Quantum exhaustive key search with simplifiedDES as a case study
 Mishal Almazrooie^{1},
 Azman Samsudin^{1}Email author,
 Rosni Abdullah^{1} and
 Kussay N. Mutter^{2}
Received: 17 May 2016
Accepted: 25 August 2016
Published: 6 September 2016
Abstract
To evaluate the security of a symmetric cryptosystem against any quantum attack, the symmetric algorithm must be first implemented on a quantum platform. In this study, a quantum implementation of a classical block cipher is presented. A quantum circuit for a classical block cipher of a polynomial size of quantum gates is proposed. The entire work has been tested on a quantum mechanics simulator called libquantum. First, the functionality of the proposed quantum cipher is verified and the experimental results are compared with those of the original classical version. Then, quantum attacks are conducted by using Grover’s algorithm to recover the secret key. The proposed quantum cipher is used as a black box for the quantum search. The quantum oracle is then queried over the produced ciphertext to mark the quantum state, which consists of plaintext and key qubits. The experimental results show that for a key of nbit size and key space of N such that \(N=2^n\), the key can be recovered in \(\mathcal {O} \left(\frac{\pi }{4}\sqrt{N} \right)\) computational steps.
Keywords
Background
Information security heavily relies on modern cryptography. Most of the cryptographic algorithms are designed to be resistant against attacks. Asymmetric cryptography or publickey cryptography is one of the cryptographic primitives based on computationally hard problems. For instance, the RSA algorithm (Rivest et al. 1978) in asymmetric cryptography, a large integer number N of more than 300 digits is given, and the task is to factorize N to its product of two big prime numbers p and q. This computationally hard problem, which RSA is based on, is called factoring problem, which protects the system from attacks by adversaries. Using General Number Field Sieve (GNFS) algorithm in asymptotic time of \(\mathcal {O} \left(exp \left(\left(\frac{64}{9}b \right)^\frac{1}{2}(\log b)^\frac{2}{3} \right)\right)\) (Wiener 1990), that can factor large integers, is the most efficient attack on a classical computer. Although asymmetric cryptosystems that are based on hard problems have been proven secure, they are not efficient for the use in realtime encryption of large messages. Thus, one of the main uses of RSA is to distribute the secret key shared by two parties that are communicating in a secure channel; in this task, the second primitive of cryptography (symmetric cryptography or privatekey cryptography) performs the realtime encryption.
In symmetric cryptography, when the symmetric cryptosystem exhibits a good randomness level and the exhaustive search for the secret key is the only attack that can break the cryptosystem, the hardness or strength of the cryptosystem is determined by the size of the encryption key. A key with n bits size has \(2^n\) possibilities of keys and therefore \(\mathcal {O}(2^n)\) steps are needed to try all of these possibilities. For example, \(2^{128}\) operations are required to try all the possibilities of a 128bit key, which cannot be achieved using conventional or classical computing techniques. Advanced Encryption Standard (AES; Stallings 2002) and Data Encryption Standard (DES; Coppersmith et al. 1997) are wellknown symmetric cryptographic algorithms.
Asymmetric and symmetric cryptography are believed to be secure against any attack using classical computers. Unfortunately, this view is no longer valid in the present of the quantum mechanics where the calculations are performed based on the behavior of particles at subatomic levels. Thus, quantum computing poses threats to asymmetric and symmetric cryptography. Regarding asymmetric cryptography, in the presence of scalable quantum computers, the cryptographic algorithm based on the factoring problem would be completely jeopardized (Shor 1997). Various studies have been published on quantum number factorization (Lanyon et al. 2007; Markov and Saeedi 2013; MartínLópez et al. 2012; Lucero et al. 2012). Consequently, other alternative solutions besides the factoring problem are investigated, such as codebased cryptography and latticebased cryptography (Bernstein et al. 2008). Moreover, some solutions to the key distribution problem have come from quantum mechanics and opened the field of quantum cryptography (Nicolas et al. 2002; Cláudio and Viana 2010; Mihara 2007; Jeong and Kim 2015).
