Quantum reversible circuits for \(\mathrm{GF}(2^{8})\) multiplicative inverse

The synthesis of quantum circuits for multiplicative inverse over \(\operatorname{GF}(2^{8})\) are discussed in this paper. We first convert the multiplicative inverse operation in \(\operatorname{GF}(2^{8})\) to arithmetic operations in the composite field \(\operatorname{GF}((2^{4})^{2})\), and then discuss the expressions of the square calculation, the inversion calculation and the multiplication calculation separately in the finite field \(\operatorname{GF}(2^{4})\), where the expressions of multiplication calculation in \(\operatorname{GF}(2^{4})\) are given directly in \(\operatorname{GF}(2^{4})\) and given through being transformed into the composite field \(\operatorname{GF}((2^{2})^{2})\). Then the quantum circuits of these calculations are realized one by one. Finally, two quantum circuits for multiplicative inverse over \(\operatorname{GF}(2^{8})\) are synthesized. They both use 21 qubits, the first quantum circuit uses 55 Toffoli gates and 107 CNOT gates and the second one uses 37 Toffoli gates and 209 CNOT gates. As an example of the application of multiplication inverse, we apply these quantum circuits to the implementations of the S-box quantum circuit of the AES cryptographic algorithm. Two quantum circuits for implementing the S-box of the AES cryptographic algorithm are presented. The first quantum circuit uses 21 qubits, 55 Toffoli gates, 131 CNOT gates and 4 NOT gates and the second one uses 21 qubits, 37 Toffoli gates, 233 CNOT gates and 4 NOT gates. Through the evaluation of quantum cost, the two quantum circuits of the S-box of AES cryptographic algorithm use less quantum resources than the existing schemes.

The quantum circuit implementations of symmetric cryptographic algorithms have recently received researchers’ attention for the following two reasons. On one hand, the security analysis of a cryptographic algorithm in quantum environment needs to estimate the quantum resources used in the cryptographic algorithm. Implementing the cryptographic algorithm with quantum circuits is the most direct way to estimate the quantum resources used. On the other hand, quantum logic gates are all reversible, and cryptographic algorithms implemented by using quantum circuits to consume near zero power theoretically and resist from various side-channel attacks related to power analysis [3, 16].

In the quantum circuit realization schemes of these symmetric cryptographic algorithms, the realization or optimization of the quantum circuit of the S-box is an important research content in these schemes. In 2016, Markus et al. [6] firstly estimated the quantum resources required in the S-box in the AES encryption algorithm [5] with two schemes. The Itoh-Tsujii algorithm [7] was mainly used to estimate the resources in the first scheme, which requires a total of 40 qubits, 3584 T gates and 4569 Clifford gates. By computing the short factorizations to estimate the quantum resources in the second scheme, which needs a total of 9 qubits, no more than 9695 T gates and 12631 Clifford gates. However, the authors only estimated the quantum resources required to realize the S-box but did not give the specific quantum circuits. In 2018, Almazrooie et al. [1] implemented the quantum reversible circuit of AES-128. A total of 56 qubits, 448 Toffoli gates, 494 CNOT gates and 4 NOT gates are used in the quantum circuit of S-box. By optimizing the Boolean expressions of each output in the S-box of the AES encryption algorithm, the quantum circuit given by Langenberg et al. [8] uses a total of 32 qubits, 55 Toffoli gates, 314 CNOT gates and 4 NOT gates. By further optimizing the output Boolean expressions in the S-box of the AES encryption algorithm, the quantum circuit designed by Zou et al. [23] uses a total of 26 qubits, 46 Toffoli gates, 304 CNOT gates and 4 NOT gates. In addition to AES block cipher algorithm, Luo et al. [11] also implemented the quantum circuit of S-box of SM4 cipher algorithm [13], which uses a total of 48 qubits and 592 quantum logic gates. Soon after, Luo et al. [12] used only 21 qubits, 55 Toffoli gates, 176 CNOT gates and 10 NOT gates to realize the quantum circuit of S-box of SM4 cryptographic algorithm.

