Optimized quantum implementation of AES

Abstract

This work researches the implementation of the AES family with Pauli-X gates, CNOT gates and Toffoli gates as the underlying quantum logic gate set. First, the properties of quantum circuits are investigated, as well as the influence of Pauli-X gates, CNOT gates and Toffoli gates on the performance of the circuits constructed with those gates. Based on these properties and the observations on the hardware circuits built by Boyar et al. and Zou et al., it is possible to construct quantum circuits for AES’s Substitution-box (S-box) and its inverse (S-box\(^{-1}\)) by rearranging the classical implementation to three parts. Since the second part is treated as a 4-bit S-box in this paper and can be dealt with by existing tools, a heuristic is proposed to search optimized quantum circuits for the first and the third parts. In addition, considering the number of parallelly executed S-boxes, the trade-offs between the qubit consumption and \(T\cdot M\) values for the round function and key schedule of AES are studied. As a result, quantum circuits of AES-128, AES-192 and AES-256 can be constructed with 269, 333 and 397 qubits, respectively. If more qubits are allowed, quantum circuits that outperform state-of-the-art schemes in the metric of \(T\cdot M\) value for the AES family can be reported, and it needs only 474, 538 and 602 qubits for AES-128, AES-192 and AES-256, respectively.

Appendices

The Proof of Fact 1

Proof

Based on the values of a and c, the proof proceeds in two cases:

Case 1: if \(a = c\), the two operations can be rewritten as \(t_a = t_a\oplus t_b\), \(t_a=t_a\oplus t_c\), after which the value of qubit \(t_a\) is \(t_a\oplus t_b\oplus t_c\). Assuming that the operations are changed to \(t_a = t_a\oplus t_c\), \(t_a=t_a\oplus t_b\), the final value of \(t_a\) is not changed. Thus, the order of these two operations can be exchanged.

Case 2: if \(a\ne c, d\) and \(b\ne c\), it follows that a, c, d are pairwise distinct since \(a\ne b\) and \(c\ne d\). In addition, the operations have no influence on the values of \(t_b\) and \(t_d\). Therefore, exchanging the order of these two operations does not result in any change of the values stored in \(t_a\) and \(t_c\). \(\square \)

Discussion on LIGHTER and LIGHTER-R

Before illustrating the method of using LIGHTER, the following definition is introduced.

Definition 3

(odd permutation [26]) A permutation is called odd if it can be written as the product of an odd number of transpositions.

The even permutation can be defined in the similar way.

It is obviously that the 4-bit S-box shown in Table 6 is odd (as well as the one derived from the inverse of AES S-box). The studies of [26] reveal that the NCT-based circuit for an even permutation can be constructed without temporary storage, but for an odd permutation, one wire of temporary storage is required. It means that one cannot construct a quantum circuit for an odd permutation by using the tool LIGHTER-R only based on NCT gate set. To this end, the following strategies are investigated to construct an NCT-based circuit for an odd permutation.

Strategy 1 First, expand a 4-bit odd permutation to be a 5-bit one by adding one bit in the most significant bit of the inputs, whose corresponding output bit is identical to the input. There is no doubt that the resulting 5-bit permutation is even. Then, modify the code to make the tool LIGHTER-R compatible with 5-bit permutation as its input and search the NCT-based circuit for the resulting 5-bit even permutation. Unfortunately, due to the large search space, none implementation for the S-box shown in Table 6 returned.

Strategy 2 The underlying logic gate set of the tool LIGHTER can be customized as needed. Considering the relation between the NCT gate set and the classical And gate, Xor gate and Not gate, one can specify that the tool LIGHTER only uses And gates, Xor gates and Not gates to search an optimized in-place implementation for a 4-bit odd permutation. Certainly, this comes at the cost of an auxiliary variable, which means an ancilla qubit will be consumed by LIGHTER in this case.

