One-Way Puzzles in Cryptography

Updated 10 January 2026

One-way puzzles are two-party challenges with easy instance generation and hard solution recovery under defined adversarial models.
Research demonstrates that these puzzles underpin secure cryptographic protocols, such as key exchange and commitment schemes, through hardness amplification.
Advances in quantum one-way puzzles generalize traditional one-way functions, enabling the construction of quantum-resistant cryptographic primitives.

A one-way puzzle is a two-party challenge characterized by easy instance generation and computationally hard solution recovery under prescribed adversarial models. The term encompasses both cryptographic protocols, such as variants of Merkle’s puzzles and quantum cryptographic constructs, and certain combinatorial puzzles with unique solution trajectories. Recent developments have positioned one-way puzzles as central objects in the theory of quantum cryptography, generalizing or relaxing the classical notion of one-way functions and enabling cryptographic primitives even in models where classical one-way functions may not exist.

1. Definitions and Formal Frameworks

The defining structure of a one-way puzzle consists of a puzzle-generation (sampling) procedure and an unbounded solution verification procedure, with correctness and (one-way) security properties. In the quantum setting, a one-way puzzle (“OWPuzz”) is defined by a pair of algorithms $(\mathsf{Samp},\mathsf{Ver})$ with the following attributes:

Sampling: $\mathsf{Samp}$ is a QPT (quantum polynomial-time) algorithm that, given $1^n$ , outputs a pair of classical bit strings $(k,s) \in \{0,1\}^n \times \{0,1\}^{m(n)}$ . Here $k$ is the solution (the "key"), $s$ is the puzzle instance.
Verification: $\mathsf{Ver}(k,s) \rightarrow \{0,1\}$ $Ver (k, s) \to {0, 1}$ is an unbounded predicate. The protocol satisfies:
- Correctness: $\Pr_{(k,s) \leftarrow \mathsf{Samp}(1^n)}[\mathsf{Ver}(k,s)=1] \geq 1-\text{negl}(n)$ .
- One-wayness: For every QPT adversary $A$ , $\Pr_{(k,s) \leftarrow \mathsf{Samp}(1^n)}[\mathsf{Ver}(A(s),s)=1] \leq \text{negl}(n)$ .

A combinatorial instance, such as a “one-way” peg solitaire puzzle, is marked by a state from which there exists exactly one initial move leading to successful completion, thereby forcing a unique trajectory to the solution and substantially increasing the puzzle’s complexity (Bell, 2016).

2. Historical Context and Prototypical Constructions

Merkle’s puzzles introduced in 1978 function as the archetype of one-way puzzles in cryptography, instantiating public-key exchange without number-theoretic assumptions. In a canonical one-round Merkle puzzle protocol (0801.4714), Alice and Bob each make $n$ queries to a random oracle $H: \{0,1\}^N \rightarrow \{0,1\}^N$ ; Alice constructs a set of “puzzles” using $H$ , Bob finds and solves one, and an eavesdropper must expend $O(n^2)$ effort to recover the shared key, a quadratic separation from the honest participants. The reduction of key recovery by adversarial sampling to collision-finding underpins this gap and has been formally quantified and proven optimal in this setting (0801.4714).

In combinatorial games—such as peg solitaire—a “one-way” puzzle denotes a board configuration where exactly one initial move leads to a win. Such puzzles are algorithmically enumerated via backward reachability, with uniqueness determined by counting the number of solvable successors per move. These highly asymmetric instances exhibit the greatest challenge due to the absence of alternatives at every move (Bell, 2016).

3. Hardness Amplification and Meta-Complexity Connections

The security and robustness of one-way puzzles are closely allied with hardness amplification—the process of transforming a weakly secure primitive into a strongly secure composite. A general hardness amplification framework for weakly verifiable puzzles equates the composition of many Weakly Verifiable Puzzle (WVP) instances (possibly under an arbitrary monotone Boolean function) with a non-rewinding, black-box transformation that yields tight trade-offs between base success probability and composite hardness (Holenstein et al., 2010). This framework not only captures classical results such as Yao’s XOR lemma but extends to the quantum domain for average-case hardness and interactive protocol amplification.

Recent advances establish a deep connection between one-way puzzles and meta-complexity. Specifically, existence of one-way puzzles in the quantum domain is equivalent to the average-case hardness of probability estimation and Gap-Kolmogorov (GapK) problems over quantum samplable distributions (Cavalar et al., 2024, Hiroka et al., 2024). Let $K(x)$ denote the plain Kolmogorov complexity of $x$ . The promise problem $\operatorname{GapK}[s_1, s_2]$ requires distinguishing whether $K(x)\leq s_1$ or $K(x)\geq s_2$ for $s_2-s_1\gg \log n$ . Hardness of this problem is necessary and sufficient for the existence of one-way puzzles in both the quantum and, with varying parameters, the classical regimes (Cavalar et al., 2024, Hiroka et al., 2024).

