Toward the Impossibility of Perfect Complete Quantum PKE from OWFs

Li, Longcheng; Li, Qian; Li, Xingjian; Liu, Qipeng

doi:10.4230/LIPIcs.ITCS.2025.71

Toward the Impossibility of Perfect Complete Quantum PKE from OWFs

Longcheng Li

State Key Lab of Processors, Institute of Computing Technology, Chinese Academy of Sciences, Beijing, China Qian Li

Shenzhen International Center for Industrial and Applied Mathematics, Shenzhen Research Institute of Big Data, China Xingjian Li

Tsinghua University, Beijing, China Qipeng Liu

University of California, San Diego, La Jolla, CA, USA

Abstract

In this paper, we study the impossibility of constructing perfect complete quantum public key encryption (QPKE) from quantumly secure one-way functions (OWFs) in a black-box manner. We show that this problem is connected to a fundamental conjecture about the roots of low-degree polynomials on the Boolean hypercube. Informally, the conjecture asserts that for every nonconstant low-degree polynomial, there exists a universal (randomized) way to modify a small number of input bits such that, for every input string, the polynomial evaluated on the modified input string avoids 0 with sufficiently large probability (over the choice of how the input string is modified). Assuming this conjecture, we demonstrate the impossibility of constructing QPKE from quantumly secure one-way functions in a black-box manner, by employing the information-theoretical approach recently developed by Li, Li, Li, and Liu (CRYPTO’24). Towards resolving this conjecture, we provide various pieces of evidence supporting it and prove some special cases. In particular, we fully rule out perfect QPKE from OWFs when the key generation algorithm only makes a logarithmic number of quantum queries, improving the previous work, which can only handle classical queries.

Keywords and phrases:

Qautnum public-key encryption, Boolean function analysis

Funding:

Qian Li: Qian Li’s work was supported by Hetao Shenzhen-Hong Kong Science and Technology Innovation Cooperation Zone Project (No.HZQSWS-KCCYB-2024016).

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Cryptographic primitives ; Theory of computation

\rightarrow

Quantum complexity theory

DOI:

10.4230/LIPIcs.ITCS.2025.71

Event:

16th Innovations in Theoretical Computer Science Conference (ITCS 2025)

Editors:

Raghu Meka

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Public-key encryption (PKE) is a fundamental primitive in modern cryptography. It enables secure communication through an insecure channel. A server generates two keys, the secret key and the public key; the secret key is owned only by the server, whereas the public key is broadcasted to everyone else. PKE allows everyone to send messages to the server securely; even if a malicious party, who keeps listening to the channel, has no idea about the actual messages. Its counterpart, secret-key encryption, requires pre-shared keys to conduct secure communication. Since the first proposal ¹¹1The UK Government Communications Headquarters proposed and developed the same scheme even earlier than Diffie and Hellman (1973 and 1974), and was later declassified by the British government in 1997. by Diffie and Hellman [13], PKE has become one of the most important cryptographic primitives and concepts, with impacts ranging from theoretical computer science to real-world constructions.

Despite enjoying all the advancements in secret-key encryption (SKE), all PKE schemes have more structures. Therefore, PKE seems to require strictly stronger assumptions than one-way functions. This observation was later confirmed by Impagliazzo and Rudich [16]: there was no black-box construction of PKE solely from one-way functions (or in the random oracle model).

Quantum information has changed the landscape of cryptography, especially weakening the assumptions needed for various cryptographic primitives; for example, quantum key distribution [10], oblivious transfer/multi-party computation [7, 15], commitment [3, 23]. Talking about PKE, first introduced by Morimae and Yamakawa [22], then followed by [12, 17, 19, 6], QPKE with either quantum keys or quantum ciphertext can be constructed from OWFs. However, quantum public keys and quantum ciphertext are often more difficult to broadcast, use and authenticate than their classical counterparts. Thus, the possibility of basing quantum PKE with classical public key, secret key and ciphertext on one-way functions is still intriguing and largely unanswered. In the rest of the work, we will simply denote such QPKE with classical keys and ciphertext by “QPKE”. Following the similar questions in [16], in this work, we are interested in the problem:

Question 1: Whether QPKE can be constructed solely
in the quantum random oracle model (QROM)?

The direction was investigated first by Austrin, Chung, Chung, Fu, Lin and Mahmoody [5] and later by Li, Li, Li and Liu [18]. Austrin et al. proposed the so-called “polynomial compatible conjecture” (or PCC for short); basing on PCC, they fully rule out QPKE from OWFs. However, their conjecture is tailored to this separation problem; to which we will compare our conjecture later on. Besides, they are able to prove the non-existence of perfect complete QPKE in the QROM when (i) ${\sf Enc}$ or (ii) both ${\sf Gen}$ and ${\sf Dec}$ make only classical queries to a random oracle. Li et al. improved the result (ii) and showed that as long as the key generation algorithm ${\sf Gen}$ only makes classical queries, perfect correct QPKE can not exist in the QROM.

1.1 Our Results

In this work, we show that Question 1 is closely related to a fundamental conjecture about the roots of low-degree polynomials on the Boolean hypercube. More specifically, we propose the following conjecture, and show that it implies a full impossibility result of perfect complete QPKE in the QROM.

Conjecture 1.

For any nonconstant function $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ with degree $d$ , the following holds. There exists a distribution $\mathcal{D}$ on the set of partial assignments $\rho$ with $|\rho|\leq\mathrm{poly}(d)$ such that: for any $x\in\{-1,1\}^{n}$ ,

\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/\mathrm{poly}(d).

A partial assignment is denoted by $\rho\in\{-1,1,\star\}^{n}$ and $|\rho|$ is defined as the number of non- $\star$ entries. $x^{\rho}$ is defined as an input string whose $i$ -th bit will be equal to $x_{i}$ if $\rho_{i}=\star$ , and otherwise equal to $\rho_{i}$ . In other words, the conjecture asserts that for every degree $d$ nonconstant $f$ , there is a universal (randomized) way to modify $\mathrm{poly}(d)$ bits such that, every input string $x$ has an inverse-polynomial probability of evaluating to non-zero under this randomized modification.

$\blacktriangleright$ Remark 2 (Comparing PCC in [5] with our conjecture).

PCC (Conjecture 1.2) roughly asserts that, for two distributions $F, G$ over low degree polynomials with bounded influences, there always exists $f\in F,g\in G$ and $x$ such that $f(x)g(x)\neq 0$ . To the best of our knowledge, there is no obvious connection between PCC and our conjecture. Nonetheless, we hold that our conjecture appears simpler and offers an alternative path towards the ultimate objective; since our conjecture only involves a single polynomial (instead of two distributions) and resembles many fundamental notions in the literature of boolean function analysis. Furthermore, PCC might be too strong to hold: as it will imply attacks with only a polynomial number of classical queries, even if both Alice and Bob make quantum queries; on the other hand, our Eve makes quantum queries.

With the conjecture, we now present our main theorem.

Theorem 3 (Main Theorem).

If 1 is true, then perfect complete QPKE does not exist in the QROM.

$\blacktriangleright$ Remark 4.

In the proof of Theorem 3, $f$ is treated as a probability and ranges in $[0,1]$ . However, it would not weaken Conjecture 1 if we restrict the range of $f$ to $[0,1]$ . Precisely, in Conjecture 1, it does not lose generality to assume that $f$ is nonnegative, because we can consider $f^{2}$ instead; then we can scale the function to fit in the range $[0,1]$ .

1 is closely related to notions like certificate complexity, sensitivity in the literature of boolean function analysis (BFA), and also to the celebrated Combinatorial Nullstellensatz of Alon [2], making it a considerably natural conjecture. With the tools in BFA and the Combinatorial Nullstellensatz, we can provide many pieces of evidence and prove special cases. We mention some of the most important results below while leaving others in the main body.

Special Case 1: Gen makes only classical queries

This is the case that already was analyzed in [18]; there, they did not go through BFA, but rather proved it directly. We demonstrate the versatility of our conjecture and framework, by showing:

Lemma 5.

1 holds for all $f$ that can be expressed as the acceptance probability of a (randomized) classical decision tree.

Corollary 6 (Recasting [18]).

Perfect complete QPKE does not exist in the QROM, if ${\sf Gen}$ only makes classical queries.

Evidence 2: The Combinatorial Nullstellensatz

The following relaxed version of 1 directly follows from the Combinatorial Nullstellensatz of Alon (Lemma 22).

Lemma 7.

For any nonconstant function $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ with degree $d$ , the following holds. There exists a distribution $\mathcal{D}$ on the set of partial assignments $\rho$ with $|\rho|\leq d$ such that: for any $x$ ,

\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/2^{d}.

Somewhat surprisingly, we find that if the probability of $f(x^{\rho})$ being non-zero in Lemma 7 can be improved from $1/2^{d}$ to $1/2^{d^{c}}$ for an arbitrary $c<1$ , then 1 would be affirmed. Formally, the following conjecture is equivalent to 1:

Conjecture 8.

