We construct quantum public-key encryption from one-way functions. In our construction, public keys are quantum, but ciphertexts are classical. Quantum public-key encryption from one-way functions (or weaker primitives such as pseudorandom function-like states) are also proposed in some recent works [Morimae-Yamakawa, eprint:2022/1336; Coladangelo, eprint:2023/282; Grilo-Sattath-Vu, eprint:2023/345; Barooti-Malavolta-Walter, eprint:2023/306]. However, they have a huge drawback: they are secure only when quantum public keys can be transmitted to the sender (who runs the encryption algorithm) without being tampered with by the adversary, which seems to require unsatisfactory physical setup assumptions such as secure quantum channels. Our construction is free from such a drawback: it guarantees the secrecy of the encrypted messages even if we assume only unauthenticated quantum channels. Thus, the encryption is done with adversarially tampered quantum public keys. Our construction based only on one-way functions is the first quantum public-key encryption that achieves the goal of classical public-key encryption, namely, to establish secure communication over insecure channels.

翻译：我们从单向函数构造了量子公钥加密方案。在该构造中，公钥为量子态，而密文为经典比特。近期一些工作[Morimae-Yamakawa, eprint:2022/1336; Coladangelo, eprint:2023/282; Grilo-Sattath-Vu, eprint:2023/345; Barooti-Malavolta-Walter, eprint:2023/306]也提出了基于单向函数（或更弱原语如伪随机函数态）的量子公钥加密方案。然而，这些方案存在一个重大缺陷：它们仅在量子公钥能未经敌手篡改地传输给加密算法执行者（发送方）时才能保证安全性——这似乎需要不可实现的物理假设（如安全量子信道）。我们的构造彻底消除了这一缺陷：即使仅假设非认证量子信道，仍能保证加密消息的保密性。因此，即便公钥已被敌手篡改，加密操作仍可安全进行。这种仅依赖单向函数的构造方案，是首个实现经典公钥加密核心目标——在不安全信道上建立安全通信——的量子公钥加密方案。