2-out-of-3 SS-MPC: Secure Computation

Updated 31 January 2026

2-out-of-3 SS-MPC is a cryptographic scheme that splits a secret among three parties, requiring any two to reconstruct the secret while protecting individual inputs.
The scheme underpins advanced threshold decryption, including Fully Homomorphic Encryption, ensuring secure operations despite participant dropout or adversarial behavior.
Recent advances like ApproxSS and ATASSES reduce computational and communication overhead, demonstrating practical scalability in both classical and quantum implementations.

A 2-out-of-3 Secret-Sharing Multiparty Computation (SS-MPC) scheme is a cryptographic primitive enabling three parties to jointly compute functions on private inputs such that any two out of the three can reconstruct the computed result or secret, while single-party coalitions learn negligible information. This approach is foundational in both classical and quantum settings, underpins threshold encryption, and supports robust, privacy-preserving computation despite partial participation or adversarial dropout. Recent advances emphasize arbitrary-threshold generalizations, particularly within practical fully homomorphic encryption (FHE) systems and universal protocols for quantum circuits, as surveyed in both the Approximate Secret Sharing (ApproxSS) ThFHE paradigm (Chang et al., 20 Jan 2025) and quantum threshold homomorphic encryption (Zhang et al., 26 Feb 2025).

Secret sharing divides a secret $m$ into $N$ shares $(s_1, ..., s_N)$ such that only qualified subsets of shares enable reconstruction. In a $(T,N)$ -threshold scheme (with $T=2$ , $N=3$ ), any two shares suffice for recovery; one alone leaks (almost) nothing. For $2$-out-of-$3$ SS-MPC, classical Shamir secret sharing is typical, leveraging interpolation over finite fields: for a secret $m$ , a random polynomial $f(x)$ of degree $1$ with $f(0)=m$ is constructed, and each party receives an evaluation $s_i=f(i)$ . This ensures secrecy against single-party adversaries and efficient linearity, a property essential for multiparty computation.

Contextually, such schemes are also realized in quantum settings: quantum state sharing generalizes secret sharing, encoding qubit states such that any two out of three evaluators can jointly perform operations or recover the state, while one alone accesses only maximal entropy (Zhang et al., 26 Feb 2025).

2. Threshold FHE and Application to Secure MPC

Threshold Fully Homomorphic Encryption (ThFHE) generalizes classical secret sharing to encrypted domains. Here, the secret decryption key $sk$ is distributed so that decryption requires at least $T$ of $N$ participants. Historically, most ThFHE constructions have relied on the full threshold ( $T=N$ ), resulting in rigid protocols prone to failures under party dropout. In 2-out-of-3 settings, the threshold decryption mapping is configured so that any pair among the three can jointly recover computation results on encrypted data, implementing fault tolerance and asynchronicity.

Arbitrary-threshold FHE (AThFHE) schemes, as introduced in (Chang et al., 20 Jan 2025), extend threshold flexibility. At the core, these protocols depend on a T-out-of-N Approximate Secret Sharing (ApproxSS) primitive, enabling threshold decryption with noise-robustness and adaptability to non-participation. The 2-out-of-3 case is thus a direct instantiation where the protocol's communication and computation complexity are drastically reduced by the "encrypted shares" technique.

The ApproxSS primitive (Chang et al., 20 Jan 2025) advances secret sharing by permitting approximate reconstruction—injecting bounded "smudging" noise to obfuscate the secret from any coalition of up to $T-1$ parties. Specifically, a 2-out-of-3 ApproxSS scheme consists of:

Share Generation: On input $m$ from message space $\mathcal{M}$ , compute $s_1, s_2, s_3 \leftarrow \text{Share}(m)$ .
Approximate Recovery: Any two parties use a protocol $\Pi_{\text{ApproxRec}}$ with their shares and a noise distribution $\chi$ to recover $m'$ , such that $m'-m$ is bounded (e.g., $\|m'-m\|\leq B$ ).
Security: For adversary corrupting one party, shares reveal at most $m+x$ for uniform $x\sim\chi$ .

This structure enables SS-MPC protocols where evaluation and decryption tolerate non-participation and depend only on two of three parties, without full coalition involvement.

