Paper 2023/1417

Improved Quantum Circuits for AES: Reducing the Depth and the Number of Qubits

Qun Liu, Shandong University, China
Bart Preneel, imec-COSIC, KU Leuven, Belgium
Zheng Zhao, Shandong University, China
Meiqin Wang, Shandong University, China
Abstract

Quantum computers hold the potential to solve problems that are intractable for classical computers, thereby driving increased interest in the development of new cryptanalytic ciphers. In NIST's post-quantum standardization process, the security categories are defined by the costs of quantum key search against AES. However, the cost estimates provided by Grassl et al. for the search are high. NIST has acknowledged that these initial classifications should be approached cautiously, since the costs of the most advanced attacks can be significantly reduced. Therefore, accurate resource estimations are crucial for evaluating the security of ciphers against quantum adversaries. This paper presents a set of generic techniques for implementing AES quantum oracles, which are essential for quantum attacks such as Grover's algorithms. Firstly, we introduce the mixing-XOR technique to reuse the ancilla qubits. At ASIACRYPT 2022, Huang et al. proposed an S-box structure with 120 ancilla qubits. We are able to reduce the number of ancilla qubits to 83 without increasing the T-depth. Secondly, we propose the combined pipeline architecture with the share technique to combine the S-box and its reverse, which achieves it with only 98 ancilla qubits, resulting in a significant reduction of 59% compared to the independent structure. Thirdly, we use a general algorithm to determine the depth of quantum circuits, searching for the in-place circuit of AES MixColumns with depth 16. Applying these improvements, we achieve the lower quantum depth of AES circuits, obtaining more precise resource estimates for Grover's algorithm. For AES-128, -192, and -256, we only require the depth of 730, 876, and 1,018, respectively. Recently, the community has also focused on the trade-off of the time and space cost of quantum circuits for AES. In this regard, we present quantum implementations of AES circuits with a lower DW-cost on the zig-zag architecture. Compared with the circuit proposed by Huang et al., the DW-cost is reduced by 35%.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
A minor revision of an IACR publication in ASIACRYPT 2023
Keywords
Quantum Circuit, Grover’s Algorithm, S-box, AES
Contact author(s)
qunliu @ mail sdu edu cn
bart preneel @ kuleuven be
zhaozheng @ mail sdu edu cn
mqwang @ sdu edu cn
History
2023-09-24: approved
2023-09-20: received
Short URL
https://ia.cr/2023/1417
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1417,
      author = {Qun Liu and Bart Preneel and Zheng Zhao and Meiqin Wang},
      title = {Improved Quantum Circuits for AES: Reducing the Depth and the Number of Qubits},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1417},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1417}},
      url = {https://eprint.iacr.org/2023/1417}
}