A quantum computer running Shor's algorithm would be famously useful for *de*crypting information encrypted by many classical public-key cryptography algorithms. Is there any reason (either a specific proposed protocol or a general heuristic argument) to suspect that a quantum computer could be useful for *encrypting* information in a way that's more secure than is possible with a classical computer with comparable resources? Ideally, secure even against attacks by quantum computers?

I'm *not* talking about "physics-based" quantum encryption schemes like quantum key distribution (discussed here) or other schemes that require transmitting a coherent quantum state over a quantum channel. I'm talking about more traditional "mathematics-based" encryption schemes, in which one or both parties have a quantum *computer* at each end, but they can only transmit the encoded information in the form of classical bit strings over an insecure classical channel (potentially after having transmitted a symmetric key out of band).

This question is inspired by Scott Aaronson's comments here and here on his blog. Apparently people regularly claim that quantum *computers* (not QKD) could be useful for *en*cryption, but Prof. Aaronson has never understood why.

This is thought-provoking, but I'm not sure if I made my question clear. Please correct me if I'm misunderstanding, but you seem to be proposing a cryptosystem that's secure against classical attacks (perhaps even more so than RSA?), vulnerable to quantum attacks, and requires a quantum computer to both encrypt and decrypt. But I'm not sure what that's useful for, since RSA is already believed to be secure against classical attacks. I'm looking for a public-key cryptosystem that's secure even against quantum attacks. Is yours? – tparker – 2020-01-03T05:17:41.187

@tparker this would be secure against quantum attacks to the extent that we believe QCMA and BQP are not equal, which is at least as strong a belief as you'd get from post-quantum cryptography because QCMA contains NP. – DaftWullie – 2020-01-03T06:29:52.193

I think a slight nitpick is that there aren't actually any cryptosystems that are based on NP-complete problems (which haven't already been broken). As discussed at https://stackoverflow.com/q/311064/5133482, NP-completeness isn't really relevant for cryptography, because it considers worst-case hardness, while average-case hardness is what's important for cryptography. But I think your basic point still stands. – tparker – 2020-01-04T23:10:23.523

Agreed. I was trying to avoid over-complicating the answer. – DaftWullie – 2020-01-05T06:40:47.410