Threshold Fully Homomorphic Encryption

• Threshold Fully Homomorphic Encryption (ThFHE) is a cryptographic scheme that distributes decryption keys among multiple parties, requiring a threshold subset to collaboratively decrypt data securely.
• It employs approximate secret sharing to manage decryption with bounded error, ensuring that error-smudged outputs maintain data integrity under noisy conditions.
• Efficient constructions like ATASSES reduce computational and communication overhead, making ThFHE practical for federated analytics and secure multi-party computation.

Threshold Fully Homomorphic Encryption (ThFHE) enables distributed decryption of fully homomorphic ciphertexts, requiring a minimum quorum of parties to collaborate in the decryption process. Unlike standard FHE, in which a single party holds the decryption key, ThFHE splits the key among $N$ parties, and only participation by a threshold subset $T$ allows successful decryption of evaluated ciphertexts. This construction preserves data confidentiality in collaborative settings and tolerates partial participation, making it central in privacy-preserving multi-party computation.

1. Distinction Between Full-Threshold and Arbitrary-Threshold ThFHE

In a T-out-of-N ThFHE scheme, each participant $i$ receives a key share $\mathsf{sk}_i$, and ciphertexts are decryptable only if at least $T$ participants contribute. If $T = N$, all participants must collaborate for decryption; this is referred to as full-threshold ThFHE. In practical settings, especially large-scale deployments, participants may be offline, fail, or decline to participate. Arbitrary-threshold ThFHE (AThFHE) extends the primitive by allowing the threshold parameter $T \leq N$ to be flexibly chosen at decryption time, permitting any subset of size at least $T$ to reconstruct the plaintext. This robustness to non-participants is essential for federated analytics or secure aggregation under dropout scenarios (Chang et al., 20 Jan 2025).

2. Approximate Secret Sharing: Foundational Primitive

Approximate Secret Sharing (ApproxSS) is introduced as a core abstraction to capture the decryption and error-smudging process fundamental to ThFHE. In a T-out-of-N ApproxSS scheme, a message $m \in M$ is shared into $N$ shares $(s_1, ..., s_N) = \mathsf{Share}(m)$, and any subset $T$ of the parties can collaboratively approximate $m$ within a bounded error set $M_B$. The recovery protocol $\Pi_{\mathsf{ApproxRec}}(\{s_i\}_{i \in T}, \chi)$ outputs $m'$ such that $m' - m \in M_B$. Security requires that any adversary corrupting up to $T-1$ parties learns only a noisy version $m_\chi = m + x$ where $x$ is sampled from the prescribed noise distribution $\chi$, even after full transcript exposure. This abstraction allows generic reduction of the AThFHE construction to the existence of suitable ApproxSS schemes and reveals that decryption in ThFHE is fundamentally a noisy secret-sharing reconstruction problem (Chang et al., 20 Jan 2025).

3. Construction and Reduction: From ApproxSS to ThFHE

The reduction from ApproxSS to ThFHE is explicit for ring-LWE-based FHE schemes (e.g., BFV). Key generation involves each party generating a local FHE secret key $\mathsf{sk}_i$ and joint construction of public keys for homomorphic evaluation. Each $\mathsf{sk}_i$ is itself secret-shared among all parties. To decrypt a ciphertext $ct=(c_0, c_1)$, the protocol proceeds as follows:

• Each of the $T$ participants computes $b_i = c_0 + c_1 \cdot \mathsf{skShare}_i$ locally.
• The aggregator and the $T$ parties execute $\Pi_{\mathsf{ApproxRec}}$ to recover $b' \approx b = c_0 + c_1 \cdot \mathsf{sk}$ up to bounded error.
• If the cumulative noise is below the decoding threshold determined by the FHE parameters, the plaintext message can be recovered (Chang et al., 20 Jan 2025).

This approach delivers correctness (Theorem 2.4) and security (Theorem 2.5) so long as the ApproxSS primitive satisfies linearity, error-bounded correctness, and (T-1)-privacy amplified with approximate security using the noise distribution $\chi$.

4. ATASSES: Efficient Arbitrary-Threshold ApproxSS

The ATASSES scheme is introduced as an efficient ATh-ApproxSS realization that overcomes performance bottlenecks in prior constructions. Previous methods, which rely on noisy-share addition and computation of Lagrange coefficients, face share-size blowup and $O(NK)$ cost per party for large $N$ and $K$. ATASSES introduces an encrypted share approach using small-modulus BFV secret-key encryption:

• Each participant $i$ generates Shamir shares $s_i$ for the target value and random smudging noise $n_i$.
• For every block of the share/noise, two secret keys are generated, each Shamir-shared across all parties. The shares are encrypted as $CTs_{i,k} = \mathsf{Enc}(ek_{i,1}; a_k, s_{i,k})$ and $CTn_{i,k} = \mathsf{Enc}(ek_{i,2}; a_k, n_{i,k})$, where $a_k$ are public parameters.
• The aggregator reconstructs collective encryption and then decrypts to recover $m_k$ perturbed by the sum of smudging noises.

