Skip to content
BY 4.0 license Open Access Published by De Gruyter January 29, 2021

A note on secure multiparty computation via higher residue symbols

  • Ignacio Cascudo and Reto Schnyder EMAIL logo


We generalize a protocol by Yu for comparing two integers with relatively small difference in a secure multiparty computation setting. Yu's protocol is based on the Legendre symbol. A prime number p is found for which the Legendre symbol (· | p) agrees with the sign function for integers in a certain range {−N, . . . , N} ⊂ ℤ. This can then be computed efficiently.

We generalize this idea to higher residue symbols in cyclotomic rings ℤ[ζr] for r a small odd prime. We present a way to determine a prime number p such that the r-th residue symbol (· | p)r agrees with a desired function f:A{ζr0,,ζrr1} on a given small subset A ⊂ ℤ[ζr], when this is possible. We also explain how to efficiently compute the r-th residue symbol in a secret shared setting.

MSC 2010: 11T71; 94A60

1 Introduction

In secure multiparty computation (MPC), a group of parties, each of which has some secret data, wish to collaboratively compute a function on it without revealing their inputs. A common technique for this is to represent the inputs as elements of a finite field 𝔽p and represent the function as an arithmetic circuit over that finite field, i.e. as an expression consisting of nested sums and products over 𝔽p involving the inputs and public values, and then process this circuit gate-by-gate. For example in secret-sharing based secure multiparty computation protocols, inputs are secret shared among the parties using a linear secret sharing scheme, such as Shamir's scheme [10] or additive secret sharing. In such a scheme, addition of two secrets and multiplication of a secret by a public value can be done by simply performing the operation locally. Multiplication of two secrets can be achieved with a small amount of additional communication between the parties. See for example the book [4] for details about how this plays out in a number of secret-sharing based MPC protocols. But many other operations are more complicated to perform in a secret shared setting, especially those that do not correspond to natural operations in a finite field. Examples for this are integer comparison, integer division and modular reduction by values that are coprime to p. Protocols that compute such operations often rely on decomposing a shared value into its binary representation, after which the operation can be performed on secret shared bits [e.g. 5]. However, this decomposition involves a significant computational and communication cost, so there is much interest in more straightforward protocols for these operations. There are other protocols which do not rely on the decomposition of shared values, but still operate in a bitwise manner by using random pre-decomposed sharings [9].

An alternative idea for comparison of secret values is given in [12]. Their protocol attempts to compute the sign of a secret shared value [a]𝔽p by computing the Legendre symbol (a | p). For this to work, they must choose the prime modulus p in such a way that all values {1, . . . , N} are quadratic residues modulo p, for a relatively large N, and that −1 is a quadratic non-residue. Then, it holds that sgn(a) = (a | p) for − NaN. Two integers a and b can then be compared by computing sgn(ab) = (ab | p), assuming |ab|N. The Legendre symbol can be computed relatively easily in a secret-shared setting using a few rounds of precomputation and a single online round. Yu shows that at any given order of magnitude, a prime p can be found which satisfies the desired properties with N being of size Ω(log p). The inspiration for this protocol comes from [7], where the idea is first presented for the special case N = 2, p = 7.

In [1], the authors improve on Yu's method and extend the range where the comparison is valid by a factor of roughly three, for a given modulus size. They achieve this by computing the residue symbol on a small neighbourhood of the input value and performing a majority vote. They also provide another protocol that increases the valid range by a factor of five compared to Yu, but requires an additional online round.

Our contribution

In this paper, we present a generalization of the idea of [12] by using the residue symbol in a cyclotomic ring ℤ[ζr], for some odd prime r. The goal is to compute a chosen function f : A → {0, . . . , r − 1} in a limited domain A ⊂ 𝔽p[ζr]. We develop a method for finding a prime number p such that the r-th power residue symbol coincides with f on the domain A, when this is possible:


As in [12], our protocol requires an offline precomputation phase, but has an online phase consisting of a single round. As an added benefit, the output of f is obtained in a one-hot encoding, which can be helpful if it is e.g. used in a condition for a branching algorithm.

Unfortunately, we are not currently aware of a practical use of our protocol, since the limitations on the size of A are too strict. However, we hope that our new ideas motivate future work that can lessen these restrictions and find applications where our idea outperforms existing solutions.

Outline of the paper

In Section 2, we present basic definitions and facts about the power residue symbol in a cyclotomic ring. We then present the idea of our protocol in Section 3, and in Section 4 we explain in detail how to compute the residue symbol. Then, in Section 5, we present a method for finding an appropriate modulus p given a desired function to compute. We give a toy example in Section 6 to illustrate our ideas. Finally, in Section 7, we compare our method to other constant-round protocols for computing arbitrary functions.

