pith. sign in

arxiv: 2605.24054 · v1 · pith:PTF57GMZnew · submitted 2026-05-22 · 💻 cs.CR

Verifiable Secure Aggregation via Dual Servers with Linear Tags in Federated Learning

Pith reviewed 2026-06-30 16:31 UTC · model grok-4.3

classification 💻 cs.CR
keywords federated learningsecure aggregationverifiable aggregationdual serverslinear tagspseudo-random functionsprivacy preservationmodel updates
0
0 comments X

The pith

A dual-server scheme with linear tags from pseudo-random functions performs verifiable secure aggregation in federated learning while cutting user and verification costs.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces a protocol for aggregating model updates in federated learning that protects individual user data from the servers and lets the servers check each other's results for correctness. It relies on pseudo-random functions to generate constant-size linear tags and assumes the two servers do not collude. The design keeps total communication close to ordinary plaintext aggregation. Performance measurements show the method scales to many participants because user-side work and verification both drop substantially compared with earlier approaches.

Core claim

The authors construct a verifiable secure aggregation protocol that uses pseudo-random functions and a pair of non-colluding servers to produce linear tags. These tags enable mutual verification of the aggregated result, prevent reconstruction of individual updates, and block undetected tampering while preserving end-to-end security and constant tag size.

What carries the argument

Linear tags computed from pseudo-random functions across a non-colluding dual-server architecture, which carry the mutual verification and secure aggregation steps.

If this is right

  • For 20K-dimensional inputs, user computation falls to 18 ms, roughly seven times faster than OPSA.
  • Verification time falls to 9.5 ms, about 2.4 times faster than OPSA.
  • Communication cost stays comparable to plaintext aggregation.
  • The scheme remains practical when the number of participants is large.
  • User privacy is maintained and the aggregate result is verifiable end-to-end.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same tag mechanism could be examined for use in other multi-party settings where two non-colluding authorities can be arranged.
  • If the measured speedups hold on real hardware and datasets, the protocol might support aggregation rounds that were previously too slow.
  • A direct test would measure whether gradient-inversion attacks succeed against the final verified aggregate.

Load-bearing premise

The two servers never collude with each other.

What would settle it

An experiment in which the two servers collude, reconstruct at least one individual update, or output a tampered aggregate that still passes verification would show the security claim fails.

Figures

Figures reproduced from arXiv: 2605.24054 by Yufei Zhou.

Figure 1
Figure 1. Figure 1: Communication diagram for each stage of our scheme. The red parts indicate additional steps for verification. [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Details of our protocol (verification steps highlighted in red). [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 6
Figure 6. Figure 6: Total overhead across different aggregation rounds, [PITH_FULL_IMAGE:figures/full_fig_p010_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Computation time comparison between CS and VS under different [PITH_FULL_IMAGE:figures/full_fig_p010_7.png] view at source ↗
Figure 5
Figure 5. Figure 5: Overhead under different dropout rates, n = 1000 and d = 20K. to KhPRF, substantially lower than POT, but slightly higher than RVFL. 2) Computation Time under Different Numbers of Users: We provide the computation overhead under different numbers of users in [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 8
Figure 8. Figure 8: Accuracy with n = 10 and δ = 0. For MNIST, we use a classic multilayer perceptron consisting of two fully connected hidden layers with 128 and 64 units, respectively, and ReLU activation functions. The input is a flat￾tened 28×28 image, and the output layer applies softmax over 10 classes. The model has 109,386 parameters. For CIFAR-10, we employ a CNN with two convolutional layers (kernel size 3×3, paddin… view at source ↗
read the original abstract

