Quantum attacks on two-round even-mansour

Even-Mansour is one of the most important constructions in symmetric cryptography, both from a theoretical and practical perspective. With the rapid development of quantum computing, the security of Even-Mansour construction in quantum setting needs to be considered. For one round Even-Mansour construction, it is well settled by classical and quantum attacks. While for the iterated scheme, the situation is much more complex. In this paper, we study the next case in line in detail and depth: quantum attacks against two rounds case. We first make an asymptotic comparison with existing classical and quantum attacks. Then we give concrete resource estimation for the proposed quantum attacks on round reduced LED cipher and AES². The resource estimation allows to deduce the most efficient attacks based on the trade-off of the number of qubits and Toffoli depth.

1 Introduction

The Even-Mansour (EM) construction [1] is a minimal block cipher that has been widely studied since its outstanding simplicity and provable classical security [1, 2]. It is made up of a n-bit public permutation P and two n-bit secret subkeys K₁ and K₂, i.e., E(x) = P (x ⊕ K₁) ⊕ K₂, where n is the block size. When P is a public random permutation, EM construction has been proven to be indistinguishable from a random permutation when D ⋅ T = Ω(2ⁿ), where D and T are the number of queries to the encryption oracle E(x) and permutation oracle P respectively. At EUROCRYPT 2012, Bogdanov et al. [3] studied EM construction into an r-round iterated EM scheme, which is defined as

$E\left(x\right)=P_r\left(\cdots P_2\left(P_1\left(x\oplus K_1\right)\oplus K_2\right)\oplus K_3\cdots \oplus K_r\right)\oplus K_{r+1},$

where P₁, … , P_r are r independent permutations and K₁, … , K_r+1 are (r + 1) n-bit subkeys. This construction was proven to be secure up to 2^2n/3 queries against distinguishing attack for r ≥ 2 [3] and subsequently improved to 2^rn/(r+1) queries [4, 5].

Recently, the security analysis of symmetric cryptography in quantum setting has also become a hot issue in cryptography research [6], in addition to quantum cryptography [7–10]. There are two different models for quantum cryptanalysis against symmetric cipher based on the notions for pseudorandom function security in quantum setting, standard security and quantum security [11]. The standard security and quantum security are also denoted as Q1 model and Q2 model respectively by Kaplan et al. [12]. In Q1 model, the adversaries could only access the encryption oracle classically but process data with quantum operations. While in Q2 model, the adversaries could query the encryption oracle with quantum superpositions and process data with quantum operations.

In 2012, Kuwakado and Morri [13] proposed a quantum key-recovery attack against EM construction in Q2 model. Compared with the classical key-recovery attack, the quantum attack can attain exponential acceleration. In other words, the EM construction has been broken in Q2 model. Very recently, at EUROCRYPT 2022, Alagic et al. [14] proved a lower bound that $\approx 2^{n/3}$ queries are necessary for attacking EM construction in Q1 model. In 2014, Kaplan [15] gave the quantum meet-in-the-middle attack (QMITM attack) against iterated block ciphers in Q1 model. For two-round iterated EM (2EM) construction with two alternating subkeys and 2EM construction with independent subkeys, the attack requires the time and memory complexities of $\mathcal{O}(2^n)$ and Ω(2ⁿ) quantum queries to permutation oracle to recover all subkeys. However, the QMITM attack which reduces key-recovery to claw finding problem [16] is a general attack that may not be as effective for 2EM constructions. Therefore, we aim at investigating more efficient quantum key-recovery attacks on 2EM constructions in this paper. The constructions we focused on are 2EM construction with identical subkeys, 2EM construction with two alternating subkeys and 2EM construction with independent subkeys which we refer as

$\begin{array}{ccc}\hfill & \hfill & {\mathbf{2}\mathbf{E}\mathbf{M}}_{\mathbf{1}}:E_1\left(x\right)=P_2\left(P_1\left(x\oplus K\right)\oplus K\right)\oplus K,\hfill \\ \hfill & \hfill & {\mathbf{2}\mathbf{E}\mathbf{M}}_{\mathbf{2}}:E_2\left(x\right)=P_2\left(P_1\left(x\oplus K_1\right)\oplus K_2\right)\oplus K_1,\hfill \\ \hfill & \hfill & {\mathbf{2}\mathbf{E}\mathbf{M}}_{\mathbf{3}}:E_3\left(x\right)=P_2\left(P_1\left(x\oplus K_1\right)\oplus K_2\right)\oplus K_3.\hfill \end{array}$

At FSE 2013, Nikolić et al. [17] proposed the first nontrivial classical attack on 2EM₁ construction which requires the time complexity of 2ⁿ ln n/n with 2ⁿ ln n/n known plaintexts. Later, Dinur et al. [18] improved this attack to reduce the data complexity to 2^λn known plaintexts, where 0 < λ < 1. Meanwhile, they also presented an attack against 2EM₃ construction with the time complexity of $\mathcal{O}(2^n\sqrt{\ln n/n})$ and $2^n\sqrt{\ln n/n}$ chosen plaintexts. However, the above attacks against 2EM₁ construction are based on multi-collisions techniques, which require time and memory complexities close to 2ⁿ. In 2016, Dinur et al. [19] presented an alternative attack on 2EM₁ construction with linear algebra techniques. This attack requires a time complexity of 2ⁿ/λn and memory complexity of 2^λn, but with 2ⁿ/λn chosen plaintexts. Subsequently, Isobe et al. [20] introduced meet-in-the-middle techniques into the attack against 2EM₁ construction which requires the time and memory complexities of 2ⁿ ln n/n with 2ⁿ ln n/n chosen plaintexts. Furthermore, they also described a low data-complexity and a time-optimized variant attacks. The low data-complexity attack requires the time and memory complexities of 2ⁿ ln n/n with 2^λn chosen plaintexts. The time-optimized one requires the time complexity of 2ⁿβ/n and memory complexity of 2ⁿ/2^β with 2ⁿβ/n chosen plaintexts, where log  n ≤ β ⋘ n. More recently, Leurent et al. [21] proposed three key-recovery attacks on 2EM₁ construction which are related to the 3-XOR problem. The basic attack requires the time complexity of 2ⁿ/n and memory complexity of 2^2n/3 with 2^2n/3 known plaintexts in a balanced case. The variant attack based on 3-SUM algorithm requires the time complexity of 2ⁿ ln²n/n² and memory complexity of 2^2n/3 with 2^2n/3 known plaintexts, but it is unpractical for realistic block size. The low data-complexity attack requires the time complexity of 2ⁿ/λn and memory complexity of 2^λn with λn known plaintexts.

Besides, there are also other quantum attacks against iterated EM construction such as the quantum slide attack on iterated EM construction with identical permutations and subkeys in Q2 model [12] and the quantum related-key attack against iterated EM cipher with identical permutations and independent subkeys in Q2 model [22]. However, these quantum attacks are in Q2 model and only consider iterated EM construction with identical permutations.

Contributions. in this paper, we study quantum key-recovery attacks against 2EM constructions. The main contributions of this paper include the following two aspects.

First, we consider the security of two-round Even-Mansour constructions with independent permutations in quantum setting. Several quantum key-recovery attacks on 2EM constructions are proposed. For 2EM₁ construction, the presented quantum key-recovery attack adopts Grover algorithm [23] directly. Compared with the classical attack with optimal query complexity (including the queries to cipher and permutation), i.e., the observed by Leurent et al. [21], our attack reduces the query complexity by a factor of 2^n/6. For 2EM₂ and 2EM₃ constructions, we consider Grover-meets-Simon algorithm [24] (GMS algorithm) and Offline Simon algorithm [25] (OS algorithm) on constructed functions. The proposed quantum attacks against 2EM₂ and 2EM₃ constructions require $\tilde{\mathcal{O}}(2^{2n/3})$ and $\tilde{\mathcal{O}}(2^{n/2})$ queries in Q1 and Q2 model, where $\tilde{\mathcal{O}}$ means ignoring logarithmic factors. In the case of 2EM₂ construction, the query complexity of our attacks is less than Grover search by a factor of 2^n/3 and 2^n/2 in Q1 and Q2 model respectively. In the case of 2EM₃ construction, the query complexity of our attacks is better than Grover search by a factor of 2^5n/6 and 2ⁿ in Q1 and Q2 model. When compared with the QMITM attack against 2EM₂ and 2EM₃ constructions, the query complexity of our attacks is reduced by a factor of 2^n/3 and 2^n/2 in Q1 and Q2 model. Besides, the classical memory complexity of our attacks can attain exponential acceleration compared with the QMITM attack on 2EM₂ and 2EM₃ constructions. It is worth noting that the presented quantum attacks could break 2EM₃ construction with $\mathcal{O}(n\cdot 2^{n/2})$ queries in Q2 model, which is less than the classical indistinguishable bound for 2EM₃ construction, i.e., 2^2n/3 queries. The comparison of previous quantum attacks and our attacks on 2EM₂ and 2EM₃ constructions is shown in Table 1.

