Applying Grover's algorithm to AES: quantum resource estimates
This work addresses the practical feasibility of quantum attacks on widely used encryption standards, providing incremental resource estimates for cryptographers and security experts.
The paper tackles the problem of estimating quantum resources needed to break AES encryption using Grover's algorithm, establishing precise bounds for qubit counts and gate numbers for all standardized AES key sizes.
We present quantum circuits to implement an exhaustive key search for the Advanced Encryption Standard (AES) and analyze the quantum resources required to carry out such an attack. We consider the overall circuit size, the number of qubits, and the circuit depth as measures for the cost of the presented quantum algorithms. Throughout, we focus on Clifford$+T$ gates as the underlying fault-tolerant logical quantum gate set. In particular, for all three variants of AES (key size 128, 192, and 256 bit) that are standardized in FIPS-PUB 197, we establish precise bounds for the number of qubits and the number of elementary logical quantum gates that are needed to implement Grover's quantum algorithm to extract the key from a small number of AES plaintext-ciphertext pairs.