Quantum circuit implementations of SM4 block cipher based on different gate sets

Abstract

In recent years, the quantum implementation of symmetric ciphers has received much attention. In this paper, we investigate the construction of quantum circuits based on different gate sets for the SM4 block cipher, which is the national standard of commercial cryptography of China and is standardized in ISO/IEC. First, we construct reversible circuits using Pauli-X gates, CNOT gates and Toffoli gates (i.e., the NCT gate set) for the SM4 S-box, based on which we design two circuits for the SM4 S-box with Clifford+T gates by applying the quantum And gate and existing decomposition scheme of the Toffoli gate, respectively. In addition, we propose a new in-place 1 implementation for the linear transformation in the SM4 round function. Finally, taking the qubit consumption and the \(T{\cdot } M\) value (the product of qubit consumption and nonlinear gate depth of a quantum circuit) as metrics, we investigate the application of various circuits we designed to the construction of quantum circuits for SM4. The results show that we can always construct a subroutine/stand-alone circuit based on the NCT gate set, or based on Clifford+T gates for SM4 with fewer qubits or lower \(T {\cdot } M\) value than existing state-of-the-art implementations.

Appendices

Appendix A: NCT-based circuit of the SM4 S-box

1.1 A.1 The reversible circuit of \(H_1\)

$$\begin{aligned} \begin{array}{llllll} {{\mathtt {\#Toffoli~depth~1:~step~9-12}}}\\ {1}&{}\mathtt {x_{4} = \overline{x_{4} \oplus x_{5} \oplus x_{3} \oplus x_{2}}},&{}{6}&{}\mathtt {x_{2} = \overline{x_{2} \oplus x_{7} \oplus x_{1}}},&{}{11}&{}\mathtt {a_1 = a_1 \oplus x_{3}\cdot x_{2}}\\ {2}&{}\mathtt {x_{5} = x_{5} \oplus x_{3} \oplus x_{1} \oplus x_{0}},&{}{7}&{}\mathtt {x_{0} = \overline{x_{0}}},&{}{12}&{}\mathtt {a_4 = a_4 \oplus x_{0}\cdot x_{1}},\\ {3}&{}\mathtt {x_{7} = x_{7} \oplus x_{4} \oplus x_{3} \oplus x_{1}},&{}{8}&{}\mathtt {x_{1} = x_{5} \oplus x_{1}},&{}{13}&{}\mathtt {a_2 = a_2 \oplus a_4},\\ {4}&{}\mathtt {x_{6} = \overline{x_{6} \oplus x_{7}}},&{}{9}&{}\mathtt {a_2 = a_2 \oplus x_{4}\cdot x_{5}},&{}{14}&{}\mathtt {a_3 = a_3 \oplus a_2},\\ {5}&{}\mathtt {x_{3} = x_{3} \oplus x_{5}},&{}{10}&{}\mathtt {a_3 = a_3 \oplus x_{7}\cdot x_{6}},&{}{15}&{}\mathtt {a_0 = a_0 \oplus a_3\oplus a_4},\\ {{\mathtt {\#Toffoli~depth~2:~step~7-10}}}\\ {1}&{}\mathtt {x_{4} = x_{7} \oplus x_{4} \oplus x_{3} \oplus x_{0}},&{}{5}&{}\mathtt {x_{7} = x_{7} \oplus x_{4} \oplus x_{3}},&{}{9}&{}\mathtt {a_1 = a_1 \oplus x_{7}\cdot x_{6}},\\ {2}&{}\mathtt {x_{1} = x_{6} \oplus x_{5} \oplus x_{2} \oplus x_{1}},&{}{6}&{}\mathtt {x_{6} = x_{6} \oplus x_{2} \oplus x_{1}},&{}{10}&{}\mathtt {a_3 = a_3 \oplus x_{3}\cdot x_{2}},\\ {3}&{}\mathtt {x_{0} = x_{4} \oplus x_{3} \oplus x_{0}},&{}{7}&{}\mathtt {a_0 = a_0 \oplus x_{4}\cdot x_{1}},&{}{11}&{}\mathtt {a_1 = a_1 \oplus a_2},\\ {4}&{}\mathtt {x_{5} = x_{6} \oplus x_{5}},&{}{8}&{}\mathtt {a_2 = a_2 \oplus x_{0}\cdot x_{5}},&{}&{}\\ {{\mathtt {\#Toffoli~depth~3:~step~7-10}}}\\ {1}&{}\mathtt {x_{0} = x_{4} \oplus x_{3} \oplus x_{0}},&{}{8}&{}\mathtt {a_0 = a_0 \oplus x_{7}\cdot x_{6}},&{}{15}&{}\mathtt {x_{4} = x_{5} \oplus x_{4} \oplus x_{3} \oplus x_{1}},\\ {2}&{}\mathtt {x_{2} = x_{5} \oplus x_{2} \oplus x_{1}},&{}{9}&{}\mathtt {a_1 = a_1 \oplus x_{4}\cdot x_{1}},&{}{16}&{}\mathtt {a_1 = a_1 \oplus x_{4}},\\ {3}&{}\mathtt {x_{4} = x_{7} \oplus x_{4}},&{}{10}&{}\mathtt {a_2 = a_2 \oplus x_{3}\cdot x_{5}},&{}{17}&{}\mathtt {x_{7} = x_{7} \oplus x_{5} \oplus x_{3}},\\ {4}&{}\mathtt {x_{1} = x_{6} \oplus x_{1}},&{}{11}&{}\mathtt {a_0 = a_0 \oplus a_2},&{}{18}&{}\mathtt {a_2 = a_2 \oplus x_{7}},\\ {5}&{}\mathtt {x_{3} = x_{3} \oplus x_{0}},&{}{12}&{}\mathtt {x_{7} = x_{7} \oplus x_{6} \oplus x_{5} \oplus x_{3}},&{}{19}&{}\mathtt {x_{4} = x_{4} \oplus x_{2} \oplus x_{0}},\\ {6}&{}\mathtt {x_{5} = x_{6} \oplus x_{5} \oplus x_{1}},&{}{13}&{}\mathtt {x_{7} = x_{7} \oplus x_{2} \oplus x_{0}},&{}{20}&{}\mathtt {a_3 = a_3 \oplus x_{4}}.\\ {7}&{}\mathtt {a_4 = a_4 \oplus x_{0}\cdot x_{2}},&{}{14}&{}\mathtt {a_0 = a_0 \oplus x_{7}},&{}&{}\\ \end{array} \end{aligned}$$