TABLE 1

TABLE 1. Comparison of previous quantum attacks and our attacks on 2EM₂ and 2EM₃ constructions, where “Data” represents encryption queries, “Queries” signifies calls to P_i, “Q-memory” and “C-memory” denote quantum memory and classical memory respectively.

Second, we apply the presented quantum attacks on 2-step LED-64, 2-step LED-128 and full AES². Then we design the quantum circuits for proposed attacks and give the corresponding resource estimation. According to the result of resource estimation, the cost imposed by the attacks based on GMS algorithm and attacks with OS algorithm in Q2 model is close. The extra overhead generated by the attacks based on GMS algorithm is mainly due to their more complex classifier oracles. Besides, the attacks based on OS algorithm in Q1 model cost more resources than corresponding attacks in Q2 model since the attacks in Q1 model require more iterations to search more bits exhaustively. Moreover, there is no doubt that the presented quantum attacks on 2-step LED-128 and AES² cost much less than the corresponding Grover attacks, except for the number of qubits.

Organization. The rest of the paper is organized as follows. In the next section, some essential preliminaries are introduced. The quantum attacks on 2EM constructions and their application to specific ciphers are presented in Sect. 3. In Sect. 4, we give the quantum resource estimation of the proposed quantum attacks on corresponding ciphers. Finally, a short conclusion is given in Sect. 5.

2 Preliminaries

In this section, some relevant preliminaries are given.

2.1 Quantum algorithms

2.1.1 Grover algorithm

Problem 1. (Grover [23]). Assume that there exists only one marked item x′ in the N-scale unstructured datasets, the goal is to find x′, where N = 2ⁿ. In other words, let f: {0,1}ⁿ → {0, 1} be a function such that f(x) = 0 for all 0 ≤ x < 2ⁿ except x′, for which f(x′) = 1, find x′.To solve this problem, any deterministic classical algorithms need to make $\mathcal{O}(2^n)$ queries to f(x). However, Grover algorithm can solve this problem with a probability close to 1 by performing Grover iteration about $\frac{\pi }{4}\sqrt{2^n}$ times. Therefore, the query complexity of Grover algorithm is $\mathcal{O}(\sqrt{2^n})$, which is a square speed-up compared to the classical counterpart. Furthermore, the generalization of Grover algorithm (i.e., Quantum Amplitude Amplification, QAA) is given in the following theorem.

Theorem 1. (Brassard et al. [26]). Let $\mathcal{A}$ be any quantum algorithm performed on q qubits without measurement. Let $\mathcal{B}:{\mathbb{F}}_2^q\to \{\mathrm{0,1}\}$ be a function that classifies the outcomes of $\mathcal{A}$ as good or bad and p > 0 be the initial success probability that a measurement of $\mathcal{A}|0\rangle$ is good. Set $k=\lceil \frac{\pi }{4\theta }\rceil$, where θ is defined as sin²(θ) = p. Besides, define the unitary operator $Q=-\mathcal{A}{S}_0{\mathcal{A}}^{-1}{S}_{\mathcal{B}}$, where $S_{\mathcal{B}}$ changes the sign of the good state

$|x\rangle =\left\{\begin{array}{cc}-|x\rangle ,\hfill & \mathrm{i}\mathrm{f}\mathcal{B}\left(x\right)=1\hfill \\ |x\rangle ,\hfill & \mathrm{i}\mathrm{f}\mathcal{B}\left(x\right)=0\hfill \end{array}\right.,$

while S₀ changes the sign of zero state |0⟩ only. Finally, the measurement after the operation of $Q^k\mathcal{A}|0\rangle$ will obtain the good state with probability at least max{1 − p, p}.

ALGORITHM 1

Algorithm 1. Grover algorithm [23]

2.1.2 Simon algorithm

Problem 2. (Simon [27]). Let f: {0,1}ⁿ → {0,1}ⁿ be a function. Promise that there exists s ∈ {0,1}ⁿ such that for any (x, y) ∈ {0,1}ⁿ, $\left[f(x)=f(y)\right]\iff \left[x\oplus y\in \{0^n,s\}\right]$ is satisfied. The goal is to find the period s.By performing Simon algorithm, one can obtain a random vector y such that y ⋅ s = 0. Therefore, (n − 1) independent vectors orthogonal to period s can be obtained by repeating Simon algorithm for $\mathcal{O}(n)$ times. Then one can recover the period s with linear algebra classically. Thus, the query complexity of Simon algorithm is $\mathcal{O}(n)$.According to EM construction, Kuwakado and Morri [13] introduce the function f(x) = E(x) ⊕ P(x) = P (x ⊕ K₁) ⊕ K₂ ⊕ P(x). It is obvious that f(x) = f (x ⊕ K₁) and the period s is K₁. Hence, they can recover the subkey K₁ with Simon algorithm and then obtain the value of K₂ easily.

2.1.3 Grover-meets-simon algorithm

Problem 3. (Leander et al. [24]). Let f: {0,1}^m ×{0,1}ⁿ → {0,1}ⁱ be a function, where m is in $\mathcal{O}(n)$. There exists a unique i₀ ∈ {0,1}^m such that for any x ∈ {0,1}ⁿ, f(i₀, x) = f(i₀, x ⊕ s) is satisfied, where s ∈ {0,1}ⁿ. The goal is to find the unique i₀ and the period s.The problem can be solved by GMS algorithm which requires the query complexity of $\mathcal{O}(n\cdot 2^{m/2})$ and time complexity of $\mathcal{O}(n^3\cdot 2^{m/2})$.At Asiacrypt 2017, Leander and May [24] proposed GMS algorithm to attack the FX construction [28] that $Enc(x)=E_{K_0}(x\oplus K_1)\oplus K_2$. They consider the function $f(k,x)=Enc(x)\oplus E_k(x)=E_{K_0}(x\oplus K_1)\oplus K_2\oplus E_k(x)$. Obviously, the function f (k, x) is periodic with period K₁ for all x when k = K₀. Otherwise f (k, x) is not periodic. In such a case, they design the following GMS algorithm to recover all subkeys of FX construction.

2.1.4 Offline Simon algorithm

Problem 4. (Bonnetain et al. [25]). Let f: {0,1}^m ×{0,1}ⁿ → {0,1}^l and g: {0,1}ⁿ → {0,1}^l be functions, where m is in $\mathcal{O}(n)$. There exists a unique i₀ ∈ {0,1}^m such that for any x ∈ {0,1}ⁿ, f(i₀, x) ⊕ g(x) = f(i₀, x ⊕ s) ⊕ g(x ⊕ s) is satisfied, where s ∈ {0,1}ⁿ. The goal is to find the unique i₀ and the period s.

ALGORITHM 2

Algorithm 2. Simon algorithm [27]

To solve this problem, we can adopt OS algorithm. The OS algorithm requires $\mathcal{O}(n)$ quantum queries to g, $\mathcal{O}(n\cdot 2^{m/2})$ quantum queries to f and the time complexity of $\mathcal{O}(n^3\cdot 2^{m/2})$.Furthermore, we can also solve this problem with OS algorithm in Q1 model if the function g can be only queried classically. Concretely, it is similar to executing OS algorithm in Q2 model except that the quantum state |ψ_g⟩ in steps 2 and 6 now should be prepared by querying the whole codebook of g. Hence, it requires $\mathcal{O}(2^n)$ classical queries to g, $\mathcal{O}(n\cdot 2^{m/2})$ quantum queries to f and the time complexity of $\mathcal{O}(n^3\cdot 2^{m/2})$.

2.2 Target ciphers

Next, we introduce three ciphers that belong to 2EM₁, 2EM₂ and 2EM₃ constructions respectively.

