{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T03:53:14Z","timestamp":1773201194828,"version":"3.50.1"},"reference-count":79,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2025,1,12]],"date-time":"2025-01-12T00:00:00Z","timestamp":1736640000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Science Foundation","award":["Institute of Information & Communications Technology Planning & Evaluation (IITP)"],"award-info":[{"award-number":["Institute of Information & Communications Technology Planning & Evaluation (IITP)"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,3,11]]},"abstract":"<jats:p>Our work explores the key recovery attack using the Grover's search on the three variants of AES (-128, -192, -256). In total, we develop a pool of 26 implementations per AES variant (totaling 78), by taking the state-of-the-art advancements in the relevant fields into account.<\/jats:p>\n          <jats:p>We present the least Toffoli depth and full depth implementations of AES, thereby improving from Zou et al.'s Asiacrypt'20 paper by more than 97 percent for each variant of AES. We show that the qubit count - Toffoli depth product is reduced from theirs by more than 87 percent. Furthermore, we analyze the Jaques et al.'s Eurocrypt'20 implementations in detail, fix the bugs (arising from some problem of the quantum computing tool used), and report corrected benchmarks (which seem to improve from the authors' own bug-fixing, thanks to our architecture consideration). To the best of our finding, our work improves from all the previous works (including the Asiacrypt'22 paper by Huang and Sun, the Asiacrypt'23 paper by Liu et al. and the Asiacrypt'24 paper by Shi and Feng) in terms of various quantum circuit complexity metrics. To be more precise, we estimate the currently best-known quantum attack complexities for AES-128 (<mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:msup>\n                  <mml:mn>2<\/mml:mn>\n                  <mml:mrow>\n                    <mml:mn>156.2630<\/mml:mn>\n                  <\/mml:mrow>\n                <\/mml:msup>\n              <\/mml:mrow>\n            <\/mml:math>), AES-192 (<mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:msup>\n                  <mml:mn>2<\/mml:mn>\n                  <mml:mrow>\n                    <mml:mn>221.5801<\/mml:mn>\n                  <\/mml:mrow>\n                <\/mml:msup>\n              <\/mml:mrow>\n            <\/mml:math>) and AES-256 (<mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:msup>\n                  <mml:mn>2<\/mml:mn>\n                  <mml:mrow>\n                    <mml:mn>286.0731<\/mml:mn>\n                  <\/mml:mrow>\n                <\/mml:msup>\n              <\/mml:mrow>\n            <\/mml:math>). Additionally, we achieve the least Toffoli depth - qubit count product for AES-128 (<mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:mn>121920<\/mml:mn>\n              <\/mml:mrow>\n            <\/mml:math>, improving from <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:mn>130720<\/mml:mn>\n              <\/mml:mrow>\n            <\/mml:math> by Shi and Feng in Asiacrypt'24), AES-192 (<mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:mn>161664<\/mml:mn>\n              <\/mml:mrow>\n            <\/mml:math>, improving from <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:mn>188880<\/mml:mn>\n              <\/mml:mrow>\n            <\/mml:math> by Liu et al. in Asiacrypt'23) and AES-256 (<mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:mn>206528<\/mml:mn>\n              <\/mml:mrow>\n            <\/mml:math>, improving from <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:mn>248024<\/mml:mn>\n              <\/mml:mrow>\n            <\/mml:math> by Liu et al. in Asiacrypt'23) so far.