Tight Analysis of Grover-Meets-Simon and Alg-PolyQ2 Attacks via Formalizing Quantum Rank-Solving under Deferred Measurement

Qiqing Xia; Qianru Zhu; Huiqin Xie; Li Yang

doi:10.2478/qic-2025-0024

Full Article

1.

Introduction

The development of large-scale quantum computers will have a significant impact on the security of many cryptographic schemes currently in use [1]. In particular, the introduction of Shor’s algorithm [2,3] can solve factorization and discrete logarithm problems in polynomial time. Since almost all current public key schemes are built on the assumption of these computationally difficult problems, this will have a devastating impact on asymmetric cryptographic schemes. This situation has triggered a new line of research, namely post-quantum cryptography, which aims to develop new cryptographic primitives in the hope of resisting attackers equipped with quantum computers. NIST has proposed the post-quantum asymmetric scheme project [4–7] to standardize several quantum-resistant publickey cryptographic algorithms. It is crucial to start the transition to quantum-resistant cryptography before quantum computers are truly available. Fully exploring the potential of quantum algorithms to attack cryptographic schemes and effectively assessing the quantum security of existing schemes under quantum computing will help better design cryptographic algorithms to resist attacks from future quantum computers.

However, the situation for symmetric cryptographic schemes is less clear: universal attacks define the security of ideal symmetric primitives and will achieve a quadratic speed-up through Grover’s algorithm [8,9], implying that in a post-quantum world, doubling the key length can restore equivalent ideal security. For nearly 20 years, it was believed that Grover’s algorithm was the only advantage attackers had when attacking symmetric cryptography using quantum computers. Although the community seems to think that this solution [10,11] has solved the problem, knowledge about practical attacks is still very limited. At present, the impact of many quantum attacks on symmetric cryptography remains unclear, and potential threats need to be explored. The National Academy of Sciences report on the rise of quantum computing [12] also pointed out that there may be some currently unknown clever quantum attacks, such as Simon’s algorithm. Indeed, cryptographers have made significant progress against quantum attackers using superposition queries, which can break many symmetric key schemes in polynomial time.

Quantum algorithms have become a central focus in the field of symmetric cryptanalysis. Grover’s algorithm is one of the most widely applied algorithms in this field, as it can speed up the search efficiency in an unstructured database of size 2ⁿ, reducing the complexity of exhaustive search attacks from 𝒪(2ⁿ) to $𝒪 (\sqrt{2^{n}})$ {\cal O}\left( {\sqrt {{2^n}} } \right). Then, Brassard et al. generalized Grover’s algorithm and developed the famous quantum amplitude amplification (QAA) algorithm [13]. Compared with Grover’s algorithm, the QAA algorithm extends the preparation of the initial state from the n Hadamard gates to any quantum algorithm 𝒜, thus expanding the application range. Based on Grover’s algorithm, Brassard et al. [14] proposed a quantum collision search algorithm (BHT algorithm) for the 2-to-1 function over a domain of size 2ⁿ, which can find a set of collisions with high probability through $𝒪 (2^{\frac{n}{3}})$ {\cal O}\left( {{2^{{n \over 3}}}} \right) queries. Ambainis [15] extends this result to arbitrary functions, showing that $𝒪 (2^{\frac{2 n}{3}})$ {\cal O}\left( {{2^{{{2n} \over 3}}}} \right) queries suffice to find a set of collisions. Furthermore, Aaronson and Shi [16] established a lower bound of $𝒪 (2^{\frac{n}{3}})$ {\cal O}\left( {{2^{{n \over 3}}}} \right) for the BHT algorithm, which is lower than the original optimal lower bound. Zhandry [17] proved that the probability of finding a collision after performing q queries is at most $\frac{q^{3}}{2^{n}}$ {{{q^3}} \over {{2^n}}}. Additionally, Hosoyamada et al. [18] explored multiple collisions and proposed a new quantum algorithm that, for l-collisions with small l, gets collisions in $2^{\frac{n \times (3^{l - 1} - 1)}{2 \times 3^{l - 1}}}$ {2^{{{n \times \left( {{3^{l - 1}} - 1} \right)} \over {2 \times {3^{l - 1}}}}}} queries. Apart from Grover’s algorithm, Simon’s algorithm [19] is also the current research focus in symmetric cryptanalysis. Kuwakado and Morii [20] proved that Simon’s algorithm can distinguish a three-round Feistel structure from a random permutation using the parallelism of quantum computation—an impossible task for classical computers. Similarly, many quantum cryptanalysis works [21–23] are carried out based on the periodicity-finding feature of Simon’s algorithm. These include attacks on working modes such as CBC-MAC, PMAC, GMAC, GCM, OCB, and constructions like LRW, etc. Many common quantum attack methods [24–27] are also built upon or inspired by Simon’s algorithm.

In recent years, a significant focus of research has been the development of new quantum attack algorithms targeting cryptographic schemes. One popular approach involves combining different quantum algorithms to achieve more efficient attacks, such as Grover-meets-Kuperberg algorithm [28], Bernstein–Vazirani-meets-Grover algorithm [29], etc. The Grover-meets-Simon algorithm proposed by Leander and May [30] is the most widely applied among them, where Grover’s algorithm serves as the outer structure and Simon’s algorithm as the inner structure. The period identified by Simon’s algorithm is used as the decision condition of Grover’s search. The introduction of the Grover-meets-Simon has enabled its application to search for two keys in function structures that can be modeled as periodic functions [31–33]. Building on this idea, Bonnetain [34] proposed two improved combinations of Grover’s algorithm and Simon’s algorithm under the Q1 model (attackers perform offline quantum computations but make only classical online queries) and Q2 model (attackers can make superposition queries to a quantum oracle), where the one in the Q2 model is called Alg-PolyQ2 algorithm. This Alg-PolyQ2 algorithm leverages a combination of online queries and offline computation to achieve an exponential reduction in quantum query complexity.

Despite the promising structure of these combined quantum algorithms, the actual attack success probability and the required number of iterations, especially under practical constraints such as deferred measurement, remain insufficiently characterized. This motivates our work: to analyze in detail how the internal structure of these algorithms affects their success probability under deferred measurement, and to derive tight bounds on the attack success probability and the required number of iterations. Through this analysis, we aim to better understand the real-world effectiveness of such combined quantum attacks, going beyond asymptotic query complexity and providing quantitative insight into their feasibility.

Our contributions In this paper, we mainly study the Grover-meets-Simon and Alg-PolyQ2 algorithms in detail under deferred measurement. We analyze the generalized success probability of these two algorithms in detail from a novel perspective based on the initial amplitude, thereby confirming their effectiveness. To the best of our knowledge, such a detailed analysis has not been done before. In more detail, our main contributions are as follows:

Since both algorithms involve the rank-solving problem of a system of linear equations, we provide a formal analysis of the generalized quantum Gauss-Jordan elimination. Through the formal description, we discuss the situation (quantum state form) of obtaining the reduced row echelon form matrix based on this method, demonstrate the necessity of auxiliary qubits, and provide its formal proof. Based on the deferred measurement principle to solve the rank, we further analyze the rank-solving process and provide the number of matrices with rank-(n – 1) in both n-dimensional and (n – 1)-dimensional linear spaces, respectively, along with the corresponding proofs. This is the first time to consider in detail the formal analysis of quantum Gauss–Jordan elimination as a subroutine to solve the rank in the parallel Simon’s algorithms under deferred measurement.
We provide a tight analysis of the Grover-meets-Simon and Alg-PolyQ2 algorithms under deferred measurement in detail. Specifically, considering that when Simon’s algorithm is used as the internal structure, the key space will collapse if the intermediate measurements are made. Therefore, combined with the deferred measurement principle, we examine the challenges arising from deferring all measurements in Simon’s algorithm to the end of the entire computation during the iteration process. Based on the oscillation amplitude of the initial state, the tight bounds of the generalized success probability and the optimal number of iterations of the Grover-meets-Simon algorithm are analyzed in detail. Similarly, we also provide a tight analysis of the Alg-PolyQ2 algorithm to demonstrate its effectiveness as a quantum attack. This paper provides a novel perspective for assessing the practical effectiveness of quantum algorithms—one that does not rely on assumptions about quantum input length, such as the number of parallel instances of Simon’s algorithm and the choice of plaintext pairs in the classifier of the Grover-meets-Simon algorithm.

Outline The rest of the paper is organized as follows: Section 2 introduces the relevant knowledge of quantum circuit models and quantum algorithms; Section 3 provides a formal analysis of the generalized quantum Gauss-Jordan elimination; Section 4 provides a tight analysis of the Grover-meets-Simon and Alg-PolyQ2 algorithms under deferred measurement via formalizing quantum rank-solving; Section 5 discusses some future research directions; Section 6 summarizes this paper.

2.

Preliminaries

In this section, we introduce some concepts of quantum computation and review Simon’s and Grover’s algorithms.

2.1.

Quantum Circuit Model

A circuit consisting of a series of quantum gates applied to a group of qubits is called a quantum circuit, which can be used to describe the change of quantum state in Hilbert space. Each quantum logic gate can be represented by a unitary matrix. These unitary operators in Hilbert space are all invertible, and it may be necessary to use enough auxiliary qubits to achieve the required goal. A single qubit has two quantum ground states |0〉, |1〉. If the quantum state |φ〉 can be linearly represented by |0〉, |1〉, then this state is called a superposition state |φ〉 = α|0〉 + β|1〉. Among them, the probability amplitudes α and β are complex numbers, and |α|² + |β|² = 1. When an n-qubit is given, the computational basis has 2ⁿ vectors. After applying a series of quantum gates to the initial state, the original superposition state changes. Finally, the system is measured and some n-qubit vectors are obtained on the computational basis to get the desired result.

Quantum computing takes advantage of parallel computing by utilizing quantum phenomena such as quantum superposition and entanglement, allowing multiple computable states to be processed simultaneously, thereby improving efficiency and speed. The unique capabilities of quantum computers enable them to surpass classical computers in certain computing tasks.

Principle of quantum parallel computing

Assume f(x) : {0,1}ⁿ → {0,1}^m, the mapping of this function in the quantum setting can be used as an oracle U_f : |x, y〉 → |x, y ⊕ f(x)〉. When the initial state |0〉^⊗n|0〉^⊗m is input, $H^{\otimes n} | 0 〉^{\otimes n} | 0 〉^{\otimes m} \overset{U_{f}}{\to} \frac{1}{\sqrt{2^{n}}} \sum_{x} | x 〉 | f (x) 〉$ {H^{ \otimes n}}|0{\rangle ^{ \otimes n}}|0{\rangle ^{ \otimes m}}{1 \over {\sqrt {{2^n}} }}\sum\limits_x | \;x\rangle |f(x)\rangle , which can calculate all values of this function f. This oracle U_f is widely used in various quantum algorithms.

In addition, the following two important principles regarding quantum circuits are very practical. For detailed proof, refer to [35].

Principle of deferred measurement

Measurements can always be moved from the intermediate stage of a quantum circuit to the end of the circuit. Any measurement that occurs inside a quantum circuit can be deferred to the end of the circuit.

Principle of implicit measurement

Any unmeasured qubit at the end of a quantum circuit can be assumed to be measured.

2.2.

Parallel Simon’s Algorithm

Simon’s algorithm [19] aims to solve the periodic problem of hidden subgroups, which can be described as follows:

Simon’s Problem with promise: suppose there is a quantum oracle to a function f: {0,1}ⁿ → {0,1}^m such that ∃ s ∈ {0,1}ⁿ, ∀ x ∈ {0,1}ⁿ, f(x) = f(x ⊕ s). The goal is to find the period s.

An individual Simon’s algorithm can be performed by the following steps, with the corresponding quantum circuit shown in Figure 1.

