Paper 2026/264

WillowFold: Secure Aggregation with a Lightweight Committee

Hossein Hafezi, New York University
Kasra Abbaszadeh, University of Maryland, College Park
Adrià Gascón, Google (United States)
Phillipp Schoppmann, Google (United States)
Mariana Raykova, Google (United States)
Benedikt Bünz, New York University
Abstract

Secure aggregation enables a server to learn the sum of private inputs of clients, while revealing no additional information beyond the final sum. Recent work, Willow (CRYPTO 2025) achieves one--shot secure aggregation in the single-server model with dynamic client participation. To ensure security under these features, Willow relies on an auxiliary committee to verify the correctness of the aggregation. Although this verification requires no private information---broadening the set of parties eligible to participate in the committee---the committee’s total work scales linearly with the number of clients, which poses a challenge for large-scale deployments. This linear committee cost limitation is also shared by other state-of-the-art single-server secure aggregation protocols, including Flamingo (IEEE S&P 2023) and OPA (CRYPTO 2025). In this paper, we introduce WillowFold, a secure aggregation scheme based on Willow that enables lightweight verification of the aggregation and requires only logarithmic committee cost in the number of clients. Our scheme additionally supports streaming aggregation and reduces per-client server storage to a single ID (4 bytes), rather than storing full contributions as in Willow (1.5 KB), which facilitates distributed execution of the server-side computation. Finally, we close a gap in Willow’s security proof by showing that the zero-knowledge proofs underlying the scheme must be simulation extractable in order to rule out correlated ciphertext attacks. WillowFold employs proof-carrying data (PCD)---a primitive for incremental verification of distributed computations---to achieve a lightweight verification cost. In particular, we present a concretely efficient instantiation of WillowFold using a variant of Spartan+KZH-Fold (CCS 2025) as the underlying PCD scheme. As independent contributions, we show a zero-knowledge variant of Spartan+KZH, which is the SNARK underlying Spartan+KZH-Fold, that uses logarithmic randomness, and we further prove that this variant satisfies the simulation extractability. We implement and evaluate WillowFold, showing that it supports $8$ million clients with proof size $<60$~KB and verification time under one second--a $10^{5}$-fold improvement over Willow.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
secure aggregationPCDKZH-Fold
Contact author(s)
h hafezi @ nyu edu
kasraz @ umd edu
adriag @ google com
schoppmann @ google com
marianar @ google com
bb @ nyu edu
History
2026-02-17: approved
2026-02-15: received
See all versions
Short URL
https://ia.cr/2026/264
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2026/264,
      author = {Hossein Hafezi and Kasra Abbaszadeh and Adrià Gascón and Phillipp Schoppmann and Mariana Raykova and Benedikt Bünz},
      title = {{WillowFold}: Secure Aggregation with a Lightweight Committee},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/264},
      year = {2026},
      url = {https://eprint.iacr.org/2026/264}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.