<\/jats:p>\n          <jats:p>We further investigate the prospect of the Grover's search. We propose four new implementations of the S-box, one new implementation of the MixColumn; as well as five new architecture (one is motivated by the architecture by Jaques et al. in Eurocrypt'20, and the rest four are entirely our innovation). Under the MAXDEPTH constraint (specified by NIST), the circuit depth metrics (Toffoli depth, <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n              <mml:mrow>\n                <mml:mi>T<\/mml:mi>\n              <\/mml:mrow>\n            <\/mml:math>-depth and full depth) become crucial factors and parallelization for often becomes necessary. We provide the least depth implementation in this respect that offers the best performance in terms of metrics like depth-squared - qubit count product, depth - gate count product. <\/jats:p>","DOI":"10.62056\/ay11zo-3y","type":"journal-article","created":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:23:17Z","timestamp":1744147397000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":4,"title":["Quantum Analysis of AES"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5963-7127","authenticated-orcid":false,"given":"Kyungbae","family":"Jang","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/048m9x696","id-type":"ROR","asserted-by":"publisher"}],"name":"Hansung University","place":["Seoul, South Korea"],"department":["Division of IT Convergence Engineering"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5639-7372","authenticated-orcid":false,"given":"Anubhab","family":"Baksi","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/012a77v79","id-type":"ROR","asserted-by":"publisher"}],"name":"Lund University","place":["Lund, Sweden"],"department":["Elektro- och informationsteknik"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9828-3894","authenticated-orcid":false,"given":"Hyunji","family":"Kim","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/048m9x696","id-type":"ROR","asserted-by":"publisher"}],"name":"Hansung University","place":["Seoul, South Korea"],"department":["Division of IT Convergence Engineering"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4337-1843","authenticated-orcid":false,"given":"Gyeongju","family":"Song","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/048m9x696","id-type":"ROR","asserted-by":"publisher"}],"name":"Hansung University","place":["Seoul, South Korea"],"department":["Division of IT Convergence Engineering"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0069-9061","authenticated-orcid":false,"given":"Hwajeong","family":"Seo","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/048m9x696","id-type":"ROR","asserted-by":"publisher"}],"name":"Hansung University","place":["Seoul, South Korea"],"department":["Division of IT Convergence Engineering"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4840-9350","authenticated-orcid":false,"given":"Anupam","family":"Chattopadhyay","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02e7b5302","id-type":"ROR","asserted-by":"publisher"}],"name":"Nanyang Technological University","place":["Singapore"],"department":["School of Computer Science and Engineering"]}]}],"member":"48349","published-online":{"date-parts":[[2025,4,8]]},"reference":[{"key":"ref1:NAP25196","isbn-type":"print","doi-asserted-by":"crossref","DOI":"10.17226\/25196","volume-title":"Quantum Computing: Progress and Prospects","author":"Emily Grumbling","year":"2019","ISBN":"https:\/\/id.crossref.org\/isbn\/9780309479691"},{"key":"ref2:eurocrypt_aes","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-030-45724-2_10","article-title":"Implementing Grover Oracles for Quantum Key Search on AES\n  and LowMC","volume":"12106","author":"Samuel Jaques","year":"2020"},{"key":"ref3:grover_1996","doi-asserted-by":"publisher","first-page":"212","DOI":"10.1145\/237814.237866","article-title":"A fast quantum mechanical algorithm for database search","author":"Lov K Grover","year":"1996"},{"key":"ref4:aes-cipher","series-title":"Information Security and Cryptography","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-04722-4","volume-title":"The Design of Rijndael: AES - The Advanced Encryption\n  Standard","author":"Joan