
    Pseudorandom and Pseudoentangled States from Subset States

    Pseudorandom states (PRS) are an important primitive in quantum cryptography. In this paper, we show that subset states can be used to construct PRSs. A subset state with respect to $S$, a subset of the computational basis, is $\frac{1}{\sqrt{|S|}}\sum_{i\in S} |i\rangle$. As a technical centerpiece, we show that for any fixed subset size $|S|=s$ such that $s = 2^n/\omega(\mathrm{poly}(n))$ and $s=\omega(\mathrm{poly}(n))$, where $n$ is the number of qubits, a random subset state is information-theoretically indistinguishable from a Haar random state even provided with polynomially many copies. This range of parameters is tight. Our work resolves a conjecture by Ji, Liu and Song. Since subset states of small size have small entanglement across all cuts, this construction also illustrates a pseudoentanglement phenomenon.
    Comment: 9 pages; add a minimum background on pseudoentanglemen

    On the Impossibility of Probabilistic Proofs in Relativized Worlds

    We initiate the systematic study of probabilistic proofs in relativized worlds, where the goal is to understand, for a given oracle, the possibility of "non-trivial" proof systems for deterministic or nondeterministic computations that make queries to the oracle. This question is intimately related to a recent line of work that seeks to improve the efficiency of probabilistic proofs for computations that use functionalities such as cryptographic hash functions and digital signatures, by instantiating them via constructions that are "friendly" to known constructions of probabilistic proofs. Informally, negative results about probabilistic proofs in relativized worlds provide evidence that this line of work is inherent and, conversely, positive results provide a way to bypass it. We prove several impossibility results for probabilistic proofs relative to natural oracles. Our results provide strong evidence that tailoring certain natural functionalities to known probabilistic proofs is inherent

    Communication Lower Bounds for Cryptographic Broadcast Protocols

    Broadcast protocols enable a set of $n$ parties to agree on the input of a designated sender, even facing attacks by malicious parties. In the honest-majority setting, randomization and cryptography were harnessed to achieve low-communication broadcast with sub-quadratic total communication and balanced sub-linear cost per party. However, comparatively little is known in the dishonest-majority setting. Here, the most communication-efficient constructions are based on Dolev and Strong (SICOMP '83), and sub-quadratic broadcast has not been achieved. On the other hand, the only nontrivial $\omega(n)$ communication lower bounds are restricted to deterministic protocols, or against strong adaptive adversaries that can perform "after the fact" removal of messages. We provide new communication lower bounds in this space, which hold against arbitrary cryptography and setup assumptions, as well as a simple protocol showing near tightness of our first bound. 1) We demonstrate a tradeoff between resiliency and communication for protocols secure against $n-o(n)$ static corruptions. For example, $\Omega(n\cdot {\sf polylog}(n))$ messages are needed when the number of honest parties is $n/{\sf polylog}(n)$; $\Omega(n\sqrt{n})$ messages are needed for $O(\sqrt{n})$ honest parties; and $\Omega(n^2)$ messages are needed for $O(1)$ honest parties. Complementarily, we demonstrate broadcast with $O(n\cdot{\sf polylog}(n))$ total communication facing any constant fraction of static corruptions. 2) Our second bound considers $n/2 + k$ corruptions and a weakly adaptive adversary that cannot remove messages "after the fact." We show that any broadcast protocol within this setting can be attacked to force an arbitrary party to send messages to $k$ other parties. This rules out, for example, broadcast facing 51% corruptions in which all non-sender parties have sublinear communication locality.
    Comment: A preliminary version of this work appeared in DISC 202