Applying Grover s algorithm to AES: quantum resource estimates
|
|
- Garey Gregory
- 6 years ago
- Views:
Transcription
1 Applying Grover s algorithm to AES: quantum resource estimates Markus Grassl 1, Brandon Langenberg 2, Martin Roetteler 3 and Rainer Steinwandt 2 1 Universität Erlangen-Nürnberg & Max Planck Institute for the Science of Light 2 Florida Atlantic University 3 Microsoft Research February 24, 2016 BL (FAU) Quantum AES February 24, / 21
2 Overview Quantum circuits for implementing an exhaustive key search for the Advanced Encryption Standard (AES) Analyze the quantum resources required Consider the overall circuit size, number of qubits, and circuit depth Focus on the Clifford+T gate set Establish precise bounds for qubits and gates needed to implement Grover s algorithm for all three versions (128, 192, and 256 bit) that are standardized in FIPS-PUB 197 BL (FAU) Quantum AES February 24, / 21
3 1 AES: Rounds 2 AES: Key Expansion 3 Resource Estimates 4 Grover 5 Uniqueness 6 Conclusion BL (FAU) Quantum AES February 24, / 21
4 AES: Rounds 128 qubits hold the current internal state S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 1,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 S 0,0 S 1,0. S 3,3 Each round of AES applies the following four operations: SubBytes ShiftRows MixColumns AddRoundKey BL (FAU) Quantum AES February 24, / 21
5 AES: SubBytes Treat each byte as α F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) Finds α 1 (leaving 0 invariant) Applies an affine transformation BL (FAU) Quantum AES February 24, / 21
6 AES: SubBytes Treat each byte as α F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) Finds α 1 (leaving 0 invariant) Applies an affine transformation Classical AES can employ a lookup table BL (FAU) Quantum AES February 24, / 21
7 AES: SubBytes Treat each byte as α F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) Finds α 1 (leaving 0 invariant) Applies an affine transformation Classical AES can employ a lookup table Decided explicity calculating result was more resource friendly BL (FAU) Quantum AES February 24, / 21
8 AES: SubBytes Treat each byte as α F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) Finds α 1 (leaving 0 invariant) Applies an affine transformation Classical AES can employ a lookup table Decided explicity calculating result was more resource friendly Itoh-Tsujii inverter: α 1 = α 254 = ((α α 2 ) (α α 2 ) 4 (α α 2 ) 16 α 64 ) 2 BL (FAU) Quantum AES February 24, / 21
9 AES: SubBytes: α 1 = ((α α 2 ) (α α 2 ) 4 (α α 2 ) 16 α 64 ) 2 Qubits α α α α α α α α 2 α 2 α 2 α 2 α 2 α α 3 α 3 α α 12 α 12 α 12 α α 15 α 15 α 15 Qubits α α α 64 α 64 α 64 α α α α 127 α 254 α 254 α α 63 α 63 α 63 α 63 α 63 α α 48 α 48 α 48 α 48 α 48 α 48 α α 15 α 15 α 15 α 15 α 15 α 15 α 15 Qubits α α α α α α α α 254 α 254 α 254 α 254 α 254 α 254 α α 3 α 3 α 3 α 3 α α 48 α 12 α 12 0 α 2 α α 15 α BL (FAU) Quantum AES February 24, / 21
10 AES: SubBytes Example: Squaring in F 2 [x]/(1 + x + x 3 + x 4 + x 8 ) = BL (FAU) Quantum AES February 24, / 21
11 AES: SubBytes Multiplication: Maslov et al. s design BL (FAU) Quantum AES February 24, / 21
12 AES: SubBytes Multiplication: Maslov et al. s design 64 Toffoli and 21 CNOT gates 448 T plus 533 Clifford gates BL (FAU) Quantum AES February 24, / 21
13 AES: SubBytes Multiplication: Maslov et al. s design 64 Toffoli and 21 CNOT gates 448 T plus 533 Clifford gates 8 total mulitplications per inversion 3584 T plus 4264 Clifford gates BL (FAU) Quantum AES February 24, / 21
14 AES: SubBytes Multiplication: Maslov et al. s design 64 Toffoli and 21 CNOT gates 448 T plus 533 Clifford gates 8 total mulitplications per inversion 3584 T plus 4264 Clifford gates EXPENSIVE BL (FAU) Quantum AES February 24, / 21
15 AES: SubBytes Final Step: Affine transformation computed, LUP decomposition used. b b b b 3 b 4 = b b b b 0 b 1 b 2 b 3 b 4 b 5 b 6 b BL (FAU) Quantum AES February 24, / 21
16 AES: SubBytes Final Step: Affine transformation computed, LUP decomposition used. b b b b 3 b 4 = b b b b 0 b 1 b 2 b 3 b 4 b 5 b 6 b SubBytes: BL (FAU) Quantum AES February 24, / 21
