We study the problem of implementing multivariate functions defined over finite rings or fields as parallel circuits. Such functions are essential for building cryptographic substitution boxes and hash functions. We present a modification to Horner's algorithm for evaluating arbitrary n-variate functions defined over finite rings and fields. Our modification is based on eliminating redundancies in the multivariate version of Horner's algorithm, which occur when the evaluation takes place over a small finite mathematical structure, and may be considered as a generalization of Shannon's lower bound and Muller's algorithm to word level circuits. If the domain is a finite field GF(p), the complexity of multivariate Horner polynomial evaluation is improved from O(p^n) to O(p^n/2n). We prove the optimality of the presented algorithm. Our comparison of the bit level approach to the optimized word level approach yields an interesting result. The bit level algorithm is more efficient in both area consumption and time delay. This suggests that unstructured functions over finite rings or fields should be implemented using the bit-level approach and not the commonly used word level implementation style. © International Association for Cryptologic Research 2005.
Sunar, B., & Cyganski, D. (2005). Comparison of bit and word level algorithms for evaluating unstructured functions over finite rings. In Lecture Notes in Computer Science (Vol. 3659, pp. 237–249). Springer Verlag. https://doi.org/10.1007/11545262_18