There is a universal constant $c<1$ , such that for any nonconstant function $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ with degree $d$ , the following holds. There exists a distribution $\mathcal{D}$ on the set of partial assignments $\rho$ with $|\rho|\leq\mathrm{poly}(d)$ such that: for any $x$ ,

\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/2^{d^{c}}.

Lemma 9.

8 holds if and only if 1 holds.

Special Case 3: Gen makes $O(\log n)$ quantum queries

With Lemma 7, by following a similar argument in [18], we can directly conclude that when the generation algorithm only makes $O(\log n)$ quantum queries, such QPKE does not exist in the QROM.

Lemma 10.

Perfect complete QPKE does not exist in the QROM, if ${\sf Gen}$ only makes $O(\log n)$ quantum queries.

Thus, we make a step forward by improving the result (ii) in [5] and that in [18].

Table 1: Provable separations in [5, 18] and this work. Q and C denote a polynomial number of quantum and classical queries, respectively.

	[5] (i)	[5] (ii)	[18]	This work
${\sf Gen}$	Q	C	C	log Q
${\sf Enc}$	C	Q	Q	Q
${\sf Dec}$	Q	C	Q	Q

Special Case 4: Gen has “uniform” outputs

Here, by “uniform”, we mean that the output of ${\sf Gen}^{H}$ has support of the same size for every possible oracle $H$ , and the output distribution is uniform over the support. In other words, $|{\sf supp}({\sf Gen}^{H})|=|{\sf supp}({\sf Gen}^{H^{\prime}})|$ for every pair of $H,H^{\prime}$ , and ${\sf Gen}^{H}$ is uniform over samples with a non-zero probability. To resolve this case, we prove the following special case of 1:

Lemma 11.

1 holds for all $f$ that takes at most $\mathrm{poly}(d)$ values.

Corollary 12.

Perfect complete QPKE does not exist in the QROM, if ${\sf Gen}$ is “uniform”.

Evidence 5: Other equivalent conjectures

By the min-max principle, 1 has the following equivalent form.

Conjecture 13.

For any nonconstant function $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ with degree $d$ , and any distribution $X$ on $\{-1,1\}^{n}$ , there exists a partial assignment with $|\rho|\leq\mathrm{poly}(d)$ such that $\Pr_{x\sim X}[f(x^{\rho})\not=0]\geq 1/\mathrm{poly}(d)$ .

Lemma 14.

13 holds if and only if 1 holds. Thus, if 13 is true, then perfect complete QPKE does not exist in the QROM.

In the main body, we provide additional evidence for 13 (and consequently for 1). 13 has the advantage of requiring only a single partial assignment that works for the given input distribution, rather than a distribution of partial assignments. This simplifies the reasoning considerably, and much of our evidence supports 13.

1.2 Techniques

Here, we give a brief overview of why 1 implies a full impossibility result of QPKE in the QROM and the main differences between [18] and this work.

We will be mostly focusing on key agreement protocols in the QROM. In the QROM, all parties can quantumly query a random oracle. A key agreement protocol is an interactive protocol between two query-efficient quantum algorithms Alice and Bob, exchanging classical messages. Their goal is to agree on a key, whereas any query-efficient adversary can not learn the key, even observing all the communication on this channel. It is easy to see that QPKE implies a two-round key agreement protocol:

$\blacksquare$

Alice sends a single message $m_{0}$ to Bob; in this case, $m_{0}$ will be the public key.
$\blacksquare$

Bob sends a message $m_{1}$ to Alice; in this case, $m_{1}$ will be the encryption of a random key (which will be the agreed key in the two-round key agreement protocol).
$\blacksquare$

Finally, they both output their own keys $k_{A},k_{B}$ ; in this case, Alice decrypts the ciphertext using her secret key, whereas Bob simply outputs the random key.

Thus, to rule out QPKE in the QROM, it is sufficient to rule out the two-round key agreement in the QROM.

Li, Li, Li and Liu [18] proposed the following framework that rules out QPKE with classical-query key generation in the QROM. Let ${\sf View}_{A},{\sf View}_{B}$ denote the view of Alice and Bob, right after $m_{1}$ is received by Alice. They showed that, based on a novel approach called approximate quantum Markov chain, a quantum-query Eve can reconstruct Alice’s view ${\sf View}^{\prime}_{A}$ such that

\displaystyle{\sf View}^{\prime}_{A}{\sf View}_{B}\approx{\sf View}_{A}{\sf View% }_{B}.

More precisely, Eve can reconstruct Alice’s register such that the margin of the fake Alice and the real Bob is arbitrarily close to the real Alice and the real Bob. However, this is not sufficient; since to compute the key $k_{A}$ , Alice potentially needs to perform computation depending on its current state, the random oracle and all the messages $m_{0},m_{1}$ . As the marginal is defined by tracing out the random oracle, we do not know what oracle to work with. For example, a direct attempt is to run fake Alice under the real random oracle $H$ ; but it is possible that under real $H$ , conditioned on the messages being $m_{0},m_{1}$ , the view of Alice and Bob will never equal to ${\sf View}^{\prime}_{A}{\sf View}_{B}$ , making the attempt meaningless.

Li et al. solved this by adapting Bob; while perfectly preserving the functionality of the key agreement protocol, the new Bob has one additional nice property (let us call it “stability”):

$\blacksquare$

if under a random oracle $H$ , input message $m_{0}$ , Bob outputs certain $m_{1}$ with non-zero probability
$\blacksquare$

then for every $H^{\prime}$ that has a small Hamming distance to $H$ ²²2We ignore a detail here: $H^{\prime}$ should be consistent with $H$ on a small set of inputs, whereas on other inputs, their Hamming distance is small. This does not change the reasoning, thus we make the simplification in the introduction., Bob on $H^{\prime}$ and $m_{0}$ still has non-zero probability to output $m_{1}$ .

With this property, they show that the two-round key agreement can not exist, when $m_{0}$ together with ${\sf View}_{A}$ can be computed by a classical decision tree (or ${\sf Gen}$ only makes classical queries). For any fake Alice view ${\sf View}^{\prime}_{A}$ , it depends on at most $d$ locations of a random oracle; here $d$ is the number of queries made by the classical decision tree. Thus, for any oracle $H_{0}$ , as long as it is consistent on these $d$ locations, Alice on $H_{0}$ can output ${\sf View}_{A}^{\prime}$ and $m_{0}$ with non-zero probability. They construct an oracle $H^{\prime}$ such that: (i) it is almost $H$ , except (ii) on those $d$ locations, $H^{\prime}$ is reprogrammed to be consistent with these $d$ locations.

It is clear that Alice on $H^{\prime}$ still outputs $m_{0},{\sf View}^{\prime}_{A}$ with a non-zero probability (consistency of these $d$ locations). Moreover, the “stability” ensures that the adapted Bob on $H^{\prime}$ and $m_{0}$ outputs ${\sf View}_{B}$ also with a non-zero probability. Thus, there is a non-zero probability, under the oracle $H^{\prime}$ , Alice and Bob will end up with ${\sf View}_{A}^{\prime},{\sf View}_{B}$ and transcripts $(m_{0},m_{1})$ . Since we assume the QPKE is perfect, after the whole execution, Alice and Bob should agree on a key. As for Eve, it simply runs Alice with ${\sf View}_{A}^{\prime},m_{1}$ on $H^{\prime}$ and will recover the key.

The above reasoning in [18] does not work even if Alice only makes a single quantum query, and thus they can only rule out QPKE when ${\sf Gen}$ makes classical queries. Since a single quantum query can “store” information about exponentially many inputs, it seems that fixing a smaller number of input-output behaviors does not fix Alice’s behavior.

We realize that, we do not need to keep Alice’s behavior the same; we are only required to keep these probabilities non-zero. More precisely, our solution is to directly look at the polynomial $f$ describing the probability that a quantum Alice on some oracle, outputs $(m_{0},{\sf View}^{\prime}_{A})$ ,

\displaystyle f(x)=\Pr[(m_{0},{\sf View}^{\prime}_{A})\leftarrow A^{x}],

where we treat $x$ as the random oracle fed into $A$ . As the random oracle will be the input to a polynomial, to be consistent with the literature of BFA, we will denote a random oracle by $x$ . Since $A$ only makes $d$ quantum queries, such a polynomial $f$ has degree at most $2d$ . The real random oracle is some $x$ of which we have no knowledge about; the goal is to find another $x^{\prime}$ such that

$\blacksquare$

$f(x^{\prime})>0$ , meaning Alice on the random oracle $x^{\prime}$ outputs ${\sf View}^{\prime}_{A},m_{0}$ with a non-zero probability, just like the classical case; and,
$\blacksquare$

$x^{\prime}$ and $x$ have a small Hamming distance, so that Bob still has non-zero probability to output ${\sf View}_{B},m_{1}$ .

