Papers

Topics

Authors

Recent

View all

Assistant

AI Research Assistant

Well-researched responses based on relevant abstracts and paper content.

Custom Instructions Pro

Preferences or requirements that you'd like Emergent Mind to consider when generating responses.

Gemini 2.5 Flash

Gemini 2.5 Flash 73 tok/s

Gemini 2.5 Pro 40 tok/s Pro

GPT-5 Medium 32 tok/s Pro

GPT-5 High 28 tok/s Pro

GPT-4o 75 tok/s Pro

Kimi K2 184 tok/s Pro

GPT OSS 120B 466 tok/s Pro

Claude Sonnet 4.5 35 tok/s Pro

2000 character limit reached

Threshold Homomorphic Encryption

Updated 23 September 2025

Threshold homomorphic encryption is a cryptographic technique that enables computations on encrypted data while requiring a minimum number of parties for decryption.
It integrates secret sharing with homomorphic evaluation, allowing distributed decryption that is resistant to collusions and enhanced by error-correction mechanisms.
Applications include federated learning, secure multiparty computation, and biometric authentication, which benefit from its robust privacy and fault-tolerance features.

Threshold homomorphic encryption enables computations on encrypted data with decryption distributed among multiple parties so that only a specified subset (“threshold”) of participants can reconstruct the plaintext or computed result. This approach provides robustness, collusion resistance, and broader conditional access in privacy-sensitive applications ranging from federated learning to secure multiparty computation.

1. Foundational Principles

Threshold homomorphic encryption generalizes conventional homomorphic encryption (HE), introducing distributed decryption via secret sharing techniques to achieve threshold access semantics. The core requirements are:

Homomorphism: Arithmetic or logical operations performed on ciphertexts yield ciphertexts that decrypt to the result of those operations on the underlying plaintexts.
Threshold Decryption: A secret key is split among $N$ parties such that any $T$ (the threshold, $1 < T \leq N$ ) can combine their shares to decrypt, but fewer than $T$ learn no information.
Security: Even coalitions of up to $T-1$ parties are unable to recover the plaintext or secret key information.

In classical threshold HE schemes, the secret-sharing mechanism is tightly integrated with the underlying cryptosystem. Early examples based on partially homomorphic encryption (PHE)—such as threshold variants of Goldwasser-Micali—were later extended to FHE constructions over lattices and codes, often using Shamir secret sharing, replicated secret sharing, or custom “approximate secret sharing” primitives (Chang et al., 20 Jan 2025, Karabat et al., 2014).

Quantum threshold homomorphic encryption adapts these principles by distributing quantum decryption keys, often via quantum state sharing and suitably masked operators, e.g., $(k,n)$ -threshold protocols for quantum gates (Zhang et al., 26 Feb 2025, Yu et al., 2014).

2. Scheme Construction and Key Distribution

Threshold HE schemes differ by their key generation, encryption, evaluation, and decryption procedures:

Key Generation: A trusted dealer or distributed key generation protocol splits the secret key among $N$ parties. Classical schemes typically use distributed polynomial-based sharing (e.g., Shamir), while quantum protocols encode decryption parameters as quantum states distributed among evaluators.
Encryption: A sender uses the public key—usually derived from the shares or their aggregation—to encrypt data. In code-based constructions, the encryption encodes messages as affine shifts with noise applied to specific coordinates (Bogdanov et al., 2011). In multi-recipient settings, per-party keys allow for dynamic threshold configurations (Roman'kov, 2022).
Evaluation: Homomorphic operations—additions, multiplications, boolean circuits—are performed directly on ciphertexts, often via pointwise vector operations (in code-based schemes), modular arithmetic, or circuit transformations (in quantum schemes).
Decryption: Parties holding key shares generate partial decryptions, which are combined (sometimes interactively) to recover the result. When noise is present (as in lattice/coding/FHE), small decryption error is tolerated if it does not exceed the scheme’s correctness threshold; advanced schemes employ error correcting/boosting steps (Bogdanov et al., 2011).

Key management protocols must ensure that key shares remain reusable, support dynamic user addition/removal (see hidden-multiplier schemes (Roman'kov, 2022)), and provide resistance to collusion, as well as efficient recovery when parties drop out or fail (Chang et al., 20 Jan 2025, Tian et al., 2021).

3. Correctness, Error Handling, and Performance Analysis

Correctness in threshold HE requires that, for any allowed coalition of $T$ or more parties, decryption succeeds (up to correctness thresholds determined by noise bounds, if applicable), and for fewer than $T$ , decryption fails or reveals no information.

Error Correction/Boosting: Some code-based FHE systems support arbitrary noise magnitude as long as its Hamming weight remains bounded and coordinates are independent (Bogdanov et al., 2011). In these constructions, boosting mechanisms (expander graphs and approximate majority circuits) are used for error reduction, enabling reliable multi-party decryption over noisy ciphertexts.
Approximate Secret Sharing: For large-scale, arbitrary-threshold FHE (AThFHE), approximate recovery via the ApproxSS primitive allows parties to recover the ciphertext with controllable bounded noise, reducing the computation and communication complexity from $\mathcal{O}(N^2K)$ to $\mathcal{O}(N^2+K)$ and $\mathcal{O}(NK)$ to $\mathcal{O}(N+K)$ , respectively, where $N$ is the number of parties and $K$ the data size (Chang et al., 20 Jan 2025).
Bootstrapping and Reencryption: After homomorphic operations, ciphertexts may leave the normal encryption domain (especially after multiplication on noisy or coded data). Bootstrapping refreshes these via homomorphic evaluation of the decryption circuit, sometimes requiring additional auxiliary encrypted key material (Bogdanov et al., 2011).
Performance: Practical threshold HE systems (e.g., THRIVE (Karabat et al., 2014)) report connection times in the hundreds of milliseconds for biohash vectors of several hundred bits, with computational and communication overhead scaling with share size and threshold. Empirical evaluations of ATASSES show speedups of $3.83\times$ to $15.4\times$ relative to baseline schemes with $N=1000$ (Chang et al., 20 Jan 2025).

