Multi-Message Secure Aggregation with Demand Privacy

📅 2025-04-29
🤖 AI Summary
This paper addresses privacy-preserving secure aggregation in distributed learning, where a server must robustly compute $K_c$ linear combinations of user inputs despite up to $K-U$ users dropping out unexpectedly (with unknown identities), while simultaneously guaranteeing input confidentiality (security) and concealing the computation specification (demand privacy). It is the first work to jointly achieve security, demand privacy, and crash-fault robustness. The authors propose a two-round asynchronous protocol based on multiplicative encryption and offline encoded key sharing, and introduce the Robust Symmetric Private Computation (RSPC) framework. Theoretically, the scheme achieves information-theoretic optimal communication rate when $K_c = 1$, and order-optimal rate (with at most a factor-of-2 gap between upper and lower bounds) for $2 \leq K_c \leq U-1$, significantly outperforming existing single-message or non-private aggregation schemes.

📝 Abstract
This paper considers a multi-message secure aggregation with privacy problem, in which a server aims to compute $\mathsf{K}_c \geq 1$ linear combinations of local inputs from $\mathsf{K}$ distributed users. The problem addresses two tasks: (1) security, ensuring that the server can only obtain the desired linear combinations without any other information about the users' inputs, and (2) privacy, preventing users from learning about the server's computation task. In addition, the effect of user dropouts is considered, where at most $\mathsf{K}-\mathsf{U}$ users can drop out and the identity of these users cannot be predicted in advance. We propose two schemes, for $\mathsf{K}_c = 1$ and $2 \leq \mathsf{K}_c \leq \mathsf{U}-1$, respectively. For $\mathsf{K}_c = 1$, we introduce multiplicative encryption of the server's demand using a random variable, where users share coded keys offline and transmit masked models in the first round, followed by aggregated coded keys in the second round for task recovery. For $2 \leq \mathsf{K}_c \leq \mathsf{U}-1$, we use robust symmetric private computation to recover linear combinations of keys in the second round. The objective is to minimize the number of symbols sent by each user during the two rounds. Our proposed schemes achieve the optimal rate region when $\mathsf{K}_c = 1$ and the order-optimal rate (within 2) when $2 \leq \mathsf{K}_c \leq \mathsf{U}-1$.
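The two-round flow the abstract describes for $\mathsf{K}_c = 1$ can be traced end to end in a small simulation. This is an added sketch, not the paper's construction and not rate-optimal; the prime field, the Shamir-style key coding, scalar inputs, nonzero demand coefficients, and all function names are assumptions made for illustration.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed; the page names no field)

def share_key(z, n_users, threshold):
    """Coded key: polynomial of degree threshold-1 with f(0)=z, evaluated at 1..n."""
    coeffs = [z] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            for x in range(1, n_users + 1)]

def interpolate_at_zero(points):
    """Lagrange interpolation at x=0 from (x, y) pairs with distinct x."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def run_protocol(inputs, demand, U, round1_alive, round2_alive):
    """Return sum of demand[k]*inputs[k] over round-1 survivors (0-based ids)."""
    K = len(inputs)
    # Offline: user k draws key Z_k and hands user j the coded share S[k][j].
    keys = [secrets.randbelow(P) for _ in range(K)]
    S = [share_key(z, K, U) for z in keys]
    # Demand hiding: coefficients are multiplied by a secret nonzero t, so a
    # single user sees t*a_k, uniform over nonzero values when a_k != 0.
    t = 1 + secrets.randbelow(P - 1)
    queries = [t * a % P for a in demand]
    # Round 1: each surviving user sends its masked input.
    masked = {k: (queries[k] * inputs[k] + keys[k]) % P for k in round1_alive}
    # Round 2: users still online send the sum of their shares of the
    # round-1 survivors' keys; dropped users' keys never enter the sum.
    agg = [(j + 1, sum(S[k][j] for k in round1_alive) % P) for j in round2_alive]
    if len(agg) < U:
        raise ValueError("fewer than U users answered round 2")
    key_sum = interpolate_at_zero(agg[:U])
    # Server: remove the aggregated key, then undo the multiplicative mask.
    return (sum(masked.values()) - key_sum) * pow(t, -1, P) % P
```

The server only ever reconstructs the sum of the surviving users' keys, never an individual key, which is what keeps each masked input hidden while tolerating dropouts whose identities are not known in advance.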
Problem

Research questions and friction points this paper is trying to address.

Secure aggregation of user inputs without revealing extra information
Privacy preservation against users learning server's computation task
Robust handling of unpredictable user dropouts during aggregation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Multiplicative encryption for server demand privacy
Robust symmetric private computation for key recovery
Optimal rate region for secure aggregation