Efficient Bit-Decomposition and Modulus Conversion Protocols

with an Honest Majority

Ryo Kikuchi1 , Dai Ikarashi1 , Takahiro Matsuda2 , Koki Hamada1 , and Koji Chida1
1
NTT Corporation,
{kikuchi.ryo, ikarashi.dai, hamada.koki, chida.koji}@lab.ntt.co.jp
2
National Institute of Advanced Industrial Science and Technology (AIST),
[email protected]

1.

Abstract. We propose secret-sharing-based bit-decomposition and modulus conversion protocols

for a prime order ring Zp with an honest majority: an adversary can corrupt k − 1 parties of n
parties and 2k − 1 ≤ n. Our protocols are secure against passive and active adversaries depending
on the components of our protocols. We assume(a secret ) is an ℓ-bit element and 2ℓ+⌈log m⌉ < p,
n
where m = k in the passive security and m = k−1 in the active security. The outputs of our
bit-decomposition and modulus-conversion protocols are ℓ tuple of shares in Z2 and a share in Zp′ ,
respectively, where p′ is the modulus to be converted. If k and n are small, the communication
complexity of our passively secure bit-decomposition and modulus-conversion protocols are O(ℓ)
bits and O(⌈log p′ ⌉) bits, respectively. Our key observation is that a quotient of additive shares can
be computed from the least∑ significant ⌈log m⌉ bits. If a secret a is “shifted” and additively
∑shared
by xi in Zp as 2⌈log m⌉ a = m−1 i=0 xi = 2
⌈log m⌉
a + qp, the least significant ⌈log m⌉ bits of m−1
i=0 xi
determines q since p is an odd prime and the least significant ⌈log m⌉ bits of 2⌈log m⌉ a are 0s.

Keywords: bit-decomposition, modulus conversion, secure computation, secret sharing

1 Introduction

Secure computation enables parties with inputs to compute a function on the inputs while keeping
them secret. There are security notions that secure computation should satisfy, e.g., privacy, meaning
the protocol reveals nothing except the output, and correctness, meaning the protocol computes the
desired function. These notions should be satisfied in the presence of an adversary, and there are two
classical adversary models according to adversaries’ behaviors: passive (i.e., semi-honest) and active (i.e.,
malicious). Passive security means an adversary follows the protocol but may try to learn something
from the protocol transcript, and active security means the adversary tries to cheat with an arbitrary
strategy including deviating from the protocol. Active security provides stronger security guarantee but
passive security is sufficient in some cases, e.g., each party somewhat trusts each other but cannot share
their information due to privacy regulations, parties cannot tamper with an installed program of secure
computation, and the only thing they can do is seeing the input and output.
An adversary can corrupt a party to see its input and output and control its behavior. There are two
major settings specifying the number of parties the adversary can corrupt. Honest majority means an
adversary can corrupt less than half the parties, and dishonest majority means it can corrupt more than
half. Security with a dishonest majority provides stronger security guarantee but security with an honest
majority is sufficient in some cases, for example, each party is a “somewhat” trusted authority, such as
a government agency of a different country that may not collude with other agencies.
Secure computation can accelerate an application of sensitive data since one can analyze data while
they are secret by using secure computation, e.g., detecting tax fraud [3] and aggregating clinical infor-
mation [17]. Despite the advantage of secure computation, it has not been widely used in practice. One
of main reasons is its inefficiency. Secure computation tends to require heavy computations and commu-
nication; thus, its performance is typically much lower than that of local computation when the same
function is computed. Therefore, to achieve better performance is one of the main challenges in secure
computation.
1.1 Bit decomposition and modulus conversion

When we are interested in secure computation on an integer input a ∈ Zp , there are two major repre-
sentations to describe an intended function: an arithmetic circuit and a Boolean circuit. An input and
output of an arithmetic circuit are represented as elements in Zp , while those of a Boolean circuit are in
Z2 .
Secure computation in better suited representation provides better performance. For example, addition
and multiplication (in Zp ) can be computed efficiently by an arithmetic circuit, while not by a Boolean
circuit. In contrast, bit-operations, such as comparison and Hamming weight, can be computed efficiently
by a Boolean circuit, while those operations are non-trivial tasks for an arithmetic circuit.
To bridge these two representations, Damgård et al. [9] and Schoenmakers and Tuyls [23] proposed
bit-decomposition protocols to convert the integer representation into the binary one. The former is a
secret-sharing (SS)-based protocol and unconditionally secure with an honest majority, while the latter
is a homomorphic-encryption-based protocol and computationally secure without an honest majority. In
the honest majority case, several subsequent works have improved the efficiency [21,10,22,25,4].
There are two types in SS-based bit-decomposition protocols based on whether each bit of the bit-
decomposition result of an original secret is in Zp or in Z2 . If these bits are shared in Zp , it is easy to
convert the bit representation into an integer representation after computations with a Boolean circuit.
In contrast, if these bits are shared in Z2 , a Boolean circuit can be computed efficiently since the parties
can locally compute an XOR gate. In this paper, we focus on the latter type of output; the output of the
bit-decomposition protocol is shares in Z2 .
A modulus-conversion protocol is a related protocol that converts a share in Zp into that in Zp′ (with
p ̸= p′ ) without changing an original secret. This protocol corresponds to a type-casting operation (i.e.,
type conversion) for ordinary computers. In many applications, a user of secure computation may want
to obtain values that are not∑reduced by ∑modulus. For example, if we intend to obtain the sum of shared
secrets, we want to obtain ai , not ai mod p. In this case, we have to manage the shared values
not to exceed the modulus p. However, if we do not know which function will be computed with shared
secrets, we cannot determine beforehand how large p should be. Even if we use a large enough p for
most functions, the communication complexity of secure computation is at least proportional to log p and
the efficiency therefore decreases. The modulus-conversion protocol can be a solution of this problem;
namely, when an output of secure computation will exceed p, we can change p into p′ , which is large
enough to represent the output. Another application of a modulus-conversion protocol is the inverse of a
bit-decomposition protocol by setting p = 2.

1.2 Our contribution

We propose an SS-based bit-decomposition protocol for Zp and modulus-conversion protocol from Zp to

Zp′ with low communication complexity and an honest majority, where p and p′ are prime numbers. Our
basic protocols are passively secure, but can be made actively secure if the number of parties is small.
In this paper, we consider active security with abort in which an honest party will abort if an adversary
cheats. In our protocols, it is assumed that the parties know the bit-length ℓ of a secret, i.e., a secret a
satisfies a < 2ℓ+1 . Therefore, the output of our bit-decomposition protocol is ℓ shares( n in) Z2 . We also
3

assume ℓ + ⌈log m⌉ < ⌈log p⌉, where m = k in the passive security case and m = k−1 in the active
security case, where k is the number of parties who can reconstruct the secret and n is the number of
all parties. It seems natural that ⌈log p⌉ is somewhat larger than ℓ and the parties know ℓ to prevent an
output of secure computation from exceeding p; nevertheless, our protocol supports neither
( n ) full extraction
of the bits of secret nor too many parties in which ℓ + ⌈log m⌉ ≥ ⌈log p⌉. In addition, k−1 is exponential
in n so our actively secure protocol is only for small number of parties.
Our protocols consist of bit-wise share generation, random share generation, and Boolean circuit
evaluation. If p is a Merssene prime, both of our protocols can be simplified and their communication
complexity is improved in a constant factor. By using ordinary circuits and regarding k and n as constants,
the communication complexity of our bit-decomposition protocol is O(ℓ) bits, which seems optimal since
the output is an ℓ-tuple of Z2 . For the specific parameters of (k, n) = (2, 3) and when p is a Merssene
3
If one wants to use Shamir’s SS scheme, GF(2⌈log n⌉+1 ) can be an alternative option.

2
prime, the communication complexity is 10ℓ + 4 bits, which is smaller than the best known result [4] of
17⌈log p⌉+12⌈log⌈log p⌉⌉ bits, while [4] supports full extraction of bits and uses a different ring p = 2d . Our
modulus-conversion protocol has a similar structure, and the communication complexity is O(⌈log p′ ⌉)
bits, which seems also optimal since the output of the protocol is a share in Zp′ . We note that out
protocols are not constant-round protocols. Nonetheless, the round complexity is comparable to that of
constant-round protocols when (k, n) = (2, 3).