As we do not know $x$ , the only way we can obtain $x^{\prime}$ is by locally modifying some locations of $x$ . For example, reprogramming some locations of the real oracle, and running the rest of Alice under the reprogrammed oracle – this is where the partial assignment takes place. If we can find a partial assignment $\rho$ with $|\rho|$ is small, such that for every $x$ , $f(x^{\rho})>0$ , then the problem is resolved! This is the high-level intuition why our conjecture (1) implies a full impossibility result of QPKE in the QROM.

Towards Conjecture 1, we remark that the Combinatorial Nullstellensatz [2] directly implies the existence of such $\rho$ . More specifically, the Combinatorial Nullstellensatz claims that: given any maximal monomial $x_{S}$ of $f$ , for any $x\in\{-1,1\}^{n}$ , there exists a $\rho$ with ${\sf supp}(\rho)=S$ such that $f(x^{\rho})\neq 0$ . Therefore, Conjecture 1 holds if we swap the order of quantifiers of $\rho$ and $x$ . Consequently, by letting $\mathcal{D}$ be the uniform distribution on the set of partial assignments $\rho$ with ${\sf supp}(\rho)=S$ , we have $\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/2^{d}$ for any $x$ , as claimed by Lemma 7. In particular, when ${\sf Gen}$ makes only $O(\log n)$ queries and then $\deg(f)=O(\log n)$ , we have $\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/\mathrm{poly}(n)$ , which implies Lemma 10.

1.3 Related works

In Conjecture 1, we characterize $d$ -query quantum algorithms as degree- $2d$ polynomials [8]. This characterization was further strengthened by Aaronson and Ambainis [1] in terms of bounded degree- $2d$ block-multilinear polynomials. Later, Arunachalam, Briet, and Palazuelos [4] provided an exact characterization of quantum query algorithms in terms of the so-called completely bounded norm.

2 Preliminaries

2.1 Basic notions in Boolean function analysis

Every function $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ on the hypercube can be uniquely expressed as a multilinear polynomial

f(x)=\sum_{S\subseteq[n]}a_{S}\cdot x_{S},

where $x_{S}:=\Pi_{i\in S}x_{i}$ . Indeed, this expression is called the Fourier expansion of $f$ , where $a_{S}=2^{-n}\sum_{x}f(x)\cdot x_{S}$ . The degree of $f$ , denoted $\deg(f)$ , is defined as the degree of its multilinear polynomial expression, i.e., $\max\{|S|\mid a_{S}\neq 0\}$ . A monomial $x_{S}$ is called maximal if it has degree $\deg(f)$ , i.e., $|S|=\deg(f)$ and $a_{S}\neq 0$ . The rank of $f$ , denoted $\mathrm{rank}(f)$ , is the maximum number of disjoint maximal monomials.

A partial assignment is a function $\rho:[n]\rightarrow\{-1,1,\star\}$ . We define the support of $\rho$ as ${\sf supp}(\rho):=\{i|\rho_{i}\neq\star\}$ , and the size as $|\rho|:=|{\sf supp}(\rho)|$ . For $x\in\{-1,1\}^{n}$ , we define the modification of $x$ with $\rho$ , denoted $x^{\rho}$ , as the string $x^{\prime}\in\{-1,1\}^{n}$ where $x^{\prime}_{i}=\rho_{i}$ for $i\in{\sf supp}(\rho)$ and $x_{i}^{\prime}=x_{i}$ for any other $i$ .

We use ${\sf Var}(f):=\mathop{\mathbb{E}}_{x}[f(x)^{2}]-\big{(}\mathop{\mathbb{E}}_{x}% f(x)\big{)}^{2}$ to denote $f$ ’s variance, and define $\|f\|_{\infty}:=\max_{x}|f(x)|$ . A real polynomial $p$ $\epsilon$ -approximates $f$ if $|f(x)-p(x)|\leq\epsilon$ for every $x\in\{-1,1\}^{n}$ . The approximate degree of $f$ , denoted by $\widetilde{\deg}(f)$ , is defined to be the minimum degree needed to $1/3$ -approximate $f$ .

The following lemma will be used.

Lemma 15 ([8]).

Suppose a quantum algorithm makes $d$ queries to a Boolean string $x\in\{-1,1\}^{n}$ , and the acceptance probability is denoted by $f(x)$ . Then the function $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ has degree at most $2d$ . That is, $f$ can be expressed as

f(x)=\sum_{|S|\leq 2d}a_{S}\cdot x_{S}

2.2 Quantum public key encryption

In this paper, we will consider constructions in the quantum random oracle model. Given security parameter $\lambda$ , the oracle $H$ is chosen from the uniformly random distribution over the family of functions $\mathcal{H}_{\lambda}\colon[2^{n_{\lambda}}]\to\{0,1\}$ , where $n_{\lambda}$ is a polynomial of $\lambda$ . The quantum circuit has access to the oracle unitary $U_{H}$ that maps $\ket{i,y}$ to $\ket{i,y\oplus H(i)}$ . We can also view the oracle unitary in the phase basis $U_{H}^{\prime}\ket{i,y}\to(-1)^{H(i)y}\ket{i,y}$ .

We will consider quantum public key encryption with classical public key ${\sf pk}$ and ciphertext ${\sf ct}$ in this paper. Particularly, we will consider the quantum public key encryption (QPKE) scheme in the quantum random oracle model (QROM) defined as follows:

Definition 16 (Quantum public key encryption in QROM).

A public key encryption scheme, relative to a random oracle $H\leftarrow\mathcal{H}_{\lambda}$ consists of the following three bounded quantum query algorithms:

$\blacksquare$

${\sf Gen}^{H}(1^{\lambda})\to({\sf pk},{\sf sk})$ : The key generation algorithm that generates a pair of classical public key ${\sf pk}$ and secret key ${\sf sk}$ .
$\blacksquare$

${\sf Enc}^{{H}}({\sf pk},m)\to{\sf ct}$ : the encryption algorithm that takes a public key ${\sf pk}$ , the plaintext $m$ , produces the ciphertext ${\sf ct}$ .
$\blacksquare$

${\sf Dec}^{{H}}({\sf sk},{\sf ct})\to m^{\prime}$ : the decryption algorithm that takes secret key ${\sf sk}$ and ciphertext ${\sf ct}$ and outputs the plaintext $m^{\prime}$ .

The algorithms should satisfy the following requirements:

Perfect Completeness

$\Pr\left[{\sf Dec}^{{H}}\left({\sf sk},{\sf Enc}^{{H}}({\sf pk},m)\right)=m% \colon{\sf Gen}^{H}(1^{\lambda})\to({\sf pk},{\sf sk})\right]=1$ .

IND-CPA Security

For any QPT adversary $\mathcal{E}^{{H}}$ , for every two plaintexts $m_{0}\neq m_{1}$ chosen by $\mathcal{E}^{{H}}({\sf pk})$ we have

\displaystyle\Pr\left[\mathcal{E}^{{H}}\left({\sf pk},{\sf Enc}^{{H}}({\sf pk}% ,m_{b})\right)=b\right]\leq\frac{1}{2}+\frac{\epsilon(\lambda)}{2}.

where we call $\epsilon(\lambda)$ as the advantage of the adversary. The scheme is IND-CPA secure if $\epsilon(\lambda)$ is negligible for any adversary $\mathcal{E}^{H}$ .

3 Consequences of our BFA conjecture

In this section, we will show the consequence in cryptography of 1. If 1 holds, we can obtain a black box separation between post-quantum secure one-way functions and quantum public key encryption schemes.

Theorem 17 (Restate of Theorem 3).

Assuming 1 is true, for any quantum public key encryption scheme in the quantum random oracle model, if ${\sf Gen}^{H}$ and ${\sf Enc}^{H}$ make $d$ queries to $H$ in total, and ${\sf Dec}^{H}$ makes $D$ queries, there exists an adversary Eve $\mathcal{E}^{H}$ which can break the IND-CPA security with advantage $1/\mathrm{poly}(d)$ by making $O(\mathrm{poly}(d)+D)$ queries.

It is known that we can use a QPKE scheme for a two-message key agreement protocol, by setting the first message $m_{0}={\sf pk}$ , and the second message $m_{1}={\sf Enc}({\sf pk},k)$ , where $k$ is the key the two parties agree on. We can assume the key $k$ is chosen uniformly random from $\{0,1\}^{n}$ . In the following section, we will refer to the two parties as $\mathcal{A}$ and $\mathcal{B}$ , and call the algorithm of $\mathcal{A}$ before sending $m_{0}$ as $\mathcal{A}_{0}$ , and the algorithm after receiving message $m_{1}$ as $\mathcal{A}_{1}$ . If we can learn the key $k$ with probability $p$ , we can also break the semantic security of the QPKE scheme with advantage $p$ , which implies that we also break the IND-CPA security of the protocol. In the language of key agreement, we are considering the case where $\mathcal{A}_{0},\mathcal{A}_{1}$ , and $\mathcal{B}$ can both make quantum queries while only sending classical messages, and we will show how to learn the key $k$ with probability $1/\mathrm{poly}(d)$ .

