Further insights on constructing quantum circuits for Camellia block cipher

Abstract

The rapid development of quantum technology challenges the security of modern cryptography, which causes concern from the cryptographic community about the quantum implementation of cryptographic algorithms, as it is an important component of many quantum attacks. In this paper, the construction of quantum circuits for Camellia block cipher is investigated. Firstly, a 4-bit S-box is derived from the hardware circuit of the Camellia S-box, which divides the S-box circuit into three parts. Then, based on the rearranged circuit, as well as the implementation of the CCCNOT gate, the construction of the NCT-based circuit for the Camellia S-box is researched. Meanwhile, combined with the observations on the rearranged S-box circuit and the discussion on the in-place implementation of different matrices, a quantum circuit for the Camellia S-box with lower T-depth is presented. As an application, the various S-box circuits are used to construct quantum circuits for the Camellia family. The results reveal that the memory-efficient and depth-efficient quantum circuits of Camellia can be constructed with lower T-depth and \(T\cdot M\) value. Besides, for each instance of Camellia, compared with existing state-of-the-art implementation with lowest T-depth and \(T\cdot M\) value, the depth-efficient circuit designed in this work only costs about 35% of the qubits.

Appendices

A Quantum-style circuits of \(H_1\) and \(H_3\)

Quantum-style circuit of \(H_1\)

$$\begin{aligned}{} & {} t_{20} = t_{20} \oplus y_{7} \cdot y_{3}, \quad t_{22} = t_{22} \oplus y_{17} \cdot y_{16}, \quad t_{26} = t_{26} \oplus y_{13} \cdot y_{12},\\{} & {} t_{24} = t_{24} \oplus y_{11} \cdot y_{10},\\{} & {} t_{24} = t_{24} \oplus t_{26}, \quad t_{26} = t_{26} \oplus y_{15} \cdot y_{14}, \quad t_{20} = t_{20} \oplus t_{22}, \quad t_{20} = t_{20} \oplus t_{24}, \\{} & {} t_{22} = t_{22} \oplus t_{26}, \quad t_{26} = t_{26} \oplus y_{9} \cdot y_{8}, \quad t_{24} = t_{24} \oplus y_{9} \cdot y_{8}, \quad t_{24} = t_{24} \oplus y_{5} \cdot y_{1}, \\{} & {} t_{26} = t_{26} \oplus y_{4} \cdot y_{0}, \quad t_{22} = t_{22} \oplus y_{6} \cdot y_{2}. \end{aligned}$$

Quantum-style circuit of \(H_3\)

