
Part of the book series: Computer Architecture and Design Methodologies (CADM)

Abstract

Quantum computing is considered among the next big leaps in computer science. While a fully functional quantum computer is still in the future, there is an ever-growing need to evaluate the security of symmetric key ciphers against a potent quantum adversary. Keeping this in mind, our work explores the key recovery attack using Grover’s search on the three variants of AES (–128, –192, –256). In total, we develop a pool of 20 implementations per AES variant, taking the state-of-the-art advancements in the relevant fields into account. In a nutshell, we present the least Toffoli depth and full depth implementations of AES, thereby improving on Zou et al.’s Asiacrypt’20 paper by more than 98 percent for all variants of AES. We show that the qubit count–Toffoli depth product is reduced from theirs by more than 75 percent. Furthermore, we analyze Jaques et al.’s Eurocrypt’20 implementations in detail, fix the bugs (arising from a problem in the quantum computing tool used and not related to their coding) and report corrected benchmarks. To the best of our knowledge, our work improves on all the previous works (including the Asiacrypt’22 paper by Huang and Sun) in terms of various quantum circuit complexity metrics (such as Toffoli depth, full depth, Toffoli depth–qubit count product, and so on).


Notes

  1. However, it is to be mentioned that quantum computers are nowhere near being a serious generic threat to secret key ciphers (due to impractical resource requirements) as of yet, despite the paradigm growing in leaps and bounds in the past few years.

  2. https://csrc.nist.gov/projects/post-quantum-cryptography.

  3. Recently, we have also seen ASCON-SIGN [111], which uses a hash function to provide a quantum-secure signature.

  4. Homepage: https://projectq.ch/.

  5. https://github.com/starj1023/AES_QC.

  6. As far as we can tell, the authors of [29] only made some estimates but did not present any implementation.

  7. https://github.com/dansarie/sboxgates.

  8. As noted in [107], Gauss-Jordan reduction also finds an in-place implementation of a binary matrix, but it is probably never used as such (although it is used in [123] as the fallback algorithm of the \(\text {A}^{\star }\) search).

  9. In the Eurocrypt’20 paper [74], the authors remarked that they could not reproduce the result from [58] although they used the same technique. This is most likely the reason [74] reports a higher depth (full depth: 111) for its MixColumn implementation than [58] (full depth: 39), despite using the same technique.

  10. Recent optimizations relying on multi-input XOR gates (e.g., [22]) are not quantum compatible.

  11. The same bug appeared in the context of another cipher, as noted in [65].

  12. See https://github.com/microsoft/qsharp-runtime/issues/1037 and https://github.com/sam-jaques/grover-blocks/tree/sjaques-version-update#issue-with-estimating-resources.

  13. The authors recently updated their own bug fix in [73].

  14. https://github.com/microsoft/qsharp-runtime/issues/192.

  15. One may note that the number of qubits was not included in NIST’s estimation, probably because NIST was more focused on gates and depths, which increase drastically with the number of serial steps needed in Grover’s search.

Author information

Corresponding author: Anubhab Baksi.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this chapter


Cite this chapter

Baksi, A., Jang, K. (2024). Quantum Analysis of AES. In: Implementation and Analysis of Ciphers in Quantum Computing. Computer Architecture and Design Methodologies. Springer, Singapore. https://doi.org/10.1007/978-981-97-0025-7_6

  • DOI: https://doi.org/10.1007/978-981-97-0025-7_6

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-97-0024-0

  • Online ISBN: 978-981-97-0025-7

  • eBook Packages: Engineering (R0)
