A note on secure multiparty computation via higher residue symbols

Ignacio Cascudo; Reto Schnyder

doi:10.1515/jmc-2020-0013

Open Access Published by De Gruyter January 29, 2021

A note on secure multiparty computation via higher residue symbols

Ignacio Cascudo and Reto Schnyder

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2020-0013

Abstract

We generalize a protocol by Yu for comparing two integers with relatively small difference in a secure multiparty computation setting. Yu's protocol is based on the Legendre symbol. A prime number p is found for which the Legendre symbol (· | p) agrees with the sign function for integers in a certain range {−N, . . . , N} ⊂ ℤ. This can then be computed efficiently.

We generalize this idea to higher residue symbols in cyclotomic rings ℤ[ζ_r] for r a small odd prime. We present a way to determine a prime number p such that the r-th residue symbol (· | p)_r agrees with a desired function f:A→{ζr0,…,ζrr−1} on a given small subset A ⊂ ℤ[ζ_r], when this is possible. We also explain how to efficiently compute the r-th residue symbol in a secret shared setting.

Keywords: secure multiparty computation; cyclotomic rings; power residue symbol

MSC 2010: 11T71; 94A60

1 Introduction

In secure multiparty computation (MPC), a group of parties, each of which has some secret data, wish to collaboratively compute a function on it without revealing their inputs. A common technique for this is to represent the inputs as elements of a finite field 𝔽_p and represent the function as an arithmetic circuit over that finite field, i.e. as an expression consisting of nested sums and products over 𝔽_p involving the inputs and public values, and then process this circuit gate-by-gate. For example in secret-sharing based secure multiparty computation protocols, inputs are secret shared among the parties using a linear secret sharing scheme, such as Shamir's scheme [10] or additive secret sharing. In such a scheme, addition of two secrets and multiplication of a secret by a public value can be done by simply performing the operation locally. Multiplication of two secrets can be achieved with a small amount of additional communication between the parties. See for example the book [4] for details about how this plays out in a number of secret-sharing based MPC protocols. But many other operations are more complicated to perform in a secret shared setting, especially those that do not correspond to natural operations in a finite field. Examples for this are integer comparison, integer division and modular reduction by values that are coprime to p. Protocols that compute such operations often rely on decomposing a shared value into its binary representation, after which the operation can be performed on secret shared bits [e.g. 5]. However, this decomposition involves a significant computational and communication cost, so there is much interest in more straightforward protocols for these operations. There are other protocols which do not rely on the decomposition of shared values, but still operate in a bitwise manner by using random pre-decomposed sharings [9].

An alternative idea for comparison of secret values is given in [12]. Their protocol attempts to compute the sign of a secret shared value [a]_{𝔽_p} by computing the Legendre symbol (a | p). For this to work, they must choose the prime modulus p in such a way that all values {1, . . . , N} are quadratic residues modulo p, for a relatively large N, and that −1 is a quadratic non-residue. Then, it holds that sgn(a) = (a | p) for − N ≤ a ≤ N. Two integers a and b can then be compared by computing sgn(a − b) = (a − b | p), assuming |a − b| ≤ N. The Legendre symbol can be computed relatively easily in a secret-shared setting using a few rounds of precomputation and a single online round. Yu shows that at any given order of magnitude, a prime p can be found which satisfies the desired properties with N being of size Ω(log p). The inspiration for this protocol comes from [7], where the idea is first presented for the special case N = 2, p = 7.

In [1], the authors improve on Yu's method and extend the range where the comparison is valid by a factor of roughly three, for a given modulus size. They achieve this by computing the residue symbol on a small neighbourhood of the input value and performing a majority vote. They also provide another protocol that increases the valid range by a factor of five compared to Yu, but requires an additional online round.

Our contribution

In this paper, we present a generalization of the idea of [12] by using the residue symbol in a cyclotomic ring ℤ[ζ_r], for some odd prime r. The goal is to compute a chosen function f : A → {0, . . . , r − 1} in a limited domain A ⊂ 𝔽_p[ζ_r]. We develop a method for finding a prime number p such that the r-th power residue symbol coincides with f on the domain A, when this is possible:

(ap)r=ζrf(a) for each a∈A.

As in [12], our protocol requires an offline precomputation phase, but has an online phase consisting of a single round. As an added benefit, the output of f is obtained in a one-hot encoding, which can be helpful if it is e.g. used in a condition for a branching algorithm.

Unfortunately, we are not currently aware of a practical use of our protocol, since the limitations on the size of A are too strict. However, we hope that our new ideas motivate future work that can lessen these restrictions and find applications where our idea outperforms existing solutions.

Outline of the paper

In Section 2, we present basic definitions and facts about the power residue symbol in a cyclotomic ring. We then present the idea of our protocol in Section 3, and in Section 4 we explain in detail how to compute the residue symbol. Then, in Section 5, we present a method for finding an appropriate modulus p given a desired function to compute. We give a toy example in Section 6 to illustrate our ideas. Finally, in Section 7, we compare our method to other constant-round protocols for computing arbitrary functions.

2 The power residue symbol

Let r be an odd prime. Let R = ℤ[ζ_r] be the r-th ring of cyclotomic integers, considered as a subring of ℂ. Here, ζ_r is a primitive r-th root of unity. If 𝔟 is an ideal of R, we denote by N𝔟 its norm.

