 Research
 Open Access
 Published:
Quantum key recovery attack on SIMON32/64
Cybersecurity volume 4, Article number: 23 (2021)
Abstract
The quantum security of lightweight block ciphers is receiving more and more attention. However, the existing quantum attacks on lightweight block ciphers only focused on the quantum exhaustive search, while the quantum attacks combined with classical cryptanalysis methods haven’t been well studied. In this paper, we study quantum key recovery attack on SIMON32/64 using Quantum Amplitude Amplification algorithm in Q1 model. At first, we reanalyze the quantum circuit complexity of quantum exhaustive search on SIMON32/64. We estimate the Clifford gates count more accurately and reduce the T gate count. Also, the Tdepth and full depth is reduced due to our minor modifications. Then, using four differentials given by Biryukov in FSE 2014 as our distinguisher, we give our quantum key recovery attack on 19round SIMON32/64. We treat the two phases of key recovery attack as two QAA instances separately, and the first QAA instance consists of four subQAA instances. Then, we design the quantum circuit of these two QAA instances and estimate their corresponding quantum circuit complexity. We conclude that the quantum circuit of our quantum key recovery attack is lower than quantum exhaustive search. Our work firstly studies the quantum dedicated attack on SIMON32/64. And this is the first work to study the complexity of quantum dedicated attacks from the perspective of quantum circuit complexity, which is a more finegrained analysis of quantum dedicated attacks’ complexity.
Introduction
The devolvement of quantum computation poses a threat to classical cryptosystems. Shor’s algorithm (Shor 1994) can break the security of publickey cryptosystems based on integer factorization and discrete logarithm, which gives rise to postquantum cryptography. As for the symmetric cryptosystems, before Simon’s algorithm (Simon 1997) is applied in quantum cryptanalysis, there is only Grover’s algorithm (Grover 1997) that helps get a quadratic speedup.
Quantum cryptanalysis against block ciphers receives much attention in recent years. Following the notions for PRF security in quantum setting proposed by Zhandry et al. (Zhandry 2012), there are two security models in quantum cryptanalysis against block ciphers, called Q1 model and Q2 model by Kaplan et al. in (Kaplan et al. 2016b).
Q1 model: The adversary is only allowed to make classical online queries and do quantum offline computation.
Q2 model: The adversary is allowed to do offline quantum computation and make online quantum superposition queries. That is, the adversary could query in a superposition state to the oracle and get a superposition state as a query result.
We can observe that Q1 model is more realistic than Q2 model for the reason that it’s up to the oracle whether to allow superposition access. However, it’s still meaningful to study Q2 model to prepare for the future with highly developed quantum communication technology.
In fact, quantum cryptanalysis in Q2 model has been going on for a long time. In 2010, Kuwakado and Morii constructed a quantum distinguisher on 3round Feistel structure (Kuwakado and Morii 2010) using Simon’s algorithm in Q2 model. Then they also recovered the key of EvenMansour also using Simon’s algorithm in 2012(Kuwakado and Morii 2012). At Crypto2016, Kaplan et al. extended the result in (Kuwakado and Morii 2010; 2012) and applied Simon’s algorithm to attack a series of encryption modes and authenticated encryption such as CBCMAC, PMAC, OCB (Kaplan et al. 2016a). In Q2 model, Simon’s algorithm can be combined with Grover’s algorithm to apply in quantum cryptanalysis against block ciphers. Leander and May (2017) firstly used this idea to attack FXconstruction in Q2 model. Inspired by this work, Dong et al. (2020a) gave a quantum key recovery attack on fullround GOST also in Q2 model. Besides, BernsteinVazarani (BV) algorithm (Bernstein and Vazirani 1997) can also be applied in quantum cryptanalysis. Li and Yang (2015) proposed two methods to execute quantum differential cryptanalysis based on BV algorithm. Then, Xie and Yang extended the result in Li and Yang (2015) and present several new methods to attack block ciphers using BV algorithm (Xie and Yang 2019).
In Q1 model, it seems as if quantum cryptanalysis becomes less powerful. The most trivial quantum attack is quantum exhaustive search that defines the general security of block ciphers in quantum setting. Grassl et al. present quantum circuits to implement an exhaustive key search on AES and estimate quantum resources in Q1 model (Grassl et al. 2016). After that, there are also some other results exploring the quantum circuit design of AES (Almazrooie et al. 2018; Jaques et al. 2020; Zou et al. 2020; Langenberg et al. 2020). Besides, there are many attempts of quantum dedicated attacks combined with classical cryptanalysis methods, e.g. differential and linear cryptanalysis (Kaplan et al. 2016b), meetinthemiddle attacks (Hosoyamada and Sasaki 2018; Bonnetain et al. 2019), and rebound attacks (Hosoyamada and Sasaki 2020; Dong et al. 2020b).
The research of lightweight block ciphers has received much attention in a decade. Several lightweight primitives have been proposed by the researchers, to just name some, SIMON (Beaulieu et al. 2015), SPECK (Beaulieu et al. 2015), SKINNY (Beierle et al. 2016), PRESENT(Bogdanov et al. 2007). To prepare for the future with largescale quantum computers, it’s necessary to study the quantum security of lightweight block ciphers. There are several attempts to study the quantum generic attacks on some lightweight block ciphers (Anand et al. 2020c; Jang et al. 2020; Anand et al. 2020b). In this paper, we focus on the quantum security of SIMON. The family of SIMON algorithm (Beaulieu et al. 2015) is a lightweight block cipher proposed by NSA in 2013, which has outstanding hardware implementation performance. In classical setting, there have been many dedicated attacks aimed at SIMON. However, in quantum setting, the only quantum attack on SIMON is in Anand et al. (2020c) where Anand et al. present the quantum circuit of Grover’s algorithm on SIMON variants and give corresponding quantum resources estimate, which is a quantum generic attack. To further explore the quantum security of SIMON, we need to study the dedicated quantum attacks of SIMON. Notably, when measuring the attack complexity, the existing quantum dedicated attacks all studied the encryption complexity, while we use the quantum circuit resources cost as a measure of complexity in our study for the first time.
Attack model We consider the chosenplaintext attack to SIMON32/64 in Q1 model, where the adversary is allowed to make classical online queries of encryption oracle and can choose random message pairs with input differential Δx. To achieve such a attack, the adversary needs to implement transformation:
when given q pairs of classical plaintextciphertext pair as input. We suppose this process is efficient. Thus we can ignore the quantum resources cost of this process.
Our contribution In this paper, we study the quantum key recovery attack on SIMON32/64 using Quantum amplitude Amplification(QAA) in Q1 model. Our contributions can be summarized in the following two aspects.