Daemen","year":"2002","ISBN":"https:\/\/id.crossref.org\/isbn\/3540425802"},{"key":"ref5:fse-92xor","doi-asserted-by":"publisher","first-page":"120","DOI":"10.13154\/tosc.v2020.i2.120-145","article-title":"Optimizing Implementations of Linear Layers","volume":"2020","author":"Zejun Xiang","year":"2020","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref6:ctrsa-91xor","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"609","DOI":"10.1007\/978-3-030-75539-3_25","article-title":"A Framework to Optimize Implementations of Matrices","volume":"12704","author":"Da Lin","year":"2021"},{"key":"ref7:fse_mc_2019","doi-asserted-by":"publisher","first-page":"84","DOI":"10.13154\/tosc.v2019.i1.84-117","article-title":"Constructing Low-latency Involutory MDS Matrices with\n  Lightweight Circuits","volume":"2019","author":"Shun Li","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref8:fse-depth3","doi-asserted-by":"publisher","first-page":"158","DOI":"10.46586\/tosc.v2022.i1.158-182","article-title":"Towards Low-Latency Implementation of Linear Layers","volume":"2022","author":"Qun Liu","year":"2022","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref9:zhenyu-28qdepth-inscript","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/978-3-031-26553-2_7","article-title":"Optimizing the Depth of Quantum Implementations of Linear\n  Layers","volume":"13837","author":"Chengkai Zhu","year":"2022"},{"key":"ref10:aes-dalin","doi-asserted-by":"publisher","first-page":"352","DOI":"10.1007\/s11128-023-04043-9","article-title":"Optimized quantum implementation of AES","volume":"22","author":"Da Lin","year":"2023","journal-title":"Quantum Information Processing"},{"key":"ref11:asia23aes","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-981-99-8727-6_3","article-title":"Improved quantum circuits for AES: Reducing the depth and\n  the number of qubits","author":"Qun Liu","year":"2023"},{"key":"ref12:aes91cnot","doi-asserted-by":"publisher","first-page":"322","DOI":"10.46586\/tosc.v2024.i2.322-347","article-title":"A Framework to Improve the Implementations of Linear\n  Layers","volume":"2024","author":"Yufei Yuan","year":"2024","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref13:asiacrypt_aes","isbn-type":"print","doi-asserted-by":"publisher","first-page":"697","DOI":"10.1007\/978-3-030-64834-3_24","article-title":"Quantum Circuit Implementations of AES with Fewer Qubits","author":"Jian Zou","year":"2020","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030648343"},{"key":"ref14:aes_eprint","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"614","DOI":"10.1007\/978-3-031-22969-5_21","article-title":"Synthesizing Quantum Circuits of AES with Lower T-depth\n  and Less Qubits","volume":"13793","author":"Zhenyu Huang","year":"2022"},{"key":"ref15:indo22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"517","DOI":"10.1007\/978-3-031-22912-1_23","article-title":"Improved Quantum Analysis of SPECK and LowMC","volume":"13774","author":"Kyungbae Jang","year":"2022"},{"key":"ref16:asia24_aes","doi-asserted-by":"publisher","first-page":"358","DOI":"10.1007\/978-981-96-0944-4_12","article-title":"Quantum circuits of AES with a low-depth linear layer and a\n  new structure","author":"Haotian Shi","year":"2024"},{"key":"ref17:jang-aes-ep","volume-title":"Quantum Analysis of AES","author":"Kyungbae Jang","year":"2022"},{"key":"ref18:eurocrypt20-bugfix","volume-title":"Implementing Grover oracles for quantum key search on AES\n  and LowMC","author":"Samuel Jaques","year":"2019"},{"key":"ref19:maximov-92xor","volume-title":"AES MixColumn with 92 XOR gates","author":"Alexander Maximov","year":"2019"},{"key":"ref20:bp12_sbox","doi-asserted-by":"publisher","first-page":"287","DOI":"10.1007\/978-3-642-30436-1_24","article-title":"A small depth-16 circuit for the AES S-box","author":"Joan Boyar","year":"2012"},{"key":"ref21:grassl","isbn-type":"print","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1007\/978-3-319-29360-8_3","article-title":"Applying Grover's Algorithm to