Hong-Wei Sun,Bin-Bin Cai,Su-Juan Qin,Qiao-Yan Wen,Fei Gao

DOI: https://doi.org/10.1016/j.physa.2023.129047

2023-07-18

Abstract:In this paper, we investigate the security of several recent MAC constructions with provable security beyond the birthday bound (called BBB MACs) in the quantum setting. On the one hand, we give periodic functions corresponding to targeted MACs (including PMACX, PMAC with parity, HPxHP, and HPxNP), and we can recover secret states using Simon algorithm, leading to forgery attacks with complexity O(n) . This implies our results realize an exponential speedup compared with the classical algorithm. Note that our attacks can even break some optimally secure MACs, such as mPMAC+-f, mPMAC+-p1, mPMAC+-p2, mLightMAC+-f, etc. On the other hand, we construct new hidden periodic functions based on SUM-ECBC-like MACs: SUM-ECBC, PolyMAC, GCM-SIV2, and 2K-ECBC − Plus, where periods reveal the information of the secret key. Then, by applying Grover-meets-Simon algorithm to specially constructed functions, we can recover full keys with O(2n/2n) or O(2m/2n) quantum queries, where n is the message block size and m is the length of the key. Considering the previous best quantum attack, our key-recovery attacks achieve a quadratic speedup.

physics, multidisciplinary

Xiaoyang Dong,Bingyou Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s10623-020-00741-y

2020-03-09

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor's attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with <span class="mathjax-tex">\(2^{114.8}\)</span> quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of <span class="mathjax-tex">\(2^{13.2}\)</span>.

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

Yin-Song Xu,Yi-Bo Luo,Zheng Yuan,Xuan Zhou,Qi-di You,Fei Gao,Xiao-Yang Dong

DOI: https://doi.org/10.1007/s10623-024-01526-3

2024-01-01

Abstract:In recent years, it has become a popular trend to propose quantum versions of classical attacks. The rectangle attack as a differential attack is widely used in symmetric cryptanalysis and applied on many block ciphers. To improve its efficiency, we propose a new quantum rectangle attack firstly. In rectangle attack, it counts the number of valid quartets for each guessed subkeys and filters out subkey candidates according to the counter. To speed up this procedure, we propose a quantum key counting algorithm based on parallel amplitude estimation algorithm and amplitude amplification algorithm. Then, we complete with the remaining key bits and search the right full key by nested Grover search. Besides, we give a strategy to find a more suitable distinguisher to make the complexity lower. Finally, to evaluate post-quantum security of the tweakable block cipher Deoxys-BC, we perform automatic search for good distinguishers of Deoxys-BC according to the strategy, and then apply our attack on 9/10-round Deoxys-BC-256 and 12/13/14-round Deoxys-BC-384. The results show that our attack has some improvements than classical attacks and Grover search.

Jiehui Nan,Honggang Hu,Ping Zhang,Yiyuan Luo

DOI: https://doi.org/10.1007/s11128-022-03774-5

IF: 1.965

2022-01-01

Quantum Information Processing

Abstract:Since the seminal work of Chen et al. to construct pseudorandom functions (PRFs) from the public random permutations, a series of designs of beyond-birthday-bound secure PRFs or message authentication codes(MACs) have been proposed, like $$\textsf{pEDM}$$ , $$\textsf{pPMAC}$$ _ $$\textsf{Plus}$$ , $$\textsf{PDM}\text {* }\textsf{MAC}$$ , and $$\textsf{1K}\text {-}\textsf{PDM}\text {* }\textsf{MAC}$$ , etc. These constructions were classically proved to be secure at least up to $$O(2^{2n/3})$$ queries. In this paper, we consider to attack these constructions in the quantum setting. In particular, we show the key-recovery attack against $$\textsf{pEDM}$$ and $$\textsf{pPMAC}$$ _ $$\textsf{Plus}$$ with $$O(n\cdot 2^{n/2})$$ quantum queries by using Grover-meets-Simon algorithm. Moreover, a forgery attack is given against the constructions $$\textsf{PDM}\text {* }\textsf{MAC}$$ and $$\textsf{nEHtM}_p$$ with O(n) quantum complexity, and under the same query complexity, we can even recover the key of $$\textsf{1K}\text {-}\textsf{PDM}\text {* }\textsf{MAC}$$ .

