Towards the Impossibility of Quantum Public Key Encryption with Classical Keys from One-Way Functions

. There has been a recent interest in proposing quantum protocols whose security relies on weaker computational assumptions than their classical counterparts. Importantly to our work, it has been recently shown that public-key encryption (PKE) from one-way functions (OWF) is possible if we consider quantum public keys. Notice that we do not expect classical PKE from OWF given the impossibility results of Impagliazzo and Rudich (STOC’89). However, the distribution of quantum public keys is a challenging task. Therefore, the main question that motivates our work is if quantum PKE from OWF is possible if we have classical public keys. Such protocols are impossible if ciphertexts are also classical, given the impossibility result of Austrin et al. (CRYPTO’22) of quantum enhanced key-agreement (KA) with classical communication. In this paper, we focus on black-box separation for PKE with classical public key and quantum ciphertext from OWF under the polynomial compatibility conjecture, first introduced in Austrin et al. . More precisely, we show the separation when the decryption algorithm of the PKE does not query the OWF. We prove our result by extending the techniques of Austrin et al. and we show an attack for KA in an extended classical communication model where the last message in the protocol can be a quantum state.


Introduction
After decades of focusing on the possibility of information-theoretically secure quantum protocols, initiated by the land-marking results on money schemes [Wie83] and key-agreement [BB84], there has been recent progress in understanding how quantum resources can be used to implement cryptographic primitives under weaker computational assumptions.
More concretely, it has been shown in [GLSV21,BCKM21] that Oblivious Transfer (OT) and Multi-party computation (MPC), two central primitives in cryptography can be constructed from one-way functions (OWF), the weakest classical cryptographic assumption.Such a result has been extended to show OT and MPC can be constructed from pseudo-random quantum states [AQY22], which is expected to be a weaker computational assumption than OWF [Kre21,KQST23].This is in stark contrast with the classical case since we do not expect OT and MPC to be built from one-way functions [IR89].
More recently, it has been asked if quantum protocols are possible for public-key encryption from OWF (or weaker assumptions).While the conditional impossibility result for key-agreement of [ACC + 22] implies that public-key encryption (PKE) from OWF with classical communication is impossible even if the honest parties are quantum,3 it has been recently shown that PKE can be constructed from OWF if we have a quantum public-key [Col23, BGHD + 23, KMNY23].However, having a quantum public key is not ideal, given the issues that appear with public-key distribution, authentication, and reusability.These results leave then as an open question if quantum PKE from OWF is possible with a classical public key and quantum ciphertext.
In this work, we extend the result of [ACC + 22] and we show that key agreement is impossible when Alice and Bob exchange classical messages and at the very last round, Bob sends a quantum message to Alice.
Our result holds under the same conjecture as [ACC + 22] but is limited to the setting where Alice does not query the random oracle in the last round of the protocol.More concretely, we achieve the following result.
Theorem 1.1 (Informal).Let Π be a key agreement protocol between Alice and Bob, where they first exchange classical messages and at the last round Bob sends a quantum message, and Alice and Bob agree on a key k.Let n be the number of queries that Alice and Bob make to a random oracle O.Then, assuming Alice does not query the oracle after receiving the quantum message from Bob, Eve can find k with O(poly(n)) classical queries to O with probability With this result in hand, we show that quantum PKE is impossible with a classical public key in the Quantum Random Oracle Model (QROM), when the decryption algorithm does not query the random oracle.
Corollary 1.2 (Informal).Assume (Gen, Enc, Dec) is a Public-Key Encryption scheme, where the public key is classical and the ciphertext is a quantum state.Assuming the algorithms Gen and Enc makes at most n quantum queries to a random oracle O, then there exists an algorithm Eve that can decipher by making O(poly(n)) classical queries to O.
Using known techniques from black-box separation, our results can easily be translated to give separations of qPKE from black-box OWF.We also note that our result (Corollary 1.2) marks an initial step towards proving the conjecture of [MY22] on the possibility of black-box constructions of qPKE with classical public keys from quantum symmetric key encryption.