This design enables the computation (per party) and communication complexity of ATASSES to be reduced to $O(N^2 + N K)$ and $O(N + K)$, respectively, a substantial asymptotic improvement compared to the $O(N^2 K)$ and $O(N K)$ bounds of prior schemes (Chang et al., 20 Jan 2025).

Scheme	Communication per Party	Computation per Party	Rounds
{0,1}-ApproxSS	$O(N^{4.2} K)$	$O(N^{4.2} K)$	1
Type-1 Shamir	$O(N K)$	$O(N^2 K)$	1
Type-2 Shamir	$O(N K)$	$O(N^2 K)$	2
Type-3 Shamir	$O(K)$	$O(N K)$	1 (fixed $T$-set)
ATASSES	$O(N + K)$	$O(N^2 + N K)$	2

The proof of correctness leverages linearity properties of both the underlying secret sharing and the SK-encryption, while the RLWE assumption underpins security: leakage is bounded to a random noisy shift (Chang et al., 20 Jan 2025).

5. Empirical Evaluation and Performance

The empirical analysis is based on implementations using the Go Lattigo library (BFV SK-encryption) with modern hardware (Apple M2 Pro) and 98 Mbps network bandwidth. Evaluation across $N \in [10, 1000]$ and $K$ up to $20 M'$ (where $M'$ is the slot-size) demonstrates that

• The running time of ATASSES grows mildly with $N$ and is dominated by $O(N^2)$ key-share work for small $N$, or $O(NK)$ block-encryption when $K \gg N$.
• Prior one-round ApproxSS schemes become impractical for $N \gtrsim 30$, and two-round Shamir variants are infeasible beyond $N \sim 200$.
• ATASSES maintains practical running times up to $N = 1000$; observed speedups at this scale reach $3.83\times$–$15.4\times$ over prior two-round Shamir-based approaches, with the speedup increasing for larger $K$.

Sample timings for $N=1000$:

$K/M'$	5	10	15	20
Type-2	23.1s	40.7s	58.9s	76.2s
ATASSES	6.0s	10.1s	13.9s	16.4s
Speedup	3.85×	4.03×	4.24×	4.65×

Such empirical performance confirms the asymptotic improvements and scalability benefits of ATASSES, especially for large consortiums and batch sizes (Chang et al., 20 Jan 2025).

6. Applications, Limitations, and Future Directions

Scalable arbitrary-threshold ThFHE, as realized by ATASSES, unlocks use cases in federated learning, secure genomic computation, and distributed machine learning where client dropout or asynchrony is expected. The protocol's $\mathcal{O}(N^2 + N K)$ computational and $\mathcal{O}(N + K)$ communication complexity enables feasibility in deployments with thousands of participants.

ATASSES is currently semihonest-secure; the addition of verifiable secret sharing (such as via PELTA) and zero-knowledge proofs can upgrade security to the malicious model with moderate overhead. When $K \gg N$, the double encryption per block constitutes the main computational overhead; further optimizations such as batching or employing shared-key FHE could reduce constants. ApproxSS generalizations to other rings and approximate-arithmetic settings (e.g., CKKS) remain open research avenues (Chang et al., 20 Jan 2025).

7. Connections with Quantum Threshold Homomorphic Encryption

Recent research extends the threshold paradigm to quantum homomorphic encryption schemes using quantum state sharing. In this setting, a $(k, n)$-threshold quantum homomorphic encryption protocol allows any $k$ out of $n$ quantum evaluators to securely and collaboratively homomorphically evaluate a universal quantum circuit on encrypted input states. The security analysis establishes correctness, privacy against eavesdroppers, and resilience to up to $k-1$ colluding servers. The approach leverages classical and quantum secret sharing of rotation keys and partial decryptions, confirming the applicability of threshold techniques in both classical and quantum domains (Zhang et al., 26 Feb 2025).

A plausible implication is that the conceptual framework of Approximate Secret Sharing and threshold decryption—central to scalable classical ThFHE—may inform future developments in quantum homomorphic protocols, particularly where noise-tolerance or multiparty control over decryption is required.

---

References:

• "Arbitrary-Threshold Fully Homomorphic Encryption with Lower Complexity" (Chang et al., 20 Jan 2025)
• "Universal quantum homomorphic encryption based on $(k, n)$-threshold quantum state sharing" (Zhang et al., 26 Feb 2025)