On Hardware Implementation of Tang-Maitra Boolean Functions

Abstract

In this paper, we investigate the hardware circuit complexity of the class of Boolean functions recently introduced by Tang and Maitra (IEEE-TIT 64(1): 393–402, 2018). While this class of functions has very good cryptographic properties, the exact hardware requirement is an immediate concern as noted in the paper itself. In this direction, we consider different circuit architectures based on finite field arithmetic and Boolean optimization. An estimation of the circuit complexity is provided for such functions given any input size n. We study different candidate architectures for implementing these functions, all based on the finite field arithmetic. We also show different implementations for both ASIC and FPGA, providing further analysis on the practical aspects of the functions in question and the relation between these implementations and the theoretical bound. The practical results show that the Tang-Maitra functions are quite competitive in terms of area, while still maintaining an acceptable level of throughput performance for both ASIC and FPGA implementations.

Appendices

A Discrete-Log Representation of \(\mathbb {F}_{2^n}\) Arithmetic

The Discrete-Log representation is described in Sect. 2.3. Multiplication can be defined as

$$\begin{aligned} x_1 \odot x_2 = {\left\{ \begin{array}{ll} 2^n-1 &{}\text { if } x_1 = 2^n-1\text { or }x_2 = 2^n-1 \\ x_1 + x_2\pmod {2^n-1} &{} \text { otherwise} \end{array}\right. } \end{aligned}$$

(8)

While inversion can be defined as

$$\begin{aligned} x^{-1} = {\left\{ \begin{array}{ll} 2^n-1 &{}\text { if } x = 2^n-1 \\ -x\pmod {2^n-1} &{} \text { otherwise} \end{array}\right. } \end{aligned}$$

(9)

Both operations require circuit complexity of \(\mathcal {O}(n)\), which is smaller than the corresponding circuits for both normal and polynomial bases. While the same can be said about squaring, we show now that it can be implemented as a cyclic shift operation (similar to the case of normal basis). Squaring can be written in terms of multiplication as follows, where \(\times \) is used for integer multiplications as opposed to finite field multiplication \(\odot \),

$$\begin{aligned} x^{2} = {\left\{ \begin{array}{ll} 2^n-1 &{}\text {if } x = 2^n-1 \\ 2\times x\pmod {2^n-1} &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

(10)

and

$$\begin{aligned} 2\times x\pmod {2^n-1} = {\left\{ \begin{array}{ll} x \ll 1 &{}\text { if } 2\times x < 2^n-1 \\ (x \ll 1) - (2^n-1) &{} \text { otherwise} \end{array}\right. } \end{aligned}$$

(11)

Using the two’s complement representation of integer arithmetic, Eq. (11) can be written as

$$\begin{aligned} 2\times x\pmod {2^n-1} = {\left\{ \begin{array}{ll} x \ll 1 &{}\text { if } 2\times x < 2^n-1 \\ (x \ll 1) + 2^n + 1\pmod {2^n} &{} \text { otherwise} \end{array}\right. } \end{aligned}$$

(12)

Equation (12) means that the squaring operation in the discrete-log representation is a left shift operation with the most significant bit of x becoming the least significant bit, i.e., a cyclic shift of x.

In addition, however, in the discrete-log representation is complicated. It can be implemented by using look-up tables or by conversion to another representation. Hence, studying the complexity of trace function is this representation without using addition is an interesting problem. Using property 2 of trace function in Sect. 2.1 and Eq. (12), we can conclude, as in the case of normal basis, that trace function is a Rotation Symmetric Boolean Function (RSBF). Now we define the rotation symmetric Boolean functions. Let \(x_i\in \mathbb F_2\) for \(0\le i\le n-1\). We define

$$\begin{aligned} \rho _n^r(x_i)=x_{(i+r) \bmod n}= \left\{ \begin{array}{ll} x_{i+r}, &{} \text { if } i+r\le n-1;\\ x_{i+r-n}, &{} \text { if } i+r\ge n.\\ \end{array} \right. \end{aligned}$$

Let \(P_n=\{\rho _n^0,\rho _n^1,\ldots ,\rho _n^{n-1}\}\) be the permutation group which contains the rotations of n symbols, defined as

$$\begin{aligned} \rho _n^i(x)=\rho _n^i(x_{n-1},x_{n-2},\ldots ,x_{0})=(x_{(n-1+i) \bmod n},x_{(n-2+i) \bmod n},\ldots ,x_{(i) \bmod n}). \end{aligned}$$

Definition 1

A Boolean function f in n variables is said to be rotation symmetric if and only if for any \(x\in \mathbb {F}_2^n\), \(f(\rho _n^i(x))=f(x), \,{ for}\,\, {all } \,\,0\le i\le n-1\).

