Zejun Xiang,Wentao Zhang,Zhenzhen Bao,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-53887-6_24

2016-01-01

Abstract:Division property is a generalized integral property proposed by Todo at EUROCRYPT 2015, and very recently, Todo et al. proposed bit-based division property and applied to SIMON32 at FSE 2016. However, this technique can only be applied to block ciphers with block size no larger than 32 due to its high time and memory complexity. In this paper, we extend Mixed Integer Linear Programming (MILP) method, which is used to search differential characteristics and linear trails of block ciphers, to search integral distinguishers of block ciphers based on division property with block size larger than 32. Firstly, we study how to model division property propagations of three basic operations (copy, bitwise AND, XOR) and an Sbox operation by linear inequalities, based on which we are able to construct a linear inequality system which can accurately describe the division property propagations of a block cipher given an initial division property. Secondly, by choosing an appropriate objective function, we convert a search algorithm under Todo's framework into an MILP problem, and we use this MILP problem appropriately to search integral distinguishers. As an application of our technique, we have searched integral distinguishers for SIMON, SIMECK, PRESENT, RECTANGLE, LBlock and TWINE. Our results show that we can find 14-, 16-, 18-, 22- and 26-round integral distinguishers for SIMON32, 48, 64, 96 and 128 respectively. Moreover, for two SP-network lightweight block ciphers PRESENT and RECTANGLE, we found 9-round integral distinguishers for both ciphers which are two more rounds than the best integral distinguishers in the literature [ 22,29]. For LBlock and TWINE, our results are consistent with the best known ones with respect to the longest distinguishers.

Qingju Wang,Zhiqiang Liu,Kerem Varici,Yu Sasaki,Vincent Rijmen,Yosuke Todo

DOI: https://doi.org/10.1007/978-3-319-13039-2_9

2014-01-01

Abstract:SIMON family is one of the recent lightweight block cipher designs introduced by NSA. So far there have been several cryptanalytic results on this cipher by means of differential, linear and impossible differential cryptanalysis. In this paper, we study the security of SIMON32, SIMON48/72 and SIMON48/96 by using integral, zero-correlation linear and impossible differential cryptanalysis. Firstly, we present a novel experimental approach to construct the best known integral distinguishers of SIMON32. The small block size, 32 bits, of SIMON32 enables us to experimentally find a 15-round integral distinguisher, based on which we present a key recovery attack on 21-round SIMON32, while previous best results only achieved 19 rounds. Moreover, we attack 20-round SIMON32, 20-round SIMON48/72 and 21-round SIMON48/96 based on 11 and 12-round zero-correlation linear hulls of SIMON32 and SIMON48 respectively. Finally, we propose new impossible differential attacks which improve the previous impossible differential attacks. Our analysis shows that SIMON maintains enough security margin.

Yanyan Zhou,Senpeng Wang,Bin Hu

DOI: https://doi.org/10.1049/2024/8315115

2024-01-12

IET Information Security

Abstract:Differential-linear (DL) cryptanalysis is an important cryptanalytic method in cryptography and has received extensive attention from the cryptography community since its proposal by Langford and Hellman in 1994. At CT-RSA 2023, Bellini et al. introduced continuous difference propagations of XOR, rotation, and modulo-addition operations and proposed a fully automatic method using Mixed-Integer Linear Programing (MILP) and Mixed-Integer Quadratic Constraint Programing (MIQCP) techniques to search for DL distinguishers of Addition-Rotation-XOR (ARX) ciphers. In this paper, we propose continuous difference propagation of AND operation and construct an MILP/MIQCP-based fully automatic model of searching for DL distinguishers of SIMON-like ciphers. We apply the fully automatic model to all versions of SIMON and SIMECK. As a result, for SIMON, we find 13 and 14-round DL distinguishers of SIMON32, 15, 16, and 17-round DL distinguishers of SIMON48, 20-round DL distinguishers of SIMON64, 25 and 26-round DL distinguishers of SIMON96, 31 and 32-round DL distinguishers of SIMON128. For SIMECK, we find 14-round DL distinguishers of SIMECK32, 17 and 18-round DL distinguishers of SIMECK48, 22, 23, 24, and 25-round DL distinguishers of SIMECK64. As far as we know, our results are currently the best.

