3
$\begingroup$

In cryptography, one approach to writing an implementation which is secure against differential power analysis is to use something called masking. With masking, the idea is to convert logical gates from e.g. doing $c = a \oplus b$ to operating on shares such that one has inputs $(a_1,a_2)$ and $(b_1,b_2)$, such that $a = a_1 \oplus a_2$ and $b = b_1 \oplus b_2$, and then computes $(c_1,c_2)$ such that $c_1 \oplus c_2 = OP(a,b)$, where $OP$ is some Boolean operation.

Take the example of $OP(a,b) = a \oplus b$, then we compute $c_1 = a_1 \oplus b_1$ and $c_2 = a_2 \oplus b_2$, because then $c_1 \oplus c_2 = a \oplus b$.

My question is now, how can I compute $(c_1,c_2)$ when $OP(a,b) = a \vee b$?

So, to summarize, given is:

$a = a_1 \oplus a_2$

$b = b_1 \oplus b_2$

And I want to compute $c_1,c_2$ such that

$c_1 \oplus c_2 = a \vee b$

but without ever computing directly using $a$ nor $b$.

  • 0
    Is XOR the only logical operation you can use? Can you invert (negate) as well?2017-01-05
  • 0
    I can use other logical operations, but I want to avoid actually computing $a_1 \oplus a_2$ and $b_1 \oplus b_2$, because those are secret values so they must never be combined.2017-01-05
  • 0
    Using AND is much easier than using XOR for to construct OR.2017-01-05
  • 0
    The requirement is just that $c_1 \oplus c_2 = a \vee b$2017-01-05
  • 0
    @Paul I am really confused about your question and your requirements .... Can you maybe just at the end sum up and list all the variables and how they are to relate or not relate to each other?2017-01-05

1 Answers 1

2

The simplest way to do this is to make a truth table of your expressions, and arbitrarily add values to $c_1$ (excluding all zeros or ones). Next choose values of $c_2$ that make $a+b=c_1$ $\oplus$ $c_2$ true. I did this myself and used a Karnaugh Map at the end to simplify. I obtained the expressions:

$$c_1=a_1\bar a_2 + b_1\bar b_2 + \bar a_1 a_2 (\bar b_2 + b_1) + \bar b_1 b_2 (a_1 + \bar a_2)$$

and

$$c_2=\bar a_1 a_2\bar b_1 b_2$$

for the case when

$$a=a_1\oplus a_2 \ ,\ b=b_1\oplus b_2$$

and

$$c_1\oplus c_2=a+b$$

Note that the method outlined above could be used to create any operation, without directly computing a or b.

Also note that mine is not the only expression you could obtain. When making expressions, be wary of the case in which either $c_1$ or $c_2$ equal the whole expression OP(a,b). This is just a relabeled expression. To avoid this; make sure that within your truth table, you do not make any of $c_1$ or $c_2$ all zeros or ones.

Interesting Question

  • 0
    Thanks for your answer. I want to add a follow up question: What if I wanted to express $c_1,c_2$ using only XOR and the OR operation?2017-01-09