Communication-Efficient and Privacy-Preserving Verifiable Aggregation for Federated Learning

Federated learning is a distributed machine learning framework, which allows users to save data locally for training without sharing data. Users send the trained local model to the server for aggregation. However, untrusted servers may infer users’ private information from the provided data and mistakenly execute aggregation protocols to forge aggregation results. In order to ensure the reliability of the federated learning scheme, we must protect the privacy of users’ information and ensure the integrity of the aggregation results. This paper proposes an effective secure aggregation verifiable federated learning scheme, which has both high communication efficiency and privacy protection function. The scheme encrypts the gradients with a single mask technology to securely aggregate gradients, thus ensuring that malicious servers cannot deduce users’ private information from the provided data. Then the masked gradients are hashed to verify the aggregation results. The experimental results show that our protocol is more suited for bandwidth-constraint and offline-users scenarios.


Introduction
Federated learning (FL) [1][2][3] is a distributed machine learning framework proposed by Google for privacy protection.In this framework, the involved users can conduct independent training and collaborate with the central server to obtain a high-performance shared global model.Unlike traditional distributed machine learning [4,5], users train their models locally instead of directly sharing private data.The server aggregates users' trained local parameters or gradients rather than training on their data.Therefore, FL addresses concerns related to data privacy, data ownership, and data silos [6][7][8].
However, in the federated learning framework, the central server is generally considered untrusted and may infer the private data of users.Recent research [9][10][11] shows that adversaries can directly reconstruct users' original data from the shared gradients.This means that an unreliable server can easily extract users' private information from the transmitted gradients.Additionally, a malicious central server driven by self-interest may return incorrect results to users to conserve computing resources [12,13], leading to increased training iterations and a low-precision global model.Hence, protecting user privacy and ensuring data integrity are critical concerns within federated learning training protocols.
To address the above issues, Xu et al. [14] proposed a privacy-preserving and verifiable federated learning approach using secret sharing and homomorphic signatures.However, as the dimension of the vector increases, this method will greatly increase communication costs.The method proposed in reference [15] can efficiently validate results using commitment techniques and linear homomorphic hashing.However, it requires users to share hash and commitment values, resulting in additional communication overhead.Furthermore, ref. [16] introduced a model recovery attack on shared gradients hashes and suggested using shared vectors for verification.Nonetheless, the direct sharing of a verification vector can impose a significant communication burden on resource-constrained devices such as edge devices and sensors.
In this paper, we propose a communication-efficient and privacy-preserving verifiable aggregation federated learning protocol to facilitate training on limited bandwidth devices.Specifically, we utilize a single mask mechanism [17] to encrypt the gradients, ensuring privacy-preserving gradients aggregation.Additionally, we design a verification method to authenticate the integrity of the aggregated results against malicious server attacks.Our contributions can be summarized as follows: • We propose a communication-efficient and privacy-preserving aggregation framework for the federated training process.By employing the additive homomorphism property of secret sharing, we protect the privacy of user information, while a homomorphic hash function enables verification.

•
We devise a novel strategy to counter model recovery attacks.By employing homomorphic hashing on the masked gradients rather than directly hashing the gradients, we effectively protect users' privacy against model recovery attacks on gradients hashes.

