Title:

Improvements to quantum search, with applications to cryptanalysis

The quadratic advantage in querycomplexity that Grover's algorithm offers for the unstructured search problem is wellknown by the cryptographic community and the security estimates for many cryptosystems are based upon quantum resource estimates for Grover's algorithm. In essence, Grover's algorithm consists of the repeated application of a quantum oracle, unique to the instance of the search problem, and some less costly circuitry. This quantum oracle is essentially a reversible boolean circuit, implemented via quantum gates. This thesis examines the optimisation of quantum search routines in the noisefree quantum circuit model of computation, with the goal of negating a portion of the cost associated with the necessity to implement quantum oracles in Grover's algorithm. The importance of such gains is illustrated by considering the approximate circuitsize of Grover's algorithm for the singletarget search problem, $\frac{\pi}{4} \cdot 2^{\frac{n}{2}} \cdot \text{poly}(n)$ where $\text{poly}(n)$ is the cost of implementing the quantum oracle. If $n = 100$ and $\text{poly}(n) =n^3$, then the approximate quantum circuitsize is $2^{70}$ compared to the lower bound implied by querycomplexity of $2^{50}$ and this overhead of $2^{20}$ has an associated realworld cost in terms of the number of quantum gates which must be implemented. Reduction of this overhead can therefore result in gains for any potential implementation. Optimisation of the reversible circuitry which implements the quantum oracle can achieve this and this thesis demonstrates that this can also be achieved by other methods for certain problems by using modifications of Grover's algorithm. As a motivating example throughout this thesis, we apply these techniques to lower quantum resource estimates for cryptanalysis of the {\it Multivariate Quadratic problem} over $\mathbb{F}_2$ and later in cryptanalysis of the {\it Advanced Encryption Standard} (AES).
