Benchmarking the quantum cryptanalysis of symmetric, public-key and hash-based cryptographic schemes

Quantum algorithms can break factoring and discrete logarithm based cryptography and weaken symmetric cryptography and hash functions.

In order to estimate the real-world impact of these attacks, apart from tracking the development of fault-tolerant quantum computers it is important to have an estimate of the resources needed to implement these quantum attacks.

For attacking symmetric cryptography and hash functions, generic quantum attacks are substantially less powerful than they are for today’s public-key cryptography. So security will degrade gradually as quantum computing resources increase. At present, there is a substantial resource overhead due to the cost of fault-tolerant quantum error correction. We provide estimates of this overhead using state-of-the-art methods in quantum fault-tolerance. For example, recent lattice surgery methods reduced memory costs by roughly a factor of 5 over previous methods. Future advances in fault-tolerance and in the quality of quantum hardware may reduce this overhead further. Another part of the cost of implementing generic quantum attacks is the cost of implementing the cryptographic functions. We use state-of-the-art optimized circuits, though further improvements in their implementation would also reduce the resources needed to implement these attacks. To bound the potential impact of further circuit optimizations we provide cost estimates assuming trivial-cost implementations of these functions. These figures indicate the effective bit-strength of the various symmetric schemes and hash functions based on what we know today (and with various assumptions on the quantum hardware), and frame the various potential improvements that should continue to be tracked. As an example, we also look at the implications for Bitcoin’s proof-of-work system.

For many of the currently used asymmetric (public-key) cryptographic schemes based on RSA and elliptic curve discrete logarithms, we again provide cost estimates based on the latest advances in cryptanalysis, circuit compilation and quantum fault-tolerance theory. These allow, for example, a direct comparison of the quantum vulnerability of RSA and elliptic curve cryptography for a fixed classical bit strength.

This analysis provides state-of-the art snap-shot estimates of the realistic costs of implementing quantum attacks on these important cryptographic algorithms, assuming quantum fault-tolerance is achieved using surface code methods, and spanning a range of potential error rates. These estimates serve as a guide for gauging the realistic impact of these algorithms and for benchmarking the impact of future advances in quantum algorithms, circuit synthesis and optimization, fault-tolerance methods and physical error rates.

TABLE OF CONTENTS

I. Introduction 2

II. Methodology 3 A. Symmetric cryptography and hash functions 3 B. Public-key cryptography 4

III. Symmetric ciphers 4 A. AES-128 5 B. AES-192 6 C. AES-256 6

IV. Hash functions 7 A. SHA-256 7 B. SHA3-256 8

V. Bitcoin 8

VI. Intrinsic cost of parallelized Grover’s algorithm 9 A. Searching space of size $2^{56}$ 9 B. Searching space of size $2^{64}$ 10 C. Searching space of size $2^{128}$ 11 D. Searching space of size $2^{256}$ 12

VII. RSA schemes 12 A. RSA-1024 12 B. RSA-2048 13 C. RSA-3072 13 D. RSA-4096 14 E. RSA-7680 14 F. RSA-15360 14

VIII. Elliptic curve schemes 15 A. NIST P-160 15 B. NIST P-192 15 C. NIST P-224 16 D. NIST P-256 16

I. INTRODUCTION

Symmetric, public-key (asymmetric) and hash-based cryptography constitute a fundamental pillar of modern cryptography. Symmetric cryptography includes symmetric-key encryption, where a shared secret key is used for both encryption and decryption. Cryptographic hash functions map arbitrarily long strings to strings of a fixed finite length. Currently deployed public-key schemes are used to establish a common secret key between two remote parties. They are based on factoring large numbers or solving the discrete logarithm problem over a finite group. For more details about modern cryptography the interested reader can consult one of the many excellent references on the topic, e.g. [1].

