pith. sign in

arxiv: 2604.25509 · v1 · submitted 2026-04-28 · 🪐 quant-ph

Simon's Algorithm for the Even-Mansour Cipher on Quantum Hardware

Anina K\"ohler , Jakob Murauer , Tim Heine , Stefan Rosemann , Tobias Hemmert This is my paper

Pith reviewed 2026-05-07 16:56 UTC · model grok-4.3

classification 🪐 quant-ph
keywords Simon's algorithmEven-Mansour cipherquantum cryptanalysisNISQ hardwareperiod findingkey recoverycircuit optimization
0
0 comments X

The pith

Simon's algorithm recovers secret keys from the Even-Mansour cipher on real NISQ hardware for 3-bit and 4-bit keys.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper implements Simon's period-finding algorithm as a quantum attack on the Even-Mansour cipher, a simple symmetric encryption construction. The authors run the full attack on the ibm_miami processor and extract the secret key for N=3 and N=4 after preparing optimized quantum circuits. They also report that the classical DORCIS optimizer runs out of memory at N=5, blocking larger tests. A reader would care because the work moves a known theoretical quantum cryptanalysis method from paper to working hardware experiment, showing that current noisy processors can already break toy versions of this cipher.

Core claim

For N=3 and N=4, the secret key of the Even-Mansour construction is recovered by executing Simon's algorithm on the ibm_miami quantum processor using circuits optimized by DORCIS.

What carries the argument

Simon's algorithm applied to an oracle that encodes the Even-Mansour encryption function, which returns a period revealing the secret key after a polynomial number of queries.

If this is right

  • The Even-Mansour cipher with small key lengths can be broken in polynomial time on current quantum processors.
  • Circuit optimization tools limit scaling of the attack beyond N=4 for this construction.
  • Quantum period finding provides a practical route to attack symmetric ciphers whose structure hides a linear relation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Improvements in quantum error rates or better error correction would be needed to test the attack on keys larger than 4 bits.
  • The same oracle-construction approach could be tried on other block ciphers that admit a hidden period or linear structure.
  • New classical synthesis methods are required before the quantum attack can be prepared for ciphers using larger permutations.

Load-bearing premise

The noise levels and circuit depths on the ibm_miami processor allow reliable extraction of the period that encodes the secret key.

What would settle it

Repeated runs of the N=4 circuit on ibm_miami that fail to output the correct secret key with high probability would show the attack does not succeed on the hardware as claimed.

Figures

Figures reproduced from arXiv: 2604.25509 by Anina K\"ohler, Jakob Murauer, Stefan Rosemann, Tim Heine, Tobias Hemmert.

Figure 1
Figure 1. Figure 1: Schema of the 2N-qubit quantum circuit for Simon’s algorithm used to solve the hidden period problem of Uf . symmetric Even-Mansour (EM) cipher using Simon’s algo￾rithm [3] on quantum hardware. Since EM is underlying many block cipher constructions, including 1-round AES, and the application of Simon’s algorithm is the core idea in all related attacks, we believe that a practical evaluation of concrete exa… view at source ↗
Figure 4
Figure 4. Figure 4: Mean relative distribution of five independent 3 and 4-bit trials on ibm view at source ↗
Figure 6
Figure 6. Figure 6: Quantum circuit for the 4-qubit permutation. view at source ↗
Figure 7
Figure 7. Figure 7: Schematic result of Simon’s circuit for the 3-bit case. (a) No noise for view at source ↗
read the original abstract

Simon's algorithm is a polynomial period-finding algorithm that has been used to exploit the algebraic structure of specific symmetric ciphers, showing that exponential speedups in their cryptanalysis are theoretically possible. While the theoretical framework for an attack using Simon's algorithm on the Even-Mansour cipher is well-established, practical implementations on noisy intermediate-scale quantum (NISQ) hardware remain limited. This paper presents a proof of concept quantum cryptanalysis of the Even-Mansour cipher using Simon's period-finding algorithm on NISQ hardware. For N = 3 and N = 4, we successfully demonstrate secret key recovery for N-bit constructions on the ibm_miami processor. Our experiments also identify a scaling limitation in the classical pre-processing stage: The DORCIS circuit optimization tool encountered a memory bottleneck at N = 5, preventing the generation of optimized circuits for larger key lengths. Our results suggest firstly that Simon's algorithm is effective for the Even-Mansour cipher for short bit lengths on current quantum hardware. Secondly, while DORCIS is effective for the small-scale S-boxes for which it was designed, there remains a need for the investigation of more scalable and efficient synthesis tools capable of handling larger and more general permutations in the context of Even-Mansour ciphers.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript presents a proof-of-concept experimental demonstration of Simon's algorithm applied to recover the secret key of the Even-Mansour cipher on NISQ hardware. It reports successful key recovery for N=3 and N=4 constructions on the ibm_miami processor and identifies a memory bottleneck in the DORCIS classical circuit optimizer that prevents scaling to N=5.

