Secure Multiplicative Aggregation and Key-Reuse Optimization: Achieving Dropout Resilience with Amortized Efficiency

Abstract

We present the first secure multiplicative aggregation protocol as a variant of secure aggregation. In this case, a server can compute the component-wise product of the input vectors of users while handling the possible dropout of users during protocol execution. Using pairwise masks, threshold secret sharing and the secure aggregation protocol itself, our construction is correct and secure against semi-honest adversaries. We also consider secure aggregation protocols for the case in which fixed users can reuse their private keys to do aggregation many times, and we propose key reusable secure aggregation protocols. Our protocols have an overhead polynomial in the number of users. We conduct a comprehensive evaluation of our proposed protocols. For multiplicative aggregation protocol, experiments varying the number of users (K) from 50 to 300 (with fixed input size $X_u=100$ KB) demonstrate that user computation scales monotonically with K and is largely insensitive to dropout rates. In contrast, server computation is highly dropout-sensitive and exhibits a steeper growth rate with respect to K. When varying the input size (10–250 KB) with a fixed K, both user and server communication overheads increase linearly, while server computation remains the primary bottleneck affected by dropouts. We compare reusable and non-reusable secure aggregation protocol over repeated interactions $q\in \{1,\dots ,10\}$ at $X_u=100$ KB and $K=100$, showing that reusing Round 1 reduces the cumulative user computation time by about 2.5 times and reduces the cumulative server computation overhead by about 1.2 times at $q=10$ while leaving the server communication overhead nearly unchanged, which indicates that the overall communication overhead is dominated by the non-reused rounds.

1. Introduction

Secure aggregation is a kind of specific secure multiparty computation, which enables a server to interact with a number of parties who each have a private information vector and finally output the sum of these parties’ private vector while, during the process, no private information is revealed except for the output. Secure aggregation can be used in the federated learning setting of a machine learning model [1], wherein each user maintains the private database locally on his device, the server computes the sum of users’ local updates by secure aggregation to get an updated global model and pushes back the global update to realize updates for each user.

Secure aggregation has been widely studied in recent years, various cryptographic approaches have been proposed to solve it, and its different model variants have been discussed. Major approaches are multiparty computation (MPC), homomorphic encryption (HE) and differential privacy (DP).

MPC-based techniques for secure aggregation mainly utilize Yao’s garbled circuit [2], homomorphic encryption or secret sharing [3]. Generic secure multiparty computation is in such a setting, where parties with private inputs want to collaborate with each other to compute some functionality of their inputs, while keeping their inputs unknown to others. The fundamental results of MPC include BGW protocol [4], Yao’s garbled circuit [2], the GMW protocol [5], the SPDZ protocol [6], homomorphic encryption-based tiny OT protocol [7], BMR protocol [8], etc. When applying generic secure multiparty computation protocols to solve secure aggregation, all that is needed is to take the functionality as a summation function; thus, it is also easy to solve different kinds of variants of secure aggregation (such as computing a weighted sum); however, these protocols commonly have high communication costs, and communication-efficient variants require extensive offline computation [9], especially when the number of users is large and private vectors are high-dimensional. Additionally, these protocols cannot handle the possible dropout of users during the execution.

Secure aggregation protocols based on threshold homomorphic encryption systems (such as Paillier encryption system) allow aggregation to be performed on encrypted information and can solve the secure aggregation variant that users may dropout at any time of the protocol execution. Joye et al. have proposed a HE-based secure aggregation protocol [10], but it is in need of a trusted server to distribute and update keys. Leontiadis et al. have done some improvement to it [11], so that users are able to join in and dropout without having to update keys. Halevi, Lindell and Pinkas presented a protocol [12] to securely compute the sum in one round of interaction between the server and each user using homomorphic encryption. They require the communication between user and server to be carried out sequentially (thus no need for users to be online simultaneously) and cannot handle a dropout case. The privacy security guarantees of HE-based protocols depend on the size of the encrypted data, so the computation cost in the encrypted domain could be very expensive [13], and computation-efficient variants always need additional trust assumption, such as the existence of a trusted third party.

Secure aggregation protocols based on differential privacy (DP), which is a noise release mechanism, add virtual noise to each user’s private information locally to protect privacy. Differential privacy makes sure that the removal of any single element from the database will not affect the computation output significantly; as such, the output cannot be used to infer any single private information [14]. In the context of federated learning, users add artificial noise to their own local updates, so that any local update will not be identified by the server [15,16,17]. Shi et al. presented a secure aggregation protocol based on differential privacy and homomorphic encryption [18], and they have given a rigorous analysis of distributed noise generation. Chan et al. extend the result to provide robustness against user dropouts [19]. The DP approach entails a trade-off between convergence performance and privacy protection, as stronger privacy guarantees lead to a degradation in the convergence performance.

Moreover, there are secure aggregation protocols based on Dining Cryptographers Networks. DC-net is a type of communication network that provides anonymity by using pairwise masking of inputs. One user sends one anonymous message at a time that can be viewed as the restricted case of secure aggregation. Corrigan et al. increased the efficiency of DC-net protocols [20], but it is not robust to user dropout and involves expensive overhead [21].

Pairwise additive masking can also be used to construct a secure aggregation protocol. In the work of Asc and Castelluccia [22], pairs of users use a Diffie–Hellman key exchange [23] to agree on pairwise masks; each user computes the sum of their private data, pairwise masks and a self-mask and then sends it to the server. As the summation of the additive masks will cancel out, the server can sum up the masked data it has received to obtain the result. If some users drop out, the server asks the remaining users to send the sum of the pairwise masks associated with the dropped users, added to their self-mask, and thereby subtracts them to obtain the correct sum. The protocol needs only constant rounds of interaction, but the communication overhead of the recovery phase is the limitation; also, if additional users drop out during this phase, the protocol has to abort. A protocol more robust to users’ dropout is proposed by Bonawitz et al. [24] that can efficiently compute the sum of high-dimensional vectors from a large number of users. The protocol makes use of threshold secret sharing; thus, when reconstructing masks in the recovery phase, the server has an overhead quadratic to the number of users. So et el. have described a protocol robust to users dropout that users interact with, server group by group [25]; the overhead is poly-logarithmic to the number of users, but the number of interaction rounds turns into ${\displaystyle \frac{n}{logn}}$. By changing the complete communication graph in the protocol of Bonawitz et al. [24] to a k-regular graph, Bell et al. [26] realized a secure aggregation protocol with a poly-logarithm overhead and constant rounds of interaction, which is also robust to user dropout.

Due to the extensive research on secure aggregation, it is natural to think about a variant of secure aggregation, secure multiplicative aggregation. We consider a model similar to the protocol of Bonawitz et al. [24], in which multiple users, each holding a high-dimensional private vector, interact with a central server, such that the server finally obtains the component-wise product of input vectors. The users cannot communicate with each other directly and may drop out at any time during the protocol execution. Once a user has dropped out, they cannot go back to the protocol again. The server knows the identity of dropout users, and the output of the server is the component-wise product of private input vectors of some users who have not dropped out before sending the message related to their private vector to the server. In this paper, we present a secure multiplicative aggregation protocol. We point out that the main challenge of constructing a secure multiplicative aggregation protocol is dealing with the possible 0 components in input vectors, and we introduce auxiliary vectors to solve the problem.

Moreover, in the scenarios of federated learning [1], multiple rounds of training are needed until the model converges. Therefore, we consider a multi-time setting where the set of initial users is fixed, each user has some private inputs, and they are willing to perform secure additive/multiplicative aggregation many times on different inputs. Utilizing secure additive aggregation protocols [24,26] or the secure multiplicative protocol that we have proposed multiple times is a natural way to solve the problem. However, it turns out that the public–private key pairs of users are unreusable in these protocols for security concerns since the server may obtain some users’ private keys in the protocol execution. In this paper, we construct additive/multiplicative aggregation protocols that allow users to reuse their public–private key pairs during multiple executions, so as to reduce costs.

Our Main Contribution

Our contribution to secure aggregation mainly contains:

(1) Based on a practical secure aggregation protocol [24], we propose a secure multiplicative aggregation protocol. The protocol defines the interaction between a server and n users who each have an m-dimension private vector with a component belonging to ${\mathbb{Z}}_R$ as the input, and finally, the server outputs the component-wise product of online users’ private vector (on some finite field). The protocol allows users to drop out at any time, and once the number of online users is less than the secret sharing threshold parameter t, the protocol will abort with no output. When a server obtains the output, the protocol guarantees the correctness of the output with a probability of more than $1-{\displaystyle \frac{1}{2^{\eta }}}$, where $\eta$ represents the correctness parameter. For privacy, our secure multiplicative aggregation protocol is secure against a semi-honest adversary who controls less than or equal to t parties (the parties can be users or the server), where t is the threshold parameter of secret sharing.

