Quantum Cryptanalysis on Real Hardware: Pushing Symmetric-Structure Key Recovery Beyond the Published Frontier

Community Article
Published July 5, 2026

QuantumOS Research Note · July 2026 · VIDRAFT Recovering the secret period (the key) of Even–Mansour and 3-round Feistel constructions on IBM quantum hardware (ibm_kingston) — from block size 4, where the published hardware frontier had stood, up to N = 10 for Even–Mansour and block size 8 for Feistel.

A note on honesty, up front. This is not a claim that AES is broken, that DES is broken, or that we have demonstrated a practical quantum speedup. We have been deliberately careful to state what we did, and — just as important — what we did not do. Read the "What this is not" section before drawing conclusions.


TL;DR

  • 🎯 Result. On a real IBM quantum processor, we recovered the hidden period (equivalently, the secret key) of two distinct symmetric-cipher structures: the Even–Mansour construction for secret sizes N = 5 through N = 10, and the 3-round Feistel construction (the skeleton of DES-family ciphers) for block sizes 6 and 8. To the best of our knowledge, published hardware demonstrations of these Simon-based attacks had previously topped out around N = 4.
  • 🧪 Controls. For every instance we additionally recovered a second, independently chosen secret as a control experiment — establishing that the recovery pipeline is not tuned to any particular answer.
  • ⚙️ Regime. We used standard error mitigation (dynamical decoupling, gate/measurement twirling, and readout-error correction). We did not use quantum error correction (QEC).
  • ⚠️ Honest scaling. Simon's algorithm has a proven exponential advantage in the ideal, noiseless setting [1, 6]. On today's noisy hardware and at these scales, the effective difficulty we observe degrades in step with the classical birthday bound (~2^{n/2}). So this is a demonstration that the attack runs and recovers keys at record hardware scale — not evidence of a practical quantum speedup.

Why symmetric-cipher quantum attacks deserve attention

When people talk about quantum computers breaking cryptography, they usually mean Shor's algorithm and public-key schemes like RSA. But symmetric-key cryptography has its own, less-discussed quantum story — and it does not run through Shor.

The pivotal insight is due to Kuwakado and Morii, who showed that two classically respectable constructions collapse under quantum query access: the 3-round Feistel cipher becomes distinguishable from a random permutation [3], and the Even–Mansour cipher's key can be recovered in polynomial time [2]. Both results are applications of Simon's algorithm [1] — the simplest quantum period-finding routine. Kaplan, Leurent, Leverrier, and Naya-Plasencia later unified and greatly extended this line of work in their landmark CRYPTO 2016 paper, Breaking Symmetric Cryptosystems Using Quantum Period Finding [6], showing that a whole family of modes and MACs (CBC-MAC, PMAC, GMAC, and more) fall to the same idea. Subsequent work — Grover Meets Simon [7] and the offline Simon's algorithm [8] — sharpened both the reach and the realism of these attacks.

All of that, however, is theory and simulation. It lives in proofs and in laptops. The question that motivates this note is different and, we think, more interesting:

On real, noisy quantum hardware, how large a structure can you actually break?

Physical devices suffer from gate errors, readout errors, and decoherence. A circuit only has to grow modestly before the signal drowns in noise. That is precisely why published hardware demonstrations of these attacks had remained small. Our goal was simply to find out how far the frontier could be pushed.


Background: Simon's algorithm and "the period"

Briefly, and without ceremony.

Suppose a function f(x) hides a period s: for every input, f(x) = f(x ⊕ s), with no other collisions. Classically, finding s means finding a colliding pair, which takes on the order of 2^{n/2} evaluations — the birthday bound. Simon's algorithm [1] instead uses superposition and interference so that, in the ideal case, roughly n measurements yield a system of linear equations that pin down s. That gap — polynomial versus exponential — is the theoretical prize.

Two constructions turn this into a key-recovery attack:

  • Even–Mansour [4]. The minimalist block cipher E(x) = P(x ⊕ k₁) ⊕ k₂ built from a public permutation P. Kuwakado–Morii [2] observe that f(x) = E(x) ⊕ P(x) has period exactly k₁; recovering the period recovers the key.
  • 3-round Feistel [3, 5]. Using the Kuwakado–Morii construction, one builds a function of the form f(b, x) = F₂(x ⊕ F₁(α_b)) whose period is fixed by the round-function relationship. Because Feistel networks are the backbone of DES and countless other ciphers, exercising the Feistel structure on real hardware carries symbolic weight.