Definition 1

(See [8, Prop. 14.2.1]). Let 𝔭 be a nonzero prime ideal of R such that r ∉ 𝔭, and let a ∈ R \ 𝔭. Then, there exists an integer s, unique modulo r, such that

ζrs≡aN𝔭−1r (mod 𝔭).

We define the r-th power residue symbol as

(a𝔭)r=(a | 𝔭)r=ζrs.

If a ∈ 𝔭, we define (a | 𝔭)_r = 0.

It holds that a is an r-th power modulo 𝔭 if and only if (a | 𝔭)_r = 1. Clearly, the power residue symbol is multiplicative in the first argument. That is, for a, b ∈ R, we have

(ab𝔭)r=(a𝔭)r(b𝔭)r.

If 𝔟 is any proper ideal of R coprime to r, we extend the power residue symbol multiplicatively. That is, if 𝔟 factors into prime ideals as 𝔟 = 𝔭 ₁ · · · 𝔭 _s, then

(a𝔟)r=∏i=1s(a𝔭i)r.

Finally, if b ∈ R is any non-unit coprime to r, we simply define

(ab)r=(a(b))r,

where (b) is the ideal generated by b.

Definition 2

(See [8, p. 206]). An element a ∈ R is called primary if it is coprime to r, not a unit and congruent to a rational integer modulo (1 − ζ_r)².

If a ∈ R is coprime to r and not a unit, then there is a unique k ∈ {0, . . . , r − 1} such that ζrka is primary.

Theorem 3

(Eisenstein Reciprocity, [8, Theorem 1, p. 207]). Let b ∈ ℤ be coprime to r and not a unit. Let a ∈ R be primary and coprime to b. Then,

(ab)r=(a(b))r.

Theorem 4

(See [3, Theorem 4.9]). The group of units R^* is the direct product of the group of roots of unity in R and the group of positive real units (R ∩ ℝ_>0)^*.

Lemma 5

Let a, b ∈ R, such that b is a non-unit coprime to r and a. Suppose that each of a and b is either real or purely imaginary. Then, (a | b)_r = 1.

Proof

First, note that for any prime ideal 𝔭 not containing r, we have

(−1𝔭)r≡(−1)N𝔭−1r (mod 𝔭),

which is 1 if 𝔭 lies above an odd prime number, and −1 if it lies above 2. But in the second case, −1 ≡ 1 (mod 𝔭), so either way, (−1 | 𝔭)_r = 1.

Let now c ∈ R \ 𝔭, and let (c | 𝔭)r=ζrs . We have

cN𝔭−1r=ζrs+k with k∈𝔭,c¯N𝔭−1r=ζr−s+k¯ with k¯∈𝔭¯,

where ⋅¯ denotes complex conjugation, and we see that (c¯ | 𝔭¯)r=(c | 𝔭)r¯ . By multiplicativity, these two properties apply also if we replace the lower argument 𝔭 by any b ∈ R coprime to r.

Hence, for a and b as in the statement of the lemma, we get

(ab)r¯=(a¯b¯)r=(±a±b)r=(ab)r,

which therefore has to be 1.

3 The basic idea

The basic idea of our protocol is the following. Suppose we are given a function f : A → {0, . . . , r − 1}, where A is a subset of R. We hope to find a prime number p such that the function f corresponds to the r-th power residue symbol with lower argument p on A. That is,

(1) (ab)r=ζrf(a) for each a∈A.

Then, we can securely compute f (a) by computing the residue symbol, which can hopefully be done more efficiently.

We will see in Section 5 how we can find such a prime p. Note however, that condition (1) often contains internal contradictions or other impossible requirements. It is then necessary to adapt A and f to resolve these.

Remark 6

In practice, to avoid the aforementioned internal contradictions in our requirements, the actual input values will first be encoded via some (ideally affine) function mapping to A. One can try many such encodings until one is found that is not contradictory. We will give considerations on the existence of good encodings in Section 5.3, and we will see an example in Section 6.

Let us note some initial requirements on the prime p. First, we want that (p) is a prime ideal of R, which is the case whenever p is different from r and does not split in R. We need this to be the case so that we can use basic facts about (a | p)_r, and so that F = R/(p) is a finite field of size p^r⁻¹. For reasons we will see later, we also wish for the value (ζ_r | p)_r to be ζ_r. It would be possible to fix it to another primitive root of unity, but that would complicate our analysis. We will show in Section 5 how to achieve this.

In our protocol, we will be using the fields 𝔽_p and F = R/(p). Note that an element in F can be represented by r − 1 elements of 𝔽_p via the basis {1,ζr,…,ζrr−2} . So given a linear secret sharing scheme over 𝔽_p, we can consider a sharing of an element in F as a sharing of r − 1 elements of 𝔽_p. See Section 4 for details.

Since the residue symbol (a | p)_r depends only on a modulo p, it is now possible to evaluate the function f at a ∈ A by instead evaluating (a | p)_r. We will see in Section 4 how to do this efficiently.

Remark 7

In the above, instead of getting a sharing of the result f (a) ∈ {0, . . . , r − 1} directly, we end up with the root of unity ζrf(a)∈F . If we decompose (a | p)r=a0+a1ζr+⋯+ar−2ζrr−2 with a_i ∈ 𝔽_p, this almost results in a one-hot encoding of f (a). The only difference is that r − 1 is represented by a_i = −1 for all i. A proper one-hot encoding can be computed locally by setting b_r₋₁ = (1 − a₀ − · · · − a_r₋₂)/r and b_i = a_i + b_r₋₁ for i < r − 1. If we prefer to share the result as a single value, we can then easily compute that as 0b₀ + 1b₁ + · · · + (r − 1)b_r₋₁.