2.2.1 LED

At CHES 2011, Guo et al. [29] proposed a 64-bit resource-constrained block cipher named LED. The step function F_i of LED is a 4-round AES-like permutation where the addition of the subkeys is replaced with addition of constants. There are two primary variants of LED.LED − 64 uses a 64-bit key in each step as a subkey and the number of steps is 8. It is clear that 2-step LED-64 belongs to 2EM₁ construction.LED − 128 divides a 128-bit key into K₁‖K₂ as the subkeys alternatively and the number of steps is 12. Obviously, 2-step LED-128 belongs to 2EM₂ construction.

ALGORITHM 3

Algorithm 3. Grover-meets-Simon algorithm [24]

2.2.2 AES²

AES² is a 128-bit cipher designed by Bogdanov et al. [3] at EUROCRYPT 2012. It belongs to 2EM₃ construction, where each of the public permutations P₁ and P₂ is based on an invocation of full AES-128 with a pre-fix and publicly known key. The subkeys are composed of three independently chosen 128-bit secret subkeys K₁, K₂ and K₃.

3 Quantum attacks

In this section, several quantum key-recovery attacks on 2EM₁, 2EM₂ and 2EM₃ constructions and the corresponding applications are given.

3.1 Quantum key-recovery Attack on 2EM₁ construction

Based on 2EM₁ construction, the function E₁(x) = P₂ (P₁(x ⊕ K) ⊕ K) ⊕ K is obtained. In such a case, we adopt Grover algorithm on this function directly. Therefore, the query complexity and time complexity of this attack are both $\mathcal{O}(2^{n/2})$ .

ALGORITHM 4

Algorithm 4. Offline Simon algorithm [25]

3.1.1 The Application to 2-step LED-64

We can attack 2-step LED-64 by applying Grover algorithm on E(x) = F₂(F₁(x ⊕ K) ⊕ K) ⊕ K directly, where the block size is 64. Thus, the attack requires the query and time complexities of 2³². The comparison of attacks against 2-step LED-64 is summarized in Table 2.

TABLE 2

TABLE 2. Comparison of attacks against 2-step LED-64. Assume that one evaluation of the cipher as one complexity unit and the evaluation of one permutation costs 1/2 unit.

3.2 Quantum key-recovery Attacks on 2EM₂ and 2EM₃ constructions

For 2EM₂ construction, we consider the function

$\begin{array}{ccc}\hfill f\left(i,x\right)& \hfill & =E_2\left(x\right)\oplus P_2\left(P_1\left(x\right)\oplus i\right)\hfill \\ \hfill & \hfill & =P_2\left(P_1\left(x\oplus K_1\right)\oplus K_2\right)\oplus K_1\oplus P_2\left(P_1\left(x\right)\oplus i\right).\hfill \end{array}$

It is easily seen that f (i, x) has the period K₁ when i = K₂ since

$\begin{array}{ccc}\hfill f\left(K_2,x\oplus K_1\right)& \hfill & =P_2\left(P_1\left(x\oplus K_1\oplus K_1\right)\oplus K_2\right)\oplus K_1\oplus P_2\left(P_1\left(x\oplus K_1\right)\oplus K_2\right)\hfill \\ \hfill & \hfill & =P_2\left(P_1\left(x\right)\oplus K_2\right)\oplus K_1\oplus P_2\left(P_1\left(x\oplus K_1\right)\oplus K_2\right)\hfill \\ \hfill & \hfill & =f\left(K_2,x\right).\hfill \end{array}$

Therefore, we can employ GMS algorithm on f (i, x) to recover K₁ and K₂ which requires the query complexity of $\mathcal{O}(n\cdot 2^{n/2})$ and time complexity of $\mathcal{O}(n^3\cdot 2^{n/2})$.

Furthermore, the recovery of subkeys K₁ and K₂ can also be reduced to Problem 4 by defining functions f: {0,1}ⁿ ×{0,1}ⁿ → {0,1}ⁿ and g: {0,1}ⁿ → {0,1}ⁿ as

$\begin{array}{ccc}\hfill & \hfill & f\left(i,x\right)=P_2\left(P_1\left(x\right)\oplus i\right),\hfill \\ \hfill & \hfill & g\left(x\right)=E_2\left(x\right).\hfill \end{array}$

Similarly, we can obtain that

$f\left(K_2,x\oplus K_1\right)\oplus g\left(x\oplus K_1\right)=f\left(K_2,x\right)\oplus g\left(x\right)$

when i = K₂. Then we can recover all subkeys with OS algorithm. In such a case, the quantum attack requires $\mathcal{O}(n)$ queries to g(x), $\mathcal{O}(n\cdot 2^{n/2})$ queries to f (i, x) and the time complexity of $\mathcal{O}(n^3\cdot 2^{n/2})$.

On the other hand, we can also solve this problem with OS algorithm in Q1 model if the cryptographic function E₂(x) can be accessed only classically. Now the functions f: {0,1}^n+(n−u) ×{0,1}^u → {0,1}ⁿ (0 ≤ u ≤ n) and g: {0,1}^u → {0,1}ⁿ are defined as

$\begin{array}{ccc}\hfill & \hfill & f\left(i\Vert j,x\right)=P_2\left(P_1\left(x\Vert j\right)\oplus i\right)\left(j\in {\left\{\mathrm{0,1}\right\}}^{n-u}\right),\hfill \\ \hfill & \hfill & g\left(x\right)=E_2\left(x\Vert 0^{n-u}\right).\hfill \end{array}$

obviously, $f(K_2\Vert K_1^2,x)\oplus g(x)$ has the period $K_1^1$ when $i\Vert j=\left(K_2\Vert K_1^2,x\oplus K_1^1\right)\oplus g\left(x\oplus K_1^1\right)K_2\Vert K_1^2$ since

$\begin{array}{ccc}\hfill & \hfill & f\left(K_2\Vert K_1^2,x\oplus K_1^1\right)\oplus g\left(x\oplus K_1^1\right)\hfill \\ \hfill & \hfill & =P_2\left(P_1\left(\left(x\oplus K_1^1\right)\Vert K_1^2\right)\oplus K_2\right)\oplus P_2\left(P_1\left(\left(x\oplus K_1^1\Vert 0^{n-u}\right)\oplus K_1\right)\oplus K_2\right)\oplus K_1\hfill \\ \hfill & \hfill & =P_2\left(P_1\left(\left(x\Vert 0^{n-u}\right)\oplus K_1\right)\oplus K_2\right)\oplus P_2\left(P_1\left(x\Vert K_1^2\right)\oplus K_2\right)\oplus K_1\hfill \\ \hfill & \hfill & =f\left(K_2\Vert K_1^2,x\right)\oplus g\left(x\right),\hfill \end{array}$

where the subkey $K_1=K_1^1\Vert K_1^2$ and $|K_1^1|=u$, $|K_1^2|=n-u$. Therefore, we can apply OS algorithm on above functions in Q1 model to recover subkeys K₁ and K₂. Then, the attack requires $\mathcal{O}(2^u)$ classical queries to g(x), $\mathcal{O}(n\cdot 2^{(2n-u)/2})$ quantum queries to f (i‖j, x) and the time complexity of $\mathcal{O}(n^3\cdot 2^{(2n-u)/2})$. Specially, the number of classical queries to g(x) and quantum queries to f (i‖j, x) are balanced when $u=\frac{2n}{3}$.

The quantum key-recovery attack against 2EM₃ construction is similar to the case of 2EM₂ construction, except that the functions we considered here are

$\left\{\begin{array}{cc}f\left(i,x\right)=E_3\left(x\right)\oplus P_2\left(P_1\left(x\right)\oplus i\right),\hfill & \mathbf{P}\mathbf{r}\mathbf{o}\mathbf{b}\mathbf{l}\mathbf{e}\mathbf{m}\mathbf{3}\hfill \\ f\left(i,x\right)=P_2\left(P_1\left(x\right)\oplus i\right),g\left(x\right)=E_3\left(x\right),\hfill & \mathbf{P}\mathbf{r}\mathbf{o}\mathbf{b}\mathbf{l}\mathbf{e}\mathbf{m}\mathbf{4}\mathbf{i}\mathbf{n}\mathbf{Q}\mathbf{2}\mathbf{m}\mathbf{o}\mathbf{d}\mathbf{e}\mathbf{l}\hfill \\ f\left(i\Vert j,x\right)=P_2\left(P_1\left(x\Vert j\right)\oplus i\right),g\left(x\right)=E_3\left(x\Vert 0^{n-u}\right),\hfill & \mathbf{P}\mathbf{r}\mathbf{o}\mathbf{b}\mathbf{l}\mathbf{e}\mathbf{m}\mathbf{4}\mathbf{i}\mathbf{n}\mathbf{Q}\mathbf{1}\mathbf{m}\mathbf{o}\mathbf{d}\mathbf{e}\mathbf{l}\hfill \end{array}\right..$

Finally, we can easily obtain the value of K₃ with additional encryption after recovering subkeys K₁ and K₂. Hence, the query and time complexities of the quantum attacks on 2EM₃ construction are the same as the case of 2EM₂ construction.

