conjecture.
Conjecture 1 ([JLS18], restated).
The distribution over qubit quantum states defined by
where is a random function, is an ARS.
To highlight the gap between the conjecture and the provable ARS construction of JLS, let us describe a crucial point in the analysis of JLS. The analysis is based on an equivalence relation between tuples of bit strings, which naturally arises from the expression for statistical distance from Haar. The tuples , are equivalent if their histograms (i.e. the number of times each bit string appears) are equal modulo . Since this condition is equivalent to requiring that the tuples are permutations of each other, which makes it possible to analyze the equivalence classes of this relation and for the analysis to go through.
In the binary setting, the equivalence relates tuples whose histograms are equal modulo . Thus the equivalence classes can no longer be described simply as a set and all of its permutations, and they don’t even have the same size anymore. This creates many additional terms in the so-called density matrix of the state (which is a complex matrix of exponential dimensions ). In order to prove the conjecture, one will have to show that the effect of these exponentially many new terms on the spectrum of the matrix is negligible and there seems to be no straightforward handle for this analysis. We resolve this problem in this work.
Our Results – Proving the Conjecture.
We prove the JLS conjecture; in fact, we prove that the binary ARS implied by the conjecture has comparable properties to the prior construction (that used complex phase).
Theorem 1 (Main Result).
The distribution over qubit quantum states defined by
where is a random function, is a approximate design for all , and thus an ARS.
This result has various implications that we describe below. We furthermore hope that our techniques will be useful for analyzing similarly complicated quantum states.
We make two additional observations that refer to the requirement from a function to be plugged into either our theorem or that of JLS in order to imply PRS and quantum designs.

If we wish to obtain a PRS, the requirement of using a full-fledged quantum secure PRF can be relaxed. In fact, it is sufficient to have a function that is indistinguishable from random while allowing only uniform superposition queries (as opposed to arbitrary superposition queries). This leads to a quantum notion which is somewhat analogous to the classical notion of weak pseudorandom functions [NR99], an object that can be of interest for independent investigation and possibly more efficient constructions than PRFs.

If we only wish to obtain a design, it is sufficient to replace with a wise independent function, using the fact that given quantum-query access, a wise independent function is perfectly indistinguishable from a completely random function [Zha12].
Implications.
We find the JLS conjecture compelling for aesthetic, conceptual and perhaps even practical reasons. In terms of aesthetics, it is bothersome that one would need to go into exponentially fine-grained resolution on the phase in order to generate an ARS/PRS; being able to achieve the same parameters with a more coarse resolution (and as we show next without compromising on parameters) seems to be a more desirable state of affairs. Conceptually, the result shows that ARS, which is for all efficiently observable purposes identical to a Haar random state, can be generated using only real-valued phases. Recalling that the Haar distribution is defined over complex vectors, it appears not obvious that it can be approximated for all observable purposes by real-valued vectors.
In terms of computational complexity, our construction uses circuits with restricted structure known in the literature as HT [Nes08]. Concretely, the circuit contains a single parallel layer of Hadamard gates, followed by a circuit of Toffoli gates. This model is considered fairly weak (note that Hadamard and Toffoli are not even universal for arbitrary quantum computation) and in particular HT circuits are weakly classically simulatable (i.e. any distribution samplable by an HT circuit followed by measurement is also classically samplable). Our result shows that even such a restricted model of quantum computation is enough to approximate the Haar measure.
Lastly, from a practical standpoint, replacing the function by an efficient quantum-resilient PRF yields a very simple construction of a PRS, requiring only an HT circuit with the same circuit size and depth (up to asymptotics) as that of the PRF. Prior provable PRS candidates do not enjoy this property and appear to require a more complicated implementation (that in particular seem to need performing the Quantum Fourier Transform modulo , or a similar procedure) to allow for the high-resolution of complex phase.
In the context of generating designs, using our aforementioned observation and replacing with a wise independent function (in either our theorem or JLS) implies a design construction with circuit size and depth . We are not aware of prior constructions of designs with depth for in the literature. Moreover, the design construction which is implied by our result can be implemented by an HT circuit with the same circuit size and depth (up to asymptotics) as that of the wise independent function.
Proof High-Level Overview.
Formally speaking, the proof follows by bounding the spectral norm of the difference between the density matrix of copies of the state with binary phase, and the density matrix of copies of the state with roots of unity. However, one need not know much about density matrices; it suffices to say that we have a complex Hermitian matrix of dimensions , where the sum of all eigenvalues is , and we want to bound the sum of all absolute values of eigenvalues. It is thus sufficient to consider only positive or only negative eigenvalues.
Each row of the matrix corresponds to a tuple and each column corresponds to a tuple . The entry in location is nonzero if the aforementioned “histogram condition” holds on the tuples. (Footnote 2: Recall that the (modulo) histogram condition states that are equivalent if for all , the number of times appears in the first tuple and the number of times it appears in the second tuple have the same parity.) In a bit more detail, up to a global scaling factor, if the modulo histogram condition holds but the modulo condition (i.e. permutation) does not hold then the entry will be , but if both hold then there is a cancellation and the entry will be .
We start by observing that the matrix can be decomposed into “combinatorial blocks”, each representing an equivalence class of the histogram relation. We analyze the properties of these blocks. We then provide two structural lemmas that together imply the theorem:

We provide a nontrivial upper bound on the rank of the matrix. While it is tempting to disregard the cancellations and just count the number of nonzero blocks and their respective rank, this implies an upper bound that is too coarse. We must therefore carefully take into account the cancellations induced by permutations in order to obtain a usable bound.

We provide an upper bound on the absolute value of each negative eigenvalue. We do this by computing the characteristic polynomial of the matrix (the polynomial whose roots are the eigenvalues), which amounts to a product of the characteristic polynomials of the blocks. Within each block we obtain a closed form formula for the characteristic polynomial and show that its root cannot exceed a bound that is determined by the cardinality of the respective equivalence class (properly normalized).
Combining the two lemmas by multiplying the rank bound with the eigenvalue absolute value bound implies the theorem.
Paper Organization.
2 Preliminaries
For , we denote . For a natural number , denote by the complex root of unity of order . Also for , denote by the set of unit vectors in , by the set of density matrices over , and by the set of unitary matrices over . Note that for , is the set of qubit pure quantum states, is the set of qubit mixed states, and is the set of qubit unitaries. When we consider quantum algorithms, we usually think of them as a uniform family of quantum circuits.
When we consider eigenvalues and singular values of matrices throughout this paper, we implicitly refer to eigenvalues and singular values that possibly repeat, e.g. for matrix with , possibly identical eigenvalues.
The trace distance, defined below, is a generalization of statistical distance to the quantum setting and represents the maximal distinguishing probability between quantum states.
Definition 1 (Trace distance).
Let be two density matrices of qubit mixed states. The trace distance between them is
where for a Hermitian matrix , , where are the eigenvalues of .
The following is a basic fact that shows that classical circuits are a subset of quantum circuits. Recall that the Toffoli gate implements the qubit unitary defined by .
Proposition 2 (Toffoli gate is universal for classical computation).
Let be a function and let be a classical circuit that computes . Define the unitary . Then there exists a quantum circuit of size consisting only of Toffoli gates that computes (possibly using auxiliary qubits).
HT circuits are quantum circuits of a restricted structure, defined as follows.
Definition 2 (HT Circuit).
A quantum circuit is an HT circuit if the first layer of the circuit consists of only Hadamard gates on a subset of the qubits, and the rest of the circuit consists of only Toffoli gates.
2.1 Pseudorandom Functions and Wise Independent Functions
Here we define pseudorandom functions with quantum security (QPRFs).
Definition 3 (Quantum-Secure Pseudorandom Function (QPRF)).
Let be an efficiently samplable key distribution, and let , be an efficiently computable function. We say that is a quantum-secure pseudorandom function if for every efficient nonuniform quantum algorithm that can make quantum queries there exists a negligible function s.t. for every ,
In [Zha12], QPRFs were proved to exist under the assumption that post-quantum one-way functions exist.
We define wise independent functions as keyed functions s.t. when the key is sampled uniformly at random, any different inputs to the function generate wise independent random variables.
Definition 4 (Wise Independent Function).
Let be a function, be a key distribution, and let , be a function. Thus, is a wise independent function if for all , for every distinct input values ,
It is not a part of the standard definition, but it is usually the case that we consider to be efficiently samplable and to be efficiently computable.
2.2 Quantum Randomness and Pseudorandomness
2.2.1 The Haar Measure on Quantum States
Intuitively, the Haar measure on quantum states is the quantum analogue of the classical uniform distribution over bit strings. More precisely, the Haar measure is the uniform (continuous) probability distribution on quantum states. Recall that an qubit quantum state can be viewed as a unit vector in , thus the Haar measure on qubits is the uniform distribution over all unit vectors in .
Formally, the density matrix representing the quantum distribution of drawing a random Haar vector and outputting copies of it is given below.
Definition 5 (Qubits, Copy Random Haar State).
Let , we define the qubits copy random Haar mixed state to be
where is the Haar measure on .
2.2.2 Approximate Quantum State Designs
Approximate designs are quantum distributions that are approximately random when the number of output copies of the sampled state is restricted. The formal definition follows.
Definition 6 (Qubits, Approximate State Design).
Let , and let be a quantum distribution over qubit states. We say that is an approximate state design if
For the sake of completeness, we give a definition for quantum state design generators.
Definition 7 (Approximate State Design Generator).
Let , be functions. We say that a pair of quantum algorithms is an approximate state design generator if the following holds:

Key Generation. For all , always outputs a classical key .

State Generation. For all and for all in the image of , there exists an qubit pure state s.t. .

Approximate Quantum Randomness. For all , the distribution is an qubit, approximate state design.
Note that we define the generator as two algorithms instead of one, to highlight the fact that a state that is sampled can be generated multiple times on demand.
For the purposes of this work it is convenient to define the notion of Asymptotically Random States (ARS) as follows.
Definition 8 (Asymptotically Random State (ARS)).
An Asymptotically Random State (ARS) is shorthand for an asymptotic sequence of approximate designs.
2.2.3 Quantum Pseudorandomness
The notion of pseudorandom quantum states was introduced in [JLS18], was shown to be implied by QPRFs, and is defined below.
Definition 9 (Pseudorandom Quantum State (PRS)).
A pair of quantum polynomial-time algorithms is a Pseudorandom State Generator (PRS Generator) if the following holds:

Key Generation. For all , always outputs a classical key .

State Generation. For all and for all in the image of , there exists an qubit pure state s.t. .

Security. For any polynomial and a nonuniform efficient quantum algorithm there exists a negligible function such that for all ,
where is the Haar measure on .
If the above holds, we say that the ensemble , where is the distribution , is a Pseudorandom Quantum State (PRS) which is generated by .
In the above definition, the number of qubits in the pseudorandom states can also be parameterized (i.e. can output qubit states and not necessarily qubit states), but in the current work we will ignore this.
3 Construction
The following construction will be the base of both our pseudorandom state and quantum state design constructions.
Definition 10 (Binary Phase State Generator for ).
Let be a key space and let be a keyed (boolean) function . is the procedure that takes as input a and outputs the superposition
The following claim establishes that is efficiently implementable when is.
Claim 3.
If is computable by a classical circuit of size and depth , then is computable by an HT circuit of size and depth .
Proof.
The algorithm of will get as input a key and generate the state by performing Hadamard gates (in parallel) on the ancillary classical state , then execute the circuit (which can be realized quantumly by Toffoli gates) on the state . After the execution of , the state is
thus by tracing out the last qubit we get the output state . ∎
We note that previous candidates required a more involved generation process which required applying quantum Fourier transform modulo , or a similar procedure.
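The phase-kickback step in the proof above, as an added pure-Python state-vector simulation (not code from the paper). The sample function f, the qubit layout and the choice of starting both ancillas in the classical state 1 are assumptions made for the illustration.

```python
import math

N_INPUT = 3   # input qubits x0, x1, x2 (bits 0..2 of a basis-state index)
CONST = 3     # classical ancilla fixed to 1; makes a Toffoli act as a CNOT (assumed layout)
OUT = 4       # output ancilla; starts in 1 and receives f(x) (assumed layout)


def f(x):
    """Constructed sample function: f(x) = (x0 AND x1) XOR x2."""
    return ((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1)


def hadamard(state, q):
    """Apply a Hadamard gate to qubit q of a real amplitude vector."""
    s = 1 / math.sqrt(2)
    out = state[:]
    for i in range(len(state)):
        if not (i >> q) & 1:
            a, b = state[i], state[i | (1 << q)]
            out[i] = s * (a + b)
            out[i | (1 << q)] = s * (a - b)
    return out


def toffoli(state, c1, c2, target):
    """Flip `target` on every basis state where both controls are 1."""
    out = state[:]
    for i in range(len(state)):
        if (i >> c1) & 1 and (i >> c2) & 1:
            out[i ^ (1 << target)] = state[i]
    return out


def ht_circuit():
    """One Hadamard layer, then Toffoli gates only."""
    state = [0.0] * (1 << (OUT + 1))
    state[(1 << CONST) | (1 << OUT)] = 1.0      # x = 000, CONST = 1, OUT = 1
    for q in (0, 1, 2, OUT):                    # Hadamards on a subset of the qubits
        state = hadamard(state, q)
    state = toffoli(state, 0, 1, OUT)           # OUT ^= x0 AND x1
    state = toffoli(state, 2, CONST, OUT)       # OUT ^= x2 (CONST is 1)
    return state


def phases(state):
    """Sign carried by each |x> once the ancillas are set aside."""
    scale = math.sqrt(2 ** (N_INPUT + 1))
    return [round(scale * state[x | (1 << CONST)]) for x in range(1 << N_INPUT)]


def ancillas_factor_out(state, tol=1e-12):
    """True if CONST stays 1 and OUT stays in (|0> - |1>)/sqrt(2) for every x."""
    for i, amp in enumerate(state):
        if not (i >> CONST) & 1:
            if abs(amp) > tol:
                return False
        elif not (i >> OUT) & 1:
            if abs(amp + state[i | (1 << OUT)]) > tol:
                return False
    return True


if __name__ == "__main__":
    final = ht_circuit()
    print("phases:", phases(final))
    print("ancillas factor out:", ancillas_factor_out(final))
```

Because the ancillas end in a product state with the input register, discarding them leaves the pure binary phase state, and every amplitude in the simulation is real.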
3.1 Our Pseudorandom Quantum State (PRS) Generator and its Properties
Recall the definition of a PRS (see Definition 9) and of a QPRF (Definition 3). We present our construction of a candidate with binary phase as follows.
Claim 4.
If is a then (along with the key generation algorithm of ) is a secure generator.
Proof.
First, it’s clear that the key generation algorithm of our PRS is the key generation algorithm of (that for input , samples ), and that the state generation algorithm of our PRS is .
Now, we argue that by the quantumsecurity of , for any polynomial number of copies , the distribution is computationally indistinguishable (by quantum adversaries) from a random binary phase state, that is, the distribution over qubit quantum states defined by
where is a truly random function.
By Theorem 1, a random binary phase state is an ARS (Definition 8), which in particular means that a random Haar state and a random binary phase state are computationally indistinguishable for any polynomial number of copies. By the triangle inequality of computational indistinguishability, we deduce that for any polynomial number of copies, the quantum distribution and the Haar distribution are computationally indistinguishable, which completes our proof. ∎
Remark 1.
We note that in our security proof we did not use the full power of quantumly secure PRFs. Indeed, it is sufficient to construct a PRF whose security only holds with respect to uniform superposition queries . This can be thought of as a quantum analog of the classical notion of weak PRFs [NR99]. In the classical setting, it is conjectured that weak PRFs reside in a lower complexity class than full-fledged PRFs [ABG14]. If similar behavior can be shown in the quantum case it could improve the efficiency of PRS constructions.
We leave the investigation of this new notion (which we propose to call quantumly weak PRFs) to future works.
We conclude with observing that by our result, the complexity of PRSs is no greater than that of QPRFs, and is moreover implementable by circuits.
Corollary 5.
Let be a . Thus there is a generator construction implemented by circuits, where is implemented by circuits of the same size and depth as that of the key sampling algorithm of , and is implemented by circuits of the same size and depth (up to asymptotics) as that of .
3.2 Shallow-Circuit Approximate Design Generators
We note that by a simple observation, we can replace the truly random function in Theorem 1 with a wise independent function to gain an elementary and efficient construction of quantum state approximate designs. Formally, we use the following fact.
Fact 6 ([Zha12], Fact 2).
The behavior of any quantum algorithm making at most queries to a wise independent function is identical to its behavior when the queries are made to a random function.
This implies that when is a wise independent function, then the state from Theorem 1 is a approximate design. We note that this observation can also be applied to the ARS from [JLS18], and it would imply a different (but seemingly less efficient) construction of designs.
Corollary 7.
The distribution over qubit quantum states defined by
where is a wise independent function, is a approximate design.
More explicitly, combining the above with Claim 3 implies that when is a wise independent function, is an approximate design generator (along with the key generation algorithm of ). The following corollary relates the complexity of design generators with that of the wise independent functions.
Corollary 8.
Let be a function and let , be a wise independent function. Thus there is an approximate quantum state design generator implemented by circuits, where is implemented by circuits of the same size and depth as that of the key sampling algorithm of , and is implemented by circuits of the same size and depth (up to asymptotics) as that of .
Finally, we can instantiate with a known construction of wise independent functions to obtain the following.
Corollary 9.
For every function , there exists a approximate quantum state design generator, implemented by circuits of size and depth.
Proof.
We recall the most elementary construction of wise independent distributions over variables. Consider the field and recall that elements correspond to degree formal polynomials with binary coefficients. Thus there is a natural bijection between and that allows representing elements as elements in . This representation allows performing field arithmetic operations using circuits of size and depth .
A wise independent distribution over is defined by the evaluations of a random degree polynomial over , on all elements in . The computational complexity of evaluating such a polynomial is and its depth is . Plugging in completes the proof (note that we only require wise independence over so our instantiation is actually a slight overkill). ∎
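The polynomial construction recalled in the proof, as an added example (not code from the paper) that checks independence exhaustively over a tiny field. The field sizes, the reduction polynomials and the choice of the low-order bit as the boolean output are assumptions; `coeffs` is the number of uniformly random coefficients, so the polynomial has degree coeffs - 1.

```python
from collections import Counter
from itertools import combinations, product

# Irreducible polynomials over GF(2) as bit masks (x^n term included),
# defining GF(2^n) for the small n used here.
IRREDUCIBLE = {2: 0b111, 3: 0b1011, 4: 0b10011}


def gf_mul(a, b, n):
    """Multiply two elements of GF(2^n) (shift-and-add with reduction)."""
    mod = IRREDUCIBLE[n]
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce
            a ^= mod
    return result


def poly_eval(key, x, n):
    """Evaluate the polynomial with coefficient tuple `key` at x (Horner's rule)."""
    acc = 0
    for c in key:
        acc = gf_mul(acc, x, n) ^ c
    return acc


def boolean_family(n, coeffs):
    """Truth table of f_key(x) = low bit of p_key(x), for every possible key."""
    size = 1 << n
    return [
        tuple(poly_eval(key, x, n) & 1 for x in range(size))
        for key in product(range(size), repeat=coeffs)
    ]


def is_wise_independent(tables, order):
    """Exhaustive check: on every set of `order` distinct inputs, the output
    bits are exactly uniform over {0,1}^order when the key is uniform."""
    size = len(tables[0])
    expected, remainder = divmod(len(tables), 2 ** order)
    if remainder:
        return False
    for points in combinations(range(size), order):
        hist = Counter(tuple(tab[x] for x in points) for tab in tables)
        if len(hist) != 2 ** order or set(hist.values()) != {expected}:
            return False
    return True


if __name__ == "__main__":
    linear = boolean_family(3, 2)   # degree-1 polynomials over GF(8)
    cubic = boolean_family(3, 4)    # degree-3 polynomials over GF(8)
    print("2 coefficients, order 2:", is_wise_independent(linear, 2))
    print("2 coefficients, order 4:", is_wise_independent(linear, 4))
    print("4 coefficients, order 4:", is_wise_independent(cubic, 4))
```

The failing case shows why the number of coefficients has to track the independence order required: with two coefficients the output bit is an affine function of the input bits, so the outputs on inputs 0, 1, 2, 3 always XOR to zero.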
4 Proof of Theorem 1
We introduce the following notation.
Notation 11 (Complex phase state by ).
For a function we denote
when it is clear from the context, the subscript will be dropped from .
Notation 12 (Binary phase state by ).
For a function we denote
when it is clear from the context, the subscript will be dropped from .
Notation 13 (copy random complex phase mixed state).
For , denote
where the expectation is taken over a uniformly random function .
Notation 14 (copy random binary phase mixed state).
For , denote
where the expectation is taken over a uniformly random function .
In [JLS18] it is shown that the random complex phase state is an ARS.
Lemma 10 ([JLS18], Lemma 2).
Let , then
We will show that a random binary phase state is asymptotically statistically close to a random complex phase state. More precisely, we will prove the following lemma.
Lemma 11.
Let , then
Using the triangle inequality of trace distance and Lemmas 10 and 11 (below, in the first inequality), we show that a random binary phase state is an ARS:
where is due to one variant of Bernoulli’s inequality (), and follows from the more popular variant of Bernoulli’s inequality ().
Therefore, all that remains is to prove Lemma 11, which will require most of the technical effort.
4.1 Proof of Lemma 11
Denote the difference matrix . The proof of the lemma contains two main components. First, an upper bound on the number of nonzero eigenvalues of .
Lemma 12.
Let and let , thus the number of nonzero eigenvalues of is upper bounded by
Second, a lower bound on the minimal (as in most negative) eigenvalue of .
Lemma 13.
Let and let , thus for all eigenvalues of we have .
Note that this will give an upper bound on the absolute values of all negative eigenvalues of .
Given the last two lemmas, we can prove Lemma 11.
Proof.
Let and let . is a difference between two density matrices, and because trace is linear and density matrices have a trace of 1, the trace of is 0. Also recall that the sum of eigenvalues of a matrix is equal to its trace, so the positive and negative eigenvalues of balance each other to 0, and thus a bound on the sum of absolute values of all eigenvalues of can be obtained by bounding the sum of the absolute values of its negative eigenvalues. Formally:
Using Lemma 12 and Lemma 13, we obtain an upper bound on the last sum, which yields the desired inequality.
∎
4.2 The Structure of the Matrix
We identify the structure of in order to prove Lemma 14, which will be used in both proofs of Lemmas 12, 13. We do this by first describing and . More precisely, we will derive combinatorial expressions for and , and as a consequence we’ll have an expression for their difference .
4.2.1 The Structure of
We will start with giving a formula for the entries of ; for convenience, the definition is restated:
Observe that for a function ,
Now we can compute :
So, for , the th entry of is
Now, define:
Definition 15 ( permutations).
Let , and denote , where . We say that , are permutations of each other (or just permutations of each other) if there exists a permutation s.t.
Note that an equivalent convenient characterization of the two strings being permutations of each other is that the multisets are equal.
Observe that when and are permutations of each other, then for every we have and thus the expected value is 1 and the entry’s value is . We would like to also claim that if are not permutations of each other then the entry is 0, and it turns out we indeed can. Observe that if are not permutations of each other then there exists a string that appears a different number of times in and , and we can say that the th entry is
where is some real number (which we won’t care about) and is the (nonzero) difference between the number of appearances of in and (last equality follows from the fact that the expectation of a product of independent random variables is the product of expectations). Now we will use our restriction on , which is that is strictly smaller than . Combined with the fact that , it is necessarily the case that (if could be as big as then will be able to be or some integer multiple of it, which will yield ). After this restriction we obtain:
Finally, the above yields a combinatorial description of :
4.2.2 The Structure of
By the same reasoning as in the case of , we obtain that the th entry of is
where this time is a random function from to (rather than from to ). Because , the entry is simplified to
Like in the case of , we would like a nice and clean combinatorial predicate to describe the entries of the matrix, and as we’ll see in a bit, the matrix indeed has the same general structure as but with a different predicate on .
First, define the following:
Definition 16 ( stabilizations).
Let , and denote , where . We say that , are stabilizations of each other (or just stabilizations of each other) if in the concatenated string , for every , appears an even number of times (this, of course, includes appearing 0 times).
We note that the stabilization relation (which is all pairs that stabilize each other) is an equivalence relation over the set (just like the permutation relation, which we did not mention is an equivalence relation, but it can easily be seen to be one). It is clear that the stabilization relation is reflexive ( is always stabilizing ), and it is also easy to verify that it is symmetric. To see why it is also transitive, we will use an additional characterization:
Definition 17.
For example, if and then .
We claim that two strings are stabilizations of each other if and only if . It is easy to verify the correctness of this claim, and also the fact that this claim implies the transitivity of the stabilization relation.
To identify the elements of it remains to observe that when are stabilizations of each other then the entry is , and when they are not, then we have and it can be verified that the entry is 0, which yields the following description of :
4.2.3 Conclusion
Note that if are permutations then they necessarily stabilize each other, but the converse is not true in general. Furthermore, it is fairly easy to find stabilizing pairs that are not permutations, for instance and
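An added example (not code from the paper) that checks the two predicates of this section exhaustively on a tiny instance and compares their equivalence classes. It assumes the binary phase state has amplitude (-1)^f(x) / sqrt(2^n) on each basis string x, so that every matrix entry is a fixed scaling of the expected sign computed below; n-bit strings are encoded as integers and the function names are illustrative.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def are_permutations(x, y):
    """Definition 15: the multisets of entries of x and y are equal."""
    return Counter(x) == Counter(y)


def are_stabilizations(x, y):
    """Definition 16: every string occurs an even number of times in x || y."""
    return all(count % 2 == 0 for count in Counter(x + y).values())


def expected_sign(x, y, n):
    """E_f[(-1)^(sum_i f(x_i) + sum_i f(y_i))], computed by enumerating
    every boolean function f on n-bit strings."""
    size = 1 << n
    total = 0
    for table in product((0, 1), repeat=size):     # truth table of one f
        parity = sum(table[z] for z in x + y) & 1
        total += -1 if parity else 1
    return Fraction(total, 1 << size)


def compare_relations(n, t):
    """Return (mismatches, pairs that stabilize but are not permutations).

    A mismatch is an entry whose brute-force expectation disagrees with the
    stabilization predicate, or a permutation pair that does not stabilize."""
    tuples = list(product(range(1 << n), repeat=t))
    mismatches = 0
    stab_not_perm = []
    for x in tuples:
        for y in tuples:
            stab = are_stabilizations(x, y)
            perm = are_permutations(x, y)
            if expected_sign(x, y, n) != (1 if stab else 0):
                mismatches += 1
            if perm and not stab:
                mismatches += 1
            if stab and not perm:
                stab_not_perm.append((x, y))
    return mismatches, stab_not_perm


def class_sizes(n, t, relation):
    """Sorted sizes of the equivalence classes of `relation` on t-tuples."""
    classes = []
    for x in product(range(1 << n), repeat=t):
        for cls in classes:
            if relation(cls[0], x):
                cls.append(x)
                break
        else:
            classes.append([x])
    return sorted(len(cls) for cls in classes)


if __name__ == "__main__":
    bad, extra = compare_relations(2, 2)           # n = 2 bits, t = 2 copies
    print("mismatches:", bad)
    print("stabilizing, non-permutation pairs:", len(extra), "e.g.", extra[0])
    print("permutation class sizes:  ", class_sizes(2, 2, are_permutations))
    print("stabilization class sizes:", class_sizes(2, 2, are_stabilizations))
```

For n = 2 and t = 2 the four tuples with a repeated entry are each alone in their permutation class but form a single stabilization class, which is the source of the additional nonzero entries.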