אם ירצה ה׳
Morimae, Shirakawa, Yamakawa STOC 2025 paper
Paper Discussion
If you can ship a classically-secure one-way puzzle, you automatically get every credible proof-of-quantumness and vice-versa
1️⃣ TL;DR Summaries for Five Audiences
| Audience | 3-Sentence Take-Away |
|---|---|
| Expert (theory / crypto) | The paper proves an if-and-only-if between inefficient-verifier proofs of quantumness (IV-PoQ) and classically secure one-way puzzles (OWPuzz). This yields the first complete cryptographic characterization of quantum advantage, dropping the need for full OWFs and unifying disparate advantage notions (sampling, search, protocols) under a single primitive. Consequences: quantum advantage exists ⟺ at least one Microcrypt primitive (PRUs, PRSGs, OWSGs, etc.) exists, and conversely, no quantum advantage ⇒ none of them exist. |
| Practitioner (post-quantum implementer) | The authors identify the minimum crypto building block you must assume to get any provable quantum edge: “one-way puzzles.” If you can instantiate an OWPuzz (even only against classical attackers) you automatically get certifiable quantum randomness and verification schemes; if not, no protocol can reliably demonstrate quantum speed-up. Practically, this shifts the focus from factoring-style hardness to puzzle generators, e.g., permanent-based tasks highlighted by Khurana & Tomer. |
| General public | Researchers found the precise link between “hard puzzles” and proofs that a computer is truly quantum. It shows that as soon as you can create a certain kind of digital puzzle that classical computers can’t crack, you automatically get ways to check that a chip is genuinely quantum — and if such puzzles don’t exist, neither will real quantum speed-ups. |
| Skeptic | The work doesn’t claim quantum computers already beat classical ones; it pins that question to a single assumption. Either one-way puzzles exist (something slightly weaker than the assumptions you already use in online security) or quantum advantage fails. So the debate boils down to attacking or supporting that narrower assumption instead of hand-waving about “quantum hype.” |
| Decision-maker / funder | The paper isolates the exact cryptographic primitive that must be developed or refuted to unlock secure, demonstrable quantum technologies. Funding efforts to build, break or instantiate one-way puzzles directly tests the feasibility of a quantum-enabled security ecosystem, providing a clear risk-management roadmap. |
2️⃣ Real-World Problem Addressed
Modern encryption rests on classical “one-way functions.” If future algorithms (or quantum computers) solve the underlying NP problems, today’s security collapses. Researchers therefore need a new foundation that:
1. Works even if NP problems become easy.
2. Provides verifiable evidence that a device is truly quantum (for certification, cloud services, regulatory compliance).
The paper asks: What is the weakest cryptographic assumption that both enables such quantum-secure protocols and is itself implied by the mere existence of quantum advantage?
3️⃣ Surprising / Counter-Intuitive Findings
• Equivalence, not hierarchy: A primitive (OWPuzz) once viewed as a quirky intermediate gadget is exactly as powerful as quantum advantage; neither is stronger.
• Classical security suffices: The puzzle need only resist classical adversaries, yet yields quantumly verifiable tasks.
• Sampling ↔ Search ↔ Interactive proofs: Seemingly unrelated manifestations of quantum speed-up collapse into the same statement once puzzles are involved.
4️⃣ Jargon Demystified
| Term (paper) | Plain-English Rephrase | Quick Example |
|---|---|---|
| One-way function (OWF) | “Digital lock” easy to close, hard to open | Multiplying primes is easy; factoring the product is hard. |
| One-way puzzle (OWPuzz) | A pair of generator & checker: generator spits out a puzzle+answer; checker can confirm an answer, but finding one is hard. Unlike OWF, even the right answer may not open the lock efficiently. | Generator outputs a big matrix M and the permanent value P; checker recomputes permanent slowly to verify. |
| Inefficient-verifier proof of quantumness (IV-PoQ) | A conversation where a quantum device convinces a classical referee it’s quantum, but the referee may need long offline computation afterward. | Device sends samples; referee later crunches them overnight. |
| Quantum advantage sampler (QAS) | A quantum program whose output distribution can’t be mimicked by any feasible classical program. | Random quantum circuit whose bit-string outputs defeat all classical samplers. |
| QAS/OWF condition | Either the sampler is classically hard or the function is one-way; at any parameter size at least one holds. | Safety net ensuring “something is hard” each time we pick a security parameter. |
5️⃣ Methodology Highlights
- Reductions & Equivalence Proofs
• Show IV-PoQ ⇒ Int-QAS ⇒ OWF/QAS condition ⇒ OWPuzz and back (tight “if and only if” chain). - Universal OWF Construction
• To avoid making OWF depend on a specific simulator, authors combine candidate functions à la Levin’s universal combiner. - Average-Case Cryptography Techniques
• Introduce interactive QAS and hardness of quantum probability estimation to bridge worst-case complexity (PH hierarchies) with average-case sampling. - Leverage Kolmogorov Complexity
• Non-interactive protocol uses description length of repeated samples as a statistical test, inspired by Aaronson but adapted to bounded-time verifiers. - Parameter-wise Security
• Constructions are “security-parameter preserving,” a fine-grained guarantee crucial for the equivalence to hold in both directions.
