Protecting AES via Shamir Secret Sharing

There are in fact two separate things to be discussed w.r.t. the paper:

1. The details of how to apply a $\text{GF}(2)$-affine function to an SSS-shared variable.

2. The correctness of the new SSS-multiplication scheme proposed in the paper.

The paper On the Use of Shamir’s Secret Sharing Against Side-Channel Analysis mentioned by Kodlu suggests that there is a flaw in 2. Thanks for finding that, Kodlu!

Regarding the original question about 1., the paper Higher-Order Glitches Free Implementation of the AES using Secure Multi-Party Computation Protocols by Roche and Prouff explains how to apply a $\text{GF}(2)$-affine function in the context of SSS over $\text{GF}(2^8)$. For convenience, and because it's elegant, I'll reproduce it here with some filled-in details:

The crucial observation is the following:

Claim: Any $\text{GF}(2)$-affine function on $\text{GF}(2^n)$ is uniquely of the form $a_{-1} + \sum_{k=0}^{n-1} a_k \text{Frob}^k$, where $\text{Frob}: y\mapsto y^2$ is the Frobenius, and $a_k\in\text{GF}(2^n)$.

Proof: Since $\text{Gal}(\text{GF}(2^n)/\text{GF}(2))=\{\text{Frob}^k\}_{k=0,\ldots,n-1}$, this is a special case of the fact that for any Galois extension $L/K$, $\text{Gal}(L/K)$ is an $L$-basis of $\text{End}_K(L)$. This in turn follows from (a) the fact that $\text{dim}_K(L)=|\text{Gal}(L/K)|$, hence $\dim_L\text{Hom}_K(L,L)=\text{dim}_L\text{Hom}_K(K^{|\text{Gal}(L/K)|},L)=|\text{Gal}(L/K)|$, and (b) the fact that the elements of $\text{Gal}(L/K)$ are $L$-linear independent, which is a special case of the linear independence of characters.

With the claim, the application of $\text{GF}(2)$-affine functions on $\text{GF}(2^n)$ to SSS-shares reduces to the application of functions of the form $y\mapsto b y^{2^k}$ for some $b\in \text{GF}(2^n)$. Here, it is observed that things get simpler by assuming the set of public SSS evaluation points $\{\alpha_i\}$ to be stable under $\text{Frob}$, in which case an SSS-sharing $(\alpha_i, y_i)$ of $x$ transforms into an SSS-sharing $(\alpha_{\pi^k(i)}, b y_i^{2^k})=(\alpha_i, b y_{\pi^{-k}(i)}^{2^k})$ of $b x^{2^k}$ for the permutation $\pi$ determined by $\text{Frob}(\alpha_i) = \alpha_{\pi(i)}$. Such $\text{Frob}$-stable subsets of $\text{GF}(2^n)$ can be constructed based on the observation that $\text{GF}(2^n)\setminus\bigcup_{k|n}\text{GF}(2^k)$ decomposes into $\text{Frob}$-orbits of size $n$, so inductively there are $\text{Frob}$-orbits of size $k|n$ for all $k|n$.

So, putting it all together, applying $a_{-1} + \sum_{k=0}^{n-1} a_k \text{Frob}^k$ to an SSS-shared variable $(\alpha_i,y_i)$ with $\text{Frob}$-stable $\{\alpha_i\}$ is algebraically similar to applying it share-wise, but one has to add a permutation to the shares: The new $i$-th share $a_{-1} + \sum_{k=0}^{n-1} a_{k} \text{Frob}^k(y_{\pi^{-k}(i)})$, where $\pi$ is the permutation on $\{\alpha_i\}$ induced by $\text{Frob}$.