Hard Quantum Extrapolations in Quantum Cryptography

Luowen Qian¹ Justin Raizes² Mark Zhandry¹

(¹NTT Research, Inc.
²Carnegie Mellon University)

Abstract

Although one-way functions are well-established as the minimal primitive for classical cryptography, a minimal primitive for quantum cryptography is still unclear. Universal extrapolation, first considered by Impagliazzo and Levin (1990), is hard if and only if one-way functions exist. Towards better understanding minimal assumptions for quantum cryptography, we study the quantum analogues of the universal extrapolation task. Specifically, we put forth the classical $\rightarrow$ quantum extrapolation task, where we ask to extrapolate the rest of a bipartite pure state given the first register measured in the computational basis. We then use it as a key component to establish new connections in quantum cryptography: (a) quantum commitments exist if classical $\rightarrow$ quantum extrapolation is hard; and (b) classical $\rightarrow$ quantum extrapolation is hard if any of the following cryptographic primitives exists: quantum public-key cryptography (such as quantum money and signatures) with a classical public key or 2-message quantum key distribution protocols.

For future work, we further generalize the extrapolation task and propose a fully quantum analogue. We show that it is hard if quantum commitments exist, and it is easy for quantum polynomial space.

1 Introduction

Modern cryptography works by reducing the security of complicated cryptosystems down to the hardness of solving simpler problems. These reductions also have the side benefit that it enables us to modularize cryptographic constructions and theorems. A celebrated example developed through a sequence of such transformations is the fact that one-way functions — functions that are easy to compute but hard to invert — are sufficient to realize a large swath of symmetric key cryptography [GGM86, LR88, Rom90, HILL99]. On the other hand, one-way functions are inherent to the vast majority of complexity-based cryptography [IL89, Gol90]. This makes the one-way function abstraction a bedrock of modern cryptography, and cryptographers frequently refer to the assumed existence of one-way functions as the “minimal” assumption in cryptography.

The similar question for quantum cryptography is just as important but is a lot less studied for now. Interestingly, one-way functions are no longer minimal: recent works have demonstrated that using quantum information, cryptography can be based on assumptions that appear strictly milder than even a one-way function [Kre21, AQY22, MY22, KQST23]. This leads to the following fundamental question:

Is there a quantum analog of a one-way function, that is both inherent to essentially all of complexity-based cryptography, while also being sufficient to build useful cryptosystems?

In recent years, there have been some progress towards answering this question but it does not have a satisfactory answer yet. To explain this, let us first recall how classical cryptographic security is usually formalized. Broadly, we can divide them into two categories:

•

In a decision-style security game, the adversary’s goal is to distinguish between two experiments, such as distinguishing whether the encrypted message is $0$ or $1$ , or whether the game is in the real world or the ideal world.

Decision-style quantum security assumptions are fairly well understood. Specifically, security games of this style can be captured by the notion of an EFI pair, and any such EFI pairs implies a number of cryptographic tasks, such as commitments [Yan22, BCQ23].
•

In a search-style security game, the adversary’s goal is simply to produce certain message to satisfy some predicate, such as forging a signature or a quantum money state.

Search-style quantum security assumptions are a lot less studied. One glaring issue is that public-key quantum money, a very natural quantum cryptographic primitive, is not known to be related to the other quantum cryptographic primitives. In fact, public-key quantum money and its strengthening, quantum lightning [Zha21], are only known from extremely strong assumptions like post-quantum obfuscation or in ideal oracle models, yet we do not even know if any cryptographic assumption such as EFI pairs are necessary for them.

A few recent works have studied what we call a quantum $\rightarrow$ classical search-style assumption, where the adversary is given a potentially quantum input, and must produce some classical output. An example is a quantum one-way state generator [MY24], where informally a keyed mixed state can be efficiently prepared from its classical key but it is hard to find its key given the state. It was shown that quantum one-way state generators are existentially equivalent to EFI pairs [KT24, BJ24]. As a consequence of this, EFI pairs are implied by primitives like secret-key quantum money, given the scheme has a classical secret. However, public-key quantum money may not have a classical secret, and quantum lightning must not have a classical secret. Thus, this does not give us a way to construct EFI pairs from public-key quantum money.

Going to more general search-style assumptions, very little is known about the search-style assumption where the adversary is supposed to output some quantum state, or even a classical $\rightarrow$ quantum search-style assumption such as public-key quantum money. To make progress towards toward addressing the fundamental question above, we can ask a more concrete question:

Is it possible to build EFI pairs from public-key quantum money?

1.1 Classical $\rightarrow$ Quantum Extrapolation

To understand how EFI pairs, or equivalently, commitments may be built from public-key cryptography, let us take a step back and think about how a classical analogue of this is proved, for example, how we can construct a classical commitment scheme or a one-way function from a classical signature scheme. The key middle step of the classical proof [IL90] is the hardness of the universal extrapolation task. In particular, it is shown that secure signature schemes imply hardness of universal extrapolation, which in turn implies the existence of (distributional) one-way functions.

Inspired by this template, we study quantum analogues of this extrapolation task, which we emphasize is a search-style assumption. We first define classical $\rightarrow$ quantum extrapolation which, given an efficient quantum pure state, asks to extrapolate the rest of the quantum state conditioned/post-selected on measuring the first half of the state (in the computational basis).

Definition 1.1 (Classical $\rightarrow$ Quantum Extrapolation, informal).

A classical $\rightarrow$ quantum extrapolation problem is specified by a circuit $\mathsf{Gen}$ that produces a pure state, which can be written as

\ket{\mathsf{Gen}}=\sum_{s}\alpha_{s}\ket{s}_{\mathsf{A}}\otimes\ket{\psi_{s}}_{\mathsf{B}}

for some $\alpha_{s}\geq 0$ and unit vectors $\ket{\psi_{s}}$ . We say (a uniform family of) $\mathsf{Gen}$ is hard if for every QPT adversary $\mathsf{Adv}$ (potentially with auxiliary input), its output has a negligible overlap with the correct state $\ket{\psi_{s}}$ given the classical part $s$ , i.e.

\operatorname*{\mathbb{E}}[\mathrm{Tr}(\ket{\psi_{s}}\!\bra{\psi_{s}}\mathsf{Adv}(s))]=\mathrm{Tr}\left(\sum_{s}\alpha_{s}^{2}\ket{\psi_{s}}\!\bra{\psi_{s}}\mathsf{Adv}(s)\right)

is negligible.

Using similar proof ideas as classically, we can straightforwardly establish the following.

Proposition 1.2.

There exists a hard classical $\rightarrow$ quantum extrapolation task if any of the following exists:

•

Public-key quantum money scheme (with a classical public key).
•

Public-key quantum signature scheme (with a classical public key).
•

2-message quantum key distribution that is only unpredictably-secure.

Our main theorem then finishes the proof by establishing the following.

Theorem 1.3.

If there exists a hard classical $\rightarrow$ quantum extrapolation task, then quantum commitment schemes exist.

In fact, our commitment construction trivially adapts to cloneable $\rightarrow$ quantum extrapolation, where we only require the challenge $\mathsf{A}$ register to be cloneable instead of strictly classical. As a consequence, we can construct commitments from public-key quantum money scheme with a cloneable quantum public key as well. Interested readers should refer to the formal treatment later.

We remark that these results are optimal in a few perspectives. First, asking for the public key to be cloneable is barely a restriction: if one would like to reap the benefits of having a public key infrastructure, it is important for the authority to be able to efficiently clone and distribute public keys without all the users being online to produce new copies of the public key. Second, it is known that uncloneable public-key signatures (with bounded number of copies of the public key) are in fact statistically possible [GC01]. Third, 3-message quantum key distribution with unpredictability security is also statistically possible.

Remark 1.4.

It might be tempting to think that some form of distributional one-wayness should follow from hard classical $\rightarrow$ quantum extrapolation tasks. Classically, the truncated sampler of a hard-to-extrapolate distribution is immediately a distributionally one-way function; however, since a quantum algorithm can build a pure state from scratch, it is unclear if any meaningful form of distributional one-wayness can be constructed here. From this perspective, it appears that extrapolation is a more useful abstraction than distributional one-wayness.

1.2 Quantum Extrapolation

Given the result above, it is natural to wonder if some version of the following generalization is true: any search-style assumption implies EFI pairs, even if both the inputs and outputs are potentially quantum. With that said, to the best of our knowledge, all natural examples (binding security of commitments, or soundness of zero knowledge arguments) already imply EFI pairs.

Hence, we put forth a candidate quantum input, quantum output search task. Intuitively, the task is to convert a bipartite pure state into its canonical purification. We show that this task is implied by commitment schemes and on the other hand, can be solved in quantum polynomial space. We do not know how to use it to construct other primitives such as commitments, and we provide a discussion of the difficulties in extending our construction in Section 2.3.

Theorem 1.5 (Informal).

If quantum bit commitments exist, then there exists an efficiently preparable state with Schmidt decomposition

\sum_{i}\alpha_{i}\ket{A_{i}}\otimes\ket{B_{i}},

such that it is hard to coherently “strongly” map $\ket{B_{i}}$ to $\ket{A_{i}^{*}}$ on average over $\alpha_{i}$ . On the other hand, this task is possible in $\mathsf{pureUnitaryPSPACE}$ for any efficiently preparable state.

We leave as interesting open question whether the hardness of this task can be used to construct EFI pairs or other cryptographically useful hardness.

2 Technical Overview

2.1 Why a New Approach?

Before we discuss our commitment construction, one might wonder if it might be simpler to generalize the construction of commitments (or EFI pairs) from quantum one-way state generators [KT24, BJ24] to this setting. After all, their techniques can handle quantum $\rightarrow$ classical search-style assumption and we only need to do the other way around.

Upon closer inspection, it appears that unfortunately their techniques crucially rely on having access to a classical secret. More specifically, their construction of EFI pair on a high level still goes through the classical construction of hardcore predicates from one-way functions, and this in turn builds on the fact that the secret is classical.

To see this, recall that the construction essentially leaks some random inner product about the secret and argues that such a leakage appears computationally random to the adversary. However, the presence of a quantum secret shuts down this approach due to the lack of a quantum analogue of the Goldreich–Levin hardcore bit. In fact, some natural formulation of such an analogue is flat out impossible. For example, assume the quantum secret is a (computationally) Haar random state. Then a non-trivial leakage would instead be statistically independent of the secret, whereas the GL hardcore bit is statistically determined by the secret.

Another naïve approach is to try to apply the construction of one-way functions from hardness of universal extrapolation to the classical $\rightarrow$ quantum extrapolation setting. Unfortunately, this construction also applies randomness extractors on the secret and we run into a similar difficulty as above.

2.2 Commitments from Classical $\rightarrow$ Quantum Extrapolation

Given the known approaches of constructing EFI pairs do not seem to work, it appears that a drastically different approach is needed. The initial idea is that since the binding security game of the commitment scheme is already a search-style assumption and is known to be existentially equivalent to EFI pairs, it might be easier to construct a computationally binding commitment instead. Perhaps we can carefully craft a commitment scheme so that breaking its binding would directly correspond to solving the extrapolation problem. This idea was also used to construct commitments from secretly-verifiable statistically-invertible one-way state generators [MY24].

To construct a commitment, we will use the canonical commitment scheme template [Yan22]. As a starting point, imagine a sender who manufactures $\ket{\mathsf{Gen}}$ in the opening register $\mathsf{D}$ and copies $s$ to the commitment register $\mathsf{C}$ . This results in the state

\sum_{s}\alpha_{s}\ket{s}_{\mathsf{C}}\otimes\ket{s,\psi_{s}}_{\mathsf{D}},

which we will use as the commitment and the decommitment register if we want to commit to bit $1$ .

Now imagine if we could also “obliviously” quantum sample the challenge distribution, that is, we can prepare the following pure state

\sum_{s}\alpha_{s}\ket{s}_{\mathsf{C}}\otimes\ket{s}_{\mathsf{D}}

for the case of committing to $0$ . For example, if the reduced density matrix on $s$ is maximally mixed, then this is essentially asking to prepare the maximally entangled state, which can be efficiently done.

However, note that if this were indeed possible, we would be done as the commitment would be computationally binding. If a malicious committer commits to $0$ and wishes to change his mind to decommit to $1$ , he would essentially be forced to craft the state $\ket{\psi_{s}}$ given only $s$ .

Removing quantum sampling assumption.

Unfortunately, not every efficient distribution can be quantum sampled unless, for example, $\mathsf{SZK}\subseteq\mathsf{BQP}$ [AT07]. Thus we want to also handle the case where $s$ can be arbitrarily distributed, which could be the case for a general quantum money scheme.

A first idea is that maybe starting from the $0$ -commitment state, we can “effectively” remove $\ket{\psi_{s}}$ from the committer’s view (or equivalently, its register $\mathsf{D}$ ). Naïvely we could simply assign the state $\ket{\psi_{s}}$ to the $\mathsf{C}$ register. However, the resulting commitment scheme would be not hiding, so some care has to be taken.

The next idea, then, is to maybe employ some encryption scheme to do this. More specifically, our second attempt is as follows:

	$\displaystyle\ket{\mathsf{com}_{0}}$	$\displaystyle=\operatorname*{\mathbb{E}}_{k}\left[\sum_{s}\alpha_{s}\ket{s,k}_{\mathsf{C}}\otimes\ket{s,Enc(k,\psi_{s})}_{\mathsf{D}}\right],$
	$\displaystyle\ket{\mathsf{com}_{1}}$	$\displaystyle=\operatorname*{\mathbb{E}}_{k}\left[\sum_{s}\alpha_{s}\ket{s,k}_{\mathsf{C}}\otimes\ket{s,Enc(k,0),\psi_{s}}_{\mathsf{D}}\right],$

for some encryption scheme $Enc$ .

