Applying Grover s algorithm to AES: quantum resource estimates

Size: px

Start display at page:

Download "Applying Grover s algorithm to AES: quantum resource estimates"

Garey Gregory
6 years ago
Views:

1 Applying Grover s algorithm to AES: quantum resource estimates Markus Grassl 1, Brandon Langenberg 2, Martin Roetteler 3 and Rainer Steinwandt 2 1 Universität Erlangen-Nürnberg & Max Planck Institute for the Science of Light 2 Florida Atlantic University 3 Microsoft Research February 24, 2016 BL (FAU) Quantum AES February 24, / 21

2 Overview Quantum circuits for implementing an exhaustive key search for the Advanced Encryption Standard (AES) Analyze the quantum resources required Consider the overall circuit size, number of qubits, and circuit depth Focus on the Clifford+T gate set Establish precise bounds for qubits and gates needed to implement Grover s algorithm for all three versions (128, 192, and 256 bit) that are standardized in FIPS-PUB 197 BL (FAU) Quantum AES February 24, / 21

3 1 AES: Rounds 2 AES: Key Expansion 3 Resource Estimates 4 Grover 5 Uniqueness 6 Conclusion BL (FAU) Quantum AES February 24, / 21

4 AES: Rounds 128 qubits hold the current internal state S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 1,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 S 0,0 S 1,0. S 3,3 Each round of AES applies the following four operations: SubBytes ShiftRows MixColumns AddRoundKey BL (FAU) Quantum AES February 24, / 21

5 AES: SubBytes Treat each byte as α F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) Finds α 1 (leaving 0 invariant) Applies an affine transformation BL (FAU) Quantum AES February 24, / 21

6 AES: SubBytes Treat each byte as α F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) Finds α 1 (leaving 0 invariant) Applies an affine transformation Classical AES can employ a lookup table BL (FAU) Quantum AES February 24, / 21

7 AES: SubBytes Treat each byte as α F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) Finds α 1 (leaving 0 invariant) Applies an affine transformation Classical AES can employ a lookup table Decided explicity calculating result was more resource friendly BL (FAU) Quantum AES February 24, / 21

8 AES: SubBytes Treat each byte as α F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) Finds α 1 (leaving 0 invariant) Applies an affine transformation Classical AES can employ a lookup table Decided explicity calculating result was more resource friendly Itoh-Tsujii inverter: α 1 = α 254 = ((α α 2 ) (α α 2 ) 4 (α α 2 ) 16 α 64 ) 2 BL (FAU) Quantum AES February 24, / 21

9 AES: SubBytes: α 1 = ((α α 2 ) (α α 2 ) 4 (α α 2 ) 16 α 64 ) 2 Qubits α α α α α α α α 2 α 2 α 2 α 2 α 2 α α 3 α 3 α α 12 α 12 α 12 α α 15 α 15 α 15 Qubits α α α 64 α 64 α 64 α α α α 127 α 254 α 254 α α 63 α 63 α 63 α 63 α 63 α α 48 α 48 α 48 α 48 α 48 α 48 α α 15 α 15 α 15 α 15 α 15 α 15 α 15 Qubits α α α α α α α α 254 α 254 α 254 α 254 α 254 α 254 α α 3 α 3 α 3 α 3 α α 48 α 12 α 12 0 α 2 α α 15 α BL (FAU) Quantum AES February 24, / 21

10 AES: SubBytes Example: Squaring in F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) = BL (FAU) Quantum AES February 24, / 21

11 AES: SubBytes Multiplication: Maslov et al. s design BL (FAU) Quantum AES February 24, / 21

12 AES: SubBytes Multiplication: Maslov et al. s design 64 Toffoli and 21 CNOT gates 448 T plus 533 Clifford gates BL (FAU) Quantum AES February 24, / 21

13 AES: SubBytes Multiplication: Maslov et al. s design 64 Toffoli and 21 CNOT gates 448 T plus 533 Clifford gates 8 total mulitplications per inversion 3584 T plus 4264 Clifford gates BL (FAU) Quantum AES February 24, / 21

14 AES: SubBytes Multiplication: Maslov et al. s design 64 Toffoli and 21 CNOT gates 448 T plus 533 Clifford gates 8 total mulitplications per inversion 3584 T plus 4264 Clifford gates EXPENSIVE BL (FAU) Quantum AES February 24, / 21

15 AES: SubBytes Final Step: Affine transformation computed, LUP decomposition used. b b b b 3 b 4 = b b b b 0 b 1 b 2 b 3 b 4 b 5 b 6 b BL (FAU) Quantum AES February 24, / 21

16 AES: SubBytes Final Step: Affine transformation computed, LUP decomposition used. b b b b 3 b 4 = b b b b 0 b 1 b 2 b 3 b 4 b 5 b 6 b SubBytes: BL (FAU) Quantum AES February 24, / 21

17 AES: SubBytes Final Step: Affine transformation computed, LUP decomposition used. b b b b 3 b 4 = b b b b 0 b 1 b 2 b 3 b 4 b 5 b 6 b SubBytes: One 8-bit S-Box 3584 T -gates and 4569 Clifford gates. BL (FAU) Quantum AES February 24, / 21

18 AES: SubBytes Final Step: Affine transformation computed, LUP decomposition used. b b b b 3 b 4 = b b b b 0 b 1 b 2 b 3 b 4 b 5 b 6 b SubBytes: One 8-bit S-Box 3584 T -gates and 4569 Clifford gates. 16 S-Boxes per round! BL (FAU) Quantum AES February 24, / 21

