Verifiable Threshold Multi-Party Fully Homomorphic Encryption from Share Resharing

Abstract

Threshold multi-party fully homomorphic encryption (TMFHE) schemes enable efficient computation to be performed on sensitive data while maintaining privacy. These schemes allow a subset of parties to perform threshold decryption of evaluation results via a distributed protocol without the need for a trusted dealer, and provide a degree of fault tolerance against a set of corrupted parties. However, existing TMFHE schemes can only provide correctness and security against honest-but-curious parties. We construct a compact TMFHE scheme based on the Learning with Errors (LWE) problem. The scheme applies Shamir secret sharing and share resharing to support an arbitrary t-out-of-N threshold access structure, and enables non-interactive reconstruction of secret key shares using additive shares derived from the current set of online participants. Furthermore, the scheme implements commitment and non-interactive zero-knowledge (NIZK) proof techniques to verify the TMFHE operations. Finally, our experiments demonstrate that the proposed scheme achieves active security against malicious adversaries. It overcomes the limitation of existing TMFHE schemes that can only guarantee correct computation under passive semi-honest adversaries.

1. Introduction

In the rapidly advancing information age, cloud computing has become an integral platform for consolidating vast computing resources. Many organizations and individuals choose to upload large volumes of data to cloud servers for processing and storage. However, while cloud computing provides extensive computational resources, it also faces numerous security challenges. When users transfer their data to cloud servers, they relinquish control over it, and both cloud service providers and malicious actors may exploit the cloud to steal users’ sensitive information.

Fully homomorphic encryption (FHE) [1] addresses this privacy challenge by enabling additions and multiplications to be performed directly on encrypted data, without requiring decryption. In other words, FHE can perform a series of operations on ciphertexts that directly correspond to additions and multiplications on the respective plaintexts. However, traditional (single-key) FHE [2,3,4,5] is limited to performing homomorphic operations on ciphertexts encrypted with a single key, and therefore does not support multi-party collaborative computation scenarios.

To address this problem, several generations of schemes have been proposed that allow joint computation on encrypted data from multiple users without the need for decryption. These schemes support flexible function selection and participant configuration, while ensuring that decryption of computation results can only be performed jointly. These schemes are commonly referred to as multi-party fully homomorphic encryption (MFHE) schemes [6,7]. Over the years, various multi-key and threshold variants of MFHE schemes have been proposed [8,9,10,11,12,13,14], which serve as alternatives to traditional multi-party computation (MPC) protocols in cloud-based systems. These are particularly useful in collaborative data scenarios, such as distributed training of machine learning models [15] and biomedical analysis [16,17]. For users, compact schemes are advantageous, as the number of interactions is not affected by the function being executed or the number of parties involved, and the computation remains constant regardless of the circuit depth of the function, thereby avoiding significant computational and communication costs.

Although using passively secure threshold multi-party fully homomorphic encryption (TMFHE) schemes is effective and practical in most scenarios, these schemes are extensions of traditional FHE schemes to multiple users, and can, at most, operate among honest-but-curious parties. Therefore, there is a possibility of privacy leakage when facing malicious adversaries. In TMFHE schemes, when a set of parties corrupted by a malicious adversary or a dishonest majority outputs incorrect partial decryption results, it can cause decryption failures or even leakage of private information, thereby compromising the correctness and security of the schemes.

To ensure security against malicious adversaries in TMFHE schemes, a natural and feasible approach is to introduce commitment and non-interactive zero-knowledge (NIZK) proof systems based on the Fiat–Shamir transform [18]. However, constructing an actively secure TMFHE scheme presents several difficult challenges. In one respect, the workflow of TMFHE schemes involves uncertainty in the parties and their numbers, and there are constraints such as the inability to ensure consistency of secrets between different protocols. This means that the verification mechanism based on commitment and NIZK must be specifically designed according to the characteristics of the TMFHE scheme, without affecting the execution of the primary encryption scheme. In another respect, the variable ciphertext structure dimensions and complex computation processes of the current FHE schemes result in additional computations when NIZKs are introduced into the multi-party execution of prescribed protocols. Therefore, there is an urgent need for an efficient TMFHE scheme that simultaneously supports flexible threshold structures, robust security against adversaries, and verifiability of protocol execution. Although homomorphic encryption has found increasingly widespread use in multi-party computation, existing TMFHE schemes generally suffer from structural limitations, incomplete security models, and inadequate verifiability. For instance, some schemes only support joint computation by all parties (e.g., N-out-of-N structures), which makes them unsuitable for real-world scenarios involving offline or dynamically changing participants. Others lack rigorous constraints on malicious adversaries and fail to provide effective verification mechanisms. While some improvement directions have been proposed in the literature—such as by Boneh et al. [19], who designed a universal thresholdizer without a complete verification mechanism; Chatel et al. [20], who enhanced adversarial resistance, but did not support general threshold structures; and Mouchet et al. [21], who optimized key generation without addressing verifiability—these approaches still leave important issues unresolved. In light of these limitations, this work aims to construct an efficient TMFHE scheme that supports flexible threshold access structures and incorporates robust security verification mechanisms.

The verifiable threshold multi-party fully homomorphic encryption (VTMFHE) scheme proposed in this paper is specifically designed to address the aforementioned challenges. Distinct from existing works, our approach introduces improvements and innovations in two key aspects. First, we enhance share resharing techniques to allow their seamless integration into LWE-based homomorphic encryption schemes. By combining Shamir secret sharing and share resharing, our scheme enables additive sharing of secret key shares, thereby supporting arbitrary t-out-of-N threshold structures and accommodating offline or dynamically changing participants. This significantly improves the flexibility and practicality of the protocol. Second, we introduce commitment and non-interactive zero-knowledge (NIZK) techniques to design verifiable distributed key generation and threshold decryption protocols. These mechanisms ensure the structural validity and computational consistency of key shares and partial decryption results generated by each party, thereby strengthening the scheme’s resilience against malicious adversaries. Compared with prior studies, our scheme achieves better generality in structure and functionality, while maintaining a balanced trade-off among security, verifiability, and efficiency. Therefore, this work holds both theoretical significance and practical value for advancing secure and efficient multi-party homomorphic computation protocols.

1.1. Related Work

Bendlin and Damgård [22] considered a setting where parties obtain secret shares via pseudo-random secret sharing techniques, and provided a threshold variant of a CPA-secure encryption scheme based on Regev’s work [23]. This led to a non-interactive key generation process; however, it is non-compact, as it necessitates a unique key for each possible subset of corrupted participants. Xie et al. [24] proposed a threshold CCA-secure public key encryption (PKE) scheme based on the Learning with Errors (LWE) problem [23], which incorporates lossy trapdoor functions. However, in this scheme, the size of the ciphertext and public key is at least linear with respect to the number of servers. Therefore, due to this factor’s expansion, the aforementioned two schemes are impractical for multiple parties.

López-Alt et al. [6] were the first to propose a multi-key fully homomorphic encryption (MKFHE) scheme based on the NTRU algorithm, after which MKFHE research entered a phase of rapid development. In LWE-based MKFHE schemes [7,9,10,11], each participating party encrypts its input using an FHE scheme and broadcasts the ciphertext to the others. Subsequently, each participant homomorphically evaluates the received ciphertexts from other parties and engages in a round of distributed decryption protocol. If a trusted authority thresholdizes the encryption keys during the Setup phase and distributes them to the parties, the keys can then be additively shared. However, these schemes all require a ciphertext extension step, which significantly increases the ciphertext size and makes the computational cost of homomorphic evaluation expensive. Among these, Asharov et al. [8], in their pioneering work on LWE-based multi-party homomorphic encryption, demonstrated the construction of a three-round MPC protocol using a common reference string. They achieved semi-malicious security based on the LWE problem, and further achieved full malicious security through NIZK. However, they did not specifically detail the secret share scheme employed to achieve the t-out-of-N access structure. Additionally, in practice, directly reconstructing the secret key shares is undesirable, because it reveals the shares of the failed parties to the other parties.

Boneh et al. [19] proposed a t-out-of-N universal thresholdizer based on the LWE problem, enabling threshold versions of arbitrary multi-party signature schemes. This scheme uses a TMFHE scheme constructed with secret sharing techniques to encrypt the keys of the underlying signature scheme, and uses threshold decryption to recover the signature. However, in more robust asynchronous settings, participants cannot determine which other parties are online when generating decryption shares, leading to increased complexity and performance overhead. Agrawal et al. [25] applied this method [19] to the signature scheme by Ducas et al. [26], and demonstrated how to handle adaptive corruption. Mouchet et al. [27] proposed a multi-party homomorphic encryption scheme based on the RLWE problem, which achieves linear communication complexity and non-interactive circuit evaluation through multi-party protocols such as key switching, relinearization, and public key switching. However, the scheme only provides passive security under the semi-honest model. Similarly, Mouchet et al. [21] constructed a TMFHE scheme based on the Ring-LWE problem, using share resharing techniques, which has a t-out-of-N access structure. They proposed reconstructing the secret key shares in the threshold decryption protocol without needing a trusted dealer to distribute the share. Therefore, their scheme is simpler and more compact, with good performance, but its security can only be effective against static passive semi-honest adversaries.

Baum et al. [28] provided a compact threshold cryptosystem with commitment and zero-knowledge proof protocols. However, their approach is limited by the server’s ability to perform only a predetermined number of online non-interactive decryption operations, after which an offline interactive step is required. Subsequently, Baum et al. [29] proposed an efficient homomorphic commitment scheme based on lattice hardness assumptions, and constructed the corresponding zero-knowledge proof of knowledge for opening. The scheme achieves significant compression in the sizes of commitments and proofs under the assumptions of computational hiding and binding, and it supports commitments to vectors with larger norms. This efficiency comes at the cost of the commitment size growing linearly with the dimension of the input vector. Building on Baum et al.’s scheme and its improvements, Yang et al. [30] developed an efficient zero-knowledge proof system for lattice-based matrix-vector relations, which supports the standard definition of soundness and achieves negligible soundness error. Rotaru et al. [31] proposed a distributed key generation protocol, based on the BGV scheme [3], that provides active security; however, it is limited to the full-threshold scenario. Gentry et al. [32] built verifiable secret sharing based on the LWE problem. Nevertheless, in their construction, the discrete logarithm assumption underpins the zero-knowledge proofs, giving them non-resistant quantum resilience. Viand et al. [33] constructed a threshold FHE scheme using general zero-knowledge proofs.

Gür et al. [34] constructed an MFHE scheme with threshold decryption based on the BGV [3] scheme, and implemented a verifiable distributed key generation protocol using the hash function, commitment, and NIZK. On this basis, they instantiated a variant of the signature scheme developed by Ducas et al. [26]. Chatel et al. [20] proposed a practically deployable multi-party fully homomorphic encryption scheme secure against malicious adversaries, which supports zero-knowledge verification of the correctness of key generation, decryption, and bootstrapping. However, their scheme does not support threshold settings and lacks flexibility in the configuration of participating parties. Aranha et al. [35] achieved malicious security for Bendlin and Damgård’s scheme [22] based on commitment and NIZK, and constructed a verifiable distributed decryption protocol based on the RLWE problem. Although Bendlin and Damgård’s scheme [22] supports an arbitrary threshold, Aranha et al.’s scheme [35] only supports the full-threshold setting, resulting in insufficient system reliability and flexibility, as well as higher communication overhead compared to arbitrary threshold settings.

1.2. Our Contributions

In this work, we present the first LWE-based verifiable threshold multi-party fully homomorphic encryption scheme (VTMFHE) with active security, addressing the aforementioned challenges. Our scheme builds upon the GSW encryption scheme proposed by Gentry et al. [4]. We achieve security against malicious adversaries by integrating Shamir secret sharing, share resharing, commitments, and NIZK proofs. The main contributions are summarized as follows:

• To address the high complexity and overhead in asynchronous settings of existing TMFHE schemes, as well as the rapid growth of smudging noise during decryption, we constructed an LWE-based TMFHE scheme using Shamir secret sharing. This scheme is compact, as the size of the ciphertexts or the evaluated ciphertexts remains independent of the evaluation functions and the number of parties, N. Furthermore, we propose an improved share resharing technique that transforms secret key shares in the scheme into additive shares. Each party only needs to perform the resharing protocol once to store a constant state, enabling any subset of at least t parties to locally execute precomputed additive key recombination during decryption. This supports flexible t-out-of-N threshold structures and allows non-interactive key reconstruction in the decryption phase. As a result, partial decryption results from such a subset can be combined in a single round of communication to produce the decryption of the evaluated ciphertext, enabling some parties to remain offline or to generate new keys for dynamically changing participant sets in different computation tasks.
• To address the issue of existing TMFHE schemes lacking active security, we constructed a verifiable distributed key generation encryption algorithm and threshold decryption protocols using commitment and NIZK, demonstrating how to integrate these components into our proposed VTMFHE scheme. During the implementation of the scheme, the following operations can be effectively verified for correct protocol execution and parameter usage: (a) generation of the encryption public key, (b) generation of ciphertexts by each party using the encryption algorithm, and (c) computation of partial decryption results by parties using the correct secret key shares in threshold decryption. Finally, we have demonstrated, through hybrid experiments, that our scheme is secure against malicious adversaries.

1.3. Organization

In Section 2, we present the necessary preliminaries for this work, including the foundational security assumption (the LWE problem), Shamir secret sharing, and fully homomorphic encryption, as well as the definitions and properties of commitment schemes and non-interactive zero-knowledge (NIZK) proofs. Section 3 introduces the core building blocks of our scheme, including the basic structure of TMFHE, the share resharing technique, and the oracle query. Section 4 provides a detailed description of the complete construction of the proposed VTMFHE scheme, covering the verifiable distributed key generation protocol, the distributed threshold decryption protocol, and the NP relations of NIZK. Section 5 offers a systematic analysis of the scheme’s correctness, security, and performance, and presents a simulation-based hybrid experiment proof of active security. Finally, Section 6 concludes the paper by summarizing the main contributions and discussing potential directions for future research.

2. Preliminaries

This section first defines the notation and preliminaries for the construction modules used in our scheme. Section 3 and Section 4 then demonstrate how these components are integrated into the overall scheme.

Notation. In this work, we use bold lowercase letters to denote vectors (e.g., $\mathit{s}$), and bold uppercase letters to denote matrices (e.g., $\mathit{A}$). For two vectors $\mathit{a}$ and $\mathit{b}$ of the same dimension, we use $〈\mathit{a},\mathit{b}〉$ to denote their inner product. Let $\lambda$ denote the security parameter, with other parameters depending on $\lambda$, such as $n=n\left(\lambda \right)$. If the parameter $B\left(\lambda \right)$ is asymptotically bounded by the inverse of a polynomial in $\lambda$, i.e., $B\left(\lambda \right)=1/poly\left(\lambda \right)$, we say that the parameter $B$ is negligible, denoted as $negl\left(\lambda \right)$. For a prime power $q\in \mathbb{N}$, we define integers in the range $\left(-q/2\right.,\left.q/2\right]$ as elements in the finite field ${\mathbb{Z}}_q$. For any set $S$, we let $\left|S\right|$ denote the cardinality of $S$, and for any element $a\in {\mathbb{Z}}_q$, $\left|a\right|$ denotes the absolute value of $a$. We use ${‖\mathit{x}‖}_{\infty }$ to denote the infinity norm of a vector, which is the maximum absolute value of its elements, and a similar definition applies to the infinity norm of a matrix. For any $k\in \mathbb{N}$, we use $\left[k\right]$ to denote the set $\left\{\mathrm{1,2},\dots ,k\right\}$. We use $x\stackrel{R}{\leftarrow }\mathcal{D}$ to denote that $x$ is randomly and uniformly sampled from the probability distribution $\mathcal{D}$, and $C\stackrel{R}{\leftarrow }S$ to denote that $C$ is randomly and uniformly sampled from the set $S$. For two distributions ${\mathcal{D}}_0$ and ${\mathcal{D}}_1$, we denote that they are statistically indistinguishable and computationally indistinguishable by $D_0\stackrel{S}{\approx }{D}_1$ and $D_0\stackrel{C}{\approx }{D}_1$, respectively.

Definition 1 (B-bounded Distribution). 

