Prerequisites & Notation

Before You Begin

Chapter 10 develops the secure-aggregation protocol — the production-standard privacy mechanism for federated learning. The prerequisites are Shamir secret sharing (Chapter 3), gradient aggregation (Chapter 6), and the FL paradigm (Chapter 9). Readers who completed the privacy-motivation section 9.4 will find this chapter the natural next step.

Shamir secret sharing (Chapter 3 §§3.1–3.3)(Review ch03)
Self-check: State the $(t, n)$ -threshold guarantee of Shamir's scheme in mutual-information terms.
Gradient aggregation in distributed SGD (Chapter 6)(Review ch06)
Self-check: Why is $\mathbf{G} = \sum_k \mathbf{g}_k$ the only quantity the master needs from an aggregation round?
Federated learning overview (Chapter 9)(Review ch09)
Self-check: Why is FL not privacy-preserving by default?
Basic finite-field arithmetic(Review ch03)
Self-check: Compute $5 + 7 \pmod{11}$ and find the additive inverse of $3$ in $\mathbb{F}_{11}$ .
Diffie–Hellman key exchange (basic idea)
Self-check: Two parties, public values $g, p$ : can they derive a shared secret known only to them? What is the adversary's computational problem?

Notation for This Chapter

Secure-aggregation notation extends Chapter 9's FL conventions. We introduce pairwise mask seeds $\mathbf{r}_{ij}$ and Shamir shares of these seeds for dropout handling. $T$ is the privacy threshold (number of colluding parties the scheme tolerates); $\delta$ is the expected user-dropout rate.

Symbol	Meaning	Introduced
$n$	Number of users in the round	s01
$\mathbf{g}_k \in \mathbb{R}^d$	User $k$ 's local gradient (private input)	s01
$\mathbf{G} = \sum_k \mathbf{g}_k$	Target aggregate (server's only authorized output)	s01
$\mathbf{r}_{ij}$	Pairwise random mask between users $i$ and $j$	s02
$\tilde{\mathbf{g}}_k$	User $k$ 's masked upload to the server	s02
$T$	Privacy threshold (server + up to $T$ users may collude)	s01
$\delta \in [0, 1)$	Expected dropout rate per round	s03
$\mathcal{S}_t$	Set of users surviving round $t$	s03
$\mathcal{D}_t$	Set of users dropping out at round $t$	s03
$b_k^{(i)}$	Shamir share of user $i$ 's seed held by user $k$	s03
$R_{\text{agg}}$	Per-round aggregate communication (normalized by $d$ )	s04

← Ch 9 The Threat Model for Federated Aggregation