A Novel Verifiable Functional Encryption Framework for Secure and Communication-Efficient Distributed Gradient Transmission Management

Abstract

Secure and bandwidth-conscious transmission of model updates is a central bottleneck in distributed machine learning. Existing secure aggregation and homomorphic encryption pipelines either reveal more than the task requires or incur prohibitive computation and communication costs. We introduce a verifiable functional encryption (VFE) framework that releases only the intended linear functions of client gradients while providing end-to-end integrity and privacy guarantees under standard lattice assumptions. Our instantiation, FlowAgg-FE, combines two novel components. First, KS-IPFE, a key-splittable inner-product FE scheme, supports per-round weighted aggregation, vector packing, and on-the-fly function changes without client re-encryption; function keys are distributed across two non-colluding helpers, eliminating a single point of trust and enabling lightweight, homomorphically verifiable tags on decrypted outputs. Second, PaS-Stream is a rate-adaptive encryption-and-compression pipeline that couples sketch-based gradient compression with batched FE ciphertext streaming, ensuring unbiased aggregation in the presence of stragglers and dropouts. We further bind client-side clipping to zero-knowledge range proofs and offer an optional differentially private release layer that composes with FE to yield $(\epsilon ,\delta )$-privacy. A prototype based on LWE demonstrates practicality across cross-device and cross-silo training: client uplink is reduced by 1.9–3.4× and server CPU time by $1.6\times$ versus state-of-practice encrypted secure aggregation, with accuracy within $0.3\%$ of plaintext baselines and correctness preserved under up to $30\%$ client dropout. These results show that verifiable FE can make secure, communication-efficient gradient transmission viable, as appropriate for theme of security and privacy in distributed machine learning of the Special Issue.

1. Introduction

Distributed machine learning, and federated learning (FL) in particular, have emerged as central paradigms for training models over data that remains on edge devices or organizational silos [1,2,3]. In such settings, each client $C_i$ computes a local update or gradient vector ${\mathbf{v}}_{i,t}$ on its private data in round t, and an untrusted aggregator seeks only a global statistic such as the weighted sum

$${\mathbf{G}}_t=\sum _{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\mathbf{v}}_{i,t},$$

where ${\mathcal{A}}_t$ is the (possibly random) set of participating clients and ${\alpha }_{i,t}$ are public aggregation weights. This pattern underlies cross-device FL in large-scale deployments [1,4], as well as cross-silo collaborations among institutions that cannot share raw data.

However, secure and communication-efficient transmission of ${\mathbf{v}}_{i,t}$ remains a key bottleneck relevant to the Special Issue’s theme of security and privacy in distributed machine learning. On the one hand, secure aggregation protocols ensure that the aggregator learns only ${\mathbf{G}}_t$ (or a related sum) and not individual ${\mathbf{v}}_{i,t}$ [5]. On the other hand, the bandwidth cost of sending dense, high-dimensional updates—together with cryptographic noise and integrity artifacts—limits the scalability of training, especially for on-device settings with constrained uplink [2,3]. Homomorphic encryption (HE) can support rich computation over encrypted updates [6,7,8], but generic HE-based pipelines incur substantial ciphertext expansion, heavy computation, and often expose the aggregation circuit and its structure to the server.

Existing systems therefore face a tension between privacy, functionality, and efficiency. Secure aggregation based on pairwise masks or additively homomorphic cryptosystems reveals the exact aggregate ${\mathbf{G}}_t$ to the server, but it does not provide function privacy: the function being computed is typically fixed (e.g., coordinate-wise sum) and known to all parties [5]. If the task owner wishes to change the function (for example, to aggregate only a subset of coordinates, or to work in a sketched space), new protocol instances or key material are required. Meanwhile, communication-efficient training methods—such as gradient quantization, sparsification, and sketching [9,10,11,12,13,14,15]—primarily address bandwidth and do not by themselves guarantee cryptographic privacy of the compressed updates. Finally, integrity mechanisms that protect against Byzantine clients often rely on heavyweight zero-knowledge proofs or verifiable computation that do not commute with the linear aggregation structure of FL [16,17].

Functional encryption (FE) offers an appealing abstraction: decryption keys reveal only the output of a specified function f on ciphertexts, while everything else about the underlying plaintexts remains hidden [18]. Inner-product FE (IPFE) schemes from LWE [19,20,21] instantiate this for linear functions, enabling one to obtain $\langle \mathbf{x},\mathbf{y}\rangle$ from an encryption of $\mathbf{x}$ and a key for $\mathbf{y}$, and nothing else. These constructions align naturally with the linear statistics used in FL, but existing FE work has not directly addressed the system-level challenges of high-dimensional gradient transmission, client dropouts, and streaming under straggler-heavy networks. Moreover, most FE designs assume a single, fully trusted key authority and do not provide practical mechanisms to split decryption capabilities across non-colluding helpers in a way that supports verifiable streaming aggregation.

1.1. Challenges

This work is motivated by the following three intertwined challenges:

(1) 

Function-private aggregation of high-dimensional updates. The server should learn only the quantities that are strictly necessary for model updates—such as selected coordinates of ${\mathbf{G}}_t$ or its image under a sketching operator—and nothing else about individual ${\mathbf{v}}_{i,t}$. Achieving this with FE requires handling vectors of dimension d in the millions, while maintaining practical key and ciphertext sizes [20,21].

(2) 

Communication and computation efficiency. Any secure transmission scheme must be competitive in both bandwidth and latency, with optimized secure aggregation pipelines deployed in practice [4,5]. This calls for integrating unbiased quantization and sketching [2,9,12,15] directly into the FE layer, preserving linearity so that the estimator of ${\mathbf{G}}_t$ remains unbiased after decryption, while keeping ciphertext expansion modest.

(3) 

Verifiable correctness under partial trust. In realistic deployments, a single aggregator or helper may be compromised. We therefore seek a design where decryption power is split across two non-colluding helpers, and where the server can verify that the decrypted aggregates genuinely reflect the sum of honestly contributed (and properly clipped) updates, without learning any intermediate plaintext. Existing linearly homomorphic authentication and MAC schemes [22,23] provide building blocks, but they need to commute with the FE aggregation path and operate efficiently at gradient scale.

1.2. Our Approach and Contributions

We propose FlowAgg-FE, a verifiable functional encryption framework for secure and communication-efficient gradient transmission in distributed machine learning. At its core are the following two novel algorithmic components:

I. 

KS-IPFE. A key-splittable, LWE-based inner-product FE scheme that supports blockwise linear aggregation over high-dimensional encoded gradients, with 2-of-2 threshold decryption across two non-colluding helpers.

II. 

PaS-Stream. A rate-adaptive, streaming transmission pipeline that combines Johnson–Lindenstrauss sketching, unbiased quantization, and blockwise FE encryption to enable straggler-tolerant, bandwidth-efficient aggregation.

Together with commuting linearly homomorphic tags and lightweight clipping proofs, these components realize an end-to-end pipeline in which the server learns only the intended linear image of client updates, and can verify aggregate integrity, while clients enjoy reduced uplink. Concretely, our contributions are as follows:

• Key-splittable inner-product FE for FL gradients. We design KS-IPFE, a dual-style LWE construction with gadget packing and explicit key splitting across two helpers. Each function key for a vector $\mathbf{y}$ is split into two individually simulatable shares; only when combined do they reveal the true inner product with the aggregated ciphertext. This enables thresholded, function-private decryption of ${\mathbf{G}}_t$ and on-the-fly function changes (e.g., different coordinate subsets or sketch spaces) without client-side re-encryption [18,20,21].
• PaS-Stream: Unbiased, streaming compression integrated with FE. We introduce PaS-Stream, which applies JL-style sketching and unbiased quantization [2,9,15] to clipped client updates, partitions the resulting compressed vectors into blocks, and encrypts each block with KS-IPFE. This preserves linearity and unbiasedness through the encoding and FE layers, yields a rate-adaptive stream that tolerates stragglers and dropouts, and lowers per-round uplink by up to $3.4\times$ compared to an optimized encrypted secure aggregation baseline.
• Commuting verifiability via linearly homomorphic tags. We co-design linearly homomorphic tags [22,23] and blockwise clipping proofs that commute with KS-IPFE aggregation. Tags are derived from encoded blocks and cross-checked with FE decryptions under a hidden selector, ensuring that the released aggregates match the sum of properly clipped client updates, even when some clients or a single helper are malicious. This yields a lightweight, scalable integrity mechanism compatible with large-scale distributed training [4].
• Implementation and empirical evaluation. We implement FlowAgg-FE with an LWE backend and efficient vector packing, and evaluate it on the CIFAR-10 and FEMNIST tasks [1,2]. Our results show that FE-based transmission can match plaintext and secure aggregation accuracy within $0.3\%$ absolute, while reducing per-client uplink by 1.9–3.4× and cutting server-side CPU time by up to $1.77\times$ under realistic participation and straggler models.

In general, FlowAgg-FE makes three conceptual contributions: (i) a key-splittable IPFE interface in which a coalition of $\mathsf{Srv}$ with at most one helper has only a simulatable view, (ii) a streaming sketch/compression path that preserves unbiasedness under value-independent dropouts, and (iii) commuting integrity checks (LHT + commitments) that bind the decrypted aggregate to authenticated client inputs.

The rest of the paper is organized as follows. Section 2 discusses related work on functional encryption, secure aggregation, compression for distributed optimization, and verifiable computation. Section 3 formalizes the distributed learning setting, adversarial model, and cryptographic tools. Section 4 presents the KS-IPFE construction and the PaS-Stream protocol in detail. Section 5 reports empirical results on vision and character recognition benchmarks. Section 6 concludes with a discussion of limitations and future directions.

2. Related Work

Functional encryption (FE) offers a paradigm in which decryption keys reveal only specified function outputs on encrypted data, rather than the data itself. The conceptual foundations and formal security notions for FE were articulated by Boneh, Sahai, and Waters [18], while predicate and attribute-focused forms (e.g., inner-product predicates) were developed via pairing-based and lattice-based techniques [20,21,24]. Our framework targets linear function evaluation over high-dimensional client updates, aligning with inner-product FE (IPFE) and its optimized instantiations from standard assumptions [20,21]. In contrast to those works, KS-IPFE introduces a two-share, non-colluding key-splitting interface that enables thresholded functional decryption and verifiable cross-checks without revealing per-client contributions. While multi-party and threshold designs are well-studied for homomorphic and public-key encryption [6,7,8], comparable key-splitting for FE targeted to streaming federated workloads has not been systematized in prior works.

2.1. Functional and Homomorphic Encryption for Linear Evaluation

IPFE constructions from LWE provide succinct linear evaluation under worst-case hardness assumptions [19,20,21]. These schemes expose only $\langle \mathbf{x},\mathbf{y}\rangle$ for chosen $\mathbf{y}$, complementing classical homomorphic encryption (HE), which permits generic circuit evaluation but with heavier ciphertext growth and resourcing [6,7,8]. Our design adopts an LWE-style dual form with gadget packing, exploiting ciphertext additivity to aggregate client streams before functional decryption, thus revealing only ${\mathbf{G}}_t$ rather than any individual ${\mathbf{v}}_{i,t}$. Compared to HE-based secure aggregation pipelines, FE avoids publishing aggregation circuits, maintains function privacy (hiding $\mathbf{y}$ unless authorized), and enables on-the-fly switching of $\mathbf{y}$ with re-keying at the helpers’ end rather than client-side re-encryption [7,20,21]. Classic IPFE gives any holder of ${\mathsf{sk}}_{\mathbf{y}}$ the ability to evaluate $\langle \mathbf{x},\mathbf{y}\rangle$ on each ciphertext, which is unsuitable for FL where no single entity should learn per-client values. Our KS-IPFE adds a 2-of-2 split with individually simulatable shares, enabling deployment where $\mathsf{Srv}$ can collude with at most one helper without breaking confidentiality [25,26].

2.2. Secure Aggregation and Federated Learning at Scale

Secure aggregation protocols compute sums of client-held vectors without disclosing the summands and are a cornerstone of federated learning deployments [4,5,27,28]. FedAvg and its communication-efficient variants established cross-device FL as a practical training modality with client-side clipping and partial participation [1,2,3]. Our FlowAgg-FE differs in two aspects. First, we cryptographically restrict disclosure to the linear image chosen by the task owner (e.g., blockwise coordinates or sketched aggregates) via FE keys rather than bespoke MPC masks [5]. Second, our PaS-Stream couples unbiased sketching with blockwise FE to make aggregation rate-adaptive and resilient to stragglers, integrating naturally with production-grade FL orchestration [4,28,29,30].

2.3. Communication Reduction: Quantization, Sparsification, and Sketching

A large section of the literature reduces uplink/round-trip costs by compressing gradients through quantization, sparsification, and randomized projections [2,9,10,11,12,13,14,15]. QSGD provides unbiased quantization with convergence guarantees [9]; 1-bit SGD and sign-based methods achieve extreme compression but may introduce bias unless error feedback is used [10,13,14]. Random projections in the Johnson–Lindenstrauss (JL) family preserve geometry with small distortion [15] and underpin sketched updates in FL [2]. PaS-Stream composes JL-type sketching with unbiased quantization while retaining linearity through the encoding and FE layers, so the estimator of ${\mathbf{G}}_t$ remains unbiased after decryption. Unlike prior compression-only methods [9,11,12], we cryptographically enforce that only the intended linear image of the compressed stream can be recovered.

2.4. Verifiability and Linearly Homomorphic Authentication

Ensuring integrity of aggregated updates is critical under Byzantine behavior. General-purpose succinct NIZKs and range proofs (e.g., Groth–Sahai and Bulletproofs) offer expressive commit-and-prove tools with lightweight verification [16,17]. Our commuting checks instantiate linearly homomorphic tags to validate blockwise sums and bind them to encoded vectors, then cross-check via an FE decryption under a hidden selector. This approach parallels linearly homomorphic authentication/signature lines for linear subspaces and network-coded data [22,23], but tailors them to the FE aggregation pathway so that tags and decryptions agree on the same encoding. The result is a verifiability layer that adds minimal overhead and composes with our thresholded FE path, unlike heavy verifiable computation that would evaluate full-model updates inside a SNARK [16,17,31].

