Threshold-Based Searchable Sharing Primitive
- The paper introduces a novel cryptographic primitive that combines threshold secret sharing with searchable encryption to enable controlled, coalition-based access.
- It employs multilevel access structures, CRT-based secret sharing, and techniques like proxy re-encryption and homomorphic search to secure function sharing.
- Applications span secure healthcare data sharing and decentralized threshold operations, demonstrating practical performance and leakage mitigation.
Searching arXiv for recent and foundational papers directly relevant to threshold-based searchable sharing primitives, multilevel threshold function sharing, searchable sharing systems, and threshold-protected searchable search. A threshold-based searchable sharing primitive is a cryptographic abstraction in which search capabilities, search keys, or secret function parameters are distributed across multiple parties so that only authorized coalitions can execute search-related operations, while coalitions outside the authorized access structure learn no information about the protected secret or the search result. In the literature represented here, the primitive appears in several closely related forms: multilevel threshold secret and function sharing based on the Chinese Remainder Theorem (CRT), patient-driven searchable sharing with Proxy Re-Encryption (PRE) and fully homomorphic search, searchable activation of threshold tracing via Key-Aggregate Searchable Encryption (KASE), traceable over-threshold multi-party private set intersection, and dynamic threshold-searchable vector retrieval for collaborative approximate nearest neighbor search (Ersoy et al., 2016). Taken together, these works characterize the primitive not as a single fixed syntax, but as a family of constructions that combine threshold access control, searchable or queryable cryptographic state, and controlled reconstruction or evaluation of a secret-dependent function (Costa et al., 2024).
1. Conceptual scope and defining characteristics
The common objective is to distribute a search-relevant secret so that search, retrieval, tracing, or predicate evaluation becomes possible only when a threshold policy is satisfied. In the multilevel CRT-based setting, the secret may be a function parameter such as an RSA private exponent , and function sharing means that authorized coalitions can collaboratively evaluate the function without reconstructing or exposing the global secret (Ersoy et al., 2016). In the patient-centric S3PHER system, the primitive consists of encrypted documents, encrypted searchable indexes, and consent-gated re-encryption for sharing; the system explicitly identifies this combination as a natural foundation for a searchable sharing primitive (Costa et al., 2024). In SP-ANN, the primitive is formalized directly as dynamic searchable sharing threshold, or dynamic SST, whose protocols support setup, search, and update over a collaborative encrypted database represented by secret shares (Guo, 23 Jul 2025).
Across these formulations, three features recur. First, the protected capability is not necessarily disclosure of a secret; it may instead be evaluation of a function, derivation of a token, identification of over-threshold records, or authorized activation of tracing. Second, access is governed by threshold structure, often with richer policy language than a single threshold. Third, public metadata or auxiliary information must not reveal exploitable cross-share relations. The failure mode emphasized in the CRT multilevel work is precisely that linear relations between shares modulo distinct moduli, when published without cryptographic blinding, can leak the entire secret (Ersoy et al., 2016).
A plausible implication is that “searchable sharing” is best understood as a layered construction rather than a monolithic primitive. One layer encodes the access structure and secret distribution; another layer realizes the search or function-evaluation interface; a third layer constrains public information so that the searchable interface does not undermine threshold privacy.
2. Access structures and formal models
The most explicit access-structure treatment appears in the multilevel threshold model of Simmons. The global participant set is partitioned into disjoint compartments or levels,
with the highest level and the lowest. Cumulative sets are defined by
and thresholds satisfy
A higher-level participant can replace members of lower levels, so the access structure is inherently hierarchical (Ersoy et al., 2016).
Two canonical access structures are distinguished. In a disjunctive multilevel threshold scheme, a coalition is authorized if it satisfies at least one level threshold: In a conjunctive multilevel threshold scheme, all level thresholds must hold simultaneously: The paper explicitly notes that this supports policies such as “authorization requires any two VPs and any three tellers” (Ersoy et al., 2016).
