Asymptotic yet practical optimization of quantum circuits implementing GF($2^m$) multiplication and division operations

TL;DR

This paper introduces asymptotically efficient quantum circuits for GF(2^m) multiplication and division, significantly reducing gate counts and improving practical implementation for cryptographic applications.

Contribution

It develops asymptotically optimal quantum circuits for GF(2^m) multiplication and division, with substantial gate count reductions over previous methods.

Findings

Gate count for GF multiplication reduced from O(m^2) to O(m^{log_2 3})

Division gate complexity decreased from O(m^2 log m) to O(m^2 log log m / log m)

Practical advantages demonstrated for cryptographically relevant values of m

Abstract

We present optimized quantum circuits for GF$(2^m)$ multiplication and division operations, which are essential computing primitives in various quantum algorithms. Our ancilla-free GF multiplication circuit has the gate count complexity of $O(m^{\log_2{3}})$, an improvement over the previous best bound of $O(m^2)$. This was achieved by developing an efficient $O(m)$ circuit for multiplication by the constant polynomial $1+x^{\lceil{m/2}\rceil}$, a key component of Van Hoof's construction. This asymptotic reduction translates to a factor of 100+ improvement of the CNOT gate counts in the implementation of the multiplication by the constant for parameters $m$ of practical importance. For the GF division, we reduce gate count complexity from $O(m^2 \log(m))$ to $O(m^2 \log \log(m)/\log(m))$ by selecting irreducible polynomials that enable efficient implementation of both the constant polynomial multiplication and field squaring operations. We demonstrate practical advantages for cryptographically relevant values of $m$, including reductions in both CNOT and Toffoli gate counts. Additionally, we explore the complexity of implementing square roots of linear reversible unitaries and demonstrate that a root, although itself still a linear reversible transformation, can require asymptotically deeper circuit implementations than the original unitary.