Prepare the initial state $| 0 〉_{I}^{\otimes n} | 0 〉_{I I}^{\otimes m}$ |0\rangle _I^{ \otimes n}|0\rangle _{II}^{ \otimes m} and perform the Hadamard transform H^⊗n on the first register. The following quantum states can be obtained: $\frac{1}{\sqrt{2^{n}}} \sum_{x \in {0, 1}^{n}} | x 〉_{I} | 0 〉_{I I} .$ {1 \over {\sqrt {{2^n}} }}\sum\limits_{x \in {{\{ 0,1\} }^n}} | \;x{\rangle _I}|0{\rangle _{II}}.
Perform a quantum query on the function f, mapping to the following quantum state: $\frac{1}{\sqrt{2^{n}}} \sum_{x \in {0, 1}^{n}} | x 〉_{I} | f (x) 〉_{I I} .$ {1 \over {\sqrt {{2^n}} }}\sum\limits_{x \in {{\{ 0,1\} }^n}} | \;x{\rangle _I}|f(x){\rangle _{II}}.
Perform the Hadamard transform H^⊗n on the first register, and the following quantum state can be obtained: $\frac{1}{2^{n}} \sum_{y \in {0, 1}^{n}} \sum_{x \in {0, 1}^{n}} {(- 1)}^{x \cdot y} | y 〉_{I} | f (x) 〉_{I I} .$ {1 \over {{2^n}}}\sum\limits_{y \in {{\{ 0,1\} }^n}} {\sum\limits_{x \in {{\{ 0,1\} }^n}} {{{( - 1)}^{x\;\cdoty}}} } |y{\rangle _I}|f(x){\rangle _{II}}.

Suppose there is some s ≠ 0, for each y, then |y, f(x)〉 = |y, f(x ⊕ s〉, and the amplitude of this configuration is: 1 $α (x, y) = \frac{1}{2^{n}} [{(- 1)}^{x \cdot y} + {(- 1)}^{(x \oplus s) \cdot y}] = \frac{1}{2^{n}} {(- 1)}^{x \cdot y} [(1 + {(- 1)}^{s \cdot y}] .$ \alpha (x,y) = {1 \over {{2^n}}}\left[ {{{( - 1)}^{x\;\cdoty}} + {{( - 1)}^{(x \oplus s)\cdoty}}} \right] = {1 \over {{2^n}}}{( - 1)^{x\;\cdoty}}\left[ {\left( {1 + {{( - 1)}^{s\;\cdoty}}} \right].} \right.

Let X₁ be an ((n – 1)-dimensional subspace of $F_{2}^{n}$ _2^n, and divide $F_{2}^{n}$ _2^n into coset X₁ and X₁ + s, $s \in F_{2}^{n} \ X_{1}$ s \in _2^n\backslash {X_1}. In this setting, we assume x ∈ X₁.
Measure the first register, and it will collapse to a value that satisfies y · s = 0.

When y · s = 1, the amplitude of α(x, y) is 0. Hence, we can only get the vector y orthogonal to period s. The parallel Simon’s algorithms under deferred measurement only need 𝒪(n) oracle queries, n – 1 linearly independent values of y are obtained with high probability, then s can be obtained by solving the following linear equations: 2 ${\begin{array}{l} y_{1} \cdot s = 0 \\ y_{2} \cdot s = 0 \\ ⋮ \\ y_{n} \cdot s = 0. \end{array}$ \left\{ {\matrix{ {{y_1}\;\cdot\;s = 0} \hfill \cr {{y_2}\;\cdot\;s = 0} \hfill \cr {\;\;\; \vdots } \hfill \cr {{y_n}\;\cdot\;s = 0.} \hfill \cr } } \right.

Simon’s algorithm is a probabilistic algorithm, and the promise of Simon’s problem is not always fully satisfied in cryptanalysis. We introduce a theorem to quantify the relationship between the number of parallel instances of Simon’s algorithm and the success probability. The proof can be found in [23]:

Theorem 1.

Given f : {0,1}ⁿ → {0,1}^m and s as an actual period of f, ∃ t ∈ {0,1}ⁿ\{0, s} such that the input x ∈ {0,1}ⁿ satisfies f(x ⊕ t) = f(x). Define 3 $ε (f) = \max_{t \in {0, 1}^{n} \ {0, s}} P r_{x} [f (x) = f (x \oplus t)] .$ \varepsilon (f) = \mathop {\max }\limits_{t \in {{\{ 0,1\} }^n}\backslash \{ 0,{\rm{s}}\} } P{r_x}[f(x) = f(x \oplus t)].

If ε(f) ≤ p₀ < 1, after performing l instances of Simon’s algorithm in parallel, the success probability of outputting the actual period s is at least $1 - 2^{n} {(\frac{1 + p_{0}}{2})}^{l}$ 1 - {2^n}{\left( {{{1 + {p_0}} \over 2}} \right)^l}. Choosing l ≥ 3n/(1 – p₀), ε(f) is far enough away from 1.

2.3.

Generalized Grover’s Algorithm

Grover’s algorithm [8,9] aims to quickly search for r marked solution elements in an unstructured database of size N, which can achieve a quadratic speedup compared to the time complexity of classical exhaustive algorithms. It can be described as follows:

Grover’s problem: given a search space N whose elements are represented on n = log₂ N qubits, suppose there is a quantum oracle to a function f: {0,1}ⁿ → {0,1} such that x ∈ N, f(x) = 1. The goal is to find these r marked solution elements.

Amplitude amplification is a natural generalization of the original Grover’s algorithm. The result of amplitude amplification is described in the following theorem [13], with the corresponding quantum circuit shown in Figure 2.

Here, 𝒜 is the Hadamard transform H^⊗n in the original Grover’s algorithm.

Theorem 2.

Let 𝒜 be any quantum algorithm without measurement, and let f: {0, 1}_n → {0, 1} be a Boolean function that distinguishes between good and bad states from the output of the algorithm 𝒜. Let p > 0 be the initial success probability of 𝒜|0〉. We define 𝒬 = –𝒜U₀𝒜⁻¹U_f, where U₀ = 2|0〉^⊗n〈0|^⊗n – I, U_f is performed: $U_{f} | x 〉 = {\begin{matrix} - | x 〉, i f f (x) = 1 \\ | x 〉, i f f (x) = 0, \end{matrix}$ {U_f}|x\rangle = \left\{ {\matrix{ { - |x\rangle,{\rm{ }}if{\rm{ }}f(x) = 1} \cr {|x\rangle,{\rm{ }}if{\rm{ }}f(x) = 0,} \cr } } \right. if the state is good, then the phase is reversed.

After T iterations 𝒬^T 𝒜|0〉, the outcome is good with probability at least max {p, 1 – p} under deferred measurement, where $T = ⌊ \frac{π}{4 θ} ⌋$ T = \left\lfloor {{\pi \over {4\theta }}} \right\rfloor and sin²(θ) = p.

3.

Formal Analysis of Generalized Quantum Gauss-Jordan Elimination

Quantum Gauss-Jordan elimination (QGJE) was first proposed by Do et al. [36] to solve the linear system of n equations on n variables AX = b, a_ij ∈ A, with the goal of achieving a speedup over classical computing techniques. However, no formal proof has been provided yet. In this section, we provide a formal analysis of the generalized QGJE, in particular the existence of a full rank or rank-(n – 1) check in a quantum oracle of cryptographic algorithms. The following are the formal steps to perform it. For detailed quantum gate operations of the generalized QGJE, please refer to [37,38].

Formal description of the generalized QGJE

Given a quantum coefficient matrix $| A 〉_{m \otimes n} = \sum_{i} α_{i} {| A_{i} 〉}_{m \otimes n}$ |A{\rangle _{m \otimes n}} = \sum\nolimits_i {{\alpha _i}{{\left| {{A_i}} \right\rangle }_{m \otimes n}}} of linear systems of equations, there exists a unitary operator U_QGJE such that $\sum_{i} α_{i} | A_{i} 〉 | 0 〉^{\otimes n u m} \overset{U_{QGJE}}{\to} \sum_{i} α_{i} | A_{i}^{'} 〉 | ε_{i} 〉$ \sum\nolimits_i {{\alpha _i}} \left| {{A_i}} \right\rangle |0{\rangle ^{ \otimes num}}\buildrel {{U_{{\rm{QGJE}}}}} \over \longrightarrow \sum\nolimits_i {{\alpha _i}} \left| {A_i^\prime } \right\rangle \left| {{\varepsilon _i}} \right\rangle , where $| A_{i}^{'} 〉$ \left| {A_i^\prime } \right\rangle is the reduced row echelon form (RREF) matrix corresponding to different |A_i〉, and |ε_i〉 corresponding to each superposition component are auxiliary qubits after applying the generalized QGJE.

Quantum Gauss-Jordan Elimination (QGJE) [36]

Step 1: First, find out the first non-zero |a_i,1〉 ≠ 0 using Grover’s Search algorithm.

Step 2: If successful, take the first leading |1〉 in the first position as |a_1,1〉, otherwise change to the next column and repeat step 1.

Step 3: Eliminate all other elements |a_2,1〉, ⋯, |a_n,1〉, in the first column.

Step 4: Change n to n – 1, control if still n > 0, repeat step 1.

Step 5 In backward eliminate all |a_n–1,n〉, ⋯, |a_1,n〉.

Step 6: Check if n > 0, change n to n – 1, and repeat step 5.

Remark 1.

The QGJE is chosen because it is a generalized quantum extension of the classical Gauss-Jordan elimination, which serves as the foundational algorithm for rank-solving problems. The algorithm proposed by Bonnetain and Jaques is specifically tailored to determine the full-rank property of certain structured matrices derived from symmetric cryptographic primitives and its core technique still relies on Gauss-Jordan elimination to transform the matrix into an upper triangular form. The quantum algorithms proposed by Xia et al. are universal and can compute both the rank and the general solution of arbitrary quantum linear systems with a single measurement. Therefore, for the detailed steps of quantum rank-solving, please refer to [37,38].

In brief, if the rank is required through deferred measurement, then these auxiliary qubits $| ε 〉 = \sum_{i} | ε_{i} 〉$ |\varepsilon \rangle = \sum\nolimits_i {\left| {{\varepsilon _i}} \right\rangle } can contain the solution of the rank corresponding to $\sum_{i} α_{i} A_{i}$ \sum\nolimits_i {{\alpha _i}} {A_i}. The rank of a linear system of equations is solved without any intermediate measurement that would cause superposition state collapse. The specific operation is as follows: the pivot $| a_{i i}^{'} 〉$ \left| {a_{ii}^\prime } \right\rangle , i ≤ min {m, n} in $| A_{i}^{'} 〉$ \left| {A_i^\prime } \right\rangle is used as the control qubit of the CNOT gate, XORed to these all-zero auxiliary qubit inputs, and finally the rank is obtained by measuring these auxiliary qubits after the operation.

In formal description of the generalized QGJE, auxiliary qubits |0〉^⊗num are necessary to complete the generalized QGJE. Next, we provide a lemma to prove its necessity.

Lemma 1.

There exists a unitary operation U_QGJE such that U_QGJE(|A〉|0〉^⊗num) = |A′〉|ε〉. Then it always holds that num > 0.

Proof.

Consider the first non-zero element |a_k,j〉 in the column as a pivot and an element |a_i,j〉(i > k) of its column. In the generalized QGJE, these two elements not only serve as control qubits but must also be transformed as target qubits during the elimination process.

Assume for contradiction that there exists a unitary operator U without auxiliary qubits such that U|00〉 = |00〉,U|01〉 = |10〉,U|10〉 = |10〉,U|11〉 = |11〉. From this, we can find that ${\begin{array}{l} U | 01 〉 = | 10 〉 \\ U | 10 〉 = | 10 〉 \end{array} \Rightarrow {\begin{matrix} U {(0, 0, 1, 0)}^{T} = {(0, 1, 0, 0)}^{T} (i) \\ U {(0, 1, 0, 0)}^{T} = {(0, 1, 0, 0)}^{T} (i i) . \end{matrix}$ \left\{ {\matrix{ {U|01\rangle = \;|10\rangle } \hfill \cr {U|10\rangle = \;|10\rangle } \hfill \cr } \Rightarrow \left\{ {\matrix{ {U{{(0,0,1,0)}^T} = {{(0,1,0,0)}^T}\;(i)} \cr {U{{(0,1,0,0)}^T} = {{(0,1,0,0)}^T}\;(ii).} \cr } } \right.} \right.

If we do (i) – (ii), we get U(0, –1, 1, 0)^T = (0,0,0,0)^T, violating unitarity since U⁻¹ cannot recover the original state, contradicts! There is no inverse operator such that U⁻¹ (0,0,0,0)^T = (0, –1,1,0)^T. As a result, there exists no such unitary operator U. Thus, the assumption does not hold.

It can be seen that auxiliary qubits are necessary to store the values of data qubits to control the transformation.

Lemma 1 demonstrates the necessity of auxiliary qubits in the generalized QGJE. This naturally raises an important question: we need to consider whether the auxiliary qubits can be disentangled. Next, we provide a theorem to state the issue and show the form of the quantum state after the generalized QGJE.

Theorem 3.

