1 Introduction
1.1 This work
1.1.1 Precise query complexity involving parallelization
1.1.2 Depth-qubit trade-off and circuit design tuning
1.1.3 Revisiting the security levels of NIST PQC standardization
1.2 Organization
2 Backgrounds
2.1 Grover’s algorithm
2.2 Parallelization
-
\(2^{40}\): Approximate number of logical gates that presently envisioned quantum computing architectures are expected to serially perform in a year.
-
\(2^{64}\): Approximate number of logical gates that current classical computing architectures can perform serially in a decade.
-
\(2^{96}\): Approximate number of logical gates that atomic scale qubits with speed of light propagation times could perform in a millennium.
2.3 Generalizations and variants
2.3.1 QAA algorithm
2.3.2 GwDP algorithm
2.3.3 CNS algorithm
2.4 AES and SHA-2 algorithms
2.4.1 AES-128
-
ShiftRows does cyclic shifts of the last three rows of the internal state by different offsets.
-
MixColumns does a linear transformation on each column of the internal state that mixes the data.
-
AddRoundKey does an addition of the internal state and the round key by an XOR operation.
-
SubBytes does a nonlinear transformation on each byte. SubBytes works as substitution-boxes (S-box) generated by computing a multiplicative inverse, followed by a linear transformation and an addition of S-box constant.
-
RotWord does a cyclic shift on four bytes.
-
Rcon does an addition of the constant and the word by XOR operation.
-
SubWord does an S-box operation on each byte in word.
2.4.2 SHA-256
-
\(Ch(x,y,z) = (x \wedge y) \oplus (\lnot x \wedge z)\),
-
\(Maj(x,y,z) = (x \wedge y) \oplus (x \wedge z) \oplus (y \wedge z)\),
-
\(\Sigma _0(x) = ROT\!R^2(x) \oplus ROT\!R^{13}(x) \oplus ROT\!R^{22}(x)\),
-
\(\Sigma _1(x) = ROT\!R^6(x) \oplus ROT\!R^{11}(x) \oplus ROT\!R^{25}(x)\), where \(ROT\!R^n(x)\) is circular right shift of x by n positions.
-
\(\sigma _0(x) = ROT\!R^7(x) \oplus ROT\!R^{18}(x) \oplus S\!H\!R^3(x)\),
-
\(\sigma _1(x) = ROT\!R^{17}(x) \oplus ROT\!R^{19}(x) \oplus S\!H\!R^{10}(x)\), where \(S\!H\!R^n(x)\) is right shift of x by n positions.
2.5 Quantum resource estimates
2.5.1 AES key search
2.5.2 SHA-2 and SHA-3 pre-image search
3 Trade-off in query complexity
3.1 Types of search problems
3.2 Trade-off in Grover’s algorithm for Key Search
3.3 Trade-off in Grover’s algorithm for Pre-image Search
3.4 Trade-off in quantum collision finding algorithms
3.4.1 GwDP algorithm
3.4.2 CNS algorithm
4 Depth–qubit cost metric
4.1 Cost measure
4.2 Time–space trade-off
4.3 Remarks on Toffoli gate
5 Complexity of AES-128 Key Search
5.1 Circuit implementation cost
Grassl et al.’s | Almazrooie et al’s | This work | |
---|---|---|---|
Number of qubits | 40 | 48 | 40 |
Number of multiplications | 8 | 7 | 7 |
Less-qubit | Lower-depth | |||
---|---|---|---|---|
Multiplier | S-box | Multiplier | S-box | |
Toffoli-depth | 18 | 126 | 8 | 56 |
Work qubits | 8 | 32 | 27 | 108 |
5.2 Design candidates
-
AES-\(\mathcal {C}{1}\): Serial schedule-round, reverse-round, less-qubit multiplier
-
AES-\(\mathcal {C}{2}\): Serial schedule-round, reverse-round, lower-depth multiplier
-
AES-\(\mathcal {C}{3}\): Parallel schedule-round, less-qubit multiplier
-
AES-\(\mathcal {C}{4}\): Parallel schedule-round, lower-depth multiplier
-
AES-\(\mathcal {C}{5}\): Parallel schedule-round, less-qubit multiplier, S-box un-cleaning
-
AES-\(\mathcal {C}{6}\): Parallel schedule-round, lower-depth multiplier, S-box un-cleaning.