If an ensemble of distributions ${\left\{{\chi }_n\right\}}_{n\in \mathbb{N}}$ on integers is called B-bounded distribution for an integer bound $B=B\left(\lambda \right)$, it satisfies the following condition:

$${Pr}_{e\stackrel{R}{\leftarrow }{\chi }_n}\left[\left|e\right|>B\left(\lambda \right)\right]=negl\left(\lambda \right).$$

The technique of “smudging out”, proposed by Asharov et al. [8], seeks to render ciphertext noise unusable by overwhelming it with newly sampled noise from a distribution with larger variance. We depend on the following lemma, which describes introducing large noise to “smudge out” or conceal the small noise.

Lemma 1 ([8]). 

Let $B_1=B_1\left(\lambda \right)$ and $B_2=B_2\left(\lambda \right)$ be positive integers, with $e_1\in \left[-B_1, B_1\right]$ being a fixed integer. Let the integer $e_2\stackrel{R}{\leftarrow }\left[-B_2, B_2\right]$ be uniformly randomly sampled. Then, provided that $B_1/B_2=negl\left(\lambda \right)$, the distribution of $e_2$ is statistically indistinguishable from the distribution of $e_2+e_1$, i.e., $e_2\stackrel{S}{\approx }\left(e_2+e_1\right)$.

For the short preimage matrix $\mathit{G}$, proposed by Micciancio and Peikert [36], multiplying by $\mathit{G}$ can be viewed as executing the ${\mathrm{B}\mathrm{i}\mathrm{t}\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{o}\mathrm{m}\mathrm{p}}^{-1}$ function in the GSW scheme, while the function ${\mathit{G}}^{-1}\left(·\right)$ corresponds to the $\mathrm{B}\mathrm{i}\mathrm{t}\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{o}\mathrm{m}\mathrm{p}$ function. The low-level details of this implementation can be omitted (see [7,9] for more details). Note that ${\mathit{G}}^{-1}\left(·\right)$ is not a matrix, but an efficiently computable function.

Lemma 2 ([36]). 

For any $m\ge n⌈\mathit{log}q⌉$, there exists a fixed and efficiently computable matrix $\mathit{G}\in {\mathbb{Z}}_q^{m\times n}$ and an efficiently computable deterministic short preimage function ${\mathit{G}}^{-1}\left(·\right)$ satisfying the following property: for any $m\prime$, given an input matrix $\mathit{M}\in {\mathbb{Z}}_q^{m\prime \times n}$, the function ${\mathit{G}}^{-1}\left(\mathit{M}\right)$ outputs a bit-matrix ${\mathit{G}}^{-1}\left(\mathit{M}\right)\in {\left\{\mathrm{0,1}\right\}}^{m\prime \times m}$, such that $\mathit{G}{\mathit{G}}^{-1}\left(\mathit{M}\right)=\mathit{M}$.

2.1. The Learning with Errors (LWE) Problem

Our scheme is based on the hardness of the LWE problem. The LWE problem, introduced by Regev [23], is a well-known lattice-based hard problem that provides security against quantum attacks and allows for efficient implementation. In lattice-based public key cryptosystems, solving the average-case LWE problem is at least as hard as solving certain well-known worst-case lattice approximation problems.

Definition 2 (LWE Problem). 

Given a security parameter $\lambda$, let the lattice dimension $n=n\left(\lambda \right)$, let the prime $q=q\left(\lambda \right)$ be integers, and let $\chi =\chi \left(\lambda \right)$ be an error distribution over $\mathbb{Z}$. Let $\mathit{A}$ be a uniformly sampled matrix, $\mathit{A}\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{m\times \left(n-1\right)}$. The goal of the ${LWE}_{n,q,\chi }$ problem is to distinguish between the two distributions as follows:

• ${\mathcal{D}}_0$: Uniformly randomly sample $\mathit{s}\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{n-1}$ and $\mathit{e}\stackrel{R}{\leftarrow }{\chi }^m$, and let $\mathit{b}=〈\mathit{A},\mathit{s}〉+\mathit{e}$. Then $\left(\mathit{A},\mathit{b}\right)\in {\mathbb{Z}}_q^{m\times n}$.
• ${\mathcal{D}}_1$: Uniformly randomly sample $\mathit{b}\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^m$. Then $\left(\mathit{A},\mathit{b}\right)\in {\mathbb{Z}}_q^{m\times n}$.

Then, for any probabilistic polynomial time (PPT) adversary $\mathcal{A}$, the probability of solving the ${LWE}_{n,q,\chi }$ problem (i.e., distinguishing between these two distributions) is negligible:

$$Pr\left[\begin{array}{c}\mathcal{A}\left(\mathit{A},\mathit{b}\right)\to {\mathcal{D}}_{b\prime }\\ b\prime =b\end{array}:\begin{array}{c}\left(\mathit{A},\mathit{b}\right)\leftarrow {\mathcal{D}}_0\\ \left(\mathit{A},\mathit{b}\right)\leftarrow {\mathcal{D}}_1\\ b\in \left\{\mathrm{0,1}\right\}\end{array}\right]\le {\displaystyle \frac{1}{2}}+negl\left(\lambda \right).$$

Lemma 3 ([23]). 

Regev [23] proposed a reduction of the LWE problem from the worst case to the average case. For any integer lattice dimension $n$, integer prime $q=q\left(n\right)$, and bound $B=B\left(n\right)\ge 2n$, there exists a B-bounded distribution ${\chi }_B$ that can be efficiently uniformly sampled. Therefore, if a quantum algorithm exists that can efficiently solve the ${LWE}_{n,q,\chi }$ problem, then a quantum algorithm also exists that can efficiently solve the $\tilde{O}\left(q{n}^{1.5}/B\right)$-approximate worst-case problems SIVP and GapSVP on the lattice.

2.2. Shamir Secret Sharing

In this section, we will introduce the standard definitions of the threshold access structures and the Shamir secret sharing used in this work.

Definition 3 (Threshold Access Structure). 

Let the set of parties be $P=\left\{P_1,\dots ,P_N\right\}$. A threshold access structure (TAS), denoted as ${\mathbb{A}}_t$, is defined such that for any subset of parties $S\subseteq P$, $S\in {\mathbb{A}}_t$ if and only if $\left|S\right|\ge t$. Furthermore, let $S\subseteq P$ be a subset of the party set $P$. If $S\notin {\mathbb{A}}_t$, but for any party $P_i\in P\backslash S$, it holds that $S\cup \left\{P_i\right\}\in {\mathbb{A}}_t$, then $S$ is called a maximal invalid set. We categorize the TAS as the collection of access structures ${\mathbb{A}}_t$ for all $t\in \mathbb{N}$.

Next, we review the Shamir secret sharing scheme [37], which uses polynomial interpolation over a finite field to implement a t-out-of-N threshold access structure. In Shamir’s scheme, a secret $s\in {\mathbb{Z}}_q$ from the secret space $\mathcal{K}$ is divided into $n$ shares, ensuring that at least $t$ shares are needed to reconstruct the secret $s$. For simplicity, we consider reconstructing the secret using the first $t$ shares.

Definition 4 (Shamir Secret Sharing Scheme). 

Let the set of parties be $P=\left\{P_1,\dots ,P_N\right\}$, and let ${\mathbb{A}}_t$ represent a class of threshold access structures on $P$. A secret space $\mathcal{K}={\mathbb{Z}}_q$ exists. Then, Shamir secret sharing is a PPT algorithm Shamir = (S.Setup, S.Share, S.Combine), defined as follows:

• S.Setup: Determine the threshold access structure ${\mathbb{A}}_t$ for the set of parties $P$, and ensure the parties concur on a field ${\mathbb{Z}}_q^{*}$. Each party $P_i\in P$ is associated with an element $x_i\in {\mathbb{Z}}_q^{*}$, which is a non-zero value, and if $i\ne j$, then $x_i\ne x_j$. This sequence of public points $\left(x_1,\dots ,x_N\right)$ is referred to as the Shamir public points.
• S.Share $\left(s,{\mathbb{A}}_t,x_1,\dots ,x_N\right)\to \left(s_1,\dots ,s_N\right)$: To share a secret $s\in {\mathbb{Z}}_q$ among $N$ parties and ensure that at least $t$ shares are required to recover the secret, the algorithm uniformly samples $t-1$ elements $\left(c_1,\dots ,c_{t-1}\right)\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{*}$. It then defines a polynomial of degree $\left(t-1\right)$: $P\left(X\right)=s+c_{1}X+c_2{X}^2+\dots +c_{t-1}{X}^{t-1}=s+{\sum }_{k=1}^{t-1}{c}_k{X}^k\in {\mathbb{Z}}_q\left[X\right]$. Thus, $P\left(0\right)=s$. The value $P\left(x_i\right)=s_i$ is then sent to party $P_i$.
• S.Combine$\left(s_1,\dots ,s_t,x_1,\dots ,x_t\right)\to s$ : Any subset of shares from at least $t$ parties can reconstruct the secret $s$ , while no subset of fewer than $t$ parties can learn any information about the secret $s$ . The secret $s$ can be computed as $s={\sum }_{i=1}^t{s}_i{\prod }_{j=1,j\ne i}^t{\displaystyle \frac{x_j}{x_j-x_i}}={\sum }_{i=1}^t{s}_i{\lambda }_i$ , where ${\lambda }_i={\prod }_{j=1,j\ne i}^t{\displaystyle \frac{x_j}{x_j-x_i}}$are the Lagrange coefficients.

For a prime q, the Shamir secret sharing scheme satisfies the following properties of correctness and privacy:

Definition 5 (Correctness). 

For any valid subset of parties $S\in {\mathbb{A}}_t$, and any secret $s\in \mathcal{K}$, the Shamir secret sharing scheme can correctly recover the secret $s$:

$${Pr}_{S\in {\mathbb{A}}_t}\left\{\begin{array}{c}s\leftarrow \\ S.Combine\left({{\{s}_i\}}_{i\in S},{\left\{x_i\right\}}_{i\in S}\right)\end{array}|\begin{array}{c}\left(s_1,\dots ,s_N\right)\leftarrow \\ S.Share\left(s,{\mathbb{A}}_t,x_1,\dots ,x_N\right)\end{array}\right\}=1.$$

Definition 6 (Privacy). 

For any subset of parties $S\notin {\mathbb{A}}_t$ and secret $s_b\in \mathcal{K}$, where $b\in \left\{\mathrm{0,1}\right\}$, if $\left(s_{b,1},\dots ,s_{b,N}\right)\leftarrow S.Share\left(s_b,{\mathbb{A}}_t,x_1,\dots ,x_N\right)$, then the two distributions ${\left\{s_{0,i}\right\}}_{i\in S}$ and ${\left\{s_{1,i}\right\}}_{i\in S}$ are indistinguishable, i.e.:

$$\left\{{\left\{s_{0,i}\right\}}_{i\in S}|\begin{array}{c}\left(s_{\mathrm{0,1}},\dots ,s_{0,N}\right)\leftarrow \\ S.Share\left(s_0,{\mathbb{A}}_t,x_1,\dots ,x_N\right)\end{array}\right\} \equiv \left\{{\left\{s_{1,i}\right\}}_{i\in S}|\begin{array}{c}\left(s_{\mathrm{1,1}},\dots ,s_{1,N}\right)\leftarrow \\ S.Share\left(s_1,{\mathbb{A}}_t,x_1,\dots ,x_N\right)\end{array}\right\}.$$

In our scheme, secret sharing is consistently applied to a vector (the secret key) $\mathit{v}\in {\mathbb{Z}}_q^n$ rather than a single scalar $s\in {\mathbb{Z}}_q$. We can directly apply the $\mathrm{S}.\mathrm{S}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}$ function to each component of the vector using $\mathit{v}$ randomly sampled values $\left(c_1,\dots ,c_{t-1}\right)\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{\mathrm{*}}$, resulting in shares ${\mathit{v}}_1,\dots ,{\mathit{v}}_N\in {\mathbb{Z}}_q^n$. Similarly, by executing the $\mathrm{S}.\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{b}\mathrm{i}\mathrm{n}\mathrm{e}$ function, we can reconstruct the secret $\mathit{v}\in {\mathbb{Z}}_q^n$ as a linear combination of the shares ${\mathit{v}}_i$, using the same coefficients as for a single scalar element. This approach ensures that the privacy property of the scheme is preserved.

2.3. Fully Homomorphic Encryption

Our scheme is built upon FHE schemes based on the standard LWE problem, such as the GSW scheme [4]. FHE enables computation directly on encrypted data, without the need for decryption.

Definition 7 (FHE Scheme). 

FHE = (F.Setup, F.SecKeyGen, F.PubKeyGen, F.Enc, F.Eval, F.Dec) is a tuple of PPT algorithms, defined as follows:

• F.Setup$\left(1^{\lambda },1^l\right)\to params$: Given a security parameter $\lambda$ and a circuit depth bound $l$, compute the lattice dimension $n=n\left(\lambda ,l\right)$, the modulus $q=q\left(\lambda ,l\right)$, and the error distribution ${\chi }_B={\chi }_B\left(\lambda ,l\right)$ as a B-bounded distribution, where the bound is $B=B\left(\lambda ,l\right)$. Let $m=m\left(\lambda ,l\right)=O\left(n\mathit{log}q\right)$, and $\mathcal{l}=⌊\mathit{log}q⌋+1$. Output $params=\left(n, q, \chi , m,\mathcal{l}\right)$; use the $params$ as implicit input for other algorithms.
• F.SecKeyGen$\left(params\right)\to sk$: Given the $params$, uniformly sample $\mathit{t}\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{n-1}$, and output the secret key $sk=\mathit{v}=\left(\begin{array}{c}1\\ -\mathit{t}\end{array}\right)$, where $\mathit{v}\in {\mathbb{Z}}_q^n$.
• F.PubKeyGen$\left(sk\right)\to pk$: Given the secret key $sk$, uniformly sample the matrix $\mathit{B}\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{m\times \left(n-1\right)}$ and the error vector $\mathit{e}\stackrel{R}{\leftarrow }{\chi }_B^m$. Let $\mathit{b}=\mathit{B}·\mathit{t}+\mathit{e}$. Output the public key $pk=\mathit{A}=\left(\mathit{b}, \mathit{B}\right)$, where $\mathit{A}\in {\mathbb{Z}}_q^{m\times n}$.
• F.Enc$\left(pk, \mu \right)\to ctx$ : Given the public key $pk$ and the message $\mu \in \left\{0, 1\right\}$ , uniformly sample a random matrix $\mathit{R}\in {\left\{0, 1\right\}}^{m\times m}$ . Output the ciphertext $ctx=\mathit{R}\mathit{A}+\mu \mathit{G}$ corresponding to the message $\mu$ , where $ctx\in {\mathbb{Z}}_q^{m\times n}$ and $\mathit{G}\in {\mathbb{Z}}_q^{m\times n}$ is the short preimage matrix (Lemma 2).
• F.Eval$\left( F, {ctx}_1,\dots ,{ctx}_k\right)\to \widehat{ctx}$: Given a circuit $F: {\left\{0, 1\right\}}^k\to \left\{0, 1\right\}$ with a depth bound $l$ and a set of ciphertexts ${ctx}_1,\dots ,{ctx}_k$, output the evaluated ciphertext $\widehat{ctx}$.
• F.Dec$\left(sk, \widehat{ctx}\right)\to ptx$: Given the secret key $sk$ and the ciphertext $\widehat{ctx}$, compute $\mathit{x}=〈\widehat{ctx}, sk〉=\mathit{R}·\mathit{e}+\mu \prime ·\mathit{v}$, where $\mu \prime =F\left({\mu }_1,\dots ,{\mu }_k\right)$. Output $ptx=⌊\mathit{x}/\mathit{v}⌉$ as the decryption result, where $ptx\in \left\{0, 1, \perp \right\}$.

The properties of compactness, correctness, and security, as defined below, should be satisfied by an FHE scheme.

Definition 8 (Compactness). 