It can be noted that, when the input vectors have no 0 components, secure multiplicative aggregation can be reduced to secure additive aggregation by processing the components with a logarithm. Therefore, the main challenge is to deal with possible 0 components in input vectors. Our key observation is that, when R is a prime number, the indices of 0 components in input vectors fully determine the indices of 0 components in the output result of secure multiplicative aggregation. To leverage the property, we introduce auxiliary vectors that contain the information about the indices of 0 components in input vectors. A secure additive aggregation protocol is executed on auxiliary vectors to ensure that the server only learns information about the indices of 0 components in the output result of secure multiplicative aggregation; thus, security is guaranteed.

(2) We consider a case adapted to federated learning [1], where some fixed set of users want to perform secure additive/multiplicative aggregation many times. Based on the construction of Bonawitz et al. [24] and our secure multiplicative aggregation protocol, we propose a key reusable secure additive aggregation protocol and a key reusable secure multiplicative aggregation protocol.

We have observed that the reason why the public–private key pairs of users cannot be reused in the construction of Bonawitz et al. [24] and our secure multiplicative aggregation is that the server will reconstruct the private keys of some users, which are then used to compute the pairwise masks to be removed from the masked inputs. To maintain the privacy of the long-term private keys and make them reusable, we leverage one-time private keys for each aggregation execution and use a bilinear map, rather than key agreement, to compute pairwise masks while avoiding the appearance of one-time public keys.

(3) We implement secure multiplicative aggregation and reusable aggregation protocols and evaluate their performance. We benchmark a secure multiplicative aggregation protocol under different user sizes and different dropout rates to evaluate the computational and communication overhead for users and the server. When a user’s input is fixed at $X_u=100$ KB, with the number of users, K, increasing from 100 to 500, the average per-user computation time increases by about 14.2–14.5 times, while the total server computation time increases by about 27.7–69.5 times, depending on the dropout rate. When the dropout rate increases from 0% to 30% at $K=500$, the total server computation time increases by about 1.61 times, whereas the user’s computation time remains essentially unchanged. From the communication perspective, increasing the number of users, K, from 100 to 500 enlarges the average per-user communication overhead by about 3 times while leaving the total server communication overhead almost unaffected by the dropout rate.

For the reusable secure aggregation protocol, increasing the input size from 100 KB to 500 KB increases the communication overhead nearly proportionally, by about 4.8 times on the server side and about 1.5 times on the user side, while dropout impacts are mainly reflected in computation. Moreover, across repeated interactions, $q\in \{1,\dots ,10\}$, reusing Round 1 yields clear computational savings while leaving the communication overhead nearly unchanged. At $q=10$, it reduces the cumulative user and server computation time by about 2.49 times and 1.18 times, respectively, indicating that reuse is particularly effective in amortizing user-side computation, whereas the overall communication cost remains dominated by the non-reused rounds.

2. Preliminaries

We introduce the main cryptographic primitives in this section and refer to Appendix A for the description of Authenticated Encryption (AE) and Pseudorandom Generator (PRG). We denote as $\lambda$ and $\eta$ the security and correctness parameters, respectively.

2.1. Secret Sharing

What we rely on is Shamir’s threshold t secret sharing [3], which allows a user to split a secret, s, into n parts, such that any more than or equal to t shares can be used to reconstruct s, while any less than or equal to $t-1$ shares give no information about s.

Shamir’s secret sharing scheme is defined over a finite field, $\mathbb{F}$; for the sake of security, the size of field $\mathbb{F}$ should satisfy $l>2^{\lambda }$ (here, $\lambda$ is a security parameter), so we might take $\mathbb{F}={\mathbb{Z}}_p$, where $p>2^{\lambda }$ is a public big prime number. The scheme is performed between a dealer and n users; assume that n users can be identified with distinct field elements in $\mathbb{F}$ (it has an implicit requirement, $p>n$), and denote the set of identities of users as $U\subseteq \mathbb{F}$. Given these parameters, Shamir’s t-out-of-n secret sharing scheme consists of two algorithms. The sharing algorithm $\mathbf{SS}.\mathbf{share}(s,t,U)\to {\left\{(u,s_u)\right\}}_{u\in U}$ takes as input a secret, $s\in \mathbb{F}$, a set of users’ identities, U, and a threshold, $t\le \left|U\right|$; it outputs a set of shares, $s_u$, each of which is associated with a user, $u\in U$. The reconstruction algorithm $\mathbf{SS}.\mathbf{recon}({\left\{(u,s_u)\right\}}_{u\in V},t)\to s$ takes as input a subset, $V\subseteq U$, such that $\left|V\right|\ge t$, the shares corresponding to subset V and threshold t; it outputs an element, s, in field $\mathbb{F}$.

The above algorithms can be achieved using Lagrange interpolation. For the sharing algorithm $\mathbf{SS}.\mathbf{share}(s,t,U)\to {\left\{(u,s_u)\right\}}_{u\in U}$, the dealer chooses independently and uniformly distributed elements, $a_1,\dots ,a_{t-1}$, from $\mathbb{F}$, defines a polynomial of degree $t-1$ in $\mathbb{F}\left[x\right]$ as $p_s\left(x\right)=s+a_{1}x+\dots +a_{t-1}{x}^{t-1}$, and then takes $s_u=p_s\left(u\right)$ to be the share corresponding to user u. For the reconstruction algorithm $\mathbf{SS}.\mathbf{recon}({\left\{(u,s_u)\right\}}_{u\in V},t)\to s$, as $\left|V\right|\ge t$, for all users in V, they have at least t points on the polynomial $p_s\left(x\right)$; through Lagrange interpolation, they can reconstruct the polynomial and output $s=p_s\left(0\right)$.

The correctness of the scheme requires that, for any $s\in \mathbb{F}$, any $t,n$ with $1\le t\le n$, and any $U\subseteq \mathbb{F}$, where $\left|U\right|=n$, if ${\left\{(u,s_u)\right\}}_{u\in U}$ is the output of algorithm $\mathbf{SS}.\mathbf{share}(s,t,U)$, $V\subseteq U$ and $\left|V\right|\ge t$, then $\mathbf{SS}.\mathbf{recon}({\left\{(u,s_u)\right\}}_{u\in V},t)=s$ holds.

The security (against a semi-honest adversary) of the scheme requires that, for any $s,s^{\prime }\in \mathbb{F}$, and any $V\subseteq U$, such that $\left|V\right|<t$, we have $\{{\left\{(u,s_u)\right\}}_{u\in U}\leftarrow \mathbf{SS}.\mathbf{share}(s,t,U):{\left\{(u,s_u)\right\}}_{u\in V}\}\equiv \{{\left\{(u,s_u)\right\}}_{u\in U}\leftarrow \mathbf{SS}.\mathbf{share}(s^{\prime },t,U):{\left\{(u,s_u)\right\}}_{u\in V}\}$ holding, where ≡ represents the fact that the two distributions are identical. In other words, any less than t shares of a secret, s, contain no information about s, as the distribution of these shares is indistinguishable from the distribution of the corresponding shares of any element $s^{\prime }\in \mathbb{F}$.

Shamir’s t-out-of-n secret sharing can be proven to be correct and semi-honestly secure. We specify that, when a user wants to share their secret with other users, this user plays the role of the dealer in a secret sharing scheme; the secret sharing polynomial (coefficients) is chosen by this user.

2.2. Key Agreement

A key agreement scheme consists of three algorithms, which are the parameterization algorithm, the generating algorithm and the agreement algorithm. The parameterization algorithm $\mathbf{KA}.\mathbf{param}\left(\lambda \right)\to pp$ takes security parameter $\lambda$ as input and outputs some public parameters, $pp$, for the scheme. The generating algorithm $\mathbf{KA}.\mathbf{gen}\left(pp\right)\to (s_u^{sk},s_u^{pk})$ takes as input the public parameters $pp$ and allows any user, u, to generate a private–public key pair. The agreement algorithm $\mathbf{KA}.\mathbf{agree}(s_u^{sk},s_v^{pk})\to s_{u,v}$ allows user u to combine his private key $s_u^{sk}$ with the other user v’s private key $s_v^{pk}$ (generated by the same public parameter $pp$) to obtain a private shared key $s_{u,v}$ between u and v.

More specifically, we will use the Diffie–Hellman key agreement scheme [23]. The public parameter that the parameterization algorithm outputs is $pp=(\mathbb{G},p,g,H)$, where $\mathbb{G}$ is a cyclic group with prime order p and a generator, g, and H is a hash function. The generating algorithm $\mathbf{KA}.\mathbf{gen}(\mathbb{G},p,g,H)\to (a_u,g^{a_u})$ samples a random element, $a_u$, in ${\mathbb{Z}}_p$ as the private key of user u, and the corresponding public key is $g^{a_u}$. The agreement algorithm is then as $\mathbf{KA}.\mathbf{agree}(a_u,g^{a_v})\to s_{u,v}=H\left({\left(g^{a_v}\right)}^{a_u}\right)$.

