Quantum Key Recovery Attack on SIMON Block Cipher

The quantum security of lightweight block ciphers is receiving more and more attention. However, the existing quantum attacks on lightweight block ciphers mainly focused on the quantum exhaustive search, while the quantum dedicated attacks combined with classical cryptanalysis methods haven't been well studied. In this paper, we study quantum key recovery attack on SIMON block cipher using Quantum Amplitude Amplification algorithm in Q1 model. At first, we reanalyze the quantum circuit complexity of quantum master key exhaustive search on SIMON block cipher. The Clifford gates count is estimated more accurately and the T gate count is reduced. We also reduce the T-depth and Full-depth due to some minor modifications to the circuit. Then, based on the differential cryptanalysis on SIMON32, SIMON48 and SIMON64 given by Biryukov et al. in FSE 2014, we give quantum round key recovery attacks on these SIMON variants and analyze quantum circuit complexity separately. We take the quantum attack on 19-round SIMON32/64 for an example and design the quantum circuit of the key recovery process. The two phases of this attack could be regarded as two QAA instances separately, and the first QAA instance consists of four sub-QAA instances. We conclude that the encryption complexity and circuit complexity of quantum dedicated attacks on 19-round SIMON32/64, 19-round SIMON 48 and 26-round SIMON64/128 are both lower than those of the quantum exhaustive search on these variants separately. Our work firstly studies the quantum dedicated attack on SIMON block cipher from the perspective of quantum circuit complexity, which is a more fine-grained analysis of quantum dedicated attacks' complexity.