Wei Jie Ng,Chik How Tan

DOI: https://doi.org/10.1007/s11128-024-04359-0

IF: 1.965

2024-04-18

Quantum Information Processing

Abstract:Grover's algorithm has been widely used for quantum key search to attack block ciphers with a quadratic speedup as compared to classical brute-force attacks and also used for evaluating the post-quantum security of block ciphers against quantum computer attack. But, this quantum key search on block ciphers has a high quantum circuit depth and AES-128 is still secure against such attack. In this paper, we introduce a method called the depth–measurement trade-off method that reduces the overall quantum circuit depth of quantum key search to attack block ciphers by increasing the number of measurements of the circuit. This method is to introduce dummy keys in the quantum circuit as part of the correct key. This will reduce both quantum circuit resource and quantum circuit depth. Based on this technique, the quantum circuit depth of AES-128 is less than , while NIST suggested circuit depth should be greater than MAXDEPTH, which is , and in order to resist the respective attacks. In addition, we also simulated the depth–measurement trade-off method on the reduced SIMON block cipher algorithm as a proof of concept. Furthermore, we also apply the depth–measurement technique on various block ciphers, for example AES, PRESENT, SIMON, GIFT, SPECK, RECTANGLE, LowMC, KNOT, PIPO, etc.

physics, multidisciplinary,quantum science & technology, mathematical

Surajit Mandal,Ravi Anand,Mostafizar Rahman,Santanu Sarkar,Takanori Isobe

DOI: https://doi.org/10.1038/s41598-024-69188-8

IF: 4.6

2024-09-11

Scientific Reports

Abstract:Extensive research is currently underway to determine the security of existing ciphers in light of the advancements in quantum computing. Against symmetric key cryptography, Grover's search algorithm is a prominent attack, capable of reducing search costs to the square root. For using Grover's algorithm, it is imperative to embed the target cipher into a quantum circuit. Even so, this area of research is relatively new; it has garnered significant attention from the research community. In this study, we provide the first estimation of the cost of Grover's key search attack against the AES-based AEAD schemes Rocca-S , AEGIS-128 , and Tiaoxin-346 . Our analysis considers circuit depth restrictions specified in NIST's PQC standardization process. Considering NIST's maximum depth constraints, We present the overall cost of these attacks using gate count and depth-times-width metrics. We observed that for , Rocca-S , AEGIS-128 , and Tiaoxin-346 can be retrieved using Grover's search algorithm with gate count of 1.09 × 2 253 , 1.14 × 2 124 , and 1.22 × 2 124 respectively. Concerning the current updated values by NIST, these ciphers are secure in terms of the cost of implementing Grover's attack for key recovery. The quantum circuits of these ciphers are implemented using QISKIT, an open-source software development kit (SDK) designed for working with quantum computers running on the IBM Quantum Experience platform.

multidisciplinary sciences

Alexey Moiseevskiy

2023-04-12

Abstract:Advanced Encryption Standard is one of the most widely used and important symmetric ciphers for today. It well known, that it can be subjected to the quantum Grover's attack that twice reduces its key strength. But full AES attack requires hundreds of qubits and circuit depth of thousands, that makes impossible not only experimental research but also numerical simulations of this algorithm. Here we present an algorithm for optimized Grover's attack on downscaled Simplifed-AES cipher. Besides full attack we present several approaches that allows to reduce number of required qubits if some nibbles of the key are known as a result of side-channel attack. For 16-bit S-AES the proposed attack requires 23 qubits in general case and 19, 15 or 11 if 4, 8 or 12 bits were leaked in specifc confguration. Comparing to previously known 32-qubits algorithm this approach potentially allows to run the attack on today's NISQ-devices and perform numerical simulations with GPU, that may be useful for further research of problem-specifc error mitigation and error correction techniques.

Quantum Physics

XiaoYu Jing,YanJu Li,GuangYue Zhao,Huiqin Xie

2023-05-02

Abstract:Due to Grover's algorithm, any exhaustive search attack of block ciphers can achieve a quadratic speed-up. To implement Grover,s exhaustive search and accurately estimate the required resources, one needs to implement the target ciphers as quantum circuits. Recently, there has been increasing interest in quantum circuits implementing lightweight ciphers. In this paper we present the quantum implementations and resource estimates of the lightweight ciphers LBlock and LiCi. We optimize the quantum circuit implementations in the number of gates, required qubits and the circuit depth, and simulate the quantum circuits on ProjectQ. Furthermore, based on the quantum implementations, we analyze the resources required for exhaustive key search attacks of LBlock and LiCi with Grover's algorithm. Finally, we compare the resources for implementing LBlock and LiCi with those of other lightweight ciphers.

