【摘要】 Camellia是继AES后最具有竞争优势的分组密码算法之一,它在信息安全的很多领域已经有了广泛的应用. S盒是Camellia算法中唯一的非线性组件.本文研究如何用较少的资源实现Camellia算法S盒的量子电路.首先通过映射矩阵使得有限域F_2⁸的乘法逆可以通过F_2⁴的（乘法和）乘法逆运算得到,进而以更少的量子比特给出实现后者的量子电路.然后应用PLU分解和消元法,通过CNOT门和NOT门实现S盒的仿射变换.最后,结合所提出的量子电路,给出需要20个量子比特、54个Toffoli门、196个CNOT门以及Toffoli门深度为42的实现S盒的量子电路.与之前需要23个量子比特、67个Toffoli门、308个CNOT门以及Toffoli门深度为53的研究相比,本文S盒量子电路需要的资源更少.此外,本文的S盒量子电路可减少实现Camellia时所需的资源,进而降低Grover算法对其攻击时所需的量子电路规模.更多还原

【Abstract】 Camellia, after AES, is one of the most competitive block cipher algorithms. It has been widely used in many fields of information security. Camellia’s distinctive nonlinear component is the S-box. This paper studies how to build the quantum circuit of the Camellia S-box at lower costs. First, the multiplicative inversion in F_2⁸ can be obtained by the multiplicative inversion（and multiplication） in F_2⁴ via a mapping matrix, and the latter can be implemented by the automation tool LIGHTER-R. The affine transformation of the S-box is then implemented with CNOT and NOT gates using the PLU decomposition and elimination approach. Finally, the Camellia S-box quantum circuit is built with 20 qubits, 54 Toffoli gates, 196 CNOT gates, 13 NOT gates, and a Toffoli depth of 42. In comparison with the previous study, which required 23 qubits, 67 Toffoli, and 38 CNOT gates, and a Toffoli depth of 53, the S-box quantum circuit in this paper requires fewer resources. Furthermore, the S-box quantum circuit used in the study can reduce the quantum resources in implementing Camellia, reducing the quantum circuit scale required to attack Camellia by the Grover algorithm.更多还原