Paper 2022/683

Quantum Analysis of AES

Kyungbae Jang, Hansung University, Seoul, South Korea
Anubhab Baksi, Nanyang Technological University, Singapore
Hyunji Kim, Hansung University, Seoul, South Korea
Gyeongju Song, Hansung University, Seoul, South Korea
Hwajeong Seo, Hansung University, Seoul, South Korea
Anupam Chattopadhyay, Nanyang Technological University, Singapore
Abstract

Quantum computing is considered among the next big leaps in computer science. While a fully functional quantum computer is still in the future, there is an ever-growing need to evaluate the security of the symmetric key ciphers against a potent quantum adversary. Keeping this in mind, our work explores the key recovery attack using the Grover's search on the three variants of AES (-128, -192, -256). In total, we develop a pool of 20 implementations per AES variant (thus totaling in 60), by taking the state-of-the-art advancements in the relevant fields into account. In a nutshell, we present the least Toffoli depth and full depth implementations of AES, thereby improving from Zou et al.'s Asiacrypt'20 paper by more than 97 percent for each variant of AES. We show that the qubit count - Toffoli depth product is reduced from theirs by more than 86 percent. Furthermore, we analyze the Jaques et al.'s Eurocrypt'20 implementations in details, fix the bugs (arising from some problem of the quantum computing tool used and not related to their coding) and report corrected benchmarks. To the best of our finding, our work improves from all the previous works (including the Asiacrypt'22 paper by Huang and Sun and the Asiacrypt'23 paper by Liu et al.) in terms of various quantum circuit complexity metrics (Toffoli depth, full depth, Toffoli/full depth - qubit count product, full depth - gate count product, etc.). Also, our bug-fixing of Jaques et al.'s Eurocrypt'20 implementations seem to improve from the authors' own bug-fixing, thanks to our architecture consideration. Equipped with the basic AES implementations, we further investigate the prospect of the Grover's search. We also propose three new implementations of the S-box, one new implementation of the MixColumn; as well as five new architecture (one is motivated by the architecture by Jaques et al. in Eurocrypt’20, and the rest four are entirely our innovation). Under the MAXDEPTH constraint (specified by NIST), the circuit depth metrics (Toffoli depth, T-depth and full depth) become crucial factors and parallelization for often becomes necessary. We provide the least depth implementation in this respect, that offers the best performance in terms of metrics for circuit complexity (like, depth-squared - qubit count product, depth - gate count product).

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
Quantum ImplementationGrover's SearchAES
Contact author(s)
starj1023 @ gmail com
anubhab001 @ e ntu edu sg
khj1594012 @ gmail com
thdrudwn98 @ gmail com
hwajeong84 @ gmail com
anupam @ ntu edu sg
History
2023-11-23: last of 31 revisions
2022-05-31: received
See all versions
Short URL
https://ia.cr/2022/683
License
Creative Commons Attribution-NonCommercial-ShareAlike
CC BY-NC-SA

BibTeX

@misc{cryptoeprint:2022/683,
      author = {Kyungbae Jang and Anubhab Baksi and Hyunji Kim and Gyeongju Song and Hwajeong Seo and Anupam Chattopadhyay},
      title = {Quantum Analysis of {AES}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/683},
      year = {2022},
      url = {https://eprint.iacr.org/2022/683}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.