Implementing Grover oracles for quantum key search on AES and LowMC
Abstract
Grover's search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses $O(\sqrt{N})$ calls to the cipher to search a key space of size $N$. Previous work in the specific case of AES derived the full gate cost by analyzing quantum circuits for the cipher, but focused on minimizing the number of qubits. In contrast, we study the cost of quantum key search attacks under a depth restriction and introduce techniques that reduce the oracle depth, even if it requires more qubits. As cases in point, we design quantum circuits for the block ciphers AES and LowMC. Our circuits give a lower overall attack cost in both the gate count and depth-times-width cost models. In NIST's post-quantum cryptography standardization process, security categories are defined based on the concrete cost of quantum key search against AES. We present new, lower cost estimates for each category, so our work has immediate implications for the security assessment of post-quantum cryptography. As part of this work, we release Q# implementations of the full Grover oracle for AES-128, -192, -256 and for the three LowMC instantiations used in Picnic, including unit tests and code to reproduce our quantum resource estimates. To the best of our knowledge, these are the first two such full implementations and automatic resource estimations.
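The attack the abstract describes (a Grover oracle that marks every key consistent with a few known plaintext-ciphertext pairs, followed by about $(\pi/4)\sqrt{N}$ sequential oracle calls) can be seen end to end on a toy scale. The following is an added example, not the paper's Q# code: it state-vector-simulates Grover's algorithm over an 8-bit key space against a made-up 8-bit block cipher (`toy_encrypt`, a hypothetical keyed permutation chosen only so that all $N = 256$ keys fit in a classical simulation). It shows how the oracle is defined, how the iteration count scales with $N$ and with the number $t$ of marked keys, and why a single pair is not enough: with one pair, spurious keys that happen to agree on that pair are also marked, and a second pair removes them.

```python
"""Toy simulation of Grover key search against a tiny block cipher.

Added example, not code from the paper (which targets AES and LowMC in Q#).
The 8-bit "cipher" below is a made-up keyed permutation chosen only so the
whole key space (N = 256) fits in a classical state-vector simulation.
"""
import math

KEY_BITS = 8
N = 1 << KEY_BITS


def _rotl8(x, r):
    return ((x << r) | (x >> (8 - r))) & 0xFF


def toy_encrypt(key, pt):
    """Hypothetical 8-bit block cipher: three rounds of round-key XOR, an
    affine map (bijective because the multiplier 5 is odd) and a rotation,
    then a final key XOR.  Every step is a bijection, so it is a permutation
    of the block for each key."""
    x = pt & 0xFF
    for rnd in range(3):
        x ^= (key + rnd) & 0xFF
        x = (x * 5 + 0x63) & 0xFF
        x = _rotl8(x, 3)
    return x ^ (key & 0xFF)


def consistent_keys(pairs):
    """Classical view of the Grover oracle: the set of keys it would mark,
    i.e. every key that maps all given plaintexts to the given ciphertexts."""
    return [k for k in range(N)
            if all(toy_encrypt(k, p) == c for p, c in pairs)]


def grover_key_search(pairs, iterations=None):
    """State-vector simulation of Grover's algorithm over all N keys.

    The oracle flips the phase of every key consistent with all pairs; the
    diffusion step reflects the amplitudes about their mean.  Amplitudes stay
    real, so plain floats suffice.  Returns (most_likely_key, p_marked,
    iterations, marked) where p_marked is the probability that a measurement
    yields *some* marked key.
    """
    marked = set(consistent_keys(pairs))
    t = len(marked)
    if t == 0:
        raise ValueError("no key matches the given pairs")
    if iterations is None:
        # Optimal count is about (pi/4) * sqrt(N / t).  Each iteration calls
        # the cipher circuit once (forward and uncomputed in a real oracle),
        # and the iterations are sequential, which is why oracle depth
        # multiplies directly into total attack depth.
        iterations = round(math.pi / 4 * math.sqrt(N / t))
    amp = [1.0 / math.sqrt(N)] * N             # uniform superposition
    for _ in range(iterations):
        for k in marked:                        # oracle: phase flip on matches
            amp[k] = -amp[k]
        mean = sum(amp) / N                     # diffusion: 2|s><s| - I
        amp = [2 * mean - a for a in amp]
    p_marked = sum(amp[k] ** 2 for k in marked)
    best = max(range(N), key=lambda k: amp[k] ** 2)
    return best, p_marked, iterations, sorted(marked)


def demo(secret=0x5A, plaintexts=(0x12, 0xC3)):
    """Run the attack with one, then two, known plaintext-ciphertext pairs
    (constructed sample input: the pairs are generated from `secret`)."""
    pairs = [(p, toy_encrypt(secret, p)) for p in plaintexts]
    out = {}
    for r in range(1, len(pairs) + 1):
        best, p_ok, iters, marked = grover_key_search(pairs[:r])
        out[r] = {"best": best, "p_marked": p_ok,
                  "iterations": iters, "marked": marked}
    return out


if __name__ == "__main__":
    for r, res in demo().items():
        print(f"{r} pair(s): {res['iterations']} Grover iterations, "
              f"{len(res['marked'])} key(s) marked, "
              f"P[measure a marked key] = {res['p_marked']:.3f}, "
              f"most likely key = 0x{res['best']:02X}")
```

Two things carry over from the toy to the real setting. First, the iteration count, not the single oracle cost, is what makes $N$ prohibitive: for AES-128 it is roughly $2^{64}$ sequential oracle calls, so a cap on total circuit depth (as in NIST's MAXDEPTH) turns directly into a constraint on the depth of one oracle evaluation, which is the quantity the paper optimizes. Second, an attacker does not know $t$ in advance; the number of pairs is chosen so that the expected number of spurious keys, about $(N-1)/2^{r \cdot b}$ for $r$ pairs and block size $b$, is negligible, which is why a "small number" of pairs (two or three for AES) suffices and why the toy's single-pair run can mark more than one key.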
 Publication:
 arXiv e-prints
 Pub Date:
 October 2019
 arXiv:
 arXiv:1910.01700
 Bibcode:
 2019arXiv191001700J
 Keywords:
 Quantum Physics;
 Computer Science - Emerging Technologies
 EPrint:
 36 pages, 8 figures, 14 tables