Improvements to Quantum Search Techniques for Block-Ciphers, with Applications to AES

In this paper we demonstrate that the overheads (ancillae qubits/time/number of gates) involved with implementing quantum oracles for a generic key-recovery attack against block-ciphers using quantum search techniques can be reduced. In particular, if we require r >= 1 plaintext-ciphertext pairs to uniquely identify a user's key, then using Grover's quantum search algorithm for cryptanalysis of block-ciphers as in [2,3,9,13,18] would require a quantum circuit which requires effort (either Time x Space product or number of quantum gates) proportional to r. We demonstrate how we can reduce this by a fine-grained approach to quantum amplitude amplification [6,17] and design of the required quantum oracles. We furthermore demonstrate that this effort can be reduced to < r with respect to cryptanalysis of AES-128/192/256 and provide full quantum resource estimations for AES-128/192/256 with our methods, and code in the Q# quantum programming language that extends the work of [13].