By analyzing the algebraic expressions of S-boxes of AES [5], SM4 [10] and Camellia [2] etc., it can be seen that the outputs of S-boxes of these algorithms are almost obtained by multiplicative inverse operations and affine transformations of the inputs over the finite field \(\operatorname{GF}(2^{8})\). The quantum circuit of affine transformation is easy to implement. The matrix in the affine transformation can be realized in a manner similar to Gaussian elimination, that is, the matrix is transformed into a unit matrix through row transformation, and a CNOT gate is added to the corresponding qubits when the row transformation is performed. And then these CNOT gates are arranged in reverse order, the quantum circuit of the matrix is constructed. For the column vector, it can be realized by adding NOT gates at the corresponding qubits where “1” appears. The difficulty of the problem is how to realize the quantum circuit of the multiplicative inverse over the finite field \(\operatorname{GF}(2^{8})\). In fact, Wang et al. [21] showed that the inverse of α is \(\alpha ^{-1}=\alpha ^{2^{m}-2}\) for any α in the finite field \(\operatorname{GF}(2^{m})\). This formula was used in Ref. [1, 11] to construct the quantum circuits of the multiplicative inverse in the S-boxes. However, the quantum circuits constructed in this way used too much quantum resources. In this paper, we will discuss that the quantum reversible circuits over \(\operatorname{GF}(2^{8})\) multiplicative inverse based on composite field arithmetic, which has been applied to S-box optimization using CMOS standard cell library [4, 17]. It is also helpful for constructing the quantum circuits of multiplicative inverse in finite field \(\operatorname{GF}(2^{m})\).

The rest of this paper is organized as follows. We will introduce the preliminaries in Sect. 2. In Sect. 3, the arithmetic operations over finite fields and composite fields are described. In Sect. 4, all the quantum circuits are synthesised in details. Finally, a short discussion and conclusion is given in Sect. 5.

Let \(f(x)\in \operatorname{GF}(2)[x]\) be an irreducible polynomial over binary finite field \(\operatorname{GF}(2)\) of degree 8 and let X be a root of \(f(x)\), then any element \(\alpha \in \operatorname{GF}(2^{8})\) can be represented in the polynomial basis \(\{1,X,X^{2},\ldots,X^{7}\}\) as \(\alpha =\sum_{i=0}^{7} a_{i} X^{i}\) with \(a_{i}\in \operatorname{GF}(2)\). For any \(\alpha \in \operatorname{GF}(2^{8})\), its inverse is the element \(\alpha ^{-1}\) such that \(\alpha \cdot \alpha ^{-1}\equiv 1\) mod \(f(x)\).

The main work in this paper is to construct the quantum circuits of the inverse for any given \(\alpha \in \operatorname{GF}(2^{8})\) by using quantum gates. The elementary quantum gates are used to manipulate quantum information in quantum computation [14]. Quantum gates are reversible, that is, they can be regarded as bijection. Three types of elementary quantum gates, which are quantum NOT gate, CNOT gate and Toffoli gate, will be used in this paper. The quantum NOT gate maps one qubit \(|B\rangle \) as \(|B\rangle \longrightarrow |B\oplus 1\rangle \) as shown in Fig. 1(a), where ⊕ is the \(\operatorname{GF}(2)\) addition (XOR). Since the matrix form of the quantum NOT gate is equal to the Pauli X matrix, the notation “x” for the quantum NOT gate is used for historical reasons in some literatures. The CNOT gate maps two qubits \(|B_{1}\rangle \) and \(|B_{2}\rangle \) as \(|B_{1}\rangle |B_{2}\rangle \longrightarrow |B_{1}\rangle |B_{2} \oplus B_{1}\rangle \) as shown in Fig. 1(b), where \(|B_{1}\rangle \) is control qubit and \(|B_{2}\rangle \) is target qubit. A CNOT gate has a quantum cost of 1 [20]. The Toffoli gate maps three qubits \(|B_{1}\rangle \), \(|B_{2}\rangle \) and \(|B_{3}\rangle \) as \(|B_{1}\rangle |B_{2}\rangle |B_{3}\rangle \longrightarrow |B_{1} \rangle |B_{2}\rangle |B_{3}\oplus B_{1}B_{2}\rangle \) as shown in Fig. 1 (c), where \(|B_{1}\rangle \) and \(|B_{2}\rangle \) are control qubits and \(|B_{3}\rangle \) is target qubit. The quantum cost of Toffoli gate is 5 as it needs 5 2-qubit gates to implement it [20].