Let us recall the results from [18]. In their paper, they are considering the case where $\mathcal{A}_{0}$ can only make classical queries. The key part of their analysis is to show how to construct a register $\mathsf{A}^{\prime}$ , such that there exists some oracle $H^{\prime}$ , the content ${\sf View}_{A}^{\prime}$ in $\mathsf{A}^{\prime}$ is consistent with $H^{\prime}$ and transcript $\pi=(m_{0},m_{1})$ . We can think the algorithm $\mathcal{B}$ proceeds as follows: it first receives the message $m_{0}$ from $\mathcal{A}$ , and after making some queries to the oracle $H$ , it makes a measurement in the computational basis, and generates the key $k_{B}$ and the second message $m_{1}$ . The state under consideration in [18] $\sigma_{AB}=\mathop{\mathbb{E}}_{H}[\sigma_{AB}^{H}]$ is the state before $\mathcal{B}$ makes the final measurement and sends the second message $m_{1}$ , where $\sigma_{AB}^{H}$ is the state under oracle $H$ , and the expectation is over the posterior distribution of $H$ given the first message $m_{0}$ .

To construct the register $\mathsf{A}^{\prime}$ , they used tools from quantum information theory. They used the following theorem from [14].

Theorem 18.

For any state $\rho_{{\sf AEB}}$ over systems $\mathsf{A}\mathsf{E}\mathsf{B}$ , there exists a channel ${\cal T}:{\sf E}\to{\sf E}\otimes{\sf B}^{\prime}$ such that the trace distance between the reconstructed state $\sigma_{\sf A^{\prime}E^{\prime}B^{\prime}}={\cal T}(\rho_{\mathsf{A}\mathsf{E% }})$ and the original state $\rho_{\sf AEB}$ is at most

\displaystyle\sqrt{\ln 2\cdot I(\mathsf{A}:\mathsf{B}|\mathsf{E})_{\rho}}.

The theorem says that if the conditional mutual information $I(\mathsf{A}:\mathsf{B}|\mathsf{E})$ is small, we can generate a consistent copy of $\mathsf{A}^{\prime}$ by a channel only acting on $\mathsf{E}$ .

To decrease the conditional mutual information $I(\mathsf{A}:\mathsf{B}|\mathsf{E})$ , we have the following lemma from [18].

Definition 19 (Permutation Invariance).

Let $\mathsf{A}_{1},\mathsf{A}_{2},\mathsf{A}_{3},\ldots,\mathsf{A}_{t},\mathsf{B}$ be $(t+1)$ -partite quantum system. Given the joint state $\rho_{\mathsf{B}\mathsf{A}_{1}\mathsf{A}_{2}\cdots\mathsf{A}_{t}}$ , we say $A_{1},\ldots,A_{t}$ are permutation invariant, if for any permutation $\pi$ on $[t]$ , we have

\rho_{\mathsf{B}\mathsf{A}_{1}\mathsf{A}_{2}\cdots\mathsf{A}_{t}}=\rho_{% \mathsf{B}\mathsf{A}_{\pi(1)}\mathsf{A}_{\pi(2)}\cdots\mathsf{A}_{\pi(t)}}.

Lemma 20.

Let $\mathsf{A}_{1},\mathsf{A}_{2},\mathsf{A}_{3},\ldots,\mathsf{A}_{t},\mathsf{B},% \mathsf{E}$ be $(t+2)$ -partite quantum system. Suppose the state of the composite system $\rho_{\mathsf{B}\mathsf{E}\mathsf{A}_{1}\mathsf{A}_{2}\cdots\mathsf{A}_{t}}$ is fully separable. If $\mathsf{A}_{1},\mathsf{A}_{2},\mathsf{A}_{3},\ldots,\mathsf{A}_{t}$ are permutation invariant, then there is a $0\leq i\leq t-1$ such that

I(\mathsf{A}_{t}:\mathsf{B}\mid\mathsf{E},\mathsf{A}_{1},\ldots,\mathsf{A}_{i}% )_{\rho}\leq S(\mathsf{B})/t.

The lemma shows that if Eve parallel repeats multiple copies of $\mathcal{B}$ , the mutual information will be decreased.

The following lemma from [9] will also be used.

Lemma 21.

Consider a quantum algorithm $\mathcal{B}$ that makes $d$ queries to an oracle $H$ . Denote the quantum state immediately after $t$ queries to the oracle as

\displaystyle\ket{\psi_{t}}=\sum_{x,w}\alpha_{x,w,t}\ket{x,w},

where $w$ is the content of the workspace register. Denote the query weight $q_{x}$ of input $x$ as

\displaystyle q_{x}=\sum_{t=1}^{d}\sum_{w}|\alpha_{x,w,t}|^{2}.

For any oracle $\tilde{H}$ , denote $\ket{\phi_{d}}$ as the final state before measurement obtained by running $\mathcal{B}$ with oracle $\tilde{H}$ , we have that

\displaystyle\lVert\ket{\psi_{d}}-\ket{\phi_{d}}\rVert\leq 2\sqrt{d}\sqrt{\sum% _{x\colon\tilde{H}(x)\neq H(x)}q_{x}}.

In [18], they defined the heavy query of Bob as $\{x\colon q_{x}\geq\epsilon^{2}/d^{2}\}$ . We summarize their adversary Eve’s algorithm $\mathcal{E}$ as follows:

1.

Eve parallelly simulates Bob’s algorithm $\mathcal{B}^{H}(m_{0})$ for multiple times. In this process, Eve records heavy queries of $\mathcal{B}$ under $H$ classically and maintains an input-output pair register $R_{E}=\{(i_{E},H(i_{E}))\}$ .
2.

By Lemma 20, if Eve repeat $\mathcal{B}^{H}(m_{0})$ for $\mathrm{poly}(d,1/\epsilon)$ times, the conditional mutual information $I(\mathsf{A}:\mathsf{B}\mid\mathsf{E})$ of state $\sigma_{ABE}$ can be reduced to smaller than $O(\epsilon^{2})$ . By Theorem 18,the channel $\mathcal{T}\colon\mathsf{E}\to\mathsf{A}^{\prime}\mathsf{E}$ provides a state $\mathcal{T}(\sigma_{BE})=\sigma_{A^{\prime}BE}$ is $\epsilon$ close to the state $\sigma_{ABE}$ . In the following section, we will choose $\epsilon=1/\mathrm{poly}(d)$ .
3.

Eve measures the secret key register as well as the query input-output history register of $\mathsf{A}^{\prime}$ . Note that in their case, we can assume $\mathcal{A}_{0}^{H}$ records its classical queries. The measurement will give us some secret key ${\sf sk}^{\prime}$ and input-output pairs $R_{A^{\prime}}=\{(i_{A^{\prime}},H^{\prime}(i_{A^{\prime}}))\}$ , since $\sigma_{A^{\prime}BE}\approx_{\epsilon}\sigma_{ABE}$ , with high probability, the measurement result ${\sf sk}^{\prime}$ and $R_{A^{\prime}}$ are consistent with message $m_{0}$ and $R_{E}$ . Specifically, every query that is both in $R_{A^{\prime}}$ and $R_{E}$ should be consistent, meaning $R_{A^{\prime}}$ is consistent with $\mathcal{B}$ ’s heavy queries under oracle $H$ .
4.

Finally, by the observation beyond, if the oracle $H$ is reprogrammed to $H^{\prime}$ using the input-output pairs in $R_{A^{\prime}}$ , from $\mathcal{B}$ ’s view, only $\mathrm{poly}(d)$ light query points under $H$ are modified. Using Lemma 21, it can be shown that w.h.p., $\mathcal{B}^{H^{\prime}}(m_{0})$ will output $m_{1}$ with nonzero probability, implying that $\pi=(m_{0},m_{1})$ is a valid transcript under oracle $H^{\prime}$ . Thus by perfect completeness, if we simulate $\mathcal{A}_{1}$ given input $({\sf sk}^{\prime},m_{1})$ over oracle $H^{\prime}$ , it can still agree with $\mathcal{B}$ .

We refer interested readers to their paper for the proof details.