2 The power residue symbol

Let r be an odd prime. Let R = ℤ[ζr] be the r-th ring of cyclotomic integers, considered as a subring of ℂ. Here, ζr is a primitive r-th root of unity. If 𝔟 is an ideal of R, we denote by N𝔟 its norm.

Definition 1

(See [8, Prop. 14.2.1]). Let 𝔭 be a nonzero prime ideal of R such that r ∉ 𝔭, and let aR \ 𝔭. Then, there exists an integer s, unique modulo r, such that


We define the r-th power residue symbol as


If a ∈ 𝔭, we define (a | 𝔭)r = 0.

It holds that a is an r-th power modulo 𝔭 if and only if (a | 𝔭)r = 1. Clearly, the power residue symbol is multiplicative in the first argument. That is, for a, bR, we have


If 𝔟 is any proper ideal of R coprime to r, we extend the power residue symbol multiplicatively. That is, if 𝔟 factors into prime ideals as 𝔟 = 𝔭 1 · · · 𝔭 s, then


Finally, if bR is any non-unit coprime to r, we simply define


where (b) is the ideal generated by b.

Definition 2

(See [8, p. 206]). An element aR is called primary if it is coprime to r, not a unit and congruent to a rational integer modulo (1 − ζr)2.

If aR is coprime to r and not a unit, then there is a unique k ∈ {0, . . . , r − 1} such that ζrka is primary.

Theorem 3

(Eisenstein Reciprocity, [8, Theorem 1, p. 207]). Let b ∈ ℤ be coprime to r and not a unit. Let aR be primary and coprime to b. Then,


Theorem 4

(See [3, Theorem 4.9]). The group of units R* is the direct product of the group of roots of unity in R and the group of positive real units (R ∩ ℝ>0)*.

Lemma 5

Let a, bR, such that b is a non-unit coprime to r and a. Suppose that each of a and b is either real or purely imaginary. Then, (a | b)r = 1.


First, note that for any prime ideal 𝔭 not containing r, we have


which is 1 if 𝔭 lies above an odd prime number, and −1 if it lies above 2. But in the second case, −1 1 (mod 𝔭), so either way, (−1 | 𝔭)r = 1.

Let now cR \ 𝔭, and let (c|𝔭)r=ζrs . We have


where ¯ denotes complex conjugation, and we see that (c¯|𝔭¯)r=(c|𝔭)r¯ . By multiplicativity, these two properties apply also if we replace the lower argument 𝔭 by any bR coprime to r.

Hence, for a and b as in the statement of the lemma, we get


which therefore has to be 1.

3 The basic idea

The basic idea of our protocol is the following. Suppose we are given a function f : A → {0, . . . , r − 1}, where A is a subset of R. We hope to find a prime number p such that the function f corresponds to the r-th power residue symbol with lower argument p on A. That is,

(1) (ab)r=ζrf(a)foreachaA.

Then, we can securely compute f (a) by computing the residue symbol, which can hopefully be done more efficiently.

We will see in Section 5 how we can find such a prime p. Note however, that condition (1) often contains internal contradictions or other impossible requirements. It is then necessary to adapt A and f to resolve these.

Remark 6

In practice, to avoid the aforementioned internal contradictions in our requirements, the actual input values will first be encoded via some (ideally affine) function mapping to A. One can try many such encodings until one is found that is not contradictory. We will give considerations on the existence of good encodings in Section 5.3, and we will see an example in Section 6.

Let us note some initial requirements on the prime p. First, we want that (p) is a prime ideal of R, which is the case whenever p is different from r and does not split in R. We need this to be the case so that we can use basic facts about (a | p)r, and so that F = R/(p) is a finite field of size pr−1. For reasons we will see later, we also wish for the value (ζr | p)r to be ζr. It would be possible to fix it to another primitive root of unity, but that would complicate our analysis. We will show in Section 5 how to achieve this.

In our protocol, we will be using the fields 𝔽p and F = R/(p). Note that an element in F can be represented by r − 1 elements of 𝔽p via the basis {1,ζr,,ζrr2} . So given a linear secret sharing scheme over 𝔽p, we can consider a sharing of an element in F as a sharing of r − 1 elements of 𝔽p. See Section 4 for details.

Since the residue symbol (a | p)r depends only on a modulo p, it is now possible to evaluate the function f at aA by instead evaluating (a | p)r. We will see in Section 4 how to do this efficiently.

Remark 7

In the above, instead of getting a sharing of the result f (a) ∈ {0, . . . , r − 1} directly, we end up with the root of unity ζrf(a)F . If we decompose (a|p)r=a0+a1ζr++ar2ζrr2 with ai ∈ 𝔽p, this almost results in a one-hot encoding of f (a). The only difference is that r − 1 is represented by ai = −1 for all i. A proper one-hot encoding can be computed locally by setting br−1 = (1 − a0 − · · · − ar−2)/r and bi = ai + br−1 for i < r − 1. If we prefer to share the result as a single value, we can then easily compute that as 0b0 + 1b1 + · · · + (r − 1)br−1.

