Optimized Implementation and Analysis of CHAM in Quantum Computing

Abstract

A quantum computer capable of running the Grover search algorithm, which reduces the complexity of brute-force attacks by a square root, has the potential to undermine the security strength of symmetric-key cryptography and hash functions. Recently, studies on quantum approaches have proposed analyzing potential quantum attacks using the Grover search algorithm in conjunction with optimized quantum circuit implementations for symmetric-key cryptography and hash functions. Analyzing quantum attacks on a cipher (i.e., quantum cryptanalysis) and estimating the necessary quantum resources are related to evaluating post-quantum security for the target cryptography algorithms. In this paper, we revisit quantum implementations of CHAM block cipher, an ultra lightweight cipher, with a focus on optimizing the linear operations in its key schedule. We optimized the linear equations of CHAM as matrices by applying novel optimized decomposition techniques. Using the improved CHAM quantum circuits, we estimate the cost of Grover’s key search and evaluate the post-quantum security strength with further reduced costs.

1. Introduction

In the recent years, we have seen a massive interest in research and development in quantum computing technology. There are many major players in the field, including international conglomerates such as IBM and Google, as well as universities and national research centers. They have been putting a lot of effort into the development of quantum computing technology. As a result, Google’s research team, which had achieved quantum supremacy with its superconducting processor Sycamore in 2019 [1], recently demonstrated experimentally that errors can be reduced by increasing the number of logical qubits in their superconducting system [2]. In addition, the USTC research team demonstrated a quantum computational advantage with a 60-qubit superconducting quantum processor [3], and the Xanadu’s team reported quantum computational advantages by showing that Gaussian Boson Sampling (GBS) tasks can be performed via a programmable photonic processor, Borealis [4]. However, the quantum computers—if they become functional—will massively disrupt a lot of the cryptographic systems that are presently deployed in various industrial applications. There are many facets, but in particular, the Grover’s search algorithm [5] can be applied against any symmetric key ciphers [6] to reduce the security claim to the square root bound of what is expected against a classical computer. In addition to the Grover’s algorithm, there are various quantum or search optimization algorithms such as Shor [7], Simon [8], and Particle Swarm Optimization algorithm [9,10]. Other algorithms related to quantum computers include Classical-Quantum hybrid algorithms [11], which are mainly applied to quantum machine learning and quantum chemistry, unlike the quantum algorithms (i.e., Shor, Simon, and Grover) mentioned above. As such, although there are various algorithms related to quantum computers, it is common to use Grover’s algorithm in the symmetric-key cryptosystem. While it is acknowledged that a functional quantum computer has yet to see the light of the day, the researchers have been preemptively working against this emerging threat. There has also been a standardization effort by National Institute of Standards and Technology (NIST), a security organization run by the US government, to classify the quantum security level with respect of Advanced Encryption Standard (AES) for encryption and Secure Hash Algorithm (SHA) for hash [12]. In July 2022, four selected Post-Quantum Cryptography (PQC) algorithms have announced and created a new draft standard for the corresponding algorithms currently in progress [13]. Now, in order to apply the Grover’s search algorithm, one needs to implement the cipher in quantum logic—the search complexity varies based on the quantum cost of the cipher implementation. Naturally, researchers have noted this, and have been working on finding an optimized quantum implementation of symmetric key ciphers (including [14,15], etc.). In order to reduce the quantum cost, while the previous optimization research has focused only on reducing the number of qubits [16,17], more recent research has further been considering reducing the overall depth and T-depth of quantum circuits [18,19,20]. Most of these studies also deal with estimating the attack cost of recovering the secret key of a symmetric key cipher via Grover’s algorithm to assess security strength.

At the same time, we have also witnessed a new design in the symmetric key ciphers, referred to as lightweight ciphers, which are specialized to work on tightly constrained devices [21]. Since lightweight block ciphers are essential to reduce costs with similar performance, methods of optimizing and implementing symmetric keys in a linear layer for more efficient use in lightweight environments have been steadily discussed. This includes studies [22,23] that optimize methods using matrix decomposition, such as PLU factorization and Gaussian–Jordan elimination, by applying them to symmetric keys. Thus, applying various matrix decomposition methods to lightweight block cipher quantum circuit implementations could greatly help circuit optimization and the final cost savings of a key recovery attack using Grover’s algorithm.

In this paper, we optimize the quantum circuits of CHAM, one of the Korean lightweight block ciphers, by applying two linear layer optimization techniques such as matrix decomposition to its key-schedule. Then, we compare and evaluate the estimated costs of Grover’s algorithm attack for the existing research [24] and each of the methods.

Contribution

Our contributions in this work are manifold and can be summarized as follows:

1.

Optimization to the linear layer of the CHAM block cipher: To the best of our knowledge/understanding, this type of optimization has never been applied to this cipher before. We show how the optimization affects the quantum footprint, by comparing the benchmarks of the naïve versus the optimized implementation.

2.

Optimization of CHAM’s quantum circuit: Unlike classical computers, quantum computers have limited resources. For this reason, it is essential to optimize the number of qubits in optimizing quantum circuits. In addition, since the depth of a quantum circuit is related to speed and time, not only the number of qubits, but also the depth of the circuit is considered an important factor in optimizing the circuit. We apply two linear layer optimization techniques to CHAM’s key schedule to reduce common unnecessary auxiliary qubits used for round key generation in existing structures. Moreover, we also reduce the number of CNOT gates and the depth of the circuit using the second improvement method, and so satisfied two important optimization factors.