Other works instantiate different threshold semantics. The elliptic-curve threshold multi-secret sharing construction is a classical 0-threshold model in which any subset of size at least 1 reconstructs and fewer than 2 learn nothing, but a single share supports multiple secrets 3 (Binu et al., 2016). PHF-based shared-key primitives likewise adopt a 4 threshold access structure over groups of exactly 5 participants, with anonymity analyzed relative to the key used in a symmetric-key operation (Bose et al., 2011). DeTAPS layers two thresholds: a signer threshold 6 for signature generation and a notary threshold 7 for tracing activation, while keeping both thresholds private to the public (Li et al., 2023). T-OT-MP-PSI replaces unanimity by an over-threshold condition 8, where 9 is the multiplicity of an element across parties, and reveals holder identities only when that threshold is met (Yang et al., 31 Dec 2025). SP-A0NN formalizes dynamic SST through the protocol triple
1
with threshold enforcement inherited from Shamir’s 2-out-of-3 secret sharing (Guo, 23 Jul 2025).
These formal models indicate that threshold-based searchable sharing ranges from ordinary threshold control to hierarchical, dual-threshold, and multiplicity-threshold policies. This suggests that the access structure is the primary organizing principle, while the search mechanism is the operational layer built on top of it.
3. Secret-sharing and function-sharing substrates
The CRT-based multilevel construction provides a detailed threshold-sharing substrate for searchable or evaluable capabilities. The central device is a refined Asmuth–Bloom condition,
4
which yields a statistical scheme: with fewer than 5 shares, every possible secret 6 remains nearly equally likely (Ersoy et al., 2016). To support arbitrary thresholds in a multilevel hierarchy, the paper introduces the anchor Asmuth–Bloom sequence
7
such that
8
A key lemma states that an anchor sequence satisfies the Asmuth–Bloom condition for every 9, enabling a single global CRT modulus structure to serve all thresholds (Ersoy et al., 2016).
For a secret 0, the dealer computes per-level values
1
and participant shares
2
Cross-level usability is achieved through public translation values
3
with per-user hash functions 4. Reconstruction uses CRT on effective shares 5, then recovers
6
The paper’s security theorem states that, under the random oracle assumption for the hash functions, any unauthorized coalition learns no information about 7, and the scheme is statistical with respect to the secret distribution (Ersoy et al., 2016).
The same paper generalizes secret sharing to function sharing. In threshold RSA, the secret is the private exponent 8, shared with secret space modulus
9
where 0 and 1 are strong primes. Participants compute partial exponents
2
and partial signatures
3
The server combines them multiplicatively and performs a small exponent search to align the result to 4 modulo 5 (Ersoy et al., 2016). The paper explicitly states that the same pattern can be used for “multilevel function sharing,” and its discussion of searchable primitives proposes treating a search secret 6 as the shared secret or as a function parameter in an RSA-like or exponentiation-based construction (Ersoy et al., 2016).
Alternative sharing substrates appear elsewhere. The elliptic-curve and self-pairing TMSS scheme shares a master point
7
through a degree-8 polynomial
9
and derives per-secret masks via
0
Because no new shares are needed when new 1 values are published, the construction is naturally suited to threshold-controlled derivation of multiple indexed secrets (Binu et al., 2016). The PHF/BPHF framework, by contrast, distributes key components combinatorially rather than algebraically, enabling any 2-subset to reconstruct at least one key while smaller sets reconstruct none; the proportional scheme then improves anonymity by selecting groups with probability proportional to the number of keys they can recover (Bose et al., 2011).
4. Searchable sharing instantiations
A direct searchable-sharing system appears in S3PHER, a patient-centric architecture for sharing and searching health data stored in the cloud. Its principal entities are the Data Owner (patient), the Data User (healthcare practitioner), and a semi-trusted Proxy Server. The Data Owner encrypts documents under symmetric keys, encapsulates those keys using Umbral, and builds a TFHE-encrypted binary keyword-file matrix
3
The left-most column 4 stores encrypted keyword encodings, yielding an encrypted index 5 (Costa et al., 2024).