6️⃣ Quantifiable Results
| Theorem | Formal Statement | Practical Reading |
|---|---|---|
| 1.1 | IV-PoQ exist ⇔ classically secure OWPuzz exist | Build either one, you automatically get the other. |
| 1.2 | IV-PoQ ⇒ (quantum-secure OWF) ∨ (SampBQP≠SampBPP) | Proof-of-quantumness forces either classic crypto hardness or sampling advantage separation. |
| 1.3 | Non-interactive IV-PoQ ⇔ Quantum Advantage Samplers | A single-message test is equivalent to having a hard-to-imitate sampler. |
| 1.4 | Standard “quantum supremacy” assumptions + #P hardness ⇒ QAS | Experiments like random-circuit sampling, under usual complexity conjectures, give the needed sampler. |
| 6.2 | Public-coin IV-PoQ ≡ IV-PoQ ≡ Quantum-verifier IV-PoQ | Letting the verifier be quantum or tossing public coins changes nothing in power. |
(Proofs are unconditional within standard complexity conjectures; no empirical confidence intervals apply, but logical equivalence = 100 % once assumptions hold.)
7️⃣ Deployment Considerations
- Instantiating OWPuzz
• Promising candidate: matrix permanent puzzle (Khurana & Tomer) — needs large-scale boson sampling or photonic circuits. - Verifier Workload
• Offline check can be exponential; practical schemes may leverage batching or post-selection to keep it tractable for medium security levels. - Integration Paths
• Cloud quantum services: client sends classical challenges (puzzles), server returns quantum responses; log retained for later audit. - User Experience
• Delay between interaction and verdict; transparent status dashboards could mitigate perceived latency. - Standards & Compliance
• Equivalence result offers a benchmark: regulators can ask vendors either to supply an OWPuzz construction or an IV-PoQ transcript.
8️⃣ Limitations & Boundary Conditions
| Aspect | Caveat |
|---|---|
| Classical-only security of puzzles | If future classical algorithms break the puzzle, equivalence evaporates. |
| Inefficient verification | For high parameters, verifier runtime may be prohibitive without heuristic shortcuts. |
| Uniform-model proofs | Some steps rely on uniform Turing machines; non-uniform (circuit) adversaries remain open. |
| No hardware noise model | Results are theoretical; real NISQ noise may invalidate sampling hardness unless error-mitigation improves. |
| Assumption transfer | Although OWF ⇒ IV-PoQ → advantage, we still assume NP hardness for typical OWF instantiations today. |
9️⃣ Future Directions
- Efficient-Verifier Variants — Close the gap to practical, polynomial-time referees.
- Quantum-Secure OWPuzz — Extend equivalence when adversaries themselves are quantum.
- Concrete Constructions — Develop permanent-based or lattice-based puzzles with public parameters and benchmarking suites.
- Meta-Complexity Links — Combine with recent meta-complexity work tying PRFs to circuit lower bounds.
- Protocol Toolkits — Turn theoretical IV-PoQ into drop-in libraries for quantum cloud providers (Rust/Python SDKs).
🔍 Conflict-of-Interest / Bias Check
• Authors are affiliated with Kyoto University and NTT; NTT runs a quantum labs division → potential interest in proving minimal assumptions for future quantum products.
