We study the output length of one-way state generators (OWSGs), their weaker variants, and EFIs. - Standard OWSGs. Recently, Cavalar et al. (arXiv:2312.08363) give OWSGs with $m$-qubit outputs for any $m=\omega(\log \lambda)$, where $\lambda$ is the security parameter, and conjecture that there do not exist OWSGs with $O(\log \log \lambda)$-qubit outputs. We prove their conjecture in a stronger manner by showing that there do not exist OWSGs with $O(\log \lambda)$-qubit outputs. This means that their construction is optimal in terms of output length. - Inverse-polynomial-advantage OWSGs. Let $\epsilon$-OWSGs be a parameterized variant of OWSGs where a quantum polynomial-time adversary's advantage is at most $\epsilon$. For any constant $c\in \mathbb{N}$, we construct $\lambda^{-c}$-OWSGs with $((c+1)\log \lambda+O(1))$-qubit outputs assuming the existence of OWFs. We show that this is almost tight by proving that there do not exist $\lambda^{-c}$-OWSGs with at most $(c\log \lambda-2)$-qubit outputs. - Constant-advantage OWSGs. For any constant $\epsilon>0$, we construct $\epsilon$-OWSGs with $O(\log \log \lambda)$-qubit outputs assuming the existence of subexponentially secure OWFs. We show that this is almost tight by proving that there do not exist $O(1)$-OWSGs with $((\log \log \lambda)/2+O(1))$-qubit outputs. - Weak OWSGs. We refer to $(1-1/\mathsf{poly}(\lambda))$-OWSGs as weak OWSGs. We construct weak OWSGs with $m$-qubit outputs for any $m=\omega(1)$ assuming the existence of exponentially secure OWFs with linear expansion. We show that this is tight by proving that there do not exist weak OWSGs with $O(1)$-qubit outputs. - EFIs. We show that there do not exist $O(\log \lambda)$-qubit EFIs. We show that this is tight by proving that there exist $\omega(\log \lambda)$-qubit EFIs assuming the existence of exponentially secure PRGs.
翻译:本文研究单向态生成器(OWSGs)、其弱化变体以及EFI(可高效生成且不可区分的态对)的输出长度问题。 - 标准OWSGs:近期,Cavalaret等人(arXiv:2312.08363)构造了具有$m$量子比特输出的OWSGs,其中$m=\omega(\log \lambda)$($\lambda$为安全参数),并推测不存在输出为$O(\log \log \lambda)$量子比特的OWSGs。我们以更强形式证明了该猜想:不存在输出为$O(\log \lambda)$量子比特的OWSGs,这表明他们的构造在输出长度维度已达到最优。 - 逆多项式优势OWSGs:令$\epsilon$-OWSGs为OWSGs的参数化变体,要求量子多项式时间敌手的优势至多为$\epsilon$。对于任意常数$c\in \mathbb{N}$,在单向函数(OWFs)存在的假设下,我们构造了具有$((c+1)\log \lambda+O(1))$量子比特输出的$\lambda^{-c}$-OWSGs。通过证明不存在最多具有$(c\log \lambda-2)$量子比特输出的$\lambda^{-c}$-OWSGs,我们表明该构造在紧性上近乎最优。 - 常数优势OWSGs:对于任意常数$\epsilon>0$,在亚指数安全单向函数存在的假设下,我们构造了具有$O(\log \log \lambda)$量子比特输出的$\epsilon$-OWSGs。通过证明不存在具有$((\log \log \lambda)/2+O(1))$量子比特输出的$O(1)$-OWSGs,我们表明该构造在紧性上近乎最优。 - 弱OWSGs:我们将$(1-1/\mathsf{poly}(\lambda))$-OWSGs称为弱OWSGs。在线性扩展的指数安全单向函数存在的假设下,我们构造了对于任意$m=\omega(1)$具有$m$量子比特输出的弱OWSGs。通过证明不存在具有$O(1)$量子比特输出的弱OWSGs,我们表明该构造具有紧性。 - EFIs:我们证明不存在$O(\log \lambda)$量子比特的EFIs。在指数安全伪随机生成器(PRGs)存在的假设下,通过构造$\omega(\log \lambda)$量子比特的EFIs,我们表明该界限具有紧性。