Implementing Grover Oracles for Quantum Key Search on AES and LowMC
Grover's search algorithm gives a quantum attack against block ciphers by
searching for a key that matches a small number of plaintext-ciphertext pairs.
This attack uses calls to the cipher to search a key space of
size . Previous work in the specific case of AES derived the full gate cost
by analyzing quantum circuits for the cipher, but focused on minimizing the
number of qubits. In contrast, we study the cost of quantum key search attacks
under a depth restriction and introduce techniques that reduce the oracle
depth, even if it requires more qubits. As cases in point, we design quantum
circuits for the block ciphers AES and LowMC. Our circuits give a lower overall
attack cost in both the gate count and depth-times-width cost models. In NIST's
post-quantum cryptography standardization process, security categories are
defined based on the concrete cost of quantum key search against AES. We
present new, lower cost estimates for each category, so our work has immediate
implications for the security assessment of post-quantum cryptography. As part
of this work, we release Q# implementations of the full Grover oracle for
AES-128, -192, -256 and for the three LowMC instantiations used in Picnic,
including unit tests and code to reproduce our quantum resource estimates. To
the best of our knowledge, these are the first two such full implementations
and automatic resource estimations.
Comment: 36 pages, 8 figures, 14 table
New Low-Area Designs for the AES Forward, Inverse and Combined S-boxes
The implementation of AES S-boxes is one of the most extensively studied areas of cryptography. In this paper, we propose three new hardware designs for the AES S-box that can serve in the forward, inverse and combined data paths. Each of these designs represents the smallest AES S-box ever proposed in its respective category. We achieve this goal by using a new tower field representation over normal bases and by optimizing every block inside the three proposed architectures. Our complexity analysis and ASIC synthesis results in the CMOS STM 65nm technology, as well as the NanGate 15nm technology, show that our designs outperform their counterparts in terms of area and power