AES: Quantum Resource\n  Estimates","author":"Markus Grassl","year":"2016","ISBN":"https:\/\/id.crossref.org\/isbn\/9783319293608"},{"key":"ref22:Langenberg_aes","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/TQE.2020.2965697","article-title":"Reducing the Cost of Implementing the Advanced Encryption\n  Standard as a Quantum Circuit","volume":"1","author":"Brandon Langenberg","year":"2020","journal-title":"IEEE Transactions on Quantum Engineering"},{"key":"ref23:nist_maxdepth","volume-title":"Submission Requirements and Evaluation Criteria for the\n  Post-Quantum Cryptography Standardization Process","author":"NIST.","year":"2016"},{"key":"ref24:quantum_book","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-97-0025-7","volume-title":"Implementation and Analysis of Ciphers in Quantum\n  Computing","author":"Anubhab Baksi","year":"2024"},{"key":"ref25:clifford_t_depth_one","doi-asserted-by":"publisher","first-page":"42302","DOI":"10.1103\/PhysRevA.87.042302","article-title":"Quantum circuits of T-depth one","volume":"87","author":"Peter Selinger","year":"2013","journal-title":"Physical Review A"},{"key":"ref26:clifford","doi-asserted-by":"publisher","first-page":"818","DOI":"10.1109\/tcad.2013.2244643","article-title":"A Meet-in-the-Middle Algorithm for Fast Synthesis of\n  Depth-Optimal Quantum Circuits","volume":"32","author":"Matthew Amy","year":"2013","journal-title":"IEEE Transactions on Computer-Aided Design of Integrated\n  Circuits and Systems","ISSN":"https:\/\/id.crossref.org\/issn\/1937-4151","issn-type":"electronic"},{"key":"ref27:clifford2","doi-asserted-by":"publisher","first-page":"2350","DOI":"10.1007\/s10773-017-3389-4","article-title":"Decompositions of n-qubit Toffoli gates with linear circuit\n  complexity","volume":"56","author":"Yong He","year":"2017","journal-title":"International Journal of Theoretical Physics"},{"key":"ref28:chun2023dorcis","first-page":"286","article-title":"DORCIS: Depth Optimized Quantum Implementation of\n  Substitution Boxes","author":"Matthew Chun","year":"2023","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref29:gidney2018","doi-asserted-by":"publisher","first-page":"74","DOI":"10.22331\/q-2018-06-18-74","article-title":"Halving the cost of quantum addition","volume":"2","author":"Craig Gidney","year":"2018","journal-title":"Quantum","ISSN":"https:\/\/id.crossref.org\/issn\/2521-327X","issn-type":"electronic"},{"key":"ref30:depth_execution_time","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1703.08540","volume-title":"Depth-Optimal Quantum Circuit Placement for Arbitrary\n  Topologies","author":"Debjyoti Bhattacharjee","year":"2017"},{"key":"ref31:grover_trick","volume-title":"Design and development of a quantum circuit to solve the\n  Information Set Decoding problem","author":"Simone Perriello","year":"2019"},{"key":"ref32:Boyer_1998","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1002\/3527603093.ch10","article-title":"Tight bounds on quantum searching","volume":"46","author":"Michel Boyer","year":"1998","journal-title":"Fortschritte der Physik: Progress of Physics"},{"key":"ref33:Bonnetain19aes","doi-asserted-by":"publisher","first-page":"55","DOI":"10.13154\/tosc.v2019.i2.55-93","article-title":"Quantum Security Analysis of AES","volume":"2019","author":"Xavier Bonnetain","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref34:app10186407","doi-asserted-by":"publisher","DOI":"10.3390\/app10186407","article-title":"Grover on Korean Block Ciphers","volume":"10","author":"Kyoungbae Jang","year":"2020","journal-title":"Applied Sciences","ISSN":"https:\/\/id.crossref.org\/issn\/2076-3417","issn-type":"electronic"},{"key":"ref35:present_gift","doi-asserted-by":"publisher","DOI":"10.3390\/app11114776","article-title":"Efficient Implementation of PRESENT and GIFT on Quantum\n  Computers","volume":"11","author":"Kyungbae Jang","year":"2021","journal-title":"Applied