1970-01-01

(2026-01) Efficient Polynomial Evaluation over Structured Space and Application to Polynomial Method

[[Fukang Liu]]
[[Vaibhav Dixit]]
[[Daisuke Yamamoto]]
[[Wakaha Ogata]]
[[Santanu Sarkar]]
[[Willi Meier]]

2026-01-10

Abstract

It is well-known that evaluating a Boolean polynomial $f$ of any degree $d$ in $n$ variables over the full space $\mathbb F_2^n$ takes $n\cdot 2^n$ bit operations and $2^n$ bits of memory with standard Mobius transform. When $d$ is relatively small, Bouillaguet et al. proposed at CHES 2010 the fast exhaustive search (FES) algorithm. In this algorithm, by using Gray code to enumerate all elements in $\mathbb F_2^n$ , evaluating $f$ on all inputs in $\mathbb F_2^n$ takes $\big(\sum_{i=0}^{d}\binom{n}{i}\big)^2+d\cdot 2^n=\binom{n}{\leq d}^2+d\cdot 2^n$ bit operations and $\binom{n}{\leq d}$ bits of memory. The term $\binom{n}{\leq d}^2$ represents the cost of the initialization phase. This problem has received new attention in recent years, which was studied by Dinur at EUROCRYPT 2021, by Furue and Takagi at PQCrypto 2023, and by Bouillaguet at TOMS 2024. All these algorithms work on the full space, and have a similar additional phase such as the initialization phase in the FES algorithm, which takes much more than $\binom{n}{\leq d}$ bit operations. In this work, we propose a simple yet efficient algorithm to evaluate $f$ over the structured space $P_{n_s}^{w_s}\times \cdots \times P_{n_1}^{w_1}\subseteq \mathbb F_2^n$ where $\sum_{i=1}^{s}n_i=n$ and $P_{n_i}^{w_i}$ denotes the set of $n_i$ -bit binary strings with Hamming weight not larger than $w_i$ . Our algorithm is inspired by the FES algorithm and Furue-Takagi's algorithm. However, our algorithm can work on a more general space, and is also distinguished by an efficient additional phase, which is simply reading all coefficients of $f$ and thus takes only $\binom{n}{\leq d}$ bit operations. For complexity, our algorithm takes $\binom{n}{\leq d}+d\cdot \Pi_{i=1}^{s}\binom{n_i}{\leq w_i}$ bit operations and consumes $2\cdot \binom{n}{\leq d}$ bits of memory. For applications, we prove that it is either infeasible or nontrivial to adapt the FES algorithm with monotone Gray code, which somehow answers a question raised by Dinur at EUROCRYPT 2021. Moreover, our algorithm provides a proven method to solve a critical step in Dinur's algorithm for the polynomial method, without affecting its time complexity. In particular, we also address the open problem proposed at TOMS 2024, and improve the polynomial evaluation algorithms even over the full space.