Our observation is that in step 3, we do not need to generate the input-output pair $R_{A^{\prime}}$ by measuring $\mathsf{A}^{\prime}$ . Given the algorithm of $\mathcal{A}_{0}$ , if we can find some $\mathrm{poly}(d)$ -sized assignment $R_{A^{\prime}}$ that is consistent with $R_{E}$ and guarantees the output probability of $({\sf sk}^{\prime},m_{0})$ is still non-zero, by similar arguments, we can see that $\mathcal{B}$ is consistent with the reprogrammed oracle $H^{\prime}$ , and will output $m_{1}$ with non-zero probability. From Lemma 15, if we define the algorithm outputs $({\sf sk}^{\prime},m_{0})$ as acceptance, we can characterize the probability with a $2d$ -degree polynomial $f(x)$ , viewing the truth table of random oracle $H$ as a $N_{\lambda}=2^{n_{\lambda}}$ length vector $x$ .

Now we show how to leverage 1 to prove our main theorem. We use $x$ for the truth table of original oracle $H$ , setting $x_{i}=(-1)^{H(i)}$ , and $\rho_{E}$ for the restriction given by $R_{E}$ , and apply 1 to polynomial $g(x)=f(x^{\rho_{E}})$ . In an operational meaning, considering $g(x)$ means that we first fix the input-output pairs given by $R_{E}$ when selecting the random oracle. We now argue $g(x)$ is a non-zero polynomial with high probability. We can obtain the joint view ${\sf View}_{A^{\prime}E}=({\sf sk}^{\prime},m_{0},R_{E})$ of $\mathsf{A}^{\prime}\mathsf{E}$ by performing a computational basis measurement on corresponding registers. Since $\sigma_{A^{\prime}E}$ is $\epsilon$ close to $\sigma_{AE}$ , we can see that w.p. $1-\epsilon$ , ${\sf View}_{A^{\prime}E}=({\sf sk}^{\prime},m_{0},R_{E})$ is a possible valid view obtained by measuring $\sigma_{AE}$ .

By 1, there exists a distribution of polynomial-sized restrictions $\mathcal{D}$ such that for any $x$ , $\Pr_{\rho\sim\mathcal{D}}[g(x^{\rho})\neq 0]\geq 1/\mathrm{poly}(d)$ , with $|\rho|\leq\mathrm{poly}(d)$ . In our case, this implies that $\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho\cup\rho_{E}})\neq 0]\geq 1/\mathrm{poly}(d)$ . If we select a polynomial-sized restriction $\rho$ , there is $1/\mathrm{poly}(d)$ probability such that $({\sf sk}^{\prime},m_{0})$ is still a valid view of $\mathcal{A}_{0}$ under the new oracle given by $x^{\rho\cup\rho_{E}}$ . The other arguments follow from the original proof.

4 Toward our BFA conjecture: evidences and special cases

In this section, we explore Conjecture 1 by providing some evidence and proving some special cases.

4.1 Main evidence: Combinatorial Nullstellensatz

The main evidence for 1 comes from the celebrated Combinatorial Nullstellensatz of Alon [2], which implies 1, except with $\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/2^{d}$ instead of $\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/\mathrm{poly}(d)$ . Let us state the special case of the Combinatorial Nullstellensatz for polynomials on the hypercube.

Lemma 22 ([2]).

Let $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ be any nonconstant function with degree $d$ , and $x_{S}$ be any maximal monomial of $f$ . For any $x\in\{-1,1\}^{n}$ , there exists a $\rho$ with ${\sf supp}(\rho)=S$ such that $f(x^{\rho})\neq 0$ .

Consequently, by letting $\mathcal{D}$ be the uniform distribution on the set of partial assignments $\rho$ with ${\sf supp}(\rho)=S$ , we have $\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/2^{d}$ for any $x$ .

We remark that Lemma 22 was also proven by Midrijanis [21]. Even though Lemma 22 has an exponential rather than polynomial dependence on $1/d$ , we observe that it already has a nontrivial implication on the separation between QPKE and OWFs. Precisely, it implies that

Theorem 23 (Restate of Lemma 10).

For any quantum public key encryption scheme in the quantum random oracle model, if ${\sf Enc}^{H}$ makes $d$ queries to $H$ , ${\sf Gen}^{H}$ makes $O(\log d)$ queries, and ${\sf Dec}^{H}$ makes $D$ queries, there exists an adversary Eve $\mathcal{E}^{H}$ which can break the IND-CPA security with advantage $1/\mathrm{poly}(d)$ by making $O(\mathrm{poly}(d)+D)$ queries.

The proof of Theorem 23 is the same as Theorem 17 by replacing 1 with Lemma 22.

4.2 Proof of Lemma 9

In this subsection, we present the proof of Lemma 9, which claims that Conjecture 1 is equivalent to a seemingly much weaker conjecture, namely Conjecture 8.

See 8 See 9

Proof.

1 implying 8 is trivial. Conversely, given any nonconstant function $f:\{-1,1\}^{n}\to\mathbb{R}$ with degree $d$ , define

\tilde{f}(x_{1},\ldots,x_{t}):=\prod_{i=1}^{t}f(x_{i})

where $x_{i}\in\{-1,1\}^{n}$ . Note that $\deg(\tilde{f})=td$ . Assuming 8 holds for $\tilde{f}$ , there exists a distribution $\tilde{\mathcal{D}}_{0}$ of partial assignment $\tilde{\rho}=(\rho_{1},\ldots,\rho_{t})\in\left(\{-1,1,\star\}^{n}\right)^{t}$ with $|\tilde{\rho}|\leq(dt)^{c_{1}}$ such that

\min_{\tilde{x}}\Pr_{\tilde{\rho}\sim\tilde{\mathcal{D}}_{0}}\left[\tilde{f}(% \tilde{x}^{\tilde{\rho}})\neq 0\right]\geq\frac{1}{2^{(dt)^{c_{2}}}}

where $c_{1},c_{2}$ are universal constants satisfying $c_{1}\geq 0$ and $0\leq c_{2}<1$ . Observe that

\max_{\tilde{\mathcal{D}}}\min_{\tilde{x}}\Pr_{\tilde{\rho}\sim\tilde{\mathcal% {D}}}\left[\tilde{f}(\tilde{x}^{\tilde{\rho}})\neq 0\right]\geq\min_{\tilde{x}% }\Pr_{\tilde{\rho}\sim\tilde{\mathcal{D}}_{0}}\left[\tilde{f}(\tilde{x}^{% \tilde{\rho}})\neq 0\right]\geq\frac{1}{2^{(dt)^{c_{2}}}}

where $\tilde{\mathcal{D}}$ is a distribution of partial assignment $\tilde{\rho}=(\rho_{1},\ldots,\rho_{t})\in\left(\{-1,1,\star\}^{n}\right)^{t}$ with $|\rho_{i}|\leq(dt)^{c_{1}}$ for all $i$ . Then by Lemma 24, we have

\left(\max_{\mathcal{D}}\min_{x}\Pr_{\rho\sim\mathcal{D}}\left[f(x^{\rho})\neq 0% \right]\right)^{t}=\max_{\tilde{\mathcal{D}}}\min_{\tilde{x}}\Pr_{\tilde{\rho}% \sim\tilde{\mathcal{D}}}\left[\tilde{f}(\tilde{x}^{\tilde{\rho}})\neq 0\right]% \geq\frac{1}{2^{(dt)^{c_{2}}}}

where $\mathcal{D}$ is a distribution of partial assignment $\rho\in\{-1,1,\star\}^{n}$ with $|\rho|\leq(dt)^{c_{1}}$ . Thus there exists a distribution $\mathcal{D}^{*}$ such that

\left(\min_{x}\Pr_{\rho\sim\mathcal{D}^{*}}\left[f(x^{\rho})\neq 0\right]% \right)^{t}\geq\frac{1}{2^{(dt)^{c_{2}}}}.

By setting $t=d^{\frac{c_{2}}{1-c_{2}}}\log^{\frac{1}{c_{2}-1}}d$ , we have

\min_{x}\Pr_{\rho\sim\mathcal{D}^{*}}\left[f(x^{\rho})\neq 0\right]\geq 2^{-(% dt)^{c_{2}}/t}=2^{-\log d}=1/d.\

$\hfill\blacktriangleleft$

Lemma 24.

Given positive integers $t, K,$ and function $f:\{-1,1\}^{n}\to\mathbb{R}$ , let $\tilde{f}(x_{1},\ldots,x_{t}):=\prod_{i=1}^{t}f(x_{i})$ . Then

\max_{\tilde{\mathcal{D}}}\min_{\tilde{x}}\Pr_{\tilde{\rho}\sim\tilde{\mathcal% {D}}}\left[\tilde{f}(\tilde{x}^{\tilde{\rho}})\neq 0\right]=\left(\max_{% \mathcal{D}}\min_{x}\Pr_{\rho\sim\mathcal{D}}\left[f(x^{\rho})\neq 0\right]% \right)^{t}

where $\mathcal{D}$ is a distribution of partial assignments $\rho\in\{-1,1,\star\}^{n}$ with $|\rho|\leq K$ , $\tilde{\mathcal{D}}$ is a distribution of partial assignments $\tilde{\rho}=(\rho_{1},\ldots,\rho_{t})\in\left(\{-1,1,\star\}^{n}\right)^{t}$ with $|\rho_{i}|\leq K$ for all $i$ .

