Article Open Access

A framework for reducing the overhead of the quantum oracle for use with Grover’s algorithm with applications to cryptanalysis of SIKE

Jean-François Biasse and Benjamin Pring
Published/Copyright: November 17, 2020

Abstract

In this paper we provide a framework for applying classical search and preprocessing to quantum oracles for use with Grover’s quantum search algorithm in order to lower the quantum circuit-complexity of Grover’s algorithm for single-target search problems. This has the effect (for certain problems) of reducing a portion of the polynomial overhead contributed by the implementation cost of quantum oracles and can be used to provide either strict improvements or advantageous trade-offs in circuit-complexity. Our results indicate that it is possible for quantum oracles for certain single-target preimage search problems to reduce the quantum circuit-size from $O(2^{n/2}\, m C)$ (where C originates from the cost of implementing the quantum oracle) to $O(2^{n/2}\sqrt{mC})$ without the use of quantum RAM, whilst also slightly reducing the number of required qubits.

This framework captures a previous optimisation of Grover’s algorithm using preprocessing [21] applied to cryptanalysis, providing new asymptotic analysis. We additionally provide insights and asymptotic improvements on recent cryptanalysis [16] of SIKE [14] via Grover’s algorithm, demonstrating that the speedup applies to this attack and impacting upon quantum security estimates [16] incorporated into the SIKE specification [14].

MSC 2010: 68Q12

1 Introduction

Whilst the quantum circuit-complexity of a quantum algorithm is linked to the cost of executing a quantum algorithm, this link is not yet fully understood owing to the uncertainty regarding the eventual architecture of quantum computers and the need to perform quantum error-correction to protect the state from environmental noise. The logical quantum circuit-model of computation ignores the issue of noise and has been the de-facto choice of assigning a cost to quantum algorithms for the cryptographic community as our understanding of the true costs involved with executing quantum algorithms has been evolving. In particular, there is the issue of quantum query-complexity versus quantum bit-complexity when assigning a cost to the best known quantum attack on a cryptosystem for purposes of choosing quantum-resistant cryptographic parameters in relation to it.

If a quantum search algorithm requires $O(2^{n/2})$ calls to a particular subroutine (a quantum oracle), then it is clear that this algorithm has a cost of at least $O(2^{n/2})$. If we assign a cost to this quantum oracle of C, then it is clear that the full cost of the algorithm is at least $O(2^{n/2} C)$. Whilst there are hard proofs that we cannot do better than $O(2^{n/2})$ calls to this quantum oracle if we assume that the quantum oracle is a black-box [28] (in that we model it simply via input and output), we focus upon redefining what it means for the oracle to be called. By doing this, we note that for certain problems we can in fact increase the query-complexity but reduce the total cost of the quantum algorithm itself.

Contributions

We provide a framework for reasoning about how the quantum circuit-complexity of Grover’s algorithm can be reduced via design principles that can be applied to the quantum oracle, allowing strict gains in all metrics for certain problems. This is done via combining classical search with Grover’s algorithm, increasing the cost of the quantum oracle, but defining it over a smaller search-space. This approach allows for a balancing of the query-complexity and the cost of the quantum oracle and admits a number of benefits, such as preprocessing options which strictly improve the efficiency of Grover’s algorithm.

We demonstrate the utility of our framework by applying it to two known quantum attacks on cryptosystems using Grover’s algorithm, demonstrating that it captures and improves upon a known quantum attack on the Multivariate Quadratic problem over 𝔽2 using Grover’s algorithm and provides new results on quantum cryptanalysis of SIKE [14], providing evidence that the cost of attacking SIKE via Grover’s algorithm is asymptotically lower than previously estimated [14, 16].

Outline of this paper

In Section 2, we review Grover’s algorithm. In Section 3 we introduce our framework. In Section 4 we examine several applications to cryptanalysis and give our conclusions in Section 5.

2 Background

Definition 2.1

(The unstructured search problem) Let $\chi : \{0,1\}^n \to \{0,1\}$ be such that $M_\chi = |\chi^{-1}(1)|$. The unstructured search problem defined by χ is the problem of finding an element $x \in \{0,1\}^n$ such that $\chi(x) = 1$ or proving that no such element exists, given only the ability to evaluate χ.

A classical computer requires $O(2^n / M_\chi)$ calls to a classical circuit which evaluates χ before a solution to the unstructured search problem (Definition 2.1) is found [1]. In comparison, Grover’s algorithm requires $O(\sqrt{2^n / M_\chi})$ calls to a quantum circuit which evaluates χ and terminates with a solution to the unstructured search problem with high probability. It will additionally prove useful to consider another formulation of the search problem.

Definition 2.2

(The preimage search problem) Let $h : \{0,1\}^n \to \{0,1\}^m$ and $Y_h \subseteq \{0,1\}^m$. The preimage search problem is to find an $x \in \{0,1\}^n$ such that $h(x) \in Y_h$ or prove that no such $x \in \{0,1\}^n$ exists.

Any algorithm that solves arbitrary instances of the preimage search problem can be used to solve the search problem and vice versa, but it is clear that there is more computational structure in the preimage search problem compared to the unstructured search problem, which can benefit the design of algorithms.

Quantum algorithms

Quantum states consist of qubits (quantum bits), and an n-qubit quantum state relative to the computational basis $\{|x\rangle : x \in \{0,1\}^n\}$ can be expressed as $\sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$ where $\alpha_x \in \mathbb{C}$ and $\sum_{x \in \{0,1\}^n} |\alpha_x|^2 = 1$. The $\alpha_x$ are the amplitudes of each computational basis state $|x\rangle$, and measurement of this quantum state results in the bitstring $x \in \{0,1\}^n$ with probability $|\alpha_x|^2$. Quantum algorithms therefore consist of increasing the magnitude of the $\alpha_x$ which encode algorithmically useful information: Grover’s algorithm consists of the repeated application of a quantum circuit, each application of which (up to a point) increases the magnitude of the $\alpha_x$ which encode solutions to the search problem.

Cost models and reversibility

Quantum circuits that do not include measurement are equivalent to unitary operators (U such that there exists $U^\dagger$ with the property $UU^\dagger = U^\dagger U = I$) and because of this correspondence, quantum circuits which implement $\chi : \{0,1\}^n \to \{0,1\}$ can be designed by considering reversible classical circuits (which implement permutations and therefore all have inverses), with each reversible gate assigned a cost in terms of quantum gates.

Much as the universal boolean gate set {¬, ⊕, ∧} can implement arbitrary classical circuits, quantum algorithms can be implemented (up to an arbitrary level of precision) by a universal quantum gate set. For reasons of space we deal only with asymptotics in this paper, but illustrate the above in terms of the Clifford+T universal quantum gate set, which consists of the Clifford gate set (the Hadamard, Phase and CNOT gates) and the single T gate. By fixing a universal quantum gate set we can reason about the quantum circuit-complexity (cost) of a quantum algorithm, which consists of the quantum circuit-size (number of quantum gates), quantum circuit-depth (timesteps taken) and quantum circuit-width (quantum bits required). It is plain that the set of quantum gates $\{X, \wedge_1(X), \wedge_2(X)\}$, and more generally $\wedge_k(X)$ for k ≥ 1, acting upon computational basis states defined by

(1) $$X|x_1\rangle \mapsto |x_1 \oplus 1\rangle, \qquad \wedge_k(X)\,|x_1 \ldots x_k\rangle|x_{k+1}\rangle \mapsto |x_1 \ldots x_k\rangle|x_{k+1} \oplus (x_1 \wedge \cdots \wedge x_k)\rangle$$

where $\wedge_0(X) := X$, is sufficient to implement all reversible classical circuits on computational basis states if we have sufficient ancilla qubits, as this gate set corresponds to the universal boolean gate set {¬, ⊕, ∧}. The $\wedge_k(X)$ for k ≥ 2 is simply a useful abstraction. The X and $\wedge_1(X)$ gates each require one Clifford gate to implement, whilst the $\wedge_2(X)$ (Toffoli gate) can be implemented using 17 Clifford+T gates [2, 24] and the $\wedge_k(X)$ gate requires at most 40k − 64 Clifford gates for k > 2 [17] if we have a single ancilla qubit, which can be in any state.

Definition 2.3

(Cost notation) If 𝒜 is any quantum algorithm or quantum gate, we denote the execution cost of 𝒜 by the notation C𝒜. Costs will be provided in terms of components that are executed in serial, so that C𝒜 can be substituted for circuit-size, circuit-depth or either metric applied to a subset of quantum gates.

2.1 Quantum oracles and Grover’s algorithm

Definition 2.4

(Quantum bit oracle) The quantum bit oracle $O_\chi^{(b)}$ acting upon (n+1)-qubit computational basis states $|x_1 \ldots x_n\rangle|b\rangle$, where b ∈ {0, 1}, maps

(2) $$O_\chi^{(b)}\,|x_1 \ldots x_n\rangle|b\rangle \mapsto |x_1 \ldots x_n\rangle|b \oplus \chi(x_1 \ldots x_n)\rangle.$$

Quantum oracles will be used in conjunction with Grover’s algorithm, which we state and provide a cost for without proof. Our modifications will simply be alterations of the quantum bit oracle and are used with Grover’s algorithm.

Theorem 2.5

(Grover’s algorithm [4, 12]) Let $\chi : \{0,1\}^n \to \{0,1\}$ define the search problem where $M = |\chi^{-1}(1)|$ is known. Then there exists a quantum algorithm that solves the search problem defined by χ with probability at least $\max\{1 - M/2^n,\; M/2^n\}$ and which has a cost of $C_{H^{\otimes n}} + \frac{\pi}{4} \cdot \frac{2^{n/2}}{\sqrt{M}}\left(C_\chi + C_{D_n}\right)$, where $C_{H^{\otimes n}}$, $C_\chi$ and $C_{D_n}$ are respectively the cost of implementing the Hadamard transform on n qubits, the quantum bit oracle $O_\chi^{(b)}$ and the diffusion operator $D_n$ on n qubits, and where cost is either quantum circuit-size or quantum circuit-depth. $H^{\otimes n}$ is the parallel application of n Hadamard gates, each of which costs 1 Clifford gate, and the diffusion operator on n qubits can be assigned a circuit-size of 44n − 105 Clifford+T gates for n ≥ 7 [17, 18] and a circuit-depth of 44n − 103. Our framework will enable the cost expressed in Theorem 2.5 to be optimised by trading off between the cost $C_\chi + C_{D_n}$ and the query-complexity term $\frac{\pi}{4} \cdot \frac{2^{n/2}}{\sqrt{M}}$. Much as we require memory to implement classical functions efficiently, we often require ancilla qubits to implement the action of a quantum bit oracle. In this paper we use a decomposition of the quantum bit oracle that captures this fact.

Definition 2.6

(Bitwise decomposition of the oracle) A bitwise decomposition of the quantum bit oracle $O_\chi^{(b)}$ consists of the n+1 unitary operators $U_\chi^*, U_\chi^n, \ldots, U_\chi^1$ acting upon n+w+1 qubits, such that for any $x_1 \ldots x_n \in \{0,1\}^n$ and b ∈ {0, 1}

(3) $$U_\chi^{1\dagger} \cdots U_\chi^{n\dagger}\; U_\chi^*\; U_\chi^n \cdots U_\chi^1\; |g_0\rangle|x_1 \ldots x_n\rangle|b\rangle \mapsto |g_0\rangle|x_1 \ldots x_n\rangle|b \oplus \chi(x_1 \ldots x_n)\rangle$$

where $U_\chi^i = \hat{U}_\chi^i \otimes I_{n-i+1}$, so that $\hat{U}_\chi^i$ acts upon w + i qubits, with

(4) $$\hat{U}_\chi^i\; |g_{i-1}(x_1, \ldots, x_{i-1})\rangle|x_1 \ldots x_i\rangle \mapsto |g_i(x_1, \ldots, x_i)\rangle|x_1 \ldots x_i\rangle$$

with $g_i(x_1, \ldots, x_i) \in \{0,1\}^w$ derived from $x_1, \ldots, x_i$ only, $g_0 \in \{0,1\}^w$ and

(5) $$U_\chi^*\; |g_n(x_1, \ldots, x_n)\rangle|x_1 \ldots x_n\rangle|b\rangle \mapsto |g_n(x_1, \ldots, x_n)\rangle|x_1 \ldots x_n\rangle|b \oplus \chi(x_1 \ldots x_n)\rangle$$

We therefore have that $I_w \otimes O_\chi^{(b)} = U_\chi^{1\dagger} \cdots U_\chi^{n\dagger}\, U_\chi^*\, U_\chi^n \cdots U_\chi^1$ and that $U_\chi^i$ should be interpreted as producing a memory state $g_i(x_1, \ldots, x_i) \in \{0,1\}^w$ computed using only the first i bits of a possible solution to the search problem. The memory state $g_0 \in \{0,1\}^w$ can be considered as an initial memory-state which does not depend upon any of the bits $x_1, \ldots, x_n$. Typically, we can take $g_0 = 0^w$. This decomposition applies trivially to quantum bit oracles constructed using only reversible boolean primitives (we define $U_\chi^* = O_\chi^{(b)}$ and take each $U_\chi^i$ to be the identity), but non-trivial decompositions may require special design. The single-target preimage search problem (see Definition 2.2) can be modelled simply by setting $U_\chi^n \cdots U_\chi^1$ to compute $|h(x_1 \ldots x_n) \oplus 1^m\rangle$ and setting $U_\chi^* := \wedge_m(X)$.

3 A framework for preprocessing

In this section we present our framework for optimising applications of Grover’s algorithm via modifying quantum bit oracles to take advantage of classical search and preprocessing. Computational gains will be made possible via examining the role of memory in implementing the action of the quantum bit oracle and trading off between query-complexity and the computational effort required to implement the action of the quantum bit oracle. With this in mind we can choose an integer 0 ≤ k ≤ n that defines a cut of the bitwise decomposition of the quantum bit oracle (see Definition 2.6), splitting it into three separate components so that

(6) $$U_{n-k} := U_\chi^{n-k} \cdots U_\chi^1, \qquad U_k := U_\chi^n \cdots U_\chi^{n-k+1} \quad\text{and}\quad U^* := U_\chi^*.$$

3.1 Combining classical search with Grover’s algorithm

Theorem 3.1

(Secondary classical search) Given a cut of a quantum oracle parameterised by 0 < k < n, we can implement a modified quantum bit oracle $O_\chi^{(b)}$ acting as

(7) $$O_\chi^{(b)}\,|0^w\rangle|x_1 \ldots x_{n-k}\rangle|0^k\rangle|c\rangle \mapsto |0^w\rangle|x_1 \ldots x_{n-k}\rangle|0^k\rangle\Big|c \oplus \bigoplus_{z_1 \ldots z_k \in \{0,1\}^k} \chi(x_1 \ldots x_{n-k} z_1 \ldots z_k)\Big\rangle$$

and whose cost is

(8) $$C_{O_\chi^{(b)}} = 2\sum_{i=1}^{n-k} C_{U_\chi^i} + 2 \cdot 2^k \sum_{i=1}^{k} C_{U_\chi^{n-k+i}} + 2^k C_{U^*} + 2^k C_X.$$

Proof. We first execute $U_{n-k}$ to compute

(9) $$U_{n-k}\,|0^w\rangle|x_1 \ldots x_{n-k}\rangle|0^k\rangle \mapsto |g_{n-k}(x_1, \ldots, x_{n-k})\rangle|x_1 \ldots x_{n-k}\rangle|0^k\rangle$$

then simply follow the procedure of executing the sequence $U_k^\dagger U^* U_k$ on all possible assignments of the final k values of the search-space. This can be performed efficiently by using the k qubits following the register $|x_1 \ldots x_{n-k}\rangle$ as additional input $z_1 \ldots z_k \in \{0,1\}^k$ for $U_k^\dagger U^* U_k$ and simply cycling through all possible values of $z_1 \ldots z_k \in \{0,1\}^k$. If we use a binary reflected Gray code [11], we can start in the state $0^k$ and cycle through all $2^k$ elements of $\{0,1\}^k$, ending in the state $10^{k-1}$, by flipping only a single bit at a time, which can be accomplished by using an X gate on the relevant qubit; if we wish to return the state to $|0^k\rangle$, then we need only execute an additional X gate, for a total cost of $2^k$ X gates. After this, we simply execute the unitary $U_{n-k}^\dagger$, leaving us with the computational basis state

(10) $$|0^w\rangle|x_1 \ldots x_{n-k}\rangle|0^k\rangle\Big|c \oplus \bigoplus_{z_1 \ldots z_k \in \{0,1\}^k} \chi(x_1 \ldots x_{n-k} z_1 \ldots z_k)\Big\rangle. \qquad \square$$

Corollary 3.2

The modified quantum bit oracle $O_\chi^{(b)}$ as described in Theorem 3.1 can be used with Grover’s algorithm defined on the search-space of n − k qubits and terminates with an $x \in \{0,1\}^{n-k}$ that can be extended to a full solution with probability at least $\max\{1 - M/2^{n-k},\; M/2^{n-k}\}$ (by Theorem 2.5) if $1 \le M \le 2^{(n-k)/2}$.

Proof. This can easily be seen as the modified quantum oracle will mark any element $x_1 \ldots x_{n-k} \in \{0,1\}^{n-k}$ that can be extended to a full solution for some $z_1 \ldots z_k \in \{0,1\}^k$. Hence the number of marked elements of $\{0,1\}^{n-k}$ is M if there are no collisions on the first n − k bits of solutions, for which a standard lower bound exists. If M = 1, then there can obviously be no such collision. □

Such strategies are possible with classical computation, but require state to be stored. By their nature, reversible logic circuits store state implicitly, and by using this fact we avoid increasing the number of qubits. There is no guarantee that a non-trivial advantageous cut will be possible, but we can simply follow a design heuristic where as much cost as possible is shifted towards $U_{n-k}$. As we can simply compute the costs $C_{U_{n-k}}$, $C_{U_k}$ and $C_{U^*}$ as a function of k, we can easily find an optimal k via numerical simulation of the costs involved (often a simple formula) on all values of 0 ≤ k ≤ n, which is a negligible classical computation.

Example 3.3

We consider the case where $C_{U_\chi^1} = \cdots = C_{U_\chi^n} = C_{U_\chi^*}$ and these costs dominate that of the diffusion step, so that $C_{U_{n-k}} = (n-k)D$, $C_{U_k} = kD$ and $C_{U^*} = D$ for some constant D. Choosing $k = \log_2 n$ and using Equation (8) in conjunction with Theorem 2.5 gives us a cost of

(11) $$\frac{\pi}{4} \cdot \frac{2^{n/2}}{\sqrt{n}} \left(2(n - \log_2 n) + n(2\log_2 n + 1)\right) D$$

which gives us an asymptotic cost of $O(2^{n/2}\, n^{1/2}\, (\log_2 n)\, D)$, compared to using Grover with the unmodified oracle for an asymptotic cost of $O(2^{n/2} \cdot nD)$.

Corollary 3.4

(Evaluation via backtracking) Let the conditions be as in Theorem 3.1. The same procedure can be implemented for a cost of

(12) $$C_{O_\chi^{(b)}} = 2\sum_{i=1}^{n-k} C_{U_\chi^i} + 2\sum_{i=1}^{k} \left(2^i\, C_{U_\chi^{n-k+i}}\right) + 2^k C_{U_\chi^*} + 2^k C_X.$$

Proof. This can be easily seen as, if we denote by $X_i$ the application of an X gate to the ith qubit of the search-space, then each subsequence of unitary operators

(13) $$U^*\; U_\chi^n \cdots U_\chi^{n-k+1}\; X_{n-k+i}\; U_\chi^{(n-k+1)\dagger} \cdots U_\chi^{n\dagger}\; U^*$$

that appears in the unitary $U_k$ can be replaced by the subsequence

(14) $$U^*\; U_\chi^n \cdots U_\chi^{n-k+i}\; X_{n-k+i}\; U_\chi^{(n-k+i)\dagger} \cdots U_\chi^{n\dagger}\; U^*. \qquad \square$$

Corollary 3.5

(Commuting bitwise invariant components) Given a modified quantum bit oracle $O_\chi^{(b)}$ parameterised by 0 ≤ k ≤ n as in Theorem 3.1 such that $U_\chi^{n-k+1}, \ldots, U_\chi^n$ all commute and the action of each $U_\chi^i$ is invariant upon any choice of $z_j$ for $j \neq i$, the cost of $O_\chi^{(b)}$ can be reduced to

(15) $$C_{O_\chi^{(b)}} = 2\sum_{i=1}^{n} C_{U_\chi^i} + \sum_{i=1}^{k} \left(2^i\, C_{U_\chi^{n-k+i}}\right) + 2^k C_{U_\chi^*} + 2^k C_X.$$

Proof. Again using the notation $X_i$ for the application of an X gate to the ith qubit, we can adapt Theorem 3.1 by simply replacing any subsequence

(16) $$U^*\; U_\chi^n \cdots U_\chi^i \cdots U_\chi^{n-k+1}\; X_{n-k+i}\; U_\chi^{(n-k+1)\dagger} \cdots U_\chi^{i\dagger} \cdots U_\chi^{n\dagger}\; U^*$$

that appears in the unitary $U_k$ by

(17) $$U^*\; U_\chi^i\; X_{n-k+i}\; U_\chi^n \cdots U_\chi^{n-k+1}\; U_\chi^{(n-k+1)\dagger} \cdots U_\chi^{n\dagger}\; U_\chi^{i\dagger}\; U^*$$

by the commuting property of each of $U_\chi^n, \ldots, U_\chi^{n-k+1}$ and the invariance of the unitary sequence $U_\chi^n \cdots U_\chi^{n-k+1}$ upon the variable $z_i$. From there it is a simple matter to note that the inner unitaries cancel each other out, and we must first fully compute the sequence $U_\chi^n \cdots U_\chi^1$ and end with the sequence $U_\chi^{1\dagger} \cdots U_\chi^{n\dagger}$. □

Example 3.6

We again consider the case where each unitary operator has a cost of D as in Example 3.3, but where we can instead apply Corollary 3.5. The choice of $k = \log_2 n$ can now be seen to be optimal if we take the derivative of the full cost equation for Grover’s algorithm with the modified quantum bit oracle. This gives an asymptotic cost for Grover’s algorithm with this modified quantum bit oracle of $O(2^{n/2}\, n^{1/2}\, D)$, whereas Theorem 3.1 gave us a cost of $O(2^{n/2}\, n^{1/2}\, \log_2 n\, D)$ and the unmodified quantum bit oracle with Grover was $O(2^{n/2}\, n\, D)$.
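As an added illustration (not code from the paper): a classical simulation of the secondary-search oracle of Theorem 3.1, including the Gray-code walk of the z register, together with the cost formulas (8), (12) and (15) under the uniform-cost model of Examples 3.3 and 3.6, and the numerical search for the best cut k described after Corollary 3.2. The target, n, k and D values are constructed, and the Hadamard term of Theorem 2.5 is dropped as negligible (an assumption).

```python
import math
from typing import Callable, Iterator, List, Tuple

Bits = Tuple[int, ...]


def gray_code_flips(k: int) -> Iterator[int]:
    """Yield the index of the single bit flipped at each step of a binary
    reflected Gray code walk through {0,1}^k starting from 0^k (index 0 is
    z_1, the leftmost bit). After the 2^k - 1 flips the register holds 10^(k-1),
    exactly as used in the proof of Theorem 3.1."""
    for step in range(1, 2 ** k):
        trailing_zeros = (step & -step).bit_length() - 1
        yield k - 1 - trailing_zeros


def gray_sequence(k: int) -> List[Bits]:
    """All 2^k states visited by the walk, in order; the first is 0^k."""
    z = [0] * k
    states = [tuple(z)]
    for idx in gray_code_flips(k):
        z[idx] ^= 1
        states.append(tuple(z))
    return states


def modified_oracle(chi: Callable[[Bits], int], x_prefix: Bits, k: int,
                    c: int = 0) -> Tuple[int, int]:
    """Classical simulation of the modified oracle of Equation (7) on one basis
    state |x_1..x_{n-k}>|0^k>|c>. Each evaluation of chi stands for one run of
    U_k^dagger U* U_k; the z register is cycled with the Gray code and finally
    returned to 0^k. Returns (new value of c, number of X gates spent on z)."""
    z = [0] * k
    parity = chi(x_prefix + tuple(z))
    x_gates = 0
    for idx in gray_code_flips(k):
        z[idx] ^= 1
        x_gates += 1
        parity ^= chi(x_prefix + tuple(z))
    if k > 0:               # walk ends at 10^(k-1): one more X on z_1 restores 0^k
        z[0] ^= 1
        x_gates += 1
    assert all(bit == 0 for bit in z), "z register must be returned to |0^k>"
    return c ^ parity, x_gates


def single_target_chi(target: Bits) -> Callable[[Bits], int]:
    """chi for a single-target search problem: chi(x) = 1 iff x == target."""
    return lambda x: int(x == target)


# Oracle costs under the uniform model of Examples 3.3 and 3.6:
# C_{U_chi^i} = C_{U*} = D for every i, and C_X = c_x.

def oracle_cost_eq8(n: int, k: int, D: float, c_x: float = 1.0) -> float:
    """Equation (8): U_k^dagger U* U_k is re-run for each of the 2^k values of z."""
    return 2 * (n - k) * D + 2 * 2 ** k * k * D + 2 ** k * D + 2 ** k * c_x


def oracle_cost_eq12(n: int, k: int, D: float, c_x: float = 1.0) -> float:
    """Equation (12), backtracking: U_chi^{n-k+i} is recomputed only 2^i times."""
    return (2 * (n - k) * D + 2 * sum(2 ** i * D for i in range(1, k + 1))
            + 2 ** k * D + 2 ** k * c_x)


def oracle_cost_eq15(n: int, k: int, D: float, c_x: float = 1.0) -> float:
    """Equation (15): commuting, bitwise-invariant U_chi^{n-k+1}, ..., U_chi^n."""
    return (2 * n * D + sum(2 ** i * D for i in range(1, k + 1))
            + 2 ** k * D + 2 ** k * c_x)


def grover_cost(n: int, k: int, oracle_cost: float,
                diffusion_cost: float = 0.0, M: int = 1) -> float:
    """Theorem 2.5 on the (n-k)-qubit search-space of Corollary 3.2; the
    n-qubit Hadamard term is omitted as negligible (assumption)."""
    return (math.pi / 4) * 2 ** ((n - k) / 2) / math.sqrt(M) * (oracle_cost + diffusion_cost)


def example_3_3_cost(n: int, D: float) -> float:
    """Equation (11): Equation (8) at k = log2 n with the X-gate term absorbed
    into D, multiplied by the Grover iteration count of Theorem 2.5."""
    k = math.log2(n)
    return (math.pi / 4) * 2 ** (n / 2) / math.sqrt(n) * (2 * (n - k) + n * (2 * k + 1)) * D


def optimal_cut(n: int, D: float, oracle_cost_fn) -> int:
    """The numerical search over all 0 <= k <= n suggested after Corollary 3.2."""
    return min(range(n + 1), key=lambda k: grover_cost(n, k, oracle_cost_fn(n, k, D)))


if __name__ == "__main__":
    chi = single_target_chi((1, 0, 1, 1, 0, 1))         # constructed target, n = 6, k = 3
    print(modified_oracle(chi, (1, 0, 1), 3))           # (1, 8): prefix extends to the target
    print(modified_oracle(chi, (0, 0, 1), 3))           # (0, 8)
    for fn in (oracle_cost_eq8, oracle_cost_eq12, oracle_cost_eq15):
        print(fn.__name__, "best k for n = 64, D = 1000:", optimal_cut(64, 1000.0, fn))
```

For n = 64 and D = 1000 the brute-force search returns k = 3 under (8) and k = 5 under (12) and (15), close to but not equal to the asymptotic choice $k = \log_2 n = 6$, which is why the paper recommends the numerical search rather than the formula for concrete parameters.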

3.2 Preprocessing the classical secondary-search procedure

We now turn to the benefits of preprocessing any of the previously described methods of secondary classical search.

Theorem 3.7

(Ancilla qubits allow shifting of unitary costs) Any component of the circuit that computes $U_\chi^{n-k+i}$ for 1 ≤ i ≤ k that is dependent solely on $|x_1 \ldots x_{n-k}\rangle|z_1 \ldots z_j\rangle|g_{n-k+j}(x_1, \ldots, x_{n-k}, z_1, \ldots, z_j)\rangle$ for 0 ≤ j ≤ i can be computed and stored on ancilla qubits during the computation of $U_\chi^{n-k+j}$.

Proof. The proof of this is trivial and relies solely upon the definition of the bitwise decomposition of the quantum bit oracle. □

In an ideal situation, the unitary costs will be shifted as much as possible to $U_{n-k}$.

Theorem 3.8

(Classical preprocessing allows strict gains) Let $O_\chi^{(b)}$ be a modified quantum bit oracle parameterised by 0 < k < n as in Theorem 3.1. Then, at the cost of classical storage space and/or classical preprocessing and without affecting the correctness of this algorithm, the quantum cost of $O_\chi^{(b)}$ can be reduced and is at worst unchanged, whilst we reduce the number of qubits required by k.

Proof. We will create $2^i$ circuits for each $U_\chi^{n-k+i}$, each of which is hardcoded to assume that the bits $z_1 \ldots z_i \in \{0,1\}^i$ are fixed. The first benefit is that, as we are implicitly creating a circuit which is hardcoded with a choice of $z_1 \ldots z_i$, we need not include these qubits, or any qubits which interact only with them (and not with $x_1 \ldots x_{n-k}$ by any circuit-path), in the search-space or the w-bit memory-state.

The second benefit is a reduction in the complexity of the individual circuits themselves. If we consider purely reversible circuits, then for any unitary U we have that if any $z_i$ appears in the control qubits for $\wedge_k(U)$, then this can be hardcoded as either a $\wedge_{k-1}(U)$ gate if $z_i = 1$ or removed completely if $z_i = 0$.

The third benefit is that further optimisations are possible in the sequence of hardcoded circuits $U_\chi^{n-k+1} \cdots U_\chi^n$ as a whole. If we consider a simple circuit constructed of multiple $\wedge_k(X)$ gates, all of which write to the same target qubit and where no cancellation is possible, then any hardcoding of these $\wedge_k(X)$ gates that results in a circuit with r gates $\wedge_{k'}(X)$ (for $k' < k$) with identical controls allows them to be removed if r is even or replaced with a single gate if r is odd.

Thus, if we allow for the preprocessing and additional storage, or alternatively online computation, then these hardcoded quantum circuits are no more expensive to execute and we can always reduce the number of qubits by k. □

We briefly mention that we could employ parallelism (communication costs allowing), whereby we compute $U_{n-k}$, then create $2^k$ copies of the resulting state and execute the sequence of unitaries $U_k^\dagger U^* U_k$ upon each one. This strategy allows us to bypass some of the increase in circuit-size that is a hard-limit if we treat the quantum oracle as a black-box [28], as this increase only applies to $C_{U_k}$ and $C_{U^*}$.

4 Applications to Cryptanalysis

In this section we demonstrate that our framework captures one previously proposed attack using Grover’s algorithm on Multivariate Quadratic cryptosystems, provides missing asymptotic analysis on its results and improves upon it. We conclude with demonstrating our methodology can be applied to recent quantum cryptanalysis [16] of the proposed quantum resistant cryptosystem SIKE [14].

4.1 The Multivariate Quadratic problem over 𝔽2

Definition 4.1

(The Multivariate Quadratic (𝓜𝓠) problem over 𝔽2) We define $f^{(1)}(x_1, \ldots, x_n), \ldots, f^{(m)}(x_1, \ldots, x_n) \in \mathbb{F}_2[x_1, \ldots, x_n]$ to be m equations of degree two in n variables over the finite field of size 2. The Multivariate Quadratic (𝓜𝓠) problem over 𝔽2 is to find a solution vector $(x_1, \ldots, x_n) \in \mathbb{F}_2^n$ such that

(18) $$f^{(1)}(x_1, \ldots, x_n) = \cdots = f^{(m)}(x_1, \ldots, x_n) = 0.$$

Several quantum resistant signature schemes [13, 20] have been published which rely upon the hardness of solving the Multivariate Quadratic problem over F2. Whilst asymptotically more efficient algorithms exist [3, 9], a basic attack [23] using Grover’s algorithm that was later optimised via preprocessing [21] is both captured and improved upon by our framework. We leave explicit details to Appendix A for reasons of space and to avoid duplication of preexisting work [21, 23].

This case-study provides important commentary upon the difficulty in choosing quantum resistant parameters in relation to Grover’s algorithm, as the initial quantum resistant parameters were suggested [20] in relation to the query-complexity of $O(2^{n/2})$ for Grover’s algorithm to solve the 𝓜𝓠 problem over 𝔽2. After publication of an explicit design for a quantum bit oracle to use in conjunction with Grover’s algorithm for this problem [23], which gave the quantum circuit-size $O(2^{n/2}\, m n^2)$ for Grover’s algorithm, new parameters were suggested in a subsequent paper [19] in relation to this cost. These costs were also quoted in several specifications for quantum-resistant cryptosystems in the NIST competition [6, 8]. Our framework demonstrates that one optimisation [21] using preprocessing lowers the cost to $O(2^{n/2}\, m n^{3/2})$ and that by using our framework this improves to $O(2^{n/2}\, m n)$ by using an additional $O(m \log_2 n)$ ancilla qubits. We discuss the problem of choosing quantum-resistant cryptographic parameters in relation to anything but the query-complexity of Grover’s algorithm further in Section 5.

4.2 The Computational SuperSingular Isogeny (CSSI) problem

In this section we reexamine the cost of a Grover-based attack upon the quantum-resistant key encapsulation method SIKE [14], whereby Grover is used to attack the CSSI problem (see Definition 4.2) via searching for a unique collision between two functions. We demonstrate how this attack fits into, and can be improved upon by, our framework. We provide an asymptotically better attack using Grover’s algorithm and new estimates for the hardness of solving the CSSI problem via Grover’s algorithm under various constraints (see Appendix B). These results impact upon the estimates in [16] which are quoted in the SIKE specification [14].

This problem has previously been studied in [16], where the authors argue that whilst Tani’s algorithm [25] may be the most asymptotically efficient method to solve this problem in terms of query-complexity, once the implementation of the underlying quantum data structure and memory is taken into account, Grover’s algorithm may be competitive with Tani’s algorithm.

On the cost of computing an isogeny-path

Isogenies are morphisms that are rational maps between groups of points of elliptic curves. Their degree is that of their rational map structure, and they are uniquely determined by their kernel. Given the $2^e$-torsion $E[2^e]$ of E, a degree-$2^e$ isogeny uniquely corresponds to a $x_1 \ldots x_e \in \{0,1\}^e$ via a choice of a (cyclic) kernel in $E[2^e]$. Given a kernel, the total cost of computing the corresponding $2^e$-isogenous curve is in $O(e \log_2 e)$ elliptic curve operations [10].

Definition 4.2

(The Computational SuperSingular Isogeny problem [15])

Let $E_1, E_2$ be two supersingular elliptic curves defined over $\mathbb{F}_{p^2}$ such that there is a degree-$2^e$ isogeny $\phi : E_1 \to E_2$ (up to isomorphism) with $e \approx \log_2 p / 2$. Given $E_1$, $E_2$, p and e, the Computational SuperSingular Isogeny (CSSI) problem is to find an isogeny between $E_1$ and $E_2$.

Finding (up to isomorphism) a degree-$2^e$ isogeny $\phi : E_1 \to E_2$ can be solved by finding one degree-$2^{e_1}$ isogeny $\phi_1 : E_1 \to E'$ and one degree-$2^{e_2}$ isogeny $\phi_2 : E_2 \to E''$ such that $e = e_1 + e_2$ and $E'$ is isomorphic to $E''$. The composition of isogenies $\bar{\phi}_2 \circ \phi_1$ (where $\bar{\phi}_2$ is the dual-isogeny of $\phi_2$) is then the degree-$2^e$ isogeny we are searching for. Isomorphism classes of curves are identified by their j-invariant in $\mathbb{F}_{p^2}$. Hence we define $h_i : \{0,1\}^{e_i} \to \mathbb{F}_{p^2}$ for i = 1, 2 so that $h_1(x_1 \ldots x_{e_1})$ and $h_2(x_1 \ldots x_{e_2})$ are the respective j-invariants of $E'$ where $\phi_i : E_i \to E'$ corresponds to the kernel defined by $x_1 \ldots x_{e_i} \in \{0,1\}^{e_i}$. Thus, if we find the collision $(x_1 \ldots x_{e_1}, z_1 \ldots z_{e_2}) \in \{0,1\}^{e_1} \times \{0,1\}^{e_2}$ such that $h_1(x_1 \ldots x_{e_1}) = h_2(z_1 \ldots z_{e_2})$, then we have solved the CSSI problem. As in [16] we work under the assumption that there is a single such isogeny $\phi : E_1 \to E_2$ (hence there is one target in our search-space), which is justified under the arguments of [26].

Fitting the attack to our framework

When $e_1 \approx e_2 \approx e/2$ as suggested in [16], we obtain a constant time saving over the simple search case $e_1 = e$, $e_2 = 0$, as $2 \cdot \frac{e}{2} \log_2(e/2) = e(\log_2 e - 1)$. This does not impact the asymptotic complexity of the search procedure. In our framework, we define the initial unitary $U_{n-k}$ (in this scenario n = e and $k = e_2$) to compute (where $\hat{g}_{e_1}(x_1, \ldots, x_{e_1})$ is the intermediate memory-state required to compute the j-invariant $h_1(x_1 \ldots x_{e_1})$)

(19) $$|\hat{g}_{e_1}(x_1, \ldots, x_{e_1})\rangle|0^{w_2}\rangle|h_1(x_1 \ldots x_{e_1})\rangle|x_1 \ldots x_{e_1}\rangle|z_1 \ldots z_{e_2}\rangle$$

where $|g_{e_1}(x_1, \ldots, x_{e_1})\rangle = |\hat{g}_{e_1}(x_1, \ldots, x_{e_1})\rangle|0^{w_2}\rangle|h_1(x_1 \ldots x_{e_1})\rangle$ in our framework, and the unitary $U_k$ (where $k = e_2$) is defined to map this state to

(20) $$|\hat{g}_{e_1}(x_1, \ldots, x_{e_1})\rangle|\hat{g}_{e_2}(z_1, \ldots, z_{e_2})\rangle|h_1(x_1 \ldots x_{e_1}) \oplus \overline{h_2(z_1 \ldots z_{e_2})}\rangle|x_1 \ldots x_{e_1}\rangle|z_1 \ldots z_{e_2}\rangle,$$

where $\overline{h_2(z_1 \ldots z_{e_2})} := h_2(z_1 \ldots z_k) \oplus 1^{2\log_2 p}$. Theorem 3.1 therefore gives us that we can perform a secondary classical search procedure, and we can use preprocessing as described in Theorem 3.8 to reduce the cost of the circuit. As $|\hat{g}_{e_2}(z_1, \ldots, z_{e_2})\rangle$ depends solely upon $z_1 \ldots z_{e_2}$ at all times, after hardcoding is completed the qubits required to represent it can be removed, in addition to the $e_2$ qubits of the search-space Grover is defined upon. After cancellations of layers of X gates, the $2^k$ applications of $U_k^\dagger U^* U_k$ are then simply $2^k + 1$ layers of $2\log_2 p$ X gates executed in parallel, with $\wedge_{2\log_2 p}(X)$ gates in between each layer.

In relation to the CSSI problem, the security level of SIKE [14] is parameterised by a prime p of the form $2^e 3^f - 1$ where $2^e \approx 3^f$, so that $2^e \approx p^{1/2}$. The problem of breaking an instance of SIKE-p is then equivalent to finding the unique degree-$2^e$ isogeny defined by the public-parameters of SIKE-p.

Theorem 4.3

(Grover vs CSSI) Let $C_e$ be the cost (either quantum circuit-size or quantum circuit-depth) of evaluating a degree-$2^e$ isogeny as a reversible quantum circuit. Solving the CSSI problem via Grover’s algorithm then has a cost of

(21) $$O\left(p^{1/4}\, C_e^{1/2}\, (\log_2 p)^{1/2}\right).$$

Proof. We can express the asymptotic cost of our attack parameterised by our choice of $e_2$ (where we recall $e_1 + e_2 = e$) as

(22) $$O\left(\frac{p^{1/4}}{2^{e_2/2}}\left[2C_e + \log_2 p \cdot \log_2 p + 2^{e_2} \cdot 2\log_2 p\right]\right)$$

if we assume $C_{e_1} \approx C_e$ when all other parameters are fixed and that the secondary classical-search procedure is in $O(2^{e_2} \log_2 p)$ gates, as discussed above. Taking the derivative of (22) gives our optimal value of $e_2 = \log_2\left(C_e / \log_2 p\right)$. □

This is in comparison to simply using the oracle with Grover’s algorithm for a circuit-size of $O(p^{1/4} C_e)$. Evaluating a degree-$2^e$ isogeny takes $O(e \log_2 e)$ curve operations [10], each of which can be assumed to cost $O((\log_2 p)^2 \log_2 \log_2 p)$ quantum gates [22, Table 1] (this may be an underestimate). Thus $C_e \in O(e (\log_2 e)(\log_2 p)^2 (\log_2 \log_2 p))$ and our asymptotic speedup is in $O((\log_2 p) \cdot (\log_2 \log_2 p))$. In [16], Grover’s algorithm is used to derive estimates on the cost of attacking SIKE for specific security parameters, and in Appendix B we use our result with their methodology.
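An added numerical check (not from the paper) of the derivation above: Equation (22) is minimised over $e_2$ and compared with the closed-form optimum of Theorem 4.3 for a constructed integer of the SIKE form $2^e 3^f - 1$; all constants hidden by the O-notation, and the estimate of $C_e$ from the paragraph above, are taken with constant 1, which is an assumption.

```python
import math


def sike_like_prime(e: int, f: int) -> int:
    """An integer of the SIKE form 2^e 3^f - 1 (constructed input; only its size
    matters for the cost model, so primality is not checked here)."""
    return 2 ** e * 3 ** f - 1


def isogeny_cost(e: int, p: int) -> float:
    """C_e as estimated in Section 4.2: O(e log2 e) curve operations [10], each
    O((log2 p)^2 log2 log2 p) gates [22]; O-constants taken as 1 (assumption)."""
    lp = math.log2(p)
    return e * math.log2(e) * lp ** 2 * math.log2(lp)


def attack_cost(p: int, e2: int, c_e: float) -> float:
    """Equation (22): p^(1/4) / 2^(e2/2) Grover iterations, each costing
    2 C_e + log2 p * log2 p + 2^e2 * 2 log2 p (the secondary search over e2 bits)."""
    lp = math.log2(p)
    iterations = 2 ** (lp / 4 - e2 / 2)
    return iterations * (2 * c_e + lp * lp + 2 ** e2 * 2 * lp)


def optimal_e2_numeric(p: int, e: int, c_e: float) -> int:
    """Brute-force minimum of (22) over the integer cuts 0 <= e2 <= e."""
    return min(range(e + 1), key=lambda e2: attack_cost(p, e2, c_e))


def optimal_e2_closed_form(p: int, c_e: float) -> float:
    """e_2 = log2(C_e / log2 p), the zero of the derivative of (22)."""
    return math.log2(c_e / math.log2(p))


def speedup_over_plain_grover(p: int, e: int, c_e: float) -> float:
    """Ratio of the unmodified-oracle cost O(p^(1/4) C_e) to the optimised cost.
    Theorem 4.3 predicts growth like sqrt(C_e / log2 p) = O(log2 p log2 log2 p)."""
    lp = math.log2(p)
    plain = 2 ** (lp / 4) * c_e
    return plain / attack_cost(p, optimal_e2_numeric(p, e, c_e), c_e)


if __name__ == "__main__":
    e, f = 100, 63                      # constructed sizes with 2^e close to 3^f
    p = sike_like_prime(e, f)
    c_e = isogeny_cost(e, p)
    print("numeric e2:", optimal_e2_numeric(p, e, c_e))          # 20
    print("closed-form e2: %.2f" % optimal_e2_closed_form(p, c_e))
    print("speedup: %.1f" % speedup_over_plain_grover(p, e, c_e))
```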

5 Conclusions

The extent to which the overhead of the quantum oracle can be reduced is clearly an important issue if the cryptographic community is choosing parameters relative to a costing of Grover’s algorithm which takes into account both the query-complexity and the cost of the queries themselves. The safest route is of course to simply choose the query-complexity as a lower-bound on the circuit-size for such Grover-based attacks and this protects against our optimisation as we only increase the total number of queries.

Our gains have instead been enabled via better use of intermediate computations and exploiting classical computation to create efficient hardcoded circuits, both of which can then be used to find an optimal balance between the cost of the quantum oracle and the query-complexity. Whilst our methods are obviously not applicable to all quantum oracles, a cautionary half-way measure between using the lower-bound of query-complexity and the current methodology may be to produce a conservative quantum resource estimate for the cost of the quantum oracle and use the square root of this for the overhead of the quantum oracle when choosing cryptographic parameters relative to Grover’s algorithm.

Acknowledgement

This research was supported by funding from EPSRC grant EP/M50645X/1, National Science Foundation grant 183980, National Science Foundation grant 1846166, National Institute of Standards and Technology grant 60NANB17D184, the CyberFlorida Collaborative Seed Grant Program and the CyberFlorida Capacity Building Program.

References

[1] John Ahlgren, The Probability Distribution for Draws Until First Success Without Replacement, arXiv preprint arXiv:1404.1161 (2014).

[2] M. Amy, D. Maslov, M. Mosca and M. Roetteler, A meet-in-the-middle algorithm for fast synthesis of depth-optimal quantum circuits, IEEE Trans. on Computer-Aided Design of Integrated Circuits and Systems 32 (2013), 818–830. doi:10.1109/TCAD.2013.2244643

[3] D. Bernstein and B.-Y. Yang, Asymptotically faster quantum algorithms to solve multivariate quadratic equations, in: International Conference on Post-Quantum Cryptography, Springer, pp. 487–506, 2018. doi:10.1007/978-3-319-79063-3_23

[4] M. Boyer, G. Brassard, P. Høyer and A. Tapp, Tight bounds on quantum searching, arXiv quant-ph/9605034 (1996).

[5] Denis Xavier Charles, Kristin E. Lauter and Eyal Z. Goren, Cryptographic Hash Functions from Expander Graphs, J. Cryptology 22 (2009), 93–113. doi:10.1007/s00145-007-9002-x

[6] Ming-Shing Chen, Andreas Hülsing, Joost Rijneveld, Simona Samardjiska and Peter Schwabe, MQDSS: Submission to the NIST post-quantum cryptography project, 2017.

[7] Anamaria Costache, Brooke Feigon, Kristin E. Lauter, Maike Massierer and Anna Puskás, Ramanujan graphs in cryptography, CoRR abs/1806.05709 (2018). doi:10.1007/978-3-030-19478-9_1

[8] Jintai Ding, Ming-Shen Chen, Albrecht Petzoldt, Dieter Schmidt and Bo-Yin Yang, Gui: Submission to the NIST post-quantum cryptography project. Specification, 2017.

[9] Jean-Charles Faugère, Kelsey Horan, Delaram Kahrobaei, Marc Kaplan, Elham Kashefi and Ludovic Perret, Fast Quantum Algorithm for Solving Multivariate Quadratic Equations, arXiv preprint arXiv:1712.07211 (2017).

[10] L. De Feo, D. Jao and J. Plût, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, J. Mathematical Cryptology 8 (2014), 209–247. doi:10.1515/jmc-2012-0015

[11] Frank Gray, Pulse code communication, US Patent 2,632,058, March 17, 1953.

[12] L. Grover, A fast quantum mechanical algorithm for database search, in: Proc. of the 28th annual ACM symp. on Theory of computing, ACM, pp. 212–219, 1996. doi:10.1145/237814.237866

[13] Andreas Hülsing, Joost Rijneveld, Simona Samardjiska and Peter Schwabe, From 5-pass MQ-based identification to MQ-based signatures, IACR Cryptology ePrint Archive 2016 (2016), 708.

[14] D. Jao, R. Azarderakhsh, M. Campagna, C. Costello, L. De Feo, B. Hess, A. Jalali, B. Koziel, B. LaMacchia, P. Longa, M. Naehrig, G. Pereira, J. Renes, V. Soukharev and D. Urbanik, SIKE, https://sike.org, 2017, Round 2 NIST submission for the standardisation of Post-Quantum Cryptography.

[15] D. Jao and L. De Feo, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, in: International Workshop on Post-Quantum Cryptography, Springer, pp. 19–34, 2011. doi:10.1007/978-3-642-25405-5_2

[16] S. Jaques and J. Schanck, Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE, University of Waterloo, Report, 2019, to appear in the proceedings of CRYPTO 2019. doi:10.1007/978-3-030-26948-7_2

[17] D. Maslov, Advantages of using relative-phase Toffoli gates with an application to multiple control Toffoli optimization, Physical Review A 93 (2016), 022311. doi:10.1103/PhysRevA.93.022311

[18] M. Nielsen and I. Chuang, Quantum Computation and Quantum Information, 2010. doi:10.1017/CBO9780511976667

[19] A. Petzoldt, M.-S. Chen, J. Ding and B.-Y. Yang, HMFEv: an efficient multivariate signature scheme, in: International workshop on post-quantum cryptography, Springer, pp. 205–223, 2017. doi:10.1007/978-3-319-59879-6_12

[20] A. Petzoldt, M.-S. Chen, B.-Y. Yang, C. Tao and J. Ding, Design principles for HFEv-based multivariate signature schemes, in: Int. Conference on the Theory and Application of Cryptology and Information Security, Springer, pp. 311–334, 2015. doi:10.1007/978-3-662-48797-6_14

[21] Benjamin Pring, Exploiting preprocessing for quantum search to break parameters for MQ cryptosystems, in: Arithmetic of Finite Fields, 7th International Workshop, WAIFI 2018, Revised Selected Papers, 2018. doi:10.1007/978-3-030-05153-2_17

[22] M. Roetteler, M. Naehrig, K. Svore and K. Lauter, Quantum resource estimates for computing elliptic curve discrete logarithms, in: International Conference on the Theory and Application of Cryptology and Information Security, Springer, pp. 241–270, 2017. doi:10.1007/978-3-319-70697-9_9

[23] P. Schwabe and B. Westerbaan, Solving Binary MQ with Grover’s Algorithm, in: SPACE 2016, Springer, pp. 303–322, 2016. doi:10.1007/978-3-319-49445-6_17

[24] P. Selinger, Quantum circuits of T-depth one, Phys. Rev. A 87 (2013), 042302. doi:10.1103/PhysRevA.87.042302

[25] Seiichiro Tani, An improved claw finding algorithm using quantum walk, in: International Symposium on Mathematical Foundations of Computer Science, Springer, pp. 536–547, 2007.

[26] David Urbanik and David Jao, SoK: The problem landscape of SIDH, in: Proceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, ACM, pp. 53–60, 2018. doi:10.1145/3197507.3197516

[27] Paul C. van Oorschot and Michael J. Wiener, Parallel collision search with application to hash functions and discrete logarithms, in: Proceedings of the 2nd ACM Conference on Computer and Communications Security, ACM, pp. 210–218, 1994. doi:10.1145/191177.191231

[28] C. Zalka, Grover’s quantum searching algorithm is optimal, Physical Review A 60 (1999), 2746. doi:10.1103/PhysRevA.60.2746

A Adapting a quantum bit oracle for the 𝓜𝓠 problem over 𝔽2

In this Section we study how an existing quantum oracle design [23] can be modified to fit under our framework. We first describe the original oracle design [23], how a previous optimisation [21] falls under our framework, and how this preexisting method can be improved via our framework to reduce the total circuit-size through the use of additional ancilla qubits. We first recall Definition 4.1.

Definition 4.1

(The Multivariate Quadratic (𝓜𝓠) problem over 𝔽2) We define $f^{(1)}(x_1, \dots, x_n), \dots, f^{(m)}(x_1, \dots, x_n) \in \mathbb{F}_2[x_1, \dots, x_n]$ to be $m$ equations of degree two in $n$ variables over the finite field of size 2. The Multivariate Quadratic (𝓜𝓠) problem over 𝔽2 is to find a solution vector $(x_1, \dots, x_n) \in \mathbb{F}_2^n$ such that

(A.1) $f^{(1)}(x_1, \dots, x_n) = \cdots = f^{(m)}(x_1, \dots, x_n) = 0.$

A quantum bit oracle for the 𝓜𝓠 problem over 𝔽2

We first describe a quantum bit oracle to solve this problem proposed by Schwabe and Westerbaan [23]. They first perform a classical preprocessing so that 1 is added to each $f^{(k)}(x_1, \dots, x_n)$. In this way the original system of equations is satisfied when we find an element $(x_1, \dots, x_n)$ such that $f^{(k)}(x_1, \dots, x_n) = 1$ for $k = 1, \dots, m$. Their quantum bit oracle evaluates each multivariate polynomial in a separate register and then uses a single $\wedge_m(X)$ gate to check if they are all satisfied. By noting $x_i x_j = x_j x_i$ and $x_i^2 = x_i$, each multivariate polynomial can be written

(A.2) $f^{(k)}(x_1, \dots, x_n) = \bigoplus_{1 \le i < j \le n} a^{(k)}_{i,j} x_i x_j \oplus \bigoplus_{i=1}^{n} b^{(k)}_i x_i \oplus c^{(k)},$

where $a^{(k)}_{i,j}, b^{(k)}_i, c^{(k)} \in \mathbb{F}_2$. Schwabe and Westerbaan define the quantum bit oracle as acting upon $n + m + 2$ qubits, so that it uses $n$ qubits for Grover’s search-space, $m$ qubits to store the evaluated equations, 1 ancilla qubit to allow the efficient evaluation of the equations and 1 qubit for the output of the quantum bit oracle. The evaluation of each $f^{(k)}$ is performed via successively adding the sums

(A.3) $x_i \left( a^{(k)}_{i,i+1} x_{i+1} \oplus \cdots \oplus a^{(k)}_{i,n} x_n \oplus b^{(k)}_i \right)$

onto the $m$ equation registers, one equation at a time. Each step for $i = 1, \dots, n$ (via an ancilla qubit starting and ending in $|0\rangle$) can be accomplished using at most 1 $X$ gate, $n - i$ $\wedge_1(X)$ gates and a single $\wedge_2(X)$ gate. A single $\wedge_m(X)$ gate is used after all equations are evaluated on the $m$ registers to write the output of the quantum bit oracle, which will be 1 if all of the original equations are satisfied.

Applying our framework

A previously published use of preprocessing exploits only a basic form of secondary classical-search (Theorem 3.1) combined with preprocessing (Theorem 3.8), which under our framework can be interpreted by defining $U_{n-k}$ to evaluate $m$ equations of the form

(A.4) $f^{(k)}(x_1, \dots, x_{n-k}) = \bigoplus_{1 \le i < j \le n-k} a^{(k)}_{i,j} x_i x_j \oplus \bigoplus_{i=1}^{n-k} b^{(k)}_i x_i,$

which is possible as they are simply $m$ equations in $n - k$ variables. $U_k$ is then the addition of

(A.5) $f^{(k)}(x_1, \dots, x_{n-k}, z_1, \dots, z_k) \oplus f^{(k)}(x_1, \dots, x_{n-k})$

to each equation register, whilst $U^*$ is a $\wedge_m(X)$ gate as before. It is easily seen that $C_{\wedge_m(X)}$ is $O(m)$, that $C_{U_{n-k}}$ is $O(m \cdot (n-k)^2)$ by the discussion on the previous page, and that $C_{U_k}$ is $O(m \cdot (n-k))$, as hardcoding collapses sums involving $x_i z_j$ to either 0 or $x_i$ and interactions between $z_i z_j$ or $z_k$ to a single bit. The asymptotic cost of Grover’s algorithm with the modified quantum bit oracle using secondary classical search and hardcoded bits is therefore

(A.6) $O\left( 2^{n/2} \left( 2^{-k/2} \, m (n-k)^2 + 2^{k/2} \, m (n-k) \right) \right)$

and by taking the derivative we find that the optimal $k \approx \log_2(n)$, so that the asymptotic quantum circuit-size of Grover using approximately $n - \log_2 n + m + 2$ qubits and the method described in [21] is $O\left( 2^{n/2} \, m \, n^{3/2} \right)$. This asymptotic analysis was not performed in the original paper.

Following a heuristic design pattern with our framework

We use our framework to improve upon this result, obtaining a quantum bit oracle for the 𝓜𝓠 problem over 𝔽2 that uses $n + km + m + 2$ qubits and enables Grover’s algorithm to be implemented with a quantum circuit-size of $O\left( 2^{n/2} \, m \, n \right)$. This can be done via simply redefining the unitary operators to use Theorem 3.5 in conjunction with Theorem 3.7: we keep $U_{n-k}$ as before, but define each unitary $U_{\chi_{n-k+i}}$ for $1 \le i \le k$ by the action of adding only the component

(A.7) $z_i \left( a^{(k)}_{1,i} x_1 \oplus \cdots \oplus a^{(k)}_{n-k,i} x_{n-k} \oplus b^{(k)}_i \right).$

It is clear that these linear sums can be computed and stored on ancilla qubits via Theorem 3.7 and that this cost can be shifted to $U_{n-k}$. We then have that these unitary operators fulfil Theorem 3.5 and that, after the shifting of costs to $U_{n-k}$, each $U_i$ consists of a single $\wedge_1(X)$ gate. We can then define $U^*$ to add the component which only involves the bits $z_1, \dots, z_k$ (which collapses to a hardcoded bit and at most $m$ $X$ gates), execute a $\wedge_m(X)$ gate and uncompute the hardcoded bit again via at most one $X$ gate. In this way the cost for Grover’s algorithm (see Theorem 3.5) using this quantum bit oracle becomes

(A.8) $O\left( 2^{n/2} \left( 2^{-k/2} \, m \, n^2 + 2^{k/2} \, m \right) \right),$

hence after optimisation via taking the derivative again with respect to $k$ and simplifying we obtain that the optimal cut to choose is $k \approx \log_2(n^2)$. This gives us the result that if we allow $n + m(2 \log_2 n + 1) + 2$ qubits then Grover’s algorithm requires a quantum circuit-size of $O\left( 2^{n/2} \, m \, n \right)$.
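The decomposition used in this appendix, as an added example that is not code from the paper: a Python script on constructed random 𝓜𝓠 systems over 𝔽2 (not the paper's own instances) that evaluates each equation directly via (A.2) and through the split into a $U_{n-k}$ stage over the first $n-k$ variables plus a hardcoded stage for the last $k$ variables, counts how many $\wedge_1(X)$ gates that hardcoded stage needs, and checks over all of $\mathbb{F}_2^n$ that the two evaluations agree and that the hardcoded stage never exceeds $n-k$ such gates per equation.

```python
import random
from itertools import combinations

def random_mq_system(n, m, seed=1):
    """Constructed MQ system over F2 in the form (A.2): per equation a[(i, j)] (i < j), b[i], c."""
    rng = random.Random(seed)
    eqs = []
    for _ in range(m):
        a = {(i, j): rng.randrange(2) for i, j in combinations(range(n), 2)}
        eqs.append((a, [rng.randrange(2) for _ in range(n)], rng.randrange(2)))
    return eqs

def evaluate(eq, x):
    """Direct evaluation of f^(k)(x) as in (A.2), arithmetic over F2."""
    a, b, c = eq
    v = c
    for (i, j), coef in a.items():
        v ^= coef & x[i] & x[j]
    for i, coef in enumerate(b):
        v ^= coef & x[i]
    return v

def split_eval(eq, n, k, x_head, z):
    """Evaluate f with the last k variables fixed classically to z (the U_{n-k} / U_k split).
    Returns (value, number of wedge_1(X) gates the hardcoded U_k stage needs for this z)."""
    a, b, c = eq
    nk = n - k
    v = 0
    # U_{n-k}: row sums (A.3) over the first n-k variables: at most n-k-i wedge_1(X),
    # one X for b_i and one wedge_2(X) per row.
    for i in range(nk):
        lin = b[i]
        for j in range(i + 1, nk):
            lin ^= a[(i, j)] & x_head[j]
        v ^= x_head[i] & lin
    # U_k: with z known, each sum of x_i z_j terms collapses to 0 or x_i,
    # so it costs at most one wedge_1(X) per remaining variable (O(n-k) total).
    uk_gates = 0
    for i in range(nk):
        if sum(a[(i, nk + j)] & z[j] for j in range(k)) % 2:
            v ^= x_head[i]
            uk_gates += 1
    # The z_i z_j, b z_i and c terms collapse to a single hardcoded bit (at most one X gate).
    const = c
    for i in range(k):
        const ^= b[nk + i] & z[i]
        for j in range(i + 1, k):
            const ^= a[(nk + i, nk + j)] & z[i] & z[j]
    return v ^ const, uk_gates

def check_split(n, k, m, seed=1):
    """Exhaustively confirm split_eval matches evaluate on all of F2^n and that the
    U_k stage never needs more than n-k wedge_1(X) gates for any equation."""
    for eq in random_mq_system(n, m, seed):
        for bits in range(2 ** n):
            x = [(bits >> t) & 1 for t in range(n)]
            v, uk_gates = split_eval(eq, n, k, x[:n - k], x[n - k:])
            if v != evaluate(eq, x) or uk_gates > n - k:
                return False
    return True
```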

B Cost estimates of the attacks against SIKE

The authors of [16] consider two cost-metrics which are grounded in real-world concerns. They consider both the total quantum circuit-size (# gates) the algorithm requires and a new metric consisting of the product of the quantum circuit-Depth and the quantum circuit-Width (D × W). The D × W metric stems from considering the problems of implementing quantum error-correction and posits that this is a sensible metric as the cost of performing quantum error-correction will be a dominating factor in terms of real-world costs and it must be performed upon qubits which are both idle and being acted upon by quantum gates. Both are important metrics at the current time owing to uncertainty about the eventual architecture of quantum computers.

Figure 1 gives a table of the costs that we have derived using our preprocessing improvements upon the Grover-based SIKE attack as given in [16]. The first three rows give the quantum circuit-complexity for Grover’s algorithm and are optimal in terms of both the circuit-size and the D × W metric, whilst the last four rows give both the optimal circuit-size and D × W versions of both Tani’s algorithm [25] and the van Oorschot-Wiener approach [27]. We do not examine the issue of constraints as in [16], but note that our comments about parallelism strategies may allow gains in this area.

Figure 1 Comparison between conservative estimations (in log2) for quantum-circuit-complexity (Gates, Depth,Width) in log2 required for various approaches to cryptanalysis of SIKE-p, including the proposed Depth×Width cost-metric [16].

The first row details the quantum circuit-complexity of Grover from [16] using the assumption that the cost of the quantum oracle is derived from computing one degree-$2^{e/2}$ isogeny for a cost of $\frac{e}{2} \log_2(e/2)$ elliptic curve operations and that these elliptic curve operations cost $4 \log_2 p \, \log_2 \log_2 p$ quantum gates, which they state is a conservative estimate and hence useful to derive security estimates from.

The second row uses our optimisation, but with the cost of computing our degree-$2^{e_1}$ isogeny as $e \log_2 e$ elliptic curve operations (recall $e_1 + e_2 = e$) and assumes these elliptic curve operations again cost $4 \log_2 p \, \log_2 \log_2 p$ quantum gates.

The third row uses our optimisation and the assumption that the degree-$2^{e_1}$ isogeny costs $e \log_2 e$ elliptic curve operations but assumes these curve operations cost $4 (\log_2 p)^2 \log_2 \log_2 p$ quantum gates. This estimate, whilst perhaps still conservative, is perhaps more realistic [22]. We note that even though we have increased the costs, our optimisation still has a lower quantum-circuit complexity, and note that row 2 implies that Grover may be comparable with Tani’s algorithm in the gate-based metric and has the potential to beat Tani’s algorithm in the D × W metric. This stems from the fact that even though we are assuming higher individual cost components (row 3), the algorithmic advantages are such that we have an $O(\log_2 \log_2 p)$ advantage in circuit-size over that described in row 1 from [16].

  • Grover may be superior in the Depth × Width cost metric. For SIKE-434 we have a cost of $2^{126}$ for Grover’s algorithm compared to $2^{132}$ for Tani’s algorithm, and for SIKE-610 the cost is $2^{170}$ compared to Tani’s cost of $2^{176}$.

  • Grover may be competitive in the gate-based metric. For SIKE-434 this translates into a cost of $2^{126}$ for Grover’s algorithm compared to $2^{124}$ for Tani’s algorithm, and for SIKE-610 a cost of $2^{171}$ compared to Tani’s cost of $2^{169}$.

Received: 2019-06-05
Accepted: 2019-07-01
Published Online: 2020-11-17

© 2020 J.-F. Biasse and B. Pring, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
