Blog
 / 
Announcements
Research

Introducing Zama’s Threshold Key Management System (TKMS)

April 17, 2025
  -  
The Zama Team

This article was co-authored by Kelong Cong, Morten Dahl, Daniel Demmler, Frederic Egmorte, Tore Frederiksen, Nigel Smart, Maksym Surzhynskyi, and Titouan Tanguy.


Zama's technology enables private computing on encrypted data through Fully Homomorphic Encryption(FHE). However, a major issue in any application is key management – specifically, how to secure and manage the secret keys used to decrypt data. 

To address this, our team at Zama has built a Threshold Key Management System (TKMS) powered by threshold cryptography. Namely, instead of relying on a single party to hold a full decryption key, the key is split into fragments and distributed among multiple parties. These fragments are never recombined during cryptographic operations—similar to how Multi-Party Computation (MPC) wallets work in the blockchain world.

What Is TKMS?

TKMS is built on top of a secure MPC protocol that supports key management of virtually any FHE scheme. While our implementation is optimized for TFHE (to be used with the fhEVM for private smart contracts), the underlying MPC system is general enough to be adjusted to work for other types of FHE keys, such as those used in the BGV and BFV schemes. 

This week, Zama is making available two key resources which underpin our TKMS technology:

  • An open source MPC library which implements all of the threshold operations within the Zama TKMS. 
  • A comprehensive cryptographic report which gives a formal description of the various cryptographic protocols underlying the MPC technology implemented. This document is a draft version of what the Zama team intends to submit to NIST as part of their future threshold cryptography call.

About the library

The threshold-fhe repository is a Rust library which implements the MPC algorithms for the TFHE scheme used in Zama products, covering:

  • Threshold decryption
  • Threshold key generation
  • Key resharing 

Additionally, it includes the code to implement a protocol for common-reference string (CRS) generation, for the CRS used in the zero-knowledge proofs of knowledge (ZKPoKs) within Zama’s TFHE-rs library, and the code for threshold decryption and key generation for simple versions of the BGV and BFV encryption schemes  — even if it’s not used in Zama’s products.

Adaptability & Performance

The library implements various options (for both feasibility and efficiency reasons) for this MPC system, depending on the number of parties and the associated threshold: 

  • When the number of players is small (roughly less than 18) we use a protocol which requires a threshold of [.c-inline-code]t<n/3[.c-inline-code];
  • When the number of players is larger, we use a protocol which requires a threshold of [.c-inline-code]t<n/4[.c-inline-code]; 

Here, [.c-inline-code]t[.c-inline-code] represents the number of bad players which the protocol can tolerate. 

The MPC protocols are based on Shamir Secret Sharing over Galois Rings, and provide robust protocols, i.e. ones which provide Guaranteed Output Deliver. In layman terms, if less than or equal to [.c-inline-code]t[.c-inline-code] parties are malicious, a correct output result will always be recovered by the other honest parties. 

Interestingly, when the total number of parties is small, our threshold decryption protocol requires a single round of communication, making it suitable to work over a wide-area network (WAN) where the round trip time between parties may be significant. For example, threshold decrypting up to 2048 ciphertexts takes less than a second when the protocol is run with ten parties. 

The most expensive part of the entire protocol suite is, by far, the key generation (which only occurs once during the protocol setup phase). However, Zama's implementation is highly parallelized such that it can be scaled horizontally if needed. 

Finally, the different building blocks that make up the threshold key generation and threshold decryption can be re-used independently, such as for research purposes. In the repository, users will find instructions on how to run our software and produce benchmarks for their own installation.

