
How (not) to Build Quantum PKE in Minicrypt

Longcheng Li, Qian Li, Xingjian Li, Qipeng Liu

TL;DR

The paper tackles whether quantum public-key encryption (QPKE) can be constructed from one-way functions within Minicrypt by proving unconditional impossibility results in the quantum random oracle model (QROM) under classical-key-generation constraints. The authors develop a quantum-information framework centered on conditional mutual information (CMI) and approximate quantum Markov chains to show that QPKE with classical keys and classical ciphertext cannot exist in the QROM if key generation uses classical queries, and similarly for QPKE with quantum public keys under purity or clonability constraints. They connect QPKE to two-round quantum key agreement (QKA) and extend impossibility to QPKE with quantum ciphertext when the decryption oracle makes no queries, removing reliance on conjectures and highlighting the role of reusability and key-generation capabilities. The results illuminate fundamental obstructions to building QPKE from OWFs in Minicrypt, motivate necessary sampling/survival properties (un-simulatable key generation), and provide a versatile toolkit (CMI-based Eve, quantum Markov sampling) with potential applications to broader quantum cryptographic separations.

Abstract

The seminal work by Impagliazzo and Rudich (STOC'89) demonstrated the impossibility of constructing classical public key encryption (PKE) from one-way functions (OWF) in a black-box manner. However, the question remains: can quantum PKE (QPKE) be constructed from quantumly secure OWF? A recent line of work has shown that it is indeed possible to build QPKE from OWF, but with one caveat -- they rely on quantum public keys, which cannot be authenticated and reused. In this work, we re-examine the possibility of perfectly complete QPKE in the quantum random oracle model (QROM), where OWF exists. Our first main result: QPKE with classical public keys, secret keys and ciphertext does not exist in the QROM if the key generation only makes classical queries. Therefore, a necessary condition for constructing such QPKE from OWF is to have the key generation classically "un-simulatable". Previous discussions (Austrin et al. CRYPTO'22) on the impossibility of QPKE from OWF rely on a seemingly strong conjecture. Our work makes a significant step towards a complete and unconditional quantization of Impagliazzo and Rudich's results. Our second main result extends to QPKE with quantum public keys. The second main result: QPKE with quantum public keys, classical secret keys and ciphertext does not exist in the QROM if the key generation only makes classical queries and the quantum public key is either pure or "efficiently clonable". The result is tight due to all existing QPKE constructions. Our result further gives evidence on why existing QPKEs lose reusability. To achieve these results, we use a novel argument based on conditional mutual information and quantum Markov chains by Fawzi and Renner (Communications in Mathematical Physics). We believe the techniques used in the work will find other usefulness in separations in quantum cryptography/complexity.

Paper Structure (38 sections, 29 theorems, 60 equations, 2 tables)


Key Result

Theorem 1.1

QPKE with classical keys and classical ciphertext does not exist in the QROM, if

Theorems & Definitions (67)

  • Theorem 1.1
  • Theorem 1.2: Subsuming \ref{thm:main_theorem1}
  • Theorem 1.3
  • Definition 2.1: Informal, Two-round QKA
  • Lemma 2.2: Informal
  • Lemma 2.3: Approximate Quantum Markov Chain [fawzi2015quantum]
  • Definition 3.1: Total variation distance
  • Definition 3.2: Trace distance
  • Definition 3.3: Von Neumann Entropy
  • Definition 3.6: Mutual Information
  • ...and 57 more