4 Secure computation of the residue symbol

We will show how to compute the power residue symbol based on any arithmetic black-box protocol over the field 𝔽p, for example based on secret sharing. This is analogous to how the Legendre symbol is computed in [12]. We note that only the upper argument of the residue symbol is secret, whereas the lower argument p is public. In order to explain how we do this, we first need to detail the model in which we will work.

Secure computation model

We consider the usual situation in secure multiparty computation: n parties P1, . . . , Pn want to jointly compute the output of certain (public) function on private inputs which belong to some of the parties, by means of some protocol in which the parties can communicate over point-to-point secure channels between each pair of parties.

We will consider a static, semi-honest adversary, that corrupts some subset of parties at the onset of the protocol, and gets to see all communication received by these parties, but cannot make them deviate from the protocol.[1] Security in this case means the adversary cannot infer more information about non-corrupted parties’ inputs and outputs than what is already implied by the corrupted parties’ inputs and outputs.

Our techniques work in fact on top of any secure computation protocol for arithmetic operations over 𝔽p. This means that any given party can create an encoding [x]𝔽p of a value x ∈ 𝔽p known to that party, so that: the adversary cannot obtain any knowledge about x from [x]𝔽p ; there is a protocol that allows the set of all parties to recover x ∈ 𝔽p from [x]𝔽p ; and given sharings of elements x, y ∈ 𝔽p (where x, y may not be known by the same party, in fact they may not be known by anybody) there are secure computation subprotocols that allow parties to compute encodings for x + y, xy and ax for public a ∈ 𝔽p (denoted respectively [x + y]𝔽p = [x]𝔽p + [y]𝔽p, [xy]𝔽p = [x]𝔽p [y]𝔽p, [ax]𝔽p = a[x]𝔽p).

The customary example for this are secret-sharing based secure computation protocols, where the encoding [·]𝔽p is given by a secret sharing scheme. This scheme is furthermore often linear, which allows computing [x + y]𝔽p (resp. [ax]𝔽p) given [x]𝔽p, [y]𝔽p (resp. a and [x]𝔽p) by having each party operate locally on their shares, i.e., it requires no interaction among parties.

There exist many secret-sharing based arithmetic protocols which are secure against different types of adversaries, depending on which sets of parties the adversary can corrupt (the adversary structure) and whether we assume a restriction on the computational capabilities of the adversary or not (where we speak respectively of computational or information-theoretical security). For example, one can construct arithmetic black-box protocols which are information-theoretically secure against adversaries that can corrupt any set of t parties where t < n/2, and protocols which are computationally secure against adversaries corrupting any set of n − 1 parties.

Our protocols will inherit the security properties from the arithmetic black-box protocol over 𝔽p, with respect to the adversary structure and adversary computational capabilities it tolerates.


A usual resource in secure multiparty computation protocols is preprocessing: the fact that parties can initiate and typically carry out the heavy part of the secure computation protocol even before the (encoded) inputs are provided. That is, we can split the computation in two phases: a preprocessing, or offline phase, which is the phase carried out before the inputs are given and where the parties compute encodings of random correlated information; and an online phase, which uses the input and is typically much lighter. We will use this approach in our protocols too.

From encodings over 𝔽p to encodings over F

As mentioned before, an encoding (e.g. a sharing) [x]F of an element in F will simply be the encoding in 𝔽p of each of its coordinates xi ∈ 𝔽p with respect to the basis {1,ζr,,ζrr2} , i.e. ([x]0𝔽p, [x]1𝔽p, . . . , [x]r−2𝔽p). Both additions and products of F-encodings can be obtained by operating on the 𝔽p-encodings of their coordinates. Specifically, additions of two F-encodings require r − 1 additions of 𝔽p-encodings (by just adding coordinate-wise the vectors of 𝔽p-encodings), so in the case of a linear secret sharing scheme it can be done locally by the shareholders. Multiplying by a public constant in R can also be done locally, but it may involve up to O(r2) additions and multiplications of 𝔽p-encodings by 𝔽p-constants (depending on the public constant). Finally, products of two F-encodings require O(r2) products and O(r2) additions of 𝔽p-encodings.

Inversions of roots of unity

Our algorithms will also need to invert F-encodings of r-th roots of unity in R (seen as elements in F), that is the elements ζri,i=0,,r1 . Note that (ζri)1=ζrr1 . Moreover, in the basis {1,ζr,,ζrr2} , ζri is given by the i-th unit vector (numbering from 0 to r − 2) if i < r − 1, and by the vector (−1, −1, . . . , −1) if i = r − 1, since ζrr1=1ζrζrr2 .

