Chapter Summary

Key Points

  1. Secure aggregation enables FL privacy against an honest-but-curious server. The threat model is: the server follows the protocol but analyzes messages; up to $T$ users may collude. The privacy guarantee is information-theoretic: the adversary learns only the aggregate $\mathbf{G} = \sum_k \mathbf{g}_k$ and nothing else about individual gradients.

  2. The Bonawitz pairwise-masking protocol is the production standard. Each pair of users shares a random mask derived via Diffie–Hellman; the antisymmetric mask structure ensures exact cancellation when the server sums across users. Each user's upload is uniform modulo the aggregate constraint.

  3. User dropouts are handled via Shamir-shared seeds. Each pairwise seed is split via a $(t, n-1)$-Shamir scheme; surviving users' shares let the server reconstruct dropped-user seeds to cancel leftover masks. The threshold satisfies $T + 1 \leq t \leq n - \delta n$, a feasibility constraint on collusion and dropout tolerance.

  4. Caire et al. (2022) proved Bonawitz is optimal. Within the class of secure-aggregation schemes with uncoded groupwise keys, the $O(n^2)$ communication overhead is information-theoretically tight. No cleverer arrangement of pairwise or small-group keys can reduce the cost. This is the second CommIT-group contribution of Part III.

  5. The $O(n^2)$ ceiling motivates CCESA. For large-$n$ deployments, Bonawitz's overhead is prohibitive. Chapter 12's CCESA (another CommIT contribution) uses a sparse random graph of pairwise masks to achieve $O(n\sqrt{n/\log n})$, which is outside the uncoded groupwise-key class and below the Caire et al. bound. The price is a probabilistic (not deterministic) privacy guarantee.
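Key points 2 and 3 as a runnable sketch, added here and not taken from the chapter or from any Bonawitz et al. implementation: antisymmetric pairwise masks cancel in the server's sum, and masks left over by dropped users are removed by reconstructing their seeds from Shamir shares. It assumes integer-quantized gradients in $\mathbb{Z}_{2^{32}}$, seeds sampled directly in place of the Diffie–Hellman agreement, and hypothetical helper names (`prg`, `share`, `reconstruct`, `aggregate`).

```python
import hashlib, secrets
from itertools import combinations, permutations
P = 2**61 - 1   # prime field for Shamir shares (constructed parameter)
M = 2**32       # masked gradients live in Z_M (constructed parameter)

def prg(seed, d):
    """Expand a pairwise seed into d mask words, each uniform in Z_M."""
    return [int.from_bytes(hashlib.sha256(f"{seed}:{k}".encode()).digest()[:4], "big")
            for k in range(d)]

def share(secret, t, holders):
    """Shamir-split secret over GF(P); holders are nonzero ids, any t reconstruct."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P for x in holders}

def reconstruct(points):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def aggregate(grads, dropped, t):
    """Simplified round; seeds are sampled directly (stand-in for Diffie-Hellman)."""
    users, d = sorted(grads), len(next(iter(grads.values())))
    seeds = {frozenset(p): secrets.randbelow(P) for p in combinations(users, 2)}
    # Each user i deals a (t, n-1) sharing of every seed s_ij to the other users.
    shares = {(i, j): share(seeds[frozenset((i, j))], t, [u for u in users if u != i])
              for i, j in permutations(users, 2)}
    alive, total = [u for u in users if u not in dropped], [0] * d
    for i in alive:                       # survivor uploads g_i plus pairwise masks
        y = list(grads[i])
        for j in [u for u in users if u != i]:
            sign = 1 if i < j else -1     # antisymmetric: i adds +m_ij, j adds -m_ij
            m = prg(seeds[frozenset((i, j))], d)
            y = [(a + sign * b) % M for a, b in zip(y, m)]
        total = [(a + b) % M for a, b in zip(total, y)]
    if dropped and len(alive) < t:        # violates t <= n - (number of dropouts)
        raise ValueError("fewer than t survivors: dropped users' seeds are lost")
    for i in alive:                       # cancel masks shared with dropped users
        for j in dropped:
            pts = {u: shares[j, i][u] for u in alive[:t]}   # any t surviving shares
            sign = 1 if i < j else -1
            total = [(a - sign * b) % M for a, b in zip(total, prg(reconstruct(pts), d))]
    return total
```

The same threshold $t$ that lets the server recover a dropped user's seeds is what any $t$ colluding share-holders could also reach, which is why the summary's constraint bounds $t$ from below by $T + 1$.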

Looking Ahead

Chapter 11 builds on this chapter's secure-aggregation framework to address the Byzantine adversary: users who actively send corrupted gradients rather than honest ones. The CommIT-group ByzSecAgg protocol (Jahani-Nezhad / Maddah-Ali / Caire 2023) combines pairwise masking (this chapter), ramp secret sharing (Chapter 3), coded matrix multiplication (Chapter 5), and vector commitments into a single protocol tolerating $B$ Byzantine users at $O(n \log n + Bd)$ communication. This is the third CommIT contribution of Part III; readers who completed Chapter 10 will find Chapter 11's construction a natural extension.