4. Protocol Realizations: ATASSES and Optimized 2-of-3 Threshold MPC

Classical 2-out-of-3 SS-MPC protocols can utilize the ATASSES construction, which implements ApproxSS with "encrypted shares" using linearly homomorphic encryption. For generic $T$ and $N$ , ATASSES reduces computational complexity to $\mathcal{O}(N^2+K)$ and communication to $\mathcal{O}(N+K)$ , outperforming classical noisy-share Shamir approaches. In the 2-out-of-3 case, the protocol involves two rounds:

Each of three parties encrypts and shares sub-shares using BFV secret-key encryption.
Upon receiving encrypted shares from any pair, an aggregator reconstructs the key by Lagrange interpolation, decrypts the aggregate, and obtains an approximation to the secret or the FHE decryption component.

Empirical results demonstrate scalability and practical efficiency even as $N$ grows, suggesting high practicality for 2-out-of-3 configurations (Chang et al., 20 Jan 2025).

5. Security Notions and Guarantees

Correctness in 2-out-of-3 ApproxSS (and derived MPC protocols) is based on the guarantee that any qualifying pair reconstructs the secret within a tight noise bound. Simulation-based security is achieved: no adversary controlling a single party can distinguish between the real protocol and an ideal execution, except for learning a smudged (uniformly noise-padded) secret.

In quantum settings, similar guarantees hold: $(2,3)$ -threshold quantum secret sharing ensures that any two servers, by combining their quantum/classical information, recover the intended computation, while any single server observes only a maximally mixed state (Zhang et al., 26 Feb 2025).

6. Applications and Implementation Results

2-out-of-3 SS-MPC schemes are foundational in distributed secure computation, privacy-preserving analytics, and cloud aggregation. In federated learning and secure multi-client environments, lower-threshold protocols admit arbitrary non-participants and enhance robustness to dropout and DoS scenarios.

Benchmarks with ATASSES (Go/Lattigo, $N=3$ and up) illustrate order-wise efficiency improvements: O( $N^2K$ ) is reduced to O( $N^2+K$ ), and communication is sublinear in $K$ for large data payloads. Even with only three participants, these improvements translate to lower latency and bandwidth usage—critical in practical SS-MPC deployments (Chang et al., 20 Jan 2025).

7. Extensions: Quantum Threshold Homomorphic Encryption

Quantum generalizations of 2-out-of-3 SS-MPC appear in $(k,n)$ -threshold quantum state sharing (Zhang et al., 26 Feb 2025). Here, three quantum servers collaborate to realize universal quantum circuit evaluation on shared quantum data. The secret sharing structure leverages entanglement and linear algebraic constraints such that only two of three servers can jointly decrypt or evaluate—ensuring that any single party alone learns nothing beyond a randomization.

The classical key-distribution protocol is replaced by quantum authentication and encrypted rotations; the general structure, however, mirrors the classical secret sharing paradigm. This demonstrates that the design principles of 2-out-of-3 SS-MPC persist and generalize to the quantum regime, accommodating both arithmetic and entangled quantum data, and supporting arbitrary function evaluation by authorized subsets.

Table 1. Comparative Computation and Communication Complexities in Threshold Secret Sharing Protocols (N=3, T=2)

Protocol	Computation	Communication
Noisy-share Shamir [C]	$\mathcal{O}(N^2 K)$	$\mathcal{O}(N K)$
ATASSES (encrypted share)	$\mathcal{O}(N^2+K)$	$\mathcal{O}(N+K)$

For classical settings, the ATASSES protocol yields significant improvements. Quantum protocols maintain similar asymptotics with additional quantum channel requirements (Chang et al., 20 Jan 2025, Zhang et al., 26 Feb 2025).

2-out-of-3 SS-MPC schemes thus provide a secure and efficient foundation for threshold-based secure computation in both classical and quantum models, with clear security proofs, robust against participant failure, and scalability to large message sizes or participant counts. The reduction in computational and communication overhead via ApproxSS and ATASSES marks a substantial advance in multiparty cryptography and its practical realization.

Markdown Report Issue Upgrade to Chat

References (2)

Arbitrary-Threshold Fully Homomorphic Encryption with Lower Complexity (2025)

Universal quantum homomorphic encryption based on $(k, n)$-threshold quantum state sharing (2025)

Topic to Video (Beta)

Whiteboard

Follow Topic

Get notified by email when new papers are published related to 2-out-of-3 Secret-Sharing Multiparty Computation (SS-MPC).