Secure Aggregation with an Oblivious Server

TL;DR

This paper introduces a secure aggregation protocol with an oblivious server, ensuring users learn only the sum of inputs without revealing individual data, and establishes fundamental communication and key size lower bounds.

Contribution

It proposes the first secure aggregation protocol with an oblivious server and derives optimal bounds on communication and key sizes for this setting.

Findings

Minimum 1-bit communication from users to server per sum bit.

Server must send at least 1 bit to each user per sum bit.

Each user needs at least 2 bits of key, increasing to K bits with user dropouts.

Abstract

Secure aggregation usually aims at securely computing the sum of the inputs from $K$ users at a server. Noticing that the sum might inevitably reveal information about the inputs (when the inputs are non-uniform) and typically the users (not the server) desire the sum (in applications such as federated learning), we consider a variant of secure aggregation where the server is oblivious, i.e., the server only serves as a communication facilitator/helper to enable the users to securely compute the sum and learns nothing in the process. Our communication protocol involves one round of messages from the users to the server and one round of messages from the server to each user such that in the end each user only learns the sum of all $K$ inputs and the server learns no information about the inputs. For this secure aggregation with an oblivious server problem, we show that to compute $1$ bit of the sum securely, each user needs to send at least $1$ bit to the server, the server needs to send at least $1$ bit to each user, each user needs to hold a key of at least $2$ bits, and all users need to collectively hold at least $K$ key bits. In addition, when user dropouts are allowed, the optimal performance remains the same, except that the minimum size of the key held by each user increases to $K$ bits, per sum bit.