Grover on Korean Block Ciphers

Abstract

The Grover search algorithm reduces the security level of symmetric key cryptography with n-bit security level to $O\left(2^{n/2}\right)$. In order to evaluate the Grover search algorithm, the target block cipher should be efficiently implemented in quantum circuits. Recently, many research works evaluated required quantum resources of AES block ciphers by optimizing the expensive substitute layer. However, few works were devoted to the lightweight block ciphers, even though it is an active research area, nowadays. In this paper, we present optimized implementations of every Korean made lightweight block ciphers for quantum computers, which include HIGHT, CHAM, and LEA, and NSA made lightweight block ciphers, namely SPECK. Primitive operations for block ciphers, including addition, rotation, and exclusive-or, are finely optimized to achieve the optimal quantum circuit, in terms of qubits, Toffoli gate, CNOT gate, and X gate. To the best of our knowledge, this is the first implementation of ARX-based Korean lightweight block ciphers in quantum circuits.

1. Introduction

As the Internet of Things (IoT) technology gets developed, a number of wearable and smart devices are gradually spreading through people’s life [1]. Between these IoT devices, abundant data, from simple sensor data to even sensitive personal data, are being exchanged and processed. In order to protect these sensitive data, the exchange process of the data must be secured properly. To achieve the security, cryptographic algorithms must be applied to the data. However, applying the cryptographic algorithm requires resources, including computational power and memory. Most of the IoT devices do not have enough resources in order to apply cryptographic algorithms of conventional computers since most of them are equipped with low computational power and small memory footprint.

In order to resolve this hard condition, lightweight cryptography has been actively studied [2]. Unlike classical cryptography, a lightweight cryptography is designed for low-end devices. Most lightweight cryptography focuses on using resources efficiently to operate in the resource-constrained devices. However, as a cryptography, it is still important to maintain security even from the potential attacks using not only conventional computers, but also the upcoming quantum computers.

The advent of quantum computers and quantum algorithms has dramatically changed the cryptography community. The most well-known modern public key cryptography, such as RSA and Elliptic Curve Cryptography (ECC), are based on the difficulties of factorization and discrete algebra problem [3]. However, Shor’s algorithm can perform prime number factorization efficiently, making RSA and ECC vulnerable [4].

In the field of symmetric key cryptography, the impact of quantum computers is not as critical as the case of the public key cryptography. The Grover search algorithm can be used to find the n-bit secret key at the speed of $\sqrt{n}$, which is the most effective quantum attack method for block ciphers [5]. Applying the Grover search algorithm to block ciphers is the most efficient way to measure the security level of block ciphers against attacks from quantum computers. For this reason, not only the Grover’s algorithm but also the cryptography must be implemented with a quantum circuit for cryptanalysis. Since the development of quantum computer is a rudimentary stage, finding the optimal quantum resource for the target algorithm is one of the most important research fields.

In order to estimate the quantum resources, a number of block cipher implementations have been investigated [6,7,8,9]. Grassl et al. estimated the quantum resource required for AES block cipher to apply the Grover search algorithm [6]. Afterward, Langenberg et al. and Jaques et al. found more optimal substitute layer design in quantum circuits than Grassl et al. [7,8]. Recently, Anand et al. implemented the SIMON in quantum gates [9], which is a block cipher developed by the National Security Agency (NSA) to support the hardware environment [10].

In this paper, we implemented SPECK and every Korean lightweight block cipher for the quantum resource estimation. To optimize the quantum circuit, functions, such as the key scheduling and the round functions, were optimized by simultaneously calculating results. In addition, the number of qubits was reduced by efficiently arranging the order of operations and the order of objects. Target ciphers are ARX-based structures designed with Addition, Rotation, and XOR operations.

1.1. Contribution

1.1.1. Optimized Implementation of ARX-Based Block Ciphers in Quantum Gates

Quantum gates for AES block ciphers have been actively studied. However, only a few works were devoted to lightweight ARX-based block ciphers. In this paper, we implemented four different ARX-based block ciphers and presented optimized implementations to reduce required qubits.

1.1.2. First Quantum Implementation of ARX-Based All Korean Block Ciphers and In-Depth Analysis

Korean block ciphers, such as LEA, HIGHT, and CHAM are efficiently implemented in quantum gates. This is the first implementation of Korean block ciphers in quantum gates. We analyzed the implementations and show the security against the quantum computer and their features.

1.1.3. Quantum Resource Estimation between Software-Oriented and Hardware-Oriented Block Ciphers

The architecture of block cipher is largely divided into software-oriented (i.e., SPECK) and hardware-oriented (i.e., SIMON). We compared both block ciphers in quantum gates and estimated the quantum security.

The remainder of this paper is organized as follows. In Section 2, target block ciphers, quantum implementations, and quantum algorithms are given. In Section 3, proposed quantum implementations for block ciphers are given. In Section 4, the evaluation of proposed quantum implementation is presented. Finally, Section 5 concludes the paper.

2. Related Works

2.1. Notation

In this paper, the following notations are commonly used, and

Table 1. Notations.

Notation	Meaning
K	Initial keywords
$RK$	Round key
⊕	XOR operation
⊞	Modular addition operation
ROL${}_i$	Rotation left operation (i-bit)
ROR${}_i$	Rotation right operation (i-bit)

explains its meaning.

2.2. Target Block Ciphers

2.2.1. Hight

In CHES’06, ultra lightweight block cipher HIGHT was presented [11]. HIGHT is a 64-bit block cipher with 128-bit keys. Eight whitening keys and 128 subkeys, 8-bit respectively, are generated from the 128-bit key. HIGHT block cipher performs 8-bit wise ARX operations and the encryption/decryption operation consists of 32 rounds. In each round, a 64-bit round key is required, and, in total, 2048-bit of round keys are needed to process a 64-bit block. The parameters for the HIGHT block cipher are shown in

Table 2. Parameters of HIGHT.

Cipher	Block Size (Bits)	Key Size (Bits)	Word Size (Bits)	Keywords	Rounds
HIGHT	64	128	8	16	32

.

The key schedule of HIGHT uses the initial key words K to generate whitening keys $WK$ and round keys $RK$. The whitening key is used for initial conversion of plain text and final conversion for cipher text. The whitening key is generated as follows:

$$\begin{array}{c}WK\left[i\right]=K[i+12],0\le i\le 3\hfill \\ WK\left[i\right]=K[i-4],4\le i\le 7\hfill \end{array}$$

(1)

The connection polynomial of LFSR h is $x^7+x^3+1$. The initial internal state value of h is ${\delta }_0=(s_6,s_5,s_4,s_3,s_2,s_1,s_0)=(1,0,1,1,0,1,0)$. For $1\le i\le 127$, ${\delta }_i$ is generated as follows and used for round key generation:

$$\begin{array}{c}{s}_{i+6}=s_{i+2}\oplus s_{i-1}\hfill \\ {\delta }_i=(s_{i+6},s_{i+5},s_{i+4},s_{i+3},s_{i+2},s_{i+1},s_i)\hfill \end{array}$$

(2)

Round key RK is generated as follows:

$$\begin{array}{c}\mathrm{for}i=0\mathrm{to}7:\hfill \\ \mathrm{for}j=0\mathrm{to}7:\hfill \\ RK[16·i+j]=K[j-i\mathrm{mod}8]⊞{\delta }_{16·i+j}\hfill \\ \mathrm{for}j=0\mathrm{to}7:\hfill \\ RK[16·i+j+8]=K[(j-i\mathrm{mod}8)+8]⊞{\delta }_{16·i+j+8}\hfill \end{array}$$

(3)

Before performing the round function, the initial conversion of plaintext T using four whitening keys $WK$ is performed in the encryption process, as follows:

$$\begin{array}{c}{X}_0\left[i\right]=T\left[i\right],i=1,3,5,7\hfill \\ X_0\left[0\right]=T\left[0\right]⊞WK\left[0\right]\hfill \\ X_0\left[2\right]=T\left[2\right]\oplus WK\left[1\right]\hfill \\ X_0\left[4\right]=T\left[4\right]⊞WK\left[2\right]\hfill \\ X_0\left[6\right]=T\left[6\right]\oplus WK\left[3\right]\hfill \end{array}$$

(4)

In the round function of HIGHT, auxiliary functions $F_0\left(X\right)$ and $F_1\left(X\right)$ using left rotation operation are used, and, for $1\le i<32$, the round function is shown in Equation (6):

$$\begin{array}{c}{F}_0\left(X\right)={\mathrm{ROL}}_1\left(X\right)\oplus {\mathrm{ROL}}_2\left(X\right)\oplus {\mathrm{ROL}}_7\left(X\right)\hfill \\ F_1\left(X\right)={\mathrm{ROL}}_3\left(X\right)\oplus {\mathrm{ROL}}_4\left(X\right)\oplus {\mathrm{ROL}}_6\left(X\right)\hfill \end{array}$$

