Quantum cryptanalysis of ultralightweight mutual authentication protocols: A Grover’s search model

  • Maham Shahzadi

    Contributed equally to this work with: Maham Shahzadi, Madiha Khalid, Sana Qadir, Mehdi Hussain, Umar Mujahid, Muhammad Najam-ul-Islam

    Roles Formal analysis, Methodology, Writing – original draft

    Affiliation Department of Computing, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Pakistan

  • Madiha Khalid

    Roles Conceptualization, Supervision, Writing – review & editing

    madiha.khalid@seecs.edu.pk

    Affiliation Department of Computing, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Pakistan

  • Sana Qadir

    Roles Validation

    Affiliation Department of Computing, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Pakistan

  • Mehdi Hussain

    Roles Visualization

    Affiliation Department of Computing, School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Pakistan

  • Umar Mujahid

    Roles Validation, Writing – review & editing

    Affiliation Department of Information Technology, Georgia Gwinnett College, Lawrenceville, Georgia, United States of America

  • Muhammad Najam-ul-Islam

    Roles Supervision

    Affiliation Department of Electrical Engineering, Namal University, Mianwali, Pakistan

Abstract

Quantum computing developments hold the promise of transforming the IT security landscape. Advances in quantum processors have introduced new theoretical threats to traditional cryptographic primitives through algorithms such as Grover’s search and Shor’s factorization, which can be used to cryptanalyze symmetric and asymmetric ciphers, respectively; however, the practical realization of these attacks depends critically on the availability of Cryptographically Relevant Quantum Computers (CRQCs). While current quantum hardware is still a considerable distance from achieving this threshold, the steady progress in technology suggests that the realization of CRQCs depends fundamentally on ongoing advances in scaling and engineering. In response to this emerging long-term threat, NIST has revised traditional encryption standards by introducing post-quantum cipher suites. While post-quantum cryptography research has primarily focused on conventional asymmetric cryptosystems, symmetric ultralightweight ciphers—commonly employed in resource-constrained environments such as RFID systems—remain an underexplored target of quantum cryptanalysis. This work takes an initial step toward addressing this gap by demonstrating full disclosure attacks on three ultralightweight mutual authentication protocols: the Ultra-Lightweight RFID Authentication and Renewal Protocol (ULRARP+), the Lightweight RFID Authentication Protocol (LRAP), and the Ultra-Lightweight RFID Authentication Protocol (URAP). Based on these findings, the paper proposes a set of design principles to guide the development of quantum-resilient minimalist ciphers for the post-quantum era.

1. Introduction

The Internet of Things (IoT) represents a major advancement in the ongoing technological revolution. Its applications facilitate automation, optimized manufacturing, and intelligent supply chain management. IoT networks combine heterogeneous devices connected via the internet with an automation service portfolio that includes sensing environments, processing real-time data, and actuating state variables [1].

Device authentication is a crucial feature of IoT networks to prevent unauthorized access to user-specific data. The choice of authentication mechanism depends on two factors: on-chip resources and the nature of the access control model. In track-and-trace applications, physical objects have virtual identities through Radio Frequency Identification (RFID) tags with unique ID, and Ultralightweight Mutual Authentication Protocols (UMAPs) perform challenge/response-based authentication of tag/reader pair and ID encryption using minimalist bitwise operators [2]. UMAPs can be classified into the following categories:

  • Triangular UMAPs: This category comprises protocols that use simple bitwise operators (AND, OR, XOR) as primitives, i.e., Lightweight Mutual Authentication Protocol (LMAP) [3], Efficient Mutual Authentication Protocol (EMAP) [4], Minimalist Mutual-Authentication Protocol (M2AP) [5].
  • Non-Triangular UMAPs: Protocols use shuffle-based operations to improve the confusion and diffusion of ciphertext, keeping the hardware implementation minimal. Non-triangular operators include but are not limited to rotations and multiplication functions, which are used in protocols like Ultra-lightweight RFID Authentication Protocol (URAP) [6], Ultra-lightweight Resilient Mutual Authentication Protocol (URMAP) [7], Ultra-lightweight Dot Product-based Authentication Protocol (UDAP) [8].

Owing to the imbalanced nature of their underlying primitives, triangular UMAP protocols are rendered obsolete. Current advancements in the field are focused on designing non-triangular alternatives with more balanced and secure constructions.

The security of modern symmetric ciphers relies on the computational hardness of brute-force key-search attacks. However, with quantum computing’s algorithmic superiority over classical computers, the time complexity is theoretically expected to decrease drastically, making the protocols vulnerable to quantum attacks [9]. Therefore, measures are required to implement quantum-safe security practices before Q-Day, i.e., when quantum computers can perform tasks impossible for classical computers to solve [10]. Keeping in view the potential of Quantum Computing (QC), Michele Mosca presented a plan for systems to become quantum resilient [11]. Under the proposed model, for a system to be secure, the sum of the shelf life of the information and the time required to implement quantum-safe systems should be less than the time remaining before Q-Day.

1.1 Motivation

Given the transient nature of RFID-based identification information and the Q-Day approaching faster than anticipated, evaluating the quantum resilience of UMAPs is a pressing need. Since these ciphers are symmetric, their quantum resistance is assessed by checking the protocol’s response to Grover’s search model.

1.2 Contribution

A systematic literature review reveals that quantum cryptanalysis has not yet been applied to UMAP protocols. The proposed study aims to fill this unexplored area by presenting a functional model to evaluate the strength of UMAPs in the post-quantum era. Three non-triangular UMAPs, i.e., Ultra-Lightweight RFID Authentication and Renewal Protocol (ULRARP+) [12], Lightweight RFID Authentication Protocol (LRAP) [13], and Ultra-lightweight RFID Authentication Protocol (URAP) [14], have been analyzed in conjunction with Grover’s algorithm for the proof of concept. The following is the list of contributions presented in the paper:

  1. Functional analysis of selected UMAPs to model cryptanalysis as an unsorted search problem.
  2. Full disclosure attack using Grover’s algorithm to retrieve the attributes encrypted by each protocol.
  3. Insights for designing future ultra-lightweight ciphers with quantum resistance.

1.3 Organization

The paper is organized as follows: Section 2 provides a comprehensive overview of Grover’s algorithm and its application as a brute force attack model. Section 3 evaluates the quantum vulnerability of three UMAPs—ULRARP+, LRAP, and URAP—using a combination of functional and quantum cryptanalysis techniques. Section 4 discusses the results and explores their implications for designing quantum-resilient UMAPs. Finally, Section 5 summarizes the key findings and outlines directions for future research.

2. Preliminaries

This section lays the groundwork for the quantum cryptanalysis presented in this paper. It begins by detailing the core principles of Grover’s search algorithm, a cornerstone for unstructured search problems. Subsequently, a generalized description is provided of how this versatile algorithm can be adapted for brute-forcing the encrypted plaintext, particularly in the context of ultralightweight mutual authentication protocols.

2.1 Grover’s search algorithm

Grover’s search is a quantum algorithm for unsorted search problems that offers quadratic speedup over classical approaches. Its applications span optimization problems, pattern matching, cryptanalysis of block ciphers, and testing pre-images in cryptographic hash functions.

Given the current limitations in error-free quantum computation, the practical advantage of Grover’s algorithm remains unrealizable. However, with the ongoing global efforts to achieve advanced quantum computing capabilities, the potential of Grover’s algorithm—especially for brute-force cryptanalysis—remains highly significant.

Grover’s algorithm adopts a query-based approach, modeling classical problems as phase oracles that invert the amplitude of target states. The design steps for constructing a phase oracle are as follows:

  1. Define the classical problem as a function with L-bit domain and 1-bit range:
  2. Express the function using basic logic gates, i.e., AND, XOR, OR, and NOT.
  3. Construct a quantum circuit implementing the Boolean function using quantum analogs of classical gates. Table 1 defines the quantum gate analogs [15].
Table 1. Mapping of Boolean logic gates to quantum gate analogues.

https://doi.org/10.1371/journal.pone.0347296.t001

  4. Transform the quantum circuit into a query model:

The unitary operator Uf is designed using the reversible nature of quantum gates. The operations applied to input qubits are reversed in the oracle to restore the original input x. At the same time, the output is transferred to the ancilla qubit , which acts as the target.

  5. Design the phase query gate:

The oracle Uf maps the input and ancilla to , maintaining reversibility. To transform this into a phase oracle Zf, the ancilla is initialized in the state. Through the phase kickback mechanism, the phase of the target state is flipped, resulting in

Grover’s algorithm is applied to input qubits and amplifies those inputs for which f(x) = 1. The phase oracle Zf identifies such inputs by inverting their phase. The flow of Grover’s algorithm comprises the following steps:

  1. Superposition: The algorithm begins by initializing L qubits representing input x to the state, then applying Hadamard gates to create a uniform superposition:
(1)

This superposition allows the quantum system to explore all states simultaneously.

  2. Oracle: The phase oracle (Zf) defined in the subsequent discussion is connected with uniformly superposed qubits. This black-box function flags the marked state, i.e., f(x)=1, by flipping its phase.
  3. Amplitude Amplification: Following the oracle, the diffusion operator is applied to amplify the amplitude of the marked (i.e., correct) state. This process increases the probability of measuring the desired solution from a superposition of all possible states. The diffusion operator is mathematically defined as:
(2)

where is the uniform superposition state and I is the identity matrix.

To determine how many times the oracle and diffusion operator should be applied, we calculate the optimal number of iterations using Grover’s formula:

(3)

Here, s is the number of marked states (typically s = 1 for a single solution), and L is the number of qubits involved in the search space (i.e., those initialized into superposition and acted upon by the oracle and diffuser), so N = 2^L is the total number of possible states being searched.

This equation ensures that the amplitude of the correct (marked) state is maximally amplified without overshooting. If fewer iterations are executed, the amplitude may not reach its peak, reducing the success probability. Conversely, if the algorithm is iterated beyond the optimal number of steps, the amplitude begins to decrease again due to the sinusoidal nature of amplitude evolution. Therefore, r is chosen as the integer closest to the peak of the amplification curve to maximize the probability of measuring the correct state.

  4. Measurement: After the required iterations, a measurement in the computational basis will yield the marked state with high probability.

Grover’s search amplifies the measurement probability of input values x for which f(x) = 1, achieving optimal success probability in approximately queries, where N = 2^n is the total number of states in the search space defined by the n qubits involved, and s is the number of marked solutions. Fig 1 presents the block diagram of Grover’s algorithm for n = 2, so N = 4 and s = 1.

Fig 1. Block diagram of Grover’s search algorithm.

https://doi.org/10.1371/journal.pone.0347296.g001

2.2 Quantum brute force attack

In quantum cryptanalysis of symmetric ciphers, the traditional brute-force attack is presented as a search problem with a single solution, i.e., s = 1. The description of the search function for the attack model is

(4)

where PT and CT refer to the known plaintext and ciphertext pair. The oracle defines a function that flips the phase of the correct key, i.e., the Key for which E(PTknown, Key) = CTknown. The amplitude of this Key is then amplified iteratively through the diffusion function before the required output is generated with the highest measurement probability.
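The search loop of Section 2.1 applied to the brute-force model above, as an added example that is not code from the paper: a pure-Python state-vector simulation over an 8-qubit key space. The toy cipher (XOR plus a rotation by the key's Hamming weight), the sample pairs and all function names are constructed for illustration, and the iteration count uses the standard sin²((2r+1)θ) analysis. It goes beyond the single-solution case in the text: this toy instance has three keys consistent with one known pair, which changes the iteration count.

```python
import math

L = 8                    # key width in qubits (constructed toy size)
N = 1 << L               # size of the search space, N = 2^L
MASK = N - 1

def rot(a, b):
    """Circular left shift of the L-bit word a by the Hamming weight of b."""
    s = bin(b).count("1") % L
    return ((a << s) | (a >> (L - s))) & MASK

def toy_encrypt(pt, key):
    """Constructed toy cipher for this example only (not an equation of any protocol)."""
    return rot(pt ^ key, key) ^ key

def f(key, pt, ct):
    """Search function of the brute-force model: true iff E(PT_known, key) == CT_known."""
    return toy_encrypt(pt, key) == ct

def marked_keys(pt, ct):
    """Classical enumeration, used only to learn s and to score the simulation."""
    return [k for k in range(N) if f(k, pt, ct)]

def optimal_iterations(s):
    """Integer closest to the peak of sin^2((2r+1)*theta), where sin(theta) = sqrt(s/N)."""
    if s < 1:
        raise ValueError("no marked state")
    theta = math.asin(math.sqrt(s / N))
    return max(1, round(math.pi / (4 * theta) - 0.5))

def grover_probabilities(pt, ct, iterations):
    """State-vector simulation; returns the measurement probability of every key."""
    amp = [1 / math.sqrt(N)] * N              # Hadamards on |0...0>: uniform superposition
    for _ in range(iterations):
        amp = [-a if f(k, pt, ct) else a      # phase oracle Z_f: flip the marked amplitudes
               for k, a in enumerate(amp)]
        mean = sum(amp) / N                   # diffusion 2|u><u| - I = inversion about the mean
        amp = [2 * mean - a for a in amp]
    return [a * a for a in amp]

def success_probability(pt, ct, iterations):
    """Probability that a measurement returns any key accepted by the oracle."""
    probs = grover_probabilities(pt, ct, iterations)
    return sum(probs[k] for k in marked_keys(pt, ct))

def closed_form(s, iterations):
    """Analytic success probability after the given number of iterations."""
    theta = math.asin(math.sqrt(s / N))
    return math.sin((2 * iterations + 1) * theta) ** 2

def confirm(candidates, pairs):
    """Classical check of measured candidates against further known pairs."""
    return [k for k in candidates if all(toy_encrypt(p, k) == c for p, c in pairs)]

# Constructed sample data: secret key 0x2C and two known plaintext/ciphertext pairs.
SECRET = 0x2C
PT, CT = 0xB4, 0xE8
PT2, CT2 = 0x01, 0x45

if __name__ == "__main__":
    keys = marked_keys(PT, CT)
    r = optimal_iterations(len(keys))
    print("marked keys:", [hex(k) for k in keys], "s =", len(keys), "r =", r)
    for it in (1, r // 2, r, 2 * r):
        print(f"iterations={it:2d}  P(success)={success_probability(PT, CT, it):.4f}")
    print("after second pair:", [hex(k) for k in confirm(keys, [(PT2, CT2)])])
```

With the constructed pair, the success probability peaks at 7 iterations and falls back to almost zero at 14, which is the overshoot described in Section 2.1. A measured candidate still has to be checked against a second known pair, since three keys satisfy the oracle for the first one.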

NIST quantifies the complexity of quantum cryptanalysis using the logical cost (Ctotal) [16]. Given the sequential iterations of the quantum oracle, the resource requirements for a quantum brute-force attack are determined by the expression provided in Equation 5.

(5)

The variables used in Equation 5 are as follows:

  • Key size (k): The size of the unique key being searched against the (PTknown, CTknown) pair.
  • Width(W): The total number of qubits utilized.
  • Depth(D): The number of gate layers, representing the sequential unitary operations applied.

Through this framework, quantum vulnerability becomes inversely proportional to ; as the total cost of implementing the quantum circuit increases, the inherent resilience of the symmetric cipher against Grover-based attacks is strengthened. Fig 2 presents the generalized block diagram for the quantum cryptanalysis of symmetric ciphers.

Fig 2. Block diagram for Grover’s search-based cryptanalysis.

https://doi.org/10.1371/journal.pone.0347296.g002

NIST characterizes the security of symmetric primitives in terms of security strength, measured in bits and reflecting resistance to brute-force attacks, including those enabled by quantum algorithms [17]. Based on this characterization, the symmetric ciphers can be broadly categorized as follows.

  1. Traditional ciphers provide security strengths of at least 128 bits through key sizes ≥128 bits and are designed for general-purpose platforms supporting complex cryptographic structures. Common examples are AES-192 and AES-256.
  2. Lightweight ciphers typically retain a 128-bit key size while reducing implementation complexity to suit constrained environments such as IoT devices. Standard ciphers include AES-128 and ASCON.
  3. Ultralightweight ciphers target severely constrained or passive devices and often employ key sizes below 128 bits, i.e., PRESENT, GIFT, and SIMON. In addition, all ultralightweight mutual-authentication ciphers designed to ensure access control for passive RFID systems fall under this category.

Table 2 presents an overview of the quantum strength of symmetric ciphers in terms of cost, i.e., C = D × W. A systematic review shows that the UMAP category remains largely unexplored from a quantum-cryptanalysis perspective, with the existing literature predominantly focusing on classical threat models.

Table 2. Overview of quantum cryptanalytic cost metrics for symmetric ciphers.

https://doi.org/10.1371/journal.pone.0347296.t002

The UMAP service portfolio includes tag/reader authentication and ID encryption. These services are performed using the tag’s dynamic identities, i.e., the index pseudonym (IDS), key (K), and random numbers (n). These values are updated after every successful authentication session to ensure the freshness of public messages. For a confidentiality breach, such as tag cloning, the adversary must gain access to all the identifiers and the static ID associated with the tag. The following general framework maps quantum cryptanalysis to a full disclosure attack on UMAPs:

  1. Enlist the identifiers (static or dynamic) utilized for identification and authentication by the UMAP under analysis.
  2. Analyze the protocol for differentiating the identifiers communicated between a tag/reader pair as plain text or as encrypted text. Once the list of confidential values associated with the tag is shortlisted, the following techniques are used in combination for the execution of a full disclosure attack:
    1. Utilize classical functional cryptanalysis techniques to extract identifiers concealed as ciphertext using primitives with weak confusion and diffusion capabilities.
    2. Use Grover’s search-based brute force attack to extract information encrypted using the functions that claim to be computationally infeasible to reverse.

In the subsequent section, three prominent non-triangular UMAPs along with their quantum cryptanalysis are discussed in detail.

3. Quantum cryptanalysis

Ultralightweight Mutual Authentication Protocols are ISO/IEC 9798-compliant, challenge/response-based, symmetric protocols for RFID systems. These protocols utilize minimalist primitives and identifiers, i.e., the tag’s ID and dynamic pseudonyms (IDS, Key, and random numbers) as symmetric keys, for the unique identification of tags within the IoT track-and-trace network.

This section evaluates the confidentiality claims of three non-triangular UMAPs by assessing their robustness to quantum cryptanalysis using IBM’s Qiskit framework. Because the IBM Aer simulator is practically limited to circuits of up to 30 qubits, the UMAPs are analyzed using reduced key sizes while preserving the structure of their cryptographic operations. Although the implementation targets a reduced key size, the cryptanalysis methodology is designed to scale and remains applicable to full-size keys, provided sufficient quantum computational resources are available.

3.1 Ultra-lightweight RFID authentication and renewal protocol (ULRARP+)

The ULRARP+ addresses the security vulnerabilities identified in prior UMAPs, i.e., LRSAS+, LRARP, and LRARP+ [12]. The protocol claims to achieve mutual authentication and confidentiality using a combination of three lightweight primitives: bitwise XOR, circular rotation (Rot(a,b)), and permutation (Perm(a,b)). Rot(a,b) refers to a circular left shift of operand a by the Hamming weight of b, whereas Perm(a,b) shuffles the bits of a based on the value of b. Given and , Algorithm 1 defines the mechanism of the permutation function:

Algorithm 1 Permutation Function Mechanism c = Perm(a,b)

plsb = 0

p = L − 1

for do

if b[p] = 1 then

  c[pmsb] = a[p]

  

else

  c[plsb] = a[p]

  

end if

p = p − 1

end for

return c
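One reading of Algorithm 1 in runnable form, as an added example rather than the protocol authors' code. The listing above does not show how the two write pointers are initialised or advanced, so the choices marked ASSUMPTION in the code (p_msb starts at L − 1 and counts down, p_lsb counts up) and all helper names are this example's own. It also shows that Perm is undone in a single pass once b is known and that it never changes the Hamming weight of a.

```python
def perm(a, b, L):
    """c = Perm(a, b) on L-bit words: bits of a are routed to the top or bottom of c by b."""
    c, p_lsb, p_msb = 0, 0, L - 1          # ASSUMPTION: p_msb is initialised to L - 1
    for p in range(L - 1, -1, -1):         # p walks from the msb of a down to bit 0
        bit = (a >> p) & 1
        if (b >> p) & 1:
            c |= bit << p_msb              # c[p_msb] = a[p]
            p_msb -= 1                     # ASSUMPTION: pointer update not shown in the listing
        else:
            c |= bit << p_lsb              # c[p_lsb] = a[p]
            p_lsb += 1                     # ASSUMPTION: pointer update not shown in the listing
    return c

def perm_inverse(c, b, L):
    """Recover a from c = Perm(a, b) when b is known, by replaying the same pointer walk."""
    a, p_lsb, p_msb = 0, 0, L - 1
    for p in range(L - 1, -1, -1):
        if (b >> p) & 1:
            a |= ((c >> p_msb) & 1) << p
            p_msb -= 1
        else:
            a |= ((c >> p_lsb) & 1) << p
            p_lsb += 1
    return a

def check_properties(L):
    """Exhaustively test every pair of L-bit words; returns (invertible, weight_kept)."""
    invertible = weight_kept = True
    for b in range(1 << L):
        for a in range(1 << L):
            c = perm(a, b, L)
            invertible &= perm_inverse(c, b, L) == a
            weight_kept &= bin(c).count("1") == bin(a).count("1")
    return invertible, weight_kept

if __name__ == "__main__":
    # Constructed 4-bit sample: a = 1011, b = 0110
    c = perm(0b1011, 0b0110, 4)
    print(f"Perm(1011, 0110) = {c:04b}")
    print(f"inverse          = {perm_inverse(c, 0b0110, 4):04b}")
    print("invertible, weight kept (L = 6):", check_properties(6))
```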

ULRARP+ identifies the tag using static ID and dynamic pseudonyms, i.e., IDS and Key K. Table 3 presents the memory architecture of the protocol. The following steps outline the protocol’s operation.

Table 3. Memory architecture for ULRARP+ protocol.

https://doi.org/10.1371/journal.pone.0347296.t003

  1. The reader generates a random number m and sends it to the tag.
  2. The tag generates another random number n and computes authentication parameters:
(6)(7)

The tag then transmits to the reader.

  3. The reader retrieves the tag’s identifiers from the database to compute local values of ATH for tag authentication. In the event of successful verification, the reader generates a challenge message P2 for reader authentication.
(8)
  4. The tag verifies the reader by generating the response for message P2. After successful authentication, the dynamic variable phase initiates.
  5. The tag and reader update their values using:
(9)(10)

If authentication fails, no updates occur.

Fig 3 shows the block diagram of ULRARP+.

Fig 3. Ultra-lightweight RFID Authentication and Renewal Protocol (ULRARP+) flow.

https://doi.org/10.1371/journal.pone.0347296.g003

3.1.1 Cryptanalysis of ULRARP+.

The quantum full-disclosure attack aims to retrieve the values associated with the RFID tags, i.e., ID, IDS, K, n, and m, which can be further exploited for tag cloning. Protocol analysis reveals that three out of five identifiers, namely n, m, and IDS, are transmitted between the tag and reader as plain text. These values, when eavesdropped during an active authentication session, serve as an anchor for the full disclosure attack.

The proposed model constitutes an active attack that involves eavesdropping on data from two valid authentication sessions and blocking the challenge messages during the second session. This approach exposes the tag’s most recent memory state, i.e., IDS2, K2, n2, m2, ID. Replicating these values onto a blank tag results in a successful tag cloning attack. Following is the step-by-step elaboration of the proposed attack:

  1. Record the public messages of authentication session 1. These messages include m1, n1, IDS1, ATH1, .
  2. In the subsequent session, record public messages, i.e., m2, n2, IDS2, ATH2, and block the challenge messages from the reader (n2, IDS2, ATH2) to halt the session.

This step increases the database for cryptanalysis without updating the tag’s dynamic memory, i.e., the tag’s latest pseudonyms remain IDS2 and K2.

  3. Functional cryptanalysis extracts the value of K1 by exploiting the reversible nature of equation 11. The details for the calculation of the Key value are as follows:
(11)(12)

Given that all the variables on the right-hand side of equation 12 are known, K1 can be calculated deterministically in a single iteration.

  4. The value of K2 is calculated using equation 13, with all the variables on the right-hand side known.
(13)
  5. To recover the secret identifier ID, Grover’s algorithm is applied to the IDS update function shown in equation 14:
(14)

This equation is modeled as a key search problem, where , CT = IDS2, and . The search is then framed using the oracle function defined as equation 15:

(15)

The Boolean function is implemented using quantum logic gates, where the XOR operation is mapped to a CNOT gate, and the permutation function is realized through a sequence of SWAP gates. The oracle is constructed to induce a phase flip on the Key qubits via phase kickback for those inputs satisfying f(Key) = 1. The complete quantum circuit implementing this oracle is illustrated in Fig 4.

Fig 4. Quantum oracle for the ULRARP+ protocol.

https://doi.org/10.1371/journal.pone.0347296.g004

Grover’s search procedure begins by encoding the known plaintext–ciphertext pair (PT, CT), followed by the application of Hadamard gates to the Key qubits to generate a uniform superposition across all possible key values. The oracle is then applied, followed by the Grover diffusion operator.

The Grover-based quantum search operates over a 13-qubit space to amplify the probability of a marked state. The oracle and diffusion operations are applied iteratively to increase the likelihood of measuring the correct solution. After these iterations, the qubits are measured. The measurement results—presented in Fig 5—reveal the most probable value of the Key, which is then used to compute the identifier via .

The correctness of this quantum-classical cryptanalysis workflow is validated through the protocol structure and state transitions summarized in S1 Appendix.

3.2 Lightweight RFID authentication protocol (LRAP)

The Lightweight RFID Authentication Protocol (LRAP) is designed to secure access of RFID-based healthcare devices to the IoT network [13]. The protocol primitives include XOR, circular rotation (Rot(a,b)) and Crossover function (Cro(x,y)). The crossover function takes two L-bit inputs to generate a 2L-bit output. Given that the msb resides at the highest indexed bit position, i.e., (L − 1), algorithm 2 defines the pseudocode for (Cro(x,y)).

Algorithm 2 Crossover Function: c = Cro(x, y)

Require: Bitstrings x, y of equal length L

Ensure: Bitstring c of length 2n

▷ (Concatenate and y)

▷ (Concatenate and x)

Initialize c as an empty bitstring of length 2n

for to 2n − 1 do

if then

   ▷ (Even-indexed bit)

else

   ▷ (Odd-indexed bit)

end if

end for

return c

LRAP has three communicating parties, i.e., the tag, the reader, and the server. The tag assigns a virtual identity to physical objects; the reader acts as a gateway to connect the tag to the network, and the server stores the verification details of all tags associated with the system. All the entities participate in an authentication session using a set of dynamic and static identifiers. Table 4 defines the memory architecture of LRAP.

Given an L bit identification system, the bit length of the server’s index value and K is 2n bits owing to the property of the cross function to double the bit length of the output. However, the value of K is truncated to L bits after the update. This step is essential because skipping this step will exponentially increase the Key length with an increasing number of authentication sessions. Additionally, the index value and the public messages involving cross-function are also of size 2n, due to the preservation of bit length. The authentication follows a stepwise challenge-response mechanism as follows:

  1. The reader generates a random number NR to initialize the query message for the tag.
  2. The tag receives NR and sets the variable Mark to 00, indicating a new session. It then computes:
(16)

The tag sends P1 along with a newly generated random number NT to the reader, which forwards to the server.

  3. The server receives the message and searches for the index entry that matches P1 to retrieve the tag database. If a match exists, the server generates a new random number NS and computes:
(17)(18)(19)

The server then sends to the reader.

  4. The reader extracts TID from P3a and NS from P3b, and verifies the server through message P2. After successful server authentication, the reader sends to the tag.
(20)
  5. The tag verifies the reader by generating a local copy of P4. Successful reader authentication results in an updated value of K and the generation of a tag authentication challenge message P5 for the reader.
(21)(22)
  6. The reader validates the tag by generating a local response for P5. Successful tag verification results in an updated K at the reader and server side through equation 21. Finally, the reader sends message P6 to the tag, initializing the announcement of the session’s successful completion. Verification of P6 at the tag’s side updates variable Mark to 01, identifying the pending status of server dynamic memory.
(23)
  7. Next, the tag sends to the server through the reader. The server then updates the index value and associated data, i.e., K.
  8. Confirmation of the update travels through the reader and updates Mark to 10 at the tag’s side.

Fig 6 illustrates the flow of the LRAP.

Fig 6. Lightweight RFID Authentication Protocol (LRAP) flow.

https://doi.org/10.1371/journal.pone.0347296.g006

3.2.1 Cryptanalysis of LRAP.

The proposed confidentiality breach requires calculating all the variables, i.e., RID, TID, K, Knew, NS, NR, and NT, associated with the authentication session. All the random numbers (NS, NR, NT) are transmitted as plain text, which reduces the problem to estimating RID, TID, K, and Knew.

The proposed attack is passive; therefore, it requires eavesdropping on all public messages from a single session among the tag, reader, and server, followed by exploitation of the reversible nature of the XOR function and execution of Grover’s algorithm-based brute-force attack.

  1. Messages P4 and P6 are used for the deterministic calculation of TID and Knew, respectively.
(24)(25)

Calculation of RID and K requires quantum cryptanalysis.

  2. For RID, the target equation is presented as equation 26:
(26)

The quantum circuit initialization begins with assigning the known values as follows: PT = {Knew}, CT = {P5}, and . The phase oracle for identifying the correct reader identifier RID is defined by Equation 27:

(27)(28)

The Boolean function is implemented using a combination of CNOT gates to realize the crossover function Cro(x, y). The quantum states involved in evaluating f(x) are initialized using Hadamard gates, enabling superposition over all possible inputs and facilitating the discovery of unknowns. The complete oracle circuit corresponding to Equation 28 is shown in Fig 7.

The oracle, once constructed, is integrated with the Grover diffusion operator to amplify the amplitude of the correct solution. This oracle-diffusion process is applied iteratively to enhance the probability of observing the desired result. After these iterations, measurement is performed, and the most probable Key is extracted from the results, as shown in Fig 8.

Fig 8. Measured output of Cro(x, y) oracle to evaluate in LRAP.

https://doi.org/10.1371/journal.pone.0347296.g008

The final step involves computing the original reader identifier using the retrieved key, as shown in Equation 29:

(29)
  3. To estimate the unknown key K, the following values are defined: PT = {TID ⊕ RID}, CT = {P1}, and Key = {K}. The phase oracle employed to identify the correct key is characterized by Equation 30:
(30)(31)

The Boolean function f(x) is implemented using a quantum oracle that encodes the crossover function Cro(x, y). To enable the discovery of unknowns, the inputs are initialized using Hadamard gates, placing the system into a superposition over all possible key states. This allows quantum interference to guide the search toward the correct solution. The corresponding oracle circuit is shown in Fig 7.

Grover’s algorithm proceeds by applying the oracle to mark the solution state—where f(K) = 1 —through a conditional phase inversion. This is followed by the diffusion operator, which amplifies the probability amplitude of the correct key. These steps are repeated iteratively to increase the likelihood of observing the desired result upon measurement.

Once the iterative amplification process is complete, the quantum circuit is measured, and the most probable key candidate is extracted, as illustrated in Fig 9.

Fig 9. Measured output of Cro(x, y) oracle to evaluate f(K) in LRAP.

https://doi.org/10.1371/journal.pone.0347296.g009

The effectiveness of this quantum-classical cryptanalysis process is corroborated by the protocol cryptanalysis summary S2 Appendix.

3.3 Ultra-lightweight RFID authentication protocol (URAP)

The Ultra-lightweight RFID Authentication Protocol (URAP) facilitates secure communication among the reader, tag, and server using minimalist cryptographic operations [14]. It is proposed as a secure alternative to LRAP, utilizing the same set of primitives: bitwise XOR, circular rotation Rot(a,b), and the crossover function Cro(x,y). Table 5 summarizes the memory architecture of the protocol.

The protocol operates through the following eleven steps:

  1. The reader generates a random number RR and encrypts it using the pre-shared key KRT:
(32)

It sends a message to the tag over a public channel.

  2. The tag extracts RR from M1, generates a random number RT, sets the Mark to 00, and computes:
(33)(34)

The tag sends M2 and to the reader.

  3. The reader decrypts RT from and encrypts both nonces using KSR:
(35)

and computes:

(36)

Moreover, it sends it to the server.

  4. The server extracts RR and RT, identifies the tag through M3, generates RS, and computes:
(37)(38)

It sends M4 to the reader.

  5. The reader extracts RS, verifies the server and sends to the tag. The equations of these public messages are as follows:
(39)(40)
  6. The tag computes:
(41)(42)

It then sends:

(43)

to the reader.

  7. The reader computes Knew using equation 42, after verifying message M6. It then sends M7 to the server.
(44)
  8. The server verifies the reader, updates K and sends message M8 to the tag via the reader:
(45)
  9. The tag retrieves Knew; if verified, it sets mark = 01, indicating synchronization.
  10. The tag notifies the reader and the server to update the record through M9:
(46)
  11. The server receives mark = 01 and updates the index table with:

The tag sets mark = 10 after confirmation.

A block diagram of the protocol is presented in Fig 10.

Fig 10. Ultra-lightweight RFID Authentication Protocol (URAP) flow.

https://doi.org/10.1371/journal.pone.0347296.g010

3.3.1 Cryptanalysis of URAP.

For tag cloning, the adversary needs to retrieve all the variables associated with the tag. The set of tag authentication session identifiers is given in equation 47.

(47)

Estimating the values listed above requires a combination of classical functional and quantum cryptanalysis. The nature of the attack is passive, as the adversary only needs to eavesdrop on a single session. The details of the full disclosure attack are as follows:

  1. Calculate by taking XOR of public messages 32 and 33.
(48)

The value of Knew is retrieved using the expression 49.

(49)
  2. RS is retrieved using public message M9. Since the value of Mark = 01 after key update at the tag’s side, the random number is calculated as:
(50)

Equation 50 is valid for full-scale URAP cryptanalysis. In that case, the variable Mark will be extended by appending zeros at the most significant end of the variable to ensure output conformity.

  3. KRT is calculated from equation 39.
(51)
  4. The random numbers associated with the tag and the reader are calculated as follows:
(52)
  5. TID is retrieved from equation 40.
(53)
  6. KSR is calculated using equation:
(54)
  7. Calculate using the estimated values of random numbers:
(55)

The value is used with equation 42 to retrieve the value of K.

(56)

The Grover oracle of this equation becomes:

(57)

where, , CT = Knew, and Key = K. This relationship can be generalized as shown in Equation 31, whose corresponding quantum oracle is illustrated in Fig 7. The measurement outcomes for the numerical cryptanalysis example applied to URAP are presented in Fig 11.

Fig 11. Measured output of Cro(x, y) oracle to evaluate f(K) in URAP.

https://doi.org/10.1371/journal.pone.0347296.g011

  8. Finally, the value of RID is estimated through equation 34.
(58)

For the given equation, PT = K, CT = M2 and . The output of the circuit is then processed for the value of RID, i.e., . The given equation is equivalent to equation 28, hence its oracle is defined in Fig 7 and the measurement results for the test example are given in Fig 12.

Fig 12. Measured output of Cro(x, y) oracle to evaluate in URAP.

https://doi.org/10.1371/journal.pone.0347296.g012

The experimental results presented in S3 Appendix prove that the simplified version of the selected URAP is vulnerable to quantum cryptanalysis.

The subsequent section demonstrates that the proposed framework is feasible for full-scale UMAPs, provided that adequate quantum resources are available.

4. Discussion

This section presents a discussion on the quantum cryptanalysis of UMAPs proposed in the preceding section, as well as the design principles for a quantum-resilient UMAP. The details of these insights are as follows:

4.1 Assessment of confidentiality threats on UMAPs

The quantum cryptanalysis framework for UMAPs presented in Section 2.2 consists of functional cryptanalysis followed by Grover’s search. As Grover’s algorithm requires a known plaintext–ciphertext (PT, CT) pair, any equation subjected to quantum attack must be structured such that a single variable remains unknown, i.e., treated as the key. At the same time, all other parameters are initialized with known plaintext or ciphertext values.

The non-triangle UMAPs discussed in the paper, i.e., ULRARP+, LRAP, and URAP, exhibit information leakage through their public messages, which ultimately leads to a full disclosure attack. The following are the key weaknesses that make these protocols vulnerable to functional cryptanalysis:

  1. In ULRARP+, three out of five tag identifiers are communicated as plaintext, which facilitates the estimation of K and ID.
  2. In LRAP, the random nonce generated and transmitted by each entity is further exploited to complete the confidentiality breach.
  3. In the case of URAP, none of the identifiers is communicated as plaintext, making the cryptanalysis elaborate. However, the predictable value of Mark in equation 46 sets off a domino effect that breaks the protocol.

Another design weakness observed in LRAP and URAP is in the key K update function, which uses the cross primitive. Because the primitive’s output is twice the length of its input, the bit length of the key is theoretically expected to increase exponentially, i.e., from 8 to 16, 32, and beyond, leading to a rapid escalation in memory demands. This growth affects not only temporary storage (buffers) but also fixed hardware parameters such as register widths and memory allocation units. In practical deployments involving RFID tags or embedded devices, where strict limits on memory and computation exist, such unbounded growth may result in exhaustion of system resources. Absent a well-defined mechanism to bound or compress the key size, the protocol becomes increasingly untenable for long-term use, ultimately risking operational failures due to memory overflows or degraded performance. Alternatively, truncation of the updated key increases the likelihood of false positives in identification, since multiple tags will have similar key values.

The aforementioned weaknesses are leveraged to model the attack as a search problem. The vulnerable primitives of ULRARP+, LRAP, and URAP are the permutation (Per(a, b)) and cross (Cro(a, b)) functions, respectively. In the permutation function, a is shuffled as per the bit value of b. This requires measuring the corresponding qubits that represent b. Since measurement is an irreversible function, Grover’s search is not feasible in a permutation function when the unknown key assumes the operand b position. Fig 4 presents the oracle for the permutation function that can effectively retrieve the key only when Key assumes the position of operand a. The key qubits are initialized using Hadamard gates to enable search over all possible values. Since the crossover function performs index-based shuffling, the correct key can be retrieved regardless of the input configuration. The oracle implementing this function is shown in Fig 7.

Due to the current limitations in quantum simulators, this study focuses on demonstrating full disclosure attacks on 4-bit reduced versions of selected UMAPs. Despite the reduced scope, the implementation captures the complete theoretical framework for scaling the attack to full-size versions under more capable quantum platforms.

For all UMAP implementations presented in this work, Grover’s search algorithm operates with n = 4 qubits and assumes a single valid solution (s = 1). Based on the optimal iteration formula provided in Equation 3, the number of Grover iterations required for each search is 3. A comprehensive resource summary of the Grover circuits corresponding to the implemented search equations is provided in Table 6.

Table 6. Oracle metrics for key search functions using Grover’s algorithm.

https://doi.org/10.1371/journal.pone.0347296.t006

The oracle constructions of the analyzed UMAPs can, in principle, be scaled to enable Grover’s search–based recovery of 128-bit keys, given the availability of large, fault-tolerant quantum computers. For quantitative context, the quantum resources required to implement the higher-order oracles defined in Equations 15 and 28 are summarized in Table 7.

Table 7. Scaled oracle metrics for key search functions using Grover’s algorithm.

https://doi.org/10.1371/journal.pone.0347296.t007

Since the non-triangular primitives operate at the bit level, increasing the tag’s identifier bit length—i.e., the Grover’s search Key size—inevitably leads to greater circuit depth and width. For a Key of L bits, the quantum circuit must perform a bitwise comparison between the known ciphertext CTknown and the calculated ciphertext E(Key, PTknown). This comparison is implemented using n CNOT gates followed by Pauli-X gates to emulate the effect of bitwise XNOR.

To mark the correct key state within Grover’s algorithm, the output of the XNOR operation must indicate a complete bitwise match—that is, all output bits must be 1. This condition is verified by computing the logical AND of all comparison bits, typically implemented using a cascade of Toffoli gates and ancillary qubits. If the comparison evaluates to true (i.e., all bits match), the oracle applies a phase inversion to the corresponding key state.

The subsequent application of the Grover diffusion operator amplifies the amplitude of this marked key state, increasing its probability upon measurement. This linear increase in circuit complexity with respect to key size highlights the growing resource demands of Grover’s search and reinforces the necessity of using larger symmetric keys to maintain post-quantum security. Building on the insights gained from the proposed cryptanalysis, the following section outlines key design principles for UMAPs in the post-quantum era.
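The oracle structure and iteration count discussed in this section can be reproduced with a classical state-vector simulation. The following is an added example, not code from the paper or its authors: cro_standin is a hypothetical bit-interleaving stand-in for Cro(x, y), the iteration count uses the standard floor((pi/4)·sqrt(N/s)) estimate, and the key and PT values are constructed.

```python
import math


def cro_standin(key: int, pt: int, n: int) -> int:
    """ASSUMED stand-in for Cro(x, y): interleave n key bits with n PT bits.

    Not the paper's definition; it only keeps the properties the text relies
    on (index-based shuffling, 2n-bit output for n-bit inputs).
    """
    out = 0
    for i in range(n):
        out |= ((pt >> i) & 1) << (2 * i)        # PT bit goes to an even position
        out |= ((key >> i) & 1) << (2 * i + 1)   # key bit goes to an odd position
    return out


def optimal_iterations(n: int, s: int = 1) -> int:
    """Standard Grover estimate floor(pi/4 * sqrt(2^n / s)) for s solutions."""
    return math.floor(math.pi / 4 * math.sqrt(2 ** n / s))


def oracle_marks(key: int, pt: int, ct: int, n: int) -> bool:
    """Mirror of the circuit: bitwise XNOR of E(key, PT) with CT, then AND."""
    width = 2 * n                      # ciphertext width of the stand-in
    mask = (1 << width) - 1
    xnor = ~(cro_standin(key, pt, n) ^ ct) & mask
    return xnor == mask                # true only when every comparison bit is 1


def grover_search(n: int, pt: int, ct: int, iterations=None):
    """Return (most probable key, measurement probability of every key)."""
    size = 1 << n
    if iterations is None:
        iterations = optimal_iterations(n)
    # Hadamard on every key qubit: uniform superposition over all keys.
    amp = [1 / math.sqrt(size)] * size
    for _ in range(iterations):
        # Oracle: conditional phase inversion of the matching key state.
        amp = [-a if oracle_marks(k, pt, ct, n) else a
               for k, a in enumerate(amp)]
        # Diffusion: reflect every amplitude about the mean.
        mean = sum(amp) / size
        amp = [2 * mean - a for a in amp]
    probs = [a * a for a in amp]
    best = max(range(size), key=lambda k: probs[k])
    return best, probs


def demo():
    """Constructed 4-bit case: one known (PT, CT) pair, one unknown key."""
    n, secret_key, pt = 4, 0b1011, 0b0110   # constructed sample values
    ct = cro_standin(secret_key, pt, n)
    best, probs = grover_search(n, pt, ct)
    return best, probs[best], ct


if __name__ == "__main__":
    key, p, ct = demo()
    print(f"CT={ct:08b} recovered key={key:04b} with probability {p:.4f}")
    print("iterations for n=4:", optimal_iterations(4))
    print("iterations for n=128 (bits):", optimal_iterations(128).bit_length())
```

Running one iteration past the optimum lowers the success probability (about 0.58 at four iterations in this case), and the iteration count for a 128-bit key is a 64-bit number, which is the scaling the key-length argument rests on.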

4.2 Toward quantum-resilient design of future UMAPs

The IoT sensing layer is crucial since it collects user-specific data in real-time. Despite its transient nature, such data often drives immediate decisions, whether in access control, supply chain logistics, or health monitoring, making it a high-value target for adversaries. Therefore, lightweight yet robust security mechanisms are essential to ensure confidentiality, authenticity, and integrity without compromising system responsiveness. Since 2006, more than 1000 UMAPs have been proposed, but the optimal balance between security and minimalism remains a challenge. Now, with the standardization of post-quantum ciphers, the challenge has evolved into a new dimension of quantum resilience.

Since UMAPs are symmetric-key protocols, their quantum robustness is determined by resistance to Grover’s search-based key-recovery attacks under known (PT,CT) pairs. This robustness can be quantified in terms of NIST-specified logical cost, as defined in Equation 5. Accordingly, achieving quantum resilience in UMAPs requires increasing the logical cost associated with Grover’s search-based attacks, as outlined below.

  • Availability of a (PT,CT) pair is a necessary condition for a quantum cryptanalysis since the search attacks are based on the database of these pairs.
    In UMAP, challenge-response-based authentication occurs, resulting in a series of public messages per session. A larger number of public messages per session increases the exposure of the tag’s attributes, thus making the protocol vulnerable to brute-force attacks. Therefore, according to the ISO 9798 standard, for an L-bit tag identifier, a set of three L-bit public messages is sufficient for mutual authentication. These messages are used for reader authentication, tag authentication, and the transmission of the tag’s ID.
  • The primitives of a cipher play an important role in defining the confusion and diffusion capabilities of public messages. Weak primitives lead to information leakage, which in turn facilitates functional analysis. This functional analysis can then be further accelerated using Grover’s search algorithm, which complements the process by significantly reducing the time complexity of key recovery. Therefore, identifying primitives that resist Grover’s search is essential. Such quantum-resilient primitives may incorporate operations that are not efficiently realizable as reversible unitary circuits, or oracle constructions whose required circuit depth exceeds practical quantum limits. In particular, a lower bound on the order of 2^40 quantum gates has been suggested as a meaningful threshold, as it approximately corresponds to the number of serial quantum gate operations that near-term quantum computing architectures could be expected to execute over the course of one year [16]. Table 8 presents a comprehensive summary of the ciphers used in prominent UMAPs, along with their responses to quantum brute force attacks.
Table 8. Assessment of ultralightweight primitives under quantum attacks.

https://doi.org/10.1371/journal.pone.0347296.t008

Quantum cryptanalysis of bit-wise AND and OR does not yield a deterministic measurement peak due to the imbalanced nature of these functions. Therefore, for the triangular functions, multiple (PT, CT) pairs are required for the successful estimation of identifiers. The use of Grover’s search for bit-wise XOR is an overkill of resources due to its simplistic nature. The conventional computation of is far more resource-efficient. The shuffle-based functions, i.e., , can only retrieve the key value when Key = a and PT = b, not the other way round, because the Hamming weight function requires measurement of qubits, which is an irreversible process, making the design of the oracle infeasible. Primitives that do not involve the calculation of the Hamming weight of operands, i.e., Cro(a,b) and Mixbit(a,b), can extract the information in any setting of the operand as key, making these protocols vulnerable to Grover’s search attacks. Analysis of ultralightweight primitives shows that the Conversion function (Con(a,b)) used in SLAP is resilient to quantum cryptanalysis since it shuffles both operands based on their Hamming weight.

  • An increase in the bit length of the tag’s identifiers will inherently increase the size of the quantum circuit of the phase oracle, making the search algorithm quantum resource-intensive.

This principle builds on a foundational approach to quantum resilience: increasing the key size raises the number of Grover iterations and the required circuit width, which improves resistance to quantum-enabled key-search attacks [27,28].

Therefore, in the post-quantum era, the UMAP protocol should use minimal public messages, primitives that involve Hamming weights of operands, and longer tag identifiers. The subsequent section presents a case study on quantum-safe UMAPs in light of the aforementioned principles.

4.3 A quantum-safe UMAP case study

Quantum computing speeds up the brute force technique. Any UMAP that offers resistance to classical brute force attack inherently follows the principles defined in the preceding section and is quantum resilient.

One such example is Succinct and Lightweight Authentication Protocol (SLAP), an ultra-lightweight mutual authentication scheme designed for low-cost passive RFID systems [26]. The protocol relies exclusively on simple bitwise operations, namely bitwise XOR, circular left rotation (Rot(a,b)), and a lightweight conversion function (Con(a,b)), making it feasible for deployment on tags with limited computational resources. The pseudocode of the conversion function is given as Algorithm 3 and elaborated in [26].

Algorithm 3 Conversion Function: c = Con(a, b)

Require: Bitstrings a, b of equal length L, threshold T

Ensure: Bitstring c of length L

Phase 1: Recursively divide a and b based on their Hamming weights until substrings are < T

Phase 2: Rearrangement

▷(Regroup a using b’s structure)

▷ (Regroup b using a’s structure)

for each block aj in do

  

  

end for

for each block bk in do

  

  

end for

Phase 3: Composition

▷ (Bitwise XOR operation)

return c

The protocol employs a static identifier ID, a dynamic pseudonym IDS, and two secret keys K1 and K2 shared between the tag and the backend server (accessed via the reader). All parameters are L-bit strings. Table 9 summarizes the memory requirements of the protocol.

Table 9. Memory architecture for SLAP protocol.

https://doi.org/10.1371/journal.pone.0347296.t009

The operation of SLAP proceeds as follows:

  1. The reader initiates the authentication session by sending a query message to the tag.
  2. The tag responds with its current pseudonym IDS. If no response is received in a previous session, the tag retransmits the old pseudonym.
  3. Upon receiving IDS, the reader searches its database for a matching entry. If a match is found, the reader generates a random nonce n and computes authentication messages A and B using equations 59 and 60.
(59)(60)

The reader sends message to the reader. The left half (BL) or right half (BR) of string B is transmitted to the tag depending on the Hamming weight of B (if wt(B) is odd, BL is sent; otherwise, BR is sent).

  4. The tag extracts the nonce n using its stored secrets and locally recomputes the authentication value () to verify the legitimacy of the reader. If verification succeeds, the reader is authenticated and the dynamic variables are updated at the tag’s side using equations 61–63.
(61)(62)(63)
  5. The tag then generates a response message C for its authentication.
(64)

The public message sent to the reader is based on the Hamming weight of C.

  6. Finally, on successful tag authentication, the reader updates the dynamic memory using equations 61–63.

Fig 13 illustrates the flow of the protocol.

4.3.1 Evaluation of SLAP on quantum security matrix.

The literature review shows that SLAP ensures confidentiality and is robust to classical full-disclosure attacks. Since Grover’s search speeds up such attacks, SLAP inherently becomes resistant to quantum attacks as well. The one-on-one mapping between the protocol and proposed design principles is presented to establish formal quantum resilience of the cipher:

  1. Limited Public Messages: The design principle states that for the L-bit tag ID, the ideal size of public messages should be 3L bits. This makes the retrieval of (PT,CT) infeasible.
    For SLAP, the public messages are IDS, A, and . Since the primitives used in the protocol give L-bit outputs, all the public messages are of the same length. Considering half of B and C are communicated for entity authentication along with A and IDS, the total size of bits communicated becomes 3L. Minimal public information makes the extraction of equation f(PT, K)=CT infeasible, thus making the cipher resilient to Grover’s search.
  2. Irreversible Primitives: The protocol uses the Con(a,b) function for the calculation of all the public messages and dynamic identifiers. Algorithm 3 shows that the execution of this function requires Hamming-weight calculations for a and b and multiple stages. Since the Hamming weight is translated as a measurement function in the quantum domain and owing to the irreversible nature of this operator, the construction of the phase oracle of Con(a,b) becomes infeasible. Since the phase oracle is a necessary condition for Grover’s search, SLAP cannot be subjected to this algorithm.
  3. Larger Key Sizes: The NIST-specified quantum security matrices for symmetric ciphers state that a key size of 128 is adequate for quantum resilience [16], and SLAP is designed as per EPC standards that state the size of the identifier to be 128-bit [29].

Given the attributes of SLAP discussed above, the protocol can be considered a concrete case study to analyse the quantum resilience of UMAPs.

5. Conclusion

In the race for quantum supremacy, nations and corporations are competing for a technological edge, one that threatens the integrity of global digital security infrastructure. Due to this threat, evaluating the quantum resilience of existing ciphers and adopting quantum-safe standards is critical. This study focuses on demonstrating full disclosure attacks on 4-bit reduced versions of selected UMAPs. Despite the reduced scope, the implementation captures the complete theoretical framework for scaling the attack to full-size versions under more capable quantum platforms. Based on insights from cryptanalysis, the study proposes initial design principles for quantum-resilient UMAPs, i.e., minimizing public message exposure, incorporating Hamming weight-based primitives, and increasing tag identifier lengths. These recommendations lay the groundwork for future post-quantum authentication protocols and provide a foundation for further advancements in ultralightweight quantum-secure cryptographic design.

Supporting information

S1 Appendix. Session-based attribute exchange and cryptanalysis in ULRARP+.

https://doi.org/10.1371/journal.pone.0347296.s001

(EPS)

S2 Appendix. Session-based execution and cryptanalysis for LRAP protocol.

https://doi.org/10.1371/journal.pone.0347296.s002

(EPS)

S3 Appendix. Session-based exchange and cryptanalysis for URAP protocol.

https://doi.org/10.1371/journal.pone.0347296.s003

(EPS)

References

  1. Sasi T, Lashkari AH, Lu R, Xiong P, Iqbal S. A comprehensive survey on IoT attacks: taxonomy, detection mechanisms and challenges. J Inf Intell. 2024;2(6):455–513.
  2. Morshed M, Yu H, Atkins AS. A secure lightweight authentication scheme for RFID systems in IoT environment. JOMCOM. 2025;5(1):7–15.
  3. Peris-Lopez P, Hernandez-Castro JC, Estévez-Tapiador JM, Ribagorda A. LMAP: A real lightweight mutual authentication protocol for low-cost RFID tags. Proc. of 2nd Workshop on RFID Security, vol. 6; 2006.
  4. Li G-R, Wang Y, Wang C-R, He J-S. EMAP: An efficient mutual authentication protocol for passive RFID tags. Int J Autom Comput. 2012;9(1):108–12.
  5. Peris-Lopez P, Hernandez-Castro JC, Estevez-Tapiador JM, Ribagorda A. M2AP: a minimalist mutual-authentication protocol for low-cost RFID tags. In: Ma J, Jin H, Yang LT, Tsai JJP, editors. Ubiquitous Intelligence and Computing (UIC 2006). vol. 4159 of Lecture Notes in Computer Science. Berlin, Heidelberg: Springer; 2006. p. 912–23.
  6. Gao M, Lu Y. URAP: a new ultra-lightweight RFID authentication protocol in passive RFID system. J Supercomput. 2022;78(8):10893–905.
  7. Khalid M, Najam-ul Islam M, Mujahid U. URMAP: Ultralightweight Resilient Mutual Authentication Protocol; 2024.
  8. Akiirne Z, Sghir A, Bouzidi D. UDAP: ultra-lightweight dot product-based authentication protocol for RFID systems. Cybersecurity. 2024;7(1):68.
  9. Raheman F. The Q-Day Dilemma and the Quantum Supremacy/Advantage Conjecture; 2022.
  10. Lindsay JR. Surviving the quantum cryptocalypse. SSQ. 2020;14(2):49–73.
  11. Mosca M. Cybersecurity in an era with quantum computers: will we be ready? IEEE Secur Privacy. 2018;16(5):38–41.
  12. Kumar S, Banka H, Kaushik B, Sharma S. An ultra-lightweight secure RFID authentication protocol for low-cost tags. J Comput Virol Hack Tech. 2024;20(4):803–18.
  13. Fan K, Jiang W, Li H, Yang Y. Lightweight RFID protocol for medical privacy protection in IoT. IEEE Trans Ind Inform. 2018;14(4):1656–65.
  14. Khan MA, Ullah S, Ahmad T, Jawad K, Buriro A. Enhancing Security and Privacy in Healthcare Systems Using a Lightweight RFID Protocol. Sensors. 2023;23(12):5518. https://doi.org/10.3390/s23125518
  15. Yanofsky NS, Mannucci MA. Quantum computing for computer scientists. Cambridge University Press; 2008.
  16. Sarah D, Peter C. On the practical cost of Grover for AES key recovery. Presentation at the 5th NIST PQC Standardization Conference; 2024.
  17. Barker E, Dang Q. NIST special publication 800-57 part 1, revision 4, Tech Rep. NIST; 2016;16. 51 p.
  18. Jang K, Baksi A, Kim H, Song G, Seo H, Chattopadhyay A. Quantum analysis of AES: lowering limit of quantum attack complexity. Hansung University and Nanyang Technological University; n.d.
  19. Jang K, Song G, Kim H, Kwon H, Kim H, Seo H. Efficient implementation of PRESENT and GIFT on quantum computers. Appl Sci. 2021;11(11):4776.
  20. Liu H, Yang L. Quantum key recovery attack on SIMON32/64. Cybersecur. 2021;4(1):23.
  21. Chien HY. SASI: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Trans Dependable Secure Comput. 2007;4(4):337–40.
  22. Tewari A, Gupta BB. Cryptanalysis of a novel ultra-lightweight mutual authentication protocol for IoT devices using RFID tags. J Supercomput. 2016;73(3):1085–102.
  23. Tian Y, Chen G, Li J. A new ultralightweight RFID authentication protocol with permutation. IEEE Commun Lett. 2012;16(5):702–5.
  24. Khalid M, Mujahid U, Muhammad NuI. Ultralightweight RFID authentication protocols for low-cost passive RFID tags. Secur Commun Networks. 2019;2019(1):3295616.
  25. Peris-Lopez P, Hernandez-Castro JC, Tapiador JME, Ribagorda A. Advances in ultralightweight cryptography for low-cost RFID tags: gossamer protocol. In: Chung KI, Sohn K, Yung M, editors. Information security applications. Berlin, Heidelberg: Springer Berlin Heidelberg; 2009. p. 56–68.
  26. Luo H, Wen G, Su J, Huang Z. SLAP: succinct and lightweight authentication protocol for low-cost RFID system. Wireless Netw. 2016;24(1):69–78.
  27. Grassl M, Langenberg B, Roetteler M, Steinwandt R. Applying Grover’s algorithm to AES: quantum resource estimates. International Workshop on Post-Quantum Cryptography. Springer; 2016. p. 29–43.
  28. Chen L, Chen L, Jordan S, Liu YK, Moody D, Peralta R, et al. Report on post-quantum cryptography, vol. 12. US Department of Commerce, National Institute of Standards and Technology; 2016.
  29. Schuster EW, Brock DL, Allen SJ. Global RFID: the value of the EPCglobal network for supply chain management. Springer; 2007.