Janus: Dual-Server Multi-Round Secure Aggregation with Verifiability for Federated Learning

Dear Reviewer nXLy,

Thank you for your valuable feedback and suggestions. Below, we address each of your concerns.

1. Definition of SHC (W1&Q1):

The output of the Commit algorithm is c, but c is not a simple tuple. In fact, we intend to convey that the complete commitment can be split into c_m and c_r via computation, rather than directly storing. We will revise the wording. The SHC is an abstract blueprint. In existing secure commitment schemes, any scheme that meets the properties we have outlined qualifies as a SHC. In fact, we instantiate SHC as the Pedersen commitment. Furthermore, when discussing the properties of SHC (lines 215-234), we have already discussed that the Pedersen commitment possesses the properties of SHC. Thus, its security is inherently guaranteed by the security of the underlying commitment, eliminating the need for a separate proof.

2. References:

Masking-based and MPC-based SA are orthogonal, with the former relying on mask generation and elimination, and the latter on distributed computations. To offer a more comprehensive view of SA, we will include the following excellent MPC-based works, including the references you recommended in the next version.

MPC-base SA. Multi-Party Computation (MPC) enables distrustful parties to jointly compute a target function while preserving privacy, which perfectly aligns with the SA. (Mohassel & Zhang, 2017) designed a scheme using secure two-party computation (2PC) and proposed MPC-friendly alternatives to non-linear functions. Prio (Corrigan-Gibbs & Boneh, 2017) employs a novel technique known as SNIPs (Secret-shared Noninteractive Proofs), enabling servers to collaboratively verify a shared proof of correctness with minimal communication overhead. Prio+(Addanki et al., 2022) replaces zero-knowledge proofs with Boolean secret sharing and share conversion protocols, boosting client-side performance. SAFELearn (Fereidooni et al., 2021) employs MPC to enable SA, resisting inference attacks with just two communication rounds while eliminating trusted third parties and supporting client dropouts. (Gehlhar et al., 2023) proposed a MPC-based FL framework that combines SA with poisoning-resistant techniques, achieving privacy and robustness. (Ben-Itzhak et al., 2024) introduced a novel scheme (ScionFL) that efficiently handles quantized inputs while providing robustness against malicious clients and supporting various 1-bit quantization schemes.

3. Misunderstanding of Instantiation (W2):

We have already provided a full instantiation in lines 640-714, not just the new primitive. The component primitives can be replaced with any instantiation that satisfies the conditions, enabling compatibility with different systems.

4. Security of Instantiation (W3):

We have already proven the security of the generic construction in lines 742-957. The generic construction is an abstract structure, and there are multiple possible implementations. Proving the security of the generic construction ensures the security of all instantiated schemes. Meanwhile, some existing generic constructions [1-3], ensure security in the same way we do. In summary, the instantiation based on the generic construction provide equivalent security guarantees.

[1] Nguyen et al. Multimodal private signatures, CRYPTO22.

[2] Luo et al. Generic construction of trace-and-revoke inner product functional encryption, ESORICS22.

[3] Yuen et al. DualRing: generic construction of ring signatures with efficient instantiations, CRYPTO21.

5. Other Defense of MIA (S1):

The method you mentioned defends against MIA by adding an extra operation required in each round, while FL typically requires multiple rounds to converge. In contrast, our Janus naturally provides this defense upon completing aggregation, without any additional steps. Second, verifying the signed hash in every round could impose a significant operational burden on clients. We believe this effectively addresses your concerns.

6. Synonym and Typos (S2):

The term 'semi-honest' is more suitable for our situation, and we will correct it.

7. Misunderstanding of Assumption (S3):

Compared to schemes that rely on the non-collusion assumption, our scheme enhances security by resisting MIA attacks and enabling verifiable results. Furthermore, it offers greater functionality by supporting dynamic participation and multi-round aggregation. Additionally, our assumption aligns with that of prominent works such as references [1, 2], both of which also rely on the non-collusion assumption, making it a common and reasonable choice in this field.

[1] Ma et al. Flamingo: Multi-round single-server secure aggregation with applications to private federated learning.

[2] Rathee et al. Elsa: Secure aggregation for federated learning with malicious actors.

Thank you for your time and effort. We will update the content in the next version. If you have any further concerns, please feel free to let us know.

Dear Reviewer LvMf,

We sincerely appreciate your valuable feedback. Below we provide a point-by-point response.

1. Dropout rate (W1&Q1):

To ensure a fair comparison, it is crucial to recognize that mask-based approaches (including BBSA, VeriFL, and Flamingo in Section 4.2) fundamentally require solving the client dropout to achieve correct aggregation. While secret sharing can address dropouts, its reconstruction overhead grows substantially with higher dropout rates (as it must recover masks for all dropped clients). In contrast, our Janus framework maintains normal aggregation regardless of dropout events, giving it inherent scalability advantages. Existing evaluations of BBSA/Flamingo already consider dropout rates up to 30%, whereas our experiments focus on demonstrating Janus’s superiority under dropout conditions. Even at the modest 10% dropout rate we tested, Janus shows significant performance gains—advantages that would only amplify with increasing dropout rates. Thus, selecting a 10% dropout rate is both methodologically sound (aligning with prior work’s evaluation scope) and sufficient to highlight our core contribution: dropout-robust aggregation. We will explicitly discuss this rationale in our revision.

