Optimizing the AES S-Box using SAT

In this paper we describe the implementation of a technique for minimizing XOR circuits used in cryptographic algorithms. More precisely, we present our work from [4] for encoding this synthesis problem to SAT with a focus on the case study of optimizing an important component of the Advanced Encryption Standard (AES) [8]. In addition to these previously published contributions, we report on novel encouraging experimental results that allow us to actually prove optimality of the results obtained. The AES algorithm consists of the (repeated) application of four steps. The main step for introducing non-linearity is the SubBytes step that is based on a so-called S-box. This S-box is a transformation based on multiplicative inverses in GF(2) combined with an invertible affine transformation. This step can be decomposed into two linear parts and a minimal non-linear part. We focus on the optimization of the linear parts, in particular the first one (called the “top matrix” in [2]). In this paper, we assume that we have n inputs x1, . . . , xn and m outputs y1, . . . , ym. Then the linear function to be computed can be specified by m equations of the form y` = a`,1 · x1 ⊕ a`,2 · x2 ⊕ . . . ⊕ a`,n · xn for 1 ≤ ` ≤ m. We call each equation a linear form. Note that each a`,j is a constant from GF(2) = {0, 1}, each xj is a variable over GF(2), and ⊕ and · denote standard addition and multiplication on GF(2). Our goal is to come up with an algorithm that computes these linear forms given x1, . . . , xn as inputs. More specifically, we would like to express this algorithm via a linear straightline program (or, for brevity, just program). Here, every line of the program has the shape u := e · v ⊕ f · w with e, f ∈ GF(2) and v, w variables. Some lines of the program will contain the output, i.e., assign the value of one of the desired linear forms to a variable. The length of a program is the number of lines the program contains. A program is optimal if there is no shorter program that computes the same linear forms.