Funding: Supported by the Foundation of National Laboratory for Modern Communications (51436030105DZ0105)
Abstract: This paper first presents an impossible differential property for 5-round Advanced Encryption Standard (AES) with high probability. Based on the property and the impossible differential cryptanalytic method for the 5-round AES, a new method is proposed for cryptanalyzing the 8-round AES-192 and AES-256. This attack on the reduced 8-round AES-192 demands 2^121 words of memory, and performs 2^148 8-round AES-192 encryptions. This attack on the reduced 8-round AES-256 demands 2^153 words of memory, and performs 2^180 8-round AES-256 encryptions. Furthermore, both AES-192 and AES-256 require about 2^98 chosen plaintexts for this attack, and have the same probability that is only 2^-3 to fail to recover the secret key.
Funding: This work is supported by the National Natural Science Foundation of China under Grant No. 90604036 and the National Grand Fundamental Research 973 Program of China under Grant No. 2004CB318004.
Abstract: This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected no impossible differentials exist for 4-round ARIA. However, we found some nontrivial 4-round impossible differentials, which may lead to a possible attack on 6-round ARIA. Moreover, we found some nontrivial 8-round impossible differentials for Camellia, whereas only 7-round impossible differentials were previously known. By using the 8-round impossible differentials, we presented an attack on 12-round Camellia without FL/FL^-1 layers.
Funding: Supported by the National Natural Science Foundation of China under Grant Nos. 60873259 and 60903212, and the Knowledge Innovation Project of the Chinese Academy of Sciences
Abstract: SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China. In this paper, we analyze the security of the SMS4 block cipher against differential cryptanalysis. Firstly, we prove three theorems and one corollary that reflect relationships of 5- and 6-round SMS4. Next, by these relationships, we clarify the minimum number of active S-boxes in 6-, 7- and 12-round SMS4 respectively. Finally, based on the above results, we present a family of about 2^14 differential characteristics for 19-round SMS4, which leads to an attack on 23-round SMS4 with 2^118 chosen plaintexts and 2^126.7 encryptions.
Funding: Supported by the National Natural Science Foundation of China (60573032, 90604036); Participation in Research Project of Shanghai Jiao Tong University
Abstract: The security of the International Data Encryption Algorithm (IDEA(16)), a mini IDEA cipher, against differential cryptanalysis is investigated. The results show that IDEA(16) is secure against differential cryptanalysis attack after 5 rounds while IDEA(8) needs 7 rounds for the same level of security. The transition matrix for IDEA(16) and its eigenvalue of second largest magnitude are computed. The storage method for the transition matrix has been optimized to speed up file I/O. The emphasis of the work lies in finding out an effective way of computing the eigenvalue of the matrix. To lower time complexity, three mature algorithms for finding eigenvalues are compared with one another and the subspace iteration algorithm is employed to compute the eigenvalue of second largest module, with a precision of 0.001.
Funding: The National Natural Science Foundation of China (Grant No. 60673072); Foundation of National Laboratory for Modern Communications (Grant No. 51436030105DZ0105)
Abstract: Impossible differential cryptanalysis is a method for recovering a secret key, which gets rid of the keys that satisfy impossible differential relations. This paper concentrates on the impossible differential cryptanalysis of Advanced Encryption Standard (AES) and presents two methods for impossible differential cryptanalysis of 7-round AES-192 and 8-round AES-256 combined with time-memory trade-off by exploiting weaknesses in their key schedule. This attack on the reduced 7-round AES-192 requires about 2^94.5 chosen plaintexts, demands 2^129 words of memory, and performs 2^157 7-round AES-192 encryptions. Furthermore, this attack on the reduced 8-round AES-256 requires about 2^101 chosen plaintexts, demands 2^201 words of memory, and performs 2^228 8-round AES-256 encryptions.
Funding: This paper was supported by the National Natural Science Foundation of China under Grant No. 61073149 and the Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20090073110027.
