Paper 2025/1691

Pilvi: Lattice Threshold PKE with Small Decryption Shares and Improved Security

Valerio Cini, Bocconi University
Russell W. F. Lai, Aalto University
Ivy K. Y. Woo, Aalto University
Abstract

Threshold public-key encryption (tPKE) enables any subset of $t$ out of $K$ parties to decrypt non-interactively, while any ciphertext remains secure if fewer than $t$ decryption shares are known. Despite recent progress, existing lattice-based tPKEs face at least one of the following drawbacks: (1) having large decryption share size -- polynomial in $K$ and some even exponential in $t$, (2) proven secure only against relaxed security models where the adversary is not allowed to see decryption shares of challenge ciphertexts, and (3) lack of concrete efficiency, in particular due to the requirement of super-polynomial modulus for noise flooding. We present $\mathsf{Pilvi}$, a new thresholdised variant of Regev’s public-key encryption scheme, which achieves both small decryption shares and a strong form of simulation-based security under the Learning with Errors (LWE) assumption. Our construction has decryption share size $t \cdot \log K \cdot \mathsf{poly}(\lambda)$ and allows the use of a polynomial-size modulus assuming an a priori bound on the number of queries $Q$. It remains secure even when an adaptive adversary requests partial decryptions of both challenge and non-challenge ciphertexts, as long as for each ciphertext the number of corrupt parties plus the number of shares obtained is less than $t$. We provide concrete parameter suggestions for 128-bit security for a wide range of $(t,K,Q)$, including cases where $t \approx K/2$ for up to $K \leq 32$ users and $Q \leq 2^{60}$ partial decryption queries. The ciphertext size ranges from $14$ to $58$ KB and the partial decryption share size ranges from $1$ to $4$ KB. Along the way, we abstract out a general purpose tool called the threshold-LWE assumption, which we prove to follow from LWE. The threshold-LWE assumption captures the core steps in security proofs of schemes involving Shamir secret-sharing of the LWE secret with carefully chosen evaluation points, the algebraic structures from the latter being what enables the efficiency of our tPKE scheme. As an additional application, we also show how to construct distributed pseudorandom functions (dPRFs) from the threshold-LWE assumption.

Note: An extended abstract of this work is published at ASIACRYPT'25. This is the full version, containing proofs in the appendix.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in ASIACRYPT 2025
Keywords
threshold encryption, lattices, Shamir's secret sharing, subtractive sets, distributed PRF
Contact author(s)
valerio cini @ unibocconi it
russell lai @ aalto fi
ivy woo @ aalto fi
History
2025-09-18: approved
2025-09-17: received
Short URL
https://ia.cr/2025/1691
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/1691,
      author = {Valerio Cini and Russell W. F. Lai and Ivy K. Y. Woo},
      title = {Pilvi: Lattice Threshold {PKE} with Small Decryption Shares and Improved Security},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/1691},
      year = {2025},
      url = {https://eprint.iacr.org/2025/1691}
}