If there exists a polynomial function $p\left(·\right)$ such that for arbitrary security parameters $\lambda$, a circuit $F: {\left\{0, 1\right\}}^k\to \left\{0, 1\right\}$ with circuit depth bound $l$, and ${\left\{{\mu }_i\right\}}_{i\in \left[k\right]}\in \left\{0, 1\right\}$, the FHE scheme satisfies the following: for $sk\leftarrow F.SecKeyGen\left(params\right)$, $pk\leftarrow F.PubKeyGen\left(sk\right)$, ${\left\{{ctx}_i\leftarrow F.Enc\left(pk, {\mu }_i\right)\right\}}_{i\in \left[k\right]}$, and $\widehat{ctx}\leftarrow F.Eval\left( F, {ctx}_1,\dots ,{ctx}_k\right)$, the size of the ciphertext $\widehat{ctx}$ is only polynomially related to $\lambda$ and $l$, and at most, $p\left(\lambda ,l\right)$; therefore, the FHE scheme satisfies compactness, i.e., $\left|\widehat{ctx}\right|\le p\left(\lambda ,l\right)$.

Definition 9 (Correctness). 

For all security parameters $\lambda$, a circuit $F: {\left\{0, 1\right\}}^k\to \left\{0, 1\right\}$ with circuit depth bound $l$, and ${\left\{{\mu }_i\right\}}_{i\in \left[k\right]}\in \left\{0, 1\right\}$, the FHE scheme satisfies the following: for $sk\leftarrow F.SecKeyGen\left(params\right)$, $pk\leftarrow F.PubKeyGen\left(sk\right)$, ${\left\{{ctx}_i\leftarrow F.Enc\left(pk, {\mu }_i\right)\right\}}_{i\in \left[k\right]}$, $\widehat{ctx}\leftarrow F.Eval\left( F, {ctx}_1,\dots ,{ctx}_k\right)$, and $〈\widehat{ctx}, sk〉=\mathit{R}·\mathit{e}+\mu \prime ·\mathit{v}$, if the infinity norm condition ${‖\mathit{R}\mathit{e}‖}_{\infty }=mB\le {\displaystyle \frac{q}{4}}$ holds, then the ciphertext can be correctly decrypted. Thus, the FHE scheme satisfies correctness, i.e.:

$$Pr\left[F.Dec\left(sk, \widehat{ctx}\right)\ne F\left({\mu }_1,\dots ,{\mu }_k\right)\right]=negl\left(\lambda \right).$$

Definition 10 (IND-CPA Security). 

For all security parameters $\lambda$ and a circuit depth bound $l$, an FHE scheme that relies on the ${LWE}_{n,q,\chi }$ problem satisfies the following: for $sk\leftarrow F.SecKeyGen\left(params\right)$, $pk\leftarrow F.PubKeyGen\left(sk\right)$, and ${ctx}_b\leftarrow F.Enc\left(pk, {\mu }_b\right)$ for ${\mu }_b\in \left\{0, 1\right\}$, where $b\in \left\{\mathrm{0,1}\right\}$, if any adversary $\mathcal{A}$ can distinguish between the two ciphertexts with a negligible probability, then the FHE scheme satisfies IND-CPA security, i.e.:

$$Pr\left[\begin{array}{c}\mathcal{A}\left(pk,{ctx}_b\right)\to b\prime \\ b\prime =b\end{array}:\begin{array}{c}\left(pk,{\mu }_0\right)\to {ctx}_0\\ \left(pk,{\mu }_1\right)\to {ctx}_1\\ b\in \left\{\mathrm{0,1}\right\}\end{array}\right]\le {\displaystyle \frac{1}{2}}+negl\left(\lambda \right).$$

2.4. Commitments

We begin by reviewing the definition of commitment schemes. The first commitment scheme was introduced by Blum [38]. In this work, commitment schemes are employed to ensure the verifiability of modules such as key generation and distributed decryption. They bind secret key shares and intermediate computation results, providing a secure basis for subsequent non-interactive zero-knowledge (NIZK) proofs. Our scheme incorporates ideas from the lattice-based commitment scheme by Baum et al. [29], which constructs a structured commitment matrix allowing a commitment to a vector message to be expressed as a linear combination $Com\left(\mathit{x},r\right)=\mathit{B}r+\mathit{M}\mathit{x}$, where $\mathit{x}$ is the committed message, $\mathit{r}$ is the randomness, and $\mathit{B},\mathit{M}$ are public matrices. Compared to earlier SIS-based commitment schemes, this approach removes the restriction that messages must be small-norm vectors, and instead allows for committing to arbitrary vectors, making it more suitable for binding intermediate states in multi-party encryption and zero-knowledge protocols. Moreover, this commitment scheme supports a “relaxed opening” strategy, which permits the use of a non-zero polynomial coefficient $f$ to scale both the commitment and the message simultaneously during validity verification, thus enhancing compatibility with subsequent NIZK proofs.

Definition 11 (Commitment Scheme). 

Let $l_1$ and $l_2$ be positive integers that are polynomial in the security parameter $\lambda$. Let $\sigma$ be a small positive integer, such that $\sigma \ge \sqrt{2l_2/\pi }$. The public parameters of the commitment scheme include a matrix $\mathit{B}\in {\mathbb{Z}}_q^{(l_1+n)\times (l_1+n+l_2)}$, structured as $\mathit{B}=\left(\begin{array}{c}{\mathit{I}}_{l_1}\\ 0^{n\times l_1}\end{array}|\begin{array}{c}{\mathit{B}}_1\\ {\mathit{I}}_n {\mathit{B}}_2\end{array}\right)$, where ${\mathit{I}}_{l_1}$ and ${\mathit{I}}_n$ are identity matrices, and ${\mathit{B}}_1$ and ${\mathit{B}}_2$ are random matrices sampled from ${\mathbb{Z}}_q^{l_1\times (n+l_2)}$ and ${\mathbb{Z}}_q^{n\times l_2}$, respectively. Let the above public parameters (denoted as $params$) be provided as implicit input. The message space is defined over a set $S_{\mathit{x}}\subseteq {\mathbb{Z}}_q^n$, and the randomness $\mathit{r}$ is drawn from a set $S_{\mathit{r}}\subseteq {\mathbb{Z}}_q^{l_1+n+l_2}$ according to the distribution ${\mathcal{D}}_{\sigma }^{l_1+n+l_2}$. A commitment scheme is defined as a tuple of two PPT algorithms C = (C.Com, C.Open), as follows:

• C.Com$\left(\mathit{x},\mathit{r}\right)\to com$: Given a message $\mathit{x}\in {\mathbb{Z}}_q^n$, sample a random value $\mathit{r}\stackrel{R}{\leftarrow }{\mathcal{D}}_{\sigma }^{l_1+n+l_2}$. Construct the concatenated vector ${(0^T\Vert {\mathit{x}}^T)}^T\in {\mathbb{Z}}_q^{l_1+n}$, compute the commitment value $com=\mathit{B}·\mathit{r}+{(0^T\Vert {\mathit{x}}^T)}^T$, and output $com$.
• C.Open$\left(com,\mathit{x},\mathit{r}\right)\to \left\{\mathrm{0,1}\right\}$: Given a commitment $com$, the committed message $\mathit{x}$, and the randomness $\mathit{r}$ used in the commitment, the verifier reconstructs the vector ${(0^T\Vert {\mathit{x}}^T)}^T\in {\mathbb{Z}}_q^{l_1+n}$and checks whether $om=\mathit{B}·\mathit{r}+{(0^T\Vert {\mathit{x}}^T)}^T$and whether $\mathit{r}$ is bounded by a specified norm. If the check passes, the verifier outputs 1, indicating that the commitment is valid; otherwise, it outputs 0.

The properties of correctness, binding, and hiding, as defined below, should be satisfied by the commitment scheme:

Definition 12 (Correctness). 

A commitment scheme satisfies correctness if the $C.Open$ algorithm always accepts an honestly generated commitment for any $x\in S_x$, i.e.:

$$Pr\left[C.Open\left(com,\mathit{x},\mathit{r}\right)=1:\begin{array}{c}\mathit{r}\stackrel{R}{\leftarrow }{\mathcal{D}}_r\\ com\leftarrow C.Com\left(\mathit{x},\mathit{r}\right)\end{array}\right]=1.$$

Definition 13 (Binding). 

A commitment scheme satisfies the binding property if any PPT adversary $\mathcal{A}$ cannot find two valid random values $r_0,r_1$ that create the same valid commitment $com$ for two different messages $x_0,x_1$, i.e.:

$$Pr\left[\begin{array}{c}{\mathit{x}}_0\ne {\mathit{x}}_1\\ C.Open\left(com,{\mathit{x}}_0,{\mathit{r}}_0\right)=1\\ C.Open\left(com,{\mathit{x}}_1,{\mathit{r}}_1\right)=1\end{array}:\left(com,{\mathit{x}}_0,{\mathit{r}}_0,{\mathit{x}}_1,{\mathit{r}}_1\right)\leftarrow \mathcal{A}\left(params\right)\right]\le negl\left(\lambda \right).$$

Definition 14 (Hiding). 

A commitment scheme satisfies the hiding property if any PPT adversary $\mathcal{A}$, given two messages $x_0$ and $x_1$, cannot distinguish which message the given commitment $com$ corresponds to (the commitments are indistinguishable), i.e.:

$$Pr\left[b=\mathcal{A}\left(com\right):\begin{array}{c}\left({\mathit{x}}_0,{\mathit{x}}_1\right)\leftarrow \mathcal{A}\left(params\right)\\ b\stackrel{R}{\leftarrow }\left\{\mathrm{0,1}\right\},\mathit{r}\stackrel{R}{\leftarrow }{\mathcal{D}}_r\\ com\leftarrow C.Com\left({\mathit{x}}_b,\mathit{r}\right)\end{array}\right]\le {\displaystyle \frac{1}{2}}+negl\left(\lambda \right).$$

2.5. Non-Interactive Zero-Knowledge Proof

A zero-knowledge (ZK) proof system allows a prover to convince a verifier of the truth of a certain statement without disclosing any knowledge of privacy. In this work, we adopt the standard definition of non-interactive zero-knowledge (NIZK) proofs [39] to ensure the verifiability of key components. This ensures that, even in the presence of malicious adversaries, the involved parties follow the protocol correctly, the data satisfy structural and bounded constraints, and no secrets or randomness are leaked. An NIZK proof can be derived from an interactive ZK proof system using the Fiat–Shamir transform [18], which allows messages as inputs and enables non-interactive proof generation under a common reference string, thereby improving efficiency. We adopt a non-interactive variant of the zero-knowledge proof by Yang et al. [30], which supports the verification of witnesses with complex constraints in the random oracle model (ROM). In this construction, the prover commits to the witness and auxiliary vectors, hashes an initial transcript to generate a challenge, and computes response values as linear combinations. The final proof consists of the responses along with the auxiliary commitments. The verifier checks the witness’s validity with respect to the relation by verifying linear and multiplicative constraints, and ensuring commitment consistency and norm bounds. This construction supports vector arithmetic verification with polynomial complexity. We now provide the definition of the non-interactive zero-knowledge proof required in this work:

Definition 15 (NIZK). 

Consider ${\mathcal{R}}_L$ to be an NP relation on the language $L$, with $x$ being an element of $L$. A witness $w$ exists such that ${\mathcal{R}}_L=\left\{\left(x,w\right)\right\}$ forms the statement–witness set for the NP relation. NIZK = (N.Setup, N.Prove, N.Verify) is a tuple of polynomial-time algorithms, defined as follows:

• N.Setup$\left(params\right)\to crs$: Given the public parameters $params$, output the common reference string $crs$, which includes the public matrices ${\mathit{B}}_1\in {\mathbb{Z}}_q^{(l_1+n)\times (l_1+n+l_2)}$, ${\mathit{B}}_2\in {\mathbb{Z}}_q^{(l_1+\mathcal{l})\times (l_1+\mathcal{l}+l_2)}$, and $\mathit{A}\in {\mathbb{Z}}_q^{m\times n}$, two auxiliary vectors $\mathit{u}\in {\mathbb{Z}}_q^n$ and $\mathit{v}\in {\mathbb{Z}}_q^m$, and a set $\mathcal{M}$ consisting of $\mathcal{l}$ triplets of the form $(h,i,j)$. These elements satisfy the following conditions: $\mathit{A}\cdot \mathit{u}=\mathit{v}$, and for all $(h,i,j)\in M$, it holds that $\mathit{u}\left[h\right]=\mathit{u}\left[i\right]\cdot \mathit{u}\left[j\right]$.
• N.Prove$\left(x,w,crs\right)\to \pi$: Given$\left(x,w\right)\in {\mathcal{R}}_L$ and the $crs$, the prover commits to the witness $w$ using the commitment scheme to obtain $c_1={\mathit{B}}_1\cdot {\mathit{s}}_1+{(0^T\Vert w^T)}^T$. The following steps are then repeated for $N$ rounds with fixed parameters:
  • Generate a random vector ${\mathit{r}}_i$ and compute ${\mathit{t}}_i=\mathit{A}\cdot {\mathit{r}}_i$;
    Construct the intermediate multiplication vectors ${\mathit{a}}_i\left[k\right]={\mathit{r}}_i\left[h\right]-{\mathit{r}}_i\left[i\right]\cdot \mathit{u}\left[j\right]-{\mathit{r}}_i\left[j\right]\cdot \mathit{u}\left[i\right]$ and ${\mathit{b}}_i\left[k\right]={\mathit{r}}_i\left[i\right]\cdot {\mathit{r}}_i\left[j\right]$;
  • Use the public matrix ${\mathit{B}}_2$ to generate commitments $c_{2,i},c_{3,i}$, and $c_{4,i}$ for ${\mathit{r}}_i,{\mathit{a}}_i$, and ${\mathit{b}}_i$, respectively;
  • Sample ${\mathit{\rho }}_i\stackrel{R}{\leftarrow }{\left\{\mathrm{0,1}\right\}}^k$ uniformly at random and construct the auxiliary commitment $C_{\mathit{aux},i}=\mathsf{a}\mathsf{C}\mathsf{o}\mathsf{m}\mathsf{m}\mathsf{i}\mathsf{t}({\mathit{t}}_i\Vert c_1\Vert c_{2,i}\Vert c_{3,i}\Vert c_{4,i};{\mathit{\rho }}_i)$.

• For each $i\in \left[1,N\right]$, compute ${\alpha }_i=H(\mathit{A},\mathit{v},\mathcal{M},{\left\{C_{\mathit{aux},i}\right\}}_{i\in \left[1,N\right]})$, and then compute ${\mathit{z}}_{0,i}={\alpha }_i\cdot \mathit{u}+{\mathit{r}}_i$, ${\mathit{z}}_{1,i}={\alpha }_i\cdot {\mathit{s}}_1+{\mathit{s}}_{2,i}$, and ${\mathit{z}}_{2,i}={\alpha }_i\cdot {\mathit{s}}_{3,i}-{\mathit{s}}_{4,i}$, where ${\mathit{s}}_1,{\mathit{s}}_{2,i},{\mathit{s}}_{3,i}$, and ${\mathit{s}}_{4,i}$ are the randomness used during the commitment procedures. Finally, output the proof $\pi =\left(c_1,{\left\{{\alpha }_i,{\mathit{\rho }}_i,c_{3,i},{\mathit{z}}_{0,i},{\mathit{z}}_{1,i},{\mathit{z}}_{2,i}\right\}}_{i\in \left[1,N\right]}\right)$.

• N.Verify$\left(x,\pi ,crs\right)\to \left\{\mathrm{0,1}\right\}$: Given the element $x$ to be proven, the proof $\pi$, and the  $crs$, for each $i\in \left[1,N\right]$, perform the following checks:
  • $\mathit{A}\cdot {\mathit{z}}_{0,i}={\alpha }_i\cdot \mathit{v}+{\mathit{t}}_i$;
  • ${\mathit{d}}_i\left[k\right]={\alpha }_i\cdot z_{0,i}\left[h\right]-z_{0,i}\left[i\right]\cdot z_{0,i}\left[j\right]$;
  • $c_{2,i}={\mathit{B}}_1\cdot {\mathit{z}}_{1,i}+{(0^T\Vert {z_{0,i}}^T)}^T-{\alpha }_i\cdot c_1$;
  • $c_{4,i}={\alpha }_i\cdot c_{3,i}-{\mathit{B}}_2\cdot z_{2,i}-{(0^T\Vert {{\mathit{d}}_i}^T)}^T$;
  • $C_{\mathit{aux},i}=\mathsf{a}\mathsf{C}\mathsf{o}\mathsf{m}\mathsf{m}\mathsf{i}\mathsf{t}({\mathit{t}}_i\Vert c_1\Vert c_{2,i}\Vert c_{3,i}\Vert c_{4,i};{\mathit{\rho }}_i)$.
    If all the above checks pass and the norms of all vectors are within the prescribed bounds, then the proof $\pi$ is valid and the verifier outputs 1; otherwise, it outputs 0.