17 AES: SubBytes Final Step: Affine transformation computed, LUP decomposition used. b b b b 3 b 4 = b b b b 0 b 1 b 2 b 3 b 4 b 5 b 6 b SubBytes: One 8-bit S-Box 3584 T -gates and 4569 Clifford gates. BL (FAU) Quantum AES February 24, / 21
18 AES: SubBytes Final Step: Affine transformation computed, LUP decomposition used. b b b b 3 b 4 = b b b b 0 b 1 b 2 b 3 b 4 b 5 b 6 b SubBytes: One 8-bit S-Box 3584 T -gates and 4569 Clifford gates. 16 S-Boxes per round! BL (FAU) Quantum AES February 24, / 21
19 AES: ShiftRows S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 1,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 S 0,0 S 0,1 S 0,2 S 0,3 S 1,1 S 1,2 S 1,3 S 1,0 S 2,2 S 2,3 S 2,0 S 2,1 S 3,3 S 3,0 S 3,1 S 3,2 Permutation of current AES state Permutation of qubits Instead adjust position of subsequent gates Addressed during next SubBytes BL (FAU) Quantum AES February 24, / 21
20 AES: MixedColumns Operates on entire column (32 (qu)bits) at a time. LUP decomposition on matrix to compute in place 277 CNOT gates, depth of {02} ; {03} BL (FAU) Quantum AES February 24, / 21
21 AES: MixedColumns MixColumns: 277 CNOT gates with total depth of 39 BL (FAU) Quantum AES February 24, / 21
22 AES: AddRoundKey Bit-wise XOR of the round key with the current state 128 CNOT gates executed in parallel BL (FAU) Quantum AES February 24, / 21
23 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: BL (FAU) Quantum AES February 24, / 21
24 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action BL (FAU) Quantum AES February 24, / 21
25 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action SubWord() - Applies SubBytes once to each of the 4 bytes BL (FAU) Quantum AES February 24, / 21
26 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action SubWord() - Applies SubBytes once to each of the 4 bytes Rcon[i/Nk] - Flip of bits - One or two uncontrolled NOT gates BL (FAU) Quantum AES February 24, / 21
27 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action SubWord() - Applies SubBytes once to each of the 4 bytes Rcon[i/Nk] - Flip of bits - One or two uncontrolled NOT gates XOR - XORing words - 32 controlled NOT gates executed in parallel BL (FAU) Quantum AES February 24, / 21
28 AES: Key Expansion Key Expansion employs the following to 32 bits (1 word) at a time: RotWord() - Similar to ShiftRows, requires no current action SubWord() - Applies SubBytes once to each of the 4 bytes Rcon[i/Nk] - Flip of bits - One or two uncontrolled NOT gates XOR - XORing words - 32 controlled NOT gates executed in parallel SubWord() (expensive) only applied to every 4 (AES-128, 256) or 6 (AES 192) words in key expansion. These words are treated differently. BL (FAU) Quantum AES February 24, / 21
29 AES: Key Expansion: SubWord() SubWord() like SubBytes was costly storing seemed cost effective AES words into use Subword(), constructed & stored BL (FAU) Quantum AES February 24, / 21
30 AES: Key Expansion: SubWord() SubWord() like SubBytes was costly storing seemed cost effective AES words into use Subword(), constructed & stored AES words into use Subword(), constructed & stored BL (FAU) Quantum AES February 24, / 21
31 AES: Key Expansion: SubWord() SubWord() like SubBytes was costly storing seemed cost effective AES words into use Subword(), constructed & stored AES words into use Subword(), constructed & stored AES words into use Subword() constructed & stored BL (FAU) Quantum AES February 24, / 21
32 AES: Key Expansion: SubWord() SubWord() like SubBytes was costly storing seemed cost effective AES words into use Subword(), constructed & stored AES words into use Subword(), constructed & stored AES words into use Subword() constructed & stored #gates depth #qubits NOT CNOT Toffoli T overall storage ancillae ,448 20,480 5,760 12, ,568 16,384 4,608 10, ,492 26,624 7,488 16, BL (FAU) Quantum AES February 24, / 21
33 AES: Key Expansion: Remaining words constructed only using XOR generate as needed. Example: AES word7 = word4 word3 word2 word1 BL (FAU) Quantum AES February 24, / 21
34 Resource Estimates To save and reuse qubits, cleaned up along the way (Ex. AES-192) BL (FAU) Quantum AES February 24, / 21