Technical Overview
To prove Theorem 1.1, we start with a key-agreement protocol with perfect correctness where Alice and Bob have quantum access to a random oracle and exchange polynomially many rounds of classical messages, and then Bob sends a final quantum message |ψ to Alice. 4e show an attack where with inverse polynomial probability: 1. Given the classical transcript and |ψ , Eve guesses the key k that Alice and Bob would share.2. Eve sends a quantum state ψ E to Alice such that Alice agrees on the key k at the end of the protocol.
While the first item is sufficient to break the key agreement protocol, the second item allows us to show a much stronger attack: Eve is an active adversary that not only retrieves the key but also does it in a way that Alice and Bob will not detect later since both of them share the same key.
To prove the first item, we use the same technique as [ACC + 22, Construction 4.10], which queries all of the "ε-heavy queries" to the random oracle.This approach is similar to the classical approach of [BM09], whose construction queries all of the values that are queried by Alice and Bob with probability at least ε.These are called the "ε-heavy queries", and with the right parameter of ε, one can show that it allows Eve to find all of the intersection queries with high probability, that is the values queried by both Alice and Bob.A problem that appears in the quantum setting is that the notion of intersection queries is unclear, as Alice and Bob are allowed to query the oracle in superposition, it is thus hard to precisely define what information Alice and Bob know about the oracle.This means that a definition for quantum intersection queries must be such that the knowledge of the intersection queries is sufficient to find the key with high probability, which is a strong property.
In the quantum attack of [ACC + 22], they start by defining the quantum heavy queries.Roughly, these are the queries with high amplitude (see Definition 2.10 for a formal definition), which is the natural quantum equivalent of the classical definition that appears in [BM09].To replace the notion of intersection queries, which is problematic in the quantum setting, they propose the Polynomial Compatibility Conjecture (PCC).This conjecture implies that if a pair of quantum states satisfy some conditions, then there exists a random oracle that is consistent with the transcript and with both quantum states.In their attack, Eve learns all of the heavy queries and generates a simulation of the states of Alice and Bob.They show that if Eve is not able to retrieve the key with high probability from these simulated states, then the protocol does not have perfect correctness, leading to a contradiction.This is shown by proving that if Eve does not find the correct key, by the PCC, there exists an oracle h that is consistent with both states, and therefore there exists an execution of the protocol where Alice outputs keys 1 and Bob outputs key 0.
We extend this result to the case where the last message is quantum.Similar to [ACC + 22, Construction 4.10], we define the quantum-heavy query learner algorithm, which is formally defined in Construction 2.11 and whose goal is to query all of the ε-heavy queries.In this overview, we consider for simplicity that the last message sent by Bob is a pure state, denoted as |ψ .Eve then run Alice's last step of the protocol (which is publicly defined by the protocol) on the simulated internal state of Alice that Eve generated and the quantum message from Bob.We then need to show that Eve will still be able to guess the good key with high probability.This translates to showing that, for some noticeable parameter ν: where the register W ′ A contains Eve's simulated state of Alice |φ E A , register H contain the superposition of all possible oracles that are consistent with Eve's knowledge of the real oracle, and register M contains the message |ψ that Bob sent to Alice.The unitary A fin corresponds to Alice's operation in the last step of the protocol, after she receives Bob's message, and the projector Π k measures the key.Equation (1) translates to saying that given the real message that Bob sends to Alice, Eve can find Bob's key by applying the operations that Alice would have applied on the simulated state of Alice |φ E A that she obtained by using the quantum-heavy queries learner.This equation is proven in Section 3.2.2.
The proof of Equation (1) comes from the fact that since Alice does not query the oracle when she applies the operator A fin after receiving the quantum message ψ from Bob, then the register H is unchanged and thus the resulting state keeps the properties necessary to apply the PCC.
For the second item, we need to define the state ψ E that Eve sends to Alice.The idea is the following: Eve will pick the post-measurement state of the measurement described in Equation (1), and she applies A † fin to it.Then, Eve traces out the registers W ′ A and H and ψ E is the remaining state in register M .To show that Alice computes the same key as Bob and Eve with high probability, we show that ψ E is close to |ψ : Using Equation (2) and the perfect correctness of the protocol, we then show that Alice and Bob will agree on the same key with high probability.This corresponds to proving the following inequality: where |φ A is Alice's real internal state and ψ E is the message that Eve sends to Alice.Equation (3) translates to saying that given the message of Eve, Alice will find the same key as Eve with high probability when she does her final computation.These equations are proven in Section 3.2.3.Finally, Corollary 1.2 follows from the fact that if public key encryption with quantum ciphertexts is possible, then we can construct a key agreement protocol: Alice sends the public key and Bob answers with the encryption of a random key k.

