Research on Centralized Operation of S-Box Parameter Integration Method
Based on the known S-box output truth table, the vector representation of the algebraic polynomial for y1 can be derived by XORing the corresponding terms from the minimal term expression of y1. This optimized method requires pre-storing a table of 2m bits, and the time complexity for computing the algebraic polynomial of the S-box output is O(n·2m). Polynomial interpolation for a function f works by finding, for each possible input value xi, a polynomial fi(x) such that fi(xi) = 1 and fi(xj) = 0 for all other xj. Then, the function f(x) can be expressed as the sum: f(x) = ∑f(xi)fi(x). This approach is also applicable to Boolean functions.
The specific process involves, for each of the 2m possible input combinations of the S-box, finding a polynomial that evaluates to 1 at that particular input and 0 elsewhere. For an input x1x2...xm = a1a2...am, the required polynomial is (x1 - a1 - 1)(x2 - a2 - 1)...(xm - am - 1). Thus, the algebraic expression for any output bit of the S-box can be written as the sum of f(a1, a2, ..., am) multiplied by this product, which is then expanded and simplified to obtain the final polynomial.
The implementation of the polynomial interpolation method aligns closely with the minimal term logical expression conversion technique. Similarly, reference <3> uses Lagrange interpolation to derive the Boolean expression of the S-box. The algebraic polynomial item-by-item accumulation method, based on the minimal term conversion, allows the minimal term logical expression to be represented as an algebraic expression over GF(2). Each minimal term may not be fully expanded, but the presence of each m-th degree term in the expansion is checked. If it appears in an odd number of minimal term expansions, it contributes to the final algebraic polynomial; otherwise, it does not. This method enables identifying whether each of the 2m possible terms belongs to the m-variable m-degree algebraic polynomial, thus forming the desired expression for the S-box.
The time complexity for calculating the algebraic polynomial of each S-box output using the item-by-item accumulation method is O(n·2m). However, the accumulation process can be replaced with XOR operations. Since most CPUs support at least 16-bit parallel bit-OR operations, and S-box outputs typically do not exceed 16 bits, each output can be computed in parallel during implementation, reducing the total number of operations to O(2m).
The minimal term accumulation method follows a similar logic to the minimal term conversion approach. Once the minimal term expression is translated into an algebraic form over GF(2), each minimal algebraic expression is applied to all 2m input combinations. A count is made for each term—adding 1 if the term is present in the expanded polynomial, and 0 otherwise. After processing all 2m minimal expressions, the resulting coefficients determine the final algebraic polynomial, where odd counts correspond to a coefficient of 1 and even counts to 0.
In practice, the algebraic polynomial item-by-item accumulation method is very similar to the minimal term accumulation method. Both methods involve counting 2m times for each output, but they differ in their implementation. By analyzing the term x1a1x2a2...xmam in an m-variable m-degree polynomial, we find that only those minimal terms that match the pattern xi1xi2...xiu can contain this term. Therefore, there's no need to check all 2m minimal expressions sequentially.
The number of minimal expressions to evaluate depends on the number of variables in the term, denoted by t (the number of 1s in a1, a2, ..., am). This reduces the computational load, and the overall time complexity becomes O(n·3m). The method proposed by Wei Baodian <2> shares similarities with this approach, as does the Möbius transformation used by Liu Jia et al. <6>.
WENZHOU FOREVER CLASSIC TECHNOLOGY CO.,LTD , https://www.fosicvalve.com