1,095 research outputs found
Quantum Differential and Linear Cryptanalysis
Quantum computers, that may become available one day, would impact many
scientific fields, most notably cryptography since many asymmetric primitives
are insecure against an adversary with quantum capabilities. Cryptographers are
already anticipating this threat by proposing and studying a number of
potentially quantum-safe alternatives for those primitives. On the other hand,
symmetric primitives seem less vulnerable against quantum computing: the main
known applicable result is Grover's algorithm that gives a quadratic speed-up
for exhaustive search.
In this work, we examine more closely the security of symmetric ciphers
against quantum attacks. Since our trust in symmetric ciphers relies mostly on
their ability to resist cryptanalysis techniques, we investigate quantum
cryptanalysis techniques. More specifically, we consider quantum versions of
differential and linear cryptanalysis. We show that it is usually possible to
use quantum computations to obtain a quadratic speed-up for these attack
techniques, but the situation must be nuanced: we don't get a quadratic
speed-up for all variants of the attacks. This allows us to demonstrate the
following non-intuitive result: the best attack in the classical world does not
necessarily lead to the best quantum one. We give some examples of application
on ciphers LAC and KLEIN. We also discuss the important difference between an
adversary that can only perform quantum computations, and an adversary that can
also make quantum queries to a keyed primitive.Comment: 25 page
Applying Grover's algorithm to AES: quantum resource estimates
We present quantum circuits to implement an exhaustive key search for the
Advanced Encryption Standard (AES) and analyze the quantum resources required
to carry out such an attack. We consider the overall circuit size, the number
of qubits, and the circuit depth as measures for the cost of the presented
quantum algorithms. Throughout, we focus on Clifford gates as the
underlying fault-tolerant logical quantum gate set. In particular, for all
three variants of AES (key size 128, 192, and 256 bit) that are standardized in
FIPS-PUB 197, we establish precise bounds for the number of qubits and the
number of elementary logical quantum gates that are needed to implement
Grover's quantum algorithm to extract the key from a small number of AES
plaintext-ciphertext pairs.Comment: 13 pages, 3 figures, 5 tables; to appear in: Proceedings of the 7th
International Conference on Post-Quantum Cryptography (PQCrypto 2016
- …