•
We give a comprehensive security analysis to prove the high security of our scheme.Besides, extensive experiments demonstrate that our scheme has high communication efficiency with a moderate increase in computational costs.
The rest of the paper is organized as follows: we provide related work in Section 2, introduce preliminaries in Section 3, and describe the system model of our scheme in Section 4. After that, we discuss the construction of our scheme in detail in Section 5.The security analysis is provided in Section 6. Experiment evaluation of the proposed scheme is presented in Section 7. Finally, we conclude our paper in Section 8. Additionally, the abbreviations are used in the paper as follows.
In DP, Abadi et al. [18] proposed a training algorithm for differential privacy protection, which can obtain a more rigorous estimate of total privacy loss through quantitative analysis of privacy.Zhou et al. [19] proposed a differential privacy federated learning approach for detecting and filtering anomalous parameters uploaded from malicious terminal devices through edge node validation.However, methods based on differential privacy can cause a loss of global model accuracy owing to the introduction of random noise.In HE, Phong et al. [9] proposed a privacy-preserving deep learning model based on additive HE, which can realize high-precision model training in asynchronous federated learning.Park et al. [21] proposed a distributed homomorphic cryptosystem for implementing a privacy-preserving federated learning scheme.However, in the HE methods, the use of the same key pair by all users can lead to severe information leakage if users collude with the server.Additionally, the computation and transmission costs of ciphertexts are significant and may not be suitable for scenarios with resource-constrained devices that may dropout.
To address the privacy and dropout concerns on resource-constrained devices, some federated learning approaches have been proposed.Zhao et al. [29] characterized the optimal communication cost for the information-theoretic secure aggregation problem.Bonawitz et al. [23] designed a double-mask mechanism using SMC techniques for implementing privacy-preserving federated learning.To mitigate the supplementary overhead introduced by handling dropped users' seeds in [23], So et al. [27] employed a oneshot aggregate-mask reconstruction approach to achieve secure aggregation in federated learning.Jahani-Nezhad et al. [30] proposed a secure aggregation protocol for federated learning systems that reduces communication overhead without compromising security.Schlegel et al. [28] proposed two privacy-preserving federated learning schemes to mitigate the impact of user dropout.Du et al. [22] proposed a threshold multi-key homomorphic encryption scheme to achieve secure, robust, and efficient federated learning training.Lu et al. [24] designed a secure aggregation protocol called Top-k SparseSecAgg to reduce communication cost and training time.

FL with Verifiable Computation
Many works have been proposed in verifiable federated learning.Xu et al. [14] proposed a privacy-preserving and verifiable federated learning scheme named VerifyNet.They used bilinear pairing and hash functions to achieve results verifiability, and used shamir secret sharing to achieve secure aggregation of gradients.However, the protocol requires users to use zero-knowledge proofs, and its communication cost increases linearly with the number of gradients.Furthermore, as mentioned in the attacks discussed in [16], the hashes allow malicious servers to infer users' private data.Guo et al. [15] proposed VerifL, a communication-efficient and fast verifiable aggregation federated learning scheme, which achieved the verification communication independent of vector dimension.They utilized linearly homomorphic hash and commitment techniques to verify the aggregation results.However, it is vulnerable to the same attacks as mentioned in [16].Zhang et al. [31] proposed a privacy-preserving and verifiable federated learning scheme that used Paillier encryption for gradients protection and bilinear aggregation signature for verification of the aggregation results.However, since users use the same encryption and decryption key, user privacy may be leaked if a malicious user colludes with the server.In the bilinear aggregation signature verification scheme, users generate signatures of gradients and send them to the server for aggregation.Users then verify whether the aggregated signature is equal to their own signature.However, a lazy server can aggregate only partial user gradients and signatures and send them to users for verification, which can pass the verification process.Additionally, the bilinear aggregation signature has a high verification cost.
Based on this, this paper aims to propose an aggregation verifiable federated learning method with efficient communication and privacy protection.Firstly, our approach can protect users' private data against attacks from malicious servers and colluding users.On the other hand, in scenarios where bandwidth is extremely limited, our approach has a small communication overhead.Specifically, we compare the features of our approach with other existing solutions in Table 1.--VerifyNet [14] VeriFL [15] Versa [16] Ours

Federated Learning
Federated learning is a distributed machine learning framework.A server and multiple users work together to train a model.Suppose there are n users and a server in federated learning, and each user locally saves the dataset Each user downloads the latest global model w t−1 from the server during an iteration.The loss function