Now, what encryption scheme would work? The most natural candidate, quantum one-time pad, turns out not to work: if $\ket{\psi_{s}}$ are all encoded in Hadamard basis then the resulting scheme would again not be hiding.

Nevertheless, we make the crucial observation: this attack appears to rely on the secret quantum state being encoded in a specific basis. If we attempt to encrypt, instead of only in two bases, in exponentially many bases, then the probability that we hit such a bad basis would be negligible. To make this efficient, let us say that we just pick one of bases to encrypt uniformly at random. Since adding random phases to a basis is equivalent to measuring it, this gives us the following random-measurement commitment scheme.

Construction 2.1 (Informal).

Consider an (exponentially large) family of complete measurement bases $M=\{\ket{\phi_{k,x}}\}$ indexed by $k$ and measurement outcome $x$ . Given a quantum state $\ket{\psi}$ , we use the notation $\ket{M_{k}(\psi)}\otimes\ket{M_{k}(\psi)}$ to informally denote measuring $\ket{\psi}$ in basis $k$ and then cloning the outcome into the second register. More formally,

\ket{M_{k}(\psi)}\otimes\ket{M_{k}(\psi)}=\sum_{x}\left\langle\phi_{k,x}\middle|\psi\right\rangle\ket{x}\otimes\ket{x}.

Then the random-measurement commitment with bases $M$ is the following construction:

	$\displaystyle\ket{\mathsf{com}_{0}}$	$\displaystyle=\operatorname*{\mathbb{E}}_{k}\left[\sum_{s}\alpha_{s}\ket{s,k,M_{k}(\psi_{s})}_{\mathsf{C}}\otimes\ket{s,k,M_{k}(\psi_{s})}_{\mathsf{D}}\right],$
	$\displaystyle\ket{\mathsf{com}_{1}}$	$\displaystyle=\operatorname*{\mathbb{E}}_{k}\left[\sum_{s}\alpha_{s}\ket{s,k,M_{k}(0)}_{\mathsf{C}}\otimes\ket{s,k,M_{k}(0),\psi_{s}}_{\mathsf{D}}\right].$

In the encryption perspective, this is equivalently using a random encryption scheme indexed by some public randomness $k$ , and secret random phases are added to the basis specified by $k$ . Moving forward, we will use the measurement perspective since it is more convenient for the analysis.

We now need to argue that the commitment is hiding and binding and neither is obvious at this point. Intuitively, hiding should hold as our intuition above indicates that a sufficiently random set of bases should evade the bad distinguishing attack with overwhelming probability. On the other hand, giving the adversary a complete measurement of the state in a probably useless basis should not help the adversary to swap the state out with the zero state — or in the encryption perspective, the encryption should be secure enough that the adversary could only build the state from scratch instead of extracting useful information from the encryption.

Weak statistical hiding.

As observed above, the family of measurement bases must be sufficiently large, and different bases need to be “independent” enough to avoid the attack above. Given these criteria, we consider a few candidates: (1) mutually unbiased bases (MUBs); (2) unitary $t$ -designs; (3) stripped down $t$ -designs such as binary phase bases [MPSY24]. It turns out that both MUBs and $t$ -designs for $t\geq 2$ work, while $1$ -designs and binary phase bases do not necessarily work. For comparison, MUBs have very good randomness complexity ( $n$ bits of randomness for hiding $n$ qubits) while $2$ -designs or random Cliffords are more efficient (can be applied in quasi-linear time). For interested readers, we explain the counterexamples in Appendix A.

On a high level, the hiding proof can be reduced the following question: given any two mixed states $\rho_{0},\rho_{1}$ that could be statistically far; is it true that the states after measuring them in a random basis $k$ , $(\rho_{0}^{(k)},k),(\rho_{1}^{(k)},k)$ are somewhat statistically close? This also might be an independently interesting question on its own beyond this application: traditionally, tomography asks for a set of measurements that preserves the quantum information; here, we ask for a set of measurements that destroys quantum information with respect to statistical distance.

Crucially, we need to bound the statistical distance even if the basis choice $k$ is revealed. This is problematic for the proof of $t$ -designs, since $t$ -designs generally do not guarantee anything if the secret key $k$ is revealed: everyone can check that the specific unitary corresponding to $k$ is applied instead of a Haar random unitary. However, there is a simple trick we can apply: the statistical distance we need to bound above can be equivalently expressed as $\operatorname*{\mathbb{E}}_{k}[TD(\rho_{0}^{(k)},\rho_{1}^{(k)}]$ , as the distribution over $k$ is identical. Furthermore, here the key is no longer given to the distinguisher. Even though trace distance is not a polynomial (due to the absolute value), we can nevertheless bound it by an appropriate degree- $2$ polynomial and then invoke the security of $2$ -designs. In the end, we prove that the average statistical distance under $2$ -designs is at most $1/\sqrt{2}$ . Curiously, it appears that even measurements under Haar random unitaries would still leave behind $1/2$ statistical distance.

To prove MUBs work, we leverage a useful fact by Ivanovic [Iva81, Iva92] that any density matrix can be decomposed into the sum of its post-measurement states over all MUBs; furthermore, each pair of states are orthogonal with respect to the Hilbert–Schmidt inner product after appropriate renormalization. Utilizing the orthogonality, we can translate the average ( $L^{1}$ ) statistical distance to ( $L^{2}$ ) Hilbert–Schmidt distance to invoke the decomposition, and then back to statistical distance without losing too much. In the end, we can compute that the average statistical distance under MUBs is at most $1/\sqrt{2}$ as well.

We refer interested readers to the later sections for a more detailed proof.

Computational binding.

To show (honest) binding, we show that any adversary who is given register $\mathsf{D}$ of $\ket{\mathsf{com}_{0}}$ and successfully opens to $1$ can be used to solve the classical $\rightarrow$ quantum extrapolation problem. In the classical $\rightarrow$ quantum extrapolation game, the reduction is essentially given a mixed state $\sum_{s}\alpha_{s}^{2}\ket{s}\!\bra{s}$ . In order to meaningfully invoke the binding adversary, the reduction must produce the reduced density matrix on $\mathsf{D}$ of $\mathsf{com}_{0}$ , which looks like

\sum_{k,s}\alpha_{s}^{2}\ket{s}\!\bra{s}\otimes\ket{k}\!\bra{k}\otimes\rho_{k,s}\otimes\ket{\vec{0}}\!\bra{\vec{0}}

when $\mathsf{C}$ is traced out, where $\rho_{k,s}$ denotes the mixed state resulting from measuring $\ket{\psi_{s}}$ in the basis $k$ . Observe that since the canonical-form commitment receiver is going to project on to the $\ket{\mathsf{com}_{1}}$ state, the adversary’s output must (at the very least) be the following form:

\sum_{k,s}\alpha_{s}^{2}\ket{s}\!\bra{s}\otimes\ket{k}\!\bra{k}\otimes\ket{\psi_{s}}\!\bra{\psi_{s}}\otimes\rho^{\prime}_{k,s}

for some $\rho^{\prime}_{k,s}$ . This is true since the committer already holds a copy of $k$ and $s$ . Therefore, as long as we can mimic the distribution on $k$ and $\rho_{k,s}$ , the reduction would work.

Recall our intuition above that $\rho_{k,s}$ should disclose very little information so that it would not help the adversary to prepare $\ket{\psi_{s}}$ . This suggests that maybe the reduction can just put there maybe a maximally mixed state and hope that the adversary would not notice. However, recall from above that $\rho_{k,s}$ is only weakly hiding. In other words, it may contain some information about $\ket{\psi_{s}}$ . It is not clear that the reduction can generate such a state without already violating the hardness of the extrapolation problem.

Our solution is to simply generate $\rho_{k,0}$ , a measurement of $\ket{\vec{0}}$ in the basis $k$ , and feed it to the binding adversary instead. In other words, we are again measuring all zeroes and expect the adversary to not see a difference. This turns out to work. Although $\rho_{k,0}$ only matches $\rho_{k,s}$ to a limited degree, it does match register $\mathsf{C}$ from $\ket{\mathsf{com}_{0}}$ . Since register $\mathsf{C}$ in $\ket{\mathsf{com}_{1}}$ would contain $\rho_{k,s}$ instead of $\rho_{k,0}$ , the support states where $\rho_{k,s}$ significantly differs from $\rho_{k,0}$ precisely cover the case where the commitment is statistically binding. Thus, the assumed binding adversary’s advantage must be entirely on the portion of $\rho_{k,s}$ which matches $\rho_{k,0}$ . In order for the substitution to work, the receiver’s view of $\rho_{k,0}$ in $\ket{\mathsf{com}_{0}}$ must be symmetric with the sender’s view of $\rho_{k,s}$ in $\ket{\mathsf{com}_{1}}$ . Therefore if the choice of basis $k$ appears in one view, it must appear in both.

2.3 Quantum Extrapolation

Here, we discuss the more general task of quantum extrapolation, where an adversary operates on register $\mathsf{B}$ of the Schmidt decomposed state

\sum_{i}\alpha_{i}\ket{A_{i}}_{\mathsf{A}}\otimes\ket{B_{i}}_{\mathsf{B}}.

For the sake of exposition, we omit conjugations of the states and assume it is hard to coherently map $\ket{B_{i}}$ to $\ket{A_{i}}$ on average over $\alpha_{i}$ . Technically, the conjugation is necessary for ensuring that the solution is well-defined, since the Schmidt decomposition of a state is not necessarily unique. See the technical sections for a formal treatment.

Implications from Public-Key Quantum Money and Commitments.

It is not hard to see that both public-key quantum money and commitments imply hard quantum extrapolation tasks. In the case of public-key quantum money, we may regard the serial number as $\ket{B_{i}}$ and the banknote as $\ket{A_{i}}$ ; thus, any adversary mapping $\ket{B_{i}}\mapsto\ket{A_{i}}$ counterfeits banknotes using their serial numbers.

The case of commitments is only slightly more complicated. A perfectly hiding commitment in canonical quantum form has a Schmidt decomposition

	$\displaystyle\ket{\mathsf{com}_{0}}$	$\displaystyle=\sum_{i}\alpha_{i}\ket{c_{i}}_{\mathsf{C}}\otimes\ket{d_{i,0}}_{\mathsf{D}},$
	$\displaystyle\ket{\mathsf{com}_{1}}$	$\displaystyle=\sum_{i}\alpha_{i}\ket{c_{i}}_{\mathsf{C}}\otimes\ket{d_{i,1}}_{\mathsf{D}}.$

Note that because the commitment is perfectly hiding, the left hand side of the two decompositions are the same. Thus, if an adversary could coherently map $\ket{d_{i,0}}\mapsto\ket{c_{i}}\mapsto\ket{d_{i,1}}$ , they could open $\ket{\mathsf{com}_{0}}$ to $\ket{\mathsf{com}_{1}}$ by operating only on the opening register, breaking computational binding.

Handling statistical hiding is essentially the same reduction, but the analysis is more difficult. Essentially, we need to argue that statistical hiding implies that the two target states are close. We prove this by establishing that the closeness of the target states is captured by the Holevo fidelity and then utilizing a tight connection between Holevo fidelity and trace distance [Hol72].

Difficulties in Building Commitments.

It is natural to wonder whether our construction from cloneable $\rightarrow$ quantum extrapolation can be extended to the more general quantum extrapolation task. A natural attempt is to prepare the extrapolation state in the opening register $\mathsf{D}$ , then “destroy” either $\ket{A_{i}}$ or $\ket{B_{i}}$ , depending on the message bit, by measuring it and copying it in a random basis to the commitment register $\mathsf{C}$ . This results in a commitment which looks like the following:

	$\displaystyle\ket{\mathsf{com}_{0}}$	$\displaystyle=\operatorname*{\mathbb{E}}_{k}\left[\sum_{i}\alpha_{i}\Ket{k,M_{k}\left(A_{i}\right)}_{\mathsf{C}}\otimes\Ket{k,B_{i},M_{k}\left(A_{i}\right)}_{\mathsf{D}}\right],$
	$\displaystyle\ket{\mathsf{com}_{1}}$	$\displaystyle=\operatorname*{\mathbb{E}}_{k}\left[\sum_{i}\alpha_{i}\Ket{k,M_{k}\left(B_{i}\right)}_{\mathsf{C}}\otimes\Ket{k,A_{i},M_{k}\left(B_{i}\right)}_{\mathsf{D}}\right].$

In order to open $\ket{\mathsf{com}_{1}}$ to $\ket{\mathsf{com}_{0}}$ , it would suffice to map $\ket{B_{i}}\mapsto\ket{A_{i}}$ and let the statistical hiding take care of the differences between $M_{k}(A_{i})$ and $M_{k}(B_{i})$ . Unfortunately, it is not clear whether this mapping is necessary to break binding. In particular, the commitment register only contains partial information about $\ket{A_{i}}$ , so the adversary is not necessarily bound to any particular $i$ when breaking binding. instead, it could potentially map $\ket{B_{i}}$ onto a superposition of $\ket{A_{j}}$ ’s.

For a more concrete example, consider the state $\sum_{x}\ket{x}\otimes H\ket{x}=\sum_{xy}(-1)^{x\cdot y}\ket{x}\otimes\ket{y}$ and the fixed measurement of measuring in the computational basis (note that our binding proof before works for any family of measurement bases). Then the resulting commitment has identical commitment states: $\sum_{xy}(-1)^{x\cdot y}\ket{x}\otimes\ket{y,x}=\sum_{xy}(-1)^{x\cdot y}\ket{y}\otimes\ket{x,y}$ . This means that the action to break binding is the identity unitary, whereas we would expect the adversary to apply the Hadamard gates.

