Purification applied to indistinguishability

Question

In Zhandry's compressed oracle paper, one can read the following:

Next, we note that the oracle $h$ being chosen at random is equivalent (from the adversary’s point of view) to $h$ being in uniform superposition $\sum_h|h\rangle$. Indeed, the superposition can be reduced to a random $h$ by measuring, and measuring the $h$ registers (which is outside of $A$’s view) is undetectable to $A$. To put another way, the superposition over $h$ is a purification of the adversary’s mixed state.

Though it appears to be intuitive, I can't manage to prove this formally using density matrices.

Let us first consider an oracle that samples at random a function $h:\{0\,;\,1\}^m\to\{0\,;\,1\}^n$ and uses a register with $n\,2^m$ qubits, which can be decomposed in $2^m$ $n$-qubit registers, where the $i$-th register (indexing from 0) represents the value of $h(i)$. We consider three registers, namely the two adversary's registers $X$ and $Y$ and the oracle's register $F$. We define the unitary $\mathcal{O}$ to act on the basis states as follow: $$\mathcal{O}\left(|x,y\rangle\otimes|h\rangle\right)=|x,y\oplus h_x\rangle\otimes|h\rangle$$ with $h_x$ being the value stored in $F$'s $x$-th sub-register.

The goal is to show that, from the adversary's point of view, initialising $F$ with a uniformly sampled function $h$ or with a uniform superposition $\sum_h|h\rangle$ is equivalent.

Carrying out the computations and tracing out the oracle's registers, in the first case ($h$ is sampled once and for all) the system density matrix associated to the adversary's registers is: $$\rho^A_1 = \sum_{i,j,k,l}\rho_{i,j,k,l}\,|i,j\oplus h_i\rangle\,\langle k,l\oplus h_k|$$ while in the second case ($F$ is initialised with $\sum_h|h\rangle$), we get: $$\rho^A_2 = \frac{1}{2^{2\,n}}\,\sum_{i,j,k,l}\sum_{h_i, h_k}\rho_{i,j,k,l}\,|i,j\oplus h_i\rangle\,\langle k, l\oplus h_k|$$ which is very similar to $\rho^A_1$.

If we compute the probability of measuring $|x,y\rangle$, we get for the first case: $$\rho_{x,y\oplus h_x,x,y\oplus h_x}$$ which is the probability given $h$. By summing over the $h$, we find the same probability as the one in the second case, that is: $$\frac{1}{2^n}\,\sum_{h_x}\rho_{x,y\oplus h_x,x,y\oplus h_x}\,.$$

My questions are:

1. We are forced to use probability theory after having performed the measurement in the first case to find the same probability as in the second case. Since the density matrix contains all the statistical information about the system's state, shouldn't we be able to say these cases are indistinguishable just by looking at the density matrices? How can/should I bring the uncertainty over $h$ into the density matrix?
2. That's closely related to 1., but since the density matrices are different, are we sure that the adversary can't tell the difference by simply computing the probability once $\mathcal{O}$ has been applied? Shouldn't we consider that the adversary may apply an arbitrary unitary $\mathbf{U}$ on their state to help them distinguish between the cases? I guess it would work, but ocne again, can't we do it directly with the density matrices?
3. How can Zhandry's justification can be translated into the density matrix formalism? Why is the fact that the state is now pure a reason to tell that the adversary can't tell the difference between both cases?

Answer 1

I've been working a bit on this, and I think I can add at least some parts of an answer. To be fair, I'm not sure at all this reasoning is correct, so don't hesitate to tell me if you spot a mistake!

First, we will use a Lemma which we introduce below.

---

Lemma

Let us consider two density matrices $\rho_1$ and $\rho_2$. If, for any unitary $\mathbf{U}$ the probability of measuring any basis state on the density matrix $\mathbf{U}\rho_1\mathbf{U}^\dagger$ match with the one on $\mathbf{U}\rho_2\mathbf{U}^\dagger$, then $\rho_1=\rho_2$.