$$\begin{aligned}{} & {} t_{43} = t_{26} \oplus t_{24}, \quad t_{44} = t_{26} \oplus t_{20}, \quad t_{45} = t_{24} \oplus t_{22}, \quad t_{46} = t_{44} \oplus t_{45},\\{} & {} t_{47} = t_{20} \oplus t_{22}, \quad s_{6} = s_{6} \oplus t_{22} \cdot y_{4}, \quad s_{1} = s_{1} \oplus t_{47} \cdot y_{9}, \quad s_{4} = s_{4} \oplus t_{44} \cdot y_{15},\\{} & {} s_{2} = s_{2} \oplus t_{45} \cdot y_{13}, \quad s_{0} = s_{0} \oplus t_{22} \cdot y_{0}, \quad s_{7} = s_{7} \oplus t_{47} \cdot y_{8}, \quad s_{3} = s_{3} \oplus t_{44} \cdot y_{14},\\{} & {} s_{5} = s_{5} \oplus t_{45} \cdot y_{12}, \quad s_{6} = s_{6} \oplus t_{20} \cdot y_{5}, \quad s_{7} = s_{7} \oplus s_{0}, \quad s_{3} = s_{3} \oplus s_{5},\\{} & {} s_{2} = s_{2} \oplus t_{43} \cdot y_{17}, \quad s_{1} = s_{1} \oplus t_{43} \cdot y_{17}, \quad s_{6} = s_{6} \oplus t_{24} \cdot y_{6}, \quad s_{4} = s_{4} \oplus t_{24} \cdot y_{6},\\{} & {} s_{3} = s_{3} \oplus s_{7}, \quad s_{7} = s_{7} \oplus t_{43} \cdot y_{16}, \quad s_{0} = s_{0} \oplus t_{24} \cdot y_{2}, \quad s_{0} = s_{0} \oplus t_{20} \cdot y_{1},\\{} & {} s_{2} = s_{2} \oplus s_{3}, \quad s_{5} = s_{5} \oplus t_{43} \cdot y_{16}, \quad s_{5} = s_{5} \oplus t_{26} \cdot y_{3}, \quad s_{2} = s_{2} \oplus s_{4},\\{} & {} s_{4} = s_{4} \oplus t_{46} \cdot y_{11}, \quad s_{1} = s_{1} \oplus s_{4}, \quad s_{4} = s_{4} \oplus s_{6}, \quad s_{7} = s_{7} \oplus t_{24} \cdot y_{2},\\{} & {} s_{6} = s_{6} \oplus t_{26} \cdot y_{7}, \quad s_{5} = s_{5} \oplus t_{46} \cdot y_{10}, \quad s_{1} = s_{1} \oplus t_{20} \cdot y_{5}, \quad s_{0} = s_{0} \oplus t_{26} \cdot y_{3},\\{} & {} s_{7} = s_{7} \oplus s_{4}, \quad s_{5} = s_{5} \oplus s_{6}, \quad s_{2} = s_{2} \oplus s_{7}, \quad s_{3} = s_{3} \oplus s_{1}, \\{} & {} s_{0} = s_{0} \oplus s_{1}, \quad s_{1} = s_{1} \oplus 1, \quad s_{2} = s_{2} \oplus 1, \quad s_{4} = s_{4} \oplus 1,\\{} & {} s_{5} = s_{5} \oplus 1, \quad s_{6} = s_{6} \oplus 1.\\ \end{aligned}$$

B NCT-based circuit of \(S_1\) with 5 ancilla qubits

Quantum-style circuit of \(H_1\)

$$\begin{aligned}{} & {} t_{20} = t_{20} \oplus y_{7} \cdot y_{3}, \quad t_{22} = t_{22} \oplus y_{17} \cdot y_{16}, \quad t_{26} = t_{26} \oplus y_{13} \cdot y_{12}, \quad t_{24} = t_{24} \oplus y_{11} \cdot y_{10},\\{} & {} t_{24} = t_{24} \oplus t_{26}, \quad t_{26} = t_{26} \oplus y_{15} \cdot y_{14}, \quad t_{20} = t_{20} \oplus t_{22}, \quad t_{20} = t_{20} \oplus t_{24}, \\{} & {} t_{22} = t_{22} \oplus t_{26}, \quad a = a \oplus y_{9} \cdot y_{8}, \quad t_{26} = t_{26} \oplus a, \quad t_{24} = t_{24} \oplus a,\\{} & {} a = a \oplus y_{9} \cdot y_{8}, \quad t_{24} = t_{24} \oplus y_{5} \cdot y_{1}, \quad t_{26} = t_{26} \oplus y_{4} \cdot y_{0}, \quad t_{22} = t_{22} \oplus y_{6} \cdot y_{2}. \end{aligned}$$