The quantum style circuit of \(f_2\) of AES S-box

$$\begin{aligned} \begin{array}{llll} s_{6}= s_{6} \oplus t_{44} \cdot y_{15}, &{}s_{1}= s_{1} \oplus t_{37} \cdot y_{6}, &{}s_{0}= s_{0} \oplus t_{43} \cdot y_{16}, &{}s_{4}= s_{4} \oplus t_{40} \cdot y_{1},\\ \nonumber s_{3}= s_{3} \oplus t_{44} \cdot y_{12}, &{}s_{5}= s_{5} \oplus t_{37} \cdot y_{3}, &{}s_{2}= s_{2} \oplus t_{43} \cdot y_{13}, &{}s_{7}= s_{7} \oplus t_{40} \cdot y_{5},\\ \nonumber s_{0} = s_{0} \oplus s_{4}, &{}s_{6} = s_{6} \oplus s_{0}, &{}s_{2} = s_{2} \oplus t_{42} \cdot y_{9}, &{}s_{0} = s_{0} \oplus t_{42} \cdot y_{11},\\ \nonumber s_{5} = s_{5} \oplus t_{45} \cdot y_{14}, &{}s_{0} = s_{0} \oplus t_{45} \cdot y_{17}, &{}s_{7} = s_{7} \oplus s_{2}, &{}s_{1} = s_{1} \oplus s_{6},\\ \nonumber s_{2} = s_{2} \oplus t_{29} \cdot y_{2}, &{}s_{3} = s_{3} \oplus s_{5}, &{}s_{6} = s_{6} \oplus t_{33} \cdot y_{0}, &{}s_{4} = s_{4} \oplus s_{6},\\ \nonumber s_{4} = s_{4} \oplus t_{29} \cdot y_{7}, &{}s_{5} = s_{5} \oplus t_{33} \cdot y_{4}, &{}s_{3} = s_{3} \oplus t_{42} \cdot y_{9}, &{}s_{6} = s_{6} \oplus t_{45} \cdot y_{17}, \\ \nonumber s_{6} = s_{6} \oplus t_{41} \cdot y_{10}, &{}s_{7} = s_{7} \oplus t_{45} \cdot y_{14}, &{}s_{2} = s_{2} \oplus s_{6}, &{}s_{5} = s_{5} \oplus s_{2}, \\ \nonumber s_{2} = s_{2} \oplus s_{0}, &{}s_{0} = s_{0} \oplus s_{3}, &{}s_{3} = s_{3} \oplus s_{1}, &{}s_{7} = s_{7} \oplus s_{4}, \\ \nonumber s_{2} = s_{2} \oplus t_{41} \cdot y_{8}, &{}s_{6} = s_{6} \oplus s_{7}, &{}s_{4} = s_{4} \oplus s_{3}, &{}s_{1} = s_{1} \oplus s_{0}.\\ \nonumber \end{array} \end{aligned}$$

The reversible circuit of AES S-box

1.1 The reversible circuit for generating \(t_{21}, t_{22}, t_{23}, t_{24}\)

$$\begin{aligned} \begin{array}{lll} x_{6} = x_{6} \oplus x_{5} \oplus x_{3} \oplus x_{0}, &{}x_{4} = x_{6} \oplus x_{5} \oplus x_{4}, &{}x_{1} = x_{7} \oplus x_{3} \oplus x_{2} \oplus x_{1},\\ \nonumber x_{5} = x_{5} \oplus x_{3}, &{}x_{2} = x_{5} \oplus x_{2} \oplus x_{0}, &{}x_{3} = x_{3} \oplus x_{1} \oplus x_{0},\\ \nonumber x_{0} = x_{4} \oplus x_{3} \oplus x_{2} \oplus x_{0}, &{}t_{21} = t_{21} \oplus x_{6} \cdot x_{4}, &{}t_{22} = t_{22} \oplus x_{1} \cdot x_{7},\\ \nonumber t_{23} = t_{23} \oplus x_{5} \cdot x_{2}, &{}t_{24} = t_{24} \oplus x_{3} \cdot x_{0}, &{}t_{22} = t_{22} \oplus t_{21},\\ \nonumber t_{21} = t_{21} \oplus t_{23}, &{}x_{5} = x_{6} \oplus x_{5}, &{}x_{4} = x_{4} \oplus x_{2},\\ \nonumber x_{1} = x_{6} \oplus x_{1}, &{}x_{7} = x_{7} \oplus x_{4} \oplus x_{2}, &{}x_{3} = x_{5} \oplus x_{3} \oplus x_{1},\\ \nonumber x_{0} = x_{7} \oplus x_{4} \oplus x_{0}, &{}x_{6} = x_{6} \oplus x_{5} \oplus x_{3}, &{}x_{2} = x_{2} \oplus x_{0},\\ \nonumber t_{23} = t_{23} \oplus x_{5} \cdot x_{4}, &{}t_{21} = t_{21} \oplus x_{1} \cdot x_{7}, &{}t_{24} = t_{24} \oplus x_{3} \cdot x_{0},\\ \nonumber a = a \oplus x_{6} \cdot x_{2}, &{}t_{21} = t_{21} \oplus a, &{}t_{22} = t_{22} \oplus a,\\ \nonumber t_{23} = t_{23} \oplus a, &{}t_{24} = t_{24} \oplus a, &{}x_{1} = x_{3} \oplus x_{1},\\ \nonumber x_{7} = x_{7} \oplus x_{0}, &{}t_{22} = t_{22} \oplus x_{3} \cdot x_{0}, &{}t_{23} = t_{23} \oplus x_{1} \cdot x_{7},\\ \nonumber t_{24} = t_{24} \oplus x_{5} \cdot x_{4}, &{}a = a \oplus x_{6} \cdot x_{2}, &{}x_{6} = x_{6} \oplus x_{2},\\ \nonumber t_{21} = t_{21} \oplus x_{6}, &{}x_{3} = x_{3} \oplus x_{0}, &{}t_{22} = t_{22} \oplus x_{3},\\ \nonumber x_{5} = x_{5} \oplus x_{4}, &{}t_{23} = t_{23} \oplus x_{5}, &{}x_{5} = x_{7} \oplus x_{5} \oplus x_{1},\\ \nonumber t_{24} = t_{24} \oplus x_{5}.\\ \nonumber \end{array} \end{aligned}$$

