Subspace-Preserving Strong PRU (spsPRU)

• spsPRU is a cryptographic quantum primitive comprising efficient unitary transformations that act as the identity on a fixed subspace while ensuring strong pseudorandomness on its complement.
• It leverages standard post-quantum tools like PRFs and PRPs, combining diagonal phase gates, basis permutations, and restricted 2-designs for efficient and secure construction.
• spsPRUs underpin secure quantum obfuscation and model energy-conserving dynamics, while highlighting computational limits in settings such as translationally invariant Hamiltonians.

A subspace-preserving strong pseudorandom unitary (spsPRU) is a cryptographic quantum primitive defined as a family of highly efficient unitary transformations that act as the identity on a fixed subspace $S$ while behaving, even under quantum oracle access, as computationally indistinguishable from Haar-random unitaries on the orthogonal complement $S^\perp$. spsPRUs have emerged as a foundational tool for constructing ideal obfuscators for arbitrary quantum circuits and for modeling physically constrained pseudorandom dynamics, such as energy conservation, in quantum many-body systems (Huang et al., 13 Jan 2026, Mao et al., 9 Oct 2025).

1. Formal Definition and Main Properties

Let $n \in \mathbb{N}$ and let $d \le 2^n$. Define the "honest" subspace

$$S = \mathrm{Span}\{\ket{x} : x \in \{0,1\}^n \setminus [d]\},$$

with orthogonal complement

$S^\perp = \mathrm{Span}\{\ket{x} : x \in [d]\}.$

Consider the subgroup of unitaries

$$\{ U\in U(2^n): U\ket{s}=\ket{s} \ \forall \ket{s} \in S \},$$

that is, unitaries acting nontrivially only on $S^\perp$.

An spsPRU is formally a family of unitaries $\{\mathrm{spsPRU}_k\}_{k\in\{0,1\}^\lambda}$ such that:

• Efficiency: There exists a QPT (quantum polynomial-time) algorithm that, given $k$, outputs a circuit of size $\mathrm{poly}(n)$ approximating $\mathrm{spsPRU}_k$ to negligible error in operator-norm.
• Subspace Preservation: For all $k$, $\mathrm{spsPRU}_k \ket{s} = \ket{s}$ for all $\ket{s} \in S$.
• Strong Pseudorandomness: For every QPT distinguisher $\mathcal{D}$ making up to polynomially many quantum queries (to both the unitary and its inverse), the distributions $\mathrm{spsPRU}_k$ (for random $k$) and Haar-random unitaries from the above subgroup are computationally indistinguishable on $S^\perp$.

This guarantees that every efficient adversary cannot distinguish oracle access to $\mathrm{spsPRU}_k$ from access to a genuinely Haar-random unitary (restricted to $S^\perp$) [(Huang et al., 13 Jan 2026), §3].

2. Efficient Cryptographic Construction

The construction of spsPRUs relies on standard post-quantum assumptions, notably quantum-secure one-way functions, to instantiate pseudorandom functions (PRFs) and pseudorandom permutations (PRPs). The spsPRU circuit is assembled as

$$\mathrm{spsPRU}_k = \widehat{D} \circ P_\pi \circ F_f \circ \widehat{C}$$

where all components act as the identity on $S$:

• $F_f$: Diagonal phase gate with phases determined by a PRF (outputting in $\{0,1,2\}$), composed using generalized third roots of unity $\omega_3 = e^{2\pi i/3}$, restricted to $x \in [d]$ and identity otherwise.
• $P_\pi$: Basis permutation defined by a PRP over $[d]$, again identity outside $S^\perp$.
• $\widehat{C}, \widehat{D}$: Independently and efficiently computable approximate restricted unitary 2-designs acting on $S^\perp$, implemented using random phase polynomials interleaved with $d \times d$ quantum Fourier transforms, with randomness from a dedicated PRF.

The key $k$ is a tuple $(k_{PRF}, k_{PRP}, k_{des})$ of total length $O(n)$. The entire circuit remains $\mathrm{poly}(n)$-size, and key sampling, evaluation (both forward and inverse), and correctness are efficient [(Huang et al., 13 Jan 2026), §3.2].

