One-Way Puzzles in Quantum Cryptography

Updated 13 October 2025

One-way puzzles (OWPuzzs) are cryptographic primitives defined by a quantum polynomial-time sampler and a verifier that ensure correctness and security against quantum adversaries.
They employ hardness amplification and combiners to reinforce the difficulty of solving individual puzzle instances, even when attackers have moderate success on isolated cases.
OWPuzzs underpin various quantum applications, including commitment schemes, multi-party computation protocols, and proofs of quantumness, thereby shaping modern quantum cryptography.

A one-way puzzle (OWPuzz) is a cryptographic primitive that generalizes the classical notion of one-way functions to the quantum setting, serving as a linchpin for contemporary quantum cryptographic frameworks. An OWPuzz is formally defined as a pair of algorithms (Samp, Ver), where Samp is a quantum polynomial-time (QPT) sampling algorithm that outputs a puzzle and corresponding solution (ans, puzz), and Ver is a (potentially inefficient or unbounded) algorithm that verifies purported solutions. The core properties are: correctness (an honestly-generated answer always verifies), and security (no efficient adversary, given only the puzzle, can output a valid solution with non-negligible probability). OWPuzzs are central in "Microcrypt": quantum cryptography without the existence of classical one-way functions.

1. Foundational Definition and Core Properties

An OWPuzz is specified as follows:

The sampler Samp, given the security parameter $1^n$ , outputs a pair $(\text{puzz}, \text{ans}) \in \{0,1\}^{*} \times \{0,1\}^{*}$ .
The verifier Ver, on input $(\text{puzz}, \text{ans'})$ , outputs $\top$ iff $\text{ans'}$ is a valid solution for $\text{puzz}$ .

Correctness and security conditions take the form: $\Pr_{(\text{puzz},\,\text{ans}) \leftarrow \mathsf{Samp}(1^n)}[\mathsf{Ver}(\text{puzz}, \text{ans}) = \top] \geq 1 - \text{negl}(n)$

$\forall \text{QPT } \mathcal{A},~ \Pr_{(\text{puzz},\,\text{ans}) \leftarrow \mathsf{Samp}(1^n)}[\mathsf{Ver}(\text{puzz}, \mathcal{A}(\text{puzz})) = \top] \leq \text{negl}(n)$

This primitive is motivated by the desire to construct cryptographically hard problems assuming only quantum resources, even in settings where classical OWFs may not exist.

OWPuzzs are particularly situated for the QCCC (Quantum-Computation Classical-Communication) model, where protocols involve quantum-generation and classical verification (Chung et al., 27 Feb 2024).

2. Characterizations via Learning, Meta-Complexity, and Sampling Hardness

Recent advances provide complete equivalence characterizations between the existence of OWPuzzs and average-case hard learning problems, as well as meta-complexity and sampling hardness:

Distribution Learning: OWPuzzs exist if and only if proper quantum distribution learning is hard on average. Here, given sample access to a family of distributions governed by a hidden parameter $z$ , no QPT algorithm can, with non-negligible probability, output a hypothesis distribution from the family statistically close to the true one (Hiroka et al., 2 Jul 2025). Conversely, if such learning is possible on average, OWPuzzs cannot exist.
Meta-Complexity: OWPuzzs exist exactly when the promise problem $\mathrm{GapK}[s_1, s_2]$ —to determine whether a given string has Kolmogorov complexity below $s_1$ or above $s_2$ —is weakly quantum-average hard over some quantum samplable distribution. Formally, for a QPT sampler $Q$ there exists $k > 0$ such that for any QPT adversary $A$ :

$\Pr_{x \leftarrow Q(1^n)}[\text{A outputs\ incorrect decision}] \geq 1/n^k$

(Hiroka et al., 2 Oct 2024, Cavalar et al., 7 Oct 2024).

Sampling Hardness (SampPDQP): If sampling problems solvable by classical polynomial-time algorithms with access to a non-collapsing measurement oracle (SampPDQP) are hard on average for QPT algorithms, then OWPuzzs exist (Morimae et al., 6 Oct 2025). Non-collapsing measurement oracles are unphysical constructs that allow one to sample measurement results on a quantum state without disturbing it; simulating these is assumed to be infeasible for QPT.

3. Technical Tools: Amplification, Combiners, and Separations

Hardness amplification and combiners are fundamental for building robust OWPuzz constructions:

Hardness Amplification: Given a weak puzzle (solvable with moderate probability), it is possible to amplify its hardness using multiple independent instances and monotone functions. Let $\Gamma^{(g)}$ denote the checking circuit aggregating $k$ independent puzzles via a monotone Boolean function $g$ , and $\delta$ the success probability of a single instance. Then any adversary's success is bounded as:

$\Pr\left[\Gamma^{(g)}(\langle P^{(g)}, C\rangle_C) = 1\right] \leq \Pr_{u\leftarrow\mu_\delta^k}[g(u)=1] + \epsilon$

Excess success implies an efficient algorithm for solving the single-instance puzzle with improved probability. Critically, the reductions in these amplifications are “non-rewinding,” making them suitable for interactive cryptographic protocols (Holenstein et al., 2010).