4 Secure computation of the residue symbol

We will show how to compute the power residue symbol based on any arithmetic black-box protocol over the field 𝔽_p, for example based on secret sharing. This is analogous to how the Legendre symbol is computed in [12]. We note that only the upper argument of the residue symbol is secret, whereas the lower argument p is public. In order to explain how we do this, we first need to detail the model in which we will work.

Secure computation model

We consider the usual situation in secure multiparty computation: n parties P₁, . . . , P_n want to jointly compute the output of certain (public) function on private inputs which belong to some of the parties, by means of some protocol in which the parties can communicate over point-to-point secure channels between each pair of parties.

We will consider a static, semi-honest adversary, that corrupts some subset of parties at the onset of the protocol, and gets to see all communication received by these parties, but cannot make them deviate from the protocol.^[1] Security in this case means the adversary cannot infer more information about non-corrupted parties’ inputs and outputs than what is already implied by the corrupted parties’ inputs and outputs.

Our techniques work in fact on top of any secure computation protocol for arithmetic operations over 𝔽_p. This means that any given party can create an encoding [x]_{𝔽_p} of a value x ∈ 𝔽_p known to that party, so that: the adversary cannot obtain any knowledge about x from [x]_{𝔽_p} ; there is a protocol that allows the set of all parties to recover x ∈ 𝔽_p from [x]_{𝔽_p} ; and given sharings of elements x, y ∈ 𝔽_p (where x, y may not be known by the same party, in fact they may not be known by anybody) there are secure computation subprotocols that allow parties to compute encodings for x + y, xy and ax for public a ∈ 𝔽_p (denoted respectively [x + y]_{𝔽_p} = [x]_{𝔽_p} + [y]_{𝔽_p}, [xy]_{𝔽_p} = [x]_{𝔽_p} [y]_{𝔽_p}, [ax]_{𝔽_p} = a[x]_{𝔽_p}).

The customary example for this are secret-sharing based secure computation protocols, where the encoding [·]_{𝔽_p} is given by a secret sharing scheme. This scheme is furthermore often linear, which allows computing [x + y]_{𝔽_p} (resp. [ax]_{𝔽_p}) given [x]_{𝔽_p}, [y]_{𝔽_p} (resp. a and [x]_{𝔽_p}) by having each party operate locally on their shares, i.e., it requires no interaction among parties.

There exist many secret-sharing based arithmetic protocols which are secure against different types of adversaries, depending on which sets of parties the adversary can corrupt (the adversary structure) and whether we assume a restriction on the computational capabilities of the adversary or not (where we speak respectively of computational or information-theoretical security). For example, one can construct arithmetic black-box protocols which are information-theoretically secure against adversaries that can corrupt any set of t parties where t < n/2, and protocols which are computationally secure against adversaries corrupting any set of n − 1 parties.

Our protocols will inherit the security properties from the arithmetic black-box protocol over 𝔽_p, with respect to the adversary structure and adversary computational capabilities it tolerates.

Preprocessing

A usual resource in secure multiparty computation protocols is preprocessing: the fact that parties can initiate and typically carry out the heavy part of the secure computation protocol even before the (encoded) inputs are provided. That is, we can split the computation in two phases: a preprocessing, or offline phase, which is the phase carried out before the inputs are given and where the parties compute encodings of random correlated information; and an online phase, which uses the input and is typically much lighter. We will use this approach in our protocols too.

From encodings over 𝔽_p to encodings over F

As mentioned before, an encoding (e.g. a sharing) [x]_F of an element in F will simply be the encoding in 𝔽_p of each of its coordinates x_i ∈ 𝔽_p with respect to the basis {1,ζr,…,ζrr−2} , i.e. ([x]_{0𝔽_p}, [x]_{1𝔽_p}, . . . , [x]_{r−2𝔽_p}). Both additions and products of F-encodings can be obtained by operating on the 𝔽_p-encodings of their coordinates. Specifically, additions of two F-encodings require r − 1 additions of 𝔽_p-encodings (by just adding coordinate-wise the vectors of 𝔽_p-encodings), so in the case of a linear secret sharing scheme it can be done locally by the shareholders. Multiplying by a public constant in R can also be done locally, but it may involve up to O(r²) additions and multiplications of 𝔽_p-encodings by 𝔽_p-constants (depending on the public constant). Finally, products of two F-encodings require O(r²) products and O(r²) additions of 𝔽_p-encodings.

Inversions of roots of unity

Our algorithms will also need to invert F-encodings of r-th roots of unity in R (seen as elements in F), that is the elements ζri, i=0,…,r−1 . Note that (ζri)−1=ζrr−1 . Moreover, in the basis {1,ζr,…,ζrr−2} , ζri is given by the i-th unit vector (numbering from 0 to r − 2) if i < r − 1, and by the vector (−1, −1, . . . , −1) if i = r − 1, since ζrr−1=−1−ζr−⋯−ζrr−2 .

Therefore, given [x]_F = ([x]_{0𝔽_p}, [x]_{1𝔽_p}, [x]_{2𝔽_p} . . ., [x_r₋₂]_{𝔽_p}) where x=ζri for some i, it is easy to see that

[x]F−1:=[x−1]F=([x0−x1]𝔽p,[−x1]𝔽p,[xr−2−x1]𝔽p,…,[x2−x1]𝔽p).

