Pseudorandom Function-like State Generators

• PRSFGs are quantum analogues of pseudorandom functions that generate quantum states from classical keys and inputs, achieving indistinguishability from Haar-random states.
• They are constructed using quantum-secure one-way functions and idealized models, employing techniques like Haar twirl and hybrid arguments to maintain robust security.
• PRSFGs underpin various quantum cryptographic applications while highlighting separations from classical pseudorandomness and posing open challenges in adaptability and scalability.

A pseudorandom function-like state generator (PRSFG) is a mathematical object that generalizes the classical notion of a pseudorandom function (PRF) to the quantum domain by producing quantum states indexed by a classical key and input. Formally, a PRSFG is a family of efficiently computable quantum states $\{|\psi_{k,x}\rangle\}$—where $k$ is a secret key and $x$ is a classical input—such that for any efficient quantum adversary, the collection $$\{|\psi_{k,x_1}\rangle, ..., |\psi_{k,x_s}\rangle\}$$ (for any polynomial $s$ and distinct polynomially chosen $x_i$) is computationally indistinguishable from $s$ independent Haar-random states. The PRSFG paradigm has become foundational in the paper of quantum pseudorandomness, as well as a minimal building block for quantum cryptography distinct from both pseudorandom state generators (PRSGs) and pseudorandom unitaries (PRUs).

1. Formal Definitions and Variants

The core definition of a PRSFG, following (Ananth et al., 2022), specifies a quantum polynomial-time (QPT) algorithm $G$ that, on input key $k$ and input $x$, outputs a state $|\psi_{k,x}\rangle$. The key pseudorandomness property is: for all polynomial $s(\lambda)$ and $t(\lambda)$, and any QPT adversary $A$,

$$\big| \Pr_k \big[A(x_1, \dots, x_s, G(k,x_1)^{\otimes t}, \dots, G(k,x_s)^{\otimes t}) = 1\big] - \Pr_{\theta_1,\dots,\theta_s \sim \text{Haar}} \big[A(x_1, \dots, x_s, |\theta_1\rangle^{\otimes t}, \dots, |\theta_s\rangle^{\otimes t}) = 1\big] \big| \leq \text{negl}(\lambda).$$

Variants include:

• Selective security (non-adaptive): adversary must choose queries in advance.
• Classically-accessible adaptive PRFSGs: adversary can adaptively choose classical queries; security is defined against classical-access distinguishing.
• Quantum-accessible adaptive PRFSGs: adversary can make superposition (quantum) queries; this is a strictly stronger setting. A quantum-accessible adaptive PRFSG is sometimes abbreviated QAPRFS (see (Ananth et al., 2022)).

2. Structural Properties and Relationships

• Comparison with PRFs: PRSFGs are natural quantum analogues of PRFs, but—crucially—do not always imply PRFs or vice versa (see (Gulati et al., 6 Oct 2025, Bouaziz--Ermann et al., 6 Oct 2025)). Whereas classical pseudorandomness notions are existentially equivalent, quantum pseudorandomness displays strict separations.
• Hierarchy of quantum pseudorandom objects:
  • PRUs (pseudorandom unitaries) $\implies$ PRIs (pseudorandom isometries) $\implies$ PRSFGs.
  • The converse directions are ruled out in the black-box setting; there are no black-box constructions of $O(\log\lambda)$-ancilla PRUs (or PRIs with small stretch) from PRSFGs (Gulati et al., 6 Oct 2025).
  • PRSFGs and PRSGs (state generators) are also not interreducible in general: shrinking/expanding PRSG outputs is nontrivial (Bouaziz--Ermann et al., 20 Feb 2024, Levy et al., 5 Nov 2024, Bouaziz--Ermann et al., 6 Oct 2025).

3. Known Constructions, Scalability, and Security

• Assumptions: Explicit PRSFG constructions exist under quantum-secure one-way functions (Q-OWFs) or post-quantum one-way functions (PQ-OWFs) (Ananth et al., 2022, Batra et al., 30 Jul 2025), and can sometimes be constructed in idealized models such as the invertible quantum Haar random oracle (QHRO) (Hhan et al., 5 Nov 2024).
• Scalability: Modern constructions separate the security parameter $\lambda$ from the output size $n$ (Brakerski et al., 2020, Batra et al., 30 Jul 2025). This allows the statistical/computational distinguishing advantage to be made arbitrarily small, independent of the state dimension, an essential property for cryptographic applications where security must be chosen large even for small quantum states.
• Quantum-(in)accessibility: Some constructions achieve only classical-access security (resisting classical queries), while others (based on stronger assumptions) are quantum-accessible/adaptive (Ananth et al., 2022, Batra et al., 30 Jul 2025). It is established that in the invertible QHRO model, classically-accessible adaptive secure PRFSGs can be built—by analogy to Even-Mansour constructions—whereas quantum-accessible variants remain elusive (Hhan et al., 5 Nov 2024).
• Adversarial limits: Oracle separation results (e.g., (Gulati et al., 6 Oct 2025)) show that, even with strong oracle access, one cannot use a PRSFG as a black-box to build a quantum pseudorandom unitary with $O(\log \lambda)$ ancilla and analogous resource stretching as in the classical case.