Secret Sharing
Shamir secret sharing [32] divides a secret s into n secret shares, and only when the secret shares are greater than or equal to t can the secret s be reconstructed.For a Shamir (t, n) threshold scheme, let U = {u 1 , u 2 , . . ., u n } be a set of shared key users.In our scheme, u i represents the index number uniquely identifying the user.User u s represents a secret holder.The scheme is as follows: • SS.Share (s, t, U): For the secret s ∈ GF(q), q > n, the user u s selects any t − 1 positive integers to construct a polynomial f ( , the secret holder can calculate the coefficients s, a 1 , . . ., a t−1 of the polynomial f (x) using Lagrange interpolation and obtain the secret s.To reduce the computation, we adopt a simpler method of calculating the secret sum: Shamir secret sharing satisfies additive homomorphism [33].For example, suppose two users, u 1 and u 2 , possess secrets s 1 and s 2 , respectively.To secretly share the secret s 1 among n users in U, user u 1 employs the function SS.Share (s 1 , t, U) to select a polynomial f (x) = s 1 + a 1 x + a 2 x 2 + . . .+ a t−1 x t−1 (mod q) and calculates n shares of s 1 , denoted as {u i , f (u i )}, which are sent to the corresponding users u i .Similarly, user u 2 uses the function and distributes shares {u i , g(u i )} to the users u i .Consequently, each user u i can locally compute {u i , ( f (u i ) + g(u i ))}.Then, in collaboration with other users where the number of users involved is greater than t, the secret s 1 + s 2 can be reconstructed using the function SS.Recon ({u i , ( f (u i ) + g(u i ))} u i ∈U , t).Similarly, it can implement shared refactoring of any number of secrets.

•
HHF.Gen (1 k , 1 d ): This algorithm initializes the system parameters by entering a random parameter k and a dimension d.The algorithm outputs common parameters pp, including the elliptic curve group G of order q, its generator g and d distinct elements g 1 , g 2 , . . ., g m ∈ G. • HHF.Hash (x): Input a m dimension vector x, the algorithm will output the hash value Input k hash values, this algorithm calculates the combination of hashes h ← ∏ k i=1 h i .It satisfies the equation h = HHF.Hash(x 1 + x 2 + . . .+ x k ).Collision-resistant: HHF is said to be collision-resistant if there is no adversary A that can satisfy the following experiment with non-negligible advantage.
One-way: HHF is said to be one-way, if for any PPT adversary A that can satisfy the following experiment with non-negligible advantage for the security parameter k and the vector dimension m.

Adv one
A,HHF (k

Key Agreement
In our scheme, Diffie-Hellman (DH) [35] key agreement protocols allow any two users to negotiate a key.This protocol consists of three algorithms: KA.Setup, KA.Gen and KA.Agree.

•
KA.Setup (1 d ): The algorithm inputs a security parameter k and outputs a public parameter pp.• KA.Gen (pp): The algorithm will output a key pair (pk i , sk i ) for user u i as input pp.• KA.Agree (sk i , pk j ): This algorithm inputs the private key sk i of user u i and the public key pk j of user u j , and output an agreed key s ij .

System Model
In this section, we first describe our system framework and communication model, introduce the threat model of our scheme, and define the design goals.

System Framework and Communication Model
We focus on how multiple users collaborate with the server to train a model with good performance.Each user is a mobile device that stores a dataset and can connect to the server.Our model consists of three entities: a trusted third party, a central server and users, as shown in Figure 1.Trusted third party (TA): TA is mainly responsible for parameter initialization.It generates public and private key pairs and system parameters for each user participating in the training.Then it distributes these key pairs to the corresponding users and forward the general parameters.
User: Each user who stores the dataset locally can voluntarily choose whether to connect to the server and participate in model training.However, they may be due to network delay, system disconnection, system timeout, or active exit at any time [17].In each iteration, users train with their local datasets to obtain the gradients and send the encrypted gradients and verification label to the server.After the completion of serverside aggregation, users are provided with the aggregated results and the corresponding verification proofs.Then, users verify the correctness of the aggregated results.
Central server: A server with sufficient computing resources which does not have a training dataset, and needs to collaborate with users to train a global model.The central server is responsible for aggregating gradients of encryption to update the worldwide model.It sends the aggregated results and verification proofs back to each user.
The protocol of our scheme is mainly divided into five rounds.Each interaction between the server and users is recorded as a round.If any round finds that the online users are less than t, the protocol stops immediately.The detailed content is as follows: • Initialization: TA distributes system parameters to users and the public key of user will be shared.• Round 1: User shares a secret with other online users, which will be encrypted using the public key.• Round 2: User sends the encrypted model and the verification label to the server.• Round 3: User produces a share which will be used for refactoring the secrets and sends it to the server.The server calculates aggregated results and aggregate verifiable labels.• Round 4: User verifies the integrity of the aggregated results using verification proofs.

