Chain-of-PRs: Quantum PRS Expansion

• Chain-of-PRs is a method for expanding a k-bit key into a large quantum pseudo-random state via iterative, unitary expansion gadgets.
• It sequentially applies expansion circuits with Hadamard layers to output k+f(k) pseudo-random qubits while preserving negligible distinguishing advantage.
• The approach mirrors classical PRG expansion and achieves polynomial circuit complexity, ensuring practical security for quantum cryptographic applications.

A chain-of-PRs (chain of pseudo-random quantum states) is a black-box construction that enables the expansion of quantum pseudo-randomness by sequentially composing expansion gadgets, allowing the production of $k + f(k)$ pseudo-random qubits from a single $k$-bit key for any polynomial $f(k)$. This concept generalizes and adapts the classical cryptographic paradigm of iterative pseudo-random generator (PRG) expansion to the setting of quantum pseudo-random state (PRS) generation. The chain-of-PRs technique provides a rigorous method to extend quantum pseudo-random states to arbitrarily large output sizes while preserving essential cryptographic indistinguishability properties and maintaining polynomial resource requirements (Levy et al., 2024).

1. Formal Definition of PRS and Security

Let $\lambda$ denote the security parameter. A (keyed) family $$\{\,|\varphi_k\rangle \in S((\mathbb{C}^2)^{\otimes n(\lambda)})\,\}_{k\in\{0,1\}^k(\lambda)}$$ is a $\lambda$-secure, $n$-qubit PRS generator if:

• (Efficient generation) There exists a QPT (quantum polynomial-time) unitary $G$ such that $G|k\rangle|0^n\rangle = |k\rangle|\varphi_k\rangle$.
• (Indistinguishability) For every QPT distinguisher $A$ and all $t \leq \operatorname{poly}(\lambda)$, the advantage

$$\operatorname{Adv}_{A}^{\mathrm{PRS}}(\lambda) = \left| \Pr_{k\leftarrow\{0,1\}^k}[A(|\varphi_k\rangle^{\otimes t})=1] - \mathbb{E}_{|\psi\rangle\leftarrow\mathrm{Haar}}[A(|\psi\rangle^{\otimes t})=1] \right|$$

is negligible in $\lambda$. Thus, no efficient quantum adversary can distinguish the keyed state from Haar-random on up to polynomially many copies.

2. Black-Box Expansion: One-Step PRS Expansion Circuit

Theorem 2.1 of [Levy & Vidick, (Levy et al., 2024)] provides a universal black-box construction for PRS expansion. Given a PRS unitary $\mathrm{PRS}_k$ on $n$ qubits:

1. Fix $i = i(n)$ such that $n - i = \omega(\log \lambda)$.
2. To generate an $(n+i)$-qubit PRS on input $|0^{n+i}\rangle$:
   • Apply $\mathrm{PRS}_k$ on the first $n$ qubits.
   • Apply $\mathrm{PRS}_k$ on the last $n$ qubits (shifted by $i$).
   • Apply $H^{\otimes (n+i)}$ (Hadamard on all $(n+i)$ qubits).

The output $\{|\psi_k\rangle\}_k$ is an $(n+i)$-qubit PRS with the same $k$-bit key, with indistinguishability preserved up to negligible error for polynomial numbers of oracle calls.

3. Iterative Construction: Achieving $k + f(k)$ Expansion

To reach an output state on $n_0+f(k)$ qubits from an initial $n_0$-qubit PRS, this circuit is iterated $t$ times with geometrically growing register sizes:

• Each round $j$ expands by $i_j \approx e \cdot n_{j-1}$ with $e \in (0,1)$, typically $e = 1/2$.
• The number of steps is $t \ge \log_{3/2}(1 + f(k)/n_0)$, i.e., $O(\log f(k)) = O(\log k)$ if $f$ is polynomial.
• The composite expansion unitary is $$C_k^{(t)} := \mathrm{Exp}_{i_t} \circ \cdots \circ \mathrm{Exp}_{i_1} \circ \mathrm{PRS}_k$$, outputting $|0^{n_0}\rangle \mapsto |\psi_k^{(t)}\rangle$ on $n_0+f(k)$ qubits.

