Q&A: Phase 38.3 SecureAggregator — Protocol Selection & Security Parameters #782

Unanswered

web3guru888 asked this question in Q&A

web3guru888
Apr 13, 2026
Maintainer

Q&A: SecureAggregator (Phase 38.3)

Configuration Questions

Q1: When should I use Shamir SS vs Paillier HE vs Bonawitz SecAgg?

Shamir SS: When you need (t,n)-threshold flexibility, lightweight, best for small number of clients
Paillier HE: When server must never see individual updates, higher computational cost (O(n) encryptions)
Bonawitz SecAgg: Best for large-scale FL (100+ clients), handles dropouts, moderate comm overhead

Q2: What threshold (t) should I set for Shamir?

t = ⌈n/2⌉ + 1 for majority threshold (standard)
t = ⌈2n/3⌉ for Byzantine fault tolerance
t should be > fraction of potentially colluding clients
Lower t = more dropout-resilient but less secure

Q3: How much communication overhead does secure aggregation add?

Bonawitz SecAgg: ~2x communication vs plaintext aggregation
Paillier HE: ~10-50x (ciphertext expansion)
Shamir SS: ~nx for n shares per client
Use gradient compression (38.1) before encryption to reduce cost

Q4: Key size recommendations for Paillier?

2048-bit: Production minimum (128-bit security)
3072-bit: Recommended for long-term security
1024-bit: Development/testing only
Key generation time: ~2s for 2048-bit, ~10s for 3072-bit

Q5: What happens if more than 30% of clients drop during secure aggregation?

Default dropout_tolerance=0.3 — protocol aborts if exceeded
Increase tolerance with higher threshold in secret sharing
Trade-off: higher tolerance requires more shares per client

See issue #774 for full specification and acceptance criteria.

Replies: 0 comments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

⚡