1.3 Technical overview

A common difficulty in constructing bit-decomposition and modulus-conversion protocols is secure com-

∑m−1
putation of a quotient. Let a ∈ Zp be a secret and assume a is additively shared as a = i=0 xi mod p.
When we intend to ∑ obtain a share of a in Z2 , one may try to replace xi with xi mod 2. However, it
m−1
does not work since i=0 xi mod 2 = a + qp mod 2 = a + (q mod 2)(p mod 2) ̸= a. Here, p is public,
but q∑ is unknown and thus q should be securely computed.
∑m−1 A naı̈ve way to obtain q is to securely com-
m−1
pute i=0 xi by a Boolean circuit and compare i=0 xi with p. However, this naı̈ve method requires
∑m−1
O(⌈log p⌉)-bit communication to compute i=0 xi by a Boolean circuit.
Our key observation is that a quotient of additive shares can be computed from the least significant u
bits, and we call this property the quotient transfer. In both of our protocols, we first additively share 2u a
∑m−1
rather than a, i.e., i=0 xi = 2u a+qp. Recall that we assume ℓ+u ≤ ⌈log p⌉, and thus 2u a mod p = 2u a.
∑m−1
We observe that the least significant u bits of i=0 xi represents q since p is an odd prime and the least
significant
∑m−1u bits of 2u a are 0s. Therefore, we can obtain q by securely computing ∑ the least significant u
bits of i=0 xi . By using the quotient transfer, ℓ + u bits and ⌈log p′ ⌉ + u bits of i=0 xi are sufficient
m−1

for our bit-decomposition and modulus-conversion protocols, respectively.

1.4 Related work

Damgård et al. [9] proposed a constant round bit-decomposition protocol, which were simplified by Nishide
and Ohta [21]. Toft proposed another bit-decomposition protocol [25] with almost linear communication
complexity, and Reistad and Toft [22] proposed a bit-decomposition protocol with linear communica-
tion complexity while admitting statistical privacy. In these works, the output of a bit-decomposition
protocol is shares in Zp , and linear communication complexity means that the number of invocations of
a multiplication protocol is linear in ⌈log p⌉. In this paper, we measure the communication complexity
in bits among the all parties. With respect to the communication complexity in bits, the above men-
tioned existing protocols incur at least O(⌈log p⌉2 ) since a multiplication protocol requires O(⌈log p⌉)-bit
communication.
A bit-decomposition protocol that outputs XOR-free shares was proposed by From and Jakobson [10].
They use a share in GF(2256 ) as an output. Bogdanov et al. [4] proposed a bit-decomposition protocol
that is dedicated to the replicated SS scheme [8,16] in (k, n) = (2, 3) and p = 2d for some positive integer
d. The output of their bit-decomposition protocol is ⌈log p⌉ shares in Z2 since they support full extraction.
Regarding modulus conversion, Bogdanov et al. [4] proposed a specific case of a modulus-conversion
⌈log p⌉
protocol from Z2 into Zp . This protocol is also dedicated to the replicated SS scheme in (k, n) = (2, 3)
d
and p = 2 for some positive integer d. This protocol is the inverse of a bit-decomposition protocol.

2 Preliminaries

Let a := b denote that a is defined by b, and a||b denote the concatenation of a and b. If a is an ℓ-bit
element, a(i) denotes the i-th bit of a, where we count the indices in the right-to-left order with 0 being
the initial index, i.e., a := a(ℓ−1) || · · · ||a(0) . If A is a probabilistic algorithm, a ← A(b) means a is the
output of A on input b. The notations R, Z, Zp , and Zm p denote a ring, the set of integers, Z/pZ, and
m-tuple of the elements in Zp , respectively. For a relation R, ⟨R⟩ denotes 1 if R is true and 0 otherwise.
For example, ⟨a <? b⟩ denotes 1 if a < b and 0 otherwise.

3
2.1 Mersenne prime

A Mersenne prime is a prime number of the form p = 2e −1 for some integer e. It provides efficient modular
arithmetic, e.g., [5], since modulo a Mersenne prime can be computed by bit-shifting and addition: If
a = a0 2e + a1 , then a mod p = a0 2e + a1 mod p = a0 + a1 mod p holds since 2e − 1 = 0 mod p.

2.2 Security model and definition

We consider SS-based secure computation with an honest majority. In this setting, there are n parties
P0 , . . . , Pn−1 , a secret is shared among the n parties via SS, any k parties can reconstruct the secret
from their shares, and an adversary corrupts up to k − 1 parties at the beginning of the protocol, where
2k − 1 ≤ n.
We consider the client/server model. This model is used to outsource secure computation, where any
number of clients send shares of their inputs to the servers. Therefore, both the input and output of the
servers are shares, and both of our protocols are therefore share-input and share-output protocols.
Regarding adversarial behaviors, we consider two security models: passive and active security with
abort. We give a brief explanation here and the formal definitions of security appear in Appendix A.

Passive security. In passive security, corrupted parties follow a protocol. Therefore, a passive adversary
tries to obtain information about a secret from transcripts that the corrupted parties have. Formally, we
say that a protocol is passively secure if there is a simulator that simulates the view of the corrupted
parties from the inputs and outputs of the protocol [13].

Active security with abort. In this paper, an actively secure protocol is a secure computation with abort.
This means that if an adversary cheats, an honest party will abort. This security model does not guarantee
fairness: An adversary may obtain the outputs of corrupted parties while the honest parties do not.4 Note
that we do not care about fairness even it is possible with an honest majority. This is because efficient
circuit evaluation protocols are known [11,12] in this security model, and it may be difficult to reveal a
secret without abort efficiently. From here on, in this paper, active security means active security with
abort.

2.3 Secret sharing

We use an unconditionally secure linear SS scheme [2] that supports the following algorithms, protocols,
and local operations.

– Share: On input a ∈ R, this algorithm outputs shares of a. The notation [a]i denotes Pi ’s share
and [a] denotes a sharing, which is a tuple of all shares. Several rings will appear, and thus we
explicitly indicate the ring to which shares/sharings belong. For example, [a]Zp denotes a sharing
of a in Zp , while [a]Z2 denotes a sharing of a in Z2 . In addition, [a]Z2 denotes a tuple of sharings
m

∑
([a0 ]Z2 , . . . , [am−1 ]Z2 ), where a = i=0 2i ai .
m−1

– Reconstruction: On input k shares, this algorithm outputs a secret. For any linear SS scheme, a
secret can be reconstructed by a linear combination of k shares. For example, we denote the linear
∑k−1
combination of the shares of P0 , . . . , Pk−1 as a = i=0 λi [a]i for some λi .5
– Reveal: This is a protocol for reconstructing a secret from its shares. The requirements of this protocol
are different depending on considered security models. In the presence of a passive adversary, given a
sharing of a, this protocol guarantees that at the end of the execution, all the parties obtain a. When
we consider an active adversary, this protocol guarantees that at the end of the execution, if [a] is
not correct, i.e., either a secret reconstructed from some k shares is ⊥ or does not equal to that from
other k shares, then all the honest parties will abort. Otherwise, if [a] is correct, then each party will
either output a or abort.
4
In our protocols, the output of our protocols are shares, so the adversary cannot obtain any secret information.
5
This is a slightly small class of SS schemes compared to [2] with respect that each party has a single share.

4
Protocol 1 Share conversion from a linear SS scheme into the replicated SS scheme
Input: [a]Zp
Output: [[a]]Zp
1: The parties call Frand and receive [[r]]Zp .
2: The parties locally convert [[r]]Zp into [r]Zp .
3: The parties reveal [a − r]Zp and obtain a − r.
4: [[a]]Zp := (a − r) + [[r]].
5: The parties output [[a]]Zp .

– Local operations: Given sharings [a] and [b] and a scalar α ∈ R, the parties can generate sharings of
[a + b], [αa], and [α + a] using only local operations. The notations [a] + [b], α[a], and α + [a] denote
these local operations, respectively.
– Multiplication protocol and secure circuit evaluation: Given sharings [a] and [b], the parties can gen-
erate [ab] by the multiplication protocol. Combining local operations with the multiplication protocol,
we can compute any Boolean circuit over shared data.
Concrete examples of a linear SS scheme is Shamir’s scheme [24] and the replicated SS scheme [8,16].
In this paper, we use Zp , Zp′ , and Z2 as instantiations of a ring, where p and p′ are prime numbers.
∑m−1
We especially say that a is additively shared in Zp if a = i=0 xi mod p for some m, and we call xi a
sub-share.
Although an input and output of our protocols can be shares of any linear SS scheme, the shares have
to be converted into one of the replicated SS scheme in our actively secure protocols. The share size of
the replicated SS scheme is exponential in n; therefore, our protocols with active security are for a small
number of parties, whereas our protocols with passive security do not have this restriction.

