Secure Aggregation with an Oblivious Server

Secure aggregation usually aims at securely computing the sum of the inputs from $K$ users at a server. Noticing that the sum might inevitably reveal information about the inputs (when the inputs are non-uniform) and typically the users (not the server) desire the sum (in applications such as federated learning), we consider a variant of secure aggregation where the server is oblivious, i.e., the server only serves as a communication facilitator/helper to enable the users to securely compute the sum and learns nothing in the process. Our communication protocol involves one round of messages from the users to the server and one round of messages from the server to each user such that in the end each user only learns the sum of all $K$ inputs and the server learns no information about the inputs. For this secure aggregation with an oblivious server problem, we show that to compute $1$ bit of the sum securely, each user needs to send at least $1$ bit to the server, the server needs to send at least $1$ bit to each user, each user needs to hold a key of at least $2$ bits, and all users need to collectively hold at least $K$ key bits. In addition, when user dropouts are allowed, the optimal performance remains the same, except that the minimum size of the key held by each user increases to $K$ bits, per sum bit.