There is no operator U = U′ · U_QGJE such that $\sum_{i} α_{i} | A_{i} 〉 | 0 〉^{\otimes n u m} \overset{U}{\to} (\sum_{j} β_{j} | B_{j} 〉) \otimes (\sum_{k} γ_{k} | c_{k} 〉),$ \sum\limits_i {{\alpha _i}} \left| {{A_i}} \right\rangle |0{\rangle ^{ \otimes num}}\buildrel U \over \longrightarrow \left( {\sum\limits_j {{\beta _j}} \left| {{B_j}} \right\rangle } \right) \otimes \left( {\sum\limits_k {{\gamma _k}} \left| {{c_k}} \right\rangle } \right), where B_j is the same RREF matrix corresponding to multiple different A_i. The coefficient β_j is the probability amplitude associated with |B_j〉 and γ_k is the probability amplitude associated with |c_k〉, where |c_k〉 are different auxiliary states for different k.

Proof.

This means that the auxiliary qubits cannot be disentangle with other registers and thus $\sum_{i} α_{i} | A_{i} 〉 | 0 〉^{\otimes n u m} \overset{U_{QGJE}}{\to} \sum_{i} α_{i} | A_{i}^{'} 〉 | ε_{i} 〉$ \sum\nolimits_i {{\alpha _i}} \left| {{A_i}} \right\rangle |0{\rangle ^{ \otimes num}}\buildrel {{U_{{\rm{QGJE}}}}} \over \longrightarrow \sum\nolimits_i {{\alpha _i}} \left| {A_i^\prime } \right\rangle \left| {{\varepsilon _i}} \right\rangle .

Next, we use the method of contradiction. Suppose that there is an operator U such that $\sum_{i} α_{i} | A_{i} 〉 | 0 〉^{\otimes n u m} \to (\sum_{j} β_{j} | B_{j} 〉) \otimes (\sum_{k} γ_{k} | c_{k} 〉)$ \sum\nolimits_i {{\alpha _i}} \left| {{A_i}} \right\rangle |0{\rangle ^{ \otimes num}} \to \;\left( {\sum\nolimits_j {{\beta _j}} \left| {{B_j}} \right\rangle } \right) \otimes \left( {\sum\nolimits_k {{\gamma _k}\left| {{c_k}} \right\rangle } } \right). We divide U into the product of two unitary operators U_QGJE and U′.

4

\begin{array}{l} U_{QGJE} (\sum_{i} α_{i} | A_{i} 〉 \otimes | 0 〉^{\otimes n u m}) & = \sum_{i} α_{i} (| A_{i}^{'} 〉 \otimes | ε_{i} 〉) \\ \underset{\to}{U^{'}} (\sum_{j} β_{j} | B_{j} 〉) \otimes (\sum_{k} γ_{k} | c_{k} 〉) \\ = \sum_{j, k} β_{j} γ_{k} (| B_{j} 〉 \otimes | c_{k} 〉) . \end{array}

\matrix{ {{U_{{\rm{QGJE}}}}\left( {\sum\limits_i {{\alpha _i}} \left| {{A_i}} \right\rangle \otimes |0{\rangle ^{ \otimes num}}} \right)} \hfill & { = \sum\limits_i {{\alpha _i}} \left( {\left| {A_i^\prime } \right\rangle \otimes \left| {{\varepsilon _i}} \right\rangle } \right)} \hfill \cr {} \hfill & {\left( {\sum\limits_j {{\beta _j}} \left| {{B_j}} \right\rangle } \right) \otimes \left( {\sum\limits_k {{\gamma _k}} \left| {{c_k}} \right\rangle } \right)} \hfill \cr {} \hfill & { = \sum\limits_{j,k} {{\beta _j}} {\gamma _k}\left( {\left| {{B_j}} \right\rangle \otimes \left| {{c_k}} \right\rangle } \right).} \hfill \cr }

While the RREF of a matrix is unique, the reduction process may not be, which results in different auxiliary states. Multiple different A_i may correspond to the same RREF matrix B_j. Hence, j ≤ i always holds. The original problem can be reduced to whether the auxiliary states added during the operation can be disentangled through U′. If both $Σ_{j} = 1$ {\Sigma _j} = 1 and $Σ_{k} = 1$ {\Sigma _k} = 1, then the space containing $\sum_{i} α_{i} (| A_{i}^{'} 〉 \otimes | ε_{i} 〉)$ \sum\nolimits_i {{\alpha _i}} \left( {\left| {A_i^\prime } \right\rangle \otimes \left| {{\varepsilon _i}} \right\rangle } \right) has the same dimension as that of $\sum_{j, k} β_{j} γ_{k} | B_{j} \otimes c_{k} 〉$ \sum\nolimits_{j,k} {{\beta _j}} {\gamma _k}\left| {{B_j} \otimes {c_k}} \right\rangle since U′ is a unitary operator and they are both one-dimensional, which contradicts the fact that multiple |A_i〉 map to the same |B_j〉. Thus, it is evident that the case satisfying both $Σ_{j} = 1$ {\Sigma _j} = 1 and $Σ_{k} = 1$ {\Sigma _k} = 1 clearly cannot hold. There may exist the following cases:

Case 1:
$Σ_{j} = 1$ {\Sigma _j} = 1 and $\sum_{k} \neq 1$ \sum\nolimits_k \ne 1.

Since auxiliary qubits record the information of |A_i〉, it is generally the case that |ε_i〉 ≠ |ε_i′〉 when i ≠ i′. However, due to $Σ_{j} = 1$ {\Sigma _j} = 1, all different |A_i〉 correspond to the same RREF matrix |B₁〉, which is clearly not the case.
Case 2:
$Σ_{j} \neq 1$ {\Sigma _j} \ne 1 and $Σ_{k} = 1$ {\Sigma _k} = 1.

According to Formula (4), when k = 1, that is, auxiliary qubits are disentangled and can return to all-zero states |0 〉^⊗num. Thus, we can get that $\sum_{i} α_{i} | A_{i} 〉 \underset{\to}{U} \sum_{j} β_{j} | B_{j} 〉$ \sum\nolimits_i {{\alpha _i}} \left| {{A_i}} \right\rangle \sum\nolimits_j {{\beta _j}} \left| {{B_j}} \right\rangle . Different matrices may get the same RREF matrix after the generalized QGJE, that is |{A_i}| > |{B_j}|. Suppose that |B₁〉 is the RREF matrix corresponding to |A₁₁}, |A₁₂〉. And |B₂〉 is the RREF matrix corresponding to |A₂₁〉, |A₂₂〉. There are superposition states $\frac{1}{\sqrt{2}} | A_{11} 〉 + \frac{1}{\sqrt{2}} | A_{21} 〉$ {1 \over {\sqrt 2 }}\left| {{A_{11}}} \right\rangle + {1 \over {\sqrt 2 }}\left| {{A_{21}}} \right\rangle and $\frac{1}{\sqrt{2}} | A_{12} 〉 + \frac{1}{\sqrt{2}} | A_{22} 〉$ {1 \over {\sqrt 2 }}\left| {{A_{12}}} \right\rangle + {1 \over {\sqrt 2 }}\left| {{A_{22}}} \right\rangle . We get that 5 $U (\frac{1}{\sqrt{2}} | A_{11} 〉 + \frac{1}{\sqrt{2}} | A_{21} 〉) = U (\frac{1}{\sqrt{2}} | A_{12} 〉 + \frac{1}{\sqrt{2}} | A_{22} 〉) = \frac{1}{\sqrt{2}} | B_{1} 〉 + \frac{1}{\sqrt{2}} | B_{2} 〉 .$ U\left( {{1 \over {\sqrt 2 }}\left| {{A_{11}}} \right\rangle + {1 \over {\sqrt 2 }}\left| {{A_{21}}} \right\rangle } \right) = U\left( {{1 \over {\sqrt 2 }}\left| {{A_{12}}} \right\rangle + {1 \over {\sqrt 2 }}\left| {{A_{22}}} \right\rangle } \right) = {1 \over {\sqrt 2 }}\left| {{B_1}} \right\rangle + {1 \over {\sqrt 2 }}\left| {{B_2}} \right\rangle.

Consider the invertibility of the unitary operator U, $U^{- 1} (\frac{1}{\sqrt{2}} | B_{1} 〉 + \frac{1}{\sqrt{2}} | B_{2} 〉)$ {U^{ - 1}}\left( {{1 \over {\sqrt 2 }}\left| {{B_1}} \right\rangle + {1 \over {\sqrt 2 }}\left| {{B_2}} \right\rangle } \right) must have only unique preimage. Contradicting with the above Formula (5), this case does not hold.
Case 3:
$\sum_{j} \neq 1$ \sum\nolimits_j \ne \;1 and $\sum_{k} \neq 1$ \sum\nolimits_k \ne \;1.

In this case, suppose that there are k₁ original matrices |A_i₁〉 corresponding to the same RREF matrix |B₁〉 and there are k₂ original matrices |A_i₂〉 corresponding to the same RREF matrix |B₂〉. Since the inputs are distinct and unitary operators are invertible, we have 6 ${\begin{array}{l} U_{QGJE} (| A_{i_{1}} \otimes 0^{n u m} 〉) = | B_{1} \otimes ε_{i_{1}} 〉, & i_{1} \in {1, 2, \dots k_{1}} \\ U_{QGJE} (| A_{i_{2}} \otimes 0^{n u m} 〉) = | B_{2} \otimes ε_{i_{2}} 〉, & i_{2} \in {1, 2, \dots k_{2}} . \end{array}$ \left\{ {\matrix{ {{U_{{\rm{QGJE}}}}\left( {\left| {{A_{{i_1}}} \otimes {0^{num}}} \right\rangle } \right) = \left| {{B_1} \otimes {\varepsilon _{{i_1}}}} \right\rangle,} \hfill & {{i_1} \in \left\{ {1,2, \cdots {k_1}} \right\}} \hfill \cr {{U_{{\rm{QGJE}}}}\left( {\left| {{A_{{i_2}}} \otimes {0^{num}}} \right\rangle } \right) = \left| {{B_2} \otimes {\varepsilon _{{i_2}}}} \right\rangle,} \hfill & {{i_2} \in \left\{ {1,2, \cdots {k_2}} \right\}.} \hfill \cr } } \right.

According to Formula (6), the number of original matrices corresponding to different RREF matrices may be different. Hence, there is no such unitary operation U’ that $\sum_{i} α_{i} (| A_{i}^{'} 〉 \otimes | ε_{i} 〉) \underset{\to}{U^{'}} \sum_{j, k} β_{j} γ_{k} (| B_{j} 〉 \otimes | c_{k} 〉)$ \sum\nolimits_i {{\alpha _i}} \left( {\left| {A_i^\prime } \right\rangle \otimes \left| {{\varepsilon _i}} \right\rangle } \right)\sum\nolimits_{j,k} {{\beta _j}} {\gamma _k}\left( {\left| {{B_j}} \right\rangle \otimes \left| {{c_k}} \right\rangle } \right).

Besides, if $\sum_{i} α_{i} | A_{i} 〉 | 0 〉^{\otimes n u m} \overset{U}{\to} (\sum_{j} β_{j} | B_{j} 〉) \otimes (\sum_{k} γ_{k} | c_{k} 〉)$ \sum\limits_i {{\alpha _i}} \left| {{A_i}} \right\rangle |0{\rangle ^{ \otimes num}}\buildrel U \over \longrightarrow \left( {\sum\nolimits_j {{\beta _j}} \left| {{B_j}} \right\rangle } \right) \otimes \left( {\sum\nolimits_k {{\gamma _k}} \left| {{c_k}} \right\rangle } \right) holds, then there is always a unitary transformation that changes auxiliary qubits $\sum_{k} γ_{k} | c_{k} 〉$ \sum\nolimits_k {{\gamma _k}} \left| {{c_k}} \right\rangle into all-zero states. As in case 2, this case does not hold. In summary, there is no unitary transformation U’, equivalent to this theorem, which does not hold. Thus, the generalized QGJE can only realize $\sum_{i} α_{i} | A_{i} 〉 | 0 〉^{\otimes n u m} \overset{U_{QGJE}}{\to} \sum_{i} α_{i} | A_{i}^{'} 〉 | ε_{i} 〉$ \sum\nolimits_i {{\alpha _i}} \left| {{A_i}} \right\rangle |0{\rangle ^{ \otimes num}}\buildrel {{U_{{\rm{QGJE}}}}} \over \longrightarrow \sum\nolimits_i {{\alpha _i}} \left| {A_i^\prime } \right\rangle \left| {{\varepsilon _i}} \right\rangle .

According to the above analysis, we provide a formal description and analysis of the generalized QGJE, demonstrating that it can serve as a subroutine for determining whether a matrix is of full rank or rank-(n – 1) in the quantum setting (see Remark 1).