An NIZK system should satisfy the following properties, as defined:

Definition 16 (Completeness). 

An NIZK protocol satisfies completeness if, for arbitrary $\left(x,w\right)\in R_L$, the verifier will accept the proof $\pi$ generated by the prover using the N.Prove algorithm, where this probability exceeds the randomness in the NIZK algorithm, i.e.:

$$Pr\left[N.Verify\left(x,\pi ,crs\right)=1:\begin{array}{c}crs\leftarrow N.Setup\left(params\right)\\ \left(x,w\right)\in {\mathcal{R}}_L\\ \pi \leftarrow N.Prove\left(x,w,crs\right)\end{array}\right]=1.$$

Definition 17 (Knowledge Soundness). 

An NIZK protocol satisfies knowledge soundness if for any malicious prover $P*$ running N.Prove without knowing a witness $w*$, there is a sufficiently high probability that the honest verifier will accept the statement $x$. In this case, an extractor exists that, through black-box access to $P*$, can extract a valid witness $w*$ such that $\left(x,w*\right)\in {\mathcal{R}}_L$, i.e.:

$$Pr\left[\begin{array}{c}N.Verify\left(x,\pi *,crs\right)=1\\ \wedge \left(x,w*\right)\in {\mathcal{R}}_L\end{array}:\begin{array}{c}crs\leftarrow N.Setup\left(params\right)\\ \pi *\leftarrow N.Prove\left(x,w,crs\right)\\ w*\leftarrow Extractor\left(x,\pi *,crs\right)\end{array}\right]\ge 1-negl\left(\lambda \right).$$

Definition 18 (Honest Verifier Zero-Knowledge). 

An NIZK protocol satisfies the honest verifier zero-knowledge property if, for any PPT adversary $\mathcal{A}$, a simulator algorithm $Sim$ exists that can simulate and output a proof such that the transcript produced by the $Sim$ given $x$ is computationally indistinguishable from the transcript produced by the honest prover, i.e.:

$$\left\{\left(x,\pi ,crs\right):\begin{array}{c}crs\leftarrow N.Setup\left(params\right)\\ \left(x,w\right)\leftarrow \mathcal{A}\left(crs\right)\\ \pi \leftarrow N.Prove\left(x,w,crs\right)\end{array}\right\}\stackrel{C}{\approx }\left\{\left(x,\pi *,crs\right):\begin{array}{c}crs\leftarrow N.Setup\left(params\right)\\ \left(x,w\right)\leftarrow \mathcal{A}\left(crs\right)\\ \pi *\leftarrow Sim\left(x,crs\right)\end{array}\right\}.$$

Our scheme relies on three main NP relations: ${\mathcal{R}}_{DKG}$ for proving the correctness of the distributed key generation protocol, ${\mathcal{R}}_{ENC}$ for the encryption algorithm, and ${\mathcal{R}}_{TD}$ for the threshold decryption process. The detailed definitions of these relations will be formally presented in Section 4.

3. Module Construction

This section introduces the core construction modules of our scheme, which are later integrated in Section 4. In Section 3.1, we outline the basic ideas of the TMFHE scheme and define the required properties. Section 3.2 introduces the share resharing mechanism, and Section 3.3 describes the oracle query method and the error-handling strategy.

3.1. Threshold Multi-Party Fully Homomorphic Encryption

We define a multi-party FHE scheme based on the LWE problem that incorporates the distributed threshold decryption protocol (TMFHE). The scheme is similar to the lattice-based threshold scheme by Agrawal et al. [25] and the threshold PKE scheme proposed by Aranha et al. [35]. In our construction, the decryption secret key is distributed to all parties via secret sharing, and all parties use the same public key for encryption. This enables ciphertexts generated by each party to be directly evaluated homomorphically, without requiring complex and costly ciphertext extension steps (compared to MW16 [9]). The final distributed threshold decryption can be achieved through the threshold properties of secret reconstruction in secret sharing.

Definition 19 (TMFHE). 

Let $P=\left\{P_1,\dots ,P_N\right\}$ be a set of parties, and let $B_{smdg}$ be the bound for the smudging noise (Lemma 1). TMFHE = (T.Setup, T.KeyGen, T.Enc, T.Eval, T.PartDec, T.FinDec) is a tuple of algorithms, defined as follows:

• T.Setup$\left(1^{\lambda }, 1^l,{\mathbb{A}}_t\right)\to params$: Given the security parameter $\lambda$, the circuit depth bound $l$, and the threshold $t$ access structure ${\mathbb{A}}_t$, run $params\leftarrow F.Setup\left(1^{\lambda }, 1^l\right)$. Execute S.Setup to associate each party $P_i\in P$ with a non-zero element $x_i\in {\mathbb{Z}}_q^{*}$, and incorporate the sequence of public points $\left(x_1,\dots ,x_N\right)$ into $params$. Use $params$ and ${\mathbb{A}}_t$ as public parameters, serving as implicit inputs for other algorithms.
• T.KeyGen$\left(params, {\mathbb{A}}_t\right)\to \left(pk, {sk}_1,\dots ,{sk}_N\right)$: Given the public parameters, run the algorithms $sk\leftarrow F.SecKeyGen\left(params\right)$ and $pk\leftarrow F.PubKeyGen\left(sk\right)$ to output a key pair $\left(pk, sk\right)$. Then, run the algorithm $\left({sk}_1,\dots ,{sk}_N\right)\leftarrow S.Share\left(sk,{\mathbb{A}}_t,x_1,\dots ,x_N\right)$ to distribute a secret key share ${sk}_i$ to each party $P_i\in P$.
• T.Enc$\left(pk,{\mu }_i\right)\to {ctx}_i$: Each party $P_i$ uses the public key $pk$ and its own message ${\mu }_i$ as input, executes the ${ctx}_i\leftarrow F.Enc\left(pk,{\mu }_i\right)$ algorithm, and then outputs the ciphertext ${ctx}_i$.
• T.Eval$\left( F, {ctx}_1,\dots ,{ctx}_k\right)\to \widehat{ctx}$: Given a circuit $F: {\left\{0, 1\right\}}^k\to \left\{0, 1\right\}$ with a depth bound $l$ and a set of ciphertexts ${\left\{{ctx}_i\right\}}_{i\in \left[k\right]}$, execute the $\widehat{ctx}\leftarrow F.Eval\left( F, {ctx}_1,\dots ,{ctx}_k\right)$ algorithm and output the evaluated ciphertext $\widehat{ctx}$.
• T.PartDec$\left({sk}_{i, }\widehat{ctx}\right)\to p_i$: Each party $P_i$ in the subset $S\in {\mathbb{A}}_t$ takes its own secret key share ${sk}_i$ and the ciphertext $\widehat{ctx}$ as input, computes $p_i=〈\widehat{ctx}, {sk}_i〉+{\mathit{e}}_i^{sm}$, and then outputs the partial decryption result $p_i$, where ${\mathit{e}}_i^{sm}\stackrel{R}{\leftarrow }{\left[-B_{smdg},B_{smdg}\right]}^m$ is the added “smudging” noise vector. Note that this operation on ${sk}_i$ is linear.
• T.FinFec$\left(D,\widehat{ctx}\right)\to ptx$: Given a set of partial decryption results $D={\left\{p_i\right\}}_{i\in S}$and the corresponding ciphertext $\widehat{ctx}$, select any $t$ partial decryption results from the parties and reconstruct the plaintext using the combination algorithm of the secret sharing scheme:

$$\begin{array}{cc}\mathrm{S}.\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{b}\mathrm{i}\mathrm{n}\mathrm{e}\left(p_1,\dots ,p_t,x_1,\dots ,x_t\right)\hfill & ={\sum }_{i=1}^t{p}_i{\prod }_{j=1,j\ne i}^t{\displaystyle \frac{x_j}{x_j-x_i}}\hfill \\ & =〈\widehat{ctx},\mathrm{}{\sum }_{i=1}^t{sk}_i{\lambda }_i〉+{\sum }_{i=1}^t{\mathit{e}}_i^{sm}\hfill \\ & =〈\widehat{ctx},\mathrm{}sk〉+{\sum }_{i=1}^t{\mathit{e}}_i^{sm}\hfill \\ & =\mu \prime ·\mathit{v}+\mathit{R}·\mathit{e}+{\sum }_{i=1}^t{\mathit{e}}_i^{sm}.\hfill \end{array}$$

where $ptx=\mu \prime =F\left({\mu }_1,\dots ,{\mu }_k\right)$, and output the plaintext $ptx\in \left\{0, 1, \perp \right\}$.

Similarly to FHE schemes, the TMFHE scheme needs to satisfy the properties of compactness, correctness, and semantic security, as defined below.

Definition 20 (Compactness). 

If there exists a polynomial function $p\left(·\right)$ such that for all security parameters $\lambda$, circuit depth bound $l$, threshold access structure ${\mathbb{A}}_t$, number of parties $N$, and a circuit $F: {\left\{0, 1\right\}}^k\to \left\{0, 1\right\}$ with depth at most $l$, and ${\left\{{\mu }_i\right\}}_{i\in \left[k\right]}\in \left\{0, 1\right\}$, the TMFHE scheme satisfies the following: for $\left(pk, {sk}_1,\dots ,{sk}_N\right)\leftarrow T.KeyGen\left(params, {\mathbb{A}}_t\right)$, ${\left\{{ctx}_i\leftarrow T.Enc\left(pk, {\mu }_i\right)\right\}}_{i\in \left[k\right]}$, $\widehat{ctx}\leftarrow T.Eval\left( F, {ctx}_1,\dots ,{ctx}_k\right)$, $p_i\leftarrow T.PartDec\left({sk}_{i, }\widehat{ctx}\right)$, the size of the ciphertext $\widehat{ctx}$ is only polynomially related to $\lambda$ and $l$, and does not depend on the number of parties $N$. The size of any partial decryption result ${\left\{p_i\right\}}_{i\in \left[N\right]}$ is only polynomially related to $\lambda$, $l$, and $N$, i.e., $\left|\widehat{ctx}\right|\le p\left(\lambda ,l\right)$ and $\left|p_i\right|\le ploy\left(\lambda , l, N\right)$; therefore, the TMFHE scheme satisfies compactness.

Definition 21 (Correctness). 

For all security parameters $\lambda$, circuit depth bound $l$, threshold access structure ${\mathbb{A}}_t$, number of parties $N$, a circuit $F: {\left\{0, 1\right\}}^k\to \left\{0, 1\right\}$ with depth at most $l$, and ${\left\{{\mu }_i\right\}}_{i\in \left[k\right]}\in \left\{0, 1\right\}$, the TMFHE scheme satisfies the following: for $\left(pk, {sk}_1,\dots ,{sk}_N\right)\leftarrow T.KeyGen\left(params, {\mathbb{A}}_t\right)$, ${\left\{{ctx}_i\leftarrow T.Enc\left(pk, {\mu }_i\right)\right\}}_{i\in \left[k\right]}$, $\widehat{ctx}\leftarrow T.Eval\left( F, {ctx}_1,\dots ,{ctx}_k\right)$, and $p_i\leftarrow T.PartDec\left({sk}_{i, }\widehat{ctx}\right)$, the output of the combination algorithm executed in the final decryption algorithm T.FinDec is given by $S.Combine\left(p_1,\dots ,p_t,x_1,\dots ,x_t\right)=\mu \prime ·\mathit{v}+\mathit{R}·\mathit{e}+{\sum }_{i=1}^t{\mathit{e}}_i^{sm}$. If the infinity norm condition ${‖\mathit{R}·\mathit{e}+{\sum }_{i=1}^t{\mathit{e}}_i^{sm}‖}_{\infty }=mB+t{B}_{smdg}\le {\displaystyle \frac{q}{4}}$ holds, then the ciphertext $\widehat{ctx}$ can be correctly decrypted in a threshold manner. Thus, the TMFHE scheme satisfies correctness, i.e.:

$$Pr\left[T.FinDec\left(D,\widehat{ctx}\right)=F\left({\mu }_1,\dots ,{\mu }_k\right)\right]=1-negl\left(\lambda \right),$$

where $D={\left\{p_i\right\}}_{i\in \left[k\right]}$ is a set of partial decryption results, and $k\ge t$.

Definition 22 (IND-CPA Security). 

The TMFHE scheme’s semantic security is directly derived from the FHE scheme (Definition 10). For all security parameters $\lambda$, circuit depth bound $l$, threshold access structure ${\mathbb{A}}_t$, and number of parties $N$, the TMFHE scheme satisfies the following: for $\left(pk, {sk}_1,\dots ,{sk}_N\right)\leftarrow T.KeyGen\left(params, {\mathbb{A}}_t\right)$ and ${\mu }_b\in \left\{\mathrm{0,1}\right\}$, the ciphertext ${\left\{{ctx}_b\leftarrow T.Enc\left(pk, {\mu }_b\right)\right\}}_{b\in \left\{\mathrm{0,1}\right\}}$, and the ciphertexts ${ctx}_0$ and ${ctx}_1$ are computationally indistinguishable $\left({ctx}_0\stackrel{C}{\approx }{ctx}_1\right)$. This implies that for any PPT adversary $\mathcal{A}$, the probability of distinguishing between these two ciphertexts is negligible. Thus, the TMFHE scheme is considered IND-CPA-secure, i.e.:

$$Pr\left[\begin{array}{c}\mathcal{A}\left(pk,{ctx}_b\right)\to b\prime \\ b\prime =b\end{array}:\begin{array}{c}\left(pk,{\mu }_0\right)\to {ctx}_0\\ \left(pk,{\mu }_1\right)\to {ctx}_1\\ b\in \left\{\mathrm{0,1}\right\}\end{array}\right]\le {\displaystyle \frac{1}{2}}+negl\left(\lambda \right).$$

Next, we extend the key generation method of this scheme to a distributed key generation protocol, which is an interactive process jointly run by all parties. In this protocol, all parties use the same matrix $\mathit{B}$ sampled from the common reference string (CRS) to generate the public key, with noise $\mathit{e}\leftarrow {\chi }^m$. In subsequent chapters, our construction follows a similar approach. We begin with a brief description of the modified TMFHE scheme:

• T.SecKeyGen$\left(params\right)\to {sk}_i$: Each party $P_i$ samples ${\mathit{s}}_i\leftarrow {\mathbb{Z}}_q^{n-1}$ and sets the secret key share ${sk}_i=\left(\begin{array}{c}1\\ -{\mathit{s}}_{\mathit{i}}\end{array}\right)$.
• T.PubKeyGen$\left({sk}_1,\dots ,{sk}_n\right)\to pk$: Each party samples a matrix $\mathit{B}\leftarrow CRS\left({\mathbb{Z}}_q^{m\times \left(n-1\right)}\right)$ and computes ${\mathit{b}}_i=\mathit{B}·{\mathit{s}}_i+\mathit{e}$. Then, $\mathit{b}=\sum {\mathit{b}}_i$. The public key is set as $pk=\left(\mathit{b},\mathit{B}\right)$.
• T.PartDec$\left({sk}_i,\widehat{ctx}\right)\to p_i$: Each party $P_i$ inputs its own secret key share ${sk}_i$ and the ciphertext $\widehat{ctx}$, computes $p_i=〈\widehat{ctx},{sk}_i〉+{\mathit{e}}_i^{sm}$, and then outputs the partial decryption result $p_i$, where ${\mathit{e}}_i^{sm}\stackrel{R}{\leftarrow }{\left[-B_{smdg},B_{smdg}\right]}^m$.
• T.FinDec$\left(D,\widehat{ctx}\right)\to ptx$: Input all the partial decryption results $D={\left\{p_i\right\}}_{i\in N}$ and the ciphertext $\widehat{ctx}$, and then combine them to compute the plaintext result $ptx$.