Component	Definition	Subspace Action
$F_f$	Diagonal phase PRF	Identity on $S$
$P_\pi$	PRP-based basis permutation	Identity on $S$
$\widehat{C},\widehat{D}$	Restricted 2-designs	Identity on $S$

3. Security Proof and Parameter Selection

The proof of security exploits a hybrid argument:

1. Replace the PRF with a truly random function; by PRF security, this is indistinguishable to polynomial-query adversaries.
2. Replace the PRP with a truly random permutation; again secured by PRP guarantees.
3. Substitute 2-designs with truly Haar-random unitaries on $S^\perp$; this introduces a statistical distance bounded by $18t(t+1)/d^{1/8}$ for $t$ queries, which is negligible for $d = n^{\omega(1)}$ [(Huang et al., 13 Jan 2026), Theorem 3.5].

Parameter selection is driven by the need for negligible statistical error and efficient computation: typically $n \geq 256$, $d = 2^{n/2}$ or $d = n^3$, and key lengths of order $O(n)$.

4. Role in Quantum Obfuscation

spsPRUs are pivotal in constructing ideal quantum obfuscators for arbitrary circuits, including those implementing general CPTP maps rather than mere unitaries. In the obfuscation scheme [(Huang et al., 13 Jan 2026), §5]:

• The original circuit $Q$ is padded with $\lambda$ ancilla qubits in the $\ket{1}$ state.
• The combined circuit $Q'$ is constructed as

$$Q' = (\mathrm{PRU}_{k'} \otimes I) \circ (\mathrm{ctrl}_{1^\lambda} \text{-} U_Q) \circ \mathrm{spsPRU}_k,$$

where $\mathrm{ctrl}_{1^\lambda}\text{-}U_Q$ denotes ancilla-conditioned execution, $\mathrm{PRU}_{k'}$ is a standard (non-subspace-preserving) strong PRU obscuring unused outputs, and $\mathrm{spsPRU}_k$ ensures that only the "honest" subspace (with correct ancilla) is transmitted unchanged.

• Any deviation in ancilla preparation triggers Haar-randomization on the full register due to $\mathrm{spsPRU}_k$, enforcing black-box access to the functionality.

This construction allows the obfuscator to remain fully quantum-homomorphic, reusable, and capable of supporting general quantum processes (Huang et al., 13 Jan 2026).

5. Generalizations: Energy-Conserving spsPRUs

The concept of spsPRU extends beyond arbitrary subspaces to structured subgroups defined by physical symmetries, notably energy preservation under a Hamiltonian $H$ (Mao et al., 9 Oct 2025):

• For a local, commuting Hamiltonian $H$, efficient spsPRUs can be realized as PRUs block-diagonal in the eigenbasis of $H$ and acting Haar-randomly within energy eigenspaces.
• Construction uses quantum phase estimation (QPE) to resolve eigenstates, random phase oracles (PRF-based), and fast-forwarding techniques where commuting structure is present.
• For certain families of 1D translationally-invariant Hamiltonians (with nontrivial computational structure), it is provable that no efficient energy-preserving spsPRU exists; any attempt is distinguishable from Haar, and the problem of determining existence for general families is undecidable [(Mao et al., 9 Oct 2025), Theorems 4.2-4.3].

6. Limitations and Open Problems

The existence of spsPRUs is highly parameter and symmetry-dependent:

• For arbitrary subspaces or generic local commuting Hamiltonians, spsPRUs are efficiently constructible.
• For structured cases such as translationally-invariant 1D Hamiltonians encoding hard computation, no efficient construction exists and even subexponential-size circuits fail to achieve pseudorandomness.
• It is algorithmically undecidable to determine, given a uniform local Hamiltonian family, whether an energy-conserving spsPRU can exist (Mao et al., 9 Oct 2025).

Future research includes exploration of spsPRUs under other physical constraints (particle number, spin), understanding average-case behavior for noncommuting Hamiltonians, and delineating precise spectral properties that govern constructibility.

7. Significance in Quantum Cryptography and Physics

spsPRUs serve as versatile primitives for cryptographic applications requiring selective pseudorandomization, especially in quantum obfuscation and secure protocol design. In many-body physics, they model "physically random" time evolution respecting symmetry constraints, illuminating cryptographically robust aspects of chaotic versus integrable dynamics. The fundamental separation between generic and symmetry-constrained pseudorandomness highlights new complexity-theoretic signatures induced by conservation laws.

For comprehensive details and proofs of the construction, security, and limitations, see "Obfuscation of Arbitrary Quantum Circuits" (Huang et al., 13 Jan 2026) and "Random unitaries that conserve energy" (Mao et al., 9 Oct 2025).