Quantum Physics,Cryptography and Security

DOI: https://doi.org/10.1007/s11128-024-04424-8

IF: 1.965

2024-06-15

Quantum Information Processing

Abstract:Quantum computing has made many important achievements in the field of cryptanalysis. However, due to the limitations of current physical system and technology, the realization of large-scale universal quantum computers is a long way off. Currently, small-scale quantum computers are easier to implement than large-scale universal quantum computers. Distributed quantum computing proposes an implementation architecture, which attempts to break down large-scale tasks into many sub-tasks distributed across multiple small-scale quantum computers. How to use small-scale quantum computers with fewer qubits and shallower quantum depths to complete large-scale tasks and improve the success rate of attacking symmetric cryptosystems is our concern. In this paper, we propose a distributed exact Simon's algorithm, apply it to achieve quantum key recovery attacks on single-permutation-based pseudorandom cryptographic schemes with classical birthday bound security, and estimate the quantum resources of quantum circuits. Furthermore, we combine distributed exact Grover's algorithm and distributed exact Simon's algorithm to achieve quantum key recovery attacks on two-permutation-based pseudorandom cryptographic schemes with classical beyond birthday bound security and estimate the corresponding quantum resources. Our results show that (1) our algorithms are exact which means that the theoretical success probability of attacking pseudorandom cryptographic schemes is 100%; (2) the depth of circuit is in polynomial time which means that the theoretical depth of attacking symmetric cryptosystems is exponentially accelerated relative to the previous results; (3) the qubits of circuit don't increase significantly. Our work is of great importance. It could lead to the rapid realization of effective quantum attacks against symmetric cryptosystems on small-scale quantum computers.

physics, multidisciplinary,quantum science & technology, mathematical

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Huiying Liu,Keke Ji,Jing Huang

DOI: https://doi.org/10.1016/j.jss.2012.11.007

IF: 3.5

2013-01-01

Journal of Systems and Software

Abstract:The side-channel cube attack (SCCA) is a powerful cryptanalysis technique that combines the side-channel and cube attack. This paper proposes several advanced techniques to improve the Hamming weight-based SCCA (HW-SCCA) on the block cipher PRESENT. The new techniques utilize non-linear equations and an iterative scheme to extract more information from leakage. The new attacks need only 2^8^.^9^5 chosen plaintexts to recover 72 key bits of PRESENT-80 and 2^9^.^7^8 chosen plaintexts to recover 121 key bits of PRESENT-128. To the best of our knowledge, these are the most efficient SCCAs on PRESENT-80/128. To show the feasibility of the proposed techniques, real attacks have been conducted on PRESENT on an 8-bit microcontroller, which are the first SCCAs on PRESENT on a real device. The proposed HW-SCCA can successfully break PRESENT implementations even if they have some countermeasures such as random delay and masking.

Bo Yu,Tairong Shi,Xiaoyang Dong,Xuan Shen,Yiyuan Luo,Bing Sun

DOI: https://doi.org/10.1007/978-981-97-0945-8_19

2024-01-01

Abstract:Simon's algorithm has shown a threat to block ciphers in the quantum setting, especially accelerating attacks with superposition queries. Sometimes it is difficult for attackers to make superposition queries, while an easier way is to use classical data then process them on quantum computers. At ASIACRYPT 2019, Bonnetain et al. proposed the offline Simon's algorithm. But there is a gap between the classical queries and a quantum database in their work. In this paper, we propose an algorithm involving polynomial qubits that can transform a classical database into a quantum superposition state without using QRAM. What's more, we analyze the influence of two approaches called pre- and post-distinguisher methods for Simon's algorithm attack. Then we run a quantum key recovery attack on Feistel structure in the Q1 model. For attacking r-round Feistel structure with n-bit block size and n/2-bit subkey, the time complexity of our attack is O(l center dot 2(n/2+2) + 2((r-3)n/4)) (where l is a constant), and the classical data complexity is always O(2(n/2+1)), which is much better than the classical attacks especially for r > 5.

Da Lin,Zejun Xiang,Runqing Xu,Shasha Zhang,Xiangyong Zeng

DOI: https://doi.org/10.1007/s11128-023-04043-9

IF: 1.965

2023-09-23

Quantum Information Processing

Abstract:This work researches the implementation of the AES family with Pauli-X gates, CNOT gates and Toffoli gates as the underlying quantum logic gate set. First, the properties of quantum circuits are investigated, as well as the influence of Pauli-X gates, CNOT gates and Toffoli gates on the performance of the circuits constructed with those gates. Based on these properties and the observations on the hardware circuits built by Boyar et al. and Zou et al., it is possible to construct quantum circuits for AES's Substitution-box (S-box) and its inverse (S-box ) by rearranging the classical implementation to three parts. Since the second part is treated as a 4-bit S-box in this paper and can be dealt with by existing tools, a heuristic is proposed to search optimized quantum circuits for the first and the third parts. In addition, considering the number of parallelly executed S-boxes, the trade-offs between the qubit consumption and values for the round function and key schedule of AES are studied. As a result, quantum circuits of AES-128, AES-192 and AES-256 can be constructed with 269, 333 and 397 qubits, respectively. If more qubits are allowed, quantum circuits that outperform state-of-the-art schemes in the metric of value for the AES family can be reported, and it needs only 474, 538 and 602 qubits for AES-128, AES-192 and AES-256, respectively.