35 Resource Estimates AES-128 #gates depth #qubits T Clifford T overall Key Gen 143, ,464 5,760 12, Rounds 917,504 1,194,956 44,928 98, Total 1,060,864 1,380,420 50, , AES-192 #gates depth #qubits T Clifford T overall Key Gen 114, ,776 4,608 10, Rounds 1,089,536 1,418,520 39,744 86, Total 1,204,224 1,567,296 44,352 96, AES-256 #gates depth #qubits T Clifford T overall Key Gen 186, ,699 7,488 16, Rounds 1,318,912 1,715,400 52, , Total 1,505,280 1,956,099 59, , BL (FAU) Quantum AES February 24, / 21
36 Grover (a) (b) (a) Grover circuit applied π 4 2 k times for k = 128, 192, 256 (b) Shown is the circuit decomposition of G ) G = ((H k ( )H k ) 1 2 U f BL (FAU) Quantum AES February 24, / 21
37 Uniqueness Figure: Reversible implementation of U f. For k = 128, r = 3 invocations of AES suffice to make the target key unique. For k = 192 number of parallel AES boxes increases to r = 4 and for k = 256 to r = 5. Overall structure of the circuit is common to all key sizes. BL (FAU) Quantum AES February 24, / 21
38 Conclusion #gates depth #qubits k T Clifford T overall , , ,681 Table: Resource estimates for Grover to attack AES-k, k {128, 192, 256}. Conclusion: Only SubBytes involves T -gates and called a minimum of 296 times (AES-128) and up to 420 (AES-256). Results in quantum circuits of quite moderate complexity. Seems prudent to move away from 128-bit keys. BL (FAU) Quantum AES February 24, / 21
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY
UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationTable Of Contents. ! 1. Introduction to AES
1 Table Of Contents! 1. Introduction to AES! 2. Design Principles behind AES Linear Cryptanalysis Differential Cryptanalysis Square Attack Biclique Attack! 3. Quantum Cryptanalysis of AES Applying Grover
More informationDesign of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES
Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES Rajasekar P Assistant Professor, Department of Electronics and Communication Engineering, Kathir College of Engineering, Neelambur,
More informationProjects about Quantum adder circuits Final examination June 2018 Quirk Simulator
Projects about Quantum adder circuits Final examination June 2018 Quirk Simulator http://algassert.com/2016/05/22/quirk.html PROBLEM TO SOLVE 1. The HNG gate is described in reference: Haghparast M. and
More informationSecret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations
More informationAustralian Journal of Basic and Applied Sciences
AENSI Journals Australian Journal of Basic and Applied Sciences ISSN:1991-8178 Journal home page: www.ajbasweb.com of SubBytes and InvSubBytes s of AES Algorithm Using Power Analysis Attack Resistant Reversible
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More information(Solution to Odd-Numbered Problems) Number of rounds. rounds
CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys
More informationThe Classification of Clifford Gates over Qubits
The Classification of Clifford Gates over Qubits Daniel Grier, Luke Schaeffer MIT Introduction Section 1 Introduction Classification Introduction Idea Study universality by finding non-universal gate sets.
More informationLow Complexity Differential Cryptanalysis and Fault Analysis of AES
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low
More informationModule 2 Advanced Symmetric Ciphers
Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationAccelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl
Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications
More informationProvably Secure Higher-Order Masking of AES
Provably Secure Higher-Order Masking of AES Matthieu Rivain 1 and Emmanuel Prouff 2 1 CryptoExperts matthieu.rivain@cryptoexperts.com 2 Oberthur Technologies e.prouff@oberthur.com Abstract. Implementations
More informationIntroduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES
CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction
More informationLOOKING INSIDE AES AND BES
23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it
More informationDifferential Fault Analysis on A.E.S.
