Quantum reversible circuit of AES-128

Abstract

An explicit quantum design of AES-128 is presented in this paper. The design is structured to utilize the lowest number of qubits. First, the main components of AES-128 are designed as quantum circuits and then combined to construct the quantum version of AES-128. Some of the most efficient approaches in classical hardware implementations are adopted to construct the circuits of the multiplier and multiplicative inverse in \({\mathbb {F}}_{2}[x]/(x^8+x^4+x^3+x+1)\). The results show that 928 qubits are sufficient to implement AES-128 as a quantum circuit. Moreover, to maintain the key uniqueness when the quantum AES-128 is employed as a Boolean function within a Black-box in other key searching quantum algorithms, a method with a cost of 930 qubits is also proposed.

Appendices

Appendix A: Synthesis of linear reversible circuits

An efficient synthesis of linear reversible n-wire circuit of C-NOT was presented by Patel et al. [26]. The circuit synthesis algorithm yields circuits with \({\mathcal {O}}(n^2/\log n)\) C-NOTgates compared to \({\mathcal {O}}(n^2)\) gates for those algorithms based on Gaussian estimation and LU-decomposition. We slightly modified on the Patel et al.’s algorithm such that the accuracy of the decomposition results can be verified (see Algorithm 2). The algorithm works as follows:

• Partition the columns of \(n\times n\) matrix to sections of m columns each.

• For each section, eliminate the duplicate patterns:

  • Generate all possible patterns (lines 4 to 5 in Algorithm 2),

  • Check for duplicates and eliminate (lines 8 to lines 19).

• Set the diagonal qubits to 1 in each section (lines 21 to 31),

• Remove ones below the diagonal (lines 32 to 38).

First, the algorithm works on the lower triangular of the matrix to be decomposed. Then, after reducing the matrix to an upper triangular matrix, the output is transposed. After that, Algorithm 2 is applied again to further reduction to the identity matrix. For more details about the algorithm and the arrangement of the C-NOT gates before and after transpose, the reader is referred to [26].

Appendix B: Decomposition verification

Remark 1

Let C be a linear reversible circuit of n qubits, and let s be a set of C-NOT gates (G), then \(\forall ~G_i \in s\), \(G_i\) is represented by a \(n \times n\) matrix M such that M is a unity elementary matrix with one entry (off-diagonal) being set to one. This entry is specified as \(M_{c,t}\) where c is the control of the C-NOT (\(G_i\)) and t is the target of \(G_i\).

Theorem 2

([26]) Let A be an elementary matrix representing a linear transformation over \({\mathbb {F}}_2\) which is modeled as a reversible circuit C of s number of C-NOT gates (G), and from Remark 1, \(G_i\) is represented as a matrix \(M_i\), then:

In Remark 1, each single C-NOT gate is represented by an elementary matrix. Since, the output results in Algorithm 2 are a series of C-NOT gates, the correctness of the results can be verified by applying Theorem 2. First, we combined all the C-NOT matrices into one big matrix M of \(g\times n\) rows and n columns. Each \(n\times n\) submatrix set to identity matrix and with one entry off-diagonal set to one according to the C (control) and T (target) lists as mentioned in Remark 1. This step can be seen in lines 2 to 6 in Algorithm 3. Then, all the submatrices are multiplied by each other (lines 7 to 15).

Appendix C: Detailed quantum circuit of AES-128

See Fig. 12.

Fig. 12

Detailed circuit of the proposed quantum AES-128