Linear Round Bit-Decomposition of Secret-Shared Values

Abstract

In the field of signal processing in the encrypted domain, linear operations are usually easy to perform, whereas multiplications, and bitwise operations like comparison, are more costly in terms of computation and communication. These bitwise operations frequently require a decomposition of the secret value into bits. To minimize the communication complexity, previous studies have focused on solutions that require a constant number of communication rounds, often at the cost of a large number of multiplications. We develop a bit-decomposition protocol within a linear secret sharing system, where sharings of the bits are computed from an integer that is secret-shared among multiple parties. We consider new solutions that require fewer multiplications, but where the number of communication rounds is linear in the input size. Although our basic solution requires m communication rounds to extract the m least significant bits, we present a way of reducing it by an arbitrary factor, using additional precomputations. Given that the best constant round solutions need at least 23 communication rounds, our solution is preferable for integers up to 165 bits, leading to fewer rounds and a smaller number of secure multiplications. In one variant, it is even possible to compute all I bits through only one opening and one additional communication round containing l multiplications, when a precomputation phase of 2 + log <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">2</sub> I rounds and 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">I</sup> -l-1 secure multiplications has been performed.