computer science, information systems, theory & methods

Kai Zhang,Xuejia Lai,Jie Guan,Bin Hu

DOI: https://doi.org/10.1007/s10623-023-01241-5

2023-01-01

Abstract:With the rapid evolvement of cryptanalysis, attacks with multiple distinguishers have emerged gradually. Many new cryptanalytic methods such as multiple differential cryptanalysis, multiple linear cryptanalysis, multiple impossible differential cryptanalysis, multidimensional zero correlation linear cryptanalysis have been proposed, which have greatly enhanced the efficiency of corresponding attacks. During these attacks, discovering more distinguishers has always been a trivial and manual work. Many cryptographers use their expertise and experience to achieve this goal. However, in most cases, either the length of the attack or the number of distinguishers is underestimated. This paper proposes a generic method to discover more different distinguishers based on a new property called “weak rotational property”. Block ciphers with this property can easily discover more distinguishers such as truncated differential distinguishers, impossible differential distinguishers and zero correlation linear distinguishers in a theoretical approach. Then the number of equivalent distinguishers is proved in a mathematical form. As an application, this paper focuses on SIMON family ciphers to illustrate how this property improves cryptanalysis. For the section of application, first of all, SIMON family ciphers are proved to have weak rotational property. Thus the number of corresponding discovered distinguishers can be increased for SIMON. Then, some earlier observations on SIMON are extended accordingly to this new property. Finally, based on the idea of weak rotational property and equivalent-subkey technique, an improved impossible differential cryptanalysis on SIMON is proposed. For SIMON32(64)/SIMON128(128)/SIMON128(192), the rounds attacked are all extended by one round. For other variants of SIMON, current best non full codebook impossible differential attacks are derived. The successful application of weak rotational property indicates its potential in cryptanalysis.

Kai Zhang,Jie Guan,Bin Hu,Dongdai Lin

DOI: https://doi.org/10.1109/icist.2016.7483413

2016-01-01

Abstract:Since proposed by NSA in June, 2013, SIMON and SPECK families have attracted the attention of massive cryptographers. More recently, at CHES 2015, a lightweight block cipher Simeck is proposed, which has adopted the merits from both SIMON and SPECK. However, the security level on Simeck against integral cryptanalysis has never been evaluated. This paper firstly proposes some theoretical and experimental integral distinguishes on Simeck. More specifically, 12/14/16-round theoretical integral distinguishers on Simeck32/48/64 and some 15-round experimental integral distinguishers on Simeck32 are firstly presented. With these integral distinguishers, Simeck32/48/64 reduced to 21/21/24 rounds respectively can be attacked with integral cryptanalysis.

Kai Hu,Qingju Wang,Meiqin Wang

DOI: https://doi.org/10.13154/tosc.v2020.i1.396-424

2020-01-01

Abstract:The bit-based division property (BDP) is the most effective technique for finding integral characteristics of symmetric ciphers. Recently, automatic search tools have become one of the most popular approaches to evaluating the security of designs against many attacks. Constraint-aided automatic tools for the BDP have been applied to many ciphers with simple linear layers like bit-permutation. Constructing models of complex linear layers accurately and efficiently remains hard. A straightforward method proposed by Sun et al. (called the S method), decomposes a complex linear layer into basic operations like COPY and XOR, then models them one by one. However, this method can easily insert invalid division trails into the solution pool, which results in a quicker loss of the balanced property than the cipher itself would. In order to solve this problem, Zhang and Rijmen propose the ZR method to link every valid trail with an invertible sub-matrix of the matrix corresponding to the linear layer, and then generate linear inequalities to represent all the invertible sub-matrices. Unfortunately, the ZR method is only applicable to invertible binary matrices (defined in Definition 3). To avoid generating a huge number of inequalities for all the sub-matrices, we build a new model that only includes that the sub-matrix corresponding to a valid trail should be invertible. The computing scale of our model can be tackled by most of SMT/SAT solvers, which makes our method practical. For applications, we improve the previous BDP for LED and MISTY1. We also give the 7-round BDP results for Camellia with FL/FL−1, which is the longest to date. Furthermore, we remove the restriction of the ZR method that the matrix has to be invertible, which provides more choices for future designs. Thanks to this, we also reproduce 5-round key-dependent integral distinguishers proposed at Crypto 2016 which cannot be obtained by either the S or ZR methods.

