# Logic Minimization Techniques with Applications to Cryptology

- 885 Downloads
- 25 Citations

## Abstract

A new technique for combinational logic optimization is described. The technique is a two-step process. In the first step, the nonlinearity of a circuit—as measured by the number of nonlinear gates it contains—is reduced. The second step reduces the number of gates in the linear components of the already reduced circuit. The technique can be applied to arbitrary combinational logic problems, and often yields improvements even after optimization by standard methods has been performed. In this paper we show the results of our technique when applied to the S-box of the Advanced Encryption Standard (FIPS in Advanced Encryption Standard (AES), National Institute of Standards and Technology, 2001).

We also show that, in the second step, one is faced with an NP-hard problem, the Shortest Linear Program (SLP) problem, which is to minimize the number of linear operations necessary to compute a set of linear forms. In addition to showing that SLP is NP-hard, we show that a special case of the corresponding decision problem is Max SNP-complete, implying limits to its approximability.

Previous algorithms for minimizing the number of gates in linear components produced cancellation-free straight-line programs, i.e., programs in which there is no cancellation of variables in GF(2). We show that such algorithms have approximation ratios of at least 3/2 and therefore cannot be expected to yield optimal solutions to nontrivial inputs. The straight-line programs produced by our techniques are not always cancellation-free. We have experimentally verified that, for randomly chosen linear transformations, they are significantly smaller than the circuits produced by previous algorithms.

## Key words

Circuit complexity Multiplicative complexity Linear component minimization Shortest Linear Program Cancellation AES S-box## Preview

Unable to display preview. Download preview PDF.

