
Verifiable Threshold Security Aggregation Protocol

Updated 24 November 2025
  • VTSAFL is a protocol that integrates threshold cryptography and functional encryption to ensure verifiable aggregation and robust privacy in federated learning systems.
  • It mitigates gradient leakage and poisoning attacks by utilizing non-interactive zero-knowledge proofs and secure multi-client functional encryption.
  • Designed for both standard and resource-constrained environments, VTSAFL reduces computational and communication costs while maintaining model integrity.

The Verifiable Threshold Security Aggregation Protocol for Federated Learning (VTSAFL) is a protocol framework for privacy-preserving and verifiable aggregation in federated learning environments. VTSAFL integrates threshold cryptography, functional encryption, and efficiency optimizations to address gradient leakage, model integrity, and real-world deployment constraints. Its construction lets clients obtain verifiable aggregation results and robust privacy protection at minimal computational and communication cost, so it targets both standard distributed settings and resource-constrained environments such as IoT deployments. VTSAFL’s adversarial model, cryptographic foundations, and empirical validation distinguish it from prior aggregation frameworks.

1. Security Model and Threat Resilience

VTSAFL targets a federated learning (FL) system with $n$ clients, $s$ aggregators, threshold $t \leq s$, and a fully trusted Trusted Authority (TA) responsible for key setup and management. The system explicitly withstands:

  • Aggregator corruption: up to $t-1$ of the $s$ aggregators can be fully malicious (active adversaries capable of protocol deviations, collusion, and tampering).
  • Honest-but-curious clients: all clients follow the protocol but may attempt to infer the data of others.
  • Trusted key authority: the TA is fully trusted and manages all key material.
  • Authenticated, confidential channels: The protocol assumes secure communication, hence no modeling of man-in-the-middle attacks on links.

The protocol ensures:

  • Gradient inference resistance: no subset of fewer than $t$ aggregators can decrypt any intermediate model or client contribution.
  • Collusion resistance: privacy is preserved as long as fewer than $t$ aggregators collude.
  • Aggregation verifiability: clients verify aggregation results and reject incorrect or poisoned aggregates, countering poisoning attacks.
  • Replay resistance: use of fresh round labels prevents ciphertext reuse attacks.

VTSAFL's security is formalized through an indistinguishability game (IND-security, Definition 5), guaranteeing that no PPT adversary can distinguish encryptions of different vectors—even after adaptive share and encryption queries—under the Decisional Diffie-Hellman (DDH) and multi-DDH assumptions. Robustness and verifiability derive from algebraic non-interactive zero-knowledge proofs, and privacy follows directly from threshold secret sharing of functional decryption keys (Wang et al., 17 Nov 2025).

2. Verifiable Threshold Multi-Client Functional Encryption

At the core of VTSAFL is a verifiable threshold multi-client functional encryption (VTMCFE) primitive, consisting of six algorithms:

  • Setup (Gen): For security parameter $\lambda$, $n$ clients, $s$ aggregators, threshold $t$. The TA samples a group $\mathbb{G}$, generators $g$, $h$, client secret keys $s_i \overset{\$}{\leftarrow} \mathbb{Z}_p$, and publishes public parameters $\mathrm{pp}$, keeping master secrets for itself.
  • Functional Key Derivation (DKeyGen): The TA, given a function vector $\mathbf{y}$ (e.g., aggregation weights), encodes functional key shares by embedding secrets into a $t$-recurrence over $\mathbb{Z}_p$, splitting them across $s$ aggregators as $dk_j = w_{t+j-1}$.
  • Encryption (Enc): Client $i$ encrypts its local gradient $\mathbf{x}_i$ with label $\ell^{(k)}$, outputting a pair of group elements (masking the inner product and protecting against statistical leakage).
  • Partial Decryption (ShareDecrypt): Each aggregator computes group products on received ciphertexts using key share $dk_j$, and provides a non-interactive Chaum–Pedersen DLEQ proof to ensure correct evaluation.
  • Verification (Verify): Any client (or all) can verify each partial decryption's proof before accepting the aggregation, discarding failed proofs to ensure only valid (honest) partials are used.
  • Combine and Recover (CombineRecover): Upon receiving $t$ valid partial decryption shares, the client applies the Lagrange-weighted product reconstruction, resulting in a group element encoding the aggregate. The client solves a discrete logarithm in a small range to recover the true inner product.

The protocol's correctness follows from the algebraic properties of the functional encryption and the secret sharing construction, with verifiability enforced by the soundness of the discrete log equality proofs (Wang et al., 17 Nov 2025).

3. Federated Learning Protocol Integration

VTSAFL operates in the following phases:

  • Trusted Authority setup: $(\mathrm{pp}, \mathrm{msk}, \{ek_i\}) \gets \text{VTMCFE.Setup}(1^\lambda, t, s, n)$; the TA broadcasts parameters and distributes secret keys.
  • Client operation per round:
      1. Local training computes gradient $x_i^{(k)}$.
      2. Encrypts $c_i = \text{VTMCFE.Enc}(ek_i, x_i^{(k)}, \ell^{(k)})$, sending it to the aggregators.
      3. Receives $t$ partial decryptions $(c'_j, \pi_j)$ from aggregators.
      4. Verifies $(c'_j, \pi_j)$; if successful, reconstructs and updates the model, otherwise aborts or retries.
  • Aggregator operation:
      1. Collects all $c_i$.
      2. Computes aggregation weight vector $\mathbf{y}$.
      3. Requests key share $\text{DKeyGen}(\mathrm{pp}, \mathrm{msk}, \mathbf{y})$ from the TA.
      4. Computes $(c'_j, \pi_j) = \text{ShareDecrypt}(\mathrm{pp}, \{c_i\}, \mathbf{y}, dk_j)$.
      5. Sends the result to all clients.

The protocol ensures that model aggregation can proceed even in the face of malicious aggregators and allows every client to individually verify the correctness of the aggregate prior to the model update (Wang et al., 17 Nov 2025).
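As an added illustration (not the paper's construction and not code from the VTSAFL authors), the following Python sketch ties the VTMCFE algorithms of Section 2 to the per-round flow of Section 3: a simplified DDH-style inner-product scheme whose functional key is Shamir-split across the aggregators, a Chaum–Pedersen DLEQ proof on each partial decryption, client-side Verify before CombineRecover, and a bounded-range discrete log to recover the aggregate. The toy group (a ~21-bit safe prime), the hash-to-group label encoding, the scalar one-coordinate gradients and the single tampering aggregator are all constructed assumptions; the real scheme uses ciphertext pairs and a $t$-recurrence key split, which this sketch replaces with plain Shamir sharing.

```python
import hashlib, random

def _is_prime(n): return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
# Toy parameters (assumption, NOT secure): order-q subgroup of Z_p^*, p = 2q+1 a ~21-bit safe prime.
q = next(k for k in range(10 ** 6, 10 ** 7) if _is_prime(k) and _is_prime(2 * k + 1))
p, g = 2 * q + 1, 4                         # 4 = 2^2 is a quadratic residue, hence has order q
def H(*parts):                              # hash-to-Z_q, standing in for the random oracle
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % q
def label_elem(label): return pow(g, H("label", label) % (q - 1) + 1, p)   # u_l for round label l

def dkeygen(sk, y, s, t, rng):              # TA: functional key for <x, y>, Shamir-split to s aggregators
    dk = sum(si * yi for si, yi in zip(sk, y)) % q
    coef = [dk] + [rng.randrange(q) for _ in range(t - 1)]   # random degree t-1 polynomial, f(0) = dk
    shares = {j: sum(c * pow(j, e, q) for e, c in enumerate(coef)) % q for j in range(1, s + 1)}
    return shares, {j: pow(g, d, p) for j, d in shares.items()}   # dk_j = f(j), public vk_j = g^{dk_j}
def enc(si, x, label): return pow(g, x, p) * pow(label_elem(label), si, p) % p   # ct_i = g^x * u_l^{s_i}
def share_decrypt(label, dk_j, rng):        # aggregator j: d_j = u_l^{dk_j} plus a Chaum-Pedersen DLEQ proof
    u, k = label_elem(label), rng.randrange(1, q)
    d = pow(u, dk_j, p)
    c = H("dleq", pow(g, k, p), pow(u, k, p), d, label)      # Fiat-Shamir challenge
    return d, (c, (k + c * dk_j) % q)

def verify(d, proof, vk_j, label):          # client: does log_g(vk_j) equal log_{u_l}(d_j)?
    (c, z), u = proof, label_elem(label)
    a1 = pow(g, z, p) * pow(vk_j, -c, p) % p
    a2 = pow(u, z, p) * pow(d, -c, p) % p
    return c == H("dleq", a1, a2, d, label)

def combine_recover(cts, y, partials, t, bound=2 ** 16):
    if len(partials) < t: return None       # fewer than t accepted shares: cannot reconstruct
    js, acc = list(partials)[:t], 1         # any t shares; Lagrange weights applied in the exponent
    for j in js:
        lam = 1
        for m in js:
            if m != j: lam = lam * m * pow((m - j) % q, -1, q) % q
        acc = acc * pow(partials[j], lam, p) % p             # = u_l^{dk}
    target = pow(acc, -1, p)
    for ct, yi in zip(cts, y): target = target * pow(ct, yi, p) % p   # = g^{<x, y>}
    return next((v for v in range(bound) if pow(g, v, p) == target), None)   # small-range DL

def run_round(xs=(12, 7, 30, 5, 21), s=4, t=3, label="round-7", seed=1):
    rng, n = random.Random(seed), len(xs)   # xs: constructed one-coordinate "gradients", sum 75
    sk = [rng.randrange(1, q) for _ in range(n)]             # TA: client secret keys s_i
    y = [1] * n                                              # plain-sum aggregation weights
    shares, vk = dkeygen(sk, y, s, t, rng)
    cts = [enc(sk[i], xs[i], label) for i in range(n)]
    partials = {j: share_decrypt(label, shares[j], rng) for j in shares}
    partials[1] = (partials[1][0] * g % p, partials[1][1])   # aggregator 1 tampers with its share
    valid = {j: d for j, (d, pr) in partials.items() if verify(d, pr, vk[j], label)}
    skipped = combine_recover(cts, y, {j: d for j, (d, _) in partials.items()}, t)  # no Verify step
    return sum(xs), combine_recover(cts, y, valid, t), skipped, sorted(set(partials) - set(valid))
```

With the Verify step the client rejects aggregator 1 and still recovers the true sum from the remaining $t$ shares; combining without verification silently shifts the aggregate, which is the poisoning that the DLEQ proofs are there to catch.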
4. Security Proofs and Cryptographic Guarantees

The formal security arguments for VTSAFL are as follows:

  • IND-Security: Chains of hybrid games show that replacing random-oracle outputs with “blinded” distributions and switching between challenge plaintexts yields negligible advantage to any adversary under DDH and multi-DDH.
  • Robustness/Verifiability: Discrete-log-equality proofs ensure incorrect or tampered aggregator shares can be readily detected and rejected by clients.
  • Privacy: Threshold secret sharing ensures that no subset of fewer than $t$ corrupt aggregators can reconstruct the aggregated model or any client's contribution.

These properties ensure protection against gradient inference, poisoning, collusion, and replay, and guarantee that only correct aggregation can be accepted by honest clients (Wang et al., 17 Nov 2025).

5. Practical Efficiency and Scalability

VTSAFL achieves efficiency crucial for scaling federated learning, especially on IoT-class devices:

  • Computational costs:
      • KeyGen: $O(n)$ exponentiations for master key setup, $O(s)$ for TA key splitting.
      • Encryption: $O(1)$ exponentiations per client, independent of $n$.
      • PartialDec: $O(1)$ group operations per aggregator.
      • Verify/CombineRecover: $O(1)$ for individual proofs, $O(t)$ operations for share combination and one discrete logarithm in a bounded domain.
  • Key/ciphertext size (all constant with respect to $n$):
      • Client secret key: 1 element in $\mathbb{Z}_p$.
      • Functional key share: 1 element in $\mathbb{Z}_p$.
      • Ciphertext: 2 group elements.
      • Partial decryption share: 2 group elements + one proof.
  • Empirical results (for $n$ up to 50 clients):
      • Accuracy: matches TAPFed exactly ($\approx 98.2\%$ on MNIST; $\approx 75.4\%$ on CIFAR-10 after 20 rounds).
      • Training time: $>40\%$ reduction (MNIST: 3.10 h $\to$ 1.84 h; CIFAR-10: 4.5 h $\to$ 2.51 h).
      • Communication: up to 50% reduction per round; client upload on MNIST 5.12 MB $\to$ 2.55 MB.

The protocol dramatically lowers both computational and communication complexity, making FL feasible in settings historically limited by resource constraints (Wang et al., 17 Nov 2025).

6. Suitability for IoT and Resource-Constrained Deployments

VTSAFL’s constant-size ciphertext and share design, combined with computational costs independent of the number of clients or the gradient dimension, make it particularly well-suited for deployment in Internet of Things (IoT) scenarios:

  • Lightweight client workload: Each client performs only 2-3 exponentiations per round.
  • Minimal communication: Per-round bandwidth use is small and does not scale with model dimension or client population (approx. 1 KB per label).
  • Verifiability at the edge: Each client efficiently verifies aggregator shares, typically requiring just a few milliseconds.

These features enable reliable, privacy-preserving federated learning from edge sensors, wearables, or gateway devices, preserving both data privacy and aggregation integrity across severely constrained computational environments (Wang et al., 17 Nov 2025).

VTSAFL builds on and extends previous FL aggregation frameworks:

  • Protocols such as DTAHE-based secure linear aggregation (Tian et al., 2021) also address threshold security and privacy but lack built-in aggregation verifiability and constant-size communication, and use blockchain smart contracts for server accountability.
  • VTSAFL incorporates strong, non-interactive verifiability into its aggregation, reducing reliance on external enforcement mechanisms and making the protocol more communication- and computation-efficient.
  • Both VTSAFL and DTAHE-based schemes tolerate dropout and partial adversarial control but differ in verification approach—VTSAFL uses cryptographic proofs at aggregation, while DTAHE variants may rely on smart contracts and post-hoc checks (Wang et al., 17 Nov 2025, Tian et al., 2021).

VTSAFL combines privacy, integrity, and resource-efficient design in a manner optimized for large-scale and resource-constrained federated learning environments.