2.4 Related Works

Both our construction and the commitment construction from one-way state generator [KT24, BJ24] (can) make use of unitary $t$ -designs. Interestingly, the similarity is superficial since the purposes are opposite. (As a historical note, we actually arrived at this construction before we became aware of [KT24].) In our work, we use $2$ -designs to reduce statistical distance, whereas in their work, $3$ -designs are indirectly used by classical shadow to preserve information about the quantum state since they are tomographically complete.

After we have announced our results, a more recent work by Dakshita Khurana and Kabir Tomer [KT24a] independently constructs commitment schemes from a state puzzle, which is equivalent to our definition of a hard classical $\rightarrow$ quantum extrapolation task. They also prove an amplification theorem for state puzzles, thus commitments can also be built from weak state puzzles, or equivalently, weakly-hard classical $\rightarrow$ quantum extrapolation tasks. However, their techniques would not immediately extend if we instead have a hard cloneable $\rightarrow$ quantum extrapolation task. To see this, their main idea is to view this hardness as a hard state synthesis problem, and construct hard one-way puzzles (or classical $\rightarrow$ classical extrapolation tasks) from this hardness using similar techniques as for solving state synthesis with a classical oracle; afterwards, commitments are built using prior work [KT24]. In comparison, we construct a commitment directly from hard classical $\rightarrow$ quantum extrapolation tasks and the construction trivially extends to cloneable bases as well.

3 Commitments

We recall the definition of a canonical non-interactive quantum bit commitment from [Yan22].

Definition 3.1 (Quantum Bit Commitment Syntax).

A canonical (non-interactive) quantum bit commitment) is specified by a family of unitaries $\{\mathsf{Com}_{\lambda}\}_{\lambda\in\mathbb{N}}$ which acts on two registers $\mathsf{C}$ and $\mathsf{D}$ . It consists of two stages:

•

Commit. To commit to a bit $b$ , the sender prepares the state $\ket{b}\otimes\ket{\vec{0}}$ in register $(\mathsf{C},\mathsf{D})$ , then applies $\mathsf{Com}_{\lambda}$ to it to obtain the state $\ket{\mathsf{com}_{b}}_{\mathsf{C},\mathsf{D}}$ .¹¹1To simplify the notation, we write $\ket{\vec{0}}$ to denote enough $\ket{0}$ states to finish filling the register. It sends register $\mathsf{C}$ to the receiver as the commitment register and keeps $\mathsf{D}$ as the opening register.
•

Open. To open the commitment, the sender sends register $\mathsf{D}$ to the receiver. The receiver applies $\mathsf{Com}_{\lambda}^{\dagger}$ to register $(\mathsf{C},\mathsf{D})$ , then measures the register in the computational basis. If the measurement result is of the form $b\|\vec{0}$ for a bit $b$ , the receiver outputs $b$ . Otherwise they output $\bot$ .

Note that a canonical commitment inherently enjoys completeness; the receiver will always output $b$ as the result of opening a commitment to $b$ , because its measurement for output $b$ is exactly a projection onto the state the sender prepares.

A quantum bit commitment must also satisfy hiding and a notion of binding. We consider honest-binding, which informally guarantees that no adversary given an honestly-prepared commitment to $0$ can open it to $1$ instead, and vice-versa. It is known that honest-binding for canonical form commitments suffices for stronger binding security [Yan22].

Definition 3.2 (Honest Binding).

A commitment scheme $\{\mathsf{Com}_{\lambda}\}_{\lambda\in\mathbb{N}}$ is computationally (resp. statistically) $\epsilon$ -honest-binding if for every sufficiently large security parameter $\lambda$ , every auxiliary input $\ket{\psi}$ in register $\mathsf{A}$ , and every polynomial-time (resp. physically) realizable unitary $U$ operating on register $(\mathsf{A},\mathsf{D})$ ,

\mathrm{Tr}[\left(I\otimes\ket{\mathsf{com}_{1}}\!\bra{\mathsf{com}_{1}}\right)U\left(\ket{\psi}\!\bra{\psi}\otimes\ket{\mathsf{com}_{0}}\!\bra{\mathsf{com}_{0}}\right)U^{\dagger}]\leq\epsilon

When $\epsilon=\mathsf{negl}$ , we simply refer to the commitment as honest-binding.

It is known that binding on $0\to 1$ as defined above also implies binding on $1\to 0$ , where the adversary’s task is instead transforming an honest commitment to the $1$ bit into one to the $0$ bit.

Definition 3.3 (Commitment Hiding).

A commitment is computationally (resp. statistically) $\epsilon$ -hiding if the states

	$\displaystyle\mathrm{Tr}_{\mathsf{D}}\left(\ket{\mathsf{com}_{0}}\!\bra{\mathsf{com}_{0}}\right)$
	$\displaystyle\mathrm{Tr}_{\mathsf{D}}\left(\ket{\mathsf{com}_{1}}\!\bra{\mathsf{com}_{1}}\right)$

are $\epsilon$ -computationally (resp. $\epsilon$ -statistically) indistinguishable for every sufficiently large $\lambda$ . When $\epsilon=\mathsf{negl}$ , we simply refer to the commitment as hiding.

While the security presented here may appear weak, it is known that canonical form commitments satisfying honest binding and hiding is sufficient for constructing commitments with stronger security.

4 Statistical Hiding via Random Measurements

We give two methods to coherently “destroy” the information in a quantum state by dividing it into two registers so that each register on its own contains only a limited amount of information about the original state. Concretely, consider measuring a $n$ -qubit register ${\cal R}$ with respect to a basis $B_{i}$ which is drawn from a set of bases ${\cal B}$ , then outputting both the measurement result and the choice of basis $i$ . We prove that for certain sets of bases, the expected distance between the distributions induced by this procedure on any two states (averaged over the choice of basis, which equals the total trace distance) is bounded away from $1$ .

We first prove hiding when the set of bases ${\cal B}$ is mutually unbiased. To do this, we recall the definition of mutually unbiased bases and their properties.

Consider an $N$ -dimensional quantum state. A complete measurement is a set of rank-1 projectors $\{P_{i}\}_{i\in[N]}$ such that $\mathrm{Tr}\left(P_{i}P_{j}\right)=\delta_{ij}$ . Two complete measurements $\{P_{i}\}_{i\in[N]}$ and $\{Q_{i}\}_{i\in[N]}$ are mutually unbiased if $\mathrm{Tr}\left(P_{i}Q_{j}\right)=1/N$ for all $i,j$ . A maximum set of mutually unbiased bases (MUBs) is a set of $(N+1)$ complete measurements $\{\{P_{i}^{(r)}\}_{i\in[N]}\}_{r\in[N+1]}$ that are mutually unbiased. For the qubit-string case ( $N=2^{n}$ ), it is known how to measure any complete measurement in a maximum set of MUBs in time $O(n^{3})$ [DPS04, Section 5.1].

All Hermitian $N$ -dimensional matrices form an $N^{2}$ -dimensional real vector space under the Hilbert–Schmidt inner product $\langle X,Y\rangle:=\mathrm{Tr}\left(XY\right)$ . This also induces the Hilbert–Schmidt norm $\left\lVert X\right\rVert=\sqrt{\mathrm{Tr}\left(X^{2}\right)}$ .

Lemma 4.1 ([Iva81, Iva92]).

When a maximum set of MUBs is known, a density matrix $W$ has the following orthogonal decomposition

W=\frac{I}{N}+\sum_{r}\left(W^{(r)}-\frac{I}{N}\right)

(1)

with respect to the Hilbert–Schmidt inner product, where $W^{(r)}:=\sum_{i}P_{i}^{(r)}WP_{i}^{(r)}$ is the projection onto the $r$ -th MUB.

Leveraging these, we prove the following lemma, which intuitively states that the statistical distance would be somewhat hidden under most MUB measurements. Notably, this is true even if the distinguisher knows the measurement basis.

Lemma 4.2.

Let $N$ be a prime power and let ${\cal B}$ be any set of $p\leq N+1$ MUBs. For any two density matrices $W_{0}$ and $W_{1}$ , the expected trace distance between the post-measurement state of $W_{0}$ and $W_{1}$ under a random $r\leftarrow{\cal B}$ is

\operatorname*{\mathbb{E}}_{r\leftarrow{\cal B}}\left[\mathsf{TD}\left(W_{0}^{(r)},W_{1}^{(r)}\right)\right]\leq\sqrt{\frac{N}{2p}}\cdot\mathsf{TD}\left(W_{0},W_{1}\right).

In particular, if we instantiate $p=N$ , then we get statistical distance to be at most $1/\sqrt{2}$ .

Proof.

Leveraging the orthogonal decomposition from (1), we can see that

\left\lVert W_{0}-W_{1}\right\rVert^{2}=\sum_{r}\left\lVert W_{0}^{(r)}-W_{1}^{(r)}\right\rVert^{2}

as all the cross terms are $0$ . Dividing both sides by $p$ , we get

	$\displaystyle\operatorname*{\mathbb{E}}_{r}\left[\left\lVert W_{0}^{(r)}-W_{1}^{(r)}\right\rVert^{2}\right]$	$\displaystyle=\frac{1}{p}\left\lVert W_{0}-W_{1}\right\rVert^{2}$
		$\displaystyle=\frac{1}{p}\left\lVert W_{+}-W_{-}\right\rVert^{2}$
		$\displaystyle=\frac{\left\lVert W_{+}\right\rVert^{2}+\left\lVert W_{-}\right\rVert^{2}}{p}$
		$\displaystyle\leq\frac{\left\lVert W_{+}\right\rVert_{1}^{2}+\left\lVert W_{-}\right\rVert_{1}^{2}}{p}$
		$\displaystyle=\frac{\left\lVert W_{0}-W_{1}\right\rVert_{1}^{2}}{2p},$

where the second equality is considering the Jordan–Hahn decomposition of $W_{0}-W_{1}$ , which gives two orthogonal PSD matrices $W_{+},W_{-}$ such that $\mathrm{Tr}\left(W_{+}\right)=\mathrm{Tr}\left(W_{-}\right)=\frac{1}{2}\left\lVert W_{0}-W_{1}\right\rVert_{1}$ . This is because $\mathrm{Tr}\left(W_{+}\right)+\mathrm{Tr}\left(W_{-}\right)=\mathrm{Tr}\left(W_{+}+W_{-}\right)=\left\lVert W_{0}-W_{1}\right\rVert_{1}$ and $\mathrm{Tr}\left(W_{+}\right)-\mathrm{Tr}\left(W_{-}\right)=\mathrm{Tr}\left(W_{+}-W_{-}\right)=\mathrm{Tr}\left(W_{0}-W_{1}\right)=0$ .

Then the overall trace distance of doing a random MUB measurement is, by Cauchy–Schwarz,

	$\displaystyle\frac{1}{2}\operatorname*{\mathbb{E}}_{r}\left[\left\lVert W_{0}^{(r)}-W_{1}^{(r)}\right\rVert_{1}\right]$	$\displaystyle\leq\frac{1}{2}\sqrt{N}\cdot\operatorname*{\mathbb{E}}_{r}\left[\left\lVert W_{0}^{(r)}-W_{1}^{(r)}\right\rVert\right]$
		$\displaystyle\leq\frac{\sqrt{N}}{2}\cdot\sqrt{\operatorname*{\mathbb{E}}_{r}\left[\left\lVert W_{0}^{(r)}-W_{1}^{(r)}\right\rVert^{2}\right]}$
		$\displaystyle\leq\sqrt{\frac{N}{2p}}\cdot\frac{\left\lVert W_{0}-W_{1}\right\rVert_{1}}{2},$

where the second inequality is due to Jensen’s inequality. ∎

In Appendix A, we further discuss a few alternative choices of bases of measurement that work or do not work.

5 Commitments from Hard Classical $\rightarrow$ Quantum Extrapolation

5.1 Classical $\rightarrow$ Quantum Extrapolation

Here, we define a computational task which we call classical $\rightarrow$ quantum extrapolation. At a high level, a classical $\rightarrow$ quantum extrapolation problem is specified by an efficiently sampleable distribution over pairs $(s,\ket{\psi_{s}})$ consisting of a classical string $s$ and a quantum state $\ket{\psi_{s}}$ . Given a random $s$ , the adversary’s task is to extrapolate the quantum half of the pair $\ket{\psi_{s}}$ . We say that this task is hard if no QPT adversary succeeds at this with noticeable probability over the choice of $s$ .

Definition 5.1.

A cloneable $\rightarrow$ quantum extrapolation problem is specified by two efficient families of isometries $(\mathsf{Gen},\mathsf{Clone})$ satisfying the following property.

•

(Cloning correctness) For every $\lambda$ , let $\left\{\ket{\mathsf{chal}_{i}}\right\}_{i}$ be the set of unit vectors such that $\mathsf{Clone}_{\lambda}\ket{\mathsf{chal}_{i}}=\ket{\mathsf{chal}_{i}}\ket{\mathsf{chal}_{i}}$ .²²2By the fact that isometries preserve inner products, it is not hard to see that all vectors in this set are mutually orthogonal. However, this might not form a basis since the set might be empty. Then the state generated by $\mathsf{Gen}_{\lambda}$ should admit the following decomposition $\mathsf{Gen}_{\lambda}=\sum_{i}\alpha_{i}\ket{\mathsf{chal}_{i}}_{\mathsf{A}}\otimes\ket{\psi_{i}}_{\mathsf{B}}$ for some $\alpha_{i}\geq 0$ and unit vector $\ket{\psi_{i}}$ . In other words, $\left(\left(I-\sum_{i}\ket{\mathsf{chal}_{i}}\!\bra{\mathsf{chal}_{i}}\right)\otimes I\right)\mathsf{Gen}_{\lambda}=0$ .

