
Pseudorandomness in the (Inverseless) Haar Random Oracle Model

Prabhanjan Ananth, John Bostanci, Aditya Gulati, Yao-Ting Lin

TL;DR

When the Haar random unitary is instantiated suitably, the results present viable approaches for building quantum pseudorandom objects without relying upon one-way functions and for the first time, it is shown that the key length in pseudorandom unitaries can be generically shrunk.

Abstract

We study the (in)feasibility of quantum pseudorandom notions in a quantum analog of the random oracle model, where all the parties, including the adversary, have oracle access to the same Haar random unitary. In this model, we show the following:

  • (Unbounded-query secure) pseudorandom unitaries (PRU) exist. Moreover, the PRU construction makes two calls to the Haar oracle.
  • We consider constructions of PRUs making a single call to the Haar oracle. In this setting, we show that unbounded-query security is impossible to achieve. We complement this result by showing that bounded-query secure PRUs do exist with a single query to the Haar oracle.
  • We show that multi-copy pseudorandom state generators and function-like state generators (with classical query access), making a single call to the Haar oracle, exist.

Our results have two consequences: (a) when the Haar random unitary is instantiated suitably, our results present viable approaches for building quantum pseudorandom objects without relying upon one-way functions and, (b) for the first time, we show that the key length in pseudorandom unitaries can be generically shrunk (relative to the output length). Our results are also some of the first use cases of the new "path recording" formalism for Haar random unitaries, introduced in the recent breakthrough work of Ma and Huang.

Paper Structure

This paper contains 56 sections, 41 theorems, 178 equations, 4 figures, 1 table.

Key Result

Theorem 1

PRUs exist in the inverseless quantum Haar random oracle model.

Figures (4)

  • Figure 1: A summary of our results; time goes up in all diagrams. (a) We show that the simple $U X U$ is indistinguishable from an independently sampled Haar random unitary for adversaries who have query access to $U$. (b) We also show that, up to ${\lambda} / \log({\lambda})$ queries, the even simpler unitary $Z U$ is indistinguishable from a Haar random unitary to adversaries that have query access to $U$. (c) We also show that there is no construction of $O({\lambda})$-secure pseudorandom unitaries that only make a single parallel query to the common Haar random unitary, if the adversary is given polynomial-space computation. (d) Finally, we show that simply calling the Haar random unitary on a uniformly random classical basis state is indistinguishable from a Haar random state to adversaries that get polynomially many queries to $U$, yielding both PRSGs and PRFSs.
  • Figure 2: Implementation of a key-stretched PRU from any PRU. Going from left to right, the first approximation uses the definition of the PRU, the next one uses \ref{thm:intro:prus:iqhrom}, and the final one uses the result from [schuster2024random].
  • Figure 3: Implementation of low depth, short key pseudorandom unitaries from any pseudorandom unitary family. Long blue boxes are a single sample of the original pseudorandom unitary family, and short colored boxes are additional $\omega(\log({\lambda}))$ sized Pauli $X$ strings.
  • Figure 4: Modeling classical queries to $\mathcal{O}$.

Theorems & Definitions (98)

  • Theorem 1: Informal
  • Theorem 2: Informal
  • Theorem 3: Informal
  • Theorem 4: Informal
  • Theorem 5: Informal
  • Theorem 6: Informal
  • Theorem 7: Informal
  • Definition 8: Pseudorandom states
  • Definition 9: Pseudorandom function-like states
  • Definition 10: Pseudorandom unitaries
  • ...and 88 more