Journal of Cryptology

, Volume 26, Issue 2, pp 280–312 | Cite as

Logic Minimization Techniques with Applications to Cryptology

  • Joan Boyar
  • Philip Matthews
  • René Peralta


A new technique for combinational logic optimization is described. The technique is a two-step process. In the first step, the nonlinearity of a circuit—as measured by the number of nonlinear gates it contains—is reduced. The second step reduces the number of gates in the linear components of the already reduced circuit. The technique can be applied to arbitrary combinational logic problems, and often yields improvements even after optimization by standard methods has been performed. In this paper we show the results of our technique when applied to the S-box of the Advanced Encryption Standard (FIPS in Advanced Encryption Standard (AES), National Institute of Standards and Technology, 2001).

We also show that, in the second step, one is faced with an NP-hard problem, the Shortest Linear Program (SLP) problem, which is to minimize the number of linear operations necessary to compute a set of linear forms. In addition to showing that SLP is NP-hard, we show that a special case of the corresponding decision problem is Max SNP-complete, implying limits to its approximability.

Previous algorithms for minimizing the number of gates in linear components produced cancellation-free straight-line programs, i.e., programs in which there is no cancellation of variables in GF(2). We show that such algorithms have approximation ratios of at least 3/2 and therefore cannot be expected to yield optimal solutions to nontrivial inputs. The straight-line programs produced by our techniques are not always cancellation-free. We have experimentally verified that, for randomly chosen linear transformations, they are significantly smaller than the circuits produced by previous algorithms.

