🤖 AI Summary
This work addresses the problem of information-theoretically secure aggregation in a multi-server two-hop network, where up to $T$ users may collude with any subset of servers. Users communicate exclusively with their assigned servers, which then collaborate to recover the global sum. The study provides the first complete characterization of the optimal rate region for this setting, uncovering a fundamental trade-off between security and key efficiency. It demonstrates that a multi-server architecture substantially reduces the required randomness for secret keys. Within an information-theoretic security framework, leveraging linear key constructions and tight entropy bounds, the authors establish that the minimum user-to-server communication rate, inter-server communication rate, and individual key rate are each one symbol per input symbol, while the optimal source key rate is $\min\{U+V+T-2, UV-1\}$, where $U$ denotes the number of servers and $V$ the number of users per server.
📝 Abstract
Secure aggregation is a fundamental primitive in privacy-preserving distributed learning systems, where an aggregator aims to compute the sum of users' inputs without revealing individual data. In this paper, we study a multi-server secure aggregation problem in a two-hop network consisting of multiple aggregation servers and multiple users per server, in the presence of user collusion. Each user communicates only with its associated server, while the servers exchange messages to jointly recover the global sum. We adopt an information-theoretic security framework, allowing up to $T$ users to collude with any server. We characterize the complete optimal rate region in terms of user-to-server communication rate, server-to-server communication rate, individual key rate, and source key rate. Our main result shows that the minimum communication and individual key rates are all one symbol per input symbol, while the optimal source key rate is given by $\min\{U+V+T-2,\, UV-1\}$, where $U$ denotes the number of servers and $V$ the number of users per server. The achievability is established via a linear key construction that ensures correctness and security against colluding users, while the converse proof relies on tight entropy bounds derived from correctness and security constraints. The results reveal a fundamental tradeoff between security and key efficiency and demonstrate that the multi-server architecture can significantly reduce the required key randomness compared to single-server secure aggregation. Our findings provide a complete information-theoretic characterization of secure aggregation in multi-server systems with user collusion.