In contrast to asymmetric schemes based on factoring or solving the discrete logarithm problem and which are completely broken by a quantum adversary via Shor’s algorithm [2], symmetric schemes and hash functions are less vulnerable to quantum attacks. The best known quantum attacks against them are based on Grover’s quantum search algorithm [3], which offers a quadratic speedup compared to classical brute force searching. Given a search space of size $N$, Grover’s algorithm finds, with high probability, an element $x$ for which a certain property such as $f(x) = 1$ holds, for some function $f$ we know how to evaluate (assuming such a solution exists). The algorithm evaluates $f$ a total of $O(\sqrt{N})$ times. It applies a simple operation in between the evaluations of $f$, so the $O(\sqrt{N})$ evaluations of $f$ account for most of the complexity. In contrast, any classical algorithm that evaluates $f$ in a similar “black-box” way requires on the order of $N$ evaluations of $f$ to find such an element.

Any quantum algorithm can be mapped to a quantum circuit, which can be implemented on a quantum computer. The quantum circuit represents what we call the “logical layer”. Such a circuit can always be decomposed in a sequence of “elementary gates”, such as Clifford gates (CNOT, Hadamard etc. [4]) augmented by a non-Clifford gate such as the T gate.

Running a logical circuit on a full fault-tolerant quantum computer is highly non-trivial. The sequence of logical gates have to be mapped to sequences of surface code measurement cycles (see e.g. [5] for extensive details). By far, the most resource-consuming (in terms of number of qubits required and time) is the T gate. In comparison with surface code defects and braiding techniques [5], novel lattice surgery techniques [6, 8, 9] reduce the spatial overhead required for implementing T gates via magic state distillation by approximately a factor of 5, while also modestly improving the running time.

In this paper we first analyze the security of symmetric schemes and hash functions against large-scale fault-tolerant quantum adversaries, using surface code defects and braiding techniques. We take into account the time-space trade-offs with parallelizing quantum search, down to the fault-tolerant layer. Naively, one might hope that $K$ quantum computers (or quantum “processors”, as we will call them later in the paper) running in parallel reduce the number the circuit depth down to $O(\sqrt{N}/K)$ steps, similar to the classical case of distributing a search space across $K$ classical processors. However quantum searching does not parallelize so well, and the required number of steps for parallel quantum searching is of the order $O(\sqrt{N}/K)$ [10]. This is a factor of $\sqrt{K}$ larger than $O(\sqrt{N}/K)$. As shown in [10], the optimal way of doing parallel quantum search is to partition the search space into $N/K$ parts, and to perform independent quantum searches on each part.

Secondly, we investigate the security of public-key cryptographic schemes such as RSA and ECC against quantum attacks, using the latest developments in theory of fault-tolerant quantum error correction, i.e. novel lattice surgery techniques [6, 8, 9].

The remainder of this paper is organized as follows. In Sec. II, we provide an overview of the methodology used in our analysis. In Sec. III we investigate the security of the AES family of modern symmetric ciphers. In Sec. IV we analyze the security of the SHA family of hash functions. In Sec. V we investigate the security of Bitcoin’s [11] proof-of-work consensus mechanism. We conclude our investigation of symmetric and hash-based cryptographic schemes in Sec. VI, where we evaluate the intrinsic cost of running the Grover algorithm with a trivial oracle (i.e., an oracle with a unit cost of 1 for each invocation).

In the subsequent sections we analyze public-key cryptographic schemes. In Sec. VII and Sec. VIII we examine the most common public-key establishment schemes, such as RSA and ECC, respectively. In the subsequent sections we analyze public-key cryptographic schemes. In Sec. VII and Sec. VIII we examine the most common public-key establishment schemes, such as RSA and ECC, respectively. Finally we summarize our findings and conclude in Sec. IX.

1 Clifford gates are “cheap”, i.e. they require relatively small overhead for implementation in the surface code, but are not universals, hence a non-Clifford gate is required. One such gate is the T gate. There are other possible choices, however all of the non-Clifford gates require special techniques such as magic state distillation [6, 7] and significant overhead (order of magnitudes higher than Clifford gates) to be implemented in the surface code. In fact, to a first order approximation, for the purpose of resource estimation, one can simply ignore the overhead introduced by the Clifford gates and simply focus only on the T gate.

II. METHODOLOGY

A. Symmetric cryptography and hash functions

The methodology, sketched in Fig. 1 and Fig. 2, follows the same lines as the one described in great detail in our earlier paper [12], which we refer the interested reader to for more details.

