Implementing Grover Oracles for Quantum Key Search on AES and LowMC
Grover's search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses calls to the cipher to search a key space of size . Previous work in the specific case of AES derived the full gate cost by analyzing quantum circuits for the cipher, but focused on minimizing the number of qubits. In contrast, we study the cost of quantum key search attacks under a depth restriction and introduce techniques that reduce the oracle depth, even if it requires more qubits. As cases in point, we design quantum circuits for the block ciphers AES and LowMC. Our circuits give a lower overall attack cost in both the gate count and depth-times-width cost models. In NIST's post-quantum cryptography standardization process, security categories are defined based on the concrete cost of quantum key search against AES. We present new, lower cost estimates for each category, so our work has immediate implications for the security assessment of post-quantum cryptography. As part of this work, we release Q# implementations of the full Grover oracle for AES-128, -192, -256 and for the three LowMC instantiations used in Picnic, including unit tests and code to reproduce our quantum resource estimates. To the best of our knowledge, these are the first two such full implementations and automatic resource estimations.
Comment: 36 pages, 8 figures, 14 tables
Implementing Grover oracles for quantum key search on AES and LowMC
Grover's search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses calls to the cipher to search a key space of size . Previous work in the specific case of AES derived the full gate cost by analyzing quantum circuits for the cipher, but focused on minimizing the number of qubits.
In contrast, we study the cost of quantum key search attacks under a depth restriction and introduce techniques that reduce the oracle depth, even if it requires more qubits. As cases in point, we design quantum circuits for the block ciphers AES and LowMC. Our circuits give a lower overall attack cost in both the gate count and depth-times-width cost models. In NIST's post-quantum cryptography standardization process, security categories are defined based on the concrete cost of quantum key search against AES. We present new, lower cost estimates for each category, so our work has immediate implications for the security assessment of post-quantum cryptography.
As part of this work, we release Q# implementations of the full Grover oracle for AES-128, -192, -256 and for the three LowMC instantiations used in Picnic, including unit tests and code to reproduce our quantum resource estimates. To the best of our knowledge, these are the first two such full implementations and automatic resource estimations.
This is a revised version that corrects the estimates for AES to account for some issues in Q# that made the original estimates inaccurate. We did not revise the estimates for LowMC, so those resource counts are likely higher than necessary.
Optimized Quantum Implementation of SEED
With the advancement of quantum computers, it has been demonstrated that Shor's algorithm enables public key cryptographic attacks to be performed in polynomial time. In response, NIST conducted a Post-Quantum Cryptography Standardization competition. Additionally, because Grover's algorithm can reduce the complexity of symmetric key cryptographic attacks to the square root of the classical cost, it is increasingly difficult to regard symmetric key cryptography as secure without re-evaluation. In order to establish secure post-quantum cryptographic systems, there is a need for post-quantum security evaluations of cryptographic algorithms against quantum adversaries. Consequently, NIST is estimating post-quantum security strength, driving active research in quantum cryptanalysis for the establishment of secure post-quantum cryptographic systems.
In this regard, this paper presents a depth-optimized quantum circuit implementation for SEED, a symmetric key encryption algorithm included in the Korean Cryptographic Module Validation Program (KCMVP). Building upon our implementation, we conduct a thorough assessment of the post-quantum security of SEED. Our implementation of SEED is the first quantum circuit implementation of this cipher.
Improved Quantum Analysis of SPECK and LowMC (Full Version)
As the prevalence of quantum computing has grown in leaps and bounds over the past few years, there is an ever-growing need to analyze symmetric-key ciphers against the upcoming threat. Indeed, we have seen a number of research works dedicated to this. Our work delves into this aspect of block ciphers, with respect to the SPECK family and the LowMC family.
The SPECK family has received two quantum analyses to date (Jang et al., Applied Sciences, 2020; Anand et al., Indocrypt, 2020). We revisit these two works and present improved benchmarks for SPECK (all 10 variants). Our implementations incur lower full depth compared to the previous works.
