Skip to main content

Superposition Attacks on Cryptographic Protocols

Part of the Lecture Notes in Computer Science book series (LNSC,volume 8317)


Attacks on cryptographic protocols are usually modeled by allowing an adversary to ask queries to an oracle. Security is then defined by requiring that as long as the queries satisfy some constraint, there is some problem the adversary cannot solve, such as compute a certain piece of information. Even if the protocol is quantum, the queries are typically classical. In this paper, we introduce a new model of quantum attacks on protocols, where the adversary is allowed quantum access to the primitive, i.e., he may ask several classical queries in quantum superposition. This is a strictly stronger attack than the standard one, and we consider the security of several primitives in this model. We show that a secret-sharing scheme that is secure with threshold \(t\) in the standard model is secure against superposition attacks if and only if the threshold is lowered to \(t/2\). This holds for all classical as well as all known quantum secret sharing schemes. We then consider zero- knowledge and first show that known protocols are not, in general, secure in our model by designing a superposition attack on the well-known zero-knowledge protocol for graph isomorphism. We then use our secret-sharing result to design zero-knowledge proofs for all of NP in the common reference string model. While our protocol is classical, it is sound against a cheating unbounded quantum prover and computational zero-knowledge even if the verifier is allowed a superposition attack. Finally, we consider multiparty computation and give a characterization of a class of protocols that can be shown secure, though not necessarily with efficient simulation. We show that this class contains non-trivial protocols that cannot be shown secure by running a classical simulator in superposition.


  • Quantum Secret Sharing
  • Common Reference String (CRS)
  • Multiparty Computation
  • Quantum Access
  • CRS Model

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

The first three authors acknowledge support from the Danish National Research Foundation and The National Science Foundation of China (under the grant 61061130540) for the Sino-Danish Center for the Theory of Interactive Computation, within which part of this work was performed; and also from the CFEM research center (supported by the Danish Strategic Research Council) within which part of this work was performed.

Louis Salvail is supported by Quebec’s INTRIQ, Canada’s NSERC strategic program FREQUENCY, and Canada’s NSERC discovery grant.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-04268-8_9
  • Chapter length: 20 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-04268-8
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   79.99
Price excludes VAT (USA)


  1. 1.

    A preliminary announcement of some of our results was made in an invited talk by one of the authors at the ICITS 2011 conference.

  2. 2.

    Since we use the CRS model, the reader may ask why we do not use existing protocols for non-interactive zero-knowledge (NIZK), where the prover just sends a single message to the verifier. In this way, the adversary would not get a chance to do a superposition attack. However, the most general assumption under which NIZK is known to be possible with an efficient prover is existence of one-way trapdoor permutations. They in turn are only known to be realizable under assumptions that are easily broken by a quantum adversary, such as factoring. Therefore we do not consider NIZK a satisfactory solution.

  3. 3.

    We are grateful to Elad Verbin for pointing this reduction out to us.

  4. 4.

    An alternative construction can be derived from the public-key encryption scheme of Regev [Reg05], which is based on a worst-case lattice assumption. However, the resulting commitment scheme in unconditional hiding mode is only statistically secure (rather than perfect). To use this scheme in our protocol we would need a version of Theorem 1 that holds for secret-sharing schemes with statistical security. We believe such a result is true, but do not have a proof at the time of writing.

  5. 5.

    (This is in contrast to the pure secret-sharing model where only shareholders can be corrupted.)


  1. Ben-Or, M., Crépeau, C., Gottesman, D., Hassidim, A., Smith, A.: Secure multiparty quantum computation with (only) a strict honest majority. In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS), pp. 249–260 (2005)

    Google Scholar 

  2. Boneh, D., Dagdelen, O., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  3. Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. Electron. Colloquium. Comput. Complex. 19:136, 1–27 (2012)

    Google Scholar 

  4. Chefles, A., Jozsa, R., Winter, A.: On the existence of physical transformations between sets of quantum states. Int. J. Quant. Inf. 2(1), 11–21 (2004).

    CrossRef  MATH  Google Scholar 

  5. Damgård, I., Funder, J., Nielsen, J. B., Salvail, L.: Superposition attacks on cryptographic protocols. Cryptology ePrint archive, report 2011/421. (2011)

  6. Damgård, I.B., Fehr, S., Salvail, L.: Zero-knowledge proofs and string commitments withstanding quantum attacks. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 254–272. Springer, Heidelberg (2004)

    CrossRef  Google Scholar 

  7. Fehr, S., Schaffner, C.: Composing quantum protocols in a classical environment. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 350–367. Springer, Heidelberg (2009)

    Google Scholar 

  8. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)

    CrossRef  MATH  MathSciNet  Google Scholar 

  9. Kol, G., Naor, M.: Cryptography and game theory: designing protocols for exchanging information. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 320–339. Springer, Heidelberg (2008)

    Google Scholar 

  10. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  11. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: 37th Annual ACM Symposium on Theory of Computing (STOC), pp. 84–93 (2005)

    Google Scholar 

  12. Watrous, J.: Zero-knowledge against quantum attacks. In: 38th Annual ACM Symposium on Theory of Computing (STOC), pp. 296–305, (2006)

  13. Zhandry, M.: How to construct quantum random functions. In: FOCS, pp. 679–687 (2012)

    Google Scholar 

  14. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Ivan Damgård .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Damgård, I., Funder, J., Nielsen, J.B., Salvail, L. (2014). Superposition Attacks on Cryptographic Protocols. In: Padró, C. (eds) Information Theoretic Security. ICITS 2013. Lecture Notes in Computer Science(), vol 8317. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04267-1

  • Online ISBN: 978-3-319-04268-8

  • eBook Packages: Computer ScienceComputer Science (R0)