In a threshold public key encryption scheme, the secret (decryption) key is split into a number of secret shares, and distributed to independent servers, so that any *t* shares can be used for decryption, but ciphertexts retain security against any collusion of *t-1* servers, holding less that *t* shares. Lattice-based threshold encryption schemes were first considered by Bendling and Damgard.

**Threshold Decryption and Zero-Knowledge Proofs for Lattice-Based Cryptosystems**

(*Bendlin & Damgard*- TCC 2010)

The notion of threshold public key encryption extends to homomorphic encryption schemes, and has applications to multiparty computation, e.g., see (2) and (5). Techniques for sharing lattice trapdoors and add threshold features to general cryptographic primitives are explored in (3) and (4)

**Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE**

(*Asharov, Jain, Lopez-Alt, Tromer, Vaikuntanathan & Wichs*- Eurocrypt 2012)**How to share a lattice trapdoor: Threshold protocols for signatures and (H)IBE**

(*Bendlin, Krehbiel & Peikert*- ACNS 2013)**Threshold Cryptosystems from Threshold Fully Homomorphic Encryption**

(*Boneh, Gennaro, Goldfeder, Jain, Kim, Rasmussen & Sahai*- Crypto 2019)**Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority**

(*Chen, Hazay, Ishai, Kashnikov, Micciancio, Riviere, Shelat, Venkitasubramaniam & Wang*- S&P 2021)

Other papers

**Lattice Based Efficient Threshold Public Key Encryption Scheme**

(*Singh, Rangan & Banerjee*- JWMNUCDA 2013)**Identity-Based Threshold Encryption on Lattices with Application to Searchable Encryption**

(*Kuchta & Markowitch*- ATIS 2016)**Lattice-based identity-based resplittable threshold public key encryption scheme**

(*Singh, Rangan & Banerjee*- IJCM 2016)