3.

Evaluation of post-quantum security about improved quantum circuit of CHAM: NIST provides criteria for evaluating the post-quantum security strength of existing codes in preparation for quantum computers. In order to evaluate the security strength, it is necessary to implement the cipher as a quantum circuit and estimate the cost of a Grover’s algorithm attack. We estimate the cost of a Grover’s algorithm attack about an improved quantum circuit of CHAM, compare it with the results of the previous one, and then evaluate the post-quantum security strength. Additionally, circuits are implemented for Revised CHAM, and security strength evaluations are conducted together.

The organization of this paper is as follows. Section 2 presents the background of the CHAM cipher, quantum computers and quantum gates, linear layer optimization techniques, and the Grover’s algorithm. In Section 3, the proposed quantum implementation is presented. In Section 4, we evaluate the proposed quantum circuit for CHAM. Section 5 estimates the cost of Grover’s algorithm for the proposed CHAM quantum circuit, and evaluates the NIST post-quantum security level for CHAM based on the estimated cost. Finally, Section 6 concludes this article.

2. Background

2.1. Description of CHAM

CHAM [25] is a Korean lightweight block cipher that uses a stateless-based round key that targets low-end IoT platforms. It was announced at ICISC’17 and uses a stateless-based round key. This cipher uses the ARX operations (Addition, Rotation, eXclusive-or) and has advantages in a variety of resource-constrained environments. The CHAM family includes three ciphers: CHAM-64/128, CHAM-128/128, and CHAM-128/256 (here, the first parameter indicates the block size n, and the second parameter indicates the key size k). In 2019, a paper that revised CHAM [26] by increasing the number of rounds was proposed to secure a sufficient security margin for CHAM. The revised CHAM is identical to the original CHAM except for the number of rounds. The cipher is also added to the Cryptography libraries https://www.cryptopp.com/wiki/CHAM (accessed on 10 April 2023). In

Table 1. CHAM’s parameters.

Cipher	n	k	w	r
CHAM-64/128	64	128	16	80, 88
CHAM-128/128	128	128	32	80, 112
CHAM-128/256	128	256	32	96, 120

, the CHAM parameters ($n,k,w,r$) are shown. The branch(word)’s bit length and the number of rounds are denoted, respectively, by w and r. The first value of r in Table 1 represents the number of rounds in the original CHAM, while the second value represents the number of rounds in the revised CHAM.

The round key $RK=\{R{K}_0,R{K}_1,\dots ,R{K}_{2k/w-1}\}$ used in the i-th round of the key schedule is generated using the initial keyword $K_i$, where $(0\le i<k/w)$. $k/w$ is the key size k divided by word size w. In 64/128 and 128/256, $(k,w)$ is (128, 16), (256, 32), respectively, so $k/w$ is 8, and 128/128 has (128, 32), so $k/w$ is 4. In order to generate the round key $RK$ of the key schedule, the following equation is used:

$$\begin{array}{c}R{K}_i=K_i\oplus (K_i⋘1)\oplus (K_i⋘8),\\ R{K}_{(i+k/w)\oplus 1}=K_i\oplus (K_i⋘1)\oplus (K_i⋘11).\end{array}$$

(1)

In Equation (1), ⋘ indicates a left-rotation operator. The expression $⋘8$ performs an operation where bits are shifted to the left by 8 bits, and the bits that fall off at the left edge are put back on the right edge.

The n-bit block plaintext P is divided into four w-bit words and encrypted by repeating the number of rounds corresponding to the parameters in the Table 1. In this case, the operation is different depending on whether r is odd or even. More precisely, the overall structure is the same, but the number of rotations varies depending on whether it is odd or even.

$$\begin{array}{c}{X}_{i+1}\left[j\right]=X_i[j+1],(0\le j\le 2),\\ X_{i+1}\left[3\right]=((X_i\left[0\right]\oplus i)⊞((X_i\left[1\right]⋘1)\oplus R{K}_{imod2m}))⋘a.\end{array}$$

(2)

The round function is shown in Equation (2) for $0\le i<r$, and if i is even, a is 8; otherwise, a is 1. In Equation (2), $x⊞y$ means addition of $x,y$ modulo $2^w$.

Jang et al. [24] optimized quantum circuits for the Korean lightweight block ciphers CHAM, LEA, and HIGHT. In that paper [24], an improved quantum adder [27] is applied, and parallel structure is used by allocating additional (ancilla) qubits in order to reduce in terms of circuit depth. Compared to the results of a previous paper [28], which first implemented CHAM as a quantum circuit, the performance improved by 70%. Although optimized by changing the structure of CHAM to a parallel structure, the round key generation part is the same as in the previous paper [28].

2.2. Quantum Gates

This section briefly mentions what is related to quantum computing and explains the quantum gates required to implement the cryptographic operation of ciphers. In a quantum computer environment, a quantum bit (qubit) is the unit of quantum information, and has the property of being able to have both 0 and 1 at the same time. This property is called quantum superposition, and it exponentially increases the computational space of quantum computers. Gates must be used for computation, but in a quantum computer environment, logic gates such as AND, OR, and XOR used in classical computers cannot be used, so quantum gates are used as a means to replace logic gates.

There are many quantum gates, but a single-qubit gate and controlled gate are generally considered basic. Single-qubit gates that cause the spin to revolve around some axis [29] include X (NOT), H, S gates, etc. Controlled gates including CNOT, Toffoli gate, etc., affect a target qubit through one or more control qubits. Among the quantum gates, the following four quantum gates are often used to implement quantum circuits in cryptography. The four quantum gates are shown in Figure 1.

