Algebraic Attacks on Block Ciphers Using Quantum Annealing

This paper presents the transformation method of the system of algebraic equations describing the symmetric cipher into the QUBO problem. After transformation of given equations f(0), f(1), . . . , f(n-1) to equations over integers f(0)', f(1)', . . . , f(n-1)', one can linearize each, obtaining f(lini)' = lin(f(i)'), for i = 0, n - 1, where lin denotes linearization operation. Finally, one can obtain problem in the QUBO form as (f(lin0)')(2) + . . . + (f(linn-1)')(2) + Pen - C, where Pen denotes penalties obtained during linearization of equations, n is the number of equations and C is constant appearing in the polynomial (f(lin0)')(2) + . . . + (f(linn-1)')(2) + Pen. This paper presents the transformation method of SPN block ciphers to the QUBO problem. What is more, we present the results of the transformation of the complete AES-128 cipher to the QUBO problem, where the number of variables of the equivalent QUBO problem equals approximately 30,026. It is worth noting that AES-128 is much easier to solve using quantum annealing than the factorization problem and the discrete logarithm problem of a similar level of security. For example, factorizing a 3072 bit long RSA integer using quantum annealing requires a QUBO problem of about 2,360,000 variables.