Related Works, Discussion and Open Problems
The Polynomial Compatibility Conjecture.First introduced in [ACC + 22], the Polynomial Compatibility Conjecture (PCC) is already known to imply separation results for key agreement [ACC + 22] and non-interactive commitments [CLM23].The conjecture has an alternative expression that uses polynomials and is equivalent to the statement in Conjecture 2.16.The PCC is known to be true with exponential parameters [ACC + 22], but it is still open with polynomial parameters.Proving it would be interesting as it would now also establish the separation result for quantum PKE, along with potentially more results as it is a strong statement.
Quantum Public Key Encryption.Classically, public key encryption (PKE) cannot be constructed from black-box one-way functions [IR89].In the quantum context, various definitions of quantum PKE exist, leading to different feasibility outcomes.With quantum public keys and classical ciphertexts, quantum PKE can be constructed from one-way functions [Col23, BGHD + 23, KMNY23].However, it remains unclear how the distribution of such public keys could be effectively distributed in practice among different parties.Our result focuses on quantum PKE with classical public keys and quantum ciphertexts.In this setting, the distribution of public keys could be implemented using currently available public key infrastructure (PKI).Moreover, compared to having a quantum public key and a classical ciphertext, having a classical public key and a quantum ciphertext is less problematic for implementations, as the message is supposed to be received by only one party and thus the potential destruction of the message after the decryption is inconsequential.With this definition of quantum PKE, we achieve a step towards proving a similar result as the classical case.
Classical Communication One Quantum Message Key Agreement Protocols.In our paper, we introduce a scheme that we call Classical Communication One Quantum Message Key Agreement (CC1QM-KA) protocols.In these types of protocol, Alice and Bob communicate classically, except for the last message that is quantum.We show that key agreement is impossible with this type of protocol in the QROM if Alice does not query the random oracle after receiving the last message.One natural question is what happens if we allow the first message to be quantum, while the rest of the communication is classical.Interestingly enough, [BB84] falls into this category of protocol, thus key agreement is possible unconditionally in this setting.This asymmetry in terms of feasibility results is quite surprising and a possible explanation is the fact that we cannot postselect on quantum messages, i.e. generate a state that is consistent with an algorithm and one of its output register being a specific quantum state.Indeed, the classical Eve attacks imply a simulation of the internal state of the parties that is consistent with the message, which corresponds to computing an internal state postselected on the classical messages that are communicated.With a quantum message, this would be possible with a classical description of the quantum message since Eve is unbounded, but it is non-trivial with only the quantum state as Eve must learn what the quantum message is in the first place somehow.However, in the CC1QM setting, we do not need to do this postselection, as a simulation of the last part of the protocol is enough to find the right key.

Allowing oracle queries in the decryption algorithm
To prove the stronger result that qPKE is impossible even when the decryption algorithms query the oracle, one needs to show an attack on CC1QM-KA protocols where Alice queries the oracle in the last part of the protocol.At first glance, one may think that Equation (1) should be true even if Alice makes queries to the oracle in A fin , because every new information about the oracle that she learns at this stage of the protocol will not be transmitted to Bob since there is no communication afterward.However, some issues that do not appear in [ACC + 22] arise when trying to prove such an inequality.
The first (natural) problem is that since the last message is quantum, Eve cannot compute the heavy queries (which would be sufficient for the attack).Therefore, we need to find another way of simulating Alice's last oracle calls without learning the heavy queries.
A first attempt is to use the operator A O fin , that corresponds to Alice's computation in the last step of the protocol with the real oracle O.Because this corresponds to the operation that the real Alice would have done and the real outcome is deterministic (since the protocol has perfect correctness), it could allow Eve to find the real key.However, the problem in this approach is that Eve has her simulated state that was constructed using a simulated oracle (with correct values for heavy-queries) and Alice's algorithm could use some consistency check that would fail when we decide to change the oracle.
On the other hand, if we want to use the simulated oracle instead of the real oracle, then there is a trivial protocol for which the attack does not work.In this protocol, Bob just picks a random value x ∈ X , queries it, and sends |x to Alice.Alice and Bob agree then on the key H(x).By using the simulation oracle, Eve would not be able to find the key with non-negligible probability.
While these two complications are artificial since they do not lead to a secure protocol, they put a barrier to finding a common attack that would make Eve find the keys from Alice and Bob.

Notation
The following notations will be used throughout the paper, -By λ we denote the security parameter.
-We use calligraphic letters (e.g., X ) to denote sets.We use Y X to denote the set of all functions from X to Y. -We use bold letters (e.g., m) to denote random variables and distributions.We write m ←$ m to denote that m is sampled from the distribution m.We write m ←$ M to denote that m is sampled uniformly from the set M. -We use the Dirac notation for pure states, e.g., |ψ , while mixed states will be denoted by lowercase Greek letters, e.g., ρ.
For the basics of quantum computation, we refer readers to [NC10].