19 AES: ShiftRows S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 1,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 S 0,0 S 0,1 S 0,2 S 0,3 S 1,1 S 1,2 S 1,3 S 1,0 S 2,2 S 2,3 S 2,0 S 2,1 S 3,3 S 3,0 S 3,1 S 3,2 Permutation of current AES state Permutation of qubits Instead adjust position of subsequent gates Addressed during next SubBytes BL (FAU) Quantum AES February 24, / 21

20 AES: MixedColumns Operates on entire column (32 (qu)bits) at a time. LUP decomposition on matrix to compute in place 277 CNOT gates, depth of {02} ; {03} BL (FAU) Quantum AES February 24, / 21

21 AES: MixedColumns MixColumns: 277 CNOT gates with total depth of 39 BL (FAU) Quantum AES February 24, / 21

22 AES: AddRoundKey Bit-wise XOR of the round key with the current state 128 CNOT gates executed in parallel BL (FAU) Quantum AES February 24, / 21

23 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: BL (FAU) Quantum AES February 24, / 21

24 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action BL (FAU) Quantum AES February 24, / 21

25 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action SubWord() - Applies SubBytes once to each of the 4 bytes BL (FAU) Quantum AES February 24, / 21

26 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action SubWord() - Applies SubBytes once to each of the 4 bytes Rcon[i/Nk] - Flip of bits - One or two uncontrolled NOT gates BL (FAU) Quantum AES February 24, / 21

27 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action SubWord() - Applies SubBytes once to each of the 4 bytes Rcon[i/Nk] - Flip of bits - One or two uncontrolled NOT gates XOR - XORing words - 32 controlled NOT gates executed in parallel BL (FAU) Quantum AES February 24, / 21

28 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action SubWord() - Applies SubBytes once to each of the 4 bytes Rcon[i/Nk] - Flip of bits - One or two uncontrolled NOT gates XOR - XORing words - 32 controlled NOT gates executed in parallel SubWord() (expensive) only applied to every 4 (AES-128, 256) or 6 (AES 192) words in key expansion. These words are treated differently. BL (FAU) Quantum AES February 24, / 21

29 AES: Key Expansion: SubWord() SubWord() like SubBytes was costly storing seemed cost effective AES words into use Subword(), constructed & stored BL (FAU) Quantum AES February 24, / 21

30 AES: Key Expansion: SubWord() SubWord() like SubBytes was costly storing seemed cost effective AES words into use Subword(), constructed & stored AES words into use Subword(), constructed & stored BL (FAU) Quantum AES February 24, / 21

31 AES: Key Expansion: SubWord() SubWord() like SubBytes was costly storing seemed cost effective AES words into use Subword(), constructed & stored AES words into use Subword(), constructed & stored AES words into use Subword() constructed & stored BL (FAU) Quantum AES February 24, / 21

32 AES: Key Expansion: SubWord() SubWord() like SubBytes was costly storing seemed cost effective AES words into use Subword(), constructed & stored AES words into use Subword(), constructed & stored AES words into use Subword() constructed & stored #gates depth #qubits NOT CNOT Toffoli T overall storage ancillae ,448 20,480 5,760 12, ,568 16,384 4,608 10, ,492 26,624 7,488 16, BL (FAU) Quantum AES February 24, / 21

33 AES: Key Expansion: Remaining words constructed only using XOR generate as needed. Example: AES word7 = word4 word3 word2 word1 BL (FAU) Quantum AES February 24, / 21

34 Resource Estimates To save and reuse qubits, cleaned up along the way (Ex. AES-192) BL (FAU) Quantum AES February 24, / 21

35 Resource Estimates AES-128 #gates depth #qubits T Clifford T overall Key Gen 143, ,464 5,760 12, Rounds 917,504 1,194,956 44,928 98, Total 1,060,864 1,380,420 50, , AES-192 #gates depth #qubits T Clifford T overall Key Gen 114, ,776 4,608 10, Rounds 1,089,536 1,418,520 39,744 86, Total 1,204,224 1,567,296 44,352 96, AES-256 #gates depth #qubits T Clifford T overall Key Gen 186, ,699 7,488 16, Rounds 1,318,912 1,715,400 52, , Total 1,505,280 1,956,099 59, , BL (FAU) Quantum AES February 24, / 21

36 Grover (a) (b) (a) Grover circuit applied π 4 2 k times for k = 128, 192, 256 (b) Shown is the circuit decomposition of G ) G = ((H k ( )H k ) 1 2 U f BL (FAU) Quantum AES February 24, / 21

37 Uniqueness Figure: Reversible implementation of U f. For k = 128, r = 3 invocations of AES suffice to make the target key unique. For k = 192 number of parallel AES boxes increases to r = 4 and for k = 256 to r = 5. Overall structure of the circuit is common to all key sizes. BL (FAU) Quantum AES February 24, / 21

38 Conclusion #gates depth #qubits k T Clifford T overall , , ,681 Table: Resource estimates for Grover to attack AES-k, k {128, 192, 256}. Conclusion: Only SubBytes involves T -gates and called a minimum of 296 times (AES-128) and up to 420 (AES-256). Results in quantum circuits of quite moderate complexity. Seems prudent to move away from 128-bit keys. BL (FAU) Quantum AES February 24, / 21

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported