Paper 2021/1211

Grover on SPEEDY

Gyeongju Song, Kyungbae Jang, Hyunjun Kim, Siwoo Eum, Minjoo Sim, Hyunji Kim, Wai-Kong Lee, and Hwajeong Seo


With the advent of quantum computers, revisiting the security of cryptography has been an active research area in recent years. In this paper, we estimate the cost of applying Grover's algorithm to SPEEDY block cipher. SPEEDY is a family of ultra-low-latency block ciphers presented in CHES'21. It is ensured that the key search equipped with Grover's algorithm reduces the $n$-bit security of the block cipher to $\frac{n}{2}$-bit. The issue is how many quantum resources are required for Grover's algorithm to work. NIST estimates the post-quantum security strength for symmetric key cryptography as the cost of Grover key search algorithm. SPEEDY provides 128-bit security or 192-bit security depending on the number of rounds. Based on our estimated cost, we present that increasing the number of rounds is insufficient to satisfy the security against attacks on quantum computers. To the best of our knowledge, this is the first implementation of SPEEDY as a quantum circuit.

Available format(s)
Publication info
Preprint. MINOR revision.
Grover's Search AlgorithmQuantum ComputingSPEEDY
Contact author(s)
thdrudwn98 @ gmail com
starj1023 @ gmail com
khj930704 @ gmail com
shuraatum @ gmail com
minjoos9797 @ gmail com
khj1594012 @ gmail com
hwajeong84 @ gmail com
waikonglee @ gachon ac kr
2021-09-17: received
Short URL
Creative Commons Attribution


      author = {Gyeongju Song and Kyungbae Jang and Hyunjun Kim and Siwoo Eum and Minjoo Sim and Hyunji Kim and Wai-Kong Lee and Hwajeong Seo},
      title = {Grover on {SPEEDY}},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1211},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.