(5)

$$\begin{array}{c}{X}_i\left[j\right]=X_{i-1}[j-1],j=1,3,5,7\hfill \\ X_i\left[0\right]=X_{i-1}\left[7\right]\oplus (F_0\left(X_{i-1}\left[6\right]\right)⊞RK[4i-1])\hfill \\ X_i\left[2\right]=X_{i-1}\left[1\right]⊞(F_0\left(X_{i-1}\left[0\right]\right)\oplus RK[4i-4])\hfill \\ X_i\left[4\right]=X_{i-1}\left[3\right]\oplus (F_0\left(X_{i-1}\left[2\right]\right)⊞RK[4i-3])\hfill \\ X_i\left[6\right]=X_{i-1}\left[5\right]⊞(F_0\left(X_{i-1}\left[4\right]\right)\oplus RK[4i-2])\hfill \end{array}$$

(6)

In the last round $i=32$, the $F_1\left(X\right)$ is also used, and the output positions of the input values are not changed as follows:

$$\begin{array}{c}{X}_{32}\left[i\right]=X_{31}\left[i\right],i=0,2,4,6\hfill \\ X_{32}\left[1\right]=X_{31}\left[1\right]⊞(F_1\left(X_{31}\left[0\right]\right)\oplus RK\left[124\right])\hfill \\ X_{32}\left[3\right]=X_{31}\left[3\right]\oplus (F_0\left(X_{31}\left[2\right]\right)⊞RK\left[125\right])\hfill \\ X_{32}\left[5\right]=X_{31}\left[5\right]⊞(F_1\left(X_{31}\left[4\right]\right)\oplus RK\left[126\right])\hfill \\ X_{32}\left[7\right]=X_{31}\left[7\right]\oplus (F_0\left(X_{31}\left[6\right]\right)⊞RK\left[127\right])\hfill \end{array}$$

(7)

After executing all round functions, the ciphertext C is generated by the final conversion using the whitening key, and the final conversion is shown in Equation (8):

$$\begin{array}{c}C\left[i\right]=X_{32}\left[i\right],i=1,3,5,7\hfill \\ C\left[0\right]=X_{32}\left[0\right]⊞WK\left[4\right]\hfill \\ C\left[2\right]=X_{32}\left[2\right]\oplus WK\left[5\right]\hfill \\ C\left[4\right]=X_{32}\left[4\right]⊞WK\left[6\right]\hfill \\ C\left[6\right]=X_{32}\left[6\right]\oplus WK\left[7\right]\hfill \end{array}$$

(8)

Key schedule and round function structure of HIGHT are shown in Figure 1.

2.2.2. CHAM

In ICISC’17, a family of lightweight block ciphers CHAM was announced by the Attached Institute of ETRI [12]. The family consists of three ciphers: including CHAM-64/128, CHAM-128/128, and CHAM-128/256. The CHAM block ciphers are of the generalized 4-branch Feistel structure based on ARX operations.

In ICISC’19, the revised version of CHAM block cipher was presented [13]. In order to prevent new related-key differential characteristics and differentials of CHAM using a SAT solver, the numbers of rounds of CHAM-64/128, CHAM-128/128, and CHAM-128/256 are increased from 80 to 88, 80 to 112, and 96 to 120, respectively.

Table 3. Parameters of CHAM.

Cipher	Block Size (bits)	Key Size (bits)	Word Size (Bbits)	Keywords	Rounds
CHAM-64/128	64	128	16	8	80
CHAM-128/128	128	128	32	4	80
CHAM-128/256	128	256	32	8	96

shows the parameters of the block ciphers CHAM.

By performing the key schedule on the initial key words $K=\left\{K\right[0],K[1],\cdots ,K[m-1\left]\right\}$, generates round key $RK=\left\{RK\right[0],RK[1],\cdots ,RK[2m-1\left]\right\}$ for use in the i-th round for $0\le i<r$. The key schedule is shown in Equation (9) below, where $0\le i<m$:

$$\begin{array}{c}RK\left[i\right]=K\left[i\right]\oplus {\mathrm{ROL}}_1\left(K\left[i\right]\right)\oplus {\mathrm{ROL}}_8\left(K\left[i\right]\right)\hfill \\ RK[(i+m)\oplus 1]=K\left[i\right]\oplus {\mathrm{ROL}}_1\left(K\left[i\right]\right)\oplus {\mathrm{ROL}}_{11}\left(K\left[i\right]\right)\hfill \end{array}$$

(9)

If the round key $RK$ is generated through key scheduling, the plaintext $T=\{X_0\left[0\right],X_0\left[1\right],X_0\left[2\right],X_0\left[3\right]\}$ is encrypted by repeating the round function in the following two cases.

If i from the i-th round for $0\le i<r$ is odd, the upper function is called. If the i is even, then the lower function is called:

$$\begin{array}{c}{X}_{i+1}\left[j\right]=X_i[j+1],(0\le j\le 2)\hfill \\ X_{i+1}\left[3\right]={\mathrm{ROL}}_8((X_i\left[0\right]\oplus i)⊞({\mathrm{ROL}}_1\left(X_i\left[1\right]\right)\oplus RK\left[i\mathrm{mod}2m\right]))\hfill \end{array}$$

(10)

In the rest of the cases, the following function applies:

$$\begin{array}{c}{X}_{i+1}\left[j\right]=X_i[j+1],(0\le j\le 2)\hfill \\ X_{i+1}\left[3\right]={\mathrm{ROL}}_1((X_i\left[0\right]\oplus i)⊞({\mathrm{ROL}}_8\left(X_i\left[1\right]\right)\oplus RK\left[i\mathrm{mod}2m\right]))\hfill \end{array}$$

(11)

Key schedule and round function structure of CHAM are shown in Figure 2 and Figure 3.

2.2.3. LEA

In WISA’13, a lightweight block cipher LEA was presented [14]. LEA is a 128-bit block cipher supporting three key lengths, i.e., 128-bit, 192-bit, and 256-bit. LEA–128, LEA-192, and LEA-256 require 24, 28, and 32 rounds, respectively. In each round, 192-bit round keys are required. The word size is 32-bit and primitive operations are 32-bit wise addition, rotation, and exclusive-or. The parameters for the LEA block cipher are shown in

Table 4. Parameters of LEA.

Cipher	Block Size (bits)	Key Size (bits)	Word Size (bits)	Keywords	Rounds
LEA-128	128	128	32	4	24
LEA-192	128	192	32	6	28
LEA-256	128	256	32	8	32

.

The key schedule of the LEA uses constant value $\delta$ representing the ASCII codes of ‘L,’ ‘E,’ and ‘A’, and the key schedule is slightly different depending on the parameters. The key schedule of LEA-128 for $0\le i<24$ is as follows:

$$\begin{array}{c}\delta \left[0\right]=0xc3efe9db,\delta \left[1\right]=0x44626b02\hfill \\ \delta \left[2\right]=0x79e27c8a,\delta \left[3\right]=0x78df30ec\hfill \\ \delta \left[4\right]=0x715ea49e,\delta \left[5\right]=0xc785da0a\hfill \\ \delta \left[6\right]=0xe04ef22a,\delta \left[7\right]=0xe5c40957\hfill \end{array}$$

(12)

$$\begin{array}{c}K\left[0\right]={\mathrm{ROL}}_1(K\left[0\right]⊞{\mathrm{ROL}}_i\left(\delta \left[i\mathrm{mod}4\right]\right))\hfill \\ K\left[1\right]={\mathrm{ROL}}_3(K\left[1\right]⊞{\mathrm{ROL}}_{i+1}\left(\delta \left[i\mathrm{mod}4\right]\right))\hfill \\ K\left[2\right]={\mathrm{ROL}}_6(K\left[2\right]⊞{\mathrm{ROL}}_{i+2}\left(\delta \left[i\mathrm{mod}4\right]\right))\hfill \\ K\left[3\right]={\mathrm{ROL}}_{11}(K\left[3\right]⊞{\mathrm{ROL}}_{i+3}\left(\delta \left[i\mathrm{mod}4\right]\right))\hfill \\ R{K}_i=(K\left[0\right],K\left[1\right],K\left[2\right],K\left[1\right],K\left[3\right],K\left[1\right])\hfill \end{array}$$

(13)

Unlike the key schedule, the round function is performed as follows for $0\le i<r$ regardless of the parameter for the plaintext $P=\{X_0\left[0\right],X_0\left[1\right],X_0\left[2\right],X_0\left[3\right]\}$:

$$\begin{array}{c}{X}_{i+1}\left[0\right]={\mathrm{ROL}}_9((X_i\left[0\right]\oplus R{K}_i\left[0\right])⊞(X_i\left[1\right]\oplus R{K}_i\left[1\right]))\hfill \\ X_{i+1}\left[1\right]={\mathrm{ROL}}_5((X_i\left[1\right]\oplus R{K}_i\left[2\right])⊞(X_i\left[2\right]\oplus R{K}_i\left[3\right]))\hfill \\ X_{i+1}\left[2\right]={\mathrm{ROL}}_3((X_i\left[2\right]\oplus R{K}_i\left[4\right])⊞(X_i\left[3\right]\oplus R{K}_i\left[5\right]))\hfill \\ X_{i+1}\left[3\right]=X_i\left[0\right]\hfill \end{array}$$

(14)

Key schedule and round function structure of LEA are shown in Figure 4 and Figure 5.

