Papers
Topics
Authors
Recent
Search
2000 character limit reached

Parallel-Query Pseudorandom Unitaries

Updated 7 July 2026
  • Parallel-query pseudorandom unitaries are ensembles of efficiently implementable unitaries that mimic Haar-random behavior under batched quantum oracle queries.
  • They combine random Clifford gates, pseudorandom binary phase and permutation operators to achieve strong security even against adaptive adversaries.
  • These constructions bridge unitary designs, quantum query complexity, and quantum cryptography, enabling practical simulations of Haar queries in quantum protocols.

Parallel-query pseudorandom unitaries are ensembles of efficiently implementable unitaries that are intended to be indistinguishable from Haar-random unitaries to quantum distinguishers with oracle access, in regimes where access may be batched, entangled, and non-adaptive, or more generally where arbitrary polynomial-time oracle access is allowed. In the non-adaptive formulation, the distinguisher prepares an arbitrary joint input state and applies a single parallel call UtU^{\otimes t}; in the full oracle formulation, it may interleave polynomially many calls to UU with arbitrary quantum computation, and in the strong formulation it may also query UU^\dagger. The subject therefore sits at the intersection of unitary designs, quantum query complexity, and quantum cryptography, with the main conceptual divide being between parallel-only security and full adaptive security (Metger et al., 2024, Ma et al., 2024).

1. Oracle models and definitions

The standard oracle model for pseudorandom unitaries fixes an nn-qubit oracle unitary O\mathcal{O} acting on a query register A\mathsf{A}, together with an ancilla or workspace register B\mathsf{B} of m=poly(n)m=\mathrm{poly}(n) qubits. A forward-only tt-query adversary is parameterized by inter-query unitaries A1,,AtA_1,\dots,A_t on UU0, and its final state is

UU1

In the strong setting, the adversary may alternate between forward and inverse queries. Writing UU2, with UU3 denoting UU4 and UU5 denoting UU6, the final state is

UU7

A family UU8, with UU9, is a pseudorandom unitary family if it is efficiently computable and if no polynomial-time oracle adversary can distinguish UU^\dagger0 from Haar-random with more than negligible advantage; a strong PRU is secure even when the adversary can query both UU^\dagger1 and UU^\dagger2 (Ma et al., 2024).

The non-adaptive, or parallel-query, formulation specializes this oracle model to a single batch query. The distinguisher prepares an arbitrary state UU^\dagger3, applies UU^\dagger4 once on registers UU^\dagger5, and then performs an arbitrary measurement. Security is equivalently phrased as computational indistinguishability of

UU^\dagger6

In this sense, “parallel-query PRU” originally meant indistinguishability under one use of UU^\dagger7, whereas later work uses the full oracle model and thereby strictly contains the parallel setting as a special case (Metger et al., 2024).

A recurring source of confusion is that the full oracle model already includes substantial parallelism. A single oracle call acts on the entire query register, so it automatically supports superpositions over all UU^\dagger8 basis inputs. What the formalism counts is the number of oracle uses UU^\dagger9, not a notion of rounds. This means that adaptivity, superposition queries, and arbitrary entanglement are unconstrained; only total oracle-gate complexity is polynomially bounded (Ma et al., 2024).

2. Non-adaptive and parallel-query constructions

The first explicit non-adaptive construction uses the composition

nn0

where nn1 is a random Clifford unitary, nn2 is a pseudorandom binary phase operator

nn3

and nn4 is a pseudorandom permutation operator

nn5

Assuming quantum-secure one-way functions, and hence quantum-secure PRFs and PRPs, this ensemble is secure against non-adaptive distinguishers, meaning that no efficient quantum query algorithm allowed a single application of nn6 can distinguish it from Haar randomness (Metger et al., 2024).

A closely related line of work introduced the nn7 ensemble,

nn8

with nn9 a random computational-basis permutation, O\mathcal{O}0 a random binary phase operator, and O\mathcal{O}1 a random Clifford unitary. The key information-theoretic statement is that the O\mathcal{O}2 ensemble is a diamond O\mathcal{O}3-approximate O\mathcal{O}4-design with

O\mathcal{O}5

Because this error is negligible for polynomial O\mathcal{O}6, replacing the truly random classical pieces by pseudorandom function and permutation families yields non-adaptive PRUs. The same framework also gives adaptive pseudorandom isometries once the unitary model is relaxed to isometries from O\mathcal{O}7 to O\mathcal{O}8 qubits (Metger et al., 2024).

