Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures

Masking is a widespread countermeasure to protect implementations of block-ciphers against side-channel attacks. Several masking schemes have been proposed in the literature that rely on the efficient decomposition of the underlying s-box(es). We propose a generalized decomposition method for s-boxes that encompasses several previously proposed methods while providing new trade-offs. It allows to evaluate \(n\lambda \)-bit to \(m\lambda \)-bit s-boxes for any integers \(n,m,\lambda \ge 1\) by seeing it a sequence of m n-variate polynomials over \(\mathbb {F}_{2^{\lambda }}\) and by trying to minimize the number of multiplications over \(\mathbb {F}_{2^{\lambda }}\).