Sciences","ISSN":"https:\/\/id.crossref.org\/issn\/2076-3417","issn-type":"electronic"},{"key":"ref36:sha-grover","isbn-type":"print","doi-asserted-by":"publisher","first-page":"317","DOI":"10.1007\/978-3-319-69453-5_18","article-title":"Estimating the Cost of Generic Quantum Pre-image Attacks on\n  SHA-2 and SHA-3","author":"Matthew Amy","year":"2017","ISBN":"https:\/\/id.crossref.org\/isbn\/9783319694535"},{"key":"ref37:q-sm3","doi-asserted-by":"publisher","first-page":"421","DOI":"10.1007\/978-3-031-08896-4_22","article-title":"Grover on SM3","author":"Gyeongju Song","year":"2021"},{"key":"ref38:zou_new_sm3","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s11128-022-03518-5","article-title":"New quantum circuit implementations of SM4 and SM3","volume":"21","author":"Jian Zou","year":"2022","journal-title":"Quantum Information Processing"},{"key":"ref39:q-rectangle-knot-d","doi-asserted-by":"publisher","DOI":"10.1007\/s11128-021-03307-6","article-title":"Quantum Implementation and Resource Estimates for Rectangle\n  and Knot","volume":"20","author":"Anubhab Baksi","year":"2021","journal-title":"Quantum Information Processing","ISSN":"https:\/\/id.crossref.org\/issn\/1570-0755","issn-type":"electronic"},{"key":"ref40:quantum-default","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s12095-023-00666-y","article-title":"Quantum implementation and analysis of default","author":"Kyungbae Jang","year":"2023","journal-title":"Cryptography and Communications"},{"key":"ref41:grover-aria","doi-asserted-by":"publisher","first-page":"238","DOI":"10.1007\/978-3-030-66626-2_13","article-title":"Quantum resource estimates of grover\u2019s key search on\n  aria","author":"Amit Kumar Chauhan","year":"2020"},{"key":"ref42:q-korean","doi-asserted-by":"publisher","first-page":"373","DOI":"10.1007\/s11128-022-03714-3","article-title":"Parallel quantum addition for Korean block ciphers","volume":"21","author":"Kyungbae Jang","year":"2022","journal-title":"Quantum Information Processing"},{"key":"ref43:grover-pipo","doi-asserted-by":"publisher","first-page":"1194","DOI":"10.3390\/electronics10101194","article-title":"Grover on PIPO","volume":"10","author":"Kyungbae Jang","year":"2021","journal-title":"Electronics"},{"key":"ref44:yang-cham-q","doi-asserted-by":"publisher","DOI":"10.3390\/app13085156","article-title":"Optimized Implementation and Analysis of CHAM in Quantum\n  Computing","volume":"13","author":"Yujin Yang","year":"2023","journal-title":"Applied Sciences","ISSN":"https:\/\/id.crossref.org\/issn\/2076-3417","issn-type":"electronic"},{"key":"ref45:ascon-llq","volume-title":"Quantum Implementation of ASCON Linear Layer","author":"Soham Roy","year":"2023"},{"key":"ref46:oh-ascon-q","volume-title":"Depth-Optimized Implementation of ASCON Quantum Circuit","author":"Yujin Oh","year":"2023"},{"key":"ref47:oh2025quantum","volume-title":"Quantum Security Evaluation of ASCON","author":"Yujin Oh","year":"2025"},{"key":"ref48:nist_maxdepth2","volume-title":"Call for Additional Digital Signature Schemes for the\n  Post-Quantum Cryptography Standardization Process","author":"NIST.","year":"2022"},{"key":"ref49:kim_aes_analysis","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s11128-018-2107-3","article-title":"Time\u2013space complexity of quantum search algorithms in\n  symmetric cryptanalysis: applying to AES and SHA-2","volume":"17","author":"Panjin Kim","year":"2018","journal-title":"Quantum Information Processing"},{"key":"ref50:almazrooie_aes","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s11128-018-1864-3","article-title":"Quantum Reversible Circuit of AES-128","volume":"17","author":"Mishal Almazrooie","year":"2018","journal-title":"Quantum Information Processing","ISSN":"https:\/\/id.crossref.org\/issn\/1570-0755","issn-type":"electronic"},{"key":"ref51:grover_analysis","doi-asserted-by":"publisher","first-page":"2746","DOI":"10.1103\/PhysRevA.60.2746","article-title":"Grover\u2019s quantum searching algorithm is optimal","volume":"60","author":"Christof Zalka","year":"1999","journal-title":"Physical Review A"},{"key":"ref52:wang_aes","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s11467-021-1141-2","article-title":"A