In the basic TMFHE scheme, when each party executes the T.PartDec algorithm, the smudging noise (Lemma 1) is added to the partial decryption result. This step prevents the leakage of information about the secret key share ${sk}_i$ through the simple inner product of ${sk}_i$ and the public value $\widehat{ctx}$. This converts the simple computation into a difficult problem, where ${\chi }^m/B_{smdg}=negl\left(\lambda \right)$. However, ensuring that this added noise does not impact the correctness of the decryption is crucial. During the reconstruction of the secret from the partial decryption results, the noise is multiplied by the Lagrange coefficients, and the smudging noise term becomes ${\sum }_{i=1}^t{\mathit{e}}_i^{sm}{\lambda }_i$. This can cause the noise to grow too quickly, affecting the scheme’s correct decryption and reducing its practicality, i.e.:

$$\begin{gathered} S.Combine\left({\left\{p_i\right\}}_{i\in S},{\left\{x_i\right\}}_{i\in S}\right)={\sum }_{i=1}^t{p}_i{\lambda }_i=\widehat{ctx}·{\sum }_{i=1}^t{sk}_i{\lambda }_i+{\sum }_{i=1}^t{\mathit{e}}_i^{sm}{\lambda }_i=\widehat{ctx}· \\ sk+{\sum }_{i=1}^t{\mathit{e}}_i^{sm}{\lambda }_i \end{gathered}$$

3.2. Share Resharing

In this scheme, we employ an “ideal secret key” generation process, where each party independently samples its own ideal secret key share ${\mathit{s}}_i\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{n-1}$. The decryption key shares are generated in the subsequent distributed key generation protocol, which introduces the necessity of the secure channels between parties. We note that the ideal secret key satisfies the property $\mathit{s}={\sum }_{i=1}^N{\mathit{s}}_i$, meaning that complete knowledge of $sk=\mathit{s}$ is required for the final ciphertext decryption. This restricts the scheme to an N-out-of-N access structure, preventing support for arbitrary threshold settings. To address this limitation, we propose share resharing to support a t-out-of-N threshold access structure.

We mitigate the rapid growth of smudging noise in partial decryption by applying share resharing techniques in the TMFHE scheme. This approach avoids the method used by Boneh et al. [19], which scales to eliminate denominators by considering Lagrange coefficients as rational numbers, thereby violating compactness requirements where the size of ciphertext is no longer a polynomial in the number of parties $N$, but rather a polynomial of $N^2$. In the share resharing process, each party interactively runs the protocol to achieve the ideal secret key additive sharing for the TMFHE scheme. This allows any subset of at least $t$ parties to reconstruct the secret during decryption—even if they differ from those in the key generation phase—while requiring each party to maintain a constant-size state.

Share resharing techniques leverage ideal secret keys and the linearity of resharing schemes to achieve more compact and communication-efficient schemes. Additionally, share resharing techniques allow for generating keys based on the set of parties currently online or flexibly updating keys for new computations. Specifically, let the set of parties be $P=\left\{P_1,\dots ,P_N\right\}$, and let ${\mathbb{A}}_t$ be a threshold access structure on $P$, with $\mathcal{K}={\mathbb{Z}}_q$ as the secret sharing space. As mentioned in Definition 6 of Section 2.2, each party $P_i$ uniformly samples a Shamir public point $x_i$ and distributes the secret shares of a polynomial of degree $\left(t-1\right)$, $P\left(x_i\right)$, to party $P_i$ through the S.Share algorithm. The Lagrange coefficient for the secret reconstruction computation is ${\lambda }_i={\prod }_{j=1,j\ne i}^t{\displaystyle \frac{x_j}{x_j-x_i}}$.

Definition 23 (Share Resharing). 

Share resharing is the process where each party redistributes their own secret key share ${sk}_i$ through a t-out-of-N Shamir secret sharing scheme among themselves. This enables the secret key to be reconstructed in the threshold decryption phase through simple linear addition, thereby avoiding the rapid growth of smudging noise $e_i^{sm}$ when multiplied by the Lagrange coefficient ${\lambda }_i$. The process for each party to run the share resharing protocol is as follows:

• RS.Rshare$\left({sk}_i,{\mathbb{A}}_t,x_1,\dots ,x_N\right)\to \left({sk}_{i,1},\dots ,{sk}_{i,j}\right)$: Given the shared secret key share ${sk}_i$, the threshold access structure ${\mathbb{A}}_t$, and the public point sequence $\left(x_1,\dots ,x_N\right)$ of all parties, each party $P_i$ uniformly samples $t-1$ elements $\left(c_1,\dots ,c_{t-1}\right)\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{*}$. Then, using the S.Share algorithm, $P_i$ computes $P_i\left(x_j\right)={sk}_{i,j}={sk}_i+{\sum }_{k=1}^{t-1}{c}_{i,k}{x}_j^k$ and sends ${sk}_{i,j}$ to party $P_j$ for all $j\in \left[N\right],j\ne i$.
• RS.Receive$\left({\left\{{sk}_{j,i}\right\}}_{j\in \left[N\right],j\ne i}\right)\to {\widetilde{sk}}_i$: Each party $P_i$ receives the secret key shares from the other parties $P_j$ and computes ${\widetilde{sk}}_i={\sum }_{j=1,j\ne i}^N{sk}_{j,i}$.
• RS.Combine$\left({\widetilde{sk}}_i,x_1,\dots ,x_t\right)\to {sk}_i^{\prime }$: For the subset of parties $P\prime \subseteq P$ with $\left|P\prime \right|\ge t$, each party $P_i\in P\prime$ computes ${sk}_i^{\prime }={\widetilde{sk}}_i{\prod }_{j=1.j\ne i}^t{\displaystyle \frac{x_j}{x_j-x_i}}={\widetilde{sk}}_i{\lambda }_i$.

In Section 2.2, we thoroughly explained the definition of the Shamir secret sharing scheme and demonstrated its properties. Building on this, we prove that the additive secret key shares ${sk}_i^{\prime }$ obtained through share resharing can meet the correctness requirements for reconstructing the ideal secret key $sk$ during threshold decryption.

For a subset of parties $P\prime$ in the threshold access structure ${\mathbb{A}}_t$, each party $P_i\in P\prime$ can locally precompute its secret key share ${sk}_i^{\prime }$ and use it to compute partial decryption results during the threshold decryption phase. By summing the partial decryption results, the secret key $sk$ can be reconstructed. The proof of the computation process is as follows:

$${\sum }_{i=1}^t{sk}_i^{\prime }={\sum }_{i=1}^t{\lambda }_i{\sum }_{j=1}^N{P}_j\left(x_i\right)={\sum }_{j=1}^N{\sum }_{i=1}^t{P}_j\left(x_i\right){\lambda }_i={\sum }_{j=1}^N{sk}_j=sk.$$

3.3. Oracle Query

The share resharing proposed in Section 3.2 requires each party to store a constant-sized state ${sk}_i^{\prime }$ locally, and it must be aggregatable. During the key reconstruction process, each party can precompute ${\widetilde{sk}}_i$ and store it locally by running the RS.Receive algorithm after receiving ${\left\{{sk}_{j,i}\right\}}_{j\in \left[N\right],j\ne i}$ from other parties. After this, any subset of at least $t$ parties in the set $P$ can use the RS.Combine algorithm to compute the additive share of the secret key $sk$, denoted as ${sk}_i^{\prime }$. This ${sk}_i^{\prime }$ will serve as the secret key share for threshold decryption in the final scheme. In dynamic participant settings, when new parties join the computation, the secret resharing process can be re-executed among all current participants to generate updated secret key shares. If some parties go offline or leave the computation after executing the RS.Receive algorithm, as long as the number of remaining online parties exceeds the threshold t, the decryption secret key can still be reconstructed by executing the RS.Combine algorithm, without affecting the correctness of the scheme.

To accommodate dynamic settings where the set of participating parties may change across computation rounds or differ between key generation and decryption phases, we provide each party with an oracle query interface to determine the set of currently online parties. The oracle determines the online parties via a round of broadcast communication.

We use $P_{online}\leftarrow Q\left(Env\right)$ to denote querying the set of online parties in the current environment, and $P_{online}\subseteq P$ to denote the query result given by the oracle. As long as the set of online parties is valid, i.e., $\left|P_{online}\right|\ge t$, it will be broadcast to all parties as a common result; otherwise, it will return $\perp$. Note that different stages may involve different parties, requiring fresh queries at each stage. However, after the broadcast query, some parties may crash or go offline, causing the secret key shares at the threshold decryption stage to fall short of the threshold requirement, and thus leading to decryption failure. Therefore, we refer to solutions used in practical applications. The decryption protocol sets a maximum time limit for all parties to return partial decryption results, and stipulates that parties handle the situation as follows after timeout, to ensure successful decryption:

• Set a timeout for each party, marking the parties that fail to return partial decryption results within the threshold decryption stage as the failed set $P_{fault}$.
• Excluding the set $P_{fault}$, re-execute the oracle query. If the number of remaining online parties does not meet the threshold $t$, return $\perp$; otherwise, re-execute the threshold decryption.
• Before re-executing the threshold decryption stage, add an encryption of 0 to the resulting ciphertext to ensure the security of the decryption process. This prevents the re-decryption from leaking information about the secret key $sk$ while not changing the decryption result.

4. Verifiable Threshold Multi-Party Fully Homomorphic Encryption

This section presents our proposed verifiable threshold multi-party fully homomorphic encryption scheme (VTMFHE). Section 4.1 defines a verifiable distributed key generation protocol. Section 4.2 presents the complete construction of the scheme. Section 4.3 describes the threshold decryption process in detail. Finally, Section 4.4 defines the NP relations required for the NIZK proofs used in the scheme.

4.1. Verifiable Distributed Key Generation Protocol

We propose a new verifiable distributed key generation protocol (VDKeyGen) based on the LWE problem and Shamir secret sharing. The protocol employs commitments and NIZK proofs to secure against active attacks from malicious adversaries and to verify both the correctness of secret key shares and the validity of parameters used by the parties. Unlike traditional MFHE key generation methods, our protocol does not distribute a uniformly generated pair of public and secret keys. Instead, each party uniformly randomly samples from the secret key space and generates a locally stored secret key state through mutual share resharing. According to the results of the oracle query, the secret key share ${sk}_i$ is determined through the secret reconstruction algorithm in secret sharing, and the public key $pk$ for the current round of encryption is computed based on it.

Building on the previous chapters, for the set of parties $P=\left\{P_1,\dots ,P_N\right\}$, the implicit parameters $params$, the threshold access structure ${\mathbb{A}}_t$, and $crs\leftarrow \mathrm{N}.\mathrm{S}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{p}\left(params\right)$, the detailed process of the VDKeyGen protocol is as follows:

• Each party $P_i$ uniformly randomly samples ${\mathit{s}}_i\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{n-1}$ from the ideal secret key space and commits to ${\mathit{s}}_i$ using a random value ${\mathit{r}}_{{\mathit{s}}_i}$, resulting in ${com}_{{\mathit{s}}_i}\leftarrow \mathrm{C}.\mathrm{C}\mathrm{o}\mathrm{m}\left({\mathit{s}}_i,{\mathit{r}}_{{\mathit{s}}_i}\right)$. Then, party $P_i$ runs $\left({\mathit{s}}_{i.1},\dots ,{\mathit{s}}_{i,j}\right)\leftarrow \mathrm{R}\mathrm{S}.\mathrm{S}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}\left({\mathit{s}}_i,{\mathbb{A}}_t,x_1,\dots ,x_N\right)$, where $j\in \left[N\right] \mathrm{a}\mathrm{n}\mathrm{d} j\ne i$. Before sending the shares to other parties $P_j$, $P_i$ commits to each share ${\mathit{s}}_{i,j}$ using a random value ${\mathit{r}}_{{\mathit{s}}_{i,j}}\stackrel{R}{\leftarrow }{\mathcal{D}}_r$, resulting in ${com}_{{\mathit{s}}_{i,j}}\leftarrow \mathrm{C}.\mathrm{C}\mathrm{o}\mathrm{m}\left({\mathit{s}}_{i,j},{\mathit{r}}_{{\mathit{s}}_{i,j}}\right)$. In this step, each commitment generated by the participating parties must be bound to the randomly sampled value used in the current round, ensuring that the committed value cannot be altered or forged afterward. Moreover, the structure of the commitment must satisfy the correctness requirement defined in Definition 12.
• Each party $P_i$ broadcasts the verification information $\left({com}_{{\mathit{s}}_i},{\left\{{com}_{{\mathit{s}}_{i,j}}\right\}}_{j\in \left[N\right],j\ne i}\right)$ and securely sends $\left({\mathit{s}}_{i,j},{\mathit{r}}_{{\mathit{s}}_{i,j}}\right)$ individually to the corresponding party $P_j$ through a secure channel. Party $P_i$ simultaneously receives shares ${\left\{{\mathit{s}}_{j,i},{\mathit{r}}_{j,i}\right\}}_{j\in \left[N\right],j\ne i}$ from all other parties $P_j$.
• After receiving the verification information from other parties, party $P_i$ verifies the consistency of all commitments by running the C.Open$\left({com}_{{\mathit{s}}_{j,i}},{\mathit{s}}_{j,i},{\mathit{r}}_{{\mathit{s}}_{j,i}}\right)$ algorithm to check whether each share and its randomness satisfy the required constraints. If any commitment fails verification, the corresponding party is marked as invalid, and its share is excluded from key reconstruction and local state generation. Otherwise, $P_i$ proceeds with secret resharing by computing ${\mathit{s}}_i^{\prime }\leftarrow \mathrm{R}\mathrm{S}.\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{e}\mathrm{i}\mathrm{v}\mathrm{e}\left({\left\{{\mathit{s}}_{j,i}\right\}}_{j\in \left[N\right],j\ne i}\right)$, and stores ${\mathit{s}}_i^{\prime }$ as the fixed local state for computing the secret key share ${sk}_i$.
• Before starting a round of computation, the public key for encryption in this round needs to be generated based on the set of parties that will remain online for this round of computation. First, the oracle is queried to obtain the set of online participants, $P_{online}\leftarrow Q\left(Env\right)$. If $\left|P_{online}\right|\le t$, it indicates that the current set of online parties does not meet the threshold requirement and is considered an invalid set. In this case, Step 4 of the protocol should be re-executed to ensure the correctness of key generation. If $\left|P_{online}\right|\ge t$, then $t$ parties are selected from $P_{online}$ to execute the algorithm ${sk}_i\leftarrow \mathrm{R}\mathrm{S}.\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{b}\mathrm{i}\mathrm{n}\mathrm{e}\left({\mathit{s}}_i^{\prime },x_1,\dots ,x_t\right)$. Then, these parties sample the common matrix $\mathit{B}\leftarrow CRS\left({\mathbb{Z}}_q^{m\times \left(n-1\right)}\right)$ and the noise $\mathit{e}\leftarrow CRS\left({\chi }^m\right)$, computing ${\mathit{b}}_i=\mathit{B}·{\mathit{s}}_i^{\prime }+\mathit{e}$. After computing the key share, each party must generate an NIZK proof to ensure that other parties can verify the structural correctness, sampling validity, and source consistency of the share. The proof must satisfy the public NP relation ${\mathcal{R}}_{DKG}$, and is computed as ${\pi }_{{\mathit{b}}_i}\leftarrow \mathrm{N}.\mathrm{P}\mathrm{r}\mathrm{o}\mathrm{v}\mathrm{e}\left(x,w,crs\right)$, where $x=\left({\mathit{b}}_i,{com}_{{\mathit{s}}_i},{\left\{{com}_{{\mathit{s}}_{j,i}}\right\}}_{j\in \left[N\right],j\ne i}\right)$ and $w=\left({\mathit{s}}_i,{\mathit{r}}_{{\mathit{s}}_i},{\left\{{\mathit{s}}_{j,i},{\mathit{r}}_{{\mathit{s}}_{j,i}}\right\}}_{j\in \left[N\right],j\ne i}\right)$. The construction details of this relation will be explained in Section 4.4.
• Finally, party $P_i$ broadcasts $\left({\mathit{b}}_i,{\pi }_{{\mathit{b}}_i}\right)$. Upon receiving it, each party verifies the proof $\left\{\mathrm{0,1}\right\}\leftarrow \mathrm{N}.\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}\left(x,{\pi }_{{\mathit{b}}_i},crs\right)$. This ensures that each participant’s share satisfies the structural constraints defined in Definition 16. If any verification fails, the corresponding user is regarded as an abnormal participant, and their share is excluded from the public key aggregation process. This guarantees that the public key is formed only from valid data. If the number of shares that pass verification still satisfies the threshold access structure (allowing some public key shares to be invalid), then compute $\mathit{b}={\sum }_t{\mathit{b}}_i$ and output $pk=\left(\mathit{b},\mathit{B}\right)$ as the public key. Otherwise, re-execute Step 4 of the protocol.