Siwei Chen,Zejun Xiang,Xiangyong Zeng,Guangxue Qin

2024-08-02

Abstract:In this paper, we propose an improved method based on Mixed-Integer Linear Programming/Mixed-Integer Quadratic Constraint Programming (MILP/MIQCP) to automatically find better differential-linear (DL) distinguishers for the all members of Simon and Simeck block cipher families. To be specific, we first give the completely precise MILP model to describe the linear part, and explain how to utilize the general expressions of \textsf{Gurobi} solver to model the propagation of continuous difference for the middle part in a quite easy way. Secondly, in order to solve the MILP/MIQCP model in a reasonable time, we propose two heuristic strategies based on the divide-and-conquer idea to speed up the search process. Thirdly, we introduce the transforming technique, which exploits the clustering effect on DL trails, to improve the estimated correlation of the DL approximation. We apply our method to Simon and Simeck block cipher families. Consequently, we find the 14/17/21/26-round theoretical DL distinguishers of Simon32/48/64/96, which extend the previous longest ones of Simon32/48/96 by one round and Simon64 by two rounds, respectively. For Simeck, we do not explore longer distinguishers compared to the currently best results, but refresh all the results of Zhou et al. (the first work to automate finding DL distinguishers for Simon-like ciphers using MILP/MIQCP). Besides, in order to validate the correctness of these distinguishers, the experimental verifications are conducted on Simon32/Simeck32 and Simon48/Simeck48. The results show that our theoretical estimations on correlations are very close to the experimental ones, which can be regarded as a concrete support for the effectiveness of our method.

Cryptography and Security

Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/s00145-021-09383-2

2021-01-01

Journal of Cryptology

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 842-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 842-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to a distinguishing attack. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds. In the application to ACORN, we prove that the 772-round key-recovery attack at ISC2019 is in fact a constant-sum distinguisher. We then give new key-recovery attacks mounting to 773-, 774- and 775-round ACORN. We verify the current best key-recovery attack on 892-round Kreyvium and recover the exact superpoly. We further propose a new attack mounting to 893 rounds.

Yonglin Hao,Gregor Leander,Willi Meier,Yosuke Todo,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-45721-1_17

2020-01-01

Abstract:A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the feature of the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 841-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 841-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to distinguishing attacks. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds.

Zhihui Chu,Huaifeng Chen,Xiaoyun Wang,Xiaoyang Dong,Lu Li

DOI: https://doi.org/10.1155/2018/5160237

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Dynamic key-guessing techniques, which exploit the property of AND operation, could improve the differential and linear cryptanalytic results by reducing the number of guessed subkey bits and lead to good cryptanalytic results for SIMON. They have only been applied in differential and linear attacks as far as we know. In this paper, dynamic key-guessing techniques are first introduced in integral cryptanalysis. According to the features of integral cryptanalysis, we extend dynamic key-guessing techniques and get better integral cryptanalysis results than before. As a result, we present integral attacks on 24-round SIMON32, 24-round SIMON48/72, and 25-round SIMON48/96. In terms of the number of attacked rounds, our attack on SIMON32 is better than any previously known attacks, and our attacks on SIMON48 are the same as the best attacks.

Yiran Xing,Hailun Yan,Xuejia Lai

DOI: https://doi.org/10.1145/3207677.3278003

2018-01-01

Abstract:Division(1) property is a generalized integral property proposed by Todo at Eurocrypt 2015, which has been used in the analysis of various symmetric-key algorithms. At Asiacrypt 2017, Sun et al. proposed automatic tools based on Boolean Satisfiability Problem (SAT) to detect the division property of ARX ciphers. In this paper, we first exploit Karnaugh map to simplify the logical SAT expressions given by Sun et al., thereby reducing the number of variables and expressions used in modeling the division property propagation of Copy, AND and XOR, as well as other complicated operations based on these three basic operations. Then, we show how to model the division property propagation against the modular multiplication operation. Note that the modular multiplication operation has not been handled in previous work but used in some block ciphers like IDEA.

Huaifeng Chen,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-662-52993-5_22

2016-01-01

Abstract:SIMON is a lightweight block cipher family proposed by NSA in 2013. It has drawn many cryptanalysts' attention and varieties of cryptanalysis results have been published, including differential, linear, impossible differential, integral cryptanalysis and so on. In this paper, we give the improved linear attacks on all reduced versions of Simon with dynamic key-guessing technique, which was proposed to improve the differential attack on Simon recently. By establishing the boolean function of parity bit in the linear hull distinguisher and reducing the function according to the property of AND operation, we can guess different sub-keys (or equivalent subkeys) for different situations, which decrease the number of key bits involved in the attack and decrease the time complexity in a further step. As a result, 23-round Simon32/64, 24-round Simon48/72, 25-round Simon48/96, 30-round Simon64/96, 31-round Simon64/128, 37-round Simon96/96, 38-round Simon96/144, 49-round Simon128/128, 51-round Simon128/192 and 53-round Simon128/256 can be attacked. As far as we know, our attacks on most reduced versions of Simon are the best compared with the previous cryptanalysis results. However, this does not shake the security of Simon family with full rounds.