In particular, since the registers of multiple instances of Simon’s algorithm form a tensor product, the resulting matrix is randomly generated. If Simon’s promise holds—i.e., there exists a hidden period, and then the rank of the resulting matrix is at most n – 1. In the following, we consider these cases and express them as a lemma.

Lemma 2.

Let l, n be integers such that l ≥ n, and consider matrices over the binary field 𝔽₂ Then, the number of l × n matrices with rank-(n – 1) is given by $N_{F_{2}^{n}} (n - 1) = (2^{n} - 1) \prod_{i = 0}^{n - 2} (2^{l} - 2^{i})$ {N_{_2^n}}(n - 1) = \left( {{2^n} - 1} \right)\prod\nolimits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} over $F_{2}^{n}$ _2^n and $N_{F_{2}^{n - 1}} (n - 1) = \prod_{i = 0}^{n - 2} (2^{l} - 2^{i})$ {N_{_2^{n - 1}}}(n - 1) = \prod\nolimits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} over $F_{2}^{n - 1}$ _2^{n - 1}.

Proof

Let us consider the set of all l × n matrices over 𝔽₂ whose rank is exactly n – 1. The idea is to count the number of such matrices using a combinatorial argument based on matrix factorizations and properties of linear independence over finite fields. A matrix $A \in F_{2}^{l \times n}$ A \in _2^{l \times n} has rank-(n – 1) if and only if:

The row space of A has dimension n – 1 (i.e., n – 1 linearly independent rows);
The column space of A has dimension n – 1 (i.e., n – 1 linearly independent columns).

Every rank-(n – 1) matrix A can be written as a product A = UV, where:

$U \in F_{2}^{l \times (n - 1)}$ U \in _2^{l \times (n - 1)} is a full-rank matrix (its columns span a rank-(n – 1) subspace of $F_{2}^{l}$ _2^l);
$V \in F_{2}^{(n - 1) \times n}$ V \in _2^{(n - 1) \times n} is a full-rank matrix (its rows span a rank-(n – 1) subspace of $F_{2}^{n}$ _2^n).

Tight Bounds and Approximation

Let $P = \prod_{i = 0}^{n - 2} (2^{l} - 2^{i}) = 2^{\sum_{i = 0}^{n - 2} i} \cdot \prod_{i = 0}^{n - 2} (2^{l - i} - 1)$ P = \prod\nolimits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} = {2^{\sum\nolimits_{i = 0}^{n - 2} i }}\;\cdot\;\prod\nolimits_{i = 0}^{n - 2} {\left( {{2^{l - i}} - 1} \right)} , $Q = \prod_{i = 0}^{n - 2} (2^{l - i} - 1)$ Q = \prod\nolimits_{i = 0}^{n - 2} {\left( {{2^{l - i}} - 1} \right)} and thus $P = 2^{\frac{(n - 2) (n - 1)}{2}} \cdot Q$ P = {2^{{{(n - 2)(n - 1)} \over 2}}}\cdot\;Q

Lower Bound: Since 2^l–i – 1 ≥ 2^l–i–1 for l – i ≥ 1, we have $\begin{matrix} Q \geq \prod_{i = 0}^{n - 2} 2^{l - i - 1} = 2^{\sum_{i = 0}^{n - 2} (l - i - 1)} = 2^{(n - 1) (l - 1) - \frac{(n - 2) (n - 1)}{2}}, \\ P \geq 2^{\frac{(n - 2) (n - 1)}{2}} \cdot 2^{(n - 1) (l - 1) - \frac{(n - 2) (n - 1)}{2}} = 2^{(n - 1) (l - 1)} . \end{matrix}$ \matrix{ {Q \ge \prod\limits_{i = 0}^{n - 2} {{2^{l - i - 1}}} = {2^{\sum\limits_{i = 0}^{n - 2} {(l - i - 1)} }} = {2^{(n - 1)(l - 1) - {{(n - 2)(n - 1)} \over 2}}},} \cr {P \ge {2^{{{(n - 2)(n - 1)} \over 2}}}\cdot\;{2^{(n - 1)(l - 1) - {{(n - 2)(n - 1)} \over 2}}} = {2^{(n - 1)(l - 1)}}.} \cr }

Upper Bound: Since 2^l–i – 1 ≤ 2^l–i, we have $\begin{matrix} Q \leq \prod_{i = 0}^{n - 2} 2^{l - i} = 2^{\sum_{i = 0}^{n - 2} (l - i)} = 2^{(n - 1) l - \frac{(n - 2) (n - 1)}{2}}, \\ P \leq 2^{\frac{(n - 2) (n - 1)}{2}} \cdot 2^{(n - 1) l - \frac{(n - 2) (n - 1)}{2}} = 2^{(n - 1) l} . \end{matrix}$ \matrix{ {Q \le \prod\limits_{i = 0}^{n - 2} {{2^{l - i}}} = {2^{\sum\nolimits_{i = 0}^{n - 2} {(l - i)} }} = {2^{(n - 1)l - {{(n - 2)(n - 1)} \over 2}}},} \cr {P \le {2^{{{(n - 2)(n - 1)} \over 2}}}\cdot\;{2^{(n - 1)l - {{(n - 2)(n - 1)} \over 2}}} = {2^{(n - 1)l}}.} \cr }

Summary of Bounds: 2^{(n – 1)(l – 1)} ≤ P ≤ 2^{(n – 1)l}.

Asymptotic Approximation: For large l ≫ n, the terms 2^–(l–i) become negligible. Rewrite P as $P = 2^{(n - 1) l} \prod_{i = 0}^{n - 2} (1 - 2^{- (l - i)}) .$ P = {2^{(n - 1)l}}\prod\limits_{i = 0}^{n - 2} {\left( {1 - {2^{ - (l - i)}}} \right)}.

Taking the logarithm: $ln P = (n - 1) l \cdot \ln 2 + \sum_{i = 0}^{n - 2} \ln (1 - 2^{- (l - i)})$ P = (n - 1)l\;\cdot\;\ln 2 + \sum\nolimits_{i = 0}^{n - 2} {\ln } \left( {1 - {2^{ - (l - i)}}} \right). For l ≫ n, 2^–(l–i) ≈ 0, so ln(1 – 2^–(l–i)) ≈ –2^–(l–i). Thus, $\sum_{i = 0}^{n - 2} \ln (1 - 2^{- (l - i)}) \approx - \sum_{i = 0}^{n - 2} 2^{- (l - i)} = - 2^{- l} (2^{n - 1} - 1) .$ \sum\nolimits_{i = 0}^{n - 2} {\ln } \left( {1 - {2^{ - (l - i)}}} \right) \approx - \sum\limits_{i = 0}^{n - 2} {{2^{ - (l - i)}}} = - {2^{ - l}}\left( {{2^{n - 1}} - 1} \right).

Exponentiating: P ≈ 2^(n–1)l exp(–2^–(l–n+1)) ≈ 2^(n–1)l (1 – 2^–(l–n+1)).

Final Results

Tight Bounds: 7 $2^{(n - 1) (l - 1)} \leq \prod_{i = 0}^{n - 2} (2^{l} - 2^{i}) \leq 2^{(n - 1) l} .$ {2^{(n - 1)(l - 1)}} \le \prod\limits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} \le {2^{(n - 1)l}}.
Approximation (for l ≫ n): 8 $\prod_{i = 0}^{n - 2} (2^{l} - 2^{i}) \approx 2^{(n - 1) l} (1 - 2^{- (l - n + 1)}) .$ \prod\limits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} \approx {2^{(n - 1)l}}\left( {1 - {2^{ - (l - n + 1)}}} \right).

However, this factorization is not unique because different pairs (U, V) can give rise to the same matrix A. Specifically, for any invertible matrix T ∈ GL_n–1 (𝔽₂), we have A = UV = (UT)(T⁻¹V), and both UT and T⁻¹V are still full-rank. Therefore, to avoid overcounting, we divide by the number of invertible (n – 1) × (n – 1) matrices over 𝔽₂. We proceed as follows:

First, we count the number of full-rank (n – 1)-dimensional column spaces over $F_{2}^{l}$ _2^l. This is the number of ordered sets of (n – 1) linearly independent column vectors over $F_{2}^{l}$ _2^l, which is $\prod_{i = 0}^{n - 2} (2^{l} - 2^{i})$ \prod\nolimits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} .
Next, we proceed to count the number of full-rank (n – 1)-dimensional row spaces over $F_{2}^{n}$ _2^n, which is $\prod_{i = 0}^{n - 2} (2^{n} - 2^{i})$ \prod\nolimits_{i = 0}^{n - 2} {\left( {{2^n} - {2^i}} \right)} .
Finally, we divide by the number of invertible (n – 1) × (n – 1) matrices over 𝔽₂, which is $| {GL}_{n - 1} (F_{2}) | = \prod_{i = 0}^{n - 2} (2^{n - 1} - 2^{i})$ \left| {{\rm{G}}{{\rm{L}}_{n - 1}}\left( {{_2}} \right)} \right| = \prod\nolimits_{i = 0}^{n - 2} {\left( {{2^{n - 1}} - {2^i}} \right)} .

Combining all the above parts, we can obtain: $N_{F_{2}^{n}} (n - 1) = \prod_{i = 0}^{n - 2} \frac{(2^{l} - 2^{i}) (2^{n} - 2^{i})}{2^{n - 1} - 2^{i}} = (2^{n} - 1) \prod_{i = 0}^{n - 2} (2^{l} - 2^{i})$ {N_{_2^n}}(n - 1) = \prod\nolimits_{i = 0}^{n - 2} {{{\left( {{2^l} - {2^i}} \right)\left( {{2^n} - {2^i}} \right)} \over {{2^{n - 1}} - {2^i}}}} = \left( {{2^n} - 1} \right)\prod\nolimits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} .

Consider the set of all l × n matrices over 𝔽₂ whose rank is exactly n – 1, and it is equivalent to a full-rank matrix associated with a homogeneous system of linear equations, i.e., the number of ordered sets of (n – 1) linearly independent column vectors over $F_{2}^{l}$ _2^l, which is $N_{F_{2}^{n - 1}} (n - 1) = \prod_{i = 0}^{n - 2} (2^{l} - 2^{i})$ {N_{_2^{n - 1}}}(n - 1) = \prod\nolimits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} .

For subsequent calculations, we provide the tight bound and approximation on this value of $\prod_{i = 0}^{n - 2} (2^{l} - 2^{i})$ \prod\nolimits_{i = 0}^{n - 2} {\left( {{2^l} - {2^i}} \right)} , as summarized in Tight Bounds and Approximation.

4.

Tight Analysis of Grover-Meets-Simon and Alg-PolyQ2 under Deferred Measurement

In this section, we analyze and discuss the generalized success probability of the Grover-meets-Simon and Alg-PolyQ2 algorithms without relying on assumptions about quantum input length under deferred measurement. Both quantum algorithms can be applicable to the FX construction Enc (k, x) = E (k, x ⊕ k₁) ⊕ k₂ shown in Figure 3, where k ∈ {0,1 }^m, k₁,k₂ ∈ { 0,1 }ⁿ. The key k₂ is independent of the keys k,k₁. Once the keys k and k₁ are recovered, the key k₂ can be naturally derived. Hence, the attack goal is to focus on recovering the keys k, k₁.

Previous works In the Grover-meets-Simon algorithm [30], assuming that the periodic function has been sampled uniformly at random, the success probability is shown to be at least $\frac{2}{5}$ {2 \over 5}, using $m + 4 n (n + \sqrt{n})$ m + 4n(n + \sqrt n ) qubits and $2^{\frac{m}{2}} 𝒪 (m + n)$ {2^{{m \over 2}}}{\cal O}(m + n) oracle queries; in the Alg-PolyQ2 algorithm [34], it shows that the error produced in each iteration of this algorithm, i.e., the function has a period but does not return the actual period, is bounded by the maximum on the index i of p⁽ⁱ⁾ ≤ 2⁽ⁿ⁺¹⁾ ((1 + p₀)/2)l only using 𝒪(n) oracle queries, where l is the number of parallel Simon’s algorithms and p₀ is the upper bound of ϵ (f) in Theorem 1.

Our work Our work begins with a formal analysis of the generalized quantum Gauss–Jordan elimination method for the rank problem in Section 3. From a novel perspective that does not rely on assumptions about quantum input length, we provide a tight analysis of the generalized success probability and the optimal number of iterations for the Grover-meets-Simon and Alg-PolyQ2 algorithms, based on the amplitudes of their initial states. The results demonstrate that both algorithms are effective quantum attacks, with generalized success probabilities close to 1.