Differential Fault Analysis on A.E.S. P. Dusart, G. Letourneux, O. Vivolo 01/10/2002 Abstract We explain how a differential fault analysis (DFA) works on AES 128, 192 or 256 bits. Contents 1 Introduction
More informationImproved Impossible Differential Cryptanalysis of Rijndael and Crypton
Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,
More informationMultiplicative complexity in block cipher design and analysis
Multiplicative complexity in block cipher design and analysis Pavol Zajac Institute of Computer Science and Mathematics Slovak University of Technology pavol.zajac@stuba.sk Fewer Multiplications in Cryptography
More informationarxiv: v1 [cs.cr] 13 Sep 2016
Hacking of the AES with Boolean Functions Michel Dubois Operational Cryptology and Virology Laboratory Éric Filiol Operational Cryptology and Virology Laboratory September 14, 2016 arxiv:1609.03734v1 [cs.cr]
More informationDifferential Fault Analysis of AES using a Single Multiple-Byte Fault
Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.
More informationExtended Criterion for Absence of Fixed Points
Extended Criterion for Absence of Fixed Points Oleksandr Kazymyrov, Valentyna Kazymyrova Abstract One of the criteria for substitutions used in block ciphers is the absence of fixed points. In this paper
More informationResource Efficient Design of Quantum Circuits for Quantum Algorithms
Resource Efficient Design of Quantum Circuits for Quantum Algorithms Himanshu Thapliyal Department of Electrical and Computer Engineering University of Kentucky, Lexington, KY hthapliyal@uky.edu Quantum
More informationBlock ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit
Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption
More informationLow-communication parallel quantum multi-target preimage search
Low-communication parallel quantum multi-target preimage search Gustavo Banegas 1 and Daniel J. Bernstein 2 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box 513,
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationAn Analytical Approach to S-Box Generation
An Analytical Approach to Generation K. J. Jegadish Kumar 1, K. Hariprakash 2, A.Karunakaran 3 1 (Department of ECE, SSNCE, India) 2 (Department of ECE, SSNCE, India) 3 (Department of ECE, SSNCE, India)
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationIntroduction to Quantum Algorithms Part I: Quantum Gates and Simon s Algorithm
Part I: Quantum Gates and Simon s Algorithm Martin Rötteler NEC Laboratories America, Inc. 4 Independence Way, Suite 00 Princeton, NJ 08540, U.S.A. International Summer School on Quantum Information, Max-Planck-Institut
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationSimulating classical circuits with quantum circuits. The complexity class Reversible-P. Universal gate set for reversible circuits P = Reversible-P
Quantum Circuits Based on notes by John Watrous and also Sco8 Aaronson: www.sco8aaronson.com/democritus/ John Preskill: www.theory.caltech.edu/people/preskill/ph229 Outline Simulating classical circuits
More informationHighly Efficient GF(2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design
Saint-Malo, September 13th, 2015 Cryptographic Hardware and Embedded Systems Highly Efficient GF(2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design Rei Ueno 1, Naofumi
More informationFirst-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure
Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US
More information2.2 Classical circuit model of computation
Chapter 2 Classical Circuit Models for Computation 2. Introduction A computation is ultimately performed by a physical device. Thus it is a natural question to ask what are the fundamental limitations
More informationON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD
ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction
More informationThe XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty
The XL and XSL attacks on Baby Rijndael by Elizabeth Kleiman A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics
More information18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers Online Cryptography Course What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical
More informationInside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013
Inside Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013 1 / 49 Outline
More informationGrover s algorithm. We want to find aa. Search in an unordered database. QC oracle (as usual) Usual trick
Grover s algorithm Search in an unordered database Example: phonebook, need to find a person from a phone number Actually, something else, like hard (e.g., NP-complete) problem 0, xx aa Black box ff xx
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationStructural Evaluation by Generalized Integral Property
Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against
More informationExtended Superposed Quantum State Initialization Using Disjoint Prime Implicants
Extended Superposed Quantum State Initialization Using Disjoint Prime Implicants David Rosenbaum, Marek Perkowski Portland State University, Department of Computer Science Portland State University, Department