Note that the VDKeyGen protocol is an interactive process in which shares ${\mathit{s}}_{i,j}$ are exchanged pairwise between parties via secure channels during the resharing phase. This allows each party to store a state ${\mathit{s}}_i^{\prime }$ locally, which can be used by a set of parties (at least $t$ parties) to compute the secret key share for generating the public key. Thus, any qualified subset of parties can generate new secret key shares ${sk}_i$ for use in later decryption phases. During the execution of the scheme, if new participants dynamically join the computation, the VDKeyGen protocol must be rerun among all current parties to regenerate secret shares and a new public key, ensuring the correctness of homomorphic evaluation and decryption. If some participants go offline after key generation, the protocol proceeds as long as the remaining online parties meet the threshold requirement. Otherwise, execution is halted and resumed only when the number of active participants meets the minimum threshold $t$, as specified in the timeout handling of Section 3.3.

Moreover, to provide active security, we incorporate commitment schemes and NIZK proofs to prevent corrupted parties from submitting forged or incorrect key shares during key generation. These mechanisms verify that each party follows the protocol correctly and that submitted data are well formed. If any commitment or proof fails, the corresponding share is marked invalid, the sender is treated as an abnormal participant, and their data are excluded from key aggregation. If the threshold condition is still met, the protocol proceeds with the remaining valid parties; otherwise, it must be re-executed. This ensures all inputs are structurally bound (via commitments) and relation-consistent (via NIZK) before key reconstruction, preventing malicious parties from submitting invalid inputs or tampering with data, while not relying on a trusted third party.

4.2. Construction of the VTMFHE Scheme

In this section, we define the construction of our VTMFHE scheme. The scheme is based on the LWE problem, and leverages Shamir secret sharing and share resharing to distribute secret key shares among the parties. It ensures that the computation process is honestly and correctly executed by all parties and against active malicious adversaries through commitment and NIZK proof.

Briefly, after the Setup, the scheme executes a verifiable distributed key generation protocol. Then, the current parties encrypt their plaintext using a common public key, send the ciphertexts, and perform homomorphic evaluation. Finally, a distributed threshold decryption process is performed to obtain the final plaintext result.

Let $P=\left\{P_1,\dots ,P_N\right\}$ be a set of parties, and let $B_{smdg}$ be the bound for the smudging noise. We construct the scheme VTMFHE = (V.Setup, V.KeyGen, V.Enc, V.Eval, V.TDec) as follows:

• V.Setup$\left(1^{\lambda },1^l,{\mathbb{A}}_t\right)\to params$: Given the security parameter $\lambda$, the circuit depth bound $l$, and the threshold $t$ access structure ${\mathbb{A}}_t$, $params\leftarrow T.Setup\left(1^{\lambda }, 1^l, {\mathbb{A}}_t\right)$ is output as the implicit input for other algorithms, and each party $P_i\in P$ is associated with a non-zero element $x_i\in {\mathbb{Z}}_q^{\mathrm{*}}$.
• V.KeyGen$\left(params\right)\to \left({\left\{{\mathit{s}}_i^{\prime }\right\}}_{i\in \left[N\right]},pk\right)$: The VDKeyGen protocol is executed, where each party stores the ${\mathit{s}}_i^{\prime }$ used to compute the secret key share locally. Then, based on the results of the oracle query, the public key $pk$ is computed for encryption.
• V.Enc$\left(pk,{\mu }_i\right)\to {ct}_i$: The parties involved in this round of computation uniformly sample a random matrix ${\mathit{R}}_i\in {\left\{\mathrm{0,1}\right\}}^{m\times m}$ and use the public key $pk$ to encrypt their own message ${\mu }_i$, outputting the ciphertext ${ctx}_i={\mathit{R}}_i\mathit{A}+{\mu }_i\mathit{G}$, where ${ctx}_i\in {\mathbb{Z}}_q^{m\times n}$ and $\mathit{G}\in {\mathbb{Z}}_q^{m\times n}$ is the short preimage matrix. To prevent malicious participants from forging ciphertexts or submitting malformed data, each party commits to the encryption-related variables (e.g., ${\mathit{R}}_i$ and ${\mu }_i$) and computes an NIZK proof ${\pi }_{{ctx}_i}$ under the encryption NP relation ${\mathcal{R}}_{Enc}$ to prove the ciphertext’s correctness and structural validity. The ciphertext and associated verification data are sent together, and must be verified before any homomorphic evaluation. Specifically, each party samples ${\mathit{r}}_{{\mathit{R}}_i}\stackrel{R}{\leftarrow }{S}_{\mathit{r}}$ and ${\mathit{r}}_{{\mu }_i}\stackrel{R}{\leftarrow }{S}_{\mathit{r}}$, then computes ${com}_{{\mathit{R}}_i}\leftarrow \mathrm{C}.\mathrm{C}\mathrm{o}\mathrm{m}\left({\mathit{R}}_i,{\mathit{r}}_{{\mathit{R}}_i}\right)$ and ${com}_{{\mu }_i}\leftarrow \mathrm{C}.\mathrm{C}\mathrm{o}\mathrm{m}\left({\mu }_i,{\mathit{r}}_{{\mu }_i}\right)$. The proof is computed as ${\pi }_{{ctx}_i}\leftarrow \mathrm{N}.\mathrm{P}\mathrm{r}\mathrm{o}\mathrm{v}\mathrm{e}\left(x,w,crs\right)$, where $x=\left({ctx}_i, {com}_{{\mathit{R}}_i},{com}_{{\mu }_i}\right)$ and $w=\left({\mathit{R}}_i,{\mathit{r}}_{{\mathit{R}}_i},{\mu }_i,{\mathit{r}}_{{\mu }_i}\right)$. The final output is ${ct}_i=\left({ctx}_i,{\pi }_{{ctx}_i},{com}_{{\mathit{R}}_i},{com}_{{\mu }_i}\right)$.
• V.Eval$\left(F,{\left\{{ct}_i\right\}}_{i\in \left[k\right]}\right)\to \widehat{ct}$: Given a Boolean circuit $F:{\left\{\mathrm{0,1}\right\}}^k\to \left\{\mathrm{0,1}\right\}$ with a computation depth bound $l$ and a set of ciphertexts ${\left\{{ct}_i\right\}}_{i\in \left[k\right]}$, before performing homomorphic evaluation, each ciphertext ${ct}_i$ is parsed and verified using the proof ${\pi }_{{ctx}_i}$ via the NIZK verification algorithm: $\left\{\mathrm{0,1}\right\}\leftarrow \mathrm{N}.\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}\left(x,{\pi }_{{ctx}_i},crs\right)$. If any ciphertext fails verification, it is discarded, and its sender is marked as an invalid participant, and thus excluded from this round of homomorphic evaluation. This process effectively isolates incorrect inputs and prevents invalid data from affecting the correctness of the system. If all proofs pass, the evaluation proceeds with $\widehat{ct}\leftarrow \mathrm{F}.\mathrm{E}\mathrm{v}\mathrm{a}\mathrm{l}\left(F,{\left\{{ct}_i\right\}}_{i\in \left[k\right]}\right)$, and the resulting ciphertext $\widehat{ct}$ is returned.
• V.TDec$\left(\widehat{ct},P_{online}\right)\to \mu$: Before decrypting $\widehat{ct}$, the oracle query is executed again to obtain the set of online parties $P_{online}$. If $\left|P_{online}\right|<t$, $\perp$ is returned; otherwise, the threshold decryption protocol is executed and the decryption result $\mu$ is output.

We will provide a detailed analysis of the security and performance of this scheme in Section 5. Before that, we will explain the specific process of the distributed threshold decryption result in detail.

4.3. Distributed Threshold Decryption

In this section, we will present the complete process of the decryption phase in the VTMFHE scheme. Similarly to the verification mechanism of the VDKeyGen protocol, our scheme’s threshold decryption also achieves active security through commitment and NIZK. We will now define the process of the distributed threshold decryption protocol:

• After the homomorphic evaluations are completed, query the current set of online parties $P_{online}\leftarrow Q\left(Env\right)$. If $\left|P_{online}\right|<t$, this step is re-executed. Otherwise, each party in $P_{online}$ locally executes the algorithm ${sk}_i\leftarrow \mathrm{R}\mathrm{S}.\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{b}\mathrm{i}\mathrm{n}\mathrm{e}\left({\mathit{s}}_i^{\prime },x_1,\dots ,x_t\right)$, and uses ${sk}_i$ as its secret key share for decryption.
• The parties in $P_{online}$ execute the algorithm $p_i\leftarrow \mathrm{T}.\mathrm{P}\mathrm{a}\mathrm{r}\mathrm{t}\mathrm{D}\mathrm{e}\mathrm{c}\left({sk}_i,\widehat{ct}\right)$ from TMHE. In this process, party $P_i$ needs to sample a smudging noise ${\mathit{e}}_i^{sm}\stackrel{R}{\leftarrow }{\left[-B_{smdg},B_{smdg}\right]}^m$ and add it to the partial decryption result to prevent privacy leakage. Additionally, to achieve verifiability of the decryption result, the party needs to sample random values ${\mathit{r}}_{{sk}_i}\stackrel{R}{\leftarrow }{\mathcal{D}}_r$ and ${\mathit{r}}_{{\mathit{e}}_i^{sm}}\stackrel{R}{\leftarrow }{\mathcal{D}}_r$ to commit to ${sk}_i$ and ${\mathit{e}}_i^{sm}$, resulting in ${com}_{{sk}_i}\leftarrow \mathrm{C}.\mathrm{C}\mathrm{o}\mathrm{m}\left({sk}_i,{\mathit{r}}_{{sk}_i}\right)$ and ${com}_{{\mathit{e}}_i^{sm}}\leftarrow \mathrm{C}.\mathrm{C}\mathrm{o}\mathrm{m}\left({\mathit{e}}_i^{sm},{\mathit{r}}_{{\mathit{e}}_i^{sm}}\right)$. They then compute the proof ${\pi }_{p_i}\leftarrow \mathrm{N}.\mathrm{P}\mathrm{r}\mathrm{o}\mathrm{v}\mathrm{e}\left(x,w,crs\right)$ according to the NP relation ${\mathcal{R}}_{TDec}$, where $x=\left(p_i,\widehat{ct},{com}_{{sk}_i},{com}_{{\mathit{e}}_i^{sm}}\right)$ and $w=\left({sk}_i,{\mathit{r}}_{{sk}_i},{\mathit{e}}_i^{sm},{\mathit{r}}_{{\mathit{e}}_i^{sm}}\right)$. Together with the dimensions and format of the partial decryption results, this information serves as the sole basis for verifying data integrity during the decryption phase. Finally, the partial decryption result $p_i$ and its corresponding proof ${\pi }_{p_i}$ are output.
• Given the input ciphertext $\widehat{ct}$, a set of partial decryption results $D={\left\{p_i\right\}}_{i\in P_{online}}$, and the corresponding proofs ${\left\{{\pi }_{p_i}\right\}}_{i\in P_{online}}$, each proof is first verified against the relation ${\mathcal{R}}_{TDec}$: $\left\{\mathrm{0,1}\right\}\leftarrow \mathrm{N}.\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}\left(x,{\pi }_{p_i},crs\right)$. If any proof fails verification, the corresponding party is treated as an abnormal participant, and its partial decryption result is discarded. If the number of remaining valid partial decryption results exceeds $t$, the algorithm $\mu \leftarrow \mathrm{T},\mathrm{F}\mathrm{i}\mathrm{n}\mathrm{D}\mathrm{e}\mathrm{c}\left(D,\widehat{ct}\right)$ is executed to combine them and obtain the final decryption result $\mu$. Otherwise, the decryption process is aborted, and all valid participants are required to re-execute the distributed decryption protocol and submit new partial decryption results.

The distributed threshold decryption protocol is secure against malicious adversaries through the combined use of commitments and NIZK proofs. In summary, after reconstructing their decryption key shares, the current online participants perform partial decryption on the evaluated ciphertext and compute a proof ${\pi }_{p_i}$ based on the ${\mathcal{R}}_{TDec}$ relation in the NIZK system, to prove that $p_i$ is a correctly computed partial decryption result obtained by following the protocol steps, using valid parameters and the corresponding secret key share on $\widehat{ct}$. This prevents the final ciphertext from being incorrectly decrypted or leaking sensitive information under malicious attacks. Moreover, with the proposed share resharing technique, any t partial decryption results can be aggregated to obtain the final decryption, thus providing threshold fault tolerance: decryption can still proceed correctly even if some participants are corrupted. We define the maximum fault tolerance as $\left|P_{online}\right|-t$. Therefore, this mechanism does not rely on a trusted third party, and ensures the reliability and active security of the decryption protocol, even in asynchronous and dynamic environments.

4.4. NP Relations of NIZK

To ensure security against active malicious adversaries, this scheme employs a verification mechanism based on commitments and NIZK, as formally defined in Section 2.4 and Section 2.5. In NIZK, proofs are generated based on the following NP relations over a language $L$, covering distributed key generation, encryption, and threshold decryption. These proofs are used to demonstrate the correct execution of the corresponding algorithms. The NP relations are formally defined as follows:

Definition 24 (${\mathcal{R}}_{\mathit{D}\mathit{K}\mathit{G}}$). 

During the distributed key generation protocol, the relation ${\mathcal{R}}_{DKG}$ defines the correctness of the secret key share generation and proves this knowledge through the proof ${\pi }_{{\mathit{b}}_i}$. The relation ${\mathcal{R}}_{DKG}$ demonstrates that ${\mathit{s}}_i$ is correctly sampled from the specified distribution, ${\mathit{s}}_i^{\prime }$ is obtained through the share resharing process, and ${\mathit{b}}_i$ is correctly computed. The relation ${\mathcal{R}}_{DKG}$ can be expressed as follows:

$${\mathcal{R}}_{DKG}=\left\{\left(x,w\right)|\begin{array}{c}x=\left({\mathit{b}}_i,{com}_{{\mathit{s}}_i},{\left\{{com}_{{\mathit{s}}_{j,i}}\right\}}_{j\in \left[N\right],j\ne i}\right)\wedge \\ w=\left({\mathit{s}}_i,r_{{\mathit{s}}_i},{\left\{{\mathit{s}}_{j,i}\right\}}_{j\in \left[N\right],j\ne i},{\left\{r_{{\mathit{s}}_{j,i}}\right\}}_{j\in \left[N\right],j\ne i}\right):\\ {\forall i \mathit{s}}_i\in {\mathbb{Z}}_q^n\wedge \forall i C.Open\left({com}_{{\mathit{s}}_{j,i}},{\mathit{s}}_{j,i},r_{{\mathit{s}}_{j,i}}\right)\\ \wedge {\mathit{s}}_i^{\prime }=RS.Receive\left({\left\{{\mathit{s}}_{j,i}\right\}}_{j\in \left[N\right],j\ne i}\right)\wedge \\ {\mathit{b}}_i=\mathit{B}·{\mathit{s}}_i^{\mathit{\prime }}+\mathit{e}\end{array}\right\}.$$

Definition 25 (${\mathcal{R}}_{\mathit{E}\mathit{n}\mathit{c}}$). 

