Abstract
We present techniques to obtain small circuits which also have low depth. The techniques apply to typical cryptographic functions, as these are often specified over the field GF(2), and they produce circuits containing only AND, XOR and XNOR gates. The emphasis is on the linear components (those portions containing no AND gates). A new heuristic, DCLO (for depth-constrained linear optimization), is used to create small linear circuits given depth constraints. DCLO is repeatedly used in a See-Saw method, alternating between optimizing the upper linear component and the lower linear component. The depth constraints specify both the depth at which each input arrives and restrictions on the depth for each output. We apply our techniques to cryptographic functions, obtaining new results for the S-Box of the Advanced Encryption Standard, for multiplication of binary polynomials, and for multiplication in finite fields. Additionally, we constructed a 16-bit S-Box using inversion in GF(2^16) which may be significantly smaller than alternatives.
Notes
We relax this requirement in our code.
References
Bernstein, D.J.: Optimizing linear maps modulo 2. Available at http://cr.yp.to/papers.html#linearmod2
Boyar, J., Matthews, P., Peralta, R.: Logic minimization techniques with applications to cryptology. J. Cryptol. 26(2), 280–312 (2013)
Boyar, J., Peralta, R., Pochuev, D.: On the multiplicative complexity of Boolean functions over the basis (∧, ⊕, 1). Theor. Comput. Sci. 235, 43–57 (2000)
Boyar, J., Find, M.G.: Cancellation-free circuits in unbounded and bounded depth. Theor. Comput. Sci. 590, 17–26 (2015)
Boyar, J., Peralta, R.: A small depth-16 circuit for the AES s-box. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) Information Security and Privacy Research - 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012, vol. 376 of IFIP Advances in Information and Communication Technology, pp 287–298. Springer (2012)
Cenk, M., Hasan, M.A.: Some new results on binary polynomial multiplication. J. Cryptogr. Eng. 5(4), 289–303 (2015)
Courtois, N., Hulme, D., Mourouzis, T.: Solving circuit optimisation problems in cryptography and cryptanalysis. IACR Cryptology ePrint Archive, Report 2011/475 (2011). Also in: Electronic proceedings of the 2nd IMA Conference on Mathematics in Defence, Swindon, UK (2011), www.ima.org.uk/_db/_documents/Courtois.pdf
Kelly, M., Kaminsky, A., Kurdziel, M.T., Lukowiak, M., Radziszowski, S.P.: Customizable sponge-based authenticated encryption using 16-bit s-boxes. In: 34th IEEE Military Communications Conference, MILCOM 2015, Tampa, FL, USA, October 26–28, 2015, pp 43–48 (2015)
Lupanov, O.B.: A method of circuit synthesis. Izvestia V.U.Z. Radiofizika 1, 120–140 (1958)
Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the limits: a very compact and a threshold implementation of AES, pp 69–88. Springer, Berlin (2011)
Nechiporuk, E.I.: On the complexity of schemes in some bases containing nontrivial elements with zero weights (in Russian). Problemy Kibernetiki 8, 123–160 (1962)
NIST. Advanced Encryption Standard (AES) (FIPS PUB 197). National Institute of Standards and Technology (2001)
Nogami, Y., Nekado, K., Toyota, T., Hongo, N., Morikawa, Y.: Mixed bases for efficient inversion in F(((2^2)^2)^2) and conversion matrices of SubBytes of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010, vol. 6225 of LNCS, pp 234–247. Springer (2010)
Paar, C.: Optimized arithmetic for Reed-Solomon encoders. In: 1997 IEEE International Symposium on Information Theory, p 250 (1997)
Peralta, R.: Circuit minimization work. http://cs-www.cs.yale.edu/homes/peralta/CircuitStuff/CMT.html. Accessed 10 March 2018
Shannon, C.E.: The synthesis of two-terminal switching circuits. Bell Syst. Tech. J. 28, 59–98 (1949)
Wood, C.A.: Large substitution boxes with efficient combinational implementations. Rochester Institute of Technology (2013)
Wood, C.A., Radziszowski, S.P., Lukowiak, M.: Constructing large s-boxes with area minimized implementations. In: 34th IEEE Military Communications Conference, MILCOM 2015, pp 49–54. IEEE (2015)
Acknowledgments
The first author was supported in part by the Independent Research Fund Denmark, Natural Sciences, grant DFF-7014-00041. The second author participated in this research while a guest researcher at the National Institute of Standards and Technology during 2015-2016.
Additional information
This article is part of the Topical Collection on Special Issue on Boolean Functions and Their Applications
Appendices
Appendix A: Inversion in GF(2^4)
Figure 6 demonstrates that if NAND gates are allowed in addition to AND and XOR gates, then there is a circuit with depth 4 and only 15 gates computing inversion in GF(2^4). This is the same depth, but two fewer gates than we used for this work. It also has one fewer gate than was used in [2], where depth 9 was acceptable.
Appendix B: Tower field construction up to GF(2^16)
In the following, bases are defined for each of the finite fields. Each basis (b_1, b_2) is such that b_1 + b_2 = 1. This identity can be verified by repeated squaring of the defining irreducible polynomial and adding a telescoping sequence (verify GF(2^k) before GF(2^{2k})). For each k, the irreducible polynomial for GF(2^{2k}) was found using the circuits for multiplication and addition in GF(2^k) to compute the range of x^2 + x. Then x^2 + x + α is irreducible for any α not in the range of x^2 + x.
- GF(2^2) is built from GF(2) by adjoining a root W of x^2 + x + 1. A basis for GF(2^2) is (W, W^2).
- GF(2^4) is built from GF(2^2) by adjoining a root Z of x^2 + x + W^2. A basis for GF(2^4) is (Z^2, Z^8).
- GF(2^8) is built from GF(2^4) by adjoining a root V of x^2 + x + WZ^2. A basis for GF(2^8) is (V, V^16).
- GF(2^16) is built from GF(2^8) by adjoining a root T of x^2 + x + WZ^2V. A basis for GF(2^16) is (T, T^256).
B.1 Multiplication and inversion in GF(2^16)
Let Θ = WZ^2V. Multiplication is given by
We now derive efficient equations for inversion in GF(2^16). The identity element is 1 ⋅ T + 1 ⋅ T^256.
From the multiplication formulas we get
Setting μ = Θ(a + b) and summing yields
Equate the c coefficients
Summing them
yields
Therefore
and
The operation (a + b)^2Θ is usually referred to as “square-scaling”. Both square-scaling and inversion in the equations for c, d are operations in the lower field GF(2^8).
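The tower of Appendix B and the inversion of Section B.1, as an added Python example that is not part of the paper: elements are nested pairs of coordinates in the paper's bases, and the product of each basis pair (W·W^2 = 1, Z^2·Z^8 = W, V·V^16 = WZ^2, T·T^256 = WZ^2V) is worked out here from the defining polynomials. Multiplication and inversion use the standard normal-basis formulas for a basis (β, β̄) with β + β̄ = 1 (the inverse of aT + bT^256 is (b·e)T + (a·e)T^256 with e the GF(2^8) inverse of ab + Θ(a + b)^2, which is where the square-scaling appears), and is_irreducible applies the paper's range-of-x^2 + x criterion to its defining polynomials.

```python
import random

# Level-k element = (a, b) of level-(k-1) elements, meaning a*beta + b*betabar in the
# Appendix B basis (beta, betabar). Since beta + betabar = 1, the identity is (1, 1) at
# every level. THETA[k] = beta * betabar, written as a level-(k-1) element (derived here):
#   k=1 (W, W^2): W*W^2 = 1.   k=2 (Z^2, Z^8): Z^2 is a root of x^2+x+W (the Frobenius
#   image of the page's x^2+x+W^2), so Z^2*Z^8 = W = (1, 0) in basis (W, W^2).
#   k=3 (V, V^16): V*V^16 = W*Z^2 = (W, 0).   k=4 (T, T^256): T*T^256 = W*Z^2*V = (W*Z^2, 0).
W = (1, 0)
WZ2 = (W, (0, 0))
THETA = {1: 1, 2: W, 3: WZ2, 4: (WZ2, ((0, 0), (0, 0)))}

def const(bit, k):  # all-zero element (bit=0) or the identity 1 = beta + betabar (bit=1)
    return bit if k == 0 else (const(bit, k - 1), const(bit, k - 1))

def add(x, y):
    return x ^ y if isinstance(x, int) else (add(x[0], y[0]), add(x[1], y[1]))

def mul(x, y, k):
    """Normal-basis product, using beta^2 = beta + theta and betabar^2 = betabar + theta."""
    if k == 0:
        return x & y
    (a, b), (c, d) = x, y
    t = mul(THETA[k], mul(add(a, b), add(c, d), k - 1), k - 1)
    return (add(mul(a, c, k - 1), t), add(mul(b, d, k - 1), t))

def inv(x, k):
    """Nonzero x = (a, b) -> (b*e, a*e), e = lower-field inverse of a*b + theta*(a+b)^2."""
    if k == 0:
        return x
    a, b = x
    s = add(a, b)
    e = inv(add(mul(a, b, k - 1), mul(THETA[k], mul(s, s, k - 1), k - 1)), k - 1)  # square-scaling
    return (mul(b, e, k - 1), mul(a, e, k - 1))

def elements(k):
    if k == 0:
        return [0, 1]
    lo = elements(k - 1)
    return [(a, b) for a in lo for b in lo]

def is_irreducible(alpha, k):
    """Appendix B criterion: x^2 + x + alpha is irreducible over the level-k field
    iff alpha lies outside the range of r -> r^2 + r."""
    return alpha not in {add(mul(r, r, k), r) for r in elements(k)}

def inverses_ok(k, sample=None):
    """Check x * inv(x) == 1 for every nonzero x (or for a random sample of them)."""
    xs = [x for x in elements(k) if x != const(0, k)]
    xs = random.sample(xs, sample) if sample else xs
    return all(mul(x, inv(x, k), k) == const(1, k) for x in xs)
```

If x^2 + x + θ were reducible, θ = r^2 + r for some r, and (a, b) = (r, r + 1) would make ab + θ(a + b)^2 vanish, so inverses_ok failing is exactly the symptom of a bad θ.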
Cite this article
Boyar, J., Find, M.G. & Peralta, R. Small low-depth circuits for cryptographic applications. Cryptogr. Commun. 11, 109–127 (2019). https://doi.org/10.1007/s12095-018-0296-3
DOI: https://doi.org/10.1007/s12095-018-0296-3
Keywords
- Circuit size
- Circuit depth
- Cryptographic functions
- Boolean functions
- See-saw method
- Depth-constrained circuit optimization