1166 2000 235-243

Quantum cryptanalysis of block ciphers

Akihiro Yamamura *
Hirokazu Ishizuka †

Abstract
Grover invented a quantum algorithm that finds a solution in only $O(\sqrt{2^{n}})$ steps whereas the exhaustive search algorithm needs $O(2^{n})$ steps on average. Brassard, Høyer, Tapp construct an algorithm that counts the number of the solutions for a searching problem. We discuss two applications of quantum algorithms to information security; the first is the cryptanalysis of block ciphers using Grover's algorithm and the second is the strength evaluation of block ciphers using Brassard, Høyer, Tapp's algorithm.

1 Introduction
Quantum information processing has attracted great attention. Quantum cryptography, quantum protocols, quantum teleportation and quantum computation are the core of quantum information processing. These technologies have a huge potential to substantially exceed the existing technologies. In computer science, the Turing machine is considered a standard model of an algorithm. Numerous models for an algorithm are known to be equivalent to Turing machines in computing power. In fact, Church's thesis claims that any algorithm is realized by a Turing machine. On the other hand, an algorithm for practical computation does not correspond to a Turing machine. A plausible notion for realistic computation is the bounded error probabilistic polynomial time algorithm (BPP). In 1982, R. Feynman [11] pointed out that exponential slowdown occurs when quantum physical phenomena are simulated by a digital computer. His observation caused the conjecture that quantum physical phenomena can be employed to attain exponential speed-up in computation, and much research has been done toward the conjecture [2, 4, 12, 17].
No probabilistic polynomial time algorithm for prime factorization and the discrete logarithm problem is known up to date. The security of many public key cryptosystems is based on this fact. We do not know whether or not these problems are in the class BPP; however, P. Shor [16] showed that these problems are located in the class BQP, that is to say, these problems can be solved in polynomial time by a quantum computer. A quantum computer is implemented if we can control quantum physical phenomena like superposition, interference and entanglement. The control of the quantum physical phenomena may be plausible, and hence, BQP is probably the class of realistic computation. If this is the case, many existing cryptosystems are vulnerable to attacks using quantum computers. We note that $\mathrm{BPP}\subset\mathrm{BQP}\subset\mathrm{PSPACE}$ [5]. Nothing about the relation between NP and BQP is known. Although the result by Bennett, Bernstein, Brassard, Vazirani [3] indicates $\mathrm{NP}\not\subset\mathrm{BQP}$, it does not rule out $\mathrm{NP}\subset\mathrm{BQP}$. Quantum physical phenomena may provide new computational complexity classes and contribute substantially to information processing in the future. Surprisingly, some researchers reported that even an NP complete problem can be solved in polynomial time by a quantum computer if non-linearity of quantum physics can be employed. This implies that no public key cryptosystem is secure if this is the case. However, the claim has not been officially accepted by researchers in the field.
In this paper, we show that for any block cipher of key size $n$, one can mount a known-plaintext attack that finds the secret encrypting key in $O(\sqrt{2^{n}})$ steps using Grover's algorithm, that is to say, the attacker has an arbitrary pair of a plaintext and a ciphertext and then he finds the secret key using a quantum computer with computation in $O(\sqrt{2^{n}})$ steps. $O(\sqrt{2^{n}})$ steps is much better than the brute force attack which requires $O(2^{n})$ steps.


* Communications Research Laboratory, 4-2-1 Nukui-Kitamachi Koganei Tokyo, 184-8795, Japan. e-mail: aki@crl.go.jp
† Mitsubishi Electric Corp., 5-1-1 Ofuna Kamakura Kanagawa, 247-8501, Japan. e-mail: ishizuka@isl.melco.co.jp

We also discuss the application of a quantum computer to the strength evaluation of a block cipher using Brassard, Høyer, Tapp's algorithm [10]. Their algorithm can be applied to compute non-uniformity of distribution between plaintexts, ciphertexts and secret keys of a block cipher.

2 Grover's algorithm and Brassard, Høyer, Tapp's algorithm

2.1 Grover's algorithm
A. Definition of the problem

Suppose that there exist $N=2^{n}$ states and each state is labeled by $0,1,\ldots,N-1$. We may assume that the states are represented by $n$ bit binary strings. Let $F$ be a Boolean function of the set of these $2^{n}$ states. Suppose that there exists a state $w$ such that

$F(x)=\begin{cases} 1 & \text{if } w=x \\ 0 & \text{otherwise.} \end{cases}$

We suppose that $F$ is effectively computable and the functional call to $F$ is considered as an oracle call. The searching problem is that we can call oracle calls to $F$ and find the state $w$. Clearly the exhaustive search algorithm needs $O(2^{n})$ oracle queries on average to find the state $w$ using a conventional computer.

B. Algorithm
1. Initialization: Applying the Walsh-Hadamard transformation $W$ $O(\log N)$ times to the initial state $|00\ldots 0\rangle$ bit by bit, we can obtain the following superposition

$|s\rangle=\frac{1}{\sqrt{N}}\sum_{x=0}^{N-1}|x\rangle.$

2. Iteration: Repeat the following unitary operations $M$ times.

(a) For any state $|x\rangle$ in the present superposition, rotate the phase by $\pi$ radians if $F(x)=1$, and leave the system unaltered otherwise. See [15] for how to realize this operation.

(b) Apply the diffusion transform $D(=D_{ij})$ defined by

$D_{ij}=\begin{cases} -1+\frac{2}{N} & \text{if } i=j \\ \frac{2}{N} & \text{if } i\neq j. \end{cases}$

Note that $D$ is constructed by $D=WRW$ where $R(=R_{ij})$ is the phase rotation matrix and $W(=W_{ij})$ is the Walsh-Hadamard transformation. $R$ and $W$ are defined by

$R_{ij}=\begin{cases} 0 & i\neq j \\ 1 & i=j=0 \\ -1 & i=j\neq 0 \end{cases}$ and $W_{ij}=2^{-n/2}(-1)^{\overline{i}\cdot\overline{j}}$,

where $\overline{i}\cdot\overline{j}$ denotes the bitwise dot product.


3. Measurement: We measure the resulting superposition and get some state according to the probabilities determined by the amplitudes.

Proposition 2.1 ([13]) After $M$ iterations of 2 (a), (b), the system is in the superposition

$\sin((2M+1)\theta)|w\rangle+\cos((2M+1)\theta)|b\rangle$, (2.1)

where $\theta$ is the angle satisfying $\sin\theta=\frac{1}{\sqrt{N}}$ and $|b\rangle$ is the superposition of bad states, that is, the states other than $|w\rangle$. $\square$

See [9] for the proof. Proposition 2.1 implies the probability that we observe the state $|w\rangle$ in the process 3 above is $|\sin((2M+1)\theta)|^{2}$. We can estimate the proper number of iterations of the process 2 to observe the desired state $|w\rangle$ by Proposition 2.1. It is easy to see that only $O(\sqrt{N})$ iterations are needed to observe the state $|w\rangle$ with a probability at least $\frac{1}{2}$.
In general, it is known that to find one of $t$ desired states out of $N$ states with a probability of at least $\frac{1}{2}$, we need to iterate the process 2 (a), (b) $O(\sqrt{N/t})$ times (see [9]).

2.2 Brassard, Høyer, Tapp's algorithm
The quantum algorithm proposed by Brassard, Høyer, Tapp [10] counts the number $t$ of desired states. Using a conventional computer, $O(N)$ oracle queries to $F$ are needed on average to estimate $t$.
Shor's algorithm computes the period of a long sequence in polynomial time. Grover's algorithm finds a solution of the search problem in $O(\sqrt{N/t})$ steps. The algorithm COUNT is a combination of Shor's algorithm and Grover's algorithm. The rough idea of COUNT is the following. In Grover's algorithm, the amplitudes for the desired states and the other states have a period depending upon the number $t$ of the desired states. We simulate Grover's algorithm and then compute the period by applying Shor's algorithm. Finding the period, we can compute the number $t$. The next lemma gives the error range of $t$. $P$ is the number of trials of the processes 1 and 2 in Section 2.

Lemma 2.2 ([10]) Let $F:\{0,1,2,\ldots,N-1\}\to\{0,1\}$ be a Boolean function. COUNT calls $P$ oracle queries to $F$. Suppose $t=|F^{-1}(1)|\leq\frac{N}{2}$. Let $\overline{t}$ be the output of COUNT when we input the number $P$ $(P\geq 4)$ of trials. Then we have

$|t-\overline{t}|<\frac{2\pi}{P}\sqrt{tN}+\frac{\pi^{2}}{P^{2}}N$ (2.2)

with probability $\frac{8}{\pi^{2}}$. $\square$

3 Cryptanalysis using Grover's algorithm

3.1 Simple attack scheme
We mount the known plaintext attack using Grover's algorithm. Let $E$ be a block cipher of key and block size $n$. Suppose that an attacker is given an arbitrary pair of a plaintext $P$ and the ciphertext $C$ encrypted by $E$ with a certain secret key $k_{j}$. Applying Grover's algorithm, he can find the secret key. For simplicity, we assume that there exists only one key $k_{j}$ such that $C=E(P, k_{j})$. As a matter of fact, there exist several keys satisfying $C=E(P, k_{i})$ in general. In that case, the same analysis works using the method in [9], and so, we will not discuss it. Let us examine the details as follows.
1. Prepare a pair $(P, C)$ of a plaintext $P$ and a ciphertext $C$, that is, $C=E(P, k_{j})$ for some secret key $k_{j}$. Define $F$ by

$F(k_{i})=\begin{cases} 1 & \text{if } E(P, k_{i})=C \\ 0 & \text{if } E(P, k_{i})\neq C. \end{cases}$

2. Initialize the system by making a superposition of all possible keys $(k_{i})$ with the same amplitude. Suppose the key length is 64 bit. There exist $N=2^{64}$ states representing $N$ keys in the superposition. So we have the superposition

$|K\rangle=\frac{1}{\sqrt{2^{64}}}\sum_{i=0}^{2^{64}-1}|k_{i}\rangle.$

3. Iterate 2 (a) and (b) in Section 2.1. Note that $k_{j}$ is the solution of the equation $F(k)=1$. Possibly, $O(\sqrt{2^{32}})$ steps are needed.

4. Measuring the system, we observe the state $|k_{j}\rangle$ with a probability at least $\frac{1}{2}$, where $k_{j}$ is the key satisfying $E(P, k_{j})=C$.

Iterating 2 (a) and (b) $2^{32}$ times, we have

$G^{2^{32}}|K\rangle=\sin((2^{33}+1)\theta)|k_{g}\rangle+\cos((2^{33}+1)\theta)|k_{b}\rangle\approx\sin\left(\frac{2^{33}+1}{2^{32}}\right)|k_{g}\rangle+\cos\left(\frac{2^{33}+1}{2^{32}}\right)|k_{b}\rangle\approx 0.91|k_{g}\rangle-0.42|k_{b}\rangle$

by (2.1). Note that since $N$ is large enough, $\sin\theta$ can be approximated as $\theta$, and hence,

$\theta\simeq\sin\theta=\frac{1}{\sqrt{N}}=\frac{1}{\sqrt{2^{64}}}.$

As the probability is the square of the amplitude, the algorithm outputs the desired state with 83 percent $(\approx 0.91^{2})$.

3.2 Exact number of steps for cryptanalysis

We now evaluate the number of iterations more carefully. Recall that the probability that we observe the desired state $k_{j}$ is given by the square of the absolute value of the amplitude for $w$ in (2.1). In our cryptanalysis, $w=k_{j}$. Remember that the amplitude for $w$ is given by $\sin((2M+1)\theta)$, where $\theta\approx\sin\theta$ and $\theta$ is defined by the equation $\sin\theta=\frac{1}{\sqrt{N}}$. Hence, $\theta\approx\frac{1}{\sqrt{N}}$. Solving the inequality

$|\sin((2M+1)\theta)|\geq\frac{1}{\sqrt{2}}$, $0\leq\theta\leq\frac{\pi}{2}$,

we get

$M\geq\pi 2^{\frac{n}{2}-3}.$

In the case of cryptanalysis of a 64 bit block cipher, we need to iterate the algorithm $M=\pi 2^{\frac{64}{2}-3}$ times. Then the number of iterations is slightly smaller than $2^{32}$. In the case of cryptanalysis of a 128 bit block cipher, we need $M=\pi 2^{\frac{128}{2}-3}$ steps.

In [13], the amplitude $k$ for the desired state and the amplitude $l$ for each of the other states are given by the following recurrence formula:

$k_{1}=\left(1-\frac{2}{N}\right)k+2\frac{N-1}{N}l$, $l_{1}=-\frac{2}{N}k+\frac{N-2}{N}l$, (3.1)

where $k_{1}$ and $l_{1}$ are the amplitudes after one iteration of 2 (a), (b). We compute the exact number of iterations using (3.1). These are close to the estimation based on (2.1) above.
  n                N        M
  4               16        1
  8              256        5
 12             4096       20
 16            65536       84
 20          1048576      337
 24         16777216     1348
 28        268435456     5394
 36      68719476736    86308
 38     274877906944   172616
  *     343061989969   192840
 40    1099511627776   345232
 48  281474976710656  5523721

("*" is #4fe0168a51 in hexadecimal code)
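The following is an added example, not code from the paper: it iterates the recurrence (3.1) (taken in the form where $k$ is the amplitude before the phase flip of step 2(a), so that it agrees with (2.1)) to find the exact smallest $M$ giving success probability at least $1/2$, and compares it with the estimate $M\geq\pi 2^{n/2-3}$ of Section 3.2 and with the $0.91$ amplitude of Section 3.1. All function names are mine.

```python
# Added example: Grover amplitude recurrence (3.1) versus closed form (2.1).
# Not from the paper; function names are constructed for this example.
import math


def recurrence_step(k, l, N):
    """One iteration of 2(a) phase flip followed by 2(b) diffusion, as in (3.1).
    k = amplitude of the desired state |w>, l = amplitude of each other state."""
    k1 = (1.0 - 2.0 / N) * k + 2.0 * (N - 1) / N * l
    l1 = -2.0 / N * k + (N - 2.0) / N * l
    return k1, l1


def amplitudes_after(n, m):
    """(k_m, l_m) after m iterations, starting from the uniform superposition
    |s> of step 1 (k_0 = l_0 = 1/sqrt(N), N = 2^n)."""
    N = 1 << n
    k = l = 1.0 / math.sqrt(N)
    for _ in range(m):
        k, l = recurrence_step(k, l, N)
    return k, l


def amplitude_closed_form(n, m):
    """sin((2m+1) theta) from Proposition 2.1, with sin(theta) = 1/sqrt(N)."""
    theta = math.asin(2.0 ** (-n / 2))
    return math.sin((2 * m + 1) * theta)


def min_iterations_exact(n):
    """Smallest M with k_M^2 >= 1/2, i.e. the first iteration count at which
    measuring the register returns |w> with probability at least 1/2."""
    N = 1 << n
    k = l = 1.0 / math.sqrt(N)
    m = 0
    while k * k < 0.5:
        k, l = recurrence_step(k, l, N)
        m += 1
    return m


def paper_estimate(n):
    """M >= pi * 2^(n/2 - 3) of Section 3.2, from |sin((2M+1)theta)| >= 1/sqrt(2)
    with theta ~ 1/sqrt(N); the exact condition (2M+1)theta >= pi/4 also
    carries a -1/2 term that this estimate drops."""
    return math.pi * 2.0 ** (n / 2 - 3)


if __name__ == "__main__":
    print(" n             N   exact M   pi*2^(n/2-3)")
    for n in (4, 8, 12, 16, 20, 24, 28):
        print(f"{n:2d} {1 << n:13d} {min_iterations_exact(n):9d} {paper_estimate(n):14.1f}")
    # The 64-bit case of Section 3.1: 2^32 iterations give amplitude 0.91, probability 0.83.
    a = amplitude_closed_form(64, 2 ** 32)
    print(f"n=64, M=2^32: amplitude {a:.2f}, probability {a * a:.2f}")
```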

3.3 Heuristic methods

Using a quantum computer, we break block ciphers more efficiently than the exhaustive search by conventional computers. The general clock speed of a current desktop personal computer is $800\mathrm{MHz}$. Using normal integer operations and some pipelines in computing, current commercial machines can process one operation per clock. If 3 clocks are needed per operation, a present computer is still able to process about $\frac{8}{3}\approx 2.67$ hundred million to 8 hundred million operations per second. If a parallel processing scheme is employed, the processing power is improved. Therefore, $2^{32}=4294967296$ steps are manageable. About 3 hundred million $(2^{28}=268435456)$ steps are needed for the brute-force attack of DES. The computation can be carried out in one second or below.
In the "DES challenge" sponsored by RSA Data Security Company, one group broke DES in only 22 hours using a brute force method distributing processes to numerous computers all over the world. They report that the correct key was found when 22 percent of the key space was searched.
Let us now discuss how we can reduce the computational cost using detailed information on block ciphers. Consider searching a structured database. In a structured database, each datum can be represented by a binary sequence. To obtain information from a structured database $O(\log N)$ steps are needed, where $N$ is the size of the database. For example, we can find the desired datum in 20 steps out of 1 million data in a structured database because $2^{20}=1048576>1000000$.
In cryptanalysis of block ciphers, one employs the knowledge of non-uniformity of the distribution between plaintexts, secret keys and ciphertexts. Differential cryptanalysis and linear cryptanalysis [6, 14] are such cryptanalyses. Using non-uniformity of distributions, the size of the key space can be reduced. If the size can be reduced to a tractable size, one can analyze by the brute-force method.
In quantum cryptanalysis, we may do the same. First, we reduce the size of the searching space by using the (possibly statistical) information on the searching space. Then we resort to quantum computers to do exhaustive search. Fig.1 schematically represents the idea.

Fig.1 Applying Grover's algorithm partially (G: Grover's algorithm)

4 Strength evaluation using Brassard, Høyer, Tapp's algorithm

4.1 Strength evaluation of block ciphers
We discuss how to evaluate the statistical imbalance between plaintexts, secret keys and the corresponding ciphertexts using Brassard, Høyer, Tapp's algorithm. As we see in Section 2, the COUNT algorithm estimates $t$ given the number $P$ of trials and a Boolean function $F:N\to\{0,1\}$. Here, we assume $|F^{-1}(1)|<\frac{N}{2}$.
Suppose that $E$ is a block cipher. The key and block size may be arbitrary. Let us consider the probability $\phi_{1}$ defined by

$\phi_{1}=\mathrm{Prob}(P(i)\oplus K(j)=C(k))$, (4.1)

where $P(i)$ is the $i$th bit of the plaintext $P$, $K(j)$ is the $j$th bit of the secret key $K$, $C(k)$ is the $k$th bit of the corresponding ciphertext $C=E(P, K)$ and $\oplus$ is the exclusive or.
Let us also consider the probability $\phi_{2}$ defined as follows:

$\phi_{2}=\mathrm{Prob}(\Delta P(i)\oplus K(j)=\Delta C(k))$, (4.2)

where $\Delta P$ is the difference of two plaintexts and $\Delta C$ is the difference of the two corresponding ciphertexts; that is, $\Delta P=P_{1}\oplus P_{2}$, $\Delta C=C_{1}\oplus C_{2}$, $C_{1}=E(P_{1}, K)$, $C_{2}=E(P_{2}, K)$. The probabilities (4.1) and (4.2) represent the non-uniformity of distribution between plaintexts, secret keys and ciphertexts. The reason that we are interested in evaluating the probabilities (4.1) and (4.2) is that the modern cryptanalysis of block ciphers depends upon the statistical imbalance as we see in [6, 14].
The plausible scenario is that quantum computers will be established for billions of dollars and so only a small number of machines will exist all over the world. It is impossible that desk-top size quantum computers will be put on a commercial basis in the near future. A few quantum computers will be publicly owned by the governments. The users of the machines are limited to authorized research institutes and they can use the machines only for unclassified and peaceful purposes. The developers of symmetric ciphers may rent the machine to evaluate the strength of their ciphers, not for other purposes.

4.2 How to compute $\phi_{1}$

The probability $\phi_{1}$ is not always substantially away from 1/2; however, if it is the case then one can collect a sufficient amount of pairs of plaintexts and ciphertexts and mount a statistical cryptanalysis to find the secret key. In such a situation, the block cipher $E$ is not secure enough. Therefore, we require any block cipher not to have large statistical imbalances between plaintexts, ciphertexts and secret keys.
To apply the COUNT algorithm, we define a Boolean function as follows. Suppose that $E$ is a block cipher of key and block size 64. Denote the space of plaintexts by $\mathrm{P}$, the space of ciphertexts by $\mathrm{C}$ and the space of secret keys by $\mathrm{K}$. Then both $\mathrm{P}$ and $\mathrm{K}$ consist of $2^{64}$ binary sequences of length 64. Let $\mathrm{D}$ be the direct product $\mathrm{P}\times\mathrm{K}$. Then $\mathrm{D}$ consists of $2^{128}$ binary sequences of length 128. Define the Boolean function $F$ by

$F(P, K)=\begin{cases} 0 & \text{if } P(i)\oplus K(j)=C(k) \\ 1 & \text{otherwise,} \end{cases}$ (4.3)

where $1\leq i,j,k\leq 64$. Suppose that $C=E(P, K)$. By the definition, the function $F$ returns $0$ for a pair $(P, K)$ of a plaintext and a secret key that satisfies the equation

$P(i)\oplus K(j)=C(k)$, (4.4)

otherwise it returns 1. For the function $F$ defined above, the probability $\phi_{1}$ satisfies

$\phi_{1}=\frac{|F^{-1}(0)|}{|N|}=\frac{2^{128}-t}{2^{128}}.$

We consider finding the integer $|F^{-1}(0)|$ using the COUNT algorithm. Let $\overline{t}$ be the output of the COUNT algorithm given $F$ and $P$. Then the inequality (2.2) holds with the probability $8/\pi^{2}$. Therefore, repeating the COUNT algorithm, we can obtain a good estimation $\overline{t}$. The error, the right hand side of (2.2), depends only upon $P$. For example, let $P=2^{32}$. Then we have

$|t-\overline{t}|\leq\frac{2\pi}{2^{32}}\sqrt{2^{128}t}+\frac{\pi^{2}}{(2^{32})^{2}}2^{128}\leq 2^{96}\sqrt{2}\pi+2^{64}\pi^{2}$

with the probability $8/\pi^{2}$, because $t\leq\frac{2^{128}}{2}=2^{127}$. Hence we have

$\phi_{1}=\frac{|F^{-1}(0)|}{|N|}=\frac{|F^{-1}(0)|}{2^{128}}=\frac{2^{128}-t}{2^{128}}=1-\frac{t}{2^{128}}\approx 1-\frac{\overline{t}}{2^{128}}=\tilde{\phi}_{1}$

and the error is estimated as

$|\phi_{1}-\tilde{\phi}_{1}|=\frac{|t-\overline{t}|}{2^{128}}\leq\frac{2^{96}\sqrt{2}\pi+2^{64}\pi^{2}}{2^{128}}.$

Since we have

$\frac{2^{96}\sqrt{2}\pi+2^{64}\pi^{2}}{2^{128}}<\frac{\pi}{2^{30}},$

the error $|\phi_{1}-\tilde{\phi}_{1}|$ is sufficiently small. Hence, we can estimate $\phi_{1}$ as the relative probability of the pairs $(P, K)$ of plaintexts and secret keys satisfying the equation (4.4) with respect to the whole space. In this case, about $2^{32}$ iterations of the COUNT algorithm are required.
Similarly, if we carry out the experiment with $P=2^{16}$ iterations of the COUNT algorithm, then we can estimate $\phi_{1}$ with the probability $\frac{8}{\pi^{2}}$ within the error $\frac{\sqrt{2}\pi}{2^{16}}+\frac{\pi^{2}}{2^{32}}\approx 0.0001$.

4.3 How to compute $\phi_{2}$

We next estimate the probability $\phi_{2}$. Let $\mathrm{P}$, $\mathrm{K}$ and $\mathrm{C}$ be the space of plaintexts, secret keys and ciphertexts, respectively. Let $\mathrm{D}=\mathrm{P}\times\mathrm{P}\times\mathrm{K}$. Then $\mathrm{D}$ consists of $2^{192}$ binary sequences of length 192. Define $F:\mathrm{D}\to\{0,1\}$ as follows.

$F(P_{1}, P_{2}, K)=\begin{cases} 0 & \text{if } \Delta P(i)\oplus K(j)=\Delta C(k) \\ 1 & \text{otherwise,} \end{cases}$ (4.5)

where $1\leq i,j,k\leq 64$, $\Delta P=P_{1}\oplus P_{2}$, $\Delta C=C_{1}\oplus C_{2}$, $C_{1}=E(P_{1}, K)$ and $C_{2}=E(P_{2}, K)$. By the definition, the function $F$ returns $0$ for a triple $(P_{1}, P_{2}, K)$ satisfying

$\Delta P(i)\oplus K(j)=\Delta C(k)$, (4.6)

otherwise it returns 1. Let $P=2^{32}$ and $t=|F^{-1}(1)|$. Let $\overline{t}$ be the output of the COUNT algorithm. A similar argument to the one above shows that

$|t-\overline{t}|\leq\frac{2\pi}{2^{32}}\sqrt{2^{192}t}+\frac{\pi^{2}}{(2^{32})^{2}}2^{192}\leq 2^{160}\sqrt{2}\pi+2^{128}\pi^{2}.$

Hence, we have

$\phi_{2}=\frac{|F^{-1}(0)|}{|N|}=\frac{|F^{-1}(0)|}{2^{192}}=\frac{2^{192}-t}{2^{192}}=1-\frac{t}{2^{192}}\approx 1-\frac{\overline{t}}{2^{192}}=\tilde{\phi}_{2}$

within the error

$|\phi_{2}-\tilde{\phi}_{2}|=\frac{|t-\overline{t}|}{2^{192}}\leq\frac{2^{160}\sqrt{2}\pi+2^{128}\pi^{2}}{2^{192}}.$

Since

$\frac{2^{160}\sqrt{2}\pi+2^{128}\pi^{2}}{2^{192}}<\frac{\pi}{2^{30}},$

the error $|\phi_{2}-\tilde{\phi}_{2}|$ is sufficiently small. If we carry out the experiment with $P=2^{16}$, then we can estimate $\phi_{2}$ with the probability $\frac{8}{\pi^{2}}$ within the error $\frac{\sqrt{2}\pi}{2^{16}}+\frac{\pi^{2}}{2^{32}}\approx 0.0001$.

4.4 Number of trials

The error is $\frac{2\pi}{P}\sqrt{tN}+\frac{\pi^{2}}{P^{2}}N$ when the COUNT algorithm is applied to find $|F^{-1}(1)|$ with the probability $\frac{8}{\pi^{2}}$. It depends upon the number $P$ of trials and the cardinality $N=2^{n}$ of the domain of $F$. We calculated the error in cryptanalysing block ciphers of block size 64 bit as above. It is easy to see that we can estimate the probability $\phi_{1}$ for a 128 bit block cipher within the error $\frac{\pi}{2^{30}}$ with the probability $\frac{8}{\pi^{2}}$ by iterating $P=2^{32}$ times. This indicates that the increase of the size of block does not affect the number of trials as far as we fix the upper bound of the error. The following can be easily proved.

Theorem 4.1 For any block cipher $E$, we have

$|\phi_{1}-\tilde{\phi}_{1}|\leq\frac{\sqrt{2}\pi}{P}+\frac{\pi^{2}}{P^{2}}.$
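As an added example that is not part of the paper, the block below builds a constructed 8-bit toy cipher and uses it both as the oracle $F(k)=1$ iff $E(P,k)=C$ of the key search in Section 3.1 (simulated classically on the $2^{n}$ amplitudes) and as the Boolean function $F(P,K)$ of (4.3), whose zero count $|F^{-1}(0)|$ is found exhaustively to give $\phi_{1}$ exactly; the error bounds of Lemma 2.2 and Theorem 4.1 are then evaluated for the trial counts $P=2^{16}$ and $P=2^{32}$ used in Sections 4.2 and 4.4. The S-box, the cipher and all names are constructed for this example.

```python
# Added example (not from the paper): constructed toy cipher used as the Grover
#  oracle of Section 3.1 and as the Boolean function F(P, K) of (4.3).
import math

# Constructed 4-bit S-box (a permutation of 0..15), applied to both nibbles.
SBOX = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]


def rotl8(x, r):
    return ((x << r) | (x >> (8 - r))) & 0xFF


def pi_perm(x):
    """Fixed public 8-bit permutation: S-box on both nibbles, then rotate left by 3."""
    return rotl8((SBOX[x >> 4] << 4) | SBOX[x & 0xF], 3)


def toy_encrypt(p, k):
    """E(P, k) with 8-bit block and 8-bit key. For fixed P the map k -> E(P, k)
    is a bijection, so every (P, C) pair has exactly one key, which is the
    single-key assumption made in Section 3.1."""
    return pi_perm(pi_perm(p) ^ k)


def grover_key_search(p, c, n, iterations):
    """Steps 2-4 of Section 3.1 on the 2^n real amplitudes of the key register.
    Returns (most probable key, its probability) after `iterations` rounds."""
    N = 1 << n
    amp = [1.0 / math.sqrt(N)] * N            # step 2: uniform superposition |K>
    for _ in range(iterations):
        for k in range(N):                      # 2(a): phase flip where F(k) = 1
            if toy_encrypt(p, k) == c:
                amp[k] = -amp[k]
        mean = sum(amp) / N                     # 2(b): D = -I + (2/N)J, i.e. a -> 2*mean - a
        amp = [2.0 * mean - a for a in amp]
    best = max(range(N), key=lambda k: amp[k] * amp[k])   # step 4: most likely outcome
    return best, amp[best] * amp[best]


def bit(x, i):
    """i-th bit of x, 1 <= i <= 8, counted from the least significant bit."""
    return (x >> (i - 1)) & 1


def f_zero_count(i, j, k):
    """|F^{-1}(0)| for F of (4.3): pairs (P, K) in D = P x K with
    P(i) xor K(j) = C(k), C = E(P, K). Exhaustive over the 2^16 pairs of the
    toy cipher; COUNT would estimate this number from P oracle calls."""
    return sum(1 for p in range(256) for key in range(256)
               if bit(p, i) ^ bit(key, j) == bit(toy_encrypt(p, key), k))


def phi1_exact(i, j, k):
    """phi_1 = |F^{-1}(0)| / N with N = 2^16 for the toy cipher."""
    return f_zero_count(i, j, k) / 65536.0


def count_error_bound(trials, t, N):
    """Right-hand side of (2.2): COUNT's error with `trials` oracle calls,
    t = |F^{-1}(1)| and domain size N."""
    return 2 * math.pi / trials * math.sqrt(t * N) + math.pi ** 2 / trials ** 2 * N


def phi_error_bound(trials):
    """Theorem 4.1: |phi_1 - phi_1~| <= sqrt(2)*pi/P + pi^2/P^2, independent of N."""
    return math.sqrt(2) * math.pi / trials + math.pi ** 2 / trials ** 2


if __name__ == "__main__":
    secret_key, plaintext = 0xA7, 0x3C          # constructed known-plaintext pair
    ciphertext = toy_encrypt(plaintext, secret_key)
    found, prob = grover_key_search(plaintext, ciphertext, 8, 6)
    print(f"Grover (n=8, M=6): key 0x{found:02x}, probability {prob:.3f}")
    print(f"phi_1(1,1,1) = {phi1_exact(1, 1, 1):.4f}  (1/2 means no imbalance)")
    for trials in (2 ** 16, 2 ** 32):
        print(f"P=2^{trials.bit_length() - 1}: Theorem 4.1 error <= {phi_error_bound(trials):.2e}")
```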

4.5 Remarks
We discussed how to estimate statistical imbalances for block ciphers using quantum computers. Although we considered the probabilities given in (4.4), (4.6), statistical imbalances of block ciphers appear in various forms. The algorithm given above does not clarify some other types of statistical imbalances. However, combining traditional cryptanalysis technologies and quantum computers, we can estimate statistical imbalance and evaluate the strength of block ciphers. It is desired that we can invent an algorithm that automatically finds non-uniformity of distributions on plaintexts, secret keys and ciphertexts. A possible approach along this line is to run Brassard, Høyer, Tapp's algorithm in Grover's algorithm as subroutines. It is not clear whether it is possible or not without substantial slowdowns.



5 Summary
We discussed how to apply quantum computers to cryptanalysis and strength evaluation of block ciphers. The realization of quantum computers depends upon the technologies for the control of decoherence of quantum states. We need a complete understanding of entanglement. It seems premature to discuss the realization of quantum computers. The role of quantum physics in information and computer science will get bigger and bigger from now on. Quantum physical concepts like interference, the uncertainty principle and measurement are essential in quantum information processing. In information security, quantum physics will play a significant role in the future, as we see quantum cryptography getting huge attention.
In addition, quantum cryptography [4], quantum protocols and quantum teleportation are implemented using quantum phenomena such as the EPR effect, the uncertainty principle and entanglement.
Another non-classical computation device was implemented by Adleman [1] using DNA, that is, molecular computing. He succeeded in finding a solution for a traveling salesman problem of small size. In [7], cryptanalysis of DES using DNA computing is considered.
All these trials indicate that physical phenomena can be employed to create new technologies that are not realized by traditional methods. The theory of computation is based not only on mathematical methods but also on physics and other natural sciences. In the theory of quantum computing, the realization of quantum computers is crucial; however, the development of a rigorous theory of quantum algorithms from the point of view of computational complexity is also indispensable for good understanding and for future applications.

References
[1] L. Adleman, "Molecular computation of solutions to combinatorial problems", Science 266 (November 1994), 1021-1024.
[2] C. H. Bennett, "Logical reversibility of computation", IBM J. Research and Development, 6 (1973), 525-532.
[3] C. H. Bennett, E. Bernstein, G. Brassard and U. Vazirani, "Strengths and weaknesses of quantum computing", SIAM J. Comp. 26 (5) (1997), 1510-1523.
[4] C. H. Bennett and G. Brassard, "Quantum cryptography: Public-key distribution and coin tossing", Proc. Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (1984), 175-179.
[5] E. Bernstein and U. Vazirani, "Quantum complexity theory", SIAM J. Comp. 26 (5) (1997), 1411-1473.
[6] E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems", Advances in Cryptology (CRYPTO'90), LNCS 537 (1991), 2-21.
[7] D. Boneh, C. Dunworth and R. J. Lipton, "Breaking DES using a molecular computer", in DNA Based Computers, Proc. of DIMACS Workshop, American Mathematical Society (1995), 37-65.
[8] D. Boneh and R. J. Lipton, "Quantum cryptanalysis of hidden linear functions", Advances in Cryptology (CRYPTO'95), LNCS 921 (1995), 424-437.
[9] M. Boyer, G. Brassard, P. Høyer and A. Tapp, "Tight bounds on quantum searching", PhysComp'96 (1996), 36-43.
[10] G. Brassard, P. Høyer and A. Tapp, "Quantum counting", Int. Coll. Automata, Languages and Programming (ICALP'98), LNCS 1443 (1998), 820-831.
[11] R. P. Feynman, "Simulating physics with computers", International J. Theoretical Phys., 21 (1982), 467-488.
[12] R. P. Feynman, "Quantum mechanical computers", Optics News, 11 (1985), 11-20.
[13] L. K. Grover, "A fast quantum mechanical algorithm for database search", Proc. 28th ACM Symp. on Theory of Computing (STOC'96) (1996), 212-219.
[14] M. Matsui, "The first experimental cryptanalysis of the Data Encryption Standard", Advances in Cryptology (CRYPTO'94), LNCS 839 (1994), 1-11.
[15] J. Preskill, "Quantum Information and Computation", Lecture Notes for Physics 229, California Institute of Technology (1998).
[16] P. W. Shor, "Polynomial time algorithms for prime factorization and discrete logarithms on a quantum computer", SIAM J. Comp. 26 (5) (1997), 1484-1509.
[17] A. Yao, "Quantum circuit complexity", Proc. 34th Annual Symp. on Foundations of Computer Science (FOCS'93) (1993), 352-361.
