## Quantum Curcuit for SPEEDY
> For SPEEDY-7-192

In [None]:
# @title Installing Libraries
!pip install qiskit
!pip install qiskit-aer

In [6]:
# Import necessary libraries from Qiskit
from qiskit import QuantumCircuit, QuantumRegister, ClassicalRegister
from qiskit.visualization import plot_histogram
import numpy as np

# Import the necessary functions for visualizing quantum states
from qiskit.visualization import plot_bloch_multivector

# Import the Statevector class from Qiskit's quantum information module
from qiskit.quantum_info import Statevector

In [7]:
# Defining global variables
keybits = 192 # not used exclusively
ptbits = 192 # plaintext bits, not used exclusively
num_rounds = 7
k = [0]*num_rounds 
k[0] = 0x123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
beta = 0x13
gamma = 0x257

## Defining necessary functions for SPEEDY block cipher

### Defining S-Box circuit
S-BOX(SB)
> At the input ancilla, qubit y should initially be set to zero, and at the end of the circuit, it stores the 6-bit result of the S-box

In [None]:
# @title `S-Box`
def SB(circ, start_bit):
  # circ == actual circuit with gates
  # creating ancilla qubits y, at the end of the circuit, it stores the 6-bit result of the S-box.
  y = QuantumCircuit(192)  # 6*32 = 192
  qubit_indices = [i for i in range(384, 576)]
  circ.compose(y, qubit_indices)

  for i in range(start_bit, 192+start_bit, 6):
    circ.cx(i+3, i+384)
    circ.ccx(i+5, i+3, i+384)
    circ.mcx([i+5, i+4, i+3, i+2], i+384)
    circ.mcx([i+5, i+4, i+1], i+384)
    circ.mcx([i+5, i+4, i+3, i+2, i+1], i+384)
    circ.ccx(i+1, i+0, i+384)
    circ.mcx([i+5, i+4, i+1, i+0], i+384)
    circ.mcx([i+3, i+1, i+0], i+384)
    circ.mcx([i+5, i+4, i+3, i+1, i+0], i+384)
    circ.barrier()

    # `Gates on i+385`
    circ.cx(i+3, i+385)
    circ.ccx(i+4, i+3, i+385)
    circ.mcx([i+5, i+4, i+3], i+385)
    circ.mcx([i+5, i+3, i+2], i+385)
    circ.cx(i+1, i+385)
    circ.ccx(i+3, i+1, i+385)
    circ.mcx([i+5, i+2, i+0], i+385)
    circ.ccx(i+1, i+0, i+385)
    circ.mcx([i+3, i+1, i+0], i+385)
    circ.barrier()

    # `Gates on i+386`
    circ.cx(i+5, i+386)
    circ.ccx(i+5, i+2, i+386)
    circ.ccx(i+4, i+2, i+386)
    circ.ccx(i+3, i+2, i+386)
    circ.mcx([i+4, i+3, i+2], i+386)
    circ.cx(i+0, i+386)
    circ.ccx(i+5, i+0, i+386)
    circ.ccx(i+4, i+0, i+386)
    circ.mcx([i+4, i+3, i+0], i+386)
    circ.ccx(i+2, i+0, i+386)
    circ.mcx([i+5, i+2, i+0], i+386)
    circ.mcx([i+3, i+1, i+0], i+386)
    circ.barrier()

    # `Gates on i+387`
    circ.cx(i+2, i+387)
    circ.ccx(i+3, i+2, i+387)
    circ.ccx(i+3, i+1, i+387)
    circ.ccx(i+5, i+0, i+387)
    circ.ccx(i+2, i+0, i+387)
    circ.mcx([i+5, i+2, i+0], i+387)
    circ.mcx([i+4, i+2, i+0], i+387)
    circ.mcx([i+3, i+2, i+0], i+387)
    circ.mcx([i+3, i+1, i+0], i+387)
    circ.barrier()

    # `Gates on i+388`
    circ.ccx(i+5, i+4, i+388)
    circ.cx(i+1, i+388)
    circ.ccx(i+4, i+1, i+388)
    circ.ccx(i+2, i+1, i+388)
    circ.mcx([i+4, i+2, i+1], i+388)
    circ.cx(i+0, i+388)
    circ.mcx([i+5, i+4, i+0], i+388)
    circ.mcx([i+4, i+3, i+0], i+388)
    circ.mcx([i+3, i+2, i+0], i+388)
    circ.mcx([i+4, i+3, i+2, i+0], i+388)
    circ.ccx(i+1, i+0, i+388)
    circ.mcx([i+4, i+1, i+0], i+388)
    circ.mcx([i+2, i+1, i+0], i+388)
    circ.mcx([i+4, i+2, i+1, i+0], i+388)
    circ.barrier()