2.5. Summary and Positioning

In summary, our contribution bridges three threads: (i) IPFE from LWE for linear function release with function privacy [18,20,21,32]; (ii) secure aggregation and FL systems engineering [1,3,4,5]; and (iii) communication-efficient compression with unbiased estimators [2,9,12,15]. KS-IPFE provides a key-splittable FE layer that preserves privacy against any single server and supports on-the-fly function changes, while PaS-Stream delivers rate-adaptive, unbiased transmission whose integrity is checked by commuting, linearly homomorphic tags [17,22,23,31]. To our knowledge, this end-to-end co-design—functional encryption + unbiased sketching/quantization + commuting verifiability—has not been previously articulated or evaluated in the FL setting.

3. Preliminaries

This section fixes notation, describes the distributed learning setting, specifies the adversarial model and security goals, and recalls cryptographic and statistical primitives used by our framework. All symbols introduced here are used consistently throughout Section 4, Section 5 and Section 6.

3.1. Notation and System Model

Let $\lambda$ be the security parameter and $\left[n\right]:=\{1,\dots ,n\}$. Vectors are bold lowercase, matrices bold uppercase, and all default norms are ${\mathcal{l}}_2$. For a real value x, let $\lfloor x\rceil$ denote rounding to the nearest integer. For modulus $q\in {\mathbb{Z}}_{>0}$ we write ${\mathbb{Z}}_q$ for integers modulo q and lift to vectors entrywise.

We consider cross-device or cross-silo training over n clients $\mathcal{C}={\left\{C_i\right\}}_{i=1}^n$ interacting with an untrusted aggregator $\mathsf{Srv}$ and two non-colluding helpers ${\mathsf{H}}_A,{\mathsf{H}}_B$. Training proceeds in rounds $t=1,\dots ,T$. The global model is ${\mathbf{w}}_t\in {\mathbb{R}}^d$. In round t, a subset ${\mathcal{A}}_t\subseteq \left[n\right]$ of available clients computes clipped gradients

$${\mathbf{v}}_{i,t}=\mathrm{clip}({\nabla }_{\mathbf{w}}{\mathcal{l}}_i\left({\mathbf{w}}_t\right),S)\mathrm{with}{\parallel {\mathbf{v}}_{i,t}\parallel }_2\le S,$$

(1)

for a fixed clipping threshold $S>0$. The task-relevant linear functional released in each round is the weighted aggregate

$${\mathbf{G}}_t=\sum _{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\mathbf{v}}_{i,t}\in {\mathbb{R}}^d,$$

(2)

for public weights ${\alpha }_{i,t}\in \mathbb{R}$. Our framework reveals only ${\mathbf{G}}_t$ (or a privatized variant) to $\mathsf{Srv}$; no other function of any ${\mathbf{v}}_{i,t}$ should be learned.

To interface with lattice cryptography, clients encode ${\mathbf{v}}_{i,t}$ into ${\mathbf{x}}_{i,t}\in {\mathbb{Z}}_q^d$ via a scaling factor $\Delta >0$:

$${\mathbf{x}}_{i,t}=\lfloor \Delta {\mathbf{v}}_{i,t}\rceil \mathrm{mod}q,\mathrm{and}\mathrm{dec}\left(\mathbf{z}\right)=\mathbf{z}/\Delta .$$

(3)

All ciphertexts in round t use the same modulus q and scale $\Delta$.

Symbol	Type	Meaning
$\mathcal{C},\mathsf{Srv},{\mathsf{H}}_A,{\mathsf{H}}_B$	sets/roles	clients, aggregator, helpers
$d,T,S$	integers/real	dimension, rounds, clipping threshold
${\mathbf{w}}_t$	${\mathbb{R}}^d$	global model at round t
${\mathbf{v}}_{i,t}$	${\mathbb{R}}^d$	clipped gradient of client i
${\alpha }_{i,t}$	$\mathbb{R}$	aggregation weight for client i
${\mathbf{x}}_{i,t}$	${\mathbb{Z}}_q^d$	encoded gradient (Equation (3))
$q,\Delta$	integers/real	modulus, fixed scaling factor
${\Phi }_t,Q_b$	matrix, map	sketching matrix, b-bit unbiased quantizer

3.2. Adversarial Model and Goals

We assume an adaptive PPT adversary that may corrupt $\mathsf{Srv}$ and any strict subset of $\{{\mathsf{H}}_A,{\mathsf{H}}_B\}$, but not both helpers simultaneously. While our core model assumes that at most one of $\{{\mathsf{H}}_A,{\mathsf{H}}_B\}$ colludes with $\mathsf{Srv}$, this can be instantiated operationally by placing the helpers under independent administrative domains (e.g., distinct cloud providers) and enforcing separation via auditing/contractual controls. As a defense-in-depth option, helper execution can be confined to Trusted Execution Environments (TEEs) with remote attestation so that key shares are provisioned only to attested code and decryption shares are released only for round-labeled aggregated ciphertexts. Finally, our masking-based key splitting in Equation (12) naturally generalizes to t-of-m helpers via secret sharing, reducing reliance on any single helper at the cost of additional helper messages.

Clients can be Byzantine and may deviate from the protocol (e.g., sending malformed ciphertexts). Network scheduling can cause stragglers and dropouts. Our goals are:

• Confidentiality. No adversary controlling $\mathsf{Srv}$ and at most one helper learns anything about individual ${\mathbf{v}}_{i,t}$ beyond the value of the allowed function(s) (Equation (2)) and public metadata.
• Function privacy. The structure of the function applied to encrypted data is hidden unless explicitly revealed via function keys.
• Verifiable correctness. The value output to $\mathsf{Srv}$ equals the prescribed function of honestly contributed inputs, except with negligible probability, even if clients or a single helper are malicious.
• Robust aggregation. The protocol remains correct under client dropouts; stragglers do not block progress.

Our confidentiality and function-privacy claims are proved in a model where $\mathsf{Srv}$ may collude with at most one helper. Concretely, the view of $\mathsf{Srv}+{\mathsf{H}}_A$ (or $\mathsf{Srv}+{\mathsf{H}}_B$) can be simulated given only the authorized aggregate outputs because each helper holds only a masked key share that is individually simulatable (Equation (5)). If both helpers collude with $\mathsf{Srv}$, the system degrades to standard IPFE and confidentiality of individual contributions is no longer expected. In practice, the non-collusion assumption can be approximated by placing helpers in independent administrative domains or by confining helper logic to TEEs with attestation; we also note that the key-splitting technique extends to t-of-m helpers to reduce reliance on any single helper at the cost of extra helper messages.

3.3. Functional Encryption Background

A functional encryption (FE) scheme for a message space $\mathcal{M}$ and function family $\mathcal{F}$ consists of four PPT algorithms

$$(\mathsf{Setup},\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}),$$

where $\mathsf{Setup}\left(1^{\lambda }\right)\to \mathsf{mpk},\mathsf{msk}$; $\mathsf{KeyGen}(\mathsf{msk},f)\to {\mathsf{sk}}_f$ for $f\in \mathcal{F}$; $\mathsf{Enc}(\mathsf{mpk},m)\to ct$ for $m\in \mathcal{M}$; and $\mathsf{Dec}({\mathsf{sk}}_f,ct)\to f\left(m\right)$. The security notion guarantees that $ct$ reveals nothing about m beyond what is implied by the outputs $f\left(m\right)$; for keys ${\mathsf{sk}}_f$ the adversary holds.

Inner-Product FE (IPFE). We use a vector space $\mathcal{M}={\mathbb{Z}}_q^d$ and functions $\mathcal{F}=\{\mathbf{y}\mapsto \langle \mathbf{x},\mathbf{y}\rangle$$\mathrm{mod}q:\mathbf{y}\in {\mathbb{Z}}_q^d\}$. An IPFE scheme satisfies ciphertext additivity: for encryptions $c{t}_j\leftarrow \mathsf{Enc}(\mathsf{mpk},{\mathbf{x}}_j)$ under the same public key,

$$\mathsf{Dec}({\mathsf{sk}}_{\mathbf{y}},\sum _{j}c{t}_j)=\sum _j\langle {\mathbf{x}}_j,\mathbf{y}\rangle \mathrm{mod}q.$$

(4)

Equation (4) lets the aggregator homomorphically combine client ciphertexts before functional decryption, ensuring that only an aggregate value is ever revealed. We require a 2-of-2 threshold variant in which $\mathsf{KeyGen}$ returns a pair of shares $({\mathsf{sk}}_{\mathbf{y}}^A,{\mathsf{sk}}_{\mathbf{y}}^B)$ distributed to ${\mathsf{H}}_A$ and ${\mathsf{H}}_B$. Each helper computes a decryption share ${\sigma }^{\circ }\leftarrow \mathsf{DecShare}({\mathsf{sk}}_{\mathbf{y}}^{\circ },CT)$ on an aggregate ciphertext $CT$, and a public combiner $\mathsf{Comb}$ outputs the result

$$\mathsf{Comb}\left({\sigma }^A,{\sigma }^B\right)=\langle \sum _j{\mathbf{x}}_j,\mathbf{y}\rangle \mathrm{mod}q,\mathrm{with}\left({\sigma }^A,{\sigma }^B\right)\mathrm{individually}\mathrm{simulatable}.$$

(5)

No single helper can learn the function value alone. Classic IPFE gives any holder of ${\mathsf{sk}}_{\mathbf{y}}$ the ability to evaluate $\langle \mathbf{x},\mathbf{y}\rangle$ on each ciphertext, which is unsuitable for FL where no single entity should learn per-client values. Our KS-IPFE adds a 2-of-2 split with individually simulatable shares (Equation (5)), enabling deployment where $\mathsf{Srv}$ can collude with at most one helper without breaking confidentiality; the cost is an explicit helper-separation assumption that we analyze in Section 3.2.

3.4. LWE Tools and Encoding

Our constructions are LWE-based. Let $n_{\mathcal{l}}$ be the LWE dimension, q a prime modulus, and $\chi$ a discrete Gaussian or subgaussian error distribution over $\mathbb{Z}$. A sample $(\mathbf{a},b)\in {\mathbb{Z}}_q^{n_{\mathcal{l}}}\times {\mathbb{Z}}_q$ is drawn as $\mathbf{a}{\leftarrow }_R{\mathbb{Z}}_q^{n_{\mathcal{l}}}$, $b=\langle \mathbf{a},\mathbf{s}\rangle +e\mathrm{mod}q$ for secret $\mathbf{s}{\leftarrow }_R{\mathbb{Z}}_q^{n_{\mathcal{l}}}$ and noise $e\leftarrow \chi$. The hardness of distinguishing such samples from uniform is the LWE assumption at parameters $(n_{\mathcal{l}},q,\chi )$.

Additive homomorphism. LWE encryption of messages in ${\mathbb{Z}}_q$ is additively homomorphic: summing ciphertexts componentwise produces a valid encryption of the sum with controlled noise growth. Vector encryption follows by componentwise encoding or via gadget decomposition. With the encoding of Equation (3), the post-decryption rescaling by ${\Delta }^{-1}$ recovers real-valued aggregates with bounded rounding error.

Noise budgeting. Let $\eta$ upper bound the decryption noise after summing at most B ciphertexts in a round. We pre-allocate q and $\Delta$ so that

$$\eta \ll q/4\mathrm{and}\Delta S\ll q/8,$$

(6)

ensuring correctness for $B\le |{\mathcal{A}}_t|$. KS-IPFE decryption is exact on the encoded integers (up to negligible failure probability): LWE noise is only a correctness concern and does not introduce additional approximation error when rounding succeeds. Consequently, the total estimation error of FlowAgg-FE decomposes cleanly into (i) sketching error (zero-mean, with variance controlled by k and the choice of ${\Phi }_t$) and (ii) quantization/encoding error from $Q_b$ and scaling by $\Delta$. In particular, for any coordinate value u, the integer encoding/decoding contributes a deterministic rounding term bounded as $|{\epsilon }_{\mathrm{rnd}}| \le 1/(2\Delta )$, while the stochastic quantizer remains unbiased, $\mathbb{E}\left[{\epsilon }_q\right]=0$, with variance controlled by b. This addresses the worst-case numerical stability: no additional approximation is introduced by FE beyond the controlled quantization/sketching error.

3.5. Compression and Streaming

To reduce uplink, we use sketching and unbiased quantization before encryption. Let ${\Phi }_t\in {\{\pm 1/\sqrt{k}\}}^{k\times d}$ be a per-round public Johnson–Lindenstrauss transform and $k\ll d$. Define the sketch

$${\mathbf{s}}_{i,t}={\Phi }_t{\mathbf{v}}_{i,t}\in {\mathbb{R}}^k.$$

(7)

Let $Q_b:\mathbb{R}\to \left(2^b-\mathrm{levels}\right)$ be a stochastic quantizer with $\mathbb{E}[Q_b\left(z\right)\mid z]=z$ and bounded variance $\mathbb{V}\left[Q_b\left(z\right)\right]\le {\sigma }_b^2$ (e.g., randomized rounding with per-block scale). The transmitted payload encodes ${\mathbf{u}}_{i,t}=Q_b\left({\mathbf{s}}_{i,t}\right)$. Unbiasedness preserves aggregated expectations

$$\mathbb{E}\left[\sum _{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\mathbf{u}}_{i,t}\right]=\sum _{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\mathbf{s}}_{i,t}={\Phi }_t{\mathbf{G}}_t.$$

(8)

A rate-adaptive streaming interface breaks ${\mathbf{u}}_{i,t}$ into fixed-size chunks ${\mathbf{u}}_{i,t}^{\left(b\right)}$ that are each encoded to ${\mathbf{x}}_{i,t}^{\left(b\right)}$ and encrypted, enabling partial aggregation when stragglers drop.

