Weak approximate unitary designs and applications to quantum encryption

Unitary t-designs are the bread and butter of quantum information theory and beyond. An important issue in practice is that of efficiently constructing good approximations of such unitary t-designs. Building on results by Aubrun (Comm. Math. Phys. 2009), we prove that sampling $d^t\,\mathrm{poly}(t, \log d, 1/\epsilon)$ unitaries from an exact t-design provides with positive probability an $\epsilon$-approximate t-design, if the error is measured in one-to-one norm distance of the corresponding t-twirling channels. As an application, we give a partially derandomized construction of a quantum encryption scheme that has roughly the same key size and security as the quantum one-time pad, but possesses the additional property of being non-malleable against adversaries without quantum side information.


Introduction
Random unitaries, drawn from the Haar measure on the unitary group, play an important role in many aspects of theoretical quantum information science. For instance, most results on quantum source and channel coding are obtained with Haar-random coding strategies [ADHW09; HHWY08; BCR11] using the decoupling technique [HOW07; SDTR13; DBWR14; MBDRC17]. The columns and rows of Haar random unitaries are Haar random unit vectors and have also found many applications in quantum information theory, e.g. for constructing quantum money schemes [JLS18; AMR19]. However Haar random unitaries are infeasible to even approximate, the randomness and number of gates necessary to sample and implement them being exponential in the number of qubits they act on.
In most situations, unitary t-designs, the quantum analogues of t-wise independent functions, come to the rescue [DCEL09]. A unitary t-design is a measure on the unitary group that reproduces the Haar measure up to the t-th moment. This means that a random unitary sampled from a t-design can replace a Haar-random unitary in any situation where it is only applied t times. For practical purposes, one would like this measure to be more economical than the Haar measure (for instance to have finite, as small as possible, support). Often even just approximate versions of unitary t-designs (in the right metrics) are sufficient. In quantum information theory and related fields the most common metric between measures on the unitary group is the completely bounded one-to-one norm, or diamond norm, on the induced t-twirling channels. The t-twirling channel associated to a measure is the channel that can be implemented by sampling a unitary according to the measure, and then applying it to each sub-system of a t-partite input system.
In [HLSW04], approximate 1-designs have been studied using a metric based on the (not completely bounded) one-to-one norm. There, it is shown that approximate 1-designs in this weaker sense can be made of far fewer unitaries, and that they still have interesting applications, such as unconditionally secure encryption of quantum data when confidentiality is only desired against adversaries without quantum side information. The former result is shown by proving that sampling a small number of independent Haar-random unitaries provides with high probability an approximate 1-design. This construction was subsequently partially derandomized in [Aub09], where it was shown that sampling from a measure which is only a 1-design works as well.
Let us mention one last result which was known prior to this work. It was shown in [LW17] that, in fact, any channel can be approximated in one-to-one norm by a channel having few Kraus operators. However, this does not tell us whether it can be further imposed that the Kraus operators of this approximating channel are of a specific form (such as e.g. being unitaries sampled from a simple enough distribution, which is what we are interested in here).

Our contribution
In this work, we generalize the approach of [Aub09] to construct small approximate t-designs, for any given t, in one-to-one norm distance. In addition, for t = 2, we show that the approach extends to designs where the goal is to approximate the channel twirl, i.e. the transformation of quantum channels obtained by sampling a unitary, applying it to the input state before the channel acts on it, and undoing this action afterwards. Here, the appropriate distance is the one stemming from the operator norm induced by the diamond norm, which we call diamond-to-diamond norm. To prove the approximation result on the so-called $U^{\otimes t}$-twirl, we use basic representation theory of the unitary group, including the Weyl dimension formula, to show that it has small one-to-operator norm. This allows us to apply the powerful probabilistic and functional analytic tools developed in [Aub09]. For the channel twirl, the invariant space spanned by the identity, as well as the off-diagonal terms involving this invariant space, require a careful analysis. Along the way, we also construct a design that approximates the so-called $U \otimes \bar{U}$-twirl, the image of the channel twirl under the Choi-Jamiołkowski isomorphism.
What is more, we prove that our results are optimal, in the following sense: approximating the twirling channels under consideration cannot be done with fewer operators than what our sub-sampling approach gives, even without imposing any structure on them (in our case the constraint of being a tensor product of unitaries).

An application
Subsequently, we apply our results in a cryptographic context. We show that an approximate channel-twirl design in the diamond-to-diamond norm metric can be used to construct a quantum encryption scheme that is as secure as the quantum one-time pad and has (essentially) the same key length, but also is non-malleable against adversaries without quantum side information. While the construction is not time-efficient, it provides theoretical insights, and constitutes evidence that savings in key size are possible. In particular, the construction quantifies in a precise way the amount of secret key that a full two-design-based non-malleable quantum encryption scheme uses just to counter side information attacks.
Beyond applications to cryptography, the Kraus rank of a quantum channel can be considered, more generally, as a measure of its complexity. It indeed quantifies the minimal amount of ancillary resources needed to implement it. Equivalently, it quantifies the amount of degrees of freedom in it that one is ignorant of. It is thus natural to ask: given a quantum channel, is it possible to reduce its complexity while not affecting its action too much? Or, in other words, is it possible to find a channel with much smaller Kraus rank which approximately simulates it? In our case, we further impose that the Kraus operators of the approximating channel, in addition to being few, inherit the structure of those of the original channel. Our results can therefore be seen as statements about complexity reduction of twirling channels, under extra constraints. As explained in [LW17], results of this type provide, amongst others, efficient schemes for the destruction of correlations and data hiding in bipartite states.

Related work
Unitary t-designs exist for all t and all dimensions [SZ84; Kan15]. For t > 3, time-efficient constructions are, however, only known for approximate unitary t-designs [BHH16]. An appealing approach to try and exhibit unitary t-designs would be to look for them amongst unitary groups, equipped with their uniform measure. For $t \le 3$ the Clifford group is known to be such a unitary t-group [Web16; Zhu17]. Nevertheless, it was recently proved in [BNRT20] that there is no unitary t-group for $t \ge 4$ (except in dimension 2), so that this strategy cannot work anymore. The sub-sampling technique that we use, following [Aub09], i.e. the strategy of sampling a random subset of unitaries from an exact design, was first introduced in [ABW09] to show the existence of small approximate 2-designs.
Non-malleability for quantum encryption was first introduced and characterized in [ABW09]. In this work it was also shown that the notion of quantum non-malleability is equivalent to the notion of approximate unitary 2-designs, under the condition that the encryption algorithm be unitary. Subsequently, non-malleability for quantum encryption has been further studied in [AM17; MSW19].

Notation and standard definitions
Let us gather here notation that we will be using throughout the whole paper. Given $d \in \mathbb{N}$, we denote by L(d) the set of linear operators on $\mathbb{C}^d$, by D(d) the set of quantum states (i.e. positive semidefinite and trace 1 operators) on $\mathbb{C}^d$, and by U(d) the set of unitary operators on $\mathbb{C}^d$. We additionally denote by L(d) the set of linear operators on L(d), and by C(d) the set of quantum channels (i.e. completely positive and trace-preserving operators) on L(d). Let us conclude with some standard notation/definitions from probability theory. Given a random variable X, we denote by $\mathbb{E}\,X$ its average and by $\mathbb{P}(X \in E)$ the probability that X satisfies event E. We say that ε is a Bernoulli random variable if $\mathbb{P}(\varepsilon = +1) = \mathbb{P}(\varepsilon = -1) = 1/2$.

Representation theoretic preliminaries
A good introduction to the representation-theoretic concepts used in this work can be found in [FH13] (see also [Chr06] for a short introduction that is very accessible for quantum information theorists). Given $t \in \mathbb{N}$ let $S_t$ be the permutation group of {1, . . . , t}. The irreducible representations [λ] of $S_t$ are called Specht modules and are indexed by integer partitions of t, denoted as $\lambda \vdash t$. Such a partition is represented as a tuple $\lambda = (\lambda_1, \dots, \lambda_r) \in \mathbb{N}^r$, for some $r \in \mathbb{N}$, with $\lambda_1 \ge \cdots \ge \lambda_r$ and $\sum_{i=1}^r \lambda_i = t$. Given $d \in \mathbb{N}$ let U(d) be the unitary group of $\mathbb{C}^d$. The polynomial irreducible representations $V_\lambda$ of U(d) are called Weyl modules and are indexed by integer partitions of any number $t \in \mathbb{N}$ into exactly d parts (some of which might be 0), denoted as $\lambda \vdash (t, d)$. The dimension of the Weyl module $V_\lambda$ is given by the Weyl dimension formula (1)
A particular vector space that carries representations of both $S_t$ and U(d) is $(\mathbb{C}^d)^{\otimes t}$, the corresponding actions are defined as
The two actions commute, i.e. $(\mathbb{C}^d)^{\otimes t}$ decomposes into a direct sum of irreducible representations (irreps) of the product group $S_t \times U(d)$. These irreps are just tensor products of an irrep of $S_t$ with an irrep of U(d). What is more, the corresponding representations of the group algebras of $S_t$ and U(d) are double commutants, implying that the decomposition is multiplicity free.
Theorem 2.1 (Schur-Weyl duality). Let S t and U (d) act on (C d ) ⊗t as described above. The direct sum decomposition into irreducible representations of S t × U (d) is multiplicity free, and is given by Define the quantum channel T (t) on (C d ) ⊗t as where dU stands for the Haar measure on U (d). The channel T (t) is often referred to as a twirling channel. It is obviously covariant with respect to the action of U (d). Hence, denoting by W the isomorphism between the right and left hand sides of the equation (2) above, Schur's Lemma implies that where P λ is the projector onto Let us make things slightly more explicit in the case t = 2. We have
(Accepted in Quantum 2020-08-24. Published under CC-BY 4.0.)
where ∧ 2 (d) and ∨ 2 (d) are, respectively, the symmetric and anti-symmetric subspaces of (C d ) ⊗2 . The corresponding projectors are P ∧ 2 (d) = (1 + F )/2 and P ∨ 2 (d) = (1 − F )/2, where F denotes the so-called flip operator. And the action of T (2) can be explicitly written as, for all X ∈ L(d 2 ), Fix a basis B = {|i } d−1 i=0 for C d and let T be the transposition in this basis. It is easy to check that, denoting by X Γ the partial transposition of X (i.e. X Γ = id ⊗ T(X)), we have, for all X ∈ L(d 2 ), By the preceding discussion, we know that T (1,1) (X) can be written as a linear combination |i is the standard maximally entangled state with respect to B. So equivalently, T (1,1) (X) can be written as a linear combination of |ψ ψ| and Q = 1 − |ψ ψ|, which are orthogonal to one another. More specifically, for all X ∈ L(d 2 ),

Several channel approximation results
Before we present our various twirling channel approximation results, let us state here the key technical lemma which is the starting point of most of our proofs. This lemma first appeared as [Aub09, Lemma 5]. Its proof consists in estimating the average of the supremum of an empirical process through covering numbers, thanks to Dudley's inequality and a duality argument for entropy numbers.

Approximating the twirling channel T (t)
Let t ∈ N be such that t < d. The goal here is to show that the twirling channel T (t) , as defined by equation (3), can be approximated with 'few' Kraus operators sampled from a 'simple' probability measure. We will be able to prove such approximation in a strong sense, namely in one-to-infinity norm.
We will show the following result:
Theorem 3.2. Let $0 < \epsilon < 1$. Assume that the probability measure µ on U(d) is a t-design, and let $U_1, \dots, U_n$ be sampled independently from µ. There exists a universal constant C > 0 such that, if $n \ge C(td)^t (t \log d)^6/\epsilon^2$, then with probability at least 1/2, we have
Theorem 3.2 generalizes [Aub09, Theorem 2] to t-designs for any $t \in \mathbb{N}$ rather than only for 1-designs. We actually follow the exact same proof strategy as that of [Aub09, Theorem 2]. The only additional technical lemma that we need in the case t > 1 is one that tells us that $T^{(t)}$ has a small (1 → ∞)-norm (a fact which is obvious for t = 1).
Proof. By equation (4), the operator norm in question is just given by the inverse of the minimal dimension of an irrep V λ , Indeed, let us denote by λ * the partition minimizing m λ . It is clear that if as T (t) begins with a pinching with respect to the direct sum decomposition (2). We go on to find a lower bound on m λ * using the formula (1). To this end we first note that λ * is a partition of t into d parts, so λ * i = 0 for all i > t. Noting that all the factors in the product in equation (1) are lower bounded by 1, and only keeping factors such that i ≤ t < j we get As a final step we use that We then need the technical result below, which is an immediate corollary of [Aub09, Lemma 5], recalled earlier as Lemma 3.1.
Proof. This follows directly from [Aub09, Lemma 5], applied with $d^t$ playing the role of d and $U_i^{\otimes t}$ playing the role of $U_i$, $1 \le i \le n$.
With these two preliminary lemmas at hand, we are now in position to prove Theorem 3.2.
Proof of Theorem 3.2. Let V 1 , . . . , V n be independent copies of U 1 , . . . , U n and ε 1 , . . . , ε n be independent Bernoulli random variables. Setting we then have where the first inequality is by Jensen's inequality, the second equality is by symmetry, and the third inequality is by the triangle inequality.
Hence, by Lemma 3.4, we get where the second inequality is by Lemma 3.3 while the third inequality is by Jensen's inequality. Now, it is easy to check that, given And the latter quantity is smaller than $\epsilon/d^t$ as soon as n is larger than $C(td)^t (t \log d)^6/\epsilon^2$. To conclude, we just have to use Markov's inequality, which guarantees that, if $\mathbb{E}\,M \le \epsilon/d^t$, then This is exactly what we wanted to show (after relabelling $2\epsilon$ in $\epsilon$ and 4C in C).
Remark 3.5. Note that, up to a poly(t, log d) factor, the result of Theorem 3.2 is optimal, in the sense that it is impossible to approximate the twirling channel T (t) with less than order d t operators. This is true even if we only require -approximation in (1 → 1)-norm rather than /d t -approximation in (1 → ∞)-norm. The argument has a similar flavor as the one appearing in [LW17,Section 5.1], proving optimality of channel approximation in a more general setting. Indeed, let T,T be channels on L(n) which are -close in (1 → 1)-norm. Suppose that T is such that, for all ρ ∈ D(n), T (ρ) ∞ c/n. Now, ifT has Kraus rank k < c/n, then a pure input state ρ is necessarily sent on an output stateT (ρ) of rank at most k. Hence for ρ ∈ D(n) pure, we have But since by assumption we also have this means that necessarily k (1 − )n/c In the case of the channel T (t) on L(d t ), we know by Lemma 3.3 that, for all ρ ∈ D(d t ), So if a channel is -close to T (t) in (1 → 1)-norm, then it has to have Kraus rank at least (1 − )(d/2t) t .

Approximating the twirling channel T (1,1)
The goal here is to show that the twirling channel T (1,1) , as defined by equation (5), can be approximated with 'few' Kraus operators sampled from a 'simple' probability measure. We will only be able to prove such approximation in a weaker sense than in the case of T (t) treated before, namely in one-to-one norm.
If µ is a 2-design on U(d), then, by equation (5), we have that
We will show the following result:
Theorem 3.6. Let $0 < \epsilon < 1$. Assume that the probability measure µ on U(d) is a 2-design, and let $U_1, \dots, U_n$ be sampled independently from µ. There exists a universal constant C > 0 such that, if $n \ge Cd^2 (\log d)^6/\epsilon^2$, then with probability at least 1/2, we have
The way we prove Theorem 3.6 is by first analysing separately the cases where the input state is the maximally entangled state or a state orthogonal to it. This is the content of Propositions 3.7 and 3.8 below.
Proposition 3.7. Assume that the probability measure µ on U (d) is a 2-design, and let U 1 , . . . , U n be sampled independently from µ. Then, Proof. We just have to notice that, for any U ∈ U (d), U ⊗Ū |ψ = |ψ . And thus, as announced.
Proposition 3.8. Let $0 < \epsilon < 1$. Assume that the probability measure µ on U(d) is a 2-design, and let $U_1, \dots, U_n$ be sampled independently from µ. There exists a universal constant C > 0 such that, if $n \ge Cd^2 (\log d)^6/\epsilon^2$, then with probability at least 1/2, we have
In order to prove Proposition 3.8 we follow the same route as to prove Theorem 3.2. We thus begin by observing that $T^{(1,1)}$ has a small (1 → ∞)-norm on the orthogonal complement of the maximally entangled state, which is the analogue of Lemma 3.3 in the study of $T^{(t)}$.
We then need the technical result below, which is the analogue of Lemma 3.4 in the study of T (t) , and which is as well an immediate corollary of [Aub09, Lemma 5], recalled earlier as Lemma 3.1.
Lemma 3.10. Let $U_1, \dots, U_n \in U(d)$. For $\varepsilon_1, \dots, \varepsilon_n$ independent Bernoulli random variables, we have
Proof. This follows directly from [Aub09, Lemma 5], applied with $d^2 - 1$ playing the role of d and $U_i \otimes \bar{U}_i$ playing the role of $U_i$, $1 \le i \le n$.
With Lemmas 3.9 and 3.10 at hand it is straightforward to prove Proposition 3.8, starting from the same symmetrization trick as the one that allows one to prove Theorem 3.2 from Lemmas 3.3 and 3.4. We therefore do not repeat the proof here.
So we can now combine Propositions 3.7 and 3.8 to get Theorem 3.6. It is interesting to note that Propositions 3.7 and 3.8 give us approximation results for the channel $T^{(1,1)}$ in (1 → ∞)-norm, on the maximally entangled state and on states which are orthogonal to it. However, when combining them in order to deal with the case of input states supported on both subspaces, we are only able to get an approximation result in (1 → 1)-norm. Indeed, as will be clear in the proof, in order to show that the approximation error is small also for mixed terms, we need to use the approximation result from Theorem 3.2 for the channel $T^{(1)}$. Now, since the latter acts on L(d), and not on $L(d^2)$ as $T^{(1,1)}$ does, the approximation error that we can guarantee for it is not small enough to give an interesting approximation result for $T^{(1,1)}$ in the strong (1 → ∞)-norm, which is why we have to relax to the weaker (1 → 1)-norm. A way around this limitation would probably be to try and prove an analogue of [Aub09, Lemma 5] which encompasses the action of the channel $T^{(1,1)}$ on the whole input space, rather than analysing separately its action on two subspaces, as we do here.
Putting everything together we eventually obtain that, with probability at least 1/2, for any $|\varphi\rangle$, which, up to re-labelling $3\epsilon/2$ in $\epsilon$, is exactly what we wanted to prove.
Remark 3.11. It can be shown that the result of Theorem 3.6 is optimal, up to a poly(log d) factor, just as the one of Theorem 3.2. Indeed, using the same reasoning as in Remark 3.5, together with Lemma 3.9, we see that, if a channelT (1,1) is -close to T (1,1) in (1 → 1)-norm, then it has to satisfy r(T (1,1) ) (1 − )(d 2 − 1).

Approximating the twirling super-channel Θ
We are now interested in a slightly different kind of twirling, namely one that acts on channels rather than states. We thus define the quantum super-channel Θ on C(d) as
Similarly as before, we here want to show that Θ can be approximated by sampling 'few' unitaries from a 'simple' probability measure. We will be able to prove approximation in completely bounded one-to-one norm (also known as diamond norm) for all input channels. More precisely, denoting by id : L(d) → L(d) the identity map on L(d), we will show the following result:
Theorem 3.12. Let $0 < \epsilon < 1$. Assume that the probability measure µ on U(d) is a 2-design, and let $U_1, \dots, U_n$ be sampled independently from µ. There exists a universal constant C > 0 such that, if $n \ge Cd^2 (\log d)^6/\epsilon^2$, then with probability at least 1/2, we have, for all $N \in C(d)$,
Proof. By convexity of $\|\cdot\|_1$ and extremality of pure states amongst all states, it is enough to prove that the result is true for all pure input states (and all input channels). Let N be a channel and $|\varphi\rangle$ be a pure state, which we can write as $|\varphi\rangle = X \otimes 1|\psi\rangle$ for some X such that $\|X\|_2 = \sqrt{d}$. Now, for any $U \in U(d)$, $X \otimes U^*|\psi\rangle = X\bar{U} \otimes 1|\psi\rangle$, so that Therefore, defining ∆ as in equation (7), we have We now proceed exactly as in the proof of Theorem 3.6. First, by Proposition 3.7, $\Delta(|\psi\rangle\langle\psi|) = 0$, so that $\|X \otimes 1\, \Delta(|\psi\rangle\langle\psi|)\, X^* \otimes 1\|_1 = 0$.
Second, by Proposition 3.8, with probability at least 3/4, for any |ψ orthogonal to |ψ , where the first inequality is by Hölder inequality while the last inequality is simply recalling that X 2 = 1 2 = √ d. Third, any |ψ orthogonal to |ψ can be written as |ψ = Y ⊗ 1|ψ for some Y such that Tr(Y ) = 0 and Y 2 = √ d. Since for any U ∈ U (d), U ⊗Ū |ψ = |ψ and U Y ⊗Ū |ψ = U Y U * ⊗ 1|ψ , we then get where the second equality is because X ⊗ 1|ψ = |ϕ = 1. Now on the one hand And on the other hand, by Theorem 3.2 for t = 1 and / √ d instead of , we get that, for n Cd 2 (log d) 6 / 2 , with probability at least 3/4, for all Y such that And thus, with probability at least 3/4, for any |ψ orthogonal to |ψ , Putting everything together, we obtain that, with probability at least 1/2, for any state σ (in particular for σ = id ⊗ N (|ψ ψ|)), Inserting this into equation (9), and re-labelling 3 /2 in , yields exactly the claimed result.

An alternative formulation
Given a linear map acting on a normed vector space (that of either operators or superoperators in our case), it is natural to define its so-called induced norms. For a linear map M : L(d) → L(d), the most relevant induced norm is the one-to-one norm, as well as its completely bounded counterpart (also known as diamond norm). These are defined as where id k : L(k) → L(k) denotes the identity map on L(k). By extension, for a linear map Ξ : L(d) → L(d), the most relevant induced norm is the diamond-to-diamond norm, as well as its completely bounded counterpart (which we denote with a double diamond). These are defined as where id k : L(k) → L(k) denotes the identity map on L(k).
Using these definitions, we can reformulate Theorems 3.2 and 3.12 as follows:
Corollary 3.13. Let $0 < \epsilon < 1$. Assume that the probability measure µ on U(d) is a t-design, and let $U_1, \dots, U_n$ be sampled independently from µ. There exists a universal constant C > 0 such that, if $n \ge C(td)^t (t \log d)^6/\epsilon^2$, then with probability at least 1/2, we have
Corollary 3.14. Let $0 < \epsilon < 1$. Assume that the probability measure µ on U(d) is a 2-design, and let $U_1, \dots, U_n$ be sampled independently from µ. There exists a universal constant C > 0 such that, if $n \ge Cd^2 (\log d)^6/\epsilon^2$, then with probability at least 1/2, we have
For the applications in the next section, it is natural to define a k-bounded variant of the completely bounded one-to-one and diamond-to-diamond norms, i.e.
By the Schmidt decomposition it is clear that · ,d = · and · ,d 2 = · . What is more, it is well-known that, for any k d, · ,k k · 1→1 . We now prove a similar upper bound for · ,k in terms of · → .
Proof. Let M ∈ L(kd) with M = 1 be such that By concavity of the diamond norm, we can assume that M has a Choi matrix η M ∈ L(k 2 d 2 ) of rank one, i.e. η M = |ϕ M φ M | for some |ϕ M , |φ M ∈ C k 2 d 2 . Let us now write |ϕ M , |φ M ∈ C k 2 ⊗ C d 2 in their Schmidt decomposition: with {p i } 1 i k 2 , {q i } 1 i k 2 subnormalized probability distributions and with {|α i } 1 i k 2 , {|γ i } 1 i k 2 and {|β i } 1 i k 2 , {|ζ i } 1 i k 2 orthonormal families in C k 2 and C d 2 respectively. We can hence write where M k ij : L(k) → L(k) is defined as having Choi matrix η M k ij = |α i γ j | ∈ L(k 2 ) and . We then have by the triangle inequality To finish the proof, we then simply have to observe that where the first inequality is by definition of the diamond-to-diamond norm and the second inequality is due to the Cauchy-Schwarz inequality.
Application: Quantum non-malleable encryption against adversaries with small quantum memory
Information-theoretically secure quantum encryption has been studied extensively. In particular, the one-time variants of security goals such as confidentiality, authenticity and non-malleability have been defined for quantum encryption. When assessing the efficiency of a symmetric-key encryption scheme, there are three main figures of merit: the running time of the encryption and decryption algorithms, the ciphertext length and the key length. Here, we focus on the latter two figures of merit. Protocols have been designed which achieve the optimal scaling with respect to key length (up to log factors). More precisely, the results are as follows. The quantum one-time pad scheme, that encrypts a quantum system by applying a random element of the Pauli group, requires 2 log d bits of key [AMTDW00]. The quantum authentication scheme presented in [BCGST02] uses 2 log d + O(s) bits of key and log d + O(s) bits of ciphertext to achieve s bits of security. And non-malleable encryption with unitaries (hence with plaintext space and ciphertext space being the same) can be done with (4 + o(1)) log d bits of key [ABW09]. Here we describe a construction for non-malleable encryption without adversarial side information with unitaries using 2 log d + O(log log d) bits of key. In addition, our scheme has confidentiality against adversaries with side information. In other words, it is an alternative to the standard quantum one-time pad with the added property of non-malleability without side information at only an additive logarithmic cost in terms of key length.

One-time-secure quantum encryption
We begin by defining more rigorously the different cryptographic notions mentioned above. In the following, given a finite set $\mathcal{X}$, the notation $\mathbb{E}_{x \in \mathcal{X}}$ is used to denote the expectation value of a random variable x distributed uniformly on $\mathcal{X}$. is called quantum encryption scheme if The parameters $\log_2 |\mathcal{X}|$, $\log_2 d_M$ and $\log_2 d_C$ are called key length, message length and ciphertext length, respectively.

Definition 4.2 (Indistinguishability of ciphertexts). A quantum encryption scheme has $\epsilon$-indistinguishable ciphertexts, if there exists a quantum state
A quantum encryption scheme has $\epsilon$-indistinguishable ciphertexts against adversaries without side information if the above inequality holds with the diamond norm replaced by the one-to-one norm.

Definition 4.3 (Non-malleability). A quantum encryption scheme is $\epsilon$-non-malleable, if there exists a quantum state σ ∈ D(d C ) such that for all side information dimension d E and all Λ ∈ C(d C d E ) there exist completely positive maps Λ = , Λ = ∈ L(d E ) whose sum is trace-preserving and p ∈ [0, 1] such that
A quantum encryption scheme is $\epsilon$-non-malleable against adversaries without side information, if there exists a quantum state σ ∈ D(d C ) such that for all Λ ∈ C(d C ) there exists p ∈ [0, 1] such that

Non-stabilized norms and adversaries without quantum side information
Any family of unitary matrices $\{U_x\}_{x \in \mathcal{X}}$ defines a quantum encryption scheme via, for all $x \in \mathcal{X}$, $\mathrm{Enc}_x(X) = U_x X U_x^*$ and $\mathrm{Dec}_x = \mathrm{Enc}_x^*$. For such unitary quantum encryption schemes, it is easy to see that $\epsilon$-indistinguishability of ciphertexts implies that the family of unitaries is a $2\epsilon$-approximate 1-design in diamond norm, and any $\epsilon$-approximate 1-design in diamond norm gives rise to a quantum encryption scheme with $\epsilon$-indistinguishable ciphertexts. The weaker property of $\epsilon$-indistinguishability of ciphertexts against adversaries without side information and the $\epsilon$-approximate 1-design property measured in one-to-one norm have the same relationship.
Similarly, if a unitary quantum encryption scheme is $\epsilon$-non-malleable, then it is a $2\epsilon$-approximate channel twirl in completely bounded diamond-to-diamond norm, and an $\epsilon$-approximate channel twirl in completely bounded diamond-to-diamond norm gives rise to a quantum encryption scheme that is $\epsilon$-non-malleable [ABW09; AM17]. Again, the weaker $\epsilon$-non-malleability against adversaries without side information and the $\epsilon$-approximate channel twirl property measured in diamond-to-diamond norm have the same relationship.
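The following Python example is added here for illustration and is not part of the original paper. It instantiates the unitary encryption scheme Enc_x(X) = U_x X U_x^* for a single qubit with the Pauli group as key set (the quantum one-time pad), checks the exact 1-design property, measures how far a sub-sampled key set falls from it on a few probe states, and shows that a Pauli applied to the ciphertext acts as the same Pauli on the plaintext whatever the key, which is the malleability that a 1-design alone does not rule out. All function names and the probe states are constructed for this example.

```python
import math

SQ = 1 / math.sqrt(2)
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]
H = [[SQ, SQ], [SQ, -SQ]]          # Hadamard, a non-Pauli unitary
PAULIS = [I2, X, Y, Z]             # key set of the qubit one-time pad


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def dagger(a):
    return [[a[j][i].conjugate() for j in range(2)] for i in range(2)]


def enc(u, rho):
    """Enc_x(rho) = U_x rho U_x^*."""
    return matmul(matmul(u, rho), dagger(u))


def dec(u, sigma):
    """Dec_x = Enc_x^*, i.e. sigma -> U_x^* sigma U_x."""
    return matmul(matmul(dagger(u), sigma), u)


def pure(a, b):
    """Density matrix of the normalised state a|0> + b|1>."""
    n = math.sqrt(abs(a) ** 2 + abs(b) ** 2)
    v = [complex(a) / n, complex(b) / n]
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]


# Constructed probe inputs: the eigenstates of Z, X and Y.
PROBES = {"0": pure(1, 0), "1": pure(0, 1), "+": pure(1, 1),
          "-": pure(1, -1), "+i": pure(1, 1j), "-i": pure(1, -1j)}


def twirl(keys, rho):
    """Average ciphertext under a uniformly random key from `keys`."""
    out = [[0j, 0j], [0j, 0j]]
    for u in keys:
        c = enc(u, rho)
        for i in range(2):
            for j in range(2):
                out[i][j] += c[i][j] / len(keys)
    return out


def trace_norm(h):
    """Trace norm of a 2x2 Hermitian matrix from its two eigenvalues."""
    tr = (h[0][0] + h[1][1]).real
    det = (h[0][0] * h[1][1] - h[0][1] * h[1][0]).real
    disc = math.sqrt(max(tr * tr / 4 - det, 0.0))
    return abs(tr / 2 + disc) + abs(tr / 2 - disc)


def deviation(keys, rho):
    """|| twirl_keys(rho) - 1/2 ||_1: distance from the maximally mixed state."""
    t = twirl(keys, rho)
    return trace_norm([[t[i][j] - (0.5 if i == j else 0.0) for j in range(2)]
                       for i in range(2)])


def worst_case_deviation(keys):
    """Maximum over the probe states; a lower bound on the one-to-one norm
    distance between the sampled twirl and the exact 1-twirl."""
    return max(deviation(keys, rho) for rho in PROBES.values())


def close(a, b, tol=1e-9):
    return all(abs(a[i][j] - b[i][j]) < tol for i in range(2) for j in range(2))


def tamper_then_decrypt(key, attack, rho):
    """Encrypt under `key`, apply unitary `attack` to the ciphertext, decrypt."""
    return dec(key, enc(attack, enc(key, rho)))


def effect_is_key_independent(attack, rho):
    """True if tampering yields attack*rho*attack^* for every Pauli key."""
    target = enc(attack, rho)
    return all(close(tamper_then_decrypt(k, attack, rho), target) for k in PAULIS)


if __name__ == "__main__":
    print("full Pauli set  :", worst_case_deviation(PAULIS))
    print("keys {I, X}     :", worst_case_deviation([I2, X]))
    print("keys {I, X, Y}  :", worst_case_deviation([I2, X, Y]))
    print("X on ciphertext :", effect_is_key_independent(X, PROBES["0"]))
    print("H on ciphertext :", effect_is_key_independent(H, PROBES["0"]))
```

The key set {I, X} hides |0⟩ perfectly but leaves |+⟩ untouched, which is why the design property is stated as a norm, i.e. a supremum over all inputs, rather than checked on a single state.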
The results in the previous section thus immediately imply the following for random unitary encryption schemes:
Theorem 4.4. Let $0 < \epsilon < 1$. Assume that the probability measure µ on U(d) is a 2-design, and let $U_1, \dots, U_n$ be sampled independently from µ. There exists a universal constant C > 0 such that, if $n \ge Cd^2 (\log d)^6/\epsilon^2$, then with probability at least 1/2, the quantum encryption scheme defined by the family of unitaries $\{U_1, \dots, U_n\}$ has $\epsilon/\sqrt{d}$-indistinguishable ciphertexts and is $\epsilon$-non-malleable against adversaries without side information.
Proof. Let us define To begin with notice that, if µ is a 2-design then it is a fortiori a 1-design. Hence by Corollary 3.13 (for t = 1 and $\epsilon/\sqrt{d}$ instead of $\epsilon$) and Corollary 3.14, the probability that $T^{(1)}_{\mu,n}$ is an $\epsilon/\sqrt{d}$-approximate 1-design in one-to-one norm and the probability that $\Theta_{\mu,n}$ is an $\epsilon$-approximate channel twirl in diamond-to-diamond norm are both at least 3/4 for $n \ge Cd^2 (\log d)^6/\epsilon^2$. By the union bound, both properties hold simultaneously with probability at least 1/2. And as explained before, if this is so then the corresponding unitary quantum encryption scheme has $\epsilon/\sqrt{d}$-indistinguishable ciphertexts and is $\epsilon$-non-malleable against adversaries without side information.
Using the result of Lemma 3.15, relating the k-bounded diamond norm to the one-to-one norm and the k-bounded double diamond norm to the diamond-to-diamond norm, we can immediately derive from Theorem 4.4 a generalisation of it that applies to the case where the adversary has side information, but in bounded quantity.
Corollary 4.5. Let $0 < \epsilon < 1$. Assume that the probability measure µ on U(d) is a 2-design, and let $U_1, \dots, U_n$ be sampled independently from µ. There exists a universal constant C > 0 such that, if $n \ge Cd^2 (\log d)^6 k^4/\epsilon^2$, then with probability at least 1/2, the quantum encryption scheme defined by the family of unitaries $\{U_1, \dots, U_n\}$ has $\epsilon/k\sqrt{d}$-indistinguishable ciphertexts and is $\epsilon$-non-malleable against adversaries with k-bounded side information.
Proof. Let $T^{(1)}_{\mu,n}$, $\Theta_{\mu}$ be defined as in equation (10). We have shown in the proof of Theorem 4.4 that, for $n \ge Cd^2 (\log d)^6/\epsilon^2$, with probability larger than 1/2, Hence redefining $\epsilon$ as $k^2\epsilon$, we get that, for $n \ge Cd^2 (\log d)^6 k^4/\epsilon^2$, with probability larger than 1/2, $T^{(1)}_{\mu,n}$ is an $\epsilon/k\sqrt{d}$-approximate 1-design in k-bounded diamond norm and $\Theta_{\mu,n}$ is an $\epsilon$-approximate channel twirl in k-bounded double diamond norm. And if this is so then the corresponding unitary quantum encryption scheme has $\epsilon/k\sqrt{d}$-indistinguishable ciphertexts and is $\epsilon$-non-malleable against adversaries with k-bounded side information.

A note on efficiency
While our scheme is more efficient in terms of key length and in terms of encryption and decryption given the element of the design that needs to be applied (if instantiated with an efficiently implementable 2-design, such as e.g. the Clifford group), specifying the randomly chosen subset of the exact 2-design is inefficient. This is a problem shared by all schemes based on the sub-sampling technique, i.e. in particular by the ones constructed in [HLSW04] and [ABW09]. To construct efficiently specifiable approximate designs in the weak norms we consider, that are still smaller than approximate designs in the diamond norm, additional new techniques seem to be necessary. A possible approach would for instance be to analyse random quantum circuits with respect to these norms. Indeed, all results showing that random quantum circuits of a given size are expected to be approximate t-designs, following the seminal work [BHH16], use a metric which is stronger than the one we need for our cryptographic applications. It is thus probable that, for the latter, shorter random quantum circuits are already working well.
It is also worth pointing out that our results can be easily generalized to the case where the unitaries are sampled from an approximate rather than exact design. For instance, in the case of Theorem 3.2 we would have the following result: If µ is an $\epsilon/d^t$-approximate t-design in (1 → ∞)-norm, then we can obtain a $2\epsilon/d^t$-approximate t-design in (1 → ∞)-norm by sampling $C(td)^t (t \log d)^6/\epsilon^2$ unitaries from µ. Indeed, the proof of Theorem 3.2 relates the behaviour of the sampled twirling channel $T^{(t)}_{\mu,n}$ to that of its average $T^{(t)}_{\mu}$, independently of whether or not this average is the same as if taken over the Haar measure, i.e. equal or not to $T^{(t)}$. Once you have proven that $T^{(t)}_{\mu,n}$ is close to $T^{(t)}_{\mu}$, you just have to use that, by assumption on µ, $T^{(t)}_{\mu}$ is close to $T^{(t)}$, and add the two approximation errors. This provides a strategy to circumvent the difficulty of constructing exact t-designs for t > 3, since on the contrary efficient constructions of approximate ones (even in a stronger sense than the one we require) are known.