    #`Gates on i+389`
    circ.cx(i+4, i+5)
    circ.ccx(i+5, i+2, i+389)
    circ.ccx(i+4, i+2, i+389)
    circ.ccx(i+4, i+1, i+389)
    circ.mcx([i+4, i+2, i+1], i+389)
    circ.ccx(i+3, i+0, i+389)
    circ.mcx([i+4, i+3, i+0], i+389)
    circ.mcx([i+5, i+3, i+2, i+0], i+389)
    circ.mcx([i+4, i+3, i+2, i+0], i+389)
    circ.mcx([i+3, i+1, i+0], i+389)
    circ.mcx([i+4, i+3, i+1, i+0], i+389)
    circ.mcx([i+2, i+1, i+0], i+389)
    circ.mcx([i+5, i+2, i+1, i+0], i+389)
    circ.mcx([i+5, i+3, i+2, i+1, i+0], i+389)
    circ.mcx([i+4, i+3, i+2, i+1, i+0], i+389)
    circ.barrier()

### ShiftColumns (SC)
> Input x is the result of ShiftColumn and is the target of the S-box operation.

It changes the index of the input as arranged in new_array

In [9]:
# fucntion to copy state of a qubit, used to shift column values
def teleport1(circ, q0, q1, q2, c0, c1): # q1 == 960 --> teleport bit
  circ.h(q1)
  circ.cx(q1,q2)
  circ.cx(q0, q1)
  circ.h(q0)
  circ.measure([q0, q1], [c0, c1])
  circ.cx(q1, q2)
  circ.cz(q0, q2)
  circ.reset(q1)
"""
new_array[(6*i+j+6)%192] # --> circ[(6*i+j+6)%192 + 768]
circ[6*i+j+start_bit] # --> to copy
q0 = circ[6*i+j+start_bit]
q1 = circ[960] # teleport
q2 = circ[(6*i+j+6)%192 + 768]
"""
# Quantum circuit of ShiftColumns
def SC(circ, start_bit): 
  new_array = QuantumRegister(192, 'new_array')
  new_array_circ = QuantumCircuit(192) # by default, initialized to |0>
  qubit_indices = [i for i in range(768, 960)]
  circ.compose(new_array_circ, qubit_indices)
  for i in range(32):
    for j in range(6):
      teleport1(circ, 6*i+j+start_bit, 960, (6*i+j+6)%192 + 768, cbits[0], cbits[1])
  # reassigning the values of new_array qubits to qubits on which SC/oracle is applied
  for i in range(32):
    for j in range(6):
      teleport1(circ, 6*i+j + 768, 960, 6*i+j+start_bit, cbits[0], cbits[1])

### MixColumns (MC)


In [10]:
# Quantum circuit of MixColumns
# two arrays of 192 size are needed so in total, 384 qubits are required for MC

def MC(circ, start_bit): 
  temp = QuantumRegister(192, 'temp')
  # these qubits after compose can be accessed with temp[i] bcz the original register name is also temp
  # for this, 'temp' == name should also be same in both cells
  qc_temp = QuantumCircuit(temp)
  qubit_indices = [i for i in range(576, 768)]
  circ.compose(qc_temp, qubit_indices)
  a = [1, 5, 9, 15, 21, 26] # given in research paper
  for i in range(192):
    circ.cx(i+start_bit, i+576)  # copy target qubit(k) to temporary qubit(temp)

  # The standard shift
  for i in range(32):
    for j in range(6):
      circ.cx(6*(i+a[0])+j+576, 6*i+j+start_bit)
      circ.cx(6*(i+a[1])+j+576, 6*i+j+start_bit)
      circ.cx(6*(i+a[2])+j+576, 6*i+j+start_bit)
      circ.cx(6*(i+a[3])+j+576, 6*i+j+start_bit)
      circ.cx(6*(i+a[4])+j+576, 6*i+j+start_bit)
      circ.cx(6*(i+a[5])+j+576, 6*i+j+start_bit)


### Key Schedule (KS)
> The kr uses the permutation P to change the bit position.

kr+1[i',j' ] = kr[i,j]
(i', j') := P(i, j) with (6 · i' + j') ≡ (β · (6 · i + j) + γ) mod 6

Instead of changing the bit position, we can create a new `k` value for each round.

Same value of k[r] need to be used in corresponding encryption and decryption rounds.