The correctness of the scheme requires that, for any users u and v, and for any key pairs generated by the same public parameter, we have $\mathbf{KA}.\mathbf{agree}(s_u^{sk},s_v^{pk})=\mathbf{KA}.\mathbf{agree}(s_v^{sk},s_u^{pk})$. That is, $s_{u,v}=s_{v,u}$ is the private shared key between u and v.

The security of the scheme is based on the hardness of decisional Diffie–Hellman(DDH) problem.

Definition 1.

$(\mathbb{G},p,g)$ is a triple, and $\mathbb{G}$ is a cyclic group of order p with generator g. We say the DDH problem is hard relative to $(\mathbb{G},p,g)$ if, for all probabilistic, polynomial-time algorithms $\mathcal{A}$, there exists a negligible function, $negl$, such that

$$|\mathit{Pr}[\mathcal{A}(\mathbb{G},p,g,g^x,g^y,g^z)=1]-\mathit{Pr}[\mathcal{A}(\mathbb{G},p,g,g^x,g^y,g^{xy})=1]| \le negl\left(\lambda \right)$$

where $x,y,z$ are random elements in ${\mathbb{Z}}_p$.

That is to say that, in the case in which $g^x,g^y\in \mathbb{G}$ are known, but $x,y\in {\mathbb{Z}}_p$ is kept unknown, it is impossible to distinguish $g^{xy}$ and a random element in $\mathbb{G}$. For the triple of the prime order cyclic group, the DDH problem can be proven to be hard.

Definition 2.

Consider a probabilistic experiment below, where $\mathcal{M}$ is a probabilistic polynomial-time algorithm, b is a randomly chosen bit, $\mathit{KA}.\mathit{param}\left(\lambda \right)\to (\mathbb{G},p,g,H)$ is a parameterization algorithm, $H:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda }$ is a hash function, and λ is the security parameter.

Diffie–Hellman key agreement experiment ${\mathrm{DH}-\mathrm{EXP}}_{\mathcal{G},\mathcal{M}}\left(\lambda \right)$:

1. $(\mathbb{G},p,g,H)\leftarrow \mathit{KA}.\mathit{param}\left(\lambda \right)$.

2. Randomly choose $x,y\in {\mathbb{Z}}_p$

3. If $b=0$, then let $s=H\left(g^{xy}\right)$; if $b=1$, then take s as a random element in ${\{0,1\}}^{\lambda }$.

4. $\mathcal{M}(\mathcal{G},p,g,H,g^x,g^y,s)\to b^{\prime }$.

5. If $b=b^{\prime }$, outputs 1; if $b\ne b^{\prime }$, outputs 0.

The Diffie–Hellman key exchange scheme is secure in the presence of semi-honest adversaries if, for any probabilistic polynomial-time algorithm, $\mathcal{M}$, there exists a negligible function, $negl$, such that

$$|\mathit{Pr}[{\mathit{DH-EXP}}_{\mathcal{G},\mathcal{M}}\left(\lambda \right)=1]-{\displaystyle \frac{1}{2}}| \le negl\left(\lambda \right)$$

In other words, in the case in which the public keys $g^{a_u}$ and $g^{a_v}$ of users u and v are known, but their private keys $a_u$ and $a_v$ are kept unknown, the shared key $s_{u,v}=s_{v,u}$ that they have agreed on is indistinguishable from a uniformly distributed random string.

Theorem 1.

When the DDH problem is hard relative to the output triple $(\mathbb{G},p,g)$ of the algorithm $\mathit{KA}.\mathit{param}\left(\lambda \right)$, the Diffie–Hellman key agreement scheme is secure in the presence of semi-honest adversaries.

2.3. Bilinear Map

Bilinear maps based on Weil pairing [27] are used as cryptographic primitives. A bilinear map can be represented as a map, $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, where both $\mathbb{G}$ and ${\mathbb{G}}_T$ are multiplicative cyclic groups with the same prime order p. The generator of group $\mathbb{G}$ is g. Bilinear map e has the following properties:

(1) Computability: for any $g_1,g_2\in \mathbb{G}$, $e(g_1,g_2)$ can be computed efficiently.

(2) Bilinearity: for any $a,b\in {\mathbb{Z}}_p^{*}$, and any $g_1,g_2\in \mathbb{G}$, we have

$$e(g_1^a,g_2^b)=e{(g_1^a,g_2)}^b=e{(g_1,g_2^b)}^a=e{(g_1,g_2)}^{ab}$$

(3) Non-degeneracy: for the generator g of group $\mathbb{G}$, $e(g,g)\ne 1$.

3. Model Statement

The model of the secure aggregation problem that we want to discuss consists of a trusted authority (TA), a central server (S) and a large number of users. The communication model of secure aggregation is shown in Figure 1. The trusted authority only produces and broadcasts the public parameter of the protocol but will not participate in the subsequent interactions between server and users. Every user has a private authenticated communication channel with the server, while users are not able to communicate directly. Each user has a high-dimensional private vector that belongs to ${\mathbb{Z}}_R^m$. Users are allowed to drop out at any time of the protocol execution, but once a user has dropped out, they cannot go back to the protocol again. The server can always see who has dropped out. The dropout set is assumed to be exogenous and cannot be adversarially influenced. Whenever the number of online users is less than the secret sharing threshold parameter t, the protocol will abort with no output.

Correctness requires that the final output of the server is the additive/multiplicative aggregation result (sum/component-wise product) of some users’ private vector, as these users have not dropped out before they send the message related to private vector to the server. On account of correctness parameter $\eta$, we only need to guarantee that the output equals the correct product with probability $\ge 1-{\displaystyle \frac{1}{2^{\eta }}}$.

For security, we only consider the case against semi-honest adversaries. Semi-honest adversaries are among the participants in the protocol, who strictly follow the protocol, and meanwhile observe what they have sent and received in the execution, and interflow with each other, hoping to get information about honest users’ private vector. We will give a general definition of the security of the protocol against semi-honest adversaries in the following. Loosely speaking, the definition states that a protocol is $\Delta$-private if the view of up to $\Delta$ corrupted parties in a real protocol execution can be generated by a simulator given only the corrupted parties’ inputs and outputs.

For a general n-ary function, $f:{\left({\{0,1\}}^{*}\right)}^n\to {\left({\{0,1\}}^{*}\right)}^n$, to be securely computed by n parties $P_1,\dots ,P_n$, assume that $\pi$ is a protocol that achieves secure computation of f. During an execution of the protocol $\pi$ on inputs $\overrightarrow{x}=(x_1,\dots ,x_n)$, the view of the ith party $P_i$, denoted as ${\mathrm{VIEW}}_i^{\pi }\left(\overrightarrow{x}\right)$, is defined to be $(x_i,r_i;m_{i,1},\dots ,m_{i,k})$, where $x_i$ is $P_i$’s private input, $r_i$ is the internal coin tosses generated by $P_i$, and $m_{i,j}$ is the jth message that was received by $P_i$ in the protocol execution. For every $I=\{i_1,\dots ,i_l\}\subset \{1,\dots ,n\}$, denote ${\mathrm{VIEW}}_I^{\pi }\left(\overrightarrow{x}\right)=({\mathrm{VIEW}}_{i_1}^{\pi }\left(\overrightarrow{x}\right),\dots ,{\mathrm{VIEW}}_{i_l}^{\pi }\left(\overrightarrow{x}\right))$. The output of all parties from an execution of $\pi$ on inputs $\overrightarrow{x}$ is denoted as ${\mathrm{OUTPUT}}^{\pi }\left(\overrightarrow{x}\right)$; observe that the output of each party can be computed from its own (private) view of the execution.

Definition 3.

Let $f:{\left({\{0,1\}}^{*}\right)}^n\to {\left({\{0,1\}}^{*}\right)}^n$ be a deterministic n-ary functionality, and let π be a protocol. We say that π is Δ-private for computing f if, for every $\overrightarrow{x}\in {\left({\{0,1\}}^{*}\right)}^n$, we have

$${\mathit{OUTPUT}}^{\pi }(x_1,\dots ,x_n)=f(x_1,\dots ,x_n)$$

and there exists a probabilistic polynomial-time algorithm, $\mathit{SIM}$, such that, for every $I\subset \left[n\right]$ with $\left|I\right|\le \Delta$ and every $\overrightarrow{x}\in {\left({\{0,1\}}^{*}\right)}^n$, it holds that

$$\left\{\mathit{SIM}(I,{\overrightarrow{x}}_I,f_I\left(\overrightarrow{x}\right))\right\}{\equiv }_c\left\{{\mathrm{VIEW}}_I^{\pi }\left(\overrightarrow{x}\right)\right\}$$

where ${\equiv }_c$ represents the fact that two random variables are computationally indistinguishable.

