Grover’s search algorithm allows a quantum adversary to find a <inline-formula><tex-math notation="LaTeX">$k$</tex-math></inline-formula> -bit secret key of a block cipher by making O( <inline-formula><tex-math notation="LaTeX">$2^{k/2}$</tex-math></inline-formula> ) block cipher queries. Resistance of a block cipher to such an attack is evaluated by quantum resources required to implement Grover’s oracle for the target cipher. The quantum resources are typically estimated by the <inline-formula><tex-math notation="LaTeX">$\textit {T}$</tex-math></inline-formula> -depth of its circuit implementation and the number of qubits used by the circuit (width). Since the AES S-box is the only component which requires <inline-formula><tex-math notation="LaTeX">$\textit {T}$</tex-math></inline-formula> -gates in a quantum implementation of AES, recent research has put its focus on efficient implementation of the AES S-box. However, any efficient implementation with low <inline-formula><tex-math notation="LaTeX">$\textit {T}$</tex-math></inline-formula> -depth will not be practical in the real world without considering qubit consumption of the implementation. In this work, we propose three methods of trade-off between time and space for the quantum implementation of the AES S-box. In particular, one of our methods turns out to use the smallest number of qubits among the existing methods, significantly reducing its <inline-formula><tex-math notation="LaTeX">$\textit {T}$</tex-math></inline-formula> -depth.