1.2 The reversible circuit for \(S_4\) with Toffoli Depth 6

$$\begin{aligned} \begin{array}{lll} t_{23} = t_{23} \oplus t_{22} \cdot t_{24}, &{}t_{24} = t_{24} \oplus t_{23}, &{}t_{22} = t_{22} \oplus t_{21} \cdot t_{24},\\ \nonumber t_{24} = t_{24} \oplus t_{22} \cdot t_{23}, &{}t_{23} = t_{23} \oplus t_{24}~(t_{33}), &{}t_{22} = t_{22} \oplus t_{21}~(t_{40}),\\ \nonumber t_{21} = t_{21} \oplus t_{22} \cdot t_{24}, &{}a = a \oplus t_{23} \cdot t_{22}, &{}t_{24} = t_{24} \oplus a \cdot t_{21}~(t_{37}),\\ \nonumber t_{21} = t_{21} \oplus t_{22}~(t_{29}).&{}&{}\\ \nonumber \end{array} \end{aligned}$$

1.3 The reversible circuit for \(S_4\) with Toffoli Depth 5

$$\begin{aligned} \begin{array}{lll} t_{23} = t_{23} \oplus t_{22} \cdot t_{24}, &{}t_{24} = t_{24} \oplus t_{23}, &{}t_{22} = t_{22} \oplus t_{21} \cdot t_{24},\\ \nonumber t_{24} = t_{24} \oplus t_{22} \cdot t_{23}, &{}t_{23} = t_{23} \oplus t_{24}~(t_{33}), &{}t_{22} = t_{22} \oplus t_{21}~(t_{40}),\\ \nonumber b = b \oplus t_{22}, &{}a = a \oplus t_{23} \cdot t_{22}, &{}t_{21} = t_{21} \oplus b \cdot t_{24},\\ \nonumber t_{24} = t_{24} \oplus a \cdot t_{21}~(t_{37}), &{}t_{21} = t_{21} \oplus t_{22}~(t_{29}).&{}\\ \nonumber \end{array} \end{aligned}$$