4. Quantum One-Way Puzzles and Complexity Assumptions

Quantum one-way puzzles fundamentally differ from classical one-way functions in that they allow classical outputs but universally require an inefficient (information-theoretic) verifier, in order to avoid trivial inversion via QMA protocols (Khurana et al., 2023, Morimae et al., 6 Oct 2025). The minimal cryptographic basis in quantum regimes appears to be strictly weaker than the existence of quantum one-way functions. Notably:

Quantum one-way state generators (OWSGs), producing hard-to-invert quantum states, probabilistically yield one-way puzzles via classical shadow tomography (Khurana et al., 2023).
Commitments, multi-party computation, non-interactive commitments, and one-shot signatures can be constructed from the existence of quantum one-way puzzles (Morimae et al., 6 Oct 2025, Khurana et al., 2023), via intermediate primitives such as pseudoentropy generators and distributional collision-resistant puzzles (dCRPuzz).
Quantum one-way puzzles are implied by the existence of average-case hard sampling problems in complexity classes associated with non-collapsing measurements, specifically $\mathbf{SampPDQP}$ (sampling problems solvable by a single query to a non-collapsing measurement oracle) (Morimae et al., 6 Oct 2025). If $\mathbf{SampPDQP}$ is hard on average, then one-way puzzles exist.

5. Distributional One-Way Puzzles and Further Structural Properties

Recent work has shown that standard and distributional one-way puzzles (DistOWPuzz)—where the adversary must not be able to statistically reproduce the joint distribution of (puzzle, solution)—are equivalent in the quantum setting (Morimae et al., 6 Oct 2025, Hiroka et al., 2024), mirroring the classical situation.

Relatedly, distributional collision-resistant puzzles (dCRPuzz) form a quantum analogue of distributional collision-resistant hash families and serve as a basis for constructing hard sampling problems, thereby bootstrapping one-way puzzles from standard cryptographic primitives including one-shot MACs, two-message honest-statistical-hiding commitments, and learning with errors (LWE)-based constructions (Morimae et al., 6 Oct 2025). Table 1 summarizes the quantum reductions:

Assumption/Primitive	Implies	Citation
One-way state generators (OWSG)	One-way puzzles	(Khurana et al., 2023)
Strongly hard GapK (meta-complexity)	One-way puzzles	(Cavalar et al., 2024, Hiroka et al., 2024)
Average-case hard $\mathbf{SampPDQP}$	One-way puzzles	(Morimae et al., 6 Oct 2025)
dCRPuzzs (distributional collision-resistant puzzles)	One-way puzzles	(Morimae et al., 6 Oct 2025)
One-shot MACs / honest statistically hiding commitments	dCRPuzz	(Morimae et al., 6 Oct 2025)

A key consequence is that plausible quantum-cryptographic primitives suffice for one-way puzzles, even when deterministic quantum one-way functions may not exist.

6. Applications and Open Directions

One-way puzzles are foundational for a range of cryptographic constructions:

Quantum and classical commitments: One-way puzzles enable the construction of statistically/computationally hiding and binding bit-commitment schemes, with parameter-free or non-uniform parallelization ensuring uniform binding and computational hiding (Khurana et al., 2023).
Cryptographic amplification: General hardness amplification transforms weak puzzles into stronger instances, enabling robust commitment and pseudoentropy generation frameworks (Holenstein et al., 2010).
Quantum advantage protocols: The meta-complexity characterization implies that quantum advantage in computational tasks may be based on average-case hardness of uncomputable problems, a striking departure from classical assumptions (Hiroka et al., 2024).
Peg Solitaire one-way puzzles: In the combinatorial domain, unique-first-move puzzles provide maximally constrained challenges for human and machine solvers, with backward enumeration algorithms enabling their systematic identification (Bell, 2016).

Several open problems remain, such as constructing explicit hard lattice-based distributions for which GapK is quantum-average-hard but does not imply a one-way function, extending meta-complexity characterizations to other so-called "Microcrypt" primitives, and establishing precise thresholds for quantum average-case hardness (Hiroka et al., 2024).

7. Summary and Prospects

One-way puzzles occupy a central role at the interface of combinatorial, classical, and quantum cryptography. The symmetry between average-case uncomputability (Kolmogorov complexity, probability estimation) and cryptographic hardness positions one-way puzzles as both a generalization of one-way functions and a flexible foundation for quantum-secure protocols. In combinatorial settings, uniqueness constraints yield some of the most challenging instances, while in cryptographic settings, recent reductions and equivalences suggest that quantum cryptographic primitives can be realized under substantially weaker assumptions than previously thought, often without recourse to quantum one-way functions. Current research focuses on the tightness of these reductions, their meta-complexity character, and the explicit instantiations required for practical protocols (Cavalar et al., 2024, Khurana et al., 2023, Morimae et al., 6 Oct 2025, Hiroka et al., 2024).