I'm working on some papers (here and here) that use the Grover algorithm to crack cryptosystems like AES and SHA.

I had already asked a first question here. Now, however, a new question has arisen for me.

So, to my knowledge, AES takes a key and a plaintext and generates a ciphertext from them. If AES is implemented reversibly in the paper, then one could read the plaintext and the key, because the circuit is reversible. Does that make sense? How do you prevent that? Reversible means that I can reconstruct the input from an output. In this context, that means that I could read the key directly. Why then use the Grover algorithm at all?

For example in the paper here pages 3-4 it is said:

Let $f : \{0, 1\}^k \rightarrow \{0, 1\}^k$ be an efficiently computable function. For a fixed $y \in \{0, 1\}^k$, the value $x$ such that $f(x) = y$ is called a pre-image of $y$. In the worst case, the only way to compute a pre-image of $y$ is to systematically search the space of all inputs to $f$. A function that must be searched in this way is known as a one-way function. The Grover iteration has two subroutines. The first, $U_g$, implements the predicate $g : \{0, 1\}^k \rightarrow \{0, 1\}$ that maps $x$ to $1$ if and only if $f(x) = y$. Each call to $U_g$ involves two calls to a reversible implementation of $f$ and one call to a comparison circuit that checks whether $f(x) = y$.

So the hash function is a sub-call of the oracle, which means that the hash function must be reversible. But if the hash function is reversible, I can directly read the plaintext, because I have the ciphertext (the hash). Am I misunderstanding something here? Why do you need the Grover algorithm at all?

I also have to ask why, in the first paper, $AES$ and $AES^{-1}$ are each executed once, and, in the second paper, $f$ and $f^{-1}$ in the oracle part? Why isn't just $AES$, or just $f$, executed as a single call?

Thank you for your explanation. Can you perhaps explain to me why the authors in the article, for example, call the function AES twice (i.e. $AES$ and $AES^{-1}$), or in the other article $f$ (i.e. $f$ and $f^{-1}$)? At least, that is not apparent to me from the articles. – None – 2019-04-17T15:43:24.897

Referring to FIG. 1 of Amy, Di Matteo, Gheorghiu, Mosca, Parent, and Schanck's paper on SHA, the circuit for $U_g$ includes a first $f$, a call to a comparison circuit that checks whether $f(x)=y$, and a second $f^{-1}$ to uncompute $f$. After getting out of $U_g$, they apply the diffusion operator. They need to uncompute ($f^{-1}$) to be able to rinse and repeat. – Mark S – 2019-04-17T18:53:28.353
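The compute / compare / uncompute structure of $U_g$ described in the comment above, as an added example that is not part of the question, the comments, or either paper. It is a plain-Python state-vector simulation over two 4-bit registers. The function $f$ is a constructed lookup-table permutation standing in for SHA or AES-with-fixed-plaintext (it is not one-way and not from the papers); the reversible circuit is $|x, a\rangle \mapsto |x, a \oplus f(x)\rangle$, whose inverse (the "$f^{-1}$" step) is the same map applied again. The example shows two things: the output register really is back in $|0\rangle$ after $U_g$, which is what makes the next Grover iteration possible, and "running the reversible circuit backwards from $y$" does not produce a pre-image because the inverse needs $x$ already present in the first register.

```python
import math

K = 4             # bits in the x register: the search space has 2^K candidates
N = 1 << K        # 16

# Constructed toy function standing in for f (SHA) or AES with a fixed plaintext.
# A permutation of 0..15 given as a table; it is NOT one-way and NOT from either paper.
# The simulation only ever uses it as a black-box reversible circuit, which is the point.
F_TABLE = [6, 11, 0, 13, 3, 8, 14, 1, 10, 5, 15, 2, 12, 7, 4, 9]

def f(x):
    return F_TABLE[x]

# State vector over two K-bit registers: index = x * N + a, with a the output register.
def basis_state(x, a):
    state = [0j] * (N * N)
    state[x * N + a] = 1 + 0j
    return state

def apply_Uf(state):
    """Reversible f: |x, a> -> |x, a XOR f(x)>. A permutation of basis states (so unitary)
    and its own inverse: applying it a second time is the f^{-1} / uncompute step."""
    out = [0j] * len(state)
    for idx, amp in enumerate(state):
        if amp:
            x, a = divmod(idx, N)
            out[x * N + (a ^ f(x))] = amp
    return out

def apply_compare(state, y):
    """Comparison circuit as a phase oracle: negate every basis state whose output
    register equals y (a multi-controlled Z in a real circuit)."""
    return [-amp if idx % N == y else amp for idx, amp in enumerate(state)]

def apply_Ug(state, y):
    """U_g = f, then compare, then f^{-1}. Net effect: a phase flip on |x, 0> exactly
    when f(x) == y, with the output register returned to |0>."""
    return apply_Uf(apply_compare(apply_Uf(state), y))

def apply_diffusion(state):
    """Grover diffusion 2|s><s| - I on the x register, identity on the output register."""
    out = list(state)
    for a in range(N):
        col = [state[x * N + a] for x in range(N)]
        mean = sum(col) / N
        for x in range(N):
            out[x * N + a] = 2 * mean - col[x]
    return out

def output_register_is_clean(state):
    """True when no amplitude sits on a basis state with a != 0: this is why f^{-1} is needed,
    otherwise the x register stays entangled with the output and diffusion does not work."""
    return all(abs(amp) < 1e-9 for idx, amp in enumerate(state) if idx % N != 0)

def grover_iterations(num_solutions=1):
    return int(math.floor(math.pi / 4 * math.sqrt(N / num_solutions)))

def grover_preimage(y, iterations=None):
    """Search for x with f(x) == y. Returns (most likely x, its measurement probability)."""
    if iterations is None:
        iterations = grover_iterations()
    state = [0j] * (N * N)
    for x in range(N):                       # uniform superposition over x, output |0>
        state[x * N] = 1 / math.sqrt(N)
    for _ in range(iterations):
        state = apply_Ug(state, y)
        if not output_register_is_clean(state):
            raise RuntimeError("uncompute failed: output register entangled with x")
        state = apply_diffusion(state)
    probs = {x: abs(state[x * N]) ** 2 for x in range(N)}
    best = max(probs, key=probs.get)
    return best, probs[best]

def reverse_from_output_only(y):
    """What the question proposes: load the known output y and run the circuit 'backwards'.
    The inverse of U_f is U_f itself, but it acts on the x register that is already there;
    with x unknown (set to 0 here) it yields |0, y XOR f(0)>, which says nothing about x."""
    state = apply_Uf(basis_state(0, y))
    idx = next(i for i, amp in enumerate(state) if amp)
    return divmod(idx, N)

if __name__ == "__main__":
    y = f(3)
    print("pre-image of", y, "via Grover:", grover_preimage(y))
    print("'reversing' the circuit from y alone:", reverse_from_output_only(y))
```

With $N = 16$ and a single pre-image the optimal count is $\lfloor \frac{\pi}{4}\sqrt{16} \rfloor = 3$ iterations, after which the pre-image is measured with probability $\sin^2(7\theta)$ for $\sin\theta = 1/4$, about 0.96. Setting `iterations` higher overshoots, as Grover's algorithm does. The same structure applies to the AES papers with AES in place of `F_TABLE` and the key as the searched register; the second AES call there is likewise the uncompute step, not an attempt to invert the cipher.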