The goal of the task is on input $\ket{\mathsf{chal}_{i}}$ , produce $\ket{\psi_{i}}$ with non-negligible probability, or more formally, the probability that $\mathsf{Adv}$ with auxiliary input $\mathsf{aux}$ succeeds

\mathrm{Tr}\left(\sum_{i}\alpha_{i}^{2}\ket{\psi_{i}}\!\bra{\psi_{i}}\mathsf{Adv}\left(\ket{\mathsf{chal}_{i}}\!\bra{\mathsf{chal}_{i}}\otimes\mathsf{aux}\right)\right)

is non-negligible.³³3Here, we do not require that the target states $\ket{\psi_{i}}$ are orthogonal. For example, in public key quantum money, different serial numbers may recognize overlapping banknotes. The challenger can prepare the challenge mixed state $\sum_{i}\alpha_{i}^{2}\ket{\mathsf{chal}_{i}}\!\bra{\mathsf{chal}_{i}}$ in the adversary’s view by preparing $\mathsf{Gen}_{\lambda}$ , then cloning $\ket{\mathsf{chal}_{i}}$ into an internal register.

In particular, if $\mathsf{Clone}\ket{x}=\ket{x}\ket{x}$ is simply cloning in the computational basis, then we consider this as a classical $\rightarrow$ quantum extrapolation task.

Here, we make the distinction between efficiently cloneable basis and classical (or telegraphable) basis since efficiently cloneable basis might be a larger class [NZ24].

5.2 Hardness from Cryptographic Primitives

Hard classical $\rightarrow$ quantum extrapolation is implied by many natural quantum primitives, such as public-key quantum money and signatures with classical verification keys. Morally, such hard extrapolation task is simply the impossibility to sample the secret quantum state conditioned on the public classical verification key. In more details,

•

In the case of public-key quantum money, no QPT adversary who is given the public verification key $\mathsf{vk}$ should be able to construct a state $\ket{\$}$ which passes $\mathsf{Verify}(\mathsf{vk},\ket{\$})$ with noticeable probability; otherwise, they could “clone” or forge banknotes just by looking at the verification key. Since it is efficent to sample $\mathsf{vk}$ together with a passing banknote $\ket{\$}$ , any adversary for the classical $\rightarrow$ quantum extrapolation task defined by that sampling procedure forges banknotes with noticeable probability. This also extends to public-key quantum money where the public key is only cloneable instead of classical (and we get a hard cloneable $\rightarrow$ quantum extrapolation task instead), or if the money has a serial number.
•

Similarly, we can construct a hard cloneable $\rightarrow$ quantum extrapolation task from signatures with cloneable verification keys. The task is again “inverting” the quantum secret state corresponding to the cloneable verification key that is used to sign additional messages. If we can create the quantum secret state with some noticeable overlap, then the forged signature would also pass verification with some noticeable probability as well.

Finally, we consider a slightly different task of quantum key distribution (QKD) with a bounded number of rounds. In QKD, two parties, Alice and Bob, have access to an insecure quantum channel and a classically authenticated channel⁴⁴4Having access to a classically authenticated channel is also required classically: it is easy to see that without any authenticated channel the task is trivially impossible since the interceptor could always pretend to be Bob to Alice and pretend to be Alice to Bob. Public key infrastructure also does not get around this problem since it still assumes authenticated channels between the parties and the authority.. In the protocol, they take turns to send messages over the two channels with Alice sending the first message. The malicious party, called the interceptor, can passively monitor the messages in the classical authenticated channel and can arbitrarily modify messages in the quantum channel.

There are many variants of QKD security considered in the literature. Here we consider a very weak security notion, which we note is a search-type assumption.

Definition 5.2.

Consider a QKD protocol. Let $k_{A},k_{B},k_{*}$ be the keys Alice, Bob, and the interceptor produce correspondingly at the end of the protocol. We require the QKD protocol to be correct, meaning that without the presence of the interceptor, $\Pr[k_{A}=k_{B}\neq\bot]$ is negligibly close to $1$ .

We say the QKD protocol is (statistically) unpredictably-secure if for all efficient (or unbounded, resp.) interceptors, $\Pr[k_{*}=k_{A}\neq\bot\lor k_{*}=k_{B}\neq\bot]$ is negligible.

Fact 5.3 ([SP00, Protocol 2]).

There exists a 3-message QKD that is statistically unpredictably-secure. Furthermore, the only quantum message is sent in the first message.

Fact 5.4 ([MW24]).

Assuming the existence of post-quantum one-way functions, there exists a 2-message QKD that is computationally unpredictably-secure.

Fact 5.5.

1-message QKD cannot be unpredictably secure.

Proof sketch.

This follows from a straightforward observation that the interceptor could simply perform Bob’s honest action coherently and do a gentle measurement to extract Bob’s key. The measurement is gentle since Alice’s key is already determined after the first message, and by correctness, Bob should output the correct key with overwhelming probability. Finally, note that this attack is efficient. ∎

Given these known results, it is natural to wonder if 2-message QKD can be statistically secure, and whether it requires computational assumptions. We observe that hard classical $\rightarrow$ quantum extrapolation task also follows from 2-message QKD and thus it requires computational assumptions somewhere between a post-quantum one-way function and a hard classical $\rightarrow$ quantum extrapolation task. In fact, we can prove something slightly stronger.

Proposition 5.6.

If there is an unpredictably-secure QKD where all but the last two messages are classical, then there exists a hard classical $\rightarrow$ quantum extrapolation task.

Proof.

Without loss of generality, let us say Alice receives the last message. Then consider the state immediately after Alice sends her quantum message, and the task is to produce the joint quantum state on Alice’s and Bob’s internal register and the message register conditioned on the classical transcript so far: this is a classical $\rightarrow$ quantum extrapolation task. Note that this is the state before any quantum communication reaches the other party, thus Bob’s internal registers must be unentangled from the rest conditioned on the classical transcript.

Suppose for contradiction that this is easy, then we construct the interceptor as follows:

•

Upon receipt of Alice’s last classical message, disgard her quantum message and produce a fresh copy of the joint quantum state and use its message register as the quantum message to send to Bob.
•

Upon receipt of Bob’s messages, run Alice’s honest action to extract Bob’s key.

By correctness of the QKD protocol, whenever we succeed in producing the quantum state with some noticeable overlap (which happens with non-negligible probability by assumption), Bob will not abort the protocol and we can predict Bob’s key with roughly the same probability, breaking its security. ∎

Note that as special cases, this proposition covers any 2-message QKD, or any 3-message QKD whose first message is classical.

5.3 A Quantum Bit Commitment Scheme

Let $\{\mathsf{Rand}_{k}\}_{k\in\{0,1\}^{\mathsf{poly}(n)}}$ be a family of efficiently implementable $n$ -qubit “randomizing” unitaries, which satisfy

\operatorname*{\mathbb{E}}_{k\leftarrow\{0,1\}^{\mathsf{poly}(n)}}\left[\mathsf{TD}\left(\ket{\psi_{0}}\!\bra{\psi_{0}}^{(k)},\ket{\psi_{1}}\!\bra{\psi_{1}}^{(k)}\right)\right]\leq\frac{1}{\sqrt{2}}

(2)

for any orthogonal states $\ket{\psi_{0}}$ and $\ket{\psi_{1}}$ , where $\ket{\psi}\!\bra{\psi}^{(k)}$ is mixed state resulting from applying $\mathsf{Rand}_{k}$ to $\ket{\psi}$ and measuring it in the standard basis.⁵⁵5The key may be much longer than the number of qubits operated on, for example if using random Cliffords. These exist by Lemma 4.2 or Lemma A.1. More explicitly, for $P_{x}^{k}\coloneqq\mathsf{Rand}_{k}\ket{x}\!\bra{x}\mathsf{Rand}_{k}^{\dagger}$ , we define

\ket{\psi}\!\bra{\psi}^{(k)}\coloneqq\sum_{x\in\{0,1\}^{n}}P_{x}^{k}\ket{\psi}\!\bra{\psi}P_{x}^{k}.

Roughly speaking, for any fixed state $\ket{\psi}$ , with high probability over $k\leftarrow\{0,1\}^{n}$ , the state $\mathsf{Rand}_{k}\ket{\psi}$ is well-spread in the standard basis (i.e., measuring it gives an outcome that is somewhat uniform).

Let $\mathsf{CRand}$ denote the controlled $\mathsf{Rand}_{k}$ unitary

\displaystyle\mathsf{CRand}\coloneqq\sum_{k\in\{0,1\}^{\mathsf{poly}(n)}}\ket{k}\!\bra{k}\otimes\mathsf{Rand}_{k}.

We use the notation $\mathsf{CRand}_{\mathsf{A}\rightarrow\mathsf{B}}$ as shorthand for $\sum_{k}\ket{k}\!\bra{k}_{\mathsf{A}}\otimes\left(\mathsf{Rand}_{k}\right)_{\mathsf{B}}$ , and we follow a similar convention for other controlled gates such as $\mathsf{CNOT}$ .

Construction 5.7 (Weakly Hiding Commitment).

Let $(\mathsf{Gen},\mathsf{Clone})$ be a cloneable $\rightarrow$ quantum extrapolation task. Our weakly-binding quantum bit commitment works as follows.

•

To commit to a bit $b$ :

The sender first prepares the following initial state (which is independent of $b$ ):

\displaystyle\ket{\mathsf{init}}\coloneqq\ket{0}_{\mathsf{C}_{0}}\otimes\ket{+^{n}}_{\mathsf{K}}\otimes\left(\sum_{s}\beta_{s}\ket{\mathsf{chal}_{s}}_{\mathsf{S}}\ket{\psi_{s}}_{\mathsf{M}_{0}}\right)\otimes\ket{0}_{\mathsf{M}_{1}},

where $\mathsf{M}_{0},\mathsf{M}_{1}$ are both $m$ qubit registers, and $\mathsf{C}_{0}$ is the same as size $(\mathsf{K},\mathsf{M}_{0})$ .

2.

Next apply $\bigl{(}\mathsf{Clone}_{\mathsf{S}\rightarrow(\mathsf{S},\mathsf{C}_{1})}\cdot\mathsf{CNOT}_{(\mathsf{K},\mathsf{M}_{b})\rightarrow\mathsf{C}_{0}}\bigr{)}\cdot\bigl{(}\mathsf{CRand}_{\mathsf{K}\rightarrow\mathsf{M}_{b}}\bigr{)}$ .
3.

Finally, send the $\mathsf{C}=(\mathsf{C}_{0},\mathsf{C}_{1})$ register.

•

To decommit, send $b$ along with all the remaining registers $\mathsf{K},\mathsf{S},\mathsf{M}_{0},\mathsf{M}_{1}$ . The receiver verifies by checking that the state is the expected state

\displaystyle\ket{\mathsf{com}_{b}}\coloneqq\bigl{(}\mathsf{Clone}_{\mathsf{S}\rightarrow(\mathsf{S},\mathsf{C}_{1})}\cdot\mathsf{CNOT}_{(\mathsf{K},\mathsf{M}_{b})\rightarrow\mathsf{C}_{0}}\bigr{)}\cdot\bigl{(}\mathsf{CRand}_{\mathsf{K}\rightarrow\mathsf{M}_{b}}\bigr{)}\cdot\ket{\mathsf{init}}.

Theorem 5.8.

If $(\mathsf{Gen},\mathsf{Clone})$ is a hard cloneable $\rightarrow$ quantum extrapolation problem, then Construction 5.7 is a $\frac{1}{\sqrt{2}}$ -statistically hiding and computationally binding commitment.

Proof.

We prove $\frac{1}{\sqrt{2}}$ -statistically hiding in Claim 5.11 and prove computational binding in Claim 5.12. ∎

We compile the weakly-statistically binding construction to be statistically binding using standard XOR amplification. In detail:

Construction 5.9 (Full Commitment).

The commitment scheme works as follows.

•
To commit to a bit $b$ :
1. 1.
  
  The sender samples a string $x\leftarrow\{0,1\}^{\lambda}$ such that the parity of $x$ is $b$ .
2. 2.
  
  For each bit $x_{i}$ of $x$ , the sender commits to $x_{i}$ using Construction 5.7.
•

To decommit, send $b$ , $x$ and the openings of the commitments to each bit of $x$ . The verifier verifies by checking that for each $i\in[n]$ , commitment $i$ validly opens to $x_{i}$ according to Construction 5.7, then checks that the parity of $x$ is $b$ .

Corollary 5.10.

If $(\mathsf{Gen},\mathsf{Clone})$ is a hard cloneable $\rightarrow$ quantum extrapolation problem, then Construction 5.9 is a statistically hiding and computationally binding commitment.

Proof.

Statistical hiding amplification follows from the fact that trace distance is amplified exponentially under XOR compositions [Wat02, Lemma 2]. Computational binding holds since in order to change the final bit revealed, the adversary must flip at least one of the $\lambda$ bits committed using the original commitment scheme; by randomly guessing the index, we complete the reduction to breaking the binding security of the original commitment scheme. ∎

5.4 Statistical Hiding

Claim 5.11.

Construction 5.7 is $\frac{1}{\sqrt{2}}$ -statistically hiding.

Proof.