Threat Model
We adopted a threat model similar to reference [16], in which TA is a fully trusted entity that does not engage in any collusion.In this model, the server is considered malicious and attempts to deduce users' training data.In addition, the server may manipulate the aggregation results to deceive users for unlawful purposes.We assume that users are honest-but-curious entities who correctly perform the training process and upload the masked gradients and verification label.However, users may try to deduce other users' private data from the server's returned results.Moreover, we consider the potential collusion between users and the server in practical federated learning scenarios, and the number of colluding users does not exceed the threshold value t in the context of secretsharing.We exclude the scenario where users and the server collude to pass the verification process in our work.This is because multi-client verifiable computations fail to attain verifiability when the user colludes with the server, as demonstrated in [37].

Design Goals
In the system model, our work needs to meet the following two design objectives: • Privacy-preserving: Privacy preservation is an essential part of federated learning.Therefore, our scheme must ensure that users' private data can resist the adversaries' attacks.

•
Integrity verification: In federated learning, each user's data are stored locally and trained locally.They can get a high-quality model by receiving the aggregated results returned by the server.If the server manipulates the aggregation results to deceive users, it could significantly impact their training.Therefore, our scheme ensures that the server cannot forge the aggregation results to deceive users into passing the verification process.

Overview
In this section, we provide a detailed description of the structure of our proposed solution.We will focus on addressing two issues: (1) how to securely aggregate without disclosing users' sensitive information, (2) how to perform aggregation results' integrity verification more efficiently in the context of limited bandwidth.
Before the system iteration training begins, the server will select a certain proportion of users to participate.The chosen users engage in five rounds of interactions with the server, as depicted in Figure 2.During these five rounds of interactions, users may exit the training protocol at any time due to network latency or other issues.We establish in Theorem 2 that even if some users prematurely terminate the training protocol, our proposed approach can still proceed without disruption.Each selected user possesses a unique and valid identity ID, denoted as i or j.Each user gets its local gradients after each round of training.Then each user adopts the single mask mechanism to encrypt gradients to obtain [[x i ]] and hash function to calculate the verification label T i at the same time.Each user will upload [[x i ]] and T i to the central server.After receiving the data uploaded by users, the central server aggregates the encrypted gradients and verification labels.Then it returns the aggregated results and verification proofs to users.Finally, each user will verify the correctness of the aggregation results.If the verification passes, the aggregation results will be used for the next round of local training.Otherwise, users will exit the training protocol.

Initialization
The initialization phase of the system is mainly guided by TA, which generates system parameters and public private key pairs for each user before training the model.First, TA generates public/secret keys (u pk i , u sk i ) for each user and distributes them.In addition, a random seed s and hash parameters g 1 , g 2 , . . ., g m are also generated and forwarded to all users.Before users start training, the server randomly generates the learning rate α and initializes the model parameter w and sends them to users.Upon receiving these parameters, each user shares its public key with other users through the server to establish a shared encryption key for exchanging secrets.