3.2.1 The applications to 2-step LED-128 and AES₂

According to the structure of 2-step LED-128, we can obtain the cryptographic function

$E\left(x\right)=F_2\left(F_1\left(x\oplus K_1\right)\oplus K_2\right)\oplus K_1,$

where |K₁| = |K₂| = 64. In order to attack 2-step LED-128, we consider the function

$f\left(i,x\right)=E\left(x\right)\oplus F_2\left(F_1\left(x\right)\oplus i\right)=F_2\left(F_1\left(x\oplus K_1\right)\oplus K_2\right)\oplus K_1\oplus F_2\left(F_1\left(x\right)\oplus i\right)$

in Problem 3. Now, we can adopt GMS algorithm on f (i, x) directly. Hence, this attack requires the query complexity of 2³⁹ and time complexity of 2⁵⁰.

Furthermore, we can also utilize OS algorithm to recover K₁ and K₂ of 2-step LED-128. First, we define the functions

$\begin{array}{ccc}\hfill & \hfill & f\left(i,x\right)=F_2\left(F_1\left(x\right)\oplus i\right),\hfill \\ \hfill & \hfill & g\left(x\right)=E\left(x\right).\hfill \end{array}$

Then the subkeys can be recovered with OS algorithm on f (i, x) and g(x). The quantum attack requires 2⁶ quantum queries to E(x), 2³⁸ quantum queries to f (i, x) and time complexity of 2⁵⁰. On the other hand, we can also consider functions

$\begin{array}{ccc}\hfill & \hfill & f\left(i\Vert j,x\right)=F_2\left(F_1\left(x\Vert j\right)\oplus i\right),\hfill \\ \hfill & \hfill & g\left(x\right)=E\left(x\Vert 0^{n-u}\right)\hfill \end{array}$

and apply OS algorithm on f (i‖j, x) and g(x) in Q1 model when E(x) can be queried only classically. In such a case, the quantum attack requires 2⁴⁷ classical queries to E(x), 2^46.5 quantum queries to f (i‖j, x) and time complexity of 2^58.5 when u = 47. The comparison of quantum attacks against 2-step LED-128 is summarized in Table 3.

TABLE 3

TABLE 3. Comparison of quantum attacks against 2-step LED-128.

In order to attack AES₂, we need to construct functions in the case of 2EM₃ construction described in Section 3.2 with block size 128. Thus, the subkeys of AES² can be recovered by GMS algorithm with the query complexity of 2⁷² and time complexity of 2⁸⁵. Furthermore, we can also attack AES² with OS algorithm in Q1 and Q2 model respectively. In Q1 model, the attack requires 2⁹⁰ classical queries to E(x), 2⁹⁰ quantum queries to f (i‖j, x) and the time complexity of 2¹⁰⁴ when u = 90. In Q2 model, the attack requires 2⁷ quantum queries to E(x), 2⁷¹ queries to f (i, x) and the time complexity of 2⁸⁵. The comparison of attacks against AES² is summarized in Table 4.

TABLE 4

TABLE 4. Comparison of attacks against AES².

Tables 3 and 4 show that the quantum attacks we proposed in Q1 and Q2 models are more efficient than existing classical and quantum attacks in time complexity and query complexity when we consider queries of cryptographic function and public permutations, except that more qubits are needed.

4 Resource estimation

We first give some quantum gates that are used in quantum implementations of classical circuits in Figure 1. Note that the last qubit is target qubit and other qubits are control qubits in CNOT and Toffoli gates.

FIGURE 1

FIGURE 1. Quantum gates of (A) NOT gate, (B) CNOT gate and (C) Toffoli gate.

4.1 Resource estimation of target ciphers

Next, we give the quantum resource estimation of 2-step LED-64, 2-step LED-128 and AES² respectively.

4.1.1 Resource estimation of 2-step LED-64 and 2-step LED-128

The internal state of LED contains 64 bits, arranged in 16 nibbles. Each nibble represents an element from GF(2⁴) with the underlying polynomial for field multiplication given by X⁴ + X + 1. The step function F_i of LED cipher is a 4-round AES-like permutation. Each of these four rounds consists of operations AddConstants, SubCells, ShiftRows and MixColumnsSerial.

AddConstants. The operation consists of XOR-ing of a 32-bit round constant to the internal state of LED. Thus, it can be realized by using 32 NOT gates in quantum circuit.

SubCells. LED cipher uses a 4-bit to 4-bit S-box of PRESENT [30], which is applied in parallel 16 times to the internal state of LED. According to Algorithm 3 of Ref. [31], the quantum circuit of the S-box is redesigned in Figure 2, which requires Toffoli depth 19, 19 Toffoli gates, 5 CNOT gates, 2 NOT gates and 5 qubits. Therefore, we can obtain the resource estimation of SubCells by multiplying the resources of the S-box by 16, except for the Toffoli depth since that these 16 S-boxes are applied in parallel.

FIGURE 2

FIGURE 2. Quantum circuit of S-box used in SubCells: |a⟩|0⟩ → |S(a)⟩|0⟩, where |a₃⟩ is the most significant qubit.

ShiftRows. After the operation ShiftRows, the internal state is changed into a special permutation. Hence, we do not have to perform any operation for the quantum circuit of ShiftRows since it corresponds to a permutation of qubits. In this case, we only need to adjust the position of subsequent operations to ensure that the correct input wire is used.

MixColumnsSerial. The MixColumnsSerial performs four applications of matrix A, which is equivalent to matrix M:

${\left(A\right)}^4={\left(\begin{array}{cccc}\hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill \\ \hfill 4\hfill & \hfill 1\hfill & \hfill 2\hfill & \hfill 2\hfill \end{array}\right)}^4=\left(\begin{array}{cccc}\hfill 4\hfill & \hfill 1\hfill & \hfill 2\hfill & \hfill 2\hfill \\ \hfill 8\hfill & \hfill 6\hfill & \hfill 5\hfill & \hfill 6\hfill \\ \hfill B\hfill & \hfill E\hfill & \hfill A\hfill & \hfill 9\hfill \\ \hfill 2\hfill & \hfill 2\hfill & \hfill F\hfill & \hfill B\hfill \end{array}\right)=M.$

The first scheme of implementing MixColumnsSerial is to realize matrix A. In order to design the quantum circuit of matrix A, the quantum circuit of operations 2 and 4 in A should be considered first. It is easy to obtain that 2 ⋅ (a₃, a₂, a₁, a₀) = (a₂, a₁, a₃ ⊕ a₀, a₃) and 4 ⋅ (a₃, a₂, a₁, a₀) = (a₁, a₃ ⊕ a₀, a₃ ⊕ a₂, a₂). Hence, the implementation of operations 2 and 4 cost 1 and 2 CNOT gates respectively. Now, we can design the quantum circuit of matrix A based on operations 2 and 4 in Figure 3.

FIGURE 3

FIGURE 3. Quantum circuit of matrix A, where U₂ and U₄ are quantum circuits of operations 2 and 4 respectively. $U_2^{†}$ represents the inverse quantum circuit of U₂. Each m_j and t_j contains four qubits, where j = 0, 1, … , 15.

According to Figure 3, we can derive that the quantum circuit of matrix A requires (2 + 4 + 6 + 6) × 4 = 72 CNOT gates. Thus, the resource estimation for operation MixColumnsSerial is 72 × 4 = 288 CNOT gates.