The elementary quantum gates in NCT gate library

Full size image

In fact, the NCT gate library composed only of NOT gates, CNOT gates and Toffoli gates is universal, that is, for all m and all permutations \(\pi \in S_{2^{m}}\), there exists some n such that some circuit composed of gates from NCT gate library computes π using n qubits of temporary storage [19].

The idea is to transform the calculation in the finite field \(\operatorname{GF}(2^{8})\) into the composite field arithmetic, and gradually realize the quantum circuits calculated in the composite field, so as to construct the quantum circuits for multiplicative inverse in the finite field \(\operatorname{GF}(2^{8})\).

3.1 Multiplicative inverse over \(\operatorname{GF}((2^{4})^{2})\)

Let \(g(y)=y^{2}+\mu y+\lambda \) be an irreducible polynomial over \(\operatorname{GF}((2^{4})^{2})\) and let Y be a root of \(g(y)\), where \(\mu ,\lambda \in \operatorname{GF}(2^{4})\), then for any \(\textbf{r} \in \operatorname{GF}((2^{4})^{2})\) we have \(\textbf{r}=r_{1} Y+r_{0}\), where \(r_{1}, r_{0} \in \operatorname{GF}(2^{4})\). For any \(\textbf{r}=r_{1} Y+r_{0} \in \operatorname{GF}((2^{4})^{2})\), we can compute its inverse as

We enforce the \(\mu =1\) so as to simplify arithmetic operations, then \(g(y)=y^{2}+ y+\lambda \) and the formula (1) become

We next discuss the arithmetic operations in finite field \(\operatorname{GF}(2^{4})\) because \(r_{1}, r_{0},\lambda \in \operatorname{GF}(2^{4})\) in formula (2).

3.2 \(\operatorname{GF}(2^{4})\) arithmetic

Let \(h(z)\) be an irreducible polynomial over \(\operatorname{GF}(2)\) of degree 4 and let Z be a root of \(h(z)\), then any element \(\textbf{a}\in \operatorname{GF}(2^{4})\) can be represented as \(\textbf{a}=\sum_{i=0}^{3} a_{i} Z^{i}\) with \(a_{i}\in \operatorname{GF}(2)\). Because the characteristic of the finite field \(\operatorname{GF}(2^{4})\) is 2, for any \(\textbf{a}=\sum_{i=0}^{3} a_{i} Z^{i} \in \operatorname{GF}(2^{4})\) we have

Therefore, for any \(\textbf{a} \in \operatorname{GF}(2^{4})\), there exists a matrix \(\textbf{S}\equiv [1,Z^{2},Z^{4},Z^{6}] \bmod h(z)\) over \(\operatorname{GF}(2)\) such that

For multiplication calculation, we can get the following results from Theorem 1 in Ref. [15]: for \(\textbf{a,b}\in \operatorname{GF}(2^{4})\), note that \(\textbf{c}=\textbf{a}\cdot \textbf{b}\) we have

where

and \(\textbf{Q}^{T}\) is the transpose matrix of Q over \(\operatorname{GF}(2)\) such that

For the multiplicative inverse in finite field \(\operatorname{GF}(2^{4})\), it is actually to construct a quantum circuit that maps any element \(\textbf{a}\in \operatorname{GF}(2^{4})\) to its inverse \(\textbf{a}^{-1}\), i.e. \(\sigma (\textbf{a})=\textbf{a}^{-1}\). Obviously, the mapping σ is a bijection, so it can be regarded as a 4-qubit reversible logic function. Although all 4-qubit logic functions cannot been synthesized with existing logic synthesis methods [9, 22], we can fortunately synthesize the quantum circuit for the multiplicative inverse mapping σ for some specific irreducible polynomial \(h(z)\).