The state of $(\mathsf{C},\mathsf{R})$ after a commitment to $b$ is:

	$\displaystyle\ket{\mathsf{com}_{0}}$	$\displaystyle\coloneqq\sum_{s}\beta_{s}2^{-n/2}\sum_{k\in\{0,1\}^{n}}\sum_{x\in\{0,1\}^{n}}\ket{k,s,x}_{\mathsf{C}}\otimes\left(\ket{k,\mathsf{chal}_{s}}\otimes\ket{x}\!\bra{x}\mathsf{Rand}_{k}\ket{\psi_{s}}\otimes\ket{0}\right)_{\mathsf{D}},$
	$\displaystyle\ket{\mathsf{com}_{1}}$	$\displaystyle\coloneqq\sum_{s}\beta_{s}2^{-n/2}\sum_{k\in\{0,1\}^{n}}\sum_{x\in\{0,1\}^{n}}\ket{k,\mathsf{chal}_{s},x}_{\mathsf{C}}\otimes\left(\ket{k,\mathsf{chal}_{s}}\otimes\ket{\psi_{s}}\otimes\ket{x}\!\bra{x}\mathsf{Rand}_{k}\ket{0}\right)_{\mathsf{D}}.$

After tracing out register $\mathsf{D}$ , the mixed states on register $\mathsf{C}$ are

	$\displaystyle\rho_{0}$	$\displaystyle\coloneqq\sum_{s}\beta_{s}^{2}\ket{\mathsf{chal}_{s}}\!\bra{\mathsf{chal}_{s}}\otimes\sum_{k\in\{0,1\}^{n}}2^{-n}\ket{k}\!\bra{k}\otimes\sum_{x\in\{0,1\}^{n}}\left\|\bra{x}\mathsf{Rand}_{k}\ket{\psi_{s}}\right\|^{2}\ket{x}\!\bra{x},$
	$\displaystyle\rho_{1}$	$\displaystyle\coloneqq\sum_{s}\beta_{s}^{2}\ket{\mathsf{chal}_{s}}\!\bra{\mathsf{chal}_{s}}\otimes\sum_{k\in\{0,1\}^{n}}2^{-n}\ket{k}\!\bra{k}\otimes\sum_{x\in\{0,1\}^{n}}\left\|\bra{x}\mathsf{Rand}_{k}\ket{0}\right\|^{2}\ket{x}\!\bra{x}.$

Denote the projections of $\ket{\psi_{s}}$ and $\ket{0}$ , respectively, onto measurement in the basis $\mathsf{Rand}_{k}$ as

	$\displaystyle\rho_{0,s,k}$	$\displaystyle\coloneqq\sum_{x\in\{0,1\}^{n}}\left\|\bra{x}\mathsf{Rand}_{k}\ket{\psi_{s}}\right\|^{2}\ket{x}\!\bra{x},$
	$\displaystyle\rho_{1,s,k}$	$\displaystyle\coloneqq\sum_{x\in\{0,1\}^{n}}\left\|\bra{x}\mathsf{Rand}_{k}\ket{0}\right\|^{2}\ket{x}\!\bra{x}.$

Then the trace distance between $\rho_{0}$ and $\rho_{1}$ is bounded as

$\displaystyle\frac{1}{2}\\|\rho_{0}-\rho_{1}\\|_{1}$	$\displaystyle\leq\frac{1}{2}\sum_{s}\beta_{s}^{2}\sum_{k\in\{0,1\}^{n}}2^{-n}\left\\|\rho_{0,s,k}-\rho_{1,s,k}\right\\|_{1}$	(3)
	$\displaystyle=\sum_{s}\beta_{s}^{2}\operatorname*{\mathbb{E}}_{k\in\{0,1\}^{n}}\left[\frac{1}{2}\left\\|\rho_{0,s,k}-\rho_{1,s,k}\right\\|_{1}\right]$
	$\displaystyle\leq\sum_{s}\beta_{s}^{2}\frac{1}{\sqrt{2}}$	(4)
	$\displaystyle=\frac{1}{\sqrt{2}}.$

(3) follows from the convexity of the trace norm and its invariance under tensor product with the same state; (4) follows from (2). ∎

5.5 Computational Binding

Claim 5.12.

If $(\mathsf{Gen},\mathsf{Clone})$ is a hard cloneable $\rightarrow$ quantum extrapolation problem, then Construction 5.7 is computationally binding.

Proof.

Suppose we have an adversary $\mathsf{Adv}$ that can map $\ket{\mathsf{com}_{0}}$ to $\ket{\mathsf{com}_{1}}$ by acting only on the decommitment register $(\mathsf{K},\mathsf{S},\mathsf{M}_{0},\mathsf{M}_{1})$ .

We’ll use this to give a solver for the cloneable $\rightarrow$ quantum extrapolation problem. Let’s think of the cloneable $\rightarrow$ quantum extrapolation problem as follows. The challenger prepares

\displaystyle\ket{\chi_{\mathrm{start}}}\coloneqq\sum_{s}\beta_{s}\ket{\mathsf{chal}_{s}}_{\mathsf{S}}\ket{\psi_{s}}_{\mathsf{M}}\otimes\ket{\mathsf{chal}_{s}}_{\mathsf{S}^{\prime}}

and gives us the $\mathsf{S}^{\prime}$ register. To win the game, it suffices to turn this into the pure state

\displaystyle\ket{\chi_{\mathrm{end}}}\coloneqq\sum_{s}\beta_{s}\ket{\mathsf{chal}_{s}}_{\mathsf{S}}\ket{\psi_{s}}_{\mathsf{M}}\otimes\ket{\mathsf{aux}_{s}}_{\mathsf{A}}\ket{\psi_{s}}_{\mathsf{M}^{\prime}}

for some $\mathsf{aux}_{s}$ since the $\mathsf{M}^{\prime}$ register will also pass the verification.

The reduction, given the $(\mathsf{S}^{\prime},\mathsf{M}^{\prime})$ register of $\ket{\chi_{\mathrm{start}}}$ , initializes a $\mathsf{K}$ register to the uniform superposition $\ket{+^{n}}$ , $\mathsf{M}_{1}$ registers to $\ket{0}$ , and then applies $\bigl{(}\mathsf{Clone}_{(\mathsf{K},\mathsf{S},\mathsf{M}^{\prime})\rightarrow\mathsf{C}}\bigr{)}\cdot\bigl{(}\mathsf{CRand}_{\mathsf{K}\rightarrow\mathsf{M}^{\prime}}\bigr{)}$ . It applies the binding adversary on registers $\mathsf{K},\mathsf{S}^{\prime},\mathsf{M}^{\prime},\mathsf{M}_{1}$ . It then coherently checks that the registers $\mathsf{K},\mathsf{S}^{\prime},\mathsf{M}_{1}$ agrees⁶⁶6This can be done efficiently for any cloneable basis. In particular, take any efficient unitary completion of $\mathsf{Clone}$ and we simply compute its inverse and check if the auxiliary registers return to $\ket{0}$ . with $\mathsf{C}$ and abort if not (in other words only the decision is measured). Finally, it returns register $\mathsf{M}^{\prime}$ to the challenger.

Random measurements.

In general, the result of applying $\mathsf{Rand}_{k}$ can be expressed as

	$\displaystyle\mathsf{Rand}_{k}\ket{\psi_{s}}$	$\displaystyle=\sum_{x}\alpha_{k,s,x}\ket{x},$
	$\displaystyle\mathsf{Rand}_{k}\ket{0}$	$\displaystyle=\sum_{x}\alpha_{k,x}\ket{x}$

for some complex coefficient $\alpha$ ’s. Using these, we can write the commitment states as

	$\displaystyle\ket{\mathsf{com}_{0}}$	$\displaystyle=\sum_{k,s,x}2^{-n/2}\beta_{s}\alpha_{k,s,x}\ket{k,\mathsf{chal}_{s},x}_{\mathsf{C}}\otimes\ket{k,\mathsf{chal}_{s},x,0}_{\mathsf{D}}$
	$\displaystyle\ket{\mathsf{com}_{1}}$	$\displaystyle=\sum_{k,s,x}2^{-n/2}\beta_{s}\alpha_{k,x}\ket{k,\mathsf{chal}_{s},x}_{\mathsf{C}}\otimes\ket{k,\mathsf{chal}_{s},\psi_{s},x}_{\mathsf{D}}$

Here, $\mathsf{C}$ contains the commitment (sent to the receiver) and $\mathsf{D}$ contains the opening (kept by the sender).

Binding adversary’s attack.

Say the adversary consists of a unitary $U_{A}$ and an auxiliary quantum input $\ket{\mathsf{aux}}_{\mathsf{A}}$ . It applies $U_{A}$ to registers $\mathsf{C}$ and $\mathsf{A}$ . We assume the adversary always prepares a state $\ket{k,s,\phi_{k,s,x},x}$ in register $D$ along with potentially another private register. This is without loss of generality since not preparing a state like this form can only decrease the binding attack advantage since when the challenger projects onto $\ket{\mathsf{com}_{1}}$ it necessarily projects $k,s,x$ to the correct value; furthermore, in our reduction, we also perform this check so the amplitude outside would not affect the reduction either. More formally, we can account for this by considering the residual state to be potentially sub-normalized when the adversary does not comply. The output of the adversary is

\ket{\varphi_{A}}=\sum_{k,s,x,y}2^{-n/2}\beta_{s}\alpha_{k,s,x}\ket{k,\mathsf{chal}_{s},x}_{\mathsf{C}}\otimes\ket{k,\mathsf{chal}_{s},y,x}_{\mathsf{D}}\otimes\ket{\mathsf{aux}_{k,s,y,x}}_{\mathsf{A}}.

The state $\ket{\phi_{k,s,x}}:=\sum_{y}\ket{y}\ket{\mathsf{aux}_{k,s,y,x}}$ might be subnormalized but the remaining component will never contribute (in either direction) to the binding advantage. From this we can see that the adversary’s action can be seen as first swapping $\mathsf{M}_{0}\mathsf{M}_{1}$ and then prepare a (possibly subnormalized) quantum state on the registers $\mathsf{M}_{0}\mathsf{A}$ controlled on $k,s,x$ .

We now consider the state after projecting $\mathsf{M}_{0}$ to $\ket{\psi_{s}}$ to be

\ket{\varphi^{\prime}_{A}}=\sum_{k,s,x}2^{-n/2}\beta_{s}\alpha_{k,s,x}\ket{k,s,x}_{\mathsf{C}}\otimes\ket{k,\mathsf{chal}_{s},\psi_{s},x}_{\mathsf{D}}\otimes\ket{\mathsf{aux}_{k,s,x}}_{\mathsf{A}},

where $\ket{\mathsf{aux}_{k,s,x}}:=\sum_{y}\left\langle\psi_{s}\middle|y\right\rangle\ket{\mathsf{aux}_{k,s,y,x}}$ . Note that this projection again contains both the commitment receiver’s projection as well as the extrapolation verification projection. As a consequence, we can for simplicity consider the overlap with this state, which will be a lower bound on the success probability.

Additional notations.

Let $\Pr[s]=\beta_{s}^{2}$ be the probability of sampling a challenge $s$ . Define $p_{k,s}(x)=|\alpha_{k,s,x}|^{2}$ to be the probability that a measurement of $\ket{\psi_{s}}$ in the basis $k$ outputs $x$ . Similarly define $q_{k}(x)=|\alpha_{k,x}|^{2}$ . $w(k,s,x)$ denotes the probability that the adversary, given $\ket{k,\mathsf{chal}_{s},x}$ , successfully produces $\ket{\psi_{s}}$ . In other words,

\displaystyle w(k,s,x)

\displaystyle=\left\lVert\ket{\mathsf{aux}_{k,s,x}}\right\rVert^{2}.

Reduction success probability.

Given the notation above, the reduction’s success probability in the cloneable $\rightarrow$ quantum extrapolation game is

\sum_{k,s}2^{-n}\Pr[s]\sum_{x}q_{k}(x)w(k,s,x)=\operatorname*{\mathbb{E}}_{k,s}\left[\sum_{x}q_{k}(x)w(k,s,x)\right],

since again, in the reduction we also trimmed out the useless amplitudes.

We now show that the reduction’s success probability in the cloneable $\rightarrow$ quantum extrapolation game is at least the adversary’s probability of success in the binding attack. To that end, we compute the binding success probability to be

$\displaystyle\left\lVert(\bra{\mathsf{com}_{1}}\otimes I)\ket{\varphi^{\prime}_{A}}\right\rVert^{2}$	$\displaystyle=\left\lVert 2^{-n}\sum_{k,s,x}\beta_{s}^{2}\alpha_{k,s,x}\overline{\alpha_{k,x}}\ket{\mathsf{aux}_{k,s,x}}\right\rVert^{2}$
	$\displaystyle\leq\left(2^{-n}\sum_{k,s,x}\beta_{s}^{2}\left\|\alpha_{k,s,x}\overline{\alpha_{k,x}}\right\|\cdot\left\lVert\ket{\mathsf{aux}_{k,s,x}}\right\rVert\right)^{2}$	(5)
	$\displaystyle=\operatorname*{\mathbb{E}}_{k,s}\left[\sum_{x}\left\|\alpha_{k,s,x}\alpha_{k,x}\right\|\sqrt{w(k,s,x)}\right]^{2}$
	$\displaystyle\leq\operatorname*{\mathbb{E}}_{k,s}\left[\left(\sum_{x}\left\|\alpha_{k,s,x}\alpha_{k,x}\right\|\sqrt{w(k,s,x)}\right)^{2}\right]$	(6)
	$\displaystyle\leq\operatorname*{\mathbb{E}}_{k,s}\left[\left(\sum_{x}\left\|\alpha_{k,s,x}\right\|^{2}\right)\left(\sum_{x}{\left\|\alpha_{k,x}\right\|^{2}w(k,s,x)}\right)\right]$	(7)
	$\displaystyle=\operatorname*{\mathbb{E}}_{k,s}\left[\sum_{x}q_{k}(x)w(k,s,x)\right].$

(5) follows from triangle inequality; (6) follows from Jensen’s inequality; (7) follows from Cauchy–Schwarz inequality. Therefore, our reduction succeeds with the same probability as the binding adversary’s advantage, completing the proof. ∎

6 Quantum Extrapolation

In this section, we define (fully) quantum extrapolation tasks and give some initial observations.

Definition 6.1 (Quantum Extrapolation).