NCT-based circuit of \(H_1\)

$$\begin{aligned}{} & {} x_{2} = x_{2} \oplus x_{1} \quad x_{2} = x_{2} \oplus 1 \quad x_{5} = x_{5} \oplus x_{6} \quad x_{5} = x_{5} \oplus x_{1}\\{} & {} x_{5} = x_{5} \oplus x_{0} \quad x_{7} = x_{7} \oplus x_{4} \quad x_{7} = x_{7} \oplus x_{1} \quad x_{7} = x_{7} \oplus x_{0}\\{} & {} x_{3} = x_{3} \oplus x_{5} \quad x_{3} = x_{3} \oplus x_{7} \quad x_{3} = x_{3} \oplus x_{2} \quad x_{6} = x_{6} \oplus x_{5}\\{} & {} x_{6} = x_{6} \oplus x_{4} \quad x_{6} = x_{6} \oplus x_{3} \quad x_{6} = x_{6} \oplus x_{2} \quad x_{6} = x_{6} \oplus x_{1}\\{} & {} x_{6} = x_{6} \oplus 1 \quad x_{0} = x_{0} \oplus x_{5} \quad x_{0} = x_{0} \oplus 1 \quad x_{4} = x_{4} \oplus x_{1}\\{} & {} x_{1} = x_{1} \oplus x_{5} \quad x_{1} = x_{1} \oplus x_{3} \quad x_{1} = x_{1} \oplus x_{6} \quad t_{20} = t_{20} \oplus x_{2} \cdot x_{5}\\{} & {} t_{22} = t_{22} \oplus x_{7} \cdot x_{3} \quad t_{26} = t_{26} \oplus x_{6} \cdot x_{0} \quad t_{24} = t_{24} \oplus x_{4} \cdot x_{1} \quad t_{24} = t_{24} \oplus t_{26}\\{} & {} t_{20} = t_{20} \oplus t_{22} \quad t_{20} = t_{20} \oplus t_{24} \quad x_{6} = x_{6} \oplus x_{4} \quad x_{1} = x_{1} \oplus x_{0}\\{} & {} x_{7} = x_{7} \oplus x_{4} \quad x_{0} = x_{0} \oplus x_{1} \quad x_{0} = x_{0} \oplus x_{3} \quad x_{2} = x_{2} \oplus x_{6}\\{} & {} x_{5} = x_{5} \oplus x_{1} \quad x_{4} = x_{4} \oplus x_{6} \quad x_{4} = x_{4} \oplus x_{7} \quad x_{4} = x_{4} \oplus x_{2}\\{} & {} x_{3} = x_{3} \oplus x_{5} \quad x_{3} = x_{3} \oplus x_{1} \quad t_{26} = t_{26} \oplus x_{6} \cdot x_{1} \quad a = a \oplus x_{7} \cdot x_{0}\\{} & {} t_{24} = t_{24} \oplus x_{2} \cdot x_{5} \quad t_{22} = t_{22} \oplus x_{4} \cdot x_{3} \quad t_{22} = t_{22} \oplus t_{26} \quad t_{24} = t_{24} \oplus a\\{} & {} t_{26} = t_{26} \oplus a \quad x_{2} = x_{2} \oplus x_{7} \quad x_{5} = x_{5} \oplus x_{0} \quad a = a \oplus x_{7} \cdot x_{0}\\{} & {} t_{26} = t_{26} \oplus x_{2} \cdot x_{5} \quad x_{4} = x_{4} \oplus x_{5} \quad x_{4} = x_{4} \oplus x_{7} \quad x_{4} = x_{4} \oplus x_{3}\\{} & {} x_{4} = x_{4} \oplus x_{2} \quad x_{4} = x_{4} \oplus x_{0} \quad t_{20} = t_{20} \oplus x_{4} \quad x_{6} = x_{6} \oplus x_{5}\\{} & {} x_{6} = x_{6} \oplus x_{2} \quad x_{6} = x_{6} \oplus x_{1} \quad t_{22} = t_{22} \oplus x_{6} \quad x_{4} = x_{4} \oplus x_{5}\\{} & {} x_{4} = x_{4} \oplus x_{7} \quad x_{4} = x_{4} \oplus x_{2} \quad x_{4} = x_{4} \oplus x_{0} \quad t_{24} = t_{24} \oplus x_{4}\\{} & {} x_{6} = x_{6} \oplus x_{7} \quad x_{6} = x_{6} \oplus x_{0} \quad t_{26} = t_{26} \oplus x_{6}.\\ \end{aligned}$$