Next, we discuss whether the arithmetic in \(\operatorname{GF}(2^{4})\) need to be transformed into the composite field \(\operatorname{GF}((2^{2})^{2})\), so as to further optimize the quantum circuits to be constructed? In fact, for a given invertible matrix over \(\operatorname{GF}(2)\), we can effectively construct its quantum circuit with CNOT gates, so the quantum circuit of square operation in \(\operatorname{GF}(2^{4})\) can be easily constructed by using formula (4). Because the quantum circuit that synthesizes multiplicative inverse in \(\operatorname{GF}((2^{2})^{2})\) has to use additional auxiliary qubits compared with in \(\operatorname{GF}(2^{4})\), we don’t have to convert the arithmetic to \(\operatorname{GF}((2^{2})^{2})\) to construct it. However, it is not immediately obvious whether the quantum circuit of multiplication in \(\operatorname{GF}(2^{4})\) through arithemetic in \(\operatorname{GF}((2^{2})^{2})\) can reduce the use of quantum resources, we discuss this next.

3.3 Multiplication over \(\operatorname{GF}((2^{2})^{2})\)

Let \(p(w)=w^{2}+ w+\eta \) be an irreducible polynomial over \(\operatorname{GF}(2^{2})\) and let W be a root of \(p(w)\), where \(\eta \in \operatorname{GF}(2^{2})\), then for two elements \(\textbf{s}=s_{1} W+s_{0}\), \(\textbf{t}=t_{1} W+t_{0} \in \operatorname{GF}((2^{2})^{2})\), we may compute the product \(\textbf{s}\times \textbf{t}\) as follows:

Formula (9) requires us to do multiplication in finite field \(\operatorname{GF}(2^{2})\). There is only one irreducible polynomial \(q(v)=v^{2}+v+1\) over \(\operatorname{GF}(2)\). Let V be a root of \(q(v)\), then for two elements \(\textbf{i}=i_{1} V+i_{0}\), \(\textbf{j}=j_{1} V+j_{0} \in \operatorname{GF}(2^{2})\), we have

3.4 Change of basis representations

Before constructing the quantum circuits, we need to discuss the isomorphic mappings of basis transformations. Let ϕ be the isomorphic mapping from the finite field \(\operatorname{GF}(2^{8})\) to the composite field \(\operatorname{GF}((2^{4})^{2})\), that is, \(\phi : \operatorname{GF}(2^{8}) \longmapsto \operatorname{GF}((2^{4})^{2})\), then its inverse mapping \(\phi ^{-1}\) is the isomorphic mapping from the composite field \(\operatorname{GF}((2^{4})^{2})\) to the finite field \(\operatorname{GF}(2^{8})\). Using the fact that \(\operatorname{GF}(2^{8})\) contains a subfield isomorphic to \(\operatorname{GF}((2^{4})^{2})\) as well as a subfield isomorphic to \(\operatorname{GF}(2^{4})\), we may represent both Y and Z as elements in \(\operatorname{GF}(2^{8})\). Then, the basis change mapping \(\phi ^{-1}\) can be computed as follows:

Using the fact that \((\phi ^{-1})^{-1}=\phi \), the isomorphic mapping ϕ can be computed. Similarly, the isomorphic mapping \(\psi ^{-1}\) from the composite field \(\operatorname{GF}((2^{2})^{2})\) to the finite field \(\operatorname{GF}(2^{4})\) can be computed as follows:

And the isomorphic mapping ψ from \(\operatorname{GF}(2^{4})\) to \(\operatorname{GF}((2^{2})^{2})\) can be computed by using the fact that \(\psi =(\psi ^{-1})^{-1}\).