In [11]:
from functools import reduce
def xor(a, b):
    return a ^ b
def rotate_left(a, b):
    return (a << b) | (a >> (192 - b))
def permute(x, beta, gamma):
    return rotate_left(reduce(xor, [x, beta, gamma]), 1)
def KS(k_0, num_rounds, beta, gamma): # k_0 is known/set already, k_0 == k[0]
    # Break 192-bit k0 into 6 32-bit values
    k_0 = 0x123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    k0_1 = k_0 & 0xFFFFFFFF
    k0_2 = (k_0 >> 32) & 0xFFFFFFFF
    k0_3 = (k_0 >> 64) & 0xFFFFFFFF
    k0_4 = (k_0 >> 96) & 0xFFFFFFFF
    k0_5 = (k_0 >> 128) & 0xFFFFFFFF
    k0_6 = (k_0 >> 160) & 0xFFFFFFFF

    k[0] = (k0_1, k0_2, k0_3, k0_4, k0_5, k0_6)

    for r in range(1, num_rounds):
        kr_1 = permute(k[r-1][0], beta, gamma)
        kr_2 = permute(k[r-1][1], beta, gamma)
        kr_3 = permute(k[r-1][2], beta, gamma)
        kr_4 = permute(k[r-1][3], beta, gamma)
        kr_5 = permute(k[r-1][4], beta, gamma)
        kr_6 = permute(k[r-1][5], beta, gamma)

        k[r] = (kr_1, kr_2, kr_3, kr_4, kr_5, kr_6)
    return k # a list of tuples

### AddRoundKey ($A_{k_{r}}$)
Instead of working with 2-D array, we can XOR the qubit array against linear `k`.
> Each round start with Akr, so it would get k[r] in each round.

In [12]:
def Akr(circ, round_num, start_bit):
  # KS is to be called before Akr
  k_r = KS(k[0], num_rounds, beta, gamma)[round_num]
  k0, k1, k2, k3, k4, k5 = k_r
  for i in range(32):
    for j in range(6):
      idx = 6*i + j + start_bit
      # Check each 32-bit value
      if (k0 >> j) & 1 == 1:
        circ.x(idx)
      if (k1 >> j) & 1 == 1:
        circ.x(idx+32)
      if (k2 >> j) & 1 == 1:
        circ.x(idx+64)
      if (k3 >> j) & 1 == 1:
        circ.x(idx+96)
      if (k4 >> j) & 1 == 1:
        circ.x(idx+128)
      if (k5 >> j) & 1 == 1:
        circ.x(idx+160)

### AddRoundConstant ($A_{c_{r}}$)
X gate is used as much as the Hamming weight.

In [13]:
def Acr(circ, start_bit):
  # constant = binary(pi - 3) --> used in SPEEDY block cipher by researchers
  constant = 0xb001001000011111101101010100010001000010110100011000010001101001100010011000110011000101000101110000000110111000001110011010001001010010000001001001110000010001000101001100111110011000111010000
  for i in range(start_bit, 192+start_bit): # this will allow as to modify only first 192 (k) bits
    if (constant & 1 == 1):
      circ.x(i)
      # circ[i] = circ.x(circ[i]) <-- isn't the way in qiskit
    constant = constant >> 1

### Round Function $R_n$

> Enc -- encryption step

In [14]:
def roundFunction_enc(circ, nqubits, start_bit, num_rounds): 
  # calling the functions in sequence given in research paper
  # k = KS(k[0], num_rounds, beta, gamma) # KS is to be called before Akr
  for round_num in range(num_rounds-1):
    Akr(circ, round_num, start_bit)
    SB(circ, start_bit)  # 32 times
    SC(circ, start_bit) # done
    MC(circ, start_bit)
    Acr(circ, start_bit) # done
  Akr(circ, num_rounds-1, start_bit)
  SB(circ, start_bit)
  SC(circ, start_bit)
  SB(circ, start_bit)
  Akr(circ, num_rounds-1, start_bit)


> Dec -- decryption step

In [15]:
def roundFunction_dec(circ, nqubits, start_bit, num_rounds):
    # calling the functions in reverse of the sequence given in research paper
  # no need of KS as KS list is already generated in encryption step
  Akr(circ, num_rounds-1, start_bit)
  SB(circ, start_bit)  # 32 times
  SC(circ, start_bit)
  SB(circ, start_bit)
  Akr(circ, num_rounds-1, start_bit)
  for round_num in range(num_rounds-1):
    Acr(circ, start_bit)
    MC(circ, start_bit)
    SC(circ, start_bit)
    SB(circ, start_bit)
    Akr(circ, round_num, start_bit)


## Grover's Algo

### Oracle

In [16]:
def oracle(circ):
  roundFunction_enc(circ, 192, 0, 7) # encryption on keybit bits
  roundFunction_enc(circ, 192, 192, 7) # encryption on ptbit bits