What we actually did

The stage is IBM's 156-qubit ibm_kingston processor (among the backends we benchmarked, it had the lowest two-qubit error rate). Our circuits spanned roughly 15–30 qubits with up to a few hundred two-qubit gates, executed with standard error mitigation on top.

① Even–Mansour: N = 5 → N = 10

We recovered the secret key of the Even–Mansour construction on hardware for secret sizes N = 5 up to N = 10, one size at a time. At each size we ran both a target key and an independent control key, confirming that each recovers its own period. This symmetric setup is our guard against self-deception: a pipeline that only ever "recovers" one hard-coded answer would fail the control.

② Feistel (DES-family, 3-round): block 6 → block 8

We recovered the hidden period of the 3-round Feistel construction at block sizes 6 and 8, again with independent controls. Intriguingly, Feistel recovered more cleanly than Even–Mansour at comparable circuit depth. We attribute this to an algebraic property of the Feistel construction itself; a full analysis is deferred to a forthcoming paper.

The hardware frontier at a glance

Structure Theoretical character Hardware scale reached Control Notes
Linear (Bernstein–Vazirani [9]) single query n = 16 Clifford; comparatively easy
Even–Mansour [2, 4] Simon (exponential, ideal) N = 5 → 10 ✅ symmetric mitigation essential
Feistel (DES-family) [3, 5] Simon (exponential, ideal) block 6 → 8 ✅ symmetric recovers unusually cleanly

Our broader simulation suite covers five structural paradigms (linear, Even–Mansour, SPN via Grover [10], MAC, and Feistel), but the hardware frontier deliberately concentrates on the two genuinely Simon-hard constructions, where the ideal-case separation is exponential.

We are currently probing Feistel at block size 10 (21 qubits) on hardware to locate its noise ceiling; that result will be folded in when it lands.

Try it yourself

The full attack suite is live and interactive. You can enter your own secret and watch each recovery run in the browser, cross-checked against a Qiskit engine:

vidraft-quantumos.hf.space/crypto

The live QuantumOS Cryptanalysis demo, showing genuine in-browser key recovery across five symmetric-cipher structures.

Figure 1 — The live QuantumOS Cryptanalysis demo (vidraft-quantumos.hf.space/crypto). Each panel recovers a secret with a genuine quantum algorithm in-browser, cross-checked against a Qiskit engine and an independent JavaScript implementation, and spans all five structural paradigms (linear, Grover-amplified SPN, Even–Mansour, CBC-MAC, Feistel). One caveat on reading the figure: the "quantum-advantage" labels denote the ideal, noiseless algorithmic separation (Simon's exp→poly, Grover's √, one-query Bernstein–Vazirani) — the regime in which these attacks were designed. On real noisy hardware, as the next section details, the effective reduction instead tracks the classical birthday bound. The demo's own footer states the same honest limits: the Q2 oracle model, 3-round Feistel ≠ 16-round DES, reduced sizes, and simulation figures.


What this is not — an honest accounting

Credibility in this area is earned by not overstating. Here is what we did not do.

  1. We did not demonstrate a practical quantum speedup. Simon's algorithm is exponentially faster than classical period-finding in the ideal, noiseless model [1, 6]. But on today's hardware, at these scales, the effective difficulty we observe tracks the classical birthday bound (~2^{n/2}). The honest reading is that we ran the attack at record hardware scale, not that we beat classical computation in wall-clock terms.

  2. We did not break real AES or RSA. This is a proof-of-concept on cipher structures. Real AES-128/256 lives at a vastly larger scale; credible quantum resource estimates for attacking AES require thousands of logical qubits and deep Clifford+T circuits [11, 12] — far beyond any current device.

  3. We did not break 16-round DES. Our Feistel is 3 rounds at small block sizes (6 and 8). DES is 16 rounds on 64-bit blocks. We exercised a DES-family structure, not DES itself.

  4. We used a strong query model. Like the underlying attacks [2, 3, 6], our oracle is evaluated in superposition — the so-called Q2 model. Obtaining superposition access to a keyed primitive is a strong (often unrealistic) assumption in practice; the offline Simon's algorithm [8] was introduced precisely to relax it. Our contribution is on the hardware-scaling axis, not on weakening this assumption.

  5. We did not use quantum error correction. Only error mitigation — dynamical decoupling [13], randomized compiling / Pauli twirling [14], and readout-error mitigation [15]. Fault-tolerant execution of application circuits remains impractical in the current NISQ era [16].