The quantum circuits are mainly implemented by Python language and qiskit software package developed by IBM Corporation. We specify \(f(x)=x^{8}+x^{4}+x^{3}+x+1\) because it is also used in the algebraic expression of the S-box of AES cryptographic algorithm and \(h(z)=z^{4}+z+1\) because less quantum resources are used to synthesize the quantum circuit of multiplicative inverse in \(\operatorname{GF}(2^{4})\) by using the bidirectional synthesis method [22]. Of course, our implementation methods are also applicable for other irreducible polynomials.

4.1 Quantum circuit of square over \(\operatorname{GF}(2^{4})\)

After \(h(z)=z^{4}+z+1\) is specified, the value of S in formula (4) can be computed as

The quantum circuit of S can be synthesised by using Gaussian elimination method as Fig. 2.

The quantum circuit of square over \(\operatorname{GF}(2^{4})\)

Full size image

4.2 Quantum circuit of multiplication over \(\operatorname{GF}(2^{4})\)

The value of \(\textbf{Q}^{T}\) can be computed by using formula (8) as

The quantum circuit of multiplication over \(\operatorname{GF}(2^{4})\) can be synthesised with formula (5) as Fig. 3. As we discussed in Sect. 3.3, the quantum circuit of multiplication in \(\operatorname{GF}(2^{4})\) can also be synthesised by using the operations in the composite field \(\operatorname{GF}((2^{2})^{2})\). Here, we first calculate the isomorphic mappings ψ and \(\psi ^{-1}\) between finite field \(\operatorname{GF}(2^{4})\) and composite field \(\operatorname{GF}((2^{2})^{2})\). There are 2 irreducible polynomials in the form of \(p(w)=w^{2}+w+\eta \) in \(\operatorname{GF}((2^{2})^{2})\) and each polynomial has 2 roots and the irreducible polynomial \(q(v)=v^{2}+v+1\) has 2 roots. Therefore, there are 8 pairs of isomorphic mappings ψ and \(\psi ^{-1}\). In order to minimize the use of quantum gates in realizing the isomorphic mappings, we select the pair with the least number of elements “1”. By doing so, we can get \(\eta =V\) and

Then the quantum circuit of isomorphic mapping \(\psi ^{-1}\) can be synthesised as Fig. 4(a) and ψ as Fig. 4(b).

The quantum circuit of multiplication over \(\operatorname{GF}(2^{4})\)

Full size image

Quantum circuits of isomorphic mappings between \(\operatorname{GF}(2^{4})\) and \(\operatorname{GF}((2^{2})^{2})\)

Full size image

According to Eq. (10), the quantum circuit of multiplication over \(\operatorname{GF}(2^{2})\) can be synthesised as Fig. 5. If the initial quantum state on wire \(k_{0}\) is not \(|0\rangle \) before executing the quantum circuit, we have to change the second quantum gate \(\operatorname{CNOT}(k_{0}; k_{1})\) to \(\operatorname{Toffoli}(i_{0},j_{0};k_{1})\).

The quantum circuit of multiplication over \(\operatorname{GF}(2^{2})\)

Full size image

Then, we can synthesis the quantum circuit of multiplication over \(\operatorname{GF}(2^{4})\) according to Eq. (9) and the isomorphic mappings between \(\operatorname{GF}(2^{4})\) and \(\operatorname{GF}((2^{2})^{2})\) as Fig. 6.

The quantum circuit of multiplication over \(\operatorname{GF}(2^{4})\) using arithmetic in \(\operatorname{GF}((2^{2})^{2})\)

Full size image

Both Fig. 3 and Fig. 6 implement the quantum circuits of multiplication over \(\operatorname{GF}(2^{4})\), but they use different quantum resources. We analyze the quantum resources by comparing the number of CNOT gates, the number of Toffoli gates and quantum cost used in the two methods as shown in Table 1. As can be seen from Table 1, the quantum circuit in Fig. 6 uses more CNOT gates and more quantum cost than those in Fig. 3, but less Toffoli gates than that in Fig. 3. However, a circuit consisting of CNOT gates and one-qubit gates which implements the 3-qubit Toffoli gate without ancillae requires at least 6 CNOT gates [18]. According to this metric, the quantum circuit in Fig. 6 use less quantum resources than the quantum circuit in Fig. 3

