Quantum Cryptanalysis of Affine Cipher

Quantum Algorithms reduce the computational complexity of, or solve, certain difficult problems that were originally impossible to solve with classical computers. Grover's search algorithm is a Quantum computation algorithm that can find target elements in a set of unstructured data with the best possible number of queries, $O(\sqrt{N})$. Grover's search Quantum circuits, implemented accurately, can be used to successfully search for and find the keys of Symmetric ciphers. However, very few demonstrations of such practical cryptanalysis are available. In this paper, practical Quantum cryptanalysis circuits for the Affine Cipher are proposed and demonstrated that successfully break the cipher by finding the keys.


I. INTRODUCTION
Quantum Computational Algorithms can solve certain classes of difficult problems that were originally impossible to solve with classical computers. This adds promising computational advantages in many fields. However, this advantage does have a destructive impact on the strength of existing classical cryptography. The security-hardness of the existing classical cryptography systems relies on problems like Factorisation, Discrete Logarithm, Exhaustive Key Search etc. that were difficult for classical computers to solve. Quantum computational algorithms can solve these otherwise difficult problems [1], [2], [5], [6], [7], [8] and can break Asymmetric cryptosystems or reduce the complexity of Symmetric cryptosystems with efficient implementations.
Large-scale Quantum computers are definitely required for executing these attacks on cryptosystems in use today, but the resource estimation of breaking the classical cryptography systems using Quantum Computational Algorithms is very active. This is because it is very important to understand the different possibilities of Quantum based Cryptanalytic attacks and their resource requirements. Many algorithms are proposed, and estimates for breaking both Asymmetric and Symmetric ciphers are being made in terms of qubit count, gate counts etc. The computational complexity of breaking symmetric ciphers is shown to reduce to $O(\sqrt{N})$ from $O(N)$ using Quantum Computational Algorithms [3], [4], [9], [10], [11]. The predictions of Quantum Algorithms reducing the security strength of Symmetric Ciphers generate interest in understanding and building circuits that actually break these existing classical ciphers. However, the practical demonstrations of such cryptanalysis are very limited, especially because of the restrictions coming from the qubit counts available.
This work aims to develop and practically demonstrate Quantum Cryptanalysis on a simple symmetric encryption scheme, the Affine cipher. To the best of our knowledge, this is the first attempt at Quantum Cryptanalysis of the Affine Cipher. This paper proposes a set of four practical Affine Quantum Cryptanalysis circuits, Type I, Type II, Type III and Type IV, using Grover's search. The major contributions are:
• Quantum cryptanalysis demonstration by successful retrieval of symmetric keys using chosen-ciphertext attack.
• Implementation and analysis of Quantum Cryptanalysis circuits constructed using 4 different approaches in simulators and real hardware.
• The first three implementations demonstrate the difference in resource requirements based on the component circuits in the oracle.
• The fourth implementation demonstrates the possibilities of improved Grover implementations by reusing the qubits.
• We also demonstrate the use of parallel execution in Grover based cryptanalysis, reducing the number of qubits required.
The proposed circuits successfully retrieve the Affine keys in case of single solutions and all the possible candidates for being the keys in case of multiple solutions. The following sections explain the basic building blocks used in designing the circuit, followed by the proposed Cryptanalysis circuits and the execution results.

II. LITERATURE REVIEW
Symmetric Ciphers are algorithms that use the same key, K, for Encryption and Decryption. They are also called single key or secret key encryption schemes. These algorithms rely on the unpredictability of the key K for ensuring security and help in ensuring the confidentiality of the encrypted data. There are multiple attack models for Symmetric ciphers; the specific attack types on Symmetric Ciphers that are of interest in the scope of this paper are the Known-plaintext and Chosen-plaintext attacks.
The chosen-plaintext attack is an attack where the attacker has access to view the encryption results, i.e. the cipher text $c_i$ of any chosen plaintext $P_i$, without any knowledge of the key K. This knowledge is used to retrieve the key K. The Adaptive chosen-plaintext attack is a related technique where the attacker makes the selection of the next plaintext $P_{i+1}$ inputs based on previous encryption responses, i.e. previous $P_i - c_i$ pairs. The Batch chosen-plaintext attack is a technique where the attacker chooses a set of plaintexts even before any encryption is done. The known-plaintext attack is an attack where the attacker has access to the previously encrypted results, i.e. plaintext $P_i$ with the corresponding cipher text $c_i$ pair. Having access to pairs of the previously encrypted set of plaintext-ciphertext, as in the known-plaintext attack, is considered more practical compared to the chosen-plaintext attack even if the number of $P_i - c_i$ pairs available is small.

2156-3357 © 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

A. Affine Cipher
Affine Cipher is a classical mono-alphabetic substitution cipher. Each of the elements in the set of alphabets or symbols is mapped to a numeric equivalent, which results in a 1-1 mapping to itself. The Symmetric Affine cipher is chosen for the cryptanalysis demonstration mainly because of its structure containing multiplication and addition components.
where, $m = 2^n$ for Affine Cipher over $GF(2^n)$ or m = 26 for classical Affine Cipher. To ensure a modular multiplicative inverse, the encryption function $E_{a,b}(P)$ also comes with a restriction gcd(a, m) = 1. Affine Cipher, being a member of the family of mono-alphabetic substitution ciphers, inherits all the weaknesses of this family. We use a plaintext-ciphertext attack to demonstrate the Cryptanalysis. The plaintext-ciphertext pair attack was chosen because this attack can be easily extended to frequency analysis based attacks also. The knowledge gcd(a, m) = 1 also helps in elimination. Tables I, II and III show the Affine substitutions for different m values. The case m = 26 shows the traditional affine cipher. However, we will be using $m = 2^2$ and $m = 2^4$ for demonstration purposes, to generate all possible key cases in the $2^n$ Grover search.

B. Grover's Search Algorithm
Grover's search algorithm [14] is a Quantum Search Algorithm that solves the problem of searching unstructured data.
Definition 2: Grover's unstructured search algorithm: Given a set of unstructured N elements, } and given an oracle $U_f(w) : X \to \{0, 1\}$ such that: the Grover's algorithm finds $w \in X$, in a minimal number of steps. w can be a single element or multiple elements depending on the search scenario. The search data is called 'Unstructured' when there is no information on how the data is arranged. If the data is sorted, Binary search can be performed efficiently in logarithmic time, with a complexity of $O(\log N)$. However, when the data is unstructured, the best known method for finding the target element is linear search, with a complexity of $O(N)$ [14].
Definition 3: Grover's unstructured search complexity: The unstructured search on N elements can be solved in $O(\sqrt{N})$ queries using quantum computation.
The bounds, or the best that can be done under the quantum computation model for finding the target element, are shown in [13] and [15]. The results show that any quantum algorithm running for N steps is sensitive only to $O(N^2)$ queries. If more queries are done, then the solution to at least one can be flipped without affecting the overall behaviour of the algorithm, i.e. the correct decision of an answer sensitive to N queries will take a running time of $(\sqrt{N})$. Furthermore, the results in [15] show that it [14] is actually the fastest possible Quantum unstructured search solution.
Grover's algorithm consists of two unitary operators which when applied successively to a uniform superposition state in a repeated fashion, facilitate the unstructured search utilizing amplitude amplification of the required states.
1) Grover Oracle: The first of the two operators and the most problem-specific one, the Grover oracle is a phase oracle and does the simple task of applying a negative phase to the search target states and maintaining any other state as it is, as shown in equation 4.
where T is the set of target elements.
2) Grover Diffuser: The diffuser operator is a unitary operator that flips the amplitudes of the states around their average, shown in equation 5. This has the effect of increasing the amplitudes which have their sign reversed by the oracle, and thus are the farthest from the average, and decreasing the amplitudes of non-target states which have no sign reversal, thus achieving the desirable amplitude amplification.
where,
When applied in tandem, the two operators stretch the amplitude of the target states while diminishing those of the other elements, and thus their probabilities of being measured finally. Grover's algorithm, with a run-time complexity of $O(\sqrt{n})$ queries of the oracle, is optimal over any best known classical unstructured search algorithm.

C. Quantum Modular Addition
The proposed circuits make use of two in-place Quantum Modular Adders. The first one discussed uses Binary Modular addition and the second one is a QFT based Modular Adder. A generic expression of the adders is given in equation 6.
1) Quantum Modular Binary Adder: The quantum modular binary adder used in the proposed circuits Type I and Type II is shown in figure 1. This is an improved ripple carry adder [17] that performs in-place binary modular addition on registers. Since the proposed system focuses on modular addition over $GF(2^n)$ the carry bits can be neglected, but it requires ancillary qubits, also called helper qubits, to perform the modular addition. This adder requires 2n + 1 qubits to perform n-bit modular addition.
2) Quantum Modular Adder Using QFT: The QFT based quantum modular adder used in the proposed circuits Type III and Type IV is shown in figure 2. The circuit performs in-place addition on registers [18]. Since the proposed system focuses on modular addition over $GF(2^n)$ the carry bits can be neglected, and the adder does not require any ancillary qubits to perform the modular addition. This adder requires 2n qubits to perform n-bit modular addition.

D. Quantum Modular Multiplication
The proposed circuits make use of three out-of-place Quantum Modular Multipliers. The first one discussed makes use of Quantum-Quantum Binary Modular Multiplication, the second one makes use of Quantum-Classical Binary Modular Multiplication and the final one is a QFT Modular Multiplier. The generic expression of a multiplier is given in equation 7.
1) Quantum-Quantum Modular Binary Multiplier: The Quantum-Quantum (Q-Q) modular binary multiplier used in the proposed circuit Type I is shown in figure 3. The circuit works in three stages: the qubit setting stage, the modular addition stage and finally an inverse setting stage [16]. This multiplier requires 4n + 1 qubits to perform n-bit modular multiplication.
2) Quantum-Classical Modular Binary Multiplier: The Quantum-Classical (Q-C) modular binary multiplier used in the proposed circuit Type II is shown in figure 4. Figure 4 is for
The first stage is the partial product setting stage, followed by the modular addition stage [16]. A bit shift operation on the classical value is done to compute the reduced partial product in the first step. This multiplier requires 3n + 1 qubits to perform n-bit modular multiplication.
3) Quantum Modular Multiplier Using QFT: The QFT based Quantum Modular Multiplier used in the proposed circuits Type III and Type IV is shown in figure 5. The circuit performs out-of-place QFT based multiplication on registers [12]. The circuit performs weighted sum rotations: QFT is applied on the target register, followed by input controlled rotations. The rotations transform the target state into the product of the input registers in the QFT basis. Then, inverse QFT is used to revert from the QFT basis. This is the most optimal Quantum Modular Multiplier out of the three multipliers used. This multiplier requires 3n qubits to perform n-bit modular multiplication.

III. PROPOSED QUANTUM CRYPTANALYSIS METHOD
The proposed Quantum cryptanalysis algorithms are based on the chosen k + 1 plaintext-ciphertext pair attack and break Affine Cipher of the form:
The proposed Affine Cryptanalysis is practical and can be used to successfully recover the keys. The demonstration is done by the execution of circuits on both real IonQ hardware and simulators, provided by IonQ and Qiskit. The quantum cryptanalysis attack is demonstrated for Affine over $GF(2^n)$ with n = 2 on IonQ hardware and for Affine over $GF(2^n)$ with n = 4 on simulators. The choices of n = 2 and 4 are made to align with the access limited to 11 qubits on IonQ hardware and the resource limitations for simulators. Even though the analysis is performed on $GF(2^n)$ where n ≥ 1, it can be extended to the classical Affine Cipher over mod 26 also. The proposed Affine Cryptanalysis circuits in this paper are as shown in table IV.
While designing the Grover oracle, multiple circuits were considered to perform modular multiplication and modular addition.Table IV gives the Resource comparison of the 4 different Affine Cryptanalysis Circuits that are discussed, along with the type of Modular Multiplier and Adders they use.This approach was used to finally propose an optimal circuit with primary focus on the minimal number of qubits.
Furthermore, it is very important to note that with parallel execution of one pair or using the concept of quantum multi-programming we can solve Affine ciphers by taking the join of individual result set, as described in section IV-A, which further reduces the number of qubits required.A generic view of the Cryptanalysis approach used

A. Grover's Search for Affine Cryptanalysis
The Grover oracle and Grover diffuser are the major components in designing Grover's search circuits. The Grover oracle and Grover diffuser used in the proposed Grover's search based affine quantum cryptanalysis are discussed here.
1) Grover Oracle: The proposed oracle follows the general layout of [19] where additional qubits are used to compute the ciphertext from the plaintext using the values in the |a⟩ and |b⟩ registers, initially in superposition.The result is then uncomputed after a set of multi-controlled gates are used to induce a phase kickback that flips the sign in the amplitude of only the states containing the values of a and b that match our plaintext ciphertext pair.
The entire sequence of operations leaves all the auxiliary qubits as they were before the oracle is applied while inducing the necessary phase changes in the a and b qubits that store the results that we require.
The overall procedure can be summarised as:
• Initialisation of qubits: The registers |a⟩ and |b⟩ are initialized to a uniform superposition. The method makes use of at least one plaintext ciphertext pair and can use more pairs to augment in
The qubit registers |a⟩ and |b⟩ are initialised to a uniform superposition by applying Hadamard gates to all a and b registers. Ancillary qubits P are set to the known plaintext value and any additional pairs, denoted $P_k$, are also initialized.
• Grover Oracle: Out of place modular multiplication between the registers and the plaintext registers P and $P_k$ is performed and the result is stored in registers |c⟩ and |c⟩_k. This is followed by applying in place modular addition between the c and the b registers, storing the result in c again. Now, the c register contains a superposition of all possible affine values for the ciphertext
2) Grover Diffuser: This paper follows the traditional design for diffusers that uses an array of Hadamard (H) gates and X gates on all key registers, a and b in our case, followed by a multi-qubit controlled-Z gate to apply the required phase inversion as shown in figure 6. However, we have used a constant X gate optimisation as utilised in [19], by applying an initial set of X gates in the initialisation state and only applying H gates in the diffuser to achieve the same effect. Algorithm 1 gives the detailed steps used in creating the diffuser.
3) Grover Search Iterations: The number of iterations of the Grover Operator is an important factor while implementing Grover's search. If the number of Affine Solutions is not known, the algorithm can try different iterations until the amplitude of the solution(s) is amplified enough. If the number of Affine solutions is known, equation 10 below can be used [14].

Number of Grover Iterations, $r = \frac{\cos(z)}{2 \sin(z)}$ (10)

where $z = \frac{S}{2^n}$, S = Number of solutions, n = Number of Qubits. For demonstration of results, cases with S = 1, 2, 4 etc. are chosen.

Algorithm 3 Type I Affine Cryptanalysis
end if
26: if c^k_i val = 0 then
28: end if
30: end if
GroverDiffuser(a_n, b_n)
38: end for
39: Perform measurement on |ab⟩_{2n}

B. Affine Quantum Cryptanalysis Circuits
This paper proposes a set of four Affine Quantum Cryptanalysis Circuits, Type I, Type II, Type III and Type IV, that use different types of Quantum Adders, Multipliers and algorithmic approaches as described in Table IV. This approach helped in studying the resource requirement and behaviour of the four types of circuits, which use various combinations of adders and multipliers.

QC-BinaryModularMultiplier(a_n, h^k_n, c^k_n, anc)
11: QQ-BinaryModularAdder(b_n, c^k_n, anc)
13: if c_i val = 0 then
15: if c^k_i val = 0 then
18: end if
20: end if
GroverDiffuser(a_n, b_n)
32: end for
33: Perform measurement on |ab⟩_{2n}

1) Affine Cryptanalysis - Type I: Affine Quantum Cryptanalysis Circuit - Type I makes use of the Quantum-Quantum (Q-Q) modular multiplier and the Quantum-Quantum (Q-Q) modular adder. Figure 7 shows the Type I circuit for n = 2 with k = 0 and figure 8 shows the Type I circuit for n = 4 with k = 1. The figure 7 circuit is executed on actual Quantum hardware. Type I is a very simple and direct circuit that uses a binary operation based adder and multiplier. Algorithm 3 explains the working of the Type I circuit in detail.
2) Affine Cryptanalysis - Type II: Affine Quantum Cryptanalysis Circuit - Type II makes use of the Quantum-Classical (Q-C) modular multiplier and the Quantum-Quantum (Q-Q) modular adder. Figure 9 shows the Type II circuit for n = 2 with k = 0 and figure 10 shows the Type II circuit for n = 4 with k = 1. Figure 9 circuit is executed in actual
3) Affine Cryptanalysis - Type III: Affine Quantum Cryptanalysis Circuit - Type III makes use of the QFT based modular multiplier and the QFT based modular adder. Figure 11 shows the Type III circuit for n = 2 with k = 0 and figure 12 shows the Type III circuit for n = 4 with k = 1. The figure 11 circuit is executed on actual Quantum hardware. Algorithm 5 explains the working of the Type III circuit in detail. This is the most efficient circuit model without any qubit reuse.
4) Affine Cryptanalysis - Type IV: Affine Quantum Cryptanalysis Circuit - Type IV makes use of the QFT based modular multiplier and the QFT based modular adder. Figure 13 shows the Type IV circuit for n = 2 with k = 1 and figure 14 shows

This approach can be utilised to solve the Affine cipher with a reduced number of qubits. Furthermore, with the multi-programming approach, the search can be done on each individual execution output and the result counts fine-tuned to be the intersection of both. It is important to note that the results are obtained correctly in both simulators and actual hardware.

B. k + 1-Pair Affine Cryptanalysis
Algorithm 5 Type III Affine Cryptanalysis
if c^k_i val = 0 then
28: QFTModularMultiplier†(a_n, p_n, c_n)
37: GroverDiffuser(a_n, b_n)
38: end for
39: Perform measurement on |ab⟩_{2n}

The k + 1 pair Affine Cryptanalysis is executed using Type I, Type II, Type III and Type IV circuits with n = 4, m = 16 and k = 1. The selection of the two P − c pairs used should be done carefully to ensure that the execution results in a single a, b prediction. If the selection goes wrong, a few sets of intersections using the brute-force or parallel execution methods as described in section IV-A can be used to get pairs with exactly one solution. This proves the importance of the selection of P − c pairs for cryptanalysis. Figures 17 and 18 show the execution result of the P − c pair circuit with S = 1. Figure 19 shows the execution result of the P − c pair circuit with S = 2. Figure 20 shows the execution result of the P − c pair circuit with S = 4. Equation 10 can be used to find the required r for each value of S.
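Added example, not code from the paper: an ideal (noise-free) state-vector simulation in plain Python of the Grover search over the (a, b) key space, showing how the choice of P − c pairs sets the number of marked keys S and how the oracle's X-gate and multi-controlled-Z marking selects them. The function names, the n = 4 sample pairs (constructed for key a = 3, b = 2) and the standard textbook iteration count are assumptions; only the n = 2, p = 1, c = 1 case comes from the page.

```python
import math

def oracle_marks(a, b, pairs, n):
    """True if the oracle phase-flips |ab>: every computed ciphertext register,
    after X gates on the bits where the known ciphertext is 0, is all ones."""
    m = 1 << n
    for p, c in pairs:
        computed = (a * p + b) % m        # modular multiply, then modular add
        x_mask = ~c & (m - 1)             # X gates where the ciphertext bit is 0
        if (computed ^ x_mask) != m - 1:  # multi-controlled Z fires on all ones only
            return False
    return True

def marked_keys(pairs, n):
    """All (a, b) the oracle marks, i.e. every key consistent with all pairs."""
    m = 1 << n
    return [(a, b) for a in range(m) for b in range(m)
            if oracle_marks(a, b, pairs, n)]

def invertible_keys(keys, n):
    """Classical elimination step: discard candidates violating gcd(a, m) = 1."""
    return [(a, b) for a, b in keys if math.gcd(a, 1 << n) == 1]

def grover_iterations(num_solutions, num_states):
    """Textbook count floor(pi / (4 * asin(sqrt(S / N)))).
    Assumption of this example; it is not the paper's Equation 10."""
    if num_solutions == 0:
        raise ValueError("no key is consistent with the given pairs")
    theta = math.asin(math.sqrt(num_solutions / num_states))
    return math.floor(math.pi / (4 * theta))

def grover_search(pairs, n):
    """Return (iterations, {key: probability}) after an ideal Grover search."""
    m = 1 << n
    keys = [(a, b) for a in range(m) for b in range(m)]
    amp = {k: 1 / math.sqrt(len(keys)) for k in keys}  # Hadamards on |a>, |b>
    marked = set(marked_keys(pairs, n))
    rounds = grover_iterations(len(marked), len(keys))
    for _ in range(rounds):
        for k in marked:                               # oracle: phase flip
            amp[k] = -amp[k]
        mean = sum(amp.values()) / len(keys)           # diffuser: inversion
        for k in keys:                                 # about the mean
            amp[k] = 2 * mean - amp[k]
    return rounds, {k: v * v for k, v in amp.items()}

def success_probability(pairs, n):
    """Return (iterations, total probability of measuring a marked key)."""
    rounds, probs = grover_search(pairs, n)
    return rounds, sum(probs[k] for k in marked_keys(pairs, n))

if __name__ == "__main__":
    # Page's single-pair case: n = 2, p = 1, c = 1 (S = 4, r = 1, key a = 3, b = 2).
    single = [(1, 1)]
    print(marked_keys(single, 2), success_probability(single, 2))
    print("after gcd filter:", invertible_keys(marked_keys(single, 2), 2))
    # Constructed n = 4 pairs for key a = 3, b = 2; plaintexts differ by 1, 2, 4.
    for pairs in ([(1, 5), (2, 8)], [(1, 5), (3, 11)], [(1, 5), (5, 1)]):
        print(pairs, marked_keys(pairs, 4), success_probability(pairs, 4))
```

With plaintexts differing by 1 the two-pair search has a single marked key, while differences of 2 and 4 leave 2 and 4 candidates. The gcd(a, m) = 1 filter cannot separate those, because every remaining candidate a is odd.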
Figure 21 shows the execution result of the same P − c pair Type IV circuit with S = 1, k = 1 in three environments. Figure 21a, simulator I, refers to Qiskit simulator results, Figure 21b, simulator II, refers to IonQ simulator results and Figure 21c shows results from IonQ hardware.
Affine keys. Important inferences from the results of this work are:

Algorithm 6 Type IV Affine Cryptanalysis
• Single-Pair Affine Cryptanalysis can effectively break n-bit Affine Cipher using a Quantum-Classical computational approach.The minimum number of qubits required for the Single-Pair n-bit Affine Cryptanalysis approach is 4n using actual Quantum hardware.
• Carefully chosen k + 1 pairs can effectively break n-bit Affine Cipher with only k = 1. Thus, the minimum number of qubits required for the n-bit Affine Cryptanalysis approach is 5n.
• The execution time of the Type II circuit is higher compared to the others on simulators. The Type II circuit uses the Quantum-Classical Binary Modular Multiplier.
• Affine Cryptanalysis - Type IV, which reuses input qubits and has the optimum number of qubits, tends to have great execution speed and gives correct results on simulators.
• Affine Cryptanalysis - Type III is seen to have the best execution speed along with accuracy and optimal resource requirements, making it the best approach until we have noise-free qubits that can be reused.
In this work, we implemented only one variant of the algorithms on physical hardware, constrained by the current qubit limitations. Additionally, the performance of circuits with noise models was not included in this study. In future work, we are eager to further explore this area by incorporating noise models and using quantum hardware with higher qubit capacities.

Algorithm 2 Affine Cipher Quantum Cryptanalysis - Generic Algorithm
Require: k + 1 P − c pair(s), n ≥ 1, $m = 2^n$
1: Build superposition of states, |s⟩ = 1
2: Perform Grover operator r times; r as obtained using Equation 10
3: Apply Grover Oracle, $U_c$
4: Phase inversion on the target state, |ab⟩
5: $U_c|s\rangle = \begin{cases} -|ab\rangle & c = ((a * P) + b) \bmod m \\ |ab\rangle & c \neq ((a * P) + b) \bmod m \end{cases}$
9: Perform measurement on states

and the superposition of a and b. Apply a series of X gates to the |c⟩ registers where the actual cipher text is 0. This forces the states within the superposition that have the accurate c value, that is the result of the a and b values, to flip to all ones while all other values in the superposition maintain other values. A multi-control Z gate flips the phase only for the states which are all 1 and thus only for the correct values of a and b. The addition and multiplication operations are uncomputed by using the inverse multiplication and addition operators. The result of this sequence of gates is a superposition of a and b with the sign flipped for the states with the target values of a and b.

Figure 15. Affine Cryptanalysis Execution - Single Pair n = 2, m = 4, p = 1, c = 1, k = 0, S = 4, r = 1, Actual_Solution: {a = 3, b = 2}.

the Type IV circuit for n = 4 with k = 1. It is the same as Type III, but with input qubit re-use. Figure 13 circuit is executed on actual Quantum hardware. Algorithm 6 explains the working of the Type IV circuit in detail.

a_n, p_n, c_n)
39: GroverDiffuser(a_n, b_n)
40: end for
41: Perform measurement on |ab⟩_{2n}

V. CONCLUSION
The paper aimed at proposing a practical implementation of Quantum Cryptanalysis for Affine Ciphers. The circuits and execution results were presented that successfully retrieved the

Setting known plaintext states on |p⟩
3: end if
4: if P^k_i val = 1 then ▷ Repeating the steps for each k
|a⟩_n → X|a⟩_n
8: |a⟩_n → H|a⟩_n
9: |b⟩_n → X|b⟩_n
10: |b⟩_n → H|b⟩_n
11: for rounds ← 0 to r do
12: QQ-BinaryModularMultiplier(a_n, p_n, h_n, c_n, anc)
BinaryModularMultiplier(a_n, p^k_n, h^k_n, c^k_n, anc)

TABLE V BREAKUP OF NUMBER OF QUBITS

TABLE VI QUANTUM RESOURCE ESTIMATION FOR TYPE I CIRCUIT

Quantum hardware. Algorithm 4 explains the working of the Type II circuit in detail.

TABLE VII QUANTUM RESOURCE ESTIMATION FOR TYPE II CIRCUIT

TABLE VIII QUANTUM RESOURCE ESTIMATION FOR TYPE III CIRCUIT

TABLE IX QUANTUM RESOURCE ESTIMATION FOR TYPE IV CIRCUIT

Setting known plaintext states on |p⟩
3: end if
4: if P^k_i val = 1 then ▷ Repeating the steps for each k
|a⟩_n → X|a⟩_n
8: |a⟩_n → H|a⟩_n
9: |b⟩_n → X|b⟩_n
10: |b⟩_n → H|b⟩_n
11: for rounds ← 0 to r do
Setting plaintext states on |p⟩
|p_i⟩ → X|p_i⟩ ▷ Clearing plaintext states on |p⟩
if P^k_i val = 1 then ▷ Setting plaintext states on |p^k⟩
12: |p^k_i⟩ → X|p^k_i⟩
13: end if ▷ Clearing-Setting repeated until the last |p^k⟩
14: QFTModularMultiplier(a_n, p^k_n, c^k_n), |c^k⟩_n → |a * p^k mod m⟩_n
15: QFTModularAdder(b_n, c^k_n), |c^k⟩_n → |(a * p^k) + b mod m⟩_n
17: |c_i⟩ → X|c_i⟩ ▷ Setting ciphertext states on |c⟩ for phase inversion
18: end if
19: if c^k_i val = 0 then
20: |c^k_i⟩ → X|c^k_i⟩
†(a_n, p^k_n, c^k_n)
31: if P^k_i val = 1 then ▷ Clearing plaintext states on |p^k⟩