Quantum Resource Estimates of Grover’s Key Search on ARIA
TL;DR: Grover's algorithm provides a quantum attack against block ciphers by searching for a k-bit key using \(O(\sqrt{2^k})\) calls to the cipher, when given a small number of plaintext-ciphertext pairs.
Abstract: Grover’s algorithm provides a quantum attack against block ciphers by searching for a k-bit key using \(O(\sqrt{2^k})\) calls to the cipher, when given a small number of plaintext-ciphertext pairs. Recent works by Grassl et al. in PQCrypto’16 and Almazrooie et al. in QIP’18 have estimated the cost of this attack against AES by analyzing the quantum circuits of the cipher.
Citations
TL;DR: This work presents the least Toffoli depth and full depth implementations of AES, thereby improving from Zou et al.
Abstract: Quantum computing is considered among the next big leaps in computer science. While a fully functional quantum computer is still in the future, there is an ever-growing need to evaluate the security of secret-key ciphers against a potent quantum adversary. Keeping this in mind, our work explores the key recovery attack using Grover’s search on the three variants of AES (-128, -192, -256) with respect to the quantum implementation and the quantum key search using Grover’s algorithm. We develop a pool of implementations, mostly by reducing the circuit depth metrics. We consider various strategies for optimization, as well as make use of the state-of-the-art advancements in the relevant fields. In a nutshell, we present the least Toffoli depth and full depth implementations of AES, thereby improving from Zou et al.’s Asiacrypt’20 paper by more than 98 percent for all variants of AES. Our qubit count - Toffoli depth product is improved from theirs by more than 75 percent. Furthermore, we analyze Jaques et al.’s Eurocrypt’20 implementations in detail, fix their bugs and report corrected benchmarks. To the best of our knowledge, our work improves on all the previous works (including the recent Eprint’22 paper by Huang and Sun) in terms of Toffoli/full depth and Toffoli depth - qubit count product.
19 citations
TL;DR: This paper presents the quantum implementation and analysis of the recently proposed block cipher DEFAULT, and discusses the various choices made to keep down the cost of the basic quantum circuit and that of the Grover oracle search.
Abstract: In this paper, we present the quantum implementation and analysis of the recently proposed block cipher, DEFAULT. DEFAULT consists of two components, namely DEFAULT-LAYER and DEFAULT-CORE. Two instances of DEFAULT-LAYER are used before and after DEFAULT-CORE (the so-called ‘sandwich construction’). We discuss the various choices made to keep down the cost of the basic quantum circuit and that of the Grover oracle search, and compare it with the levels of quantum security specified by the United States’ National Institute of Standards and Technology (NIST). All in all, our work fits nicely into the research trend of finding possible quantum vulnerabilities of symmetric key ciphers.
14 citations
TL;DR: This paper proposes a quantum circuit for the SPEEDY block cipher for the first time, estimates its security strength based on the post-quantum security strength presented by NIST, and shows that SPEEDY provides either 128-bit security or 192-bit security depending on the number of rounds.
Abstract: In this paper, we propose a quantum circuit for the SPEEDY block cipher for the first time and estimate its security strength based on the post-quantum security strength presented by NIST. The strength of post-quantum security for symmetric key cryptography is estimated from the cost of the Grover key retrieval algorithm. Grover’s algorithm on quantum computers reduces the n-bit security of block ciphers to n/2 bits. The implementation of a quantum circuit is required to estimate the Grover’s algorithm cost for the target cipher. We estimate the quantum resources required for Grover’s algorithm by implementing a quantum circuit for SPEEDY in an optimized way and show that SPEEDY provides either 128-bit security (i.e., NIST security level 1) or 192-bit security (i.e., NIST security level 3) depending on the number of rounds. Based on our estimated cost, increasing the number of rounds is insufficient to satisfy the security against quantum attacks on quantum computers.
3 citations
References
01 Jul 1996
TL;DR: In this paper, it was shown that a quantum mechanical computer can solve the integer factorization problem in a time which is a finite power of O(log N), where N is the integer under test.
Abstract: were proposed in the early 1980’s [Benioff80] and shown to be at least as powerful as classical computers, an important but not surprising result, since classical computers, at the deepest level, ultimately follow the laws of quantum mechanics. The description of quantum mechanical computers was formalized in the late 80’s and early 90’s [Deutsch85][BB92][BV93][Yao93] and they were shown to be more powerful than classical computers on various specialized problems. In early 1994, [Shor94] demonstrated that a quantum mechanical computer could efficiently solve a well-known problem for which there was no known efficient algorithm using classical computers. This is the problem of integer factorization, i.e. testing whether or not a given integer, N, is prime, in a time which is a finite power of O(log N).
6,335 citations
TL;DR: In this article, a tight analysis of Grover's recent algorithm for quantum database searching is provided, where the probability of success after any given number of iterations of the algorithm is given.
Abstract: We provide a tight analysis of Grover's recent algorithm for quantum database searching. We give a simple closed-form formula for the probability of success after any given number of iterations of the algorithm. This allows us to determine the number of iterations necessary to achieve almost certainty of finding the answer. Furthermore, we analyse the behaviour of the algorithm when the element to be found appears more than once in the table and we provide a new algorithm to find such an element even when the number of solutions is not known ahead of time. Using techniques from Shor's quantum factoring algorithm in addition to Grover's approach, we introduce a new technique for approximate quantum counting, which allows one to estimate the number of solutions. Finally we provide a lower bound on the efficiency of any possible quantum database searching algorithm and we show that Grover's algorithm nearly comes within a factor 2 of being optimal in terms of the number of probes required in the table.
613 citations
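The key-search setting described in the abstract at the top of this page (a Grover oracle built from a few plaintext-ciphertext pairs, about \(\sqrt{2^k}\) cipher calls) and the closed-form success probability from the Boyer et al. entry above can both be checked on a toy instance. The following is an added example, not code from the ARIA paper or from any cited work: a hypothetical 8-bit block cipher with a 12-bit key (small enough that every key's amplitude fits in a Python list), an oracle marking all keys consistent with the known pairs, and an exact classical simulation of the Grover iterations. The toy cipher, its key schedule, the secret key and the plaintexts are assumptions chosen for illustration.

```python
"""Classical simulation of Grover's key search on a toy block cipher.

Added example (not from the ARIA paper or any cited work).  The toy cipher,
key schedule, SECRET_KEY and plaintexts are assumptions made for illustration.
"""
import math

BLOCK_BITS = 8
KEY_BITS = 12
N = 1 << KEY_BITS                      # size of the key space Grover searches

# Fixed 4-bit S-box (PRESENT's S-box, reused here only as a nonlinear lookup).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def toy_encrypt(key: int, pt: int, rounds: int = 4) -> int:
    """Toy SPN: per round XOR an 8-bit window of the key, apply two S-boxes,
    rotate left by 3; final whitening with the high key bits so that all
    12 key bits influence the output (hypothetical key schedule)."""
    x = pt & 0xFF
    for r in range(rounds):
        x ^= (key >> r) & 0xFF
        x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
        x = ((x << 3) | (x >> 5)) & 0xFF
    return x ^ ((key >> 4) & 0xFF)


def consistent_keys(pairs):
    """The oracle's marked set: keys mapping every known plaintext to its ciphertext.
    With r pairs on an n-bit block, roughly (N-1)/2^(r*n) spurious keys survive."""
    return {k for k in range(N) if all(toy_encrypt(k, p) == c for p, c in pairs)}


def optimal_iterations(n_states: int, n_marked: int) -> int:
    """Boyer et al.: with sin(theta) = sqrt(M/N), iterate floor(pi / (4 theta)) times,
    which is about (pi/4) * sqrt(N/M) cipher evaluations."""
    theta = math.asin(math.sqrt(n_marked / n_states))
    return math.floor(math.pi / (4 * theta))


def bbht_success_probability(n_states: int, n_marked: int, iterations: int) -> float:
    """Closed form from Boyer et al.: P(success after j iterations) = sin^2((2j+1) theta)."""
    theta = math.asin(math.sqrt(n_marked / n_states))
    return math.sin((2 * iterations + 1) * theta) ** 2


def grover_simulate(marked, iterations: int) -> float:
    """Exact real-amplitude simulation over the N basis states: start from the
    uniform superposition, then apply (phase oracle, inversion about the mean)
    `iterations` times.  Returns the probability mass on the marked keys."""
    amp = [1.0 / math.sqrt(N)] * N
    for _ in range(iterations):
        for k in marked:
            amp[k] = -amp[k]                       # oracle: phase flip on consistent keys
        mean = sum(amp) / N
        amp = [2.0 * mean - a for a in amp]        # diffusion operator
    return sum(amp[k] ** 2 for k in marked)


def run_key_search(secret_key: int, plaintexts):
    """Build (pt, ct) pairs under secret_key, run Grover against the resulting
    oracle, and compare the simulated success probability with the closed form."""
    pairs = [(p, toy_encrypt(secret_key, p)) for p in plaintexts]
    marked = consistent_keys(pairs)
    j = optimal_iterations(N, len(marked))
    return {
        "marked": len(marked),                      # the correct key plus spurious keys
        "key_in_marked": secret_key in marked,
        "iterations": j,
        "p_sim": grover_simulate(marked, j),
        "p_formula": bbht_success_probability(N, len(marked), j),
    }


if __name__ == "__main__":
    SECRET_KEY = 0xA5C                              # constructed 12-bit key
    for pts in ([0x3C], [0x3C, 0xE7], [0x3C, 0xE7, 0x91]):   # constructed plaintexts
        print(len(pts), "pair(s):", run_key_search(SECRET_KEY, pts))
```

Running it shows why the attack needs "a small number" of pairs rather than one: a single pair on an 8-bit block leaves on the order of 2^12 / 2^8 spurious keys marked, so Grover would return one of them with high probability, while two or three pairs shrink the marked set to (almost surely) the correct key alone. In every case the simulated success probability matches \(\sin^2((2j+1)\theta)\), and with \(j = \lfloor \pi/(4\theta) \rfloor\) it is at least \(1 - M/N\).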
TL;DR: An algorithm for computing depth-optimal decompositions of logical operations, leveraging a meet-in-the-middle technique to provide a significant speedup over simple brute force algorithms is presented.
Abstract: We present an algorithm for computing depth-optimal decompositions of logical operations, leveraging a meet-in-the-middle technique to provide a significant speedup over simple brute force algorithms. As an illustration of our method, we implemented this algorithm and found factorizations of commonly used quantum logical operations into elementary gates in the Clifford+T set. In particular, we report a decomposition of the Toffoli gate over the set of Clifford and T gates. Our decomposition achieves a total T-depth of 3, thereby providing a 40% reduction over the previously best known decomposition for the Toffoli gate. Due to the size of the search space, the algorithm is only practical for small parameters, such as the number of qubits, and the number of gates in an optimal implementation.
495 citations
TL;DR: A class of circuits whose T-depth can be reduced to 1 by using sufficiently many ancillas is described, and it is shown that the cost of adding an additional control to any controlled gate is at most 8 additional T-gates, and T-depth 2.
Abstract: We give a $\text{Clifford}+T$ representation of the Toffoli gate of $T$-depth one, using four ancillas. More generally, we describe a class of circuits whose $T$-depth can be reduced to one by using sufficiently many ancillas. We show that the cost of adding an additional control to any controlled gate is at most eight additional $T$ gates and $T$-depth two. We also show that the circuit $THT$ does not possess a $T$-depth one representation with an arbitrary number of ancillas initialized to $|0\rangle$.
199 citations