Therefore, given [x]F = ([x]0𝔽p, [x]1𝔽p, [x]2𝔽p . . ., [xr−2]𝔽p) where x=ζri for some i, it is easy to see that


In particular, if the 𝔽p-encoding is given by a linear secret sharing scheme, these inversions can be computed locally.

Computing random elements of F

The parties can compute a uniformly random element of F in the usual way, described in Algorithm 1. Each party Pi chooses and shares a uniformly random value [xi]F. These values are then summed up: [x]F=i=0n[xi]F . In this way, the value x is uniformly random and secret.

Algorithm 1

Choosing a random element of F.

Each party Pi selects and shares a uniformly random [xi]FF
return [x]F

Arithmetic operations with random elements

Given [x]F, [r]F, where r is uniformly random in the sense above, opening [x + r]F gives no additional information about x apart from the a priori knowledge parties might have about x. If parties open [xr]F and find out that xr ≠ 0, the only new information parties may learn about x is that x ≠ 0, but all other information about x is protected.

Computing a random solved instance

In a preprocessing phase, the parties need to compute a random solved instance of the power residue symbol. That is, they want a pair of shared values ([x]F, [x′]F), where x′ = (x | p)r and x is uniformly random in F* and unknown to the parties. To do this, we proceed as in [12], and in Algorithm 2. The parties first select two uniformly random shared values [a]F and [b]F and multiply them: [d]F = [a]F[b]F. They then compute and open f = dr. If this is zero, they abort. Otherwise, they know that a and d are uniformly random and independent elements of F*, since F is a finite field. The parties then compute an r-th root d^ of f in the clear. We see that d/d^ is a uniformly random r-th root of unity. Hence,


constitute a uniformly random solved instance. Recall that we require (ζr | p)r = ζr, so that (d/d^|p)r=d/d^

Algorithm 2

Offline phase: Find a random solved instance ([x]F, [x′]F) of the residue symbol, i.e. x′ = (x | p)r

[a]FR F
[b]FR F
[d]F ← [a]F[b]F
if f = 0 then
end if
return ([x]F, [x′]F)

Computing the residue symbol

In the online phase, described in Algorithm 3, the parties then wish to compute the residue symbol of a secret shared value [a]F. We assume that a is known to be nonzero, which can be guaranteed by using a suitable encoding, as in Remark 6. Suppose we have a fresh random solved instance ([x]F, [x′]F). The parties compute and open ax, which is uniformly random in F* and hence does not reveal any information about a. They can then compute the residue symbol (ax | p)r in the clear, and finally obtain


Algorithm 3

Online phase: Compute the residue symbol of [a]F, given a solved instance ([x]F, [x′]F).

b ← [a]F[x]F
c ← (b | p)r
return c[x]F1

Computational and communication cost

The offline phase (Algorithm 2) can be optimized using the unbounded fan-in multiplication of [9], based on [2], which takes 3 rounds, 2l invocations of Algorithm 1 and 3l − 1 multiplications to secretly multiply l values. Since the first two rounds of the unbounded fan-in multiplication protocol are independent of the inputs, the values [a]F and [b]F can be generated and [d]F = [a]F[b]F computed at the same time. Then, [d]Fr and [a]Fr[d]F are computed, and [d]Fr opened, in the third round. This gives a total cost of 3 rounds, as well as 2r + 3 invocations of Algorithm 1 and 6r + 2 multiplications of elements in F.

The online phase costs a single multiplication in F and one opening, which can be done in a single round. Recall that computing the inverse of a root of unity can be done locally.

Recall that multiplication of elements in F is more expensive than multiplication in 𝔽p, a naïve implementation taking O(r2) multiplications in the base field, which however can be done in parallel in a single round. Also, unbounded fan-in multiplication precludes the use of square-and-multiply methods for exponentiation. However, since the exponent r is typically very small, that is not necessary.

5 Finding the modulus

We are looking for a suitable prime modulus p by checking the conditions (1) for many primes p. While it is possible to do this by simply computing (a | p)r for all aA, the computation of the residue symbol is relatively expensive in practice. In the following, we instead translate the conditions into equations of the form pMa (mod Na) for aA, where Ma ⊆ ℤ/Naℤ and Na > 1, which are much faster to check.

Recall from Section 3 that we want (p) to be a prime ideal of R. This is equivalent to p being a generator of the multiplicative group 𝔽r* , by [8, Theorem 2, p. 196]. Hence, this condition depends only on p modulo r. Furthermore, we wish to fix (ζr | p)r = ζr. Since


by definition, this is equivalent to having pr−1 ≡ r + 1 (mod r2). This gives us the first equation for p: let


Then, we require that pM0 (mod r2).