4.1.

Generalized Success Probability of Grover-Meets-Simon

Leander and May [30] proposed a key-recovery attack leveraging a combination of Grover’s algorithm and Simon’s algorithm. The method embeds Simon’s algorithm within the iterations of Grover’s search, using Simon’s algorithm as the internal decision function and Grover’s algorithm as the outer search procedure. They also provided a relatively loose success probability of $\frac{2}{5}$ {2 \over 5} by choosing a specific quantum input length, such as the number of parallel instances of Simon’s algorithm. In this subsection, we provide the generalized success probability and the optimal number of iterations of the Grover-meets-Simon algorithm, along with their proofs.

Indeed, the Grover-meets-Simon algorithm is the generalized Grover’s algorithm shown in Figure 2, where 𝒜 is l(≥ n) parallel Simon’s algorithms, U_f is used to determine whether the rank is n – 1 by applying the generalized QGJE, and U₀ changes the phase of the amplitude only for the zero state.

Let f : { 0,1 }^m × { 0,1 }ⁿ → { 0,1 }ⁿ be a function such that $f (k^{'}, x) = E n c (k^{'}, x) + E (k^{'}, x)$ f\left( {k',x} \right) = Enc\left( {k',x} \right) + E\left( {k',x} \right). It is evident that f (k′,x) has the period s = k₁ when k′ = k. Applying algorithm 𝒜 on |0〉^⊗m+2nl, the initial input state of Grover-meets-Simon algorithm is 9 $| φ 〉 = \frac{1}{\sqrt{2^{m}}} {(\frac{1}{2^{n}})}^{l} \sum_{\begin{matrix} k^{'} \in F_{2}^{m} \\ x_{1}, \dots, x_{1} \in F_{2}^{n} \\ y_{1}, \dots, y_{l} \in F_{2}^{n} \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}} | y_{1}, y_{2} \dots, y_{l} 〉 | f (k^{'}, x_{1}), \dots, f (k^{'}, x_{l}) 〉 | k^{'} 〉 .$ |\varphi \rangle = {1 \over {\sqrt {{2^m}} }}{\left( {{1 \over {{2^n}}}} \right)^l}\sum\limits_{\scriptstyle k' \in _2^m \atop {\scriptstyle {x_1}, \cdots,{x_1} \in _2^n \atop \scriptstyle {y_1}, \cdots,{y_l} \in _2^n}} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {( - 1)^{{x_l}\cdot{y_l}}}\left| {{y_1},{y_2} \cdots,{y_l}} \right\rangle \left| {f\left( {k',{x_1}} \right), \cdots,f\left( {k',{x_l}} \right)} \right\rangle \left| {k'} \right\rangle.

Next, we analyze the initial state |φ〉 in detail. The key space $\sum_{k^{'} \in F_{2}^{n}} | k^{'} 〉$ \sum\nolimits_{k' \in _2^n} {\left| {k'} \right\rangle } to be searched is entangled with the superposition state of the matrices $\sum_{y_{1}, \dots, y_{l} \in F_{2}^{n}} | y_{1}, \dots, y_{l} 〉$ \sum\nolimits_{{y_1}, \cdots,{y_l} \in _2^n} {\left| {{y_1}, \cdots,{y_l}} \right\rangle } generated in parallel multiple Simon’s registers. Suppose that $ϒ_{1} = {(y_{1}, y_{2}, \dots, y_{l}) \in F_{2}^{n l} ∣ y_{i} ⊥ s, s \neq 0}$ {Y_1} = \left\{ {\left( {{y_1},{y_2}, \cdots,{y_l}} \right) \in _2^{nl}\mid {y_i} \bot s,s \ne 0} \right\} and $ϒ_{2} = {(y_{1}, y_{2}, \dots, y_{l}) \in F_{2}^{n l} ∣ y_{i} \in F_{2}^{n}}$ {Y_2} = \left\{ {\left( {{y_1},{y_2}, \cdots,{y_l}} \right) \in _2^{nl}\mid {y_i} \in F_2^n} \right\}. When |k′〉 is the correct key |k〉, the row vector |y₁〉 (i ∈ 1,2 ⋯ l) of the corresponding matrix |y₁, y₂, ⋯, y₁ satisfies that y_i ∈ ϒ¹. Otherwise, the row vector |y_i〉 (i ∈ 1,2 ⋯ l) only satisfies y₁ ∈ ϒ₂. If we consider the intermediate measurement in the original Simon’s algorithm, the key space $\sum_{k^{'} \in F_{2}^{n}} | k^{'} 〉$ \sum\nolimits_{k' \in _2^n} {\left| {k'} \right\rangle } will collapse so that we cannot search for the correct key |k〉. Therefore, we can measure only at the end of the algorithm according to the principle of deferred measurement.

In addition, when l = 𝒪(n), Simon’s algorithms are executed in parallel, the linear systems of equations generated are different from the linear systems of equations generated by a single Simon’s algorithm running 𝒪 (n) times. After O (n) Simon’s algorithms via measurement, we can obtain a determined classical matrix. Whereas as the number of parallel instances increases, the dimension of the span dim(span(( y₁, y₂, ⋯, y_l))) = n – 1 can be obtained with a high probability [23], enabling recovery of the period s. However, without intermediate measurement after 𝒪(n) Simon’s algorithms in parallel, the resulting superposition state of matrices $\sum_{y_{1}, y_{2}, \dots, y_{l} \in F_{2}^{n}} | y_{1}, y_{2}, \dots, y_{l} 〉$ \sum\nolimits_{{y_1},{y_2}, \cdots,{y_l} \in _2^n} {\left| {{y_1},{y_2}, \cdots,{y_l}} \right\rangle } would contain all matrices generated by a row vector y that satisfies the promise. That is, the matrix components with rank less than n – 1 will inevitably be present in the superposition. For example, one of the components of the superposition state is |y₁, y₂, ⋯,y₁〉, that is, all row vectors are the same and dim((y₁, y₁ ⋯ y₁)) = 1. Therefore, under this deferred measurement setting, one must not only search for the correct key |k〉, but also identify and extract the appropriate components |y₁, y₂, ⋯,y_l〉 by applying the generalized QGJE.

Consider that if k is the correct key, then the function f (k, x) has a non-zero period s such that f (k, x) = f (k, x ⊕ s). To simplify the representation, we define a set X₁ that is the n – 1 dimensional subspace of $F_{2}^{n}$ _2^n and divide $F_{2}^{n}$ {\left( {{1 \over {{2^{n - 1}}}}} \right)^l}\sum\limits_{\scriptstyle x \in {X_1} \atop \scriptstyle {y_1}, \cdots,{y_l} \in _2^n,y \bot s} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {( - 1)^{{x_l}\cdot{y_l}}}\left| {{y_1},{y_2}, \cdots,{y_l}} \right\rangle \left| {f\left( {k',{x_1}} \right), \cdots,f\left( {k',{x_l}} \right)} \right\rangle. into cosets X₁ and X₁ + s. We suppose that the ground states can be combined to obtain the following result by applying parallel Simon’s algorithms: 10 ${(\frac{1}{2^{n - 1}})}^{l} \sum_{\begin{matrix} x \in X_{1} \\ y_{1}, \dots, y_{l} \in F_{2}^{n}, y ⊥ s \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}} | y_{1}, y_{2}, \dots, y_{l} 〉 | f (k^{'}, x_{1}), \dots, f (k^{'}, x_{l}) 〉 .$ {\left( {{1 \over {{2^{n - 1}}}}} \right)^l}\sum\limits_{\scriptstyle x \in {X_1} \atop \scriptstyle {y_1}, \cdots,{y_l} \in _2^n,y \bot s} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {( - 1)^{{x_l}\cdot{y_l}}}\left| {{y_1},{y_2}, \cdots,{y_l}} \right\rangle \left| {f\left( {k',{x_1}} \right), \cdots,f\left( {k',{x_l}} \right)} \right\rangle.

Suppose that k is the correct key for the function f (k′, x).If k′ = k, the period s is not 0; if k′ ≠ k, the function f (k′, x) has no period. Then the initial state can be further written as 11 $\begin{array}{l} | φ 〉 = \frac{1}{\sqrt{2^{m}}} {(\frac{1}{2^{n}})}^{l} \sum_{\begin{matrix} k^{'} \in F_{2}^{m}, k^{'} \neq k \\ x_{1}, \dots, x_{l} \in F_{n}^{n} \\ y_{1}, \dots, y_{l} \in F_{2}^{n} \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}} | y_{1}, y_{2}, \dots, y_{l} 〉 | f (k^{'}, x_{1}), \dots, f (k^{'}, x_{l}) 〉 | k^{'} 〉 \\ + \frac{1}{\sqrt{2^{m}}} {(\frac{1}{2^{n - 1}})}^{l} \sum_{\begin{matrix} x_{1}, \dots, x_{l} \in X_{1} \\ y_{1}, \dots, y_{l} ⊥ s, s \neq 0 \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}} | y_{1}, y_{2} \dots, y_{l} 〉 | f (k, x_{1}), \dots, f (k, x_{l}) 〉 | k 〉 . \end{array}$ \matrix{ {|\varphi \rangle = {1 \over {\sqrt {{2^m}} }}{{\left( {{1 \over {{2^n}}}} \right)}^l}\sum\limits_{\scriptstyle k' \in _2^m,k' \ne k \atop {\scriptstyle {x_1}, \cdots,{x_l} \in _n^n \atop \scriptstyle {y_1}, \cdots,{y_l} \in _2^n}} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {{( - 1)}^{{x_l}\cdot{y_l}}}\left| {{y_1},{y_2}, \cdots,{y_l}} \right\rangle \left| {f\left( {k',{x_1}} \right), \cdots,f\left( {k',{x_l}} \right)} \right\rangle \left| {k'} \right\rangle } \hfill \cr { + {1 \over {\sqrt {{2^m}} }}{{\left( {{1 \over {{2^{n - 1}}}}} \right)}^l}\sum\limits_{\scriptstyle {x_1}, \cdots,{x_l} \in {X_1} \atop \scriptstyle {y_1}, \cdots,{y_l} \bot s,s \ne 0} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {{( - 1)}^{{x_l}\cdot{y_l}}}\left| {{y_1},{y_2} \cdots,{y_l}} \right\rangle \left| {f\left( {k,{x_1}} \right), \cdots,f\left( {k,{x_l}} \right)} \right\rangle |k\rangle.} \hfill \cr }

In the Grover-meets-Simon algorithm, the above process is equivalent to moving all the measurements of the parallel Simon’s algorithms during the iteration process to the end of the entire algorithm, satisfying the principle of deferred measurement.

Here, the quantum classifier U_f is defined as follows: $U_{f} : F_{2}^{m} \times {(F_{2}^{n})}^{l} \to {0, 1} w i t h (k^{'}, y_{1}, \dots, y_{l}) \to {0, 1} .$ {U_f}:_2^m \times {\left( {_2^n} \right)^l} \to \{ 0,1\} {\rm{ }}with{\rm{ }}\left( {k',{y_1}, \cdots,{y_l}} \right) \to \{ 0,1\}.

(1)
If dim(y₁, y₂, ⋯, y_l) = n ≠ 1, the output will be 0. Otherwise compute a basis of |y₁, y₂, ⋯, y_l〉 by applying the generalized QGJE and the unique vector $k_{1}^{'} \in F_{2}^{n} \ {0}$ k_1^\prime \in _2^n\backslash \{ {\bf{0}}\} orthogonal to y.
(2)
Check $(k^{'}, k_{1}^{'}) \overset{?}{=} (k, k_{1})$ \left( {{k^\prime },k_1^\prime } \right)\mathop = \limits^? \left( {k,{k_1}} \right) for arbitrary provided plaintext pairs $(m_{i}, m_{i}^{'}) \in_{R} F_{2}^{n}$ \left( {{m_i},m_i^\prime } \right){ \in _R}_2^n. If all identities hold, the output will be 1, otherwise it will be 0.

Therefore, the operator U_f can be defined like: 12 $| φ^{'} 〉 \to {\begin{matrix} - | φ^{'} 〉, i f U_{f} | φ^{'} 〉 = 1 \\ | φ^{'} 〉, i f U_{f} | φ^{'} 〉 = 0, \end{matrix}$ \left| {\varphi '} \right\rangle \to \left\{ {\matrix{ { - \left| {\varphi '} \right\rangle,{\rm{ }}if{\rm{ }}{U_f}\left| {\varphi '} \right\rangle = 1} \cr {\left| {\varphi '} \right\rangle,{\rm{ }}if{\rm{ }}{U_f}\left| {\varphi '} \right\rangle = 0,} \cr } } \right. where |φ′〉 is the component of the superposition state |φ〉.