In other words, for any set, I, of corrupt parties (adversaries), except their inputs and outputs, they could not obtain any information from what they have sent and received in the protocol execution; in particular, they have no information about honest users’ private vector.

For secure additive/multiplicative aggregation, the n-ary function f is restricted to a special form. The server and users are the participants of the protocol, users only input their private vector but have no outputs, and the server has no input but outputs the sum/component-wise product of online users’ private vector. Our protocols achieve t-privacy, where t is the threshold parameter of secret sharing.

4. Secure Multiplicative Aggregation

In this section, we will first present the high-level idea of our secure multiplicative aggregation protocol and then give a full description of the protocol and prove its correctness and security. Finally, we will analyze the theoretical overhead of our secure multiplicative aggregation protocol.

4.1. Intuition

We provide the framework of the secure multiplicative aggregation protocol in Figure 2. A promising idea that realizes secure multiplicative aggregation using the secure additive aggregation protocol is to process each component of each input vector with a logarithm to obtain the inputs of secure aggregation and compute the exponentiation of the output of secure aggregation to get the final output. However, as the space of users’ private input vectors is ${\mathbb{Z}}_R^m$, the components of input vectors may be 0 components, leading to failures when taking the logarithm. Therefore, we mainly focus on dealing with possible 0 components in input vectors of secure multiplicative aggregation.

One important fact is that, for a fixed component with index $j\in \left[m\right]$ in m-dimension vectors, if there exists one of n private input vectors from n users, such that its component with index j is equal to 0, then the jth component of final output must be 0; conversely, when R is a prime number, if all n private input vectors from n users have their components with index j to be nonzero, then the jth component of final output must be nonzero. This means that the indices of 0 components in input vectors fully determine the indices of 0 components in the output result. We leverage the property to design a secure multiplicative aggregation protocol. On the one hand, each user is allowed to obtain a new input vector by replacing 0 components in its input vectors with uniformly random non-zero elements from ${\mathbb{Z}}_R^{*}$. Secure multiplicative aggregation with new input vectors as inputs can be realized using the idea of taking a logarithm, as well as the secure aggregation protocol, since new input vectors have no 0 components. On the other hand, users have to provide information about the indices of 0 components in their input vectors to the server, which can be used to identify the indices of 0 components in the server’s final output.

To keep the indices of 0 components in users’ inputs unknown to the server (otherwise, the server learns extra information about honest users’ private input), while letting the server learn the indices of 0 components in the component-wise product result, we exploit the secure aggregation protocol with auxiliary vectors as inputs. Specifically, each user initializes an auxiliary vector that belong to ${\mathbb{Z}}_q^m$, with all components being 0. For each index of 0 component in the user’s input, the component in the auxiliary vector with the same index is replaced by a non-zero uniformly random element from ${\mathbb{Z}}_q$. In this way, we store the information about the index of the 0 component in the initial input into the auxiliary vector. The server obtains the output of the secure aggregation of auxiliary vectors that belongs to ${\mathbb{Z}}_q^m$. For a fixed component with index $j\in \left[m\right]$ in m-dimension vectors, if the jth component in the secure aggregation result is non-zero, then the jth component of the secure multiplicative aggregation output must be 0; conversely, if the secure aggregation result has a 0 component with index j, then the jth component of the secure multiplicative aggregation output is non-zero with high probability. Finally, the output is obtained with 0 components from the secure aggregation result of auxiliary vectors and non-zero components from the secure multiplicative aggregation of new input vectors that replace 0 components with uniformly random non-zero elements from ${\mathbb{Z}}_R^{*}$. According to the security of secure additive aggregation, the server learns nothing about honest users’ auxiliary vectors; thus, the indices of 0 components in honest users’ inputs are kept private to the server.

Here, we give a toy example in Figure 3 to help explain our main intuition more clearly (for simplicity, we assume that there is no dropout). Consider three input vectors, $x_1,x_2,x_3$, of dimension 6, where 0 only appears in the third component of $x_1$ and the fifth component of $x_2$. On the one hand, the appearance of 0 results in the failure of taking the logarithm, which directly turns secure multiplicative aggregation into secure additive aggregation; on the other hand, since R is a prime number, it is clear that 0 will appear in the third and the fifth components of the final result. Therefore, we construct new input vectors, ${\tilde{x}}_1,{\tilde{x}}_2,{\tilde{x}}_3$, from $x_1,x_2,x_3$ in such a way that each 0 component is replaced by a uniform random element from ${\mathbb{Z}}_R^{*}$, and each non-zero component remains the same to store the information about non-zero components; and we construct auxiliary vectors, $z_1,z_2,z_3$, in such a way that each 0 component is replaced by a uniform random element from ${\mathbb{Z}}_q^{*}$, and each non-zero component is replaced by 0 to store the information about the indices of 0 components in input vectors. Now that we execute secure multiplicative aggregation to ${\tilde{x}}_1,{\tilde{x}}_2,{\tilde{x}}_3$ (since there is no 0 component in ${\tilde{x}}_1,{\tilde{x}}_2,{\tilde{x}}_3$, it can be reduced to secure additive aggregation by taking the logarithm) and secure additive aggregation to $z_1,z_2,z_3$ simultaneously. The indices of non-zero components $z_1+z_2+z_3$ shows the indices of 0 in the result of $x_1·x_2·x_3$, which is 3 and 5 in the example. For other non-zero components, the result of $x_1·x_2·x_3$ is exactly the same as that of ${\tilde{x}}_1·{\tilde{x}}_2·{\tilde{x}}_3$. The security of secure aggregation guarantees that the server learns nothing about ${\tilde{x}}_1,{\tilde{x}}_2,{\tilde{x}}_3$ and $z_1,z_2,z_3$ except ${\tilde{x}}_1·{\tilde{x}}_2·{\tilde{x}}_3$ and $z_1+z_2+z_3$; thus, the non-zero components and the indices of the 0 component in input vectors are hidden from the server.

4.2. Secure Multiplicative Aggregation Protocol

Before giving the construction, we provide in

Table 1. Summary of parameters used throughout the protocols.

Parameters	Description
n	the number of online users at the beginning of protocol execution
t	threshold parameter of secret sharing
$\lambda$	security parameter
$\eta$	correctness parameter
${\mathbb{Z}}_R^m$	the space of users’ private input vectors
${\mathbb{Z}}_p$	the field of secret sharing, the space of secret keys in key agreement scheme
${\mathbb{Z}}_q$	the space of auxiliary vectors (which are used as inputs in secure aggregation)
$\mathbb{G}$	a cyclic group with order p and a generator g, the space of public keys in key agreement scheme
${\mathbb{G}}_T$	a cyclic group with order p and a generator $g_T$, the output space of bilinear map
U	the set of original users
$U_i$	the set of users whose message has been received by the server in ith round of the aggregation protocol
$U_i^{\left(j\right)}$	the set of users whose message has been received by the server in ith round of jth secure additive/multiplicative aggregation protocol

the parameters we will use throughout the protocols. We have to point out that, in our constructions, the threshold parameter of the number of online users and the threshold parameter of the number of parties corrupted by a semi-honest adversary (the parties can be users or the server) are required to be the same as the secret sharing threshold parameter t, since we use secret sharing as a building block.

A complete description of the secure multiplicative aggregation protocol is as follows.

Theorem 2 (Correctness of the protocol ${\Pi }_{\mathsf{MulAgg}}$).

If the protocol ${\Pi }_{\mathsf{MulAgg}}$ has an output, then the output will equal the correct product of private vectors with probability $\ge 1-{\displaystyle \frac{1}{2^{\eta }}}$.

The proof of the theorem is given in Appendix C.

Next, we talk about the security of the protocol ${\Pi }_{\mathsf{MulAgg}}$. We will prove that the protocol is secure against semi-honest adversaries, no matter when the users drop out during the protocol execution. In other words, for the protocol ${\Pi }_{\mathsf{MulAgg}}$ with threshold parameter t, the joint view of at most t participants in the protocol (participants including the server and all users) does not leak any information about the other users’ private inputs, where these parties are called semi-honest parties.

In the secure multiplicative aggregation protocol, there is a central server, $\mathcal{S}$, a set of initial users U with $\left|U\right|=n$, and a threshold parameter, t. Users are allowed to drop out at any time during the protocol execution; denote the set of users whose message has been received by the server in Round i as $U_i$. We have $U\supseteq U_1\supseteq U_2\supseteq U_3\supseteq U_4$. Each user, u, has a private input vector, $x_u$; denote $x_{U^{\prime }}={\left\{x_u\right\}}_{u\in U^{\prime }}$, where $U^{\prime }$ can be any subset of users. The same as the definition in the model statement, ${\mathrm{VIEW}}_u\left(x_U\right)$ represents the view of party $u\in U\cup \left\{\mathcal{S}\right\}$ when the protocol runs with inputs $x_U$. Define $\mathcal{C}\subset U\cup \left\{\mathcal{S}\right\}$ as the set of semi-honest parties, and then ${\mathrm{VIEW}}_{\mathcal{C}}(x_U,U_1,U_2,U_3,U_4)$ is the joint view of semi-honest adversaries during the protocol execution.