Secure Aggregation
This section aims to protect users' training model information from leakage.We use a single mask protocol to encrypt the gradients of users.Single mask mainly utilizes the homomorphism of secret sharing to achieve secure aggregation.The single mask method has stronger user dropout robustness than the double mask method.
We simply use a single mask to encrypt the gradients.Each user generates a mask r i and calculates If the server wants to get the aggregated results ∑ u i ∈U x i , it must know the aggregated mask R = ∑ u i ∈U r i .However, the server cannot ask users to send r i , as this would directly disclose the values x i .A way of the server refactoring R is to utilize the homomorphism of secret sharing R = Share ∑ r i = ∑ Share r i , so the server only needs to get all the shares of r i to reconstruct R. User i generates n secret shares of r i before sending the encrypted gradients.One share of r i is represented by r j i , which represents the share of the secret r i sent by user i to user j.Thus, each user can obtain r i j from other users.The r i j is only part of the information held by the user i about r j .The server will ask the online users i to send R i = ∑ u j ∈U r i j , then the server calculates ∑ u j ∈U R i = R. Since user i only knows r i j but not r j , and the server only knows R i but not r i , they cannot learn anything about x i .This single mask mechanism is much more robust against user dropout.If some users drop out of the protocol during the aggregation phase, then the server does not receive any model information for these users.The server only needs to send the set of online users during the aggregation phase to each user.Each user will then aggregate the r i j value of the online users set.So long as the number of users online exceeds the threshold value t, the server can reconstruct R. So, the aggregation results can be calculated correctly.As mentioned above, we have designed a simple protocol for secure summation on the server side.However, the effectiveness of our approach is wider than summation alone; it can also support weighted average aggregation.As shown in [38], a method is proposed to enhance models' convergence speed and accuracy in a federated learning setting with noni.i.d.data distribution by employing unbiased gradients aggregation.In this context, the server needs to aggregate To accommodate weighted average aggregation in this manner, we utilize two masks, r i and r i , to encrypt the users' weighted gradients and data size.r i is shared among users in the same way as r i .The encrypted data are represented as y i = |D i |x i + r i and c i = |D i | + r i .Afterwards, these encrypted data are sent to the server.The server can decode to obtain the sum without knowing the individual values of |D i |x i and |D i |, thus achieving effective and secure weighted aggregation.

Verification Phase
In this section, we will describe the verifiability of the protocol for the aggregated results.It is mentioned in [16] that if the value of the gradients hash is sent to the server as a verification label, the gradient entries generated by SGD rules form a bell-shaped distribution around zero because the values of the model parameters (gradients) are highly partial.In addition, since all users share the same private key, this is susceptible to bruteforce attacks by malicious users in collusion with the server, so that the encoded gradients can be recovered in a brute-force attack on the victim's homomorphic hash output in a relatively short time.
First, TA will send system parameters to users, including homomorphic hash parameters and a random number.The function of the random number s is to mask the gradients of the previous section twice, to prevent the server from forging the aggregation results and then taking the hash of the aggregation results as proof to deceive the user into passing the verification.User i encrypts the gradients as follows: where PRG is the pseudorandom generator.The user then utilizes the homomorphic hash function to generate a verification label: The user uploads [[x i ]], T i to the server.
Once the server receives encrypted gradients and verification labels, it performs two aggregations.The first aggregation is to calculate the aggregation results: And the second aggregation is to calculate verification labels to generate the aggregation results' proof as follows: Then the server returns the aggregation results X and the verification proofs T, R.
After receiving the aggregation results and verification proofs from the server, the user checks the following: HHF.Hash(X − nPRG(s) + R) = T. (5) If the equation is true, it represents that the server returns the correct aggregation results, and the user will use the aggregation results for the next round of training.Otherwise, the verification fails, and the user exits the protocol.