3.6. Verifiability Primitives

We rely on two lightweight building blocks that commute with linear aggregation.

Linearly homomorphic tags (LHT). Let $\kappa {\leftarrow }_R{\mathbb{Z}}_p^d$ be a secret tag key for a large prime p. A client computes

$${\tau }_{i,t}=\langle \lfloor \Delta {\mathbf{v}}_{i,t}\rceil ,\kappa \rangle \mathrm{mod}p,$$

(9)

and sends ${\tau }_{i,t}$ alongside the FE ciphertext. Aggregation preserves linearity as follows:

$$\sum _{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\tau }_{i,t}\equiv 〈\sum _{i\in {\mathcal{A}}_t}{\alpha }_{i,t}\lfloor \Delta {\mathbf{v}}_{i,t}\rceil ,\kappa 〉\mathrm{mod}p.$$

(10)

Choosing $\kappa$ uniformly makes individual tags pseudorandom to $\mathsf{Srv}$. In KS-IPFE we can also decrypt the same aggregate with function vector $\kappa$ to reproduce the right-hand side of Equation (10) and cross-check consistency without revealing any per-client information.

Range and clipping proofs. Each client binds its encoded vector ${\mathbf{x}}_{i,t}$ to a commitment $\mathsf{Com}({\mathbf{x}}_{i,t};r_{i,t})$ and proves in zero-knowledge that

$$\parallel {\mathbf{v}}_{i,t}{\parallel }_2 \le S\mathrm{and}{\mathbf{x}}_{i,t}=\lfloor \Delta {\mathbf{v}}_{i,t}\rceil \mathrm{mod}q,$$

using a commit-and-prove system with linear relations. These proofs are additively aggregatable: verifier checks succeed on the sum of commitments when all individual statements hold, matching the FE aggregation path.

4. Methodology

We now instantiate FlowAgg-FE with a concrete key-splittable inner-product functional encryption (KS-IPFE) scheme and a streaming transmission pipeline (PaS-Stream) that together realize the goals set out in Section 3. Unless stated otherwise, the plaintext vectors handled by FE in this section are the encoded payloads derived from either the full clipped gradients ${\mathbf{v}}_{i,t}$ via Equation (3) or, when PaS-Stream is active, from the unbiased sketches ${\mathbf{u}}_{i,t}=Q_b\left({\Phi }_t{\mathbf{v}}_{i,t}\right)$ via the same encoding. Viewing all FE plaintexts through this encoding lens keeps Equations (4)–(10) consistent and lets us reason about correctness and security directly at the level of encoded blocks.

4.1. Architectural Overview of FlowAgg-FE

FlowAgg-FE is structured as a layered architecture that aligns the cryptographic design of KS-IPFE with the systems concerns of streaming, robustness, and verifiability. The roles are as in Section 3: a population of clients $\mathcal{C}=\left\{C_i\right\}$, an untrusted aggregator $\mathsf{Srv}$, and two non-colluding helpers ${\mathsf{H}}_A,{\mathsf{H}}_B$. All parties share public cryptographic parameters and model hyperparameters; only the helpers hold FE function key shares. At a high level, each training round t consists of three phases: (i) function selection and key materialization, (ii) client-side compression, encoding, and encryption, and (iii) server-side aggregation, threshold decryption, and verification.

In the function selection and key materialization phase, a key authority (which may be an initialization-time trusted party or a distributed setup protocol) runs the KS-IPFE setup algorithm to produce $(\mathsf{mpk},\mathsf{msk})$, as described later in detail. The public key $\mathsf{mpk}$ is disseminated to all clients and to $\mathsf{Srv}$, while the master secret key $\mathsf{msk}$ is retained solely for generating function keys. To support changing linear functions on-the-fly (e.g., per-round masks, adaptive weighting, or auditing vectors), the authority issues fresh split keys $({\mathsf{sk}}_{{\mathbf{y}}_t}^A,{\mathsf{sk}}_{{\mathbf{y}}_t}^B)$ tagged with the round identifier t. Helpers keep only the currently active shares (plus long-lived basis shares for ${\left\{{\mathbf{e}}_j\right\}}_{j\in \left[D\right]}$), which makes revocation as simple as deleting prior-round shares. Synchronization is handled by including the round id in helper responses and rejecting stale shares at $\mathsf{Srv}$. The per-round key material is $O(m+D{\mathcal{l}}_g)$ elements per helper, which is negligible compared to per-round ciphertext traffic in our regimes. For a given training regime, the task owner specifies a family of allowable linear functionals over encoded blocks, such as (i) individual coordinates ${\mathbf{e}}_j$, (ii) rows of a sketching matrix ${\Phi }_t$ used in PaS-Stream, or (iii) secret tag vectors ${\kappa }_t$ used for verifiability. For each such vector $\mathbf{y}$, the authority runs $\mathsf{KeyGen}$ to obtain a pair of key shares $({\mathsf{sk}}_{\mathbf{y}}^A,{\mathsf{sk}}_{\mathbf{y}}^B)$ and distributes them to ${\mathsf{H}}_A$ and ${\mathsf{H}}_B$, respectively. Because KS-IPFE keys are splittable and each share is individually simulatable, no single helper can recover inner products alone, yet together they can support decryption for any authorized linear functional. We note that although we model the key authority as a logical role, it is needed only at initialization (and when the authorized function set changes). To remove a single point of failure, the master secret $\mathsf{msk}$ can be generated and held by a small committee via distributed key generation/threshold secret sharing, and function-key issuance can be made auditable [33]. Alternatively, $\mathsf{msk}$ can be sealed inside an HSM/TEE so that only a rate-limited key-derivation interface is exposed and no bulk secret material is exportable.

In the client-side phase of round t, the aggregator broadcasts the current global model ${\mathbf{w}}_t$ and, when PaS-Stream is enabled, the public sketching matrix is ${\Phi }_t$ and quantization is configured (e.g., the bit-width b and scale ranges used by $Q_b$). Each client $C_i\in {\mathcal{A}}_t$ computes its clipped gradient according to Equation (1), obtaining ${\mathbf{v}}_{i,t}$ with $\parallel {\mathbf{v}}_{i,t}{\parallel }_2 \le S$. Depending on the mode, the payload prior to encryption is either the full vector ${\mathbf{v}}_{i,t}$ (KS-IPFE only) or a compressed representation ${\mathbf{u}}_{i,t}=Q_b\left({\Phi }_t{\mathbf{v}}_{i,t}\right)$ that satisfies the unbiasedness property of Equation (8). The client then maps this payload into an integer vector via Equation (3), producing ${\mathbf{x}}_{i,t}\in {\mathbb{Z}}_q^k$ for some working dimension k (equal to d in the full-precision case and to the sketch dimension in PaS-Stream). This vector is partitioned into contiguous blocks of size D, ${\mathbf{x}}_{i,t}^{\left(1\right)},\dots ,{\mathbf{x}}_{i,t}^{\left(B_t\right)}$, each of which is encrypted independently under $\mathsf{mpk}$ using the KS-IPFE encryption algorithm. For every block, the client also computes a linearly homomorphic tag and a clipping/encoding proof that binds ${\mathbf{x}}_{i,t}^{\left(b\right)}$ to a valid, correctly clipped source vector. The collection of ciphertexts, tags, and proofs for all blocks is streamed towards $\mathsf{Srv}$ using a simple, nonce-based framing that preserves block ordering.

The server-side phase begins as soon as $\mathsf{Srv}$ receives the first block ciphertexts. Rather than waiting for all clients, $\mathsf{Srv}$ incrementally forms aggregated ciphertexts for each block index b by computing weighted sums across the subset of clients whose b-th block has arrived, as in Equation (14). In parallel, $\mathsf{Srv}$ aggregates the corresponding tags, preserving linearity at the tag level. The aggregated ciphertext pair $({\mathbf{C}}_1^{\left(b\right)},{\mathbf{C}}_2^{\left(b\right)})$ and any necessary public metadata are then forwarded to both helpers. Each helper uses its share of the FE keys to compute decryption shares for the relevant function vectors (e.g., the coordinate basis vectors and the secret tag vector ${\kappa }_t$), which are then combined at $\mathsf{Srv}$ to recover (i) the blockwise sums of encoded payloads and (ii) an independently reconstructed tag. The latter is cross-checked against the aggregated tag to detect any tampering or malformed ciphertexts, while the former yields either a block of the aggregated gradient ${\sum }_{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\mathbf{v}}_{i,t}$ or, in PaS-Stream mode, a block of the aggregated sketch ${\sum }_{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\mathbf{u}}_{i,t}$. After rescaling and (if needed) applying ${\Phi }_t^{\top }$, $\mathsf{Srv}$ obtains an estimator of ${\mathbf{G}}_t$ and performs the model update for round t.

We note that a key feature of this architecture is that ciphertext aggregation and verification commute with functional decryption. Because KS-IPFE is additively homomorphic with respect to ciphertexts (Equation (4)) and the tags are linearly homomorphic (Equation (10)), $\mathsf{Srv}$ can aggregate encrypted blocks and tags independently, and the helpers can perform decryption on these aggregates without ever seeing per-client plaintexts. This property is crucial for scalability: it ensures that helper workload scales with the number of blocks per round, not with the number of clients, and that verification overhead remains modest.

4.2. KS-IPFE: Key-Splittable LWE-Based Construction

The KS-IPFE component of FlowAgg-FE provides the cryptographic substrate that allows the aggregator and the two helpers to recover only prescribed linear functionals of encrypted updates. It is tailored to the FL setting in Section 3 by (i) operating over high-dimensional encoded vectors arising from Equation (3), (ii) supporting ciphertext aggregation before decryption as in Equation (4), and (iii) splitting every function key into two individually simulatable shares held by non-colluding helpers. This subsection refines the construction in a more algebraic manner, explicitly tracking dimensions, noise terms, and the simulation-based security view.

We fix a block length $D\in {\mathbb{Z}}_{>0}$ and view each FE plaintext as a block $\mathbf{x}\in {\mathbb{Z}}_q^D$. A working vector of dimension k (either $k=d$ for full gradients or k equal to the sketch dimension in PaS-Stream) is partitioned into $B=\lceil k/D\rceil$ blocks, so that the b-th block is denoted ${\mathbf{x}}^{\left(b\right)}$ for $b\in \left[B\right]$. Typical choices such as $D\in \{32,64\}$ balance the amortization of gadget-based packing with the number of function keys that must be instantiated per round. All arithmetic is in the residue ring ${\mathbb{Z}}_q$, where $q\in {\mathbb{Z}}_{>0}$ is chosen together with the LWE dimension $n_{\mathcal{l}}$ and error distributions $\chi ,{\chi }^{\prime }$ to satisfy the noise budget in Equation (6). We write m for the width of the public matrix A, with $m=\mathrm{poly}\left(\lambda \right)$.

The construction follows a dual-style LWE template with gadget packing. Let $G_D\in {\mathbb{Z}}_q^{D{\mathcal{l}}_g\times D}$ be a block-diagonal gadget matrix implementing base-2 decomposition with ${\mathcal{l}}_g$ digits per coordinate. Concretely, $G_D=\mathrm{diag}(g,\dots ,g)$ with D blocks $g={(1,2,\dots ,2^{{\mathcal{l}}_g-1})}^{\top }$, so that for any $\mathbf{x}\in {\mathbb{Z}}_q^D$, the product $\widehat{\mathbf{x}}:=G_D\mathbf{x}\in {\mathbb{Z}}_q^{D{\mathcal{l}}_g}$ represents the expansion of each coordinate of $\mathbf{x}$ in base 2. There exists a (not necessarily unique) left inverse $G_D^{†}\in {\mathbb{Z}}_q^{D\times D{\mathcal{l}}_g}$ such that $G_D^{†}{G}_D\equiv I_D\left(\mathrm{mod}q\right)$ on the range of interest (i.e., for coefficients below the wrap-around threshold). This allows us to pass back and forth between the “digit” domain and the original coordinate domain inside the decryption algorithm.

Setup. In the setup phase, the authority samples

$$A{\leftarrow }_R{\mathbb{Z}}_q^{n_{\mathcal{l}}\times m},S\leftarrow {\chi }^{m\times D{\mathcal{l}}_g},E\leftarrow {{\chi }^{\prime }}^{n_{\mathcal{l}}\times D{\mathcal{l}}_g},$$

where the entries of S and E are independent draws from subgaussian integer distributions $\chi ,{\chi }^{\prime }$, respectively (e.g., discrete Gaussians with parameter $\sigma$ and ${\sigma }^{\prime }$). We define

$$B:=AS+E\in {\mathbb{Z}}_q^{n_{\mathcal{l}}\times D{\mathcal{l}}_g},$$

(11)

and publish the master public key $\mathsf{mpk}=(A,B,G_D)$ while retaining the master secret key $\mathsf{msk}=S$. Under the LWE assumption at parameters $(n_{\mathcal{l}},q,{\chi }^{\prime })$, the joint distribution $(A,B)$ is computationally indistinguishable from $(A,U)$, where $U{\leftarrow }_R{\mathbb{Z}}_q^{n_{\mathcal{l}}\times D{\mathcal{l}}_g}$ is uniform; consequently, $\mathsf{mpk}$ reveals no information about S beyond what is implied by the security parameter.

