
Founding Quantum Cryptography on Quantum Advantage, or, Towards Cryptography from $\mathsf{\#P}$-Hardness (2409.15248v2)

Published 23 Sep 2024 in quant-ph and cs.CR

Abstract: Recent oracle separations [Kretschmer, TQC'21, Kretschmer et al., STOC'23] have raised the tantalizing possibility of building quantum cryptography from sources of hardness that persist even if the polynomial hierarchy collapses. We realize this possibility by building quantum bit commitments and secure computation from unrelativized, well-studied mathematical problems that are conjectured to be hard for $\mathsf{P^{\#P}}$ -- such as approximating the permanents of complex Gaussian matrices, or approximating the output probabilities of random quantum circuits. Indeed, we show that as long as any one of the conjectures underlying sampling-based quantum advantage (e.g., BosonSampling, Random Circuit Sampling, IQP, etc.) is true, quantum cryptography can be based on the extremely mild assumption that $\mathsf{P^{\#P}} \not\subseteq \mathsf{(io)BQP/qpoly}$. We prove that the following hardness assumptions are equivalent. (1) The hardness of approximating the probability assigned to a randomly chosen string in the support of certain efficiently sampleable distributions (up to inverse polynomial multiplicative error). (2) The existence of one-way puzzles, where a quantum sampler outputs a pair of classical strings -- a puzzle and its key -- and where the hardness lies in finding the key corresponding to a random puzzle. These are known to imply quantum bit commitments [Khurana and Tomer, STOC'24]. (3) The existence of state puzzles, or one-way state synthesis, where it is hard to synthesize a secret quantum state given a public classical identifier. These capture the hardness of search problems with quantum inputs (secrets) and classical outputs (challenges). These are the first constructions of quantum cryptographic primitives (one-way puzzles, quantum bit commitments, state puzzles) from concrete, well-founded mathematical assumptions that do not imply the existence of classical cryptography.

Citations (5)

Summary

  • The paper establishes a connection between quantum advantage and cryptographic primitives by leveraging #P-hardness assumptions to construct one-way puzzles and quantum commitments.
  • Its methodology rigorously proves average-case hardness in approximating quantumly sampleable probabilities using techniques like anticoncentration and binary search for inversion.
  • The research unifies complexity theory with cryptography, paving the way for practical quantum communications under minimal yet realistic hardness assumptions.

Founding Quantum Cryptography on Quantum Advantage

The paper, "Founding Quantum Cryptography on Quantum Advantage or, Towards Cryptography from #P-Hardness," by Dakshita Khurana and Kabir Tomer, investigates novel approaches towards constructing quantum cryptographic primitives from well-founded mathematical hardness assumptions. These assumptions are believed to hold even if the Polynomial Hierarchy (PH) collapses. Through this exploration, the authors present a significant bridge between complexity theory and quantum cryptography.

Core Contributions

Key Assumptions and Hardness Results

The authors put forth several assumptions and provide rigorous proofs delineating their implications. Specifically:

  1. Hardness of Approximating Probabilities:
    • Anticoncentration: For a family of efficiently sampleable distributions, there exists a noticeable fraction of outcomes with significant probability.
    • Hardness of Sampling: Approximating the probabilities of certain outcomes is assumed to be #P-hard on average with polynomially bounded errors.
  2. Native Approximation Hardness: This modified version targets the cryptographic implications more directly by defining the probabilities in terms of classical strings, thus aligning better with practical cryptographic constructions.

One-way Puzzles and Sampling-Based Quantum Advantage

The authors detail the dual implications between quantum advantage and cryptographic primitives:

  • From Sampling to Cryptography: If the assumptions regarding the hardness of approximating probabilities in quantumly sampleable distributions hold, one can construct one-way puzzles. These puzzles further imply the existence of quantum bit commitments and secure computations.
  • From Cryptography to Sampling: The existence of one-way puzzles implies that it is infeasible to sample from certain distributions non-quantumly, ensuring a basis for quantum advantage.
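An added toy illustration, not taken from the paper or from this summary, of why approximating output probabilities and finding puzzle keys are linked: given estimates of prefix probabilities within multiplicative error, a key can be built bit by bit. The distribution, the `make_oracle` approximator and the "pair lies in the sampler's support" validity check are constructed stand-ins; the paper's own reduction is not reproduced here.

```python
import random

N = 4  # key length in bits (toy size)

def toy_distribution(seed=7):
    """Constructed sampler output: Pr[(puzzle, key)], 3-bit puzzles, 3 valid keys each."""
    rng = random.Random(seed)
    w = {}
    for s in range(8):
        for k in rng.sample(range(2 ** N), 3):
            w[(format(s, "03b"), format(k, f"0{N}b"))] = rng.random() + 0.1
    total = sum(w.values())
    return {pair: x / total for pair, x in w.items()}

def make_oracle(dist, rng, mult=0.0, add=0.0):
    """Hypothetical approximator for Pr[puzzle, key starts with prefix].
    mult bounds the relative error, add bounds the absolute error."""
    def oracle(puzzle, prefix):
        p = sum(x for (s, k), x in dist.items()
                if s == puzzle and k.startswith(prefix))
        est = p * (1 + rng.uniform(-mult, mult)) + rng.uniform(-add, add)
        return max(est, 0.0)
    return oracle

def invert(puzzle, oracle, rng):
    """Extend the key one bit at a time using the estimated conditional probabilities."""
    prefix = ""
    for _ in range(N):
        p0, p1 = oracle(puzzle, prefix + "0"), oracle(puzzle, prefix + "1")
        if p0 + p1 == 0:
            return None  # both estimates are zero: nothing to follow
        prefix += "0" if rng.random() < p0 / (p0 + p1) else "1"
    return prefix

def success_rate(mult=0.0, add=0.0, trials=2000, seed=1):
    """Fraction of sampled puzzles for which the inverter returns a valid key."""
    rng = random.Random(seed)
    dist = toy_distribution()
    oracle = make_oracle(dist, rng, mult, add)
    pairs, probs = zip(*dist.items())
    wins = 0
    for _ in range(trials):
        puzzle, _key = rng.choices(pairs, probs)[0]
        wins += (puzzle, invert(puzzle, oracle, rng)) in dist
    return wins / trials
```

In this toy, a multiplicative-error oracle never assigns mass to a prefix outside the support, so the inverter always lands on a valid key, while an additive error comparable to the probabilities themselves sends it off the support.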

Quantum Commitments from Pseudo-deterministic Sampling

Exploring further, the paper demonstrates that if there exist distributions that cannot be pseudo-deterministically sampled, then quantum bit commitments can be derived. This implies that any classically infeasible but quantumly feasible sampling task can serve as a foundation for cryptographic primitives.

State Puzzles and Cryptographic Applications

The paper brings to the fore the concept of state puzzles, which require synthesizing a quantum state given a classical identifier. The authors prove that:

  • State Puzzles imply One-way Puzzles: This connection binds the hardness of generating quantum states with cryptographic security.
  • Amplification: Weak state puzzles can be amplified to provide strong cryptographic primitives, analogous to classical amplification paradigms for cryptographic hardness.

Analytical and Constructive Techniques

The paper employs a range of techniques to support its arguments:

  • Post-Selected Sampling: The concept that exactly sampling certain distributions implies hardness of approximating their probabilities.
  • Binary Search for Inversion: Employing binary search over the probabilities ensures an efficient method to invert cryptographic puzzles.
  • Two-Designs for Regularity: Using unitary two-designs to ensure anti-concentration properties and regular distributions, essential for synthesizing quantum states and deriving phases.

Implications and Future Directions

The research extends beyond immediate cryptographic constructions to broader implications:

  • Microcrypt's Realistic Foundations: Constructing quantum cryptographic primitives without relying on classical one-way functions shows that Microcrypt is not merely a theoretical possibility but can be based on realistic assumptions in quantum computing.
  • Separation of Cryptographic Primitives: The paper sets boundaries for what types of quantum cryptography can be constructively achieved, differentiating between weaker and stronger assumptions.
  • Unifying Complexity and Cryptography: It bridges conjectures from the quantum advantage literature with tangible cryptographic applications, offering rich ground for further exploration in the overlapping fields of complexity theory and cryptography.

Conclusion

This foundational paper paves the way for constructing robust quantum cryptography frameworks from minimal and well-founded assumptions. By establishing strong links between sampling-based quantum advantage and cryptographic primitives, the authors significantly advance the potential of secure quantum communications and computations, leveraging the inherent hardness of approximating quantum processes. This work opens doors to multiple avenues in both theoretical research and practical implementations in quantum cryptography.