1
We reanalyze the quantum circuit complexity of quantum masterkey search on SIMON32/64. On one hand, we give more accurate estimate result of Clifford gates count and reduced T gate count. We reduce the execution number of key expansion process, which brings down the number of NOT gates and CNOT gates. Besides, counting the Clifford gates decomposed by Toffoli gates into the total number of Clifford gates helped us give a more accurate estimate of Clifford gates count. And we reduce the number of T gates using the decomposition of multicontrol NOT gates with ancilla qubits. On the other hand, we give a more thorough analysis of circuits’ depth. The depth we foucs on here is the depth of such quantum circuits that only are composed of Clifford + T gates. We make some modifications to the code of implementing SIMON32/64, which reduces the Tdepth and full depth of circuits. Compared to (Anand et al. 2020c), we give a more accurate and thorough complexity analysis of \(\mathcal {QMKS}\)’s quantum circuit.

2
We present our quantum roundkey recovery attack on 19round SIMON32/64 combined with \(\mathcal {CRKR}\) in (Biryukov et al. 2014). We treat the partial key guessing phase and exhaustive search phase as two QAA instances separately and design the corresponding quantum circuit. The first QAA instance includes four subQAA instances corresponding to the four processes of key recovery using four differentials. Then we estimate the comlexity of our quantum circuits. At last, we make a a simple comparison among \(\mathcal {QMKS}\), \(\mathcal {QRKR}\) and \(\mathcal {CRKR}\). We conclude that the encryption complexity is lowest among these three attacks and the quantum circuit complexity of \(\mathcal {QRKR}\) is lower than \(\mathcal {QMKS}\). That is, we give a quantum dedicated attacks on 19round SIMON32/64 that has lower complexity than quantum generic attack both in terms of encryption complexity and quantum circuit complexity. Different from the former quantum dedicated attacks that only focused on encryption complexity, our work takes the first step of studying the quantum cirucuit complexity of quantum dedicated attacks.
Outline The rest of the paper is organized as follows. In “Preliminaries” section, we introduce the notations used in this paper and the background knowledge of SIMON block cipher, QAA algorithm and quantum circuit. In “The quantum masterkey exhaustive search attack on 19round SIMON32/64” section, we reanalyze the quantum circuit complexity of quantum exhaustive search attack on SIMON32/64. In “The quantum roundkey key recovery attack on 19round SIMON32/64” section, we describe the quantum roundkey key recovery attack on 19round SIMON32/64. In “The complexity analysis” section, we compare the complexity of our attack, quantum masterkey search attack and classical differential attack. In “Conclusion” section, we make a summary of this paper.
Preliminaries
Notations
In this section, we list the notations used in this paper in Table 1.
Brief Description of SIMON
In this section, we describe SIMON briefly. SIMON is a Feistel structure lightweight block cipher. There are many SIMON variants to adapt to different computing scenarios, the differences between which lie at block size, key size, word size and round number. The block size of SIMON is 2n bits while the key size is mn bits. We could use SIMON 2n/mn to denote all SIMON variants, where n∈{16,24,32,48,64} and m∈{2,3,4}. All the SIMON variants are summarized in Table 2.
Round function The ith iteration structure of SIMON 2n/mn is shown in Fig. 1. We can easily see that the round function of SIMON 2n/mn consists of bitwise AND, cyclic left rotation and bitwise XOR. For SIMON, f:{0,1}^{n}→{0,1}^{n} is defined as f(x)=(x⋘1)&(x⋘8)⊕(x⋘2). The round function is defined as follows:
Key schedule For rround SIMON 2n/mn, the round key SIMON is derived from primary key {K^{0},K^{1},⋯,K^{m−1}}. The specific key expansion scheme is defined as:

1.
When i=0,1,⋯,m−1, K^{i}=K^{i};

2.
When i=m,m+1,⋯,r−1, K^{i}=c⊕(z_{j})^{i−m}⊕K^{(i−m)}⊕K^{(i−m+1)}⊕(K^{(i−m+1)}⋘15)⊕(K^{(i−m+3)}⋘13)⊕(K^{(i−m+3)}⋘12);
z_{j} is a constant sequence and c=2^{n}−4. The key schedule is linear. Thus we can derive the master key from any mn independent bits of subkeys. Particularly, for SIMON32/64, as long as we get the round keys of any four adjacent rounds, the master key can be easily deduced.
Related works In classical setting, there already have been some attack results on SIMON. We make a simple summary of some attacks on SIMON32/64 in Table 3. However, in quantum setting, the only quantum attack on SIMON is the quantum exhaustive search in Anand et al. (2020c). To furthur explore the quantum security of SIMON block cipher, we study the quantum dedicated attack on SIMON32/64 in this paper. According to the analysis in "The complexity analysis", we also list the complexity of quantum generic attack and our quantum dedicated attack in Table 3 for comparison.
Brief Description of QAA algorithm
In this section, we describe QAA algorithm briefly. QAA algorithm is a natural generalization of Grover’s algorithm that searches all solutions in an unsorted database. Compared to classical algorithm, QAA algorithm can achieve quadratic speedup. According to (Brassard et al. 2002), QAA algorithm can be summarized in the following theorem.
Theorem 1
Let \(\mathcal {A}\) be any quantum algorithm that uses no measurements, and let g:{0,1}^{n}→{0,1} be any Boolean function. Let p be the initial success probability of \(\mathcal {A}\). Suppose p>0 and set \(m=\lfloor \frac {\pi }{4\theta } \rfloor \), where sin2(θ)=p. We define \(G=U_{s}U_{g}=\mathcal {A}S_{0}\mathcal {A}^{1}U_{g}\), where S_{0}=20〉〈0−I. If we compute \(G^{m} \mathcal {A}{0}\rangle \) and measure the system, the outcome is good with probability at least max(1−p,p).
The quantum circuit for QAA algorithm is displayed in Fig. 2. For simplicity, we call a search problem using QAA algorithm to settle as a QAA instance. Every iteration of a QAA instance is called QAA iteration. For a QAA instance with M solutions in N elements, we define elements that are solutions as GOOD while the elements that are not solutions as BAD. We define a function g:{0,1}^{n}→{0,1}
Based on function g, we construct an oracle U_{g}, which is defined as
The process of QAA is described as follows:

1
Apply \(\mathcal {A}\) on the initial state ψ〉=0〉, we can get \({\psi }\rangle =\mathcal {A}{0}\rangle ={GOOD}\rangle +{BAD}\rangle \).

2
Call QAA iteration \(m=\lfloor \frac {\pi }{4\theta } \rfloor \) times. In each iteration, there are two steps. The first step is to apply U_{g} to quantum state, after which we can get U_{g}ψ〉=−GOOD〉+BAD〉. The second step is to apply diffusion operator 2s〉〈s−I to ψ〉, where s〉 is the equal superposition of all elements.