In particular, if the 𝔽_p-encoding is given by a linear secret sharing scheme, these inversions can be computed locally.

Computing random elements of F

The parties can compute a uniformly random element of F in the usual way, described in Algorithm 1. Each party P_i chooses and shares a uniformly random value [x_i]_F. These values are then summed up: [x]F=∑i=0n[xi]F . In this way, the value x is uniformly random and secret.

Algorithm 1

Choosing a random element of F.

Each party P_i selects and shares a uniformly random [x_i]_F ∈ F

[x]F←∑i=1n[xi]F

return [x]_F

Arithmetic operations with random elements

Given [x]_F, [r]_F, where r is uniformly random in the sense above, opening [x + r]_F gives no additional information about x apart from the a priori knowledge parties might have about x. If parties open [xr]_F and find out that xr ≠ 0, the only new information parties may learn about x is that x ≠ 0, but all other information about x is protected.

Computing a random solved instance

In a preprocessing phase, the parties need to compute a random solved instance of the power residue symbol. That is, they want a pair of shared values ([x]_F, [x′]_F), where x′ = (x | p)_r and x is uniformly random in F^* and unknown to the parties. To do this, we proceed as in [12], and in Algorithm 2. The parties first select two uniformly random shared values [a]_F and [b]_F and multiply them: [d]_F = [a]_F[b]_F. They then compute and open f = d^r. If this is zero, they abort. Otherwise, they know that a and d are uniformly random and independent elements of F^*, since F is a finite field. The parties then compute an r-th root d^ of f in the clear. We see that d/d^ is a uniformly random r-th root of unity. Hence,

[x]F=[a]Fr[d]Fd^, [x′]F=[(xp)r]F=[d]Fd^

constitute a uniformly random solved instance. Recall that we require (ζ_r | p)_r = ζ_r, so that (d/d^ | p)r=d/d^

Algorithm 2

Offline phase: Find a random solved instance ([x]_F, [x′]_F) of the residue symbol, i.e. x′ = (x | p)_r

[a]_F ←_R F

[b]_F ←_R F

[d]_F ← [a]_F[b]_F

f←[d]Fr

if f = 0 then

abort

end if

d^←fr

[x′]F←[d]F/d^

[x]F←[a]Fr[x′]F

return ([x]_F, [x′]_F)

Computing the residue symbol

In the online phase, described in Algorithm 3, the parties then wish to compute the residue symbol of a secret shared value [a]_F. We assume that a is known to be nonzero, which can be guaranteed by using a suitable encoding, as in Remark 6. Suppose we have a fresh random solved instance ([x]_F, [x′]_F). The parties compute and open ax, which is uniformly random in F^* and hence does not reveal any information about a. They can then compute the residue symbol (ax | p)_r in the clear, and finally obtain

[(ap)r]F=(axp)r⋅[x′]F−1.

Algorithm 3

Online phase: Compute the residue symbol of [a]_F, given a solved instance ([x]_F, [x′]_F).

b ← [a]_F[x]_F

c ← (b | p)_r

return c⋅[x′]F−1

Computational and communication cost

The offline phase (Algorithm 2) can be optimized using the unbounded fan-in multiplication of [9], based on [2], which takes 3 rounds, 2l invocations of Algorithm 1 and 3l − 1 multiplications to secretly multiply l values. Since the first two rounds of the unbounded fan-in multiplication protocol are independent of the inputs, the values [a]_F and [b]_F can be generated and [d]_F = [a]_F[b]_F computed at the same time. Then, [d]Fr and [a]Fr[d]F are computed, and [d]Fr opened, in the third round. This gives a total cost of 3 rounds, as well as 2r + 3 invocations of Algorithm 1 and 6r + 2 multiplications of elements in F.

The online phase costs a single multiplication in F and one opening, which can be done in a single round. Recall that computing the inverse of a root of unity can be done locally.

Recall that multiplication of elements in F is more expensive than multiplication in 𝔽_p, a naïve implementation taking O(r²) multiplications in the base field, which however can be done in parallel in a single round. Also, unbounded fan-in multiplication precludes the use of square-and-multiply methods for exponentiation. However, since the exponent r is typically very small, that is not necessary.

5 Finding the modulus

We are looking for a suitable prime modulus p by checking the conditions (1) for many primes p. While it is possible to do this by simply computing (a | p)_r for all a ∈ A, the computation of the residue symbol is relatively expensive in practice. In the following, we instead translate the conditions into equations of the form p ∈ M_a (mod N_a) for a ∈ A, where M_a ⊆ ℤ/N_aℤ and N_a > 1, which are much faster to check.

Recall from Section 3 that we want (p) to be a prime ideal of R. This is equivalent to p being a generator of the multiplicative group 𝔽r* , by [8, Theorem 2, p. 196]. Hence, this condition depends only on p modulo r. Furthermore, we wish to fix (ζ_r | p)_r = ζ_r. Since

(ζrp)r=ζrpr−1−1r,

by definition, this is equivalent to having p^r⁻¹ ≡ r + 1 (mod r²). This gives us the first equation for p: let

M0={q∈ℤ/r2ℤ | q is a generator of 𝔽r* and qr−1=r+1}.

Then, we require that p ∈ M₀ (mod r²).

We now wish to impose a condition of the form (a | p)r=ζrℓ for some a ∈ R \ {0} and ℓ ∈ ℤ. We need to distinguish multiple cases.