Proof.

By the min-max principle, we have

\max_{\mathcal{D}}\min_{x}\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]=\min_{X% }\max_{\rho}\Pr_{x\sim X}[f(x^{\rho})\neq 0]:=p.

Let $\mathcal{D}^{*}$ be the optimal distribution that reaches the maximum, $X^{*}$ the optimal distribution that reaches the minimum. Let $\tilde{p}:=\max_{\tilde{\mathcal{D}}}\min_{\tilde{x}}\Pr_{\tilde{\rho}\sim% \tilde{\mathcal{D}}}\left[\tilde{f}(\tilde{x}^{\tilde{\rho}})\neq 0\right].$

Claim 1: $\tilde{p}\leq p^{t}$ .

By min-max principle,

	$\displaystyle\max_{\tilde{\mathcal{D}}}\min_{\tilde{x}}\Pr_{\tilde{\rho}\sim% \tilde{\mathcal{D}}}\left[\tilde{f}(\tilde{x}^{\tilde{\rho}})\neq 0\right]$	$\displaystyle=\min_{\tilde{X}}\max_{\tilde{\rho}}\Pr_{\tilde{x}\sim\tilde{X}}% \left[\tilde{f}(\tilde{x}^{\tilde{\rho}})\neq 0\right]$
		$\displaystyle=\min_{\tilde{X}}\max_{\rho_{1},\ldots,\rho_{t}}\Pr_{(x_{1},% \ldots,x_{t})\sim\tilde{X}}\left[f(x_{1}^{\rho_{1}})\neq 0,\ldots,f(x_{t}^{% \rho_{t}})\neq 0\right].$

By setting $\tilde{X}$ to be $X^{*}\times X^{*}\times\cdots\times X^{*}$ , we have

	$\displaystyle\max_{\tilde{\mathcal{D}}}\min_{\tilde{x}}\Pr_{\tilde{\rho}\sim% \tilde{\mathcal{D}}}\left[\tilde{f}(\tilde{x}^{\tilde{\rho}})\neq 0\right]$	$\displaystyle\leq\max_{\rho_{1},\ldots,\rho_{t}}\Pr_{x_{i}\sim X^{*}}\left[f(x% _{1}^{\rho_{1}})\neq 0,\ldots,f(x_{t}^{\rho_{t}})\neq 0\right]$
		$\displaystyle=\max_{\rho_{1},\ldots,\rho_{t}}\prod_{i}\Pr_{x_{i}\sim X^{}}% \left[f(x_{i}^{\rho_{i}})\neq 0\right]=\prod_{t}\max_{\rho_{i}}\Pr_{x_{i}\sim X% ^{}}\left[f(x_{i}^{\rho_{i}})\neq 0\right]=p^{t}.$

Claim 2: $\tilde{p}\geq p^{t}$ .

By setting $\tilde{\mathcal{D}}$ to be $\mathcal{D}^{*}\times\mathcal{D}^{*}\times\cdots\times\mathcal{D}^{*}$ , we have

	$\displaystyle\max_{\tilde{\mathcal{D}}}\min_{\tilde{x}}\Pr_{\tilde{\rho}\sim% \tilde{\mathcal{D}}}\left[\tilde{f}(\tilde{x}^{\tilde{\rho}})\neq 0\right]$	$\displaystyle\geq\min_{x_{1},\ldots,x_{t}}\Pr_{\rho_{i}\sim\mathcal{D}^{*}}% \left[f(x_{1}^{\rho_{1}})\neq 0,\ldots,f(x_{t}^{\rho_{t}})\neq 0\right]$
		$\displaystyle=\min_{x_{1},\ldots,x_{t}}\prod_{i}\Pr_{\rho_{i}\sim\mathcal{D}^{% }}\left[f(x_{i}^{\rho_{i}})\neq 0\right]=\prod_{i}\min_{x_{i}}\Pr_{\rho_{i}% \sim\mathcal{D}^{}}\left[f(x_{i}^{\rho_{i}})\neq 0\right]=p^{t}.$

Thus $\tilde{p}=p^{t}$ and $\tilde{p}$ can be reached by i.i.d. distribution $\mathcal{D}^{*}\times\cdots\times\mathcal{D}^{*}$ . $\hfill\blacktriangleleft$

$\blacktriangleright$ Remark 25.

By the same technique, the non-zero probability in 1 can be further improved from $1/\mathrm{poly}(d)$ to $1-1/\mathrm{poly}(d)$ , while still keeping $|\rho|\leq\mathrm{poly}(d)$ .

4.3 Special cases of boolean functions

We also affirm 1 for some special classes of functions.

Lemma 26.

Conjecture 1 holds when $f$ satisfies one of the following conditions:

(a)

$f$ can be expressed as the acceptance probability of a classical randomized decision tree with depth $\leq\mathrm{poly}(d)$ (Lemma 5).
(b)

$f$ is Boolean-valued, more generally when $f$ takes at most $\mathrm{poly}(d)$ values (Lemma 11).
(c)

$f$ is a symmetric function.

Proof.

Part (a).

Recall that a randomized decision tree can be viewed as a distribution $\mu$ over deterministic decision trees, such that the tree is evaluated by (i) first sampling a deterministic decision tree from $\mu$ , and (ii) then evaluating this deterministic decision tree. Since $f(x)$ is the probability that the output of the evaluation is “yes”, and $f$ is non-zero, there exists a deterministic decision tree $T$ with $\mu(T)>0$ such that at least one of its leaves is labeled with “yes”. We can set $\rho$ to be the partial assignment corresponding to the path from the root to the leaf. Then $f(x^{\rho})\neq 0$ for any $x$ .

Part (b).

Without loss of generality, assume $\|f\|_{\infty}=1$ . Since $f$ takes at most $\mathrm{poly}(d)$ values, there exists a gap $b-a\geq 1/\mathrm{poly}(d)$ such that $f(x)\in[-1,a]\cup[b,1]$ for all $x$ . Define $f^{\prime}(x):=\left(1+\left|\frac{a+b}{2}\right|\right)^{-1}\left(f(x)-\frac{% a+b}{2}\right)$ . Then $f^{\prime}(x)\in[-1,-1/\mathrm{poly}(d)]\cup[1/\mathrm{poly}(d),1]$ for all $x$ . Define a boolean function

\tilde{f}(x):=\begin{cases}-1&\text{if }f^{\prime}(x)<0\\ 1&\text{if }f^{\prime}(x)>0\end{cases}.

Then $\tilde{f}$ is $(1-1/\mathrm{poly}(d))$ -approximated by $f^{\prime}$ . $f^{\prime}$ can be amplified to a degree- $\mathrm{poly}(d)$ polynomial that $1/3$ -approximates $\tilde{f}$ . Thus we have $\widetilde{\deg}(\tilde{f})\leq\mathrm{poly}(d)$ , which further implies $\tilde{f}$ can be computed by a decision tree with depth $\mathrm{poly}(d)$ [11].

(i) If $a<0<b$ , then $f(x)\not=0$ alway holds. (ii) If $a\geq 0$ , by Part (a), there exists a partial assignment $|\rho|\leq\mathrm{poly}(d)$ such that $\tilde{f}(x)=1$ , which implies $f(x^{\rho})\geq b>0$ for any $x$ . (iii) If $b\leq 0$ , by Part (a), there exists a partial assignment $|\rho|\leq\mathrm{poly}(d)$ such that $\tilde{f}(x)=-1$ , which implies $f(x^{\rho})\leq a<0$ for any $x$ .

Part (c).

Let $x_{S}=x_{i_{1}}x_{i_{2}}\cdots x_{i_{d}}$ be a maximal monomial of $f$ , and $\rho_{k}$ be the partial assignment such that $\rho_{k}(i_{1})=\cdots=\rho_{k}(i_{k})=1$ and $\rho_{k}(i_{k+1})=\cdots=\rho_{k}(i_{d})=-1$ . By Lemma 22, for any $x$ , there exists a $\rho$ with ${\sf supp}(\rho)=S$ such that $f(x^{\rho})\neq 0$ . Since $f$ is symmetric, we have $f(x^{\rho_{j}})=f(x^{\rho})\not=0$ where $j$ is the number of $1$ ’s in $\rho$ . Let $\mathcal{D}$ be the uniform distribution over $\{\rho_{0},\rho_{1},\ldots,\rho_{d}\}$ . Then $\Pr_{\rho\sim\mathcal{D}}[f(x^{\rho})\neq 0]\geq 1/(d+1)$ for any $x$ . $\hfill\blacktriangleleft$

The above lemma implies the non-existence of perfect complete QPKE in QROM which the key generation takes special forms, e.g., the special cases 1 and 3 mentioned in the introduction.