quantum circuit design of AES requiring fewer quantum\n  qubits and gate operations","volume":"17","author":"Ze-Guo Wang","year":"2022","journal-title":"Frontiers of Physics"},{"key":"ref53:bp10_sbox","isbn-type":"print","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1007\/978-3-642-13193-6_16","article-title":"A New Combinational Logic Minimization Technique with\n  Applications to Cryptology","author":"Joan Boyar","year":"2010","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642131936"},{"key":"ref54:cryptoeprint:2019:1245","volume-title":"Observations on the Quantum Circuit of the SBox of AES","author":"Jian Zou","year":"2019"},{"key":"ref55:Jeon_Baek_Kim_Kim_2024","doi-asserted-by":"publisher","first-page":"586","DOI":"10.46586\/tches.v2025.i1.586-631","article-title":"A Framework for Generating S-Box Circuits with\n  Boyar\u2013Peralta Algorithm-Based Heuristics, and Its Applications to AES,\n  SNOW3G, and Saturnin","volume":"2025","author":"Yongjin Jeon","year":"2024","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"},{"key":"ref56:hadvzic2025efficient","doi-asserted-by":"publisher","first-page":"656","DOI":"10.46586\/tches.v2025.i1.656-683","article-title":"Efficient and Composable Masked AES S-Box Designs Using\n  Optimized Inverters","volume":"2025","author":"Vedad Had\u017eic","year":"2024","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"},{"key":"ref57:marcus-thesis","volume-title":"Cryptanalysis of the SoDark family of cipher algorithms","author":"Marcus Dansarie","year":"2017"},{"key":"ref58:marcus-sboxgates","doi-asserted-by":"publisher","first-page":"2946","DOI":"10.21105\/joss.02946","article-title":"sboxgates: A program for finding low gate count\n  implementations of S-boxes","volume":"6","author":"Marcus Dansarie","year":"2021","journal-title":"Journal of Open Source Software"},{"key":"ref59:lighterr","doi-asserted-by":"publisher","first-page":"260","DOI":"10.1109\/SOCC46988.2019.1570548320","article-title":"LIGHTER-R: Optimized Reversible Circuit Implementation For\n  SBoxes","author":"Vishnu Asutosh Dasu","year":"2019"},{"key":"ref60:socc-2","doi-asserted-by":"publisher","DOI":"10.1109\/SOCC62300.2024.10737862","article-title":"Quantum Implementation of Linear and Non-Linear Layers","author":"Anubhab Baksi","year":"2024","journal-title":"IEEE International System-on-Chip Conference (SOCC)"},{"key":"ref61:zhenqiang-aes-sbox","doi-asserted-by":"publisher","DOI":"10.3389\/fphy.2023.1171753","volume-title":"New record in the number of qubits for a quantum\n  implementation of AES","volume":"11","author":"Zhenqiang Li","year":"2023","journal-title":"Frontiers in Physics"},{"key":"ref62:luo-yang-sbox","doi-asserted-by":"publisher","DOI":"10.1140\/epjqt\/s40507-022-00144-z","article-title":"Quantum reversible circuits for\n  $\\mathrm{GF}(2^{8})$multiplicative inverse","author":"Qing-bin Luo","year":"2022","journal-title":"EPJ Quantum Technology"},{"key":"ref63:97xor_depth8","doi-asserted-by":"publisher","first-page":"188","DOI":"10.13154\/tosc.v2017.i4.188-211","article-title":"Shorter Linear Straight-Line Programs for MDS Matrices","volume":"2017","author":"Thorsten Kranz","year":"2017","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref64:thomas-94xor-ches","doi-asserted-by":"publisher","first-page":"203","DOI":"10.13154\/tches.v2020.i1.203-230","article-title":"Improved Heuristics for Short Linear Programs","volume":"2020","author":"Quan Quan Tan","year":"2019","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n  Systems"},{"key":"ref65:liu2023improved","doi-asserted-by":"publisher","first-page":"524","DOI":"10.1007\/978-3-031-30872-7_20","article-title":"Improved Heuristics for Low-Latency Implementations of\n  Linear Layers","author":"Qun Liu","year":"2023"},{"key":"ref66:pehlivanouglu2024optimizing","doi-asserted-by":"publisher","DOI":"10.7717\/peerj-cs.1820","article-title":"Optimizing implementations of linear layers using two and\n  higher input XOR