We now wish to impose a condition of the form (a|p)r=ζr for some aR \ {0} and ∈ ℤ. We need to distinguish multiple cases.

Case 1: a is a unit

By Theorem 4, we can write a=±ζrku , where k ∈ ℤ and u is a positive real unit. Applying Lemma 5, we see that


which is independent of p. Requirements of this form are hence satisfied either for all primes under consideration or for none. If it is never satisfied, the requirements need to be adjusted by choosing a new encoding as in Remark 6.

Case 2: a is coprime to r and not a unit

There is some k ∈ ℤ such that a^=ζrka is primary. So we want that p is coprime to a and


the last equation holds because the value of the residue symbol (p | â)r depends only on p modulo N(â). This gives us another modular equation for p: let


Then, we require that pMa (mod N(â)).

Case 3: a is not coprime to r

Let first μ=1ζr2 , which is a prime element of R. Note that


by Lemma 5, since ζr1ζr is purely imaginary. The ideal (r) factors as (μ)r−1 in R, so we can write a = μm ã for some m > 0 and ã coprime to r. (m is the valuation of a at (μ).) We proceed as before with ã instead of a. If ã is a unit, then as in Case 1, the requirement is either always satisfied or never. If ã is not a unit, let k ∈ ℤ such that a^=ζrka˜ is primary. We end up with the set


and we require that pMa (mod N(â)).

5.1 Computing the conditions

How do we find the elements of the set Ma? First, we note that Ma is contained in (ℤ/N(â)ℤ)*. Since it appears inevitable that our procedure takes at least polynomial time in N(â), the brute force method of simply computing (q | â)r for each q ∈ (ℤ/N(â)ℤ)* seems viable. However, computation of the residue symbol is relatively expensive in practice, so we use a method that requires only few invocations of the residue symbol.

Since the residue symbol is multiplicative, the set


is a subgroup of (ℤ/N(â)ℤ)*. If Ha is the entirety of (ℤ/N(â)ℤ)*, the condition pMa (mod N(â)) is satisfied for all values or no value of p. In the latter case, we need to start over with a new encoding of the inputs (see Remark 6).

If however Ha is a proper subgroup, it follows that it has index r, and that the set Ma is a coset of Ha. We use the fact that the index is known to efficiently find a set of generators for Ha, after which the entirety of Ma can easily be computed.

For this, we first need to find a set of generators g1, . . . , gn of (ℤ/N(â)ℤ)*, of orders k1, . . . , kn, which induce an isomorphism


The Sage computer algebra system [11] contains a function that provides these generators, with the same complexity as factoring N(â).

We describe the algorithm for computing a set of generators for the subgroup Ha in the following setting, which is related to the hidden subgroup problem.

Finding a subgroup with known index

Suppose we are given an abelian group of the form G = ℤ/k1ℤ × · · · × ℤ/knℤ, where k1, . . . , kn ∈ ℤ>1. Suppose furthermore that we have access to the characteristic function χ: G → {0, 1} of a subgroup HG of index dividing r, where r is a known prime number. That is, χ(x) = 1 if and only if xH. The goal is to find a set of generators of H, using only a small number of invocations of χ.

First, we note that by pulling H back along the projection homomorphism π : ℤnG, we get a lattice containing k1ℤ × · · · × knℤ. Let χ˜=χπ be the characteristic function of . We now find a basis for , which maps to a set of generators of H. Every full rank lattice contained in ℤn has a unique basis given by the columns of a full rank n × n integer matrix B in Hermite normal form [6]. That is, B = (Bij) satisfies


Let B now be such a basis matrix for the lattice . The determinant of B is equal to the index of the subgroup H in G, and hence divides the prime r by assumption. This means that B has at most one diagonal entry equal to r, with all others being 1.

For example, the matrix B might look like this:


with 0 ≤ a1, a2 < r.

To find the basis h1, . . . , hn of , we now proceed as in Algorithm 4. Let e1, . . . , en be the standard basis vectors of ℤn. We let i decrease from n to 1, and so go through the columns of B from right to left.

  1. For as long as χ˜(ei)=1 , we simply set hi = ei.

  2. If χ˜(ei)=0 , we know that we have reached the column with r in the diagonal, so we set hi = rei and fix J = i.

  3. For each of the remaining values of i, we search for the unique a ∈ {0, . . . , r−1} such that χ˜(ei+aeJ)=1 , and set hi = ei + aeJ.

Algorithm 4

Computing a basis of a sublattice ⊆ ℤn of prime index r, given the characteristic function χ˜ of .

J ←0
for i from n to 1 do
    if J = 0 then
      if χ˜(ei)=1 then
        hir · ei
      end if
      for a from 0 to r − 1 do
        if χ˜(ei+aeJ)=1 then
          hiei + aeJ
        end if
      end for
    end if
end for

This way, we can compute the basis of using at most (n − 1)r + 1 invocations of χ. Note that if the index of H is 1, the algorithm simply returns the original basis e1, . . . , en.

