Observations on the Quantum Circuit of the SBox of AES
In this paper, we propose some improved quantum circuits to implement the Sbox of AES. Our improved quantum circuits are based on the following strategies. First, we try to find the minimum set of intermediate variables that can be used to compute the 8-bit output of the Sbox. Second, we check whether some wires store intermediate variables and then remain idle until the end, so that we can reduce the number of qubits by reusing those wires. Third, we try to compute the output of the Sbox without ancilla qubits, because the wires storing the output of the Sbox do not need to be cleaned up; this reduces the number of Toffoli gates. Our first quantum circuit needs only 26 qubits and 46 Toffoli gates, while the quantum circuit proposed by Langenberg et al. required 32 qubits and 55 Toffoli gates. Furthermore, we also construct a second quantum circuit with 22 qubits and 60 Toffoli gates.
Quantum Search for Scaled Hash Function Preimages
We present the implementation of Grover's algorithm in a quantum simulator to perform a quantum search for preimages of two scaled hash functions, whose design only uses modular addition, word rotation, and bitwise exclusive or. Our implementation provides the means to assess with precision the scaling of the number of gates and depth of a full-fledged quantum circuit designed to find the preimages of a given hash digest. The detailed construction of the quantum oracle shows that the presence of AND gates, OR gates, shifts of bits and the reuse of the initial state along the computation require extra quantum resources compared with other hash functions based on modular additions, XOR gates and rotations. We also track the entanglement entropy present in the quantum register at every step of the computation, showing that it becomes maximal at the inner core of the first action of the quantum oracle, which implies that no classical simulation based on Tensor Networks would be of relevance. Finally, we show that strategies that suggest a shortcut based on sampling the quantum register after a few steps of Grover's algorithm can only provide some marginal practical advantage in terms of error mitigation.
Comment: 24 pages, 14 figures
Reducing the Cost of Implementing AES as a Quantum Circuit
To quantify security levels in a post-quantum scenario, it is common to use the quantum resources needed to attack AES as a reference value. Specifically, in NIST's ongoing post-quantum standardization effort, different security categories are defined that reflect the quantum resources needed to attack AES-128, AES-192, and AES-256.
This paper presents a quantum circuit to implement the S-box of AES. Leveraging also an improved implementation of the key expansion, we identify new quantum circuits for all three AES key lengths. For AES-128, the number of Toffoli gates can be reduced by more than 88% compared to Almazrooie et al.'s and Grassl et al.'s estimates, while simultaneously reducing the number of qubits. Our circuits can be used to simplify a Grover-based key search for AES.
Improved Quantum Analysis of SPECK and LowMC (Full Version)
As the prevalence of quantum computing has grown in leaps and bounds over the past few years, there is an ever-growing need to analyze symmetric-key ciphers against the upcoming threat. Indeed, we have seen a number of research works dedicated to this. Our work delves into this aspect of block ciphers, with respect to the SPECK family and the LowMC family.
The SPECK family has received two quantum analyses to date (Jang et al., Applied Sciences, 2020; Anand et al., Indocrypt, 2020). We revisit these two works and present improved benchmarks for SPECK (all 10 variants). Our implementations incur lower full depth compared to the previous works.
On the other hand, the quantum circuit of LowMC was explored earlier in Jaques et al.'s Eurocrypt 2020 paper. However, there is an already known bug in their paper, which we patch. On top of that, we present two versions of LowMC (on the L1, L3 and L5 variants) in quantum, both of which incur significantly less full depth than the bug-fixed implementation.
Quantum cryptanalysis of the hash function «Kupyna»
The object of research is information processes in systems of cryptographic protection of information.
The subject of research is the complexity of applying Grover's algorithm to the hash function «Kupyna» in the quantum model of computation.
The aim of the work is to construct an attack on the cryptographic hash function «Kupyna» in the quantum model of computation using the quantum search algorithm (Grover's algorithm).