Abstract: Unified Impossible Differential (UID) cryptanalysis is a systematic method for finding impossible differentials for block ciphers. Regarding the problem of automatically retrieving the impossible differential characteristics of block ciphers, with the use of particular intermediate difference state expression, UID gets the same or better results compared with other present cryptanalysis results. ARIA is a Korean block cipher expecting that there are no impossible differentials on four or more rounds. Based on a property of the Diffusion layer (DL) of ARIA, a specific selection is used before conflict searching to optimize. UID is applied to ARIA, and 6 721 impossible differential chains are found. The length of those chains is four rounds, the same as existing results, but more varied in form. Moreover, ARIA is a Substitution-Permutation Network (SPN), not a Feistel structure or generalized Feistel structure as UID was applied to before.
Abstract: Data Encryption Standard (DES) is a symmetric key cryptosystem that is applied in different cryptosystems of recent times. However, researchers found defects in the main assembling of the DES and declared it insecure against linear and differential cryptanalysis. In this paper, we have studied the faults and made improvements in their internal structure and get the new algorithm for Improved DES. The improvement is being made in the substitution step, which is the only nonlinear component of the algorithm. This alteration provided us with great outcomes and increased the strength of DES. Accordingly, a novel 6×6 good quality S-box construction scheme has been hired in the substitution phase of the DES. The construction involves the Galois field method and generates robust S-boxes that are used to secure the scheme against linear and differential attacks. Then again, the key space of the improved DES has been enhanced against the brute force attack. The outcomes of different performance analyses depict the strength of our proposed substitution boxes which also guarantees the strength of the overall DES.
Funding: Supported by the Natural Science Foundation of Beijing, China (Grant No. 4172006); Beijing Municipal Education Commission of China (Grant No. km201410005012).
Abstract: In recent years, with the rapid development of the Internet of Things (IoT), RFID tags, industrial controllers, sensor nodes, smart cards and other small computing devices are increasingly widely deployed. In order to help protect low-power, low-cost Internet of Things devices, lightweight cryptography came into being. In order to launch the standard of cryptographic algorithm suitable for constrained environment, NIST started the process of lightweight cryptography standardization in 2016, and published the second round of candidate cryptographic algorithms in August 2019. SKINNY-Hash in the sponge construction is one of the second round candidates, as well as SKINNY-AEAD. The tweakable block cipher SKINNY is the basic component for both of them. Although cryptanalysts have proposed several cryptanalysis results on SKINNY and SKINNY-AEAD, there are no cryptanalysis results on SKINNY-Hash. Based on the differential cryptanalysis and the method of mixed integer programming (MILP), we perform differential cryptanalysis on SKINNY-Hash. The core is to set up the inequations of the MILP model. Actually, it is hard to obtain the inequations of the substitution (i.e. S-box) obeying the previous method. By a careful study of the permutation, we partition the substitution into a nonlinear part and a linear part, then a series of inequations in the MILP model is obtained to describe the differentials with high possibilities. As a result, we propose a differential hash collision path of 3-round SKINNY-tk3-Hash. By adjusting the bit rate of SKINNY-tk3-Hash, we propose a 7-round collision path for the simplified algorithm. The cryptanalysis in this paper will help to promote the NIST Lightweight Crypto Standardization process.
Funding: Supported in part by the National Natural Science Foundation of China (No. 60273084) and the National Laboratory for Modern Communications Foundation of China (No. 51436030105DZ0105).
Abstract: This paper presents a new method for resynchronization attack, which is the combination of the differential cryptanalysis and algebraic attack. By using the new method one gets a system of linear equations or low-degree equations about initial keys, and the solution of the system of equations results in the recovery of the initial keys. This method has a lower computational complexity and better performance of attack in contrast to the known methods. Accordingly, the design of the resynchronization stream generators should be reconsidered to make them strong enough to avoid our attacks. When implemented to the Toyocrypt, our method gains the computational complexity of O(2^17), and that of O(2^67) for LILI-128.
Abstract: In this paper, we survey a number of studies in the literature on improving lightweight systems in the Internet of Things (IoT). The paper illustrates recent development of Boolean cryptographic function Application and how it assists in using hardware such as the internet of things. For a long time there seems to be little progress in applying pure mathematics in providing security since the wide progress made by George Boole and Shannon. We discuss cryptanalysis of Boolean functions to avoid trapdoors and vulnerabilities in the development of block ciphers. It appears that there is significant progress. A comparative analysis of lightweight cryptographic schemes is reported in terms of execution time, code size and throughput. Depending on the schemes and the structure of the algorithms, these parameters change but remain within reasonable values making them suited for Internet of things applications. The driving force of lightweight cryptography (LWC) stems mainly from its direct applications in the real world since it provides solutions to actual problems faced by designers of IoT systems. Broadly speaking, lightweight cryptographic algorithms are designed to achieve two main goals. The first goal of a cryptographic algorithm is to withstand all known cryptanalytic attacks and thus to be secure in the black-box model. The second goal is to build the cryptographic primitive in such a way that its implementations satisfy a clearly specified set of constraints that depend on a case-by-case basis.