From Formula (11), we know that the initial state of the Grover-meets-Simon algorithm is not a uniform superposition and there is an amplitude of oscillation due to the entanglement between the key space |k′〉 and Simon’s registers |y₁, ⋯, y_l). Specifically, amplitudes for k′ = k (correct key) scale as 1/2^{(m+2(n–1)l)/2}, while others scale as 1/2^(m+2nl)/2, creating an oscillating imbalance.

In [39], Biron et al. discussed the maximum success probability and the optimal number of iterations of Grover’s algorithm in an arbitrary initial state. They depend only on the standard deviation of the initial amplitude distributions of the marked or unmarked states. Hence, we can provide a tight bound of the generalized success probability of the Grover-meets-Simon algorithm based on the initial amplitude from a novel perspective without considering quantum input length.

Biron et al. [39] obtained first-order linear difference equations for the time evolution of the amplitudes of r marked states and N – r unmarked states and solved them exactly. The results of the maximum success probability and the optimal number of iterations are summarized in the following theorem.

Theorem 4 ([39]).

Suppose that the number of correct solutions is r and the size of the database searched is N. When r / N ≪ 1, the optimal number of iterations T of the search and the success probability of these marked states in the measurement at time t at the end satisfy $\begin{matrix} T = - \frac{1}{2} \frac{\bar{k (0)}}{\bar{l (0)}} + \frac{π}{4} \sqrt{N / r} - \frac{π}{24} \sqrt{r / N} + O (r / N), \\ P (t) = P_{\max} - (N - r) | \bar{l (0)} |^{2}, P_{\max} = 1 - (N - r) σ_{l}^{2}, \end{matrix}$ \matrix{ T & { = - {1 \over 2}{{\overline {k(0)} } \over {\overline {l(0)} }} + {\pi \over 4}\sqrt {N/r} - {\pi \over {24}}\sqrt {r/N} + {\cal O}(r/N),} \cr {P(t)} & { = {P_{max}} - (N - r)|\overline {l(0)} {|^2},{P_{max}} = 1 - (N - r)\sigma _l^2,} \cr } where $\bar{k (0)}$ \overline {k(0)} represents the average of the initial amplitude of the marked states (i.e., correct solutions), $\bar{l (0)}$ \overline {l(0)} represents the average of the initial amplitude of the unmarked states, $σ_{l}^{2}$ \sigma _l^2 is the variance of the initial amplitude of the unmarked states, and P_max is a time-independent quantity that serves as a tight bound on the success probability.

As shown in Formula (11), when k′ is the correct key k, the matrices generated by them contain cases with rank less than or equal to n – 1. We can calculate the number of marked correct solutions r (matrices with rank-(n – 1)) according to Lemma 2. For l parallel instances of Simon’s algorithm, the size of the overall state space is 2^2(n–1)l.

Then, we discuss the initial success probability based on the initial amplitudes. According to the calculation method of the maximum success probability in [39,40], we can get that the maximum success probability in the initial state is $P_{m a x} = 1 - (N - r) σ_{l}^{2},$ {P_{max}} = 1 - (N - r)\sigma _l^2,, where the variance $σ_{l}^{2} = \frac{1}{N - r} \sum_{i = 1}^{N - r} {| l_{i} (0) - \bar{l (0)} |}^{2} = \frac{1}{N - r} \sum_{i} {(l_{i} (0))}^{2} - {(\frac{1}{N - r} \sum_{i} l_{i} (0))}^{2}$ \sigma _l^2 = {1 \over {N - r}}\sum\nolimits_{i = 1}^{N - r} {{{\left| {{l_i}(0) - \overline {l(0)} } \right|}^2}} = {1 \over {N - r}}\sum\limits_i {{{\left( {{l_i}(0)} \right)}^2}} - {\left( {{1 \over {N - r}}\sum\limits_i {{l_i}} (0)} \right)^2}. From Formula (11), we can know that $l_{i} {(0)}^{2} = {\begin{array}{l} \frac{1}{2^{m}} (\frac{1}{2^{2 n l}}), k^{'} \neq k \\ \frac{1}{2^{m}} (\frac{1}{2^{2 (n - 1) l}}), k^{'} = k . \end{array}$ {l_i}{(0)^2} = \left\{ {\matrix{ {{1 \over {{2^m}}}\left( {{1 \over {{2^{2nl}}}}} \right),\quad k' \ne k} \hfill \cr {{1 \over {{2^m}}}\left( {{1 \over {{2^{2(n - 1)l}}}}} \right),\quad k' = k.} \hfill \cr } } \right.

Note that k′ = k but dim(span(y₁, y₂, ⋯, y_l)) < n – 1 are unmarked states. In unmarked states, when k′ ≠ k, the number is (2^m – 1)2^2nl and when k′ = k, the number is 2^2(n–1)l – r. Hence, we can get 13 $\sum_{i} {(l_{i} (0))}^{2} = \frac{(2^{m} - 1) 2^{2 n l}}{2^{m} 2^{2 n l}} + \frac{2^{2 (n - 1) l} - r}{2^{m} 2^{2 (n - 1) l)}} = 1 - \frac{r}{2^{m} 2^{2 (n - 1) l)}} .$ \sum\limits_i {{{\left( {{l_i}(0)} \right)}^2}} = {{\left( {{2^m} - 1} \right){2^{2nl}}} \over {{2^m}{2^{2nl}}}} + {{{2^{2(n - 1)l}} - r} \over {{2^m}{2^{2(n - 1)l)}}}} = 1 - {r \over {{2^m}{2^{2(n - 1)l)}}}}.

Then, we show $\sum_{i} l_{i} (0) = \sum_{k^{'} = k, \dim (span (y_{1}, \dots, y_{l})) < n - 1} l_{i} (0) + \sum_{k^{'} \neq k} l_{i} (0)$ \sum\nolimits_i {{l_i}} (0) = {\sum _{k' = k}}, where $\sum_{\begin{matrix} k^{'} = k \\ \dim (s p a n (y_{1}, \dots, y_{l})) < n - 1 \end{matrix}} l_{i} (0) = \frac{1}{\sqrt{2^{m}}} {(\frac{1}{2^{n - 1}})}^{l} \sum_{\begin{matrix} x_{1}, \dots, x_{l} \in X_{1} \\ \dim (s p a n (y_{1}, \dots, y_{l})) < n - 1 \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}}$ \left. {\left( {{y_1}, \cdots,{y_l}} \right)} \right) < n - {1^{{l_i}}}(0) + \sum\nolimits_{k' \ne k} {{l_i}} (0) and $\sum_{k^{'} \neq k} l_{i} (0) = \frac{1}{\sqrt{2^{m}}} {(\frac{1}{2^{n - 1}})}^{l} \sum_{\begin{matrix} x_{1}, \dots, x_{l} \in F_{n}^{n} \\ y_{1}, \dots, y_{l} \in F_{2}^{n} \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}} .$ \sum\limits_{\scriptstyle k' = k \atop \scriptstyle \dim \left( {{\mathop{\rm span}\nolimits} \left( {{y_1}, \cdots,{y_l}} \right)} \right) < n - 1} {{l_i}} (0) = {1 \over {\sqrt {{2^m}} }}{\left( {{1 \over {{2^{n - 1}}}}} \right)^l}\sum\limits_{\scriptstyle {x_1}, \cdots,{x_l} \in {X_1} \atop \scriptstyle \dim \left( {{\mathop{\rm span}\nolimits} \left( {{y_1}, \cdots,{y_l}} \right)} \right) < n - 1} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {( - 1)^{{x_l}\cdot{y_l}}}

When computing the value of $\sum_{i} l_{i} (0)$ \sum\limits_{\scriptstyle {x_1}, \cdots,{x_1} \in _2^n \atop \scriptstyle {y_1}, \cdots,{y_l} \in _2^n} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {( - 1)^{{x_l}\cdot{y_l}}}, we need to get the value of $\sum_{\begin{matrix} x_{1}, \dots, x_{1} \in F_{2}^{n} \\ y_{1}, \dots, y_{l} \in F_{2}^{n} \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}}$ \sum\limits_{x \in _2^n} {{{( - 1)}^{x\cdoty}}} = \sum\limits_{x \in {X_1}} {{{( - 1)}^{x\cdoty}}} + \sum\limits_{x \oplus s \in _2^n/{X_1}} {{{( - 1)}^{(x \oplus s)\cdoty}}} = \left\{ {\matrix{ {0,} \hfill & {y \ne 0} \hfill \cr {{2^n},} \hfill & {y = 0.} \hfill \cr } } \right.. According to theorem in [35], we know that $\sum_{x \in F_{2}^{n}} {(- 1)}^{x \cdot y} = \sum_{x \in X_{1}} {(- 1)}^{x \cdot y} + \sum_{x \oplus s \in F_{2}^{n} / X_{1}} {(- 1)}^{(x \oplus s) \cdot y} = {\begin{array}{l} 0, & y \neq 0 \\ 2^{n}, & y = 0. \end{array}$ \sum\nolimits_{x \in _2^n} {{{( - 1)}^{x\cdoty}}} = 2\sum\nolimits_{x \in {X_1}} {{{( - 1)}^{x\cdoty}}}

Because of y ⊥ s, we can get $\sum_{x \in F_{2}^{n}} {(- 1)}^{x \cdot y} = 2 \sum_{x \in X_{1}} {(- 1)}^{x \cdot y}$ \sum\nolimits_{x \in _2^n} {{{( - 1)}^{x\cdoty}}} = 2\sum\nolimits_{x \in {X_1}} {{{( - 1)}^{x\cdoty}}} . Thus, we can get 14 $\sum_{x \in X_{1}} {(- 1)}^{x \cdot y} = {\begin{array}{l} 0, y \neq 0 \\ 2^{n - 1}, y = 0. \end{array}$ \sum\limits_{x \in {X_1}} {{{( - 1)}^{x\cdoty}}} = \left\{ {\matrix{ {0,y \ne 0} \hfill \cr {{2^{n - 1}},y = 0.} \hfill \cr } } \right.

According to the implementation of U_f, we know that x ∈ X₁, only when y₁, y₂, ⋯, y_l are all 0, the value of $\sum_{k^{'} = k, \dim (span (y_{1}, \dots, y_{l})) < n - 1} l_{i} (0) \neq 0$ {\sum _{k' = k,\dim \left( {{\mathop{\rm span}\nolimits} \left( {{y_1}, \cdots,{y_l}} \right)} \right) < n - 1}}{l_i}(0) \ne 0; otherwise, it is 0. Likewise, $\sum_{k^{'} \neq k} l_{i} (0)$ \sum\nolimits_{k' \ne k} {{l_i}} (0) is the same. According to Formula (14), $\sum_{k^{'} = k, \dim (span (y_{1}, \dots, y_{l})) < n - 1} l_{i} (0) = \frac{2^{(n - 1) l}}{\sqrt{2^{m}} 2^{(n - 1) l}}$ \sum\nolimits_{k' = k,\dim \left( {{\mathop{\rm span}\nolimits} \left( {{y_1}, \cdots,{y_l}} \right)} \right) < n - 1} {{l_i}(0) = {{{2^{(n - 1)l}}} \over {\sqrt {{2^m}} {2^{(n - 1)l}}}}} and $\sum_{k^{'} \neq k} l_{i} (0) = \frac{(2^{m} - 1) 2^{n l}}{\sqrt{2^{m}} 2^{n l}}$ \sum\nolimits_{k' \ne k} {{l_i}} (0) = {{\left( {{2^m} - 1} \right){2^{nl}}} \over {\sqrt {{2^m}} {2^{nl}}}}. Hence, 15 ${(\frac{1}{N - r} \sum_{i} l_{i} (0))}^{2} = {(\frac{1}{N - r} (\frac{(2^{m} - 1) 2^{n l}}{\sqrt{2^{m}} 2^{n l}} + \frac{2^{(n - 1) l}}{\sqrt{2^{m}} 2^{(n - 1) l}}))}^{2} = \frac{2^{m}}{{(N - r)}^{2}} .$ {\left( {{1 \over {N - r}}\sum\limits_i {{l_i}} (0)} \right)^2} = {\left( {{1 \over {N - r}}\left( {{{\left( {{2^m} - 1} \right){2^{nl}}} \over {\sqrt {{2^m}} {2^{nl}}}} + {{{2^{(n - 1)l}}} \over {\sqrt {{2^m}} {2^{(n - 1)l}}}}} \right)} \right)^2} = {{{2^m}} \over {{{(N - r)}^2}}}.