Corollary 27.

Perfect complete QPKE does not exist in the QROM, if one of the following holds:

(1)

${\sf Gen}$ only makes classical queries. (Corollary 6)
(2)

${\sf Gen}$ is uniform, i.e., it satisfies (i) $|{\sf supp}({\sf Gen}^{H})|=|{\sf supp}({\sf Gen}^{H^{\prime}})|$ for every pair of $H,H^{\prime}$ , and (ii) ${\sf Gen}^{H}$ is uniform over ${\sf supp}({\sf Gen}^{H})$ with a non-zero probability. (Corollary 12)

Proof.

Consider the polynomial $g(H)$ defined in the proof of Theorem 17, which is defined to be the probability of ${\sf Gen}^{H^{\rho_{E}}}$ outputting $({\sf sk}^{\prime},m_{0})$ .

(1)

$g$ can be expressed as the acceptance probability of a classical randomized decision tree with depth $d$ . Then the proposition follows from Part (a) of Lemma 26.
(2)

$g$ takes only two values $0$ and $1/|{\sf supp}({\sf Gen}^{H})|$ . Then the proposition follows from Part (b) of Lemma 26.

$\hfill\blacktriangleleft$

4.4 More evidences for 13

Additionally, we provide evidence for the equivalent form 13 (and consequently for 1). The first piece of evidence is from the anti-concentration result for low-degree polynomials by Meka, Nguyen and Vu [20], which implies Conjecture 13 when $X$ is uniform distribution on $\{-1,1\}^{n}$ , except that $|\rho|$ is allowed to be as large as $d^{8d+4}$ instead of $|\rho|\leq\mathrm{poly}(d)$ .

Theorem 28 ([20]).

Let $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ be a nonconstant polynomial with degree $d$ , and $U$ denote the uniform distribution on $\{-1,1\}^{n}$ . If $\mathrm{rank}(f)\geq d^{8d+2}$ , then $\Pr_{x\sim U}[f(x)\neq 0]=1-o(1)$ .

Lemma 29.

For any nonconstant function $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ with degree $d$ , there exists a partial assignment with $|\rho|\leq d^{8d+4}$ such that $\Pr_{x\sim U}[f(x^{\rho})\neq 0]\geq 1-o(1)$ .

Proof.

We construct a partial assignment $\rho$ by the following algorithm, which contains at most $d$ rounds and each round reduces $\deg(f)$ by at least $1$ . Denote the function at round $t$ by $f^{t}$ . Initia,lly $\rho$ is empty. At round $t$ ,

1.

If $\mathrm{rank}(f^{t})\geq d^{8d+2}$ , the algorithm stops. By Theorem 28, we have

$\Pr_{x\sim U}[f(x^{\rho})\neq 0]=\Pr_{x\sim U}[f^{t}(x)\neq 0]=1-o(1).$
2.

If $\mathrm{rank}(f^{t})<d^{8d+2}$ , let $T$ be the variables contained a maximum disjoint set of maximal monomials of $f^{t}$ . The algorithm assigns all the variables in $T$ such that the function after the assignment is still nonconstant and adds them to $\rho$ . This step increases $|\rho|$ by $|T|=\deg(f^{t})\mathrm{rank}(f^{t})<d^{8d+3}$ . For any maximal monomial $S$ of $f^{t}$ , we have $S\cap T\not=\emptyset$ because otherwise $S\cup T$ is a disjoint set of maximal monomials larger than $T$ . Thus this step reduces $\deg(f^{t})$ by at least one.

Because there are at most $d$ rounds, we have $|\rho|\leq d^{8d+4}$ . $\hfill\blacktriangleleft$

The second evidence is that 13 holds for any function $f$ with large variance when $X$ is uniform.

Lemma 30.

For any nonconstant function $f:\{-1,1\}^{n}\rightarrow\mathbb{R}$ with degree $d$ and ${\sf Var}(f)\geq\|f\|_{\infty}^{2}/\mathrm{poly}(d)$ , there exists a partial assignment with $|\rho|\leq\mathrm{poly}(d)$ such that $\Pr_{x\sim U}[f(x^{\rho})\neq 0]\geq 1/\mathrm{poly}(d)$ .

Proof.

${\sf Var}(f)=\mathop{\mathbb{E}}_{x}[f^{2}(x)]-\left(\mathop{\mathbb{E}}_{x}f(% x)\right)^{2}\leq\mathop{\mathbb{E}}_{x}[f^{2}(x)]\leq\Pr_{x}[f(x)\neq 0]\|f\|% _{\infty}^{2}$ . Thus $\Pr_{x}[f(x)\neq 0]\geq\frac{{\sf Var}(f)}{\|f\|_{\infty}^{2}}\geq 1/\mathrm{% poly}(d)$ . $\hfill\blacktriangleleft$

References

[1] Scott Aaronson and Andris Ambainis. Forrelation: A problem that optimally separates quantum from classical computing. SIAM J. Comput., 47(3):982–1038, 2018. doi:10.1137/15M1050902.
[2] Noga Alon. Combinatorial nullstellensatz. Comb. Probab. Comput., 8(1–2):7–29, January 1999.
[3] Prabhanjan Ananth, Luowen Qian, and Henry Yuen. Cryptography from pseudorandom quantum states. In Annual International Cryptology Conference, pages 208–236. Springer, 2022. doi:10.1007/978-3-031-15802-5_8.
[4] Srinivasan Arunachalam, Jop Briët, and Carlos Palazuelos. Quantum query algorithms are completely bounded forms. SIAM J. Comput., 48(3):903–925, 2019. doi:10.1137/18M117563X.
[5] Per Austrin, Hao Chung, Kai-Min Chung, Shiuan Fu, Yao-Ting Lin, and Mohammad Mahmoody. On the impossibility of key agreements from quantum random oracles. In Annual International Cryptology Conference, pages 165–194. Springer, 2022. doi:10.1007/978-3-031-15979-4_6.
[6] Khashayar Barooti, Alex B. Grilo, Loïs Huguenin-Dumittan, Giulio Malavolta, Or Sattath, Quoc-Huy Vu, and Michael Walter. Public-key encryption with quantum keys, 2023. doi:10.48550/arXiv.2306.07698.
[7] James Bartusek, Andrea Coladangelo, Dakshita Khurana, and Fermi Ma. On the round complexity of secure quantum computation. In Advances in Cryptology–CRYPTO 2021: 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16–20, 2021, Proceedings, Part I 41, pages 406–435. Springer, 2021. doi:10.1007/978-3-030-84242-0_15.
[8] Robert Beals, Harry Buhrman, Richard Cleve, Michele Mosca, and Ronald de Wolf. Quantum lower bounds by polynomials. J. ACM, 48(4):778–797, 2001. doi:10.1145/502090.502097.
[9] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computing. SIAM J. Comput., 26(5):1510–1523, 1997. doi:10.1137/S0097539796300933.
[10] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. Theoretical Computer Science, 560:7–11, December 2014. doi:10.1016/j.tcs.2014.05.025.
[11] Harry Buhrman and Ronald De Wolf. Complexity measures and decision tree complexity: a survey. Theoretical Computer Science, 288(1):21–43, 2002. doi:10.1016/S0304-3975(01)00144-X.
[12] Andrea Coladangelo. Quantum trapdoor functions from classical one-way functions. arXiv preprint arXiv:2302.12821, 2023. URL: https://eprint.iacr.org/2023/282.
[13] Whitfield Diffie and Martin E Hellman. New directions in cryptography. In Democratizing Cryptography: The Work of Whitfield Diffie and Martin Hellman, pages 365–390. 2022. doi:10.1145/3549993.3550007.
[14] Omar Fawzi and Renato Renner. Quantum conditional mutual information and approximate markov chains. Communications in Mathematical Physics, 340(2):575–611, 2015.
[15] Alex B Grilo, Huijia Lin, Fang Song, and Vinod Vaikuntanathan. Oblivious transfer is in miniqcrypt. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 531–561. Springer, 2021. doi:10.1007/978-3-030-77886-6_18.
[16] Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the twenty-first annual ACM symposium on Theory of computing, pages 44–61, 1989. doi:10.1145/73007.73012.
[17] Fuyuki Kitagawa, Tomoyuki Morimae, Ryo Nishimaki, and Takashi Yamakawa. Quantum public-key encryption with tamper-resilient public keys from one-way functions. arXiv preprint arXiv:2304.01800, 2023. URL: https://eprint.iacr.org/2023/490.
[18] Longcheng Li, Qian Li, Xingjian Li, and Qipeng Liu. How (not) to build qpke in minicrypt. In Annual International Cryptology Conference. Springer, 2024. doi:10.1007/978-3-031-68394-7_6.
[19] Giulio Malavolta and Michael Walter. Robust quantum public-key encryption with applications to quantum key distribution. Cryptology ePrint Archive, Paper 2023/500, 2023. doi:10.1007/978-3-031-68394-7_5.
[20] Raghu Meka, Oanh Nguyen, and Van Vu. Anti-concentration for polynomials of independent random variables. Theory of Computing, 12:11, 2016. doi:10.4086/toc.2016.v012a011.
[21] Gatis Midrijanis. Exact quantum query complexity for total boolean functions, 2004. arXiv:quant-ph/0403168.
[22] Tomoyuki Morimae and Takashi Yamakawa. One-wayness in quantum cryptography. arXiv preprint arXiv:2210.03394, 2022. URL: https://eprint.iacr.org/2022/1336.
[23] Tomoyuki Morimae and Takashi Yamakawa. Quantum commitments and signatures without one-way functions. In Annual International Cryptology Conference, pages 269–295. Springer, 2022. doi:10.1007/978-3-031-15802-5_10.