In the scope of this study concerning symmetric cryptography, the situation remains doubtful compared with the clear impact of quantum computing on asymmetric cryptography. The only known and clear quantum threat to symmetric algorithms is that the exhaustive key search can be performed more efficiently on the quantum platform with quadratic speedup using Grover’s algorithm (Grover 1996). However, the quantum exhaustive search attack cannot be applied unless the symmetric algorithm is implemented on the quantum platform. Few studies have been published on quantum symmetric cryptanalysis whereas a large number of studies has focused on asymmetric cryptography.
One of the first papers on quantum cryptanalysis of block ciphers is by Akihiro (2000), who discussed the effect of Grover’s algorithm when used to recover the secret key of block ciphers based on the assumption that the block cipher was already implemented on quantum and used the block cipher as a black box for Grover’s algorithm. The researchers discussed that the security of a block cipher could be evaluated by using Prassarad, Høyer, and Tapp’s quantum algorithm (Brassard et al. 1998).
Roetteler et al. (2015) published a note on quantumrelated key attacks based on three assumptions: the secret key can be found with a small number of plaintext/ciphertext pairs, the block cipher can be implemented efficiently as a quantum circuit, and the related keys can be queried in superpositions. The researchers stated that even though the attack is powerful, it is unlikely to pose a practical threat because of the difficulties in querying the secret keys in superpositions.
In quantum asymmetric cryptanalysis such as RSA, when factoring an integer number N into its two prime numbers p and q, implementing the RSA algorithm on a quantum platform is unnecessary. By contrast, when applying a quantum attack on a symmetric cipher to determine the secret key, the cipher algorithm must be first implemented on a quantum platform. We claim that this is one of the main reasons for the small number of published papers on quantum symmetric cryptography compared with asymmetric cryptography. Moreover, the few published studies are based on the assumption that the symmetric cryptosystem algorithm is implemented efficiently on a quantum platform. In this study, a quantum circuit for a classical symmetric cryptosystem is introduced.
This paper is organized as follows: the simplifiedDES cryptosystem is introduced in second section. A preview on Grover’s algorithm is presented on third section. The proposed quantum circuit is explained in detail in fourth section. The complexity analysis is conducted in fifth section. The experimental results are presented and discussed in sixth section. Finally, seventh section provides the conclusion and suggestions for future research.
SimplifiedDES
SimplifiedDES (SDES) is a simple version of the wellknown cipher DES developed by Schaefer (1996). With small parameters, SDES has similar properties and structure to DES (Stallings 2010). The small structure of SDES represents accurately the structure of the original DES. Subsequently, SDES is a good case study to represent Feistel class block ciphers. It is highly likely that if SDES can be coded into a quantum circuit, then a good number of Feistel class block ciphers can be coded into quantum circuit as well. The SDES algorithm consists of key generation and encryption function \(f_k\) as shown in Fig. 1.
Grover’s algorithm
This section presents a view of quantum bits (qubits) and the quantum search algorithm (Grover’s algorithm). As a reference, quantum information and unitary transformation are discussed in quantum computing introductory books such as David Mermin (2007).
Problem definition
SDES quantum circuit
Initial permutation and expansion
First subkey generation and key mixing
The quantum substitution boxes
The quantum Sboxes (QSboxes) are the most complicated parts of the entire circuit of QSDES and they require a larger number of quantum gates. The quantum gates are still considered to be a polynomial circuits, as discussed in the complexity analysis section. In general, Sboxes are essential components in symmetric algorithm because they satisfy the Shannon property of confusion (Shannon 1949). The confusion property hides the relation between the secret key and the ciphertext; this property has to be achieved even in the quantum platform when the key is in a superposition.
The Sboxes can be categorized into two types: statistically defined Sboxes and dynamically keydependent generated Sboxes. Moreover, the statistically defined Sboxes can be generated dynamically by different methods such as hand crafted, mathematically generated data dependent, etc. (Stallings 2002). Concerning memory space, the Sboxes can be generated dynamically at the run time or can be predefined statistically. Conversely, the keydependent dynamically generated Sboxes, such as Blowfish (Schneier 1993) and Twofish (Schneier et al. 1999) ciphers, as well as the elements of the Sboxes, continue changing in accordance with the secret key.