Replicated secret sharing scheme. The replicated SS scheme [8,16] is an SS scheme in which a secret is
represented as an addition of sub-shares and each sub-share corresponds to a maximal unqualified set of
parties. ( n )
Let m := k−1 and T = {T0 , . . . , Tm−1 } be a family of all (k − 1)-subsets of {0, . . . , n − 1}. We
especially use the notation [[·]]i (resp. [[·]]) for a share (resp. a sharing) of the replicated SS scheme. Shares
of the replicated SS scheme in Zp are generated as follows. A secret a is additively shared into m sub-
∑m−1
shares as a = i=0 xi mod p, and a share for Pi is [[a]]i = {xj | i ∈ / Tj , Tj ∈ T}. Here, k − 1 parties
cannot obtain any information about a since there exists Tj that contains all the corrupted parties, and
an adversary cannot know xj .
The size of a( share
) of the replicated SS scheme becomes very large for a large number of parties since
each party has n−1k−1 sub-shares. However, the replicated SS scheme has an attractive property that the
parties can generate a share of a random number without interaction, which is called pseudo-random
secret sharing (PRSS) [8]. Formally, PRSS securely computes the following functionality Frand .

FUNCTIONALITY 2.1 (Frand – Generating a share of a random value)

Z
Upon receiving id from Pi for 0 ≤ i < n, r ← Zp , generate [[r]]Zp by the sharing algorithm, and send [[r]]i p
to Pi

Share conversion among SS schemes. It is known that shares can be converted among additive shares, a
linear SS scheme, and the replicated SS scheme.
A share of a linear SS scheme [a]i can be locally converted to additive shares with k sub-shares by
setting xi := λi [a]i , where Pi has xi for 0 ≤ i < k. On the contrary, when Pi for 0 ≤ i < k has an additive
share xi , the shares can be converted by sharing all the sub-shares xi via a linear SS scheme and adding
them all.
A share of the replicated SS scheme can be locally converted into that of a linear SS scheme [8]. On
the contrary, a share of a linear SS scheme can be converted into that of the replicated SS scheme by
using Protocol 1. This protocol is actively secure in the Frand -hybrid model since we assume that the
reveal protocol is actively secure.

5
Secure circuit evaluation on linear SS. In our protocols, several circuits are securely computed. We
consider the sum, carryless-sum, and zero-test circuits. The sum circuit on input m ℓ-bit elements,
outputs ⌈log m⌉ + ℓ-bit element that is the sum of the inputs. The carryless-sum circuit is the same as
the sum circuit except the output is ℓ-bit element by discarding the most significant ⌈log m⌉ bits. The
zero-test circuit on input m 1-bit elements, outputs 0 if all the inputs are 0, and 1 otherwise. We construct
our protocols in a modular way using the functionalities Fsum , Fclsum , and Fzero that correspond to the
sum, carryless-sum, and zero-test circuits, respectively. Formal description of those functionalities appear
in Appendix C.

3 Quotient transfer

In this section, we show our key observation that we call quotient

∑m−1 transfer. Informally, quotient transfer
means that, if “shifted” secret 2u a is additively shared as i=0 xi = 2u a + qp, the parties can compute
∑m−1
the quotient q from the least significant u bits of i=0 xi , where u = ⌈log m⌉.

Theorem 3.1. Let m be a positive integer, u = ⌈log m⌉, and 2u < p. Let (x0 , . . . , xm−1 ) be a tuple of
∑m−1
elements in Zp satisfying i=0 xi = 2u a + qp. Then, the quotient q satisfies

∑
m−1
q = (p mod 2u )−1 xi mod 2u . (1)
i=0

[Proof] We observe

∑
m−1
xi mod 2u = 2u a + qp mod 2u = q(p mod 2u ) mod 2u
i=0

since q ≤ m − 1 < 2u . In addition, 2u and (p mod 2u ) are co-prime, and thus (p mod 2u )−1 exists.
The prime number p is public, and thus (p mod 2u )−1 can be computed by every party. Therefore,
∑m−1
Equation 1 means that the quotient q can be computed from the least significant u bits of i=0 xi .
For practical applications, protocols with a small number of parties may be used, and we will later
consider the case m = 2 (i.e. three-party case). Furthermore, for performance reasons, a Mersenne prime
is used for p. Therefore, in the following, we give specific cases of Theorem 3.1 for these cases. The second
∑m−1
equation below shows that the parties can compute the quotient q from the LSB of i=0 xi in a secure
three-party computation when p is a Mersenne prime.

Corollary 3.2. If p is a Mersenne prime, i.e., p = 2e − 1, Equation (1) is

∑
m−1
q=− xi mod 2u
i=0

since p mod 2u = −1. Furthermore, when m = 2,

q = x0 + x1 mod 2.

4 Bit-decomposition protocol

In this section, we first show a useful equation for our proposed protocols, then show our passively secure
bit-decomposition protocol. After that, we discuss a technique to obtain active security. Here, we show
the protocol in which p is a Mersenne prime, and will give a general protocol in Appendix B.1.

6
4.1 Equation for Bit-decomposition
The following equation can be derived from quotient transfer.

Theorem 4.1. Let m, u, p, a, (x0 , . . . , xm−1 ) be the same as Theorem 3.1, and ℓ be a positive integer such
∑m−1
that ℓ + u ≤ |p| and a < 2ℓ+1 . Let ru = i=0 xi mod 2u , p̃ = (p mod 2u )−1 mod 2u , and qu , z, and
∑ ∑
z ′ be the quotients of i=0 xi /2u , p̃ i=0 xi /2u , and pp̃/2u in modulo 2ℓ+u , respectively. Then,
m−1 m−1

a = qu − z ′ ru − zp
mod 2ℓ .
∑m−1 ∑m−1 ∑m−1
[Proof] Let q be a quotient of i=0 xi divided by p, i.e., i=0 xi = qp + 2u a. Here, 2u a = i=0 xi − qp
∑m−1
in Z, therefore, 2u a = −qp + i=0 xi mod 2ℓ+u . Recall that p̃ = (p mod 2u )−1 in modulo 2u . From
Theorem 3.1,

∑
m−1 ∑
m−1 ∑
m−1
−qp + xi mod 2ℓ+u = −(p̃ xi mod 2u )(p mod 2ℓ+u ) + xi mod 2ℓ+u . (2)
i=0 i=0 i=0
∑m−1 ∑m−1
Recall that ru = i=0 xi mod 2u and z is the quotient of p̃ i=0 xi /2u mod 2ℓ+u . Then, Equation (2)
is equal to

∑
m−1
−(p̃ru mod 2u )(p mod 2ℓ+u ) + xi mod 2ℓ+u
i=0
∑
m−1
= −(p̃ru − z2u mod 2ℓ+u )(p mod 2ℓ+u ) + xi mod 2ℓ+u
i=0
∑
m−1
= −pp̃ru − zp2u + xi mod 2ℓ+u (3)
i=0
∑m−1
Recall that qu and z ′ are the quotients of i=0 xi /2u mod 2ℓ+u and pp̃/2u mod 2ℓ+u , respectively. In
addition, pp̃ = 1 mod 2u . Then, Equation (3) is equal to

−(z ′ 2u + 1)ru − zp2u + qu 2u + ru mod 2ℓ+u = (qu − z ′ ru − zp)2u mod 2ℓ+u .

Consequently, we obtain 2u a = (qu − z ′ ru − zp)2u mod 2ℓ+u . By by dividing both sides by 2u , We finally
obtain
a = qu − z ′ ru − zp mod 2ℓ .
This concludes the proof.

We give a specific case of Theorem 4.1 in which p is a Mersenne prime as follows.

Corollary 4.2. Under the same setting as in Theorem 4.1, if p is a Mersenne prime, i.e., p = 2e − 1
for some integer e, it holds that

a = qu + ⟨ru ̸=? 0 mod 2u ⟩ mod 2ℓ . (4)

[Proof] If p = 2e − 1, then p̃ = 2u − 1 mod 2ℓ+u . In addition, z ′ = −1 mod 2ℓ+u holds since pp̃ =
(2e − 1)(2u − 1) mod 2ℓ+u = −2u + 1 mod 2ℓ+u .
Recall that z satisfies p̃ru mod 2u = p̃ru − z2u mod 2ℓ+u . By substituting p̃ = 2e − 1 mod 2ℓ+u ,

−ru mod 2u = (2u − 1)ru − z2u mod 2ℓ+u

z2u mod 2ℓ+u = ru 2u − (−ru mod 2u ) − ru mod 2ℓ+u

Here, {
∑
m−1 ∑m−1
0 if i=0 xi mod 2u = 0
−ru mod 2 = −
u
xi mod 2 = u

i=0
2u − 1 otherwise

7
Therefore, if ru = 0, then z = ru ; otherwise, z = ru − 1. This is equivalent to z = ru − ⟨ru ̸=? 0⟩. By
substituting the above into Theorem 4.1, we conclude the proof.
∑m−1
Theorem 4.1 and Corollary 4.2 show that a can be represented from the ℓ + u bits of i=0 xi .
We further obtain the following corollary since it is convenient that an equation is represented by bit-
operations of sub-shares. The following corollary is in fact securely computed in our bit-decomposition
protocol.

