Jack Sullivan

1. Google's secure aggregation protocol assumes an honest but curious server attacker. Given an example of what can go wrong in their protocol if the attacker compromising the server is in fact active/malicious.

In the honest but curious server attacker model, the server is expected to never deviate from the protocol. During the first phase (Round ShareKeys), the server can deviate from its protocol and perform a Sybil attack on the users by simulating for a specific user u all other users v in the protocol and thus receiving all u’s key shares and recovering that users’ input. This is fixed in the active attacker model with a public-key infrastructure (PKI), which guarantees to users that messages they receive came from other users (and not the server).