NCT-based circuit of \(H_2\)

$$\begin{aligned}{} & {} t_{22} = t_{22} \oplus 1, \quad a = a \oplus t_{26} \cdot t_{22}, \quad t_{24} = t_{24}\oplus a \cdot t_{20}, \quad t_{26} = t_{26} \oplus t_{24},\\{} & {} t_{22} = t_{22} \oplus 1, \quad t_{22} = t_{22} \oplus t_{20} \cdot t_{24}, \quad t_{24} = t_{24} \oplus t_{22} \cdot t_{26}, \quad t_{20} = t_{20} \oplus t_{22},\\{} & {} t_{22} = t_{22} \oplus t_{20} \cdot t_{24}, \quad t_{24} = t_{24} \oplus t_{26}, \quad t_{26} = t_{26} \oplus t_{22} \cdot t_{24}.\\ \end{aligned}$$

Quantum-style circuit of \(H_3\) The quantum-style circuit of \(H_3\) is the same as the one designed for the case that 4 ancilla qubits are allocated, since the \(H_3\) circuit consumes no additional ancilla qubits except \(t_{20}, t_{22}, t_{24}\) and \(t_{26}\) NCT-based circuit of \(H_3\)

$$\begin{aligned}{} & {} t_{20} = t_{20} \oplus t_{22}, \quad t_{26} = t_{26} \oplus t_{24}, \quad x_{1} = x_{1} \oplus x_{5}, \quad x_{1} = x_{1} \oplus x_{4},\\{} & {} x_{1} = x_{1} \oplus x_{3}, \quad x_{1} = x_{1} \oplus x_{6}, \quad x_{1} = x_{1} \oplus x_{0}, \quad x_{4} = x_{4} \oplus x_{3},\\{} & {} s_{6} = s_{6} \oplus t_{22}\cdot x_{2}, \quad s_{7} = s_{7} \oplus t_{20}\cdot x_{0}, \quad s_{1} = s_{1} \oplus t_{26}\cdot x_{1}, \quad s_{4} = s_{4} \oplus t_{24}\cdot x_{4},\\{} & {} t_{20} = t_{20} \oplus t_{22}, \quad t_{24} = t_{24} \oplus t_{22}, \quad x_{7} = x_{7} \oplus x_{2}, \quad x_{3} = x_{3} \oplus x_{5},\\{} & {} s_{6} = s_{6} \oplus t_{20}\cdot x_{7}, \quad s_{0} = s_{0} \oplus t_{22}\cdot x_{5}, \quad s_{2} = s_{2} \oplus t_{26}\cdot x_{1}, \quad s_{5} = s_{5} \oplus t_{24}\cdot x_{3},\\{} & {} s_{7} = s_{7} \oplus s_{0}, \quad s_{3} = s_{3} \oplus s_{5}, \quad t_{22} = t_{22} \oplus t_{24}, \quad t_{26} = t_{26} \oplus t_{22},\\{} & {} t_{20} = t_{20} \oplus t_{24}, \quad t_{20} = t_{20} \oplus t_{26}, \quad t_{24} = t_{24} \oplus t_{20}, \quad x_{1} = x_{1} \oplus x_{4},\\{} & {} x_{1} = x_{1} \oplus x_{6}, \quad x_{0} = x_{0} \oplus x_{3}, \quad x_{0} = x_{0} \oplus