Threshold MPC: Secure Multi-Party Computation

Updated 4 December 2025

Threshold Multi-Party Computation is a protocol that enables distributed parties to jointly compute functions on private inputs while tolerating up to t malicious participants.
It leverages secret sharing, quorum formation, and coded computation to achieve scalability, robust network resilience, and efficient load balancing.
Threshold MPC supports both classical and quantum settings, providing strong privacy, optimal communication trade-offs, and adaptive committees for enhanced security.

Threshold Multi-Party Computation (MPC) enables a set of $n$ distributed, mutually distrustful parties to jointly evaluate a function $f(x_1, \ldots, x_n)$ of their private inputs while protecting correctness and privacy even in the presence of up to $t$ actively malicious participants. The “threshold” property stipulates that any coalition of up to $t$ corrupted parties learns nothing beyond the output and cannot disrupt correctness for honest majorities. Protocols realizing this paradigm are foundational in distributed cryptography, encompassing unconditional (information-theoretic) and computational (cryptographic) security, with both classical and quantum realizations, comprehensive adversary models, and a diversity of architectures and cost regimes.

1. Adversarial Thresholds and Security Models

Threshold MPC protocols are parameterized by the resilience threshold $t$ and the nature of adversarial control. In standard synchronous models with broadcast, perfect security is achievable if and only if $t < n/3$ for active (Byzantine) adversaries; for asynchronous networks, the resilience drops to $t < n/4$ for perfect security (Appan et al., 2022). Modern scalable protocols achieve these thresholds with tight complexity bounds, even in the presence of a static adversary controlling a $t$ -subset of parties a priori (Dani et al., 2012, Dani et al., 2013):

In synchronous communication, $t < \frac{1}{3} n$ is tolerable.
In fully asynchronous protocols, scalable MPC is realizable for $t < \frac{1}{4} n$ (Dani et al., 2013).
For protocols with abort (where output delivery is not guaranteed for corrupt majorities), the threshold can be as high as $t < n$ , making MPC with abort (a.k.a. “selective abort”) feasible for any $n-t \ge 1$ honest parties (Bartusek et al., 11 Jun 2024).
In quantum settings, $(t, n)$ -threshold MPC offers secrecy against any subset of $t-1$ quantum-passive (or active) adversaries and reconstructibility by any $t$ -subset (Sutradhar, 17 Jan 2025).

The universal composability (UC) framework and strong forms of perfect or statistical privacy are realized by simulating ideal-world functionality for all protocol components, including VSS, secret sharing, and critical subroutines like threshold counting (Dani et al., 2012).

2. Core Protocol Techniques: Quorum-Based and Coded Architectures

Efficient threshold MPC protocols employ compositional, distributed architectures to achieve scalability and resilience:

Quorum Formation: A set of $n$ disjoint quorums $Q_1, \ldots, Q_n$ of polylogarithmic size ( $N=\Theta(\log n)$ ) is formed so that each quorum contains an honest majority, even under adversarial choices. Layered “semi-random string” agreements and bipartite expander constructions ensure balanced partitioning while keeping the fraction of corrupt players per quorum below the critical threshold (Dani et al., 2013, Dani et al., 2012).
Secret Sharing and Masking: Inputs are additively masked ( $\hat{x}_i = x_i + r_i$ ), and masks $r_i$ are VSS-shared or committed via robust protocols, preventing input privacy breaches and equivocation.
Gate Assignment and Local MPC: Each gate in the evaluated arithmetic circuit is assigned to a unique quorum. Gate-by-gate evaluation proceeds with local MPC among the associated input and output quorums using short, load-balanced “heavy-weight” protocols, ensuring per-gate complexity that scales only polylogarithmically in $n$ (Dani et al., 2013).
Coded MPC and Polynomial Sharing: For large-scale data (e.g., massive matrices), information-theoretic security and threshold robustness are achieved via (b, t, k)-polynomial sharing of inputs and coded computation, with operations such as addition, multiplication, and transposition performed directly on shares (Nodehi et al., 2019, Najarkolaei et al., 2020). This reduces required worker counts (recovery threshold $N$ ) to $O(t + m)$ , where $m$ is the number of blocks per matrix, an improvement over naive BGW partitioning which requires $O(t m)$ .

The following table summarizes core methodologies:

Method	Security Threshold	Core Primitive
Quorum (Shamir + VSS)	$t < n/3$ (sync); $< n/4$ (async)	Masked input + quorum VSS/MPC
Polynomial/Coded	$t$ -private ( $< N/3$ adversaries)	Polynomial sharing/coded ops
Quantum Threshold	$t$ -private $(t < n)$	QFT + Shamir sharing

3. Threshold Counting: Scalability and Load Balancing

A critical subroutine in scalable threshold MPC is distributed threshold counting: robustly signaling when a certain number of parties (at least $\tau = n-t$ ) have committed to a step, despite asynchrony and adversarial interference. Asynchronous protocols solve this via a carefully designed “count tree,” wherein:

Each participant sends a notification (“FLAG”) to a random collection node at the bottom level.
Internal nodes aggregate, forward, or upward-propagate these counts when thresholds are reached.
The root triggers a notification back to all parties once the global threshold is satisfied (Dani et al., 2013, Dani et al., 2012).

