
Lattice Post-Quantum Secure Aggregation

Updated 1 February 2026
  • Lattice-based secure aggregation is a family of cryptographic protocols that use LWE/Ring-LWE assumptions to enable post-quantum, privacy-preserving computation of aggregated data.
  • These schemes integrate additively homomorphic encryption and differential privacy, making them ideal for applications like federated learning, smart metering, and IoT security.
  • Advanced designs incorporate dropout tolerance, Byzantine resilience, and blockchain integration to ensure efficient and verifiable aggregation in decentralized environments.

Lattice-based post-quantum secure aggregation comprises a spectrum of cryptographic protocols that enable the aggregation of private inputs from multiple users (e.g., model updates, sensor readings, or usage data) such that only the aggregate is revealed, even to adversaries equipped with quantum computing capabilities. These protocols instantiate secure aggregation using hardness assumptions from lattice cryptography—predominantly Learning With Errors (LWE), Ring-LWE, and their module variants—to attain quantum resistance, additively homomorphic properties, and integration with differential privacy (DP). Protocol designs further address application-specific constraints such as user dropouts, Byzantine robustness, threshold decryption, decentralized key management, authentication, and integration with blockchains, garnering adoption in federated learning, smart metering, and IoT security.

1. Core Lattice-Based Secure Aggregation Paradigms

The dominant approaches to lattice-based post-quantum secure aggregation fall into several categories:

  • Private Stream Aggregation (PSA) from DLWE and Skellam noise: PSA schemes encode individual inputs and their sum as group elements using key-homomorphic weak PRFs grounded in the decisional LWE problem. A quantum-safe construction repurposes DLWE with Skellam-distributed noise to act as both a pseudorandom mask and a DP perturbation (Valovich et al., 2017).
  • Homomorphic encryption (HE) for input aggregation: NTRU-based and Ring-LWE-based additively homomorphic encryption enable per-user encryption of values such that their ciphertexts can be summed. The sum decrypts directly to the aggregate, with security and efficiency properties determined by the choice of lattice parameters and ciphertext packing (Chen, 2024).
  • Decentralized threshold additive homomorphic encryption (DTAHE): Schemes based on RLWE amalgamate user-generated keys into a joint encryption key, enabling (weighted) sums over encrypted inputs with decryption contingent on a threshold of user contributions, supporting resilience to user dropout and distributed trust (Tian et al., 2021).
  • Masking protocols and KEM/PRF-based mask coordination: Schemes such as Beskar coordinate per-round one-time pads (masks) using post-quantum KEMs (e.g., Kyber) and PRFs to achieve confidentiality without explicit HE ciphertexts, thereby optimizing computational and bandwidth efficiency for high-dimensional settings (Zhang et al., 9 May 2025, Rahmati et al., 3 Jan 2026).
  • Blockchain and smart contract integration: Recent architectures employ R-LWE-based encryption, lattice signatures, and blockchain logs to ensure public verifiability, fraud resistance, and fine-grained aggregation on robust, decentralized ledgers (Darzi et al., 2024).

2. Algebraic Foundations and Security Reductions

Hardness Assumptions:

  • The security of all these protocols fundamentally reduces to LWE/Ring-LWE/Module-LWE or NTRU hardness under chosen parameter regimes. For instance, the DLWE-Skellam variant provides post-quantum security via a reduction from standard DLWE (with Gaussian noise) to Skellam-noise DLWE using lossy code techniques (Valovich et al., 2017).
  • For threshold and multiparty aggregation, RLWE or NTRU key generation and encryption protocols are employed, with correctness secured by noise growth analysis ensuring decryption fidelity up to specified aggregation depths (Chen, 2024, Tian et al., 2021).

Pseudorandomness and Key Homomorphism:

  • Lattice-based weak PRFs of the form $F_s(t) = \langle t, s \rangle + e_t \pmod q$ support key homomorphism (i.e., $F_{s_1}(t) + F_{s_2}(t) = F_{s_1+s_2}(t) + e'$), aligning with PSA requirements (Valovich et al., 2017).
  • Additive and scalar-linear homomorphism underpins the linearly homomorphic ring signature schemes and the general DTAHE construction (Guo et al., 3 Jul 2025, Tian et al., 2021).

Threshold Security and Robustness:

  • In DTAHE, users generate Shamir-shared secret key components and hybrid-encrypt the shares. The decryption key for the sum is reconstructible only with contributions from a threshold number of users, thereby supporting dropout resilience and distributed trust (Tian et al., 2021).
  • Blockchain-based schemes use auxiliary shares and secret sharing to enforce threshold decryption of aggregated ciphertexts across control centers and smart meters (Darzi et al., 2024).

3. Differential Privacy Integration

Skellam Mechanism for (ε,δ)-DP:

  • Secure aggregation protocols can integrate (ε,δ)-differential privacy by distributing Skellam noise: each honest user adds local noise sampled from $\mathrm{Sk}(\mu/(\gamma n))$, where $\gamma$ is the minimum honest fraction; the convolution property of the Skellam distribution ensures the global noise remains $\mathrm{Sk}(\mu)$, matching central privacy guarantees (Valovich et al., 2017).
  • Analytical privacy–accuracy trade-offs are formalized. For function sensitivity $S$, achieving $(\epsilon, \delta)$-DP requires $\mu \geq \left[\log(1/\delta)+\epsilon\right]/\{1 - \cosh(\epsilon/S) + (\epsilon/S)\sinh(\epsilon/S)\}$, while the magnitude bound of the noise is $\alpha = (S/\epsilon)[\log(1/\delta) + \epsilon + \ln(2/\beta)]$ with failure probability $\beta$ (Valovich et al., 2017).

Computational Differential Privacy (cDP):

  • Composing any standard DP mechanism with a computationally secure PSA yields computational (ϵ,δ)(\epsilon, \delta)-DP against all PPT adversaries, as formalized via indistinguishability reductions (Valovich et al., 2017).

Alternate DP Modalities:

  • Protocols such as Beskar flexibly support local DP (noise at clients), central DP (noise at the server), or hybrid approaches. Ultimate privacy composition depends on noise scaling and budget allocation, and empirical evidence demonstrates central DP can provide improved utility for a given privacy guarantee (Zhang et al., 9 May 2025).

4. System Architectures and Protocol Characteristics

PSA Workflow:

  • Users independently encrypt values at each time step using user keys; the aggregator computes and decrypts only the aggregate sum via the cancellation effect of the key-homomorphic weak PRF, with the platform operating in a low-bandwidth, one-message-per-user-per-query model (Valovich et al., 2017).
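The following Python script is an added worked example, not code from Valovich et al. or any of the cited papers, of the PSA workflow just described: every user masks its input with the LWE weak PRF $\langle t, s_i \rangle$ plus Skellam noise, the aggregator holds $s_0 = -\sum_i s_i$, and key homomorphism makes the masks cancel so that only the DP-perturbed sum $\sum_i x_i + \sum_i e_i$ survives. The Skellam parameter is chosen with the $\mu$ bound from Section 3, and each user draws $\mathrm{Sk}(\mu/(\gamma n))$ so the shares convolve to $\mathrm{Sk}(\mu)$. Assumptions: the tiny dimension `KAPPA`, the seeded derivation of the public per-round vector $t$ (the paper hashes the time step), and reading `log` as the natural logarithm are all choices made here for a self-contained, deterministic run.

```python
import math
import random

# Toy parameters (constructed). The page's table gives kappa = 256..1024 and q ~ 2^32
# for a real deployment; kappa is shrunk here only to keep the example readable.
KAPPA = 8          # dimension of the public per-round vector t and of user keys
Q = 1 << 32        # inputs, noise and masks all live in Z_q


def required_mu(eps, delta, sensitivity):
    """Skellam parameter mu that suffices for (eps, delta)-DP per the bound quoted
    in Section 3; log is taken as the natural logarithm (assumption)."""
    x = eps / sensitivity
    return (math.log(1.0 / delta) + eps) / (1.0 - math.cosh(x) + x * math.sinh(x))


def poisson(lam, rng):
    """Knuth's multiplicative Poisson sampler (adequate for the small per-user rates used here)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def skellam(lam, rng):
    """Sk(lam) = Poisson(lam) - Poisson(lam): symmetric, integer-valued, and closed under
    addition, which is what lets n users' local noise convolve to one central Sk(mu)."""
    return poisson(lam, rng) - poisson(lam, rng)


def weak_prf(key, t):
    """Noise-free part <t, key> mod q of the LWE weak PRF; the noise term e_t is added in
    encrypt(), where it simultaneously serves as the DP perturbation."""
    return sum(ti * ki for ti, ki in zip(t, key)) % Q


def keygen(n_users, rng):
    """Users receive uniform keys; the aggregator key s_0 = -(s_1 + ... + s_n) mod q makes
    all keys sum to zero, so the PRF terms cancel in the aggregate."""
    user_keys = [[rng.randrange(Q) for _ in range(KAPPA)] for _ in range(n_users)]
    agg_key = [(-sum(col)) % Q for col in zip(*user_keys)]
    return user_keys, agg_key


def public_nonce(round_id):
    """Public per-round vector t. Valovich et al. derive it by hashing the time step;
    here a string-seeded RNG stands in so the run is deterministic (assumption)."""
    r = random.Random("psa-round-%d" % round_id)
    return [r.randrange(Q) for _ in range(KAPPA)]


def encrypt(key, x, t, lam, rng):
    """Ciphertext c_i = x_i + e_i + <t, s_i> mod q; returns the noise too for checking."""
    e = skellam(lam, rng)
    return (x + e + weak_prf(key, t)) % Q, e


def aggregate(agg_key, ciphertexts, t):
    """Sum of ciphertexts plus the aggregator's own PRF value: by key homomorphism the masks
    add to <t, s_0 + s_1 + ... + s_n> = 0, leaving sum(x_i) + sum(e_i)."""
    total = (sum(ciphertexts) + weak_prf(agg_key, t)) % Q
    return total - Q if total > Q // 2 else total   # centre so negative noise shows as negative


def psa_round(inputs, eps, delta, sensitivity, gamma=1.0, mu=None, round_id=1, seed=7):
    """One aggregation round. gamma is the minimum honest fraction; each user draws
    Sk(mu / (gamma * n)). Returns (noisy aggregate, total noise) so callers can verify."""
    rng = random.Random(seed)
    n = len(inputs)
    user_keys, agg_key = keygen(n, rng)
    t = public_nonce(round_id)
    if mu is None:
        mu = required_mu(eps, delta, sensitivity)
    lam = mu / (gamma * n)
    cts, noises = zip(*(encrypt(k, x, t, lam, rng) for k, x in zip(user_keys, inputs)))
    return aggregate(agg_key, list(cts), t), sum(noises)


if __name__ == "__main__":
    print(required_mu(1.0, 1e-5, 1.0))        # mu needed for (1, 1e-5)-DP at sensitivity 1
    print(psa_round([3, 5, 7, 9], 1.0, 1e-5, 1.0))
```

Passing `mu=0.0` switches the noise off and recovers the exact sum, which isolates the mask-cancellation step from the DP step; with the default `gamma=1.0` the script assumes all users are honest, and a smaller `gamma` inflates each user's noise so that the honest subset alone still reaches $\mathrm{Sk}(\mu)$.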

Homomorphic HE-based Aggregation:

  • Aggregators provide a public key; users encrypt and upload updates; aggregation proceeds via batch ciphertext addition, and the sum is decrypted directly. NTRU and RLWE-based schemes provide low per-user bandwidth and millisecond-level per-ciphertext computation; single-round aggregation feasibility depends on proper noise scaling and modulus selection (e.g., $q \sim 2^{32}$, $N = 1024$ for 128-bit security) (Chen, 2024).

DTAHE Protocols:

  • Users perform distributed key generation. Encrypted inputs are posted on- or off-chain, with threshold decryption requiring partial decryptions from multiple users. These protocols extend to weighted sums and convolutional operations, enabling multi-layer federated learning aggregation (Tian et al., 2021).
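As an added worked example that is not code from Chen (2024), Tian et al. (2021) or any other cited work, the Python script below implements both the HE-based aggregation of the previous subsection and the threshold decryption of this one on a toy RLWE scheme: a public-key additively homomorphic encryption over $R_q = \mathbb{Z}_q[x]/(x^N+1)$, component-wise ciphertext addition, and direct decryption of the sum; then a Shamir sharing of the secret key so that any $t$ of $n$ parties can reconstruct $c_1 \cdot s$ from partial decryptions while the remaining parties have dropped out. Assumptions made here for a self-contained run: $N = 16$ instead of the page's 1024–2048, a prime modulus $q = 2^{31}-1$ (so Lagrange interpolation works in $\mathbb{Z}_q$), ternary errors, the message encoded in the constant coefficient, and the omission of the smudging noise that a real DTAHE partial decryption adds.

```python
import random
from functools import reduce

# Toy ring parameters (constructed); see the parameter table for realistic values.
N = 16               # ring degree: R_q = Z_q[x]/(x^N + 1)
Q = 2147483647       # 2^31 - 1, prime, so shares can be interpolated in Z_q
P = 1024             # plaintext modulus: the aggregate must stay below P
DELTA = Q // P       # scaling that separates the message from the noise


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Schoolbook product reduced modulo x^N + 1 (using x^N = -1)."""
    acc = [0] * (2 * N)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            acc[i + j] += x * y
    return [(acc[i] - acc[i + N]) % Q for i in range(N)]


def small_poly(rng):
    return [rng.choice((Q - 1, 0, 1)) for _ in range(N)]   # ternary coefficients {-1, 0, 1}


def keygen(rng):
    s = small_poly(rng)
    a = [rng.randrange(Q) for _ in range(N)]
    b = poly_add(poly_mul(a, s), small_poly(rng))          # b = a*s + e
    return s, (a, b)


def encrypt(pk, m, rng):
    """Encrypt an integer m in [0, P) in the constant coefficient."""
    a, b = pk
    u, e1, e2 = small_poly(rng), small_poly(rng), small_poly(rng)
    msg = [0] * N
    msg[0] = (DELTA * m) % Q
    c0 = poly_add(poly_add(poly_mul(b, u), e1), msg)       # b*u + e1 + DELTA*m
    c1 = poly_add(poly_mul(a, u), e2)                      # a*u + e2
    return c0, c1


def add_ct(ct1, ct2):
    """Additive homomorphism: ciphertexts add component-wise; noise adds too."""
    return poly_add(ct1[0], ct2[0]), poly_add(ct1[1], ct2[1])


def decode(phase):
    """phase = DELTA*m + noise; rounding strips the noise while |noise| < DELTA/2."""
    return round(phase[0] / DELTA) % P


def decrypt(s, ct):
    c0, c1 = ct
    return decode(poly_sub(c0, poly_mul(c1, s)))          # c0 - c1*s = DELTA*m + e*u + e1 - e2*s


# Threshold decryption in the DTAHE style: Shamir-share s coefficient-wise over Z_q.
def share_secret(s, n, t, rng):
    """Party i (1..n) receives the polynomial s^(i) whose k-th coefficient is f_k(i)."""
    shares = [[0] * N for _ in range(n)]
    for k in range(N):
        coeffs = [s[k]] + [rng.randrange(Q) for _ in range(t - 1)]
        for i in range(1, n + 1):
            shares[i - 1][k] = sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
    return shares


def lagrange_at_zero(ids):
    """Lagrange coefficients lambda_i with sum_i lambda_i f(i) = f(0), inverses via Fermat."""
    lam = {}
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num, den = num * j % Q, den * (j - i) % Q
        lam[i] = num * pow(den, Q - 2, Q) % Q
    return lam


def partial_decrypt(share, ct):
    """Party computes c1 * s^(i). A real DTAHE adds smudging noise here (omitted in this toy)."""
    return poly_mul(ct[1], share)


def threshold_decrypt(ct, partials):
    """partials: {party_id: c1 * s^(i)} from at least t parties. By linearity of the ring
    product, sum_i lambda_i * (c1 * s^(i)) = c1 * s, so c0 minus that is DELTA*m + noise."""
    lam = lagrange_at_zero(list(partials))
    combined = [0] * N
    for i, d in partials.items():
        combined = poly_add(combined, [(x * lam[i]) % Q for x in d])
    return decode(poly_sub(ct[0], combined))


def demo(inputs, n_parties=5, threshold=3, seed=1):
    """Returns (direct decryption of the sum, threshold decryption from `threshold` parties)."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    total = reduce(add_ct, [encrypt(pk, x, rng) for x in inputs])
    shares = share_secret(s, n_parties, threshold, rng)
    # Only `threshold` parties respond; the others are treated as having dropped out.
    partials = {i: partial_decrypt(shares[i - 1], total) for i in range(1, threshold + 1)}
    return decrypt(s, total), threshold_decrypt(total, partials)
```

With ternary errors each ciphertext contributes at most about $2N+1$ to the constant-coefficient noise, so the sum of $k$ ciphertexts decrypts correctly while $k(2N+1) < \Delta/2$; raising `P` to hold a larger aggregate shrinks `DELTA` and tightens that bound, which is the noise-versus-modulus trade-off the page describes.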

Masking/KEM-based Protocols:

  • Users establish pairwise seeds via Kyber KEM, compute one-time PRF-based masks for each aggregation round, and upload masked updates (not ciphertexts). Assisting nodes participate in mask summing; the server unblinds to recover only the aggregate. This design optimizes computational efficiency and bandwidth, with client computation per round under 10 ms and end-to-end server aggregation under 100 ms for practical scales (Zhang et al., 9 May 2025, Rahmati et al., 3 Jan 2026).
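The Python script below is an added example, not code from Beskar, Zhang et al. or Rahmati et al., of the masking approach just described: clients pair up, derive a per-round one-time mask from each pairwise seed with a PRF, upload masked updates rather than ciphertexts, and the server recovers only the sum because every pairwise mask enters once with each sign. Assumptions: the Kyber KEM handshake is replaced by a constructed shared seed (no real KEM is run), HMAC-SHA256 stands in for the unspecified PRF, updates are integers in $\mathbb{Z}_{2^{32}}$ (a real deployment would quantize floating-point updates first), and the assisting-node mask-summing step of the cited designs is not modelled; the pairwise cancellation shown here is the simplest form of the technique.

```python
import hashlib
import hmac
import random

MOD = 1 << 32     # masks and updates live in Z_{2^32}, as in the page's masking parameters
DIM = 6           # update dimension (toy; real model updates have millions of coordinates)


def kem_shared_seed(rng):
    """Stand-in for the Kyber KEM exchange: the 32-byte secret both parties would hold
    after encapsulation/decapsulation. Constructed from a seeded RNG (assumption)."""
    return bytes(rng.getrandbits(8) for _ in range(32))


def prf_mask(seed, round_id):
    """Expand a pairwise seed into a one-time mask vector for this round using
    HMAC-SHA256 as the PRF (the page fixes no PRF; this choice is an assumption)."""
    mask, counter = [], 0
    while len(mask) < DIM:
        block = hmac.new(seed, ("%d|%d" % (round_id, counter)).encode(), hashlib.sha256).digest()
        for k in range(0, 32, 4):
            if len(mask) < DIM:
                mask.append(int.from_bytes(block[k:k + 4], "big"))
        counter += 1
    return mask


def setup_seeds(n, rng):
    """Every unordered client pair (i, j), i < j, agrees on one seed."""
    return {(i, j): kem_shared_seed(rng) for i in range(n) for j in range(i + 1, n)}


def mask_update(i, update, seeds, n, round_id):
    """Client i adds +PRF(seed_ij) for peers j > i and -PRF(seed_ij) for peers j < i.
    Across the whole population each pairwise mask therefore appears once with each
    sign, so the masks cancel in the sum while each individual vector stays hidden."""
    out = list(update)
    for j in range(n):
        if j == i:
            continue
        m = prf_mask(seeds[(min(i, j), max(i, j))], round_id)
        sign = 1 if i < j else -1
        out = [(o + sign * mk) % MOD for o, mk in zip(out, m)]
    return out


def server_aggregate(masked_updates):
    """The server only ever sees masked vectors; their sum mod 2^32 is the plain sum
    provided every client that contributed a mask also contributed its update."""
    total = [0] * DIM
    for u in masked_updates:
        total = [(a + b) % MOD for a, b in zip(total, u)]
    return total


def run_round(updates, round_id=1, seed=3):
    """Returns (aggregate recovered by the server, the masked vectors it received)."""
    rng = random.Random(seed)
    n = len(updates)
    seeds = setup_seeds(n, rng)
    masked = [mask_update(i, u, seeds, n, round_id) for i, u in enumerate(updates)]
    return server_aggregate(masked), masked


if __name__ == "__main__":
    agg, masked = run_round([[1, 2, 3, 4, 5, 6], [10, 20, 30, 40, 50, 60]])
    print(agg, masked)
```

Summing only a subset of the masked vectors (one client dropped out after its peers computed their masks) leaves the missing client's pairwise masks uncancelled and yields garbage, which is the dropout problem that the threshold and secret-sharing mechanisms discussed elsewhere on this page are designed to handle.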

Blockchain and Sidechain Aggregation:

  • Architectures for smart grid scenarios use an R-LWE backbone, integrating authentication via Ring-SIS signatures, confidentiality via RLWE encryption, and robust aggregator compliance via smart contracts. Sidechains collect encrypted readings and auxiliary shares; mainchains record aggregates, proofs, and policy changes (Darzi et al., 2024).

5. Security Guarantees and Performance Considerations

Security Notions:

  • IND-CPA/CCA2 Post-quantum Confidentiality: All candidate schemes are proven secure under the strongest quantum-resistant lattice assumptions available (DLWE, Module-LWE, NTRU, Ring-LWE), with proper discretization of error distributions and chosen ciphertext security if employing KEMs (Rahmati et al., 3 Jan 2026, Zhang et al., 9 May 2025, Tian et al., 2021, Chen, 2024, Darzi et al., 2024).
  • Integrity and Authenticity: Lattice-based digital signatures, such as those based on Module-SIS (e.g., CRYSTALS-Dilithium), are commonly employed to prevent forgeries and guarantee correctness of aggregated results.
  • Robustness to Dropout and Collusion: DTAHE and blockchain-integrated protocols use Shamir sharing and threshold decryption to support dropout tolerance, collusion-resilience, and decentralized trust anchors (Tian et al., 2021, Darzi et al., 2024).

Performance Metrics:

  • Computation and Bandwidth: HE-based and masking-based lattice schemes offer per-aggregation bandwidth ranging from 40 kB (masked/PRF protocols) to several hundred kB (RLWE-based DTAHE) (Zhang et al., 9 May 2025, Tian et al., 2021, Darzi et al., 2024). Millisecond-level client and server runtimes are achievable with moderate parameters and parallelism; server-side threshold decryption is notably more efficient in RLWE-based DTAHE than in EC-ElGamal (Tian et al., 2021).
  • Noise Growth and Ciphertext Packing: Correctness bounds are maintained by configuring the modulus $q$ to far exceed the noise magnitude after aggregation, typically using $q \gg n\sigma^2\sqrt{N}$, with packing techniques for high-dimensional inputs.
  • Empirical Security and Utility: Experimental federated learning deployments report <0.5% model accuracy loss versus unprotected baselines, with aggregation latencies well within the bounds for interactive and critical infrastructure settings (Rahmati et al., 3 Jan 2026).

Comparative Perspective:

  • Compared to classical DH/Paillier/BGN, lattice-based aggregation attains post-quantum security, removes the decryption bottleneck inherent in group-based schemes, and provides a unified mechanism for authentic aggregation and differential privacy (Valovich et al., 2017, Chen, 2024).
  • RLWE-based DTAHE achieves lower server-side computation than EC-ElGamal threshold aggregation owing to the lack of discrete logarithm computation (Tian et al., 2021).
  • Blockchain augmentation with lattice primitives enables publicly auditable, fraud-resistant aggregation in large-scale sensor networks and smart grid applications (Darzi et al., 2024).

6. Advanced Extensions and Applications

Homomorphic Ring Signatures:

  • The first lattice-based linearly homomorphic ring signature scheme combines strong anonymity, full unforgeability and linear homomorphism, extending the secure aggregation paradigm to scenarios demanding anonymous provenance and verifiable computation (e.g., confidential blockchain aggregation and privacy-preserving voting) (Guo et al., 3 Jul 2025).

Secure Linear Aggregation for Neural Networks:

  • RLWE-based DTAHE protocols enable full support for weighted linear aggregation (any coefficients), supporting the construction of fully connected and convolutional layers directly over encrypted user inputs, with efficient verifiable aggregation and drop-out tolerance (Tian et al., 2021).

Blockchain and Distributed Ledger Integration:

  • Lattice-based aggregation protocols have been substantively extended with blockchain integration, supporting smart contract–enforced decryption policies, miner selection via hash-onion PoS, NACK-based fraud proofs, and decentralized billing in smart grid ecosystems (Darzi et al., 2024).

Byzantine and Adversarial Robustness:

  • Layering reputation-weighted aggregation and anomaly detection atop lattice-based secure aggregation protocols enables empirical resilience to up to 40% Byzantine participants, with retention of high model accuracy (e.g., 96.8% in IoT threat detection) and minimal performance overhead compared to non-secure FL (Rahmati et al., 3 Jan 2026).

7. Parameterization, Recommendations, and Open Challenges

Parameter Guidelines:

| Context | Parameter Recommendations | Reference |
|---|---|---|
| PSA (Skellam) | $\kappa = 256$–$1024$, $q \sim 2^{32}$, $\lambda = O(\mathrm{poly}(\kappa))$ | Valovich et al., 2017 |
| NTRU/Ring-LWE HE | $N = 1024$–$2048$, $q = 2^{32}$–$2^{64}$, $p = 3$–$5$ | Chen, 2024 |
| DTAHE (RLWE) | $d = 2048$, $h = 54$ bits, threshold $t$ as needed | Tian et al., 2021 |
| Kyber/KEM Masking | $n = 256$, $q = 3329$ (Kyber), $q = 2^{32}$ (masking), $k = 3$–$4$ | Zhang et al., 9 May 2025; Rahmati et al., 3 Jan 2026 |
| Homomorphic Ring Signature | $n = 512$, $k = 10$, $q \gtrsim (nk)^3$ | Guo et al., 3 Jul 2025 |

Parameter settings must balance quantum resistance, noise and security margins, throughput, and aggregation depth.

Open Problems:

  • Efficient multiparty aggregation with minimal trust, optimal bandwidth, and full support for complex aggregation operations (e.g., polynomial non-linearities) remains an active area of research (Chen, 2024).
  • Bootstrapping, relinearization, and fault-tolerance for multi-round, large-scale protocols are practical challenges, especially given the noise accumulation in lattice ciphertexts.
  • Integration of advanced DP mechanisms, resilience against new quantum attacks on lattice instances, and composable security proofs under the Universal Composability (UC) paradigm are important ongoing directions.

Summary:

Lattice-based post-quantum secure aggregation offers a modular, versatile, and provably quantum-resistant solution for privacy-preserving sum computation and advanced statistics in distributed systems. Building on the hardness of LWE and its variants, these schemes support efficient, drop-out tolerant, and DP-compatible aggregation at scale, with performance increasingly competitive with classical precursors and extensibility to decentralized, adversarial, and blockchain settings (Valovich et al., 2017, Chen, 2024, Tian et al., 2021, Zhang et al., 9 May 2025, Darzi et al., 2024, Rahmati et al., 3 Jan 2026, Guo et al., 3 Jul 2025).
