Maintaining Secure Level on Symmetric Encryption under Quantum Attack

Abstract: Quantum computing is currently being researched in many countries, and if it is implemented in the near future it may pose a threat to existing encryption standards. In a quantum computing environment, asymmetric encryption can be broken by Shor's algorithm in polynomial time, and the difficulty of breaking symmetric encryption by brute force is reduced from N to square root of N operations by Grover's algorithm. We take the Advanced Encryption Standard as our theme and increase the key length from the original standard 192 bits and 256 bits to 384 bits and 512 bits, respectively, in order to maintain the security level of AES 192/256 in a quantum computing environment; to this end we propose a key schedule for AES 384/512, write the software in C++, and implement it on FPGA. The experimental results show that our scheme can achieve Level III and Level V security in a quantum computer attack environment. In addition to increasing the key length, we use the LUT method when implementing SubBytes, replacing the array lookup to speed up the computation and optimize the execution speed. Furthermore, the proposed scheme is still based on 128-bit computing blocks rather than on larger blocks.


Introduction
Recent years have seen the continued progress of data communication and application. Therefore, security systems [1] and equipment to protect personal information [2,3] and its transmission channels are indispensable. One of the most important technologies is data encryption, which is mainly used to protect information.
Symmetric and asymmetric cryptosystems are the most widely used in data encryption. Symmetric encryption techniques include the Data Encryption Standard (DES), Triple DES, and the Advanced Encryption Standard (AES) [4]; in these, the sender and receiver use the same key for encryption and decryption. Among them, the AES published by the National Institute of Standards and Technology (NIST) in 2001 is the most outstanding symmetric encryption technology. AES uses four main transformations, SubBytes, ShiftRows, MixColumns, and AddRoundKey, to form its main structure.
However, as science and technology develop, quantum computing technology is also constantly improving. In a quantum computer environment, asymmetric encryption algorithms can be solved by Shor's algorithm [5] in polynomial time, so their security is effectively broken outright. The difficulty of brute-force cracking of symmetric encryption algorithms is diminished by Grover's algorithm [6] from N to square root of N operations, so their security is also reduced considerably. Although both kinds of algorithm are affected by quantum computers, AES, as a symmetric cipher, is affected less: only the security level of the original key length is cut in half; that is, the highest security level, AES 256, becomes as low as AES 128.
In order to ensure that AES [7] maintains its original security level in a quantum computer environment, we decided to expand it according to Rijndael's theory and increase the encryption key length to maintain the original security strength. We use a Field Programmable Gate Array (FPGA) for verification, and accelerate and optimize the overall algorithm to achieve the effect of hardware-accelerated computing.
We propose an AES algorithm for countering quantum computing to improve the security of the algorithm. The main contributions of this paper are the following:

• To follow the framework of the original AES algorithm, extend the key length to 384 bits and 512 bits in order to resist the threat introduced by quantum computers, and perform an avalanche test in C++ software to demonstrate the security of the AES 384-bit and 512-bit keys.
• To improve the speed of AES encryption and decryption: write the AES algorithm for FPGA using a hardware description language, make use of its instruction-level parallelism to perform calculations in parallel, accelerate the encryption and decryption calculations, and achieve a hardware acceleration effect.
• To use different calculation structures, increase the amount of calculation per unit of time by adding registers, and use the space-for-time method for optimization.
Section 2 presents a literature review on the state of quantum computing, AES, and related topics. Section 3 describes the basic architecture and calculation method proposed in this paper. Section 4 describes how the proposed method is implemented on FPGA, including a performance comparison and simulation screenshots. Finally, Section 5 states the conclusions of this work.

Quantum Computer
Quantum computing is a method that uses quanta as the basic computing unit [8] and operates with quantum algorithms. When a quantum system is in a superposition state and an entangled state at the same time, it serves as a qubit that provides computation. Qubits can be read and written using laser or microwave techniques. The current mainstream quantum computing approaches are divided into five types: silicon-based spin qubits, ion traps, diamond nitrogen-vacancy centers, topological qubits, and superconducting rings. In 2021, IBM released Eagle with 127 qubits, and this is expected to increase to 433 qubits in 2022.
The difference between a quantum computer and a conventional computer is that quantum computers exploit the properties of quantum entanglement and superposition. Because of this unique property, computers made of qubits can process large amounts of data in parallel.
However, the computing power of current quantum computers is not yet sufficiently strong [9,10], so there are still many problems to overcome.

Advanced Encryption Standard
This algorithm is a NIST-approved symmetric encryption block encryption method, also known as the Rijndael algorithm. In 1997, NIST announced that it would choose a better algorithm to replace the DES algorithm that was widely used at that time. The biggest disadvantage of DES is that the key is only 56 bits, which is relatively small, and it is more and more vulnerable to attack. In 2001, the Rijndael algorithm was selected as the AES [4], because the Rijndael encryption method can support a wider range of block and key lengths.
AES is encrypted and decrypted in units of blocks, each block is fixed at 128 bits, and the key has three lengths of 128 bits, 192 bits, and 256 bits to choose from. According to the key length, the encryption rounds are also divided into 10, 12, and 14 rounds. The AES encryption workflow of each round includes the following four steps: AddRoundKey, SubBytes, ShiftRows, and MixColumns.
AddRoundKey: Each byte in the state matrix is XORed with the round key; each round key is generated by the key schedule.
SubBytes: Each byte is replaced with the corresponding byte from a lookup table through a non-linear substitution function.
ShiftRows: A circular shift is applied to each row of the matrix.
MixColumns: In order to fully mix the contents of each column of the matrix, this step applies a linear transformation to the four bytes within each column. The MixColumns step in the last encryption round is omitted and replaced with another AddRoundKey.
After 10 to 14 rounds of repeated calculation, the complexity of brute-force cracking can reach up to 2^256, which ensures the security strength of AES on traditional computers.

Finite Field
Also called the Galois field, it is based on the Galois finite field theorem [11]; if it a positive prime number and a positive integer, then there is a finite field containing elements, and the structure of the finite fields with elements is absolutely isomorphic.
Finite fields are widely used in modern coding, theoretical computer science, combinatorics, and cryptography. The AES algorithm proposed in this paper uses the Galois field for calculation, and the finite field calculation is divided into two types.
The first type is finite field addition. Addition in a finite field is a reduction of a polynomial modulo, and the field's characteristic ensures that the result of the computation stays in the finite field. AES uses a Galois field of characteristic 2, so the addition is taken modulo 2, which simplifies to the logical XOR operation. The second type is finite field multiplication. As with addition, the product of two polynomials may exceed degree n and therefore fall outside the range of the finite field, so finite field multiplication also requires a modulo operation. The modulus used by finite field multiplication must be an irreducible polynomial, and in the AES algorithm this is implemented with the logical AND operation.

Avalanche Effect
This term was first used by Horst Feistel [12], and the origin of the concept can be traced back to Claude Shannon's notion of diffusion. In cryptography, diffusion refers to spreading the redundancy of the plaintext so that the effect of a single key spreads to as much of the ciphertext as possible, avoiding the possibility of deciphering the input from the output using brute-force methods.
The avalanche effect is designed to do the same, and is considered an important metric in cryptographic security, ensuring that text or keys cannot be recovered by statistical analysis.
The Strict Avalanche Criterion [13] was proposed by Webster and Tavares as a formalization of the avalanche effect. If an encryption method meets the strict avalanche criterion, then whenever any input bit is inverted, each output bit changes with a probability of 50%.

Parallel Computing
Parallel computing refers to the use of multiple computing resources to improve the efficiency of data processing, and it can be broadly divided into spatial and temporal parallelism. Temporal parallelism refers to pipelining, which splits instructions into multiple steps so that they can be processed in parallel to speed up instruction execution; spatial parallelism involves the use of multiple computing resources at the same time to improve computation speed. In this work, we translated the AES C++ code into a hardware description language [14] in a pipelined manner so that it can be executed on FPGAs to achieve hardware acceleration.

Field Programmable Gate Array (FPGA)
A Field Programmable Gate Array (FPGA) [14] is a logic circuit written in a hardware description language and is a truly parallel architecture. Generally speaking, an FPGA is slower than an ASIC and is not suitable for designing very complex circuit structures; at the same time, the power consumed by an FPGA is larger than that of an ASIC. However, the biggest advantage of FPGAs is that they can be produced quickly and their internal logic can be modified repeatedly, which lowers debugging costs. In addition, FPGAs can perform a task at exactly the same speed over and over again, making them suitable for developing low-latency specialized chips.

Abidalrahman Moh'd Proposed AES-512 Bits Method
Abidalrahman Moh'd et al. [15] proposed an enhanced AES algorithm for quantum computing, increasing the original encryption key length from 256 bits to 512 bits. In order to be able to decrypt it, the original block length of 128 bits was changed to 512 bits on the FPGA, but this method has several disadvantages.
First, since it differs from the original AES architecture, its security cannot be compared directly. Second, since each block is longer, the overall space complexity is greatly increased. Third, since the block length is at least 512 bits, security levels 1 to 3 cannot be achieved.

AES Algorithm Parameters
The AES algorithm has the following three parameters:
1. Number of block words (Nb): The input plaintext is measured in 32-bit words; because the AES plaintext block is fixed at 128 bits, the state matrix is composed of four words.
2. Number of key words (Nk): The key length is likewise measured in 32-bit words, giving four, six, and eight words for key lengths of 128 bits, 192 bits, and 256 bits.
3. Number of encryption rounds (Nr): This is the number of iterations required for encryption and decryption, which is related to the key length. The number of rounds from the shortest to the longest key length is 10, 12, and 14 rounds, respectively. The relationship between the number of encryption rounds and the number of key words can be calculated as follows:
The above parameters, according to the different key lengths, are organized as shown in Table 1.

AES-384, AES-512 Concept and Software Implementation
In order to maintain the security level of AES in a quantum computer environment, it is necessary to extend the length of the original key, and this paper proposes two versions of AES-384 and AES-512 with an extended key. The proposed new schedule must conform to the security framework of the Rijndael algorithm, so we extend it based on the original framework [16]. The differences between the two new key schedules and the original architecture are only the number of cryptographic rounds and the key expansion steps, except for the key length.
Both AES-384 and AES-512 execute only AddRoundKey in the first round, execute SubBytes, ShiftRows, MixColumns and AddRoundKey from the second round to round Nr − 1, and in the final round execute SubBytes, ShiftRows and AddRoundKey. We then calculate the number of rounds needed by the formula Nr = 6 + (bits of key)/32. The results are shown in Table 2.
Turning now to the key expansion, the first step is to calculate the number of words needed using the formula i = Nb * (Nr + 1), and to check that the number of subkeys is correct. The results of the calculations are presented in Table 3, followed by sketches of the key expansions according to these calculations; the figures make the work easy to understand. Figures 1 and 2 illustrate the process of key expansion for AES-384 and AES-512.
Table 5. Key expansion of AES 512.
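The field arithmetic from the Finite Field section and the key expansion described above, carried through in C++ as an added example (this is not the authors' code): GF(2^8) multiplication and inversion modulo the AES polynomial build the S-box, and the Rijndael key expansion is generalized to 384- and 512-bit keys using the page's formulas Nr = 6 + bits/32 and Nb * (Nr + 1) words. It assumes that the extra SubWord step Rijndael applies when Nk > 6 is carried over unchanged to Nk = 12 and 16; the paper's key-expansion figures, not this code, define the authors' actual schedule.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>
// GF(2^8) multiplication modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
// Field addition is plain XOR, as the Finite Field section states.
uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; ++i) {
        if (b & 1) p ^= a;
        bool overflow = a & 0x80;
        a = static_cast<uint8_t>(a << 1);
        if (overflow) a ^= 0x1b;   // fold the x^8 term back in: x^8 = x^4 + x^3 + x + 1
        b >>= 1;
    }
    return p;
}
// Multiplicative inverse: a^254 == a^-1 in GF(2^8); 0 is mapped to 0 as in the S-box.
uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1, base = a;
    for (int e = 254; e != 0; e >>= 1) {
        if (e & 1) r = gf_mul(r, base);
        base = gf_mul(base, base);
    }
    return a ? r : 0;
}
// The AES S-box: field inverse followed by the FIPS-197 affine transform (rotations + 0x63).
std::array<uint8_t, 256> make_sbox() {
    std::array<uint8_t, 256> s{};
    for (int x = 0; x < 256; ++x) {
        uint8_t v = gf_inv(static_cast<uint8_t>(x)), r = v;
        for (int k = 1; k <= 4; ++k) r ^= static_cast<uint8_t>((v << k) | (v >> (8 - k)));
        s[x] = static_cast<uint8_t>(r ^ 0x63);
    }
    return s;
}
static const std::array<uint8_t, 256> SBOX = make_sbox();
// Round count from the page's formula Nr = 6 + key_bits/32 (128->10, 384->18, 512->22).
int rounds_for(int key_bits) { return 6 + key_bits / 32; }
uint32_t sub_word(uint32_t w) {
    return (uint32_t(SBOX[w >> 24]) << 24) | (uint32_t(SBOX[(w >> 16) & 0xff]) << 16) |
           (uint32_t(SBOX[(w >> 8) & 0xff]) << 8) | uint32_t(SBOX[w & 0xff]);
}
uint32_t rot_word(uint32_t w) { return (w << 8) | (w >> 24); }
// Rijndael key expansion for any Nk in 4..16 words (Nb = 4), yielding Nb*(Nr+1) subkey words.
// ASSUMPTION: the extra SubWord at i % Nk == 4 for Nk > 6 is kept unchanged for Nk = 12 and 16.
std::vector<uint32_t> expand_key(const std::vector<uint8_t>& key) {
    const std::size_t nk = key.size() / 4;
    if (key.size() % 4 != 0 || nk < 4 || nk > 16)
        throw std::invalid_argument("key must be 128..512 bits in 32-bit steps");
    const std::size_t total = 4 * (rounds_for(static_cast<int>(key.size() * 8)) + 1);
    std::vector<uint32_t> w(total);
    for (std::size_t i = 0; i < nk; ++i)
        w[i] = (uint32_t(key[4 * i]) << 24) | (uint32_t(key[4 * i + 1]) << 16) |
               (uint32_t(key[4 * i + 2]) << 8) | uint32_t(key[4 * i + 3]);
    uint8_t rcon = 0x01;   // Rcon[j] = x^(j-1) in GF(2^8); doubled with gf_mul after each use
    for (std::size_t i = nk; i < total; ++i) {
        uint32_t temp = w[i - 1];
        if (i % nk == 0) {
            temp = sub_word(rot_word(temp)) ^ (uint32_t(rcon) << 24);
            rcon = gf_mul(rcon, 0x02);
        } else if (nk > 6 && i % nk == 4) {
            temp = sub_word(temp);
        }
        w[i] = w[i - nk] ^ temp;
    }
    return w;
}
int main() {   // constructed all-zero keys, one per supported length (Table 2/3 style summary)
    for (int bits : {128, 192, 256, 384, 512})
        std::printf("AES-%d: Nr=%d, %zu words\n", bits, rounds_for(bits),
                    expand_key(std::vector<uint8_t>(bits / 8, 0)).size());
}
```

For AES-128 the output of expand_key matches the FIPS-197 Appendix A.1 expansion, which is the check that the generalized schedule still reduces to standard AES for Nk = 4.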

Experimental Environment
The development kit used was Xilinx Vivado 2020.2 for coding and simulation, and the hardware was a Zynq 7000 series SoC XC7Z7100 FPGA development board. Table 6 summarizes the number of hardware resources used to implement AES-384/512. According to the original theory, for AES-384/512 the number of Slices should be approximately 4900 and 6500; the number of Slice FFs about 2900 and 3800; the number of four-input LUTs about 9100 and 12,100; and the number of bonded IOBs about 500 and 660. Because our implementation does not need some of these units or reuses them, the actual counts are lower than the theory indicates.

Software Avalanche Test
In order to verify the security of AES-384 and AES-512, two avalanche tests are conducted in this section. The first is shown and explained in full, while for the second only the execution process is included [18].
The avalanche test of AES-384 uses two strings with a difference of only one character. Table 9 presents the input and output of two plaintexts.
Finally, Table 10 shows the encryption results for the two plaintexts, in both hexadecimal and binary. The output has a total of 128 bits, and between the two very similar plaintexts 64 bits have changed, which is exactly 50% and meets the condition of the avalanche test.
Table 9. AES-384 input plaintext.
Next is the AES-512 avalanche test process and results, with the test data used for AES-512. Table 11 shows the input information of the two different plaintext encryptions, and Table 12 shows the two plaintext output results. According to the actual measurement of the encryption results, the difference between the two outputs accounts for 53.9% of the total number of bits, which also passes the avalanche test.
Table 12. AES-512 output plaintext.

Hardware Description Language Simulation
This section presents the hardware description language [19][20][21][22] simulation process for AES-384 and AES-512, using AES-384/512 for the explanation; the demonstration diagrams of each step [23][24][25] are attached only for AES-384/512, and not for the AES-128, AES-192, or AES-384 versions. The test content is "Learn to walk before you run". Figure 3 shows the complete information and results of the AES-384 encryption and decryption, including the parameters used in AES, the standard S-box [26][27][28][29], the inverse S-box, MixColumns and InvMixColumns, as well as the input plaintext, encrypted ciphertext, key expansion, etc.

Figure 4 shows the results of each round of the AES-384 key expansion; it can be seen that the value of each round key and the simulated time delay advance step by step. Each round needs to wait for the result produced by the previous round, and proceeds to the next round immediately after those results are output.
Figure 5 shows a series of AES-512 encryption and decryption simulations and results. The most obvious difference between AES-512 and AES-384 is that AES-512 performs more rounds, and Figure 6 shows the results of each round of the AES-512 key expansion.
Table 13 compares the proposed AES-384 and AES-512 with the original AES function of the paper [15].

Compatibility of Rijndael
The experimental results include three methods: the method proposed in this article, the method of Rijndael, and [15]. The proposed method and the Rijndael method can reach FIPS security levels I, III, and V under normal computer attacks, while [15] is a special architecture with a minimum key length of 512 bits, such that it cannot support any level other than level V. Under the FIPS security levels for a quantum computer attack, the proposed method can still maintain levels I, III, and V, while Rijndael can only maintain level I, and [15] can only maintain level V.
Finally, the authors' scheme obtains the calculation function of AES-128/192/256/384/512 bits, Rijndael obtains the calculation function of AES-128/192/256 bits, and [15] only obtains the calculation function of AES-512 bits.

Parallel Computing Performance
Figure 8 demonstrates the time comparison between the general calculation of AES-384 and the parallel calculation of AES-384, while Figure 9 shows the time comparison between the general calculation of AES-512 and the parallel calculation of AES-512 under CTR mode.
From the above results, it can be seen that in the original normal calculation, when the file size is 1762 bits, the execution time of AES-384 is 18.74 ms and that of AES-512 is 23.14 ms; with parallel calculation, these are accelerated to 0.008927 ms and 0.009378 ms. When the file size is 56384 bits, the execution time of AES-384 is 554.50 ms and that of AES-512 is 682.62 ms; with parallel calculation, they complete within 0.008239 ms and 0.010082 ms. The experimental results show that parallelization speeds up the overall computation.

Conclusions
In order to make AES resistant to the threat of the quantum computer environment, this project implemented the key schedule extension. In addition to the software implementation, we aimed to speed up the encryption and decryption calculations; therefore, we also implemented AES-384 and AES-512 in a hardware description language so that they run on FPGA and achieve the effect of hardware acceleration.
In addition to basic hardware acceleration, we have also worked to optimize the hardware description language. By increasing the memory and cutting the input into smaller segments, the parallel computation can be made more complete, and the amount of computation per unit time can be increased.
Given the final experimental results shown in Table 12, our proposed method successfully integrates the original AES-128, AES-192, and AES-256 architectures with the newly arranged AES-384 and AES-512 in both hardware and software. This integration allows the complete set of advanced encryption algorithms to be utilized. The scheme still maintains Level III and Level V security in a quantum computer attack environment, and there is no need to change the original Rijndael encryption architecture, as [10] did, which successfully achieves the purpose of this research project.
Funding: This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.