
We now give lower bounds on the non-linear complexity of evaluating polynomials over $\mathbb{F}_{2^n}$. Our first lower bound result originally appeared in [RV13].

Later we improved this result significantly in [CRV14].

5.3.3.1 First Bound

Proposition 5.3. Let $P(x) := \sum_{i=0}^{2^n-1} a_i x^i$ be a polynomial in $\mathbb{F}_{2^n}[x]$. Then
$$M(P(x)) \;\ge\; \max_{\substack{0 < i < 2^n-1 \\ a_i \neq 0}} m_n(i).$$

Proof. To prove the proposition, we just need to prove the following claim. Let $\sigma_k^n := \{\alpha \mid m_n(\alpha) \le k\}$. We claim that, with at most $k$ non-linear multiplications, we can evaluate only those polynomials of the form $\sum_i a_i x^i$, where $i \in \sigma_k^n$ and $a_i \in \mathbb{F}_{2^n}$. It is easy to see that with zero non-linear multiplications, only those polynomials of the form $\sum_i a_i x^i$ with $i \in \sigma_0^n = \{2^j \mid 0 \le j \le n-1\}$ can be evaluated.

Let us assume that the above claim is true up to $k-1$ non-linear multiplications. Consider the set of polynomials $T := \{\, p(x) \mid p(x) = \sum_j b_j x^j,\; j \in \sigma_{k-1}^n,\; b_j \in \mathbb{F}_{2^n} \,\}$. Since squaring is a linear operation in $\mathbb{F}_{2^n}[x]$, the set $T$ is closed under additions, scalar multiplications and squaring operations. Hence if we allow only one more non-linear multiplication, then the exponents in the resulting polynomial can only be from $\sigma_k^n$. Note that $m_n(\alpha)$ is defined only for $0 < \alpha < 2^n - 1$ and $x^{2^n-1} = 1$ if $x \neq 0$. This proves the claim.

5.3.3.2 Improved Bound

Our technique to prove the lower bound of $\Omega(\sqrt{2^n/n})$ on the non-linear complexity is similar to the one used in the proof of [PS73, Theorem 2]. But we would like to emphasize that their result is not applicable to our setting, since they work over the integers and the cost model used there is different from the one used in our case.

Proposition 5.4. There exists a polynomial $P(x) \in \mathbb{F}_{2^n}[x]$ such that
$$M(P(x)) \;\ge\; \sqrt{\frac{2^n}{n}} - 2.$$

Proof. At a more abstract level, an $\mathbb{F}_{2^n}$-polynomial chain evaluating $P(x) \in \mathbb{F}_{2^n}[x]$ that uses $r$ non-linear multiplications ($r \ge 0$) can be equivalently described as a sequence $Z$ of polynomials $z_{-1}, z_0, \ldots, z_r, P(x)$, where
$$z_{-1} = 1,\qquad z_0 = x,\qquad z_k = \Big(\beta_{k,-1} + \sum_{i=0}^{k-1} \sum_{j=0}^{n-1} \beta_{k,i,j}\, z_i^{2^j}\Big) \cdot \Big(\beta'_{k,-1} + \sum_{i=0}^{k-1} \sum_{j=0}^{n-1} \beta'_{k,i,j}\, z_i^{2^j}\Big) \pmod{x^{2^n} + x}, \tag{5.20}$$
where $k = 1, 2, \ldots, r$ and $\beta_{k,-1}, \beta'_{k,-1}, \beta_{k,i,j}, \beta'_{k,i,j} \in \mathbb{F}_{2^n}$. Lastly,
$$P(x) = \beta_{r+1,-1} + \sum_{i=0}^{r} \sum_{j=0}^{n-1} \beta_{r+1,i,j}\, z_i^{2^j} \pmod{x^{2^n} + x}, \tag{5.21}$$
where again $\beta_{r+1,-1}, \beta_{r+1,i,j} \in \mathbb{F}_{2^n}$.

Since the squaring operation is $\mathbb{F}_2$-linear in $\mathbb{F}_{2^n}$, and $x^{2^n} = x$ for all $x \in \mathbb{F}_{2^n}$, it is easy to see that any polynomial that can be evaluated using at most $r$ non-linear multiplications will be of the form given in (5.21). The number of parameters $\beta_{k,-1}, \beta'_{k,-1}, \beta_{k,i,j}, \beta'_{k,i,j}$ in (5.20) for a given value of $k$ ($k = 1, \ldots, r$) is $2 \cdot (k \cdot n + 1)$. In (5.21), the number of parameters $\beta_{r+1,-1}, \beta_{r+1,i,j}$ is $(r+1) \cdot n + 1$. In total, the number of parameters is
$$(r+1)\, n + 1 + \sum_{k=1}^{r} 2\,(kn+1).$$
Since there are only $|\mathbb{F}_{2^n}|^{2^n}$ distinct polynomials in $\mathbb{F}_{2^n}[x]$ (i.e. up to evaluation), and a given set of values for the parameters enables one to evaluate a single polynomial only, we get the following necessary condition to evaluate all polynomials over $\mathbb{F}_{2^n}[x]$:
$$\begin{aligned}
|\mathbb{F}_{2^n}|^{\,(r+1)n + 1 + \sum_{k=1}^{r} 2(kn+1)} &\ge |\mathbb{F}_{2^n}|^{2^n}, \\
\Longrightarrow\quad (r+1)\, n + 1 + \sum_{k=1}^{r} 2\,(kn+1) &\ge 2^n, \\
\Longrightarrow\quad n \cdot r^2 + (2n+2) \cdot r - (2^n - n - 1) &\ge 0, \\
\Longrightarrow\quad r &\ge \sqrt{\frac{2^n}{n}} - 2. \tag{5.22}
\end{aligned}$$
Hence there exist polynomials over $\mathbb{F}_{2^n}$ that require $\Omega(\sqrt{2^n/n})$ non-linear multiplications to evaluate them.

Concrete Lower Bounds. In Table 5.2 we compare, for various values of n, the previously known lower bound for non-linear complexity with the new lower bound as determined by (5.22).


n                                                    4   5   6   7   8   9  10  11  12
Previous/our lower bound (cf. [CGP+12], Prop. 5.3)   2   2   3   3   4   4   4   4   4
Our lower bound (cf. (5.22))                         0   1   2   3   4   6   9  12  17

Table 5.2: Lower bound for non-linear complexity in $\mathbb{F}_{2^n}$.
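The counting argument of (5.22) and the second row of Table 5.2, worked in Python as an added example (this is not the thesis's own code; the names num_parameters, counting_bound and closed_form_bound are this example's). It counts the $\beta$-parameters of (5.20)-(5.21) for a given $r$, finds the exact smallest $r$ at which the count reaches $2^n$, and compares that with the closed form $\sqrt{2^n/n} - 2$ used for the table row.

```python
"""Parameter-counting argument behind the lower bound (5.22).

Added example, not code from the thesis: it counts the beta-parameters of the
abstract chain (5.20)-(5.21), solves the resulting necessary condition for the
number r of non-linear multiplications, and reproduces the second row of
Table 5.2 from the closed form r >= sqrt(2^n / n) - 2.
"""
import math


def num_parameters(r: int, n: int) -> int:
    """Number of beta-parameters in (5.20)-(5.21) for a chain over F_{2^n}
    with r non-linear multiplications: (r+1)*n + 1 for (5.21) plus
    2*(k*n + 1) for each z_k in (5.20), k = 1..r."""
    return (r + 1) * n + 1 + sum(2 * (k * n + 1) for k in range(1, r + 1))


def quadratic_form(r: int, n: int) -> int:
    """Closed form of num_parameters after summing the series:
    n*r^2 + (2n+2)*r + n + 1.  Subtracting 2^n gives the quadratic in the
    third line of (5.22)."""
    return n * r * r + (2 * n + 2) * r + n + 1


def counting_bound(n: int) -> int:
    """Smallest integer r for which the chains with r non-linear
    multiplications have at least 2^n parameters.  With fewer parameters not
    all |F_{2^n}|^(2^n) functions can be described, so some polynomial needs
    at least this many multiplications (the exact integer version of the
    condition in (5.22), before it is loosened to a closed form)."""
    r = 0
    while num_parameters(r, n) < 2 ** n:
        r += 1
    return r


def closed_form_bound(n: int) -> int:
    """ceil(sqrt(2^n / n) - 2), the last line of (5.22), clamped at 0 for the
    tiny n where the real-valued bound is negative."""
    return max(0, math.ceil(math.sqrt(2 ** n / n) - 2))


def table_5_2_row(ns=range(4, 13)) -> dict:
    """Second row of Table 5.2 ('Our lower bound (cf. (5.22))')."""
    return {n: closed_form_bound(n) for n in ns}


if __name__ == "__main__":
    print(" n  params(r=0)  exact r  closed-form r")
    for n in range(4, 13):
        print(f"{n:2d}  {num_parameters(0, n):11d}  {counting_bound(n):7d}  "
              f"{closed_form_bound(n):13d}")
```

The exact integer solution of the counting condition can be slightly larger than the closed form (for instance 1 rather than 0 at $n = 4$), because the last step of (5.22) drops lower-order terms to reach $\sqrt{2^n/n} - 2$; both are valid lower bounds.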

5.3.3.3 Lower Bounds for S-boxes

Though we defer the discussion on the application to S-boxes to Section 5.4, for clarity, we briefly mention the application of the above lower bound results here.

We represent the fields $\mathbb{F}_{2^4}$, $\mathbb{F}_{2^6}$ and $\mathbb{F}_{2^8}$ using the irreducible polynomials $y^4 + y^3 + 1$, $y^6 + y^4 + y^3 + y + 1$ and $y^8 + y^4 + y^3 + y + 1 \in \mathbb{F}_2[y]$, respectively. From Theorem 5.2, we know that the masking complexity is invariant w.r.t. the field representation.

The polynomials corresponding to the eight DES S-boxes are polynomials of degree 62 in $\mathbb{F}_{2^6}[x]$ (here the 4-bit DES S-box outputs are padded with two leading zeroes and identified with the elements of $\mathbb{F}_{2^6}$). For the PRESENT S-box, the corresponding polynomial is a polynomial of degree 14 in $\mathbb{F}_{2^4}[x]$. Since $m_6(62) = 3$ and $m_4(14) = 2$, from Proposition 5.3 we obtain the following corollary.

Corollary 5.1. Masking complexity of a DES S-box is at least 3, and that of the PRESENT S-box is at least 2.

The AES S-box can be written as an affine permutation composed with the polynomial $x^{254} \in \mathbb{F}_{2^8}[x]$. From Lemma 5.6, the masking complexity of the AES S-box is $M(x^{254})$ over $\mathbb{F}_{2^8}$. Using arguments similar to the proof of Lemma 5.3, we obtain the following corollary.

Corollary 5.2. Masking complexity of the AES S-box is at least 4.

The above corollary was shown by exhaustive search in [CGP+12].
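An added example, not code from the thesis or from [CGP+12], making concrete what "the polynomial corresponding to an S-box" means in the field representations given above: it implements $\mathbb{F}_{2^n}$ arithmetic for the three stated defining polynomials, interpolates a lookup table into a univariate polynomial, and checks that the inversion map $a \mapsto a^{-1}$ comes out as exactly $x^{254}$, as the text states for the non-affine part of the AES S-box. The real DES tables are not on this page, so a constructed 6-bit-in/4-bit-out toy S-box stands in for them; all function names (gf_mul, interpolate, inversion_poly, toy_6_to_4_bit_sbox) are this example's.

```python
"""From an S-box lookup table to its polynomial over F_{2^n}.

Added example, not code from the thesis.  It uses the field representations
stated in the text (F_{2^4} = F_2[y]/(y^4+y^3+1),
F_{2^6} = F_2[y]/(y^6+y^4+y^3+y+1), F_{2^8} = F_2[y]/(y^8+y^4+y^3+y+1)), with
a field element stored as an n-bit integer whose bit j is the coefficient of
y^j.  interpolate() returns the coefficients of the unique polynomial of
degree < 2^n that agrees with a table on every field element.
"""

# Defining polynomials as bit masks (bit k <-> y^k); the leading bit is bit n.
MODULI = {4: 0b1_1001, 6: 0b101_1011, 8: 0b1_0001_1011}


def gf_mul(a: int, b: int, n: int) -> int:
    """Multiply two elements of F_{2^n} (shift-and-add with reduction)."""
    mod, result = MODULI[n], 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:        # degree reached n: reduce by the modulus
            a ^= mod
    return result


def gf_pow(a: int, e: int, n: int) -> int:
    """a^e in F_{2^n} by square-and-multiply."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return result


def gf_inv(a: int, n: int) -> int:
    """Multiplicative inverse with the usual convention 0 -> 0.
    For a != 0, a^(2^n - 1) = 1, so a^(-1) = a^(2^n - 2)."""
    return 0 if a == 0 else gf_pow(a, (1 << n) - 2, n)


def interpolate(table, n: int) -> list:
    """Coefficients c_0 .. c_{q-1} (q = 2^n) of the polynomial P with
    P(a) = table[a] for all a in F_{2^n}.

    Uses P(x) = sum_a table[a] * (1 + (x + a)^(q-1)): the bracket is 1 at
    x = a and 0 elsewhere.  In characteristic 2 every binomial coefficient
    C(q-1, i) is odd, so (x + a)^(q-1) = sum_{i=0}^{q-1} x^i * a^(q-1-i)
    (with a^0 = 1 also for a = 0), which yields the coefficients directly.
    """
    q = 1 << n
    coeffs = [0] * q
    for a, fa in enumerate(table):
        if fa == 0:
            continue
        coeffs[0] ^= fa                  # the '+1' term
        power = 1                        # a^(q-1-i), starting at i = q-1
        for i in range(q - 1, -1, -1):
            coeffs[i] ^= gf_mul(fa, power, n)
            power = gf_mul(power, a, n)
    return coeffs


def evaluate(coeffs, x: int, n: int) -> int:
    """Horner evaluation of a coefficient list at x in F_{2^n}."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x, n) ^ c
    return acc


def degree(coeffs) -> int:
    """Degree of the polynomial (-1 for the zero polynomial)."""
    return max((i for i, c in enumerate(coeffs) if c), default=-1)


def inversion_poly(n: int = 8) -> list:
    """Polynomial of the field inversion a -> a^(-1), the non-affine part of
    the AES S-box.  Interpolation recovers exactly x^(2^n - 2), i.e. x^254."""
    return interpolate([gf_inv(a, n) for a in range(1 << n)], n)


def toy_6_to_4_bit_sbox() -> list:
    """Constructed stand-in for a DES-style 6-bit-in / 4-bit-out S-box (not a
    real DES table): each 4-bit output value occurs exactly four times.  The
    outputs are padded to 6 bits by identifying them with elements of F_{2^6},
    as the text does for DES."""
    return [(13 * a + 5) % 16 for a in range(64)]


if __name__ == "__main__":
    print("inversion over F_{2^8} has degree", degree(inversion_poly(8)))
    coeffs = interpolate(toy_6_to_4_bit_sbox(), 6)
    print("toy 6->4 S-box polynomial has degree", degree(coeffs))
```

Because the coefficient of $x^{2^n-1}$ produced by this interpolation is the XOR of all table outputs, any balanced S-box (every output value equally often, which includes every permutation) has degree at most $2^n - 2$; that is why the degrees quoted above are $62 = 2^6 - 2$, $14 = 2^4 - 2$ and $254 = 2^8 - 2$ rather than $2^n - 1$.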