Case 1: a is a unit

By Theorem 4, we can write a=±ζrku , where k ∈ ℤ and u is a positive real unit. Applying Lemma 5, we see that

(ap)r=(±up)r(ζrkp)r=ζrk,

which is independent of p. Requirements of this form are hence satisfied either for all primes under consideration or for none. If it is never satisfied, the requirements need to be adjusted by choosing a new encoding as in Remark 6.

Case 2: a is coprime to r and not a unit

There is some k ∈ ℤ such that a^=ζrka is primary. So we want that p is coprime to a and

ζrℓ=!(ap)r=(ζrp)r−k(a^p)r=ζr−k(pa^)r=ζr−k(p mod N(a^)a^)r,

the last equation holds because the value of the residue symbol (p | â)_r depends only on p modulo N(â). This gives us another modular equation for p: let

Ma={q∈ℤ/N(a^)ℤ | (qa^)r=ζrℓ+k}.

Then, we require that p ∈ M_a (mod N(â)).

Case 3: a is not coprime to r

Let first μ=1−ζr2 , which is a prime element of R. Note that

(μp)r=(ζrp)r(ζr−1−ζrp)r=ζr

by Lemma 5, since ζr−1−ζr is purely imaginary. The ideal (r) factors as (μ)^r−1 in R, so we can write a = μ^m ã for some m > 0 and ã coprime to r. (m is the valuation of a at (μ).) We proceed as before with ã instead of a. If ã is a unit, then as in Case 1, the requirement is either always satisfied or never. If ã is not a unit, let k ∈ ℤ such that a^=ζrka˜ is primary. We end up with the set

Ma={q∈ℤ/N(a^)ℤ | (qa^)r=ζrℓ+k−m},

and we require that p ∈ M_a (mod N(â)).

5.1 Computing the conditions

How do we find the elements of the set M_a? First, we note that M_a is contained in (ℤ/N(â)ℤ)^*. Since it appears inevitable that our procedure takes at least polynomial time in N(â), the brute force method of simply computing (q | â)_r for each q ∈ (ℤ/N(â)ℤ)^* seems viable. However, computation of the residue symbol is relatively expensive in practice, so we use a method that requires only few invocations of the residue symbol.

Since the residue symbol is multiplicative, the set

Ha={q∈(ℤ/N(a^)ℤ)* | (aa^)r=1}

is a subgroup of (ℤ/N(â)ℤ)^*. If H_a is the entirety of (ℤ/N(â)ℤ)^*, the condition p ∈ M_a (mod N(â)) is satisfied for all values or no value of p. In the latter case, we need to start over with a new encoding of the inputs (see Remark 6).

If however H_a is a proper subgroup, it follows that it has index r, and that the set M_a is a coset of H_a. We use the fact that the index is known to efficiently find a set of generators for H_a, after which the entirety of M_a can easily be computed.

For this, we first need to find a set of generators g₁, . . . , g_n of (ℤ/N(â)ℤ)^*, of orders k₁, . . . , k_n, which induce an isomorphism

ℤ/k1ℤ×⋯×ℤ/knℤ→∼(ℤ/N(a^)ℤ)*.

The Sage computer algebra system [11] contains a function that provides these generators, with the same complexity as factoring N(â).

We describe the algorithm for computing a set of generators for the subgroup H_a in the following setting, which is related to the hidden subgroup problem.

Finding a subgroup with known index

Suppose we are given an abelian group of the form G = ℤ/k₁ℤ × · · · × ℤ/k_nℤ, where k₁, . . . , k_n ∈ ℤ_>1. Suppose furthermore that we have access to the characteristic function χ: G → {0, 1} of a subgroup H ⊆ G of index dividing r, where r is a known prime number. That is, χ(x) = 1 if and only if x ∈ H. The goal is to find a set of generators of H, using only a small number of invocations of χ.

First, we note that by pulling H back along the projection homomorphism π : ℤⁿ → G, we get a lattice H̃ containing k₁ℤ × · · · × k_nℤ. Let χ˜=χ∘π be the characteristic function of H̃. We now find a basis for H̃, which maps to a set of generators of H. Every full rank lattice contained in ℤⁿ has a unique basis given by the columns of a full rank n × n integer matrix B in Hermite normal form [6]. That is, B = (B_ij) satisfies

Bij=0 for 1≤i<j≤n, Bii>0 for 1≤i≤n,0≤Bij<Bii for 1≤j<i≤n.

Let B now be such a basis matrix for the lattice H̃. The determinant of B is equal to the index of the subgroup H in G, and hence divides the prime r by assumption. This means that B has at most one diagonal entry equal to r, with all others being 1.

For example, the matrix B might look like this:

B=(10000100a1a2r00001),

with 0 ≤ a₁, a₂ < r.

To find the basis h₁, . . . , h_n of H̃, we now proceed as in Algorithm 4. Let e₁, . . . , e_n be the standard basis vectors of ℤⁿ. We let i decrease from n to 1, and so go through the columns of B from right to left.

For as long as χ˜(ei)=1 , we simply set h_i = e_i.
If χ˜(ei)=0 , we know that we have reached the column with r in the diagonal, so we set h_i = re_i and fix J = i.
For each of the remaining values of i, we search for the unique a ∈ {0, . . . , r−1} such that χ˜(ei+aeJ)=1 , and set h_i = e_i + ae_J.

Algorithm 4

Computing a basis of a sublattice H̃ ⊆ ℤⁿ of prime index r, given the characteristic function χ˜ of H̃.