Firstly, we will consider the case where semi-honest parties are a set of users, that is, $\mathcal{C}\subset U$.

Theorem 3 (Security of the protocol ${\Pi }_{\mathsf{MulAgg}}$ against semi-honest users).

There exists a probabilistic polynomial-time simulator, $\mathit{SIM}$, such that for any security parameter λ, threshold parameter t, set of users U with $\left|U\right|\ge t$, input vectors $x_U$, sets of online users $U\supseteq U_1\supseteq U_2\supseteq U_3\supseteq U_4$ and set of semi-honest parties $C\subseteq U$ with $\left|\mathcal{C}\right|\le t$, the output of $\mathit{SIM}$ is perfectly indistinguishable from ${\mathit{VIEW}}_{\mathcal{C}}$ as random variables; that is,

$${\mathit{VIEW}}_{\mathcal{C}}(x_U,U_1,U_2,U_3,U_4)\equiv {\mathit{SIM}}_{\mathcal{C}}(x_{\mathcal{C}},U_1,U_2,U_3,U_4)$$

Proof. 

For any user $u\in \mathcal{C}$, all they have received during the protocol execution are public keys ${\{c_v^{pk},s_v^{pk}\}}_{v\in U_1\setminus \left\{u\right\}}$, ciphertexts ${\left\{e_{v,u}\right\}}_{v\in U_2\setminus \left\{u\right\}}$ and a list of $U_3$. Note that these messages do not depend on the inputs of the honest users. In fact, the only values sent by each honest user v that depend on their private input are $y_v$ and $l_v$, which they sent to the server in Round 3, but the server is honest. So, when knowing the inputs $x_{\mathcal{C}}$ of user set $\mathcal{C}$, the simulator $\mathit{SIM}$ can be defined to use zero vectors for the inputs of all honest users and to use $x_u(u\in \mathcal{C})$ for the inputs of semi-honest users u and then to simulate the execution of the secure multiplicative aggregation protocol. The simulator outputs the joint view of users in $\mathcal{C}$ in the simulation process, which is perfectly indistinguishable from ${\mathit{VIEW}}_{\mathcal{C}}$. □

When the server is semi-honest, it can share what it has received in the protocol execution with other semi-honest users. We show that the view of any such group of semi-honest parties can be simulated by a simulator, which is given the inputs of the users in that group and the final output of the server.

Theorem 4 (Security of the protocol ${\Pi }_{\mathsf{MulAgg}}$ against semi-honest server and users).

There exists a probability polynomial-time simulator, $\mathit{SIM}$, such that, for any security parameter λ, threshold parameter t, set of users U with $\left|U\right|\ge t$, input vectors $x_U$, sets of online users $U\supseteq U_1\supseteq U_2\supseteq U_3\supseteq U_4$ and set of semi-honest parties $C\subseteq U\cup \left\{\mathcal{S}\right\}$ with $|\mathcal{C}\setminus \{\mathcal{S}\left\}\right|<t$, the output of $\mathit{SIM}$ is perfectly indistinguishable from ${\mathit{VIEW}}_{\mathcal{C}}$ as random variables; that is,

$${\mathit{VIEW}}_{\mathcal{C}}(x_U,U_1,U_2,U_3,U_4)\equiv {\mathit{SIM}}_{\mathcal{C}}(x_{\mathcal{C}},X,U_1,U_2,U_3,U_4)$$

where

$$X=\left\{\begin{array}{cc}\hfill (X^1,\dots ,X^m)\hfill & \hfill \mathrm{if}\left|U_3\right|\ge t\\ \hfill \perp \hfill & \hfill \mathrm{otherwise}\end{array}\right.$$

The proof of the Theorem is based on the security of the Diffie–Hellman key agreement, the IND-CPA security of the authenticated encryption scheme, the security of secret sharing and the security of the pseudorandom generator. It is given in Appendix D.

4.3. Analysis of Theoretical Overhead

The theoretical overhead of our protocol will be analyzed in terms of computational, communication, and storage costs.

–

The computation cost for a user, u, of our ${\Pi }_{\mathsf{MulAgg}}$ protocol contains: (i) computing two vectors $z_u$ and ${\tilde{x}}_u$ associated with a private input vector, (ii) performing $2(n-1)$ key agreements with other users, (iii) creating t-out-of-n secret sharing of $s_u^{sk}$ and $b_u$, (iv) generating $t_u,t_{u,v}$ and $k_u,k_{u,v}$ using ${\mathbf{PRG}}_1$ and ${\mathbf{PRG}}_2$, and also computing $y_u$ and $l_u$. Each user’s total computation cost is $O(n^2+nmlogm)$.

–

The communication cost for a user u contains: (i) sending their public keys, $s_u^{pk},c_u^{pk}$, and receiving (from the server) other users’ public keys, (ii) sending encrypted secret shares, $e_{u,v}$, and receiving $e_{v,u}$ from the server, (iii) sending masked input vectors, $y_u$ and $l_u$, to the server, and (iv) sending the server decrypted secret shares $s_{v,u}^{sk}$ and $b_{v,u}$. Each user’s total communication cost is $O(n+mlogm)$.

–

The storage cost for a user u contains: (i) storing private input vector $x_u$ and two vectors $z_u,{\tilde{x}}_u$ derived from it and (ii) storing all users’ public keys, their own private keys and encrypted secret shares $e_{v,u}$. Each user’s total storage cost is $O(n+mlogm)$.

–

The computation cost for the server of our ${\Pi }_{\mathsf{MulAgg}}$ protocol contains: (i) reconstructing t-out-of-n secrets (one for each user) using Lagrange interpolation, (ii) computing the masks $t_u,t_{u,v}$ and $k_u,k_{u,v}$, obtaining ${\prod }_{u\in U_3}{\tilde{x}}_u$ and ${\sum }_{u\in U_3}{z}_u$, and finally outputting $(X^1,\dots ,X^m)$. The server’s total computation cost is $O(n^{2}mlogm)$. Note that, in general, the reconstructions of $O\left(n\right)$ secrets by Lagrange interpolation require $O\left(n^3\right)$ computation, as, for any secret reconstruction $\mathbf{SS}.\mathbf{recon}({\left\{(u,s_u)\right\}}_{u\in U^{\prime }},t)\to s$, the server needs to compute

$$s=L\left(0\right)=\sum _{u\in U^{\prime }}{s}_u\prod _{v\in U^{\prime }\setminus \left\{u\right\}}{\displaystyle \frac{v}{v-u}}\left(\mathrm{mod}q\right)$$

which costs $O\left(n^2\right)$ computation. Actually, in our ${\Pi }_{\mathsf{MulAgg}}$ protocol, where every user has identity fixed at the very beginning, the total time to reconstruct all secrets can be reduced, as the set $U^{\prime }$ is always $U_4$. The server only needs to precompute the Lagrange basis polynomials (values at 0 of the polynomials)

$$L_u=\prod _{v\in U_4\setminus \left\{u\right\}}{\displaystyle \frac{v}{v-u}}\left(\mathrm{mod}q\right)$$

which costs $O\left(n^2\right)$ in computation, and then perform linear computation $L\left(0\right)={\sum }_{u\in U_4}{s}_u{L}_u\left(\mathrm{mod}q\right)$ to reconstruct secrets. In this way, $O\left(n\right)$ reconstructions take $O\left(n^2\right)$ time.

–

The communication cost for the server contains: (i) sending and receiving messages between users as the mediation, (ii) receiving the masked input vectors $y_u$ and $l_u$ sent by user u, and also the decrypted secret shares. The server’s total communication cost is $O(n^2+nmlogm)$.

–

The storage cost for the server contains: (i) storing all users’ public keys, (ii) storing decrypted secret shares sent by users, and (iii) storing masked input vectors $y_u$ and $l_u$, so as to do addition or multiplication. The server’s total storage cost is $O(n^2+mlogm)$.

5. Key Reusable Secure Aggregation

Consider the case in which the set U of initial users is fixed, each user has some private inputs, and they are willing to perform secure additive/multiplicative aggregation many times on different inputs. Such a multi-round setting can be adapted to federated learning [1], where multiple rounds of training are needed until the model converges.

