Rainer Steinwandt - Workshop on Secure Implementation of Post-Quantum Cryptography in Isreal

Understanding the cost of Grover's algorithm for finding a secret key

Abstract: Assuming the presence of large-scale quantum computers, it is natural to invoke Grover's algorithm to speed up an exhaustive key search for a block cipher of interest. In order to establish a reliable estimate for the post-quantum security margin of the target cipher, pertinent resource needs (such as number of qubits and number of gates) need to be considered. This talk discusses the cost of implementing some prominent block ciphers as a quantum circuit, as needed for Grover's algorithm, using a Clifford+T gate set.

The talk is based on joint work with Brittanney Amento, Markus Grassl, Brandon Langenberg, and Martin Roetteler.