J ←0

for i from n to 1 do

if J = 0 then

if χ˜(ei)=1 then

h_i ← e_i

else

h_i ← r · e_i

J ← i

end if

else

for a from 0 to r − 1 do

if χ˜(ei+aeJ)=1 then

h_i ← e_i + ae_J

end if

end for

end if

end for

This way, we can compute the basis of H̃ using at most (n − 1)r + 1 invocations of χ. Note that if the index of H is 1, the algorithm simply returns the original basis e₁, . . . , e_n.

Remark 8

In the case relevant to this paper, χ is given by the residue symbol, which not only tells us whether an element is in H, but in which coset of H it lies. In this case, the value a in step 3 above can be computed with a single invocation of χ, which reduces the total number of invocations needed to just n.

Remark 9

The algorithm can easily be generalized to the case where r is not prime, in which case there may be multiple diagonal entries not equal to 1. It requires at most nr invocations of χ.

5.2 Complexity of finding the modulus

Given the equations we determined above, what size can we expect for the smallest prime p that satisfies them, assuming that they are indeed satisfiable? We have seen in Section 5.1 that M_a for a ∈ A is a subset of (ℤ/N(â)ℤ)^* of size at least ϕ(N(â))/r, if it is not empty, where ϕ is the Euler phi function. Since in practice p is a prime larger than any N(â), its reduction modulo N(â) will always lie in (ℤ/N(â)ℤ)^*. Let us assume that the reductions of p in (ℤ/N(â)ℤ)^* for a ∈ A and in (ℤ/r²ℤ)^* are uniformly random and independent, for random p.^[2] Then we have p ∈ M_a (mod N(â)) with probability at least 1/r. Further, p ∈ M₀ is satisfied with probability ϕ(r − 1)/ϕ(r²) > 1/r². We can hence estimate the smallest prime satisfying the equations to have size at most O(r^|A|⁺²(|A| + 2) log r) by the prime number theorem.

To check if a given prime integer p satisfies the conditions (1), we could simply compute (a | p)_r for all a ∈ A. A single such test can be done by raising a to the (N(p) − 1)/r-th power in R/(p), which takes O(log N(p)) = O(r log p) multiplications in R/(p), or O(r³ log p) multiplications in 𝔽_p, giving a time complexity of Õ(r³ log² p) using Schönhage-Strassen multiplication. By the previous paragraph, we expect that we need to test around Õ(r^|A|⁺²) primes, taking time around Õ(r^|A|⁺² · |A| · r³ log²(r^|A|⁺²)) = Õ(r^|A|⁺⁵|A|³). We also need to test Õ(r^|A|⁺²|A|) integers for primality, which takes time Õ(r^|A|⁺²|A| log² r^|A|) = Õ(r^|A|⁺²|A|³) using Miller-Rabin.

Instead, in the method described in the beginning of Section 5, we first list the sets M_a for all a ∈ A. Using the idea described in Section 5.1, we expect the dominating cost to be the enumeration of M_a after the generators have been found. If n is an upper bound on the norms of the elements of A, we can then estimate the time and memory cost of the first step to be Õ(n|A|). Then, checking a single condition from (1) consists of a modular reduction of integers and a set membership test, taking time Õ(log p). In this case the cost of the Miller-Rabin primality test dominates, giving an estimated total time complexity for the second step of Õ(r^|A|⁺²|A|³). Alternatively, the Sieve of Eratosthenes can be used to reduce this to Õ(r^|A|⁺²|A|²) at the cost of Õ(r^|A|⁺²|A|) memory.

Although the asymptotic estimates for the two methods are quite similar, our experiments indicate that the second method is significantly faster when the norms of the elements of A are not too large. However, we will see in Section 5.3 that the case of large norms is interesting as well.

5.3 Existence of a good encoding

As mentioned in and before Remark 6, for a given choice of A and f: A → {0, . . . , r − 1} it is often impossible to satisfy (1) due to internal contradictions. So in order to compute a desired function f′ : A′ → {0, . . . , r − 1}, we need to find some values of A and f that do not lead to such contradictions, together with an encoding (an affine map) E : A′ → A satisfying f ○ E = f′.

For small choices of A′, it may be possible to find an encoding using trial and error, as we have done in the example of Section 6. We do not know of a guaranteed way to find good encodings, but we give some considerations on the matter.

One common cause of contradictions is that different elements of A can have prime factors in common (or prime factors that are conjugates of each other under an automorphism of R). Trying to satisfy some of the requirements in (1) can fix the residue symbol on the prime factors, which may end up fixing the residue symbol of some other element of A to an undesirable value. To avoid this, we could try to find an encoding such that no two distinct elements of A have prime factors that are conjugates of each other.

Proposition 10

Let A′ ⊂ R be a finite subset containing no two distinct elements that are conjugate to each other under an automorphism of R.

Let s′ be the product of all nonzero elements of the form a − σ(b) for a, b ∈ A′ and σ ∈ Aut(R). Define s ∈ ℤ as the product of all (integer) prime numbers dividing N(s′), and let q ∈ ℤ be coprime to s.

Then, no two distinct elements of A = {q + as | a ∈ A′} have prime factors that are conjugate under an automorphism of R.

Proof

Let p be a prime element of R dividing s. Since p does not divide q, it cannot divide q + as for any a ∈ A′.

Suppose now that we have a, b ∈ A′, σ ∈ Aut(R) and a prime element p ∤ s such that p | q + as and σ(p) | q + bs. Hence,

p | (q+as)−σ−1(q+bs)=(a−σ−1(b))s.

