Journal of Cryptology

, Volume 26, Issue 2, pp 280-312

First online:

Logic Minimization Techniques with Applications to Cryptology

  • Joan BoyarAffiliated withDepartment of Mathematics and Computer Science, University of Southern Denmark
  • , Philip MatthewsAffiliated withAarhus University
  • , René PeraltaAffiliated withInformation Technology Laboratory, NIST Email author 

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access


A new technique for combinational logic optimization is described. The technique is a two-step process. In the first step, the nonlinearity of a circuit—as measured by the number of nonlinear gates it contains—is reduced. The second step reduces the number of gates in the linear components of the already reduced circuit. The technique can be applied to arbitrary combinational logic problems, and often yields improvements even after optimization by standard methods has been performed. In this paper we show the results of our technique when applied to the S-box of the Advanced Encryption Standard (FIPS in Advanced Encryption Standard (AES), National Institute of Standards and Technology, 2001).

We also show that, in the second step, one is faced with an NP-hard problem, the Shortest Linear Program (SLP) problem, which is to minimize the number of linear operations necessary to compute a set of linear forms. In addition to showing that SLP is NP-hard, we show that a special case of the corresponding decision problem is Max SNP-complete, implying limits to its approximability.

Previous algorithms for minimizing the number of gates in linear components produced cancellation-free straight-line programs, i.e., programs in which there is no cancellation of variables in GF(2). We show that such algorithms have approximation ratios of at least 3/2 and therefore cannot be expected to yield optimal solutions to nontrivial inputs. The straight-line programs produced by our techniques are not always cancellation-free. We have experimentally verified that, for randomly chosen linear transformations, they are significantly smaller than the circuits produced by previous algorithms.

Key words

Circuit complexity Multiplicative complexity Linear component minimization Shortest Linear Program Cancellation AES S-box