Remark 8

In the case relevant to this paper, χ is given by the residue symbol, which not only tells us whether an element is in H, but in which coset of H it lies. In this case, the value a in step 3 above can be computed with a single invocation of χ, which reduces the total number of invocations needed to just n.

Remark 9

The algorithm can easily be generalized to the case where r is not prime, in which case there may be multiple diagonal entries not equal to 1. It requires at most nr invocations of χ.

5.2 Complexity of finding the modulus

Given the equations we determined above, what size can we expect for the smallest prime p that satisfies them, assuming that they are indeed satisfiable? We have seen in Section 5.1 that Ma for aA is a subset of (ℤ/N(â)ℤ)* of size at least ϕ(N(â))/r, if it is not empty, where ϕ is the Euler phi function. Since in practice p is a prime larger than any N(â), its reduction modulo N(â) will always lie in (ℤ/N(â)ℤ)*. Let us assume that the reductions of p in (ℤ/N(â)ℤ)* for aA and in (ℤ/r2ℤ)* are uniformly random and independent, for random p.[2] Then we have pMa (mod N(â)) with probability at least 1/r. Further, pM0 is satisfied with probability ϕ(r − 1)/ϕ(r2) > 1/r2. We can hence estimate the smallest prime satisfying the equations to have size at most O(r|A|+2(|A| + 2) log r) by the prime number theorem.

To check if a given prime integer p satisfies the conditions (1), we could simply compute (a | p)r for all aA. A single such test can be done by raising a to the (N(p) − 1)/r-th power in R/(p), which takes O(log N(p)) = O(r log p) multiplications in R/(p), or O(r3 log p) multiplications in 𝔽p, giving a time complexity of Õ(r3 log2 p) using Schönhage-Strassen multiplication. By the previous paragraph, we expect that we need to test around Õ(r|A|+2) primes, taking time around Õ(r|A|+2 · |A| · r3 log2(r|A|+2)) = Õ(r|A|+5|A|3). We also need to test Õ(r|A|+2|A|) integers for primality, which takes time Õ(r|A|+2|A| log2 r|A|) = Õ(r|A|+2|A|3) using Miller-Rabin.

Instead, in the method described in the beginning of Section 5, we first list the sets Ma for all aA. Using the idea described in Section 5.1, we expect the dominating cost to be the enumeration of Ma after the generators have been found. If n is an upper bound on the norms of the elements of A, we can then estimate the time and memory cost of the first step to be Õ(n|A|). Then, checking a single condition from (1) consists of a modular reduction of integers and a set membership test, taking time Õ(log p). In this case the cost of the Miller-Rabin primality test dominates, giving an estimated total time complexity for the second step of Õ(r|A|+2|A|3). Alternatively, the Sieve of Eratosthenes can be used to reduce this to Õ(r|A|+2|A|2) at the cost of Õ(r|A|+2|A|) memory.

Although the asymptotic estimates for the two methods are quite similar, our experiments indicate that the second method is significantly faster when the norms of the elements of A are not too large. However, we will see in Section 5.3 that the case of large norms is interesting as well.

5.3 Existence of a good encoding

As mentioned in and before Remark 6, for a given choice of A and f: A → {0, . . . , r − 1} it is often impossible to satisfy (1) due to internal contradictions. So in order to compute a desired function f′ : A′ → {0, . . . , r − 1}, we need to find some values of A and f that do not lead to such contradictions, together with an encoding (an affine map) E : A′A satisfying f ○ E = f′.

For small choices of A′, it may be possible to find an encoding using trial and error, as we have done in the example of Section 6. We do not know of a guaranteed way to find good encodings, but we give some considerations on the matter.

One common cause of contradictions is that different elements of A can have prime factors in common (or prime factors that are conjugates of each other under an automorphism of R). Trying to satisfy some of the requirements in (1) can fix the residue symbol on the prime factors, which may end up fixing the residue symbol of some other element of A to an undesirable value. To avoid this, we could try to find an encoding such that no two distinct elements of A have prime factors that are conjugates of each other.

Proposition 10

Let A′R be a finite subset containing no two distinct elements that are conjugate to each other under an automorphism of R.

Let s′ be the product of all nonzero elements of the form aσ(b) for a, bA′ and σ ∈ Aut(R). Define s ∈ ℤ as the product of all (integer) prime numbers dividing N(s′), and let q ∈ ℤ be coprime to s.

Then, no two distinct elements of A = {q + as | aA′} have prime factors that are conjugate under an automorphism of R.


Let p be a prime element of R dividing s. Since p does not divide q, it cannot divide q + as for any aA′.