1.4 The reversible circuit for the outputs of AES S-box

$$\begin{aligned} \begin{array}{llll} x_{3} = x_{3} \oplus x_{1} \oplus x_{0}, &{}x_{0} = x_{4} \oplus x_{2} \oplus x_{0}, &{}x_{6} = x_{6} \oplus x_{2},\\ \nonumber t_{22} = t_{22} \oplus t_{21}, &{}t_{23} = t_{24} \oplus t_{23}, &{}t_{21} = t_{24} \oplus t_{23} \oplus t_{21},\\ \nonumber s_{0} = s_{0} \oplus t_{22} \cdot x_{4}, &{}s_{5} = s_{5} \oplus t_{24} \cdot x_{3}, &{}s_{6} = s_{6} \oplus t_{23} \cdot x_{0},\\ \nonumber s_{2} = s_{2} \oplus t_{21} \cdot x_{6}, &{}x_{5} = x_{7} \oplus x_{5} \oplus x_{4} \oplus x_{1}, &{}x_{3} = x_{6} \oplus x_{3} \oplus x_{1},\\ \nonumber t_{23} = t_{23} \oplus t_{22}, &{}t_{24} = t_{24} \oplus t_{23} \oplus t_{21}, &{}s_{2} = s_{2} \oplus t_{22} \cdot x_{5},\\ \nonumber s_{5} = s_{5} \oplus t_{23} \cdot x_{3}, &{}s_{4} = s_{4} \oplus t_{24} \cdot x_{7}, &{}s_{0} = s_{0} \oplus s_{4},\\ \nonumber s_{6} = s_{6} \oplus s_{0}, &{}s_{7} = s_{7} \oplus s_{2}, &{}s_{1} = s_{1} \oplus s_{6},\\ \nonumber s_{3} = s_{3} \oplus s_{5}, &{}x_{7} = x_{7} \oplus x_{4} \oplus x_{2}, &{}x_{4} = x_{4} \oplus x_{0},\\ \nonumber t_{22} = t_{24} \oplus t_{22} \oplus t_{21}, &{}s_{6} = s_{6} \oplus t_{22} \cdot x_{7}, &{}s_{3} = s_{3} \oplus t_{21} \cdot x_{6},\\ \nonumber s_{0} = s_{0} \oplus t_{23} \cdot x_{4}, &{}s_{4} = s_{4} \oplus s_{6}, &{}x_{5} = x_{5} \oplus x_{1},\\ \nonumber t_{22} = t_{22} \oplus t_{21}, &{}s_{6} = s_{6} \oplus t_{23} \cdot x_{4}, &{}s_{0} = s_{0} \oplus t_{21} \cdot x_{2},\\ \nonumber s_{7} = s_{7} \oplus t_{24} \cdot x_{1}, &{}s_{2} = s_{2} \oplus t_{22} \cdot x_{5}, &{}x_{4} = x_{4} \oplus x_{2},\\ \nonumber x_{0} = x_{7} \oplus x_{0}, &{}x_{7} = x_{7} \oplus x_{2}, &{}x_{1} = x_{5} \oplus x_{3} \oplus x_{1},\\ \nonumber t_{23} = t_{23} \oplus t_{21}, &{}t_{24} = t_{24} \oplus t_{23}, &{}t_{21} = t_{24} \oplus t_{22} \oplus t_{21},\\ \nonumber s_{6} = s_{6} \oplus t_{23} \cdot x_{4}, &{}s_{1} = s_{1} \oplus t_{24} \cdot x_{0}, &{}s_{4} = s_{4} \oplus t_{22} \cdot x_{7},\\ \nonumber s_{3} = s_{3} \oplus t_{21} \cdot x_{1}, &{}s_{2} = s_{2} \oplus s_{6}, &{}s_{5} = s_{5} \oplus s_{2},\\ \nonumber s_{2} = s_{2} \oplus s_{0}, &{}s_{0} = s_{0} \oplus s_{3}, &{}s_{3} = s_{3} \oplus s_{1},\\ \nonumber s_{7} = s_{7} \oplus s_{4}, &{}x_{6} = x_{6} \oplus x_{3}, &{}x_{5} = x_{6} \oplus x_{5} \oplus x_{3},\\ \nonumber t_{22} = t_{24} \oplus t_{23} \oplus t_{22} \oplus t_{21}, &{}t_{21} = t_{24} \oplus t_{21}, &{}s_{2} = s_{2} \oplus t_{23} \cdot x_{6},\\ \nonumber s_{7} = s_{7} \oplus t_{22} \cdot x_{3}, &{}s_{5} = s_{5} \oplus t_{21} \cdot x_{5}, &{}s_{6} = s_{6} \oplus s_{7}, \\ \nonumber s_{4} = s_{4} \oplus s_{3}, &{}s_{1} = s_{1} \oplus s_{0}, &{}s_{6} = s_{6} \oplus 1,\\ \nonumber s_{7} = s_{7} \oplus 1, &{}s_{1} = s_{1} \oplus 1, &{}s_{2} = s_{2} \oplus 1.\\ \nonumber \end{array} \end{aligned}$$

