We construct quantum public-key encryption from one-way functions. In our
construction, public keys are quantum, but ciphertexts are classical. Quantum
public-key encryption schemes from one-way functions (or weaker primitives such as
pseudorandom function-like states) have also been proposed in some recent works
[Morimae-Yamakawa, eprint:2022/1336; Coladangelo, eprint:2023/282;
Barooti-Grilo-Malavolta-Sattath-Vu-Walter, eprint:2023/877]. However, they have
a huge drawback: they are secure only when quantum public keys can be
transmitted to the sender (who runs the encryption algorithm) without being
tampered with by the adversary, which seems to require unsatisfactory physical
setup assumptions such as secure quantum channels. Our construction is free
from such a drawback: it guarantees the secrecy of the encrypted messages even
if we assume only unauthenticated quantum channels. Thus, the encryption is
done with adversarially tampered quantum public keys. Our construction is the
first quantum public-key encryption that achieves the goal of classical
public-key encryption, namely, to establish secure communication over insecure
channels, based only on one-way functions. Moreover, we show a generic compiler
to upgrade security against chosen plaintext attacks (CPA security) into
security against chosen ciphertext attacks (CCA security) using only one-way
functions. As a result, we obtain CCA secure quantum public-key encryption
based only on one-way functions.

Comment: 48 pages