Applying Grover’s Algorithm to AES: Quantum Resource Estimates
- Cite this paper as:
- Grassl M., Langenberg B., Roetteler M., Steinwandt R. (2016) Applying Grover’s Algorithm to AES: Quantum Resource Estimates. In: Takagi T. (eds) Post-Quantum Cryptography. Lecture Notes in Computer Science, vol 9606. Springer, Cham
We present quantum circuits to implement an exhaustive key search for the Advanced Encryption Standard (AES) and analyze the quantum resources required to carry out such an attack. We consider the overall circuit size, the number of qubits, and the circuit depth as measures for the cost of the presented quantum algorithms. Throughout, we focus on Clifford\(+T\) gates as the underlying fault-tolerant logical quantum gate set. In particular, for all three variants of AES (key size 128, 192, and 256 bit) that are standardized in FIPS-PUB 197, we establish precise bounds for the number of qubits and the number of elementary logical quantum gates that are needed to implement Grover’s quantum algorithm to extract the key from a small number of AES plaintext-ciphertext pairs.