Could quantum circuit depth or gate count for MixColumns implementation affect practical attack feasibility more than diffusion strength?

This question asks about cryptographic implementation details in a quantum-computing context, but the provided preprints don't actually address MixColumns—the linear diffusion layer in AES—or compare it directly to quantum circuit overhead as a limiting factor in attack feasibility.

Here's what the archive *does* cover:

The preprints show that quantum cryptanalysis tools (truncated differentials, boomerang attacks, impossible differentials) can be implemented with polynomial-depth quantum circuits [AG-2024.07-2243, AG-2024.07-1997], meaning they don't require exponential resources. This is significant for threat assessment: if a quantum adversary can search for differential properties efficiently, then the *quality* of diffusion (how well MixColumns spreads changes across the state) becomes the primary defense, not the circuit cost of implementing the search itself.

However, none of these preprints examine MixColumns specifically, nor do they compare diffusion strength against quantum implementation costs as competing constraints on practical attacks. The quantum circuit efficiency papers [AG-2024.04-2284, AG-2024.05-1701, AG-2024.03-1393] focus on arithmetic (adders, dividers) rather than cryptographic S-boxes or mixing layers.

To properly answer your question, the archive would need papers that explicitly model the quantum circuit depth of cryptographic primitives (like MixColumns) and weigh that against the algebraic complexity of the cipher itself.