4.3 Quantum circuit of multiplicative inverse over \(\operatorname{GF}(2^{4})\)

After \(h(z)=z^{4}+z+1\) is specified, we can express the mapping σ that maps any element \(\textbf{a} \in \operatorname{GF}(2^{4})\) to its inverse as the permutation as \((2,9)(3,14)(4,13)(5,11)(6,7)(8,15)(10,12)\). Obviously, this is an odd permutation consisting of 7 transpositions. But the NOT gates, CNOT gates and Toffoli gates in the 4-qubit circuit are all even permutations, which means that the 4-qubit quantum circuit synthesized only by using the logic gates in the NCT library cannot realize the multiplicative inverse over \(\operatorname{GF}(2^{4})\). Our strategy is to add an auxiliary qubit and synthesize an odd permutation first. Here we first use two Toffoli gates to synthesize the permutation \((14,15)\) with the help of auxiliary qubits, and then use the bidirectional synthesis algorithm in Ref. [22] to realize the quantum circuit of multiplicative inverse over \(\operatorname{GF}(2^{4})\) as shown in Fig. 7.

The quantum circuit of multiplicative inverse over \(\operatorname{GF}(2^{4})\)

Full size image

4.4 Quantum circuits of the isomorphic mappings ϕ and \(\phi ^{-1}\)

There are 8 irreducible polynomials in the form of \(g(y)=y^{2}+y+\lambda \) in \(\operatorname{GF}((2^{4})^{2})\) and each polynomial has 2 roots and the irreducible polynomial \(h(z)=z^{4}+z+1\) has 4 roots. Therefore, there are 64 pairs of isomorphic mappings ϕ and \(\phi ^{-1}\). In order to minimize the use of quantum gates in realizing the isomorphic mappings, we select the pair with the least number of elements “1”. By doing so, we can get \(\lambda =Z^{3}+Z^{2}\) and

then the quantum circuit of isomorphic mapping \(\phi ^{-1}\) can be synthesised as Fig. 8(a) and ϕ as Fig. 8(b).

Quantum circuits of isomorphic mappings between \(\operatorname{GF}(2^{8})\) and \(\operatorname{GF}((2^{4})^{2})\)

Full size image

After \(\lambda =Z^{3}+Z^{2}\) is determined, for any \(\textbf{a} \in \operatorname{GF}(2^{4})\), calculating the value of \(\lambda \cdot \textbf{a}\) is equivalent to calculating the value of the matrix λ multiplied by a, where the matrix

The quantum circuit of the matrix λ can be synthesised as Fig. 9.

The quantum circuit of the matrix λ

Full size image

4.5 Quantum circuit of multiplicative inverse over \(\operatorname{GF}(2^{8})\)

For the convenience of description, denote S as the quantum circuit for realizing the square over \(\operatorname{GF}(2^{4})\) in Fig. 2. In the quantum circuit of multiplication over \(\operatorname{GF}(2^{4})\) in Fig. 3, denote the two multipliers as two solid circles and the result as M. Denote the symbol I as the multiplicative inverse in Fig. 7. The quantum circuits in Fig. 8(a) and Fig. 8(b) for realizing isomorphic mappings are denoted as \(\phi ^{-1}\) and ϕ respectively. The quantum circuit in Fig. 9 is denoted as λ. In addition, in order to use as few auxiliary qubits as possible, we need to restore some registers. At this time, we only need to add the original quantum circuit in reverse order. The inverse quantum circuit in Fig. 2 is recorded as \(S^{-1}\) and the inverse circuit in Fig. 9 is recorded as \(\lambda ^{-1}\). According to Eq. (2), the logic diagram of the quantum circuit for multiplicative inverse over \(\operatorname{GF}(2^{8})\) can be obtained as shown in Fig. 10 and the specific quantum circuit diagrams are shown in the appendixes.

