Inverse-query security of a modified PRU (C′PFC)

Establish inverse-query security for the modified pseudorandom unitary ensemble C′PFC, in which an additional independent random Clifford C′ is appended to the original PFC construction, by proving that the ensemble remains computationally indistinguishable from Haar-random unitaries even when the distinguisher has oracle access to both U and U^†.

Background

The authors point out that their original PFC-based construction is distinguishable from Haar-random unitaries when inverse queries are allowed, because of its stabilizer-state behavior on |0⟩. They suggest that appending a second independent Clifford C′ may remedy this, but they do not have an analysis.

This raises a concrete open question: whether the modified ensemble achieves inverse-query security, a stronger adversarial model in which the distinguisher may query both the unitary and its inverse.
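The inverse-query distinguisher referred to above, worked out as an added derivation that is not part of this page or of the paper; it assumes the standard PFC form, with P a diagonal unitary of random phases, F a diagonal unitary of random ±1 signs, and C a random Clifford, so that U = PFC.

$$
U^\dagger \lvert 0^n \rangle
 = C^\dagger F^\dagger P^\dagger \lvert 0^n \rangle
 = C^\dagger F^\dagger \, e^{-i\theta_0} \lvert 0^n \rangle
 = e^{-i\theta_0} (-1)^{f(0)} \, C^\dagger \lvert 0^n \rangle ,
$$

because P^† and F^† are diagonal and therefore act on the computational basis state |0^n⟩ only by a global phase. The state C^†|0^n⟩ is a stabilizer state, whereas V^†|0^n⟩ for Haar-random V is, with overwhelming probability, far from every stabilizer state, which is what the distinguisher exploits. With the extra Clifford the inverse becomes

$$
(C' P F C)^\dagger \lvert 0^n \rangle
 = C^\dagger F^\dagger P^\dagger \, \bigl( C'^\dagger \lvert 0^n \rangle \bigr) ,
$$

and C′^†|0^n⟩ is a random stabilizer state that is in general a superposition over many computational basis states, so P^† and F^† now apply random relative phases across its support instead of a single global phase; this is the reason the modified ensemble is plausibly secure, but it is also exactly the step for which no proof is known.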

References

However, if one simply adds another independent Clifford at the end (i.e., considers C′PFC), the construction is plausibly secure against inverse queries, but we do not know how to analyse this.

Simple constructions of linear-depth t-designs and pseudorandom unitaries (2404.12647 - Metger et al., 19 Apr 2024) in Section 7 (Discussion and future directions)