  6. We do not assert a "world record." We believe these results exceed the largest published hardware demonstrations we are aware of, but formal record status is a matter for peer review. Until then, we claim only to have moved past the largest public demonstrations known to us.

The details of our noise-robust post-processing pipeline are reserved for a forthcoming paper; this note shares the results, not the recipe.


What's next

  • Feistel block 10 (21 qubits) — in progress on hardware, to find the Feistel noise ceiling.
  • A formal write-up — documenting the hardware-scaling behavior, the birthday-bound tracking, and the structural analysis of why some constructions resist noise better than others.
  • Reproducibility — results are reflected on our public demo and leaderboard with honest scope labels (method reserved).

Closing

We tried to hold two things at once: ambition and honesty.

On ambition: we moved the published hardware frontier for these Simon-based attacks from around N = 4 up to Even–Mansour N = 10 and 3-round Feistel block 8, on a real IBM quantum computer, each with an independent control, using error mitigation alone.

On honesty: we have been explicit that this is not a quantum speedup, not a break of AES, and not a break of DES. What today's result is is a single, careful step outward on the frontier of what actually works on noisy hardware — and how far that frontier can be pushed is exactly the question the field needs to keep answering.

Executed on real hardware — not a simulation. Proof-of-concept scale, 3-round, in a strong query model; not a break of any deployed cipher. Formal record status pending peer review.

— The QuantumOS team, VIDRAFT

Contact · reproduction · collaboration: FINAL-Bench / VIDraft on Hugging Face · Live interactive demo: vidraft-quantumos.hf.space/crypto · quantum-bench-leaderboard


References

  1. D. R. Simon. On the Power of Quantum Computation. SIAM J. Comput. 26(5), 1474–1483 (1997); FOCS 1994.
  2. H. Kuwakado, M. Morii. Security on the Quantum-type Even–Mansour Cipher. ISITA 2012, 312–316.
  3. H. Kuwakado, M. Morii. Quantum Distinguisher Between the 3-Round Feistel Cipher and the Random Permutation. IEEE ISIT 2010, 2682–2685.
  4. S. Even, Y. Mansour. A Construction of a Cipher from a Single Pseudorandom Permutation. J. Cryptology 10(3), 151–162 (1997); ASIACRYPT 1991.
  5. M. Luby, C. Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput. 17(2), 373–386 (1988).
  6. M. Kaplan, G. Leurent, A. Leverrier, M. Naya-Plasencia. Breaking Symmetric Cryptosystems Using Quantum Period Finding. CRYPTO 2016, LNCS 9815, 207–237. arXiv:1602.05973.
  7. G. Leander, A. May. Grover Meets Simon – Quantumly Attacking the FX-construction. ASIACRYPT 2017, LNCS 10625, 161–178.
  8. X. Bonnetain, A. Hosoyamada, M. Naya-Plasencia, Y. Sasaki, A. Schrottenloher. Quantum Attacks without Superposition Queries: The Offline Simon's Algorithm. ASIACRYPT 2019, 552–583. IACR ePrint 2019/614.
  9. E. Bernstein, U. Vazirani. Quantum Complexity Theory. SIAM J. Comput. 26(5), 1411–1473 (1997); STOC 1993.
  10. L. K. Grover. A Fast Quantum Mechanical Algorithm for Database Search. STOC 1996, 212–219.
  11. M. Grassl, B. Langenberg, M. Roetteler, R. Steinwandt. Applying Grover's Algorithm to AES: Quantum Resource Estimates. PQCrypto 2016, LNCS 9606, 29–43.
  12. X. Bonnetain, M. Naya-Plasencia, A. Schrottenloher. Quantum Security Analysis of AES. IACR ToSC 2019(2), 55–93.
  13. L. Viola, E. Knill, S. Lloyd. Dynamical Decoupling of Open Quantum Systems. Phys. Rev. Lett. 82, 2417 (1999).
  14. J. J. Wallman, J. Emerson. Noise Tailoring for Scalable Quantum Computation via Randomized Compiling. Phys. Rev. A 94, 052325 (2016).
  15. P. D. Nation, H. Kang, N. Sundaresan, J. M. Gambetta. Scalable Mitigation of Measurement Errors on Quantum Computers. PRX Quantum 2, 040326 (2021). arXiv:2108.12518.
  16. J. Preskill. Quantum Computing in the NISQ Era and Beyond. Quantum 2, 79 (2018).

Community

Sign up or log in to comment