The second scheme is to consider the matrix M directly. From SageMath [32], we can obtain the PLU decomposition

$M=\left(\begin{array}{cccc}\hfill 4\hfill & \hfill 1\hfill & \hfill 2\hfill & \hfill 2\hfill \\ \hfill 8\hfill & \hfill 6\hfill & \hfill 5\hfill & \hfill 6\hfill \\ \hfill B\hfill & \hfill E\hfill & \hfill A\hfill & \hfill 9\hfill \\ \hfill 2\hfill & \hfill 2\hfill & \hfill F\hfill & \hfill B\hfill \end{array}\right)=\left(\begin{array}{cccc}\hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill \end{array}\right)\cdot \left(\begin{array}{cccc}\hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 2\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 6\hfill & \hfill 2\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 9\hfill & \hfill 6\hfill & \hfill 2\hfill & \hfill 1\hfill \end{array}\right)\cdot \left(\begin{array}{cccc}\hfill 4\hfill & \hfill 1\hfill & \hfill 2\hfill & \hfill 2\hfill \\ \hfill 0\hfill & \hfill 4\hfill & \hfill 1\hfill & \hfill 2\hfill \\ \hfill 0\hfill & \hfill 0\hfill & \hfill 4\hfill & \hfill 1\hfill \\ \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 4\hfill \end{array}\right).$

Similarly, we can easily obtain that 6 ⋅ (a₃, a₂, a₁, a₀) = (a₂ ⊕ a₁, a₃ ⊕ a₁ ⊕ a₀, a₂ ⊕ a₀, a₃ ⊕ a₂) and 9 ⋅ (a₃, a₂, a₁, a₀) = (a₀, a₃, a₂, a₁ ⊕ a₀), which can be achieved with 5 and 1 CNOT gates respectively. Then, we can know that the matrix L and U require 4×([(1 + 4 + 1) + (5 + 4 + 5) + (1 + 4 + 1)] + [(5 + 4 + 5) + (1 + 4 + 1)] + (1 + 4 + 1)) = 208 and 4 × ([2 + 4 + (1 + 4 + 1) + (1 + 4 + 1)] + [2 + 4 + (1 + 4 + 1)] + (2 + 4) + 2) = 152 CNOT gates respectively. Therefore, the resource estimation for operation MixColumnsSerial is 208 + 152 = 360 CNOT gates in second scheme. Comparing these two schemes, we adopt first one to implement the operation MixColumnsSerial since it requires fewer CNOT gates.

Taking all these into consideration, we can derive that the resource estimation of one round AES-like permutation costs Toffoli depth 19, 304 Toffoli gates, 368 CNOT gates, 64 NOT gates and 80 qubits. Then the quantum circuits of 2-step LED-64 and 2-step LED-128 are presented in Figure 4. In such a case, the quantum circuit of 2-step LED-64 requires Toffoli depth 152, 2432 Toffoli gates, 3136 CNOT gates, 512 NOT gates and 144 qubits. The quantum circuit of 2-step LED-128 costs Toffoli depth 152, 2432 Toffoli gates, 3136 CNOT gates, 512 NOT gates and 208 qubits.

FIGURE 4

FIGURE 4. Quantum circuit of (A) 2-step LED-64 and (B) 2-step LED-128, here ancilla qubits are not represented.

4.1.2 Resource estimation of AES²

The construction of AES² is defined by fixing two randomly chosen 128-bit AES-128 keys, which specify the permutations P₁ and P₂. The subkeys are comprised of three independently chosen 128-bit secret keys K₁, K₂ and K₃. Let AES[K] denotes the whole AES-128 encryption with the 128-bit key K. Hence, the encryption of AES² is defined as

${\mathrm{A}\mathrm{E}\mathrm{S}}^2\left(x\right)=\mathrm{A}\mathrm{E}\mathrm{S}\left[{\pi }_2\right]\left(\mathrm{A}\mathrm{E}\mathrm{S}\left[{\pi }_1\right]\left(x\oplus K_1\right)\oplus K_2\right)\oplus K_3,$

where two 128-bit keys π₁ and π₂ are defined based on the first 256 bits of the binary digit expansion of π. Recently, the implementation of AES quantum circuit received more and more attention [33–35]. Based on the fewer qubits principle, we take the quantum circuit of AES-128 from Ref. [35] for quntum circuit design of AES². As shown in Figure 5A, this quantum circuit costs Toffoli depth 11008, 16508 Toffoli gates, 81652 CNOT gates, 1072 NOT gates and 270 qubits. In Ref. [35], the XOR of a 128-bit plaintext in first round of AES-128 is considered as XOR-ing of a 128-bit constant, which is achieved by performing 128 NOT gates on the key of AES-128 first and then canceled by 128 NOT gates again. However, the 128-bit plaintext is a quantum superposition in our proposed quantum attacks. Hence, we need to adopt 128 × 2 CNOT gates instead of 128 × 2 NOT gates here. Therefore, the quantum circuit of AES-128 used in the quantum circuit design of AES² requires Toffoli depth 11008, 16508 Toffoli gates, 81908 CNOT gates, 816 NOT gates and 270 qubits. In such a case, we can easily design the quantum circuit of AES² in Figure 5B and obtain the resource estimation of AES² with Toffoli depth 22016, 33016 Toffoli gates, 164328 CNOT gates, 1632 NOT gates and 1038 qubits. Note that the ancilla qubits involved in first AES quantum circuit can be reused in second AES quantum circuit.

FIGURE 5

FIGURE 5. Quantum circuit of (A) AES, where the box of AES means the quantum circuit of AES-128 in Ref. [35], K′ is the subkey of the 10th round in AES and c is the ciphertext; (B) AES², where the vertical line above the AES box indicates that 128 × 2 CNOT gates are performed instead of 128 × 2 NOT gates in the quantum circuit of AES-128. The ancilla qubits and unused outputs are not represented.

4.2 Resource estimation of Grover algorithm on 2-step LED-64

In order to adopt Grover algorithm on 2-step LED-64, we need to design the Grover oracle for 2-step LED-64 first. When designing the Grover oracle, the number of plaintext-ciphertext pairs required to recover the correct key uniquely should be considered. At EUROCRYPT 2020, Jaques et al. [34] stated that when the number of required plaintext-ciphertext pairs $\nu \ge ⌈\frac{m}{n}⌉$, the probability of uniquely recovering the correct key is about $e^{-2^{m-\nu n}}$, where n and m are block size and key size for a block cipher respectively.

Hence, the number of required plaintext-ciphertext pairs for 2-step LED-64 should be ν ≥ 1 since m = n = 64. Then the probability of finding a unique key is around 0.37 for ν = 1. For ν = 2, the probability is about 0.99. Thus, we consider the case of ν = 2 when designing the Grover oracle for 2-step LED-64. Therefore, the quantum circuit of the Grover oracle for 2-step LED-64 is illustrated in Figure 6, which requires Toffoli depth 317, 9981 Toffoli gates, 12672 CNOT gates, 2304 NOT gates and 383 qubits. In the quantum circuit of Grover oracle for 2-step LED-64, each comparison of n-bit known ciphertext and n-qubit output of 2-step LED-64 oracle requires Toffoli depth $2⌈{\log }_{2}n⌉$, 2 (n − 1) Toffoli gates, 2n NOT gates and (n − 1) ancilla qubits.

FIGURE 6

FIGURE 6. Grover oracle for 2-step LED-64.

In the process of Grover algorithm, $⌊\frac{\pi }{4}{2}^{m/2}⌋$ iterations of Grover operator are performed. While estimating the resources, we only consider the cost incurred by Grover oracle. Since compared with the cost incurred by Grover oracle, the cost imposed by other operations in Grover operator is relatively small in terms of magnitude and can be ignored. In such a case, the resources of Grover oracle for 2-step LED-64 are multiplied by $⌊\frac{\pi }{4}{2}^{m/2}⌋$ for estimating the resources of Grover algorithm on 2-step LED-64, which costs Toffoli depth 2^40.0, 2^44.9 Toffoli gates, 2^45.3 CNOT gates, 2^42.8 NOT gates and 2^8.6 qubits. Note that the width is still the same as in Grover oracle since we assume that no parallelization is involved.

