TAPAS: Efficient Two-Server Asymmetric Private Aggregation Beyond Prio(+)

Harish Karthikeyan, Antigoni Polychroniadou

Abstract

Privacy-preserving aggregation is a cornerstone for AI systems that learn from distributed data without exposing individual records, especially in federated learning and telemetry. Existing two-server protocols (e.g., Prio and successors) set a practical baseline by validating inputs while preventing any single party from learning users' values, but they impose symmetric costs on both servers and communication that scales with the per-client input dimension $L$. Modern learning tasks routinely involve dimensionalities $L$ in the tens to hundreds of millions of model parameters. We present TAPAS, a two-server asymmetric private aggregation scheme that addresses these limitations along four dimensions: (i) no trusted setup or preprocessing, (ii) server-side communication that is independent of $L$, (iii) post-quantum security based solely on standard lattice assumptions (LWE, SIS), and (iv) stronger robustness with identifiable abort and full malicious security for the servers. A key design choice is intentional asymmetry: one server bears the $O(L)$ aggregation and verification work, while the other operates as a lightweight facilitator with computation independent of $L$. This reduces total cost, enables the secondary server to run on commodity hardware, and strengthens the non-collusion assumption of the servers. One of our main contributions is a suite of new and efficient lattice-based zero-knowledge proofs; to our knowledge, we are the first to establish privacy and correctness with identifiable abort in the two-server setting.
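The cost split the abstract describes (one server doing all $O(L)$ work, the other handling only short messages) can be made concrete with a simplified LWE-style masking aggregator. The Python below is an added illustration, not TAPAS and not code from the authors: it uses plain Regev-style masking with a public matrix $A$ expanded from a seed, a light server that only ever sees length-$N$ secrets, and a heavy server that absorbs every length-$L$ message. All parameter values, function names and sample inputs are constructed for the example and are far too small to be secure; it also omits everything that distinguishes TAPAS, namely input validation, the lattice-based zero-knowledge proofs, identifiable abort and malicious security.

```python
import random
import secrets

# Toy parameters. These are NOT secure LWE parameters; they are chosen so the
# pure-Python arithmetic below runs in well under a second.
L = 256           # per-client input dimension (the paper's L)
N = 64            # LWE secret dimension; every light-server message has this length
Q = 1 << 40       # ciphertext modulus
DELTA = 1 << 16   # plaintext scaling: an input x is encoded as DELTA * x
ERR_BOUND = 4     # each error coordinate is uniform in [-ERR_BOUND, ERR_BOUND]


def expand_matrix(seed, rows=L, cols=N):
    """Expand a public seed into the public matrix A in Z_Q^{rows x cols}.

    Clients and servers derive the same A from the seed, so A is never sent.
    A deployment would use an XOF; random.Random is used only to keep the
    example dependency-free.
    """
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]


def mat_vec(A, s):
    """Compute A*s mod Q; this O(L*N) step is paid only by the heavy server."""
    return [sum(a * b for a, b in zip(row, s)) % Q for row in A]


def client_encode(A, x):
    """Client side: mask x with a fresh LWE sample.

    Returns (c, s): c = A*s + e + DELTA*x mod Q goes to the heavy server
    (length L); the secret s goes to the light server (length N, independent of L).
    """
    assert len(x) == L
    s = [secrets.randbelow(Q) for _ in range(N)]
    e = [secrets.randbelow(2 * ERR_BOUND + 1) - ERR_BOUND for _ in range(L)]
    As = mat_vec(A, s)
    c = [(As[j] + e[j] + DELTA * x[j]) % Q for j in range(L)]
    return c, s


def vector_sum_mod_q(vectors):
    """Coordinate-wise sum mod Q of equal-length vectors."""
    return [sum(col) % Q for col in zip(*vectors)]


def centered(v):
    """Map a residue in [0, Q) to its representative in [-Q/2, Q/2)."""
    return v - Q if v >= Q // 2 else v


def heavy_server_decode(A, c_sum, s_sum):
    """Heavy server: remove the aggregate mask A*(sum of s) and round off the noise.

    After subtraction the residue is sum(e) + DELTA*sum(x); rounding to the
    nearest multiple of DELTA recovers sum(x) whenever |sum(e)| < DELTA/2.
    """
    AS = mat_vec(A, s_sum)
    result = []
    for j in range(L):
        r = centered((c_sum[j] - AS[j]) % Q)
        result.append((r + DELTA // 2) // DELTA)
    return result


def run_aggregation(inputs, seed=1234):
    """One round. Returns (aggregate, light-server message length, heavy-server message length)."""
    A = expand_matrix(seed)
    heavy_inbox, light_inbox = [], []
    for x in inputs:
        c, s = client_encode(A, x)
        heavy_inbox.append(c)
        light_inbox.append(s)
    c_sum = vector_sum_mod_q(heavy_inbox)   # O(m*L) work on the heavy server
    s_sum = vector_sum_mod_q(light_inbox)   # O(m*N) work on the light server, no L
    # The only server-to-server message is s_sum: N field elements, independent of L.
    aggregate = heavy_server_decode(A, c_sum, s_sum)
    return aggregate, len(s_sum), len(c_sum)


def demo(num_clients=5, seed=1234):
    """Constructed sample inputs: small non-negative integer updates per client."""
    rng = random.Random(seed)
    inputs = [[rng.randrange(256) for _ in range(L)] for _ in range(num_clients)]
    expected = [sum(col) for col in zip(*inputs)]
    aggregate, light_len, heavy_len = run_aggregation(inputs, seed)
    return aggregate == expected, light_len, heavy_len


if __name__ == "__main__":
    ok, light_len, heavy_len = demo()
    print(f"correct={ok} light_server_msg_len={light_len} heavy_server_msg_len={heavy_len}")
```

Running it shows every message the light server receives or sends has length N regardless of L, while the heavy server's inbound messages and its decoding work are O(L). Two caveats a practitioner should keep in mind: the heavy server learns the sum of the clients' secrets in addition to each client's LWE sample, a hint about the individual secrets that plain LWE says nothing about and that a Hint-LWE style assumption (as in Theorem 1 on this page) is meant to cover; and the toy assumes both servers are honest-but-curious and do not collude, since anyone holding both $c_i$ and $s_i$ recovers $x_i$ directly.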

Paper Structure

This paper contains 65 sections, 18 theorems, 37 equations, 8 figures, and 4 tables.

Key Result

Theorem 1

Assuming the hardness of the Hint Learning With Errors (LWE) problem, the Short Integer Solution (SIS) problem, the existence of collision-resistant hash functions, and simulation-extractable NIZKs, there exists a two-server secure aggregation protocol in the programmable random oracle model for hig

Figures (8)

  • Figure 1: Sequence diagram of $\mathsf{TAPAS}$ showing client communication with the two servers and the additional rounds of communication between the two servers. By updates we mean the model updates that are sent to the servers and that are the inputs to our secure aggregation protocol. In the semi-honest version, the unmasked result is communicated to all users. The version that is secure against malicious servers also allows the participants to verify the aggregate using commitments.
  • Figure 2: Lattice-based zero-knowledge argument of knowledge for relation $\mathcal{R}_{\mathsf{Block}}$. Here $C$ is the maximum absolute value in the challenge set; challenges are sampled from $\{-C,\ldots,C\}$.
  • Figure 3: The ideal functionality for Secure Aggregation handling dropouts and validity constraints.
  • Figure 4: Protocol $\mathsf{TAPAS}_{\text{SH}}^{\text{BP}}$ for semi-honest servers. Let $L,\lambda,q$ be integers forming a secure parameter choice for the Hint-LWE assumption.
  • Figure 5: Protocol $\mathsf{TAPAS}_{\text{MAL}}^{\text{BP}}$. Adds mask $\mathbf{w}$ and homomorphic verification for malicious security.
  • ...and 3 more figures

Theorems & Definitions (38)

  • Theorem 1: Informal Theorem
  • Lemma 1: Cost of Norm proofs
  • Definition 1: Commitment Scheme
  • Lemma 2: Hiding and Binding
  • Lemma 3: Bimodal Rejection Sampling
  • Definition 2: Relation $\mathcal{R}_{\mathsf{Block}}$
  • Remark 1: Trade-off: Communication vs. Modulus Size
  • Theorem 2: Security of $\Pi_{\mathsf{Enc}}$
  • Theorem 3: Simulatability under Hint-LWE
  • Theorem 4
  • ...and 28 more