The X gate shown in Figure 1a is the simplest reversible flip gate among the basic gates. The X gate performs an operation that inverts a single qubit that comes as an input. It has the same operation as a classical bit flip and can be matched with a NOT gate among logic gates.

The CNOT gate shown in Figure 1b stands for a Controlled-NOT gate. It inverts the target qubit only when the state of the control qubit is $|1\rangle$. CNOT gates are often used when performing an in-place XOR operation between two inputs.

The Toffoli gate shown in Figure 1c stands for a Controlled–Controlled–NOT gate and is also called CCNOT. It can be seen as a CNOT gate with two control qubits, and the target qubit can be inverted only when both control qubits are $|1\rangle$. The Toffoli gate is not a universal quantum gate, and it can be implemented by a combination of Clifford +T gates. Here, Clifford +T gates are a set of universal quantum gates consisting of Clifford, which includes H gate, S gate, and CNOT gate, and a single T gate, which is non-Clifford. By fixing this set of gates, we can estimate the number of quantum gates, circuit depth, cost, etc. We adopt the method of decomposing Toffoli gates into 8 Clifford + 7T gates from [30]. In this case, the full depth is 8 and the T-depth is 4. The Toffoli gate has the highest quantum cost among the four basic quantum gates of Figure 1.

The Swap Gate shown in Figure 1d exchanges the states of two qubits that come in as inputs. Unlike the previous gates, the SWAP gate does not use quantum resources. Except for the SWAP gate, the quantum resource cost of other gates increases in the mentioned order.

While NAND or NOR gates are universal gates in classical computing, universal quantum gate sets include Clifford gates (X, CNOT, H, S) +T gate, rotation gates, and others. By using these universal quantum gate sets, it is possible to perform any quantum operation. In this paper, we estimate the complexity of total quantum gates at the Clifford + T level.

2.3. Linear Layer Optimization

Linear equations can be expressed as matrices.

$$\begin{array}{c}a{x}_1+b{x}_2=y_1\\ c{x}_1+d{x}_2=y_2\end{array}$$

(3)

$$\left[\begin{array}{cc}a& b\\ c& d\end{array}\right]\left[\begin{array}{c}{x}_1\\ x_2\end{array}\right]=\left[\begin{array}{c}{y}_1\\ y_2\end{array}\right]$$

(4)

For example, when there are two linear equations such as Equation (3), converting them into matrices can be expressed as Equation (4).

2.3.1. PLU Factorization

The PLU factorization allows us an easy way to implement a binary matrix. Given a square matrix M; the algorithm funds a permutation matrix P, a lower triangular matrix L, and an upper triangular matrix U; such that $M=PLU$. The matrix L has a value of 0 except for the lower triangular matrix, and on the contrary, matrix U has 0 except for the upper triangular matrix.

$$M=\left[\begin{array}{cccc}1& 0& 1& 0\\ 1& 0& 1& 0\\ 0& 1& 1& 0\\ 0& 1& 1& 0\end{array}\right]=P·L·U=\left[\begin{array}{cccc}1& 0& 0& 0\\ 0& 0& 1& 0\\ 0& 1& 0& 0\\ 0& 0& 0& 1\end{array}\right]·\left[\begin{array}{cccc}1& 0& 0& 0\\ 0& 1& 0& 0\\ 1& 0& 1& 0\\ 0& 1& 0& 1\end{array}\right]·\left[\begin{array}{cccc}1& 0& 1& 1\\ 0& 1& 1& 0\\ 0& 0& 0& 0\\ 0& 0& 0& 0\end{array}\right]$$

(5)

In Equation (5), the first matrix is arbitrary square matrix M, the second one is matrix P, the third one is matrix L, and the last one is matrix U. In our case, the PLU matrices were obtained utilizing SageMath 9.8 https://www.sagemath.org/ (accessed on 10 April 2023), which is an open-source programming tool for multiple Python-based mathematics. PLU factorization can be used to find the inverse of a non-singular matrix or a solution to a row-linear equation. Applying this method to ciphers can reduce the number of XOR2s in a general circuit and CNOT gates in a quantum circuit.

In the past, PLU factorization was used in various contexts. For instance, the $32\times 32$ binary matrix of AES  (the MixColumn  matrix) [16,20,22,31] or the implementation of an elliptic curve [32].

2.3.2. FSE’20 (Xiang et al. [33])

The work by Xiang et al. [33] was published in the FSE’20, where the authors proposed an in-place algorithm to optimize the implementation of binary matrices. To the best of our finding, this is the first-of-its-kind.

Because of the in-place nature of the implementation (i.e., $x_i\leftarrow x_i\oplus x_j$), it becomes possible to update the same qubits (thus, we do not need ancilla/garbage qubits). At the same time, the algorithm is quite efficient, as the state-of-the-art results for in-place implementation of several binary matrices (including that of the $32\times 32$ MixColumn  matrix of AES, which takes 92 XOR2/CNOT gates) are reported in this paper.

2.4. Grover’s Algorithm (for Key Search)

Grover’s algorithm [5] is a quantum search algorithm that derives the desired answer using the superposition and entanglement principles of quantum mechanics. When the function domain size is n, using the Grover’s algorithm reduces the computational complexity to $\sqrt{n}$.