x_{1}, \quad x_{0} = x_{0} \oplus x_{5},\\{} & {} x_{6} = x_{6} \oplus x_{7}, \quad x_{6} = x_{6} \oplus x_{1}, \quad s_{6} = s_{6} \oplus t_{22}\cdot x_{4}, \quad s_{0} = s_{0} \oplus t_{26}\cdot x_{1},\\{} & {} s_{5} = s_{5} \oplus t_{20}\cdot x_{0}, \quad s_{4} = s_{4} \oplus t_{24}\cdot x_{6}, \quad s_{3} = s_{3} \oplus s_{7}, \quad t_{26} = t_{26} \oplus t_{22},\\{} & {} t_{20} = t_{20} \oplus t_{24}, \quad x_{5} = x_{5} \oplus x_{3}, \quad x_{1} = x_{1} \oplus x_{5}, \quad x_{4} = x_{4} \oplus x_{2},\\{} & {} x_{0} = x_{0} \oplus x_{3}, \quad s_{0} = s_{0} \oplus t_{22}\cdot x_{5}, \quad s_{7} = s_{7} \oplus t_{26}\cdot x_{1}, \quad s_{2} = s_{2} \oplus t_{20}\cdot x_{4},\\{} & {} s_{3} = s_{3} \oplus t_{24}\cdot x_{0}, \quad s_{2} = s_{2} \oplus s_{3}, \quad s_{2} = s_{2} \oplus s_{4}, \quad t_{20} = t_{20} \oplus t_{24},\\{} & {} t_{26} = t_{26} \oplus t_{22}, \quad t_{24} = t_{24} \oplus t_{26}, \quad x_{6} = x_{6} \oplus x_{4}, \quad x_{1} = x_{1} \oplus x_{5},\\{} & {} s_{4} = s_{4} \oplus t_{20}\cdot x_{6}, \quad s_{7} = s_{7} \oplus t_{22}\cdot x_{5}, \quad s_{5} = s_{5} \oplus t_{26}\cdot x_{1}, \quad s_{1} = s_{1} \oplus t_{24}\cdot x_{7}, \\{} & {} s_{1} = s_{1} \oplus s_{4}, \quad s_{4} = s_{4} \oplus s_{6}, \quad t_{22} = t_{26} \oplus t_{22}, \quad t_{20} = t_{22} \oplus t_{20},\\{} & {} x_{4} = x_{4} \oplus x_{6}, \quad x_{4} = x_{4} \oplus x_{7}, \quad x_{0} = x_{0} \oplus x_{1}, \quad x_{5} = x_{5} \oplus x_{1},\\{} & {} x_{2} = x_{2} \oplus x_{7}, \quad s_{6} = s_{6} \oplus t_{26}\cdot x_{4}, \quad s_{0} = s_{0} \oplus t_{24}\cdot x_{0}, \quad s_{5} = s_{5} \oplus t_{22}\cdot x_{5},\\{} & {} s_{1} = s_{1} \oplus t_{20}\cdot x_{2}, \quad s_{7} = s_{7} \oplus s_{4}, \quad s_{5} = s_{5} \oplus s_{6}, \quad s_{2} = s_{2} \oplus s_{7}, \\{} & {} s_{3} = s_{3} \oplus s_{1}, \quad s_{0} = s_{0} \oplus s_{1}, \quad s_{1} = s_{1} \oplus 1, \quad s_{2} = s_{2} \oplus 1,\\{} & {} s_{4} = s_{4} \oplus 1, \quad s_{5} = s_{5} \oplus 1, \quad s_{6} = s_{6} \oplus 1. \end{aligned}$$

