Decentralized Secure Aggregation (DSA)

Updated 25 December 2025

Decentralized Secure Aggregation (DSA) is a protocol framework enabling peers to compute aggregate values without a trusted party while ensuring data confidentiality and correct computation.
It leverages additive secret sharing, homomorphic encryption, and hybrid TEE approaches to mitigate adversarial threats like Byzantine behavior and collusion.
DSA protocols demonstrate practical scalability and efficiency in applications such as federated learning and blockchain-based aggregation, supported by rigorous key-rate and communication analyses.

Decentralized Secure Aggregation (DSA) refers to protocol frameworks that enable a network of mutually distrustful parties to collaboratively compute an aggregate value—typically the sum or average of private vectors—while provably protecting the confidentiality of individual inputs, ensuring integrity against malicious or faulty peers, and providing robustness even in the presence of collusion or Byzantine behavior. DSA generalizes secure aggregation from the centralized (server-mediated) federated learning setting to fully distributed (peer-to-peer or multi-aggregator) environments, where the aggregation step is performed without a trusted party, using information-theoretic, cryptographic, or hybrid techniques.

1. Threat Models, Security Goals, and Formal Definitions

DSA protocols formally address three intertwined challenges: data confidentiality, robustness to adversarial actors (including colluding and Byzantine peers), and correctness. The main adversarial models are:

Honest-but-curious (semi-honest): Participants follow the protocol but attempt to infer other users’ inputs from observed messages. DSA guarantees that any coalition up to size $t$ (for some threshold $t$ ) learns nothing beyond the aggregate, usually formalized via a simulation argument. This is the primary target in protocols such as additive secret sharing (More et al., 2022), information-theoretic masking (Zhang et al., 1 Aug 2025), and groupwise key schemes (Li et al., 18 Nov 2025).
Byzantine (active/malicious): Participants may arbitrarily deviate, sending malformed or malicious updates in an attempt to corrupt the aggregate. Modern DSA protocols integrate Byzantine-robust aggregation rules and cryptographically authenticated messages to defend against such attacks (Ghavamipour et al., 27 Apr 2024, Cajaraville-Aboy et al., 26 Sep 2024).
Collusion: Subsets of users may collude, combining their private randomness, keys, and received messages. DSA security definitions often demand $t$ -privacy: no coalition of up to $t$ users (plus their keys/messages) learns more than the global sum (Zhang et al., 1 Aug 2025, Li et al., 18 Dec 2025).

Formally, correctness requires that each user can reliably reconstruct the sum $S := \sum_{i=1}^K W_i$ given their own input and all observed protocol messages; security requires that no coalition learns any additional information about non-colluders' inputs beyond $S$ .

2. Information-Theoretic Foundations and Key Rate Characterizations

Recent work has delineated the fundamental communication and key requirements for DSA under arbitrary collusion patterns. The canonical setting assumes $K$ users, each with input $W_k \in \mathbb{F}_q^L$ , aiming to compute $S = \sum_{k=1}^K W_k$ with $t$ -privacy (Zhang et al., 1 Aug 2025):

Minimal communication: Each user must broadcast at least one symbol per input symbol ( $R_X \geq 1$ ).
Optimal key rate: Each user must hold at least one symbol of secret key; the system as a whole must generate at least $K-1$ independent key symbols ( $R_{Z_\Sigma} \geq K-1$ ).
Achievability: A linear one-time-pad masking of each $W_k$ with an independent key $Z_k$ (with the sum of all keys zero) is sufficient. The broadcast $X_k = W_k + Z_k$ allows each user to recover $S$ by summing all $X_k$ and removing their own key.

When the keying structure is generalized to groupwise keys (every subset of $G$ users shares an independent secret) (Li et al., 18 Nov 2025), the optimal groupwise key rate for collusion threshold $T$ is $R_K \geq (K - T - 2) / \binom{K - T - 1}{G}$ for $2 \leq G < K-T$ . For arbitrary security sets and collusion families, the source key rate is precisely characterized via a linear program, enabling DSA to flexibly target non-uniform privacy requirements (Li et al., 18 Dec 2025).

3. Cryptographic Protocol Constructions

DSA protocols instantiate these foundations with constructions falling into three major categories:

Additive Secret Sharing and MPC: Each user splits their update into random shares, distributing them to aggregators or peers. Only the full set of shares allows recovery of the original input (preventing any subset from learning anything), and the aggregate can be computed via local addition on shares (More et al., 2022, Ghavamipour et al., 27 Apr 2024). In SCOTCH (More et al., 2022), $n$ servers collect shares and compute a sum without revealing any client update, with $t$ -privacy against collusion.
Additive Homomorphic Encryption (HE): Users encrypt their updates under a jointly generated key. The aggregator adds ciphertexts to obtain an encrypted sum, which can then be decrypted only with collaboration from a threshold of users (Tian et al., 2021). Protocols such as DTAHE allow the aggregation of arbitrary linear combinations (e.g., convolutional layers in FL), with security against both dropouts and malicious modification enforced via blockchain smart contracts.
Hybrid Cryptography/TEE Architectures: DSA can combine TEEs for efficient secure computation with cryptographic masking for operators or parties lacking hardware support (Laage et al., 11 Apr 2025). Various configurations enable trade-offs between end-to-end cryptographic security and near-native performance. For example, parties may encrypt data directly to an aggregator enclave, or use FHE for aggregation and TEE-side decryption.

