Alternative Tower Field Construction for Quantum Implementation of the AES S-Box

Grover’s search algorithm allows a quantum adversary to find a $k$ -bit secret key of a block cipher by making O( $2^{k/2}$ ) block cipher queries. Resistance of a block cipher to such an attack is evaluated by quantum resources required to implement Grover’s oracle for the target cipher. The quantum resources are typically estimated by the $\textit {T}$ -depth of its circuit implementation and the number of qubits used by the circuit (width). Since the AES S-box is the only component which requires $\textit {T}$ -gates in a quantum implementation of AES, recent research has put its focus on efficient implementation of the AES S-box. However, any efficient implementation with low $\textit {T}$ -depth will not be practical in the real world without considering qubit consumption of the implementation. In this work, we propose three methods of trade-off between time and space for the quantum implementation of the AES S-box. In particular, one of our methods turns out to use the smallest number of qubits among the existing methods, significantly reducing its $\textit {T}$ -depth.