Estimating the cost of generic quantum preimage attacks on SHA-2 and SHA-3
Abstract
We investigate the cost of Grover's quantum search algorithm when used in the context of preimage attacks on the SHA-2 and SHA-3 families of hash functions. Our cost model assumes that the attack is run on a surface code based fault-tolerant quantum computer. Our estimates rely on a time-area metric that costs the number of logical qubits times the depth of the circuit in units of surface code cycles. As a surface code cycle involves a significant classical processing stage, our cost estimates allow for crude, but direct, comparisons of classical and quantum algorithms. We exhibit a circuit for a preimage attack on SHA-256 that is approximately $2^{153.8}$ surface code cycles deep and requires approximately $2^{12.6}$ logical qubits. This yields an overall cost of $2^{166.4}$ logical-qubit-cycles. Likewise we exhibit a SHA3-256 circuit that is approximately $2^{146.5}$ surface code cycles deep and requires approximately $2^{20}$ logical qubits for a total cost of, again, $2^{166.5}$ logical-qubit-cycles. Both attacks require on the order of $2^{128}$ queries in a quantum black-box model, hence our results suggest that executing these attacks may be as much as $275$ billion times more expensive than one would expect from the simple query analysis.
Publication: arXiv e-prints
Pub Date: March 2016
arXiv: arXiv:1603.09383
Bibcode: 2016arXiv160309383A
Keywords: Quantum Physics
E-Print: Same as the published version to appear in the Selected Areas of Cryptography (SAC) 2016. Comments are welcome!