Quantum Computation
Definition 2.1 (Oracle-aided quantum algorithms).A quantum algorithm A is a family of quantum circuits A := {A λ } λ∈N that act on three sets of registers: input registers X, output registers Y , and work registers Z.For convenience, we let W := (X, Y, Z) denote the internal registers of A. For each input x ∈ {0, 1} λ , the output is computed by running the algorithm A λ on |x X |0 Y |0 W and at the end the output registers are measured in the computational basis to obtain the output.A d-query quantum oracle algorithm A h that has access to an oracle h, defined by the unitary O h can be specified by a sequence of unitary matrices (U d , U d−1 , . . ., U 0 ).The final state of the algorithm is defined as When A h is clear from the context, we omit the superscript h and write A.
The following preliminary is borrowed from the formalization of [ACC + 22].
Definition 2.2 (The computational and the Fourier basis).Let Y be a finite Abelian group with cardinality |Y|.Let {|y } y∈Y be an orthonormal basis of C |Y| .We refer to this basis as the computational basis.Let Ŷ be the dual group which is known to be isomorphic to Y. Recall that a member ŷ ∈ Ŷ is a character function (i.e., a function from Y to the multiplicative group of non-zero complex numbers).The Fourier basis {|ŷ } ŷ∈ Ŷ of C |Y| is defined as Definition 2.3 (Functions and their (quantum) representations).For any function h ∈ Y X , we define its quantum representation to be |h H := x∈X |h(x) Hx in the computational basis, where the register H x is associated with C Y for all x ∈ X , and the register H is compounded of all H x .Similarly, for any ĥ ∈ ŶX we define | ĥ H := x∈X | ĥ(x) Hx in the Fourier basis.
Zhandry [Zha19] shows that the purified random oracle is perfectly indistinguishable from the (standard) quantum random oracle, and thus instead of considering the query operator O h , we can consider another equivalent query oracle O acting on three registers X, Y, H as follows.
where the oracle register H is initialized as Note that in the Fourier basis, the unitary O acts as follows: We now define some properties related to this new register for the database |h H .
Definition 2.5 (Non-zero queries in Fourier basis).Let Y be a finite Abelian group and Ŷ be the dual group.For any ŷ ∈ ŶX , we define the size of ĥ to be ĥ := {x : x ∈ X , ĥ(x) = 0} .
We denote ĥH max (|φ ) the function ĥ ∈ supp H (|φ ) that has the largest size ĥ (if such function is not unique, by default we pick the lexicographically first one).The definition extends naturally when the register W does not exist.
Similarly, if we write the oracle part in the computational basis |φ W H = w,h∈H β w,h |w W |h H , then we define the oracle support in the computational basis of |φ as supp H (|φ ) := {h : ∃w s.t.β w,h = 0} .Definition 2.7.A partial oracle L is a partial function from X to Y.The domain of L is denoted by Q L := dom(L).Equivalently, we view L as a finite set of pairs (x, y x ) ∈ X × Y such that for all (x, y x ), (x ′ , y ′ x ) ∈ L, x = x ′ .We say a partial oracle L is consistent with h : X → Y if and only if h(x) = y x holds for all x ∈ Q L .
For any partial oracle L, we define the associated projector Π L by where where H ′ is the set of registers corresponding to X \ Q L .

Quantum-Heavy Queries Learner
We now define the quantum-heavy queries learner algorithm.It was first defined in [ACC + 22, Construction 4.10], which can be seen as the quantum counterpart of the classical independence learner of [BM09], where Eve learns all the ε-heavy queries of both Alice and Bob.
Definition 2.10 (Quantum ε-heavy queries [ACC + 22, Definition 4.9]).For x ∈ X , define the projector Given a quantum state |ψ WAWB H , the weight of any x ∈ X is defined as that is, the quantum heaviness of x is the probability of obtaining a non-0 outcome while measuring H x in the Fourier basis.We call x ∈ X a quantum ε-heavy query if w(x) ≥ ε.
Construction 2.11 (Quantum-heavy queries learner [ACC + 22]).Let (A, B) be an inputless twoparty QCCC protocol relative to a random oracle h, in which Alice and Bob make at most d quantum queries to the oracle.Given the transcript t, (computationally-unbounded) attacking algorithm Eve is parameterized by ε and works as follows.
1. Let L denote the set of oracle query-answer pairs obtained by Eve from the oracle, and Q L is defined similarly while only containing the queries.Initially prepare L = ∅ and the classical description of the state where |Φ 0 is a uniform superposition over all h ∈ H, W ′ A , W ′ B and H ′ are the simulated registers for Alice, Bob, and the oracle prepared by Eve. 2. Simulate the state evolution during the protocol.Concretely, Eve calculates the state in W ′ A W ′ B H ′ after each round in the protocol.Whenever Eve encounters the moments in which Alice (Bob) sends their message, Eve calculates the post-measurement state that is consistent with t. 3.While there is any query x / ∈ Q L that is quantum ε-heavy conditioned on (t, L), do the following: (a) Ask the lexicographically first quantum ε-heavy query x from the real oracle h.

(b) Update the state in W ′
A W ′ B H ′ to the post-measurement state that is consistent with (x, h(x)).(c) Update L by adding (x, h(x)) to L. 4. When there is no quantum ε-heavy query left to ask, Eve outputs the simulated quantum state B H ′ and her list L, conditioned on the transcript t. Remark 2.12.We note that Construction 2.11 described above is almost identical to [ACC + 22, Construction 4.10].The only difference is that Eve outputs the simulated state, which can be constructed from the classical description that Eve has computed, along with the list of queries she made to the oracle.
The technical properties of the quantum-heavy queries learner in Construction 2.11 are stated in the following lemma.
Lemma 2.13 ([ACC + 22]).For any 0 < ε < 1, the quantum-heavy queries learner described in Construction 2.11 satisfies the following properties: where the expectation is over the randomness of the oracle and the algorithm Eve.
-Security: When the learner stops and learns a list L, there is no x ∈ Q L that is ε-quantum heavy in the purified view of Eve conditioned on knowing L and the transcript t.

