Implementing Grover Oracles for Quantum Key Search on AES and LowMC

  • Samuel Jaques, Michael Naehrig, Martin Roetteler, Fernando Virdia
    Advances in Cryptology – EUROCRYPT 2020, pp. 280–310
Grover’s search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses $O(\sqrt{N})$ calls to the cipher to search a key space of size N. Previous work…

Evaluation of Grover’s algorithm toward quantum cryptanalysis on ChaCha

This work designs a reversible quantum circuit for ChaCha, estimates the resources required to run Grover's algorithm against it, implements a ChaCha-like toy cipher in the IBMQ simulator, and recovers the toy cipher's key with Grover's algorithm.
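The following is an added example, not code from the EUROCRYPT 2020 paper or from the ChaCha work above, showing the attack both entries describe: a Grover key search whose oracle marks the keys consistent with a few plaintext-ciphertext pairs. Instead of a toy ChaCha on the IBMQ simulator it uses a constructed 8-bit SPN toy cipher and a plain Python amplitude-vector simulation of Grover's iterations. The S-box is PRESENT's; the cipher structure, the key 0x5A and the two plaintexts are assumptions made here for illustration and have no cryptographic value.

```python
"""Grover key search on a constructed 8-bit toy SPN cipher, simulated with a
classical amplitude vector.  Added example: not code from either paper above.
The toy cipher, the key and the plaintexts are made up here for illustration."""
import math

# PRESENT S-box (a bijection on 4-bit nibbles) serves as the nonlinear layer.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

KEY_BITS = 8
N = 1 << KEY_BITS          # size of the key space Grover searches


def rotl8(x: int, r: int) -> int:
    r %= 8
    return ((x << r) | (x >> (8 - r))) & 0xFF


def toy_encrypt(key: int, pt: int, rounds: int = 4) -> int:
    """8-bit block, 8-bit key: key addition, nibble S-box, bit rotation."""
    x = pt & 0xFF
    for r in range(rounds):
        x ^= rotl8(key, r)                        # round key = rotated master key
        x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]   # nibble-wise S-box
        x = rotl8(x, 3)                           # linear layer
    return x ^ key                                # final key whitening


def marked_keys(pairs):
    """The Grover oracle, evaluated classically on every basis state: a key is
    marked iff it maps every known plaintext to its ciphertext.  In the quantum
    circuit this is one reversible cipher evaluation per pair, run once over the
    whole superposition; the cost of that circuit is what the papers estimate."""
    return [k for k in range(N)
            if all(toy_encrypt(k, p) == c for p, c in pairs)]


def grover_iterations(n: int, m: int = 1) -> int:
    """floor(pi/4 * sqrt(n/m)) iterations for m marked items among n."""
    return math.floor(math.pi / 4 * math.sqrt(n / m))


def theoretical_success(n: int, m: int, r: int) -> float:
    """Probability of measuring a marked item after r iterations:
    sin^2((2r+1)*theta) with sin(theta) = sqrt(m/n)."""
    theta = math.asin(math.sqrt(m / n))
    return math.sin((2 * r + 1) * theta) ** 2


def grover_key_search(pairs):
    """Simulate Grover on the key register.  Returns (measured_key, p_success,
    marked, iterations).  The simulation picks the iteration count from the
    exact number of marked keys; a real attacker assumes m = 1 after using
    enough pairs to make the key (almost surely) unique."""
    marked = marked_keys(pairs)
    if not marked:
        raise ValueError("no key is consistent with the given pairs")
    is_marked = [False] * N
    for k in marked:
        is_marked[k] = True
    r = grover_iterations(N, len(marked))
    amp = [1.0 / math.sqrt(N)] * N                # uniform superposition |s>
    for _ in range(r):
        # oracle: phase flip on every key consistent with the pairs
        amp = [-a if is_marked[k] else a for k, a in enumerate(amp)]
        # diffusion 2|s><s| - I: reflect each amplitude about the mean
        mean = sum(amp) / N
        amp = [2.0 * mean - a for a in amp]
    probs = [a * a for a in amp]
    p_success = sum(probs[k] for k in marked)
    measured = max(range(N), key=probs.__getitem__)  # most likely outcome
    return measured, p_success, marked, r


# Constructed instance: secret key and two known plaintexts (not from the papers).
TRUE_KEY = 0x5A
PLAINTEXTS = [0x00, 0x3C]
PAIRS = [(p, toy_encrypt(TRUE_KEY, p)) for p in PLAINTEXTS]

if __name__ == "__main__":
    for n_pairs in (1, 2):
        key, p_ok, marked, r = grover_key_search(PAIRS[:n_pairs])
        print(f"{n_pairs} pair(s): {len(marked)} consistent key(s) "
              f"{[hex(k) for k in marked]}, {r} iterations, "
              f"P(marked) = {p_ok:.4f}, measured key {key:#04x}")
```

Running it with one pair and then with two shows why the attack needs "a small number" of pairs rather than one: with an 8-bit block a single pair can leave spurious keys that the oracle also marks, and a second pair removes them. The iteration count floor(π/4·√(N/M)) is the same formula that gives about 2^127 iterations for AES-128, each of which evaluates the reversible cipher circuit in superposition, which is why the resource estimates in these papers are dominated by the cost of that circuit. The amplitude vector grows as 2^(key bits), so this style of simulation is only feasible for toy key sizes.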

Parallel quantum addition for Korean block ciphers

This paper presents optimized quantum circuits for Korean block ciphers built on ARX architectures. It adopts the optimal quantum adder and arranges it in parallel, improving circuit depth by 78%, 85%, and 70% for LEA, HIGHT, and CHAM respectively while keeping the number of qubits and quantum gates minimal.

Quantum algorithms for the Goldreich–Levin learning problem

  • Hongwei Li
  • Computer Science
    Quantum Information Processing
  • 2020
The quantum algorithm is generalized to an n-variable, m-output Boolean function F with query complexity $O(2^m \log(1/\delta)/\epsilon^4)$.

Resource Estimation of Grovers-kind Quantum Cryptanalysis against FSR based Symmetric Ciphers

A detailed study of the cost of the quantum key search attack using Grover is given, and Grover is connected with BSW sampling for stream ciphers with low sampling resistance, showing that cryptanalysis is possible with a gate count of less than 2 and giving a clear view of the exact status of quantum cryptanalysis against FSR-based symmetric ciphers.

Grover on SIMON

Grover’s search algorithm is applied to all variants of SIMON, and the quantum resources needed for the attack are enumerated in terms of NOT, CNOT and Toffoli gates and the number of qubits required.

Quantum Search for Lightweight Block Ciphers: GIFT, SKINNY, SATURNIN

This work presents quantum circuits for the lightweight block ciphers GIFT, SKINNY, and SATURNIN and gives overall cost in both the gate count and depth-times-width cost metrics, under NIST’s maximum depth constraints.

Quantum implementation and resource estimates for Rectangle and Knot

This work targets the lightweight block cipher Rectangle and the Authenticated Encryption with Associated Data (AEAD) scheme Knot, which is based on Rectangle, and implements both in the ProjectQ library (an open-source quantum computing library developed by researchers at ETH Zurich).

Improved circuit implementation of the HHL algorithm and its simulations on QISKIT

The improved circuit implementation of the HHL algorithm effectively reduces quantum resources without losing fidelity of the results, as verified in IBM's Qiskit.

Quantum Period Finding against Symmetric Primitives in Practice

An optimized quantum circuit for Boolean linear algebra is proposed, as well as complete reversible implementations of PRINCE, Chaskey, spongent and Keccak, which are of independent interest for quantum cryptanalysis.

Internal Symmetries and Linear Properties: Full-permutation Distinguishers and Improved Collisions on Gimli

The security of both the Gimli permutation, presented at CHES 2017, and the constructions based on it is studied, and a practical distinguisher on 23 out of the full 24 rounds of the permutation is presented.

Linear Equivalence of Block Ciphers with Partial Non-Linear Layers: Application to LowMC

  • Itai Dinur
  • Computer Science, Mathematics
    IACR Cryptol. ePrint Arch.
  • 2018
LowMC, a block cipher family designed in 2015 by Albrecht et al., is optimized for practical instantiations of multi-party computation, fully homomorphic encryption, and zero-knowledge proofs.

Low-overhead constructions for the fault-tolerant Toffoli gate

Two constructions for the Toffoli gate are presented which substantially reduce resource costs in fault-tolerant quantum computing, and a quantum circuit is presented which can detect a single $\sigma^z$ error occurring with probability $p$ in any one of the eight $T$ gates required to produce the Toffoli gate.

Applying Grover's Algorithm to AES: Quantum Resource Estimates

It is established that for all three AES variants with key sizes of 128, 192, and 256 bits that are standardized in FIPS PUB 197, there are precise bounds for the number of qubits and the number of elementary logical quantum gates needed to implement Grover's quantum algorithm to extract the key from a small number of AES plaintext-ciphertext pairs.

Trading T-gates for dirty qubits in state preparation and unitary synthesis

A quantum algorithm for preparing any dimension-$N$ pure quantum state specified by a list of classical numbers, that realizes a trade-off between space and T-gates and is, in the best case, a quadratic improvement in T-count over prior ancillary-free approaches.

Quantum reversible circuit of AES-128

To maintain key uniqueness when the quantum AES-128 circuit is employed as a Boolean function inside the black box of a key-search quantum algorithm, a method with a cost of 930 qubits is also proposed.

Quantum Security Analysis of AES

This paper analyzes for the first time the post-quantum security of AES, and proposes a new framework for structured search that encompasses both the classical and quantum attacks, and allows to efficiently compute their complexity.

I show that for any number of oracle lookups up to about $\pi/4\sqrt{N}$, Grover's quantum searching algorithm gives the maximal possible probability of finding the desired

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, and (b) have

Time–space complexity of quantum search algorithms in symmetric cryptanalysis: applying to AES and SHA-2

A framework for estimating time–space complexity, carefully accounting for the characteristics of the target cryptographic functions, is provided and applied to the representative cryptosystems that NIST uses as a guideline for security parameters, reassessing the security strengths of AES and SHA-2.

Reducing the Cost of Implementing AES as a Quantum Circuit

This article presents a quantum circuit to implement the S-box of AES and identifies new quantum circuits for all three AES key lengths that can be used to simplify a Grover-based key search for AES.