Corollary 4.3. Let m, u, p, a, (x0 , . . . , xm−1 ) be the same as Theorem 4.1. Let qi and ri be the bits of
∑m−1
xi larger than u − 1 bit and those smaller than u bit, respectively, and qu and ru be the bits of i=0 ri
larger than u − 1 bit and those smaller than u bit, respectively. Then,

∑
m−1
a= qi + qu + ⟨ru ̸=? 0⟩ mod 2ℓ .
i=0

4.2 Passively secure bit-decomposition protocol

Our passively secure bit-decomposition protocol for Zp with a Mersenne prime p, is derived from Corol-
lary 4.3 as Protocol 2.

Protocol 2 Passively secure bit-decomposition protocol

Input: [a]Zp
ℓ
Output: [a]Z2
(j)
1: Pi computes xi := 2u λi [a]i mod p for u = ⌈log k⌉ and 0 ≤ i < k, and let the j-th bit of xi be xi .
2: for 0 ≤ i < k do
u
bit-by-bit in Z2 , and the parties regard them as [ri ]Z2 .
(0) (u−1)
3: Pi shares xi , . . . , xi
ℓ
bit-by-bit in Z2 , and the parties regard them as [qi ]Z2 .
(u) (ℓ+u−1)
4: Pi shares xi , . . . , xi
u ∑ 2u
5: The parties call Fsum on input [ri ]Z2 for 0 ≤ i < k, and receive [ i=0k−1
ri ]Z2 . (k additions yield 2u-bit output).
∑ Z2u u u
6: The parties regard the least u bits of [ k−1 i=0 ri ]
2 as [ru ]Z2 , and the others as [qu ]Z2 .
Zu Z
7: The parties call Fzero on input [ru ] 2 , and receive [⟨ru ̸=? 0⟩] 2 .
ℓ ℓ u ℓ ∑
8: The parties call Fclsum on input [q0 ]Z2 , . . . , [qk−1 ]Z2 , [qu ]Z2 , and [⟨ru ̸=? 0⟩]Z2 , and receive [a]Z2 := [ k−1
i=0 qi +
ℓ
qu + ⟨ru ̸=? 0⟩]Z2 .
ℓ
9: The parties output [a]Z2 .

Security against a passive adversary. Protocol 2 consists of share generation and circuit evaluation, and
the security of the protocol is therefore directly reduced to them. Informally, share generation does not
reveal any information about a secret since SS is unconditionally secure. Therefore, Protocol 2 is passively
secure in the (Fsum , Fclsum , Fzero )-hybrid model.

4.3 Efficiency

The communication complexity of our bit-decomposition protocol is k(ℓ+u)shareZ2 +sumu,k +clsumℓ,k+2 +

zerotestu bits, where shareZ2 denotes the communication complexity to share a bit, sumu denotes that
to securely compute the sum on input k u-bit elements, clsumℓ,k+2 denotes that to securely compute the
carryless-sum circuit on input k + 2 ℓ-bit elements6 , and zerotestu denotes that to securely compute
the zero-test circuit on input u 1-bit elements. If k (and u) is regarded as a constant, the communication
complexity is O(ℓ) bits since shareZ2 is constant, clsumℓ,k+2 invokes O(ℓ) multiplication protocols in Z2 ,
and a multiplication protocol in Z2 requires O(1)-bits communication per invocation.
6
Precisely, k ℓ-bit elements, a u-bit element, and a 1-bit element are summed up.

8
 For concrete comparison in a specific parameter, we give a precise communication complexity when
(k, n) = (2, 3) and use the replicated SS scheme to share Z2 . We assume that sum and carryless-sum
circuits compute a full adder sequentially, and zerotest circuit computes an AND gate sequentially. Here,
u = ⌈log k⌉ = 1, share = 2 by using communication-efficient sharing in Appendix D.1, sum1,2 is MultZ2 ,
clsumℓ,4 is (ℓ − 1)MultZ2 , and zerotestu requires no communication since [⟨ru ̸=? 0⟩]Z2 = [ru ]Z2 + [qu ]Z2 ,
where MultZ2 denotes the communication complexity of a multiplication protocol in Z2 . If we use the
replicated SS scheme, MultZ2 = 6 per invocation [15]. Therefore, the communication complexity is 4(ℓ +
1) + 6 + 6(ℓ − 1) = 10ℓ + 4 bits. This means that, if ℓ ≈ ⌈log p⌉/2, the communication complexity of our
bit-decomposition protocol is as large as that of a multiplication protocol in Zp , which is 6⌈log p⌉.
There is no bit-decomposition protocol in which ℓ+u < ⌈log p⌉ is assumed and which outputs [a]Z2 , and
ℓ

thus our protocol is formally incomparable to existing bit-decomposition protocols. If we try to compare
our bit-decomposition protocol with existing ones, the most efficient bit-decomposition protocol is [4] and
its communication complexity is 5⌈log p⌉ + 12(⌈log⌈log p⌉⌉ + 1)⌈log p⌉ = 17⌈log p⌉ + 12⌈log⌈log p⌉⌉ bits.
Even regarding ⌈log p⌉ = ℓ, and thus our protocol is about three times faster. However, [4] supports full
extraction and p = 2m , and thus it is difficult to simply compare with ours.
The round complexity of our bit-decomposition protocol is 1 + sumu,k + clsumℓ,k+2 + zerotestu ,
where sumu,k , clsumℓ,k+2 , and zerotestu are the round complexities of protocols instantiating Fsum ,
Fzero , and Fzero , respectively. If (k, n) = (2, 3), the round complexity of our bit-decomposition protocol
is 1 + 1 + (ℓ − 1) + 0 = ℓ + 1 if we use the same circuits in evaluating the communication complexity.

4.4 Achieving active security using replicated SS

We show how to make Protocol 2 secure against an active adversary. Step 1 of the protocol is local
computation; therefore, it is secure even against an active adversary. In addition, the steps from Step 5
are secure circuit evaluation. Therefore, if we use an actively secure circuit evaluation protocol, such as
[1,19,15,12], these steps are secure against an active adversary, as desired.
The remaining steps are Steps 2, 3, and 4. In general, an adversary may corrupt Pi and share an
incorrect x̃i , and it is difficult to detect it. Therefore, we prevent the adversary from mounting such an
attack by making these steps consist only of local computations. We show that if a secret is shared via
the replicated SS scheme, we can generate a bit-wise share of sub-shares by local computations.
Consequently, our bit-decomposition protocol can be actively secure in the (Fsum , Fzero , Fclsum )-hybrid
model by converting a share by Protocol 1 at first, and then performing local share generation of sub-
shares.
The communication complexity of the actively secure version of our protocol is at least O(⌈log p⌉) bits
since revealing in Protocol 1 incurs this amount of communication. Therefore, only if a secret is shared
via the replicated SS scheme from the beginning, the communication complexity of our actively secure
bit-decomposition protocol is O(ℓ) bits, while O(⌈log p⌉) for a general linear SS scheme.

Local share generation of sub-shares in replicated SS. In the replicated SS scheme, each sub-share xi is
held by n − k + 1 parties. To obtain a share of the j-th bit of xi , each of the n − k + 1 parties sets his
sub-share x′ as the j-th bit of xi , and the parties set all the other sub-shares as 0. It trivially holds that
∑m−1 ′ i ′
i=0 xi = xi . In general, the parties can locally generate an additive share of f (xi ) mod p . We give
the algorithm in Algorithm 3.

Algorithm 3 Local share generation of sub-shares in replicated SS

Input: The n − k + 1 parties have xi ∈ Zp
Z ′
Output: Each Pi has [[f (x)]]i p
1: The n − k + 1 parties who have xi compute x′i = f (xi ) mod p′ .
2: The parties set the all sub-shares x′j as 0 except x′i .
3: Each Pi outputs [[f (x)]]i = {x′j | i ∈
/ Tj , Tj ∈ T}.

We give an example to obtain a bit-wise share of sub-shares in the case of (k, n) = (2, 3) and p′ = 2:
Before starting the protocol, P0 has (x0 , x1 ), P1 has (x1 , x2 ), and P2 has (x2 , x0 ), where a = x0 + x1 + x2

9
 (0) (0) (0)
mod p. The parties P0 , P1 , and P2 regard (x0 , 0), (0, 0), (0, x0 ) as their shares of x0 , respectively. By
recursively doing the same procedure for the other bits, the parties obtain the bit-by-bit shares of x0 , x1 ,
and x2 .