4. Protocols for Collaborative and Distributed Evaluation

Threshold HE is central to privacy-preserving protocols in collaborative learning, database aggregation, and authentication:

Federated Learning: DTAHE protocols with fault-tolerance (Bonawitz-type frameworks) allow linear aggregation of encrypted gradients/model parameters without exposing individual data, even supporting arbitrary weighted linear operations vital for convolution and fully connected layers (Tian et al., 2021).
Secure Multiparty Computation: By enabling joint evaluation over encrypted data with distributed decryption, threshold HE is a foundational primitive for secure sum, majority, and comparison operations, with applications in distributed control and financial analytics (Roman'kov, 2022, Aloufi et al., 2019).
Biometric Authentication: The THRIVE system applies (2,2)-threshold XOR-homomorphic Goldwasser-Micali encryption to biometric templates, preventing both client and server from unilaterally compromising user privacy (Karabat et al., 2014).

In quantum threshold HE, $k$ out of $n$ servers collaborate to evaluate universal gate sets (Clifford plus $T$ ) on encrypted quantum states, while only the client can recover the evaluated plaintext (Zhang et al., 26 Feb 2025). Channel integrity is maintained via check states and security confirmed by density matrix mixing arguments.

5. Security Guarantees, Limitations, and Tradeoffs

Security proofs for threshold HE schemes rely on hardness assumptions tailored to the underlying cryptosystem:

Computational Security: Lattice-based and code-based schemes invoke RLWE/LWE or decoding-hardness, with semantic security and simulation security formally demonstrated (Tian et al., 2021, Chang et al., 20 Jan 2025).
Information Theoretic Security Limits: For quantum threshold FHE, any scheme with perfect information theoretic security and deterministic evaluation incurs exponential overhead in encoding size, scaling with the number of permissible circuits. Key theorems show that the dimension of the encrypted Hilbert space must scale as $\log_2|S|$ , where $|S|$ is the number of reversible circuits, making full quantum threshold FHE impractical for large $n$ (Yu et al., 2014).
Collusion Resistance: Proper share construction and booster/error correction mechanisms (via expander wiring or noncommutative mappings) ensure that coalitions of fewer than $T$ cannot recover the plaintext or key material.

Tradeoffs must be considered regarding error-correcting mechanisms, efficiency (complexity reductions via encrypted shares (Chang et al., 20 Jan 2025)), and the flexibility of threshold selection (dynamic thresholds (Roman'kov, 2022)). Quantum schemes offer additional avenues for security via randomized rotations, Pauli maskings, and maximally mixed density matrices (Zhang et al., 26 Feb 2025).

6. Applications, Implementation Challenges, and Future Directions

Threshold homomorphic encryption is currently applied in privacy-preserving federated learning, biometric authentication, secure database queries, quantum delegated computation, and distributed digital signatures. Implementation challenges include:

Scalability: Efficient aggregation and partial decryption protocols must support high $N$ and large $K$ ; encrypted share and approximate recovery primitives (e.g., ATASSES) are now available (Chang et al., 20 Jan 2025).
Usability: Modular open-source implementations for FHE (HElib, TFHE, SEAL, OpenFHE) are increasingly incorporating threshold primitives (Jain et al., 2023), especially as performance optimizations (e.g., neural-network polynomial approximations minimizing multiplicative depth (Chiang, 24 May 2024)) allow deployment in constrained edge environments (Matsumoto et al., 4 Mar 2025).
Dynamic Membership: Schemes based on hidden multipliers or adaptive key assignment can manage joining/leaving parties without reinitialization (Roman'kov, 2022).
Quantum Extensions: Ongoing research explores hybrid quantum–classical protocols and distributed quantum state sharing for robust, threshold-secure computation (Zhang et al., 26 Feb 2025, Yu et al., 2014).

Open directions include improving efficiency for arbitrary-threshold schemes, developing booster/correction techniques for high-noise environments, providing enhanced security proofs for quantum threshold HE, and refining integration with modern multiparty computation frameworks.

Threshold homomorphic encryption represents a general and powerful cryptographic primitive for securely distributing computational authority, enabling privacy-preserving collaborative and delegated computation across classical and quantum domains. Recent advances in coding-based, lattice-based, and quantum circuit-based schemes offer efficiency and flexibility improvements, with explicit constructions, security proofs, and empirical evaluations demonstrating practical viability (Bogdanov et al., 2011, Roman'kov, 2022, Tian et al., 2021, Chang et al., 20 Jan 2025, Zhang et al., 26 Feb 2025, Karabat et al., 2014, Jain et al., 2023).