These constructions balance local load ( $O(\log n)$ messages per node w.h.p.) and guarantee $O(\log n)$ latency, providing a scalable and attack-resistant threshold detection mechanism.

4. Complexity Bounds, Communication, and Locality Trade-offs

Advanced threshold MPC achieves near-optimal per-party effort and global communication:

Per-Party Complexity: $\tilde{O}(m/n + \sqrt{n})$ field operations and communication per party for an $m$ -gate function, a dramatic improvement over classical $\Omega(nm)$ protocols (Dani et al., 2013, Dani et al., 2012).
Quorum and Gate Load-Balancing: Each quorum participates in $O(m/n)$ gates; Chernoff-style arguments guarantee balanced assignments (Dani et al., 2012).
Communication and Locality: MPC with abort (where output delivery may fail for corrupt majorities) admits tight lower and upper bounds:
- Minimum total communication is $\Omega(n^2/h)$ , where $h = n-t$ is the number of honest parties (Bartusek et al., 11 Jun 2024).
- Protocol families interpolate between “all-to-all” ( $O(n^2/h)$ bits, maximal locality), sparse-gossip ( $O(n^3/h)$ bits, minimal locality $O(n/h)$ ), and committee-based tradeoffs ( $O(n^3/h^{3/2})$ bits) (Bartusek et al., 11 Jun 2024).
Coded MPC for Matrix Functions: Worker count for perfect security shrinks to $N = 3t + 2m - 1$ or $N = \min \{2k^2 + 2t - 3, k^2 + kt + t - 2\}$ , compared to $O(tm)$ for BGW, and does not grow with the polynomial degree (Nodehi et al., 2019, Najarkolaei et al., 2020).

5. Protocols with Best-of-Both-Worlds Guarantees

Hybrid protocols deliver optimal resilience and security even when the network type (synchronous/asynchronous) is unknown:

Best-of-Both-Worlds: A single MPC protocol achieves perfect security— $t_s < n/3$ in synchrony, $t_a < n/4$ in asynchrony—if $3 t_s + t_a < n$ (Appan et al., 2022). This relies on composite Byzantine agreement and VSS primitives that fall back from synchronous to asynchronous operation as required.
Adaptive Committees: Committee-based compilers upgrade fair (abort-resilient) MPC protocols to full, guaranteed-output security using random committee election and recursive elimination of corrupted committee members. For constant adversarial fractions, this reduces the number of iterations from linear in $n$ to $O(\log n)$ (or even $O(1)$ ) in the security parameter (Cohen et al., 2021).

6. Quantum Threshold MPC

Threshold quantum MPC protocols extend classical security notions into the quantum domain:

(t, n)-Threshold Quantum Secure Summation: Combines classical Shamir secret sharing (for $t$ -threshold secrecy and reconstruction) with quantum primitives: QFT, Pauli shifts, and distributed entanglement (Sutradhar, 17 Jan 2025). Only $t$ honest players are needed for quantum aggregation and reconstruction—a significant reduction in quantum resource demand compared to $(n, n)$ -threshold schemes.
Security: Protocols remain unconditionally secret against up to $t-1$ quantum or classical adversaries, benefiting from quantum phase randomization and the classical secrecy guarantees of Shamir sharing. This approach is shown to be economical and more resilient to faults in the reconstruction phase than prior quantum protocols.

7. Comparison with Classical and Prior Methods

Threshold MPC protocols, as surveyed in seminal protocols and modern scalable variants, uniformly improve on classical constructions in three central respects:

Resilience and Scalability: By leveraging quorums, coded computation, and decentralized counting, large $n$ can be handled efficiently, with per-party costs sublinear or polylogarithmic in $n$ (Dani et al., 2013, Dani et al., 2012).
Robustness to Network and Adversarial Models: Best-of-both-worlds protocols guarantee correct operation under the strongest feasible adversarial and network assumptions, and selective abort models provide security “up to any $t$ ” when guaranteed output delivery is impossible (Bartusek et al., 11 Jun 2024, Appan et al., 2022).
Communication and Computation Efficiency: Achieving amortized costs of $\tilde{O}(m/n + \sqrt{n})$ and minimal worker-to-output ratios for massive data evaluation, threshold MPC continues to drive practical applications in privacy-preserving distributed computation (Nodehi et al., 2019, Najarkolaei et al., 2020).

In summary, the threshold MPC paradigm encompasses an evolving family of protocols delivering robust, efficient, and scalable secure computation under sharp adversary bounds, with both classical and quantum realizations, and a richly developed suite of supporting primitives and architectonics.