Key words

Circuit complexity Multiplicative complexity Linear component minimization Shortest Linear Program Cancellation AES S-box 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    S. Arora, C. Lund, R. Motwani, M. Sudan, M. Szegedy, Proof verification and the hardness of approximation problems. J. Assoc. Comput. Mach. 45, 501–555 (1998) MathSciNetzbMATHCrossRefGoogle Scholar
  2. [2]
    P. Austrin, S. Khot, M. Safra, Inapproximability of vertex cover and independent set in bounded degree graphs, in IEEE Conference on Computational Complexity (IEEE Computer Society, Los Alamitos, 2009), pp. 74–80 Google Scholar
  3. [3]
    D.J. Bernstein, Optimizing linear maps modulo 2, in Workshop Record of SPEED-CC: Software Performance Enhancement for Encryption and Decryption and Cryptographic Compilers.
  4. [4]
    L. Blum, M. Shub, S. Smale, On a theory of computation and complexity over the real numbers: NP-completeness, recursive functions and universal machines. Bull. Am. Math. Soc. 21, 1–46 (1989) MathSciNetzbMATHCrossRefGoogle Scholar
  5. [5]
    J. Boyar, R. Peralta, Tight bounds for the multiplicative complexity of symmetric functions. Theor. Comput. Sci. 396(1–3), 223–246 (2008) MathSciNetzbMATHCrossRefGoogle Scholar
  6. [6]
    J. Boyar, R. Peralta, Patent application number 61089998 filed with the U.S. Patent and Trademark Office. A new technique for combinational circuit optimization and a new circuit for the S-Box for AES, 2009 Google Scholar
  7. [7]
    J. Boyar, R. Peralta, A new combinational logic minimization technique with applications to cryptology, in 9th International Symposium on Experimental Algorithms, SEA 2010. Lecture Notes in Computer Science, vol. 6049 (Springer, Berlin, 2010), pp. 178–189 Google Scholar
  8. [8]
    J. Boyar, R. Peralta, A depth-16 circuit for the AES S-box. Cryptology ePrint archive, report 2011/332, 2011.
  9. [9]
    J. Boyar, R. Peralta, D. Pochuev, On the multiplicative complexity of Boolean functions over the basis (∧,⊕,1). Theor. Comput. Sci. 235, 43–57 (2000) MathSciNetzbMATHCrossRefGoogle Scholar
  10. [10]
    J. Boyar, P. Matthews, R. Peralta, On the shortest linear straight-line program for computing linear forms, in 33rd International Symposium on Mathematical Foundations of Computer Science, MFCS 2008. Lecture Notes in Computer Science, vol. 5162 (Springer, Berlin, 2008), pp. 168–179 CrossRefGoogle Scholar
  11. [11]
    P. Bürgisser, M. Clausen, M.A. Shokrollahi, Algebraic Complexity Theory (Springer, Berlin, 1997), Chap. 13 zbMATHCrossRefGoogle Scholar
  12. [12]
    D. Canright, A very compact Rijndael S-box. Technical report NPS-MA-05-001, Naval Postgraduate School, 2005 Google Scholar
  13. [13]
    D. Canright, A very compact Rijndael S-box, in 7th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2005. Lecture Notes in Computer Science, vol. 3659 (Springer, Berlin, 2005), pp. 441–455 CrossRefGoogle Scholar
  14. [14]
    A.E.F. Clementi, L. Trevisan, Improved non-approximability results for vertex cover with density constraints, in Computing and Combinatorics (1996), pp. 333–342 CrossRefGoogle Scholar
  15. [15]
    J.W. Cooley, J.W. Tukey, An algorithm for the machine calculation of complex Fourier series. Math. Comput. 19, 297–301 (1965) MathSciNetzbMATHCrossRefGoogle Scholar
  16. [16]
    N. Courtois, D. Hulme, T. Mourouzis, Solving circuit optimisation problems in cryptography and cryptanalysis. IACR Cryptology ePrint Archive, 2011:475, 2011 Google Scholar
  17. [17]
    FIPS, Advanced Encryption Standard (AES) (National Institute of Standards and Technology, Gaithersburg, 2001) Google Scholar
  18. [18]
    C. Fuhs, P. Schneider-Kamp, Synthesizing shortest linear straight-line programs over GF(2) using SAT, in 13th International Conference on Theory and Applications of Satisfiability Testing. Lecture Notes in Computer Science, vol. 6175 (Springer, Berlin, 2010), pp. 71–84 Google Scholar
  19. [19]
    C. Fuhs, P. Schneider-Kamp, Optimizing the AES S-Box using SAT, in Proceedings of the 8th International Workshop on the Implementation of Logics (2010) Google Scholar
  20. [20]
    J. Håstad, Tensor rank is NP-Complete. J. Algorithms 11(4), 644–654 (1990) MathSciNetzbMATHCrossRefGoogle Scholar
  21. [21]
    Y. Huang, D. Evans, J. Katz, L. Malka, Faster secure two-party computation using garbled circuits, in Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, August 2011 Google Scholar
  22. [22]
    T. Itoh, S. Tsujii, A fast algorithm for computing multiplicative inverses in GF(2m) using normal bases. Inf. Comput. 78(3), 171–177 (1988) MathSciNetzbMATHCrossRefGoogle Scholar
  23. [23]
    E. Käsper, P. Schwabe, Faster and timing-attack resistant AES-GCM, in 11th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2009. Lecture Notes in Computer Science, vol. 5747 (Springer, Berlin, 2009), pp. 1–17 CrossRefGoogle Scholar
  24. [24]
    S. Khot, On the power of unique 2-prover 1-round games, in Proceedings of the 34th Annual ACM Symposium on Theory of Computing, STOC ’02, New York, NY, USA (ACM, New York, 2002), pp. 767–775 Google Scholar
  25. [25]
    V. Kolesnikov, T. Schneider, Improved garbled circuit: free XOR gates and applications, in Proceedings of Automata, Languages and Programming, 35th International Colloquium, ICALP 2008. Lecture Notes in Computer Science, vol. 5126 (Springer, Berlin, 2008), pp. 486–498 Google Scholar
  26. [26]
    O.B. Lupanov, A method of circuit synthesis. Izv. Vysš. Učebn. Zaved., Radiofiz. 1, 120–140 (1958) Google Scholar
  27. [27]
    E. Mastrovito, VLSI architectures for computation in Galois fields. Ph.D. thesis, Linköping University, Dept. Electr. Eng., Sweden, 1991 Google Scholar
  28. [28]
    S. Morioka, A. Satoh, An optimized S-Box circuit architecture for low power AES design, in Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2002. Lecture Notes in Computer Science, vol. 2523 (Springer, Berlin, 2003), pp. 172–186 CrossRefGoogle Scholar
  29. [29]
    Y. Nogami, K. Nekado, T. Toyota, N. Hongo, Y. Morikawa, Mixed bases for efficient inversion in f(((22)2)2) and conversion matrices of subbytes of AES, in 12th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2010. Lecture Notes in Computer Science, vol. 6225 (Springer, Berlin, 2010), pp. 234–247 CrossRefGoogle Scholar
  30. [30]
    C. Paar, Some remarks on efficient inversion in finite fields, in 1995 IEEE International Symposium on Information Theory, Whistler, BC, Canada (1995), p. 58 CrossRefGoogle Scholar
  31. [31]
    C. Paar, Optimized arithmetic for Reed-Solomon encoders, in IEEE International Symposium on Information Theory (1997), p. 250 CrossRefGoogle Scholar
  32. [32]
    C. Papadimitriou, M. Yannakakis, Optimization, approximation, and complexity classes. J. Comput. Syst. Sci. 43, 425–440 (1991) MathSciNetzbMATHCrossRefGoogle Scholar
  33. [33]
    A. Satoh, S. Morioka, K. Takano, S. Munetoh, A compact Rijndael hardware architecture with S-Box optimization, in Advances in Cryptology—Proceedings of ASIACRYPT 01. Lecture Notes in Computer Science, vol. 2248 (Springer, Berlin, 2001), pp. 239–254 Google Scholar
  34. [34]
    J.E. Savage, An algorithm for the computation of linear forms. SICOMP 3(2), 150–158 (1974) MathSciNetzbMATHGoogle Scholar
  35. [35]
    C. Shannon, The synthesis of two-terminal switching circuits. Bell Syst. Tech. J. 28, 59–98 (1949) MathSciNetGoogle Scholar
  36. [36]
    L.G. Valiant, Completeness classes in algebra, in Proceedings of the 11th Annual ACM Symposium on the Theory of Computing (1979), pp. 249–261 Google Scholar
  37. [37]
    R. Williams, Matrix-vector multiplication in sub-quadratic time (some preprocessing required), in Proceedings of the 18th Annual ACM-SIAM Symposium on Discrete Algorithms (2007), pp. 995–1001 Google Scholar
  38. [38]
    S. Winograd, On the number of multiplications necessary to compute certain functions. Commun. Pure Appl. Math. 23, 165–179 (1970) MathSciNetzbMATHCrossRefGoogle Scholar
  39. [39]
    J. Wolkerstorfer, E. Oswald, M. Lamberger, An ASIC implementation of AES SBoxes, in Topics in Cryptology—CT-RSA 2002. Lecture Notes in Computer Science, vol. 2271 (Springer, Berlin, 2002), pp. 67–78 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  1. 1.Department of Mathematics and Computer ScienceUniversity of Southern DenmarkOdenseDenmark
  2. 2.Aarhus UniversityAarhusDenmark
  3. 3.Information Technology LaboratoryNISTGaithersburgUSA

Personalised recommendations