Polynomial Compatibility Conjecture
In

Useful Lemmas
We will use the following lemma frequently in our proofs in subsequent sections.
Lemma 2.17 (Independence [ACC + 22, Lemma 3.2]).Suppose two quantum algorithms A and B interact classically in the quantum random oracle model.Let W A and W B denote their internal registers respectively.Then, at any time during the protocol, conditioned on the (classical) transcript t and the fixed oracle h ∈ H, the joint state of the registers W A and W B conditioned on t and h is a product state.

Attack on the Key Agreement Protocols
In this section, we consider key agreement protocols in an extended setting where both parties are quantum algorithms but they can only send classical strings over the public authenticated channel to the other party, except that the last message in the protocol can be a quantum state (in this case, the last message is not authenticated).We call this the Classical Communication One Quantum Message (CC1QM) model.In this extended setting, we show a conditional result based on the polynomial compatibility conjecture, that any protocol in the CC1QM model with perfect completeness where Alice does not query the oracle after receiving the last message can be broken with an expected polynomial number of queries.We present the formal definition of key agreement protocols in the CC1QM model in Section 3.1.In Section 3.2, we state the main result and its proof.

Definitions
We start by defining the model of Classical Communication One Quantum Message, where two quantum parties (Alice and Bob) communicate using the public authenticated classical channel, except for the last message that can be quantum.We assume the first message is from Alice to Bob, while the last message is from Bob to Alice, and the last quantum message is non-authenticated.This can be assumed without loss of generality since if the first message is from Bob to Alice, we can always transform it into the other case, by letting Alice sends a dummy message to Bob for the first message.Furthermore, we consider the case where the key that Alice and Bob agree on is one bit and the protocol succeeds with probability 1 (i.e., perfect correctness).Also, as for Quantum Key Distribution (QKD), we allow the parties to abort the protocol at any time, if they detect suspicious activity in the quantum communication.Formally, this is done by making Alice output the character ⊥ instead of a key when the protocol is aborted.More formally, we define: Definition 3.1 (Key agreement protocols in the CC1QM model).We say that (A, B) is a key agreement protocol between two parties Alice and Bob in the CC1QM model (CC1QM-KA) if the following holds: 1.At the beginning of the protocol, Alice and Bob share no common information.Their corresponding algorithms, A and B, are stateful oracle-aided quantum algorithms which make at most d oracle queries.2. CC1QM.All of the messages are classical messages, except for the last message (from Bob to Alice) that can be a (mixed) quantum state, denoted as ψ.The transcript of the protocol is denoted as At the end of the protocol, Alice and Bob agree on a key k ∈ {0, 1} with probability 1 when the protocol succeeds (i.e. when neither Alice or Bob outputs k = ⊥).

Security.
Let A ′ fin be Alice's last computation in the protocol after she receives the final message from Bob.By deferred measurement principle, we can modify A ′ fin so that it applies a unitary transformation A fin followed by a measurement in the computational basis {Π k } k∈{0,1} and outputting a key k, and we write A ′ fin := Π k A fin .Similarly, let B ′ fin := Π k B fin be Bob's last computation in the protocol after he sends the final message to Alice.We note that A fin and B fin can make quantum queries to the oracle, and the output of A fin (resp.B ′ fin ) is the output key of Alice (resp.Bob) at the end of the protocol execution.Let (T, φ A , φ B ) ← A |= B be the output of an execution of the protocol right before Alice receives the last quantum message from Bob, where is the transcript of the execution, φ A and φ B are the internal state of A and B, respectively.(A, B) is secure if for any polynomially-bounded query adversary E: We say that a CC1QM-KA protocol (A, B) is (ε, s)-broken if there exists an attacker Eve that finds the key of (A, B) with probability at least ε, (A, B) succeeds with probability at least poly(ε), and Eve makes an expected number of queries at most s.

The Attack on Key Agreements Protocols
The goal of the section is to prove the following theorem that states that are no CC1QM-KA protocol in the QROM.
Theorem 3.2.Let (A, B) be a CC1QM-KA protocol, where Alice and Bob make at most d queries to a random oracle h : X → Y, and Alice does not query the oracle in the last part of the protocol (after receiving the quantum message from Bob).Assuming Conjecture 2.16 is true, then there exists an attacker Eve that makes at most poly(d, |Y|) many classical queries to h and breaks the security (according to Definition 3.1) with probability at least 0.8.
The proof consists of two parts, the first one shows that Eve manages to find the same key as the one computed as Bob, and this is proven in Section 3.2.2.The second part consists of showing that Alice agrees on the same key as Eve and Bob and this corresponds to Section 3.2.3.First, in the next section, we prove that the attack does not depend on the group of the domain of the function.

