Book Chapter

Quantum Resource Estimates of Grover’s Key Search on ARIA

17 Dec 2020, SPACE 2020 (Springer Science and Business Media Deutschland GmbH), pp. 238-258
TL;DR: Grover's algorithm gives a quantum attack on a block cipher: given a small number of plaintext-ciphertext pairs, it recovers a k-bit key with O(√(2^k)) calls to the cipher.
Abstract: Grover’s algorithm provides a quantum attack against block ciphers by searching for a k-bit key using \(O(\sqrt{2^k})\) calls to the cipher, when given a small number of plaintext-ciphertext pairs. Recent works by Grassl et al. in PQCrypto’16 and Almazrooie et al. in QIP’18 have estimated the cost of this attack against AES by analyzing the quantum circuits of the cipher.
Citations
Journal Article
TL;DR: This work presents the least Toffoli depth and full depth implementations of AES, thereby improving from Zou et al.
Abstract: Quantum computing is considered among the next big leaps in computer science. While a fully functional quantum computer is still in the future, there is an ever-growing need to evaluate the security of secret-key ciphers against a potent quantum adversary. Keeping this in mind, our work explores the key recovery attack using Grover's search on the three variants of AES (-128, -192, -256) with respect to the quantum implementation and the quantum key search using Grover's algorithm. We develop a pool of implementations, mostly by reducing the circuit depth metrics. We consider various strategies for optimization, as well as make use of the state-of-the-art advancements in the relevant fields. In a nutshell, we present the least Toffoli depth and full depth implementations of AES, thereby improving on Zou et al.'s Asiacrypt'20 paper by more than 98 percent for all variants of AES. Our qubit-count × Toffoli-depth product is improved from theirs by more than 75 percent. Furthermore, we analyze Jaques et al.'s Eurocrypt'20 implementations in detail, fix their bugs and report corrected benchmarks. To the best of our finding, our work improves on all the previous works (including the recent Eprint'22 paper by Huang and Sun) in terms of Toffoli/full depth and Toffoli-depth × qubit-count product.

19 citations

Journal Article
TL;DR: This paper presents the quantum implementation and analysis of the recently proposed block cipher DEFAULT, and discusses the various choices made to keep down the cost of the basic quantum circuit and that of the Grover oracle search.
Abstract: In this paper, we present the quantum implementation and analysis of the recently proposed block cipher DEFAULT. DEFAULT consists of two components, namely DEFAULT-LAYER and DEFAULT-CORE. Two instances of DEFAULT-LAYER are used before and after DEFAULT-CORE (the so-called 'sandwich construction'). We discuss the various choices made to keep down the cost of the basic quantum circuit and that of the Grover oracle search, and compare it with the levels of quantum security specified by the United States' National Institute of Standards and Technology (NIST). All in all, our work fits into the research trend of finding possible quantum vulnerabilities of symmetric key ciphers.

14 citations

Journal ArticleDOI
TL;DR: This paper proposes a quantum circuit for the SPEEDY block cipher for the first time, estimates its security strength based on the post-quantum security strength presented by NIST, and shows that SPEEDY provides either 128-bit security or 192-bit security depending on the number of rounds.
Abstract: In this paper, we propose a quantum circuit for the SPEEDY block cipher for the first time and estimate its security strength based on the post-quantum security strength presented by NIST. The strength of post-quantum security for symmetric key cryptography is estimated from the cost of the Grover key retrieval algorithm. Grover's algorithm on quantum computers reduces the n-bit security of block ciphers to n/2 bits. The implementation of a quantum circuit is required to estimate the cost of Grover's algorithm for the target cipher. We estimate the quantum resources required for Grover's algorithm by implementing a quantum circuit for SPEEDY in an optimized way and show that SPEEDY provides either 128-bit security (i.e., NIST security level 1) or 192-bit security (i.e., NIST security level 3) depending on the number of rounds. Based on our estimated cost, increasing the number of rounds is insufficient to satisfy the security against quantum attacks on quantum computers.

3 citations


References
Proceedings ArticleDOI
Lov K. Grover
01 Jul 1996
TL;DR: The extracted text is the paper's introduction, which recalls Shor's 1994 result that a quantum computer can factor an integer N in time polynomial in log N; the paper's own contribution is a quantum search that finds a marked item among N unsorted items with O(√N) oracle queries, the algorithm the ARIA estimate above applies to key recovery.
Abstract: Quantum mechanical computers were proposed in the early 1980's [Benioff80] and shown to be at least as powerful as classical computers (an important but not surprising result, since classical computers, at the deepest level, ultimately follow the laws of quantum mechanics). The description of quantum mechanical computers was formalized in the late 80's and early 90's [Deutsch85][BB92][BV93][Yao93] and they were shown to be more powerful than classical computers on various specialized problems. In early 1994, [Shor94] demonstrated that a quantum mechanical computer could efficiently solve a well-known problem for which there was no known efficient algorithm using classical computers. This is the problem of integer factorization, i.e. testing whether or not a given integer, N, is prime, in a time which is a finite power of O(log N).

6,335 citations

Journal ArticleDOI
TL;DR: A tight analysis of Grover's quantum search algorithm, with a closed-form formula for the probability of success after any given number of iterations.
Abstract: We provide a tight analysis of Grover's recent algorithm for quantum database searching. We give a simple closed-form formula for the probability of success after any given number of iterations of the algorithm. This allows us to determine the number of iterations necessary to achieve almost certainty of finding the answer. Furthermore, we analyse the behaviour of the algorithm when the element to be found appears more than once in the table and we provide a new algorithm to find such an element even when the number of solutions is not known ahead of time. Using techniques from Shor's quantum factoring algorithm in addition to Grover's approach, we introduce a new technique for approximate quantum counting, which allows one to estimate the number of solutions. Finally we provide a lower bound on the efficiency of any possible quantum database searching algorithm and we show that Grover's algorithm nearly comes within a factor 2 of being optimal in terms of the number of probes required in the table.

613 citations
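The key search described in the ARIA abstract at the top of the page, the "n-bit security becomes n/2 bits" remark in the SPEEDY entry, and the closed-form success probability of the Boyer, Brassard, Høyer and Tapp entry directly above, worked through in one piece of code. This is an added example, not code from the ARIA paper or from any work listed on this page: the 12-bit-key, 8-bit-block SPN (toy_encrypt, built from the PRESENT S-box and a made-up key schedule), the secret key 0xABC and the three plaintexts are all constructed for the demonstration. The Grover iteration is simulated exactly over all 2^12 keys rather than sampled: every key the oracle marks carries the same amplitude, and every other key likewise, so the simulation reproduces sin²((2j+1)θ) with sin²θ = M/N exactly, and the iteration count ⌊π/(4θ)⌋ is the (π/4)·√(2^k) oracle calls behind the paper's O(√(2^k)) cost. Running it with one pair and then with three also shows why the attack needs "a small number of plaintext-ciphertext pairs" when the key is longer than the block: one pair leaves about 2^(k−n) spurious keys marked alongside the right one, while three pairs (24 bits of constraint on a 12-bit key) normally leave only the true key.

```python
import math

KEY_BITS, BLOCK_BITS, ROUNDS = 12, 8, 4
N_KEYS = 1 << KEY_BITS
# PRESENT S-box (a permutation of the 16 nibbles); the rest of the cipher is a toy.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def round_key(key, i):
    """Constructed toy key schedule (not from any real cipher); rk_0 and rk_4
    together determine all 12 key bits, so distinct keys never share all round keys."""
    return ((key >> i) ^ (key << (i + 1)) ^ (0x5A * (i + 1))) & 0xFF


def permute(x):
    """Bit permutation i -> 3i+1 mod 8 (a bijection since gcd(3, 8) = 1)."""
    y = 0
    for i in range(BLOCK_BITS):
        if (x >> i) & 1:
            y |= 1 << ((3 * i + 1) % BLOCK_BITS)
    return y


def toy_encrypt(key, pt):
    """4-round SPN on an 8-bit block: key xor, nibble S-boxes, bit permutation, final whitening."""
    x = pt
    for i in range(ROUNDS):
        x ^= round_key(key, i)
        x = SBOX[x & 0xF] | (SBOX[x >> 4] << 4)
        x = permute(x)
    return x ^ round_key(key, ROUNDS)


def consistent_keys(pairs):
    """The keys the Grover oracle marks: those encrypting every plaintext to its ciphertext."""
    return [k for k in range(N_KEYS) if all(toy_encrypt(k, p) == c for p, c in pairs)]


def grover_success_curve(marked, iterations):
    """Exact probability of measuring a marked key after 1..iterations Grover iterations."""
    amp = [1 / math.sqrt(N_KEYS)] * N_KEYS      # uniform superposition over all keys
    curve = []
    for _ in range(iterations):
        for m in marked:                          # oracle: phase flip on consistent keys
            amp[m] = -amp[m]
        twice_mean = 2 * sum(amp) / N_KEYS        # diffusion: reflect every amplitude about the mean
        amp = [twice_mean - a for a in amp]
        curve.append(sum(amp[m] ** 2 for m in marked))
    return curve


def grover_key_search(pairs):
    """Plan and simulate the search: oracle set, iteration count floor(pi / (4 theta))
    with sin^2(theta) = M/N, and the simulated versus closed-form success probability."""
    marked = consistent_keys(pairs)
    M = len(marked)
    theta = math.asin(math.sqrt(M / N_KEYS))
    j = int(math.pi / (4 * theta))
    curve = grover_success_curve(marked, j)
    return {"marked": marked, "iterations": j,
            "success": curve[-1] if curve else M / N_KEYS,
            "closed_form": math.sin((2 * j + 1) * theta) ** 2}


# Constructed sample: a secret key and three known plaintexts (ciphertexts derived from them).
TRUE_KEY = 0xABC
PLAINTEXTS = [0x3C, 0xA5, 0x0F]
PAIRS = [(p, toy_encrypt(TRUE_KEY, p)) for p in PLAINTEXTS]

if __name__ == "__main__":
    print(f"classical exhaustive search: up to {N_KEYS} cipher calls; "
          f"Grover: about {math.pi / 4 * math.sqrt(N_KEYS):.0f} oracle calls")
    for r in range(1, len(PAIRS) + 1):
        res = grover_key_search(PAIRS[:r])
        print(f"{r} pair(s): {len(res['marked'])} consistent key(s) "
              f"(about {1 + (N_KEYS - 1) / 2 ** (r * BLOCK_BITS):.2f} expected for an ideal cipher), "
              f"{res['iterations']} iterations, success {res['success']:.4f} "
              f"(closed form {res['closed_form']:.4f})")
```

The 4096-versus-about-50 comparison printed first is the halving of the security level that the SPEEDY and DEFAULT entries above measure against NIST's levels; what those papers and the ARIA estimate actually cost out is each oracle call, which runs the cipher once per pair in Clifford+T gates and then uncomputes it. With ⌊π/(4θ)⌋ iterations the failure probability is at most M/N, so with the key uniquely determined the search succeeds with probability above 1 − 2^−12 here.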

DOI
Gadi Aleksandrowicz, Thomas Alexander, Panagiotis Kl. Barkoutsos, Luciano Bello, Yael Ben-Haim, David Bucher, Francisco Jose Cabrera-Hernández, Jorge Carballo-Franquis, Adrian Chen, Chun-Fu Chen, Jerry M. Chow, Antonio D. Córcoles-Gonzales, Abigail J. Cross, Andrew W. Cross, Juan Cruz-Benito, Chris Culver, Salvador De La Puente González, Enrique De La Torre, Delton Ding, Eugene F. Dumitrescu, Ivan Duran, Pieter T. Eendebak, Mark Everitt, Ismael Faro Sertage, Albert Frisch, Andreas Fuhrer, Jay M. Gambetta, Borja Godoy Gago, Juan Gomez-Mosquera, Donny Greenberg, Ikko Hamamura, Vojtech Havlicek, Joe Hellmers, Łukasz Herok, Hiroshi Horii, Shaohan Hu, Takashi Imamichi, Toshinari Itoko, Ali Javadi-Abhari, Naoki Kanazawa, Anton Karazeev, Kevin Krsulich, Peng Liu, Yang Luh, Yunho Maeng, Manoel Marques, Francisco Martín-Fernández, Douglas McClure, David McKay, Srujan Meesala, Antonio Mezzacapo, Nikolaj Moll, Diego Moreda Rodríguez, Giacomo Nannicini, P. D. Nation, Pauline J. Ollitrault, Lee James O'Riordan, Hanhee Paik, Jesús Pérez, Anna Phan, Marco Pistoia, Viktor Prutyanov, Max Reuter, Julia E. Rice, Abdón Rodríguez Davila, Raymond Harry Rudy, Mingi Ryu, Ninad Sathaye, Chris Schnabel, Eddie Schoute, Kanav Setia, Yunong Shi, Adenilton Silva, Yukio Siraichi, Seyon Sivarajah, John A. Smolin, Mathias Soeken, Hitomi Takahashi, Ivano Tavernelli, Charles Taylor, Pete Taylour, Kenso Trabing, Matthew Treinish, Wes Turner, Desiree Vogt-Lee, Christophe Vuillot, Jonathan A. Wildstrom, Jessica Wilson, Erick Winston, Christopher J. Wood, Stephen P. Wood, Stefan Wörner, Ismail Yunus Akhalwaya, Christa Zoufal 
23 Jan 2019

574 citations

Journal ArticleDOI
TL;DR: An algorithm for computing depth-optimal decompositions of logical operations, leveraging a meet-in-the-middle technique to provide a significant speedup over simple brute force algorithms is presented.
Abstract: We present an algorithm for computing depth-optimal decompositions of logical operations, leveraging a meet-in-the-middle technique to provide a significant speedup over simple brute force algorithms. As an illustration of our method, we implemented this algorithm and found factorizations of commonly used quantum logical operations into elementary gates in the Clifford+T set. In particular, we report a decomposition of the Toffoli gate over the set of Clifford and T gates. Our decomposition achieves a total T-depth of 3, thereby providing a 40% reduction over the previously best known decomposition for the Toffoli gate. Due to the size of the search space, the algorithm is only practical for small parameters, such as the number of qubits, and the number of gates in an optimal implementation.

495 citations

Journal ArticleDOI
TL;DR: A class of circuits whose T-depth can be reduced to 1 by using sufficiently many ancillas is described, and it is shown that the cost of adding an additional control to any controlled gate is at most 8 additional T gates and T-depth 2.
Abstract: We give a $\text{Clifford}+T$ representation of the Toffoli gate of $T$-depth one, using four ancillas. More generally, we describe a class of circuits whose $T$-depth can be reduced to one by using sufficiently many ancillas. We show that the cost of adding an additional control to any controlled gate is at most eight additional $T$ gates and $T$-depth two. We also show that the circuit $THT$ does not possess a $T$-depth one representation with an arbitrary number of ancillas initialized to $|0\rangle$.

199 citations
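The T-count and T-depth figures in the last two references are the cost model the ARIA estimate is built on. The following is an added example, not code from either paper: a small state-vector simulator that checks three Clifford+T realisations of the Toffoli gate and measures both metrics. All three put seven T or T† gates on the parities named by the identity 4abc = a + b + c − (a⊕b) − (a⊕c) − (b⊕c) + (a⊕b⊕c), which turns e^{iπ/4·(…)} into the (−1)^{abc} of CCZ, conjugated by H on the target. The first accumulates the parities one after another on the target (T-depth 5); the second reorders the same seven gates into three layers (T-depth 3, the 40% reduction that Amy et al.'s abstract quotes); the third computes the four parities into four |0⟩ ancillas so every T gate sits in one layer (T-depth 1 with four ancillas, the figure in Selinger's abstract). The gate orderings are derived here from that identity, not copied from the papers, so they may differ from the published circuits.

```python
import cmath
import math

T_PHASE = cmath.exp(1j * math.pi / 4)     # T = diag(1, e^{i pi/4}); Tdg = its inverse
INV_SQRT2 = 1 / math.sqrt(2)


def apply_single(state, name, q):
    """Apply H, T or Tdg on qubit q (qubit 0 = least significant bit) to a state vector."""
    out = list(state)
    for j in range(len(state)):
        if (j >> q) & 1:                       # visit each |..0..>,|..1..> pair once
            j0 = j ^ (1 << q)
            a0, a1 = state[j0], state[j]
            if name == "H":
                out[j0], out[j] = (a0 + a1) * INV_SQRT2, (a0 - a1) * INV_SQRT2
            elif name == "T":
                out[j] = a1 * T_PHASE
            elif name == "Tdg":
                out[j] = a1 / T_PHASE
            else:
                raise ValueError(name)
    return out


def apply_cnot(state, ctrl, tgt):
    """CNOT: exchange the amplitudes of tgt=0 and tgt=1 wherever ctrl is 1."""
    out = list(state)
    for j in range(len(state)):
        if (j >> ctrl) & 1:
            out[j ^ (1 << tgt)] = state[j]
    return out


def run(circuit, state):
    for name, qs in circuit:
        state = apply_cnot(state, *qs) if name == "CNOT" else apply_single(state, name, qs[0])
    return state


def equals_toffoli(circuit, n_qubits, tol=1e-9):
    """True iff the circuit acts as Toffoli (controls 0,1 -> target 2) on every basis
    input with all ancillas in |0>, returns the ancillas to |0> and adds no phase."""
    for j in range(8):
        expect = j ^ 4 if (j & 3) == 3 else j
        state = [0j] * (1 << n_qubits)
        state[j] = 1
        out = run(circuit, state)
        if any(abs(amp - (1 if k == expect else 0)) > tol for k, amp in enumerate(out)):
            return False
    return True


def t_count(circuit):
    return sum(name in ("T", "Tdg") for name, _ in circuit)


def t_depth(circuit):
    """ASAP schedule: a gate starts at the deepest T-layer already reached on its
    qubits; only T/Tdg gates occupy a new layer, Clifford gates are free."""
    layer = {}
    for name, qs in circuit:
        start = max(layer.get(q, 0) for q in qs)
        for q in qs:
            layer[q] = start + (1 if name in ("T", "Tdg") else 0)
    return max(layer.values())


SEQUENTIAL = [                                  # parities built one at a time on the target
    ("H", (2,)), ("T", (0,)), ("T", (1,)), ("T", (2,)),
    ("CNOT", (0, 2)), ("Tdg", (2,)),            # -(a^c)
    ("CNOT", (1, 2)), ("T", (2,)),              # +(a^b^c)
    ("CNOT", (0, 2)), ("Tdg", (2,)),            # -(b^c)
    ("CNOT", (1, 2)),                           # target back to c
    ("CNOT", (0, 1)), ("Tdg", (1,)), ("CNOT", (0, 1)),   # -(a^b)
    ("H", (2,)),
]
PARALLEL = [                                    # same seven T gates in three layers
    ("H", (2,)), ("T", (0,)), ("T", (1,)), ("T", (2,)),
    ("CNOT", (0, 1)), ("CNOT", (0, 2)), ("Tdg", (1,)), ("Tdg", (2,)),   # q1=a^b, q2=a^c
    ("CNOT", (1, 2)), ("CNOT", (2, 0)), ("T", (0,)), ("Tdg", (2,)),     # q0=a^b^c, q2=b^c
    ("CNOT", (2, 0)), ("CNOT", (0, 1)), ("CNOT", (1, 2)),               # back to (a, b, c)
    ("H", (2,)),
]
PARITY_CNOTS = [("CNOT", (0, 3)), ("CNOT", (1, 3)),                      # q3 = a^b
                ("CNOT", (0, 4)), ("CNOT", (2, 4)),                      # q4 = a^c
                ("CNOT", (1, 5)), ("CNOT", (2, 5)),                      # q5 = b^c
                ("CNOT", (0, 6)), ("CNOT", (1, 6)), ("CNOT", (2, 6))]    # q6 = a^b^c
ANCILLA = ([("H", (2,))] + PARITY_CNOTS                 # four |0> ancillas, one T layer
           + [("T", (0,)), ("T", (1,)), ("T", (2,)),
              ("Tdg", (3,)), ("Tdg", (4,)), ("Tdg", (5,)), ("T", (6,))]
           + PARITY_CNOTS + [("H", (2,))])              # uncompute the ancillas


def report():
    """(T-count, T-depth, correct?) for each decomposition."""
    return {name: (t_count(c), t_depth(c), equals_toffoli(c, n))
            for name, c, n in (("sequential", SEQUENTIAL, 3),
                               ("parallel", PARALLEL, 3),
                               ("ancilla", ANCILLA, 7))}


if __name__ == "__main__":
    for name, (tc, td, ok) in report().items():
        print(f"{name:10s} T-count={tc} T-depth={td} correct={ok}")
```

The same seven-gate phase polynomial gives all three depths; what changes is how many independent parities can be held on the available qubits at once (at most two of the three two-qubit parities fit on three qubits, since they sum to zero, hence the three layers without ancillas). Full-depth and Toffoli-depth numbers in the AES, DEFAULT and SPEEDY entries above are produced by this kind of scheduling over the whole cipher circuit, where every extra ancilla that buys depth also raises the qubit count that their qubit-count × depth products penalise.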