FINAL-Bench Quantum Leaderboard
Neutral quantum-method benchmark — QEC decoders & more
QuantumOS Research Note · July 2026 · VIDRAFT Recovering the secret period (the key) of Even–Mansour and 3-round Feistel constructions on IBM quantum hardware (ibm_kingston) — from block size 4, where the published hardware frontier had stood, up to N = 10 for Even–Mansour and block size 8 for Feistel.A note on honesty, up front. This is not a claim that AES is broken, that DES is broken, or that we have demonstrated a practical quantum speedup. We have been deliberately careful to state what we did, and — just as important — what we did not do. Read the "What this is not" section before drawing conclusions.
When people talk about quantum computers breaking cryptography, they usually mean Shor's algorithm and public-key schemes like RSA. But symmetric-key cryptography has its own, less-discussed quantum story — and it does not run through Shor.
The pivotal insight is due to Kuwakado and Morii, who showed that two classically respectable constructions collapse under quantum query access: the 3-round Feistel cipher becomes distinguishable from a random permutation [3], and the Even–Mansour cipher's key can be recovered in polynomial time [2]. Both results are applications of Simon's algorithm [1] — the simplest quantum period-finding routine. Kaplan, Leurent, Leverrier, and Naya-Plasencia later unified and greatly extended this line of work in their landmark CRYPTO 2016 paper, Breaking Symmetric Cryptosystems Using Quantum Period Finding [6], showing that a whole family of modes and MACs (CBC-MAC, PMAC, GMAC, and more) fall to the same idea. Subsequent work — Grover Meets Simon [7] and the offline Simon's algorithm [8] — sharpened both the reach and the realism of these attacks.
All of that, however, is theory and simulation. It lives in proofs and in laptops. The question that motivates this note is different and, we think, more interesting:
On real, noisy quantum hardware, how large a structure can you actually break?
Physical devices suffer from gate errors, readout errors, and decoherence. A circuit only has to grow modestly before the signal drowns in noise. That is precisely why published hardware demonstrations of these attacks had remained small. Our goal was simply to find out how far the frontier could be pushed.
Briefly, and without ceremony.
Suppose a function f(x) hides a period s: for every input, f(x) = f(x ⊕ s), with no other collisions. Classically, finding s means finding a colliding pair, which takes on the order of 2^{n/2} evaluations — the birthday bound. Simon's algorithm [1] instead uses superposition and interference so that, in the ideal case, roughly n measurements yield a system of linear equations that pin down s. That gap — polynomial versus exponential — is the theoretical prize.
Two constructions turn this into a key-recovery attack:
E(x) = P(x ⊕ k₁) ⊕ k₂ built from a public permutation P. Kuwakado–Morii [2] observe that f(x) = E(x) ⊕ P(x) has period exactly k₁; recovering the period recovers the key.f(b, x) = F₂(x ⊕ F₁(α_b)) whose period is fixed by the round-function relationship. Because Feistel networks are the backbone of DES and countless other ciphers, exercising the Feistel structure on real hardware carries symbolic weight.The stage is IBM's 156-qubit ibm_kingston processor (among the backends we benchmarked, it had the lowest two-qubit error rate). Our circuits spanned roughly 15–30 qubits with up to a few hundred two-qubit gates, executed with standard error mitigation on top.
We recovered the secret key of the Even–Mansour construction on hardware for secret sizes N = 5 up to N = 10, one size at a time. At each size we ran both a target key and an independent control key, confirming that each recovers its own period. This symmetric setup is our guard against self-deception: a pipeline that only ever "recovers" one hard-coded answer would fail the control.
We recovered the hidden period of the 3-round Feistel construction at block sizes 6 and 8, again with independent controls. Intriguingly, Feistel recovered more cleanly than Even–Mansour at comparable circuit depth. We attribute this to an algebraic property of the Feistel construction itself; a full analysis is deferred to a forthcoming paper.
| Structure | Theoretical character | Hardware scale reached | Control | Notes |
|---|---|---|---|---|
| Linear (Bernstein–Vazirani [9]) | single query | n = 16 | — | Clifford; comparatively easy |
| Even–Mansour [2, 4] | Simon (exponential, ideal) | N = 5 → 10 | ✅ symmetric | mitigation essential |
| Feistel (DES-family) [3, 5] | Simon (exponential, ideal) | block 6 → 8 | ✅ symmetric | recovers unusually cleanly |
Our broader simulation suite covers five structural paradigms (linear, Even–Mansour, SPN via Grover [10], MAC, and Feistel), but the hardware frontier deliberately concentrates on the two genuinely Simon-hard constructions, where the ideal-case separation is exponential.
