# Small low-depth circuits for cryptographic applications

## Abstract

We present techniques to obtain small circuits which also have low depth. The techniques apply to typical cryptographic functions, as these are often specified over the field GF(2), and they produce circuits containing only AND, XOR and XNOR gates. The emphasis is on the linear components (those portions containing no AND gates). A new heuristic, DCLO (for depth-constrained linear optimization), is used to create small linear circuits given depth constraints. DCLO is repeatedly used in a See-Saw method, alternating between optimizing the upper linear component and the lower linear component. The depth constraints specify both the depth at which each input arrives and restrictions on the depth for each output. We apply our techniques to cryptographic functions, obtaining new results for the S-Box of the Advanced Encryption Standard, for multiplication of binary polynomials, and for multiplication in finite fields. Additionally, we constructed a 16-bit S-Box using inversion in GF(2^16) which may be significantly smaller than alternatives.
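The depth-constraint model the abstract describes (each input arrives at a given depth, each output must stay below a given depth) can be made concrete on a small linear component. The following is an added illustration, not code from the paper and not an implementation of DCLO: it builds an XOR-only circuit for a GF(2) linear map by always merging the two signals that become available earliest, reuses identical intermediate sums across outputs, and reports whether the output depth limits are met. The matrix, arrival depths and limits are constructed sample values.

```python
import heapq
from itertools import count

def linear_circuit(matrix, arrival, limits=None):
    """Build an XOR-only circuit for a GF(2) linear map under depth constraints.

    matrix[j][i] = 1 iff output y_j includes input x_i.
    arrival[i]   = depth at which input x_i becomes available.
    limits[j]    = maximum depth allowed for output y_j (None = no limit).
    Returns (gates, depths, ok): gates as (name, left, right, depth),
    the depth reached by each output, and whether every limit is met.
    """
    signals = {frozenset([i]): (f"x{i}", d) for i, d in enumerate(arrival)}
    gates, depths, tick = [], [], count()
    for row in matrix:
        # Earliest-available-first merging: pairing the two signals that are
        # ready soonest keeps a late-arriving input from inflating the depth.
        heap = [(arrival[i], next(tick), frozenset([i]))
                for i, bit in enumerate(row) if bit]
        heapq.heapify(heap)
        if not heap:              # all-zero row: the output is the constant 0
            depths.append(0)
            continue
        while len(heap) > 1:
            da, _, sa = heapq.heappop(heap)
            db, _, sb = heapq.heappop(heap)
            s = sa ^ sb           # symmetric difference == XOR of input sets over GF(2)
            new_depth = max(da, db) + 1
            # Reuse an identical intermediate sum unless it would be deeper.
            if s not in signals or signals[s][1] > new_depth:
                name = f"t{len(gates)}"
                signals[s] = (name, new_depth)
                gates.append((name, signals[sa][0], signals[sb][0], new_depth))
            heapq.heappush(heap, (signals[s][1], next(tick), s))
        depths.append(heap[0][0])
    lims = limits or [None] * len(depths)
    ok = all(lim is None or d <= lim for d, lim in zip(depths, lims))
    return gates, depths, ok

# Constructed example: y0 = x0+x1+x2+x3, y1 = x0+x1, y2 = x2+x3, where x3
# only becomes available at depth 3 (e.g. it leaves a deeper nonlinear stage).
M = [[1, 1, 1, 1], [1, 1, 0, 0], [0, 0, 1, 1]]

if __name__ == "__main__":
    gates, depths, ok = linear_circuit(M, [0, 0, 0, 3], [4, 2, 4])
    for g in gates:
        print(g)
    print("output depths:", depths, "limits met:", ok)
```

With x3 arriving at depth 3, a balanced tree (x0+x1)+(x2+x3) would reach depth 5 for y0, while merging earliest-first reaches the minimum of 4.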

## Keywords

Circuit size; Circuit depth; Cryptographic functions; Boolean functions; See-saw method; Depth-constrained circuit optimization

## Mathematics Subject Classification (2010)

94C10

## Notes

### Acknowledgments

The first author was supported in part by the Independent Research Fund Denmark, Natural Sciences, grant DFF-7014-00041. The second author participated in this research while a guest researcher at the National Institute of Standards and Technology during 2015-2016.