The reversible circuit of AES S-box\(^{-1}\)

1.1 The reversible circuit for generating \(t_{21}, t_{22}, t_{23}, t_{24}\)

$$\begin{aligned} \begin{array}{lll} x_{6} = x_{7} \oplus x_{6} \oplus x_{1} \oplus x_{0} \oplus 1, &{}x_{1} = x_{5} \oplus x_{3} \oplus x_{2} \oplus x_{1}, &{}x_{3} = x_{6} \oplus x_{3} \oplus x_{0},\\ \nonumber x_{0} = x_{5} \oplus x_{2} \oplus x_{0} \oplus 1, &{}x_{4} = x_{4} \oplus x_{1} \oplus x_{0}, &{}x_{5} = x_{7} \oplus x_{6} \oplus x_{5} \oplus x_{4} \oplus 1,\\ \nonumber x_{7} = x_{7} \oplus x_{5} \oplus x_{2} \oplus x_{1}, &{}x_{2} = x_{3} \oplus x_{2} \oplus 1, &{}t_{21} = t_{21} \oplus x_{6} \cdot x_{1},\\ \nonumber t_{22} = t_{22} \oplus x_{3} \cdot x_{0}, &{}t_{23} = t_{23} \oplus x_{4} \cdot x_{5}, &{}t_{24} = t_{24} \oplus x_{7} \cdot x_{2},\\ \nonumber x_{6} = x_{6} \oplus x_{4}, &{}x_{5} = x_{5} \oplus x_{1}, &{}x_{3} = x_{6} \oplus x_{4} \oplus x_{3},\\ \nonumber x_{0} = x_{1} \oplus x_{0}, &{}x_{7} = x_{7} \oplus x_{6} \oplus x_{3}, &{}x_{2} = x_{5} \oplus x_{2} \oplus x_{0},\\ \nonumber x_{4} = x_{7} \oplus x_{4}, &{}x_{1} = x_{5} \oplus x_{2} \oplus x_{1}, &{}t_{22} = t_{22} \oplus t_{21},\\ \nonumber t_{21} = t_{21} \oplus t_{23}, &{}t_{23} = t_{23} \oplus x_{6} \cdot x_{5}, &{}t_{21} = t_{21} \oplus x_{3} \cdot x_{0},\\ \nonumber t_{24} = t_{24} \oplus x_{7} \cdot x_{2}, &{}a = a \oplus x_{4} \cdot x_{1}, &{}t_{21} = t_{21} \oplus a,\\ \nonumber t_{22} = t_{22} \oplus a, &{}t_{23} = t_{23} \oplus a, &{}t_{24} = t_{24} \oplus a,\\ \nonumber x_{3} = x_{7} \oplus x_{3}, &{}x_{0} = x_{2} \oplus x_{0}, &{}a = a \oplus x_{4} \cdot x_{1},\\ \nonumber t_{22} = t_{22} \oplus x_{7} \cdot x_{2}, &{}t_{23} = t_{23} \oplus x_{3} \cdot x_{0}, &{}t_{24} = t_{24} \oplus x_{6} \cdot x_{5},\\ \nonumber x_{4} = x_{4} \oplus x_{1}, &{}t_{21} = t_{21} \oplus x_{4}, &{}x_{2} = x_{7} \oplus x_{2},\\ \nonumber t_{22} = t_{22} \oplus x_{2}, &{}x_{5} = x_{6} \oplus x_{5}, &{}t_{23} = t_{23} \oplus x_{5},\\ \nonumber x_{5} = x_{5} \oplus x_{3} \oplus x_{0}, &{}t_{24} = t_{24} \oplus x_{5}.\\ \nonumber \end{array} \end{aligned}$$