gates","volume":"10","author":"Meltem Kurt Pehlivano\u011flu","year":"2024","journal-title":"PeerJ Computer Science"},{"key":"ref67:xor34-fse","doi-asserted-by":"publisher","first-page":"351","DOI":"10.46586\/tosc.v2022.i2.351-378","article-title":"More Inputs Makes Difference: Implementations of Linear\n  Layers Using Gates with More Than Two Inputs","volume":"2022","author":"Qun Liu","year":"2022","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref68:indo21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"141","DOI":"10.1007\/978-3-030-92518-5_7","article-title":"Three Input Exclusive-OR Gate Support for Boyar-Peralta's\n  Algorithm","volume":"13143","author":"Anubhab Baksi","year":"2021"},{"key":"ref69:jstage","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1587\/transfun.2020CIP0013","article-title":"Further results on efficient implementations of block cipher\n  linear layers","volume":"104","author":"Subhadeep Banik","year":"2021","journal-title":"IEICE Transactions on Fundamentals of Electronics,\n  Communications and Computer Sciences"},{"key":"ref70:shi2023framework","doi-asserted-by":"publisher","first-page":"489","DOI":"10.46586\/tosc.v2023.i4.489-510","article-title":"A Framework with Improved Heuristics to Optimize Low-Latency\n  Implementations of Linear Layers","volume":"2023","author":"Haotian Shi","year":"2023","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref71:jang-becc-ep","volume-title":"New Quantum Cryptanalysis of Binary Elliptic Curves\n  (Extended Version)","author":"Kyungbae Jang","year":"2025"},{"key":"ref72:smt-milp-xor","isbn-type":"print","doi-asserted-by":"publisher","first-page":"500","DOI":"10.1007\/978-3-030-81645-2_30","article-title":"POSTER: Optimizing Device Implementation of Linear Layers\n  with Automated Tools","author":"Anubhab Baksi","year":"2021","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030816452"},{"key":"ref73:wiebe2014quantum","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1406.2040","volume-title":"Quantum arithmetic and numerical analysis using\n  Repeat-Until-Success circuits","author":"Nathan Wiebe","year":"2014"},{"key":"ref74:davenport-print-sac20","isbn-type":"print","doi-asserted-by":"publisher","first-page":"360","DOI":"10.1007\/978-3-030-81652-0_14","article-title":"Improvements to Quantum Search Techniques for Block-Ciphers,\n  with Applications to AES","author":"James H. Davenport","year":"2021","ISBN":"https:\/\/id.crossref.org\/isbn\/9783030816520"},{"key":"ref75:anubhab","volume-title":"Classical and Physical Security of Symmetric Key\n  Cryptographic Algorithms","author":"Anubhab Baksi","year":"2021"},{"key":"ref76:aead-q","doi-asserted-by":"publisher","DOI":"10.1038\/s41598-024-69188-8","article-title":"Implementing Grover\u2019s on AES-based AEAD schemes","volume":"14","author":"Surajit Mandal","year":"2024","journal-title":"Scientific Reports"},{"key":"ref77:sha2-3-tetc","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/TETC.2025.3546648","article-title":"Quantum Implementation and Analysis of SHA-2 and SHA-3","author":"Kyungbae Jang","year":"2025","journal-title":"IEEE Transactions on Emerging Topics in Computing"},{"key":"ref78:kim-nv-sieve-ep","volume-title":"Concrete Quantum Cryptanalysis of Shortest Vector Problem","author":"Hyunji Kim","year":"2024"},{"key":"ref79:siyi-led","volume-title":"New Results in Quantum Analysis of LED: Featuring One and\n  Two Oracle Attacks","author":"Siyi Wang","year":"2024"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:24:53Z","timestamp":1744147493000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/1\/25"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,8]]},"references-count":79,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,4,8]]}},"URL":"https:\/\/doi.org\/10.62056\/ay11zo-3y","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,4,8]]},"assertion":[{"value":"2025-01-12","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-11","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-1-36"}}