Journal of Cryptographic Engineering

, Volume 5, Issue 2, pp 73–83 | Cite as

Fast evaluation of polynomials over binary finite fields and application to side-channel countermeasures

  • Jean-Sébastien Coron
  • Arnab Roy
  • Srinivas Vivek
CHES 2014


We describe a new technique for evaluating polynomials over binary finite fields. This is useful in the context of anti-DPA countermeasures when an S-box is expressed as a polynomial over a binary finite field. For \(n\)-bit S-boxes, our new technique has heuristic complexity \({\fancyscript{O}}(2^{n/2}/\sqrt{n})\) instead of \({\fancyscript{O}}(2^{n/2})\) proven complexity for the Parity-Split method. We also prove a lower bound of \({{\varOmega }}(2^{n/2}/\sqrt{n})\) on the complexity of any method to evaluate \(n\)-bit S-boxes; this shows that our method is asymptotically optimal. Here, complexity refers to the number of non-linear multiplications required to evaluate the polynomial corresponding to an S-box. In practice, we can evaluate any 8-bit S-box in 10 non-linear multiplications instead of 16 in the Roy–Vivek paper from CHES 2013, and the DES S-boxes in 4 non-linear multiplications instead of 7. We also evaluate any 4-bit S-box in 2 non-linear multiplications instead of 3. Hence our method achieves optimal complexity for the PRESENT S-box.


Side-channel countermeasure Masking Polynomial evaluation Finite field 



We would like to thank Matthieu Rivain for suggesting us the technique of tabulating linear polynomials described in Remark 3.


  1. 1.
    FIPS 46–3: Data Encryption Standard. National Institute of Standards and Technology. (1993)
  2. 2.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds) CHES, Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer, Berlin (2007)Google Scholar
  3. 3.
    Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.J. (eds.) CHES, Lecture Notes in Computer Science, vol. 3156, pp. 16–29. Springer, Berlin (2004)Google Scholar
  4. 4.
    Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for S-Boxes. In: Canteaut, A. (ed.) FSE, Lecture Notes in Computer Science, vol. 7549, pp. 366–384. Springer, Berlin (2012)Google Scholar
  5. 5.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Çetin Kaya Koç, B.S.K. Jr., Paar, C. (eds.) CHES, Lecture Notes in Computer Science, vol. 2523, pp. 13–28. Springer, Berlin (2002)Google Scholar
  6. 6.
  7. 7.
    Coron, J.S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology—EUROCRYPT 2014–33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings, Lecture Notes in Computer Science, vol. 8441, pp. 441–458. Springer, Berlin (2014). doi: 10.1007/978-3-642-55220-5_25
  8. 8.
    Coron, J.S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: FSE (2013) (to appear)Google Scholar
  9. 9.
    Genkin, D., Shamir, A., Tromer, E.: RSA key extraction via low-bandwidth acoustic cryptanalysis. IACR Cryptol. 2013, 857 (2013). (ePrint Archive)Google Scholar
  10. 10.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: Securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO, Lecture Notes in Computer Science, vol. 2729, pp. 463–481. Springer, Berlin (2003)Google Scholar
  11. 11.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) CRYPTO, Lecture Notes in Computer Science, vol. 1666, pp. 388–397. Springer, Berlin (1999)Google Scholar
  12. 12.
    Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Çetin Kaya Koç, Paar, C. (eds.) CHES, Lecture Notes in Computer Science, vol. 1965, pp. 238–251. Springer, Berlin (2000)Google Scholar
  13. 13.
    Paterson, M., Stockmeyer, L.J.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM J. Comput. 2(1), 60–66 (1973)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.X. (eds.) CHES, Lecture Notes in Computer Science, vol. 6225, pp. 413–427. Springer, Berlin (2010)Google Scholar
  15. 15.
    Roy, A., Vivek, S.: Analysis and improvement of the generic higher-order masking scheme of FSE 2012. In: Bertoni, G., Coron, J.S. (eds.) CHES, Lecture Notes in Computer Science, vol. 8086, pp. 417–434. Springer, Berlin (2013)Google Scholar
  16. 16.
    Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE, Lecture Notes in Computer Science, vol. 4593, pp. 181–195. Springer, Berlin (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  1. 1.University of Luxembourg, FSTCLuxembourgLuxembourg
  2. 2.Technical University of DenmarkCopenhagenDenmark

Personalised recommendations