Let $\mathsf{Gen}$ be a family of efficiently preparable bipartite pure states on registers $\mathsf{A},\mathsf{B}$ . Let $\rho$ be the reduced density matrix on $\mathsf{A}$ . For every $\lambda$ , define the target state to be its canonical purification

\ket{T_{\lambda}}\coloneqq(\sqrt{\rho}\otimes I)\ket{\Phi}

where $\ket{\Phi}_{\mathsf{A}\mathsf{B}^{\prime}}=\sum_{i}\ket{i}\ket{i}$ is the unnormalized maximally entangled state where $\mathsf{B}^{\prime}$ has same dimension as $\mathsf{A}$ . $\mathsf{Gen}$ is a hard quantum extrapolation problem if there exists a polynomial $p$ such that for every auxiliary input $\mathsf{aux}$ and polynomial-time channel $V_{\mathsf{B}\mathsf{C}\rightarrow\mathsf{B}^{\prime}}$ ,

F\left(\ket{T_{\lambda}}\!\bra{T_{\lambda}}_{\mathsf{A},\mathsf{B}^{\prime}},V_{\mathsf{B}\mathsf{C}\rightarrow\mathsf{B}^{\prime}}(\mathsf{Gen}_{\lambda}()\otimes\mathsf{aux}_{\lambda})\right)\leq 1-\frac{1}{p(\lambda)}.

Readers might notice that this is defined differently from Theorem 1.5. We now explain why the two definitions are equivalent, or why Definition 6.1 can be viewed as a extrapolation problem.

Lemma 6.2.

Let

\ket{\mathsf{Gen}}=\sum_{i}\alpha_{i}\ket{A_{i}}_{\mathsf{A}}\otimes\ket{B_{i}}_{\mathsf{B}}

be any of $\ket{\mathsf{Gen}}$ ’s Schmidt decompositions. Then the target state

\ket{T}=\sum_{i}\alpha_{i}\ket{A_{i}}_{\mathsf{A}}\otimes\ket{A_{i}^{*}}_{\mathsf{B}^{\prime}}

where $\ket{A_{i}^{*}}$ is the complex conjugate of $\ket{A_{i}}$ .

Proof.

By the Schmidt decomposition, we can see that $\rho=\sum_{i}\alpha_{i}^{2}\ket{A_{i}}\!\bra{A_{i}}$ . Since $\{A_{i}\}_{i}$ ’s form an orthonormal basis, $\sqrt{\rho}=\sum_{i}\alpha_{i}\ket{A_{i}}\!\bra{A_{i}}$ and $\ket{\Phi}=\sum_{i}\ket{A_{i}}\otimes\ket{A_{i}^{*}}$ . The lemma follows by plugging these into the definition of $\ket{T}$ . ∎

Corollary 6.3.

For any $\mathsf{Gen}$ , there exists an isometry $U$ such that $U_{\mathsf{B}\to\mathsf{B}^{\prime}}\ket{\mathsf{Gen}}=\ket{T}$ .

Proof.

Consider any Schmidt decomposition as above. Take any $U$ such that $U\ket{B_{i}}=\ket{A_{i}^{*}}$ for all $i$ . This is well defined since $\ket{B_{i}}$ ’s and $\ket{A_{i}^{*}}$ ’s form a basis. ∎

The reader may notice that the Schmidt decomposition of a state is not necessarily unique. Indeed, if we asked the adversary to map $\ket{B_{i}}$ to $\ket{A_{i}}$ directly, the optimal action would depend on the specific Schmidt decomposition that we consider. However, by requiring the adversary to instead map it to $\ket{A_{i}^{*}}$ instead, we ensure uniqueness of the target state $\ket{T}$ , and thus that the quantum extrapolation problem is well-defined.

Let us briefly compare this task with classical $\rightarrow$ quantum extrapolation. On a high level, there are three important differences:

1.

Obviously, the input or the challenge is now a quantum state instead of classical bitstrings.
2.

We also require the solver to solve the problem coherently, in other words, the solver cannot measure (or remember) which $i$ is given if he wishes to succeed. This is different from classical $\rightarrow$ quantum extrapolation where the solver is free to measure the input. This condition is important to ensure the uniqueness of the action as otherwise the action would depend on the specific Schmidt decomposition that we consider.
3.

Finally, we also require the problem to be “strongly” solved, i.e. solving the task to arbitrary inverse polynomial error; whereas we can accept any non-negligible overlap for classical $\rightarrow$ quantum extrapolation.⁷⁷7This difference would be not as important if one could show an amplification theorem for this task. Known techniques [BQSY24] do not apply since it is inefficient to project onto the target state.

Before proceeding, let us first establish the robustness of the quantum extrapolation task. Informally, we show that if the instance specified by $\mathsf{Gen}$ is slightly disturbed, then the target state will not change drastically either. As a corollary, the same optimal action will still do pretty good even if a slightly disturbed input is given instead. This is not obvious since the target state depends on $\mathsf{Gen}$ non-linearly. In particular, the square-root superoperator is not linear.

To prove this, we first need the following lemma on Holevo fidelity $F_{H}(\rho,\sigma):=\mathrm{Tr}(\sqrt{\rho}\sqrt{\sigma})$ .

Lemma 6.4 ([Hol72]).

Let $\rho,\sigma$ be two density matrices. Then $1-\sqrt{F_{H}(\rho,\sigma)}\leq TD(\rho,\sigma)\leq\sqrt{1-F_{H}(\rho,\sigma)}$ .

Lemma 6.5.

If two quantum extrapolation tasks $\left|\left\langle\mathsf{Gen}\middle|\mathsf{Gen}^{\prime}\right\rangle\right|=\sqrt{1-\varepsilon}$ have a large overlap, then their target states has noticeable overlap as well: $\left\langle T\middle|T^{\prime}\right\rangle\geq(1-\sqrt{\varepsilon})^{2}$ .

Proof.

Let $\rho,\sigma$ be the reduced density matrices of $\mathsf{Gen}$ and $\mathsf{Gen}^{\prime}$ respectively. By Uhlmann’s theorem,

\sqrt{F}(\rho,\sigma)\geq|\left\langle\mathsf{Gen}\middle|\mathsf{Gen}^{\prime}\right\rangle|=\sqrt{1-\varepsilon}.

(8)

Since the target states are the canonical purifications of the bipartite states, we compute the overlap of the two target states

$\displaystyle\left\langle T^{\prime}\middle\|T\right\rangle$	$\displaystyle=\bra{\Phi}(\sqrt{\sigma}\otimes I)(\sqrt{\rho}\otimes I)\ket{\Phi}$
	$\displaystyle=\mathrm{Tr}(\sqrt{\sigma}\sqrt{\rho})$
	$\displaystyle=F_{H}(\rho,\sigma)$
	$\displaystyle\geq(1-TD(\rho,\sigma))^{2}$	(9)
	$\displaystyle\geq(1-\sqrt{1-F(\rho,\sigma)})^{2}$	(10)
	$\displaystyle\geq(1-\sqrt{\varepsilon})^{2}.$	(11)

(9) is by Lemma 6.4; (10) is by Fuchs–van de Graaf inequality; and finally, (11) is by (8). ∎

6.1 Relations to Other Hardness Assumptions

In this section, we begin by showing that quantum extrapolation easily generalizes classical $\rightarrow$ quantum extrapolation tasks, and then move onto construction from commitments.

Proposition 6.6.

If hard classical $\rightarrow$ quantum extrapolation exists, then hard quantum extrapolation exists.

Proof.

In classical $\rightarrow$ quantum extrapolation, the challenger efficiently prepares the state

U\ket{\vec{0}}=\sum_{x\in\{0,1\}^{\lambda}}\alpha_{x}\ket{A_{x},x}_{\mathsf{A}}\otimes\ket{x}_{\mathsf{B}}

and asks the adversary to find $\ket{A_{x}}$ given $x$ .⁸⁸8Here, the extra copy of $x$ in $\mathsf{A}$ acts as a delayed measurement of $x$ , which purifies the classical $\rightarrow$ quantum extrapolation experiment. Observe that the complex conjugate of this state can also be prepared efficiently by conjugating each gate in $U$ , producing

U^{*}\ket{\vec{0}}=\left(U\ket{\vec{0}}\right)^{*}=\sum_{x\in\{0,1\}^{\lambda}}\alpha_{x}\ket{A_{x}^{*},x}_{\mathsf{A}}\otimes\ket{x}_{\mathsf{B}}.

(12)

Sice both $\ket{A_{x}^{*},x}$ ’s as well as $\ket{x}$ ’s are orthonormal, (12) must be a Schmidt decomposition.

Assume for contradiction that quantum extrapolation were easy, then there exists a QPT adversary operating on register $\mathsf{B}$ of $U^{*}\ket{\vec{0}}$ which produces a state with $\frac{1}{2}$ fidelity to

\sum_{x\in\{0,1\}^{\lambda}}\alpha_{x}\ket{A_{x}^{*},x}_{\mathsf{A}}\otimes\ket{A_{x},x}_{\mathsf{B}}.

We now show that this adversary, when applied to register $\mathsf{B}$ of $U\ket{\vec{0}}$ , produces a state with noticeable fidelity to

\sum_{x\in\{0,1\}^{\lambda}}\alpha_{x}\ket{A_{x},x}_{\mathsf{A}}\otimes\ket{A_{x},x}_{\mathsf{B}}.

Thus, this contradicts the hardness of classical $\rightarrow$ quantum extrapolation.

Since $\ket{A_{x},x}$ is orthogonal to $\ket{A_{x^{\prime}},x^{\prime}}$ for any $x\neq x^{\prime}$ , there exists a unitary $M$ mapping $\ket{A_{x},x}\mapsto\ket{A_{x}^{*},x}$ . Applying $M$ to register $\mathsf{A}$ maps $U\ket{\vec{0}}$ to $U^{*}\ket{\vec{0}}$ Then, since

	$\displaystyle(I_{\mathsf{A}}\otimes V_{\mathsf{B},\mathsf{C}})\left(U\ket{\vec{0}}\otimes\ket{\mathsf{aux}}_{\mathsf{C}}\right)$	$\displaystyle=(M^{\dagger}_{\mathsf{A}}M_{\mathsf{A}}\otimes V_{\mathsf{B},\mathsf{C}})\left(U\ket{\vec{0}}\otimes\ket{\mathsf{aux}}_{\mathsf{C}}\right)$
		$\displaystyle=(M^{\dagger}_{\mathsf{A}}\otimes I_{\mathsf{B},\mathsf{C}})(I_{\mathsf{A}}\otimes V_{\mathsf{B},\mathsf{C}})(M_{\mathsf{A}}\otimes I_{\mathsf{B},\mathsf{C}})\left(U\ket{\vec{0}}\otimes\ket{\mathsf{aux}}_{\mathsf{C}}\right)$
		$\displaystyle=(M^{\dagger}_{\mathsf{A}}\otimes I_{\mathsf{B},\mathsf{C}})(I_{\mathsf{A}}\otimes V_{\mathsf{B},\mathsf{C}})\left(U^{*}\ket{\vec{0}}\otimes\ket{\mathsf{aux}}_{\mathsf{C}}\right),$

the adversary produces a state with fidelity $\frac{1}{2}$ to

(M^{\dagger}_{\mathsf{A}}\otimes I_{\mathsf{B},\mathsf{C}})\sum_{x\in\{0,1\}^{\lambda}}\alpha_{x}\ket{A_{x}^{*},x}_{\mathsf{A}}\otimes\ket{A_{x},x}_{\mathsf{B}}\otimes I_{\mathsf{C}}=\sum_{x\in\{0,1\}^{\lambda}}\alpha_{x}\ket{A_{x},x}_{\mathsf{A}}\otimes\ket{A_{x},x}_{\mathsf{B}}\otimes I_{\mathsf{C}}.

Since this state is always accepted by the classical $\rightarrow$ quantum extrapolation challenger, the reduction must succeed with probability at least $\frac{1}{2}$ as well, which is non-negligible. ∎

We next prove that the hardness is also implied by commitments. This technically subsumes the proposition above, but the reduction is slightly more involved.

Lemma 6.7 (Triangle-Like Inequality for Fidelity [NC10]).

For any three states $\rho$ , $\sigma$ , and $\tau$ , the following inequality holds:

\arccos(F(\rho,\tau))\leq\arccos(F(\rho,\sigma))+\arccos(F(\sigma,\tau)).

Theorem 6.8.

If quantum bit commitments exist, then hard quantum extrapolation exists.

Proof.

Without loss of generality, we can simply consider this for statistically hiding commitment schemes, which can be constructed from general quantum bit commitments [Yan22, BCQ23]. Consider the commitment states $\ket{\mathsf{Com}_{0}},\ket{\mathsf{Com}_{1}}$ when committing to $0,1$ respectively. Let $\rho_{b}:=\mathrm{Tr}_{D}(\ket{\mathsf{Com}_{b}}\!\bra{\mathsf{Com}_{b}})$ be the commitment message for bit $b$ . By statistical hiding, we have that $TD(\rho_{0},\rho_{1})\leq.01$ for all sufficiently large security parameters.

Let the target states $\ket{T_{b}}=(\sqrt{\rho_{b}}\otimes I)\ket{\Phi}$ . On a high level, we will construct an adversary that turns $\ket{\mathsf{Com}_{0}}$ to $\ket{T_{0}}$ using quantum extrapolation, and then pretend that $\ket{T_{0}}\approx\ket{T_{1}}$ by statistical hiding, and then undo the quantum extrapolation to turn $\ket{T_{1}}$ to $\ket{\mathsf{Com}_{1}}$ , breaking the binding property.

