up:: Foundations MOC
Secure Multi-Party Computation and Threshold Cryptography
Secure multi-party computation (MPC) and threshold cryptography split a secret or a computation across many parties so that no single one holds the whole thing, which removes the single point of failure that a lone private key represents. A threshold signature lets any t of n servers jointly sign without ever assembling the full key in one place, and MPC lets several parties compute a function of their combined inputs while each keeps its own input private.
The quantum answer for this area is a split that tracks the building block underneath. The secret-sharing core, Shamir’s scheme, is information-theoretically secure, meaning unbreakable regardless of computing power, quantum or otherwise. The exposure enters through the public-key primitives layered on top: a threshold scheme built on ECDSA or discrete-log signatures inherits exactly the quantum break that ends the underlying algorithm.
Source: NIST, “Threshold Schemes for Cryptographic Primitives,” NIST IR 8214, March 2019, NIST.
The short version:
- MPC lets several parties jointly compute on their private inputs without revealing them; threshold cryptography splits a key across parties so that a threshold
tofnis needed to use it, and no single party ever holds it whole. - The foundation of both is secret sharing, and Shamir’s secret sharing is information-theoretically secure: with fewer than
tshares an attacker learns nothing, no matter how much computing power they have. - Information-theoretic security is unconditional, so it is quantum-safe by default. A quantum computer offers no advantage against a scheme that reveals no information to break.
- The exposure sits in the public-key primitives built on top. Threshold ECDSA and other discrete-log threshold signatures inherit the Shor break of the algorithm they distribute.
- Lattice-based and hash-based threshold schemes are the post-quantum path, and NIST is running a standardization effort for exactly this multi-party, post-quantum threshold space.
Picture a bank vault that opens only when three of its five managers turn their keys at the same time. No single manager can open it, no lost or stolen key compromises it, and the vault’s contents stay sealed until enough of them cooperate. That splitting of authority is the whole idea of threshold cryptography, and if the keys themselves are simple physical keys, no amount of computing power picks a lock that was never a math problem. The vulnerability creeps in only when the “keys” are public-key signatures on a curve, because then a quantum computer can compute the master key from the public information, and the three-of-five rule protects nothing it could not already bypass.
What are MPC and threshold cryptography?
Secure multi-party computation and threshold cryptography are two closely related answers to the same problem: how to let a group of parties use a secret or run a computation together without any one of them holding the full secret or seeing the others’ inputs. They overlap heavily in practice, and the clean way to hold them apart is by what they distribute:
- Secure multi-party computation (MPC). A set of parties jointly evaluate a function of their private inputs, learning only the output and nothing about each other’s inputs. The textbook example is two millionaires learning who is richer without either revealing their net worth.
- Threshold cryptography. A single cryptographic operation, signing or decrypting, is distributed so that any
tout ofnparties can perform it together, while fewer thantcannot. The private key is split into shares and never reconstructed in one place. - Threshold signatures. The most deployed case of threshold cryptography, where
tofnparties jointly produce one signature that verifies against a single public key, used to protect high-value keys in custody and blockchain systems.
Source: NIST, “Threshold Schemes for Cryptographic Primitives,” NIST IR 8214, March 2019, NIST.
The shared engine underneath most of this is secret sharing, the technique of splitting a secret into shares so that a threshold number of them reconstructs it and any smaller set reveals nothing. Threshold cryptography uses secret sharing to split a key; MPC uses it, along with related tools, to keep inputs hidden during a joint computation. Because secret sharing is the common core, its security properties largely decide the quantum standing of the whole area, which is where the analysis starts.
Is secret sharing quantum-safe?
Yes, and it is quantum-safe in the strongest sense available in cryptography. Shamir’s secret sharing, introduced by Adi Shamir in 1979, is information-theoretically secure, which means its security does not rest on any computational assumption at all. An attacker holding fewer than the threshold number of shares learns literally nothing about the secret, and that guarantee holds against an adversary with unlimited computing power, including a quantum computer.
Source: A. Shamir, “How to Share a Secret,” Communications of the ACM, 1979, ACM.
The mechanism is why this holds. Shamir’s scheme hides the secret as the constant term of a random polynomial of degree t-1, and each share is one point on that polynomial. Recovering a degree t-1 polynomial needs t points, so with t-1 shares the remaining possibilities for the secret are all equally likely, and the missing share contributes irreducible randomness that no computation can resolve. There is no hard problem here for Shor’s algorithm or Grover’s algorithm to attack, because the security comes from a genuine absence of information rather than from a computation being expensive. This is a fundamentally different guarantee from RSA or ECC, whose security is only computational and therefore vulnerable to a fast enough algorithm.
Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, NIST.
So the secret-sharing core of MPC and threshold cryptography carries into the quantum era untouched. The quantum question for the field is entirely about what gets layered on top of that core.
Which parts of MPC and threshold cryptography are quantum-exposed?
The exposure comes from the public-key primitives that threshold schemes and MPC protocols are built to distribute, not from the secret sharing itself. A threshold scheme inherits the quantum verdict of whatever cryptographic operation it splits, so the classification runs cleanly along the same public-key-versus-symmetric line as the rest of the field:
- Threshold ECDSA and discrete-log threshold signatures are quantum-broken. BLS threshold signatures, threshold ECDSA, and threshold Schnorr all distribute a signature whose security is the elliptic-curve discrete logarithm problem. Splitting the key across parties does nothing against Shor’s algorithm, which recovers the whole secret from the single public key the scheme verifies against. The threshold protects against a corrupt insider, and it offers no defense against a quantum attacker who reads the master secret off the public key.