It is clear that using a state-of-the-art secure additive aggregation protocol [24] or the secure multiplicative aggregation protocol ${\Pi }_{\mathsf{MulAgg}}$ multiple times can solve the problem naively. For both of the protocols, to guarantee the security, all users $u\in U$ have to generate a new public–private key pair, $(s_u^{sk},s_u^{pk})$, again in Round 1 every time they perform the secure additive/multiplicative aggregation execution. This is because, if $(s_u^{sk},s_u^{pk})$ is reused, it is possible that u is in the set $U_2\setminus U_3$ defined by the additive/multiplicative aggregation execution last time, and so, according to the protocol, the server has reconstructed this private key $s_u^{sk}$ in Round 4; therefore, the server has all the pairwise masks of u. It is also possible that u is in the set $U_3$ defined by the additive/multiplicative aggregation execution this time; so, according to the protocol, the server is able to know the self masks of u. With pairwise masks and self masks of u, the server can obtain the private input of user u from the masked input, which breaks the security.

Therefore, what we accept is to construct additive/multiplicative aggregation protocols that allow users to reuse their public–private key pairs generated in Round 1. In this section, we will present a key reusable secure additive aggregation protocol based on the construction of Bonawitz et al. [24] and a key reusable multiplicative aggregation protocol based on the construction of ${\Pi }_{\mathsf{MulAgg}}$ in Section 4.

5.1. Key Reusable Secure Additive Aggregation

As mentioned above, the reason why the public–private key pairs $(s_u^{sk},s_u^{pk})$ generated in Round 1 of the protocol of Bonawitz et al. [24] cannot be reused is that the server will reconstruct the private key $s_u^{sk}$ for $u\in U_2\setminus U_3$ in Round 4, which is then used to compute the pairwise masks to be removed from ${\sum }_{u\in U_3}{y}_u$.

To maintain the privacy of the long-term private key $s_u^{sk}$, we construct a one-time private key, $s_{u,j}^{sk}$, for jth additive aggregation execution using $s_u^{sk}$ and the index j as $s_{u,j}^{sk}=H{\left(j\right)}^{s_u^{sk}}$. The one-time private key $s_{u,j}^{sk}$ is shared among users, and the pairwise masks are now computed using a bilinear map, rather than key agreement, to avoid the use of a one-time public key. The bilinearity of the bilinear map ensures that both users u and v can compute the pairwise mask $e(s_{u,j}^{sk},s_v^{pk})=e(s_{v,j}^{sk},s_u^{pk})$ using their one-time private keys and the long-term public keys. For user $u\in U_2\setminus U_3$ in jth execution, the server will reconstruct their one-time private key $s_{u,j}^{sk}$ in Round 4 to obtain the pairwise masks to be removed. Under the DDH assumption, the server with one-time private key $s_{u,j}^{sk}$ learns nothing about the long-term private key $s_u^{sk}$; thus, $s_u^{sk}$ can be reused. We provide the framework of our key reusable secure additive aggregation protocol in Figure 4.

A complete description of the key reusable secure additive aggregation protocol is as follows.

Theorem 5 (Correctness of the protocol ${\Pi }_{\mathsf{ReAgg}}$).

In the protocol ${\Pi }_{\mathsf{ReAgg}}$, for each additive aggregation execution, if it has an output, then the output will be equal to the correct sum of private input vectors.

The proof of the Theorem is given in Appendix E.

Next, we talk about the security of the protocol ${\Pi }_{\mathsf{ReAgg}}$. We will prove that the protocol is secure against static semi-honest adversaries, no matter when the users drop out during the protocol execution.

In the key reusable secure additive aggregation protocol, there is a central server, $\mathcal{S}$, a set of initial users, U, with $\left|U\right|=n$, and a threshold parameter, t. Users are allowed to drop out at any time of the entire protocol and rejoin the protocol for a new additive aggregation execution; denote the set of users whose message has been received by the server in Round i of jth secure additive aggregation as $U_i^{\left(j\right)}$. We have $U\supseteq U_1\supseteq U_2^{\left(j\right)}\supseteq U_3^{\left(j\right)}\supseteq U_4^{\left(j\right)}$. Denote $U_r(r=2,3,4)$ as the set composed of $U_r^{\left(j\right)}$ for all j. Each user u has a private input vector, $x_{u,j}$, for the jth secure additive aggregation; denote $x_{U^{\prime }}={\left\{x_{u,j}\mathrm{for}\mathrm{all}j\right\}}_{u\in U^{\prime }}$, where $U^{\prime }$ can be any subset of users. The same as the definition in the model statement, ${\mathrm{VIEW}}_u\left(x_U\right)$ represents the view of party $u\in U\cup \left\{\mathcal{S}\right\}$ when the protocol runs with inputs $x_U$. Define $\mathcal{C}\subset U\cup \left\{\mathcal{S}\right\}$ as the set of semi-honest parties, and then ${\mathrm{VIEW}}_{\mathcal{C}}(x_U,U_1,U_2,U_3,U_4)$ is the joint view of semi-honest adversaries during the entire protocol.

Firstly, we will consider the case in which semi-honest parties are a set of users, that is, $\mathcal{C}\subset U$.

Theorem 6 (Security of the protocol ${\Pi }_{\mathsf{ReAgg}}$ against semi-honest users).

There exists a probabilistic polynomial-time simulator, $\mathit{SIM}$, such that, for any security parameter λ, threshold parameter t, set of users U with $\left|U\right|\ge t$, input vectors $x_U$, sets of online users $U\supseteq U_1\supseteq U_2^{\left(j\right)}\supseteq U_3^{\left(j\right)}\supseteq U_4^{\left(j\right)}$ for all j and set of semi-honest parties $\mathcal{C}\subseteq U$ with $\left|\mathcal{C}\right|\le t$, the output of $\mathit{SIM}$ is perfectly indistinguishable from ${\mathit{VIEW}}_{\mathcal{C}}$ as random variables; that is,

$${\mathit{VIEW}}_{\mathcal{C}}(x_U,U_1,U_2,U_3,U_4)\equiv {\mathit{SIM}}_{\mathcal{C}}(x_{\mathcal{C}},U_1,U_2,U_3,U_4)$$

Proof. 

For any user $u\in \mathcal{C}$, all they have received during the entire protocol execution are public keys ${\{c_v^{pk},s_v^{pk}\}}_{v\in U_1\setminus \left\{u\right\}}$, ciphertexts ${\left\{e_{v,j,u}\right\}}_{v\in U_2^{\left(j\right)}\setminus \left\{u\right\}}$ for all j and a set of $U_3={\left\{U_3^{\left(j\right)}\right\}}_j$. Note that these messages do not depend on the inputs of the honest users. In fact, the only value sent by each honest user v that depend on their private input is $y_{v,j}$, which they sent to the server in Round 3 of the jth execution, but the server is honest. So, when knowing the inputs $x_{\mathcal{C}}$ of user set $\mathcal{C}$, the simulator $\mathit{SIM}$ can be defined to use zero vectors for the inputs of all honest users and to use $x_{u,j}(u\in \mathcal{C})$ for the inputs of semi-honest users u in jth additive aggregation and then to simulate the execution of jth secure additive aggregation protocol. The simulator outputs the joint view of users in $\mathcal{C}$ in the simulation process, which is perfectly indistinguishable from ${\mathrm{VIEW}}_{\mathcal{C}}$. □

When the server is semi-honest, it can share what it has received in the protocol execution with other semi-honest users. We show that the view of any such group of semi-honest parties can be simulated by a simulator, who is given the inputs of the users in that group and the final outputs of the server.

Theorem 7 (Security of protocol ${\Pi }_{\mathsf{ReAgg}}$ against semi-honest server and users).

There exists a probability polynomial-time simulator, $\mathit{SIM}$, such that for any security parameter λ, threshold parameter t, set of users U with $\left|U\right|\ge t$, input vectors $x_U$, sets of online users $U\supseteq U_1\supseteq U_2^{\left(j\right)}\supseteq U_3^{\left(j\right)}\supseteq U_4^{\left(j\right)}$ for all j and set of semi-honest parties $\mathcal{C}\subseteq U\cup \left\{\mathcal{S}\right\}$ with $|\mathcal{C}\setminus \{\mathcal{S}\left\}\right|<t$, the output of $\mathit{SIM}$ is perfectly indistinguishable from ${\mathit{VIEW}}_{\mathcal{C}}$ as random variables; that is,

$${\mathit{VIEW}}_{\mathcal{C}}(x_U,U_1,U_2,U_3,U_4)\equiv {\mathit{SIM}}_{\mathcal{C}}(x_{\mathcal{C}},X={\left\{X_j\right\}}_j,U_1,U_2,U_3,U_4)$$

where

$$X_j=\left\{\begin{array}{c}\hfill (X_j^1,\dots ,X_j^m)\mathrm{if}\left|U_3^{\left(j\right)}\right|\ge t\\ \hfill \perp \mathrm{otherwise}\end{array}\right.$$

The proof of the theorem is based on the security of Diffie–Hellman key agreement, the IND-CPA security of the authenticated encryption scheme, the security of secret sharing, the security of pseudorandom generator and the property of the bilinear map. It is given in Appendix F.