physics, multidisciplinary,quantum science & technology, mathematical

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.06.001

2012-01-01

Abstract:The security of EPCBC,a lightweight block cipher proposed in CANS 2011,against the side-channel cube attack is evaluated by combining cube cryptanalysis with side-channel attack under the 8-bit Hamming weight leakage model.Under the black-box attack scenario,the adversary firstly generates random cube and superpoly.Then the cube is used to generate chosen plaintexts.The adversary deduces one bit of the intermediate state from the side-channel attack for each chosen plaintext and computes the high order differences of these one bit values to verify the relations between the cube and superpoly.Simulation experiments are launched on two variants of EPCBC with different block lengths.The results demonstrate that the unprotected implementation of EPCBC is vulnerable to side-channel cube attacks.If the adversary can accurately deduce the Hamming weight of the intermediate states from the side-channel leakages,many cubes and superpolys can be extracted and used for key recovery.372 chosen plaintexts can recover 48-bit of the master key for EPCBC(48,96) and reduce the key search space to 248.610 chosen plaintexts can recover full 96-bit of the master key for EPCBC(96,96) directly.The techniques of this paper can provide certain references to black-box side-channel cube attacks on other block ciphers.

Bin-Bin Cai,Yusen Wu,Jing Dong,Su-Juan Qin,Fei Gao,Qiao-Yan Wen

DOI: https://doi.org/10.1093/comjnl/bxab216

2022-02-01

The Computer Journal

Abstract:Abstract By introducing the BHT algorithm into the slide attack on 1K-AES and the related-key attack on PRINCE, we present the corresponding quantum attacks in this paper. In the proposed quantum attacks, we generalize the BHT algorithm to the situation where the number of marked items is unknown ahead of time. Moreover, we give an implementation scheme of classifier oracle based on Quantum Phase Estimation algorithm in presented quantum attacks. The complexity analysis shows that the query complexity, time complexity and memory complexity of the presented quantum attacks are all $\mathcal{O}(2^{n/3})$ when the success probability is about $63\%$, where $n$ is the block size. Compared with the corresponding classical attacks, the proposed quantum attacks can achieve subquadratic speed-up under the same success probability no matter on query complexity, time complexity or memory complexity. Furthermore, the query complexity of the proposed quantum slide attack on 1K-AES is less than Grover search on 1K-AES by a factor of $2^{n/6}.$ When compared with the Grover search on PRINCE, the query complexity of the presented quantum attack on PRINCE is reduced from $\mathcal{O}(2^{n})$ to $\mathcal{O}(2^{n/2}).$ When compared with the combination of Grover and Simon’s algorithms on PRINCE, the query complexity of our quantum attack on PRINCE is reduced from $\mathcal{O}(n\cdot 2^{n/2})$ to $\mathcal{O}(2^{n/2}).$ Besides, the proposed quantum slide attack on 1K-AES indicates that the quantum slide attack could also be applied on Substitution-Permutation Network construction, apart from the iterated Even-Mansour cipher and Feistel constructions.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Borja Aizpurua,Pablo Bermejo,Josu Etxezarreta Martinez,Roman Orus

2023-11-06

Abstract:Here we introduce an improved approach to Variational Quantum Attack Algorithms (VQAA) on crytographic protocols. Our methods provide robust quantum attacks to well-known cryptographic algorithms, more efficiently and with remarkably fewer qubits than previous approaches. We implement simulations of our attacks for symmetric-key protocols such as S-DES, S-AES and Blowfish. For instance, we show how our attack allows a classical simulation of a small 8-qubit quantum computer to find the secret key of one 32-bit Blowfish instance with 24 times fewer number of iterations than a brute-force attack. Our work also shows improvements in attack success rates for lightweight ciphers such as S-DES and S-AES. Further applications beyond symmetric-key cryptography are also discussed, including asymmetric-key protocols and hash functions. In addition, we also comment on potential future improvements of our methods. Our results bring one step closer assessing the vulnerability of large-size classical cryptographic protocols with Noisy Intermediate-Scale Quantum (NISQ) devices, and set the stage for future research in quantum cybersecurity.