By calculation, we can get the time-independent quantity P_max and the initial success probability P(0) based on the initial amplitudes as follows: 16 $P_{m a x} = 1 - (N - r) σ_{l}^{2} = \frac{r}{2^{m} 2^{2 (n - 1) l}} + \frac{2^{m}}{N - r},$ {P_{max}} = 1 - (N - r)\sigma _l^2 = {r \over {{2^m}{2^{2(n - 1)l}}}} + {{{2^m}} \over {N - r}}, 17 $P (0) = P_{m a x} - (N - r) | \bar{l (0)} |^{2} = \frac{r}{2^{m} 2^{2 (n - 1) l}} .$ P(0) = {P_{max}} - (N - r)|\overline {l(0)} {|^2} = {r \over {{2^m}{2^{2(n - 1)l}}}}.

Remark 2.

When dim(spa(y₁, ⋯, y_l)) = n – 1, the vector (y₁, ⋯, y_l) is not the all-zero vector. It follows from Formula (14) that $\sum_{k^{'} = k, \dim (span (y_{1}, \dots, y_{l})) = n - 1} k_{i} (0) = 0$ \sum\nolimits_{k' = k,\dim \left( {{\mathop{\rm span}\nolimits} \left( {{y_1}, \cdots,{y_l}} \right)} \right) = n - 1} {{k_i}(0) = 0} , and thus the initial average amplitude of the marked states $\bar{k (0)} = 0$ \overline {k(0)} = 0. Therefore, the optimal number $T = ⌊ \frac{π}{4} \sqrt{N / r} ⌋$ T = \left\lfloor {{\pi \over 4}\sqrt {N/r} } \right\rfloor of iterations has nothing to do with the initial state.

The size of the database searched is N = (2^m – 1)2^2nl + 2^2(n–1)l. The number of marked correct solutions is r = 2^(n–1)lP = Ω(2^{(n–1)(2l–1)}), where the scaling behavior of P is given in Formula (7). According to Theorem 4, we can compute the optimal number of iterations as follows: 18 $T = ⌊ \frac{π}{4} \sqrt{N / r} ⌋ ~ 𝒪 (\sqrt{N / r}) = 𝒪 (2^{\frac{m + n + 2 l}{2}}) .$ T = \left\lfloor {{\pi \over 4}\sqrt {N/r} } \right\rfloor \~{\cal O}(\sqrt {N/r} ) = {\cal O}\left( {{2^{{{m + n + 2l} \over 2}}}} \right).

The initial angle $θ = \arcsin (\sqrt{P (0)}) \approx \sqrt{P (0)}$ \theta = \arcsin (\sqrt {P(0)} ) \approx \sqrt {P(0)} for small values of P(0), where $P (0) = \frac{r}{2^{m} 2^{2 (n - 1) l}}$ P(0) = {r \over {{2^m}{2^{2(n - 1)l}}}}. Each iteration of Grover’s algorithm increases the angle by 2θ, reaching (2T + 1)θ after T iterations. Therefore, the generalized success probability is 19 $p_{s u c c e s s} = \sin^{2} ((2 T + 1) θ) \approx Θ (1) .$ {p_{success}} = {\sin ^2}((2T + 1)\theta ) \approx \Theta (1).

Therefore, we can obtain (k,y₁, ⋯, y_l) with the probability of Θ(1), where dim(span(y₁, ⋯, y_l)) = n – 1, thereby recovering the keys k, k₁.

When considering the amplitude of the initial state, the initial amplitude is not a uniform superposition state, and there is an oscillation in the amplitude. After analyzing the Grover-meets-Simon algorithm in detail, we know that the Grover-meets-Simon algorithm is an effective algorithm to obtain the correct key with the generalized success probability close to 1 under deferred measurement when moving the measurement of all parallel Simon’s algorithms during the iterative process to the end of the entire algorithm. Specifically, we provide a generalized success probability of the Grover-meets-Simon algorithm, which is independent of the length of the key of the block cipher and the number of parallel Simon’s algorithms. The advantage of the above analysis is that the generalized success probability in any different cases can be calculated without relying on assumptions about the number of plaintext pairs in the classifier or the number of parallel Simon’s algorithms.

4.2.

Generalized Success Probability of Alg-PolyQ2

Bonnetain et al. [34] proposed a new algorithm that also uses a combination of Grover’s algorithm and Simon’s algorithm for solving the asymmetric search problem of a period. This method can also be applied to the FX construction and can exponentially reduce query complexity. However, they do not provide a tight analysis of the generalized success probability of this algorithm.

Asymmetric Search of a Period. There are two functions F : {0,1}^m × {0,1}ⁿ → {0,1}ⁿ and g : {0,1}ⁿ → {0,1}ⁿ. F is a family of functions and can be written F(i, ·) = f_i(). There exists a unique i₀ ∈ {0,1}^m such that $\forall x \in {0, 1}^{n}, f_{i_{0}} (x) \oplus g (x) = f_{i_{0}} (x \oplus s) \oplus g (x \oplus s) .$ \forall x \in {\{ 0,1\} ^n},{f_{{i_0}}}(x) \oplus g(x) = {f_{{i_0}}}(x \oplus s) \oplus g(x \oplus s)..

In the FX construction shown in Figure 3, g = Enc(i, x) is a secret key function that the adversary can query online to evaluate it, while f_i(x) = E(i, x) is a function that the adversary can evaluate it offline. Then, the function f_i ⊕ g has a period k₁ if i = k, whereas it does not have any period if i ≠ k. Therefore, we can guess whether i is equal to the key k by testing whether f_i ⊕ g has a period. The index i can be tested in superposition due to quantum queries to F and g. Thus, the uniform superposition over indices is created as follows: $\sum_{i \in {0, 1}^{m}} | i 〉 \otimes | ψ_{g} 〉$ \sum\limits_{i \in {{\{ 0,1\} }^m}} | \;i\rangle \otimes \left| {{\psi _g}} \right\rangle , where $| ψ_{g} 〉 = \overset{l}{\otimes} (\sum_{x \in {0, 1}^{n}} | x 〉 | g (x) 〉) .$ \left| {{\psi _g}} \right\rangle = \mathop \otimes \limits^l \left( {\sum\limits_{x \in {{\{ 0,1\} }^n}} | \;x\rangle |g(x)\rangle } \right).

Similar to the Grover-meets-Simon algorithm, the Alg-PolyQ2 algorithm is also a generalized Grover’s algorithm shown in Figure 2, where 𝒜 is l(≥ n) parallel Simon’s algorithms for solving the asymmetric search of a period, U_f is used to determine whether the rank is n by applying the generalized QGJE, and U₀ changes the phase of the amplitude only for the zero state. Applying 𝒜 ⊗ I₁ on |0〉^⊗m+2nl+1, the initial input state of Alg-PolyQ2 algorithm is 20 $| φ 〉 = \frac{1}{\sqrt{2^{m}}} {(\frac{1}{2^{n}})}^{l} \sum_{\begin{matrix} i \in {0, 1}^{m} \\ x_{1}, \dots, x_{l} \in F_{n}^{n} \\ y_{1}, \dots, y_{l} \in F_{2}^{n} \end{matrix}} | i 〉 {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}} | y_{1}, \dots, y_{l} 〉 \otimes | (f_{i} \oplus g) (x_{1}), \dots, (f_{i} \oplus g) (x_{l}) 〉 | b 〉 .$ |\varphi \rangle = {1 \over {\sqrt {{2^m}} }}{\left( {{1 \over {{2^n}}}} \right)^l}\sum\limits_{\scriptstyle i \in {\{ 0,1\} ^m} \atop {\scriptstyle {x_1}, \ldots,{x_l} \in _n^n \atop \scriptstyle {y_1}, \ldots,{y_l} \in _2^n}} | \;i\rangle {( - 1)^{{x_1}\cdot{y_1}}} \cdots {( - 1)^{{x_l}\cdot{y_l}}}\left| {{y_1}, \ldots,{y_l}} \right\rangle \otimes \left| {\left( {{f_i} \oplus g} \right)\left( {{x_1}} \right), \ldots,\left( {{f_i} \oplus g} \right)\left( {{x_l}} \right)} \right\rangle |b\rangle.

Suppose that k is the correct key for the function (f_i ⊕ g)(x).If i = k, the period s is not 0; if i ≠ k, there may be values that are not actual non-zero periods t. For b ∈ {0,1}, compute |b ⊕ 1〉 if dim(span(y₁, ⋯, y_l)) < n; otherwise |b〉 if dim(span(y₁, ⋯, y_l)) = n. Then the initial state can be further written as 21 $\begin{array}{l} | φ 〉 = α (\sum_{\begin{matrix} i \in F_{2}^{m}, i \neq k \\ x_{1}, \dots, x_{l} \in F_{2}^{n} \\ y_{1}, \dots, y_{l} \in F_{2}^{n} \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}} | y_{1}, \dots, y_{l} 〉 | (f_{i} \oplus g) (x_{1}), \dots, (f_{i} \oplus g) (x_{l}) 〉 | i 〉 | b 〉) \\ + β (\sum_{\begin{matrix} x_{1}, \dots, x_{l} \in X_{1} \\ y_{1}, \dots, y_{l} ⊥ s, s \neq 0 \end{matrix}} {(- 1)}^{x_{1} \cdot y_{1}} \dots {(- 1)}^{x_{l} \cdot y_{l}} | y_{1}, \dots, y_{l} 〉 | (f_{i} \oplus g) (x_{1}), \dots, (f_{i} \oplus g) (x_{l}) 〉 | k 〉 | b \oplus 1 〉), \end{array}$ \matrix{ {|\varphi \rangle = \alpha \left( {\sum\limits_{\scriptstyle i \in _2^m,i \ne k \atop {\scriptstyle {x_1}, \cdots,{x_l} \in _2^n \atop \scriptstyle {y_1}, \cdots,{y_l} \in _2^n}} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {{( - 1)}^{{x_l}\cdot{y_l}}}\left| {{y_1}, \cdots,{y_l}} \right\rangle \left| {\left( {{f_i} \oplus g} \right)\left( {{x_1}} \right), \cdots,\left( {{f_i} \oplus g} \right)\left( {{x_l}} \right)} \right\rangle |i\rangle |b\rangle } \right)} \hfill \cr { + \beta \left( {\sum\limits_{\scriptstyle {x_1}, \cdots,{x_l} \in {X_1} \atop \scriptstyle {y_1}, \cdots,{y_l} \bot s,s \ne 0} {{{( - 1)}^{{x_1}\cdot{y_1}}}} \cdots {{( - 1)}^{{x_l}\cdot{y_l}}}\left| {{y_1}, \cdots,{y_l}} \right\rangle \left| {\left( {{f_i} \oplus g} \right)\left( {{x_1}} \right), \cdots,\left( {{f_i} \oplus g} \right)\left( {{x_l}} \right)} \right\rangle |k\rangle |b \oplus 1\rangle } \right),} \hfill \cr } where $α = \frac{1}{\sqrt{2^{m}}} {(\frac{1}{2^{n}})}^{l}$ \alpha = {1 \over {\sqrt {{2^m}} }}{\left( {{1 \over {{2^n}}}} \right)^l} and $β = \frac{1}{\sqrt{2^{m}}} {(\frac{1}{2^{n - 1}})}^{l}$ \beta = {1 \over {\sqrt {{2^m}} }}{\left( {{1 \over {{2^{n - 1}}}}} \right)^l}.

In the Alg-PolyQ2 algorithm, the above process also satisfies the principle of deferred measurement.

Here, the quantum oracle U_f is defined as follows: $U_{f} : i \in F_{2}^{m} \to {0, 1} .$ {U_f}:i \in _2^m \to \{ 0,1\}.

Once we have the superposition |ψ_g〉 and given a quantum oracle access to U_f, we can know if f_i ⊕ g has a period or not without making new queries to g by the test oracle. This test oracle is a subroutine of the quantum oracle U_f. Next, the test oracle can be defined as follows:

| i 〉 ψ_{g} | b 〉 \overset{t e s t}{\to} {\begin{array}{l} | i 〉 ψ_{g} 〉 | b 〉, i f (f_{i} \oplus g) has no period \\ | i 〉 ψ_{g} 〉 | b \oplus 1 〉, i f (f_{i} \oplus g) has a period . \end{array}

\left\langle {|i\rangle {\psi _g}} \right.|b\rangle \buildrel {{\bf{test}}} \over \longrightarrow \left\{ {\matrix{ {\left\langle {|i\rangle {\psi _g}} \right.|b\rangle,\quad {\rm{ }}if{\rm{ }}\left( {{f_i} \oplus g} \right){\rm{ has no period}}} \hfill \cr {\left\langle {|i\rangle {\psi _g}} \right.|b \oplus 1\rangle,{\rm{ }}if{\rm{ }}\left( {{f_i} \oplus g} \right){\rm{ has a period}}{\rm{.}}} \hfill \cr } } \right.