More informationLecture 2: From Classical to Quantum Model of Computation
CS 880: Quantum Information Processing 9/7/10 Lecture : From Classical to Quantum Model of Computation Instructor: Dieter van Melkebeek Scribe: Tyson Williams Last class we introduced two models for deterministic
More informationQuantum exhaustive key search with simplified DES as a case study
Almazrooie et al SpringerPlus (2016) 5:1494 DOI 101186/s40064-016-3159-4 RESEARCH Quantum exhaustive key search with simplified DES as a case study Open Access Mishal Almazrooie 1, Azman Samsudin 1*, Rosni
More informationLecture 12: Block ciphers
Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is
More informationIntroduction to Quantum Computing
Introduction to Quantum Computing Part II Emma Strubell http://cs.umaine.edu/~ema/quantum_tutorial.pdf April 13, 2011 Overview Outline Grover s Algorithm Quantum search A worked example Simon s algorithm
More informationIntroduction to Side Channel Analysis. Elisabeth Oswald University of Bristol
Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part
More informationarxiv: v1 [quant-ph] 5 Jul 2018
Quantum circuits for floating-point arithmetic Thomas Haener 1,3, Mathias Soeken 2, Martin Roetteler 3, and Krysta M. Svore 3 1 ETH Zürich, Zürich, Switzerland 2 EPFL, Lausanne, Switzerland 3 Microsoft,
More information2.0 Basic Elements of a Quantum Information Processor. 2.1 Classical information processing The carrier of information
QSIT09.L03 Page 1 2.0 Basic Elements of a Quantum Information Processor 2.1 Classical information processing 2.1.1 The carrier of information - binary representation of information as bits (Binary digits).
More informationC/CS/Phys C191 Quantum Gates, Universality and Solovay-Kitaev 9/25/07 Fall 2007 Lecture 9
C/CS/Phys C191 Quantum Gates, Universality and Solovay-Kitaev 9/25/07 Fall 2007 Lecture 9 1 Readings Benenti, Casati, and Strini: Quantum Gates Ch. 3.2-3.4 Universality Ch. 3.5-3.6 2 Quantum Gates Continuing
More informationPrinciples of Quantum Mechanics Pt. 2
Principles of Quantum Mechanics Pt. 2 PHYS 500 - Southern Illinois University February 9, 2017 PHYS 500 - Southern Illinois University Principles of Quantum Mechanics Pt. 2 February 9, 2017 1 / 13 The
More informationCryptography: Key Issues in Security
L. Babinkostova J. Keller B. Schreiner J. Schreiner-McGraw K. Stubbs August 1, 2014 Introduction Motivation Group Generated Questions and Notation Translation Based Ciphers Previous Results Definitions
More informationDaniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.
Quantum algorithms 1 Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction
More informationSome integral properties of Rijndael, Grøstl-512 and LANE-256
Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,
More informationAffine equivalence in the AES round function
Discrete Applied Mathematics 148 (2005) 161 170 www.elsevier.com/locate/dam Affine equivalence in the AES round function A.M. Youssef a, S.E. Tavares b a Concordia Institute for Information Systems Engineering,
More informationQuantum Phase Estimation using Multivalued Logic
Quantum Phase Estimation using Multivalued Logic Agenda Importance of Quantum Phase Estimation (QPE) QPE using binary logic QPE using MVL Performance Requirements Salient features Conclusion Introduction
More informationSymmetric Cryptography
Symmetric Cryptography Stanislav Palúch Fakula riadenia a informatiky, Žilinská univerzita 25. októbra 2017 Stanislav Palúch, Fakula riadenia a informatiky, Žilinská univerzita Symmetric Cryptography 1/54
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationReassessing Grover s Algorithm
Reassessing Grover s Algorithm Scott Fluhrer Cisco Systems, USA sfluhrer@cisco.com Abstract. We note that Grover s algorithm (and any other quantum algorithm that does a search using an oracle) does not
More informationM. Grassl, Grundlagen der Quantenfehlerkorrektur, Universität Innsbruck, WS 2007/ , Folie 127
M Grassl, Grundlagen der Quantenfehlerkorrektur, Universität Innsbruck, WS 2007/2008 2008-01-11, Folie 127 M Grassl, Grundlagen der Quantenfehlerkorrektur, Universität Innsbruck, WS 2007/2008 2008-01-11,
More informationBlock Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3
Block Ciphers Chester Rebeiro IIT Madras STINSON : chapters 3 Block Cipher K E K D Alice untrusted communication link E #%AR3Xf34^$ message encryption (ciphertext) Attack at Dawn!! D decryption Bob Attack
More informationIntroduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography
Outline CSC/ECE 574 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 CSC/ECE 574 Dr. Peng Ning 2 Secret
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationPARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM
PARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM Nabihah Ahmad Department of Electronic Engineering, Faculty of Electrical and Electronic Engineering, Universiti
More informationIs Quantum Search Practical?