![Diagram of methodology]

FIG. 1. Analyzing an attack against a symmetric cryptographic function with a fault-tolerant quantum adversary. Our resource estimation methodology takes into account several of the layers between the high level description of an algorithm and the physical hardware required for its execution. Our approach is modular should assumptions about any of these layers change, and hence it allows one to calculate the impact of improvements in any particular layer.

We assume a surface-code based fault-tolerant architecture [5], using Reed-Muller distillation schemes [13]. For each scheme we vary the possible physical error rates per gate from $10^{-4}$ to $10^{-7}$. We believe that this range of physical error rates is wide enough to cover both first generation quantum computers as well as more advanced future machines. In comparison to surface code defects and braiding methods [5], lattice surgery techniques [6, 8, 9] mostly impact the physical footprint of the fault-tolerant layer required to run a specific quantum algorithm, reducing the distillation overhead by approximately a factor of 5. The temporal overhead (i.e. the number of surface code cycles) is reduced less drastically. For this reason, lattice surgery has less significant effects in estimating the security of symmetric schemes or hash functions.

![Diagram of Grover’s algorithm]

FIG. 2. Grover searching with an oracle for $f : {0, 1}^k \rightarrow {0, 1}^k$. The algorithm makes $\left\lfloor \frac{\pi}{4} \frac{2^{N/2}}{2} \right\rfloor$ calls to $G$, the Grover iteration, or, if parallelized on $K$ processors, $\left\lfloor \frac{\pi}{4} \frac{2^{N/(2K)}}{2} \right\rfloor$ calls to $G$. The Grover iteration has two subroutines. The first, $U_g$, implements the predicate $g : {0, 1}^k \rightarrow {0, 1}$ that maps $x$ to 1 if and only if $f(x) = y$. Each call to $U_g$ involves two calls to a reversible implementation of $f$ and one call to a comparison circuit that checks whether $f(x) = y$.

reducing the security parameter(^2) by at most 1 and decreasing the spatial overhead by at most a factor of 5. Therefore when estimating the security of symmetric and hash-based cryptographic schemes we use surface code defects and braiding techniques.

For each cryptographic primitive, we display four plots, in the following order:

We plot the total number of surface code cycles per CPU (where a CPU is a quantum computer capable of executing a single instance of Grover’s quantum search algorithm) as a function of the number of CPUs. We directly tie the quantum security parameter to the total number of surface code cycles (see [12] for more details). We also add to the plot the theoretical lower bound achievable by quantum search in the cases of: a) considering the oracle a black box of unit cost (lower line), and b) considering the oracle as composed of ideal quantum gates, each of unit cost (upper line). Note that the difference between b) and a) represents the intrinsic cost of logical overhead (i.e. the overhead introduced by treating the oracle as a logical circuit and not a blackbox), whereas the difference between the upper lines and b) represents the intrinsic cost introduced by the fault-tolerant layer.
We plot the total wall-time per CPU (i.e. how long will

(^2)The security parameter is defined as the logarithm base two of the number of fundamental operations (in our case surface code cycles) required to break the scheme.

the whole computation take on a parallel quantum architecture) as a function of the number of CPUs. The horizontal dashed line represents the one-year time line, i.e., the $x$ coordinate of the intersection point between the “Total time per CPU” line and the one-year time line provides the number of processors required to break the system within one year (in $\log_2$ units).

We plot the total physical footprint (number of qubits) per CPU, as a function of the number of CPUs.
Finally we plot the total physical footprint (number of qubits) of all quantum search machines (CPUs) running in parallel.

In the following sections we proceed to analyze symmetric ciphers (AES, Sec. III), hash functions (SHA-256, SHA3-256, Sec. IV, Bitcoin’s hash function, Sec. V), and finally the minimal resources required for running Grover’s algorithm with a trivial oracle VI (e.g., the identity gate) on search spaces of various sizes.

Note that in some ranges of the plots from sections III, IV, VI and V the total physical footprint increases slightly with the number of processors, which may seem counter-intuitive. This happens due to the fact that with more processors the required code distances decrease, and in some instances one can pipeline more magic states factories in parallel into the surface code, which in effect causes an increase in the overall physical footprint. Note that the total time per CPU is monotonically decreasing, as parallelizing distilleries does not increase the wall time. For more details see [12].

