Estimating the Cost of Generic Quantum Pre-image Attacks on SHA-2 and SHA-3

  • Matthew Amy
  • Olivia Di Matteo
  • Vlad Gheorghiu
  • Michele Mosca
  • Alex Parent
  • John Schanck
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10532)

Abstract

We investigate the cost of Grover’s quantum search algorithm when used in the context of pre-image attacks on the SHA-2 and SHA-3 families of hash functions. Our cost model assumes that the attack is run on a surface code based fault-tolerant quantum computer. Our estimates rely on a time-area metric that costs the number of logical qubits times the depth of the circuit in units of surface code cycles. As a surface code cycle involves a significant classical processing stage, our cost estimates allow for crude, but direct, comparisons of classical and quantum algorithms.

We exhibit a circuit for a pre-image attack on SHA-256 that is approximately \(2^{153.8}\) surface code cycles deep and requires approximately \(2^{12.6}\) logical qubits. This yields an overall cost of \(2^{166.4}\) logical-qubit-cycles. Likewise we exhibit a SHA3-256 circuit that is approximately \(2^{146.5}\) surface code cycles deep and requires approximately \(2^{20}\) logical qubits for a total cost of, again, \(2^{166.5}\) logical-qubit-cycles. Both attacks require on the order of \(2^{128}\) queries in a quantum black-box model, hence our results suggest that executing these attacks may be as much as 275 billion times more expensive than one would expect from the simple query analysis.
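The abstract's cost model is simple enough to carry through by hand, but the scales involved (2^166 qubit-cycles) make it easy to slip. The following Python script is an added worked example, not code from the paper or its authors: it takes only the qubit counts, depths and the 2^128 query count quoted above, computes the time-area cost and the overhead relative to a pure query count, and shows why the comparison is done in log2 rather than on raw integers. The Grover iteration count (π/4)·2^(n/2) and the per-iteration depth it backs out from the total are assumptions of the script, not figures stated in the abstract.

```python
"""Time-area cost arithmetic for a Grover pre-image search, following the
cost model described in the abstract: cost = logical qubits x circuit depth,
with depth measured in surface code cycles.

Added illustration; not code from the paper. The only figures taken from the
page are the qubit counts, depths and the 2^128 query count quoted in the
abstract. The Grover iteration count (pi/4)*2^(n/2) is the standard
single-solution bound and is an assumption of this script, not a number the
abstract states.
"""
import math

# Figures quoted in the abstract, kept as log2 values so that 2^166-scale
# quantities are handled without overflow or float noise.
ABSTRACT = {
    "SHA-256":  {"qubits_log2": 12.6, "depth_log2": 153.8},
    "SHA3-256": {"qubits_log2": 20.0, "depth_log2": 146.5},
}
QUERIES_LOG2 = 128.0   # black-box query count for a 256-bit pre-image


def grover_iterations_log2(n_bits: int) -> float:
    """log2 of ~(pi/4) * 2^(n/2) Grover iterations for one marked item
    among 2^n candidates (assumption: single-target search)."""
    return math.log2(math.pi / 4) + n_bits / 2


def time_area_cost_log2(qubits_log2: float, depth_log2: float) -> float:
    """log2 of the time-area cost: logical qubits times depth in cycles."""
    return qubits_log2 + depth_log2


def overhead_vs_queries_log2(cost_log2: float,
                             queries_log2: float = QUERIES_LOG2) -> float:
    """log2 of how much more expensive the circuit-level cost is than the
    query count alone would suggest."""
    return cost_log2 - queries_log2


def per_iteration_depth_log2(total_depth_log2: float, n_bits: int = 256) -> float:
    """Back out the depth of one Grover iteration (oracle plus diffusion)
    from the total depth, under the iteration-count assumption above."""
    return total_depth_log2 - grover_iterations_log2(n_bits)


def summarize(name: str) -> dict:
    """Cost, overhead factor and inferred per-iteration depth for one hash."""
    fig = ABSTRACT[name]
    cost = time_area_cost_log2(fig["qubits_log2"], fig["depth_log2"])
    overhead = overhead_vs_queries_log2(cost)
    return {
        "cost_log2": cost,
        "overhead_log2": overhead,
        "overhead_factor": 2 ** overhead,
        "iteration_depth_log2": per_iteration_depth_log2(fig["depth_log2"]),
    }


if __name__ == "__main__":
    for name in ABSTRACT:
        s = summarize(name)
        print(f"{name}: cost 2^{s['cost_log2']:.1f} qubit-cycles, "
              f"overhead 2^{s['overhead_log2']:.1f} (~{s['overhead_factor']:.3g}x), "
              f"per-iteration depth ~2^{s['iteration_depth_log2']:.1f} cycles")
```

Running it reproduces the abstract's totals (2^166.4 and 2^166.5) and an overhead of roughly 2^38 over the 2^128 query count (2^38 is about 2.75 x 10^11, the "275 billion" figure). The per-iteration depth printed last is a back-calculation from the totals under the script's iteration-count assumption and should not be read as a figure the paper reports.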

Keywords

Post-quantum cryptography, Hash functions, Pre-image attacks, Symmetric cryptographic primitives

Acknowledgments

We acknowledge support from NSERC and CIFAR. IQC and PI are supported in part by the Government of Canada and the Province of Ontario.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Matthew Amy (1, 4)
  • Olivia Di Matteo (2, 4)
  • Vlad Gheorghiu (3, 4)
  • Michele Mosca (3, 4, 5, 6)
  • Alex Parent (2, 4)
  • John Schanck (3, 4)

  1. David R. Cheriton School of Computer Science, University of Waterloo, Waterloo, Canada
  2. Department of Physics and Astronomy, University of Waterloo, Waterloo, Canada
  3. Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Canada
  4. Institute for Quantum Computing, University of Waterloo, Waterloo, Canada
  5. Perimeter Institute for Theoretical Physics, Waterloo, Canada
  6. Canadian Institute for Advanced Research, Toronto, Canada