Significance. If the experimental results hold, the work provides concrete evidence that Simon's period-finding can be executed on current quantum processors to attack small instances of a symmetric cipher, illustrating both the theoretical exponential speedup in cryptanalysis and the immediate practical barriers posed by classical preprocessing tools. This is relevant for assessing the near-term feasibility of quantum attacks on Even-Mansour-like constructions.

major comments (2)
  1. [Abstract] Abstract: the assertion of successful secret key recovery for N=3 and N=4 supplies no quantitative data on success rates, shot counts, error mitigation techniques, or the verification method used to confirm the recovered key matches the secret. This information is load-bearing for substantiating the central experimental claim on noisy hardware.
  2. [Results] Results (or equivalent experimental section): without reported details on how the period was extracted from measurement outcomes, how many runs were performed, or how the key was reconstructed, it is impossible to evaluate whether the DORCIS-optimized circuits actually enabled reliable period finding or whether noise on ibm_miami invalidated the attack for these small N.
minor comments (1)
  1. [Abstract] The abstract could briefly note the qubit count or post-optimization gate depth for the N=3 and N=4 cases to give immediate scale context.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their careful review and constructive feedback. We agree that the experimental claims require additional quantitative and methodological details to be fully substantiated. We respond to each major comment below and will revise the manuscript to address them.

read point-by-point responses

  1. Referee: [Abstract] Abstract: the assertion of successful secret key recovery for N=3 and N=4 supplies no quantitative data on success rates, shot counts, error mitigation techniques, or the verification method used to confirm the recovered key matches the secret. This information is load-bearing for substantiating the central experimental claim on noisy hardware.

    Authors: We agree that the abstract would be strengthened by including quantitative indicators of experimental success. In the revised manuscript we will update the abstract to report the observed success rates for key recovery at N=3 and N=4, the number of shots used per experiment, and a concise statement of the error-mitigation and verification procedures employed. These additions will make the central claim more transparent while remaining within abstract length constraints. revision: yes

  2. Referee: [Results] Results (or equivalent experimental section): without reported details on how the period was extracted from measurement outcomes, how many runs were performed, or how the key was reconstructed, it is impossible to evaluate whether the DORCIS-optimized circuits actually enabled reliable period finding or whether noise on ibm_miami invalidated the attack for these small N.

    Authors: The referee is correct that the current manuscript omits essential procedural details. We will expand the Results section to describe: (i) the precise method used to extract the period from the measurement histogram, (ii) the total number of circuit executions (shots) performed for each N, (iii) any error-mitigation techniques applied, and (iv) the step-by-step reconstruction of the secret key from the recovered period together with the verification against the known secret. These clarifications will allow readers to assess the reliability of the period-finding step on the hardware. revision: yes

Circularity Check

0 steps flagged

No significant circularity in experimental demonstration

full rationale

The paper is a proof-of-concept experimental demonstration of Simon's algorithm applied to the Even-Mansour cipher on NISQ hardware (ibm_miami) for N=3 and N=4, with explicit reporting of failure at N=5 due to classical optimizer limits. No mathematical derivation chain, predictions, or first-principles results are claimed that could reduce to inputs by construction. The theoretical attack framework is described as well-established (external citations), and results consist of direct hardware measurements rather than fitted parameters or self-referential equations. No self-citation load-bearing steps, ansatzes, or renamings appear in the central claims.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The paper relies on the established correctness of Simon's algorithm and standard NISQ hardware assumptions; no new free parameters, axioms beyond standard quantum computing, or invented entities are introduced.