Key generation and splitting. To authorize decryption of inner products with a block-level function vector $\mathbf{y}\in {\mathbb{Z}}_q^D$, the authority first embeds $\mathbf{y}$ into the gadget domain by computing

$$\tilde{\mathbf{y}}:=G_D^{\top }\mathbf{y}\in {\mathbb{Z}}_q^{D{\mathcal{l}}_g}.$$

We interpret $\tilde{\mathbf{y}}$ as the vector of “digit weights” corresponding to the functional $\langle \mathbf{x},\mathbf{y}\rangle$ acting on gadget-packed plaintexts. Using $\mathsf{msk}=S$, we compute a base key

$$K:=S\tilde{\mathbf{y}}\in {\mathbb{Z}}_q^m.$$

Intuitively, K is the dual secret associated with the function vector $\mathbf{y}$, analogous to the secret key in standard LWE decryption.

We now choose a masking vector $W{\leftarrow }_R{\mathbb{Z}}_q^m$ uniformly at random and define the two key shares as

$${\mathsf{sk}}_{\mathbf{y}}^A=(\tilde{\mathbf{y}},W),{\mathsf{sk}}_{\mathbf{y}}^B=(\tilde{\mathbf{y}},K-W\mathrm{mod}q).$$

(12)

Each helper receives only its own share. The distribution of ${\mathsf{sk}}_{\mathbf{y}}^A$ (resp. ${\mathsf{sk}}_{\mathbf{y}}^B$) is computationally indistinguishable from $(\tilde{\mathbf{y}},U_m)$, where $U_m$ is uniform in ${\mathbb{Z}}_q^m$, since W is uniform and independent of K. In particular, any PPT adversary that corrupts at most one helper learns no additional information about K beyond what is already implied by $\mathbf{y}$ and the allowed function outputs. This observation underlies the threshold property of KS-IPFE: decryption requires cooperation between ${\mathsf{H}}_A$ and ${\mathsf{H}}_B$, while each helper’s view alone can be simulated from public information and oracle access to function outputs.

Client encryption. For a single block payload $\mathbf{x}\in {\mathbb{Z}}_q^D$, derived from either ${\mathbf{v}}_{i,t}$ or its sketch as in Equation (3), client $C_i$ forms the gadget-packed vector

$$\widehat{\mathbf{x}}:=G_D\mathbf{x}\in {\mathbb{Z}}_q^{D{\mathcal{l}}_g}.$$

We regard $\widehat{\mathbf{x}}$ as a column vector. The client then samples a fresh randomness vector $r{\leftarrow }_R{\mathbb{Z}}_q^{n_{\mathcal{l}}}$ and error terms

$$e_1\leftarrow {\chi }^m,e_2\leftarrow {{\chi }^{\prime }}^{D{\mathcal{l}}_g},$$

and computes the ciphertext components

$${\mathbf{c}}_1:=A^{\top }r+e_1\in {\mathbb{Z}}_q^m,{\mathbf{c}}_2:=B^{\top }r+\widehat{\mathbf{x}}+e_2\in {\mathbb{Z}}_q^{D{\mathcal{l}}_g}.$$

(13)

The per-block ciphertext is the pair $ct=({\mathbf{c}}_1,{\mathbf{c}}_2)$. Note that if we define the “ideal” noiseless ciphertext as $({\overline{\mathbf{c}}}_1,{\overline{\mathbf{c}}}_2)=(A^{\top }r,B^{\top }r+\widehat{\mathbf{x}})$, then $({\mathbf{c}}_1,{\mathbf{c}}_2)$ differs from $({\overline{\mathbf{c}}}_1,{\overline{\mathbf{c}}}_2)$ by an additive error vector $(e_1,e_2)$.

Ciphertext aggregation. Once $\mathsf{Srv}$ has received ciphertexts for a given block index b from a subset ${\mathcal{A}}_t\subseteq \left[n\right]$ of clients in round t, it uses the fixed-point weights ${\tilde{\alpha }}_{i,t}\in {\mathbb{Z}}_q$ (encoding the real weights ${\alpha }_{i,t}$) to form the aggregated ciphertext

$${\mathbf{C}}_1^{\left(b\right)}:=\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{\mathbf{c}}_{1,i}^{\left(b\right)},{\mathbf{C}}_2^{\left(b\right)}:=\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{\mathbf{c}}_{2,i}^{\left(b\right)}.$$

(14)

Writing $r_i^{\left(b\right)}$ for the randomness used by $C_i$ on block b and ${\widehat{\mathbf{x}}}_i^{\left(b\right)}$ for its gadget-packed plaintext, we can decompose

$${\mathbf{C}}_1^{\left(b\right)}=A^{\top }\left(\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{r}_i^{\left(b\right)}\right)+\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{e}_{1,i}^{\left(b\right)},$$

$${\mathbf{C}}_2^{\left(b\right)}=B^{\top }\left(\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{r}_i^{\left(b\right)}\right)+\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{\widehat{\mathbf{x}}}_i^{\left(b\right)}+\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{e}_{2,i}^{\left(b\right)}.$$

The aggregated error vectors

$$E_{1,t}^{\left(b\right)}:=\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{e}_{1,i}^{\left(b\right)},E_{2,t}^{\left(b\right)}:=\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{e}_{2,i}^{\left(b\right)}+E^{\top }\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{r}_i^{\left(b\right)}$$

remain subgaussian with parameter depending on $|{\mathcal{A}}_t|$; Equation (6) is chosen precisely so that their magnitude is well within the decryption margin.

Threshold decryption and correctness. For each block and each authorized function vector $\mathbf{y}\in {\mathbb{Z}}_q^D$, helper ${\mathsf{H}}_{\circ }$ with share ${\mathsf{sk}}_{\mathbf{y}}^{\circ }=(\tilde{\mathbf{y}},W^{\circ })$ computes a decryption share

$${\sigma }^{\circ }:=\langle \tilde{\mathbf{y}},{\mathbf{C}}_2^{\left(b\right)}\rangle -\langle W^{\circ },{\mathbf{C}}_1^{\left(b\right)}\rangle \in {\mathbb{Z}}_q,$$

(15)

where $W^A=W$ and $W^B=K-W$ as in Equation (12). Summing these shares yields

$$\begin{array}{cc}\hfill {\sigma }^A+{\sigma }^B& =〈\tilde{\mathbf{y}},{\mathbf{C}}_2^{\left(b\right)}〉-〈K,{\mathbf{C}}_1^{\left(b\right)}〉\hfill \\ & =〈\tilde{\mathbf{y}},B^{\top }\sum _i{\tilde{\alpha }}_{i,t}{r}_i^{\left(b\right)}+\sum _i{\tilde{\alpha }}_{i,t}{\widehat{\mathbf{x}}}_i^{\left(b\right)}+E_{2,t}^{\left(b\right)}〉\hfill \\ & -〈S\tilde{\mathbf{y}},A^{\top }\sum _i{\tilde{\alpha }}_{i,t}{r}_i^{\left(b\right)}+E_{1,t}^{\left(b\right)}〉\hfill \\ & =〈\sum _i{\tilde{\alpha }}_{i,t}{\widehat{\mathbf{x}}}_i^{\left(b\right)},\tilde{\mathbf{y}}〉+〈E^{\top }\sum _i{\tilde{\alpha }}_{i,t}{r}_i^{\left(b\right)},\tilde{\mathbf{y}}〉\hfill \\ & +〈\tilde{\mathbf{y}},E_{2,t}^{\left(b\right)}〉-〈S\tilde{\mathbf{y}},E_{1,t}^{\left(b\right)}〉\left(\mathrm{mod}q\right).\hfill \end{array}$$

(16)

Denoting the total noise term in Equation (16) by $N_t^{\left(b\right)}\left(\mathbf{y}\right)$, we can write

$${\sigma }^A+{\sigma }^B\equiv 〈\sum _i{\tilde{\alpha }}_{i,t}{\widehat{\mathbf{x}}}_i^{\left(b\right)},\tilde{\mathbf{y}}〉+N_t^{\left(b\right)}\left(\mathbf{y}\right)\left(\mathrm{mod}q\right).$$

Because ${\widehat{\mathbf{x}}}_i^{\left(b\right)}=G_D{\mathbf{x}}_{i,t}^{\left(b\right)}$, and $G_D^{†}{G}_D\equiv I_D\left(\mathrm{mod}q\right)$ on the relevant range, we have

$$〈\sum _i{\tilde{\alpha }}_{i,t}{\widehat{\mathbf{x}}}_i^{\left(b\right)},\tilde{\mathbf{y}}〉=〈\sum _i{\tilde{\alpha }}_{i,t}{G}_D{\mathbf{x}}_{i,t}^{\left(b\right)},G_D^{\top }\mathbf{y}〉=〈\sum _i{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)},\mathbf{y}〉,$$

where we used the identity $\langle G_D\mathbf{x},G_D^{\top }\mathbf{y}\rangle =\langle \mathbf{x},\mathbf{y}\rangle$ modulo q when no wrap-around occurs. By Equation (6), the subgaussian tails of $N_t^{\left(b\right)}\left(\mathbf{y}\right)$ ensure that $|N_t^{\left(b\right)}{\left(\mathbf{y}\right)|}_{\infty }\ll q/4$ with probability at least $1-2^{-\lambda }$, so rounding to the nearest integer in the canonical interval $(-q/2,q/2]$ recovers

$$z^{\left(b\right)}\left(\mathbf{y}\right):=\mathsf{Round}\left({\sigma }^A+{\sigma }^B\right)=〈\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)},\mathbf{y}〉\in \mathbb{Z},$$

with overwhelming probability.

By choosing $\mathbf{y}={\mathbf{e}}_j$ for $j=1,\dots ,D$, the helpers can reconstruct all D coordinates of the blockwise weighted sum ${\sum }_i{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)}$ from encrypted inputs. Mapping these coordinates back through the scaling factor $\Delta$ in Equation (3) then yields the corresponding portion of ${\mathbf{G}}_t$ or of its sketched variant, up to deterministic rounding error controlled by $\Delta$ and the clipping threshold S.

Security intuition and cost. From a security perspective, KS-IPFE inherits the indistinguishability guarantees of LWE-based IPFE. An IND-style security game for KS-IPFE can be phrased as follows: An adversary chooses two message families $\left\{{\mathbf{x}}_i^{(b,0)}\right\},\left\{{\mathbf{x}}_i^{(b,1)}\right\}$ with the same values under all functions for which it holds key shares, receives encryptions of one of the two (chosen at random), along with one key share per function vector, and must guess which family was encrypted. Under the LWE assumption and the simulatable distribution of key shares in Equation (12), any PPT adversary controlling $\mathsf{Srv}$ and at most one helper has at most negligible advantage in this game. Intuitively, replacing $(A,B)$ with uniform, then replacing ciphertexts with uniform, and finally replacing the key share mask W with uniform in hybrids yields a distribution that depends only on the revealed function outputs.

On the cost side, one KS-IPFE encryption of a block requires forming $\widehat{\mathbf{x}}=G_D\mathbf{x}$ and two matrix-vector multiplications $A^{\top }r$ and $B^{\top }r$, plus additions by small error terms. With NTT-friendly moduli and a structured choice of $A,B$, these multiplications can be implemented in $O\left(n_{\mathcal{l}}m\right)$ ring operations with a modest constant. Server-side aggregation is linear in the number of ciphertexts actually received and consists of scalar additions in ${\mathbb{Z}}_q$. Helper-side decryption uses $O\left(D{\mathcal{l}}_g\right)$ ring operations per decryption share (one inner product with ${\mathbf{C}}_2^{\left(b\right)}$ and one with ${\mathbf{C}}_1^{\left(b\right)}$), so for F distinct function vectors and B blocks, the total number of decryption operations per round scales as $O\left(FBD{\mathcal{l}}_g\right)$, independent of $|{\mathcal{A}}_t|$. In the regimes we evaluate in Section 5, a configuration with $q=2^{32}$, $n_{\mathcal{l}}=1024$, ${\mathcal{l}}_g=16$, $D=64$, and carefully tuned $\chi ,{\chi }^{\prime }$ yields a per-block decryption failure probability below $2^{-40}$ and supports several thousand contributing clients per round, while keeping per-client ciphertext sizes within a small constant factor of plaintext updates. More detailed game-based proofs (including the reduction to LWE and simulation of single-helper views) are provided in Appendix B.

4.3. Verifiable Aggregation with Commuting Checks

In addition to confidentiality and function privacy, FlowAgg-FE must enforce that the decryptions released to $\mathsf{Srv}$ coincide with valid linear aggregates of correctly clipped and encoded client updates, even in the presence of Byzantine clients and a potentially adversarial single helper. The verifiability layer is engineered so that all checks commute with the KS-IPFE aggregation pipeline: every operation can be written as an $\mathbb{Z}$-linear map applied either before or after ciphertext aggregation, and the corresponding verification conditions are preserved up to negligible statistical or computational error. This section refines the informal description from Section 3 into a more algebraic treatment.

4.3.1. Linearly Homomorphic Tags as a MAC over the FE Plaintext Space

Let p be a large prime such that $p>q$ and p is co-prime with q, and let ${\mathbb{Z}}_p$ be the finite field of order p. For each round t, an authentication key space is defined as ${\mathcal{K}}_{\mathrm{LHT}}={\mathbb{Z}}_p^D$, and a tag space as ${\mathcal{T}}_{\mathrm{LHT}}={\mathbb{Z}}_p$. A per-round authentication key is sampled as

$${\kappa }_t{\leftarrow }_R{\mathbb{Z}}_p^D,$$

and is made available to all clients and to the KS-IPFE key generator (for the purpose of deriving ${\mathsf{sk}}_{{\kappa }_t}^A,{\mathsf{sk}}_{{\kappa }_t}^B$), but not to $\mathsf{Srv}$. We treat ${\kappa }_t$ as an ephemeral, per-round secret used only to authenticate that the decrypted aggregate matches the client-supplied tags in that round. ${\kappa }_t$ is generated by the same (possibly distributed) authority that issues KS-IPFE keys, is delivered to clients over an authenticated channel, and is erased after round t closes; helpers receive only FE key shares for the corresponding function vector ${\overline{\kappa }}_t$. The soundness of the LHT check requires that $\mathsf{Srv}$ does not learn ${\kappa }_t$; if a compromised client discloses ${\kappa }_t$ to $\mathsf{Srv}$, then the server could forge tags for that round. We now make this collusion caveat explicit and note that confining tag computation to client TEEs (or distributing ${\kappa }_t$ only to trusted clients) mitigates it in deployments that require strong server-verifiability even under client–server collusion.