Federated learning (FL) enables collaborative model training by aggregating local updates without requiring raw data sharing. However, prior studies have shown that servers can exploit gradient inversion to compromise user privacy or manipulate aggregation results, undermining the utility of the global model. To address these concerns, we propose a secure and verifiable aggregation scheme with lightweight cryptographic primitives for FL. Our method leverages pseudo-random functions (PRFs) and a non-colluding dual-server architecture to achieve secure aggregation with mutual server verification, while maintaining communication overhead comparable to plaintext aggregation and a constant verification tag size. Crucially, it preserves user privacy and achieves end-to-end secure aggregation with verification. Moreover, our scheme significantly reduces both user computation and verification overhead, making it suitable for FL with a large number of participants. For instance, with an input dimension of 20K, user computation time is reduced to 18 ms, approximately 7$\times$ faster than OPSA, while verification time decreases to 9.5 ms, approximately 2.4$\times$ faster than OPSA.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper proposes a verifiable secure aggregation scheme for federated learning using pseudo-random functions and a non-colluding dual-server architecture. It claims to achieve secure aggregation with mutual server verification, constant-size verification tags, communication overhead comparable to plaintext aggregation, and substantially reduced user computation and verification times (e.g., 18 ms user computation and 9.5 ms verification at 20K input dimension, stated as 7× and 2.4× faster than OPSA).

Significance. If the security claims hold under the stated model and the performance numbers are reproducible, the construction could provide a practical lightweight primitive for large-scale FL deployments that simultaneously address privacy against gradient inversion and integrity against aggregation manipulation. The constant tag size and dual-server mutual verification are potentially useful features if formally substantiated.

major comments (3)
  1. [Threat model] Threat model / security definitions: the end-to-end privacy and verifiability guarantees are conditioned on the two servers never colluding, yet the manuscript provides no mechanism for enforcing, detecting, or recovering from collusion; this assumption is load-bearing for all stated security properties.
  2. [Security analysis] Security analysis: no formal security model, game-based definitions, or reduction proofs appear for the claimed end-to-end secure aggregation with verification; the abstract and performance claims cannot be assessed without these.
  3. [Performance evaluation] Performance evaluation: the concrete timings (18 ms user computation, 9.5 ms verification at dimension 20K) and speedups versus OPSA are reported without implementation details, hardware platform, or experimental setup, rendering the quantitative claims unverifiable.
minor comments (2)
  1. [Abstract] The title refers to 'Linear Tags' but the abstract does not define or motivate the linear-tag construction or its role in achieving constant tag size.
  2. [Preliminaries] Notation for the PRF-based tags and how they are split across the two servers is introduced without a clear preliminary section or running example.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their thorough review and constructive comments. We address each of the major comments below, providing clarifications and indicating planned revisions to strengthen the manuscript.

read point-by-point responses
  1. Referee: [Threat model] Threat model / security definitions: the end-to-end privacy and verifiability guarantees are conditioned on the two servers never colluding, yet the manuscript provides no mechanism for enforcing, detecting, or recovering from collusion; this assumption is load-bearing for all stated security properties.

    Authors: The non-colluding dual-server model is a standard assumption in the literature on secure two-party computation and secure aggregation protocols, where the servers are assumed to follow the protocol but not collude. Our scheme's security properties are proven under this model using the properties of PRFs and linear tags. We will expand the dedicated threat model section to explicitly articulate this assumption, discuss its practical implications (such as servers operated by independent entities), and note that mechanisms for collusion detection are beyond the scope of the current work as they would require additional infrastructure not related to the cryptographic construction. revision: partial

  2. Referee: [Security analysis] Security analysis: no formal security model, game-based definitions, or reduction proofs appear for the claimed end-to-end secure aggregation with verification; the abstract and performance claims cannot be assessed without these.

    Authors: We agree that a formal treatment would enhance the paper. The current manuscript includes a security argument relying on the pseudorandomness of the PRF and the linearity of the verification tags to argue privacy and verifiability. In the revision, we will add a formal security model section defining the games for privacy against the servers and verifiability of the aggregation result, along with sketches of reductions to the PRF security assumption. revision: yes

  3. Referee: [Performance evaluation] Performance evaluation: the concrete timings (18 ms user computation, 9.5 ms verification at dimension 20K) and speedups versus OPSA are reported without implementation details, hardware platform, or experimental setup, rendering the quantitative claims unverifiable.