2.2.4. SPECK

In 2013, NSA released two lightweight block ciphers, SPECK and SIMON, for the low-end devices [10]. SPECK has been implemented in order to perform efficiently in the software environment. The SIMON, on the other hand, has been implemented and optimized for hardware. Although these two ciphers are considered sisters, SIMON has already been designed as quantum circuit [9]. For this reason, this paper only covers quantum circuit implementation and optimization for SPECK.

SPECK takes the form of block cipher and is implemented with an ARX structure that consists of simple operations such as addition, rotation, and bit-wise exclusive operation. SPECK is also implemented in various parameters to provide different levels of security, which are shown in

Table 5. Parameters of SPECK.

Block Size (bits)	Key Size (bits)	Word Size (bits)	Keywords	Rounds
32	64	16	4	22
48	72, 96	24	3, 4	22, 23
64	96, 128	32	3, 4	26, 27
96	96, 144	48	2, 3	28, 29
128	128, 192, 256	64	2, 3, 4	32, 33, 34

.

A key schedule gets processed in order to generate a round key $RK$, which will be used in each round. The initial key words are $K=\left\{K\right[0],l[0],\dots ,l[m-2\left]\right\}$, and the following key schedule is performed for $0\le i<r$, and the new key value $RK=\left\{K\right[0],K[1],\dots ,K[r-1\left]\right\}$ is used as the round key. $\alpha$ and $\beta$ are 7 and 2 when the size of the block is 32-bit, respectively. For the rest of the block size, $\alpha$ and $\beta$ are 8 and 3, respectively:

$$\begin{array}{c}l[i+m-1]=(K\left[i\right]⊞{\mathrm{ROR}}_{\alpha }\left(l\left[i\right]\right))\oplus i\hfill \\ K[i+1]={\mathrm{ROL}}_{\beta }\left(K\left[i\right]\right)\oplus l[i+m-1]\hfill \end{array}$$

(15)

During the round function of SPECK with the block size of $2n$, for $0\le i<r$, a $2n$-bit ciphertext word is generated using an n-bit round key for a 2n-bit ($X\left[0\right]$, $X\left[1\right]$) input word:

$$\begin{array}{c}X\left[1\right]=({\mathrm{ROR}}_{\alpha }\left(X\left[1\right]\right)⊞X\left[0\right])\oplus RK\left[i\right]\hfill \\ X\left[0\right]={\mathrm{ROL}}_{\beta }\left(X\left[0\right]\right)\oplus X\left[1\right]\hfill \end{array}$$

(16)

Key schedule and encryption of SPECK in case of m = 2 are shown in Figure 6.

2.3. Quantum Implementations and Algorithms

2.3.1. Quantum Gates

Quantum computers have several gates that can emulate the classical gates. The two most representative gates are CNOT and Toffoli gates. The CNOT gate performs a NOT gate operation on the second qubit when the first input qubit of the two input qubits is set as one. The NOT gate (i.e., X gate) inverts the state of the qubit. This gate performs the same role as the addition operation on the binary field. The circuit configuration is shown on the left side of Figure 7. The Toffoli gate takes three qubits as input. When the first and second qubits are set to one, the gate performs a NOT gate operation on the last qubit. This serves as an AND operation on the binary field. The circuit configuration for Toffoli gate is shown on the right side of Figure 7.

A lot of works have been done on the addition operation in quantum computers [15,16,17,18]. Among them, Cuccaro et al. suggested the riple-carry addition circuit to achieve the most optimal design by using only one ancillary qubit [15]. For n-bit addition operation, $2n+2$ qubits, $2n$ Toffoli gates, and $4n$ CNOT gates are used.

2.3.2. Grover Search Algorithm

The Grover search algorithm is a quantum algorithm that finds specific data for n unsorted data. The classic method requires $O\left(2^n\right)$ searches in brute force attack. However, this can be found within $O\left(2^{n/2}\right)$ times with the Grover search algorithm. The Grover search algorithm consists of an oracle function and a diffusion operator, as shown in Figure 8.

The oracle function $f\left(x\right)$ returns 1 if input x is the solution to the search. Otherwise, it returns 0. When $f\left(x\right)=1$, the sign of the state x is flipped. It then proceeds to the diffusion operator step, which increases the amplitude of the solution. The searching step is as follows: First, the average amplitude is calculated for all data. Second, the difference between the amplitude and the average amplitude of each data are calculated. If the answer to find in the 2-bit input is 10, the status after these two steps is as shown in Figure 9.

After performing the oracle function, the amplitude of the solution has a different sign from other amplitudes. The difference from the average amplitude increases and the difference between the non-answer amplitudes decreases. The Grover search algorithm increases the amplitude probability of the solution by repeating the oracle function and diffusion operators. The status after diffusion operations is given in Figure 10.

2.3.3. Previous Quantum Implementations

Advanced Encryption Standard (AES) is the international block cipher standard [19] and the block cipher is widely used in practice, such as database encryption and network security. For this reason, a number of works focused on quantum resource estimation for the AES block cipher.

Grassl et al. have presented first quantum circuits to implement an exhaustive key search for the AES and analyzed the quantum resources required to carry out such attacks [6]. All three variants of AES (key size 128, 192, and 256 bit) are implemented for the Grover’s quantum algorithm with optimal operations for each layer.

Langenberg et al. presented new quantum circuits for all three AES key lengths. For AES-128, the number of Toffoli gates can be reduced by more than 88% compared to Grassl et al.’s estimates [6], while simultaneously reducing the number of qubits [20].

Previous works of AES have derived the full gate cost by analyzing quantum circuits for the cipher but focused on minimizing the number of qubits. In [8], they have studied the cost of quantum key search attacks under a depth restriction and introduced techniques that reduce the oracle depth, even if it requires more qubits. As part of this work, they released Q# implementations of the full Grover oracle for AES-128, AES-192, and AES-256, including unit tests and code to reproduce their quantum resource estimates.

In [9], the reversible implementation of SIMON block cipher was presented. This block cipher is hardware-oriented suggested by NSA. They have successfully implemented the Grover oracle and Grover diffusion for key search. They have estimated the resources in terms of CNOT, Toffoli, and X gates, which are required to carry out the quantum attack on the block cipher.

3. Proposed Method

In this chapter, we describe the optimized quantum circuit for applying the Grover’s algorithm to HIGHT, CHAM, LEA, and SPECK block ciphers.

All block ciphers implemented in this paper are composed of modular addition, rotation, and XOR operations based on ARX. In the quantum circuit, the rotation operation can be designed without using any gates by changing the order of qubits. Given $a=\{a_0,a_1,a_2,a_3\}$ and $b=\{b_0,b_1,b_2,b_3\}$, the operation $a⋙1$ is performed. Then, the XOR operation $b=b\oplus a$ is performed on the elements of b and the elements of a changed in order by rotation. In this case, since a is $\{a_1,a_2,a_3,a_0\}$ after $a⋙1$, it is completed by performing CNOT($a_1,b_0$), CNOT($a_2,b_1$), CNOT($a_3,b_2$), and CNOT($a_0,b_3$). In this way, there is no cost for the rotation operation, and the XOR operation can be performed simply with a CNOT gate.

However, for addition operation, Toffoli gates are required, so a more complex circuit is needed than the previous two cases. We used the method of Cuccaro et. al’s ripple carry addition [15]. In order to use the ripple-carry addition circuit, not only the qubits of the calculation target, but also two additional qubits for carry calculation are required. Since the addition of block cipher is the modular addition, the value of highest carry qubit can be ignored. Therefore, the addition operation can be performed only with the initial carry qubit of $c_0$. Since this $c_0$ qubit is initialized to 0 after addition operation, it can be recycled at any time.

The block cipher is largely divided into two steps, including key schedule and round function. In order to reduce the required qubit, an on-the-fly approach is utilized.

3.1. HIGHT

In this section, we describe the proposed HIGHT block cipher in the quantum circuit to apply the Grover search algorithm.

