There is a large body of work studying what forms of computational hardness are needed to realize classical cryptography. In particular, one-way functions and pseudorandom generators can be built from each other, and thus require equivalent computational assumptions to be realized. Furthermore, the existence of either of these primitives implies that $\rm{P} \neq \rm{NP}$, which gives a lower bound on the necessary hardness. One can also define versions of each of these primitives with quantum output: respectively one-way state generators and pseudorandom state generators. Unlike in the classical setting, it is not known whether either primitive can be built from the other. Although it has been shown that pseudorandom state generators for certain parameter regimes can be used to build one-way state generators, the implication has not been previously known in full generality. Furthermore, to the best of our knowledge, the existence of one-way state generators has no known implications in complexity theory. We show that pseudorandom states compressing $n$ bits to $\log n + 1$ qubits can be used to build one-way state generators and pseudorandom states compressing $n$ bits to $\omega(\log n)$ qubits are one-way state generators. This is a nearly optimal result since pseudorandom states with fewer than $c \log n$-qubit output can be shown to exist unconditionally. We also show that any one-way state generator can be broken by a quantum algorithm with classical access to a $\rm{PP}$ oracle. An interesting implication of our results is that a $t(n)$-copy one-way state generator exists unconditionally, for every $t(n) = o(n/\log n)$. This contrasts nicely with the previously known fact that $O(n)$-copy one-way state generators require computational hardness. We also outline a new route towards a black-box separation between one-way state generators and quantum bit commitments.