Combiners and Universal Constructions: It is possible to robustly combine several puzzle instances or candidate generators so that the combined OWPuzz remains secure as long as at least one component is. Universal constructions concatenate a list of candidate puzzle generators into a universal puzzle, mirroring classical universal OWFs (Chung et al., 27 Feb 2024).
Black-Box Separations: There are quantum oracle constructions where efficiently verifiable OWPuzzs (EV-OWPuzz) do not exist, even though general OWPuzzs do—indicating that efficient verification is a strictly stronger requirement (Behera et al., 4 Oct 2024, Chung et al., 27 Feb 2024). Such separations clarify that many QCCC primitives imply OWPuzzs but not necessarily efficiently verifiable OWPuzzs.

4. Applications and Implications: Commitments, MPC, Quantum Advantage

OWPuzzs underpin an extensive array of quantum cryptographic applications:

Commitment Schemes: Hardness amplification of OWPuzzs allows amplification of weak bit commitments to strong commitments, even in interactive protocols, by assembling multiple instances and using monotone extraction circuits. The non-rewinding nature of the reductions is essential for security in interactive contexts (Holenstein et al., 2010, Khurana et al., 2023, Chung et al., 27 Feb 2024).
Multi-party Computation (MPC): Quantum bit commitments constructed from OWPuzzs yield building blocks for secure multi-party computation, including protocols secure against quantum adversaries (Khurana et al., 2023).
Quantum Advantage: The existence of (classically-secure) OWPuzzs is equivalent to the existence of inefficient-verifier proofs of quantumness (IV-PoQ), which serve as cryptographic characterizations of quantum computational advantage. If IV-PoQ protocols exist, then so do OWPuzzs, and vice versa, placing quantum advantage within this cryptographic framework (Morimae et al., 1 Oct 2024).
CountCrypt: OWPuzzs are minimal primitives in the “CountCrypt” class: primitives that are secure when quantum adversaries do not have access to #P (i.e., PP) oracles. If $\text{BQP} = \text{PP}$ , OWPuzzs cannot exist (Goldin et al., 18 Oct 2024).

5. Relation to Other Quantum and Classical Primitives

OWPuzzs generalize and bridge the gap between various cryptographic primitives:

Connection to OWFs: In the classical setting, OWPuzzs are nearly equivalent to standard one-way functions: sampling a (key, puzzle) pair mimics evaluating a one-way function with uniform randomness. In the quantum setting, the situation diverges sharply; OWPuzzs may exist absent classical OWFs due to the inability to "flatten" the induced randomness of quantum samplers (Khurana et al., 2023, Cavalar et al., 7 Oct 2024).
Distributional and Random-Input Variants: OWPuzzs are equivalent to their distributional and random-input variants, where the hidden solution (“key”) is sampled from a complex or correlated distribution rather than uniform randomness (Chung et al., 27 Feb 2024).
EFI Pairs and Pseudorandom States: OWPuzzs sit between pseudorandom state generators and EFI pairs, serving as an intermediate and central primitive. Oracle separations demonstrate that QEFID pairs can exist even when OWPuzzs with efficient verification and unclonable state generators do not (Behera et al., 4 Oct 2024).
Collision-Resistant Puzzles (dCRPuzzs): Distributional collision-resistant puzzles form a related primitive, implying average-case hardness for SampPDQP sampling problems and hence the existence of OWPuzzs (Morimae et al., 6 Oct 2025).

6. Complexity-Theoretic Prerequisites and Limitations

The possibility and impossibility of constructing OWPuzzs rests on intricate complexity-theoretic boundaries:

Complexity Separations: OWPuzzs exist if $PP \neq BQP$ (Hiroka et al., 2 Jul 2025, Goldin et al., 18 Oct 2024), and implications to sampling complexity classes such as $SampBQP \neq SampBPP$ arise in the presence of robust worst-case to average-case reductions.
Meta-Complexity Barriers: OWPuzzs are characterized not by the hardness of problems in NP or QMA (as ruled out by the Kretschmer oracle separations), but rather by meta-complexity and probability estimation hardness on quantum samplable distributions (Cavalar et al., 7 Oct 2024).
Limits of Efficient Verification: Separation results show that some primitives implied by OWPuzzs (e.g., private-key quantum money, strong unclonable state generators) cannot be achieved via fully black-box reductions from QEFID pairs or in oracle worlds where only OWPuzzs exist without efficient verification (Behera et al., 4 Oct 2024).

7. Open Problems and Research Directions

Several directions are highlighted for further investigation:

Extending to Mixed States: Current constructions often use pure-state outputs for the sampler; extension to mixed states is an active area (Khurana et al., 2023).
Worst-Case to Average-Case Reductions: Direct reductions from worst-case hardness to average-case hardness for quantum distribution learning are elusive and would have strong implications for quantum complexity theory (Hiroka et al., 2 Jul 2025).
Zero-Knowledge Quantumness Proofs: The potential for analogues of IV-PoQ with zero-knowledge properties remains open (Morimae et al., 1 Oct 2024).
Robustness under Non-Uniform Adversaries: Adapting constructions to the non-uniform adversary setting is a challenging problem in extending meta-complexity characterizations (Morimae et al., 1 Oct 2024).
Broader Primitive Foundations: The exploration of whether MPC, digital signatures, or other cryptographic tasks can be based directly on OWPuzzs within QCCC models, and the extent to which existing protocol transformations are optimal, remain open (Khurana et al., 2023, Chung et al., 27 Feb 2024).

OWPuzzs thus cement their position as a central and technically nuanced primitive in quantum cryptography, with a foundational status defined by tight equivalence results to learning theory, meta-complexity, and quantum sampling hardness. Their flexibility, amplification properties, and minimal complexity-theoretic assumptions make them indispensable in advancing both theoretical and applied aspects of quantum cryptographic protocol design.