Proof

Since the probabilities match, we have, for any unitary $\mathbf{U}$ and any state $|x\rangle$: $$\mathrm{tr}\left(|x\rangle\langle x|\mathbf{U}\rho_1\mathbf{U}^\dagger\right)=\mathrm{tr}\left(|x\rangle\langle x|\mathbf{U}\rho_2\mathbf{U}^\dagger\right)$$ Using the linearity of the trace: $$\mathrm{tr}\left(|x\rangle\langle x|\mathbf{U}\left(\rho_1-\rho_2\right)\mathbf{U}^\dagger\right)=0$$ which can be rewritten as: $$\langle x|\mathbf{U}\,\left(\rho_1-\rho_2\right)\mathbf{U}^\dagger|x\rangle$$ Since this is true for any state $|x\rangle$ and any unitary $\mathbf{U}$, then for any unitary vector $u$, we have: $$u^\dagger\,\left(\rho_1-\rho_2\right)u=0$$ Multiplying by an arbitrary complex $\mu$ and its conjugate, this equation remains true for any vector $u$, not necessarily unitary. If we now consider an eigenvector $u$ of $\rho_1-\rho_2$ with associated eigenvalue $\lambda$, we get that $\lambda$ is necessarily nil. Hence, $\rho_1-\rho_2$ is nil, and thus $\rho_1=\rho_2$.

---

Answer to 1.

We can carry out the computations for $\mathbf{U}\rho^A_1\mathbf{U}^\dagger$ and $\mathbf{U}\rho^A_2\mathbf{U}^\dagger$ and compute their probabilites to measure a given state $|x,y\rangle$ only to find that they are equal. The Lemma tells us that they should thus be equal, which does not seem to be the case.

This is due to the fact that $\rho^A_1$, as defined in the question, is the density matrix from the oracle's point of view. This explains why, to get the probability to measure a given state, we have to consider all possible cases from the adversary's point of view. So now the question is: what is the density matrix associated to the adversary in the first case? By the computations of the probabilities, we know that this matrix has to be $\rho^A_2$. The more interesting question now is: could have we written this from the beginning?

The most intuitive way I have found is:

1. Compute $\rho^A$ from the adversary's point of view, that is where $h$ is known, which we will denote $\left.\rho^A\middle|h\right.$
2. Introduce the adversary uncertainty by summing over all possible $\left.\rho^A\middle|h\right.$, which will give: $$\rho^A = \sum_h\mathbb{P}[h]\,\left.\rho^A\middle|h\right.$$

The insight behind this is the following. We want to use the Lemma to show that these two matrices are equal. Note that though the lemma statement uses density matrices, the proof actually works with general matrices, so we don't have to show that $\sum_h\mathbb{P}[h]\,\left.\rho^A\middle|h\right.$ is a density matrix in the first place.

Thus, we want to show that, for any unitary $\mathbf{U}$, the probability of measuring the basis state $|x\rangle$ after having applied $\mathbf{U}$ is given by: $$\mathrm{tr}\left(|x\rangle\langle x|\mathbf{U}\sum_h\mathbb{P}[h]\left.\rho^A\middle|h\right.\mathbf{U}^\dagger\right)$$ Now, the linearity of the trace gives: $$\mathrm{tr}\left(|x\rangle\langle x|\mathbf{U}\sum_h\mathbb{P}[h]\left.\rho^A\middle|h\right.\mathbf{U}^\dagger\right)=\sum_h\mathbb{P}[h]\mathrm{tr}\left(|x\rangle\langle x|\mathbf{U}\left.\rho^A\middle|h\right.\mathbf{U}^\dagger\right)\,.$$ By definition of $\left.\rho^A\middle|h\right.$, $\mathrm{tr}\left(|x\rangle\langle x|\mathbf{U}\left.\rho^A\middle|h\right.\mathbf{U}^\dagger\right)$ is the probability of the adversary measuring $|x\rangle$ given h. hence, this does give the probability of measuring $|x\rangle$, which concludes the proof.

In this case, we would thus have: $$\rho^A = \frac{1}{2^{n2^m}}\sum_h\sum_{i,j,k,l}\rho_{i,j,k,l}\,|i,j\oplus h_i\rangle\langle k,l\oplus h_k|$$ which can be rewritten as: $$\rho^A = \frac{1}{2^{n2^m}}\sum_{i,j,k,l}\sum_{h_i,h_k}\rho_{i,j,k,l}\,|i,j\oplus h_i\rangle\langle k,l\oplus h_k|\sum_{\substack{h_j\\j\notin\{i, k\}}}1$$ which finally gives the expected result: $$\rho^A = \sum_{i,j,k,l}\sum_{h_i, h_k}\rho_{i,j,k,l}\,|i,j\oplus h_i\rangle\langle k,l\oplus h_k|\,.$$

Answer to 2.

The Lemma by itself answers question 2 : you can't have two different density matrices whose probabilities of measuring basis states after having applied any unitary $\mathbf{U}$ are the same.

Answering to 3.

I still don't the the answer to this one unfortunately. I understand neither why using a superposition gives a purification nor why this argument allows us to argue that both cases are equivalent, so I'm looking forward to hearing some insights about it.