3
Measure the first register and obtain one of all solutions.
We can observe that compared to the original Grover’s algorithm, the operator H is replaced by a random unitary operator \(\mathcal {A}\). We must carry out plenty of measurements to get all solutions because the output of QAA algorithm is the superposition of M solutions.
Quantum circuit
In this section, we introduce the related knowledge of quantum circuits briefly. Quantum logic gates are the foundation of quantum circuits. A quantum circuit can be seen as a sequence of quantum logic gates. In order to measure the complexity of a quantum circuit, we should consider the number of gates, and the number of qubits and the depth. When computating the depth of a quantum circuit, we also adopt the full parrellism assumption as in Jaques et al. (2020), which means a quantum circuit can apply any number of gates simultaneously so long as these gates act on disjoint sets of qubits.
The Clifford + T gate set form a set of universal quantum gates. The Clifford group is defined as the group of unitary operators that map the group of Pauli operators to itself under conjugation. The Clifford gates are then defined as elements in the Clifford group. The basic Clifford gates includes H gate, S gate and CNOT gate. However, we cannot achieve universal quantum computation only with Clifford gates. This is, nonClifford gate should be added into the gate set. And T gate is ususlly the choice to be added in. The matrix representations of Clifford + T gate set in shown in Eq.(1).
According to (Amy et al. 2013), all Clifford group operations have transversal implementations and thus are relatively simple to implement while nonClifford gates require much more sophisticated and costly techniques to implement. The surface codes, which promise higher thresholds than concatenated code schemes, also have a significantly more complicated T gate implementation than any of the Clifford group generators. As a result, it’s significant to study the number of T gate in a quantum circuit in order to measure the complexity of quantum computation. Besides, Amy et al. proposed Tdepth as a cost function of quantum circuits in Amy et al. (2013). We can observe that the research on reducing the T depth of quantum circuits has been paid more and more attention.
In classical computation, the Toffoli gate is a universal classical reversible logic gate, while for quantum computation it needs to be decomposed into Clifford + T gates for real implementation. According to (Nielsen and Chuang 2001), the decomposition of Toffoli gate is shown in Fig. 3. That is, a Toffoli gate can be decomposed into 7 T gates, 6 CNOT gates, 2 H gates and 1 S gate with Tdepth 7 and full depth 13. Then, to reduce Tdepth, Amy et al. proposed a decomposition scheme of Toffoli gate in Amy et al. (2013) with Tdepth 3 and full depth 10, shown in Fig. 4. And Amy et al. conjectured that this Tdepth is optimal for circuits without ancillas. Although Tdepth could be reduced to 1 further with ancilla qubits according to the Figure 1 in Selinger (2013), the number of CNOT gates increases much. After a overall consideration of gate counts and Tdepth of quantum circuits, we adpot the method in Fig. 4 to decompose Toffoli gate in this paper.
In QAA iterator G, there two multi controlledNOT gates. For the real implementation of QAA algorithm, we need to decompose the mutli controlledNOT gate into a series of Toffoli gates. Then we need to decompose the Toffoli gate into Clifford + T gates. According to (Nielsen and Chuang 2001), the nfold controlledNOT could be decomposed into 2n−3 Toffoli gates using n−2 ancilla qubits. We show the decomposition of nfold controlledNOT in Fig. 5. Here, we offer a concept, Toffolidepth, which is similar to Tdepth, meaning the number of stages in the circuit involving Toffoli gates. In our analysis, computing the Toffolidepth is the first step to compute the Tdepth and full depth of quantum circuits. We can observe that the Toffolidepth of Fig. 5 is 2n−3. Thus the full depth of implementing a nfold controlledNOT is 20n−30,and the Tdepth is 6n−9. It is worth noting that the depth we’re talking about refers to the depth of the quantum circuits only containing Clifford gates and T gates. This is, we need to decompose all Toffoli gates into Clifford + T gates before computing the depth of quantum circuits.
The quantum masterkey exhaustive search attack on 19round SIMON32/64
In this section, to put the comparison standard on the same scale, we reanalyze the quantum circuit complexity of \(\mathcal {QMKS}\) using QAA algorithm based on the result in Anand et al. (2020c) where Anand et al. present Grover’s search algorithm on SIMON variants and estimate the quantum resources to implement such attack.
At first, we present the quantum circuit complexity of implementing 19round SIMON32/64. From Table 3 in Anand et al. (2020c), we can easily derive the gate count of implementing 19round SIMON32/64. However, when computing the circuit depth, we got different results from (Anand et al. 2020c). Anand et al. implemented all SIMON variants in QISKIT(Koch et al. 2019). The circuit depth can be calculated using the Qiskit function. After running the code of implementing SIMON32/64 given by Anand et al. (2020c) in Anand et al. (2020a), we found that the Qiskit function computes the the depth of quantum circuit without decomposing Toffoli gate which leads to the incompleteness of the circuit depth calculation. In our estimate, Toffoli gates should be decomposed into Clifford + T gates before computing the circuit depth. Besides, we made some small modifications to the code of implementing SIMON32/64, which brought in reduction of full depth and Tdepth. We performed one operation on all bits firstly, and then performed the next operation on all bits, instead of performing all operations on each bit one by one in our modifications. We gave our modified code in (Lau I 2021). We list the quantum circuit complexity of implementing SIMON32/64 in Table. 4.
Then we reanalyze the quantum circuit complexity of \(\mathcal {QMKS}\)’s quantum circuit, shown in Fig. 6. To implement the circuit in Fig. 6, we need to implement the QAA iterator G=U_{s}U_{g}. The implementation of U_{g} is in Fig. 7, in which 3 plaintextciphertext pairs are chosen for the uniqueness of solution. The operator U_{s} consists of two 64fold Hardmard gates and one 64fold controlledNOT gate. Here, we reanlyze the quantum circuit complexity of quantum exhaustive search on SIMON32/64 from the following three points.

1
It is enough to perform key expansion in U_{g} twice, one computation and one uncomputation. In Anand et al.’s estimate, six key expansion processes for six SIMON instances were performed separately in U_{g}, which made the number of NOT gates and CNOT gates were overestimated. There are 448 NOT gates and 1792 CNOT gates during a key expansion process. It’s easy to derive that #NOT= 448×2=896. Besides, the CNOT gates come from two key expansion processes and implementation of six SIMON instances. That is, #CNOT= 28×64×2+32×32×6=9728.