The Grover’s algorithm consists of an oracle and a diffusion operator. Among these, the oracle operator is a key component in the algorithm as it has a direct relationship with the overall performance of the algorithm. Namely, it is essential to implement oracle efficiently to optimize the performance of the algorithm.

1.

In order to make the key of n-qubit superposition states $|\psi \rangle$, the Hadamard gates are applied to k of n-qubit. This ensures that all states of the qubits have the same amplitude:

$$|\psi \rangle =H^{\otimes n}{|0\rangle }^{\otimes n}=\left(\frac{|0\rangle +|1\rangle }{\sqrt{2}}\right)=\frac{1}{2^{n/2}}\sum _{k=0}^{2^n-1}|k\rangle$$

(6)

2.

The attack-target cipher is implemented as a quantum circuit and arranged in oracle $f\left(k\right)$. Encrypting the known plaintexts of the superpositioned key produces ciphertexts c for all key values. Afterwards, if the ciphertext matches the known ciphertext, $f\left(k\right)=1$ and ${(-1)}^{f\left(k\right)}|k\rangle |-\rangle$, so the sign of the solution key value is reversed.

$$f\left(k\right)=\left\{\begin{array}{c}\hfill 1\mathrm{if}Enc\left(key\right)=c\\ \hfill 0\mathrm{if}Enc\left(key\right)\ne c\end{array}\right.$$

(7)

$$U_f(|\psi \rangle |-\rangle )=\frac{1}{2^{n/2}}\sum _{k=0}^{2^n-1}{(-1)}^{f\left(k\right)}|k\rangle |-\rangle$$

(8)

3.

In the final step, the diffusion operator amplifies the amplitude of the negative-signed solution key returned by the oracle. Usually, diffusion operators do not require special skills to implement because their design is general.

3. Quantum Implementation of CHAM

In our implementation, the key-schedule of [24] is improved to optimize the quantum circuit of CHAM. Since the calculation processes between the parameters are similar, CHAM 64/128 will be used as an example.

3.1. Binary Matrix in Key Schedule

The round key $RK$ matrix of CHAM is generated using Equation (1) of Section 2.1. The i range of CHAM 64-128 is $(0\le i<r)$, so CHAM 64-128 exists from $R{K}_0$ to $R{K}_{15}$. For $RK$, indices 0 to 7 use the first formula in Equation (1) and 8 to 15 use the second formula, resulting in a total of two $RK$ matrices. In the case of CHAM-64/128, since the word size w is 16, the matrix obtained through the above process has a size of 16 × 16. The following is the $R{K}_{0\sim 7}$ matrix of CAHM 64-128:

$$\left[\begin{array}{cccccccccccccccc}1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1\\ 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1\\ 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1& \begin{array}{c}\hfill 0\end{array}\\ \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& \begin{array}{c}\hfill 0\end{array}& 1& 1\end{array}\right]$$

(9)

The row of the matrix $RK$ shows the result of each rotation operation when i is applied to the key-schedule equation. For example, the second row of $R{K}_{0\sim 7}$ is composed of $(1,1,\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},1,\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array},\begin{array}{c}\hfill 0\end{array})$, according to Equation (9). When $K_i$ is in column 2, 1 in column 1 is a value of $Ro{L}_1$, and 1 in column 10 is a value of $RO{L}_8$. The matrices of the remaining parameters including CHAM-64/128 are generated using sage math tool.

3.2. PLU Factorization

In order to generate $RK$ using PLU factorization [23], $P,L$, and U matrices are to be obtained, respectively, as mentioned in Section 2.3. This can also be easily obtained by using the LU() https://doc.sagemath.org/html/en/reference/matrices/sage/matrix/matrix2.html#sage.matrix.matrix2.Matrix.LU (accessed on 10 April 2023) function of SageMath.

Algorithm 1 is a quantum circuit implementation of applying $U,L$. In each matrix, column n represents $k[n-1]$. One thing to note is that the P, L, and U matrices are constants, which classifies Algorithm 1 as a classical-quantum implementation. The condition values ($U,L$) used in the if statements in Algorithm 1 are all classical. Thus, the if statements used in Algorithm 1 are for designing the quantum circuit (i.e., programming related), not for internal if statements based on the measurement values of qubits within the quantum circuit. Conceptually, the role of the if statements is similar to that of a for the loop.

In the algorithms, not all matrices consist of qubits.The U process proceeds from 1 to 16 rows of the matrix U (i.e., from top to bottom). In a row, it is meaningful because only the upper terms of the diagonal term in the matrix U have non-zero values based on the main diagonal line due to the characteristics of the upper triangular matrix. Therefore, if it searches in the right direction based on the main diagonal line, and if the value is 1, the corresponding element $k[1+i+j]$ is set as the control qubit and the main diagonal element $k\left[i\right]$ is set as the target qubit and then CNOT gates are applied.

The L process as opposed to U proceeds in the first row direction in row 16 of the matrix L, i.e., from bottom to top. L is also meaningful only for the left value of the main diagonal due to the characteristics of the lower triangular matrix. Similar to U, we search the left side of the main diagonal reference, and if the value is 1, CNOT gates are applied to the corresponding element $k[w-1-j]$ and the main diagonal element $k[w-1-i]$.

In the P process, the permutation is performed according to the matrix P. Only CNOT gates are used for U and L processes, whereas only SWAP gates are used for P processes, which rearrange the order. In the $LU$ factorization, only the input matrix is different according to the $RK$ index (Section 2.1), but the algorithm is the same, so one operation is used. On the other hand, in the permutation step, it is not easy to define an algorithm for the P matrix for each $RK$ index, so different SWAP gates are applied each time according to the P matrix.

