ORIGINAL RESEARCH article

Front. Phys., 24 March 2023

Sec. Quantum Engineering and Technology

Volume 11 - 2023 | https://doi.org/10.3389/fphy.2023.1171753

New record in the number of qubits for a quantum implementation of AES

  • 1. State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China

  • 2. Henan Key Laboratory of Network Cryptography Technology, Zhengzhou, China


Abstract

Optimizing the quantum circuit for implementing the Advanced Encryption Standard (AES) is crucial for estimating the resources needed to attack AES with the Grover algorithm. Previous studies have reduced the number of qubits required for the quantum circuits of AES-128/-192/-256 from 984/1112/1336 to 270/334/398, which is close to the optimal value of 256/320/384, so further optimization has become a challenging task. Taking aim at this task, we find a method for designing the quantum circuit of the AES S-box with the help of the automation tool LIGHTER-R. Particularly, the multiplicative inversion in , which is the main part of the S-box, is converted into the multiplicative inversion (and multiplication) in ; the latter can then be implemented by LIGHTER-R because its search space is small enough. By this method, we construct the quantum circuits of the S-box for mapping |a⟩|0⟩ to |a⟩|S(a)⟩ and |a⟩|b⟩ to |a⟩|bS(a)⟩ with 20 qubits instead of the 22 used in previous studies. In addition, we introduce new techniques to reduce the number of qubits required by the S-box circuit for mapping |a⟩ to |S(a)⟩ from 22 in previous studies to 16. Accordingly, we synthesize the quantum circuits of AES-128/-192/-256 with 264/328/392 qubits, which constitutes a new record.

1 Introduction

The parallelism of quantum computing gives quantum computers a significant speed-up over classical computers on certain specific problems, such as solving linear systems [1–3], classification [4–8], dimensionality reduction [9–12], linear regression [13–15], association rule mining [16], anomaly detection [17, 18] and so on. Quantum algorithms such as Shor [19], Grover [20], and Simon [21] seriously threaten the security of modern cryptography. Although the scale of current quantum computers is not yet sufficient to break cryptographic primitives, these quantum algorithms will be realized as the technology develops. Thus, accurately estimating the actual arrival time of quantum threats is the key to ensuring the steady renewal of cryptosystems. With the steady development of quantum computing hardware, evaluating the minimum quantum resources required to realize Shor, Grover, Simon, and other cryptanalytic quantum algorithms has become one of the main factors affecting the actual arrival time of quantum threats. For example, because the T-depth and the number of qubits realized by current quantum computers are limited, they are regarded as the main optimization goals in most previous studies of quantum circuit implementations of the above algorithms.

It is significant to estimate the cost of the Grover algorithm attacking the Advanced Encryption Standard (AES) [22]. On the one hand, AES is one of the most studied and popular symmetric ciphers in the world. On the other hand, this cost was used as the benchmark to define the security levels of post-quantum public-key schemes when the National Institute of Standards and Technology (NIST) [23] called for proposals for the standardization of post-quantum cryptography. In the implementation, the quantum circuit of AES is the core of the Grover oracle, which is the most complicated part of the whole algorithm. For this reason, optimizing the quantum circuit of AES is an important way of reducing the quantum resources required for the Grover algorithm to attack AES. Among the tasks necessary to optimize the quantum circuit of AES, realizing the AES S-box, the only non-linear component, with fewer resources is one of the main influencing factors.

Some quantum circuits of AES were designed to reduce the T-depth. In 2020, Jaques et al. [24] constructed a quantum circuit of S-box for |a⟩|b⟩ → |a⟩|bS(a)⟩ (a, b and S(a) are 8-bit vectors) with T-depth 6, and then synthesized the quantum circuit of AES-128 with a T-depth of 120. In 2022, Li et al. [25] proposed the S-box circuits for |a⟩|0⟩ → |a⟩|S(a)⟩ and |a⟩|b⟩ → |a⟩|bS(a)⟩ with T-depth 4, and then reduced the T-depth required for the quantum circuit of AES-128 to 80. Huang et al. [26] gave the circuit for |a⟩|b⟩ → |a⟩|bS(a)⟩ with a T-depth of 3, and then further reduced the T-depth required for the quantum circuit of AES-128 to 60. Jang et al. [27] synthesized the quantum circuit of AES-128 with a T-depth of 30 by introducing an improved pipeline method for round function iteration.

At the same time, quite a few quantum circuits of AES were designed to reduce the number of qubits (see Table 1). In 2016, Grassl et al. [28] implemented the quantum circuit of AES-128 with 984 qubits by presenting a 40-qubit quantum circuit of the S-box for and introducing the zig-zag method for round function iteration. In 2018, Almazrooie et al. [29] reduced the number of qubits required for the quantum circuit of AES-128 to 976 by finding an improved key expansion iteration method. In 2020, Langenberg et al. [30] constructed the S-box circuit for with 32 qubits and completed the key expansion iteration by the zig-zag method, then realized the quantum circuit of AES-128 with 864 qubits. Zou et al. [31] proposed a circuit for with 22 qubits and gave an improved zig-zag method for round function iteration and key expansion iteration by introducing 23-qubit quantum circuits of the S-box and its inverse for and , then used 512 qubits to construct the quantum circuit of AES-128. In 2022, Wang et al. [32] synthesized a 400-qubit quantum circuit of AES-128 by giving a straight-line method for key expansion iteration. Huang et al. [26] proposed the S-box circuit for with 22 qubits, and introduced a straight-line method for round function iteration by giving a 22-qubit quantum circuit of the S-box for , then implemented the quantum circuit of AES-128 with 374 qubits. In the same period as Huang et al., Li et al. [25] synthesized the quantum circuit of AES-128 with 270 qubits by presenting 22-qubit quantum circuits of the S-box for , and , as well as adopting the straight-line method for round function iteration.

TABLE 1

Schemes                | S-box (#qubits)  | RFIM (#qubits)         | KSIM (#qubits)         | #Total qubits
Grassl et al. [28]     | (40)             | Zig-zag (536)          | Pipeline (448)         | 984
Almazrooie et al. [29] | (64)             | Zig-zag (560)          | Pipeline (416)         | 976
Langenberg et al. [30] | (32)             | Zig-zag (528)          | Zig-zag (352)          | 880
Zou et al. [31]        | (22), (23), (23) | Improved zig-zag (256) | Improved zig-zag (256) | 512
Wang et al. [32]       | (32)             | Improved zig-zag (256) | Straight-line (144)    | 400
Huang and Sun [26]     | (22), (22)       | Straight-line (240)    | Straight-line (134)    | 374
Li et al. [25]         | (22), (22), (22) | Straight-line (142)    | Straight-line (128)    | 270
This work              | (20), (20), (16) | Straight-line (136)    | Straight-line (128)    | 264

Summary of the number of qubits required for implementing AES-128. “RFIM” and “KSIM” represent the round function iteration method and key expansion iteration method respectively.

It can be seen that the number of qubits required for the quantum circuit of AES has been greatly improved through the efforts of scholars, approaching the optimal value of 256/320/384. It seems that further reducing them has become a challenging task. In this work, we study how the AES S-box can be constructed with fewer qubits, thereby reducing the number of qubits required for the quantum circuit of AES. Note that any mention of qubits in this work refers to logical qubits. Our contributions are as follows:

  • We find a method to construct the quantum circuit of the AES S-box with the help of the automation tool LIGHTER-R, which reduces the number of qubits required by and from 22 in the previous studies [25, 26, 31] to 20. In particular, the quantum circuit of the multiplicative inversion in is the main factor affecting the number of qubits required by the quantum circuit of the S-box, but there is no automatic tool to optimize it. Dasu et al. [33] presented an automatic tool, LIGHTER-R, that can generate an efficient quantum circuit for the multiplicative inversion in . Unfortunately, LIGHTER-R cannot give the quantum circuit for the multiplicative inversion in , since that requires a much larger search space. We find that the multiplicative inversion in can be computed through multiplicative inversion (and multiplication) in , and the latter can be realized by LIGHTER-R.

  • We introduce a new technique to construct the quantum circuit of the S-box for with only 16 qubits instead of 22 in the previous studies [25, 26]. Instead of connecting and to obtain , we synthesize it directly.

  • We find that the uncomputation that removes ancilla qubits (i.e., restores the initial state |0⟩) can in some cases be completed with fewer Toffoli and CNOT gates, without adding qubits. Therefore, our S-box circuit for also requires fewer Toffoli and CNOT gates than the previous studies [25, 31]. Note that the number of Toffoli and CNOT gates is often regarded as a secondary optimization goal.

  • By employing the above quantum circuits of the S-box, we synthesize the quantum circuit of AES-128 with 264 qubits instead of 270 in a previous study [25], which constitutes a new record. Similarly, we synthesize the quantum circuits of AES-192/-256 with 328/392 qubits instead of 334/398 in a previous study [25].

The rest of this paper is organized as follows. In Section 2, we briefly review the S-box of AES. In Section 3, we use the tool LIGHTER-R to obtain the quantum circuit of implementing the multiplicative inversion in . In Section 4, our quantum circuits of the S-box are given. In Section 5, we synthesize the quantum circuit of AES. In Section 6, we conclude the paper.

2 Preliminaries

2.1 The S-box of AES

2.1.1 Algebraic structure of S-box

The non-linear transformation S-box first takes a byte input , then replaces a with its multiplicative inversion a−1 (when a = 0, set a−1 = 0), and finally performs an affine transformation composed of multiplication by an invertible matrix and the addition of a constant vector. Specifically, the S-box transformation is expressed as follows, where

The computation of the S-box can thus be divided into two steps: computing the multiplicative inversion a−1 and performing the affine transformation. The affine transformation can be implemented with CNOT and NOT gates only. Thus, realizing the quantum circuit that finds a−1 at low cost becomes one of the main factors in optimizing the quantum circuit of the S-box.

2.1.2 A decomposition of S-box

In Ref. [34], Wolkerstorfer et al. constructed the following composite field isomorphic to :

  • The field polynomial of is x4 + x + 1;

  • The field polynomial of is x2 + x + λ, where .

Due to isomorphism, the mapping matrix and its inverse matrix are determined as

Based on the composite field , AES’s S-box can be rewritten as follows. The multiplication by the invertible matrices M and AM−1 (the merging of matrices A and M−1) and the addition of a constant vector c can be implemented with CNOT and NOT gates only. Thus, the key to optimizing the S-box circuit becomes how the quantum circuit of finding (Ma)−1 can be implemented at low cost.

As pointed out in Ref. [34], any element can be represented as a linear polynomial with coefficients in , i.e., p = p0 + p1x, , and its multiplicative inversion p−1 can be expressed as shown below, where . Finding p−1 requires computing (p0 + p1)p0, , and , which mainly involves the multiplication (including the constant multiplication ) and multiplicative inversion operations in .

It can be seen that the implementation of the S-box divides into three modules: the multiplication in , the multiplicative inversion in , and the multiplication by the invertible matrices M and AM−1 together with the addition of the constant vector c.

3 Quantum circuit of implementing the multiplicative inversion in

Some quantum circuits of implementing the multiplicative inversion in have been proposed. Almazrooie et al. [35] constructed it by employing the quantum circuit of implementing the multiplication in many times. Saravanan et al. [36], Chung et al. [37] and Wang et al. [32] implemented it respectively based on a composite field . Recently, Li et al. [25] constructed it by converting its classical circuit in Ref. [38] into a quantum version. See Table 3 for specific resource estimates.

In Ref. [33], Dasu et al. presented an automation tool, LIGHTER-R, which can give a quantum circuit implementation of any 4-bit S-box from its lookup table. The quantum circuit given by LIGHTER-R requires the optimal number of qubits. Recently, the tool has been widely applied to the quantum circuit implementation of other ciphers, such as Present and Gift [39], RECTANGLE and KNOT [40], DEFAULT [41] and so on.

We found that the multiplicative inversion in can be seen as a 4-bit S-box, whose lookup table is shown in Table 2. Thus, to obtain the quantum circuit of implementing the multiplicative inversion in , we employ the tool LIGHTER-R directly. The resulting circuit is shown in Figure 1.

TABLE 2

x    | 0 1 2 3 4 5 6 7 8 9 A B C D E F
x−1  | 0 1 9 E D B 7 6 F 2 C 5 A 4 3 8

Lookup table of the multiplicative inversion in .

FIGURE 1

Quantum circuit of implementing the multiplicative inversion in . Here, b = (b0, b1, b2, b3) and its inverse are the input vector and output vector, respectively. Note that b corresponds to an element in . Swap operation only changes the index of qubits and does not require quantum gates.

The Tof4/C3(X)/CCCNOT gate in the dashed box of Figure 2 realizes the function |a⟩|b⟩|c⟩|d⟩ → |a⟩|b⟩|c⟩|dabc⟩ and can be decomposed into Toffoli gates with the help of an ancilla qubit (see Figure 2). Specifically, if the ancilla qubit is in an unknown quantum state |g⟩, the CCCNOT gate can be decomposed using the circuit in Figure 2A. If the state |g⟩ is known to be |0⟩, the last Toffoli gate in Figure 2A is unnecessary, which corresponds to Figure 2B. Thus, according to Figures 1 and 2, we obtain two quantum circuits implementing the multiplicative inversion in , for and . These two quantum circuits will be used to implement the quantum circuit of the AES (8-bit) S-box. In the process, if there is an idle quantum state |0⟩, we use ; otherwise, we use .

FIGURE 2

Quantum circuits of CCCNOT.

The resource estimates of these two quantum circuits for and are given in Table 3. Compared with the previous studies, our quantum circuits require fewer qubits.

TABLE 3

Schemes                    | #Qubits | #CNOT | #Toffoli | Toffoli depth
Saravanan and Kalpana [36] | 18      | 22    | 9        | 4
Almazrooie et al. [29]     | 16      | 47    | 48       | 39
Chung et al. [37]          | 16      | 9     | 6        |
Wang et al. [32]           | 8       | 20    | 14       | 14
Li et al. [25]             | 6       | 22    | 6        | 6
This work                  | 5       | 5     | 8        | 8
This work                  | 5       | 5     | 9        | 9

Quantum resource estimates for the implementation of the multiplicative inversion in . #Toffoli/CNOT means the number of Toffoli and CNOT gates. #qubits means the number of qubits.

CNOT and NOT gates are typically much cheaper than Toffoli gates. For this reason, in this article we focus only on Toffoli depth instead of the total circuit depth.

4 Quantum circuits of S-box

In this section, we propose three quantum circuits of the S-box, for , and respectively. Along the way, we directly adopt Li et al.’s [25] quantum circuits, including UM, , Mul, BMul and .

  • UM: |x⟩ → |Mx⟩ requires 8 qubits, 15 CNOT gates, and a total depth of 8; requires 8 qubits, 26 CNOT gates and a total depth of 10. Here, . The matrices A and M are given in Eqs 1 and 2 respectively.

  • Mul: |f⟩|g⟩|04⟩ → |f⟩|g⟩|f ⋅ g⟩ requires 12 qubits, 9 Toffoli gates, 23 CNOT gates and a Toffoli depth of 6; BMul: |f⟩|g⟩|h⟩ → |f⟩|g⟩|hf ⋅ g⟩ requires 12 qubits, 9 Toffoli gates, 28 CNOT gates and Toffoli depth 6. Here, ;

  • requires 4 qubits, 3 CNOT gates, and a total depth of 3. Here , q is an arbitrary element in .

4.1 Quantum circuit of S-box for

In order to implement the quantum circuit of S-box for , we first propose a quantum circuit of finding p−1 for |p⟩|0⟩ → |p⟩|p−1⟩. Here and its multiplicative inversion is .

We divide into four steps, i.e., computing p17, calculating the multiplicative inversion of p17, obtaining p−1 and uncomputation (i.e., cleaning up the ancilla qubits), to construct the quantum circuit for |p⟩|0⟩ → |p⟩|p−1⟩. Specifically, we first give the quantum circuit for . According to , can be realized by performing Mul, (take qp1) and some CNOT gates (see the red box in Figure 3). Then is obtained by performing on |p17⟩|0⟩. Here, instead of adding a new qubit, we use an idle quantum state |0⟩ from the output qubits as the ancilla qubit. Next, is obtained in the output qubits by performing Mul twice. At this point, the circuit is in state . In the end, in the ancilla qubits has to be removed for reuse, i.e., the uncomputation must be completed. As mentioned in Ref. [25], the general idea is to perform (since there is no idle quantum state |0⟩) and on . However, due to , can also be expressed as . Therefore, we only apply (the inverse circuit of ) to implement . The resulting quantum circuit, shown in Figure 3, requires 20 qubits instead of 22 in a previous study [25].
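The composite-field decomposition of Section 2.1.2 and the four steps just described can be checked classically, register by register. The following is an added example, not code from the paper: it models GF(2^4) with the page's polynomial x^4 + x + 1, checks the inversion lookup table of Table 2, and walks the Figure 3 circuit (compute p17, invert it in place, two multiplications into the output register, then uncompute), showing why the ancilla can be cleared from the output alone: (p^−1)^17 = (p^17)^−1. The extension polynomial's constant λ = 0xC is an assumption here (the value used by Wolkerstorfer et al.), since the page's own definition of λ did not survive extraction.

```python
LAMBDA = 0xC  # assumed: constant of the irreducible x^2 + x + lambda over GF(2^4)

# Table 2 of the paper: x -> x^-1 in GF(2^4), indexed by x.
TABLE2_INVERSE = [0x0, 0x1, 0x9, 0xE, 0xD, 0xB, 0x7, 0x6,
                  0xF, 0x2, 0xC, 0x5, 0xA, 0x4, 0x3, 0x8]


def gf16_mul(a: int, b: int) -> int:
    """Multiply two 4-bit elements of GF(2^4) modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:        # x^4 = x + 1, so reduce with 0b10011
            a ^= 0x13
    return r & 0xF


def gf16_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^4) as a^14 (a^15 = 1); 0 -> 0 as in the S-box."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, a)
    return r if a else 0


def norm(p0: int, p1: int) -> int:
    """p^17 = p0*(p0 + p1) + lambda*p1^2, an element of GF(2^4), for p = p0 + p1*x."""
    return gf16_mul(p0, p0 ^ p1) ^ gf16_mul(LAMBDA, gf16_mul(p1, p1))


def ext_mul(a: tuple, b: tuple) -> tuple:
    """Multiply a = a0 + a1*x and b = b0 + b1*x modulo x^2 + x + lambda."""
    (a0, a1), (b0, b1) = a, b
    a1b1 = gf16_mul(a1, b1)
    return (gf16_mul(a0, b0) ^ gf16_mul(LAMBDA, a1b1),
            gf16_mul(a0, b1) ^ gf16_mul(a1, b0) ^ a1b1)


def inverse_circuit(p0: int, p1: int) -> tuple:
    """Classical walk-through of |p>|0^8>|0^4> -> |p>|p^-1>|0^4> (Figure 3).

    Registers: the 8-bit input p, the 8-bit output (n0, n1) and a 4-bit
    ancilla. Returns ((n0, n1), ancilla) so the caller can confirm the
    ancilla ends at 0 without p^17 being recomputed from p.
    """
    anc, n0, n1 = 0, 0, 0
    # Step 1 (U_p17): Mul, constant multiplication by lambda and CNOTs
    # XOR p^17 into the ancilla register.
    anc ^= norm(p0, p1)
    # Step 2: in-place inversion of the 4-bit ancilla (the LIGHTER-R
    # circuit of Figure 1); the ancilla now holds d = (p^17)^-1.
    anc = gf16_inv(anc)
    # Step 3: two Mul gates write n0 = (p0 + p1)*d and n1 = p1*d, because
    # p^-1 = p^16 * (p^17)^-1 and p^16 = (p0 + p1) + p1*x.
    n0 ^= gf16_mul(p0 ^ p1, anc)
    n1 ^= gf16_mul(p1, anc)
    # Step 4 (uncomputation): (p^-1)^17 = (p^17)^-1 = d, so running the
    # inverse of step 1 with the OUTPUT register as its source XORs d into
    # the ancilla and clears it, without undoing step 2 or touching p.
    anc ^= norm(n0, n1)
    return (n0, n1), anc


def verify_all_inputs() -> bool:
    """Check Table 2 and, for all 256 inputs, that the output is p^-1
    (p * p^-1 = 1, with 0 -> 0) and that the ancilla register ends at 0."""
    if [gf16_inv(x) for x in range(16)] != TABLE2_INVERSE:
        return False
    for p in range(256):
        p0, p1 = p & 0xF, p >> 4
        (n0, n1), anc = inverse_circuit(p0, p1)
        expected = (0, 0) if p == 0 else (1, 0)
        if anc != 0 or ext_mul((p0, p1), (n0, n1)) != expected:
            return False
    return True


if __name__ == "__main__":
    print("all checks passed" if verify_all_inputs() else "mismatch")
```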

FIGURE 3

Quantum circuit for |p⟩|012⟩ → |p⟩|p−1⟩|04⟩. p = (p0, p1) and p−1 = (n0, n1) are 8-bit input and output vectors respectively. CNOT gates between four qubit-sized wires should be read as multiple parallel CNOT gates applied bitwise. Dashed lines indicate wires that are not used in the corresponding circuit of the square box. Using to implement due to . is implemented by the inverse circuit of . A quantum state |0⟩ from output qubits is used as ancilla qubit of .

By combining the quantum circuit in Figure 3 with UM and , we obtain the quantum circuit of S-box for in Figure 4, which requires 20 qubits.

FIGURE 4

Quantum circuit of the S-box for . The input is one element . The output is S(a). is implemented by the quantum circuit in Figure 3 since Ma is contained in . is implemented by the inverse circuit of UM. ⊕ represents that the constant vector c is added by flipping four qubits with four NOT gates.

The quantum resource estimates of are shown in Table 4. Compared with the previous studies, our S-box circuit for requires fewer quantum resources including the number of qubits.

TABLE 4

Schemes                | #Qubits | #Toffoli | #CNOT | #NOT | Toffoli depth
This work              | 20      | 44       | 197   | 4    | 32
Li et al. [25]         | 22      | 48       | 236   | 4    | 36
Zou et al. [31]        | 22      | 52       | 326   | 4    | 41
Langenberg et al. [30] | 32      | 55       | 314   | 4    | 40
Grassl et al. [28]     | 40      | 512      | 369   | 4    | 144

Comparison of our S-box circuit for with previous works.

Remark 1. Compared with the circuit outlined by Li et al., our circuit differs in two aspects. First, we take an idle qubit from the output qubits as the ancilla qubit and then compute by . Second, we find that the uncomputation can be completed by performing the circuit alone, without . As a result, our S-box circuit for requires not only fewer qubits but also fewer Toffoli gates and a lower Toffoli depth. Cost estimates can be found in Table 4.

Our results show that the uncomputation for removing ancilla qubits (i.e., restoring the initial state |0⟩) can be optimized when the algebraic relationship between the value in the ancilla qubits and f(x) is simpler than that between x and the value in the ancilla qubits. Here, assuming that f(x) is an arbitrary invertible non-linear transformation, the goal circuit Uf: |x⟩|0⟩ → |x⟩|f(x)⟩ is implemented by introducing some ancilla qubits. For example, in Figure 4, xp and f(x)≔p−1; after obtaining the output p−1, as analyzed above, the value in the ancilla qubits has a simpler algebraic relationship with p−1 than with p.

4.2 Quantum circuit of S-box for

In order to implement the quantum circuit of the S-box for , we first propose an improved quantum circuit for |p⟩|h⟩ → |p⟩|hp−1⟩.

Similar to Figure 3, we divide into four steps to implement |p⟩|h⟩ → |p⟩|hp−1⟩. First, |p17⟩ is obtained by performing on |p⟩|04⟩. However, unlike Figure 3, we only use to compute since there is no idle quantum state |0⟩. The input state in output qubits is |h⟩ = |h0⟩|h1⟩ instead of |08⟩. Next, |hp−1⟩ = |h0n0⟩|h1n1⟩ is obtained by using BMul twice instead of Mul. In the end, we need to clean up . Unfortunately, the removal has to be completed by and because the output qubits are in state |hp−1⟩ instead of |p⟩. Note that because of the same function, we only use instead of (i.e., |b−1⟩|g⟩ → |b⟩|g⟩, ). The resulting quantum circuit, as shown in Figure 5, requires 20 qubits instead of 22 in a previous study [25].

FIGURE 5

Quantum circuit for |p⟩|h⟩|04⟩ → |p⟩|hp−1⟩|04⟩. h = (h0, h1) is an arbitrary 8-bit vector. applies an unknown quantum state |g⟩ from output qubits as its ancilla qubit, which is returned to the same state at the end of the circuit.

By combining the quantum circuit in Figure 5 with UM and , we construct the quantum circuit of S-box for in Figure 6, whose number of qubits is 20.

FIGURE 6

Quantum circuit for . is implemented by the quantum circuit in Figure 5 because MA−1b and Ma are contained in . is implemented by the inverse circuit of .

Table 5 summarizes the quantum resources needed to realize . Compared with previous studies, our S-box circuit for requires fewer qubits.

TABLE 5

Schemes            | #Qubits | #Toffoli | #CNOT | #NOT | Toffoli depth
This work          | 20      | 54       | 238   | 4    | 42
Li et al. [25]     | 22      | 48       | 272   | 4    | 36
Huang and Sun [26] | 22      | 52       | 336   | 4    | 41
Zou et al. [31]    | 23      | 68       | 352   | 4    | 60
Wang et al. [32]   | 32      | 55       | 322   | 4    | 40

Comparison of our S-box circuit for with previous works.

Remark 2. Compared with the circuit described by Li et al., we take an idle qubit from the output qubits as the ancilla qubit and then compute by , resulting in a reduction in the number of qubits. Cost estimates can be found in Table 5.

4.3 Quantum circuit of S-box for

Based on the idea mentioned in Ref. [42], Li et al. [25] and Huang et al. [26] realized the goal by connecting two quantum circuits, for |a⟩|0⟩ → |a⟩|S(a)⟩ and |a⟩|S(a)⟩ → |0⟩|S(a)⟩. Here, unlike the previous method, we realize the goal by proposing a quantum circuit for |p⟩ → |p−1⟩.

Similar to Figure 3, we first obtain |p17⟩ by performing on |p⟩|04⟩, and then compute by performing on |p17⟩|0⟩ (since there is an idle quantum state |0⟩). Next, we perform the circuit InMul in Eq. 5 of Observation 1 twice to obtain |n0⟩ and |n1⟩ respectively, so that the circuit is in state . Along the way, instead of adding qubits, |p0⟩ is removed after |n0⟩ is obtained, freeing storage space in which to place n1. In the end, is removed by executing on . The resulting quantum circuit, shown in Figure 7, requires 16 qubits.

FIGURE 7

Quantum circuit for |p⟩|08⟩ → |p−1⟩|08⟩.

Observation 1. The quantum circuit for InMul: |f⟩|g⟩|0⟩ → |0⟩|g⟩|f ⋅ g⟩ not only obtains f ⋅ g but also releases storage space for other values if f is not needed in subsequent operations. InMul can be implemented as follows. Since (f ⋅ g) ⋅ g−1 = f, the circuit Mul (|f⟩|g⟩|f ⋅ g⟩ → |f⟩|g⟩|0⟩) is used to convert |f⟩|g−1⟩|f ⋅ g⟩ into |0⟩|g−1⟩|f ⋅ g⟩. At this moment there exists an idle quantum state |0⟩, so |g−1⟩ is converted back into |g⟩ by .

By combining the quantum circuit in Figure 7 with UM and , we obtain the S-box circuit for : |a⟩|08⟩ → |S(a)⟩|08⟩ in Figure 8, which requires 16 qubits.

FIGURE 8

Quantum circuit for . is implemented by the quantum circuit in Figure 7 because Ma is contained in .

Table 6 summarizes the quantum resources needed to implement the S-box circuit for . Compared with previous studies, our S-box circuit for requires fewer qubits.

TABLE 6

Schemes            | #Qubits | #Toffoli | #CNOT | #NOT | Toffoli depth
This work          | 16      | 96       | 244   | 4    | 78
Li et al. [25]     | 22      | 96       | 410   | 4    | 71
Huang and Sun [26] | 22      | 104      | 694   | 12   | 82

Comparison of our S-box circuit for with previous works.

In order to reduce the number of qubits, we often want to compute f(x) with an in-place circuit, i.e., |x⟩ → |f(x)⟩. For example, we directly obtain the in-place quantum circuit from the tool LIGHTER-R. However, for some complex functions f(x) (e.g., the multiplicative inversion in ), directly designing an in-place quantum circuit is difficult. As mentioned in Ref. [26], a natural idea is to construct an in-place circuit from out-of-place sub-circuits. Huang et al. [26] proposed an in-place quantum circuit for |x⟩ → |f(x)⟩ by connecting two out-of-place circuits, |x⟩|0⟩ → |x⟩|f(x)⟩ and |f−1(y)⟩|y⟩ → |0⟩|y⟩ (f−1 is the inverse function of f). Thus, their in-place circuit requires at least 4n qubits if f(x): {0,1}2n → {0,1}2n is an arbitrary invertible non-linear transformation. By connecting |a⟩|0⟩ → |a⟩|S(a)⟩ and |a⟩|S(a)⟩ → |0⟩|S(a)⟩, Huang et al. [26] and Li et al. [25] gave the quantum circuit of the S-box for , whose cost estimates can be found in Table 6.

Observation 2. |x⟩ → |f(x)⟩ can be constructed with at least 3n qubits. If f(x) can be expressed as f(x) = f0(x0)‖f1(x1) (f0(x0), f1(x1): {0,1}n → {0,1}n are invertible non-linear transformations) when x is divided into x0 and x1, i.e., xx0x1, then |x⟩ → |f(x)⟩ is implemented as follows. |x0⟩ is removed to gain storage space for f1(x1) only when it is not needed in subsequent operations. In our circuit for |p⟩ → |p−1⟩, xp = p0p1 and f(x)≔p−1 = f0(x0)‖f1(x1) (note ), and are implemented with the circuit in Eq. 5 ( is computed in the ancilla qubits and is regarded as a constant in f0(x0) and f1(x1)).

5 Quantum circuit implementations of AES

AES is a family of iterative block ciphers, which encrypts 16 bytes (i.e., 128 bits) of plaintexts and consists of a round function and key expansion. The subroutines of the round function include SubBytes, ShiftRows, MixColumns, and AddRoundKey (note the last round does not perform the MixColumns). The subroutines of key expansion include SubWord, RotWord, and Rcon. AES’s three instances AES-128 (10 iterations), AES-192 (12 iterations), and AES-256 (14 iterations) correspond to the key lengths of 128, 192, and 256 bits respectively. The full specification of AES can be found in Ref. [22].

In the present study, we implement SubBytes (applying 16 S-box substitutions) and SubWord (applying 4 S-box substitutions) with the S-box circuits of Section 4. As for the linear operations, ShiftRows and RotWord can be implemented by appropriate rewiring. MixColumns can be implemented with 368 CNOT gates [43]. AddRoundKey is implemented with 128 CNOT gates. Rcon is implemented by applying NOT gates.

In the following, we introduce the methods of round function iteration and key expansion iteration, then synthesize the quantum circuit of AES.

5.1 Method of round function iteration

As shown in Table 1, quite a few round function iteration methods have been introduced. Grassl et al. [28] proposed the zig-zag method, which requires 512 + 24 = 536 qubits (24 is the number of ancilla qubits required by their S-box circuit for ), to implement the round function iteration of AES-128. Almazrooie et al. [29] and Langenberg et al. [30] employed the zig-zag method to complete the iteration. Zou et al. [31] proposed an improved zig-zag method that requires at least 256 qubits. Wang et al. [32] realized the iteration by the improved zig-zag method. Recently, Li et al. [25] presented a straight-line method, which requires 128 + 14 = 142 qubits (14 is the number of ancilla qubits required by their S-box circuit for ). To trade off the number of qubits against Toffoli depth, Huang et al. [26] completed the iteration by the straight-line method with 128 + 8 × 14 = 240 qubits (i.e., running the S-box circuit for eight times simultaneously when constructing the SubBytes of the ith iteration Ri).

We also apply Li et al.’s straight-line method to realize the round function iteration of AES-128. From Figure 8, we can see that our S-box circuit for reduces the number of ancilla qubits from 14 in the previous studies [25, 26] to 8. As a result, the number of qubits required to implement the round function iteration of AES-128 becomes 128 + 8 = 136. Similarly, the round function iteration of AES-192/-256 can also be implemented with 136/136 qubits.

Remark 3. We can also trade off the number of qubits against Toffoli depth by increasing the number of S-box circuits for run in parallel. That is, if we implement k S-box circuits for in parallel (k divides 16) each time in constructing the SubBytes of Ri, the number of qubits required for the round function iteration of AES-128/-192/-256 becomes 128 + 8k.

5.2 Method of key expansion iteration

Several key expansion iteration methods have been proposed. Grassl et al. [28] proposed the pipeline method, which requires at least 448 + 24 = 472 qubits (24 is the number of ancilla qubits required by their S-box circuit for ), to implement the key expansion iteration of AES-128. Then Almazrooie et al. [29] presented an improved pipeline method that requires at least 416 + 48 = 464 qubits. Langenberg et al. [30] found that the zig-zag method can be used to complete the key expansion iteration, which requires 352 + 16 = 368 qubits. Zou et al. [31] proposed an improved zig-zag method to realize the iteration, which requires 256 + 7 = 263 qubits (7 is the number of ancilla qubits required by Zou et al.’s S-box circuit for ). Wang et al. [32] presented a straight-line method to implement the key expansion iteration, which requires 128 + 16 qubits. To trade off the number of qubits against Toffoli depth, Jaques et al. [24] completed the iteration by the straight-line method with 128 + 4 × 121 = 612 qubits (i.e., running the S-box circuit for four times simultaneously when constructing the SubWord of key Ki in the ith iteration). Li et al. [25] and Huang et al. [26] adopted the straight-line method to complete the iteration.

Here, we apply the straight-line method to implement the key expansion iteration of AES-128. Because our S-box circuit for requires 4 ancilla qubits (see Figure 6), the key expansion iteration of AES-128 can be realized with 128 + 4 = 132 qubits. Similarly, we perform the key expansion iteration of AES-192/-256 with 196/260 qubits. Of course, as a trade-off between the number of qubits and Toffoli depth, the number of qubits can also be 128 + 4h/192 + 4h/256 + 4h for the key expansion iteration of AES-128/-192/-256 (h is the number of running S-box circuit for in parallel when the SubWord is constructed).

Remark 4. In synthesizing the quantum circuit of AES, if the SubBytes in Ri and the SubWord in the key expansion are not constructed simultaneously, the idle qubits used to implement the round function iteration can be reused to construct the SubWord. Thus, as in the previous studies (Grassl et al. [28]; Almazrooie et al. [29]; Langenberg et al. [30]; Wang et al. [32]; Li et al. [25]; Zou et al. [31]), the key expansion is implemented without adding ancilla qubits (see Table 1). Otherwise, as a trade-off between the number of qubits and Toffoli depth, it is necessary to add new qubits, as in the previous studies [24, 26].

5.3 Quantum circuits for implementing AES

Based on the straight-line method above, we synthesize the quantum circuit of AES-128 with 264 qubits, where 136 qubits and 128 qubits are used to complete the round function iteration and key expansion iteration. Note that 8 ancilla qubits in round function iteration are reused to implement the key expansion iteration.

First, as mentioned in the previous studies [25, 26, 28, 31], to save qubits, R0, which adds the key K0 to the plaintext m (the whitening step), is implemented by applying NOT gates to specific qubits of |K0⟩ (at most 128 NOT gates). Then, when |R0⟩ is used to compute the SubBytes in R1 later, |R0⟩ is restored to |K0⟩ by applying NOT gates (at most 128 NOT gates). In particular, the SubBytes in R1 are constructed by running our S-box circuit for sixteen times; the depth of is 3. The SubWord in K1 is constructed by running the S-box circuit for four times; the depth of is 2. After realizing the SubWord, we perform RotWord and Rcon to obtain K1 while ShiftRows and MixColumns are implemented. Finally, AddRoundKey is implemented by performing 128 CNOT gates in parallel. Therefore, realizing R0 and R1 requires Toffoli depth 3 × 32 + 2 × 42 = 180. Besides, these two rounds require 16 × 44 + 4 × 54 = 920 Toffoli gates, 197 × 16 + 238 × 4 + 96 + 368 + 128 = 4696 CNOT gates, and 256 + 4 × 20 + 1 = 337 NOT gates.

Then, we implement Ri (i > 1). Because requires 8 ancilla qubits (see Figure 8), we run the S-box circuit sixteen times one after another in order to construct the SubBytes. The depth of is 16, i.e., the Toffoli depth is 78 × 16 = 1,248. Similarly, because requires 4 ancilla qubits (see Figure 6), two S-box transformations in the SubWord of Ki can be implemented in parallel. Thus, the depth of required for constructing the SubWord is 2, i.e., the Toffoli depth is 42 × 2 = 84. After realizing the SubWord, we perform the RotWord and Rcon to obtain Ki while ShiftRows and MixColumns are implemented. The AddRoundKey is implemented last, by performing 128 CNOT gates in parallel. As a result, Ri can be constructed with Toffoli depth 1,248 + 84 = 1,332, since the SubBytes and SubWord cannot be implemented in parallel. Besides, Ri requires 16 × 96 + 4 × 54 = 1,752 Toffoli gates, 244 × 16 + 238 × 4 + 96 + 368 + 128 = 5,448 CNOT gates (R10 does not perform the MixColumns and requires 244 × 16 + 238 × 4 + 96 + 128 = 5,080 CNOT gates) and 4 × 20 + 1 = 81 NOT gates (R9 and R10 require 4 × 20 + 4 = 84 NOT gates).

At last, by combining these quantum circuits above, we can obtain the quantum circuit for implementing AES-128. Similarly, the quantum circuit of AES-192/-256 can be implemented with 334/398 qubits, respectively. Table 7 gives the quantum resources required for implementing AES. Obviously, our improved quantum circuits of S-box result in a reduction of the number of qubits.

TABLE 7

Algorithm   Scheme               #Qubits   #Toffoli   #CNOT     #NOT    Toffoli depth
AES-128     This work            264       16,688     53,360    1,072   12,168
            Li et al. [25]       270       16,508     81,652    1,072   11,008
            This work (p = 9)    328       16,664     53,496    1,072   1,472
            Huang and Sun [26]   374       17,888     126,016   2,528   1,558
AES-192     This work            328       19,328     60,736    1,160   14,496
            Li et al. [25]       334       19,196     94,180    1,160   13,144
AES-256     This work            392       23,480     74,472    1,367   17,412
            Li et al. [25]       398       23,228     114,476   1,367   15,756

Quantum resources for implementing AES.

Remark 5. We can make a trade-off between the number of qubits and Toffoli depth. From Figures 6, 8, it can be seen that the number of ancilla qubits required for two S-box circuits for is the same as the number of ancilla qubits required for one S-box circuit for . We regard two parallel circuits for as a whole circuit and call such a circuit and double-width S-box circuits. In this case, 18 double-width S-box circuits in total are required in constructing the SubBytes and SubWord of Ri (i > 1). If p double-width S-box circuits are implemented in parallel (p divides 18, i.e., p = 1, 2, 3, 6, 9, 18), the number of qubits required for AES-128 will be 256 + 8p.

  • When p = 1, the circuit costs for implementing AES-128 are given in Table 7;

  • When p > 1, the Toffoli depth of constructing the SubBytes and SubWord in Ri (i > 1) becomes 78 × 18/p = 1,404/p.

  • When p = 2, the depth of the S-box circuit for in constructing the SubBytes of R1 is 3, i.e., the Toffoli depth is 32 × 3 = 96, and the depth of the S-box circuit for in constructing the SubWord of round key K1 becomes 1, i.e., the Toffoli depth is 42. Thus, R1 is implemented with a Toffoli depth of 138;

  • When p = 3 or 6, the Toffoli depth of SubBytes in constructing R1 is 32 × 2 = 64, and the Toffoli depth of SubWord in constructing the round key K1 becomes 36. Thus, R1 is implemented with a Toffoli depth of 100. Here, the SubWord is constructed with the S-box circuit for in Ref. [25] because it requires lower Toffoli depth and the ancilla qubits are also sufficient at this time;

  • When p = 9 or 18, the Toffoli depth of SubBytes in constructing R1 is 32, and the Toffoli depth of SubWord in constructing the round key K1 becomes 36. Thus, R1 is implemented with a Toffoli depth of 68. Table 7 also gives the quantum resources required for implementing AES-128 when p = 9.
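As an added worked example (not code from the paper or its repository), the following Python reassembles the AES-128 totals of Table 7 from the per-round figures of Section 5.3 and the qubit/Toffoli-depth trade-off of Remark 5. Reading the "+1"/"+4" NOT-gate term as the Hamming weight of the AES round constant Rcon is this example's own assumption; the page's counts are consistent with it.

```python
# Added example: reassemble the AES-128 resource totals of Table 7 from the
# per-round figures stated in Section 5.3 and the p trade-off of Remark 5.
# Assumption (not stated on the page): the "+1"/"+4" NOT gates per round are
# the Hamming weight of the round constant Rcon added in the key expansion.

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
ROUNDS = 10  # AES-128 rounds R1..R10; the whitening step R0 is folded into R1


def round_costs(i):
    """(Toffoli, CNOT, NOT) gate counts of round i, as given in Section 5.3."""
    rcon_nots = bin(RCON[i - 1]).count("1")  # NOT gates realising Rcon (assumption)
    if i == 1:
        tof = 16 * 44 + 4 * 54                    # 16 S-boxes |a>|0>, 4 S-boxes in SubWord
        cnot = 197 * 16 + 238 * 4 + 96 + 368 + 128
        nots = 256 + 4 * 20 + rcon_nots           # 2 x 128 NOTs for K0 whitening/restore
    else:
        tof = 16 * 96 + 4 * 54                    # in-place S-box |a> -> |S(a)>
        mix = 368 if i < ROUNDS else 0            # R10 performs no MixColumns
        cnot = 244 * 16 + 238 * 4 + 96 + mix + 128
        nots = 4 * 20 + rcon_nots
    return tof, cnot, nots


def toffoli_depth(p=1):
    """Total Toffoli depth when p double-width S-box circuits run in parallel."""
    assert 18 % p == 0, "p must divide 18 (Remark 5)"
    r1 = {1: 180, 2: 138, 3: 100, 6: 100, 9: 68, 18: 68}[p]   # R0 + R1
    per_round = 1332 if p == 1 else 1404 // p                 # Ri, i > 1
    return r1 + (ROUNDS - 1) * per_round


def aes128_resources(p=1):
    """Qubits and Toffoli depth for any valid p; gate totals only for p = 1,
    because the page gives per-round gate counts for the p = 1 layout only."""
    res = {"qubits": 256 + 8 * p, "toffoli_depth": toffoli_depth(p)}
    if p == 1:
        per_round = [round_costs(i) for i in range(1, ROUNDS + 1)]
        tof, cnot, nots = (sum(col) for col in zip(*per_round))
        res.update(toffoli=tof, cnot=cnot, nots=nots)
    return res


if __name__ == "__main__":
    for p in (1, 2, 3, 6, 9, 18):
        print(f"p = {p:2d}: {aes128_resources(p)}")
```

For p = 1 and p = 9 the returned values match the two "This work" AES-128 rows of Table 7, which is the check a reader can use before trusting the per-round arithmetic for the other p values.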

6 Conclusion

In this study, we set a new record for the number of qubits required to synthesize the quantum circuit of AES. First, we find a method to realize the quantum circuit of the AES S-box with the help of the automation tool LIGHTER-R. Specifically, the main part of the S-box, i.e., the multiplicative inversion in , is computed through the multiplicative inversion (and multiplication) in , and the quantum circuit implementation of the latter is then obtained by the tool LIGHTER-R. Based on this, the quantum circuits of S-box for and are constructed with 20 qubits instead of 22 in the previous studies, respectively. Second, by introducing new techniques, we reduce the number of qubits required by the S-box circuit for from 22 in the previous studies to 16. At last, by applying these S-box circuits for , and , we synthesize the quantum circuits of AES-128/-192/-256 with 264/328/392 qubits instead of 270/334/398 in the previous studies.

Some inspirations can be drawn from our results. On the one hand, automated tools, for example LIGHTER-R, should be fully utilized. On the other hand, similar to our circuit for |a⟩ → |S(a)⟩, the goal circuit should be designed directly wherever possible instead of using the previous trivial method, i.e., connecting two circuits. Particularly, since other symmetric ciphers (such as SM4 and Camellia) also use a similar S-box, their quantum circuits might be optimized by our methods.

Statements

Data availability statement

The original contributions presented in the study are included in the article/Supplementary Material, further inquiries can be directed to the corresponding author.

Author contributions

All authors listed have made a substantial, direct, and intellectual contribution to the work and approved it for publication.

Funding

This work is supported by the National Natural Science Foundation of China (Grant Nos 61972048, 62272056, and 61976024) and Henan Key Laboratory of Network Cryptography Technology (LNCT2021-A10).

Conflict of interest

The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

Publisher’s note

All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.

Supplementary material

The Supplementary Material for this article can be found online at: https://www.frontiersin.org/articles/10.3389/fphy.2023.1171753/full#supplementary-material

Footnotes

1. The source code of LIGHTER-R is available at https://github.com/vdasu/lighter-r.

2. They refer to the same quantum gate. Only CCCNOT is mentioned below.

3. The code that verifies the correctness of these S-box circuits is available at https://github.com/lzq192921/quantum-circuit-implementation-of-AES.git.

References

1. Harrow AW, Hassidim A, Lloyd S. Quantum algorithm for linear systems of equations. Phys Rev Lett (2009) 103:150502. 10.1103/physrevlett.103.150502

2. Wan L, Yu C, Pan S, Gao F, Wen Q, Qin S. Asymptotic quantum algorithm for the Toeplitz systems. Phys Rev A (2018) 97:062322. 10.1103/physreva.97.062322

3. Liu H, Wu Y, Wan L, Pan S, Qin S, Gao F, et al. Variational quantum algorithm for the Poisson equation. Phys Rev A (2021) 104:022418. 10.1103/physreva.104.022418

4. Lloyd S, Mohseni M, Rebentrost P. Quantum algorithms for supervised and unsupervised machine learning (2013). arXiv preprint arXiv:1307.0411.

5. Wiebe N, Braun D, Lloyd S. Quantum algorithm for data fitting. Phys Rev Lett (2012) 109:050505. 10.1103/physrevlett.109.050505

6. Rebentrost P, Mohseni M, Lloyd S. Quantum support vector machine for big data classification. Phys Rev Lett (2014) 113:130503. 10.1103/physrevlett.113.130503

7. Ye Z, Li L, Situ H, Wang Y. Quantum speedup for twin support vector machines (2019). arXiv preprint arXiv:1902.08907.

8. Li Q, Huang Y, Jin S, Hou X, Wang X. Quantum spectral clustering algorithm for unsupervised learning (2022). arXiv preprint arXiv:2203.03132.

9. Lloyd S, Mohseni M, Rebentrost P. Quantum principal component analysis. Nat Phys (2014) 10:631-3. 10.1038/nphys3029

10. Cong I, Duan L. Quantum discriminant analysis for dimensionality reduction and classification. New J Phys (2016) 18:073011. 10.1088/1367-2630/18/7/073011

11. Pan S, Wan L, Liu H, Wang Q, Qin S, Wen Q, et al. Improved quantum algorithm for A-optimal projection. Phys Rev A (2020) 102:052402. 10.1103/physreva.102.052402

12. Yu C, Gao F, Lin S, Wang J. Quantum data compression by principal component analysis. Quan Inf Process (2019) 18:24920. 10.1007/s11128-019-2364-9

13. Wang G. Quantum algorithm for linear regression. Phys Rev A (2017) 96:012335. 10.1103/physreva.96.012335

14. Yu C, Gao F, Wen Q. An improved quantum algorithm for ridge regression. IEEE Trans Knowledge Data Eng (2019) 33:1866. 10.1109/tkde.2019.2937491

15. Yu C, Gao F, Liu C, Huynh D, Reynolds M, Wang J. Quantum algorithm for visual tracking. Phys Rev A (2019) 99:022301. 10.1103/physreva.99.022301

16. Yu C, Gao F, Wang Q, Wen Q. Quantum algorithm for association rules mining. Phys Rev A (2016) 94:042311. 10.1103/physreva.94.042311

17. Liu N, Rebentrost P. Quantum machine learning for quantum anomaly detection. Phys Rev A (2018) 97:042315. 10.1103/physreva.97.042315

18. Guo M, Liu H, Li Y, Li W, Gao F, Qin S, et al. Quantum algorithms for anomaly detection using amplitude estimation. Physica A: Stat Mech its Appl (2022) 604:127936. 10.1016/j.physa.2022.127936

19. Shor PW. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput (1997) 26:1484-509. 10.1137/s0097539795293172

20. Grover LK. A fast quantum mechanical algorithm for database search. In: Miller GL, editor. Proceedings of the twenty-eighth annual ACM symposium on Theory of computing. New York, NY, USA: ACM (1996). p. 212-9.

21. Simon DR. On the power of quantum computation. SIAM J Comput (1997) 26:1474-83. 10.1137/s0097539796298637

22. Joan D, Vincent R. Specification for the Advanced Encryption Standard (AES). Springfield: FIPS 197 (2001).

23. NIST. Submission requirements and evaluation criteria for the post-quantum cryptography standardization process (2016).

24. Jaques S, Naehrig M, Roetteler M, Virdia F. Implementing Grover oracles for quantum key search on AES and LowMC. In: Canteaut A, Ishai Y, editors. Advances in cryptology – EUROCRYPT 2020. Cham: Springer (2020). p. 280-310.

25. Li Z, Cai B, Sun H, Liu H, Wan L, Qin S, et al. Novel quantum circuit implementation of Advanced Encryption Standard with low costs. Sci China Phys Mech Astron (2022) 65:290311. 10.1007/s11433-022-1921-y

26. Huang Z, Sun S. Synthesizing quantum circuits of AES with lower T-depth and less qubits (2022). Cryptology ePrint Archive, Paper 2022/620.

27. Jang K, Baksi A, Kim H, Song G, Seo H, Chattopadhyay A. Quantum analysis of AES (2022). Cryptology ePrint Archive, Paper 2022/683.

28. Grassl M, Langenberg B, Roetteler M, Steinwandt R. Applying Grover's algorithm to AES: Quantum resource estimates. In: Takagi T, editor. Post-quantum cryptography. Cham: Springer (2016). p. 29-43.

29. Almazrooie M, Samsudin A, Abdullah R, Mutter KN. Quantum reversible circuit of AES-128. Quan Inf Process (2018) 17:11230. 10.1007/s11128-018-1864-3

30. Langenberg B, Pham H, Steinwandt R. Reducing the cost of implementing the Advanced Encryption Standard as a quantum circuit. IEEE Trans Quan Eng (2020) 1:1-12. 10.1109/tqe.2020.2965697

31. Zou J, Wei Z, Sun S, Liu X, Wu W. Quantum circuit implementations of AES with fewer qubits. In: Moriai S, Wang H, editors. Advances in cryptology – ASIACRYPT 2020. Cham: Springer (2020). p. 697-726.

32. Wang Z, Wei S, Long G. A quantum circuit design of AES requiring fewer quantum qubits and gate operations. Front Phys (2022) 17:415017. 10.1007/s11467-021-1141-2

33. Dasu VA, Baksi A, Sarkar S, Chattopadhyay A. LIGHTER-R: Optimized reversible circuit implementation for S-boxes. In: 2019 32nd IEEE International System-on-Chip Conference (SOCC). Singapore: IEEE (2019). p. 260-5. 10.1109/SOCC46988.2019.1570548320

34. Wolkerstorfer J, Oswald E, Lamberger M. An ASIC implementation of the AES S-boxes. In: Preneel B, editor. Topics in cryptology - CT-RSA 2002. Berlin, Heidelberg: Springer (2002). p. 67-78.

35. Almazrooie M, Abdullah R, Samsudin A, Mutter KN. Quantum Grover attack on the simplified-AES. In: Proceedings of the 2018 7th International Conference on Software and Computer Applications. New York, NY, USA: ACM (2018). p. 204-11. 10.1145/3185089.3185122

36. Saravanan P, Kalpana P. Novel reversible design of Advanced Encryption Standard cryptographic algorithm for wireless sensor networks. Wireless Personal Commun (2018) 100:1427-58. 10.1007/s11277-018-5647-z

37. Chung D, Lee S, Choi D, Lee J. Alternative tower field construction for quantum implementation of the AES S-box. IEEE Trans Comput (2022) 71:2553-64. 10.1109/tc.2021.3135759

38. Boyar J, Peralta R. A new combinational logic minimization technique with applications to cryptology. In: Festa P, editor. Experimental algorithms. Berlin, Heidelberg: Springer (2010). p. 178-89.

39. Jang K, Song G, Kim H, Kwon H, Kim H, Seo H. Efficient implementation of PRESENT and GIFT on quantum computers. Appl Sci (2021) 11:4776. 10.3390/app11114776

40. Baksi A, Jang K, Song G, Seo H, Xiang Z. Quantum implementation and resource estimates for RECTANGLE and KNOT. Quan Inf Process (2021) 20:39524. 10.1007/s11128-021-03307-6

41. Jang K, Baksi A, Breier J, Seo H, Chattopadhyay A. Quantum implementation and analysis of DEFAULT (2022). Cryptology ePrint Archive.

42. Amy M, Di Matteo O, Gheorghiu V, Mosca M, Parent A, Schanck J. Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. In: Avanzi R, Heys H, editors. Selected areas in cryptography – SAC 2016. Cham: Springer (2017). p. 317-37.

43. Xiang Z, Zeng X, Lin D, Bao Z, Zhang S. Optimizing implementations of linear layers. IACR Trans Symmetric Cryptology (2020) 2020:120-45. 10.46586/tosc.v2020.i2.120-145

Summary

Keywords

AES, S-box, quantum circuit, multiplication inversion, number of qubits

Citation

Li Z, Gao F, Qin S and Wen Q (2023) New record in the number of qubits for a quantum implementation of AES. Front. Phys. 11:1171753. doi: 10.3389/fphy.2023.1171753

Received

22 February 2023

Accepted

13 March 2023

Published

24 March 2023

Volume

11 - 2023

Edited by

Nanrun Zhou, Shanghai University of Engineering Sciences, China

Reviewed by

Mingxing Luo, Southwest Jiaotong University, China

Tan Xiaoqing, Jinan University, China


*Correspondence: Fei Gao,

This article was submitted to Quantum Engineering and Technology, a section of the journal Frontiers in Physics
