# Implementing Grover Oracles for Quantum Key Search on AES and LowMC

@article{Jaques2019ImplementingGO,
title={Implementing Grover Oracles for Quantum Key Search on AES and LowMC},
author={Samuel Jaques and Michael Naehrig and Martin Roetteler and Fernando Virdia},
journal={Advances in Cryptology – EUROCRYPT 2020},
year={2019},
volume={12106},
pages={280 - 310}
}
• Published 3 October 2019
• Computer Science, Mathematics
• Advances in Cryptology – EUROCRYPT 2020
Grover’s search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$O(\sqrt{N})$$\end{document}O(N) calls to the cipher to search a key space of size N. Previous work…
93 Citations

### Parallel quantum addition for Korean block ciphers

• Computer Science
Quantum Information Processing
• 2022
This paper presents optimized quantum circuits for Korean block ciphers based on ARX architectures and adopts the optimal quantum adder and design it in parallel way to provide performance improvements of 78%, 85%, and 70% in terms of circuit depth for LEA, HIGHT, and CHAM while keeping the number of qubits and quantum gates minimum.

### Resource Estimation of Grovers-kind Quantum Cryptanalysis against FSR based Symmetric Ciphers

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2020
A detailed study of the cost of the quantum key search attack using Grover and connects Grover with BSW sampling for stream ciphers with low sampling resistance, showing that cryptanalysis is possible with gates count less than 2 and providing a clear view of the exact status of quantum cryptanalysis against FSR based symmetric cipher.

### Grover on $$\,SIMON\,$$ S I M O N

• Computer Science, Mathematics
Quantum Inf. Process.
• 2020
Grover’s search algorithm on all the variants of S I M O N and enumerate the quantum resources to implement such attack in terms of NOT, CNOT and Toffoli gates and the number of qubits required for the attack is presented.

### Quantum Search for Lightweight Block Ciphers: GIFT, SKINNY, SATURNIN

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2020
This work presents quantum circuits for the lightweight block ciphers GIFT, SKINNY, and SATURNIN and gives overall cost in both the gate count and depth-times-width cost metrics, under NIST’s maximum depth constraints.

### Quantum Period Finding against Symmetric Primitives in Practice

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2020
An optimized quantum circuit for boolean linear algebra as well as complete reversible implementations of PRINCE, Chaskey, spongent and Keccak which are of independent interest for quantum cryptanalysis are proposed.

### Internal Symmetries and Linear Properties: Full-permutation Distinguishers and Improved Collisions on Gimli

• Computer Science, Mathematics
Journal of Cryptology
• 2021
The security of both the permutation and the constructions that are based on it are studied and a practical distinguisher on 23 out of the full 24 rounds of Gimli's permutation was presented at CHES 2017.

### A Parallel Quantum Circuit Implementations of LSH Hash Function for Use with Grover’s Algorithm

• Computer Science
Applied Sciences
• 2022
Grover’s search algorithm accelerates the key search on the symmetric key cipher and the pre-image attack on the hash function. To conduct Grover’s search algorithm, the target cipher algorithm

### Quantum Analysis of AES Lowering Limit of Quantum Attack Complexity

• Computer Science
• 2022
This work presents the least Toffoli depth and full depth implementations of AES, thereby improving from Zou et al.

### Quantum Implementation and Resource Estimates for RECTANGLE and KNOT

• Computer Science
IACR Cryptol. ePrint Arch.
• 2021
This work targets the lightweight block cipher RECTANGLE and the AuA, a generic attack against symmetric key cryptographic primitives, that can reduce the search complexity to square root and is among the first works to do this.

### Grover on SPECK: Quantum Resource Estimates

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2020
This paper presents optimized implementations of SPECK 32/64 and SPECK 64/128 block ciphers for quantum computers, and is the first implementation ofSPECK in quantum circuits.

## References

SHOWING 1-10 OF 66 REFERENCES

### Linear Equivalence of Block Ciphers with Partial Non-Linear Layers: Application to LowMC

• Itai Dinur
• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2018
A block cipher family designed in 2015 by Albrecht et al. is optimized for practical instantiations of multi-party computation, fully homomorphic encryption, and zero-knowledge proofs.

### Applying Grover's Algorithm to AES: Quantum Resource Estimates

• Computer Science
PQCrypto
• 2016
It is established that for all three variants of AES key size 128, 192, and 256i¾źbit that are standardized in FIPS-PUB 197, there are precise bounds for the number of qubits and thenumber of elementary logical quantum gates that are needed to implement Grover's quantum algorithm to extract the key from a small number of AES plaintext-ciphertext pairs.

### Trading T-gates for dirty qubits in state preparation and unitary synthesis

• Computer Science
• 2018
A quantum algorithm for preparing any dimension-$N$ pure quantum state specified by a list of classical numbers, that realizes a trade-off between space and T-gates and is, in the best case, a quadratic improvement in T-count over prior ancillary-free approaches.

### Quantum reversible circuit of AES-128

• Computer Science, Mathematics
Quantum Inf. Process.
• 2018
To maintain the key uniqueness when the quantum AES-128 is employed as a Boolean function within a Black-box in other key searching quantum algorithms, a method with a cost of 930 qubits is also proposed.

### Quantum Security Analysis of AES

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2019
This paper analyzes for the first time the post-quantum security of AES, and proposes a new framework for structured search that encompasses both the classical and quantum attacks, and allows to efficiently compute their complexity.

### GROVER'S QUANTUM SEARCHING ALGORITHM IS OPTIMAL

I show that for any number of oracle lookups up to about {pi}/4thinsp{radical} (N) , Grover{close_quote}s quantum searching algorithm gives the maximal possible probability of finding the desired

### Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

• Computer Science, Mathematics
CCS
• 2017
We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, and (b) have

### Time–space complexity of quantum search algorithms in symmetric cryptanalysis: applying to AES and SHA-2

• Computer Science
IACR Cryptol. ePrint Arch.
• 2018
A framework for estimating time–space complexity, with carefully accounting for characteristics of target cryptographic functions, is provided, applied to representative cryptosystems NIST as a guideline for security parameters, reassessing the security strengths of AES and SHA-2.

### Encoding Electronic Spectra in Quantum Circuits with Linear T Complexity

• Computer Science
Physical Review X
• 2018
Compiling to surface code fault-tolerant gates and assuming per gate error rates of one part in a thousand reveals that one can error correct phase estimation on interesting instances of these problems beyond the current capabilities of classical methods.

### Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2019
These models of computation that enable direct comparisons between classical and quantum algorithms are introduced and the relevance of these models to cryptanalysis is demonstrated by revisiting, and increasing, the security estimates for the Supersingular Isogeny Diffie–Hellman (SIDH) and Superserpine Key Encapsulation (SIKE) schemes.