Algorithm 1: Quantum implementation of $LU$ factorization.

Input: Word size w, w-qubit Key $k_{0\sim 7}$, Upper triangular matrix U, Lower triangular matrix L Output: w-qubit key $k_{0\sim 7}$ 1: // Applying U 2: for$i=0$ to $w-2$ do 3:     for $j=0$ to $w-i-2$ do 4:         if $U\left[\right(i\ast w)+1+i+j]==1$ then 5:            $k\left[i\right]\leftarrow$$CNOT\left(k\right[i+j+1],k[i\left]\right)$ 6:         end if 7:     end for 8: end for 9: // Applying L 10: for$i=0$ to $w-2$ do 11:     for $j=w-1$ to $i+1$ step $-1$ do 12:         if $L[w\ast (w-1-i)+w-1-j]==1$ then 13:            $k[w-1-i]\leftarrow$$CNOT\left(k\right[w-1-j],k[w-1-i\left]\right)$ 14:         end if 15:     end for 16: end for 17: return$k_{0\sim 7}$

Algorithm 2 describes a quantum implementation of the CHAM-64/128 Key schedule applying $PLU$ factorization. In order to recycle $k_{0\sim 7}$, a reverse operation is performed on quantum gates included in the Transform range at Reverse (transform $k_{0\sim 7}$). This part is implemented using ProjectQ’s Compute() and Uncompute() commands. Transform corresponds to Compute() and Reverse corresponds to Uncompute(). Since this paper is about key-schedule optimization, only the location where the encryption step is performed is mentioned as a comment, and the implementation algorithm is omitted.

Figure 2 and Figure 3 represent quantum circuit diagrams of CHAM-64/128 key schedule with PLU factorization for $R{K}_{0\sim 7}$. These diagrams aim to illustrate the quantum operations actually performed when Apply L, U, and permutations are executed. These circuits are only valid for $R{K}_{0\sim 7}$, and the circuit diagram differs for $R{K}_{8\sim 15}$ due to the use of different applied matrices.

Algorithm 2: Quantum implementation of CHAM-64/128 key-schedule with PLU factorization.

Input: 16-qubit Key $k_{0\sim 7}$, Upper triangular matrices $U_{1,2}$, Lower triangular matrices $L_{1,2}$ Output: Round key $R{K}_{0\sim 15}$ 1: Transform$k_{0\sim 7}$: 2:     for $i=0$ to 7 do 3:         $k_i\leftarrow$ Apply LU($k_i,16,U_1,L_1$) 4:         $(k_i\left[12\right],k_i\left[11\right])\leftarrow$ SWAP$(k_i\left[11\right],k_i\left[12\right])$ 5:         $(k_i\left[11\right],k_i\left[13\right])\leftarrow$ SWAP$(k_i\left[13\right],k_i\left[11\right])$ 6:         $(k_i\left[11\right],k_i\left[10\right])\leftarrow$ SWAP$(k_i\left[10\right],k_i\left[11\right])$ 7:         $(k_i\left[10\right],k_i\left[14\right])\leftarrow$ SWAP$(k_i\left[14\right],k_i\left[10\right])$ 8:         $(k_i\left[10\right],k_i\left[9\right])\leftarrow$ SWAP$(k_i\left[9\right],k_i\left[10\right])$ 9:         $(k_i\left[9\right],k_i\left[15\right])\leftarrow$ SWAP$(k_i\left[15\right],k_i\left[9\right])$ 10:     end for 11: return$k_{0\sim 7}$                             ▹$R{K}_{0\sim 7}$                          ▹ After performing encryption 12: Reverse (transform $k_{0\sim 7}$) 13: Transform$k_{0\sim 7}$: 14:     for $i=0$ to 7 do 15:         $k_i\leftarrow$ Apply LU($k_i,16,U_2,L_2$) 16:         $(k_i\left[13\right],k_i\left[11\right])\leftarrow$ SWAP$(k_i\left[11\right],k_i\left[13\right])$ 17:         $(k_i\left[10\right],k_i\left[9\right])\leftarrow$ SWAP$(k_i\left[9\right],k_i\left[10\right])$ 18:         $(k_i\left[8\right],k_i\left[7\right])\leftarrow$ SWAP$(k_i\left[7\right],k_i\left[8\right])$ 19:         $(k_i\left[6\right],k_i\left[5\right])\leftarrow$ SWAP$(k_i\left[5\right],k_i\left[6\right])$ 20:     end for 21: return$k_{0\sim 7}$                             ▹$R{K}_{8\sim 15}$                          ▹ After performing encryption 22: Reverse (transform $k_{0\sim 7}$) 23: return$k_{0\sim 7}$

3.3. FSE’20

The second improvement method is the application of FSE’20 to the key-schedule. The method of applying PLU factorization uses CNOT and SWAP gates, while the method of applying FSE’20 uses only CNOT gates. The SWAP part uses a logical swap method that can include values to Python’s list in the order you want them to. Since the process is too complicated to use the SWAP gate, a logical swap is used to intuitively know. Since the logical swap method does not use quantum gates, the reverse operation is not applied immediately. Therefore, it is necessary to make an operation that performs the opposite process of the logical swap so that it can be put back in the original order in the list.