3.1.1. Key Schedule

In order to reduce the use of qubits in HIGHT, rather than generating all the round keys in advance, the key schedule is performed simultaneously during the round. In the key schedule, the ${\delta }_0=\{s_6,s_5,s_4,s_3,s_2,s_1,s_0\}$ is used first, and then a new ${\delta }_i$ must be generated for $1\le i\le 127$. At this time, the number of qubits can be saved by recycling the existing qubits. For example, when creating a ${\delta }_1$ in Equation (2), a new $s_7$ is generated, and the $s_0$ is not included in new ${\delta }_i$. Therefore, we do not allocate a new qubit for $s_7$, but operate on the existing $s_0$ and treat it as a new value. The detailed process for this is shown in Algorithm 1.

Algorithm 1 Generate ${\delta }_i$ of HIGHT.

Input:${\delta }_{i-1}=\{s_{(i+5)\%7},s_{(i+4)\%7},s_{(i+3)\%7},s_{(i+2)\%7},s_{(i+1)\%7},s_{i\%7},s_{(i-1)\%7}\}$

Output:${\delta }_i$

1: $s_{(i-1)\%7}\leftarrow$ CNOT($s_{(i+2)\%7},s_{(i-1)\%7}$)

2: return${\delta }_i=\{s_{(i-1)\%7},s_{(i+5)\%7},s_{(i+4)\%7},s_{(i+3)\%7},s_{(i+2)\%7},s_{(i+1)\%7},s_{i\%7}\}$

As mentioned earlier, to reduce the number of qubits, the key schedule is performed simultaneously with the function of the round. Rather than generating all round keys at once, the key schedule is performed in units of 16 keywords. Instead of generating a round key in new qubits, the operation is performed on the initial key $K=\left\{K\right[0],K[1],\dots ,K[15\left]\right\}$ to convert it to round key $RK=\left\{RK\right[0],RK[1],\dots ,RK[15\left]\right\}$. The detailed process for this is described in Algorithm 2.

Algorithm 2i-th key schedule of HIGHT.

Input:${\delta }_{16·(i-1)}$, K

Output:K

1: for $j=0$ to 7 do

2:  Generate ${\delta }_{16·(i-1)+j}$

3:  $RK[16·(i-1)+j]\leftarrow$ ADD(${\delta }_{16·(i-1)+j},K[j-i+1\mathrm{mod}8]$)

4:  Use $RK[16·(i-1)+j]$ in round function

5:  Reverse: ADD(${\delta }_{16·(i-1)+j},K[j-i+1\mathrm{mod}8]$)

6: end for

7: for $j=0$ to 7 do

8:  Generate ${\delta }_{16·(i-1)+j+8}$

9:  $RK[16·(i-1)+j+8]\leftarrow$ ADD(${\delta }_{16·(i-1)+j+8},K[(j-i+1\mathrm{mod}8)+8]$)

10:  Use $RK[16·(i-1)+j+8]$ in round function

11:  Reverse: ADD(${\delta }_{16·(i-1)+j+8},K[(j-i+1\mathrm{mod}8)+8]$)

12: end for

13: return $K=\left\{K\right[0],K[1],\cdots ,K[15\left]\right\}$

The $RK$ of 16 keywords is used for 4 rounds. After use, $RK$ is initialized to K by reverse operation. In addition, again, the key schedule is performed to generate the round key $RK=\left\{RK\right[16],RK[17],\dots ,RK[31\left]\right\}$ to be used for the next four rounds.

3.1.2. Round Function

In HIGHT, before proceeding to the round function, the plaintext T is initially converted using the whitening key as shown in Equation (4). The quantum circuit design for this is in Algorithm 3.

Algorithm 3 Initial conversion of HIGHT.

Input:$T,K$

Output:$X_0$

1:$X_0\left[i\right]\leftarrow T\left[i\right],i=1,3,5,7$

2: $X_0\left[0\right]\leftarrow$ ADD($K\left[12\right],T\left[0\right]$)

3:$X_0\left[2\right]\leftarrow$ CNOT($K\left[13\right],T\left[2\right]$)

4:$X_0\left[4\right]\leftarrow$ ADD($K\left[14\right],T\left[4\right]$)

5:$X_0\left[6\right]\leftarrow$ CNOT($K\left[15\right],T\left[6\right]$)

6: return $X=\{X_0\left[0\right],X_0\left[1\right],\cdots ,X_0\left[7\right]\}$

We optimized the round function by properly specifying the operation target and order in the round function. The detailed process for this is described in Algorithm 4 and explained in detail.

Algorithm 4 Round function of HIGHT.

Input: Round i, $X_{i-1},RK$

Output:$X_i$

1: First, operation:

2:  $X_{i-1}\left[0\right]\leftarrow F_0\left(X_{i-1}\left[0\right]\right)$

3:  $X_{i-1}\left[0\right]\leftarrow$ CNOT($RK[4i-4],X_{i-1}\left[0\right]$)

4:  $X_i\left[2\right]\leftarrow$ ADD($X_{i-1}\left[0\right],X_{i-1}\left[1\right]$)

5:   $X_{i-1}\left[0\right]\leftarrow$ CNOT($RK[4i-4],X_{i-1}\left[0\right]$) (reverse)

6:   $X_{i-1}\left[0\right]\leftarrow F_0$_reverse$\left(X_{i-1}\left[0\right]\right)$

7: Second operation:

8:   $X_{i-1}\left[2\right]\leftarrow F_0\left(X_{i-1}\left[2\right]\right)$

9:   $X_{i-1}\left[2\right]\leftarrow$ ADD($RK[4i-3],X_{i-1}\left[2\right]$)

10:   $X_i\left[4\right]\leftarrow$ CNOT($X_{i-1}\left[2\right],X_{i-1}\left[3\right]$)

11:   $X_{i-1}\left[2\right]\leftarrow$ ADD($RK[4i-3],X_{i-1}\left[2\right]$) (reverse)

12:   $X_{i-1}\left[2\right]\leftarrow F_0$_reverse$\left(X_{i-1}\left[2\right]\right)$

13: Third operation:

14:   $X_{i-1}\left[4\right]\leftarrow F_0\left(X_{i-1}\left[4\right]\right)$

15:  $X_{i-1}\left[4\right]\leftarrow$ CNOT($RK[4i-2],X_{i-1}\left[4\right]$)

16:  $X_i\left[6\right]\leftarrow$ ADD($X_{i-1}\left[4\right],X_{i-1}\left[5\right]$)

17:   $X_{i-1}\left[4\right]\leftarrow$ CNOT($RK[4i-2],X_{i-1}\left[4\right]$) (reverse)

18:  $X_{i-1}\left[4\right]\leftarrow F_0$_reverse$\left(X_{i-1}\left[4\right]\right)$

19: Fourth operation:

20:  $X_{i-1}\left[6\right]\leftarrow F_0\left(X_{i-1}\left[6\right]\right)$

21:   $X_{i-1}\left[6\right]\leftarrow$ ADD($RK[4i-1],X_{i-1}\left[6\right]$)

22:   $X_i\left[0\right]\leftarrow$ CNOT($X_{i-1}\left[6\right],X_{i-1}\left[7\right]$)

23:   $X_{i-1}\left[6\right]\leftarrow$ ADD($RK[4i-1],X_{i-1}\left[6\right]$) (reverse)

24:   $X_{i-1}\left[6\right]\leftarrow F_0$_reverse$\left(X_{i-1}\left[6\right]\right)$

25: Last operation:

26:  $X_i\left[j\right]=X_{i-1}[j-1],j=1,3,5,7$

27: return $X_i=\{X_i\left[0\right],X_i\left[1\right],\cdots ,X_i\left[7\right]\}$

In particular, through the optimization of the auxiliary function $F_0$ and $F_1$, no additional qubit was used, and the use of the CNOT gate was also reduced. First, since the $RK$ must be used immediately after generation, and then returned to the initial K by a reverse operation, the operation of the round function proceeds in the order of generation of the $RK$.

Second, in order not to use additional qubits, the new $X_i$ must operate on the existing $X_{i-1}$. However, if you look at the first and third lines of Equation (6) and second line of Algorithm 4, you can see that the value of $X_{(i-1)}$[0], which is first calculated in the round function, is used again. Thus, $X_{i-1}\left[0\right]$ value should not be changed. However, $X_{i-1}\left[1\right]$ is no longer used after calculation. Therefore, by calculating the value of $X_i\left[2\right]$ in $X_{i-1}\left[1\right]$, no additional qubits were required. The rest of the round function follows the similar procedure. The specific process is presented in Algorithm 4.

