Generalized Polynomial Decomposition For S-Boxes With Application To Side-Channel Countermeasures

Masking is a widespread countermeasure to protect implementations of block-ciphers against side-channel attacks. Several masking schemes have been proposed in the literature that rely on the efficient decomposition of the underlying s-box(es). We propose a generalized decomposition method for s-boxes that encompasses several previously proposed methods while providing new trade-offs. It allows to evaluate n lambda-bit to m lambda-bit s-boxes for any integers n, m, lambda >= 1 by seeing it a sequence of m n-variate polynomials over F-2 lambda and by trying to minimize the number of multiplications over F-2 lambda.