The logic diagram of the quantum circuit for multiplicative inverse over \(\operatorname{GF}(2^{8})\)

Full size image

In this diagram, a, b, c and d are all 4-qubit registers, and e is a 5-qubit register. Except that the multiplicative inverse over \(\operatorname{GF}(2^{4})\) needs to use the 5th qubit of register e, other operations only use the first 4 qubits. During initialization, the value of register a is the lower 4 qubits of the input, b is the upper 4 qubits of the input, and the value of each qubit of c, d, and e is \(|0\rangle \). After the operation of this circuit diagram, register c is the lower 4 qubits of the output, and d is the upper 4 qubits of the output. The quantum circuit in Fig. 10, which is verified by the Aer simulator of the IBM quantum platform, is completely correct. If we want to use fewer Toffoli gates, the quantum circuit of the multiplication over \(\operatorname{GF}(2^{4})\) in Appendix A can be replaced with Fig. 6, see Appendix B for the specific quantum circuit. We can analyze the quantum resources used by them as shown in Table 2.

4.6 Quantum circuit of S-box of AES cryptographic algorithm

As an example of the application of quantum circuit for \(\operatorname{GF}(2^{8})\) multiplicative inverse, we will apply them to the implementations of quantum circuit of the S-box of AES cryptographic algorithm. The S-box function of an input α is defined as

where \(\alpha ^{-1}\) is the multiplicative inverse in \(\operatorname{GF}(2^{8})\) with the irreducible polynomial \(f(x)=x^{8}+x^{4}+x^{3}+x+1\), ν is the column vector over \(\operatorname{GF}(2)\), that is, \(\nu =(0,1,1,0,0,0,1,1)^{T}\), and

Then the quantum circuit of the affine transformation A can be synthesised as Fig. 11.

The quantum circuit of the affine transformation A

Full size image

After the quantum circuit of the affine transformation A is realized, we only need to add it to the output of the inverse quantum circuit in Fig. 10 to synthesize the quantum circuit of the S-box. We denote the quantum circuit of the affine transformation A in Fig. 11 as A for the convenience of description, the logic diagram of the quantum circuit for S-box of AES cryptographic algorithm as shown in Fig. 12.

The logic diagram of the quantum circuit for S-box of AES cryptographic algorithm

Full size image

When synthesizing the quantum circuit of S-box, if the value of \(F\cdot \phi ^{-1}\) is calculated first and then their calculation results are synthesized, the quantum circuit will use fewer CNOT gates than by synthesizing the two matrices respectively. Therefore, this strategy is adopted in our specific implementation scheme. The quantum circuit in Appendix A is used as the multiplicative inverse over \(\operatorname{GF}(2^{8})\) to realize the specific quantum circuit of the S-box of AES, see Appendix C, and the quantum circuit in Appendix B as the multiplicative inverse to realize the specific quantum circuit of the S-box of AES, see Appendix D. Next, we compare the quantum resources used by our works and the existing quantum circuits that implement the S-box of the AES cryptographic algorithm, as shown in Table 3.

As can be seen from Table 3, 4 NOT gates need to be used in all the quantum circuits to realize the S-box of AES. We only need 21 qubits in both the two schemes, which is less than the existing schemes. The quantum circuit in Appendix C uses the lowest CNOT gates and quantum cost among the existing schemes. The Toffoli gates used in the quantum circuit in Appendix D is the lowest among the existing schemes. It uses only slightly more quantum cost than the quantum circuit in Appendix C, and less than other existing schemes.