1.2 The reversible circuit for the outputs of AES S-box\(^{-1}\)

$$\begin{aligned} \begin{array}{llll} t_{22} = t_{22} \oplus t_{21}, &{}t_{21} = t_{23} \oplus t_{21}, &{}t_{23} = t_{24} \oplus t_{23},\\ \nonumber x_{5} = x_{6} \oplus x_{5} \oplus x_{3} \oplus x_{0}, &{}x_{4} = x_{4} \oplus x_{1}, &{}x_{2} = x_{7} \oplus x_{5} \oplus x_{2} \oplus x_{1},\\ \nonumber x_{7} = x_{7} \oplus x_{3}, &{}s_{2} = s_{2} \oplus t_{22} \cdot x_{5}, &{}s_{4} = s_{4} \oplus t_{21} \cdot x_{4},\\ \nonumber s_{3} = s_{3} \oplus t_{23} \cdot x_{2}, &{}s_{7} = s_{7} \oplus t_{24} \cdot x_{7}, &{}t_{24} = t_{24} \oplus t_{23} \oplus t_{22} \oplus t_{21},\\ \nonumber t_{23} = t_{23} \oplus t_{22}, &{}x_{7} = x_{7} \oplus x_{4} \oplus x_{3}, &{}s_{4} = s_{4} \oplus t_{22} \cdot x_{6},\\ \nonumber s_{1} = s_{1} \oplus t_{21} \cdot x_{4}, &{}s_{0} = s_{0} \oplus t_{24} \cdot x_{0}, &{}s_{7} = s_{7} \oplus t_{23} \cdot x_{7},\\ \nonumber s_{2} = s_{2} \oplus s_{0}, &{}s_{3} = s_{3} \oplus s_{2}, &{}s_{6} = s_{6} \oplus s_{4},\\ \nonumber s_{5} = s_{5} \oplus s_{3}, &{}s_{1} = s_{1} \oplus s_{7}, &{}t_{24} = t_{24} \oplus t_{22} \oplus t_{21},\\ \nonumber t_{22} = t_{23} \oplus t_{22}, &{}t_{21} = t_{24} \oplus t_{21}, &{}x_{0} = x_{5} \oplus x_{1} \oplus x_{0},\\ \nonumber x_{7} = x_{7} \oplus x_{6}, &{}x_{5} = x_{5} \oplus x_{2}, &{}x_{6} = x_{6} \oplus x_{3},\\ \nonumber s_{3} = s_{3} \oplus t_{24} \cdot x_{0}, &{}s_{1} = s_{1} \oplus t_{22} \cdot x_{7}, &{}s_{2} = s_{2} \oplus t_{23} \cdot x_{5},\\ \nonumber s_{4} = s_{4} \oplus t_{21} \cdot x_{6}, &{}s_{0} = s_{0} \oplus s_{3}, &{}t_{22} = t_{24} \oplus t_{22},\\ \nonumber t_{24} = t_{24} \oplus t_{21}, &{}x_{0} = x_{1} \oplus x_{0}, &{}x_{2} = x_{2} \oplus x_{1} \oplus x_{0},\\ \nonumber s_{3} = s_{3} \oplus t_{23} \cdot x_{5}, &{}s_{0} = s_{0} \oplus t_{21} \cdot x_{0}, &{}s_{5} = s_{5} \oplus t_{22} \cdot x_{2},\\ \nonumber s_{2} = s_{2} \oplus t_{24} \cdot x_{1}, &{}t_{24} = t_{24} \oplus t_{23}, &{}x_{1} = x_{5} \oplus x_{1},\\ \nonumber x_{7} = x_{7} \oplus x_{6} \oplus x_{3}, &{}s_{3} = s_{3} \oplus t_{24} \cdot x_{1}, &{}s_{6} = s_{6} \oplus t_{23} \cdot x_{7},\\ \nonumber s_{4} = s_{4} \oplus s_{3}, &{}s_{7} = s_{7} \oplus s_{4}, &{}t_{22} = t_{24} \oplus t_{22},\\ \nonumber t_{21} = t_{24} \oplus t_{23} \oplus t_{21}, &{}x_{7} = x_{7} \oplus x_{4}, &{}x_{6} = x_{6} \oplus x_{4},\\ \nonumber \end{array} \end{aligned}$$