  # XOR plaintext_bits with key_bits
  for i in range(192): # 192 == len(plaintext_bits)
      circ.cx(ptbit[i], keybit[i])

  # Flip ancilla if plaintext_bits xor key_bits = 0
  circ.h(ancilla_qubit)
  circ.mct(list(ptbit) + list(keybit), ancilla_qubit)
  circ.h(ancilla_qubit)

  # Undo XOR
  for i in range(192):
      circ.cx(ptbit[i], keybit[i])

  roundFunction_dec(circ, 192, 0, 7) # decryption on keybit bits
  roundFunction_dec(circ, 192, 192, 7) # decryption on ptbit bits

  # print(np.array(Statevector(circ)))
  # Error: maximum allowed dimensions exceeded

### Diffusor

In [17]:
def diffuser(qc, nqubits):
    for qubit in range(nqubits):
        qc.h(qubit)
    for qubit in range(nqubits):
        qc.x(qubit)
    qc.h(nqubits-1)
    qc.mct(list(range(nqubits-1)), nqubits-1)  # multi-controlled-toffoli
    qc.h(nqubits-1)
    for qubit in range(nqubits):
        qc.x(qubit)
    for qubit in range(nqubits):
        qc.h(qubit)


### Initializer

In [18]:
def initialize_s(circ, nqubits):
    for i in range(nqubits):
        circ.h(i)
    circ.barrier()

## Main

In [None]:
# keybits = 192
# ptbits = 192
# num_rounds = 7
# k = [0]*num_rounds
# k[0] = 0x123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
# beta = 0x13
# gamma = 0x257

keybit = QuantumRegister(keybits, 'keybit')
ptbit = QuantumRegister(ptbits, 'ptbit')
y = QuantumRegister(192, 'y')
temp = QuantumRegister(192, 'temp')  # used in MC, to compose temp of MC
new_array = QuantumRegister(192, 'new_array_SC')
teleport = QuantumRegister(1, 'teleport') # to copy qubits --> at index 960
ancilla_qubit = QuantumRegister(1, 'ancilla qubit') # for the oracle operation
cbits = ClassicalRegister(2, 'teleport_c')

grover_circuit = QuantumCircuit(keybit, ptbit, y, temp, new_array, teleport, ancilla_qubit, cbits)

initialize_s(grover_circuit, keybits)  # applying Hadamard on 192 keybits-qubits
# When run on actual hardware(when enough resources are available), use --
# for _ in range((np.pi/4)*2**(keybits/2)):
#   oracle(grover_circuit)
#   diffuser(grover_circuit, keybits)

oracle(grover_circuit)
diffuser(grover_circuit, keybits)

grover_circuit.measure_all()
# grover_circuit.decompose().draw()

### Checking which simulator the program is using.

In [None]:
# !pip install qiskit-ibmq-provider

In [None]:
# from qiskit import IBMQ
# from qiskit import Aer, transpile
# from qiskit_aer import AerSimulator
# extended_stabilizer_simulator = AerSimulator(method='stabilizer')
# IBMQ.load_account()
# provider = IBMQ.get_provider()
# provider.get_backend(extended_stabilizer_simulator)

# --> currently not working on my system

### Running on IBM Simulator

In [24]:
from qiskit import Aer, transpile, execute
from qiskit_aer import AerSimulator

# Create extended stabilizer method simulator
# extended_stabilizer_simulator = AerSimulator(method='extended_stabilizer')
# --> TranspilerError: 'Number of qubits (962) in circuit-563 is greater than maximum (63) in the coupling_map'
stabilizer_simulator = AerSimulator(method='stabilizer')

> Program crashed due to full use of memory!

In [None]:
# # Transpile circuit for backend
# tcirc = transpile(grover_circuit, stabilizer_simulator)

# result = stabilizer_simulator.run(tcirc, shots=1).result()
# print('This succeeded?: {}'.format(result.success))
# print('1 shot in {}s'.format(result.time_taken))

# # Extract the counts of different measurement outcomes
# counts = result.get_counts(0)

# # Plot a histogram to visualize the measurement outcomes
# plot_histogram(counts)

## Evaluation

In [None]:
# Execute circuit
job = execute(grover_circuit, stabilizer_simulator)
result = job.result()

# Get counts
counts = result.get_counts()

# Estimate number of CNOTs
num_cnots = grover_circuit.count_ops()['cx']

# Estimate T-depth
depth = grover_circuit.depth()
depth_per_round = depth / num_rounds
t_depth = depth_per_round * 1 # 1 == rounds in grover algorithm

# Estimate T count
t_count = stabilizer_simulator.configuration().basis_gates['t'].coupling_map.size()

# Calculate cost
cost = (num_cnots + t_count) * t_depth
print(cost)