Cryptography and Communications

Volume 11, Issue 1, pp 109–127

Small low-depth circuits for cryptographic applications

  • Joan Boyar
  • Magnus Gausdal Find
  • René Peralta
Part of the following topical collections:
  1. Special Issue on Boolean Functions and Their Applications


We present techniques to obtain small circuits which also have low depth. The techniques apply to typical cryptographic functions, as these are often specified over the field GF(2), and they produce circuits containing only AND, XOR and XNOR gates. The emphasis is on the linear components (those portions containing no AND gates). A new heuristic, DCLO (for depth-constrained linear optimization), is used to create small linear circuits given depth constraints. DCLO is repeatedly used in a See-Saw method, alternating between optimizing the upper linear component and the lower linear component. The depth constraints specify both the depth at which each input arrives and restrictions on the depth for each output. We apply our techniques to cryptographic functions, obtaining new results for the S-Box of the Advanced Encryption Standard, for multiplication of binary polynomials, and for multiplication in finite fields. Additionally, we constructed a 16-bit S-Box using inversion in GF(2^16) which may be significantly smaller than alternatives.
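The depth constraints the abstract describes (a depth at which each input arrives, and a bound on each output's depth) can be checked mechanically for any XOR-only circuit. The sketch below is an added illustration, not code from the paper and not the DCLO heuristic; the target matrix, both circuits and all function names are constructed for this example.

```python
# Added illustration, not the paper's DCLO heuristic: it only checks a given
# XOR-only straight-line program against depth constraints.
# Signal i < n_inputs is input x_i; signal n_inputs + k is gate k's output.

def analyze(n_inputs, gates, outputs, arrival):
    """Return (gate count, output bitmasks over the inputs, output depths)."""
    if len(arrival) != n_inputs:
        raise ValueError("one arrival depth is needed per input")
    mask = [1 << i for i in range(n_inputs)]   # which inputs each signal XORs
    depth = list(arrival)                      # depth at which each signal is ready
    for a, b in gates:
        if not (0 <= a < len(mask) and 0 <= b < len(mask)):
            raise ValueError("gate reads a signal that is not defined yet")
        mask.append(mask[a] ^ mask[b])
        depth.append(max(depth[a], depth[b]) + 1)
    return len(gates), [mask[o] for o in outputs], [depth[o] for o in outputs]

def check(circuit, arrival, target_rows, max_depth):
    """Return (computes target?, meets every output depth bound?, size, depths)."""
    n_inputs, gates, outputs = circuit
    size, masks, depths = analyze(n_inputs, gates, outputs, arrival)
    within = all(d <= bound for d, bound in zip(depths, max_depth))
    return masks == target_rows, within, size, depths

# Constructed target over GF(2): y0 = x0+x1+x2, y1 = x0+x1+x3, y2 = x0+x1+x2+x3
TARGET = [0b0111, 0b1011, 0b1111]
# Constructed circuit A: 4 gates, reuses y0 to build y2 (a longer chain)
CIRCUIT_A = (4, [(0, 1), (4, 2), (4, 3), (5, 3)], [5, 6, 7])
# Constructed circuit B: 5 gates, builds x2+x3 separately to balance y2
CIRCUIT_B = (4, [(0, 1), (2, 3), (4, 2), (4, 3), (4, 5)], [6, 7, 8])

if __name__ == "__main__":
    for arrival, bound in (([0, 0, 0, 0], [2, 2, 2]), ([0, 0, 0, 2], [3, 3, 3])):
        for name, circuit in (("A", CIRCUIT_A), ("B", CIRCUIT_B)):
            print(name, arrival, bound, check(circuit, arrival, TARGET, bound))
```

With every input arriving at depth 0, only the larger circuit B meets an output bound of 2; when x3 arrives at depth 2, the smaller circuit A meets a bound of 3 and B does not, which is why arrival depths have to be part of the optimization input.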


Circuit size; Circuit depth; Cryptographic functions; Boolean functions; See-saw method; Depth-constrained circuit optimization

Mathematics Subject Classification (2010)




The first author was supported in part by the Independent Research Fund Denmark, Natural Sciences, grant DFF-7014-00041. The second author participated in this research while a guest researcher at the National Institute of Standards and Technology during 2015-2016.



Copyright information

© This is a U.S. Government work and not under copyright protection in the US; foreign copyright protection may apply 2018

Authors and Affiliations

  1. Department of Mathematics and Computer Science, University of Southern Denmark, Odense, Denmark
  2. Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, USA