5 Modulus-conversion protocol

When we consider modulus conversion, computing the quotient also has an important role. Let us consider
the case in which we want to convert a share of a in Zp into a share of a in Zp′ , and a is additively shared,
∑m−1 ∑m−1
i.e., a := i=0 xi mod p. In this case, i=0 xi mod p′ = qp + a mod p′ = (q mod p′ )(p mod p′ ) + (a
mod p′ ). Here, p mod p′ can be computed from the public modulus so q mod p′ is the only unknown
value. Therefore, by computing q using quotient transfer, we can obtain an efficient modulus-conversion
protocol.
In this section, we first give a definition and instantiation of functionality we use in our modulus-
conversion protocols. We then propose a special case of our modulus-conversion protocol from Zu2 to Zp′ .
After that, we propose our modulus-conversion protocol from Zp to Zp′ .

5.1 Generating a pair of random shares

In our modulus-conversion protocol, we have to generate ([r]Z2 , [r]Zp′ ) for r ← Z2 . The functionality that
should be realized by such a protocol is defined as Fdoublerand described below. This can be instantiated
with O(⌈log p′ ⌉) bits communication by combining a protocol generating [r]Zp (ran2 () in [9]) and our
bit-decomposition protocol. We further give a more efficient and actively secure version of our modulus-
conversion protocol for a number of parties in Appendix D.3.

FUNCTIONALITY 5.1 (Fdoublerand – Generating pair of random shares)

Upon receiving id from each party Pi , sample r ← Z2 , generate ([r]Z2 , [r]Zp′ ) via the sharing algorithms,
Z ′
and send ([r]Zi 2 , [r]i p ) to each party Pi .

5.2 Modulus-conversion protocol from Zu

2 to Zp

We now give the formal description of Protocol 4, which is a special case of modulus conversion in which
shares [a]Z2 can be converted to [a]Zp′ .
u

Protocol 4 modulus-conversion protocol from Zu2 to Zp′

u
Input: [a]Z2
Output: [a]Zp′
1: for 0 ≤ i < u do
2: The parties call Fdoublerand and receive ([r(i) ]Z2 , [r(i) ]Zp′ ).
3: The parties reveal [a(i) − r(i) ]Z2 = [a(i) ]Z2 − [r(i) ]Z2 to obtain a(i) − r(i) .
4: if a(i) − r(i) = 0 then
5: The parties set [a(i) ]Zp′ = [r(i) ]Zp′ .
6: else
7: parties set [a(i) ]Zp′ = (1 − [r(i) ]Zp′ ).
The ∑
Zp′ i (i) Zp′
8: [a] := u−1
i=0 2 [a ] mod p′ .
Zp′
9: The parties output [a] .

Protocol 4 consists of local operations, revealing, and Fdoublerand . Recall that we assume revealing
is secure against active adversary. Therefore, Protocol 4 is also actively secure in the Fdoublerand -hybrid
model.

10
 The communication complexity is u(drandZp′ + revealZ2 ), where drandZp′ and revealZ2 are the
communication complexities of generating ([r]Z2 , [r]Zp′ ) for r ← Z2 and revealing a share in Z2 . If we
regard the number of parties as a constant, it is O(log ⌈p′ ⌉) bits. The round complexity is drand + 1,
where drand is that of generating ([r]Z2 , [r]Zp′ ).

5.3 Equation for modulus conversion

Similarly to our bit-decomposition protocol, we first show a useful equation for our protocol.

Theorem 5.2. Let m, p, a, (x0 , . . . , xm−1 ), p̃ be the same as Theorem 3.1, p′ is a prime number, and ℓ
be a positive integer such that ℓ + u ≤ |p|. Then,
(m−1 )
∑ ∑
m−1
−u
a=2 xi − (p̃ u
xi mod 2 )p mod p′ .
i=0 i=0

[Proof] It directly follows from Theorem 3.1 and the fact that 2u and p′ are co-prime.

∑
m−1 ∑
m−1 ∑
m−1
xi − (p̃ xi mod 2u )p = xi − qp = (2u a + qp) − qp = 2u a.
i=0 i=0 i=0

We obtain the following corollary when p is a Mersenne prime.

Corollary 5.3. Let m, u, p, a, (x0 , . . . , xm−1 ) be the same as Corollary 4.3. Let ri be the bits of −xi
mod 2u smaller than u bit and a be an ℓ-bit input and â := a2ℓ . Then,
(m−1 )
∑ ∑
m−1
−u
a=2 xi − p( u
ri mod 2 ) mod p′ .
i=0 i=0

5.4 Our modulus-conversion protocol

In this subsection, we give two modulus-conversion protocols with a Mersenne prime p. The first protocol
is passively secure, and the second one is actively secure if the components are actively secure, while the
latter assumes the small number of parties due to the use of the replicated SS scheme. A protocol for a
general prime appears at Appendix B.2.
The first protocol is as described in Protocol 5. The protocol uses Protocol 4 and share conversion from
additive shares to a linear SS scheme. Protocol 5 is passively secure in the (Fclsum , Fdoublerand )-hybrid
model since the protocol consists of sharing and Fclsum , and Protocol 5 uses Fdoublerand .

Protocol 5 Passively secure modulus-conversion protocol

Input: [a]Zp
Output: [a]Zp′
1: Pi computes xi := 2u λi [a]i mod p for u = ⌈log k⌉ and 0 ≤ i < k.
(j)
2: x̂i := −xi mod 2u and let the j-th bit of x̂i be x̂i .
3: for 0 ≤ i < k do
u
bit-by-bit in Z2 , and the parties regard them as [ri ]Z2 .
(0) (u−1)
4: Pi shares x̂i , . . . , x̂i ∑k−1 Zu
u u
5: The parties call Fclsum on input [ri ]Z2 for 0 ≤ i < k, and regard the received value as [q]Z2 := [ i=0 ri ] 2 .
Z2u Zp′
6: The parties convert [q] into [q] via Protocol 4.
7: Pi computes xi := xi mod p′ and shares xi via sharing algorithm of a linear SS scheme in Zp′ for 0 ≤ i < k.
∑ ∑
8: The parties add the received shares as [ k−1 xi ]Zp′ = k−1 i=0 [xi ]
Zp′
.
Zp′ ∑
i=0
Zp′ Zp′
9: The parties locally compute [a] := 2 ([ i=0 xi ] − p[q] ) mod p′ .
−u k−1

Z ′
10: Each Pi outputs [a]i p .

11
 The second protocol is as described in Protocol 6. This protocol uses the same idea as our bit-
decomposition protocol. We first convert [a]Zp into [[a]]Zp , and locally generate bit-wise shares. Protocol 6
is passively/actively secure in (Fclsum , Fdoublerand , Frand )-hybrid model since Protocol 1 and Protocol 4
use Frand and Fdoublerand .

Protocol 6 Modulus-conversion protocol for small number of parties

Input: [a]Zp
Output: [a]Zp′ ( n ) ∑
1: The parties invoke Protocol 1 on input [a]Zp and receive [[a]]Zp , where m = k−1 and a = m−1
i=0 xi mod p.
(j)
2: The parties set x̂i := −xi mod 2u and let the j-th bit of x̂i be x̂i .
u
3: The parties obtain [[x̂i ]]Z2 for 0 ≤ i < m by Algorithm 3. ∑
u u
Zu
4: The parties call Fclsum on input [[ri ]]Z2 for 0 ≤ i < m, and regard the received value as [[q]]Z2 := [[ m−1
i=0 ri ]]
2.
u
Z2 Zp′
5: The parties convert [q] into [q] via Protocol 4. ∑ Zp′
6: The parties locally compute xj := xj mod p′ for all their own sub-shares, and regard them as [[ m−1 i=0 xi ]] .
Zp′ −u ∑ Zp′ Zp′ ′
7: The parties compute [[a]] := 2 ([[ i=0 xi ]] − p[[q]] ) mod p .
m−1

8: The parties locally convert [[a]]Zp′ into [a]Zp′ .

9: The parties output [a]Zp′ .

5.5 Efficiency

The communication complexity of Protocol 5 is u shareZ2 + clsumu,k + u(drandZp′ + revealZ2 ) +

k shareZp′ . If the number of parties is small and regarded as a constant, the communication complexity
of u shareZ2 , clsumu,k , and revealZ2 are O(1), drandZp′ is O(⌈log p′ ⌉), and shareZp′ is O(⌈log p′ ⌉),
respectively. Therefore, the total communication complexity is O(⌈log p′ ⌉).
The communication complexity of Protocol 6 is toRepZp + clsumu,m + u(drandZp′ + revealZ2 ), where
toRepZp is that of Protocol 1. If the number of parties is regarded as a constant, the total communication
complexity is O(⌈log p⌉ + ⌈log p′ ⌉) due to toRepZp . However, if p′ > p, Protocol 6 can be more efficient
than Protocol 5. The number of rounds is (rand + 1) + 1 + (1 + drand) + 1 = 4 + rand + drand, where
rand is the number of rounds to instantiate Frand .