2
The Clifford gates decomposed by Toffoli gates should be taken into account in resources estimate. Anand et al. ignored the Clifford gates decomposed by Toffoli gates. The Toffoli gates of quantum circuit in Fig. 6 come from implementation of SIMON and the decomposition of two multi controlledNOT gates. There are 512×6=3072 Toffoli gates in six SIMON instances. Besides, according to the decomposition of Toffoli gate in Fig. 5, 96fold controlledNOT gate in U_{g} and 64fold controlledNOT gate in U_{s} can be decomposed into 2×96−3+2×64−3=314 Toffoli gates using 94 ancilla qubits at most. So we have #ToffC= (3072+314)×7=23702, #ToffH= (3072+314)×2=6772. Anand et al. adopted the result in (Roetteler and Wiebe 2016) to estimate the number of T gates while we use Fig. 5 to estimate the number of T gates, which reduces the number of T gates via increasing the number of qubits.

3
The circuit depth estimate result should be more thorough, and the Tdepth and full depth of QAA iterator G could be reduced. We decompose the two multicontrol NOT gates in operator G into Toffoli gates, and then decompose all Toffoli gates into Clifford + T gates. We consider the circuit depth of this circuit with only Clifford + T gates. Although there are six SIMON instances in U_{g}, since three SIMON instances are executed in parallel, we only need to consider the depth of two SIMON instances. However, we found that Anand et al. counted the depth of the six SIMON instances into the total depth of G in Anand et al. (2020c), which overestimated the full depth and Tdepth of G. We estimated that the Toffolidepth of QAA iterator G is 96. Then we can easily get the full depth and Tdepth of G, as shown in the second line of Table 4. We can observe that our estimated depth are smaller than the results in Anand et al. (2020c). This is due to the slight modification we made to the circuit implementation of SIMON32/64. In addition, we didn’t ignore the depth of implementing the two multicontrol NOT gates, which makes our estimate more accurate and thorough.
Through the above analysis, we present our more accurate estimate results of QAA iterator G in Table 5. To find the master key in the key space {0,1}^{64}, we need to iterate QAA iterator G=U_{s}U_{g} for \(\lfloor \frac {\pi }{4}2^{32} \rfloor \) times. From the result in Table 5, we can easily get the quantum circuit complexity of quantum exhaustive search on SIMON32/64 in Table 6. In our estimate results, the number of Clifford gates is a little higher than that in Anand et al. (2020c) because we consider the number of Clifford gates decomposed by Toffoli gates. Besides, we reduce the number of T gates by adopting the decomposition of multi controlledNOT gate, which also increases the number of qubits. Also we reduced the Tdepth and full depth because of small modifications to the implementation of SIMON32/64. In summary, our estimate result is more accurate and detailed.
The quantum roundkey key recovery attack on 19round SIMON32/64
In this section, we describe the quantum roundkey key recovery attack on 19round SIMON32/64 and give the corresponding quantum circuit as well as its quantum resources estimate. At first, we recall the classical key recovery attack on 19round SIMON32/64 in Biryukov et al. (2014) where Biryukov et al. present four 13round differentials with which they recovered the round keys from Round16 to Round19. Then we use the four 13round differentials in Biryukov et al. (2014) as our distinguisher and apply QAA algorithm into the two phases of key recovery attack on 19round SIMON32/64. At last, we compare the complexity of our key recovery attack and exhaustive search on 19round SIMON32/64 in terms of encryption complexity and quantum resources separately.
The classical key recovery attack on SIMON 32/64
In this section, we describe the key recovery attack in Biryukov et al. (2014).
At first, we list the four 13round differentials given by Biryukov et al. as follows:
Then we add two rounds on the top and append four rounds on the bottom to carry out the key recovery attack on 19round SIMON 32/64. The input truncated differential at the beginning of Rould1 should be
Then, we describe the process of key recovery process in Biryukov et al. (2014).

1
Plaintexts Collecting: Similar to (Biryukov et al. 2014), we construct a set \(\mathcal {P}\) with 2^{23} plaintexts with 9 bits fixed. While different from (Biryukov et al. 2014), we just need one right pair. By varying some fixed bits of plaintexts in \(\mathcal {P}\) and guessing 2 bits of the round key K^{0}, we can identify 2^{28.5} pairs which satisfy the input difference Δx_{i} to Round3 for each \(\mathcal {D}_{i}\) and for each guessed two bits of K^{0}. In total we can get a set with 2^{30.5} plaintext pairs for each \(\mathcal {D}_{i}\) and there must be a right pair in this set.

2
Filtering: 2^{30.5} pairs of plaintexts is filtered by verifying the fixed 14 bits of the corresponding difference Δ^{18}. After filtering, the number of plaintext pairs can be reduced to 2^{30.5−18}=2^{12.5} for each differential.

3
Partial key guessing: For each differential, we need to recover the following 25 key bits.
$$\begin{aligned} &\mathcal{D}^{K}_{1}=\{K^{18},K^{17}[3,58,12,14],K^{16}[6]\oplus K^{17}[4],K^{16}\oplus K^{17}[2]\}\\ &\mathcal{D}_{2}^{K}=\{K^{18},K^{17}[4,69,13,15],K^{16}[7]\oplus K^{17}[5],K^{16}[5]\oplus K^{17}[3]\}\\ &\mathcal{D}_{3}^{K}=\{K^{18},K^{17}[8,1013,1,3],K^{16}[11]\oplus K^{17}[9],K^{16}[9]\oplus K^{17}[7]\}\\ &\mathcal{D}_{4}^{K}=\{K^{18},K^{17}[9,1114,2,4],K^{16}[12]\oplus K^{17}[10],K^{16}[10]\oplus K^{17}[8]\}\\ \end{aligned} $$The key recovery process of using four differentials is quite similiar. So we only describe the key recovery process using \(\mathcal {D}_{2}\). We denote all the key bits in \(\mathcal {D}^{K}_{2}\) by k_{1} and denote the input ciphertext pair by C=(L^{19},R^{19}),C^{′}=((L^{19})^{′},(R^{19})^{′}). The keys that satisfy Eq.(2) are called candidate keys.
$$ D_{k_{1}}^{4}(C)\oplus D_{k_{1}}^{4}(C^{\prime})=\Delta_{out}^{2} $$(2)Eq.(2) holds with probability 2^{−14}, which means there are 2^{25}×2^{12.5}/2^{14}=2^{23.5} plaintextkey pairs that satisfy Eq.(2). In expectation, we can get 2^{23.5} candidate keys for \(\mathcal {D}^{K}_{2}\). Then we use the other three differentials to carry out the similiar key recovery process and can get 2^{23.5} candidate keys for \(\mathcal {D}^{K}_{1},\mathcal {D}_{3}^{K},\mathcal {D}_{4}^{K}\) separately. Because there are some common bits among \(\mathcal {D}^{K}_{1},\mathcal {D}_{2}^{K},\mathcal {D}_{3}^{K},\mathcal {D}_{4}^{K}\), we can obtain (2^{23.5})^{4}/(2^{19}×2^{20}×2^{22})=2^{33} candidate keys for 39 key bits in last 3 roundkeys, i.e. \(\mathcal {D}^{c}=\{K^{18},K^{17}[115],K^{16}[6]\oplus K^{17}[4],K^{16}\oplus K^{17}[2],K^{17}[4,69,13,15],K^{16}[7]\oplus K^{17}[5],K^{16}[5]\oplus K^{17}[3],K^{16}[11] \oplus K^{17}[9],K^{16}[9]\oplus K^{17}[7],K^{16}[12]\oplus K^{17}[10], K^{16}[10]\oplus K^{17}[8]\}\). For simplicity, we denote the 39 key bits by \(k_{1}^{\prime }\).