4.3 Resource estimation of proposed quantum attacks on 2-step LED-128 and AES²

The resource estimation of proposed quantum attacks on 2-step LED-128 and AES² can be considered in a similar way as Grover algorithm since that Grover algorithm, GMS algorithm and OS algorithm all need to perform an iterative operator. Thus, we should consider the resource estimation of iterative oracle for target ciphers first. Here, the resource estimation of constructed functions for target ciphers in proposed quantum attacks is given in Table 5 and the corresponding quantum circuits see Supplementary A.

TABLE 5

TABLE 5. Resource estimation for constructed functions of target ciphers, where #Toffoli/CNOT/NOT represents the number of Toffoli gates, CNOT gates and NOT gates respectively.

Now, the quantum circuits of iterative oracle for GMS algorithm and OS algorithm are designed in Figure 7 and Figure 8 respectively.

FIGURE 7

FIGURE 7. Iterative oracle for GMS algorithm, the quantum circuit for classifier β is given in Supplementary Figure S5 of Supplementary B.

FIGURE 8

FIGURE 8. Iterative oracle for OS algorithm, the quantum circuit for classifier is provided in Supplementary Figure S6 of Supplementary B.

In Figure 7, the classifier β for GMS algorithm contains Test 1 and Test 2 (see also Supplementary Figure S5 of Supplementary B). When both two test conditions are satisfied, the phase of target qubit will be flipped. Test 1 of classifier β. The Test 1 of classifier β includes the checking of dim (⟨u₁, … , u_ℓ⟩) and the calculation of candidate period s′. The first phase includes the computation of triangular basis and the rank checking of triangular basis. Based on Algorithm 4 of Ref. [36], we can obtain that the computation of triangular basis requires Toffoli depth $\ell (4+⌈{\log }_{2}n⌉)+{\sum }_{i=2}^n(4+⌈{\log }_2(n-i+1)⌉)$, ℓn² + ℓn Toffoli gates and ℓ + n (n + 1)/2 + n (n − 1) ancilla qubits, where the value of ℓ is $2(n+\sqrt{n})$ [24]. For the rank checking of triangular basis, it requires Toffoli depth $2⌈{\log }_{2}n⌉$, 2 (n − 1) Toffoli gates, 2n NOT gates and (n − 1) ancilla qubits. The second phase is the calculation of the candidate period. Bonnetain et al. [36] showed that the realizing of computing orthogonal vectors (i.e., Algorithm 5 in Ref. [36]) costs Toffoli depth n(n − 1), n(n − 1) Toffoli gates, n CNOT gates and n ancilla qubits. However, there is a mistake that the Toffoli depth and Toffoli gates should be n (n − 1)/2. Thus, we can obtain that the resource estimation for Test 1 of classifier β requires Toffoli depth $\ell (4+⌈{\log }_{2}n⌉)+{\sum }_{i=2}^n(4+⌈{\log }_2(n-i+1)⌉)+2⌈{\log }_{2}n⌉+n(n-1)/2$, ℓn² + ℓn + 2 (n − 1) + n (n − 1)/2 Toffoli gates, n CNOT gates, 2n NOT gates and ℓ + n (n + 1)/2 + n (n − 1) + n ancilla qubits by combining all these terms. Note that there are (n − 1) ancilla qubits missing since the ancilla qubits in the process of rank checking can be reused in the computation of orthogonal vectors. In this case, we only need max{n − 1, n} ancilla qubits in these two processes. Test 2 of classifier β. The quantum circuit of Test 2 of classifier β for 2-step LED-128 is given in Supplementary Figure S7 of Supplementary B, which costs

$\left\{\begin{array}{c}\mathrm{T}\mathrm{o}\mathrm{ff}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{d}\mathrm{e}\mathrm{p}\mathrm{t}\mathrm{h}147\times \left(76\times 4+2{\log }_{2}64+49\right)+5=53660\hfill \\ 147\times \left[1216\times 8+2\times \left(64-1\right)+49\right]+13=1455754\hfill & \mathrm{T}\mathrm{o}\mathrm{ff}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 147\times \left(1472\times 8+64\times 10+1\right)=1825299\hfill & \mathrm{C}\mathrm{N}\mathrm{O}\mathrm{T}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 147\times \left(256\times 8+64\times 2\right)+8=319880\hfill & \mathrm{N}\mathrm{O}\mathrm{T}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 64\times 2+63+6+8+1=206\hfill & \mathrm{q}\mathrm{u}\mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}\hfill \end{array}\right.,$

since $t=\mathrm{1,2},\dots ,147(\mathrm{i.e.,}\frac{3n+n\ell }{n})$ [24] in Supplementary Figure S7. Here |i⟩ and the candidate period |s′⟩ are not included in the qubits. The quantum circuit of Test 2 of classifier β for AES² is provided in Supplementary Figure S8 of Supplementary B, which requires

$\left\{\begin{array}{c}\mathrm{T}\mathrm{o}\mathrm{ff}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{d}\mathrm{e}\mathrm{p}\mathrm{t}\mathrm{h}282\times \left(11008\times 4+2{\log }_{2}128+64\right)+7=12439027\hfill \\ 282\times \left[16508\times 8+2\times \left(128-1\right)+64\right]+15=37331739\hfill & \mathrm{T}\mathrm{o}\mathrm{ff}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 282\times \left(81908\times 8+128\times 10+1\right)=185145690\hfill & \mathrm{C}\mathrm{N}\mathrm{O}\mathrm{T}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 282\times \left(816\times 8+128\times 2\right)+10=1913098\hfill & \mathrm{N}\mathrm{O}\mathrm{T}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 128\times 10+127+9+7+1=1424\hfill & \mathrm{q}\mathrm{u}\mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}\hfill \end{array}\right.,$

where t = 1, 2, … , 282 in Supplementary Figure S8. Here |i⟩ and |s′⟩ are not included in the qubits.

Hence, the classifier β for 2-step LED-128 costs

$\left\{\begin{array}{c}\mathrm{T}\mathrm{o}\mathrm{ff}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{d}\mathrm{e}\mathrm{p}\mathrm{t}\mathrm{h}2\times \left(2007+6+2016\right)+53660+1=61719\hfill \\ 2\times \left(599040+63+2016\right)+1455754+1=2657993\hfill & \mathrm{T}\mathrm{o}\mathrm{ff}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 2\times 64+1825299+1=1825428\hfill & \mathrm{C}\mathrm{N}\mathrm{O}\mathrm{T}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 2\times 64+319880=320008\hfill & \mathrm{N}\mathrm{O}\mathrm{T}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 6256+64+206+1+1=6528\hfill & \mathrm{q}\mathrm{u}\mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}\hfill \end{array}\right.,$

where |u₁⟩, |u₂⟩, ⋯ , |u_ℓ⟩ and |i⟩ are not included in the qubits. The classifier β for AES² costs

$\left\{\begin{array}{c}\mathrm{T}\mathrm{o}\mathrm{ff}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{d}\mathrm{e}\mathrm{p}\mathrm{t}\mathrm{h}2\times \left(4339+7+8128\right)+12439027+1=12463976\hfill \\ 2\times \left(4606848+127+8128\right)+37331739+1=46561946\hfill & \mathrm{T}\mathrm{o}\mathrm{ff}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 2\times 128+185145690+1=185145947\hfill & \mathrm{C}\mathrm{N}\mathrm{O}\mathrm{T}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 2\times 128+1913098=1913354\hfill & \mathrm{N}\mathrm{O}\mathrm{T}\mathrm{g}\mathrm{a}\mathrm{t}\mathrm{e}\mathrm{s}\hfill \\ 24791+128+1424+1+1=26345\hfill & \mathrm{q}\mathrm{u}\mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}\hfill \end{array}\right..$

Altogether, the resource estimation for iterative oracle of GMS algorithm is summarized in Table 6.

TABLE 6

TABLE 6. Resource estimation for iterative oracle of GMS algorithm and OS algorithm, where Clifford gate denotes the CNOT gate and Hadamard gate.

In Supplementary Figure S6 of Supplementary B, the classifier oracle of OS algorithm consists of the computation of triangular basis and rank checking. Therefore, the classifier oracle costs Toffoli depth $2*[cn*(4+⌈{\log }_{2}n⌉)+{\sum }_{i=2}^n(4+⌈{\log }_2(n-i+1)⌉)+⌈{\log }_{2}n⌉]$, $2*$[$cn*$n² + $cn*$n + (n − 1)] Toffoli gates, 1 CNOT gates, 2n + 1 NOT gates and cn + n (n + 1)/2 + n (n − 1) + (n − 1) + 1 ancilla qubits, where cn ≃ 2.5n [25]. Then, the corresponding resource estimation for iterative oracle of OS algorithm is listed in Table 6. Here, the resource estimation for iterative oracle of OS algorithm in Q1 model is same as the case of OS algorithm in Q2 model, except that the width in Q1 model should consider extra (n − u) qubits.