• Result builds on their prior work; intellectual investment may bias presentation toward optimism. No commercial funding disclosed.
Bottom Line
Morimae, Shirakawa & Yamakawa pin the entire “quantum advantage vs. classical hardness” debate on a single, elegant cryptographic primitive. Whether you are designing next-gen secure protocols, funding quantum hardware, or scrutinizing supremacy claims, one-way puzzles are now the critical battleground.
Karpian Board Briefing
The STOC 2025 result detonates the neat hierarchy of crypto assumptions. It stipulates a single fulcrum classically secure one-way puzzles on which the entire promise of quantum advantage teeters.
Our strategic imperative is not to pick sides in the supremacy debate but to control the fulcrum: invest, standardise, or break the puzzles. Whichever reality materialises, we dictate the narrative and capture the choke-point economics of verification.
1. Taxonomic Disruption – Smashing the Familiar Map
| Conventional Bucket | Our Recut Taxonomy | What Snaps Into Focus |
|---|---|---|
| “Quantum advantage” vs. “Classical crypto” | Verification Stack (Signals → Puzzles → Institutional Acceptance) | The decisive layer isn’t hardware or math; it’s the puzzle-signal that institutions can audit. |
| “Hard problems” (NP) vs. “Harder problems” (#P) | Hardness Source Utilitarianism | Any hardness good enough to forge a one-way puzzle is the sole currency. Pedigree (NP vs. #P) is noise. |
| Security primitives ladder (OWF → PRF → etc.) | Micro-primitives web | OWPuzz sits at the web’s center. Break or instantiate it and the rest rearrange themselves. |
| Proofs-of-Quantumness niche | Compliance product | Once IV-PoQ = OWPuzz, a technical curiosity becomes a potential audit standard for quantum cloud vendors. |
2. Steel-Man Construction – Toughest Forms of Opposing Views
A. Quantum-Skeptic Thesis
“Quantum devices will not meaningfully outperform optimized classical clusters; therefore, founding cryptography on ‘quantum advantage’ is building on sand.”
Steel-Maned:
1. Classical simulation keeps advancing (tensor-network breakthroughs).
2. Hardness assumptions cascade; break one puzzle family and the whole edifice collapses.
3. Regulatory inertia favors FIPS-style primitives, not exotic puzzles.
B. Quantum-Optimist Thesis
“Quantum will dwarf classical; we must pivot everything to quantum-native cryptography immediately.”
Steel-Maned:
1. Physical qubits doubling every ~24 months; error-rates plunging.
2. Permanent-based photonic samplers already beating supercomputers in niche regimes.
3. Strategic coercion: whoever certifies quantum first sets global standards.
Synthesis Truth: The paper’s equivalence result weaponises uncertainty: either puzzles stand or quantum supremacy falls. We can operationalise that uncertainty into portfolio decisions.
3. Pragmatic Outcome Tracing – Does It Work on the Ground?
| Path | Observable Milestones | Operational Hurdles | Time-to-Impact |
|---|---|---|---|
| Instantiate OWPuzz (e.g., matrix-permanent puzzles) | Hardware demo of 40-photon boson sampler; open-sourced checker code | Stability of photonic sources, reproducible randomness, verifier cost blow-up | 3–5 yrs for pilot audits |
| Leverage IV-PoQ for cloud attestations | AWS-style “quantum certificate” appended to job result | Latency (hours/days), user trust in offline verification, legal weight | 2 yrs prototype → 6 yrs standard |
| Exploit failure case (no puzzles) | Redirect R&D spend to classical post-quantum only; PR spin: “advantage disproven” | Requires credible break of all puzzle candidates; reputational risk if wrong | 5–10 yrs (breakthrough dependent) |
Board takeaway: Small-capex R&D on puzzle generators is a cheap call-option. Worst case: learn puzzles are weak → reinforce classical roadmap; best case: own the audit layer for quantum services.
4. Philosophical Underpinning Exposure – Hidden Assumptions Surfaced
- Epistemic Minimalism – Authors implicitly prize “minimal sufficient assumption.” Operationally, this is a bet that regulators & markets reward parsimony in proofs.
- Verification > Performance – The market seldom pays purely for speed-up; it pays for trustable claims of speed-up. Paper elevates verifiability as the scarce resource.