Group Equivalence of the Attack
We first show that if there is an attack for an Abelian group Y, then there is an attack for any other Abelian group Y ′ , up to some error terms.This allows us to relax the conjecture to be true for any Abelian group, as in [ACC + 22].The proof follows closely [ACC + 22]'s proof as they are almost identical, and we include it here for completeness.
Lemma 3.3.Suppose there exists a finite Abelian group Y, a constant τ > 0 and a function s(•) such that for all d ∈ N and any CC1QM-KA protocol A h 1 , B h 1 where Alice and Bob asks d queries to a random oracle h whose range is Y, and Alice does not query the oracle after receiving the last message, it holds that where Alice and Bob asks d ′ queries to another random oracle , and Alice does not query the oracle after receiving the last message, can be (τ − δ, 4s(md ′ ))-broken, where Proof.The proof follows from the proof of Lemma 4.8 from [ACC + 22].The only difference is that we must also show that with probability at least τ − δ, Alice and Bob agree on the same key as Eve.However, their proof relies on the fact that we can simulate a random oracle with another random oracle, even when their ranges are different, up to some errors.Thus, their proof follows through in our setting as well, and with the same parameters.
Lemma 3.4 (Attacking CC1QM-KA protocols).Assume Conjecture 2.16 is true for some Abelian group Y and parameters d and δ = ν/ε.Let (A, B) be a CC1QM-KA protocol where Alice and Bob make at most d queries to a random oracle h : X → Y, and Alice does not query the oracle after receiving the last message.Then, there exists an active attacker Eve who finds the secret key k with probability 1 − ν according to Definition 3.1.Moreover, Eve is expected to make at most d/ε queries to h.
The proof of Lemma 3.4 is given in subsequent Sections 3.2.2 and 3.2.3.We can now prove Theorem 3.2: Proof of Theorem 3.2.The proof follows immediately from Lemma 3.4, Lemma 3.3 and the proof of [ACC + 22, Theorem 4.5].

Part 1: Finding Bob's Key
In this subsection, we show that the attack algorithm described in Construction 2.11 can efficiently find Bob's key with high probability, assuming that Conjecture 2.16 is true.We first state and show a useful lemma that allows us to assume that when Bob sends the last message, he has already computed the key k on his side.Lemma 3.5.Let (A, B) be a CC1QM-KA protocol.Let φ B be the internal state of B after he computed the message ψ.Then, we can assume w.l.o.g. that Bob has computed the key k B from φ B before he sends the last message ψ to Alice.
Proof.Since the last message of the protocol is sent to Alice by Bob, by the no-signaling principle, Alice's computation after receiving ψ must commute with Bob's computation after sending ψ.Thus, Bob can compute the key on his side before sending the last message ψ.Lemma 3.6 (Simulation).Let (A, B) be a CC1QM-KA protocol where Alice and Bob make at most d queries to an oracle h : X → Y, and Alice does not query the oracle after receiving the last message.Assuming Conjecture 2.16 is true, for 0 < ν < 1, there exists an active attacker Eve that finds Bob's key k B with probability at least 1 − ν and Eve is expected to make at most poly d, 1 ν queries to h.
Proof of Lemma 3.6.Let Bob's last message be ψ M = i q i |ψ i ψ i | M , and let A ′ fin := Π k A fin be Alice's computation in the last step of the protocol.Let k B be the key computed by Bob at the end of the protocol.By Lemma 3.5, we can assume that Bob already computes his key k B before sending the last message to Alice.
Our attacking algorithm Eve 1 is described below.
Construction 3.7.Eve 1 runs the quantum-heavy queries learner Eve in Construction 2.11 with parameter ε := conditioned on the classical transcript t until before Bob sends his last message, except that it aborts if Eve asks more than d ε queries.In the case Eve 1 does not abort, let be the state that Eve outputs, conditioned on the classical transcript t. Eve 1 then outputs the measurement outcome of fin makes no oracle query to h and acts on two registers W ′ A and M only.
By Lemma 2.13, the number of queries asked by Eve satisfies E [|L|] ≤ d ε .By Markov's inequality, we have Thus, we can conclude that with probability at least 1 − ν, all of the following events hold: - where A fin cannot make queries to h and only acts on W ′ A and M .Fix i and write | Ψ because this property only depends on the H register, who is unchanged there.Then, since A fin makes no query to the random oracle, the oracle register H is not modified and thus | Ψ We are going to show that there exists a key k ′ = b ∈ {0, 1} such that the probability of the key b in the key distribution of | Ψ (i) t,L is larger than 1 − ν.By contradiction, assume that for both b = 0 and b = 1, we have that the probability of this key is smaller than 1 − ν.By considering the complementary events, we have that: t,L,k ′ =b be the residual state conditioned on the key equal to b.Then, it follows that | Ψ where the last inequality comes from the fact that | Ψ Then Conjecture 2.16 implies that the states | Ψ t,L,k ′ =1 are compatible, which means that there exists two different states w 0 , w 1 ∈ W ′ A EW and an oracle ĥ such that ĥ is consistent with w 0 and w 1 .And for this specific oracle, w 0 outputs the key 0 and w 1 outputs the key 1, both with non-zero probability.However, Bob's key has already been computed by Lemma 3.5, and is fixed to some k B ∈ {0, 1}.Thus, there is an oracle such that Bob outputs k B .Plus, for this specific oracle, Alice outputs key 0 with non-zero probability, and outputs key 1 with non-zero probability as well.Hence there is an execution of the protocol such that Bob outputs k B and Alice outputs k A = 1 − k B , which breaks the perfect completeness of the protocol.
We now show that the key computed by Eve is the same as hypothetical Alice's key, defined by , that is the key that Alice would have computed if the protocol had continued normally.Since the protocol is perfect, we have that k