Funding: Project supported by the National Natural Science Foundation of China (No. 62206312).
Abstract: At the Annual International Cryptology Conference in 2019, Gohr introduced a deep learning based cryptanalysis technique applicable to the reduced-round lightweight block ciphers with a short block of SPECK32/64. One significant challenge left unstudied by Gohr's work is the implementation of key recovery attacks on large-state block ciphers based on deep learning. The purpose of this paper is to present an improved deep learning based framework for recovering keys for large-state block ciphers. First, we propose a key bit sensitivity test (KBST) based on deep learning to divide the key space objectively. Second, we propose a new method for constructing neural distinguisher combinations to improve a deep learning based key recovery framework for large-state block ciphers and demonstrate its rationality and effectiveness from the perspective of cryptanalysis. Under the improved key recovery framework, we train an efficient neural distinguisher combination for each large-state member of SIMON and SPECK and finally carry out a practical key recovery attack on the large-state members of SIMON and SPECK. Furthermore, we propose that the 13-round SIMON64 attack is the most effective approach for practical key recovery to date. Notably, this is the first attempt to propose deep learning based practical key recovery attacks on 18-round SIMON128, 19-round SIMON128, 14-round SIMON96, and 14-round SIMON64. Additionally, we enhance the outcomes of the practical key recovery attack on SPECK large-state members, which amplifies the success rate of the key recovery attack in comparison to existing results.
Abstract: The SC2000 block cipher has a 128-bit block size and a user key of 128, 192 or 256 bits, which employs a total of 6.5 rounds if a 128-bit user key is used. It is a CRYPTREC recommended e-government cipher in Japan. In this paper we address how to recover the user key from a few subkey bits of SC2000, and describe two 4.75-round differential characteristics with probability 2^-126 of SC2000 and seventy-six 4.75-round differential characteristics with probability 2^-127. Finally, we present a differential cryptanalysis attack on a 5-round reduced version of SC2000 when used with a 128-bit key; the attack requires 2^125.68 chosen plaintexts and has a time complexity of 2^125.75 5-round SC2000 encryptions. The attack does not threaten the security of the full SC2000 cipher, but it suggests for the first time that the safety margin of SC2000 with a 128-bit key decreases below one and a half rounds.
Funding: National Natural Science Foundation of China (Grant No. 61672517); National Natural Foundation of China (Key program, Grant No. 61732021); National Cryptography Development Fund (Grant No. MMJJ20170108); Beijing Municipal Science & Technology Commission (Grant No. Z191100007119006).
Abstract: The quantum security of lightweight block ciphers is receiving more and more attention. However, the existing quantum attacks on lightweight block ciphers only focused on the quantum exhaustive search, while the quantum attacks combined with classical cryptanalysis methods haven't been well studied. In this paper, we study quantum key recovery attack on SIMON32/64 using Quantum Amplitude Amplification algorithm in Q1 model. At first, we reanalyze the quantum circuit complexity of quantum exhaustive search on SIMON32/64. We estimate the Clifford gates count more accurately and reduce the T gate count. Also, the T-depth and full depth are reduced due to our minor modifications. Then, using four differentials given by Biryukov in FSE 2014 as our distinguisher, we give our quantum key recovery attack on 19-round SIMON32/64. We treat the two phases of key recovery attack as two QAA instances separately, and the first QAA instance consists of four sub-QAA instances. Then, we design the quantum circuit of these two QAA instances and estimate their corresponding quantum circuit complexity. We conclude that the quantum circuit of our quantum key recovery attack is lower than quantum exhaustive search. Our work firstly studies the quantum dedicated attack on SIMON32/64. And this is the first work to study the complexity of quantum dedicated attacks from the perspective of quantum circuit complexity, which is a more fine-grained analysis of quantum dedicated attacks' complexity.