1,866 research outputs found
Applying Grover's algorithm to AES: quantum resource estimates
We present quantum circuits to implement an exhaustive key search for the
Advanced Encryption Standard (AES) and analyze the quantum resources required
to carry out such an attack. We consider the overall circuit size, the number
of qubits, and the circuit depth as measures for the cost of the presented
quantum algorithms. Throughout, we focus on Clifford gates as the
underlying fault-tolerant logical quantum gate set. In particular, for all
three variants of AES (key size 128, 192, and 256 bit) that are standardized in
FIPS-PUB 197, we establish precise bounds for the number of qubits and the
number of elementary logical quantum gates that are needed to implement
Grover's quantum algorithm to extract the key from a small number of AES
plaintext-ciphertext pairs.
Comment: 13 pages, 3 figures, 5 tables; to appear in: Proceedings of the 7th International Conference on Post-Quantum Cryptography (PQCrypto 2016)
Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3
We investigate the cost of Grover's quantum search algorithm when used in the
context of pre-image attacks on the SHA-2 and SHA-3 families of hash functions.
Our cost model assumes that the attack is run on a surface code based
fault-tolerant quantum computer. Our estimates rely on a time-area metric that
costs the number of logical qubits times the depth of the circuit in units of
surface code cycles. As a surface code cycle involves a significant classical
processing stage, our cost estimates allow for crude, but direct, comparisons
of classical and quantum algorithms.
We exhibit a circuit for a pre-image attack on SHA-256 that is approximately
surface code cycles deep and requires approximately
logical qubits. This yields an overall cost of
logical-qubit-cycles. Likewise we exhibit a SHA3-256 circuit that is
approximately surface code cycles deep and requires approximately
logical qubits for a total cost of, again,
logical-qubit-cycles. Both attacks require on the order of queries in
a quantum black-box model, hence our results suggest that executing these
attacks may be as much as billion times more expensive than one would
expect from the simple query analysis.
Comment: Same as the published version to appear in the Selected Areas of Cryptography (SAC) 2016. Comments are welcome
Quantum Circuit Implementation and Resource Analysis of LBlock and LiCi
Due to Grover's algorithm, any exhaustive search attack on block ciphers can
achieve a quadratic speed-up. To implement Grover's exhaustive search and
accurately estimate the required resources, one needs to implement the target
ciphers as quantum circuits. Recently, there has been increasing interest in
quantum circuits implementing lightweight ciphers. In this paper we present the
quantum implementations and resource estimates of the lightweight ciphers
LBlock and LiCi. We optimize the quantum circuit implementations in the number
of gates, required qubits and the circuit depth, and simulate the quantum
circuits on ProjectQ. Furthermore, based on the quantum implementations, we
analyze the resources required for exhaustive key search attacks of LBlock and
LiCi with Grover's algorithm. Finally, we compare the resources for
implementing LBlock and LiCi with those of other lightweight ciphers.
Comment: 29 pages, 21 figures
Improving the Efficiency of Quantum Circuits for Information Set Decoding
The NIST Post-Quantum standardization initiative, which has entered its fourth round, aims to select asymmetric cryptosystems secure against attackers equipped with a quantum computer. Code-based cryptosystems are a promising option for Post-Quantum Cryptography (PQC), as neither classical nor quantum algorithms provide polynomial-time solvers for their underlying hard problems. Indeed, to provide sound alternatives to lattice-based cryptosystems, NIST advanced all round 3 code-based cryptosystems to round 4. We present a complete implementation of a quantum circuit based on the Information Set Decoding (ISD) strategy, the best known one against code-based cryptosystems, providing quantitative measures for the security margin achieved with respect to the quantum-accelerated key recovery on AES, targeting both the current state-of-the-art approach and the NIST estimates. Our work improves the state of the art, reducing the circuit depth from 2¹⁹ to 2³⁰ for all the parameters of the NIST selected cryptosystems. We further analyse recently proposed optimizations, showing that the overhead introduced by their implementation outweighs their asymptotic advantages. Finally, we address the concern brought forward in the latest NIST report on the parameter choice for the McEliece cryptosystem, showing that the parameter choice yields a computational effort which is slightly below the required target level.
On Forging SPHINCS-Haraka Signatures on a Fault-Tolerant Quantum Computer
SPHINCS is a state-of-the-art hash-based signature scheme, the security of which is based either on SHA-256, SHAKE-256 or on the Haraka hash function. In this work, we perform an in-depth analysis of how the hash functions are embedded into SPHINCS and how the quantum pre-image resistance impacts the security of the signature scheme. Subsequently, we evaluate the cost of implementing Grover's quantum search algorithm to find a pre-image that admits a universal forgery.
In particular, we provide quantum implementations of the Haraka and SHAKE-256 hash functions in Q# and consider the efficiency of attacks in the context of fault-tolerant quantum computers. We restrict our findings to SPHINCS-128 due to the limited security margin of Haraka. Nevertheless, we present an attack that performs better, to the best of our knowledge, than previously published attacks.
We can forge a SPHINCS-128-Haraka signature in about surface code cycles and physical qubits, translating to about logical-qubit-cycles. For SHAKE-256, the same attack requires qubits and cycles, resulting in about logical-qubit-cycles.
Estimating the Cost of Superposition Attacks on Lightweight Cryptography on Fault-Tolerant Quantum Systems
We present several attacks in quantum superposition on so-called lightweight cryptographic primitives using Simon's algorithm. Three of our attacks target the finalist of the NIST Lightweight Cryptography Standardization Process, Elephant. The other primitives are LightMAC and ESTATE. We also show that truncating the output of periodic 2-to-1 functions does not restrict Simon's algorithm. This result can be used to speed up existing attacks.
The resource costs of all presented attacks are then estimated assuming a fault-tolerant, surface-code-based quantum computer. We demonstrate the differences between an attacker who is able to query the Elephant primitive in superposition and one who can only make classical queries. Even if both have access to the same local quantum computer, the one with access to superpositions will recover the secret key in about logical qubit-cycles and 21.2 seconds, while the other requires about logical qubit-cycles and 209.9 years.