For a search query, the practitioner encrypts a bit-vector encoding of 6 under the patient’s TFHE public key: 7 The Proxy Server computes homomorphic equality tests
8
selects the matching row,
9
and then computes the encrypted result vector
0
Only the patient decrypts 1, learns the set of matching files, and decides which subset to share by generating a PRE delegation
2
The Proxy Server then re-encrypts the corresponding Umbral capsules (Costa et al., 2024). The paper explicitly states that this system already implements a searchable sharing primitive and that Umbral’s threshold PRE can be used so that re-encryption requires 3 cooperating parties. It also proposes threshold HE decryption so that even learning the result set 4 requires 5 authorities (Costa et al., 2024).
DeTAPS presents a different searchable-sharing pattern. Here the searchable component is KASE, used to “awaken” notaries who are authorized to participate in tracing a threshold signature. A combiner enclave generates an ATS signature, encrypts it under Dynamic Threshold Public-Key Encryption for notary set 6, and creates a KASE ciphertext
7
A notary with pseudo-identity 8 computes
9
and an adjusted trapdoor
0
which lets the smart contract test whether the notary belongs to the authorized set for that signature. Once 1 notaries provide valid DTPKE decryption shares, the tracer enclave reconstructs the ATS signature and runs tracing (Li et al., 2023). The searchable interface thus controls access to a threshold-shared activation capability rather than to a document corpus.
T-OT-MP-PSI instantiates searchable sharing in a set-theoretic rather than index-centric form. Each leader element 2 is embedded into a Shamir polynomial
3
with shares
4
OPPRF ensures that another party receives the correct share only if it holds the same element; otherwise it receives a pseudorandom field element. After share-update and collection phases, the leader reconstructs from subsets of 5 shares, and once a correct polynomial is found, it identifies holders by testing
6
The output is
7
which directly realizes threshold-gated searchable disclosure with traceability (Yang et al., 31 Dec 2025).
SP-A8NN extends the primitive to collaborative vector retrieval. It defines a collaborative encrypted database
9
where vectors and index state are secret-shared across parties. Search and update are carried out over a bitgraph representation of an HNSW-style index, maintaining HNSW compatibility while ensuring that fewer than 0 parties learn nothing information-theoretically (Guo, 23 Jul 2025).
5. Security properties, leakage, and anonymity
Security requirements differ across these constructions, but they converge on a small set of recurring concerns: unauthorized reconstruction, leakage through public metadata, leakage through search/index structure, collusion resistance, and in some cases anonymity.
The multilevel CRT paper is notable for first presenting an attack. In the insecure Harn–Fuyou design, public offsets of the form
1
expose linear relations between shares modulo distinct moduli. The paper shows that an unauthorized coalition of two level-2 users in a 2 setting can narrow candidates for 3 until only one remains, thereby revealing the secret 4 (Ersoy et al., 2016). The replacement construction avoids that leakage by hashing the cross-level relation, so that if the adversary does not corrupt 5, then 6 is unknown and the public 7 is indistinguishable from uniform in 8 under the random oracle assumption (Ersoy et al., 2016).
S3PHER’s security model treats the Proxy Server as semi-honest, practitioners as potentially malicious, and external attackers as network adversaries. TFHE is used to protect index and query confidentiality, Umbral protects document-key confidentiality, and only the patient can decrypt the result vector 9. The paper states that forward/backward privacy is not formally analyzed, because the index is static in the current design, and that a formal end-to-end security model for “threshold searchable PRE+FHE” remains an open research direction (Costa et al., 2024).
DeTAPS formalizes unforgeability, accountability, and privacy via experiment-based definitions. Privacy is defined against the public, signers, combiners, and tracers, and its reductions rely on PKE semantic security, strong EUF-CMA signatures, HVZK NIZKs, KASE IND-CKA security, DTPKE IND‑NAA‑NAC‑CPA security, and commitment hiding/binding (Li et al., 2023). Here the searchable-sharing problem is not secrecy of a stored file but secrecy of the threshold 0, signer quorum 1, notary threshold 2, and notary set 3, unless tracing is validly activated.
