
Post-Quantum Secure Aggregation

Updated 11 January 2026
  • Post-quantum secure aggregation is a set of cryptographic protocols that enable secure computation of aggregated data in federated learning, providing privacy against both classical and quantum adversaries.
  • Quantum-based schemes, like GHZ-based QSA, use entanglement and decoy qubits to detect eavesdropping and ensure information-theoretic security during aggregation.
  • Lattice-based protocols employ Kyber key encapsulation and homomorphic masking to achieve efficient, dropout-resilient aggregation with strong post-quantum security guarantees.

Post-quantum secure aggregation encompasses cryptographic and quantum information-theoretic protocols that enable secure computation of aggregated statistics (such as sums of model updates) in collaborative settings such as federated learning (FL), with strong security guarantees that hold even against adversaries equipped with quantum computers. These schemes address both confidentiality of individual data updates and robustness against advanced cryptanalysis, extending or supplanting classical secure aggregation (e.g., secret-sharing, Diffie–Hellman, pre-quantum homomorphic encryption) by relying on primitives and methods that remain secure in the quantum era.

1. Definitions and Security Models

Post-quantum secure aggregation protocols prevent any adversary—either classical or quantum—from learning individual user contributions, except for what can be inferred from their sum. Adversarial models typically include:

  • Semi-honest (honest-but-curious) entities attempting to infer private updates.
  • Malicious, fully quantum adversaries (including servers and coalitions of clients) who aim to break the protocol or extract information.
  • Dropout-resilient models accounting for faults and user non-participation.

Security objectives are:

  • Confidentiality: Aggregate computation reveals no information about individual inputs. For information-theoretic protocols, even quantum-powered adversaries can extract no information (unconditional privacy). For lattice-based protocols, confidentiality is reduced to hard quantum problems (e.g., LWE, Module-LWE).
  • Robustness: Correct aggregation despite the presence of Byzantine (malicious) clients.
  • Integrity and Unforgeability: Only properly authenticated client updates participate in aggregation.
  • Differential Privacy (DP) Composition: In some frameworks, DP noise is injected into updates prior to or after aggregation to further limit inferences from aggregated models (Zhang et al., 9 May 2025).

2. Quantum and Lattice-based Protocols

2.1 Quantum Secure Aggregation (QSA)

Protocols such as the GHZ-based QSA (Zhang et al., 2022) utilize distributed entangled states and quantum communication primitives:

  • GHZ State Preparation: The aggregator prepares an N-partite Greenberger–Horne–Zeilinger (GHZ) state:

$|{\rm GHZ}_N\rangle = \frac{1}{\sqrt 2}\,(|0\cdots0\rangle + |1\cdots1\rangle)$

  • Parameter Encoding: Clients encode normalized local model parameters as $R_z$ rotations of their qubit, mapping a real $w_i$ to an angle $\theta_i$.
  • Decoy-based Eavesdropping Detection: Randomly placed BB84-type decoy qubits ensure that any intercept-resend or entanglement-based attack is detected with probability $1-(3/4)^d$ per decoy run.
  • Aggregation: Rotated GHZ qubits are returned for joint measurement. The probability distribution of measurement outcomes yields the aggregate $\sum_i \theta_i$, enabling recovery of $\sum_i w_i$.
  • Security: No information about individual $\theta_i$ leaks, because the reduced density matrix of any single qubit is maximally mixed regardless of the input rotation. Any eavesdropping introduces detectable errors in the decoys.

2.2 Lattice-Based Post-Quantum Secure Aggregation

In practical deployments, cryptographic (classical) post-quantum secure aggregation uses lattice-based masking and key agreement (Rahmati et al., 3 Jan 2026, Zhang et al., 9 May 2025, Agarwal et al., 2020):

  • CRYSTALS-Kyber KEM: Security relies on the Module-LWE problem. Kyber provides IND-CPA/CCA-secure key encapsulation between clients for pairwise shared seed establishment.
  • Homomorphic/Additive Masking: Each client masks its quantized update with random masks, constructed so that paired client masks cancel in aggregation, revealing only the total sum.
  • Mask Distribution: Pairwise seeds from Kyber KEM are expanded by PRG into mask vectors. Shamir-sharing or other redundancy mechanisms enable dropout resilience.
  • Differential Privacy: DP noise (client-side and/or server-side) can be integrated at various stages to mitigate statistical inference.

A canonical aggregation round involves:

  1. Clients locally compute and DP-perturb updates.
  2. Clients establish pairwise Kyber keys and masks.
  3. Each client uploads a masked update; no single entity knows all masks.
  4. The server sums masked updates, cancels masks, and recovers only the aggregate.
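The masking and aggregation steps above (sections 2.2 and the round just listed), as an added example that is not code from Beskar or from Rahmati et al. The pairwise seed that a deployment would obtain from a Kyber encapsulation is an assumption here and is stood in for by a fresh random 32-byte secret per client pair, since no Kyber implementation ships with the standard library; SHAKE-256 is the assumed PRG; updates are quantised to integers modulo an assumed $Q = 2^{32}$. The dropout step shows what has to be undone when one client never uploads: the seeds survivors shared with it are assumed recoverable (Beskar-style protocols reconstruct them from Shamir shares), and the example simply subtracts the corresponding masks.

```python
import hashlib
import secrets

# Added example of the pairwise-mask construction from section 2.2 (not code
# from Beskar or Rahmati et al.). Assumptions: pairwise seed = random 32-byte
# secret standing in for a Kyber-derived shared secret; PRG = SHAKE-256;
# updates quantised to integers mod Q. Each masked vector is uniformly random
# on its own; only the sum over all paired clients reveals anything.

Q = 2 ** 32            # assumed modulus for quantised updates

def prg_expand(seed: bytes, dim: int) -> list:
    """Expand one pairwise seed into a mask vector of `dim` values mod Q."""
    stream = hashlib.shake_256(seed).digest(4 * dim)
    return [int.from_bytes(stream[4 * k:4 * k + 4], "big") % Q for k in range(dim)]

def pairwise_seeds(n: int) -> dict:
    """Stand-in for the Kyber KEM step: one shared secret per unordered pair (i, j), i < j."""
    return {(i, j): secrets.token_bytes(32) for i in range(n) for j in range(i + 1, n)}

def mask_update(i: int, update: list, n: int, seeds: dict) -> list:
    """Client i adds PRG(s_ij) for every j > i and subtracts it for every j < i,
    so each pair's masks cancel exactly in the server's sum."""
    masked = [x % Q for x in update]
    for j in range(n):
        if j == i:
            continue
        vec = prg_expand(seeds[(min(i, j), max(i, j))], len(update))
        sign = 1 if i < j else -1
        masked = [(m + sign * v) % Q for m, v in zip(masked, vec)]
    return masked

def server_sum(vectors: list) -> list:
    """Coordinate-wise sum mod Q; the server never sees an unmasked update."""
    total = [0] * len(vectors[0])
    for vec in vectors:
        total = [(t + v) % Q for t, v in zip(total, vec)]
    return total

def remove_dropout_masks(total: list, dropped: int, survivors: list, seeds: dict) -> list:
    """Dropout repair: masks survivors applied against `dropped` were never cancelled.
    Their seeds with the dropped client are assumed recoverable (Shamir shares in
    Beskar-style protocols); here the server subtracts the corresponding PRG output."""
    for j in survivors:
        vec = prg_expand(seeds[(min(j, dropped), max(j, dropped))], len(total))
        sign = 1 if j < dropped else -1
        total = [(t - sign * v) % Q for t, v in zip(total, vec)]
    return total

def decode(total: list) -> list:
    """Map mod-Q residues back to signed integers (centred representation)."""
    return [t - Q if t >= Q // 2 else t for t in total]

def is_hidden(masked: list, update: list) -> bool:
    """A single masked upload must not equal its plaintext (quantised) update."""
    return masked != [u % Q for u in update]

def run_round(updates: list, dropped: int = None) -> list:
    """Full round: seeds, per-client masking, server sum, optional dropout repair."""
    n = len(updates)
    seeds = pairwise_seeds(n)
    masked = {i: mask_update(i, upd, n, seeds) for i, upd in enumerate(updates)}
    delivered = [i for i in range(n) if i != dropped]
    total = server_sum([masked[i] for i in delivered])
    if dropped is not None:
        total = remove_dropout_masks(total, dropped, delivered, seeds)
    return decode(total)

if __name__ == "__main__":
    # constructed sample updates: four clients, four quantised coordinates each
    ups = [[3, -2, 7, 0], [1, 1, -4, 9], [-5, 0, 2, 2], [10, -3, 1, -1]]
    print("aggregate:", run_round(ups))                 # [9, -4, 6, 10]
    print("client 2 dropped:", run_round(ups, dropped=2))  # [14, -4, 4, 8]
```

Note that in this simulation the server holds every seed, which a real protocol must avoid: the server should learn a seed only for a client that has already dropped, and only after enough survivors contribute their shares, otherwise it could unmask a live client's upload.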

2.3 Constant-Round Post-Quantum MPC Approaches

Full malicious security is obtainable using advanced primitives such as multi-key FHE, AFS-spooky encryption, parallel extractable and non-malleable commitments, and parallel ZK proofs (Agarwal et al., 2020). Such frameworks realize secure sum aggregation in constant rounds based solely on mild super-polynomial quantum LWE hardness, achieving classical communication and negligible leakage even for active quantum adversaries.

3. Efficiency, Scalability, and Complexity

Post-quantum secure aggregation protocols have been systematically analyzed for their run-time, bandwidth, and implementation parameters (Rahmati et al., 3 Jan 2026, Zhang et al., 9 May 2025, Zhang et al., 2022).

  • Quantum Protocols: QSA requires $2N$ qubit transmissions per aggregation (server-client-server for each qubit per round), with each client performing $O(1)$ qubit rotations, and the server $O(N)$ CNOT gates plus a Hadamard per repetition. For practical $N=10$, $M=251$ repetitions, total aggregation latency is typically a few hundred milliseconds.
  • Lattice-Based Protocols: Each client performs $O(N)$ pairwise key agreements and PRG expansions per round. Pairwise Kyber exchanges scale as $O(N^2)$ per round, but overhead remains manageable with hardware acceleration (e.g., $\sim$3.7% bandwidth overhead for 20 clients (Rahmati et al., 3 Jan 2026); $\sim$1 ms aggregation latency per client for $n=1000$ in Beskar (Zhang et al., 9 May 2025)).
  • Comparison with Pre-Quantum Methods: Post-quantum approaches increase both key/ciphertext sizes (e.g., Kyber keys at 1568 B vs. Curve25519 at 32 B) and computational costs (Kyber Encaps/Decaps at $\sim$2.5 ms vs. Curve25519 ECIES at $\sim$0.3 ms per pair), but retain sub-second latency for $N\leq 200$.

Protocol              | Security Basis       | Communication/Computation                    | Notable Attributes
----------------------|----------------------|----------------------------------------------|------------------------------------
GHZ-based QSA         | Quantum (physical)   | $O(N)$ qubits / $O(N)$ gates                 | Info-theoretic privacy
Lattice-based schemes | Module-LWE (quantum) | $O(N^2)$ Kyber ops                           | IND-CPA, DP integration
Multi-key FHE/MPC     | Circular LWE         | $O(N\cdot \mathrm{poly}(\lambda))$ messages  | Malicious security, constant rounds

4. Empirical Results and Applications

Post-quantum secure aggregation has been empirically evaluated in FL and threat intelligence settings:

  • FL Model Utility: Quantum aggregation schemes improve accuracy for clients with limited data (MNIST: local 65% to aggregated 90%; CIFAR-10 with ResNet-18: +10–15% accuracy boost) (Zhang et al., 2022). Corresponding lattice/DP-integrated frameworks (Beskar (Zhang et al., 9 May 2025)) yield $>98\%$ accuracy for MNIST/EMNIST and 81–87% (with CDP) for CIFAR-10 in various DP regimes.
  • Byzantine Robustness: Post-quantum aggregation with adaptive weighted aggregation and lattice masks can withstand up to 40% Byzantine clients in IoT intrusion detection FL, maintaining 96.8% threat detection accuracy with <18% computational overhead (Rahmati et al., 3 Jan 2026).
  • Latency and Bandwidth: Aggregation rounds can execute in sub-second latency for $N\approx 100$, with minimal extra bandwidth even in resource-constrained IoT environments.
  • Dropout and Scalability: Protocols like Beskar support arbitrary dropout without extra rounds, through signature and mask precomputation.

5. Information-Theoretic vs. Computational Security

A distinguishing aspect is the nature of security:

  • Quantum Protocols: Information-theoretic—fundamental quantum laws (no-cloning, entanglement disturbance) guarantee that even unbounded adversaries (with quantum computers) cannot extract private values or evade decoy detection (Zhang et al., 2022).
  • Lattice-Based Protocols: Computational—security relies on the conjectured intractability of lattice problems (Module-LWE), which are conjectured (but not proven) to be quantum-resistant. Hence, these provide "post-quantum" security in the computational sense (Zhang et al., 9 May 2025, Rahmati et al., 3 Jan 2026, Agarwal et al., 2020).
  • Hybridization: Some protocols (e.g., (Zhang et al., 9 May 2025)) integrate DP across the full FL pipeline (masking at update, intermediate model, and final model levels), synergizing cryptographic and statistical privacy.

6. Deployment Considerations and Limitations

  • Quantum Infrastructure: QSA protocols require access to quantum networks capable of generating and distributing entangled GHZ states and decoy-based channel monitoring. Short- to medium-range installations are currently feasible, with long-range deployment contingent on advances in quantum repeater and network hardware (Zhang et al., 2022).
  • Hardware and Scalability: Lattice-based approaches are already deployable using NIST Standard primitives (Kyber/Dilithium), with hardware acceleration optimizing performance in large-scale settings (up to thousands of clients) (Zhang et al., 9 May 2025).
  • Resilience and Extensibility: Robustness to client dropout and Byzantine attacks has been formally addressed, with provable security under composable cryptographic assumptions. Integration of DP provides rigorous privacy guarantees in the face of statistical attacks.
  • Future Directions: As quantum networks mature and client hardware becomes capable of supporting quantum operations, one can anticipate expanded practical application of information-theoretic quantum protocols.

7. Comparative Perspective and Research Landscape

Post-quantum secure aggregation represents a convergence of quantum information theory, lattice-based cryptography, and privacy-preserving machine learning. The literature reflects diverse instantiations:

  • GHZ-based QSA covers the strongest information-theoretic regime at the cost of requiring quantum network infrastructure (Zhang et al., 2022).
  • Lattice-based protocols (Kyber, Dilithium) currently offer practical, standard-compliant solutions with minimal latency and forward secrecy (Zhang et al., 9 May 2025, Rahmati et al., 3 Jan 2026).
  • Advanced FHE and MPC techniques extend secure aggregation to the malicious model with constant rounds (Agarwal et al., 2020).
  • Integration with DP mechanisms across the learning pipeline provides defense against privacy attacks on models, intermediate representations, and client updates (Zhang et al., 9 May 2025).

The field continues to evolve, balancing provable quantum-resistance with efficiency, scalability, and practical constraints across a range of collaborative computational settings.