The auxiliary functions $F_0$ and $F_1$ rotate the input value and then XOR-ing them all. Since input value is 8-bit, if qubits for the generated value are allocated and then XOR-ing the rotation value of input, this requires $8\times 3=24$ CNOT gates and 8 new qubits. We efficiently optimized this auxiliary function. The desired output was generated by mixing the input values without allocating the qubits for the outputs of $F_0$ and $F_1$. As a result, 21 CNOT gates in $F_0$ and 24 CNOT gates in $F_1$ were implemented without additional qubits. The detailed process for $F_0$ and $F_1$ functions is presented in Algorithms 5 and 6.

Algorithm 5$F_0\left(X\left[i\right]\right)$ of HIGHT.

Input:$X\left[i\right]$

Output:$X_{new}\left[i\right]$

1: CNOT($X\left[i\right]\left[4\right],X\left[i\right]\left[5\right])$, CNOT($X\left[i\right]\left[3\right],X\left[i\right]\left[4\right])$

2: CNOT($X\left[i\right]\left[2\right],X\left[i\right]\left[3\right])$, CNOT($X\left[i\right]\left[2\right],X\left[i\right]\left[0\right])$

3: CNOT($X\left[i\right]\left[4\right],X\left[i\right]\left[2\right])$, CNOT($X\left[i\right]\left[5\right],X\left[i\right]\left[2\right])$

4: $X_{new}\left[i\right]\left[4\right]\leftarrow X\left[i\right]\left[2\right]$

5: CNOT($X\left[i\right]\left[7\right],X\left[i\right]\left[5\right])$

6: $X_{new}\left[i\right]\left[6\right]\leftarrow X\left[i\right]\left[5\right]$

7: CNOT($X\left[i\right]\left[6\right],X\left[i\right]\left[4\right])$

8: $X_{new}\left[i\right]\left[5\right]\leftarrow X\left[i\right]\left[4\right]$

9: CNOT($X\left[i\right]\left[0\right],X\left[i\right]\left[3\right])$, CNOT($X\left[i\right]\left[1\right],X\left[i\right]\left[3\right])$

10: $X_{new}\left[i\right]\left[2\right]\leftarrow X\left[i\right]\left[3\right]$

11: CNOT($X\left[i\right]\left[6\right],X\left[i\right]\left[1\right])$, CNOT($X\left[i\right]\left[7\right],X\left[i\right]\left[1\right])$

12: $X_{new}\left[i\right]\left[0\right]\leftarrow X\left[i\right]\left[1\right]$

13: CNOT($X\left[i\right]\left[7\right],X\left[i\right]\left[0\right])$

14: $X_{new}\left[i\right]\left[1\right]\leftarrow X\left[i\right]\left[0\right]$

15: CNOT($X\left[i\right]\left[5\right],X\left[i\right]\left[6\right])$, CNOT($X\left[i\right]\left[4\right],X\left[i\right]\left[6\right])$

16: CNOT($X\left[i\right]\left[3\right],X\left[i\right]\left[6\right])$, CNOT($X\left[i\right]\left[1\right],X\left[i\right]\left[6\right])$

17: $X_{new}\left[i\right]\left[7\right]\leftarrow X\left[i\right]\left[6\right]$

18: CNOT($X\left[i\right]\left[6\right],X\left[i\right]\left[7\right])$, CNOT($X\left[i\right]\left[5\right],X\left[i\right]\left[7\right])$

19: CNOT($X\left[i\right]\left[1\right],X\left[i\right]\left[7\right])$, CNOT($X\left[i\right]\left[0\right],X\left[i\right]\left[7\right])$

20: $X_{new}\left[i\right]\left[3\right]\leftarrow X\left[i\right]\left[7\right]$

21: return $X_{new}=\{X_{new}\left[0\right],X_{new}\left[1\right],\cdots ,X_{new}\left[7\right]\}$

In the round function, after using $F_0$ and $F_1$, it should be returned to the original input value. For this, the $F_0$_reverse and $F_1$_reverse functions should be executed in reverse order of calculation of the $F_0$ and $F_1$ functions.

Algorithm 6$F_1\left(X\right)$ of HIGHT.

Input:X

Output:$X_{new}$

1: CNOT($X\left[3\right],X\left[4\right])$, CNOT($X\left[1\right],X\left[4\right])$

2: $X_{new}\left[7\right]\leftarrow X\left[4\right]$

3: CNOT($X\left[2\right],X\left[3\right])$, CNOT($X\left[0\right],X\left[3\right])$

4: $X_{new}\left[6\right]\leftarrow X\left[3\right]$

5: CNOT($X\left[1\right],X\left[2\right])$, CNOT($X\left[7\right],X\left[2\right])$

6: $X_{new}\left[5\right]\leftarrow X\left[2\right]$

7: CNOT($X\left[0\right],X\left[1\right])$, CNOT($X\left[6\right],X\left[1\right])$

8: $X_{new}\left[4\right]\leftarrow X\left[1\right]$

9:b CNOT($X\left[7\right],X\left[0\right])$, CNOT($X\left[5\right],X\left[0\right])$

10: $X_{new}\left[3\right]\leftarrow X\left[0\right]$

11: CNOT($X\left[6\right],X\left[7\right])$, CNOT($X\left[4\right],X\left[7\right])$

12: CNOT($X\left[3\right],X\left[7\right])$, CNOT($X\left[2\right],X\left[7\right])$

13: CNOT($X\left[0\right],X\left[7\right])$, CNOT($X\left[5\right],X\left[7\right])$

14: $X_{new}\left[2\right]\leftarrow X\left[7\right]$

15: CNOT($X\left[0\right],X\left[6\right])$, CNOT($X\left[7\right],X\left[6\right])$

16: CNOT($X\left[4\right],X\left[6\right])$, CNOT($X\left[1\right],X\left[6\right])$

17: $X_{new}\left[1\right]\leftarrow X\left[6\right]$

18: CNOT($X\left[7\right],X\left[5\right])$, CNOT($X\left[6\right],X\left[5\right])$

19: CNOT($X\left[3\right],X\left[5\right])$, CNOT($X\left[0\right],X\left[5\right])$

20: $X_{new}\left[0\right]\leftarrow X\left[5\right]$

21: return $X_{new}=\{X_{new}\left[0\right],X_{new}\left[1\right],\cdots ,X_{new}\left[7\right]\}$

In the last 32nd round, the round function from Equation (7) is performed. Compared to the previous round functions, shown in Algorithm 4, the biggest difference is that the last round uses auxiliary function, $F_1$, while calculating. Therefore, we have omitted the quantum circuit design for the last round since the overall structure is almost identical.

After all the round functions have been performed, the final conversion from Equation (8) gets performed and encryption gets completed. The quantum circuit design for final conversion is also omitted because it is almost identical to the initial conversion from Algorithm 3. The overall quantum circuit for HIGHT is shown in Figure 11.

3.2. CHAM

In this section, we describe the proposed CHAM block cipher in the quantum circuit to apply the Grover search algorithm.

3.2.1. Key Schedule

The key schedule of CHAM has the same structure as the auxiliary functions $F_0$ and $F_1$ of HIGHT. It performs ROL${}_1$, ROL${}_8$ or ROL${}_1$, ROL${}_{11}$ operations on initial keywords K, and XOR-ing them all on the K. Therefore, the method of optimizing the auxiliary function of HIGHT was applied to the key schedule of CHAM. The CNOT gate is performed between the qubits storing K to generate an output in which both the K and rotation values of K are XOR-ed. In the key schedule from Equation (9), the first line operation is well optimized without any additional qubits. The detailed process of the first line in Equation (9) is described in Algorithm 7. Not as much as first line operation, the second line operation in Equation (9) has been optimized for using three temporary qubits. The detailed process of key schedule is described in Algorithm 8.

After performing Algorithms 7 or 8 to use $RK$ generated from K, K is required again when generating another round key $RK$. Therefore, after using the round key, it is necessary to perform a reverse key schedule operation as done in HIGHT.

Algorithm 7$RK\left[i\right]$ key schedule of CHAM.

