cronokirby

(2026-02) Efficient Polynomial Evaluation on Structured Space over Finite Fields

2026-02-06

Abstract

Efficient evaluation of multivariate polynomials over finite spaces is a central primitive in algebraic cryptanalysis, particularly in exhaustive search attacks against multivariate public key cryptosystems (MPKCs). For the Boolean space F2n\mathbb F_2^n, Bouillaguet et al. introduced the fast exhaustive search (FES) algorithm at CHES 2010. This line of work was further developed by Dinur at EUROCRYPT 2021 and Bouillaguet at TOMS 2024. Extending beyond the Boolean setting, Furue and Takagi proposed an algorithm at PQCrypto 2023 that generalizes FES to the finite-field space Fqn\mathbb F_q^n where qq is a prime number, achieving time complexity O(dqn)\mathcal O\big(d\cdot q^n\big) and memory complexity O(\log(qn)n(n+dd))\mathcal O\big(\log(q\cdot n)\cdot n \cdot \binom{n+d}{d}\big). However, all these algorithms operate over the full space Fqn\mathbb F_q^n, which limits their applicability in many cryptanalytic scenarios where polynomial evaluation is required only over specific subsets of Fqn\mathbb F_q^n, such as those arising in the Syndrome Decoding Problem. Recently, Liu et al. proposed a memory-efficient algorithm for evaluating polynomials over structured spaces Pnsws××Pn1w1F2nP_{n_s}^{w_s} \times \cdots \times P_{n_1}^{w_1} \subseteq \mathbb F_2^n, where i=1sni=n\sum_{i=1}^{s} n_i = n and PniwiF2niP_{n_i}^{w_i} \subseteq \mathbb F_2^{n_i} denotes the set of vectors of length nin_i with Hamming weight at most wiw_i. In this work, we extend the structured-space evaluation paradigm from the Boolean setting to arbitrary finite fields Fq\mathbb F_q. Building on the abstraction of evaluation rules and evaluation orders introduced by Liu et al., and combining it with higher-order derivative techniques over finite fields, we develop a unified theoretical framework for evaluating multivariate polynomials over structured spaces SFqnS \subseteq \mathbb F_q^n. After an initialization phase with cost O((n+dd)2)\mathcal{O} \big(\binom{n+d}{d}^2 \big), our method evaluates a degree-dd polynomial over SS using O(dS)\mathcal O\big(d \cdot |S|\big) operations and requires O(\log(q)(n+dd))\mathcal O\big(\log(q)\cdot \binom{n+d}{d}\big) memory.