4
Exhaustive search: We randomly pick two plaintexts m_{1},m_{2} and get its corresponding ciphertext c_{1},c_{2}. We run an exhaustive search on 2^{33} candidate keys for 39 key bits in \(\mathcal {D}^{c}\) denoted by \(k_{1}^{\prime }\) and 2^{25} remaining 25 key bits denoted by k_{2} to get the unique and correct key that satisfies \(E_{k_{1}^{\prime }k_{2}}(m_{1})=c_{1} \land E_{k_{1}^{\prime }k_{2}}(m_{2})=c_{2}\).
The quantum partial key guessing phase in \(\mathcal {QRKR}\)
In this section, we give the quantum circuit of Step 3 and the corresponding quantum resources estimate. We consider Q1 model as our attack model where both Step 1 and Step 2 are classical processes. Thus to design the quantum circuit of quantum key recovery, we only need to regard Step 3 and Step 4 as two QAA instances separately.
In Step 3, four differentials are used to get candidate keys for 39 key bits in \(\mathcal {D}_{c}\). So the QAA instance of Step 3 is actually the combination of four subQAA instances corresponding to the four processes of partial key guessing using four differentials. The input of every subQAA instance is 2^{25} partial keys and 2^{12.5} plaintext pairs, while the output is a superposition state of 2^{23.5} plaintextkey pairs. We need to design quantum circuit for each subQAA instance. Once we have the quantum circuit of one subQAA instance using one differential, we can easily design the other three quantum circuits for the other three subQAA instances because the four key recovery processes using four differentials are quite similar. Besides, after our analysis, the cost of these four quantum circuits are totally the same. Thus here we only provide the quantum circuit of key recovery process using \(\mathcal {D}_{2}\).
Our subQAA instance searches the keyplaintext pairs that satisfy Eq. (2). The quantum circuit of this subQAA instance is in Fig. 8. To achieve our attack, we need to implement two operators C_{1} and C_{2} when given classical tuples (m_{i},E(m_{i}),E(m_{i}⊕Δx_{2})),i=1,⋯,2^{12.5}. The operator C_{1} is defined as \(C_{1}{0}\rangle =\sum _{i=1}^{2^{12.5}}{m_{i}}\rangle \). And the operator C_{2} is defined as \(C_{2}\sum _{i=1}^{2^{12.5}}{m_{i}}\rangle {0}\rangle {0}\rangle =\sum _{i=1}^{2^{12.5}}{m_{i}}\rangle {E(m_{i})\rangle }{E(m_{i}\oplus \Delta {x_{2}})}\rangle \). We suppose the implementation of operator C_{1} and C_{2} is efficient so that the cost of operator C_{1} and C_{2} can be ignored. To implement the quantum circuit in Fig. 8, we need to implement U_{g} and U_{s} separately. The main cost of operator U_{s} comes from one 57fold controlledNOT gate. The main cost of operator U_{g} comes from the computation of h and one 32fold controlledNOT gate. The operator h corresponds to the process of computing Δ^{15} from given ciphertext pairs, denoted by (E(m),E(m⊕Δx_{2})) and 25 key bits in \(\mathcal {D}^{K}_{2}\), denoted by k_{1}.
Here, we describe the implementation of U_{g}. At first, we define a function h as follows.
Then we define a function g as follows based on h.
Naturally, the operator U_{g} is defined as follows:
Next, we describe the computation process of h. We denote the input ciphertext pair by E(m)=(L^{19},R^{19}),E(m⊕Δx_{2})=((L^{19})^{′},(R^{19})^{′}). The computation process to get Δ^{15} using \(\mathcal {D}_{2}\) is as follows:

1.
From the given ciphertext pair, we can easily get Δ^{19}=(L^{19}⊕(L^{19})^{′},R^{19}⊕(R^{19})^{′}).

2.
With guessed 16 bits of K^{18}, we can get L^{18}=L^{19},R^{18}=f(L^{18})⊕K^{18}⊕R^{19} and Δ^{18}=(L^{18}⊕(L^{18})^{′},R^{18}⊕(R^{18})^{′}).

3.
On one hand, we compute Δ^{17} in Eq.(3).
$$ {}\left\{\!\!\! \begin{array}{ll} \Delta L^{17}=\Delta R^{18}, \\ \Delta R^{17}[i]\,=\,\Delta And^{17}[\!i]\oplus \Delta Rot^{17}[i], &\!\!\! i=0,1,2,4,6,8,9,15\\ \begin{aligned} \Delta R^{17}[3]&=L^{17}[11]\oplus \Delta Rot^{17}[3]\\&=(L^{17})^{\prime}[11]\oplus \Delta Rot^{17}[3] \end{aligned} \\ \begin{aligned} \Delta R^{17}[10]&=L^{17}[9]\oplus \Delta Rot^{17}[10]\\&=(L^{17})^{\prime}[9]\oplus \Delta Rot^{17}[10] \end{aligned} \\ \end{array} \right. $$(3)On the other hand, we can get R^{16}[4,6−9,13,15] and (R^{16})^{′}[4,6−9,13,15] with guessed K^{17}[4,6−9,13,15] for the computation in the following Step.

4.
On one hand, we compute Δ^{16} in Eq.(4).
$$ {}\left\{ \begin{array}{ll} \Delta L^{16}=\Delta R^{17} \\ \Delta R^{16}[i]=\Delta And^{16}[i],\quad \quad &i=0,7,14\\ \begin{aligned} \Delta R^{16}[1]&=L^{16}[9]\oplus \Delta Rot^{16}[1]\\&=(L^{16})^{\prime}[11]\oplus \Delta Rot^{16}[1] \end{aligned} \\ \Delta R^{16}[2]=\Delta Rot^{16}[2]\\ \begin{aligned} \Delta R^{16}[8]&=L^{16}[7]\oplus \Delta Rot^{16}[8]\\ &=(L^{16})^{\prime}[7]\oplus \Delta Rot^{16}[8] \end{aligned} \\ \end{array} \right. $$(4)On the other hand, we compute the R^{15}[7] and \(\phantom {\dot {i}\!}(R^{15})^{'}[5]\) with guessed K^{16}[7]⊕K^{17}[5],K^{16}[5]⊕K^{17}[3].