Correctness of the Scheme
In order to verify the correctness of our scheme, we prove the following theorems.
Theorem 1.If all users and the central server honestly execute our proposed protocol, the users can obtain the correct aggregation results, and the central server can pass the verification.
Proof.The central server aggregates all the encryption gradients as follows: Next, the server calculates the aggregation results: After receiving the aggregate results, the user calculates as follows: So, the user obtains the correct aggregation results and then performs the following hash calculation: If the server executes the protocol correctly, the aggregated hash is: = HHF.Hash( ∑ So, the server will pass the verification if Equation ( 9) equals Equation (10).
Theorem 2. Although some users may drop out of the training protocol, our proposed approach can still be effectively executed as long as the number of dropouts remains below the predefined threshold t.
Proof.(Outline) In our proposed scheme, the impact of user dropout is limited to rounds 2 or 3. Let U 2 be the set of online users in round 2, from whom the server receives only the encryption gradients and verification labels.The server then performs an aggregation operation to eliminate ∑ u i ∈U 2 r i , and sends U 2 to the users in round 3. Users in round 3, who have saved the secret shares of U 2 , send the sum of these user shares to the server.If the number of users in round 3 is greater than or equal to t (i.e., the server has received at least t shares of R), the server can reconstruct R = ∑ u i ∈U 2 r i .The verification process follows a similar approach as the aggregation process.
Theorem 3. The homomorphic hash function used in our approach can effectively verify the result of gradients aggregation.
Proof.Each user computes a verification label, the hash of masked gradients , where m is the gradients' size.The server aggregates the verification labels as follows: Based on homomorphic properties, we can derive the following: HHF.Hash(y i ) = HHF.Hash(y 1 + y 2 + ... + y n ) = HHF.Hash(X + R). (12) From this, we can conclude that the server can perform another form of aggregation on the y i without knowing its specific value, thus achieving effective verification of the system.

Security Analysis
In this section, we demonstrate the security of our scheme in terms of users' data privacy and integrity verification.

User Privacy
This section provides a demonstration that user privacy is protected.We use a similar proof method as that in [17].We use Lemma 1 to prove that the encryption gradients of user uploads are secure.Theorem 4. Fix n, s, U, r i with |U| = n and {x i } u i ∈U , where ∀u i ∈ U, x i ∈ Z m R , there is : where "≡" means having the same distribution, we have omitted this proof as it is simple.
We use Theorem 4 to prove the privacy of the encrypted gradients uploaded by users.The encrypted gradients consist of x i , r i and PRG(s).According to Theorem 4, the distribution of [[x i ]] is the same as I i .If an adversary possesses the sum of r i and PRG(s), he/she can obtain x i from [[x i ]] due to the random distribution of I i .However, the adversary must acquire at least t shares to reconstruct r i and obtain the sum of r i and PRG(s).Thus, the adversary cannot obtain any information about x i , indicating that our scheme maintains the security of the encrypted gradients during transmission, thereby ensuring user privacy.Since the encrypted gradients are not highly partial for the hash value uploaded by users, the encrypted gradients are hashed and then uploaded to the server.So, a malicious server cannot infer users' private data according to the uploaded results, and it will not lead to the model recovery attacks like the one mentioned in [16].

Integrity Verification
Theorem 5.According to the collision resistance and one way of HHF, a server cannot forge the aggregation results to pass the verification.The server returns the aggregation results X and the verification proofs T, R. Assume V = X + R; the result returned by the server is represented by V, T. We assume that the server is the adversary.There are only two ways for the server to falsify results, and we will show that falsifying proofs in either of these ways will not pass verification.
(1) The server tries to forge V or T to pass the verification: In this case, the server forges V or T in round 3. We denote the forged results as V f , T f and the correct ones as V, T. Assume that the server only forges V to pass the verification, so V = V f and T = T f .Let H denote the correct hash value computed by the user and H f represent the falsified hash value.We can obtain that from the third section: Since T = T f , we can get H = H f according to Equation (14).However, According to the collision resistance of HHF, we can conclude that H = H f , since V = V f .This contradicts our previous assumption.The same argument holds true if the server forges T instead.Therefore, the server cannot pass the verification by forging V or T.
(2) The server tries to forge V and T to pass the verification: In this case, since the server can pass the verification, the following equation that users calculate holds: The adversary did not know s and V = V f because the adversary did not execute the aggregation protocol correctly.So, where s ∈ Z * q is a random vector guessed by the adversary.According to the one way of HHF, the probability of making Equation ( 16) valid is negligible.Therefore, the probability that the server wants to falsify the proofs to pass the verification is also negligible.

