A Logic Synthesis Toolbox for Reducing the Multiplicative Complexity in Logic Networks
Eleonora Testa*, Mathias Soeken†, Heinz Riener*, Luca Amarù‡ and Giovanni De Micheli*
*Integrated Systems Laboratory, EPFL, Lausanne, Switzerland
†Microsoft, Switzerland
‡Synopsys Inc., Design Group, Sunnyvale, California, USA

Abstract—Logic synthesis is a fundamental step in the realization of modern integrated circuits. It has traditionally been employed for the optimization of CMOS-based designs, as well as for emerging technologies and quantum computing. Recently, it found application in minimizing the number of AND gates in cryptography benchmarks represented as xor-and graphs (XAGs). The number of AND gates in an XAG, which is called the logic network's multiplicative complexity, plays a critical role in various cryptography and security protocols such as fully homomorphic encryption (FHE) and secure multi-party computation (MPC). Further, the number of AND gates is also important to assess the degree of vulnerability of a Boolean function, and influences the cost of techniques to protect against side-channel attacks. However, so far a complete logic synthesis flow for reducing the multiplicative complexity in logic networks did not exist or relied heavily on manual manipulations. In this paper, we present a logic synthesis toolbox for cryptography and security applications. The proposed tool consists of powerful transformations, namely resubstitution, refactoring, and rewriting, specifically designed to minimize the multiplicative complexity of an XAG. Our flow is fully automatic and achieves significant results over both EPFL benchmarks and cryptography circuits. We improve the best-known results for cryptography up to 59%, resulting in a normalized geometric mean of 0.82.

I. INTRODUCTION

Logic synthesis is an essential part of modern EDA flows for the realization and optimization of integrated circuits targeting area, delay, and power. For this purpose, logic synthesis abstracts circuits using compact data structures, and manipulates them making use of both exact and heuristic algorithms [1], [2], [3]. In the past, logic synthesis mainly focused on the optimization of CMOS circuits, while today it considers different objectives and fields of application, such as emerging technologies or quantum computers [3]. More recently, the works in [4], [5], [6], [7] have started a new domain of application for logic synthesis, addressing cryptography and security applications. In this scenario, logic synthesis makes use of xor-and graphs (XAGs, [5]) as data structure for optimization, because they efficiently abstract cryptography circuits over the basis {AND, XOR, NOT} [4]. Further, logic synthesis focuses on the minimization of the number of AND gates as its main target metric for optimization.

The minimization of the number of AND gates for cryptography is fundamental for two main reasons. First, the number of AND gates correlates to the degree of vulnerability of a circuit [8]. The minimum number of AND gates sufficient to implement a Boolean function as an XAG is called multiplicative complexity of the function [8], while the multiplicative complexity of the logic network is defined as the actual number of AND gates used in the network representation of the function [9], [5]. The multiplicative complexity of a function directly correlates to the resistance of the function against algebraic attacks [10], while the multiplicative complexity of a logic network implementing that function only provides an upper bound. Consequently, minimizing the multiplicative complexity of a network is important to assess the real multiplicative complexity of the function, and therefore its vulnerability.

Second, the number of AND gates plays an important role in high-level cryptography protocols such as zero-knowledge protocols, fully homomorphic encryption (FHE), and secure multi-party computation (MPC) [11], [12], [6]. For example, the size of the signature in post-quantum zero-knowledge signatures based on "MPC-in-the-head" [13] depends on the multiplicative complexity in the underlying block cipher [12]. Moreover, the number of computations in MPC protocols based on Yao's garbled circuits [14] with the free XOR technique [15] is proportional to the number of AND gates. Regarding FHE, XOR gates are considered cheaper and less noisy compared to AND gates. To further motivate our work, it is worth mentioning that in techniques to protect against side-channel attacks, the cost of general-purpose protections grows with the number of AND gates [10]. Moreover, the work in [16] has recently demonstrated the positive effect of the minimization of AND gates on the number of qubits and expensive quantum operations (T gates) in fault-tolerant quantum circuits.

While it is clear that the multiplicative complexity has a key role in cryptography and that logic synthesis can have a strong impact in its optimization, so far, there are no fully automatic logic synthesis tools able to address the optimization of the number of AND gates in a network as their main goal for optimization. The work in [5] has recently presented a logic synthesis algorithm for cryptography, but it is limited to a rewriting algorithm. On the other hand, state-of-the-art tools [2], [17] automatically address size optimization, without precisely minimizing the number of ANDs, and methods from the cryptography community rely heavily on manual decomposition and optimization strategies [4].

In this paper, we propose a fully automatic logic synthesis toolbox for cryptography applications. The proposed tool presents a complete synthesis flow that interchanges various logic synthesis techniques able to find different optimization opportunities on the same network. This overcomes the main limitation of the work presented in [5], which focuses instead on rewriting small 6-input subnetworks with their optimum representations. The tool uses XAGs as underlying data structures to represent functions and consists of three main optimizations, namely rewriting, refactoring, and resubstitution, which are specifically implemented to minimize the number of AND gates. These three transformations are the most common and powerful optimizations involved in modern synthesis flows [18], and allow us to obtain significant improvements over previous best results. We test our flow on best-known results coming from [5] and [6] for both EPFL benchmarks and circuits for MPC and FHE applications. The complete flow optimizes the best results for EPFL benchmarks up to 47%, and achieves a normalized geometric mean of 0.82 for the cryptography benchmarks from [5]. For instance, it obtains a 59% reduction in the number of AND gates for a 32×32-bit multiplier.

Algorithm 1 Resubstitution to reduce the number of ANDs
Input: Logic network N, cut-size, max_div
Output: Resynthesized logic network
1: list ← topological-sort-network(N)
2: for each node n in list do
3:   cut ← find-reconvergent-cut(n, cut-size)
4:   mffc ← computeMFFC(n)
5:   if |mffc| > 0 then
6:     div ← collect-divisors(list, n, max_div)
7:     compute-truth-tables(cut)
8:     compute-satisfiability-DC(cut)
9:     if n′ ← 0-resub(list, n, div) then
10:      continue
11:    end if
12:    and_mffc ← AND-in-MFFC(mffc)
13:    if and_mffc = 0 then
14:      continue
15:    end if
16:    if and_mffc > 0 then
17:      if n′ ← xor-resub(list, n, div) then
18:        continue
19:      end if
20:      if n′ ← xx-resub(list, n, div) then
21:        continue
22:      end if
23:      if n′ ← and-resub(list, n, div, and_mffc) then
24:        continue
25:      end if
26:      if n′ ← aa-resub(list, n, div, and_mffc) then
27:        continue
28:      end if
29:      if n′ ← ao-resub(list, n, div, and_mffc) then
30:        continue
31:      end if
32:    end if
33:  end if
34: end for
35: network-cleanup-and-sweeping(N)

[Fig. 1 (figure not reproduced in this extraction): (a) XAG for the full adder, with inputs a, b, cin and outputs sum, cout; (b) rewriting example [5]. Caption: XAG of the full adder (a), and its implementation (b) with optimum multiplicative complexity after rewriting.]

II. BACKGROUND

In this section, we provide some details on xor-and graphs (XAGs, [5]), as they are used as data structure to represent Boolean functions. Further, a rewriting algorithm for reducing the multiplicative complexity in logic networks is described. This algorithm was first presented in [5] and it has been implemented as part of our logic synthesis tool.

A. XAGs and Multiplicative Complexity

In analogy to the work in [5], we select XAGs as data structure for the optimization flow. An XAG is a logic network in which each node is a 2-input AND or a 2-input XOR operation, and edges to connect the gates can be both regular and complemented, where a complemented edge indicates the inversion of the signal. Fig. 1(a) presents an XAG for the full adder: XOR gates are labeled with '⊕', AND gates are labeled with '∧', and the complemented edges are denoted by dashed lines. Note that complemented x is equivalent to 1 ⊕ x, thus, an XAG without complemented edges can be easily obtained by replacing each inverter by an XOR gate. The multiplicative complexity of a Boolean function is given by the minimum number of AND gates needed to represent the function over the basis {AND, XOR, NOT} [8], [4]. On the other hand, we refer

The algorithm in [5] presents a generalization of DAG-aware AIG rewriting [20], modified to focus on the minimization of the number of AND gates. It makes use of cut enumeration [22], with adjusted cost computation, and affine functions classification [23] to replace 6-input XAG cuts with their optimum (i.e., having minimum multiplicative complexity) subnetworks. The algorithm is based on two major considerations, being (i) the multiplicative complexity of a Boolean function is unchanged by affine operations, and (ii) the optimum XAG is known [8], [24] for each affine class representative up to 6-input functions. We refer the reader to [5] for more details on the implementation of the algorithm.
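The XAG data structure of Section II-A (2-input AND/XOR nodes, complemented edges, multiplicative complexity as the live AND count) and the resubstitution loop of Algorithm 1, worked as an added Python example that is not part of the paper or of its tool. The `XAG` class, `resubstitute` and `demo` are the editor's own toy code. It keeps only the 0-resub and xor-resub steps of Algorithm 1, uses the whole network as the cut (so `cut-size`, `max_div` and the satisfiability don't-cares of line 8 are not modelled), measures the gain by the number of ANDs in the MFFC exactly as lines 12-16 do, and omits the and-, xx-, aa- and ao-resub variants. The 4-input network in `demo` is constructed for the example.

```python
# Toy XAG model with a cut-down resubstitution pass (added example; not the paper's tool).
# A literal is (node_id, complemented); node 0 is the constant 1, so NOT x == x XOR 1.
from itertools import product

def neg(lit): return (lit[0], not lit[1])                    # complemented (dashed) edge

def reach(start, step):                                       # nodes reachable from start
    seen, stack = set(), list(start)
    while stack:
        x = stack.pop()
        if x not in seen: seen.add(x); stack.extend(step(x))
    return seen

class XAG:
    def __init__(self, n_inputs):
        self.n_inputs = n_inputs
        self.ops = [("const", None, None)] + [("pi", None, None)] * n_inputs
        self.outputs = []                                     # output literals
    def pi(self, i): return (i + 1, False)
    def and_(self, a, b): self.ops.append(("and", a, b)); return (len(self.ops) - 1, False)
    def xor(self, a, b): self.ops.append(("xor", a, b)); return (len(self.ops) - 1, False)
    def fanins(self, n): return [l[0] for l in self.ops[n][1:] if l]
    def _eval(self, lit, env, memo):
        node, comp = lit
        if node not in memo:
            op, a, b = self.ops[node]
            if op in ("const", "pi"): memo[node] = 1 if op == "const" else env[node - 1]
            else:
                va, vb = self._eval(a, env, memo), self._eval(b, env, memo)
                memo[node] = va & vb if op == "and" else va ^ vb
        return memo[node] ^ comp

    def truth_tables(self):       # one int per node: bit i is its value under assignment i
        tts = [0] * len(self.ops)
        for i, bits in enumerate(product((0, 1), repeat=self.n_inputs)):
            memo = {}
            for n in range(len(self.ops)):
                tts[n] |= self._eval((n, False), bits, memo) << i
        return tts
    def output_tts(self):
        tts, mask = self.truth_tables(), (1 << (1 << self.n_inputs)) - 1
        return [tts[n] ^ (mask if c else 0) for n, c in self.outputs]
    # substitution leaves dead nodes behind; only nodes reachable from an output count
    def live_nodes(self): return reach([n for n, _ in self.outputs], self.fanins)
    def multiplicative_complexity(self):
        return sum(self.ops[n][0] == "and" for n in self.live_nodes())
    def fanouts(self):
        fo = [set() for _ in self.ops]
        for n in self.live_nodes():
            for f in self.fanins(n): fo[f].add(n)
        for n, _ in self.outputs: fo[n].add(-1)               # -1 marks a primary output
        return fo
    def mffc(self, n, fo):        # maximum fanout-free cone: n plus gates used only inside it
        m = {n}
        while True:
            new = {f for x in m for f in self.fanins(x)
                   if f > self.n_inputs and f not in m and fo[f] <= m}
            if not new: return m
            m |= new
    def substitute(self, n, lit): # redirect every edge into node n to literal lit (n dies)
        fix = lambda l: (lit[0], lit[1] ^ l[1]) if l and l[0] == n else l
        self.ops = [(op, fix(a), fix(b)) for op, a, b in self.ops]
        self.outputs = [fix(l) for l in self.outputs]

def resubstitute(g):
    """Cut-down Algorithm 1: whole network as the cut, only 0-resub and xor-resub. 0-resub is
    free and always taken; xor-resub adds no AND, so it is taken when n's MFFC holds an AND."""
    subs, mask = 0, (1 << (1 << g.n_inputs)) - 1
    for n in range(g.n_inputs + 1, len(g.ops)):               # topological order
        if n not in g.live_nodes(): continue
        fo, tts = g.fanouts(), g.truth_tables()
        mffc, target = g.mffc(n, fo), tts[n]
        tfo = reach(fo[n] - {-1}, lambda x: fo[x] - {-1})      # transitive fanout of n
        divs = sorted(g.live_nodes() - tfo - mffc)             # outside the TFO: no cycles
        zero = next(((d, c) for d in divs for c in (False, True)
                     if tts[d] ^ (mask if c else 0) == target), None)
        if zero: g.substitute(n, zero); subs += 1; continue
        if not any(g.ops[m][0] == "and" for m in mffc): continue   # no AND to save
        pair = next(((d1, d2) for i, d1 in enumerate(divs) for d2 in divs[i + 1:]
                     if (tts[d1] ^ tts[d2]) in (target, target ^ mask)), None)
        if pair:
            new = g.xor((pair[0], False), (pair[1], False))   # free: adds no AND
            g.substitute(n, (new[0], (tts[pair[0]] ^ tts[pair[1]]) != target)); subs += 1
    return subs

def demo():   # constructed 4-input network with 4 ANDs -> (ANDs before, after, substitutions)
    g = XAG(4)
    a, b, c, d = (g.pi(i) for i in range(4))
    ab = g.and_(a, b)
    aorb = g.xor(ab, g.xor(a, b))         # a OR b == ab XOR a XOR b
    nor = g.and_(neg(a), neg(b))          # NOT(a OR b) built with a second AND
    c_notd = g.and_(c, neg(d))            # c AND NOT d == c XOR (c AND d)
    cd = g.and_(c, d)
    g.outputs = [aorb, nor, c_notd, cd]
    before, mc_before = g.output_tts(), g.multiplicative_complexity()
    subs = resubstitute(g)
    assert g.output_tts() == before       # the pass preserves every output function
    return mc_before, g.multiplicative_complexity(), subs   # (4, 2, 3)
```

On the constructed network, `demo()` brings the multiplicative complexity from 4 to 2 in three substitutions: `a AND b` is replaced by the complement of `(a XOR b) XOR NOR(a, b)` (an xor-resub that is accepted because a complemented edge is free), `a OR b` is then replaced by a complemented edge from the NOR node (a 0-resub, which saves nodes but no AND), and `c AND NOT d` becomes `c XOR (c AND d)`. Excluding the transitive fanout from the divisor set is what stops the pass from afterwards also rewriting `c AND d` as `c XOR (c AND NOT d)`, which would create a cycle. Applied to the two-AND full adder of Fig. 1(a), these two rules alone find nothing, since every divisor of the carry node is affine while the carry is not; reaching the one-AND form of Fig. 1(b) needs the rewriting of Section II or the and-/aa-/ao-resub steps that Algorithm 1 adds.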