$$\begin{aligned} \begin{array}{llll} s_{4} = s_{4} \oplus t_{24} \cdot x_{7}, &{}s_{6} = s_{6} \oplus t_{22} \cdot x_{3}, &{}s_{7} = s_{7} \oplus t_{21} \cdot x_{6},\\ \nonumber s_{6} = s_{6} \oplus s_{2}, &{}s_{0} = s_{0} \oplus s_{6}, &{}s_{1} = s_{1} \oplus s_{4},\\ \nonumber s_{4} = s_{4} \oplus s_{0}, &{}s_{2} = s_{2} \oplus s_{5}, &{}s_{0} = s_{0} \oplus s_{3},\\ \nonumber s_{4} = s_{4} \oplus s_{7}, &{}s_{2} = s_{2} \oplus s_{7}, &{}s_{7} = s_{7} \oplus s_{1},\\ \nonumber s_{1} = s_{1} \oplus s_{6}, &{}s_{1} = s_{1} \oplus s_{5}, &{}s_{3} = s_{3} \oplus s_{6},\\ \nonumber s_{5} = s_{5} \oplus s_{0}.\\ \nonumber \end{array} \end{aligned}$$

The reversible circuit added if not all output qubits are 0s

$$\begin{aligned} \begin{array}{lllll} s_{5} = s_{5} \oplus s_{0}, &{}s_{3} = s_{3} \oplus s_{6}, &{}s_{1} = s_{1} \oplus s_{5}, &{}s_{1} = s_{1} \oplus s_{6}, &{}s_{7} = s_{7} \oplus s_{1},\\ \nonumber s_{2} = s_{2} \oplus s_{7}, &{}s_{4} = s_{4} \oplus s_{7}, &{}s_{0} = s_{0} \oplus s_{3}, &{}s_{2} = s_{2} \oplus s_{5}, &{}s_{4} = s_{4} \oplus s_{0},\\ \nonumber s_{1} = s_{1} \oplus s_{4}, &{}s_{0} = s_{0} \oplus s_{6}, &{}s_{6} = s_{6} \oplus s_{2}, &{}s_{7} = s_{7} \oplus s_{4}, &{}s_{4} = s_{4} \oplus s_{3},\\ \nonumber s_{0} = s_{0} \oplus s_{3}, &{}s_{1} = s_{1} \oplus s_{7}, &{}s_{5} = s_{5} \oplus s_{3}, &{}s_{6} = s_{6} \oplus s_{4}, &{}s_{3} = s_{3} \oplus s_{2},\\ \nonumber s_{2} = s_{2} \oplus s_{0}.\\ \nonumber \end{array} \end{aligned}$$

An example of calculating the CNOT gate consumption of AES-128

For the NCT-based circuit of AES-128, the number of CNOT gates consumed by the AddRoundKey and the MixColumns is \(128\times r\) and \(4\times 92\times (r-1)\), respectively, where r is the round number. Supposing that 5 ancilla qubits are allocated for each of the m parallel S-boxes in the round function, one can also use the S-box\(^{-1}\) circuit that consumes 5 ancilla qubits to remove the previous round, after which there are \(8\times m + 5\times m\) qubits with value zero available for the S-boxes in the key schedule. For the case that \(\frac{16}{m}\in \mathbb {Z}_{+}\), \(8\times m+5\times m > 6\) always hold. It follows that the S-boxes in the key schedule can be implemented with the circuit that consumes 6 ancilla qubits. In each round of AES-128, it requires 16 S-boxes to implement the SubBytes in the round function, 16 S-box\(^{-1}\)es to remove the previous round and 4 S-boxes for the key schedule. Denote by \(Cnot_{S_5^{*}}\), \(Cnot_{S_{5}^{-1*}}\), \(Cnot_{S_6^{*}}\) the CNOT gate count of the S-box circuit that consumes 5 ancilla qubits, the CNOT gate count of the S-box\(^{-1}\) circuit that consumes 5 ancilla qubits and the CNOT gate count of the S-box circuit that consumes 6 ancilla qubits, respectively. The CNOT consumption of the nonlinear components except the first round can be calculated as \((16\times Cnot_{S_5{^*}}+16\times Cnot_{S_5^{-1*}})\times (r-1)+4\times Cnot_{S_6^{*}}\times w{'}\), where \(w^{'}\) is the number of SubWord operations used in the key schedule except the first round and equals 9 for AES-128. In addition, word-wise Xor is applied in the key schedule to implement \(W_{i} = W_{i-4}\oplus W_{i-1}\), which means \(3\times 32\times w\) CNOT gates are required, where w is the number of SubWord operations used in the key schedule and equals 10 for AES-128.