Papers
Topics
Authors
Recent
Search
2000 character limit reached

Threshold-Based Searchable Sharing Primitive

Updated 7 July 2026
  • The paper introduces a novel cryptographic primitive that combines threshold secret sharing with searchable encryption to enable controlled, coalition-based access.
  • It employs multilevel access structures, CRT-based secret sharing, and techniques like proxy re-encryption and homomorphic search to secure function sharing.
  • Applications span secure healthcare data sharing and decentralized threshold operations, demonstrating practical performance and leakage mitigation.

Searching arXiv for recent and foundational papers directly relevant to threshold-based searchable sharing primitives, multilevel threshold function sharing, searchable sharing systems, and threshold-protected searchable search. A threshold-based searchable sharing primitive is a cryptographic abstraction in which search capabilities, search keys, or secret function parameters are distributed across multiple parties so that only authorized coalitions can execute search-related operations, while coalitions outside the authorized access structure learn no information about the protected secret or the search result. In the literature represented here, the primitive appears in several closely related forms: multilevel threshold secret and function sharing based on the Chinese Remainder Theorem (CRT), patient-driven searchable sharing with Proxy Re-Encryption (PRE) and fully homomorphic search, searchable activation of threshold tracing via Key-Aggregate Searchable Encryption (KASE), traceable over-threshold multi-party private set intersection, and dynamic threshold-searchable vector retrieval for collaborative approximate nearest neighbor search (Ersoy et al., 2016). Taken together, these works characterize the primitive not as a single fixed syntax, but as a family of constructions that combine threshold access control, searchable or queryable cryptographic state, and controlled reconstruction or evaluation of a secret-dependent function (Costa et al., 2024).

1. Conceptual scope and defining characteristics

The common objective is to distribute a search-relevant secret so that search, retrieval, tracing, or predicate evaluation becomes possible only when a threshold policy is satisfied. In the multilevel CRT-based setting, the secret may be a function parameter such as an RSA private exponent dd, and function sharing means that authorized coalitions can collaboratively evaluate the function without reconstructing or exposing the global secret (Ersoy et al., 2016). In the patient-centric S3PHER system, the primitive consists of encrypted documents, encrypted searchable indexes, and consent-gated re-encryption for sharing; the system explicitly identifies this combination as a natural foundation for a searchable sharing primitive (Costa et al., 2024). In SP-A2^2NN, the primitive is formalized directly as dynamic searchable sharing threshold, or dynamic SST, whose protocols support setup, search, and update over a collaborative encrypted database represented by secret shares (Guo, 23 Jul 2025).

Across these formulations, three features recur. First, the protected capability is not necessarily disclosure of a secret; it may instead be evaluation of a function, derivation of a token, identification of over-threshold records, or authorized activation of tracing. Second, access is governed by threshold structure, often with richer policy language than a single (t,n)(t,n) threshold. Third, public metadata or auxiliary information must not reveal exploitable cross-share relations. The failure mode emphasized in the CRT multilevel work is precisely that linear relations between shares modulo distinct moduli, when published without cryptographic blinding, can leak the entire secret (Ersoy et al., 2016).

A plausible implication is that “searchable sharing” is best understood as a layered construction rather than a monolithic primitive. One layer encodes the access structure and secret distribution; another layer realizes the search or function-evaluation interface; a third layer constrains public information so that the searchable interface does not undermine threshold privacy.

2. Access structures and formal models

The most explicit access-structure treatment appears in the multilevel threshold model of Simmons. The global participant set is partitioned into disjoint compartments or levels,

U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,

with L1L_1 the highest level and LmL_m the lowest. Cumulative sets are defined by

Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,

and thresholds satisfy

0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.

A higher-level participant can replace members of lower levels, so the access structure is inherently hierarchical (Ersoy et al., 2016).

Two canonical access structures are distinguished. In a disjunctive multilevel threshold scheme, a coalition is authorized if it satisfies at least one level threshold: Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}. In a conjunctive multilevel threshold scheme, all level thresholds must hold simultaneously: Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}. The paper explicitly notes that this supports policies such as “authorization requires any two VPs and any three tellers” (Ersoy et al., 2016).

