Quantum Security Analysis of AES

Bibliographic Details
Published in: IACR Transactions on Symmetric Cryptology, Vol. 2019, no. 2, pp. 55-93
Main Authors: Xavier Bonnetain, María Naya-Plasencia, André Schrottenloher
Format: Journal Article
Language: English
Published: Ruhr-Universität Bochum, 11 June 2019

Abstract
In this paper we analyze for the first time the post-quantum security of AES. AES is the most popular and widely used block cipher, established as the encryption standard by the NIST in 2001. We consider the secret key setting and, in particular, AES-256, the recommended primitive and one of the few existing ones that aims at providing a post-quantum security of 128 bits. In order to determine the new security margin, i.e., the lowest number of non-attacked rounds in time less than 2^128 encryptions, we first provide generalized and quantized versions of the best known cryptanalysis on reduced-round AES, as well as a discussion on attacks that don't seem to benefit from a significant quantum speed-up. We propose a new framework for structured search that encompasses both the classical and quantum attacks we present, and allows one to compute their complexity efficiently. We believe this framework will be useful for future analysis. Our best attack is a quantum Demirci-Selçuk meet-in-the-middle attack. Unexpectedly, using the ideas underlying its design principle also enables us to obtain new, counter-intuitive classical TMD trade-offs. In particular, we can reduce the memory in some attacks against AES-256 and AES-128. One of the building blocks of our attacks is solving efficiently the AES S-Box differential equation, with respect to the quantum cost of a reversible S-Box. We believe that this generic quantum tool will be useful for future quantum differential attacks. Judging by the results obtained so far, AES seems a resistant primitive in the post-quantum world as well as in the classical one, with a bigger security margin with respect to quantum generic attacks.
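The 2^128 threshold in the abstract comes from Grover's algorithm, which turns exhaustive search over a 256-bit key into roughly 2^128 quantum evaluations of the cipher, so any dedicated attack must beat that bound to count. The building block the abstract singles out, the AES S-Box differential equation, is shown below as an added illustration that is not code from the paper: for a fixed input difference d_in and output difference d_out, find every x with S(x) XOR S(x XOR d_in) = d_out. The code (function names are this page's own choices) constructs the AES S-box from its GF(2^8) inversion and affine map, solves the equation classically by scanning x or by a difference distribution table, and checks the well-known fact that the AES S-box has differential uniformity 4, i.e. at most four solutions for any nonzero d_in.

```python
"""Classical solver for the AES S-box differential equation
    S(x) ^ S(x ^ d_in) == d_out
Added example for this page, not code from the paper. The paper's concern is
the quantum (reversible-circuit) cost of this step; here only the classical
structure of the problem is shown.
"""


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF


def _gf_inv(a: int) -> int:
    """Multiplicative inverse a^254 in GF(2^8); 0 maps to 0 by AES convention."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r


def _affine(b: int) -> int:
    """AES affine layer: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    def rotl(v: int, k: int) -> int:
        return ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


# The AES S-box, derived rather than hard-coded so the construction is visible.
SBOX = tuple(_affine(_gf_inv(x)) for x in range(256))


def solve_sbox_differential(d_in: int, d_out: int) -> list:
    """All x in [0,256) with S(x) ^ S(x ^ d_in) == d_out, by direct scan.

    For nonzero d_in the solutions come in pairs {x, x ^ d_in}, so the count
    is 0, 2 or 4 for the AES S-box.
    """
    return sorted(x for x in range(256) if SBOX[x] ^ SBOX[x ^ d_in] == d_out)


def build_ddt() -> list:
    """Difference distribution table: ddt[d_in][d_out] = number of solutions.

    A 2^16-entry table is the cheap classical answer; a quantum attack cannot
    afford to materialise it reversibly, which is the problem the paper treats.
    """
    ddt = [[0] * 256 for _ in range(256)]
    for d_in in range(256):
        for x in range(256):
            ddt[d_in][SBOX[x] ^ SBOX[x ^ d_in]] += 1
    return ddt


def differential_uniformity() -> int:
    """Largest solution count over all nonzero input differences (4 for AES)."""
    ddt = build_ddt()
    return max(ddt[d_in][d_out] for d_in in range(1, 256) for d_out in range(256))


if __name__ == "__main__":
    print("S-box[0x53] = 0x%02X" % SBOX[0x53])
    print("differential uniformity:", differential_uniformity())
    print("x with S(x)^S(x^0x01)==0x1F:", solve_sbox_differential(0x01, 0x1F))
```

The scan and the table give the same counts; the table is what a classical differential attack precomputes once, whereas the abstract's point is that a quantum attack needs an efficient reversible way to obtain the same solutions without that table.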
Authors
Xavier Bonnetain, Security, Cryptology and Transmissions
María Naya-Plasencia (ORCID 0000-0002-0059-5417), Security, Cryptology and Transmissions
André Schrottenloher (ORCID 0000-0002-1329-8630), Security, Cryptology and Transmissions
HAL record: https://inria.hal.science/hal-02397049
DOI: 10.13154/tosc.v2019.i2.55-93
Indexed in: Hyper Article en Ligne (HAL) (Open Access); DOAJ Directory of Open Access Journals (https://www.doaj.org/)
Discipline: Computer Science
ISSN/EISSN: 2519-173X
Open access: yes
Peer reviewed: yes
Keywords: Quantum algorithms; Post-quantum security; Quantum cryptanalysis; Classical cryptanalysis; Symmetric cryptanalysis; Security margin; DS-meet-in-the-middle; Amplitude amplification; Square attack; AES
License: Distributed under a Creative Commons Attribution 4.0 International License: http://creativecommons.org/licenses/by/4.0
Open access link: https://doaj.org/article/55fa9875d1bc4ab989a1fa43dfd55906
Page count: 39
Subject terms: AES; classical cryptanalysis; Computer Science; Cryptography and Security; quantum algorithms; quantum cryptanalysis; security margin; symmetric cryptanalysis
Sources: DOAJ (Open Website); HAL (Open Access Repository)