Journal of Cryptology

, Volume 26, Issue 2, pp 280–312

Logic Minimization Techniques with Applications to Cryptology

Authors

  • Joan Boyar
    • Department of Mathematics and Computer ScienceUniversity of Southern Denmark
  • Philip Matthews
    • Aarhus University
    • Information Technology LaboratoryNIST
Article

DOI: 10.1007/s00145-012-9124-7

Cite this article as:
Boyar, J., Matthews, P. & Peralta, R. J Cryptol (2013) 26: 280. doi:10.1007/s00145-012-9124-7

Abstract

A new technique for combinational logic optimization is described. The technique is a two-step process. In the first step, the nonlinearity of a circuit—as measured by the number of nonlinear gates it contains—is reduced. The second step reduces the number of gates in the linear components of the already reduced circuit. The technique can be applied to arbitrary combinational logic problems, and often yields improvements even after optimization by standard methods has been performed. In this paper we show the results of our technique when applied to the S-box of the Advanced Encryption Standard (FIPS in Advanced Encryption Standard (AES), National Institute of Standards and Technology, 2001).

We also show that, in the second step, one is faced with an NP-hard problem, the Shortest Linear Program (SLP) problem, which is to minimize the number of linear operations necessary to compute a set of linear forms. In addition to showing that SLP is NP-hard, we show that a special case of the corresponding decision problem is Max SNP-complete, implying limits to its approximability.

Previous algorithms for minimizing the number of gates in linear components produced cancellation-free straight-line programs, i.e., programs in which there is no cancellation of variables in GF(2). We show that such algorithms have approximation ratios of at least 3/2 and therefore cannot be expected to yield optimal solutions to nontrivial inputs. The straight-line programs produced by our techniques are not always cancellation-free. We have experimentally verified that, for randomly chosen linear transformations, they are significantly smaller than the circuits produced by previous algorithms.

Key words

Circuit complexityMultiplicative complexityLinear component minimizationShortest Linear ProgramCancellationAESS-box

Copyright information

© International Association for Cryptologic Research 2012