The protocol report: A deep dive in MPC

Alongside the library, we’re releasing a 250+ page technical report that formally describes the mathematics and protocols behind our MPC stack. This includes: 

  • Implementation of threshold cryptography for TFHE, which is supported in Zama products. 
  • Implementation of threshold versions of two other popular FHE schemes – BGV and BFV. (Note that these two schemes are currently only experimentally supported in our code base.)
  • The explanation of how threshold decryption and key generation are performed, as well as key resharing. 
  • Description of three different Zero-Knowledge Proof techniques verifying that a given fresh FHE ciphertext has been correctly encrypted (only two of these techniques are currently implemented in the TFHE-rs library).
  • Protocols for the CRS generation needed to implement the vector-commitment based ZKPoKs.

To keep the document approachable, we’ve focused on simplified versions of the THFE, BGV and BFV schemes. 

A call to the community

At Zama, we strongly believe in open source innovation. By sharing both our code and research, we aim to foster collaboration, transparency and progress in the field of FHE. 

We invite researchers, developers and cryptographers to explore and experiment with these resources, and share with us any feedback: 

Read more related posts

No items found.
Libraries
Concrete Concrete ML FHEVM TFHE-rs
Products & Services
Privacy-preserving Machine learningConfidential blockchainThreshold key management SYSTEM
Developers
BlogDOCUMENTATION GITHUB FHE resources Research papers Bounty Program FHE STATE OS
Company
Aboutintroduction to fheEventsMediaCareers Legal
Contact
Talk to an expertCONTACT USXDiscordTelegramALL community channels
Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world.If two parties have some sort of dealings, then each has a memory of their interaction. Each party can speak about their own memory of this; how could anyone prevent it? One could pass laws against it, but the freedom of speech, even more than privacy, is fundamental to an open society; we seek not to restrict any speech at all. If many parties speak together in the same forum, each can speak to all the others and aggregate together knowledge about individuals and other parties. The power of electronic communications has enabled such group speech, and it will not go away merely because we might want it to.Since we desire privacy, we must ensure that each party to a transaction have knowledge only of that which is directly necessary for that transaction. Since any information can be spoken of, we must ensure that we reveal as little as possible. In most cases personal identity is not salient. When I purchase a magazine at a store and hand cash to the clerk, there is no need to know who I am. When I ask my electronic mail provider to send and receive messages, my provider need not know to whom I am speaking or what I am saying or what others are saying to me; my provider only need know how to get the message there and how much I owe them in fees. When my identity is revealed by the underlying mechanism of the transaction, I have no privacy. I cannot here selectively reveal myself; I must always reveal myself.Therefore, privacy in an open society requires anonymous transaction systems. Until now, cash has been the primary such system. An anonymous transaction system is not a secret transaction system. An anonymous system empowers individuals to reveal their identity when desired and only when desired; this is the essence of privacy.Privacy in an open society also requires cryptography. If I say something, I want it heard only by those for whom I intend it. If the content of my speech is available to the world, I have no privacy. To encrypt is to indicate the desire for privacy, and to encrypt with weak cryptography is to indicate not too much desire for privacy. Furthermore, to reveal one's identity with assurance when the default is anonymity requires the cryptographic signature.We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak. To try to prevent their speech is to fight against the realities of information. Information does not just want to be free, it longs to be free. Information expands to fill the available storage space. Information is Rumor's younger, stronger cousin; Information is fleeter of foot, has more eyes, knows more, and understands less than Rumor.We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place. People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes, and couriers. The technologies of the past did not allow for strong privacy, but electronic technologies do.We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don't much care if you don't approve of the software we write. We know that software can't be destroyed and that a widely dispersed system can't be shut down.Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. The act of encryption, in fact, removes information from the public realm. Even laws against cryptography reach only so far as a nation's border and the arm of its violence. Cryptography will ineluctably spread over the whole globe, and with it the anonymous transactions systems that it makes possible.For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. Privacy only extends so far as the cooperation of one's fellows in society. We the Cypherpunks seek your questions and your concerns and hope we may engage you so that we do not deceive ourselves. We will not, however, be moved out of our course because some may disagree with our goals.The Cypherpunks are actively engaged in making the networks safer for privacy. Let us proceed together apace.Onward. By Eric Hughes. 9 March 1993.