SP-A4NN provides the most explicit leakage analysis. Rather than a conventional coin-toss indistinguishability game, it introduces a leakage-guessing proof system based on an interactive “chess game,” together with a privacy triplet that measures three interfaces: data-to-index, index-to-index, and index-to-data leakage (Guo, 23 Jul 2025). For a vector 5, the bitgraph-HNSW leakage terms include
6
and
7
This makes structural leakage part of the primitive’s formal specification rather than an informal side note (Guo, 23 Jul 2025).
Anonymity is the dominant criterion in PHF-based shared-key primitives. For the proportional scheme, if 8 is the set of groups that can recover key 9, then
00
and if the underlying PHF is balanced, participant anonymity becomes equitable with
01
When 02, this yields the optimal participant anonymity 03 (Bose et al., 2011). Although this work is about shared symmetric-key operations rather than search specifically, it shows that threshold-based sharing may be required to hide not only data but also which coalition executed the shared operation.
6. Applications, limitations, and design implications
The application spectrum is broad. In multilevel threshold function sharing, the intended use is threshold cryptography, exemplified by RSA signing and decryption, but the paper explicitly argues that the same access-control and key/function-splitting mechanisms can serve multilevel threshold searchable encryption, including cases where a search token is derived from a search secret 04 or where search is implemented as a function evaluation over exponentiation-based structures (Ersoy et al., 2016). S3PHER places the primitive in regulated healthcare, with patient-driven consent over encrypted search and sharing (Costa et al., 2024). DeTAPS uses searchable sharing to control the activation of tracing in decentralized threshold signatures (Li et al., 2023). T-OT-MP-PSI targets digital forensics, collaborative threat intelligence, and anti-money-laundering, where only items present in at least 05 datasets should be disclosed together with their holders (Yang et al., 31 Dec 2025). SP-A06NN targets collaborative RAG, where multiple organizations jointly maintain a privacy-preserving aggregated approximate nearest neighbor index while keeping embeddings locally protected by threshold shares (Guo, 23 Jul 2025).
Several limitations recur. Random oracle assumptions appear in the CRT multilevel scheme (Ersoy et al., 2016). S3PHER notes that thresholding at the PRE layer is cheap and practical, whereas threshold FHE decryption adds overhead and the dominant cost remains TFHE evaluation of the search circuit (Costa et al., 2024). SP-A07NN explicitly assumes honest-but-curious parties, fully specifies insertion but not deletion, and provides analytic rather than empirical performance evaluation (Guo, 23 Jul 2025). T-OT-MP-PSI distinguishes between an efficient protocol secure against up to 08 colluding semi-honest parties and a security-enhanced protocol secure against up to 09, with the latter incurring OLE overhead (Yang et al., 31 Dec 2025). DeTAPS, although decentralized, depends operationally on SGX2 enclaves and a consortium blockchain (Li et al., 2023).
From the collected works, a consistent design pattern emerges. A threshold-based searchable sharing primitive is built by combining: a threshold sharing layer for the secret or capability; a search, retrieval, activation, or evaluation layer; and an auxiliary-data discipline that prevents public metadata from re-linking hidden shares. In the CRT hierarchy, that discipline is the hashed translation value; in S3PHER, it is encrypted search plus consent-gated PRE; in DeTAPS, KASE and DTPKE bind searchable authorization to threshold activation; in T-OT-MP-PSI, OPPRF and Shamir shares turn multiplicity testing into threshold-gated disclosure; and in SP-A10NN, the bitgraph and privacy-triplet framework make index leakage explicit while preserving threshold protection of vector data (Ersoy et al., 2016). This suggests that the modern notion of threshold-based searchable sharing is not confined to keyword search: it encompasses any searchable or query-driven capability whose execution, disclosure, or activation must be mediated by a threshold access structure.