Score:0

# Multiplicative inverse protocol for MPC that outputs 0 when input is 0

Setting: Shamir secret-sharing over the field $$GF(p)$$, $$p$$ a prime.

For $$a\in GF(p)$$, I would like a protocol that takes a sharing $$[a]$$ as input, and outputs: $$[a^{-1}]$$ if $$a\neq 0$$, and $$[0]$$ if $$a=0$$.

I cannot think of an easy way to modify the well-known protocol that computes $$a^{-1}$$ using a multiplicative mask, and cannot think of another approach.

Any ideas are welcome!

What about turning the exponent to positive in $a^{-1}$ using Fermat's little theorem?
I think fgrieu's suggestion is the best choice here, unless $p$ is extremely large. Given a secure multiplication protocol that computes $[xy]$ from $[x]$ and $[y]$, compute $[a^{p-2}]$ via the square-and-multiply protocol, in about $1.5\log p$ invocations of the secure multiplication. This will be $a^{-1}$ if $a$ is nonzero, and zero otherwise.
Thanks for the responses! I like the idea, but $p$ may be quite large ($\approx 2000$ bits).
Ok then, how many parties do you have? What is the corruption threshold used for the Shamir secret sharing? I assume semi-honest security is enough? In the two party setting I can think of much more efficient solutions, but in the multiparty setting, it requires a bit of thinking, though there might be solutions.
Currently, $3$ parties with threshold $2$, and semi-honest security. I'd be curious to hear any solutions requiring 2PC.
I sit in a Tesla and translated this thread with Ai: