Paper 2025/699
Threshold (Fully) Homomorphic Encryption
Abstract
This document is a preliminary version of what is intended to be submitted to NIST by Zama as part of their threshold call. The document also serves as partial documentation of the protocols used in the Zama MPC system for threshold TFHE. However, note that the Zama software includes many optimizations built on top of the simple specifications given here. In particular, the TFHE parameters given here are larger than those used by the Zama software. This is because the Zama TFHE library contains optimizations which are beyond the scope of this document. Thus the parameters given in this document are compatible with the description of TFHE given here, and take no account of the extra optimizations in the Zama software. Also note that we describe more protocols than those provided in the Zama software. In particular, this document describes BGV and BFV threshold implementations and MPC-in-the-Head based proofs of correct encryption.

We present mechanisms to perform robust threshold key generation and decryption for Fully Homomorphic Encryption schemes such as BGV, BFV and TFHE, in the case of super honest majority, t < n/3 or t < n/4, in the presence of malicious adversaries. The main mechanism for threshold decryption follows the noise flooding principle, which we argue is sufficient for BGV and BFV. For TFHE a more subtle technique is needed to apply noise flooding, since TFHE parameters are small. To deal with all three FHE schemes, and to obtain a unified framework for all such schemes, we are led to consider secret sharing over Galois Rings and not just finite fields.

We consider two sets of threshold profiles, depending on whether binomial(n,t) is big or small. In the small case we obtain, for all schemes, an asynchronous protocol for robust threshold decryption and a robust synchronous protocol for threshold key generation, both with t < n/3. For the large case we only support TFHE, and our protocols require an “offline phase” which requires synchronous networks and can “only” tolerate t < n/4. The threshold key generation operation, and the above-mentioned offline phase, require access to a generic offline MPC functionality over arbitrary Galois Rings. This functionality is fully specified here.

Finally, we present Zero-Knowledge proof techniques for proving the valid encryption of an FHE ciphertext. These proofs are important in a number of application contexts.
Metadata
- Available format(s)
- PDF
- Category
- Cryptographic protocols
- Publication info
- Preprint.
- Contact author(s)
- carl bootland @ zama ai
  kelong cong @ zama ai
  daniel demmler @ zama ai
  tore frederiksen @ zama ai
  benoit libert @ zama ai
  jb orfila @ zama ai
  r dragos0 @ gmail com
  nigel @ zama ai
  titouan tanguy @ zama ai
  samuel tap @ zama ai
  michael walter @ zama ai
- History
- 2025-04-18: approved
- 2025-04-17: received
- Short URL
- https://ia.cr/2025/699
- License
- CC BY
BibTeX
@misc{cryptoeprint:2025/699,
      author = {Carl Bootland and Kelong Cong and Daniel Demmler and Tore Kasper Frederiksen and Benoit Libert and Jean-Baptiste Orfila and Dragos Rotaru and Nigel P. Smart and Titouan Tanguy and Samuel Tap and Michael Walter},
      title = {Threshold (Fully) Homomorphic Encryption},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/699},
      year = {2025},
      url = {https://eprint.iacr.org/2025/699}
}