1.2 A.2 The reversible circuit of \(H_2\) with Toffoli depth 6

$$\begin{aligned} \begin{array}{lll} {1}&{} \mathtt {a_1 = a_1 \oplus a_0 \cdot a_2},&{}{\mathtt {\#Toffoli~depth~1}}\\ {2}&{} \mathtt {a_0 = a_0 \oplus a_1},&{}\\ {3}&{} \mathtt {a_2 = a_2 \oplus a_0 \cdot a_3},&{}{\mathtt {\#Toffoli~depth~2}}\\ {4}&{} \mathtt {a_0 = a_0 \oplus a_1 \cdot a_2},&{}{\mathtt {\#Toffoli~depth~3}}\\ {5}&{} \mathtt {a_1 = a_1 \oplus a_0}~(t_{33}),&{}\\ {6}&{} \mathtt {a_2 = a_2 \oplus a_3}~(t_{41}),&{}\\ {7}&{} \mathtt {a_3 = a_3 \oplus a_0 \cdot a_2},&{}{\mathtt {\#Toffoli~depth~4}}\\ {8}&{} \mathtt {a_4 = a_4 \oplus a_2 \cdot a_1},&{}{\mathtt {\#Toffoli~depth~5}}\\ {9}&{} \mathtt {a_0 = a_0 \oplus a_4 \cdot a_3}~(t_{44}),&{}{\mathtt {\#Toffoli~depth~6}}\\ {10}&{} \mathtt {a_3 = a_3 \oplus a_2}~(t_{37}).&{}\\ \end{array} \end{aligned}$$

1.3 A.3 The reversible circuit of \(H_2\) with Toffoli depth 5

$$\begin{aligned} \begin{array}{lll} {1}&{}\mathtt {a_1 = a_1 \oplus a_0 \cdot a_2},&{}{\mathtt {\#Toffoli~depth~1}}\\ {2}&{}\mathtt {a_0 = a_0 \oplus a_1},&{}\\ {3}&{}\mathtt {a_2 = a_2 \oplus a_0 \cdot a_3},&{}{\mathtt {\#Toffoli~depth~2}}\\ {4}&{}\mathtt {a_0 = a_0 \oplus a_1 \cdot a_2},&{}{\mathtt {\#Toffoli~depth~3}}\\ {5}&{}\mathtt {a_1 = a_1 \oplus a_0}~(t_{33}),&{}\\ {6}&{}\mathtt {a_2 = a_2 \oplus a_3}~(t_{41}),\\ {7}&{}\mathtt {a_5 = a_5 \oplus a_2},&{}\\ {8}&{}\mathtt {a_3 = a_3 \oplus a_0 \cdot a_5},&{}{\mathtt {\#Toffoli~depth~4}}\\ {9}&{}\mathtt {a_4 = a_4 \oplus a_2 \cdot a_1},&{}{\mathtt {\#Toffoli~depth~4}}\\ {10}&{}\mathtt {a_0 = a_0 \oplus a_4 \cdot a_3}~(t_{44}),&{}{\mathtt {\#Toffoli~depth~5}}\\ {11}&{}\mathtt {a_3 = a_3 \oplus a_2}~(t_{37}).\\ \end{array} \end{aligned}$$

1.4 A.4 The reversible circuit of \(H_3\)

Appendix B: Binary matrix corresponds to L