🤖 AI Summary
In federated learning, sparse model updates remain vulnerable to exact data reconstruction attacks under secure aggregation (SecAgg): when only one client contributes a non-zero value at a given index, that value appears directly in the aggregated result. To address this, we propose the first element-wise secure aggregation mechanism: an index's aggregated value is revealed only if at least *t* clients contribute a non-zero value at that index; otherwise, it remains fully hidden. Our approach introduces a per-element cryptographic masking strategy that requires no trusted third party, integrates seamlessly with existing SecAgg protocols, and has a modular design. Coupled with the low-round Flamingo protocol, it enables fine-grained privacy protection. Theoretical analysis and empirical evaluation demonstrate robust resistance against reconstruction attacks, with bounded computational and communication overhead, confirming practical deployability.
📝 Abstract
Federated learning (FL) enables collaborative model training without sharing raw data, but individual model updates may still leak sensitive information. Secure aggregation (SecAgg) mitigates this risk by allowing the server to access only the sum of client updates, thereby concealing individual contributions. However, a significant vulnerability has recently attracted increasing attention: when model updates are sparse vectors, a non-zero value contributed by a single client at a given index can be directly revealed in the aggregate, enabling precise data reconstruction attacks. In this paper, we propose a novel enhancement to SecAgg that reveals aggregated values only at indices with at least $t$ non-zero contributions. Our mechanism introduces a per-element masking strategy to prevent the exposure of under-contributed elements, while maintaining modularity and compatibility with many existing SecAgg implementations by relying solely on cryptographic primitives already employed in a typical setup. We integrate this mechanism into Flamingo, a low-round SecAgg protocol, to provide a robust defense against such attacks. Our analysis and experimental results indicate that the additional computational and communication overhead introduced by our mechanism remains within an acceptable range, supporting the practicality of our approach.
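An added illustration (not code from the paper) of the leak and the release rule the abstract describes: a toy pairwise-mask aggregation over constructed sparse updates, a check for indices where the sum equals a single client's value, and a plaintext model of the "at least t contributors" output. The function names, modulus and sample vectors are assumptions; `threshold_release` models only the intended output and is not the paper's cryptographic per-element masking.

```python
import random

MOD = 2**32  # assumed modulus for the toy masked arithmetic

# Constructed sparse updates: 4 clients, 6 coordinates, non-negative quantized values.
UPDATES = [
    [5, 0, 0, 7, 0, 0],
    [3, 0, 9, 0, 0, 0],
    [1, 0, 0, 2, 0, 0],
    [4, 0, 0, 0, 0, 11],
]

def pairwise_masks(n, dim, seed=0):
    """Client i adds m_ij and client j subtracts it, so all masks cancel in the sum."""
    rng = random.Random(seed)  # toy randomness, not a cryptographic PRG
    masks = [[0] * dim for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            for k in range(dim):
                m = rng.randrange(MOD)
                masks[i][k] = (masks[i][k] + m) % MOD
                masks[j][k] = (masks[j][k] - m) % MOD
    return masks

def secagg_sum(updates):
    """The server sees only masked vectors; their sum is the true sum mod MOD."""
    masks = pairwise_masks(len(updates), len(updates[0]))
    masked = [[(v + mk) % MOD for v, mk in zip(u, m)] for u, m in zip(updates, masks)]
    return [sum(col) % MOD for col in zip(*masked)]

def single_contributor_leaks(updates, aggregate):
    """Indices with exactly one non-zero contributor: aggregate == that client's value."""
    leaks = {}
    for k, total in enumerate(aggregate):
        owners = [i for i, u in enumerate(updates) if u[k] != 0]
        if len(owners) == 1:
            leaks[k] = (owners[0], total)
    return leaks

def threshold_release(updates, aggregate, t):
    """Plaintext model of the intended output: hide index k unless >= t clients are non-zero."""
    counts = [sum(1 for u in updates if u[k] != 0) for k in range(len(aggregate))]
    return [a if c >= t else None for a, c in zip(aggregate, counts)]

if __name__ == "__main__":
    agg = secagg_sum(UPDATES)
    print("aggregate:", agg)
    print("exposed (index -> client, value):", single_contributor_leaks(UPDATES, agg))
    print("released with t=2:", threshold_release(UPDATES, agg, 2))
```

In a real protocol the server never sees the per-index contributor counts in the clear; the model above computes them directly only to show which coordinates the rule would suppress.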