DARPA Is Quantum Search Practical? George F. Viamontes Igor L. Markov John P. Hayes University of Michigan, EECS Outline Motivation Background Quantum search Practical Requirements Quantum search versus
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationarxiv: v1 [quant-ph] 27 Sep 2012
Efficient quantum circuits for binary elliptic curve arithmetic: reducingt -gate complexity arxiv:1209.6348v1 [quant-ph] 27 Sep 2012 Brittanney Amento Florida Atlantic University Department of Mathematical
More informationBoolean State Transformation
Quantum Computing Boolean State Transformation Quantum Computing 2 Boolean Gates Boolean gates transform the state of a Boolean system. Conventionally a Boolean gate is a map f : {,} n {,}, where n is
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES
CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.
More informationHigh Performance Computing techniques for attacking reduced version of AES using XL and XSL methods
Graduate Theses and Dissertations Iowa State University Capstones, Theses and Dissertations 2010 High Performance Computing techniques for attacking reduced version of AES using XL and XSL methods Elizabeth
More informationQuantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms
Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms Martin Roetteler, Michael Naehrig, Krysta M Svore, and Kristin Lauter Microsoft Research, USA Abstract We give precise quantum
More informationSecurity of the AES with a Secret S-box
Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How
More informationActively secure two-party evaluation of any quantum operation
Actively secure two-party evaluation of any quantum operation Frédéric Dupuis ETH Zürich Joint work with Louis Salvail (Université de Montréal) Jesper Buus Nielsen (Aarhus Universitet) August 23, 2012
More informationQuantum gate. Contents. Commonly used gates
Quantum gate From Wikipedia, the free encyclopedia In quantum computing and specifically the quantum circuit model of computation, a quantum gate (or quantum logic gate) is a basic quantum circuit operating
More informationarxiv: v2 [quant-ph] 1 Jun 2017
arxiv:1611.07995v2 [quant-ph] 1 Jun 2017 FACTOING USING 2n + 2 QUBITS WITH TOFFOLI BASED MODULA MULTIPLICATION THOMAS HÄNEa Station Q Quantum Architectures and Computation Group, Microsoft esearch edmond,
More informationarxiv: v3 [quant-ph] 2 Apr 2013
Exact synthesis of multiqubit Clifford+T circuits Brett Giles Department of Computer Science University of Calgary Peter Selinger Department of Mathematics and Statistics Dalhousie University arxiv:110506v3
More informationSmashing the Implementation Records of AES S-box
Smashing the Implementation Records of AES S-box Arash Reyhani-Masoleh, Mostafa Taha and Doaa Ashmawy Department of Electrical and Computer Engineering Western University, London, Ontario, Canada {areyhani,mtaha9,dashmawy}@uwo.ca
More informationIntroduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary
More informationQuantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity
Quantum Computing 1. Quantum States and Quantum Gates 2. Multiple Qubits and Entangled States 3. Quantum Gate Arrays 4. Quantum Parallelism 5. Examples of Quantum Algorithms 1. Grover s Unstructured Search
More informationInstitutionen för systemteknik
Institutionen för systemteknik Department of Electrical Engineering Examensarbete Power Analysis of the Advanced Encryption Standard Attacks and Countermeasures for 8-bit Microcontrollers Examensarbete
More informationSingle qubit + CNOT gates
Lecture 6 Universal quantum gates Single qubit + CNOT gates Single qubit and CNOT gates together can be used to implement an arbitrary twolevel unitary operation on the state space of n qubits. Suppose
More informationSome attacks against block ciphers
Some attacks against block ciphers hristina Boura École de printemps en codage et cryptographie May 19, 2016 1 / 59 Last-round attacks Outline 1 Last-round attacks 2 Higher-order differential attacks 3
More informationA Novel Synthesis Algorithm for Reversible Circuits
A Novel Synthesis Algorithm for Reversible Circuits Mehdi Saeedi, Mehdi Sedighi*, Morteza Saheb Zamani Email: {msaeedi, msedighi, szamani}@ aut.ac.ir Quantum Design Automation Lab, Computer Engineering
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationLecture 3: Constructing a Quantum Model
CS 880: Quantum Information Processing 9/9/010 Lecture 3: Constructing a Quantum Model Instructor: Dieter van Melkebeek Scribe: Brian Nixon This lecture focuses on quantum computation by contrasting it
More informationInvestigating the Complexity of Various Quantum Incrementer Circuits. Presented by: Carlos Manuel Torres Jr. Mentor: Dr.