5.3 Comparison
AES-128 | Grover | |||
---|---|---|---|---|
Toffoli-depth | Qubits | Toffoli-depth | Qubits | |
AES-\(\mathcal {C}{1}\) | 11088 | 984 |
\( 1.360\ldots \times 2^{78}\)
| 985 |
AES-\(\mathcal {C}{2}\) | 4928 | 3017 |
\( 1.290\ldots \times 2^{77}\)
| 3018 |
AES-\(\mathcal {C}{3}\) | 1260 | 2208 |
\( 1.405\ldots \times 2^{75}\)
| 2209 |
AES-\(\mathcal {C}{4}\) | 560 | 7148 |
\( 1.510\ldots \times 2^{74}\)
| 7149 |
AES-\(\mathcal {C}{5}\) | 720 | 6654 |
\( 1.808\ldots \times 2^{74}\)
| 6655 |
AES-\(\mathcal {C}{6}\) | 320 | 21854 |
\( 1.064\ldots \times 2^{74}\)
| 21855 |
AES-\(\mathcal {C}{1}\) | AES-\(\mathcal {C}{2}\) | AES-\(\mathcal {C}{6}\) | AES-\(\mathcal {C}{5}\) | AES-\(\mathcal {C}{3}\) | AES-\(\mathcal {C}{4}\) | |
---|---|---|---|---|---|---|
\(c_\#^{\mathrm{KS}}/c_4^{\mathrm{KS}}\)
|
\( 28.606\ldots \)
|
\( 19.705\ldots \)
|
\( 1.519\ldots \)
|
\( 1.333\ldots \)
|
\( 1.070\ldots \)
| 1 |
5.4 Comparison to ensured single target
AES-128 | Grover | |||
---|---|---|---|---|
Toffoli-depth | Qubits | Toffoli-depth | Qubits | |
Unique Key | 560 | 14296 |
\( 1.269\ldots \times 2^{74} \)
| 14297 |
AES-\(\mathcal {C}{4}\) | 560 | 7148 |
\( 1.510\ldots \times 2^{74} \)
| 7149 |
6 Complexity of SHA-256 Pre-image Search
6.1 Circuit implementation cost
ADDER (poly) | ADDER (log) | \( \sigma _{0(1)}\), \(\Sigma _{0(1)} \) |
Ch
|
Maj
| |
---|---|---|---|---|---|
Toffoli-depth | 61 | 22 | 0 | 1 | 2 |
Work qubits | 1 | 53 | 32 | 32 | 32 |
6.2 Design candidates
-
SHA-\(\mathcal {C}{1}\): Serial schedule-round, poly-depth ADDER, less-qubit C\(^{256}\)NOT
-
SHA-\(\mathcal {C}{2}\): Serial schedule-round, log-depth ADDER, less-qubit C\(^{256}\)NOT
-
SHA-\(\mathcal {C}{3}\): Serial schedule-round, log-depth ADDER, lower-depth C\(^{256}\)NOT
-
SHA-\(\mathcal {C}{4}\): Parallel schedule-round, poly-depth ADDER, less-qubit C\(^{256}\)NOT
-
SHA-\(\mathcal {C}{5}\): Parallel schedule-round, log-depth ADDER, less-qubit C\(^{256}\)NOT
-
SHA-\(\mathcal {C}{6}\): Parallel schedule-round, log-depth ADDER, lower-depth C\(^{256}\)NOT.