Synthesizing Quantum Circuits of AES with Lower T-depth and Less Qubits
The significant progress in the development of quantum computers has made the study of cryptanalysis based on quantum computing an active topic. To accurately estimate the resources required to carry out quantum attacks, the involved quantum algorithms have to be synthesized into quantum circuits with basic quantum gates. In this work, we present several generic synthesis and optimization techniques for circuits implementing the quantum oracles of iterative symmetric-key ciphers that are commonly employed in quantum attacks based on Grover and Simon’s algorithms. Firstly, a general structure for implementing the round functions of block ciphers in-place is proposed. Then, we present some novel techniques for synthesizing efficient quantum circuits of linear and non-linear cryptographic building blocks. We apply these techniques to AES and systematically investigate the strategies for depth-width trade-offs. Along the way, we derive a quantum circuit
for the AES S-box with provably minimal T-depth based on some new observations on its classical circuit. As a result, the T-depth and width (number of qubits) required for implementing the quantum circuits of AES are significantly reduced. Compared with the circuit proposed in EUROCRYPT 2020, the T-depth is reduced from 60 to 40 without increasing the width or 30 with a slight increase in width. These circuits are fully implemented in Microsoft Q# and the source code is publicly
available. Compared with the circuit proposed in ASIACRYPT 2020, the width of one of our circuits is reduced from 512 to 371, and the Toffoli-depth is reduced from 2016 to 1558 at the same time. Actually, we can reduce the width to 270 at the cost of increased depth. Moreover, a full spectrum of depth-width trade-offs is provided, setting new records for the synthesis and optimization of quantum circuits of AES.
Quantum cryptanalysis of the stream cipher «Strumok»
In this work, a quantum implementation of the stream cipher «Strumok» is constructed and the gate complexity of the resulting procedures is found. The cipher's resistance to methods of quantum differential cryptanalysis using Grover's algorithm is investigated; general key-recovery and cipher-state-recovery attacks are found, and the complexity (gate, time and space complexity) of these attacks is analysed.
The object of research is information processes in systems of cryptographic protection of information.
The subject of research is the resistance of the stream cipher «Strumok» to methods of quantum cryptanalysis.
The task of the work is to construct attacks on the stream cipher «Strumok» by methods of quantum cryptanalysis based on Grover's quantum algorithm, and to obtain complexity estimates for these attacks.
The research methods are methods of quantum differential cryptanalysis, complexity theory, computer modelling and probability theory.
Objectives of the work: to build a quantum implementation of the cipher «Strumok» and investigate the complexity of this implementation; to investigate exhaustive key search and cipher state recovery attacks using Grover's algorithm in accordance with NIST requirements; and to explore the possibility of constructing special attacks based on evaluating the cipher as a superposition over the initialization vector.
Time-space complexity of quantum search algorithms in symmetric cryptanalysis: applying to AES and SHA-2
The performance of cryptanalytic quantum search algorithms is mainly inferred from query complexity, which hides the overhead induced by an implementation. To shed light on quantitative complexity analysis with these hidden factors removed, we provide a framework for estimating time-space complexity that carefully accounts for the characteristics of the target cryptographic functions. Processor and circuit parallelization methods are taken into account, resulting in time-space trade-off curves in terms of depth and qubits. The method guides how to rank different circuit designs in order of their efficiency. The framework is applied to the representative cryptosystems that NIST refers to as a guideline for security parameters, reassessing the security strengths of AES and SHA-2.
Estimating the number of gates for implementing the Kalyna cipher in the quantum model of computation
The qualification work contains 94 pages, 12 figures, 22 tables, 31 sources and 1 appendix.
Aim of the work: to determine the amount of resources, such as quantum gates, required to implement the Kalyna cipher.
Object of research: information processes in cryptographic protection systems in the quantum model of computation.
Subject of research: the complexity of implementing the Kalyna cipher in the quantum model of computation.
As a result of this work, an estimate was obtained of the number of Toffoli gates required to implement the Kalyna cipher in the quantum model of computation. First, the number of gates required to perform the substitutions, the AddRoundKey operation and the cipher rounds was estimated. It was found that one execution of the AddRoundKey operation requires about 12.737 Toffoli gates, and one encryption round about 17.832 Toffoli gates. Implementing the substitutions of the Kalyna cipher requires 1278, 1273, 1252 and 1262 Toffoli gates for π0, π1, π2 and π3 respectively. A full implementation of the Kalyna-k/k cipher requires about 202.600, 273.510 and 344.420 Toffoli gates for k = 128, 256 and 512 respectively.