Suppose now that we have a, bA′, σ ∈ Aut(R) and a prime element ps such that p | q + as and σ(p) | q + bs. Hence,


Since p is prime and does not divide s, it must divide aσ−1(b). However, if aσ−1(b) is nonzero, its prime factors are also factors of s by definition. Hence a = σ−1(b), and so a = b by the condition on A′.

In this case, the norms N(a) for aA are pairwise coprime. The norms N(â) are furthermore coprime to r by construction of â (see Section 5). Under the assumption that the equations qMa (mod N(â)) and qM0 (mod r2) are individually satisfiable, it then follows by the Chinese remainder theorem and Dirichlet's prime number theorem that a prime solution p exists that satisfies all at once.

However, it is not guaranteed that the individual equations are satisfiable. For example, the residue symbol (â | p)r for â a unit, or an r-th power, or real or purely imaginary is independent of p, so Ma may be empty. Since these types of elements are relatively uncommon, it may nonetheless be possible to avoid them with a good choice of A. In fact, if A′ is chosen as a subset of ℤ, the construction in Proposition 10 will always result in A ⊂ ℤ. It is therefore necessary to choose an A′ that does not consist of integers, for example by finding a suitable “pre-encoding” E′ : A″A′.

The downside of this approach is that it results in aA of very large norm, which can make the sets Ma unmanageably large. It may therefore be preferable to simply test the conditions (1) directly instead of applying the method described in the beginning of Section 5.

When the norms N(â), aA, and r are pairwise coprime, there is another approach to finding a solution p that does not require enumerating Ma: Let N = r2aA N(â), and pick a random element baMa for each aA, as well as b0M0. It should be feasible to find these if they exist, since at least one in r elements of (ℤ/N(â)ℤ)* is in Ma. Then, use the Chinese remainder theorem to translate (ba)aA∪{0} to b ∈ (ℤ/Nℤ)*, and test if b is prime. If not, multiply b by a random r-th power in (ℤ/Nℤ)* congruent to 1 modulo r2 and test again. This way, we expect to find a prime in around log(N) steps. Unfortunately, the resulting prime will be of size O(N), which may be too large for practical purposes.

6 Toy example

We present an example, in which we compute reduction modulo 3 for integers x ∈ {0, . . . , n} for some small n. We pick r = 3. This example was constructed with the help of the Sage computer algebra system [11].

Setting A = {0, . . . , n} and f (x) = x mod 3 cannot work for this, since (x | p)r = 1 for all valid primes p and x ∈ ℤ with px, by Lemma 5. Instead, we encode the problem as follows. Let n = 18, and


This encoding was found by trial and error. Then, following our procedure from Section 5, we get


For e.g. a = 11 + 5ζr, we have f (a) = = 2, so we want (a|p)r=ζr2 . We have N(a) = 91, so a is coprime to 3. Furthermore, â = ζra = 6ζr − 5 is primary, so k = 1. We hence get


Similarly, we find Ma for all other aA.

Finally, we use brute force to find a prime p which lies in M0 and in each Ma after the appropriate modular reduction. The smallest one is


We conclude that


for 0 ≤ x ≤ 18.

One can show that it is not possible to extend the example above to a = 11 + 19ζr.

7 Alternatives

There are several alternatives for computing an arbitrary function f : A → {0, . . . , r − 1} in a secret shared manner using a constant number of rounds.[3]

For example, one may use Lagrange interpolation to find a degree |A| − 1 polynomial FR[x] that agrees with f on A. The polynomial can then be evaluated in three rounds using unbounded fan-in multiplication [2, 9], the first two of which can be done in precomputation. This compares favourably to our protocol, which has three offline and one online round. Furthermore, polynomial interpolation works for any prime modulus larger than max{|A|, r}, whereas our protocol requires a specific and much larger prime modulus. On the other hand, our protocol has the advantage of requiring fewer multiplications, namely O(r) instead of O(|A|).

One could also consider decomposing f into a sequence of two-valued functions f1, . . . , fk : A → {0, 1} and computing each using the Legendre symbol. It would then be necessary to find k different (affine) encodings Ei : A → ℤ, 1 ≤ ik, and a prime p such that fi(a) agrees with 2(Ei(a) | p) − 1 simultaneously for all i. Such encodings could be found using similar ideas to those presented in Section 5.3 and [12]. If we assume that the Ei have disjoint images, and that the residue symbol on the elements of these images are uniformly random and independent, this would give us a p of expected size O(2k|A|k|A|). If we use a one-hot encoding to represent f (x) = 1f1(x) + · · · + (r − 1)fr−1(x), we get k = r − 1, which results in a much larger estimate for p than in our method. One could instead choose k = ⌈log2 r⌉ and encode f as a Boolean circuit in the fi. This would result in a similar expected size for p as in our protocol, but may require extra rounds to evaluate the circuit, especially if a one-hot encoding of the output is desired. Compared to our protocol, this method takes the same number of offline rounds, but either gives a larger expected p or requires extra online rounds. In some cases, the estimate for p can be improved by choosing Ei with overlapping images. For example, using a one-hot encoding for the function f (x) = x mod 3 of our toy example, one may notice that f2(x) = f1(x − 1) and so use two mostly overlapping encodings.