Kai Hu,Siwei Sun,Meiqin Wang,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-64837-4_15

2020-01-01

Abstract:Since it was proposed in 2015 as a generalization of integral properties, the division property has evolved into a powerful tool for probing the structures of Boolean functions whose algebraic normal forms are not available. We capture the most essential elements for the detection of division properties from a pure algebraic perspective, proposing a technique named as monomial prediction , which can be employed to determine the presence or absence of a monomial in any product of the coordinate functions of a vectorial Boolean function f by counting the number of the so-called monomial trails across a sequence of simpler functions whose composition is f . Under the framework of the monomial prediction, we formally prove that most algorithms for detecting division properties in literature raise no false alarms but may miss. We also establish the equivalence between the monomial prediction and the three-subset bit-based division property without unknown subset presented at EUROCRYPT 2020, and show that these two techniques are perfectly accurate. The monomial prediction technique can be regarded as a purification of the definitions of the division properties without resorting to external multisets. This algebraic formulation gives more insights into division properties and inspires new search strategies. With the monomial prediction, we obtain the exact algebraic degrees of Trivium up to 834 rounds for the first time. In the context of cube attacks, we are able to explore a larger search space in limited time and recover the exact algebraic normal forms of complex superpolies with the help of a divide-and-conquer strategy. As a result, we identify more cubes with smaller dimensions, leading to improvements of some near-optimal attacks against 840-, 841- and 842-round Trivium.

Kai Zhang,Senpeng Wang,Xuejia Lai,Lei Wang,Jie Guan,Bin Hu,Tairong Shi

DOI: https://doi.org/10.1109/tit.2023.3292241

IF: 2.5

2023-01-01

IEEE Transactions on Information Theory

Abstract:In this paper, a security evaluation framework for AND-RX ciphers against impossible differential cryptanalysis is proposed. This framework is constructed based on three different methods towards finding the theoretical upper boundary, theoretical lower boundary, and practical boundary of impossible differential distinguishers (short for ID) respectively. The provable security boundary (upper boundary) can be calculated with two round-function-related matrices through a few matrix multiplications, this calculation is beyond actual input and output differences. For searching longer IDs (lower boundary), an automatic method is proposed. With this method, given the input and output difference, all the possible direct and indirect contradictions are detected. For the practical boundary, a method of approximating all the potential longest IDs with concrete differential trails is introduced. The three boundaries validate the correctness from each other. According to our result, on the one hand, the boundaries derived with well-designed ID-construction methods can already reach the practical boundary for some block ciphers and it is unlikely to be improved based on known construction methods or future unknown construction methods. On the other hand, for those ciphers whose current best result does not reach our boundary, longer IDs can be discovered with this framework. The correctness is validated by a series of applications. For the provable security boundary, four family ciphers-SIMON, Simeck, Friet-PC and SAND are investigated. For SIMON and Simeck, the lengths of current longest IDs have reached their provable security boundaries. For Friet-PC and SAND, there is a gap between the provable security boundary and current best results. With the automatic searching method, some longer IDs on Friet-PC and SAND are discovered. For Friet-PC, 128 11-round IDs are discovered, while the previous best differential distinguisher is 9-round. For SAND64, 256 11-round IDs are proposed. For SAND128, 456 14-round IDs are presented. Both results extend previous longest IDs by one round and all these newly proposed distinguishers reached corresponding provable security boundaries. For Simeck, the length of longest IDs has not been improved. However, more distinguishers of the same length are discovered. For Simeck64, the increased ratio for the quantity can reach 300%. Besides, the practical boundary of SIMON is investigated, the results indicate that for SIMON, the practical boundary is identical with the provable security boundary or the boundary derived with the automatic searching method.

Kai Zhang,Xuejia Lai,Jie Guan,Bin Hu

DOI: https://doi.org/10.4018/JDM.318452

IF: 2.656

2023-01-01

Journal of Database Management

Abstract:In 2013, a lightweight block cipher SIMON is proposed by NSA. This paper tries to investigate this design criterion in terms of resisting against impossible differential cryptanalysis. On one hand, starting from all the possible rotation constants, this paper sieves those "bad parameters" step by step, for each step, the regular patterns for those "bad parameters" are deduced. Accordingly, basic rules for selecting rotation constants on SIMON-type ciphers to construct shorter longest impossible differentials are proposed. On the other hand, the authors categorize the optimal parameters proposed in CRYPTO 2015, according to these results, some "good parameters" in terms of differential cryptanalysis may be rather "bad parameters" while considering impossible differential cryptanalysis. Finally, a concrete attack on 26-round SIMON(13,0,10) is proposed, which is a suggested SIMON variant in CRYPTO 2015 against differential cryptanalysis and linear cryptanalysis. The result in this paper indicates that it is very important to choose appropriate rotation constants when designing a new block cipher.