Investigating the Complexity of Various Quantum Incrementer Circuits Presented by: Carlos Manuel Torres Jr. Mentor: Dr. Selman Hershfield Department of Physics University of Florida Gainesville, FL Abstract:
More informationA SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES
A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES MOHAMMAD MUSA, EDWARD F SCHAEFER, AND STEPHEN WEDIG Abstract In this paper, we describe a simplified version of the Rijndael
More information. Here we are using the standard inner-product over C k to define orthogonality. Recall that the inner-product of two vectors φ = i α i.
CS 94- Hilbert Spaces, Tensor Products, Quantum Gates, Bell States 1//07 Spring 007 Lecture 01 Hilbert Spaces Consider a discrete quantum system that has k distinguishable states (eg k distinct energy
More informationQuantum Computing Lecture 6. Quantum Search
Quantum Computing Lecture 6 Quantum Search Maris Ozols Grover s search problem One of the two most important algorithms in quantum computing is Grover s search algorithm (invented by Lov Grover in 1996)
More informationExample: sending one bit of information across noisy channel. Effects of the noise: flip the bit with probability p.
Lecture 20 Page 1 Lecture 20 Quantum error correction Classical error correction Modern computers: failure rate is below one error in 10 17 operations Data transmission and storage (file transfers, cell
More informationHow Often Must We Apply Syndrome Measurements?
How Often Must We Apply Syndrome Measurements? Y. S. Weinstein Quantum Information Science Group, MITRE, 200 Forrestal Rd., Princeton, NJ 08540 ABSTRACT Quantum error correction requires encoding quantum
More informationSubspace Trail Cryptanalysis and its Applications to AES
Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi 1, Christian Rechberger 1,3 and Sondre Rønjom 2,4 1 IAIK, Graz University of Technology, Austria 2 Nasjonal sikkerhetsmyndighet,
More informationBernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p
Unit 20 February 25, 2011 1 Bernoulli variables Let X be a random variable such that { 1 with probability p X = 0 with probability q = 1 p Such an X is called a Bernoulli random variable Unit 20 February
More informationQuantum parity algorithms as oracle calls, and application in Grover Database search
Abstract Quantum parity algorithms as oracle calls, and application in Grover Database search M. Z. Rashad Faculty of Computers and Information sciences, Mansoura University, Egypt Magdi_z2011@yahoo.com
More informationCS120, Quantum Cryptography, Fall 2016
CS10, Quantum Cryptography, Fall 016 Homework # due: 10:9AM, October 18th, 016 Ground rules: Your homework should be submitted to the marked bins that will be by Annenberg 41. Please format your solutions
More informationWhite Box Cryptography: Another Attempt
White Box Cryptography: Another Attempt Julien Bringer 1, Hervé Chabanne 1, and Emmanuelle Dottax 1 Sagem Défense Sécurité Abstract. At CMS 2006 Bringer et al. show how to conceal the algebraic structure
More informationLimitations on transversal gates
Limitations on transversal gates Michael Newman 1 and Yaoyun Shi 1,2 University of Michigan 1, Alibaba Group 2 February 6, 2018 Quantum fault-tolerance Quantum fault-tolerance Quantum fault-tolerance Quantum
More informationQuantum computing! quantum gates! Fisica dell Energia!
Quantum computing! quantum gates! Fisica dell Energia! What is Quantum Computing?! Calculation based on the laws of Quantum Mechanics.! Uses Quantum Mechanical Phenomena to perform operations on data.!
More information