Title: Compact Circuits for Efficient Mobius Transform
Authors: S. Banik, F. Regazzoni
DOI: 10.46586/tches.v2024.i2.481-521 (https://doi.org/10.46586/tches.v2024.i2.481-521)
Venue (as recorded): IACR Cryptol. ePrint Arch., volume 20 4, page 948
Publication date: 2024-03-12 (Journal Article)
Source: Semantic Scholar record
Citation count: 0
Abstract
The Möbius transform is a linear circuit used to compute the evaluations of a Boolean function over all points of its input domain. The operation is very useful in finding the solutions of a system of polynomial equations over GF(2), for obvious reasons. However, the operation, although linear, needs an exponential number of logic operations (around n · 2^(n−1) bit XORs) for an n-variable Boolean function. As such, the only known hardware circuit to efficiently compute the Möbius transform requires silicon area that is exponential in n. For Boolean functions whose algebraic degree is bounded by some parameter d, recursive definitions of the Möbius transform exist that require only O(n^(d+1)) space in software. However, converting the mathematical definition of this space-efficient algorithm into a hardware architecture is a non-trivial task, primarily because the recursive calls notionally lead to a depth-first search in a transition graph that requires a context switch at each recursive call, which is difficult to map directly to hardware. In this paper we look to overcome these very challenges in an engineering sense. We propose a space-efficient sequential hardware circuit for the Möbius transform that requires only polynomial circuit area (i.e. O(n^(d+1))), provided the algebraic degree of the Boolean function is limited to d. We show how this circuit can be used as a component to efficiently solve polynomial equations of degree at most d by fast exhaustive search. We propose three different circuit architectures for this, each of which uses the Möbius transform circuit as a core component. We show that asymptotically, all the solutions of a system of m polynomials in n unknowns and algebraic degree d over GF(2) can be found using a circuit of silicon area proportional to m · n^(d+1) and circuit depth proportional to 2 · log_2(n − d).
In the second part of the paper we introduce a fourth hardware solver that additionally aims to achieve energy efficiency. The main idea is to reduce the solution space to a small enough size by parallel application of Möbius transform circuits over the first few equations of the system. This is done so that one can check individually, with lower power consumption, whether the vectors of this reduced solution space satisfy each of the remaining equations of the system. The new circuit also has area bounded by m · n^(d+1) and circuit depth proportional to d · log_2 n. We also show that further optimizations with respect to energy consumption may be obtained by using depth-bound Möbius circuits that exponentially decrease run time at the cost of additional logic area and depth.
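As an added illustration (not code from the paper or its authors), the standard Möbius transform butterfly in Python: it turns an ANF coefficient vector into the function's evaluations at all 2^n points using exactly n · 2^(n−1) XORs, is its own inverse over GF(2), and is then used to find every zero of a small constructed polynomial system over GF(2) by exhaustive search; `monomial_count` shows the degree-bound coefficient storage (sum of C(n, i) for i ≤ d) that underlies the O(n^(d+1)) space claim. The names `anf_from_monomials`, `solve_system` and `SYSTEM` are this example's own.

```python
"""Möbius transform over GF(2) and exhaustive polynomial-system solving
(added illustrative code, not taken from the paper)."""
from math import comb

def anf_from_monomials(n, monomials):
    """Length-2^n ANF coefficient vector; each monomial is a tuple of
    variable indices and () is the constant 1."""
    coeffs = [0] * (1 << n)
    for mono in monomials:
        coeffs[sum(1 << i for i in mono)] ^= 1   # repeats cancel over GF(2)
    return coeffs

def mobius_transform(coeffs):
    """Butterfly Möbius transform of a length-2^n vector over GF(2): ANF
    coefficients in, truth table out (f(x) = XOR of a_m over m subset of x).
    Self-inverse. Returns (result, xor_count) with xor_count == n * 2^(n-1)."""
    v = list(coeffs)
    size = len(v)
    n = size.bit_length() - 1
    assert size == 1 << n, "vector length must be a power of two"
    xors = 0
    for i in range(n):
        bit = 1 << i
        for x in range(size):
            if x & bit:               # fold variable i into every point that sets it
                v[x] ^= v[x ^ bit]
                xors += 1
    return v, xors

def solve_system(n, polys):
    """All x in GF(2)^n where every polynomial vanishes, by exhaustive search over
    the Möbius-transformed truth tables. Returns tuples (x0, ..., x_{n-1})."""
    tables = [mobius_transform(anf_from_monomials(n, p))[0] for p in polys]
    return [tuple((x >> i) & 1 for i in range(n))
            for x in range(1 << n) if all(t[x] == 0 for t in tables)]

def monomial_count(n, d):
    """Monomials of degree <= d in n variables: the storage a degree-bound
    representation needs, versus 2^n coefficients for the full table."""
    return sum(comb(n, i) for i in range(d + 1))

# Constructed example system in x0, x1, x2 (degree 2); not from the paper.
SYSTEM = [
    [(0, 1), (2,), ()],    # x0*x1 + x2 + 1
    [(0,), (1,), (2,)],    # x0 + x1 + x2
    [(1, 2), (0,), ()],    # x1*x2 + x0 + 1
]

if __name__ == "__main__":
    print(solve_system(3, SYSTEM))   # [(1, 1, 0), (1, 0, 1), (0, 1, 1)]
```

For the three-variable system each transform costs 3 · 2^2 = 12 XORs, and `monomial_count(8, 2)` gives 37 coefficients against 256 for a full truth table.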