The problem of defining an RSBF is related to the problem of necklace equivalence in combinatorics. This helps to derive an upper bound on the circuit complexity of a trace function in the discrete-log representation.

Definition 2

A binary necklace of length n is an equivalence class of n-character strings over the alphabet \(\{0,1\}\), where two arrangements are equivalent if one can be obtained from the other by applying cyclic rotations.

Definition 3

The lexicographical representation of a binary necklace N is the member of [N] with the maximum number of leading 0’s.

B Circuit for the Tang-Maitra Functions Based on Discrete-Log Representation

The circuit in Fig. 3 can be used to compute the Tang-Maitra function when the inputs are in the discrete-log representation. The operation \(\frac{x}{y}\) is computed as \(x-y \pmod {2^k-1}\), with complexity \(\mathcal {O}(k)\). After that, \(\mathrm{Tr}^k_1\) is computed as an RSBF. In this Section, we give a circuit for any RSBF, with sub-exponential complexity \(\mathcal {O}(k^2+2^k/k^2)\).

Fig. 3.

Discrete-log circuit for a Tang-Maitra function

Rotation Symmetric Boolean Function Circuits. Let f be a rotation symmetric Boolean function in k variables, i.e., \(f(\rho _k^i(x))=f(x)\), for all \(0\le i\le k-1\). Hence, [x] is an equivalence class (orbit) that includes all the rotations of x, i.e., \([x]=\{\rho _k^i(x)| 0\le i\le k-1\}\). We choose the representative of that class to be \(\rho _k^r(x)\), such that \(\rho _k^r(x) \ge \rho _k^i(x)\), for all \(0\le i\le k-1\). In other words, it is the rotation of x that has the maximum integer value. For more details of rotation symmetric Boolean function we refer to [FF98, Fon99]. This is the lexicographical representation of [x] based on the alphabet \(\{0,1\}\).

Lemma 3

A rotation symmetric Boolean function (RSBF) of k variables has a circuit complexity bounded by \(\mathcal {O}(k^2+2^k/k^2)\).

Lemma 4

The discrete-log implementation of the Tang-Maitra function of n variables, where n is even, has a circuit complexity bounded by \(\mathcal {O}(2^{k}+k^2+2^k/k^2)\), where \(n = 2k\).

Proof

In order to convert any x to its lexicographical orbit representation, the orbit detection circuit generates all the k rotations of x, then chooses the value of x that has the maximum integer value using a selection tree that consists of \(k-1\) two-input MAX circuits. Every two-input MAX circuit consists of \(k+1\) integer subtractor (\(6k+6\) gates) and k \(2\times 1\) MUXes, 3K gates. Hence, the orbit detection circuit has a complexity of around \(9k^2-3k-6\) gates. After the lexicographical orbit representation has been detected, a circuit decides whether the given orbit functional value is 0 or 1. This circuit expects only 1 of the lexicographical representations, which, according to Burnside’s Lemma and [SM08, Theorem 3], are \(N_O = \frac{1}{k}\sum _{d|k}\phi (d)2^{\frac{k}{d}}\), where \(\phi \) is Euler’s phi-function. Hence, \(n_x=2^k-N_O\) values in the Truth table of such circuit can be set as DON’T CARES ‘X’. In [Spi80], the author gave an analysis of the circuit complexity of combinational circuits with a large number of DON’T CARES. The number of AND/OR/NOT gates was given by

$$\begin{aligned} L_\infty = (1-d)H(p)L_\infty (G), \end{aligned}$$

where \(d=\frac{n_x}{2^k}\), \(p=\frac{n_1}{(1-d)2^k}\), \(H(p)=-p\log (p) - (1-p)\log (1-p)\) and \(L_\infty (G)=\frac{2^k}{k}\). By substitution for the case of the trace circuit, the number of gates is \(\frac{N_O}{n}H(p)\), where \(H(p)\le 1\). Hence, the circuit complexity is \(\mathcal {O}(\frac{N_O}{n})\), and from Burnside’s Lemma, it can be expressed as \(\mathcal {O}(\frac{2^k}{k})\). Hence, the overall complexity of this construction is \(\mathcal {O}(k^2+2^k/k^2)\).    \(\square \)