6 Experiments

We implemented our bit-decomposition and modulus-conversion protocols and compare their efficiency
with existing results. As we stated, to the best of our knowledge, there is no bit-decomposition protocol
in which ℓ + u < ⌈log p⌉ is assumed and which outputs [a]Z2 . Therefore, our bit-decomposition protocols
ℓ

are formally incomparable to existing ones. In this paper, we compare experimental results with those
of [4] as reference, since it is the most efficient bit-decomposition protocol. We implemented our bit-
decomposition protocol with optimizations described in Appendix D. These optimizations only affect the
constant factor of the communication complexity.
The details of the machines and network environments used in the experiment are as follows. Each
machine had an Intel⃝ R CoreTM i7 6900K 3.2 GHz × 8 cores. For a gigabit network, we used Intel⃝ R
I218-LM star network via an L2 Gigabit hub. The ping latency was 0.19 ms.
The experimental results are listed in Table 1. It shows the experimental result of passively secure bit-
decomposition protocols in a gigabit network. We measured the processing time of the bit-decomposition
protocol of 107 ℓ-bit elements. To align the setting to [4]. we used (k, n) = (2, 3). Our protocol uses
p = 261 − 1, and ℓ = 32, 20, and 2. The setting of ℓ = 32 is the same message space as [4], while ℓ = 20
and 2 are favorable for our bit-decomposition protocol. The input and output of our protocol were shares
of Shamir’s scheme, while those of [4] were shares of the replicated SS scheme.
As shown in Table 1, our bit-decomposition protocol achieves higher performance than that of [4].
Further experiments including modular-conversion protocols appear in Appendix E.

12
 Modulus (p) Bit-length of secret (ℓ) Processing time (ms)
[4] 232 32 200,000
261 − 1 32 1,194
Our bit-decomposition protocol 261 − 1 20 759
261 − 1 2 123

Table 1. Processing time (ms) for 107 records in passively secure bit-decomposition protocols in Gigabit network

7 Conclusion

We proposed secret-sharing-based bit-decomposition and modulus-conversion protocols for Zp with an

honest majority. Our protocols are secure against passive and active adversaries depending on the com-
ponents of our protocols. If k and n are small, the communication complexity of our passively secure
bit-decomposition and modulus conversion protocols are O(ℓ) bits and O(⌈log p′ ⌉) bits. While some set-
tings are different from existing works, the communication complexity is smaller than the current best
result [4]. Furthermore, we also confirmed with the experimental results that our protocols are highly
efficient.

References

1. T. Araki, J. Furukawa, Y. Lindell, A. Nof, and K. Ohara. High-throughput semi-honest secure three-party
computation with an honest majority. In E. R. Weippl, S. Katzenbeisser, C. Kruegel, A. C. Myers, and
S. Halevi, editors, ACM CCS, pages 805–817. ACM, 2016.
2. A. Beimel. Secure Schemes for Secret Sharing and Key Distribution. PhD thesis, Israel Institute of Technology,
1996.
3. D. Bogdanov, M. Jõemets, S. Siim, and M. Vaht. Privacy-preserving tax fraud detection in the cloud with
realistic data volumes. Cybernetica research report, 2016.
4. D. Bogdanov, M. Niitsoo, T. Toft, and J. Willemson. High-performance secure multi-party computation for
data mining applications. Int. J. Inf. Sec., 11(6):403–418, 2012.
5. J. W. Bos, T. Kleinjung, A. K. Lenstra, and P. L. Montgomery. Efficient SIMD arithmetic modulo a mersenne
number. In E. Antelo, D. Hough, and P. Ienne, editors, 20th IEEE Symposium on Computer Arithmetic,
ARITH 2011, Tübingen, Germany, 25-27 July 2011, pages 213–221. IEEE Computer Society, 2011.
6. R. Canetti. Security and composition of multiparty cryptographic protocols. J. Cryptology, 13(1):143–202,
2000.
7. R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. In FOCS, pages
136–145. IEEE Computer Society, 2001.
8. R. Cramer, I. Damgård, and Y. Ishai. Share conversion, pseudorandom secret-sharing and applications to
secure computation. In J. Kilian, editor, TCC, volume 3378 of Lecture Notes in Computer Science, pages
342–362. Springer, 2005.
9. I. Damgård, M. Fitzi, E. Kiltz, J. B. Nielsen, and T. Toft. Unconditionally secure constant-rounds multi-
party computation for equality, comparison, bits and exponentiation. In S. Halevi and T. Rabin, editors,
TCC, volume 3876 of Lecture Notes in Computer Science, pages 285–304. Springer, 2006.
10. S. L. From and T. Jakobsen. Secure Multi-Party Computation on Integers. PhD thesis, University of Aarhus,
2006.
11. J. Furukawa, Y. Lindell, A. Nof, and O. Weinstein. High-throughput secure three-party computation for
malicious adversaries and an honest majority. In EUROCRYPT 2017, pages 225–255, 2017.
12. D. Genkin, Y. Ishai, M. Prabhakaran, A. Sahai, and E. Tromer. Circuits resilient to additive attacks with
applications to secure computation. In D. B. Shmoys, editor, STOC, pages 495–504. ACM, 2014.
13. O. Goldreich. The Foundations of Cryptography - Volume 2, Basic Applications. Cambridge University Press,
2004.
14. S. Goldwasser and Y. Lindell. Secure multi-party computation without agreement. J. Cryptology, 18(3):247–
287, 2005.
15. D. Ikarashi, R. Kikuchi, K. Hamada, and K. Chida. Actively private and correct MPC scheme in t < n/2
from passively secure schemes with small overhead. IACR Cryptology ePrint Archive, 2014:304, 2014.
16. M. Ito, A. Saito, and T. Nishizeki. Secret sharing scheme realizing general access structure. IEICE Transac-
tions, 72:56–64, 1989.

13
17. E. Kimura, K. Hamada, R. Kikuchi, K. Chida, K. Okamoto, S. Manabe, T. Kuroda, Y. Matsumura, T. Takeda,
and N. Mihara. Evaluation of secure computation in a distributed healthcare setting. In Proceedings of
MIE2016 at HEC2016, pages 152–156, 2016.
18. E. Kushilevitz, Y. Lindell, and T. Rabin. Information-theoretically secure protocols and security under
composition. SIAM J. Comput., 39(5):2090–2112, 2010.
19. Y. Lindell and A. Nof. A framework for constructing fast MPC over arithmetic circuits with malicious
adversaries and an honest-majority. In B. M. Thuraisingham, D. Evans, T. Malkin, and D. Xu, editors, ACM
CCS 2017, pages 259–276. ACM, 2017.
20. Y. Lindell and B. Pinkas. Secure two-party computation via cut-and-choose oblivious transfer. In Y. Ishai,
editor, Theory of Cryptography - 8th Theory of Cryptography Conference, TCC 2011, volume 6597 of Lecture
Notes in Computer Science, pages 329–346. Springer, 2011.
21. T. Nishide and K. Ohta. Multiparty computation for interval, equality, and comparison without bit-
decomposition protocol. In Public Key Cryptography, pages 343–360, 2007.
22. T. I. Reistad and T. Toft. Linear, constant-rounds bit-decomposition. In Information, Security and Cryptology
- ICISC 2009, pages 245–257, 2009.
23. B. Schoenmakers and P. Tuyls. Efficient binary conversion for paillier encrypted values. In S. Vaudenay,
editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science,
pages 522–537. Springer, 2006.
24. A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
25. T. Toft. Constant-rounds, almost-linear bit-decomposition of secret shared values. In Topics in Cryptology -
CT-RSA 2009, pages 357–371, 2009.

A Definition of Security
A.1 Passive security
Most of the contents in this section are taken verbatim from [1, Section 3.1].
A protocol is secure in the presence of k − 1 corrupted parties if the view of the corrupted party in
a real protocol execution can be generated by a simulator given only the corrupted parties input and
output. The view of Pi during an execution of a protocol π on inputs − →
x , denoted Viewπi (− →
x ), consists
of its input xi , its internal random coins ri and the messages that were received by Pi in the execution.
The output of all parties from an execution of π is denoted by Outputπ (− →
x ). Let I ⊂ {0, . . . , n − 1} be
the set of indices of the corrupted parties controlled by the adversary.
Definition A.1. Let f : ({0, 1}∗ )n → ({0, 1}∗ )n be a probabilistic n-ary functionality and let π be a
protocol. We say that π computes f with perfect security in the presence of k − 1 passive corrupted party
for f if there exists a probabilistic polynomial-time algorithm S such that for every k − 1 corrupted parties
Pi such that i ∈ I and |I| = k − 1, and every − →x ∈ ({0, 1})n , where |x0 | = |x1 | = . . . = |xn−1 |:

{(S(xI , fI (−
→ x )))} ≡ {(ViewπI (−
x )), f (−
→ →
x ), Outputπ (−
→
x ))} (5)

If Equation (5) holds with perfect/computational indistinguishability, then we say that π computes f
with perfect/computational security in the presence of k − 1 passive corrupted parties.