B. Public-key cryptography

Most of the recent progress in quantum cryptanalysis is related to the fault-tolerant layer in Fig. 1. New methods and techniques based on surface code lattice surgery [6, 8, 9] allow a significant decrease of the overall footprint (number of qubits, or space) taken by the quantum computation, and also a relatively modest decrease in time, in comparison with methods based on surface code defects and braiding [5, 13].

We consider the best up-to-date optimized logical quantum circuits for attacking RSA and ECC public-key schemes [14–17] then perform a physical footprint resource estimation analysis using lattice surgery techniques. We remark that the overall time required to run the algorithm depends on the level of parallelization for the magic state factories $^3$.

For each public-key cryptographic scheme, we analyze the space/time tradeoffs and plot the results on a double logarithmic scale. We fit the data using a third degree polynomial$^4$ and obtain an analytical closed-form formula for the relation between the time and the number of qubits required to attack the scheme, in the form

$$y(x) = \alpha x^3 + \beta x^2 + \gamma x + \delta,$$

(1)

where $y$ represents logarithm base 2 of the number of qubits and $x$ represents the logarithm base 2 of the time (in seconds). For example, the quantity

$$y \left( \log_2 (24 \times 3600) \right) \approx y(16.3987)$$

(2)

represents how many qubits are required to break the scheme in one day (24 hours) for a fixed physical error rate per gate $p_g$, assuming a surface code cycle time of 200ns. Note that the computation time scales linearly with the surface code cycle time, e.g., a 1000ns surface code cycle time will result in a computation that is 5 times longer than a 200ns surface code cycle time. Therefore, for a specific cryptographic scheme for which we plotted the space/time tradeoffs using a surface code cycle time of 200ns and a fixed physical error rate per gate $p_g$, the number of qubits required to break a specific scheme in a time $t$ using an alternative surface code cycle time $t_c$ is given by

$$y \left( \log_2 \left( \frac{200\text{ns}}{t_c-t} \right) \right),$$

(3)

where $t$ is expressed in seconds and $t_c$ is expressed in nanoseconds.

We assume a surface code cycle time of 200ns, in conformance with [5]. For each scheme we analyze, we compare its security using the more conservative (and realistic in the short term) $p_g = 10^{-3}$ and also the more optimistic $p_g = 10^{-5}$. Note that assuming the more optimistic assumption from a quantum computing perspective is the more conservative assumption from a cybersecurity perspective.

Furthermore, in this analysis, we are reporting the full physical footprint, including the memory required for magic state distillation. Using present-day techniques, the memory required for generating these generic input states accounts for a substantial fraction of the total memory cost and thus we are including these in the total cost estimate and will track the impact of improved methods.

III. SYMMETRIC CIPHERS

Below we analyze the security of AES family of symmetric ciphers against large-scale fault-tolerant quantum adversaries. We used the highly optimized logical circuits produced in [18].

$^3$ Every T gate in the circuit must be implemented by a specialized magic state factory, each of which occupies a significant physical footprint. One can implement more magic states in parallel if one is willing to increase the physical footprint of the computation.

$^4$ A third degree polynomial fits the data very precisely, providing a coefficient of determination $R^2$ greater than 0.997.

A. AES-128

FIG. 3. AES-128 block cipher. Required surface clock cycles per processor, as a function of the number of processors (log₂ scale). The bottom brown line (theoretical lower bound, black box) represents the minimal number of queries required by Grover’s algorithm, the cost function being the total number of queries to a black-box oracle, each query assumed to have unit cost, and a completely error-free circuit. The purple line (ideal grover, non-black-box) takes into consideration the structure of the oracle, the cost function being the total number of gates in the circuit, each gate having unit cost; the quantum circuit is assumed error-free as well. Both brown and magenta lines are displayed only for comparisons; for both of them, the y axis should be interpreted as number of logical queries (operations, respectively). The curves above the purple line show the overhead introduced by fault tolerance (in terms of required surface code cycles, each surface code cycle assumed to have unit cost). More optimization at the logical layer will shift the purple line down, whereas more optimization at the fault-tolerant layer will move the upper curves closer to the purple line. Similar remarks to the above hold for the remaining plots in this manuscript.