During the encryption phase of each party, the relation ${\mathcal{R}}_{Enc}$ proves through the proof ${\pi }_{{ctx}_i}$ that the ciphertext ${ctx}_i$ is correctly computed by party $P_i$ with the use of the given public key $pk$ to encrypt the message ${\mu }_i$, and that the sampled random matrix ${\mathit{R}}_i$ meets the encryption scheme requirements. The relation ${\mathcal{R}}_{Enc}$ can be expressed as follows:

$${\mathcal{R}}_{Enc}=\left\{\left(x,w\right)|\begin{array}{c}x=\left({ctx}_i,{com}_{{\mathit{R}}_i},{com}_{{\mu }_i}\right)\wedge \\ w=\left({\mathit{R}}_i,r_{{\mathit{R}}_i},{\mu }_i,r_{{\mu }_i}\right):\\ {\forall i \mu }_i\in \left\{\mathrm{0,1}\right\}\wedge \forall i {\mathit{R}}_i\in {\left\{0,1\right\}}^{m\times m}\\ \wedge {ctx}_i=\mathit{R}\left(\mathit{b},\mathit{B}\right)+{\mu }_i\mathit{G}\end{array}\right\}.$$

Definition 26 (${\mathcal{R}}_{\mathit{T}\mathit{D}\mathit{e}\mathit{c}}$). 

During the threshold decryption phase, the relation ${\mathcal{R}}_{TDec}$ proves through the proof ${\pi }_{p_i}$ that the partial decryption result $p_i$ provided by party $P_i$ is correctly computed with the use of the appropriate secret key share ${sk}_i$ to decrypt the ciphertext $\widehat{ct}$ through the decryption algorithm, and that the smudging noise ${\mathit{e}}_i^{sm}$ within the specified range is added to the result. The relation ${\mathcal{R}}_{TDec}$ can be expressed as follows:

$${\mathcal{R}}_{TDec}=\left\{\left(x,w\right)|\begin{array}{c}x=\left(p_i,\widehat{ct},{com}_{{sk}_i},{com}_{{\mathit{e}}_i^{sm}}\right)\wedge \\ w=\left({sk}_i,r_{{sk}_i},{\mathit{e}}_i^{sm},r_{{\mathit{e}}_i^{sm}}\right):\\ {\forall i sk}_i=RS.Combine\left({\mathit{s}}_i^{\prime },x_1,\dots ,x_t\right)\\ \wedge {\forall i ‖{\mathit{e}}_i^{sm}‖}_{\infty }\le B_{smdg}\wedge \\ \forall i p_i=T.PartDec\left({sk}_i,\widehat{ct}\right)\end{array}\right\}.$$

5. Correctness, Security, and Performance Analysis

This section provides a detailed analysis of the VTMFHE scheme, focusing on three aspects: correctness, security, and performance.

5.1. Correctness

We begin by analyzing the correctness of the VTMFHE scheme in homomorphic evaluation and decryption, focusing on homomorphic addition, homomorphic multiplication, and distributed decryption. Since all parties in our scheme use a shared public key for encryption, the correctness analysis of homomorphic evaluation is similar to that of single-key FHE schemes based on the LWE problem.

As defined in Section 2.3, the VTMFHE scheme relies on the correctness of the underlying FHE scheme. We first prove the correctness of homomorphic addition and homomorphic multiplication:

For the security parameter $\lambda$ and the circuit depth bound $l$, let the lattice dimension $n=n\left(\lambda ,l\right)$, modulus $q=q\left(\lambda ,l\right)$, and error distribution ${\chi }_B={\chi }_B\left(\lambda ,l\right)$ be B-bounded distributions. In our scheme, $pk=\mathit{A}=\left(\mathit{b},\mathit{B}\right)$ is the public key determined by the parties after executing the VDKeyGen protocol. The ciphertext ${ct}_i\leftarrow \mathrm{V}.\mathrm{E}\mathrm{n}\mathrm{c}\left(pk,{\mu }_i\right)$ is obtained by party $P_i$ encrypting the plaintext ${\mu }_i\in \left\{\mathrm{0,1}\right\}$ using the public key $pk$, where ${ctx}_i={\mathit{R}}_i\mathit{A}+{\mu }_i\mathit{G}$. The plaintext result obtained during decryption is computed as $ptx\leftarrow 〈ctx,sk〉=\mathit{R}·\mathit{e}+\mu \prime ·\mathit{v}$. We assume that ${ctx}_1$ and ${ctx}_2$ are encryptions of ${\mu }_1$ and ${\mu }_2$, respectively. The following properties hold in our scheme:

• Homomorphic Addition: Let ${ctx}^{\prime }={ctx}_1+{ctx}_2$. Then, $〈ctx\prime ,sk〉=\left({\mathit{R}}_1{\mathit{e}}_1+{\mathit{R}}_2{\mathit{e}}_2\right)+\left({\mu }_1+{\mu }_2\right)\mathit{v}$, i.e., ${ctx}_1+{ctx}_2=\mathrm{V}.\mathrm{E}\mathrm{n}\mathrm{c}\left(pk,{\mu }_1+{\mu }_2\right)$.
• Homomorphic Multiplication: Let $ctx\prime ={ctx}_1\times {ctx}_2$. Then, $〈ctx\prime ,sk〉={ctx}_1\left({\mathit{R}}_2{\mathit{e}}_2+{\mu }_2\mathit{v}\right)={ctx}_1{\mathit{R}}_2{\mathit{e}}_2+{\mu }_2\left({\mathit{R}}_1{\mathit{e}}_1+{\mu }_1\mathit{v}\right)={\mu }_1{\mu }_2\mathit{v}+\mathit{e}\mathbf{\prime }$, i.e., ${ctx}_1\times {ctx}_2=\mathrm{V}.\mathrm{E}\mathrm{n}\mathrm{c}\left(pk,{\mu }_1\times {\mu }_2\right)$, where $\mathit{e}\mathbf{\prime }={ctx}_1{\mathit{R}}_2{\mathit{e}}_2+{\mu }_2{\mathit{R}}_1{\mathit{e}}_1$ is the resulting error vector. According to the definition of the GSW scheme [4], its size will not disrupt the essential form of the ciphertext.

For the correctness of the distributed threshold decryption process, after completing the homomorphic evaluation $\widehat{ct}\leftarrow \mathrm{V}.\mathrm{E}\mathrm{v}\mathrm{a}\mathrm{l}\left(F,{\left\{{ct}_i\right\}}_{i\in \left[k\right]}\right)$, the parties generate the secret key shares for decryption according to the share resharing algorithm ${sk}_i\leftarrow \mathrm{R}\mathrm{S}.\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{b}\mathrm{i}\mathrm{n}\mathrm{e}\left({\mathit{s}}_i^{\prime },x_1,\dots ,x_t\right)$. They then compute the partial decryption results ${\left\{p_i\leftarrow \mathrm{P}\mathrm{a}\mathrm{r}\mathrm{t}\mathrm{D}\mathrm{e}\mathrm{c}\left({sk}_i,\widehat{ct}\right)\right\}}_{i\in {\mathcal{P}}_{online}}$. The decryption process of the VTMFHE scheme has the following correctness:

$$\mathrm{F}\mathrm{i}\mathrm{n}\mathrm{D}\mathrm{e}\mathrm{c}\left({\left\{p_i\right\}}_{i\in {\mathcal{P}}_{online}},\widehat{ct}\right)=F\left({\mu }_1,\dots ,{\mu }_k\right)=ptx.$$

Ultimately, we rely on the correctness of the underlying FHE scheme and the TMFHE scheme to prove the correctness of our scheme. Additionally, consistency checks through the commitment and the NIZK system further ensure that the actively secure scheme is correct.

From a structural perspective, the proposed scheme offers good compactness and scalability. In terms of ciphertext and key sizes, the ciphertext size in our scheme is fixed, independent of the original plaintext length and the number of participants $N$, and does not grow with the data volume or system scale. Additionally, since the proposed share resharing mechanism allows secret key shares to be randomly restructured into new sharing formats, the key size remains constant regardless of the number of parties or ciphertexts, providing better scalability than classical multi-party FHE schemes (e.g., Mukherjee and Wichs [9], Aranha et al. [35]), where ciphertext and key sizes depend on $N$. However, we note that introducing commitment and NIZK proofs for security verification, although one-time and binding, leads to communication and computation costs that grow linearly with $N$, as each party must broadcast verification data; this may impose a communication burden in large-scale deployments. For complex computations, our scheme supports Boolean circuits $F$ composed of addition and multiplication gates with fan-in 2, allowing multiple ciphertexts to be jointly evaluated, thereby offering strong computational expressiveness. Nonetheless, once the circuit depth exceeds the predefined limit, ciphertext noise will surpass the decryption bound, making correct decryption unreliable. Thus, homomorphic evaluation remains constrained by the circuit depth parameter $l$.

5.2. Security

This section discusses the security of the VTMFHE scheme. To formally model and prove security, we define the corresponding adversarial model. We begin with a static passive adversary model (i.e., semi-honest, as defined by Mouchet et al. [21]), where the adversary $\mathcal{A}$ can corrupt up to $t-1$ parties before the protocol starts. In the passive setting, corrupted parties follow the protocol honestly, and $\mathcal{A}$ is allowed to access their internal state. However, existing TMFHE schemes typically provide security only under semi-honest adversaries. When facing malicious adversaries, a corrupted group may disrupt correctness or privacy by submitting invalid outputs (e.g., incorrect partial decryption results) or performing biased decryption. Therefore, we extend the model to an active malicious adversary setting, where corrupted parties are allowed to behave arbitrarily, such as going offline, submitting malformed data, or sending invalid verification messages at any point in time. Moreover, the adversary may observe and interfere with protocol interactions, or attempt to forge valid outputs. Compared to the scheme by Mouchet et al. [21], our approach significantly improves security by incorporating a verification mechanism based on commitments and NIZK in key generation, encryption, and threshold decryption. We prove that the scheme achieves IND-CPA security and is secure against active attacks from malicious adversaries.

In terms of semantic security, for the security parameter $\lambda$, the circuit depth bound $l$, and the set of parties $P=\left\{P_1,\dots ,P_N\right\}$ in the VTMFHE scheme, a PPT simulator $Sim$ exists, such that for a static and passive PPT adversary $\mathcal{A}$, the hybrid experiments in the following real world and ideal world are indistinguishable, where the adversary $\mathcal{A}$ can corrupt up to $t-1$ parties:

• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathit{r}\mathit{e}\mathit{a}\mathit{l}}$: This is a real-world IND-CPA game between a challenger and the adversary $\mathcal{A}$.

• Input $\left(1^{\lambda },1^l\right)$; the adversary $\mathcal{A}$ outputs the threshold access structure ${\mathbb{A}}_t$.
• The challenger runs $params\leftarrow \mathrm{V}.\mathrm{S}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{p}\left(1^{\lambda },1^l,{\mathbb{A}}_t\right)$ and $\left({\left\{{\mathit{s}}_i^{\prime }\right\}}_{i\in \left[N\right]},pk\right)\leftarrow \mathrm{V}.\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{G}\mathrm{e}\mathrm{n}\left(params\right)$, and sends the public key $pk$ to $\mathcal{A}$.
• $\mathcal{A}$ outputs a maximal invalid set $S\subseteq P$ (Definition 3) and messages ${\mu }_1,\dots ,{\mu }_k\in \left\{\mathrm{0,1}\right\}$.
• The challenger executes the share resharing protocol, and then sends ${\left\{{sk}_i\right\}}_{i\in S}$ and the challenge ciphertexts ${\left\{\mathrm{V}.\mathrm{E}\mathrm{n}\mathrm{c}\left(pk,{\mu }_i\right)\right\}}_{i\in \left[k\right]}$ to the adversary $\mathcal{A}$.
• $\mathcal{A}$ issues polynomial adaptive queries in the form of $\left(S\subseteq P,F\right)$, where $F:{\left\{\mathrm{0,1}\right\}}^k\to \left\{\mathrm{0,1}\right\}$ is a circuit with depth bound $l$. For each query, the challenger executes $\widehat{ct}\leftarrow \mathrm{V}.\mathrm{E}\mathrm{v}\mathrm{a}\mathrm{l}\left(F,{\left\{{ct}_i\right\}}_{i\in S}\right)$ and sends ${\left\{\mathrm{T}.\mathrm{P}\mathrm{a}\mathrm{r}\mathrm{t}\mathrm{D}\mathrm{e}\mathrm{c}\left({sk}_i,\widehat{ct}\right)\right\}}_{i\in S}$ to $\mathcal{A}$.
• At last, $\mathcal{A}$ guesses the bit $b$ as $b\prime$ within polynomial time and sends the bit $b\prime$ to the challenger.

• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathit{i}\mathit{d}\mathit{e}\mathit{a}\mathit{l}}$: This is an ideal-world game between a challenger and the adversary $\mathcal{A}$.

• Input $\left(1^{\lambda },1^l\right)$; the adversary $\mathcal{A}$ outputs the threshold access structure ${\mathbb{A}}_t$.
• The challenger runs $params\leftarrow Sim.\mathrm{S}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{p}\left(1^{\lambda },1^l,{\mathbb{A}}_t\right)$ and $\left({\left\{{\mathit{s}}_i^{\prime }\right\}}_{i\in \left[N\right]},pk\right)\leftarrow Sim.\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{G}\mathrm{e}\mathrm{n}\left(params\right)$, and sends the public key $pk$ to $\mathcal{A}$.
• $\mathcal{A}$ outputs a maximal invalid set $S\subseteq P$ (Definition 3) and messages ${\mu }_1,\dots ,{\mu }_k\in \left\{\mathrm{0,1}\right\}$.
• The challenger executes the share resharing protocol, and then sends ${\left\{{sk}_i\right\}}_{i\in S}$ and the challenge ciphertexts ${\left\{\mathrm{V}.\mathrm{E}\mathrm{n}\mathrm{c}\left(pk,{\mu }_i\right)\right\}}_{i\in \left[k\right]}$ to $\mathcal{A}$.
• $\mathcal{A}$ issues polynomial adaptive queries in the form of $\left(S\subseteq P,F\right)$, where $F:{\left\{\mathrm{0,1}\right\}}^k\to \left\{\mathrm{0,1}\right\}$ is a circuit with depth bound $l$. For each query, the challenger executes the simulator algorithm ${\left\{p_i\right\}}_{i\in S}\leftarrow Sim\left(F,{\left\{\mathrm{V}.\mathrm{E}\mathrm{n}\mathrm{c}\left(pk,{\mu }_i\right)\right\}}_{i\in \left[k\right]},F\left({\mu }_1,\dots ,{\mu }_k\right),S\right)$ and sends the simulated partial decryption results ${\left\{p_i\right\}}_{i\in S}$ to the adversary $\mathcal{A}$.
• At last, $\mathcal{A}$ guesses the bit $b$ as $b\prime$ within polynomial time and sends the bit $b\prime$ to the challenger.

Under the LWE problem, ciphertext matrices are indistinguishable from random matrices. According to the smudging lemma (Lemma 1), the information of the secret key shares included in the partial decryption results $p_i$ is computationally hidden by the smudging noise ${\mathit{e}}_i^{sm}$. This means that the public key, ciphertexts, and partial decryption results are computationally indistinguishable from random values and unrelated to the messages. Therefore, our VTMFHE scheme is IND-CPA-secure.

The execution of the protocol should not disclose any knowledge about the secret key shares or the messages ${\mu }_1,\dots ,{\mu }_k$ through the partial decryption results beyond what is already included in the homomorphic evaluation result. Additionally, corrupted parties should be unable to send incorrect information that leads to the leakage of privacy or decryption failure. Next, we further set up an active malicious adversary to verify that our scheme is actively secure.

To verify the source of information, prevent the adversary from forging legitimate information, and ensure that ciphertexts are not tampered with during transmission, we construct a verification mechanism through commitment and NIZK. This verifies the correctness of the scheme’s execution process, including distributed key generation, encryption, and threshold decryption. We simulate proofs through a series of hybrid experiments:

• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathbf{0}}$: This is the execution of our scheme in the real world with a malicious adversary $\mathcal{A}$.