If we obtain |b⊕1〉 for b ∈ {0,1}, the output will be 1. Otherwise, the output will be 0. Therefore, the unitary operator U_f can be defined as in Formula (12). Note that even if f_i ⊕ g has no period, it is not necessarily equal to |i〉ψ_g〉|b〉 and Formula (3) holds when i ≠ k are almost random according to Theorem 1. However, we expect that test|i〉ψ_g〉|b〉 = |i〉ψ_g〉|b〉 + |δ〉 holds for small error |δ〉.

Next, we provide a tight analysis of the generalized success probability of the Alg-PolyQ2 algorithm. According to the above analysis, test|k〉ψ_g〉|b〉 = |k〉ψ_g〉|b ⊕ 1〉 always holds when i = k, showing that there must be a nonzero period in the case. Thus, dim(span(y₁, y₂, ⋯, y_l)) < n always holds when i = k and (k, y₁, y₂, ⋯, y_l) are marked states only in the case; all other states are unmarked states.

It follows from Formula (21) that there must be a non-zero period when i = k. As a result of executing the parallel Simon’s algorithms, the quantum states in the overall state space are marked states. Consequently, we have r = 2^2(n–1)l. From the perspective of the time evolution of the amplitude of the initial state, similar to the initial success probability analysis in the Grover-meets-Simon algorithm, the sum of the initial probability of the unmarked states is $\sum_{i} {(l_{i} (0))}^{2} = 1 - \frac{1}{2^{m}}$ \sum\nolimits_i {{{\left( {{l_i}(0)} \right)}^2}} = 1 - {1 \over {{2^m}}} and the sum of their initial amplitude is $\sum_{i \neq k} (0) = \frac{(2^{m} - 1) 2^{n l}}{\sqrt{2^{m}} 2^{n l}}$ \sum\nolimits_{i \ne k} {(0) = {{\left( {{2^m} - 1} \right){2^{nl}}} \over {\sqrt {{2^m}} {2^{nl}}}}} . Thus, according to the definitions in Formulas (16) and (17), we obtain $P (0) = \frac{1}{2^{m}}$ P(0) = {1 \over {{2^m}}}. This verifies that this algorithm essentially applies Grover’s algorithm only on the index i. After an optimal number of iterations $T = 𝒪 (\sqrt{N / r}) = 𝒪 (2^{\frac{m + 2 l}{2}})$ T = {\cal O}(\sqrt {N/r} ) = {\cal O}\left( {{2^{{{m + 2l} \over 2}}}} \right), the key k can be recovered with the probability of Θ(1). We will further interpret the results using joint and conditional probabilities in the following discussion.

Let this event i = k be represented as A and this event dim(span(y₁, y₂, ⋯, y_l)) = n as B. We divide the discussion into three points as follows:

The event (i = k) ⋂ (dim(span(y₁, y₂, ⋯, y_l)) < n) by applying Grover’s search can be represented as $A \cap \bar{B}$ A \cap \bar B and its probability is $P r [A \cap \bar{B}] = Θ (1)$ Pr[A \cap \bar B] = \Theta (1) according to the above analysis. Due to the property of conditional probability $P r [A \cap \bar{B}] = P r [\bar{B} ∣ A] \cdot P r [A]$ Pr[A \cap \bar B] = Pr[\bar B\mid A]\cdotPr[A], then $P r [\bar{B} ∣ A] = \Pr [A] = Θ (1)$ Pr[\bar B\mid A] = \Pr [A] = \Theta (1). This again illustrates that Grover’s algorithm, as a subroutine of Alg-PolyQ2, is essentially just a search for index i with the probability of Θ(1).
The initial state can be written as $\sum_{i \neq k} α_{i} | i 〉 | ψ_{g} 〉 | b 〉 + \sum_{i = k} β_{i} | i 〉 | ψ_{g} 〉 | b 〉$ \sum\nolimits_{i \ne k} {{\alpha _i}} |i\rangle \left| {{\psi _g}} \right\rangle |b\rangle + \sum\nolimits_{i = k} {{\beta _i}} |i\rangle \left| {{\psi _g}} \right\rangle |b\rangle , it changes to $\sum_{i \neq k} α_{i} | i 〉 | ψ_{g} 〉 | b 〉 + \sum_{i = k} β_{i} | i 〉 | ψ_{g} 〉 | b \oplus 1 〉$ \sum\nolimits_{i \ne k} {{\alpha _i}} |i\rangle \left| {{\psi _g}} \right\rangle |b\rangle + \sum\nolimits_{i = k} {{\beta _i}} |i\rangle \left| {{\psi _g}} \right\rangle |b \oplus 1\rangle after applying the test oracle. Due to $P r [\bar{B} ∣ A] = Θ (1)$ Pr[\bar B\mid A] = \Theta (1) at point 1, then Pr[B|A] ≈ 0, showing that when i = k, f_i ⊕ g have a non-zero period with the probability of Θ(1).
The event (i ≠ k) ⋂ (dim(span(y₁, y₂, ⋯, y_l)) < n) by applying Grover’s search can be represented as $\bar{A} \cap \bar{B}$ \bar A \cap \bar B and its probability is $P r [\bar{A} \cap \bar{B}] = \Pr [\bar{B} ∣ \bar{A}] \cdot P r [\bar{A}]$ Pr[\bar A \cap \bar B] = \Pr [\bar B\mid \bar A]\cdotPr[\bar A]. According to Lemma 1 in [34], $‖ δ ‖^{2} = P r [\bar{B} ∣ \bar{A}] \leq 2^{n + 1} {(\frac{1 + p_{0}}{2})}^{l}$ \delta {^2} = Pr[\bar B\mid \bar A] \le {2^{n + 1}}{\left( {{{1 + {p_0}} \over 2}} \right)^l}, it follows that the probability of returning the incorrect period is far enough away from 1 by choosing l ≥ 3n/(1 – p₀) according to Theorem 1. Due to Pr[A] = Θ(1) at point 1, hence $P r [\bar{A} \cap \bar{B}] \approx 0$ Pr[\bar A \cap \bar B] \approx 0. Similarly, $P r [\bar{A} \cap B] \approx 0$ Pr[\bar A \cap B] \approx 0. Thus, $P r [\bar{A} \cap (B \cup \bar{B})] \approx 0$ Pr[\bar A \cap (B \cup \bar B)] \approx 0. This shows that the event i ≠ k independent of this event that dim(span(y₁, y₂, ⋯, y_l)) returns a certain answer.

The above analysis indicates that k can be searched and f_i ⊕ g have a non-zero period with the probability of Θ(1) when i = k; otherwise (y₁, y₂, ⋯, y_l) are almost random and return incorrect answers when i ≠ k. However, the ultimate goal of applying the Alg-PolyQ2 algorithm to the FX construction is to recover not only the key k but also the key k₁. This algorithm indicates that, once k has been obtained, if the hidden shift is still required, one instance of Simon’s algorithm may be applied to obtain k₁.

Let this event dim(span(y₁, y₂, ⋯, y_l)) = n – 1 as $\bar{B_{1}}$ \overline {{B_1}} and the event dim(span(y₁, y₂, ⋯, y_l)) < n – 1 as $\bar{B_{2}} (\bar{B} = \bar{B_{1}} \cup \bar{B_{2}})$ \overline {{B_2}} \left( {\bar B = \overline {{B_1}} \cup \overline {{B_2}} } \right). Then $P r [\bar{B} ∣ A] = P r [\bar{B_{1}} ∣ A] + P r [\bar{B_{2}} ∣ A]$ Pr[\bar B\mid A] = Pr\left[ {\overline {{B_1}} \mid A} \right] + Pr\left[ {\overline {{B_2}} \mid A} \right], where $P r [\bar{B_{1}} ∣ A] \geq 1 - 2^{n} {(\frac{1 + p_{0}}{2})}^{l}$ Pr\left[ {\overline {{B_1}} \mid A} \right] \ge 1 - {2^n}{\left( {{{1 + {p_0}} \over 2}} \right)^l} and $P r [\bar{B_{2}} ∣ A] \leq 2^{n} {(\frac{1 + p_{0}}{2})}^{l}$ Pr\left[ {\overline {{B_2}} \mid A} \right] \le {2^n}{\left( {{{1 + {p_0}} \over 2}} \right)^l} according to Theorem 1. This shows that the Alg-PolyQ2 is an effective algorithm that can solve the keys k, k₁ with the probability of Θ(1).

5.

Discussion

When analyzing quantum algorithms related to cryptanalysis, it is crucial to evaluate their practical effectiveness in real-world quantum computing environments. While theoretical constructions often assume idealized quantum systems, practical quantum computing must cope with issues such as the complexity of quantum measurements. These practical issues are particularly prominent when considering combinations of different quantum algorithms—for example, when other quantum algorithms are embedded in Grover’s algorithm or when integrating multiple quantum subroutines into a composite algorithm.

We emphasize the role of measurement in such combinatorial algorithms. The interaction between Grover’s amplitude amplification and other quantum components introduces subtle constraints and design considerations. Specifically, we analyze existing algorithms, including the Grover-meets-Simon algorithm and the Alg-PolyQ2 algorithm, from the perspective of initial state success probability under deferred measurement. This provides a unified approach to understanding how to defer intermediate measurements, which is particularly important for preserving quantum superpositions between algorithmic modules. Our analysis highlights that deferred measurement is an important principle in quantum algorithm design.

This research inspires two promising directions. First, inspired by our analysis of the combination of Grover’s and Simon’s algorithms from a novel perspective, we believe that further investigation of the effectiveness of other quantum cryptanalysis techniques is warranted. Many classical cryptanalysis strategies (e.g., differential and linear cryptanalysis) have been partially applied to the quantum realm, but a comprehensive evaluation of them remains incomplete. By leveraging insights from deferred measurement and algorithm decomposition, we can better understand which classical strategies are amenable to efficient quantum implementations to analyze the security of key alternation ciphers against quantum-CPA attacks (quantum chosen-plaintext attack, where the adversary has superposition access to the encryption oracle). Second, our discussion of rank problems and linear algebraic structures focuses on quantum Gauss-Jordan elimination. Future research could revisit the basic assumptions behind the classical methods and explore whether similar algorithmic primitives can be constructed or optimized in a quantum setting. A deeper understanding of the structure and algebraic foundations of these problems will help develop more efficient and general quantum solvers.

6.

Conclusion

In this paper, we mainly study the Grover-meets-Simon and Alg-PolyQ2 Attacks via formalizing quantum ranksolving under deferred measurement in detail. First, we provide a formal analysis of the generalized quantum Gauss-Jordan elimination for the rank problem. In the formal description under deferred measurement, we discuss the situation of obtaining the reduced row echelon form matrix based on this method, including the form of the resulting quantum state and entanglement characteristics. Then, we apply it as a subroutine to the Grover-meets-Simon algorithm and the Alg-PolyQ2 algorithm, achieving full quantum treatment and ensuring its theoretical feasibility in a quantum environment.

In these two original algorithms, each Grover’s iteration involves the rank-solving process. The core of these two algorithms lies in the relationship between the two keys, that is, the periodic relationship. The output of multiple Simon’s registers is a superposition state of the matrix in the non-measurement state. If the measurement operation in Simon’s algorithm is considered, the search space will change due to collapse, which will affect the search of Grover’s algorithm. Based on the formal analysis of the generalized quantum Gauss-Jordan elimination, only the parallel Simon’s algorithms are considered, and their measurement can be postponed to the end according to the principle of deferred measurement. From a novel perspective without relying on assumptions about quantum input length, we analyze the tight bounds of the generalized success probability and the optimal number of iterations of the Grover-meets-Simon algorithm and the Alg-PolyQ2 algorithm in detail based on the initial state amplitude, showing that they are effective attack algorithms with the generalized success probability close to 1.

Tight Analysis of Grover-Meets-Simon and Alg-PolyQ2 Attacks via Formalizing Quantum Rank-Solving under Deferred Measurement

Full Article

Paradigm

My account