Logic Minimization Techniques with Applications to Cryptology

A new technique for combinational logic optimization is described. The technique is a two-step process. In the first step, the nonlinearity of a circuit, measured by the number of nonlinear gates it contains, is reduced. The second step reduces the number of gates in the linear components of the already reduced circuit. The technique can be applied to arbitrary combinational logic problems, and often yields improvements even after optimization by standard methods has been performed. In this paper we show the results of our technique when applied to the S-box of the Advanced Encryption Standard (FIPS 197, Advanced Encryption Standard (AES), National Institute of Standards and Technology, 2001).

We also show that, in the second step, one is faced with an NP-hard problem, the Shortest Linear Program (SLP) problem, which is to minimize the number of linear operations necessary to compute a set of linear forms. In addition to showing that SLP is NP-hard, we show that a special case of the corresponding decision problem is Max SNP-complete, implying limits to its approximability.

Previous algorithms for minimizing the number of gates in linear components produced cancellation-free straight-line programs, i.e., programs in which there is no cancellation of variables over GF(2). We show that such algorithms have approximation ratios of at least 3/2 and therefore cannot be expected to yield optimal solutions on nontrivial inputs. The straight-line programs produced by our techniques are not always cancellation-free. We have experimentally verified that, for randomly chosen linear transformations, they are significantly smaller than the circuits produced by previous algorithms.
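The contrast drawn in the abstract between cancellation-free programs and programs that are allowed to cancel can be made concrete on a tiny instance. The following is an added example written for this page, not code from the paper: it implements a cancellation-free greedy in the style of Paar's column-merging heuristic and a distance-driven greedy that is my reading of the Boyar-Peralta idea (base grows by one XOR per step; pick the XOR of two base elements that minimizes the summed "distance minus one" of the targets, breaking ties towards the larger Euclidean norm). The tie-break rules, the wire/gate representation and the instance are all my assumptions. The instance is constructed: over five inputs the targets are the full sum S = x0+x1+x2+x3+x4 and the five forms S + x_i. The cancellation-free greedy spends 10 gates; the distance heuristic finds 9 because, once S is on a wire, each S + x_i costs a single gate whose operands share a variable.

```python
"""Straight-line programs (SLPs) for sets of linear forms over GF(2).

Conventions (this example's own, not the paper's):
  * a linear form over n inputs is an int bitmask; bit i set <=> x_i occurs;
  * wires 0..n-1 are the inputs, wire n+k is the output of gate k;
  * a gate is a pair (a, b) meaning  wire[n+k] = wire[a] XOR wire[b].
"""
from itertools import combinations

N = 5
S_ALL = (1 << N) - 1                                  # x0+x1+x2+x3+x4
TARGETS = [S_ALL] + [S_ALL ^ (1 << i) for i in range(N)]  # constructed instance: S and S+x_i


def wire_forms(n, program):
    """Linear form computed by every wire, inputs first."""
    wires = [1 << i for i in range(n)]
    for a, b in program:
        wires.append(wires[a] ^ wires[b])
    return wires


def computes(n, program, targets):
    """True iff every target form appears on some wire (exact check, no sampling)."""
    present = set(wire_forms(n, program))
    return all(t in present for t in targets)


def is_cancellation_free(n, program):
    """A gate cancels when its operands share a variable (x + x = 0 over GF(2))."""
    wires = wire_forms(n, program)
    return all(wires[a] & wires[b] == 0 for a, b in program)


def paar(n, targets):
    """Cancellation-free greedy (after Paar's heuristic): repeatedly replace the
    pair of columns that co-occur in the most target rows by one new column.
    Every new column is one XOR gate; a row only ever holds disjoint columns,
    so no gate can cancel."""
    rows = [{i for i in range(n) if t >> i & 1} for t in targets]
    next_wire, program = n, []
    while any(len(r) > 1 for r in rows):
        cols = sorted(set().union(*rows))
        best_count, best_pair = 0, None
        for i, j in combinations(cols, 2):
            count = sum(1 for r in rows if i in r and j in r)
            if count > best_count:            # first pair wins ties
                best_count, best_pair = count, (i, j)
        i, j = best_pair
        program.append((i, j))
        for r in rows:
            if i in r and j in r:
                r -= {i, j}
                r.add(next_wire)
        next_wire += 1
    return program


def min_terms(n, base):
    """dist[v] = fewest base elements whose XOR is v: BFS from 0 over the
    Cayley graph of GF(2)^n generated by base (cancellation allowed)."""
    dist = [-1] * (1 << n)
    dist[0], frontier = 0, [0]
    while frontier:
        nxt = []
        for v in frontier:
            for b in base:
                w = v ^ b
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    nxt.append(w)
        frontier = nxt
    return dist


def distance_heuristic(n, targets):
    """Distance-driven greedy (my reading of the Boyar-Peralta idea): the base
    starts as the inputs; each step appends the XOR of two base elements that
    minimizes sum(dist(target) - 1), ties broken towards the larger norm."""
    assert all(targets), "the zero form needs no gate"
    base, program = [1 << i for i in range(n)], []

    def score(candidate_base):
        dv = [d - 1 for d in (min_terms(n, candidate_base)[t] for t in targets)]
        return sum(dv), -sum(x * x for x in dv)

    while any(t not in base for t in targets):
        best = None
        for i, j in combinations(range(len(base)), 2):
            cand = base[i] ^ base[j]
            if cand == 0 or cand in base:
                continue
            s = score(base + [cand])
            if best is None or s < best[0]:   # first candidate wins ties
                best = (s, i, j, cand)
        _, i, j, cand = best
        program.append((i, j))
        base.append(cand)
    return program


def render(n, program):
    """Human-readable gate list: inputs are x<i>, gate outputs are t<k>."""
    name = lambda w: f"x{w}" if w < n else f"t{w - n}"
    return [f"{name(n + k)} = {name(a)} + {name(b)}" for k, (a, b) in enumerate(program)]


if __name__ == "__main__":
    for label, prog in (("Paar-style, cancellation-free", paar(N, TARGETS)),
                        ("distance heuristic", distance_heuristic(N, TARGETS))):
        assert computes(N, prog, TARGETS)
        print(f"{label}: {len(prog)} gates, cancellation-free={is_cancellation_free(N, prog)}")
        print("  " + "; ".join(render(N, prog)))
```

`computes` checks the programs symbolically on the bitmasks, which is exact over GF(2), so no random-input simulation is needed; `min_terms` is a BFS over all 2^n forms and is only meant for the small n used here.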
