PATTERN Cited by 1 source

One-shot secure aggregation

Pattern

Design the secure-aggregation cryptographic protocol so each participating client submits a single message with their encrypted contribution and is then done — no further participation required for the aggregation to complete. The aggregation server (and a separate small client committee) drive the protocol forward without that client ever needing to come back online.

This is the mobile-fleet-deployable variant of secure aggregation. The pattern's architectural payoff is freedom from the always-online constraint that has structurally limited prior secure-aggregation deployment.

Problem

Traditional cryptographic secure-aggregation protocols are multi-round — they require participating clients to remain online across multiple message exchanges (typically 3-4 rounds) for the aggregation to complete. The 2026-05-27 Google post articulates this as the load-bearing barrier:

"Google has deployed two generations of secure aggregation protocols at scale. However, its widespread use has been limited by the complexity in its requirement that user devices remain online in multiround protocols over extended periods of time."

Concretely:

• Mobile clients churn. Phones go to sleep, lose connectivity, switch networks, run out of battery. A 3-4 round protocol completing over 5-10 minutes drops most of the fleet.
• Server has to wait. The aggregation cannot proceed without the participating clients responding to subsequent rounds, so the server blocks on the slowest reasonable participants.
• Drop-out recovery is expensive. Each dropped client triggers re-keying or substitution mechanics that compound the round count.
• Battery is a hard budget. Devices waking up multiple times to service the protocol consume power that mobile fleets can't justify for analytics.

The net effect is that multi-round secure aggregation is restricted to "the always-online subset" of the fleet — a sampling bias that contradicts the federated-analytics use case (uniformly observe the fleet's behaviour).

Solution

Make the protocol single-shot from the client's perspective. The client encrypts its contribution, ships it, and is done. The aggregation math has to be designed so that:

1. The encrypted contribution can be summed with other clients' contributions without the client's further involvement.
2. The encryption keys can also aggregate, so the server can derive a single decryption key that decrypts only the sum, not individuals (see key-aggregation).
3. Decryption of the aggregate is gated on a separate step — typically a small client committee revealing key hints — that doesn't require every contributing client to participate.
4. The protocol is dropout-tolerant by construction — a client whose contribution made it to the server is counted; a client that never submitted is simply not in the aggregate.

The 2026-05-27 Google protocol uses lattice-based cryptography to get all four properties simultaneously: the linearity of LWE-class schemes makes ciphertext + key co-aggregation algebraically natural, and the protocol is structured so client submission is one-shot.

Layering with the rest of the stack

Client side                          Server side                Committee side
─────────                            ────────────────             ─────────────
Encrypt xᵢ → cᵢ        ─────────►  Σcᵢ inside TEE                
Generate key share kᵢ  ─────────►  Σkᵢ derives                  
                                    aggregate decryption key      
                                                                  Reveal hints
                                                                  +
                                                                  add DP noise
                                                                  ──────────►
                                    Decrypt Σxᵢ + noise           
                                    (aggregate only)              

The client's only obligation is the upward arrow on the left — encrypt, ship, done. Everything else (TEE-side aggregation, committee-side unmasking) proceeds without that client.

Why "one-shot" enables the mobile fleet

Drive-by clients become first-class participants:

• Phone-in-pocket clients can contribute when they happen to be online, without scheduling.
• Battery cost is bounded to the single encryption + transmission.
• No round-trip latency — client doesn't wait for server response.
• Fleet sampling is uniform — every device that was online any time during the aggregation window can contribute, not just the always-on subset.

This is the structural difference that opens federated analytics to production-mobile-fleet workloads that prior multi-round generations could not reach.

Component pieces

1. Lattice-based encryption with linearity in keys + ciphertexts — the algebraic substrate.
2. Single-message client interface — the client sends one packet per aggregation window, with their encrypted contribution and key share.
3. TEE-resident aggregator — sums ciphertexts + sums keys; produces neither plaintext nor a per-client decryption key.
4. Committee unmasking — a small subset of clients (rotated) reveals hints to unlock the aggregate; clients serve on the committee opportunistically when online, not all participating clients.
5. DP noise — applied at unmasking; even the released aggregate is privacy-bounded.

Trade-offs vs multi-round

Property	Multi-round	One-shot (this pattern)
Client online-time required	Full aggregation window	Single message
Drop-out tolerance	Threshold-based, expensive	Native; absent clients just not in aggregate
Battery cost per client	High (multiple wake-ups)	Single encryption + transmission
Server wait time	Bounded by slowest client	None per-client
Protocol complexity	Lower per-step but more steps	Higher per-step but single step
Cryptographic substrate	Pairwise masks / DDH	Lattice (LWE / RLWE)
Post-quantum resilience	Depends	Native (lattice)
Prior-art lineage	2017 Google secure-agg, 2021 distributed-DP	2026 Google lattice-based scheme

Caveats

• Per-client compute cost is higher than a multi-round single step. Lattice-based encryption is fast but not as cheap as a pairwise-mask XOR.
• Ciphertext size is larger than ECC-based equivalents — a few kilobytes per submission, not a few hundred bytes. Generally acceptable for analytics workloads but a real bandwidth tax.
• Committee selection mechanics are a new operational dimension — who's on the committee, how is the committee attested, what happens if too few committee members are online.
• Decryption-key reconstruction still has a critical path — the committee step must complete; though it has its own dropout tolerance, it can't dropout completely.
• Specific cryptographic parameters are not disclosed in the blog post; the scheme is referenced via the linked ACM paper.

Seen in

• sources/2026-05-27-google-private-analytics-via-zero-trust-aggregation — canonical wiki instance. Lattice-based one-shot secure-aggregation scheme deployed in Google's confidential federated analytics service for Android System SafetyCore effectiveness metrics.

Related

• concepts/secure-aggregation — the cryptographic primitive class
• concepts/lattice-based-cryptography — the math substrate
• concepts/federated-analytics — the workload pattern
• concepts/on-device-ml-inference — typical upstream classifier
• patterns/cryptography-plus-tee-defense-in-depth — composes with TEE
• patterns/client-committee-key-shares — the unmasking sub-pattern
• systems/google-confidential-federated-analytics
• systems/android-safetycore