    Authors: The performance numbers were measured using our Python-based prototype implementation. We will add a comprehensive experimental setup subsection detailing the hardware configuration (processor, memory, operating system), the cryptographic library used, the exact implementation of the PRF and tag generation, and the methodology for timing measurements to ensure the results are reproducible and the claims verifiable. revision: yes

Circularity Check

0 steps flagged

No significant circularity; scheme is a new construction on standard primitives and explicit assumptions

full rationale

The paper presents a cryptographic construction for verifiable secure aggregation using PRFs and a non-colluding dual-server model. No equations, derivations, or performance claims reduce by construction to fitted inputs, self-definitions, or self-citation chains. The dual-server assumption is stated explicitly as a precondition rather than derived from the scheme itself. Performance numbers (e.g., 18 ms user time) are reported from implementation measurements, not from any predictive model fitted to the same data. No load-bearing uniqueness theorems or ansatzes are smuggled via self-citation. This is a standard honest finding for a construction paper whose central claims rest on cryptographic assumptions rather than internal reductions.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The scheme rests on standard cryptographic assumptions for PRFs and the modeling choice of non-colluding servers; no free parameters or new entities are introduced in the abstract.

axioms (2)
  • standard math Security properties of pseudo-random functions
    Used to generate verification tags; invoked implicitly in the scheme description.
  • domain assumption Non-collusion between the two servers
    Central to achieving mutual verification and security; stated in the abstract.

pith-pipeline@v0.9.1-grok · 5705 in / 1231 out tokens · 42243 ms · 2026-06-30T16:31:38.870590+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

35 extracted references

  1. [1]

    Advances and open problems in federated learning,

    P. Kairouz, H. B. McMahan, B. Avent, A. Bellet, M. Bennis, A. N. Bhagoji, K. Bonawitz, Z. Charles, G. Cormode, R. Cummingset al., “Advances and open problems in federated learning,”Foundations and trends® in machine learning, vol. 14, no. 1–2, pp. 1–210, 2021

  2. [2]

    Communication-efficient learning of deep networks from decentralized data,

    B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” inArtificial intelligence and statistics. PMLR, 2017, pp. 1273– 1282

  3. [3]

    Federated learning review: Fundamentals, enabling technologies, and future applications,

    S. Banabilah, M. Aloqaily, E. Alsayed, N. Malik, and Y . Jararweh, “Federated learning review: Fundamentals, enabling technologies, and future applications,”Information processing & management, vol. 59, no. 6, p. 103061, 2022

  4. [4]

    Deep leakage from gradients,

    L. Zhu, Z. Liu, and S. Han, “Deep leakage from gradients,”Advances in neural information processing systems, vol. 32, 2019

  5. [5]

    Model inversion attacks that exploit confidence information and basic countermeasures,

    M. Fredrikson, S. Jha, and T. Ristenpart, “Model inversion attacks that exploit confidence information and basic countermeasures,” in Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, 2015, pp. 1322–1333

  6. [6]

    Versa: Verifiable secure aggregation for cross-device federated learning,

    C. Hahn, H. Kim, M. Kim, and J. Hur, “Versa: Verifiable secure aggregation for cross-device federated learning,”IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 1, pp. 36–52, 2021

  7. [7]

    Backdoor attacks and defenses targeting multi-domain ai models: A comprehensive review,

    S. Zhang, Y . Pan, Q. Liu, Z. Yan, K.-K. R. Choo, and G. Wang, “Backdoor attacks and defenses targeting multi-domain ai models: A comprehensive review,”ACM Computing Surveys, vol. 57, no. 4, pp. 1–35, 2024

  8. [8]

    Beyond inferring class representatives: User-level privacy leakage from federated learning,

    Z. Wang, M. Song, Z. Zhang, Y . Song, Q. Wang, and H. Qi, “Beyond inferring class representatives: User-level privacy leakage from federated learning,” inIEEE INFOCOM 2019-IEEE conference on computer communications. IEEE, 2019, pp. 2512–2520

  9. [9]

