Representing (masked) bits in rings
In cryptography it is often useful to represent bits in algebraic objects. I will specifically consider rings of integers modulo . If is a prime number this happens to also be a field, but the difference is not very important here.
Bits are elements of , i.e. true and false, with the usual operations of not , and , or and xor .
Given bit vectors let the function return the number of values in a vector. We can then define the hamming distance function as .
Masked bits are elements of , i.e. true, false, and unavailable. The operations are the same as for binary, except when one of the arguments is , the result is always .
We take to count the number of 's and introduce to count the number of available entries i.e. either or but not . We can then define a fractional hamming distance as
The representation of bits
We represent as respectively. The usual binary operations of not , and , or , xor , can respectively be represented using ring operations as
If we have a vector we can represent it element wise in . This allows us to represent the function:
Observing that the sum over elementwise products is the dot product, we obtain the following useful identity:
This representation is reversible for any , except for which need .
The representation of bits
We represent as respectively. The usual binary operations of not , and , or , xor , can respectively be represented using ring operations as
If we have a vector we can represent it element wise in . This allows us to represent the function:
Given a bit vectors we can construct a matrix such tht . If we have a second matrix of hamming distances such that then the following holds:
Where is the matrix of all ones. Suppose we are given , we can compute and solve the following quadratic system:
The representation of masked bits
We represent as respectively. The binary operations become
Note that the formulas for can be evaluated using two multiplies in a depth-2 circuit.
Given a masked bitvector , we can define
We can represent this on a suitably large (Q how large?) ring as for respectively.
Note that squaring, , produces a regular bitvector that is whenever the value is and otherwise, i.e. it allows us to extract the mask as a regular bitvector. Similarly extracts the data bits: for and otherwise. The reverse mapping, converting data bits and mask bits to a masked bitvector is . If the data bits are known to be in the in the unavailable region, then it simplifies to .
In this representation and and or have awkward fourth degree expressions, though they can be evaluated using only two multiplies. The expressions for xor, and are quite nice considering that they correctly account for masks. This makes it a suitable system for computing fractional hamming distances.
This representation is reversible for any , except for which need .
Fractional hamming distance
The fractional hamming weight of a masked bitvector is defined as
and the fractional hamming distance between two masked bitvectors and as
In the ring representation these can be computed as
Note that and thus depends only on the masks of and . Given the masks and it can be computed in binary as