Towards the Impossibility of Quantum Public Key Encryption with Classical Keys from One-Way Functions

TL;DR

This paper investigates the fundamental limitations of quantum public key encryption using classical keys derived from one-way functions, establishing a black-box separation under certain conjectures and extending previous attack techniques.

Contribution

It provides a black-box separation result for quantum PKE with classical public keys and quantum ciphertext from OWF, under the polynomial compatibility conjecture.

Findings

Separation when the decryption algorithm does not query the OWF

Extension of Austrin et al.'s techniques to quantum communication models

An attack for key-agreement in an extended classical-quantum communication setting

Abstract

There has been a recent interest in proposing quantum protocols whose security relies on weaker computational assumptions than their classical counterparts. Importantly to our work, it has been recently shown that public-key encryption (PKE) from one-way functions (OWF) is possible if we consider quantum public keys. Notice that we do not expect classical PKE from OWF given the impossibility results of Impagliazzo and Rudich (STOC'89). However, the distribution of quantum public keys is a challenging task. Therefore, the main question that motivates our work is if quantum PKE from OWF is possible if we have classical public keys. Such protocols are impossible if ciphertexts are also classical, given the impossibility result of Austrin et al. (CRYPTO'22) of quantum enhanced key-agreement (KA) with classical communication. In this paper, we focus on black-box separation for PKE with classical public key and quantum ciphertext from OWF under the polynomial compatibility conjecture, first introduced in Austrin et al.. More precisely, we show the separation when the decryption algorithm of the PKE does not query the OWF. We prove our result by extending the techniques of Austrin et al. and we show an attack for KA in an extended classical communication model where the last message in the protocol can be a quantum state.