This article was co-authored by Kelong Cong, Morten Dahl, Daniel Demmler, Frederic Egmorte, Tore Frederiksen, Nigel Smart, Maksym Surzhynskyi, and Titouan Tanguy.
Zama's technology enables private computing on encrypted data through Fully Homomorphic Encryption(FHE). However, a major issue in any application is key management – specifically, how to secure and manage the secret keys used to decrypt data.
To address this, our team at Zama has built a Threshold Key Management System (TKMS) powered by threshold cryptography. Namely, instead of relying on a single party to hold a full decryption key, the key is split into shares, which are generated during a threshold key generation ceremony and distributed among multiple parties. These shares are never recombined during cryptographic operations and meaningful operations with them can only be carried out if more than a threshold number of parties agree to it — similar to how Multi-Party Computation (MPC) wallets work in the blockchain world.
The TKMS is built on top of a secure and robust MPC protocol that supports key management of virtually any FHE scheme. While our implementation is optimized for TFHE (to be used with the fhEVM for private smart contracts), the underlying MPC system is general enough to be adjusted to work for other types of FHE keys, such as those used in the BGV and BFV schemes.
This week, Zama is making available three key resources which underpin our TKMS technology:
The KMS is a Rust library which implements the MPC algorithms for the TFHE scheme used in Zama products, covering:
Additionally, it includes the code to implement a protocol for common-reference string (CRS) generation, for the CRS used in the zero-knowledge proofs of knowledge (ZKPoKs) within Zama’s TFHE-rs library, and the code for threshold decryption and key generation for simple versions of the BGV and BFV encryption schemes — even if those are not used in Zama’s products.
Alongside, the repository contains a service wrapper around the core MPC primitives, providing management capabilities of key material and rate limiting of accesses via a gRPC interface.
Adaptability & Performance
The library implements various options (for both feasibility and efficiency reasons) for this MPC system, depending on the number of parties and the associated threshold:
Here, [.c-inline-code]t[.c-inline-code] represents the number of bad players which the protocol can tolerate.
The MPC protocols are based on Shamir Secret Sharing over Galois Rings, and provide robust protocols, i.e. ones which provide Guaranteed Output Delivery. In layman's terms, if less than or equal to [.c-inline-code]t[.c-inline-code] parties are malicious, a correct output result will always be recovered by the other honest parties.
Interestingly, when the total number of parties is small, our threshold decryption protocol requires a single round of communication, making it suitable to work over a wide-area network (WAN) where the round trip time between parties may be significant. For example, threshold decrypting up to 2048 ciphertexts takes less than a second when the protocol is run with ten parties.
The most expensive part of the entire protocol suite is, by far, the key generation, which only occurs once during the protocol setup phase. However, Zama's implementation is highly parallelized such that it can be scaled horizontally if needed.
Finally, the different building blocks that make up the threshold key generation and threshold decryption can be reused independently, such as for research purposes. In the repository, users will find instructions on how to run our software and produce benchmarks for their own installation.
Alongside the library, we’re releasing a 250+ page technical report that formally describes the mathematics and protocols behind our MPC stack. This includes:
To keep the document approachable, we’ve focused on simplified versions of the TFHE, BGV and BFV schemes.
At Zama, we strongly believe in open source innovation. By sharing both our code and research, we aim to foster collaboration, transparency and progress in the field of FHE.
We invite researchers, developers and cryptographers to explore and experiment with these resources, and share with us any feedback:
News, research and product releases