5.
We compute Δ^{15} in Eq.(5).
$$ \left\{ \begin{array}{ll} \Delta L^{15}=\Delta R^{16},\\ \Delta R^{15}[0]=\Delta L^{15}[14]\\ \Delta R^{15}[15]=L^{15}[7]=(L^{15})^{\prime}[7]\\ \Delta R^{15}[6]=L^{15}[5]=(L^{15})^{\prime}[5]\\ \end{array} \right. $$(5)
According to the above process, we provide our quantum circuit of h in Fig. 9. After a simple analysis of the circuit, we can easily get there are 232 CNOT gates and 60 Toffoli gates in the implementation of h. As for the circuit depth, the total depth of h is 99 and the Tdepth of h is 24.
Having the quantum circuit of h, we could easily estimate the cost of quantum partial key guessing using differential \(\mathcal {D}_{2}\) in Table 7. Following the same process, we can easily design the quantum circuit of the other three subQAA instances using \(\mathcal {D}_{1},\mathcal {D}_{3},\mathcal {D}_{4}\) separately. And the cost of other three subQAA instances can also be seen in Table 7.
At last, we describe our method of generating candidate keys. Our defined subQAA instance of Step 3 outputs a superposition state of 2^{23.5} plaintextkey pair that satisfies Eq. (2) among 2^{12.5} plaintext pairs and 2^{25} partial keys after \(\lfloor \frac {\pi }{4}\sqrt {2^{14}}\rfloor \) iterations. To get candidate keys, we measure the key register many times. The probability of measuring right partial key is 2^{−23.5}. That is, we expect that we can get the right partial key after running this subQAA instance for 2^{23.5} times. And in expectation, we can get \(2^{23.5}[1(1\frac {1}{2^{23.5}})^{23.5}]\approx 2^{22.8}\) different candidate keys for 25 key bits in \(\mathcal {D}^{K}_{2}\) from 2^{23.5} measurements. After combining the results of the other three subQAA instances, we can get (2^{22.8})^{4}/(2^{19}×2^{20}×2^{22})=2^{30.2} candidate keys for 39 key bits in \(\mathcal {D}^{c}\). Despite that the cost of the process is a little high, we failed to find more efficient ways to get all candidate keys. Actually, Kaplen et al. also adopted a similar method to generate all candidate keys by measuring the key register for many times in Kaplan et al. (2016b). However, in their method, they ensured that the new gotten candidate key was different from the ones gotten before by excluding the keys that had been gotten in the QAA oracle. To implement their method using quantum circuit, a sequence of multi controlledNOT gates need to be added in QAA oracle. That is, for every run, we need to design a new quantum circuit, which would greatly increase the quantum resources. Besides, the number of iteration increases with the increase of the number of elements needed to be excluded, which makes their encryption complexity also high. In our method, despite that we need to measure many times, we do not need to design a new quantum circuit in each run, which saves quantum resources.
Remark 1
We consider a practical model, Q1 model. In Fig. 8, the operator C_{1} achieves the process of preparing a superposition of 2^{12.5} classical plaintexts m_{i},i=1,2,⋯,2^{12.5}. And the operator C_{2} achieves the process of preparing a superposition of 2^{12.5} classical tuples (m_{i},E(m_{i}),E(m_{i}⊕Δx_{2})). Actually, it’s not known whether there exists such operators that could achieve such transformation, the difficulty of which is equal to preparing the superposition of random states. The choice of classical tuples may influence the efficiency of operator C_{1} and C_{2}. If there are structures in the classical tuples, it may be efficient to get the target superposition state.
The quantum exhaustive key search phase in \(\mathcal {QRKR}\)
In this section, we give the quantum circuit of Step 4 and estimate its quantum resources.
We define another QAA instance in search space of 2^{30.2} candidate keys for 39 key bits in \(\mathcal {D}^{c}\) denoted by \(k_{1}^{\prime }\) and 2^{25} remaining 25 key bits denoted by k_{2}. According to (Jaques et al. 2020), we need to choose two plaintexts m_{1},m_{2} and get their corresponding ciphertexts c_{1},c_{2} in QAA oracle to ensure the uniqueness of solution. The quantum circuit of Step 4 is in Fig. 10. The C operator is a creation operator, which creates the superposition state of 2^{30.2} candidate keys for 39 key bits in \(\mathcal {D}^{c}\) from the allzero state, which is defined as \(C{0}\rangle =\sum _{i=1}^{i=2^{30.2}}{(k_{1}^{\prime })^{i}}\rangle \). As previously assumed, we also assume that this process is efficient so that the cost of operator C could be ignored. Then, we need to implement the quantum circuit of U_{g} and U_{s} separately. The main cost of U_{s} is one 64fold controlledNOT gate. The main cost of U_{g} is four SIMON instances, and the circuit of U_{g} is shown in Fig. 11.
At first, we define a function h as follows, which corresponds to the encryption process of m_{1},m_{2} with given \(k_{1}^{\prime }k_{2}\).
Then based on h, we define a function g as follows:
Naturally, the operator U_{g} is defined as follows:
We need to iterate the QAA operator G=U_{s}U_{g} for \(\lfloor \frac {\pi }{4}\sqrt {2^{55.2}}\rfloor \) times. We can easily deduce the cost of Step 4 in Table 8.
The complexity analysis
Our research is related to three attacks, \(\mathcal {QMKS}\), \(\mathcal {QRKR}\), \(\mathcal {CRKR}\). In this section, we compare the complexity of these three attacks. On one hand, we compare the encryption complexity and data complexity of \(\mathcal {QMKS}\), \(\mathcal {QRKR}\) and \(\mathcal {CRKR}\). On the other hand, we compare the quantum circuit complexity of \(\mathcal {QMKS}\) and \(\mathcal {QRKR}\).
Encryption complexity and data complexity comparison
In this section, we compare the complexity of \(\mathcal {QMKS}\), \(\mathcal {QRKR}\) and \(\mathcal {CRKR}\) in terms of encryption complexity and data complexity.
In \(\mathcal {QMKS}\), to recover the master key, we need to carry out \(\lfloor \frac {\pi }{4}2^{32}\rfloor \times \frac {19}{32}\times 6\approx 2^{33.5}\) encryptions, where 6 represents six SIMON instances in one QAA iteration. In our \(\mathcal {QRKR}\), \(4\times 2^{23.5}\times \lfloor \frac {\pi }{4}2^{\sqrt {14}}\rfloor \times \frac {4}{19}\times 2 + \lfloor \frac {\pi }{4}2^{\sqrt {55.2}}\rfloor \times 4 \approx 2^{31.3}\) encryptions are needed. In the first term, 4 represents four subQAA instances using four differentials, and \(\frac {4}{19}\) represents the complexity of 4round decryption. In the second term, 4 represents four SIMON instances. On the whole, the encryption complexity of \(\mathcal {QRKR}\) is slightly lower than \(\mathcal {QMKS}\). Besides, the encryption complexity of \(\mathcal {CRKR}\) is 2^{34} from Table 3. That is, the encryption complexity of \(\mathcal {QRKR}\) is also lower than \(\mathcal {CRKR}\). We can observe that the main encryption complexity comes from Step 3, generating candidate keys. As a result, if the complexity of Step 3 could be reduced further, \(\mathcal {QRKR}\) could achieve much lower encryption complexity.