QS_{0} lookup table
Input  0010  0111  1000  0000  0101  1011  1100  0011  0110  1010  1111  0001  0100  1001  1101  1110 
Output  00  00  00  01  01  01  01  10  10  10  10  11  11  11  11  11 
XORing the right half of the plaintext
The output four qubits from QS_{0} and QS_{1} are permuted through P4 as in the original classical algorithm. The output after the quantum permutation of P4, is XORed with the right half of the plaintext by using four CNOT gates. P4 is performed in a similar way as in the previous subsections. All of the steps in the previous subsections, from plaintext expansion to the last process, are reversed, as shown in Fig. 4. In this proposed design, no garbage qubits hold states. All of the ancilla qubits will be reused in the next encryption round. Therefore, those qubits must be returned to their initial states.
The switch function
The first round of SDES alters the left half of the plaintext, whereas the right half is untouched. The switching function is constructed using four quantum SWAP gates to interchange the four qubits on the left with the four qubits on the right. A quantum SWAP gate can be constructed from three CNOT gates, which means that 12 CNOT gates are needed for the switch function.
The second encryption round
Because of the reversal process, all of the work space ancilla qubits are set to their initial states, which make them reusable for the second round of encryption. Only ancilla qubits that hold the produced ciphertext of the first round cannot be used. The second encryption round is performed similarly to the first round. It takes the input qubits after SW and produces the output ciphertext in the last ancilla qubits. In contrast to the first round, no IP involved in this round; thus, the round starts with plaintext expansion function E/P.
The last function in classical SDES is the permutation function IP\(^{1}\), which is the inverse of the IP function. This function is integrated within the second round in the same way as the IP is integrated in the first round. Finally, all the steps involved in this round are inversed, as shown in Fig. 3. For instance, the key qubits are \(\vert K \rangle ^{\otimes 10}\), the plaintext qubits are \(\vert P \rangle ^{\otimes 8}\), and the ciphertext are in the last ancilla qubits \(\vert C \rangle ^{\otimes 4}\) and \(\vert C \rangle ^{\otimes 4}\).
Black box of quantum search
The QSDES circuit is designed with consideration of the fact that the entire circuit will be used as a black box or Oracle for Grover’s quantum search. Thus, no garbage qubits are involved in the circuit such that for every iteration of Grover’s algorithm, all the qubits return to their initial states, resulting in multiple levels of reversibility in the circuit. The first reversibility level is within the quantum Sboxes where the processes are reversed. The second reversibility level is within every encryption round, and the third level of reversibility is when the complete round is reversed (in case of the first round).
Grover operator or the inversion about the mean is also called Conditional Phase Flip (CPF). CPF circuit which shown in Fig. 10, is illustrated in detail in Fig. 12. At this phase, the marked state in the quantum register, which has a different phase from other states, is constructively interfered, whereas all other states in the quantum register are distractively interfered.
Complexity analysis
The complexity analysis is conducted in term of computing the size of the quantum gates used in the proposed circuit (size of the circuit). The calculations are performed with respect to subkey size (\(K_s\)), plaintext size (\(P_s\)), number of rounds (\(R_n\)), number of permutation functions (\(P_n\)), input size of Sbox (\(S_{in}\)), and output size of Sbox (\(S_{out}\)). Regarding the key generation process for SDES, since all steps of generating one subkey are integrated in one step then 8 CNOT gates are needed corresponds to the size of the subkey. Since there are two encryption rounds then the number of CNOT gates = \(R_n \times K_s\).
