Implementing Grover Oracles for Quantum Key Search on AES and LowMC

  title={Implementing Grover Oracles for Quantum Key Search on AES and LowMC},
  author={Samuel Jaques and Michael Naehrig and Martin Roetteler and Fernando Virdia},
  journal={Advances in Cryptology – EUROCRYPT 2020},
  pages={280 - 310}
Grover’s search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses $O(\sqrt{N})$ calls to the cipher to search a key space of size N. Previous work…

Parallel quantum addition for Korean block ciphers

This paper presents optimized quantum circuits for Korean block ciphers based on ARX architectures; it adopts an optimal quantum adder and designs it in a parallel way to provide circuit-depth improvements of 78%, 85%, and 70% for LEA, HIGHT, and CHAM, respectively, while keeping the number of qubits and quantum gates minimal.

Resource Estimation of Grovers-kind Quantum Cryptanalysis against FSR based Symmetric Ciphers

A detailed study of the cost of the quantum key search attack using Grover is given, connecting Grover with BSW sampling for stream ciphers with low sampling resistance, showing that cryptanalysis is possible with a gate count of less than 2, and providing a clear view of the exact status of quantum cryptanalysis against FSR-based symmetric ciphers.

Grover on SIMON

Grover’s search algorithm on all variants of SIMON is presented, enumerating the quantum resources needed to implement such an attack in terms of NOT, CNOT and Toffoli gates and the number of qubits required.

Quantum Search for Lightweight Block Ciphers: GIFT, SKINNY, SATURNIN

This work presents quantum circuits for the lightweight block ciphers GIFT, SKINNY, and SATURNIN and gives the overall cost in both the gate-count and depth-times-width cost metrics, under NIST’s maximum depth constraints.

Quantum Period Finding against Symmetric Primitives in Practice

An optimized quantum circuit for Boolean linear algebra is proposed, together with complete reversible implementations of PRINCE, Chaskey, spongent and Keccak, which are of independent interest for quantum cryptanalysis.

Internal Symmetries and Linear Properties: Full-permutation Distinguishers and Improved Collisions on Gimli

The security of both the permutation and the constructions that are based on it is studied, and a practical distinguisher on 23 out of the full 24 rounds of Gimli's permutation was presented at CHES 2017.

A Parallel Quantum Circuit Implementations of LSH Hash Function for Use with Grover’s Algorithm

Grover’s search algorithm accelerates the key search on the symmetric key cipher and the pre-image attack on the hash function. To conduct Grover’s search algorithm, the target cipher algorithm

Quantum Analysis of AES Lowering Limit of Quantum Attack Complexity

This work presents the least Toffoli depth and full depth implementations of AES, thereby improving from Zou et al.

Quantum Implementation and Resource Estimates for RECTANGLE and KNOT

This work targets the lightweight block cipher RECTANGLE and the AuA, a generic attack against symmetric key cryptographic primitives, that can reduce the search complexity to square root and is among the first works to do this.

Grover on SPECK: Quantum Resource Estimates

This paper presents optimized implementations of the SPECK 32/64 and SPECK 64/128 block ciphers for quantum computers, and is the first implementation of SPECK in quantum circuits.

Linear Equivalence of Block Ciphers with Partial Non-Linear Layers: Application to LowMC

Itai Dinur. IACR Cryptol. ePrint Arch., 2018.
A block cipher family designed in 2015 by Albrecht et al. is optimized for practical instantiations of multi-party computation, fully homomorphic encryption, and zero-knowledge proofs.

Applying Grover's Algorithm to AES: Quantum Resource Estimates

It is established that for all three variants of AES with key sizes of 128, 192, and 256 bits that are standardized in FIPS-PUB 197, there are precise bounds for the number of qubits and the number of elementary logical quantum gates that are needed to implement Grover's quantum algorithm to extract the key from a small number of AES plaintext-ciphertext pairs.

Trading T-gates for dirty qubits in state preparation and unitary synthesis

A quantum algorithm for preparing any dimension-$N$ pure quantum state specified by a list of classical numbers, that realizes a trade-off between space and T-gates and is, in the best case, a quadratic improvement in T-count over prior ancillary-free approaches.

Quantum reversible circuit of AES-128

To maintain the key uniqueness when the quantum AES-128 is employed as a Boolean function within a Black-box in other key searching quantum algorithms, a method with a cost of 930 qubits is also proposed.

Quantum Security Analysis of AES

This paper analyzes for the first time the post-quantum security of AES, and proposes a new framework for structured search that encompasses both the classical and quantum attacks and allows their complexity to be computed efficiently.


I show that for any number of oracle lookups up to about $\pi/4\,\sqrt{N}$, Grover's quantum searching algorithm gives the maximal possible probability of finding the desired

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, and (b) have

Time–space complexity of quantum search algorithms in symmetric cryptanalysis: applying to AES and SHA-2

A framework for estimating time–space complexity that carefully accounts for the characteristics of target cryptographic functions is provided and applied to the representative cryptosystems that NIST uses as a guideline for security parameters, reassessing the security strengths of AES and SHA-2.

Encoding Electronic Spectra in Quantum Circuits with Linear T Complexity

Compiling to surface code fault-tolerant gates and assuming per gate error rates of one part in a thousand reveals that one can error correct phase estimation on interesting instances of these problems beyond the current capabilities of classical methods.

Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE

Models of computation that enable direct comparisons between classical and quantum algorithms are introduced, and their relevance to cryptanalysis is demonstrated by revisiting, and increasing, the security estimates for the Supersingular Isogeny Diffie–Hellman (SIDH) and Supersingular Isogeny Key Encapsulation (SIKE) schemes.