On this basis, we define the block-level message space for tags as

$${\mathcal{M}}_{\mathrm{tag}}=\left\{\mathbf{z}\in {\mathbb{Z}}^D:{\parallel \mathbf{z}\parallel }_{\infty }\le B\right\},$$

for some bound $B>0$ that upper bounds the infinity norm of rounded, scaled blocks $\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil$ produced by Equation (3) and the clipping constraint $\parallel {\mathbf{v}}_{i,t}{\parallel }_2 \le S$. The LHT then induces an almost-linear MAC

$${\mathsf{Tag}}_{{\kappa }_t}:{\mathcal{M}}_{\mathrm{tag}}\to {\mathcal{T}}_{\mathrm{LHT}},{\mathsf{Tag}}_{{\kappa }_t}\left(\mathbf{z}\right)=\langle \mathbf{z},{\kappa }_t\rangle \mathrm{mod}p.$$

For each block b and client $C_i$, we set

$${\tau }_{i,t}^{\left(b\right)}={\mathsf{Tag}}_{{\kappa }_t}\left(\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil \right)=〈\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil ,{\kappa }_t〉\mathrm{mod}p.$$

(17)

For any finite subset of indices $J\subseteq {\mathcal{A}}_t$ and scalar weights ${\left\{{\tilde{\alpha }}_{j,t}\right\}}_{j\in J}\subseteq {\mathbb{Z}}_q$, we have the exact algebraic identity

$$\begin{array}{cc}\hfill T_{t,J}^{\left(b\right)}& :=\sum _{j\in J}{\tilde{\alpha }}_{j,t}{\tau }_{j,t}^{\left(b\right)}\mathrm{mod}p\hfill \\ & =\sum _{j\in J}{\tilde{\alpha }}_{j,t}〈\lfloor \Delta {\mathbf{a}}_{j,t}^{\left(b\right)}\rceil ,{\kappa }_t〉\mathrm{mod}p\hfill \\ & =〈\sum _{j\in J}{\tilde{\alpha }}_{j,t}\lfloor \Delta {\mathbf{a}}_{j,t}^{\left(b\right)}\rceil ,{\kappa }_t〉\mathrm{mod}p,\hfill \end{array}$$

(18)

which is the blockwise instantiation of Equation (10). In particular, define the aggregated encoded block

$${\mathbf{z}}_{t,J}^{\left(b\right)}:=\sum _{j\in J}{\tilde{\alpha }}_{j,t}\lfloor \Delta {\mathbf{a}}_{j,t}^{\left(b\right)}\rceil \in {\mathbb{Z}}^D.$$

Then $T_{t,J}^{\left(b\right)}={\mathsf{Tag}}_{{\kappa }_t}\left({\mathbf{z}}_{t,J}^{\left(b\right)}\right)$ exactly, as long as all operations are interpreted modulo p for the tag and modulo q for the encoding. When $J={\mathcal{A}}_t$, we recover the global aggregated tag $T_t^{\left(b\right)}$ used by the protocol.

Viewed as a MAC, the unforgeability of this LHT against an adversary not knowing ${\kappa }_t$ reduces to the hardness of guessing a non-trivial linear relation over ${\mathbb{Z}}_p$ on authenticated messages. More precisely, if an adversary outputs $({\mathbf{z}}^{\star },{\tau }^{\star })$ such that ${\mathbf{z}}^{\star }$ is not in the $\mathbb{Z}$-span of previously authenticated messages and ${\tau }^{\star }={\mathsf{Tag}}_{{\kappa }_t}\left({\mathbf{z}}^{\star }\right)$, then under the random choice of ${\kappa }_t$, the probability of success is at most $1/p$.

Lemma 1 

(LHT statistical hiding). Fix any $\mathbf{z}\in {\mathcal{M}}_{\mathrm{tag}}$ and sample $\kappa {\leftarrow }_R{\mathbb{Z}}_p^D$. Let $\tau =\langle \mathbf{z},\kappa \rangle$$\mathrm{mod}p$. If $\mathbf{z}\ne \mathbf{0}$ then τ is uniform over ${\mathbb{Z}}_p$; if $\mathbf{z}=\mathbf{0}$ then $\tau =0$. In particular, when ${\kappa }_t$ is hidden from $\mathsf{Srv}$, the tag does not leak the gradient norm or other distributional statistics beyond the degenerate event $\mathbf{z}=\mathbf{0}$.

4.3.2. FE-Based Cross-Checking of Aggregates

The LHT alone only ensures that tags are consistent with the sum of messages within the tag domain; it does not bind tags to the KS-IPFE ciphertexts. To couple tags to ciphertexts, we reuse the FE plaintext space and instantiate an additional FE key for the same vector ${\kappa }_t$.

Let ${\kappa }_t\in {\mathbb{Z}}_p^D$ be as above and let ${\overline{\kappa }}_t\in {\mathbb{Z}}_q^D$ denote its canonical embedding into ${\mathbb{Z}}_q^D$ (e.g., by interpreting ${\kappa }_t$ as integers in $[0,p)$ and viewing them modulo q). The KS-IPFE key generator computes

$$({\mathsf{sk}}_{{\overline{\kappa }}_t}^A,{\mathsf{sk}}_{{\overline{\kappa }}_t}^B)\leftarrow \mathsf{KeyGen}(\mathsf{msk},{\overline{\kappa }}_t),$$

with internal gadget expansion ${\tilde{\kappa }}_t=G_D^{\top }{\overline{\kappa }}_t$ as in Equation (12). These key shares are distributed to ${\mathsf{H}}_A$ and ${\mathsf{H}}_B$.

Given the aggregated ciphertext $({\mathbf{C}}_1^{\left(b\right)},{\mathbf{C}}_2^{\left(b\right)})$ for block b in round t as in Equation (14) (so $J={\mathcal{A}}_t$), helper ${\mathsf{H}}_{\circ }$ computes the decryption share for function vector ${\overline{\kappa }}_t$ as follows:

$${\sigma }_{{\kappa }_t}^{\circ }:=〈{\tilde{\kappa }}_t,{\mathbf{C}}_2^{\left(b\right)}〉-〈W_{{\kappa }_t}^{\circ },{\mathbf{C}}_1^{\left(b\right)}〉\mathrm{mod}q,$$

and transmits it to $\mathsf{Srv}$. By the correctness analysis in Equation (16), their sum

$$\begin{array}{cc}\hfill {\Sigma }_{{\kappa }_t}^{\left(b\right)}& :={\sigma }_{{\kappa }_t}^A+{\sigma }_{{\kappa }_t}^B\hfill \\ & \equiv 〈\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{\widehat{\mathbf{x}}}_{i,t}^{\left(b\right)},{\tilde{\kappa }}_t〉+〈E^{\top }\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{r}_i^{\left(b\right)},{\tilde{\kappa }}_t〉+\mathrm{noise}\left(\mathrm{mod}q\right),\hfill \end{array}$$

and after gadget inversion and rounding we have, with probability at least $1-2^{-\lambda }$,

$${\mathrm{dec}}_{{\kappa }_t}^{\left(b\right)}:=\mathsf{Round}\left({\Sigma }_{{\kappa }_t}^{\left(b\right)}\right)=〈\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)},{\overline{\kappa }}_t〉\mathrm{mod}q.$$

Since ${\mathbf{x}}_{i,t}^{\left(b\right)}=\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil \mathrm{mod}q$ and the magnitude of $\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil$ is bounded by B, the reduction modulo q is injective on the relevant range, enabling a well-defined lifting to $\mathbb{Z}$ as follows:

$${\tilde{z}}_t^{\left(b\right)}:=〈\sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil ,{\overline{\kappa }}_t〉\in \mathbb{Z},$$

with ${\mathrm{dec}}_{{\kappa }_t}^{\left(b\right)}$ representing ${\tilde{z}}_t^{\left(b\right)}\mathrm{mod}q$. We then project ${\mathrm{dec}}_{{\kappa }_t}^{\left(b\right)}$ into ${\mathbb{Z}}_p$ via the canonical map $\varphi :{\mathbb{Z}}_q\to {\mathbb{Z}}_p$ (e.g., reduction modulo p) to obtain

$${\tilde{T}}_t^{\left(b\right)}:=\varphi \left({\mathrm{dec}}_{{\kappa }_t}^{\left(b\right)}\right)\in {\mathbb{Z}}_p.$$

Under the consistency of parameters (specifically, p and q sufficiently large relative to B and the number of clients), we have

$${\tilde{T}}_t^{\left(b\right)}=T_t^{\left(b\right)}$$

with all but negligible probability. Hence the equality

$${\tilde{T}}_t^{\left(b\right)}\stackrel{?}{=}{T}_t^{\left(b\right)}$$

serves as a soundness check tying the FE-decrypted aggregate to the aggregated tags. Any deviation that changes ciphertext contents (e.g., adversarial modification by a client or by a compromised helper) while leaving client-generated tags untouched will, with high probability, violate this equality.

4.3.3. Commit-and-Prove for Clipping and Encoding

The consistency of tags and FE decryptions guarantees that the aggregator recovers a sum of certain integer vectors, but it does not by itself ensure that those integers arise from correctly clipped and scaled real-valued updates. To enforce semantic correctness of the encoding, each client engages in a commit-and-prove protocol.

Let $\mathbb{G}$ be a cyclic group of prime order p with generators $g,h\in \mathbb{G}$ such that the discrete logarithm ${\log }_g\left(h\right)$ is unknown. For a block index b, client $C_i$ defines a bit-decomposition of ${\mathbf{x}}_{i,t}^{\left(b\right)}=(x_{i,t,1}^{\left(b\right)},\dots ,x_{i,t,D}^{\left(b\right)})\in {\mathbb{Z}}_q^D$ into ${\mathcal{l}}_{\mathrm{enc}}$-bit chunks per coordinate (with ${\mathcal{l}}_{\mathrm{enc}}\approx {\log }_{2}q$), and commits to each coordinate using a Pedersen-style vector commitment as follows:

$$\mathsf{Com}({\mathbf{x}}_{i,t}^{\left(b\right)};r_{i,t}^{\left(b\right)})=g^{{\sum }_{j=1}^D{x}_{i,t,j}^{\left(b\right)}{\gamma }_j}{h}^{r_{i,t}^{\left(b\right)}}\in \mathbb{G},$$

where $({\gamma }_1,\dots ,{\gamma }_D)\in {\mathbb{Z}}_p^D$ are fixed, publicly known generators for the message space. The commitment is additively homomorphic as follows:

$$\prod _{i\in J}\mathsf{Com}{({\mathbf{x}}_{i,t}^{\left(b\right)};r_{i,t}^{\left(b\right)})}^{{\tilde{\alpha }}_{i,t}}=\mathsf{Com}\left(\sum _{i\in J}{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)};\sum _{i\in J}{\tilde{\alpha }}_{i,t}{r}_{i,t}^{\left(b\right)}\right),$$

for any index set J. This algebra exactly mirrors the linear aggregation in Equation (14) and the tag aggregation above.

Client $C_i$ supplies, for each round, a non-interactive zero-knowledge proof ${\pi }_{i,t}^{\left(b\right)}$ of the following composite statement:

• There exists ${\mathbf{v}}_{i,t}\in {\mathbb{R}}^d$ and randomness $r_{i,t}^{\left(1\right)},\dots ,r_{i,t}^{\left(B_t\right)}$ such that (a) $\parallel {\mathbf{v}}_{i,t}{\parallel }_2 \le S$, (b) the blocks ${\mathbf{a}}_{i,t}^{\left(b\right)}$ are consecutive slices of either ${\mathbf{v}}_{i,t}$ or $Q_b\left({\Phi }_t{\mathbf{v}}_{i,t}\right)$, and (c) for each b we have ${\mathbf{x}}_{i,t}^{\left(b\right)}=\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil \mathrm{mod}q$ and the corresponding commitment equals $\mathsf{Com}({\mathbf{x}}_{i,t}^{\left(b\right)};r_{i,t}^{\left(b\right)})$.

Such proofs can be realized using standard inner-product arguments and range proofs (e.g., Bulletproofs-style constructions) that express the clipping condition as a quadratic constraint on the coordinates and the encoding relation as a bounded difference between $\Delta {\mathbf{a}}_{i,t}^{\left(b\right)}$ and ${\mathbf{x}}_{i,t}^{\left(b\right)}$. Verification of ${\pi }_{i,t}^{\left(b\right)}$ is achieved by $\mathsf{Srv}$ before aggregation, but thanks to homomorphism, commitments may also be aggregated and verified in batch with auxiliary information provided by helpers after decryption.