The generation of round keys $R{K}_{0\sim 7}$ with FSE’20 is described in Algorithm 3. If the reverse operation is performed in Algorithm 3, the reverse function can be applied to lines 1 to 14 in the same way as PLU factorization. Then, k has the original value if the same operation of line 16 to 19 is performed one more time. The reverse operation proceeds in the same way as the aforementioned PLU algorithm.

Algorithm 3: Quantum implementation of CHAM-64/128 Key Schedule applying FSE’20.

Input: 16-qubit Key $k_{0\sim 7}$ Output: Round key$R{K}_{0\sim 7}$ 1: Transform$k_{0\sim 7}$: 2:     for $i=0$ to 7 do 3:         $k_i\left[5\right]\leftarrow$ CNOT16$(k_i\left[13\right],k_i\left[5\right])$,    $k_i\left[2\right]\leftarrow$ CNOT16$(k_i\left[10\right],k_i\left[2\right])$ 4:         $k_i\left[15\right]\leftarrow$ CNOT16$(\left[k7\right],k_i\left[15\right])$,    $k_i\left[8\right]\leftarrow$ CNOT16$(k_i\left[0\right],k_i\left[8\right])$ 5:         $k_i\left[7\right]\leftarrow$ CNOT16$(k_i\left[6\right],k_i\left[7\right])$,    $k_i\left[7\right]\leftarrow$ CNOT16$(k_i\left[14\right],k_i\left[7\right])$ 6:         $k_i\left[4\right]\leftarrow$ CNOT16$(k_i\left[12\right],k_i\left[4\right])$,    $k_i\left[14\right]\leftarrow$ CNOT16$(k_i\left[5\right],k_i\left[14\right])$ 7:         $k_i\left[12\right]\leftarrow$ CNOT16$(k_i\left[11\right],k_i\left[12\right])$,    $k_i\left[10\right]\leftarrow$ CNOT16$(k_i\left[9\right],k_i\left[10\right])$ 8:         $k_i\left[13\right]\leftarrow$ CNOT16$(k_i\left[4\right],k_i\left[13\right])$,    $k_i\left[10\right]\leftarrow$ CNOT16$(k_i\left[1\right],k_i\left[10\right])$ 9:         $k_i\left[12\right]\leftarrow$ CNOT16$(k_i\left[3\right],k_i\left[12\right])$,    $k_i\left[9\right]\leftarrow$ CNOT16$(k_i\left[8\right],k_i\left[9\right])$ 10:         $k_i\left[1\right]\leftarrow$ CNOT16$(k_i\left[8\right],k_i\left[1\right])$,    $k_i\left[0\right]\leftarrow$ CNOT16$(k_i\left[15\right],k_i\left[0\right])$ 11:         $k_i\left[8\right]\leftarrow$ CNOT16$(k_i\left[0\right],k_i\left[8\right])$,    $k_i\left[3\right]\leftarrow$ CNOT16$(k_i\left[2\right],k_i\left[3\right])$ 12:         $k_i\left[6\right]\leftarrow$ CNOT16$(k_i\left[5\right],k_i\left[6\right])$,    $k_i\left[4\right]\leftarrow$ CNOT16$(k_i\left[12\right],k_i\left[4\right])$ 13:         $k_i\left[11\right]\leftarrow$ CNOT16$(k_i\left[2\right],k_i\left[11\right])$,    $k_i\left[15\right]\leftarrow$ CNOT16$(k_i\left[7\right],k_i\left[15\right])$ 14:         $k_i\left[2\right]\leftarrow$ CNOT16$(k_i\left[10\right],k_i\left[2\right])$,    $k_i\left[5\right]\leftarrow$ CNOT16$(k_i\left[13\right],k_i\left[5\right])$                                   ▹ logical swap 15:         $R{K}_i\left[0\right]\leftarrow k_i\left[0\right]$ 16:         for $j=15$ to 1 step -1 do 17:            $R{K}_i[j-(\lceil j/2\rceil -1)\ast 2]\leftarrow k_i\left[j\right]$ 18:         end for 19:     end for 20:     return $R{K}_{0\sim 7}$                            ▹ After performing encryption 21:     Reverse (transform $k_{0\sim 7}$) 22:     return $k_{0\sim 7}$

4. Performance

In this section, we evaluate and compare the performance of proposed CHAM quantum circuits by estimating the quantum resources. However, the proposed quantum circuits cannot yet run in current quantum computers because the size of our circuits are too large. We use ProjectQ, a quantum programming tool provided by IBM, on classical computers to implement and simulate quantum circuits. Thus, the quantum circuits in our work are implemented and simulated at an error-free environment (i.e., logical level). A large number of qubits can be simulated using ProjectQ’s own library, ClassicalSimulator, which is limited to boolean quantum gates such as X, CNOT, and Toffoli. Quantum gates that affect the phase such as S and H gates cannot be used. ClassicalSimulator allows us to validate the implementation by classical calculation of the output of the implemented quantum circuit. To verify the proposed quantum circuits, the test vector provided in [25] (Appendix A) is used for the plaintext, ciphertext, and secret key. If the output of running our quantum circuits in ClassicalSimulator matches the ciphertext of the test-vector, we can be confident that the circuits have been implemented correctly. To estimate the detailed quantum resources, we use another internal library called ResourceCounter. Unlike the ClassicalSimulator, the ResourceCounter does not compute values that are affected by quantum gates. It only calculates the depth of the circuit, and the number of allocated quantum gates and qubits.

The quantum resources needed to implement CHAM quantum circuits at the NCT (NOT(X), CNOT, and Toffoli) level are shown in

Table 2. Quantum resources required for previous CHAM implementation (JSKKKS’20).

