2019
DOI: 10.46586/tosc.v2019.i2.55-93

Quantum Security Analysis of AES

Abstract: In this paper we analyze for the first time the post-quantum security of AES. AES is the most popular and widely used block cipher, established as the encryption standard by the NIST in 2001. We consider the secret key setting and, in particular, AES-256, the recommended primitive and one of the few existing ones that aims at providing a post-quantum security of 128 bits. In order to determine the new security margin, i.e., the lowest number of non-attacked rounds in time less than 2^128 encryptions, we first p…

Cited by 101 publications (61 citation statements)
References 27 publications
“…This is a strange tendency especially considering the fact that there are many attempts to speed up dedicated cryptanalysis against block ciphers e.g. differential and linear cryptanalysis [25], impossible differential cryptanalysis [44], meet-in-the-middle attacks [8, 20], slide attacks [7], and so on. In this paper, we explore dedicated collision attacks against hash functions to find collisions faster than generic quantum attacks.…”
Section: Introduction (mentioning)
confidence: 99%
“…Thus, we can certainly obtain q PRP by instantiating LRWQ with AES. This means that our result enables us to directly benefit from recent efforts for quantum cryptanalysis on AES [GLRS16,BNS19b,JNRV20].…”
Section: Our Contributions (mentioning)
confidence: 77%
“…At FSE 2020, Bonnetain et al. [BNS19b] proposed a quantum circuit that fulfils the functionality of DDT. The cost is equivalent to 2 S-box computations and 22 ancilla qubits.…”
Section: Methods 2: Using a Dedicated Quantum Circuit For S-box (mentioning)
confidence: 99%
“…In symmetric-key setting, it was generally believed that Grover's algorithm [Gro96] would provide the quadratic speedup in exhaustive search attack against the symmetric-key schemes such as block ciphers and hash functions, and thus doubling the key length addresses the concern. Interestingly, this belief has now been challenged due to several dedicated quantum attacks, such as on block ciphers [BNS19b], hash functions [HS20, DSS+20], message authentication codes, authenticated encryption schemes [KM10, KLLN16, Bon17, LM17, HS18, BNS19a, IHM+19, DDW20] etc. These attacks primarily rely on Simon's algorithm [Sim97] requiring online quantum superposition queries, except in [BHN+19] where offline queries are performed.…”
Section: Introduction (mentioning)
confidence: 99%