Since p is prime and does not divide s, it must divide a − σ⁻¹(b). However, if a − σ⁻¹(b) is nonzero, its prime factors are also factors of s by definition. Hence a = σ⁻¹(b), and so a = b by the condition on A′.

In this case, the norms N(a) for a ∈ A are pairwise coprime. The norms N(â) are furthermore coprime to r by construction of â (see Section 5). Under the assumption that the equations q ∈ M_a (mod N(â)) and q ∈ M₀ (mod r²) are individually satisfiable, it then follows by the Chinese remainder theorem and Dirichlet's prime number theorem that a prime solution p exists that satisfies all at once.

However, it is not guaranteed that the individual equations are satisfiable. For example, the residue symbol (â | p)_r for â a unit, or an r-th power, or real or purely imaginary is independent of p, so M_a may be empty. Since these types of elements are relatively uncommon, it may nonetheless be possible to avoid them with a good choice of A. In fact, if A′ is chosen as a subset of ℤ, the construction in Proposition 10 will always result in A ⊂ ℤ. It is therefore necessary to choose an A′ that does not consist of integers, for example by finding a suitable “pre-encoding” E′ : A″ → A′.

The downside of this approach is that it results in a ∈ A of very large norm, which can make the sets M_a unmanageably large. It may therefore be preferable to simply test the conditions (1) directly instead of applying the method described in the beginning of Section 5.

When the norms N(â), a ∈ A, and r are pairwise coprime, there is another approach to finding a solution p that does not require enumerating M_a: Let N = r²∏_a∈A N(â), and pick a random element b_a ∈ M_a for each a ∈ A, as well as b₀ ∈ M₀. It should be feasible to find these if they exist, since at least one in r elements of (ℤ/N(â)ℤ)^* is in M_a. Then, use the Chinese remainder theorem to translate (b_a)_a∈A∪{0} to b ∈ (ℤ/Nℤ)^*, and test if b is prime. If not, multiply b by a random r-th power in (ℤ/Nℤ)^* congruent to 1 modulo r² and test again. This way, we expect to find a prime in around log(N) steps. Unfortunately, the resulting prime will be of size O(N), which may be too large for practical purposes.

6 Toy example

We present an example, in which we compute reduction modulo 3 for integers x ∈ {0, . . . , n} for some small n. We pick r = 3. This example was constructed with the help of the Sage computer algebra system [11].

Setting A = {0, . . . , n} and f (x) = x mod 3 cannot work for this, since (x | p)_r = 1 for all valid primes p and x ∈ ℤ with p ∤ x, by Lemma 5. Instead, we encode the problem as follows. Let n = 18, and

A={11+xζr | 0≤x≤18}f(11+xζr)=x mod 3.

This encoding was found by trial and error. Then, following our procedure from Section 5, we get

M0={q∈ℤ/9ℤ | q is a generator of 𝔽3* and q2≡4}={2}.

For e.g. a = 11 + 5ζ_r, we have f (a) = ℓ = 2, so we want (a | p)r=ζr2 . We have N(a) = 91, so a is coprime to 3. Furthermore, â = ζ_ra = 6ζ_r − 5 is primary, so k = 1. We hence get

Ma={q∈ℤ/91ℤ | (qa^)r=ζrℓ+k=ζr3=1}={1,2,4,8,16,17,23,27,32,34,37,45,46, 54,57,59,64,68,74,75,83,87,89,90}.

Similarly, we find M_a for all other a ∈ A.

Finally, we use brute force to find a prime p which lies in M₀ and in each M_a after the appropriate modular reduction. The smallest one is

p=26 403 527.

We conclude that

(11+xζrp)r=ζrx mod 3

for 0 ≤ x ≤ 18.

One can show that it is not possible to extend the example above to a = 11 + 19ζ_r.

7 Alternatives

There are several alternatives for computing an arbitrary function f : A → {0, . . . , r − 1} in a secret shared manner using a constant number of rounds.^[3]

For example, one may use Lagrange interpolation to find a degree |A| − 1 polynomial F ∈ R[x] that agrees with f on A. The polynomial can then be evaluated in three rounds using unbounded fan-in multiplication [2, 9], the first two of which can be done in precomputation. This compares favourably to our protocol, which has three offline and one online round. Furthermore, polynomial interpolation works for any prime modulus larger than max{|A|, r}, whereas our protocol requires a specific and much larger prime modulus. On the other hand, our protocol has the advantage of requiring fewer multiplications, namely O(r) instead of O(|A|).

One could also consider decomposing f into a sequence of two-valued functions f₁, . . . , f_k : A → {0, 1} and computing each using the Legendre symbol. It would then be necessary to find k different (affine) encodings E_i : A → ℤ, 1 ≤ i ≤ k, and a prime p such that f_i(a) agrees with 2(E_i(a) | p) − 1 simultaneously for all i. Such encodings could be found using similar ideas to those presented in Section 5.3 and [12]. If we assume that the E_i have disjoint images, and that the residue symbol on the elements of these images are uniformly random and independent, this would give us a p of expected size O(2^k|A|k|A|). If we use a one-hot encoding to represent f (x) = 1f₁(x) + · · · + (r − 1)f_r₋₁(x), we get k = r − 1, which results in a much larger estimate for p than in our method. One could instead choose k = ⌈log₂ r⌉ and encode f as a Boolean circuit in the f_i. This would result in a similar expected size for p as in our protocol, but may require extra rounds to evaluate the circuit, especially if a one-hot encoding of the output is desired. Compared to our protocol, this method takes the same number of offline rounds, but either gives a larger expected p or requires extra online rounds. In some cases, the estimate for p can be improved by choosing E_i with overlapping images. For example, using a one-hot encoding for the function f (x) = x mod 3 of our toy example, one may notice that f₂(x) = f₁(x − 1) and so use two mostly overlapping encodings.