The encryption function of QSDES consists of four permutation steps (XORing left half of PTXT, E/P, P4, and XORing the right half of PTXT), key XORing, and two substitution processes (S_{0} and S_{1}). The key XORing is already calculated when computed the circuit size of the key generation which is 8 CONT gates. The E/P permutation function needs 8 CNOT gates. Each of the other permutation functions needs 4 CNOT gates corresponds to the half of the plaintext size. Therefore, the circuit size of the permutation functions can be expressed as number of CNOTs = \((P_n \times P_s)/2\).

number of X Pauli gates = \(2^{S_{in}} \times 2 = 16 \times 2\),

number of Toffoli gates = \(2^{S_{in}} \times S_{in} 1 = 16 \times 3\), and

number of CNOT gates = \(2^{S_{in}} \times S_{out} = 16 \times 2\).
Experiments and results
In this section, the quantum simulation used in this study is briefly introduced and the simulation results are interpreted. Then, the functionality of the proposed QSDES is verified and compared with SDES. The quantum exhaustive search results are shown in the last subsection.
Simulation of quantum mechanics
 1.This is the probability amplitude of the states of the quantum register. It is a complex number in Hilbert space. It is also used to calculate the probabilities regarding the state in which the quantum system will settle.
 (a)
The real part of the complex number,
 (b)
The imaginary part.
 (a)
 2.
This is the integer representation of the qubits states. For example \(\vert 16 \rangle =\vert 000000000000010000 \rangle\). In this simulation, the ancilla qubits will appear in this number.
 3.
These are the calculated probabilities of the qubit states by making use of the amplitude in 1.
 4.These are the qubits being defined in the quantum register. In contrast to 2, this is the binary representation of the qubits. Ancilla qubits (if any), do not appear in this part of the result. This part also shows that the register width is the number of qubits.
 (a)
Key qubits,
 (b)
Plaintext qubits.
 (a)
QSDES functionality
QSDES functionality test
Plaintext  Classical  Quantum  

Key  Ciphertext  Key and ciphertext  Probability  
0001 0000  11 0001 0011  0011 0011  \(\vert 11 0001 0011\,0011 0011 \rangle\)  1 
1110 1100  00 1110 1100  1110 0000  \(\vert 00 1110 1100\,1110 0000 \rangle\)  1 
1011 0001  10 0111 1001  0001 1100  \(\vert 10 0111 1001\,0001 1100 \rangle\)  1 
QSDES results when key is in superposition
Plaintext  Key and ciphertext  Probability  

0  1001 1010  \(\vert 0000000000\,11111001 \rangle\)  \(9.765623\times 10^{04}\) 
1  1001 1010  \(\vert 0000000001\,01010001 \rangle\)  \(9.765623\times 10^{04}\) 
2  1001 1010  \(\vert 0000000010\,01101001 \rangle\)  \(9.765623\times 10^{04}\) 
\(\vdots\)  \(\vdots\)  \(\vdots\)  \(\vdots\) 
1022  1001 1010  \(\vert 1111111110\,11100110 \rangle\)  \(9.765623\times 10^{04}\) 
1023  1001 1010  \(\vert 1111111111\,00001011 \rangle\)  \(9.765623\times 10^{04}\) 
Quantum exhaustive key search
Quantum exhaustive key search
Ciphertext  Oracle qubit and key and plaintext  Probability  

0  0011 0011  \(\vert 1\,0000000000\,00010000 \rangle\)  \(5.266659\times 10^{07}\) 
1  0011 0011  \(\vert 1\,0000000001\,00010000 \rangle\)  \(5.266659\times 10^{07}\) 
\(\vdots\)  \(\vdots\)  \(\vdots\)  \(\vdots\) 
787  0011 0011  \(\vert 1\,1100010011\,00010000 \rangle\)  0.9994553 
\(\vdots\)  \(\vdots\)  \(\vdots\)  \(\vdots\) 
1022  0011 0011  \(\vert 1\,1111111110\,00010000 \rangle\)  \(5.266659\times 10^{07}\) 
1023  0011 0011  \(\vert 1\,1111111111\,00010000 \rangle\)  \(5.266659\times 10^{07}\) 