Input:$K\left[i\right]$

Output:$RK\left[i\right]$

1: CNOT($K\left[i\right]\left[0\right],K\left[i\right]\left[8\right])$, CNOT($K\left[i\right]\left[1\right],K\left[i\right]\left[9\right])$

2: CNOT($K\left[i\right]\left[2\right],K\left[i\right]\left[10\right])$, CNOT($K\left[i\right]\left[3\right],K\left[i\right]\left[11\right])$

3: CNOT($K\left[i\right]\left[4\right],K\left[i\right]\left[12\right])$, CNOT($K\left[i\right]\left[5\right],K\left[i\right]\left[13\right])$

4: CNOT($K\left[i\right]\left[6\right],K\left[i\right]\left[14\right])$, CNOT($K\left[i\right]\left[15\right],K\left[i\right]\left[6\right]$

5: for$j=0$ to 5 do

6:  CNOT($K\left[i\right][j+9],K\left[i\right]\left[j\right]),RK\left[i\right][j+1]\leftarrow K\left[i\right]\left[j\right]$

7: end for

8: CNOT($K\left[i\right]\left[7\right],K\left[i\right]\left[6\right]),RK\left[i\right]\left[7\right]\leftarrow K\left[i\right]\left[6\right]$

9: CNOT($K\left[i\right]\left[8\right],K\left[i\right]\left[15\right]),RK\left[i\right]\left[0\right]\leftarrow K\left[i\right]\left[15\right]$

10: CNOT($K\left[i\right]\left[8\right],K\left[i\right]\left[7\right]),RK\left[i\right]\left[8\right]\leftarrow K\left[i\right]\left[7\right]$

11: for $j=0$ to 6 do

12:  CNOT($K\left[i\right]\left[j\right],K\left[i\right][j+8]),RK\left[i\right][j+9]\leftarrow K\left[i\right][j+8]$

13: end for

14: return $RK\left[i\right]=\left\{RK\right[i\left]\right[0],RK[i\left]\right[1],\cdots ,RK[i\left]\right[15\left]\right\}$

Algorithm 8$RK[i+8\oplus 1]$ key schedule of CHAM.

Input:$K\left[i\right]$

Output:$RK[i+8\oplus 1]$

1: CNOT($K\left[i\right]\left[15\right],$ temp$\left[0\right])$, CNOT($K\left[i\right]\left[9\right],$ temp$\left[0\right])$

2: CNOT($K\left[i\right]\left[5\right],$ temp$\left[1\right])$, CNOT($K\left[i\right]\left[15\right],$ temp$\left[1\right])$

3: CNOT($K\left[i\right]\left[4\right],$ temp$\left[2\right])$, CNOT($K\left[i\right]\left[10\right],$ temp$\left[2\right])$

4: CNOT($K\left[i\right]\left[14\right],K\left[i\right]\left[15\right])$, CNOT($K\left[i\right]\left[4\right],K\left[i\right]\left[15\right]$

5: CNOT($K\left[i\right]\left[9\right],K\left[i\right]\left[4\right])$, CNOT($K\left[i\right]\left[3\right],K\left[i\right]\left[4\right]$

6: $RK[i+8\oplus 1]\left[15\right]\leftarrow K\left[i\right]\left[15\right],RK[i+8\oplus 1]\left[4\right]\leftarrow K\left[i\right]\left[4\right]$

7: CNOT($K\left[i\right]\left[14\right],K\left[i\right]\left[9\right])$, CNOT($K\left[i\right]\left[8\right],K\left[i\right]\left[9\right]$

8: CNOT($K\left[i\right]\left[13\right],K\left[i\right]\left[14\right])$, CNOT($K\left[i\right]\left[3\right],K\left[i\right]\left[14\right]$

9: $RK[i+8\oplus 1]\left[9\right]\leftarrow K\left[i\right]\left[9\right],RK[i+8\oplus 1]\left[14\right]\leftarrow K\left[i\right]\left[14\right]$

10: CNOT($K\left[i\right]\left[8\right],K\left[i\right]\left[3\right])$, CNOT($K\left[i\right]\left[2\right],K\left[i\right]\left[3\right]$

11: CNOT($K\left[i\right]\left[13\right],K\left[i\right]\left[8\right])$, CNOT($K\left[i\right]\left[7\right],K\left[i\right]\left[8\right]$

12: $RK[i+8\oplus 1]\left[3\right]\leftarrow K\left[i\right]\left[3\right],RK[i+8\oplus 1]\left[8\right]\leftarrow K\left[i\right]\left[8\right]$

13: CNOT($K\left[i\right]\left[12\right],K\left[i\right]\left[13\right])$, CNOT($K\left[i\right]\left[2\right],K\left[i\right]\left[13\right]$

14: CNOT($K\left[i\right]\left[7\right],K\left[i\right]\left[2\right])$, CNOT($K\left[i\right]\left[1\right],K\left[i\right]\left[2\right]$

15: $RK[i+8\oplus 1]\left[13\right]\leftarrow K\left[i\right]\left[13\right],RK[i+8\oplus 1]\left[2\right]\leftarrow K\left[i\right]\left[2\right]$

16: CNOT($K\left[i\right]\left[12\right],K\left[i\right]\left[7\right])$, CNOT($K\left[i\right]\left[6\right],K\left[i\right]\left[7\right]$

17: CNOT($K\left[i\right]\left[1\right],K\left[i\right]\left[12\right])$, CNOT($K\left[i\right]\left[1\right],K\left[i\right]\left[12\right]$

18: $RK[i+8\oplus 1]\left[7\right]\leftarrow K\left[i\right]\left[7\right],RK[i+8\oplus 1]\left[12\right]\leftarrow K\left[i\right]\left[12\right]$

19: CNOT($K\left[i\right]\left[6\right],K\left[i\right]\left[1\right])$, CNOT($K\left[i\right]\left[0\right],K\left[i\right]\left[1\right]$

20: CNOT($K\left[i\right]\left[11\right],K\left[i\right]\left[6\right])$, CNOT($K\left[i\right]\left[5\right],K\left[i\right]\left[6\right]$

21: $RK[i+8\oplus 1]\left[1\right]\leftarrow K\left[i\right]\left[1\right],RK[i+8\oplus 1]\left[6\right]\leftarrow K\left[i\right]\left[6\right]$

22: CNOT($K\left[i\right]\left[10\right],K\left[i\right]\left[11\right])$, CNOT($K\left[i\right]\left[0\right],K\left[i\right]\left[11\right]$

23: $RK[i+8\oplus 1]\left[11\right]\leftarrow K\left[i\right]\left[11\right]$

24: CNOT(temp$\left[0\right],K\left[i\right]\left[10\right])$, CNOT(temp$\left[1\right],K\left[i\right]\left[0\right])$

25: $RK[i+8\oplus 1]\left[10\right]\leftarrow K\left[i\right]\left[10\right],RK\left[i\right]\left[0\right]\leftarrow K\left[i\right]\left[0\right]$

26: CNOT(temp$\left[2\right],K\left[i\right]\left[5\right])$

27: $RK[i+8\oplus 1]\left[5\right]\leftarrow K\left[i\right]\left[5\right]$

28: return $RK[i+8\oplus 1]=\left\{RK\right[i+8\oplus 1\left]\right[0],RK[i+8\oplus 1\left]\right[1],\cdots ,RK[i+8\oplus 1\left]\right[15\left]\right\}$

3.2.2. Round Function

In the second line of the round function from Equation (10), among the input $X_i$ values, the values of $X_i\left[1\right],X_i\left[2\right],$ and $X_i\left[3\right]$ are used as new values of $X_{i+1}$, but $X_i\left[0\right]$ is not used after calculation. Therefore, the value of $X_i\left[0\right]$ in the second line can be used by computing $X_{i+1}\left[3\right]$ to save the qubits for a new value.

In the second line of the round function, the constant i is XOR-ed to $X_i\left[0\right]$. This is done by performing the X gate on the qubit according to the position where the bit of i is 1 in $X_i\left[0\right]$. For example, if $i=3=(1,1,0,0,\cdots ,0)$, X gate is performed on the qubits $X_3\left[0\right]\left[0\right]$ and $X_3\left[0\right]\left[1\right]$.

The round function of CHAM is expressed in Equations (10) and (11). The detailed circuit design process is shown in Algorithm 9, and the overall quantum circuit for CHAM-64/128 is shown in Figure 12.

Algorithm 9 Round function of CHAM.

Input:$RK,X_i$, Round i

Output:$X_{i+1}$

1: if i is odd then

2:   $X_i\left[1\right]\leftarrow X_i\left[1\right]⋘1$

3:  $X_i\left[1\right]\leftarrow$ CNOT$(RK\left[i\mathrm{mod}2m\right],X_i\left[1\right]$)

4:  $X_i\left[0\right]\leftarrow$ X gate$(i,X_i\left[0\right])$

5:  $X_i\left[0\right]\leftarrow$ ADD$(X_i\left[1\right],X_i\left[0\right]$)

6:  $X_i\left[1\right]\leftarrow$ CNOT$(RK\left[i\mathrm{mod}2m\right],X_i\left[1\right]$) (reverse)

7:  $X_i\left[1\right]\leftarrow X_i\left[1\right]⋙1$ (reverse)

8:  $X_{i+1}\left[3\right]\leftarrow X_i\left[0\right]⋘8$

9:  $X_{i+1}\left[j\right]\leftarrow X_i[j+1],j=0,1,2$

10: else

11:  $X_i\left[1\right]\leftarrow X_i\left[1\right]⋘8$

12:  $X_i\left[1\right]\leftarrow$ CNOT$(RK\left[i\mathrm{mod}2m\right],X_i\left[1\right]$)

13:  $X_i\left[0\right]\leftarrow$ X gate$(i,X_i\left[0\right]$)

14:  $X_i\left[0\right]\leftarrow$ ADD$(X_i\left[1\right],X_i\left[0\right]$)

15:  $X_i\left[1\right]\leftarrow$ CNOT$(RK\left[i\mathrm{mod}2m\right],X_i\left[1\right]$) (reverse)

16:  $X_i\left[1\right]\leftarrow X_i\left[1\right]⋙8$ (reverse)

17:   $X_{i+1}\left[3\right]\leftarrow X_i\left[0\right]⋘1$

18:   $X_{i+1}\left[j\right]\leftarrow X_i[j+1],j=0,1,2$

19: end if

20: return $X_{i+1}=\{X_{i+1}\left[0\right],X_{i+1}\left[1\right],X_{i+1}\left[2\right],X_{i+1}\left[3\right]$}

3.3. LEA

In this section, we describe the proposed LEA block cipher in the quantum circuit to apply the Grover search algorithm.