4.3.4. Commutativity and Asymptotic Overheads

Summarizing the algebraic structure, for each block b and round t we have three parallel linear maps as follows:

$${\mathcal{L}}_{\mathrm{FE}}:{\left\{{\mathbf{x}}_{i,t}^{\left(b\right)}\right\}}_{i\in {\mathcal{A}}_t}\mapsto \sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)},$$

$${\mathcal{L}}_{\mathrm{tag}}:{\left\{\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil \right\}}_{i\in {\mathcal{A}}_t}\mapsto \sum _{i\in {\mathcal{A}}_t}{\tilde{\alpha }}_{i,t}{\tau }_{i,t}^{\left(b\right)},$$

$${\mathcal{L}}_{\mathrm{com}}:{\left\{\mathsf{Com}({\mathbf{x}}_{i,t}^{\left(b\right)};r_{i,t}^{\left(b\right)})\right\}}_{i\in {\mathcal{A}}_t}\mapsto \prod _{i\in {\mathcal{A}}_t}\mathsf{Com}{({\mathbf{x}}_{i,t}^{\left(b\right)};r_{i,t}^{\left(b\right)})}^{{\tilde{\alpha }}_{i,t}}.$$

Each of these maps is $\mathbb{Z}$-linear in the sense that the image of the aggregated objects is equal to the aggregation of the images. Consequently, the following diagram commutes (up to negligible decryption error and modulo reductions):

$$\begin{array}{ccc}{\left\{{\mathbf{a}}_{i,t}^{\left(b\right)}\right\}}_i& \stackrel{\mathrm{encode}+\mathrm{encrypt}}{\to }& {\left\{({\mathbf{c}}_{1,i}^{\left(b\right)},{\mathbf{c}}_{2,i}^{\left(b\right)})\right\}}_i\\ \downarrow {\mathcal{L}}_{\mathrm{tag}}& & \downarrow {\mathcal{L}}_{\mathrm{FE}}\\ T_t^{\left(b\right)}& \stackrel{\mathrm{FE}-\mathrm{decrypt}\mathrm{under}{\kappa }_t}{\leftarrow }& {\sum }_i{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)}.\end{array}$$

A similar commuting diagram holds for commitments. Our commuting checks enforce that each accepted ciphertext/tag/commitment tuple is well-formed and that the server’s decrypted output equals the linear aggregate of the submitted (bounded, encoded) client updates. This provides an auditable enforcement point for bounded-energy (e.g., clipped) updates, but it does not, by itself, prevent within-bound model-poisoning attacks. In practice, monitoring can be done via (i) per-round rejection/abort rates from failed checks, (ii) aggregate statistics that are safe to reveal (e.g., the number of clipped updates, which can be reported by clients as a single bit), and (iii) standard training diagnostics (loss/accuracy curves) to flag anomalous rounds; robust aggregation or anomaly detection can be layered on top without changing the cryptographic core. This commutativity is the main reason the verification overhead scales with the number of blocks and not with the number of clients: $\mathsf{Srv}$ can aggregate ciphertexts, tags, and commitments using the same coefficients and rely on a constant number of FE decryptions and aggregate-proof verifications per block.

From an asymptotic viewpoint, if $B_t$ denotes the number of blocks per client in round t and F the number of distinct function vectors used for verification (coordinate basis plus ${\kappa }_t$ and possibly a small number of additional selectors), then:

• The number of FE decryptions per round is $O\left(F{B}_t\right)$, independent of $|{\mathcal{A}}_t|$.
• The number of scalar LHT evaluations per client is $O\left(B_{t}D\right)$, and the communication cost of tags is $O\left(B_t\log p\right)$ bits.
• The size of commitments and their proofs grows as $O\left(B_t\log q\right)$ group elements per client, which is dominated by the KS-IPFE ciphertexts for typical parameter regimes.

Section 5 confirms empirically that, under realistic choices of D, $B_t$, p, and q, the verifiability layer adds only a low single-digit percentage to overall runtime and communication while significantly strengthening the integrity guarantees of FlowAgg-FE.

4.4. PaS-Stream: Rate-Adaptive Streaming Without Accuracy Bias

PaS-Stream instantiates a rate-adaptive transmission layer that composes Johnson–Lindenstrauss sketching, stochastic quantization, and KS-IPFE encryption into a single linear operator acting on client updates. Its design is such that (i) the estimator of the target aggregate ${\mathbf{G}}_t$ remains unbiased in the sense of Equation (8), (ii) the variance introduced by quantization is explicitly controlled, and (iii) partial receipt of blocks and client dropouts manifest as structured linear perturbations rather than protocol failures.

We consider a per-round sketching dimension k (either fixed or adapted over time) and a public sketching matrix ${\Phi }_t\in {\mathbb{R}}^{k\times d}$. For concreteness, one may view ${\Phi }_t$ as a subsampled randomized orthonormal transform with entries in $\{\pm 1/\sqrt{k}\}$, as in Equation (7), although the analysis below only requires a Johnson–Lindenstrauss-type concentration property. Let $Q_b:\mathbb{R}\to {\mathcal{A}}_b$ be a stochastic quantizer with $2^b$ output levels satisfying

$$\mathbb{E}[Q_b\left(z\right)\mid z]=z,\mathbb{V}[Q_b\left(z\right)\mid z]\le {\sigma }_b^2$$

for all $z\in \mathbb{R}$, where ${\sigma }_b^2=O\left(2^{-2b}\right)$ is a variance parameter. We lift $Q_b$ to act componentwise on vectors.

Client pipeline (round t). For each client $C_i\in {\mathcal{A}}_t$, define the linear compression operator

$${\mathcal{C}}_t:{\mathbb{R}}^d\to {\mathbb{R}}^k,{\mathcal{C}}_t\left(\mathbf{v}\right):={\Phi }_t\mathbf{v}.$$

Client $C_i$ first computes its clipped gradient ${\mathbf{v}}_{i,t}$ according to Equation (1) and then its sketch

$${\mathbf{s}}_{i,t}:={\mathcal{C}}_t\left({\mathbf{v}}_{i,t}\right)={\Phi }_t{\mathbf{v}}_{i,t}\in {\mathbb{R}}^k.$$

Next, it applies $Q_b$ to obtain a random quantized sketch

$${\mathbf{u}}_{i,t}:=Q_b\left({\mathbf{s}}_{i,t}\right)\in {\mathcal{A}}_b^k$$

with the property that $\mathbb{E}[{\mathbf{u}}_{i,t}\mid {\mathbf{s}}_{i,t}]={\mathbf{s}}_{i,t}$ and $\mathbb{V}[{\mathbf{u}}_{i,t}\mid {\mathbf{s}}_{i,t}]⪯{\sigma }_b^2{\mathbf{I}}_k$. Combining this with Equations (2) and (8), we have

$$\mathbb{E}\left[\sum _{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\mathbf{u}}_{i,t}|{\left\{{\mathbf{v}}_{i,t}\right\}}_i\right]={\Phi }_t\sum _{i\in {\mathcal{A}}_t}{\alpha }_{i,t}{\mathbf{v}}_{i,t}={\Phi }_t{\mathbf{G}}_t,$$

so the compressed aggregate is an unbiased estimator of the sketched target ${\Phi }_t{\mathbf{G}}_t$. We now partition the k-dimensional vector ${\mathbf{u}}_{i,t}$ into $B_t:=\lceil k/D\rceil$ contiguous blocks via a family of deterministic selection matrices ${\{P^{\left(b\right)}\in {\{0,1\}}^{D\times k}\}}_{b=1}^{B_t}$, each extracting D coordinates

$${\mathbf{u}}_{i,t}^{\left(b\right)}:=P^{\left(b\right)}{\mathbf{u}}_{i,t}\in {\mathbb{R}}^D,{\mathbf{s}}_{i,t}^{\left(b\right)}:=P^{\left(b\right)}{\mathbf{s}}_{i,t},\forall b\in \left[B_t\right].$$

By construction, ${\sum }_b{\left(P^{\left(b\right)}\right)}^{\top }{P}^{\left(b\right)}$ is the $k\times k$ identity, and thus ${\mathbf{u}}_{i,t}={\sum }_b{\left(P^{\left(b\right)}\right)}^{\top }{\mathbf{u}}_{i,t}^{\left(b\right)}$. We write ${\mathbf{a}}_{i,t}^{\left(b\right)}:={\mathbf{u}}_{i,t}^{\left(b\right)}$ to emphasize that this is the real-valued payload block for KS-IPFE and the tag layer.

Each block ${\mathbf{a}}_{i,t}^{\left(b\right)}$ is then encoded into an integer vector and packed using the KS-IPFE plaintext map as follows:

$${\mathbf{x}}_{i,t}^{\left(b\right)}:=\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil \mathrm{mod}q\in {\mathbb{Z}}_q^D,{\widehat{\mathbf{x}}}_{i,t}^{\left(b\right)}:=G_D{\mathbf{x}}_{i,t}^{\left(b\right)}\in {\mathbb{Z}}_q^{D{\mathcal{l}}_g},$$

and encrypted into a block ciphertext $({\mathbf{c}}_{1,i}^{\left(b\right)},{\mathbf{c}}_{2,i}^{\left(b\right)})$ according to Equation (13). In parallel, $C_i$ computes the linearly homomorphic tag

$${\tau }_{i,t}^{\left(b\right)}=〈\lfloor \Delta {\mathbf{a}}_{i,t}^{\left(b\right)}\rceil ,{\kappa }_t〉\mathrm{mod}p$$

and then produces the clipping/encoding proof for this block. Each triple

$$\left(n_{i,t}^{\left(b\right)},c{t}_{i,t}^{\left(b\right)},{\tau }_{i,t}^{\left(b\right)},{\pi }_{i,t}^{\left(b\right)}\right)$$

consists of a monotone nonce $n_{i,t}^{\left(b\right)}\in {\mathbb{Z}}_{\ge 0}$ (e.g., $(t,b)$ encoded as a single integer), the ciphertext $c{t}_{i,t}^{\left(b\right)}$, tag, and proof. These are streamed to $\mathsf{Srv}$ in non-decreasing order of $n_{i,t}^{\left(b\right)}$, and the nonce is bound into $c{t}_{i,t}^{\left(b\right)}$ (e.g., by hashing it into the LWE randomness) to prevent replay or reordering attacks. To validate $n_{i,t}^{\left(b\right)}$ at scale, $\mathsf{Srv}$ only stores, for each active client $i\in {\mathcal{A}}_t$, the largest accepted nonce (or equivalently the next expected block index). This is $O\left(\right|{\mathcal{A}}_t\left|\right)$ counters and can be garbage-collected at round end since nonces are round-scoped; e.g., ${10}^4$ active clients require $\approx 8\times {10}^4$ bytes for 64-bit counters. If $n_{i,t}^{\left(b\right)}$ is deterministically encoded as $(t,b)$, the check reduces to duplicate suppression and does not require long-term per-client history.

Server/helpers pipeline and rate adaptation. Upon receiving any subset of block messages from clients, the aggregator maintains, for each block index b, an active index set

$${\mathcal{I}}_t^{\left(b\right)}\subseteq {\mathcal{A}}_t$$

consisting of clients whose block-b ciphertexts have arrived and passed basic syntactic checks (including proof verification). For that block, it computes the aggregated ciphertext and tag

$${\mathbf{C}}_1^{\left(b\right)}:=\sum _{i\in {\mathcal{I}}_t^{\left(b\right)}}{\tilde{\alpha }}_{i,t}{\mathbf{c}}_{1,i}^{\left(b\right)},{\mathbf{C}}_2^{\left(b\right)}:=\sum _{i\in {\mathcal{I}}_t^{\left(b\right)}}{\tilde{\alpha }}_{i,t}{\mathbf{c}}_{2,i}^{\left(b\right)},$$

(19)

$$T_t^{\left(b\right)}:=\sum _{i\in {\mathcal{I}}_t^{\left(b\right)}}{\tilde{\alpha }}_{i,t}{\tau }_{i,t}^{\left(b\right)}\mathrm{mod}p.$$

Note that ${\mathcal{I}}_t^{\left(b\right)}$ can vary across blocks: a client may send early blocks promptly but drop out before later blocks. Let $\theta \in (0,1]$ be a target coverage parameter; $\mathsf{Srv}$ may decide to close block b once $|{\mathcal{I}}_t^{\left(b\right)}| \ge \theta |{\mathcal{A}}_t|$, discarding any later-arriving contributions to that block. This is the locus of rate adaptation: smaller $\theta$ accelerates progress at the cost of using fewer client contributions per block. Closing blocks early can correlate contribution with device speed: if slower clients systematically belong to underrepresented groups (a common concern in non-IID settings such as FEMNIST), their effective weight in the aggregate may be reduced. Our sketching and quantization remain unbiased conditional on the received set ${\mathcal{I}}_t^{\left(b\right)}$, but unbiasedness alone does not guarantee population- or device-level fairness [34,35]. As simple mitigations, one may (i) track each client’s effective participation over time and compensate in ${\alpha }_{i,t}$, and/or (ii) periodically run full-coverage rounds ($\theta =1$) to reduce drift.

For each closed block b, the pair $({\mathbf{C}}_1^{\left(b\right)},{\mathbf{C}}_2^{\left(b\right)})$ is forwarded to both helpers, who evaluate it under KS-IPFE function keys for the standard basis vectors ${\mathbf{e}}_1,\dots ,{\mathbf{e}}_D$ and the tag selector ${\kappa }_t$. Using Equation (15), helpers produce shares

$${\sigma }_j^{\circ ,\left(b\right)}:=\mathsf{DecShare}({\mathsf{sk}}_{{\mathbf{e}}_j}^{\circ },{\mathbf{C}}_1^{\left(b\right)},{\mathbf{C}}_2^{\left(b\right)}),{\sigma }_{{\kappa }_t}^{\circ ,\left(b\right)}:=\mathsf{DecShare}({\mathsf{sk}}_{{\overline{\kappa }}_t}^{\circ },{\mathbf{C}}_1^{\left(b\right)},{\mathbf{C}}_2^{\left(b\right)}),$$

for $\circ \in \{A,B\}$, $j\in \left[D\right]$. Aggregating shares and rounding as in Equation (16) yields, with overwhelming probability

$$z_{j,t}^{\left(b\right)}:=\mathsf{Round}({\sigma }_j^{A,\left(b\right)}+{\sigma }_j^{B,\left(b\right)})=〈\sum _{i\in {\mathcal{I}}_t^{\left(b\right)}}{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)},{\mathbf{e}}_j〉,$$

so that

$${\mathbf{z}}_t^{\left(b\right)}:={(z_{1,t}^{\left(b\right)},\dots ,z_{D,t}^{\left(b\right)})}^{\top }=\sum _{i\in {\mathcal{I}}_t^{\left(b\right)}}{\tilde{\alpha }}_{i,t}{\mathbf{x}}_{i,t}^{\left(b\right)}\in {\mathbb{Z}}_q^D.$$

Dividing by $\Delta$ and undoing the fixed-point encoding recovers

$${\widehat{\mathbf{u}}}_t^{\left(b\right)}:={\Delta }^{-1}{\mathbf{z}}_t^{\left(b\right)}\approx \sum _{i\in {\mathcal{I}}_t^{\left(b\right)}}{\alpha }_{i,t}{\mathbf{u}}_{i,t}^{\left(b\right)},$$

where the approximation error is due only to rounding in Equation (3). In parallel, the tag decryption under ${\kappa }_t$ produces ${\tilde{T}}_t^{\left(b\right)}$, which is checked against $T_t^{\left(b\right)}$ as in the previous subsection, ensuring consistency between ciphertext aggregates and tags.