A second construction lifts random permutations on O\mathcal{O}9 to random unitaries on A\mathsf{A}0, A\mathsf{A}1, by forming products of exponentials of sparse Hermitian matrices built from phased permutations. The resulting ensemble is shown to approximate Haar moments up to A\mathsf{A}2, and substituting A\mathsf{A}3-wise independent permutations gives efficient A\mathsf{A}4-designs, while substituting quantum-secure PRPs gives a parallel-secure PRU. In that framework, the operational distinguishability of an ensemble A\mathsf{A}5 under A\mathsf{A}6 parallel queries is captured by the diamond norm between the twirling channels

A\mathsf{A}7

and the Haar twirl A\mathsf{A}8 (Chen et al., 2024).

These works established a precise parallel-query notion but also exposed its limitation. The non-adaptive model captures a single global batch A\mathsf{A}9, whereas adaptive distinguishers may interleave arbitrary channels between oracle calls. The early papers therefore left open whether the same simple B\mathsf{B}0-type constructions remain secure against fully adaptive distinguishers, and that gap became the main structural question for PRUs (Metger et al., 2024, Metger et al., 2024).

3. Full existence theorems for standard and strong PRUs

The general existence question was resolved by proving that pseudorandom unitaries exist assuming any quantum-secure one-way function exists. Two variants were established. For standard PRUs, secure against forward-only oracle adversaries, the construction is

B\mathsf{B}1

where B\mathsf{B}2 is a random permutation of B\mathsf{B}3, B\mathsf{B}4 is a random Boolean function on B\mathsf{B}5, B\mathsf{B}6, B\mathsf{B}7, and B\mathsf{B}8 is drawn from an exact unitary 2-design such as the random Clifford group. For every B\mathsf{B}9-query adversary,

m=poly(n)m=\mathrm{poly}(n)0

Replacing the truly random permutation, function, and 2-design pieces by pseudorandom counterparts under quantum-secure one-way functions yields a computational PRU (Ma et al., 2024).

For strong PRUs, secure against adversaries that can query both m=poly(n)m=\mathrm{poly}(n)1 and m=poly(n)m=\mathrm{poly}(n)2, the construction becomes

m=poly(n)m=\mathrm{poly}(n)3

where m=poly(n)m=\mathrm{poly}(n)4 is now ternary, m=poly(n)m=\mathrm{poly}(n)5 with m=poly(n)m=\mathrm{poly}(n)6, and both m=poly(n)m=\mathrm{poly}(n)7 and m=poly(n)m=\mathrm{poly}(n)8 come from a unitary 2-design. The statistical bound for every m=poly(n)m=\mathrm{poly}(n)9-query forward-and-inverse adversary is

tt0

This gives strong computational PRUs under the same quantum-secure one-way-function assumption (Ma et al., 2024).

These theorems are stronger than the earlier parallel-only results in two ways. First, the security definition is not restricted to a single batch call tt1, but quantifies over arbitrary polynomial-time oracle circuits. Second, the strong notion explicitly allows inverse access. A non-adaptive parallel distinguisher is therefore just one special case of the general theorem. This suggests that the conceptual distinction is not “parallel versus non-parallel” in isolation, but rather “single-batch non-adaptive access versus unrestricted oracle access” (Ma et al., 2024).

4. Path-recording simulation of Haar queries

The conceptual core of the adaptive theory is the path-recording oracle. In the forward-only case, for an tt2-qubit Haar-random unitary tt3, one defines an efficiently implementable linear map tt4 acting on the query register together with a relation register tt5 that stores pairs tt6. In simplified form,

tt7

It maps an input tt8 to a uniform superposition over currently unused outputs tt9, while recording the pair in A1,,AtA_1,\dots,A_t0. For every A1,,AtA_1,\dots,A_t1-query algorithm,

A1,,AtA_1,\dots,A_t2

Thus any algorithm making up to A1,,AtA_1,\dots,A_t3 queries to a Haar-random unitary can be simulated by an explicit efficient quantum circuit up to trace distance A1,,AtA_1,\dots,A_t4 (Ma et al., 2024).

When inverse queries are allowed, the bookkeeping is richer. The strong-security analysis introduces forward and inverse relation registers, partial path-recording isometries, and a symmetrized fully defined oracle A1,,AtA_1,\dots,A_t5 that reproduces the purified dynamics of the ternary permutation-function construction. The corresponding simulation theorem states that for any A1,,AtA_1,\dots,A_t6-query forward-and-inverse algorithm,

A1,,AtA_1,\dots,A_t7

The paper’s abstract summarizes the upshot more broadly: any algorithm that makes queries to a Haar-random unitary can be efficiently simulated on a quantum computer, up to inverse-exponential trace distance (Ma et al., 2024).