axioms (2)
  • standard math Simon's algorithm correctly finds the period of the function defined by the Even-Mansour construction
    Invoked implicitly when claiming key recovery from period-finding results.
  • domain assumption The ibm_miami processor can execute the generated circuits with sufficient fidelity for N=3 and N=4
    Required for the experimental success claim.

pith-pipeline@v0.9.0 · 5537 in / 1334 out tokens · 42422 ms · 2026-05-07T16:56:30.858742+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

27 extracted references · 27 canonical work pages

  1. [1]

    A fast quantum mechanical algorithm for database search,

    L. K. Grover, “A fast quantum mechanical algorithm for database search,” inProceedings of the 28th Annual ACM Symposium on Theory of Computing, ser. STOC ’96. New York, NY , USA: Association for Computing Machinery, 1996, p. 212–219

    work page 1996

  2. [2]

    Quantum distinguisher between the 3-round feistel cipher and the random permutation,

    H. Kuwakado and M. Morii, “Quantum distinguisher between the 3-round feistel cipher and the random permutation,” in2010 IEEE International Symposium on Information Theory, 2010, pp. 2682–2685

    work page 2010

  3. [3]

    Security on the quantum-type even-mansour cipher,

    ——, “Security on the quantum-type even-mansour cipher,” in2012 International Symposium on Information Theory and its Applications, 2012, pp. 312–316

    work page 2012

  4. [4]

    Breaking symmetric cryptosystems using quantum period finding,

    M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-Plasencia, “Breaking symmetric cryptosystems using quantum period finding,” inAdvances in Cryptology – CRYPTO 2016. Berlin, Heidelberg: Springer Berlin Heidelberg, 2016, pp. 207–237

    work page 2016

  5. [5]

    Using simon’s algorithm to attack symmetric-key cryptographic primitives,

    T. Santoli and C. Schaffner, “Using simon’s algorithm to attack symmetric-key cryptographic primitives,”Quantum Info. Comput., vol. 17, no. 1–2, p. 65–78, 2017

    work page 2017

  6. [6]

    On quantum related-key attacks on iterated even-mansour ciphers,

    A. Hosoyamada and A. K., “On quantum related-key attacks on iterated even-mansour ciphers,”IEICE Transactions on Fundamentals of Elec- tronics, Communications and Computer Sciences, vol. E102.A, no. 1, pp. 27–34, 2019

    work page 2019

  7. [7]

    Secure signatures and chosen ciphertext security in a quantum computing world,

    D. Boneh and M. Zhandry, “Secure signatures and chosen ciphertext security in a quantum computing world,” inAdvances in Cryptology – CRYPTO 2013. Springer Berlin Heidelberg, 2013, pp. 361–379

    work page 2013

  8. [8]

    Post-quantum security of the cbc, cfb, ofb, ctr, and xts modes of operation,

    M. V . Anand, E. E. Targhi, G. N. Tabia, and D. Unruh, “Post-quantum security of the cbc, cfb, ofb, ctr, and xts modes of operation,” inPost- Quantum Cryptography. Cham: Springer International Publishing, 2016, pp. 44–63

    work page 2016

  9. [9]

    Grover meets simon – quantumly attacking the fx-construction,

    G. Leander and A. May, “Grover meets simon – quantumly attacking the fx-construction,” inAdvances in Cryptology – ASIACRYPT 2017. Springer International Publishing, 2017, pp. 161–178

    work page 2017

  10. [10]

    Quantum attacks without superposition queries: The offline simon’s algorithm,

    X. Bonnetain, A. Hosoyamada, M. Naya-Plasencia, Y . Sasaki, and A. Schrottenloher, “Quantum attacks without superposition queries: The offline simon’s algorithm,” inAdvances in Cryptology – ASIACRYPT

    work page

  11. [11]

    Springer International Publishing, 2019, pp. 552–583

    work page 2019

  12. [12]

    Quantum period finding against symmetric primitives in practice,

    X. Bonnetain and S. Jaques, “Quantum period finding against symmetric primitives in practice,”IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 1–27, 2022

    work page 2022

  13. [13]

