Paper 2023/948

Compact Circuits for Efficient Mobius Transform

Subhadeep Banik, Universita della Svizzera Italiana
Francesco Regazzoni, University of Amsterdam, Universita della Svizzera Italiana

The Mobius transform is a linear circuit used to compute the evaluations of a Boolean function over all points on its input domain. The operation is very useful in finding the solution of a system of polynomial equations over GF(2) for obvious reasons. However the operation, although linear, needs exponential number of logic operations (around $n\cdot 2^{n-1}$ bit xors) for an $n$-variable Boolean function. As such, the only known hardware circuit to efficiently compute the Mobius transform requires silicon area that is exponential in $n$. For Boolean functions whose algebraic degree is bound by some parameter $d$, recursive definitions of the Mobius transform exist that requires only $O(n^{d+1})$ space in software. However converting the mathematical definition of this space-efficient algorithm into a hardware architecture is a non-trivial task, primarily because the recursion calls notionally lead to a depth-first search in a transition graph that requires context switches at each recursion call for which straightforward mapping to hardware is difficult. In this paper we look to overcome these very challenges in an engineering sense. We propose a space efficient sequential hardware circuit for the Mobius transform that requires only polynomial circuit area (i.e. $O(n^{d+1})$) provided the algebraic degree of the Boolean function is limited to $d$. We show how this circuit can be used as a component to efficiently solve polynomial equations of degree at most $d$ by using fast exhaustive search. We propose three different circuit architectures for this, each of which uses the Mobius transform circuit as a core component. We show that asymptotically, all the solutions of a system of $m$ polynomials in $n$ unknowns and algebraic degree $d$ over GF(2) can be found using a circuit of silicon area proportional to $m\cdot n^{d+1}$ and circuit depth proportional to $2\cdot\log_2(n-d)$. In the second part of the paper we introduce a fourth hardware solver that additionally aims to achieve energy efficiency. The main idea is to reduce the solution space to a small enough value by parallel application of Mobius transform circuits over the first few equations of the system. This is done so that one can check individually whether the vectors of this reduced solution space satisfy each of the remaining equations of the system using lower power consumption. The new circuit has area also bound by $m\cdot n^{d+1}$ and has circuit depth proportional to $d\cdot \log_2 n$. We also show that further optimizations with respect to energy consumption may be obtained by using depth-bound Mobius circuits that exponentially decrease run time at the cost of additional logic area and depth.

Available format(s)
Publication info
Published by the IACR in TCHES 2024
Boolean FunctionsMobius transformSolution of Equation System
Contact author(s)
subhadeep banik @ usi ch
f regazzoni @ uva nl
2024-01-12: revised
2023-06-16: received
See all versions
Short URL
Creative Commons Attribution


      author = {Subhadeep Banik and Francesco Regazzoni},
      title = {Compact Circuits for Efficient Mobius Transform},
      howpublished = {Cryptology ePrint Archive, Paper 2023/948},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.