For example, the plots in Fig. 3 tells us that if we have $2^{50}$ quantum computers running Grover’s algorithm in parallel, with no physical errors, then it would take about $2^{63}$ gate calls (where the purple line intersects the vertical line at 50), where we assume each gate to have unit cost. Still with no errors, a trivial cost for implementing the cryptographic function (oracle) would bring the cost down to about $2^{38}$ oracle calls per quantum computer. Keeping the actual function implementation, but adding the fault-tolerant layer with a physical error rate of $10^{-7}$ (with appropriate assumptions and using state-of-the-art quantum error correction) pushes the cost up to around $2^{76}$ surface code cycles per quantum computer (where now each code cycle is assumed to have unit cost). Similar remarks hold for the remaining plots in this manuscript.

FIG. 4. AES-128 block cipher. Required time per processor, as a function of the number of processors (log₂ scale). The horizontal dotted line indicates one year. The x-axis is deliberately extended to show the necessary number of CPUs for a total time of one year. Thus the figure shows that it would take, with the stated assumptions, over $2^{80}$ parallel quantum searches to break AES-128 in a year. Similar remarks to the above hold for the remaining plots in this manuscript.

FIG. 5. AES-128 block cipher. Physical footprint (physical qubits) per processor, as a function of the number of processors (log₂ scale).

FIG. 6. AES-128 block cipher. Total physical footprint (physical qubits), as a function of the number of processors (log₂ scale). Note that the qubits are not correlated across processors.

B. AES-192

FIG. 7. AES-192 block cipher. Required surface clock cycles per processor, as a function of the number of processors ((\log_2 n)) scale.

FIG. 8. AES-192 block cipher. Required time per processor, as a function of the number of processors ((\log_2 n)) scale.

FIG. 9. AES-192 block cipher. Physical footprint (physical qubits) per processor, as a function of the number of processors ((\log_2 n)) scale.

FIG. 10. AES-192 block cipher. Total physical footprint (physical qubits), as a function of the number of processors ((\log_2 n)) scale. Note that the qubits are not correlated across processors.

C. AES-256

FIG. 11. AES-256 block cipher. Required surface clock cycles per processor, as a function of the number of processors ((\log_2 n)) scale.

FIG. 12. AES-256 block cipher. Required time per processor, as a function of the number of processors ((\log_2 n)) scale.

FIG. 13. AES-256 block cipher. Physical footprint (physical qubits) per processor, as a function of the number of processors (log(_2) scale).

FIG. 14. AES-256 block cipher. Total physical footprint (physical qubits), as a function of the number of processors (log(_2) scale). Note that the qubits are not correlated across processors.

IV. HASH FUNCTIONS

In this section we study the effect of parallelized Grover attacks on the SHA-256 [19] and SHA3-256 [20] family of hash functions. We used the highly optimized logical circuits produced in [12].

A. SHA-256

FIG. 15. SHA-256 cryptographic hash function. Required surface clock cycles per processor, as a function of the number of processors (log(_2) scale).

FIG. 16. SHA-256 cryptographic hash function. Required time per processor, as a function of the number of processors (log(_2) scale).

FIG. 17. SHA-256 cryptographic hash function. Physical footprint (physical qubits) per processor, as a function of the number of processors (log(_2) scale).

FIG. 18. SHA-256 cryptographic hash function. Total physical foot- print (physical qubits), as a function of the number of processors ((\log_2\text{scale})). Note that the qubits are not correlated across proces- sors.

B. SHA3-256

FIG. 19. SHA3-256 cryptographic hash function. Required surface clock cycles per processor, as a function of the number of processors ((\log_2\text{scale})).

FIG. 20. SHA3-256 cryptographic hash function. Required time per processor, as a function of the number of processors ((\log_2\text{scale})).

FIG. 21. SHA3-256 cryptographic hash function. Physical footprint (physical qubits) per processor, as a function of the number of pro- cessors ((\log_2\text{scale})). Note that the qubits are not correlated across processors.

FIG. 22. SHA3-256 cryptographic hash function. Total physical footprint (physical qubits), as a function of the number of processors ((\log_2\text{scale})).

V. BITCOIN

In this section we analyze the security of Bitcoin’s [11] proof-of-work protocol, which is based on finding a hash(^5) pre-image which that starts with a certain number of zeros. The latter is dynamically adjusted by the protocol so that the problem is on average solved by the whole network in 10 minutes. Currently, it takes around (2^{75}) classical hash- ing operations [21] for finding a desired hash pre-image suc- cessfully via brute-force search with specialized hardware.

