Grover’s search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses calls to the cipher to search a key space of size N . Previous work in the specific case of AES derived the full gate cost by analyzing quantum circuits for the cipher, but focused on minimizing the number of qubits. In contrast, we study the cost of quantum key search attacks under a depth restriction and introduce techniques that reduce the oracle depth, even if it requires more qubits. As cases in point, we design quantum circuits for the block ciphers AES and LowMC. Our circuits give a lower overall attack cost in both the gate count and depth-times-width cost models. In NIST’s post-quantum cryptography standardization process, security categories are defined based on the concrete cost of quantum key search against AES. We present new, lower cost estimates for each category, so our work has immediate implications for the security assessment of post-quantum cryptography. As part of this work, we release Q# implementations of the full Grover oracle for AES-128, -192, -256 and for the three LowMC instantiations used in Picnic, including unit tests and code to reproduce our quantum resource estimates. To the best of our knowledge, these are the first two such full implementations and automatic resource estimations.
We present improved quantum circuits for elliptic curve scalar multiplication, the most costly component in Shor's algorithm to compute discrete logarithms in elliptic curve groups. We optimize low-level components such as reversible integer and modular arithmetic through windowing techniques and more adaptive placement of uncomputing steps, and improve over previous quantum circuits for modular inversion by reformulating the binary Euclidean algorithm. Overall, we obtain an affine Weierstrass point addition circuit that has lower depth and uses fewer T gates than previous circuits. While previous work mostly focuses on minimizing the total number of qubits, we present various trade-offs between different cost metrics including the number of qubits, circuit depth and T-gate count. Finally, we provide a full implementation of point addition in the Q# quantum programming language that allows unit tests and automatic quantum resource estimation for all components.

curve. Under plausible assumptions about physical error rates, this could translate into 6.77 · 10^7 physical qubits [11]. But the number of logical qubits is not the only important cost metric, and one might prioritize others such as circuit depth, the total number of gates, or the total number of likely expensive gates such as the Toffoli gate or the T gate.

Our goal in this work is not only to improve the circuits proposed by RNSL [27], but also to explore different trade-offs favoring different cost metrics. To this end, we provide resource estimates for point addition circuits optimized for depth, T-gate count, and width, respectively. We also report on initial experiments with automatic optimization for T-depth and T-gate count.
By using the automatic compilation techniques presented in [19], we find low T-depth and low T-count circuits for a modular multiplication component and show significant improvements compared to their manually designed counterparts, albeit at a very high cost in the number of qubits.

Beyond alternative choices for low-level arithmetic components, we also improve the higher-level structure of RNSL's circuit. While many components stay the same, the most dramatic improvements come from windowing techniques similar to those proposed by Gidney and Ekerå in [14] and better memory management via pebbling. For example, instead of copying out the result in an out-of-place circuit that uses Bennett's method for embedding an irreversible function in a reversible computation, the result can be used for the next operation before it is uncomputed. This technique does not treat modular operations merely as black boxes, but can adaptively reduce the cost of the higher-level circuit they are used in. Along with a reformulation of the binary extended Euclidean algorithm, it significantly reduces costs for the modular inversion circuit.

One of our main contributions is a modular, testable library of functions for elliptic curve arithmetic in the Q# programming language for quantum computing [31]. These incorporate different possible choic...
We analyze linear maps on matrix algebras that become entanglement breaking after composing a finite or infinite number of times with themselves. This means that the Choi matrix of the iterated linear map becomes separable in the tensor product space. If a linear map becomes entanglement breaking after finitely many iterations, we say the map has a finite index of separability. In particular we show that every unital PPT-channel has a finite index of separability and that the class of unital channels that have finite index of separability is a dense subset of the unital channels. We construct concrete examples of maps which are not PPT but have finite index of separability. We prove that there is a large class of unital channels that are asymptotically entanglement breaking. This analysis is motivated by the PPT-squared conjecture made by M. Christandl that says every PPT channel, when composed with itself, becomes entanglement breaking.
Recent independent analyses by Bonnetain–Schrottenloher and Peikert in Eurocrypt 2020 significantly reduced the estimated quantum security of the isogeny-based commutative group action key-exchange protocol CSIDH. This paper refines the estimates of a resource-constrained quantum collimation sieve attack to give a precise quantum security to CSIDH. Furthermore, we optimize large CSIDH parameters for performance while still achieving the NIST security levels 1, 2, and 3. Finally, we provide a C-code constant-time implementation of those CSIDH large instantiations using the square-root-complexity Vélu’s formulas recently proposed by Bernstein, De Feo, Leroux and Smith.