4. Practical Constructions and Techniques

• Modular construction via PRS/secure PRF composition: The canonical construction for a PRSFG uses a quantum-secure PRF $F$ and a secure PRS generator $g$ as $G(k,x) = g(F(k,x))$ (Ananth et al., 2022). This realizes the desired pseudorandomness provided both $F$ and $g$ meet strong quantum security standards.
• Sampling for scalable PRFs: Advanced constructions use deterministic efficient classical algorithms (notably, rounded Gamma and Beta samplers as building blocks) to provide isometries for amplitude randomization, allowing the resulting PRSFG to be scalable and quantum-accessible (Batra et al., 30 Jul 2025). The error of the finite-precision samplers is rigorously controlled to ensure that the output distribution remains negligibly close to the true Beta or Gamma distribution.
• Idealized models: In the invertible QHRO model, one can instantiate a PRSFG as $|{\phi_{k}(x)}\rangle = X^{k'} U X^{k} |x\rangle$, where $U$ is the public Haar unitary, and $k,k'$ are parts of the secret key (Hhan et al., 5 Nov 2024). The security proof combines Haar twirl approximation, unitary reprogramming, and resampling lemmas showing adversaries making polynomial classical queries cannot distinguish outputs from independently Haar-random states.
• Hybrid and trace distance arguments: Security proofs routinely invoke concentration inequalities for subsystems of Haar-random states and rely on hybrid arguments bounding the trace distance between the actual generator’s outputs and Haar-random states. For example, trace distance bounds of $O(q^2/2^{\kappa})$ for $q$ queries and key length $\kappa$ (Bouaziz--Ermann et al., 6 Oct 2025).

5. Applications in Cryptography

PRSFGs allow for the design of a broad class of cryptographic primitives—sometimes under strictly weaker assumptions than post-quantum (classical) OWFs:

• Secret-key encryption (SKE) and MACs: PRSFGs can be used to instantiate the randomness or tag-generation functions in standard secret-key encryption and message authentication code schemes (Hhan et al., 5 Nov 2024, Morimae et al., 7 May 2024). In particular, IND-CPA secure SKE and EUF-CMA MACs with unclonable tags can be realized.
• Commitments and one-time encryption schemes: Statistically binding, computationally hiding commitments and pseudo one-time encryption schemes have been realized assuming PRSFGs with output of length $\omega(\log \lambda)$ (Ananth et al., 2021, Ananth et al., 2022).
• Digital signatures and tamper-resilient encryption: Variants of the PRSFG with pseudodeterministic evaluation/abort outputs ($\perp$-PRG, $\perp$-PRF) can be leveraged to construct digital signature schemes and public-key encryption with unique or tamper-resilient quantum public keys (Barhoush et al., 2023).
• ZK proofs and multiparty computation: PRSFGs with logarithmic output suffice as building blocks for maliciously secure MPC protocols in various threat models (Ananth et al., 2021).

6. Barriers, Separations, and Open Problems

• Inequivalence to PRUs/PRIs: Black-box separations preclude the construction of pseudorandom unitaries or isometries from PRSFGs with only $O(\log \lambda)$ ancilla without access to additional structure or oracle power (Gulati et al., 6 Oct 2025).
• Length extension and shrinking: In contrast to classical PRGs, it is not generally possible to shrink the output size of a PRSG or PRSFG from polynomial to logarithmic qubits while retaining pseudorandomness; oracle separation exists (Bouaziz--Ermann et al., 20 Feb 2024). Conversely, certain constructions can “glue” or expand PRSGs to produce longer outputs without extra key material, but this technique is not completely general (Levy et al., 5 Nov 2024).
• Conjectural barriers: There are scenarios, contingent on isoperimetric inequality-style conjectures for quantum state spaces, where length extension of PRSFG outputs is impossible in black-box fashion, and QPRGs with negligible correctness error cannot be constructed from short-output PRSFGs unless major complexity-theoretic breakthroughs occur (e.g., separating BQP and QCMA) (Bouaziz--Ermann et al., 6 Oct 2025).
• Resource theory and near-term quantum: For settings where the adversary is restricted to sub-polynomial resources, PRSFGs with lower coherence, entanglement, or “magic” can suffice to fool all feasible observers (Tanggara et al., 24 Apr 2025).

7. Perspectives and Future Directions

Recent work suggests that PRSFGs are inherently weaker than classical PRFs and challenge the expectation of existential equivalence among pseudorandomness primitives in the quantum regime (Gulati et al., 6 Oct 2025, Bouaziz--Ermann et al., 6 Oct 2025). Key directions for research include:

• Developing quantum-accessible PRSFGs secure against quantum queries with minimal assumptions beyond quantum-secure OWFs (Batra et al., 30 Jul 2025, Ananth et al., 2022).
• Exploring whether efficient, generic black-box constructions can realize output-length manipulation (shrinking or expansion) for PRSFGs beyond current boundaries (Bouaziz--Ermann et al., 20 Feb 2024, Levy et al., 5 Nov 2024, Bouaziz--Ermann et al., 6 Oct 2025).
• Clarifying the minimal assumptions (possibly below one-way functions) necessary for various cryptographic applications, particularly those allowing for purely information-theoretic or idealized model realizations (Hhan et al., 5 Nov 2024, Ananth et al., 8 Apr 2024).
• Bridging theory and implementation in near-term settings, where PRSFGs can be instantiated efficiently with limited quantum computational and physical resources (Tanggara et al., 24 Apr 2025).

In conclusion, PRSFGs represent a distinct and robust quantum pseudorandomness primitive with subtle relationships to other pseudorandom objects and a wide array of cryptographic applications. Their paper typifies the foundational differences between classical and quantum pseudorandomness, with significant implications for complexity theory and the design of future quantum protocols.