    EVFLS: An effective and verifiable federated learning aggregation scheme,

    R. Wang, J. Geng, and L. Xiong, “EVFLS: An effective and verifiable federated learning aggregation scheme,” inInternational Conference on Frontiers in Cyber Security. Springer, 2024, pp. 131–148

  10. [10]

    VOSA: Verifiable and oblivious secure aggregation for privacy-preserving federated learning,

    Y . Wang, A. Zhang, S. Wu, and S. Yu, “VOSA: Verifiable and oblivious secure aggregation for privacy-preserving federated learning,”IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 5, pp. 3601–3616, 2022

  11. [11]

    Effi- cient verifiable protocol for privacy-preserving aggregation in federated learning,

    T. Eltaras, F. Sabry, W. Labda, K. Alzoubi, and Q. Ahmedeltaras, “Effi- cient verifiable protocol for privacy-preserving aggregation in federated learning,”IEEE Transactions on Information Forensics and Security, vol. 18, pp. 2977–2990, 2023

  12. [12]

    Efficient and secure federated learning with verifiable weighted average aggregation,

    Z. Yang, M. Zhou, H. Yu, R. O. Sinnott, and H. Liu, “Efficient and secure federated learning with verifiable weighted average aggregation,” IEEE Transactions on Network Science and Engineering, vol. 10, no. 1, pp. 205–222, 2022

  13. [13]

    Veritas: Plaintext encoders for practical verifiable homomorphic en- cryption,

    S. Chatel, C. Knabenhans, A. Pyrgelis, C. Troncoso, and J.-P. Hubaux, “Veritas: Plaintext encoders for practical verifiable homomorphic en- cryption,” inProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 2024, pp. 2520–2534

  14. [14]

    Homomorphic hash and blockchain based authentication key exchange protocol for strangers,

    H. Yao, C. Wang, B. Hai, and S. Zhu, “Homomorphic hash and blockchain based authentication key exchange protocol for strangers,” in 2018 Sixth International Conference on Advanced Cloud and Big Data (CBD). IEEE, 2018, pp. 243–248

  15. [15]

    A survey on homomorphic encryption schemes: Theory and implementation,

    A. Acar, H. Aksu, A. S. Uluagac, and M. Conti, “A survey on homomorphic encryption schemes: Theory and implementation,”ACM Computing Surveys (Csur), vol. 51, no. 4, pp. 1–35, 2018

  16. [16]

    OPSA: Efficient and verifiable one-pass secure aggregation with TEE for federated learning,

    Z. Guan, Y . Zhao, Z. Wan, and J. Han, “OPSA: Efficient and verifiable one-pass secure aggregation with TEE for federated learning,”IEEE Transactions on Dependable and Secure Computing, 2025

  17. [17]

    Attack of the tails: Yes, you really can backdoor federated learning,

    H. Wang, K. Sreenivasan, S. Rajput, H. Vishwakarma, S. Agarwal, J.- y. Sohn, K. Lee, and D. Papailiopoulos, “Attack of the tails: Yes, you really can backdoor federated learning,”Advances in neural information processing systems, vol. 33, pp. 16 070–16 084, 2020

  18. [18]

    VerifyNet: Secure and verifiable federated learning,

    G. Xu, H. Li, S. Liu, K. Yang, and X. Lin, “VerifyNet: Secure and verifiable federated learning,”IEEE Transactions on Information Forensics and Security, vol. 15, pp. 911–926, 2019

  19. [19]

    Vfl: A verifiable federated learning with privacy-preserving for big data in industrial IoT,

    A. Fu, X. Zhang, N. Xiong, Y . Gao, H. Wang, and J. Zhang, “Vfl: A verifiable federated learning with privacy-preserving for big data in industrial IoT,”IEEE Transactions on Industrial Informatics, vol. 18, no. 5, pp. 3316–3326, 2020

  20. [20]

    Comments on “VERSA: Verifiable secure aggregation for cross-device federated learning

    F. Luo, H. Wang, and X. Yan, “Comments on “VERSA: Verifiable secure aggregation for cross-device federated learning”,”IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 1, pp. 499–500, 2023