Stacking all blocks, we define the recovered sketched aggregate as

$${\widehat{\mathbf{U}}}_t:=\sum _{b=1}^{B_t}{\left(P^{\left(b\right)}\right)}^{\top }{\widehat{\mathbf{u}}}_t^{\left(b\right)}\in {\mathbb{R}}^k.$$

(20)

By linearity of $P^{\left(b\right)}$ and the unbiasedness of ${\mathbf{u}}_{i,t}$, conditioning on the sets ${\left\{{\mathcal{I}}_t^{\left(b\right)}\right\}}_b$ we obtain

$$\begin{array}{cc}\hfill \mathbb{E}\left[{\widehat{\mathbf{U}}}_t\mid {\left\{{\mathbf{v}}_{i,t}\right\}}_i,{\left\{{\mathcal{I}}_t^{\left(b\right)}\right\}}_b\right]& =\sum _b{\left(P^{\left(b\right)}\right)}^{\top }\sum _{i\in {\mathcal{I}}_t^{\left(b\right)}}{\alpha }_{i,t}\mathbb{E}[{\mathbf{u}}_{i,t}^{\left(b\right)}\mid {\mathbf{v}}_{i,t}]\hfill \\ & =\sum _b{\left(P^{\left(b\right)}\right)}^{\top }\sum _{i\in {\mathcal{I}}_t^{\left(b\right)}}{\alpha }_{i,t}{\mathbf{s}}_{i,t}^{\left(b\right)}\hfill \\ & =\sum _i{\alpha }_{i,t}\sum _{b:i\in {\mathcal{I}}_t^{\left(b\right)}}{\left(P^{\left(b\right)}\right)}^{\top }{\mathbf{s}}_{i,t}^{\left(b\right)}.\hfill \end{array}$$

When all blocks are received, ${\mathcal{I}}_t^{\left(b\right)}={\mathcal{A}}_t$ for all b, and the last expression collapses to ${\Phi }_t{\mathbf{G}}_t$ by ${\sum }_b{\left(P^{\left(b\right)}\right)}^{\top }{P}^{\left(b\right)}=I_k$. Under rate adaptation (i.e., some ${\mathcal{I}}_t^{\left(b\right)}⊊{\mathcal{A}}_t$), the expectation equals ${\Phi }_t$ applied to a truncated aggregate in which each coordinate receives contributions only from those clients whose corresponding block arrived before closure. This aligns with the FL semantics where the effective aggregation set is the subset of clients that succeed in uploading their updates before the round deadline. Finally, the model update is computed from ${\widehat{\mathbf{U}}}_t$ via a pseudo-inverse of the sketch

$${\widehat{\mathbf{G}}}_t:={\Phi }_t^{\top }{\widehat{\mathbf{U}}}_t/\Delta ,$$

which is the estimator used in Section 5. In the idealized full-participation regime, $\mathbb{E}[{\widehat{\mathbf{G}}}_t\mid \left\{{\mathbf{v}}_{i,t}\right\}]$ = ${\Phi }_t^{\top }{\Phi }_t{\mathbf{G}}_t$, which reduces to ${\mathbf{G}}_t$ when ${\Phi }_t$ has orthonormal rows; in the non-ideal regime, ${\Phi }_t^{\top }$ acts as a linear reconstruction operator for the partially observed sketch. Because decryptions and verifications occur blockwise, the server can begin updating coordinates associated with blocks that have already been closed and validated, while late blocks continue to stream, thereby tolerating both dropouts and heavy-tailed straggler behavior without violating the FE-based confidentiality guarantees.

5. Experiments

We empirically evaluate FlowAgg-FE—our KS-IPFE with PaS-Stream—on cross-device federated learning. Experiments target three questions: (i) Does FE-based transmission preserve model quality relative to plaintext and encrypted secure aggregation? (ii) What communication and compute savings are achieved? (iii) How robust is the system to client dropout and stragglers? All notation follows Section 3 and Section 4: clients compute clipped updates ${\mathbf{v}}_{i,t}$ (Equation (1)), the server seeks only the linear aggregate ${\mathbf{G}}_t$ (Equation (2)), and PaS-Stream uses ${\Phi }_t$-sketching and unbiased quantization $Q_b$ (Equations (7) and (8)) before KS-IPFE encryption.

5.1. Setup

We empirically evaluate FlowAgg-FE in a simulated cross-device federated learning environment that captures three interacting dimensions: (i) the statistical properties of the data distribution across clients, (ii) the training hyperparameters and model architectures, and (iii) the cryptographic and systems configuration of KS-IPFE and PaS-Stream. All experiments follow the notation of Section 3 and Section 4: each participating client $C_i\in {\mathcal{A}}_t$ produces a clipped update ${\mathbf{v}}_{i,t}$ (Equation (1)), the aggregator is interested only in the linear functional ${\mathbf{G}}_t$ (Equation (2)), and PaS-Stream applies ${\Phi }_t$-sketching and unbiased quantization $Q_b$ (Equations (7) and (8)) before KS-IPFE encryption. This subsection details the learning tasks, partitioning strategies, cryptographic parameters, and system environment used throughout the evaluation.

Tasks, models, and data partitioning. We consider two canonical FL tasks representative of vision and character recognition workloads:

• CIFAR-10 [36]. A standard 10-class image classification task on $32\times 32$ color images with $\mathrm{50,000}$ training and $\mathrm{10,000}$ test examples. We employ a ResNet-18 backbone with $d\approx 11.2$ M trainable parameters. The data is partitioned across $n=1000$ virtual clients according to a Dirichlet distribution with concentration ${\alpha }_{\mathrm{CIFAR}}=0.5$ over class labels, producing a moderately non-IID distribution in which clients see a biased subset of classes. In each round we sample $|{\mathcal{A}}_t| =100$ clients uniformly without replacement and perform $E=1$ local epoch per client, for $T=100$ global rounds.
• FEMNIST [37]. A character recognition task derived from the Extended MNIST dataset, partitioned by the authors. We use a small convolutional neural network (two convolutional layers followed by two fully connected layers) with $d\approx 1.5$ M parameters. The dataset is partitioned across $n=3400$ clients (writers), each holding between 20 and 200 images; we model this using a Dirichlet distribution with ${\alpha }_{\mathrm{FEMNIST}}=0.3$ to accentuate heterogeneity. Each round samples $|{\mathcal{A}}_t| =256$ clients, with $E=1$ local epoch and $T=120$ global rounds.

Unless otherwise specified, all baselines (Plaintext-FedAvg, Encrypted SecAgg, KS-IPFE, and PaS-Stream) use identical optimization hyperparameters (learning rate schedule, momentum, weight decay, and clipping threshold S) and client participation patterns. Initial model weights are shared across methods and each configuration is repeated with three random seeds (affecting client sampling, data shuffling, and cryptographic noise) to report mean performance. We additionally include two recent secure aggregation baselines, SecAgg+ and BatchCrypt, to contextualize FlowAgg-FE against modern encrypted aggregation protocols under the same participation/latency model. Although we report end-to-end training on CIFAR-10 and FEMNIST for reproducibility, FlowAgg-FE’s cryptographic payload and helper work scale with the sketch dimension k (and block size D), not directly with the raw model dimension d. In particular, per-client encrypted uplink is $\Theta \left(k\right)$ (split into $B_t\approx k/D$ fixed-size blocks), so the same configuration can support models with millions of parameters provided an appropriate k is chosen.

Table 1. Federated task configuration. “Non-IID skew” refers to the Dirichlet concentration parameter $\alpha$ used to draw client label distributions; smaller $\alpha$ implies stronger heterogeneity. E is the number of local epochs per round.

Task	Model	n	$|{\mathcal{A}}_{\mathit{t}}|$	T	E	Non-IID Skew $\mathit{\alpha }$
CIFAR-10	ResNet-18	1000	100	100	1	0.5
FEMNIST	CNN (small)	3400	256	120	1	0.3

summarizes the federated task configuration, highlighting the interaction between data partitioning and participation. The secure aggregation baselines (

Table 2. Secure aggregation baselines (protocol configuration).

Protocol	Trust/Collusion Assumption	Dropout Handling
Encrypted SecAgg	Server does not learn individual updates	Designed for client dropouts
SecAgg+	Same goal as SecAgg; improved practicality	Designed for client dropouts
BatchCrypt	Secure aggregation via batching/crypto	Depends on protocol instantiation

) run on the same tasks and inherit the configuration parameters $(n,|{\mathcal{A}}_t|,T,E,\alpha )$ from Table 1.

Figure 1 visualizes the resulting distribution of per-client dataset sizes under this sampling procedure. The heavy right tails for both tasks reflect the presence of a small number of “heavy” clients, which interact non-trivially with PaS-Stream’s rate-adaptive behavior and dropout robustness.

Cryptographic and streaming parameters. All experiments use a single family of LWE and gadget parameters for KS-IPFE, and a fixed sketching dimension for PaS-Stream unless explicitly varied in ablations. The default cryptographic parameters are as follows:

• Modulus $q=2^{32}$, LWE dimension $n_{\mathcal{l}}=1024$, additive noise distributions $\chi ,{\chi }^{\prime }$ with small standard deviations selected to satisfy Equation (6) for up to $|{\mathcal{A}}_t|$ active clients,
• Gadget base 2 with ${\mathcal{l}}_g=16$ digits per coordinate and block size $D=64$ so that each plaintext block encodes 64 scaled coordinates,
• Scaling factor $\Delta =2^{16}$ satisfying $\Delta S\ll q/8$ to avoid wrap-around on clipped updates.

For PaS-Stream, we set the sketch dimension $k=8192$ and the quantization bit-width $b\in \{8,4\}$; the resulting compression operator ${\Phi }_t\in {\{\pm 1/\sqrt{k}\}}^{k\times d}$ is resampled every 10 rounds to mitigate potential adversarial alignment between the sketch and the data distribution. We use a 10-round rotation as a conservative balance between privacy (limiting long-term alignment/linkability of a fixed sketch) and optimizer stability (keeping the compression operator fixed long enough for momentum/error-feedback to adapt). We add a rotation-period sensitivity study in Section 5.3. The target coverage parameter for block closure in rate adaptation is $\theta =0.7$ unless otherwise specified, meaning that a block is sealed once at least $70\%$ of scheduled clients have successfully uploaded that block.

Table 3. Cryptographic and streaming parameters used by KS-IPFE and PaS-Stream. Latency parameters describe the synthetic client latency model used to drive rate-adaptive behavior.

Parameter	Value	Description
q	$2^{32}$	LWE modulus
$n_{\mathcal{l}}$	1024	LWE dimension
${\mathcal{l}}_g$	16	gadget digits per coordinate
D	64	block length (plaintext coordinates)
$\Delta$	$2^{16}$	scaling factor for Equation (3)
k	8192	sketch dimension (PaS-Stream)
b	8 or 4	quantization bit-width
$\theta$	$0.7$	minimum block coverage fraction
Latency shape	$1.2$	Pareto shape for client latency
Latency scale	$1.0$ s	Pareto scale (minimum latency)

summarizes the main cryptographic and streaming parameters, and Figure 2 depicts the simulated latency distribution used to emulate straggler behavior.

System environment. Experiments are executed on a cluster with two non-colluding helper processes and one aggregator process. Each helper runs on a 32-core 3.0 GHz CPU with 128 GB of RAM; the aggregator runs on a similar machine. The FL orchestration uses asynchronous RPC between clients and server, with simulated client processes replaying latency samples drawn from a Pareto distribution with shape parameter $1.2$ and scale $1.0$ s. The number of simulated clients ($n\in \{1000,3400\}$) exceeds the per-round participation $|{\mathcal{A}}_t|$, so that each round includes a fresh random subset of clients.

Figure 2 shows the empirical cumulative distribution function (CDF) of simulated client latencies. The heavy tail implies that a non-trivial fraction of clients are extreme stragglers, providing a realistic stress test for PaS-Stream’s ability to make progress with partial block coverage.

5.2. Main Results

We now compare FlowAgg-FE against the plaintext and encrypted secure aggregation baselines along three axes: final model quality, per-round communication cost, and per-round server-side compute. All experiments in this subsection use the setup of Section 5.1 with the default cryptographic and streaming parameters in Table 3. For readability, we focus on CIFAR-10 and FEMNIST; In addition to classic Encrypted SecAgg, we include SecAgg+ and BatchCrypt as modern encrypted baselines (

Table 4. Final test accuracy (%) after 100 rounds (CIFAR-10) and 120 rounds (FEMNIST); mean over 3 seeds. $\Delta$Acc is the absolute difference to Plaintext-FedAvg.