[bib.bib1] [1] Scott Aaronson and Andris Ambainis. Forrelation: A problem that optimally separates quantum from classical computing. SIAM J. Comput., 47(3):982–1038, 2018. doi:10.1137/15M1050902.

[bib.bib2] [2] Noga Alon. Combinatorial nullstellensatz. Comb. Probab. Comput., 8(1–2):7–29, January 1999.

[bib.bib3] [3] Prabhanjan Ananth, Luowen Qian, and Henry Yuen. Cryptography from pseudorandom quantum states. In Annual International Cryptology Conference, pages 208–236. Springer, 2022. doi:10.1007/978-3-031-15802-5_8.

[bib.bib4] [4] Srinivasan Arunachalam, Jop Briët, and Carlos Palazuelos. Quantum query algorithms are completely bounded forms. SIAM J. Comput., 48(3):903–925, 2019. doi:10.1137/18M117563X.

[bib.bib5] [5] Per Austrin, Hao Chung, Kai-Min Chung, Shiuan Fu, Yao-Ting Lin, and Mohammad Mahmoody. On the impossibility of key agreements from quantum random oracles. In Annual International Cryptology Conference, pages 165–194. Springer, 2022. doi:10.1007/978-3-031-15979-4_6.

[bib.bib6] [6] Khashayar Barooti, Alex B. Grilo, Loïs Huguenin-Dumittan, Giulio Malavolta, Or Sattath, Quoc-Huy Vu, and Michael Walter. Public-key encryption with quantum keys, 2023. doi:10.48550/arXiv.2306.07698.

[bib.bib7] [7] James Bartusek, Andrea Coladangelo, Dakshita Khurana, and Fermi Ma. On the round complexity of secure quantum computation. In Advances in Cryptology–CRYPTO 2021: 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16–20, 2021, Proceedings, Part I 41, pages 406–435. Springer, 2021. doi:10.1007/978-3-030-84242-0_15.

[bib.bib8] [8] Robert Beals, Harry Buhrman, Richard Cleve, Michele Mosca, and Ronald de Wolf. Quantum lower bounds by polynomials. J. ACM, 48(4):778–797, 2001. doi:10.1145/502090.502097.

[bib.bib9] [9] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computing. SIAM J. Comput., 26(5):1510–1523, 1997. doi:10.1137/S0097539796300933.

[bib.bib10] [10] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. Theoretical Computer Science, 560:7–11, December 2014. doi:10.1016/j.tcs.2014.05.025.

[bib.bib11] [11] Harry Buhrman and Ronald De Wolf. Complexity measures and decision tree complexity: a survey. Theoretical Computer Science, 288(1):21–43, 2002. doi:10.1016/S0304-3975(01)00144-X.

[bib.bib12] [12] Andrea Coladangelo. Quantum trapdoor functions from classical one-way functions. arXiv preprint arXiv:2302.12821, 2023. URL: https://eprint.iacr.org/2023/282.

[bib.bib13] [13] Whitfield Diffie and Martin E Hellman. New directions in cryptography. In Democratizing Cryptography: The Work of Whitfield Diffie and Martin Hellman, pages 365–390. 2022. doi:10.1145/3549993.3550007.

[bib.bib14] [14] Omar Fawzi and Renato Renner. Quantum conditional mutual information and approximate markov chains. Communications in Mathematical Physics, 340(2):575–611, 2015.

[bib.bib15] [15] Alex B Grilo, Huijia Lin, Fang Song, and Vinod Vaikuntanathan. Oblivious transfer is in miniqcrypt. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 531–561. Springer, 2021. doi:10.1007/978-3-030-77886-6_18.

[bib.bib16] [16] Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the twenty-first annual ACM symposium on Theory of computing, pages 44–61, 1989. doi:10.1145/73007.73012.

[bib.bib17] [17] Fuyuki Kitagawa, Tomoyuki Morimae, Ryo Nishimaki, and Takashi Yamakawa. Quantum public-key encryption with tamper-resilient public keys from one-way functions. arXiv preprint arXiv:2304.01800, 2023. URL: https://eprint.iacr.org/2023/490.

[bib.bib18] [18] Longcheng Li, Qian Li, Xingjian Li, and Qipeng Liu. How (not) to build qpke in minicrypt. In Annual International Cryptology Conference. Springer, 2024. doi:10.1007/978-3-031-68394-7_6.

[bib.bib19] [19] Giulio Malavolta and Michael Walter. Robust quantum public-key encryption with applications to quantum key distribution. Cryptology ePrint Archive, Paper 2023/500, 2023. doi:10.1007/978-3-031-68394-7_5.

[bib.bib20] [20] Raghu Meka, Oanh Nguyen, and Van Vu. Anti-concentration for polynomials of independent random variables. Theory of Computing, 12:11, 2016. doi:10.4086/toc.2016.v012a011.

[bib.bib21] [21] Gatis Midrijanis. Exact quantum query complexity for total boolean functions, 2004. arXiv:quant-ph/0403168.

[bib.bib22] [22] Tomoyuki Morimae and Takashi Yamakawa. One-wayness in quantum cryptography. arXiv preprint arXiv:2210.03394, 2022. URL: https://eprint.iacr.org/2022/1336.

[bib.bib23] [23] Tomoyuki Morimae and Takashi Yamakawa. Quantum commitments and signatures without one-way functions. In Annual International Cryptology Conference, pages 269–295. Springer, 2022. doi:10.1007/978-3-031-15802-5_10.

Toward the Impossibility of Perfect Complete Quantum PKE from OWFs

Abstract

Keywords and phrases:

Funding:

Copyright and License:

2012 ACM Subject Classification:

DOI:

Event:

Editors:

Series and Publisher:

1 Introduction

1.1 Our Results

Conjecture 1.

▶ Remark 2 (Comparing PCC in [5] with our conjecture).

Theorem 3 (Main Theorem).

▶ Remark 4.

Special Case 1: Gen makes only classical queries

Lemma 5.

Corollary 6 (Recasting [18]).

Evidence 2: The Combinatorial Nullstellensatz

Lemma 7.

Conjecture 8.

Lemma 9.

Special Case 3: Gen makes 𝑶⁢(𝐥𝐨𝐠⁡𝒏) quantum queries

Lemma 10.

Special Case 4: Gen has “uniform” outputs

Lemma 11.

Corollary 12.

Evidence 5: Other equivalent conjectures

Conjecture 13.

Lemma 14.

1.2 Techniques

1.3 Related works

2 Preliminaries

2.1 Basic notions in Boolean function analysis

Lemma 15 ([8]).

2.2 Quantum public key encryption

Definition 16 (Quantum public key encryption in QROM).

3 Consequences of our BFA conjecture

Theorem 17 (Restate of Theorem 3).

Theorem 18.

Definition 19 (Permutation Invariance).

Lemma 20.

Lemma 21.

4 Toward our BFA conjecture: evidences and special cases

4.1 Main evidence: Combinatorial Nullstellensatz

Lemma 22 ([2]).

Theorem 23 (Restate of Lemma 10).

4.2 Proof of Lemma 9

Proof.

Lemma 24.

Proof.

Claim 1: 𝒑~≤𝒑𝒕.

Claim 2: 𝒑~≥𝒑𝒕.

▶ Remark 25.

4.3 Special cases of boolean functions

Lemma 26.

Proof.

Part (a).

Part (b).

Part (c).

Corollary 27.

Proof.

4.4 More evidences for 13

Theorem 28 ([20]).

Lemma 29.

Proof.

Lemma 30.

Proof.

References

$\blacktriangleright$ Remark 2 (Comparing PCC in [5] with our conjecture).

$\blacktriangleright$ Remark 4.

Special Case 3: Gen makes $O(\log n)$ quantum queries

Claim 1: $\tilde{p}\leq p^{t}$ .

Claim 2: $\tilde{p}\geq p^{t}$ .

$\blacktriangleright$ Remark 25.