8 Conclusion

We have introduced a protocol for secure multiparty computation which allows the evaluation of certain desired functions f : A → {0, . . . , r − 1} on secret shared values, for a small subset A ⊂ ℤ[ζ_r] of the r-th cyclotomic ring, where r is a small prime. Our protocol is a generalization of a protocol by Yu [12], and makes use of the residue symbol of ℤ[ζ_r], by getting it to agree with the desired function on A. It uses only a single round in the online phase, and a constant number of offline preprocessing rounds.

We can then use this idea to compute a function g over a more “natural” domain, like A′ ⊂ ℤ, by first encoding it as a function f : A → {0, . . . , r − 1} in a suitable way. As we have shown in the example, there may be different ways of doing this encoding, and the feasibility and performance of our technique may depend on the chosen encoding.

It is an open question to find concrete applications where our protocol has significant advantages over alternative solutions, such as polynomial interpolation. It is also of interest to improve and formalize the methods of encoding a desired function in such a way as to be compatible with the residue symbol, and so that p remains reasonably small, which so far we have mostly done by trial and error.

Acknowledgement

This work is supported by Aalborg University under the SECURE project.

We wish to thank an anonymous reviewer for the alternative idea of encoding a function in terms of several two-valued functions, see Section 7.

References

[1] M. Abspoel, N. J. Bouman, B. Schoenmakers and N. de Vreede, Fast Secure Comparison for Medium-Sized Integers and Its Application in Binarized Neural Networks, in: Topics in Cryptology – CT-RSA 2019 (M. Matsui, ed.), Springer, Cham, pp. 453–472, 2019.10.1007/978-3-030-12612-4_23Search in Google Scholar

[2] J. Bar-Ilan and D. Beaver, Non-Cryptographic Fault-Tolerant Computing in Constant Number of Rounds of Interaction, in: Proc. 8th ACM Symp. on Principles of Distributed Computing, PODC ’89, pp. 201–209, ACM, New York, 1989.10.1145/72981.72995Search in Google Scholar

[3] Y. F. Bilu, Y. Bugeaud and M. Mignotte, The Problem of Catalan, Springer, Cham, 2014.10.1007/978-3-319-10094-4Search in Google Scholar

[4] R. Cramer, I. B. Damgård and J. B. Nielsen, Secure Multiparty Computation and Secret Sharing, Cambridge University Press, New York, 2015.10.1017/CBO9781107337756Search in Google Scholar

[5] I. Damgård, M. Fitzi, E. Kiltz, J. B. Nielsen and T. Toft, Unconditionally Secure Constant-Rounds Multi-party Computation for Equality, Comparison, Bits and Exponentiation, in: Theory of Cryptography (S. Halevi and T. Rabin, eds.), Springer, Berlin, Heidelberg, pp. 285–304, 2006.10.1007/11681878_15Search in Google Scholar

[6] C. Dwork, Lattices and Their Application to Cryptography, Lecture Notes, Stanford University, 1998.Search in Google Scholar

[7] U. Feige, J. Killian and M. Naor, A Minimal Model for Secure Computation, in: Proc. 26th ACM Symp. on Theory of Computing, STOC ’94, pp. 554–563, ACM, New York, 1994.10.1145/195058.195408Search in Google Scholar

[8] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, 2nd ed, Graduate Texts in Mathematics 84, Springer-Verlag, New York, 1990.10.1007/978-1-4757-2103-4Search in Google Scholar

[9] T. Nishide and K. Ohta, Multiparty Computation for Interval, Equality, and Comparison Without Bit-Decomposition Protocol, in: Public Key Cryptography – PKC 2007 (T. Okamoto and X. Wang, eds.), pp. 343–360, Springer, Berlin, Heidelberg, 2007.10.1007/978-3-540-71677-8_23Search in Google Scholar

[10] A. Shamir, How to Share a Secret, Commun. ACM 22 (1979), 612–613.10.1145/359168.359176Search in Google Scholar

[11] W. A. Stein et al., Sage Mathematics Software (Version 9.1), The Sage Development Team, 2020.Search in Google Scholar

[12] C.-H. Yu, Sign Modules in Secure Arithmetic Circuits., Cryptology ePrint Archive, Report 2011/539, 2011.Search in Google Scholar

Received: 2020-03-17

Accepted: 2020-12-07

Published Online: 2021-01-29

This work is licensed under the Creative Commons Attribution 4.0 International License.

A note on secure multiparty computation via higher residue symbols

Abstract

1 Introduction

2 The power residue symbol

Definition 1

Definition 2

Theorem 3

Theorem 4

Lemma 5

Proof

3 The basic idea

Remark 6

Remark 7

4 Secure computation of the residue symbol

5 Finding the modulus

5.1 Computing the conditions

Remark 8

Remark 9

5.2 Complexity of finding the modulus

5.3 Existence of a good encoding

Proposition 10

Proof

6 Toy example

7 Alternatives

8 Conclusion

Acknowledgement

References

Journal and Issue

Articles in the same Issue