Finally, we show that the long-term keys of honest users remain safe during multiple aggregation executions. For the case where $\mathcal{C}\subseteq U$ with $\left|\mathcal{C}\right|<t$, for any honest user $u\in U$, the adversary cannot reconstruct the one-time private key $s_{u,j}^{sk}$ for any j, since the number of shares it holds is less than the secret sharing threshold t. Therefore, the adversary learns nothing about the long-term private key $s_u^{sk}$. For the case where $\mathcal{C}\subseteq U$ with $\left|\mathcal{C}\right|=t$, for any honest user $u\in U$, the adversary can reconstruct the one-time private key $s_{u,j}^{sk}=H{\left(j\right)}^{s_u^{sk}}$ for any j. According to the hardness assumption of a discrete logarithm, the adversary learns nothing about the long-term private key $s_u^{sk}$. For the case where the server is semi-honest, that is, $\mathcal{C}\subseteq U\cup \left\{\mathcal{S}\right\}$ with $|\mathcal{C}\setminus \{\mathcal{S}\left\}\right|<t$, for any honest user $u\in U$, the adversary can learn the one-time private key $s_{u,j}^{sk}=H{\left(j\right)}^{s_u^{sk}}$ only when $u\in U_2^{\left(j\right)}\setminus U_3^{\left(j\right)}$. According to the hardness assumption of the discrete logarithm, the adversary learns nothing about the long-term private key $s_u^{sk}$.

5.2. Key Reusable Secure Multiplicative Aggregation

Similarly, a key reusable secure multiplicative aggregation protocol can be constructed from the protocol ${\Pi }_{\mathsf{MulAgg}}$ using the idea of one-time private keys and the bilinearity of the bilinear map. In Appendix G, we provide a complete description of key reusable secure multiplicative protocol, together with its correctness and security proofs.

5.3. Discussion

The key reusable secure additive/multiplicative aggregation protocol allows users to reuse their public–private key pairs generated in Round 1, so it reduces the cost of broadcasting new public keys and conducting key agreement to obtain the keys of authenticated encryption in the multi-time secure additive/multiplicative aggregation process.

Moreover, all protocols we proposed can be further improved by changing their complete communication graph into a sparse k-regular communication graph [26], where $k=O(logn)$. In this way, the overhead of polynomial magnitude for users and the server can be reduced to poly-logarithm.

6. Experimental

The performance evaluation of our proposed secure multiplication protocol was conducted using a Go implementation. The experimental testbed comprised one server node and two User nodes. The server was a Dell PowerEdge R760 (Dell, Round Rock, TX, USA) equipped with two Intel Xeon Platinum 8470 processors (52 cores/104 threads at 2.0 GHz) and 1024 GB of RAM. Both User nodes were identical Dell PowerEdge R750 systems (Dell, Round Rock, TX, USA), each configured with two Intel Xeon Gold 6338 CPUs (32 cores/64 threads at 2.0 GHz) and 256 GB of RAM. All machines ran the Ubuntu 22.04 operating system. The network connectivity between nodes was configured with a bandwidth of 80 Mb/s and a round-trip time (RTT) of 80 ms to simulate wide-area network conditions.

The experimental setup comprised the following parameters:

• Key Agreement: The Elliptic Curve Diffie–Hellman (ECDH) protocol was implemented using the NIST P-256 curve.
• Hash Function: SHA-256 was employed to hash the shared key.
• Secret Sharing Scheme: A t-out-of-n Shamir Secret Sharing scheme was utilized, where $t⩾⌊{\displaystyle \frac{2n}{3}}⌋+1$.
• Authenticated Encryption: AES-GCM with 128-bit keys was applied.
• Pseudo-Random Number Generator: AES-128 in counter mode was used.
• Bilinear map: Type A pairing implemented in the PBC library (https://pkg.go.dev/github.com/nik-u/pbc, accessed date 3 February 2026).
• User Data: Each user’s private data $X_u$ was represented as a vector of dimension m.
• Module: The modulus R is defined as the smallest prime greater than $2^{20}$, which is 1,048,583, and the modulus q is the smallest prime greater than $2^{40}$, namely 1,099,511,627,791.

6.1. Secure Multiplicative Aggregation Protocol ${\Pi }_{\mathsf{MulAgg}}$

To comprehensively analyze the performance of the secure multiplicative aggregation protocol ${\Pi }_{\mathsf{MulAgg}}$, we conducted experiments under two scenarios. All experimental data presented are the averages from ten experimental runs:

Scenario 1:

In this scenario, the size of the user input privacy data is fixed at $100\mathrm{KB}$ while the number of users increases. We measured the average computation time overhead and communication overhead for each user and server, with the number of users set to $\{50,100,150,200,250,300\}$ and user dropout rate to $\{0\%,10\%,20\%,30\%\}$.

Scenario 2:

In this scenario, the number of users was fixed at 300. We evaluated the average computation time and communication overhead for each user and the server by varying the size of privacy-sensitive data inputs. The input sizes were set to $\{10\mathrm{KB},50\mathrm{KB},100\mathrm{KB},150\mathrm{KB},200\mathrm{KB},250\mathrm{KB}\}$, and the user dropout rates were set to $\{0\%,10\%,20\%,30\%\}$.

Figure 5 shows the experimental results for scenario 1. Figure 5a,b report the average per-user computation time and the total server computation time, respectively. As the number of users increases, the average computation time per user increases accordingly and is only slightly affected by the dropout rate. By contrast, the total computation time of the server increases significantly as the dropout rate rises, because a higher dropout rate requires the server to recover the private keys of more dropped-out users. Figure 5c,d report the average per-user communication overhead and the total server communication overhead, respectively. Both quantities increase approximately linearly with the number of users. In addition, a higher dropout rate leads to lower average communication overhead per user, while the total communication overhead of the server remains almost unaffected by the dropout rate.

In Scenario 2, we evaluate how varying the per-user private input size affects the computation and communication overhead of users and the server. The results are shown in Figure 6; the overall trends are consistent with those observed in Scenario 1.

Figure 5b and Figure 6b show that, in both scenarios, the total server computation time grows more rapidly under higher dropout rates. In Scenario 1, as the number of users grows from 50 to 300, the server time increases by 15.32 times, 15.92 times, 18.71 times, and 19.11 times under dropout rates $\{0\%,10\%,20\%,30\%\}$, respectively. In Scenario 2, when the per-user private input increases from $10\mathrm{KB}$ to $250\mathrm{KB}$, the corresponding growth factors are 1.60 times, 4.49 times, 6.50 times, and 8.14 times, respectively. This growth is dominated by Round 4, where the main cost comes from ${\mathrm{PRG}}_1(·)$ and ${\mathrm{PRG}}_2(·)$ for mask recovery. Although higher dropout reduces the number of $t_v$ and $k_v$ computations, the server must spend substantially more effort reconstructing $s_v^{sk}$ and derive $t_{v,u}$ and $k_{v,u}$ via ${\mathrm{PRG}}_1(·)$ and ${\mathrm{PRG}}_2(·)$, thereby increasing the total server overhead.

Figure 5a and Figure 6a show that the average per-user computation time is largely insensitive to the dropout rate. In Scenario 1, increasing the number of users from 50 to 300 increases the average per-user computation time by 4.85 times, 4.75 times, 4.82 times, and 4.81 times under dropout rates of $\{0\%,10\%,20\%,30\%\}$, respectively. In Scenario 2, increasing the per-user private input from $10\mathrm{KB}$ to $250\mathrm{KB}$ increases the average per-user computation time by 8.11 times, 8.26 times, 8.17 times, and 8.16 times, respectively. Rounds 1–3 incur fixed-cost operations (key generation, ciphertext computation, and masked-data generation), while Round 4 decryption is performed only by online users; thus, higher dropout slightly increases Round 4 time but has a negligible impact on the total. Overall, Round 3 dominates the average user time, mainly due to ${\mathrm{PRG}}_1(·)$ and ${\mathrm{PRG}}_2(·)$ for mask generation, followed by computing the obfuscated private data.

Figure 5c,d and Figure 6c,d exhibit similar communication patterns in both scenarios. The average per-user communication overhead grows nearly linearly with the number of users or the input size, and decreases slightly as the dropout rate increases. In contrast, the total server communication overhead is largely insensitive to the dropout rate and is mainly determined by the number of users and the input size.

6.2. Key Reusable Secure Additive Aggregation ${\Pi }_{\mathsf{ReAgg}}$

To evaluate the performance of the reusable secure additive aggregation protocol ${\Pi }_{\mathsf{ReAgg}}$, experiments were conducted under two scenarios, as follows. In the second scenario, we implemented the non-reusable secure additive aggregation protocol from [24] and compared it on the same server. All results represent the average of ten independent runs.

Scenario 1:

Each user’s private input was fixed at $100\mathrm{KB}$. The number of users ranged from 100 to 500 in increments of 50, under dropout rates of $\{0\%,10\%,20\%,30\%\}$. We measured the average computation time and communication overhead per-user and server.

