Paper 2023/161

Quantum Advantage from One-Way Functions

Tomoyuki Morimae, Kyoto University
Takashi Yamakawa, NTT (Japan)
Abstract

Is quantum computing truly faster than classical computing? Demonstrating unconditional quantum computational advantage lies beyond the reach of the current complexity theory, and therefore we have to rely on some complexity assumptions. While various results on quantum advantage have been obtained, all necessitate relatively stronger or less standard assumptions in complexity theory or classical cryptography. In this paper, we show quantum advantage based on several fundamental assumptions, specifically relying solely on the existence of classically-secure one-way functions. Given the fact that one-way functions are necessary for almost all classical cryptographic primitives, our findings yield a surprising implication: if there is no quantum advantage, then there is no classical cryptography! More precisely, we introduce inefficient-verifier proofs of quantumness (IV-PoQ), and construct it from statistically-hiding and computationally-binding classical bit commitments. IV-PoQ is an interactive protocol between a verifier and a quantum polynomial-time prover consisting of two phases. In the first phase, the verifier is classical probabilistic polynomial-time, and it interacts with the quantum polynomial-time prover over a classical channel. In the second phase, the verifier becomes inefficient, and makes its decision based on the transcript of the first phase. If the quantum prover is honest, the inefficient verifier accepts with high probability, but any classical probabilistic polynomial-time malicious prover only has a small probability of being accepted by the inefficient verifier. In our construction, the inefficient verifier can be a classical deterministic polynomial-time algorithm that queries an NP oracle. Our construction demonstrates the following results based on the known constructions of statistically-hiding and computationally-binding commitments from one-way functions or distributional collision-resistant hash functions: • If one-way functions exist, then IV-PoQ exist. • If distributional collision-resistant hash functions exist (which exist if hard-on-average problems in SZK exist), then constant-round IV-PoQ exist. We also demonstrate quantum advantage based on worst-case-hard assumptions. We define auxiliary-input IV-PoQ (AI-IV-PoQ) that only require that for any malicious prover, there exist infinitely many auxiliary inputs under which the prover cannot cheat. We construct AI-IV-PoQ from an auxiliary-input version of commitments in a similar way, showing that • If auxiliary-input one-way functions exist (which exist if CZK ̸ ⊆ BPP), then AI-IV-PoQ exist. • If auxiliary-input collision-resistant hash functions exist (which is equivalent to PWPP ⊈ FBPP) or SZK ⊈ BPP, then constant-round AI-IV-PoQ exist. Finally, we also show that some variants of PoQ can be constructed from quantum-evaluation one-way functions (QE-OWFs), which are similar to classically-secure classical one-way functions except that the evaluation algorithm is not classical but quantum. QE-OWFs appear to be weaker than classically-secure classical one-way functions, and therefore it demonstrates quantum advantage based on assumptions even weaker than one-way functions.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A minor revision of an IACR publication in CRYPTO 2024
Keywords
proofs of quantumnessquantum advantagecommitmentsone-way functions
Contact author(s)
tomoyuki morimae @ yukawa kyoto-u ac jp
takashi yamakawa ga @ hco ntt co jp
History
2024-05-22: revised
2023-02-09: received
See all versions
Short URL
https://ia.cr/2023/161
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/161,
      author = {Tomoyuki Morimae and Takashi Yamakawa},
      title = {Quantum Advantage from One-Way Functions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/161},
      year = {2023},
      url = {https://eprint.iacr.org/2023/161}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.