On the other hand, the quantum circuit of LowMC was explored earlier in Jaques et al.'s Eurocrypt 2020 paper. However, there is an already known bug in their paper, which we patch. On top of that, we present two quantum versions of LowMC (for the L1, L3 and L5 variants), both of which incur significantly less full depth than the bug-fixed implementation.
On Forging SPHINCS-Haraka Signatures on a Fault-Tolerant Quantum Computer
SPHINCS is a state-of-the-art hash-based signature scheme, the security of which is based on either SHA-256, SHAKE-256 or the Haraka hash function. In this work, we perform an in-depth analysis of how the hash functions are embedded into SPHINCS and how quantum pre-image resistance impacts the security of the signature scheme. Subsequently, we evaluate the cost of implementing Grover's quantum search algorithm to find a pre-image that admits a universal forgery.
In particular, we provide quantum implementations of the Haraka and SHAKE-256 hash functions in Q# and consider the efficiency of attacks in the context of fault-tolerant quantum computers. We restrict our findings to SPHINCS-128 due to the limited security margin of Haraka. Nevertheless, we present an attack that performs better, to the best of our knowledge, than previously published attacks.
We can forge a SPHINCS-128-Haraka signature in about surface code cycles and physical qubits, translating to about logical-qubit-cycles. For SHAKE-256, the same attack requires qubits and cycles, resulting in about logical-qubit-cycles.
Optimizing the depth of quantum implementations of linear layers
Synthesis and optimization of quantum circuits are important and fundamental research topics in quantum computation, because qubits are very precious and the decoherence time, which determines the computation time available, is very limited. Specifically in cryptography, identifying the minimum quantum resources for implementing an encryption process is crucial in evaluating the quantum security of symmetric-key ciphers. In this work, we investigate the problem of optimizing the depth of quantum circuits for linear layers while using a small number of qubits and quantum gates. To this end, we present a framework for the implementation and optimization of linear Boolean functions, by which we significantly reduce the depth of quantum circuits for many linear layers used in symmetric-key ciphers without increasing the gate count.
Quantum Circuit Implementation and Resource Analysis of LBlock and LiCi
Due to Grover's algorithm, any exhaustive search attack on block ciphers can achieve a quadratic speed-up. To implement Grover's exhaustive search and accurately estimate the required resources, one needs to implement the target ciphers as quantum circuits. Recently, there has been increasing interest in quantum circuits implementing lightweight ciphers. In this paper we present the quantum implementations and resource estimates of the lightweight ciphers LBlock and LiCi. We optimize the quantum circuit implementations in the number of gates, required qubits and circuit depth, and simulate the quantum circuits on ProjectQ. Furthermore, based on the quantum implementations, we analyze the resources required for exhaustive key search attacks on LBlock and LiCi with Grover's algorithm. Finally, we compare the resources for implementing LBlock and LiCi with those of other lightweight ciphers.
Comment: 29 pages, 21 figures
Quantum Search for Scaled Hash Function Preimages
We present the implementation of Grover's algorithm in a quantum simulator to perform a quantum search for preimages of two scaled hash functions, whose design only uses modular addition, word rotation, and bitwise exclusive or. Our implementation provides the means to assess with precision the scaling of the number of gates and depth of a full-fledged quantum circuit designed to find the preimages of a given hash digest. The detailed construction of the quantum oracle shows that the presence of AND gates, OR gates, bit shifts and the reuse of the initial state along the computation requires extra quantum resources compared with other hash functions based on modular additions, XOR gates and rotations. We also track the entanglement entropy present in the quantum register at every step of the computation, showing that it becomes maximal at the inner core of the first action of the quantum oracle, which implies that no classical simulation based on Tensor Networks would be of relevance. Finally, we show that strategies that suggest a shortcut based on sampling the quantum register after a few steps of Grover's algorithm can only provide a marginal practical advantage in terms of error mitigation.
Comment: 24 pages, 14 figures