Paper 2019/272

Quantum Security Analysis of AES

Xavier Bonnetain, María Naya-Plasencia, and André Schrottenloher


In this paper we analyze for the first time the post-quantum security of AES. AES is the most popular and widely used block cipher, established as the encryption standard by the NIST in 2001. We consider the secret key setting and, in particular, AES-256, the recommended primitive and one of the few existing ones that aims at providing a post-quantum security of 128 bits. In order to determine the new security margin, i.e., the lowest number of non-attacked rounds in time less than $2^{128}$ encryptions, we first provide generalized and quantized versions of the best known cryptanalysis on reduced-round AES, as well as a discussion on attacks that don't seem to benefit from a significant quantum speed-up. We propose a new framework for structured search that encompasses both the classical and quantum attacks we present, and allows to efficiently compute their complexity. We believe this framework will be useful for future analysis. Our best attack is a quantum Demirci-Selçuk meet-in-the-middle attack. Unexpectedly, using the ideas underlying its design principle also enables us to obtain new, counter-intuitive classical TMD trade-offs. In particular, we can reduce the memory in some attacks against AES-256 and AES-128. One of the building blocks of our attacks is solving efficiently the AES S-Box differential equation, with respect to the quantum cost of a reversible S-Box. We believe that this generic quantum tool will be useful for future quantum differential attacks. Judging by the results obtained so far, AES seems a resistant primitive in the post-quantum world as well as in the classical one, with a bigger security margin with respect to quantum generic attacks.

Available format(s)
Secret-key cryptography
Publication info
Published by the IACR in FSE 2020
AESsymmetric cryptanalysisquantum cryptanalysisclassical cryptanalysisquantum algorithmssecurity marginamplitude amplificationpost-quantum securityDS meet-in-the-middlesquare attack
Contact author(s)
andre schrottenloher @ inria fr
2019-06-07: revised
2019-03-12: received
See all versions
Short URL
Creative Commons Attribution


      author = {Xavier Bonnetain and María Naya-Plasencia and André Schrottenloher},
      title = {Quantum Security Analysis of AES},
      howpublished = {Cryptology ePrint Archive, Paper 2019/272},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.