Quantum-enhanced symmetric cryptanalysis for S-AES

Advanced Encryption Standard is one of the most widely used and important symmetric ciphers for today. It well known, that it can be subjected to the quantum Grover's attack that twice reduces its key strength. But full AES attack requires hundreds of qubits and circuit depth of thousands, that makes impossible not only experimental research but also numerical simulations of this algorithm. Here we present an algorithm for optimized Grover's attack on downscaled Simplifed-AES cipher. Besides full attack we present several approaches that allows to reduce number of required qubits if some nibbles of the key are known as a result of side-channel attack. For 16-bit S-AES the proposed attack requires 23 qubits in general case and 19, 15 or 11 if 4, 8 or 12 bits were leaked in specifc confguration. Comparing to previously known 32-qubits algorithm this approach potentially allows to run the attack on today's NISQ-devices and perform numerical simulations with GPU, that may be useful for further research of problem-specifc error mitigation and error correction techniques.Comment: 15 pages, 7 figure