Similarly, $⌈\frac{\pi }{4}{2}^{n/2}⌉$ iterations for the iterative operator of proposed quantum attacks are required. Here, we only consider the cost incurred by the iterative oracle and assume that the iterative oracle is applied in serial. Hence, the resources (except the number of qubits) in Table 6 are multiplied by $⌈\frac{\pi }{4}{2}^{n/2}⌉$ for estimating the resources of mounting presented quantum attacks on 2-step LED-128 and AES². The resource estimation is summarized in Table 7. From Table 7, it is obvious that the proposed quantum attacks based on GMS algorithm cost more than ones with OS algorithm in Q2 model. The main reason for this is caused by Test 2 of classifier β in GMS algorithm, which needs to check whether f (i, z) = f (i, z ⊕ s′) for fixed i, the given t pairs of z and thus requires more resources. Note that the cost incurred by proposed quantum attacks with OS algorithm in Q1 model is more than the ones in Q2 model because guessing the value of j requires another 2^(n−u)/2 iterations. Moreover, we also give the resource estimation for Grover algorithm on 2-step LED-128 and AES² in Supplementary C. Compared with the proposed quantum attacks on 2-step LED-128 and AES², the corresponding Grover algorithm costs much more since the Grover algorithm requires more iterations, except for the width.

TABLE 7

TABLE 7. Resource estimation for proposed quantum attacks on target ciphers, where all figures are in log base 2. The values of u of OS algorithm in Q1 model for 2-step LED-128 and AES² are 47 and 90, respectively.

Besides, it is worth noting that the resource estimation for OS algorithm in Q1 model should also consider the cost of preparing the quantum state $|{\psi }_g\rangle ={\otimes }^{cn}\left({\sum }_{x\in {\{\mathrm{0,1}\}}^n}|x\rangle |g(x)\rangle \right)$ with quantum read-only memory (QROM). According to Theorem 2 of Ref. [37], we can obtain that the transform

$\sum _{x\in {\left\{\mathrm{0,1}\right\}}^u}|x\rangle |0\rangle \mapsto \sum _{x\in {\left\{\mathrm{0,1}\right\}}^u}|x\rangle |g\left(x\right)\rangle$

costs Toffoli depth $⌈2^u/\omega ⌉+n(\omega -1)$, $⌈2^u/\omega ⌉+n(\omega -1)$ Toffoli gates and $\left.n(\omega -1)+⌈\log (2^u/\omega )⌉\right)$ ancilla qubits, where ω is a power of 2 such that 1 < ω < 2^u. Therefore, the preparing of the quantum state |ψ_g⟩ in OS algorithm for 2-step LED-128 requires Toffoli depth 2⁴⁶, 2^53.3 Toffoli gates and 2^14.1 ancilla qubits when ω = 2. The preparing of the quantum state |ψ_g⟩ in OS algorithm for AES² costs Toffoli depth 2⁸⁸, 2^96.3 Toffoli gates and 2^17.2 ancilla qubits when ω = 4. In such a case, we can easily prepare the quantum state |ψ_g⟩ under the resources of the iteration in OS algorithm. Therefore, the cost incurred by preparing the quantum state |ψ_g⟩ of OS algorithm in Q1 model can be ignored. Similarly, the cost imposed by recovering the period K₁ of GMS and OS algorithms can also be ignored since it is relatively small in terms of magnitude compared with the iteration in GMS and OS algorithms.

5 Conclusion

In this study, we consider the security of two-round Even-Mansour constructions in quantum setting. Compared with the classical attack with optimal query complexity, the presented quantum key-recovery attack on 2EM₁ construction reduces the query complexity by a factor of 2^n/6. For 2EM₂ and 2EM₃ constructions, we design quantum key-recovery attacks in Q1 and Q2 model respectively. The comparison in Table 2 shows that our attacks are more efficient than Grover search and QMITM attack no matter in Q1 or Q2 model. Furthermore, we also give the applications of proposed quantum attacks and analyze the corresponding resource estimation.

Data availability statement

The original contributions presented in the study are included in the article/Supplementary Material, further inquiries can be directed to the corresponding author.

Author contributions

These authors contributed equally to this work.

Funding

This work was supported by National Natural Science Foundation of China (Grant Numbers 61972048, 61976024), Henan Key Laboratory of Network Cryptography Technology (LNCT2021-A10), BUPT Excellent Ph.D. Students Foundation (Grant Number CX2019207) and China Scholarship Council (Grant Number 202006470082).

Conflict of interest

The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Publisher’s note

All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.

Supplementary material

The Supplementary Material for this article can be found online at: https://www.frontiersin.org/articles/10.3389/fphy.2022.1028014/full#supplementary-material

References

1. Even S, Mansour Y. A construction of a cipher from a single pseudorandom permutation. J Cryptology (1997) 10(3):151–61. doi:10.1007/s001459900025

CrossRef Full Text | Google Scholar

2. Orr D, Keller N, Shamir A. Minimalism in cryptography: The even-mansour scheme revisited. In: D Pointcheval, and T Johansson, editors. Advances in cryptology - EUROCRYPT 2012 - 31st annual international conference on the theory and applications of cryptographic techniques. Cambridge, UK: Springer (2012). p. 336–54. April 15-19, 2012. Proceedings, volume 7237 of Lecture Notes in Computer Science.

Google Scholar

3. Bogdanov A, Knudsen LR, Leander G, Standaert F-X, Steinberger JP, Tischhauser E. Key-alternating ciphers in a provable setting: Encryption using a small number of public permutations - (extended abstract). In: D Pointcheval, and T Johansson, editors. Advances in cryptology - EUROCRYPT 2012 - 31st annual international conference on the theory and applications of cryptographic techniques. Cambridge, UK: Springer (2012). p. 45–62. April 15-19, 2012. Proceedings, volume 7237 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

4. Lampe R, Patarin J, Seurin Y. An asymptotically tight security analysis of the iterated even-mansour cipher. In: X Wang, and K Sako, editors. Advances in cryptology - ASIACRYPT 2012 - 18th international conference on the theory and application of cryptology and information security. Beijing, China: Springer (2012). p. 278–95. December 2-6, 2012. Proceedings, volume 7658 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

5. Chen S, Steinberger JP. Tight security bounds for key-alternating ciphers. In: PQ Nguyen, and E Oswald, editors. Advances in cryptology - EUROCRYPT 2014 - 33rd annual international conference on the theory and applications of cryptographic techniques. Copenhagen, Denmark: Springer (2014). p. 327–50. May 11-15, 2014. Proceedings, volume 8441 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

6. Jordan SP, Liu Y-K. Quantum cryptanalysis: Shor, grover, and beyond. IEEE Secur Priv (2018) 16(5):14–21. doi:10.1109/msp.2018.3761719

CrossRef Full Text | Google Scholar

7. Bennett CH, Brassard G. Quantum cryptography: Public key distribution and coin tossing (2020). arXiv preprint arXiv:2003.06557.

Google Scholar

8. Deng FG, Long GL. Bidirectional quantum key distribution protocol with practical faint laser pulses. Phys Rev A (2004) 70(1):012311. doi:10.1103/PhysRevA.70.012311

CrossRef Full Text | Google Scholar

9. Ye T-Y, Li H-K, Hu J-L. Semi-quantum key distribution with single photons in both polarization and spatial-mode degrees of freedom. Int J Theor Phys (Dordr) (2020) 59(9):2807–15. doi:10.1007/s10773-020-04540-y

CrossRef Full Text | Google Scholar

10. Ye T-Y, Geng M-J, Xu T-J, Chen Y. Efficient semiquantum key distribution based on single photons in both polarization and spatial-mode degrees of freedom. Quan Inf Process (2022) 21(4):123–1. doi:10.1007/s11128-022-03457-1

CrossRef Full Text | Google Scholar

11. Zhandry M. How to construct quantum random functions. In: 53rd annual IEEE symposium on foundations of computer science. New Brunswick, NJ, USA: FOCSIEEE Computer Society (2012). p. 679–87. October 20-23, 2012.

