# Implementing Grover Oracles for Quantum Key Search on AES and LowMC

@article{Jaques2019ImplementingGO, title={Implementing Grover Oracles for Quantum Key Search on AES and LowMC}, author={Samuel Jaques and Michael Naehrig and Martin Roetteler and Fernando Virdia}, journal={Advances in Cryptology – EUROCRYPT 2020}, year={2019}, volume={12106}, pages={280 - 310} }

Grover’s search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$O(\sqrt{N})$$\end{document}O(N) calls to the cipher to search a key space of size N. Previous work…

## 102 Citations

### Evaluation of Grover’s algorithm toward quantum cryptanalysis on ChaCha

- Materials Science, Computer ScienceQuantum Information Processing
- 2021

This work designed a reversible quantum circuit of ChaCha and then estimated the resources required to implement Grover and implemented a ChaChA-like toy cipher in IBMQ simulator and recovered key using Grover’s algorithm.

### Parallel quantum addition for Korean block ciphers

- Computer ScienceQuantum Information Processing
- 2022

This paper presents optimized quantum circuits for Korean block ciphers based on ARX architectures and adopts the optimal quantum adder and design it in parallel way to provide performance improvements of 78%, 85%, and 70% in terms of circuit depth for LEA, HIGHT, and CHAM while keeping the number of qubits and quantum gates minimum.

### Quantum algorithms for the Goldreich–Levin learning problem

- Computer ScienceQuantum Information Processing
- 2020

The quantum algorithm is generalized to apply for an n variable m output Boolean function F with query complexity O(2mlog1δϵ4) and setlength{\oddsidemargin}{-69pt} is given.

### Resource Estimation of Grovers-kind Quantum Cryptanalysis against FSR based Symmetric Ciphers

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

A detailed study of the cost of the quantum key search attack using Grover and connects Grover with BSW sampling for stream ciphers with low sampling resistance, showing that cryptanalysis is possible with gates count less than 2 and providing a clear view of the exact status of quantum cryptanalysis against FSR based symmetric cipher.

### Grover on $$\,SIMON\,$$ S I M O N

- Computer Science, MathematicsQuantum Inf. Process.
- 2020

Grover’s search algorithm on all the variants of S I M O N and enumerate the quantum resources to implement such attack in terms of NOT, CNOT and Toffoli gates and the number of qubits required for the attack is presented.

### Quantum Search for Lightweight Block Ciphers: GIFT, SKINNY, SATURNIN

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

This work presents quantum circuits for the lightweight block ciphers GIFT, SKINNY, and SATURNIN and gives overall cost in both the gate count and depth-times-width cost metrics, under NIST’s maximum depth constraints.

### Quantum implementation and resource estimates for Rectangle and Knot

- Computer ScienceQuantum Information Processing
- 2021

This work targets the lightweight block cipher Rectangle and the Authenticated Encryption with Associated Data (AEAD) Knot which is based on Rectangle; and implements those in the ProjectQ library (an open-source quantum compatible library designed by researchers from ETH Zurich).

### Improved circuit implementation of the HHL algorithm and its simulations on QISKIT

- Computer ScienceScientific reports
- 2022

The improved circuit implementation of the HHL algorithm can effectively reduce quantum resources without losing the fidelity of the results and is verified by IBM's qiskit.

### Quantum Period Finding against Symmetric Primitives in Practice

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

An optimized quantum circuit for boolean linear algebra as well as complete reversible implementations of PRINCE, Chaskey, spongent and Keccak which are of independent interest for quantum cryptanalysis are proposed.

### Internal Symmetries and Linear Properties: Full-permutation Distinguishers and Improved Collisions on Gimli

- Computer Science, MathematicsJournal of Cryptology
- 2021

The security of both the permutation and the constructions that are based on it are studied and a practical distinguisher on 23 out of the full 24 rounds of Gimli's permutation was presented at CHES 2017.

## References

SHOWING 1-10 OF 66 REFERENCES

### Linear Equivalence of Block Ciphers with Partial Non-Linear Layers: Application to LowMC

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2018

A block cipher family designed in 2015 by Albrecht et al. is optimized for practical instantiations of multi-party computation, fully homomorphic encryption, and zero-knowledge proofs.

### Low-overhead constructions for the fault-tolerant Toffoli gate

- Computer Science
- 2013

Two constructions for the Toffoli gate are presented which substantially reduce resource costs in fault-tolerant quantum computing and a quantum circuit is presented which can detect a single ${\ensuremath{\sigma}}^{z}$ error occurring with probability $p$ in any one of eight $T$ gates required to produce the ToFFoli gate.

### Applying Grover's Algorithm to AES: Quantum Resource Estimates

- Computer SciencePQCrypto
- 2016

It is established that for all three variants of AES key size 128, 192, and 256i¾źbit that are standardized in FIPS-PUB 197, there are precise bounds for the number of qubits and thenumber of elementary logical quantum gates that are needed to implement Grover's quantum algorithm to extract the key from a small number of AES plaintext-ciphertext pairs.

### Trading T-gates for dirty qubits in state preparation and unitary synthesis

- Computer Science
- 2018

A quantum algorithm for preparing any dimension-$N$ pure quantum state specified by a list of classical numbers, that realizes a trade-off between space and T-gates and is, in the best case, a quadratic improvement in T-count over prior ancillary-free approaches.

### Quantum reversible circuit of AES-128

- Computer Science, MathematicsQuantum Inf. Process.
- 2018

To maintain the key uniqueness when the quantum AES-128 is employed as a Boolean function within a Black-box in other key searching quantum algorithms, a method with a cost of 930 qubits is also proposed.

### Quantum Security Analysis of AES

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2019

This paper analyzes for the first time the post-quantum security of AES, and proposes a new framework for structured search that encompasses both the classical and quantum attacks, and allows to efficiently compute their complexity.

### GROVER'S QUANTUM SEARCHING ALGORITHM IS OPTIMAL

- Computer Science
- 1999

I show that for any number of oracle lookups up to about {pi}/4thinsp{radical} (N) , Grover{close_quote}s quantum searching algorithm gives the maximal possible probability of finding the desired…

### Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

- Computer Science, MathematicsCCS
- 2017

We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, and (b) have…

### Time–space complexity of quantum search algorithms in symmetric cryptanalysis: applying to AES and SHA-2

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2018

A framework for estimating time–space complexity, with carefully accounting for characteristics of target cryptographic functions, is provided, applied to representative cryptosystems NIST as a guideline for security parameters, reassessing the security strengths of AES and SHA-2.

### Reducing the Cost of Implementing AES as a Quantum Circuit

- Computer Science, PhysicsIEEE Transactions on Quantum Engineering
- 2020

This article presents a quantum circuit to implement the S-box of AES and identifies new quantum circuits for all three AES key lengths that can be used to simplify a Grover-based key search for AES.