Although the data complexity isn’t our focus, we still offer the comparison here for completeness. In \(\mathcal {QMKS}\), 3 plaintexts are enough for the uniqueness of solution. In \(\mathcal {CRKR}\), the data complexity is 2^{31} to get 4 right pairs in expectation. However, in our \(\mathcal {QRKR}\), we only need to get one right pair in expectation. So the data complexity of \(\mathcal {QRKR}\) is 2^{30}. That is, the data complexity of \(\mathcal {QRKR}\) is lower than \(\mathcal {CRKR}\).
Quantum circuit complexity comparison
In this section, we compare the complexity of \(\mathcal {QMKS}\) and \(\mathcal {QRKR}\) in terms of quantum circuit complexity.
We need to run four subQAA instances in Step 3. So multiplying the gate count in Table 7 by 4, we can get the quantum resources of Step 3 in the second line of Table 9. And the cost of Step 4 is listed in the third line of Table 9. From Table 9, we can observe that the cost of Step 3 in \(\mathcal {QRKR}\) is far lower than that of Step 4 so that it can be omitted. The main cost of \(\mathcal {QRKR}\) comes from Step 4 and it is lower than that of \(\mathcal {QMKS}\). Thus we have that the quantum circuit complexity of \(\mathcal {QRKR}\) is lower than that of \(\mathcal {QMKS}\).
In summary, we gain a quantum dedicated attack that has lower encryption complexity and quantum circuit complexity than quantum generic attack on SIMON32/64. Besides, both the encryption complexity and data complexity of our attack are lower than the classical keyrecovery attack in (Biryukov et al. 2014). However, we find it’s not a big complexity gap between our attack and exhaustive search in quantum setting due to the big complexity of generating candidate keys.
Conclusion
In this paper, we studied the quantum key recovery attack on SIMON32/64 using QAA algorithm in Q1 model. We reanalyzed the quantum circuit complexity of quantum exhaustive search on SIMON32/64 and firstly offered a quantum dedicated attacks on SIMON32/64. And our work studied quantum dedicated attacks from the perspective of quantum circuit complexity for the first time, which can provide a research basis for performing real attacks on quantum computers in the future. On one hand, we gave more accurate estimate results of the quantum circuit complexity of quantum exhaustive search on SIMON32/64 than the results in (Anand et al. 2020c). We considered the number of Clifford gates more comprehensively and reduced the number of T gates. And we reduced the Tdepth and full depth via small modifications. On the other hand, using the four differentials in (Biryukov et al. 2014) as our differential distinguisher, we gave our quantum key recovery attack on 19round SIMON32/64. We treated the two phases of key recovery attack as two QAA instances separately and gave their corresponding quantum circuits, as well as quantum circuit complexity analysis separately. And the first QAA instance is composed of four subQAA instances corresponding to four differentials. At last, we compare the complexity of our quantum key recovery attack, quantum exhaustive search attack and classical key recovery attack. We found our attack has lowest encryption complexity and the quantum circuit complexity of our attack is lower than quantum exhaustive search attck. However, we used the method of measuring many times to generate all the candidate keys and failed to find a better way to generate candidate keys, which is the bottleneck of reducing complexity. In the following work, we may try to combine other key recovery techniques with our quantum dedicated attack, such as the dynamic keyguessing techniques proposed by Wang et al. (Wang et al. 2018). Besides, more efforts should be made to study how to reduce the complexity of generating candidate keys. Further, we could investigate the physical feasibility of our attack by considering the decoherence time of quantum computers and the time of CNOT operation because the twoqubit operation takes a longer time than singlequbit operations.
Availability of data and materials
All data and materials are included in this article.
Declarations
References
Abed, F, List E, Lucks S, Wenzel J (2014). International Workshop on Fast Software Encryption. https://doi.org/10.1109/access.2019.2894337.
Almazrooie, M, Samsudin A, Abdullah R, Mutter KN (2018) Quantum reversible circuit of aes128. Quantum Inform Process 17:112.
Amy, M, Maslov D, Mosca M, Roetteler M (2013) A meetinthemiddle algorithm for fast synthesis of depthoptimal quantum circuits. IEEE Trans ComputAided Des Integr Circ Syst 32:818–830.
Anand, R, Maitra A, Mukhopadhyay S (2020a). https://github.com/raviro/quantsimon. Accessed 05 March 2021.
Anand, R, Maitra A, Mukhopadhyay S (2020b) Evaluation of quantum cryptanalysis on speck. International Conference on Cryptology in India. https://doi.org/10.1007/9783030652777_18.
Anand, R, Maitra A, Mukhopadhyay S (2020c) Grover on simon. arXiv preprint arXiv:200410686.
Beaulieu, R, Shors D, Smith J, TreatmanClark S, Weeks B, Wingers L (2015) Simon and speck: Block ciphers for the internet of things. IACR Cryptol ePrint Arch 2015:585.
Beierle, C, Jean J, Kölbl S, Leander G, Moradi A, Peyrin T, Sasaki Y, Sasdrich P, Sim SM (2016) The skinny family of block ciphers and its lowlatency variant mantis In: Annual International Cryptology Conference, 123–153. https://doi.org/10.1007/9783662530085_5.
Bernstein, E, Vazirani U (1997) Quantum complexity theory. SIAM J Comput 26(5):1411–1473.
Biryukov, A, Roy A, Velichkov V (2014) Differential analysis of block ciphers simon and speck, 546–570.. International Workshop on Fast Software Encryption. https://doi.org/10.1007/9783662467060_28.
Bogdanov, A, Knudsen LR, Leander G, Paar C, Poschmann A, Robshaw MJ, Seurin Y, Vikkelsoe C (2007) Present: An ultralightweight block cipher, 450–466.. Springer, Berlin.
Bonnetain, X, NayaPlasencia M, Schrottenloher A (2019) Quantum security analysis of AES. IACR Trans Symmetric Cryptol:55–93. https://doi.org/10.46586/tosc.v2019.i2.5593.
Brassard, G, Hoyer P, Mosca M, Tapp A (2002) Quantum amplitude amplification and estimation. Contemp Math 305:53–74.