We are currently probing Feistel at block size 10 (21 qubits) on hardware to locate its noise ceiling; that result will be folded in when it lands.
The full attack suite is live and interactive. You can enter your own secret and watch each recovery run in the browser, cross-checked against a Qiskit engine:
▶ vidraft-quantumos.hf.space/crypto
Figure 1 — The live QuantumOS Cryptanalysis demo (vidraft-quantumos.hf.space/crypto). Each panel recovers a secret with a genuine quantum algorithm in-browser, cross-checked against a Qiskit engine and an independent JavaScript implementation, and spans all five structural paradigms (linear, Grover-amplified SPN, Even–Mansour, CBC-MAC, Feistel). One caveat on reading the figure: the "quantum-advantage" labels denote the ideal, noiseless algorithmic separation (Simon's exp→poly, Grover's √, one-query Bernstein–Vazirani) — the regime in which these attacks were designed. On real noisy hardware, as the next section details, the effective reduction instead tracks the classical birthday bound. The demo's own footer states the same honest limits: the Q2 oracle model, 3-round Feistel ≠ 16-round DES, reduced sizes, and simulation figures.
Credibility in this area is earned by not overstating. Here is what we did not do.
We did not demonstrate a practical quantum speedup. Simon's algorithm is exponentially faster than classical period-finding in the ideal, noiseless model [1, 6]. But on today's hardware, at these scales, the effective difficulty we observe tracks the classical birthday bound (~2^{n/2}). The honest reading is that we ran the attack at record hardware scale, not that we beat classical computation in wall-clock terms.
We did not break real AES or RSA. This is a proof-of-concept on cipher structures. Real AES-128/256 lives at a vastly larger scale; credible quantum resource estimates for attacking AES require thousands of logical qubits and deep Clifford+T circuits [11, 12] — far beyond any current device.
We did not break 16-round DES. Our Feistel is 3 rounds at small block sizes (6 and 8). DES is 16 rounds on 64-bit blocks. We exercised a DES-family structure, not DES itself.
We used a strong query model. Like the underlying attacks [2, 3, 6], our oracle is evaluated in superposition — the so-called Q2 model. Obtaining superposition access to a keyed primitive is a strong (often unrealistic) assumption in practice; the offline Simon's algorithm [8] was introduced precisely to relax it. Our contribution is on the hardware-scaling axis, not on weakening this assumption.
We did not use quantum error correction. Only error mitigation — dynamical decoupling [13], randomized compiling / Pauli twirling [14], and readout-error mitigation [15]. Fault-tolerant execution of application circuits remains impractical in the current NISQ era [16].
We do not assert a "world record." We believe these results exceed the largest published hardware demonstrations we are aware of, but formal record status is a matter for peer review. Until then, we claim only to have moved past the largest public demonstrations known to us.
The details of our noise-robust post-processing pipeline are reserved for a forthcoming paper; this note shares the results, not the recipe.
We tried to hold two things at once: ambition and honesty.
On ambition: we moved the published hardware frontier for these Simon-based attacks from around N = 4 up to Even–Mansour N = 10 and 3-round Feistel block 8, on a real IBM quantum computer, each with an independent control, using error mitigation alone.
On honesty: we have been explicit that this is not a quantum speedup, not a break of AES, and not a break of DES. What today's result is is a single, careful step outward on the frontier of what actually works on noisy hardware — and how far that frontier can be pushed is exactly the question the field needs to keep answering.
Executed on real hardware — not a simulation. Proof-of-concept scale, 3-round, in a strong query model; not a break of any deployed cipher. Formal record status pending peer review.
— The QuantumOS team, VIDRAFT
Contact · reproduction · collaboration: FINAL-Bench / VIDraft on Hugging Face · Live interactive demo: vidraft-quantumos.hf.space/crypto · quantum-bench-leaderboard
Neutral quantum-method benchmark — QEC decoders & more