8 Conclusion

We have introduced a protocol for secure multiparty computation which allows the evaluation of certain desired functions f : A → {0, . . . , r − 1} on secret shared values, for a small subset A ⊂ ℤ[ζr] of the r-th cyclotomic ring, where r is a small prime. Our protocol is a generalization of a protocol by Yu [12], and makes use of the residue symbol of ℤ[ζr], by getting it to agree with the desired function on A. It uses only a single round in the online phase, and a constant number of offline preprocessing rounds.

We can then use this idea to compute a function g over a more “natural” domain, like A′ ⊂ ℤ, by first encoding it as a function f : A → {0, . . . , r − 1} in a suitable way. As we have shown in the example, there may be different ways of doing this encoding, and the feasibility and performance of our technique may depend on the chosen encoding.

It is an open question to find concrete applications where our protocol has significant advantages over alternative solutions, such as polynomial interpolation. It is also of interest to improve and formalize the methods of encoding a desired function in such a way as to be compatible with the residue symbol, and so that p remains reasonably small, which so far we have mostly done by trial and error.


This work is supported by Aalborg University under the SECURE project.

We wish to thank an anonymous reviewer for the alternative idea of encoding a function in terms of several two-valued functions, see Section 7.


[1] M. Abspoel, N. J. Bouman, B. Schoenmakers and N. de Vreede, Fast Secure Comparison for Medium-Sized Integers and Its Application in Binarized Neural Networks, in: Topics in Cryptology – CT-RSA 2019 (M. Matsui, ed.), Springer, Cham, pp. 453–472, 2019.10.1007/978-3-030-12612-4_23Search in Google Scholar

[2] J. Bar-Ilan and D. Beaver, Non-Cryptographic Fault-Tolerant Computing in Constant Number of Rounds of Interaction, in: Proc. 8th ACM Symp. on Principles of Distributed Computing, PODC ’89, pp. 201–209, ACM, New York, 1989.10.1145/72981.72995Search in Google Scholar

[3] Y. F. Bilu, Y. Bugeaud and M. Mignotte, The Problem of Catalan, Springer, Cham, 2014.10.1007/978-3-319-10094-4Search in Google Scholar

[4] R. Cramer, I. B. Damgård and J. B. Nielsen, Secure Multiparty Computation and Secret Sharing, Cambridge University Press, New York, 2015.10.1017/CBO9781107337756Search in Google Scholar

[5] I. Damgård, M. Fitzi, E. Kiltz, J. B. Nielsen and T. Toft, Unconditionally Secure Constant-Rounds Multi-party Computation for Equality, Comparison, Bits and Exponentiation, in: Theory of Cryptography (S. Halevi and T. Rabin, eds.), Springer, Berlin, Heidelberg, pp. 285–304, 2006.10.1007/11681878_15Search in Google Scholar

[6] C. Dwork, Lattices and Their Application to Cryptography, Lecture Notes, Stanford University, 1998.Search in Google Scholar

[7] U. Feige, J. Killian and M. Naor, A Minimal Model for Secure Computation, in: Proc. 26th ACM Symp. on Theory of Computing, STOC ’94, pp. 554–563, ACM, New York, 1994.10.1145/195058.195408Search in Google Scholar

[8] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, 2nd ed, Graduate Texts in Mathematics 84, Springer-Verlag, New York, 1990.10.1007/978-1-4757-2103-4Search in Google Scholar

[9] T. Nishide and K. Ohta, Multiparty Computation for Interval, Equality, and Comparison Without Bit-Decomposition Protocol, in: Public Key Cryptography – PKC 2007 (T. Okamoto and X. Wang, eds.), pp. 343–360, Springer, Berlin, Heidelberg, 2007.10.1007/978-3-540-71677-8_23Search in Google Scholar

[10] A. Shamir, How to Share a Secret, Commun. ACM 22 (1979), 612–613.10.1145/359168.359176Search in Google Scholar

[11] W. A. Stein et al., Sage Mathematics Software (Version 9.1), The Sage Development Team, 2020.Search in Google Scholar

[12] C.-H. Yu, Sign Modules in Secure Arithmetic Circuits., Cryptology ePrint Archive, Report 2011/539, 2011.Search in Google Scholar

Received: 2020-03-17
Accepted: 2020-12-07
Published Online: 2021-01-29

© 2021 Ignacio Cascudo et al., published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 5.6.2023 from
Scroll to top button