The parameter bookkeeping ensures that $n_{j-1} - i_j = \omega(\log \lambda)$ in each expansion, so Theorem 2.1 remains applicable throughout the process.

4. Security Preservation Under Chaining

The expansion circuit is state-oblivious and requires no key-refresh or key-length extension per expansion. Security is shown as follows:

• Each expansion step increases the distinguishing advantage by at most a negligible $\varepsilon(\lambda)$.
• An end-to-end hybrid argument introduces a sequence of intermediate states $H_j$, replacing the first $j$ expansions with ideal Haar randomness:

$$\operatorname{TD}(\rho_0, \sigma) \leq \sum_{j=1}^t \operatorname{TD}(H_{j-1}, H_j) \leq t \cdot \varepsilon(\lambda)$$

• Since $t = O(\log k)$ and $\varepsilon$ is negligible, the overall distinguishing advantage remains negligible in $\lambda$.

This establishes that the chain-of-PRs construction yields a quantum pseudo-random state over $n_0+f(k)$ qubits, indistinguishable from Haar by any QPT for polynomially many copies.

5. Circuit-Complexity and Parameter Relationships

Let $S(n)$ and $D(n)$ denote the circuit size and depth of the base $\mathrm{PRS}_k$ on $n$ qubits (typically, $S(n) = \operatorname{poly}(n, |\mathrm{PRF}|)$ and $D(n) = O(n^2 + \operatorname{depth}(\mathrm{PRF}))$). For each expansion:

• Each $\mathrm{Exp}_i$ step: two calls to $\mathrm{PRS}_k$ and a Hadamard layer.
• After $t$ steps:
  • Total size: $$\lesssim \sum_{j=0}^{t-1} S(n_j) = \operatorname{poly}(n_t)$$.
  • Total depth: $$\lesssim \sum_{j=0}^{t-1} D(n_j) = \operatorname{poly}(n_t)$$.

With $n_t = n_0(3/2)^t = \operatorname{poly}(k, f(k))$, the chain construction is resource-efficient and remains in quantum polynomial time.

Summary Table: Chain-of-PRs Expansion Parameters

Parameter	Symbol	Value/Constraint
Key length	$k$	security parameter $\lambda$
Initial output size	$n_0$	$\operatorname{poly}(k)$
Expansion per round	$i_j$	$\approx e n_{j-1},~e = 1/2$
Total rounds	$t$	$O(\log f(k))$
Final output size	$n_t$	$n_0 + f(k)$

6. Classical Analogy, Concrete Examples, and Key Distinctions

The iterative chain construction mirrors the classical method for expanding PRGs by one bit at a time, then chaining to achieve any polynomial output length. Key differences in the quantum setting:

• Security relies on quantum state-indistinguishability, not output bit-string pseudorandomness.
• Expansion gadgets must be unitary (no measurement); security arguments use the contractivity of trace distance under CPTP maps.
• For soundness, each expansion requires that $n_{j-1} - i_j = \omega(\log \lambda)$: insufficient leftover qubits can be trivially distinguished, unlike constant-entropy leftovers in classical PRGs.

Numerical examples:

• With $k=128$, $n_0=512$, $i_1=256$, $i_2=384$, the output reaches $n_2=1152$ qubits, security at most $2\cdot\operatorname{negl}(128)$.
• For $f(k) = k^3$, $n_0 = k^2 \gg \log k$, final output $k^2 + k^3$ qubits after $O(\log k)$ steps.

7. Open Questions and Implications

The chain-of-PRs construction addresses a longstanding challenge: achieving arbitrary polynomial expansion of pseudo-random quantum states without key length growth, in analogy with classical black-box PRG expansion. It remains an open question to characterize the full class of PRS that are chain-expandable by this method and to optimize the base PRS generator's circuit complexity for practical implementations. The approach demonstrates that, while classical and quantum pseudo-randomness exhibit structural similarities, expanded quantum pseudo-randomness imposes stricter requirements on circuit design and entropy left per round (Levy et al., 2024).