Multi-Server Secure Aggregation

• Multi-server secure aggregation is a cryptographic primitive that enables distributed clients to compute aggregate functions without revealing individual inputs.
• It leverages additive secret sharing, masking, and coded aggregation to ensure robustness and collusion resistance under diverse network and failure conditions.
• Benchmark results indicate high accuracy and low communication overhead, making these protocols effective for federated learning and privacy-preserving data analysis.

Multi-server secure aggregation is a cryptographic and information-theoretic primitive enabling a set of distributed clients (users) to compute an aggregate function (typically sum, sometimes linear forms) of their private inputs under the orchestration of multiple aggregation servers, without leaking any individual input to any party or coalition below a provable security threshold. Multi-server architectures are a departure from traditional single-server secure aggregation, aiming to increase robustness, fault-tolerance, and collusion-resilience in federated learning, privacy-preserving data analysis, and secure database query systems.

1. System Models and Security Notions

Multi-server secure aggregation protocols instantiate a variety of system models, determined by the communication topology (client-server, server-server hops), collusion assumptions, data locality, and link reliability. Core participants are:

• Clients $P_i$, each with local data %%%%1%%%% or $\mathbb{R}^d$.
• $K$ (or $U$) servers $S_j$, which may be fully connected, partitioned, or organized hierarchically.

Key threat models include:

• Semi-honest and honest-but-curious servers, some of which may collude or act maliciously.
• Client collusion with servers, up to a parameter $T$.
• Byzantine clients performing arbitrary or adversarial updates.
• Straggler and unreliable links (per-client, per-server failures), requiring resiliency.

Protocols guarantee:

• Information-theoretic secrecy: no coalition below the threshold learns more than the aggregate.
• Correct aggregate computability for all non-straggler clients/servers.
• Efficiency under arbitrary dropout or link failures.

The formal security is often expressed via equations such as (from (Li et al., 11 Jan 2026)): $$I( \text{observable messages} ; \{ x_i \}_{i \notin \mathcal{T}} | f(\{x_i\}), \{x_j\}_{j \in \mathcal{T}} ) = 0,$$ where $\mathcal{T}$ indexes colluding users, and $f$ is the aggregate function.

2. Protocol Design Principles

Fundamental design building blocks in multi-server secure aggregation include:

2.1. Additive Secret Sharing and Masking

Protocols extend Shamir's secret sharing ($t$-out-of-$c$ threshold) and Lagrange polynomial interpolation to support additive masking with collusion-resilient redundancy (Gupta et al., 2020, Liang et al., 2023, Li et al., 11 Jan 2026, Herath et al., 10 Sep 2025):

• Data shares $s_j = f(j)$, for random polynomial $f$ with secret $s = f(0)$.
• Clients mask their updates with pairwise or global random pads, so that masks sum to zero over all clients, cancelling in the final aggregation.
• Servers receive coded shares, which are statistically independent of the underlying data unless a collusion threshold is reached.

2.2. Dual- and Multi-Server Architecture

DSFL (Herath et al., 10 Sep 2025) employs two non-colluding servers ("Trust Provider" and "Service Provider"), where clients generate two masked shares: $$w_i^{(1)} = w_i + \zeta_i,\quad w_i^{(2)} = w_i - \zeta_i$$ with Gaussian noise $\zeta_i \sim \mathcal{N}(0,\sigma^2 I)$, guaranteeing that no server sees both shares from any client. Multi-server systems generalize this to $K$ or $U$ servers, often using multi-secret sharing (e.g., Lagrange-coded shares at distinct server points, with masking randomness) (Huang et al., 30 Jun 2025, Li et al., 11 Jan 2026).

2.3. Coded Aggregation and Noise Alignment

Wireless multi-server secure aggregation employs code-based secret sharing and artificial-noise alignment to secure transmission across fading channels (Huang et al., 30 Jun 2025). Shares are sent in segments, with users alternating as noise providers to prevent leakage to unintended servers. This leverages secure degrees-of-freedom (DoF) results from multi-access X-channels with helpers.

2.4. Group-Based Filtering and Robustness

To address active adversaries and Byzantine participants, DSFL (Herath et al., 10 Sep 2025) introduces group-based overlap structures (Participant Combination Matrix; PCM) and filtering mechanisms. Aggregated group shares and deviation scores enable identification and isolation of malicious clients via robust statistics (e.g., Euclidean distance to global average, median splitting). This enhances resilience compared to naive secure sum protocols.

2.5. Key Rate and Communication Optimization

The optimal rate region for multi-server secure aggregation captures the minimal communication and key randomness required for security under user collusion (Li et al., 11 Jan 2026). For $U$ servers, $V$ users/server, and collusion threshold $T$: $$R_X \geq 1, \quad R_Y \geq 1, \quad R_Z \geq 1, \quad R_{Z_\Sigma} \geq \min \{ U + V + T - 2,\ UV - 1 \}$$ where $R_X$, $R_Y$ are user-to-server and server-to-server rates, $R_Z$ the individual key rate, and $R_{Z_\Sigma}$ the source key rate. Multi-server architectures are more key-efficient than single-server, especially for moderate $T$.

