Implementing Grover Oracle for Lightweight Block Ciphers Under Depth Constraints

Grover’s search algorithm allows a quantum attack against block ciphers by searching for an n-bit secret key in time O(2 n/2). In the PQC standardization process, NIST defined the security categories by imposing the upper bound on the depth of the quantum circuit of the Grover oracle. In this work, we study quantum key search attacks on lightweight block ciphers under depth constraints. We design optimized quantum circuits for GIFT, SKINNY, and SATURNIN and enumerate the quantum resources to implement the Grover oracle in terms of the number of qubits, Clifford+T gates, and circuit depth. We also give the concrete cost of Grover oracle for these ciphers in both the gate-count and depth-times-width cost models. We then present the cost estimates of Grover-based key search attacks on these ciphers under NIST’s depth constraints. We also release Q# implementations of the full Grover oracle for all the variants of GIFT, SKINNY, and SATURNIN to automatically reproduce our quantum resource estimates.