Superposition Attacks on Cryptographic Protocols

TL;DR

This paper introduces a new quantum attack model on classical cryptographic protocols where adversaries query in superposition, revealing that security thresholds must be adjusted and enabling new zero-knowledge protocols resilient to quantum attacks.

Contribution

It defines a novel superposition attack model, analyzes its impact on existing cryptographic primitives, and develops quantum-resistant zero-knowledge proofs and insights into multiparty computation security.

Findings

Superposition attacks weaken secret-sharing security thresholds by half.

Classical zero-knowledge proofs can be made sound against quantum superposition attacks.

Simulation-based security in multiparty computation faces fundamental limitations under superposition attacks.

Abstract

Attacks on classical cryptographic protocols are usually modeled by allowing an adversary to ask queries from an oracle. Security is then defined by requiring that as long as the queries satisfy some constraint, there is some problem the adversary cannot solve, such as compute a certain piece of information. In this paper, we introduce a fundamentally new model of quantum attacks on classical cryptographic protocols, where the adversary is allowed to ask several classical queries in quantum superposition. This is a strictly stronger attack than the standard one, and we consider the security of several primitives in this model. We show that a secret-sharing scheme that is secure with threshold $t$ in the standard model is secure against superposition attacks if and only if the threshold is lowered to $t/2$. We use this result to give zero-knowledge proofs for all of NP in the common reference string model. While our protocol is classical, it is sound against a cheating unbounded quantum prover and computational zero-knowledge even if the verifier is allowed a superposition attack. Finally, we consider multiparty computation and show that for the most general type of attack, simulation based security is not possible. However, putting a natural constraint on the adversary, we show a non-trivial example of a protocol that can indeed be simulated.