C Matrices derived from inputs of AND gates

Matrix derived from the \(H_1/H_3\) circuit

$$\begin{aligned} \begin{bmatrix} 1&{} 1&{} 1&{} 1&{} 1&{} 1&{} 1&{} 1\\ 1&{} 1&{} 1&{} 0&{} 1&{} 0&{} 1&{} 0\\ 1&{} 0&{} 1&{} 1&{} 1&{} 0&{} 0&{} 1\\ 1&{} 1&{} 0&{} 0&{} 0&{} 1&{} 1&{} 0\\ 0&{} 0&{} 1&{} 1&{} 1&{} 0&{} 1&{} 0\\ 1&{} 0&{} 1&{} 1&{} 1&{} 0&{} 1&{} 1\\ 1&{} 0&{} 1&{} 0&{} 1&{} 0&{} 0&{} 1\\ 0&{} 1&{} 1&{} 0&{} 0&{} 0&{} 0&{} 0\\ 0&{} 0&{} 0&{} 1&{} 0&{} 1&{} 0&{} 1\\ 1&{} 0&{} 0&{} 0&{} 0&{} 0&{} 0&{} 1\\ 0&{} 1&{} 1&{} 0&{} 1&{} 0&{} 1&{} 0\\ 0&{} 1&{} 0&{} 0&{} 1&{} 0&{} 0&{} 0\\ 0&{} 1&{} 0&{} 0&{} 0&{} 1&{} 1&{} 0\\ 1&{} 0&{} 0&{} 1&{} 0&{} 0&{} 1&{} 1\\ 0&{} 0&{} 1&{} 0&{} 1&{} 1&{} 0&{} 0\\ 1&{} 1&{} 0&{} 1&{} 1&{} 0&{} 1&{} 1\\ 0&{} 1&{} 1&{} 1&{} 1&{} 1&{} 1&{} 1\\ 1&{} 1&{} 0&{} 0&{} 1&{} 0&{} 0&{} 1 \end{bmatrix} \end{aligned}$$

Matrices derived from the \(H_2\) circuit

$$\begin{aligned} M_1 = \begin{bmatrix} 0&{}1&{}1&{}1\\ 1&{}0&{}1&{}1\\ 0&{}1&{}0&{}1\\ 1&{}1&{}1&{}0\\ 1&{}0&{}1&{}0\\ 1&{}1&{}0&{}1 \end{bmatrix}, M_2 = \begin{bmatrix} 1&{}0&{}0&{}1&{}0&{}1&{}1\\ 1&{}0&{}1&{}0&{}1&{}0&{}0\\ 1&{}1&{}1&{}1&{}1&{}1&{}0\\ 1&{}0&{}0&{}0&{}1&{}1&{}0\\ 1&{}0&{}0&{}1&{}0&{}1&{}0\\ 0&{}1&{}0&{}0&{}0&{}0&{}0\\ 1&{}0&{}0&{}0&{}0&{}0&{}0\\ 0&{}0&{}1&{}1&{}0&{}0&{}1 \end{bmatrix}. \end{aligned}$$

D In-place implementation of the P-function

Denote by \((x_0,...,x_7)\) and \((y_0,...,y_7)\) the 64-bit input and output of the P-function. The calculation of \((y_0,...,y_7)\) under S-Xor metric can be completed as follows.

$$\begin{aligned} \begin{array}{llll} x_{0} = x_{0} \oplus x_{6}, &{}x_{1} = x_{1} \oplus x_{7}, &{}x_{2} = x_{2} \oplus x_{4}, &{}x_{4} = x_{4} \oplus x_{0},\\ x_{6} = x_{6} \oplus x_{1}, &{}x_{0} = x_{0} \oplus x_{5}, &{}x_{3} = x_{3} \oplus x_{4}, &{}x_{5} = x_{5} \oplus x_{3} ~(y_{7}),\\ x_{3} = x_{3} \oplus x_{1} ~(y_{1}), &{}x_{7} = x_{7} \oplus x_{2}, &{}x_{1} = x_{1} \oplus x_{0} ~(y_{4}), &{}x_{7} = x_{7} \oplus x_{5} ~(y_{0}),\\ x_{2} = x_{2} \oplus x_{6} ~(y_{5}), &{}x_{4} = x_{4} \oplus x_{7} ~(y_{6}), &{}x_{6} = x_{6} \oplus x_{4} ~(y_{3}), &{}x_{0} = x_{0} \oplus x_{2} ~(y_{2}). \end{array} \end{aligned}$$