Experimental Setup
We executed our experiment on a workstation with Java1.8 running Windows 11, equipped with an IntelCore i7-11700K 3.6GHz CPU and 16.0GB of RAM.We used elliptic curve Diffie-Hellman, standard Shamir's t-out-of-N secret sharing and advanced encryption standard galois to implement KA, SS and AE, respectively.In our scheme and the other two schemes, we compared the computational costs at different stages, as shown in Table 2.We omitted the comparison of the server overhead because the server is typically a powerful entity with negligible aggregation costs.Additionally, we omitted the consideration of round 0 as it does not incur any computation overhead.The underlined figures represent the verification costs.We fix the gradients' size to 10,000.The table shows that our aggregation cost is slightly lower than the other two approaches, while the verification cost is significantly higher.Our approach's lower aggregation cost is attributed to the fact that we only use a single mask for aggregation.In contrast, the other two approaches employ double-mask encrypted gradients, requiring each user to compute the shared value ciphertext of two masks.The higher verification cost is due to adopting a more secure hash value to counter model recovery attacks from the adversary.In Versa, shared vector computation is used for verification labels.In VeriFL, each user employs linear homomorphic hashing and commitment for generating verification labels, which can lead to model recovery attacks, posing a significant privacy risk to users.
In the federated learning of privacy protection, user privacy, communication costs and the verifiability of the aggregated results are key issues during training, considering that modern edge mobile devices are typically equipped with high-performance processors but limited network bandwidth.Research [7,39] optimize the performance and efficiency of federated learning systems by increasing local computations and minimizing communication volumes.Furthermore, when it comes to transmitting sensitive data, a more cautious approach is required.It is essential to leverage local computational resources to minimize the transmission of private data.As seen in Section 7.2.2, the communication cost of our verification transmission is minimal, indicating that our approach is meant to reduce communication costs by increasing local computation overhead on edge mobile devices.

Communication Overhead
We also compared the other two schemes in terms of the communication overhead for aggregation and verification.
Figure 3 depicts the aggregated communication cost between each user and the server.It demonstrates that our proposed approach, and the other two increase linearly with the gradients' size and the number of users in outgoing communication costs.Moreover, our protocol exhibits lower costs than the other two approaches.This discrepancy arises from using a single masking technique for aggregation in our scheme, whereas the other two employ double masking techniques.In the double-mask scheme, users must share two mask values to ensure the security of the aggregation.Figure 4 illustrates the outgoing communication costs for verification between each user and the server.It shows that our proposed verification approach exhibits the lowest outgoing communication costs for both the user and the server, independent of the gradients's size or the number of users.This advantage stems from transmitting only a single hash value for verification.However, in VeriFL, these two metrics are of the gradients' size and increase linearly with the number of users.This is due to the necessity of users sharing their hash and commitment values.In contrast, these two metrics are independent of the number of users in Versa and increase linearly with the gradients' size.In their approach, users must send a verification vector of the same dimensions as the gradients.Therefore, our verification method is particularly suitable for scenarios with multiple participating users and high-dimensional gradients.

Other Experiments of Our Scheme
This section analyzes our scheme's computational and communication costs under different user dropout rates.In our experiment, we set the number of users n = 500, and the gradients' size m = 10, 000.

Computation Overhead
From Figure 5a,c, it can be seen that the running time of the server decreases as the user dropout rate increases.The main reason is that the server only needs to aggregate gradients and tags and recover shares of online users.As shown in Figure 5b, the dropout rate does not affect the computational cost, as most of the time is spent on computing hashes, while the decryption time of ciphertext for online users can be ignored.Figure 5d indicates that the user's computational cost of dropout is lower than that without dropout.This is because, in round 3, the user decrypts the online users' ciphertext.Based on the experimental results, our scheme exhibits stronger user dropout robustness, as evidenced by a decrease in its running time with an increase in the dropout rate.