• Input $\left(1^{\lambda },1^l\right)$; the adversary $\mathcal{A}$ sends a set of corrupted parties $\mathcal{C}$, where $\left|\mathcal{C}\right|\le t-1$. The parties interact according to the VDKeyGen protocol in Section 4.1, generating the corresponding commitments and proofs ${\left\{{com}_{{\mathit{s}}_i},{\left\{{com}_{{\mathit{s}}_{i,j}}\right\}}_{j\in \left[N\right],j\ne i},{\pi }_{{\mathit{b}}_i}\right\}}_{i\in P}$. After completing the verification, they generate the public key $pk$ and ${\left\{{\mathit{s}}_i^{\prime }\right\}}_{i\in P}$ through share resharing and oracle query.
• $\mathcal{A}$ issues encryption queries by choosing plaintexts ${\mu }_1,\dots ,{\mu }_k\in \left\{\mathrm{0,1}\right\}$ and obtaining the ciphertexts ${\left\{{ct}_i\right\}}_{i\in \left[k\right]}={\left\{\mathrm{V}.\mathrm{E}\mathrm{n}\mathrm{c}\left(pk,{\mu }_i\right)\right\}}_{i\in \left[k\right]}$ through the encryption algorithm.
• $\mathcal{A}$ issues polynomial adaptive queries in the form of $\left(\mathcal{C}\subseteq P,F\right)$, where $F:{\left\{\mathrm{0,1}\right\}}^k\to \left\{\mathrm{0,1}\right\}$ is a circuit with depth bound $l$. For each query, the scheme executes $\widehat{ct}\leftarrow \mathrm{V}.\mathrm{E}\mathrm{v}\mathrm{a}\mathrm{l}\left(F,{\left\{{ct}_i\right\}}_{i\in P\backslash \mathcal{C}}\right)$ and sends the partial decryption results ${\left\{\mathrm{T}.\mathrm{P}\mathrm{a}\mathrm{r}\mathrm{t}\mathrm{D}\mathrm{e}\mathrm{c}\left({sk}_i,\widehat{ct}\right)\right\}}_{i\in P\backslash \mathcal{C}}$ to the adversary $\mathcal{A}$. These partial decryption results include the information used for verification: $\left({com}_{{sk}_i},{com}_{{\mathit{e}}_i^{sm}},{\pi }_{p_i}\right)$.
• The corrupted parties controlled by the adversary $\mathcal{A}$ compute the partial decryption results ${\left\{p_j\right\}}_{j\in \mathcal{C}}$, according to the protocol, and send them. If any proof ${\pi }_{p_j}$ in the partial decryption results ${\left\{p_j\right\}}_{j\in \mathcal{C}}$ fails verification, $\perp$ is output; otherwise, the plaintext result $\mu$ is computed according to the threshold decryption protocol.
• Finally, the adversary $\mathcal{A}$ determines the value of the bit $b$ through decryption queries and other information. Based to the previous IND-CPA security proof, the probability that $\mathcal{A}$ can successfully distinguish $b$ is no more than 1/2.

• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathbf{1}}$: We introduce the first change, using the simulator $Sim$ to generate proofs. In the third step of ${Game}_0$, when honest users perform partial decryption, the proofs generated by the simulator are used to prove that these partial decryption results ${\left\{p_i\right\}}_{i\in P\backslash \mathcal{C}}$ are correct, with the rest remaining unchanged. According to the honest verifier zero-knowledge property defined in Definition 18, the proofs generated by the simulator are computationally indistinguishable from those generated by an honest prover. Therefore, the experiments ${Game}_0$ and ${Game}_1$ are indistinguishable.
• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathbf{2}}$: Furthermore, we replace the commitments that do not need to be opened during the threshold decryption process, such as ${com}_{{sk}_i}$ and ${com}_{{\mathit{e}}_i^{sm}}$. These commitments are only used for computing and verifying proofs, with the rest of the experiment remaining unchanged. According to the commitment hiding property defined in Definition 14, $\mathcal{A}$ cannot obtain any information about the committed values from the commitments themselves. Therefore, the experiments ${Game}_1$ and ${Game}_2$ are indistinguishable.
• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathbf{3}}$: During the VDKeyGen protocol, we extract the secret key shares from the corrupted parties using a knowledge extractor, and then derive ${\left\{{sk}_j\right\}}_{j\in \mathcal{C}}$ and simulate the behavior of these parts, with the rest of the experiment remaining unchanged. According to the knowledge soundness property defined in Definition 17, $\mathcal{A}$ can accept the proofs generated using the witnesses provided by the knowledge extractor. Therefore, the experiments ${Game}_2$ and ${Game}_3$ are indistinguishable.
• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathbf{4}}$: Now, we replace the partial decryption results of each honest party during the threshold decryption process. Instead of honestly computing $p_i\leftarrow \mathrm{T}.\mathrm{P}\mathrm{a}\mathrm{r}\mathrm{t}\mathrm{D}\mathrm{e}\mathrm{c}\left({sk}_i,\widehat{ct}\right)$, the simulator uniformly samples $p_i^{\prime }\stackrel{R}{\leftarrow }{\mathbb{Z}}_q$ under the condition that the final decryption result remains unchanged, i.e., ${\sum }_{i\in P\backslash \mathcal{C}}{p}_i^{\prime }=\mu -{\sum }_{j\in \mathcal{C}}{p}_j$. Since $p_i^{\prime }$ is randomly sampled from a uniform distribution, according to the definition of the LWE problem, $p_i^{\prime }$ is indistinguishable from $p_i=〈\widehat{ct},{sk}_i〉+{\mathit{e}}_i^{sm}$, and the decryption result is not affected by the introduced randomness. Therefore, ${Game}_3$ and ${Game}_4$ are indistinguishable.
• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathbf{5}}$: Based on ${Game}_4$, all partial decryption results of honest parties no longer depend on the secret key shares ${sk}_i$. Therefore, we replace the zero-knowledge proofs ${\pi }_{{\mathit{b}}_i}$ generated by honest parties during the VDKeyGen process with proofs generated by the simulator $Sim$. Similarly to ${Game}_1$, the proofs generated by the simulator are computationally indistinguishable from those generated by an honest prover. Therefore, the experiments ${Game}_4$ and ${Game}_5$ are indistinguishable.
• ${\mathit{G}\mathit{a}\mathit{m}\mathit{e}}_{\mathbf{6}}$: Similarly to ${Game}_2$, we replace the commitments in the VDKeyGen protocol that do not need to be opened, such as ${com}_{{\mathit{s}}_i}$. Since we have already replaced the proofs in the key generation process in ${Game}_5$, replacing these commitments will not affect the protocol. According to the commitment hiding property defined in Definition 14, the adversary $\mathcal{A}$ cannot obtain any information about the committed values from the commitments themselves. Therefore, the experiments ${Game}_5$ and ${Game}_6$ are indistinguishable.

We now prove that ${Game}_6$ is indistinguishable from the ideal world simulated by $Sim$. If the adversary $\mathcal{A}$ wins ${Game}_6$, then $\mathcal{A}$ can break the LWE problem, i.e., it can effectively solve the hard lattice problems SVP and GapSVP. Ultimately, ${Game}_6$ is clearly secure, because all components are generated by the simulator $Sim$ and no private information is leaked. By proving step by step the indistinguishability between each pair of adjacent experiments, we can conclude that the initial experiment and the final experiment are statistically indistinguishable, thereby proving the security of the VTMFHE scheme against active malicious adversaries. This concludes the proof.

We observe that most existing TMFHE schemes still rely on the semi-honest adversary model for their security guarantees. This assumption often lacks robustness against malicious adversaries or execution faults, where collusion, input forgery, or deliberately incorrect partial decryption by corrupted parties can threaten the data security of honest participants, particularly in the key sharing and threshold decryption processes. Moreover, traditional mechanisms generally lack systematic verification structures. Compared with representative TMFHE schemes, such as those by Mouchet et al. [27], Agrawal et al. [25], and Mouchet et al. [21], our proposed VTMFHE scheme achieves multi-dimensional improvements in security. In particular, we construct a verifiable framework for key generation and threshold decryption that addresses the need to prove complex structural constraints and maintain secret consistency across protocol phases, all without relying on a trusted third party.

5.3. Performance

To simplify the performance analysis and maintain consistency with prior studies, we adopt a symbolic-level theoretical complexity model to evaluate the computational and communication overhead of our scheme. The analysis is based on symbolic expressions involving key parameters such as the number of participants $N$, the modulus $q$, and the threshold $t$, without assigning specific numerical values. The parameter settings and analytical methodology follow the typical models used in related works by Mukherjee and Wichs [9], Boneh et al. [19], Mouchet et al. [21], and Aranha et al. [35], ensuring both comparability and theoretical representativeness.

Our performance analysis begins with the study of the underlying FHE scheme. We adopt the GSW scheme [4] as the underlying encryption scheme. Unlike the BGV scheme [3], the GSW scheme evaluates on ciphertexts in matrix form with constant dimensions, thereby avoiding the need for key-switching and an evaluation key. This makes the scheme logically simple and clear. Secondly, to allow multiple parties to perform secure computations jointly, we use share resharing techniques to enable the parties to collaboratively generate a public key, with the secret key distributed and shared among them. This allows each party to encrypt using the same public key. Unlike the currently popular multi-key fully homomorphic encryption (MKFHE) schemes, ciphertexts under the same public key can directly execute homomorphic evaluation, avoiding the complex ciphertext extension steps in MKFHE schemes. This significantly reduces the size of ciphertexts involved in the evaluation. Thus, the VTMFHE scheme is compact, and the number of interactions between parties during the execution of our scheme is not affected by the function being executed or the number of parties $N$. This reduces both the computational complexity and communication complexity of the scheme.

It must be acknowledged that to make sure that the scheme is effective against malicious adversaries, we have included commitment and NIZK to construct a verification mechanism. This slightly increases the computational and communication overhead of our scheme. Specifically, according to the commitment scheme defined in Definition 11, each commitment corresponding to a submitted key share or intermediate value is a vector over ${\mathbb{Z}}_q$ of dimension $l_1+n$, where $l_1$ is much less than $n$. Thus, the communication cost of each commitment is $O\left(n\log q\right)$. For computation, both commitment generation and verification require a matrix-vector multiplication, resulting in a complexity of $O\left(n^2\log q\right)$. In the VDKeyGen protocol of our scheme, each party generates and sends $N$ commitments and verifies the commitments received from others, yielding a total communication cost of $O\left(Nn\log q\right)$ and computation cost of $O\left({Nn}^2\log q\right)$ per party. In the encryption and decryption algorithms, each party only needs to generate two commitments, each with a cost of $O\left(n^2\log q\right)$. For NIZK, according to the construction in Definition 15, each proof $\pi$ consists of $s$ commitments and responses. Its communication cost, based on Yang et al. [30] (Appendix F.3), is given by the following:

$$‖\pi ‖=\left(\log \left({\displaystyle \frac{q}{8}}+1\right)+n+\left(3l_1+2l_2+4n\right)\log q\right)\mathrm{Nlog}q+sn\log q.$$

In our scheme, each proof contains a constant number of commitments. Therefore, the communication complexity per participant for each proof is $O\left(nN{⌈\log q⌉}^2+n\log q\right)=O\left(nN{⌈\log q⌉}^2\right)$. In terms of computation, generating the NIZK proof involves multiple commitments and multiplication relation checks, resulting in a complexity of $O\left(N\left(n{l}_1+n{l}_2+n\right)\log q\right)=O\left(N{n}^2\log q\right)$. The corresponding verification includes checks for linear relations, multiplication relations, and commitment consistency, and requires the same complexity of $O\left(N{n}^2\log q\right)$. During the VDKeyGen process, share resharing requires each party to store an additional state ${\mathit{s}}_i^{\prime }$, which is a polynomial of degree $t-1$, incurring a space complexity of $O\left(t\right)$. Additionally, the protocol requires each party to send and receive $N-1$ Shamir secret shares, resulting in a communication overhead of $O\left(Nt\right)$. The computational overhead for executing the combination algorithm when generating the public key $pk$ and secret key shares ${sk}_i$ is $O\left(t\right)$. It is important to emphasize that the total overhead in the VDKeyGen protocol can be regarded as a one-time cost related to the security level. The commitments and proofs are only executed once during system initialization, and can be reused across multiple homomorphic computations without impacting subsequent rounds. Therefore, the overall impact of this verification mechanism on system performance is limited. Its communication and computation costs can be effectively amortized across many tasks, especially in scenarios involving long-term key sharing or multi-round collaborative computation. Overall, this overhead is both necessary for enhancing active security and acceptable in practice.

During the encryption phase, the ciphertext size for each party is ${\left(n+1\right)}^2{⌈\log q⌉}^2$. The size of an individual commitment is $n\log q$, and a proof consists of s commitments each of size $n\log q$. In our scheme, the final ciphertext output by each party is ${ct}_i=\left({ctx}_i,{\pi }_{{ctx}_i},{com}_{{\mathit{R}}_i},{com}_{{\mu }_i}\right)$. Therefore, the total size of the final output ciphertext is ${\left(n+1\right)}^2{⌈\log q⌉}^2+\left(\log q+n+9n\log q\right)N\log q+\left(s+2\right)n\log q$.

A comparison of our scheme with several other typical fully homomorphic encryption schemes that allow multi-user joint computation includes aspects such as security, adversary model, public key size, evaluation key size, and compactness, as shown in

Table 1. Performance comparison of multi-user FHE schemes.

Scheme	Threshold Setting	Adversary Model	Public Key Size	Evaluation Key Size	Compactness
Mukherjee and Wichs [9]	N-out-of-N	Passive semi-honest adversary	$2\mathrm{N}\mathrm{n}\left(\mathrm{n}+1\right){⌈\log \mathrm{q}⌉}^2$	0	Non-compact
Boneh et al. [19]	t-out-of-N	Passive semi-honest adversary	$2\mathrm{n}\left(\mathrm{n}+1\right){⌈\log \mathrm{q}⌉}^2$	0	Partially compact
Mouchet et al. [21]	t-out-of-N	Passive semi-honest adversary	$2\mathrm{n}⌈\log \mathrm{q}⌉$	$6\mathrm{L}\mathrm{n}{⌈\log \mathrm{q}⌉}^2$	Compact
Aranha et al. [35]	N-out-of-N	Active malicious adversary	$\left(\mathrm{n}+2\right)N⌈\log \mathrm{q}⌉$	0	Non-compact
Ours	t-out-of-N	Active malicious adversary	$2\mathrm{n}\left(\mathrm{n}+1\right){⌈\log \mathrm{q}⌉}^2$	0	Compact

.

6. Conclusions

This work proposes a verifiable threshold multi-party fully homomorphic encryption (VTMFHE) scheme based on the LWE problem, addressing the high complexity and expense issues of existing TMFHE schemes in asynchronous settings, as well as their insufficient security against malicious adversaries. Our scheme features a t-out-of-N threshold access structure, making it more compact than multi-key FHE schemes, and utilizes Shamir secret sharing and share resharing techniques for key generation. Compared to traditional TMFHE schemes, our scheme only introduces additional interactions during the key generation, and allows any user set above the threshold $t$ to jointly perform decryption without causing the smudging noise to grow too quickly. This balances user overhead and makes it more flexible for practical applications. Additionally, we introduced commitments and NIZK to construct an effective verification mechanism. This mechanism proves the correctness and validity of the actions of each party during the execution of the scheme, addressing the issue of TMFHE schemes being insecure against malicious adversaries. Finally, we demonstrated, through hybrid experiments, that the VTMFHE scheme is secure against malicious adversaries.

Outlook. The proposed VTMFHE scheme offers strong structural generality and security, making it particularly suitable for low-latency, communication-efficient environments, where multiple parties can efficiently perform joint homomorphic computation over ciphertexts. However, since each party must generate and transmit verification information (e.g., commitments and NIZK proofs), the scheme’s performance may degrade in high-communication-cost settings or large-scale systems, as the communication overhead grows linearly with the number of parties N. Furthermore, the scheme’s homomorphic evaluation capability is constrained by the circuit depth bound $l$, which depends on the underlying LWE parameter settings, especially when handling complex computations. To address these limitations, future work will focus on optimizing the LWE parameters using techniques such as modulus-dimension switching and binary secret reduction, aiming to achieve smaller moduli and larger circuit depth bounds. Additionally, it is worth exploring the application of this scheme in broader cryptographic settings, such as constructing threshold signature schemes with active security to support joint signing and decentralized systems.