Assume for contradiction that quantum extrapolation were easy, then there exist efficient quantum channels ${\cal A}_{b}$ that only act on the $\mathsf{D}$ register, such that $\mathrm{Tr}(\ket{T_{b}}\!\bra{T_{b}}{\cal A}_{b}(\ket{\mathsf{Com}_{b}}\!\bra{\mathsf{Com}_{b}}))\geq.99$ for both $b=0,1$ . Note that this also implies the ability to efficiently invert the extrapolation: there exists efficient ${\cal A}^{\prime}_{b}$ that only acts on the $\mathsf{D}$ register, such that $\mathrm{Tr}(\ket{\mathsf{Com}_{b}}\!\bra{\mathsf{Com}_{b}}{\cal A}_{b}^{\prime}(\ket{T_{b}}\!\bra{T_{b}}))\geq.99$ for both $b=0,1$ .⁹⁹9One essentially runs the unitary purification of ${\cal A}_{b}(\ket{\mathsf{Com}_{b}}\!\bra{\mathsf{Com}_{b}})$ for some sufficiently high-fidelity ${\cal A}_{b}$ , swap its output register with the input and then uncompute the purified ${\cal A}_{b}$ .

The adversary for breaking computational binding is simply ${\cal A}^{\prime}_{1}\circ{\cal A}_{0}$ . We now analyze the success probability. After running ${\cal A}_{0}$ , we must have some state that has fidelity $\geq.99$ with $\ket{T_{0}}$ . Since $\left|\left\langle T_{1}\middle|T_{0}\right\rangle\right|^{2}=\left|\bra{\Phi}(\sqrt{\sigma}\otimes I)(\sqrt{\rho}\otimes I)\ket{\Phi}\right|^{2}=\left|\mathrm{Tr}(\sqrt{\sigma}\sqrt{\rho})\right|^{2}=\left|F_{H}(\rho,\sigma)\right|^{2}\geq(1-TD(\rho,\sigma))^{4}\geq.96$ by Lemma 6.4, this state must have fidelity $\geq.9$ with $\ket{T_{1}}$ by Lemma 6.7. Using Lemma 6.7 again, we get that after running ${\cal A}^{\prime}_{1}$ , the output state has fidelity $\geq.8$ with $\ket{\mathsf{Com}_{1}}$ . Therefore, we break computational binding with noticeable probability for all sufficiently large security parameters, a contradiction. ∎

6.2 Polynomial-Space Upper Bound

Finally, we give an upper bound on how one could solve any quantum extrapolation task in (quantum) polynomial space, more specifically $\mathsf{pureUnitaryPSPACE}$ [MY23, Definition 2.7]. This suggests that it might be hard to unconditionally establish the hardness of a quantum extrapolation task with an explicit classical description.

Theorem 6.9.

For any quantum extrapolation task specified by $\mathsf{Gen}$ , it can be solved in quantum polynomial space and exponential time.

Proof sketch.

The algorithm essentially reduces to a special case of a succinct Uhlmann instance, which can be solved in quantum polynomial space [BEM+23]. To solve a quantum extrapolation task specified by $\mathsf{Gen}$ , it is equivalent to consider the fidelity-1 Uhlmann transformation problem from $\ket{\mathsf{Gen}}$ to $\ket{T}$ . Recall that the target state is simply the canonical purification of $\ket{\mathsf{Gen}}$ , i.e. consider the reduced density matrix $\rho:=\mathrm{Tr}_{B}\left(\ket{\mathsf{Gen}}\!\bra{\mathsf{Gen}}\right)$ , then $\ket{T}=(\sqrt{\rho}\otimes I)\ket{\Phi}$ where $\ket{\Phi}_{\mathsf{A}\mathsf{B}}$ is the unnormalized maximally entangled state. Then by the Algorithmic Uhlmann’s Theorem [MY23, Theorem 7.4], it suffices to show how to (approximately) prepare the state $\ket{T}$ in polynomial space, or equivalently, to compute the amplitudes of $\ket{T}$ in $\mathsf{PSPACE}$ ; and this follows from the fact that we can space-efficiently approximate the block encoding of $\rho$ [MY23, Lemma 3.3], the square root superoperator [MY23, Lemma 3.15], as well as the product of two operators [MY23, Lemma 3.5], and from there it is easy to compute the amplitude from the block encoding. ∎

Acknowledgements

We thank Fermi Ma for his extended insightful discussions. We also thank John Bostanci, Yuval Efron, Tony Metger, Alexander Poremba, and Henry Yuen for their initial discussions on the quantum extrapolation task. Finally, we thank Tomoyuki Morimae for the reference on the 3-message QKD protocol [SP00].

This work was done in part when LQ was at Boston University and supported by DARPA under Agreement No. HR00112020023.

References

[AGQY22] Prabhanjan Ananth, Aditya Gulati, Luowen Qian and Henry Yuen “Pseudorandom (Function-Like) Quantum State Generators: New Definitions and Applications” In Theory of Cryptography Cham: Springer Nature Switzerland, 2022, pp. 237–265 DOI: 10.1007/978-3-031-22318-1_9
[AQY22] Prabhanjan Ananth, Luowen Qian and Henry Yuen “Cryptography from Pseudorandom Quantum States” In Advances in Cryptology – CRYPTO 2022 Cham: Springer Nature Switzerland, 2022, pp. 208–236 DOI: 10.1007/978-3-031-15802-5_8
[AT07] Dorit Aharonov and Amnon Ta-Shma “Adiabatic Quantum State Generation” In SIAM Journal on Computing 37.1, 2007, pp. 47–82 DOI: 10.1137/060648829
[BCQ23] Zvika Brakerski, Ran Canetti and Luowen Qian “On the Computational Hardness Needed for Quantum Cryptography” In 14th Innovations in Theoretical Computer Science Conference (ITCS 2023) 251, Leibniz International Proceedings in Informatics (LIPIcs) Dagstuhl, Germany: Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2023 DOI: 10.4230/LIPIcs.ITCS.2023.24
[BEM+23] John Bostanci et al. “Unitary Complexity and the Uhlmann Transformation Problem”, 2023 arXiv:2306.13073
[BJ24] Rishabh Batra and Rahul Jain “Commitments are equivalent to one-way state generators” In 2024 IEEE 65th Symposium on Foundations of Computer Science (FOCS) Los Alamitos, CA, USA: IEEE Computer Society, 2024
[BQSY24] John Bostanci, Luowen Qian, Nicholas Spooner and Henry Yuen “An Efficient Quantum Parallel Repetition Theorem and Applications” In Proceedings of the 56th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2024 Vancouver, Canada: Association for Computing Machinery, 2024 DOI: 10.1145/3618260.3649603
[BS19] Zvika Brakerski and Omri Shmueli “(Pseudo) Random Quantum States with Binary Phase” In Theory of Cryptography Cham: Springer International Publishing, 2019, pp. 229–250 DOI: 10.1007/978-3-030-36030-6_10
[CLLW16] Richard Cleve, Debbie Leung, Li Liu and Chunhao Wang “Near-Linear Constructions of Exact Unitary 2-Designs” In Quantum Information and Computation 16.9–10 Paramus, NJ: Rinton Press, Incorporated, 2016, pp. 721–756 DOI: 10.5555/3179473.3179474
[DPS04] Ivan Damgård, Thomas Pedersen and Louis Salvail “On the Key-Uncertainty of Quantum Ciphers and the Computational Security of One-Way Quantum Transmission” In Advances in Cryptology - EUROCRYPT 2004 Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 91–108 DOI: 10.1007/978-3-540-24676-3_6
[GC01] Daniel Gottesman and Isaac Chuang “Quantum Digital Signatures”, 2001 arXiv:quant-ph/0105032
[GGM86] Oded Goldreich, Shafi Goldwasser and Silvio Micali “How to construct random functions” In J. ACM 33.4 New York, NY, USA: Association for Computing Machinery, 1986, pp. 792–807 DOI: 10.1145/6490.6503
[Gol90] Oded Goldreich “A note on computational indistinguishability” In Information Processing Letters 34.6, 1990, pp. 277–281 DOI: 10.1016/0020-0190(90)90010-U
[HILL99] Johan Håstad, Russell Impagliazzo, Leonid A. Levin and Michael Luby “A Pseudorandom Generator from any One-way Function” In SIAM Journal on Computing 28.4, 1999, pp. 1364–1396 DOI: 10.1137/S0097539793244708
[Hol72] Alexander S. Holevo “On quasiequivalence of locally normal states” In Theoretical and Mathematical Physics 13.2, 1972, pp. 1071–1082 DOI: 10.1007/BF01035528
[IL89] Russell Impagliazzo and Michael Luby “One-way functions are essential for complexity based cryptography” In 30th Annual Symposium on Foundations of Computer Science, 1989, pp. 230–235 DOI: 10.1109/SFCS.1989.63483
[IL90] Russell Impagliazzo and Leonid A. Levin “No better ways to generate hard NP instances than picking uniformly at random” In Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science, 1990, pp. 812–821 vol.2 DOI: 10.1109/FSCS.1990.89604
[Iva81] I D Ivanovic “Geometrical description of quantal state determination” In Journal of Physics A: Mathematical and General 14.12, 1981, pp. 3241 DOI: 10.1088/0305-4470/14/12/019
[Iva92] I D Ivanovic “An inequality for the sum of entropies of unbiased quantum measurements” In Journal of Physics A: Mathematical and General 25.7, 1992, pp. L363 DOI: 10.1088/0305-4470/25/7/014
[JLS18] Zhengfeng Ji, Yi-Kai Liu and Fang Song “Pseudorandom Quantum States” In Advances in Cryptology – CRYPTO 2018 Cham: Springer International Publishing, 2018, pp. 126–152 DOI: 10.1007/978-3-319-96878-0_5
[KQST23] William Kretschmer, Luowen Qian, Makrand Sinha and Avishay Tal “Quantum Cryptography in Algorithmica” In Proceedings of the 55th Annual ACM Symposium on Theory of Computing, STOC 2023 Orlando, FL, USA: Association for Computing Machinery, 2023, pp. 1589–1602 DOI: 10.1145/3564246.3585225
[Kre21] William Kretschmer “Quantum Pseudorandomness and Classical Complexity” In 16th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2021) 197, Leibniz International Proceedings in Informatics (LIPIcs) Dagstuhl, Germany: Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2021 DOI: 10.4230/LIPIcs.TQC.2021.2
[KT24] Dakshita Khurana and Kabir Tomer “Commitments from Quantum One-Wayness” In Proceedings of the 56th Annual ACM Symposium on Theory of Computing, STOC 2024 Vancouver, BC, Canada: Association for Computing Machinery, 2024, pp. 968–978 DOI: 10.1145/3618260.3649654
[KT24a] Dakshita Khurana and Kabir Tomer “Founding Quantum Cryptography on Quantum Advantage, or, Towards Cryptography from #P-Hardness”, 2024 arXiv:2409.15248
[LR88] Michael Luby and Charles Rackoff “How to Construct Pseudorandom Permutations from Pseudorandom Functions” In SIAM Journal on Computing 17.2, 1988, pp. 373–386 DOI: 10.1137/0217022
[MPSY24] Tony Metger, Alexander Poremba, Makrand Sinha and Henry Yuen “Simple constructions of linear-depth t-designs and pseudorandom unitaries”, 2024 arXiv:2404.12647
[MW24] Giulio Malavolta and Michael Walter “Robust Quantum Public-Key Encryption with Applications to Quantum Key Distribution” In Advances in Cryptology – CRYPTO 2024 Cham: Springer Nature Switzerland, 2024, pp. 126–151 DOI: 10.1007/978-3-031-68394-7_5
[MY22] Tomoyuki Morimae and Takashi Yamakawa “Quantum Commitments and Signatures Without One-Way Functions” In Advances in Cryptology – CRYPTO 2022 Cham: Springer Nature Switzerland, 2022, pp. 269–295 DOI: 10.1007/978-3-031-15802-5_10
[MY23] Tony Metger and Henry Yuen “stateQIP = statePSPACE” In 2023 IEEE 64th Annual Symposium on Foundations of Computer Science (FOCS), 2023, pp. 1349–1356 DOI: 10.1109/FOCS57990.2023.00082
[MY24] Tomoyuki Morimae and Takashi Yamakawa “One-Wayness in Quantum Cryptography” In 19th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2024) 310, Leibniz International Proceedings in Informatics (LIPIcs) Dagstuhl, Germany: Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2024 DOI: 10.4230/LIPIcs.TQC.2024.4
[NC10] Michael A. Nielsen and Isaac L. Chuang “Quantum Computation and Quantum Information: 10th Anniversary Edition” Cambridge University Press, 2010 DOI: 10.1017/CBO9780511976667
[NZ24] Barak Nehoran and Mark Zhandry “A Computational Separation Between Quantum No-Cloning and No-Telegraphing” In 15th Innovations in Theoretical Computer Science Conference (ITCS 2024) 287, Leibniz International Proceedings in Informatics (LIPIcs) Dagstuhl, Germany: Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2024, pp. 82:1–82:23 DOI: 10.4230/LIPIcs.ITCS.2024.82
[Rom90] John Rompel “One-way functions are necessary and sufficient for secure signatures” In Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing, STOC ’90 Baltimore, Maryland, USA: Association for Computing Machinery, 1990, pp. 387–394 DOI: 10.1145/100216.100269
[SP00] Peter W. Shor and John Preskill “Simple Proof of Security of the BB84 Quantum Key Distribution Protocol” In Physical Review Letters 85 American Physical Society, 2000, pp. 441–444 DOI: 10.1103/PhysRevLett.85.441
[Wat02] John Watrous “Limits on the power of quantum statistical zero-knowledge” In The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings., 2002, pp. 459–468 DOI: 10.1109/SFCS.2002.1181970
[Yan22] Jun Yan “General Properties of Quantum Bit Commitments (Extended Abstract)” In Advances in Cryptology – ASIACRYPT 2022 Cham: Springer Nature Switzerland, 2022, pp. 628–657 DOI: 10.1007/978-3-031-22972-5_22
[Zha21] Mark Zhandry “Quantum Lightning Never Strikes the Same State Twice. Or: Quantum Money from Cryptographic Assumptions” In Journal of Cryptology 34.1, 2021, pp. 6 DOI: 10.1007/s00145-020-09372-x

Appendix A Alternative choices of bases

A.1 A Counterexample for Binary Phase Bases

Without loss of generality, we are going to consider a basis to be described by a unitary followed by a complete measurement in the standard basis. In this language, a set of bases can be equivalently expressed as a set of unitaries.

