Quantum Software
IEEE Transactions on Quantum Engineering

Received August 13, 2019; revised December 10, 2019; accepted December 13, 2019; date of publication January 16, 2020; date of current version February 14, 2020.
Digital Object Identifier 10.1109/TQE.2020.2965697

Reducing the Cost of Implementing the Advanced Encryption Standard as a Quantum Circuit

BRANDON LANGENBERG 1,2, HAI PHAM 3, AND RAINER STEINWANDT 4
1 PQSecure Technologies, Boca Raton, FL 33431 USA
2 Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL 33431 USA
3 West Campus Math Department Valencia College, Orlando, FL 32811 USA
4 Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431 USA

The work of R. Steinwandt was supported in part by NATO SPS Project G5448 and in part by NIST awards 60NANB18D216 and 60NANB18D217.
International Workshop on Quantum Resource Estimation, Phoenix, Arizona, USA, 22 June 2019.
Corresponding author: Hai Pham (hpham29@valenciacollege.edu)

ABSTRACT To quantify security levels in a postquantum scenario, it is common to use the quantum resources needed to attack the Advanced Encryption Standard (AES) as a reference value. Specifically, in the National Institute of Standards and Technology’s ongoing postquantum standardization effort, different security categories are defined that reflect the quantum resources needed to attack AES-128, AES-192, and AES-256. This article presents a quantum circuit to implement the S-box of AES. Also, leveraging an improved implementation of the key expansion, we identify new quantum circuits for all three AES key lengths. For AES-128, the number of Toffoli gates can be reduced by more than 88% compared to Almazrooie et al.’s and Grassl et al.’s estimates while simultaneously reducing the number of qubits. Our circuits can be used to simplify a Grover-based key search for AES.
INDEX TERMS Advanced Encryption Standard (AES), Grover’s algorithm, quantum circuit, quantum cryptanalysis, quantum engineering.

I. INTRODUCTION

Reacting to progress in the development of quantum computers, the National Institute of Standards and Technology (NIST) has initiated a process to standardize cryptographic primitives that are designed to remain secure in the presence of large-scale quantum computers [15]. To fix security categories, NIST’s call for proposals offers the quantum resources for an exhaustive key search in the case of AES-128, AES-192, and AES-256 as a reference point. Relevant cost measures include the number of qubits, the number of T- and Clifford gates, and the T-depth. It is not hard to see that, with the exception of the highly structured S-box (the SubByte transform), all of the Advanced Encryption Standard (AES) can be implemented by means of NOT and CNOT gates.

A. CONTRIBUTIONS

In the following, we present a new quantum circuit to implement SubByte, which builds on a result by Boyar and Peralta [7]. This approach allows a substantial reduction in the number of T-gates compared to the quantum circuits proposed by Grassl et al. [9] and, more recently, by Almazrooie et al. [1]. Our circuit requires 32 qubits, 55 Toffoli gates, 314 CNOT gates, 4 NOT gates, Toffoli depth 40, and a total NCT depth of 298, including “cleaning up” ancillas. This is a reduction of the Toffoli count by more than 88%. There are different options to compile Toffoli gates into Clifford and T-gates, and the common quantum cryptanalytic approach is to first express AES as an NCT circuit, i.e., with NOT, CNOT, and Toffoli gates. Consequently, in this article, we stay at the NCT level, leaving the choice of a particular decomposition of Toffoli gates into more elementary building blocks to a subsequent synthesis step.
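Added example, not code from the paper: the Introduction's remark that everything in AES except SubByte needs only NOT and CNOT gates reflects the fact that those layers are linear or affine over GF(2), while the S-box is not. The Python sketch below checks this for MixColumns and for the S-box; all function names are this example's own, and the inputs to the linearity test are constructed pseudo-random values.

```python
import random

def xtime(b):
    # Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def gmul(a, b):
    # Shift-and-add multiplication in GF(2^8).
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def sbox(a):
    # SubByte: field inversion (a^254, with 0 -> 0), then the affine map with constant 0x63.
    inv = 1
    for _ in range(254):
        inv = gmul(inv, a)
    rot = lambda k: ((inv << k) | (inv >> (8 - k))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63

def mix_column(word):
    # MixColumns on one column packed as a 32-bit integer (byte 0 is most significant).
    c = word.to_bytes(4, "big")
    out = [gmul(2, c[i]) ^ gmul(3, c[(i + 1) % 4]) ^ c[(i + 2) % 4] ^ c[(i + 3) % 4]
           for i in range(4)]
    return int.from_bytes(bytes(out), "big")

def is_gf2_linear(f, nbits, samples=2000, seed=1):
    # f is linear over GF(2) iff f(x) equals the XOR of f(1 << i) over the set bits of x.
    # Checked on constructed pseudo-random inputs: False is conclusive, True is evidence.
    basis = [f(1 << i) for i in range(nbits)]
    rng = random.Random(seed)
    for _ in range(samples):
        x = rng.getrandbits(nbits)
        acc = 0
        for i in range(nbits):
            if (x >> i) & 1:
                acc ^= basis[i]
        if f(x) != acc:
            return False
    return True

def affine_defect(a, b):
    # Would be zero for every pair (a, b) if the S-box were affine over GF(2).
    return sbox(a ^ b) ^ sbox(a) ^ sbox(b) ^ sbox(0)
```

`is_gf2_linear(mix_column, 32)` returns True, whereas `is_gf2_linear(lambda x: sbox(x) ^ sbox(0), 8)` returns False even after the constant is removed. That nonlinearity is why the S-box is the only part of the cipher that needs Toffoli gates.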
Moreover, building on [1] and [9], we present new quantum circuits for all three standardized key lengths of AES, which simultaneously offer savings in the number of qubits, the number of Toffoli gates, and the number of Clifford gates.

B. ORGANIZATION

First, we briefly recall the structure of the S-box of AES and survey prior work to express this functionality as a quantum circuit. Thereafter, we present our design for implementing SubByte in the NCT gate set and integrate it into quantum circuits for AES-128, AES-192, and AES-256. We conclude

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
VOLUME 1, 2020 2500112