Zehan Wu,Kexin Qiao,Zhaoyang WangÂ,Junjie ChengÂ,Liehuang ZhuÂ

DOI: https://doi.org/10.3390/math12091401

IF: 2.4

2024-05-03

Mathematics

Abstract:With the development of artificial intelligence (AI), deep learning is widely used in various industries. At CRYPTO 2019, researchers used deep learning to analyze the block cipher for the first time and constructed a differential neural network distinguisher to meet a certain accuracy. In this paper, a mixture differential neural network distinguisher using ResNet is proposed to further improve the accuracy by exploring the mixture differential properties. Experiments are conducted on SIMON32/64, and the accuracy of the 8-round mixture differential neural network distinguisher is improved from 74.7% to 92.3%, compared with that of the previous differential neural network distinguisher. The prediction accuracy of the differential neural network distinguisher is susceptible to the choice of the specified input differentials, whereas the mixture differential neural network distinguisher is less affected by the input difference and has greater robustness. Furthermore, by combining the probabilistic expansion of rounds and the neutral bit, the obtained mixture differential neural network distinguisher is extended to 11 rounds, which can realize the 12-round actual key recovery attack on SIMON32/64. With an appropriate increase in the time complexity and data complexity, the key recovery accuracy of the mixture differential neural network distinguisher can be improved to 55% as compared to 52% of the differential neural network distinguisher. The mixture differential neural network distinguisher proposed in this paper can also be applied to other lightweight block ciphers.

mathematics

Hailun Yan,Xuejia Lai,Lei Wang,Yu,Yiran Xing

DOI: https://doi.org/10.1049/iet-ifs.2018.5263

2019-01-01

IET Information Security

Abstract:The authors analyse the security of Keccak (the winner in SHA-3 competition) by focusing on the zero-sum distinguishers of its underlying permutation (named Keccak-f). The authors' analyses are developed by using the division property, a generalised integral property that was initially used in the integral cryptanalysis of symmetric-key algorithms. Following the work pioneered by Todo at CRYPTO 2015, they first formalise and prove a more delicate propagation rule of the division property under the assumption that the S-box's specification is known to attackers. Then, they apply this rule to the inverse S-box in Keccak-f with a further study on properties of its algebraic degree. They find that the rate of decline in the division property is gentler than that of a randomly chosen S-box. Meanwhile, they get the same results for the S-box in Ascon permutation. Thanks to this vulnerable property, they can improve the higher-order differential characteristics against the inverse of Keccak-f in terms of the required number of chosen plaintexts. As an application, they give new zero-sum distinguishers on full 24-round Keccak-f of size 2(1573). To the authors' knowledge, this is currently the best zero-sum distinguishers of full-round Keccak-f permutation. Incidentally, they give the corresponding results for 12-round Ascon permutation.

Siyi Wang,Eugene Lim,Anupam Chattopadhyay

2024-03-02

Abstract:Rapid progress in the design of scalable, robust quantum computing necessitates efficient quantum circuit implementation for algorithms with practical relevance. For several algorithms, arithmetic kernels, in particular, division plays an important role. In this manuscript, we focus on enhancing the performance of quantum slow dividers by exploring the design choices of its sub-blocks, such as, adders. Through comprehensive design space exploration of state-of-the-art quantum addition building blocks, our work have resulted in an impressive achievement: a reduction in Toffoli Depth of up to 94.06%, accompanied by substantial reductions in both Toffoli and Qubit Count of up to 91.98% and 99.37%, respectively. This paper offers crucial perspectives on efficient design of quantum dividers, and emphasizes the importance of adopting a systematic design space exploration approach.

Quantum Physics,Emerging Technologies

W. Yang,L. S. Huang,Y. W. Zhu,Y. Ye,P. Meng,F. Song,Q. Y. Wang

DOI: https://doi.org/10.1140/epjd/e2010-00210-9

2010-01-01

The European Physical Journal D

Abstract:Secure division serves as an important primitive for secure multi-party computation and has wide applications in many fields, such as data mining,statistical analysis, collaborative benchmarking, etc. How to collaboratively compute the correct division result without leaking any participants’sprivate data becomes the primary goal of secure division schemes. In this paper, we present a quantum secure division scheme via quantum discrete Fourier transform and quantum measurement. The scheme is proven to be secure against semi-honest parties and colluding parties. Furthermore,under the rational assumption that the first priority for every party is to learn the correct result, our scheme is shown to be incentive compatible.