    Beyond quadratic speedups in quantum attacks on symmetric schemes,

    X. Bonnetain, A. Schrottenloher, and F. Sibleyras, “Beyond quadratic speedups in quantum attacks on symmetric schemes,” inAdvances in Cryptology – EUROCRYPT 2022. Springer International Publishing, 2022, pp. 315–344

    work page 2022

  14. [14]

    On the power of quantum computation,

    D. R. Simon, “On the power of quantum computation,” inProceedings 35th Annual Symposium on F oundations of Computer Science, 1994, pp. 116–123

    work page 1994

  15. [15]

    On the power of quantum computation,

    ——, “On the power of quantum computation,”SIAM Journal on Computing, vol. 26, no. 5, pp. 1474–1483, 1997

    work page 1997

  16. [16]

    A construction of a cipher from a single pseudorandom permutation,

    S. Even and Y . Mansour, “A construction of a cipher from a single pseudorandom permutation,” inAdvances in Cryptology — ASIACRYPT ’91. Berlin, Heidelberg: Springer Berlin Heidelberg, 1993, pp. 210–224

    work page 1993

  17. [17]

    A construction of a cipher from a single pseudorandom permu- tation,

    ——, “A construction of a cipher from a single pseudorandom permu- tation,”J. Cryptology, vol. 10, p. 151–161, 1997

    work page 1997

  18. [18]

    Minimalism in cryptography: The even-mansour scheme revisited,

    O. Dunkelman, N. Keller, and A. Shamir, “Minimalism in cryptography: The even-mansour scheme revisited,” inAdvances in Cryptology – EUROCRYPT 2012. Springer Berlin Heidelberg, 2012, pp. 336–354

    work page 2012

  19. [19]

    Advanced encryption standard (aes),

    NIST, “Advanced encryption standard (aes),” FIPS 197, 2001

    work page 2001

  20. [20]

    Dorcis: Depth optimized quantum implementation of substitution boxes,

    M. Chun, A. Baksi, and A. Chattopadhyay, “Dorcis: Depth optimized quantum implementation of substitution boxes,” Cryptology ePrint Archive, Paper 2023/286, 2023

    work page 2023

  21. [21]

    Quantum computing with Qiskit,

    A. Javadi-Abhari, M. Treinish, K. Krsulich, C. J. Wood, J. Lishman, J. Gacon, S. Martiel, P. D. Nation, L. S. Bishop, A. W. Cross, B. R. Johnson, and J. M. Gambetta, “Quantum computing with Qiskit,” 2024

    work page 2024

  22. [22]

    Dynamical suppression of decoherence in two- state quantum systems,

    L. Viola and S. Lloyd, “Dynamical suppression of decoherence in two- state quantum systems,”Phys. Rev. A, vol. 58, no. 4, pp. 2733–2744, oct 1998

    work page 1998

  23. [23]

    Dy- namical decoupling for superconducting qubits: A performance survey,

    N. Ezzell, B. Pokharel, L. Tewala, G. Quiroz, and D. A. Lidar, “Dy- namical decoupling for superconducting qubits: A performance survey,” Phys. Rev. Appl., vol. 20, no. 6, dec 2023

    work page 2023

  24. [24]

    Noise tailoring for scalable quantum computation via randomized compiling,

    J. J. Wallman and J. Emerson, “Noise tailoring for scalable quantum computation via randomized compiling,”Phys. Rev. A, vol. 94, no. 5, nov 2016

    work page 2016

  25. [25]

    Twiddle: Twirling and dynamical decoupling, and crosstalk noise modeling,

    H. Safi, C. Niedermeier, and W. Mauerer, “Twiddle: Twirling and dynamical decoupling, and crosstalk noise modeling,” in2025 IEEE International Conference on Quantum Computing and Engineering (QCE), vol. 02, 2025, pp. 162–168

    work page 2025

  26. [26]

    Modeling and simulating the noisy behavior of near-term quantum computers,

    K. Georgopoulos, C. Emary, and P. Zuliani, “Modeling and simulating the noisy behavior of near-term quantum computers,”Physical Review A, vol. 104, no. 6, p. 062432, 2021

    work page 2021

  27. [27]

    M. A. Nielsen and I. L. Chuang,Quantum Computation and Quantum Information: 10th Anniversary Edition. Cambridge University Press, 2010

    work page 2010