
Pseudorandom Unitaries (PRUs)

Updated 9 October 2025
  • Pseudorandom unitaries (PRUs) are efficiently computable quantum operators indistinguishable from Haar random operators to any quantum polynomial-time adversary.
  • They are constructed using methods like concatenated random Clifford unitaries and the path-recording framework, ensuring security against both standard and adaptive attacks.
  • PRUs underpin critical quantum cryptographic applications such as authentication, secure quantum money, and hardware unclonable functions, while imposing stringent resource and circuit depth requirements.

Pseudorandom unitaries (PRUs) are families of efficiently computable unitary operators on quantum systems that are computationally indistinguishable from Haar-random unitaries to any efficient (quantum polynomial-time) adversary. PRUs play a central role in quantum cryptography, derandomization, complexity theory, and the emerging theory of quantum pseudorandomness. They are the quantum analog of classical pseudorandom functions, but with profound structural, resource, and separability differences unique to the quantum setting.

1. Definition, Characterization, and Security

A family $\mathcal{U} = \{ U_k \}_k$ of $n$-qubit unitary operators is called a pseudorandom unitary (PRU) if:

  • There exists a quantum polynomial-time (QPT) algorithm capable of computing $U_k$ for any key $k$.
  • For every QPT adversary $A$ with quantum query access, the probability difference

$$\left| \Pr_k[A^{U_k}(1^n) = 1] - \Pr_{U \sim \mu}[A^{U}(1^n) = 1] \right|$$

is negligible in $n$, where $U$ is drawn from the Haar measure $\mu$ over the unitary group $\mathrm{U}(2^n)$ (Doosti et al., 2021).

PRUs are defined in both standard and strong forms. The strong form remains secure even when the adversary can query both $U$ and $U^\dagger$ (Ma et al., 14 Oct 2024, Ananth et al., 29 Sep 2025). Security is typically proven either via reductions from quantum-secure one-way functions or, in oracle models, using information-theoretic simulation arguments.

2. Construction Techniques and the Path-Recording Framework

Early candidate constructions for PRUs were based on concatenation of random Clifford unitaries, pseudorandom binary phase operators, and pseudorandom permutations:

$$U_k = P_{k_1} F_{k_2} C_{k_3}$$

where $P_{k_1}$ is an efficiently computable pseudorandom permutation, $F_{k_2}$ applies a pseudorandom phase via a quantum-secure pseudorandom function, and $C_{k_3}$ is a random Clifford (Metger et al., 22 Feb 2024, Metger et al., 19 Apr 2024). Such constructions are secure against non-adaptive (parallel-query) adversaries. For full (adaptive) security, the "path-recording" framework was introduced (Ma et al., 14 Oct 2024, Ananth et al., 25 Oct 2024, Ananth et al., 29 Sep 2025). This reformulates simulation of queries to a Haar-random unitary as a process that "records" all input-output query pairs in an auxiliary "relation" register, enabling efficient isometric simulation that is indistinguishable from Haar up to negligible trace distance, even against adversaries making both $U$ and $U^\dagger$ queries.

In the quantum Haar random oracle model (QHROM), efficient constructions include "sandwich" forms:

$$G_k = X^{(k_3)} U X^{(k_2)} U X^{(k_1)}$$

where $U$ is a fixed Haar random oracle and $X^{(k)}$ is a tensor-product Pauli $X$ operation for key $k$ (Ananth et al., 29 Sep 2025).

For extension to large Hilbert spaces with minimal additional key, "gluing" techniques and recursive compositions assemble large PRUs from smaller blocks, preserving invertibility security and reducing key requirements to nearly sublinear in $n$ (Ananth et al., 5 Oct 2025).

3. Resource Requirements and Fundamental Limitations

PRUs differ sharply in resource requirements from pseudorandom states. They require:

  • Maximal "imaginarity"

$$\mathcal{I}_\mathrm{p}(U) = 1 - 4^{-n}|\mathrm{tr}(U^\dagger U^*)|^2 \approx 1-\mathrm{negl}(n)$$

Any real or nearly real unitaries can be efficiently distinguished from Haar, so PRUs must encode nontrivial complex phases (Haug et al., 2023).

  • High quantum coherence, quantified (e.g., via the relative entropy of coherence) to grow as $\omega(\log n)$ (Haug et al., 2023).
  • PRUs cannot be realized by sparse unitaries or with shallow (constant-depth) quantum circuits. Any such shallow circuit is efficiently learnable and therefore not pseudorandom by the required criteria (Wadhwa et al., 20 May 2024).
  • Extreme noise sensitivity: PRUs can only be generated on devices with error rates $p = \text{negl}(n)$; any higher noise makes the constructed unitaries efficiently distinguishable from Haar random (Haug et al., 2023).

These constraints establish strong lower bounds on any physical or circuit realization of PRUs.
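
The imaginarity measure above, evaluated numerically as an added example (not code from the cited papers): it computes $\mathcal{I}_\mathrm{p}$ directly from the matrix entries, which takes time exponential in $n$ and is not the efficient quantum test, and compares a Haar-random unitary with a real orthogonal matrix. The function names, the Gram-Schmidt sampler, $n = 4$ and the 0.5 threshold are assumptions of this sketch.

```python
import random

def gram_schmidt_columns(dim, rng, real=False):
    """Orthonormalise Gaussian vectors (modified Gram-Schmidt).

    Complex Gaussians give a Haar-distributed unitary; real=True gives a
    Haar-distributed real orthogonal matrix. Returned as a list of columns.
    """
    cols = []
    for _ in range(dim):
        v = [complex(rng.gauss(0, 1), 0.0 if real else rng.gauss(0, 1))
             for _ in range(dim)]
        for q in cols:
            overlap = sum(qi.conjugate() * vi for qi, vi in zip(q, v))
            v = [vi - overlap * qi for vi, qi in zip(v, q)]
        norm = sum(abs(vi) ** 2 for vi in v) ** 0.5
        cols.append([vi / norm for vi in v])
    return cols

def imaginarity(u, n):
    """I_p(U) = 1 - 4^{-n} |tr(U^dagger U^*)|^2.

    Entrywise, tr(U^dagger U^*) = conj(sum_ij U_ij^2), so only the sum of
    squared entries is needed.
    """
    s = sum(x * x for col in u for x in col)
    return 1.0 - abs(s) ** 2 / 4 ** n

def looks_real(u, n, threshold=0.5):
    """Toy distinguisher (assumed threshold): flag U when I_p(U) is small."""
    return imaginarity(u, n) < threshold

def demo(n=4, seed=1):
    rng = random.Random(seed)  # constructed sample inputs, fixed seed
    dim = 2 ** n
    haar = gram_schmidt_columns(dim, rng)
    orth = gram_schmidt_columns(dim, rng, real=True)
    phased = [[1j * x for x in col] for col in orth]  # i * O: global phase only
    samples = (("haar", haar), ("orthogonal", orth), ("i*orthogonal", phased))
    return {name: imaginarity(u, n) for name, u in samples}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>13}: I_p = {value:.4f}")
```

The real orthogonal matrix and its multiple by $i$ both score 0, because the measure ignores a global phase, while the Haar sample scores close to 1.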

4. Structural Relations, Separations, and Oracle Worlds

Quantum pseudorandom constructs form a strict hierarchy:

  • PRU $\Rightarrow$ PRI (pseudorandom isometry) $\Rightarrow$ PRFSG (pseudorandom function-like state generator). However, there are no known black-box constructions from PRFSGs or generic PRIs back to PRUs (Gulati et al., 6 Oct 2025, Bouaziz-Ermann et al., 6 Oct 2025).
  • Oracle separations constructed using tools such as the quantum singular value transformation show that even adaptively secure, quantum-accessible PRFSGs do not imply ancilla-efficient PRUs (Gulati et al., 6 Oct 2025).
  • In unitary oracle worlds, non-ancilla PRUs are unachievable even as PRFSGs are possible (Bouaziz-Ermann et al., 6 Oct 2025).
  • These findings contrast sharply with the classical setting, where pseudorandom generators, functions, and permutations are equivalent up to polynomial reductions.

Key stretching is possible: using gluing techniques (e.g., with path-recording purification and composite projections), it is possible to extend a strong PRU acting on $n$ qubits to one acting on $N \gg n$ qubits using a total key of $O(N^{1/c})$ bits for any constant $c$ (Ananth et al., 5 Oct 2025, Ananth et al., 25 Oct 2024). This indicates a difference where key lengths can be shorter than the output dimension, in contrast to the classical case.

5. Applications: Cryptography, Hardware, and Fast Scrambling

PRUs allow a range of quantum cryptographic and cryptanalytic applications:

  • Quantum authentication and encryption: PRUs underlie the pseudorandom quantum authentication scheme (PQAS), which achieves indistinguishability from the maximally mixed state, strong message integrity, and resistance to meta-information leakage, all with potentially much weaker assumptions than quantum-secure one-way functions (Haug et al., 1 Jan 2025).
  • Secure quantum money: PRU-based state simulation yields "Haar money" protocols with information-theoretic unforgeability and untraceability (Alagic et al., 2019).
  • Commitment and key distribution limitations: Despite the power of PRUs, black-box constructions of classical-communication quantum commitments or key agreements from PRUs are ruled out by separability and indistinguishability bounds—PRUs are too "random" to coordinate classical outputs (Ananth et al., 29 Sep 2025).
  • Connection to quantum hardware: PRUs can be constructed (and conversely, used to construct) quantum physical unclonable functions (qPUFs), with a complete equivalence provided sufficient separation in diamond norm between qPUF instances (Doosti et al., 2021).
  • Fast scrambling: Strong PRUs (robust to $U$, $U^\dagger$, $U^T$, $U^*$ queries) can be constructed in $O(\log n)$ depth and provide a rigorous proof of the fast scrambling conjecture: any observable feature expressible with access to $U$, $U^\dagger$, $U^T$, $U^*$ is indistinguishable from Haar random after logarithmic depth (Schuster et al., 30 Sep 2025, Ananth et al., 5 Oct 2025).

6. Circuit Depth, Complexity, and Physical Realizability

Efficient PRUs can be constructed in $\mathrm{poly}(\log n)$ depth in architectures with all-to-all connectivity and $O(\log n)$ depth even in 1D circuits, using gluing of patchwise PRUs (Schuster et al., 10 Jul 2024, Foxman et al., 15 Aug 2025). In models with enhanced gates (e.g., many-qubit TOFFOLI or FANOUT), constant-depth circuits suffice for PRU and strong PRU construction (Foxman et al., 15 Aug 2025). However, any attempt to aggregate PRUs via constant-depth circuits of two-qubit gates alone is impossible due to efficient learnability. Furthermore, the possibility of constructing strong PRUs in QAC$^0$ circuits is intimately related to the question of whether PARITY is in QAC$^0$ (Foxman et al., 15 Aug 2025).

In the context of quantum Haar random oracle models (QHROMs), PRUs with security against unbounded queries can be constructed using two sequential queries to the oracle, but not with a single query; bounded security is possible with a single query (Ananth et al., 25 Oct 2024, Ananth et al., 29 Sep 2025).

7. Open Problems, Limitations, and Future Directions

PRUs are foundational in quantum cryptography yet exhibit sharp distinctions from both classical pseudorandomness and even related quantum primitives. Major open questions include:

  • The full equivalence (or lack thereof) between PRUs, PRIs, and PRFSGs.
  • Characterizing necessary and sufficient physical resources for realizing strong PRUs in minimal circuit depth and key length.
  • Closing the adaptive security gap for simple constructions and generalizing path-recording simulation to broader classes of quantum functions.
  • Determining the minimal assumptions required for existence in the plain model (i.e., are PRUs strictly weaker than quantum-secure one-way functions?).

Theoretical progress in these areas will clarify the precise role of PRUs as quantum cryptographic and computational primitives, further establish their hierarchy of power, and influence the design of both fundamental protocols and quantum hardware.
