Part VIII: Case Studies and Capstone Projects
Chapter 37: Federated Medical AI

Secure Aggregation

"A Pairwise Mask, Born to Cancel, Living to Hide a Single Update."

A Random Vector That Sums to Zero
Big Picture

A fleet of hospitals that do not trust one another, and do not fully trust the coordinator either, can still compute one exact aggregate model update, because each site cloaks its contribution in random masks that are engineered to vanish only when every contribution is added together. Federated averaging needs only the sum of the per-site updates, never any single update, yet a plain implementation hands each raw update to the coordinator and asks it not to look. Secure aggregation removes that request for trust. Each pair of sites agrees on a shared secret, derives a mask from it, and adds it to one update while subtracting it from the other; in the global sum every mask meets its negative and disappears, leaving the true sum and nothing else. This section builds that protocol from the pairwise-mask idea up through key agreement, dropout robustness, the threat model it defends against, and the genuine tension it creates with the Byzantine-robust filtering of Chapter 35.

The federated training loop of this chapter has, by now, a clear shape. Each hospital holds private patient data it may not move, trains locally on that data, and sends a model update to a coordinator that combines the updates and broadcasts the improved model for the next round. Section 37.4 made the combine step concrete as federated averaging, and Section 37.3 argued that privacy is the binding constraint of the whole system, not an afterthought. A subtle gap remains. Federated averaging needs only the weighted sum of the updates, yet the coordinator receives every update individually before it adds them. A single hospital's update, inverted through a gradient-inversion attack, can leak the very patient records the federation was built to protect. Secure aggregation closes the gap: it lets the coordinator learn the sum and provably nothing else about any individual term.

1. The Sum Is All the Coordinator Needs (Beginner)

Recall the structure of the aggregation step. Site $i$ produces an update vector $x_i \in \mathbb{R}^d$, where $d$ is the number of model parameters (or the number of parameters in the layers being shared). The coordinator wants the sum

$$\bar{x} = \sum_{i=1}^{n} x_i,$$

from which federated averaging recovers the mean by dividing by $n$, or by the total example count for the weighted variant of Section 37.4. This is exactly the reduce operation that opened the book: a sum over machines is the canonical all-reduce, the same primitive that combined gradients in Chapter 4 and synchronized data-parallel training in Chapter 14. What changes in the medical setting is the threat model around that sum. The coordinator is permitted to learn $\bar{x}$, because the aggregate of hundreds of hospitals reveals little about any one patient, but it must not learn $x_i$ for any single site, because one hospital's update can be inverted back toward its training records.

The design goal is therefore precise. We want a protocol in which every site sends the coordinator a message, the coordinator combines the messages into $\bar{x}$, and the individual messages reveal nothing about the individual updates beyond what $\bar{x}$ already implies. The cryptographic name for this guarantee is secure aggregation, and the elegant part is that it requires no homomorphic encryption and no trusted third party, only shared randomness that is built to cancel.

Key Insight: Hide the Terms, Reveal Only the Sum

Secure aggregation exploits a structural fact about federated learning that no amount of encryption could supply on its own: the coordinator's task is a sum, and a sum is invariant to anything you add to the terms as long as those additions themselves sum to zero. If each site perturbs its update by a random vector, and the random vectors are arranged so that their total is exactly the zero vector, then the perturbed updates sum to the true sum while each perturbed update on its own is statistically indistinguishable from noise. The whole protocol is the engineering of randomness that cancels.

2. Pairwise Masks That Cancel (Intermediate)

The simplest construction that achieves cancelling randomness is pairwise additive masking. For every unordered pair of sites $\{i, j\}$, the two sites agree on a shared mask vector $s_{ij} \in \mathbb{R}^d$. They use it antisymmetrically: site $i$ adds $s_{ij}$ to its update while site $j$ subtracts the same vector. Writing $s_{ij} = -s_{ji}$ to capture that sign convention, each site forms its masked update

$$y_i = x_i + \sum_{j \neq i} s_{ij}, \qquad s_{ij} = -s_{ji}.$$

The coordinator receives only the $y_i$. Each one is the true update $x_i$ buried under a sum of $n-1$ fresh random vectors, so to the coordinator it is indistinguishable from a random draw and reveals nothing about $x_i$. Now form the global sum:

$$\sum_{i=1}^{n} y_i = \sum_{i=1}^{n} x_i + \sum_{i=1}^{n} \sum_{j \neq i} s_{ij} = \sum_{i=1}^{n} x_i + \sum_{i < j} \big(s_{ij} + s_{ji}\big) = \sum_{i=1}^{n} x_i.$$

Every pairwise term appears exactly twice in the double sum, once as $s_{ij}$ from site $i$ and once as $s_{ji} = -s_{ij}$ from site $j$, so each pair contributes zero. The masks annihilate in aggregate and the coordinator is left with the exact true sum $\bar{x}$, having seen only noise along the way. Figure 37.6.1 shows the cancellation for four hospitals.

Figure 37.6.1: Pairwise additive masking for four hospitals. Each edge carries one shared mask $s_{ij}$; the lower-indexed endpoint adds it and the higher-indexed endpoint subtracts it (the antisymmetry $s_{ij} = -s_{ji}$). Each masked update $y_i$ sent to the coordinator looks like noise. When the coordinator sums the four masked updates, every mask meets its negation and cancels, so the aggregate is the true sum $\sum_i x_i$ and no individual update is ever exposed.

Two practical questions remain before this is a usable protocol. How do two sites agree on a shared mask vector $s_{ij}$ without a trusted dealer handing it to them, and what happens when a hospital that promised to contribute masks drops offline mid-round, leaving its masks uncancelled? The next two subsections answer these in turn.

3. Deriving the Masks from Key Agreement (Intermediate)

The two sites in a pair must arrive at the same vector $s_{ij}$ without ever transmitting it, because anything sent through the coordinator could be observed. Diffie-Hellman key agreement is exactly the tool. Over a cyclic group with public generator $g$, site $i$ samples a secret scalar $a_i$ and publishes $g^{a_i}$; site $j$ samples $a_j$ and publishes $g^{a_j}$. Each can then form the shared secret

$$k_{ij} = (g^{a_j})^{a_i} = (g^{a_i})^{a_j} = g^{a_i a_j},$$

which an eavesdropper who sees only $g^{a_i}$ and $g^{a_j}$ cannot compute under the Diffie-Hellman assumption. Both sides feed $k_{ij}$ into a pseudorandom generator seeded by that shared secret, and the generator expands it deterministically into the full mask vector $s_{ij} \in \mathbb{R}^d$. Because both sites seed the same generator with the same secret, they obtain the identical vector, and they apply it with opposite signs using the canonical ordering of their site identifiers (the lower id adds, the higher subtracts). The shared randomness is established by a single round of public-key exchange and never travels in the clear; only the short public values $g^{a_i}$ cross the network, while the mask itself is regenerated locally on each side. This is the same shared-secret-to-stream pattern the demo in Code 37.6.1 emulates with a per-pair integer seed in place of the Diffie-Hellman secret.

Fun Note: The Mask That Was Never Sent

The strangest thing about $s_{ij}$ is that it is a vector both hospitals know perfectly, that cancels a real quantity in a real sum, and that no wire ever carried. It is reconstructed independently on two machines from a secret that is itself a product of two numbers neither machine ever revealed. A mask born from a handshake, living only in two places at once, dying the instant the sum is taken.

4. Surviving Dropout with Secret Sharing (Advanced)

Hospitals are not reliable network endpoints. A site can lose connectivity, a clinical workstation can be rebooted, a round can time out. If site $j$ commits masks with all its partners and then vanishes before the coordinator collects $y_j$, every mask $s_{ij}$ that survivors added against $j$ is now an orphan: there is no $y_j$ carrying the matching $-s_{ij}$ to cancel it, so the aggregate is corrupted by a pile of uncancelled noise. A protocol that fails whenever one of hundreds of sites blinks is not a protocol a hospital federation can run.

Shamir secret sharing supplies the robustness. Before masking, each site $j$ splits the secret material needed to regenerate its masks (concretely, its Diffie-Hellman secret $a_j$) into $n$ shares using a polynomial of degree $t-1$, and distributes one share to each other site. Any $t$ of the $n$ shares reconstruct the secret exactly through Lagrange interpolation, while any $t-1$ shares reveal nothing about it. The threshold property is

$$\text{any } t \text{ of } n \text{ shares} \;\Rightarrow\; \text{recover } a_j, \qquad \text{any } t-1 \text{ shares} \;\Rightarrow\; \text{learn nothing}.$$

When site $j$ drops, the coordinator asks the surviving sites for their shares of $a_j$. As long as at least $t$ survivors respond, they reconstruct $a_j$, recompute the orphaned masks $s_{ij}$ that $j$ had agreed with each survivor, and the coordinator subtracts those masks from the partial aggregate, restoring an exact sum over the surviving updates. Figure 37.6.2 sketches this recovery. The threshold $t$ is the heart of the dropout-versus-privacy balance: it must be small enough that enough survivors remain to reconstruct after realistic dropout, yet large enough that the coordinator colluding with fewer than $t$ sites can never reconstruct an online site's secret and strip its mask while it is still participating.

Figure 37.6.2: Dropout recovery by Shamir secret sharing. Before the round, hospital 4 split its Diffie-Hellman secret $a_4$ into shares held by the others. When hospital 4 drops, at least $t$ survivors send their shares; the coordinator interpolates the degree-$(t-1)$ polynomial to reconstruct $a_4$, recomputes the orphaned masks $s_{i4}$, and subtracts them, recovering the exact sum over the three surviving hospitals. Fewer than $t$ shares reveal nothing, so an online site's mask can never be stripped.
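
Sections 3 and 4 carried end to end, as an added example that is not code from the original chapter: each site derives its pairwise masks from a Diffie-Hellman secret, Shamir-shares that secret, and the coordinator rebuilds a dropped site's orphan masks from $t$ shares. Assumptions of this sketch: the toy group `P`, `G` (far too small for real use), SHAKE-256 as the pseudorandom generator, fixed-point arithmetic modulo $2^{32}$ (as deployed protocols use, so each masked word is uniformly distributed), and all function names, which are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (assumptions of this example, far too small for real use).
P = 2**127 - 1   # Mersenne prime: Diffie-Hellman modulus and Shamir field
G = 3            # public base g
R = 2**32        # updates and masks live in the integers mod R
SCALE = 2**16    # fixed-point scale for encoding real-valued updates

def encode(x):
    """Quantize a real vector into Z_R (negatives wrap around)."""
    return [round(v * SCALE) % R for v in x]

def decode(v):
    """Map Z_R back to reals, reading the upper half of the range as negative."""
    return [((w + R // 2) % R - R // 2) / SCALE for w in v]

def keygen():
    """Sample the secret a_i and the public value g^{a_i}."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)

def pair_mask(own_secret, other_public, d):
    """k_ij = (g^{a_j})^{a_i}, expanded by a PRG (SHAKE-256) into d words of Z_R."""
    k = pow(other_public, own_secret, P)
    stream = hashlib.shake_256(k.to_bytes(16, "big")).digest(4 * d)
    return [int.from_bytes(stream[4 * c:4 * c + 4], "big") for c in range(d)]

def sign(i, j):
    """Lower site id adds the mask, higher id subtracts it."""
    return 1 if i < j else -1

def mask_update(i, x, own_secret, pubs):
    """y_i = x_i + sum_{j != i} s_ij, computed in Z_R."""
    y = encode(x)
    for j, pub in pubs.items():
        if j != i:
            m = pair_mask(own_secret, pub, len(x))
            y = [(yc + sign(i, j) * mc) % R for yc, mc in zip(y, m)]
    return y

def shamir_split(secret, t, holders):
    """Degree t-1 polynomial with f(0) = secret; holder h receives f(h)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {h: sum(c * pow(h, e, P) for e, c in enumerate(coeffs)) % P
            for h in holders}

def shamir_reconstruct(shares):
    """Lagrange interpolation at 0 from a dict {holder id: share}."""
    secret = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def run_round(updates, dropped=(), t=2):
    """One aggregation round; returns (decoded sum over survivors, masked updates)."""
    ids = sorted(updates)
    d = len(updates[ids[0]])
    keys = {i: keygen() for i in ids}
    pubs = {i: keys[i][1] for i in ids}
    shares = {i: shamir_split(keys[i][0], t, [h for h in ids if h != i])
              for i in ids}
    masked = {i: mask_update(i, updates[i], keys[i][0], pubs) for i in ids}

    survivors = [i for i in ids if i not in dropped]
    if len(survivors) < t:
        raise ValueError("fewer than t survivors: dropped secrets are unrecoverable")
    agg = [sum(masked[i][c] for i in survivors) % R for c in range(d)]
    for j in dropped:
        # Any t survivors hand in their share of a_j; the orphan masks follow.
        a_j = shamir_reconstruct({h: shares[j][h] for h in survivors[:t]})
        for i in survivors:
            m = pair_mask(a_j, pubs[i], d)
            agg = [(ac - sign(i, j) * mc) % R for ac, mc in zip(agg, m)]
    return decode(agg), masked

if __name__ == "__main__":
    # Constructed sample updates for four hospitals (ids 1..4).
    ups = {1: [0.5, -1.25, 2.0], 2: [1.0, 0.25, -0.75],
           3: [-2.5, 3.0, 0.125], 4: [0.75, -0.5, 1.5]}
    print("all online    :", run_round(ups)[0])
    print("hospital 4 out:", run_round(ups, dropped=(4,), t=2)[0])
```

Once $a_j$ has been reconstructed, every mask of site $j$ is computable, so a masked update from $j$ that arrives late must be discarded rather than accepted into a later sum.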

5. The Threat Model and Its Boundaries (Intermediate)

A protocol is only as meaningful as the adversary it defends against, so the assumptions must be stated plainly. The standard secure-aggregation threat model is honest-but-curious (also called semi-honest): the coordinator and the sites follow the protocol faithfully, performing every step as specified, but they will try to infer everything they can from the messages they legitimately receive. Against this adversary, pairwise masking is unconditionally hiding for the individual updates, because each $y_i$ is a real update plus the sum of independent fresh masks, which is statistically independent of $x_i$. The coordinator learns the sum it is entitled to and nothing more.

The guarantee is bounded by collusion. If the coordinator colludes with a set of sites, the masks shared between two colluding sites are known to the coalition and cancel within it, so they no longer hide the honest sites' updates. The Shamir threshold $t$ sets the collusion bound directly: as long as fewer than $t$ parties collude, no online site's secret can be reconstructed and its mask cannot be removed, so privacy holds. Choosing $t$ is therefore a single knob that trades dropout tolerance (smaller $t$ tolerates more dropout) against collusion resistance (larger $t$ resists more collusion), and a real deployment sets it from the observed dropout rate and the trust assumptions among the participating institutions. A fully malicious adversary that deviates from the protocol, for example by reporting false shares or inconsistent public keys, needs the stronger verifiable variants noted in the research frontier below; the honest-but-curious model is the right starting point because it matches the realistic posture of regulated hospitals that will run the agreed software but would still mine any data that passes through them.

6. Secure Aggregation Meets Differential Privacy (Advanced)

Secure aggregation and differential privacy protect against different leaks, and a clinical federation needs both. Secure aggregation hides each individual update from the coordinator, but it does not constrain what the released sum reveals. The aggregate $\bar{x}$ itself can still leak: with auxiliary knowledge an adversary may reason about whether a particular patient's record influenced the sum, exactly the membership-style inference that differential privacy is designed to bound. The two mechanisms compose cleanly. Secure aggregation removes the need to trust the coordinator with raw updates, and differential privacy, introduced for distributed learning in Chapter 35 and motivated for this case study in Section 37.3, bounds what the released aggregate can reveal about any single record by injecting calibrated noise.

The composition is more than additive. In the distributed-DP construction, each site adds a small share of the privacy noise to its own update before masking; the masks still cancel in the sum, and the per-site noise shares add up to the full noise magnitude that the differential-privacy guarantee requires. Because secure aggregation hides the individual updates, no site has to add the full noise locally (which would destroy its own update's signal) and no trusted aggregator has to add the noise centrally (which would require trusting it). The federation gets central-DP-level accuracy with only the trust assumptions of local DP, a synergy that makes the pair far stronger together than either alone.

Practical Example: The Multi-Hospital Sepsis Model That Could Not Trust the Hub

Who: A data engineer building a federated sepsis-prediction model across eleven hospitals in a research consortium.

Situation: Each hospital's legal team approved sharing model updates but explicitly forbade exposing any single hospital's update to the consortium's central coordinator, which was hosted by one member institution.

Problem: Plain federated averaging sent each raw update to that coordinator, and a gradient-inversion proof-of-concept from the security review reconstructed recognizable patient feature patterns from a single update.

Dilemma: Move to a homomorphic-encryption scheme, mathematically clean but adding heavy per-round compute and a key-management burden the consortium could not staff, or adopt pairwise-mask secure aggregation, which needs only key agreement and secret sharing but must be made robust to the two or three hospitals that dropped out of any given round.

Decision: They chose secure aggregation with a Shamir threshold set from the measured dropout rate, layered with distributed differential privacy for the released aggregate.

How: Each round ran a Diffie-Hellman key exchange, expanded the shared secrets into masks, secret-shared each site's secret at a threshold that tolerated up to four dropouts while resisting collusion of three, and had each site add its share of the DP noise before masking.

Result: The coordinator received only masked updates, the aggregate matched plain federated averaging to floating-point precision in rounds with no dropout, and the legal teams signed off because no individual update was ever exposed and the released model carried a provable privacy bound.

Lesson: When the binding constraint is "the hub must never see a single contribution," cancelling masks plus secret sharing buys exactly that, at a fraction of the operational cost of encryption-based aggregation.

7. The Tension with Byzantine-Robust Aggregation (Advanced)

Secure aggregation buys privacy by making every individual update invisible to the coordinator, and that very invisibility collides with another defense the federation may need. Byzantine-robust aggregation, developed in Chapter 35, protects the model against a malicious or malfunctioning site that submits a poisoned update; its defenses, coordinate-wise median, trimmed mean, Krum, and their relatives, all work by inspecting and comparing the individual updates and discarding the outliers. Secure aggregation hands the coordinator a single sum and refuses to show it any individual update. The robust filter has nothing to inspect, and the poisoned contribution flows straight into the protected sum.

This is a real and active tension, not a detail to wave away: the privacy mechanism and the integrity mechanism want opposite things from the same updates, one to hide them and the other to scrutinize them. Three lines of work try to reconcile them. The first computes robust statistics inside the cryptographic envelope, evaluating a median or a norm bound on the masked data using secure multiparty computation so that filtering happens without anyone seeing the cleartext updates, at substantial extra protocol cost. The second relaxes the privacy target, revealing only coarse, privacy-preserving summaries such as bucketed norm histograms that are enough to reject the most extreme poison while leaking little about any single update. The third sidesteps the filter entirely by bounding each update's influence before it is masked, for example clipping every update to a fixed norm so that no single poisoned contribution can dominate the sum, which is also exactly the clipping that the differential-privacy guarantee of Section 6 requires. Naming the tension plainly is the point: a medical federation that needs both strong privacy and poisoning resistance cannot get both for free, and the choice among these three reconciliations is one of the genuinely open design decisions of the field.

Research Frontier: Verifiable, Robust, and Single-Round Secure Aggregation (2024 to 2026)

The classic pairwise-mask protocol of Bonawitz et al. (2017) costs a quadratic number of pairwise keys in the number of sites, which strains federations of thousands of clients, so a major thread drives the communication down. Constructions in the lineage of SecAgg+ and LightSecAgg replace the full pairwise graph with sparse random subgraphs or coded sharing, cutting per-client cost from $O(n)$ toward near-logarithmic while preserving dropout robustness. A second thread targets the honest-but-curious boundary directly: verifiable secure aggregation lets sites prove they followed the protocol, defending against a malicious coordinator that fabricates inputs or drops honest contributions. A third, the most active for medical settings, attacks the privacy-versus-integrity tension of Section 7 head-on, with robust secure-aggregation schemes that compute trimmed means or norm-bounded filtering under the mask, and with the distributed-DP and secure-aggregation co-designs that bring central-accuracy privacy to cross-silo health federations. The unifying frontier question is whether a single-round protocol can be private, dropout-robust, poisoning-resistant, and verifiable at once, which no deployed system fully achieves today.

8. The Protocol in Code (Intermediate)

The construction is easiest to trust once you watch the masks vanish. The program below implements pairwise antisymmetric masking for four hospitals, emulating each pair's shared secret with a per-pair integer seed that stands in for the Diffie-Hellman value of Section 3. It prints one hospital's true update next to the masked update the coordinator would see, confirms that the sum of masked updates equals the true sum to floating-point precision, and then enacts the dropout case of Section 4: hospital 4 (index 3 in the program's zero-based numbering) goes offline, and the survivors' reconstructed knowledge of its shared masks lets the coordinator recover the exact sum over the remaining three.

```python
import numpy as np

rng = np.random.default_rng(7)
n, d = 4, 6                                  # 4 hospitals, update dimension 6
true_updates = rng.standard_normal((n, d))   # each hospital's real update x_i

# Pairwise antisymmetric masks s_ij = -s_ji, derived from a shared per-pair seed.
# In practice the seed is a Diffie-Hellman shared secret; here we emulate it.
def pair_mask(i, j, d):
    seed = 1000 * min(i, j) + max(i, j)      # both parties derive the SAME seed
    m = np.random.default_rng(seed).standard_normal(d)
    return m if i < j else -m                # one side adds, the other subtracts

# Each hospital masks its update: y_i = x_i + sum_{j != i} s_ij
masked = np.zeros((n, d))
for i in range(n):
    y = true_updates[i].copy()
    for j in range(n):
        if j != i:
            y = y + pair_mask(i, j, d)
    masked[i] = y

print("True update of hospital 0 :", np.round(true_updates[0], 3))
print("Masked y_0 seen by server :", np.round(masked[0], 3))
print("  (looks like noise, hides the real update)")
print()

true_sum = true_updates.sum(axis=0)
masked_sum = masked.sum(axis=0)             # server only sums the masked y_i
print("Server sum of masked y_i  :", np.round(masked_sum, 6))
print("True sum of updates       :", np.round(true_sum, 6))
print("max abs difference        :", f"{np.max(np.abs(masked_sum - true_sum)):.2e}")
print()

# Dropout: the hospital at index 3 (hospital 4 in the text) goes offline AFTER
# masking. Its pairwise masks with the survivors no longer cancel. A Shamir
# t-of-n sharing of its mask seeds, reconstructed by the survivors, lets the
# server subtract the orphaned masks. The reconstruction itself is emulated
# here by calling pair_mask directly.
survivors = [0, 1, 2]
dropped = 3
partial_sum = masked[survivors].sum(axis=0)         # what server has after dropout

# Reconstruct the masks the dropped site shared with each survivor and remove them.
orphan = np.zeros(d)
for s in survivors:
    orphan = orphan + pair_mask(s, dropped, d)      # mask survivor s added vs dropped
recovered = partial_sum - orphan
true_survivor_sum = true_updates[survivors].sum(axis=0)
print("Dropout case (hospital 3 offline):")
print("recovered sum of survivors:", np.round(recovered, 6))
print("true sum of survivors     :", np.round(true_survivor_sum, 6))
print("max abs difference        :", f"{np.max(np.abs(recovered - true_survivor_sum)):.2e}")
```
Code 37.6.1: Pairwise additive masking with antisymmetric masks and Shamir-style dropout recovery. The per-pair integer seed stands in for the Diffie-Hellman shared secret of Section 3; in a real deployment the seed is never computable by an outsider. Both the full-participation sum and the dropout-recovered sum are compared against the ground truth.
```
True update of hospital 0 : [ 0.001  0.299 -0.274 -0.891 -0.455 -0.992]
Masked y_0 seen by server : [ 2.577 -1.958  0.061 -5.203  1.798  0.383]
  (looks like noise, hides the real update)

Server sum of masked y_i  : [-1.734435 -0.581045 -2.637331 -1.050855 -2.57649  -0.821111]
True sum of updates       : [-1.734435 -0.581045 -2.637331 -1.050855 -2.57649  -0.821111]
max abs difference        : 5.55e-16

Dropout case (hospital 3 offline):
recovered sum of survivors: [ 0.166788  0.708493 -0.795596 -0.815764 -1.309043 -1.092375]
true sum of survivors     : [ 0.166788  0.708493 -0.795596 -0.815764 -1.309043 -1.092375]
max abs difference        : 7.77e-16
```
Output 37.6.1: The masked update hospital 0 sends bears no visible relation to its true update, yet the coordinator's sum of all four masked updates equals the true sum to within $6 \times 10^{-16}$, the floating-point floor. After hospital 4 (index 3 in the code's zero-based numbering) drops, subtracting its reconstructed orphan masks recovers the exact sum over the three survivors. Privacy and exactness coexist; the masks hide every term and vanish in the aggregate.

Thesis Thread: A Reduce That Reveals Only Its Result

The sum over sites is the same reduce that opened the book in Chapter 4 and drove every data-parallel method since. Secure aggregation is what that reduce becomes when the machines distrust one another: a collective that computes the exact aggregate while provably hiding every input to it. Scale-out here is not merely splitting work across machines for throughput; it is letting a fleet of distrustful institutions co-compute one number that none of them, and not even the coordinator, could be trusted to compute in the clear. Cryptographic coordination turns "many machines acting as one" into "many adversaries cooperating safely," and that is the form distributed AI must take wherever the data is too sensitive to centralize.

Library Shortcut: Secure Aggregation in a Federated Framework

Code 37.6.1 builds the masking, key derivation, and dropout recovery by hand to expose the mechanism. Production federated-learning frameworks ship the whole protocol behind a configuration flag. In TensorFlow Federated, secure aggregation is a single factory passed to the aggregation step:

```python
import tensorflow_federated as tff

# Replaces plain summation with the masked, dropout-robust secure-aggregation
# protocol: key agreement, pairwise masks, and Shamir sharing are all internal.
secure_sum = tff.aggregators.SecureSumFactory(
    upper_bound_threshold=1.0)             # clip each update's norm before masking

# model_fn (the function that builds the model) is assumed to be defined elsewhere.
learning_process = tff.learning.algorithms.build_weighted_fed_avg(
    model_fn,
    model_aggregator=secure_sum)           # FedAvg now aggregates under the mask
```
Code 37.6.2: The roughly forty lines of masking and recovery in Code 37.6.1 collapse to one factory argument. The framework handles the Diffie-Hellman exchange, mask expansion, Shamir secret sharing of the secrets, and dropout reconstruction internally; the per-update clipping bound it asks for is the same norm clip that the differential-privacy and anti-poisoning arguments of Sections 6 and 7 require.

Secure aggregation completes the privacy story this chapter has been building: the coordinator now learns the federated sum and nothing about any single hospital's contribution, dropout no longer breaks the round, and the same clipping that bounds privacy loss also blunts poisoning. The next section turns from how the updates are combined to how the federation is governed and audited over time, the operational layer that keeps a multi-institution medical model trustworthy across many rounds, beginning in Section 37.7.

Exercise 37.6.1: Why Antisymmetry Is Not Optional (Conceptual)

Suppose a careless implementation has every pair $\{i, j\}$ use the same mask sign on both sides, so site $i$ adds $s_{ij}$ and site $j$ also adds $s_{ij}$ (rather than subtracting it). Write the global sum $\sum_i y_i$ for this broken scheme and show what extra term now survives. Explain why the coordinator can no longer recover the true sum, and why the antisymmetry $s_{ij} = -s_{ji}$ is the exact property that makes the masks cancel. Then argue why the masks must still be derived from a shared secret rather than each site choosing its own.

Exercise 37.6.2: Add Distributed Differential Privacy (Coding)

Extend Code 37.6.1 so that each hospital, before masking, adds its own share of Gaussian noise drawn with standard deviation $\sigma / \sqrt{n}$ to its update (so the noise shares sum to a total of standard deviation $\sigma$ in expectation per coordinate). Confirm that the masks still cancel and that the coordinator's recovered sum now equals the true sum plus aggregate noise of roughly the intended magnitude, not $n$ times too much and not $\sqrt{n}$ times too little. Discuss how this realizes the distributed-DP composition of Section 6: why splitting the noise across sites gives central-DP accuracy with local-DP trust, and what goes wrong if instead every site adds the full $\sigma$.

Exercise 37.6.3: The Collusion Bound and the Dropout Bound (Analysis)

A federation of $n = 50$ hospitals runs secure aggregation with a Shamir threshold $t$. Empirically, up to 8 hospitals drop in a typical round, and the consortium believes at most 5 institutions could ever collude with the coordinator. State the constraint that $t$ must satisfy to guarantee dropout recovery (enough survivors hold shares to reconstruct) and the constraint it must satisfy to guarantee privacy against the collusion bound (fewer than $t$ colluders cannot strip an online site's mask). Give a concrete value of $t$ that satisfies both, and explain what happens to the protocol's guarantees if the real dropout one round reaches 15, or the real collusion reaches 6. Tie your answer to the honest-but-curious threat model of Section 5.