The importance for parallel-query security is that these simulation bounds depend only on A1,,AtA_1,\dots,A_t8 and A1,,AtA_1,\dots,A_t9, not on the temporal organization of queries. The proofs reason about the full joint adversary state after UU00 oracle uses, together with projectors onto “distinct” subspaces and variable-length relation registers encoding full coherent histories. This removes any need for a sequential Markovian interpretation of the oracle interaction (Ma et al., 2024).

5. How parallel access fits into the modern theory

In the single-oracle setting, the standard quantum oracle model already subsumes parallel-query strategies. A single call UU01 acts on the full UU02-dimensional query register and therefore supports superpositions over all classical inputs. A non-adaptive batch adversary that applies UU03 once is just a special case of a more general oracle algorithm, and the full PRU and strong-PRU definitions strictly contain such models (Ma et al., 2024).

Earlier non-adaptive papers made this distinction explicit. In the non-adaptive model, the relevant object is one global twirl channel on UU04 copies, and the proof strategy reduces everything to the comparison of

UU05

That analysis is sufficient for batch security but does not automatically address arbitrary adaptive compositions

UU06

which explains why adaptive security remained open in the unitary case even after non-adaptive PRUs had been constructed (Metger et al., 2024).

A second misconception concerns “many independent parallel oracle instances.” The single-oracle theory does not explicitly formalize a multi-instance model in which the adversary receives independent oracles UU07 and can query them all in parallel. The full adaptive PRU proofs are stated for repeated uses of one oracle instance. The paper notes that if one wants UU08 independent parallel queries to an UU09-qubit unitary, that corresponds to a different oracle model, and it is not explicitly treated. A plausible implication is that many applications can still be reduced to a larger single-instance Hilbert space, but this extension is not part of the formal theorem (Ma et al., 2024).

The gluing perspective reinforces the same point. Low-depth constructions built from overlapping local Haar blocks are analyzed through the adversary’s joint state and overall query count rather than any syntactic notion of rounds, which is why the resulting indistinguishability statements are naturally compatible with wide, low-depth, highly parallel oracle use (Ma et al., 2024, Metger et al., 2024).

6. Stronger oracle models, idealized variants, and later extensions

The inverseless Haar random oracle model provides an idealized benchmark for parallel-query pseudorandomness. In that model, all parties share access to a common Haar-random unitary UU10, but not to UU11. It was shown that unbounded-query secure PRUs exist with a construction that makes two calls to the Haar oracle, while any construction making only a single call to the Haar oracle cannot achieve unbounded-query security. The single-call regime nevertheless admits bounded-query secure PRUs, with a threshold around UU12 queries in the parallel or non-adaptive setting (Ananth et al., 2024).

A distinct idealized model, the invertible quantum Haar random oracle model, gives all parties access to a common Haar-random unitary and its inverse. In that setting, classically-accessible adaptive secure pseudorandom function-like state generators were constructed, but simple keyed-unitary templates such as

UU13

were shown not to be quantum-accessible PRFSGs and in particular not to be PRUs. The attack uses a Simon-type quantum procedure and exploits coherent access to both the public Haar unitary and the keyed construction. This demonstrates that not every apparently natural “mask a Haar unitary by simple conjugation” template survives quantum parallel access (Hhan et al., 2024).

The strongest post-2024 extension enlarges the oracle model beyond UU14 and UU15 to include UU16 and UU17. This work introduces strong unitary designs and strong PRUs that remain robust under all such queries, including parallel and adaptive access patterns, and proves constructions of depth UU18 for strong designs and UU19 for ancilla-free strong PRUs. Its motivation is that butterfly-effect experiments, Hayden–Preskill decoding, and related scrambling diagnostics use precisely these richer oracle interfaces, which conventional designs and strong PRUs do not cover (Schuster et al., 30 Sep 2025).

Taken together, these results give a layered picture of parallel-query pseudorandomness. Non-adaptive PRUs address one batch UU20; standard and strong PRUs address arbitrary polynomial-time oracle use of UU21 and possibly UU22; and later strong-design notions extend further to UU23 and UU24. This suggests that “parallel-query pseudorandom unitary” is best understood not as one single definition, but as a family of oracle indistinguishability notions ordered by the richness of the allowed query interface and the extent of adaptivity they permit.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Parallel-Query Pseudorandom Unitaries.