Communication Overhead
Figure 6 shows the comparison of communication overhead and dropout rate between the server and each user.Specifically, Figure 6a and Figure 6c respectively demonstrate that the server's communication overhead increases linearly with the number of users and gradients' size and is independent of the dropout rates since the data sent by the server to each user remain constant regardless of the dropout rate.Additionally, Figure 6b,d show that the communication overhead per user under different dropout rates is uniform.Table 3 presents the outgoing communication overhead between the server and per user during different phases of our protocol.The underlined figures highlight the additional communication overhead associated with verification.Based on the table, we infer that the additional communication overhead caused by our verification process is minimal.This further confirms that our scheme is suitable for limited communication bandwidth settings.

Conclusions
This paper proposed a secure aggregation method that utilizes a single mask to encrypt gradients, providing a high level of privacy protection for users' local gradients and allowing them to dropout.In addition, we devised a novel approach to verify the integrity of the aggregation results by hashing the masked value, capable of resisting the adversary's attacks on the hash value in the federated learning framework.The experimental results demonstrate the efficiency of our approach in terms of communication costs for aggregation and verification.Therefore, our approach is effective in scenarios with limited bandwidth resources, solid computational capabilities, and frequent dropout of mobile devices.
However, our method also has some limitations.Firstly, the computational overhead of our scheme validation may be higher, which may not be suitable for devices with lower computing power, such as IoT devices and edge computing nodes.Secondly, our scheme requires five rounds of interaction to complete one iteration of training, leading to significant communication latency that hampers model training.Thirdly, in the event of incorrect results returned by the server, users cannot correct the aggregated results through available means.Therefore, it is necessary to further study the methods of reducing communication times and computing costs to achieve verifiable aggregation in federated learning training protocols.

•
AE.Gen (pp): The algorithm inputs a security parameter pp and outputs the secret symmetric key k.• AE.Enc (k, m): The algorithm inputs a symmetric key k and a message m, outputs ciphertext c. • AE.Dec (k, c): The algorithm inputs a symmetric key k and a ciphertext c, outputs plaintext m of c.

Figure 1 .
Figure 1.The system model of our scheme.

Figure 2 .
Figure 2. Our protocol in detail.

Figure 3 .
Figure 3.Comparison of outgoing communication overhead of our scheme with Versa and Verifl for aggregation.(a) Outgoing communication overhead of the server as the gradients' size increases for aggregation.(b) Outgoing communication overhead per user as the gradients' size increases for aggregation.(c) Outgoing communication overhead of the server compared to the different number of users for aggregation.(d) Outgoing communication overhead per user compared to the different number of users for aggregation.

Figure 4 .
Figure 4. Comparison of outgoing communication overhead of our scheme with Versa and Verifl for verification.(a) Outgoing communication overhead of the server as the gradients' size increases for verification.(b) Outgoing communication overhead per user as the gradients' size increases for verification.(c) Outgoing communication overhead of the server compared to the different number of users for verification.(d) Outgoing communication overhead per user compared to the different number of users for verification.

Figure 5 .
Figure 5. Thetotal computational overhead of the server and each user (a) computational overhead of the server versus different gradients' size and dropout rates (b) computational overhead of each user versus different gradients' size and dropout rates (c) computational overhead of the server versus different user numbers and dropout rates (d) computational overhead of each user versus different user numbers and dropout rates.

Figure 6 .
Figure 6.Total communication overhead between the server and each user (a) The communication overhead of the server versus different gradients' size and dropout rates (b) the communication overhead per user versus different gradients' size and dropout rates (c) The communication overhead of the server versus a different number of users and dropout rates (d) the communication overhead per user versus a different number of users and dropout rates.
w is calculated by using the local dataset.|D i | represents the size of D i .f (d ij , w) denotes the predicted result and w denotes model parameters.l(o ij ; f (d ij , w)) represents the loss result obtained by predicting the sample (d ij , o ij ) on the given model parameters.To expedite model training, stochastic

Table 2 .
Comparison of computation overhead with Versa and Verifl.

Table 3 .
Outgoing communication overhead per user and server at different phases.