Quantum Resource Analysis of Low-Round Keccak/SHA-3 Preimage Attack: From Classical 2^57.8 to Quantum 2^28.9 using Qiskit Modeling
This paper presents a hardware-conscious analysis of the quantum acceleration of the classical 3-round Keccak-256 preimage attack using Grover’s Algorithm. While the theoretical quantum speed-up from T_cl = 2^{57.8} (classical) to T_qu = 2^{28.9} (quantum) is mathematically sound, the practical implementation overhead is so extreme that attacks remain wholly infeasible in both resource and runtime dimensions. Using Qiskit-based circuit synthesis, we derive that a 3-round Keccak quantum oracle requires: 9,600 Toffoli gates (with uncomputation for reversibility); 3,200 logical qubits (1,600 state + 1,600 auxiliary); 7.47 * 10^{13} total 2-qubit gates (full Grover search); 3.2 million physical qubits (with quantum error correction), which is prohibitive; 0.12 years (43 days) to 2,365+ years execution time, depending on machine assumptions. These barriers – particularly the physical qubit requirements, circuit depth, and error accumulation – render the quantum attack infeasible for any foreseeable quantum computer. Consequently, SHA-3 security is not threatened by quantum computers for preimage attacks. We emphasize the critical importance of hardware-aware complexity analysis in quantum cryptanalysis: the elegant asymptotic theory of Grover’s Algorithm hides an engineering overhead so prohibitive that the quantum approach becomes infeasible from both resource and implementation perspectives.
💡 Research Summary
The paper conducts a hardware‑aware resource analysis of a quantum‑accelerated pre‑image attack on a three‑round reduced version of Keccak‑256 (the basis of SHA‑3). The authors start from the classical attack by Lin et al., which finds a pre‑image in about 2^57.8 operations. Applying Grover’s algorithm theoretically reduces the search complexity to roughly 2^28.9, a quadratic speed‑up. However, the paper’s central contribution is a concrete quantification of the quantum overhead required to implement the necessary oracle using Qiskit.
The Keccak round consists of five steps (θ, ρ, π, χ, ι). The linear steps (θ, ρ, π, ι) can be expressed with CNOT and single‑qubit gates, but the non‑linear χ step dominates the cost. χ is defined per row as x′_i = x_i ⊕ (¬x_{i+1} ∧ x_{i+2}), with indices taken modulo 5 within the row. To make this reversible, the authors construct a Toffoli‑based sub‑circuit: for each of the 1 600 state bits they allocate an auxiliary qubit, compute the AND with a forward Toffoli, XOR the result into the target with a CNOT, then uncompute the auxiliary with a reverse Toffoli and restore the negated control. Consequently each bit requires two Toffoli gates (forward + uncompute) and one CNOT. For three rounds the total Toffoli count is 9 600, double the naïve estimate that omitted uncomputation.
Qubit accounting yields 1 600 state qubits plus 1 600 auxiliaries, i.e., 3 200 logical qubits. Translating logical qubits into physical qubits under a surface‑code error‑correction scheme (≈1 000 physical qubits per logical qubit) leads to an astronomical requirement of about 3.2 million physical qubits. The authors also estimate the total number of two‑qubit operations: each Toffoli decomposes into roughly 10–20 CNOTs, resulting in about 7.47 × 10^13 two‑qubit gates for the full Grover search.
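To make the accounting in the two paragraphs above concrete, here is an added example (not code from the paper, and plain Python rather than Qiskit so it runs without a quantum SDK): a minimal reversible-gate simulator exercises the per-bit χ gadget (forward Toffoli into an auxiliary, CNOT into the target, reverse Toffoli, X gates to negate and restore the control), checks it exhaustively against the χ formula with the auxiliary returning to zero, and scales the per-bit counts to the 9,600 Toffoli, 3,200 logical qubit and 3.2 million physical qubit figures. The class and function names, the qubit layout and the 1,000:1 surface-code ratio used as a parameter are assumptions.

```python
from collections import Counter

class ReversibleCircuit:
    """Classical simulation of X / CNOT / Toffoli on computational-basis bits (assumed helper)."""
    def __init__(self, bits):
        self.q = list(bits)          # 0/1 value per qubit
        self.counts = Counter()      # gate tally, used for resource accounting

    def x(self, t):
        self.q[t] ^= 1
        self.counts["X"] += 1

    def cnot(self, c, t):
        self.q[t] ^= self.q[c]
        self.counts["CNOT"] += 1

    def toffoli(self, c1, c2, t):
        self.q[t] ^= self.q[c1] & self.q[c2]
        self.counts["Toffoli"] += 1

def chi_bit_gadget(circ, xi, xi1, xi2, aux):
    """x_i ^= (NOT x_{i+1}) AND x_{i+2}, leaving aux clean.
    Precondition: the two controls do not change between the two Toffolis."""
    circ.x(xi1)                      # negate control so the Toffoli computes NOT x_{i+1} AND x_{i+2}
    circ.toffoli(xi1, xi2, aux)      # forward Toffoli: aux = NOT x_{i+1} AND x_{i+2}
    circ.cnot(aux, xi)               # XOR the product into the target bit
    circ.toffoli(xi1, xi2, aux)      # reverse Toffoli: uncompute, aux back to 0
    circ.x(xi1)                      # restore the negated control

def verify_gadget():
    """Check the gadget against the chi formula on all 8 inputs; return one gadget's gate counts."""
    for bits in range(8):
        x0, x1, x2 = bits & 1, (bits >> 1) & 1, (bits >> 2) & 1
        circ = ReversibleCircuit([x0, x1, x2, 0])   # qubit 3 is the auxiliary
        chi_bit_gadget(circ, 0, 1, 2, 3)
        expected = x0 ^ ((x1 ^ 1) & x2)
        assert circ.q == [expected, x1, x2, 0], (bits, circ.q)   # target correct, aux clean
    return dict(circ.counts)

def resource_estimate(state_bits=1600, rounds=3, phys_per_logical=1000):
    """Scale one gadget to the full state: Toffoli count, logical and physical qubits."""
    per_bit = verify_gadget()
    toffoli = per_bit["Toffoli"] * state_bits * rounds
    logical = state_bits + state_bits              # state qubits + one auxiliary per bit
    return {"toffoli": toffoli, "logical_qubits": logical,
            "physical_qubits": logical * phys_per_logical}

if __name__ == "__main__":
    print(verify_gadget())      # {'X': 2, 'Toffoli': 2, 'CNOT': 1}
    print(resource_estimate())  # {'toffoli': 9600, 'logical_qubits': 3200, 'physical_qubits': 3200000}
```

Dropping the reverse Toffoli halves the Toffoli count to 3,200 but leaves every auxiliary dirty, which is exactly the naïve estimate the paper corrects.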
Two runtime scenarios are examined. In an optimistic scenario—assuming a future machine with 1 GHz gate speed, highly efficient error correction, and the full 3.2 million physical qubits—the total Grover iterations would complete in roughly 0.12 years (≈43 days). In a more realistic, conservative scenario that respects current error rates and realistic gate speeds, the execution time balloons to over 2 365 years. Both estimates far exceed any practical timeframe, and the physical‑qubit demand is far beyond present or near‑future quantum hardware (which is measured in the low thousands).
The paper concludes that while Grover’s algorithm offers a mathematically sound quadratic speed‑up, the hidden constant factors—especially the cost of reversible implementation of the χ step, the need for uncomputation, and the massive error‑correction overhead—render the attack infeasible both in terms of resources and runtime. Consequently, SHA‑3’s security against quantum pre‑image attacks remains robust. The authors stress that quantum cryptanalysis must move beyond asymptotic O(√N) arguments and incorporate detailed, hardware‑aware resource estimations to assess real‑world threats.