## References

- [1]S. Arora, C. Lund, R. Motwani, M. Sudan, M. Szegedy, Proof verification and the hardness of approximation problems.
*J. Assoc. Comput. Mach.***45**, 501–555 (1998) MathSciNetzbMATHCrossRefGoogle Scholar - [2]P. Austrin, S. Khot, M. Safra, Inapproximability of vertex cover and independent set in bounded degree graphs, in
*IEEE Conference on Computational Complexity*(IEEE Computer Society, Los Alamitos, 2009), pp. 74–80 Google Scholar - [3]D.J. Bernstein, Optimizing linear maps modulo 2, in
*Workshop Record of SPEED-CC: Software Performance Enhancement for Encryption and Decryption and Cryptographic Compilers*. http://cr.yp.to/papers.html#linearmod2 - [4]L. Blum, M. Shub, S. Smale, On a theory of computation and complexity over the real numbers: NP-completeness, recursive functions and universal machines.
*Bull. Am. Math. Soc.***21**, 1–46 (1989) MathSciNetzbMATHCrossRefGoogle Scholar - [5]J. Boyar, R. Peralta, Tight bounds for the multiplicative complexity of symmetric functions.
*Theor. Comput. Sci.***396**(1–3), 223–246 (2008) MathSciNetzbMATHCrossRefGoogle Scholar - [6]J. Boyar, R. Peralta, Patent application number 61089998 filed with the U.S. Patent and Trademark Office. A new technique for combinational circuit optimization and a new circuit for the S-Box for AES, 2009 Google Scholar
- [7]J. Boyar, R. Peralta, A new combinational logic minimization technique with applications to cryptology, in
*9th International Symposium on Experimental Algorithms, SEA 2010*. Lecture Notes in Computer Science, vol. 6049 (Springer, Berlin, 2010), pp. 178–189 Google Scholar - [8]J. Boyar, R. Peralta, A depth-16 circuit for the AES S-box. Cryptology ePrint archive, report 2011/332, 2011. http://eprint.iacr.org/
- [9]J. Boyar, R. Peralta, D. Pochuev, On the multiplicative complexity of Boolean functions over the basis (∧,⊕,1).
*Theor. Comput. Sci.***235**, 43–57 (2000) MathSciNetzbMATHCrossRefGoogle Scholar - [10]J. Boyar, P. Matthews, R. Peralta, On the shortest linear straight-line program for computing linear forms, in
*33rd International Symposium on Mathematical Foundations of Computer Science, MFCS 2008*. Lecture Notes in Computer Science, vol. 5162 (Springer, Berlin, 2008), pp. 168–179 CrossRefGoogle Scholar - [11]P. Bürgisser, M. Clausen, M.A. Shokrollahi,
*Algebraic Complexity Theory*(Springer, Berlin, 1997), Chap. 13 zbMATHCrossRefGoogle Scholar - [12]D. Canright, A very compact Rijndael S-box. Technical report NPS-MA-05-001, Naval Postgraduate School, 2005 Google Scholar
- [13]D. Canright, A very compact Rijndael S-box, in
*7th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2005*. Lecture Notes in Computer Science, vol. 3659 (Springer, Berlin, 2005), pp. 441–455 CrossRefGoogle Scholar - [14]A.E.F. Clementi, L. Trevisan, Improved non-approximability results for vertex cover with density constraints, in
*Computing and Combinatorics*(1996), pp. 333–342 CrossRefGoogle Scholar - [15]J.W. Cooley, J.W. Tukey, An algorithm for the machine calculation of complex Fourier series.
*Math. Comput.***19**, 297–301 (1965) MathSciNetzbMATHCrossRefGoogle Scholar - [16]N. Courtois, D. Hulme, T. Mourouzis, Solving circuit optimisation problems in cryptography and cryptanalysis.
*IACR Cryptology ePrint Archive*, 2011:475, 2011 Google Scholar - [17]FIPS,
*Advanced Encryption Standard (AES)*(National Institute of Standards and Technology, Gaithersburg, 2001) Google Scholar - [18]C. Fuhs, P. Schneider-Kamp, Synthesizing shortest linear straight-line programs over GF(2) using SAT, in
*13th International Conference on Theory and Applications of Satisfiability Testing*. Lecture Notes in Computer Science, vol. 6175 (Springer, Berlin, 2010), pp. 71–84 Google Scholar - [19]C. Fuhs, P. Schneider-Kamp, Optimizing the AES S-Box using SAT, in
*Proceedings of the 8th International Workshop on the Implementation of Logics*(2010) Google Scholar - [20]J. Håstad, Tensor rank is NP-Complete.
*J. Algorithms***11**(4), 644–654 (1990) MathSciNetzbMATHCrossRefGoogle Scholar - [21]Y. Huang, D. Evans, J. Katz, L. Malka, Faster secure two-party computation using garbled circuits, in
*Proceedings of the 20th USENIX Security Symposium*, San Francisco, CA, August 2011 Google Scholar - [22]T. Itoh, S. Tsujii, A fast algorithm for computing multiplicative inverses in GF(2
^{m}) using normal bases.*Inf. Comput.***78**(3), 171–177 (1988) MathSciNetzbMATHCrossRefGoogle Scholar - [23]E. Käsper, P. Schwabe, Faster and timing-attack resistant AES-GCM, in
*11th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2009*. Lecture Notes in Computer Science, vol. 5747 (Springer, Berlin, 2009), pp. 1–17 CrossRefGoogle Scholar - [24]S. Khot, On the power of unique 2-prover 1-round games, in
*Proceedings of the 34th Annual ACM Symposium on Theory of Computing, STOC ’02*, New York, NY, USA (ACM, New York, 2002), pp. 767–775 Google Scholar - [25]V. Kolesnikov, T. Schneider, Improved garbled circuit: free XOR gates and applications, in
*Proceedings of Automata, Languages and Programming, 35th International Colloquium, ICALP 2008*. Lecture Notes in Computer Science, vol. 5126 (Springer, Berlin, 2008), pp. 486–498 Google Scholar - [26]O.B. Lupanov, A method of circuit synthesis.
*Izv. Vysš. Učebn. Zaved., Radiofiz.***1**, 120–140 (1958) Google Scholar - [27]E. Mastrovito, VLSI architectures for computation in Galois fields. Ph.D. thesis, Linköping University, Dept. Electr. Eng., Sweden, 1991 Google Scholar
- [28]S. Morioka, A. Satoh, An optimized S-Box circuit architecture for low power AES design, in
*Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2002*. Lecture Notes in Computer Science, vol. 2523 (Springer, Berlin, 2003), pp. 172–186 CrossRefGoogle Scholar - [29]Y. Nogami, K. Nekado, T. Toyota, N. Hongo, Y. Morikawa, Mixed bases for efficient inversion in
*f*(((2^{2})^{2})^{2}) and conversion matrices of subbytes of AES, in*12th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2010*. Lecture Notes in Computer Science, vol. 6225 (Springer, Berlin, 2010), pp. 234–247 CrossRefGoogle Scholar - [30]C. Paar, Some remarks on efficient inversion in finite fields, in
*1995 IEEE International Symposium on Information Theory*, Whistler, BC, Canada (1995), p. 58 CrossRefGoogle Scholar - [31]C. Paar, Optimized arithmetic for Reed-Solomon encoders, in
*IEEE International Symposium on Information Theory*(1997), p. 250 CrossRefGoogle Scholar - [32]C. Papadimitriou, M. Yannakakis, Optimization, approximation, and complexity classes.
*J. Comput. Syst. Sci.***43**, 425–440 (1991) MathSciNetzbMATHCrossRefGoogle Scholar - [33]A. Satoh, S. Morioka, K. Takano, S. Munetoh, A compact Rijndael hardware architecture with S-Box optimization, in
*Advances in Cryptology—Proceedings of ASIACRYPT 01*. Lecture Notes in Computer Science, vol. 2248 (Springer, Berlin, 2001), pp. 239–254 Google Scholar - [34]J.E. Savage, An algorithm for the computation of linear forms.
*SICOMP***3**(2), 150–158 (1974) MathSciNetzbMATHGoogle Scholar - [35]C. Shannon, The synthesis of two-terminal switching circuits.
*Bell Syst. Tech. J.***28**, 59–98 (1949) MathSciNetGoogle Scholar - [36]L.G. Valiant, Completeness classes in algebra, in
*Proceedings of the 11th Annual ACM Symposium on the Theory of Computing*(1979), pp. 249–261 Google Scholar - [37]R. Williams, Matrix-vector multiplication in sub-quadratic time (some preprocessing required), in
*Proceedings of the 18th Annual ACM-SIAM Symposium on Discrete Algorithms*(2007), pp. 995–1001 Google Scholar - [38]S. Winograd, On the number of multiplications necessary to compute certain functions.
*Commun. Pure Appl. Math.***23**, 165–179 (1970) MathSciNetzbMATHCrossRefGoogle Scholar - [39]J. Wolkerstorfer, E. Oswald, M. Lamberger, An ASIC implementation of AES SBoxes, in
*Topics in Cryptology—CT-RSA 2002*. Lecture Notes in Computer Science, vol. 2271 (Springer, Berlin, 2002), pp. 67–78 CrossRefGoogle Scholar