3. Protocol Workflows and Algorithms

3.1. DSFL Dual-Server Protocol (Herath et al., 10 Sep 2025)

Each aggregation round has:

1. Share Generation: Each client computes two masked shares, sends one to each server.
2. Byzantine Filtering: Trust Provider partitions clients into overlapping groups, computes group sums, and deviation-based client statistics using PCM and Contributed-Participant Group (CPG) matrices. Honest majority clients are selected.
3. Secure Aggregation: Each server aggregates its shares for the selected subset, with final global model reconstructed by cancellation of noise, restorative only for honest clients. No server has enough information to reconstruct any client's raw update.
4. Fairness and Incentive Mechanism: Clients maintain credits, earn rewards or penalties per round; low credit leads to exclusion.

3.2. Lagrange Coding with Mask (LCM) (Liang et al., 2023)

For unreliable links and colluder resistance:

1. Pairwise Masking: Clients exchange masks so that final aggregation cancels all pads.
2. Secret Sharing: Masked gradients are split and secret-shared using Lagrange interpolation with added random paddings for colluder privacy.
3. Grouping Servers: Servers partitioned to achieve trade-off between uplink redundancy (resilience to stragglers) and downlink broadcast cost.
4. Aggregation and Decoding: Servers aggregate, clients decode the sum from sufficiently many shares, and mask-cancellation yields the global sum.

3.3. Secure Aggregation with User Collusion (Li et al., 11 Jan 2026)

1. Source Key Generation: Global masks generated so that any linear combination observed by a colluding server (plus up to $T$ users) is perfectly hidden.
2. Encoding and Transmission: Users create masked messages sent to servers; servers aggregate and broadcast.
3. Decoding: Each server combines own and received aggregates to recover the global sum (see the proof sketch above).

4. Efficiency, Scalability, and Practical Considerations

Empirical benchmarks on MNIST, CIFAR-10, and CIFAR-100 (Herath et al., 10 Sep 2025) show DSFL achieves $97.15\%$ accuracy (CIFAR-10), $68.60\%$ (CIFAR-100) even under $30\%$ Byzantine client fraction, with runtime $55.9$ ms and $1088$ KB communication per round (FedAvg drops to $9.39\%$ accuracy under same threats). Compared to homomorphic encryption (HE)-based and differential-privacy aggregation protocols, multi-server additive-sharing protocols are significantly lighter in runtime and communication.

Communication and computation trade-offs are tunable via the group size (LCM scheme (Liang et al., 2023)), and the communication loads are provably optimal or within a constant factor of optimal (Huang et al., 30 Jun 2025, Li et al., 11 Jan 2026).

Protocols based on decentralized threshold additive homomorphic encryption (DTAHE) provide linear aggregation with flexible fault tolerance, leveraging on-chain smart contracts to audit and enforce correct server-side computation (Tian et al., 2021). Lattice-based HE schemes exhibit server-efficient decryption (FinDec), while elliptic-curve constructions minimize client-side (Share/ParDec) costs.

5. Extensions: Query Systems and Additional Functionalities

Obscure (Gupta et al., 2020) generalizes multi-server secure aggregation to privacy-preserving query processing over outsourced secret-shared data:

• Supports aggregation queries (COUNT/SUM/AVG/MAX/MIN/TOP-$k$) with complex predicates while hiding access and query patterns.
• Employs Shamir secret sharing, accumulating automata for string-matching, order-preserving SSS for numeric columns, and does not require inter-server communication.
• Optional result verifiability algorithms (e.g., checksum columns) detect server misbehavior.
• Empirically scales to millions of tuples, outperforming prior MPC-based approaches in complexity and scalability.

6. Comparisons, Limitations, and Research Directions

Multi-server secure aggregation offers improvements over single-server protocols in resilience (straggler, dropout, Byzantine protection), key-efficiency, collusion resistance, and communication scalability. Key insights:

• Additive non-cryptographic masking enables minimal cost, linear scaling, and information-theoretic privacy (Herath et al., 10 Sep 2025, Li et al., 11 Jan 2026).
• Order-optimal communication under strict security is achievable via coding/secret-sharing (Huang et al., 30 Jun 2025, Liang et al., 2023).
• Group-based filtering and incentive mechanisms provide robustness and enforce fair participation.
• Query systems such as Obscure extend aggregation to generalized database scenarios with security, obliviousness, and verifiability.
• The security/efficiency trade-offs are tightly characterized; future research includes deeper neural-network aggregation, post-quantum multi-party computation, and deployment in edge-IoT/mobile federated learning environments.

A plausible implication is that as federated learning deployments scale in participants and edge heterogeneity, multi-server secure aggregation will become the de facto primitive for robust, efficient, and provably private distributed computation.