On the Efficiency of Generic, Quantum Cryptographic Constructions

One of the central questions in cryptology is how efficient generic constructions of cryptographic primitives can be. Gennaro, Gertner, Katz, and Trevisan [SIAM J. of Compt., 2005] studied lower bounds on the number of invocations of a (trapdoor) one-way permutation needed to construct cryptographic schemes, e.g., pseudorandom number generators, digital signatures, and public-key and symmetric-key encryption. Recently, quantum machines have been explored to construct cryptographic primitives other than quantum key distribution. This paper studies the efficiency of quantum black-box constructions of cryptographic primitives when the communications are classical. Following Gennaro et al., we give lower bounds on the number of invocations of an underlying quantumly-computable quantum-one-way permutation when the quantum construction of a pseudorandom number generator or symmetric-key encryption is weakly black-box. Our results show that quantum black-box constructions of pseudorandom number generators and symmetric-key encryption do not improve the number of invocations of the underlying quantumly-computable quantum-one-way permutation.


Introduction
It is widely believed that showing the existence of (trapdoor) one-way permutations/functions is incredibly hard. If it were shown, the long-standing open problem P = NP would be solved negatively, and we would know that we live in Minicrypt/Cryptomania among Impagliazzo's five worlds [Imp95]. Cryptographers therefore assume the existence of (trapdoor) one-way permutations/functions and construct various useful cryptographic schemes upon them.
Since cryptographic tools and protocols are used in the real world, the efficiency of such constructions is also an important target of study. For example, Kim, Simon, and Tetali [KST99], Gennaro and Trevisan [GT00], and Gennaro, Gertner, and Katz [GGK03] (and their journal version [GGKT05]) studied the efficiency of cryptographic constructions based on general assumptions.
Example: pseudorandom generator from one-way permutation. As an example, let us consider the basic construction of a pseudorandom generator (PRG) from a one-way permutation (OWP) (see, e.g., [KL20]): By using the Goldreich-Levin hardcore function [GL89], we can construct PRG : {0,1}^ℓ → {0,1}^{ℓ+k} from OWP : {0,1}^n → {0,1}^n, where ℓ = 2n. If we let the range of the hardcore function be {0,1}^{O(lg(n))}, this basic construction requires O(k/lg(n)) invocations of the underlying OWP in a black-box way to extend by k bits. Gennaro and Trevisan [GT00] showed that this is optimal up to a constant factor: if there exists a PRG of extension length k that invokes the underlying OWP o(k/lg(n)) times in a black-box way, then there exists an unconditionally-secure PRG, which immediately implies the existence of an unconditionally-secure OWF, DistNP ⊄ AvgP, and P ≠ NP.
Quantum adversary, quantum construction, and quantum reduction: Cryptographic research exploits the properties of quantum machines and channels to go beyond the classical counterparts. See, e.g., certified deletion [BI20, HMNY21] and multi-party quantum computation [BCKM21a, BCKM21b, GLSV21].
Here, we consider the moderate setting where the machines are quantum but the channels are classical, which is called the quantum-computation classical-communication (QC-CC) model. This model has the benefit that we can reuse strings (e.g., secret key, public key, ciphertext, and signature), since classical strings can be copied easily. While the channels are classical, the quantum power of computation can improve constructions and reductions; for example, if the construction is quantum, we can factor integers and solve the discrete logarithm problem in polynomial time, which is already exploited by Okamoto, Tanaka, and Uchiyama for construction [OTU00] and by Gentry for reduction [Gen10]. Moreover, Ananth, Gulati, Qian, and Yuen [AGQY22] constructed quantumly-computable secret-key encryption with classical keys/ciphertexts from a pseudorandom state generator (PRS) [JLS18], which produces quantum states.
Let us return to our example of PRG from OWP, where we now consider a post-quantumly-secure OWP (qOWP). For the generic construction of PRG, we already know that the above PRG construction using the quantum version of the Goldreich-Levin hardcore function [AC02, KY10] yields a similar upper bound for quantum-secure PRG from classical access to qOWP, while it improves the tightness. Our question is: Can quantum access to qOWP improve the efficiency of the construction?

Our Contribution
In this paper, we give lower bounds on the number of quantum invocations of an underlying quantum-one-way permutation (qOWP) when the quantum construction of a pseudorandom number generator (PRG) or symmetric-key encryption (SKE) is quantum-black-box. Our quantum lower bounds are asymptotically equivalent to the classical lower bounds in [GGKT05].

OWP-to-PRG:
Roughly speaking, we show that if there exists a quantumly-computable PRG of extension length k that invokes the underlying qOWP secure against S-size quantum adversaries o(k/lg(S)) times in a quantum-black-box way, then there exists an unconditionally-secure quantumly-computable PRG. This implies the existence of a quantumly-computable qOWF (QC-qOWF in short), a proof of (QCMA, BQP-Samp) ⊄ AvgBQP in average-case complexity, and a proof of BQP ≠ QCMA, which are the quantum analogs of OWF, DistNP ⊄ AvgP, and P ≠ NP.
Gennaro and Trevisan [GT00] first showed that a random permutation is one-way. They then observed that, if the number of queries is at most q, then a random permutation can be simulated by q random strings, known as lazy sampling. Using this simulation, they constructed a new PRG that takes a random seed s and the q random strings and outputs the output of the original PRG on seed s, where the random permutation is simulated by the q random strings. Thus, this yields an unconditionally-secure PRG if the extension length k is longer than the total length of the q random strings.
Let us consider the quantum version: In order to adapt their idea to the quantum setting, we need two techniques; one is the quantum one-wayness of a random permutation, and the other is a way to simulate a quantumly-queried random permutation with classical strings.
For the former, we need to show that a random permutation is one-way against quantum adversaries: Formally, for a technical reason, we want to show that all but a negligible δ fraction of random permutations over {0,1}^t cannot be inverted with probability at least 2^{−t/c} by any quantum adversary of size at most 2^{t/c} for some constant c, where the advantage of a quantum adversary A against a permutation f is defined as Pr (see Section 3). There is research on the one-wayness of quantum random permutations/functions (and more, with advice), e.g., [Amb02, NABT15, HXY19, CLQ20, CGLQ20, Liu23]. While Ambainis [Amb02] and Nayebi et al. [NABT15] considered the one-wayness of random permutations, their advantage definitions do not fit our purpose. For example, the advantage in [NABT15] is defined as Pr , and their theorems and that of [NABT15] are given as a relation between 2^t, the size S, the length of the advice α, and the advantage ϵ, e.g., ϵ = Õ((αS + S²)/2^t) in [CGLQ20]. To obtain the bound in the form we want, we give an explicit proof by combining lemmas in [GGKT05, NABT15, HXY19].
For the latter, we need to emulate a random permutation that is quantumly queried q times with compact classical strings. We use the quantum random-function/random-permutation switching lemma [Zha12a, Zha15, Yue14] and Zhandry's lemma that a random function can be simulated by 2q-wise independent functions [Zha12b], which can be described by 2q + 1 random strings.
Using these two ideas, we solve the above two problems and obtain the lower bound we want.

OWP-to-SKE:
Roughly speaking, we show that if there exists a quantumly-computable SKE of message length m and key length k whose encryption and decryption algorithms invoke the underlying qOWP secure against S-size quantum adversaries o((m − k)/lg(S)) times in a quantum-black-box way, then there exists an unconditionally-secure quantumly-computable SKE. This implies a proof of (QCMA, BQP-Samp) ⊄ AvgBQP and a proof of BQP ≠ QCMA. If the underlying SKE computes a function, then it further implies the existence of QC-qOWF.
Gennaro et al. [GGKT05] showed the relation between one-way trapdoor permutations and public-key encryption and obtained the results for OWP and SKE as a corollary. For simplicity, we review the SKE version here. Gennaro et al. [GGKT05] first observed that the points queried by encryption and decryption may differ. Thus, the simulations in the new encryption and decryption algorithms must share information between the underlying encryption and decryption. This is done by encrypting the list of query/answer pairs with a one-time pad. The new encryption algorithm takes a message M of length m and a new secret key K′, which is parsed as a secret key K, 2q random strings for the answers, and a secret key for the one-time pad; it outputs a ciphertext C of M produced by the underlying encryption algorithm with secret key K and message M, together with a ciphertext C′ of the list produced by the simulation of the random permutation. The new decryption algorithm takes the pair of ciphertexts C and C′ and the new secret key K′; it decrypts the list from C′ and outputs a message M′ by running the underlying decryption algorithm with secret key K on ciphertext C, simulating the random permutation with the list. The length of the new secret key is k + O(q) lg(S). If m > k + O(q) lg(S), then the new SKE scheme is non-trivial, that is, not the one-time pad, and unconditionally secure.
Let us consider the quantum setting: We again adopt the simulation of the random permutation by a 2q-wise independent hash function. We note that this simulation is the same in both the encryption and decryption algorithms, so there is no need to send the list. The construction of the new SKE scheme thus becomes simple. As in the classical case, if m > k + O(q) lg(S), then there exists an unconditionally secure SKE with negligible decryption failure. Such an SKE scheme implies (QCMA, BQP-Samp) ⊄ AvgBQP and BQP ≠ QCMA. Roughly speaking, the secret key and message form the classical witness of QCMA, and the witness is verified by the decryption algorithm. As previously mentioned, if the SKE computes a function, then the SKE implies QC-qOWF.

Limitations
Gennaro et al. [GGKT05] showed lower bounds on the numbers of queries needed to construct a family of universal one-way hash functions (UOWHF) and a weakly one-time-secure signature scheme from a one-way permutation, and on the queries needed to construct public-key encryption from a trapdoor permutation. To upgrade those results to the quantum setting, there are several hurdles.
For OWP-to-UOWHF and OWP-to-Signature, we fail to adapt the lower bounds in the classical setting to the quantum setting because the proofs exploit input/output pairs of the ideal one-way permutation. Very roughly speaking, the proofs construct an unconditionally secure UOWHF or OWF whose input contains the random strings y_i returned by the 'one-way permutation' and whose output contains the queries x_i made by the UOWHF or the verification algorithm of the signature scheme, together with the y_i. Constructing a proper UOWHF/OWF in the quantum setting is an interesting open problem.
For TDP-to-PKE, we fail at the very first step, the simulation of a TDP with a short classical description. As far as we know, this is a long-standing important open problem in this area.

Related works
Hosoyamada and Yamakawa studied the gap between collision-resistant hash functions and one-way (trapdoor) permutations [HY20]. Austrin et al. studied the impossibility of a quantum construction of key exchange from one-way permutations [ACC+22]. Chung, Lin, and Mahmoody showed that there is no quantum black-box construction of a quantum-computation and classical-communication (QCCC) non-interactive commitment scheme from OWP [CLM23].

Open Problems
As discussed above, the limits of black-box OWP-to-UOWHF, OWP-to-Signature, and TDP-to-PKE constructions are left as open problems.
Holenstein and Sinha [HS12] improved the parameters of the limit on black-box OWP-to-PRG constructions of Gennaro and Trevisan [GT00]. It is interesting whether we can obtain a quantum lower bound similar to that of Holenstein and Sinha [HS12].
An extension to the quantum-computation and quantum-communication (QCQC) model is also interesting. Let λ be the security parameter. For example, [AQY22] showed that if we have an appropriate PRS which outputs d = O(lg(λ)) qubits, then we have a pseudorandom functional state generator (PRFS) by calling the PRS at most O(2^d λ) times. It is very interesting whether this matches the lower bound or not.
We also leave showing that a general non-trivial unconditionally-secure SKE scheme implies QC-qOWF as an interesting open problem. We also have a question about the complete problems of (Q(C)MA, BQP-Samp) and (Q(C)MA, BQP-Comp), and the relation between them.
Organization: Section 2 reviews basic notions and notation. Section 3 gives the generic quantum hardness of one-way permutations. Sections 4 and 5 give the lower bounds for PRGs and SKEs, respectively.
Appendix A reviews definitions of average-case complexity classes. Appendix B discusses the relation between unconditionally-secure non-trivial quantum SKE and hard distributional problems in (QCMA, BQP-Samp).

Preliminaries
For a positive integer N, [N] denotes the set {1, 2, ..., N}. We use lg(·) := log_2(·). For two finite sets D and R, Func(D, R) denotes the set of all functions whose domain is D and whose range is R. For a finite set F, U(F) denotes the uniform distribution over F. For a distribution D, d ← D indicates that we take a random sample d according to D. For a finite set F, we often write d ← F instead of d ← U(F).
PPT (resp. QPT) stands for probabilistic (resp. quantum) polynomial-time. For gates of quantum machines, we employ Toffoli (CCX), Hadamard (H), and R_{π/4} gates as the basis of universal computation, following Kitaev.
We say that a PPT oracle machine P^(·) is a black-box construction from OWP if for any OWP π, (1) P^π satisfies the functionalities and (2) P^π is secure against every efficient adversary A^π. We consider its quantum version: We say that a QPT oracle machine P^{|·⟩} is a quantum black-box construction from qOWP if for any qOWP π, (1) P^{|π⟩} satisfies the functionalities and (2) P^{|π⟩} is secure against every efficient quantum adversary A^{|π⟩}.
We review k-wise independent functions and their properties.
Lemma 1 ([Zha12b]). For any finite sets D and R of classical strings and any q-quantum-query algorithm A, we have where H_{2q}(D, R) is a family of 2q-wise independent hash functions from D to R.

One-way Permutation/Function
We define the quantum one-wayness of permutations and functions in the concrete-security style:
Definition 2. We say that a function f : {0,1}^n → {0,1}^n is (S, ϵ)-quantumly-one-way, or a quantumly-one-way function (qOWF), if for every quantum circuit A of size at most S, we have When f is given as a quantum oracle, we write A^{|f⟩}. If a function is (S, 1/S)-qOWF, we call it S-qOWF.
If f is a permutation, then we use the term quantumly-one-way permutation (qOWP).
We denote the set of all permutations over {0,1}^n by Π_n. For t ≤ n, we define Π_{t,n} as the subset of Π_n consisting of all permutations that keep the last n − t bits unchanged; that is, We also denote the set of all functions over {0,1}^n by Φ_n and define the set of all functions that keep the last n − t bits unchanged by Φ_{t,n}; that is, The following theorem is a quantum version of the random-function/random-permutation (RF-RP) switching lemma shown by Zhandry [Zha15].

Pseudorandom Number Generator
A pseudorandom number generator is a QPT algorithm PRG which takes a seed s ∈ {0,1}^ℓ as input and outputs a pseudorandom string y ∈ {0,1}^{ℓ+k}.
Definition 3. We say a function PRG : {0,1}^ℓ → {0,1}^{ℓ+k} is an (S, ϵ)-secure pseudorandom number generator (PRG) if for any quantum circuit A of size at most S, we have We call ℓ the seed length and k the stretch length.

Symmetric-Key Encryption
The symmetric-key encryption (SKE) scheme for m-bit messages using k-bit keys is a pair of QPT algorithms SKE = (Enc, Dec):
• Enc takes a key K ∈ {0,1}^k and a message M ∈ {0,1}^m as input and outputs a ciphertext C ∈ {0,1}^{m′}.
• Dec takes a key K ∈ {0,1}^k and a ciphertext C ∈ {0,1}^{m′} as input and outputs a message M′ ∈ {0,1}^m.
We require statistical correctness as follows: SKE is statistically correct if for any We consider the basic security notion of SKE:
Definition 4. We say that SKE is (S, ϵ)-secure if for any quantum circuit A of size at most S and for any messages M_0, M_1 ∈ {0,1}^m we have
Remark 1. We remark that the above definitions can be extended to interactive symmetric-key encryption. In the interactive case, we consider the transcript between an encryption algorithm and a decryption algorithm as the ciphertext and denote it by C ← ⟨Enc(K, M), Dec(K)⟩. As in Gennaro et al. [GGKT05], our result also applies to the interactive case.

Hardness of Random Permutations
In what follows, we only consider purified quantum circuits with Toffoli (CCX), Hadamard (H), R_{π/4}, and f gates, where f will be a function. The following lemma gives an upper bound on the number of quantum circuits.
Proof. Let us count the number of possible quantum circuits. A quantum circuit of size S is specified as follows: For i = 1, ..., S, the i-th step is specified by the type of gate (CCX, H, R_{π/4}, or f) and the list of input/output qubits. The number of possible lists of qubits is at most S · (S − 1) In addition, the number of possible output wires is at most S!/(S − n)!. Thus, the number of quantum circuits is at most

Preliminaries:
Before giving the proof, we review useful lemmas. The first one is the randomized compression lemma.
Lemma 3 ([DTT10, Fact 8.1], Randomized Compression Lemma). Suppose there is a randomized encoding procedure E : X × R → Y and a decoding procedure The next one is taken from Hhan et al. [HXY19], adapted slightly from keyed functions to permutations.

Lemma 4 ([HXY19], Reduction to biased adversary, adapted). Let Π be the set of all permutations over [N] and let X be a subset of Π. Suppose that we have a quantum adversary B of size S whose number of queries is at most Q such that, for all π ∈ X, B inverts π with advantage at least ϵ, that is, (1) Then, we have a biased quantum adversary A of size S whose number of queries is at most Q such that, for all π ∈ X, we have In order to verify how we can compute S, Q, and ε, we include the proof of this lemma.
Proof. Fix π ∈ X. By applying the averaging argument to Equation 1, we have Pr Let us consider B and B^{−1}, the unitaries corresponding to B without the final measurement. Using the amplitude amplification technique (see, e.g., [BHMT00]), with O(1/ ϵ/2) repetitions of B and B^{−1}, the success probability is amplified to 2/3. We call the amplified circuit A.
From the above arguments, we can set S = S We finally review the main theorem of Nayebi et al. [NABT15], which states that if there exists a biased quantum adversary for π ∈ X, then we can construct randomized encoding procedures.

Lemma 5 ([NABT15, Lemma 5], adapted). Let Π be the set of all permutations over [N] and let X be a subset of Π. Let A be a quantum adversary of size at most S that queries π at most Q times. Suppose that, for all π ∈ X, we have Then, there exists a randomized encoding procedure E : X × R → Y and a decoding procedure D : Y × R → X such that, for all π ∈ X, we have

Proof of Theorem 2:
We first show the following claim:
Claim. Let X be a subset of Π. Let δ be the fraction of X in Π, that is, δ := |X|/N!. If there exists a quantum adversary B of size S such that, for all π ∈ X, B inverts π with probability at least ϵ by making at most Q queries, then we have

Proof of Claim. Using Lemma 4, we can construct a quantum adversary According to Lemma 5, there exists a randomized encoding procedure E and its decoder D such that, for all π ∈ X, we have Using Lemma 3, the former implies that |Y| ≥ 0.8|X|. Therefore, we have the following inequality: Recall the relations |X| = δN!, ε = ϵ/2, and Q = Q · O(1/ ϵ/2). Substituting them into the above and dividing by N!, we obtain
Now, we can prove Theorem 2 as follows: Let N = 2^t. Let c > 1 be a constant, which we will set later. Let A be an oracle quantum circuit of size S = 2^{t/c} = N^{1/c}. This yields Q = 2^{t/c}. First, we recall that the number of circuits of size at most S is at most (4S) Second, according to our claim, if B of size S inverts all π ∈ X with probability at least ϵ = 1/S, then the fraction of X should be δ Taking the union bound, the probability over a random choice of π that there exists a quantum circuit of size S which inverts π with probability at least 1/S is at most the product of the number of circuits of size S and the maximum fraction of invertible X for S, that is, 2^{Õ(N^{1/c})} · 2^{−Ω(N^{1−4/c})}. By setting c = 6, the probability is at most 2^{Õ(N^{1/6})} · 2^{−Ω(N^{1/3})} ≤ 2^{−N^{1/6}} for sufficiently large N. Hence, a random π ∈ Π_t is S = 2^{t/6}-hard with probability greater than 1 − 2^{−2^{t/6}}, as we wanted.

The Bound on Pseudo-Random Number Generator
We show the lower bound on the number of invocations of qOWP needed to construct a PRG. We first review the definition of a black-box construction of PRG from qOWP.
Definition 5. A construction of a PRG scheme based on qOWP is an oracle procedure PRG^{|·⟩} : {0,1}^ℓ → {0,1}^{ℓ+k}. We refer to k as the stretch length of PRG.
We say that PRG^{|·⟩} is an (S_p, S_g, ϵ)-qOWP-to-PRG weak black-box construction if for every π ∈ Π_n that is S_p-hard, PRG^{|π⟩} is an (S_g, ϵ)-secure PRG.
Intuition: First, we review the proof in the classical setting by Gennaro and Trevisan. We note that the answers of a random permutation π ∈ Π_{t,n} on q queries can be simulated with q random t-bit strings y_1, ..., y_q unless the strings y_1, ..., y_q collide: On the i-th query x_i = (a_i, b_i) ∈ {0,1}^t × {0,1}^{4t}, we answer with (y_i, b_i). Based on a PRG with extension length k using the OWF q times, Gennaro and Trevisan constructed a new secure PRG with the longer seed (s, y_1, ..., y_q) which emulates the random permutation using y_1, ..., y_q. Thus, if the extension length k is larger than qt, then we have an unconditionally-secure PRG, which implies an unconditionally-secure OWF.
In the quantum setting, the black-box construction accesses the random permutation with superposition queries. Thus, the classical pre-sampled strings y_1, ..., y_q are not enough to answer those q superposition queries. Instead, we simulate the random permutation by a 2q-wise independent hash function. Zhandry showed that such a hash function perfectly simulates a random function (Lemma 1). In addition, a random function and a random permutation are indistinguishable up to 2^{t/2} queries (Theorem 1). Hence, we can construct an unconditionally-secure PRG from a secure PRG built upon qOWF, and this implies an unconditionally-secure QC-qOWF.
Theorem 3. Let PRG^{|·⟩} be an (S_p, S_g, ϵ)-qOWP-to-PRG weak black-box quantum construction for messages of length m using a key of length k in which PRG makes q quantum queries to an oracle |π⟩, where π ∈ Π_n. Let t = 6 lg S_p < n. If (2q + 1)t < k, then there exists an (S_p, ϵ + 2^{−S_p} + ϵ_0)-secure PRG scheme without any access to oracles, where ϵ_0 = (8π²/3)(q³/S_p^6) is the maximum advantage of a q-query distinguisher between a random permutation in Π_t and a random function in Φ_t.
Proof of Theorem 3. From the hypothesis, if π : {0,1}^n → {0,1}^n is (S_p, 1/S_p)-hard, then for any distinguisher T of size at most S_g, we have We here drop the quantum oracle access of T, since this only makes T weaker. Let t = 6 lg(S_p) < n. According to Corollary 1, a random permutation π ∈ Π_{t,n} is S_p-hard with probability greater than 1 − 2^{−2^{t/6}} = 1 − 2^{−S_p}. Using the averaging argument, we have We next replace π ∈ Π_{t,n} with ϕ ∈ Φ_{t,n}. Due to Theorem 1, we have where ϵ_0 := (8π²/3)(q³/2^t) = (8π²/3)(q³/S_p^7). Using the triangle inequality, we obtain Here, we note that PRG^{|ϕ⟩}(s) may fail because the construction might exploit the fact that π is a permutation. However, the failure probability of PRG^{|ϕ⟩}(s) is at most ϵ_0 due to Theorem 1.
According to Zhandry's lemma (Lemma 1), 2q-wise independent hash functions and random functions are indistinguishable up to q queries, and we have Pr Combining the (in)equalities, we obtain our theorem.
Remark 3. We note that PRG′ : {0,1}^{ℓ′} → {0,1}^{ℓ′+k} is efficiently computable because it just runs PRG with a simulation of F based on the 2q-wise independent hash function f(z) = Σ_i f_i z^i. Thus, PRG′ yields an unconditionally-secure QC-qOWF; if it is not a qOWF, then it is not a secure PRG.

The Bound on Symmetric-Key Encryption
We show the lower bound on the number of invocations of qOWP needed to construct SKE. We start with a review of the definition of a black-box construction of SKE from qOWP.
Definition 6. A construction of an SKE scheme based on qOWP is a pair of oracle procedures SKE^{|·⟩} = (Enc^{|·⟩}, Dec^{|·⟩}) such that, for all π ∈ Π_n, the resulting SKE^{|π⟩} satisfies the functional definition of an SKE scheme.

Intuition:
We start by reviewing the proof in the classical setting by Gennaro, Gertner, and Katz [GGK03]: Let k be the key length and m the message length. We again note that the answers of a random permutation π ∈ Π_{t,n} on q queries can be simulated with q random t-bit strings y_1, ..., y_q unless the strings y_1, ..., y_q collide: On the i-th query x_i = (a_i, b_i) ∈ {0,1}^t × {0,1}^{4t}, we answer with (y_i, b_i). However, SKE involves two algorithms Enc and Dec which may make different queries. In order to keep the queried points consistent, they construct a new encryption algorithm Enc′ that sends a ciphertext made by Enc plus the list of queried points encrypted by a one-time pad. If the key length k is shorter than m − O(qt), then we have an unconditionally-secure SKE, which implies an unconditionally-secure OWF [IL89, GGKT05].
In the quantum setting, we again simulate the random permutation by a 4q-wise independent hash function, since Enc and Dec make q queries each. Since this simulation lets both algorithms share the same function, we do not need to send the encrypted list, and the simulation becomes simple.
Using the same idea, we can show that if the key length k is shorter than m − (4q + 1)t, then we have an unconditionally-secure non-trivial SKE. While we would like to conclude that this unconditionally-secure SKE implies the unconditional existence of qOWF, we cannot say so, since the new encryption and decryption algorithms are probabilistic; we discuss this later.
The hypothesis of the theorem on We here drop the quantum oracle access of B, since this only makes B weaker. According to Theorem 2, π ∈ Π_{t,n} is S_p-hard for all but a 2^{−S_p} fraction. By the averaging argument, for any circuit B of size at most S_e and for any two messages M_0, M_1 ∈ {0,1}^m we have Using Zhandry's lemma (Theorem 1), we can replace π ← Π_{t,n} with ϕ ← Φ_{t,n} as follows: where ϵ_0 = (8π²/3)(q³/S_p^6). Let us construct a new SKE scheme SKE′ for m-bit messages using a random key of length k′ = k + (4q + 1)·t, which is (S_e, ε)-secure and has no oracle access. Again, we simulate the random function ϕ by a 4q-wise independent hash function. The simulation is very simple: We prepare F(a, b) := (f(a), b), where f : {0,1}^t → {0,1}^t is f(a) = Σ_{i=0}^{4q} f_i a^i ∈ GF(2^t). Now, SKE′ is defined as follows:
• Enc′ parses the shared key s′ ∈ {0,1}^{k′} as the original shared key s and the 4q-wise independent hash function f, and encrypts a message M into C by C ← Enc^{|F⟩}(s, M).
• Dec′ parses the shared key s′ as s and f, and decrypts a ciphertext C by M′ ← Dec^{|F⟩}(s, C).
The (S_e, ε)-security of SKE′ follows directly from Equation 3.
Remark 4. We note that our SKE′ may have negligible decryption errors because we replace a permutation with a 4q-wise independent hash function. This is similar to the case where the y_i's collide in the classical setting.
Remark 5. We only consider a non-interactive SKE scheme for simplicity. We can extend the results to the interactive setting by replacing ⟩ in the equations in the proof.
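The simulation F(a, b) = (f(a), b) of π ∈ Π_{t,n} by the polynomial hash f(z) = Σ_i f_i z^i over GF(2^t) used in Sections 4 and 5, together with the derived PRG′ and SKE′ wrappers and the seed/key-length accounting behind the conditions (2q + 1)t < k and m > k + (4q + 1)t, as an added Python example that is not the paper's code. The toy size t = 8 with the AES field polynomial, the oracle PRG and SKE being wrapped, the chaining constant, and the key length K_LEN are all constructed assumptions.

```python
from typing import Callable, List, Tuple

# Toy parameters, constructed for illustration (the paper has t = 6 lg S_p and n = 5t).
T = 8                        # t: width of the active part a of an oracle input (a, b)
IRRED = 0x11B                # x^8 + x^4 + x^3 + x + 1, irreducible, so GF(2^8) arithmetic
MASK_T = (1 << T) - 1
MASK_B = (1 << (4 * T)) - 1  # the 4t-bit part b that pi in Pi_{t,n} leaves unchanged
K_LEN = 5 * T                # toy seed/key length of the wrapped oracle scheme: n bits

def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^t), each given as a t-bit integer."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> T:
            a ^= IRRED
    return r

def poly_eval(coeffs: List[int], z: int) -> int:
    """f(z) = sum_i f_i z^i over GF(2^t), evaluated by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, z) ^ c
    return acc

def split_seed(bits: int, degree: int) -> Tuple[int, List[int]]:
    """Parse s' = (s, f_0, ..., f_degree): s in the high bits, then t bits per f_i."""
    s = bits >> ((degree + 1) * T)
    coeffs = [(bits >> (T * i)) & MASK_T for i in range(degree + 1)]
    return s, coeffs

def make_oracle(coeffs: List[int]) -> Callable[[int], int]:
    """F(a, b) = (f(a), b): the paper's stand-in for pi in Pi_{t,n}; b passes through."""
    def F(x: int) -> int:
        a, b = x >> (4 * T), x & MASK_B
        return (poly_eval(coeffs, a) << (4 * T)) | b
    return F

def collisions(coeffs: List[int]) -> int:
    """Number of a-values lost to collisions of f; nonzero means F is not a permutation."""
    return (1 << T) - len({poly_eval(coeffs, a) for a in range(1 << T)})

# Constructed stand-in for an oracle PRG^{|pi>}: q classical queries, output is the seed
# followed by the top t bits of each answer, so its stretch is k = q*t bits.
def prg_oracle(F: Callable[[int], int], seed: int, q: int) -> int:
    out = x = seed
    for _ in range(q):
        x = F(x) ^ 0x5A5A                    # chain each answer into the next query
        out = (out << T) | (x >> (4 * T))
    return out

def derived_prg_stretch(k: int, q: int) -> int:
    """Stretch of PRG' = k - (2q+1)t; Theorem 3 needs (2q+1)t < k for PRG' to stretch."""
    return k - (2 * q + 1) * T

def prg_prime(seed_prime: int, q: int) -> int:
    """PRG'(s, f) = PRG^{F}(s): the seed grows by the (2q+1)t bits of the 2q-wise hash f."""
    s, coeffs = split_seed(seed_prime, 2 * q)
    return prg_oracle(make_oracle(coeffs), s, q)

# SKE' (Section 5): Enc' and Dec' both parse the key as (s, f) and run the oracle scheme
# with the same F, so no encrypted query list is sent. The oracle scheme wrapped here is
# a constructed stand-in that masks the message with q*t bits derived from q queries.
def ske_prime_enc(key_prime: int, msg: int, q: int) -> int:
    s, coeffs = split_seed(key_prime, 4 * q)
    pad = prg_oracle(make_oracle(coeffs), s, q) & ((1 << (q * T)) - 1)
    return msg ^ pad

def ske_prime_dec(key_prime: int, ct: int, q: int) -> int:
    return ske_prime_enc(key_prime, ct, q)   # same f on both sides, so decryption agrees

def derived_ske_key_len(k: int, q: int) -> int:
    """Key length of SKE' = k + (4q+1)t; Section 5 needs the message length m to exceed it."""
    return k + (4 * q + 1) * T
```

The stand-in oracle PRG extracts only t bits per query, so derived_prg_stretch is negative for every q: a construction must stretch by more than (2q + 1)t bits before the wrapper PRG′ is itself a PRG, which is exactly what the bound measures. The collisions function shows the point of Remark 4: a random polynomial f need not be injective, so F is generally not a permutation.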
Theorem 5. Let (Enc, Dec) be an (S, δ)-secure perfectly-correct quantum SKE scheme whose message length is m and key length is k < m. Let S_e be the size of the circuit of Enc and let S_d be the size of the circuit of Dec. For any ℓ, there exists a pair of a QPT instance generator and a QPT verifier (E, D) that is (S − 2ℓS_e − 2ℓS_d − poly(m, k, ℓ), ℓδ + 2^{−ℓ(m−k)})-hard.
We can easily extend this from perfectly-correct quantum SKE to statistically-correct quantum SKE.
Proof. We want to show that the distribution E(U_{ℓk}, U_{ℓm}) generates average-case hard instances. Let us assume the contrary; suppose that there exists an algorithm B of size at most S′ breaking the (S′, δ′)-hardness of E. Let adv_B denote the advantage of B, that is, We note that if Enc computes a function, then the above construction implies QC-qOWF as in [GGKT05].