  21. [21]

    Verifl: Communication-efficient and fast verifiable aggregation for federated learning,

    X. Guo, Z. Liu, J. Li, J. Gao, B. Hou, C. Dong, and T. Baker, “Verifl: Communication-efficient and fast verifiable aggregation for federated learning,”IEEE Transactions on Information Forensics and Security, vol. 16, pp. 1736–1751, 2020

  22. [22]

    OVP-FL: outsourced verifiable privacy- preserving federated learning,

    S. Li, X. Wei, and H. Wang, “OVP-FL: outsourced verifiable privacy- preserving federated learning,”IEEE Transactions on Network Science and Engineering, 2025

  23. [23]

    RVFL: Rational verifiable federated learning secure aggregation protocol,

    X. Mu, Y . Tian, Z. Zhou, S. Wang, and J. Xiong, “RVFL: Rational verifiable federated learning secure aggregation protocol,”IEEE Internet of Things Journal, 2024

  24. [24]

    On the security of verifiable and oblivious secure aggregation for privacy-preserving federated learning,

    J. Wu and W. Zhang, “On the security of verifiable and oblivious secure aggregation for privacy-preserving federated learning,”IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 5, pp. 4324–4326, 2024

  25. [25]

    BatchCrypt: Efficient homomorphic encryption for Cross-Silo federated learning,

    C. Zhang, S. Li, J. Xia, W. Wang, F. Yan, and Y . Liu, “BatchCrypt: Efficient homomorphic encryption for Cross-Silo federated learning,” in 12 2020 USENIX annual technical conference (USENIX ATC 20), 2020, pp. 493–506

  26. [26]

    Katz and Y

    J. Katz and Y . Lindell,Introduction to modern cryptography: principles and protocols. Chapman and hall/CRC, 2007

  27. [27]

    Oppliger,SSL and TLS: Theory and Practice

    R. Oppliger,SSL and TLS: Theory and Practice. Artech House, 2023

  28. [28]

    Prio: Private, robust, and scalable computation of aggregate statistics,

    H. Corrigan-Gibbs and D. Boneh, “Prio: Private, robust, and scalable computation of aggregate statistics,” in14th USENIX symposium on networked systems design and implementation (NSDI 17), 2017, pp. 259–282

  29. [29]

    Lightweight techniques for private heavy hitters,

    D. Boneh, E. Boyle, H. Corrigan-Gibbs, N. Gilboa, and Y . Ishai, “Lightweight techniques for private heavy hitters,” in2021 IEEE Sym- posium on Security and Privacy (SP). IEEE, 2021, pp. 762–776

  30. [30]

    CSHER: A system for compact storage with HE-Retrieval,

    A. Akavia, N. Oren, B. Sapir, and M. Vald, “CSHER: A system for compact storage with HE-Retrieval,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 4751–4768

  31. [31]

    Elsa: Secure aggregation for federated learning with malicious actors,

    M. Rathee, C. Shen, S. Wagh, and R. A. Popa, “Elsa: Secure aggregation for federated learning with malicious actors,” in2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023, pp. 1961–1979

  32. [32]

    Buchmann,Introduction to cryptography

    J. Buchmann,Introduction to cryptography. Springer, 2004, vol. 335

  33. [33]

    How to simulate it–a tutorial on the simulation proof technique,

    Y . Lindell, “How to simulate it–a tutorial on the simulation proof technique,”Tutorials on the Foundations of Cryptography: Dedicated to Oded Goldreich, pp. 277–346, 2017

  34. [34]

    Gradient-based learning applied to document recognition,

    Y . LeCun, L. Bottou, Y . Bengio, and P. Haffner, “Gradient-based learning applied to document recognition,”Proceedings of the IEEE, vol. 86, no. 11, pp. 2278–2324, 2002

  35. [35]

    Learning multiple layers of features from tiny images,

    A. Krizhevsky, “Learning multiple layers of features from tiny images,” University of Toronto, Toronto, Tech. Rep. TR-2009, 2009