DSA for decentralized settings also encompasses consensus-based aggregation (e.g., ADMM (Jeon et al., 2020)), decentralized key generation (Elmahallawy et al., 2023), and blockchain-based summation with zero-knowledge proofs (Ismayilov et al., 2023).

4. Robustness Against Byzantine and Active Adversaries

Achieving integrity and convergence in the presence of Byzantine/malicious peers is essential for DSA in decentralized learning:

Byzantine-robust aggregation: Protocols such as WFAgg (Cajaraville-Aboy et al., 26 Sep 2024), SecureDL (Ghavamipour et al., 27 Apr 2024), and Sentinel (Feng et al., 2023) replace naive averaging with robust statistics—median, trimmed mean, cosine similarity thresholds, temporal anomaly filters, or validation-based weighting—to filter poisoned or anomalous updates. Typically, acceptance thresholds are derived so that, as long as the number of Byzantine users per neighbor set is less than half, consensus and convergence are maintained.
Cryptographic protections: Information-theoretic MACs (Ghavamipour et al., 27 Apr 2024) or zero-knowledge proofs (Ismayilov et al., 2023) ensure the integrity of exchanged messages or enforce correct computation in the presence of arbitrary deviation.
Interaction with privacy: Byzantine-robust schemes must avoid information leakage from the aggregation process; e.g., SecureDL implements all filtering (cosine similarity, normalization) over secret-shared inputs, ensuring that only the aggregate is ever revealed.

These approaches are empirically demonstrated to preserve model accuracy and consensus even with aggressive attack models (e.g., 80% Byzantine), far outperforming centralized or non-private robust aggregators.

5. Communication Models, Complexity, and Scalability

DSA protocols are highly sensitive to network structure, communication complexity, and scalability constraints:

Protocol Family	Per-User Communication	Key/State Overhead	Scalability
Additive SS/MPC	$O(n)$	$O(1)$	Linear in $n$ servers/users (More et al., 2022)
Info-theoretic DSA	$O(1)$	$O(K-1)$	Optimal, as each user only broadcasts 1 symbol (sum masking) (Zhang et al., 1 Aug 2025)
Groupwise Keys	$O(1)$	$O(n^G)$	Scales with group size, requires careful design (Li et al., 18 Nov 2025)
HE/FHE-based	$O(n)$ to $O(n^2)$	Ciphertext-size	High, for large $n$ and large input dimension
Blockchain-based	$O(\log n)$	$O(\log n)$	Efficient on-chain (hypercube), but expensive proofs (Ismayilov et al., 2023)
ADMM/group design	$O(s)$	Low	Efficient via combinatorial block design (Jeon et al., 2020)

Careful design choices impact runtime, memory, and communication overhead. Decentralized aggregation with sparsification (e.g., CESAR (Biswas et al., 13 May 2024)) enables dramatic reductions in communication by transmitting only sparse parameter subsets, requiring protocol adaptations to ensure masks still cancel.

6. Specialized DSA Architectures and Applications

DSA has been deployed and evaluated in diverse application-driven topologies:

Federated Learning and Multi-Server/Peer Models: In general FL over unreliable or partitioned networks, DSA implements confidentiality and aggregation among clients and aggregators (More et al., 2022).
Space/Satellite Constellations: FedSecure (Elmahallawy et al., 2023) introduces decentralized key generation and on-orbit aggregation, efficiently handling satellite visibility dynamics and eavesdropping.
Blockchain/SNARK-driven Aggregation: Protocols using Ethereum and Pedersen commitments combined with hypercube topologies and SNARK proofs provide fully trustless aggregation with scalable (logarithmic) overhead (Ismayilov et al., 2023).
Graph-based and Combinatorial Designs: Privacy-preserving decentralized ADMM aggregation leverages block design theory to restrict message patterns, preventing inference from repeated communication (Jeon et al., 2020).

Each implementation tunes trade-offs among privacy, robustness, communication, and deployment complexity.

7. Future Directions and Open Problems

Fundamental and applied research in DSA continues to advance on multiple fronts:

Key-rate minimization and personalized security: Linear-program-based optimizations now allow DSA to minimize key overhead under heterogeneous, non-uniform security requirements (Li et al., 18 Dec 2025).
Joint privacy and robustness: Achieving accurate learning under both strict $t$ -privacy and Byzantine adversaries remains an active area; compositional or hybrid schemes are under investigation (Ghavamipour et al., 27 Apr 2024, Cajaraville-Aboy et al., 26 Sep 2024).
Practical scalability: Efficient key generation, state management, and protocol orchestration for thousands of users are receiving intensified focus.
Integration with blockchain and hardware roots-of-trust: On-chain aggregation and trusted hardware are being explored for auditability and performance (Laage et al., 11 Apr 2025, Ismayilov et al., 2023).
Asynchronous and dynamic topologies: Addressing privacy and fault tolerance in asynchrony and under network churn is a significant technical challenge (Liu et al., 16 Aug 2024).

DSA now provides a theoretical and practical foundation for private, robust collaborative computation in decentralized settings, with provable security guarantees supported by rigorous communication and key-rate optimality theorems (Zhang et al., 1 Aug 2025, Li et al., 18 Nov 2025, Li et al., 18 Dec 2025), and demonstrated empirical viability in federated and peer-to-peer machine learning deployments (More et al., 2022, Ghavamipour et al., 27 Apr 2024, Biswas et al., 13 May 2024).