6.3 Comparison
SHA-256 | Grover | |||
---|---|---|---|---|
Toffoli-depth | Qubits | Toffoli-depth | Qubits | |
SHA-\(\mathcal {C}{1}\) | 36368 | 801 |
\( 1.586\ldots \times 2^{143}\)
| 802 |
SHA-\(\mathcal {C}{2}\) | 13280 | 853 |
\( 1.227\ldots \times 2^{142}\)
| 854 |
SHA-\(\mathcal {C}{3}\) | 13280 | 853 |
\( 1.163\ldots \times 2^{142}\)
| 1023 |
SHA-\(\mathcal {C}{4}\) | 27584 | 834 |
\( 1.216\ldots \times 2^{143}\)
| 835 |
SHA-\(\mathcal {C}{5}\) | 10112 | 938 |
\( 1.919\ldots \times 2^{141}\)
| 939 |
SHA-\(\mathcal {C}{6}\) | 10112 | 938 |
\( 1.792\ldots \times 2^{141}\)
| 1023 |
SHA-\(\mathcal {C}{1}\) | SHA-\(\mathcal {C}{4}\) | SHA-\(\mathcal {C}{3}\) | SHA-\(\mathcal {C}{2}\) | SHA-\(\mathcal {C}{5}\) | SHA-\(\mathcal {C}{6}\) | |
---|---|---|---|---|---|---|
\(c_\#^\mathrm{PS}/c_6^\mathrm{PS}\)
|
\( 9.830\ldots \)
|
\( 6.015\ldots \)
|
\( 1.685\ldots \)
|
\( 1.565\ldots \)
|
\( 1.053\ldots \)
| 1 |
7 Complexity of SHA-256 Collision Finding
7.1 GwDP algorithm
\(S_q\)
| Toffoli-depth | Qubits |
---|---|---|
\(2^2\)
|
\(1.986\ldots \times 2^{141}\)
| 4084 |
\(2^4\)
|
\(1.985\ldots \times 2^{139}\)
| 16272 |
\(2^8\)
|
\(1.984\ldots \times 2^{135}\)
| 258304 |
\(2^{16}\)
|
\(1.981\ldots \times 2^{127}\)
|
\( 6.508\ldots \times 10^7 \)
|
\(2^{32}\)
|
\(1.975\ldots \times 2^{111}\)
|
\( 4.127\ldots \times 10^{12} \)
|
\(2^{64}\)
|
\(1.963\ldots \times 2^{79} \)
|
\( 1.732\ldots \times 10^{22} \)
|
7.2 CNS algorithm
\(S_q\)
|
l
|
d
|
\(t_L\)
| Toffoli-depth | Qubits |
---|---|---|---|---|---|
\(2^2\)
|
\(55.155\ldots \)
| 97 |
\(0.015064\ldots \)
|
\(1.353\ldots \times 2^{116}\)
| 3756 |
\(2^4\)
|
\(55.558\ldots \)
| 98 |
\(0.014987\ldots \)
|
\(1.203\ldots \times 2^{115}\)
| 15024 |
\(2^8\)
|
\(56.364\ldots \)
| 99 |
\(0.014834\ldots \)
|
\(1.729\ldots \times 2^{112}\)
| 240384 |
\(2^{16}\)
|
\(57.976\ldots \)
| 102 |
\(0.014527\ldots \)
|
\(1.960\ldots \times 2^{107}\)
|
\( 6.154\ldots \times 10^{7} \)
|
\(2^{32}\)
|
\(61.201\ldots \)
| 109 |
\(0.013914\ldots \)
|
\(1.352\ldots \times 2^{98} \)
|
\( 4.033\ldots \times 10^{12} \)
|
\(2^{64}\)
|
\(67.654\ldots \)
| 121 |
\(0.012692\ldots \)
|
\(1.100\ldots \times 2^{79} \)
|
\( 1.732\ldots \times 10^{22} \)
|
8 Security strengths of AES and SHA-2
AES-128 | AES-192 | AES-256 | |
---|---|---|---|
\(c_k^\mathrm{KS}/c_{128}^\mathrm{KS}\)
| 1 |
\( 1.560\ldots \)
|
\( 2.586\ldots \)
|
SHA-256 | SHA-384 | SHA-512 | |
---|---|---|---|
\(c_m^{\mathrm{CF}}/c_{256}^\mathrm{CF}\)
| 1 |
\( 3.837\ldots \)
|
\( 3.940\ldots \)
|