The most important pre-quantum threat to AES-128 is the 1994 van Oorschot–Wiener parallel rho method, a low-communication parallel pre-quantum multi-target preimage-search algorithm. This algorithm uses a mesh of p small processors, each running for approximately $2^{128}/pt$ fast steps, to find one of $t$ independent AES keys $k_1$, …, $k_t$, given the ciphertexts AES_k_1(0), …,AES_k_t(0) for a shared plaintext $0$. NIST has claimed a high post-quantum security level for AES-128, starting from the following rationale: Grover’s algorithm requires a long-running serial computation, which is difficult to implement in practice. In a realistic attack, one has to run many smaller instances of the algorithm in parallel, which makes the quantum speedup less dramatic. NIST has also stated that resistance to multi-key attacks is desirable; but, in a realistic parallel setting, a straightforward multi-key application of Grover’s algorithm costs more than targeting one key at a time. This paper introduces a different quantum algorithm for multi-target preimage search. This algorithm shows, in the same realistic parallel setting, that quantum preimage search benefits asymptotically from having multiple targets. The new algorithm requires a revision of NIST’s AES-128, AES-192, and AES-256 security claims.

Type

Publication

In *Selected Areas in Cryptography*.