and the state | Ψ t,L W ′
A EW H is a superposition of all of Alice's internal states that are consistent with Eve's view so far.The state |ψ i M corresponds to the real message that Bob sent to Alice.First note that Alice will never output k A = ⊥, because the state of Eve consists of a superposition of Alice's states that are consistent with the transcript.Indeed, if the message |ψ i M from Bob is inconsistent with the oracle, Alice is not able to detect it as she does not query the oracle in A fin .Note that the real oracle used in the protocol is one of the oracles in the superposition of oracles that are consistent with Eve's view.Also, for a fixed oracle, the key is computed deterministically by the perfectness of the protocol, and thus Eve's key is equal to Bob's hypothetical key with probability Π k | Ψ (i) t,L 2 over the random oracles.This shows that Eve succeeds with probability at least 1 − ν.
since the right term is a pure state.Replacing τ with its value, we have: where the last inequality comes from Equation (4).Now fix i.We write |Φ A = A fin |φ A ⊗ |h ⊗ |ψ i where |φ A corresponds to Alice's real register before receiving the message ψ.Since Π k is a projector and Π k |Φ A = |Φ A from perfect correctness, we can write it: where the σ i are such that σ i |Φ = 0. We write: For every |ψ i , we have that: where the fourth equality comes from the fact that and that σ i |Φ A = 0.The first inequality comes from the fact that the terms in the sum are positive, because they correspond to the probability of measuring the state |φ A φ A | ⊗ |h h| ⊗ ρ using the projection A fin σ i A fin † , and the last inequality comes from Equation (5).
This means that Alice measures the key k with probability at least 1 − λ when receiving the message ψ E from Eve and for pure message |ψ i , and if this is the case the meet-in-the-middle attack is a success.Since this is true for all of the |ψ i , it also follows for ψ by convexity.This concludes the proof.