Scenario 2:

In this scenario, the number of users is fixed at 100, with each input again sized at $100\mathrm{KB}$. Dropout rates were set to $\{0\%,10\%,20\%,30\%\}$. We conducted a comparative experiment between reusable and non-reusable additive aggregation protocols, with each protocol performing $q=\{1,\cdots ,10\}$ secure aggregation iterations. The reusable protocol executes Round 1 only once in the first iteration (i.e., $q=1$) and reuses subsequent Round 2–4 in the remaining iterations (i.e., $q=\{2,\cdots ,10\}$), whereas the non-reusable protocol repeats the full protocol each iteration. We also evaluated the average computation time and communication overhead for per-user and server.

Figure 7a shows that the average per-user computation time increases monotonically with the number of users K and is almost unaffected by the dropout rate. When K increases from 100 to 500, the average per-user computation time increases by 14.47 times, 14.19 times, 14.30 times, and 14.25 times under dropout rates of $0\%$, $10\%$, $20\%$, and $30\%$, respectively. In contrast, Figure 7b indicates that the server computation overhead is sensitive to the dropout rate: at $K=100$ the total server time increases to 2.36 times, 3.32 times, and 4.04 times that of the no-dropout case. This consistent gap indicates that user dropouts mainly introduce additional recovery and reconstruction work on the server side, whereas the user-side cost remains dominated by fixed per-round operations.

Figure 7c reports the average per-user communication overhead. It increases with K and also increases mildly with the dropout rate. For instance, at $K=500$, the average per-user communication overhead under a dropout rate of 30% is 1.07 times that of the no-dropout case. Figure 7d shows that the server total communication grows rapidly with K, when K increases from 100 to 500, it grows by about 25.16 times while remaining almost unaffected by the dropout rate. At $K=500$, the total server communication overhead under a dropout rate of $30\%$ is essentially 1.00 times that of the no-dropout case. A round-level breakdown further shows that the server communication is dominated by the Round 2 broadcast of aggregated ciphertexts; for example, at $K=500$, the Round 2 communication accounts for about 1.00 times the total server communication overhead, whereas the Round 1 key broadcast and the Round 3 UserNameList contribute only a negligible fraction of the total. These results indicate that dropouts mainly impact the server computation overhead, rather than the total communication overhead.

Figure 8a,b report the average cumulative computation time of the user and the server when the input size is fixed at 100 KB and q increases from 1 to 10. For the user side, the computation time is largely insensitive to the dropout rate. As q increases, the gap between the reusable and non-reusable schemes widens, because the non-reusable scheme scales approximately linearly with q, whereas the reusable scheme amortizes Round 1 over repeated interactions. For example, at $q=10$, the average per-user computation time of the reusable scheme is about 0.40 times and 0.41 times that of the non-reusable scheme under dropout rates of $0\%$ and $30\%$, respectively. In contrast, the total server computation time is clearly sensitive to the dropout rate in both schemes. Under the non-reusable scheme, the server computation time at $q=1$ increases to 2.18 times, 2.63 times, and 3.89 times, when $q=10$ the corresponding factors remain 2.18 times, 2.63 times, and 3.89 times. The reusable scheme consistently reduces the total server computation time but less significantly than on the user side. At $q=10$, it reduces the total server computation time by about 16% and 12% compared with the non-reusable scheme under dropout rates of 0% and 30%, respectively. This indicates that the server-side cost is still dominated by the non-reused rounds and the dropout-driven recovery operations.

Figure 8c,d report the cumulative communication overhead for the user and the server. The average per-user communication overhead grows close to linearly with q and increases with the dropout rate. Concretely, under the non-reusable scheme, when $q=10$, the average per-user communication overhead at a dropout rate of 30% is about 1.20 times that at a dropout rate of 0%. Comparing the two schemes reveals that the reusable and non-reusable curves remain very close. For example, at $q=10$, the average per-user communication overhead of the reusable scheme is reduced to 0.99 times and 1.00 times that of the non-reusable scheme under dropout rates of 0% and 30%, respectively, indicating that Round 1 reuse provides only marginal communication savings on the user side. On the server side, the communication overhead curves for the reusable and non-reusable schemes are nearly indistinguishable over $q=1,\dots ,10$, and the gap increases only slightly with q. Under the non-reusable scheme, when $q=10$, the total server communication overhead at a dropout rate of 30% is essentially 1.00 times that at a dropout rate of 0%, showing that the server communication overhead is almost unaffected by the dropout rate. Moreover, the reusable scheme provides only a marginal reduction in total server communication overhead. For instance, at $q=10$ and a dropout rate of 0%, the total server communication overhead of the reusable scheme is reduced to 0.99 times that of the non-reusable scheme. This indicates that reusing Round 1 has a limited impact on communication overhead, and that the overall communication cost is mainly determined by the non-reusable rounds.

6.3. Practical Implications and Applicability

While the present work is primarily a cryptographic and protocol-level contribution, its evaluated parameter regimes are also relevant to practical federated learning deployments. The considered user scale $K\in [100,500]$ is representative of the number of clients often sampled in one federated learning round from a much larger population, especially in cross-device settings. Similarly, private input sizes ranging from tens to hundreds of kilobytes are consistent with compressed model updates, partial gradient vectors, or feature statistics by mobile devices and edge clients. The dropout regimes considered in our experiments, from 0% to 30%, also match realistic federated learning conditions, where client availability is affected by device mobility, battery level, network instability, and intermittent participation. Under such conditions, our experimental results suggest that the protocol remains practical on the user side, while the main computational burden caused by dropouts is concentrated at the server, which is consistent with the resource asymmetry between mobile clients and aggregation servers.

The proposed multiplicative aggregation protocol is particularly beneficial when the target quantity is multiplicative in nature or depends on interaction terms that cannot be captured by standard secure summation alone. In such cases, the goal is not simply to securely sum local updates but to privately compute product-type statistics or interaction-dependent quantities across users. Typical examples include multiplicative feature interactions, product-based statistics, geometric-mean-style aggregates, likelihood-related terms, and privacy-preserving analytics in which correlations or joint effects among local inputs are important. From this perspective, multiplicative aggregation should be viewed not as a replacement for conventional secure summation, but as a complementary primitive that enables a richer class of privacy-preserving computations beyond additive aggregation.

The advantage of key reuse becomes more pronounced in repeated-training or repeated-query settings, which are typical in federated learning. In practical federated learning systems, the same client cohort may participate in multiple consecutive rounds, local retraining sessions, or repeated secure analytics tasks over related data distributions. In such cases, amortizing the one-time cost of Round 1 across repeated interactions can significantly reduce cumulative computation, especially on the user side, as confirmed by our experiments. Therefore, the practical benefit of reuse is strongest in long-running federated learning with repeated rounds and relatively stable participation patterns.

7. Conclusions

In this paper, we have proposed a secure multiplicative aggregation protocol. The protocol defines the interaction between the server and users who each have a high-dimensional private vector, and finally, the server outputs the component-wise product of online users’ input vectors. The execution process guarantees that no private information of honest users will be revealed. Users are allowed to drop out at any time of the protocol execution, and constant rounds of the protocol can remove the dropout users’ information from the product. We have proven that the protocol is correct and secure against semi-honest adversaries under correctness and security parameters.

We also discussed the case in which a fixed set of users want to perform secure additive/multiplicative aggregation together many times. By using one-time private keys for each aggregation execution and the bilinearity of a bilinear map, we constructed a key reusable secure additive aggregation protocol and a key reusable secure multiplicative aggregation protocol. All three protocols we presented have an overhead of polynomial magnitude with regard to the number of users n and the length of private vectors m by theoretical analysis.

It can be noted that we have only considered secure aggregation in the semi-honest security model, and a trusted authority is needed in the setup phase of our protocols. We will leave the construction of a malicious secure multiplicative aggregation protocol for future work.

Finally, we implement the secure multiplicative aggregation protocol and the key-reusable secure additive aggregation protocol and KB, increasing the number of users from $K=100$ to 500, the average per-user computation time increases by about 14.2–14.5 times, while the total server computation time increases by about 27.7–69.5 times, depending on the dropout rate. When the dropout rate increases from 0% to 30% at $K=500$, the total server computation time increases by about 1.61 times, whereas the average per-user computation time remains essentially unchanged. From the communication perspective, increasing K from 100 to 500 enlarges the average per-user communication overhead by about 2.9–3.2 times while leaving the total server communication overhead almost unaffected by the dropout rate. Moreover, across repeated interactions $q\in \{1,\dots ,10\}$, reusing Round 1 reduces the cumulative user and server computation time by about 2.49 times and 1.18 times at $q=10$, respectively, while the cumulative communication overhead changes only marginally, indicating that communication is dominated by the non-reused rounds.