Method	CIFAR-10	$\Delta$Acc (CIFAR)	FEMNIST	$\Delta$Acc (FEMNIST)
Plaintext-FedAvg	91.7	0.0	86.9	0.0
Encrypted SecAgg	91.7	0.0	86.9	0.0
KS-IPFE (full-precision)	91.6	−0.1	86.8	−0.1
PaS-Stream ($b=8$)	91.5	−0.2	86.8	−0.1
PaS-Stream ($b=4$)	91.4	−0.3	86.7	−0.2

and

Table 5. Per-round efficiency on CIFAR-10 (mean over rounds). Uplink is measured per client per round; CPU time is the total server-side time (aggregator + helpers) per round. The rightmost columns report multiplicative reductions relative to Encrypted SecAgg.

Method	Uplink (MB)	CPU (s/Round)	Uplink Reduction	CPU Reduction
Encrypted SecAgg	2.80	62.0	1.00×	1.00×
KS-IPFE (full-precision)	1.47	38.5	1.90×	1.61×
PaS-Stream ($b=8$)	1.12	36.0	2.50×	1.72×
PaS-Stream ($b=4$)	0.82	35.1	3.41×	1.77×

). additional ablation results are deferred to the next subsection.

Accuracy. Table 4 reports final test accuracy after $T=100$ rounds on CIFAR-10 and $T=120$ rounds on FEMNIST, averaged over three random seeds. We observe that all secure methods match the plaintext baseline to within $0.3\%$ absolute on both tasks. In particular, KS-IPFE in full-precision mode is almost indistinguishable from Encrypted SecAgg, while PaS-Stream with $b=8$ and $b=4$ introduces only minor degradation consistent with the unbiasedness guarantee of Equation (8) and the controlled variance of $Q_b$.

The small accuracy gaps between PaS-Stream and Plaintext-FedAvg can be attributed to two effects: (i) the additional variance introduced by $Q_b$, which effectively adds a small amount of noise to each coordinate of the sketched gradient, and (ii) the use of a finite sketch dimension $k=8192$, which slightly distorts the geometry of the gradient space relative to the full d-dimensional model. In practice, these effects are dominated by the inherent noise of stochastic optimization, and the models converge to essentially the same generalization performance.

To corroborate the small gaps in Table 4, we include round-by-round convergence curves in Figure 3 and verified that all baselines share the same optimizer, data pipeline, and participation schedule.

Communication and computation. We next quantify the per-round per-client uplink and the server-side CPU time. Uplink reflects the serialized size (in megabytes) of all messages sent by a client to the server in a given round, including KS-IPFE ciphertexts, tags, and proofs; CPU time aggregates the wall-clock time spent by the aggregator and both helpers. Table 5 summarizes these metrics on CIFAR-10, and Figure 4 and Figure 5 visualize the same data. While Table 5 and

Table 6. CIFAR-10 ablation over sketch dimension k and quantization depth b. Accuracy is final test accuracy (%) after 100 rounds; uplink is per-client per-round communication; CPU is server-side time per round.

Method	$(\mathit{k},\mathit{b})$	Accuracy (%)	Uplink (MB)	CPU (s/Round)
KS-IPFE (full-precision)	–	91.6	1.47	38.5
PaS-Stream	(16,384, 8)	91.6	1.42	37.9
PaS-Stream	$(8192,8)$	91.5	1.12	36.0
PaS-Stream	$(8192,4)$	91.4	0.82	35.1
PaS-Stream	$(4096,8)$	91.2	0.78	34.6
PaS-Stream	$(4096,4)$	91.0	0.60	34.2

report uplink and server CPU, client-side encryption cost is also important in cross-device FL.

In addition to communication and server CPU, we provide an explicit accounting of helper-side storage/latency and key-management overhead (computed from Table 3, reported in

Table 7. Analytical overhead beyond uplink and server CPU (using Table 3).

Quantity	Scaling	Example at Default Params
Split key share size (per function, per helper)	$m+D{\mathcal{l}}_g$ words	3072 words $\approx 12$ KB
Helper key storage (basis $\left\{{\mathbf{e}}_j\right\}$)	$D(m+D{\mathcal{l}}_g)$ words	$64\times 12$ KB $\approx 0.77$ MB
Helper ephemeral key refresh (e.g., ${\overline{\kappa }}_t$)	$m+D{\mathcal{l}}_g$ words/round	≈12 KB per helper
Helper compute (per block)	$(D+1)(m+D{\mathcal{l}}_g)$ mul-adds	≈$2.0\times {10}^5$
Server nonce state	$O\left(\right|{\mathcal{A}}_t\left|\right)$ counters	negligible vs. ciphertext buffers

). With $q=2^{32}$ (4 bytes/word), $D=64$, ${\mathcal{l}}_g=16$ ($D{\mathcal{l}}_g=1024$), and $m=2048$, one split function key share has $(m+D{\mathcal{l}}_g)=3072$ words (≈12 KB). Thus, storing the D basis shares for block decryption costs $\approx 0.77$ MB per helper, and per-round refresh material (e.g., for ${\kappa }_t$) is only ≈12 KB per helper. Per block, each helper evaluates $(D+1)$ decryption shares, i.e., about $(D+1)(m+D{\mathcal{l}}_g)\approx 2.0\times {10}^5$ modular multiply-adds, and the server-side nonce state is $O\left(\right|{\mathcal{A}}_t\left|\right)$ counters.

KS-IPFE already cuts uplink roughly in half compared to Encrypted SecAgg, even though it operates in full precision without sketching. This is largely due to (i) more efficient packing of plaintext coordinates into KS-IPFE blocks and (ii) avoiding some of the malleability-resistant padding required by the SecAgg pipeline. When PaS-Stream is enabled, the sketching dimension k and the quantization depth b further reduce the size of each client’s encoded update, yielding $2.5\times$ (8-bit) and $3.4\times$ (4-bit) reductions in uplink. On the compute side, FlowAgg-FE reduces helper and aggregator workload by lowering the number of effective plaintext coordinates that must be processed per round; PaS-Stream with $b=4$ achieves a $1.77\times$ reduction in CPU time relative to Encrypted SecAgg while preserving accuracy within $0.3\%$.

Figure 4 and Figure 5 display these results as grouped bar charts. Each bar corresponds to one of the four methods; the shading encodes the method as described in the caption, and numerical values are shown atop each bar for reference.

Overall, these results show that the combination of KS-IPFE and PaS-Stream achieves near-plaintext accuracy while significantly reducing both bandwidth and compute relative to a strong secure aggregation baseline. The gains arise from co-design across cryptography (functional encryption tailored to linear aggregation) and systems (sketching, quantization, and streaming), rather than from any single optimization in isolation. We also use a 10-round rotation as a conservative balance between privacy (limiting long-term alignment/linkability of a fixed sketch) and optimizer stability (keeping the compression operator fixed long enough for momentum/error-feedback to adapt).

5.3. Ablations and Stress Tests

We now probe the behavior of FlowAgg-FE under variations in quantization/sketch parameters and under adversarial systems conditions such as client dropout and heavy-tailed latencies. All experiments in this subsection are conducted on CIFAR-10 unless otherwise specified; FEMNIST exhibits qualitatively similar trends and is omitted for brevity. We focus on four questions: (i) how sensitive is model quality to the sketch dimension k and quantization depth b; (ii) how much communication is saved by more aggressive compression; (iii) how robust is PaS-Stream to random dropouts; and (iv) what overhead is induced by the verifiability layer under straggler-heavy latency distributions.

Quantization depth and sketch dimension. Recall that PaS-Stream applies a linear sketch ${\Phi }_t\in {\mathbb{R}}^{k\times d}$ to each clipped client gradient and then applies a stochastic quantizer $Q_b$ with bit-depth b. From Equation (8), the aggregated sketched update remains an unbiased estimator of ${\Phi }_t{\mathbf{G}}_t$, while the variance introduced by quantization scales as ${\sigma }_b^2=O\left(2^{-2b}\right)$ per coordinate. The sketch dimension k controls the Johnson–Lindenstrauss distortion and the amount of information preserved about the gradient direction.

Table 6 reports an ablation over $(k,b)$, showing accuracy, uplink, and server CPU time on CIFAR-10. The “PaS-Stream” rows differ only in their compression parameters; all other aspects of the protocol are identical.

Moving from $(k,b)=$ (16,384, 8) to $(8192,8)$ yields a $1.27\times$ reduction in uplink with negligible impact on accuracy, while $(8192,4)$ further reduces uplink by $1.37\times$ and only degrades accuracy by $0.2$ percentage points. At $k=4096$, the sketch becomes more aggressive: the uplink drops to $0.60$ MB per client per round at $b=4$, but the accuracy falls to $91.0\%$, a $0.7\%$ drop relative to the plaintext baseline. In practice, $(k,b)=(8192,4)$ appears to strike a favorable balance between compression and model quality.

Figure 6 visualizes the trade-off between compression and accuracy. The horizontal axis denotes the uplink reduction factor relative to Encrypted SecAgg, and the vertical axis shows the corresponding CIFAR-10 accuracy. Each marker corresponds to one configuration from Table 6; the monotone drop in accuracy as compression intensifies reflects the increasing variance of the estimator ${\widehat{\mathbf{G}}}_t$.

Dropout robustness and throughput under stragglers. We next examine robustness to random client dropout and heavy-tailed latency. For each method, we induce an independent per-client dropout probability $\rho \in \{0\%,10\%,20\%,30\%\}$ by randomly marking scheduled clients as unavailable on each round; the remaining active clients behave as in Section 5.1. PaS-Stream additionally employs rate adaptation: once a block reaches coverage $\theta =0.7$ of the scheduled clients, it is closed and further messages for that block are ignored.

Table 8. Robustness to random client dropout on CIFAR-10. Accuracy is final test accuracy (%); throughput is normalized relative to Encrypted SecAgg at $\rho =0\%$.

Method	Dropout $\mathit{\rho }$	Accuracy (%)	Throughput	Throughput Gain
Encrypted SecAgg	0%	91.7	1.00	1.00×
Encrypted SecAgg	10%	91.5	0.93	0.93×
Encrypted SecAgg	20%	91.3	0.88	0.88×
Encrypted SecAgg	30%	90.9	0.81	0.81×
PaS-Stream (8b)	0%	91.5	1.28	1.28×
PaS-Stream (8b)	10%	91.4	1.31	1.31×
PaS-Stream (8b)	20%	91.2	1.33	1.33×
PaS-Stream (8b)	30%	90.9	1.35	1.35×

reports final CIFAR-10 accuracy and a normalized throughput metric defined as the number of effective model updates per wall-clock minute (higher is better), under varying dropout rates for Encrypted SecAgg and PaS-Stream with $(k,b)=(8192,8)$. Accuracy remains stable up to $\rho =30\%$ for both methods, with PaS-Stream tracking Encrypted SecAgg within $0.1$–$0.2\%$ at each dropout level. Throughput decreases with $\rho$ under Encrypted SecAgg because the protocol incurs coordination overhead due to missing contributions; by contrast, PaS-Stream’s blockwise decryption and early closure allow it to increase throughput slightly as $\rho$ grows, effectively trading off some participation against faster rounds.

Figure 7 visualizes the accuracy drop as a function of $\rho$. The solid line corresponds to Encrypted SecAgg, and the dashed line to PaS-Stream; markers indicate the discrete dropout rates tested.

Finally, we evaluate the impact of heavy-tailed latencies under the Pareto model of Figure 2.

Table 9. Verifiability overhead on CIFAR-10 for KS-IPFE and PaS-Stream. CPU overhead is measured as the difference between total server-side CPU time with and without tags/proofs. Communication overhead is the additional per-client uplink.

Method	CPU Overhead (s/Round)	CPU Overhead (%)	Comm. Overhead (% of Uplink)
KS-IPFE (full-precision)	1.6	4.2%	2.1%
PaS-Stream ($k=8192,8$b)	1.5	4.3%	2.7%
PaS-Stream ($k=8192,4$b)	1.4	4.1%	2.9%

reports the relative overhead of the verifiability layer—linearly homomorphic tags and clipping/encoding proofs—on CIFAR-10 for KS-IPFE and PaS-Stream. We report the additional CPU time (absolute and as a percentage of the base KS-IPFE cost) and the additional communication per client per round.

Figure 8 shows the normalized throughput (effective model updates per minute) for KS-IPFE and PaS-Stream with and without the verifiability layer, under the same heavy-tailed latency configuration. Bars on the left of each pair correspond to the base protocol, and bars on the right to the verifiable variant. The small gaps between bars corroborate that the commuting verification layer adds only modest overhead while significantly strengthening integrity guarantees.

6. Conclusions

We have presented FlowAgg-FE, a novel verifiable functional encryption framework for secure and communication-efficient gradient transmission in distributed machine learning, tailored to the requirements of the Special Issue on security and privacy in distributed machine learning. At the cryptographic layer, our KS-IPFE scheme instantiates a key-splittable, LWE-based inner-product FE construction that supports high-dimensional, blockwise aggregation with 2-of-2 threshold decryption across two non-colluding helpers, thereby providing both function privacy and robustness against any single compromised server. At the systems layer, PaS-Stream integrates Johnson–Lindenstrauss sketching, unbiased quantization, and streaming FE encryption to produce rate-adaptive ciphertext flows that preserve unbiased estimation of the target aggregate ${\mathbf{G}}_t$ while tolerating client dropouts and stragglers. Commuting linearly homomorphic tags and clipping proofs add an efficient verifiability mechanism that ensures end-to-end integrity of the aggregated updates without exposing per-client gradients. Our empirical evaluation on CIFAR-10 and FEMNIST demonstrates that FlowAgg-FE matches plaintext and state-of-practice secure aggregation accuracy within $0.3\%$ absolute, reduces per-client uplink by up to $3.4\times$, and lowers server-side CPU time by up to $1.77\times$ under realistic participation patterns. These results indicate that carefully co-designed FE, compression, and verifiability can make function-private, scalable secure aggregation a practical building block for future federated and distributed learning systems. Future work includes extending KS-IPFE to richer families of linear and low-degree polynomial functions, exploring adaptive key rotation and revocation in dynamic client populations, and integrating our framework with production FL platforms and hardware accelerators.