- The MPC protocol’s own building blocks matter too. Many MPC constructions use public-key tools like oblivious transfer or pairing-based commitments internally, and where those rest on discrete-log or factoring assumptions they carry a quantum exposure of their own that has to be checked separately from the secret sharing.
- Information-theoretic and symmetric building blocks are safe. Shamir secret sharing, information-theoretic MACs, and constructions built only on lattice or hash hardness carry forward, the same way AES-256 and SHA-256 do.
Source: NIST, “Threshold Schemes for Cryptographic Primitives,” NIST IR 8214, March 2019, NIST.
The practical trap here is a false sense of safety. A team can look at a threshold-signature deployment, see that no single server ever holds the key, and conclude the design is robust, which it is against insider compromise. That robustness says nothing about quantum resistance, because the shared public key still exposes the secret to Shor’s algorithm regardless of how many pieces the private key was split into. Splitting a quantum-broken key is still a quantum-broken key.
What replaces the quantum-exposed parts?
The replacement is to rebuild the threshold and MPC constructions on post-quantum foundations, which is an active standardization effort rather than a finished catalog. The path by piece:
- Move threshold signatures onto post-quantum bases. Threshold versions of lattice-based and hash-based signatures are the successors to threshold ECDSA and BLS. NIST is running a dedicated Multi-Party Threshold Cryptography effort to standardize exactly these post-quantum, multi-party schemes.
- Keep the information-theoretic core as is. Shamir secret sharing and other information-theoretic components need no change, because they were never resting on a computational assumption a quantum computer could break.
- Audit the MPC internals against quantum-hard assumptions. Any oblivious transfer, commitment, or key-agreement step inside an MPC protocol that leans on discrete-log or factoring gets swapped for a lattice-based or hash-based equivalent, the same swap the rest of the public-key layer undergoes.
Source: NIST, “NIST First Call for Multi-Party Threshold Schemes,” NIST IR 8214C, January 2026, NIST.
The migration lesson is that threshold cryptography and MPC are neither uniformly safe nor uniformly broken, so they demand a component-level look rather than a single verdict. The secret-sharing skeleton is unconditionally safe, and the public-key muscle bolted onto it is exactly as quantum-exposed as it would be standing alone. Sorting one from the other in a real deployment is the job of a cryptographic inventory, and swapping the exposed pieces cleanly is what crypto-agility is for. The comparison across the building blocks:
| Building block | Security type | Rests on | Quantum verdict |
|---|---|---|---|
| Shamir secret sharing | Information-theoretic | Nothing computational | Unconditionally safe |
| Threshold ECDSA / BLS | Computational | EC discrete log | Broken by Shor’s |
| Threshold Schnorr | Computational | Discrete log | Broken by Shor’s |
| Lattice / hash threshold signatures | Computational | Lattice or hash hardness | Post-quantum secure |
| Information-theoretic MACs | Information-theoretic | Nothing computational | Unconditionally safe |
Common misconceptions
- “Splitting a key across many parties makes it quantum-safe.” Splitting protects against a corrupt insider holding the whole key, and it does nothing against Shor’s algorithm, which recovers the secret from the shared public key however many shares the private key was split into.
- “MPC and threshold cryptography are all information-theoretically secure.” Only the secret-sharing core is. Threshold schemes built on ECDSA or discrete-log signatures are computationally secure and inherit the quantum break of the algorithm they distribute.
- “Shamir secret sharing needs a post-quantum upgrade.” It does not. Its security is information-theoretic, so it holds against an attacker with unlimited computing power and needs no change for the quantum era.
- “A threshold signature is safe because no server ever sees the full key.” That property defends against insider compromise. Quantum safety depends on the signature’s underlying math, and a threshold ECDSA scheme rests on the quantum-broken elliptic-curve discrete logarithm.
- “If secret sharing is quantum-safe, my whole MPC system is quantum-safe.” The secret sharing is safe, and the public-key building blocks inside the protocol (oblivious transfer, pairing commitments, key agreement) may not be, so the system needs a component-level audit.
Questions people ask
Is secure multi-party computation quantum-safe? It depends on the building blocks. The secret-sharing core (Shamir’s scheme) is information-theoretically secure and therefore unconditionally quantum-safe, while any public-key primitives inside the protocol that rest on discrete log or factoring inherit the Shor break.
Are threshold signatures quantum-safe? Not if they distribute a quantum-broken algorithm. Threshold ECDSA, threshold Schnorr, and BLS threshold signatures all rest on the elliptic-curve discrete logarithm problem, so Shor’s algorithm breaks them despite the key being split. Lattice-based and hash-based threshold signatures are the post-quantum successors.
Is Shamir secret sharing post-quantum secure? Yes, unconditionally. It is information-theoretically secure, so with fewer than the threshold number of shares an attacker learns nothing regardless of computing power. There is no hard problem for a quantum computer to attack.
Why doesn’t splitting a key protect it from quantum attack? Because a threshold scheme still verifies against a single public key, and Shor’s algorithm recovers the secret from that public key directly. The split defends against a corrupt insider assembling the key, which is a different threat from a quantum attacker computing it from public information.
What does information-theoretic security mean? It means security that holds against an attacker with unlimited computing power, because the scheme reveals no information to break rather than relying on a computation being too expensive. Shamir secret sharing has it, which is why it is quantum-safe by default while RSA and ECDSA, which are only computationally secure, are not.
What is NIST doing about post-quantum threshold cryptography? NIST is running a Multi-Party Threshold Cryptography effort, with its first call for post-quantum, multi-party threshold schemes published in NIST IR 8214C, aimed at standardizing threshold constructions that rest on quantum-hard foundations rather than the discrete logarithm.
Everything here is the map, given freely. When your team needs its own MPC and threshold deployments sorted into the parts that already survive the quantum transition and the discrete-log pieces that have to move, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.