A.2 Active security

Most of the contents in this section are taken verbatim from [19, Appendix A].
The security parameter is denoted κ; negligible functions and computational indistinguishability are
defined in the standard way, with respect to non-uniform polynomial-time distinguishers.

Ideal versus real model definition. We use the ideal/real simulation paradigm in order to define security,
where an execution in the real world is compared to an execution in the ideal world where an incorruptible
trusted party computes the functionality for the parties [6,13]. We define security with abort (and without
fairness), meaning that the corrupted parties may receive output while the honest parties do not. Our
definition does not guarantee unanimous abort, meaning that some honest party may receive output while
the other does not. It is easy to modify our protocols so that the honest parties unanimously abort by
running a single (weak) Byzantine agreement at the end of the execution [14]; we therefore omit this step
for simplicity.

14
The real model. In the real model, an n-party protocol π is executed by the parties. For simplicity,
we consider a synchronous network that proceeds in rounds and a rushing adversary, meaning that the
adversary receives its incoming messages in a round before it sends its outgoing message. The adversary
A can be active; it sends all messages in place of the corrupted parties, and can follow any arbitrary
strategy. The honest parties follow the instructions of the protocol.
Let A be a non-uniform probabilistic polynomial-time adversary controlling k − 1 < n2 parties. Let
Real π,A(z),I (x0 , . . . , xn−1 , κ) denote the output of the honest parties and A in the real execution of π,
with inputs x0 , . . . , xn−1 , auxiliary-input z for A, and security parameter κ.

The ideal model. We define the ideal model, for any (possibly reactive) functionality F, receiving inputs
from P0 , . . . , Pn−1 and providing them with outputs. Let I ⊂ {0, . . . , n − 1} be the set of indices of the
corrupted parties controlled by the adversary. The ideal execution proceeds as follows:
– Send inputs to the trusted party: Each honest party Pj sends its specified input xj to the trusted
party. A corrupted party Pi controlled by the adversary may either send its specified input xi , some
other x′i or an abort message.
– Early abort option: If the trusted party received abort from the adversary A, it sends ⊥ to all
parties and terminates. Otherwise, it proceeds to the next step.
– Trusted party sends output to the adversary: The trusted party computes each party’s output
as specified by the functionality F based on the inputs received; denote the output of Pj by yj . The
trusted party then sends {yi }i∈I to the corrupted parties.
– Adversary instructs trusted party to continue or halt: For each j ∈ {0, . . . , n − 1} with j ∈ / I,
the adversary sends the trusted party either abortj or continuej . For each j ∈/ I:
• If the trusted party received abortj then it sends Pj the abort value ⊥ for output.
• If the trusted party received continuej then it sends Pj its output value yj .
– Outputs: The honest parties always output the output value they obtained from the trusted party,
and the corrupted parties outputs nothing.
Let S be a non-uniform probabilistic polynomial-time adversary controlling parties Pi for i ∈ I. Let
Ideal F ,S(z),I (x0 , . . . , xn−1 , κ) denote the output of the honest parties and S in an ideal execution with
the functionality F, inputs x0 , . . . , xn−1 to the parties, auxiliary-input z to S, and security parameter κ.

Security. Informally speaking, the definition says that protocol π securely computes f if adversaries in
the ideal world can simulate executions of the real world protocol. In some of our protocols there is a
statistical error that is not dependent on the computational security parameter. As in [20], we formalize
security in this model by saying that the distinguisher can distinguish with probability at most this error
plus some factor that is negligible in the security parameter. This is formally different from the standard
definition of security since the statistical error does not decrease as the security parameter increases.
Definition A.2. Let F be a n-party functionality, and let π be a n-party protocol. We say that π securely
computes f with abort in the presence of an adversary controlling k − 1 < n2 parties, if for every
non-uniform probabilistic polynomial-time adversary A in the real world, there exists a non-uniform
probabilistic polynomial-time simulator/adversary S in the ideal model with F, such that for every I ⊂
{0, . . . , n − 1},
{ } c { }
Ideal F,S(z),I (x1 , . . . , xn , κ) ≈ Real π,A(z),I (x1 , . . . , xn , κ)

where x0 , . . . , xn−1 ∈ F∗ under the constraint that |x1 | = · · · = |xn |, z ∈ F∗ and κ ∈ N . We say that π
securely computes f with abort in the presence of one active party with statistical error 2−σ if there exists
a negligible function µ(·) such that the distinguishing probability of the adversary is less than 2−σ + µ(κ).

The hybrid model. We prove the security of our protocols in a hybrid model, where parties run a protocol
with real messages and also have access to a trusted party computing a subfunctionality for them. The
modular sequential composition theorem of [6] states that one can replace the trusted party computing the
subfunctionality with a real secure protocol computing the subfunctionality. When the subfunctionality
is g, we say that the protocol works in the g-hybrid model.

15
Universal Composability [7]. Protocols that are proven secure in the universal composability framework
have the property that they maintain their security when run in parallel and concurrently with other
secure and insecure protocols. In [18, Theorem 1.5], it was shown that any protocol that is proven
secure with a black-box non-rewinding simulator and also has the property that the inputs of all parties
are fixed before the execution begins (called input availability or start synchronization in [18]), is also
secure under universal composability. Since the input availability property holds for all of our protocols
and subprotocols, it is sufficient to prove security in the classic stand-alone setting and automatically
derive universal composability from [18]. We remark that this also enables us to call the protocol and
subprotocols that we use in parallel and concurrently (and not just sequentially), enabling us to achieve
more efficient computation (e.g., by running many executions in parallel or running each layer of a
circuit in parallel).

B Protocols for a general prime number p

B.1 Bit-decomposition protocol
ℓ+⌈log p⌉
Let z ′ , p̃ be the same as Theorem 4.1. Notice that we can compute [ab]Z2 from a ∈ Zp and [b]Z2 by
ℓ

circuit evaluation.

Protocol 7 Bit-decomposition protocol for a general prime

Input: [a]Zp
ℓ
Output: [a]Z2
(j)
1: Pi computes xi := 2u λi [a]i mod p for u = ⌈log k⌉ and 0 ≤ i < k, and let the j-th bit of xi be xi .
2: for 0 ≤ i < k do
u
bit-by-bit in Z2 , and the parties regard them as [ri ]Z2 .
(0) (u−1)
3: Pi shares xi , . . . , xi
ℓ
bit-by-bit in Z2 , and the parties regard them as [qi ]Z2 .
(u) (ℓ+u−1)
4: Pi shares xi , . . . , xi
u ∑ 2u
5: The parties call Fsum on input [ri ]Z2 for 0 ≤ i < m, and receive [ i=0 ri ]Z2 . (m additions yield 2u-bit
m−1

output)
∑ Z2u u u
6: The parties regard the least u-bit of [ m−1 i=0 ri ]
2 as [ru ]Z2 , and the others as [qu ]Z2 .
ℓ+u ℓ+u u
7: The parties compute [z ′ ru ]Z2 and [pru ]Z2 from z ′ , p′ , and [ru ]Z2 .
ℓ+u ℓ
8: The parties regard the most significant ℓ bits of [pru ]Z2 as [z]Z2 .
ℓ+2u u
9: The parties compute [zp]Z2 from p mod 2ℓ+u and [z]Z2 , and regard the least significant ℓ + u bits as
Zℓ+u
[zp] 2 .
ℓ ℓ u ℓ+u ℓ+2u ℓ
10: The parties call Fclsum on input [q0 ]Z2 , . . . , [qk−1 ]Z2 , [qu ]Z2 , −[z ′ ru ]Z2 , and [zp]Z2 , and receive [a]Z2 :=
∑m−1 ℓ
[ i=0 qi + qu − z ′ ru + zp]Z2 .
Zℓ
11: Each Pi outputs [a]i 2 .

B.2 Modulus-conversion protocol

The difference is just x̂i := −xi mod 2u is replaced by x̂i := p̃xi mod 2u .

