Alternative Tower Field Construction for Quantum Implementation of the AES S-Box.

Grover’s search algorithm allows a quantum adversary to find a $k$ k -bit secret key of a block cipher by making O($2^{k/2}$ 2 k / 2 ) block cipher queries. Resistance of a block cipher to such an attack is evaluated by quantum resources required to implement Grover’s oracle for the target cipher. The quantum resources are typically estimated by the $\textit {T}$ T -depth of its circuit implementation and the number of qubits used by the circuit (width). Since the AES S-box is the only component which requires $\textit {T}$ T -gates in a quantum implementation of AES, recent research has put its focus on efficient implementation of the AES S-box. However, any efficient implementation with low $\textit {T}$ T -depth will not be practical in the real world without considering qubit consumption of the implementation. In this work, we propose three methods of trade-off between time and space for the quantum implementation of the AES S-box. In particular, one of our methods turns out to use the smallest number of qubits among the existing methods, significantly reducing its $\textit {T}$ T -depth. [ABSTRACT FROM AUTHOR]