3.3.1. Key Schedule

In the LEA-128 key schedule from Equation (13), the first round key $R{K}_0$ is generated using the initial keywords K and a constant value $\delta$. In addition, the next round key $R{K}_1$ generation requires $R{K}_0$ and $\delta$. Therefore, in order not to use additional qubits in the key schedule of the LEA, the key schedule and the round function are performed simultaneously by using the round key in the corresponding round function and generating the next round key. The detailed process for this is in Algorithm 10.

Algorithm 10i-th key schedule of LEA-128.

Input:$\delta$, $K(i=1)$ or $R{K}_{i-2}(i>1)$

Output:$R{K}_{i-1}$

1:$K\left[0\right]\leftarrow$ ADD$\left(\delta \right[(i-1)\mathrm{mod}4]⋘(i-1),K[0\left]\right)$

2: $K\left[0\right]\leftarrow K\left[0\right]⋘1$

3:$K\left[1\right]\leftarrow$ ADD$\left(\delta \right[(i-1)\mathrm{mod}4]⋘(i),K[1\left]\right)$

4: $K\left[1\right]\leftarrow K\left[1\right]⋘3$

5:$K\left[2\right]\leftarrow$ ADD$\left(\delta \right[(i-1)\mathrm{mod}4]⋘(i+1),K[2\left]\right)$

6: $K\left[2\right]\leftarrow K\left[2\right]⋘6$

7:$K\left[3\right]\leftarrow$ ADD$\left(\delta \right[(i-1)\mathrm{mod}4]⋘(i+2),K[3\left]\right)$

8: $K\left[3\right]\leftarrow K\left[3\right]⋘11$

9: return $R{K}_{i-1}=\{K\left[0\right],K\left[1\right],K\left[2\right],K\left[1\right],K\left[3\right],K\left[1\right]\}$

3.3.2. Round Function

In the round function, additional qubits were not used by appropriately specifying the operation order and target. New qubits for $X_{i+1}$ from Equation (14) are not allocated, and it is calculated in the $X_i$ and treated as a new value $X_{i+1}$. The operation starts from the third line of Equation (14). $X_i\left[3\right]$ is used as the value of $X_{i+1}\left[2\right]$ because $X_i\left[3\right]$ is no longer used. After the third line operation is finished, the value of $X_i\left[2\right]$ in the second line is no longer used, so it is used as the new value $X_{i+1}\left[1\right]$. The detailed process for this is in Algorithm 11. The overall quantum circuit for LEA-128 is shown in Figure 13.

Algorithm 11 Round function of LEA-128.

Input:$X_i$, $RK$, Round i

Output:$X_{i+1}$

1:$X_i\left[3\right]\leftarrow$ CNOT$(R{K}_i\left[5\right],X_i\left[3\right])$

2:$X_i\left[2\right]\leftarrow$ CNOT$(R{K}_i\left[4\right],X_i\left[2\right])$

3:$X_i\left[3\right]\leftarrow$ ADD$(X_i\left[2\right],X_i\left[3\right])$

4:$X_i\left[2\right]\leftarrow$ CNOT$(R{K}_i\left[4\right],X_i\left[2\right])$ (reverse)

5: $X_{i+1}\left[2\right]\leftarrow X_i\left[3\right]⋘3$

6:$X_i\left[2\right]\leftarrow$ CNOT$(R{K}_i\left[3\right],X_i\left[2\right])$

7:$X_i\left[1\right]\leftarrow$ CNOT$(R{K}_i\left[2\right],X_i\left[1\right])$

8:$X_i\left[2\right]\leftarrow$ ADD$(X_i\left[1\right],X_i\left[2\right])$

9:$X_i\left[1\right]\leftarrow$ CNOT$(R{K}_i\left[2\right],X_i\left[1\right])$ (reverse)

10:$X_{i+1}\left[1\right]\leftarrow X_i\left[2\right]⋘5$

11:$X_i\left[1\right]\leftarrow$ CNOT$(R{K}_i\left[1\right],X_i\left[1\right])$

12: $X_i\left[0\right]\leftarrow$ CNOT$(R{K}_i\left[0\right],X_i\left[0\right])$

13:$X_i\left[1\right]\leftarrow$ ADD$(X_i\left[0\right],X_i\left[1\right])$

14:$X_i\left[0\right]\leftarrow$ CNOT$(R{K}_i\left[0\right],X_i\left[0\right])$ (reverse)

15: $X_{i+1}\left[0\right]\leftarrow X_i\left[1\right]⋘9$

16:$X_{i+1}\left[3\right]\leftarrow X_i\left[0\right]$

17: return $X_{i+1}=\{X_{i+1}\left[0\right],X_{i+1}\left[1\right],X_{i+1}\left[2\right],X_{i+1}\left[3\right]\}$

3.4. SPECK

In this section, we describe the proposed SPECK block cipher in the quantum circuit to apply the Grover search algorithm.

3.4.1. Key Schedule

Looking at Equation (15), key words $K=\left\{K\right[0],l[0],\dots ,l[m-2\left]\right\}$ are extended to key $K=\left\{K\right[0],K[1],\dots ,K[r-1\left]\right\}$ through key schedule. To save the use of qubits, we update the qubits of $K\left[0\right]$ used in the first round and use it as the next round key instead of generating all round key $RK$. As a result, $K\left[0\right]$ is used as a round key from start to finish. Qubits assigned to the initial keywords K, an element of the key schedule for updating the round key $K\left[0\right]$, are reused to the end. By recycling the qubits in this way, all round functions can be completed with only the initial keyword qubits. If a round key is generated in $K\left[0\right]$, the next round key must be generated after executing the round function. For $1\le i<r$, the detailed process for the key schedule is in Algorithm 12.

Algorithm 12 RK[i] key schedule of SPECK.

Input:$K=\left\{K\right[0],l[0],\dots ,l[m-2\left]\right\}$

Output:$RK\left[i\right]$

1:$l\left[\right(i-1)\%(m-1\left)\right]\leftarrow l\left[\right(i-1)\%(m-1\left)\right]⋙\alpha$

2:$l\left[\right(i-1)\%(m-1\left)\right]\leftarrow$ ADD($K\left[0\right],l\left[\right(i-1)\%(m-1\left)\right]$)

3:$l\left[\right(i-1)\%(m-1\left)\right]\leftarrow$ X gate($(i-1),l\left[\right(i-1)\%(m-1\left)\right]$)

4: $K\left[0\right]\leftarrow K\left[0\right]⋘\beta$

5:$K\left[0\right]\leftarrow$ CNOT($l\left[\right(i-1)\%(m-1\left)\right],K\left[0\right]$)

6:$RK\left[i\right]\leftarrow K\left[0\right]$)

7: return $RK\left[i\right]$

3.4.2. Round Function

Round function of SPECK from Equation (16) uses only input plaintext X and round key $RK$. It proceeds by updating the input X, and encryption is completed when all round functions are performed. The detailed process for this is described in Algorithm 13. The overall quantum circuit for SPECK-32/64 is shown in Figure 14.

Algorithm 13 Round function of SPECK.

Input:X, $RK$, Round i

Output:$X_{i+1}$

1:$X_i\left[1\right]\leftarrow X_i\left[1\right]⋙\alpha$

2:$X_i\left[1\right]\leftarrow$ ADD($X_i\left[0\right],X_i\left[1\right]$)

3:$X_{i+1}\left[1\right]\leftarrow$ CNOT($R{K}_i\left[i\right],X_i\left[1\right]$)

4:$X_i\left[0\right]\leftarrow X_i\left[0\right]⋘\beta$

5:$X_{i+1}\left[0\right]\leftarrow$ CNOT($X_{i+1}\left[1\right],X_i\left[0\right]$)

6: return $X_{i+1}=\{X_{i+1}\left[0\right],X_{i+1}\left[1\right]\}$

4. Evaluation

In order to evaluate quantum gates, we utilized the quantum computer emulator. We utilized the well-known IBM’s ProjectQ framework for evaluation of the proposed method (https://github.com/ProjectQ-Framework/ProjectQ). The framework provides quantum computer compiler and quantum resource estimator. This is useful for accurate evaluation. Proposed quantum gates are written in Python and follow the ProjectQ grammar.