Other works instantiate different threshold semantics. The elliptic-curve threshold multi-secret sharing construction is a classical 2^20-threshold model in which any subset of size at least 2^21 reconstructs and fewer than 2^22 learn nothing, but a single share supports multiple secrets 2^23 (Binu et al., 2016). PHF-based shared-key primitives likewise adopt a 2^24 threshold access structure over groups of exactly 2^25 participants, with anonymity analyzed relative to the key used in a symmetric-key operation (Bose et al., 2011). DeTAPS layers two thresholds: a signer threshold 2^26 for signature generation and a notary threshold 2^27 for tracing activation, while keeping both thresholds private to the public (Li et al., 2023). T-OT-MP-PSI replaces unanimity by an over-threshold condition 2^28, where 2^29 is the multiplicity of an element across parties, and reveals holder identities only when that threshold is met (Yang et al., 31 Dec 2025). SP-A(t,n)(t,n)0NN formalizes dynamic SST through the protocol triple

(t,n)(t,n)1

with threshold enforcement inherited from Shamir’s (t,n)(t,n)2-out-of-(t,n)(t,n)3 secret sharing (Guo, 23 Jul 2025).

These formal models indicate that threshold-based searchable sharing ranges from ordinary threshold control to hierarchical, dual-threshold, and multiplicity-threshold policies. This suggests that the access structure is the primary organizing principle, while the search mechanism is the operational layer built on top of it.

3. Secret-sharing and function-sharing substrates

The CRT-based multilevel construction provides a detailed threshold-sharing substrate for searchable or evaluable capabilities. The central device is a refined Asmuth–Bloom condition,

(t,n)(t,n)4

which yields a statistical scheme: with fewer than (t,n)(t,n)5 shares, every possible secret (t,n)(t,n)6 remains nearly equally likely (Ersoy et al., 2016). To support arbitrary thresholds in a multilevel hierarchy, the paper introduces the anchor Asmuth–Bloom sequence

(t,n)(t,n)7

such that

(t,n)(t,n)8

A key lemma states that an anchor sequence satisfies the Asmuth–Bloom condition for every (t,n)(t,n)9, enabling a single global CRT modulus structure to serve all thresholds (Ersoy et al., 2016).

For a secret U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,0, the dealer computes per-level values

U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,1

and participant shares

U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,2

Cross-level usability is achieved through public translation values

U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,3

with per-user hash functions U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,4. Reconstruction uses CRT on effective shares U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,5, then recovers

U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,6

The paper’s security theorem states that, under the random oracle assumption for the hash functions, any unauthorized coalition learns no information about U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,7, and the scheme is statistical with respect to the secret distribution (Ersoy et al., 2016).

The same paper generalizes secret sharing to function sharing. In threshold RSA, the secret is the private exponent U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,8, shared with secret space modulus

U=i=1mLi,LiLj=,\mathcal{U} = \bigcup_{i=1}^m L_i,\quad L_i \cap L_j = \emptyset,9

where L1L_10 and L1L_11 are strong primes. Participants compute partial exponents

L1L_12

and partial signatures

L1L_13

The server combines them multiplicatively and performs a small exponent search to align the result to L1L_14 modulo L1L_15 (Ersoy et al., 2016). The paper explicitly states that the same pattern can be used for “multilevel function sharing,” and its discussion of searchable primitives proposes treating a search secret L1L_16 as the shared secret or as a function parameter in an RSA-like or exponentiation-based construction (Ersoy et al., 2016).

Alternative sharing substrates appear elsewhere. The elliptic-curve and self-pairing TMSS scheme shares a master point

L1L_17

through a degree-L1L_18 polynomial

L1L_19

and derives per-secret masks via

LmL_m0

Because no new shares are needed when new LmL_m1 values are published, the construction is naturally suited to threshold-controlled derivation of multiple indexed secrets (Binu et al., 2016). The PHF/BPHF framework, by contrast, distributes key components combinatorially rather than algebraically, enabling any LmL_m2-subset to reconstruct at least one key while smaller sets reconstruct none; the proportional scheme then improves anonymity by selecting groups with probability proportional to the number of keys they can recover (Bose et al., 2011).

4. Searchable sharing instantiations

A direct searchable-sharing system appears in S3PHER, a patient-centric architecture for sharing and searching health data stored in the cloud. Its principal entities are the Data Owner (patient), the Data User (healthcare practitioner), and a semi-trusted Proxy Server. The Data Owner encrypts documents under symmetric keys, encapsulates those keys using Umbral, and builds a TFHE-encrypted binary keyword-file matrix

LmL_m3

The left-most column LmL_m4 stores encrypted keyword encodings, yielding an encrypted index LmL_m5 (Costa et al., 2024).

