Multiparty Homomorphic Encryption (MPHE)
- MPHE is a cryptographic framework that splits decryption keys among parties to allow secure, distributed computation without exposing individual inputs.
- It employs techniques like threshold key generation, homomorphic evaluation, and verifiable decryption to support complex operations in cloud and federated settings.
- MPHE protocols balance security and efficiency using methods such as Shamir sharing, proxy re-encryption, and vectorized packing to scale multiparty operations.
Multiparty Homomorphic Encryption (MPHE) enables distributed parties to jointly compute on confidential data using homomorphic encryption, such that neither individual inputs nor intermediate values are disclosed except the final (possibly aggregate) output, and no single party possesses the full decryption key. MPHE addresses secure computation in distributed, federated, and cloud environments, supporting additive, multiplicative, and full circuit evaluation under cryptographic hardness assumptions such as RLWE, LPN, or bilinear-group DDH. Schemes differ in their homomorphic capacity (additive-only, somewhat, leveled, or fully homomorphic), key management (threshold secret sharing, collective key generation, proxy re-encryption), decryption thresholds, and support for dynamic participation or circuit verifiability.
1. Formal Cryptographic Models and Primitives
MPHE designs generalize standard homomorphic encryption by splitting the secret key among parties and often defining a collective public key for evaluation. Let denote parties, their individual keypairs, and the collective public key: as instantiated in CKKS/BFV-based MPHE protocols (Chen et al., 2024, Veeraragavan et al., 2024, Xu et al., 2022).
The multiparty setup guarantees that:
- Encryption/evaluation: All parties can encrypt to and evaluate circuits under (or a multi-key generalization), supporting CKKS (approximate arithmetic), BFV (modular arithmetic), or custom post-quantum primitives (Bitzer et al., 19 Jan 2026).
- Threshold decryption: Decryption of a ciphertext requires contributions from parties; with additive or Shamir secret sharing (e.g., BFV/CKKS or LPN-based MPHE) (Hosseini et al., 1 Mar 2025, Veeraragavan et al., 2024, Chen et al., 2024).
- Security: The view of any strict subset of shares reveals nothing about plaintexts (standard for RLWE/LPN-based settings, supported by formal simulation-based proofs) (Chen et al., 2024, Bitzer et al., 19 Jan 2026).
Verifiable MPHE adds homomorphic authenticators (replication-encoding, PRF/CRHF-based) to ensure correctness and detect malicious servers (Fernàndez-València, 2023).
2. Protocol Workflows and Key Algorithms
MPHE schemes typically involve the following phases:
A. Setup/Key Generation
- Each party computes their local secret and public .
- The collective public key is computed and distributed to all (or to the computation server).
- (Threshold) shares of the decryption key are created, often using Shamir or additive sharing (Hosseini et al., 1 Mar 2025, Veeraragavan et al., 2024, Chen et al., 2024).
- In some settings, proxy re-encryption keys or gadget-based structures are established (Zheng et al., 2012, Fernàndez-València, 2023).
B. Encryption/Encoding
- Each party encodes and encrypts their data using a vector packing scheme (e.g., V-Pack for vertically-partitioned data) to align with SIMD slots (Chen et al., 2024), or using code/polar-based encodings in LPN-based constructs (Bitzer et al., 19 Jan 2026).
C. Homomorphic Computation
- The (untrusted) server receives ciphertexts and evaluates circuits using supported gates (add, multiply, rotate). Full circuit evaluation (FHE) is achievable in recent RLWE-based and multikey FHE instantiations; constrained realizations (e.g., LPN, HTPRE) offer only additive or leveled homomorphism (Bitzer et al., 19 Jan 2026, Zheng et al., 2012).
D. Threshold Decryption
- Each party contributes a partial decryption share; a coordinator or designated party combines at least shares to recover the result. Protocols may support key-switching to a user-held key for output protection (Chen et al., 2024, Veeraragavan et al., 2024).
| Protocol Component | Example Instantiation | Reference |
|---|---|---|
| Key Share Distribution | Additive, Shamir-(n,k) | (Hosseini et al., 1 Mar 2025, Veeraragavan et al., 2024) |
| Packing/Encoding | V-Pack, Alternating SIMDs, Code-based | (Chen et al., 2024, Bitzer et al., 19 Jan 2026) |
| Threshold Decryption | Partial shares, Lagrange recombination | (Veeraragavan et al., 2024, Hosseini et al., 1 Mar 2025) |
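The four phases above, run end to end as an added example (not code from the cited papers): a toy BFV-style RLWE scheme with additive n-of-n key sharing. The parameters `N`, `Q`, `T`, the noise bounds and every function name are assumptions chosen for readability and give no security.

```python
import random
from functools import reduce

N, Q, T = 16, 1 << 24, 1 << 8    # toy ring degree, ciphertext modulus, plaintext modulus (NOT secure)
DELTA = Q // T                   # plaintext scaling factor
rng = random.Random(2024)        # fixed seed: constructed, reproducible run

def small(bound=1):
    return [rng.randint(-bound, bound) for _ in range(N)]

def add(x, y):
    return [(a + b) % Q for a, b in zip(x, y)]

def mul(x, y):
    """Negacyclic product in Z_Q[X]/(X^N + 1)."""
    out = [0] * N
    for i, a in enumerate(x):
        for j, b in enumerate(y):
            sign = -1 if i + j >= N else 1      # X^N = -1
            out[(i + j) % N] = (out[(i + j) % N] + sign * a * b) % Q
    return out

def keygen_share(a):
    """Phase A: party i keeps s_i and publishes p_i = -a*s_i + e_i."""
    s = small()
    return s, add([-v for v in mul(a, s)], small())

def encrypt(cpk, a, m):
    """Phase B: encrypt slot vector m under the collective key (cpk, a)."""
    u = small()
    return add(add(mul(cpk, u), small()), [DELTA * v for v in m]), add(mul(a, u), small())

def partial_decrypt(ct, s, smudge=256):
    """Phase D: share h_i = c1*s_i plus fresh noise that hides s_i."""
    return add(mul(ct[1], s), small(smudge))

def combine(ct, shares):
    """Phase D: c0 + sum(h_i) = DELTA*m + noise; round to recover m."""
    return [((v + DELTA // 2) // DELTA) % T for v in reduce(add, shares, ct[0])]

def run(inputs):
    a = [rng.randrange(Q) for _ in range(N)]         # common reference polynomial
    keys = [keygen_share(a) for _ in inputs]
    cpk = reduce(add, (p for _, p in keys))           # collective public key = sum of p_i
    cts = [encrypt(cpk, a, m) for m in inputs]
    agg = reduce(lambda x, y: (add(x[0], y[0]), add(x[1], y[1])), cts)  # Phase C: server-side sum
    shares = [partial_decrypt(agg, s) for s, _ in keys]
    return combine(agg, shares), combine(agg, shares[:-1])  # all shares vs. one missing
```

`run` returns the slot-wise sum of the inputs when every party contributes a share, and an unrelated vector when one share is withheld.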
3. Instantiations and Cryptographic Foundations
- Ring-LWE-based MPHE: CKKS and BFV support arbitrary-depth or leveled arithmetic, with key aggregation and additive/shared secret splitting. Wide adoption in federated learning, decentralized SGD, and privacy-preserving inference (Xu et al., 2022, Hosseini et al., 1 Mar 2025, Chen et al., 2024).
- Code/LPN-based MPHE: Schemes use a message-additive, key-additive homomorphic structure secure under the LPN assumption, with high-rate polar codes for error resilience and a committee-based threshold decryption (Bitzer et al., 19 Jan 2026).
- Proxy re-encryption HTPRE: Bilinear group setting with proxy re-encryption permits client-key encrypted data to be re-encrypted for collective computation and subsequently threshold-decrypted (Zheng et al., 2012).
- Verifiable/Authenticated MPHE: Augments BFV/CKKS multiparty FHE with replication encoding, PRF/CRHF labels, permitting homomorphic authentication and public verifiability (Fernàndez-València, 2023).
- Multi-key Homomorphic Encryption: CKKS/BFV generalization supports evaluation across multiple public keys, but basic protocols (CDKS) are susceptible to plaintext leakage unless enhanced with masking as in SMHE (Wu et al., 25 Jun 2025).
| Construction Class | Security Foundation | Native Arithmetics |
|---|---|---|
| BFV/CKKS | RLWE, polynomial modulus | Integer, float (approx.) |
| LPN/Code-based | Hamming-LPN, Hint-LPN | Mod-, integer |
| HTPRE | DDH, Shamir sharing, pairings | Group exponentials |
4. Security Models and Formal Guarantees
- Semantic security: All schemes invoke the underlying primitive’s IND-CPA security (RLWE, LPN, DCRA, DDH, as applicable).
- Threshold/Resilience: Up to shares (or colluding clients) reveal no information. Some schemes support any--of- decryption and accommodate dynamic participation (late join/join/leave) via Lagrange interpolation (Hosseini et al., 1 Mar 2025).
- Simulation-based proofs: Security in the semi-honest (honest-but-curious) model is established via hybrids relying on the indistinguishability of the underlying homomorphic ciphertexts and secret shares (Chen et al., 2024, Bitzer et al., 19 Jan 2026, Veeraragavan et al., 2024).
- Leakage/Robustness: SMHE blocks partial-decryption plaintext leakage, a known vulnerability in CDKS multi-key HE (Wu et al., 25 Jun 2025).
A typical formal claim (Theorem 1 from (Chen et al., 2024)): for any two plaintexts and any coalition of up to clients, their aggregated view of all protocol messages is indistinguishable between encryptions of and under the collective public key, given RLWE hardness.
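The threshold and dynamic-participation property listed above, as an added example that is not taken from any cited scheme: Shamir-shared exponential ElGamal over a toy prime-order group stands in for a DDH-style construction (no pairings, no proxy re-encryption), and decryption is recombined in the exponent from whichever parties respond. The group constants, `max_sum` and all function names are assumptions.

```python
import random

P, Q, G = 2039, 1019, 4      # toy safe-prime group: P = 2Q + 1, G has prime order Q (NOT secure)
rng = random.Random(7)       # fixed seed: constructed, reproducible run

def deal(n, k):
    """Shamir-share a fresh secret key s among parties 1..n with threshold k."""
    coeffs = [rng.randrange(Q) for _ in range(k - 1)] + [rng.randrange(1, Q)]  # degree exactly k-1
    shares = {i: sum(c * pow(i, e, Q) for e, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}
    return coeffs[0], pow(G, coeffs[0], P), shares        # (s, public key h = G^s, shares)

def encrypt(h, m):
    """Exponential ElGamal: (G^r, G^m * h^r); multiplying ciphertexts adds plaintexts."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P

def aggregate(cts):
    c1 = c2 = 1
    for a, b in cts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def partial(ct, share):
    """A party's decryption share c1^{s_i}; s_i itself is never sent."""
    return pow(ct[0], share, P)

def lagrange_at_zero(i, ids):
    """lambda_i = prod_{j != i} j / (j - i) mod Q over the responding parties."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def combine(ct, partials, max_sum=200):
    """Rebuild c1^s in the exponent from the responders, then solve the small dlog."""
    mask = 1
    for i, d in partials.items():
        mask = mask * pow(d, lagrange_at_zero(i, partials), P) % P
    target = ct[1] * pow(mask, -1, P) % P
    return next((m for m in range(max_sum + 1) if pow(G, m, P) == target), None)

def demo(responders=(2, 4, 5)):
    """5 parties, threshold 3; parties 1 and 3 dropped out before decryption."""
    _, h, shares = deal(5, 3)
    agg = aggregate([encrypt(h, m) for m in (12, 30, 7, 51)])   # constructed inputs, sum = 100
    return combine(agg, {i: partial(agg, shares[i]) for i in responders})
```

Any three or more responders recover the aggregate; two responders interpolate a different exponent, so `combine` returns a wrong value or `None`.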
5. Communication and Computational Complexity
MPHE protocols balance computation, bandwidth, and security (summarized with data from (Chen et al., 2024, Veeraragavan et al., 2024, Bitzer et al., 19 Jan 2026, Hosseini et al., 1 Mar 2025)):
- Ciphertext size: RLWE/CKKS ciphertexts with have two ring elements, 1.5 MB in practical security settings (Chen et al., 2024); LPN-based protocols require and for 128-bit security (Bitzer et al., 19 Jan 2026).
- Communication: Linear in the number of parties for batch encryptions and homomorphic additions; CRT and SIMD/packing reduce per-party communication.
- Computation: Cost is driven by ring operations and code-based encoding; decryption is offloaded to a threshold subset of parties, reducing bottlenecks.
- Empirical results: End-to-end overheads are on the order of $8$– (HE vs. unencrypted) for CKKS-based analytics; post-quantum (LPN-based) protocols are competitive with information-theoretically secure alternatives for higher collusion thresholds (Veeraragavan et al., 2024, Bitzer et al., 19 Jan 2026).
| Scheme | Ciphertext Size | Time/Phase (s) | Linearity in |
|---|---|---|---|
| CKKS (Chen et al., 2024) | 1.5 MB | KeyGen: 54.45, Inference: 31 | Yes |
| LPN-based (Bitzer et al., 19 Jan 2026) | See paper's Table 1 | Yes (per phase) | |
| RSA (Hosseini et al., 1 Mar 2025) | See Table V | to over plain SGD | Yes |
6. Applications and Extensions
Secure Distributed Machine Learning and Inference
- Vertically partitioned inference: MPHE realizes privacy-preserving deep learning inference where data is distributed column-wise across clients and the model remains on a server. Clients encrypt padded local slices, the server aggregates them via SIMD addition (V-Pack) and evaluates the model, and the result is revealed through threshold key-switching (Chen et al., 2024).
- Federated learning aggregation: Secure aggregation of gradients using BFV/CKKS-based MPHE is robust to dropout and late-join, supports compression, and maintains convergence guarantees (Hosseini et al., 1 Mar 2025, Xu et al., 2022).
- Federated survival analysis: CKKS-based MPHE supports accurate, privacy-preserving federated estimation (e.g., Kaplan-Meier curves) with formal noise/utility bounds and explicit mitigation of reconstruction attacks (Veeraragavan et al., 2024).
- Secure aggregation under post-quantum assumptions: MPHE instantiated under LPN/code-based assumptions, committee decryption, and CRT batching achieves information-theoretic aggregation resilience with post-quantum security (Bitzer et al., 19 Jan 2026).
Cloud and IoT Offloading
- Multiparty cloud computation (MCC/HTPRE): Proxy re-encryption and threshold decryption offload both storage and computation to the cloud; arbitrary additions and a single multiplication are feasible (Zheng et al., 2012).
- Hybrid IoT scenarios: Verifiable MPHE supports a combination of symmetric-key and homomorphic encryption, enabling confidentiality and outsourceable circuit verification in constrained-resource environments (Fernàndez-València, 2023).
7. Enhancements, Limitations, and Open Directions
Major enhancements in recent MPHE protocols include:
- Packing for vertical federated data (V-Pack): enables ciphertext-level concatenation of partitioned inputs (Chen et al., 2024).
- Support for threshold and dynamic participation: Shamir sharing and flexible recombination allow users to join/leave without protocol reset (Hosseini et al., 1 Mar 2025).
- Verifiability and malleability resistance: Homomorphic authenticators protect against driver misbehavior or cloud-side tampering (Fernàndez-València, 2023).
- Post-quantum security: LPN/code-based schemes with committee decryption, CRT batching for communication savings, and Hint-LPN-based leakage resilience (Bitzer et al., 19 Jan 2026).
Limitations and open questions:
- Depth constraints in some post-quantum schemes (one homomorphic multiplication).
- Overhead remains significant (factor $8$–$20$) compared to cleartext protocols, although linearity in scale is achieved.
- Open research in deep circuit bootstrapping under LPN/Code-based assumptions (Bitzer et al., 19 Jan 2026).
- Addressing active (malicious) adversaries and membership churn for robust, dynamic systems (Veeraragavan et al., 2024).
MPHE stands as a foundational cryptographic technology for privacy-preserving computation in multi-institutional data analytics, federated learning, secure inference, and cloud/decentralized computation, rigorously combining threshold control, provable confidentiality, and practical scalability (Chen et al., 2024, Veeraragavan et al., 2024, Hosseini et al., 1 Mar 2025, Bitzer et al., 19 Jan 2026, Fernàndez-València, 2023, Zheng et al., 2012, Xu et al., 2022).