Fast evaluation of polynomials over binary finite fields and application to side-channel countermeasures

Abstract

We describe a new technique for evaluating polynomials over binary finite fields. This is useful in the context of anti-DPA counter-measures when an S-box is expressed as a polynomial over a binary finite field. For n-bit S-boxes our new technique has heuristic complexity (Formula presented.) instead of (Formula presented.) proven complexity for the Parity-Split method. We also prove a lower bound of (Formula presented.) on the complexity of any method to evaluate n-bit S-boxes; this shows that our method is asymptotically optimal. Here, complexity refers to the number of nonlinear multiplications required to evaluate the polynomial corresponding to an S-box. In practice we can evaluate any 8-bit S-box in 10 non-linear multiplications instead of 16 in the Roy-Vivek paper from CHES 2013, and the DES S-boxes in 4 non-linear multiplications instead of 7. We also evaluate any 4-bit S-box in 2 non-linear multiplications instead of 3. Hence our method achieves optimal complexity for the PRESENT S-box.