Applying Grover’s Algorithm to AES: Quantum Resource Estimates

Grassl, Markus; Langenberg, Brandon; Roetteler, Martin; Steinwandt, Rainer

doi:10.1007/978-3-319-29360-8_3

Cited by 182 publications

(242 citation statements)

References 25 publications

(31 reference statements)

Supporting

Mentioning

230

Contrasting

Unclassified

Order By: Relevance

“…Although it is difficult to estimate the cost of a physical implementation which does not yet exist, we can compare security levels as quantum operation counts in this model. For example, Grover search of the secret key for AES-128 is known to require approximately 2 64 quantum evaluations of the cipher, and 2 84 quantum operations [21].…”

Section: The Quantum Circuit Modelmentioning

confidence: 99%

Quantum Attacks Without Superposition Queries: The Offline Simon’s Algorithm

Bonnetain

Hosoyamada

Naya-Plasencia

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In symmetric cryptanalysis, the model of superposition queries has led to surprising results, with many constructions being broken in polynomial time thanks to Simon's period-finding algorithm. But the practical implications of these attacks remain blurry. In contrast, the results obtained so far for a quantum adversary making classical queries only are less impressive. In this paper, we introduce a new quantum algorithm which uses Simon's subroutines in a novel way. We manage to leverage the algebraic structure of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current literature, while using only as much hardware requirements (quantum and classical) as a standard exhaustive search with Grover's algorithm. In particular, we are able to break the Even-Mansour construction in quantum timeÕ(2 n/3 ), with O(2 n/3 ) classical queries and O(n 2 ) qubits only. In addition, we improve some previous superposition attacks by reducing the data complexity from exponential to polynomial, with the same time complexity. Our approach can be seen in two complementary ways: reusing superposition queries during the iteration of a search using Grover's algorithm, or alternatively, removing the memory requirement in some quantum attacks based on a collision search, thanks to their algebraic structure. We provide a list of cryptographic applications, including the Even-Mansour construction, the FX construction, some Sponge authenticated modes of encryption, and many more.

show abstract

Section: The Quantum Circuit Modelmentioning

confidence: 99%

Quantum Attacks Without Superposition Queries: The Offline Simon’s Algorithm

Bonnetain

Hosoyamada

Naya-Plasencia

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Random statistics of the target function are carefully handled which lead to increase in iteration number compared with the case of unique target. Surprisingly, however, the cost of dealing with random statistics in this paper is not expensive compared with the previous work [27] under single processor assumption. Furthermore, when processor parallelization is considered, we observed that this extra cost gets even more negligible.…”

Section: This Workmentioning

confidence: 89%

“…AES Key Search. Grassl et al reported the quantum costs of AES-k key search for k ∈ {128, 192, 256} in the units of logical qubit and gate [27]. In estimating the time cost, the author's focus was put on a specific gate called 'T' gate and its depth, although the overall gate count was also provided.…”

Section: Quantum Resource Estimatesmentioning

confidence: 99%

Time–space complexity of quantum search algorithms in symmetric cryptanalysis: applying to AES and SHA-2

Kim¹,

Han²,

Jeong³

2018

Quantum Inf Process

View full text Add to dashboard Cite

Performance of cryptanalytic quantum search algorithms is mainly inferred from query complexity which hides overhead induced by an implementation. To shed light on quantitative complexity analysis removing hidden factors, we provide a framework for estimating timespace complexity, with carefully accounting for characteristics of target cryptographic functions. Processor and circuit parallelization methods are taken into account, resulting in the time-space trade-offs curves in terms of depth and qubit. The method guides how to rank different circuit designs in order of their efficiency. The framework is applied to representative cryptosystems NIST referred to as a guideline for security parameters, reassessing the security strengths of AES and SHA-2.

show abstract

“…Note however that such complexity results are currently unproven, and may be weakened by technological progress. For instance, Shor's algorithm and quantum computing are effective for integer factorization [1], Grover's algorithm and quantum computing can be used against AES [2], and memcomputing has been proved to be effective to solve subset sum [3].…”

Section: Introductionmentioning

confidence: 99%

Universal Optimality of Apollonian Cell Encoders

Biondi

Given-Wilson

Legay

2018

2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/ 12th IEEE International

View full text Add to dashboard Cite

Abstract-Preserving privacy of private communication against an attacker is a fundamental concern of computer science security. Unconditional encryption considers the case where an attacker has unlimited computational power, hence no complexity result can be relied upon for encryption. Optimality criteria are defined for the best possible encryption over a general collection of entropy measures. This paper introduces Apollonian cell encoders, a class of shared-key cryptosystems that are proven to be universally optimal. In addition to the highest possible security for the message, Apollonian cell encoders prove to have perfect secrecy on their key allowing unlimited key reuse. Conditions for the existence of Apollonian cell encoders are presented, as well as a constructive proof. Further, a compact representation of Apollonian cell encoders is presented, allowing for practical implementation.

show abstract

Applying Grover’s Algorithm to AES: Quantum Resource Estimates

Cited by 182 publications

References 25 publications

Quantum Attacks Without Superposition Queries: The Offline Simon’s Algorithm

Quantum Attacks Without Superposition Queries: The Offline Simon’s Algorithm

Time–space complexity of quantum search algorithms in symmetric cryptanalysis: applying to AES and SHA-2

Universal Optimality of Apollonian Cell Encoders

Contact Info

Product

Resources

About