4.1. Cost of Quantum Gates

The most expensive of the quantum gates used in the implementation is the Toffoli gate. Toffoli gate consists of six CNOT gates + seven T gates. In other words, Toffoli gate costs more than six CNOT gates. Therefore, the number of Toffoli gates is the most important factor in evaluating quantum resources. On the other hand, the cost of an X gate is the cheapest and the number used for implementation is overall negligibly low.

4.2. Korean Block Ciphers in Quantum Gates

Korean block ciphers, such as CHAM, LEA, and HIGHT, are based on the ARX architecture. However, the primitive operations for each block cipher are totally different, in terms of word size and the number of operations. In

Table 6. Comparison between Korean block ciphers in terms of quantum resources.

Block Cipher	Plaintext (bit)	Key (bit)	Qubits Used	Toffoli Gates	CNOT Gates	X Gates
CHAM	64	128	196	2400	12,285	240
	128	128	268	4960	26,885	240
	128	256	396	5952	32,277	304
HIGHT	64	128	201	6272	20,523	4
LEA	128	128	385	10,416	28,080	68
	128	192	513	15,624	39,816	100
	128	256	641	17,856	45,504	130

, the quantum resource estimates for each block cipher, and the higher cost is shown in red and the lower cost is shown in green. The detailed comparison is as follows.

4.2.1. Case 1: 64-Bit Plaintext & 128-Bit Key

First, we compared CHAM-64/128 and HIGHT-64/128 block ciphers in terms of quantum resources. The number of qubit, Toffoli gate, and CNOT gate for CHAM-64/128 is lower than HIGHT-64/128 by 5, 3872, and 8203, respectively. In CHAM-64/128, it is all about performing a 16-bit Addition operation once in the round function. However, in HIGHT, 8-bit addition operations are performed 14 times in the round function, including the reverse operation. As a result, the circuit complexity of HIGHT is higher, even though CHAM performs more round functions. Only the number of X gates for HIGHT-64/128 is lower than CHAM-64/128 by 236. This is because CHAM performs an operation that XOR-ing constant i.

4.2.2. Case 2: 128-Bit Plaintext & 128-Bit Key

Second, we compared CHAM-128/128 and LEA-128/128 block ciphers in terms of quantum resources. The number of qubit, Toffoli gate, and CNOT gate for CHAM-128/128 is lower than LEA-128/128 by 117, 5456, and 1120, respectively. From the qubit point of view, LEA adds the constant $\delta$ to the key value in the key schedule. If it was an XOR operation, it can be solved only by an X gate without an additional qubit like CHAM. However, because it is an addition operation, setting the value of $\delta$ requires 128 qubits, so LEA uses more qubits. As you can see intuitively, the key schedule and round function of the LEA consist mostly of addition. Therefore, LEA has the high complexity among the block ciphers in this paper. Only the number of X gates for LEA-128/128 is lower than CHAM-128/128 by 172. This is because, unlike CHAM, LEA does not use the X gate during the round function, but uses the X gate only when initially setting the $\delta$ value. The number of X gates is equal to the $\delta$’s hamming weight.

4.2.3. Case 3: 128-Bit Plaintext & 256-Bit Key

Third, we compared CHAM-128/256 and LEA-128/256 block ciphers. The number of qubit, Toffoli gate, and CNOT gate for CHAM-128/256 is lower than LEA-128/256 by 245, 11,904, and 13,152, respectively. Only the number of X gate for LEA-128/256 is lower than CHAM-128/256 by 174. This result also shows that, even in large-scale parameters, CHAM has lower complexity in quantum gates than LEA.

4.2.4. CASE 4: Addition of LEA and HIGHT

Lastly, we compared addition of LEA and HIGHT. LEA-128 performs addition operations four times in the key schedule, three times in the round function, a total of seven, whereas HIGHT performs addition operations four times in the key schedule, four times in the round function, a total of eight. Unlike a classic computer, on a quantum computer, initializing qubits to its previous value requires a reverse operation that iterates over what was done. Since the result of the addition operation of the LEA gets used continuously, the reverse operation is not required. On the other hand, in HIGHT, in order to minimize the usage of the qubit, it is necessary to perform the reverse operation after using the addition result. Therefore, a total of six reverse operations are added, resulting in increased circuit complexity.

Overall, the CHAM block cipher requires the lowest quantum resources. This result introduces the fact that classical security level is not directly related to quantum attack efforts. The lesson is that modern lightweight block ciphers are not good options against quantum computers.

4.3. Software-Oriented and Hardware-Oriented Block Ciphers

We also evaluated the quantum resources for software-oriented block cipher (i.e., SPECK) and hardware-oriented block cipher (i.e., SIMON). SPECK consists of addition, XOR, and rotation, while SIMON consists of logical-and, XOR, and rotation. The main difference is addition (i.e., SPECK) and logical-and operation (i.e., SIMON). In

Table 7. Comparison between SPECK and SIMON in terms of quantum resources.

Plaintext (bit)	Key (bit)	Qubits Used		Toffoli Gates		CNOT Gates		X Gates
		SPECK	SIMON [9]	SPECK	SIMON [9]	SPECK	SIMON [9]	SPECK	SIMON [9]
32	64	97	96	1290	512	3706	2816	42	448
48	72	121	120	1982	864	5606	3312	42	792
48	96	145	144	2074	864	5866	4800	45	768
64	96	161	160	3162	1344	8890	5184	54	1248
64	128	193	192	3286	1408	9238	7396	57	1216
96	96	193	192	5172	2496	14,436	9792	60	2400
96	144	241	240	5360	2592	14,960	10,080	64	2448
128	128	257	256	7942	4352	22,086	17,152	75	4224
128	192	321	320	8192	4416	22,784	17,472	80	4224
128	256	385	384	8444	4608	23,484	26,624	81	4352

, the comparison between SPECK and SIMON in terms of quantum resources is given. The result shows that the number of qubit, toffoli gate, and CNOT gate for SIMON is lower than SPECK. Only the number of X gate for SPECK is lower than SIMON. For this reason, we can conclude that hardware oriented block cipher is more vulnerable than software-oriented block cipher in terms of Grover search algorithm.

4.4. SPN and ARX Based Block Ciphers

AES is based on SPN structure composed of AddRoundkey, ShiftRows, SubBytes, and MixColumn.

AddRoundkey is an operation that XOR-ing a key value to data, and can be implemented relatively simple by using only CNOT gates. ShiftRows is free because it uses only rotation operations.

On the other hand, MixColumn requires a (complicated) multiplication circuit, which uses more Toffoli gate than addition circuit, and generic n-bit multiplication requires at least an additional n qubits. Some multiplication works using the Karatsuba algorithm have been performed, which can reduce the number of Toffoli gates, but this requires extra qubits. SubBytes is an operation for substituting data in 8-bit units, and the actual operation is an operation for affine conversion after obtaining an inverse on $GF\left(2^8\right)$ for one byte. For inversion operation, squaring and multiplication are performed together. Squaring can be performed with only 19 CNOT gates on an 8-bit basis without additional qubits, but, as mentioned earlier, inversion is a complex circuit because of multiplication. That is, in the SPN structure, the complexity of the circuit is greatly increased compared to the ARX structure due to SubBytes of substitution and MixCoulmn of permutation.

Several studies with quantum resource estimation required for AES block ciphers are presented in

Table 8. Quantum resources to implement AES-128.

Block Cipher	Qubits Used	Toffoli Gates	CNOT Gates	X Gates
Grassl et al. [6]	984	151,552	166,548	1456
Almazrooie et al. [21]	976	150,528	192,832	1370
Langenberg et al. [20]	864	16,940	107,960	1507

. The implementation of Langenberg et al. [7] is relatively well optimized because the S-box operation is optimized efficiently.

5. Conclusions

In this paper, we presented the optimized implementation of ARX-based Korean block ciphers in quantum gates. The proposed implementation achieved the optimal number of qubit and quantum gates by carefully designing the adder circuit and its reversible gates. This is the first implementation of Korean block ciphers in quantum gates. The result shows that the CHAM block cipher requires the lowest quantum resources, which means the CHAM block cipher is the most vulnerable towards the Grover search algorithm. We also evaluated the SPECK and SIMON on quantum gates. The result shows that hardware-oriented block cipher (i.e., SIMON) shows the lower quantum resources than SPECK.