Papers
Topics
Authors
Recent
Search
2000 character limit reached

Chain-of-PRs: Quantum PRS Expansion

Updated 4 March 2026
  • Chain-of-PRs is a method for expanding a k-bit key into a large quantum pseudo-random state via iterative, unitary expansion gadgets.
  • It sequentially applies expansion circuits with Hadamard layers to output k+f(k) pseudo-random qubits while preserving negligible distinguishing advantage.
  • The approach mirrors classical PRG expansion and achieves polynomial circuit complexity, ensuring practical security for quantum cryptographic applications.

A chain-of-PRs (chain of pseudo-random quantum states) is a black-box construction that enables the expansion of quantum pseudo-randomness by sequentially composing expansion gadgets, allowing the production of k+f(k)k + f(k) pseudo-random qubits from a single kk-bit key for any polynomial f(k)f(k). This concept generalizes and adapts the classical cryptographic paradigm of iterative pseudo-random generator (PRG) expansion to the setting of quantum pseudo-random state (PRS) generation. The chain-of-PRs technique provides a rigorous method to extend quantum pseudo-random states to arbitrarily large output sizes while preserving essential cryptographic indistinguishability properties and maintaining polynomial resource requirements (Levy et al., 2024).

1. Formal Definition of PRS and Security

Let λ\lambda denote the security parameter. A (keyed) family {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)} is a λ\lambda-secure, nn-qubit PRS generator if:

  • (Efficient generation) There exists a QPT (quantum polynomial-time) unitary GG such that Gk0n=kφkG|k\rangle|0^n\rangle = |k\rangle|\varphi_k\rangle.
  • (Indistinguishability) For every QPT distinguisher AA and all kk0, the advantage

kk1

is negligible in kk2. Thus, no efficient quantum adversary can distinguish the keyed state from Haar-random on up to polynomially many copies.

2. Black-Box Expansion: One-Step PRS Expansion Circuit

Theorem 2.1 of [Levy & Vidick, (Levy et al., 2024)] provides a universal black-box construction for PRS expansion. Given a PRS unitary kk3 on kk4 qubits:

  1. Fix kk5 such that kk6.
  2. To generate an kk7-qubit PRS on input kk8:
    • Apply kk9 on the first f(k)f(k)0 qubits.
    • Apply f(k)f(k)1 on the last f(k)f(k)2 qubits (shifted by f(k)f(k)3).
    • Apply f(k)f(k)4 (Hadamard on all f(k)f(k)5 qubits).

The output f(k)f(k)6 is an f(k)f(k)7-qubit PRS with the same f(k)f(k)8-bit key, with indistinguishability preserved up to negligible error for polynomial numbers of oracle calls.

3. Iterative Construction: Achieving f(k)f(k)9 Expansion

To reach an output state on λ\lambda0 qubits from an initial λ\lambda1-qubit PRS, this circuit is iterated λ\lambda2 times with geometrically growing register sizes:

  • Each round λ\lambda3 expands by λ\lambda4 with λ\lambda5, typically λ\lambda6.
  • The number of steps is λ\lambda7, i.e., λ\lambda8 if λ\lambda9 is polynomial.
  • The composite expansion unitary is {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}0, outputting {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}1 on {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}2 qubits.

The parameter bookkeeping ensures that {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}3 in each expansion, so Theorem 2.1 remains applicable throughout the process.

4. Security Preservation Under Chaining

The expansion circuit is state-oblivious and requires no key-refresh or key-length extension per expansion. Security is shown as follows:

  • Each expansion step increases the distinguishing advantage by at most a negligible {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}4.
  • An end-to-end hybrid argument introduces a sequence of intermediate states {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}5, replacing the first {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}6 expansions with ideal Haar randomness:

{φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}7

  • Since {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}8 and {φkS((C2)n(λ))}k{0,1}k(λ)\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}9 is negligible, the overall distinguishing advantage remains negligible in λ\lambda0.

This establishes that the chain-of-PRs construction yields a quantum pseudo-random state over λ\lambda1 qubits, indistinguishable from Haar by any QPT for polynomially many copies.

5. Circuit-Complexity and Parameter Relationships

Let λ\lambda2 and λ\lambda3 denote the circuit size and depth of the base λ\lambda4 on λ\lambda5 qubits (typically, λ\lambda6 and λ\lambda7). For each expansion:

  • Each λ\lambda8 step: two calls to λ\lambda9 and a Hadamard layer.
  • After nn0 steps:
    • Total size: nn1.
    • Total depth: nn2.

With nn3, the chain construction is resource-efficient and remains in quantum polynomial time.

Summary Table: Chain-of-PRs Expansion Parameters

Parameter Symbol Value/Constraint
Key length nn4 security parameter nn5
Initial output size nn6 nn7
Expansion per round nn8 nn9
Total rounds GG0 GG1
Final output size GG2 GG3

6. Classical Analogy, Concrete Examples, and Key Distinctions

The iterative chain construction mirrors the classical method for expanding PRGs by one bit at a time, then chaining to achieve any polynomial output length. Key differences in the quantum setting:

  • Security relies on quantum state-indistinguishability, not output bit-string pseudorandomness.
  • Expansion gadgets must be unitary (no measurement); security arguments use the contractivity of trace distance under CPTP maps.
  • For soundness, each expansion requires that GG4: insufficient leftover qubits can be trivially distinguished, unlike constant-entropy leftovers in classical PRGs.

Numerical examples:

  • With GG5, GG6, GG7, GG8, the output reaches GG9 qubits, security at most Gk0n=kφkG|k\rangle|0^n\rangle = |k\rangle|\varphi_k\rangle0.
  • For Gk0n=kφkG|k\rangle|0^n\rangle = |k\rangle|\varphi_k\rangle1, Gk0n=kφkG|k\rangle|0^n\rangle = |k\rangle|\varphi_k\rangle2, final output Gk0n=kφkG|k\rangle|0^n\rangle = |k\rangle|\varphi_k\rangle3 qubits after Gk0n=kφkG|k\rangle|0^n\rangle = |k\rangle|\varphi_k\rangle4 steps.

7. Open Questions and Implications

The chain-of-PRs construction addresses a longstanding challenge: achieving arbitrary polynomial expansion of pseudo-random quantum states without key length growth, in analogy with classical black-box PRG expansion. It remains an open question to characterize the full class of PRS that are chain-expandable by this method and to optimize the base PRS generator's circuit complexity for practical implementations. The approach demonstrates that, while classical and quantum pseudo-randomness exhibit structural similarities, expanded quantum pseudo-randomness imposes stricter requirements on circuit design and entropy left per round (Levy et al., 2024).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)
1.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Chain-of-PRs.