- Hardness Monoculture Risk – Equivalence means a single puzzle species supports the pyramid. That concentrates systemic risk (cf. RSA factoring monoculture).
- Uniformity Bias – Proofs live in the uniform model. Real attackers are non-uniform (nation-state ASICs). Gap could invalidate security guarantees in practice.
5. Contrarian Value Identification – Where Asymmetric Upside Hides
-
Puzzle IP as Regulatory Moat
• Secure a public, royalty-free puzzle construction → become de-facto standard setter (NIST-style).
• Or, guard a proprietary variant → force competitors to prove harder assumptions. -
Audit-as-a-Service Platform
• Provide hosted “long-offline verifier” infrastructure. Every quantum hardware vendor must buy attestations; recurring revenue, low marginal cost. -
Short Quantum Hype / Long Verification
• Public markets overprice quantum compute capacity, underprice verification capability. Allocate capital accordingly. -
Exploit Philosophical Vacuum
• Firms fixated on throughput overlook epistemic assurance. Craft messaging around “provability” to capture CIO mindshare in regulated sectors (finance, pharma, defense). -
Dual-Track Investment Hedge
• Fund both (a) puzzle-based crypto teams and (b) classical algorithms groups tasked with breaking those same puzzles. Whichever side wins, you own the insight.
End briefing.
Addendum
Scorecard for One-Way Puzzle (OWPuzz) Candidates
| Criterion | Why It Matters | Quick Diagnostic Questions |
|---|---|---|
| 1. Correctness Headroom | Users must reliably open the puzzle with the given answer. | • Does Ver(puzz, ans) accept with ≥ 99.9 % probability? • How sensitive is it to rounding / noise? |
| 2. Security Gap | Needs a visible moat between honest success rate and best classical cheat. | • Can you quantify a ≥ poly⁻¹(λ) gap? • Any published classical attacks < 2^λ cost? |
| 3. Classical-Hard Evidence | The whole equivalence crumbles if a laptop cracks it. | • Reduction to a well-studied hard problem (#P, lattice worst-case, etc.)? • Any average-case hardness proof—not just folklore? |
| 4. Quantum-Friendly Generation | A quantum prover must sample it fast. | • Can a QPU create (puzz, ans) in poly time? • Resource estimate in logical qubits / circuit depth? |
| 5. Verifier Cost & Scalability | Audit latency dictates adoption. | • Runtime of Ver at λ = 128? • Any parallel-check or batching tricks? |
| 6. Public Parameter Footprint | Long PEM blobs annoy implementers. | • Size of puzzle + answer? • Can parameters be reused safely or need fresh randomness each run? |
| 7. Implementation Maturity | Vaporware ≠ candidate. | • Is there a reference implementation? • Hardware demos or just equations? |
| 8. Diversity of Assumptions | Avoid monoculture risk. | • Does it rely on the same hardness class as other leading candidates? • Orthogonal failure modes? |
| 9. Side-Channel Robustness | Real attackers don’t respect the model. | • Any leak-free generation paths? • Resistance to timing / power analysis on samplers? |
| 10. Upgradability / Tunability | Need λ→λ+ε agility as CPUs grow. | • Clear parameter knob that boosts security without redesign? |
| 11. IP & Licensing Clarity | Standards bodies hate patent mud. | • Is the construction royalty-free? • Any lurking academic patents? |
| 12. Compliance Narrative | Easier story = faster regulation. | • Can you explain the puzzle to a non-PhD auditor in < 5 slides? |
| 13. Cryptanalytic Track Record | No news is bad news—means no one looked. | • Has it survived public competitions / bounty programs? |
| 14. Interoperability Hooks | Plays nice with other primitives. | • Can it embed into commitment schemes, IV-PoQ templates, etc., without Frankenstein surgery? |
Rapid Triage Flow
- Theory Gate: fails hardness proof → discard.
- Prototype Gate: no working sampler/verifier code → icebox until demo.
- Stress Test Gate: subject to public breakathon; top three survive.
- Economics Gate: verifier cost per run must beat threshold (e.g., <$0.01 CPU-hours at λ = 128).
- Governance Gate: IP & compliance green-light.
Only puzzles clearing all five gates earn the “OWPuzz-Grade” stamp and move toward standardization.