Quantum exhaustive key search when there are multiple solutions
Ciphertext  Oracle qubit and key and plaintext  Probability  

0  0011 0110  \(\vert 1\,0000000000\,10100101 \rangle\)  \(4.118168\times 10^{06}\) 
1  0011 0110  \(\vert 1\,0000000001\,10100101 \rangle\)  \(4.118168\times 10^{06}\) 
\(\vdots\)  \(\vdots\)  \(\vdots\)  \(\vdots\) 
151  0011 0110  \(\vert 1\,0010010111\,10100101 \rangle\)  0.4978935 
\(\vdots\)  \(\vdots\)  \(\vdots\)  \(\vdots\) 
223  0011 0110  \(\vert 1\,0011011111\,10100101 \rangle\)  0.4978935 
\(\vdots\)  \(\vdots\)  \(\vdots\)  \(\vdots\) 
1022  0011 0110  \(\vert 1\,1111111110\,10100101 \rangle\)  \(4.118168\times 10^{06}\) 
1023  0011 0110  \(\vert 1\,1111111111\,10100101 \rangle\)  \(4.118168\times 10^{06}\) 
Conclusion and future works
Quantum computing has rendered most of the classical asymmetric cryptosystems unsafe. However, the quantum threats to symmetric cryptosystems have not been investigated thoroughly compared with the asymmetric y cryptography. We claim that one of the reasons for the lack of studies on quantum cryptanalysis is that the symmetric algorithm must be implemented first on a quantum platform before the security strength of such a cryptosystem against any quantum attack can be evaluated. In this study, we proposed a method to fill the research gap between quantum computing and symmetric cryptography by presenting for the first time a quantum circuit for a classical symmetric cipher. The simplified DES cipher is used as a case study. The SDES is implemented on a quantum platform as a quantum circuit of a polynomial number of quantum gates. The entire study was tested on the quantum mechanics simulator libquantum. The functionality of the proposed design has been examined and proven by comparing the experimental results of the quantum SDES with that of the classical SDES. In addition, a quantum attack using Grover’s search algorithm has been conducted. The experimental results shows that the key can be recovered in \(\frac{\pi }{4}\sqrt{N}\) computational steps.
The Sboxes of SDES and other ciphers are the most complicated components. In SDES, the Sboxes are statically predefined and implemented in this study as quantum circuits. The other types of Sboxes, specifically keydependent dynamically generated ones, are interesting subjects to be investigated in the future.
Declarations
Authors' contributions
The work reported in this paper is a team efforts. All authors read and approved the final manuscript.
Acknowledgements
The authors would like to thank Hendrik Weimer and Björn Butscher for the valuable discussions about libquantum.
Competing interests
The authors declare that they have no competing interests.
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
Authors’ Affiliations
References
 Akihiro Y (2000) Ishizuka Hirokazu quantum cryptanalysis of block ciphers. Algebraic systems, formal languages and computations. RIMS Kokyuroku 1166:235–243Google Scholar
 Bernstein DJ, Buchmann J, Dahmen E (2008) Post quantum cryptography, 1st edn. Springer, New YorkGoogle Scholar
 Boyer M, Brassard G, Høyer P, Tapp A (1998) Tight bounds on quantum searching. Fortschritte der Physik 46:493–505View ArticleGoogle Scholar
 Brassard G, Høyer P, Tapp A (1998) Quantum counting. In: International collection of automata, language and programming (ICALP’98), LNCS 1443, pp 820–831Google Scholar
 Christof Z (1999) Grover’s quantum searching algorithm is optimal. Phys Rev A 60(4):2746View ArticleGoogle Scholar
 Cláudio Do Nascimento José, Viana Ramos Rubens (2010) Quantum protocols for zeroknowledge systems. Quantum Inf Process 9(1):37–46. doi:10.1007/s1112800901278 View ArticleGoogle Scholar