For a search query, the practitioner encrypts a bit-vector encoding of LmL_m6 under the patient’s TFHE public key: LmL_m7 The Proxy Server computes homomorphic equality tests

LmL_m8

selects the matching row,

LmL_m9

and then computes the encrypted result vector

Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,0

Only the patient decrypts Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,1, learns the set of matching files, and decides which subset to share by generating a PRE delegation

Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,2

The Proxy Server then re-encrypts the corresponding Umbral capsules (Costa et al., 2024). The paper explicitly states that this system already implements a searchable sharing primitive and that Umbral’s threshold PRE can be used so that re-encryption requires Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,3 cooperating parties. It also proposes threshold HE decryption so that even learning the result set Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,4 requires Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,5 authorities (Costa et al., 2024).

DeTAPS presents a different searchable-sharing pattern. Here the searchable component is KASE, used to “awaken” notaries who are authorized to participate in tracing a threshold signature. A combiner enclave generates an ATS signature, encrypts it under Dynamic Threshold Public-Key Encryption for notary set Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,6, and creates a KASE ciphertext

Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,7

A notary with pseudo-identity Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,8 computes

Ui=k=1iLk,Ui=k=1ink,U_i = \bigcup_{k=1}^i L_k,\quad |U_i| = \sum_{k=1}^i n_k,9

and an adjusted trapdoor

0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.0

which lets the smart contract test whether the notary belongs to the authorized set for that signature. Once 0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.1 notaries provide valid DTPKE decryption shares, the tracer enclave reconstructs the ATS signature and runs tracing (Li et al., 2023). The searchable interface thus controls access to a threshold-shared activation capability rather than to a document corpus.

T-OT-MP-PSI instantiates searchable sharing in a set-theoretic rather than index-centric form. Each leader element 0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.2 is embedded into a Shamir polynomial

0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.3

with shares

0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.4

OPPRF ensures that another party receives the correct share only if it holds the same element; otherwise it receives a pseudorandom field element. After share-update and collection phases, the leader reconstructs from subsets of 0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.5 shares, and once a correct polynomial is found, it identifies holders by testing

0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.6

The output is

0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.7

which directly realizes threshold-gated searchable disclosure with traceability (Yang et al., 31 Dec 2025).

SP-A0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.8NN extends the primitive to collaborative vector retrieval. It defines a collaborative encrypted database

0<t1<t2<<tm,tiUi.0 < t_1 < t_2 < \dots < t_m,\quad t_i \leq |U_i|.9

where vectors and index state are secret-shared across parties. Search and update are carried out over a bitgraph representation of an HNSW-style index, maintaining HNSW compatibility while ensuring that fewer than Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.0 parties learn nothing information-theoretically (Guo, 23 Jul 2025).

5. Security properties, leakage, and anonymity

Security requirements differ across these constructions, but they converge on a small set of recurring concerns: unauthorized reconstruction, leakage through public metadata, leakage through search/index structure, collusion resistance, and in some cases anonymity.

The multilevel CRT paper is notable for first presenting an attack. In the insecure Harn–Fuyou design, public offsets of the form

Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.1

expose linear relations between shares modulo distinct moduli. The paper shows that an unauthorized coalition of two level-2 users in a Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.2 setting can narrow candidates for Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.3 until only one remains, thereby revealing the secret Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.4 (Ersoy et al., 2016). The replacement construction avoids that leakage by hashing the cross-level relation, so that if the adversary does not corrupt Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.5, then Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.6 is unknown and the public Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.7 is indistinguishable from uniform in Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.8 under the random oracle assumption (Ersoy et al., 2016).

S3PHER’s security model treats the Proxy Server as semi-honest, practitioners as potentially malicious, and external attackers as network adversaries. TFHE is used to protect index and query confidentiality, Umbral protects document-key confidentiality, and only the patient can decrypt the result vector Adisj={AU  :  i{1,,m} such that AUiti}.\mathcal{A}_{\text{disj}} = \left\{ A \subseteq \mathcal{U} \;:\; \exists i \in \{1,\dots,m\} \text{ such that } |A \cap U_i| \ge t_i \right\}.9. The paper states that forward/backward privacy is not formally analyzed, because the index is static in the current design, and that a formal end-to-end security model for “threshold searchable PRE+FHE” remains an open research direction (Costa et al., 2024).

