6

3

Such a public key cryptosystem would be "quantum safe" in the sense that quantum computers cannot efficiently solve QMA hard problems.

4

Please start by reading my answer here. I believe you've mistaken the requirements for post-quantum crypto. If you use a scheme which is QMA-hard, then that means either your problem is QMA-complete (in which case, you can decrypt the message using a quantum computer, but not with a classical computer unless NP=QMA), or not (in which case you cannot decrypt efficiently even on a quantum computer). What you typically want for post-quantum crypto is something for which the decryption (by the holder of the private key) can be performed efficiently on a classical computer.

There may be schemes out there which are designed to be run with quantum computers performing the (allowed) decryption, but I'm not aware of any, and they are not the main focus of research at the moment.

As I also described in the other answer, what you're more likely to be interested in is some form of typical case complexity. I suppose it's conceivable that cases with an NP-complete typical case complexity *could* have worst-case complexity that's QMA-hard.

I think the original question is worded ambiguously. Probably the OP is asking about decryption of the public message without having the "private key" (?). – Sanchayan Dutta – 2018-06-29T07:13:53.137

@Blue Of course they are concerned that if you don't have the public key it must be hard to decrypt, but you also need that there exists a public key with which it is easy to decrypt, otherwise the scheme is kind of useless. My point is that these complexity classes prohibit that part of the scheme. – DaftWullie – 2018-06-29T07:23:42.137

@Blue: is right, I meant "decrypting by an eavesdropper" not "decrypting by the sender or the rightful receiver". I changed the title of the question to "decrypting by an eavesdropper" and then changed it again to just "hacking", let me know if it is still unclear. – user1271772 – 2018-06-29T08:34:57.763

Again, I'm looking for some examples of classical public-key cryptosystems where it would be hard for a quantum computer to successfully hack. – user1271772 – 2018-06-29T08:35:56.590

Yes, but my point is that for it to be hard for a quantum computer to hack, the problem only has to not be in BQP, rather than being QMA-hard. For example, in the normal classical case of RSA, the central function is factoring. The problem is (assumed to be) outside P making it hard for a classical computer to hack, but inside NP (NOT NP-hard) so that the rightful receiver can decrypt it on a classical computer. – DaftWullie – 2018-06-29T08:48:05.493

2

This doesn't directly answer your question; however, these may be relevant to what you're looking for:

1. Zero knowledge proof is possible for all NP statements (https://link.springer.com/chapter/10.1007/3-540-47721-7_11)
2. All problems in NP admit classical zero-knowledge proof systems, and under reasonable hardness assumptions for quantum computations, these proof systems can be made secure against quantum attacks (https://arxiv.org/abs/quant-ph/0511020)
3. Every problem in the complexity class QMA has a quantum zero-knowledge proof system (https://arxiv.org/abs/1604.02804)

– Sanchayan Dutta – 2018-06-29T06:44:56.087

Interestingly, Watrous says in the abstract: "This paper proves that several interactive proof systems are zero-knowledge against general quantum attacks. This includes the well-known Goldreich–Micali–Wigderson classical zero-knowledge protocols for graph isomorphism and graph 3-coloring (assuming the existence of quantum computationally concealing commitment schemes in the second case)." Relevant: How do zero knowledge protocol with vertex-3-coloring work?

– Sanchayan Dutta – 2018-06-29T06:52:56.160