Among the basic arithmetic operations over finite fields, the computation of multiplicative inverse is the most time consuming operation. In this paper, we mainly discuss the synthesis of quantum circuits for multiplicative inverse over \(\operatorname{GF}(2^{8})\). We first convert the multiplicative inverse operation in \(\operatorname{GF}(2^{8})\) to arithmetic operations in the composite field \(\operatorname{GF}((2^{4})^{2})\), and then discuss the expressions of the square calculation, the inversion calculation and the multiplication calculation separately in the finite field \(\operatorname{GF}(2^{4})\), where the expressions of multiplication calculation in \(\operatorname{GF}(2^{4})\) are given directly in \(\operatorname{GF}(2^{4})\) and given through being transformed into the composite field \(\operatorname{GF}((2^{2})^{2})\). Then the quantum circuits of these calculations are realized one by one. Finally, two quantum circuits for multiplicative inverse over \(\operatorname{GF}(2^{8})\) are synthesized. They both use 21 qubits, the first quantum circuit uses 55 Toffoli gates and 107 CNOT gates and the second one uses 37 Toffoli gates and 209 CNOT gates. As an example of the application of multiplication inverse, we apply these quantum circuits to the implementations of the S-box quantum circuit of the AES cryptographic algorithm. Two quantum circuits for implementing the S-box of the AES cryptographic algorithm are presented. The first quantum circuit uses 21 qubits, 55 Toffoli gates, 131 CNOT gates and 4 NOT gates and the second one uses 21 qubits, 37 Toffoli gates, 233 CNOT gates and 4 NOT gates. Through the evaluation of quantum cost, the two quantum circuits of the S-box of AES cryptographic algorithm use less quantum resources than the existing schemes.

The work that can be done next: on one hand, the optimization of the implementation method of the linear transformation quantum circuit represented by a matrix, we use the Gaussian elimination method in this paper to achieve it, and whether there are other better methods is worth discussing. On the other hand, whether the normal basis representation can reduce the use of quantum resources? In this paper, all the elements in finite fields are represented by polynomial basis. The normal basis representation can indeed optimize the classical circuit of S-box [4], and it is also worth investigating whether this representation can optimize quantum circuit of S-box.

All data generated or analysed during this study are included in this published article.

The authors would like to thank the editor and the referees for carefully reading the paper, and for their useful comments which helped improve the paper.

This work is supported by the Natural Sciences Foundation of Hubei Province (Grant No. 2020CFB326), the Natural Science Foundation of Fujian Province (Grant No. 2020J01812),the National Key R&D Program of China (Grant No. 2018YFA0306703), Chengdu Innovation and Technology Project(Grant No.2021-YF05-02414-GX), and the Open Fund of Advanced Cryptography and System Security Key Laboratory of Sichuan Province (Grant No. SKLACSS-202105).

Authors and Affiliations

1. Department of Computer Science and Technology, School of Information Engineering, Hubei Minzu University, Enshi, 44500, China

   Qing-bin Luo & Qiang Li

2. School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, 610054, China

   Qing-bin Luo & Xiao-yu Li

3. Big data research Center & School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, 611731, China

   Guo-wu Yang

4. Advanced Cryptography and System Security Key Laboratory of Sichuan Province, Chengdu University of Information Technology, Chengdu, Sichuan, 610225, China

   Guo-wu Yang

Contributions

The original idea to this paper came from Qing-bin Luo. All authors contributed to the preparation of the manuscript. All authors read and approved the final manuscript.

Corresponding authors

Correspondence to Qing-bin Luo or Guo-wu Yang.

Ethics approval and consent to participate

Not applicable.

Consent for publication

We give our consent for the publication of identifiable details within the text to be published in EPJ Quantum Technology.

Competing interests

The authors declare no competing interests.

Abbreviations

Not applicable.

Appendix A: The quantum circuit of multiplicative inverse over \(\operatorname{GF}(2^{8})\) where multiplication in \(\operatorname{GF}(2^{4})\) realized by using Fig. 3

Appendix B: The quantum circuit of multiplicative inverse over \(\operatorname{GF}(2^{8})\) where multiplication in \(\operatorname{GF}(2^{4})\) realized by using Fig. 6

Appendix C: The quantum circuit of the S-box of AES cryptographic algorithm where multiplicative inverse over \(\operatorname{GF}(2^{8})\) realized by using Appendix A

Appendix D: The quantum circuit of the S-box of AES cryptographic algorithm where multiplicative inverse over \(\operatorname{GF}(2^{8})\) realized by using Appendix B

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions