Applying Grover's Algorithm to AES: Quantum Resource Estimates

@inproceedings{Grassl2016ApplyingGA,
  title={Applying Grover's Algorithm to AES: Quantum Resource Estimates},
  author={Markus Grassl and Brandon Langenberg and Martin R{\"o}tteler and Rainer Steinwandt},
  booktitle={PQCrypto},
  year={2016}
}
We present quantum circuits to implement an exhaustive key search for the Advanced Encryption Standard AES and analyze the quantum resources required to carry out such an attack. We consider the overall circuit size, the number of qubits, and the circuit depth as measures for the cost of the presented quantum algorithms. Throughout, we focus on Clifford+$T$ gates as the underlying fault-tolerant logical quantum gate set. In particular, for all three variants of AES key size 128, 192, and 256i…
A quantum circuit design of AES requiring fewer quantum qubits and gate operations
Advanced Encryption Standard (AES) is one of the most widely used block ciphers nowadays, and was established as an encryption standard in 2001. Here we design AES-128 and the sample-AES (S-AES)
Alternative Tower Field Construction for Quantum Implementation of the AES S-box
TLDR
Four methods of trade-off between time and space for the quantum implementation of the AES S-box are proposed, one of which turns out to use the smallest number of qubits among the existing methods, significantly reducing its T-depth.
Towards Optimizing Quantum Implementation of AES S-box
TLDR
Four methods of trade-off between time and space for the quantum implementation of the AES S-box are proposed, one of which turns out to use the smallest number of qubits among the existing methods, significantly reducing its T-depth.
Reducing the Cost of Implementing AES as a Quantum Circuit
TLDR
This article presents a quantum circuit to implement the S-box of AES and identifies new quantum circuits for all three AES key lengths that can be used to simplify a Grover-based key search for AES.
Grover on SM3
TLDR
This work proposes an optimal SM3 hash function (Chinese standard) in a quantum circuit that is focused on minimizing the use of qubits and reducing the use of quantum gates and estimates the quantum resources required for the quantum pre-image attack.
Quantum Period Finding against Symmetric Primitives in Practice
TLDR
An optimized quantum circuit for boolean linear algebra as well as complete reversible implementations of PRINCE, Chaskey, spongent and Keccak which are of independent interest for quantum cryptanalysis are proposed.
Quantum Analysis of AES
TLDR
This work presents the least Toffoli depth and full depth implementations of AES, thereby improving from Zou et al.
Parallel Quantum Addition for Korean Block Cipher
TLDR
This paper adopts the optimal quantum adder and design in parallel way with only a few trade-offs between quantum resources and provides a performance improvement of 78% in LEA, 85% in HIGHT, and 70% in CHAM in terms of circuit depth.
Grover on PIPO
The emergence of quantum computers is threatening the security of cryptography through various quantum algorithms. Among them, the Grover search algorithm is known to be efficient in accelerating
Quantum Implementation and Resource Estimates for RECTANGLE and KNOT
TLDR
This work targets the lightweight block cipher RECTANGLE and the AuA, a generic attack against symmetric key cryptographic primitives, that can reduce the search complexity to square root and is among the first works to do this.

References

Quantum Differential and Linear Cryptanalysis
TLDR
This work examines more closely the security of symmetric ciphers against quantum attacks, and investigates quantum versions of differential and linear cryptanalysis techniques, showing that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attack techniques, but the situation must be nuanced.
A Meet-in-the-Middle Algorithm for Fast Synthesis of Depth-Optimal Quantum Circuits
We present an algorithm for computing depth-optimal decompositions of logical operations, leveraging a meet-in-the-middle technique to provide a significant speedup over simple brute force
A note on quantum related-key attacks
Quantum arithmetic and numerical analysis using Repeat-Until-Success circuits
We develop a method for approximate synthesis of single-qubit rotations of the form $e^{-i f(\phi_1,\ldots,\phi_k)X}$ that is based on the Repeat-Until-Success (RUS) framework for quantum circuit
Elementary gates for quantum computation.
TLDR
U(2) gates are derived, which derive upper and lower bounds on the exact number of elementary gates required to build up a variety of two- and three-bit quantum gates, the asymptotic number required for n-bit Deutsch-Toffoli gates, and make some observations about the number of unitary operations on arbitrarily many bits.
Efficient quantum circuits for binary elliptic curve arithmetic: reducing T-gate complexity
TLDR
This paper shows that changing the curve representation allows a substantial reduction in the number of T-gates needed to implement the curve arithmetic, and presents a quantum circuit for computing multiplicative inverses in F2n in depth O(n log2 n), which may be of independent interest.
Fixed-point quantum search with an optimal number of queries.
TLDR
This work provides the first version of amplitude amplification that achieves fixed-point behavior without sacrificing the quantum speedup and incorporates an adjustable bound on the failure probability and guarantees that this bound is satisfied over the broadest possible range of λ.
Surface codes: Towards practical large-scale quantum computation
TLDR
The concept of the stabilizer, using two qubits, is introduced, and the single-qubit Hadamard, S and T operators are described, completing the set of required gates for a universal quantum computer.
Quantum Counting
TLDR
This work generalizes the Grover iteration in the light of a concept called amplitude amplification, and shows that the quadratic speedup obtained by the quantum searching algorithm over classical brute force can still be obtained for a large family of search problems for which good classical heuristics exist.
Tight bounds on quantum searching
TLDR
A lower bound on the efficiency of any possible quantum database searching algorithm is provided and it is shown that Grover's algorithm nearly comes within a factor 2 of being optimal in terms of the number of probes required in the table.