Cipher	#CNOT	#X	#Toffoli	#qubits	Depth
CHAM-64/128	13,200	2320	2320	204	2615
CHAM-128/128	28,760	4880	4880	292	5307
CHAM-128/256	34,944	5872	5856	420	6594

and

Table 3. Quantum resources required for proposed CHAM implementations.

Method	Cipher	#CNOT	#X	#Toffoli	#qubits	Depth
PLU [23] (this work)	CHAM-64/128	21,360	2320	2320	195	2673
	CHAM-128/128	52,000	4880	4880	259	6431
	CHAM-128/256	62,400	5872	5856	387	6356
FSE’20 [33] (this work)	CHAM-64/128	13,040	2320	2320	195	2612
	CHAM-128/128	28,800	4880	4880	259	5240
	CHAM-128/256	34,560	5872	5856	387	6249

.

As mentioned in Section 2.2, the Toffoli gate consists of a combination of Clifford and T gates. We decompose one Toffoli gate into 7 T gates, 8 Clifford gates with T depth 4, full depth 8 using the [30] method, which is widely used in related to quantum studies.

Table 4. CHAM quantum resources comparison by methods applied to key-schedule in detail.

CHAM	Methods	#CNOT	#1qCliff	#T	T-Depth	#qubits	Full Depth
64/128	Previous [24]	27,120	6960	16,240	9280	204	17,035
	PLU [23] (this work)	35,280				195	17,092
	FSE’20 [33] (this work)	29,960				195	17,031
128/128	Previous [24]	58,040	14,640	34,160	19,520	292	37,766
	PLU [23] (this work)	81,280				259	37,878
	FSE’20 [33] (this work)	58,080				259	37,768
128/256	Previous [24]	70,080	17,584	40,992	23,424	420	45,252
	PLU [23] (this work)	97,536				387	45,014
	FSE’20 [33] (this work)	69,696				387	44,904

shows a comparison of the detailed quantum resources required for quantum circuits of the previous and the proposed structure at the Clifford + T level.

Compared to the existing CHAM implementation, Jang et al. [24] used auxiliary qubits in the key-schedule process for generating a round key. These dedicated qubits are used solely for generating a round key and can be sufficiently saved through optimizing. Both PLU factorization and FSE’20 eliminate the need for additional auxiliary qubits by implementing the key-schedule circuit in-place, resulting in a reduction in the number of qubits.

In the case of PLU factorization, the circuit depth of parameters 64/128 and 128/128 increase, but the depth of 128/256 decreases. Since the overall change in the depth of the circuit is insignificant, this modulation can be ignored, and it can be considered that the number of qubits is saved while maintaining the circuit depth to some extent. However, the number of CNOT gates increased by about $40\%$, which can be seen as a trade-off with qubits.

FSE’20 overall reduce the number of qubits, CNOT gates, and full depth of the circuit. Comparing Table 2 and Table 3, FSE’20 shows improvements in qubits by 7.9%, depth by 2.2%, and number of CNOT gates by 0.7%. When considering the maintenance of the number of #lqCliffod, #T, and T-depth, it can be observed that the FSE’20 method significantly conserves quantum resources. Comparing the two methods, PLU factorization shows an increase in the values of the rest of the indicators except for qubits, while most of the values in FSE’20 decrease, and shows improvement. Based on these results, FSE’20 can be considered as the most optimal method. Since circuit depth is related to speed and time, the reduction in circuit depth in FSE’20 suggests an improvement in the execution speed of CHAM. In addition, considering a low-power environment with limited quantum computers and resources, reducing the number of gates and qubits through FSE’20 increases the feasibility of the circuit by correspondingly reducing the demand on resources. However, FSE’20 has a limitation that it cannot be used for linear layer matrices larger than 32 × 32. For CHAM, the matrix for the largest instances (i.e., CHAM-128/256) is 32 × 32, so we could have used this method, but we cannot use this method for ciphers with matrices larger than this.

T-counts and T-depth are related to the Toffoli gate used in the quantum circuit of CHAM for the adder. The adder is not used in the key-schedule step that we optimized; therefore, all three methods have the same values for T-counts and T-depth in Table 4. Furthermore, #lqCliff also has the same value for all three methods as only the CNOT gate is utilized in the key-schedule phase.

5. Cost Estimate for Grover Key Search

The two components of Grover’s algorithm are the oracle, which finds a solution, and the diffusion operator, which increases the amplitude of the solution. The diffusion operator has a very low overhead and doesn’t require any special implementation methods. So, the cost for the Grover’s algorithm is estimated using just the quantum resources needed for the oracle in the majority of cases [14,16,20,22,34]. The efficiency of the implemented quantum circuit determines the quantum resources of the oracle.

The oracle operates encryption and reverse operations sequentially. Since the CHAM quantum circuit is applied to each operation, the cost of using the oracle once is (Table 4 × 2) when $R=\lceil k/n\rceil$ (key size/block size) is 1 except for qubits. If R is 2, since there are 2 encryption and reverse operation pairs, there are 4 operations in total, so it is multiplied by 4. The effectiveness of the quantum circuit determines the performance of the Grover key search. Although it is well known that the Grover’s algorithm needs to be iterated $\sqrt{2^n}$ times to recover the n-bit key, a detailed analysis of [35] suggests that it is optimal to repeat the Grover’s algorithm $\lfloor \frac{\pi }{4}·\sqrt{2^n}\rfloor$ times. Thus, the cost of the Grover key search is calculated as (Table 4$\times 2\times \lfloor \frac{\pi }{4}·\sqrt{2^n}\rfloor )$ without the number of qubits. This means repeating Oracle by $\lfloor \frac{\pi }{4}·\sqrt{2^n}\rfloor$.