Chen, H, Wang X (2016) Improved linear hull attack on roundreduced simon with dynamic keyguessing techniques In: International Conference on Fast Software Encryption, 428–449.. Springer, Berlin.
Chu, Z, Chen H, Wang X, Dong X, Li L (2018) Improved integral attacks on simon32 and simon48 with dynamic keyguessing techniques. Secur Commun Netw:2018. https://doi.org/10.1155/2018/5160237.
Dong, X, Dong B, Wang X (2020a) Quantum attacks on some feistel block ciphers. Designs. Codes Crypt 88:1–25.
Dong, X, Sun S, Shi D, Gao F, Wang X, Hu L (2020b) Quantum collision attacks on aeslike hashing with low quantum random access memories In: International Conference on the Theory and Application of Cryptology and Information Security, 727–757.. Springer. https://doi.org/10.1007/9783030648343_25.
Grassl, M, Langenberg B, Roetteler M, Steinwandt R (2016) Applying grover’s algorithm to AES: quantum resource estimates. PostQuantum Cryptography. https://doi.org/10.1007/9783319293608_3.
Grover, LK (1997) Quantum mechanics helps in searching for a needle in a haystack. Phys Rev Lett 79:325.
Hosoyamada, A, Sasaki Y (2018) Quantum demiricselçuk meetinthemiddle attacks: applications to 6round generic feistel constructions In: International Conference on Security and Cryptography for Networks, 386–403.. Springer, Cham.
Hosoyamada, A, Sasaki Y (2020) Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, 249–279.. Springer.
Jang, K, Choi S, Kwon H, Kim H, Park J, Seo H (2020) Grover on korean block ciphers. Appl Sci 10:6407.
Jaques, S, Naehrig M, Roetteler M, Virdia F (2020) Implementing grover oracles for quantum key search on AES and lowmc In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, 280–310. https://doi.org/10.1007/9783030457242_10.
Kaplan, M, Leurent G, Leverrier A, NayaPlasencia M (2016a) Breaking symmetric cryptosystems using quantum period finding In: Annual International Cryptology Conference, 207–237. https://doi.org/10.1007/9783662530085_8.
Kaplan, M, Leurent G, Leverrier A, NayaPlasencia M (2016b) Quantum differential and linear cryptanalysis. IACR Trans Symmetric Cryptol:71–94. https://doi.org/10.46586/tosc.v2016.i1.7194.
Koch, D, Wessing L, Alsing PM (2019) Introduction to coding quantum algorithms: A tutorial series using pyquil. arXiv preprint arXiv:190305195.
Kuwakado, H, Morii M (2010) Quantum distinguisher between the 3round feistel cipher and the random permutation In: 2010 IEEE International Symposium on Information Theory, 2682–2685. https://doi.org/10.1109/isit.2010.5513654.
Kuwakado, H, Morii M (2012) Security on the quantumtype evenmansour cipher In: 2012 International Symposium on Information Theory and its Applications, 312–316.. IEEE, New York.
Langenberg, B, Pham H, Steinwandt R (2020) Reducing the cost of implementing the advanced encryption standard as a quantum circuit. IEEE Trans Quantum Eng 1:1–12.
Lau I (2021). https://github.com/aliceQuantum/SIMONQ. Accessed 05 March 2021.
Leander, G, May A (2017) Grover meets simon–quantumly attacking the fxconstruction In: International Conference on the Theory and Application of Cryptology and Information Security, 161–178.. Springer, Cham.
Li, H, Yang L (2015) Quantum differential cryptanalysis to the block ciphers In: International Conference on Applications and Techniques in Information Security, 44–51. https://doi.org/10.1007/9783662486832_5.
Nielsen, MA, Chuang IL (2001) Quantum computation and quantum information. Phys Today 54(2):60.
Roetteler, M, Wiebe N (2016) Quantum arithmetic and numerical analysis using repeatuntilsuccess circuits. Quantum Inform Comput 16:134–178.
Selinger, P (2013) Quantum circuits of tdepth one. Phys Rev A 87(4):042,302.
Shi, D, Hu L, Sun S, Song L, Qiao K, Ma X (2017). Improved linear (hull) cryptanalysis of roundreduced versions of simon. ence China(Information ences) 60(3):1–3.
Shor, PW (1994) Algorithms for quantum computation: discrete logarithms and factoring In: Proceedings 35th annual symposium on foundations of computer science, 124–134. https://doi.org/10.1109/sfcs.1994.365700.
Simon, DR (1997) On the power of quantum computation. SIAM J Comput 26:1474–1483.
Sun, L, Fu K, Wang M (2015) Improved zerocorrelation cryptanalysis on simon In: International Conference on Information Security and Cryptology, 125–143.. Springer. https://doi.org/10.1007/9783319388984_8.
Wang, N, Wang X, Jia K, Zhao J (2018) Differential attacks on reduced simon versions with dynamic keyguessing techniques. Sci China Inform Sci 61:098,103.
Wang, Q, Liu Z, Varıcı K, Sasaki Y, Rijmen V, Todo Y (2014) Cryptanalysis of reducedround simon32 and simon48 In: International Conference on Cryptology in India, 143–160. https://doi.org/10.1007/9783319130392_9.
Xie, H, Yang L (2019) Using bernstein–vazirani algorithm to attack block ciphers. Designs. Codes Crypt 87:1161–1182.
Zhandry, M (2012) How to construct quantum random functions In: 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, 679–687. https://doi.org/10.1109/focs.2012.37.
Zou, J, Wei Z, Sun S, Liu X, Wu W (2020) Quantum circuit implementations of AES with fewer qubits In: International Conference on the Theory and Application of Cryptology and Information Security, 697–726.. Springer. https://doi.org/10.1007/9783030648343_24.
Acknowledgements
Not applicable.
Funding
This work was supported by National Natural Science Foundation of China (Grant No. 61672517), National Natural Foundation of China (Key program, Grant No. 61732021), National Cyrptography Development Fund (Grant No. MMJJ20170108) and Beijing Municipal Science & Technology Commission (Grant No. Z191100007119006).
Author information
Affiliations
Contributions
This work was done by Hui Liu under the supervision of Prof. Li Yang. The initial idea of measuring quantum attack complexity from quantum resources cost was proposed Yang. Liu developed the original idea and implemented an attack in this paper. The calculations and drawing work were done by Liu. Yang offered some meaningful guidance and modifications. The author(s) read and approved the final mauscript.
Corresponding author
Ethics declarations
Competing interests
Not applicable.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Liu, H., Yang, L. Quantum key recovery attack on SIMON32/64. Cybersecur 4, 23 (2021). https://doi.org/10.1186/s42400021000893
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s42400021000893
Keywords
 Quantum cryptanalysis
 Lightweight block ciphers
 Quantum amplitude amplification
 Differential cryptanalysis
 Key recovery attack
 SIMON32/64