 Coppersmith D, Holloway C, Matyas SM, Zunic N (1997) The data encryption standard. Information security technical report, vol 2(2), pp 22–24. ISSN:13634127, doi:10.1016/S13634127(97)813258
 Grover LK (1996) A fast quatum mechanical algorithm for database search. In: Proceedings of the 28th annual ACM symposium on theory of computing (STOC), pp 212–219 (1996)Google Scholar
 Høyer P, Ŝpalek R (2005) Quantum fanout is powerful. Theory Comput 1(5):81–103. ISSN:15572862Google Scholar
 Kabgyun J, Jaewan K (2015) Secure sequential transmission of quantum information. Quantum Inf Process. doi:10.1007/s1112801510545 Google Scholar
 Lanyon BP, Weinhold TJ, Langford NK, Barbieri M, James DFV, Gilchrist A, White AG (2007) Experimental demonstration of a compiled version of Shor’s algorithm with quantum entanglement. Phys Rev Lett 99(25):250505View ArticleGoogle Scholar
 Lucero E, Barends R, Chen Y, Kelly J, Mariantoni M, Megrant A, White T (2012) Computing prime factors with a Josephson phase qubit quantum processor. Nat Phys 8(10):719–723View ArticleGoogle Scholar
 Markov IL, Saeedi M (2013) Faster quantum number factoring via circuit synthesis. Phys Rev A 87(1):012310View ArticleGoogle Scholar
 MartínLópez E, Laing A, Lawson T, Alvarez R, Zhou XQ, O’Brien JL (2012) Experimental realization of Shor’s quantum factoring algorithm using qubit recycling. Nat Photonics 6:773–776. doi:10.1038/nphoton.2012.259 View ArticleGoogle Scholar
 Mermin ND (2007) Quantum computer science: an introduction. Cambridge University Press, New YorkView ArticleGoogle Scholar
 Mihara T (2007) Quantum protocols for untrusted computations. J Discrete Algorithms 5(1):65–72. doi:10.1016/j.jda.2006.03.007 View ArticleGoogle Scholar
 Nicolas G, Grégoire R, Wolfgang T, Hugo Z (2002) Quantum cryptography. Rev Mod Phys 74(1):145–195. doi:10.1103/RevModPhys.74.145 View ArticleGoogle Scholar
 Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and publickey cryptosystems. Commun ACM 21(2):120–126. doi:10.1145/359340.359342 View ArticleGoogle Scholar
 Roetteler M, Steinwandt R (2015) A note on quantum relatedkey attacks. Inf Process Lett 115(1):40–44. ISSN: 00200190, doi:10.1016/j.ipl.2014.08.009, (http://www.sciencedirect.com/science/article/pii/S0020019014001719)
 Schaefer EF (1996) A simplified data encryption standard algorithm. Cryptologia 20(1):77–84View ArticleGoogle Scholar
 Schneier B (1993) Description of a new variablelength key, 64bit block cipher (Blowfish). In: Fast software encryption, cambridge security workshop, Springer, London, UK, pp 191–204. http://dl.acm.org/citation.cfm?id=647930.740558
 Schneier B, Kelsey J, Whiting D, Wagner D, Hall C, Ferguson N (1999) The Twofish encryption algorithm: a 128bit block cipher. Wiley, New YorkGoogle Scholar
 Shannon C (1949) Communication theory of secrecy systems. Bell Syst Tech J 28(4):656–715View ArticleGoogle Scholar
 Shor PW (1997) Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput 26(5):1484–1509. doi:10.1137/S0097539795293172 View ArticleGoogle Scholar
 Simulation of quantum mechanics, http://www.libquantum.de/. Retrieved 3 August 2015
 Stallings W (2002) The advanced encryption standard. Cryptologia 26(3):165–188. doi:10.1080/0161110291890876 View ArticleGoogle Scholar
 Stallings W (2010) Cryptography and network security: principles and practice, 5th edn. Prentice Hall Press, Upper Saddle RiverGoogle Scholar
 Wiener MJ (1990) Cryptanalysis of short RSA secret exponents. IEEE Trans Inf Theory 36(3):553–558. doi:10.1109/18.54902 View ArticleGoogle Scholar