2. More Applications (Q2):

We appreciate this insightful question regarding SHC's broader applicability. It is crucial to note that SHC is fundamentally a general-purpose cryptographic primitive, not limited to the specific applications we discussed. While our paper focuses on its application to SA in federated learning, SHC's architectural flexibility makes it adaptable to any scenario requiring both confidentiality and verifiability, particularly in distributed systems with accountability requirements. Specifically, SHC's cryptographic separation of concerns makes it uniquely suitable for: (1) medical data federation where SHC enables privacy-preserving auditing, (2) dual-server e-voting systems needing verifiable tallying, and (3) secure outsourced computation requiring input/output validation. We will add a discussion in the next version.

Thank you again for your insightful comments. We will integrate these clarifications in the next version. Please don't hesitate to share any further concerns.

Dear Reviewer e8s4,

We sincerely appreciate your time and effort spent on our work. We have noticed that most of your concerns stem from misunderstandings about our paper. Below, we will first clarify these misunderstandings point by point.

Misunderstanding 1. Security assumptions (W1&Q1):

We clarify that we do not assume the server cannot corrupt a single client—rather, it ensures security even if the server corrupts up to n-2 clients. For large-scale FL (n ≫ 1), corrupting n-2 clients is impractical, making this a realistic assumption (lines 88-101 and Section C.1). Additionally, our assumption aligns with the prominent works like references [1] and [2]. Such an assumption represents a widely accepted and theoretically sound approach within this research domain.

[1] Ma et al. Flamingo: Multi-round single-server secure aggregation with applications to private federated learning.

[2] Rathee et al. Elsa: Secure aggregation for federated learning with malicious actors.

Misunderstanding 2. Unrelated Techniques and Secret Key Aggregation (W2,3&Q2):

Our work does not involve secret sharing and key expansion as you mentioned. Additionally, our work goes beyond merely implementing aggregation. We have also introduced multi-round, verifiable aggregation that is resistant to MIA, among other enhancements. Finally, secret key aggregation works as follows: clients first encrypt masks using S1's public key, then S1 aggregates, and finally users verify correctness by cross-checking with S0's aggregated values. This mutual verification between S0 and S1 provides the security guarantee without time-consuming RLWE, et al. The details are in Lines 264-317, with formal correctness analysis in Lines 715-740.

Misunderstanding 3. Security Proof (Q5):

Our security proof is correct: our scheme (lines 252-317) is consistent with the ideal function (lines 799-812, 846-862), where the server holds the masked aggregated gradients (Lines 288-317), and the client holds the gradient aggregation values. The security proof methodology follows the state-of-the-art scheme Flamingo (SP23). The only identified issue is a minor typo in the function definition (S1 should be S0), which does not introduce the inconsistency you raised. This typo will be corrected in the next version.

Next, we will address your concerns point by point.

Concern 1. Malicious S_1 (W4):

Our scheme is already designed to resist the type of attack you mentioned. Specifically, S_0 and S_1 constrain each other, and users can validate the aggregated results of the two servers with the SHC. If either server attempts manipulation, clients detect inconsistencies during validation and abort participation. After theoretical analysis (Table 2), this does not increase our communication overhead.

Concern 2. New User Join (W5&Q3):

The process for a new user to obtain the model is simple and straightforward. Specifically, the user only needs to retrieve the aggregation information from S0 and S1, and then, like any other user, they can locally obtain the model parameters. Moreover, the new user can not only acquire the model parameters but also verify whether the parameters provided by the two servers are correct. This is detailed in Lines 304 to 317 of the paper.

Concern 3. Experiment (Q4):

Our experiments aim to evaluate the trade-offs introduced by SA (increased training time, potential efficiency overhead) while demonstrating that these costs remain acceptable compared to the security and function benefits. Our experimental design follows the relevant literature such as [1,2] in the same field. Therefore, our experimental design is reasonable and well validates the theoretical analyses in Section 4.1.

[1] Wang et al. VOSA: Verifiable and oblivious secure aggregation for privacy-preserving federated learning.

[2] Ma et al. Flamingo: Multi-round single-server secure aggregation with applications to private federated learning.

We greatly appreciate your feedback and will incorporate these clarifications in the next version. Thank you again, and we look forward to your response.

Dear Reviewer uPUn,

Thank you for your valuable comments. We address your concerns as follows.

1. Dynamic Engagement (W1):

Our scheme enables dynamic participation where clients can join or leave at any time without compromising security. The process is designed as follows: new clients simply (1) obtain system public parameters, (2) generate their key pairs, and (3) complete one training round with the initial model to receive the global update. Departing clients gracefully exit by ceasing submissions, while key updates follow the same streamlined joining procedure. Importantly, all participant changes occur without requiring reconstruction of the communication graph, maintaining both security and system efficiency.

2. Writing (W2):

The current version outlines our security assumptions in the abstract and Lines 88-108, with complete formal specifications provided in Appendix C.1. We will incorporate a more detailed discussion of these assumptions in the next version.

3. Future Work ( Q1):

Building on our current work, we will explore methods to resist client poisoning attacks, a common challenge faced by existing masking and encryption-based schemes. Additionally, we will focus on further enhancing both the efficiency and security of our approach.

4. Challenges of Multi-round (Q2):

The challenges of multi-round aggregation are already discussed in Lines 42 to 98 of the paper. Specifically, the core challenges regarding this aspect are threefold: (1) most existing schemes require regenerating system parameters for multi-round aggregation, i.e., repeating a single round aggregation many times to realize multiple rounds; (2) practical training scenarios with dynamic participation (users joining/leaving) typically demand complex communication graph reconstruction; and (3) while existing approaches need dedicated, time-consuming operations to achieve both multi-round execution and MIA resistance, our scheme inherently resists MIA during SA without additional overhead.

We greatly appreciate your feedback and will ensure these clarifications will be included in the next version. If you have any further concerns, please let us know.