Superposition Attacks on Cryptographic Protocols
Attacks on classical cryptographic protocols are usually modeled by allowing an adversary to ask queries from an oracle. Security is then defined by requiring that as long as the queries satisfy some constraint, there is some problem the adversary cannot solve, such as compute a certain piece of information. In this paper, we introduce a fundamentally new model of quantum attacks on classical cryptographic protocols, where the adversary is allowed to ask several classical queries in quantum superposition. This is a strictly stronger attack than the standard one, and we consider the security of several primitives in this model. We show that a secret-sharing scheme that is secure with threshold $t$ in the standard model is secure against superposition attacks if and only if the threshold is lowered to $t/2$. We use this result to give zero-knowledge proofs for all of NP in the common reference string model. While our protocol is classical, it is sound against a cheating unbounded quantum prover and computational zero-knowledge even if the verifier is allowed a superposition attack. Finally, we consider multiparty computation and show that for the most general type of attack, simulation based security is not possible. However, putting a natural constraint on the adversary, we show a non-trivial example of a protocol that can indeed be simulated.
💡 Research Summary
The paper introduces a fundamentally new quantum‑enhanced attack model for classical cryptographic protocols, called a “superposition attack.” In the traditional setting, an adversary interacts with an oracle by issuing classical queries (e.g., “corrupt this subset of parties”) and receives classical answers. The new model allows the adversary to prepare a quantum superposition of several such classical queries and submit them simultaneously to the oracle, thereby receiving a superposition of the corresponding answers. This capability strictly strengthens the adversary and forces a re‑examination of security guarantees that were previously considered sufficient.
The authors first study secret‑sharing schemes. In the classical model a scheme with threshold t guarantees that any set of at most t corrupted parties learns nothing about the secret; more generally, security is stated relative to an adversary structure G, the family of subsets the adversary is allowed to corrupt. Under a superposition attack the adversary can instead query several subsets at once, and the paper shows that what matters is the family of pairwise unions: writing F for the subsets that may appear in the superposition and F₂ = {A ∪ B | A, B ∈ F}, a scheme that is secure for G classically remains secure against superposition queries over F if and only if F₂ ⊆ G. For threshold schemes this halves the threshold: a scheme secure against t corruptions in the classical world is secure against superposition attacks exactly when the superposed subsets have size at most t/2. A concrete two‑party bit‑sharing example shows that the condition is tight: each share on its own is a uniformly random bit, yet an adversary who queries a superposition of the two possible corruption sets recovers the shared bit with certainty.
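The two‑party example and the F₂ condition, as an added worked example that is not code from the paper: a pure‑Python state‑vector simulation of the superposition query against 2‑out‑of‑2 XOR sharing, next to the combinatorial check F₂ ⊆ G for threshold structures. The sharing scheme, the Deutsch‑style phase‑kickback measurement (answer qubit prepared in |−⟩ so the oracle's XOR becomes a phase), and all function names are this example's own constructions and assumptions; the paper's exact query model may differ in detail.

```python
import math
import random
from itertools import combinations

# Constructed example, not the paper's code: a bit s is shared between two
# parties as s = s1 XOR s2 (party 1 holds s1, party 2 holds s2).
def share_bit(s, rng):
    s1 = rng.randrange(2)
    return (s1, s1 ^ s)


def classical_views(party):
    """Values a classical adversary corrupting one party can see, per secret s,
    enumerating the dealer's random bit. The two sets coincide, so a single
    classical query carries no information about s."""
    return {s: {(s1, s1 ^ s)[party] for s1 in (0, 1)} for s in (0, 1)}


# Two-qubit state vector: amp[2*q + b], where q is the query register
# (0 = corrupt party 1, 1 = corrupt party 2) and b is the answer qubit.
def oracle(amp, shares):
    """Superposition oracle: |A>|b> -> |A>|b XOR share_A> on every branch."""
    out = [0j] * 4
    for q in range(2):
        for b in range(2):
            out[2 * q + (b ^ shares[q])] += amp[2 * q + b]
    return out


def hadamard_on_query(amp):
    """Apply H to the query register only."""
    h = 1 / math.sqrt(2)
    out = [0j] * 4
    for q in range(2):
        for b in range(2):
            out[0 + b] += h * amp[2 * q + b]
            out[2 + b] += h * (-1 if q else 1) * amp[2 * q + b]
    return out


def superposition_attack(shares):
    """Query (|{1}> + |{2}>)/sqrt2 with the answer qubit in |->. The XOR
    becomes the phase (-1)^share_A, so after H the query register reads
    s1 XOR s2 = s with probability 1 (assumed attack, Deutsch-style)."""
    h = 1 / math.sqrt(2)
    amp = [0j] * 4
    for q in range(2):
        amp[2 * q + 0] = h * h      # |q> (x) (|0> - |1>)/sqrt2
        amp[2 * q + 1] = -h * h
    amp = hadamard_on_query(oracle(amp, shares))
    probs = [abs(amp[2 * q]) ** 2 + abs(amp[2 * q + 1]) ** 2 for q in range(2)]
    outcome = 1 if probs[1] > probs[0] else 0
    assert abs(probs[outcome] - 1.0) < 1e-9, probs   # outcome is deterministic
    return outcome


def attack_recovers_secret(s, trials=32, seed=0):
    """Run the attack over fresh random sharings of s; True if it never errs."""
    rng = random.Random(seed)
    return all(superposition_attack(share_bit(s, rng)) == s for _ in range(trials))


# The general condition from the paper, for threshold adversary structures.
def threshold_structure(n, t):
    """All subsets of {1..n} of size at most t."""
    return {frozenset(c) for k in range(t + 1)
            for c in combinations(range(1, n + 1), k)}


def f2(f):
    """F_2 = {A u B | A, B in F}: what a pairwise superposition effectively corrupts."""
    return {a | b for a in f for b in f}


def secure_against_superposition(f, g):
    """Superposition queries over F are harmless against a G-secure scheme iff F_2 <= G."""
    return f2(f) <= g


def max_superposition_threshold(n, t):
    """Largest t' whose threshold structure passes the test against classical threshold t."""
    g = threshold_structure(n, t)
    return max(tp for tp in range(t + 1)
               if secure_against_superposition(threshold_structure(n, tp), g))


if __name__ == "__main__":
    print("classical views per secret:", classical_views(0))
    for s in (0, 1):
        print(f"superposition attack recovers s={s}:", attack_recovers_secret(s))
    print("n=5, classical t=4 -> superposition threshold", max_superposition_threshold(5, 4))
```

For any n > t the last function returns ⌊t/2⌋, the halving stated above; the two‑party run shows the same phenomenon at the smallest scale, where the single classical query is useless but the superposed one is decisive.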
Leveraging the secret‑sharing result, the paper constructs zero‑knowledge proofs for all languages in NP in the common reference string (CRS) model. The protocol itself is entirely classical, but it is sound against an unbounded quantum prover and remains computationally zero‑knowledge even if the verifier mounts superposition attacks. The authors also explain why non‑interactive zero‑knowledge (NIZK) does not settle the question: with a non‑interactive proof the verifier sends nothing and so has no query to place in superposition, so the attack model is never exercised, and in any case the one‑way permutation assumptions underlying known NIZK constructions are broken by quantum adversaries.
The final part of the paper addresses multiparty computation (MPC). The authors define a UC‑style security model for static, passive superposition attacks on classical MPC protocols. For the most general version of the attack, where the adversary may place its query in an arbitrary quantum state, they show that simulation‑based security is impossible: the adversary can entangle its query register with the honest parties' views in a way that no simulator, which never sees the honest inputs, can reproduce in the joint state of inputs, query and outputs. Under a natural restriction on the adversary (such as limiting which subsets may be placed in superposition), however, they exhibit a non‑trivial protocol that can be simulated. The simulation technique is genuinely quantum rather than a classical simulator run in superposition: the simulator has to handle the adversary's query register as a quantum state, for instance by choosing how and when to measure it. The resulting simulators are not necessarily efficient, but they show that positive results are achievable under reasonable constraints.
Overall, the paper makes several key contributions: (1) it formalizes a stronger quantum attack model for classical protocols; (2) it characterizes exactly when secret sharing survives such attacks, which for threshold schemes means halving the threshold; (3) it gives classical zero‑knowledge proofs for NP that stay zero‑knowledge under verifier superposition attacks; and (4) it delineates the limits of simulation‑based security for MPC under such attacks, while providing a concrete example where simulation is still possible. These results show that classical security proofs cannot simply be carried over once an adversary can query in superposition, and they open new directions for designing protocols that are robust against this more powerful class of quantum adversaries.