We construct quantum public-key encryption from one-way functions. In our construction, public keys are quantum, but ciphertexts are classical. Quantum public-key encryption from one-way functions (or weaker primitives such as pseudorandom function-like states) are also proposed in some recent works [Morimae-Yamakawa, eprint:2022/1336; Coladangelo, eprint:2023/282; Grilo-Sattath-Vu, eprint:2023/345; Barooti-Malavolta-Walter, eprint:2023/306]. However, they have a huge drawback: they are secure only when quantum public keys can be transmitted to the sender (who runs the encryption algorithm) without being tampered with by the adversary, which seems to require unsatisfactory physical setup assumptions such as secure quantum channels. Our construction is free from such a drawback: it guarantees the secrecy of the encrypted messages even if we assume only unauthenticated quantum channels. Thus, the encryption is done with adversarially tampered quantum public keys. Our construction based only on one-way functions is the first quantum public-key encryption that achieves the goal of classical public-key encryption, namely, to establish secure communication over insecure channels.

翻译：我们基于单向函数构造了量子公钥加密方案。在该构造中，公钥为量子态，而密文为经典比特。近期一些工作[Morimae-Yamakawa, eprint:2022/1336; Coladangelo, eprint:2023/282; Grilo-Sattath-Vu, eprint:2023/345; Barooti-Malavolta-Walter, eprint:2023/306]也提出了基于单向函数（或更弱原语如类伪随机函数态）的量子公钥加密方案。然而这些方案存在重大缺陷：它们仅在量子公钥能够未被敌手篡改地传输给发送方（即执行加密算法的一方）时才能保证安全性，这似乎需要依赖不切实际的物理设置假设（如安全量子信道）。我们的构造完全摆脱了这一缺陷：即便仅假设未认证的量子信道，仍能确保加密消息的机密性。换言之，即使公钥已被敌手篡改，加密过程依然安全。本方案是首个仅基于单向函数、实现经典公钥加密核心目标（即在非安全信道上建立安全通信）的量子公钥加密方案。