CountCrypt: Quantum Cryptography between QCMA and PP

Eli Goldin, Tomoyuki Morimae, Saachi Mutreja, Takashi Yamakawa

TL;DR

The paper analyzes the landscape of quantum cryptographic primitives under quantum complexity constraints by introducing unitary oracle separations. It shows that there exist unitary oracles where BQP=QCMA yet QCCC primitives (KE/commitments) and 2QKD emerge, and another where BQP=QMA with quantum lightning exists; further, it links the existence of QCCC KE/commitments and 2QKD to one-way puzzles, placing these primitives in the CountCrypt class. The authors develop a refined unitary oracle framework (SG,Mix,PSPACE), construct simulators, and prove BQP=QCMA and BQP=QMA separations via concentration-preserving hybrids and compressed-oracle techniques. Collectively, the results demonstrate a broad class of CountCrypt primitives that can exist under BQP=QCMA but are vulnerable if BQP=PP, with one-way puzzles acting as a minimal primitive bridging to EFI/NanoCrypt primitives. The work thus maps structural boundaries between quantum cryptographic tasks and complexity classes, highlighting CountCrypt as a robust regime for practical quantum cryptography under weaker quantum hardness assumptions. $BQP$, $QCMA$, $QMA$, and $PP$ play central roles in these separations, while non-interactive quantum-communication constructs like QCCC KE/commitments and 2QKD anchor the CountCrypt primitives and their reductions to one-way puzzles.

Abstract

We construct a unitary oracle relative to which $\mathbf{BQP}=\mathbf{QCMA}$ but quantum-computation-classical-communication (QCCC) commitments and QCCC multiparty non-interactive key exchange exist. We also construct a unitary oracle relative to which $\mathbf{BQP}=\mathbf{QMA}$, but quantum lightning (a stronger variant of quantum money) exists. This extends previous work by Kretschmer [Kretschmer, TQC22], which showed that there is a quantum oracle relative to which $\mathbf{BQP}=\mathbf{QMA}$ but pseudorandom unitaries exist. We also show that (poly-round) QCCC key exchange, QCCC commitments, and two-round quantum key distribution can all be used to build one-way puzzles. One-way puzzles are a version of "quantum samplable" one-wayness and are an intermediate primitive between pseudorandom state generators and EFI pairs, the minimal quantum primitive. In particular, one-way puzzles cannot exist if $\mathbf{BQP}=\mathbf{PP}$. Our results together imply that aside from pseudorandom state generators, there is a large class of quantum cryptographic primitives which can exist even if $\mathbf{BQP} = \mathbf{QCMA}$, but are broken if $\mathbf{BQP} = \mathbf{PP}$. Furthermore, one-way puzzles are a minimal primitive for this class. We denote this class "CountCrypt".

Paper Structure

This paper contains 35 sections, 43 theorems, 126 equations, 1 figure.

Key Result

Theorem 1.1

QCCC NIKE exists relative to $(SG,Mix,PSPACE)$.

Figures (1)

  • Figure 1: A graph of some known implications between primitives in QuantuMania, CountCrypt, and NanoCrypt. Dashed lines represent black-box separations. Blue lines are new in our work. pqOWF means post-quantum (i.e., quantumly-secure) OWFs. OWSG refers to pure-state one-way state generators [C:MorYam22].

Theorems & Definitions (100)

  • Theorem 1.1 (thm:keexists, restated)
  • Corollary 1.2
  • Remark 1.3
  • Theorem 1.4
  • Theorem 1.5 (thm:bqpqcma, restated)
  • Theorem 1.6 (thm:bitcommitment, restated)
  • Theorem 1.7 (thm:lightning, restated)
  • Remark 1.8
  • Theorem 1.9 (thm:ketoowpuzz, restated)
  • Theorem 1.10 (thm:commtoowpuzz, restated)
  • ...and 90 more