CrossRef Full Text | Google Scholar

12. Kaplan M, Leurent G, Anthony L, Naya-Plasencia M. Breaking symmetric cryptosystems using quantum period finding. In: M Robshaw, and J Katz, editors. Advances in cryptology - CRYPTO 2016 - 36th annual international cryptology conference. Santa Barbara, CA, USA: Springer (2016). p. 207–37. August 14-18, 2016, Proceedings, Part II, volume 9815 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

13. Kuwakado H, Morii M. Security on the quantum-type even-mansour cipher. In: Proceedings of the international symposium on information theory and its applications, ISITA 2012. Honolulu, HI, USA: IEEE (2012). p. 312–6. October 28-31, 2012.

Google Scholar

14. Alagic G, Chen B, Katz J, Majenz C. Post-quantum security of the even-mansour cipher. In: Orr dunkelman and stefan DziembowskiAdvances in cryptology - EUROCRYPT 2022 - 41st annual international conference on the theory and applications of cryptographic techniques. Trondheim, Norway: Springer (2022). p. 458–87. May 30 - June 3, 2022, Proceedings, Part III, volume 13277 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

15. Kaplan M. Quantum attacks against iterated block ciphers. CoRR abs (2014) 1410–34.

Google Scholar

16. Brassard G, Høyer P, Tapp A. Quantum cryptanalysis of hash and claw-free functions. In: CL Lucchesi, and AV Moura, editors. Latin ’98: Theoretical informatics, third Latin American symposium. Campinas, Brazil: Springer (1998). p. 163–9. April, 20-24, 1998, Proceedings, volume 1380 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

17. Nikolic I, Wang L, Wu S. Cryptanalysis of round-reduced LED. IACR Cryptol Eprint Arch (2015) 429.

Google Scholar

18. Dinur I, Orr D, Keller N, Shamir A. Key recovery attacks on 3-round even-mansour, 8-step led-128, and full AES2. In: K Sako, and P Sarkar, editors. Advances in cryptology - ASIACRYPT 2013 - 19th international Conference on the Theory and Application of Cryptology and information security. Bengaluru, India: Springer (2013). p. 337–56. December 1-5, 2013, Proceedings, Part I, volume 8269 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

19. Dinur I, Orr D, Keller N, Shamir A. Key recovery attacks on iterated even-mansour encryption schemes. J Cryptol (2016) 29(4):697–728. doi:10.1007/s00145-015-9207-3

CrossRef Full Text | Google Scholar

20. Isobe T, Shibutani K. New key recovery attacks on minimal two-round even-mansour ciphers. In: T Takagi, and T Peyrin, editors. Advances in cryptology - ASIACRYPT 2017 - 23rd international Conference on the Theory and Applications of Cryptology and information security. Hong Kong, China: Springer (2017). p. 244–63. December 3-7, 2017, Proceedings, Part I, volume 10624 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

21. Leurent G, Sibleyras F. Low-memory attacks against two-round even-mansour using the 3-xor problem. In: S Barbara, editor. Alexandra boldyreva and daniele MicciancioAdvances in cryptology - CRYPTO 2019 - 39th annual international cryptology conference. CA, USA: Springer (2019). p. 210–35. August 18-22, 2019, Proceedings, Part II, volume 11693 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

22. Hosoyamada A, Aoki K. On quantum related-key attacks on iterated even-mansour ciphers. IEICE Trans Fundamentals (2019) 102(1):27–34. doi:10.1587/transfun.e102.a.27

CrossRef Full Text | Google Scholar

23. Grover LK. A fast quantum mechanical algorithm for database search. In: GL Miller, editor. Proceedings of the twenty-eighth annual ACM symposium on the theory of computing. Philadelphia, Pennsylvania, USA: ACM (1996). p. 212–9. May 22-24, 1996.

CrossRef Full Text | Google Scholar

24. Leander G, May A. Grover meets simon - quantumly attacking the fx-construction. In: T Takagi, and T Peyrin, editors. Advances in cryptology - ASIACRYPT 2017 - 23rd international Conference on the Theory and Applications of Cryptology and information security. Hong Kong, China: Springer (2017). p. 161–78. December 3-7, 2017, Proceedings, Part II, volume 10625 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

25. Bonnetain X, Hosoyamada A, Naya-Plasencia M, Sasaki Y, Schrottenloher A. Quantum attacks without superposition queries: The offline simon’s algorithm. In: SD Galbraith, and S Moriai, editors. Advances in cryptology - ASIACRYPT 2019 - 25th international Conference on the Theory and Application of Cryptology and information security. Kobe, Japan: Springer (2019). p. 552–83. December 8-12, 2019, Proceedings, Part I, volume 11921 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

26. Brassard G, Hoyer P, Mosca M, Tapp A. Quantum amplitude amplification and estimation. Contemp Math (2002) 305:53–74. doi:10.1090/conm/305/05215

CrossRef Full Text | Google Scholar

27. Simon DR. On the power of quantum computation. SIAM J Comput (1997) 26(5):1474–83. doi:10.1137/s0097539796298637

CrossRef Full Text | Google Scholar

28. Kilian J, Rogaway P. How to protect DES against exhaustive key search. In: K Neal, editor. Advances in cryptology - CRYPTO ’96, 16th annual international cryptology conference. Santa Barbara, California, USA: Springer (1996). p. 252–67. August 18-22, 1996, Proceedings, volume 1109 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

29. Guo J, Peyrin T, Poschmann A, Matthew JB. Robshaw. The LED block cipher. In: Bart preneel and tsuyoshi TakagiCryptographic hardware and embedded systems - CHES 2011 - 13th international workshop. Nara, Japan: Springer (2011). p. 326–41. September 28 - October 1, 2011, Proceedings, volume 6917 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

30. Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A, Matthew J, et al. Present: An ultra-lightweight block cipher. In: Pascal paillier and ingrid VerbauwhedeCryptographic hardware and embedded systems - CHES 2007, 9th international workshop. Vienna, Austria: Springer (2007). p. 450–66. September 10-13, 2007, Proceedings, volume 4727 of Lecture Notes in Computer Science.

Google Scholar

31. Rahman M, Paul G. Grover on present: Quantum resource estimation. In: IACR cryptol. ePrint arch. (2021). p. 1655.

Google Scholar

32. Stein W. Sage mathematics software (2007). Available at: http://www. sagemath//org.

Google Scholar

33. Zou J, Wei Z, Sun S, Liu X, Wu W. Quantum circuit implementations of AES with fewer qubits. In: S Moriai, and H Wang, editors. Advances in cryptology - ASIACRYPT 2020 - 26th international Conference on the Theory and Application of Cryptology and information security, daejeon. South Korea: Springer (2020). p. 697–726. December 7-11, 2020, Proceedings, Part II, volume 12492 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

34. Jaques S, Naehrig M, Roetteler M, Virdia F. Implementing grover oracles for quantum key search on AES and lowmc. In: A Canteaut, and Y Ishai, editors. Advances in cryptology - EUROCRYPT 2020 - 39th annual international conference on the theory and applications of cryptographic techniques. Zagreb, Croatia: Springer (2020). p. 280–310. May 10-14, 2020, Proceedings, Part II, volume 12106 of Lecture Notes in Computer Science.

CrossRef Full Text | Google Scholar

35. Li ZQ, Cai BB, Sun HW, Liu HL, Wan LC, Qin SJ, et al. Novel quantum circuit implementation of advanced encryption standard with low costs. Sci China Phys Mech Astron (2022) 65(9):290311–6. doi:10.1007/s11433-022-1921-y

CrossRef Full Text | Google Scholar

36. Bonnetain X, Jaques S. Quantum period finding against symmetric primitives in practice. IACR Trans Cryptogr Hardw Embed Syst (2022) 2022(1):1–27. doi:10.46586/tches.v2022.i1.1-27

CrossRef Full Text | Google Scholar

37. Berry DW, Craig G, Motta M, McClean JR, Ryan B. Qubitization of arbitrary basis quantum chemistry leveraging sparsity and low rank factorization. Quantum (2019) 3:208. doi:10.22331/q-2019-12-02-208

CrossRef Full Text | Google Scholar