DeTAPS formalizes unforgeability, accountability, and privacy via experiment-based definitions. Privacy is defined against the public, signers, combiners, and tracers, and its reductions rely on PKE semantic security, strong EUF-CMA signatures, HVZK NIZKs, KASE IND-CKA security, DTPKE IND‑NAA‑NAC‑CPA security, and commitment hiding/binding (Li et al., 2023). Here the searchable-sharing problem is not secrecy of a stored file but secrecy of the threshold Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.0, signer quorum Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.1, notary threshold Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.2, and notary set Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.3, unless tracing is validly activated.

SP-AAconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.4NN provides the most explicit leakage analysis. Rather than a conventional coin-toss indistinguishability game, it introduces a leakage-guessing proof system based on an interactive “chess game,” together with a privacy triplet that measures three interfaces: data-to-index, index-to-index, and index-to-data leakage (Guo, 23 Jul 2025). For a vector Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.5, the bitgraph-HNSW leakage terms include

Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.6

and

Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.7

This makes structural leakage part of the primitive’s formal specification rather than an informal side note (Guo, 23 Jul 2025).

Anonymity is the dominant criterion in PHF-based shared-key primitives. For the proportional scheme, if Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.8 is the set of groups that can recover key Aconj={AU  :  i{1,,m}, AUiti}.\mathcal{A}_{\text{conj}} = \left\{ A \subseteq \mathcal{U} \;:\; \forall i \in \{1,\dots,m\},\ |A \cap U_i| \ge t_i \right\}.9, then

2^200

and if the underlying PHF is balanced, participant anonymity becomes equitable with

2^201

When 2^202, this yields the optimal participant anonymity 2^203 (Bose et al., 2011). Although this work is about shared symmetric-key operations rather than search specifically, it shows that threshold-based sharing may be required to hide not only data but also which coalition executed the shared operation.

6. Applications, limitations, and design implications

The application spectrum is broad. In multilevel threshold function sharing, the intended use is threshold cryptography, exemplified by RSA signing and decryption, but the paper explicitly argues that the same access-control and key/function-splitting mechanisms can serve multilevel threshold searchable encryption, including cases where a search token is derived from a search secret 2^204 or where search is implemented as a function evaluation over exponentiation-based structures (Ersoy et al., 2016). S3PHER places the primitive in regulated healthcare, with patient-driven consent over encrypted search and sharing (Costa et al., 2024). DeTAPS uses searchable sharing to control the activation of tracing in decentralized threshold signatures (Li et al., 2023). T-OT-MP-PSI targets digital forensics, collaborative threat intelligence, and anti-money-laundering, where only items present in at least 2^205 datasets should be disclosed together with their holders (Yang et al., 31 Dec 2025). SP-A2^206NN targets collaborative RAG, where multiple organizations jointly maintain a privacy-preserving aggregated approximate nearest neighbor index while keeping embeddings locally protected by threshold shares (Guo, 23 Jul 2025).

Several limitations recur. Random oracle assumptions appear in the CRT multilevel scheme (Ersoy et al., 2016). S3PHER notes that thresholding at the PRE layer is cheap and practical, whereas threshold FHE decryption adds overhead and the dominant cost remains TFHE evaluation of the search circuit (Costa et al., 2024). SP-A2^207NN explicitly assumes honest-but-curious parties, fully specifies insertion but not deletion, and provides analytic rather than empirical performance evaluation (Guo, 23 Jul 2025). T-OT-MP-PSI distinguishes between an efficient protocol secure against up to 2^208 colluding semi-honest parties and a security-enhanced protocol secure against up to 2^209, with the latter incurring OLE overhead (Yang et al., 31 Dec 2025). DeTAPS, although decentralized, depends operationally on SGX2 enclaves and a consortium blockchain (Li et al., 2023).

From the collected works, a consistent design pattern emerges. A threshold-based searchable sharing primitive is built by combining: a threshold sharing layer for the secret or capability; a search, retrieval, activation, or evaluation layer; and an auxiliary-data discipline that prevents public metadata from re-linking hidden shares. In the CRT hierarchy, that discipline is the hashed translation value; in S3PHER, it is encrypted search plus consent-gated PRE; in DeTAPS, KASE and DTPKE bind searchable authorization to threshold activation; in T-OT-MP-PSI, OPPRF and Shamir shares turn multiplicity testing into threshold-gated disclosure; and in SP-A2^210NN, the bitgraph and privacy-triplet framework make index leakage explicit while preserving threshold protection of vector data (Ersoy et al., 2016). This suggests that the modern notion of threshold-based searchable sharing is not confined to keyword search: it encompasses any searchable or query-driven capability whose execution, disclosure, or activation must be mediated by a threshold access structure.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Threshold-Based Searchable Sharing Primitive.