One natural choice of basis, inspired by the binary phase construction of pseudorandom states [JLS18, BS19, AGQY22], is to first apply a (pseudo-)random $\pm 1$ diagonal matrix and then measure in the Hadamard basis. Consider the counterexample where we have two states $\ket{\pm 0\cdots 0}=\frac{1}{\sqrt{2}}(\ket{0^{n}}\pm\ket{10^{n-1}})$ . (In other words, state $b$ is $\frac{1}{\sqrt{2}}(\ket{0^{n}}+(-1)^{b}\ket{10^{n-1}})$ .) After applying a random diagonal matrix, these states are still either $\ket{\pm 0\cdots 0}$ or $\ket{\mp 0\cdots 0}$ , and thus perfectly distinguishable when measured in the Hadamard basis.

A.2 A Counterexample for Pauli Bases

Consider two states $\ket{0^{n}}$ and $\ket{1^{n}}$ . Applying a random Pauli and then measuring in the standard basis will not work in this case since with overwhelming probability at least $n/2-o(n)$ qubits will be measured in the standard basis, thus the measurement outcome can be distinguished with overwhelming probability. This shows that 1-design cannot work since Pauli group forms a 1-design.

A.3 Statistical Hiding with $2$ -Designs

In this section, we are going to show that using a unitary 2-design suffices, and we can efficiently sample a unitary 2-design over $n$ qubits uniformly from $2^{5n}-2^{3n}$ elements and it can be implemented in quasi-linear time using Clifford gates [CLLW16].

Lemma A.1.

Let $D_{2}$ be a unitary 2-design over dimension $N$ and $D_{\infty}$ be the Haar random unitary distribution. For any two mixed states $\rho_{0}$ and $\rho_{1}$ , the expected trace distance after a random measurement drawn from $D_{2}$ is

\operatorname*{\mathbb{E}}_{U\sim D_{2}}\left[\mathsf{TD}\left(\rho_{0}^{(U)},\rho_{1}^{(U)}\right)\right]\leq\sqrt{\frac{N}{2(N+1)}}\cdot\mathsf{TD}(\rho_{0},\rho_{1})

where $\rho^{(U)}\coloneqq\sum_{x=0}^{N-1}\ket{x}\!\bra{x}U\rho U^{\dagger}\ket{x}\!\bra{x}$ is the projection onto the basis $\{U\ket{x}\}_{x}$ .

Proof.

Consider the normalized Jordan–Hahn decomposition of $\rho_{0}-\rho_{1}=TD(\rho_{0},\rho_{1})\cdot(P_{+}-P_{-})$ for two orthogonal density matrices $P_{+},P_{-}$ . Then we compute

	$\displaystyle\mathrel{\phantom{=}}\operatorname*{\mathbb{E}}_{U\sim D_{2}}\left[TD\left(\sum_{x}{\ket{x}\!\bra{x}U\rho_{0}U^{\dagger}\ket{x}\!\bra{x}},\sum_{x}{\ket{x}\!\bra{x}U\rho_{1}U^{\dagger}\ket{x}\!\bra{x}}\right)\right]$
	$\displaystyle=\operatorname*{\mathbb{E}}_{U\sim D_{2}}\left[\frac{1}{2}\sum_{x}\left\|\bra{x}U\rho_{0}U^{\dagger}\ket{x}-\bra{x}U\rho_{1}U^{\dagger}\ket{x}\right\|\right]$
	$\displaystyle=\operatorname*{\mathbb{E}}_{U\sim D_{2}}\left[\frac{1}{2}\sum_{x}\left\|\bra{x}U(\rho_{0}-\rho_{1})U^{\dagger}\ket{x}\right\|\right]$
	$\displaystyle=\frac{N}{2}TD(\rho_{0},\rho_{1})\cdot\operatorname*{\mathbb{E}}_{U\sim D_{2}}\left[\left\|\bra{0}U(P_{+}-P_{-})U^{\dagger}\ket{0}\right\|\right]$
	$\displaystyle\leq\frac{N}{2}TD(\rho_{0},\rho_{1})\cdot\sqrt{\operatorname*{\mathbb{E}}_{U\sim D_{2}}\left[\left(\bra{0}U(P_{+}-P_{-})U^{\dagger}\ket{0}\right)^{2}\right]}$
	$\displaystyle=\frac{N}{2}TD(\rho_{0},\rho_{1})\cdot\sqrt{\operatorname*{\mathbb{E}}_{U\sim D_{\infty}}\left[\left(\bra{0}U(P_{+}-P_{-})U^{\dagger}\ket{0}\right)^{2}\right]}.$

where the inequality is due to Jensen’s inequality.

It remains to calculate the last term. To that end, let $P_{+}-P_{-}=\sum_{i}p_{i}\ket{\psi_{i}}\!\bra{\psi_{i}}$ be its eigendecomposition since it is Hermitian. Plugging this in, we get that

	$\displaystyle\mathrel{\phantom{=}}\operatorname*{\mathbb{E}}_{U\sim D_{\infty}}\left[\left(\bra{0}U(P_{+}-P_{-})U^{\dagger}\ket{0}\right)^{2}\right]$
	$\displaystyle=\operatorname*{\mathbb{E}}_{U\sim D_{\infty}}\left[\left(\bra{0}U\left(\sum_{i}p_{i}\ket{\psi_{i}}\!\bra{\psi_{i}}\right)U^{\dagger}\ket{0}\right)^{2}\right]$
	$\displaystyle=\operatorname*{\mathbb{E}}_{U\sim D_{\infty}}\left[\sum_{i}p_{i}^{2}\left(\bra{0}U\ket{\psi_{i}}\!\bra{\psi_{i}}U^{\dagger}\ket{0}\right)^{2}+\sum_{i\neq j}p_{i}p_{j}\bra{0}U\ket{\psi_{i}}\!\bra{\psi_{i}}U^{\dagger}\ket{0}\!\bra{0}U\ket{\psi_{j}}\!\bra{\psi_{j}}U^{\dagger}\ket{0}\right]$
	$\displaystyle=\sum_{i}p_{i}^{2}\cdot\frac{2}{N(N+1)}+\sum_{i\neq j}p_{i}p_{j}\cdot\frac{1}{N(N+1)}$		(13)
	$\displaystyle=\frac{1}{N(N+1)}\cdot\sum_{i}\left(p_{i}^{2}+p_{i}\sum_{j}p_{j}\right)$
	$\displaystyle=\frac{1}{N(N+1)}\cdot\sum_{i}p_{i}^{2}$		(14)
	$\displaystyle\leq\frac{2}{N(N+1)}.$		(15)

(13) holds since by unitary invariance, it is equivalent to consider $\bra{0}U\ket{\psi_{i}}$ as the overlap between a Haar random state $\ket{\psi}$ and $\ket{0}$ , thus $\operatorname*{\mathbb{E}}_{U\sim D_{\infty}}\left[\left(\bra{0}U\ket{\psi_{i}}\!\bra{\psi_{i}}U^{\dagger}\ket{0}\right)^{2}\right]=\operatorname*{\mathbb{E}}[\left|\left\langle 0\middle|\psi\right\rangle\right|^{4}]$ , where $\ket{\psi}$ is a Haar random state; on the other hand, $\operatorname*{\mathbb{E}}[\left|\left\langle 0\middle|\psi\right\rangle\right|^{4}]=\frac{2}{N(N+1)}$ can be computed via the probability of measuring $\ket{0}\otimes\ket{0}$ on the maximally mixed state over the symmetric subspace $\textrm{Sym}_{2}^{N}$ , which has dimension $\binom{N+1}{2}$ . Similarly, $\operatorname*{\mathbb{E}}_{U\sim D_{\infty}}\left[\bra{0}U\ket{\psi_{i}}\!\bra{\psi_{i}}U^{\dagger}\ket{0}\!\bra{0}U\ket{\psi_{j}}\!\bra{\psi_{j}}U^{\dagger}\ket{0}\right]=\operatorname*{\mathbb{E}}\left[\left|\left\langle 0\middle|\psi\right\rangle\left\langle 1\middle|\psi\right\rangle\right|^{2}\right]=\frac{1}{N(N+1)}$ . (14) holds since $\sum_{j}p_{j}=\mathrm{Tr}(P_{+}-P_{-})=0$ . (15) holds since $\sum_{i}p_{i}^{2}=\left\lVert P_{+}-P_{-}\right\rVert_{2}^{2}=\left\lVert P_{+}\right\rVert_{2}^{2}+\left\lVert P_{-}\right\rVert_{2}^{2}\leq\left\lVert P_{+}\right\rVert_{1}^{2}+\left\lVert P_{-}\right\rVert_{1}^{2}=2$ .

Putting everything together, we obtain that it is upper bounded by $TD(\rho_{0},\rho_{1})\cdot\sqrt{\frac{N}{2(N+1)}}$ . ∎

Higher $t$ -Designs.

Interestingly, the bound gets only a bit better than $1/\sqrt{2}$ if we use Haar random unitaries. Consider $\rho_{0}=\ket{0}\!\bra{0}$ and $\rho_{1}=\ket{1}\!\bra{1}$ . The calculation starts the same as the last section except that we start with using $D_{\infty}$ instead of $D_{2}$ and we avoid the step involving Jensen’s inequality, so we obtain that the trace distance is

\displaystyle\frac{N}{2}\cdot\operatorname*{\mathbb{E}}\left[\left|\left|\left\langle 0\middle|\psi\right\rangle\right|^{2}-\left|\left\langle 1\middle|\psi\right\rangle\right|^{2}\right|\right].

We note that when $N\to\infty$ , each $\left|\left\langle x\middle|\psi\right\rangle\right|^{2}$ is approximately an independent draw from the exponential distribution with rate $1/N$ (also known as the Porter–Thomas distribution). Let $X,Y$ be two such independent random variables with PDF $p$ , then we get that it is approximately

	$\displaystyle\frac{N}{2}\cdot\operatorname*{\mathbb{E}}\left[\left\|X-Y\right\|\right]$	$\displaystyle=N\cdot\operatorname*{\mathbb{E}}_{X\geq Y}\left[X-Y\right]$
		$\displaystyle=N\cdot\int_{0}^{\infty}p(y)\int_{y}^{\infty}p(x)(x-y)dxdy$
		$\displaystyle=\frac{1}{2}.$

This implies that going to higher $t$ -designs does not seem to lead to a more asymptotically efficient construction.

Hard Quantum Extrapolations in Quantum Cryptography

Abstract

1 Introduction

1.1 Classical→\rightarrowQuantum Extrapolation

Definition 1.1 (Classical→\rightarrowQuantum Extrapolation, informal).

Proposition 1.2.

Theorem 1.3.

Remark 1.4.

1.2 Quantum Extrapolation

Theorem 1.5 (Informal).

2 Technical Overview

2.1 Why a New Approach?

2.2 Commitments from Classical→\rightarrowQuantum Extrapolation

Removing quantum sampling assumption.

Construction 2.1 (Informal).

Weak statistical hiding.

Computational binding.

2.3 Quantum Extrapolation

Implications from Public-Key Quantum Money and Commitments.

Difficulties in Building Commitments.

2.4 Related Works

3 Commitments

Definition 3.1 (Quantum Bit Commitment Syntax).

Definition 3.2 (Honest Binding).

Definition 3.3 (Commitment Hiding).

4 Statistical Hiding via Random Measurements

Lemma 4.1 ([Iva81, Iva92]).

Lemma 4.2.

Proof.

5 Commitments from Hard Classical→\rightarrowQuantum Extrapolation

5.1 Classical→\rightarrowQuantum Extrapolation

Definition 5.1.

5.2 Hardness from Cryptographic Primitives

Definition 5.2.

Fact 5.3 ([SP00, Protocol 2]).

Fact 5.4 ([MW24]).

Fact 5.5.

Proof sketch.

Proposition 5.6.

Proof.

5.3 A Quantum Bit Commitment Scheme

Construction 5.7 (Weakly Hiding Commitment).

Theorem 5.8.

Proof.

Construction 5.9 (Full Commitment).

Corollary 5.10.

Proof.

5.4 Statistical Hiding

Claim 5.11.

Proof.

5.5 Computational Binding

Claim 5.12.

Proof.

Random measurements.

Binding adversary’s attack.

Additional notations.

Reduction success probability.

6 Quantum Extrapolation

Definition 6.1 (Quantum Extrapolation).

Lemma 6.2.

Proof.

Corollary 6.3.

Proof.

Lemma 6.4 ([Hol72]).

Lemma 6.5.

Proof.

6.1 Relations to Other Hardness Assumptions

Proposition 6.6.

Proof.

Lemma 6.7 (Triangle-Like Inequality for Fidelity [NC10]).

Theorem 6.8.

Proof.

6.2 Polynomial-Space Upper Bound

Theorem 6.9.

Proof sketch.

Acknowledgements

References

Appendix A Alternative choices of bases

A.1 A Counterexample for Binary Phase Bases

A.2 A Counterexample for Pauli Bases

1.1 Classical $\rightarrow$ Quantum Extrapolation

Definition 1.1 (Classical $\rightarrow$ Quantum Extrapolation, informal).

2.2 Commitments from Classical $\rightarrow$ Quantum Extrapolation

5 Commitments from Hard Classical $\rightarrow$ Quantum Extrapolation

5.1 Classical $\rightarrow$ Quantum Extrapolation

A.3 Statistical Hiding with $2$ -Designs

Higher $t$ -Designs.