C Functionalities of circuit evaluation

In this section, we give the formal descriptions of Fsum , Fclsum , and Fzero as Functionalities C.1, C.2, and
C.3, respectively.

D Optimizations
In this section, we show several optimizations to improve the communication complexity. Some of opti-
mizations use PRSS, and PRSS requires a pseudo-random function. Therefore, if we use those optimiza-
tions, the whole protocol will be computationally secure.

16
Protocol 8 Modulus conversion protocol for a general prime p
Input: [a]Zp
Output: [a]Zp′
1: Pi computes xi := 2u λi [a]i mod p for u = ⌈log k⌉ and 0 ≤ i < k
(j)
2: x̂i := p̃xi mod 2u and let the j-th bit of x̂i be x̂i .
3: for 0 ≤ i < k do
u
bit-by-bit in Z2 , and the parties regard them as [q]Z2 .
(0) (u−1)
4: Pi shares x̂i , . . . , x̂i ∑
u u
Zu
5: The parties call Fclsum on input [ri ]Z2 for 0 ≤ i < k, and regard the received value as [q]Z2 := [ m−1
i=0 ri ]
2.

Z2u Zp′
6: The parties convert [q] into [q] via Protocol 4.
7: Pi computes xi := xi mod p′ for 0 ≤ i < k. ∑k−1 Z ′
8: The parties call F2lin on inputs xi for Pi , 0 ≤ i < k, and receives [ i=0 xi ] p .
∑
9: The parties locally compute [a]Zp′ := 2−u ([ k−1 i=0 x i ]Zp′
− p[q]Zp′
) mod p ′
.
Z ′
10: Each Pi outputs [a]i p .

FUNCTIONALITY C.1 (Fsum – Summation circuit)

Zℓ Zℓ
Upon receiving [a0 ]i 2 , . . . , [am−1 ]i 2 from each party Pi , check the correctness of shares and output ⊥ if the
∑ Z22ℓ
shares are incorrect. If not, reconstruct the secrets, compute a = m−1 i=0 ai , generate [a] via the sharing
Z2ℓ
algorithm, and send [a]i 2 to each party Pi .

First example of optimizations is to a multiplication protocol. If we use PRSS, a multiplication protocol

of the replicated SS scheme requires 3 elements per invocation [15], while 6 elements without PRSS.

D.1 Communication-efficient sharing for the replicated secret-sharing scheme

When P0 tries to share a in the setting of (k, n) = (2, 3), a trivial way is to generate a share of a and
distribute it. In this trivial way, P0 has to send 4 elements. Instead, there is a communication-efficient
sharing that reduces the communication complexity by half. Let (x0 , x1 ), (x1 , x2 ), and (x2 , x0 ) be shares
of a for P0 , P1 , and P2 , respectively. P0 sends x0 := a − r to P2 and x1 := r to P1 for a random number
r, and x2 is set as 0. In the above, P0 sends only 2 elements. Furthermore, if P0 and P1 share a key of
a pseudorandom function for PRSS, r can be generated by the pseudorandom function, and P0 has to
send only a single element to P2 .

D.2 Communication-efficient multiplication for locally generated shares

If we multiply three shares generated by the local share generation, we can multiply three shares with
the same communication complexity as a single execution of a multiplication protocol. Let r0 , r1 ,
and r2 be elements in Zp . Assume P0 has (r0 , 0), (0, r1 ), (0, 0), P1 has (0, 0), (r1 , 0), (0, r2 ), and P2 has
(0, r0 ), (0, 0), (r2 , 0), which are shares of r0 , r1 , and r2 , respectively. To multiply these three shares, the
three parties proceed as follows.

1. P0 chooses s0 ← Zp , and sends r0 r1 − s0 to P1 and s0 to P2 .

2. P0 , P1 , and P2 regard (s0 , r0 r1 − s0 ), (r0 r1 − s0 , 0), and (0, s0 ) as their shares of r0 r1 , respectively.
3. P1 chooses s1 ← Zp , and sends s1 to P0 and r2 (r0 r1 − s0 ) − s1 to P1 .
4. P2 chooses s2 ← Zp , and sends s2 to P1 and r2 s0 − s2 to P0 .
5. P0 , P1 , and P2 regard (r2 s0 − s2 , s1 ), (s1 , r2 (r0 r1 − s0 ) − s1 + s2 ), and (r2 (r0 r1 − s0 ) − s1 + s2 , r2 s0 − s2 )
as their shares of r0 r1 r2 , respectively.

FUNCTIONALITY C.2 (Fclsum – Carryless-sum circuit)

Zℓ Zℓ
Upon receiving [a0 ]i 2 , . . . , [am−1 ]i 2 from each party Pi , check the correctness
∑ of shares and output ⊥ if the
shares are incorrect. If not, reconstruct the secrets, compute a = m−1 ℓ
i=0 ai mod 2 (and discard bits after
ℓ Zℓ
the ℓ-th bit), generate [a]Z2 via the sharing algorithm, and send [a]i 2 to each party Pi .

17
 FUNCTIONALITY C.3 (Fzero – Zero-test circuit)
Upon receiving [a0 ]Zi 2 , . . . , [am−1 ]Zi 2 from each party Pi , check the correctness
∏ of shares and output ⊥ if
Z2
the shares are incorrect. If not, reconstruct the secrets, compute a = m−1 i=0 (1 − ai ), generate [a] via the
Zℓ
sharing algorithm, and send [a]i 2 to each party Pi .

In the above, 6 elements are sent among the parties, which is the communication complexity of a multi-
plication protocol. If each pair of the parties shares a key of a pseudorandom function for PRSS, s0 , s1 ,
and s2 can be generated by the pseudorandom function and 3 elements are sent among the parties, which
is also the same communication complexity of a multiplication protocol with PRSS.

D.3 Efficient generation of a pair of random shares for small number of parties
Protocol 9 shows an efficient protocol to generate [r]Z2 and [r]Zp′ for r ← Z2 for a small number of
parties. Here, Fxor is the functionality of circuit evaluation that computes exclusive-or (addition in Z2 )
of the inputs. An XOR gate of two inputs in Zp can be computed by a single multiplication as r0 + r1
mod 2 = r0 + r1 − r0 r1 mod p.
If we use PRSS, only a protocol instantiating Fxor requires communication. An ordinary circuit that
computes an XOR gate sequentially requires m multiplication. However, the optimization in Appendix D.2
can be used so the communication complexity is the same as ⌈ m 3 ⌉ invocations of a multiplication protocol.

Protocol 9 Generating [r]Z2 and [r]Zp′ for small number of parties

Input: nothing
Output: ([r]Z2 , [r]Zp′ ) ∑
1: The parties obtain Frand and receive [[r]]Z2 , where the sub-shares are r0 , . . . , rm−1 , i.e., r = m−1 i=0 ri mod 2.
Zp Zp
2: The parties use Algorithm 3 and obtain [[r0 ]] , . . . , [[rm−1 ]] . ∑
3: The parties call Fxor on input [[r0 ]]Zp , . . . , [[rm−1 ]]Zp , and receives [[r]]Zp = [[ m−1
i=0 xi mod 2]].
4: The parties convert ([[r]]Z2 , [[r]]Zp′ ) into ([r]Z2 , [r]Zp′ ) using the local conversion technique.
5: The parties output ([r]Z2 , [r]Zp′ ).

E Experimental results in various settings

Tables 2, 3, and 4 list the experimental results of our both protocols in 10G, 1G, and (simulated)
Internet connections. Machine environment is the same as Section 6. For any experiment, (k, n) = (2, 3)
and 107 records are decomposed/converted. For a 10 Gigabit network, we used Intel⃝ R X550T 10G-
Ether ring network with 0.055 ms of ping (roundtrip) latency. For Internet simulation, we limit the
network connection by 50 Mbps with 20 ms of roundtrip latency. For the experiment of an actively secure
protocol, we use the technique of [15] to securely compute circuit evaluation with statistical error κ = 8.
We implemented Protocol 6 as a modulus-conversion protocol, and set p = 261 − 1 and p′ = 2127 − 1.

Bit-length (ℓ) Passive security Active security with abort

32 364 5334
Bit-decomposition 20 234 3446
2 62 761
Modulus-conversion - 1,684 4,094
Table 2. Processing time (ms) in 10G network

18
 Bit-length (ℓ) Passive security Active security with abort
32 1,194 1,878
Bit-decomposition 20 759 12,258
2 123 486
Modulus-conversion - 6,189 15,298
Table 3. Processing time (ms) in Gigabit network

Bit-length (ℓ) Passive security Active security with abort

32 13,572 286,812
Bit-decomposition 20 8,538 184,108
2 977 36,684
Modulus-conversion - 73,162 234,805
Table 4. Processing time (ms) in (simulated) Internet

19