Table 5. Comparison of cost of Grover’s key search by methods applied to key-schedule for CHAM.

CHAM	Methods	Total Gates	Total Depth	Cost	Security [12]
64/128	PLU	$1.456\times 2^{81}$	$1.025\times 2^{76}$	$1.462\times 2^{157}$	$2^{170}$ (Level 1)
	FSE’20	$1.226\times 2^{81}$	$1.002\times 2^{76}$	$1.228\times 2^{157}$
	PLU (revision)	$1.568\times 2^{81}$	$1.119\times 2^{76}$	$1.755\times 2^{157}$
	FSE’20 (revision)	$1.345\times 2^{81}$	$1.094\times 2^{76}$	$1.471\times 2^{157}$
128/128	PLU	$1.583\times 2^{81}$	$1.233\times 2^{77}$	$1.952\times 2^{158}$	$2^{170}$ (Level 1)
	FSE’20	$1.305\times 2^{81}$	$1.005\times 2^{77}$	$1.311\times 2^{158}$
	PLU (revision)	$1.103\times 2^{82}$	$1.716\times 2^{77}$	$1.894\times 2^{159}$
	FSE’20 (revision)	$1.818\times 2^{81}$	$1.400\times 2^{77}$	$1.273\times 2^{159}$
128/256	PLU	$1.895\times 2^{146}$	$1.219\times 2^{141}$	$1.155\times 2^{288}$	$2^{333}$ (Level 3)
	FSE’20	$1.562\times 2^{146}$	$1.198\times 2^{141}$	$1.871\times 2^{287}$
	PLU (revision)	$1.179\times 2^{147}$	$1.511\times 2^{141}$	$1.781\times 2^{288}$
	FSE’20 (revision)	$1.946\times 2^{146}$	$1.491\times 2^{141}$	$1.450\times 2^{288}$

shows the quantum resources required for Grover key search for CHAM with various methods applied. That is, the costs shown in Table 5 represent the resources needed for a Grover’s key search attack, and this resource requirement depends on the complexity of the oracle. The costs in Table 5 are used to determine how secure a CHAM cipher is in a quantum computing environment.

NIST security is based on the post-quantum security strength specified by NIST, and the Grover attack costs of AES-128, -192, and -256 are $2^{170},2^{233},$ and $2^{298}$, respectively. The lowest security level for encryption algorithms is 1 (corresponds to that of AES-128), and the level increases as the key size increases. According to the post-quantum security strength criteria provided by NIST [12], 128/256 satisfies Level 3, but 64/128 and 128/128 do not exceed Level 1. NIST’s post-quantum security requirements specify that the cipher should be similar to or higher than the Grover attack cost for AES to ensure security on quantum computers. Accordingly, it may be considered that 64/128 and 128/128 do not achieve an appropriate security level.

However, a document provided by NIST [12] states that the estimated costs should be conservatively evaluated if a quantum attack with a significantly reduced attack cost later appears. The AES attack cost estimated by NIST is cited in a 2016 paper by Grassl et al. [16], and implementations that further optimize AES quantum circuits have been recently proposed. A recent Grover attack cost estimation study on AES [20] shows that since Level 1 is $2^{157}$, it can be seen that parameters with key size $k=$128 also satisfy the security strength.

6. Conclusions

In this paper, we present optimizing quantum circuit implementations of the CHAM ciphers. We apply linear layer optimization techniques such as PLU factorization and FSE’20 to CHAM’s key-schedule to eliminate additional qubits, saving the number of qubits without significantly increasing the depth of the circuit. In particular, in the case of FSE’20, not only the number of qubits but also the number of CNOT gates and the depth of the circuit are reduced. However, the PLU factorization method has limitations as it leads to an increase in both the number of CNOT gates and the depth of the circuit. While the change in depth is trivial, less than 1%, the increase in the number of CNOT gates is not negligible, ranging from 3 to 40%. In our work, we considered this as a trade-off with qubit. In the case of the FSE’20 method, we concluded that it is the most optimal method in terms of reducing the number of qubits, the number of gates, and the depth. Currently, according to Xiang et al. [33], this method has a limitation that it can only be used for linear layer matrices of size 32 or less.

The performance of future quantum computers is not yet known accurately, and for this reason, it is difficult to predict how secure the existing cryptography will be in the quantum computing environment. Accordingly, NIST proposed to measure security strength through computation resource estimation. The value provided as a security level in this standard is the cost estimated to be incurred when attacking AES through a Grover attack. Evaluating what level of security the ciphers has in the post-quantum environment through this criterion and whether it can be used is a very important task as it prevents attacks that may occur in the future. So, we estimate the quantum circuit cost required for Grover attacks and evaluate the security level. As a result, it can be considered that all methods satisfy the security strength by satisfying the cost presented in the recently proposed paper on optimized quantum circuits in AES [20].

In future studies, in addition to PLU factorization and FSE’20, we will find a way to optimize the circuit, apply it to lightweight block ciphers such as CHAM, and compare these and then try to find an optimal method. In addition, if the two techniques applied in the thesis are applied to other ciphers (e.g., SPECK, SIMON, and LEA block ciphers), a new optimization study will be able to proceed.