Impossibility of quantum public-key encryption with classical keys
In this section, we show that the (conditional) impossibility of CC1QM-KA protocols proven above also implies a (conditional) impossibility for quantum public key encryption (qPKE) with classical public keys, but ciphertexts can be quantum states.
We first define the notion of qPKE with classical keys which is modified from the notion of qPKE with quantum keys given in [BGHD + 23], then prove our impossibility.Furthermore, in the quantum random oracle model, we allow these algorithms to make quantum queries to a random function H.We also allow these algorithms to be inefficient, but can only make at most polynomially (in the security parameter) many queries to the random oracle.
We say that a qPKE scheme is perfectly correct if for every message m ∈ {0, 1} * and any security parameter λ ∈ N, the following holds: where the probability is taken over the randomness of Gen, Enc and Dec.
We next define indistinguishability security of one-bit qPKE in Definition 3.11.When considering one-bit encryption this notion coincides with the one-way security notion, which is considered the weakest security notion of encryption.Thus, using this notion makes our negative result stronger.Since the existence of an IND-CPA secure qPKE scheme with classical public keys in the QROM implies the existence of a CC1QM-KA protocol in the QROM, we also obtain the following result.
Corollary 3.12.Assuming Conjecture 2.16 is true, there is no IND-CPA secure qPKE scheme with classical public keys in the QROM, where the decryption algorithm does not query the random oracle.
Proof.By contradiction, let Π = (Gen, Enc, Dec) be a qPKE scheme with classical public keys and assume it is IND-CPA secure.We construct a two-message one-bit CC1QM-KA protocol Π, where the first message from Alice to Bob is classical and the second message from Bob to Alice is quantum, as follows.
It is easy to see that Π is a secure CC1QC-KM protocol in the QROM if Π is IND-CPA secure.Furthermore, if Π is perfectly correct, Π is also perfectly correct.Finally, if Dec(•, •) does not query the oracle, then Alice in the last step of Π does not query the oracle as well.This contradicts Theorem 3.2 and concludes our proof.
Remark 3.13.We note that our impossibility of CC1QM-KA is the strongest possible impossibility (conditioned on the assumption that Conjecture 2.16 is true), in the sense that the adversary can find the shared key and maintain the correctness of the protocol (that is, Alice and Bob can still find the shared key), while the usual security definition only asks the adversary to find the key of one of two parties.This strong impossibility allows us to rule out the possibility of qPKE in the QROM with stronger requirements, for example, qPKE with decryption error detectability as defined in [KMNY23].
Definition 3.10 (Public-key encryption with classical public keys).Public-key encryption with classical public keys (qPKE) consists of three algorithms with the following syntax:• (pk, sk) ← Gen(1 λ ) : a quantum algorithm, which takes as input the security parameter and outputs a classical key pair (pk, sk).• qc ← Enc(pk, m): a quantum algorithm, which takes as input a classical public key pk, a plaintext m, and outputs a possibly quantum ciphertext qc.• m/⊥ ← Dec(sk, qc): a quantum algorithm, which takes as input a decryption key sk, a ciphertext qc, and outputs a classical plaintext m or a distinguished symbol ⊥ indicating decryption failure.
Let |Ψ WAWB H denote the state at the end of the protocol, and let |Ψ t WAWB H denote the postmeasurement state of |Ψ WAWB H which is consistent with the transcript t.
and 0 otherwise, and the oracle register H is initialized as|Φ 0 H = x∈X | 0 Hx .Definition 2.4 (Purified view of two-party protocols in the QROM).A two-party protocol in the Quantum-Computation Classical-Computation (QCCC) model is a protocol in which two quantum algorithms, Alice and Bob, can query the oracle, apply quantum operation on their internal registers, and send classical strings over the public (authenticated) channel to the other party.The sequence of the strings sent during the protocol is called the transcript of the protocol.Let W A and W B be Alice's and Bob's internal registers, respectively.Let H := Y X .For any two-party protocol, we define its purified version as follows.-Iftheprotocol is inputless, start with |0 WA |0 WB h∈H 1 √ |H| |h H . Otherwise, if Alice takes as input a classical string a ∈ X and Bob takes as input a classical string b ∈ X , start with |a WA |b WB h∈H 1 √ |H| |h H .-Alice and Bob run the protocol in superposition, that is, all the measurements (including those used for generating the transcript) are delayed and the query operator O h is replaced by O. - Hx is the identity operator acting on H x .It holds that Π L |h H = |h H if h is consistent with L, and Π L |h H = 0 otherwise.Lemma 2.8.If A asks at most d queries to the superposition oracle, then for all possible outcomes of A's intermediate measurements, the joint state |ψ W H conditioned on the outcome satisfies ĥH Lemma 2.9.Given a state |ψ W H and a partial oracle L, the state Π L |ψ W H can be written as max (|ψ ) ≤ d.
This means that for any measurement of registers H in the Fourier basis, and W in any basis, the oracle support in the Fourier basis is at most d.δ-lightness:For every x ∈ X , if we measure the H x register of |ψ in the Fourier basis, the probability of getting 0 is at least 1 − δ.This mean that |ψ has no δ-heavy queries.Two quantum states |φ and |ψ over registers W and H are compatible if their oracle supports in the computational basis (as defined in Definition 2.6) have non-empty intersection, i.e., if supp H (|φ ) ∩ supp H (|ψ ) = ∅.
this section, we recall the Polynomial Compatibility Conjecture (PCC) of [ACC + 22].The formulation we use here is based on quantum states.Definition 2.14 ((Y, δ, d, N )-state [ACC + 22, Definition 4.1]).Let H be a register over the Hilbert space Y N .A quantum state |ψ over registers W and H is a (Y, δ, d, N )-state if it satisfies the following two conditions: -d-sparsity: ĥH max (|ψ ) ≤ d. + 22, Conjecture 4.3]).There exists a finite Abelian group Y and δ = 1/poly(d) such that for any d, N ∈ N, it holds that any two (Y, δ(d), d, N )-states |φ and |ψ are compatible.
Eve 1 is efficient: Eve 1 does not abort and asks at most d ν•ε = poly(d, 1/ν) queries.-Upuntil before Bob sends his last message, no quantum ε-heavy query is left: for all x / ∈ Q L , w(x) < ε, where w(•) is defined in Definition 2.10.Suppose that all the above events occur for the rest of the proof ( ⋆ ).For simplicity, denote |Ψ Eve We will consider the purified version of the protocol.Let |φ t W H be the joint state of the real protocol before Bob sends his last message to Alice, conditioned on the classical transcript t.After Eve 1 learns the heavy queries, the resulting state becomes |φ t,L conditioned on t and Eve's list of query-answer L. Since the oracle registers corresponding to Q L are now measured, we can consider the "truncated" version of |φ t,L W H by discarding those registers.Let H := {H x } x∈X \QL be the set of remaining registers.By |φ t,L W H we denote the truncated |φ t,L W H .A E |φ t,L W H be the joint state of Eve 1 and the real protocol right before Bob sends his last message to Alice.By Lemma 2.8, it holds that ĥH By the assumption ( ⋆ ) above, we have that | Ψ t,L is a (Y, ε, poly(d, ν), |X |)-state (with the register H in Definition 2.14 being H).Next, let ψ M