
Small low-depth circuits for cryptographic applications

Cryptography and Communications

Abstract

We present techniques to obtain small circuits which also have low depth. The techniques apply to typical cryptographic functions, as these are often specified over the field GF(2), and they produce circuits containing only AND, XOR and XNOR gates. The emphasis is on the linear components (those portions containing no AND gates). A new heuristic, DCLO (for depth-constrained linear optimization), is used to create small linear circuits given depth constraints. DCLO is repeatedly used in a See-Saw method, alternating between optimizing the upper linear component and the lower linear component. The depth constraints specify both the depth at which each input arrives and restrictions on the depth for each output. We apply our techniques to cryptographic functions, obtaining new results for the S-Box of the Advanced Encryption Standard, for multiplication of binary polynomials, and for multiplication in finite fields. Additionally, we constructed a 16-bit S-Box using inversion in GF(2^16) which may be significantly smaller than alternatives.


Notes

  1. We relax this requirement in our code.

References

  1. Bernstein, D.J.: Optimizing linear maps modulo 2. Available at http://cr.yp.to/papers.html#linearmod2

  2. Boyar, J., Matthews, P., Peralta, R.: Logic minimization techniques with applications to cryptology. J. Cryptol. 26(2), 280–312 (2013)

  3. Boyar, J., Peralta, R., Pochuev, D.: On the multiplicative complexity of Boolean functions over the basis (∧,⊕, 1). Theor. Comput. Sci. 235, 43–57 (2000)

  4. Boyar, J., Find, M.G.: Cancellation-free circuits in unbounded and bounded depth. Theor. Comput. Sci. 590, 17–26 (2015)

  5. Boyar, J., Peralta, R.: A small depth-16 circuit for the AES s-box. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) Information Security and Privacy Research - 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012, vol. 376 of IFIP Advances in Information and Communication Technology, pp 287–298. Springer (2012)

  6. Cenk, M., Hasan, M.A.: Some new results on binary polynomial multiplication. J. Cryptogr. Eng. 5(4), 289–303 (2015)

  7. Courtois, N., Hulme, D., Mourouzis, T.: Solving circuit optimisation problems in cryptography and cryptanalysis. IACR Cryptology ePrint Archive, 2011:475, 2011. Appears in electronic proceedings of 2nd IMA Conference Mathematics in Defense, UK, Swindon, 2011, www.ima.org.uk/_db/_documents/Courtois.pdf

  8. Kelly, M., Kaminsky, A., Kurdziel, M.T., Lukowiak, M., Radziszowski, S.P.: Customizable sponge-based authenticated encryption using 16-bit s-boxes. In: 34th IEEE Military Communications Conference, MILCOM 2015, Tampa, FL, USA, October 26–28, 2015, pp 43–48 (2015)

  9. Lupanov, O.B.: A method of circuit synthesis. Izvestia V.U.Z. Radiofizika 1, 120–140 (1958)

  10. Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the Limits: A Very Compact and a Threshold Implementation of AES, pp 69–88. Springer, Berlin (2011)

  11. Nechiporuk, E.I.: On the complexity of schemes in some bases containing nontrivial elements with zero weights (in Russian). Problemy Kibernetiki 8, 123–160 (1962)

  12. NIST. Advanced Encryption Standard (AES) (FIPS PUB 197). National Institute of Standards and Technology (2001)

  13. Nogami, Y., Nekado, K., Toyota, T., Hongo, N., Morikawa, Y.: Mixed bases for efficient inversion in \(\mathbb {F}(((2^{2})^{2})^{2})\) and conversion matrices of SubBytes of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010, vol. 6225 of LNCS, pp 234–247. Springer (2010)

  14. Paar, C.: Optimized arithmetic for Reed-Solomon encoders. In: 1997 IEEE International Symposium on Information Theory, p 250 (1997)

  15. Peralta, R.: Circuit minimization work http://cs-www.cs.yale.edu/homes/peralta/CircuitStuff/CMT.html. Accessed 10 March 2018

  16. Shannon, C.E.: The synthesis of two-terminal switching circuits. Bell Syst. Tech. J. 28, 59–98 (1949)

  17. Wood, C.A.: Large substitution boxes with efficient combinational implementations. Rochester Institute of Technology (2013)

  18. Wood, C.A., Radziszowski, S.P., Lukowiak, M.: Constructing large s-boxes with area minimized implementations. In: Military Communications Conference, MILCOM 2015-2015 IEEE, pp 49–54. IEEE (2015)


Acknowledgments

The first author was supported in part by the Independent Research Fund Denmark, Natural Sciences, grant DFF-7014-00041. The second author participated in this research while a guest researcher at the National Institute of Standards and Technology during 2015-2016.

Author information

Correspondence to René Peralta.

Additional information

This article is part of the Topical Collection on Special Issue on Boolean Functions and Their Applications

Appendices

Appendix A: Inversion in GF(2^4)

Figure 6 demonstrates that if NAND gates are allowed in addition to AND and XOR gates, then there is a circuit with depth 4 and only 15 gates computing inversion in GF(2^4). This has the same depth as, but two fewer gates than, the circuit we used for this work. It also has one gate fewer than the circuit used in [2], where depth 9 was acceptable.

Fig. 6: Inversion in GF(2^4) using NAND gates. Input is (x0, x1, x2, x3) and output is (y0, y1, y2, y3).

Appendix B: Tower field construction up to GF(2^16)

In the following, bases will be defined for each of the finite fields. Each basis (b1, b2) will be such that b1 + b2 = 1. This identity can be verified by repeated squaring of the defining irreducible polynomial and adding a telescoping sequence (verify GF(2^k) before GF(2^2k)). For each k, the irreducible polynomial for GF(2^2k) was found using the circuits for multiplication and addition in GF(2^k) to compute the range of x^2 + x. Then x^2 + x + α is irreducible for any α not in the range of x^2 + x.

  • GF(2^2) is built from GF(2) by adjoining a root W of x^2 + x + 1. A basis for GF(2^2) is (W, W^2).

  • GF(2^4) is built from GF(2^2) by adjoining a root Z of x^2 + x + W^2. A basis for GF(2^4) is (Z^2, Z^8).

  • GF(2^8) is built from GF(2^4) by adjoining a root V of x^2 + x + WZ^2. A basis for GF(2^8) is (V, V^16).

  • GF(2^16) is built from GF(2^8) by adjoining a root T of x^2 + x + WZ^2V. A basis for GF(2^16) is (T, T^256).

B.1 Multiplication and inversion in GF(2^16)

Let Θ = WZ^2V. Multiplication is given by

$$(a T + b T^{256})(c T + d T^{256}) = (a c + {\Theta} (a+b)(c+d)) T + (b d + {\Theta} (a+b)(c+d)) T^{256}. $$

We now derive efficient equations for inversion in GF(2^16). The identity element is 1 ⋅ T + 1 ⋅ T^256.

From the multiplication formulas we get

$$1 = a c + {\Theta} (a+b)(c+d) \qquad 1 = b d + {\Theta} (a+b)(c+d) . $$

Setting μ = Θ(a + b) and summing yields

$$1 = c (a + \mu) + d \mu \qquad 0 = a c + b d . $$

Multiplying the first equation by a and the second by (a + μ) gives

$$a = c a (a + \mu) + d a \mu \qquad 0 = a c (a + \mu) + b d (a + \mu). $$

Summing these and solving for d,

$$a = d (b (a + \mu) + a \mu ) \Rightarrow d = (b (a + \mu) + a \mu )^{-1} a $$

which, together with ac = bd, yields

$$c = b d a^{-1} = b (b (a + \mu) + a \mu )^{-1} \qquad d = a (b (a + \mu) + a \mu )^{-1} . $$

Therefore

$$c = b (b a + (a+b) \mu )^{-1} \qquad d = a (b a + (a+b) \mu )^{-1}. $$

and, substituting μ = Θ(a + b),

$$c = b (b a + (a+b)^{2} {\Theta} )^{-1} \qquad d = a (b a + (a+b)^{2} {\Theta} )^{-1} . $$

The operation (a + b)^2Θ is usually referred to as "square-scaling". Both the square-scaling and the inversion in the equations for c and d are operations in the lower field GF(2^8).
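As an added example that is not part of the paper, the following Python implements the tower of Appendix B and the inversion formula of B.1 directly on the nested pair representation; the basis product THETA[4] = W for the (Z^2, Z^8) basis is my own derivation from the defining polynomial of Z, and the bit-packing used to enumerate elements is a constructed convention.

```python
# Added example, not the paper's code: the tower GF(2) < GF(2^2) < GF(2^4) <
# GF(2^8) < GF(2^16) with the bases of Appendix B. An element of GF(2^(2k)) is
# a pair (a, b) of GF(2^k) elements meaning a*b1 + b*b2 for a basis (b1, b2)
# with b1 + b2 = 1 and b1*b2 = THETA[2k]; GF(2) elements are the ints 0 and 1.
# mul() is the paper's product formula, inv() the (c, d) derived in B.1.
ZERO2, W = (0, 0), (1, 0)   # GF(2^2) in basis (W, W^2): W is 1*W + 0*W^2
# b1*b2 per level, in the field one level down. THETA[4] = W is my derivation
# (square x^2 + x + W^2 to get Z^2 * Z^8 = W); the rest are read off Appendix B.
THETA = {2: 1,                              # W * W^2   = 1
         4: W,                              # Z^2 * Z^8 = W
         8: (W, ZERO2),                     # V * V^16  = W Z^2
         16: ((W, ZERO2), (ZERO2, ZERO2))}  # T * T^256 = W Z^2 V

def add(x, y):
    return x ^ y if isinstance(x, int) else (add(x[0], y[0]), add(x[1], y[1]))

def mul(x, y, bits=16):
    if bits == 1:
        return x & y
    (a, b), (c, d), h = x, y, bits // 2
    t = mul(THETA[bits], mul(add(a, b), add(c, d), h), h)   # THETA(a+b)(c+d)
    return (add(mul(a, c, h), t), add(mul(b, d, h), t))

def inv(x, bits=16):
    if bits == 1:          # GF(2): the only invertible element is 1
        if x == 0:
            raise ZeroDivisionError("inverse of 0")
        return 1
    (a, b), h = x, bits // 2
    ab = add(a, b)
    s = add(mul(b, a, h), mul(mul(ab, ab, h), THETA[bits], h))  # ba + (a+b)^2 THETA
    s_inv = inv(s, h)                  # the only inversion, one level down
    return (mul(b, s_inv, h), mul(a, s_inv, h))

def one(bits=16):
    return 1 if bits == 1 else (one(bits // 2),) * 2   # 1 = 1*b1 + 1*b2

def power(x, e, bits=16):   # square-and-multiply, an independent check of inv()
    r = one(bits)
    while e:
        if e & 1:
            r = mul(r, x, bits)
        x, e = mul(x, x, bits), e >> 1
    return r

def from_int(n, bits=16):   # constructed bit-packing, only to enumerate elements
    if bits == 1:
        return n & 1
    return (from_int(n >> (bits // 2), bits // 2), from_int(n, bits // 2))
```

Checking x * inv(x) == 1 over a sample of elements, and inv(x) == x^(2^16 - 2), exercises every level of the tower and the square-scaling step at once.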

About this article

Cite this article

Boyar, J., Find, M.G. & Peralta, R. Small low-depth circuits for cryptographic applications. Cryptogr. Commun. 11, 109–127 (2019). https://doi.org/10.1007/s12095-018-0296-3
