How to Split a Shared Secret into Shared Bits in Constant-Round

We show that if a set of players hold shares of a value a ∈ Zp for some prime p (where the set of shares is written [a]p), it is possible to compute, in constant round and with unconditional security, sharings of the bits of a, i.e. compute sharings [a0]p, . . . , [a`−1]p such that ` = dlog 2 (p)e, a0, . . . , a`−1 ∈ {0, 1} and a = ∑`−1 i=0 ai2 . Our protocol is secure against active adversaries and works for any linear secret sharing scheme with a multiplication protocol. This result immediately implies solutions to other long-standing open problems, such as constant-round and unconditionally secure protocols for comparing shared numbers and deciding whether a shared number is zero. The complexity of our protocol is O(` log(`)) invocations of the multiplication protocol for the underlying secret sharing scheme, carried out in O(1).