Quantum Physics,Cryptography and Security,Machine Learning

Huiqin Xie,Zhangmei Zhao,Ke Wang,Yanjun Li,Hongcai Xin

DOI: https://doi.org/10.3390/math12172678

IF: 2.4

2024-08-31

Mathematics

Abstract:Because of the substantial progress in quantum computing technology, the safety of traditional cryptologic schemes is facing serious challenges. In this study, we explore the quantum safety of the lightweight cipher MIBS and propose quantum key-recovery attacks on the MIBS cipher by utilizing Grover's algorithm and Bernstein–Vazirani algorithm. We first construct linear-structure functions based on the 5-round MIBS cipher according to the characteristics of the linear transformations, and then we obtain a quantum distinguisher of the 5-round MIBS cipher by applying Bernstein–Vazirani algorithm to the constructed functions. Finally, utilizing this distinguisher and Grover's algorithm, we realize a 7-round key-recovery attack on the MIBS cipher, and then we expand the attack to more rounds of MIBS based on a similar idea. The quantum attack on the 7-round MIBS requires 156 qubits and has a time complexity of 210.5. An 8-round attack requires 179 qubits and has a time complexity of 222. Compared with existing quantum attacks, our attacks have better time complexity when attacking the same number of rounds.

mathematics

Marc Kaplan,Gaëtan Leurent,Anthony Leverrier,María Naya-Plasencia

DOI: https://doi.org/10.13154/tosc.v2016.i1.71-94

2017-03-07

Abstract:Quantum computers, that may become available one day, would impact many scientific fields, most notably cryptography since many asymmetric primitives are insecure against an adversary with quantum capabilities. Cryptographers are already anticipating this threat by proposing and studying a number of potentially quantum-safe alternatives for those primitives. On the other hand, symmetric primitives seem less vulnerable against quantum computing: the main known applicable result is Grover's algorithm that gives a quadratic speed-up for exhaustive search. In this work, we examine more closely the security of symmetric ciphers against quantum attacks. Since our trust in symmetric ciphers relies mostly on their ability to resist cryptanalysis techniques, we investigate quantum cryptanalysis techniques. More specifically, we consider quantum versions of differential and linear cryptanalysis. We show that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attack techniques, but the situation must be nuanced: we don't get a quadratic speed-up for all variants of the attacks. This allows us to demonstrate the following non-intuitive result: the best attack in the classical world does not necessarily lead to the best quantum one. We give some examples of application on ciphers LAC and KLEIN. We also discuss the important difference between an adversary that can only perform quantum computations, and an adversary that can also make quantum queries to a keyed primitive.

Quantum Physics,Cryptography and Security

Mengyuan Zhang,Tairong Shi,Wenling Wu,Han Sui

DOI: https://doi.org/10.1109/tc.2024.3449094

IF: 3.183

2024-10-12

IEEE Transactions on Computers

Abstract:In the post-quantum era, the security level of encryption algorithms is often evaluated based on the quantum resources required to attack AES. In this work, we make thoroughly estimations on various performance metrics of the quantum circuit of AES-128/192/256. Firstly, we introduce a generic round structure for in-place implementation of the AES algorithm, maximizing the parallelism between nonlinear components. Specifically, when employed as an encryption oracle, our structure reduces the T-depth from 2rd to (r+1)d. Furthermore, by leveraging the properties of block-cyclic matrices, we present an in-place implementation circuit for MixColumn with depth 10, utilizing 105 CNOT gates. In relation to the S-box, we have assessed its minimum circuit width at different T-depths and provide multiple versions of circuit implementations for a depth-width trade-off. Finally, based on our optimized S-box circuit, we conduct a comprehensive analysis of the implementation complexity of different round structures, where our structure exhibits significant advantages in terms of low T-depth.

engineering, electrical & electronic,computer science, hardware & architecture

Olgierd Żołnierczyk

2024-10-07

Abstract:This work focuses on quantum methods for cryptanalysis of schemes based on the integer factorization problem and the discrete logarithm problem. We demonstrate how to practically solve the largest instances of the factorization problem by improving an approach that combines quantum and classical computations, assuming the use of the best publicly available special-class quantum computer: the quantum annealer. We achieve new computational experiment results by solving the largest instance of the factorization problem ever announced as solved using quantum annealing, with a size of 29 bits. The core idea of the improved approach is to leverage known sub-exponential classical method to break the problem down into many smaller computations and perform the most critical ones on a quantum computer. This approach does not reduce the complexity class, but it assesses the pragmatic capabilities of an attacker. It also marks a step forward in the development of hybrid methods, which in practice may surpass classical methods in terms of efficiency sooner than purely quantum computations will.

Cryptography and Security