(^5) The hash function being used by the protocol is (H(x) := \text{SHA-256}( ext{SHA-} 256(x)).)

FIG. 23. Bitcoin’s cryptographic hash function $H(x) := \text{SHA-256}(\text{SHA-256}(x))$. Required surface clock cycles per processor, as a function of the number of processors ($\log_2$ scale).

FIG. 24. Bitcoin’s cryptographic hash function $H(x) := \text{SHA-256}(\text{SHA-256}(x))$. Required time per processor, as a function of the number of processors ($\log_2$ scale).

FIG. 25. Bitcoin’s cryptographic hash function $H(x) := \text{SHA-256}(\text{SHA-256}(x))$. Physical footprint (physical qubits) per processor, as a function of the number of processors ($\log_2$ scale).

FIG. 26. Bitcoin’s cryptographic hash function $H(x) := \text{SHA-256}(\text{SHA-256}(x))$. Total physical footprint (physical qubits), as a function of the number of processors ($\log_2$ scale). Note that the qubits are not correlated across processors.

VI. INTRINSIC COST OF PARALLELIZED GROVER’S ALGORITHM

More efficient quantum implementations of AES and SHA imply more efficient cryptanalysis. In this section, we aim to bound how much further optimized implementations of these cryptographic functions could help. We do so by assuming a trivial cost of 1 for each function evaluation.

A. Searching space of size $2^{56}$

FIG. 27. Running Grover’s algorithm with a trivial oracle, for a searching space of size $2^{56}$. Required surface clock cycles per processor, as a function of the number of processors ($\log_2$ scale).

FIG. 28. Running Grover’s algorithm with a trivial oracle, for a searching space of size $2^{56}$. Required time per processor, as a function of the number of processors ($\log_2$ scale). The dotted horizontal line indicates one year.

FIG. 29. Running Grover’s algorithm with a trivial oracle, for a searching space of size $2^{56}$. Physical footprint (physical qubits) per processor, as a function of the number of processors ($\log_2$ scale).

FIG. 30. Running Grover’s algorithm with a trivial oracle, for a searching space of size $2^{56}$. Total physical footprint (physical qubits), as a function of the number of processors ($\log_2$ scale). Note that the qubits are not correlated across processors.

B. Searching space of size $2^{64}$

FIG. 31. Running Grover’s algorithm with a trivial oracle, for a searching space of size $2^{64}$. Required surface clock cycles per processor, as a function of the number of processors ($\log_2$ scale).

FIG. 32. Running Grover’s algorithm with a trivial oracle, for a searching space of size $2^{64}$. Required time per processor, as a function of the number of processors ($\log_2$ scale).

FIG. 33. Running Grover’s algorithm with a trivial oracle, for a searching space of size $2^{64}$. Physical footprint (physical qubits) per processor, as a function of the number of processors ($\log_2$ scale).

Useful information for enthusiasts:

[1]YouTube Channel CryptoDeepTech
[2]Telegram Channel CryptoDeepTech
[3]GitHub Repositories CryptoDeepTools
[4]Telegram: ExploitDarlenePRO
[5]YouTube Channel ExploitDarlenePRO
[6]GitHub Repositories Keyhunters
[7]Telegram: Bitcoin ChatGPT
[8]YouTube Channel BitcoinChatGPT
[9] Bitcoin Core Wallet Vulnerability
[10] BTC PAYS DOCKEYHUNT
[11] DOCKEYHUNT
[12]Telegram: DocKeyHunt
[13]ExploitDarlenePRO.com
[14]DUST ATTACK
[15]Vulnerable Bitcoin Wallets
[16] ATTACKSAFE SOFTWARE
[17] LATTICE ATTACK
[18] RangeNonce
[19] BitcoinWhosWho
[20] Bitcoin Wallet by Coinbin
[21] POLYNONCE ATTACK
[22] Cold Wallet Vulnerability
[23] Trezor Hardware Wallet Vulnerability
[24] Exodus Wallet Vulnerability
[25] BITCOIN DOCKEYHUNT

Contact me via Telegram: @ExploitDarlenePRO